Nov 01 2021 02:22 AM
Hello,
I have some co-managed (Hybrid) Windows 10 devices (version 21H2) which have their workloads set to "Intune" in SCCM. These devices have several device configuration policies set to them, which work fine. But the "Settings catalog" items are "Not applicable". When I create the same policy using the "Device Configuration" and "Administrative Template" it works though.
For my Intune managed device (AAD only) this works without any problem.
To my understanding, using catalog settings with co-managed devices should work just fine, or am I missing something?
Also, I have configured the CSP MDMWinsOverGP setting.
Please advise,
BR Theodor
Nov 03 2021 01:38 AM
Looping in @Rudy_Ooms_MVP . Any thoughts?
Nov 03 2021 01:48 AM
Nov 03 2021 02:10 AM
Hi @Rudy_Ooms_MVP,
Thank you for your reply. The organization is following CIS best practices (specifically CIS_Microsoft_Intune_for_Windows_10_Release_2004_Benchmark_v1.0.1) and the configuration profiles are based on these controls. One example in this framework is control 18.1.1, which prevents enabling camera under lock screen (see attached image). As you can see, the category is even under Administrative template. And what bothers me is that when I configure the same settings using Administrative templates, for the same device, it does work ☹
Anyway, uploading event viewer logs to a public forum might be difficult for the organization to agree with, but I have asked RM and am waiting for a reply. But, I did investigate it and didn’t find anything interesting. From what I could tell, there are no related errors. Is there something specific you are looking for?
FYI, we do have a Microsoft support case running in parallel.
BR
Theodor
Nov 03 2021 03:27 AM
Nov 03 2021 03:28 AM - edited Nov 03 2021 03:29 AM
Nov 03 2021 03:30 AM
Nov 03 2021 03:34 AM
Nov 03 2021 03:37 AM
Nov 03 2021 03:57 AM - edited Nov 03 2021 04:00 AM
Is it possible for you to also send the Intune mgt from the program data folder to info@call4cloud.nl?
And if it's possible, create a new settings catalog policy and make sure you sync the device first :) so I am sure if there are warnings in it, it's in there :)
And could you show me how you assigned it?
Nov 03 2021 04:24 AM
Hi @Rudy_Ooms_MVP ,
"Is it possible for you to also send the Intune mgt from the program data folder to info@call4cloud.nl?" - Yes, I have sent it to you.
"And if it's possible, create a new settings catalog policy and make sure you sync the device first :) so I am sure if there are warnings in it, it's in there :)" - I created a new policy and synced as per request.
"And could you show me how you assigned it?" - The assignment is based on a security group, with membership type “Assigned”. Members are only devices, both Intune managed (AAD only, which works) and our co-managed devices (hybrid, which are "not applicable").
BR
Theodor
Nov 03 2021 04:42 AM
Nov 03 2021 04:54 AM
Sadly I have the same issue. Works for Intune managed, not for co-managed (same user).
Nov 03 2021 07:01 AM
Nov 03 2021 07:11 AM
Well, I am 100% certain that the workloads are set to Intune, since I can see that other Device configurations are applied successfully for the same VM. Nothing interesting in the CoManagementHandler.log file.
Nov 03 2021 07:17 AM - edited Nov 03 2021 07:19 AM
If you have Twitter, you could send out a tweet "asking" and tagging the intunesupportteam and mikedanaski (knows it all about the settings catalog). As again, switching that flip to Intune should have done it... so it looks like something didn't succeed when doing that.
Does the log mention something like: CoManagementSettings_Capabilities?
And how does the report look when you run it from the info settings in the account?
Nov 03 2021 07:31 AM
Nov 03 2021 08:03 AM
Nov 23 2021 01:42 AM
Nov 23 2021 01:46 AM