Author Archives: nhogarth

SCCM 1706 – Share an application from Software Center

With version 1706 coming out for SCCM Current Branch, one of the new useful features is the ability to give a user a direct link to an application in the Software Center. This can be useful for a scenario such as deploying an application as Available, and providing the users with a direct link to the application in Software Center so the users can choose to install the application if they like.

This post will show a quick demo on how to share the link to Office 365 ProPlus which was deployed as Available.

Open Software Center and click on the application you would like to share. Click the share button.

shareapp01

You can now copy the link below. In my example, I am going to email staff advising them that Office 365 ProPlus is available to install from Software Center. I will email a picture of an Office 365 ProPlus logo and add a hyperlink to the link below in the picture.

shareapp02

Below is a test email I can email staff and add a hyperlink in the image below pointing to the application in Software Center.

shareapp03

When a user clicks on the image above, it will open up the application in Software Center ready to be installed.

shareapp04

SCCM 1706 – Azure AD Discovery

SCCM 1706 was recently released and one of the new features is Azure AD Discovery. This was in Technical Preview 1705. This guide will show how to set up Azure AD  Discovery and install the SCCM client on a workgroup machine on the Internet without certificates using the Cloud Management Gateway.

For more information about SCCM 1706 see What’s new in version 1706 of System Center Configuration Manager

In my lab, I already have the Cloud Management Gateway set up. To set up the CMG you can see the documentation here https://docs.microsoft.com/en-us/sccm/core/clients/manage/setup-cloud-management-gateway

Once you have installed the 1706 update, expand Cloud Services, then right click on Azure Services and click Configure Azure Services

1706-azuread01

Select Cloud Management and click Next

1706-azuread02

Next create the Server and Client Apps. Click Browse on the Web App then click Create.

1706-azuread03

Enter in an Application Name, HomePage URL and App ID URL. Then Sign in to Azure AD with an admin account and it will create the app for you in Azure.

1706-azuread04

Select the app and click Ok.

1706-azuread05

Do the same as above but for the Client App and give it an Application Name and a Reply URL, then sign in to Azure with an Azure admin account. The app will then be created in Azure.

1706-azuread06

Enable Azure Active Directory User Discovery.

1706-azuread07

You need to grant permissions on both the client app and server app in Azure, otherwise you will see in SMS_AZUREAD_DISCOVERY_AGENT.log there will be access denied errors.

1706-azuread08

Login to https://portal.azure.com and go to Azure Active Directory, then App Registrations. Select the app and go to Required Permissions and click Grant Permissions. I did this for both the client app and server app.

1706-azuread09

Now looking back in SMS_AZUREAD_DISCOVERY_AGENT.log mine is now successful and has discovered by Azure AD users.

1706-azuread10

You can view the Azure AD users in the SCCM console in \Assets and Compliance\Overview\Users\All Users

An example below you can see that it is discovered by SMS_AZUREAD_USER_DISCOVERY_AGENT

1706-azuread11

In the SCCM console, in \Administration\Overview\Cloud Services\Azure Services, you can also run a full discovery by clicking Run Full Discovery Now, and view information about Azure AD Discovery like the Full Sync Schedule, Delta Sync Interval, and the Last Full Sync/Delta Sync time.

1706-azuread12

On a Windows 10 Azure AD joined machine, you can install the SCCM manually client without using any certificates. This is useful on Workgroup machines.

You can use the installation command

ccmsetup.exe /NoCrlCheck /Source:C:\CLIENT CCMHOSTNAME=SCCMPROXYCONTOSO.CLOUDAPP.NET/CCM_Proxy_ServerAuth/72457598037527932 SMSSiteCode=HEC AADTENANTID=780433B5-E05E-4B7D-BFD1-E8013911E543 AADTENANTNAME=contoso AADCLIENTAPPID= AADRESOURCEURI=https://contososerver

For a reference of how to obtain the information above, see https://docs.microsoft.com/en-us/sccm/core/clients/deploy/deploy-clients-cmg-azure#step-4-install-and-register-the-configuration-manager-client-using-azure-active-directory-identity

 

Intune – Denying access to Windows 10 without Bitlocker enabled

This blog post will show how you can deny access to Exchange Online and SharePoint Online to Windows 10 machines without Bitlocker enabled, using Conditional Access.

