SCCM Tenant Attach Step by Step Guide Troubleshooting

Let’s check out SCCM Tenant Attach Step by Step Guide. In Configuration Manager, production version 2002, Microsoft introduced a new feature called “Tenant attach.” With this feature, you can synchronize ConfigMgr agents to Intune without enrolling in Intune.

Once synchronized, the ConfigMgr device will be visible in the Microsoft Endpoint Manager Admin Center portal. You can perform remote actions for SCCM clients from Intune portal. The SCCM tenant attach is helpful for helpdesk scenarios and a single pane of glass scenarios.

The key point is that the ConfigMgr client is in Intune console without enrolling in Intune. This means your ConfigMgr managed device does not need co-managed to avail of some Cloud benefits.

You can refer to more details on Tenant attach troubleshooting details from the blog post-SCCM Tenant Attach Background Process Walkthrough via Logs.

Patch My PC

Related Posts SCCM 2002 Installation Step By Step Guide | MEMCM | ConfigMgr & PowerShell Script To Enable Opt-In Version Of SCCM 2002 Early Update Ring

What is SCCM Tenant Attach Vs Co-Management

What is SCCM Cloud Attach Tenant Attach Client Attach Vs Co-Management? I hope you already heard about the SCCM cloud attach (wait, MECM Cloud Attach) many times before.

Let me tell you cloud attach is a bit different now! All the details are taken from Jason Githens & Rob York’s session in MS Ignite 2019. More information about the Ignite session is below.

Co-management is the bridge between traditional management and modern management. Microsoft renamed the co-management node in the SCCM admin console to Cloud Attach.

Adaptiva

Windows 10 or Windows 11 co-management is dual management (with SCCM and Intune) capability available with Windows 10 1709 version (Fall Creators Update) and later.

  • Co managed device = SCCM agent + Intune enrolled
  • Tenant attach device = SCCM agent synced to MEM (Not Intune enrolled)

Related Post

Introduction

Yes, you are correct! SCCM cloud attach is not new here. Microsoft mentioned the SCCM cloud attached features in the last MS Ignite. The following ⏬⏬was the offering from Microsoft.

Cloud Attached SCCM - Last Year MS Ignite Slide What is SCCM Cloud Attach Tenant Attach Client Attach Vs Co-Management
Last Year MS Ignite (2018) Slide What is SCCM Tenant Attach Vs Co-Management

Microsoft did a great job of evolving to the new vision of cloud attach with the following options. With the Microsoft Endpoint Manager announcement, Microsoft is trying to help organizations to reduce the friction in the Modern Management strategies. 

  • Cloud console
  • Tenant attach
  • Client attach
  • Single pane of glass

User Experience Analytics

User experience analytics comes with the following components as per Jason. You can listen to the recorded video of this session to know more about these topics.

  • Startup Performance
  • Remediation Scripting
  • Recommended Software
  • Experience Score
End User Experience with User Experience Analytics  What is SCCM Cloud Attach Tenant Attach Client Attach Vs Co-Management
End-User Experience with User Experience Analytics What is SCCM Cloud Attach Tenant Attach Client Attach Vs Co-Management

I hope these new options will to help customers to achieve their organizational goals, as Jason explained in the presentation.

  • Employee Experience
  • Employee Retention
  • Attracting New Talent
  • Change Control Dashboard (Change Control with User Experience in a data-driven way)

What is User Experience Analytics?

User Experience Analytics - Dashboard What is SCCM Cloud Attach Tenant Attach Client Attach Vs Co-Management
User Experience Analytics – Dashboard What is SCCM Cloud Attach Tenant Attach Client Attach Vs Co-Management

What is SCCM Cloud Attach Tenant Attach Client Attach Vs Co-Management?

As per Rob (check out the recorded session below), the cloud attach is the option to leverage the combined power of Microsoft Endpoint Manager by connecting SCCM to Intune.

There are two parts to Cloud Attach, and that is very well explained in the below slide deck. More details are below sub-sections.

