PhP59300 asked ChadSimmons answered

Moving to full Intune - Devices still showing as "Co-managed"

We set up SCCM for co-management last year; however, as we only really use SCCM for app deployment, we have decided to remove SCCM and go completely with Intune. Our existing Windows 10 clients are enrolled into Intune but have a status of:

managed by = co-managed
compliance = see configmgr

New Windows 10 devices (not registered with SCCM) can enrol into Intune and have a status of:

managed by = intune
compliance = compliant

We have deleted the 'co-management' config within SCCM. We have also uninstalled the CM agent (i.e. ccmsetup.exe /uninstall) on a handful of existing Windows 10 clients; however, these still show as 'co-managed' and have a compliance status of 'see configmgr'.

How can we get the existing Windows 10 clients to update so Intune knows it's fully authoritative? At the moment we can only deploy Intune apps to the new Windows 10 clients.

mem-cm-co-management

PaD-7009 answered

Have you done a CLEAN uninstall of the SCCM client and registry?


Amandayou-MSFT answered

Hi @PhilipPreece-5935,

Our existing Windows 10 clients are enrolled into Intune but have a status of:

managed by = co-managed
compliance = see configmgr

Please retire the co-managed Windows 10 device and check that the information on the device side disappears, then delete the record of the Windows 10 device in AAD, and finally re-enroll the device into Intune, so that the device can be managed fully by Intune instead of co-managed.


PhP59300 answered Jason-MSFT commented

Thanks both for the suggestions.

PaD-7009, yes, we've uninstalled the CM client using ccmsetup.exe /uninstall. We have also run some PS scripts to delete all traces of the CM files, folders and registry.

Amandayou-MSFT, just to confirm: we should retire a co-managed Win10 device from within Intune, then delete the hybrid joined computer account from AAD and allow it to resync back from on-prem to AAD, then try re-enrolling into Intune?


Hi,

Yes, the way is to make the device re-enroll into Intune, so that the device can be fully managed by Intune.

0 Votes 0 ·

Sorry for the delayed reply; with the COVID situation this was put on the back burner for a while. Here's what I've tried:

  • Retired two Win10 devices (laptops) from within Intune. Both had a status of 'co-managed'.

  • Deleted the same two devices from Azure AD.

  • Ensured the SCCM agent was uninstalled from both Win10 laptops.

  • Allowed Azure AD Sync to synchronise the on-prem computer accounts back to AAD (we have a GPO in place to auto hybrid join Win10 computers).

  • Rebooted the two Win10 laptops, ran GPUDATE /FORCE and rebooted again (again we have a GPO in place to auto enrol computers into Intune).

Unfortunately, both devices have reappeared back in Intune as 'co-managed'. Something somewhere (either within the Win10 registry or within the AD computer account) must still be marked as SCCM managed? Any other thoughts or suggestions would be appreciated.

0 Votes 0 ·

I just tested this in my lab yesterday. All that was required was for the ConfigMgr agent to be uninstalled. No retirement from Intune or removal of any Intune or AAD objects was required.

How exactly did you uninstall the ConfigMgr agent?

Did you reboot the device after uninstalling the agent?

Did you force an MDM/Intune policy sync after uninstalling the agent?

0 Votes 0 ·
PhP59300 answered

Yeah, I used ccmsetup.exe /uninstall and rebooted them both. The ConfigMgr shortcut is no longer in Control Panel too.
I've not forced policy sync as yet. I'll give that a go.


PhP59300 answered Salvador-Rodriguez commented

Still got the same problem. Summary of steps taken.

- Deleted/removed all cloud services/links from SCCM
- Retire win10 device from Intune
- Deleted win10 device from AAD
- Ensured ConfigMgr agent is uninstalled from device
- Reboot device
- Reregister device back to AAD (hybrid joined)
- Allow device to auto enrol back into Intune

Device still has a MDM status of: System Center Configuration Manager

I'm at a loss now.


What version of the ConfigMgr agent exactly are you using?

What does "Deleted/removed all cloud services/links from SCCM" mean?

Have you tried simply uninstalling the ConfigMgr agent?

0 Votes 0 ·

I got the same problem. Can you check if you have old Configuration Manager certificates?

I did the same steps that you did, but no luck.

- Deleted/removed all cloud services/links from SCCM
- Retire win10 device from Intune
- Deleted win10 device from AAD
- Ensured ConfigMgr agent is uninstalled from device
- Reboot device
- Reregister device back to AAD (hybrid joined)
- Allow device to auto enrol back into Intune

Additional
mmc.exe > File > Add/Remove Snap-in > In the Add or Remove Snap-ins window, select Certificates and click Add > In the Certificates snap-in window, select Computer account, click Next, select Local computer, and click Finish > In the Personal folder > Certificates > delete legacy Configuration Manager certificates

Any ideas?

0 Votes 0 ·
PhP59300 answered

Unfortunately, deleting the certificates hasn't resolved the issue for us.


PhP59300 answered MROD-1815 published

Update in case anyone else runs into this issue: deleting the following reg keys fixed the issue:

\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DeviceManageabilityCSP
\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCMSetup


This worked for me.

0 Votes 0 ·
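
The registry fix reported in the answer above, as an added PowerShell example (not code from the thread and not part of Remove-ConfigMgrClient.ps1): it exports each of the two keys to a .reg file before deleting it, and refuses to run while the ConfigMgr agent service is still installed. The backup folder and the `CcmExec` service check are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess)]
param(
    # Folder for the .reg backups (assumed location for this example)
    [string]$BackupDir = "$env:SystemRoot\Temp\CoMgmtCleanup"
)

# The two keys named in the thread as the fix.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\DeviceManageabilityCSP',
    'HKLM:\SOFTWARE\Microsoft\CCMSetup'
)

# Assumption: a device that still has the agent service (CcmExec, "SMS Agent Host")
# has not been through ccmsetup.exe /uninstall yet, so leave its registry alone.
if (Get-Service -Name CcmExec -ErrorAction SilentlyContinue) {
    throw 'CcmExec service still present: uninstall the ConfigMgr agent first.'
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

$results = foreach ($key in $keys) {
    $present = Test-Path -LiteralPath $key
    $removed = $false
    if ($present) {
        # reg.exe expects HKLM\..., not the PowerShell drive form HKLM:\...
        $native = $key -replace '^HKLM:\\', 'HKLM\'
        $backup = Join-Path $BackupDir ((Split-Path $key -Leaf) + '.reg')
        if ($PSCmdlet.ShouldProcess($key, 'Export to .reg and delete')) {
            & reg.exe export $native $backup /y | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "Backup of $key failed; key left in place." }
            Remove-Item -LiteralPath $key -Recurse -Force
            $removed = -not (Test-Path -LiteralPath $key)
        }
    }
    # One row per key so the outcome can be logged or collected centrally.
    [pscustomobject]@{ Key = $key; WasPresent = $present; Removed = $removed }
}
$results | Format-Table -AutoSize
```

Run it elevated with `-WhatIf` first to see which keys are present without changing anything.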
ChadSimmons answered

I wrote this script awhile back for the same issues/scenario. It removes "everything" that the ConfigMgr client creates and more.

Remove-ConfigMgrClient.ps1 on GitHub

 #.SYNOPSIS
 #   Remove-ConfigMgrClient.ps1
 #   run ConfigMgr's uninstall command and cleanup leftover files, registry keys, and certificates
 #.DESCRIPTION
 #   Log high-level actions to C:\Windows\Logs\CCMSetup-Uninstall.log
 #   Stop ConfigMgr services
 #   Copy CMTrace to C:\Windows to preserve it as a troubleshooting tool
 #   Execute CCMsetup.exe /uninstall
 #   Remove ConfigMgr services from registry
 #   Remove ConfigMgr Client from registry
 #   Remove leftover folders and files
 #   Remove ConfigMgr Start Menu Software Center shortcut and empty folder
 #   Remove ConfigMgr self-signed certificates
 #   If -Force parameter used
 #      Remove WMI Namespaces
 #      Remove Windows Update Agent policies and rely on GPO or MDM to reapply them
 #      Reset MDM Authority

