SCCM TP 1806 – Download content from a CMG

The Cloud Management Gateway keeps getting better and better. In recent release of the Technical Preview 1806, clients can now download content from the Cloud Management Gateway. This means you do not need to deploy a Cloud Distribution Point which will save costs of not needing additional Azure VM’s and certificates. It is also not mandatory now to use the trusted client root certificate. This is useful if you are only using Azure AD authentication. More information can be found Here.

Going through the new CMG wizard and signing in as normal and selecting to deploy the CMG in Azure Resource Manager.

CMG01

You can notice a few things different here. First I do not need to select the trusted client root certificate, before this was mandatory. And also there is a new checkbox “Allow CMG to function as a cloud distribution point and serve content from Azure storage

CMG02

Once the CMG has been deployed, I will use the Configuration Analyzer to make sure everything is OK.

CMG04

Now when you distribute content you can select your Cloud Management Gateway.

CMG03

After downloading an application from Software Center you can see that it connected to https://<cloudservicename>.blob.core.windows.net/

CMG05

 

 

Advertisements

SCCM TP 1805 – CMG Connection Analyzer

One of the nice new features in the SCCM Technical Preview 1805 is the CMG Connection analyzer to help you determine issues with your Cloud Management Gateway. At the moment it allows you to troubleshoot as a user authenticating through Azure AD, and a user authenticating with a client authentication certificate.

This post will show the different checks that the Connection analyzer performs, and the types of errors it displays when something has gone wrong. I will include a few scenario’s of me breaking my CMG and what the Connetion analyzer shows.

You will notice in the CMG section there is a new button called Connection analyzer.

CA01

You can see the different authentication options you get. First I will test logging in as an Azure AD user. You can see that the first two steps involve checking that the service is running and testing connecting to it.

CA02

Next we can see that its checking the configuration versions to make sure it matches between on-prem and Azure.

CA03

Here in my lab you can see that the next step checks the CMG connection point and confirms that it is connected.

CA04

I have set my management point to allow CMG traffic, the test confirms this.

CA05

The Azure AD user can authenticate against my management point without any issues.

CA06

Now if I was to break the certificate on my management point IIS bindings and run the test again, you can see that the test fails and reports some 500 status code errors and gives possible reasons.

CA07

Next up is testing using a client certificate. You have two options to load the certificate. You can either export the client authentication certificate from a machine with the private key, or you can connect to the Certificate Store.

CA072

In this Tech Preview when you try to connect to the Certificate Store, it will try to connect to the User Store and then report that there are no certificates available. So for this post I have chosen to export the client authentication certificate to run through the tests.

CA08

You can see below that it has the same steps as testing authenticating as an Azure AD user.

CA09

I have broken my Cloud Management Gateway Point role in my lab and run through the tests again to see what it fails on. You can see that it fails as it can’t connect to the CMG Service.

CA010_2

The same as below.

CA11

Another interesting scenario is if I use an incorrect Client trusted root certificate that is uploaded to the CMG service. You can see that it fails below with the 403 forbidden status code.

CA10

And again, you can see that it says that the certificate is not trusted by the CMG.

CA12

That is all the tests I have run so far. So far it is a good start. It seems quite a few customers have issues getting their CMG up and running, I think it is mostly to do with certificates. Hopefully in the future the descriptions can be improved with more details as to what could be wrong in the Connection analyzer to help customers troubleshoot more. The Cloud Management Gateway is an awesome feature.

SCCM Technical Preview 1805 – Improved secure client communications

One of the nice new features in the SCCM Technical Preview 1805 is the ability for an Azure AD joined device to communicate through the Cloud Management Gateway when the management point is configured for HTTP and not HTTPS. In the SCCM 1802 production release, the management point needs to be in HTTPS for this to work.

To view more about this feature see https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1805#improved-secure-client-communications

The post below will show how to configure an Azure AD joined Windows 10 1803 device communicate with the CMG whilst the management point is in HTTP mode. This post assumes that you have already created the Azure services and Cloud Management Gateway, and that the MP is in HTTP mode.

The first step is to check the box Use Configuration Manager-generated certificates for HTTP site systems on the site properties.

HTTPCMG01

Once it has been checked, if you open up computer certificates in MMC, you will see there is a new SMS Role SSL Certificate in the personal store.

HTTPCMG02

Once the certificate has been generated, you need to update your cloud services wizard, select the tenant from Azure Active Directory Tenants and select Update Application Settings and proceed with the prompts.

HTTPCMG03

Next part is to select the new certificate on the HTTPS bindings in IIS.

HTTPCMG04

Select the SMS Role SSL Certificate and click OK.

HTTPCMG05

One of the new cool features in the Technical Preview 1805 is the Connection analyzer. You can do this to check for any issues in your Cloud Management Gateway.

HTTPCMG06

Now previously my HTTPS bindings had no certificate selected. So when I tested the Azure AD Authentication with the CMG, I got the below error.

HTTPCMG07

Once I selected the certificate in the IIS bindings the tests worked fine.

HTTPCMG08

On a test Windows 10 1803 client which is joined to Azure Active Directory, I copied the SCCM client set up files and used the co-management command generated by the wizard (I did not enable co-management, I cancelled out of it after I got the set up switches) to install the client. I have added the /source switch to specify the source, and removed the /mp switch.

HTTPCMG09

The client has been installed on my Azure AD joined machine with my management point in HTTP and is communicating with the Cloud Management Gateway.

HTTPCMG10

The device ow shows up in the console and shows the current logged on user which is my Azure AD user.

HTTPCMG11

 

Cloud distribution point support for Azure Resource Manager

This post will show deploying a Cloud Distribution Point in Azure Resource Manager which is a new feature in SCCM Technical Preview 1805. Now you don’t need to create and upload a management certificate to Azure.

For a list of the other new awesome features in SCCM Technical Preview 1805, see https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1805#cloud-distribution-point-support-for-azure-resource-manager

First step is to configure Azure Services to create the Client and Server app registration in Azure, otherwise you will get this error when creating the Cloud DP:

ARMCloudDP01

Right click Azure Services and select Configure Azure Services

ARMCloudDP02

Give it a name and select Cloud Management and click Next.

ARMCloudDP03

Click on Browse to create the Server and Client apps.

ARMCloudDP04

Click on Create

ARMCloudDP05

Give it a name and sign into Azure then click on OK to create the App. Do the same for the Client App.

ARMCloudDP06

Once you have created both apps, click on Next.

ARMCloudDP07

You can see the apps now in App registrations, then click on All apps in portal.azure.com

ARMCloudDP08

Azure Active Directory User Discovery doesn’t need to be enabled for this example. If you do choose to configure it, make sure to give permissions to the Azure apps above in the Azure portal. There are plenty of other blogs for this. Click on Next and leave the other options as default to finish off the wizard.

ARMCloudDP09

I have created/requested/exported a certificate using these steps here https://docs.microsoft.com/en-us/sccm/core/plan-design/network/example-deployment-of-pki-certificates#BKMK_clouddp2008_cm2012 . I have gone into portal.azure.com then Cloud Services, and clicked Add to create a new cloud service and entered in the cloud service name I wanted, only to make sure it was available (unique) like in the picture below then canceled out. I have used that name for the common name when requesting the certificate.

ARMCloudDP11

In the ConfigMgr console, right click Cloud Distribution Points, click Create Cloud Distribution Point.

ARMCloudDP10

We now get the option to use the Azure Resource Manager deployment. Sign in with your Azure account and click Next.

ARMCloudDP12

I have chosen to create a new Azure Resource Group. Browse to the certificate you exported from https://docs.microsoft.com/en-us/sccm/core/plan-design/network/example-deployment-of-pki-certificates#BKMK_clouddp2008_cm2012 . This will re-populate the service name (which I made sure was unique earlier) and click Next and configure the rest of the settings like Alerts etc.