This is a lab environment, conditional access requires some planning as you can potentially deny access to all machines if you deploy the conditional access policy to all users.

First I will create the compliance policy for Windows 10 to require encryption.

In https://portal.azure.com go to Intune, then Device compliance, then Policies, then Create Policy

Condaccbit01

Give the policy a name, and select Windows 10 and later for the platform then click Configure. Under System Security, you will see down the bottom Encryption of data storage on device, click Require. 

Condaccbit02

Create the policy, then assign the policy to a group. In my testing, I have a group called Intune.

Condaccbit02_2

Next I will create the Conditional Access policy to require Windows devices to be compliant to access Exchange Online and SharePoint online. Be careful about who you deploy the policy to. I am using a group with some test users here, rather than all users so I don’t block access to all unenrolled Windows machines.

Click on Azure Active Directory, then click on Conditional Access

Condaccbit03

Under Users and groups, I selected a pilot group with a few users. You could create a group with Windows 10 machines included to deploy the conditional access policy to.

I have given it a name “Windows 10 – Bitlocker required”. For the Cloud apps I have selected Exchange Online and SharePoint online”

Condaccbit04

I have selected Windows as the platform.

Condaccbit05

I have selected Browser and Mobile apps and Desktop clients.

Condaccbit06

Under Grant,  have selected Require device to be marked as compliant. This means the device needs to be enrolled in Intune, and also compliant.

Condaccbit07

Now, this is the user experience on my Windows 10 Pro machine. I have not enrolled it in Intune. When I go to https://outlook.office365.com using either Edge or IE11, I am presented with the message below:

Condaccbit08

Once I have MDM enrolled by Windows 10 machine into Intune, you can see the popup in the bottom right hand corner saying Encryption needed. The user needs to select this to kick off the encryption.

Condaccbit09

Once I have clicked on Encryption needed, I will follow the prompts:

Condaccbit10

Condaccbit11

Condaccbit12

Condaccbit13

Once the encryption has finished, I can now access Exchange Online and SharePoint Online.

Condaccbit14

 

SCCM 1705 TP – Azure AD User Discovery

In the recently released update 1705 for the Technical Preview Branch of System Center Configuration Manager, you can now set up Azure Active Directory User Discovery. This post will show how you can test it in your lab once you have updated to 1705 Technical Preview. More about this feature can be read here – https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1705#new-capabilities-for-azure-ad-and-cloud-management

In the Console, expand Cloud Services, then right click on Azure Services and click Configure Azure Services

sccmaad01

Enter in the Name, I have chosen “Azure AD Connector” and make sure Cloud Management is selected.

sccmaad02

Click Browse to create the Server app and Client app

sccmaad03

Click on Create

sccmaad04

Enter in a Application Name, Homepage URL and Identifier URL (you can make these up). Click on Sign in to sign in with your Azure admin account then click OK.

sccmaad05

Select the app you created and click OK.

sccmaad06

Click on Browse to create the client app.

sccmaad07

Click Create.

sccmaad08

Enter in an Application Name and enter in a Reply URL (again, you can make this up). Then sign in to Azure AD with your admin account.

sccmaad09

Select the client app and click OK.

sccmaad10sccmaad11

Make sure Enable Azure Active Directory User Discovery is selected. Click Settings to enable Delta user discovery and adjust the scheduling to however you like it.

sccmaad12sccmaad13

Once the Wizard is done, open up SMS_AZUREAD_DISCOVERY_AGENT.log from the Logs location on your site server, and you will see a whole bunch of Forbidden errors when trying to access https://graph.windows.net

sccmaad14

Go into portal.azure.com, then Azure Active Directory, then App Registrations, then select the Server app you created before.

sccmaad15

Click on Required Permissions, then Grant Permissions, then Yes.

sccmaad16

If you wait a little while, you will see SMS_AZUREAD_DISCOVERY_AGENT.log will start to sync the Azure Active Directory Users.

sccmaad18

You can now view your Azure AD users in the SCCM console.

sccmaad17

 

 

Intune – Windows 10 Device Configuration

This post will show how you can set device configurations for MDM enrolled Windows 10 machines in the Intune preview in the Azure portal. This is using Intune standalone and not Intune hybrid. The device configurations I will deploy includes setting a wallpaper on a Windows 10 1703 Enterprise machine, and setting password restrictions. After configuring the Device configuration policy in Intune, it will also show the user experience in Windows 10.

