The management planes merge even further with the announcement of the Tenant Attach feature for ConfigMgr, recently released as Preview in the ConfigMgr Technical Preview 2002.2 Build, which allows you to upload your ConfigMgr clients to Intune, and issues to them some initially very basic management capabilities from the MEMAC portal.

What this boils down to is initially in this early technical preview release bringing to bear basic management-capabilities of a ConfigMgr client, performed from Intune via the MEM Admin Center portal. Telling ConfigMgr to tell one of its clients to perform an activity, that’s some reach!

If you throw in the Client Management Gateway, we can communicate with ConfigMgr devices whether they are on or off the corporate network, as long as they are online we’ll be able to reach them from Intune.

And although the Device Upload feature sits inside the Co-management feature, we don’t have to enable Co-management for Device Upload to work. Enrollment to Intune for Co-managed devices can be disabled, and no work-loads need to be transferred.

There are some prerequisites, so make sure you have this lot ticked off:

The “Has been discovered with Azure Active Directory user discovery bit means that ConfigMgr has discovered the users from Azure AD, this requires Azure Services to be configured.

The “Has been discovered with Active Directory user discovery” bit means AD Connect has replicated the AD User to Azure AD. So you’re going to need AD Connect configured.

I whittled out a diagram shown below to visualise the requirement for Azure Active Directory User sync, used to sync Azure AD Users into ConfigMgr, and AD Connect to sync AD users to Azure AD. We’re not synchronising Azure AD Users into Active Directory quite yet, we just need Azure AD users to show up in ConfigMgr so as to be able to perform client actions:

My lab already has Azure Services configured to enable the Client Management Gateway but you don’t need one, head off and configure Azure Services to onboard your tenant if you haven’t already. Make sure AD Connect is correctly synchronising AD users to Azure AD, and make sure Azure Active Directory User Discovery is enabled and working on the ConfigMgr Site server:

Post-Azure Services onboarding:

Light up the Device Upload (Device Sync, Tenant Attach …) feature

Head on over to the ConfigMgr Console, navigate to Administration and expand the Updates and Servicing node, click on Features.

Find the Microsoft Endpoint Manager tenant attach: Device sync and device actions entry, turn it on:

At this point either restart the server or restart the SMS_EXECUTIVE service as pointed out in the documentation.

Roll on over to Administration, Cloud Services and Co-management, hit that Configure co-management button like a boss:

Give the Sign in button some loving:

Tap in credentials with enough privilege’s in Azure to do this job:

I’ve selected both options below, specifically the Upload to Microsoft Endpoint Manager admin center option is all that is needed to support the Device Upload feature:

Crack on and accept the prompt to register an application in the AAD tenant:

I’m not going to restrict the Device Upload feature in this lab, however as you can see we’re able to handle scoping to define a sub-set of the devices assigned to ConfigMgr by choosing a specific collection:

I’ll let ConfigMgr devices enrol into Intune, select None if you want to disable this feature, its not required for Device Upload to function:

I’ve kept the workloads as-is and not transferred any to Intune so as to light up the Co-management feature:

And I’ve left the workload collections unconfigured as a consequence:

The Summary page is always an exciting place full of trepidation especially on Technical Preview builds while working with preview features …

Looking good, Device Upload should be good to go:

Check out the Azure Services node, Cloud Attach is now mentioned, if it isn’t restart the server as an effective remedy:

Observation Deck

To observe what is happening we have two places to go, logs and  the MEM Admin Center portal.

Before we do, head over to the Azure Portal and open up App registrations:

The Application (client) ID is key, and drilling in yields some more information to ponder:


We have two logs to check out so as to observe operational telemetry for the Device Upload feature:

  • CMGatewaySyncUploadWorker
  • CMGatewayNotificationWorker

I use LogLauncher to get to logs easily, click click and I’m there, so many ways to look at logs nowadays but every lab I use has this productivity tool installed: