Category Archives: Azure

SCCM Power BI Solution Template preview

A few days ago Microsoft released a public preview of the System Center Configuration Manager Power BI solution template:

“Stand up a scalable and extensible System Center Configuration Manager dashboard in a few hours. Information is collected daily so you can see not only how your organization’s computer health looks like today, you can also see how those key metrics change over time. Quickly identify machines not up-to-date with software updates, successful and failed mitigations to malware infections to be able to act quickly.”

More information on this can be found here and you can download the template from here 

Requirements:

  • System Center 2012 Configuration Manager R2 SP1 or later. Read access to System Center Configuration Manager database is required.
  • Destination database: Azure SQL database or SQL Server database (SQL Server 2008 R2 SP3 or later).
  • For the machine where the installation is run, Microsoft .NET Framework 4.5 or later & PowerShell version 3.0 or later.
  • Power BI Desktop (latest version)
  • Power BI Pro (to share the template with your organization)

In this post, I am going to test installing the public preview of SCCM Power BI solution template in my lab which has:

  • ConfigMgr Current Branch 1606 & SQL server 2012 SP3
  • Windows Server 2012 R2 with Microsoft .NET Framework 4.5 installed
  • Azure SQL Database as my target database.

First thing I am going to do is create my target SQL server which will be an Azure SQL database.

Log in to https://portal.azure.com

Below, I have clicked on Add, then given my database a name, created a new resource group, chosen a blank database, created a new SQL server, and used “S0 Standard” pricing tier as my ConfigMgr site is a very small lab.

When you create the new SQL Server, take a note of the login and password as you will need this later for the ConfigMgr Power BI Solution template setup.

powerbi2

Once my SQL database deployment has finished, I have gone into the SQL database overview, and copied down my Server Name as it is required for later.

powerbi6

Next up, in my lab I have installed Microsoft-SCCMTemplate.exe, which I downloaded earlier from here. Once it has finished installing, you can configure the solution template. Again the requirements are listed. Click Next.

powerbi4

Enter in your source ConfigMgr database server details and select your ConfigMgr database, then validate and click Next:

powerbi5

Next I will enter my target database, which is my Azure SQL database name. I have selected “Using Azure SQL”. Make sure you add your public IP to the SQL Server firewall in your SQL Server settings in the Azure portal (https://portal.azure.com), otherwise you will get the error below as it cannot connect. Steps to add your IP to the firewall are here.

powerbi7

This is how it should look:

powerbi8
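The same firewall step done from PowerShell instead of the portal, followed by a review of how wide each rule on the server is. This is an added example, not part of the original post; it assumes the Az.Sql module and a signed-in session, and the resource group, server name and IP address are placeholders.

```powershell
# Added example; assumes the Az.Sql module and a signed-in session (Connect-AzAccount).
# Every name and address here is a placeholder, not a value from the post.
$ResourceGroup = 'rg-powerbi-lab'     # placeholder resource group
$SqlServer     = 'sccm-powerbi-lab'   # placeholder server name (no .database.windows.net suffix)
$InstallerIp   = '203.0.113.10'       # placeholder: public IP of the machine running the template setup

# Convert a dotted IPv4 string to a number so the size of a rule's range can be computed.
function ConvertTo-IPv4Number([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)                      # network order -> little-endian for BitConverter
    [int64][BitConverter]::ToUInt32($bytes, 0)
}

# Allow exactly one address: start and end of the range are the same IP.
New-AzSqlServerFirewallRule -ResourceGroupName $ResourceGroup -ServerName $SqlServer `
    -FirewallRuleName 'sccm-template-setup' `
    -StartIpAddress $InstallerIp -EndIpAddress $InstallerIp | Out-Null

# List every rule on the server with the number of addresses it admits.
Get-AzSqlServerFirewallRule -ResourceGroupName $ResourceGroup -ServerName $SqlServer |
    ForEach-Object {
        $count = (ConvertTo-IPv4Number $_.EndIpAddress) - (ConvertTo-IPv4Number $_.StartIpAddress) + 1
        $note = if ($_.StartIpAddress -eq '0.0.0.0' -and $_.EndIpAddress -eq '0.0.0.0') {
            'Allows connections from Azure services; confirm this is intended'
        } elseif ($count -gt 1) {
            'Range wider than one address; narrow it if possible'
        } else {
            'Single address'
        }
        [pscustomobject]@{
            Rule      = $_.FirewallRuleName
            Start     = $_.StartIpAddress
            End       = $_.EndIpAddress
            Addresses = $count
            Note      = $note
        }
    } | Format-Table -AutoSize
```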

On the Customize page I have left settings as default and clicked Next.

On the Progress page you can download your PBIX file and open it up with Power BI Desktop. You can download Power BI Desktop from here if you do not have it installed.

powerbi11

Once I had opened my downloaded PBIX file in Power BI Desktop, I clicked on Refresh so it could get the latest data. It prompted me to enter credentials for my Azure SQL database. Make sure you click on Database instead of Windows to enter your credentials, otherwise you will not have permission.

powerbi12

Once it has pulled the latest data, you can view the Overview as shown in the screenshot below, or you can view the other tabs Protection, Malware, Updates Compliance and Software.

powerbi14

Here is an example showing Update Compliance:

powerbi15

 


Azure AD public preview in new Azure portal is available

Finally – The public preview for Azure AD is now available in the new Azure portal (Azure Resource Manager), portal.azure.com.

Until now, Azure AD has only been available in the Azure classic portal (manage.windowsazure.com).

You can read up more on it here https://blogs.technet.microsoft.com/enterprisemobility/2016/09/12/the-azuread-admin-experience-in-the-new-azure-portal-is-now-in-public-preview/

You can pin Azure AD in portal.azure.com like this:

azuread2

You can then view the public preview of Azure AD

azuread1

ConfigMgr 1606 – Microsoft Operations Management Suite (OMS) in Azure

With ConfigMgr 1606, you can now connect Configuration Manager collections to the Microsoft Operations Management Suite (OMS) in Azure. The OMS Connector is currently a prerelease feature. As such, this is done in a lab. This blog will go through the steps on how to add the connector in ConfigMgr and the prerequisite steps to take in Azure.

This blog post assumes you have a running ConfigMgr 1606 environment and a subscription in Azure.

The first step is to configure your ConfigMgr 1606 site to consent to use Pre-Release features. Make sure you read the disclaimer.

OMS1

After this is done, we will turn on the “Pre-release Microsoft Operations Management Suite (OMS) Connector”.

OMS2.jpg

Click Yes to the dialogue box (make sure to read the disclaimer)

OMS3

Log in to the Azure Classic portal https://manage.windowsazure.com and go into your Azure AD, then select Applications. Click on Add at the bottom.

OMS4

Enter in the name you would like to use and select web application and/or web API and click next.

OMS5

Enter the sign-on URL and App ID URI. I added in my ConfigMgr server name (http://configmgr.domain.com) for both.

OMS6

Next we will log into the Azure Resource Manager https://portal.azure.com and create our OMS Workspace. Click on Browse then go to “Log Analytics (OMS)” then click on Add

OMS7

Once this is created, we will go back in the Azure Classic Portal and go into our Azure AD then Application we created earlier to make a note of our Client ID and generate a key.

OMS8OMS9

Next we will create our connection to OMS back in the ConfigMgr console:

OMS10

This is the part that TechNet did not tell us. The part with the red box around it is misleading. We actually need to give the application we created earlier access to our Resource Group in the Azure Resource Manager portal (portal.azure.com). This is probably because Operational Insights was moved from the Azure Classic portal to Azure Resource Manager. I will show you what happens without doing this:

OMS11

I will type in my tenant name and Client ID and secret key from before, click Verify, then click Next.

OMS12

ConfigMgr is unable to pull any information about the subscription, the Resource Group or the OMS Workspace.

OMS13

To fix this, we need to log back into https://portal.azure.com and go into our Resource Group with our OMS workspace and give our Application we created earlier access.

OMS14

Go to Settings, then click Users

OMS15

Click on Add, and type in the name of the Application you created in the classic portal (https://manage.windowsazure.com). I gave mine the Contributor role for testing.

OMS16
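The same grant made from PowerShell, scoped to the resource group only, followed by a listing of every role assignment the application holds so that anything outside that resource group stands out. This is an added example, not part of the original post; it assumes the Az.Resources module and a signed-in session, and the resource group name and Client ID are placeholders.

```powershell
# Added example; assumes the Az.Resources module and a signed-in session (Connect-AzAccount).
$ResourceGroup = 'rg-oms-lab'                             # placeholder: resource group holding the OMS workspace
$ClientId      = '00000000-0000-0000-0000-000000000000'   # placeholder: Client ID of the Azure AD application
$Role          = 'Contributor'                            # the role the post used for testing

# Grant the role on the resource group only, not on the whole subscription.
New-AzRoleAssignment -ApplicationId $ClientId -RoleDefinitionName $Role `
    -ResourceGroupName $ResourceGroup | Out-Null

# Look up the application's service principal and list every assignment it holds.
$sp = Get-AzADServicePrincipal -ApplicationId $ClientId
$rgPattern = "/resourceGroups/$([regex]::Escape($ResourceGroup))(/|$)"   # -match is case-insensitive

Get-AzRoleAssignment -ObjectId $sp.Id | ForEach-Object {
    $note = if ($_.Scope -match $rgPattern) {
        'Within the OMS resource group'
    } else {
        'Outside the OMS resource group; review'
    }
    [pscustomobject]@{
        Role  = $_.RoleDefinitionName
        Scope = $_.Scope
        Note  = $note
    }
} | Format-Table -AutoSize
```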

Now if we go back and try and add the Operations Management Suite Connection again, you will see that ConfigMgr can pull the information from our Resource Group and OMS Workspace.

OMS17

There we go. This looks better! It pulled the information now that it has access.

OMS18

OMS19OMS20

You can view the OMS Connector here. You can also right click on it and go to properties to view the properties and add collections.

OMS21

Once the connector is set up, it should install the Microsoft Monitoring Agent.

OMS29.jpg

Next we will log into the Azure Resource Manager portal https://portal.azure.com and enable the ConfigMgr collections. Once you’re in the Azure portal, go to Log Analytics (OMS) then click on OMS Portal

OMS22

Once in the OMS Portal, go to Settings

OMS23

Go to the COMPUTER GROUPS tab, and click on SCCM, then click “Import Configuration Manager collection memberships” and save.

OMS26

After it updates you should see the collections (I added some more)

OMS27

You can click on the links to view more information

OMS28

 

SCCM Azure Cloud Proxy Service for managing clients on the Internet

In Configuration Manager Technical Preview 5 with update 1606, Microsoft introduced the Azure Cloud Proxy Service for managing clients on the Internet. More info can be read here.

This post covers how I set up the Cloud Proxy Service in my ConfigMgr lab to deploy software to a client on the Internet (this is a technical preview and NOT recommended for production environments; it was simply to test out the Cloud Proxy Service). Make sure your lab Configuration Manager is updated to version 1606 so you have the cloud proxy functionality (in the Configuration Manager console, go to Administration > Cloud Services > Updates and Servicing). I had a Visual Studio MSDN subscription for Azure. You can also sign up for a 30 day Azure trial here.

Certificates:

I followed all certificate requirements here (under the certificates section of Cloud Proxy) to create the custom SSL certificate for the cloud proxy service and to create the client certificates (and also export the client root certificate).

I created the certificates below using this TechNet guide:

ConfigMgr Client Distribution Point Certificate
ConfigMgr Client Certificate
ConfigMgr Cloud-Based Distribution Point Certificate (custom SSL certificate as mentioned in Technet)
ConfigMgr Web Server Certificate

For the management certificate for Azure, I exported the custom SSL certificate with the private key as PFX file, and also exported the certificate as a .cer file which I would upload to Azure. The custom SSL cert will be used when setting up the Cloud service later.

Log into manage.windowsazure.com and click on Settings down the left hand side, then click on Management Certificates. Upload your management certificate (in my case, I used my .cer as described above). Copy your subscription ID into a notepad; you will need it later. This is also shown in Subscriptions, right next to Management Certificates below.

azuremangement

In the ConfigMgr console, in Administration, expand Cloud Services, right click on Cloud Proxy Service and click Create Cloud Proxy Service.

2azure

Type in your subscription ID (which you can get from manage.windowsazure.com in the settings where you uploaded the management certificate) and browse to the Azure management PFX certificate (I exported this earlier from the custom SSL certificate). Azure will validate the certificates.

3azure

Type in your Service Name. This will appear as <servicename>.cloudapp.net once created in Azure. Select your region and select the Instance number (the number of proxies it creates in Azure). Once you select your custom SSL certificate for “Certificate file” it will automatically fill in your service FQDN. This has to be a unique name in your namespace (i.e. it cannot already exist). For Root certificate file, select the client root certificate you exported earlier (steps are here under the “Export the client certificate’s root” heading, which is in the section on Cloud Proxy Service for managing clients on the Internet).
I unticked Verify Client Certificate Revocation.

4azure

Continue on with the rest of the wizard. Once the Cloud Proxy Service starts to provision you can see it in the area below. You can watch CloudMgr.log in the site server log file directory to see what is happening. The status will be set to Ready once complete. It should take around 10-15 minutes.

6azure

DNS:

Once the status was set to Ready, on the public DNS (Internet) I created a CNAME DNS record to point my Service Name to my Cloud Service Name. For example, azure.domainname.com to azuretestproxy.cloudapp.net. You can get the Cloud Service name by logging into manage.windowsazure.com, going into the Cloud Service created by the Cloud Proxy Service, and viewing the Dashboard. It is listed as Site URL.

This was so my clients on the Internet could resolve the Service Name when they try and connect. Configuration Manager also needs to be able to resolve the Service Name as it has to establish connections with the Azure proxy. You can see this in the SMS_CLOUD_PROXYCONNECTOR.log later on.

 

Under Site Configuration, click Sites, right click your site server and click Properties, then click on the Client Computer Communication tab and make sure you’re set to use PKI certificates.

10azure

Next we will add the Cloud Proxy Connector point. In Servers and Site System roles, select your site, right click and add the Cloud Proxy Connector point (details on adding site system roles are here).

7azure

5azure

Once this is complete, pay attention to the SMS_CLOUD_PROXYCONNECTOR.log on the site server. You will see your Configuration Manager site server try to establish a connection with the Service Name (make sure your CNAME DNS record points the Service Name to the Cloud Service name).

The first time I set this up I saw some illegal character XML errors in SMS_CLOUD_PROXYCONNECTOR.log. I stopped the service and waited for CloudMgr.log to show it was fully stopped before starting it again, and that resolved the issue.

6.6.azure

Next we will configure our Management Point and Distribution Point to allow Configuration Manager Proxy traffic (you can also add this to your SUP if you like; only Distribution Point, Management Point and Software Update Point are supported by the Cloud Proxy Service at the time of writing).

In Servers and Site System roles, right click on your Distribution Point/Management Point and click Properties, then tick the box to allow Configuration Manager Cloud Proxy traffic.

8azure

After you have done the above, you can restart SMS AGENT HOST on one of your lab workstation machines. It should pick up the new Azure proxy location.

Below is the behavior on my Windows 10 client when removing it from the internal network and having Internet access only.

13azure

While still removed from the internal network and having only Internet access, I deployed a test application and installed it from Software Center:

16azure

When checking LocationServices.log, it came back with the “Service Name” created in the Cloud Proxy Service (I had my public DNS CNAME pointing it to my Azure cloud service name).

15azure

This is a bit of background on what is actually provisioned in Azure to get the Cloud Proxy to work. Earlier we created 2 instances. You can see these below. Also, the “Site URL” is what I used to point my DNS CNAME from “Service Name” to “Cloud Service Name”.

17azure

You can monitor SMS_CLOUD_PROXYCONNECTOR.log to make sure nothing funny is going on. You can see that every 60 seconds it scans the connections and confirms that the proxy connector is connecting to Azure OK.

azure18