Tag Archives: SCCM

SCCM 1706 – Azure AD Discovery

SCCM 1706 was recently released and one of the new features is Azure AD Discovery, which was first seen in Technical Preview 1705. This guide will show how to set up Azure AD Discovery and install the SCCM client on a workgroup machine on the Internet without certificates, using the Cloud Management Gateway.

For more information about SCCM 1706, see What’s new in version 1706 of System Center Configuration Manager.

In my lab, I already have the Cloud Management Gateway set up. To set up the CMG, see the documentation at https://docs.microsoft.com/en-us/sccm/core/clients/manage/setup-cloud-management-gateway

Once you have installed the 1706 update, expand Cloud Services, then right-click Azure Services and click Configure Azure Services.


Select Cloud Management and click Next.


Next, create the Server and Client Apps. Click Browse next to the Web App, then click Create.


Enter an Application Name, HomePage URL and App ID URL, then sign in to Azure AD with an admin account and it will create the app for you in Azure.


Select the app and click OK.


Do the same as above but for the Client App and give it an Application Name and a Reply URL, then sign in to Azure with an Azure admin account. The app will then be created in Azure.


Enable Azure Active Directory User Discovery.


You need to grant permissions on both the client app and the server app in Azure; otherwise SMS_AZUREAD_DISCOVERY_AGENT.log will show access denied errors.


Log in to https://portal.azure.com and go to Azure Active Directory, then App Registrations. Select the app, go to Required Permissions and click Grant Permissions. I did this for both the client app and the server app.


Looking back in SMS_AZUREAD_DISCOVERY_AGENT.log, mine is now successful and has discovered my Azure AD users.


You can view the Azure AD users in the SCCM console under \Assets and Compliance\Overview\Users\All Users.

In the example below you can see that the user was discovered by SMS_AZUREAD_USER_DISCOVERY_AGENT.


In the SCCM console, in \Administration\Overview\Cloud Services\Azure Services, you can also run a full discovery by clicking Run Full Discovery Now, and view information about Azure AD Discovery like the Full Sync Schedule, Delta Sync Interval, and the Last Full Sync/Delta Sync time.


On a Windows 10 Azure AD joined machine, you can install the SCCM client manually without using any certificates. This is useful on workgroup machines.

You can use the following installation command:

ccmsetup.exe /NoCrlCheck /Source:C:\CLIENT CCMHOSTNAME=SCCMPROXYCONTOSO.CLOUDAPP.NET/CCM_Proxy_ServerAuth/72457598037527932 SMSSiteCode=HEC AADTENANTID=780433B5-E05E-4B7D-BFD1-E8013911E543 AADTENANTNAME=contoso AADCLIENTAPPID= AADRESOURCEURI=https://contososerver

For a reference of how to obtain the information above, see https://docs.microsoft.com/en-us/sccm/core/clients/deploy/deploy-clients-cmg-azure#step-4-install-and-register-the-configuration-manager-client-using-azure-active-directory-identity


SCCM Cloud Management Gateway – Installing SCCM client on an Internet client manually

The Cloud Management Gateway in SCCM Current Branch allows you to manage computers on the Internet without deploying the traditional IBCM infrastructure. Microsoft have made some improvements in SCCM 1702 for the CMG regarding client registration.

This post will not go into how to set up the CMG; see Plan for cloud management gateway in Configuration Manager for that information.

This blog post will show you how you can use the CCMHOSTNAME property when manually installing the SCCM client to specify the Cloud Management Gateway management point. This isn’t official documentation from Microsoft; however, it does work. The post assumes you have copied over a PKI certificate for the client and installed it, and also copied over the SCCM client installation files.

1 – On a machine on the internal network with the SCCM client installed, view LocationServices.log and search for the Internet Management Point. You can see mine below highlighted in yellow. Copy the name of the Azure Cloud Management Gateway, as you will need it for the CCMHOSTNAME property when installing the client.


2 – Launch a command prompt and run ccmsetup.exe /UsePkiCert SMSSITECODE=<SiteCode> CCMHOSTNAME=<CMG copied above>

3 – Keep an eye on C:\Windows\ccmsetup\Logs\ccmsetup.log and ensure it installs successfully (“CcmSetup is exiting with return code 0”). My logs in C:\Windows\CCM\Logs now indicate that the client is registered (ClientIDManagerStartup.log) and communicating with the Cloud Management Gateway (CcmMessaging.log). The machine should now appear in the ConfigMgr console. I can also see in the Configuration Manager Properties of the client that it is Internet based.


After it has installed successfully, you should see it communicating and retrieving policies.
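Both the Azure AD Discovery post and this one end with the same kind of check: read an SCCM log (SMS_AZUREAD_DISCOVERY_AGENT.log for the access denied errors caused by missing app permissions, ccmsetup.log for the “CcmSetup is exiting with return code 0” line) and decide whether the step worked. The PowerShell below is an added example, not code from the original posts or from Microsoft: it parses the standard CMTrace log format, lists warnings, errors and access-denied messages, and extracts the ccmsetup return code. The function names and the sample log lines are my own constructions; only the log format and the return-code message are taken from the posts and from the CMTrace format itself.

```powershell
# Added example, not code from the original posts. Parses Configuration Manager
# (CMTrace-format) log lines such as SMS_AZUREAD_DISCOVERY_AGENT.log and
# C:\Windows\ccmsetup\Logs\ccmsetup.log, surfaces warnings/errors and
# "access denied" messages, and reads the "CcmSetup is exiting with return code N"
# line. Function names are my own; the sample lines below are constructed.

function ConvertFrom-CMTraceLog {
    # One CMTrace entry looks like:
    # <![LOG[message]LOG]!><time="10:01:02.123+000" date="08-01-2017" component="ccmsetup" context="" type="1" thread="1234" file="ccmsetup.cpp:100">
    # type: 1 = informational, 2 = warning, 3 = error
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        $pattern  = '^<!\[LOG\[(?<msg>.*)\]LOG\]!><time="(?<time>[^"]*)"\s+date="(?<date>[^"]*)"\s+component="(?<comp>[^"]*)"\s+context="[^"]*"\s+type="(?<type>\d)"'
        $severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }
        if ($Line -match $pattern) {
            [pscustomobject]@{
                Date      = $Matches['date']
                Time      = $Matches['time']
                Component = $Matches['comp']
                Severity  = $severity[$Matches['type']]
                Message   = $Matches['msg']
            }
        }
    }
}

function Get-CMLogProblems {
    # Returns warnings, errors, and informational lines mentioning a keyword
    # (e.g. the access denied entries seen when Grant Permissions was not done
    # for the Azure AD server and client apps).
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [string[]]$Keywords = @('access denied', 'unauthorized', '401', '403', 'failed')
    )
    $keywordPattern = ($Keywords | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $Lines | ConvertFrom-CMTraceLog | Where-Object {
        $_.Severity -in @('Warning', 'Error') -or $_.Message -match $keywordPattern
    }
}

function Get-CcmSetupExitCode {
    # Returns the last "CcmSetup is exiting with return code N" value, or $null if
    # ccmsetup has not written it yet. ccmsetup keeps running in the background
    # after the command prompt returns, so the log, not the shell, is what to watch.
    param([Parameter(Mandatory)][string[]]$Lines)
    $exitEntry = $Lines | ConvertFrom-CMTraceLog |
        Where-Object { $_.Message -like 'CcmSetup is exiting with return code *' } |
        Select-Object -Last 1
    if (-not $exitEntry) { return $null }
    return [int]([regex]::Match($exitEntry.Message, 'return code (\d+)').Groups[1].Value)
}

# Constructed sample lines in CMTrace format (not real log output).
$discoverySample = @(
    '<![LOG[Starting Azure AD user discovery.]LOG]!><time="10:01:02.123+000" date="08-01-2017" component="SMS_AZUREAD_DISCOVERY_AGENT" context="" type="1" thread="1234" file="azureaddiscovery.cpp:100">',
    '<![LOG[Graph request returned 403 Forbidden: access denied.]LOG]!><time="10:01:03.456+000" date="08-01-2017" component="SMS_AZUREAD_DISCOVERY_AGENT" context="" type="3" thread="1234" file="azureaddiscovery.cpp:150">'
)
$ccmsetupSample = @(
    '<![LOG[Ccmsetup started.]LOG]!><time="11:00:00.000+000" date="08-01-2017" component="ccmsetup" context="" type="1" thread="4321" file="ccmsetup.cpp:200">',
    '<![LOG[CcmSetup is exiting with return code 0]LOG]!><time="11:05:00.000+000" date="08-01-2017" component="ccmsetup" context="" type="1" thread="4321" file="ccmsetup.cpp:300">'
)

Get-CMLogProblems -Lines $discoverySample | Format-Table Date, Time, Severity, Message -AutoSize
Get-CcmSetupExitCode -Lines $ccmsetupSample   # 0 means the client installed successfully

# Against live logs on the site server or client:
# Get-CMLogProblems -Lines (Get-Content 'C:\Windows\ccmsetup\Logs\ccmsetup.log')
```

The keyword list is a triage filter and will also pick up routine informational lines containing “failed”; trim it to taste. Any non-zero value from Get-CcmSetupExitCode means the install did not complete, and the preceding Error entries from Get-CMLogProblems usually say why.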


SCCM Current Branch 1702 – Automatically close executable files before installation

A nice new feature in SCCM Current Branch 1702 is the ability to set the “Install Behaviour” on a deployment type to either automatically close specified .exe’s if the deployment is Required, or to advise the user that the installation has failed because of the running .exe’s. This is useful for deployments where certain processes cannot be running, for example when deploying an add-in for Outlook and you need Outlook (or other Office applications) not to be running.

One thing to note is that you need to have your client upgraded to the 1702 version, otherwise it will not work. This post will quickly show how you can configure the Install Behaviour and the user experience for an Available application.

After upgrading the client to the latest version, in an existing Application (7Zip) I have right-clicked on the Deployment Type and clicked on the Install Behavior tab. Click on Add, type in the executable file name and give it a display name.


This application is deployed as Available, not Required. Below you can see I have the .exe open on the right hand side; I will then install 7-Zip.


Now you can see it has failed because the executable I specified earlier is running. If the deployment was Required, it would automatically close the specified exe’s.


SCCM Current Branch 1702 – Office 365 Installer

SCCM Current Branch 1702 introduces the “Office 365 ProPlus Installer” (this feature was seen in technical previews). The Office 365 ProPlus Installer allows you to specify your Office 365 ProPlus settings (excluded apps, update channel etc.), download the Office 365 ProPlus files, create the Application and Deployment Type, and deploy the application if you choose to.

Before this feature was released, you needed to use the Office Deployment Tool (ODT) to download the Office 365 ProPlus files and create an XML with the Office 365 configuration settings, then create an Application in SCCM.

This post will show how you can leverage the new Office 365 Installer in SCCM Current Branch version 1702 to create, download and deploy an Office 365 ProPlus package without having to use the Office Deployment Tool.

Open the SCCM console, go to the Software Library node, expand the Office 365 Client Management folder and click on Office 365 Installer.


Give it a name and content location:


You can use an existing XML with the Office 365 ProPlus configuration you have created, or manually create one using this wizard. I have chosen to manually create the XML:


Specify your settings. I have chosen the Office 365 ProPlus suite and excluded the old Groove OneDrive for Business client.


Select your architecture. I am using 32bit, and have chosen to use the Deferred channel.


I have said Yes to deploy the application.


I have chosen my collection to deploy it to.


I have added my distribution point.


I am deploying mine as Available.


Settings here are left as default.


Default again.


Default again.


Click Next to start downloading the Office 365 ProPlus files.


After it has finished, you can see there is now an Application created with a deployment type, deployed to the collection specified earlier.


Changing Office 365 ProPlus Update Channel with ConfigMgr 1610

This post will show how you can use the compliance settings in SCCM to change the update channel in Office 365 ProPlus by changing CDNBaseUrl in the registry. This is useful if you want to change some clients from Current Channel to Deferred Channel, or from Deferred Channel to Current Channel.

This post assumes you are running ConfigMgr Current Branch 1610, have the Client Settings set to “Enable management of the Office 365 Client Agent” in the Software Updates section, and have configured ConfigMgr 1610 to deploy updates for Office 365. More information about that can be read in Manage Office 365 ProPlus updates with Configuration Manager.

In the ConfigMgr console, create a new Configuration Item.


Give it a name and click Next.


Click on New so you can add a new setting.


I have clicked on Browse near the Hive Name, connected to another machine with Office 365 installed and browsed to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration\CDNBaseUrl.


Select CDNBaseUrl and tick “The selected registry value must exist on client devices”.


Click OK and it should look like this.


Click on the Compliance Rules tab and click New.


Now where you have the setting selected, change the “Equals the following values” to the update channel you would like to change to. For example, mine was previously set to Deferred channel, so I selected the URL for Current Channel and pasted it in.

For reference, I have copied the URLs from Change the update channel after you enable Office 365 clients to receive updates from Configuration Manager and pasted them below:


Click on OK.


Click Next.


Click Next.


Click Next.


Click Close.


Now we will create the Configuration Baseline and add the previously created Configuration Item.


Click on Add, then select Configuration Item.


Select the previously created Configuration Item and click Add.


Now we will deploy it to a collection to test it.


Make sure the correct Configuration Item is selected and tick Remediate noncompliant rules when supported. Choose a test collection to deploy it to (my All Workstations collection is in a lab, not a production environment).


Now, on a machine in the collection you deployed the baseline to, once the machine receives the policy you should see the Baseline in the Configurations tab of the ConfigMgr client properties. Click on Evaluate and wait for the compliance state to change from Unknown to Compliant.
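The registry Configuration Item above can also be expressed as a script-based Configuration Item, which makes the check and the remediation easy to test on a single machine before deploying the baseline. The PowerShell below is an added example, not code from the original post or from Microsoft: it maps CDNBaseUrl back to a channel name, reports Compliant or NonCompliant against a desired channel, and remediates by setting CDNBaseUrl and then triggering the Hardware Inventory and Software Updates Scan cycles that the post runs by hand. The function names are my own; the CDNBaseUrl values are the public channel identifiers Microsoft documented for the channels available at the time, and the two schedule IDs are the standard ConfigMgr client action IDs.

```powershell
# Added example, not code from the original post. Script-based equivalent of the
# registry Configuration Item built in the console. Needs to run as SYSTEM or an
# administrator (ConfigMgr script CIs already run as SYSTEM). Function names are my own.

# Public Office 365 ProPlus CDNBaseUrl values per update channel, as documented by
# Microsoft for the channels available with ConfigMgr 1610.
$Office365ChannelUrls = @{
    Current              = 'http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60'
    Deferred             = 'http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114'
    FirstReleaseDeferred = 'http://officecdn.microsoft.com/pr/b8f9b850-328d-4355-9145-c59439a0c4cf'
    FirstReleaseCurrent  = 'http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be'
}
$ClickToRunKey = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'

function Get-Office365Channel {
    # Reads CDNBaseUrl and maps it back to a channel name. Returns $null when
    # Click-to-Run Office is not installed and 'Unknown' for an unrecognised URL.
    param([string]$Key = $ClickToRunKey)
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if (-not $props -or -not $props.PSObject.Properties['CDNBaseUrl']) { return $null }
    $url  = $props.CDNBaseUrl.TrimEnd('/')
    $name = 'Unknown'
    foreach ($entry in $Office365ChannelUrls.GetEnumerator()) {
        if ($entry.Value -ieq $url) { $name = $entry.Key; break }
    }
    [pscustomobject]@{ Channel = $name; CDNBaseUrl = $props.CDNBaseUrl }
}

function Test-Office365Channel {
    # Discovery script: outputs 'Compliant' or 'NonCompliant' so the CI's
    # compliance rule can simply compare the returned string with 'Compliant'.
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Current', 'Deferred', 'FirstReleaseDeferred', 'FirstReleaseCurrent')]
        [string]$DesiredChannel
    )
    $state = Get-Office365Channel
    if ($null -ne $state -and $state.Channel -eq $DesiredChannel) { 'Compliant' } else { 'NonCompliant' }
}

function Set-Office365Channel {
    # Remediation script: set CDNBaseUrl for the desired channel, then trigger the
    # Hardware Inventory Cycle (...001) and Software Updates Scan Cycle (...113)
    # so the Office 365 dashboard and Software Center pick up the change.
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Current', 'Deferred', 'FirstReleaseDeferred', 'FirstReleaseCurrent')]
        [string]$DesiredChannel
    )
    Set-ItemProperty -Path $ClickToRunKey -Name CDNBaseUrl -Value $Office365ChannelUrls[$DesiredChannel]
    foreach ($scheduleId in '{00000000-0000-0000-0000-000000000001}', '{00000000-0000-0000-0000-000000000113}') {
        Invoke-WmiMethod -Namespace 'root\ccm' -Class SMS_Client -Name TriggerSchedule -ArgumentList $scheduleId | Out-Null
    }
    Get-Office365Channel
}

# Discovery script body for the CI (change the channel to suit):
Test-Office365Channel -DesiredChannel 'Current'
# Remediation script body for the CI:
# Set-Office365Channel -DesiredChannel 'Current'
```

Run Get-Office365Channel on its own first to confirm the machine really is on the channel the dashboard reports; an ‘Unknown’ result means CDNBaseUrl has been set to something outside this list and is worth investigating before the baseline overwrites it.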


One of the cool things in ConfigMgr 1610 is the Office 365 dashboard. This is found under Office 365 Client Management in the Software Library node. Previously it said it had 2 Office 365 Client channels set to Deferred Channel.


After initiating a Hardware Inventory cycle on the machine I deployed the baseline to, because I changed CDNBaseUrl to the Current Channel URL, you can see the Office 365 Client Management dashboard has changed from 2 Deferred Channel clients to 1 Deferred Channel and 1 Current Channel.


Also after initiating the software updates deployment scan cycle, you can see that Software Center updates have changed from Deferred Channel to Current Channel.


Intune Hybrid – Setting Edge homepage on Windows 10 machine using configuration baseline

This post will show how to set the Edge browser homepage on a Windows 10 machine enrolled in an Intune Hybrid environment with ConfigMgr 1610. I will create a configuration item, add it to a baseline, and then deploy the baseline to my Intune user collection. For a guide on setting up hybrid MDM with ConfigMgr, see Setup hybrid mobile device management (MDM) with System Center Configuration Manager and Microsoft Intune.

In the ConfigMgr console, right-click Configuration Items and select Create Configuration Item.


Give the configuration item a name, and select Windows 8.1 and Windows 10 under Settings for devices managed without the Configuration Manager client and click Next.


In the Supported Platforms section, select Windows 10 as the supported platform and click Next.

On the Device Settings section, select Configure additional settings that are not in the default settings groups and select Next.


In the Additional Settings section, click on Add.

In the Available Settings search bar, search for “home” then select Homepages and click Select.


I have given the rule a name and set the Homepages value to “nhogarth.net” (you can make this any site you like), then clicked OK.


Now click Select to select the setting you created.

On the Additional Settings page, click Next.


Click on Close to close the Completion screen.

Now we will create the Configuration Baseline and add the Configuration Item we created.


Give the baseline a name, and then click on Add, then Configuration Items.


Select the Available configuration item, then click on Add then click on OK.

Once the Configuration Item is added to the baseline, click on OK.

Now we will Deploy the baseline to our Intune user group. Right click on the baseline and click on Deploy.


With the configuration baseline selected (top right), tick Remediate noncompliant rules when supported and select your Intune user collection.


Now on our enrolled Windows 10 machine, we can check the compliance in the Company Portal to speed things up.


Now we can see that it has set our Edge browser to use the specified homepage from our Configuration Item.


Intune Hybrid – Deploy Office 365 click-to-run and enroll Windows 10 computer

This post will cover how to deploy Office 365 click-to-run to an enrolled Windows 10 machine using a Hybrid ConfigMgr 1610 environment with an Intune subscription. I will generate the .msi for Office 365 ProPlus and deploy it using ConfigMgr, enroll a Windows 10 machine, then install Office 365 ProPlus from the Company Portal using Click-to-Run.

My hybrid environment is already set up, and PC enrollment is already enabled. For this see https://docs.microsoft.com/en-us/sccm/mdm/understand/hybrid-mobile-device-management

First, to create the Office 365 click-to-run MSI that we will deploy from ConfigMgr to our Intune user group, download and install the “Microsoft Office ProPlus Install Toolkit” from http://officedev.github.io/Office-IT-Pro-Deployment-Scripts/XmlEditor.html


Install it and open it up. I have configured the options to what suits my environment. Have a good look through the options and customize it to your needs.


You can choose to exclude certain products if you like.


I have enabled updates.


I have set the Display Level to none, and accepted the EULA.


Make sure the install type is MSI and select the file path to output the MSI to.


Once you click Generate, you will be left with a 2 MB MSI which we will deploy through ConfigMgr to our Intune user group.


Now we will create the application in the ConfigMgr console.


Make sure to specify the type as Windows Installer through MDM (*.msi) and also specify the UNC path to the MSI generated earlier.


Click Yes.


Click Next.


Specify the information you would like here such as Name.


I have left all other options as default and clicked Next.


Now we will go to the properties of the application we created and choose to use a logo to display in the Company Portal.


Click on the Application Catalog tab, then browse to and select an icon you would like to use. I searched the web for an Office 365 icon and made sure it’s 250×250 in size or smaller.


Now we will deploy the application to our Intune user group.


Make sure to distribute the MSI to the Intune distribution point. Select Add, then Distribution Point, then select the manage.microsoft.com distribution point.


Click Next.


I am deploying this Application as Available so the user can install it from the Company Portal.


Now I will enroll my Windows 10 Pro 1607 machine. The prerequisites are here https://docs.microsoft.com/en-us/sccm/mdm/deploy-use/enroll-hybrid-windows

Click on Start, then Settings.


Select Accounts.


Click on Access work or school then click on Connect.


Enter in your details for an account with an Intune license.


Now the device is enrolled. If we take a look in the ConfigMgr console, we can see the Windows 10 machine is enrolled as a mobile device.


I have installed the Company Portal application from the Windows Store. Once opened, I can see Microsoft Office 365 ProPlus. Click on it, then click on Install.


If you load up Task Manager, you can see the setup files running.


After a while you can see the programs in the program list on the Windows 10 machine.
