Tenant attach data collection

Article
11/16/2023

Applies to: Configuration Manager (current branch) f

When you attach your Configuration Manager site with a Microsoft Intune tenant, the site sends more data to Microsoft. This article summarizes the data that's sent.

Tenant attach makes the Microsoft Intune admin center your console in the cloud. The architecture allows the Configuration Manager site to synchronize data about the device and the user to your Intune tenant. You can then query and present data from your on-premises environment in the cloud console in real time without active synchronization. It can fetch large volatile data from your on-premises site. Tenant attach uses a mixture of these methods to provide efficient up-to-date information in the cloud console.

Important

The Microsoft data handling policies are described in the Microsoft Intune Privacy Statement. We only use your customer data to provide you the services you signed up for.

We don't sell any data collected by our service to any third parties for any reason.

The data is all required service data that's needed for the tenant attach connected experience. Required service data includes the following information:

Customer content, which is content you create. For example, the name of your LOB application.
Functional data, which includes information needed by a connected experience to perform its task. For example, configuration information about the app.
Service diagnostic data, which is the data necessary to keep the service secure, up to date, and performing as expected. Because this data is strictly related to the connected experience, it's separate from required or optional diagnostic data levels.

The Microsoft Intune family of products collects information that falls into three categories:

Identified data: Most data that Microsoft Intune and Configuration Manager collect is identified data. This data is tied to a user, device, or application and is essential to the nature of management. Identified data is used to manage a user's device and applications.
Pseudonymized data: This data is associated with a unique identifier. It's typically a number generated by the system that on its own can't identify an individual person. The Microsoft Intune family of products use this data to deliver the enterprise service.
Aggregated data: This data is usage statistics such as the number of devices or which controls you use in the Microsoft Intune admin center.

The following sections provide examples of the types of data that tenant attach synchronizes to the cloud. They're grouped by functional entity, so you can review for specific features that you're using.

Applications

For each Windows Installer (msi) deployment type:

ProductName: The name of the application
Publisher: The entity that published the software
Version: The version of the application
ProductLanguage: The language code for the application
ProgramID: An identifier for the deployment type

Device sync

For each device:

SMSID: The unique identifier of your Configuration Manager hierarchy
AADTenantID: The unique identifier of your Microsoft Entra tenant
AADDeviceID: The unique identifier of the device in Microsoft Entra ID
Name: The device's host name
DeviceOS: The name of the device's operating system. For example, Microsoft Windows NT Server 6.3
DeviceOSBuild: The build version of the device's operating system. For example, 10.0.19041
AADPrimaryUserID: The unique identifier of the device's primary user in Microsoft Entra ID
Model: The device model
Manufacturer: The device manufacturer
SerialNumber: The device serial number
DomainNames: Any domain names for the device
SKU

Microsoft Defender for Endpoint

For any collection that you select for Endpoint policy deployment:

CollectionId: The unique identifier of the collection. For example, ABC00014
CollectionName: The name of the collection. For example, All Windows servers
CollectionType: Identifies whether it's a device or user collection.
CountTargeted: The count of devices that you target with this policy
CountCompliant: The count of devices that are compliant with this policy
CountNonCompliant: The count of devices that aren't compliant with this policy
CountFailed: The count of devices that failed to process this policy
CountActivated: The count of devices where the policy is activated
CountEnforced: The count of devices where the policy is enforced
TenantId: The unique identifier of your Microsoft Entra tenant
HierarchyId: The unique identifier of your Configuration Manager hierarchy
DeviceId: The unique identifier of the device in Microsoft Entra ID
ProductStatus: Provide the current state of the product
ComputerState: Provide the current state of the device
DefenderEnabled: Indicates whether the Windows Defender service is running
RtpEnabled: Indicates whether real-time protection is running
NisEnabled: Indicates whether network protection is running
QuickScanOverdue: Indicates whether a Windows Defender quick scan is overdue for the device
FullScanOverdue: Indicates whether a Windows Defender full scan is overdue for the device
SignatureOutOfDate: Indicates whether the Windows Defender signature is outdated
RebootRequired: Indicates whether a device reboot is needed
FullScanRequired: Indicates whether a Windows Defender full scan is required
EngineVersion: Version number of the current Windows Defender engine on the device
SignatureVersion: Version number of the current Windows Defender signatures on the device
DefenderVersion: Version number of Windows Defender on the device
QuickScanTime: Time of the last Windows Defender quick scan of the device
FullScanTime: Time of the last Windows Defender full scan of the device
QuickScanSigVersion: Signature version used for the last quick scan of the device
FullScanSigVersion: Signature version used for the last full scan of the device
TamperProtectionEnabled: Indicates whether the Windows Defender tamper protection feature is enabled
IsMdeSenseRunning: Indicates the Windows Defender Advanced Threat Protection Sense running state
MdeOnboardingState: Indicates Defender for Endpoint onboarding state for the device
IsVirtualMachine: Indicates whether the device is a virtual machine
LastUpdateTime: Time of the last Windows Defender signature update
ThreatID: The ID of a threat that has been detected by Windows Defender
ThreatName: The name of the specific threat
Category: Threat category ID
Severity: Threat severity ID
URL: URL link for additional threat information
CurrentStatus: Information about the current status of the threat
CurrentStatusID: Information about the current status of the threat
ExecutionStatus: Information about the execution status of the threat
LastThreatStatusChangeTime: The last time this particular threat was changed
InitialDetectionTime: The first time this particular threat was detected
NumberOfDetections: Number of times this threat has been detected on a particular client

For more details on data collected for Microsoft Defender for Endpoint, see Defender CSP.

Azure Application Insights

The site uploads data to the Azure Application Insights service. Application Insights detects issues for problem solving and continuous application improvement. The following data is sent to this service:

OS version information for the service connector point
Site version information
Site support ID, also known as the hierarchy ID
Language information
Azure tenant ID
Microsoft Entra client ID
Exceptions and errors that the service connector point generates
Status events for the service operation

For more information on this service, see Application Insights API for custom events and metrics. Configuration Manager currently uses the following API methods: TrackEvent, TrackException, TrackRequest, and TrackTrace.

Tenant attach data collection

Applications

Device sync

Microsoft Defender for Endpoint

Azure Application Insights

See also

Feedback

Feedback

Additional resources