Tag Archives: SCCM

SCCM 1706 – Azure AD Discovery

SCCM 1706 was recently released and one of the new features is Azure AD Discovery, which first appeared in Technical Preview 1705. This guide shows how to set up Azure AD User Discovery and then install the SCCM client on a workgroup machine on the Internet, without PKI certificates, through the Cloud Management Gateway.

For more information about SCCM 1706 see What’s new in version 1706 of System Center Configuration Manager

In my lab, I already have the Cloud Management Gateway set up. To set up the CMG you can see the documentation here https://docs.microsoft.com/en-us/sccm/core/clients/manage/setup-cloud-management-gateway

Once you have installed the 1706 update, expand Cloud Services, then right click on Azure Services and click Configure Azure Services

1706-azuread01

Select Cloud Management and click Next

1706-azuread02

Next create the Server and Client Apps. Click Browse on the Web App then click Create.

1706-azuread03

Enter an Application Name, Home Page URL and App ID URI, then sign in to Azure AD with an admin account; the wizard creates the web (server) app in Azure for you.

1706-azuread04

Select the app and click Ok.

1706-azuread05

Do the same for the Client App: give it an Application Name and a Reply URL, then sign in with an Azure admin account and the native client app is created in Azure.

1706-azuread06

Enable Azure Active Directory User Discovery.

1706-azuread07

You also need to grant the permissions requested by both the client app and the server app in Azure; until you do, SMS_AZUREAD_DISCOVERY_AGENT.log will show access denied errors.

1706-azuread08

Log in to https://portal.azure.com, go to Azure Active Directory, then App registrations. Select the app, go to Required permissions and click Grant Permissions. This is an admin consent for the whole tenant, so review the permissions listed before granting them. I did this for both the client app and the server app.

1706-azuread09

Looking back in SMS_AZUREAD_DISCOVERY_AGENT.log, the discovery is now successful and has discovered my Azure AD users.

1706-azuread10

You can view the Azure AD users in the SCCM console in \Assets and Compliance\Overview\Users\All Users

In the example below you can see that the user was discovered by SMS_AZUREAD_USER_DISCOVERY_AGENT.

1706-azuread11

In the SCCM console, in \Administration\Overview\Cloud Services\Azure Services, you can also run a full discovery by clicking Run Full Discovery Now, and view information about Azure AD Discovery like the Full Sync Schedule, Delta Sync Interval, and the Last Full Sync/Delta Sync time.

1706-azuread12

On an Azure AD joined Windows 10 machine, you can install the SCCM client manually without any PKI certificates; the client registers using its Azure AD identity instead. This is useful for workgroup machines that are not domain joined.

You can use the installation command below. AADCLIENTAPPID is the Application ID of the client app created earlier and AADRESOURCEURI is the App ID URI of the server app. Note that /NoCrlCheck disables certificate revocation checking of the CMG and management point certificates; it is fine in a lab but should not be used in production.

ccmsetup.exe /NoCrlCheck /Source:C:\CLIENT CCMHOSTNAME=SCCMPROXYCONTOSO.CLOUDAPP.NET/CCM_Proxy_ServerAuth/72457598037527932 SMSSiteCode=HEC AADTENANTID=780433B5-E05E-4B7D-BFD1-E8013911E543 AADTENANTNAME=contoso AADCLIENTAPPID= AADRESOURCEURI=https://contososerver

For a reference of how to obtain the information above, see https://docs.microsoft.com/en-us/sccm/core/clients/deploy/deploy-clients-cmg-azure#step-4-install-and-register-the-configuration-manager-client-using-azure-active-directory-identity


SCCM Cloud Management Gateway – Installing SCCM client on an Internet client manually

The Cloud Management Gateway in SCCM Current Branch allows you to manage computers on the Internet without deploying the traditional IBCM infrastructure. Microsoft have made some improvements in SCCM 1702 for the CMG regarding client registration.

This post will not go into how to set up the CMG, you can view Plan for cloud management gateway in Configuration Manager for that information.

This blog post will show you how you can use the CCMHOSTNAME property when manually installing the SCCM client to specify the Cloud Management Gateway as the management point. This isn’t official documentation from Microsoft, however it does work. The post assumes you have already issued a PKI client authentication certificate to the machine and installed it in the local computer certificate store, and that you have copied over the SCCM client installation files.

1 – On a machine that is on the internal network with the SCCM client installed, view the LocationServices.log and search for the Internet Management Point. You can see mine below highlighted in yellow. Copy the name of the Azure Cloud Management Gateway as you will need this for the CCMHOSTNAME property when installing the client

CMG01

2 – Launch a command prompt to run ccmsetup.exe and run the command ccmsetup.exe /UsePkiCert SMSSITECODE=<SiteCode> CCMHOSTNAME=<CMG copied above>

3 – Keep an eye on C:\Windows\ccmsetup\Logs\ccmsetup.log and ensure it successfully installs (“CcmSetup is exiting with return code 0”). My logs in C:\Windows\CCM\Logs now indicate that the client is registered (ClientIDManagerStartup.log) and communicating with the Cloud Management Gateway (CcmMessaging.log). The machine should now appear in the ConfigMgr console. I can also see in the Configuration Manager Properties of the client that it is Internet based.

CMG02

After it has installed successfully, you should see it communicating and retrieving policies.
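Both manual install commands on this page, the PKI one above and the Azure AD one in the 1706 post, are easy to get subtly wrong, and ccmsetup.exe returns before the install has actually finished. The PowerShell below is an added example, not code from the original posts: it validates the inputs, checks for a client authentication certificate on the PKI path, warns about the /NoCrlCheck trade-off, and then waits for the real return code in ccmsetup.log rather than trusting the bootstrap process. The function names, parameter names and every value in the sample calls are placeholders; the CCMHOSTNAME format check assumes the <service>.cloudapp.net/CCM_Proxy_<type>/<number> shape shown in the posts.

```powershell
# Added example (not from the original posts). Run elevated on the Internet client.
function Install-CmClientViaCmg {
    [CmdletBinding(DefaultParameterSetName = 'PKI')]
    param(
        [Parameter(Mandatory)] [string] $Source,       # folder holding ccmsetup.exe and the client files
        [Parameter(Mandatory)] [string] $SiteCode,     # three-character site code
        [Parameter(Mandatory)] [string] $CcmHostName,  # CMG name copied from LocationServices.log
        [Parameter(ParameterSetName = 'AzureAD', Mandatory)] [string] $AadTenantId,
        [Parameter(ParameterSetName = 'AzureAD', Mandatory)] [string] $AadTenantName,
        [Parameter(ParameterSetName = 'AzureAD', Mandatory)] [string] $AadClientAppId,
        [Parameter(ParameterSetName = 'AzureAD', Mandatory)] [string] $AadResourceUri,
        [switch] $NoCrlCheck,   # lab only: turns off revocation checking of the server certificates
        [switch] $DryRun        # print the command line and stop
    )

    if ($SiteCode -notmatch '^[A-Z0-9]{3}$') { throw "SiteCode '$SiteCode' is not a three-character site code." }
    # CMG names have the shape <service>.cloudapp.net/CCM_Proxy_<AuthType>/<number> (assumed from the posts)
    if ($CcmHostName -notmatch '^[A-Za-z0-9-]+\.cloudapp\.net/CCM_Proxy_\w+/\d+$') {
        throw "CcmHostName '$CcmHostName' does not look like a CMG name from LocationServices.log."
    }
    $setupExe = Join-Path $Source 'ccmsetup.exe'
    if (-not (Test-Path $setupExe)) { throw "ccmsetup.exe not found in $Source." }

    $ccmArgs = @("/Source:`"$Source`"", "SMSSITECODE=$SiteCode", "CCMHOSTNAME=$CcmHostName")

    if ($PSCmdlet.ParameterSetName -eq 'AzureAD') {
        $g = [guid]::Empty
        foreach ($id in $AadTenantId, $AadClientAppId) {
            if (-not [guid]::TryParse($id, [ref]$g)) { throw "'$id' is not a GUID (tenant ID and client app ID must be GUIDs)." }
        }
        if (-not ([uri]$AadResourceUri).IsAbsoluteUri) { throw 'AadResourceUri must be an absolute URI such as https://contososerver.' }
        $ccmArgs += "AADTENANTID=$AadTenantId", "AADTENANTNAME=$AadTenantName",
                    "AADCLIENTAPPID=$AadClientAppId", "AADRESOURCEURI=$AadResourceUri"
    }
    else {
        # PKI path: without a client-authentication certificate the install succeeds but the client
        # never registers, so check for one up front (EKU 1.3.6.1.5.5.7.3.2 with a private key).
        $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.HasPrivateKey -and $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2' } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
        if (-not $cert) { throw 'No Client Authentication certificate with a private key found in LocalMachine\My.' }
        Write-Verbose "Client certificate: $($cert.Subject) ($($cert.Thumbprint))"
        $ccmArgs += '/UsePkiCert'
    }

    if ($NoCrlCheck) {
        Write-Warning '/NoCrlCheck disables certificate revocation checking; do not use it outside a lab.'
        $ccmArgs += '/NoCrlCheck'
    }

    Write-Host "ccmsetup.exe $($ccmArgs -join ' ')"
    if ($DryRun) { return }

    # ccmsetup.exe hands the work to the ccmsetup service and exits almost at once, so its own exit
    # code says nothing about the install. Count existing result lines first so a stale log from a
    # previous attempt cannot be mistaken for this run.
    $log = "$env:windir\ccmsetup\Logs\ccmsetup.log"
    $pattern = 'CcmSetup is exiting with return code (\d+)'
    $seen = @(Select-String -Path $log -Pattern $pattern -ErrorAction SilentlyContinue).Count
    Start-Process -FilePath $setupExe -ArgumentList $ccmArgs -Wait
    Wait-CcmSetupResult -Log $log -Pattern $pattern -AlreadySeen $seen
}

function Wait-CcmSetupResult {
    param([string] $Log, [string] $Pattern, [int] $AlreadySeen, [int] $TimeoutMinutes = 30)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 15
        $hits = @(Select-String -Path $Log -Pattern $Pattern -ErrorAction SilentlyContinue)
        if ($hits.Count -gt $AlreadySeen) {
            $code = [int] $hits[-1].Matches[0].Groups[1].Value
            switch ($code) {
                0       { Write-Host 'Client installed; check ClientIDManagerStartup.log for registration next.' }
                7       { Write-Warning 'Client installed but a reboot is required.' }
                default { Write-Warning "ccmsetup finished with return code $code; see $Log." }
            }
            return $code
        }
    } while ((Get-Date) -lt $deadline)
    throw "ccmsetup did not finish within $TimeoutMinutes minutes; check $Log."
}

# Placeholder calls matching the two command lines in the posts:
# Install-CmClientViaCmg -Source 'C:\CLIENT' -SiteCode HEC -CcmHostName '<CMG from LocationServices.log>' -Verbose
# Install-CmClientViaCmg -Source 'C:\CLIENT' -SiteCode HEC -CcmHostName 'SCCMPROXYCONTOSO.CLOUDAPP.NET/CCM_Proxy_ServerAuth/72457598037527932' `
#     -AadTenantId 780433B5-E05E-4B7D-BFD1-E8013911E543 -AadTenantName contoso -AadClientAppId '<client app ID>' `
#     -AadResourceUri https://contososerver -NoCrlCheck -DryRun
```

Run with -DryRun first to see the exact command line that will be executed; the Azure AD parameter set is selected automatically as soon as any AAD* parameter is supplied, and the PKI set otherwise.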


SCCM Current Branch 1702 – Automatically close executable files before installation

A nice new feature in SCCM Current Branch 1702 is the ability to set the “Install Behavior” on a deployment type so that, for a Required deployment, specified executables are closed automatically, or, for an Available deployment, the user is told that the installation failed because those executables are running. This is useful for deployments where certain processes cannot be running, for example an Outlook add-in where Outlook (or other Office applications) must be closed first.

One thing to note is that the client needs to be upgraded to the 1702 version first, otherwise the setting has no effect. This post will quickly show how to configure the Install Behavior and what the user experience looks like for an Available application.

After upgrading the client to the latest version, open the properties of the Deployment Type of an existing Application (7-Zip here) and go to the Install Behavior tab. Click Add, type in the executable file name and give it a display name.

autoclose01

This application is deployed as Available, not Required. In the screenshot below the executable is open on the right-hand side; I then install 7-Zip.

autoclose02

Now you can see the installation has failed because the executable I specified earlier is running. If the deployment were Required, the specified executables would be closed automatically instead.

autoclose03

SCCM Current Branch 1702 – Office 365 Installer

SCCM Current Branch 1702 introduces the “Office 365 ProPlus Installer” (this feature was seen in the technical previews). The Office 365 ProPlus Installer lets you specify your Office 365 ProPlus settings (excluded apps, update channel etc.), download the Office 365 ProPlus files, create the Application and Deployment Type, and deploy the application if you choose to.

Before this feature was released, you needed to use the Office Deployment Tool (ODT) to download the Office 365 ProPlus files, write an XML with the Office 365 configuration settings, and then create an Application in SCCM by hand.

This post will show how you can leverage the new Office 365 Installer in SCCM Current Branch version 1702 to create, download and deploy an Office 365 ProPlus package without having to use the Office Deployment Tool.

Open the SCCM console, go to the Software Library node, expand the Office 365 Client Management folder and click Office 365 Installer.

Office365Deploy1

Give it a name and content location:

Office365Deploy2

You can use an existing XML with the Office 365 ProPlus configuration you have created, or manually create one using this wizard. I have chosen to manually create the XML:

Office365Deploy3

Specify your settings. I have chosen the Office 365 ProPlus suite, and have chosen to exclude the old Groove OneDrive for Business client.

Office365Deploy4

Select your architecture. I am using 32bit, and have chosen to use the Deferred channel.

Office365Deploy5

I have said Yes to deploy the application.

Office365Deploy6

Chosen my collection to deploy it to

Office365Deploy7

Added my distribution point

Office365Deploy8

I am deploying mine as Available

Office365Deploy9

Settings here are left as default.

Office365Deploy10

Default again

Office365Deploy11

Default again

Office365Deploy12

Click next to start downloading the Office 365 ProPlus files

Office365Deploy13

After it has finished, you can see that an Application has been created with a deployment type and deployed to the collection specified earlier.

Office365Deploy15

Changing Office 365 ProPlus Update Channel with ConfigMgr 1610

This post will show how you can use the compliance settings in SCCM to change the update channel of Office 365 ProPlus by changing the CDNBaseUrl value in the registry. This is useful if you want to move some clients from Current Channel to Deferred Channel or from Deferred Channel to Current Channel.

This post assumes you are running ConfigMgr Current Branch 1610 and have the Client Settings set to “Enable management of the Office 365 Client Agent” in the Software Updates section, and have configured ConfigMgr 1610 to deploy updates for Office 365. More info about that can be read here Manage Office 365 ProPlus updates with Configuration Manager

In the ConfigMgr console, create a new Configuration Item

office365_01

Give it a name and click Next.

office365_02

Click on New so you can add a new setting.

office365_03

I have clicked on Browse near the Hive Name and connected to another machine with Office 365 installed and browsed to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration\CDNBaseUrl

office365_04_1

Select CDNBaseUrl and tick “The selected registry value must exist on client devices”.

office365_04_2

Click OK and it should look like this

office365_04

Click on the Compliance Rules tab and click New.

office365_04_3

Now, with the setting selected, change the “Equals the following values” entry to the CDNBaseUrl of the update channel you would like to change to. For example, mine was previously set to Deferred Channel, so I pasted in the URL for Current Channel.

For reference I have copied the URL’s from Change the update channel after you enable Office 365 clients to receive updates from Configuration Manager and pasted them below:

office365_06

Click on OK.

office365_07

Click Next.

office365_08

Click Next.

office365_09

Click Next.

office365_10

Click Close.

office365_11

Now we will create the Configuration Baseline and add the previously created Configuration Item.

office365_12

Click on Add, then select Configuration Item.

office365_13

Select the previously created Configuration Item and click Add.

office365_14

Now we will deploy it to a collection to test it.

office365_15

Make sure the correct configuration baseline is selected, tick Remediate noncompliant rules when supported, and choose a test collection to deploy it to (my All Workstations collection is in a lab, not a production environment).

office365_16

Now, on a machine in the collection you deployed the baseline to, once the machine has received policy you should see the baseline in the Configurations tab of the Configuration Manager client properties. Click Evaluate and wait for the compliance state to change from Unknown to Compliant.
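The same check and remediation that the registry-based Configuration Item above performs can be written as a script, which is handy for testing on one machine before a baseline goes out and for seeing exactly what a client reports. The PowerShell below is an added example, not code from the original post. The function names are mine; the channel URLs are the CDNBaseUrl values Microsoft published for the Office 365 ProPlus channels at the time of the post (the page itself only shows them in a screenshot), so confirm them against the current documentation before deploying. The two schedule IDs at the end are the ConfigMgr client triggers for the Hardware Inventory and Software Updates Scan cycles that the post runs by hand afterwards.

```powershell
# Added example (not from the original post). Run on a client with Office 365 ProPlus Click-to-Run installed.
$ClickToRunKey = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'

# CDNBaseUrl per channel (assumed from Microsoft's published list; verify before use)
$ChannelUrls = @{
    Current              = 'http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60'
    Deferred             = 'http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114'
    FirstReleaseCurrent  = 'http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be'
    FirstReleaseDeferred = 'http://officecdn.microsoft.com/pr/b8f9b850-328d-4355-9145-c59439a0c4cf'
}

function Get-OfficeChannelName {
    # Reverse lookup: which channel a CDNBaseUrl value belongs to ('Unknown' if it is not one of ours)
    param([string] $CdnBaseUrl)
    $normalized = $CdnBaseUrl -replace '/$', ''
    foreach ($name in $ChannelUrls.Keys) {
        if ($ChannelUrls[$name] -eq $normalized) { return $name }
    }
    return 'Unknown'
}

function Get-OfficeUpdateChannel {
    # Returns $null when Click-to-Run Office is not installed (key or value missing)
    $cfg = Get-ItemProperty -Path $ClickToRunKey -Name CDNBaseUrl -ErrorAction SilentlyContinue
    if (-not $cfg) { return $null }
    [pscustomobject]@{ CDNBaseUrl = $cfg.CDNBaseUrl; Channel = Get-OfficeChannelName $cfg.CDNBaseUrl }
}

function Test-OfficeUpdateChannel {
    # Discovery: emits Compliant / NonCompliant / NotApplicable, the shape a script-based CI expects
    param([Parameter(Mandatory)] [ValidateSet('Current','Deferred','FirstReleaseCurrent','FirstReleaseDeferred')] [string] $Desired)
    $current = Get-OfficeUpdateChannel
    if ($null -eq $current) { return 'NotApplicable' }
    if ($current.Channel -eq $Desired) { 'Compliant' } else { 'NonCompliant' }
}

function Set-OfficeUpdateChannel {
    # Remediation: write the CDNBaseUrl for the desired channel and optionally nudge the ConfigMgr client
    param(
        [Parameter(Mandatory)] [ValidateSet('Current','Deferred','FirstReleaseCurrent','FirstReleaseDeferred')] [string] $Desired,
        [switch] $TriggerInventory
    )
    Set-ItemProperty -Path $ClickToRunKey -Name CDNBaseUrl -Value $ChannelUrls[$Desired]
    if ($TriggerInventory) {
        # ...001 = Hardware Inventory Cycle (feeds the Office 365 dashboard)
        # ...113 = Software Updates Scan Cycle (refreshes the channel shown in Software Center)
        foreach ($scheduleId in '{00000000-0000-0000-0000-000000000001}', '{00000000-0000-0000-0000-000000000113}') {
            Invoke-WmiMethod -Namespace root\ccm -Class SMS_Client -Name TriggerSchedule -ArgumentList $scheduleId | Out-Null
        }
    }
}

# Example: move a test machine from Deferred to Current and verify
# Get-OfficeUpdateChannel                      # e.g. Channel = Deferred
# Set-OfficeUpdateChannel -Desired Current -TriggerInventory
# Test-OfficeUpdateChannel -Desired Current    # Compliant
```

The registry write needs administrative rights, and the channel only takes effect on the next Click-to-Run update run; the trailing-slash normalisation in Get-OfficeChannelName is there because the value is sometimes seen with and sometimes without one.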

office365_17

One of the cool things in ConfigMgr 1610 is the Office 365 dashboard. This is found under Office 365 Client Management in the Software Library node. Previously it said it had 2 Office 365 Client channels set to Deferred Channel.


After initiating a Hardware Inventory cycle on the machine I deployed the baseline to, because CDNBaseUrl was changed to the Current Channel URL, the Office 365 Client Management dashboard has changed from showing 2 Deferred Channel clients to 1 Deferred Channel and 1 Current Channel.

office365_18office365_19

Also, after initiating the Software Updates Scan Cycle, you can see that the updates in Software Center have changed from Deferred Channel to Current Channel.

office365_20office365_21


Intune Hybrid – Setting Edge homepage on Windows 10 machine using configuration baseline

This post will show how to set the Edge browser homepage on a Windows 10 machine enrolled in an Intune Hybrid environment with ConfigMgr 1610. I will create a configuration item, add it to a baseline, and then deploy the baseline to my Intune user collection. For a guide on setting up hybrid MDM with ConfigMgr, see Setup hybrid mobile device management (MDM) with System Center Configuration Manager and Microsoft Intune

In the ConfigMgr console, right click Configuration Items and select Create Configuration Item

edge01

Give the configuration item a name, and select Windows 8.1 and Windows 10 under Settings for devices managed without the Configuration Manager client and click Next.

edge02

In the Supported Platforms section, select Windows 10 as the supported platform and click Next.

On the Device Settings section, select Configure additional settings that are not in the default settings groups and select Next.

edge03

In the Additional Settings section, click on Add.

In the Available Settings search bar, search for “home” then select Homepages and click Select.

edge04

I have given the rule a name and set the Homepages value to “nhogarth.net” – you can make this any site you like – then clicked OK.

edge05

Now click Select to select the setting you created.

On the Additional Settings page, click Next.

edge06

Click on Close to close the Completion screen.

Now we will create the Configuration Baseline and add the Configuration Item we created.

edge07

Give the baseline a name, and then click on Add, then Configuration Items.

edge08

Select the Available configuration item, then click on Add then click on OK.

Once the Configuration Item is added to the baseline, click on OK.

Now we will Deploy the baseline to our Intune user group. Right click on the baseline and click on Deploy.

edge09

With the configuration baseline selected (top right), tick Remediate noncompliant rules when supported, and select your Intune user collection.

edge10

Now, on our enrolled Windows 10 machine, we can run a compliance check from the Company Portal to speed things up.

edge11

Now we can see that it has set our Edge browser to use the specified homepage from our Configuration Item.

edge12

Intune Hybrid – Deploy Office 365 click-to-run and enroll Windows 10 computer

This post will cover how to deploy Office 365 click-to-run to an enrolled Windows 10 machine using a Hybrid ConfigMgr 1610 environment with an Intune subscription. I will generate the .msi for Office 365 ProPlus and deploy it using ConfigMgr, enroll a Windows 10 machine, then install Office 365 ProPlus from the Company Portal using Click-to-Run.

My hybrid environment is already set up, and PC enrollment is already enabled. For this see https://docs.microsoft.com/en-us/sccm/mdm/understand/hybrid-mobile-device-management

First, to create the Office 365 click-to-run .msi which we will deploy from ConfigMgr to our Intune user group, download and install the “Microsoft Office ProPlus Install Toolkit” from http://officedev.github.io/Office-IT-Pro-Deployment-Scripts/XmlEditor.html

microsoft-office-proplus-install-toolkit

Install it and open it up. I have configured the options to what suits my environment. Have a good look through the options and customize it to your needs.

mdmoffice3651

mdmoffice362

mdmoffice363

You can choose to exclude certain products if you like.

mdmoffice3654

mdmoffice3655

I have enabled updates.

mdmoffice3656

I have set the Display Level to none, and accepted the EULA.

mdmoffice3657

Make sure the install type is MSI and select the file path to output the msi.

mdmoffice3658

Once you click Generate, you will be left with a 2 MB .msi which we will deploy through ConfigMgr to our Intune user group.
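The Office 365 Installer wizard in the 1702 post above and the ProPlus Install Toolkit used here both end up writing the same Office Deployment Tool configuration XML; seeing it makes the choices made in those wizards (suite, excluded apps, edition, channel, silent display, accepted EULA, updates) concrete, and it is what you would hand to setup.exe if you had to do it without either tool. The PowerShell below is an added example, not code from either post or tool: it builds that XML from the settings chosen in the posts using the ODT element and attribute names (Add, Product, Language, ExcludeApp, Updates, Display, Logging). The function name and its defaults are mine.

```powershell
# Added example (not from the original posts): build an Office Deployment Tool configuration.xml
function New-OdtConfiguration {
    [CmdletBinding()]
    param(
        [ValidateSet('32','64')] [string] $Edition = '32',
        [ValidateSet('Current','Deferred','FirstReleaseCurrent','FirstReleaseDeferred')] [string] $Channel = 'Deferred',
        [string]   $ProductId  = 'O365ProPlusRetail',   # the Office 365 ProPlus suite
        [string[]] $Language   = @('en-us'),
        [string[]] $ExcludeApp = @('Groove'),           # the old Groove OneDrive for Business client
        [switch]   $DisableUpdates,
        [string]   $SourcePath                          # optional: local/UNC folder with pre-downloaded files
    )

    # Build with the DOM so attribute values are escaped correctly (paths, names with & or < etc.)
    $doc  = New-Object System.Xml.XmlDocument
    $root = $doc.AppendChild($doc.CreateElement('Configuration'))

    $add = $root.AppendChild($doc.CreateElement('Add'))
    $add.SetAttribute('OfficeClientEdition', $Edition)
    $add.SetAttribute('Channel', $Channel)
    if ($SourcePath) { $add.SetAttribute('SourcePath', $SourcePath) }

    $product = $add.AppendChild($doc.CreateElement('Product'))
    $product.SetAttribute('ID', $ProductId)
    foreach ($l in $Language)   { $product.AppendChild($doc.CreateElement('Language')).SetAttribute('ID', $l) }
    foreach ($a in $ExcludeApp) { $product.AppendChild($doc.CreateElement('ExcludeApp')).SetAttribute('ID', $a) }

    # Updates on/off and the channel the client keeps following after install
    $updates = $root.AppendChild($doc.CreateElement('Updates'))
    $updates.SetAttribute('Enabled', $(if ($DisableUpdates) { 'FALSE' } else { 'TRUE' }))
    $updates.SetAttribute('Channel', $Channel)

    # Silent install with the EULA accepted, as chosen in the toolkit screenshots
    $display = $root.AppendChild($doc.CreateElement('Display'))
    $display.SetAttribute('Level', 'None')
    $display.SetAttribute('AcceptEULA', 'TRUE')

    $logging = $root.AppendChild($doc.CreateElement('Logging'))
    $logging.SetAttribute('Level', 'Standard')
    $logging.SetAttribute('Path', '%temp%')

    # Pretty-print so the file is readable in the application's content source
    $sw = New-Object System.IO.StringWriter
    $xw = New-Object System.Xml.XmlTextWriter($sw)
    $xw.Formatting = 'Indented'
    $doc.WriteTo($xw)
    $xw.Flush()
    return $sw.ToString()
}

# Usage: the same settings as the 1702 post (32-bit, Deferred channel, Groove excluded)
$configXml = New-OdtConfiguration -Edition 32 -Channel Deferred -ExcludeApp Groove
$configXml
[xml] $configXml | Out-Null          # round-trip check: throws if the document is not well-formed
# $configXml | Set-Content -Path .\configuration.xml -Encoding UTF8
# .\setup.exe /download .\configuration.xml    # ODT: pull the source files
# .\setup.exe /configure .\configuration.xml   # ODT: install silently with these settings
```

If you compare the output with the XML the 1702 wizard writes into the application's content folder, the differences should only be in ordering and in the attributes you did not set.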

mdmoffice3659

mdmoffice36510

Now we will create the application in the ConfigMgr console

mdmoffice36511

Make sure to specify the type as Windows Installer through MDM (*.msi) and also specify the UNC path to the earlier generated msi.

mdmoffice36512

Click Yes.

mdmoffice36513

Click Next.

mdmoffice36514

Specify the information you would like here such as Name.

mdmoffice36515

I have left all other options as default and clicked Next.

mdmoffice36516

Now we will go to the properties of the application we created and choose to use a logo to display in the Company Portal.

mdmoffice36517

Click on the Application Catalog tab, then browse and select an icon you would like to use. I searched the web for an Office 365 icon and made sure it is 250×250 pixels or smaller.

mdmoffice36518

Now we will deploy the application to our Intune user group.

mdmoffice36519

mdmoffice36520

Make sure to distribute the msi to the Intune distribution point. Select Add then Distribution Point, then select the manage.microsoft.com distribution point.

mdmoffice36522

mdmoffice36523

Click Next

mdmoffice36524

I am deploying this Application as Available so the user can install it from the Company Portal.

mdmoffice36525

mdmoffice36526

Now I will enroll my Windows 10 Pro 1607 machine. The prerequisites are here https://docs.microsoft.com/en-us/sccm/mdm/deploy-use/enroll-hybrid-windows

Click on Start, then Settings.

enrollwin10-01

Select Accounts

enrollwin10-02

Click on Access work or school then click on Connect.

enrollwin10-03

Enter in your details for an account with an Intune license.

enrollwin10-04

enrollwin10-05

enrollwin10-06

enrollwin10-07

Now the device is enrolled. If we take a look in the ConfigMgr console, we can see the Windows 10 machine is enrolled as a mobile device.

enrollwin10-08

I have installed the Company Portal application from the Windows Store. Once opened, I can see the Microsoft Office 365 ProPlus. Click on it, then click on Install.

o365-01

If you load up Task Manager, you can see the setup files running.

o365-02

After a while you can see the programs in the program list on the Windows 10 machine.

o365-03

Adding Intune subscription to ConfigMgr for Hybrid MDM

This post will show you how to add an Intune subscription to ConfigMgr  for Hybrid MDM and enable enrollment for iOS devices.

To see the benefits of using Intune with ConfigMgr rather than standalone, Microsoft has a good post Choose between Microsoft Intune standalone and hybrid mobile device management with System Center Configuration Manager

My current on-prem environment looks like this:

  • ConfigMgr Current Branch version 1606.
  • User collection created with users whose devices can be enrolled
  • Custom domain added and verified in the Office 365 admin portal
  • Azure AD Connect set up to synchronize my user accounts to Azure AD. Steps to set this up are here
  • Intune subscription (You can get a 30 day trial subscription here)

First step to add the Intune subscription is to go into Cloud Services then right click Microsoft Intune Subscriptions and select Add Microsoft Intune Subscription

intune1

Have a read of the Getting Started and click Next.

intune2

Sign in with your Intune account

intune3

Read the notice and, if you agree, tick the checkbox. This sets Configuration Manager as the MDM authority for the Intune tenant, and you can’t change it back unless you contact Microsoft Support.

intune4

Enter in your Intune username and password

intune5

Once you’re signed in, click on Next

intune6

Select the user collection with users whose devices can be enrolled. You can configure your company name and any other settings you like and click Next

intune7

Fill in any other information you would like and click Next

intune8

Specify a company logo if you like and click Next.

intune9

Select the user that you would like to be the Device Enrollment Manager. You can see more info here

intune10

If you would like to use MFA, select the enable checkbox and Next.

intune11

Confirm your settings and click Next.

intune12

Once it’s finished, click Close. You can check Cloudusersync.log to make sure the role was set up successfully and look out for any errors.

intune13

Next we will create an APNs certificate request. The Apple Push Notification service (APNs) certificate is used to establish a trust relationship between the management service (Intune) and enrolled iOS devices.

intune14

intune15

intune16

Next we will log in to the Apple Push Certificates Portal with an Apple ID. The link is here

intune17

Click on Create Certificate

intune18

Click Accept if you accept the terms and conditions.

intune19

Upload the certificate request you downloaded from the ConfigMgr console earlier.

intune20

Now Download the certificate

intune21

Now we will configure the iOS platform.

intune22

Click Enable and browse to the certificate you downloaded before and click Ok.

intune23

ConfigMgr CB 1610 – Cloud Management Gateway

One of the features in the newly released 1610 update for ConfigMgr Current Branch is the pre-release Cloud Management Gateway. This is similar to the Azure Cloud Proxy feature released in the Technical Preview 1606. I wrote a post on this here.

One thing that seems to be different from the TP is that an on-prem distribution point isn’t supported for cloud management gateway traffic. You will need to set up an Azure cloud-based distribution point for clients to download content (applications etc.). The Management Point and Software Update Point, however, can be enabled to receive cloud management gateway traffic.

You can see the limitations of the Cloud Management Gateway here

This post will show you how I set up the Cloud Management Gateway in a lab. I won’t dive into the certificates part but information can be found at Step-by-step example deployment of the PKI certificates for System Center Configuration Manager: Windows Server 2008 Certification Authority and

A bit of info about my setup:

  • Azure subscription (you can get a trial here)
  • ConfigMgr Current Branch 1610 environment
  • Azure Management certificate uploaded to manage.windowsazure.com
  • Cloud management gateway certificate for <name>.cloudapp.net. Info for that can be found here Note: this name needs to be unique and cannot exist in Azure
  • Workstation (client authentication) certificate installed on clients, and the root CA certificate that issued it exported, as the CMG needs it as the client certificate root
  • Management Point and SUP configured for HTTPS
  • Windows 10 client with Workstation Certificate enrolled to test 

As this is a pre-release feature, I enabled it when installing the 1610 update

clouggw01

Now you will see the Cloud Management Gateway under the Cloud Services section. Click Create.

clouggw02

Enter your Azure Subscription ID, which can be found in portal.azure.com or manage.windowsazure.com, and select the Management Certificate (which needs to already be uploaded to Azure).

clouggw04

When the cloud service PKI certificate is selected from the Browse button, the service name and FQDN will automatically be filled in (this is the common name from when the certificate was requested). Make sure a unique name was chosen earlier for the certificate as it will create a cloud service in Azure with <name>.cloudapp.net

Also specify the client certificate root. You can see instructions here. Make sure this is done properly, otherwise clients get certificate errors when trying to connect to the Management Point.

clouggw05

You have the ability to set thresholds to create alerts regarding the outbound traffic as Azure charges you based on the Outbound traffic.

clouggw06

clouggw07

You can watch the provisioning status. Or even better, examine the  CloudMgr.log so you can see exactly what is going on and look out for any issues or errors.

clouggw08

Enable the site to use PKI client certificates. The workstations that communicate with the Cloud Management Gateway need a Workstation certificate enrolled. Workstation certificates are covered here.

clouggw09

Next the Cloud Management Gateway connection point role will be added.

clouggw10

The information is filled in automatically

clouggw11

Once the role has been added, the Management Point and Software Update Point need to allow Cloud Management Gateway traffic. Make sure the Web Server certificate for the MP/WSUS is configured in IIS. There is a guide on that here 

clouggw11_2clouggw11_3

On the client, while it has a connection to the Internal network, you can restart SMS Agent Host service so it picks up the new Internet management point.

Once that is done on my client, I have given the machine only Internet access and no internal network access. I have restarted SMS Agent Host and you can see in LocationServices.log it is using the Cloud Management Gateway and the ConfigMgr client connection type is set to Internet.
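Every log this page tells you to watch (SMS_AZUREAD_DISCOVERY_AGENT.log for the Azure AD discovery, ccmsetup.log, ClientIDManagerStartup.log and CcmMessaging.log for the client install, Cloudusersync.log for the Intune subscription, CloudMgr.log for the CMG provisioning and LocationServices.log for the switch to the Internet management point) uses the same CMTrace entry format, so one parser serves all of them. The PowerShell below is an added example, not code from the original posts; the function names are mine and the sample entries are constructed in the CMTrace format to exercise the parser, not copied from real logs.

```powershell
# Added example (not from the original posts): parse CMTrace-format logs and pull out warnings/errors.
function ConvertFrom-CmLog {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [string[]] $Line)
    begin {
        # One entry: <![LOG[message]LOG]!><time="HH:mm:ss.fff+offset" date="MM-dd-yyyy" component=".." context=".." type="N" thread="N" file="..">
        $entryPattern = '^<!\[LOG\[(?<msg>[\s\S]*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<component>[^"]*)"\s+context="[^"]*"\s+type="(?<type>\d)"\s+thread="(?<thread>\d+)"\s+file="(?<file>[^"]*)">'
        $severityNames = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }
        $pending = $null
    }
    process {
        foreach ($l in $Line) {
            # A message may contain line breaks, so keep accumulating until the closing tag shows up
            $pending = if ($null -eq $pending) { $l } else { "$pending`n$l" }
            if ($pending -notmatch '\]LOG\]!><time=') { continue }
            $entry   = $pending
            $pending = $null
            if (-not ($entry -match $entryPattern)) { Write-Verbose "Skipping unparseable entry: $entry"; continue }
            $severity = $severityNames[$Matches.type]
            if (-not $severity) { $severity = 'Info' }          # type="0" is used by some components
            $stamp = '{0} {1}' -f $Matches.date, ($Matches.time -replace '[+-]\d+$', '')   # drop the UTC offset
            [pscustomobject]@{
                Timestamp = [datetime]::ParseExact($stamp, 'MM-dd-yyyy HH:mm:ss.fff', [cultureinfo]::InvariantCulture)
                Component = $Matches.component
                Severity  = $severity
                Thread    = [int] $Matches.thread
                Message   = $Matches.msg
            }
        }
    }
}

function Get-CmLogProblems {
    # Warnings and errors from the tail of a log, e.g. Get-CmLogProblems "$env:windir\ccmsetup\Logs\ccmsetup.log"
    param([Parameter(Mandatory)] [string] $Path, [int] $Tail = 2000)
    Get-Content -Path $Path -Tail $Tail | ConvertFrom-CmLog | Where-Object { $_.Severity -ne 'Info' }
}

# Constructed sample entries in the CMTrace format (illustrative, not taken from real logs).
$sample = @(
    '<![LOG[Current Internet Management Point is SCCMPROXYCONTOSO.CLOUDAPP.NET/CCM_Proxy_ServerAuth/72457598037527932]LOG]!><time="09:12:01.450+000" date="08-15-2017" component="LocationServices" context="" type="1" thread="3124" file="lsad.cpp:1500">',
    '<![LOG[Client is set to use Internet connection type]LOG]!><time="09:12:01.612+000" date="08-15-2017" component="LocationServices" context="" type="1" thread="3124" file="lsad.cpp:1510">',
    '<![LOG[Failed to retrieve policy from the management point, will retry]LOG]!><time="09:14:30.020+000" date="08-15-2017" component="PolicyAgent" context="" type="2" thread="4100" file="policyagent.cpp:300">',
    '<![LOG[Azure AD user discovery request was refused: access denied for the server app]LOG]!><time="09:15:44.003+000" date="08-15-2017" component="SMS_AZUREAD_DISCOVERY_AGENT" context="" type="3" thread="7788" file="aaddiscovery.cpp:221">'
)

$entries = $sample | ConvertFrom-CmLog
# Anything that needs attention, regardless of which log it came from
$entries | Where-Object { $_.Severity -ne 'Info' } | Format-Table Timestamp, Component, Severity, Message -AutoSize
# Confirm the client has switched to the CMG, the check the post makes by hand in LocationServices.log
$entries | Where-Object { $_.Component -eq 'LocationServices' -and $_.Message -match 'cloudapp\.net' } |
    Select-Object -ExpandProperty Message

# Against real logs on a client or site server:
# Get-CmLogProblems -Path "$env:windir\CCM\Logs\LocationServices.log"
# Get-CmLogProblems -Path "$env:windir\CCM\Logs\CcmMessaging.log"
```

Pipe `Get-Content -Wait` into ConvertFrom-CmLog to follow a log live while a client installs or a CMG provisions; the buffering logic means a multi-line entry is only emitted once its closing tag has arrived.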

clouggw12

If you’re curious about what it looks like in Azure, go to portal.azure.com and open Cloud Services (classic); you can see the ProxyService role it created, which runs on an A2 VM instance.

clouggw13

ConfigMgr CB 1610 Software updates dashboard

One of the nice new enhancements that came with the recently released 1610 update for ConfigMgr current branch is the Software Updates Dashboard. This dashboard is available in the Monitoring > Overview > Security section in the ConfigMgr console

If you haven’t installed update 1610 yet, here is what the dashboard looks like:

sudashboard01