SCCM Cloud Attach Options - SCCM Cloud Attach - SCCM Tenant Attach
SCCM Cloud Attach Options – SCCM Cloud Attach – SCCM Tenant Attach What is SCCM Cloud Attach Tenant Attach Client Attach Vs Co-Management

Tenant Attach

Tenant Attach – Connect your SCCM site to Microsoft Intune for instant cloud console and troubleshooting power. The “tenant attach” is on-demand connected architecture. No, Microsoft is not replicating the entire SCCM DB to Intune!!

The tenant architecture is an on-demand connection when you click on an item in the Microsoft Endpoint Manager portal. Also, these types of information will give help desk teams a better experience.

SCCM Cloud Attach Architecture Diagram What is SCCM Cloud Attach Tenant Attach Client Attach Vs Co-Management
SCCM Cloud Attach Architecture Diagram What is SCCM Cloud Attach Tenant Attach Client Attach Vs Co-Management

The following are the features you will be able to enable with the SCCM tenant attach:

  • Cloud Console through Microsoft Endpoint Admin Console (EMAC)
  • ATP Integration
  • Helpdesk
  • Desktop Analytics
  • User Experience Analytics
  • Web front-end CMPivot

Client Attach through Co-Management

SCCM Client attach is nothing but co-management. We have many guides about SCCM co-management. I would recommend going through the latest one, “SCCM CMG Schema Workflow Scenarios.”

Client Attach Features!

  • Conditional Access
  • Modern Provisioning through Autopilot
  • Management from Anywhere

How to Attach SCCM to Cloud Tenant?

As per Rob, this tenant attaches option will be coming to future SCCM versions. I shall presume in the 2002 version of SCCM or later!

How do you prepare for the SCCM cloud attach? Start preparing for co-management options.

  • Enable the option “Import data to Intune for cloud console
Import data to Intune for cloud console SCCM Cloud Attach - SCCM Tenant Attach
Import data to Intune for cloud console SCCM Tenant Attach

Introduction

Both tenants attached and co-managed devices will be visible in a single MEMAC console, but they are not the same.

  • Co managed device = SCCM agent + Intune enrolled
  • Tenant attach device = SCCM agent synced to MEM (Not Intune enrolled)

The co-managed device got many more options available in Microsoft Endpoint Manager Admin Center (MEMAC). However, we can expect a lot more features for tenant-attached devices in the MEMAC console in the future. Below are some of the cloud benefits ConfigMgr tenant attach provide:

  • Single Microsoft Endpoint Admin Console (MEMAC) to manage ConfigMgr and intune devices.
  • ATP Integration
  • Helpdesk troubleshooting
  • User Experience Analytics
  • Web front-end CMPivot

Note: Above listed benefits announced in ignite 2019 are not yet available to the public. Only limited features are available at the time of writing. We will discuss some of the features currently available.

Prerequisites

More updated details about prerequisites are given in Microsoft docs.

  • Appropriate access to SCCM infra (Full Admin preferably)
  • Recommended to perform this activity from the Tier 1 server in ConfigMgr Hierarchy (CAS) or standalone primary server
  • Global Administrator account for signing in the Tenant onboarding page (configuration in SCCM).
  • An Azure public cloud environment.
  • The user account triggering device actions has the following prerequisites after the 2103 version of SCCM:
    • Discovered with Azure Active Directory user discovery
    • Or Discovered with Active Directory user discovery
    • The Notify Resource permission under the Collections object class in Configuration Manager.
    • On-Prem user synchronized to azure using AADconnect
  • SCCM server should have access to the below Internet endpoints
    • https://aka.ms/configmgrgateway
    • https://gateway.configmgr.manage.microsoft.com
    • https://us.gateway.configmgr.manage.microsoft.com
    • https://eu.gateway.configmgr.manage.microsoft.com

NOTE! – Permissions for Tenant attached is updated. You don’t need to give permissions to Configuration Manager Microservice https://docs.microsoft.com/en-us/mem/configmgr/tenant-attach/client-details#permissions

SCCM Tenant attach high-level Architecture

There are three components in Tenant Attachment Architecture.

