This blog post will show you how to Block TikTok Microsoft Intune on iOS and Android. This strategy can be used for any app.

TikTok was recently caught accessing user clipboard data when running in the background, potentially exposing passwords or other sensitive data. The behaviour was revealed because of a new feature in iOS 14, and it’s unclear how long it had been present in the app. TikTok has since removed the feature, but the privacy scare underscored long-standing privacy concerns over the app, which is owned by China-based ByteDance.

The NY Times also reported that TikTok has been under scrutiny as a potential national security threat. Amazon has also asked its employee to remove TikTok from their corporate phone to keep email access.

So, with all this information, it’s possible that your company asks you to block TikTok from your corporate devices. This post will show you how to bloc TikTok using Microsoft Intune device compliance policy and Conditional Access.

Can we block the TikTok app in an enterprise environment? You can’t block users from installing it and using it, but you can block their company access if they are.

If you’re starting with Intune, you may be tempted to use a device configuration profile and use an Application Restriction policy. This look like exactly done for that… but after trying it ourselves for hours, we never got it to work. The documentation is poorly made and the troubleshooting tools and reports are just bad. Impossible to know what’s wrong with our policy.

So we didn’t stop there and we decide to go with a good old Device Compliance policy. In short, the policy checks for our app (TikTok) and mark the device as “Non-Compliant”. After, we’ll set up a Conditional Access policy to block all devices that is not compliant to company resources.

Block TikTok Microsoft Intune – Device compliance policy and Conditional Access

iOS

We will start by show how to block Tiktok on iOS.

Bundle IDs for native iOS and iPadOS apps are all well documented but third party app is more tricky to find. The easiest way is to use the method documented in this blog post. In our case, we found the Tik Tok App BundleID: com.zhiliaoapp.musically

At the end of this post, we gather some popular BundleID for you to use if you want to block more app than just Tiktok.

Now that we have the BundleID, we’ll create our Device Compliance Policy.

• To block TikTok app with Intune, navigate to https://portal.azure.com and click on Intune
• Click on Device compliance / Policies and Create Policy
• Platform: iOS/iPadOS
• Click Create at the bottom

• In the Basic tab, enter a Name and Description, click Next

• On the  iOs Compliance Policy tab, select System Security
• In Restricted Apps , enter a friendly name and the App BundleID
  • Name : TikTok
  • Bundle ID : com.zhiliaoapp.musically
• Click Next

• In the Action for Compliance tab
• Keep the Mark device noncompliant at 0
• I like to add a Send Email to end User option to notify the user. Once selected, you need to select the message template. If you haven’t created a template yet, skip this step, you could come back and add it later.
• Click Next

• In the Scope tab, select a scope. We leave it to the Default scope, click Next

• iOS Compliance Policy must be assigned to groups of users.
• On the Assignment tabs, Select the group you want to deploy your restriction to. We select our Test groups, click Next

• On the Review + Create tab, select Create at the bottom

Android

The Android version is pretty similar to a single change at the start. Follow all iOS steps except when creating your policy, select Android

• Click on Device compliance / Policies and Create Policy
• Platform: Android Device Administrator
• Click Create at the bottom

Conditional Access Policy

Now that we have a Device Compliance Policy, we must create a Conditional Access Policy to decide what to do with our non-compliance devices.

If you’re not familiar with Conditional Access Policy, read the Microsoft documentation as you can lock the user out your company resources.

• In the Intune Portal click Conditional Access

• Click Policy / New Policy

• Enter a Policy Name
• Click User and Groups, select the group you want to target with your policy. We select our Test group

• In Cloud Apps or actions, select All Cloud App. Full list of cloud app is available on the Microsoft documentation

• In Conditions, select Device Platforms and select iOS (and Android – if applicable)

• Still in Conditions, select Client App and select Browser and Mobile Apps and desktop clients – More information

• In Access Controls, select Grant Access and Require Device to be marked as compliant. This is where we are saying to grant access only to compliant device (based on if there’s TikTok on the device)

• At the bottom, enable your policy and click Save

Block TikTok Microsoft Intune – End UserResults

We will now test our configuration. Wait a couple of minutes for the Policy to synchronise.

• Go to Device Compliance/ Policies
• Select the TikTok policy and select Device Status under Monitor
• Ensure that your test devices are Compliant. My device is compliant because I don’t have the TikTok app installed.

• In the Company Portal, I check my device compliance status. Since my phone is compliant, I can access comany ressource.

• I’ll now add TikTok and see how it goes
• My Company Portal is now reporting that I must update my setting and that I may not be able to access company resources.
• Let’s press on Check Status

• I got the notification to uninstall the App to meet company policy

• I also received an email since I enable the notification in my device policy

• If I try to access a cloud app, I’m not able to access it.

• The only way to regain access it to remove the restricted app which is exactly what we want to do.

We hope this blog post helped achieve your security policy. Let us know what are you blocking

Popular App BundleID

Here are some of the most common asked app to be blocked in a corporate environment

• RSA SecureID: com.rsa.securid.iphone.SecurID
• Zoom Meeting : us.zoom.videomeetings
• Google Meet : com.google.meetings
• Webex Meeting : com.webex.meeting
• Goto Webinar : com.logmein.gotowebinar
• Goto Meeting : com.logmein.gotomeeting
• Slack : com.tinyspeck.chatlyio
• Messenger : com.facebook.Messenger
• Whatsapp Business : net.whatsapp.WhatsAppSMB
• Adobe Scan : com.adobe.scan.ios

The post Block TikTok using Intune device compliance policy and Conditional Access appeared first on System Center Dudes.

Windows Update for Business is one of the new things Microsoft proposed along with Windows 10. It has come a long way since it’s release. Even if it isn’t perfect yet, or give all the flexibility that ConfigMgr (MEMCM) offer when managing monthly update or feature release, for many small/medium business, this brings a more simple approach to patching and maintaining Windows 10 up to date. In this post, we will detail how to configure Intune Windows Update for Business to patch Windows 10 devices managed by Intune

Pre-requisites

• Windows 10 must be managed by Intune
  • If Windows 10 is being co-managed with ConfigMgr(MEMCM), make sure the slider for Software Update is set to Intune

Intune Windows Update Business – Update rings strategy

Depending on multiple factors, the key for Windows Update for Business to be successful is to define the various update rings for your enterprise.

Here, no magic answer or one size fit all scenarios.

To take in consideration to build your strategy :

• Number of users total/per rings
• Risk tolerance for the Feature update release
• Windows 10 Pro vs Enterprise
  • Pro only allows 18months support following the release date of a build. Feature update strategy is likely to be more aggressive than if Windows 10 Enterprise is used with its 30months policy for autumn releases.

What we usually recommend :

• Minimum of 3 Update rings
  • Test, with a few IT people only
  • Pilot, with more IT people and users for many department/roles
  • Production, with everyone else.
    • Depending on the total amount of user and support capacity, consider multiple Prod rings to avoid too many users at once installing Feature Update
• The monthly quality update can follow the same 3 major Update rings
  • Test, within the first few days of release
  • Pilot, within a week or so of the release
  • Prod, within 2-3 weeks after release
  • Remember, it’s not possible to deny a monthly update. So better be careful and avoid faulty updates for most of the users
• Servicing channel for most if not all should be Semi-Annual channel
• Carefully review User experience settings in the update ring. Find the best fit for your users along with security needs.

Here’s an example of an aggressive update rings configuration.

Create Windows 10 Update rings

• Open the Microsoft Endpoint Manager admin center
• Under Devices, select Windows 10 Update rings

• Click on Create profile

• Provide a name

• Configure the Update Ring settings

• Set scopes tags if needed

• Set the Assignments. Interesting point here is that you can target groups of users, which in the long run is a much easier way to target test and pilot users without care about the device anymore.

• Review

Monitor Windows Update for Business

This is still done with the Update Compliance from Windows Analytics. Note that this is the only component that hasn’t retired yet.

• Follow our post to configure Update Compliance
• Once configured, reporting will take a bit of time. After a few days, it will look like this

• It is possible to see the progress of both Monthly updates and Features updates.

For more details about Update Compliance, see Microsoft docs

Additional steps

When using Windows Update for Business, Delivery Optimization should be reviewed for better network effecianty.

Follow our post to enable Delivery Optimization for Windows 10 update/upgrades and Office 365 updates

There is also a new option Windows 10 feature Update that is currently in preview. This allow administrators to select the Feature update to target instead of leaving it only by default.

For more details about Windows Update for Business, see Microsoft docs

The post How to use Windows Update for Business with Intune appeared first on System Center Dudes.

Microsoft has released a second SCCM version for 2020. SCCM 2006 has been released on August 11th, 2020! (SCCM has a new branding since 1910 – now called Microsoft Endpoint Configuration Manager (MEMCM). This post is a complete step-by-step SCCM 2006 upgrade guide, meaning that if you want to upgrade your existing SCCM/MEMCM installation to the latest SCCM/MEMCM updates, this post is for you.

If you’re looking for a comprehensive SCCM installation guide to build a new server, refer to our blog series which covers it all.

You won’t be able to install SCCM 2006 if you are running SCCM 2012.

SCCM 2002 is the latest baseline version. This means that if you’re downloading the source from Volume Licensing, 2002 will be the starting version of your new SCCM site. Once a new server is built using 2002, you can upgrade to the latest 2006 version after.

To install SCCM 2006 as an update, you must have installed SCCM 1810 or later. If you check for updates in your console and it’s not showing up, continue reading, we’ll describe how to get it using the “Fast Ring” script.

Keeping your infrastructure up to date is essential and recommended. You will benefit from the new features and fixes, which some of them can apply to your environment. It’s easier than ever to upgrade since Microsoft has implemented the servicing model directly from the console.

SCCM 2006 Upgrade Guide – New Features and Fixes

SCCM 2006 includes an incredible amount of new features and enhancements in the site infrastructure, content management, client management, co-management, application management, operating system deployment, software updates, reporting, and configuration manager console. This release is packed with interesting features to try.

You can consult the What’s new in version 2006 of System Center Configuration Manager Technet article for a full list of changes.

Here’s our list of favourite features. Microsoft brings together SCCM/MEMCM and Intune into a single console called Microsoft Endpoint Manager admin center. We’ll do blog posts on the most interesting feature in the coming weeks :

• Endpoint Analytics Preview
• Endpoint analytics data collection enabled by default
• VPN boundary type
• Management insights to optimize for remote workers
• Intranet clients can use a CMG software update point
• CMPivot from the console and CMPivot standalone has been converged
• Run CMPivot from an individual device or multiple devices without having to select or create a collection
• CMPivot query results, you can select an individual device or multiple devices then launch a separate CMPivot instance scoped to your selection.
• You can now configure the client setting Configuration Manager can force a device to restart to prevent devices from automatically restarting when a deployment requires it.
• Task sequence media support for cloud-based content
• With a task sequence that uses a boot image to deploy an OS, you can deploy it to a device that communicates via CMG
• You can now specify the disk encryption mode on the Enable BitLocker and Pre-provision BitLocker task sequence steps
• CMG support for endpoint protection policies

Support for SCCM Current Branch Versions

Ensure to apply this update before you fall into an unsupported SCCM version. Read about the support end date of the prior version of the following Technet article.

Windows and SQL Support

Before installing, make sure that you are running a supported Operating System and SQL version. Older SCCM version was giving a warning during the Prerequisite check but 2006 is giving an error that prevents the installation from continuing.

SCCM 2006 supports only Windows 2012+ and SQL 2012 SP3+.

Before you Begin – SCCM 2006 Upgrade Guide

Downloading and installing this update is done entirely from the console. There’s no download link, the update will appear on your console once the Service Connection Point is synchronized.

If you’re running a multi-tier hierarchy, start at the top-level site in the hierarchy. After the CAS upgrade, you can begin the upgrade of each child site. Complete the upgrade of each site before you begin to upgrade the next site. Until all sites in your hierarchy are upgraded, your hierarchy operates in a mixed version mode.

Before applying this update, we strongly recommend that you go through the upgrade checklist provided on Technet. Most importantly, initiate a site backup before you upgrade.

