In order to walk you through the entire process of setting up the co-management feature, I am going to break this down into a number of parts:

Prepare Azure for device registration: allow users to join their devices to Azure AD

  1. Go to the Azure Portal.
  2. Click Azure AD Directory – Users and groups – Device settings.
    Set "Users may join devices to Azure AD" to All, or select a user group.

Configure client settings to allow cloud services

If you have not set up client settings yet, follow the steps from part 4.

Configure Co-management feature

  1. Click Cloud Services, right-click Co-management, and choose Configure co-management.

  2. Click Sign In and log on to your Azure tenant. Then click Next.

  3. Choose Automatic enrollment in Intune: Pilot.

    NOTE: If you don’t have a cloud management gateway configured, you will get a warning message about missing prerequisites.

  4. Choose the workloads that you would like to manage in Intune, and choose Pilot Intune.

  5. Click Browse… and choose your Pilot Co-Management collection as the Pilot group.

  6. Finish the wizard.


Verify client applied Co-Management setting

  1. Check the log file CoManagementHandler.log.
    CoManagementHandler.log is located in the folder C:\Windows\CCM\Logs. Before the client has applied the Co-Management settings, it should show:

    Merged value for setting ‘CoManagementSettings_AutoEnroll’ is ‘False’…Merged value for setting ‘CoMangemenSettings_Capabilities’ is ‘1’


    After the client has applied the Co-Management settings, it should show:

    Merged value for setting ‘CoManagementSettings_AutoEnroll’ is ‘true’…Merged value for setting ‘CoMangemenSettings_Capabilities’ is ‘3’

  2. Restart the computer.
  3. Log on as a user that is in the MDM Users Collection group (see part 4).
  4. If you have a Windows Hello for Business policy configured in Intune, you will receive those settings and be asked to set up a PIN code.
    NOTE: Windows Hello for Business is not a requirement for Co-Management.

  5. If you have configured Multi-Factor Authentication (MFA) in Intune, you will receive those settings and be asked for MFA authentication.
    NOTE: MFA is not a requirement for Co-Management.

  6. You will see a new log file, ADALOperationProvider.log, show up in the folder C:\Windows\CCM\Logs.

  7. Open the Access work or school dialog.

    Before the Co-Management settings are assigned to Client03, Client03 is only domain joined.

    After the Co-Management settings are assigned to Client03, Client03 is domain joined and enrolled to Azure AD, and you will see an “Info” button show up.
    (You might need to log off and log on again, or restart the computer.)

  8. Run the command: dsregcmd.exe /status
    Before the Co-Management settings are assigned to Client03, Client03 is only domain joined, and dsregcmd.exe /status reports it as such.

    After the Co-Management settings are assigned to Client03, and before Client03 is restarted, dsregcmd.exe /status shows the Azure AD join as well.

  9. Open the Intune portal.
    Client03 is controlled by Microsoft Intune, managed by MDM/ConfigMgr Agent.

  10. Windows Update.
    If you configured Pilot Intune to control the Windows Update policies workload for the Pilot Co-management collection, devices in that collection will use Intune to control Windows Update.

    The following is from a device that is not under Co-management control; Windows Update is ConfigMgr managed:

    Feature flag is OFF, should be SCCM managed.

    The following is from a device that is under Co-management control; Windows Update is Intune managed:

    Feature flag is ON, device should be Intune managed.
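As an added example (not part of the original post), the following PowerShell script automates the checks from steps 1 and 8: it parses the "Merged value for setting" lines from CoManagementHandler.log and the output of dsregcmd.exe /status, and reports whether the client looks co-managed. The sample log lines and dsregcmd output are constructed, and the function names and the reading of the Capabilities value as a workload bitmask are my assumptions.

```powershell
# Added example, not from the original post: does this client look co-managed?

function Get-CoMgmtLogState {
    param([string[]]$LogLines)
    # Works on raw CMTrace lines too, since -match looks for a substring. Later lines win.
    $state = @{ AutoEnroll = $null; Capabilities = $null }
    foreach ($line in $LogLines) {
        if ($line -match "Merged value for setting '([^']+)' is '([^']+)'") {
            if ($Matches[1] -like '*AutoEnroll')   { $state.AutoEnroll   = ($Matches[2] -eq 'true') }
            if ($Matches[1] -like '*Capabilities') { $state.Capabilities = [int]$Matches[2] }
        }
    }
    [pscustomobject]$state
}

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    # dsregcmd /status prints "Name : VALUE" rows; collect them into a hashtable.
    $map = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') { $map[$Matches[1]] = $Matches[2] }
    }
    $map
}

function Test-CoManaged {
    param([string[]]$LogLines, [string[]]$DsregLines)
    $log = Get-CoMgmtLogState -LogLines $LogLines
    $ds  = ConvertFrom-DsregStatus -Lines $DsregLines
    # Assumption: Capabilities is a workload bitmask (the post shows 1 before, 3 after).
    [pscustomobject]@{
        AutoEnroll     = $log.AutoEnroll
        Capabilities   = $log.Capabilities
        DomainJoined   = ($ds['DomainJoined']  -eq 'YES')
        AzureAdJoined  = ($ds['AzureAdJoined'] -eq 'YES')
        LooksCoManaged = [bool]($log.AutoEnroll -and $log.Capabilities -gt 1 -and $ds['DomainJoined'] -eq 'YES' -and $ds['AzureAdJoined'] -eq 'YES')
    }
}

# Constructed sample input. On a real client use:
#   Get-Content 'C:\Windows\CCM\Logs\CoManagementHandler.log'  and  dsregcmd.exe /status
$logLines = @(
    "Merged value for setting 'CoManagementSettings_AutoEnroll' is 'False'",
    "Merged value for setting 'CoManagementSettings_Capabilities' is '1'",
    "Merged value for setting 'CoManagementSettings_AutoEnroll' is 'true'",
    "Merged value for setting 'CoManagementSettings_Capabilities' is '3'"
)
$dsLines = @('AzureAdJoined : YES', 'DomainJoined : YES')
Test-CoManaged -LogLines $logLines -DsregLines $dsLines
```

With the constructed input, LooksCoManaged comes back True; on a client that has not yet received the policy, AutoErroll stays False and the result is False.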


Monitor co-management

  1. SQL View:

    SELECT * FROM ClientCoManagementState

    NOTE: A device is co-managed when the MDMEnrolled field and ComgmtPolicyPresent fields both have a value of 1

    Or this SQL query:

    SELECT
      System_DISC.Name0, 
      ClientCoManagementState.MachineID, 
      System_DISC.User_Name0, 
      ClientCoManagementState.ComgmtEnabled, 
      ClientCoManagementState.CoMgmtWorkloadFlags, 
      ClientCoManagementState.MDMEnrolled, 
      ClientCoManagementState.ComgmtPolicyReceived, 
      ClientCoManagementState.LastMessageTime, 
      ClientCoManagementState.LastMessageStateID, 
      ClientCoManagementState.MDMRegistrationKind, 
      ClientCoManagementState.ScheduledEnrollTime, 
      ClientCoManagementState.EnrollmentBeginTime, 
      ClientCoManagementState.EnrollmentEndTime, 
      ClientCoManagementState.EnrollmentStatusCode, 
      ClientCoManagementState.EnrollmentErrorDetail
    FROM
      ClientCoManagementState 
      INNER JOIN System_DISC ON ClientCoManagementState.MachineID = System_DISC.ItemKey
  2. ConfigMgr Admin Console Monitoring

Now we have finished setting up Co-Management. I hope you enjoy this, and happy testing!

Next, in part 7, I will show you how to deploy the ConfigMgr client to AAD devices from Intune.



Sandy has been working in the IT industry since 2009. Primarily dealing with SCCM, MDT, Group Policy, software packaging, workstation problem solving. Sandy currently works for a large Finnish company with several thousand endpoints. In 2016, Sandy founded the http://thesccm.com blog and is now a guest blogger on SCConfigMgr.

Comments
  • Ram Lan, posted at 18:05 December 20, 2017

    Hi – I have completed all the parts (1-6). Not sure why, I am unable to enroll the device to MDM. The logs keep reporting MDM enrollment failed.

    MDM enrollment failed with error code 0x80080300 ‘The background task activation is spurious.’

    Unable to find any useful information through Google. How to troubleshoot this issue?

    Appreciate anybody input on the above.

    Thanks

    Ram

  • Ram Lan, posted at 23:34 December 20, 2017

    Hi – Sorry, I did not mention which log. These are the logs (CoManagementHandler.log, ADALOperationProvider.log, WUAHandler.log).

    All the devices are Domain Joined. My home lab is Hybrid setup. There are no devices joined to Azure AD yet. I am going to join Win 10 v1710 virtual machine during this weekend to Azure AD.

    Thanks for mentioning about MDM auto enrollment not covered in your post.

    I will have a look at the link you shared for MDM auto enrollment.

    By the way what kind of lab setup you have at home?

    Thanks

    Ram

  • Ram Lan, posted at 17:14 December 23, 2017

    Hi – Just an update. After 24 hours – MDM enrollment was successful on Windows 10 machine. Now it shows up in Intune. I will complete Part 7 during the holidays.

    Ram

  • M Taylor, posted at 19:48 January 3, 2018

    I have an SCCM environment that currently supports devices that are bound to one local domain but have multiple Azure tenants. Is it possible to have multiple Azure tenants configured in SCCM? Can SCCM co-management policies be created that connect to different Azure AD tenants?

    • Zeng Yinghua, posted at 00:23 January 18, 2018

      As far as I know, you cannot have multiple Azure tenants configured in ConfigMgr, nor for Co-Management.

  • Colin Ford, posted at 07:50 March 8, 2018

    Just from my experience, it took around 20 minutes before I stopped getting authentication errors in SMS_AZUREAD_DISCOVERY_AGENT.log. Hope it helps anyone else 🙂

  • Adam Lee, posted at 15:41 July 10, 2018

    Hi there,

    Thanks for the invaluable guides btw.

    While attempting to configure co-management though, I’m getting the warning “Please ensure the proper prerequisites are installed” as shown above. I have the Cloud Management Gateway installed and working so I’m not sure what the problem is or where to look, so if anyone has any ideas I would welcome any comments.

    For now I’m having to enter the client app command line manually but it would be nice to be able to click on “copy”. Also, I’m not sure if this warning has a bearing on anything else.

    Cheers.

    • Zeng Yinghua, posted at 18:36 July 10, 2018

      Hello, can you double check “site system roles”-“cloud management gateway connection point”, is it configured to use any cloud management gateway?

  • Adam, posted at 23:50 July 10, 2018

    haha. No it wasn’t!

    Corrected now and problem solved.

    Thanks a lot.

    • Zeng Yinghua, posted at 09:39 July 13, 2018

      Hi Adam, you are welcome. This happens when a cloud management gateway was deleted and a new one re-created. I forgot this many times myself. 🙂
