CCMEXEC.COM – System Center blog

CCMEXEC.COM – by Jörgen Nilsson


Back in November at the MVP Summit we were all part of a hackathon where MVPs submitted ideas for new features in Configuration Manager. Myself, Kim Oppalfens and Kaido Järvemets were part of a hackathon project that was either mine or Kim's idea to start with, which makes it easier to do a proof of concept of mobile device management with Intune in a hybrid setup with Configuration Manager. To use Intune in hybrid mode with Configuration Manager, the users that are allowed to enroll devices must be present in Configuration Manager and match the users in Azure AD, which is why it normally requires Azure AD synchronization with AAD Connect and matching UPNs to be in place before you can use it. Setting that up just to do a proof of concept can be a huge effort.

It also makes it really simple to set up Intune in a test environment with the Technical Preview of Configuration Manager. The result of that hackathon project is now available in Configuration Manager Technical Preview 1604 and later in the form of AzureDirectoryUserSync.exe, which is located in the Configuration Manager install directory under Tools.

How does AzureDirectoryUserSync work, then? It uses the Microsoft Graph API to read the user information from Azure AD and writes it to the Configuration Manager database, so we can enroll devices in Intune/Configuration Manager for a proof of concept, or set up a test environment with the Technical Preview of Configuration Manager, without having to set up AAD Connect and deal with UPN mismatches. It takes about 10 minutes to set up an Intune subscription in Configuration Manager and import the users so you can start enrolling devices. Keep in mind that the tool only copies user records into the site database; it is meant for proof-of-concept and test environments, not as a replacement for AAD Connect in production.

This is Great stuff!

So how do we set it up? To start with we need a Configuration Manager Technical Preview 1604 environment or later and an Intune trial.

  1. Create an Intune trial (http://aka.ms/intune)
  2. Log on to the Office 365 portal and create a couple of test users (https://portal.office.com/AdminPortal/Home?switchtomoderndefault=true#/users)
    AzureSync1
  3. Log on to the Office 365 App Registration Tool (https://dev.office.com/app-registration)
    We use the account we created above for the Intune trial.
    AzureSync2
  4. Approve the permissions required by dev.office.com by pressing Accept.
    AzureSync3
  5. Create an application with the following settings and permissions; this grants the AzureDirectoryUserSync application permission to read user information from Azure AD. Select Register App when done.
    Note that it must be exactly the settings displayed below. Do not grant the application more permissions than shown; it only needs to read users.
    AzureSync5
  6. Copy the Client ID to the clipboard and save it in a text file for use with the AzureDirectoryUserSync tool.
    AzureSync6
  7. On your Configuration Manager server open an elevated command prompt and run the following command. (Make sure that IE Enhanced Security Configuration is not enabled, otherwise the sign-in will fail; turn it back on when you are done.)
    AzureDirectoryUserSync.exe -Tenant <tenant> -appClientId <appid> -redirecturi http://localhost:8000
    In my example that will be the following:
    AzureDirectoryUserSync.exe -Tenant CCMEXECTP5.onmicrosoft.com -appClientId d089f0bc-123b-4a96-a30f-a3375f3f1ca4 -RedirectURI http://localhost:8000
    You will be prompted to log in.
    AzureSync7
    And to accept the permissions needed for the SCCM AAD Sync application.
    AzureSync8
    When the command finishes it looks like this, with the number of users created on the last line.
    AzureSync9
  8. Launch the Configuration Manager console and you will now see the imported users there.
    AzureSync10
  9. We can now configure our Intune Subscription as we normally do and use these users to enroll devices.
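If you want to script the import and check what actually landed in the site database, the following PowerShell is an added example; it is not part of the post and not part of AzureDirectoryUserSync.exe. It assumes it runs elevated on the site server (local SMS Provider), reads the site code and install directory from the site server's own registry registration, and reuses the tenant and client ID from the example above; change those to your own values.

```powershell
# Added example; not part of the post or of AzureDirectoryUserSync.exe itself.
# Assumptions: run elevated on the site server (local SMS Provider); tenant and
# client ID are the post's own example values; the tool sits under <install dir>\Tools.
$Tenant   = 'CCMEXECTP5.onmicrosoft.com'
$ClientId = 'd089f0bc-123b-4a96-a30f-a3375f3f1ca4'

# Site code and install directory from the site server's own registration.
$smsId     = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\SMS\Identification'
$SiteCode  = $smsId.'Site Code'
$ToolPath  = Join-Path $smsId.'Installation Directory' 'Tools\AzureDirectoryUserSync.exe'
$Namespace = "root\sms\site_$SiteCode"

# IE Enhanced Security Configuration blocks the interactive sign-in the tool needs.
# IsInstalled = 1 under this Active Setup component means IE ESC is on for administrators.
$ieEscKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
$ieEsc = Get-ItemProperty -Path $ieEscKey -ErrorAction SilentlyContinue
if ($ieEsc -and $ieEsc.IsInstalled -eq 1) {
    throw 'IE Enhanced Security Configuration is enabled for administrators; turn it off in Server Manager first (and back on when done).'
}

function Get-CmUsers {
    # Snapshot of the user resources in the site database.
    Get-WmiObject -Namespace $Namespace -Class SMS_R_User |
        Select-Object ResourceId, UniqueUserName, UserPrincipalName
}

$before = @(Get-CmUsers)
$seen = @{}
foreach ($u in $before) { $seen[$u.ResourceId] = $true }

# Same command line as in the post; the tool opens a browser for sign-in and consent.
& $ToolPath -Tenant $Tenant -appClientId $ClientId -RedirectURI 'http://localhost:8000'
if ($LASTEXITCODE -ne 0) {
    throw "AzureDirectoryUserSync.exe exited with code $LASTEXITCODE"
}

# Everything that was not in the database before the run was created by the tool.
$after = @(Get-CmUsers)
$new   = @($after | Where-Object { -not $seen.ContainsKey($_.ResourceId) })

Write-Output ("Users before: {0}, after: {1}, imported by this run: {2}" -f $before.Count, $after.Count, $new.Count)
$new | Sort-Object UniqueUserName | Format-Table UniqueUserName, UserPrincipalName -AutoSize
```

The UPN column is the thing to look at: it is the value that has to match the Azure AD user at enrollment, so an imported record without one is the first place to look if a test user cannot enroll.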

This is really cool stuff and makes it so easy to do a proof-of-concept setup of Intune in hybrid mode, and to use the Technical Preview of Configuration Manager as well!

Note that the tool is part of the Technical Preview, which means it can change before release.

As shown and promised at MMS 2016 in Minnesota (probably the best tech event I ever attended, by the way!), in my session with Kent Agerlund and Ryan Ephgrave I talked about and showed how I have installed applications dynamically using Configuration Manager for the last 4 years. I love to keep it simple.

Update: The script is now updated so that it supports nested groups and uses _SMSTSMachineName as the computer name. Thanks to Daniel Marklund for great additions!
Installapps1

By reading the application name from the AD group description field instead of from a collection in Configuration Manager we don't need access to the Site Server during OSD; the local domain controller is used instead. We can also pre-stage computers in AD before we know their MAC address, simply by creating the computer object in AD and adding it to the groups. Unknown computer support can then be used to deploy the machine: you select the correct name and the applications are installed.

Here is how it works.

- I use a naming convention for my AD groups, which are used in Configuration Manager collection queries to install applications, for example a prefix of "App-" or "A." with a suffix for install groups such as ".i", something like "A.7Zip.920.i".

Installapps2

- I put the exact name of the application in Configuration Manager in the Description field of the AD group. If I don't want to install the application during OSD I simply remove the description.

Installapps3

Installapps4

- In the task sequence I run a script that reads the description field from all the groups the computer is a member of that start with my prefix, and adds them to the COALESCEDAPPS variables (COALESCEDAPPS01, COALESCEDAPPS02, ...) so that they are installed automatically during OS deployment using the built-in Install Application step in Configuration Manager.

Installapps5

Then the applications are installed dynamically.

To implement it do the following.

  1. Download the script and add it to a package in Configuration Manager: Download
  2. Edit the two variables so they match your naming convention for your AD groups.
    Installapps6
  3. Add the application name to the AD group's description field in AD as shown above.
  4. Add a step in the task sequence that runs the PowerShell script; it must run in the full operating system, after the "Setup Windows and Configuration Manager" step.
    Installapps7
  5. Then add the step that installs the applications dynamically.
    Installapps8
  6. On the Options tab of the Install Applications step, add the following condition to prevent the task sequence from failing if there are no applications to install.

    Installapps9

Then you are all set!
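To make the mechanism concrete, here is an added PowerShell example that implements the same idea; it is not the downloadable script from the post. It reads the Description of every AD install group the computer is a (nested) member of and exposes the names as COALESCEDAPPS01, COALESCEDAPPS02, ... for the built-in Install Application step. It assumes the prefix "A." and suffix ".i" from the naming example above, the base variable name COALESCEDAPPS, and that it runs in the full OS after "Setup Windows and Configuration Manager" (domain joined, no RSAT, so it uses the .NET DirectorySearcher against the local DC).

```powershell
# Added example, not the post's downloadable script.
# Assumptions: group prefix 'A.' and install suffix '.i' (edit to match your convention),
# TS base variable COALESCEDAPPS, and that this runs in the full OS after domain join.
$GroupPrefix  = 'A.'
$GroupSuffix  = '.i'
$BaseVariable = 'COALESCEDAPPS'

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping so a DN or name containing ( ) * or \ cannot break or widen the filter.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

# Use the task sequence's machine name (handles pre-staged/renamed computers);
# fall back to the local name when run outside a task sequence for testing.
$tsenv = $null
try { $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment } catch { }
$computerName = $env:COMPUTERNAME
if ($tsenv -and $tsenv.Value('_SMSTSMachineName')) { $computerName = $tsenv.Value('_SMSTSMachineName') }

# Search the domain the machine just joined; this talks to the local DC, not the site server.
$searcher = New-Object -TypeName System.DirectoryServices.DirectorySearcher -ArgumentList ([ADSI]'')
$searcher.PageSize = 500
$searcher.Filter = '(&(objectCategory=computer)(sAMAccountName={0}$))' -f (ConvertTo-LdapFilterValue $computerName)
$computer = $searcher.FindOne()
if (-not $computer) {
    Write-Warning "Computer account '$computerName' not found in AD; no applications will be set."
    exit 0
}
$computerDn = $computer.Properties['distinguishedname'][0]

# LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) resolves nested membership on the DC.
$searcher.Filter = '(&(objectCategory=group)(cn={0}*{1})(member:1.2.840.113556.1.4.1941:={2}))' -f `
    (ConvertTo-LdapFilterValue $GroupPrefix), (ConvertTo-LdapFilterValue $GroupSuffix), (ConvertTo-LdapFilterValue $computerDn)
[void]$searcher.PropertiesToLoad.Add('cn')
[void]$searcher.PropertiesToLoad.Add('description')

$apps = @()
foreach ($group in $searcher.FindAll()) {
    $desc = $group.Properties['description']
    # An install group without a description is skipped on purpose (that is the "off switch" above).
    if ($desc.Count -gt 0 -and $desc[0] -and $desc[0].Trim()) {
        $apps += $desc[0].Trim()
    }
}
$apps = @($apps | Sort-Object -Unique)

$i = 1
foreach ($app in $apps) {
    $varName = '{0}{1:D2}' -f $BaseVariable, $i   # COALESCEDAPPS01, COALESCEDAPPS02, ...
    if ($tsenv) { $tsenv.Value($varName) = $app } else { Write-Output "$varName = $app" }
    $i++
}
Write-Output ("{0} application(s) queued for '{1}'" -f $apps.Count, $computerName)
```

Run outside a task sequence it just prints the variables it would set, which is a convenient way to test the naming convention against a real computer object. The Install Application step then uses COALESCEDAPPS as its base variable name, and the condition from step 6 can simply be "task sequence variable COALESCEDAPPS01 exists". Because the description text is taken verbatim as the application name, whoever can edit those groups in AD controls what gets installed during OSD, so keep write access to them as tight as to the collections they replace.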

Thanks to my awesome colleague Johan Schrewelius; this script was actually a VBScript when the conference started! Johan rewrote it while I was presenting.


I wrote a post on how to add an Internet Explorer shortcut to the Start Menu in Windows 10, which turned out not to be the easiest thing to do. The post can be found here: http://ccmexec.com/2015/09/customizing-the-windows-10-start-menu-and-add-ie-shortcut-during-osd/

When I started to upgrade Windows 10 1507 to 1511 I realized that the "Internet Explorer.lnk" file is actually removed during the upgrade. It is removed wherever you put it: Program Files, Windows, ProgramData and so on. It is a feature of in-place upgrade that has been around since Windows Vista! Has it been an issue before? No! But it will be now!

So we need to solve this. When making modifications to Windows 10, like uninstalling apps and so on, we must use a task sequence to upgrade from one Windows 10 version to the next, otherwise all the default apps are installed again, for instance. So what we do is simply add a step that copies the IE shortcut back after the upgrade is complete and the shortcut has been removed. The IE shortcut must be there when the user logs on, otherwise it is removed from the Start Menu.

In our Windows 10 to Windows 10 upgrade Task Sequence it would look like this.

CopyIEicon1

What I did was add a PowerShell script to the package I used for the Start Menu customization, the package that also holds the script which copies the IE icon and imports the Start Menu layout in the first place.
Basically it is the same script, but I don't import the default Start Menu layout; I only copy the IE shortcut back to the location it was in before the Windows 10 1507 to 1511 upgrade. So a very simple solution!

The script only copies the IE shortcut, so it is very simple:

Copy-Item -Path (Join-Path $PSScriptRoot 'StartMenufiles\internet explorer.lnk') -Destination (Join-Path $env:SystemDrive 'ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories')

That way we still have the Internet Explorer shortcut on the end users Start Menu after the upgrade.

CopyIEicon2
I will cover this and much more in mine and Ronni Pedersen's session at the Midwest Management Summit (MMS) in just a couple of weeks! http://mmsmoa.com/ Hope to see you all there!

In Windows 10, by default, a reminder is displayed to the end user in the notification area if three or more apps launch automatically at logon. I think this is very annoying, and it causes end users to call the service desk and ask how they can disable the applications to improve performance. This is not a wanted scenario!

DisableApps_1

This notification is triggered by a scheduled task called "StartupAppTask" that resides under Microsoft\Windows\Application Experience in Task Scheduler. So to stop it we simply disable that task, and the reminders go away! :D

DisableApps_2

How do we do this during OSD, you might ask?

We run a simple PowerShell command when we are in the full operating system in the task sequence, as the example below shows; then the task is disabled and never runs for the end users.

Powershell command:

powershell.exe -NoProfile -ExecutionPolicy ByPass -Command "&{ Disable-ScheduledTask -TaskName '\Microsoft\Windows\Application Experience\StartupAppTask'}"

DisableApps_3

You can disable this task in many ways; I prefer to do it this way, then I know that it is always disabled.

I hope this is useful to more than me!

I get a lot of questions about whether there are any differences in functionality between Intune Standalone and Intune in hybrid with Configuration Manager. There are a lot of differences. In this post I will show how to set up the Apple Volume Purchase Program (VPP) integration in Configuration Manager 1602 with Intune, and cover the differences in VPP functionality between Intune Standalone and Configuration Manager/Intune hybrid.

The Apple Volume Purchase Program comes in two different versions, one for Business and one for Education. Both programs work the same way, making it possible to volume-purchase applications and deploy them with the MDM solution of your choice. When you sign up you download your Apple VPP token, which is then imported into the MDM solution you want to use. This token is valid for one year. Treat the token file as a credential: whoever holds it can manage the licenses bought under your account. More information can be found here: http://www.apple.com/business/vpp/

There are some things to keep in mind when it comes to the Apple VPP program in Configuration Manager; the limitations below are taken from the following link: https://msdn.microsoft.com/en-us/library/mt627954.aspx

  • Only one VPP account and token is supported
  • Only the Apple Volume Purchase Program for Business is supported.
  • Once you associate an Apple VPP account to Intune, you cannot subsequently associate a different account. For this reason, it’s very important that more than one person has the details of the account you use.
  • If you have previously used a VPP token with a different MDM product in your existing Apple VPP account, you must generate a new one to use with Configuration Manager.
  • Each token is valid for one year.
  • By default, Configuration Manager syncs with the Apple VPP service twice a day to ensure that your licenses are synchronized with Configuration Manager.
  • Only changes to your licenses are synchronized. However, once every 7 days, a full synchronization will be performed.
  • When you click Sync to perform a manual sync, this will always perform a full synchronization.
  • If you need to recover or restore your Configuration Manager database, we recommend that you perform a manual sync afterwards to ensure that your synchronized license data is up to date.
  • While you can deploy iOS volume-purchased apps to user or device collections, VPP apps you deploy to a device without a user (for instance, a device you enrolled without user affinity using the Device Enrollment Program (DEP) or Apple Configurator) will not be installed.

The differences between Intune Standalone and Intune/ConfigMgr hybrid are actually bigger than you might think. The table below lists the deployment types and targets and whether each works in Standalone and in hybrid.

Deployment type        Intune/ConfigMgr Hybrid    Intune Standalone
User, Required         X                          X
User, Available        X
Device, Required       X
Device, Available

So how do we configure Apple VPP in Configuration Manager? To start with you need the following:

  • Apple VPP Token that is to be used.
  • An account that is a Global Administrator in the Intune subscription used for Configuration Manager.

In the Configuration Manager admin console the Apple VPP program is configured under Software Library, as shown below.

VPP2

We select "Create Apple Volume Purchase Program Token", which actually doesn't create a token for you; you must already have your token available.

VPP3_1

VPP4

In the next dialog you must log on to Intune with an account that has Global Administrator permissions. Note that if you log on with an account without the required permissions the wizard fails with a cryptic error message, so make sure your account has the correct permissions.

VPP5

Then the token is uploaded.

VPP6

When the token is uploaded a synchronization starts. The full synchronization downloads the information about which apps you have bought with your Apple VPP account and their license information: how many you bought and how many are in use. After that Configuration Manager synchronizes twice a day to keep the license information updated, and it does a full synchronization once a week.

VPP7

Under the licensed apps we now have our applications and all information about them available in the console.

VPP8

We can now deploy the iOS application whose information was downloaded through the Apple VPP program.

VPP9

We select the “App Package for iOS from App Store” option and then Browse.

VPP10

In the next dialog we now have two tabs, one for the App Store and one for Apple Volume Purchase Program and under the “Apple Volume Purchase Program” we can now choose the apps that are bought through the Apple VPP program and deploy them.

VPP11

We can then import the application based on the information from the Apple VPP Program.

VPP12

VPP13

Now we have an application with a link to the app in the Apple VPP Business store, which we can deploy as normal in Configuration Manager. We can deploy it both to users and to devices, and that is the big difference between Intune Standalone and Intune/Configuration Manager hybrid, as I mentioned above. When we deploy it to devices the device must have a user affinity, which means that it doesn't work for iOS devices enrolled via DEP without user affinity.

In Intune standalone we can only deploy Apple VPP apps to Users and only as required as shown here as well.

VPP9_2

We select the user group; only user groups are shown.

VPP9_I

And then we select the deployment action; only Required Install is allowed.

VPP9_3

Support for Apple VPP program in Intune has been one of the most frequent feature requests for Intune and it is great that it is available!
It is also cool that Hybrid actually delivers!! Hybrid Rules!

In Configuration Manager CB 1511 the Windows 10 servicing feature was introduced, which gives us a great view of the Windows 10 versions used in our environment and a tool to schedule the upgrades between Windows 10 versions.

Windows10Servicing0

What happens when we create a servicing plan is basically that an ADR is created which deploys the Windows 10 upgrade packages according to the plan. In 1511 there was an issue that all Windows 10 versions were downloaded when the ADR ran; there are workarounds, like declining the unwanted versions of Windows 10 in the WSUS console. This is now fixed in 1602, where there is a new option to filter which versions of Windows 10 we want to deploy.

The new Upgrades step in 1602 didn't exist in 1511. In my case I select "Swedish" and "Enterprise," (with the trailing comma) to filter out the Enterprise N version, which I don't want to download or deploy.

Windows10Servicing2

The preview feature is great! Using it we can make sure that only the Windows 10 versions we want to deploy are downloaded and used.
Windows10Servicing3
If you haven't tried the new Windows 10 servicing feature before, it is time to start now.
The new update model of Configuration Manager is great, fixing issues and adding features faster than ever before!

One of the new features in the newly released Configuration Manager CB 1602 is that in-place upgrade of the server OS from 2008 R2 to 2012 R2 is now supported. This will save a lot of time and money for many customers out there; great that it is finally supported!

I upgraded my old Server 2008 R2 test environment running Configuration Manager CB 1511, which has been with me since Configuration Manager 2012 RTM was released. The upgrade of the OS was pretty straightforward. IMPORTANT!! WSUS MUST be uninstalled before the upgrade; more information can be found here: https://technet.microsoft.com/library/hh852345.aspx. Failure to do this will have serious results according to the documentation.

My setup looks like this. I actually cheated and configured a new server running Server 2012 R2 with WSUS and the Windows 10 hotfix, and changed to that as the active WSUS server before the upgrade, and yes, I know it is not supported ;-) We will see if I can document the steps for a setup with local SQL and SUP as well.

Primary Site Server:
-Server 2008 R2
-MP, DP and so on… no SUP

Site System:
-Server 2012 R2
-SUP

SQL Server:
-Server 2012 R2
-SQL Server 2012

Here is how I did it. If the SUP/WSUS and SQL are installed on the same server there are a few additional steps which are not included here.

1. Backup, backup, backup... make sure you have a WORKING backup in case anything goes wrong.

2. Uninstall third-party antivirus from the server. If System Center Endpoint Protection is used there is no need; this is just to be on the safe side for the upgrade itself.

3. Restart Server

4. Uninstall WSUS, in my case only the admin console, otherwise the full product. Important: you must uninstall WSUS! Read the article above.

5. Disable the Configuration Manager services that are set to start automatically, so that any issues with drivers etc. can be sorted out after the upgrade before ConfigMgr starts.

Services

6. Restart Server

7. Upgrade the server OS using in-place upgrade; make sure to use updated Server 2012 R2 media and review any warnings you are prompted with.
UpgradeServer

8. Verify that the upgrade was successful: review the event logs, start IIS Manager and review the IIS settings. My IIS was disabled, see the note below.

9. Install WSUS Admin console (or full WSUS depending on local or remote SUP)

10. Install hotfix KB 3095113, which adds Windows 10 upgrade support to WSUS: https://support.microsoft.com/en-us/kb/3095113

11. Start the Configuration Manager services and change the startup type back to Automatic for the services we changed above.

12. Verify that everything is working, System Status, Component status…

13. Reinstall antivirus.

14. Install all software updates for Server 2012 R2. I was unsure when to do this, but decided to do it after I had verified that Configuration Manager was working, to make potential troubleshooting easier.
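Steps 5 and 11 are the ones that are easy to get wrong by hand (forgetting which services were Automatic before you touched them). The following PowerShell is an added example, not part of the post, that records the startup mode of every automatic ConfigMgr service to a file before disabling them, and restores exactly that set afterwards. It is written for PowerShell 2.0 so it runs on the Server 2008 R2 site server before the upgrade (Get-Service has no StartType there, so Win32_Service is used). The service-name patterns and the state-file path are assumptions; adjust them to your site server.

```powershell
# Added example, not part of the post. PowerShell 2.0 compatible (Server 2008 R2).
# Assumptions: the name patterns below cover the ConfigMgr services on your site server,
# and $StateFile is a local path that survives the in-place upgrade.
param(
    [Parameter(Mandatory = $true)][ValidateSet('Disable', 'Restore')][string]$Action,
    [string]$StateFile = 'C:\CmUpgrade\ServiceStartModes.csv'
)
$Patterns = 'SMS_*', 'CcmExec', 'smstsmgr', 'CONFIGURATION_MANAGER_UPDATE'

function Get-CmAutoServices {
    # ConfigMgr services currently set to start automatically (Win32_Service.StartMode = 'Auto').
    Get-WmiObject -Class Win32_Service | Where-Object {
        $svc = $_
        $matched = $false
        foreach ($p in $Patterns) { if ($svc.Name -like $p) { $matched = $true } }
        $matched -and $svc.StartMode -eq 'Auto'
    }
}

function Disable-CmServices {
    $services = @(Get-CmAutoServices)
    if ($services.Count -eq 0) { Write-Warning 'No automatic ConfigMgr services found; nothing to do.'; return }
    $dir = Split-Path -Parent $StateFile
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    # Record what we touch, so the restore step only re-enables what was automatic before.
    $services | Select-Object Name, StartMode | Export-Csv -Path $StateFile -NoTypeInformation
    foreach ($s in $services) {
        Set-Service -Name $s.Name -StartupType Disabled
        Write-Output ("Disabled startup of {0}" -f $s.Name)
    }
}

function Restore-CmServices {
    if (-not (Test-Path $StateFile)) { throw "State file '$StateFile' not found; nothing recorded to restore." }
    $rows = @(Import-Csv -Path $StateFile)
    # First pass: set every recorded service back to Automatic, so dependencies
    # (e.g. SMS_EXECUTIVE needed by other site services) are startable again.
    foreach ($row in $rows) { Set-Service -Name $row.Name -StartupType Automatic }
    # Second pass: start them; the SCM starts required dependencies on demand.
    foreach ($row in $rows) {
        Start-Service -Name $row.Name
        Write-Output ("Restored and started {0}" -f $row.Name)
    }
}

switch ($Action) {
    'Disable' { Disable-CmServices }
    'Restore' { Restore-CmServices }
}
```

Run it as `.\CmServices.ps1 -Action Disable` before the restart in step 6 and `.\CmServices.ps1 -Action Restore` at step 11, then verify in the console as in step 12. The point of the CSV is that the restore touches only what the disable step changed, so a service that was already Manual or Disabled for a reason stays that way.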

That is how I did it and it seems to be working just fine. I ran into a couple of things with the OS upgrade itself; no big deal at all.

1. IIS and WAS were disabled during the upgrade due to "incompatibility with the current setup". I have a lot of test websites, web services and stuff, so I assume that was why; I cleaned up the old websites from IIS. I had to change the startup type of the services to Automatic and then start them; then everything worked fine.
UpgradeServer2

UpgradeServer3

2. .NET optimization ran for about 15 minutes consuming a lot of CPU; check that before you freak out that the system is slower ;-)

3. CCMRepair was also launched automatically, which also consumed some CPU.

That is how I did it.

When managing Windows Defender on Windows 10 with Configuration Manager you will see an error when you use the Group Policy Management Console to view the Group Policy Results for a computer, looking something like this.

Defender3

The reason for this is that Configuration Manager writes the values you set in an antimalware policy as DWORD, whereas Group Policy writes the values as String. That is why you get the error "Registry Value ... is of unexpected type". Both work, so this is more of a cosmetic error, and it is basically only visible under Group Policy Results in GPMC.

It can be illustrated easily by creating a Group Policy that applies an exclusion for .wim and, in the Configuration Manager antimalware policy, an exclusion for .iso. When looking at the registry under the Policies key on a client we can see that the values are of different types.

Defender2

Is this a big problem? No, as the Windows Defender client reads and uses both values in the example above, so basically the only thing impacted is the Group Policy Results view in GPMC. Note that I used the example above and applied different exclusions using GPO and Configuration Manager; this is not recommended in a production environment, from a troubleshooting perspective.
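To see the difference without opening regedit, and to confirm that Defender really honours both, here is an added PowerShell example; it is not from the post. It lists every exclusion under the Defender Policies key with its registry value kind (DWord from a Configuration Manager antimalware policy, String from a GPO), warns when one key has been written by both sources, and compares the list with what Get-MpPreference reports as active. It assumes it runs elevated on a Windows 10 client with the Defender PowerShell module present.

```powershell
# Added example, not from the post. Assumption: run elevated on a Windows 10 client
# that has the Defender module (Get-MpPreference) available.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions'

function Get-DefenderPolicyExclusions {
    # One object per exclusion value found under Extensions, Paths and Processes.
    foreach ($sub in 'Extensions', 'Paths', 'Processes') {
        $key = Get-Item -Path (Join-Path $PolicyRoot $sub) -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Category  = $sub
                Exclusion = $name
                ValueKind = $key.GetValueKind($name)   # DWord = ConfigMgr policy, String = Group Policy
                Data      = $key.GetValue($name)
            }
        }
    }
}

$policy = @(Get-DefenderPolicyExclusions)
$policy | Sort-Object Category, Exclusion | Format-Table -AutoSize

# Mixed value kinds under one key is exactly what GPMC complains about. It is cosmetic
# for Defender, but it also tells you two tools are writing exclusions to this machine.
$mixed = $policy | Group-Object Category |
    Where-Object { @($_.Group | Select-Object -ExpandProperty ValueKind -Unique).Count -gt 1 }
foreach ($g in $mixed) { Write-Warning ("{0}: exclusions written by both GPO and Configuration Manager" -f $g.Name) }

# What the engine is really using; Get-MpPreference reflects the merged result.
# Normalise case and the leading dot, since '.iso' and 'iso' refer to the same extension.
$norm = { param($s) ([string]$s).TrimStart('.').ToLowerInvariant() }
$pref = Get-MpPreference
$effective = @($pref.ExclusionExtension) + @($pref.ExclusionPath) + @($pref.ExclusionProcess) |
    Where-Object { $_ } | ForEach-Object { & $norm $_ }
$missing = @($policy | Where-Object { $effective -notcontains (& $norm $_.Exclusion) })
if ($missing.Count -gt 0) {
    Write-Warning ("Policy exclusions not reported as active: {0}" -f (($missing | ForEach-Object { $_.Exclusion }) -join ', '))
} else {
    Write-Output 'All policy exclusions are active in Defender regardless of registry value type.'
}
```

Beyond the cosmetic GPMC error, the list this prints is worth keeping an eye on for its own sake: exclusions are the first thing an attacker adds to stay under the radar, and having them come from two management tools makes it harder to notice one that nobody configured.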