In this post, we will update a stand-alone primary site server, consoles, and clients. Before installing, check if your site is ready for the update:

• Open the SCCM console
• Go to Administration \ Updates and Servicing
• In the State column, ensure that the update Configuration Manager
  2006 is Available

• If it’s not available, right-click Updates and Servicing and select Check for Updates

• If the update is not downloading, click on the button Download on the upper node. The update state will change to Downloading
• You can follow the download in Dmpdownloader.log or by going to Monitoring / Updates and Servicing Status, right-click your Update Name and select Show Status
• The process will first download .CAB file and will extract the file in the EasyPayload folder in your SCCM installation directory.
• It can take up to 15 minutes to extract all files.

SCCM 2006 Upgrade Guide

Step 1 | SCCM 2006 Prerequisite Check

Before launching the update, we recommend launching the prerequisite check first. To see the prerequisite checklist, see the Microsoft Documentation

• Open the SCCM console
• Go to Administration \ Updates and Servicing
• Right-click the Configuration Manager 2006 update and select Run prerequisite check

• Nothing will happen, the prerequisite check runs in the background and all menu are unavailable during the check
• One way to see progress is by viewing C:\ConfigMgrPrereq.log

• You can also monitor prerequisite check by going to Monitoring / Update and Servicing Status, right-click your Update Name and select Show Status

• If you have any warnings, follow the recommendation to fix the issue in the bottom pane
• When completed the State column will show Prerequisite check passed
• Right-click the Configuration Manager 2006 update and select Install Update Pack

Step 2 | Launching the SCCM 2006 Update

We are now ready to launch the SCCM 2006 update. At this point, plan about 45 minutes to install the update.

• On the General tab, click Next

• On the Features tab, checkboxes on the features you want to enable during the update

• Don’t worry, if you don’t select one of the features now and want to enable it later, you’ll be able to so by using the console Administration \ Updates and Servicing \ Features

• In the Client Update Options, select the desired option for your client update
  • This option allows updating only clients member of a specific collection. Refer to our pre-production client deployment post for more details

• On the License Terms tab, accept the license terms and click Next

• On the Summary tab, review your choices, click Next and close the wizard on the Completion tab

The whole process took a minute but the installation begins on the back end.

• During installation, the State column changes to Installing

• We suggest you monitor the progress, by navigating to Monitoring / Updates and Servicing Status, right-click your Update Name and select Show Status

Unfortunately, the status is not updated in real-time. Use the Refresh button to update the view.

• Open the SCCM update log SCCMInstallationDirectory\Logs\CMUpdate.log with CMTrace

• When completed, you’ll notice the message There are no pending update package to be processed in the log file
• Monitoring / Updates and Servicing Status, right-click your Update Name and select Show Status, the last step will be Installation Succeeded
• Refresh the Updates and Servicing node in Administration, the State column will be Installed

Updating the Outdated Consoles

As a previous update, the console has an auto-update feature. At the console opening, if you are not running the latest version, you will receive a warning and the update will start automatically.

• Since all updates operations were initiated from the console, we didn’t close it during the process. We received a warning message when clicking certain objects. You will have the same message when opening a new console

• Click OK, console restart and update will start automatically

• Wait for the process to complete. You can follow the progress in C:\ConfigMgrAdminUISetup.log and C:\ConfigMgrAdminUISetupVerbose.log. Once completed, the console will open and you’ll be running the latest version

Verification

Consoles

After setup is completed, verify the build number of the console. If the console upgrade was successful, the build number will be 8968and the version is now Version 2006. Notice the new Endpoint Configuration Manager branding!

SCCM Servers

• Go to Administration \ Site Configuration \ Sites
• Right-click your site and select Properties
• Verify the Version and Build number

SCCM 2006 Clients

The client version will be updated to 5.00.8968.100x (after updating, see the section below)

SCCM 2006 Client Package distribution

You’ll see that the 2 client packages are updated:

• Navigate to Software Library \ Application Management \ Packages

• Check if the update is successful, otherwise, select both packages and initiate a Distribute Content to your distribution points

Boot Images

Boot images will automatically update during setup. See our post on upgrade consideration in a large environment to avoid this if you have multiple distribution points.

• Go to Software Library / Operating Systems / Boot Images
• Select your boot image and check the last Content Status date. It should match your setup date

Updating the Clients

Our preferred way to update our clients is by using the Client Upgrade feature: (You can refer to our complete post documenting this feature)

• Open the SCCM Console
• Go to Administration / Site Configuration / Sites
• Click the Hierarchy Settings in the top ribbon
• Select Client Upgrade tab
• The Upgrade client automatically when the new client update is available to the checkbox is enabled
• Review your time frame and adjust it to your needs

Reconfigure SQL Server AlwaysOn availability groups

If you use an availability group, reset the failover configuration to automatic. For more information, see SQL Server AlwaysOn for a site database.

Reconfigure any disabled maintenance tasks

If you disabled database maintenance tasks at a site before installing the update, reconfigure those tasks. Use the same settings that were in place before the update.

SCCM 2006 Upgrade Guide – Monitor SCCM Client Version Number

SCCM Reports Client Version

You can see our SCCM Client version reports to give detailed information about every client version in your environment. It’s the easiest way to track your client updates.

Collections

In conclusion, you can create a collection that targets clients without the latest client version because is very useful when it comes to monitoring a non-compliant client.

Here’s the query to achieve this: (You can also refer to our Set of Operational Collection Powershell Script which contains this collection)

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ClientVersion != '5.00.9012.1007'

The post Step-by-Step SCCM 2006 Upgrade Guide appeared first on System Center Dudes.

To enroll and manage iOS/MAC devices into Endpoint Manager, you need to create an Apple MDM Push Certificate. These certificates expire 365 days after you create them and must be renewed manually in the Endpoint Manager portal.

You will receive a notification email 30 days before the Apple MDM Push Certificate expires. It’s strongly recommended to renew the certificate before the expiration method.

If you don’t renew the certificate in time, you will need to re-enroll all Apple devices. In a lab environment, this can be done easily, but in a production environment with a hundred or thousand devices, this could mean a nightmare.

This post will describe how to Renew Apple MDM Push Certificate in Endpoint Manager

Verification

Besides the expiration email, you can see that your certificate is expired or the expiration date in the Endpoint Manager Portal.

• In the Endpoint Manager Portal
• Click Devices / iOS/iPadOS Enrollment and select Apple MDM Push Certificate

Antoher sign that your Apple MDM Push Certificate is expired would mean that users can’t access company ressource because the default company policy would block them.

If you tries to enroll the device, the company portal will send an error :

Couldn’t add your device. Contact your IT Admin for assistance with this issue. APNSCertificateNotValid

Renew Apple MDM Push Certificate in Endpoint Manager

Hopefully, you found out before your certificate expires…right ??… For this post, our certificate is expired for a while. The procedure to Renew Apple MDM Push Certificate in Endpoint Manager is still the same.

So this is how to do it :

• In the Endpoint Manager Portal
• Click Devices / Ios/iPadOS Enrollment and select Apple MDM Push Certificate

• In the Configure MDM Push Certificate pane
• Check the agreement in #1
• In the second step (#2), click on Download your CSR. A file will download in your browser. Keep this file for the next step
• On the third step (#3), click on Create your MDM Push Certificate

• You’ll be redirected on the Apple Push Certificate Portal
• Login using the Apple ID used to create the certificate in the first place

• In the Certificate Portal, select your Mobile Device Management Certificate and click Renew

• In the Renew Push Certificate Portal, click the Choose file button and provide the Intune.CSR file that you’ve downloaded in the previous step

• Click Upload

• On the next page, click Download. The MDM_ Microsoft Corporation_Certificate.pem file will download. Keep this file for the next steps.

• Back in the Endpoint Manager Portal
• Complete step 4 by entering your Apple ID
• Complete step 5 by entering the MDM_ Microsoft Corporation_Certificate.pem that you just downloaded
• Click Upload at the bottom

Validation

Once completed, refresh the page and look at the top of the pane. You certificate should show ACTIVE and the Days until expiration will show 365

You’ve successfully renewed Apple MDM Push Certificate in Endpoint Manager. You can now re-enroll your device if the certificate was expired. You don’t have anything else to do on your Apple device if the certificate was still valid before the renewal process.

The post Renew Apple MDM Push Certificate in Endpoint Manager appeared first on System Center Dudes.

Microsoft has released a long-awaited feature for Intune/Endpoint Manager administrators. Yet still, in “Preview”, you can start testing Endpoint Manager Group Policy Analytics now!

If you’re not familiar with Endpoint Manager… well it’s the “new” branding for Microsoft Intune, simple as that.

This feature lets you analyze your on-prem Group Policy Objects (GPO) and determine your level of modern management support.

This tool can also be extremely helpful to resolve conflicts between Group Policy Objects (GPO) and Microsoft Intune policy One of the major struggle when migrating devices to Endpoint Manager.

When you import a GPO, Endpoint Manager automatically analyzes the Group Policy and shows the policies “compliance” in Intune/Endpoint Manager. Obviously, this works only for policies applicable to Windows 10 computers.

So let’s try out the new Group Policy Analytics feature !

Backup your GPO

The first step you need to do in order to use Group Policy Analytic in Endpoint Manager is to backup the Group Policy you want to analyze.

• Open the Group Policy Manager console.
• Expand Forest / Domain / Domain Name / Group Policy Objects.
• Right-click on the appropriate GPO and select Back Up
• In the Back Up Group Policy Object window, enter the Location and Description details for the backup file.
• Click on the Back Up button to start the backup operation.

• You will see the progress in the Backup window. Click on OK when it completes the backup operation
• You’ll end up with a folder containing .xml files. The important file to keep is Gpreport.xml

Bonus Tip : You can also use Powershell to export your GPO by using the GroupPolicy module which is installed by default on an AD server.

Just change the -Name and -Path parameter to fit your needs.

Get-GPOReport -Name "GPO_Name" -ReportType XML -Path "C:\GPOName.xml"

Endpoint Manager Group Policy Analytics

Once your XML file is created, heads up to the Endpoint Manager admin center

• Browse to Devices
• Browse to Group Policy Analytics
• Click Import

• On the right, select your xml file you just imported and wait for the confirmation message

• Click on the X and come back to the main screen
• Endpoint Manager will analyze the GPO and tell if these settings in this Group policy has its “equivalent” into MDM Policies.
• In our example, only 9% of all policies have MDM Support. Let’s go ahead and click this percentage

• All settings are shown :
  • Setting name: Name of the parameter in the GPO
  • Group policy setting Category: Location on the GPO
  • MDM support: Indicates if the parameter is supported
  • Value: Parameter value
  • Min OS Version: The minimum OS version on which the setting can apply
  • Scope: Is it a computer or user GPO
  • CSP name: Name of the appropriate Intune CSP for the parameter
  • CSP Mapping : The actual CSP Mapping in Intune

• The interesting part is the CSP Mapping. Extremely useful to “convert” your GPO into Endpoint Manager policies.
  • Tip: if you need to copy the CSP Mapping to use it, you’ll have to use the Export button at the top for a more… user-friendly interface.
• For example our Show first sign-in animation setting is supported, is a Device policy and the CSP is ./Device/Vendor/MSFT/Policy/Config/WindowsLogon/EnableFirstLogonAnimation
• Once you have the CSP, you can create a device policy to match this setting in Endpoint Manager

So that’s it. A simple tool but a great one that I’m sure Microsoft will continue to develop to add more features in the future. That would ease the administrative task if you’re planning an MDM migration.

The post How to use Endpoint Manager Group Policy analytics appeared first on System Center Dudes.

When deploying Windows 10 operating system using SCCM (OSD), you will need to monitor SCCM task sequence progress. This allows us to track task sequence start, end time and most importantly errors (if any).

Our post will show 4 different ways to monitor SCCM task sequences. Each of them has its own benefits and drawbacks.

Monitor SCCM Task Sequence Using the Console

You can view the progress of a task sequence using the SCCM console. This method is simple and easy but permit to see the status of only one machine at the time. If your deployment staff don’t have access to the console or view deployment status, this option is not for you.

• Open the SCCM Console
• Go to Monitoring / Deployments
• Search and right-click the deployment linked to your Windows 10 task sequence
• On the menu, select View Status

• In the Deployment Status screen, select the In Progress tab for a running task sequence or the Success tab to review a completed task sequence
• At the bottom, click the Asset Details pane, right-click your device and select More Details

• On the Asset Message screen, click the Status tab
• You can view all task sequence Action Name with their Last Message Name

Console Status Message Queries

You can use Status Message Queries in the SCCM console to filter only task sequence messages. This method is useful to have messages from multiple devices instead of targeting a specific computer like in the previous methods. This method is a bit trickier to implement.