In the Intune blade, select Device Configuration

IntuneDevCon01

Select Profiles, then select Create Profile

IntuneDevCon02

Type in a Name for the profile, for the Platform select Windows 10 and later, and for Profile type, select Device Restrictions

IntuneDevCon03

For this post, I will create password restrictions. I have selected Password as the category and configured some settings on the right hand side.

IntuneDevCon04

I will also set the desktop background picture in the Personalization category, by pasting in a URL to where I have uploaded the wallpaper. Note this CSP was only added in Windows 1703, and supported on Enterprise. See https://msdn.microsoft.com/en-gb/windows/hardware/commercialize/customize/mdm/personalization-csp

IntuneDevCon05

Now I will click on Assignments to assign the device configuration policy to my Intune group I created in Azure AD.

IntuneDevCon06

Select the group and click Save.

IntuneDevCon07

Now on my Windows 10 Enterprise 1703 machine I am prompted to change my password

IntuneDevCon08

And the custom wallpaper has been set

IntuneDevCon09

Intune – Require Device Encryption (BitLocker) on Windows 10 1703

This post will show how you can create a compliance policy in the Intune preview portal to require Device Encryption (BitLocker) for a Windows 10 1703 Pro or Enterprise machine. It will also show the user experience. I will be testing this on a Hyper-V Gen 2 machine with the TPM enabled.

In portal.azure.com select Intune, then select Device compliance

encryp01

Select Policies

encryp02

Select Create Policy

encryp03

Enter in the name for the policy, and select Windows 10 and later for the Platform. Then select System Security, and select Require under Encryption.

encryp04

Save the policy and click on Assignments to deploy the policy to a user group.

encryp05

On my test Hyper-V Gen 2 machine, I have shut the machine down. Right click on the VM and click Settings, then select Security, and check the box Enable Trusted Platform Module so we can test BitLocker.

You can see that there is a notification now on the Windows 10 1703 Pro/Enterprise machine that Encryption is needed. The user needs to click on it.

encryp06

If you open up the Company Portal, you can also see there is a policy issue. If you click on View, you can see that the device requires encryption.

encryp07encryp08

When clicking on the notification that the device needs encryption (clicking the notification in the earlier screenshot, or clicking the notification in the bottom right corner) the user needs to go through the encryption wizard process.

encryp09

You can choose where to save the key.

encryp10encryp11encryp12

If you chose the option to save the BitLocker key to the cloud, you can view the BitLocker key in the Azure portal (portal.azure.com) by going to Azure Active Directory > Users and groups > All Users > select the user > Devices > Select the Device >

encryp13

Deploy .MSI app to MDM enrolled Windows 10 device in Intune preview

This post will show how you can deploy an .MSI to an MDM enrolled Windows 10 machine in the Intune preview in the Azure portal. As noted, the device is enrolled in Intune, and does not have the Intune client installed.

This post will use 7Zip .msi as an example and it will be deployed as “Available” in the Company Portal app for a Windows 10 1703 device.

In the Azure portal (portal.azure.com), click on More Services, then search for Intune and select it.

intunemsi00

Click on Mobile apps

intunemsi01

In the Apps section under Manage, click on Add

intunemsi02

Select Line-of-business app

intunemsi03

Click on the blue browse button and select your MSI (allowed file extensions are ipa, apk, msi, xap, appx, appxbundle.)

intunemsi04

Fill in the required details. For my example I have filled in the Name, Description, Publisher, and also selected an icon.

intunemsi05

The .msi will begin to upload and you will get a notification when the .msi has been uploaded. Once it has been uploaded, you can assign the application to a group.

intunemsi06

Next step is to assign the application to a group. This can be done under Assignments. In my example I have made it as Available to my user group called Intune. You can see the the other options below in the screenshot.

intunemsi07

Now I will open the Company Portal app on my Windows 10 machine and install 7Zip.

intunemsi08intunemsi09