Category Archives: SCCM Current Branch

SCCM Current Branch 1702 – Office 365 Installer

SCCM Current Branch 1702 introduces the “Office 365 ProPlus Installer” (this feature was seen in the technical previews). The Office 365 ProPlus Installer allows you to specify your Office 365 ProPlus settings (excluded apps, update channel etc.), download the Office 365 ProPlus files, create the Application and Deployment Type, and deploy the application if you choose to.

Before this feature was released, you needed to use the Office Deployment Tool (ODT) to download the Office 365 ProPlus and create an XML with the Office 365 configuration settings, then create an Application in SCCM.

This post will show how you can leverage the new Office 365 Installer in SCCM Current Branch version 1702 to create, download and deploy an Office 365 ProPlus package without having to use the Office Deployment Tool.

Open the SCCM console, go to the Software Library node, expand the Office 365 Client Management folder, and click on Office 365 Installer.

Office365Deploy1

Give it a name and content location:

Office365Deploy2

You can use an existing XML with the Office 365 ProPlus configuration you have created, or manually create one using this wizard. I have chosen to manually create the XML:

Office365Deploy3

Specify your settings. I have chosen the Office 365 ProPlus suite and have excluded the old Groove OneDrive for Business client.

Office365Deploy4

Select your architecture. I am using 32-bit and have chosen the Deferred channel.
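Behind the wizard is the same Office Deployment Tool configuration.xml the old method needed. The script below is an added example (not from the original post) that builds that XML from the choices made above (Office 365 ProPlus, 32-bit, Deferred channel, Groove excluded); the share path is a constructed placeholder, and the channel names follow the ODT schema of this era.

```powershell
# Added example: generate an ODT configuration.xml matching the wizard choices above.
function New-OdtConfiguration {
    param(
        [string]   $ProductId   = 'O365ProPlusRetail',
        [ValidateSet('32', '64')]
        [string]   $Edition     = '32',
        [ValidateSet('Current', 'Deferred', 'FirstReleaseCurrent', 'FirstReleaseDeferred')]
        [string]   $Channel     = 'Deferred',
        [string[]] $Languages   = @('en-us'),
        [string[]] $ExcludeApps = @('Groove'),
        [string]   $SourcePath              # assumed UNC share holding the downloaded files
    )
    $xml  = New-Object System.Xml.XmlDocument
    $root = $xml.AppendChild($xml.CreateElement('Configuration'))

    # <Add> carries the edition and update channel the wizard asked for.
    $add = $root.AppendChild($xml.CreateElement('Add'))
    $add.SetAttribute('OfficeClientEdition', $Edition)
    $add.SetAttribute('Channel', $Channel)
    if ($SourcePath) { $add.SetAttribute('SourcePath', $SourcePath) }

    # One <Product> with its languages and the apps to leave out.
    $product = $add.AppendChild($xml.CreateElement('Product'))
    $product.SetAttribute('ID', $ProductId)
    foreach ($lang in $Languages) {
        $product.AppendChild($xml.CreateElement('Language')).SetAttribute('ID', $lang)
    }
    foreach ($app in $ExcludeApps) {
        $product.AppendChild($xml.CreateElement('ExcludeApp')).SetAttribute('ID', $app)
    }

    # Silent install with EULA accepted, as an unattended ConfigMgr deployment needs.
    $display = $root.AppendChild($xml.CreateElement('Display'))
    $display.SetAttribute('Level', 'None')
    $display.SetAttribute('AcceptEULA', 'TRUE')
    return $xml
}

# Constructed path; the ODT commands the wizard now runs for you were
# setup.exe /download configuration.xml and setup.exe /configure configuration.xml
$config = New-OdtConfiguration -SourcePath '\\server\share\Office365'
$config.Save("$PWD\configuration.xml")
Get-Content "$PWD\configuration.xml"
```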

Office365Deploy5

I have said Yes to deploy the application.

Office365Deploy6

I have chosen the collection to deploy it to.

Office365Deploy7

I have added my distribution point.

Office365Deploy8

I am deploying mine as Available

Office365Deploy9

Settings here are left as default.

Office365Deploy10

Default again

Office365Deploy11

Default again

Office365Deploy12

Click Next to start downloading the Office 365 ProPlus files.

Office365Deploy13

After it has finished, you can see that an Application has been created with a deployment type and deployed to the collection specified earlier.

Office365Deploy15

Changing Office 365 ProPlus Update Channel with ConfigMgr 1610

This post will show how you can use the compliance settings in SCCM to change the update channel of Office 365 ProPlus by changing CDNBaseUrl in the registry. This is useful if you want to move some clients from Current Channel to Deferred Channel, or from Deferred Channel to Current Channel.

This post assumes you are running ConfigMgr Current Branch 1610, have the Client Settings set to “Enable management of the Office 365 Client Agent” in the Software Updates section, and have configured ConfigMgr 1610 to deploy updates for Office 365. More information is in Microsoft's guide Manage Office 365 ProPlus updates with Configuration Manager.

In the ConfigMgr console, create a new Configuration Item.

office365_01

Give it a name and click Next.

office365_02

Click on New so you can add a new setting.

office365_03

I have clicked on Browse near the Hive Name, connected to another machine with Office 365 installed and browsed to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration\CDNBaseUrl.

office365_04_1

Select CDNBaseUrl and tick “The selected registry value must exist on client devices”.

office365_04_2

Click OK and it should look like this.

office365_04

Click on the Compliance Rules tab and click New.

office365_04_3

Now where you have the setting selected, change the “Equals the following values” to the update channel you would like to change to. For example, mine was previously set to Deferred channel, so I selected the URL for Current Channel and pasted it in.

For reference, I have copied the URLs from Change the update channel after you enable Office 365 clients to receive updates from Configuration Manager and pasted them below:

office365_06

Click on OK.

office365_07

Click Next.

office365_08

Click Next.

office365_09

Click Next.

office365_10

Click Close.

office365_11

Now we will create the Configuration Baseline and add the previously created Configuration Item.

office365_12

Click on Add, then select Configuration Item.

office365_13

Select the previously created Configuration Item and click Add.

office365_14

Now we will deploy it to a collection to test it.

office365_15

Make sure the correct Configuration Item is selected, along with “Remediate noncompliant rules when supported”. Choose a test collection to deploy it to (my All Workstations collection is in a lab, not a production environment).

office365_16

Now, on a machine in the collection you deployed the baseline to, once the machine has received the policy you should see the Baseline in the Configurations tab of the ConfigMgr client properties. Click on Evaluate and wait for the Compliance state to change from Unknown to Compliant.

office365_17

One of the cool things in ConfigMgr 1610 is the Office 365 dashboard. This is found under Office 365 Client Management in the Software Library node. Previously it said it had 2 Office 365 Client channels set to Deferred Channel.


After initiating a Hardware Inventory cycle on the machine where I deployed the baseline, because CDNBaseUrl was changed to the Current Channel URL, you can see the Office 365 Client Management dashboard has changed from 2 Deferred Channel clients to 1 Deferred Channel and 1 Current Channel client.

office365_18 office365_19

Also after initiating the software updates deployment scan cycle, you can see that Software Center updates have changed from Deferred Channel to Current Channel.

office365_20office365_21
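The registry-value Configuration Item above can also be expressed as a script-based CI with a discovery and a remediation part, which makes the check and the change auditable in one place. The following is an added example (not from the original post); the two CDN URLs are Microsoft's published Current and Deferred channel endpoints of this era and should be verified against current documentation before use.

```powershell
# Added example: script-based CI for the CDNBaseUrl channel switch described above.
$ChannelUrls = @{
    # Microsoft's published CDN base URLs for the two channels discussed in the post (verify).
    Current  = 'http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60'
    Deferred = 'http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114'
}
$RegPath = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'

function Get-O365Channel {
    # Map the CDNBaseUrl currently in the registry back to a channel name ($null if unknown).
    $value = (Get-ItemProperty -Path $RegPath -Name CDNBaseUrl -ErrorAction SilentlyContinue).CDNBaseUrl
    if (-not $value) { return $null }
    foreach ($entry in $ChannelUrls.GetEnumerator()) {
        if ($entry.Value -eq $value.TrimEnd('/')) { return $entry.Key }
    }
    return $null
}

# Discovery script: ConfigMgr compares this output with the compliance rule
# (rule type "Value", condition: the value returned equals "Compliant").
function Test-O365Channel {
    param([ValidateSet('Current', 'Deferred')] [string] $Target = 'Current')
    if ((Get-O365Channel) -eq $Target) { 'Compliant' } else { 'NonCompliant' }
}

# Remediation script: only runs when discovery returned NonCompliant and the deployment
# has "Remediate noncompliant rules when supported" ticked.
function Set-O365Channel {
    param([ValidateSet('Current', 'Deferred')] [string] $Target = 'Current')
    if (-not (Test-Path $RegPath)) {
        throw 'Click-to-Run configuration key not found; is Office 365 ProPlus installed?'
    }
    Set-ItemProperty -Path $RegPath -Name CDNBaseUrl -Value $ChannelUrls[$Target]
    # As in the post, a hardware inventory and an update scan afterwards are what
    # move the dashboard and Software Center to the new channel.
}

# Paste the discovery part into the CI's discovery script and the remediation part into
# its remediation script, setting $Target to the channel you want.
Test-O365Channel -Target 'Current'
```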


Intune Hybrid – Deploy Office 365 click-to-run and enroll Windows 10 computer

This post will cover how to deploy Office 365 click-to-run to an enrolled Windows 10 machine using a Hybrid ConfigMgr 1610 environment with an Intune subscription. I will generate the .msi for Office 365 ProPlus and deploy it using ConfigMgr, enroll a Windows 10 machine, then install Office 365 ProPlus from the Company Portal using Click-to-Run.

My hybrid environment is already set up, and PC enrollment is already enabled. For this see https://docs.microsoft.com/en-us/sccm/mdm/understand/hybrid-mobile-device-management

First, to create the Office 365 click-to-run MSI that we will deploy from ConfigMgr to our Intune user group, download and install the “Microsoft Office ProPlus Install Toolkit” from http://officedev.github.io/Office-IT-Pro-Deployment-Scripts/XmlEditor.html

microsoft-office-proplus-install-toolkit

Install it and open it up. I have configured the options to what suits my environment. Have a good look through the options and customize it to your needs.

mdmoffice3651

mdmoffice362

mdmoffice363

You can choose to exclude certain products if you like.

mdmoffice3654

mdmoffice3655

I have enabled updates.

mdmoffice3656

I have set the Display Level to none, and accepted the EULA.

mdmoffice3657

Make sure the install type is MSI and select the file path to output the msi.

mdmoffice3658

Once you click Generate, you will be left with a 2 MB MSI which we will deploy through ConfigMgr to our Intune user group.

mdmoffice3659

mdmoffice36510

Now we will create the application in the ConfigMgr console.

mdmoffice36511

Make sure to specify the type as Windows Installer through MDM (*.msi) and specify the UNC path to the MSI generated earlier.

mdmoffice36512

Click Yes.

mdmoffice36513

Click Next.

mdmoffice36514

Specify the information you would like here such as Name.

mdmoffice36515

I have left all other options as default and clicked Next.

mdmoffice36516

Now we will go to the properties of the application we created and choose to use a logo to display in the Company Portal.

mdmoffice36517

Click on the Application Catalog tab, browse and select an icon you would like to use. I searched the web for an Office 365 icon and made sure it's 250×250 pixels or smaller.

mdmoffice36518

Now we will deploy the application to our Intune user group.

mdmoffice36519

mdmoffice36520

Make sure to distribute the msi to the Intune distribution point. Select Add then Distribution Point, then select the manage.microsoft.com distribution point.

mdmoffice36522

mdmoffice36523

Click Next.

mdmoffice36524

I am deploying this Application as Available so the user can install it from the Company Portal.

mdmoffice36525

mdmoffice36526

Now I will enroll my Windows 10 Pro 1607 machine. The prerequisites are here https://docs.microsoft.com/en-us/sccm/mdm/deploy-use/enroll-hybrid-windows

Click on Start, then Settings.

enrollwin10-01

Select Accounts

enrollwin10-02

Click on Access work or school then click on Connect.

enrollwin10-03

Enter in your details for an account with an Intune license.

enrollwin10-04

enrollwin10-05

enrollwin10-06

enrollwin10-07

Now the device is enrolled. If we take a look in the ConfigMgr console, we can see the Windows 10 machine is enrolled as a mobile device.

enrollwin10-08

I have installed the Company Portal application from the Windows Store. Once opened, I can see the Microsoft Office 365 ProPlus. Click on it, then click on Install.

o365-01

If you load up task manager, you can see the set up files running.

o365-02

After a while you can see the programs in the program list on the Windows 10 machine.

o365-03

Intune Hybrid – Deploy msi to enrolled Windows 10 machine with ConfigMgr

This post will show how to deploy an MSI application to a Windows 10 machine enrolled as a mobile device in a ConfigMgr Current Branch 1610 environment with an Intune subscription. The Windows 10 machine has already been enrolled and has the Company Portal installed. For details on how to configure hybrid MDM and how to enroll devices, see Setup hybrid mobile device management (MDM) with System Center Configuration Manager and Microsoft Intune

Right click Applications, select Create Application.

intunewin10dep1

Make sure to specify the type as Windows Installer through MDM (*.msi) and specify the location of the .msi file. In my example I am using the 32-bit 7zip MSI.

intunewin10dep2

I have clicked Yes.

intunewin10dep3

intunewin10dep4

I have changed the name and left all other information as default.

intunewin10dep5

intunewin10dep6

intunewin10dep7

Now I will deploy the application as an available application for the user to download and install from the Company Portal. Right click on the application and click Deploy.

intunewin10dep8

I have selected a user collection and clicked Next.

intunewin10dep9

Click on Add, select Distribution Point, and distribute the package to the cloud-based Intune DP.

intunewin10dep10

I am deploying this as Available in this example and have left all other options as default and clicked Next on each screen.

intunewin10dep11

Now the application is deployed.

intunewin10dep12

In the content status section of the ConfigMgr console, I have made sure that the application has been successfully distributed to the Intune distribution point.

intunewin10dep13

Now on my enrolled Windows 10 (1607) machine I have opened up Company Portal and can see the 7zip application available.

intunewin10dep14

I have clicked on the application and then clicked on Install.

intunewin10dep15

Now 7zip has installed successfully.

intunewin10dep16

Intune Hybrid with ConfigMgr – Deploying required app to iOS from App Store

This post will show how to deploy a required application to an iPhone (or iOS device) from the App Store (Microsoft Excel) and also create a Mobile Application Management (MAM) Policy as Microsoft Excel requires it. My environment below is ConfigMgr Current Branch 1610 with an Intune subscription.

In the ConfigMgr console, go into Software Library, right click Applications and select Create Application.

iosapp1

Select the type App Package for iOS from App Store. Paste the link of the app from the App Store. In this example, I have pasted the link for Microsoft Excel. You can browse the other apps at https://itunes.apple.com, get the link and paste it in. Click Next.

iosapp2

iosapp3

You can add the required information here and click Next.

iosapp4

Click Next.

iosapp5

iosapp6

Now we will create our MAM (mobile application management) policy for Microsoft Excel, as it is required before we deploy the application. Right click on Application Management Policies and select Create Application Management Policies.

iosapp7

Select the platform as iOS.

iosapp8

I have left the options as default.

iosapp9

iosapp10

Now we can deploy our Microsoft Excel application we created before. Select the Application, right click and select Deploy.

iosapp11

I will be deploying it to my Intune Users collection

iosapp12

In my example, I am deploying it as Required. Alternatively you can deploy it as Available and then download it from the Company Portal app.

iosapp13

All other options have been left as default. In the Application Management section I have selected the MAM policy I created before. If you didn't create this MAM policy you will not be able to proceed (for Microsoft Excel, at least).

iosapp14

Now I am going to initiate a Send Sync Request to my iPhone.

iosapp15

Once the iPhone receives the policy, because it was a required application I deployed, the iPhone is presented with this screen. Microsoft Excel will begin to install.

intuneapp16

Intune Hybrid MDM – Remote Wipe iPhone

This post will show how you can use ConfigMgr (I am using ConfigMgr Current Branch 1610) with an Intune subscription (hybrid MDM) to completely wipe an iPhone if it has been lost or stolen. When doing a full wipe, it will restore the iPhone to its factory settings (removing all company and user data).

In the ConfigMgr console, select the device and right click and select Remote Device Actions, then select Retire/Wipe

iphonewipe1

The warning below will be displayed where you can either do a selective wipe, or a full wipe. In my example, I will be doing a full wipe.

iphonewipe2

Another warning is displayed

iphonewipe3

I will send a sync request from the console to save time (a new feature in ConfigMgr Current Branch 1610).

iphonewipe4

Once the iPhone has received the sync request, you can see it is now doing a full factory restore, removing all company and user data.

iphonewipe5 iphonewipe6



Intune Hybrid MDM – Reset iPhone Passcode from ConfigMgr console

When an iPhone (or another device such as iOS, Android, Windows Phone 8 or Windows Phone 8.1) is enrolled with Intune using Hybrid MDM, ConfigMgr provides the ability to reset the passcode. This is very helpful if a user has forgotten their passcode.

This post will show how to clear the iPhone passcode using ConfigMgr Current Branch 1610 with an Intune subscription. When clearing the passcode on an iOS device, the passcode is actually cleared. A temporary passcode is not created.

Select the iPhone in the ConfigMgr console and right click, select Remote Device Actions, then select Reset Passcode.

iphonepasscode1

The following warning will be displayed

iphonepasscode2

One of the nice new features in ConfigMgr Current Branch 1610 in a hybrid deployment is the ability to request a policy sync for a device enrolled with Intune, rather than having to do it from the Company Portal.

Right click on the device, select Remote Device Actions, then select Send Sync Request.

iphonepasscode3

You can see that the Passcode Reset state is set to Pending.

iphonepasscode4

Once the passcode has been reset, you can see that the reset state is Succeeded.

iphonepasscode5

On the iPhone, any passcode that was previously set has now been removed. On my device I would usually need the passcode to unlock it; now I can unlock the device without a passcode and set a new one.


Intune Conditional Access with Exchange Online for Windows PC’s – User Experience

This post will show the end user experience when Conditional Access is configured to prevent non-domain joined Windows 7 and Windows 10 PCs from accessing Exchange Online, either from the Outlook client or from OWA web mail. If you would like more information on how to configure Conditional Access for different scenarios, see Use conditional access with Intune and Configuration Manager.

In a ConfigMgr Current Branch 1610 Intune Hybrid environment, I have configured Conditional Access in the ConfigMgr console, which then opens the Intune admin console.

condacc1

I have enabled conditional access policy.

condacc3

Now, on a non-domain joined Windows 7 machine, when trying to access OWA the user is presented with the “You can't get there from here” screen below.

nondomainjoined

On the same Windows 7 machine, if a user tries to configure their Exchange Online account in the Outlook application, they get the same “You can't get there from here” screen.

nondomainjoined2

This looks the same on Windows 10.

nondomainjoined3

The same screen appears when accessing OWA on a Windows 10 machine.

nondomainjoined4

What happens if a machine had Outlook configured and working before the Conditional Access policies were put in place? In my testing, when opening the Outlook app, the same screen was displayed when it tried to connect to Exchange Online.

condacc2

Adding Intune subscription to ConfigMgr for Hybrid MDM

This post will show you how to add an Intune subscription to ConfigMgr for Hybrid MDM and enable enrollment for iOS devices.

To see the benefits of using Intune with ConfigMgr rather than standalone, Microsoft has a good post: Choose between Microsoft Intune standalone and hybrid mobile device management with System Center Configuration Manager.

My current on-prem environment looks like this:

  • ConfigMgr Current Branch version 1606.
  • User collection created with users whose devices can be enrolled
  • Custom domain added and verified in the Office 365 admin portal
  • Azure AD Connect set up to synchronize my user accounts to Azure AD. Steps to set this up are here
  • Intune subscription (You can get a 30 day trial subscription here)

The first step to add the Intune subscription is to go into Cloud Services, right click Microsoft Intune Subscriptions and select Add Microsoft Intune Subscription.

intune1

Have a read of the Getting Started and click Next.

intune2

Sign in with your Intune account.

intune3

Have a read and if you agree, click the checkbox. Note that you can’t change this back unless you contact Microsoft Support.

intune4

Enter your Intune username and password.

intune5

Once you're signed in, click on Next.

intune6

Select the user collection with the users whose devices can be enrolled. You can configure your company name and any other settings you like, then click Next.

intune7

Fill in any other information you would like and click Next.

intune8

Specify a company logo if you like and click Next.

intune9

Select the user that you would like to be the Device Enrollment Manager. You can see more info here.

intune10

If you would like to use MFA, select the enable checkbox and click Next.

intune11

Confirm your settings and click Next.

intune12

Once it's finished, click Close. You can view Cloudusersync.log to make sure the role was set up successfully and look out for any errors.

intune13

Next we will create an APNs certificate. The Apple Push Notification service (APNs) certificate is used to establish a trust relationship between the management service, Intune, and enrolled iOS mobile devices.

intune14

intune15

intune16

Next we will log in to the APNs certificate portal with an Apple ID. The link is here.

intune17

Click on Create Certificate.

intune18

Click Accept if you accept the terms and conditions.

intune19

Upload the certificate you created earlier.

intune20

Now download the certificate.

intune21

Now we will configure the iOS platform.

intune22

Click Enable and browse to the certificate you downloaded before and click Ok.

intune23

ConfigMgr CB 1610 – Cloud Management Gateway

One of the features in the newly released 1610 update for ConfigMgr Current Branch is the pre-release Cloud Management Gateway. This is similar to the Azure Cloud Proxy feature released in the Technical Preview 1606. I wrote a post on this here.

One thing that seems to be different from the TP is that the on-prem distribution point isn't supported for cloud management gateway traffic. You will need to set up an Azure cloud-based distribution point for clients to download content (applications etc.). However, you can enable the Management Point and Software Update Point to receive cloud management gateway traffic.

You can see the limitations of the Cloud Management Gateway here.

This post will show you how I set up the Cloud Management Gateway in a lab. I won’t dive into the certificates part but information can be found at Step-by-step example deployment of the PKI certificates for System Center Configuration Manager: Windows Server 2008 Certification Authority and

A bit of info about my setup:

  • Azure subscription (you can get a trial here)
  • ConfigMgr Current Branch 1610 environment
  • Azure Management certificate uploaded to manage.windowsazure.com
  • Cloud management gateway certificate for <name>.cloudapp.net. Info for that can be found here. Note: this name needs to be unique and cannot already exist in Azure
  • Workstation certificate installed on clients and exported as the root certificate
  • Management Point and SUP configured for HTTPS
  • Windows 10 client with Workstation Certificate enrolled, to test with

As this is a pre-release feature, I enabled it when installing the 1610 update.

clouggw01

Now you will see the Cloud Management Gateway under the Cloud Services section. Click Create.

clouggw02

Enter your Azure Subscription ID, which can be found in portal.azure.com or manage.windowsazure.com, and select the Management Certificate (which needs to already be uploaded to Azure).

clouggw04

When the cloud service PKI certificate is selected from the Browse button, the service name and FQDN will automatically be filled in (this is the common name from when the certificate was requested). Make sure a unique name was chosen earlier for the certificate, as it will create a cloud service in Azure with the name <name>.cloudapp.net.

Also specify the client certificate root. You can see instructions here. Make sure this is done properly, as otherwise the client will get certificate errors when trying to connect to the Management Point.

clouggw05

You have the ability to set thresholds that raise alerts on outbound traffic, as Azure charges you based on outbound traffic.

clouggw06

clouggw07

You can watch the provisioning status. Or, even better, examine CloudMgr.log so you can see exactly what is going on and look out for any issues or errors.

clouggw08

Enable the site to use a PKI certificate. The workstations that communicate with the Cloud Management Gateway need a Workstation certificate enrolled. Workstation certificates are covered here.

clouggw09

Next the Cloud Management Gateway connection point role will be added.

clouggw10

The information is filled in automatically.

clouggw11

Once the role has been added, the Management Point and Software Update Point need to allow Cloud Management Gateway traffic. Make sure the Web Server certificate for the MP/WSUS is configured in IIS. There is a guide on that here.

clouggw11_2 clouggw11_3

On the client, while it has a connection to the Internal network, you can restart SMS Agent Host service so it picks up the new Internet management point.

Once that is done on my client, I have given the machine only Internet access and no internal network access. I have restarted SMS Agent Host and you can see in LocationServices.log it is using the Cloud Management Gateway and the ConfigMgr client connection type is set to Internet.
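To confirm from the client side what the screenshot shows (connection type Internet, gateway in use), the following added example (not from the original post) restarts the agent and reads the client's WMI state and LocationServices.log. The log directory, the `ClientInfo.InInternet` property and the log text it searches for are assumptions to check against your own client.

```powershell
# Added example: verify a client has switched to the Cloud Management Gateway.
function Get-CmClientConnectionState {
    param(
        [switch] $RestartAgent,                         # restart SMS Agent Host first, as in the post
        [string] $LogDir = "$env:SystemRoot\CCM\Logs",  # assumed default client log location
        [int]    $SettleSeconds = 60                    # time for location services to run after restart
    )
    if ($RestartAgent) {
        Restart-Service -Name CcmExec -ErrorAction Stop
        Start-Sleep -Seconds $SettleSeconds
    }

    # Assumed: root\ccm:ClientInfo.InInternet backs the "connection type: Internet" shown in the UI,
    # and SMS_Authority.CurrentManagementPoint is the MP the client is currently using.
    $clientInfo = Get-CimInstance -Namespace 'root\ccm' -ClassName ClientInfo -ErrorAction Stop
    $authority  = Get-CimInstance -Namespace 'root\ccm' -ClassName SMS_Authority -ErrorAction Stop

    # Assumed log text: look for gateway/Internet references in the most recent log lines.
    $logFile = Join-Path $LogDir 'LocationServices.log'
    $gatewayLines = @()
    if (Test-Path $logFile) {
        $gatewayLines = Get-Content $logFile -Tail 200 |
            Select-String -Pattern 'Cloud Management Gateway|CMG|Internet' |
            ForEach-Object { $_.Line }
    }

    [pscustomobject]@{
        InInternet             = [bool]$clientInfo.InInternet
        CurrentManagementPoint = $authority.CurrentManagementPoint
        AssignedSite           = $authority.Name
        GatewayLogLines        = $gatewayLines.Count
    }
}

# Run with only Internet connectivity; expect InInternet = True and the MP to be the gateway FQDN.
$state = Get-CmClientConnectionState -RestartAgent
$state | Format-List
if (-not $state.InInternet) {
    Write-Warning 'Client still reports an intranet connection; check the client root certificate and MP HTTPS settings.'
}
```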

clouggw12

If you’re curious about what it looks like in Azure, if you go to portal.azure.com and go to Cloud Services (classic), you can see it created a ProxyService role which is meant to be running on an A2 VM.

clouggw13