• The first step is to get the DeploymentID of your task sequence deployment
• Go to Monitoring / Deployments
• Add the DeploymentID column by right-clicking the top row. Note your DeploymentID, in our example 1002000B

• Go to Monitoring / System Status / Status Message Queries
• Right-click Status Message Queries and select Create Status Message Query

• On the General tab, enter a desired Name and click on Edit Query Statement

• On the Query Statement Properties window, click on Show Query Language

• Enter the following query in the Query Statement window

select
SMS_StatusMessage.*,SMS_StatMsgInsStrings.*,SMS_StatMsgAttributes.*,SMS_StatMsgAttributes.AttributeTime
from SMS_StatusMessage
left join SMS_StatMsgInsStrings on SMS_StatMsgInsStrings.RecordID = SMS_StatusMessage.RecordID
left join SMS_StatMsgAttributes on SMS_StatMsgAttributes.RecordID = SMS_StatusMessage.RecordID
where SMS_StatMsgAttributes.AttributeID = 401 and SMS_StatMsgAttributes.AttributeValue = "1002000B" and SMS_StatMsgAttributes.AttributeTime >= ##PRM:SMS_StatMsgAttributes.AttributeTime##
order by SMS_StatMsgAttributes.AttributeTime DESC

• Change the SMS_StatMsgAttributes.AttributeValue to reflect your DeploymentID

• Click OK
• In the Status Message Queries node, find your newly created Query, right-click on it and select Show Messages

• Select the desired Date and Time and click OK

• All messages from your selected deployment will be displayed for all devices that run it

SCCM Built-in Reports

There’s 28 built-in reports concerning task sequence in SCCM. The majority of the reports focus on statistics about overall deployments. To monitor progress, we refer to the 2 following reports :

• Task Sequence – Deployment Status / Status of a specific task sequence deployment for a specific computer
  • This report shows the status summary of a specific task sequence deployment on a specific computer.

• Task Sequence – Deployment Status / History of a task sequence deployment on a computer
  • This report displays the status of each step of the specified task sequence deployment on the specified destination computer. If no record is returned, the task sequence has not started on the computer.

 

As you can see, readability is easier using the console but keep in mind that reports can be accessed without having console access.

SCD PowerBi OSD Dashboard

We offer a PowerBi Dashboard for you to buy to keep track of your Windows 10 deployment. The SCCM OSD PowerBi Dashboard gives you detailed information about your current operating system deployment statistics.

You can find the report on our shop or directly on the SCCM Windows 10 Report product page. We offer a 25% discount on this dashboard for you to use. Simply use code OSDMonitor at check out.

SCD SCCM OSD Report

If you’re not using PowerBi yet, we also offer an SSRS report to keep track of your Windows 10 deployment. The report gives you all the information needed to keep track of a deployment. Simple upload the report on your reporting point.

You can find the report on our shop or directly on the SCCM Windows 10 Report product page. We offer a 25% discount on this report for you to use. Simply use code OSDMonitor at check out.

Monitor SCCM task sequences using Community Tools

The ConfigMgr Task Sequence Monitor tool, developed by fellow blogger Trevor Jones, is a GUI application that makes use of the task sequence execution data in the ConfigMgr database to review or monitor ConfigMgr task sequences.  It can report data from historic deployments as well as monitor running ones. It’s been a while since the last update but still a good tool to use.

SMSTS.log

Last method we want to cover to monitor Windows 10 task sequence deployment is using the SMSTS.log file. This is the method you’ll want to use when you have a failing task sequence. The SMSTS.log file contains every details about every steps in your task sequence. It’s the first place to look to troubleshoot a problem with a specific deployment.

The downside of this file is that it’s stored locally on the computer (by default). Another downside is that this file location change depending on the stage you are at :

• Connect on the computer you want to troubleshoot
• Press the F8 key. A command prompt will open. If you have no command prompt by pressing F8, consult our Preparation post to enable Command Line support in your Boot image
• In the command windows, enter CMTrace to open the log viewer (it’s included by default in the latest WinPE version)

• Browse to the location when the file reside (see above table)

• The SMSTS.log opens and you can search for errors

There’s also methods to redirect your SMSTS.log automatically to a network share which could help :

• Using SLShare variable (MDT Integrated)
• Using the _SMSTSLastActionSucceeded variable

We hope this post will ease your Windows 10 deployments. Do you have a better alternative to monitor SCCM task sequence ? Leave your comments and suggestions in the comment section.

The post Monitor SCCM Task Sequence Progress appeared first on System Center Dudes.

Windows 10, Azure, and Endpoint Manager offer many different tools to gather and know more about what is going on in your environment. One of those is Log Analytics Workspace. Log Analytics workspace has the ability to collect data from Windows devices such as Events and performance data through the Microsoft monitoring agent. This can centralize Windows events to be analyzed and crunched to identify potential impacts happening to many computers.

While the Monitoring agent is free, the data hosted in Log Analytics Workspaces will cost a little per month for great insight. Based on past experience, you can expect ~100$/month for roughly 7000 devices reporting Errors and Warning.

In this post, we will describe how to configure the Azure Log Analytics Workspace to gather Windows10 Events centrally.

Windows10 Events log analytic – Prerequisites

• The following operating systems are supported to report event viewer by using the Log Analytics agent
  • Windows 7, 8 and 10
  • Windows Server 2008 SP2 and above
• Clients communicate to the Azure Monitor service over TCP 443

For mode details about the requirements, see Microsoft Docs

Create a Log Analytics Workspace

• Open the Azure portal and search for Log Analytics Workspaces
• Click on Add

• Select the subscription that the usage of Log Analytics Workspaces will be billed to. Specify a name for the instance name and select the region that it will be hosted to

• Select the Pricing tier. This will vary depending on your contract with Microsoft.

• Specify Tags if you wish so.

• Review final validation and create the Log Analytics workspace

• The Log Analytics workspace will be created within seconds.

Configuring Windows Event logs

• From the overview page of the newly created Log Analytics Workspaces, select the Resource just created

• Select Advanced Settings

• Under Data/Windows Event Logs, we need to add the events we wish to collect.
  • Simply type in the Events you wish to monitor, for example System, Application or Setup.

Careful what is selected

In most cases, avoid selecting Information since there are way too many information events generated per computer. This would have an impact on the cost associated with Log Analytics Workspace.

For some more specific event categories, Information may make sense, depending on what you are looking for.

• Once the list is completed, click Save

Download the Monitoring Agent

• In the workspace details, select Agent Management

• Download the Windows Agent based on the OS architecture needed

• Take note of the Workspace ID and Primary Key. They both will be required at the install time.

Important Info

If some computers do not have direct internet connection, and you still need to have events centralized, it is possible to configure a Log Analytics Gateway.

See Microsoft docs for more details

Install the Monitoring agent

The Monitoring agent can be installed manually or silently using an install command. Endpoint Manager or Configuration Manager can easily deploy this agent with the command line.

• When ran manually, the Workspace ID and Primary key will be asked within the install wizard

• To create a silent install, the setup.exe must first be extracted from the downloaded installer

• From a command prompt, use the following command to extract the content
  • MMASetup-AMD64.exe /c
  • a prompt will show to set the location

• The silent install command line should look like this

setup.exe /qn NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 OPINSIGHTS_WORKSPACE_ID="<WorkspaceID>" OPINSIGHTS_WORKSPACE_KEY="<Workspace Key>" AcceptEndUserLicenseAgreement=1

• Workspace ID and Workspace Key need to be specified.

For more details about the installation of the Monitoring agent, see Microsoft docs

Verify Agent communication

• On a computer that the Monitoring agent is installed, go to Control Panel, and select Microsoft Monitoring Agent

• On the tab Azure Log Analytics, the status of the agent is reported.

• After a few hours, the events will be available in Log Analytics workspaces.

How to view centralized Windows events

• In the Log Analytics Workspace, select Logs

• From there, queries can be made. While the query language isn’t intuitive, after a few queries, details can be sorted about the Windows events happening in your environment.

For more details about Log Analytics query language, see Microsoft Docs

Log Analytics query examples

Here’s a few example of queries for Windows10 Events log analytic

To list all events for a specific computer

Event | where  Computer  == "<computer name>"

To list all events returned by all computers

Event

To list counts of Errors in the System events

Event | where EventLog == "System" | where EventLevelName == "Error" | summarize count() by Source, EventID

Counts of specific event ID per computers

Event | where EventID == 5002 and EventLevelName == "Error" | summarize Event_Count=count() by Computer | sort by Event_Count

Counts of errors per day for all computers

Notice that you can use chart for easily pinpoint bad days. It is also possible to modify the Time Range for bigger overview. In the below example, digging what happened on September 9th would make sense since the number of errors globally was way higher then usual.

Event | where EventLog == "System" | where EventLevelName == "Error" | summarize events_count=count() by startofday(TimeGenerated) | sort by TimeGenerated asc nulls last

For more details about Log analytics agent, see Microsoft docs

The post Collect Windows10 Events in log analytic Workspace appeared first on System Center Dudes.

This blog post describes how to fix SCCM Bitlocker prompt for fixed drives when integrated the MBAM features with Configuration Manager.

Introduction

Starting with Configuration Manager 1910 onwards, Bitlocker features that were available in MBAM are now fully integrated into ConfigMgr and allows you to manage the Bitlocker drive encryption (BDE) for your windows clients without requiring any additional tools.

From Configuration Manager 2002 onwards, the Bitlocker management feature is no more a pre-release feature.

The Bitlocker functionalities that exist in Configuration Manager 1910 onwards, only supports the clients that are on-prem and joined to Active Directory ONLY.

You will not be able to use the Bitlocker features for clients that are Azure Active Directory-joined, workgroup clients, or clients in untrusted domains. The clients that are not on-prem domain joined, will not be able to authenticate with the recovery service to escrow keys.

For more information on how to set up the Bitlocker and deploy the policies, please refer to the Microsoft Documentation. For deployment and configuration of Bitlocker management using Configuration Manager, please refer to the Microsoft Documentation.

I was recently working with a customer who wants to implement the Bitlocker management using Configuration Manager 2002 and helps to eliminate the need of storing the keys in AD.

Just to give some information on the SCCM infrastructure, the customer was using ConfigMgr 2002 build with eHTTP and is self-signed certs. The Cloud Management Gateway was using public cert (Digicert). There is no PKI infra at all. Clients were using token-based authentication for CMG.

SCCM Bitlocker Prompt Problem

The Bitlocker policy helps you configure the drive encryption policy for OS drive and fixed drives.

Since the customer has a mix of devices with fixed drives, the policy should contain the Bitlocker settings for both OS and fixed drive.

When you create a policy with OS drive encryption and deploy it, the BDE process is seamless, and there is no UI prompt to the user, and it just works fine.

There are many options for you to choose when a fixed drive is present, and this is where I had the problem with the end-user experience.
So as part of the BDE for fixed drives, I have the following settings configured.

When the policy is deployed to clients that have fixed drivers, the user started seeing the following screen:

When end-users see this message, they have no idea what to do next.

How to Fix

The above UI prompt is happening due to the policy-setting we did in the Bitlocker policy in the fixed drive tab.

I took little time to read through the description of each setting configured in the fixed drive policy.

Based on the above theory, we have 2 options to disable the user input for the fixed drive encryption and make it completely seamless.

• Configure the Auto-Unlock for fixed data drive: Require Auto-Unlock OR
• Configure Fixed data drive password policy: Disabled

If you configure both the settings, you are still good to go but either one of them is mandatory to suppress the Bitlocker UI and do silent Bitlocker encryption.

After the changes are made and the client receives the updated policy, it started the fixed drive encryption silently and escrows the keys to the site server.

Hope it helps!

Recommended reading:

• Troubleshoot BitLocker
• BitLocker event logs

The post How to fix SCCM Bitlocker prompt for fixed drives appeared first on System Center Dudes.

In this post, we’ll guide you through the process to setup Microsoft Intune and then using it thought the new Endpoint Manager Portal.

But first, let’s start this post by clarifying the various services we’ll talk about in our post.

• Microsoft Azure is a set of cloud services to help your organization meet your business challenges. This is where you build, manage, and deploy applications on a massive, global network using your favourite tools and frameworks.
• Microsoft Intune was and is still one of Azure services to manage your devices. The “old” Intune Portal you were accessing in Azure has moved to the new Microsoft Endpoint Manager admin center.
• Endpoint Manager is a unified management platform for Microsoft Intune and Configuration Manager. (Endpoint security, device management, and intelligent cloud actions)

This graph from Microsoft makes a good job explaining it:

So to wrap up… before you were accessing the Microsoft Intune portal through Azure, now Microsoft wants you to use the new Endpoint Manager Portal. This makes sense since Co-Management and Tenant Attach features from Configuration Manager (SCCM) also synchronize to Microsoft Endpoint Manager.

This will also be the portal to configure Auto-Pilot, Endpoint Analytics and Defender ATP.

If you’re wondering if you can use Intune with your current licensing, Microsoft Intune is included in the following licenses:

• Microsoft 365 E5
• Microsoft 365 E3
• Enterprise Mobility + Security E5
• Enterprise Mobility + Security E3
• Microsoft 365 Business Premium
• Microsoft 365 F1
• Microsoft 365 F3
• Microsoft 365 Government G5
• Microsoft 365 Government G3

So now that you’re familiar with the concept, you’re ready to manage some devices in Microsoft Intune.

Table of Content

• Setup Microsoft Intune Tenant
• Set the MDM Authority
• Create Users
• Intune License Assignment
• Customize the Intune Company Portal
• Create a Compliance Policy
• Enroll Devices
• Application Deployment
• Device Configuration Profile
• Dashboard
• What’s next

Setup Microsoft Intune Tenant

The first step before going in the Endpoint Manager Portal is to setup a Microsoft Intune Tenant. If you don’t have an Intune portal yet, you can sign in for a 30-day trial.

If you already have a Microsoft work or school account, sign in with that account and add Intune to your subscription. If not, you can sign up for a new account to use Intune for your organization.

• Once subscribed, check your email and verify your account using the provided link
• You’ll be directed to the Microsoft 365 admin center. If you have only cloud-based accounts go ahead and assign licences to your accounts in the 365 portal.
• If you’ll be using your organization’s custom domain name or synchronize user account information from on-premises Active Directory, we’ll need to add your organization domain.

• Go to Setup / Domains. Choose Add domain, and type your custom domain name. Select Use this domain at the bottom

• In the Verify domain dialog box select the option to create the TXT record in your DNS hosting provider.
• Select the desired option and Click Continue

• On the Verify page, enter your DNS Provider at the top
• Once the TXT information has been updated on your DNS Provider, click Verify

• There may be a delay, it may take up to 15 minutes for DNS changes to take effect. 
• Once completed your domain will be listed as Healthy. The OnMicrosoft domain cannot be removed.

Endpoint Manager

Once your initial Microsoft Intune setup is completed, you can close the Office portal and open the Endpoint Manager Admin Center.

Set the MDM Authority

For tenants using the 1911 service release and later, the MDM authority is automatically set to Intune.

The MDM authority determines how you manage your devices. Before choosing the MDM Authority, read the Microsoft Documentation to understand the key concept.

In our post, the MDM Authority will be set to Intune.

• Go to Devices. The Add MDM Authority blade will popup
• To switch the MDM authority from Office 365 to Intune and enables coexistence, select Intune MDM Authority  / Add

Create Users And Assign Licences

Before enrolling devices, we need to create users. Users will use these credentials to connect to Intune. For our test, we will create users manually in our Azure Active Directory domain but you could use Azure AD Connect to sync your existing accounts.

• In the Endpoint Manager Admin Center
• Select Users
• On the All Users page, click New user on the top
• Enter information for the user, such as Name and User name
• Go ahead and create your accounts

• Under Profile, complete user information

• Under Identity, you can see that the source of authority is Azure AD

• Under Groups, choose a group to add the user to. If you don’t have any group, skip this step and do not add the user to a group. In our example, we are adding it to the All Intune Users group

• Under Assigned Role, assigned a Directory Role to your user

Intune License Assignment

We now need to assign the user with a license that includes Intune before enrollment. If you don’t assign an Intune licence to your user, you won’t be able to enroll their devices.

You can assign a license by users or you can use groups to assign your license more effectively. Repeat the step for all your users or groups.

• Click on the user that you just created
• Click on Licenses on the left and then Assignment on the top

• Select the desired license for your user and click Save at the bottom
• Also, ensure that Microsoft Intune is selected

Customize the Intune Company Portal

The Intune company portal is for users to enroll devices and install apps. The portal will be on your user devices. You’ll want to customize it to increase your user trust before doing any actions in the portal.

So we’ll customize it to reflect our company branding.

• In the Microsoft Endpoint Manger Admin Center
• Click on Tenant administration / Customization

• In the Edit Customization Policy window, we enter our Organization Name, color and Logo

There’s plenty of other options to customize, go ahead and customize what you need. When completed, click the Review + Save button at the bottom

Create a Compliance Policy

Before enrolling a device using this user, it’s best practice to create a basic compliance policy.

In our example, we will create a basic security setting that will allow monitoring iOS device compliance. We will check Jailbroken devices, check for an OS version and require a password policy.

• In the Microsoft Endpoint Manager Admin Center
• Select Devices / Device compliance / Policies / Create Policy

• For the Platform, select iOS/iPadOS, click Create
• Enter a Policy Name and a Description, click Next

• In Settings, select Device Health, under Jailbroken devices, select Block
• Under Device Properties, in Minimim OS version, enter 11
• Click Next

• In the Action for compliance screen, leave default options. Meaning that all non-compliant device will be marked as “Non-Compliant” immediately

• Once created, the policy must be assigned to a group
• Select groups to include
• Click Next

• On the review screen, review your choice and click Create

• You can also repeat the steps to create a policy for Android and Windows devices if needed

Enroll Devices

We are now ready to enroll devices into Microsoft Intune. With the various OS: Android, Windows and iOS and specific scenarios with BYOD and corporate device, there are so many ways to enroll devices.

We’ll show you one way to enroll a personal iOS device (BYOD) but you can refer to Microsoft Documentation which covers every possible scenario.

To enroll and manage iOS/MAC devices into Endpoint Manager, you first need to create an Apple MDM Push Certificate. These certificates expire 365 days after you create them and must be renewed manually in the Endpoint Manager portal.

• In the Endpoint Manager Portal
• Click Devices / iOS/iPadOS Enrollment and select Apple MDM Push Certificate

• Check the agreement in #1
• In the second step (#2), click on Download your CSR. A file will download in your browser. Keep this file for the next step
• On the third step (#3), click on Create your MDM Push Certificate

• You’ll be redirected on the Apple Push Certificate Portal
• Login using your Apple ID or create one

• In the Get Started section, click Create a Certificate

• Check the I have read and agree to these terms and conditions check box and click Accept

• Click Browse and select the .CSR file you created previously, click Upload

• Your certificate is now created and available for download. The certificate is valid for 1 year. You will need to repeat the process of creating a new certificate each year to continue managing iOS devices.
• Click on Download
• Ensure that the file is a .PEM and save it to a location on your server.

• Back in the Endpoint Manager Portal
• Complete step 4 by entering your Apple ID
• Complete step 5 by entering the MDM_ Microsoft Corporation_Certificate.pem that you just downloaded
• Click Upload at the bottom

• Once the certificate is created, you can now enroll an iOS device using a user which has an Intune licence.
• To enroll an iOS device, you must install the Microsoft Intune Company Portal App. It can be installed on any iOS device having iOS 6 and later. (iPhone and Ipad)

The Intune Company Portal app will allows to perform the following actions:

• Monitor mobile devices with Microsoft Intune
• Enable access to company resources with Microsoft Intune
• Deploy software to mobile devices in Microsoft Intune
• Configure security policy for mobile devices in Microsoft Intune
• Help protect your data with remote wipe, remote lock, or passcode reset using Microsoft Intune

To download the App :

• Open the App Store on your device and search for Intune Company Portal. (Or use this direct link)
•  Install the App and open it

• Enter your credentials

• select Begin at the bottom

• Review and click Continue

• Review and click Continue

• You’ll get prompted to install the Management Profile, click on Allow. You will be prompt to enter your Iphone passcode

• Open Settings and select Pofile Downloaded

• Select Install at the top

• Click Install at the bottom

• On the Warning page, select Install
• On the Remote Management warning, select Trust

• Select Done at the top

• Back in the company Portal, select Continue Now

• If everything was setup correctly, you should have all 3 green check mark. Click Continue

The device will make its initial compliance check. If you have any app assignment, you’ll also receive an installation notification at this point. Since your tenant is brand new, you shouldn’t have any. Let’s create an app to install on our devices.

For our example, we’ll install the Microsoft Authenticator App

Intune Application Deployment – CREATE THE MICROSOFT AUTHENTICATOR APP

We will now add the Microsoft Authenticator app to our Intune portal. We will begin with the iOS version. This can be used for any other application if needed.

iOS

• Login to your Endpoint Manager Admin Center
• Select App / All Apps

• Select App (1), Add (2), iOS Store App (3) and Select (4) at the bottom

• Click on Search the App Store, on the search box, enter Microsoft, select Microsoft Authenticator and click Select

• Enter the App information and click Next at the bottom

• In the Scope screen, click Next

• On the Assignment tab, this is where you enter the group you want to deploy the app. Add your group to the desired deployment option.

• On the Review + Create tab, review all your choices and click on Create at the bottom

• You’ll see a confirmation at the top right

• After creation, you’ll be sent to the Microsoft Authenticator app screen. Go to the Properties tab if you need to modify anything like Assignments. You can also see Deployment statistics on this screen

Android Devices

We will now do the same step for the Android version of Microsoft Authenticator app.

• Login to your Endpoint Manager Admin Center
• Select App / All Apps

• Select App (1), Add (2), Android store app (3) and Select (4) at the bottom

• Click on Search the App Store, on the search box, enter Microsoft, select Microsoft Authenticator and click Select

• Enter the App information like the Name and Description
• In the Appstore URL enter: https://play.google.com/store/apps/details?id=com.azure.authenticator
  • This ID is found by searching the App on the Google Play Store
  • Search for Microsoft Authenticator App and select it
  • Copy and paste the URL from your browser
• Click Next at the bottom after all information has been entered

• In the Scope screen, click Next

• On the Assignment tab, this is where you enter the group you want to deploy the app. Add your group to the desired deployment option

• On the Review + Create tab, review all your choices and click on Create at the bottom

• You’ll see a confirmation at the top right

• After creation, you’ll be sent to the Microsoft Authenticator app screen. Go to the Properties tab if you need to modify anything like Assignments. You can also see Deployment statistics on this screen

Review and Test App Deployment

Both Applications has now been added to our Intune tenant and is ready to test on an iOS or Android device

• On an iOS device, open the Company Portal and if you configured everything correctly, you’ll see the Microsoft Authenticator app

Device Configuration Profile

Using Microsoft Intune, you can enable or disable different settings and features as you would do using Group Policy on your Windows computers.

You can create various type of configuration profile. Some to configure devices, others to restrict features, even some to configure your email or wifi settings.

For our post, let’s create a Wifi connection profile for our users so they get to access to your Wi-Fi network without configuring it. This is just an example, you can create a configuration profile for many other different settings.

• Login to your Endpoint Manager Admin Center
• Go to Devices / Configuration profiles / Create profile

• In Platform, select iOS/iPadOS and in Profile, select Wi-Fi, click Create at the bottom

• Give a Name and Description to your newly created profile, click Next

• In Configuration Settings, enter your Wifi settings, for our post we create a basic WPA2 profile but the WPA2-Enterprise is also supported, click Next

• Assign the desired scope tag, click Next

• Assign the profile to the desired user/groups, click Next

• Review your settings and click Create

You’ve just created your first configuration profile. You can now check the available options and create different configurations for different OS.

Dashboard

There’s still one last thing that you should start looking at. The Microsoft Intune Dashboard displays overall details about the devices and client apps in your Intune tenant. If you have some device, just take a look at what’s displayed there. it gives a good overview of your progress.

To access the Dashboard, simply select Dashboard on the left pane.

For our example, we can quickly sees the action point we should focus on.

Setup Microsoft Intune – What’s next

So to wrap up, we’ve set up Microsoft Intune Tenant, configure it for your company need, enroll some devices, configure a basic compliance policy, create a configuration profile and deploy your first app.

So what’s next? There’s still so much to cover. We suggested that you start looking at :

• Enroll Windows devices
• Enroll Android Devices
• App Protection Policy and Mobile application management (MAM)
• Device Profiles (One example : Enable And Manage Windows Defender Firewall Using Intune)
• Device Restrictions policy
• Conditional Access (One exemple : Block Tiktok Using Intune Device Compliance Policy And Conditional Access)
• Windows 10 Software Update in Intune
• Setup CoManagement (if using Configuration Manager)
• Setup Windows 10 Auto Enrollment
• Configure Windows 10 AutoPilot

Enroll more device, play with different options and most importantly test, test and test ! We’ll be doing more in depth post in the following week to cover more Microsoft Intune configuration options.

The post Setup Microsoft Intune and manage it in Endpoint Manager appeared first on System Center Dudes.

Cloud management gateway (CMG) is a new chapter in Microsoft Endpoint Manager Configuration Manager (MEMCM). It is getting improved better and better in each version that gets released. If you look at the technical preview build that was released recently (version 2009), it has a remote control feature for CMG connected devices which is very much needed to support the internet-connected devices and there are many other good features in the technical preview build that might ship in the next production build. But that’s a whole other topic. In this blog post, I will describe the SCCM CMG Policy Violation error that I recently come across at a customer while deploying the SCCM Cloud Management Gateway service.

Due to the COVID-19, lot of workforce is working from home and managing the endpoints over internet or VPN is at most important and meet the compliance.

You can refer to our guide for a complete Cloud Management Gateway installation.

Refer to this TechNet blog if you need more information about managing remote machines with cloud management gateway.

Every time I set up a CMG service, there is always something to learn from it and this time, I have learnt something new about the resource group and region.

Just to brief about the customer infra, SCCM 2006, self-signed certificate, e-HTTP enabled, wild card certificate from public CA for server authentication.

With SCCM 2002+, clients can use token-based authentication if you don’t have PKI, hybrid Azure AD join or Azure AD join. These are different authentication methods for the client to authenticate with CMG service.

SCCM CMG Policy Violation Problem

We used the wild card certificate for the CMG server authentication and started the CMG setup.

We had selected the existing resource group called SCCM and the region as East US.

After the completion of the setup, I had looked the console for the status and status shows provisioning service failed error.

So I have looked at the CMGsetup log on the primary site server log files and found the following error several times.

Error: Resource Manager – Unexpected exception: Hyak.Common.CloudExeception: InvalidTemplatedeployment: The template deployment failed because of the policy violation. Please see the details for more information. Check monitor/activity log on Azure portal for more information.

SCCM CMG Policy Violation Solution

To find the actual reason for this failure (the policy violation) :

• I have logged into the Azure portal
• go the Subscription where the CMG service was targeted for the deployment
• Click Activity log
• In the activity log, you will see several alerts

• Click on any one of the activity log, you will see more information about the error.

• We had the following message: Invalid resource group location ‘East US’. The Resource group already exists in location ‘CentralUS’.

If you remember the region that was selected for the resource group (SCCM) in the CMG setup, it was East US and this resource group SCCM already created with region CentralUS hence a mismatch.

So now, we have couple of options to fix the issue:

1. Change the region for the existing resource group in the subscription from CentralUS to East US
2. Select Central US in the CMG setup wizard for the existing resource group SCCM
3. Create a new resource group and choose the wanted location

• We tried option #1… but we can’t change the location of a resource group once it is created… let’s try #2

• We will now go with either option #2 or #3. We decided to try option 2 by simply changing the region that matches the resource group region Central US in the CMG setup wizard.

This time, the CMG setup wizard successfully executed, and the services were in place in no time. The SCCM CMG Policy Violation error didn’t happen this time

Conclusion

If you want to use the existing resource group for the CMG setup, make sure, you select the same region that was used in the Azure subscription else you will run into this SCCM CMG Policy Violation error.

The post How to resolve SCCM CMG Policy Violation Error appeared first on System Center Dudes.

Desktop Analytics is a cloud-based service that integrates with Configuration Manager. Desktop Analytics is now available and replaces Windows Analytics, which retired on January 31, 2020.

When you integrate Desktop Analytics with Configuration Manager, it provides insight and intelligence for you to make more informed decisions about the update readiness of your Windows clients. It combines data from your organization with data aggregated from millions of devices connected to Microsoft cloud services.

Following are the benefits of Desktop Analytics:

• Device and software inventory: Inventory of apps and Windows version.
• Pilot identification: Identify your group pilot for a test deployment before going in production
• Issue identification: Using aggregated market data along with data from your environment, the service predicts potential issues to getting and staying current with Windows. It then suggests potential solutions.
• Configuration Manager integration: The service cloud-enables your existing on-premises infrastructure. Use this data and analysis to deploy and manage Windows on your devices.

One of the things that SCCM is currently missing is SCCM Desktop Analytics reports.

When you implement Desktop Analytics in your infrastructure, there are no custom reports that you can use to monitor the connection health status except the connection health dashboard that is available in the console.

If you want to monitor the desktop analytics connection health status, you can launch the console and monitor the status and troubleshoot the client issues that have enrollment issues but it’s not really practical.

Also, note that monitoring the connection status using the console takes a few clicks every time to see the list of clients that have connection health issues and it consumes a lot of time.

What if you have a custom report to monitor the connection health that provides you all the information that you need to be aware and client health status that is failing to enroll in Desktop Analytics service?

We have an SCCM Desktop Analytics report for you to monitor the desktop analytics health and also list all the devices with their enrollment status.

This report can be run against a specific collection to know the status of clients in DA.

This report has the following details:

• Desktop Analytics connection
• Desktop Analytics last synchronization
• Connection health with a count of devices based on its enrollment status
• Top 5 issues of enrollment failures
• List of devices that are eligible for DA with its status.

The list of devices shown in the report are excluded with the following as they do not qualify for DA:

• Decommissioned
• Obsolete
• Inactive
• Unmanaged
• Devices running Long Term Servicing Channel (LTSC) versions of Windows 10
• Devices running Windows Server

If you run the report against any collection that has the clients with the above criteria, they won’t show up on the device list.

SCCM Desktop Analytics Report – Download

You can download this report by visiting our new online shop

For more information about the description of enrollment status, refer to the Microsoft documentation.

The post Monitor Desktop Analytics Health using SCCM Report appeared first on System Center Dudes.

I was asked to restrict domain user access on a Windows 10 device managed by Intune. The computer was configured as a Single-App Kiosk mode so we needed to prevent a user to use CTRL-ALT-DEL and log on the computer using his domain credentials.

After searching through the Intune Device restrictions available for Windows 10, I couldn’t find any UI settings for that. I had to use a Custom Profile type for that. (Custom Profiles are also called OMA-URI Settings) This blog post will describe how to Create an Intune Device Profile Restriction User Login to restrict login rights

This post assumes that you have a valid Intune subscription and that your Windows 10 device is Intune Managed.

• Open the Endpoint Manager Console
• Go to Configuration Profile

• Then click Create Profile at the top

• Platform: Windows 10 and later
• Profile: Custom
• Click Create at the bottom

• In the Basics pane, enter a Name and Description, click Next

• On the Configuration Settings pane, click Add

• Enter a Name and Description for your policy
  • OMA-URI : ./Device/Vendor/MSFT/Policy/Config/UserRights/AllowLocalLogOn
  • Data Type : String
  • Value :

<![CDATA[*S-1-5-113]]>

The challenge was to find the correct syntax of the CDATA value. The documentation is stating to use group names like “Administrator” or “Remote Desktop Users” but our testing revealed that is was not working in non-English Operating systems. As mentioned in the comment section of the article we decided to try using the account SID. Reading through the documentation we selected the S-1-5-113 (LOCAL_ACCOUNT). This ensure that only local accounts can log to the machine, preventing our domain user to use their account.

We also decide to add another setting to make sure that the MDM Policy wins over Group policy. Since Windows 1803 there’s a new Policy CSP setting called ControlPolicyConflict that includes the policy of MDMWinsOverGP. This ensures that the Intune policy wins if there’s a group policy with the same settings.

• To add the second settings, on the Custom OMA-URI Settings pane on the right, click Add
• Enter a Name and Description for your policy
  • OMA-URI : ./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP
  • Data Type : Integer
  • Value : 1

• Click Ok then Save
• Click on Next

• On the Scope tab, assign a Scope if needed, click Next

• On the Assignments tab, assign your profile to a test device or test group

• In the Applicability Rules tab, assign a rule if needed. Click Next

• Review your Configuration Profile and click Create

Intune Device Profile User Login Restriction Monitoring

To monitor the deployment of your Intune Profile :

• Click Device Status at the bottom of the Profile you just created

• The machine(s) that received the profile will be listed, click on it.
• The Device overview pane will open, click on Device Configuration and click your policy on the right
• You can see the deployment status and the last status update, you can click on it to have more information

On the Device, when trying to log using a domain account, the users receive the following notification :

The post Create an Intune Device Profile for User Login Restriction appeared first on System Center Dudes.

Beginning with SCCM 2006, you can now create a new boundary type. The SCCM VPN Boundary type helps to manage your remote clients. An upgraded SCCM client now sends a location request which includes information about its network configuration.

Your management point can determine if the client is on a VPN connection based on this new information. You may want to use the SCCM VPN Boundary to set some options to differ when your clients are on a VPN connection. For example, redirect your VPN client on different site servers, disable Peer download or prefer cloud-based sources.

If you’re not familiar with boundary and boundary groups, let’s define it this way: a boundary is a network location that can contain one or more devices that you want to manage. By using boundary groups, clients can find an assigned site and locate content when they have to install software, such as applications, software updates, and operating system images.

There is no prioritization with boundaries or boundary groups. A client falling inside multiple boundaries will apply all settings applicable to the boundary groups that those boundaries are members of.

SCCM vpn boundary type Requirement

Before you can benefit from this new feature, you need to upgrade your servers and client to SCCM 2006.

Once you upgrade your SCCM server, you need some information on your clients connected to a VPN connection. Once you have this information, you create a new boundary in SCCM. Let’s see how to do that.

How to Configure

You may wonder how does SCCM will define if a client is on a VPN or not?

Well, it’s pretty simple, it can use 3 different methods :

Auto Detect any VPN solution that uses the point-to-point tunnelling protocol (PPTP).

If this solution doesn’t work for you, you can create a VPN boundary based on the Connection Name. To use this option simply use the name of the network adapter in Windows for the VPN connection.

• On a client connected to VPN
• Run an ipconfig /all on a command line window
• In our example the Connection Name is SCD

You can also use the Connection Description field. To use this option simply use the Description of the network adapter in Windows for the VPN connection.

• On a client connected to VPN
• Run an ipconfig /all on a command line window
• In our example the Connection Description is SCD

Now that we have this information we can head to the SCCM Console and create a new VPN Boundary based on the desired option.

• Go to Administration / Hierarchy Configuration / Boundaries
• Right-click Boundary and select Create Boundary
• In the Create Boundary window, select VPN as Type

• Create your VPN boundary based on the desired option. (Auto Detect, Connection Name or Connection Description)

• On the Boundary Group tab
• Click Add to assign your new boundary to an existing Boundary Group. You can select more than one if needed.
  • If you need to create a new Boundary group, click Ok and create your Boundary Group in the Boundary Group pane
• Once the Boundary Group is set, click Ok

That’s it, you’re all set to manage your remote client using the new SCCM VPN Boundary type.

If you need to monitor your clients and know in which boundary and boundary group they are configured, we have built a report just for that.

Let us know if you have any questions using the comment section.

The post Create an SCCM VPN Boundary Type to manage your remote clients appeared first on System Center Dudes.

I was recently helping out a customer who wanted to manage Android mobile devices using Endpoint Manager for users in China.

What is different from managing Android mobile devices for users in China and out of China? There is a significant difference and it is due to the services available on an Android mobile device that is required for managing the devices using Microsoft Intune.

Microsoft Endpoint Manager provides 2 ways of protecting the mobile devices which are MAM-WE (Application management without enrollment) and Device enrollment (MDM).

Following are some of the major differences between MDM vs MAM (app protection policies):

If you are managing the corporate data on the mobile device (BYOD) using MAM, you don’t need to think of the device having GMS services or not as it works with corporate apps and no enrollment is required, but if you planned to do MDM (device management), you would need Google Mobile Services (GMS) and is prerequisite for device enrollment (Android enterprise/work profile).

What is GMS? – Endpoint Manager Android China

Google Mobile Services (GMS) is a collection of Google applications and APIs that help support functionality across devices. These apps work together seamlessly to ensure your device provides a great user experience right out of the box.

Google mobile services (GMS) is part of the Android operating system which is used to connect to Google services and it is not free.

Why is GMS not available for users in People’s Republic of China?

A year ago, U.S put a ban on Chinese tech giant Huawei to do business with any organization that operates in the United States.

As part of this announcement, Google declared that they would comply with the Huawei ban and Huawei will longer have access to the core applications on an Android device such as Gmail, YouTube, Google Drive, and the big piece Google Play Store. For more information on the Huawei ban, please read here

So, what other options do we have to manage the Android devices without GMS?

If you look at the Android device enrollment types, we have 2 options:

1. Device Administrator (Legacy)
2. Android enterprise enrollment (work profile).

For #1, device administrator, you don’t need GMS services but the features you get from Microsoft Intune are very limited. Google has already announced about the depreciation of the device admin https://developers.google.com/android/work/device-admin-deprecation and is highly encouraged to use Android enterprise for devices where GMS available.

For #2 Android Enterprise enrollment such as work profile, COBO (company-owned business Only), COSU (corporate-owned single user), COPE (company-owned personally enabled), you will need GMS.

Since our requirement is to manage the Android devices (corporate-owned) with no GMS services, we will need to fallback to the device admin enrollment type with limited Intune features until the GMS services available. This will help us to push the applications to end-users and control other device settings due to business requirements.

For limitations of Intune device admin where GMS is not available, please read the Microsoft Documentation

How do we configure the device enrollment options for Android device administrator?

In Microsoft Intune, the default device restriction policy enabled with all platforms and applied to all devices with default priority. Anything you create new will have a high priority.

With this default setting, if a user (with/without GMS) try to enroll the Android device to Endpoint Manager, the device picks up the Android enterprise (work profile) type as default and do the enrollment process but this will fail on a device that doesn’t have GMS services because Android enterprise requires GMS.

To use the Android device administrator, we will need to do the following tasks:

1. Create an AD/AAD sec group and add users who will be participating in the device Legacy enrollment profile.
2. Create new device enrollment type restriction, select Block for Android enterprise (Work profile)

To achieve this :

• Open the Endpoint Manager Portal
• Go to Devices / Enroll Devices

• Click Enrollment Restrictions and then Create Restriction / Device Type Restriction

• Select Block for Android enterprise (Work profile)

• In the Assignment Tab, apply this restriction to a group of users that you created in step 1

• This legacy enrollment type applies to the users based on their priority

Android Enterprise (work profile) and Android device administrator platforms have the following behavior based on their assignment:

• If both platforms are allowed for the same user, then users will be enrolled with a work profile if their device supports it, otherwise, they will enroll as DA.
• If both platforms are allowed for the group and refined for specific and non-overlapping versions, then users will receive the enrollment flow defined for their OS version.
• If both platforms are allowed but blocked for the same versions, then users on devices with the blocked versions will be taken down the Android device administrator enrollment flow and then get blocked from enrollment and prompted to sign out.

Users can visit the respective store apps provided by the device manufacturer such as AppGalary for Huawei etc and install the Microsoft Company portal and other Intune supported apps.

When the user tries to enroll the device, they go through the device admin enrollment process and receive the device management policies that are pushed by the Intune admin.

You can refer to this post for more information about managing the Android devices in the China region

The post Manage Android devices without GMS using Microsoft Endpoint Manager appeared first on System Center Dudes.

Yammer is an enterprise social networking service used for private communication within organizations. Yammer helps you to connect and engage users across your organization, thereby you can discuss ideas, share updates, and network with others around the globe.

To access Yammer, you can either use a web browser or desktop client application. I like the browser app on windows device but individual choice

In this blog post, we will see how to deploy using Endpoint Manager the Yammer App desktop client using Microsoft Endpoint Manager (Intune).

Yammer desktop app is available in both exe and MSI file (machine wide installer).

If you want to deploy Yammer using .exe file using Intune, you can create a win32 app and deploy it to the user group.

If you want to deploy Yammer using MSI, the Yammer Machine-Wide Installer is installed on the client machine (C:\Program Files (x86)\Yammer Installer), and it installs the Yammer Desktop app for users the next time they log in to their machine.

How does the Yammer MSI installation work? The Yammer MSI will place an installer in Program Files. Whenever a user signs into a new Windows User Profile, the installer will be launched and a copy of the Yammer desktop app will be installed in that user’s App folder. If a user already has the Yammer app installed in the App folder, the MSI installer will skip the process for that user.

This process something similar to Microsoft Teams machine-wide installer. But in this blog post, we will go through the steps for deploying the exe (extracted from MSI) file using win32 app to users.  Unlike the MSI installer, this method works for users who already have windows profile created and logged into the device.

If you are doing an Autopilot kind of scenario, would suggest planning for MSI installer and is much easier.

Endpoint Manager Yammer App Deployment

So now, let’s take a look at the exe deployment.

• Download the Yammer desktop client (MSI)
• Once the MSI file is downloaded, install the MSI on to the device to get the .exe file

We will now use this the desktop app (yammerdesktop.exe) to create a win32 app and deploy using Microsoft Endpoint Manager (Intune).

To create a win32 app, we will use the win32 content prep tool. The packaging tool converts application installation files into the .intunewin format.

• Download the win32 content prep tool from

• Once downloaded the tool, unzip the file to get IntuneWinAppUtil.exe
• Open cmd and run IntuneWinAppUtil.exe
• The setup will ask for the source folder, setup file, and output folder to save the output. Provide all the required information.

• Once the file is processed, we will get a win32 app in .intunewin and ready to create app in Intune.

How to create win32 app for Yammer desktop in Intune:

• Sign in to Endpoint Manager portal
• Select Apps / All apps / Add

• On the Add app pane, click Select app package file.

• Select a Windows installation file with the extension .intunewin

• Click OK
• Provide all the necessary information for the app

• In the Program tab:
  • Install command: “yammerdesktop.exe” /s
  • Uninstall command: C:\users\%username%\AppData\Local\Update.exe” –uninstall –s
  • Install behavior: User

In the Requirements tab :

• OS Architecture : 64-bit
• Minimum Operating System : Windows 10 1709

In the Detection Rules tab:

• Select Manually configure detection rules, click on Add

• Since the yammer is installed in the user app data profile, we will need to use the user profile path to check for the installation status
• Path: C:\users\%username%\AppData\Local\yammerdesktop
• File or folder name:yammer.exe
• Detection method: File or folder exists

• On the Review + Save tab
• Target the application to a security group (users)
• Review the information before saving the changes.

• The application is now created

• Please wait for the content to upload. This will take a few minutes

The Yammer application is now created and targeted to the users.

End-user experience

When a user logged into the machine or already logged into the device, based on the sync cycle, the user receives the notification (these notifications can be suppressed in the assignment settings).

• After a while, the user will see a success notification and there will be a shortcut placed on the desktop.

• Desktop shortcut

• Application installation status can monitored from Endpoint portal.

For understanding win32 app deployment status codes, please refer to my blog article on the subject. For more information about win32 apps. Follow the Microsoft Documentation

The post Deploy Yammer desktop application using Microsoft Endpoint Manager appeared first on System Center Dudes.

Based on the popularity of my previous post published in 2018 and 2019, I decided to do a 2020 refresh of the SCCM Must have 2020 Tools and blog list since there’s always new stuff coming out.

I also added must-have blog posts that you should have already read.

The tools are listed in no particular order. The list could have been longer but I needed to choose from my top personal list. If you feel that I’ve forgotten your awesome contribution to the SCCM community, please use the comment section to promote it.

SCCM MUST HAVE 2020 TOOLS and BLOG LIST

If I would have told you at the beginning of the year that we’ll almost all be working from home for the next year, you probably would believe me. Well, 2020 had a surprise for us… a global pandemic. This shitty COVID had made everyone review their own work methods.

Even more, if you’re the person managing remote workers in your company. Hopefully, SCCM/Endpoint Point Configuration Manager was already ready for it and the CMG became rapidly the most popular feature.

Rob York from Microsoft has published a complete article on the subject: Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager

Pause a Task Sequence when you want with just a variable

This quick method will allow pausing a TS when you want without adding a step in your TS, as many times as you want. What makes it different from the other methods? With this method, you won’t have to create a step in your TS to pause it. You will be able to pause the TS dynamically, as many times as you want.

Developed by Damien Van Robaeys, you can know more about this tool on his webpage.

Build a ConfigrMgr lab with AutomatedLab

AutomatedLab is a PowerShell module for building lab environments with simple PowerShell code.

The benefit of using AutomatedLab is the simplicity it offers to build and throw away environments of varying complexity. Also, it offers a huge range of functions to customize your lab to how you want it.

Developed by Adam Cook, the module can be found on GitHub and more documentation also on their website.

TSBackground

This tool is not new but has a significate update. TSBackground replaces BGInfo as well as its predecessor OSDBackground as background (Wallpaper) generator during OS Deployment with Configuration Manager

Developed by Johan Schrewelius, the module can be found on the Onevinn website.

Deploy Service Announcement Toast Notifications in Windows 10 with MEMCM

This script lets you create custom Toast Notification using the Windows 10 Runtime API. This is very useful to inform your user of anything you can think of.

Developed by Ben Whitmore, the tool is well documented on his website

Automated User Deployment using AD Group

This script automate the deployment of application to user collection using AD Groups. The script does the following actions:

• Creates AD Groups based on the Names of CM Apps
• Adds a security group to that for easy testing
• Creates CM User Collections
• Creates Available Deployments of the associated apps.
• Adds the new AD Group to that User Collection

Developed by Gary Blok, the script is available on his GitHub Repo

CMG and VPN split tunnelling

Another great blog article from Gerry Hampson about using a Cloud Management Gateway in a split tunnelling scenario.

We often hit this situation when doing CMG Installation. It is important to note the distinction between internet-based clients and those using the VPN. They are both remote clients but ConfigMgr handles them differently.

Gerry describe and tell how to configure both scenario on his blog post.

Demystifying Windows 10 Feature Update Blocks

A level 400 post by one of our contributor, Adam Gross.

His post goes deep into describing how Feature Update works and is handle by your computer. You may end up with a headache after reading it but it’s too good to be missed.

You can read the full blog article on Adam’s personal blog.

Fully Automate Software Update Maintenance in Configuration Manager

This script lets you fully Automate Software Update Maintenance in Configuration Manager. Yet not new, it has been updated recently and I haven’t included it in my previous “Must Have” posts. Shame on me!

The script does the following :

• Detect if synchronization is occurring and wait for success before resuming.
• Decline superseded updates.
• Decline updates by a list of titles.
• Decline updates based on external plugin scripts.
• Output a comma-delimited list of declined updates.
• Run the WSUS Cleanup Wizard.
• Initiate a software update synchronization.
• Remove expired and declined updates from software update groups.
• Delete software update groups that have no updates.
• Combine software update groups into yearly groups.
• Set the maximum run time for updates by title.
• Remove unneeded files from the deployment package source folder.
• Update the deployment packages used by ADRs either monthly or yearly.
• Directly call the stored procedures to delete obsolete updates.
• Add crucial indexes that make WSUS run faster overall.
• Delete updates that have been declined from the WSUS database entirely.

Developed by Bryan Dam, the script is available on his personal blog

Export all your hardware hashes from ConfigMgr

If you’ve done Autopilot Deployment, you know that one of the requirements is to get the Hardware Hash of the machine in order to import it into Endpoint Manager.

Michael Niehaus, former Microsoft PM on the Autopilot team has a script and blog post to export all your hardware hashes from ConfigMgr. Pretty useful!

We hope this list was helpful. Thanks to all the contributors that helped the SCCM community with their tools, blog posts and time.

The post List of SCCM Must-Have Tools and blog – 2020 Edition appeared first on System Center Dudes.

In September 2019, Microsoft announced that Intune was finally able to distribute Win32 applications. This was a major show stopper to go full MDM for Windows 10 devices for many companies and would keep using SCCM/MEMCM to fulfill this duty. In this post, we will detail how to deploy Win32 Apps with Endpoint Manager. We’ll deploy Google Chrome with the MSI installer as an example.

Win32 Apps Endpoint Manager Prerequisites

• Download the Microsoft Win32 Content Prep Tool from GitHub

Prepare Endpoint Manager Win32 application

First, you need to “wrap” all the required files into an Endpoint Manager (Intune) format. To do so, Microsoft has a tool that will “convert” your application into a .intunewin file at the end of the process. The generated .intunewin file contains all compressed and encrypted source setup files and the encryption information to decrypt it.

Important Info

• To view help, run IntuneWinAppUtil.exe -h.

• Download the Microsoft Win32 Content Prep Tool and have the desired application source files (In our case Google Chrome)
• Open a command prompt as admin and browse to the folder of IntuneWinAppUtil.exe
• Run the following command line
  • IntuneWinAppUtil.exe -c <source folder> -s <source setup file> -o <output folder>
  • In this example we used Google Chrome : IntuneWinAppUtil.exe -c C:\temp\Installers -s GoogleChromeStandaloneEnterprise.msi -o C:\temp

• The resulting file is a 72Mb .intunewin. Keep this file for the next steps
• At this point, the source files are ready for Intune

Create Intune Win32 Application

• Go to the Endpoint Manager portal
• Browse to Apps / All Apps and click Add

• Select Windows app(Win32) from the App type drop list

• On the App Information pane click Select App package file and select the previously created .intunewin file and click Ok

• Complete the missing App Information. Click Next

• Depending on the application format, install and uninstall command lines will be auto-completed. Adjust the parameter if needed. Click Next

• On the Requirement pane, OS architecture and minimum OS are required. Click Next

• Detection rules work the same way as in ConfigMgr application model. In the case of an MSI, it is simple. Select Manually configure detection rule, select rule type MSI and the MSI Product Code should be auto-populated. Click Next

• On the Dependencies tab: Software dependencies are applications that must be installed before this application can be installed. Adjust if needed. Click Next

• Modify the Scope tags if needed

• On the Assignment tab, select the group of users or computer to deploy the Win32 App

• Review your Win32 App setting and click Create

• At this point, it will upload the.IntuneWin file.

• Soon after, a notification will display to say it’s ready to go!

Deploy and Test your Win32 App

• On a target computer by your deployment, open the Company portal

• Installation are log in the IntuneManagementExtension.log that can be found under C:\ProgramData\Microsoft\IntuneManagementExtension\Logs

• In the Endpoint Management console, you can browse to Apps / All Apps / Google Chrome and select Device Install Status

If you encounter an issue during the deployment, it’s like in the SCCM world. You must troubleshoot your deployment based on the error code.

We’ve gathered extra resources for better Win32 App troubleshooting :

• Error Codes For Troubleshooting App Installation Issues – Contains a list of common error codes
• Details on Intune Win32 Application Troubleshooting

The post Deploy Win32 Apps with Endpoint Manager (Intune) appeared first on System Center Dudes.

This blog post will cover all the task needed to deploy the new SCCM Windows 10 20H2 Upgrade. We will cover scenarios for new and existing computers that you may want to upgrade.

Microsoft published the Windows 10 20H2 feature update on VLSC on October 20th. This is the first Windows 10 feature update following the new naming convention. From now on, the new Windows 10 release will be called “Windows 10 version 20H2” (instead of “Windows 10 version 2004”).

If you haven’t planned your Windows 7 migration to Windows 10, this post will help prepare your SCCM Server to deploy Windows 10 20H2. You may also need to deploy Windows 10 2H02 to your existing Windows 10 computer to stay supported or to benefits from the new features.

Before deploying a new Windows 10 feature upgrade, you need to have a good plan. Test it in a lab environment, deploy it to a limited group and test all your business applications before broad deployment. Do not treat a feature upgrade as normal monthly software updates. Treat it as a new operating system as if you were upgrading Windows 7 to Windows 10.

You can also follow our complete Windows 10 Deployment blog post series if you’re unfamiliar with the whole upgrade process.

Table of Content

• Prerequisites
• Check if you have an SCCM Supported version
• Upgrade your Windows ADK
• Download Windows 10 20H2 ISO
• Mount and extract the ISO file
• Upgrade Strategy – Task Sequence or Servicing Plans
• Import the WIM SCCM to use with your new computer Task Sequence
• Distribute your Wim File
• Import the Upgrade Package in SCCM to use with your new computer Task Sequence
• Distribute your Upgrade Package File
• Create a Windows 10 Upgrade Task Sequence for Windows 10 (and Win 7 or 8.1 computers)
• Create a Windows 10 Task Sequence for new Windows 10 computers
• Edit your Windows 10 20H2 Task Sequences
• Deploy the SCCM Windows 10 20H2 Upgrade Task Sequence
• Launch the Upgrade Process on a Windows 10 computer
• Launch the Process on a new Windows 10 computer
• Update your Automatic Deployment Rules and Software Update, groups
• Import your ADMX

Prerequisite Windows 10 20H2 Upgrade

SCCM Version

At the time of this writing, the SCCM Support Matrix hasn’t been updated. We’ll update the post as soon as they do.

We assumed that for Windows 10 20H2, you’ll need at least SCCM 2002 in order to support it as a Windows 10 client. See the following support matrix if you’re running an outdated SCCM version and make sure to update your site.

Windows ADK

At the time of this writing, the SCCM Support Matrix hasn’t been updated. We’ll update the post as soon as they do.

Before capturing and deploying a Windows 10 20H2 image, make sure that you’re running a supported version of the Windows ADK. Windows recommends using the Windows ADK that matches the version of Windows you’re deploying. If you’re already running an ADK version on your SCCM server, see our post on how to install a new version.

Download Windows 10 20H2 ISO

In order to deploy Windows 10 20H2 using SCCM to a new device, we need to download the .ISO file. To get the ISO file, you can either download it from MSDN or VLSC.

• In the portal, find Windows 10 (business editions), Version 20H2
• Select the architecture and language, Click on Download

• Save the ISO file on your SCCM file repository

Mount and Extract Windows 10 20H2 ISO

Before you can import the Operating System into SCCM, mount and extract the Windows 10 ISO to a folder on your SCCM File repository.

We like to save all the ISO content in one folder for the full operating system (Ex: Win10-20H2-FullMedia) and extract the Install.wim file from the \Sources folder to another directory. (Ex:Win10-20H2-Wim). You’ll understand why later in this guide.

Upgrade Strategy – Task Sequence or Servicing Plan?

You can’t use servicing plans to upgrade Windows 7/8 to Windows 10. For migration, you must use an upgrade task sequence.

In order to upgrade an existing Windows 10 to Windows 20H2, you have 2 choices: You can use an upgrade Task Sequence or you can use Servicing Plans.

There a strong debate over which is the best method. We prefer to use Upgrade Task Sequence for the simple reason that it’s more customizable. You can run pre-upgrade and post-upgrade tasks which will be mandatory if you have any sort of customization to your Windows 10 deployments.

For example, Windows 10 is resetting pretty much anything related to regional settings, keyboard, start menu and taskbar customization. Things are getting better from one version to another but if you’re upgrading from an older build, let’s say 1903, expect some post-configuration tasks… and the only way to do that is using a task sequence.

Servicing Plan has the simplicity, you set your option and forget, as for Automatic Deployment Rules does for Software Updates. We yet did not have any client that doesn’t want any control over Windows 10 upgrade in their organization. We totally understand the point of Servicing Plan and they’ll be useful in a couple of releases when Windows 10 upgrades will be an easy task… but for now, it’s not, unfortunately.

Import SCCM Windows 10 20H2 Operating System

We will now import the Windows 10 20H2 WIM file for Operating System Deployment. You should have downloaded the ISO file in the first step of this guide.

We will be importing the default Install.wim from the Windows 10 media for a “vanilla” Windows 10 deployment. You could also import a WIM file that you’ve created through a build and capture process.

This WIM file will be used for new computers, to upgrade an existing Windows 10, you need to import an Operating System Upgrade Packages. We will cover this in the next section.

• Open the SCCM Console
• Go to Software Library / Operating Systems / Operating System Images
• Right-click Operating System Images and select Add Operating System Image

• On the Data Source tab, browse to your WIM file. The path must be in UNC format
• You can now select to import only a specific index from the WIM file. We selected the Windows 10 Enterprise index
• Select your Architecture and Language at the bottom and click Next

• In the General tab, enter the Name, Version and Comment, click Next

• On the Summary tab, review your information and click Next
• Complete the wizard and close this window
• The import process will take about 5 minutes to complete

Distribute your SCCM Windows 10 20H2 Operating System Image

We now need to send the Operating System Image (WIM file) to our distribution points.

• Right-click your Operating System Image, select Distribute Content and complete the Distribute Content wizard

Add Operating System Upgrade Packages

We will now import the complete Windows 10 media in Operating System Upgrade Packages. This package will be used to upgrade an existing Windows 10 or a Windows 7 (or 8.1) device to Windows 10 using an Upgrade Task Sequence.

• Open the SCCM Console
• Go to Software Library / Operating Systems / Operating System Upgrade Packages
• Right-click Operating System Upgrade Packages and select Add Operating System Upgrade Packages

• In the Data Source tab, browse to the path of your full Windows 10 media. The path must point to an extracted source of an ISO file. You need to point at the top folder where Setup.exe reside
• You can now select to import only a specific index from the WIM file. We selected the Windows 10 Enterprise index
• Select your Architecture and Language at the bottom and click Next

• In the General tab, enter the Name, Version, and Comment, click Next

• On the Summary tab, review your information and click Next and complete the wizard

Distribute your Operating System Upgrade Packages

We now need to send the Operating System Upgrade Package to your distribution points.

• Right-click your Operating System Upgrade Package, select Distribute Content and complete the Distribute Content wizard

Create an Upgrade SCCM Task Sequence for previous Windows 10 Computers and Windows 7

Let’s create an SCCM task sequence upgrade for a computer running a previous version of Windows 10.

Once again, this Task Sequence could be used to upgrade a Windows 7 or 8.1 computer.

• Open the SCCM Console
• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click Task Sequences and select Upgrade an operating system from upgrade package

• In the Task Sequence Information tab, enter a Task Sequence Name and Description

• On the Upgrade the Windows Operating System tab, select your upgrade package by using the Browse button
• Select your Edition Index depending on the edition you want to deploy. If you select just 1 index as per our indication in previous steps, you’ll see just 1 index to select from.

• On the Include Updates tab, select the desired Software Update task
  • All Software Updates will install the updates regardless of whether there is a deadline set on the deployment (on your OSD collection)
  • Mandatory Software Updates will only install updates from deployments that have a scheduled deadline (on your OSD collection)
  • Do not install any software updates will not install any software update during the Task Sequence

• On the Install Applications tab, select any application you want to add to your upgrade process

• On the Summary tab, review your choices and click Next and click Close

Create a Task Sequence for new Windows 10 Computer

• Still in Software Library \ Operating Systems \ Task Sequences
• Right-click Task Sequences and select Install an existing image package

• In the Task Sequence Information tab, enter a Task Sequence Name, Description and select your X64 Boot Image

• On the Install Windows tab, select your image package by using the Browse button
• Select the Image Index and enter a product key. If you have a valid KMS server, you can skip the product key

• In the Configure Network tab, select the Domain and OU in which the computer account will be created. Also enter valid credentials to join the domain.

• In the Install Configuration Manager tab, select your Client Package

• On the State Migration tab, select if you want to capture user settings and files. For our example, we’ll turn it off

• On the Include Updates tab, select the desired Software Update task
  • All Software Updates will install the updates regardless of whether there is a deadline set on the deployment (on your OSD collection)
  • Mandatory Software Updates will only install updates from deployments that have a scheduled deadline (on your OSD collection)
  • Do not install any software updates will not install any software update during the Task Sequence

• On the Install Applications tab, select any application you want to add to your upgrade process

• On the Summary tab, review your choices and click Next and click Close

Edit your Windows 10 20H2 Task Sequences

Now that we have created the upgrade and new computer task sequences, let’s see what it looks like under the hood.

• Open the SCCM Console
• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click your upgrade or new computer task sequences and select Edit

As you can see, it’s fairly simple. SCCM will take care of everything in a couple of steps :

• The Upgrade Operating System step contains the important step of applying Windows 10
• Ensure to choose the right Edition

Deploy the SCCM Windows 10 20H2 Upgrade Task Sequence

We are now ready to deploy our task sequence to the computer we want to upgrade. In our case, we are targeting a Windows 10 computer that is running Windows 10 1909.

• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click Task Sequences and select Deploy

• On the General pane, select your collection. This is the collection that will receive the Windows 10 upgrade. For testing purposes, we recommend putting only 1 computer to start

• On the Deployment Settings tab, select the Purpose of the deployment
  • Available will prompt the user to install at the desired time
  • Required will force the deployment at the deadline (see Scheduling)
• You cannot change the Make available to the following drop-down since upgrade packages are available to clients only

• On the Scheduling tab, enter the desired available date and time. On the screenshot, we can’t create an Assignment schedule because we select Available in the previous screen

• In the User Experience pane, select the desired options

• In the Alerts tab, check Create a deployment alert when the threshold is higher than the following check-box if you want to create an alert on the failures

• On the Distribution Point pane, select the desired Deployment options. We will leave the default options

• Review the selected options and complete the wizard

Launch the Upgrade Process on a Windows 10 computer

Everything is now ready to deploy to our Windows 10 computers. For our example, we will be upgrading a Windows 10 1909 to Windows 10 20H2. This task sequence can also be used to upgrade existing Windows 7 or 8.1 computers to install Windows 10 20H2.

• Log on your Windows 10 computer and launch a Machine Policy Retrieval & Evaluation Cycle from Control Panel / Configuration Manager Icon

• Open the new Software Center from the Windows 10 Start Menu
• You’ll see the SCCM upgrade task sequence as available. We could have selected the Required option in our deployment schedule, to launch automatically without user interaction at a specific time
• When ready, click on Install

• On the Warning, click Install

• The update is starting, the task sequence Installation Progress screen shows the different steps

• The WIM is downloading on the computer and saved in C:\_SMSTaskSequence
• You can follow task sequence progress in C:\Windows\CCM\Logs\SMSTSLog\SMSTS.log
• After downloading, the system will reboot
• The computer restart and is loading the files in preparation for the Windows 10 upgrade

• WinPE is loading

• The upgrade process starts. This step should take between 60-90 minutes depending on the device hardware
• Windows 10 is getting ready, 2-3 more minutes and the upgrade will be completed

• Once completed the SetupComplete.cmd script runs. This step is important to set the task sequence service to the correct state

• Windows is now ready, all software and settings are preserved. Validate that you are running Windows 10 20H2 (Build 19042.330)

Launch the Process on a new Windows 10 computer

To install the Windows 10 20H2 operating system, the process is fairly the same except to start the deployment.

For my test, I’m booting a new VM. PXE boot the VM and press Enter for network boot service.

• On the Welcome to task sequence wizard screen, enter the password and click Next

• Select your Windows 10 20H2 Task Sequence and click Next
• The process will start and if everything goes right, should be fully automated.

If you encounter any issues, please see our troubleshooting guide.

Create Software Update Group

One important thing in any OSD project is to make sure that the deployment of every machine is up to date. Before deploying Windows 10 20H2, make sure that your Software Update Point is configured to include Windows 10 patches.

Once Windows 10 is added to your Software Update Point, we will create a Software Update Group that will be deployed to our Windows 10 deployment collection. This way, all patches released after the Windows 10 media creation (or your Capture date) will be deployed during the deployment process.

To create a Windows 10 Software Update Group :

• Open the SCCM Console
• Go to Software Library / Software Updates / All Software Updates
• On the right side, click Add Criteria, select Product, Expired and Superseded
  • Product : Windows 10
  • Expired  : No
  • Superseded: No
  • Title contains 20H2
• Select only the latest Cumulative Updates that apply  (x64 or x86) and select Create Software Update Group
• Once created, go to Software Library / Software Updates / Software Update Groups
• Right-click your Windows 10 SUG and deploy it to your OSD deployment collection

Import ADMX File

If you’re responsible for managing group policy in your organization. Ensure that you import the latest Windows 10 20H2 ADMX file on your domain controller.

Bonus Resources

After your SCCM Windows 10 20H2 Upgrade, need a report to track your Windows 10 devices? We developed a report to help you achieve that :

Asset – Windows 10 SCCM Report

The post Deploy Windows 10 20H2 using SCCM/MEMCM appeared first on System Center Dudes.

You may have read our article on how to Setup Microsoft Intune and manage it in Endpoint Manager. This blog post describes how to use Endpoint manager to enroll iOS devices.

With the various OS: Android, Windows and iOS and specific scenarios with BYOD and corporate device, there are so many ways to enroll devices.

We’ll show you one way to enroll a personal iOS device (BYOD) but you can refer to Microsoft Documentation which covers every possible scenario.

Endpoint Manager Enroll iOS Requirements

To enroll and manage iOS/MAC devices into Endpoint Manager, you first need to create an Apple MDM Push Certificate. These certificates expire 365 days after you create them and must be renewed manually in the Endpoint Manager portal.

• In the Endpoint Manager Portal
• Click Devices / iOS/iPadOS Enrollment and select Apple MDM Push Certificate

• Check the agreement in #1
• In the second step (#2), click on Download your CSR. A file will download in your browser. Keep this file for the next step
• On the third step (#3), click on Create your MDM Push Certificate

• You’ll be redirected on the Apple Push Certificate Portal
• Login using your Apple ID or create one

• In the Get Started section, click Create a Certificate

• Check the I have read and agree to these terms and conditions check box and click Accept

• Click Browse and select the .CSR file you created previously, click Upload

• Your certificate is now created and available for download. The certificate is valid for 1 year. You will need to repeat the process of creating a new certificate each year to continue managing iOS devices.
• Click on Download
• Ensure that the file is a .PEM and save it to a location on your server.

• Back in the Endpoint Manager Portal
• Complete step 4 by entering your Apple ID
• Complete step 5 by entering the MDM_ Microsoft Corporation_Certificate.pem that you just downloaded
• Click Upload at the bottom

• Once the certificate is created, you can now enroll an iOS device using a user that has an Intune licence.
• To enroll iOS device, you must install the Microsoft Intune Company Portal App. It can be installed on any iOS device having iOS 6 and later. (iPhone and Ipad)

Enroll the iOS Device

The Intune Company Portal app will allows to perform the following actions:

• Monitor mobile devices with Microsoft Intune
• Enable access to company resources with Microsoft Intune
• Deploy software to mobile devices in Microsoft Intune
• Configure security policy for mobile devices in Microsoft Intune
• Help protect your data with remote wipe, remote lock, or passcode reset using Microsoft Intune

To download the App :

• Open the App Store on your device and search for Intune Company Portal. (Or use this direct link)
•  Install the App and open it

• Enter your credentials

• select Begin at the bottom

• Review and click Continue

• Review and click Continue

• You’ll get prompted to install the Management Profile, click on Allow. You will be prompt to enter your Iphone passcode

• Open Settings and select Pofile Downloaded

• Select Install at the top

• Click Install at the bottom

• On the Warning page, select Install
• On the Remote Management warning, select Trust

• Select Done at the top

• Back in the company Portal, select Continue Now

• If everything was setup correctly, you should have all 3 green check mark. Click Continue

The device will make its initial compliance check. If you have any app assignment, you’ll also receive an installation notification at this point.

The post How to use Microsoft Endpoint Manager to enroll iOS devices appeared first on System Center Dudes.

On October 27th, 2020, Microsoft released an update to definitively remove Adobe Flash Player (KB4577586) from all Windows 8.1+ and Windows 10 1607+ Operating System.

This important update is needed for Adobe Flash end of support on December 31, 2020. For now, the only way to deploy his Adobe Flash Player update to your devices is by using SCCM. The update has not been released to Windows Update yet. This means that if you want to use your SCCM Update Point to deploy it, you’ll have to manually import the update first and then create a software update synchronisation.

This post will describe every step you need to take in order to Deploy Adobe Flash Player Update to Windows 10 using SCCM/MEMCM or Microsoft Intune.

Here’s the important information you need to know :

• Applying this update will remove Adobe Flash Player from your Windows device
• After this update has been applied, this update cannot be uninstalled
• Microsoft warns that if another security update for Adobe Flash Player is released, customers who take this removal update will still be offered the security update.

Downloading the Update

The first step to do add the Adobe Flash Update to your SCCM server or Intune Tenant is to manually download the Adobe Flash update (KB4577586).

For now, it’s not possible to import the update directly in your WSUS. We’ve tried it and get this error.

• Connect to your primary SCCM Server
• Open the Microsoft Update Catalog Web Site
• Type in the hotfix number (4577586) in the search field and click on Search

• In the Search Result, Click on Add for every patch you wish to add to WSUS. In my example, I only needed it for Windows 10 1903, so that’s the one I added. When you are done, press View Basket at the top

• Confirm your choice in your basket and finally, uncheck Import directly into Windows Server Update Services checkbox and click on Download

• Select a download location for the .MSU file. We suggest to save it in your SCCM File Repository as we’ll create a package with it

• You can now close your browser window

If you need the Microsoft Intune Instructions, just skip directly to the Intune section

Create the SCCM Package

We will now create the SCCM Package to deploy this MSU file. Package are soooo 2012, it’s true but in that case, it’s so simple that why add the complexity of creating an application.

• Open the SCCM Console
• Go to Software Library\ Application Management \ Packages
• Right-click and select Create Package

• Select Standard Program, click Next

• Enter a Name for your program and description. Check the This program contains source files. Point your source file on the path you saved the MSU file.

• Enter this as a command line : (change the patch name if you are using another version. We are using Windows 10 1903). You can refer to the Microsoft Documentation for more installation options
  • wusa.exe “windows10.0-kb4577586-x64_ec16e118cd8b99df185402c7a0c65a31e031a6f0” /quiet /norestart
• Program can run : Whether or not a user is logged on
• Keep everything else default, click Next

• In the Requirement window, select Windows 10 64bits. Adjust to your Windows version if needed.

• Review and Complete the wizard

• Now, let’s distribute the files to our Distribution Points
• Right-Click your package and select Distribute Content

• Add your prefered Distribution Point and complete the wizard

• We will now deploy the Adobe Flash Update to a Windows 10 1903 machine
• Click on the Program tab at the bottom, select the program for your package and select Deploy

• Select a Collection to deploy your Adobe Update, click Next

• On the deployment setting, select your Purpose. We select Required as we want it to run automatically.

• Set your desired schedule

• In User Experience, we decided to skip Maintenance Windows

• Complete the Wizard

Testing the Adobe Flash Update

We will now test our deployment.

On a Windows 10 Machine, refresh the Machine Policy and wait for the program to execute. You won’t see anything as this is a silent installation.

You can monitor the installation in C:\Windows\CCM\Logs\Execmgr.log.

We are looking for an installation exit code 0 :

Adobe Flash Update deployment using Intune

If you want to deploy the Adobe Flash Update using intune, you must use the Win32 App installation method.

We won’t describe it from the start to the end since our previous blog post is pretty clear.

Here’s the important information to consider :

• Use the Microsoft Win32 Content Prep Tool to convert the .msu file into the .intunewin format.
• The installation command line will be : (change the patch name if you are using another version. We are using Windows 10 1903).
  • wusa.exe “windows10.0-kb4577586-x64_ec16e118cd8b99df185402c7a0c65a31e031a6f0” /quiet /norestart -Wait
• Uninstall command: wusa.exe /uninstall /kb:4577586 /quiet
• As a detection rule, use custom detection script :

$result = systeminfo.exe | findstr KB4577586

if ($result)
 {
    Write-Output "Found KB4577586"
    exit 0
 }
 else
 {
    exit 1
 }

Adobe Flash Update SCCM Intune Monitoring

Once you’ve deployed the Adobe Flash Update to your devices. There’s a couple of ways to monitor which machine has the KB4577586 applied.

You can use CMPivot to have live results, using this query :

SoftwareUpdate | summarize countif( (KBArticleIDs == ‘KB4577586’) ) by Device | where (countif_ > 0)

The post Deploy Adobe Flash Player Update using SCCM/MEMCM or Microsoft Intune – KB4577586 appeared first on System Center Dudes.