How to monitor co-management in Configuration Manager

Applies to: Configuration Manager (current branch)

After you enable co-management, monitor co-management devices using the following methods:

Co-management dashboard

This dashboard helps you review machines that are co-managed in your environment. The graphs can help identify devices that might need attention.

In the Configuration Manager console, go to the Monitoring workspace, and select the Co-management node.

Screenshot of the co-management dashboard

Client OS distribution

Shows the number of client devices per OS by version. It uses the following groupings:

  • Windows 7 & 8.x

  • Windows 10 lower than 1709

  • Windows 10 1709 and above

    Tip

    Windows 10, version 1709 and later, is a prerequisite for co-management.

Hover over a graph section to show the percentage of devices in that OS group.

Client OS distribution tile

Co-management status

A funnel chart that shows the number of devices with the following states from the enrollment process:

  • Eligible devices
  • Scheduled
  • Enrollment initiated
  • Enrolled

Co-management status (funnel chart) tile

Co-management enrollment status

Shows the breakdown of device status in the following categories:

  • Success, hybrid Azure AD-joined

  • Success, Azure AD-joined

  • Enrolling, hybrid Azure AD-joined

  • Failure, hybrid Azure AD-joined

  • Failure, Azure AD-joined

  • Pending user sign in

    Note

    Starting in version 1906, to reduce the number of devices in this pending state, a new co-managed device now automatically enrolls to the Microsoft Intune service based on its Azure AD device token. It doesn't need to wait for a user to sign in to the device for auto-enrollment to start. To support this behavior, the device needs to be running Windows 10, version 1803 or later.

    If the device token fails, it falls back to previous behavior with the user token. Look in the ComanagementHandler.log for the following entry: Enrolling device with RegisterDeviceWithManagementUsingAADDeviceCredentials

Select a state in the tile to drill through to a list of devices in that state.

Co-management enrollment status tile

Workload transition

Displays a bar chart with the number of devices that you've transitioned to Microsoft Intune for the available workloads.

The list of workloads varies by version of Configuration Manager. For more information, see Workloads able to be transitioned to Intune.

Hover over a chart section to show the number of devices transitioned for the workload.

Workload transition bar chart

Enrollment errors

This table is a list of enrollment errors from devices. These errors can come from the MDM component in Windows, the core Windows OS, or the Configuration Manager client.

There are hundreds of possible errors. The following table lists the most common errors.

| Error | Description |
|---|---|
| 2147549183 (0x8000FFFF) | MDM enrollment hasn't been configured yet on Azure AD, or the enrollment URL isn't expected. See: Enable Windows 10 automatic enrollment |
| 2149056536 (0x80180018) MENROLL_E_USERLICENSE | License of user is in bad state blocking enrollment. See: Assign licenses to users |
| 2149056555 (0x8018002B) MENROLL_E_MDM_NOT_CONFIGURED | The device is trying to automatically enroll to Intune, but the Azure AD configuration isn't fully applied. This issue should be transient, as the device retries after a short time. |
| 2149056554 (0x8018002A) | The user canceled the operation. If MDM enrollment requires multi-factor authentication, and the user hasn't signed in with a supported second factor, Windows displays a toast notification to the user to enroll. If the user doesn't respond to the toast notification, this error occurs. This issue should be transient, as Configuration Manager will retry and prompt the user. Users should use multi-factor authentication when they sign in to Windows. Also educate them to expect this behavior, and if prompted, take action. |
| 2149056532 (0x80180014) MENROLL_E_DEVICENOTSUPPORTED | Mobile device management isn't supported. Check device restrictions. |
| 2149056533 (0x80180015) MENROLL_E_NOTSUPPORTED | Mobile device management isn't supported. Check device restrictions. |
| 2149056514 (0x80180002) MENROLL_E_DEVICE_AUTHENTICATION_ERROR | Server failed to authenticate the user. There's no Azure AD token for the user. Make sure the user can authenticate to Azure AD. |
| 2147942450 (0x80070032) | MDM auto-enrollment is only supported on Windows RS3 and above. Make sure the device meets the minimum requirements for co-management. |
| 3400073293 | ADAL user realm account response unknown. Check your Azure AD configuration, and make sure that users can successfully authenticate. |
| 3399548929 | Need user sign-in. This issue should be transient. It occurs when the user quickly signs out before the enrollment task happens. |
| 3400073236 | ADAL security token request failed. Check your Azure AD configuration, and make sure that users can successfully authenticate. |
| 2149122477 | Generic HTTP issue |
| 3400073247 | ADAL-integrated Windows authentication is only supported in federated flow. See: Plan your hybrid Azure Active Directory join implementation |
| 3399942148 | The server or proxy wasn't found. This issue should be transient; it occurs when the client can't communicate with the cloud. If it persists, make sure the client has consistent connectivity to Azure. |
| 2149056532 | Specific platform or version is not supported. Make sure the device meets the minimum requirements for co-management. |
| 2147943568 | Element not found. This issue should be transient. If it persists, contact Microsoft Support. |
| 2192179208 | Not enough memory resources are available to process this command. This issue should be transient; it should resolve itself when the client retries. |
| 3399614467 | ADAL Authorization grant failed for this assertion. Check your Azure AD configuration, and make sure that users can successfully authenticate. |
| 2149056517 | Generic Failure from management server, such as DB access error. This issue should be transient. If it persists, contact Microsoft Support. |
| 2149134055 | Winhttp name not resolved. The client can't resolve the name of the service. Check the DNS configuration. |
| 2149134050 | Internet timeout. This issue should be transient; it occurs when the client can't communicate with the cloud. If it persists, make sure the client has consistent connectivity to Azure. |

For more information, see MDM Registration Error Values.

Deployment policies

Two policies are created in the Deployments node of the Monitoring workspace. One policy is for the pilot group and one for production. These policies report only the number of devices where Configuration Manager has applied the policy. They don't consider how many devices are enrolled in Intune, which is a requirement before devices can be co-managed.

The production policy (CoMgmtSettingsProd) is targeted to the All Systems collection. It has an applicability condition that checks the OS type and version. If the client is a server OS or not Windows 10, the policy doesn't apply, and no action is taken.

WMI device data

Query the SMS_Client_ComanagementState WMI class in the ROOT\SMS\site_<SITECODE> namespace on the site server. You can create custom collections in Configuration Manager, which help determine the status of your co-management deployment. For more information on creating custom collections, see How to create collections.

The following fields are available in the WMI class:

  • MachineId: A unique device ID for the Configuration Manager client

  • MDMEnrolled: Specifies whether the device is MDM-enrolled

  • Authority: The authority for which the device is enrolled

  • ComgmtPolicyPresent: Specifies whether the Configuration Manager co-management policy exists on the client. If the MDMEnrolled value is 0, the device isn't co-managed, regardless of whether the co-management policy exists on the client.

A device is co-managed when the MDMEnrolled and ComgmtPolicyPresent fields both have a value of 1.
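
The rule above, applied to query results as an added example (not code from the original page or from Microsoft): it sorts each device into one of four states so that devices with the policy but no MDM enrollment stand out. The parameter names, the state labels, and the sample rows are assumptions made for this illustration; the class, namespace, and field names are the ones listed above.

```powershell
# Added example: classify rows of SMS_Client_ComanagementState by the rule above.
# -SiteCode and -SiteServer are values you supply (hypothetical parameter names).
# With no -SiteCode, the script runs on constructed sample rows instead of a live site.
param([string]$SiteCode, [string]$SiteServer)

function Get-CoManagementState {
    param([Parameter(ValueFromPipeline)]$Row)
    process {
        # Treat the fields as 0/1 flags, as the page describes them.
        $enrolled = [int]$Row.MDMEnrolled -eq 1
        $policy   = [int]$Row.ComgmtPolicyPresent -eq 1
        if ($enrolled -and $policy) { $state = 'Co-managed' }
        elseif ($policy)            { $state = 'Policy present, not MDM-enrolled' }
        elseif ($enrolled)          { $state = 'MDM-enrolled, no co-management policy' }
        else                        { $state = 'Not enrolled, no policy' }
        [pscustomobject]@{
            MachineId = $Row.MachineId
            Authority = $Row.Authority
            State     = $state
        }
    }
}

if ($SiteCode) {
    # Live query against the SMS provider on the site server.
    $query = @{
        Namespace   = "ROOT\SMS\site_$SiteCode"
        ClassName   = 'SMS_Client_ComanagementState'
        ErrorAction = 'Stop'
    }
    if ($SiteServer) { $query.ComputerName = $SiteServer }
    $rows = Get-CimInstance @query
} else {
    # Constructed sample rows; the Authority value is a placeholder, not real data.
    $rows = @(
        [pscustomobject]@{ MachineId = 1001; MDMEnrolled = 1; Authority = 'EXAMPLE'; ComgmtPolicyPresent = 1 }
        [pscustomobject]@{ MachineId = 1002; MDMEnrolled = 0; Authority = $null;     ComgmtPolicyPresent = 1 }
        [pscustomobject]@{ MachineId = 1003; MDMEnrolled = 1; Authority = 'EXAMPLE'; ComgmtPolicyPresent = 0 }
    )
}

$report = $rows | Get-CoManagementState
# Summary per state, then the devices that are not co-managed and need review.
$report | Group-Object State | Select-Object Count, Name | Format-Table -AutoSize
$report | Where-Object State -ne 'Co-managed' | Sort-Object State, MachineId | Format-Table -AutoSize
```

On the sample rows only MachineId 1001 is reported as co-managed; 1002 has the policy but no MDM enrollment, which is the case the deployment policy counts do not reveal.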