Introduction

Note: I’ve updated this post with new info relating to Configuration Manager Technical Preview 2004.

Microsoft has been hard at work making client management even more cloud friendly, now you can do device sync and device actions from within the Microsoft Endpoint Manager Admin Center.

In a previous blog post I showed you how you can enable tenant attach in Configuration Manager Technical Preview 2002.2. If you haven’t already, please check out the steps in that post before continuing.

In that blog post you enabled the tenant attach feature and as part of that you were informed that the wizard would create an Azure AD application. You can see that application in Azure AD.

Note: The keen eyed among you will notice that I have three (ConfigMgr) apps listed below but only the first is valid, the other two were likely the result of my first failed attempt at installing the feature and they do not have any API permissions.

Select the first ConfigMgrSvc and click on View API Permissions, you should see something like this.

And it’s those permissions that allow the Azure Ad application to share data and actions between the cloud and your on premise ConfigMgr environment.

So Let’s look in Intune, I mean, let’s look in the Microsoft Endpoint Manager Admin Center (or MEMAC).

browse to https://aka.ms/memac and expand your devices.

The device named MININT-01MIIG3 is currently active in my lab, so let’s work with that one.

To understand where that device came from, you can look at the collection I pointed to in ConfigMgr when I setup the Tenant Attach (All Windows 10) and here’s a view of that collection.

You can see our active client right there.

But back to MEMAC and let’s select that device. This reveals actions that can be taken on the ConfigMgr managed device from the cloud !

The hardware tab reveals some data too (not a lot, but some).

The following actions are available:

• Sync Machine Policy
• Sync User Policy
• App Evaluation Cycle

Sync machine policy

Click on Sync machine policy in the Microsoft Endpoint Manager console. Once done, you’ll see the action status in the MEMAC console (probably pending).

Note: The screenshots below are from Technical Preview 2004.

You’ll see a popup in Microsoft Endpoint Manager asking if you’d like to continue with your action.

After clicking Yes on the ConfigMgr server side you can monitor progress in the CMGatewayNotificationWorker.log

Look for a line that reads:

Received new notification. Validating basic notification details...

Notice how it states shortly after…

 Authorized to perform client action. TemplateID: RequestMAchinePolicy...

On the client side, look at the following log file:

C:\Windows\CCM\Logs\PolicyAgent.log

Look for a line that has the following text:

Requesting Machine policy assignments from authority 'SMS:XXX'

Replace XXX with your site code.

Note that the date/time is exactly the same as when you initiated the action in Intune.

That’s pretty impressive indeed ! well done to all the Product Group @ Microsoft.

Sync user policy

This time we’ll try to sync user policy, in Microsoft Endpoint Manager click on Sync user policy.

After clicking Yes on the ConfigMgr server side you can monitor progress in the CMGatewayNotificationWorker.log

Notice how it states the following shortly after our notification…

 Authorized to perform client action. TemplateID: RequestUserPolicyForAllUsers...

And on the client side in this log file:

C:\Windows\CCM\Logs\PolicyAgent.log

Look for a line that has the following text:

Requesting User policy assignments for ...

App evaluation policy

This action triggers a revaluation of requirement rules for all application deployments on the client. To test the scenario, deploy a required application to a collection the client is in. Then after the application installed, manually uninstall it in control panel.

In Microsoft Endpoint Manager after clicking on App evaluation policy you’ll see the following popup, click Yes to continue.

In the CMGatewayNotificationWorker.log look for

Authorized to perform client action. TemplateID: ApplicationDeploymentEvaluation

And on the client..look at the C:\Windows\CCM\Logs\AppDiscovery.log, and you’ll see it performing a detection of the application…

next, look at C:\Windows\CCM\Logs\AppIntentEval.log and you’ll see any dependencies listed…

No dependencies for DeploymentType...

next, look at C:\Windows\CCM\Logs\AppEnforce.log where you’ll see

Starting Install enforcement...

because the required application is not installed.

cool !

Action status

After you’ve tried a few sync actions you’ll see the status of your actions in the MEMAC console.

If your sync actions remain listed as pending after refreshing the console page, check the troubleshooting section below.

Troubleshooting

Note that in this version you’ll only see a max of three device actions status listed, so, if you for example trigger a new Sync Machine Policy action, the Device action status will simply overwrite the last matching status with your current action.

This might make it hard to troubleshoot what actions you initiated and when, but no doubt this will be improved upon soon enough !

If Device action status remains in a pending state for a long time look at the CMGatewayNotificationWorker.log on the ConfigMgr server for a failure (at the time when you initiated the action in MEMAC) like this.

Unauthorized to perform client action

If you see that error then verify that you completed the following actions:

• Setup Azure AD Connect on the ConfigMgr server
• Setup Cloud Management to sync Azure Directory Users to AD

Once you have done those correctly you’ll see the log reporting as follows:

Authorized to perform client action. TemplateID: RequestMachinePolicy TenantId: ..

and you should quickly see it update the status of the device action from Pending to Complete.

Success !