Co-Management & Off-site Devices


Hello,

All of our Clients were and are managed by ConfigMgr for Servicing and Updates. We had a bunch of devices go off-site due to COVID and they did not have VPN access and could no longer communicate with ConfigMgr. During this time we have enabled Co-Management with the plan to move as many workloads to Intune as possible, but we're obviously in a unique scenario because they can't communicate with ConfigMgr to get Co-Management policies, can't enroll in Intune, and can't communicate with a DC to get any changes in Group Policy. Are there any options for me in this scenario? I would like to revert our GPOs and finalize configuration of WUfB, but a lot of those devices won't get those policies, and I'm afraid when they come back onsite that some of those policies won't apply in the proper order and there would be the possibility that they reach out to unmanaged Windows Update and update to a Feature Update we haven't approved yet.

Thanks!

1 Reply

@acjuelich Really tough situation with no pretty or easy answers here. IF there is somebody who has admin rights on the device, then you may have some scripting options. Without any admin access, you are going to have to get creative. (We have had customers in other situations actually create a drive-up queue outside of their business with an IT Admin and a network cable to get settings updated from the network.) Please reach out to our FastTrack team, who is working to help customers in exactly this situation. https://fasttrack.microsoft.com