Implementation Guide: Windows Co-Management with Workspace ONE and Local Domain GPOs

Introduction: Bridging Traditional and Modern Management

Windows co-management represents one of the most significant shifts in enterprise device management since the introduction of Group Policy. After implementing co-management across numerous enterprise environments, I’ve learned that success requires more than just technical configuration—it demands a fundamental rethinking of how we approach device management in the modern workplace.

This implementation guide walks you through establishing co-management between Workspace ONE UEM and traditional domain Group Policy Objects (GPOs). You’ll learn how to create a hybrid management approach that leverages the best of both worlds: the granular control of GPOs for domain-joined devices and the modern, cloud-first capabilities of Workspace ONE for comprehensive device lifecycle management.

[Figure: Windows Co-Management Architecture]

Understanding Co-Management Architecture

The Evolution of Windows Management

To understand why co-management is necessary, it’s important to recognize how Windows management has evolved and where traditional approaches fall short in modern environments.

Traditional Domain Management Limitations:

  • Network Dependency: GPOs require domain connectivity to apply and update
  • Limited Mobile Support: Poor experience for devices that are frequently off-network
  • Reactive Management: Policies apply during startup/login, not in real-time
  • Limited Visibility: Minimal reporting on policy application and device state
  • Complex Troubleshooting: Difficult to diagnose policy application issues

Modern Management Advantages:

  • Cloud-First Approach: Policies apply regardless of network location
  • Real-Time Management: Immediate policy application and device communication
  • Comprehensive Reporting: Detailed visibility into device state and compliance
  • Mobile-Optimized: Designed for modern, mobile-first work patterns
  • Simplified Troubleshooting: Clear audit trails and diagnostic information

Co-Management Benefits

Co-management allows organizations to leverage both traditional and modern management approaches, creating a comprehensive solution that addresses diverse business needs.

Strategic Advantages:

  • Gradual Transition: Migrate to modern management at your own pace
  • Best of Both Worlds: Leverage GPO maturity with modern management capabilities
  • Risk Mitigation: Maintain existing processes while introducing new capabilities
  • Flexibility: Choose the best management approach for each scenario
  • Future-Proofing: Prepare for cloud-first management while maintaining current investments

Technical Benefits:

  • Enhanced Visibility: Comprehensive device inventory and reporting
  • Improved Compliance: Real-time compliance monitoring and remediation
  • Better User Experience: Consistent management regardless of location
  • Simplified Operations: Unified management console for diverse device types

Planning Your Co-Management Strategy

Assessment and Readiness

Before implementing co-management, conduct a thorough assessment of your current environment and readiness for hybrid management.

Current State Assessment:

  1. Active Directory Environment:
    • Document current domain structure and OU design
    • Inventory existing GPOs and their purposes
    • Identify critical policies that must be maintained
    • Review Group Policy processing and inheritance
  2. Device Inventory:
    • Catalog all Windows devices and their management status
    • Identify device types and usage patterns
    • Document current compliance and security posture
    • Assess device hardware capabilities and OS versions
  3. Network Infrastructure:
    • Evaluate network connectivity patterns
    • Assess VPN usage and remote access capabilities
    • Review firewall rules and internet access policies
    • Document network segmentation and security controls

Readiness Checklist:

  • Technical Prerequisites:
    • Windows 10 version 1709 or later on target devices
    • Azure AD Connect configured for hybrid identity
    • Workspace ONE UEM environment properly configured
    • Appropriate licensing for co-management features
  • Organizational Readiness:
    • Executive sponsorship for management transformation
    • IT team training on modern management concepts
    • Change management processes for policy migration
    • User communication and training plans

Workload Distribution Strategy

One of the most critical decisions in co-management is determining which workloads to manage through which system. This requires careful analysis of your requirements and capabilities.

Workload Categories:

  1. Device Configuration:
    • Traditional GPO: Complex domain-specific settings, legacy applications
    • Modern Management: Security baselines, Windows Update policies
  2. Application Management:
    • Traditional GPO: Domain-joined application deployment, legacy MSI packages
    • Modern Management: Microsoft Store apps, modern application deployment
  3. Security and Compliance:
    • Traditional GPO: Domain security policies, audit settings
    • Modern Management: Device compliance, conditional access policies
  4. Windows Updates:
    • Traditional GPO: WSUS-based update management
    • Modern Management: Windows Update for Business, feature updates

Decision Framework:

Use this framework to decide which management approach to use for each workload:

  • Use Traditional GPO When:
    • Complex domain-specific configurations are required
    • Legacy applications need domain-based deployment
    • Existing processes are working well and change risk is high
    • Specific compliance requirements mandate traditional approaches
  • Use Modern Management When:
    • Devices are frequently off-network
    • Real-time policy application is needed
    • Enhanced reporting and visibility are required
    • Cloud-first approach aligns with business strategy

Workspace ONE UEM Configuration

Preparing Workspace ONE for Co-Management

Before enabling co-management, ensure your Workspace ONE environment is properly configured to work alongside existing domain infrastructure.

Organization Group Structure:

  1. Create Co-Management OGs:
    • Open Workspace ONE UEM Console
    • Navigate to Groups & Settings > Groups > Organization Groups
    • Create dedicated OGs for co-managed devices
    • Structure OGs to mirror your AD OU structure where appropriate
  2. Configure Group Settings:
    • Set appropriate enrollment restrictions
    • Configure device ownership settings
    • Set up user group mappings
    • Configure compliance policies

Directory Integration:

  1. Configure Active Directory Integration:
    • Navigate to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services
    • Add your Active Directory domain
    • Configure service account with appropriate permissions
    • Test directory connectivity and authentication
  2. Set Up User Synchronization:
    • Configure user sync schedules
    • Map AD attributes to Workspace ONE user fields
    • Set up group membership synchronization
    • Test user authentication and group assignments

Enrollment Configuration

Configure Workspace ONE to support co-management enrollment scenarios.

Windows Enrollment Settings:

  1. Configure Windows Platform Settings:
    • Navigate to Groups & Settings > All Settings > Devices & Users > Windows > Windows Desktop
    • Enable co-management support
    • Configure enrollment authentication methods
    • Set up device ownership determination
  2. Enrollment Profile Configuration:
    • Create enrollment profiles for co-managed devices
    • Configure authentication requirements
    • Set up automatic enrollment triggers
    • Configure enrollment restrictions and policies

Certificate Configuration:

  1. Set Up Certificate Authority Integration:
    • Navigate to Groups & Settings > All Settings > System > Enterprise Integration > Certificate Authority
    • Configure connection to your enterprise CA
    • Set up certificate templates for device authentication
    • Configure automatic certificate enrollment
  2. Certificate Profiles:
    • Create certificate profiles for co-managed devices
    • Configure certificate deployment policies
    • Set up certificate renewal procedures
    • Test certificate issuance and installation

Group Policy Configuration

Preparing GPOs for Co-Management

Modify your existing Group Policy infrastructure to work effectively with co-management.

GPO Analysis and Cleanup:

  1. Inventory Existing GPOs:
    • Open Group Policy Management Console
    • Document all existing GPOs and their purposes
    • Identify conflicting or redundant policies
    • Review GPO inheritance and processing order
  2. Identify Co-Management Conflicts:
    • Review policies that might conflict with Workspace ONE
    • Identify settings that should be managed by modern management
    • Document policies that must remain in GPO
    • Plan for policy migration or consolidation
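As an added example (not code from the original guide), the following PowerShell inventories every GPO in the domain, flags unlinked or empty GPOs for cleanup, and marks GPOs whose Administrative Template categories touch workloads that co-management typically hands to Workspace ONE. It assumes the GroupPolicy RSAT module on a domain-joined admin host; the category patterns are an illustrative assumption to align with your own ownership matrix.

```powershell
Import-Module GroupPolicy

# Administrative Template categories that overlap with workloads usually moved to modern
# management. This list is an illustrative assumption; align it with your ownership matrix.
$OverlapCategories = @(
    '*Windows Update*',                            # WSUS vs Windows Update for Business
    '*MDM*',                                       # MDM enrollment policies
    '*Microsoft Defender*', '*Windows Defender*'   # security baseline overlap
)

$report = foreach ($gpo in Get-GPO -All) {
    # Get-GPOReport returns the XML report as a string when no -Path is given.
    [xml]$xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $links = @($xml.GPO.LinksTo)                            # empty for an unlinked GPO
    $hasComputer = $null -ne $xml.GPO.Computer.ExtensionData
    $hasUser     = $null -ne $xml.GPO.User.ExtensionData

    # Each Administrative Template setting carries a <Category> element; match them
    # regardless of the namespace prefix (q1:, q2:, ...) the report assigns.
    $categories = @($xml.SelectNodes('//*[local-name()="Category"]') | ForEach-Object { $_.InnerText })
    $overlaps = @($categories | Where-Object {
        $cat = $_
        @($OverlapCategories | Where-Object { $cat -like $_ }).Count -gt 0
    } | Sort-Object -Unique)

    [pscustomobject]@{
        Name        = $gpo.DisplayName
        Id          = $gpo.Id
        Status      = $gpo.GpoStatus
        LinkCount   = $links.Count
        LinkedTo    = ($links | ForEach-Object { $_.SOMPath }) -join '; '
        Empty       = -not ($hasComputer -or $hasUser)
        OverlapsMDM = $overlaps.Count -gt 0
        Overlaps    = $overlaps -join '; '
        Modified    = $gpo.ModificationTime
    }
}

# Cleanup candidates: unlinked or empty. Ownership-matrix candidates: overlapping categories.
$report | Where-Object { $_.LinkCount -eq 0 -or $_.Empty } | Format-Table Name, LinkCount, Empty, Modified
$report | Where-Object OverlapsMDM | Format-Table Name, LinkedTo, Overlaps -Wrap
$report | Export-Csv -Path .\gpo-inventory.csv -NoTypeInformation
```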

GPO Optimization for Co-Management:

  1. Create Co-Management Specific OUs:
    • Open Active Directory Users and Computers
    • Create OUs for co-managed devices
    • Structure OUs to support different management scenarios
    • Configure OU permissions and delegation
  2. Modify GPO Targeting:
    • Update GPO links to target appropriate OUs
    • Use WMI filters to target specific device types
    • Configure security filtering for co-managed devices
    • Test GPO application and inheritance

Policy Coordination

Establish clear boundaries between GPO and Workspace ONE management to avoid conflicts.

Policy Ownership Matrix:

Create a clear matrix defining which system manages each type of policy:

Policy Area            | GPO Management                     | Workspace ONE Management
-----------------------|------------------------------------|----------------------------------------
Security Baselines     | Domain-specific security settings  | Device compliance and security policies
Application Deployment | Legacy MSI packages, domain apps   | Modern apps, cloud-based applications
Windows Updates        | WSUS configuration (if retained)   | Windows Update for Business
Device Configuration   | Domain-specific settings           | User experience and modern settings

Conflict Resolution Procedures:

  1. Policy Precedence Rules:
    • Define clear precedence when policies overlap
    • Document which system takes priority for each setting
    • Establish procedures for resolving conflicts
    • Create testing procedures for policy changes
  2. Change Management:
    • Require coordination between GPO and Workspace ONE teams
    • Implement approval processes for policy changes
    • Establish testing requirements before production deployment
    • Create rollback procedures for problematic changes

Device Enrollment and Onboarding

Co-Management Enrollment Process

Establish streamlined processes for enrolling devices into co-management.

Automatic Enrollment Configuration:

  1. Configure Azure AD Auto-Enrollment:
    • Sign in to Azure Active Directory admin center
    • Navigate to Devices > Enroll devices > Windows enrollment
    • Configure automatic MDM enrollment
    • Set enrollment scope to include target user groups
  2. Group Policy Auto-Enrollment:
    • Create GPO for MDM enrollment
    • Configure Computer Configuration > Administrative Templates > Windows Components > MDM
    • Enable “Enable automatic MDM enrollment using default Azure AD credentials”
    • Link GPO to appropriate OUs
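The same GPO, created and linked from PowerShell instead of GPMC, as an added example that is not part of the original guide. It assumes the GroupPolicy RSAT module, rights to create and link GPOs, and an OU for co-managed devices; the GPO name and the OU distinguished name are placeholders.

```powershell
Import-Module GroupPolicy

$GpoName  = 'Co-Management - MDM Auto-Enrollment'                 # assumed name
$TargetOU = 'OU=CoManaged,OU=Workstations,DC=example,DC=com'      # placeholder OU
$MdmKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'

# Create the GPO only if it does not already exist, so the script can be re-run safely.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Enables automatic MDM enrollment using Azure AD credentials'
}

# These are the registry values the Administrative Template
# "Enable automatic MDM enrollment using default Azure AD credentials" writes:
#   AutoEnrollMDM        = 1  -> policy enabled
#   UseAADCredentialType = 1  -> User Credential (2 = Device Credential)
Set-GPRegistryValue -Guid $gpo.Id -Key $MdmKey -ValueName 'AutoEnrollMDM'        -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Guid $gpo.Id -Key $MdmKey -ValueName 'UseAADCredentialType' -Type DWord -Value 1 | Out-Null

# The policy is computer-side only; disable user settings so they are not processed.
$gpo.GpoStatus = 'UserSettingsDisabled'

# Link to the co-management OU unless it is already linked there.
$linked = (Get-GPInheritance -Target $TargetOU).GpoLinks | Where-Object { $_.GpoId -eq $gpo.Id }
if (-not $linked) {
    New-GPLink -Guid $gpo.Id -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# Show the stored values for verification before the next gpupdate on the clients.
Get-GPRegistryValue -Guid $gpo.Id -Key $MdmKey | Select-Object ValueName, Type, Value
```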

Manual Enrollment Procedures:

  1. User-Initiated Enrollment:
    • Provide users with enrollment instructions
    • Create self-service enrollment portals
    • Configure enrollment authentication methods
    • Set up enrollment status tracking
  2. IT-Assisted Enrollment:
    • Create procedures for IT-assisted enrollment
    • Develop enrollment scripts and tools
    • Train IT staff on enrollment procedures
    • Establish enrollment verification processes

Device Configuration and Policies

Configure initial policies and settings for co-managed devices.

Baseline Configuration Profiles:

  1. Create Device Configuration Profiles:
    • Navigate to Devices > Profiles & Resources > Profiles in Workspace ONE
    • Create baseline configuration profiles for co-managed devices
    • Configure essential security settings
    • Set up device restrictions and policies
  2. Compliance Policies:
    • Create compliance policies for co-managed devices
    • Configure minimum OS version requirements
    • Set up security requirement validation
    • Configure compliance actions and remediation

Application Deployment:

  1. Modern Application Deployment:
    • Configure Microsoft Store for Business integration
    • Set up Win32 application deployment
    • Create application assignment policies
    • Configure application update management
  2. Legacy Application Coordination:
    • Maintain GPO-based deployment for legacy apps
    • Coordinate application deployment between systems
    • Avoid duplicate application installations
    • Monitor application deployment success

Monitoring and Reporting

Unified Visibility

Establish comprehensive monitoring across both management systems.

Workspace ONE Reporting:

  1. Device Inventory Reports:
    • Navigate to Monitor > Reports & Analytics > Reports
    • Create custom reports for co-managed devices
    • Monitor enrollment status and device health
    • Track compliance and policy application
  2. Compliance Dashboards:
    • Set up compliance monitoring dashboards
    • Configure automated compliance reporting
    • Monitor policy application success rates
    • Track remediation actions and outcomes

Group Policy Monitoring:

  1. GPO Application Monitoring:
    • Use Group Policy Results and Group Policy Modeling
    • Monitor GPO processing events in Event Viewer
    • Set up centralized GPO reporting
    • Track policy application failures and conflicts
  2. Integration with SIEM:
    • Forward GPO events to SIEM systems
    • Correlate GPO and Workspace ONE events
    • Set up alerting for policy failures
    • Create unified security monitoring

Performance Monitoring

Monitor the performance impact of co-management on devices and infrastructure.

Device Performance Metrics:

  • Boot and Login Times: Monitor impact on device startup performance
  • Policy Processing Time: Track time required for policy application
  • Network Utilization: Monitor bandwidth usage for policy synchronization
  • Resource Consumption: Track CPU and memory usage of management agents

Infrastructure Performance:

  • Domain Controller Load: Monitor impact on AD infrastructure
  • Workspace ONE Performance: Track UEM server performance and capacity
  • Network Infrastructure: Monitor network impact of dual management
  • Certificate Services: Monitor CA performance and certificate issuance

Troubleshooting Co-Management Issues

Common Issues and Solutions

Based on my experience implementing co-management, here are the most common issues and their solutions.

Issue 1: Enrollment Failures

Symptoms: Devices fail to enroll in Workspace ONE or enrollment is incomplete

Troubleshooting Steps:

  1. Check Azure AD Registration:
    • Open Settings > Accounts > Access work or school
    • Verify device is connected to Azure AD
    • Check for any error messages or warnings
    • Test Azure AD connectivity and authentication
  2. Verify MDM Enrollment:
    • Check Settings > Accounts > Access work or school > Info
    • Look for MDM enrollment status
    • Review enrollment error messages
    • Check Workspace ONE enrollment logs
  3. Review Group Policy Settings:
    • Verify MDM enrollment GPO is applied
    • Check for conflicting policies
    • Review GPO processing logs
    • Test policy application manually
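The three checks above, collected in one elevated PowerShell session on the affected device, as an added example that is not from the original guide. It assumes Windows 10 1709 or later, that the MDM auto-enrollment GPO targets the machine, and that the enrollment client's scheduled task and Device Management event log are present (both are standard on those builds).

```powershell
function Get-CoManagementEnrollmentState {
    # 1. Azure AD / hybrid join state, parsed from the "Key : Value" lines of dsregcmd /status.
    $ds = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') { $ds[$matches[1]] = $matches[2] }
    }

    # 2. Values written by "Enable automatic MDM enrollment using default Azure AD credentials".
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM' -ErrorAction SilentlyContinue

    # 3. The scheduled task the enrollment client creates once that policy applies.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' -ErrorAction SilentlyContinue |
            Where-Object TaskName -like '*enrolling in MDM from AAD*'
    $taskInfo = if ($task) { $task | Get-ScheduledTaskInfo }

    # 4. A completed MDM enrollment leaves a GUID subkey with a ProviderID under Enrollments.
    $enroll = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
              ForEach-Object { Get-ItemProperty $_.PSPath } |
              Where-Object ProviderID

    # 5. Enrollment client errors from the last day (Level 2 = Error).
    $errors = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Level     = 2
        StartTime = (Get-Date).AddDays(-1)
    } -MaxEvents 10 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        AzureAdJoined        = $ds['AzureAdJoined']
        DomainJoined         = $ds['DomainJoined']
        TenantName           = $ds['TenantName']
        MdmUrl               = $ds['MdmUrl']
        AutoEnrollMDM        = $pol.AutoEnrollMDM
        UseAADCredentialType = $pol.UseAADCredentialType
        EnrollTaskPresent    = [bool]$task
        EnrollTaskLastResult = $taskInfo.LastTaskResult     # 0 = last run succeeded
        EnrollTaskLastRun    = $taskInfo.LastRunTime
        EnrolledProviders    = ($enroll.ProviderID | Sort-Object -Unique) -join ', '
        RecentErrors         = ($errors | ForEach-Object {
                                   "$($_.TimeCreated): $($_.Id) $($_.Message.Split("`n")[0])"
                               }) -join "`n"
    }
}

Get-CoManagementEnrollmentState | Format-List
```

A device that shows AzureAdJoined = YES, AutoEnrollMDM = 1 and a present task but no EnrolledProviders and a non-zero EnrollTaskLastResult points at the enrollment step itself; a missing task or missing policy values points back at GPO application.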

Issue 2: Policy Conflicts

Symptoms: Inconsistent policy application or unexpected device behavior

Resolution Steps:

  1. Identify Conflicting Policies:
    • Review both GPO and Workspace ONE policies
    • Use Group Policy Results to identify applied settings
    • Check Workspace ONE device details for applied profiles
    • Document conflicting settings and their sources
  2. Resolve Conflicts:
    • Modify policies to eliminate conflicts
    • Adjust policy precedence and targeting
    • Use WMI filters or security filtering to refine targeting
    • Test policy changes in isolated environment
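As an added example (not code from the original guide), this PowerShell makes the Windows Update overlap from the ownership matrix visible on a device: it reads the settings a GPO writes under HKLM\SOFTWARE\Policies and the values the Policy CSP records for MDM-delivered policy, reports where both channels set the same deferral, and shows whether the MDMWinsOverGP precedence switch (Policy CSP ControlPolicyConflict, Windows 10 1803 and later) is in effect. The PolicyManager registry path is the location where the Policy CSP mirrors applied values and is assumed here; run it elevated on a co-managed client.

```powershell
$GpoWU  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'              # GPO: Windows Update
$GpoAU  = "$GpoWU\AU"                                                            # GPO: Automatic Updates
$MdmWU  = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'         # Policy CSP: Update area
$MdmCpc = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict'

function Get-RegValueOrNull([string]$Path, [string]$Name) {
    # Return $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# Settings both channels can write with the same meaning and encoding, so values are
# directly comparable. Extend the list to match your ownership matrix.
$Pairs = @(
    @{ Setting = 'Feature update deferral (days)'; Name = 'DeferFeatureUpdatesPeriodInDays' }
    @{ Setting = 'Quality update deferral (days)'; Name = 'DeferQualityUpdatesPeriodInDays' }
)

$results = foreach ($p in $Pairs) {
    $g = Get-RegValueOrNull $GpoWU $p.Name
    $m = Get-RegValueOrNull $MdmWU $p.Name
    [pscustomobject]@{
        Setting  = $p.Setting
        GpoValue = $g
        MdmValue = $m
        BothSet  = ($null -ne $g) -and ($null -ne $m)
        # A conflict only when both channels set the value and disagree.
        Conflict = ($null -ne $g) -and ($null -ne $m) -and ($g -ne $m)
    }
}

# WSUS from GPO together with WUfB deferrals from MDM is the "both systems own updates" case.
$wsus = Get-RegValueOrNull $GpoAU 'UseWUServer'
$wufb = @($results | Where-Object { $null -ne $_.MdmValue }).Count -gt 0
$mdmWins = Get-RegValueOrNull $MdmCpc 'MDMWinsOverGP'   # 1 = MDM policy wins where both are set

$results | Format-Table -AutoSize
[pscustomobject]@{
    WsusFromGpo       = ($wsus -eq 1)
    WufbFromMdm       = $wufb
    DualUpdateControl = ($wsus -eq 1) -and $wufb
    MdmWinsOverGP     = $mdmWins
    WsusServer        = Get-RegValueOrNull $GpoWU 'WUServer'
} | Format-List
```

Rows with Conflict = True, or DualUpdateControl = True without a deliberate MdmWinsOverGP decision, are the settings to move to one owner in the matrix before widening the rollout.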

Issue 3: Performance Degradation

Symptoms: Slow device performance, extended login times, or high resource usage

Optimization Steps:

  1. Analyze Performance Impact:
    • Monitor device performance metrics
    • Identify resource-intensive processes
    • Review policy processing times
    • Check network utilization patterns
  2. Optimize Configuration:
    • Reduce policy processing frequency where possible
    • Optimize GPO structure and inheritance
    • Configure appropriate sync schedules
    • Implement policy caching strategies

Migration Planning and Execution

Phased Migration Strategy

Plan a phased approach to migrate from traditional to co-management.

Migration Phases:

  1. Phase 1: Pilot Group (Weeks 1-4)
    • Select 50-100 pilot devices
    • Implement basic co-management
    • Test core functionality and user experience
    • Gather feedback and refine processes
  2. Phase 2: Early Adopters (Weeks 5-8)
    • Expand to 500-1000 devices
    • Include diverse device types and user groups
    • Test advanced scenarios and edge cases
    • Refine policies and procedures
  3. Phase 3: Departmental Rollout (Weeks 9-16)
    • Roll out department by department
    • Implement department-specific policies
    • Provide user training and support
    • Monitor adoption and resolve issues
  4. Phase 4: Organization-wide (Weeks 17-24)
    • Complete organization-wide deployment
    • Optimize performance and policies
    • Implement advanced features
    • Plan for ongoing management and evolution

Success Metrics and KPIs

Define clear metrics to measure co-management success.

Technical Metrics:

  • Enrollment Success Rate: Percentage of devices successfully enrolled
  • Policy Compliance: Percentage of devices meeting compliance requirements
  • Performance Impact: Device performance metrics before and after co-management
  • Issue Resolution Time: Time to resolve co-management related issues

Business Metrics:

  • User Satisfaction: User experience surveys and feedback
  • IT Efficiency: Reduction in management overhead and support tickets
  • Security Posture: Improvement in security compliance and incident response
  • Operational Costs: Changes in management and support costs

Conclusion: Embracing Hybrid Management

Windows co-management with Workspace ONE and Group Policy represents a strategic approach to device management that bridges traditional and modern paradigms. Success requires careful planning, thoughtful implementation, and ongoing optimization.

Key success factors for co-management implementation:

  • Strategic Planning: Develop a clear vision for hybrid management
  • Gradual Implementation: Use phased approach to minimize risk
  • Clear Boundaries: Define which system manages each workload
  • Continuous Monitoring: Maintain visibility across both management systems
  • User Focus: Prioritize user experience throughout the transition

Co-management is not just a technical implementation—it’s a strategic transformation that positions your organization for the future of device management. By successfully implementing co-management, you create a foundation for modern workplace capabilities while maintaining the stability and control of traditional management approaches.

As your organization continues to evolve, co-management provides the flexibility to adapt your management strategy to changing business needs, user expectations, and technology capabilities. The investment in co-management today pays dividends through improved security, enhanced user experience, and reduced operational overhead.