ARMCloudDP13

Once the Cloud Distribution Point status is Ready in \Administration\Overview\Cloud Services\Cloud Distribution Points, or check CloudMgr.log make sure the Cloud DP is enabled in the Client Settings under Cloud Services.

ARMCloudDP14ARMCloudDP15

Now I have distributed an application to the Cloud DP, tested downloading the application from Software Center on the client, and in the DataTransferService.log you can see it downloading from the new Cloud DP.

ARMCloudDP16

 

Intune – Windows Information Protection without enrollment

This post will show how you can use the Office 365 suite of apps deployed to a Windows 10 Pro 1709 device (with an EMS E3 license assigned), to enroll the device into MAM. This involves deploying a Windows Information Protection policy in Intune using the “without enrollment” setting, which means the device is not enrolled into Intune.

Suggested reading:
Protect your enterprise data using Windows Information Protection (WIP)
Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune

Make sure the MAM groups are configured, in the Intune portal in https://portal.azure.com go to Azure Active Directory > Mobility (MDM and MAM) then Microsoft Intune.

wipmam01

I have an Azure AD group called Intune and an Azure AD group called MAM enrollment. The user I will be using in this demonstration is a member of the MAM enrollment group.

A caution from Microsoft “If both MAM user scope and automatic MDM enrollment (MDM user scope) are enabled for a group, only MAM is enabled. Only MAM is added for users in that group when they workplace join personal device. Devices are not automatically MDM enrolled.”

wipmam02

Now i’ll create the MAM/Windows Information Protection policy. In Intune > Mobileapps > App protection policies, select Add a policy

wipmam03

Give the policy a name and description, select Windows 10 for the platform, and select without enrollment for the enrollment state. Click on Add apps.

wipmam04

I’ll be adding some apps to allow them to access my corporate data.

wipmam05

After clicking OK on the section above, I will add some more apps such as Outlook and Word. For the publisher, make sure you specify “O=Microsoft Corporation, L=Redmond, S=Washington, C=US”

wipmam06

For now, I will skip the Exempt apps. On the required settings, in this demonstration I will select the Block setting, which will prevent users from moving data from an allowed app into a non-allowed app.

wipmam07

In the advanced settings, I will rename the Cloud resources section to Office 365, and also add OneDrive to the list and Office 365 email. In the example I have added “<domain>-my.sharepoint.com for OneDrive, and outlook.office365.com for Exchange Online. Seperate these by a “|”. So my full list is <domain>-my.sharepoint.com|<domain>.sharepoint.com|outlook.office365.com

wipmam08

Click on Create, then assign the policy to a group.

wipmam10

Once the policy has been assigned to a group, on a Windows 10 1709 Pro machine, with Office 365 installed, when adding an account to Microsoft Office product such as Word, it will ask you to sign in. This is where you can register the device in Azure AD and enroll the device into MAM.

Click Sign in

wipmam11

Type in the account that is a member of the group that has the MAM enrollment enabled, and also a member of the group which had the WIP policy assigned

wipmam12

Enter in the password and click Sign in

wipmam13

Make sure you say Yes here. This is where it will register the device in Azure AD, and also enroll it into MAM.

wipmam14wipmam15wipmam16

From the above steps, in the Azure portal, we can see the device now in Azure AD as Azure AD Registered.

wipmam17

Also on the Windows 10 device you can go to Settings > Accounts > Access work or school, and you should see your Azure AD account there. Select it and click Info. You can see the Management Server Address shows its enrolled into MAM now.

wipmam20

Earlier in the policy I set Microsoft Word to be a protected app to access enterprise data. In this demonstration I will save some corporate data, and click the drop down near File name and select Work.

wipmam18

Now if I try and copy and paste text out of the protected document into a non protected app such as Notepad running in personal context, I get the message “Can’t use content here. Your organization doesn’t allow you to use work content here”. This is because I set the Windows Information Protection Mode to Block in the WIP policy above.

wipmam19

What happens if the device is unenrolled from MAM? The encryption key has been revoked and you will get this message when opening a Work protected document

wipmam21

PXE – RequestMPKeyInformation: Send() failed.

