Co-management is a feature that allows organizations to manage their devices using both Microsoft Intune and System Center Configuration Manager (ConfigMgr). This enables organizations to take advantage of the latest security features and cloud capabilities, such as conditional access and device compliance policies, while also being able to manage certain client actions without the need for access to the ConfigMgr console.
Some of the key benefits of co-management are:
Seamless transition: Co-management allows organizations to gradually transition from traditional management methods to modern management methods without disrupting their current workflow.
Increased security: Co-management enables organizations to take advantage of the latest security features, such as conditional access and device compliance policies, to protect their devices and data.
Improved management capabilities: Co-management gives organizations the ability to manage both Windows and mobile devices from a single console, making it easier to deploy apps, updates, and security policies.
Better end-user experience: Co-management allows organizations to provide their users with a better experience by giving them access to the latest features and apps.
Cost-effective: Co-management allows organizations to take advantage of existing ConfigMgr infrastructure, thus reducing the need for additional infrastructure and costs.
Better insights: With co-management, organizations can gain better insights into the health and security status of their devices, which can help them make more informed decisions about device management.
To enable co-management, you can go through Microsoft's documentation at https://learn.microsoft.com/en-us/mem/configmgr/comanage/tutorial-co-manage-clients
In this blog post, we will look at different methods for identifying devices with co-management status, specifically devices that are not co-managed for further troubleshooting.
1. Using Microsoft Intune portal
2. Using Endpoint Configuration Manager console (SCCM)
3. Using SQL report in Configuration Manager
4.Using PowerShell or Graph API. (not covered in this blog post,may be future post).
1. Using Microsoft Intune portal
Login to Endpoint Manager portal click on devices, click on Monitor.
Under the enrollment section, you will find Cloud attached devices (preview). This is still in preview at the time of writing this blog post.
In the summary page, you will find the co-management summary along with the workloads assigned to the device.
In the same section, click on reports
you will find 2 reports available. Click on Co-Management Eligibility
Click on the filer section and select the status.
For devices that are not co-managed, i have selected the following in the filer section.
click on Generate report.
It will take few seconds before you can download the data into csv for troubleshooting purpose.
This method generate the list of devices from the tenant irrespective of the region or country etc.
If you are scoped to manage the devices with co-management at different regions but not all ,then you will need to sort the devices based on the hostname or so. Lets review other methods.
2. Using Configuration Manager console
Using Configuration Manager console, we will create a collection or use built-in co-management status
Collection for devices that are not co-managed. Make sure the limiting collection is all workstation (create a custom) or update the following WQL query to exclude server endpoints.
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System join sms_combineddeviceresources on sms_combineddeviceresources.resourceid = sms_r_system.resourceid where sms_combineddeviceresources.CoManaged=0 and sms_combineddeviceresources.IsClient=1
This collection method is more controlled and we can apply a fix to the devices using scripts or package deployment etc.
If you want do a quick search in the console, to find the devices that are not co-managed, we can add filter criteria and search.
Using admin console, we can check the co-management status using monitoring node, co-management tab.
For more information about this chart, refer https://learn.microsoft.com/en-us/mem/configmgr/comanage/how-to-monitor
By clicking on the count on the enrollment error, we can see the list of devices that are failed to do co-management.
3. Using SQL report in Configuration Manager:
This is the last method in this blog post with SQL report.
Since there is huge data available in the SQL database about the client inventory and it helps us to create multiple reports based on the requirement.
For this post, the criteria is to get list of all workstations that are not co-managed.
As you can see above, from the specific collection, we got about 90 co-managed devices and 21 not co-managed devices. The 21 not co-managed devices are listed in the report for troubleshoot purpose.
This report has client information data along with last logon, HW scan, device last online and is the device ONLINE right now.
You can download the report from Github repository, upload to your reports and change the data source.
you can edit the report for more customizations at your risk.
The following are some of the troubleshooting guides that can you help to fix the issues.
Troubleshoot Configuration Management bootstrap with modern provisioning - Intune | Microsoft Learn
Troubleshooting Intune and Configuration Manager co-management workloads - Intune | Microsoft Learn
SCCM Right click tools for co-managed workloads
Thank you for reading the post.