Category Archives: SCCM Current Branch

Customize Software Center – SCCM 1710

Since Microsoft released SCCM Current Branch 1710, you can add enterprise branding elements and choose to hide certain tabs in Software Center. This example shows how to customize Software Center by deploying new custom client settings, and what the user experience looks like on a Windows 10 machine.

In the Administration section of the SCCM console, select Client Settings. You can choose to use the Default Client Settings, but I would recommend creating some new custom client settings for any tests, as the Default Client Settings apply to all machines.


Give the custom client settings a name, and select Software Center. Once you check the Software Center box, you will see the settings now appear on the top left.


I have selected Yes next to the arrow, given my company name, and also selected a custom colour scheme, and uploaded a company logo. Note that the maximum dimensions are 100×400 for the logo, and it cannot be larger than 750kb in size. Here you can also choose to hide any tabs you wish.


I will now deploy the custom settings to a collection, and then initiate a machine policy evaluation on my test client. After a few minutes, open Software Center and you will notice the new changes.


This is what my new Software Center looks like. I have not chosen to hide any tabs, but I have selected the custom image on the top left, given the company name (Nhogarth.net) and chosen the custom blue colour.


Co-management – Enabling Co-management SCCM 1710

This post will show how you can enable co-management in SCCM 1710 and how to automatically enroll a Windows 10 1709 machine into Intune (Intune standalone) when it is currently managed by SCCM 1710.

Prerequisites:

  • Configuration Manager version 1710 or later
  • Azure AD
  • EMS or Intune license for all users
  • Azure AD automatic enrollment enabled
  • Intune subscription (MDM authority in Intune set to Intune)

Suggested readings:
Co-management for Windows 10 devices
Enable Windows 10 automatic enrollment
How to configure hybrid Azure Active Directory joined devices

In portal.azure.com, under Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune, I have set my MDM user scope to All for automatic Intune enrollment for Windows.

In the SCCM console, in Administration, expand Cloud Services, right click on Co-management to create a new co-management policy.


Sign in with the Intune account.

I have set automatic enrollment in Intune to pilot.


Configure the workloads.


I have created a collection called Comanagement Pilot. I have added my test Windows 10 1709 machine managed by SCCM 1710 into this collection.

You can check the Monitoring node and look for the CoMgmtSettingsPilot status. You can see my test machine WIN10MDT has successfully had the co-management policy applied.


Previously, in the Azure Active Directory > Devices blade in portal.azure.com, you could see that my Windows 10 1709 machine was Hybrid Azure AD joined but the MDM was set to None.

Once the policy was applied above, you can see the machine has changed from None under MDM, to Microsoft Intune.


Co-management – Installing SCCM 1710 Client from Intune

With co-management available in SCCM Current Branch 1710, you can install the SCCM client on a Windows 10 1709 Intune enrolled machine (Intune standalone) by creating an app in Intune. This will leverage the Cloud Management Gateway and Azure AD User Discovery. This example post is for a Windows 10 1709 Intune enrolled machine, but you could also use Autopilot with the steps below to get the SCCM client installed as well.

Microsoft lists two paths for co-management. This post is about the second path.

Co-management for Windows 10 devices

https://docs.microsoft.com/en-us/sccm/core/clients/manage/co-management-overview

There are two main paths to reach to co-management. One is Configuration Manager provisioned co-management where Windows 10 devices managed by Configuration Manager and hybrid Azure AD joined get enrolled into Intune. The other is Intune provisioned devices that are enrolled in Intune and then installed with the Configuration Manager client reach a co-management state.

Prerequisites:

  • SCCM Current Branch 1710 – https://docs.microsoft.com/en-us/sccm/core/plan-design/changes/whats-new-in-version-1710
  • Cloud Management Gateway configured – See https://blogs.technet.microsoft.com/arnabm/2016/12/19/step-by-step-cloud-management-gateway/
  • Azure AD User Discovery configured – See https://docs.microsoft.com/en-us/sccm/core/servers/deploy/configure/Azure-services-wizard#webapp
  • Cloud Distribution Point – See https://docs.microsoft.com/en-us/sccm/core/plan-design/hierarchy/use-a-cloud-based-distribution-point
  • Windows 10 1709 machine enrolled in Intune and Azure AD joined
  • Management Point with HTTPS enabled for Azure AD user authentication

Firstly, distribute the Configuration Manager Client Package to the Cloud Distribution Point.


Next co-management will be enabled. This will provide the SCCM command line arguments with the correct information to install the SCCM client through Intune.

In the Administration section, expand Cloud Services and right click Co-management.

Sign in with your Intune account and click Next.


Select the required settings. Copy the command line arguments for later as this will be used in Intune to deploy the SCCM client.


I have set all to Pilot Intune.


I have created a test Pilot Intune collection.


Close the Wizard.


ccmsetup.msi needs to be uploaded to Intune from C:\Program Files\Microsoft Configuration Manager\bin\i386 on the SCCM 1710 site server.

In portal.azure.com go to Intune then Mobile Apps, then Apps and click Add.


Browse to the ccmsetup.msi


Fill in the details. You can change the name and other information as you like. For the Command-line arguments, paste in the details that we copied before.


The ccmsetup.msi will then begin to upload. You can view the notification to see when it has been uploaded.

Click on Assignments and select a group. I created an Azure AD dynamic group for Windows 10 1709 machines and set the app as “Required”.

On the Windows 10 1709 machine, you can do a Sync, and then you can see the SCCM client installing. If you look at the ccmsetup.log file, you will see it start to grab the SCCM client files from the Cloud DP (make sure the client is distributed to the Cloud DP).

When you open up Company Portal now, you will see “Your apps are located in Software Center”. You can see in Software Center my SCCM applications are now appearing.


You can now see the device appearing in the SCCM console as active as it is communicating through the CMG.


SCCM 1706 – Share an application from Software Center

With version 1706 coming out for SCCM Current Branch, one of the new useful features is the ability to give a user a direct link to an application in the Software Center. This can be useful for a scenario such as deploying an application as Available, and providing the users with a direct link to the application in Software Center so the users can choose to install the application if they like.

This post will show a quick demo on how to share the link to Office 365 ProPlus which was deployed as Available.

Open Software Center and click on the application you would like to share. Click the share button.


You can now copy the link below. In my example, I am going to email staff advising them that Office 365 ProPlus is available to install from Software Center. I will email a picture of an Office 365 ProPlus logo and add a hyperlink to the link below in the picture.


Below is a test email I can email staff and add a hyperlink in the image below pointing to the application in Software Center.


When a user clicks on the image above, it will open up the application in Software Center ready to be installed.


SCCM 1706 – Azure AD Discovery

SCCM 1706 was recently released and one of the new features is Azure AD Discovery. This was in Technical Preview 1705. This guide will show how to set up Azure AD Discovery and install the SCCM client on a workgroup machine on the Internet without certificates using the Cloud Management Gateway.

For more information about SCCM 1706 see What’s new in version 1706 of System Center Configuration Manager

In my lab, I already have the Cloud Management Gateway set up. To set up the CMG you can see the documentation here https://docs.microsoft.com/en-us/sccm/core/clients/manage/setup-cloud-management-gateway

Once you have installed the 1706 update, expand Cloud Services, then right click on Azure Services and click Configure Azure Services.

Select Cloud Management and click Next.

Next create the Server and Client Apps. Click Browse on the Web App then click Create.


Enter an Application Name, HomePage URL and App ID URL. Then sign in to Azure AD with an admin account and it will create the app for you in Azure.

Select the app and click Ok.


Do the same as above but for the Client App and give it an Application Name and a Reply URL, then sign in to Azure with an Azure admin account. The app will then be created in Azure.


Enable Azure Active Directory User Discovery.


You need to grant permissions on both the client app and server app in Azure, otherwise you will see access denied errors in SMS_AZUREAD_DISCOVERY_AGENT.log.

Log in to https://portal.azure.com and go to Azure Active Directory, then App Registrations. Select the app, go to Required Permissions and click Grant Permissions. I did this for both the client app and server app.

Looking back in SMS_AZUREAD_DISCOVERY_AGENT.log, mine is now successful and has discovered my Azure AD users.

You can view the Azure AD users in the SCCM console in \Assets and Compliance\Overview\Users\All Users.

For example, you can see that a user is discovered by SMS_AZUREAD_USER_DISCOVERY_AGENT.

In the SCCM console, in \Administration\Overview\Cloud Services\Azure Services, you can also run a full discovery by clicking Run Full Discovery Now, and view information about Azure AD Discovery like the Full Sync Schedule, Delta Sync Interval, and the Last Full Sync/Delta Sync time.


On a Windows 10 Azure AD joined machine, you can manually install the SCCM client without using any certificates. This is useful on workgroup machines.

You can use the installation command:

ccmsetup.exe /NoCrlCheck /Source:C:\CLIENT CCMHOSTNAME=SCCMPROXYCONTOSO.CLOUDAPP.NET/CCM_Proxy_ServerAuth/72457598037527932 SMSSiteCode=HEC AADTENANTID=780433B5-E05E-4B7D-BFD1-E8013911E543 AADTENANTNAME=contoso AADCLIENTAPPID= AADRESOURCEURI=https://contososerver

For a reference of how to obtain the information above, see https://docs.microsoft.com/en-us/sccm/core/clients/deploy/deploy-clients-cmg-azure#step-4-install-and-register-the-configuration-manager-client-using-azure-active-directory-identity
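
A pre-flight check for the command line above, as an added example that is not part of the original post or of Microsoft's tooling. The function name Test-CcmSetupArguments and the list of expected properties (taken from the command shown above) are assumptions; it also reports /NoCrlCheck, which turns off certificate revocation list checking for the client.

```powershell
# Added example; the function name and the expected-property list are assumptions
# based on the command shown in the post, not an official schema.
function Test-CcmSetupArguments {
    param([Parameter(Mandatory)][string]$CommandLine)

    $expected = 'CCMHOSTNAME', 'SMSSITECODE', 'AADTENANTID', 'AADTENANTNAME',
                'AADCLIENTAPPID', 'AADRESOURCEURI'
    $props = @{}; $switches = @(); $findings = @()

    # Tokens are split on whitespace, so values containing spaces are not supported.
    foreach ($token in ($CommandLine -split '\s+' | Where-Object { $_ })) {
        if ($token -match '^/(?<name>[^:]+)') {
            $switches += $Matches['name'].ToUpperInvariant()
        } elseif ($token -match '^(?<name>[A-Za-z]+)=(?<value>.*)$') {
            $props[$Matches['name'].ToUpperInvariant()] = $Matches['value']
        }
    }

    foreach ($name in $expected) {
        if (-not $props.ContainsKey($name)) {
            $findings += "Missing property: $name"
        } elseif ([string]::IsNullOrWhiteSpace($props[$name])) {
            $findings += "Empty value: $name"
        }
    }

    # Tenant and client app IDs are GUIDs; catch truncated or mistyped values.
    $parsed = [guid]::Empty
    foreach ($name in 'AADTENANTID', 'AADCLIENTAPPID') {
        if ($props[$name] -and -not [guid]::TryParse($props[$name], [ref]$parsed)) {
            $findings += "$name is not a valid GUID"
        }
    }

    # /NoCrlCheck disables certificate revocation checking; report it so it is a
    # deliberate choice rather than a copied default.
    if ($switches -contains 'NOCRLCHECK') {
        $findings += '/NoCrlCheck is set: certificate revocation will not be checked'
    }

    [pscustomobject]@{ Switches = $switches; Properties = $props; Findings = $findings }
}

# The command from the post, unchanged (AADCLIENTAPPID is empty there).
$cmd = 'ccmsetup.exe /NoCrlCheck /Source:C:\CLIENT CCMHOSTNAME=SCCMPROXYCONTOSO.CLOUDAPP.NET/CCM_Proxy_ServerAuth/72457598037527932 SMSSiteCode=HEC AADTENANTID=780433B5-E05E-4B7D-BFD1-E8013911E543 AADTENANTNAME=contoso AADCLIENTAPPID= AADRESOURCEURI=https://contososerver'
(Test-CcmSetupArguments -CommandLine $cmd).Findings
```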

 

SCCM 1705 TP – Azure AD User Discovery

In the recently released update 1705 for the Technical Preview Branch of System Center Configuration Manager, you can now set up Azure Active Directory User Discovery. This post will show how you can test it in your lab once you have updated to 1705 Technical Preview. More about this feature can be read here – https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1705#new-capabilities-for-azure-ad-and-cloud-management

In the console, expand Cloud Services, then right click on Azure Services and click Configure Azure Services.

Enter the name (I have chosen “Azure AD Connector”) and make sure Cloud Management is selected.

Click Browse to create the Server app and Client app.

Click on Create.

Enter an Application Name, Homepage URL and Identifier URL (you can make these up). Click on Sign in to sign in with your Azure admin account, then click OK.

Select the app you created and click OK.


Click on Browse to create the client app.


Click Create.


Enter in an Application Name and enter in a Reply URL (again, you can make this up). Then sign in to Azure AD with your admin account.


Select the client app and click OK.


Make sure Enable Azure Active Directory User Discovery is selected. Click Settings to enable Delta user discovery and adjust the scheduling to however you like it.


Once the Wizard is done, open up SMS_AZUREAD_DISCOVERY_AGENT.log from the Logs location on your site server, and you will see a whole bunch of Forbidden errors when trying to access https://graph.windows.net


Go into portal.azure.com, then Azure Active Directory, then App Registrations, then select the Server app you created before.


Click on Required Permissions, then Grant Permissions, then Yes.


If you wait a little while, you will see SMS_AZUREAD_DISCOVERY_AGENT.log will start to sync the Azure Active Directory Users.


You can now view your Azure AD users in the SCCM console.


SCCM Cloud Management Gateway – Installing SCCM client on an Internet client manually

The Cloud Management Gateway in SCCM Current Branch allows you to manage computers on the Internet without deploying the traditional IBCM infrastructure. Microsoft have made some improvements in SCCM 1702 for the CMG regarding client registration.

This post will not go into how to set up the CMG; see Plan for cloud management gateway in Configuration Manager for that information.

This blog post will show you how you can use the CCMHOSTNAME property when manually installing the SCCM client to specify the Cloud Management Gateway management point. This isn’t official documentation from Microsoft; however, it does work. The post assumes you have copied over a PKI certificate for the client and installed the certificate, and also copied over the SCCM client installation files.

1 – On a machine that is on the internal network with the SCCM client installed, view the LocationServices.log and search for the Internet Management Point. You can see mine below highlighted in yellow. Copy the name of the Azure Cloud Management Gateway, as you will need this for the CCMHOSTNAME property when installing the client.

2 – Launch a command prompt to run ccmsetup.exe and run the command ccmsetup.exe /UsePkiCert SMSSITECODE=<SiteCode> CCMHOSTNAME=<CMG copied above>

3 – Keep an eye on C:\Windows\ccmsetup\Logs\ccmsetup.log and ensure it installs successfully (“CcmSetup is exiting with return code 0”). My logs in C:\Windows\CCM\Logs now indicate that the client is registered (ClientIDManagerStartup.log) and communicating with the Cloud Management Gateway (CcmMessaging.log). The machine should now appear in the ConfigMgr console. I can also see in the Configuration Manager Properties of the client that it is Internet based.

After it has installed successfully, you should see it communicating and retrieving policies.
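
The checks around steps 2 and 3, scripted as an added example that is not part of the original post: confirm before the install that a usable client authentication certificate is present for /UsePkiCert, then wait for the ccmsetup.log exit line quoted in step 3. The function names are hypothetical, and the script assumes the certificate is in the local machine Personal store.

```powershell
# Added example; function names are hypothetical. Assumes the client certificate
# is in the local machine Personal store and the log path given in the post.
function Get-ClientAuthCertificate {
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
    $now = Get-Date
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
    } | Select-Object Subject, Thumbprint, NotAfter
}

function Wait-CcmSetupResult {
    param(
        [string]$LogPath = 'C:\Windows\ccmsetup\Logs\ccmsetup.log',
        [int]$SkipLines = 0,          # lines already in the log before this install
        [int]$TimeoutSeconds = 900
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        if (Test-Path -LiteralPath $LogPath) {
            # Only exit lines written after the recorded position count as this run.
            $hit = Select-String -LiteralPath $LogPath -Pattern 'CcmSetup is exiting with return code (\d+)' |
                Where-Object { $_.LineNumber -gt $SkipLines } | Select-Object -Last 1
            if ($hit) {
                $code = [int]$hit.Matches[0].Groups[1].Value
                return [pscustomobject]@{ ReturnCode = $code; Success = ($code -eq 0) }
            }
        }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    throw "No ccmsetup exit line in $LogPath after $TimeoutSeconds seconds"
}

# Pre-flight: /UsePkiCert needs a valid certificate with a private key.
$certs = @(Get-ClientAuthCertificate)
if ($certs.Count -eq 0) {
    Write-Warning 'No valid client authentication certificate with a private key found.'
} else {
    $certs | Format-Table -AutoSize
}

# Record the current log length so an exit line from an earlier attempt is ignored.
$log = 'C:\Windows\ccmsetup\Logs\ccmsetup.log'
$before = if (Test-Path -LiteralPath $log) { @(Get-Content -LiteralPath $log).Count } else { 0 }
# After starting ccmsetup.exe as in step 2, run:
#   Wait-CcmSetupResult -LogPath $log -SkipLines $before
```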