How to setup Co-Management – Part 6 (Configure Co-management feature)

In order to walk you through the entire process of setting up the co-management feature, I am going to break this down into a number of parts;

• How to setup Co-Management – Part 1 (Roles and Certificates)
  
• How to setup Co-management – Part 2 (Create Certificates)
• How to setup Co-management – Part 3 (Cloud Management Gateway)
• How to setup Co-management – Part 4 (Management point and Software Update point)
• How to setup Co-management – Part 5 (Cloud Distribution point)
• How to setup Co-management – Part 6 (Setup Co-management in ConfigMgr) – This post
• How to setup Co-Management – Part 7 (Deploy ConfigMgr client to Azure AD joined devices from Intune)

Prepare Azure for Device registration, Allow users to join their devices to Azure AD

1. Go to Azure Portal
2. Click on Azure AD Directory – Users and groups – Device settings
   Set users may join devices to Azure AD to All. or you can select a user group.

   

Configure client settings to allow cloud services.

If you have not setup client settings yet, follow steps from part 4.

Configure Co-management feature

1. Click Cloud Services, right-click on Co-management, choose Configure co-management

   

2. Click on Sign In. logon to your Azure tenant. Then Next.

   

3. Choose Automatic enrollment in Intune: Pilot

   

   NOTE: if you don’t have cloud management gateway configured, you will get warning message like this:

   

4. Chose the workloads that you would like to manage in Intune, and choose Pilot Intune

   

5. Click on Browse… Choose your Pilot Co-Management collection as Pilot group

   

6. Finish the wizard.

Verify client applied Co-Management setting

This is for verify Co-management is working, I use Windows Hello for business as example.

1. Check log file CoManagementHandler.log
   CoManagementHandler.log is located on folder C:\Windows\CCM\Logs, before client applied Co-Management settings, it should shows:

   Merged value for setting ‘CoManagementSettings_AutoEnroll’ is ‘False’…Merged value for setting ‘CoMangemenSettings_Capabilities’ is ‘1’

   
   After client applied Co-Management setting, it should shows:

   Merged value for setting ‘CoManagementSettings_AutoEnroll’ is ‘true’…Merged value for setting ‘CoMangemenSettings_Capabilities’ is ‘3’

   

2. Restart computer
3. Log on as the user that is in MDM Users Collection group (See part 4)
4. If you have Windows Hello for business policy configured in Intune, you will get those settings and asks for setup PIN code.
   NOTE: Windows Hello for business is not requirement for Co-Management

   

5. If you have configured Multi-Factor Authentication (MFA) in Intune, you will get those settings and ask for MFA authentication.
   NOTE: MFA is not requirement for Co-Management.

   

6. You will see a new log file ADALOperationProvider.log shows up in folder C:\Windows\CCM\Logs.
   You  should see ADALOperationProvider.log like this:

   

7.  Open Access Work or School dialog

   Before assigning Co-Management settings to Cliet03, Client03 is only domain joined:
   

   

   After assign Co-Management settings to Cliet03, Client 03 is Domain joined and enrolled to Azure AD, you will see “Info” button shows up.
   (You might need to log off and log on again, or restart computer)

   

8. Run command: dsregcmd.exe /status
   Before assign Co-Management settings to Cliet03, Client03 is only domain joined, dsregcmd.exe /status results are:
   

   

    

   After assign Co-Management settings to Cliet03 and before restart Client03,  dsregcmd.exe /status results are:

   

9. Open Intune Portal
   Client03 is controlled by Microsoft Intune, Managed by MDM/ConfigMgr Agent.
   

   

10. Windows Update.
    If you configure use Pilot Intune to control Windows Update policies for Pilot Co-management collection, devices in Pilot Co-management collection will use Intune to control Windows update.

    

    Bellow image is from a device that not under Co-management control. Windows update is ConfigMgr managed.

    Feature flag is OFF, should be SCCM managed.

    
    

    

    
    Bellow image is from a device that is under Co-management control. Windows update is Intune managed.

    Feature flag is ON, device should be Intune managed.

    

    

Monitor co-management

1. SQL View:
   

   SELECT * FROM ClientCoManagementState

   

   NOTE: A device is co-managed when the MDMEnrolled field and ComgmtPolicyPresent fields both have a value of 1

   Or this SQL query:

   SELECT
     System_DISC.Name0, 
     ClientCoManagementState.MachineID, 
     System_DISC.User_Name0, 
     ClientCoManagementState.ComgmtEnabled, 
     ClientCoManagementState.CoMgmtWorkloadFlags, 
     ClientCoManagementState.MDMEnrolled, 
     ClientCoManagementState.ComgmtPolicyReceived, 
     ClientCoManagementState.LastMessageTime, 
     ClientCoManagementState.LastMessageStateID, 
     ClientCoManagementState.MDMRegistrationKind, 
     ClientCoManagementState.ScheduledEnrollTime, 
     ClientCoManagementState.EnrollmentBeginTime, 
     ClientCoManagementState.EnrollmentEndTime, 
     ClientCoManagementState.EnrollmentStatusCode, 
     ClientCoManagementState.EnrollmentErrorDetail
   FROM
     ClientCoManagementState 
     INNER JOIN System_DISC ON ClientCoManagementState.MachineID = System_DISC.ItemKey

2. ConfigMgr Admin Console Monitoring

   

Now we have finished setup Co-Management. Hope you enjoy this and happy testing!

Next in part 7, I will show you how to deploy ConfigMgr Client to AAD devices from Intune.

(7004)

Zeng Yinghua

Sandy is an Enterprise Mobility MVP since 2018. She has been working in the IT industry since 2009, primarily dealing with device management solution planning and implementation. Sandy has worked with SCCM, MDT, Group Policy, software packaging, problem solving. Sandy currently works for a large Finnish company with several thousand endpoints as system architect. In 2016, Sandy founded the https://thesccm.com blog and is now a guest blogger on SCConfigMgr.