This cmdlet has one required parameter, AutoEnroll. This parameter determines if the Co-management setting deployment will force auto-enrollment with Intune. Aside from that, all others are optional and default to $false. Below is a quick reference for what the other parameters map to.

CAWorkloadEnabled = Compliance policies

RAWorkloadEnabled = Resource access policies

WufbWorkloadEnabled = Windows Updates Policies

EPWorkloadEnabled = Endpoint Protection

Notice anything odd? Office Click-to-Run apps is not an option! Device Configuration is also not, but that workload is implied by either Endpoint Protection or Resource Access policies. More on this later, for now let’s create our new policy, rename it and deploy it.

In my scenario I’m actively piloting everything except Office Click-to-Run apps and Windows Update policies. I would like to pilot those additional features, but only on a smaller subset of our pilot users. We will start with Windows Updates as there is a parameter available to us for this workload.