Devices are not co-managed even though they are enrolled successfully

  • Question

  • Hi all,

    for quite some time now I'm trying to get all devices into the co-management state so I can move all workloads to Intune step by step. My issue here is that some devices are not co-managed even when most devices are and they are sharing the same configuration. So the affected devices are showing up in Intune but only as Managed by -> ConfigMgr instead of Co-managed.

    So what I did so far is

    • checked the licensing of the affected users
    • checked if auto-enrollment is set to "all" in intune
    • checked the Configuration Manager client settings for auto registering

    Following up is a CoManagementHandler Log file from one of the affected devices.

    Enrolling device to MDM... Try #1 out of 3 CoManagementHandler 24.07.2020 12:27:20 18108 (0x46BC)
    Set device to not externally managed CoManagementHandler 24.07.2020 12:27:20 18108 (0x46BC)
    Enrolling device with RegisterDeviceWithManagementUsingAADDeviceCredentials CoManagementHandler 24.07.2020 12:27:20 18108 (0x46BC)
    Failed to enroll with RegisterDeviceWithManagementUsingAADDeviceCredentials with error code 0x8018000a. CoManagementHandler 24.07.2020 12:27:20 18108 (0x46BC)
    Enrolling device with RegisterDeviceWithManagementUsingAADCredentials CoManagementHandler 24.07.2020 12:27:20 18108 (0x46BC)
    Device is already MDM enrolled. CoManagementHandler 24.07.2020 12:27:20 18108 (0x46BC)
    MDM enrollment succeeded CoManagementHandler 24.07.2020 12:27:20 18108 (0x46BC)
    Device is not MDM enrolled yet. All workloads are managed by SCCM. CoManagementHandler 24.07.2020 12:27:20 18108 (0x46BC)
    Value of CoManagementFlags retrieved: 0x1 CoManagementHandler 24.07.2020 12:27:20 18108 (0x46BC)
    Device is not provisioned CoManagementHandler 24.07.2020 12:27:20 18108 (0x46BC)
    Calculating hash with 32772 algorithm using 'Microsoft Enhanced RSA and AES Cryptographic Provider' CSP. CoManagementHandler 24.07.2020 12:27:20 18108 (0x46BC)
    StateID or report hash is changed. Sending up the report for state 110. CoManagementHandler 24.07.2020 12:27:20 18108 (0x46BC)
    Report detail: <ClientCoManagementMessage><MDMEnrollment><Enrolled Value="0" /><Provisioned Value="0" /><ServiceUri Value="https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc" /><RegistrationKind Value="6" /><ScheduledEnrollTime Value="07/24/2020 05:26:34" /><ErrorCode Value="1" /><ErrorDetail Value="Unzulässige Funktion.
    " /></MDMEnrollment><CoMgmtPolicy><Enabled Value="0" /><PolicyReceived Value="1" /><WorkloadFlags Value="1" /></CoMgmtPolicy></ClientCoManagementMessage> CoManagementHandler 24.07.2020 12:27:20 18108 (0x46BC)
    Executing 'INSERT CoMgmtState(EnrollmentPending,UseRandomization,LogonRetriesCount,ScheduledEnrollTime,EnrollStatusCode,EnrollErrorDetail,ExpectedWorkloadFlags,LastStateId,ReportHash) VALUES (1,1,0,1595568394,1,N'Unzulässige Funktion.
    ',255,110,N'FB7C5998C1676856B3EC2E75E4C86616EDC0C585')' CoManagementHandler 24.07.2020 12:27:20 18108 (0x46BC)
    Notifying settings agent to send report for 'ScopeId_043635DC-5E11-47D9-B49E-4E1DCB9CA37F/ConfigurationPolicy_7b69096d-e37b-4080-8086-672c99d74d5f' : 9 CoManagementHandler 24.07.2020 12:28:20 18108 (0x46BC)
    Processing GET for assignment (ScopeId_043635DC-5E11-47D9-B49E-4E1DCB9CA37F/ConfigurationPolicy_7b69096d-e37b-4080-8086-672c99d74d5f : 9) CoManagementHandler 24.07.2020 12:28:20 18108 (0x46BC)
    Getting/Merging value for setting 'CoManagementSettings_AutoEnroll' CoManagementHandler 24.07.2020 12:28:20 18108 (0x46BC)
    Merged value for setting 'CoManagementSettings_AutoEnroll' is 'true' CoManagementHandler 24.07.2020 12:28:20 18108 (0x46BC)
    Getting/Merging value for setting 'CoManagementSettings_Allow' CoManagementHandler 24.07.2020 12:28:20 18108 (0x46BC)
    Merged value for setting 'CoManagementSettings_Allow' is 'true' CoManagementHandler 24.07.2020 12:28:20 18108 (0x46BC)
    Getting/Merging value for setting 'CoManagementSettings_Capabilities' CoManagementHandler 24.07.2020 12:28:20 18108 (0x46BC)
    Merging workload flags 181 with 9 CoManagementHandler 24.07.2020 12:28:20 18108 (0x46BC)
    Merging workload flags 189 with 65 CoManagementHandler 24.07.2020 12:28:20 18108 (0x46BC)
    Merging workload flags 253 with 3 CoManagementHandler 24.07.2020 12:28:20 18108 (0x46BC)
    Merging workload flags 255 with 181 CoManagementHandler 24.07.2020 12:28:20 18108 (0x46BC)
    Merged value for setting 'CoManagementSettings_Capabilities' is '255' CoManagementHandler 24.07.2020 12:28:20 18108 (0x46BC)
    New merged workloadflags value with co-management max capabilities '4095' is '255' CoManagementHandler 24.07.2020 12:28:20 18108 (0x46BC)
    Device is not MDM enrolled yet. All workloads are managed by SCCM. CoManagementHandler 24.07.2020 12:28:20 18108 (0x46BC)
    Value of CoManagementFlags retrieved: 0x1 CoManagementHandler 24.07.2020 12:28:20 18108 (0x46BC)
    Checking MDM_ConfigSetting to get Intune Account ID CoManagementHandler 24.07.2020 12:28:20 18108 (0x46BC)
    Expected MDM_ConfigSetting instance is missing, can't retrieve Intune SA Account ID. CoManagementHandler 24.07.2020 12:28:20 18108 (0x46BC)
    Co-management is disabled but expected to be enabled. CoManagementHandler 24.07.2020 12:28:20 18108 (0x46BC)
    Workloads rules are not compliant. CoManagementHandler 24.07.2020 12:28:20 18108 (0x46BC)
    Notifying settings agent to send report for 'ScopeId_043635DC-5E11-47D9-B49E-4E1DCB9CA37F/ConfigurationPolicy_ab1e5be0-2e35-4995-9130-692783d6fdeb' : 6 CoManagementHandler 24.07.2020 12:28:20 18108 (0x46BC)
    Processing GET for assignment (ScopeId_043635DC-5E11-47D9-B49E-4E1DCB9CA37F/ConfigurationPolicy_ab1e5be0-2e35-4995-9130-692783d6fdeb : 6) CoManagementHandler 24.07.2020 12:28:20 18108 (0x46BC)
    Getting/Merging value for setting 'CoManagementSettings_AutoEnroll' CoManagementHandler 24.07.2020 12:28:20 18108 (0x46BC)
    Merged value for setting 'CoManagementSettings_AutoEnroll' is 'true' CoManagementHandler 24.07.2020 12:28:20 18108 (0x46BC)
    Getting/Merging value for setting 'CoManagementSettings_Allow' CoManagementHandler 24.07.2020 12:28:20 18108 (0x46BC)
    Merged value for setting 'CoManagementSettings_Allow' is 'true' CoManagementHandler 24.07.2020 12:28:20 18108 (0x46BC)
    Getting/Merging value for setting 'CoManagementSettings_Capabilities' CoManagementHandler 24.07.2020 12:28:20 18108 (0x46BC)
    Merging workload flags 9 with 65 CoManagementHandler 24.07.2020 12:28:20 18108 (0x46BC)
    Merging workload flags 73 with 3 CoManagementHandler 24.07.2020 12:28:20 18108 (0x46BC)
    Merging workload flags 75 with 181 CoManagementHandler 24.07.2020 12:28:20 18108 (0x46BC)
    Merged value for setting 'CoManagementSettings_Capabilities' is '255' CoManagementHandler 24.07.2020 12:28:20 18108 (0x46BC)
    New merged workloadflags value with co-management max capabilities '4095' is '255' CoManagementHandler 24.07.2020 12:28:20 18108 (0x46BC)
    Device is not MDM enrolled yet. All workloads are managed by SCCM. CoManagementHandler 24.07.2020 12:28:20 18108 (0x46BC)
    Value of CoManagementFlags retrieved: 0x1 CoManagementHandler 24.07.2020 12:28:20 18108 (0x46BC)

    I would really love to hear your opinions and suggestions on this issue; maybe I'm just missing a simple piece here.

    Thank you a lot for your attention and time in advance.

    Best

    Friday, July 24, 2020 2:38 PM

All replies

  • Have you reviewed https://docs.microsoft.com/en-gb/troubleshoot/mem/intune/troubleshoot-co-management-auto-enrolling?

    Have you validated that the systems are hybrid AAD or full AAD domain joined by running dsregcmd /status from an elevated command-prompt?

    Have you reviewed the User Device Registration and DeviceManagement-Enterprise-Diagnostic-Provider event logs on the clients?


    Jason | https://home.configmgrftw.com | @jasonsandys

    Friday, July 24, 2020 3:44 PM
  • Hi Jason,

    Yes, and I revisited the troubleshooting documentation for co-management. Since I have no specific error code for my scenario "The Configuration Manager client is installed and the device is registered successfully with Azure AD. However, the device isn't automatically enrolled in Intune and no errors are seen" there is only the advice to look up the co-management setup documentation, which I also did again. But since for most machines it is working just as it should, I was not able to find a solution there either.

    For dsregcmd I gathered some result from working and not working machines and compared the status results.
    Things which all not-working machines had in common are the following:

    Device State - Device Name is missing
    Device Details - DeviceAuthStatus is missing
    Diagnostic Data - Executing Account Name is missing

    Everything else is the same.

    For the EventLogs there were no warnings or error in the DeviceManagement-Enterprise-Diagnostic-Provider log and in the User Device Registration log I found a warning which says "Vorabprüfungsaufgaben für den automatischen Gerätebeitritt wurden abgeschlossen. Für das Gerät kann KEIN Beitritt ausgeführt werden, da kein Domänencontroller gefunden wurde. Das Gerät muss mit einem Netzwerk verbunden sein, das mit einem Active Directory-Domänencontroller verbunden ist." Which should translate into something like "Preliminary verification tasks for automatic device join have been completed. CANNOT join the device because no domain controller was found. The device must be connected to a network that is connected to an Active Directory domain controller." Which left me a bit confused since the device is working properly despite the Intune enrollment.

    Monday, July 27, 2020 3:01 PM
  • Devices can "work" properly using cached credentials if not connected to the domain. However, to complete HAADJ, a device must be connected to the domain.

    What does dsregcmd /status (run from an elevated command prompt) show?


    Jason | https://home.configmgrftw.com | @jasonsandys

    Monday, July 27, 2020 3:20 PM
    In fact most employees are working from home and, using DirectAccess or VPN, they are not connected "directly" to the domain. However, this device for example is shown as hybrid joined correctly to my understanding, since AAD shows this device as HAADJ.

    Dsregcmd /status from that same device (removed personal information):


    +----------------------------------------------------------------------+
    | Device State                                                         |
    +----------------------------------------------------------------------+

                 AzureAdJoined : YES
              EnterpriseJoined : NO
                  DomainJoined : YES
                    DomainName : removed

    +----------------------------------------------------------------------+
    | Device Details                                                       |
    +----------------------------------------------------------------------+

                      DeviceId : removed
                    Thumbprint : removed
     DeviceCertificateValidity : removed
                KeyContainerId : removed
                   KeyProvider : Microsoft Platform Crypto Provider
                  TpmProtected : YES

    +----------------------------------------------------------------------+
    | Tenant Details                                                       |
    +----------------------------------------------------------------------+

                    TenantName : removed
                      TenantId : removed
                           Idp : login.windows.net
                   AuthCodeUrl : https://login.microsoftonline.com/bbb4fb3f-6d53-4a76-9cbb-a5e3a825c924/oauth2/authorize
                AccessTokenUrl : https://login.microsoftonline.com/bbb4fb3f-6d53-4a76-9cbb-a5e3a825c924/oauth2/token
                        MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
                     MdmTouUrl : https://portal.manage.microsoft.com/TermsofUse.aspx
              MdmComplianceUrl : https://portal.manage.microsoft.com/?portalAction=Compliance
                   SettingsUrl : eyJVcmlzIjpbImh0dHBzOi8va2FpbGFuaTYub25lLm1pY3Jvc29mdC5jb20vIiwiaHR0cHM6Ly9rYWlsYW5pNy5vbmUubWljcm9zb2Z0LmNvbS8iXX0=
                JoinSrvVersion : 1.0
                    JoinSrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/device/
                     JoinSrvId : urn:ms-drs:enterpriseregistration.windows.net
                 KeySrvVersion : 1.0
                     KeySrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/key/
                      KeySrvId : urn:ms-drs:enterpriseregistration.windows.net
            WebAuthNSrvVersion : 1.0
                WebAuthNSrvUrl : https://enterpriseregistration.windows.net/webauthn/bbb4fb3f-6d53-4a76-9cbb-a5e3a825c924/
                 WebAuthNSrvId : urn:ms-drs:enterpriseregistration.windows.net
        DeviceManagementSrvVer : 1.0
        DeviceManagementSrvUrl : https://enterpriseregistration.windows.net/manage/bbb4fb3f-6d53-4a76-9cbb-a5e3a825c924/
         DeviceManagementSrvId : urn:ms-drs:enterpriseregistration.windows.net

    +----------------------------------------------------------------------+
    | User State                                                           |
    +----------------------------------------------------------------------+

                        NgcSet : NO
               WorkplaceJoined : NO
                 WamDefaultSet : ERROR

    +----------------------------------------------------------------------+
    | SSO State                                                            |
    +----------------------------------------------------------------------+

                    AzureAdPrt : NO
           AzureAdPrtAuthority : 
                 EnterprisePrt : NO
        EnterprisePrtAuthority : 

    +----------------------------------------------------------------------+
    | Diagnostic Data                                                      |
    +----------------------------------------------------------------------+

            AadRecoveryEnabled : NO
                   KeySignTest : PASSED

    +----------------------------------------------------------------------+
    | Ngc Prerequisite Check                                               |
    +----------------------------------------------------------------------+

                IsDeviceJoined : YES
                 IsUserAzureAD : NO
                 PolicyEnabled : NO
              PostLogonEnabled : YES
                DeviceEligible : YES
            SessionIsNotRemote : YES
                CertEnrollment : none
                  PreReqResult : WillNotProvision


    Monday, July 27, 2020 5:08 PM
  • Assuming that was run from an elevated command prompt, then it has an issue because it doesn't have a PRT. Based on the error message, I'd say it hasn't actually completed the necessary steps for HAADJ.

    Note that VPN and DirectAccess are no different than being on-prem assuming the traffic is allowed.

    I can't say 100% for sure, but this still looks like an issue, exactly as the event log notes, with connectivity between this system and your on-prem domain.


    Jason | https://home.configmgrftw.com | @jasonsandys

    Monday, July 27, 2020 5:25 PM
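    An added example, not code from the thread or from Microsoft: a PowerShell helper that parses dsregcmd /status output (live from an elevated prompt, or captured text like the block posted above) into a hashtable and reports the join and PRT state Jason is asking about. The function names, the finding texts and the sample lines are assumptions for illustration.

    ```powershell
    # Added example (not from the thread): turn "Key : Value" lines from dsregcmd /status
    # into a hashtable. Box borders (+---+) and section titles (| Name |) carry no colon
    # after a bare key, so they are skipped.
    function ConvertFrom-DsregcmdStatus {
        param([Parameter(Mandatory)][string[]]$Lines)
        $result = @{}
        foreach ($line in $Lines) {
            # Values such as AuthCodeUrl contain colons themselves; the key group stops at the first one.
            if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*)$') {
                $result[$Matches[1]] = $Matches[2].Trim()
            }
        }
        return $result
    }

    # Evaluate the hybrid Azure AD join prerequisites discussed in the thread.
    # Pass -StatusLines to analyse captured output; omit it to run dsregcmd on this device
    # (run the prompt elevated so the device context is shown).
    function Test-HybridJoinState {
        param([string[]]$StatusLines)
        if (-not $StatusLines) { $StatusLines = & dsregcmd.exe /status }
        $s = ConvertFrom-DsregcmdStatus -Lines $StatusLines
        $findings = New-Object System.Collections.Generic.List[string]
        if ($s['AzureAdJoined'] -ne 'YES') { $findings.Add('Device is not Azure AD joined') }
        if ($s['DomainJoined']  -ne 'YES') { $findings.Add('Device is not on-prem domain joined') }
        if ($s['AzureAdPrt']    -ne 'YES') { $findings.Add('No Azure AD PRT for the signed-in user') }
        if (-not $s.ContainsKey('DeviceAuthStatus')) { $findings.Add('DeviceAuthStatus missing from output') }
        if (-not $s['MdmUrl']) { $findings.Add('No MdmUrl; MDM enrollment discovery URL not present') }
        [pscustomobject]@{
            AzureAdJoined = $s['AzureAdJoined']
            DomainJoined  = $s['DomainJoined']
            AzureAdPrt    = $s['AzureAdPrt']
            MdmUrl        = $s['MdmUrl']
            Healthy       = ($findings.Count -eq 0)
            Findings      = $findings
        }
    }

    # Constructed sample shaped like the posted output (values are placeholders, not real device data).
    $sample = @'
                 AzureAdJoined : YES
              EnterpriseJoined : NO
                  DomainJoined : YES
                        MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
                    AzureAdPrt : NO
    '@ -split "`r?`n"

    # For the sample this reports Healthy = False with findings for the missing PRT and DeviceAuthStatus.
    Test-HybridJoinState -StatusLines $sample | Format-List
    ```

    Capturing dsregcmd /status from several machines into text files and feeding each to Test-HybridJoinState gives a quick side-by-side of the fields the thread compares (join state, PRT, DeviceAuthStatus).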
  • I just looked up dsregcmd status on a working device and this also says PRT "no".

    Do you think a dsregcmd /leave and /join would make sense to give it a try?

    I have to look up first how the device would be affected in this case.

    Monday, July 27, 2020 6:42 PM