ConfigMgr 1606 – Microsoft Operations Management Suite (OMS) in Azure

With ConfigMgr 1606, you can now connect Configuration Manager collections to the Microsoft Operations Management Suite (OMS) in Azure. The OMS Connector is currently a prerelease feature, so this is done in a lab. This blog will go through the steps to add the connector in ConfigMgr and the prerequisite steps to take in Azure.

This blog post assumes you have a running ConfigMgr 1606 environment and a subscription in Azure.

The first step is to configure your ConfigMgr 1606 site to consent to use Pre-Release features. Make sure you read the disclaimer.

After this is done, we will turn on the “Pre-release Microsoft Operations Management Suite (OMS) Connector”.

Click Yes in the dialogue box (make sure to read the disclaimer).

Log in to the Azure Classic portal https://manage.windowsazure.com and go into your Azure AD, then select Applications. Click Add at the bottom.

Enter the name you would like to use, select web application and/or web API, and click Next.

Enter the sign-on URL and App ID URI. I added my ConfigMgr server name (http://configmgr.domain.com) for both.

Next we will log into the Azure Resource Manager portal https://portal.azure.com and create our OMS Workspace. Click on Browse, go to “Log Analytics (OMS)”, then click on Add.

Once this is created, we will go back to the Azure Classic Portal, go into our Azure AD, and open the Application we created earlier to make a note of our Client ID and generate a key.

Next we will create our connection to OMS back in the ConfigMgr console.

This is the part that TechNet did not tell us. The part with the red box around it is misleading. We actually need to give the application we created earlier access to our Resource Group in the Azure Resource Manager Portal (portal.azure.com). This is probably because Operational Insights was moved from the Azure Classic Portal to Azure Resource Manager. Here is what happens without doing this:

I will type in my tenant name, Client ID and secret key from before, click Verify, then click Next.

ConfigMgr is unable to pull any information about the subscription, Resource Group or OMS Workspace.

To fix this, we need to log back into https://portal.azure.com, go into the Resource Group that contains our OMS workspace, and give the Application we created earlier access.

Go to Settings, then click Users.

Click on Add, and type in the name of the Application you created in the classic portal https://manage.windowsazure.com. I gave mine the Contributor role for testing.
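
The access grant described above can also be scripted and checked from PowerShell. This is an added example, not part of the original post or Microsoft's documentation; it assumes the current Az PowerShell module (not the tooling the post used), and the client ID and resource group name are placeholders.

```powershell
# Added example. Assumes the Az PowerShell module; the values below are placeholders.
$ClientId      = '<client-id-of-the-azure-ad-application>'
$ResourceGroup = '<resource-group-containing-the-oms-workspace>'
$RoleName      = 'Contributor'   # the role the post used for testing

Connect-AzAccount | Out-Null

# Roles are assigned to the application's service principal, not the application object.
$sp = Get-AzADServicePrincipal -ApplicationId $ClientId
if (-not $sp) {
    throw "No service principal found for client ID $ClientId in this tenant."
}

# Scope the assignment to the single resource group rather than the whole subscription.
$rg    = Get-AzResourceGroup -Name $ResourceGroup -ErrorAction Stop
$scope = $rg.ResourceId

# With no assignment at or above this scope, the connector wizard has nothing to list.
$existing = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope |
    Where-Object { $_.RoleDefinitionName -eq $RoleName }

if ($existing) {
    Write-Output "$($sp.DisplayName) already holds $RoleName at or above $scope"
} else {
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $RoleName -Scope $scope | Out-Null
    Write-Output "Assigned $RoleName to $($sp.DisplayName) on $scope"
}

# List every scope this identity can reach in the subscription, to confirm it is
# limited to the resource group that holds the OMS workspace.
Get-AzRoleAssignment -ObjectId $sp.Id |
    Select-Object RoleDefinitionName, Scope
```

The final listing is the part to keep an eye on after the lab: the client ID and key entered into ConfigMgr carry whatever that table shows.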

Now if we go back and try and add the Operations Management Suite Connection again, you will see that ConfigMgr can pull the information from our Resource Group and OMS Workspace.

There we go. This looks better! It pulled the information now that it has access.

You can view the OMS Connector here. You can also right click on it and go to properties to view the properties and add collections.

Once the connector is set up, it should install the Microsoft Monitoring Agent.

Next we will log into the Azure Resource Manager portal https://portal.azure.com and enable the ConfigMgr collections. Once you’re in the Azure portal, go to Log Analytics (OMS), then click on OMS Portal.

Once in the OMS Portal, go to Settings.

Go to the COMPUTER GROUPS tab, click on SCCM, then click “Import Configuration Manager collection memberships” and save.

After it updates you should see the collections (I added some more).

You can click on the links to view more information.

SCCM 1606 – Support for cache size in Client Settings

One of the nice new features in ConfigMgr 1606 is the ability to set the client cache size in Client Settings. In previous versions of ConfigMgr, you could set the size when installing the ConfigMgr client, use a VBS/PowerShell script, or change it in the Configuration Manager Client Properties in Control Panel. You can see those scripts here.

Now in Update 1606 for ConfigMgr Current Branch, in \Administration\Overview\Client Settings you can see the new “Client Cache Settings” section.

Update 1606 released for SCCM Current Branch

Microsoft have released update 1606 for ConfigMgr Current Branch. You can update directly to version 1602 from version 1511, or you can update from version 1602 to 1606.

If you cannot find the update in \Administration\Overview\Cloud Services\Updates and Servicing, there is a PowerShell script here that you can run to make the update available. It worked for me.

What’s new in version 1606 of System Center Configuration Manager
https://technet.microsoft.com/en-US/library/mt752488.aspx

SCCM Azure Cloud Proxy Service for managing clients on the Internet

In Configuration Manager Technical Preview 5 with update 1606, Microsoft introduced the Azure Cloud Proxy Service for managing clients on the Internet. More info can be read here.

This post covers how I set up the Cloud Proxy Service in my ConfigMgr lab to deploy software to a client on the Internet (this is a technical preview and NOT recommended for production environments; it was simply to test out the Cloud Proxy Service). Make sure your lab Configuration Manager is updated to version 1606 so you have the cloud proxy functionality (in the Configuration Manager console, go to Administration > Cloud Services > Updates and Servicing). I had a Visual Studio MSDN subscription for Azure. You can also sign up for a 30 day Azure trial here.

Certificates:

I followed all certificate requirements here (under the certificates section of Cloud Proxy) to create the custom SSL certificate for the cloud proxy service and to create the client certificates (and also export the client root certificate).

I created the certificates below using this TechNet guide:

ConfigMgr Client Distribution Point Certificate
ConfigMgr Client Certificate
ConfigMgr Cloud-Based Distribution Point Certificate (custom SSL certificate as mentioned in Technet)
ConfigMgr Web Server Certificate

For the management certificate for Azure, I exported the custom SSL certificate with the private key as a PFX file, and also exported the certificate as a .cer file which I would upload to Azure. The custom SSL cert will be used when setting up the Cloud service later.
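
The two exports described above, written out in PowerShell as an added example (not from the original post). The thumbprint and file names are placeholders, and it assumes the certificate sits in the local machine Personal store with an exportable key.

```powershell
# Added example. The thumbprint and file names are placeholders.
$Thumbprint = '<thumbprint-of-the-custom-ssl-certificate>'
$PfxPath    = Join-Path $PWD 'cloudproxy-management.pfx'
$CerPath    = Join-Path $PWD 'cloudproxy-management.cer'

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    throw 'Certificate has no private key in this store, so it cannot be exported as PFX.'
}

# PFX: certificate plus private key. The password is prompted for, never stored in the script.
$pfxPassword = Read-Host -Prompt 'Password for the PFX file' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword | Out-Null

# CER: the public certificate only. This is the file that gets uploaded to Azure.
Export-Certificate -Cert $cert -FilePath $CerPath -Type CERT | Out-Null

# Re-load the .cer and confirm it is the same certificate and carries no private key.
$public = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
if ($public.Thumbprint -ne $cert.Thumbprint) {
    throw 'Exported .cer does not match the source certificate.'
}
if ($public.HasPrivateKey) {
    throw 'Exported .cer unexpectedly carries a private key.'
}

Write-Output "PFX (contains the private key, keep access restricted): $PfxPath"
Write-Output "CER (public part, upload as the management certificate): $CerPath"
```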

Log into manage.windowsazure.com and click on Settings down the left hand side, then click on Management Certificates. Upload your management certificate (in my case, I used my .cer as described above). Make a note of your subscription ID; you will need it later. It is also shown in Subscriptions, right next to Management Certificates.

In the ConfigMgr console, in Administration, expand Cloud Services, right click on Cloud Proxy Service and click Create Cloud Proxy Service.

Type in your subscription ID (which you can get from manage.windowsazure.com in the settings where you uploaded the management certificate) and browse to the Azure management PFX certificate (I exported this earlier from the custom SSL certificate). Azure will validate the certificates.

Type in your Service Name. This will appear as <servicename>.cloudapp.net once created in Azure. Select your region and select the Instance number (the number of proxies it creates in Azure). Once you select your custom SSL certificate for “Certificate file”, it will automatically fill in your service FQDN. This has to be a unique name in your namespace (i.e. it cannot already exist). For Root certificate file, select the client root certificate you exported earlier (steps are here under the “Export the client certificate’s root” heading, which is in the section on Cloud Proxy Service for managing clients on the Internet).
I unticked Verify Client Certificate Revocation.

Continue on with the rest of the wizard. Once the Cloud Proxy Service starts to provision you can see it in the area below. You can watch CloudMgr.log in the site server log file directory to see what is happening. The status will be set to Ready once complete. It should take around 10-15 minutes.

DNS:

Once the status was set to Ready, I created a CNAME record on the public DNS (Internet) to point my Service Name to my Cloud Service Name, for example azure.domainname.com to azuretestproxy.cloudapp.net. You can get the Cloud Service name by logging into manage.windowsazure.com, going into the Cloud Service created by the Cloud Proxy Service, and viewing the Dashboard. It is listed as Site URL.

This was so my clients on the Internet could resolve the Service Name when they try to connect. Configuration Manager also needs to be able to resolve the Service Name as it has to establish connections with the Azure proxy. You can see this in the SMS_CLOUD_PROXYCONNECTOR.log later on.

Under Site Configuration, click Sites, right click your site server and click Properties, then click on the Client Computer Communication tab and make sure you’re set to use PKI certificates.

Next we will add the Cloud Proxy Connector point. In Servers and Site System Roles, select your site, right click and add the Cloud Proxy Connector point (details on adding site system roles are here).

Once this is complete, pay attention to the SMS_CLOUD_PROXYCONNECTOR.log on the site server. You will see your Configuration Manager site server try to establish a connection with the Service Name (make sure your CNAME DNS record points the Service Name to the Cloud Service name).

The first time I set this up I saw some illegal character XML errors in SMS_CLOUD_PROXYCONNECTOR.log. I stopped the service and waited for CloudMgr.log to show it was fully stopped before starting it again, and it resolved the issue.

Next we will configure our Management Point and Distribution Point to allow Configuration Manager Proxy traffic (you can also add this to your SUP if you like; at the time of writing, only the Distribution Point, Management Point and Software Update Point are supported by the Cloud Proxy Service).

In Servers and Site System Roles, right click on your Distribution Point/Management Point and click Properties, then tick the box to allow Configuration Manager Cloud Proxy traffic.

After you have done the above, you can restart SMS AGENT HOST on one of your lab workstations. It should pick up the new Azure proxy location.

Below is the behavior on my Windows 10 client when removing it from the internal network and having Internet access only.

While still removed from the internal network and having Internet access only, I deployed a test application and installed it from Software Center.

When checking LocationServices.log, it came back with the “Service Name” created in the Cloud Proxy Service (I had my public DNS CNAME pointing it to my Azure cloud service name).

This is a bit of background on what is actually provisioned in Azure to get the Cloud Proxy to work. Earlier we created 2 instances. You can see these below. Also, the “Site URL” is what I used to point my DNS CNAME from “Service Name” to “Cloud Service Name”.

You can monitor SMS_CLOUD_PROXYCONNECTOR.log to make sure nothing funny is going on. You can see that every 60 seconds it scans the connections and confirms that the proxy connector is connecting to Azure OK.

Update 1606 for Configuration Manager Technical Preview

Update 1606 for Configuration Manager Technical Preview has been released.

Automatically categorize devices into collections:
Device categories can be created to automatically place devices into device collections when ConfigMgr is used with Microsoft Intune. Users are required to choose a device category when they enroll a device in Intune. The category of a device can also be changed in the ConfigMgr console.

Enforcement grace period for required application and software update deployments
Users can set a grace period for required application deployments or software updates that are past the deadline. Useful for machines that have been turned off for a while.

Using Configuration Manager as a managed installer with Device Guard
Device Guard is a feature in Windows 10. ConfigMgr can work with Device Guard so that software deployed from ConfigMgr is automatically trusted.

Multiple device management points for On-premises Mobile Device Management

Cloud Proxy Service for managing clients on the Internet
New feature to manage ConfigMgr clients on the Internet. The service is deployed to Azure and connects to your on-premises ConfigMgr infrastructure using the cloud proxy connector point (new role). It currently supports the management point, distribution point and software update point roles.

Manage the Office 365 client agent in Configuration Manager
Instead of using a Group Policy setting, you can configure a ConfigMgr client agent setting to enable Office 365 clients to receive updates from ConfigMgr.

The OSDPreserveDriveLetter task sequence variable has been deprecated
Windows Setup now determines the best drive letter to use (typically C:). You can still change the drive letter location in the Apply Operating System task sequence step.

Changes for the Updates and Servicing Node

For more info: https://technet.microsoft.com/en-us/library/mt732696.aspx