Use Intune RBAC for tenant attach with Configuration Manager Technical Preview 2106
Published Jun 24 2021 12:13 PM 13.7K Views

Update 2106 for the Technical Preview Branch of Microsoft Endpoint Configuration Manager has been released.


You can use Intune role-based access control (RBAC) when displaying the Client details page for tenant attached devices in the Microsoft Endpoint Manager admin center. When using Intune as the RBAC authority, a user with the Help Desk Operator role  doesn't need an assigned security role or additional permissions from Configuration Manager. Currently, the Help Desk Operator role can display only the Client details page without additional Configuration Manager permissions.

Screenshot of RBAC settingScreenshot of RBAC setting

For more information, see Intune role-based access control for tenant attach


This preview release also includes:

Convert a CMG to virtual machine scale set - Starting in current branch version 2010, you could deploy the cloud management gateway (CMG) with a virtual machine scale set in Azure. This support was primarily to unblock customers with a Cloud Solution Provider (CSP) subscription. In this release, any customer with a CMG that uses the classic cloud service deployment can convert to a virtual machine scale set.


Implicit uninstall of applications - Many customers have lots of collections because for every application they need at least two collections: one for install and another for uninstall. This practice adds overhead of managing more collections and can reduce site performance for collection evaluation. Starting in this release, you can enable an application deployment to support implicit uninstall. If a device is in a collection, the application installs. Then when you remove the device from the collection, the application uninstalls.


Microsoft .NET requirements - Configuration Manager now requires Microsoft .NET Framework version 4.6.2 for site servers, specific site systems, clients, and the console. Before you run setup to install or update the site, first update .NET and restart the system. If possible in your environment, install the latest version of .NET version 4.8. For more information, see Microsoft .NET requirements.


Audit mode for potentially unwanted applications - An Audit option for potentially unwanted applications (PUA) was added in the Antimalware policy settings. Use PUA protection in audit mode to detect potentially unwanted applications without blocking them. PUA protection in audit mode is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives.


External notifications - In a complex IT environment, you may have an automation system like Azure Logic Apps. Customers use these systems to define and control automated workflows to integrate multiple systems. You could integrate Configuration Manager into a separate automation system through the product's SDK APIs. But this process can be complex and challenging for IT professionals without a software development background.


Starting in this release, you can enable the site to send notifications to an external system or application. This feature simplifies the process by using a web service-based method. You configure subscriptions to send these notifications. These notifications are in response to specific, defined events as they occur. For example, status message filter rules. When you set up this feature, the site opens a communication channel with the external system. That system can then start a complex workflow or action that doesn't exist in Configuration Manager.


List additional third-party updates catalogs - To help you find custom catalogs that you can import for third-party software updates, there's now a documentation page with links to catalog providers. Choose More Catalogs from the ribbon in the Third-party software update catalogs node. Selecting More Catalogs opens a link to a documentation page containing a list of additional third-party software update catalog providers.


Management insights rule for TLS/SSL software update points - Management insights has a new rule to detect if your software update points are configured to use TLS/SSL. To review the Configure software update points to use TLS/SSL rule, go to Administration > Management Insights > All Insights > Software Updates.


Renamed Co-management node to Cloud Attach - To better reflect the additional cloud services Configuration Manager offers, the Co-management node has been renamed to the Cloud Attach node. Other changes you may notice include the ribbon button being renamed from Configure Co-management to Configure Cloud Attach and the Co-management Configuration Wizard was renamed to Cloud Attach Configuration Wizard.


Improvements for managing automatic deployment rules - The following items were added to help you better manage your automatic deployment rules:

  • Updated Product parameter for New-CMSoftwareUpdateAutoDeploymentRule cmdlet
  • A script (available in community hub) to apply deployment package settings for automatic deployment rule

New prerequisite check for SQL Server 2012 - When you install or update the site, it now warns for the presence of SQL Server 2012. The support lifecycle for SQL Server 2012 ends on July 12, 2022. Plan to upgrade database servers in your environment, including SQL Server Express at secondary sites.


Console improvements

In this technical preview we've made the following improvements to the Configuration Manager console:

  • Shortcuts to status messages were added to the Administrative Users node and the Accounts node. Select an account, then select Show Status Messages.
  • You can now navigate to a collection from the Collections tab in the Devices node. Select View Collection from either the ribbon or the right-click menu in the tab.
  • Maintenance window column was added to the Collections tab in the Devices node.
  • If a collection deletion fails due to scope assignment, the assigned users are displayed.


Client encryption uses AES-256 - Starting in this release, when you enable the site to Use encryption, the client uses the AES-256 algorithm. This setting requires clients to encrypt inventory data and state messages before it sends to the management point. For more information, see Plan for security - signing and encryption.


PowerShell release notes preview - These release notes summarize changes to the Configuration Manager PowerShell cmdlets in technical preview version 2106.


For more details and to view the full list of new features in this update, check out our Features in Configuration Manager technical preview version 2106 documentation. 


Update 2106 for Technical Preview Branch is available in the Microsoft Endpoint Configuration Manager Technical Preview console. For new installations, the 2106 baseline version of Microsoft Endpoint Configuration Manager Technical Preview Branch is available on the Microsoft Evaluation Center. Technical Preview Branch releases give you an opportunity to try out new Configuration Manager features in a test environment before they are made generally available.


We would love to hear your thoughts about the latest Technical Preview!  Send us feedback about product issues directly from the console and continue to share and vote on ideas about new features in Configuration Manager.



The Configuration Manager team


Configuration Manager Resources:

Documentation for Configuration Manager Technical Previews

Try the Configuration Manager Technical Preview Branch

Documentation for Configuration Manager

Configuration Manager Forums

Configuration Manager Support

1 Comment
Version history
Last update:
‎Jun 24 2021 12:51 PM
Updated by: