Troubleshooting co-management eligibility devices using scripts feature in SCCM

Intune has a Co-management eligibility report (currently in preview) that evaluates which devices are eligible to be co-managed. To become co-managed, a device must be running Windows 10 and be joined to Azure Active Directory.

For the full set of Intune reports, refer to https://docs.microsoft.com/en-us/mem/intune/fundamentals/reports

The other day I was looking at Cloud attached devices (preview) in Endpoint Manager to review the co-management eligibility report. For more information about the Co-management eligibility report, see https://docs.microsoft.com/en-us/mem/intune/fundamentals/reports#co-management-eligibility-report-organizational

In the report's dropdown list, I am only interested in viewing the devices that need AAD join.


Generating the report reveals a large number of devices that need Azure AD join.


These devices are on-prem domain joined, but for some reason they are not hybrid Azure AD joined.

For on-prem devices to reach co-management, they must first be hybrid Azure AD joined before they enroll in Intune.

So I picked a device from this list and checked its status in the Azure AD portal: the hybrid Azure AD join shows as pending.

I logged in to the machine to check the event viewer logs for further troubleshooting.

On the problem PC, open cmd and run dsregcmd.exe /status. The output shows that the device is not hybrid Azure AD joined and AzureAdPrt : NO.

In the event viewer (Microsoft -> Windows -> User Device Registration -> Admin), I can see the following event.

Automatic registration failed at join phase.
Exit code: Unknown HResult Error code: 0x801c0002
Server error: The verification of the target computer's SID (S-1-5-21-1704617455-1677075968-155068508-164177.2021-11-30 15:38:59Z) signature failed. Device id: (147f3ddd-0c43-45d5-895b-54e8e18e39f9).
Tenant type: Federated
Registration type: fallback_sync
Debug Output:
joinMode: Join
drsInstance: azure
registrationType: fallback_sync
tenantType: Federated
tenantId: d0d068a1-f100-44e9-afeb-cdb37c8f5d07
configLocation: undefined
errorPhase: join
adalCorrelationId: undefined
adalLog:
undefined
adalResponseCode: 0x0

Based on the error code, the verification of the target computer's SID signature failed.
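To find every device-registration failure like the one above without opening Event Viewer by hand, the following PowerShell snippet (an added example, not part of the original post) reads the User Device Registration Admin log on the local machine and pulls the phase, exit code, device id and registration type out of each "Automatic registration failed" event. The log channel is the one shown above; the regular expressions are assumptions based on the message layout quoted in this post, and the function name is this example's own. Run it in an elevated prompt on the problem PC.

```powershell
# Added example: summarize "Automatic registration failed" events from the
# User Device Registration Admin log on the local machine.
# Run in an elevated PowerShell prompt on the problem PC.

$logName = 'Microsoft-Windows-User Device Registration/Admin'

function Get-DeviceRegistrationFailure {
    param(
        [int]$MaxEvents = 50,   # how many recent events to read
        [int]$Days = 7          # how far back to look
    )

    $events = Get-WinEvent -FilterHashtable @{
                  LogName   = $logName
                  StartTime = (Get-Date).AddDays(-$Days)
              } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -like 'Automatic registration failed*' }

    foreach ($e in $events) {
        $msg = $e.Message
        # Patterns below are assumptions based on the message layout quoted in this post
        $phase  = if ($msg -match 'failed at (\w+) phase')                 { $Matches[1] } else { 'n/a' }
        $exit   = if ($msg -match 'Error code:\s*(0x[0-9A-Fa-f]+)')       { $Matches[1] } else { 'n/a' }
        $devId  = if ($msg -match 'Device id:\s*\(?([0-9a-fA-F-]{36})\)?') { $Matches[1] } else { 'n/a' }
        $regTyp = if ($msg -match 'Registration type:\s*(\S+)')           { $Matches[1] } else { 'n/a' }
        $tenant = if ($msg -match 'Tenant type:\s*(\S+)')                  { $Matches[1] } else { 'n/a' }

        [pscustomobject]@{
            TimeCreated      = $e.TimeCreated
            EventId          = $e.Id
            Phase            = $phase
            ExitCode         = $exit
            # True when the server complained about the computer SID signature, as in this post
            SidSignature     = [bool]($msg -match 'SID .* signature failed')
            DeviceId         = $devId
            RegistrationType = $regTyp
            TenantType       = $tenant
        }
    }
}

# Newest first; a repeated exit code (0x801c0002 in this post) stands out quickly
Get-DeviceRegistrationFailure |
    Sort-Object TimeCreated -Descending |
    Format-Table TimeCreated, EventId, Phase, ExitCode, SidSignature, DeviceId, RegistrationType -AutoSize
```

The DeviceId column is the value to compare against the device object in the Azure AD portal: if the id in the event does not match the pending object there, the registration is stale and the remove-and-rejoin steps below apply.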

For further troubleshooting, as step 1, I removed the device from Azure AD, waited for the Azure AD Connect sync (how long depends on the sync schedule you have configured) and ran the workplace join task (Automatic-Device-Join) located in Task Scheduler under Microsoft -> Windows -> Workplace Join.

This time the device completed the hybrid Azure AD join, its status appears in the Azure AD portal, and finally the device is co-managed.

The next step is to fix the remaining devices from the list that are neither hybrid Azure AD joined nor co-managed.

The steps are: 1) remove the devices from the Azure AD portal, 2) run the automatic device join task using SCCM (without rebooting the device).

1) Remove the devices from the Azure AD portal:

Create a PowerShell script with the following code, and save the device names (one per line) to Comanageddevices.txt in the same folder as the script.

<#
Description: Delete devices from Azure AD portal
Author: Eswar Koneti
Date: 04-Dec-2021
#>
$scriptpath = $MyInvocation.MyCommand.Path
$dir        = Split-Path $scriptpath
$date       = (Get-Date -f dd-MM-yyyy-hhmmss)
$inputfile  = "$dir\Comanageddevices.txt"
$Outfile    = "$dir\DevicesStatus.log"

Write-Host "Checking for MSOnline module..."
# -ListAvailable finds the module on disk, so the check works before it is imported
$Module = Get-Module -ListAvailable -Name "MSOnline"
if (!($Module)) {
    Write-Host
    Write-Host "MSOnline PowerShell module not installed..." -f Red
    Write-Host "Install by running 'Install-Module MSOnline' from an elevated PowerShell prompt" -f Yellow
    Write-Host "Script can't continue..." -f Red
    Write-Host
    exit
}
else
{
    Import-Module MSOnline
    "---------------Script started at $date" | Out-File $Outfile -Append
    Connect-MsolService
    $devices = Get-Content -Path $inputfile
    foreach ($pc in $devices)
    {
        # A stale registration can leave more than one object with the same name
        $details = @(Get-MsolDevice -Name $pc -ErrorAction SilentlyContinue)
        if ($details.Count -gt 0)
        {
            foreach ($d in $details)
            {
                try
                {
                    # Remove-MsolDevice returns nothing, so log only after it succeeds;
                    # -ErrorAction Stop turns a failure into a catchable exception
                    Remove-MsolDevice -DeviceId $d.DeviceId -Force -ErrorAction Stop
                    "Deleted the device $pc ($($d.DeviceId)) from Azure AD" | Out-File $Outfile -Append
                }
                catch
                {
                    "Failed to delete the device $pc from Azure AD: $($_.Exception.Message)" | Out-File $Outfile -Append
                }
            }
        }
        else
        {
            "Device $pc not found" | Out-File $Outfile -Append
        }
    }
}
# Re-read the clock so the completion line does not repeat the start time
"---------------Script completed at $(Get-Date -f dd-MM-yyyy-hhmmss)" | Out-File $Outfile -Append

2) Run the workplace join / device registration task using the Configuration Manager Scripts feature:

<#
Description: Check if the device is AAD/HAAD joined and has received a PRT; if not, start the device registration task.
Author: Eswar Koneti
Date: 04-Dec-2021
#>

# Keep the dsregcmd output in memory instead of writing a temporary file under C:\ProgramData
$status = dsregcmd.exe /status

# -match is case-insensitive, so "AzureAdPrt : YES" and "AzureAdPrt : Yes" both match
if ($status -match 'AzureAdPrt\s*:\s*YES')
{
    Write-Output "HAAD"
}
else
{
    Write-Output "Not HAAD"
    $task = Get-ScheduledTask -TaskPath "\Microsoft\Windows\Workplace Join\" -TaskName "Automatic-Device-Join" -ErrorAction SilentlyContinue
    if ($task)
    {
        # Enable the task in case it was disabled, then start it without waiting for its trigger
        $task | Enable-ScheduledTask -ErrorAction SilentlyContinue | Out-Null
        $task | Start-ScheduledTask -ErrorAction SilentlyContinue
    }
}
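As an added example that is not part of the original post and not the author's script, the following PowerShell builds on step 2: instead of searching for one line, it parses dsregcmd /status into a table of key/value pairs, reports DomainJoined, AzureAdJoined and AzureAdPrt as booleans, and starts the Automatic-Device-Join task only when the device is not hybrid joined or has no PRT. The function names and the -Remediate switch are this example's own; the field names are the ones dsregcmd prints. The final line emits one line of JSON per device, which is easy to read in the script output view.

```powershell
# Added example: parse "dsregcmd /status" into an object and report the
# hybrid join state of this device, optionally starting the registration task.
# Function names and the -Remediate switch are this example's own.

function ConvertFrom-DsregStatus {
    param([string[]]$Lines = (dsregcmd.exe /status))

    $state = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "   Key : Value" rows; section banners start with + or | and are skipped
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $key = $Matches[1] -replace '\s', ''
            # keep the first occurrence of each key
            if (-not $state.ContainsKey($key)) { $state[$key] = $Matches[2] }
        }
    }
    return $state
}

function Get-HybridJoinState {
    param([switch]$Remediate)

    $s = ConvertFrom-DsregStatus
    $domainJoined = $s['DomainJoined']  -eq 'YES'
    $aadJoined    = $s['AzureAdJoined'] -eq 'YES'
    $hasPrt       = $s['AzureAdPrt']    -eq 'YES'
    # Hybrid Azure AD joined means domain joined AND Azure AD joined
    $isHybrid     = $domainJoined -and $aadJoined

    $action = 'none'
    if (-not $isHybrid -or -not $hasPrt) {
        $action = 'registration-needed'
        if ($Remediate) {
            $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' `
                                      -TaskName 'Automatic-Device-Join' -ErrorAction SilentlyContinue
            if ($task) {
                $task | Enable-ScheduledTask -ErrorAction SilentlyContinue | Out-Null
                $task | Start-ScheduledTask  -ErrorAction SilentlyContinue
                $action = 'task-started'
            } else {
                $action = 'task-missing'
            }
        }
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        DomainJoined  = $domainJoined
        AzureAdJoined = $aadJoined
        HybridJoined  = $isHybrid
        AzureAdPrt    = $hasPrt
        DeviceId      = $s['DeviceId']
        TenantName    = $s['TenantName']
        Action        = $action
    }
}

# One line of JSON per device; drop -Remediate to only report without starting the task
Get-HybridJoinState -Remediate | ConvertTo-Json -Compress
```

Running the report-only form first (without -Remediate) across the device collection gives a quick count of how many devices are domain joined but not Azure AD joined, which is the population the post's remove-and-rejoin procedure targets; the DeviceId in the output is the value to match against the object deleted in step 1.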

Hope you find this article helpful.

Continue Reading

Azure Active Directory device management FAQ: https://docs.microsoft.com/en-us/azure/active-directory/devices/faq#general-faq

Troubleshoot hybrid Azure AD-joined devices: https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current

Pending devices in Azure Active Directory: https://docs.microsoft.com/en-us/troubleshoot/azure/active-directory/pending-devices
