
Co-Management and the importance of device token enrollment.

Posted on May 11, 2022 by Jörgen Nilsson

After returning from presenting at MMS 2022 in Minneapolis, my first physical event in 2 1/2 years and a great experience as always, I thought it was time to write a post on how important it is that enrollment using a device token works when using co-management in MEMCM + MEM.

When co-management is enabled, the Configuration Manager client handles the MDM enrollment automatically. The enrollment always tries a device token first, and if that is unsuccessful it falls back to enrolling with the logged-on user's token. Many of the people we talk to don't know that the device token is the preferred way of enrolling.

Why is this important? Enrollment in co-management using a device token can be done without any end user being logged on to the device. This matters, for example, when deploying a new hybrid-joined computer after workloads have been moved to MEM: if the device token fails and the client tries again with a user token, the settings cannot be applied until a user logs on and the enrollment is successful.

Successful enrollment using device token

Device token enrollment can fail when, for example, proxy servers, ADFS or other network-related issues block it, and this needs to be handled when starting to enable co-management.

We see in many cases that enrollment using a user token is unsuccessful, because more factors are in play there: Conditional Access, enrollment restrictions, MFA and more can block the enrollment. For example, if the end user gets the dreaded “Work or school account problem” popup, then user token enrollment will fail as well.

Work or School account problem dialog

How can we verify that a device token is being used to enroll devices? We can check the CoManagementHandler.log file on the clients. In the case below we have blocked devices from enrolling using enrollment restrictions. Note that the “All Users” enrollment restrictions are deployed to “All Devices”, so they will block device token enrollment as well.

Default All users enrollment restriction
Device token enrollment failures

In the Device Management Portal we can only see user enrollment failures, so this view will be empty when a co-managed device fails to enroll using a device token. Using the CoManagementHandler.log file is therefore the best way to troubleshoot.

Enrollment failures
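
One way to run the CoManagementHandler.log check described above across a client, as an added example that is not the author's code. It assumes the client logs the name of the Windows MDM registration API it calls (`RegisterDeviceWithManagementUsingAADDeviceCredentials` for a device token, `RegisterDeviceWithManagementUsingAADCredentials` for a user token) and that the log sits in the default `%windir%\CCM\Logs` folder; the function name, sample lines and error code are constructed.

```powershell
# Added example, not the author's code. The sample lines are constructed: the message
# wording is an assumption and 0x8018FFFF is a placeholder error code.
$sample = @'
<![LOG[Enrolling device with RegisterDeviceWithManagementUsingAADDeviceCredentials]LOG]!><time="09:14:02.101-120" date="05-11-2022" component="CoManagementHandler" context="" type="1" thread="4120" file="">
<![LOG[Failed to enroll with RegisterDeviceWithManagementUsingAADDeviceCredentials with error code 0x8018FFFF]LOG]!><time="09:14:03.554-120" date="05-11-2022" component="CoManagementHandler" context="" type="3" thread="4120" file="">
<![LOG[Enrolling device with RegisterDeviceWithManagementUsingAADCredentials]LOG]!><time="09:31:40.870-120" date="05-11-2022" component="CoManagementHandler" context="" type="1" thread="5208" file="">
'@ -split "`r?`n"

function Get-CoMgmtEnrollmentAttempt {
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        # CMTrace layout: <![LOG[message]LOG]!><time="HH:mm:ss.fff+offset" date="MM-dd-yyyy" ...>
        $cm = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[\d:.]+)[^"]*" date="(?<date>[\d-]+)"'
        if ($Line -notmatch $cm) { return }
        $msg  = $Matches.msg
        $when = "$($Matches.date) $($Matches.time)"
        # The API name gives the token type: ...AADDeviceCredentials = device, ...AADCredentials = user.
        if ($msg -notmatch 'RegisterDeviceWithManagementUsingAAD(Device)?Credentials') { return }
        $token = if ($Matches[1]) { 'Device' } else { 'User' }
        $code  = if ($msg -match 'error code (0x[0-9A-Fa-f]+)') { $Matches[1] } else { $null }
        [pscustomobject]@{
            Time      = $when
            Token     = $token
            Outcome   = if ($code) { 'Failed' } else { 'Attempt' }
            ErrorCode = $code
        }
    }
}

# Read the real log when it exists, otherwise fall back to the constructed sample.
$log   = "$env:windir\CCM\Logs\CoManagementHandler.log"
$lines = if (Test-Path $log) { Get-Content $log } else { $sample }
$attempts = @($lines | Get-CoMgmtEnrollmentAttempt)
$attempts | Format-Table -AutoSize

# A failed device-token attempt plus a user-token attempt is the fallback the post describes.
$deviceFailed = $attempts | Where-Object { $_.Token -eq 'Device' -and $_.Outcome -eq 'Failed' }
$userTried    = $attempts | Where-Object { $_.Token -eq 'User' }
if ($deviceFailed -and $userTried) {
    'Device token enrollment failed; the client fell back to the user token.'
}
```

Adjust the two message patterns to the wording your client version actually writes before relying on the result.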

Conclusion: make sure that your hybrid-joined co-managed devices are enrolling using a device token to get the optimal co-management experience.

My name is Jörgen Nilsson and I work as a Senior Consultant at Onevinn in Malmö, Sweden. This is my blog where I will share tips and stuff for my own and everyone else's use on Enterprise Mobility and Windows related topics.
All code is provided "AS-IS" with no warranties.