Better Together

Better Together

Like fish and chips, peanut butter and jelly, and rhythm and blues, Configuration Manager (ConfigMgr) and Azure are, in fact, Better Together. For this reason, Microsoft created a new product suite, Microsoft Endpoint Manager (MEM). This suite unifies ConfigMgr, Intune, and a handful of newer, Azure-based technologies and services including the following short-list:

  • Cloud management gateway
  • Co-management
  • Tenant Attach
  • Endpoint Analytics
  • Desktop Analytics
  • Autopilot

Unify, at this point, means deeper integration of the technologies and products. It also means increasing the collaboration of the teams and resources involved in building them. It doesn’t explicitly indicate that the products and technologies are merging at a technical level, though.

While none of these features is explicitly required and your organization can successfully manage your Windows estate without them, these Azure-based features will improve your overall management capabilities and introduce quite a few new functions. Additionally, Microsoft is continuing to iterate and build upon each of these features to keep improving them. This brings further value to customers and their management experience. The following is a brief description of each of these Azure-based features and how they improve ConfigMgr and Windows management in general.

Cloud Management Gateway

Cloud Management Gateway

The cloud management gateway (CMG) extends your ConfigMgr hierarchy’s management to systems connected across the Internet. It does this by proxying client traffic through a service hosted in Azure back to your on-premises ConfigMgr site. Adding a CMG to a site extends nearly all of ConfigMgr’s on-premises management capabilities to your Internet-based clients. These capabilities include (but are not limited to) the following1Two notable features missing from this list include remote control and BitLocker management. Both are in the works, though, and should make it to a production build soon.:

  • Windows and software updates
  • Software distribution
  • Inventory
  • Scripts
  • CMPivot

The CMG does this without adding or requiring any additional on-premises infrastructure. All that is needed is connectivity to Azure and an Azure subscription2As with nearly all Azure services, CMG has a cost. In general, this cost is nominal, though, and far less than adding and maintaining the equivalent components on-premises. See the official documentation on Cost or this blog post: Real-world costs for using a Cloud Management Gateway (CMG) with ConfigMgr..



Co-management enables the dual, simultaneous management of your Windows 10 systems by both ConfigMgr and Intune. Co-management enables the best of both worlds for managing your Windows 10 systems by allowing you to pick the authority for specific workloads, including Windows updates, endpoint protection, and Microsoft 365 app management. Because Intune is a service running from the ever-present Azure, you can use it to keep tabs on your managed systems wherever they are. You can also send specific commands like wipe and reset that are only valid from a mobile device management (MDM) system like Intune.

In and of itself, co-management is not meant to be a remote management solution for your Internet-connected systems. It works best with a CMG in-place to deliver ConfigMgr policies to your Internet-based managed Windows 10 systems. This is not strictly required, but some scenarios are problematic without a CMG in place. Also, co-management does not connect your ConfigMgr site to Intune or vice-versa; it connects managed clients to both Intune and ConfigMgr.

Tenant Attach


Tenant attach connects your ConfigMgr site to Azure. By doing this, it makes ConfigMgr functionality and your site’s data available and accessible from the Azure-based MEM portal. Tenant attach is essentially an extension of your on-premises ConfigMgr admin console and its capabilities. It is not a full replacement for the ConfigMgr admin console, but it enables you to manage particular ConfigMgr-based administrative workflows using the MEM portal.

Initial tenant attach functionality includes standard client notification functionality like policy synchronization and application evaluation and surfaces some basic device information like collection membership. Tenant attach also exposes CMPivot and Scripts in the latest technical previews.

Endpoint Analytics


The newest service to complement and add value to ConfigMgr is Endpoint Analytics. Endpoint Analytics collects information from client systems relevant to the end-user experience, including bluescreens, application crashes, and boot times (to name just a few). It then surfaces this information in the MEM admin console to aid in proactive and correlative issue identification and remediation. Endpoint Analytics shows this collected information in an interactive timeline for managed devices. It also assigns organizational scores based on the overall results. The service then compares these scores against baseline scores derived from other organizations using the service. From this score and the data collected, it offers suggestions for improving the management of systems and the overall end-user experience.

To aid with proactive remediation, Endpoint Analytics also offers PowerShell based proactive script deployment. This feature is similar in nature and functionality to configuration items and baselines in ConfigMgr. Included in the service are scripts created by Microsoft to address pervasive or common Windows issues.

Desktop Analytics


Desktop Analytics is the successor to Windows Analytics. Desktop Analytics aims to provide information to admins so that they can intelligently deploy Windows upgrades and feature updates. It uses standard telemetry information submitted by your managed Windows devices and exposes that data to you in Azure including the following items:

  • Systems and their Windows versions
  • Application inventory, stability, and Windows 10 compatibility
  • Device hardware
  • Windows update inventory (including both security and feature updates)

In addition to exposing this information, Desktop Analytics uses this same information to enable intelligent, piloting, and tracking feature update deployment. It does this by identifying systems based on device hardware and important applications. From this, it forms a complete representative sample3Each organization individually defines which applications are important to them.. You can then leverage this representative sample of systems directly in ConfigMgr to deploy the desired feature update. It also provides cloud-sourced information on application compatibility as well as application stability post-upgrade.


Autopilot enables simple provisioning of new or reset Windows systems and includes the following activities:

  • Azure or hybrid Azure Active Directory domain join
  • Basic Windows configuration, including EULA acceptance, privacy settings, and user account type.
  • Enrollment in an MDM (Intune in typical scenarios)

Autopilot uses unique system identifiers that associate each system with an organization. OEMs and device vendors are typically responsible for registering the devices before delivery to an organization. This association enables the drop-shipment of systems directly to end-users by the vendor.

Autopilot is not an imaging or reimaging solution. It uses the OS currently loaded on a system; that OS instance must be in a newly provisioned state though just as it is when shipped from an OEM or vendor or reset to factory settings.

In and of itself, Autopilot doesn’t perform a significant amount of configuration; it is a gateway to system configuration by enrolling the device into an MDM (Intune), which is responsible for completing the configuration of the system including deploying policies and software.


Better Together is the clear direction, in both the short and long-term, from Microsoft for ConfigMgr and MEM. Our investment in ConfigMgr, our continued commitment to customer satisfaction, and our desire to increase and improve the Windows management capabilities in ConfigMgr are renewed and reinforced with each new release. Bringing the power of the cloud to ConfigMgr continues this trend.


1 Two notable features missing from this list include remote control and BitLocker management. Both are in the works, though, and should make it to a production build soon.
2 As with nearly all Azure services, CMG has a cost. In general, this cost is nominal, though, and far less than adding and maintaining the equivalent components on-premises. See the official documentation on Cost or this blog post: Real-world costs for using a Cloud Management Gateway (CMG) with ConfigMgr.
3 Each organization individually defines which applications are important to them.
Cloud Management Gateway Choices

Next Article

Cloud Management Gateway Choices

One way that a CMG is more complicated though is in the multiple possible requirements choices that you can use to fulfill the prerequisites. If you're not paying attention to the details in the official documentation, it's pretty easy to confuse the requirements, mistakenly conflate them, or miss an important condition.

No Comments