Investigating Co-Management Issues with Windows Endpoints in SCCM/Intune

Managing Windows endpoints with SCCM (System Center Configuration Manager) and co-management enabled can be challenging, especially when dealing with co-management issues. In this post, I’ll share insights and troubleshooting steps to help you resolve issues with devices that are supposed to be co-managed by Intune but aren’t appearing as expected.

Background

I recently worked on a Power BI report designed to compare devices listed in Active Directory (AD) with those in Intune (via Log Analytics) based on their last logon status. The goal was to identify devices that are co-managed or Intune-enrolled. During this process, I noticed that hundreds of devices—both Windows 10 and Windows 11—were missing from Intune, displaying “Null” in the report, indicating no record of these devices in Intune.

Initial Investigation

Since these devices have SCCM agents and should be co-managed, Intune enrollment should have occurred via the co-management configuration. Devices that aren’t co-managed won’t receive any workloads that have been transitioned to Intune, which hinders effective management.

I decided to pick a handful of these devices to investigate why they weren’t showing as co-managed.

Troubleshooting Steps

Step 1: Check Device Status in Entra ID

1. Start by selecting a device from the Power BI report and searching for it in Entra ID (formerly Azure AD).
2. Verify if the device is hybrid-joined. As shown in the screenshot (not included here), hybrid join was successful, but the device was only managed by Microsoft Defender for Endpoint (MDE) rather than Intune—indicating that Intune enrollment wasn’t successful.

Step 2: Verify Device Status in the Intune Portal

1. Next, look up the device in the Intune portal.
2. In this case, the device was only showing as managed by MDE and SCCM through tenant attach but was not co-managed. This confirmed that the device wasn’t enrolled in Intune, and co-management hadn’t been properly set up.

Step 3: Review Device Status in SCCM

1. Search for the device in SCCM to verify its connection status.
2. The device was online, active, but not co-managed. This could be confirmed by checking the CoManagementHandler.log, which indicated that co-management was disabled.

   Log location: C:\Windows\CCM\Logs\CoManagementHandler.log

3. The log confirmed that co-management wasn’t enabled, which meant the device hadn’t enrolled in Intune.

Additional Checks

For devices that are successfully enrolled in Intune, a registry key confirms enrollment status, and Event Viewer logs can also provide useful troubleshooting information. For further guidance on diagnosing enrollment issues, refer to Microsoft’s documentation.

Solution and Script for Remediation

After identifying the root cause (event viewer, registry), I developed a script to automate the fix. This script clears the problematic registry entries and triggers re-enrollment, allowing devices to join Intune as co-managed devices.

The script can be run directly on affected devices or deployed via SCCM for a larger scale remediation. After running the script, you can check the CoManagementHandler.log to confirm that co-management is enabled and the device has successfully enrolled in Intune.

Final Verification

1. Confirm the device’s co-management status in the CoManagementHandler.log.
2. Check the Intune portal to ensure the device now appears as co-managed.

Download the remediation script from my GitHub Repository and follow the instructions to implement it.

The script does the following.

1.Deletes registry entries associated with co-management if enrolled via Microsoft’s Intune.

2.Initiates the device re-enrollment process using Device Enroller.
3. Runs the co-management compliance baseline rule to ensure proper policy synchronization.

This process should help you quickly identify and resolve co-management enrollment issues in your environment, allowing you to manage Windows endpoints more effectively in SCCM and Intune.