Co-management enrollment takes longer than expected for Configuration Manager clients

Symptoms

This update is superseded by the following update.
KB 4575790 Client setup is unable to download contents from a cloud distribution point in Configuration Manager current branch, version 2006

New co-managed devices configured to automatically enroll in Microsoft Intune will initially fail to enroll based on their Azure Active Directory (Azure AD) device token. The enrollment process then falls back to user token-based enrollment, which succeeds when a user logs in and meets any specific user enrollment requirements. 
The co-management dashboard may show a status of pending user sign in for affected clients during this time.

This issue only occurs in environments that meet the following criteria.
- Both of the following conditions:

  1. The following update rollup is installed, and clients have upgraded to version 5.00.9012.1052 before completing the co-management onboarding process.

    KB 4578605 Update Rollup for Microsoft Endpoint Configuration Manager version 2006

  2. The client restarts or upgrades during the enrollment process. If the client does not restart or upgrade during the enrollment process, the client will not be affected.

- And one or both of the following conditions:

  1. The device/user is configured to use multi-factor authentication with Azure Active Directory. If this condition is met along with the client restart, the end user will see an authentication prompt when their device continues with the user token-based enrollment.
    or

  2. Configuration Manager is the co-management authority for Resource Access; however, Windows Hello for Business is configured via Microsoft Intune. If this condition is met along with the client restart, the Windows Hello for Business policy targeted in Microsoft Intune will unexpectedly apply to the device.

Update information for Microsoft Endpoint Configuration Manager, version 2006

Update installation notes

  • If clients have not yet upgraded to version 5.00.9012.1052 from KB 4578605, it is recommended to first disable automatic client upgrade on the Client Upgrade tab of Hierarchy Settings. This removes the need to upgrade clients twice in a row: once from the update rollup and once from this standalone update. The client.msp file shipping in this update contains all of the prior changes that shipped with update rollup KB 4578605.

Microsoft Download Center

The following hotfix to resolve this problem is available for download from the Microsoft Download Center:

Download this hotfix now.

After you download the hotfix, see the following documentation for installation instructions:

Use the Update Registration Tool to import hotfixes to Configuration Manager

Microsoft scanned this file for viruses, using the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to it.

Prerequisites

To apply this hotfix, you must have Microsoft Endpoint Configuration Manager, version 2006 installed in addition to the following update:
KB 4578605 Update Rollup for Microsoft Endpoint Configuration Manager version 2006

Restart information

You do not have to restart the computer after you apply this update.

Update replacement information

This update does not directly replace any previously released updates. However, the client patch (.MSP file) contained in this update supersedes the version that shipped with update rollup KB 4578605. Therefore, only one client upgrade is required.

Additional installation information

After you install this update on a primary site, pre-existing secondary sites must be manually updated. To update a secondary site in the Configuration Manager console, click Administration, click Site Configuration, click Sites, click Recover Secondary Site, and then select the secondary site. The primary site then reinstalls that secondary site by using the updated files. Configurations and settings for the secondary site are not affected by this reinstallation. The new, upgraded, and reinstalled secondary sites under that primary site automatically receive this update.

Run the following SQL Server command on the site database to check whether the update version of a secondary site matches that of its parent primary site:

select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')

If the value 1 is returned, the site is up to date, with all the hotfixes applied on its parent primary site.

If the value 0 is returned, the site has not installed all the fixes that are applied to the primary site, and you should use the Recover Secondary Site option to update the secondary site.

| File name | File version | File size | Date | Time | Platform |
| --- | --- | --- | --- | --- | --- |
| avhandler.dll | 5.00.9012.1054 | 169848 | 30-Sep-2020 | 00:00 | x64 |
| avhandler.dll | 5.00.9012.1054 | 141688 | 30-Sep-2020 | 00:00 | x86 |
| cm2006-client-kb4575787-i386.msp | Not Applicable | 14286848 | 30-Sep-2020 | 00:00 | Not Applicable |
| cm2006-client-kb4575787-x64.msp | Not Applicable | 17129472 | 30-Sep-2020 | 00:00 | Not Applicable |
| comanagementhandler.dll | 5.00.9012.1054 | 270712 | 30-Sep-2020 | 00:00 | x64 |
| comanagementhandler.dll | 5.00.9012.1054 | 213864 | 30-Sep-2020 | 00:00 | x86 |
