I was recently working with a customer who, as a lot of customers do, have a lab that also happens to be production. One of the things we were working on was implementing the configuration items and baselines needed for configuring and enabling wake on lan in the environment. However, as we were working through this we discovered that for some reason no matter what we did the CI’s would not get created.
Identifying the issue
This meant that we needed to take a trip down into the logs. After some digging around I found the following log entry in the CIAgent log.
CDCMAgent::CheckAgentEnabled - Configuration Policies are not enabled due to co-management. Request will be ignored.
That seems fairly simple enough – Co-Management is enabled and it’s set to Intune so of course the policies from ConfigMgr would be ignored. However, when I asked my customer if they had Co-Management enabled they said nope, and when I went and looked in the console I found they in fact did not have Co-Management enabled. At this point I was well and truly confused so we started with the basics maybe the client is hosed, and we re-installed the agent along with a few other basic trouble shooting steps. All of which came to nothing.
Finally, after numerous questions and digging through things in Azure etc I found that what had happened was that Co-Management at one point had been enabled and while enabled the compliance policies slider had been set to update via Intune. However, since it was enabled the CoMgmtSettings were deleted after testing they decided they weren’t ready to make the move to a fully co-managed environment. The challenge was that when they removed the CoMgmtSettings they did not move the workload sliders back to ConfigMgr. This caused all of the clients to assume they should still get policy for Compliance Baselines from Intune.
Fixing the issue
In order to resolve the issue the simplest way it so re-enable Co-Management this is of course really easy but we’ll run through it quickly. In your configuration Manager console navigate to “Administration -> Cloud Services -> Co-Management” Right click in the pane and select “Configure Co-Management” this will open the configuration panel.
You will then advance to the workloads pane, and to fix the configuration item issue make sure you set the slider all the way over to Intune for the compliance policies option (as that is currently who manages the policy).
You then need to choose your Pilot collection and allow the process to finish. Once this has completed, Re-Open the pane and if you want configuration manager to be the primary for the Compliance Policies move the slider back as depicted below.
Jordan has been working in the Industry since 2009. Since starting he’s worked with Active Directory, Group Policy, SCCM, SCOM and PowerShell. Jordan most recently worked in the healthcare industry as an SCCM Infrastructure Team lead supporting over 150,000 endpoints. Jordan currently works as a Senior consultant for TrueSec Inc in the U.S. Most recently his focus has been in SQL Reporting for SCCM, creation of PowerShell scripts to automate tasks and PowerBI.