Cloud Attach Your Future - Part II - "The Big 3"
Published Oct 06 2020 12:20 PM 26K Views

When the global pandemic started, we were all thrust into the new (and very lightly explored) territory of managing devices remotely 100% of the time. Of course, everyone rushed to their VPN solution, only to uncover new obstacles and even bigger challenges they had never anticipated.

As I talk to customers and listen to how their management of the Windows estate has changed, I am always surprised by how often the "Big 3" are missing:

  1. Cloud management gateway (CMG)
  2. Tenant attach
  3. Co-management

These are the essential features that you need NOW as you continue to modernize and streamline your management solution.


Let's talk about why those capabilities are so important.

As an IT pro for fifteen years, seven of them here at Microsoft, I know that the thing on everyone’s mind is: "How do I make changes with minimal-to-no disruption?" while also "marching towards that north star of cloud management?" That is a great goal and a very tight line to walk. It is the reason you should LOVE the "Big 3": used together, they provide the fastest path to cloud management without disruption or added risk.


Now, to be clear, the Big 3 are excellent, but I wouldn’t be doing anyone any favors if I failed to mention that their foundation is identity with Azure Active Directory. With any cloud solution, identity for both the user and the device is essential, and I would argue critical. When you cloud-attach, you connect Configuration Manager with Azure Active Directory, which both simplifies and strengthens the authentication used by the Big 3 (for example, a hybrid Azure AD-joined device can authenticate to a CMG with its Azure AD device identity instead of a client certificate). Onboarding your Configuration Manager site to your organization’s Azure Active Directory tenant is the foundation on which cloud-attach is built.


There is no predetermined order in which you need to enable the Big 3. Thinking with the customer side of my brain, I would start with the biggest value, and that means starting with CMG is a no-brainer, especially in this work-from-anywhere, manage-from-everywhere new normal. CMG gives your organization immediate value and instant cloud transformation because your clients keep using the workflows and processes you have already established.


Second, I would enable tenant attach for the immediate value of having your device records in the cloud and being able to take actions on those devices from the cloud console. Finally, co-management brings huge value by enabling Conditional Access and by letting you move workloads that Configuration Manager manages today to Intune, one workload at a time.


Each of the Big 3 brings a ton of cloud value. Let me highlight some of my favorite capabilities of each, the ones that give you the biggest value and the fastest path to the cloud with the smallest amount of effort.


Cloud management gateway

IT pros are all coping with, or reacting to, how different it is to manage devices that no longer enter the corporate network. The challenge that very quickly follows is how to minimize the management traffic flowing through the VPN. Management traffic over the VPN can be overwhelming; the truth is that very few of us knew how much of it there was until work-from-anywhere made it painfully visible. Frankly, there is no need for this traffic to pass over the VPN at all. By enabling CMG, you minimize the management traffic coming over the VPN and free up bandwidth for the business-critical traffic that genuinely does need to reach on-premises resources. With a CMG you maintain line of sight to your devices wherever they are on the internet, so all your established processes and practices continue, business as usual. That lets you keep on top of software deployments and device configuration and, more crucially, software updates and patch compliance, which are exactly the things that slip when a device sits off the network for weeks.


Implementing a CMG can be done with no disruption and no additional risk: the on-premises CMG connection point only makes outbound connections to the CMG service in Azure, so you do not open inbound ports or publish any on-premises server to the internet. It provides vast amounts of immediate cloud value to any organization and, thanks to recent feature improvements, it can be done very easily too. Client certificates issued by an enterprise PKI remain the most secure and recommended client authentication mechanism. Still, Azure Active Directory authentication (for Azure AD-joined or hybrid-joined devices) and the token-based authentication added in Configuration Manager current branch version 2002 and later remove the need to deploy additional, often complex, infrastructure in order to manage existing (and sometimes legacy) Windows devices over the internet.


As noted above, CMG is the first thing I recommend any company set up, as soon as possible, if you currently run Configuration Manager on-premises. Without a CMG, your organization is rapidly falling behind on the journey to cloud management.


Tenant attach

After cloud management gateway, the next feature I would look to enable is tenant attach. This is a fantastic way to extend your on-premises management by attaching to the cloud, and it is genuinely exciting to see the investment being made in Microsoft Endpoint Manager, both on-premises and in the cloud.


