Support Tip: Configuring workloads in a co-managed environment

Published Jun 19 2019 07:11 AM

Hi everyone, today we have a great post by Intune support engineer Betty Jia where she walks you through resolving an issue you might encounter when co-management is enabled, but even better, she goes on to talk about how pre-release features work in Configuration Manager and offers some insight into how you can turn these on and off and verify the configuration in your environment. Whether you use co-management today or have plans to do so in the future, this is one you’ll want to bookmark.




Co-management is a great solution that allows you to concurrently manage Windows 10 devices by using both Configuration Manager and Microsoft Intune. It lets you cloud-attach your existing investment in Configuration Manager by adding new functionality and allowing you to control which workloads are controlled by which service. You're also able to pilot a workload with a separate collection of devices. Piloting allows you to test the Intune functionality with a subset of devices before switching a larger group. Similar to piloting, co-management also allows you to enable certain prerelease features for early testing, and this is the core of what I’ll be covering in this post.


For example, let’s say you’ve configured co-management but you notice that apps and PowerShell scripts deployed from Intune to co-managed devices show a status of Not applicable, whereas the same are successfully deployed to devices managed solely by Intune.



As mentioned earlier, co-management allows you to control which workloads are controlled by Intune and which are controlled by Configuration Manager (more on that here), however you notice that the problem remains even after switching all available workloads to Intune or Pilot Intune in the Configuration Manager console:




Do you notice anything missing in the screen shot above? When you review the workloads listed in this article and in the screen shot above, notice how the Client apps workload is not there even though the article states that co-management supports the following workloads:


  • Compliance policies
  • Windows Update policies
  • Resource access policies
  • Endpoint Protection
  • Device configuration
  • Office Click-to-Run apps
  • Client apps

So what’s going on? When the Client apps workload is switched to Intune (or Pilot Intune), you can deploy apps from the Intune portal to co-managed devices. If this workload is not switched to Intune, client apps cannot be deployed successfully from Intune. Besides client apps, PowerShell script profiles and Win32 apps also cannot be deployed successfully from Intune. This is because the Intune Management Extension (IME), which supplements the in-box Windows 10 MDM features, is only installed when a PowerShell script or a Win32 app is deployed to a user or device security group (see for more information on this). If the Client apps workload is not switched to Intune, IME will not get installed, so PowerShell scripts and Win32 apps will also fail to deploy.


Based on all of this you can probably now figure out why apps and PowerShell scripts deployed from Intune to co-managed devices show a status of Not applicable – because the workload has not been switched to Intune. But why is that, and why do you not see the option to switch the Client apps workload to Intune? The answer is that the Client apps workload is a pre-release feature.

Pre-release features are features that are in the current branch for early testing in a production environment. These features are fully supported but still in active development, thus they might receive changes until they move out of the pre-release category. To use pre-release features, you must first give consent and then enable them in the console. Here’s how that is done:


In the Configuration Manager console under Hierarchy Settings properties, you will see the option Consent to use Pre-Release features. The first step is to grant consent by checking the box:




Next, under Updates and Servicing, turn on Mobile apps for co-managed devices:




Lastly, go back to the Workloads tab and you’ll see that the Client apps workload now appears:




Switch the Client apps workload to Intune and you’re good to go. At this point, apps and PowerShell scripts deployed from Intune to co-managed devices should successfully install.


Additional Reading

Another common question I get when talking about this is how to check whether the Client apps workload is switched to Intune from the client device. To answer that question we’ll need to take a closer look at co-management capabilities.


Once the device is co-managed, in Configuration Manager properties you will see that the Co-management property value is set to Enabled:




You will also notice a Co-management capabilities property and value:




This value is a reflection of the co-management workloads configured in Configuration Manager and is a sum of settings you configured. The maximum value of Co-management capabilities is 255, which is the sum of all these values as listed in the chart below.





  • 1: Inventory. It simply means co-management is configured
  • 2: Compliance policies
  • 4: Resource access policies
  • 8: Device Configuration
  • 16: Windows Update policies
  • 32: Endpoint Protection
  • 64: Client apps
  • 128: Office Click-to-Run apps


This means that if we only switch the Client apps workload to Intune, the Co-management capabilities value would be 1+64, or 65. So for a value of 175 as in our example above, the workloads switched to Intune are Inventory (1) + Compliance policies (2) + Resource access policies (4) + Device Configuration (8) + Endpoint Protection (32) + Office Click-to-Run apps (128) = 175. We can verify this by checking in the Configuration Manager console:




Taking this a step further, if we switch the Client apps workload (a value of 64) to Intune, the value for Co-management capabilities will become 239 (175+64):
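The arithmetic above is a bitmask decode. As an added example (not from the original post or from Microsoft's tooling), this PowerShell function splits a Co-management capabilities value into its workloads and warns when the Client apps flag (64) is missing; the function and variable names are hypothetical.

```powershell
# Added example. One power of two per workload, in the chart's order,
# summing to the post's stated maximum of 255. Names are hypothetical.
$CoMgmtFlags = @(
    [pscustomobject]@{ Value = 1;   Workload = 'Inventory (co-management is configured)' }
    [pscustomobject]@{ Value = 2;   Workload = 'Compliance policies' }
    [pscustomobject]@{ Value = 4;   Workload = 'Resource access policies' }
    [pscustomobject]@{ Value = 8;   Workload = 'Device configuration' }
    [pscustomobject]@{ Value = 16;  Workload = 'Windows Update policies' }
    [pscustomobject]@{ Value = 32;  Workload = 'Endpoint Protection' }
    [pscustomobject]@{ Value = 64;  Workload = 'Client apps' }
    [pscustomobject]@{ Value = 128; Workload = 'Office Click-to-Run apps' }
)

function ConvertFrom-CoMgmtCapabilities {
    [CmdletBinding()]
    param(
        # The number shown as "Co-management capabilities" on the client.
        # The post gives 255 as the maximum, so larger values are rejected.
        [Parameter(Mandatory, ValueFromPipeline)]
        [ValidateRange(0, 255)]
        [int]$Capabilities
    )
    process {
        # One row per workload; a set bit means the workload was switched to Intune.
        $rows = foreach ($flag in $CoMgmtFlags) {
            [pscustomobject]@{
                Capabilities = $Capabilities
                Value        = $flag.Value
                Workload     = $flag.Workload
                Switched     = [bool]($Capabilities -band $flag.Value)
            }
        }
        if (-not ($Capabilities -band 1)) {
            Write-Warning "Value ${Capabilities}: the flag that marks co-management as configured (1) is not set."
        }
        elseif (-not ($Capabilities -band 64)) {
            # The failure described in this post: without the Client apps workload,
            # Intune apps, PowerShell scripts and Win32 apps report Not applicable.
            Write-Warning "Value ${Capabilities}: Client apps (64) is not switched to Intune."
        }
        $rows
    }
}

# Values from the post: before (175) and after (239) switching Client apps.
175, 239 | ConvertFrom-CoMgmtCapabilities |
    Where-Object Switched |
    Format-Table Capabilities, Value, Workload -AutoSize
```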






Hopefully this sheds a little more light not only on why apps and PowerShell scripts deployed from Intune to co-managed devices might show a status of Not applicable, but also how you can work with and enable pre-release features in Configuration Manager. As always, I appreciate any comments or feedback so feel free to leave me a note in the comments below.

Betty Jia

Support Engineer

Microsoft Intune Support Team

Occasional Contributor

Hi Betty

Great article, you should join the team that writes the documentation! :)

I do have one additional question that I hope you may be able to answer.

Once the workload for 'Client Apps' is switched to Pilot/Intune, what happens to the SCCM capabilities to deploy applications? Can SCCM and Intune now both be used to deploy apps or is it Intune only from that point on?



Occasional Contributor

Yes - I do have exactly the same question as Jan. Thanks Jan for bringing this up. We are currently working on Autopilot managed through Intune, but would like to have the SCCM agent installed on these devices, so that our users can use our internal shopping portal, for which apps, when shopped, get delivered via CM. So I wanted to know: can we have the apps delivered by both CM and Intune as we would like? I wish I get the response as "yes" ;)





Thanks for raising your questions Jan and Anantha! Betty will respond to your question shortly.


Jet Zhu

Microsoft Intune Support Team


Hi Jan & Anantha,

Thank you for posting comments. 

Once the workload is switched to Intune, Intune will have the capability to deploy apps, and at the same time for SCCM, the capability is not removed.

After you transition this workload, any available apps deployed from Intune are available in the Company Portal. Apps that you deploy from Configuration Manager are available in Software Center.

I just finished testing deploying an .msi app installer as available type from SCCM to co-managed devices after the Client apps workload was switched to Intune. The app will still appear in Software Center and can be installed without any issue.



Occasional Contributor

Thanks much Betty. This does clear up a few things. Thanks again.




Occasional Contributor

Hi Betty - 


Sorry, another one just dawned on me. With this setting of co-management as briefed in this article, may I know what the impact will be on the existing devices managed by SCCM? I mean, we are currently not looking at our on-prem devices to be co-managed from Intune, but only want the Autopilot devices to be co-managed by SCCM. Can you advise?


Many Thanks


Occasional Contributor

I guess as long as the on-prem device is NOT Hybrid Azure AD joined, the on-prem devices will continue to be managed ONLY by SCCM, whereas the Autopilot devices can leverage the CM SW deployment features as mentioned in your earlier response, even if they are just Azure AD joined. Do correct me if I am wrong in my understanding.


Many Thanks,


Occasional Contributor

Hi @Betty_Jia

Thanks for that clarification!

Senior Member

@Betty_Jia Thanks for more clarification on this preview feature. Hoping for more.


Hi @Anantha Subramanian Srinivasan, you are correct: on-premises SCCM devices that are not hybrid AAD joined will not be co-managed.

New Contributor

Hi @Betty_Jia, may I ask when the feature Client app workload will be generally available in MECM?


Hi @Trang_95 ,

Sorry for the late response.


This Client apps feature was first introduced in version 1806 as a pre-release feature. Beginning with version 2002, it's no longer a pre-release feature.

This feature may appear in the list of features as Mobile apps for co-managed devices.

New Contributor

Hi, great article! Just a question in mind regarding the network diagram, maybe for @Betty_Jia: when a user self-deploys a ConfigMgr app from Company Portal, is the traffic flowing: a) from the device to the MECM infra; or b) from the device to Intune, which relays the communication (i.e. the app or package) from the MECM infra to the device?

Thanks in advance for the clarification!

New Contributor

Hello @Betty_Jia,@J.C. Hornbeck,


If the workload is moved to Intune completely and the devices are co-managed, can I still deploy Autodesk apps of large size (8 GB+) from SCCM to a user group? And will they get installed on the workstation?



Hi @chpranay 

Moving the workloads to Intune does not affect the ability to deploy apps from SCCM. You can still use SCCM to deploy the apps, and if SCCM supports apps over 8 GB, then it is supported (it depends on the SCCM side).


Hi @Arnaud Layec ,

If we deploy the Configuration Manager client installer from Intune, we need to set up the CMG for SCCM. The CM client will connect to the CMG for communication with the local SCCM server, instead of going through Intune to reach the SCCM server.

Path 2: Bootstrap with modern provisioning

Here's what you need to set it up:

  1. Set up enhanced HTTP
  2. Create the cloud services in Azure
  3. Configure the management point and clients to use the cloud management gateway
  4. Use Intune to deploy the Configuration Manager client
New Contributor

Hello @J.C. Hornbeck @Betty_Jia ,

In a co-management environment, when we have the workload moved to Intune and we deploy an app from SCCM to a user, can we see the app in Company Portal?

Because I did deploy a test app to user group from SCCM and it showed up on company portal as well as in software center. But when I am trying using a real app it's not working.


Any idea?


Hi @chpranay 

Yes, the apps deployed from SCCM will also show in company portal and software center. This is a new feature. Refer below for more details: 

Apps in Company Portal - Configuration Manager | Microsoft Docs


And for "But when I am trying using a real app it's not working": does this app not appear in the Company Portal app, or do you click the install button but get no response?

New Contributor

@Betty_Jia ,

I deployed an app and it does not show in company portal but shows in Software center.

Regular Visitor

@Betty_Jia  Hi Betty,


I'm having a problem similar to what @chpranay described and was wondering if there are any tips to resolving an issue where co-management is set to pilot for client apps but apps in software center don't display in Company Portal. Not sure if it is a factor or not but all of our software deployments are to user collections rather than device.