SCCM Tenant Attach Device Sync Architecture - Tenant Attach Guide for SCCM Logs Data Flow Troubleshooting Intune
SCCM Tenant Attach Device Sync Architecture – Tenant Attach Guide for SCCM Logs Data Flow Troubleshooting Intune
  • ConfigMgr agent:
    • The ConfigMgr client communicates with the ConfigMgr server as normal.
    • There is no change. In addition, there is no need to enroll in Intune.
  • ConfigMgr server:
    • ConfigMgr synchronizes devices to Microsoft Endpoint Manager Admin Center (MEMAC).
    • ConfigMgr server receives instructions from Microsoft Endpoint Manager Admin Center (MEMAC) and forwards the instructions to ConfigMgr clients.
    • The ConfigMgr server plays a middleman between Intune and ConfigMgr client.
  • Intune:
    • MEMAC console shows the SCCM Devices synchronized from the SCCM server to Intune.

Note: The entire ConfigMgr database will not be synchronized to Intune in this architecture. It is an on-demand architecture. MEMAC console connects to SCCM only when required or admin initiate action.

How to configure SCCM Tenant Attach?

The configuration required for the tenant attach within the co-management wizard. If you have not enabled the co-management wizard, follow the steps mentioned here.

In Configuration Manager Admin console, go to Administration > Overview > Cloud Services > Co-management.

SCCM Tenant Attach - CoMgmtSettingsProd - Tenant Attach Guide for SCCM Logs Data Flow Troubleshooting Intune
SCCM Tenant Attach – CoMgmtSettingsProd – Tenant Attach Guide for SCCM Logs Data Flow Troubleshooting Intune

Ensure your Azure environment is AzurePublicCloud. Tenant is boarded to azure by signing in using your Global Administrator account.

SCCM Tenant Attach Step by Step Guide
SCCM Tenant Attach Step by Step Guide

Ensure you select the option “upload to MEM admin center.”

Please make sure you select a collection for which you want devices to synchronize. Its recommended to select a test device collection to start with. Also, ensure you exclude the servers managed by ConfigMgr.

Tenant Attach Guide for SCCM Logs Data Flow Troubleshooting Intune
Tenant Attach Guide for SCCM Logs Data Flow Troubleshooting Intune

Tenant attach sync setting has nothing to do with co-management. However, tenant attaches settings are available within the co-management wizard.

Note: I do not have any co-managed devices in my scenario, so I configured it as none for Intune enrollment. It would help if you decided on the configuration based on your scenario.

Tenant Attach Guide for SCCM Logs Data Flow Troubleshooting Intune
SCCM Tenant Attach Step by Step Guide

Below azure AD application gets created automatically after completing the configuration in ConfigMgr. You can see the events for troubleshooting from the log SmsAdminUI.log.

You can see the application name starts with “ConfigMgrSVC_… “

The ConfigMgr server communicates with the cloud using this Azure AD Web application.

Tenant Attach Guide for SCCM Logs Data Flow Troubleshooting Intune
Tenant Attach Guide for SCCM Logs Data Flow Troubleshooting Intune

We completed the configuration. Let us discuss how the ConfigMgr server connects to Intune and uploads the devices.

NOTE! – Let’s add your admin user to this (Configuration Manager Microservice) enterprise app to get appropriate permissions to initiate SCCM actions from Intune portal.

  • CMPivot
  • Run Script
  • Collections
  • etc..

Log Files – Troubleshooting

Let’s see how log files can help troubleshoot the issue with device sync and tenant attach.

ConfigMgr Device Upload to Intune Workflow

GatewaySyncUploadWorker.log :

This log tracks the connectivity between ConfigMgr and Intune. You can use this log to troubleshoot if ConfigMgr devices do not upload to the MEMAC console.

  • ConfigMgr server selects the gateway to upload the device based on the location.
    • For the US the gateway URL is https://us.gateway.configmgr.manage.microsoft.com
    • For Europe gateway URL is https://eu.gateway.configmgr.manage.microsoft.com
  • Next, the ConfigMgr server will authenticate and establish the connection.
  • Once succeeded, the ConfigMgr agent uploads to Intune through the gateway.
  • You can see the ConfigMgr client records uploaded in batch

If you enable verbose logging, a log will tell the bytes written to the network for upload. Based on my testing, this network traffic is less. Moreover, the follow-up device synch will be delta only.