I recently applied a hotfix to my SCCM Current Branch environment. When attempting to PXE boot a machine, the smspxe.log reported:

RequestMPKeyInformation: Send() failed.
PXE::MP_InitializeTransport failed; 0x80004005
PXE::MP_ReportStatus failed; 0x80070490
PXE::CPolicyProvider::InitializePerformanceCounters failed; 0x80070002
PXE::MP_LookupDevice failed; 0x80070490

PXE01

I first tried unchecking the PXE option on the distribution point to remove Windows Deployment Services and then re-enabling PXE support on the distribution point. This was the same issue.  After troubleshooting more I tried to open up http://fqdn/sms_mp/.sms_aut?mplist in IE and it displayed a 403.4 Forbidden Access error. My management point is not set to use HTTPS.

I checked the IIS logs on my management point and saw consistent 403.4 forbidden access on directories such as SMS_MP and ccm_system. In IIS on those virtual direcories, I checked the SSL Settings and noticed they were set to “Require SSL”. This is strange because my management point is in HTTP.

The fix was to uninstall the management point and then reinstall it. Keep an eye on MPSetup.log in your SCCM site server logs for when the MP has uninstalled and then re-add the role.

PXE started working again without any errors.

SCCM TP 1802 – Cloud Management Gateway Azure Resource Manager and Azure User collection deployments

Microsoft recently released update 1802 for SCCM Current Branch Technical Preview. Two new features that I was excited to test were:

  • Improvements in Cloud Management Gateway – Cloud management gateway support for Azure Resource Manager – When you deploy CMG with Azure Resource Manager, Azure AD is used to authenticate and create the cloud resources and does not require the classic Azure management certificate.
  • Install user-available applications on Azure AD-joined devices – You can now browse and install user-available applications from Software Center on Azure AD-joined devices.

This post will go into testing and configuring the Cloud Management Gateway in SCCM Technical Preview 1802 in Azure Resource Manager, creating a Cloud Distribution Point, installing the SCCM client on a machine enrolled into Intune to let SCCM manage the machine, and then finally deploying an application to a user collection containing Azure AD users.

In my lab, I currently have the following certificates:

  • Management certificate uploaded to the Azure portal and exported to PFX. Instructions Here
  • Management Point certificate for IIS, so the management point can be in HTTPS to authenticate Azure AD Clients. Instructions Here.
  • Certificate for my Cloud DP which was created by Digicert.
  • Certificate for my CMG which was created by Digicert
  • Trusted Root certificate exported from a client used for the CMG setup. Instructions Here.

Azure AD User Discovery:

First I have created the Cloud Management service in \Administration\Overview\Cloud Services\Azure Services. This will set up Azure AD User Discovery and allow clients to authenticate using Azure AD.

Right click Azure Services and select Configure Azure Services. Select Cloud Management.

CloudMgmt01

Select Browse next to Web App and click on Create to create the web app in Azure.

CloudMgmt0

Give everything a name, then sign into Azure AD and click on OK.

CloudMgmt03

Follow the same steps for the Native Client app. Once created, click OK.

CloudMgmt05

You can configure the polling schedule by clicking on Settings. Next Next finish…

CloudMgmt06

Now we need to grant the permissions in the apps we created in the Azure portal. Login to https://portal.azure.com Then click on Azure Active Directory, then App Registrations. Click the drop down to All Apps so you can see the apps that were created

CloudMgmt09

Now select the app, click on Settings, then Required permissions, then click on Grant Permissions. Do this for both apps.

