Using device sync and device actions in Microsoft Endpoint Manager Admin Center


Microsoft has been hard at work making client management even more cloud friendly. You can now perform device sync and device actions on ConfigMgr-managed clients from within the Microsoft Endpoint Manager Admin Center.

In a previous blog post I showed you how you can enable tenant attach in Configuration Manager Technical Preview 2002.2. If you haven’t already, please check out the steps in that post before continuing.

In that blog post you enabled the tenant attach feature and as part of that you were informed that the wizard would create an Azure AD application. You can see that application in Azure AD.

Note: The keen-eyed among you will notice that I have three (ConfigMgr) apps listed below, but only the first is valid. The other two were likely the result of my first failed attempt at installing the feature, and they do not have any API permissions.

Select the first ConfigMgrSvc and click on View API Permissions; you should see something like this.

And it’s those permissions that allow the Azure AD application to share data and actions between the cloud and your on-premises ConfigMgr environment.

So let’s look in Intune, I mean, let’s look in the Microsoft Endpoint Manager Admin Center (or MEMAC).

Browse to and expand your devices.

The device named MININT-01MIIG3 is currently active in my lab, so let’s work with that one.

To understand where that device came from, you can look at the collection I pointed to in ConfigMgr when I set up Tenant Attach (All Windows 10). Here’s a view of that collection.

You can see our active client right there.

But back to MEMAC, and let’s select that device. This reveals actions that can be taken on the ConfigMgr-managed device from the cloud!

The hardware tab reveals some data too (not a lot, but some).

So let’s try an action! The following actions are available:

  • Sync Machine Policy
  • Sync User Policy
  • App Evaluation Cycle

Click on Sync Machine Policy in the MEMAC console.

Once done, you’ll see the action status in the MEMAC console (probably Pending).

On the ConfigMgr server side you’ll see the request arrive in CMGatewayNotificationWorker.log.

Look for a line that reads:

Received new nofitication. Validating basic notification details...

and lo and behold, a few minutes later the computer starts syncing machine policy!

That’s pretty impressive indeed! Well done to all the Product Group @ Microsoft.

And after you’ve tried a few syncs you’ll see the status of your actions in the MEMAC console. If yours are still listed as Pending, check the troubleshooting section below.

Note that in this version you’ll only see a maximum of three device action statuses listed, so if you, for example, trigger a new Sync Machine Policy action, the Device action status will simply overwrite the last matching status with your current action.

This might make it hard to troubleshoot which actions you initiated and when, but no doubt this will be improved upon soon enough!

If the Device action status remains in a Pending state for a long time, look at CMGatewayNotificationWorker.log on the ConfigMgr server for a failure (logged at the time you initiated the action in MEMAC) like this:

Unauthorized to perform client action

If you see that error, verify that you completed the following actions:

  • Set up Azure AD Connect on the ConfigMgr server
  • Set up Cloud Management to sync Azure Directory users to AD

Once you have done those correctly you’ll see the log reporting as follows:

Authorized to perform client action. TemplateID: RequestMachinePolicy TenantId: ..

and you should quickly see the status of the device action update from Pending to Complete.

Success!
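Because only three action statuses survive in the MEMAC console, the server-side log is the reliable record of what happened and when. The PowerShell function below is an added example (not part of the original post or of ConfigMgr itself) that reads CMGatewayNotificationWorker.log, picks out the three lines discussed above (the received notification, “Authorized to perform client action” and “Unauthorized to perform client action”), and reports each with its timestamp and the TemplateID when the log includes one. The default log path, the CMTrace-style line format it parses, and the sample lines at the bottom are assumptions constructed for trying it offline; the TenantId in the sample is a placeholder.

```powershell
# Added example (not from the original post): summarise tenant attach device actions
# from CMGatewayNotificationWorker.log on the ConfigMgr site server.
# Assumed log line format (standard ConfigMgr/CMTrace style):
#   <![LOG[message]LOG]!><time="HH:mm:ss.fff+offset" date="MM-dd-yyyy" component="..." ...>
function Get-TenantAttachActionStatus {
    [CmdletBinding()]
    param(
        # Default path is an assumption; adjust to your site server's log directory
        [string]$LogPath = 'C:\Program Files\Microsoft Configuration Manager\Logs\CMGatewayNotificationWorker.log',
        # Only report entries at or after this time (e.g. when you clicked the action in MEMAC)
        [datetime]$Since = [datetime]::MinValue,
        # Optional: pass log lines directly instead of reading the file (used for the offline sample)
        [string[]]$Lines
    )

    if (-not $Lines) {
        $Lines = Get-Content -Path $LogPath -ErrorAction Stop
    }

    # Capture the message, time and date fields of each log entry
    $pattern = '^<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"'

    foreach ($line in $Lines) {
        $m = [regex]::Match($line, $pattern)
        if (-not $m.Success) { continue }

        $msg = $m.Groups['msg'].Value
        # Drop the trailing UTC-offset suffix (e.g. "+60" or "-420") before parsing the time
        $timeText = $m.Groups['time'].Value -replace '[+-]\d+$', ''
        $stamp = [datetime]::ParseExact("$($m.Groups['date'].Value) $timeText",
                                        'MM-dd-yyyy HH:mm:ss.fff',
                                        [System.Globalization.CultureInfo]::InvariantCulture)
        if ($stamp -lt $Since) { continue }

        # Classify the three messages the post tells you to look for
        $status = switch -Wildcard ($msg) {
            'Received new nofitication*'             { 'Received'; break }      # spelled as the log writes it
            'Authorized to perform client action*'   { 'Authorized'; break }
            'Unauthorized to perform client action*' { 'Unauthorized'; break }
            default                                  { $null }
        }
        if (-not $status) { continue }

        # Pull out the action template (e.g. RequestMachinePolicy) when the log reports it
        $template = if ($msg -match 'TemplateID:\s*(\S+)') { $Matches[1] } else { '' }

        [pscustomobject]@{
            Time     = $stamp
            Status   = $status
            Template = $template
            Message  = $msg
        }
    }
}

# Constructed sample lines (assumed format, not real log content) so the function can be tried
# without access to a site server. The first pair shows the failure case from the post, the
# second pair the success case after Azure AD Connect and Cloud Management are set up.
$sample = @(
    '<![LOG[Received new nofitication. Validating basic notification details...]LOG]!><time="10:15:01.000+60" date="03-20-2020" component="CMGatewayNotificationWorker" context="" type="1" thread="1234" file="">',
    '<![LOG[Unauthorized to perform client action]LOG]!><time="10:15:02.000+60" date="03-20-2020" component="CMGatewayNotificationWorker" context="" type="3" thread="1234" file="">',
    '<![LOG[Received new nofitication. Validating basic notification details...]LOG]!><time="10:40:10.000+60" date="03-20-2020" component="CMGatewayNotificationWorker" context="" type="1" thread="1234" file="">',
    '<![LOG[Authorized to perform client action. TemplateID: RequestMachinePolicy TenantId: <tenant-id-placeholder>]LOG]!><time="10:40:11.000+60" date="03-20-2020" component="CMGatewayNotificationWorker" context="" type="1" thread="1234" file="">'
)

# Show everything from 10:30 onwards: only the Received/Authorized pair should be listed
Get-TenantAttachActionStatus -Lines $sample -Since ([datetime]'2020-03-20T10:30:00') | Format-Table -AutoSize
```

On a real site server, call the function with just -Since set to the time you clicked the action in MEMAC and it reads the default log path; an Unauthorized entry shortly after the Received line points you at the Azure AD Connect and Cloud Management prerequisites above, while an Authorized entry with TemplateID RequestMachinePolicy is the server-side confirmation that the Sync Machine Policy action was accepted.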