Tenant attach data collection

Applies to: Configuration Manager (current branch)

When you attach your Configuration Manager site with a Microsoft Intune tenant, the site sends additional data to Microsoft. This article summarizes the data that's sent.

Tenant attach makes the Microsoft Endpoint Manager admin center your console in the cloud. The architecture allows the Configuration Manager site to synchronize data about the device and the user to your Intune tenant. You can then query data from your on-premises environment and present it in the cloud console in real time, without active synchronization. This real-time query can fetch large volatile data from your on-premises site. Tenant attach uses a mixture of these methods to provide efficient up-to-date information in the cloud console.


The Microsoft data handling policies are described in the Microsoft Intune Privacy Statement. We only use your customer data to provide you the services you signed up for.

We don't sell any data collected by our service to any third parties for any reason.

All of this data is required service data, which is needed for the tenant attach connected experience. Required service data includes the following information:

  • Customer content, which is content you create. For example, the name of your LOB application.
  • Functional data, which includes information needed by a connected experience to perform its task. For example, configuration information about the app.
  • Service diagnostic data, which is the data necessary to keep the service secure, up to date, and performing as expected. Because this data is strictly related to the connected experience, it's separate from required or optional diagnostic data levels.

Microsoft Endpoint Manager collects information that falls into three categories:

  • Identified data: Most data that Microsoft Endpoint Manager collects is identified data. This data is tied to a user, device, or application and is essential to the nature of management. Identified data is used to manage a user's device and applications.

  • Pseudonymized data: This data is associated with a unique identifier. It's typically a number generated by the system that on its own can't identify an individual person. Microsoft Endpoint Manager uses this data to deliver the enterprise service.

  • Aggregated data: This data is usage statistics such as the number of devices or which controls you use in the Microsoft Endpoint Manager admin center.

The following sections provide examples of the types of data that tenant attach synchronizes to the cloud. They're grouped by functional entity, so you can review for specific features that you're using.


For each Windows Installer (msi) deployment type:

  • ProductName: The name of the application
  • Publisher: The entity that published the software
  • Version: The version of the application
  • ProductLanguage: The language code for the application
  • ProgramID: An identifier for the deployment type

Device sync

For each device:

  • SMSID: The unique identifier of your Configuration Manager hierarchy
  • AADTenantID: The unique identifier of your Azure Active Directory (Azure AD) tenant
  • AADDeviceID: The unique identifier of the device in Azure AD
  • Name: The device's host name
  • DeviceOS: The name of the device's operating system. For example, Microsoft Windows NT Server 6.3
  • DeviceOSBuild: The build version of the device's operating system. For example, 10.0.19041
  • AADPrimaryUserID: The unique identifier of the device's primary user in Azure AD
  • Model: The device model
  • Manufacturer: The device manufacturer
  • SerialNumber: The device serial number
  • DomainNames: Any domain names for the device
  • SKU

Windows Defender Advanced Threat Protection (ATP)

For any collection that you select for ATP policy deployment:

  • CollectionId: The unique identifier of the collection. For example, ABC00014
  • CollectionName: The name of the collection. For example, All Windows servers
  • CollectionType: Identifies whether it's a device or user collection.
  • CountTargeted: The count of devices that you target with this policy
  • CountCompliant: The count of devices that are compliant with this policy
  • CountNonCompliant: The count of devices that aren't compliant with this policy
  • CountFailed: The count of devices that failed to process this policy
  • CountActivated
  • CountEnforced

See also

For more general information on the data that Configuration Manager collects, see Diagnostics and usage data for Configuration Manager.

For more information about related privacy aspects, see the following articles: