SCCM TP 1806 – Office Customization Tool integration

In the new Technical Preview version 1806 of SCCM, the Office Customization Tool is now integrated with the Office 365 installer. This gives a better admin experience than the previous Office 365 installer, and allows you to further customize your Office 365 ProPlus settings.

If you go to the Office 365 Client Management section and click on the Office 365 Installer, there is a new option to Go to Office Web Page.

O365-01

This is where we can start customizing Office 365 ProPlus including entering in your organisation name, selecting either 32 or 64bit, excluding certain products, and selecting your language.

O365-02

You can choose your update channel and a specific version. I have chosen semi-annual channel and the latest version.

O365-03

I have selected to automatically accept the EULA.

O365-04

This is one of the nice parts where you can further customize Office 365 ProPlus. I won’t go through all the settings but some of the settings I have configured are to disable the opt-in wizard at first run, and to disable the customer experience improvement, and to disable the first run movie.

O365-05

Once you’re done, click on Submit then close the webpage.

O365-06

You can continue on with the rest of the wizard as normal to download and deploy Office 365 ProPlus. It will create an application for you and the deployment types with requirement rules.

O365-07

At the end you can see that the wizard has created the Application with the configuration.xml with the settings specified in the Office Customization Tool.

O365-08

Advertisements

SCCM TP 1806 – Deploy updates without downloading them

In the recently released SCCM Technical Preview 1806, one of the new features is the ability to deploy software updates without downloading them to a deployment package. This post will quickly show how to deploy the updates without downloading them. My client is Windows 10 1803 which is Internet based and communicating with my Cloud Management Gateway. This means that I won’t need to distribute the updates to a Cloud Distribution Point and waste space.

When you go to deploy your software updates, on the deployment package section where previously you had to either select an existing deployment package or create a new one, you will see there is a new option called “No deployment package” and the text “Client will download content from peer cache or public cloud if available”

Updates01

I have gone and deployed this to a collection which my Internet based machine. I will click on Install and see what the logs say.

Updates02

As expected, you can see that the client is downloading updates from Microsoft..

Updates03

SCCM TP 1806 – Download content from a CMG

The Cloud Management Gateway keeps getting better and better. In recent release of the Technical Preview 1806, clients can now download content from the Cloud Management Gateway. This means you do not need to deploy a Cloud Distribution Point which will save costs of not needing additional Azure VM’s and certificates. It is also not mandatory now to use the trusted client root certificate. This is useful if you are only using Azure AD authentication. More information can be found Here.

Going through the new CMG wizard and signing in as normal and selecting to deploy the CMG in Azure Resource Manager.

CMG01

You can notice a few things different here. First I do not need to select the trusted client root certificate, before this was mandatory. And also there is a new checkbox “Allow CMG to function as a cloud distribution point and serve content from Azure storage

CMG02

Once the CMG has been deployed, I will use the Configuration Analyzer to make sure everything is OK.

CMG04

Now when you distribute content you can select your Cloud Management Gateway.

CMG03

After downloading an application from Software Center you can see that it connected to https://<cloudservicename>.blob.core.windows.net/

CMG05

 

 

SCCM TP 1805 – CMG Connection Analyzer

One of the nice new features in the SCCM Technical Preview 1805 is the CMG Connection analyzer to help you determine issues with your Cloud Management Gateway. At the moment it allows you to troubleshoot as a user authenticating through Azure AD, and a user authenticating with a client authentication certificate.

This post will show the different checks that the Connection analyzer performs, and the types of errors it displays when something has gone wrong. I will include a few scenario’s of me breaking my CMG and what the Connetion analyzer shows.

You will notice in the CMG section there is a new button called Connection analyzer.

CA01

You can see the different authentication options you get. First I will test logging in as an Azure AD user. You can see that the first two steps involve checking that the service is running and testing connecting to it.

CA02

Next we can see that its checking the configuration versions to make sure it matches between on-prem and Azure.

CA03

Here in my lab you can see that the next step checks the CMG connection point and confirms that it is connected.

CA04

I have set my management point to allow CMG traffic, the test confirms this.

CA05

The Azure AD user can authenticate against my management point without any issues.

CA06

Now if I was to break the certificate on my management point IIS bindings and run the test again, you can see that the test fails and reports some 500 status code errors and gives possible reasons.

CA07

Next up is testing using a client certificate. You have two options to load the certificate. You can either export the client authentication certificate from a machine with the private key, or you can connect to the Certificate Store.

CA072

In this Tech Preview when you try to connect to the Certificate Store, it will try to connect to the User Store and then report that there are no certificates available. So for this post I have chosen to export the client authentication certificate to run through the tests.

