Category Archives: SCCM Current Branch

SCCM Current Branch 1702 – Office 365 Installer

SCCM Current Branch 1702 introduces the “Office 365 ProPlus Installer” (this feature was seen in the technical previews). The Office 365 ProPlus Installer allows you to specify your Office 365 ProPlus settings (excluded apps, update channel etc.), download the Office 365 ProPlus files, create the Application and Deployment Type, and deploy the application if you choose to.

Before this feature was released, you needed to use the Office Deployment Tool (ODT) to download the Office 365 ProPlus and create an XML with the Office 365 configuration settings, then create an Application in SCCM.

This post will show how you can leverage the new Office 365 Installer in SCCM Current Branch version 1702 to create, download and deploy an Office 365 ProPlus package without having to use the Office Deployment Tool.

Open the SCCM console, go to the Software Library node, expand the Office 365 Client Management folder, then click on Office 365 Installer.


Give it a name and content location:


You can use an existing XML with the Office 365 ProPlus configuration you have created, or manually create one using this wizard. I have chosen to manually create the XML:


Specify your settings. I have chosen the Office 365 ProPlus suite, and have chosen to exclude the old Groove OneDrive for Business client.


Select your architecture. I am using 32bit, and have chosen to use the Deferred channel.


I have said Yes to deploy the application.


Chosen my collection to deploy it to


Added my distribution point


I am deploying mine as Available


Settings here are left as default.


Default again


Default again


Click next to start downloading the Office 365 ProPlus files


After it has finished, you can see there is now an Application created with a deployment type, deployed to the collection specified earlier.
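The wizard above writes an Office Deployment Tool configuration XML behind the scenes. As an added example (not code from the original post), this PowerShell function builds the equivalent XML for the choices made above (ProPlus suite, 32-bit, Deferred channel, Groove excluded), which you can hand to the wizard as an existing XML or keep under version control; the function name, parameters and output path are assumptions of this example.

```powershell
# Added example: build the Office 365 ProPlus configuration XML that the
# Office 365 Installer wizard generates for the settings chosen in this post.
function New-O365ConfigXml {
    param(
        [string]$Path,                                  # where to save; omit to only return the XML
        [ValidateSet('32','64')][string]$Edition = '32',
        [ValidateSet('Current','Deferred','FirstReleaseDeferred')][string]$Channel = 'Deferred',
        [string[]]$ExcludeApps = @('Groove'),           # old Groove OneDrive for Business client
        [string]$Language = 'en-us',
        [string]$SourcePath                             # leave empty to download from the Office CDN
    )
    $doc  = New-Object System.Xml.XmlDocument
    $root = $doc.AppendChild($doc.CreateElement('Configuration'))

    # <Add> carries the edition, channel and optional local source share
    $add = $root.AppendChild($doc.CreateElement('Add'))
    $add.SetAttribute('OfficeClientEdition', $Edition)
    $add.SetAttribute('Channel', $Channel)
    if ($SourcePath) { $add.SetAttribute('SourcePath', $SourcePath) }

    # O365ProPlusRetail is the product ID for the Office 365 ProPlus suite
    $product = $add.AppendChild($doc.CreateElement('Product'))
    $product.SetAttribute('ID', 'O365ProPlusRetail')
    $product.AppendChild($doc.CreateElement('Language')).SetAttribute('ID', $Language)
    foreach ($app in $ExcludeApps) {
        $product.AppendChild($doc.CreateElement('ExcludeApp')).SetAttribute('ID', $app)
    }

    # Keep the client on the same update channel it was installed from
    $updates = $root.AppendChild($doc.CreateElement('Updates'))
    $updates.SetAttribute('Enabled', 'TRUE')
    $updates.SetAttribute('Channel', $Channel)

    # Silent install, EULA accepted (matches a managed deployment)
    $display = $root.AppendChild($doc.CreateElement('Display'))
    $display.SetAttribute('Level', 'None')
    $display.SetAttribute('AcceptEULA', 'TRUE')

    if ($Path) { $doc.Save($Path) }
    return $doc.OuterXml
}

# Assumed usage: write the XML next to the downloaded Office files
New-O365ConfigXml -Path "$env:TEMP\configuration.xml"
```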


Changing Office 365 ProPlus Update Channel with ConfigMgr 1610

This post will show how you can use the compliance settings in SCCM to change the update channel in Office 365 ProPlus by changing CDNBaseUrl in the registry.  This is useful if you want to change some clients from Current Channel to Deferred Channel or Deferred Channel to Current Channel.

This post assumes you are running ConfigMgr Current Branch 1610, have the Client Settings set to “Enable management of the Office 365 Client Agent” in the Software Updates section, and have configured ConfigMgr 1610 to deploy updates for Office 365. More info about that can be read here: Manage Office 365 ProPlus updates with Configuration Manager.

In the ConfigMgr console, create a new Configuration Item


Give it a name and click Next.


Click on New so you can add a new setting.


I have clicked on Browse near the Hive Name, connected to another machine with Office 365 installed, and browsed to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration\CDNBaseUrl.


Select CDNBaseUrl and select “The selected registry value must exist on client devices”.


Click OK and it should look like this


Click on the Compliance Rules tab and click New.


Now where you have the setting selected, change the “Equals the following values” to the update channel you would like to change to. For example, mine was previously set to Deferred channel, so I selected the URL for Current Channel and pasted it in.

For reference I have copied the URLs from Change the update channel after you enable Office 365 clients to receive updates from Configuration Manager and pasted them below:


Click on OK.


Click Next.


Click Next.


Click Next.


Click Close.


Now we will create the Configuration Baseline and add the previously created Configuration Item.


Click on Add, then select Configuration Item.


Select the previously created Configuration Item and click Add.


Now we will deploy it to a collection to test it.


Make sure the correct Configuration Item is selected, along with “Remediate noncompliant rules when supported”. Choose a test collection to deploy it to (my All Workstations collection is in a lab, not a production environment).


Now on a machine that is in the collection where you deployed the baseline to, after the machine gets the policy you should be able to see the Baseline in the Configurations tab of the ConfigMgr client properties. Click on Evaluate and wait for the Compliant tab to change from Unknown to Compliant.
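The registry-value rule built above can also be expressed as a script-based compliance item. This added example (not code from the original post) is a PowerShell discovery and remediation pair for CDNBaseUrl; the function names are assumptions of this example, and the channel base URLs are Microsoft's documented Office CDN URLs, which you should verify against the current channel list before use.

```powershell
# Added example: discovery/remediation for the CDNBaseUrl update channel value.
$RegPath   = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
$ValueName = 'CDNBaseUrl'

# Documented CDN base URLs per update channel (verify against Microsoft's list)
$Channels = @{
    'Current'  = 'http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60'
    'Deferred' = 'http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114'
}

function Get-O365Channel {
    # Maps the value on this machine back to a channel name.
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if (-not $item) { return 'NotInstalled' }        # no Click-to-Run Office here
    $url = $item.$ValueName.TrimEnd('/')
    foreach ($name in $Channels.Keys) {
        if ($Channels[$name] -eq $url) { return $name }
    }
    return 'Unknown'                                  # a URL we do not recognise: worth investigating
}

function Test-O365Channel {
    # Discovery script: its output is what the compliance rule compares against.
    param([Parameter(Mandatory)][ValidateSet('Current','Deferred')][string]$Desired)
    if ((Get-O365Channel) -eq $Desired) { 'Compliant' } else { 'NonCompliant' }
}

function Set-O365Channel {
    # Remediation script: runs as SYSTEM under the ConfigMgr client, so it can
    # write HKLM. In a real compliance item, hard-code $Desired; ConfigMgr
    # does not pass parameters. Only writes when the value actually differs.
    param([Parameter(Mandatory)][ValidateSet('Current','Deferred')][string]$Desired)
    if ((Get-O365Channel) -ne $Desired) {
        Set-ItemProperty -Path $RegPath -Name $ValueName -Value $Channels[$Desired]
        Write-Verbose "CDNBaseUrl set for $Desired channel; run the Office 365 update scan to pick it up."
    }
}

# Assumed usage: discovery for a rule that expects the Current Channel
Test-O365Channel -Desired 'Current'
```

Anything that reports as Unknown is pointing the client at an update source you did not configure, so treat that result as a finding rather than silently remediating it.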


One of the cool things in ConfigMgr 1610 is the Office 365 dashboard. This is found under Office 365 Client Management in the Software Library node. Previously it said it had 2 Office 365 Client channels set to Deferred Channel.


After initiating a Hardware Inventory cycle on the machine where I deployed the baseline, because I changed CDNBaseUrl to the Current Channel URL, you can see the Office 365 Client Management dashboard has now changed from 2 Deferred Channels to 1 Deferred Channel and 1 Current Channel.


Also after initiating the software updates deployment scan cycle, you can see that Software Center updates have changed from Deferred Channel to Current Channel.



Intune Hybrid – Deploy Office 365 click-to-run and enroll Windows 10 computer

This post will cover how to deploy Office 365 click-to-run to an enrolled Windows 10 machine using a Hybrid ConfigMgr 1610 environment with an Intune subscription. I will generate the .msi for Office 365 ProPlus and deploy it using ConfigMgr, enroll a Windows 10 machine, then install Office 365 ProPlus from the Company Portal using Click-to-Run.

My hybrid environment is already set up, and PC enrollment is already enabled. For this see

First to create the Office 365 click-to-run msi which we will deploy from ConfigMgr to our Intune user group, download and install “Microsoft Office ProPlus Install Toolkit” from


Install it and open it up. I have configured the options to what suits my environment. Have a good look through the options and customize it to your needs.




You can choose to exclude certain products if you like.



I have enabled updates.


I have set the Display Level to none, and accepted the EULA.


Make sure the install type is MSI and select the file path to output the msi.


Once you click Generate, you will be left with a 2 MB MSI which we will deploy through ConfigMgr to our Intune user group.



Now we will create the application in the ConfigMgr console


Make sure to specify the type as Windows Installer through MDM (*.msi) and also specify the UNC path to the earlier generated msi.


Click Yes.


Click Next.


Specify the information you would like here such as Name.


I have left all other options as default and clicked Next.


Now we will go to the properties of the application we created and choose to use a logo to display in the Company Portal.


Click on the Application Catalog tab, then browse and select an icon you would like to use. I searched the web for an icon for Office 365 and made sure it's 250×250 in size or smaller.


Now we will deploy the application to our Intune user group.



Make sure to distribute the msi to the Intune distribution point. Select Add then Distribution Point, then select the distribution point.



Click Next


I am deploying this Application as Available so the user can install it from the Company Portal.



Now I will enroll my Windows 10 Pro 1607 machine. The prerequisites are here

Click on Start, then Settings.


Select Accounts


Click on Access work or school then click on Connect.


Enter in your details for an account with an Intune license.





Now the device is enrolled. If we take a look in the ConfigMgr console, we can see the Windows 10 machine is enrolled as a mobile device.


I have installed the Company Portal application from the Windows Store. Once opened, I can see the Microsoft Office 365 ProPlus. Click on it, then click on Install.


If you load up task manager, you can see the set up files running.


After a while you can see the programs in the program list on the Windows 10 machine.


Intune Hybrid – Deploy msi to enrolled Windows 10 machine with ConfigMgr

This post will show how to deploy an MSI application to a Windows 10 machine enrolled as a mobile device in a ConfigMgr Current Branch 1610 environment with an Intune subscription. The Windows 10 machine has already been enrolled and has the Company Portal installed. For details on how to configure hybrid MDM and how to enroll devices, see Setup hybrid mobile device management (MDM) with System Center Configuration Manager and Microsoft Intune

Right click Applications, select Create Application.


Make sure to specify the type as Windows Installer through MDM (*.msi) and specify the location of the .msi file. In my example I am using the 32bit 7zip msi.


I have clicked Yes.



I have changed the name and left it as all default information.




Now I will deploy the application as an available application for the user to download and install from the Company Portal. Right click on the application and click Deploy.


I have selected a user collection and clicked Next.


Click on Add, then select Distribution Point; I will distribute the package to the cloud-based Intune DP.


I am deploying this as Available in this example and have left all other options as default and clicked Next on each screen.


Now the application is deployed.


In the content status section of the ConfigMgr console, I have made sure that the application has been successfully distributed to the Intune distribution point.


Now on my enrolled Windows 10 (1607) machine I have opened up Company Portal and can see the 7zip application available.


I have clicked on the application and then clicked on Install.


Now 7zip has installed successfully.


Intune Hybrid with ConfigMgr – Deploying required app to iOS from App Store

This post will show how to deploy a required application to an iPhone (or iOS device) from the App Store (Microsoft Excel) and also create a Mobile Application Management (MAM) Policy as Microsoft Excel requires it. My environment below is ConfigMgr Current Branch 1610 with an Intune subscription.

In the ConfigMgr console, go into Software Library, right click Applications and select Create Application


Select the type App Package for iOS from App Store. Paste the link of the app from the App Store. In this example, I have pasted the link for Microsoft Excel. You can browse the other apps from and get the link and paste it in. Click Next.



You can add the required information here and click Next.


Click Next



Now we will create our MAM (mobile application management) policy for Microsoft Excel, as it is required before we deploy the application. Right click on Application Management Policies and select Create Application Management Policies.


Select the platform as iOS.


I have left the options as default.



Now we can deploy our Microsoft Excel application we created before. Select the Application, right click and select Deploy.


I will be deploying it to my Intune Users collection


In my example, I am deploying it as Required. Alternatively you can deploy it as Available and then download it from the Company Portal app.


All other options have been left as default. Now on the Application Management section I have selected the MAM policy I created before. If you didn’t create this MAM policy then you will not be able to proceed (For Microsoft Excel anyway)


Now I am going to initiate a Send Sync Request to my iPhone.


Once the iPhone receives the policy, because it was a required application I deployed, the iPhone is presented with this screen. Microsoft Excel will begin to install.


Intune Hybrid MDM – Remote Wipe iPhone

This post will show how you can use ConfigMgr (I am using ConfigMgr Current Branch 1610) with an Intune subscription (hybrid MDM) to completely wipe an iPhone if it has been lost or stolen. When doing a full wipe, it will restore the iPhone to its factory settings (removing all company and user data).

In the ConfigMgr console, select the device and right click and select Remote Device Actions, then select Retire/Wipe


The warning below will be displayed where you can either do a selective wipe, or a full wipe. In my example, I will be doing a full wipe.


Another warning is displayed


I will send a sync request from the console to save time (a new feature in ConfigMgr Current Branch 1610).


Once the iPhone has received the sync request, you can see it is now doing a full factory restore, removing all company and user data.




Intune Hybrid MDM – Reset iPhone Passcode from ConfigMgr console

When an iPhone is enrolled with Intune (or other devices such as iOS/Android/Windows Phone 8 and Windows Phone 8.1) using Hybrid MDM, ConfigMgr provides the ability to be able to reset the passcode. This is very helpful if a user has forgotten their passcode.

This post will show how to clear the iPhone passcode using ConfigMgr Current Branch 1610 with an Intune subscription. When clearing the passcode on an iOS device, the passcode is actually cleared. A temporary passcode is not created.

Select the iPhone in the ConfigMgr console and right click, select Remote Device Actions, then select Reset Passcode.


The following warning will be displayed


One of the nice new features in ConfigMgr Current Branch 1610 in a hybrid deployment is the ability to request a policy sync for a device enrolled with Intune rather than having to do it from the Company Portal. 

Right click on the device, select Remote Device Actions, then select Send Sync Request


You see that the Passcode Reset state is set to Pending.


Once the passcode has been reset, you can see that the reset state is Succeeded.


On the iPhone, the passcode that was previously set is now removed. On my device, I would usually need the passcode to unlock it. Now I can unlock the device without a passcode and set a new one.


Intune Conditional Access with Exchange Online for Windows PC’s – User Experience

This post will show the end user experience when Conditional Access is configured to prevent non-domain-joined Windows 7 and Windows 10 PCs from accessing Exchange Online, either from the Outlook client or from OWA web mail. If you would like more information on how to configure Conditional Access and on the different scenarios, see Use conditional access with Intune and Configuration Manager.

In a ConfigMgr Current Branch 1610 Intune Hybrid environment, I have configured the Conditional Access in the ConfigMgr console which will then open up the Intune admin console


I have enabled conditional access policy.


Now on a non-domain joined Windows 7 machine when trying to access OWA, the user is presented with the “You can’t get there from here” screen below


And on the same Windows 7 machine, if a user tries to configure their Exchange Online account in Outlook application, they will get the same “You can’t get there from here” screen


This looks the same on Windows 10


The same screen when accessing OWA on a Windows 10 machine


What happens if a machine had Outlook configured and working before the Conditional Access policies were put in place? In my testing, when opening the Outlook app, the same screen was displayed when it tried to connect to Exchange Online


Adding Intune subscription to ConfigMgr for Hybrid MDM

This post will show you how to add an Intune subscription to ConfigMgr for Hybrid MDM and enable enrollment for iOS devices.

To see the benefits of using Intune with ConfigMgr rather than standalone, Microsoft has a good post Choose between Microsoft Intune standalone and hybrid mobile device management with System Center Configuration Manager

My current on-prem environment looks like this:

  • ConfigMgr Current Branch version 1606.
  • User collection created with users whose devices can be enrolled
  • Custom domain added and verified in Office 365 admin portal
  • Azure AD Connect set up to synchronize my user accounts to Azure AD. Steps to set this up are here
  • Intune subscription (You can get a 30 day trial subscription here)

First step to add the Intune subscription is to go into Cloud Services then right click Microsoft Intune Subscriptions and select Add Microsoft Intune Subscription


Have a read of the Getting Started and click Next.


Sign in with your Intune account


Have a read and if you agree, click the checkbox. Note that you can’t change this back unless you contact Microsoft Support.


Enter in your Intune username and password


Once you’re signed in, click on Next


Select the user collection with users whose devices can be enrolled. You can configure your company name and any other settings you like and click Next


Fill in any other information you would like and click Next


Specify a company logo if you like and click Next.


Select the user that you would like to be the Device Enrollment Manager. You can see more info here


If you would like to use MFA, select the enable checkbox and Next.


Confirm your settings and click Next.


Once it's finished, click Close. You can view Cloudusersync.log to make sure the role was set up successfully and look out for any errors.


Next we will create an APN. The Apple Push Notification service (APNs) certificate is used to establish a trust relationship between the management service, Intune, and enrolled iOS mobile devices




Next we will login to the APN certificate portal with an Apple ID. The link is here


Click on Create Certificate


Click Accept if you accept the terms and conditions.


Upload the certificate you created earlier.


Now Download the certificate


Now we will configure the iOS platform.


Click Enable and browse to the certificate you downloaded before and click Ok.


ConfigMgr CB 1610 – Cloud Management Gateway

One of the features in the newly released 1610 update for ConfigMgr Current Branch is the pre-release Cloud Management Gateway. This is similar to the Azure Cloud Proxy feature released in the Technical Preview 1606. I wrote a post on this here.

One thing to note that seems to be different from the TP is that the on-prem distribution point isn't supported for cloud management gateway traffic. You will need to set up an Azure cloud-based distribution point for clients to download content (applications etc.). However, you can enable the Management Point and Software Update Point to receive cloud management gateway traffic.

You can see the limitations of the Cloud Management Gateway here

This post will show you how I set up the Cloud Management Gateway in a lab. I won’t dive into the certificates part but information can be found at Step-by-step example deployment of the PKI certificates for System Center Configuration Manager: Windows Server 2008 Certification Authority and

A bit of info about my setup:

  • Azure subscription (you can get a trial here)
  • ConfigMgr Current Branch 1610 environment
  • Azure Management certificate uploaded to
  • Cloud management gateway certificate for <name> Info for that can be found here Note: this name needs to be unique and cannot exist in Azure
  • Workstation certificate installed on clients and exported as the root certificate
  • Management Point and SUP configured for HTTPS
  • Windows 10 client with Workstation Certificate enrolled to test 

As this is a pre-release feature, I enabled it when installing the 1610 update


Now you will see the Cloud Management Gateway under the Cloud Services section. Click Create.


Enter in your Azure Subscription ID which can be found from or and select the Management Certificate (which needs to already be uploaded to Azure)


When the cloud service PKI certificate is selected from the Browse button, the service name and FQDN will automatically be filled in (this is the common name from when the certificate was requested). Make sure a unique name was chosen earlier for the certificate as it will create a cloud service in Azure with <name>

Also specify the client certificate root. You can see instructions here. Make sure this is done properly as the client will get certificate issues when trying to connect to the Management Point.


You have the ability to set thresholds to create alerts regarding the outbound traffic as Azure charges you based on the Outbound traffic.



You can watch the provisioning status. Or even better, examine CloudMgr.log so you can see exactly what is going on and look out for any issues or errors.


Enable the site to use PKI certificate. The workstations that communicate with the Cloud Management Gateway need a Workstation certificate enrolled. Workstation Certificates are covered here.


Next the Cloud Management Gateway connection point role will be added.


The information is filled in automatically


Once the role has been added, the Management Point and Software Update Point need to allow Cloud Management Gateway traffic. Make sure the Web Server certificate for the MP/WSUS is configured in IIS. There is a guide on that here 


On the client, while it has a connection to the Internal network, you can restart SMS Agent Host service so it picks up the new Internet management point.

Once that is done on my client, I have given the machine only Internet access and no internal network access. I have restarted SMS Agent Host and you can see in LocationServices.log it is using the Cloud Management Gateway and the ConfigMgr client connection type is set to Internet.


If you’re curious about what it looks like in Azure, if you go to and go to Cloud Services (classic), you can see it created a ProxyService role which is meant to be running on an A2 VM.