How to setup Co-Management – Part 6 (Configure Co-management feature)
In order to walk you through the entire process of setting up the co-management feature, I have broken it down into a number of parts:
- How to setup Co-Management – Part 1 (Roles and Certificates)
- How to setup Co-management – Part 2 (Create Certificates)
- How to setup Co-management – Part 3 (Cloud Management Gateway)
- How to setup Co-management – Part 4 (Management point and Software Update point)
- How to setup Co-management – Part 5 (Cloud Distribution point)
- How to setup Co-management – Part 6 (Setup Co-management in ConfigMgr) – This post
- How to setup Co-Management – Part 7 (Deploy ConfigMgr client to Azure AD joined devices from Intune)
Prepare Azure AD for device registration (allow users to join their devices to Azure AD)
- Go to the Azure Portal.
- Click Azure Active Directory – Users and groups – Device settings.
- Set "Users may join devices to Azure AD" to All, or select a user group.
Configure client settings to allow cloud services.
If you have not set up client settings yet, follow the steps from Part 4.
Configure Co-management feature
- Click Cloud Services, right-click Co-management, and choose Configure co-management.
- Click Sign In and log on to your Azure tenant. Then click Next.
- Choose Automatic enrollment in Intune: Pilot.
NOTE: If you do not have a cloud management gateway configured, the wizard shows a prerequisites warning at this step (the comments below quote it as "Please ensure the proper prerequisites are installed"; one cause discussed there is a cloud management gateway connection point that is not bound to any cloud management gateway).
- Choose the workloads that you would like to manage in Intune, and choose Pilot Intune.
- Click Browse… and choose your Pilot Co-Management collection as the Pilot group.
- Finish the wizard.
Verify client applied Co-Management setting
To verify that Co-management is working, I use Windows Hello for Business as an example.
- Check the log file CoManagementHandler.log.
CoManagementHandler.log is located in C:\Windows\CCM\Logs. Before the client has applied the Co-Management settings, it shows: Merged value for setting 'CoManagementSettings_AutoEnroll' is 'False' … Merged value for setting 'CoManagementSettings_Capabilities' is '1'
After the client has applied the Co-Management settings, it shows: Merged value for setting 'CoManagementSettings_AutoEnroll' is 'true' … Merged value for setting 'CoManagementSettings_Capabilities' is '3'
- Restart the computer.
- Log on as a user that is in the MDM Users collection (see Part 4).
- If you have a Windows Hello for Business policy configured in Intune, you will receive those settings and be asked to set up a PIN.
NOTE: Windows Hello for Business is not a requirement for Co-Management.
- If you have configured Multi-Factor Authentication (MFA) in Intune, you will receive those settings and be asked for MFA authentication.
NOTE: MFA is not a requirement for Co-Management.
- A new log file, ADALOperationProvider.log, shows up in C:\Windows\CCM\Logs.
- Open the Access work or school dialog.
Before assigning Co-Management settings to Client03, Client03 is only domain joined.
After assigning Co-Management settings to Client03, Client03 is domain joined and registered in Azure AD, and an "Info" button shows up.
(You might need to log off and log on again, or restart the computer.)
- Run the command: dsregcmd.exe /status
Before assigning Co-Management settings to Client03, dsregcmd.exe /status reports Client03 as only domain joined.
After assigning Co-Management settings to Client03, and before restarting Client03, dsregcmd.exe /status reports the Azure AD join as well.
- Open the Intune portal.
Client03 is shown as controlled by Microsoft Intune, managed by MDM/ConfigMgr Agent.
- Windows Update.
If you configured Pilot Intune to control Windows Update policies for the Pilot Co-management collection, devices in that collection will use Intune to control Windows Update.
On a device that is not under Co-management control, Windows Update is ConfigMgr managed: the feature flag is OFF, so it should be SCCM managed.
On a device that is under Co-management control, Windows Update is Intune managed: the feature flag is ON, so the device should be Intune managed.
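Checking these client-side indicators by hand is fine for one machine; the script below does the same checks in PowerShell. It is an added example, not code from the original post or from ConfigMgr: it collects the "Merged value for setting" lines from CoManagementHandler.log (assumed to be in C:\Windows\CCM\Logs in CMTrace format), parses the Key : Value output of dsregcmd.exe /status, and reports whether auto-enrollment has been applied and the device is Azure AD joined. The function names are mine, and the embedded sample log and dsregcmd lines are constructed for the example, not captured from a real client; when the real log and tool are present, the script reads those instead.

```powershell
# Added example, not code from the original post. Assumptions: CoManagementHandler.log
# is in C:\Windows\CCM\Logs in CMTrace format, dsregcmd.exe is on the PATH, and the
# sample inputs below are constructed stand-ins used only when those are absent.

function Get-CoMgmtMergedSettings {
    # Collect the last "Merged value for setting '<name>' is '<value>'" per setting.
    # The handler logs the merged value on every policy evaluation, so the most
    # recent line for a setting is the one that reflects the current state.
    param([string[]]$LogLines)
    $settings = @{}
    foreach ($line in $LogLines) {
        if ($line -match "Merged value for setting '(?<name>[^']+)' is '(?<value>[^']*)'") {
            $settings[$Matches.name] = $Matches.value
        }
    }
    return $settings
}

function Get-DsregState {
    # Turn "Key : Value" lines from dsregcmd /status into a hashtable; the
    # box-drawing section headers and blank lines do not match and are skipped.
    param([string[]]$OutputLines)
    $state = @{}
    foreach ($line in $OutputLines) {
        if ($line -match '^\s*(?<key>[A-Za-z]+)\s*:\s*(?<value>.+?)\s*$') {
            $state[$Matches.key] = $Matches.value
        }
    }
    return $state
}

function Test-CoManagementApplied {
    param([hashtable]$Settings, [hashtable]$Dsreg)
    # String -eq is case-insensitive in PowerShell, so 'true' and 'True' both count.
    $autoEnroll = $Settings['CoManagementSettings_AutoEnroll'] -eq 'true'
    [pscustomobject]@{
        AutoEnroll    = $autoEnroll
        # The post observed Capabilities '1' before and '3' after the policy applied.
        Capabilities  = [int]$Settings['CoManagementSettings_Capabilities']
        AzureAdJoined = $Dsreg['AzureAdJoined'] -eq 'YES'
        DomainJoined  = $Dsreg['DomainJoined'] -eq 'YES'
        # Co-management needs both: the policy applied AND the device registered in Azure AD.
        CoManaged     = $autoEnroll -and ($Dsreg['AzureAdJoined'] -eq 'YES')
    }
}

# Constructed sample inputs (not real captures), used only when the real sources are absent.
$sampleLog = @'
<![LOG[Merged value for setting 'CoManagementSettings_AutoEnroll' is 'False']LOG]!><time="10:00:00.000+000" date="01-20-2018" component="CoManagementHandler" context="" type="1" thread="1234" file="comanagementhandler.cpp:1">
<![LOG[Merged value for setting 'CoManagementSettings_Capabilities' is '1']LOG]!><time="10:00:00.100+000" date="01-20-2018" component="CoManagementHandler" context="" type="1" thread="1234" file="comanagementhandler.cpp:1">
<![LOG[Merged value for setting 'CoManagementSettings_AutoEnroll' is 'true']LOG]!><time="10:30:00.000+000" date="01-20-2018" component="CoManagementHandler" context="" type="1" thread="1234" file="comanagementhandler.cpp:1">
<![LOG[Merged value for setting 'CoManagementSettings_Capabilities' is '3']LOG]!><time="10:30:00.100+000" date="01-20-2018" component="CoManagementHandler" context="" type="1" thread="1234" file="comanagementhandler.cpp:1">
'@ -split "`r?`n"

$sampleDsreg = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
'@ -split "`r?`n"

$logPath    = 'C:\Windows\CCM\Logs\CoManagementHandler.log'
$logLines   = if (Test-Path $logPath) { Get-Content $logPath } else { $sampleLog }
$dsregLines = if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) { & dsregcmd.exe /status } else { $sampleDsreg }

Test-CoManagementApplied -Settings (Get-CoMgmtMergedSettings $logLines) -Dsreg (Get-DsregState $dsregLines)
```

Run it in an elevated PowerShell on the pilot client after the policy cycle; with the constructed sample it reports AutoEnroll True, Capabilities 3, AzureAdJoined True and CoManaged True, which is the state the post describes for Client03 after the settings applied. Taking the last merged value per setting rather than the first matters, because the log keeps the earlier 'False' lines from before the policy arrived.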
Monitor co-management
- SQL view:
SELECT * FROM ClientCoManagementState
NOTE: A device is co-managed when the MDMEnrolled field and the ComgmtPolicyPresent field both have a value of 1.
Or this SQL query:
SELECT System_DISC.Name0,
       ClientCoManagementState.MachineID,
       System_DISC.User_Name0,
       ClientCoManagementState.ComgmtEnabled,
       ClientCoManagementState.CoMgmtWorkloadFlags,
       ClientCoManagementState.MDMEnrolled,
       ClientCoManagementState.ComgmtPolicyReceived,
       ClientCoManagementState.LastMessageTime,
       ClientCoManagementState.LastMessageStateID,
       ClientCoManagementState.MDMRegistrationKind,
       ClientCoManagementState.ScheduledEnrollTime,
       ClientCoManagementState.EnrollmentBeginTime,
       ClientCoManagementState.EnrollmentEndTime,
       ClientCoManagementState.EnrollmentStatusCode,
       ClientCoManagementState.EnrollmentErrorDetail
FROM ClientCoManagementState
INNER JOIN System_DISC ON ClientCoManagementState.MachineID = System_DISC.ItemKey
- ConfigMgr Admin Console Monitoring
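The query above returns raw columns; the PowerShell below is an added example (not from the original post or from ConfigMgr) that runs the same join from a script and turns each row into a co-managed yes/no plus the list of workloads switched to Intune. Assumptions: the site database is reachable with Windows authentication, and its server and name are passed as parameters (the defaults '.' and 'CM_PS1' are placeholders); the column names are those used in the query above, so the co-managed test uses MDMEnrolled and ComgmtPolicyReceived, whereas the note above refers to ComgmtPolicyPresent, so check which column your site's table or view exposes. The workload bit values are taken from Microsoft's co-management monitoring documentation for later ConfigMgr versions and are an assumption to verify against your version. The embedded sample rows are constructed, not real site data, and are used whenever -Live is not given.

```powershell
# Added example, not code from the original post. Run with -Live to query the
# site database; without it, the constructed sample rows below are evaluated.
param(
    [switch]$Live,
    [string]$SqlServer = '.',        # placeholder: your site database server
    [string]$Database  = 'CM_PS1'    # placeholder: your site database name
)

# Workload bit values as documented by Microsoft for later ConfigMgr versions
# (assumption; verify against your version). Bit value 1 marks co-management enabled.
$WorkloadBits = [ordered]@{
    CompliancePolicies     = 2
    ResourceAccessPolicies = 4
    DeviceConfiguration    = 8
    WindowsUpdatePolicies  = 16
    EndpointProtection     = 32
    ClientApps             = 64
    OfficeClickToRunApps   = 128
}

function ConvertTo-IntOrZero {
    # SQL NULL comes back as DBNull, which [int] cannot cast; treat it as 0.
    param($Value)
    if ($null -eq $Value -or $Value -is [DBNull]) { return 0 }
    return [int]$Value
}

function ConvertFrom-WorkloadFlags {
    # Bitwise AND the flags against each documented value; names of set bits come back.
    param([int]$Flags)
    $WorkloadBits.GetEnumerator() |
        Where-Object { ($Flags -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Get-CoMgmtStateRows {
    # Same join as the query above, trimmed to the columns used below.
    param([string]$Server, [string]$Db)
    $query = @"
SELECT s.Name0, c.MachineID, c.MDMEnrolled, c.ComgmtPolicyReceived,
       c.ComgmtWorkloadFlags, c.EnrollmentStatusCode, c.EnrollmentErrorDetail
FROM ClientCoManagementState c
INNER JOIN System_DISC s ON c.MachineID = s.ItemKey
"@
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList "Server=$Server;Database=$Db;Integrated Security=True"
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    $table = New-Object System.Data.DataTable
    $conn.Open()
    try { $table.Load($cmd.ExecuteReader()) } finally { $conn.Close() }
    return $table.Rows
}

function Get-CoMgmtSummary {
    param([object[]]$Rows)
    foreach ($row in $Rows) {
        $enrolled = (ConvertTo-IntOrZero $row.MDMEnrolled) -eq 1
        $policy   = (ConvertTo-IntOrZero $row.ComgmtPolicyReceived) -eq 1
        [pscustomobject]@{
            Name            = $row.Name0
            MDMEnrolled     = $enrolled
            PolicyReceived  = $policy
            # Co-managed only when both are set; either one alone is a half-finished state.
            CoManaged       = $enrolled -and $policy
            IntuneWorkloads = (ConvertFrom-WorkloadFlags (ConvertTo-IntOrZero $row.ComgmtWorkloadFlags)) -join ', '
            EnrollmentError = $row.EnrollmentErrorDetail
        }
    }
}

# Constructed sample rows (not real site data) in the shape the query returns.
$sampleRows = @(
    [pscustomobject]@{ Name0 = 'Client03'; MachineID = 16777220; MDMEnrolled = 1; ComgmtPolicyReceived = 1
                       ComgmtWorkloadFlags = 17; EnrollmentStatusCode = 0; EnrollmentErrorDetail = $null }
    [pscustomobject]@{ Name0 = 'Client04'; MachineID = 16777221; MDMEnrolled = 0; ComgmtPolicyReceived = 1
                       ComgmtWorkloadFlags = 1; EnrollmentStatusCode = 1; EnrollmentErrorDetail = 'constructed: enrollment still pending' }
)

$rows = if ($Live) { Get-CoMgmtStateRows -Server $SqlServer -Db $Database } else { $sampleRows }
Get-CoMgmtSummary -Rows $rows | Format-Table -AutoSize
```

With the constructed rows, Client03 (flags 17 = 1 + 16) reports CoManaged True with WindowsUpdatePolicies as the Intune workload, matching the Windows Update pilot configured above, while Client04 has the policy but no MDM enrollment yet and reports CoManaged False; that second state is the one to watch for, since the policy alone does not move any workload to Intune.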
Now we have finished setting up Co-Management. I hope you enjoyed this, and happy testing!
Next, in Part 7, I will show you how to deploy the ConfigMgr client to Azure AD joined devices from Intune.

Sandy has been an Enterprise Mobility MVP since 2018. She has worked in the IT industry since 2009, primarily on device management solution planning and implementation, including SCCM, MDT, Group Policy, software packaging and troubleshooting. Sandy currently works as a system architect for a large Finnish company with several thousand endpoints. In 2016, Sandy founded the https://thesccm.com blog, and she is now a guest blogger on SCConfigMgr.
Ram Lan
Hi – I have completed all the parts (1-6). Not sure why, but I am unable to enroll the device to MDM. The logs keep reporting that MDM enrollment failed.
MDM enrollment failed with error code 0x80080300 'The background task activation is spurious.'
I am unable to find any useful information through Google. How can I troubleshoot this issue?
I would appreciate anybody's input on the above.
Thanks
Ram
Zeng Yinghua
Hi, which logs are you checking? Does enrollment fail for domain-joined devices, or can you not enroll devices to Intune at all? Can you manually join a device to Azure AD and enroll it to Intune? In my posts I did not cover how to set up automatic MDM enrollment; I should have mentioned it. If you cannot join a device to Azure AD or automatically enroll it to MDM, you can take a look at this post, for example: https://docs.microsoft.com/en-us/intune/windows-enroll#enable-windows-10-automatic-enrollment and https://osddeployment.dk/2017/02/19/how-to-setup-automatic-mdm-enrollment-of-windows-10-with-azuread/
Ram Lan
Hi – Sorry, I did not mention which log. These are the logs (CoManagementHandler.log, ADALOperationProvider.log, WUAHandler.log).
All the devices are domain joined. My home lab is a hybrid setup. There are no devices joined to Azure AD yet. I am going to join a Windows 10 v1710 virtual machine to Azure AD this weekend.
Thanks for mentioning that MDM auto enrollment is not covered in your post.
I will have a look at the link you shared for MDM auto enrollment.
By the way, what kind of lab setup do you have at home?
Thanks
Ram
Ram Lan
Hi – Just an update. After 24 hours, MDM enrollment was successful on the Windows 10 machine. It now shows up in Intune. I will complete Part 7 during the holidays.
Ram
Zeng Yinghua
Awesome!
M Taylor
I have an SCCM environment that currently supports devices that are bound to one local domain but have multiple Azure tenants. Is it possible to have multiple Azure tenants configured in SCCM? Can SCCM co-management policies be created that connect to different Azure AD tenants?
Zeng Yinghua
As far as I know, you cannot have multiple Azure tenants configured in ConfigMgr, and the same applies to Co-Management.
Colin Ford
Just from my experience, it took around 20 minutes before I stopped getting authentication errors in SMS_AZUREAD_DISCOVERY_AGENT.log. Hope it helps anyone else 🙂
Adam Lee
Hi there,
Thanks for the invaluable guides btw.
While attempting to configure co-management, though, I'm getting the warning "Please ensure the proper prerequisites are installed" as shown above. I have the Cloud Management Gateway installed and working, so I'm not sure what the problem is or where to look; if anyone has any ideas, I would welcome any comments.
For now I'm having to enter the client app command line manually, but it would be nice to be able to click "copy". Also, I'm not sure if this warning has a bearing on anything else.
Cheers.
Zeng Yinghua
Hello, can you double-check under "Site system roles" – "Cloud management gateway connection point" whether it is configured to use any cloud management gateway?
Adam
haha. No it wasn’t!
Corrected now and problem solved.
Thanks a lot.
Zeng Yinghua
Hi Adam, you are welcome. This happens when a cloud management gateway was deleted and a new one was created. I have forgotten this many times myself. 🙂