Cloud attach - Endpoint Managers silver lining – part 5 Enabling compliance policies workload

This is part 5 in a series of guides about cloud attach in Microsoft Endpoint Manager, with the aim of getting you up and running with all things cloud attach. This part focuses on enabling the compliance policies workload. The series is co-written by Niall and Paul, both Enterprise Mobility MVPs with broad experience in modern management. Paul is a four-time Enterprise Mobility MVP based in the UK and Niall is a ten-time Enterprise Mobility MVP based in Sweden.

In part 1 we configured Azure AD Connect to sync accounts from the on-premises infrastructure to the cloud. In part 2 we prepared the Azure resources for the Cloud Management Gateway, and in part 3 we created the cloud management gateway and verified that everything was running smoothly. In part 4 we enabled co-management. With co-management you retain your existing processes for managing PCs with Configuration Manager, and you gain the ability to move individual workloads to the cloud via Endpoint Manager (Intune). In this part we'll move the compliance policies workload to Intune and see how that affects a co-managed computer.

Below you can find all parts in this series.


  • Cloud attach - Endpoint Managers silver lining - part 1 Configuring Azure AD connect
  • Cloud attach - Endpoint Managers silver lining - part 2 Prepare for a Cloud Management Gateway
  • Cloud attach - Endpoint Managers silver lining - part 3 Creating a Cloud Management Gateway
  • Cloud attach - Endpoint Managers silver lining - part 4 Enabling co-management
  • Cloud attach - Endpoint Managers silver lining - part 5 Enabling compliance policies workload <- you are here
  • Cloud attach - Endpoint Managers silver lining - part 6 Enabling conditional access
  • Cloud attach - Endpoint Managers silver lining - part 7 Co-managing Azure AD devices
  • Cloud attach - Endpoint Managers silver lining - part 8 Enabling tenant attach
  • Cloud attach - Endpoint Managers silver lining - part 9 Renewing expiring certificates
  • Cloud attach - Endpoint Managers silver lining - part 10 Using apps with tenant attach


Step 1. Verify compliance status in Endpoint Manager

Before changing any workloads, open Devices in Microsoft Endpoint Manager and locate a co-managed device. Its compliance state should read See ConfigMgr, meaning that Configuration Manager, not Intune, is still the authority for that device's compliance.

compliance - see configmgr.png

Step 2. Create an Azure AD group

In Endpoint Manager, create a new Azure AD group which you'll use in the next steps. Give it a suitable name such as Co-managed compliance policies devices, and set its membership type to Assigned (Configuration Manager will populate it; do not use a dynamic membership rule).

co-managed compliance policies devices aad group.png


Step 3. Add some devices to the workload collection

Next, add one or more devices to the collection you will use for piloting the compliance workload. Select the device(s), right-click, choose Add Selected Items to Existing Device Collection and pick the collection that corresponds to that workload. In this case that is the Co-managed compliance policies collection.

add device to collection.png


Step 4. Enable Azure Active Directory group sync

In this step you'll enable synchronization of a collection's membership to an Azure Active Directory group. This lets you mirror the membership of an on-premises collection into an Azure AD group that Intune can target, without maintaining the group by hand. Here you'll sync one collection, but you can add as many collections as you need. The sync runs every 5 minutes.

To enable this, expand Cloud Services in the Administration node of ConfigMgr, select Azure Services, select Cloud Management service properties and on the Collection Synchronization tab, place a check in Enable Azure Active Directory Group Sync.

enable AAD group sync.png

Next, right click the collection you want to sync and choose Properties. In this example you'll right click on the previously created Co-managed compliance policies collection as shown below.

properties of co-managed compliance policies collection.png

In the properties of that collection, select the Cloud Sync tab.

cloud sync tab.png

Next, click Add, then enter a search term such as co-managed to find the Azure AD group created in step 2, and select it as the group this collection will sync to.

sync the following collection.png

Click OK when done. After about 5 minutes, browse the Azure AD group created in step 2 and you should see that the co-managed device(s) from the collection have appeared as members.

device appears in azure ad group after 5 minutes.PNG

Step 5. Create a Compliance policy

In Microsoft Endpoint Manager, select Devices in the left pane, then Windows, then Compliance policies, and click + Create Policy. In the Create a policy pane, select Windows 10 and later as the Platform and click Create.

create a policy.png

Select Windows 10 compliance policy, enter a name for it and click Next.

windows 10 compliance policy.PNG

Select Require for Require encryption of data storage on device, then click Next.

require encryption.PNG

Under Actions for noncompliance, set the Mark device noncompliant action to Immediately. You can configure a grace period here; for this post we want the device to become noncompliant as quickly as possible so that the effect is easy to observe.

compliance immediatly.PNG

Next, assign the compliance policy to the Azure AD group created in step 2 (the one Configuration Manager is keeping in sync), and don't forget to click Review+Save.

assign compliance policy to configmgr synced aad group.png
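The same policy and assignment, expressed as Microsoft Graph calls from PowerShell. This is an added example, not part of the original post or the authors' procedure. It assumes the Microsoft.Graph PowerShell SDK is installed, that the Azure AD group from step 2 exists under the display name used there, and it relies on the Graph property names for a Windows 10 compliance policy: storageRequireEncryption is the "Require encryption of data storage on device" setting, and a block action with a zero-hour grace period is "mark device noncompliant immediately".

```powershell
# Added example (not from the original post): create the Windows 10 compliance
# policy from step 5 and assign it to the ConfigMgr-synced Azure AD group via Graph.
# Assumes the Microsoft.Graph PowerShell SDK and an account that may manage
# Intune compliance policies and read groups.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All', 'Group.Read.All'

# The group created in step 2 and populated by Configuration Manager in step 4.
$groupName = 'Co-managed compliance policies devices'
$group = Get-MgGroup -Filter "displayName eq '$groupName'" | Select-Object -First 1
if (-not $group) { throw "Azure AD group '$groupName' not found" }

# Windows 10 and later policy: require storage encryption, and block
# (mark noncompliant) immediately when the rule fails (grace period 0 h).
# ruleName 'PasswordRequired' is the conventional value the portal writes;
# it is a label, not an extra condition.
$policy = @{
    '@odata.type'            = '#microsoft.graph.windows10CompliancePolicy'
    displayName              = 'Co-managed - require encryption'
    description              = 'Pilot policy for the compliance policies workload'
    storageRequireEncryption = $true
    scheduledActionsForRule  = @(
        @{
            ruleName                      = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{
                    actionType                = 'block'
                    gracePeriodHours          = 0
                    notificationTemplateId    = ''
                    notificationMessageCCList = @()
                }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies' `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType 'application/json'
"Created compliance policy $($created.displayName) with id $($created.id)"

# Assign the policy to the synced group (the equivalent of the Assignments tab).
$assignment = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $group.Id
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType 'application/json'
"Assigned policy $($created.id) to group $($group.DisplayName) ($($group.Id))"
```

Keeping the policy as code is useful beyond repeatability: the grace period and the assigned group are the two settings that decide how quickly a device is blocked once conditional access (part 6) is switched on, and a diff of this script is easier to review than a screenshot of the portal.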

Step 6. Check the client

Log on to the client computer that you added to the compliance policy workload collection and open the Configuration Manager control panel item. Once the Configuration Manager client receives the new policy, the co-management capabilities value changes from 1 to 3, as shown here. Ben's blog post explains what the individual capability values mean.

co-management capabilities 3.png

The same switch is recorded in CoManagementHandler.log, found with the other client logs in C:\Windows\CCM\Logs.

setting flag to 3.png

The registry value it refers to is CoManagementFlags under HKLM\SOFTWARE\Microsoft\CCM.

reg key.png

Next, we decrypted the device (turned BitLocker off) so that it would fail the compliance policy.

fully decrypted.png

If you now check the device in Endpoint Manager under Devices, it shows up as Not Compliant; Intune, not Configuration Manager, is now evaluating its compliance.

Not Compliant.png

You can drill deeper in the Device Compliance node of the device itself.

Device Compliance.PNG

Click the Error entry to see why the setting failed.

remeditation failed.PNG

Next, we allowed BitLocker to encrypt the device again.

fully encrypted.png

After the device has checked in with Endpoint Manager and reported its compliance state, the device is shown as Compliant. Note that compliance is only re-evaluated at check-in, so there is a delay between finishing encryption and the portal reflecting it.

Compliant in MEM.PNG

Finally, you can look at the individual compliance settings on the device itself.

device compliance compliant.PNG
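A client-side check that ties together what step 6 shows in screenshots: the CoManagementFlags value and its compliance bit, the matching entries in CoManagementHandler.log, and the BitLocker state the encryption rule will be evaluated against. This is an added example, not part of the original post. It assumes the registry path and log location given above, treats CoManagementFlags as a bitmask in which bit 1 is co-management enabled and bit 2 is the compliance policies workload (the 1 to 3 change the post describes), and must be run in an elevated PowerShell session on the co-managed client.

```powershell
# Added example (not from the original post): confirm on a co-managed client that the
# compliance workload has moved to Intune and predict the outcome of the encryption rule.
# Run elevated. Assumes the ConfigMgr client stores CoManagementFlags under
# HKLM\SOFTWARE\Microsoft\CCM and writes CoManagementHandler.log to C:\Windows\CCM\Logs.

function Get-CoManagementState {
    # CoManagementFlags is a bitmask; the post shows it moving from 1 to 3.
    # Bit 1 = co-management enabled, bit 2 = compliance policies workload on Intune.
    # Other bits cover the remaining workloads and are not decoded here.
    $flags = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM' -Name CoManagementFlags).CoManagementFlags
    [pscustomobject]@{
        CoManagementFlags  = $flags
        CoManaged          = ($flags -band 1) -ne 0
        ComplianceOnIntune = ($flags -band 2) -ne 0
    }
}

function Get-CoManagementFlagLogLines {
    # The handler logs the flag change; show the most recent matching lines.
    $log = Join-Path $env:windir 'CCM\Logs\CoManagementHandler.log'
    Select-String -Path $log -Pattern 'CoManagementFlags|flag' |
        Select-Object -Last 5 | ForEach-Object Line
}

function Test-OsVolumeEncrypted {
    # What "Require encryption of data storage on device" will see on this client:
    # the OS volume must be fully encrypted with protection on, not merely in progress.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        MountPoint           = $os.MountPoint
        VolumeStatus         = $os.VolumeStatus        # FullyEncrypted / FullyDecrypted / ...InProgress
        ProtectionStatus     = $os.ProtectionStatus    # On / Off
        EncryptionPercentage = $os.EncryptionPercentage
        ExpectCompliant      = ($os.VolumeStatus -eq 'FullyEncrypted' -and $os.ProtectionStatus -eq 'On')
    }
}

$state = Get-CoManagementState
$state | Format-List
if (-not $state.ComplianceOnIntune) {
    Write-Warning 'Compliance workload is still on ConfigMgr; the Intune policy will not be evaluated here yet.'
}

'Recent CoManagementHandler.log entries about the flags:'
Get-CoManagementFlagLogLines

$enc = Test-OsVolumeEncrypted
$enc | Format-List
if (-not $enc.ExpectCompliant) {
    Write-Warning 'OS volume is not fully encrypted with protection on; expect Not Compliant after the next Intune check-in.'
}
```

The ExpectCompliant flag is a local prediction only; the authoritative result is what Intune reports after the device checks in, which is why the post shows the portal state changing only after check-in rather than the moment BitLocker finished.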

That's it for this part. See you in part 6, where we'll enable conditional access.

