Category Archives: SCCM Technical Preview

SCCM TP 1806 – Office Customization Tool integration

In the new Technical Preview version 1806 of SCCM, the Office Customization Tool is now integrated with the Office 365 installer. This gives a better admin experience than the previous Office 365 installer, and allows you to further customize your Office 365 ProPlus settings.

If you go to the Office 365 Client Management section and click on the Office 365 Installer, there is a new option to Go to Office Web Page.

O365-01

This is where we can start customizing Office 365 ProPlus including entering in your organisation name, selecting either 32 or 64bit, excluding certain products, and selecting your language.

O365-02

You can choose your update channel and a specific version. I have chosen semi-annual channel and the latest version.

O365-03

I have selected to automatically accept the EULA.

O365-04

This is one of the nice parts where you can further customize Office 365 ProPlus. I won’t go through all the settings but some of the settings I have configured are to disable the opt-in wizard at first run, and to disable the customer experience improvement, and to disable the first run movie.

O365-05

Once you’re done, click on Submit then close the webpage.

O365-06

You can continue on with the rest of the wizard as normal to download and deploy Office 365 ProPlus. It will create an application for you and the deployment types with requirement rules.

O365-07

At the end you can see that the wizard has created the Application with the configuration.xml with the settings specified in the Office Customization Tool.

O365-08

Advertisements

SCCM TP 1806 – Deploy updates without downloading them

In the recently released SCCM Technical Preview 1806, one of the new features is the ability to deploy software updates without downloading them to a deployment package. This post will quickly show how to deploy the updates without downloading them. My client is Windows 10 1803 which is Internet based and communicating with my Cloud Management Gateway. This means that I won’t need to distribute the updates to a Cloud Distribution Point and waste space.

When you go to deploy your software updates, on the deployment package section where previously you had to either select an existing deployment package or create a new one, you will see there is a new option called “No deployment package” and the text “Client will download content from peer cache or public cloud if available”

Updates01

I have gone and deployed this to a collection which my Internet based machine. I will click on Install and see what the logs say.

Updates02

As expected, you can see that the client is downloading updates from Microsoft..

Updates03

SCCM TP 1806 – Download content from a CMG

The Cloud Management Gateway keeps getting better and better. In recent release of the Technical Preview 1806, clients can now download content from the Cloud Management Gateway. This means you do not need to deploy a Cloud Distribution Point which will save costs of not needing additional Azure VM’s and certificates. It is also not mandatory now to use the trusted client root certificate. This is useful if you are only using Azure AD authentication. More information can be found Here.

Going through the new CMG wizard and signing in as normal and selecting to deploy the CMG in Azure Resource Manager.

CMG01

You can notice a few things different here. First I do not need to select the trusted client root certificate, before this was mandatory. And also there is a new checkbox “Allow CMG to function as a cloud distribution point and serve content from Azure storage

CMG02

Once the CMG has been deployed, I will use the Configuration Analyzer to make sure everything is OK.

CMG04

Now when you distribute content you can select your Cloud Management Gateway.

CMG03

After downloading an application from Software Center you can see that it connected to https://<cloudservicename>.blob.core.windows.net/

CMG05

 

 

SCCM TP 1805 – CMG Connection Analyzer

One of the nice new features in the SCCM Technical Preview 1805 is the CMG Connection analyzer to help you determine issues with your Cloud Management Gateway. At the moment it allows you to troubleshoot as a user authenticating through Azure AD, and a user authenticating with a client authentication certificate.

This post will show the different checks that the Connection analyzer performs, and the types of errors it displays when something has gone wrong. I will include a few scenario’s of me breaking my CMG and what the Connetion analyzer shows.

You will notice in the CMG section there is a new button called Connection analyzer.

CA01

You can see the different authentication options you get. First I will test logging in as an Azure AD user. You can see that the first two steps involve checking that the service is running and testing connecting to it.

CA02

Next we can see that its checking the configuration versions to make sure it matches between on-prem and Azure.

CA03

Here in my lab you can see that the next step checks the CMG connection point and confirms that it is connected.

CA04

I have set my management point to allow CMG traffic, the test confirms this.

CA05

The Azure AD user can authenticate against my management point without any issues.

CA06

Now if I was to break the certificate on my management point IIS bindings and run the test again, you can see that the test fails and reports some 500 status code errors and gives possible reasons.

CA07

Next up is testing using a client certificate. You have two options to load the certificate. You can either export the client authentication certificate from a machine with the private key, or you can connect to the Certificate Store.

CA072

In this Tech Preview when you try to connect to the Certificate Store, it will try to connect to the User Store and then report that there are no certificates available. So for this post I have chosen to export the client authentication certificate to run through the tests.

CA08

You can see below that it has the same steps as testing authenticating as an Azure AD user.

CA09

I have broken my Cloud Management Gateway Point role in my lab and run through the tests again to see what it fails on. You can see that it fails as it can’t connect to the CMG Service.

CA010_2

The same as below.

CA11

Another interesting scenario is if I use an incorrect Client trusted root certificate that is uploaded to the CMG service. You can see that it fails below with the 403 forbidden status code.

CA10

And again, you can see that it says that the certificate is not trusted by the CMG.

CA12

That is all the tests I have run so far. So far it is a good start. It seems quite a few customers have issues getting their CMG up and running, I think it is mostly to do with certificates. Hopefully in the future the descriptions can be improved with more details as to what could be wrong in the Connection analyzer to help customers troubleshoot more. The Cloud Management Gateway is an awesome feature.

SCCM Technical Preview 1805 – Improved secure client communications

One of the nice new features in the SCCM Technical Preview 1805 is the ability for an Azure AD joined device to communicate through the Cloud Management Gateway when the management point is configured for HTTP and not HTTPS. In the SCCM 1802 production release, the management point needs to be in HTTPS for this to work.

To view more about this feature see https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1805#improved-secure-client-communications

The post below will show how to configure an Azure AD joined Windows 10 1803 device communicate with the CMG whilst the management point is in HTTP mode. This post assumes that you have already created the Azure services and Cloud Management Gateway, and that the MP is in HTTP mode.

The first step is to check the box Use Configuration Manager-generated certificates for HTTP site systems on the site properties.

HTTPCMG01

Once it has been checked, if you open up computer certificates in MMC, you will see there is a new SMS Role SSL Certificate in the personal store.

HTTPCMG02

Once the certificate has been generated, you need to update your cloud services wizard, select the tenant from Azure Active Directory Tenants and select Update Application Settings and proceed with the prompts.

HTTPCMG03

Next part is to select the new certificate on the HTTPS bindings in IIS.

HTTPCMG04

Select the SMS Role SSL Certificate and click OK.

HTTPCMG05

One of the new cool features in the Technical Preview 1805 is the Connection analyzer. You can do this to check for any issues in your Cloud Management Gateway.

HTTPCMG06

Now previously my HTTPS bindings had no certificate selected. So when I tested the Azure AD Authentication with the CMG, I got the below error.

HTTPCMG07

Once I selected the certificate in the IIS bindings the tests worked fine.

HTTPCMG08

On a test Windows 10 1803 client which is joined to Azure Active Directory, I copied the SCCM client set up files and used the co-management command generated by the wizard (I did not enable co-management, I cancelled out of it after I got the set up switches) to install the client. I have added the /source switch to specify the source, and removed the /mp switch.

HTTPCMG09

The client has been installed on my Azure AD joined machine with my management point in HTTP and is communicating with the Cloud Management Gateway.

HTTPCMG10

The device ow shows up in the console and shows the current logged on user which is my Azure AD user.

HTTPCMG11

 

Cloud distribution point support for Azure Resource Manager

This post will show deploying a Cloud Distribution Point in Azure Resource Manager which is a new feature in SCCM Technical Preview 1805. Now you don’t need to create and upload a management certificate to Azure.

For a list of the other new awesome features in SCCM Technical Preview 1805, see https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1805#cloud-distribution-point-support-for-azure-resource-manager

First step is to configure Azure Services to create the Client and Server app registration in Azure, otherwise you will get this error when creating the Cloud DP:

ARMCloudDP01

Right click Azure Services and select Configure Azure Services

ARMCloudDP02

Give it a name and select Cloud Management and click Next.

ARMCloudDP03

Click on Browse to create the Server and Client apps.

ARMCloudDP04

Click on Create

ARMCloudDP05

Give it a name and sign into Azure then click on OK to create the App. Do the same for the Client App.

ARMCloudDP06

Once you have created both apps, click on Next.

ARMCloudDP07

You can see the apps now in App registrations, then click on All apps in portal.azure.com

ARMCloudDP08

Azure Active Directory User Discovery doesn’t need to be enabled for this example. If you do choose to configure it, make sure to give permissions to the Azure apps above in the Azure portal. There are plenty of other blogs for this. Click on Next and leave the other options as default to finish off the wizard.

ARMCloudDP09

I have created/requested/exported a certificate using these steps here https://docs.microsoft.com/en-us/sccm/core/plan-design/network/example-deployment-of-pki-certificates#BKMK_clouddp2008_cm2012 . I have gone into portal.azure.com then Cloud Services, and clicked Add to create a new cloud service and entered in the cloud service name I wanted, only to make sure it was available (unique) like in the picture below then canceled out. I have used that name for the common name when requesting the certificate.

ARMCloudDP11

In the ConfigMgr console, right click Cloud Distribution Points, click Create Cloud Distribution Point.

ARMCloudDP10

We now get the option to use the Azure Resource Manager deployment. Sign in with your Azure account and click Next.

ARMCloudDP12

I have chosen to create a new Azure Resource Group. Browse to the certificate you exported from https://docs.microsoft.com/en-us/sccm/core/plan-design/network/example-deployment-of-pki-certificates#BKMK_clouddp2008_cm2012 . This will re-populate the service name (which I made sure was unique earlier) and click Next and configure the rest of the settings like Alerts etc.

ARMCloudDP13

Once the Cloud Distribution Point status is Ready in \Administration\Overview\Cloud Services\Cloud Distribution Points, or check CloudMgr.log make sure the Cloud DP is enabled in the Client Settings under Cloud Services.

ARMCloudDP14ARMCloudDP15

Now I have distributed an application to the Cloud DP, tested downloading the application from Software Center on the client, and in the DataTransferService.log you can see it downloading from the new Cloud DP.

ARMCloudDP16

 

SCCM TP 1802 – Cloud Management Gateway Azure Resource Manager and Azure User collection deployments

Microsoft recently released update 1802 for SCCM Current Branch Technical Preview. Two new features that I was excited to test were:

  • Improvements in Cloud Management Gateway – Cloud management gateway support for Azure Resource Manager – When you deploy CMG with Azure Resource Manager, Azure AD is used to authenticate and create the cloud resources and does not require the classic Azure management certificate.
  • Install user-available applications on Azure AD-joined devices – You can now browse and install user-available applications from Software Center on Azure AD-joined devices.

This post will go into testing and configuring the Cloud Management Gateway in SCCM Technical Preview 1802 in Azure Resource Manager, creating a Cloud Distribution Point, installing the SCCM client on a machine enrolled into Intune to let SCCM manage the machine, and then finally deploying an application to a user collection containing Azure AD users.

In my lab, I currently have the following certificates:

  • Management certificate uploaded to the Azure portal and exported to PFX. Instructions Here
  • Management Point certificate for IIS, so the management point can be in HTTPS to authenticate Azure AD Clients. Instructions Here.
  • Certificate for my Cloud DP which was created by Digicert.
  • Certificate for my CMG which was created by Digicert
  • Trusted Root certificate exported from a client used for the CMG setup. Instructions Here.

Azure AD User Discovery:

First I have created the Cloud Management service in \Administration\Overview\Cloud Services\Azure Services. This will set up Azure AD User Discovery and allow clients to authenticate using Azure AD.

Right click Azure Services and select Configure Azure Services. Select Cloud Management.

CloudMgmt01

Select Browse next to Web App and click on Create to create the web app in Azure.

CloudMgmt0

Give everything a name, then sign into Azure AD and click on OK.

CloudMgmt03

Follow the same steps for the Native Client app. Once created, click OK.

