In order to walk you through the entire process of setting up the co-management feature, I am going to break this down into a number of parts;

Prepare Azure for Device registration, Allow users to join their devices to Azure AD

  1. Go to Azure Portal
  2. Click on Azure AD Directory – Users and groups – Device settings
    Set users may join devices to Azure AD to All. or you can select a user group.

Set up the Azure Services app in Configuration Manager Cloud Services

This connects your Configuration Manager site to Azure AD and is a prerequisite for all other operations in this section.
Azure AD User Discovery is configured as part of Cloud Management.

  1. Right-Click on Azure Serves, click on Configure Azure Service

  2. Choose install Cloud Management, give name as: Cloud Management (or anything that you like)

  3. Click on Browse… to add Web app

  4. Click on Create, you should see this dialog
    Homepage URL and Add ID URI is automatic assigned (I am using ConfigMgr TP 1711)
    If it is empty, input the following information as bellow picture.

  5. Click on Sign in… and logon to your Azure tenant

  6. Choose the ConfigMgr-ServerApp that you just created, then click OK.

  7. Click on Browse… to create Native client app
  8. Click on Create, you should see this dialog
    Reply URL is automatic assigned, if it is empty, input the following information as bellow picture

  9. Click on Sign in… and logon to your Azure tenant

  10. Choose the ConfigMgr-ClientApp that you just created, then click OK

  11. Click on Next.. Next.. to complete the wizard.

  12. Grant permissions for these two Apps we just created.
    Go to Azure Portal, Click on Azure Active Directory – App registrations.
    Find these two Apps we just created, click on Required permissions

    Then click on Grant Permissions, then click OK.
  13. Choose Azure ServicesCloud Management, right-click Azure Active Directory User Discovery, choose Run Full Discovery Now

  14. Check status from SMS_AZUREAD_DISCOVERY_AGENT.log

    If you didn’t do step.12 Grant permissions, you will see error message like this:


Configure client settings to allow cloud services.

If you have not setup client settings yet, follow steps from part 4.

Configure Co-management feature

  1. Click Cloud Services, right-click on Co-management, choose Configure co-management

  2. Click on Sign In. logon to your Azure tenant. Then Next.

  3. Choose Automatic enrollment in Intune: Pilot

    NOTE: if you don’t have cloud management gateway configured, you will get warning message like this:

  4. Chose the workloads that you would like to manage in Intune, and choose Pilot Intune

  5. Click on Browse… Choose your Pilot Co-Management collection as Pilot group

  6. Finish the wizard.


Verify client applied Co-Management setting

  1. Check log file CoManagementHandler.log
    CoManagementHandler.log is located on folder C:\Windows\CCM\Logs, before client applied Co-Management settings, it should shows:

    Merged value for setting ‘CoManagementSettings_AutoEnroll’ is ‘False’…Merged value for setting ‘CoMangemenSettings_Capabilities’ is ‘1’

    After client applied Co-Management setting, it should shows:

    Merged value for setting ‘CoManagementSettings_AutoEnroll’ is ‘true’…Merged value for setting ‘CoMangemenSettings_Capabilities’ is ‘3’

  2. Restart computer
  3. Log on as the user that is in MDM Users Collection group (See part 4)
  4. Setup PIN code for Windows Hello for business.

  5. Authenticate with Multi-Factor Authentication (MFA) method.

  6. You will see a new log file ADALOperationProvider.log shows up in folder C:\Windows\CCM\Logs.
    You  should see ADALOperationProvider.log like this:

  7.  Open Access Work or School dialog

    Before assigning Co-Management settings to Cliet03, Client03 is only domain joined:

    After assign Co-Management settings to Cliet03, Client 03 is Domain joined and enrolled to Azure AD, you will see “Info” button shows up.
    (You might need to log off and log on again, or restart computer)

  8. Run command: dsregcmd.exe /status
    Before assign Co-Management settings to Cliet03, Client03 is only domain joined, dsregcmd.exe /status results are:


    After assign Co-Management settings to Cliet03 and before restart Client03,  dsregcmd.exe /status results are:

  9. Open Intune Portal
    Client03 is controlled by Microsoft Intune, Managed by MDM/ConfigMgr Agent.

  10. Windows Update.
    If you configure use Pilot Intune to control Windows Update policies for Pilot Co-management collection, devices in Pilot Co-management collection will use Intune to control Windows update.

    Bellow image is from a device that not under Co-management control. Windows update is ConfigMgr managed.

    Feature flag is OFF, should be SCCM managed.

    Bellow image is from a device that is under Co-management control. Windows update is Intune managed.

    Feature flag is ON, device should be Intune managed.


Monitor co-management

  1. SQL View:

    SELECT * FROM ClientCoManagementState

    NOTE: A device is co-managed when the MDMEnrolled field and ComgmtPolicyPresent fields both have a value of 1

    Or this SQL query:

      INNER JOIN System_DISC ON ClientCoManagementState.MachineID = System_DISC.ItemKey
  2. ConfigMgr Admin Console Monitoring

Now we have finished setup Co-Management. Hope you enjoy this and happy testing!

Next in part 7, I will show you how to deploy ConfigMgr Client to AAD devices from Intune.



Sandy has been working in the IT industry since 2009. Primarily dealing with SCCM, MDT, Group Policy, software packaging, workstation problem solving. Sandy currently works for a large Finnish company with several thousand endpoints. In 2016, Sandy founded the blog and is now a guest blogger on SCConfigMgr.

  • Ram Lan
    Posted at 18:05 December 20, 2017
    Ram Lan

    Hi – I have completed all the parts (1-6). Not sure why, I am unable to enroll the device to MDM. The logs keeps reporting MDM enrollment failed.

    MDM enrollment failed with error code 0x80080300 ‘The background task activation is spurious.

    Unable to find any useful information through Google. How to troubleshoot this issue?

    Appreciate anybody input on the above.



  • Ram Lan
    Posted at 23:34 December 20, 2017
    Ram Lan

    Hi – Sorry, I did not mentioned which log. These are the logs (CoManagementHandler.log, ADALOperationProvider.log, WUAHandler.log).

    All the devices are Domain Joined. My home lab is Hybrid setup. There are no devices joined to Azure AD yet. I am going to join Win 10 v1710 virtual machine during this weekend to Azure AD.

    Thanks for mentioning about MDM auto enrollment not covered in your post.

    I will have a look at the link you shared for MDM auto enrollment.

    By the way what kind of lab setup you have at home?



  • Ram Lan
    Posted at 17:14 December 23, 2017
    Ram Lan

    Hi – Just an update. After 24 hours – MDM enrollment was successful on Windows 10 machine. Now it shows up in Intune. I will complete Part 7 during the holidays.


  • M Taylor
    Posted at 19:48 January 3, 2018
    M Taylor

    I have an SCCM environment that currently supports devices that are bound to one local domain but have multiple Azure tenants. Is it possible to have multiple Azure tenants configured in SCCM? Can SCCM co-management policies be created that connect to different Azure AD tenants?

    • Zeng Yinghua
      Posted at 00:23 January 18, 2018
      Zeng Yinghua

      As far as I know cannot have multiple Azure tenants configured in ConfigMgr, so as Co-Manangement.

  • Leave a Reply