Notice in the screenshot below that I am getting real-time data from Configuration Manager on-premises, including clients connected from the internet over CMG. Let that sink in… cloud-attaching your existing Configuration Manager estate is truly management from virtually anywhere: you can manage devices anywhere on the internet, from anywhere, using the cloud console. Even from a phone.


In this console I can see whether the device is co-managed, the boundary groups the device belongs to, whether the device is online, and much more. What you should take away from the screenshot is the frictionless union of on-premises and cloud. While working in the cloud console, you still take advantage of the investments you already have in your on-premises infrastructure. Keep in mind that there is no disruption when you set this up, and you don’t have to recreate configuration in the cloud to have it available to your management estate.


You have got to leverage cloud-attach to extend and supercharge your investments on-premises to the cloud!




Figure 1: When you cloud-attach, the Microsoft Endpoint Manager admin center shows real-time data from Configuration Manager and enables you to manage your devices from virtually anywhere.


Not only does tenant attach bring existing management into the admin center, there are also features that exist only when you are cloud-attached, such as Endpoint Analytics and the brilliant new Timeline, which shows the events that have occurred on a device in order to improve your helpdesk’s troubleshooting experience.




Figure 2: The Timeline view shows events that have occurred on a device to improve the troubleshooting experience of your helpdesk.



Co-management

One common misconception is that co-management is just about migration. In reality, co-management is about digital transformation without the need to go through a huge migration effort. I mean, we all remember how much fun that ConfigMgr 2007 to 2012 migration was, right?

Conditional Access is one of the most rapidly adopted services today, and you simply can’t beat how easy and straightforward it is to enable by using co-management: once the device is enrolled in Intune, its compliance state is reported to Azure Active Directory, and that is what Conditional Access policies evaluate. But that’s not the only reason for using co-management. I’m sure you’ve noticed a recurring theme here: immediate value. Co-management also helps with device provisioning, device actions, and managing individual workloads, and it does so immediately.


A lot of customers ask me about device provisioning from the cloud, and we always end the conversation with the action to go turn on co-management. Provisioning devices can be a complex and daunting task for many organizations, and enabling co-management together with Autopilot completely transforms and simplifies the process. The exciting piece for customers is when the Configuration Manager agent installs from the cloud (it is deployed as an Intune app during Autopilot) and the device is effortlessly transformed into the corporate standard. This all happens over the air, without the device needing to come on-premises or connect to VPN, while still leveraging your existing application investments in Configuration Manager. Mind-melting, isn’t it?!


Co-management also lets you simplify your management by moving workloads to Intune, one at a time.


As with any of the Big 3, there’s no one size fits all; digital transformation is about using the cloud where it brings your organization the most business value. It’s pretty awesome to be able to control your transformation! When you cloud-attach with co-management you control when you transform and which workloads you transform, and you can pilot a workload with a collection of devices before switching it for everyone. From the screenshot below you can see the workloads being managed from the cloud for the specific device, the client health, and the last time the device communicated. There are lots of good insights here that you should use to drive your transformation.




Figure 3: The co-management area shows you the device’s workloads being managed in the cloud, client health, and the last time the device communicated.


To summarize, there are some really simple steps you can take to get huge amounts of cloud value in your existing Configuration Manager environment, without the need to migrate, move, or otherwise cause disruption within your environment. The mantra here is “transformation not migration.”


Below are my exec-level value props for each of the Big 3.

  • CMG: Extend Windows device management to the internet and resolve VPN contention, without disruption to current workflows, without added on-premises infrastructure to manage, and with no additional risk (no inbound ports are opened to your network).
  • Tenant Attach: This is the simplest way to add value by extending the investment in your on-premises environment to the cloud without recreating net new configuration. Gain actions and insights to devices on-premises or off-premises from the Microsoft Endpoint Manager admin center.
  • Co-Management: Enable features in the cloud. Bring new functionality such as Conditional Access for immediate cloud value, or begin to transition existing workloads to the cloud at your own pace.

Have questions? Join our Ask Microsoft Anything (AMA) event this Thursday, October 8th from 8:00-9:00 a.m. Pacific Time in the Microsoft Endpoint Manager community!




Danny Guillory Jr
Senior Program Manager