CA08

You can see below that it has the same steps as testing authenticating as an Azure AD user.

CA09

I have broken my Cloud Management Gateway Point role in my lab and run through the tests again to see what it fails on. You can see that it fails as it can’t connect to the CMG Service.

CA010_2

The same as below.

CA11

Another interesting scenario is if I use an incorrect Client trusted root certificate that is uploaded to the CMG service. You can see that it fails below with the 403 forbidden status code.

CA10

And again, you can see that it says that the certificate is not trusted by the CMG.

CA12

That is all the tests I have run so far. So far it is a good start. It seems quite a few customers have issues getting their CMG up and running, I think it is mostly to do with certificates. Hopefully in the future the descriptions can be improved with more details as to what could be wrong in the Connection analyzer to help customers troubleshoot more. The Cloud Management Gateway is an awesome feature.

SCCM Technical Preview 1805 – Improved secure client communications

One of the nice new features in the SCCM Technical Preview 1805 is the ability for an Azure AD joined device to communicate through the Cloud Management Gateway when the management point is configured for HTTP and not HTTPS. In the SCCM 1802 production release, the management point needs to be in HTTPS for this to work.

To view more about this feature see https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1805#improved-secure-client-communications

The post below will show how to configure an Azure AD joined Windows 10 1803 device communicate with the CMG whilst the management point is in HTTP mode. This post assumes that you have already created the Azure services and Cloud Management Gateway, and that the MP is in HTTP mode.

The first step is to check the box Use Configuration Manager-generated certificates for HTTP site systems on the site properties.

HTTPCMG01

Once it has been checked, if you open up computer certificates in MMC, you will see there is a new SMS Role SSL Certificate in the personal store.

HTTPCMG02

Once the certificate has been generated, you need to update your cloud services wizard, select the tenant from Azure Active Directory Tenants and select Update Application Settings and proceed with the prompts.

HTTPCMG03

Next part is to select the new certificate on the HTTPS bindings in IIS.

HTTPCMG04

Select the SMS Role SSL Certificate and click OK.

HTTPCMG05

One of the new cool features in the Technical Preview 1805 is the Connection analyzer. You can do this to check for any issues in your Cloud Management Gateway.

HTTPCMG06

Now previously my HTTPS bindings had no certificate selected. So when I tested the Azure AD Authentication with the CMG, I got the below error.

HTTPCMG07

Once I selected the certificate in the IIS bindings the tests worked fine.

HTTPCMG08

On a test Windows 10 1803 client which is joined to Azure Active Directory, I copied the SCCM client set up files and used the co-management command generated by the wizard (I did not enable co-management, I cancelled out of it after I got the set up switches) to install the client. I have added the /source switch to specify the source, and removed the /mp switch.

HTTPCMG09

The client has been installed on my Azure AD joined machine with my management point in HTTP and is communicating with the Cloud Management Gateway.

HTTPCMG10

The device ow shows up in the console and shows the current logged on user which is my Azure AD user.

HTTPCMG11

 

Cloud distribution point support for Azure Resource Manager

This post will show deploying a Cloud Distribution Point in Azure Resource Manager which is a new feature in SCCM Technical Preview 1805. Now you don’t need to create and upload a management certificate to Azure.

For a list of the other new awesome features in SCCM Technical Preview 1805, see https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1805#cloud-distribution-point-support-for-azure-resource-manager

First step is to configure Azure Services to create the Client and Server app registration in Azure, otherwise you will get this error when creating the Cloud DP:

ARMCloudDP01

Right click Azure Services and select Configure Azure Services

ARMCloudDP02

Give it a name and select Cloud Management and click Next.

ARMCloudDP03

Click on Browse to create the Server and Client apps.

ARMCloudDP04

Click on Create

ARMCloudDP05

Give it a name and sign into Azure then click on OK to create the App. Do the same for the Client App.

ARMCloudDP06

Once you have created both apps, click on Next.

ARMCloudDP07

You can see the apps now in App registrations, then click on All apps in portal.azure.com

ARMCloudDP08

Azure Active Directory User Discovery doesn’t need to be enabled for this example. If you do choose to configure it, make sure to give permissions to the Azure apps above in the Azure portal. There are plenty of other blogs for this. Click on Next and leave the other options as default to finish off the wizard.

ARMCloudDP09

I have created/requested/exported a certificate using these steps here https://docs.microsoft.com/en-us/sccm/core/plan-design/network/example-deployment-of-pki-certificates#BKMK_clouddp2008_cm2012 . I have gone into portal.azure.com then Cloud Services, and clicked Add to create a new cloud service and entered in the cloud service name I wanted, only to make sure it was available (unique) like in the picture below then canceled out. I have used that name for the common name when requesting the certificate.

