Question asked by RobertPanick-6370

SCCM 2006 clients fail co-management enrollment

Most of our SCCM clients enabled co-management just fine. However, we have some that have not completed the enrollment. We've checked and they are Hybrid AD joined, and the SCCM server is showing the SCCM agent doing policy requests. But when we try to do anything with Software Center there is no content. Searching the logs we find that the agent is complaining about not finding a policy in the MDM.

Looking in the event log for the DeviceManagement-Enterprise-Diagnostics-Provider shows

Warning 12/29/2020 2:55:35 PM DeviceManagement-Enterprise-Diagnostics-Provider 78 None
Information 12/29/2020 2:55:35 PM DeviceManagement-Enterprise-Diagnostics-Provider 87 None
Information 12/29/2020 2:40:15 PM DeviceManagement-Enterprise-Diagnostics-Provider 75 None
Information 12/29/2020 2:40:15 PM DeviceManagement-Enterprise-Diagnostics-Provider 88 None
Warning 12/29/2020 2:40:15 PM DeviceManagement-Enterprise-Diagnostics-Provider 78 None
Information 12/29/2020 2:40:15 PM DeviceManagement-Enterprise-Diagnostics-Provider 87 None
Information 12/29/2020 2:40:10 PM DeviceManagement-Enterprise-Diagnostics-Provider 1708 None
Information 12/29/2020 2:40:10 PM DeviceManagement-Enterprise-Diagnostics-Provider 1700 None
Information 12/29/2020 2:17:10 PM DeviceManagement-Enterprise-Diagnostics-Provider 75 None
Information 12/29/2020 2:17:10 PM DeviceManagement-Enterprise-Diagnostics-Provider 88 None
Warning 12/29/2020 2:17:10 PM DeviceManagement-Enterprise-Diagnostics-Provider 78 None
Information 12/29/2020 2:17:10 PM DeviceManagement-Enterprise-Diagnostics-Provider 87 None

The warning event is "Auto MDM Enroll DMGetAadDeviceToken Failure (The user name or password is incorrect.)"

We tried reinstalling the SCCM Agent, but that did nothing. There don't appear to be any tools to try and fix a failed enrollment. There also isn't a whole lot of information on troubleshooting issues. The client I'm working with has put the entire co-management on hold until we can resolve the issues.


Doing some more checking we were surprised when the Config Manager properties showed only two configuration policies.

(attached screenshot: configmgr-1.jpg)

Here is the CoManagementHandler.log info. As I said, it looks like it's waiting for co-management to finish since the vendor isn't set.

This device is enrolled to an unexpected vendor, it will be set in co-existence mode. CoManagementHandler
Workload settings is different with CCM registry. Current value is 4294967295, expected value is 1 CoManagementHandler
Workloads rules are not compliant. CoManagementHandler
Setting workload info: Allowed = 1, Flags = 1 CoManagementHandler
Updating comanagement registry key to 0x1 CoManagementHandler
CoManagement flags registry key updated. CoManagementHandler
Setting co-management RS3 flags CoManagementHandler
This device is enrolled to an unexpected vendor, it will be set in co-existence mode. CoManagementHandler
Machine is already enrolled with MDM CoManagementHandler
Incompatible enrollment type CoManagementHandler


The rest of the log file

This device is enrolled to an unexpected vendor, it will be set in co-existence mode. CoManagementHandler
This device is enrolled to an unexpected vendor, it will be set in co-existence mode. CoManagementHandler
Device is not provisioned CoManagementHandler
State ID and report detail hash are not changed. No need to resend. CoManagementHandler


For some reason this crappy forum interface didn't post this response, so typing it in again.


          AzureAdJoined : YES
       EnterpriseJoined : NO
           DomainJoined : YES
             DomainName : NNG

             AzureAdPrt : NO

I'm not sure why PRT is NO, the only thing I've come up with is the computer isn't used often and when the Co-Management occurred it didn't have a logged on user, and may not have in several months. The customer has some of these computers in place to handle specific emergency conditions, they are only used at those times.


1 Answer

Amandayou-MSFT answered:

Hi @RobertPanick-6370,

Please verify that the device is hybrid Azure AD joined: run dsregcmd /status from the command line. If AzureAdJoined and DomainJoined are both set to YES and AzureAdPrt is YES, we can confirm that the device is properly hybrid-joined.

For more information, please refer to this article:
https://docs.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy

Besides, please check if the client with the issue is in the collection to upload to Microsoft Endpoint Manager. If not, please add it. About logs, kindly check CoManagementHandler.log on the client; it is used to troubleshoot co-management on the client.

(attached screenshot: 15.png)
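The answer above boils down to three checks on the client: the dsregcmd /status join flags, the scheduled task that performs the registration, and the event ID 78 warning quoted in the question. The following PowerShell is an added example written for this thread, not code from the answer or from Microsoft; it parses the dsregcmd /status output (a constructed sample mirroring the thread's output is embedded so the parser runs offline), reports which of AzureAdJoined, DomainJoined and AzureAdPrt are not YES, and then queries the Automatic-Device-Join task and the DeviceManagement-Enterprise-Diagnostics-Provider Admin log. Those two names are the real Windows task path and event channel; that the task is the one the thread's last comment had to enable is an assumption.

```powershell
# Added example for this thread (not the answer's own code).
# Assumes Windows 10/11 with dsregcmd.exe on PATH. Run it as the logged-on
# user rather than from an elevated/SYSTEM prompt: the AzureAdPrt row reports
# the Primary Refresh Token of the user running the command, so a user that is
# not synced to Azure AD will show NO even on a correctly joined device.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "        Key : Value" rows; section boxes and blank lines are skipped
        if ($line -match '^\s*([A-Za-z0-9_\-]+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-HybridJoinReady {
    param([Parameter(Mandatory)][hashtable]$State)
    $required = 'AzureAdJoined', 'DomainJoined', 'AzureAdPrt'
    $failing  = @($required | Where-Object { $State[$_] -ne 'YES' })
    [pscustomobject]@{
        Ready   = ($failing.Count -eq 0)
        Failing = $failing
    }
}

# Constructed sample matching the output pasted in the thread (not captured from a real host)
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : NNG

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : NO
'@ -split "`r?`n"

# Use the live command when available, otherwise fall back to the constructed sample
$lines = if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) { dsregcmd /status } else { $sample }
$state = ConvertFrom-DsregStatus -Lines $lines
Test-HybridJoinReady -State $state   # sample gives Ready = False, Failing = AzureAdPrt

# Hybrid-join registration runs from this task; the thread's last comment found it had to be enabled
Get-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -TaskName 'Automatic-Device-Join' `
    -ErrorAction SilentlyContinue | Select-Object TaskName, State

# Event ID 78 in this channel is the "Auto MDM Enroll ... Failure" warning quoted in the question
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    Id        = 78
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```

Against the sample, Test-HybridJoinReady returns Ready = False with AzureAdPrt as the only failing flag, which is exactly the state the asker reports below. If the live run shows the same while a different user on the same machine shows YES, the problem is the user's token rather than the device join, which matches the thread's eventual finding.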

I should have mentioned that: it is AD and Hybrid AAD joined, and the SCCM agent communicates. It's been Hybrid AAD joined for about two months.

I'll get the CoManagementHandler.log when the customer is responsive. But I expect what it's going to show is that it's waiting for co-management to complete.

Also, we verified the computer is able to access all of the enrollment URLs.


Also, we are not doing the Tenant onboarding through SCCM. We are only using the Pilot co-management mechanism.


AzureAdJoined : YES
DomainJoined : YES
AzureAdPrt : NO


I'm trying to determine why PRT is showing NO. Other computers that are working are showing YES.


Hi,

It seems that there is something wrong with AAD.

We could try the following steps to check if it succeeds:

1. Open cmd as administrator and run: dsregcmd /leave /debug
2. Remove the device in the Azure portal
3. Restart the device
4. Open cmd as administrator and run: dsregcmd /join /debug


I considered doing that but couldn't get anyone to try it. We'll give it a shot. Hopefully we'll only have a few; if we end up with hundreds doing this, this solution isn't practical since someone would have to touch each computer.

Quick question, is there a way we can cancel the co-management enrollment? I've been looking for the scripts that are being run but haven't found them yet. There are a few things I've found about creating the Co-management policies, but there only appears to be a PowerShell New command, nothing to list, remove, etc. I also looked in WMI but didn't see anything. The documentation for Co-management is really lacking unfortunately.


We did the steps and it worked successfully.

I think we may have identified the problem though. The machine was last logged on using a technician's account that isn't in AAD. When we did the command steps we had him elevate his normal user account to local admin and then run the commands. One note: we had to enable the task in the task scheduler, otherwise the DSREGCMD /Join did not work.

Thank you for your help.
