question

RobertPanick-6370 asked Jason-MSFT commented

How do we remove Co-Management

My customer is getting very close to saying enough with Co-Management. They keep running into cases where the SCCM agent breaks. We traced some of it down to Azure AD Hybrid Join. But they are seeing more and more problems where the execmgr.log is showing:

Failed to GetDeviceManagementConfigInfo, honor MEM authority. Error (0x00000000).

When this happens they can't deliver packages with the SCCM agent. The fix has been to run DSREGCMD /Leave, but you have to do that from an elevated command prompt.

Looking through all the documentation, I don't see any way to back out of Co-Management. They are using the Pilot collections because there are some machines that they can't do Co-management with (no Internet connection). So would removing computers from the Pilot collection remove Co-management? Or do we have to do something else?

I'm hoping someone has an answer, otherwise we'll probably start trying to just remove some computers from the collection and see what happens.

Overall, so far I've not been impressed with co-management. The tools and documentation for it simply aren't ready for production IMHO.

mem-cm-co-management

Jason-MSFT answered RobertPanick-6370 commented

Failed to GetDeviceManagementConfigInfo, honor MEM authority. Error (0x00000000).

This is a benign statement in the log and not the source of or reflection of any issues or errors.

Without some actual hands-on investigation and troubleshooting, not much additional can be said though.

Hybrid Azure AD Domain join is a potentially fragile beast particularly in the current work from home environment as line of sight to a domain controller is still required.

As for removing co-management from a device, there are two steps: remove from any collection assigned for co-management enablement and unenroll device from Intune. I'd encourage you or them to open a support case to help diagnose and identify issues you may be experiencing though as we have plenty of customers and devices successfully using co-management without issues.


We considered the work from home being an issue since a lot of people are working via VPN. But they have had issues with devices that aren't work from home, as well as those VPN connected.

I appreciate the answer on how to remove them from co-management. One question just to be clear, when you say unenroll device from Intune, you're talking about from the Intune Console (or PowerShell) or are you talking something else?

0 Votes 0 ·

From memory, you can Retire a device from Intune and that should unenroll it. You can also unenroll the device manually. Simply deleting the device from Intune doesn't change the state of the device itself.

Additional question: do you/they have a CMG in place as well? If not, that is 100% the next step here as co-management assumes consistent connectivity to ConfigMgr by the ConfigMgr agent.

1 Vote 1 ·

No they don't have a CMG. I lost the battle for that one, and they pushed it out to the future. But that's an excellent point I hadn't considered. It very well may explain a bunch of things. They have been relying on that most of their remote people are connecting daily by VPN. But that loss of connection could cause some confusion.

Thank you for that though.

0 Votes 0 ·
PhP59300 answered Jason-MSFT commented

Hi Robert, did you ever manage to ditch SCCM and move fully to Intune?

I've two customers wanting to do the exact same thing. One customer didn't set up co-management cloud services within SCCM and they've been able to enrol all their devices into Intune by simply uninstalling the CM agent. The other customer had co-management in place for a while and then removed it. They now have a problem whereby all their Win10 devices report as MDM = Co-Managed within the Intune portal. Even if we uninstall the CM agent, retire the device from Intune and delete the device from AAD, they report back as MDM = Co-Managed as soon as they re-enrol into Intune.


What version of ConfigMgr are they running?

0 Votes 0 ·

Current Branch 2002

0 Votes 0 ·

It's possible the older client agents aren't cleaning up everything necessary here. I'll see if I can find out.

0 Votes 0 ·

Moving off of SCCM to Intune was never the intention. The customer is likely years away from that kind of move for a lot of reasons; Intune simply isn't ready to do the things they need to do. Part of that is the maturity level of the customer.

I don't have any information on your scenario. While Co-management sounds like a nice idea, I'm getting to the point where I think it's not quite ready for prime time yet. Oddly more because of issues with Hybrid AD.

0 Votes 0 ·

Co-management doesn't require HAADJ.

And while yes, HAADJ has its issues, for existing systems it does work fairly well (assuming those systems have connectivity on your on-prem domain controllers but that should already be reality for those on-prem domain joined systems anyway). For newly provisioned systems, you should 100% be moving to AADJ.

0 Votes 0 ·