Microsoft is constantly innovating and adding new features to already excellent products. One recent addition is a cloud feature called tenant attach for Microsoft Endpoint Manager, and you can start testing it right now in Configuration Manager Technical Preview 2002.2.
For more info about this new ability, see the Microsoft docs below:
- Blog: https://techcommunity.microsoft.com/t5/configuration-manager-blog/take-action-on-your-configmgr-devices-from-the-microsoft/ba-p/1209759
- Technical Preview Docs: https://docs.microsoft.com/en-us/configmgr/core/get-started/2020/technical-preview-2002-2
- Intune what’s new: https://docs.microsoft.com/en-us/intune/fundamentals/whats-new
Pay attention to the prerequisites:
- An account that is a Global Administrator for signing in when applying this change. For more information, see Azure Active Directory (Azure AD) administrator roles.
- Onboarding creates a third-party app and a first party service principal in your Azure AD tenant.
- An Azure public cloud environment.
- The user account triggering device actions has the following prerequisites:
  - Has been discovered with Azure Active Directory user discovery (configure cloud management)
  - Has been discovered with Active Directory user discovery
  - Has the Notify Resource permission under the Collections object class in Configuration Manager
- Enable this pre-release feature from Administration > Overview > Updates and Servicing > Features.
Note: In case it’s not clear above, you need to configure Azure AD Connect to sync your on-premises users to the cloud for the user actions to succeed. You also need to go to Azure Services in ConfigMgr and configure Cloud Management with Azure Active Directory User Discovery enabled, so that the same user is discovered from both directories.
See the screenshot below.
The user performing the action needs to be in both AAD and AD
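The two discovery prerequisites are easy to get wrong, so here is a quick check you can run on the site server before trying any device action. This is an added example, not code from the original post or from Microsoft: it queries the SMS Provider for the user resource and reports which discovery methods populated it. The site code and UPN are placeholders, and the two discovery-agent names are an assumption about the values ConfigMgr records in `SMS_R_User.AgentName`; confirm them against a known-good user in your own site before relying on the check.

```powershell
# Added example (not from the original post): verify that the account that will trigger
# tenant-attach device actions has been discovered by BOTH Active Directory user discovery
# and Azure AD user discovery, as the prerequisites require.
# Assumptions: run on the primary site with a local SMS Provider; $SiteCode and the UPN are
# placeholders; the two agent-name strings are what the discovery methods write into
# SMS_R_User.AgentName (verify them in your site first).
param(
    [string]$SiteCode = 'PS1',
    [string]$UserPrincipalName = 'user@contoso.com'   # placeholder UPN
)

$ns = "root\sms\site_$SiteCode"

# Escape single quotes so an unusual UPN cannot break out of the WQL string literal.
$upnSafe = $UserPrincipalName -replace "'", "''"

# A user that was discovered twice may show up as one merged record or as two records,
# so collect every record for the UPN and union their discovery agents.
$records = @(Get-CimInstance -Namespace $ns -ClassName SMS_R_User `
    -Filter "UserPrincipalName = '$upnSafe'" -ErrorAction Stop)

if ($records.Count -eq 0) {
    Write-Warning "No SMS_R_User record for $UserPrincipalName. Check AD user discovery and Azure AD Connect sync."
    return
}

$agents = @($records | ForEach-Object { $_.AgentName }) | Sort-Object -Unique

# Assumed discovery-agent names (see lead-in); adjust if your site records different values.
$hasAd  = $agents -contains 'SMS_AD_USER_DISCOVERY_AGENT'
$hasAad = $agents -contains 'SMS_AZUREAD_USER_DISCOVERY_AGENT'

[pscustomobject]@{
    UserPrincipalName   = $UserPrincipalName
    ResourceCount       = $records.Count
    DiscoveryAgents     = ($agents -join ', ')
    DiscoveredInAD      = $hasAd
    DiscoveredInAzureAD = $hasAad
    # CloudUserId is populated by Azure AD user discovery; empty means the cloud record
    # never bound to this user.
    CloudUserId         = (($records | ForEach-Object { $_.CloudUserId }) -ne $null | Select-Object -First 1)
    ReadyForActions     = ($hasAd -and $hasAad)
}
```

If `ReadyForActions` comes back `False`, fix discovery first; the Notify Resource permission on the collection is a separate check in the console under Administration > Security > Administrative Users and is not covered by this script.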
To see the new cloud feature (it will probably not show up in your 2002.2 Technical Preview release by default), restart the SMS Executive service on the ConfigMgr server. I won’t go into details, but you can use the Configuration Manager Service Manager to do that. This restart is only necessary for this version of the Technical Preview.
Review the following log files, located in <ConfigMgr install directory>\Logs, to monitor the device upload:
Even though it’s not listed, I’d recommend you reboot (restart) your CM server at this point. And you can review that the feature is turned on.
Next, if you don’t have co-management enabled, use the Configure co-management wizard to enable device upload. You can upload your devices without enabling automatic enrollment for co-management or switching workloads to Intune.
At least that’s the theory, in my lab the Configure co-management action button was greyed out so I couldn’t configure it.
- On your Technical Preview Primary Site, run the wbemtest tool as administrator
- Click the Connect… button
- In the Namespace textbox, enter root\sms\site_[SITECODE] and click the Connect button
- Click on the Query… button
- In the Enter Query textbox, enter:
SELECT * FROM SMS_ConfigurationPolicy WHERE CategoryInstance_UniqueIDs = 'SettingsAndPolicy:SMS_CoManagementSettings'
- Click on the Apply button, you should now see a list of objects with this format:
- Select and delete all the objects in that list
- Click on the Close button and you can exit the wbemtest tool
- In the Admin Console, navigate to Administration > Cloud Services > Co-management node. The action button Configure co-management should now be enabled.
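The same cleanup can be done from PowerShell, which has the advantage that you see exactly which objects match before anything is deleted and can dry-run it with `-WhatIf`. This is an added example, not code from the original post or from Microsoft; it runs the identical WQL query the wbemtest steps use. It assumes you run it elevated on the Technical Preview primary site with a local SMS Provider, and that the site code is a placeholder. Only use it on a lab or Technical Preview site where co-management has never been configured, because it removes the co-management settings policy objects outright.

```powershell
# Added example (not from the original post): the wbemtest steps above, done from PowerShell.
# Assumptions: elevated session on the Technical Preview primary site (local SMS Provider);
# $SiteCode is a placeholder. Destructive: deletes the co-management settings policy objects,
# so only run it where co-management has never been configured (lab / Technical Preview).
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param([string]$SiteCode = 'PS1')

$ns    = "root\sms\site_$SiteCode"
# Exactly the query from the wbemtest steps.
$query = "SELECT * FROM SMS_ConfigurationPolicy WHERE CategoryInstance_UniqueIDs = 'SettingsAndPolicy:SMS_CoManagementSettings'"

# Step 1: list the matching objects first so you can sanity-check them.
$policies = @(Get-CimInstance -Namespace $ns -Query $query -ErrorAction Stop)
if ($policies.Count -eq 0) {
    Write-Host "No co-management settings policy objects found in $ns; nothing to do."
    return
}
Write-Host "Found $($policies.Count) co-management settings policy object(s):"
$policies |
    Select-Object CI_ID, CI_UniqueID, LocalizedDisplayName, DateLastModified |
    Format-Table -AutoSize

# Step 2: delete each one, but only after confirmation (or just preview with -WhatIf).
foreach ($p in $policies) {
    $target = "$($p.CI_UniqueID) (CI_ID $($p.CI_ID))"
    if ($PSCmdlet.ShouldProcess($target, 'Remove co-management settings policy')) {
        $p | Remove-CimInstance
        Write-Host "Removed $target"
    }
}
```

Save it as a script and run it once with `-WhatIf` to see the objects that would go, then again without it; because `ConfirmImpact` is High you are prompted for each deletion. Afterwards, open the Co-management node in the console and the Configure co-management button should be enabled.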
Select your chosen devices.
I decided to re-run the steps above and this time I got a Next button 🙂
and against the odds it seemed to work!
At which point you can see the logs full of data…
Next, log in to your tenant at https://aka.ms/memac
and look at this!
To see how you can utilize this new ability in Microsoft Endpoint Manager Admin Center (MEMAC) check out my blog post here.