Co-management enrollment takes longer than expected for Configuration Manager clients

প্রযোজ্য পণ্যঃ {পণ্য} Microsoft Endpoint Configuration Manager (current branch – version 2006)


New co-managed devices configured to automatically enroll in Microsoft Intune will initially fail to enroll based on their Azure Active Directory (Azure AD) device token. The enrollment process then falls back to user token-based enrollment, which succeeds when a user logs in and meets any specific user enrollment requirements. 
The co-management dashboard may show a status of pending user sign in for affected clients during this time.

This issue only occurs in environments that meet the following criteria.
- Both of the following conditions:

  1. The following update rollup is installed, and clients have upgraded to version 5.00.9012.1052 before completing the co-management onboarding process.

    KB 4578605 Update Rollup for Microsoft Endpoint Configuration Manager version 2006
  2. The client restarts or upgrades during the enrollment process. If the client does not restart or upgrade during enrollment process, the client will not be affected.

- And one or both of the following conditions:

  1. The device/ user is configured to use multi-factor authentication with Azure Active Directory. If this condition is met along with the client restart, the end user will see an authentication prompt when their device continues with the user token-based enrollment.
  2. Configuration Manager is the co-management authority for Resource Access; however, Windows Hello for Business is configured via Microsoft Intune. If this condition is met along with the client restart, the Windows Hello for Business policy targeted in Microsoft Intune will unexpectedly apply to the device.

Update information for Microsoft Endpoint Configuration Manager, version 2006

Microsoft Download Center

The following hotfix to resolve this problem is available for download from the Microsoft Download Center:

Download this hotfix now.

After you download the hotfix, see the following documentation for installation instructions:

Use the Update Registration Tool to import hotfixes to Configuration Manager


To apply this hotfix, you must have Microsoft Endpoint Configuration Manager, version 2006 installed in addition to the following update:
KB 4578605 Update Rollup for Microsoft Endpoint Configuration Manager version 2006

Restart information

You do not have to restart the computer after you apply this update.

Update replacement information

This update does not directly replace any previously released updates. However, the client patch (.MSP file) contained in this update supercedes the version that shipped with update rollup KB 4578605. Therefore, only one client upgrade is required.

Additional installation information

After you install this update on a primary site, pre-existing secondary sites must be manually updated. To update a secondary site in the Configuration Manager console, click Administration, click Site Configuration, click Sites, click Recover Secondary Site, and then select the secondary site. The primary site then reinstalls that secondary site by using the updated files. Configurations and settings for the secondary site are not affected by this reinstallation. The new, upgraded, and reinstalled secondary sites under that primary site automatically receive this update.

Run the following SQL Server command on the site database to check whether the update version of a secondary site matches that of its parent primary site:

select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')

If the value 1 is returned, the site is up to date, with all the hotfixes applied on its parent primary site.

If the value 0 is returned, the site has not installed all the fixes that are applied to the primary site, and you should use the Recover Secondary Site option to update the secondary site.