Customizing Windows 10 – Office 365 using Intune Administrative Templates

Microsoft recently released a preview of the Administrative Templates for Windows 10 in Intune. These Administrative Templates can be found in the Windows 10 Device Configuration profiles. In addition to Office settings, you can also customize Internet Explorer, OneDrive, and other Windows settings.

This post will show how we can easily change some Office 2016 settings on a Windows 10 machine with Office 365 installed that is Intune enrolled and Azure AD joined. I will set some example settings, but feel free to check out any other settings that may interest you.

To configure the Administrative Templates, open the Azure portal (portal.azure.com), go into the Intune section, then Device configuration > Profiles > Create profile.

o365_admintemplates_01

Give the profile a meaningful name, and select Windows 10 and later for the platform. For the profile type, select Administrative Templates (Preview) then click on Create.

o365_admintemplates_02

Now, in our new Administrative Templates (Preview) device configuration profile, click on Settings to view all of the settings that we can configure. I would suggest going through all of these settings, as there may be others you want to configure. The list will most likely be extended with new settings in future as well.

In my example I have searched for Office to filter the settings for Microsoft Office.

o365_admintemplates_03

If you click on one of the settings, it will take you to that setting with its description and the option to enable or disable it. For example, I have chosen to enable the setting to hide the option to enable or disable updates.

o365_admintemplates_04

I am going to go ahead and enable some other settings. The settings I have enabled are shown below.

o365_admintemplates_05

Once the settings are configured, as usual you need to assign the profile to a group. I have chosen to assign this to All Devices in my example; in production you would normally pilot it against a smaller device group first.

o365_admintemplates_06

Now, on my example Windows 10 machine (Intune enrolled, Azure AD joined, with Office 365 installed), after doing a sync:

You can see that Enable Automatic Updates is enabled, Hide option to enable or disable updates is enabled, and the update branch is set to Current, as per my settings in the Administrative Templates.

o365_admintemplates_07

Matching the registry values above, the Disable Updates option under Update Options on the Office account page has now been removed as well.

o365_admintemplates_08
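As an added example (not part of the original post), the following PowerShell reads back the same values from the client rather than relying on a screenshot, so it can be run after a sync on a device that should have received the profile. It assumes the ADMX-backed Office settings land under the key the Office Group Policy templates use, HKLM\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate, and that the three settings enabled in this post are the ones being checked.

```powershell
# Added example: verify the Office update policy values the Intune Administrative
# Templates profile is expected to set. Assumption: the ADMX-backed settings are
# written to the same key the Office Group Policy templates use.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate'

# Expected values for the settings enabled in this post.
$expected = @{
    enableautomaticupdates   = 1          # Enable Automatic Updates = Enabled
    hideenabledisableupdates = 1          # Hide option to enable or disable updates = Enabled
    updatebranch             = 'Current'  # Update branch = Current
}

function Test-OfficeUpdatePolicy {
    param([string]$Key = $policyKey, [hashtable]$Expected = $expected)

    if (-not (Test-Path $Key)) {
        Write-Warning "Policy key $Key does not exist - the profile has not applied (or targets a different Office version)."
        return $false
    }

    $actual = Get-ItemProperty -Path $Key
    $ok = $true
    foreach ($name in $Expected.Keys) {
        $value = $actual.$name
        if ($null -eq $value) {
            Write-Warning "$name is not set (expected $($Expected[$name]))"
            $ok = $false
        } elseif ("$value" -ne "$($Expected[$name])") {
            Write-Warning "$name is '$value', expected '$($Expected[$name])'"
            $ok = $false
        } else {
            Write-Host "$name = $value (OK)"
        }
    }
    return $ok
}

if (Test-OfficeUpdatePolicy) {
    'Office update policy matches the Intune profile.'
} else {
    'Office update policy does not match - run an Intune sync and check the MDM diagnostic report.'
    exit 1
}
```

Because it exits non-zero on a mismatch, the same script can be pushed as an Intune PowerShell script to flag devices where the profile has not applied.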


Intune – Win32 app Deploying BGInfo

Microsoft released a preview back in October 2018 for deploying Win32 applications through Intune. I wanted to deploy BGInfo to some Windows 10 machines that were enrolled in Intune and joined to Azure AD with a simple method, so I chose to try out the Win32 apps preview in Intune. It turned out to be really easy, and got the job done.

This post will show how to use the Intune Win32 App Packaging Tool to package the required files into an .intunewin file, and then have Intune run a very basic PowerShell script that will:

  • Copy the BGInfo files (x64 version and config file) to C:\Program Files\BGInfo
  • Copy a shortcut for BGInfo to the all-users StartUp folder so it runs at every user logon
  • Run the BGInfo executable after it has copied everything

Prerequisites for Win32 Apps public preview

  • Windows 10 version 1607 or later (Enterprise, Pro, and Education versions)
  • Windows 10 client needs to be:
    • joined to Azure Active Directory (AAD) or Hybrid Azure Active Directory, and
    • enrolled in Intune (MDM-managed)
  • Windows application size is capped at 8 GB per app in the public preview

My install.ps1 is very simple and contains:

# install.ps1 - the Intune Management Extension runs this in the system context.
# Copy the files that were packaged alongside this script ($PSScriptRoot) into place.
New-Item -ItemType Directory -Force -Path "C:\Program Files\BGInfo"
Copy-Item -Path "$PSScriptRoot\bginfo64.exe" -Destination "C:\Program Files\BGInfo\bginfo64.exe"
Copy-Item -Path "$PSScriptRoot\custom.bgi" -Destination "C:\Program Files\BGInfo\custom.bgi"
# All-users Startup folder, so the shortcut runs at every user logon.
Copy-Item -Path "$PSScriptRoot\bginfo.lnk" -Destination "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\bginfo.lnk"
# Run BGInfo once now rather than waiting for the next logon.
Start-Process "C:\Program Files\BGInfo\Bginfo64.exe" -ArgumentList "`"C:\Program Files\BgInfo\custom.bgi`"", "/timer:0", "/silent", "/nolicprompt"
Return 0

I have downloaded the Win32 packaging tool from https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool and saved it to C:\Intune.

I have a folder called C:\bginfo that contains my BGinfo files:

  • Bginfo.lnk – the BGInfo shortcut that will be copied to the StartUp folder, with the target "C:\Program Files\BGInfo\Bginfo64.exe" "C:\Program Files\BgInfo\custom.bgi" /timer:0 /silent /nolicprompt
  • Bginfo64.exe – the executable to run BGInfo
  • custom.bgi – this is just my BGInfo configuration
  • install.ps1 – the script shown above that copies the files into place

win32_1

IntuneWinAppUtil.exe is very easy to run: it prompts you for the source folder (the one in the screenshot above with my BGInfo files and PowerShell script), the setup file (Bginfo64.exe), and the output folder (where it will place the .intunewin file to upload to Intune).

win32_2

Once done, it will output the .intunewin file to upload to Intune to deploy.
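The tool also accepts the source folder, setup file and output folder on the command line, which is what you want when packaging is scripted. The block below is an added example (not from the original post) that checks the Authenticode signature of the BGInfo binary before packaging it, records a SHA256 manifest of everything going into the package, and then calls IntuneWinAppUtil.exe non-interactively. Folder paths follow the post; C:\Intune\Output as the output folder and the manifest file name are assumptions.

```powershell
# Added example: verify the binary, then build the .intunewin without prompts.
# -c/-s/-o/-q are IntuneWinAppUtil's documented switches (source folder, setup
# file, output folder, quiet). Output folder location is an assumption.
$sourceFolder = 'C:\bginfo'
$setupFile    = 'Bginfo64.exe'
$outputFolder = 'C:\Intune\Output'
$tool         = 'C:\Intune\IntuneWinAppUtil.exe'

$binary = Join-Path $sourceFolder $setupFile

# Only package a binary whose Authenticode signature validates. BGInfo is a
# Sysinternals tool and ships signed by Microsoft, so anything else is suspicious.
$sig = Get-AuthenticodeSignature -FilePath $binary
if ($sig.Status -ne 'Valid') {
    throw "$binary signature status is $($sig.Status) - refusing to package it"
}
"Signer: $($sig.SignerCertificate.Subject)"

New-Item -ItemType Directory -Force -Path $outputFolder | Out-Null

# Record the hash of every file going into the package so the content on a
# client can later be compared with what was packaged.
$manifest = Get-ChildItem -Path $sourceFolder -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object @{ n = 'File'; e = { Split-Path $_.Path -Leaf } }, Hash
$manifest | Format-Table -AutoSize
$manifest | Export-Csv -Path (Join-Path $outputFolder 'bginfo-manifest.csv') -NoTypeInformation

# Build the package non-interactively.
& $tool -c $sourceFolder -s $setupFile -o $outputFolder -q
if ($LASTEXITCODE -ne 0) { throw "IntuneWinAppUtil failed with exit code $LASTEXITCODE" }

Get-ChildItem -Path $outputFolder -Filter '*.intunewin'
```

The signature check matters because whatever is in the source folder will later be executed as SYSTEM on every targeted device; failing the build on an unsigned or tampered binary is cheaper than discovering it after deployment.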

win32_3

To create the Win32 app in Intune, log in to the Azure portal (portal.azure.com) and select Intune > Client apps > Add.

win32_4

Select Windows app (Win32) – preview for the App type, and browse to the .intunewin package that was created earlier.

win32_5

Fill in the required information.

win32_6

For my install command, I have entered "powershell.exe -executionpolicy Bypass .\install.ps1". The Intune Management Extension runs this in the system context, so the script has full access to Program Files and the all-users Startup folder.

The uninstall command is required as well (I have used the same command, which won't work to uninstall, but I am not concerned about that).
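For anyone who does want a working uninstall, here is an added example of a matching uninstall.ps1 (not part of the original post). It reverses the install script above and uses the same paths; the only assumption is that it is packaged in the same source folder and wired up as "powershell.exe -executionpolicy Bypass .\uninstall.ps1".

```powershell
# Added example: uninstall.ps1 for the BGInfo Win32 app. Intune runs it in the
# system context, so it can remove the all-users Startup shortcut and the
# Program Files folder created by install.ps1.
$installDir = 'C:\Program Files\BGInfo'
$shortcut   = 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\bginfo.lnk'

# Stop any running BGInfo instance so the executable can be deleted.
Get-Process -Name 'Bginfo64' -ErrorAction SilentlyContinue | Stop-Process -Force

if (Test-Path $shortcut)   { Remove-Item -Path $shortcut -Force }
if (Test-Path $installDir) { Remove-Item -Path $installDir -Recurse -Force }

# Fail the uninstall if the detection-rule file is still present, so Intune
# reports the real state instead of a false success.
if (Test-Path (Join-Path $installDir 'Bginfo64.exe')) { exit 1 }
exit 0
```

The final check lines up with the detection rule used later in this post (Bginfo64.exe present in C:\Program Files\BGInfo): if that file survives, Intune will keep reporting the app as installed, so the script returns a failure rather than hiding it.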

win32_7

Fill in the requirements.

win32_8

I have used a detection rule that checks for the file Bginfo64.exe in C:\Program Files\BGInfo.

win32_9

Once you finish all the steps, the app content is uploaded.

win32_10

You can now assign the app.

win32_11

Once the Azure AD joined, Intune-enrolled Windows 10 device syncs, the app will install.

win32_12

For troubleshooting, check the Intune Management Extension log at C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log. It is in CMTrace format, so CMTrace displays it cleanly.

win32_13

Demo of a new machine using Autopilot with the Win32 app deployed.

AutoPilot

Thanks to Steve Hosking for pointing out to me that I could use PowerShell instead of a cmd file.

SCCM Current Branch – Import Azure Services existing Web Apps to use same Azure subscription for CMG in different SCCM environments

This post will show how you can import existing Azure Web Apps in SCCM Current Branch so you can use the same Azure hosting subscription for the CMG in different SCCM Current Branch environments. For example, you might have a Dev SCCM environment and a Production SCCM environment but only one Azure subscription, and want to deploy a CMG in both Dev and Prod.

In the SCCM Cloud Management Gateway documentation, there is an FAQ section that says:

Do the user accounts have to be in the same Azure subscription as the subscription that hosts the CMG cloud service?

If your environment has more than one subscription, you can deploy CMG into any subscription that can host Azure cloud services.

This question is common in the following scenarios:

  • When you have distinct test and production Active Directory and Azure AD environments, but one single, centralized Azure hosting subscription
  • Your use of Azure has grown organically across different teams

When you’re using a Resource Manager deployment, onboard the associated Azure AD tenant. This connection allows Configuration Manager to authenticate to Azure to create, deploy, and manage the CMG.

If you’re using Azure AD authentication for the users and devices managed over the CMG, onboard that Azure AD tenant. For more information on Azure services for cloud management, see Configure Azure services. When you onboard each Azure AD tenant, a single CMG can provide Azure AD authentication for multiple tenants, regardless of the hosting location.

In the SCCM console, go to Azure Services, then Configure Azure Services.

2018-10-29_15-12-59

Give it a Name, and select Cloud Management Gateway.

2018-10-29_15-13-31

Click on Browse next to the Web app.

2018-10-29_15-19-38

You can create a new one, or you can import the existing one. Select Import.

2018-10-29_15-20-23

Now open your browser, go to portal.azure.com, then Azure Active Directory. I am using the new preview for App Registrations, so I have selected App registrations (Preview) and then the Server App that I want to import.

2018-10-29_15-23-00

To import this web app, copy the Display Name, Client ID, and Tenant ID.

2018-10-29_15-24-06

Also go to Certificates & secrets, and create a new client secret.

2018-10-29_15-25-32

Copy the value; we will use it later. It is only displayed once, and it is the credential SCCM will use to authenticate as this app, so treat it like a password.

2018-10-29_15-26-04

Type in your Azure AD Tenant name, the Tenant ID that you copied earlier, the Application Name, Client ID, Secret Key, Secret Key Expiry, and the App ID URI. Make sure to click the Verify button to confirm that all the information is correct.

2018-10-29_15-27-03

Click on OK.

2018-10-29_15-31-14

Do the same for the Native Client app. You can follow the instructions above to get the correct values.

2018-10-29_15-32-01

Once both apps have been imported, click on Next.

2018-10-29_15-33-07

I won’t be enabling Azure AD discovery.

2018-10-29_15-33-19

Finish the rest of the wizard and the subscription information will be imported so you can deploy the CMG in this subscription. Since both SCCM environments now share one app registration, remember that when the client secret is rotated it has to be updated in both sites.

2018-10-29_15-33-31

SCCM 1806 CMG – Hybrid Azure AD – Failed to get CCM access token

When using the Cloud Management Gateway in SCCM Current Branch 1806, with Hybrid Azure AD clients for authentication, you may see the following errors in ccmmessaging.log on the client:

[CCMHTTP] ERROR: URL=https://<cmgname>/CCM_Proxy_MutualAuth/<guid>/ccm_system_windowsauth/request, Port=0, Options=1216, Code=0, Text=CCM_E_NO_TOKEN_AUTH
Failed to get CCM access token and client doesn’t have PKI issued cert to use SSL. Error 0x80004005
Post to https://<cmgname>/CCM_Proxy_MutualAuth/<guid>/ccm_system_windowsauth/request failed with 0x87d00231.

2018-10-26_10-30-05

If you then check the logs on the management point, specifically CCM_STS.log, you will see:

AAD user with ID <ID> and SID is not completely discovered
Return code: 403, Description: Un-authorized request, AAD user is not discovered

2018-10-26_10-28-30

At the time of writing this post, if you are using hybrid Azure AD for authentication, you need to enable both Azure AD User Discovery and the on-premises Active Directory User Discovery. You can see in the CCM_STS.log above that it says the Azure AD user is not discovered, which is what causes the 403 error.

Once both user discovery methods have been enabled, the client can authenticate over the CMG.
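Both ccmmessaging.log and CCM_STS.log, like the IntuneManagementExtension.log mentioned in the Win32 app post above, are CMTrace-format logs, so the same parser pulls the relevant lines out of all of them. The block below is an added example (not from the original post): a small CMTrace parser plus a filter for the CMG authentication failure strings quoted above. The sample entries are constructed for the example; the message text comes from the errors in this post, but the timestamps, thread IDs, file names and the CMG host name are made up.

```powershell
# Added example: parse CMTrace-format logs and surface the CMG token/auth failures.
# The sample below is constructed; only the message text is taken from the post.
$sample = @'
<![LOG[[CCMHTTP] ERROR: URL=https://cmg.example.com/CCM_Proxy_MutualAuth/1234/ccm_system_windowsauth/request, Port=0, Options=1216, Code=0, Text=CCM_E_NO_TOKEN_AUTH]LOG]!><time="10:30:05.100+000" date="10-26-2018" component="CcmMessaging" context="" type="3" thread="4120" file="ccmhttperror.cpp:305">
<![LOG[Failed to get CCM access token and client doesn't have PKI issued cert to use SSL. Error 0x80004005]LOG]!><time="10:30:05.101+000" date="10-26-2018" component="CcmMessaging" context="" type="3" thread="4120" file="ccmhttperror.cpp:305">
<![LOG[Post to https://cmg.example.com/CCM_Proxy_MutualAuth/1234/ccm_system_windowsauth/request failed with 0x87d00231.]LOG]!><time="10:30:05.102+000" date="10-26-2018" component="CcmMessaging" context="" type="3" thread="4120" file="ccmhttperror.cpp:305">
<![LOG[Successfully sent location services HTTP request]LOG]!><time="10:30:06.000+000" date="10-26-2018" component="LocationServices" context="" type="1" thread="4120" file="lsad.cpp:100">
'@

function ConvertFrom-CMTraceLog {
    param([Parameter(Mandatory)][string]$Text)
    # A CMTrace entry is <![LOG[message]LOG]!><time=... date=... component=... type=...>.
    # Messages may contain newlines, so match in single-line mode and non-greedily.
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)" date="(?<date>[^"]*)" component="(?<comp>[^"]*)" context="[^"]*" type="(?<type>\d)" thread="(?<thread>\d+)"'
    foreach ($m in [regex]::Matches($Text, $pattern, 'Singleline')) {
        [pscustomobject]@{
            Date      = $m.Groups['date'].Value
            Time      = $m.Groups['time'].Value
            Component = $m.Groups['comp'].Value
            Severity  = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }[$m.Groups['type'].Value]
            Thread    = [int]$m.Groups['thread'].Value
            Message   = $m.Groups['msg'].Value
        }
    }
}

# Strings that identify the failure discussed in this post (client and MP side).
$cmgAuthFailureMarkers = 'CCM_E_NO_TOKEN_AUTH', '0x87d00231',
                         'Failed to get CCM access token', 'AAD user is not discovered'

function Find-CmgAuthFailure {
    param([Parameter(Mandatory)][string]$LogText)
    ConvertFrom-CMTraceLog -Text $LogText | Where-Object {
        $msg = $_.Message
        $cmgAuthFailureMarkers | Where-Object { $msg -like "*$_*" }
    }
}

Find-CmgAuthFailure -LogText $sample | Format-Table Date, Time, Component, Severity, Message -AutoSize

# Against a real client, feed it the file instead of the sample:
# Find-CmgAuthFailure -LogText (Get-Content 'C:\Windows\CCM\Logs\ccmmessaging.log' -Raw)
# and on the management point, the CCM_STS.log in the SMS_CCM\Logs folder.
```

Running it over the sample returns the three CcmMessaging error entries and drops the unrelated LocationServices line; the same function with the IntuneManagementExtension.log contents and a different marker list gives you the Win32 app install errors from the earlier post.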

SCCM 1806 – Third Party Updates Error 13875

Recently when adding a catalog to the third party software update catalogs in SCCM Current Branch 1806 and trying to synchronize, I encountered the error “Unable to create the subscription. The console failed to download <product> from <URL> because of the error code 13875. For more information, see SmsAdminUI logfile.”

tpa01

The error code 13875 means "Invalid certificate signature". To troubleshoot further, I downloaded the cab file by opening IE and pasting in the link. Once the cab file was downloaded, I right-clicked on it, selected Properties, and opened the Digital Signatures tab:

tpa02

Here my issue was that the certificate in the signature could not be verified. I clicked on View Certificate to see more details.

tpa03

My issue was that the server I was running the console from was missing some Trusted Root certificates. After these were installed, the third party updates synchronized to SCCM Current Branch 1806 without issues.
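The same diagnosis can be done from PowerShell on the console machine, which also tells you exactly which element of the chain is not trusted. The block below is an added example (not from the original post): it downloads the catalog cab, checks its Authenticode signature, and walks the signer's certificate chain reporting the status of each element. The catalog URL is a placeholder to be replaced with the <URL> from the error message; the temp file name is an assumption.

```powershell
# Added example: reproduce the Digital Signatures check from the shell and show
# which certificate in the chain fails, so a missing trusted root is obvious.
$catalogUrl = 'https://example.invalid/catalog.cab'   # placeholder: use the URL from the 13875 error
$cabPath    = Join-Path $env:TEMP 'catalog.cab'        # assumed temp location

Invoke-WebRequest -Uri $catalogUrl -OutFile $cabPath -UseBasicParsing

function Test-CatalogSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    "Signature status : $($sig.Status)  ($($sig.StatusMessage))"
    if (-not $sig.SignerCertificate) { return $false }
    "Signer           : $($sig.SignerCertificate.Subject)"

    # Build the chain the same way the certificate dialog does and report every
    # element that has a status (e.g. PartialChain, UntrustedRoot).
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # hunting for trust problems, not revocation
    $built = $chain.Build($sig.SignerCertificate)
    foreach ($element in $chain.ChainElements) {
        $status = ($element.ChainElementStatus | ForEach-Object Status) -join ','
        if (-not $status) { $status = 'OK' }
        '  {0,-14} {1}' -f $status, $element.Certificate.Subject
    }
    if (-not $built) {
        $problems = ($chain.ChainStatus | ForEach-Object StatusInformation) -join ' '
        Write-Warning "Chain did not build: $problems"
    }
    return ($sig.Status -eq 'Valid' -and $built)
}

if (Test-CatalogSignature -Path $cabPath) {
    'Catalog signature verifies on this machine.'
} else {
    'Catalog signature does not verify. If the last element reports UntrustedRoot or PartialChain, import the missing root or intermediate into the Local Machine store on the console machine.'
}
```

The chain walk is the part the GUI hides: a missing root shows up as UntrustedRoot on the top element, while a missing intermediate shows up as PartialChain, and the two are fixed by importing different certificates.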

tpa04

SCCM 1806 – Third Party Updates

This post will show how you can set up Third Party Updates in SCCM Current Branch 1806 using a catalog from Patch My PC. This is a fresh lab with no certificates or GPOs configured. We will let SCCM create the Trusted Publisher certificate and push it to the clients through the SCCM client settings, and also use the client settings to allow signed updates from an intranet location.

The setup below has the SUP installed on the same server as my primary site, and the SUP is configured for HTTP. SSL must be enabled on the SUP if it is remote. See https://docs.microsoft.com/en-us/sccm/sum/deploy-use/third-party-software-updates for further details.

First thing is to enable third party updates, and then let SCCM manage the certificate.

TPA01

Once this is done and you sync your software update point, it will create and install the code signing certificate. You can see this in wsyncmgr.log.

TPA02

If you open certlm.msc you can also see the WSUS Publishers Self-signed certificate in the WSUS store.

TPA03

You can also see this certificate in the Trusted Publishers store as well.

TPA04

Once the sync has completed, you can see there is now information about the certificate in the third party updates tab of the software update point properties.

TPA05

Next we will configure third party updates in the client settings. Open the client settings, select the Software Updates section, and enable third party updates. This adds a local policy on the clients that allows signed updates from an intranet location, and installs the code signing certificate into the Trusted Publishers store. There is no need for a GPO to do this.

TPA06

If you open gpedit.msc on a machine that has received the new policy, and go to Computer Configuration > Administrative Templates > Windows Components > Windows Update, you will see the “Allow signed updates from an intranet Microsoft update service location” is now enabled.

TPA07

If you run gpresult /scope computer /v you can also see that the local policy has set this.

TPA08

You can also see that the code signing certificate has been installed.

TPA09
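Rather than opening gpedit.msc and certlm.msc on each machine, both results can be checked in one go from PowerShell. The block below is an added example (not from the original post). It reads the registry value that the "Allow signed updates from an intranet Microsoft update service location" policy writes (AcceptTrustedPublisherCerts under the WindowsUpdate policy key) and looks for the publisher certificate in the Local Machine Trusted Publishers store; the subject match on "WSUS Publishers Self-signed" is taken from the certificate name in the certlm.msc screenshot above.

```powershell
# Added example: confirm on a client that the third party updates client setting
# did both things it is supposed to do. AcceptTrustedPublisherCerts is the value
# behind the "Allow signed updates from an intranet Microsoft update service
# location" policy; the certificate subject match is an assumption based on the
# certlm.msc screenshot.
function Test-ThirdPartyUpdateClient {
    $result = [ordered]@{}

    # 1. Local policy: AcceptTrustedPublisherCerts = 1 under the WindowsUpdate policy key.
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $value = (Get-ItemProperty -Path $wuKey -Name AcceptTrustedPublisherCerts -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts
    $result.AcceptTrustedPublisherCerts = ($value -eq 1)

    # 2. The WSUS publisher code-signing certificate is in LocalMachine\TrustedPublisher.
    $publisher = Get-ChildItem -Path Cert:\LocalMachine\TrustedPublisher |
        Where-Object { $_.Subject -like '*WSUS Publishers Self-signed*' } |
        Select-Object -First 1
    $result.PublisherCertPresent = [bool]$publisher
    if ($publisher) {
        # Anything signed with this certificate will now install through WSUS on
        # this machine, so the thumbprint should match the one shown in the SUP's
        # Third Party Updates tab and the expiry should be tracked.
        $result.PublisherCertThumbprint = $publisher.Thumbprint
        $result.PublisherCertExpires    = $publisher.NotAfter
    }

    [pscustomobject]$result
}

$check = Test-ThirdPartyUpdateClient
$check | Format-List
if (-not ($check.AcceptTrustedPublisherCerts -and $check.PublisherCertPresent)) {
    Write-Warning 'Client is not ready for third party updates; trigger a machine policy refresh and re-check.'
}
```

The thumbprint comparison is the check worth keeping: a certificate in Trusted Publishers is a code-signing trust anchor for the machine, so you want to be sure the one present is the one your SUP generated and not something else that ended up in that store.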

Now we need to add our third party update catalogs. In the SCCM console you can right-click on Third Party Software Update Catalogs and add a new catalog. In my example I will be adding some Patch My PC catalogs and then syncing them.

TPA10

Click on View Certificate and then click OK. This is the point where you decide to trust the catalog publisher, so check the certificate details here rather than clicking straight through.

TPA12

Once you have viewed the certificate you can click Next.

TPA13

Once you have added the required catalogs, you need to subscribe to them (the catalogs will then synchronize automatically every 7 days).

TPA11

Once you have subscribed, the catalog downloads. You then need to run a sync to import the metadata from the WSUS database into the SCCM database.

TPA14

Once the sync has finished, go back into your SUP properties, click products, and add the product.

TPA15

Another SUP sync is needed for the metadata to appear.

TPA16

Once the metadata from the catalogs we added has appeared, we need to publish the updates before we can deploy them. You can watch the updates download in SMS_ISVUPDATES_SYNCAGENT.log.

TPA17

After the updates have been published and downloaded, we need to do another sync.

TPA18

You can see that the icon has changed from the blue metadata-only icon to green. We can now deploy our third party updates to a collection as normal.

TPA19

On my test client, you can see that it needed Adobe Acrobat Reader, Google Chrome, and Oracle Java updates.

TPA

The updates have installed correctly, so we know that the trusted publisher certificate and the allow signed updates from an intranet location setting both worked.

TPA21

SCCM Current Branch 1806 – Cloud Management Gateway Improvements

In the recently released version 1806 of SCCM Current Branch there have been a number of improvements to the Cloud Management Gateway (CMG). You might have noticed these in the Technical Previews. More information about the new features is at https://docs.microsoft.com/en-us/sccm/core/plan-design/changes/whats-new-in-version-1806

Some of the nice new features for the Cloud Management Gateway:

Download content from a CMG – You can now allow the cloud management gateway to function as a cloud distribution point. That is one less cloud service virtual machine running, which saves costs. Right-click on your cloud management gateway, view the properties, click Settings, and check the box "Allow CMG to function as a cloud distribution point and serve content from Azure storage".

cmg01

Or, if you are deploying a new CMG, you can see the checkbox below.

cmg02

Trusted root certificate isn't required with Azure AD – In the screenshot above, you will notice that you are no longer required to provide a client trusted root certificate. It is not needed when you use Azure AD for authentication.

CMG Connection Analyzer – This appeared in an earlier technical preview release and will help a lot of people. The Connection Analyzer lets you troubleshoot connectivity to your CMG. In the example below I have signed in as an Azure AD user and tested the connection. This was useful after configuring "Use Configuration Manager-generated certificates for HTTP site systems" (covered next): after checking that box, I was able to leave my management point in HTTP mode, allow CMG traffic on it, and run through the tests to confirm that everything is working.

cmg03

Use Configuration Manager-generated certificates for HTTP site systems – As mentioned above, this feature is a big improvement. After checking the box below on your site server, you can leave your management point in HTTP for cloud management gateway traffic and not have to install PKI certificates on it.

cmg04

Once the checkbox above is enabled, you can allow CMG traffic on your management point, as in the screenshot below.

cmg05

If you open IIS Manager, you will see that the SMS Role SSL Certificate is now selected on the HTTPS binding. If you remove or change this certificate, the Connection Analyzer test called Testing the CMG channel for management point will fail.

cmg06

You will also find a Cloud Management dashboard in the Monitoring node with some statistics.

cmg07