Channel: configmgr – All about Microsoft Endpoint Manager

Efficiently Identify Co-Managed Devices: Techniques and Tools


Co-management is a feature that allows organizations to manage their devices using both Microsoft Intune and System Center Configuration Manager (ConfigMgr). This enables organizations to take advantage of the latest security features and cloud capabilities, such as conditional access and device compliance policies, while also being able to manage certain client actions without the need for access to the ConfigMgr console.

Some of the key benefits of co-management are:

Seamless transition: Co-management allows organizations to gradually transition from traditional management methods to modern management methods without disrupting their current workflow.

Increased security: Co-management enables organizations to take advantage of the latest security features, such as conditional access and device compliance policies, to protect their devices and data.

Improved management capabilities: Co-management gives organizations the ability to manage both Windows and mobile devices from a single console, making it easier to deploy apps, updates, and security policies.

Better end-user experience: Co-management allows organizations to provide their users with a better experience by giving them access to the latest features and apps.

Cost-effective: Co-management allows organizations to take advantage of existing ConfigMgr infrastructure, thus reducing the need for additional infrastructure and costs.

Better insights: With co-management, organizations can gain better insights into the health and security status of their devices, which can help them make more informed decisions about device management.

To enable co-management, you can go through Microsoft's documentation at https://learn.microsoft.com/en-us/mem/configmgr/comanage/tutorial-co-manage-clients

In this blog post, we will look at different methods for identifying devices with co-management status, specifically devices that are not co-managed for further troubleshooting.

1. Using Microsoft Intune portal

2. Using Endpoint Configuration Manager console (SCCM)

3. Using SQL report in Configuration Manager

4. Using PowerShell or Graph API (not covered in this blog post; maybe a future post).

1. Using Microsoft Intune portal

Log in to the Endpoint Manager portal, click Devices, then click Monitor.

Under the Enrollment section you will find Cloud attached devices (preview). It was still in preview at the time of writing this blog post.


In the summary page, you will find the co-management summary along with the workloads assigned to the device.


In the same section, click Reports.

You will find two reports available. Click Co-Management Eligibility.

Click the filter section and select the status.

For devices that are not co-managed, I selected the following in the filter section.

Click Generate report.

It takes a few seconds before you can download the data as CSV for troubleshooting.

This method generates the list of devices from the whole tenant, irrespective of region or country.

If you are scoped to manage co-managed devices in some regions but not all, you will need to sort the devices by hostname or a similar attribute. Let's review the other methods.

2. Using Configuration Manager console

Using the Configuration Manager console, we will either create a collection or use the built-in co-management status view.

Collection for devices that are not co-managed. Make sure the limiting collection is all workstations (create a custom one) or update the following WQL query to exclude server endpoints.

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
join sms_combineddeviceresources on sms_combineddeviceresources.resourceid = sms_r_system.resourceid
where sms_combineddeviceresources.CoManaged = 0 and sms_combineddeviceresources.IsClient = 1


This collection method is more controlled, and we can apply a fix to the devices using scripts, package deployments, and so on.
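The same query run outside the console, as an added example that is not code from the original post: it sends the collection WQL to the SMS Provider, adds the server-OS exclusion the text asks for, and pulls the client-health columns the SQL report section lists so the output can be sorted by hostname. The provider host, site code and output path are assumed values.

```powershell
# Added example, not code from the original post: runs the post's collection WQL
# against the SMS Provider, adds the server exclusion the text asks for, and
# pulls the client health columns the SQL report section mentions.
# Assumed values: provider host, site code and output path.
param(
    [string]$ProviderHost = 'cm01.contoso.local',        # assumed SMS Provider server
    [string]$SiteCode     = 'ABC',                       # assumed site code
    [string]$OutFile      = "$env:TEMP\NotCoManaged.csv" # assumed output path
)

function Get-NotCoManagedWorkstation {
    param([string]$ProviderHost, [string]$SiteCode)

    # Same join as the console collection query, plus the OS filter so the
    # limiting collection no longer has to exclude servers.
    $wql = @"
select SMS_R_System.ResourceID, SMS_R_System.Name, SMS_R_System.ResourceDomainORWorkgroup,
       SMS_R_System.OperatingSystemNameandVersion,
       SMS_CombinedDeviceResources.ClientVersion, SMS_CombinedDeviceResources.LastLogonUser,
       SMS_CombinedDeviceResources.LastHardwareScan, SMS_CombinedDeviceResources.CNIsOnline
from SMS_R_System
join SMS_CombinedDeviceResources on SMS_CombinedDeviceResources.ResourceID = SMS_R_System.ResourceID
where SMS_CombinedDeviceResources.CoManaged = 0
  and SMS_CombinedDeviceResources.IsClient = 1
  and SMS_R_System.OperatingSystemNameandVersion not like "%Server%"
"@ -replace '\s+', ' '

    # A join through the SMS Provider returns one embedded object per joined class.
    Get-WmiObject -ComputerName $ProviderHost -Namespace "root\SMS\site_$SiteCode" -Query $wql |
        ForEach-Object {
            $sys = $_.SMS_R_System
            $cdr = $_.SMS_CombinedDeviceResources
            # LastHardwareScan is a CIM datetime string; convert it when present.
            $hwScan = if ($cdr.LastHardwareScan) {
                [System.Management.ManagementDateTimeConverter]::ToDateTime($cdr.LastHardwareScan)
            }
            [pscustomobject]@{
                ResourceID    = $sys.ResourceID
                Name          = $sys.Name
                Domain        = $sys.ResourceDomainORWorkgroup
                OS            = $sys.OperatingSystemNameandVersion
                ClientVersion = $cdr.ClientVersion
                LastLogonUser = $cdr.LastLogonUser
                LastHWScan    = $hwScan
                OnlineNow     = [bool]$cdr.CNIsOnline
            }
        }
}

# Sort by hostname so a regional scope (for example a site prefix) can be filtered afterwards.
$devices = @(Get-NotCoManagedWorkstation -ProviderHost $ProviderHost -SiteCode $SiteCode |
    Sort-Object Name)
$devices | Export-Csv -Path $OutFile -NoTypeInformation
"{0} client workstation(s) not co-managed; written to {1}" -f $devices.Count, $OutFile
```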

If you want to do a quick search in the console to find the devices that are not co-managed, add filter criteria and search.


In the admin console, we can check the co-management status in the Monitoring node, Co-management tab.

For more information about this chart, refer to https://learn.microsoft.com/en-us/mem/configmgr/comanage/how-to-monitor

By clicking the count on the enrollment error, we can see the list of devices that failed co-management enrollment.

3. Using SQL report in Configuration Manager:

This is the last method in this blog post: an SQL report.

There is a huge amount of data available in the SQL database about the client inventory, which lets us create multiple reports based on the requirement.

For this post, the criteria is to get the list of all workstations that are not co-managed.

As you can see above, from the specific collection we got about 90 co-managed devices and 21 not co-managed devices. The 21 not co-managed devices are listed in the report for troubleshooting.

This report has client information along with last logon, HW scan, device last online, and whether the device is online right now.

You can download the report from the GitHub repository, upload it to your reports, and change the data source.

You can edit the report for further customization at your own risk.

The following are some troubleshooting guides that can help you fix the issues.

Troubleshoot auto-enrolling existing Configuration Manager devices in Intune - Intune | Microsoft Learn

Troubleshoot Configuration Management bootstrap with modern provisioning - Intune | Microsoft Learn

Troubleshooting Intune and Configuration Manager co-management workloads - Intune | Microsoft Learn

SCCM Right click tools for co-managed workloads

Thank you for reading the post.


SCCM Right Click Tool Managed workloads of co-managed device


Co-management (cloud attach) enables you to manage Windows 10 or later devices simultaneously by using both Configuration Manager and Microsoft Intune. For more information about co-management, please refer here.

For a device to be co-managed, one of the prerequisites is that the Windows device must be connected to Azure AD, either hybrid Azure AD joined or Azure AD joined (cloud domain joined).

Currently, co-management supports the following workloads.


Let's assume you have enabled cloud attach (co-management) and have also moved some of the workloads, such as Windows updates and device compliance policies, to Intune.

The devices will receive the policies and start communicating with Microsoft Intune for the applied workloads.

If you want to know the workloads applied to a specific device for troubleshooting purposes, one way is to look at the Intune console: open the specific device and check the Intune-managed workloads on the Overview page.

The other way is to get the co-managed workload ID from the SCCM database and translate the workload ID into a descriptive value, as blogged by Ben.

Although there is a co-management dashboard view within the SCCM console, it is limited, and it is not possible to click the workloads to see further data.


And I cannot find any reports that show the workload information at a device level.

So, are you co-managed and interested in viewing the workloads applied to a specific device, including whether the device is hybrid Azure AD joined or Azure AD joined and other important information, in a one-click view from the Devices node of the SCCM console?

I have this covered for you in this blog post.

When you right-click a device in the SCCM console, you will see the Co-Mgmt workloads icon; click on it.


If the device is co-managed and workloads are switched to Intune or kept with ConfigMgr, you will see the status in the workloads section.


If the device is not co-managed, you will see a red indicator with the workload status Not Co-Managed. This is something you will need to troubleshoot further to get the device into a co-managed state.


This tool is not applicable to server OS, as co-management applies only to non-server OS (Windows 10 and later).

How to implement the changes?

Download the files (co-managed workloads.zip) from Github.

Right-click the zip file and unblock it.

Extract the files; you will find comanagement.workloads.ps1 and a folder.

Edit Co-mgmt.Workloads.xml located inside folder ed9dee86-eadd-4ac8-82a1-7234a4646e62

You need to edit line 19 for the location of the PowerShell script. You can copy the comanagement.workloads.ps1 to your ConfigMgr admin location or anywhere that you have access.

"G:\Program Files\Microsoft Configuration Manager\AdminConsole\bin\comanagement.workloads.ps1"

I copied it to the admin console install folder (bin).

Now, copy the folder (ed9dee86-eadd-4ac8-82a1-7234a4646e62) to XmlStorage\Extensions\Actions folder.

In my case, the actions folder is in G:\Program Files\Microsoft Configuration Manager\AdminConsole\XmlStorage\Extensions\Actions

Close the SCCM console (if it is already open) and launch it again to see the changes.

I hope you find this tool useful for troubleshooting!

If you have any feedback on this tool or would like more device data added to it, please comment below.

Addressing SCCM Software Update Deployment Challenges with PowerShell – Remote install


Blog post updated on 23 Oct, 2023

Problem:

A few weeks ago, a colleague of mine was performing monthly patch management on a bulk number of clients (servers). As part of it he made sure the maintenance window was in place and the software update deployment was configured correctly.

The maintenance window started and patches started installing. After a while he logged in (browsed the reports) to check the status of the deployed patches (software update groups) using reports. He found that 30-40% were compliant and the rest non-compliant (the majority) or unknown (very few).

By the time he found something wrong, he had only 1 hour left to finish the patching activity before the maintenance window closed; after the maintenance window passes the servers cannot be rebooted, and you need to confirm the patching status with the application teams so that they can perform application testing.

What to do now, and how to get these non-compliant servers fixed within 1 hour before the maintenance window elapses? Since there was not enough time to troubleshoot the clients and look for other methods to fix them, he preferred the manual method.

I got to know about this the next morning while chatting with him. I tried to look into the logs to find what the problem could be, but the logs had been overwritten and nothing was found for the previous day's issue.

The only status I got from him was that all updates available in Software Center were showing ‘Past due – will be installed’.

Solution:

If you ever get into such issues, I would suggest starting with one problem client for troubleshooting: go through the logs to check whether the client is waiting for a long enough maintenance window, whether updates are waiting for something to complete before they can start, and so on.

There could be various reasons why software updates failed or never even started on a client, and to troubleshoot you must check the logs. I have written a couple of articles on software update troubleshooting and reference guides.

http://eskonr.com/2015/04/sccm-2012-troubleshoot-client-software-update-issues/

http://eskonr.com/2016/10/sccm-configmgr-troubleshooting-guides-for-reference/

Coming to the problem: how do I force the installation of the updates that are available in Software Center if I don't have enough time to troubleshoot the issue, or how do I install the updates that have been made available on the client?

Well, we can use a PowerShell script to select all the updates available in Software Center and install them, followed by whatever is configured in the software update deployment, such as reboot or suppress reboot.

This script is also useful when some updates have failed for some reason (from reporting you can get the list of clients with their status) and you want to install them without logging in to the client.

Part of the script is taken from the book Microsoft System Center Software Update Management Field Experience (PDF); I modified it to log the output and read a text file for the list of clients.

<#
.SYNOPSIS
This script checks for missing software updates on the local system using the CCM_SoftwareUpdate WMI class.
If missing updates are found, it attempts to install them using the CCM_SoftwareUpdatesManager WMI class.

.DESCRIPTION
The script performs the following steps:
1. Queries the CCM_SoftwareUpdate class to retrieve missing updates with ComplianceState=0.
2. Checks if there are missing updates.
3. If missing updates are found, reformats the update information and attempts to install them.
4. Displays a success message or an error message based on the return value of the InstallUpdates method.

.NOTES
Name : Install-MissingUpdates.ps1
Author: Eswar Koneti @eskonr
#>

# Get missing updates (ComplianceState 0 = not installed)
$MissingUpdates = Get-WmiObject -Class CCM_SoftwareUpdate -Filter ComplianceState=0 -Namespace root\CCM\ClientSDK
# Wrap in @() so .Count also works when a single update is returned
$total = @($MissingUpdates).Count

# Check if there are missing updates
if ($MissingUpdates -and $total -gt 0) {
    # Reformat missing updates into the WMI object references InstallUpdates expects
    $MissingUpdatesReformatted = @($MissingUpdates | ForEach-Object { if ($_.ComplianceState -eq 0) { [WMI]$_.__PATH } })
    # Install missing updates
    $InstallReturn = Invoke-WmiMethod -ComputerName $env:computername -Class CCM_SoftwareUpdatesManager -Name InstallUpdates -ArgumentList (,$MissingUpdatesReformatted) -Namespace root\ccm\clientsdk

    if ($InstallReturn.ReturnValue -eq 0) {
        Write-Host "Initiated installation of $total updates."
    } else {
        Write-Host "Error installing updates. Return code: $($InstallReturn.ReturnValue)"
    }
} else {
    Write-Host "No missing updates found."
}

Download the complete PowerShell script from TechNet Gallery Here.


To run the script on remote computers, make sure you have enough permissions to connect to WMI on the remote computer and that RPC (dynamic) ports are open.

The script checks whether the account you are running it with has enough permissions on the remote computer; if yes it goes into the loop, otherwise it moves on to the next client to perform the check, and repeats.

The script pipes the information into a log file with the client name, targeted patches (approved patches), pending patches (including failed, waiting for MW, etc.), reboot pending, and finally Compliant if it has nothing in Software Center to install.

If a client has already installed all patches and is waiting for a reboot, I consider it compliant in the script, as it will be rebooted either manually or automatically based on the settings you configured in the deployment.
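The remote loop described above, as an added example that is not the script from the original post or the TechNet Gallery download: it reads hostnames from a text file, checks WMI access per client, records targeted, pending, failed, waiting-for-MW and reboot-pending counts to a CSV log, and triggers InstallUpdates on the clients that still have something to install. The two file paths are assumed values, and the reboot-pending-counts-as-compliant rule follows the post.

```powershell
# Added example, not the script from the original post: remote version of the
# local install logic above. Assumed values: the two file paths below.
param(
    [string]$ComputerList = 'C:\Temp\clients.txt',           # assumed path: one hostname per line
    [string]$LogFile      = 'C:\Temp\RemoteUpdateStatus.csv'  # assumed output path
)

$ns = 'root\ccm\ClientSDK'

function Get-ClientUpdateStatus {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Permission/reachability check first, as the post describes; skip the client on failure.
    try {
        $null = Get-WmiObject -ComputerName $ComputerName -Class Win32_OperatingSystem -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Computer = $ComputerName; Targeted = 0; Pending = 0; Failed = 0;
                                   WaitingMW = 0; RebootPending = $false; Status = 'WMI connect failed' }
    }

    # Every CCM_SoftwareUpdate instance is an update targeted at (approved for) this client.
    $targeted = @(Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class CCM_SoftwareUpdate)
    $missing  = @($targeted | Where-Object { $_.ComplianceState -eq 0 })
    # EvaluationState: 13 = error, 14 = waiting for a service (maintenance) window,
    # 8 / 9 = installed, pending soft / hard reboot.
    $failed    = @($missing | Where-Object { $_.EvaluationState -eq 13 })
    $waitingMW = @($missing | Where-Object { $_.EvaluationState -eq 14 })
    $reboot    = Invoke-WmiMethod -ComputerName $ComputerName -Namespace $ns `
                     -Class CCM_ClientUtilities -Name DetermineIfRebootPending
    $rebootPending = [bool]$reboot.RebootPending

    $toInstall = @($missing | Where-Object { $_.EvaluationState -ne 8 -and $_.EvaluationState -ne 9 })
    if ($toInstall.Count -gt 0) {
        # Same call as the local script: hand the update references to the client's update manager.
        $refs = @($toInstall | ForEach-Object { [WMI]$_.__PATH })
        $rc   = (Invoke-WmiMethod -ComputerName $ComputerName -Namespace $ns -Class CCM_SoftwareUpdatesManager `
                     -Name InstallUpdates -ArgumentList (,$refs)).ReturnValue
        $status = if ($rc -eq 0) { "Install initiated for $($toInstall.Count) update(s)" } else { "InstallUpdates failed, rc=$rc" }
    } elseif ($rebootPending) {
        $status = 'Compliant (reboot pending)'   # counted as compliant, per the post
    } else {
        $status = 'Compliant'
    }

    [pscustomobject]@{ Computer = $ComputerName; Targeted = $targeted.Count; Pending = $missing.Count;
                       Failed = $failed.Count; WaitingMW = $waitingMW.Count;
                       RebootPending = $rebootPending; Status = $status }
}

# Read the client list, check each one, show the table and keep the CSV log.
$results = Get-Content -Path $ComputerList | Where-Object { $_.Trim() } |
    ForEach-Object { Get-ClientUpdateStatus -ComputerName $_.Trim() }
$results | Format-Table -AutoSize
$results | Export-Csv -Path $LogFile -NoTypeInformation -Append
```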


Post your feedback via comments section.

Troubleshooting unexpected reboots caused by software center computer maintenance setting


In a recent transition from Citrix VDI to AVD (single and multi-session), the AVD devices are being efficiently managed by SCCM and Intune (co-management).

As part of routine maintenance, we have implemented a weekly reboot schedule for our AVD devices to ensure optimal performance and security.

To achieve this, I created a simple package with a command line (shutdown -r -f -t 300 -c "Rebooting the device as part of weekly maintenance") for rebooting the devices weekly.

From the time the weekly reboot job was implemented there were no issues, until someone reported to the team that an AVD device was rebooting daily at 2 AM local time, contrary to our intended schedule.

I picked it up to investigate further and identify the root cause.

The first thing is to look at the SCCM client logs, especially execmgr.log, for the advertisement status; it showed that the specific package was being run daily at 2 AM.

Next is to look at the deployment properties to see if there were any changes to the schedule. It was intact, set to run weekly as intended.

Investigating further, I also verified that the weekly schedule information can be seen in the client WMI class.

The following PowerShell one-liner gets the schedule of a specific advertisement applied to the device.

gwmi -Namespace root\ccm\policy\machine -Class CCM_Scheduler_ScheduledMessage | Where-Object { $_.ScheduledMessageID -like "*ABC21452*" } | Select-Object ScheduledMessageID,ActiveMessage,Triggers | fl *

ABC21452 = Advertisement ID


To convert the Schedule string, we can use Convert-CMSchedule cmdlet available in SCCM powershell module.

Log in to the SCCM server or to a device that has the SCCM PowerShell module installed.

Import the SCCM powershell module and run the following with schedulestring.

Convert-CMSchedule 00A2AD40001B2000


As you can see from the above, the recurring schedule is the same as what we configured in the deployment.

Despite confirming that the deployment schedule remained unchanged (from the SCCM deployment schedule properties), the device continued to reboot daily.

To dig deeper, I enabled verbose logging (how to enable verbose logging) and, after the next reboot, reviewing the client logs revealed a specific setting in Software Center that causes the daily reboot behavior.

Software Center > Options > Computer maintenance > Automatically install or uninstall required software and restart the computer only outside of specified business hours

This setting is disabled by default.


After disabling the setting in Software Center, the daily reboot stopped and the device followed the original weekly schedule.

Disabling this setting rectified the issue, allowing the device to follow the original weekly schedule as intended. However, the logic behind this setting and its interaction with scheduled deployments remains unclear.

Is this a bug, or is there a deeper understanding required of the specific setting in the Software Center for this use case?

Continuing the investigation, we need to identify which devices have this specific setting enabled in Software Center, since those are the ones that will reboot daily.

Software Center settings are stored in the WMI class CCM_SoftwareCenterSettings, so we can use the Scripts feature in SCCM to run the following on all target endpoints and see how many devices would exhibit the daily reboot behavior.

$data = (gwmi -Namespace root\ccm\policy\machine -Class CCM_SoftwareCenterSettings | Select AutoInstallRequiredSoftware).AutoInstallRequiredSoftware
if ($data)
{
    Write-Host "Not Expected, require fix"
}
else
{
    Write-Host "All Good"
}
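One script for the ConfigMgr Scripts feature that combines the two checks from this post, as an added example that is not code from the original post: it returns the Software Center setting together with the scheduled-message triggers of the reboot deployment, as a single JSON line the script output view can be sorted on. The deployment ID is a parameter; ABC21452 from the post is only a placeholder default.

```powershell
# Added example, not code from the original post: detection script for the
# ConfigMgr Scripts feature combining the Software Center setting check with
# the scheduled-message lookup. ABC21452 is a placeholder default taken from
# the post; pass the real deployment ID as the parameter.
param(
    [string]$AdvertisementID = 'ABC21452'
)

$policyNs = 'root\ccm\policy\machine'

function Get-RebootRiskState {
    param([string]$AdvertisementID)

    # Software Center > Options > Computer maintenance checkbox; $true means the
    # client is allowed to install required software and restart on its own outside business hours.
    $sc = Get-WmiObject -Namespace $policyNs -Class CCM_SoftwareCenterSettings
    $autoInstall = [bool]$sc.AutoInstallRequiredSoftware

    # Scheduled messages carry the deployment recurrence as schedule tokens;
    # decode them afterwards with Convert-CMSchedule on a console host.
    $msgs = @(Get-WmiObject -Namespace $policyNs -Class CCM_Scheduler_ScheduledMessage |
        Where-Object { $_.ScheduledMessageID -like "*$AdvertisementID*" })

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        AutoInstallRequired = $autoInstall
        Verdict             = if ($autoInstall) { 'Not Expected, require fix' } else { 'All Good' }
        ScheduleTokens      = (@($msgs | ForEach-Object { $_.Triggers }) -join ';')
        ActiveMessages      = @($msgs | Where-Object { $_.ActiveMessage }).Count
    }
}

# The Scripts feature captures stdout; emit one compact line per device.
Get-RebootRiskState -AdvertisementID $AdvertisementID | ConvertTo-Json -Compress
```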

Since the devices are managed by Intune, it is time to move these legacy tasks to Microsoft Intune for better management and flexibility.

Enhancing SCCM Software Update Deployments for Better Compliance and Efficiency


Microsoft Configuration Manager (SCCM) remains a cornerstone for IT administrators aiming to streamline patch management and software updates. However, as many sysadmins experience, ensuring high compliance in software update deployments can be challenging, particularly in large environments. Here, we explore strategies to enhance SCCM's capabilities, leveraging advanced tools and automation to address common hurdles.

Identifying Common Challenges in SCCM Updates

In SCCM deployments, issues such as partial compliance, timing constraints within maintenance windows, and troubleshooting failures are prevalent. These problems often stem from:

- Inadequate visibility into endpoint status across the network.

- Limited control over the timing and sequence of updates.

- Difficulties in promptly addressing non-compliant endpoints.

The Role of PowerShell and Enhanced Tools

To mitigate these challenges, PowerShell scripts, like this one detailed by Eswar, are invaluable. They enable admins to automate the retrieval and installation of pending updates before maintenance windows close.

However, to further optimize this process, integrating comprehensive management tools can turn reactive situations into proactive successes.

Advanced SCCM Solutions

Recast Software enhances SCCM with robust tools designed to address the complexities of endpoint management. Our suite includes:

- Right Click Tools: A powerful extension for SCCM that facilitates immediate actions across multiple systems, enhancing the native capabilities of ConfigMgr.

  - Software Updates Deployment Status (SUDS) Dashboard: This tool offers real-time insights into update compliance, enabling IT admins to quickly identify and address non-compliant devices.

- Endpoint Insights: Provides deep visibility into hardware and software inventory, crucial for effective patch management.

How Recast Software Complements PowerShell Scripts

While PowerShell scripts provide a solid foundation for handling updates, integrating Recast Software offers several additional benefits:

- Automated Troubleshooting: With Right Click Tools, sysadmins can initiate diagnostic tools directly from the SCCM console, speeding up the resolution of non-compliance issues.

- Better Visibility: Endpoint Insights allows for a detailed examination of each endpoint's status, ensuring that all devices are ready and compliant before and after deploying updates.

- Proactive Management: The Software Updates Deployment Status (SUDS) Dashboard brings potential issues to the administrator's attention in real time, allowing for immediate corrective actions without manual checks.

Real-World Application

Consider a scenario where sysadmins face a tight deadline to update an array of servers. Using Right Click Tools, they can quickly assess and remedy non-compliant servers, ensuring all updates are deployed within the allotted maintenance window. This integration not only saves time but also significantly reduces the workload (and stress) associated with critical update deployments.

See the Capabilities in Action

Check out the following two videos for a glimpse into the potential these tools offer.

https://www.youtube.com/watch?v=nwgpmsuMHUA


https://youtu.be/V28jVr5ouzY?si=OaMyRVkcrblL0TzZ


Conclusion

As SCCM continues to serve as an essential tool for system management, enhancing its functionality with Recast Software’s solutions empowers sysadmins to manage updates more effectively and improve compliance numbers. By combining SCCM, PowerShell, and Recast Software’s tools, IT departments can achieve higher compliance rates, less downtime, and a more secure network. Learn more at Recast Software or reach out to the Recast team.
