This blog will show how I onboarded multiple Microsoft 365 Tenants to the new MMP-C infrastructure (Microsoft Management Platform – Cloud) and explain why this is going to be huge!
Please Note: Using Graph to onboard the tenant to MMP-C is no longer possible, and with the Intune Core feature called Device Inventory doing it for all tenants, I decided to publish this blog.
1. Introduction
Last year, I explained what would happen when you activated Endpoint Privilege Management for your tenant. MMP-C | Microsoft Management Platform Cloud (call4cloud.nl)
In the blog above, I explained that activating EPM and configuring an EPM policy will push a CSP policy to your device when syncing with Intune. This CSP policy will trigger a Linked Enrollment/Dual Enrollment, and your device will get a second enrollment. The first and, for now, the main enrollment is Intune Enrollment. The Second enrollment is the MMP-C AKA Declared Configuration Enrollment. This Enrollment will be “linked” to your Intune Enrollment. This linked enrollment mainly uses the declared configuration service (dcsvc) to sync the policies to your device.
For now, “only” the EPM policies are being configured using this service. The Declared Configuration service is a great improvement compared to the old OMA-DM client, which was built for mobile phones a long time ago. The WinDc service is faster, more reliable and more secure. Did I already tell you that it was faster?
So, I was wondering if I could trigger my device to get a linked enrollment to MMP-C without having EPM and an EPM policy applied.
2. Onboarding a Client to MMP-C
Besides the blog I wrote about what was happening in the background when you activated EPM, I also explained how you could kickstart this on your turf. (Don’t use this in prod… please don’t, as it is not an officially supported Microsoft method, more like a supported Rudy method.)
EPM Enrollment | DeviceHealthMonitoring | Error | MMP-C (call4cloud.nl)
When we need to kickstart the MMP-C enrollment on our own, we need to use the localmdm PowerShell tool. To be sure the linked enrollment will be targeted at the proper enrollment, we need to change the enrollment type to match the localmdm one (14 instead of 6).
From there on, we need to fire off the local MDM request to start the actual dual enrollment.
As shown above, after firing off the localmdm request, I got a 200 response, and everything seemed fine until I opened the event log.
In the device management event log, I noticed the error that mentioned it failed to enroll MMP-C for dual enrollment because of an Invalid Request (400). It is almost as if my tenant isn’t onboarded to MMP-C? Maybe a small side note, but I don’t have EPM! But? Damn… I just want all my devices to get a linked/dual enrollment into MMP-C. What can we do about that?
3. EndpointPrivilegeManagementProvisioningStatus
I opened Fiddler, started browsing the Intune Portal, and tried to open Endpoint Privilege Management. At this moment, I could not create a new EPM policy as it was greyed out.
The moment I opened the Endpoint Privilege Management page, I noticed that Fiddler was trying to reach out to a certain graph URL: https://graph.microsoft.com/beta/deviceManagement/endpointPrivilegeManagementProvisioningStatus
As shown above, the endpointPrivilegeManagementProvisioningStatus graph command shows us that the value of “onboardedtomicrosoftmanagedplatform” = False. I guess we have a challenge here because I want it enabled without the EPM requirement. But is an EPM license a requirement for enrolling our devices to MMP-C? Suddenly, I remembered a specific slide I presented at MMSMOA 2023. (It was a great summit and a unique experience!) This is the slide in question!
When EPM launched, the corresponding graph documents were also published. These documents showed us how to enable EPM with the power of Graph and retrieve the EPM provisioning status.
Unfortunately, this graph page was removed from the face of the earth, and every trace of it is gone. Even the Google archive isn’t showing it. Luckily for me, we always have the Docs Update Tracker. After spending some time trying to find the deleted graph page on GitHub, I found this.
This part mentions how we could EnableEndpointPrivilegeManagement with Graph. If we look closely at the description, things will get interesting: “Triggers onboarding of tenant to Microsoft Managed Platform Cloud (MMPC).”
Okay, okay… that sounds interesting, and when I looked at the provisioning status parts, I became a little bit more enthusiastic.
Default: The OnboardedToMicrosoftManagedPlatform default value is set to False. What will happen if that value is set to true? Let’s find out, shall we?
4. Onboarding your tenant to MMP-C
After copy-pasting the removed graph EPM pages and making sure the layout is all right, it mentions that we only need to perform a POST command to a specific graph URI.
I logged in to the Graph Explorer and, by performing a “patch”, gave the user the required permissions, as mentioned above.
After the proper permissions were given, I first checked the “onboardedtomicrosoftmanagedplatform” value to make sure it was set to false.
Once I had confirmed it was set to false, I copy-pasted the URI (https://graph.microsoft.com/beta/deviceManagement/enableEndpointPrivilegeManagement) and selected the POST command.
It took a couple of seconds of waiting, but it finally gave me this response:
Okay? I was expecting more, but then again, what do I know? To find out if something changed, I tried fetching the provisioning status again.
As shown above!!! Okay… My Microsoft 365 tenant was now onboarded to MMP-C, and the value was set to true.
If you don’t believe me, I also recorded a short video showing you the same simple steps I took to onboard a brand new dev tenant to MMP-C.
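The same check/POST/re-check sequence as a script, using the Microsoft Graph PowerShell SDK. This is an added example, not code from the original post; the permission scope name is my assumption (the post only says “the required permissions”), and, as noted at the top of the post, the POST endpoint no longer works, so the script treats a failed POST as informational.

```powershell
# Added example (not from the original post): read the tenant's MMP-C onboarding
# state, fire the POST the post describes, and re-read the state afterwards.
# Assumption: DeviceManagementConfiguration.ReadWrite.All is sufficient; the post
# does not name the exact permission it granted.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$statusUri = 'https://graph.microsoft.com/beta/deviceManagement/endpointPrivilegeManagementProvisioningStatus'
$enableUri = 'https://graph.microsoft.com/beta/deviceManagement/enableEndpointPrivilegeManagement'

function Get-MmpcOnboardingState {
    # Invoke-MgGraphRequest returns a hashtable; pull the one property we care about.
    $status = Invoke-MgGraphRequest -Method GET -Uri $statusUri
    [bool]$status.onboardedToMicrosoftManagedPlatform
}

$before = Get-MmpcOnboardingState
Write-Host "onboardedToMicrosoftManagedPlatform before: $before"

if ($before) {
    Write-Host 'Tenant is already onboarded to MMP-C; nothing to do.'
}
else {
    # Tenant-wide change: every device that syncs afterwards starts a linked
    # enrollment, so ask before firing it.
    if ((Read-Host 'Onboard this tenant to MMP-C? (y/N)') -eq 'y') {
        try {
            Invoke-MgGraphRequest -Method POST -Uri $enableUri | Out-Null
        }
        catch {
            # Expected today: the endpoint has been retired (see the note at the top of the post).
            Write-Warning "POST failed: $($_.Exception.Message)"
        }
        Start-Sleep -Seconds 10   # the post saw a short delay before the status flipped
        $after = Get-MmpcOnboardingState
        Write-Host "onboardedToMicrosoftManagedPlatform after: $after"
    }
}

Disconnect-MgGraph
```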
Once the tenant was onboarded to MMP-C, it was time to trigger the LinkedEnrollment CSP to enroll our device.
5. What it did
Before I kicked off the linked enrollment CSP with the localmdm tool once again, I made sure my device could successfully sync with Intune. After the Intune sync was complete, I opened a PowerShell -mta session in the system context and copied and pasted the localmdm command.
As expected, we got the 200 status in return. From there on, I opened the event log and started checking out the device management event log.
Huh… Huhhh? And Huhhhhhhh? It failed to enroll MMP-C for dual enrollment mode. The result: the device is already registered! Didn’t I do anything?
When scrolling down the event log, it became clear that the device was indeed already enrolled into MMP-C, but without me doing anything.
From there on, I opened our RMM tool and executed a remote PowerShell session on some of the devices that were also enrolled into the same tenant. Guess what? All of those devices were also enrolled into MMP-C! The devices that weren’t were either not turned on or waiting for a sync, as it seemed. After performing a remote sync to those devices, they also kicked off the linked enrollment!
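To check the same thing on a device without scrolling through the event log by hand, the script below lists every MDM enrollment on the machine with its enrollment type, pulls the dual-enrollment messages from the device management event log, and shows the state of the declared configuration service (dcsvc) the linked enrollment relies on. This is an added example, not code from the original post; the registry path and event log name are the standard Windows MDM locations, and the “dual enrollment|MMP-C” message filter is my assumption based on the messages quoted in the post. Run it elevated (or in the system context, as the post does).

```powershell
# Added example (not from the original post): show Intune and linked MMP-C enrollments
# side by side and surface the dual-enrollment events the post describes.
$enrollRoot = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
$logName    = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

function Get-DeviceEnrollments {
    # One object per enrollment GUID; a linked MMP-C enrollment shows up as a
    # second entry next to the Intune one, with its own EnrollmentType.
    Get-ChildItem $enrollRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^[0-9A-Fa-f-]{36}$' } |
        ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                EnrollmentId   = $_.PSChildName
                EnrollmentType = $p.EnrollmentType
                ProviderID     = $p.ProviderID
                DiscoveryUrl   = $p.DiscoveryServiceFullURL
            }
        }
}

function Get-DualEnrollmentEvents {
    param([int]$Hours = 24)
    # Assumption: the relevant messages contain "dual enrollment" or "MMP-C",
    # as in the errors quoted in the post.
    Get-WinEvent -FilterHashtable @{
        LogName   = $logName
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'dual enrollment|MMP-C' } |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

Get-DeviceEnrollments | Format-Table -AutoSize
Get-DualEnrollmentEvents | Format-List

# The declared configuration service the linked enrollment uses for policy sync.
Get-Service -Name dcsvc -ErrorAction SilentlyContinue | Select-Object Name, Status, StartType
```

Running this across a fleet (for instance through the RMM remote session mentioned above) gives a quick inventory of which devices already carry the linked enrollment and which are still waiting for a sync.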
6. The “why”
So, it seems that we can kick off our tenant’s onboarding to MMP-C on our own, but what if Microsoft changes the default setting to true? Why should Microsoft do such a thing? Let me give you a good summary so you can draw your own conclusions!
The MMP-C infrastructure and the WinDc Windows components are amazing and way better than the old-school stuff we are still stuck with. It’s more reliable, efficient, secure, and faster. Even our Linux machines and workgroup devices could use the MMP-C infrastructure (MDE-Attach)!
It’s a shame that only Endpoint Privilege Management relies on this amazing infrastructure right now. It would be fantastic if Microsoft used MMP-C / WinDC for all Intune-related policies!!! Let me just put a big smiley here 🙂 It seems Microsoft took the first step with Device Inventory!
As mentioned in the blog above, with Device Inventory hitting the streets, ALL devices will get a dual enrollment and with it ALL tenants will be onboarded to the MMP-C infrastructure!
Conclusion
With a simple POST command (it’s not working anymore), I onboarded my tenant to MMP-C. With device inventory now being rolled out, all tenants will be linked to the MMP-C infra!