Monthly Archives: July 2017

SCCM 1706 – Share an application from Software Center

With version 1706 coming out for SCCM Current Branch, one of the new useful features is the ability to give a user a direct link to an application in the Software Center. This can be useful for a scenario such as deploying an application as Available, and providing the users with a direct link to the application in Software Center so the users can choose to install the application if they like.

This post will show a quick demo on how to share the link to Office 365 ProPlus which was deployed as Available.

Open Software Center and click on the application you would like to share. Click the share button.

shareapp01

You can now copy the link below. In my example, I am going to email staff advising them that Office 365 ProPlus is available to install from Software Center. I will email a picture of an Office 365 ProPlus logo and add a hyperlink to the link below in the picture.

shareapp02

Below is a test email I can email staff and add a hyperlink in the image below pointing to the application in Software Center.

shareapp03

When a user clicks on the image above, it will open up the application in Software Center ready to be installed.

shareapp04

Advertisements

SCCM 1706 – Azure AD Discovery

SCCM 1706 was recently released and one of the new features is Azure AD Discovery. This was in Technical Preview 1705. This guide will show how to set up Azure AD  Discovery and install the SCCM client on a workgroup machine on the Internet without certificates using the Cloud Management Gateway.

For more information about SCCM 1706 see What’s new in version 1706 of System Center Configuration Manager

In my lab, I already have the Cloud Management Gateway set up. To set up the CMG you can see the documentation here https://docs.microsoft.com/en-us/sccm/core/clients/manage/setup-cloud-management-gateway

Once you have installed the 1706 update, expand Cloud Services, then right click on Azure Services and click Configure Azure Services

1706-azuread01

Select Cloud Management and click Next

1706-azuread02

Next create the Server and Client Apps. Click Browse on the Web App then click Create.

1706-azuread03

Enter in an Application Name, HomePage URL and App ID URL. Then Sign in to Azure AD with an admin account and it will create the app for you in Azure.

1706-azuread04

Select the app and click Ok.

1706-azuread05

Do the same as above but for the Client App and give it an Application Name and a Reply URL, then sign in to Azure with an Azure admin account. The app will then be created in Azure.

1706-azuread06

Enable Azure Active Directory User Discovery.

1706-azuread07

You need to grant permissions on both the client app and server app in Azure, otherwise you will see in SMS_AZUREAD_DISCOVERY_AGENT.log there will be access denied errors.

1706-azuread08

Login to https://portal.azure.com and go to Azure Active Directory, then App Registrations. Select the app and go to Required Permissions and click Grant Permissions. I did this for both the client app and server app.

1706-azuread09

Now looking back in SMS_AZUREAD_DISCOVERY_AGENT.log mine is now successful and has discovered by Azure AD users.

1706-azuread10

You can view the Azure AD users in the SCCM console in \Assets and Compliance\Overview\Users\All Users

An example below you can see that it is discovered by SMS_AZUREAD_USER_DISCOVERY_AGENT

1706-azuread11

In the SCCM console, in \Administration\Overview\Cloud Services\Azure Services, you can also run a full discovery by clicking Run Full Discovery Now, and view information about Azure AD Discovery like the Full Sync Schedule, Delta Sync Interval, and the Last Full Sync/Delta Sync time.

1706-azuread12

On a Windows 10 Azure AD joined machine, you can install the SCCM manually client without using any certificates. This is useful on Workgroup machines.

You can use the installation command

ccmsetup.exe /NoCrlCheck /Source:C:\CLIENT CCMHOSTNAME=SCCMPROXYCONTOSO.CLOUDAPP.NET/CCM_Proxy_ServerAuth/72457598037527932 SMSSiteCode=HEC AADTENANTID=780433B5-E05E-4B7D-BFD1-E8013911E543 AADTENANTNAME=contoso AADCLIENTAPPID= AADRESOURCEURI=https://contososerver

For a reference of how to obtain the information above, see https://docs.microsoft.com/en-us/sccm/core/clients/deploy/deploy-clients-cmg-azure#step-4-install-and-register-the-configuration-manager-client-using-azure-active-directory-identity

 

Intune – Denying access to Windows 10 without Bitlocker enabled

This blog post will show how you can deny access to Exchange Online and SharePoint Online to Windows 10 machines without Bitlocker enabled, using Conditional Access.

This is a lab environment, conditional access requires some planning as you can potentially deny access to all machines if you deploy the conditional access policy to all users.

First I will create the compliance policy for Windows 10 to require encryption.

In https://portal.azure.com go to Intune, then Device compliance, then Policies, then Create Policy

Condaccbit01

Give the policy a name, and select Windows 10 and later for the platform then click Configure. Under System Security, you will see down the bottom Encryption of data storage on device, click Require. 

Condaccbit02

Create the policy, then assign the policy to a group. In my testing, I have a group called Intune.

Condaccbit02_2

Next I will create the Conditional Access policy to require Windows devices to be compliant to access Exchange Online and SharePoint online. Be careful about who you deploy the policy to. I am using a group with some test users here, rather than all users so I don’t block access to all unenrolled Windows machines.

Click on Azure Active Directory, then click on Conditional Access

Condaccbit03

Under Users and groups, I selected a pilot group with a few users. You could create a group with Windows 10 machines included to deploy the conditional access policy to.

I have given it a name “Windows 10 – Bitlocker required”. For the Cloud apps I have selected Exchange Online and SharePoint online”

Condaccbit04

I have selected Windows as the platform.

Condaccbit05

I have selected Browser and Mobile apps and Desktop clients.

Condaccbit06

Under Grant,  have selected Require device to be marked as compliant. This means the device needs to be enrolled in Intune, and also compliant.

Condaccbit07

Now, this is the user experience on my Windows 10 Pro machine. I have not enrolled it in Intune. When I go to https://outlook.office365.com using either Edge or IE11, I am presented with the message below:

Condaccbit08

Once I have MDM enrolled by Windows 10 machine into Intune, you can see the popup in the bottom right hand corner saying Encryption needed. The user needs to select this to kick off the encryption.

Condaccbit09

Once I have clicked on Encryption needed, I will follow the prompts:

Condaccbit10

Condaccbit11

Condaccbit12

Condaccbit13

Once the encryption has finished, I can now access Exchange Online and SharePoint Online.

Condaccbit14