Tag Archives: SCCM Technical Preview

SCCM 1705 TP – Azure AD User Discovery

In the recently released update 1705 for the Technical Preview Branch of System Center Configuration Manager, you can now set up Azure Active Directory User Discovery. This post will show how you can test it in your lab once you have updated to 1705 Technical Preview. More about this feature can be read here – https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1705#new-capabilities-for-azure-ad-and-cloud-management

In the Console, expand Cloud Services, then right click on Azure Services and click Configure Azure Services


Enter a Name (I chose “Azure AD Connector”) and make sure Cloud Management is selected.


Click Browse to create the Server app and Client app


Click on Create


Enter an Application Name, Homepage URL and Identifier URL (these are only labels on the app registration, so you can make them up, but the Identifier URL has to be unique within your tenant). Click Sign in to sign in with your Azure AD admin account, then click OK.


Select the app you created and click OK.


Click on Browse to create the client app.


Click Create.


Enter an Application Name and a Reply URL (again, you can make this up), then sign in to Azure AD with your admin account.


Select the client app and click OK.


Make sure Enable Azure Active Directory User Discovery is selected. Click Settings to enable delta user discovery and adjust the schedule as you like.


Once the wizard is done, open SMS_AZUREAD_DISCOVERY_AGENT.log from the Logs folder on your site server. You will see repeated Forbidden (HTTP 403) errors as the agent tries to access https://graph.windows.net. The Server app exists and is issued a token, but nobody has yet consented to the directory permissions the wizard requested for it, so Azure AD refuses the directory read.


Go into portal.azure.com, then Azure Active Directory, then App Registrations, then select the Server app you created before.


Click Required Permissions, then Grant Permissions, then Yes. This is the admin consent for the directory permissions the wizard requested on the Server app, so it must be done by an administrator of the tenant; until it is granted, the agent gets 403 Forbidden no matter how the connector itself is configured.


After a short wait, SMS_AZUREAD_DISCOVERY_AGENT.log shows the agent syncing Azure Active Directory users.

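The Forbidden errors above come from the Server app being issued a token that carries no consented directory permission. Below is an added example (not from the original post, and not Configuration Manager's own code) that makes the same kind of request the discovery agent makes against https://graph.windows.net with the Server app's credentials, decodes the token's roles claim, and reports 403 versus 401 so you can tell a missing Grant Permissions from a wrong key. It assumes you created a key on the Server app in the portal; the tenant, Application ID and key values are placeholders you supply.

```powershell
# Added example, not part of the original post or of Configuration Manager.
# Makes the same kind of directory read the discovery agent makes against
# https://graph.windows.net, using the Server app's own credentials, and reports
# why it fails. Assumes a key (client secret) was added to the Server app in the
# portal; tenant, Application ID and key are placeholders you pass in.

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    # The middle dot-separated segment is the base64url-encoded claims set
    $part = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($part.Length % 4) { 2 { $part += '==' } 3 { $part += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($part)) | ConvertFrom-Json
}

function Test-AadGraphAccess {
    param(
        [Parameter(Mandatory)][string]$TenantId,       # e.g. contoso.onmicrosoft.com (placeholder)
        [Parameter(Mandatory)][string]$ClientId,       # Application ID of the Server app
        [Parameter(Mandatory)][string]$ClientSecret    # key created on the Server app
    )
    # 1. Client-credentials token for the Azure AD Graph resource named in the log
    $tokenResponse = Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token" `
        -Body @{
            grant_type    = 'client_credentials'
            client_id     = $ClientId
            client_secret = $ClientSecret
            resource      = 'https://graph.windows.net'
        }

    # 2. Application permissions appear as a "roles" claim only after an admin has
    #    granted them; a token with no roles claim means Grant Permissions is still missing.
    $claims = ConvertFrom-JwtPayload $tokenResponse.access_token
    $roles  = @(); if ($claims.roles) { $roles = @($claims.roles) }

    # 3. Read users the way the agent does (Azure AD Graph, api-version 1.6)
    $users = $null; $status = 200; $hint = 'Directory read succeeded'
    try {
        $users = Invoke-RestMethod -Uri "https://graph.windows.net/$TenantId/users?api-version=1.6&`$top=5" `
                                   -Headers @{ Authorization = "Bearer $($tokenResponse.access_token)" }
    } catch {
        $err    = $_
        $status = [int]$err.Exception.Response.StatusCode
        $hint   = switch ($status) {
            403     { 'Token issued, but no consented directory permission: click Grant Permissions on the Server app' }
            401     { 'Token rejected: check tenant, Application ID and key' }
            default { $err.Exception.Message }
        }
    }

    $sample = @(); if ($users) { $sample = @($users.value | ForEach-Object { $_.userPrincipalName }) }
    [pscustomobject]@{
        HttpStatus  = $status
        AppRoles    = ($roles -join ',')
        Consented   = ($status -eq 200)
        Hint        = $hint
        SampleUsers = ($sample -join ',')
    }
}

# Usage (placeholders):
# Test-AadGraphAccess -TenantId 'contoso.onmicrosoft.com' -ClientId '<Application ID>' -ClientSecret '<key>'
```

Run it once before and once after Grant Permissions: the first run returns HttpStatus 403 with an empty AppRoles column, the second returns 200 with the consented application permission listed in AppRoles and a few user principal names.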

You can now view your Azure AD users in the SCCM console.



SCCM Azure Cloud Proxy Service for managing clients on the Internet

In Configuration Manager Technical Preview 5 with update 1606, Microsoft introduced the Azure Cloud Proxy Service for managing clients on the Internet. More info can be read here.

This post covers how I set up the Cloud Proxy Service in my ConfigMgr lab to deploy software to a client on the Internet (this is a technical preview and NOT recommended for a production environment; it was simply to test out the Cloud Proxy Service). Make sure your lab Configuration Manager is updated to version 1606 so you have the cloud proxy functionality (in the Configuration Manager console, go to Administration > Cloud Services > Updates and Servicing). I used a Visual Studio MSDN subscription for Azure. You can also sign up for a 30-day Azure trial here

Certificates:

I followed all the certificate requirements here (under the Certificates section of Cloud Proxy) to create the custom SSL certificate for the cloud proxy service and to create the client certificates (and also to export the client root certificate).

The certificates below were created using this Technet guide:

ConfigMgr Client Distribution Point Certificate
ConfigMgr Client Certificate
ConfigMgr Cloud-Based Distribution Point Certificate (custom SSL certificate as mentioned in Technet)
ConfigMgr Web Server Certificate

For the management certificate for Azure, I exported the custom SSL certificate with its private key as a PFX file, and also exported the certificate (public key only) as a .cer file to upload to Azure. The custom SSL cert is used again when setting up the Cloud Service later. Be aware that a management certificate authenticates to the Azure Service Management API for the whole subscription, so whoever holds that PFX and its password can create and delete resources in it; reusing the SSL certificate keeps the lab simple, but outside a lab use a dedicated management certificate and protect the PFX accordingly.
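Before feeding the exported files into the wizard, it is worth checking them. The following is an added example (not from the original post, and not part of Configuration Manager) that validates the exported client certificate against the exported client root with the root pinned by thumbprint, and checks that the custom SSL certificate in the PFX has a private key, the Server Authentication EKU, and a DNS name matching the Service Name you intend to use. The file paths, PFX password and service FQDN are placeholders.

```powershell
# Added example, not part of the original post or of Configuration Manager.
# Validates the exported certificates before the Create Cloud Proxy Service wizard.
# Paths, password and service FQDN below are placeholders.
using namespace System.Security.Cryptography.X509Certificates

function Test-ClientCertChain {
    param(
        [Parameter(Mandatory)][string]$ClientCerPath,   # exported ConfigMgr client certificate (.cer)
        [Parameter(Mandatory)][string]$RootCerPath,     # the "client certificate's root" you export for the wizard
        [switch]$CheckRevocation                        # mirrors the wizard's "Verify Client Certificate Revocation"
    )
    $client = [X509Certificate2]::new($ClientCerPath)
    $root   = [X509Certificate2]::new($RootCerPath)

    $chain = [X509Chain]::new()
    $chain.ChainPolicy.ExtraStore.Add($root) | Out-Null   # add intermediates here too if the client is not issued by the root directly
    # Let the chain build even when the root is not in Trusted Root Certification Authorities...
    $chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::AllowUnknownCertificateAuthority
    $mode = if ($CheckRevocation) { [X509RevocationMode]::Online } else { [X509RevocationMode]::NoCheck }
    $chain.ChainPolicy.RevocationMode = $mode
    $built = $chain.Build($client)
    # ...and then pin the chain's terminal certificate to the expected root, because with
    # that flag any self-signed issuer would otherwise "build" successfully.
    $pinned = $false
    if ($chain.ChainElements.Count -gt 0) {
        $terminal = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $pinned   = ($terminal.Thumbprint -eq $root.Thumbprint)
    }
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    [pscustomobject]@{
        Subject     = $client.Subject
        Issuer      = $client.Issuer
        ChainBuilt  = $built
        RootPinned  = $pinned
        ChainStatus = $status
        Valid       = ($built -and $pinned)
    }
}

function Test-ProxySslCert {
    param(
        [Parameter(Mandatory)][string]$PfxPath,        # custom SSL certificate exported with its private key
        [Parameter(Mandatory)][string]$ServiceFqdn,    # Service Name the wizard will fill in, e.g. azure.domainname.com
        [string]$PfxPassword = ''
    )
    $cert = [X509Certificate2]::new($PfxPath, $PfxPassword)

    # Server Authentication EKU (1.3.6.1.5.5.7.3.1) is what the Azure listener needs
    $ekuExt = $cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    $hasServerAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })

    # DNS names: the subject CN plus every entry of the SAN extension (2.5.29.17) when present
    $names = @($cert.GetNameInfo([X509NameType]::DnsName, $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += ($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -replace '^DNS Name=', '').Trim() }
    }

    [pscustomobject]@{
        Subject        = $cert.Subject
        HasPrivateKey  = $cert.HasPrivateKey
        ServerAuthEku  = $hasServerAuth
        DnsNames       = ($names -join ',')
        MatchesService = ($names -contains $ServiceFqdn)
        NotAfter       = $cert.NotAfter
        Valid          = ($cert.HasPrivateKey -and $hasServerAuth -and ($names -contains $ServiceFqdn))
    }
}

# Usage (paths are placeholders):
# Test-ClientCertChain -ClientCerPath .\ClientCert.cer -RootCerPath .\ClientRoot.cer
# Test-ProxySslCert -PfxPath .\CloudProxySsl.pfx -PfxPassword 'labpassword' -ServiceFqdn 'azure.domainname.com'
```

Test-ClientCertChain without -CheckRevocation behaves like the wizard with Verify Client Certificate Revocation unticked; add the switch to see whether the CRL in the client certificate is actually reachable, which is the same condition the proxy is in when that box is ticked.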

Log into manage.windowsazure.com, click Settings down the left-hand side, then click Management Certificates. Upload your management certificate (in my case the .cer exported above). Copy your subscription ID somewhere; you will need it later. It is also shown under Subscriptions, right next to Management Certificates.


In the ConfigMgr console, in Administration, expand Cloud Services, right click on Cloud Proxy Service and click Create Cloud Proxy Service.


Type in your subscription ID (from the Settings page of manage.windowsazure.com where you uploaded the management certificate) and browse to the Azure management PFX certificate (exported earlier from the custom SSL certificate). The wizard validates the certificate against your subscription.


Type in your Service Name. This will appear as <servicename>.cloudapp.net once created in Azure. Select your region and the instance number (the number of proxy instances created in Azure). Once you select your custom SSL certificate for “Certificate file”, the wizard fills in your service FQDN from the certificate. The service name must be unique in the cloudapp.net namespace (it cannot already exist). For Root certificate file, select the client root certificate you exported earlier (steps are here under the “Export the client certificate’s root” heading in the Cloud Proxy Service for managing clients on the Internet section). This root is what the proxy uses to decide which client certificates it accepts, so upload only the root that issues your ConfigMgr client certificates.
I unticked Verify Client Certificate Revocation. Leave it ticked outside a lab: with it off, a client certificate you have revoked is still accepted by the proxy; with it on, the CRL distribution point in the client certificates must be reachable from the proxy in Azure, or every client is rejected.


Continue with the rest of the wizard. Once the Cloud Proxy Service starts to provision, it appears in the Cloud Proxy Service node. You can watch CloudMgr.log in the site server log directory to see what is happening. The status is set to Ready once provisioning completes, which should take around 10-15 minutes.


DNS:

Once the status was Ready, in public (Internet) DNS I created a CNAME record pointing my Service Name to the Cloud Service name, for example azure.domainname.com to azuretestproxy.cloudapp.net. You can get the Cloud Service name by logging into manage.windowsazure.com, opening the Cloud Service created by the Cloud Proxy Service and viewing the Dashboard; it is shown as Site URL.

This lets clients on the Internet resolve the Service Name when they connect. Configuration Manager also needs to resolve the Service Name, because the site server establishes the outbound connections to the Azure proxy. You can see this in SMS_CLOUD_PROXYCONNECTOR.log later on.
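An added example (not from the original post) to confirm the DNS and TLS side of that: it resolves the CNAME for the Service Name, checks that it lands on the cloudapp.net Cloud Service name, then opens a TLS session to port 443 and reads back the certificate the proxy presents, comparing its DNS name (and optionally its thumbprint) with the custom SSL certificate you uploaded. Run it from an Internet-only client and from the site server, since both need to resolve the name. The names are the placeholders used in this post.

```powershell
# Added example, not part of the original post. Checks the public DNS CNAME and the
# certificate presented on 443 by the Cloud Proxy Service. Names are the post's placeholders.
function Test-CloudProxyEndpoint {
    param(
        [Parameter(Mandatory)][string]$ServiceName,        # e.g. azure.domainname.com
        [Parameter(Mandatory)][string]$CloudServiceName,   # e.g. azuretestproxy.cloudapp.net (the "Site URL" host)
        [string]$ExpectedThumbprint                        # thumbprint of the custom SSL certificate you uploaded (optional)
    )
    # 1. DNS: the Service Name must be a CNAME to the Cloud Service name
    $cname = Resolve-DnsName -Name $ServiceName -Type CNAME -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    $cnameOk = [bool]$cname -and ($cname.NameHost -ieq $CloudServiceName)

    # 2. TLS: complete a handshake and read back the certificate the proxy presents.
    #    The callback accepts any certificate so the handshake completes; trust is
    #    decided below by comparing the name and thumbprint ourselves.
    $remoteCert = $null; $tlsError = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($ServiceName, 443)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($ServiceName)
        $remoteCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose(); $tcp.Close()
    } catch { $tlsError = $_.Exception.Message }

    $dnsName = if ($remoteCert) { $remoteCert.GetNameInfo('DnsName', $false) } else { $null }
    $thumbOk = if ($ExpectedThumbprint) { [bool]$remoteCert -and ($remoteCert.Thumbprint -ieq $ExpectedThumbprint) } else { $null }

    [pscustomobject]@{
        ServiceName  = $ServiceName
        CnameTarget  = if ($cname) { $cname.NameHost } else { $null }
        CnameOk      = $cnameOk
        TlsSubject   = if ($remoteCert) { $remoteCert.Subject } else { $null }
        TlsDnsName   = $dnsName
        NameMatches  = ($dnsName -ieq $ServiceName)
        ThumbprintOk = $thumbOk
        TlsError     = $tlsError
    }
}

# Usage:
# Test-CloudProxyEndpoint -ServiceName 'azure.domainname.com' -CloudServiceName 'azuretestproxy.cloudapp.net'
```

A CNAME that resolves but a TlsDnsName that does not match means the name points at the wrong Cloud Service or the wrong certificate was supplied as the Certificate file; a TlsError with a correct CNAME usually means the service has not reached Ready yet.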


Under Site Configuration, click Sites, right click your site server and click Properties, then on the Client Computer Communication tab make sure the site is set to use PKI certificates. Internet clients authenticate to the cloud proxy with a client certificate issued from the root you uploaded, and the proxy only carries HTTPS traffic.


Next we will add the Cloud Proxy Connector point. In Servers and Site System Roles, select your site server, right click and add the Cloud Proxy Connector point (details on adding site system roles are here).



Once this is complete, watch SMS_CLOUD_PROXYCONNECTOR.log on the site server. You will see your Configuration Manager site server try to establish a connection with the Service Name (make sure your CNAME DNS record points the Service Name to the Cloud Service name).

The first time I set this up I saw some illegal character XML errors in SMS_CLOUD_PROXYCONNECTOR.log. I stopped the service and waited for CloudMgr.log to show it had fully stopped before starting it again, and that resolved the issue.


Next we will configure our Management Point and Distribution Point to allow Configuration Manager cloud proxy traffic (you can also do this on your SUP; at the time of writing, only the Distribution Point, Management Point and Software Update Point roles are supported by the Cloud Proxy Service).

In Servers and Site System Roles, right click your Distribution Point/Management Point role, click Properties, then tick the box to allow Configuration Manager Cloud Proxy traffic.


After you have done the above, restart the SMS Agent Host service (ccmexec) on one of your lab workstations. It should pick up the new Azure proxy location on its next location request.

Below is the behavior on my Windows 10 client when removing it from the internal network and having Internet access only.


While still removed from the internal network and only on having Internet access, I deployed a test application and installed it from Software Center:


LocationServices.log came back with the “Service Name” created in the Cloud Proxy Service (my public DNS CNAME points it to my Azure Cloud Service name).


Some background on what is actually provisioned in Azure to make the Cloud Proxy work: earlier we asked for 2 instances, and they appear below. The “Site URL” is the Cloud Service name that my DNS CNAME points the “Service Name” to.


Keep an eye on SMS_CLOUD_PROXYCONNECTOR.log for connection problems. Every 60 seconds it scans the connections and confirms that the proxy connector is connected to Azure.


Update 1606 for Configuration Manager Technical Preview

Update 1606 for Configuration Manager Technical Preview has been released

Automatically categorize devices into collections:
Device categories can be created to automatically place devices into device collections when ConfigMgr is used with Microsoft Intune. Users are required to choose a device category when they enroll a device in Intune. The category of a device can also be changed in the ConfigMgr console.

Enforcement grace period for required application and software update deployments
Administrators can set a grace period for required application deployments or software updates that are past the deadline. Useful for machines that have been turned off for a while.

Using Configuration Manager as a managed installer with Device Guard
Device Guard is a feature of Windows 10. ConfigMgr can act as a managed installer for Device Guard, so that software deployed from ConfigMgr is automatically trusted.

Multiple device management points for On-premises Mobile Device Management

Cloud Proxy Service for managing clients on the Internet
New feature to manage ConfigMgr clients on the Internet. The service is deployed to Azure and connects to your on-premises ConfigMgr infrastructure through the cloud proxy connector point (a new site system role). It currently supports the management point, distribution point and software update point roles.

Manage the Office 365 client agent in Configuration Manager
Instead of using a Group Policy setting, you can configure a ConfigMgr client agent setting to enable Office 365 clients to receive updates from ConfigMgr.

The OSDPreserveDriveLetter task sequence variable has been deprecated
Windows Setup now determines the best drive letter to use (typically C:). You can still change the drive letter location in Apply Operating System task sequence step.

Changes for the Updates and Servicing Node

For more info: https://technet.microsoft.com/en-us/library/mt732696.aspx

Hyper-V Gen 2 Machine – Deploying Windows 10 test

I have a Hyper-V lab set up with a VM running a DC with DHCP and a VM with SCCM Technical Preview 4 and SQL 2012 SP1, and I will be testing deploying the Windows 10 eval to a Hyper-V Generation 2 VM.

Getting Started…

I have made sure that my DP responds to PXE requests. I am not using unknown computer support; instead I import the MAC address of my Hyper-V VM into a collection to which the task sequence is deployed as Required. Unknown computer support would offer the task sequence to any machine that PXE boots on that network, whereas importing the MAC keeps the Required deployment scoped to this one record (a MAC address is easy to spoof, so treat this as scoping, not authentication).


I copied install.wim (from the sources directory of the Windows 10 ISO) to my server and added it as an operating system image in the Software Library node.


After I added my Windows 10 .wim I distributed it to my DP. Now I will create my very basic task sequence.


I will be using an existing image package that I created before.


Note that I haven’t selected a Domain OU. This puts the computer in the default Computers container. If you specify the default Computers container explicitly as the OU, the task sequence will fail.


I left all other options as default. I then right clicked my Task Sequence, clicked Edit, and added the variable below so my Windows 10 installation uses C:\ rather than X:\ as the drive letter the OS is installed to.


I then deployed my Task Sequence as required


Creating the Hyper-V Gen 2 machine:

Right click on your Hyper-V host and select New Virtual Machine.

Click Next at the Before You Begin screen.
Enter the name of your virtual machine.

I am going to deploy a Windows 10 machine, so I selected Generation 2.

I am using 2 GB of dynamic memory.

I have made a Private virtual switch so only my VMs (domain controller, SCCM server and this one) can communicate with each other.

I have left the virtual hard disk settings as default.

I will be installing the image via PXE, so I ticked the last option (install from a network-based installation server), then clicked Finish.

I then turned the virtual machine on and off again. This is because it uses a dynamic MAC address, which Hyper-V only assigns at first power-on; after that, the Networking tab shows the MAC address. We will import this MAC address into SCCM to deploy the image.

In the SCCM 2012/Technical Preview console, select Import Computer Information to import the MAC address of the VM you created.

Select Import single computer.

Type in the name of the computer and its MAC address, then click Next, then Next again.

Select to add the new computer only to the All Systems collection and keep clicking Next until the end of the wizard.

From the All Systems collection, add the new computer to the collection the task sequence is deployed to as Required (Win10Deployment).

Once that collection has updated its membership, power on the VM; it PXE boots and downloads the image.
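The same procedure as an added PowerShell example rather than screenshots (not from the original post): it creates the Generation 2 VM on the private switch with the network adapter first in the boot order, powers it on and off to obtain its dynamic MAC address, then imports the computer straight into the Win10Deployment collection with the Configuration Manager cmdlets and boots it. The switch name, VHD path and site code are assumptions, and the Hyper-V and ConfigMgr console modules are assumed to be installed on the host it runs on.

```powershell
# Added example, not part of the original post: the Hyper-V Gen 2 deployment steps as a script.
# Assumptions: switch name, VHD path, collection name and site code below; the Hyper-V module
# and the ConfigMgr console (for ConfigurationManager.psd1) are present on this host.
$vmName     = 'WIN10-GEN2'
$switchName = 'LabPrivate'          # the Private virtual switch from the post
$collection = 'Win10Deployment'     # collection with the Required task sequence deployment
$siteCode   = 'PS1'

# --- Hyper-V: Generation 2 VM, dynamic memory, PXE first in the boot order ---
New-VM -Name $vmName -Generation 2 -MemoryStartupBytes 2GB -SwitchName $switchName `
       -NewVHDPath "C:\Hyper-V\$vmName.vhdx" -NewVHDSizeBytes 60GB | Out-Null
Set-VMMemory -VMName $vmName -DynamicMemoryEnabled $true
$nic = Get-VMNetworkAdapter -VMName $vmName
Set-VMFirmware -VMName $vmName -FirstBootDevice $nic     # "install from a network-based installation server"

# A dynamic MAC is only assigned at first power-on, so start and turn off as the post does
Start-VM -Name $vmName
Start-Sleep -Seconds 5
Stop-VM -Name $vmName -TurnOff -Force
$mac = (Get-VMNetworkAdapter -VMName $vmName).MacAddress   # e.g. 00155D010203
$macColon = $mac -replace '(..)(?!$)', '$1:'                 # Import wants 00:15:5D:01:02:03

# --- Configuration Manager: import the record directly into the target collection ---
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
Set-Location "$($siteCode):"
# No unknown computer support is used, so only this imported record receives the
# Required deployment; a MAC is still not a strong identity, only a scope.
Import-CMComputerInformation -ComputerName $vmName -MacAddress $macColon -CollectionName $collection
Invoke-CMCollectionUpdate -Name $collection
Start-Sleep -Seconds 60   # let the collection evaluate before the VM PXE boots

Start-VM -Name $vmName
```

Importing with -CollectionName both creates the record and adds it to the collection, which replaces the separate All Systems step in the wizard; the collection update is still needed before the PXE boot, otherwise the DP has no deployment to offer and the VM falls through to the next boot device.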

Software updates not synchronizing – Sync failed: WSUS update source not found on site

I installed a trial of Configuration Manager 2016 Technical Preview 4 and set up and configured the Software Update point. I wasn’t able to synchronize any updates.

I checked wsyncmgr.log and saw Sync failed: WSUS update source not found on site
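Every log on this page (SMS_AZUREAD_DISCOVERY_AGENT.log, CloudMgr.log, SMS_CLOUD_PROXYCONNECTOR.log and wsyncmgr.log) is in the CMTrace format. The following is an added example (not from the original posts, and not a Microsoft tool) of a parser for that format, with a filter that surfaces warnings, errors and specific messages such as the Forbidden responses, the illegal character XML errors and this sync failure, so they can be pulled out at the prompt instead of scrolling through CMTrace. The sample lines at the bottom are constructed for the example, not copied from a real log.

```powershell
# Added example, not part of the original posts: parser and filter for CMTrace-format logs.
# The log format is the one Configuration Manager writes; the sample lines are constructed.
function Get-CMTraceLogEntry {
    param(
        [string]$Path,       # log file on the site server, e.g. "$env:SMS_LOG_PATH\wsyncmgr.log"
        [string]$Content     # or raw log text (used by the sample below)
    )
    if ($Path) { $Content = Get-Content -Path $Path -Raw }
    # One record: <![LOG[message]LOG]!><time="hh:mm:ss.fff+bias" date="MM-dd-yyyy" component="..." context="" type="n" thread="n" file="...">
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>\d{2}:\d{2}:\d{2}\.\d{3})(?<bias>[+-]\d+)?"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"\s+context="[^"]*"\s+type="(?<type>\d)"\s+thread="(?<thread>\d+)"\s+file="(?<file>[^"]*)">'
    $typeName = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }
    # Singleline so that multi-line messages inside one record are kept together
    foreach ($m in [regex]::Matches($Content, $pattern, 'Singleline')) {
        $stamp = [datetime]::ParseExact("$($m.Groups['date'].Value) $($m.Groups['time'].Value)",
                                        'MM-dd-yyyy HH:mm:ss.fff', [cultureinfo]::InvariantCulture)
        [pscustomobject]@{
            Time      = $stamp
            Component = $m.Groups['comp'].Value
            Severity  = $typeName[$m.Groups['type'].Value]
            Thread    = [int]$m.Groups['thread'].Value
            Message   = $m.Groups['msg'].Value.Trim()
        }
    }
}

function Find-CMTraceProblem {
    # Warnings and errors, plus any entry matching the extra patterns (HTTP 403 text, sync failures, XML errors)
    param(
        [Parameter(ValueFromPipeline)]$Entry,
        [string[]]$Pattern = @('Forbidden', 'Sync failed', 'illegal character')
    )
    process {
        $hit = $Pattern | Where-Object { $Entry.Message -match $_ }
        if ($Entry.Severity -ne 'Info' -or $hit) { $Entry }
    }
}

# Constructed sample records in the shape of the three logs discussed on this page
$sample = @'
<![LOG[Scanning connections]LOG]!><time="09:00:00.000+000" date="08-01-2016" component="SMS_CLOUD_PROXYCONNECTOR" context="" type="1" thread="4100" file="connector.cpp:120">
<![LOG[ERROR: Failed to get users from https://graph.windows.net/contoso.onmicrosoft.com/users. Response: Forbidden]LOG]!><time="09:01:05.123+000" date="05-20-2017" component="SMS_AZUREAD_DISCOVERY_AGENT" context="" type="3" thread="5016" file="aaddiscovery.cpp:88">
<![LOG[Sync failed: WSUS update source not found on site]LOG]!><time="09:02:00.500+000" date="12-10-2015" component="SMS_WSUS_SYNC_MANAGER" context="" type="3" thread="2744" file="wsyncmgr.cpp:401">
'@

Get-CMTraceLogEntry -Content $sample | Find-CMTraceProblem | Format-Table Time, Component, Severity, Message -AutoSize
```

Against the constructed sample the filter drops the informational connection scan and keeps the Forbidden and Sync failed records; on a site server, point -Path at the real log (SMS_LOG_PATH is set on site servers, which the usage comment assumes) to get the same view over the whole file.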

The workaround was to open the Software Update Point component properties, clear all Classifications and Products, and then schedule another sync.


After this, I scheduled another sync, and the sync completed.


I then went back and re-configured the Software Update Point with the Classifications and Products I wanted, scheduled another sync, and it worked fine.
