Channel: Configuration Manager – Coretech Blog

Create Boundaries in ConfigMgr based on your DHCP-Scope using PowerShell


The sample script is at the end of this article.

I was recently at a customer that wanted to add new boundaries based on their DHCP scopes. This would be a very easy task if they only had a few, but they had well over two hundred scopes, so I decided to create a PowerShell script to do the job. One thing you need to bear in mind when doing this is that a DHCP scope can range from 10.10.10.1 – 10.10.10.254, which means that when creating these boundaries all clients in this range are covered and no one is left out. However, a DHCP scope can also range from 10.10.10.100 – 10.10.10.200, which means that if a computer or server is not using DHCP but has been given an IP address like 10.10.10.43 by an administrator (outside the scope), and that computer or server has a ConfigMgr agent, it would fall outside the boundary and would not be managed by ConfigMgr.

Now let's get to the good stuff. First and foremost, we need to export the DHCP scopes to a comma-separated CSV file. Run this command on your DHCP server:

Get-DhcpServerv4Scope | select Name,StartRange,EndRange | Export-Csv C:\Temp\DhcpServerv4Scope.csv

Open the CSV file in Notepad to check that the Name, StartRange and EndRange columns were exported correctly.

Next, save the CSV file on a drive on the ConfigMgr primary site server where you want to import the boundaries. In my environment I have used D:\Scripts.

Then open an elevated PowerShell prompt and run the script from the folder containing the CSV file (the script looks for DhcpServerv4Scope.csv next to itself).

You should then be able to see all your newly created boundaries in your ConfigMgr console!


The Script:

<#
    .NOTES
    ===========================================================================
    Created on:    28.02.2016 09.31
    Created by:    Marius A. Skovli
    Organization:  Coretech
    Filename:      CreateBoundaries.
    ===========================================================================
    .DESCRIPTION
    Creates boundaries in SCCM based on DHCP scopes.
#>

#----
# On the DHCP server run this to get the CSV file:
# Get-DhcpServerv4Scope | select Name,StartRange,EndRange | Export-Csv C:\Temp\DhcpServerv4Scope.csv
#----

#----
# Import the ConfigMgr module and connect to the site drive
#----

Import-Module $env:SMS_ADMIN_UI_PATH.Replace("\bin\i386","\bin\configurationmanager.psd1")

$SiteCode = Get-PSDrive -PSProvider CMSITE
Set-Location "$($SiteCode.Name):\"

#----
# Import boundaries from the CSV file (expected next to this script)
#----

$Boundaries = Import-Csv `
    -Path "$PSScriptRoot\DhcpServerv4Scope.csv"

foreach ($Boundary in $Boundaries) {

    Write-Output -InputObject "Creating $($Boundary.Name)"

    # Create an IP range boundary named after the scope, covering exactly
    # the DHCP range StartRange-EndRange (see the note above about
    # statically addressed hosts outside that range)
    New-CMBoundary `
        -Name $Boundary.Name `
        -Type IPRange `
        -Value "$($Boundary.'StartRange')-$($Boundary.'EndRange')" |
            Out-Null
}
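The narrow-scope problem described at the start of this post can be checked for before the boundaries are created. The script below is an added example, not the original script; it assumes the CSV was exported with the SubnetMask column included (a property Get-DhcpServerv4Scope does return), and the sample scope object is constructed from the post's own 10.10.10.100–200 case.

```powershell
# Added example, not the original script: compare each DHCP scope with its
# subnet mask before creating the boundary, so hosts with static addresses
# outside the scope (the 10.10.10.43 case above) are not silently left out.
# Assumes the CSV was exported with the mask included:
#   Get-DhcpServerv4Scope | Select-Object Name,StartRange,EndRange,SubnetMask |
#       Export-Csv C:\Temp\DhcpServerv4Scope.csv -NoTypeInformation

function ConvertTo-IPNumber {
    # Dotted IPv4 string -> integer (kept as Int64 so bitwise ops stay unsigned)
    param([Parameter(Mandatory)][string]$IPAddress)
    $bytes = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    [Array]::Reverse($bytes)   # network byte order -> little-endian for BitConverter
    return [int64][System.BitConverter]::ToUInt32($bytes, 0)
}

function ConvertFrom-IPNumber {
    param([Parameter(Mandatory)][int64]$Number)
    $bytes = [System.BitConverter]::GetBytes([uint32]$Number)
    [Array]::Reverse($bytes)
    return ([System.Net.IPAddress]::new($bytes)).ToString()
}

function Get-BoundaryRange {
    param(
        [Parameter(Mandatory)]$Scope,   # object with Name, StartRange, EndRange, SubnetMask
        [switch]$WholeSubnet             # widen the boundary to the full usable host range
    )
    $start = ConvertTo-IPNumber $Scope.StartRange
    $end   = ConvertTo-IPNumber $Scope.EndRange
    $mask  = ConvertTo-IPNumber $Scope.SubnetMask
    $network   = $start -band $mask
    $broadcast = $network -bor (4294967295 -bxor $mask)   # 4294967295 is parsed as Int64
    $firstHost = $network + 1
    $lastHost  = $broadcast - 1
    # True only when the scope hands out every usable address in the subnet
    $fullCoverage = ($start -eq $firstHost) -and ($end -eq $lastHost)
    if ($WholeSubnet) { $start = $firstHost; $end = $lastHost }
    [pscustomobject]@{
        Name         = $Scope.Name
        Value        = '{0}-{1}' -f (ConvertFrom-IPNumber $start), (ConvertFrom-IPNumber $end)
        FullCoverage = $fullCoverage
    }
}

# Constructed sample matching the post's narrower-scope case (not a real export)
$sampleScope = [pscustomobject]@{
    Name = 'Office'; StartRange = '10.10.10.100'; EndRange = '10.10.10.200'; SubnetMask = '255.255.255.0'
}
Get-BoundaryRange -Scope $sampleScope                # scope kept as-is, reported as partial coverage
Get-BoundaryRange -Scope $sampleScope -WholeSubnet   # widened to the full /24 host range

# Against the real export: warn about partial scopes, then create the boundaries
# (uncomment New-CMBoundary once the CM site drive is the current location)
$Boundaries = Import-Csv -Path "$PSScriptRoot\DhcpServerv4Scope.csv"
foreach ($Boundary in $Boundaries) {
    $range = Get-BoundaryRange -Scope $Boundary
    if (-not $range.FullCoverage) {
        Write-Warning ("Scope {0} ({1}) does not cover its whole subnet; statically addressed hosts may fall outside this boundary" -f $range.Name, $range.Value)
    }
    # New-CMBoundary -Name $range.Name -Type IPRange -Value $range.Value | Out-Null
}
```

Whether to widen a boundary to the whole subnet or keep it at the DHCP range is a design decision; the script only reports the gap unless -WholeSubnet is passed.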

Do not forget to leave a comment if you have any questions. Have a great Easter!


Win PE Peer caching in ConfigMgr Current Branch


There are so many reasons for migrating your environment to ConfigMgr CB (Current Branch), one of them being the new content management feature: Win PE Peer caching. To me it's important to understand what the feature brings to the table, and what it does not. Win PE Peer caching was introduced to save bandwidth by sharing content already present on your local network. Those who are familiar with the ConfigMgr ecosystem know that solutions supporting that have been around for years: OneSite from Adaptiva, Nomad from 1E and custom BranchCache from 2Pintsoftware. This blog post will describe where the 3rd party solutions differ from Win PE Peer cache, and also dig a little deeper into what happens behind the scenes when you configure Win PE Peer caching.

What are the 3rd party vendors bringing to the table?

3rd party vendors bring bandwidth control, content sharing and also the capability to turn a client operating system into a PXE host (thus allowing you to PXE boot without having a server on the subnet). This blog post will not go into the details of the different solutions or how they work. For a deep dive into how bandwidth is preserved, check out this blog post from my colleague: http://blog.coretech.dk/hra/a-story-on-using-nomad-branch-and-network-impact/

This table is my take on the differences between the Win PE Peer Cache solution and the 3rd party vendors.

                                      | Win PE Peer Cache                            | 3rd party solutions
--------------------------------------|----------------------------------------------|-----------------------------------------------------------------
Content sharing on same network       | Yes                                          | Yes
  Packages                            | Yes                                          | Yes
  OS Images                           | Yes                                          | Yes
  Driver packages                     | Yes                                          | Yes
  Applications                        | No                                           | Yes
  Software Updates                    | No                                           | Yes
Bandwidth control                     |                                              |
  Pre cache content                   | Yes (see this post for additional info)      | Yes
  Bandwidth control                   | Uses BITS                                    | Yes
Cache options                         |                                              |
  Uses ConfigMgr cache                | Yes                                          | Some vendors also have a unique vendor cache
Configuration                         |                                              |
  Works out of the box                | Yes                                          | No (a server component and client are required; 2PintSoftware uses existing technologies like BranchCache and BITS)
  Reduce the ConfigMgr infrastructure | Maybe* (not all content is supported)        | Yes (greatly reduces the infrastructure by eliminating the need for most distribution points and secondary sites)
  Fault tolerance if master is down   | No (uses standard DP failover policies)      | Yes, will automatically fail over to the next peer
  Only works in Win PE                | True (for other scenarios use BranchCache)   | Works in the full SCCM client and Win PE

Configure Win PE Peer Caching in ConfigMgr Current Branch

In a Win PE Peer caching environment, you will have a master (or multiple masters) and clients. In order to configure a master, you create custom client settings and deploy them to a collection:

  1. From the Administration workspace, select Client Settings and click Create Custom Device Setting on the ribbon.
    1. Name: WinPe Hosts
    2. Select the Windows PE Peer Cache setting.
    3. Configure Enable Configuration Manager Client in full OS to share content to Yes.
    4. Deploy the custom setting to a collection containing your future Win PE Peer Cache masters.
    5. You'll see the new configuration being applied on the Win PE Peer hosts by reading the cas.log file on the client. There you'll see information about checking the firewall, starting the SuperPeerController main thread, configuring the Server URL and finally information stating that the client is waiting for requests.

You configure client support by creating collection variables. In this example I'll be creating two variables on the All Workstations collection.

  1. Right-click the All Workstations collection, select Properties and Collection Variables.
  2. Create a new collection variable:
    1. Name: SMSTSPeerDownload (the variable instructs clients in the collection to use a local peer when downloading content)
    2. Do not display this value in the Configuration Manager console: Disable
    3. Value: True
  3. Create a new collection variable:
    1. Name: SMSTSPreserveContent (the variable instructs clients in the collection to preserve the content in the cache and use it for sharing)
    2. Do not display this value in the Configuration Manager console: Disable
    3. Value: True
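The two collection variables from the steps above can also be set from PowerShell. The script below is an added example (not part of the original post); it assumes the ConfigMgr console cmdlets New-, Get- and Set-CMDeviceCollectionVariable are loaded and that the site drive is already the current location, and it uses the collection name from the post.

```powershell
# Added example, not from the original post: make the two task sequence
# variables present on a collection idempotently, then read them back so the
# values can be confirmed before deploying. Assumes the ConfigMgr module is
# imported and the CM site drive (e.g. PS1:\) is the current location.

function Set-PeerCacheCollectionVariable {
    param(
        [Parameter(Mandatory)][string]$CollectionName,
        [Parameter(Mandatory)][string]$VariableName,
        [Parameter(Mandatory)][string]$Value
    )
    $existing = Get-CMDeviceCollectionVariable -CollectionName $CollectionName -VariableName $VariableName
    if ($null -eq $existing) {
        # Not masked: the value is not a secret, and a masked value cannot be
        # read back from the console when troubleshooting a failed download
        New-CMDeviceCollectionVariable -CollectionName $CollectionName `
            -VariableName $VariableName -Value $Value -IsMask $false | Out-Null
        return 'Created'
    }
    if ($existing.Value -ne $Value) {
        Set-CMDeviceCollectionVariable -CollectionName $CollectionName `
            -VariableName $VariableName -NewVariableValue $Value
        return 'Updated'
    }
    return 'Unchanged'
}

$collection = 'All Workstations'
$peerCacheVariables = @{
    SMSTSPeerDownload    = 'True'   # use a local peer when downloading content
    SMSTSPreserveContent = 'True'   # keep downloaded content in the cache for sharing
}

foreach ($name in $peerCacheVariables.Keys) {
    $result = Set-PeerCacheCollectionVariable -CollectionName $collection `
        -VariableName $name -Value $peerCacheVariables[$name]
    Write-Output ('{0,-22} {1}' -f $name, $result)
}

# Read back what the collection now carries for these two variables
Get-CMDeviceCollectionVariable -CollectionName $collection |
    Where-Object { $_.Name -in $peerCacheVariables.Keys } |
    Select-Object Name, Value, IsMasked
```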


How to prestage content

You can prestage content by using a new step in the task sequence. In the example below, I'll prestage my Windows 10 image, the ConfigMgr client package, USMT and Adobe Reader in the SCCM agent cache.

  4. Go to Software Library, Operating Systems, right-click Task Sequences and select Create Task Sequence.
    1. Select Create a new custom task sequence and click Next.
    2. On the Task Sequence Information page, type Pre-cache and finish the wizard.
  5. Right-click the newly created task sequence and select Edit.
    1. Click Add / Download Package Content.
    2. Select the packages you wish to download to the client cache. Consider adding the wim file, the Configuration Manager client and the other packages that are part of the task sequence.
    3. In Place into the following location, select Configuration Manager client cache and click OK.
    4. Deploy the task sequence to All Win PE Hosts (a good idea is to deploy the task sequence without showing the progress bar).
    5. After a successful deployment, the content will be in the client cache, but not installed on the client. You can monitor the process by reading the cas.log file on the client.

Requesting and downloading content

A content request is a broadcast that is picked up by all Win PE Peer hosts on the subnet. You can monitor the process on the host by reading the cas.log (using CMTrace, please). There you'll see the host searching for the package in WMI and returning a location to be used by the client.

When the client starts downloading content, you'll also notice the GET requests in the cas.log file.

You can monitor the process on the Win PE Peer client by reading the smsts.log file in Win PE. You'll notice some interesting things there: the log shows not only the number of hosts discovered, but also the priority of the hosts (Multicast first, then HTTP and SMB). In my example I have 2 Windows 10 HTTP Win PE Peer hosts. The log also clearly shows which file is being downloaded (the wim file) and gives you the full URL of the download location.

What happens when the package is changed, but the changes are not downloaded to the Win PE Peer host?

The Win PE Peer client always asks for a specific version of the content. When the Win PE Peer host receives the query, it queries WMI for the highest version of the package. If the package version does not match the version requested, the Win PE Peer cache host will not reply to the broadcast. Instead it goes back to waiting for requests. In the cas.log you can see the WMI query not returning the requested package version.

I hope this article gave you a little insight into how easy it is to configure Win PE Peer cache.

More information about the Win PE Peer cache and the 3rd party vendors:

Win PE Peer cache – https://technet.microsoft.com/en-us/library/mt613173.aspx#BKMK_PeerCacheObjects

Adaptiva OneSite – http://www.adaptiva.com/

1E Nomad – http://www.1e.com/

2PintSoftware – http://2pintsoftware.com/

Community Web page to help corporate users enroll their devices!


Guidance on how you can enroll your device and gain access to your corporate data and applications:

This web page is created by the community for the community to help corporate users efficiently enroll their devices into a Microsoft Enterprise Mobility solution. Businesses can use this web page as a how-to for their users and link it from their existing documentation.

The site covers:

  • Microsoft Windows 10 Devices
  • Apple iOS Devices
  • Google Android Devices

Visit the page by clicking here: www.enrollyourdevice.com

Also check out the Microsoft EMS Resources App https://www.microsoft.com/store/apps/9nblggh6j3fq and the YouTube page https://www.youtube.com/channel/UCbf6dOWcNhRgLHDEXJWqiNw for more information about Microsoft Enterprise Client Management, Enterprise Mobility and System Center Configuration Manager!


Do not forget to leave a comment if you have any questions!

Android OS version not on the requirement list


Managing mobile devices can be different from managing traditional computers for many reasons, one of them being the lack of control over the operating system versions on the devices. We simply don't control when Android and iOS devices are upgraded, and as such we don't control which version users are running. That can be a challenge when you are using requirement rules on your web applications (and other deployment types). In my environment we have a bunch of Android 6+ versions, and looking at the requirement rules for the web apps you'll see that the max. OS version supported is Android 5.x.

The trick is to select Android at the top instead of selecting each of the specific operating systems (Android 4.1 etc.). By selecting Android only, the specific OS version is ignored when evaluating the requirement rules. The same applies to iOS.

ConfigMgr Software Update scanning failed with OnScanComplete with error=0x80244017


Scanning, deploying and installing software updates should be a walk in the park, and most of the time it is. But (luckily) sometimes we run into issues that we haven't seen before, like in this case where clients stopped scanning for software updates in ConfigMgr 1602. What I have learned in my years working with ConfigMgr is that software update issues are often caused by an older version of the Windows Update agent, a configuration change on the WSUS server(s) or a change in the infrastructure. The challenge is to figure out which category your issue falls into. Normally, it's fairly easy to tell if it's one or the other: simply look at the client impact, and you have your answer.

Personally when troubleshooting, I always start by looking at the WSUSApp pool and these log files found on the ConfigMgr client:

  • scanagent.log and wuahandler.log – both are ConfigMgr log files and will often tell you when we are having issues. In my example scanagent.log and wuahandler.log were full of errors like:
    ScanJob({DA9C4596-5B82-4155-B223-D23A5B3436A7}): CScanJob::OnScanComplete -Scan Failed with Error=0x80244017
    ScanJob({DA9C4596-5B82-4155-B223-D23A5B3436A7}): CScanJobManager::OnScanComplete- failed at CScanJob::OnScanComplete with error=0x80244017

When searching for this error code on Google (and even Bing), you'll find several forum threads and blog posts stating that you might have a proxy issue. In my example we didn't have any proxy server, so I moved on and checked two other log files:

  • WindowsUpdate.log on the client and the IIS log files on my WSUS server.
    2016-04-20 13:17:44:532 276 3208 PT + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://wsus01.viaMonstra.com:8530/ClientWebService/client.asmx
    2016-04-20 13:17:44:547 276 3208 WS WARNING: Nws Failure: errorCode=0x803d0005
    2016-04-20 13:17:44:547 276 3208 WS WARNING: There was an error communicating with the endpoint at 'http://wsus01.viamonstra.com:8530/ClientWebService/client.asmx'.
    2016-04-20 13:17:44:547 276 3208 WS WARNING: The server returned HTTP status code '403 (0x193)' with text 'Forbidden'.

The interesting part of this snippet is the line "The server returned HTTP status code '403'": my client is clearly communicating with the server, but the server isn't happy. The next step is to figure out why the server is refusing to talk to my clients. The best way to see that is by looking at the IIS log files on your WSUS server.

  • IIS log files on my WSUS server.
    2016-04-20 12:34:11 10.1.4.108 POST /SimpleAuthWebService/SimpleAuth.asmx - 8530 - 172.144.187.168 Windows-Update-Agent - 403 4 5 218
    2016-04-20 12:34:11 10.1.4.108 POST /ClientWebService/client.asmx - 8530 - 172.1.154.18 Windows-Update-Agent - 403 4 5 1965

Again, pay attention to this part: Windows-Update-Agent - 403 4. IIS status 403 with substatus 4 (403.4) means SSL required.

By looking at these 4 log files, here is what we know so far: clients are trying to communicate with the WSUS server, but are refused by IIS because they aren't using SSL. This makes fixing the problem super easy; only one question is left to answer: are we supposed to use SSL or not? In this example, we were not supposed to use SSL.

A quick check in IIS revealed that the SSL settings were configured to Require SSL.

After disabling Require SSL and recycling the WSUSApp pool, clients started to successfully communicate with IIS and perform software update scans again.

2016-04-20 17:40:42 ::1 POST /ApiRemoting30/WebService.asmx - 8530 viamonstra\sccm01$ ::1 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.34209) - 200 0 0 0

2016-04-20 17:40:42 10.1.4.108 POST /ReportingWebService/ReportingWebService.asmx - 8530 - 172.38.20.199 Windows-Update-Agent - 200 0 0 0

Notice the IIS return code is 200 – and we all love 200 :-)
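The same 403.4 pattern can be pulled out of the IIS logs without reading them line by line. The script below is an added example, not part of the original post: it parses W3C log lines in the default field order used by the lines quoted above (check your own #Fields: header if it differs), summarises Windows Update Agent requests by status.substatus, and reads back the Require SSL flag of the WSUS web applications on the server side. The sample lines are constructed from the ones quoted in this post; 'WSUS Administration' is assumed to be the IIS site name.

```powershell
# Added example, not from the original post: summarise Windows Update Agent
# requests in an IIS W3C log by HTTP status.substatus, so a 403.4 ("SSL
# required") pattern shows up as one row. Sample lines are constructed from
# the ones quoted in this post; field indexes follow the default W3C layout.

$sampleLog = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2016-04-20 12:34:11 10.1.4.108 POST /SimpleAuthWebService/SimpleAuth.asmx - 8530 - 172.144.187.168 Windows-Update-Agent - 403 4 5 218
2016-04-20 12:34:11 10.1.4.108 POST /ClientWebService/client.asmx - 8530 - 172.1.154.18 Windows-Update-Agent - 403 4 5 1965
2016-04-20 17:40:42 10.1.4.108 POST /ReportingWebService/ReportingWebService.asmx - 8530 - 172.38.20.199 Windows-Update-Agent - 200 0 0 0
'@

# IIS status/substatus meanings relevant to this post
$knownStatus = @{
    '403.4' = 'SSL required: client spoke plain HTTP to an application that has Require SSL set'
    '200.0' = 'OK'
}

function ConvertFrom-IisLogLine {
    param([Parameter(Mandatory)][string]$Line)
    if ($Line.StartsWith('#')) { return $null }     # #Software/#Fields/#Date directives
    $f = $Line -split ' '
    if ($f.Count -lt 15) { return $null }            # truncated or non-W3C line
    [pscustomobject]@{
        Time      = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $null)
        Method    = $f[3]
        Uri       = $f[4]
        Port      = [int]$f[6]
        ClientIp  = $f[8]
        UserAgent = $f[9]
        Status    = [int]$f[11]
        Substatus = [int]$f[12]
        Win32     = [int]$f[13]
    }
}

function Get-WsusClientStatusSummary {
    # One row per status.substatus for Windows Update Agent requests
    param([Parameter(Mandatory)][string[]]$Lines)
    $Lines |
        ForEach-Object { ConvertFrom-IisLogLine -Line $_ } |
        Where-Object { $_ -and $_.UserAgent -eq 'Windows-Update-Agent' } |
        Group-Object { '{0}.{1}' -f $_.Status, $_.Substatus } |
        ForEach-Object {
            $code = $_.Name
            $meaning = if ($knownStatus.ContainsKey($code)) { $knownStatus[$code] } else { 'look up the substatus in the IIS documentation' }
            [pscustomobject]@{
                StatusCode = $code
                Requests   = $_.Count
                Clients    = @($_.Group.ClientIp | Sort-Object -Unique).Count
                Endpoints  = (@($_.Group.Uri | Sort-Object -Unique) -join ', ')
                Meaning    = $meaning
            }
        }
}

Get-WsusClientStatusSummary -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize

# Server side: read the Require SSL flag of the two WSUS web applications that
# the 403.4 requests above hit. Needs the WebAdministration module and runs on
# the WSUS server; 'WSUS Administration' is the assumed IIS site name.
function Get-WsusSslFlags {
    param([string]$SiteName = 'WSUS Administration')
    Import-Module WebAdministration
    foreach ($app in 'SimpleAuthWebService', 'ClientWebService') {
        $access = Get-WebConfiguration -Filter 'system.webServer/security/access' -PSPath "IIS:\Sites\$SiteName\$app"
        [pscustomobject]@{ Application = $app; SslFlags = [string]$access.sslFlags }
    }
}
```

A 403.4 row in the summary together with SslFlags containing Ssl confirms the client/server disagreement on SSL that this post describes; which side to change depends on whether your clients are configured for HTTPS.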

Conditional access with ConfigMgr+Intune and On-Premises Exchange


Conditional Access, in either a Cloud-only or a Hybrid scenario, is a great way to control data: we do not allow you to access corporate email without enrolling the device in a corporate MDM solution where data protection policies will be applied. This is in my opinion the best compromise: we let the user be productive by giving them the ability to access corporate data on any device, anywhere, while we at the same time have control over the device, enforcing security and compliance policies, encrypting data, deploying (LoB) apps and, last but not least, having asset control and reporting!

Now, Conditional Access works just the way it sounds: if certain conditions are true, then you gain access! Take a look at the following flowchart; when accessing email, for instance, some processes start behind the curtains checking and verifying that the conditions you as the IT Pro have set are met.

Advanced conditional access flow

From Microsoft TechNet: https://technet.microsoft.com/en-us/library/dn919655.aspx

For now, these are the services that support Conditional Access. However, keep in mind that it may vary a bit depending if you are running a Cloud-only solution with Microsoft Intune or a Hybrid solution with Microsoft Intune and ConfigMgr together.

  • Microsoft Exchange On-premises
  • Microsoft Exchange Online
  • Exchange Online Dedicated
  • SharePoint Online
  • Skype for Business Online

I suggest to read more about Conditional access here before you read further:

Now, in this blog we will focus on a Hybrid scenario where we have Microsoft Exchange On-Premises as the email service and ConfigMgr + Intune as the MDM solution. If you have Office 365, everything is done in the Intune portal even if you use ConfigMgr + Intune as the MDM solution. But since we have Exchange On-Premises, everything is done in ConfigMgr.

First off, we need to establish a connection between ConfigMgr and Exchange; I assume you already have a Microsoft Intune subscription tied to your ConfigMgr site through the Service Connection Point. Why establish a connection between ConfigMgr and Exchange, you might ask? The reason is that ConfigMgr needs the ability to manage devices through Exchange in order to restrict or approve access to email with Conditional Access.

These are the requirements (from Microsoft TechNet https://technet.microsoft.com/en-us/library/dn919655.aspx)

Conditional access to Exchange On-premises supports:

  • Windows 8 and later (when enrolled with Intune)

  • Windows Phone 8 and later

  • Native email app on iOS

  • Native email app on Android 4 or later

  • Microsoft Outlook app on Android and iOS is not supported.

Additionally:

  • Your Exchange version must be Exchange 2010 or later. Exchange server Client Access Server (CAS) array is supported.

    If your Exchange environment is in a CAS server configuration, then you must configure the on-premises Exchange connector to point to one of the CAS servers.

  • You must use the Exchange Server connector which connects Configuration Manager to Microsoft Exchange On-premises. This lets you manage mobile devices and enables conditional access (see How to Manage Mobile Devices by Using Configuration Manager and Exchange).

    • Make sure that you are using the latest version of the on-premises Exchange connector. The on-premises Exchange connector should be configured through the Configuration Manager console. For a detailed walkthrough, see How to Manage Mobile Devices by Using Configuration Manager and Exchange.

    • The connector must be configured only on the System Center Configuration Manager Primary Site.

    • This connector supports an Exchange CAS environment. When configuring the connector, you must set it so it talks to one of the Exchange CAS servers.

  • Exchange ActiveSync can be configured with certificate based authentication, or user credential entry

 

To establish a connection to Exchange open up your ConfigMgr Console and go to Hierarchy Configuration –> Exchange Server Connectors and Click Add Exchange Server. For rest of the steps follow this guide on TechNet: https://technet.microsoft.com/en-us/library/gg682001.aspx

  • Monitor EADIS.log to verify that all is good. The log file is located here: \Microsoft Configuration Manager\Logs

Next we need to create two collections. The first collection will be a user collection for targeted users and the other will be for exempted users. These will be based on two groups in Active Directory. Below is a list of the collections and groups plus two simple PowerShell scripts to create them. Why do we need this, you may ask? The reason is simple: there may be a situation where there is a user you do not want to apply this policy to, and when first implementing Conditional Access it is always smart to start small and slowly but steadily apply the policy to your users by moving them into the Targeted group.

Active Directory Groups:

  • G-SC-CM-ConAcc-AllTargetedUsers
  • G-SC-CM-ConAcc-AllExemptedUsers

Run the following script on a Domain Controller in your domain to create the groups (You need to change the variables in the script):

<#
    .NOTES
    ===========================================================================
    Created on:    24.04.2016
    Created by:    Marius A. Skovli
    Organization:  Coretech
    Filename:      CreateADGroups.ps1
    ===========================================================================
    .DESCRIPTION
    Create Conditional Access Groups in Active Directory for use in System Center Configuration Manager
#>

Import-Module ActiveDirectory

######--------------------------
# Prep variables (change these to match your domain)
######--------------------------
$domain = "redd0g"
$DC = "com"
$OU1 = "SCTemp"
$DomainController = "redd0g-dc01"
$TargetedGroup = "G-SC-CM-ConAcc-AllTargetedUsers"
$ExemptedGroup = "G-SC-CM-ConAcc-AllExemptedUsers"

######--------------------------
# Create OU (all writes go to the same DC so the OU exists when the groups are created)
######--------------------------
New-ADOrganizationalUnit -Name $OU1 -Path "DC=$domain,DC=$DC" -Server $DomainController

######--------------------------
# Create Groups
######--------------------------
New-ADGroup `
    -Path "OU=$OU1,DC=$domain,DC=$DC" `
    -Name $TargetedGroup `
    -GroupCategory Security `
    -Description "SCCM Conditional Access All Targeted Users" `
    -GroupScope Global `
    -Server $DomainController

New-ADGroup `
    -Path "OU=$OU1,DC=$domain,DC=$DC" `
    -Name $ExemptedGroup `
    -GroupCategory Security `
    -Description "SCCM Conditional Access All Exempted Users" `
    -GroupScope Global `
    -Server $DomainController

ConfigMgr Collections:

  • Conditional Access: All Targeted Users
  • Conditional Access: All Exempted Users

Run the following script on your ConfigMgr Server in order to create the collections:

<#
    .NOTES
    ===========================================================================
    Created on:    24.04.2016
    Created by:    Marius A. Skovli
    Organization:  Coretech
    Filename:      CreateCACollections.ps1
    ===========================================================================
    .DESCRIPTION
    Create Conditional Access Collections in System Center Configuration Manager
    This will create the following: Collections, Folders, Query and Schedule for Membership Update.
#>

#----
# Import the ConfigMgr module and connect to the site drive
#----
Import-Module $env:SMS_ADMIN_UI_PATH.Replace("\bin\i386","\bin\configurationmanager.psd1")
$SiteCode = Get-PSDrive -PSProvider CMSITE
Set-Location "$($SiteCode.Name):\"

#----
# Create folder (under the site drive found above, not a hardcoded site code)
#----
New-Item -Path "$($SiteCode.Name):\UserCollection" -Name 'Conditional Access'

#----
# Collection refresh schedule
#----
$Schedule = New-CMSchedule -RecurCount 7 -RecurInterval Days

#----
# User collections with query membership rules.
# These are user collections, so the rules are added with the user collection
# cmdlet (Add-CMUserCollectionQueryMembershipRule); the device collection cmdlet
# cannot find a user collection by name.
# Note: LIKE with % on both sides also matches any group whose name merely
# contains this text; use the exact DOMAIN\Group value with = if such groups
# exist, since membership of the Exempted collection bypasses the policy.
#----
$Collection1 = New-CMUserCollection -LimitingCollectionName "All Users" `
    -Name "Conditional Access: All Targeted Users" `
    -Comment "Users who are targeted for Conditional Access" `
    -RefreshType Both -RefreshSchedule $Schedule

Add-CMUserCollectionQueryMembershipRule `
    -CollectionName "Conditional Access: All Targeted Users" `
    -QueryExpression 'select * from SMS_R_User where SMS_R_User.UserGroupName like "%G-SC-CM-ConAcc-AllTargetedUsers%"' `
    -RuleName G-SC-CM-ConAcc-AllTargetedUsers

$Collection2 = New-CMUserCollection -LimitingCollectionName "All Users" `
    -Name "Conditional Access: All Exempted Users" `
    -Comment "Users who are exempted from Conditional Access" `
    -RefreshType Both -RefreshSchedule $Schedule

Add-CMUserCollectionQueryMembershipRule `
    -CollectionName "Conditional Access: All Exempted Users" `
    -QueryExpression 'select * from SMS_R_User where SMS_R_User.UserGroupName like "%G-SC-CM-ConAcc-AllExemptedUsers%"' `
    -RuleName G-SC-CM-ConAcc-AllExemptedUsers

#----
# Move collections to the Conditional Access folder
#----
Move-CMObject `
    -FolderPath '.\UserCollection\Conditional Access' `
    -InputObject $Collection1

Move-CMObject `
    -FolderPath '.\UserCollection\Conditional Access' `
    -InputObject $Collection2

Next go to Assets and Compliance, locate Conditional Access and go to On-Premises Exchange. Right-click and choose "Configure Conditional Access Policy".

Click Next on the first page.

Specify the Targeted Collection: Conditional Access: All Targeted Users

Specify the Exempted Collection: Conditional Access: All Exempted Users

If you want, you can edit the text the user is presented with when they try to access email on their device and the conditions are not met (for example when the device is missing in the Intune Management Portal).

Click Next, and then Close. You can now see that a Conditional Access Policy has been created. If you want to change it, just right-click and click Properties.

That's it. You now have Conditional Access enabled for your On-Premises Exchange solution.

Do not forget to leave a comment if you have any questions!

ConfigMgr 1604 new cmdlets


Microsoft released a new set of cmdlets for Configuration Manager, and all these new cmdlets are also included in the ConfigMgr 1605 TP release.

Here are all the new cmdlets:

Cmdlet                                               Category              Notes
Get-CMWindowsServicingPlan                           Software Updates      Windows 10 Servicing
New-CMWindowsServicingPlan                           Software Updates      Windows 10 Servicing
Add-CMServiceConnectionPoint                         Infrastructure
Set-CMServiceConnectionPoint                         Infrastructure
Remove-CMServiceConnectionPoint                      Infrastructure
Get-CMServiceConnectionPoint                         Infrastructure
Remove-CMCertificateRegistrationPoint                Infrastructure
Set-CMCertificateRegistrationPoint                   Infrastructure
Add-CMCertificateRegistrationPoint                   Infrastructure
Get-CMCertificateRegistrationPoint                   Infrastructure
Invoke-CMDeviceAction                                Resource Management
Get-CMDeviceActionState                              Resource Management
Add-CMIntuneSubscription                             MDM / Hybrid
Set-CMIntuneSubscription                             MDM / Hybrid
Get-CMIntuneSubscription                             MDM / Hybrid
Remove-CMIntuneSubscription                          MDM / Hybrid
Add-CMMdmEnrollmentManager                           MDM / Hybrid
Remove-CMMdmEnrollmentManager                        MDM / Hybrid
Get-CMMdmEnrollmentManager                           MDM / Hybrid
New-CMApnsCertificateRequest                         MDM / Hybrid
New-CMDepTokenRequest                                MDM / Hybrid
Set-CMIntuneSubscriptionAndroidProperty              MDM / Hybrid
Set-CMIntuneSubscriptionAppleDepProperty             MDM / Hybrid
Set-CMIntuneSubscriptionAppleProperty                MDM / Hybrid
Set-CMIntuneSubscriptionWindowsPhoneProperty         MDM / Hybrid
Set-CMIntuneSubscriptionWindowsProperty              MDM / Hybrid
Set-CMIntuneSubscriptionPassportForWorkProperty      MDM / Hybrid
New-CMWindowsEnrollmentProfile                       Resource Profiles     Windows 10
Set-CMWindowsEnrollmentProfile                       Resource Profiles     Windows 10
Remove-CMWindowsEnrollmentProfile                    Resource Profiles     Windows 10
Remove-CMWindowsEnrollmentProfilePackage             Resource Profiles     Windows 10
Export-CMWindowsEnrollmentProfile                    Resource Profiles     Windows 10
Get-CMWindowsEnrollmentProfile                       Resource Profiles     Windows 10
Get-CMWindowsEnrollmentProfilePackage                Resource Profiles     Windows 10
Get-CMWirelessProfileConfigurationItem               Resource Profiles     Windows 10
Import-CMWirelessProfileConfigurationItem            Resource Profiles     Windows 10
New-CMConditionalAccessPolicy                        Conditional Access
Get-CMConditionalAccessPolicy                        Conditional Access
Set-CMConditionalAccessPolicy                        Conditional Access
Remove-CMConditionalAccessPolicy                     Conditional Access
New-CMEmailProfile                                   Resource Profiles     email
Set-CMEmailProfile                                   Resource Profiles     email
Get-CMEmailProfile                                   Resource Profiles     email
Get-CMClientCertificatePfx                           Resource Profiles     certificates
New-CMCertificateProfileScep                         Resource Profiles     certificates
New-CMCertificateProfileTrustedRootCA                Resource Profiles     certificates
New-CMCertificateProfilePfx                          Resource Profiles     certificates
Remove-CMClientCertificatePfx                        Resource Profiles     certificates
Import-CMClientCertificatePfx                        Resource Profiles     certificates
Set-CMCertificateProfilePfx                          Resource Profiles     certificates
Set-CMCertificateProfileScep                         Resource Profiles     certificates
Set-CMCertificateProfileTrustedRootCA                Resource Profiles     certificates
Get-CMCertificateProfilePfx                          Resource Profiles     certificates
Get-CMCertificateProfileScep                         Resource Profiles     certificates
Get-CMCertificateProfileTrustedRootCA                Resource Profiles     certificates
Add-CMCollectionToAdministrativeUser                 Collections
Remove-CMCollectionFromAdministrativeUser            Collections
New-CMPowerManagementCustomPlan                      Collections
Set-CMCollectionPowerManagement                      Collections
Get-CMCollectionMember                               Collections
Get-CMCollectionSetting                              Collections
Get-CMPowerManagementSchema                          Collections
Export-CMQuery                                       Queries
Import-CMQuery                                       Queries
Get-CMResource                                       Resource Management
Remove-CMResource                                    Resource Management
Invoke-CMWmiMethod                                   WMI
Invoke-CMWmiQuery                                    WMI
Set-CMSettingDefinition                              N/A
New-CMPrestagedMedia                                 OSD
New-CMStandaloneMedia                                OSD
New-CMBootableMedia                                  OSD
New-CMCaptureMedia                                   OSD
Get-CMAutoDeploymentRuleDeployment                   Software Updates
New-CMAutoDeploymentRuleDeployment                   Software Updates
Remove-CMAutoDeploymentRuleDeployment                Software Updates
Set-CMAutoDeploymentRuleDeployment                   Software Updates
Get-CMRemoteConnectionProfileConfigurationItem       N/A
Get-CMTermsAndConditionsConfigurationItem            N/A
Get-CMUserDataAndProfileConfigurationItem            N/A
Get-CMVpnProfileConfigurationItem                    N/A
Get-CMWindowsEditionUpgradeConfigurationItem         N/A
Get-CMWindowsFirewallPolicy                          N/A
Get-CMSupportedPlatform                              N/A
Get-CMClientAuthCertificateProfileConfigurationItem  N/A

 

Have fun!

Creating ConfigMgr Servicing Plans with PowerShell


Last week we got a new set of cmdlets for Configuration Manager, and now we have the ability to create Servicing Plans with PowerShell. I put together an end-to-end example, and with this script you can:

  1. Create a folder called Software Updates (you can't move Device Collections into a folder because Move-CMObject is broken in the latest release)
  2. Create 5 Device Collections
  3. Create Software Updates Deployment Package
  4. Download the necessary upgrade package
  5. Distribute the package to a Distribution Point
  6. Create 5 different Servicing Plans

 

############ WINDOWS 10 SERVICING ###############################
#
#   Get-CMWindowsServicingPlan
#   New-CMWindowsServicingPlan
#
# These cmdlets require Configuration Manager 1511 or newer (1604 cmdlet release).
# Run from the ConfigMgr site drive (CTP: in this lab), for example:
#   Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
#   Set-Location CTP:

$DeploymentPackageName = 'Windows 10 1511 Education'

# Console folder for the servicing collections
New-Item -Path CTP:\DeviceCollection -Name 'Software Updates'

New-CMCollection -Name 'SUM - RING1' -CollectionType Device -LimitingCollectionName 'All Systems'
New-CMCollection -Name 'SUM - RING2' -CollectionType Device -LimitingCollectionName 'All Systems'
New-CMCollection -Name 'SUM - RING3' -CollectionType Device -LimitingCollectionName 'All Systems'
New-CMCollection -Name 'SUM - RING4' -CollectionType Device -LimitingCollectionName 'All Systems'
New-CMCollection -Name 'SUM - RING5' -CollectionType Device -LimitingCollectionName 'All Systems'

### Move-CMObject is broken in this release, so the collections stay in the root for now

New-CMSoftwareUpdateDeploymentPackage `
    -Name $DeploymentPackageName `
    -Path "\\CMTP\Sources\Updates\$DeploymentPackageName"

$DeploymentPackage = Get-CMSoftwareUpdateDeploymentPackage `
    -Name $DeploymentPackageName

# -Fast skips the lazy properties; the update object is only needed as a reference
$UpgradePackage = Get-CMWindowsUpdate `
    -Name 'Upgrade to Windows 10 Education, version 1511, 10586 - en-us, Volume' `
    -Fast

Save-CMSoftwareUpdate `
    -SoftwareUpdate $UpgradePackage `
    -DeploymentPackageName $DeploymentPackageName `
    -Verbose

# -DeploymentPackage takes the package object, not its name
Start-CMContentDistribution `
    -DeploymentPackage $DeploymentPackage `
    -DistributionPointName 'CMTP.corp.viamonstra.com'

New-CMWindowsServicingPlan `
    -Name 'SUM - RING1' `
    -CollectionName 'SUM - RING1' `
    -EnabledAfterCreate $True `
    -Language English `
    -VerboseLevel AllMessages `
    -SendWakeupPacket $True `
    -RunType RunTheRuleAfterAnySoftwareUpdatePointSynchronization `
    -DeploymentRing CB `
    -DeploymentPackage $DeploymentPackage `
    -UpdateDeploymentWaitDay 10

New-CMWindowsServicingPlan `
    -Name 'SUM - RING2' `
    -CollectionName 'SUM - RING2' `
    -EnabledAfterCreate $True `
    -Language English `
    -VerboseLevel AllMessages `
    -SendWakeupPacket $True `
    -RunType RunTheRuleAfterAnySoftwareUpdatePointSynchronization `
    -DeploymentRing CB `
    -DeploymentPackage $DeploymentPackage `
    -UpdateDeploymentWaitDay 15

New-CMWindowsServicingPlan `
    -Name 'SUM - RING3' `
    -CollectionName 'SUM - RING3' `
    -EnabledAfterCreate $True `
    -Language English `
    -VerboseLevel AllMessages `
    -SendWakeupPacket $True `
    -RunType RunTheRuleAfterAnySoftwareUpdatePointSynchronization `
    -DeploymentRing CBB `
    -DeploymentPackage $DeploymentPackage `
    -UpdateDeploymentWaitDay 50

New-CMWindowsServicingPlan `
    -Name 'SUM - RING4' `
    -CollectionName 'SUM - RING4' `
    -EnabledAfterCreate $True `
    -Language English `
    -VerboseLevel AllMessages `
    -SendWakeupPacket $True `
    -RunType RunTheRuleAfterAnySoftwareUpdatePointSynchronization `
    -DeploymentRing CBB `
    -DeploymentPackage $DeploymentPackage `
    -UpdateDeploymentWaitDay 75

New-CMWindowsServicingPlan `
    -Name 'SUM - RING5' `
    -CollectionName 'SUM - RING5' `
    -EnabledAfterCreate $True `
    -Language English `
    -VerboseLevel AllMessages `
    -SendWakeupPacket $True `
    -RunType RunTheRuleAfterAnySoftwareUpdatePointSynchronization `
    -DeploymentRing CBB `
    -DeploymentPackage $DeploymentPackage `
    -UpdateDeploymentWaitDay 100

 

Have fun!

Download the script: New-CMServicingPlan (zip)


ConfigMgr Move-CMObject issue and one possible workaround


If you have been following me on Twitter, then most likely you already know that the Move-CMObject cmdlet is broken in the 1604 release.

Here is one quick example that shows the error message.

Microsoft already knows about this issue and hopefully they can fix it quickly, but meanwhile we need a workaround or another way to do the same thing:

1. Uninstall 1604 cmdlets and go back to older version

2. Replace Move-CMObject with your own custom function – http://cm12sdk.net/?p=1006

3. NEW! Use Invoke-CMWmiMethod

 

In this blog post I will show one example of how to use the Invoke-CMWmiMethod cmdlet. In this example I'm going to move the SUM - RING1 Device Collection to the Software Updates folder.

 

$Collection   = Get-CMCollection -Name 'SUM - RING1' -CollectionType Device
$TargetFolder = Get-Item 'CTP:\DeviceCollection\Software Updates'

$Parameters = @{
    ContainerNodeID       = 0                            # source node: the collection currently sits in the root
    InstanceKeys          = @($Collection.CollectionID)
    ObjectType            = $TargetFolder.ObjectType     # 5000 = device collection, same value as the folder
    TargetContainerNodeID = $TargetFolder.ContainerNodeID
}

Invoke-CMWmiMethod `
    -ClassName SMS_ObjectContainerItem `
    -MethodName MoveMembers `
    -Parameter $Parameters

 

After the code execution my Device Collection ended up in the Software Updates folder.
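The snippet above hard-codes ContainerNodeID = 0, which is only right while the collection still sits in the root. The MoveMembers method silently fails (or moves nothing) when the source node is wrong, so a reusable version should look up where the collection currently lives. The following is an added example, not code from the original post; it assumes the ConfigMgr cmdlets are loaded, the site drive is CTP:, and that the SMS_ObjectContainerItem row for the collection is absent when the collection is in the root.

```powershell
# Added example: move a device collection into a console folder with Invoke-CMWmiMethod,
# resolving the current (source) container from SMS_ObjectContainerItem instead of assuming root.
# Assumptions: ConfigurationManager module loaded and current location is the site drive CTP:.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'CTP:'

function Move-CMDeviceCollectionToFolder {
    param(
        [Parameter(Mandatory)][string]$CollectionName,
        [Parameter(Mandatory)][string]$FolderPath   # e.g. 'CTP:\DeviceCollection\Software Updates'
    )

    $collection = Get-CMCollection -Name $CollectionName -CollectionType Device
    if (-not $collection) { throw "Collection '$CollectionName' not found" }

    # The provider folder object carries ObjectType (5000 = device collection) and ContainerNodeID
    $target = Get-Item -Path $FolderPath -ErrorAction Stop
    $objectType = $target.ObjectType

    # Where does the collection live today? No SMS_ObjectContainerItem row means it is in the root (0).
    $query = "SELECT ContainerNodeID FROM SMS_ObjectContainerItem " +
             "WHERE InstanceKey='$($collection.CollectionID)' AND ObjectType=$objectType"
    $current = @(Invoke-CMWmiQuery -Query $query)
    $sourceNodeId = if ($current.Count -gt 0) { [int]$current[0].ContainerNodeID } else { 0 }

    if ($sourceNodeId -eq [int]$target.ContainerNodeID) {
        Write-Verbose "'$CollectionName' is already in '$FolderPath'"
        return
    }

    $parameters = @{
        ContainerNodeID       = $sourceNodeId
        InstanceKeys          = @($collection.CollectionID)
        ObjectType            = $objectType
        TargetContainerNodeID = $target.ContainerNodeID
    }
    Write-Verbose "Moving $($collection.CollectionID) from node $sourceNodeId to node $($target.ContainerNodeID)"
    Invoke-CMWmiMethod -ClassName SMS_ObjectContainerItem -MethodName MoveMembers -Parameter $parameters
}

# Usage: moves the collection regardless of which folder it currently sits in
Move-CMDeviceCollectionToFolder -CollectionName 'SUM - RING2' `
    -FolderPath 'CTP:\DeviceCollection\Software Updates' -Verbose
```

The same function works for user collections (ObjectType 5001) because the ObjectType is read from the target folder rather than hard-coded; the only requirement is that the folder and the collection are of the same kind.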


 

Have fun!

ConfigMgr cmdlets and Lazy properties


If you have worked with Configuration Manager before, then most probably you know that some of the WMI classes contain lazy properties. By default the Microsoft cmdlets for ConfigMgr also retrieve these lazy properties, for example:


If you query the same Device Collection directly through WMI, then you don't see the RefreshSchedule property value.


If you need to query lazy properties through WMI, then you can use the .Get() method on the instance or the [wmi] type accelerator.

Starting from the 1604 cmdlets we have a new parameter called -Fast. -Fast allows us to skip the lazy properties, which should make the queries much faster and should also lower the network impact.

If you don't need the lazy property values and want to lower the query impact, then use the -Fast parameter:

$Update = 'Windows 7 and 8.1 upgrade to Windows 10 Enterprise, version 1511, 10586 - en-us, Volume'

# Execute the command without the -Fast parameter
# The lazy SDMPackageXML property contains data
Get-CMWindowsUpdate -Name $Update

# Execute the command with the -Fast parameter
# SDMPackageXML property is empty, the lazy properties were skipped
Get-CMWindowsUpdate -Name $Update -Fast
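To see the lazy-property behaviour from both sides, here is an added example (not from the original post) that fetches the same device collection through the cmdlet and through raw WMI, then uses .Get() and the [wmi] accelerator to pull the lazy RefreshSchedule property, and finally times a software-update query with and without -Fast. It assumes site server CMTP, site code CTP, a collection named 'SUM - RING1', and that the session is already on the CTP: site drive.

```powershell
# Added example: lazy properties via cmdlet, raw WMI, .Get() and [wmi]; cost of -Fast.
# Assumptions: site server CMTP, site code CTP, current location is the CTP: site drive.
$SiteServer = 'CMTP'
$SiteCode   = 'CTP'
$Name       = 'SUM - RING1'

# 1. Cmdlet: lazy properties such as RefreshSchedule are populated
$viaCmdlet = Get-CMCollection -Name $Name -CollectionType Device
"Cmdlet        RefreshSchedule entries : $(@($viaCmdlet.RefreshSchedule).Count)"

# 2. Raw WMI enumeration: lazy properties come back empty (0 entries)
$viaWmi = Get-WmiObject -ComputerName $SiteServer -Namespace "root\SMS\site_$SiteCode" `
            -Class SMS_Collection -Filter "Name='$Name' AND CollectionType=2"
"WMI (enum)    RefreshSchedule entries : $(@($viaWmi.RefreshSchedule).Count)"

# 3. .Get() re-reads the single instance, lazy properties included
$viaWmi.Get()
"WMI (.Get)    RefreshSchedule entries : $(@($viaWmi.RefreshSchedule).Count)"

# 4. The [wmi] accelerator does the same by instance path
$full = [wmi]$viaWmi.__PATH
"WMI ([wmi])   RefreshSchedule entries : $(@($full.RefreshSchedule).Count)"

# 5. What -Fast buys you on a class with a large lazy property (SDMPackageXML)
$Update = 'Windows 7 and 8.1 upgrade to Windows 10 Enterprise, version 1511, 10586 - en-us, Volume'
$slow = Measure-Command { $null = Get-CMWindowsUpdate -Name $Update }
$fast = Measure-Command { $null = Get-CMWindowsUpdate -Name $Update -Fast }
"Without -Fast: {0:N2}s   With -Fast: {1:N2}s" -f $slow.TotalSeconds, $fast.TotalSeconds
```

Step 2 is the trap when you script against WMI directly: the enumeration returns the object, the property exists, and it is simply empty, so a script that reads RefreshSchedule from an enumerated instance will silently work with no data. The cmdlets hide this by fetching the full instance for every object, which is exactly the cost -Fast lets you opt out of.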

 

 

Here are the cmdlets that support the -Fast parameter:

  • Get-CMCertificateProfilePfx
  • Get-CMCertificateProfileScep
  • Get-CMCertificateProfileTrustedRootCA
  • Get-CMClientAuthCertificateProfileConfigurationItem
  • Get-CMEmailProfile
  • Get-CMRemoteConnectionProfileConfigurationItem
  • Get-CMTermsAndConditionsConfigurationItem
  • Get-CMUserDataAndProfileConfigurationItem
  • Get-CMVpnProfileConfigurationItem
  • Get-CMWindowsEditionUpgradeConfigurationItem
  • Get-CMWindowsFirewallPolicy
  • Get-CMWindowsServicingPlan
  • Get-CMWindowsUpdate
  • Get-CMWirelessProfileConfigurationItem
  • Get-CMApplication
  • Get-CMCertificate
  • Get-CMConfigurationPolicy
  • Get-CMResource
  • Get-CMSoftwareUpdate
  • Get-CMSoftwareUpdateAutoDeploymentRule
  • Get-CMSoftwareUpdateCategory
  • Get-CMSupportedPlatform
  • New-CMSoftwareUpdateDeploymentPackage

 

Create ConfigMgr Servicing Plans with Excel and PowerShell


Last week I posted an example of how to create ConfigMgr Servicing Plans with PowerShell. In this post I will show you how to create Servicing Plans from a table maintained in Excel.

Step 1 is to create a table like this:


Once you have a table with the necessary information (add more columns if you need them), save it as a CSV file and import the data into PowerShell.

Here is a quick and simple example of how to create these Servicing Plans from a CSV file and, if needed, create the Device Collections as well. This example assumes that the Software Updates Deployment Package already exists.

 

$ServicingPlans = Import-Csv C:\Scripts\Windows10ServicingPlans.csv -Delimiter ';'

$DeploymentPackage = Get-CMSoftwareUpdateDeploymentPackage -Name 'Windows 10 1511 CB'

foreach ($Plan in $ServicingPlans) {

    <#
        # Uncomment to create the target collection as part of the run
        New-CMCollection `
            -Name $Plan.Name `
            -CollectionType Device `
            -LimitingCollectionName 'All Systems'
    #>

    New-CMWindowsServicingPlan `
        -Name $Plan.Name `
        -CollectionName $Plan.Collection `
        -EnabledAfterCreate $True `
        -Language $Plan.Language `
        -VerboseLevel AllMessages `
        -SendWakeupPacket $True `
        -RunType RunTheRuleAfterAnySoftwareUpdatePointSynchronization `
        -DeploymentRing $Plan.Branch `
        -DeploymentPackage $DeploymentPackage `
        -UpdateDeploymentWaitDay $Plan.DaysToWait
}
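A CSV edited by hand is exactly the kind of input that arrives with a typo in the Branch column, a blank collection name, or a plan name that already exists, and New-CMWindowsServicingPlan will either fail half-way through the list or create a plan against the wrong ring. The following is an added example, not the post's script, that validates every row first, creates the collection only when it is missing, and skips bad rows with a warning instead of aborting. It assumes the same CSV columns as the post (Name;Collection;Language;Branch;DaysToWait), the CTP: site drive, and a deployment package named 'Windows 10 1511 CB'.

```powershell
# Added example: validate CSV rows before creating servicing plans; create missing collections.
# Assumptions: CSV columns Name;Collection;Language;Branch;DaysToWait (as in the post),
# session is on the CTP: site drive, deployment package 'Windows 10 1511 CB' exists.
$ValidRings = 'CB', 'CBB'

$DeploymentPackage = Get-CMSoftwareUpdateDeploymentPackage -Name 'Windows 10 1511 CB'
if (-not $DeploymentPackage) { throw 'Deployment package not found; create and distribute it first' }

$Plans = Import-Csv -Path 'C:\Scripts\Windows10ServicingPlans.csv' -Delimiter ';'

foreach ($Plan in $Plans) {
    $problems = @()
    if ([string]::IsNullOrWhiteSpace($Plan.Name))       { $problems += 'Name is empty' }
    if ([string]::IsNullOrWhiteSpace($Plan.Collection)) { $problems += 'Collection is empty' }
    if ([string]::IsNullOrWhiteSpace($Plan.Language))   { $problems += 'Language is empty' }
    if ($ValidRings -notcontains $Plan.Branch) {
        $problems += "Branch '$($Plan.Branch)' is not one of $($ValidRings -join '/')"
    }
    $days = 0
    if (-not [int]::TryParse([string]$Plan.DaysToWait, [ref]$days) -or $days -lt 0) {
        $problems += "DaysToWait '$($Plan.DaysToWait)' is not a non-negative integer"
    }
    # -Fast: we only need to know whether the plan exists, not its lazy properties
    if ($Plan.Name -and (Get-CMWindowsServicingPlan -Name $Plan.Name -Fast)) {
        $problems += "Servicing plan '$($Plan.Name)' already exists"
    }

    if ($problems.Count -gt 0) {
        Write-Warning "Skipping row '$($Plan.Name)': $($problems -join '; ')"
        continue
    }

    if (-not (Get-CMCollection -Name $Plan.Collection -CollectionType Device)) {
        Write-Verbose "Creating device collection '$($Plan.Collection)'"
        New-CMCollection -Name $Plan.Collection -CollectionType Device `
            -LimitingCollectionName 'All Systems' | Out-Null
    }

    New-CMWindowsServicingPlan `
        -Name $Plan.Name `
        -CollectionName $Plan.Collection `
        -EnabledAfterCreate $True `
        -Language $Plan.Language `
        -VerboseLevel AllMessages `
        -SendWakeupPacket $True `
        -RunType RunTheRuleAfterAnySoftwareUpdatePointSynchronization `
        -DeploymentRing $Plan.Branch `
        -DeploymentPackage $DeploymentPackage `
        -UpdateDeploymentWaitDay $days
}
```

Run it with -Verbose from a script to see which collections get created. Because each row is checked before anything is written, a bad line in the middle of the CSV no longer leaves you with half the rings configured.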

 

Error enrolling devices into Intune & Configuration Manager 1602


Enrolling devices into Intune and ConfigMgr is normally straightforward until you run into issues. Below is an example where I received an enrollment error (picture 1); clicking Continue leads to picture 2. As you can see in picture 2, the Enrollment Update turns from a warning to a checkmark, but only for about 5 seconds, then it goes back to a warning.

 

Troubleshooting mobile devices is slightly different from traditional desktop troubleshooting. The troubleshooting options depend on the device (Android, iOS or Windows). In this example my device was an Android. You can email the log files from the Company Portal's Settings page.

  • In Settings, tap SEND DATA. This launches the device email application and attaches all the log files.

You will receive multiple files from the device

  • CompanyPortalX.log. This log file contains a lot of information about the communication between the device and Microsoft Intune.
  • Omadmlog.log. OMA-DM is an open mobile standard for managing mobile devices.
  • com.microsoft.intune.mam.managedAppName.log. For each managed application, you have a log file with the name of the managed application.

In my case I was having issues enrolling the device and looked at the CompanyPortal.log file from the device.

Notice the error where it says DeviceCapReached.

 

xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing"><s:Header><a:Action s:mustUnderstand="1">DeviceCapReached</a:Action><a:RelatesTo>urn:uuid:0d5a1441-5891-453b-becf-a2e5f6ea3749</a:RelatesTo><ActivityId CorrelationId="86bcba8d-713d-4268-8e67-71d2d1edfb3f" xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">24adefb9-3a96-4f66-8dbb-ec57a7052cea</ActivityId></s:Header><s:Body><s:Fault><s:Code><s:Value>s:Receiver</s:Value><s:Subcode><s:Value>s:DeviceCapReached</s:Value>

</s:Subcode></s:Code><s:Reason><s:Text xml:lang="en-US">WindowsEnrollmentServiceError</s:Text></s:Reason><s:Detail><WindowsDeviceEnrollmentServiceError xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><ErrorType>AuthorizationError</ErrorType><Message>DeviceCapReached</Message><TraceId>30525159-cff1-4ab0-bf2f-024faffaf3e6</TraceId></WindowsDeviceEnrollmentServiceError></s:Detail></s:Fault></s:Body></s:Envelope>, failureType: DRS WPJ v1.4.0, WorkplaceJoinFailure: null

 

My problem was that the Azure Active Directory device registration cap had been reached. The default limit is 20 devices (and as I was testing, I passed that number). To fix the issue, open https://byodtestservice.azurewebsites.net/ and delete the devices that are no longer needed. After that you can enroll new devices.
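The SOAP fault is easy to miss inside a CompanyPortal.log full of HTTP noise, and the useful fields (the s:Subcode, ErrorType, Message and TraceId you would quote to support) are buried in a single very long line. The following is an added example, not part of the original post, that extracts those fields from every fault in a log; the log lines it runs against are constructed for the example, with a made-up TraceId, and only the DeviceCapReached subcode from this post is mapped to a hint.

```powershell
# Added example: extract enrollment SOAP fault details from Company Portal log lines.
# The sample log below is constructed for the example (TraceId is not a real one).
$SampleLog = @'
2016-05-02 10:14:01 INFO  Starting enrollment request
2016-05-02 10:14:03 ERROR Enrollment failed: <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body><s:Fault><s:Code><s:Value>s:Receiver</s:Value><s:Subcode><s:Value>s:DeviceCapReached</s:Value></s:Subcode></s:Code><s:Reason><s:Text xml:lang="en-US">WindowsEnrollmentServiceError</s:Text></s:Reason><s:Detail><WindowsDeviceEnrollmentServiceError xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment"><ErrorType>AuthorizationError</ErrorType><Message>DeviceCapReached</Message><TraceId>00000000-0000-0000-0000-000000000001</TraceId></WindowsDeviceEnrollmentServiceError></s:Detail></s:Fault></s:Body></s:Envelope>, failureType: DRS WPJ v1.4.0
2016-05-02 10:14:04 INFO  Retrying
'@
$Lines = $SampleLog -split "`r?`n"

function Get-EnrollmentFault {
    param([string[]]$LogLines)
    foreach ($line in $LogLines) {
        # Only lines carrying a complete SOAP envelope are parsed; everything else is skipped
        if ($line -match '(<s:Envelope.*?</s:Envelope>)') {
            [xml]$xml = $Matches[1]
            $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
            $ns.AddNamespace('s', 'http://www.w3.org/2003/05/soap-envelope')
            $ns.AddNamespace('e', 'http://schemas.microsoft.com/windows/pki/2009/01/enrollment')
            [pscustomobject]@{
                Subcode   = $xml.SelectSingleNode('//s:Subcode/s:Value', $ns).InnerText -replace '^s:', ''
                ErrorType = $xml.SelectSingleNode('//e:ErrorType', $ns).InnerText
                Message   = $xml.SelectSingleNode('//e:Message', $ns).InnerText
                TraceId   = $xml.SelectSingleNode('//e:TraceId', $ns).InnerText
            }
        }
    }
}

# Subcodes with a known fix; DeviceCapReached is the one from this post
$Hints = @{
    'DeviceCapReached' = 'Azure AD device limit reached: remove stale devices, then enroll again'
}

Get-EnrollmentFault -LogLines $Lines | ForEach-Object {
    $hint = if ($Hints.ContainsKey($_.Subcode)) { $Hints[$_.Subcode] } else { 'no known fix, quote the TraceId to support' }
    "{0}/{1} (trace {2}): {3}" -f $_.ErrorType, $_.Message, $_.TraceId, $hint
}
```

Against a real export, replace the constructed $Lines with Get-Content on the CompanyPortal.log you emailed from the device; the parser ignores every line that does not contain a full envelope, so it is safe to point at the whole file.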

 


Unknown error creating the Intune connector in Configuration Manager CB


I recently ran into an unknown error while trying to create the Intune connector in ConfigMgr 1602 (and 1606). The error occurred in the "Create Microsoft Intune Subscription Wizard" when trying to sign in with a Global Admin Azure account.

For those of you who do not understand Danish (yet), the error message is something like “An Unexpected error occurred”.

The GA Azure account is a "service account" and is not used to enroll mobile devices. For that reason the account had not been assigned an Enterprise Mobility Suite (EMS) license.

The solution: Assign an EMS license in Azure Active Directory to the Global Admin Azure account and sign-in again. You do not have to add the account to your custom Intune collection.  

The Impact of introducing the Microsoft Enterprise Mobility + Security in the organization



In my work as an advisor and consultant I see organizations adapting to the emerging IT landscape, where user behavior is changing and security risks are increasing. In the midst of this change, I encounter frustrated IT professionals trying to keep up with everything and not having enough time to do so. I encourage my customers to be on top of changes and make sure they stay on top. That message goes beyond IT pros and extends to business owners and managers who can no longer afford to allow IT to drive changes by itself. To understand the changes, first understand what’s driving the change and second look at how those changes will impact your environment and help drive the business.

Change Agents

There is no single new technology or trend driving the change. Rather it comes from a variety of factors, such as changes in user behavior, adoption of personal devices in the workplace, demand for greater business agility, and compounding security threats from multiple sources. We have to make decisions faster than ever before. To understand the change, it’s important to realize that specific devices like desktop and laptop PCs no longer play a leading role. Rather, change is being driven by external demands from the business ecosystem, including customers, and new business activities.

In the context of this changing landscape, organizations must focus on data first. While attention must still be paid to devices and applications, organizations need to ask themselves important questions, like how is data made available and to whom? How can they track the use of data? And how do they secure it? Think a moment about Uber and Airbnb. What is the one thing they have? That’s right, data.

If data is the key, then the role of IT professionals goes beyond deploying software and assisting users with forgotten passwords. As an IT professional these changes require more in depth knowledge and expertise on identity and data protection.

Let me break down some of the changes and see how they will impact the way your organization works with IT.  

Users: People no longer work solely in the office. Many workers spend a great deal of time on the road, accessing data and services from airports, hotel rooms and client sites. Likewise, telecommuting and telework programs allow employees to work from anywhere, improving productivity and reducing time spent commuting. Many companies don't even have a dedicated cube for each employee; my local Microsoft office, for example, provides cubes for 50 percent of the employees.

Devices: The number and types of devices connecting to corporate networks has exploded over the past decade. The uptick in smartphone, tablet and portable device usage has moved IT departments to support Bring Your Own Device (BYOD) programs, which aim to enable secure access to data, applications and services from personally owned devices. Some organizations are opting for a more restrictive Choose Your Own Device (CYOD) approach, where employees may only connect to corporate networks using devices on an approved list. Alas, many organizations lack a robust device plan. This can have catastrophic consequences, as a lost or stolen device can result in data leakage if controls are not in place.

Applications: Each year, about 20 percent of small businesses fall victim to cybercrime. Over half of those will end up going out of business within six months of an attack, according to a report by the National Cyber Security Alliance. Security gaps and vulnerabilities created by poorly managed or non-updated applications pose a significant risk. And that risk grows when application upgrades are put off because they won’t play well with an old internal CRM system or other software.

Applications are a portal to organizational data. As such, I encourage my customers to migrate to applications that support the business philosophy. If data must be available from everywhere, so must the application. Stop worrying about specific application versions and start focusing on identity management and Software-as-a-Service (SaaS).

Security threats: Gartner estimates that one-quarter to one-half of all calls to service desks are related to a password activity. I have heard of IT managers using this statistic as an excuse for not implementing a strong password policy. They simply don’t want to increase the cost of running the service desk—a position that invites disaster. Look at the facts: 65 percent of all users use the same password for multiple Web sites, while 33 percent will happily share their password with others, according to a 2015 survey by One Poll. The consequences can be devastating for an organization.

I know of examples where marketing users have been in charge of the company Twitter and Facebook accounts and use the same password for those as they do for their private social media accounts. Another example: recently I was on site at a customer concerned that its internal sales people were copying and sharing price lists with competitors, something the company had encountered in the past.

 The Microsoft Enterprise Mobility Suite

There is no single piece of software that can make all the changes and threats challenging enterprise IT shops magically disappear. The answer is a mix of changing internal business processes and implementing solutions that enable both managed access to and protection of data. Microsoft Enterprise Mobility Suite is not a single application but a suite of three cloud services and one on-premises application. All four share one thing in common—they make data available in a secure manner.

  • Microsoft Intune: The modern mobile device management (MDM) platform that enables application management, device configuration and security.
  • Microsoft Azure Active Directory: Provides Identity in the cloud along with security features like multi-factor authentication and enhanced reporting.
  • Microsoft Azure Rights Management: Offers document security, tracking and control.
  • Advanced Threat Analytics: An on-premises security solution that analyzes and identifies normal and abnormal traffic on the network.

Azure Active Directory Premium

Azure Active Directory (AAD) Premium provides organizations with a cloud identity, which is required for organizations to utilize cloud services like Microsoft Intune. The business value of implementing AAD can be tremendous, with features like multi-factor authentication, self-service password reset, Software-as-a-Service and detailed reporting of abnormal user behavior.

One highly recommended task for organizations adopting AAD Premium is implementing a self-service password reset service. Doing so can significantly reduce service desk calls and support IT efforts to implement more restrictive password policies that mandate use of complex passwords and other security-enhancing policies.

To ensure compliance, it’s a good idea to craft a program for educating and training end users in the new system. Inform them about why changes are being made and show them how easy it is to reset passwords. The effort will help ensure that users opt into the change. The password reset experience is very similar to that used in many social password reset services. The password reset can be requested from any platform that is being used to access data and employs multi-factor authentication to increase security, as shown in Figure 1.


Figure 1 The Password Self-Service Experience

Software-as-a-Service is another element in the Enterprise Mobility Suite that impacts security and agility. The main benefit of implementing SaaS is granting users easy and secure access to data. With a single sign-on the workforce can access data stored in Salesforce and thousands of other applications. At the same time social media passwords, like those used for Twitter access, can be hidden from users in Marketing. Replacing existing on-prem applications doesn’t happen overnight, so it’s important to look for low hanging fruit, such as company Facebook, Twitter and other social media accounts. Configure these assets as SaaS applications, as shown in Figure 2, and in less than 20 minutes you can remove the threat of users accessing your services with a compromised password.


Figure 2 Configuring Facebook as a SaaS Application

The built-in reports are a very powerful resource when tracking how users are utilizing the different Azure services, such as accessing SaaS applications, using the password self-service or detecting suspicious behavior in user activity. In the example in Figure 3 the report displays the time between user sign-ins and the estimated hours of travel between the listed locations.


Figure 3 One of the Many Built-In Reports

 Microsoft Intune

Microsoft Intune is a modern mobile device management platform that enables management of Windows, Apple iOS and Android devices. The scope of features in the tool is overwhelming and keeps growing every month. My advice: Take the time to understand why Intune is being implemented and the business case it supports. From there, consider breaking the project into easy-to-manage stages, starting first with data protection.

The initial phase of an Intune project must address conditional access, compliance policies and the use of managed applications. With conditional access and compliance policies, I can define rules that must be enforced for any device before it is allowed to access company data or resources. For instance, I will not allow company email access unless the device is enrolled into Microsoft Intune. Furthermore, I can also enforce password and encryption policies on the device.

The key to success is motivating end users to enroll their devices, and blocking access to corporate mail will do just that. Figure 4 shows the email users receive when they try to access corporate email using a device that has not been enrolled with Intune. Once the device is enrolled, users can access corporate data through mail or other online services like SharePoint.


Figure 4 Devices Must Be Enrolled to Access Corporate Email

Intune can also be used to deploy managed applications, making it possible to prevent data from being shared outside the managed application. The controls help shut down one of the main culprits in application data leaks—users copying data and pasting it to unapproved targets.

The Intune feature list is long and keeps expanding on a monthly basis. Intune today supports hardware and software inventory and the ability to deploy and manage applications, certificates, WiFi profiles, VPN profiles and email profiles. Remote action features include remote passcode reset, remote lock, full device wipe and the ability to only wipe company data and access from devices.

Azure Rights Management

Data protection goes beyond device-level encryption and strong password policies. It’s critically important to consider where data lives. What happens to a secure Excel file after it’s mailed to a business partner? Who is accessing the file, how long is the file supposed to exist “out there,” and is the data being manipulated?

With Azure Rights Management data is protected using predefined templates created and published in Azure. Protecting data using rights management will be a new experience to many, so a measured approach may be best. Start by defining a few simple templates, rather than creating 50 templates that will end up confusing users. Define some rules for what data must be protected and find a group within the organization to test the solution and provide feedback to the project. Figure 5 shows a template that provides view-only access to files.


Figure 5 Assigning Custom Rights to the Azure Rights Management Template

Final configuration before publishing the template involves configuring data expiration and rules for offline access. Once configured, the template is ready to be published.  

At this point users can start protecting files from File Explorer and Microsoft Office. In the example in Figure 6, the document is being shared to a number of colleagues using a template that only allows read-only access to the document.


Figure 6 Protecting a Word Document Using Azure Right Management

Users have the ability to track documents by right clicking the file in File Explorer or from within Microsoft Office. Azure lists the document information in a dashboard, from which users can drill into more detailed views on who accessed the document and from where, as shown in Figure 7. Geolocation tracking is a particularly useful feature when protecting data, as it can help flag data and documents being accessed from unexpected locations.


Figure 7 Document Tracking

 Microsoft Advanced Threat Analytics

Microsoft Advanced Threat Analytics (ATA) is an on-premises solution to help IT professionals protect their enterprises from advanced attacks by automatically analyzing, learning and identifying normal and abnormal entity (user, devices and resources) behavior. ATA uses behavioral analysis to understand normal entity behavior, reducing false positives by applying contextual insight into traffic produced by engaged entities.

A key benefit of ATA is the ability to detect advanced attacks. Real-time detection, combined with awareness of existing security risks and behavioral analysis using Machine Learning algorithms help flag and foil sophisticated attacks.

ATA features a comprehensive console that enables IT admins to quickly view a timeline of attacks and the details of each affected entity, as shown in Figure 8 below:


Figure 8  The ATA Timeline View

The example above shows an identity theft type of attack (Pass-the-Hash) where the Client2 hash was stolen and used by Client1. Click on each one of these entities and you’ll see more details that help you gain a better understanding of the role, if any, each entity had in the attack. ATA also provides recommendations for the IT administrator to take based on the type of attack or suspicious activity.

ATA deployment is non-intrusive and the ATA server can be installed in a workgroup. The only infrastructure requirement is port mirroring configured on the Domain Controllers, since ATA needs to listen to Active Directory traffic.

 Wrapping Up

What is the business impact of implementing Microsoft Enterprise Mobility Suite? Or put another way, what is the impact of not implementing the service? Protecting data is the key. Agile applications, data tracking and access to skilled workers are all vital assets that businesses rely on to preserve the integrity of data and applications.

With Microsoft Intune and managed applications, IT organizations can protect data from being shared. With Azure Active Directory, they can implement strong password policies and enforce multi-factor authentication while keeping service desk costs at a minimum. With Azure Rights Management, organizations can enable granular file protection and access tracking. And with Microsoft Advanced Threat Analytics, companies can implement intrusion detection to greatly minimize the risk of man in the middle attacks.

Be a leader, drive the change and create your own business case, where you start by defining the impact of not implementing the Microsoft Enterprise Mobility Suite.

For more information about Microsoft Enterprise Mobility +Security https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility 

Unlock BitLocker Encrypted Drive From WinPE the Secure Way!


I have seen several blog posts on how to unlock a BitLocker encrypted drive from Windows PE, using the recovery password stored in the Microsoft Bitlocker Administration and Monitoring (MBAM) SQL Server database.

What’s the problem with these solutions?

All of these have one thing in common: they query the SQL database directly, which requires changing the SQL Server configuration and granting access to the database itself.

Why is this a problem?

Well, in my opinion this is a bad design approach, as the core purpose of implementing BitLocker volume encryption and MBAM is to secure our data from being compromised.

By allowing a user to directly query the MBAM recovery database from Windows PE, I have also exposed ALL of my recovery keys for ALL of my disk volumes in the entire enterprise, it is as easy as issuing a SELECT * FROM RecoveryAndHardwareCore.Keys query!

Some of these solutions also require that the SQL Server is configured for SQL Server (mixed mode) authentication, which many a DBA will tell you is a bad practice that they will not allow...

To make things worse, the username and password of the SQL user that executes the query are written in clear text in the script used to unlock the drive...

For these reasons I have not implemented any refresh scenarios that use offline USMT and hard links from Windows PE at my customers, as these solutions would require unlocking the BitLocker protected volume. Well, I finally got the time to attack this issue and find a better solution.

The better solution (not perfect, but better)

Well, we don't need to query the database directly: MBAM provides a web-based helpdesk interface that allows us to request the recovery password for a given volume if we provide the ID of the password. This helpdesk interface talks to the recovery database through a WCF service, using its own application pool credentials.

To use the helpdesk interface and service, the requestor must be a member of the Active Directory groups that grant access to perform the request, ensuring that only authorized staff can access the recovery keys. In addition, the request is logged in the MBAM audit database, allowing the security team to screen for and identify the disclosure of recovery keys.

The result

So this is what I came up with:

  • A single script that can be added as a single step to your task sequence
  • Uses WMI to get the status of the volume; no need to unlock if BitLocker is not active
  • Does not rely on piping manage-bde.exe output to a text file and parsing it to get the recovery password ID; WMI provides this directly
  • Only requests the recovery password for the current encrypted volume, based on its recovery password ID; there is no way to disclose recovery keys for other volumes
  • Authenticates to the MBAM web service with Windows credentials, using the Configuration Manager Network Access Account (NAA)
  • Allows for full audit logging in the MBAM audit database
  • Does NOT require any changes to the MBAM backend or SQL Server, or passwords in clear text

How to use in 3 easy steps

In this scenario I needed to allow the use of offline USMT, that is, backing up user profiles from WinPE as opposed to the full running OS, but the script can be used in ANY scenario where the drive needs to be unlocked from Windows PE.

Step 1

Add the script to the boot media. As the task sequence can’t download content to an encrypted disk, we need to make the script available in the boot image.

Place the UnlockDriveFromWinPE.wsf script along with the ZTIUtility.vbs script from the MDT toolkit in a prestart content folder on the ConfigMgr content share. In this case I placed them in the existing folder used with the Coretech HTA prestart scripts.


On the properties page of your boot image, go to the Customization tab and specify the path to the folder containing the script.


Notice that a command line must be entered. In this case there is already a prestart command defined (the Coretech HTA script); just throw in a "ping.exe 127.0.0.1" if there is not already a script defined.

Update the boot image on the distribution points to include the new files.

Step 2

As the script uses the network access account (NAA) defined in Configuration Manager to authenticate to the MBAM administration service, the NAA account must be added to the MBAM Advanced Helpdesk Users Active Directory security group.

Step 3

Add the script to your task sequence. As mentioned earlier, I used this script in a task sequence where the USMT must be run in offline mode in Windows PE.

Just after the Restart in Windows PE step (which has a condition to run only if NOT already in WinPE), add a Run Command Line step.

The command line calls the script placed in the SMS10000 folder (the prestart files) with two arguments: the drive to unlock, and the URL and port of the MBAM server hosting the administration web site.

Example:
cscript.exe X:\sms\pkg\SMS10000\UnlockDriveFromWinPE.wsf /Drive:C: /MBAMServerUrl:https://mbam.domain.local:4443

Note that it is not necessary to specify the port number when using port 80 (http) or 443 (https), but in this case the MBAM web site was listening on a non-standard port, namely 4443.

That's it! The drive will now be unlocked, provided BitLocker has been applied to the volume and the recovery key exists in the MBAM database.
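What the unlock boils down to on the WinPE side, as an added example that is not the UnlockDriveFromWinPE.wsf script from this post: find the numerical password protector ID of the locked volume (that ID, not the password, is what gets sent to MBAM), validate the 48-digit recovery password MBAM hands back, and pass it to manage-bde. It assumes manage-bde.exe is present in the boot image (the WinPE-SecureStartup optional component) and that the recovery password has already been retrieved from MBAM; the manage-bde output below is constructed, not a real capture.

```powershell
# Added example, not part of the original post or the UnlockDriveFromWinPE.wsf script.
# Assumes manage-bde.exe is available in WinPE (WinPE-SecureStartup component) and
# that the recovery password has already been fetched from MBAM by its key ID.

function Get-NumericalPasswordId {
    # Parses 'manage-bde -protectors -get <drive>' output and returns the GUID of
    # the Numerical Password protector. This works on a locked volume and is the
    # ID the MBAM helpdesk service expects when looking up the recovery password.
    param([string[]]$ManageBdeOutput)

    $inNumericalPassword = $false
    foreach ($line in $ManageBdeOutput) {
        if ($line -match '^\s*Numerical Password:\s*$') { $inNumericalPassword = $true; continue }
        if ($inNumericalPassword -and $line -match 'ID:\s*\{([0-9A-Fa-f-]{36})\}') {
            return $Matches[1]
        }
        # Any other protector header (e.g. 'TPM:') ends the Numerical Password section
        if ($inNumericalPassword -and $line -match '^\s*\S.*:\s*$') { $inNumericalPassword = $false }
    }
    return $null
}

function Test-RecoveryPasswordFormat {
    # MBAM returns the recovery password as eight groups of six digits. Validate
    # before calling manage-bde so a malformed web service reply fails here rather
    # than as an opaque unlock error in the task sequence log.
    param([string]$RecoveryPassword)
    return $RecoveryPassword -match '^(\d{6}-){7}\d{6}$'
}

function Unlock-BitLockerVolume {
    param(
        [Parameter(Mandatory)][string]$Drive,            # e.g. 'C:'
        [Parameter(Mandatory)][string]$RecoveryPassword  # 48-digit password from MBAM
    )
    if (-not (Test-RecoveryPasswordFormat $RecoveryPassword)) {
        throw "Recovery password for $Drive is not in the expected 48-digit format"
    }
    # manage-bde sets $LASTEXITCODE; 0 means the volume is now unlocked
    & manage-bde.exe -unlock $Drive -RecoveryPassword $RecoveryPassword | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -unlock $Drive failed with exit code $LASTEXITCODE" }
    return $true
}

# Constructed sample of 'manage-bde -protectors -get C:' output (not a real capture).
# The TPM protector comes first on purpose: its ID must be skipped.
$sampleOutput = @(
    'BitLocker Drive Encryption: Configuration Tool version 10.0.14393',
    'Copyright (C) 2013 Microsoft Corporation. All rights reserved.',
    '',
    'Volume C: [OS]',
    'All Key Protectors',
    '',
    '    TPM:',
    '      ID: {6F5A7B3C-1111-4E2D-9C3B-0A0B0C0D0E0F}',
    '      PCR Validation Profile:',
    '        0, 2, 4, 11',
    '',
    '    Numerical Password:',
    '      ID: {D4C3B2A1-2222-4F1E-8A7B-1F2E3D4C5B6A}'
)

# In WinPE replace the constructed array with the real call:
#   $protectors = & manage-bde.exe -protectors -get C:
$keyId = Get-NumericalPasswordId -ManageBdeOutput $sampleOutput
"Recovery key ID to request from MBAM: $keyId"

# Once MBAM has answered with the password for that ID:
#   Unlock-BitLockerVolume -Drive 'C:' -RecoveryPassword $passwordFromMbam
```

Because the lookup is keyed on the protector ID read from the volume itself, the step can only ever ask MBAM for the key belonging to the disk the task sequence is running on, which is the property the bullet list above relies on.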

Reporting

After deploying the task sequence, any attempt to acquire the recovery password is logged in the MBAM compliance database, and can be audited by viewing the audit reports from the MBAM Helpdesk Portal.

Download the script here: UnlockDriveFromWinPE.zip (32.62 kB)


Default Site-Boundary-Group and boundaries

The purpose of the Default Site-Boundary-Group is to service clients that are not served by any other boundary group (neither their current boundary group nor a neighbor boundary group). However, in ConfigMgr 1610 there has been some confusion around the fact that you can add boundaries to the Default Site-Boundary-Group. I've been asked a couple of times whether we should add all boundaries to the Default Site-Boundary-Group, since the group is automatically configured for site assignment.

My take on that is NO, don't use the Default Site-Boundary-Group, as you don't really control it. You will also notice that you can't add boundaries to the group from within the boundary group itself.

However, if you right-click a boundary in ConfigMgr 1610 and select Add Selected Items to Existing Boundary Groups, then you are able to add the boundary!

Now, with this knowledge you have found a way to include all your boundaries in the Default Site-Boundary-Group, but stop! That is not a valid path. Instead, create a new boundary group, add your boundaries and configure that group for site assignment.

Changes in ConfigMgr 1701

In the latest ConfigMgr Technical Preview 1701 the ability to add boundaries to the Default Site-Boundary-Group has been removed.

So what should be added to the Default Boundary group?

In my opinion, a fallback distribution point, and from ConfigMgr TP 1701 also a fallback software update point. That way clients that are not in any managed boundary still have site systems that can serve them.
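The recommended path above (your own group with site assignment, nothing in the default group) scripted with the ConfigMgr PowerShell cmdlets, as an added example that is not from the original post. It assumes the ConfigMgr console is installed on the machine running it, a site code of PS1, and placeholder boundary names; the ungrouped-boundary check relies on the GroupCount property of SMS_Boundary, which is zero for a boundary no group references.

```powershell
# Added example, not part of the original post. Assumes the ConfigMgr console
# (and therefore the ConfigurationManager module) is installed locally, the site
# code is PS1, and the boundary names are placeholders for your own.

Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
$SiteCode = 'PS1'
Set-Location "$($SiteCode):"

function New-SiteAssignmentBoundaryGroup {
    # Creates (or reuses) a boundary group, enables site assignment on it and
    # adds the given boundaries. This is the group that should carry site
    # assignment instead of the Default Site-Boundary-Group.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$SiteCode,
        [Parameter(Mandatory)][string[]]$BoundaryNames
    )

    if (-not (Get-CMBoundaryGroup -Name $Name)) {
        New-CMBoundaryGroup -Name $Name -Description 'Site assignment group; do not use the default group' | Out-Null
    }
    # -DefaultSiteCode is the "Use this boundary group for site assignment" setting
    Set-CMBoundaryGroup -Name $Name -DefaultSiteCode $SiteCode

    foreach ($boundary in $BoundaryNames) {
        Add-CMBoundaryToGroup -BoundaryName $boundary -BoundaryGroupName $Name
    }
    return Get-CMBoundaryGroup -Name $Name
}

function Get-UngroupedBoundary {
    # Boundaries with GroupCount 0 belong to no boundary group, so clients in
    # those ranges are the ones that end up on the Default Site-Boundary-Group.
    Get-CMBoundary | Where-Object { $_.GroupCount -eq 0 } |
        Select-Object DisplayName, Value, BoundaryType
}

New-SiteAssignmentBoundaryGroup -Name 'Site Assignment - Corporate networks' -SiteCode $SiteCode `
    -BoundaryNames @('HQ-10.10.10.0', 'Branch-10.10.20.0')

# Anything listed here is currently served only by the default group
Get-UngroupedBoundary
```

Run the last function on its own periodically; a non-empty result is the list of ranges where clients will be assigned and served by the fallback site systems only.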

Q&A from the Flexera & Coretech webinar

First, a huge thanks to all attending the webinar. As promised, here is a list of the questions that we didn't have time to answer during the webinar.

  1. Q: We already use Flexera for compliance. Is "Patching" included in it OR is it a separate module?
    A: Patching is integrated in the standard CSI solution. You can either patch using WSUS or integrate with Configuration Manager
  2. Q:We have had unexpected reboots when patching servers.  We have a GP in place to disable automatic updates and the server is in a collection that has 2 maintenance windows (one for SU and one for All Deployments).  Only a SU deployment is deployed to the (missing text)?
    A: I’m guessing that the missing text is something like “collection”. I would look in the RebootCoordinator.log file on the local server and see what caused the restart. I have seen the same issue when running Configuration Manager 1606, but not with version 1610
  3. Q: Could you please tell me how many days can I use the trial version of Dashboard? Looks very useful for my SCCM infra. Also please let me know how to opt for dashboard after the trial period?
    A: I take it, that we are talking about the Coretech System Center Dashboard, a trial can be requested here: http://coretech.global/downloads/sccm-dashboard/ the trial is valid for at least 2 weeks and can be extended if needed.
  4. Q: Is task sequence the recommended way to deploy Feature updates you said you had more control then?
    A: For now I would say Yes. A task sequence will offer you much more control compared to the built-in servicing feature. Just be aware that using a task sequence will increase the size of the content compared to the servicing module.
  5. Q: Having those detailed task seq. logs for server baselining is great BUT how would you manage the sheer volume of logs if you had to patch 17,000 servers *monthly* ?
    A: In the Enterprise we normally integrate ConfigMgr with a CMDB like Microsoft Service Manager or ServiceNow. That allows us to collect the information where it truly belongs, a CMDB, along with all the server documentation.
  6. Q: Adding on question 1, what are the advantages where you recommend the CSI agent rather than built in software inventory?
    A: Using the CSI agent has a lighter impact on the amount of data being collected.
  7. Q: The "Patching" item between reports and administration in the menu does not exist when we log on, what are missing?
    A: In the CSI console, the “Patching” object is only visible when you install the IE plugin. There is a red link at the bottom of your browser whenever you have an older version of the IE plugin or no plugin at all.
  8. Q: can CSI scan use SCCM inventory data? If it does how compliance status will get updated after installing the patch? do we have to wait till next inventory cycle finishes?
    A: Yes, CSI can either use the CSI agent or software inventory data from Configuration Manager (*.exe, *.ocx, *.dll files). Compliance data are updated along with the software inventory scan process.
  9. Q: We’re using WSUS since we don’t like ConfigMgr default reboot – we tried the Coretech shutdown tool – any plans to make more features available in the shutdown tool?
    A: What features are you looking for? Also the Configuration Manager reboot has changed in latest version 1610, you can now choose to install updates during restart or shutdown.
  10. Q: After I perform a clean of the software updates (remove all expired and superseded) some sites will have a very large scan, in the form of traffic back to the primary SUP well over 1GB. I have not been able to sort out why some of these clients are doing such a large (missing text).
    A: I need to have more details to understand the scenario and answer the question – feel free to reach out to me using twitter @Agerlund
  11. Q: Are there any good reason why a enterprise business should NOT choose LTSB?
    A: Yes, it's never been meant to be a version implemented on “traditional” devices. Only special devices where changes happen rarely and new features are NEVER required.
  12. Q: I missed where you got the dashboard from? Is it free and where can I get it?
    A: It’s a paid service that includes +25 customer reports, configuration items and the Azure dashboard interface. A trial can be requested here http://coretech.global/downloads/sccm-dashboard/
  13. Q: Do the systems not reporting compliance include systems that have not completed a scan due to client issues?  Not just systems that have failed to apply updates.
    A: If a client computer did not successfully scan for software updates compliance, the state will be Unknown. Clients that failed a deployment will be listed as “Failed”.
  14. Q: what can we do about the patches that insist on not installing on some clients? Like we installed a New time zone patch that published by Microsoft but some clients still don’t have it?
    A: If the client is not requesting the patch, then you could install it as a package, it really depends on the patch. You can also create a configuration item with a patch check and force the installation.
  15. Q: IS it worth using CSI in an agentless format?  Can you talk a little bit about the Secunia/CSI agent footprint?
    A: The footprint is not that big, but often customers do not like the fact that we are installing another service on the endpoints. For that reason I find it easier to run the client as a package.
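The "configuration item with a patch check" suggested in answer 14, as an added example (not from the webinar or the post): a discovery script that reports compliance from Get-HotFix and a remediation script that installs the staged .msu with wusa.exe. KB0000000 and the .msu path are placeholders; the CI must be configured to run the remediation script when the discovery result is not "Compliant".

```powershell
# Added example, not part of the original post. KB0000000 and the .msu path are
# placeholders. Discovery and remediation are separate script bodies in the CI;
# they are shown together here so the pair can be read as one.

function Test-HotFixPresent {
    param([Parameter(Mandatory)][string]$KbId)
    # Get-HotFix reads Win32_QuickFixEngineering, which lists Windows Update /
    # .msu hotfixes but not MSI-based application updates, so use it for OS patches.
    return $null -ne (Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
}

function Get-ComplianceState {
    # Discovery script body: the CI setting compares this string to "Compliant"
    param([Parameter(Mandatory)][string]$KbId)
    if (Test-HotFixPresent -KbId $KbId) { return 'Compliant' }
    return 'NonCompliant'
}

function Install-MsuPatch {
    # Remediation script body: silent install, no forced reboot; the client's
    # normal restart handling (and maintenance windows) take it from there.
    param([Parameter(Mandatory)][string]$MsuPath)
    if (-not (Test-Path $MsuPath)) { throw "Patch file not found: $MsuPath" }
    $p = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
        -ArgumentList "`"$MsuPath`" /quiet /norestart" -Wait -PassThru
    # 0 = installed, 3010 = installed and reboot required, 2359302 = already installed
    return $p.ExitCode
}

# Discovery output for the CI:
Get-ComplianceState -KbId 'KB0000000'

# Remediation (placeholder path; point it at the content you distributed):
#   Install-MsuPatch -MsuPath 'C:\Patches\windows10.0-kb0000000-x64.msu'
```

Keep the remediation idempotent: an exit code of 2359302 means the package was already present, which happens when the update installed between the discovery and remediation runs and should not be treated as a failure.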

Software Update scan error using Cloud Management Gateway

First, I need to say….the new Cloud Management Gateway feature in Configuration Manager 1610 is awesome. There are a couple of gotchas you need to know about, when creating the service, but once you have overcome those hurdles – you will look like a hero at work, and be known as the person who finally enabled client management on internet based endpoints like road-warriors and colleagues working from home.

In the wuahandler.log on the client you might run into Scan failed with error = 0x80240439. If that happens, the first step in your troubleshooting should be checking the Configuration Manager agent version and verifying you have the latest version and hotfix installed.

The second step in troubleshooting is to check the IIS log files on the software update point to see if the traffic makes it all the way from the client to your internal environment. If you don't see any activity in those IIS log files, the issue must be on the Cloud Management Gateway virtual machine in Azure.

  1. Login to Azure, select Cloud Services and find the CMG service.
  2. Enable remote desktop on the cloud management gateway
  3. Notice the IIS log files are not located in the default location

  4. Check the IIS log file for any errors related to software update traffic. In my example I have the following:

    2017-03-13 07:00:39 W3SVC1273337584 RD00155D563B24 100.84.108.67 POST /CCM_Proxy_ServerAuth/72057594037927953/ClientWebService/client.asmx - 443 - 77.243.43.106 HTTP/1.1 Windows-Update-Agent/10.0.10011.16384+Client-Protocol/1.40 - - X000.cloudapp.net 413 0 0 357 14260 187

  5. In my example the status 413 indicated that the request coming from the client was over the proxy's size limit, which is why it never made it back to my internal SUP server. You can check the limits in Azure: connect to the cloud service, navigate to Configuration and check the ProxyEndpointConfig. The default value for the ClientWebService endpoint, `<RequestLimitContentLength>10240</RequestLimitContentLength>` (with `<ClientAuthScheme>0</ClientAuthScheme>`), can be a little too low for some environments.

  6. In my DEMO environment, I modified the value directly in the site database with the statement below. Direct edits to the site database are not supported, so take a backup first and document the change.

    update Proxy_EndpointDefinition set RequestLimitContentLength=1048576 where Name='ClientWebService'

  7. After running the script, the Cloud Manager component will write the configuration changes to Azure. You will be able to monitor the activity in the cloudmgr.log file on the site server and also by checking the updated ProxyEndpointConfig in Azure.
  8. For me the change took 2-3 minutes after which my clients started scanning for software updates and patched happily ever after
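To spot this condition in the CMG's IIS logs without reading them by eye, here is an added example (not from the post) that parses W3C log lines using the #Fields header, keeps the requests rejected with HTTP 413 and reports how far each one was over RequestLimitContentLength. The log lines are constructed from the one above (client IPs replaced by documentation addresses); the 10240 default limit is the one shown in the ProxyEndpointConfig.

```powershell
# Added example, not part of the original post. The sample log below is
# constructed from the 413 line in the post with placeholder client IPs; the
# default limit of 10240 is the ProxyEndpointConfig value quoted above.

function ConvertFrom-IisW3cLog {
    # Maps columns from the '#Fields:' header so the parser does not depend on
    # which fields the CMG site happens to log.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if (-not $fields) { throw 'No #Fields header found before the first record' }
        $values = $line -split '\s+'
        $record = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $record[$fields[$i]] = $values[$i] }
        [pscustomobject]$record
    }
}

function Find-OversizedRequest {
    # 413 = Request Entity Too Large; cs-bytes is what the client sent, so the
    # difference to the limit tells you how much headroom the new value needs.
    param([string[]]$Lines, [int]$RequestLimitContentLength = 10240)
    ConvertFrom-IisW3cLog -Lines $Lines |
        Where-Object { $_.'sc-status' -eq '413' } |
        ForEach-Object {
            [pscustomobject]@{
                Time        = "$($_.date) $($_.time)"
                Client      = $_.'c-ip'
                Endpoint    = ($_.'cs-uri-stem' -split '/')[-2..-1] -join '/'
                Bytes       = [int]$_.'cs-bytes'
                OverLimitBy = [int]$_.'cs-bytes' - $RequestLimitContentLength
                UserAgent   = $_.'cs(User-Agent)'
            }
        }
}

# Constructed sample: the post's 413 line plus a successful 200 for contrast
$sampleLog = @'
#Software: Microsoft Internet Information Services
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2017-03-13 07:00:39 W3SVC1273337584 RD00155D563B24 100.84.108.67 POST /CCM_Proxy_ServerAuth/72057594037927953/ClientWebService/client.asmx - 443 - 203.0.113.10 HTTP/1.1 Windows-Update-Agent/10.0.10011.16384+Client-Protocol/1.40 - - X000.cloudapp.net 413 0 0 357 14260 187
2017-03-13 07:00:41 W3SVC1273337584 RD00155D563B24 100.84.108.67 POST /CCM_Proxy_ServerAuth/72057594037927953/ClientWebService/client.asmx - 443 - 203.0.113.11 HTTP/1.1 Windows-Update-Agent/10.0.10011.16384+Client-Protocol/1.40 - - X000.cloudapp.net 200 0 0 2048 6120 95
'@ -split "`r?`n"

Find-OversizedRequest -Lines $sampleLog | Format-Table -AutoSize

# On the CMG VM, point it at the real file (its location is not the IIS default):
#   Find-OversizedRequest -Lines (Get-Content $cmgIisLogFile)
```

For the sample line the scan request was 14260 bytes against a 10240 limit, so the 413 is explained without touching the internal SUP at all; the 1048576 value used in the SQL statement leaves ample room for large update catalogs.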

To those of you, who still believe a VPN connection is the way forward when managing clients on the road…….wake up, we are not in the 90’s any longer – stop it, it’s simply not cool.

Cloud Management Gateway with Sub CA

The new Cloud Management Gateway is going to make a big difference in the way we manage endpoints away from home. The feature is a System Center Configuration Manager 1610 pre-release feature, which typically means a little troubleshooting is required to get it working in different environments. In my previous blog post I described an issue with the software update scan failing; the troubleshooting steps used in this post are similar to the ones described there.

In this environment we have a PKI with a Sub CA, and as part of the certificate upload the certificate chain was somehow broken (and yes, there is a script that describes how to upload the cert).

Client errors

In this example the error message in ccmmessaging.log (on the Internet client) was:

Post to https://MyCMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037928257/ccm_system/request failed with 0x87d00231.

A couple of things to check when this happens:

  1. From a client, open IE and see if you can browse to https://MyCMG.CLOUDAPP.NET. If you get an error like 403, something is broken and you need to dig into the IIS log files on the Azure box.

  2. Enable remote desktop on the cloud management gateway, and open the IIS log files to investigate further. In this example the log file had several lines like the one below. This error indicates

    2017-03-14 09:15:47 W3SVC1273337584 RD00155D81000 IPadr CCM_POST /CCM_Proxy_MutualAuth/72057594037928257/ccm_system/request - 443 - IP adr HTTP/1.1 ccmhttp - - mycmg.cloudapp.net 401 0 0 1589 3928 78

  3. The next step in troubleshooting is opening the Certificates MMC snap-in and checking the computer store. The CMG certificate should chain all the way up to your root CA. As you can see in the illustration, the issuer of this certificate can't be found, and so the trust is broken.

  4. To fix the issue, copy and import the missing CA certificate(s) to the Azure cloud management gateway server; in this case the certificates are to be imported into the Intermediate Certification Authorities store. The correct way to get this done is by running the script described in this blog post: https://docs.microsoft.com/en-us/sccm/core/clients/manage/setup-cloud-management-gateway. If you import the certificate manually it might be overwritten during maintenance of the virtual machine in Azure.

After that, check your ccmmessaging.log and you should see traffic flowing. Once again: VPN is not really the way forward in the world of modern device management.
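The same check as the certificate snap-in, but scripted so it can be run on the CMG VM (or wherever the server certificate lives) and tells you which issuer is missing, as an added example that is not from the post. It builds the chain with .NET's X509Chain, reports the chain status flags, and on PartialChain names the issuer Windows could not find. It assumes the CMG certificate is the one in LocalMachine\My with a *.cloudapp.net subject; revocation checking is disabled because the question here is the chain, not CRL reachability from Azure.

```powershell
# Added example, not part of the original post. Assumes the CMG server
# certificate is identified by a *.cloudapp.net subject in LocalMachine\My.
# Revocation checking is turned off so CRL reachability cannot mask a chain problem.

function Test-CmgCertificateChain {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $valid = $chain.Build($Certificate)

    # Every element Windows managed to link; the last one is where the chain stopped
    $elements = foreach ($e in $chain.ChainElements) {
        [pscustomobject]@{
            Subject    = $e.Certificate.Subject
            Issuer     = $e.Certificate.Issuer
            Thumbprint = $e.Certificate.Thumbprint
        }
    }
    $statusFlags = @($chain.ChainStatus | ForEach-Object { $_.Status })
    $last = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Valid         = $valid
        Status        = if ($statusFlags.Count) { $statusFlags -join ', ' } else { 'NoError' }
        # PartialChain means the issuer of the last linked element was not found
        # in the machine's CA / Root stores (and could not be fetched via AIA)
        MissingIssuer = if ($statusFlags -contains 'PartialChain') { $last.Issuer } else { $null }
        Elements      = $elements
    }
}

$cmgCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*cloudapp.net*' } |
    Select-Object -First 1
if (-not $cmgCert) { throw 'No *.cloudapp.net certificate found in Cert:\LocalMachine\My' }

$result = Test-CmgCertificateChain -Certificate $cmgCert
$result | Format-List Valid, Status, MissingIssuer
$result.Elements | Format-Table -AutoSize
```

If MissingIssuer names your Sub CA, the intermediate is absent from Cert:\LocalMachine\CA; if it names the root, Cert:\LocalMachine\Root is what lacks the certificate. Either way, fix it through the documented upload script rather than by hand, for the reason given in step 4.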

Android for Work in Configuration Manager 1702

Android for Work support was introduced in Intune standalone in late 2016. With the latest release of Configuration Manager current branch we also have AFW support in hybrid environments. In order to configure AFW, a few things you need to ensure first:

  • Have a couple of Android devices with Android 5.0 or higher
  • Create a Google account to be used as the Android for work admin account

Configure Android for Work

  1. In the ConfigMgr console navigate to Administration workspace / Overview / Cloud Services / Microsoft Intune Subscriptions and click Configure Platforms / Android For Work.

  2. Notice the dialog directs you to configure the service from within the Intune console

  3. Click on the link to open Intune
  4. Intune opens in the Android for Work settings; click Configure.
  5. Click Sign In and enter your Google admin account

  6. Once signed in, click Get Started, enter your organization name and accept to use Intune as the Enterprise Mobility management provider.
  7. The wizard will take you back to Intune to complete the registration.
  8. In Intune, select your Android for Work Enrollment Settings and get started managing those droids.
  9. Back in the Configuration Manager console, navigate to the Administration workspace / Overview / Cloud Services / Android for Work. Notice the initial synchronization can take 5-10 minutes.

You are now ready to enroll Android for Work devices.
