Category Archives: SCCM Technical Preview

SCCM TP 1802 – Cloud Management Gateway Azure Resource Manager and Azure User collection deployments

Microsoft recently released update 1802 for SCCM Current Branch Technical Preview. Two new features that I was excited to test were:

  • Improvements in Cloud Management Gateway – Cloud management gateway support for Azure Resource Manager – When you deploy CMG with Azure Resource Manager, Azure AD is used to authenticate and create the cloud resources and does not require the classic Azure management certificate.
  • Install user-available applications on Azure AD-joined devices – You can now browse and install user-available applications from Software Center on Azure AD-joined devices.

This post will go into testing and configuring the Cloud Management Gateway in SCCM Technical Preview 1802 in Azure Resource Manager, creating a Cloud Distribution Point, installing the SCCM client on a machine enrolled into Intune to let SCCM manage the machine, and then finally deploying an application to a user collection containing Azure AD users.

In my lab, I currently have the following certificates:

  • Management certificate uploaded to the Azure portal and exported to PFX. Instructions Here
  • Management Point certificate for IIS, so the management point can be in HTTPS to authenticate Azure AD Clients. Instructions Here.
  • Certificate for my Cloud DP which was created by Digicert.
  • Certificate for my CMG which was created by Digicert
  • Trusted Root certificate exported from a client used for the CMG setup. Instructions Here.

Azure AD User Discovery:

First I have created the Cloud Management service in \Administration\Overview\Cloud Services\Azure Services. This will set up Azure AD User Discovery and allow clients to authenticate using Azure AD.

Right click Azure Services and select Configure Azure Services. Select Cloud Management.

CloudMgmt01

Select Browse next to Web App and click on Create to create the web app in Azure.

CloudMgmt0

Give everything a name, then sign into Azure AD and click on OK.

CloudMgmt03

Follow the same steps for the Native Client app. Once created, click OK.

CloudMgmt05

You can configure the polling schedule by clicking on Settings. Then click Next through the remaining pages and finish the wizard.

CloudMgmt06

Now we need to grant the permissions in the apps we created in the Azure portal. Log in to https://portal.azure.com, then click on Azure Active Directory, then App Registrations. Click the drop-down and select All Apps so you can see the apps that were created.

CloudMgmt09

Now select the app, click on Settings, then Required permissions, then click on Grant Permissions. Do this for both apps.

CloudMgmt08

Once the permissions have updated, you shouldn’t see any access denied errors in SMS_AZUREAD_DISCOVERY_AGENT.log on your site server.

Cloud Management Gateway:

Now we will create the Cloud Management Gateway. In the SCCM console go to \Administration\Overview\Cloud Services\Cloud Management Gateway and right click Cloud Management Gateway and click Create Cloud Management Gateway.

Make sure Azure Resource Manager deployment is selected. Login with your Azure account and click Next.

CMGResMg-01

I have created a new resource group. Select your certificate file. I am using a certificate from Digicert. If you need to create a certificate see Here

Because I am using a certificate from Digicert, I have also created a CNAME in my external DNS to point my <cmgname>.domain.com to <cmgname>.cloudapp.net

Click on Certificates and add your Trusted Root certificate. I have cleared Verify Client Certificate Revocation. For details on how to get this certificate, see Here. Complete the rest of the wizard.

 

CMGResMg-02

Now I will add the Cloud management gateway connection point role on my site server from \Administration\Overview\Site Configuration\Servers and Site System Roles. Complete this wizard and make sure it connects to the newly created CMG.

CMGResMg-03

To authenticate the Azure AD clients, the Management Point must be in HTTPS and allow Configuration Manager cloud management gateway traffic. Make sure you have changed the bindings in IIS so that HTTPS uses the correct certificate. Details for that are Here.

CMGResMg-04

Make sure clients can communicate with the Cloud distribution point and the Cloud management gateway in your client settings. You can do this by editing the client settings in the console here – \Administration\Overview\Client Settings

CMGResMg-05

Cloud Distribution Point:

First, log in to the Azure portal at https://portal.azure.com, then go to Subscriptions. Take a note of your subscription ID as you will need it later, then click on your subscription. Click on Management Certificates under Settings, then upload your management certificate. Tip – you can create a management certificate using these steps Here.

In Administration\Cloud Services\Cloud Distribution Points, right click and Create Cloud Distribution Point.

Type in your Azure subscription ID and then browse to select the Management certificate.  Click Next.

CloudDP01

I am using a certificate from Digicert, so I have created a CNAME in my external DNS that points <clouddpname>.domain.com to <clouddpservicename>.cloudapp.net. If you need to create a certificate from your CA, then see the steps Here.

Click on Next then finish the wizard.

CloudDP02

Install the SCCM client from Intune:

In this section we will upload ccmsetup.msi to Intune. The file is located on the SCCM site server in C:\Program Files\Microsoft Configuration Manager\bin\i386

In the Azure portal (https://portal.azure.com) go to Intune, then Mobile Apps, then Add App. Select Line-of-business app, browse to the ccmsetup.msi and click on Next.

CloudMgmt07

Fill in the required details including the command line arguments.

Note: An easy way to generate the command line arguments for the SCCM client is to configure the first few screens of the co-management wizard in the SCCM console in \Administration\Overview\Cloud Services\Co-management. You will then be presented with a box with the command line arguments that you can copy and paste. See the screenshot below.

IntuneClient01IntuneClient02

Once ccmsetup.msi has been uploaded, assign it to a group. I have a group with my Azure AD joined and Intune enrolled Windows 10 1709 machine.

IntuneClient03

On my Azure AD Joined and Intune enrolled Windows 10 1709 machine, after syncing with Intune, you can see that the client is now installing and grabbing the rest of the source files from the Cloud Distribution point I created earlier.

IntuneClient04

The client is now communicating through the Cloud Management Gateway and can now be seen in the SCCM devices.

IntuneClient05

I have created a User Collection containing my Azure AD Users that have been discovered. I will now create an application, and then deploy it to my Azure AD User collection.

IntuneClient06

I will deploy the application to my Cloud Distribution Point.

IntuneClient07

On my client you can see it downloaded the application from the Cloud Distribution Point and it is now seen as Installed in Software Center.

IntuneClient08IntuneClient10

 


SCCM TP 1708 – Software Center Customization

With the recently released SCCM Technical Preview 1708, you can now customize the Software Center look including the company name and logo, colour schemes, and hiding different tabs. This post will demonstrate how you can customize Software Center and how it looks.

These settings are configured in the Client Settings. You can see that there is now a Software Center section as displayed in the picture below.

Once you select Yes for Select these new settings to specify the company information, you can configure all the other settings. In my example below, I have set a company name, I have set the colour scheme and also used a logo. If you like, you can also choose to hide certain tabs.

SC01

When setting a logo for Software Center, note that the maximum dimensions are 100×400 pixels, and the file cannot be larger than 750kb in size.

SC02

This is how my Software Center previously looked without doing any customization.

SC03

Now after adding the colour scheme, Software Center logo and company name, the Software Center looks like the image below.

SC04

Update 1606 for Configuration Manager Technical Preview

Update 1606 for Configuration Manager Technical Preview has been released.

Automatically categorize devices into collections:
Device categories can be created to automatically place devices into device collections when ConfigMgr is used with Microsoft Intune. Users are required to choose a device category when they enroll a device in Intune. The category of a device can also be changed in the ConfigMgr console.

Enforcement grace period for required application and software update deployments
Users can set a grace period for required application deployments or software updates that are past the deadline. Useful for machines that have been turned off for a while.

Using Configuration Manager as a managed installer with Device Guard
Device Guard is a feature in Windows 10. ConfigMgr can work with Device Guard so that software deployed from ConfigMgr is automatically trusted.

Multiple device management points for On-premises Mobile Device Management

Cloud Proxy Service for managing clients on the Internet
New feature to manage ConfigMgr clients on the Internet. The service is deployed to Azure and connects your on-premises ConfigMgr infrastructure using the cloud proxy connector point (new role). It currently supports the management point, distribution point and software update point roles.

Manage the Office 365 client agent in Configuration Manager
Instead of using a Group Policy setting, you can configure a ConfigMgr client agent setting to enable Office 365 clients to receive updates from ConfigMgr.

The OSDPreserveDriveLetter task sequence variable has been deprecated
Windows Setup now determines the best drive letter to use (typically C:). You can still change the drive letter location in Apply Operating System task sequence step.

Changes for the Updates and Servicing Node

For more info: https://technet.microsoft.com/en-us/library/mt732696.aspx

Software updates not synchronizing – Sync failed: WSUS update source not found on site

I installed a trial of Configuration Manager 2016 Technical Preview 4 and set up and configured the Software Update point. I wasn’t able to synchronize any updates.

I checked wsyncmgr.log and saw Sync failed: WSUS update source not found on site
wsussource1

The workaround was to configure the Software Update Point and disable/remove all Classifications and Products and then to schedule another sync.

wsussource2
wsussource3
wsussource4

After this, I scheduled another sync, and the sync completed.

wsussource5

I then went back and re-configured the Software Update Point for the Classifications and Products I wanted, then scheduled another sync and it worked fine.

wsussource6

Lab Build – System Center Configuration Manager Technical Preview

Today I wanted to check out the new features of the Microsoft System Center Configuration Manager Technical Preview.

The technical preview includes new features such as:

  • Windows 10 in-place upgrade
  • Mobile Application Management
  • Data protection for mobile devices
  • Preferred management points
  • On-premises mobile device management (MDM)
  • Support for Microsoft Azure virtual machines
  • Client deployment status in console monitoring

All ISOs in this lab were downloaded from TechNet's Evaluation Center at https://technet.microsoft.com/evalcenter

The servers in my lab are running Server 2012 R2

Configuration: I have 3 Hyper-V Machines

Domain controller – Server 2012 R2
SQL Server – SQL 2012 SP1, Server 2012 R2
SCCM Server – System Center Configuration Manager Technical Preview, Server 2012 R2

Windows Firewall is disabled.

On my SQL machine I kicked off the SQL 2012 SP1 build.

sql1

I selected SQL Server Feature Installation.

sql2

Selected Database Engine Services, Reporting Services and Management Tools.

sql3

I used the default instance for this lab.

sql4

Earlier I created a normal domain account called ser-sql which I used for my SQL service accounts.

I changed Startup Type to Automatic for SQL Server Agent.

sql5

SQL Collation is SQL_Latin1_General_CP1_CI_AS.

sql6

Added my current user as a SQL Administrator and left Windows authentication mode selected.

sql7

Once SQL had been installed, I opened SQL Server Management Studio, right-clicked the SQL server, then Memory, and changed the maximum memory from unlimited to 2048MB to suit my lab.

sql9

In Computer Management, added my SCCM server to local administrator group.

sql10

Extending the Schema is the same as in SCCM 2012.
Make sure the account you're running as is a member of Schema Admins.

Run SMSSETUP\BIN\X64\extadsch.exe and make sure it says it is successful.

sccm1

Next I opened up ADSIEdit to create the System Management container and give the SCCM computer account the correct permissions.

sccm2

Connected to default naming context. Right click system and create new object. Create a container.

sccm3
Give it the value of System Management

sccm4
Right click the System Management container after creating it, then Properties, then Security, and add the SCCM computer account.

Click Full Control then advanced.

sccm5

Select the SCCM computer account and click Edit
sccm6

Select Applies to This object and all descendant objects

sccm7
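The ADSIEdit steps above can also be scripted. This is an added example, not part of the original post: it creates the System Management container and grants the site server's computer account Full Control on this object and all descendant objects. `SCCM01` is a placeholder computer name; the ActiveDirectory PowerShell module (RSAT) is assumed to be installed.

```powershell
# Added example (not from the original post). Run as an account that is
# allowed to create objects under CN=System in the domain.
Import-Module ActiveDirectory

$SiteServer  = 'SCCM01'   # assumption: placeholder name of the SCCM server
$systemDn    = "CN=System,$((Get-ADDomain).DistinguishedName)"
$containerDn = "CN=System Management,$systemDn"

# Create the container only if it does not already exist.
$existing = Get-ADObject -SearchBase $systemDn -SearchScope OneLevel `
    -LDAPFilter '(&(objectClass=container)(cn=System Management))'
if (-not $existing) {
    New-ADObject -Type container -Name 'System Management' -Path $systemDn
}

# Full Control (GenericAll), applied to "This object and all descendant
# objects" (ActiveDirectorySecurityInheritance::All), for the computer account.
$sid  = (Get-ADComputer -Identity $SiteServer).SID
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl = Get-Acl -Path "AD:\$containerDn"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$containerDn" -AclObject $acl

# Read the ACL back and show only the explicit entry for the site server,
# so the scope of the delegation can be reviewed.
(Get-Acl -Path "AD:\$containerDn").Access |
    Where-Object { -not $_.IsInherited -and
                   $_.IdentityReference -like "*\$SiteServer`$" } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType
```

The final command should list one entry for the computer account with `GenericAll` and `InheritanceType` of `All`; the grant is scoped to the System Management container, not to CN=System itself.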

Prerequisites:

Install Windows Assessment and Deployment Kit (ADK)
Select Deployment Tools
Windows Preinstallation Environment (Windows PE)
User State Migration Tool (USMT)

.NET Framework 3.5 Features
Background Intelligent Transfer Services (BITS)
Remote Differential Compression

IIS Configuration:
Application Development:
ISAPI Extensions

IIS Security:
Windows Authentication

IIS 6 Management Compatibility:
IIS 6 Metabase Compatibility
IIS 6 WMI Compatibility

sccm8
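The Windows features and IIS role services in the list above can be checked and installed from PowerShell. This is an added example, not part of the original post; the feature names are the Server 2012 R2 names for the listed items, and `-SxsSource` is a parameter of this example script. The ADK is a separate download and is not covered here.

```powershell
# Added example (not from the original post). Run elevated on the SCCM server.
param(
    # Assumption: optional path to \sources\sxs on the Server 2012 R2 media.
    # .NET Framework 3.5 may fail to install without it when the payload is
    # not on disk and Windows Update is unreachable.
    [string]$SxsSource
)

# Windows feature name -> item from the prerequisite list
$required = [ordered]@{
    'NET-Framework-Core' = '.NET Framework 3.5'
    'BITS'               = 'Background Intelligent Transfer Services (BITS)'
    'RDC'                = 'Remote Differential Compression'
    'Web-ISAPI-Ext'      = 'IIS: ISAPI Extensions'
    'Web-Windows-Auth'   = 'IIS: Windows Authentication'
    'Web-Metabase'       = 'IIS 6 Metabase Compatibility'
    'Web-WMI'            = 'IIS 6 WMI Compatibility'
}

# Report the current state of every prerequisite.
$state = Get-WindowsFeature -Name @($required.Keys)
foreach ($feature in $state) {
    $status = if ($feature.Installed) { 'OK     ' } else { 'MISSING' }
    Write-Output ("{0}  {1}  ({2})" -f $status, $required[$feature.Name], $feature.Name)
}

# Install only what is missing, so nothing beyond the list gets enabled.
$missing = @($state | Where-Object { -not $_.Installed })
if ($missing.Count -gt 0) {
    $installArgs = @{ Name = $missing.Name }
    if ($SxsSource) { $installArgs.Source = $SxsSource }

    $result = Install-WindowsFeature @installArgs
    if (-not $result.Success) {
        Write-Warning 'One or more features failed to install.'
    }
    if ($result.RestartNeeded -ne 'No') {
        Write-Warning 'A restart is required before running SCCM setup.'
    }
}
```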

Install a Configuration Manager Primary Site

sccm9

I left options as default.

sccm10

Enter in the path to download any required files

sccm11

Choose your site code and site name

sccm12

This is a lab so log files will be kept as default.

sccm13

sccm14

I will be using HTTP not HTTPS

sccm15

My lab machine will be both management point and distribution point

sccm16

Click Next. If any of the prerequisite checks fail, read what has failed to rectify the issues.

sccm17

Once the installation has finished, you can open the Configuration Manager console and view Configuration Manager Preview.

sccm19

When I have time I will be looking into the new features next.