CloudMgmt08

Once the permissions have updated, you shouldn’t see any access denied errors in SMS_AZUREAD_DISCOVERY_AGENT.log on your site server.

Cloud Management Gateway:

Now we will create the Cloud Management Gateway. In the SCCM console go to \Administration\Overview\Cloud Services\Cloud Management Gateway and right click Cloud Management Gateway and click Create Cloud Management Gateway.

Make sure Azure Resource Manager deployment is selected. Login with your Azure account and click Next.

CMGResMg-01

I have created a new resource group. Select your certificate file. I am using a certificate from Digicert. If you need to create a certificate see Here

Because I am using a certificate from Digicert, I have also created a CNAME in my external DNS to point my <cmgname>.domain.com to <cmgname>.cloudapp.net

Click on Certificates and add your Trusted Root certificate. I have cleared Verify Client Certificate Revocation. For details on how to get this certificate, see Here. Complete the rest of the wizard.

 

CMGResMg-02

Now I will add the Cloud management gateway connection point role on my site server from \Administration\Overview\Site Configuration\Servers and Site System Roles. Complete this wizard and make sure it connects to the newly created CMG.

CMGResMg-03

To authenticate the Azure AD clients, the Management Point must be in HTTPS and allow configuration manager cloud management gateway traffic. Make sure you have changed the bindings in IIS so the HTTPS uses the correct certificate. Details for that are Here

CMGResMg-04

Make sure clients can communicate with the Cloud distribution point and the Cloud management gateway in your client settings. You can do this by editing the client settings in the console here – \Administration\Overview\Client Settings

CMGResMg-05

Cloud Distribution Point:

First, login to the Azure portal https://portal.azure.com then go to Subscriptions. Take a note of your subscription ID as you will need it later, then click on your subscription. Click on Management Certificates under Settings, then Upload your management Certificate. Tip – you can create a management certificate using these steps Here.

In Administration\Cloud Services\Cloud Distribution Points, right click and Create Cloud Distribution Point.

Type in your Azure subscription ID and then browse to select the Management certificate.  Click Next.

CloudDP01

I am using a certicate from Digicert, I have created a CNAME in my external DNS that points the <clouddpname>.domain.com to <clouddpservicename>.cloudapp.net. If you need to create a certificate from your CA, then see the steps Here.

Click on Next then finish the wizard.

CloudDP02

Install the SCCM client from Intune:

In this section we will upload the ccmsetup.msi to Intune located on our SCCM site server in C:\Program Files\Microsoft Configuration Manager\bin\i386

In the Azure portal (https://portal.azure.com) go to Intune then Mobile Apps, then Add App. Select Line-of-business-app and browse to the ccmsetup.msi and click on Next.

CloudMgmt07

Fill in the required details including the command line arguments.

Note: An easy way to generate the command line arguments for the SCCM client is to configure the first few screens of the co-management wizard in the SCCM console in \Administration\Overview\Cloud Services\Co-management. You will then be presented with a box with the command line arguments that you can copy and paste. See the screenshot below.

IntuneClient01IntuneClient02

Once ccmsetup.msi has been uploaded. assign it to a group. I have a group with my Azure AD joined and Intune enrolled Windows 10 1709 machine.

IntuneClient03

On my Azure AD Joined and Intune enrolled Windows 10 1709 machine, after syncing with Intune, you can see that the client is now installing and grabbing the rest of the source files from the Cloud Distribution point I created earlier.

IntuneClient04

The client is now communicating through the Cloud Management Gateway and can now be seen in the SCCM devices.

IntuneClient05

I have created a User Collection containing my Azure AD Users that have been discovered. I will now create an application, and then deploy it to my Azure AD User collection.

IntuneClient06

I will deploy the application to my Cloud Distribution Point.

IntuneClient07

On my client you can see it downloaded the application from the Cloud Distribution Point and it is now seen as Installed in Software Center.

IntuneClient08IntuneClient10