CloudMgmt05

You can configure the polling schedule by clicking on Settings. Next Next finish…

CloudMgmt06

Now we need to grant the permissions in the apps we created in the Azure portal. Login to https://portal.azure.com Then click on Azure Active Directory, then App Registrations. Click the drop down to All Apps so you can see the apps that were created

CloudMgmt09

Now select the app, click on Settings, then Required permissions, then click on Grant Permissions. Do this for both apps.

CloudMgmt08

Once the permissions have updated, you shouldn’t see any access denied errors in SMS_AZUREAD_DISCOVERY_AGENT.log on your site server.

Cloud Management Gateway:

Now we will create the Cloud Management Gateway. In the SCCM console go to \Administration\Overview\Cloud Services\Cloud Management Gateway and right click Cloud Management Gateway and click Create Cloud Management Gateway.

Make sure Azure Resource Manager deployment is selected. Login with your Azure account and click Next.

CMGResMg-01

I have created a new resource group. Select your certificate file. I am using a certificate from Digicert. If you need to create a certificate see Here

Because I am using a certificate from Digicert, I have also created a CNAME in my external DNS to point my <cmgname>.domain.com to <cmgname>.cloudapp.net

Click on Certificates and add your Trusted Root certificate. I have cleared Verify Client Certificate Revocation. For details on how to get this certificate, see Here. Complete the rest of the wizard.

 

CMGResMg-02

Now I will add the Cloud management gateway connection point role on my site server from \Administration\Overview\Site Configuration\Servers and Site System Roles. Complete this wizard and make sure it connects to the newly created CMG.

CMGResMg-03

To authenticate the Azure AD clients, the Management Point must be in HTTPS and allow configuration manager cloud management gateway traffic. Make sure you have changed the bindings in IIS so the HTTPS uses the correct certificate. Details for that are Here

CMGResMg-04

Make sure clients can communicate with the Cloud distribution point and the Cloud management gateway in your client settings. You can do this by editing the client settings in the console here – \Administration\Overview\Client Settings

CMGResMg-05

Cloud Distribution Point:

First, login to the Azure portal https://portal.azure.com then go to Subscriptions. Take a note of your subscription ID as you will need it later, then click on your subscription. Click on Management Certificates under Settings, then Upload your management Certificate. Tip – you can create a management certificate using these steps Here.

In Administration\Cloud Services\Cloud Distribution Points, right click and Create Cloud Distribution Point.

Type in your Azure subscription ID and then browse to select the Management certificate.  Click Next.

CloudDP01

I am using a certicate from Digicert, I have created a CNAME in my external DNS that points the <clouddpname>.domain.com to <clouddpservicename>.cloudapp.net. If you need to create a certificate from your CA, then see the steps Here.

Click on Next then finish the wizard.

CloudDP02

Install the SCCM client from Intune:

In this section we will upload the ccmsetup.msi to Intune located on our SCCM site server in C:\Program Files\Microsoft Configuration Manager\bin\i386

In the Azure portal (https://portal.azure.com) go to Intune then Mobile Apps, then Add App. Select Line-of-business-app and browse to the ccmsetup.msi and click on Next.

CloudMgmt07

Fill in the required details including the command line arguments.

Note: An easy way to generate the command line arguments for the SCCM client is to configure the first few screens of the co-management wizard in the SCCM console in \Administration\Overview\Cloud Services\Co-management. You will then be presented with a box with the command line arguments that you can copy and paste. See the screenshot below.

IntuneClient01IntuneClient02

Once ccmsetup.msi has been uploaded. assign it to a group. I have a group with my Azure AD joined and Intune enrolled Windows 10 1709 machine.

IntuneClient03

On my Azure AD Joined and Intune enrolled Windows 10 1709 machine, after syncing with Intune, you can see that the client is now installing and grabbing the rest of the source files from the Cloud Distribution point I created earlier.

IntuneClient04

The client is now communicating through the Cloud Management Gateway and can now be seen in the SCCM devices.

IntuneClient05

I have created a User Collection containing my Azure AD Users that have been discovered. I will now create an application, and then deploy it to my Azure AD User collection.

IntuneClient06

I will deploy the application to my Cloud Distribution Point.

IntuneClient07

On my client you can see it downloaded the application from the Cloud Distribution Point and it is now seen as Installed in Software Center.

IntuneClient08IntuneClient10