  • The default upload sync interval is 15 min (delta)
  • Response code 200 states the connection between ConfigMgr and Intune is successful
SCCM Tenant Attach Step by Step Guide Troubleshooting 1
SCCM Tenant Attach Step by Step Guide Troubleshooting 22

After successful upload, You can start seeing your ConfigMgr client in the Microsoft endpoint manager admin center console.

Tenant Attach Guide for SCCM Logs Data Flow Troubleshooting Intune
Tenant Attach Guide for SCCM Logs Data Flow Troubleshooting Intune

Until now, we discussed the device upload events from ConfigMgr to intune. Next, let us discuss the workflow from the MEM admin console to ConfigMgr.

Intune to SCCM event workflow

At the time of writing this post, only limited features are available in the MEM admin console for ConfigMgr clients, as listed below

  • Machine policy synch
  • User policy synch
  • Application evaluation
SCCM Tenant Attach Step by Step Guide
SCCM Tenant Attach Step by Step Guide

Let us see what happens when I trigger a machine policy from the MEM admin console. Below are the high-level activities

  1. MEM admin console sent instruction for triggering machine policy to ConfigMgr server
  2. ConfigMgr server receives notification from MEM gateway and authenticates
  3. Forwards as BGB instruction and process
  4. ConfigMgr server sent the notification to the ConfigMgr client
  5. The configMgr client receives the instruction from ConfigMgr server and process

MEM admin console sent the machine policy instruction to the ConfigMgr server. Initially, you can see the status will show pending.

SCCM Device Sync Troubleshooting - Tenant Attach Guide for SCCM Logs Data Flow Troubleshooting Intune
SCCM Device Sync Troubleshooting – SCCM Tenant Attach Guide for SCCM Logs Data Flow Troubleshooting Intune

cmgatewaynotificationworker.log :

This log tracks the events from Intune to ConfigMgr. You can refer to this log while troubleshooting communication between Intune and ConfigMgr.

SCCM Device Sync Troubleshooting
SCCM Device Sync Troubleshooting

ConfigMgr server receives the notification and authenticates the user who initiated the policy from the MEM console.

If user authentication is successful, the ConfigMgr BGB remote task will process further.

SCCM Tenant Attach Step by Step Guide
SCCM Device Sync Troubleshooting SCCM Tenant Attach Step by Step Guide

You may get the below error if the user is not having the necessary ConfigMgr permission as mentioned in the pre-req. Also, If the user is not an on Prem user id and not synchronized to azure, we see the below error.

Unauthorized to perform client action. TemplateID: RequestMachinePolicy TenantId: ed7ef5f4-73f7-4c1d-83de-453635ac145d AADUserID: f91c3e40-4c30-42e0-b0eb-c5663d549b75.

SCCM Tenant Attach Step by Step Guide
SCCM Device Sync Troubleshooting

ConfigMgr processes the BGB notification service. Then sent the notification to the ConfigMgr client.

SCCM Tenant Attach Step by Step Guide
SCCM Device Sync Troubleshooting SCCM Tenant Attach Step by Step Guide

You can also track the ConfigMgr client Machine policy status, which you initiated from the MEM console. The different statuses are Complete or pending or failed, as shown below.

SCCM Device Sync Troubleshooting - Tenant Attach Guide for SCCM Logs Data Flow Troubleshooting Intune
SCCM Device Sync Troubleshooting – Tenant Attach Guide for SCCM Logs Data Flow Troubleshooting Intune

I used the MEM admin portal from my mobile phone for this post to manage the SCCM agent. We could manage my SCCM agent from a mobile web browser. This is a great step.

Resources

Author

Vimal has more than ten years of experience in SCCM device management solutions. His main focus is on Device Management technologies like Microsoft Intune, ConfigMgr (SCCM), OS Deployment, and Patch Management. He writes about the technologies like SCCM, Windows 10, Microsoft Intune, and MDT.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.