Microsoft Endpoint Manager tenant attach: Device sync and device actions

Applies to: Configuration Manager (current branch)

Microsoft Endpoint Manager is an integrated solution for managing all of your devices. Microsoft brings together Configuration Manager and Intune into a single console called Microsoft Endpoint Manager admin center.

Starting in Configuration Manager version 2002, you can upload your Configuration Manager devices to the cloud service and take actions from the Devices blade in the admin center.

Prerequisites

  • A Global Administrator account to sign in with when you apply this change. For more information, see Azure Active Directory (Azure AD) administrator roles.
    • Onboarding creates a third-party app and a first-party service principal in your Azure AD tenant.
  • An Azure public cloud environment.
  • The user accounts that trigger device actions have the following prerequisites:

Internet endpoints

  • https://aka.ms/configmgrgateway
  • https://*.manage.microsoft.com
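The two endpoints above must be reachable from the service connection point, and a blocked proxy or TLS inspection path is the usual reason a sync never starts. The following PowerShell check is an added example for this page, not code from Microsoft or from Configuration Manager. It resolves each host, tests TCP 443, and then attempts an HTTPS HEAD request so that the TLS handshake and any proxy are exercised too. The wildcard entry https://*.manage.microsoft.com cannot be tested as written; the script substitutes the apex host manage.microsoft.com, which is an assumption and not something the page states.

```powershell
# Added example (not from the original page): probe the tenant attach internet
# endpoints from the service connection point. The wildcard host is replaced by
# the apex host manage.microsoft.com as an assumption for the probe.
$endpoints = @(
    'https://aka.ms/configmgrgateway',
    'https://*.manage.microsoft.com'
)

# Windows PowerShell 5.1 may default to an older TLS version; opt in to TLS 1.2.
# Harmless on PowerShell 7.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

function Test-TenantAttachEndpoint {
    param([Parameter(Mandatory)][string]$Url)

    # Drop a leading "*." so the URI parses, then keep only the host part.
    $hostName = ([uri]($Url -replace '\*\.', '')).Host

    $result = [ordered]@{ Url = $Url; Host = $hostName; Dns = $false; Tcp443 = $false; Https = $null }

    # 1. Name resolution (Resolve-DnsName throws on NXDOMAIN with -ErrorAction Stop).
    try { $result.Dns = [bool](Resolve-DnsName -Name $hostName -Type A -ErrorAction Stop) } catch { }

    # 2. Raw TCP reachability on 443 (catches firewall blocks before any proxy is involved).
    if ($result.Dns) {
        $tnc = Test-NetConnection -ComputerName $hostName -Port 443 -WarningAction SilentlyContinue
        $result.Tcp443 = $tnc.TcpTestSucceeded
    }

    # 3. HTTPS request through the system proxy. Any HTTP status code, including a
    #    redirect from aka.ms, proves the TLS handshake and proxy path work.
    if ($result.Tcp443) {
        try {
            $resp = Invoke-WebRequest -Uri "https://$hostName/" -Method Head -UseBasicParsing -MaximumRedirection 0 -ErrorAction Stop
            $result.Https = $resp.StatusCode
        } catch {
            if ($_.Exception.Response) { $result.Https = [int]$_.Exception.Response.StatusCode }
            else { $result.Https = $_.Exception.Message }   # e.g. TLS or proxy authentication failure
        }
    }
    [pscustomobject]$result
}

$endpoints | ForEach-Object { Test-TenantAttachEndpoint -Url $_ } | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the service connection point, under the account the site server uses if that account has a different proxy configuration than your interactive login. A row with Dns and Tcp443 true but Https holding an exception message points at TLS inspection or proxy authentication rather than at a firewall rule.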

Enable device upload

  • If co-management is already enabled, edit the co-management properties to enable device upload.
  • If co-management isn't enabled, use the Configure co-management wizard to enable device upload.
    • You can upload your devices without enabling automatic enrollment for co-management or switching workloads to Intune.
  • All devices managed by Configuration Manager that have Yes in the Client column are uploaded. If needed, you can limit the upload to a single device collection.

Edit co-management properties to enable device upload

If co-management is already enabled, use the following steps to edit the co-management properties and enable device upload:

  1. In the Configuration Manager admin console, go to Administration > Overview > Cloud Services > Co-management.

  2. Right-click your co-management settings and select Properties.

  3. On the Configure upload tab, select Upload to Microsoft Endpoint Manager admin center, then click Apply.

    • The default device upload setting is All my devices managed by Microsoft Endpoint Configuration Manager. If needed, you can limit the upload to a single device collection.

    (Screenshot: Co-management Configuration Wizard)

  4. Sign in with your Global Administrator account when prompted.

  5. Click Yes to accept the Create AAD Application notification. This action provisions a service principal and creates an Azure AD application registration to facilitate the sync.

  6. Click OK to exit the co-management properties once you're done making changes.

Use the Configure co-management wizard to enable device upload

If co-management isn't enabled, use the Configure co-management wizard to enable device upload. You can upload your devices without enabling automatic enrollment for co-management or switching workloads to Intune. Enable device upload using the following steps:

  1. In the Configuration Manager admin console, go to Administration > Overview > Cloud Services > Co-management.

  2. In the ribbon, click Configure co-management to open the wizard.

  3. On the Tenant onboarding page, select AzurePublicCloud for your environment. Azure Government cloud isn't supported.

  4. Click Sign In and sign in with your Global Administrator account.

  5. Ensure the Upload to Microsoft Endpoint Manager admin center option is selected on the Tenant onboarding page.

    • Make sure the Enable automatic client enrollment for co-management option isn't checked if you don't want to enable co-management now. If you do want to enable co-management, select the option.
    • If you enable co-management along with device upload, the wizard shows additional pages to complete. For more information, see Enable co-management.

    (Screenshot: Co-management Configuration Wizard)

  6. Click Next and then Yes to accept the Create AAD Application notification. This action provisions a service principal and creates an Azure AD application registration to facilitate the sync.

  7. On the Configure upload page, keep the recommended device upload setting, All my devices managed by Microsoft Endpoint Configuration Manager. If needed, you can limit the upload to a single device collection.

  8. Click Summary to review your selections, then click Next.

  9. When the wizard is complete, click Close.

Review your upload

  1. Open CMGatewaySyncUploadWorker.log from <ConfigMgr install directory>\Logs.
  2. The next sync time is recorded by log entries similar to Next run time will be at approximately: 02/28/2020 16:35:31.
  3. For device uploads, look for log entries similar to Batching N records, where N is the number of devices uploaded to the cloud.
  4. Changes are uploaded every 15 minutes. After changes are uploaded, it can take an additional 5 to 10 minutes for them to appear in the Microsoft Endpoint Manager admin center.
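Reading the log by hand works for a single check, but a scheduled health check wants the same facts as data: when the next sync runs, how many records the last cycles uploaded, and whether any error entries appeared. The PowerShell function below is an added example for this page, not code from Microsoft or from Configuration Manager. It parses the standard Configuration Manager (CMTrace) log line layout, in which the message is wrapped in <![LOG[...]LOG]!> and the trailing attributes carry the time, date, component and a type field (1 informational, 2 warning, 3 error), and it recognizes the two messages the page quotes. The sample lines are constructed for the example; the error entry in particular is made up to exercise the error path and is not a real message from this log.

```powershell
# Added example (not from the original page): summarize CMGatewaySyncUploadWorker.log.
# The sample entries below are constructed; the log path in the usage line is the one
# the page names, <ConfigMgr install directory>\Logs.
$sampleLog = @'
<![LOG[Next run time will be at approximately: 02/28/2020 16:35:31]LOG]!><time="16:20:31.123+480" date="02-28-2020" component="CMGatewaySyncUploadWorker" context="" type="1" thread="1234" file="">
<![LOG[Batching 25 records]LOG]!><time="16:35:32.456+480" date="02-28-2020" component="CMGatewaySyncUploadWorker" context="" type="1" thread="1234" file="">
<![LOG[Sample error entry for demonstration]LOG]!><time="16:35:40.001+480" date="02-28-2020" component="CMGatewaySyncUploadWorker" context="" type="3" thread="1234" file="">
'@

function Get-CMGatewaySyncSummary {
    [CmdletBinding()]
    param(
        # One log line per pipeline item, e.g. from Get-Content.
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Line
    )
    begin {
        # CMTrace entry: <![LOG[message]LOG]!><time="..." date="..." component="..." context="..." type="N" ...>
        $pattern = '^<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)" component="(?<comp>[^"]*)" context="[^"]*" type="(?<type>\d)"'
        $nextRun = $null
        $batches = 0
        $records = 0
        $errors  = [System.Collections.Generic.List[string]]::new()
    }
    process {
        if (-not ($Line -match $pattern)) { return }   # skip continuation or malformed lines
        $entry = $Matches                              # keep a copy; later -match calls replace $Matches
        $msg = $entry.msg

        if ($entry.type -eq '3') { $errors.Add("$($entry.date) $($entry.time) $msg") }

        if ($msg -match 'Next run time will be at approximately:\s*(?<when>.+)$') {
            $nextRun = $Matches.when.Trim()            # last occurrence wins: the upcoming sync
        }
        elseif ($msg -match '^Batching (?<n>\d+) records') {
            $batches++
            $records += [int]$Matches.n                # N devices in this batch
        }
    }
    end {
        [pscustomobject]@{
            NextRunTime     = $nextRun
            Batches         = $batches
            RecordsUploaded = $records
            ErrorCount      = $errors.Count
            Errors          = $errors.ToArray()
        }
    }
}

# Against the constructed sample: NextRunTime 02/28/2020 16:35:31, Batches 1, RecordsUploaded 25, ErrorCount 1.
$sampleLog -split "`r?`n" | Get-CMGatewaySyncSummary

# Against the live log on the service connection point:
# Get-Content "<ConfigMgr install directory>\Logs\CMGatewaySyncUploadWorker.log" | Get-CMGatewaySyncSummary
```

Because the log rolls over, RecordsUploaded counts batches in whatever portion of the file you pipe in; for a "did the last cycle upload anything" check, pipe only the tail of the file (Get-Content -Tail) rather than the whole log. A NextRunTime that stays fixed across two runs 15 minutes apart means the worker has stopped scheduling, which is the first thing to look at before reading individual error entries.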

Perform device actions

  1. In a browser, navigate to endpoint.microsoft.com

  2. Select Devices, then All devices, to see the uploaded devices. Uploaded devices show ConfigMgr in the Managed by column.

    (Screenshot: All devices in Microsoft Endpoint Manager admin center)

  3. Click on a device to load its Overview page.

  4. Click on any of the following actions:

    • Sync Machine Policy
    • Sync User Policy
    • App Evaluation Cycle

    (Screenshot: Device overview in Microsoft Endpoint Manager admin center)

Known issues

Specific devices don't synchronize

Some devices that are Configuration Manager clients might not be uploaded to the service.

Impacted devices: If a device is a distribution point that uses the same PKI certificate for both the distribution point role and its client agent, the device isn't included in the tenant attach device sync.

Behavior: During onboarding, tenant attach performs a full sync the first time. Subsequent sync cycles are delta synchronizations. Any update to an impacted device causes that device to be removed from the sync.

Log files

Use the following logs located on the service connection point:

  • CMGatewaySyncUploadWorker.log
  • CMGatewayNotificationWorker.log

Next steps

For more information about the tenant attach log files, see Troubleshoot tenant attach.