In order to walk you through the entire process of setting up the co-management feature, I am going to break this down into a number of parts;

Prepare Azure for Device registration, Allow users to join their devices to Azure AD

  1. Go to Azure Portal
  2. Click on Azure AD Directory – Users and groups – Device settings
    Set users may join devices to Azure AD to All. or you can select a user group.

Set up the Azure Services app in Configuration Manager Cloud Services

This connects your Configuration Manager site to Azure AD and is a prerequisite for all other operations in this section.
Azure AD User Discovery is configured as part of Cloud Management.

  1. Right-Click on Azure Serves, click on Configure Azure Service

  2. Choose install Cloud Management, give name as: Cloud Management (or anything that you like)

  3. Click on Browse… to add Web app

  4. Click on Create, you should see this dialog
    Homepage URL and Add ID URI is automatic assigned (I am using ConfigMgr TP 1711)
    If it is empty, input the following information as bellow picture.

  5. Click on Sign in… and logon to your Azure tenant

  6. Choose the ConfigMgr-ServerApp that you just created, then click OK.

  7. Click on Browse… to create Native client app
  8. Click on Create, you should see this dialog
    Reply URL is automatic assigned, if it is empty, input the following information as bellow picture

  9. Click on Sign in… and logon to your Azure tenant

  10. Choose the ConfigMgr-ClientApp that you just created, then click OK

  11. Click on Next.. Next.. to complete the wizard.

  12. NOTE: Few weeks ago when I tested this, it required logon to Intune portal, and grant permissions for these two Apps we just created.
    However when I tested today, I didn’t need to do that.
  13. Choose Azure ServicesCloud Management, right-click Azure Active Directory User Discovery, choose Run Full Discovery Now

  14. Check status from SMS_AZUREAD_DISCOVERY_AGENT.log


Configure client settings to allow cloud services.

If you have not setup client settings yet, follow steps from part 4.

Configure Co-management feature

  1. Click Cloud Services, right-click on Co-management, choose Configure co-management

  2. Click on Sign In. logon to your Azure tenant. Then Next.

  3. Choose Automatic enrollment in Intune: Pilot

    NOTE: if you don’t have cloud management gateway configured, you will get warning message like this:

  4. Chose the workloads that you would like to manage in Intune, and choose Pilot Intune

  5. Click on Browse… Choose your Pilot Co-Management collection as Pilot group

  6. Finish the wizard.


Verify client applied Co-Management setting

  1. Check log file CoManagementHandler.log
    CoManagementHandler.log is located on folder C:\Windows\CCM\Logs, before client applied Co-Management settings, it should shows:

    Merged value for setting ‘CoManagementSettings_AutoEnroll’ is ‘False’…Merged value for setting ‘CoMangemenSettings_Capabilities’ is ‘1’

    After client applied Co-Management setting, it should shows:

    Merged value for setting ‘CoManagementSettings_AutoEnroll’ is ‘true’…Merged value for setting ‘CoMangemenSettings_Capabilities’ is ‘3’

  2. Restart computer
  3. Log on as the user that is in MDM Users Collection group (See part 4)
  4. Setup PIN code for Windows Hello for business.

  5. Authenticate with Multi-Factor Authentication (MFA) method.

  6. You will see a new log file ADALOperationProvider.log shows up in folder C:\Windows\CCM\Logs.
    You  should see ADALOperationProvider.log like this:

  7.  Open Access Work or School dialog

    Before assigning Co-Management settings to Cliet03, Client03 is only domain joined:

    After assign Co-Management settings to Cliet03, Client 03 is Domain joined and enrolled to Azure AD, you will see “Info” button shows up.
    (You might need to log off and log on again, or restart computer)

  8. Run command: dsregcmd.exe /status
    Before assign Co-Management settings to Cliet03, Client03 is only domain joined, dsregcmd.exe /status results are:


    After assign Co-Management settings to Cliet03 and before restart Client03,  dsregcmd.exe /status results are:

  9. Open Intune Portal
    Client03 is controlled by Microsoft Intune, Managed by MDM/ConfigMgr Agent.

  10. Windows Update.
    If you configure use Pilot Intune to control Windows Update policies for Pilot Co-management collection, devices in Pilot Co-management collection will use Intune to control Windows update.

    Bellow image is from a device that not under Co-management control. Windows update is ConfigMgr managed.

    Feature flag is OFF, should be SCCM managed.

    Bellow image is from a device that is under Co-management control. Windows update is Intune managed.

    Feature flag is ON, device should be Intune managed.


Monitor co-management

  1. SQL View:

    SELECT * FROM ClientCoManagementState

    NOTE: A device is co-managed when the MDMEnrolled field and ComgmtPolicyPresent fields both have a value of 1

    Or this SQL query:

      INNER JOIN System_DISC ON ClientCoManagementState.MachineID = System_DISC.ItemKey
  2. ConfigMgr Admin Console Monitoring

Now we have finished setup Co-Management. Hope you enjoy this and happy testing!

Next in part 7, I will show you how to deploy ConfigMgr Client to AAD devices from Intune.



Sandy has been working in the IT industry since 2009. Primarily dealing with SCCM, MDT, Group Policy, software packaging, workstation problem solving. Sandy currently works for a large Finnish company with several thousand endpoints. In 2016, Sandy founded the blog and is now a guest blogger on SCConfigMgr.

There are no comments.

Leave a Reply