ARMCloudDP11

In the ConfigMgr console, right click Cloud Distribution Points, click Create Cloud Distribution Point.

ARMCloudDP10

We now get the option to use the Azure Resource Manager deployment. Sign in with your Azure account and click Next.

ARMCloudDP12

I have chosen to create a new Azure Resource Group. Browse to the certificate you exported from https://docs.microsoft.com/en-us/sccm/core/plan-design/network/example-deployment-of-pki-certificates#BKMK_clouddp2008_cm2012 . This will re-populate the service name (which I made sure was unique earlier) and click Next and configure the rest of the settings like Alerts etc.

ARMCloudDP13

Once the Cloud Distribution Point status is Ready in \Administration\Overview\Cloud Services\Cloud Distribution Points, or check CloudMgr.log make sure the Cloud DP is enabled in the Client Settings under Cloud Services.

ARMCloudDP14ARMCloudDP15

Now I have distributed an application to the Cloud DP, tested downloading the application from Software Center on the client, and in the DataTransferService.log you can see it downloading from the new Cloud DP.

ARMCloudDP16

 

Intune – Windows Information Protection without enrollment

This post will show how you can use the Office 365 suite of apps deployed to a Windows 10 Pro 1709 device (with an EMS E3 license assigned), to enroll the device into MAM. This involves deploying a Windows Information Protection policy in Intune using the “without enrollment” setting, which means the device is not enrolled into Intune.

Suggested reading:
Protect your enterprise data using Windows Information Protection (WIP)
Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune

Make sure the MAM groups are configured, in the Intune portal in https://portal.azure.com go to Azure Active Directory > Mobility (MDM and MAM) then Microsoft Intune.

wipmam01

I have an Azure AD group called Intune and an Azure AD group called MAM enrollment. The user I will be using in this demonstration is a member of the MAM enrollment group.

A caution from Microsoft “If both MAM user scope and automatic MDM enrollment (MDM user scope) are enabled for a group, only MAM is enabled. Only MAM is added for users in that group when they workplace join personal device. Devices are not automatically MDM enrolled.”

wipmam02

Now i’ll create the MAM/Windows Information Protection policy. In Intune > Mobileapps > App protection policies, select Add a policy

wipmam03

Give the policy a name and description, select Windows 10 for the platform, and select without enrollment for the enrollment state. Click on Add apps.

wipmam04

I’ll be adding some apps to allow them to access my corporate data.

wipmam05

After clicking OK on the section above, I will add some more apps such as Outlook and Word. For the publisher, make sure you specify “O=Microsoft Corporation, L=Redmond, S=Washington, C=US”

wipmam06

For now, I will skip the Exempt apps. On the required settings, in this demonstration I will select the Block setting, which will prevent users from moving data from an allowed app into a non-allowed app.

wipmam07

In the advanced settings, I will rename the Cloud resources section to Office 365, and also add OneDrive to the list and Office 365 email. In the example I have added “<domain>-my.sharepoint.com for OneDrive, and outlook.office365.com for Exchange Online. Seperate these by a “|”. So my full list is <domain>-my.sharepoint.com|<domain>.sharepoint.com|outlook.office365.com

wipmam08

Click on Create, then assign the policy to a group.

wipmam10

Once the policy has been assigned to a group, on a Windows 10 1709 Pro machine, with Office 365 installed, when adding an account to Microsoft Office product such as Word, it will ask you to sign in. This is where you can register the device in Azure AD and enroll the device into MAM.

Click Sign in

wipmam11

Type in the account that is a member of the group that has the MAM enrollment enabled, and also a member of the group which had the WIP policy assigned

wipmam12

Enter in the password and click Sign in

wipmam13

Make sure you say Yes here. This is where it will register the device in Azure AD, and also enroll it into MAM.

wipmam14wipmam15wipmam16

From the above steps, in the Azure portal, we can see the device now in Azure AD as Azure AD Registered.

wipmam17

Also on the Windows 10 device you can go to Settings > Accounts > Access work or school, and you should see your Azure AD account there. Select it and click Info. You can see the Management Server Address shows its enrolled into MAM now.

wipmam20

Earlier in the policy I set Microsoft Word to be a protected app to access enterprise data. In this demonstration I will save some corporate data, and click the drop down near File name and select Work.

wipmam18

Now if I try and copy and paste text out of the protected document into a non protected app such as Notepad running in personal context, I get the message “Can’t use content here. Your organization doesn’t allow you to use work content here”. This is because I set the Windows Information Protection Mode to Block in the WIP policy above.

wipmam19

What happens if the device is unenrolled from MAM? The encryption key has been revoked and you will get this message when opening a Work protected document

wipmam21