Category Archives: SCCM Current Branch

SCCM 1706 – Share an application from Software Center

With version 1706 coming out for SCCM Current Branch, one of the new useful features is the ability to give a user a direct link to an application in the Software Center. This can be useful for a scenario such as deploying an application as Available, and providing the users with a direct link to the application in Software Center so the users can choose to install the application if they like.

This post will show a quick demo on how to share the link to Office 365 ProPlus which was deployed as Available.

Open Software Center and click on the application you would like to share. Click the share button.

shareapp01

You can now copy the link below. In my example, I am going to email staff advising them that Office 365 ProPlus is available to install from Software Center. I will email a picture of an Office 365 ProPlus logo and add a hyperlink to the link below in the picture.

shareapp02

Below is a test email I can send to staff, with a hyperlink on the image pointing to the application in Software Center.

shareapp03

When a user clicks on the image above, it will open up the application in Software Center ready to be installed.

shareapp04


SCCM 1706 – Azure AD Discovery

SCCM 1706 was recently released and one of the new features is Azure AD Discovery. This was in Technical Preview 1705. This guide will show how to set up Azure AD Discovery and install the SCCM client on a workgroup machine on the Internet without certificates using the Cloud Management Gateway.

For more information about SCCM 1706 see What’s new in version 1706 of System Center Configuration Manager

In my lab, I already have the Cloud Management Gateway set up. To set up the CMG you can see the documentation here https://docs.microsoft.com/en-us/sccm/core/clients/manage/setup-cloud-management-gateway

Once you have installed the 1706 update, expand Cloud Services, then right click on Azure Services and click Configure Azure Services

1706-azuread01

Select Cloud Management and click Next

1706-azuread02

Next create the Server and Client Apps. Click Browse on the Web App then click Create.

1706-azuread03

Enter in an Application Name, HomePage URL and App ID URL. Then Sign in to Azure AD with an admin account and it will create the app for you in Azure.

1706-azuread04

Select the app and click OK.

1706-azuread05

Do the same as above but for the Client App and give it an Application Name and a Reply URL, then sign in to Azure with an Azure admin account. The app will then be created in Azure.

1706-azuread06

Enable Azure Active Directory User Discovery.

1706-azuread07

You need to grant permissions on both the client app and server app in Azure, otherwise you will see access denied errors in SMS_AZUREAD_DISCOVERY_AGENT.log.

1706-azuread08

Log in to https://portal.azure.com and go to Azure Active Directory, then App Registrations. Select the app and go to Required Permissions and click Grant Permissions. I did this for both the client app and server app.

1706-azuread09

Now looking back in SMS_AZUREAD_DISCOVERY_AGENT.log, mine is now successful and has discovered my Azure AD users.

1706-azuread10

You can view the Azure AD users in the SCCM console in \Assets and Compliance\Overview\Users\All Users

In the example below, you can see that the user was discovered by SMS_AZUREAD_USER_DISCOVERY_AGENT.

1706-azuread11

In the SCCM console, in \Administration\Overview\Cloud Services\Azure Services, you can also run a full discovery by clicking Run Full Discovery Now, and view information about Azure AD Discovery like the Full Sync Schedule, Delta Sync Interval, and the Last Full Sync/Delta Sync time.

1706-azuread12

On a Windows 10 Azure AD joined machine, you can install the SCCM client manually without using any certificates. This is useful on Workgroup machines.

You can use the installation command

ccmsetup.exe /NoCrlCheck /Source:C:\CLIENT CCMHOSTNAME=SCCMPROXYCONTOSO.CLOUDAPP.NET/CCM_Proxy_ServerAuth/72457598037527932 SMSSiteCode=HEC AADTENANTID=780433B5-E05E-4B7D-BFD1-E8013911E543 AADTENANTNAME=contoso AADCLIENTAPPID= AADRESOURCEURI=https://contososerver

For a reference of how to obtain the information above, see https://docs.microsoft.com/en-us/sccm/core/clients/deploy/deploy-clients-cmg-azure#step-4-install-and-register-the-configuration-manager-client-using-azure-active-directory-identity
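A pre-flight check for the properties in the command above, as an added example that is not part of the original post. `New-CcmSetupAadArgs` is a hypothetical helper name, and the all-zero client app GUID is a placeholder because the post leaves AADCLIENTAPPID blank.

```powershell
# Added example: validate the Azure AD properties, then build the ccmsetup.exe
# argument list. New-CcmSetupAadArgs is a hypothetical helper name.
function New-CcmSetupAadArgs {
    param(
        [Parameter(Mandatory)][string]$CmgHostName,   # CCMHOSTNAME: host/path, no scheme
        [Parameter(Mandatory)][string]$SiteCode,
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$TenantName,
        [Parameter(Mandatory)][string]$ClientAppId,   # empty string is rejected at binding
        [Parameter(Mandatory)][string]$ResourceUri,
        [string]$Source = 'C:\CLIENT'
    )
    $guid = [guid]::Empty
    $uri = $null
    $errors = @()
    if ($CmgHostName -match '^[a-z]+://') { $errors += 'CCMHOSTNAME must not include a scheme' }
    if ($SiteCode -notmatch '^[A-Za-z0-9]{3}$') { $errors += 'SMSSiteCode must be 3 alphanumeric characters' }
    if (-not [guid]::TryParse($TenantId, [ref]$guid)) { $errors += 'AADTENANTID must be a GUID' }
    if (-not [guid]::TryParse($ClientAppId, [ref]$guid)) { $errors += 'AADCLIENTAPPID must be a GUID' }
    if (-not [uri]::TryCreate($ResourceUri, [System.UriKind]::Absolute, [ref]$uri)) {
        $errors += 'AADRESOURCEURI must be an absolute URI'
    }
    if ($errors.Count -gt 0) { throw ($errors -join '; ') }

    @(
        '/NoCrlCheck'   # as in the post: the client skips certificate revocation list checks
        "/Source:$Source"
        "CCMHOSTNAME=$CmgHostName"
        "SMSSiteCode=$SiteCode"
        "AADTENANTID=$TenantId"
        "AADTENANTNAME=$TenantName"
        "AADCLIENTAPPID=$ClientAppId"
        "AADRESOURCEURI=$ResourceUri"
    )
}

# Values from the post, except ClientAppId, which is a placeholder.
$ccmArgs = New-CcmSetupAadArgs `
    -CmgHostName 'SCCMPROXYCONTOSO.CLOUDAPP.NET/CCM_Proxy_ServerAuth/72457598037527932' `
    -SiteCode 'HEC' -TenantId '780433B5-E05E-4B7D-BFD1-E8013911E543' -TenantName 'contoso' `
    -ClientAppId '00000000-0000-0000-0000-000000000000' -ResourceUri 'https://contososerver'
$ccmArgs -join ' '

# To run the install once the values are real:
# Start-Process -FilePath 'C:\CLIENT\ccmsetup.exe' -ArgumentList $ccmArgs -Wait
```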

 

SCCM 1705 TP – Azure AD User Discovery

In the recently released update 1705 for the Technical Preview Branch of System Center Configuration Manager, you can now set up Azure Active Directory User Discovery. This post will show how you can test it in your lab once you have updated to 1705 Technical Preview. More about this feature can be read here – https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1705#new-capabilities-for-azure-ad-and-cloud-management

In the Console, expand Cloud Services, then right click on Azure Services and click Configure Azure Services

sccmaad01

Enter in the Name, I have chosen “Azure AD Connector” and make sure Cloud Management is selected.

sccmaad02

Click Browse to create the Server app and Client app

sccmaad03

Click on Create

sccmaad04

Enter in an Application Name, Homepage URL and Identifier URL (you can make these up). Click on Sign in to sign in with your Azure admin account then click OK.

sccmaad05

Select the app you created and click OK.

sccmaad06

Click on Browse to create the client app.

sccmaad07

Click Create.

sccmaad08

Enter in an Application Name and enter in a Reply URL (again, you can make this up). Then sign in to Azure AD with your admin account.

sccmaad09

Select the client app and click OK.

sccmaad10sccmaad11

Make sure Enable Azure Active Directory User Discovery is selected. Click Settings to enable Delta user discovery and adjust the scheduling to however you like it.

sccmaad12sccmaad13

Once the Wizard is done, open up SMS_AZUREAD_DISCOVERY_AGENT.log from the Logs location on your site server, and you will see a whole bunch of Forbidden errors when trying to access https://graph.windows.net

sccmaad14

Go into portal.azure.com, then Azure Active Directory, then App Registrations, then select the Server app you created before.

sccmaad15

Click on Required Permissions, then Grant Permissions, then Yes.

sccmaad16

If you wait a little while, you will see SMS_AZUREAD_DISCOVERY_AGENT.log will start to sync the Azure Active Directory Users.

sccmaad18

You can now view your Azure AD users in the SCCM console.

sccmaad17

 

 

SCCM Cloud Management Gateway – Installing SCCM client on an Internet client manually

The Cloud Management Gateway in SCCM Current Branch allows you to manage computers on the Internet without deploying the traditional IBCM infrastructure. Microsoft have made some improvements in SCCM 1702 for the CMG regarding client registration.

This post will not go into how to set up the CMG; you can view Plan for cloud management gateway in Configuration Manager for that information.

This blog post will show you how you can use the CCMHOSTNAME property when manually installing the SCCM client to specify the Cloud Management Gateway management point. This isn’t official documentation from Microsoft, however it does work. The post assumes you have copied over a PKI certificate for the client and installed the certificate, and also copied over the SCCM client installation files.

1 – On a machine that is on the internal network with the SCCM client installed, view the LocationServices.log and search for the Internet Management Point. You can see mine below highlighted in yellow. Copy the name of the Azure Cloud Management Gateway as you will need this for the CCMHOSTNAME property when installing the client

CMG01

2 – Launch a command prompt to run ccmsetup.exe and run the command ccmsetup.exe /UsePkiCert SMSSITECODE=<SiteCode> CCMHOSTNAME=<CMG copied above>

3 – Keep an eye on C:\Windows\ccmsetup\Logs\ccmsetup.log and ensure the installation finishes successfully with “CcmSetup is exiting with return code 0”. My logs in C:\Windows\CCM\Logs now indicate that the client is registered (ClientIDManagerStartup.log) and communicating with the Cloud Management Gateway (CcmMessaging.log). The machine should now appear in the ConfigMgr console. I can also see in the Configuration Manager Properties of the client that it is Internet based.

CMG02

After it has installed successfully, you should see it communicating and retrieving policies.
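The log check in step 3, scripted as an added example that is not part of the original post. `Get-CcmSetupExitCode` is a hypothetical helper name and the sample lines are constructed; the code meanings are the documented ccmsetup.exe return codes.

```powershell
# Added example: read the final ccmsetup exit code from ccmsetup.log.
# Get-CcmSetupExitCode is a hypothetical helper name.

# Documented ccmsetup.exe return codes.
$CcmSetupCodes = @{
    0  = 'Success'
    6  = 'Error'
    7  = 'Reboot required'
    8  = 'Setup already running'
    9  = 'Prerequisite evaluation failure'
    10 = 'Setup manifest hash validation failure'
}

function Get-CcmSetupExitCode {
    param([string[]]$LogLines)

    # ccmsetup can run more than once, so only the last exit line counts.
    $last = $LogLines |
        Select-String -Pattern 'CcmSetup is exiting with return code (\d+)' |
        Select-Object -Last 1
    if (-not $last) {
        return [pscustomobject]@{ Code = $null; Meaning = 'No exit line logged yet' }
    }
    $code = [int]$last.Matches[0].Groups[1].Value
    $meaning = if ($CcmSetupCodes.ContainsKey($code)) { $CcmSetupCodes[$code] } else { 'Unknown' }
    [pscustomobject]@{ Code = $code; Meaning = $meaning }
}

# Constructed sample lines (message text only; real entries carry extra metadata).
$sample = @(
    'CcmSetup is exiting with return code 7'
    'Installation succeeded.'
    'CcmSetup is exiting with return code 0'
)
Get-CcmSetupExitCode -LogLines $sample

# On a real client:
# Get-CcmSetupExitCode -LogLines (Get-Content 'C:\Windows\ccmsetup\Logs\ccmsetup.log')
```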

 

 

SCCM Current Branch 1702 – Automatically close executable files before installation

A nice new feature in SCCM Current Branch 1702 is the ability to set the “Install Behaviour” on a deployment type to either automatically close specified .exe’s if the deployment is required, or to advise the user that the installation has failed because of the running .exe’s. This is useful for some deployments where certain processes cannot be running. For example, if you are deploying an add-in for Outlook and you would like Outlook, or other Office applications, to not be running.

One thing to note is that you need to have your client upgraded to the 1702 version otherwise it will not work. This post will quickly show how you can configure the Install Behaviour and the user experience for an Available application.

After upgrading the client to the latest version, in an existing Application (7Zip) I have right clicked on the Deployment Type and clicked on the Install Behavior tab. Click on Add and type in the executable file name and give it a display name.

autoclose01

This application is deployed as Available, not required. So you can see below I have the .exe open on the right hand side, I will then install 7-Zip.

autoclose02

Now you can see it has failed because the executable filename I specified earlier is running. If the deployment was Required, it should automatically close the specified exe’s.

autoclose03

SCCM Current Branch 1702 – Office 365 Installer

SCCM Current Branch 1702 introduces “Office 365 ProPlus Installer” (this feature was seen in technical previews). The Office 365 ProPlus installer allows you to specify your Office 365 ProPlus settings (exclude apps, update channels etc), download the Office 365 ProPlus files, create the Application, Deployment Type, and deploy the application if you choose to.

Before this feature was released, you needed to use the Office Deployment Tool (ODT) to download the Office 365 ProPlus and create an XML with the Office 365 configuration settings, then create an Application in SCCM.

This post will show how you can leverage the new Office 365 Installer in SCCM Current Branch version 1702 to create, download and deploy an Office 365 ProPlus package without having to use the Office Deployment Tool.

Open the SCCM console, go to the Software Library node, expand the Office 365 Client Management folder, then click on the Office 365 Installer.

Office365Deploy1

Give it a name and content location:

Office365Deploy2

You can use an existing XML with the Office 365 ProPlus configuration you have created, or manually create one using this wizard. I have chosen to manually create the XML:

Office365Deploy3

Specify your settings. I have chosen the Office 365 ProPlus suite, and have chosen to exclude the old Groove OneDrive for Business client.

Office365Deploy4

Select your architecture. I am using 32bit, and have chosen to use the Deferred channel.

Office365Deploy5

I have said Yes to deploy the application.

Office365Deploy6

Chosen my collection to deploy it to

Office365Deploy7

Added my distribution point

Office365Deploy8

I am deploying mine as Available

Office365Deploy9

Settings here are left as default.

Office365Deploy10

Default again

Office365Deploy11

Default again

Office365Deploy12

Click next to start downloading the Office 365 ProPlus files

Office365Deploy13

After it has finished, you can see there is now an Application created with a deployment type and deployed to the collection specified earlier.

Office365Deploy15

Changing Office 365 ProPlus Update Channel with ConfigMgr 1610

This post will show how you can use the compliance settings in SCCM to change the update channel in Office 365 ProPlus by changing CDNBaseUrl in the registry. This is useful if you want to change some clients from Current Channel to Deferred Channel or Deferred Channel to Current Channel.

This post assumes you are running ConfigMgr Current Branch 1610 and have the Client Settings set to “Enable management of the Office 365 Client Agent” in the Software Updates section, and have configured ConfigMgr 1610 to deploy updates for Office 365. More info about that can be read in Manage Office 365 ProPlus updates with Configuration Manager.

In the ConfigMgr console, create a new Configuration Item

office365_01

Give it a name and click Next.

office365_02

Click on New so you can add a new setting.

office365_03

I have clicked on Browse near the Hive Name and connected to another machine with Office 365 installed and browsed to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration\CDNBaseUrl

office365_04_1

Select CDNBaseURL and select The selected registry value must exist on client devices.

office365_04_2

Click OK and it should look like this

office365_04

Click on the Compliance Rules tab and click New.

office365_04_3

Now where you have the setting selected, change the “Equals the following values” to the update channel you would like to change to. For example, mine was previously set to Deferred channel, so I selected the URL for Current Channel and pasted it in.

For reference, I have copied the URLs from Change the update channel after you enable Office 365 clients to receive updates from Configuration Manager and pasted them below:

office365_06

Click on OK.

office365_07

Click Next.

office365_08

Click Next.

office365_09

Click Next.

office365_10

Click Close.

office365_11

Now we will create the Configuration Baseline and add the previously created Configuration Item.

office365_12

Click on Add, then select Configuration Item.

office365_13

Select the previously created Configuration Item and click Add.

office365_14

Now we will deploy it to a collection to test it.

office365_15

Make sure the correct Configuration Item is selected, and that Remediate noncompliant rules when supported is selected. Choose a test collection to deploy it to (my All Workstations is in a lab, not a production environment).

office365_16

Now on a machine that is in the collection where you deployed the baseline to, after the machine gets the policy you should be able to see the Baseline in the Configurations tab of the ConfigMgr client properties. Click on Evaluate and wait for the Compliant tab to change from Unknown to Compliant.

office365_17

One of the cool things in ConfigMgr 1610 is the Office 365 dashboard. This is found under Office 365 Client Management in the Software Library node. Previously it said it had 2 Office 365 Client channels set to Deferred Channel.

 

After initiating a Hardware Inventory cycle on the machine where I deployed the baseline to, because I changed CDNBaseUrl to the Current Channel URL, you can see the Office 365 Client Management dashboard has now changed from having 2 Deferred Channels, to 1 Deferred Channel, and 1 Current Channel.

office365_18office365_19

Also after initiating the software updates deployment scan cycle, you can see that Software Center updates have changed from Deferred Channel to Current Channel.

office365_20office365_21
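The same CDNBaseUrl check the Configuration Item performs, as a script you can run on a client to confirm the channel before and after the baseline applies. This is an added example, not from the original post: `Get-O365ChannelState` is a hypothetical name, the channel URLs are the Office CDN values published by Microsoft, and the policy key is the Office 2016 Group Policy location.

```powershell
# Added example: report the Office 365 ProPlus update channel from CDNBaseUrl and
# flag a Group Policy setting that would override it.
# Get-O365ChannelState is a hypothetical helper name.
$C2RKey    = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Office\16.0\Common\OfficeUpdate'

# Office CDN base URLs per channel, as published by Microsoft.
$Channels = @{
    'http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60' = 'Current Channel'
    'http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114' = 'Deferred Channel'
    'http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be' = 'First Release for Current Channel'
    'http://officecdn.microsoft.com/pr/b8f9b850-328d-4355-9145-c59439a0c4cf' = 'First Release for Deferred Channel'
}

function Get-O365ChannelState {
    param([Parameter(Mandatory)][string]$ExpectedChannel)

    $cfg = Get-ItemProperty -Path $C2RKey -ErrorAction SilentlyContinue
    if (-not $cfg -or -not $cfg.CDNBaseUrl) {
        return [pscustomobject]@{ Channel = $null; Compliant = $false; Note = 'CDNBaseUrl not found' }
    }
    $url = $cfg.CDNBaseUrl.TrimEnd('/')
    $channel = if ($Channels.ContainsKey($url)) { $Channels[$url] } else { "Unrecognised URL: $url" }

    # A Group Policy update channel setting, if present, takes precedence over CDNBaseUrl.
    $policy = (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).UpdateBranch
    $note = if ($policy) { "Policy UpdateBranch=$policy is set and takes precedence" } else { '' }

    [pscustomobject]@{
        Channel   = $channel
        Compliant = ($channel -eq $ExpectedChannel)
        Note      = $note
    }
}

Get-O365ChannelState -ExpectedChannel 'Current Channel'
```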