Rollup update for Tenant attach – Run scripts

Microsoft released an in-console update (KB4580678) that helps you to enables the Run scripts feature from the Microsoft Endpoint Manager admin center (Intune) and is now available to the customers who have enabled the tenant attach in Configuration Manager. This update also resolves other tenant attach related issues and is a prerequisite to use the Run scripts feature from the admin center (Intune).

If you have not yet started the tenant attach process, please start now https://docs.microsoft.com/en-us/mem/configmgr/tenant-attach/ and take actions of your devices from mobile anywhere without accessing the configuration manager console.

Along with enabling the run script features from MEM admin center, it also fix the following issues:

  • Features, such as Scripts, in the admin center do not appear for users that are assigned to all security scopes but are not full administrators.
  • Internet-based links to approve or deny user application requests via email fail in Microsoft Endpoint Configuration Manager current branch, version 2006. This occurs for internet-based clients managed with a cloud management gateway (CMG).
    The administrator will receive an HTTP Error 400 when clicking the email link. Note that requests can still be approved using the Configuration Manager console, or other channels such as WMI that rely on the Configuration Manager administration service.
  • The online status listed for devices on the internet connecting via a cloud management gateway (CMG) in the Configuration Manager console may be incorrect. This occurs when the CMG connection point is co-located with the service connection point, and the management point is co-located with the SMS provider.

This update is only available to customers who have enabled the tenant attach process and must be running on build version 2006.

After the installation of the update, you don’t need to restart the server.

If you have any secondary sites, you need to update them by right click on the site and choose recover the secondary site.

Alternatively, you can also check the status of your secondary sites using the SQL query.

select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')

If the value 1 is returned, the site is up to date, with all the hotfixes applied on its parent primary site.

If the value 0 is returned, the site has not installed all the fixes that are applied to the primary site, and you should use the Recover Secondary Site option to update the secondary site.

How to run the scripts using MEM Admin center?

Launch https://endpoint.microsoft.com, Select Devices then All Devices.

Select a device that is synced from Configuration Manager via tenant attach.

Click on scripts (preview)

You will see all the scripts that were directly targeted the device. If you have run the scripts against a specific collection where device is member of, won’t be shown here.

As you can see, I ran 2 scripts on a device that were recently executed.

User can now select the script and initiate it from the web directly.

It would nice to have list all scripts that are available in Configuration manager based on the RBAC for the user to be shown for each device so user can pick the script and run if needed instead of showing only the scripts that ran already.

For more information about pre-req, permissions for run scripts, please refer https://docs.microsoft.com/en-us/mem/configmgr/tenant-attach/scripts

Troubleshooting the client details in the admin center for tenant attach, please refer https://docs.microsoft.com/en-us/mem/configmgr/tenant-attach/troubleshoot-client-details

Leave a Reply