Monthly Archives: June 2018

SCCM TP 1806 – Office Customization Tool integration

In the new Technical Preview version 1806 of SCCM, the Office Customization Tool is now integrated with the Office 365 installer. This gives a better admin experience than the previous Office 365 installer, and allows you to further customize your Office 365 ProPlus settings.

If you go to the Office 365 Client Management section and click on the Office 365 Installer, there is a new option to Go to Office Web Page.

O365-01

This is where we can start customizing Office 365 ProPlus including entering in your organisation name, selecting either 32 or 64bit, excluding certain products, and selecting your language.

O365-02

You can choose your update channel and a specific version. I have chosen semi-annual channel and the latest version.

O365-03

I have selected to automatically accept the EULA.

O365-04

This is one of the nice parts where you can further customize Office 365 ProPlus. I won’t go through all the settings but some of the settings I have configured are to disable the opt-in wizard at first run, and to disable the customer experience improvement, and to disable the first run movie.

O365-05

Once you’re done, click on Submit then close the webpage.

O365-06

You can continue on with the rest of the wizard as normal to download and deploy Office 365 ProPlus. It will create an application for you and the deployment types with requirement rules.

O365-07

At the end you can see that the wizard has created the Application with the configuration.xml with the settings specified in the Office Customization Tool.

O365-08

Advertisements

SCCM TP 1806 – Deploy updates without downloading them

In the recently released SCCM Technical Preview 1806, one of the new features is the ability to deploy software updates without downloading them to a deployment package. This post will quickly show how to deploy the updates without downloading them. My client is Windows 10 1803 which is Internet based and communicating with my Cloud Management Gateway. This means that I won’t need to distribute the updates to a Cloud Distribution Point and waste space.

When you go to deploy your software updates, on the deployment package section where previously you had to either select an existing deployment package or create a new one, you will see there is a new option called “No deployment package” and the text “Client will download content from peer cache or public cloud if available”

Updates01

I have gone and deployed this to a collection which my Internet based machine. I will click on Install and see what the logs say.

Updates02

As expected, you can see that the client is downloading updates from Microsoft..

Updates03

SCCM TP 1806 – Download content from a CMG

The Cloud Management Gateway keeps getting better and better. In recent release of the Technical Preview 1806, clients can now download content from the Cloud Management Gateway. This means you do not need to deploy a Cloud Distribution Point which will save costs of not needing additional Azure VM’s and certificates. It is also not mandatory now to use the trusted client root certificate. This is useful if you are only using Azure AD authentication. More information can be found Here.

Going through the new CMG wizard and signing in as normal and selecting to deploy the CMG in Azure Resource Manager.

CMG01

You can notice a few things different here. First I do not need to select the trusted client root certificate, before this was mandatory. And also there is a new checkbox “Allow CMG to function as a cloud distribution point and serve content from Azure storage

CMG02

Once the CMG has been deployed, I will use the Configuration Analyzer to make sure everything is OK.

CMG04

Now when you distribute content you can select your Cloud Management Gateway.

CMG03

After downloading an application from Software Center you can see that it connected to https://<cloudservicename>.blob.core.windows.net/

CMG05

 

 

SCCM TP 1805 – CMG Connection Analyzer

One of the nice new features in the SCCM Technical Preview 1805 is the CMG Connection analyzer to help you determine issues with your Cloud Management Gateway. At the moment it allows you to troubleshoot as a user authenticating through Azure AD, and a user authenticating with a client authentication certificate.

This post will show the different checks that the Connection analyzer performs, and the types of errors it displays when something has gone wrong. I will include a few scenario’s of me breaking my CMG and what the Connetion analyzer shows.

You will notice in the CMG section there is a new button called Connection analyzer.

CA01

You can see the different authentication options you get. First I will test logging in as an Azure AD user. You can see that the first two steps involve checking that the service is running and testing connecting to it.

CA02

Next we can see that its checking the configuration versions to make sure it matches between on-prem and Azure.

CA03

Here in my lab you can see that the next step checks the CMG connection point and confirms that it is connected.

CA04

I have set my management point to allow CMG traffic, the test confirms this.

CA05

The Azure AD user can authenticate against my management point without any issues.

CA06

Now if I was to break the certificate on my management point IIS bindings and run the test again, you can see that the test fails and reports some 500 status code errors and gives possible reasons.

CA07

Next up is testing using a client certificate. You have two options to load the certificate. You can either export the client authentication certificate from a machine with the private key, or you can connect to the Certificate Store.

CA072

In this Tech Preview when you try to connect to the Certificate Store, it will try to connect to the User Store and then report that there are no certificates available. So for this post I have chosen to export the client authentication certificate to run through the tests.

CA08

You can see below that it has the same steps as testing authenticating as an Azure AD user.

CA09

I have broken my Cloud Management Gateway Point role in my lab and run through the tests again to see what it fails on. You can see that it fails as it can’t connect to the CMG Service.

CA010_2

The same as below.

CA11

Another interesting scenario is if I use an incorrect Client trusted root certificate that is uploaded to the CMG service. You can see that it fails below with the 403 forbidden status code.

CA10

And again, you can see that it says that the certificate is not trusted by the CMG.

CA12

That is all the tests I have run so far. So far it is a good start. It seems quite a few customers have issues getting their CMG up and running, I think it is mostly to do with certificates. Hopefully in the future the descriptions can be improved with more details as to what could be wrong in the Connection analyzer to help customers troubleshoot more. The Cloud Management Gateway is an awesome feature.