Co-Management and the importance of device token enrollment.

After returning from presenting at MMS 2022 in Minneapolis, my first physical event in 2 1/2 years! A great experience as always! I thought it was time to write a post on how important it is that enrollment using a device token works when using Co-management in MEMCM + MEM.

The Configuration Manager client will handle the enrollment automatically in MDM when Co-management is enabled. The enrollment itself will always try to use a Device Token to enroll and if it is unsuccessful it will fall back to enrolling using the logged on users token. Many we talk to don’t know that the device token is being used for enrollment as the prefered way of enrolling.

Why is this important then, enrollment in Co-management using a Device token can be done without any end user is logged on to the device. This is important for example when deploying a new Hybrid Joined computer and we have moved workloads to MEM as the settings cannot be applied until a user logs on and the enrollment is successful if the device token fails and it tries again with a user token.

Successful enrollment using device token

Device token kan fail when for example proxy servers, ADFS and other network related issues blocks it and this is something that needs to be handled when starting to enable co-management.

We see in many cases that enrollment using a user token is unsuccessful because there are more factors in play here as well, Conditional Access, enrollment restrictions, MFA and more that can block the enrollment. For example if the end user gets the dreaded “Work or school account problem” popup then user token enrollment will fail as well.

How can we verify that a device token is being used to enroll devices?, well we can check the CoManagementHandler.log file on the clients. In the case below we have blocked devices from enrolling using Enrollment restrictions. Note: that the enrollment restrictions “All Users” are deployed to “All Devices” and it will block device token enrollment as well.

Default All users enrollment restriction

In the Device Management Portal we can only see user enrollment failures so this will be empty when a co-managed device fails to enroll using a device token. So using the CoManagementHandler.log file is the best way to troubleshoot.