Enabling the new Tenant Attach feature in Configuration Manager


Microsoft are constantly innovating and adding new features to already amazing products. One such recent addition is a cloud feature called Tenant Attach for Microsoft Endpoint Manager, and you can start testing it right now in Configuration Manager Technical Preview 2002.2.

Update: 2020/04/02. The feature has even made it into Configuration Manager 2002 (Current Branch). For updated details about what Tenant Attach is in relation to Configuration Manager 2002, please see what Microsoft has to say here.

For more info about this new ability see the Microsoft docs below:

Pay attention to the prerequisites:

  • An account that is a Global Administrator for signing in when applying this change. For more information, see Azure Active Directory (Azure AD) administrator roles.
    • Onboarding creates a third-party app and a first-party service principal in your Azure AD tenant.
  • An Azure public cloud environment.
  • The user account triggering device actions has the following prerequisites:

Note: In case it’s not clear above, you need to configure Azure AD Connect to sync your on-premises users to the cloud for the user actions to succeed. You also need to go through the Azure services in ConfigMgr and configure cloud management to sync Azure Active Directory User Discovery.

See below screenshot.

The user performing the action needs to be in both AAD and AD

To see the new cloud feature (as it will probably not show up in your 2002.2 Technical Preview release), you need to restart the SMS Executive service on the ConfigMgr server. I won’t go into details, but you can use the Configuration Manager Service Manager to do that. This restart is only necessary for this version of Technical Preview.

Once done, opt-in to the new feature by selecting Turn On.

and answer Yes to continue.

To monitor the device upload, review the following log files, located in <ConfigMgr install directory>\Logs:

  • CMGatewaySyncUploadWorker.log
  • CMGatewayNotificationWorker.log

Even though it’s not listed, I’d recommend you reboot (restart) your CM server at this point. You can then review that the feature is turned on.

Next, if you don’t have co-management enabled, use the Configure co-management wizard to enable device upload. You can upload your devices without enabling automatic enrollment for co-management or switching workloads to Intune.

At least that’s the theory; in my lab the Configure co-management action button was greyed out so I couldn’t configure it.

If the Configure co-management button is greyed out for you too, you could try the following; it worked for me.

  1. On your Technical Preview Primary Site, run the wbemtest tool as administrator
  2. Click the Connect… button
  3. In the Namespace textbox, enter root\sms\site_[SITECODE] and click the Connect button
  4. Click on the Query… button
  5. In the Enter Query textbox, enter:
     SELECT * FROM SMS_ConfigurationPolicy WHERE CategoryInstance_UniqueIDs = 'SettingsAndPolicy:SMS_CoManagementSettings'
  6. Click on the Apply button, you should now see a list of objects with this format:
  7. Select and delete all the objects in that list
  8. Click on the Close button and you can exit the wbemtest tool
  9. In the Admin Console, navigate to Administration > Cloud Services > Co-management node. The action button Configure co-management should now be enabled.
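
The same query-and-delete steps can be scripted in PowerShell so that the objects are saved to a file before anything is removed. This is an added example, not part of the original post or Microsoft's documentation; the function name, the site code ABC and the backup folder are placeholders, and it assumes the SMS Provider accepts deletes through the CIM cmdlets the same way it does through wbemtest.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). The function name is hypothetical;
# the site code and backup folder are placeholders you supply.
function Remove-CoManagementPolicyObject {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z0-9]{3}$')]   # site codes are three characters
        [string]$SiteCode,

        [string]$BackupDirectory = $env:TEMP
    )

    $namespace = "root\sms\site_$SiteCode"
    # Same WQL the post enters in wbemtest.
    $query = "SELECT * FROM SMS_ConfigurationPolicy " +
             "WHERE CategoryInstance_UniqueIDs = 'SettingsAndPolicy:SMS_CoManagementSettings'"

    $objects = @(Get-CimInstance -Namespace $namespace -Query $query -ErrorAction Stop)
    if ($objects.Count -eq 0) {
        Write-Verbose "No co-management policy objects found in $namespace."
        return
    }

    # Keep a copy of what is about to be deleted, for review or audit.
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $BackupDirectory "CoMgmtPolicy-$SiteCode-$stamp.xml"
    $objects | Export-Clixml -Path $backup
    Write-Verbose "Saved $($objects.Count) object(s) to $backup"

    $i = 0
    foreach ($obj in $objects) {
        $i++
        $target = "SMS_ConfigurationPolicy object $i of $($objects.Count) in $namespace"
        # With -WhatIf this only lists the targets; otherwise each delete is confirmed.
        if ($PSCmdlet.ShouldProcess($target, 'Delete')) {
            Remove-CimInstance -InputObject $obj -ErrorAction Stop
        }
    }
}

# Dry run first ('ABC' is a placeholder site code):
# Remove-CoManagementPolicyObject -SiteCode 'ABC' -WhatIf -Verbose
```

Run it with -WhatIf first and check the exported file before repeating the call without it.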

On the Configure Co-management screen, deselect the option to Enable automatic client enrollment for co-management as it’s not needed for this feature.

Click on Sign In and sign in to your tenant. When it becomes greyed out, select Next.

You’ll be prompted to accept creation of an AAD application; click Yes.

Select your chosen devices

and click Next to continue. However, doing that gave me the following error even though I used a Global admin account.

Note: If you get an error like the above please refer to the SMSAdminUI.log for troubleshooting details.

I decided to re-run the steps above and this time I got a Next button 🙂

and against the odds it seemed to work!

At which point you can see the logs full of data…

Next, login to your tenant at https://aka.ms/memac

and look at this!

Awesome!

To see how you can utilize this new ability in Microsoft Endpoint Manager Admin Center (MEMAC) check out my blog post here.

