System Center Dudes (https://www.systemcenterdudes.com)
SCCM Blog | Configuration Guides, Reports and Troubleshooting posts.
Fri, 20 Apr 2018 14:32:15 +0000

SCCM Windows 10 Deployment Guide
https://www.systemcenterdudes.com/sccm-windows-10-deployment-guide/
Mon, 16 Apr 2018 12:51:34 +0000

The race to update Windows 7 computers from your environment is entering its home stretch. Microsoft will end Windows 7 support on January 14th, 2020. If you still have Windows 7 computers in your company, it’s time to seriously plan your migration. If you’ve been reading our blog for a while, you may have seen a couple (!) of posts regarding Windows 10 migration. We thought that regrouping all posts in a single one would save you time finding all the SCCM Windows 10 deployment resources needed to start.

If you are still running SCCM 2012 and have plans to deploy Windows 10, we recommend starting with part 2 of this guide. (Hint: Deploy SCCM Current Branch).

We will update this post as we add more Windows 10 deployment posts to our blog.

Configure Delivery Optimization in SCCM Task Sequence
https://www.systemcenterdudes.com/configure-delivery-optimization-in-sccm-task-sequence/
Fri, 13 Apr 2018 12:22:33 +0000

Windows 10 brings a new feature to optimize network performance when it comes to Windows Update. This feature is called Delivery Optimization. Delivery Optimization is a cloud-based service that allows computers on the same network to share update files, so that they do not each have to reach out to Windows Update directly or to a remote WSUS. Windows 10 clients must have access to the internet to be able to leverage Delivery Optimization to establish a peer-to-peer connection to another Windows 10 computer.

Important Info
If you are using SCCM to deliver Windows Updates, Delivery Optimization has no positive or negative impact on the network. SCCM bypasses this feature, except in one case: when Express Updates are used.

We recommend looking at BranchCache or Peer-to-Peer to help with bandwidth management.

This great blog post summarizes and compares both solutions in detail.

With that said, Delivery Optimization has the potential of doing the opposite of what it was designed for. By default, the Download mode is configured in LAN Mode. This means that all computers going out to the internet through a single IP address, as many businesses do, will be considered part of the same LAN. A remote office could therefore be considered local, try to share Windows Updates over the internal WAN, and then choke the network.

In this post, we will detail how to configure Delivery Optimization in a Task Sequence to prevent using the LAN mode by default.

If you are looking for more Windows 10 customization and configuration tips, see our previous posts :

Delivery Optimization Default Configuration

By default, Delivery Optimization is On for PCs on my local network.

If we run the PowerShell command Get-DeliveryOptimizationStatus, we can see that the Download Mode is set to 1, which is the LAN Mode.

Important Info
If the Download Mode is set to 99, the proxy is likely preventing Delivery Optimization from reaching the cloud service. This means that Delivery Optimization is kind of turned off.

For the complete list of Download Modes, see the following article on Docs.Microsoft.com.

In the registry, HKLM\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config should be at its default.

Turn off Delivery Optimization

Delivery Optimization can be turned off manually under Windows Settings/Update & Security/Windows Update/Advanced Options/Delivery Optimization.

This can also be done by adding a REG_DWORD to HKLM\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config

  • Name : DODownloadMode
  • Value: 100

When modified by the registry, the Delivery Optimization service must be restarted to take effect.

It can also be enforced by a GPO :

  • Under Computer Configuration/Administrative Templates/Windows Components/Delivery Optimization, enable the Download Mode and set it to Bypass (100)

How to configure SCCM Delivery Optimization Task sequence

On one project, we were asked to update Windows 10 by using WSUS, with BranchCache leveraged to deliver updates more efficiently on the network.

When using BranchCache for Windows Update, Delivery Optimization must be set to ByPass for the Download Mode.

  • Add a Run Command line task
    • Name: Set DeliveryOptimization to ByPass
    • Command Line: Reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config /v DODownloadMode /t REG_DWORD /d 100 /f

  • Add a Restart task to make sure the service is set in ByPass mode

 

Simple as that!
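
The same change written as a PowerShell script that also restarts the service and reports the resulting state, for use outside a task sequence or as a verification step. This is an added example, not code from the original post; the function names are made up for illustration, DoSvc is the Delivery Optimization service name, and the Policies key is where the GPO described above stores the same value.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): apply DODownloadMode = 100 (Bypass),
# restart the Delivery Optimization service and report the resulting state.

$ConfigKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config'
# The Download Mode GPO writes the same value name under the Policies hive.
# It is reported separately so a conflicting policy is visible.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
$ValueName = 'DODownloadMode'
$Bypass    = 100
$Service   = 'DoSvc'   # Delivery Optimization service

function Get-DODownloadModeValue {
    # Returns the DWORD stored under $Key, or $null when the key or value is missing.
    param([Parameter(Mandatory)][string]$Key)
    $prop = Get-ItemProperty -Path $Key -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    [int]$prop.$ValueName
}

function Set-DOBypassMode {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $previous = Get-DODownloadModeValue -Key $ConfigKey
    if ($previous -ne $Bypass -and
        $PSCmdlet.ShouldProcess($ConfigKey, "Set $ValueName to $Bypass")) {
        if (-not (Test-Path -Path $ConfigKey)) {
            New-Item -Path $ConfigKey -Force | Out-Null
        }
        New-ItemProperty -Path $ConfigKey -Name $ValueName `
            -PropertyType DWord -Value $Bypass -Force | Out-Null
        # A registry change only takes effect after the service restarts.
        Restart-Service -Name $Service -Force
    }

    # Get-DeliveryOptimizationStatus lists transfers, so it can be empty
    # right after a restart; an empty ReportedModes is not a failure.
    $reported = @(Get-DeliveryOptimizationStatus -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty DownloadMode -Unique)

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        PreviousValue = $previous
        ConfigValue   = Get-DODownloadModeValue -Key $ConfigKey
        PolicyValue   = Get-DODownloadModeValue -Key $PolicyKey
        ServiceStatus = (Get-Service -Name $Service).Status
        ReportedModes = $reported -join ','
    }
}

$result = Set-DOBypassMode
$result

# Non-zero exit code so a calling task sequence step fails when the value did not stick.
if ($result.ConfigValue -ne $Bypass) { exit 1 }
```

A PolicyValue other than empty or 100 in the output means a GPO is setting a different Download Mode and should be reviewed alongside the registry change.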

SCCM Reports Manager Tool
https://www.systemcenterdudes.com/sccm-reports-manager-tool/
Mon, 09 Apr 2018 17:15:14 +0000

SQL Reporting Services can be time-consuming when you need to download, upload or change the data source on multiple reports. If you purchased one of our reports or our Complete Report Bundle, you had to upload every report and change its data source one by one.

We developed a PowerShell script to manage your reports on an SCCM Reporting Point.

Based on your SCCM Reporting Point and SCCM site code, the tool allows you to:

  • Upload multiple reports from a specific folder — Useful if you have multiple RDL files to upload at once.
  • Download all reports from a specific SSRS folder — Useful if you have multiple custom reports and are doing a migration to a new reporting point
  • Change the data source of all reports from a specific SSRS folder — Useful if you upload multiple new reports and need to change their data sources

Important Info
The script needs PowerShell 2.0 and has been tested on SQL 2012 and SQL 2016 Reporting Point.

The SCCM Report Manager tool can be downloaded from my Technet Gallery page. Feel free to leave your comments and suggestions in the comments section.

New Product – SCCM Migration to new operating system Guide
https://www.systemcenterdudes.com/sccm-migration-to-new-operating-system-guide/
Thu, 05 Apr 2018 16:59:39 +0000

With the release rhythm of SCCM and latest requirements on the OS and SQL side, sometimes, it’s inevitable to migrate to a newer operating system to remain under support and also gain new features as part of the latest SCCM Current Branch release.

Over the years, we’ve done many migrations of all kinds, depending on the environment and needs. We created this complete SCCM Migration to new operating system guide based on our knowledge and experience.

This guide is a refreshed version of our previous post about Side-by-Side Migration to new Hardware. It also includes answers and how-tos for the most commonly asked questions on side-by-side migration. Also included: all the details to achieve the migration to a new operating system by using the Backup and Restore strategy.

This guide aims to help SCCM administrators evaluate, plan, understand and achieve a migration to a newer operating system for the SCCM site server.

The guide will help you achieve these tasks:

  • Compare both migration scenarios in detail
    • Backup and restore
    • Side-by-Side migration
  • Achieve the migration by using the Backup and Restore strategy
  • Achieve the migration by using the side-by-side strategy
  • Follow up steps to get to the latest Current Branch build

This guide does not cover how to do an In-place OS Upgrade for the SCCM site server.

This guide does not cover how to upgrade SQL.

Download and own the latest version of SCCM Migration to new Hardware in a single PDF file.

The PDF file is a 62-page document that contains all the information to help SCCM administrators evaluate, plan, understand and achieve a migration to a newer operating system for the SCCM site server. Use our products page or use the button below to download it.

 

How to use the Windows 10 Security baseline
https://www.systemcenterdudes.com/how-to-use-the-windows-10-security-baseline/
Mon, 26 Mar 2018 14:28:13 +0000

Microsoft has been releasing security baselines since the Windows XP days. Windows 10 is no exception, except that there is now a new release of the security baseline following each major build of Windows 10. The concept of the Security Baseline is to provide Microsoft guidance for IT administrators on how to secure the operating system, by using GPOs, in the following areas:

  • Computer security
  • User security
  • Internet Explorer
  • BitLocker
  • Credential Guard
  • Windows Defender Antivirus
  • Domain Security

Implementing the security baseline in GPOs is not a complex or long task. The challenge the security baseline presents is that it will expose areas of the environment that are not secure.

This means that following all Microsoft security guidelines would require fixing many other systems outside of Windows 10.

In this post, we will describe what the Security baseline is, how to use it, and the key points that will most likely be challenging for other systems in the environment.

Prerequisites

  • Download the Security Baseline zip file that matches the Windows 10 version
    • A new version is released for each Windows 10 major build, first in draft and then for production, at the same link
    • Baselines are backward compatible; newer versions mostly provide new GPOs to support the newest Windows 10 features
  • Security access for Group Policy Management

Windows 10 Security Baseline Files

  • The downloaded zip file contains all the required bits to help implement the baseline in your environment.
  • Documentation folder contains a large Excel file with all the details of every configuration that is part of the baseline
  • GP Reports folder contains HTML reports of the GPO templates available as part of the Windows 10 Security Baseline
  • GPOs folder contains the actual GPO files that can be imported in the Group Policy Management console
  • Local_Script folder contains a script to install the security baseline into the local policy for Windows 10
    • This is more for testing the actual configuration
  • Templates folder contains ADML and ADMX files for additional settings in the GPOs
  • WMI Filters folder contains two WMI filters: Windows 10 and Internet Explorer 11

How to use Windows 10 Security Baseline

Add Templates to Central Store

  • Copy the ADMX files from the Templates folder to the GPO Central Store
  • Copy the ADML files from the Templates folder to the GPO Central Store EN-US subfolder

Important Info
If you are not familiar with the Central Store for GPO, please see Microsoft documentation

Import GPOs

  • Create a new blank GPO
  • Right-click on the GPO, and select Import Settings
  • Click Next
  • Click Next, no need to take a backup of a new blank GPO.
  • Browse to the GPOs folder and click Next
  • Select the GPO to be imported, based on the name and click Next
  • Click Next
  • Select Copying them identically from the source and click Next
  • Click Finish
  • Click the Settings tab to see all the configuration imported
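
The Central Store copy and the GPO import steps above can also be scripted with the GroupPolicy module. This is an added example, not part of the baseline package or the original post; it assumes the standard Central Store path under SYSVOL and that each folder under GPOs is a GPMC backup containing a bkupInfo.xml with a GPODisplayName element. The "PILOT - " prefix is a made-up naming choice.

```powershell
#Requires -Modules GroupPolicy
# Added example (not from the original post or the baseline package).
[CmdletBinding(SupportsShouldProcess)]
param(
    # Folder where the baseline zip was extracted (contains Templates and GPOs)
    [Parameter(Mandatory)][string]$BaselineRoot,
    [string]$Domain = $env:USERDNSDOMAIN,
    # Hypothetical prefix so the imported GPOs are easy to spot while testing
    [string]$Prefix = 'PILOT - '
)

$ErrorActionPreference = 'Stop'
$BaselineRoot = (Resolve-Path -Path $BaselineRoot).Path
$centralStore = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
$templates    = Join-Path $BaselineRoot 'Templates'
$gpoBackups   = Join-Path $BaselineRoot 'GPOs'

if (-not (Test-Path -Path $centralStore)) {
    throw "Central Store not found at $centralStore. Create it before importing."
}

# 1. ADMX files go to the Central Store, ADML files to its en-US subfolder.
foreach ($file in Get-ChildItem -Path $templates -Include *.admx, *.adml -Recurse -File) {
    $targetDir = if ($file.Extension -eq '.adml') { Join-Path $centralStore 'en-US' } else { $centralStore }
    $target    = Join-Path $targetDir $file.Name

    if (Test-Path -Path $target) {
        # Never overwrite silently: a different file of the same name may come
        # from a newer Windows 10 build and needs a human decision.
        if ((Get-FileHash $target).Hash -ne (Get-FileHash $file.FullName).Hash) {
            Write-Warning "$($file.Name) already exists in the Central Store with different content; skipped."
        }
        continue
    }
    if ($PSCmdlet.ShouldProcess($target, 'Copy template')) {
        Copy-Item -Path $file.FullName -Destination $targetDir
    }
}

# 2. Import every GPO backup into a new, unlinked GPO.
$imported = foreach ($dir in Get-ChildItem -Path $gpoBackups -Directory) {
    $infoFile = Join-Path $dir.FullName 'bkupInfo.xml'
    if (-not (Test-Path -Path $infoFile)) { continue }

    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($infoFile)
    # local-name() ignores the XML namespace; InnerText also covers CDATA content.
    $node = $xml.SelectSingleNode("//*[local-name()='GPODisplayName']")
    if ($null -eq $node) { continue }
    $targetName = "$Prefix$($node.InnerText)"

    # Same rule as the manual procedure: import only into a new blank GPO.
    if (Get-GPO -Name $targetName -Domain $Domain -ErrorAction SilentlyContinue) {
        Write-Warning "GPO '$targetName' already exists; skipped."
        continue
    }
    if ($PSCmdlet.ShouldProcess($targetName, "Import backup $($dir.Name)")) {
        Import-GPO -BackupId ([guid]$dir.Name) -Path $gpoBackups `
            -TargetName $targetName -CreateIfNeeded -Domain $Domain
    }
}

$imported | Select-Object DisplayName, Id, GpoStatus, ModificationTime
```

Run it with -WhatIf first to list what would be copied and imported. The imported GPOs are not linked to any OU, so nothing applies until you link them to your test computers.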

Once the GPOs are imported, testing is key!

No magic trick here, start with test computers and then IT users/pilot users prior to applying this to production.

Key points that provide challenges

Here are some configurations that are part of the baseline and should be looked at up front, as they might cause issues in your environment. The idea here is to have a better understanding of what is going on. Don’t go and change those settings to avoid issues. The issues should be fixed at the other end for better security.

Hardened UNC path

This setting is likely to give the following error when trying to process GPO on Windows 10.

Error
The processing of Group Policy failed. Windows attempted to read the file \\yourdomain.fqdn\sysvol\yourdomain.fqdn\Policies\{GPO GUID}\gpt.ini from a domain controller and was not successful.

The setting is found under Computer/Administrative Templates/Network/Network Provider/Hardened UNC Paths.

Review the following post by Lee Stevens for details on UNC path hardening to help define this setting for your environment.

Internet Explorer process only computer GPO

If you have a user GPO for Internet Explorer, in the Security Zone, adding the baseline for Internet Explorer will prevent those settings from being applied.

Two options are available if this causes issues:

  • Move your Internet Explorer configuration to a computer GPO instead of a user GPO
  • Change the configuration back to Not Configured for this GPO

More details are available in this KB from Microsoft.

User Account Control

User Account Control (UAC) is configured to the maximum level with the Security Baseline.

The default Windows 10 level is set to Notify me only when applications try to make changes to my computer (level 3 out of 4).

This is configured by a local security policy.

To modify it, edit the Windows 10 Computer GPO under Computer/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control.

Credential Guard

Having Credential Guard in Windows 10 is categorized as a quick-win solution, as the requirements and setup are easy.

The default configuration in the MSFT Windows 10 and Server 2016 – Credential Guard GPO is likely to crash the computer or impose an undesired requirement for future needs if applied as is.

We strongly recommend carefully reading the Help section of the Computer/Administrative Templates/System/Device Guard/Turn On Virtualization based security GPO.

To take advantage of Credential Guard safely, this would be the required configuration.

SMB v1

This topic is the most important of all the key points. With Windows 10 v1709, SMB v1 is disabled by default. But what if you still need this in your environment?

Let me make this clear, we do not recommend enabling SMB v1. It has been proven to be one of the most critical security holes as of late, with malware like WannaCry.

On the other hand, sometimes we don’t have much choice but to go against security.

So to leave SMB v1 enabled as part of the security baseline GPO, we suggest reading the following blog post by Aaron Margosis.

The GPO settings for SMB v1 are under Computer/Administrative Templates/MS Security Guide.
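
Before deciding to leave SMB v1 enabled, it helps to know which machines still negotiate it. The following script, meant to be run on a file server, is an added example and not from the original post or the linked article; it goes one step beyond the text by using the built-in SMB1 access audit (event ID 3000 in the Microsoft-Windows-SMBServer/Audit log). The function names are made up, and the "Client Address:" text matched in the event message is an assumption about the message layout.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Run on a file server.

function Get-Smb1State {
    # Current SMB v1 state of this machine.
    $cfg     = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        ServerSmb1Enabled = $cfg.EnableSMB1Protocol
        Smb1AuditEnabled  = $cfg.AuditSmb1Access
        OptionalFeature   = if ($feature) { $feature.State } else { 'Unknown' }
    }
}

function Enable-Smb1Audit {
    # Logs an event for every SMB v1 access attempt; does not block anything.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

function Get-Smb1Client {
    # Summarises which clients used SMB v1 against this server in the last $Days days.
    param([int]$Days = 7)

    $filter = @{
        LogName   = 'Microsoft-Windows-SMBServer/Audit'
        Id        = 3000
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches, hence SilentlyContinue.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumption: the event text contains "Client Address: <address>".
            if ($_.Message -match 'Client Address:\s*(\S+)') {
                [pscustomobject]@{ Client = $Matches[1]; Time = $_.TimeCreated }
            }
        } |
        Group-Object -Property Client |
        ForEach-Object {
            [pscustomobject]@{
                Client   = $_.Name
                Attempts = $_.Count
                LastSeen = ($_.Group | Measure-Object -Property Time -Maximum).Maximum
            }
        } |
        Sort-Object -Property Attempts -Descending
}

Get-Smb1State
if (-not (Get-SmbServerConfiguration).AuditSmb1Access) { Enable-Smb1Audit }
Get-Smb1Client -Days 7
```

An empty result after a representative period, with auditing enabled, means nothing on that server depends on SMB v1; any clients listed are the systems to fix at the other end.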

Issue with BitLocker on Windows 10 1709

The MSFT Windows 10 RS3 – BitLocker GPO contains a setting to Disable new DMA devices that broke some computers.

See the following blog post by Aaron Margosis for details on the issue.

The setting Computer/Administrative Templates/Windows Components/BitLocker Drive Encryption/Disable new DMA devices when this computer is locked should be reviewed prior to being applied.

What to do when a new version of Security baseline is available?

A new version of the Security baseline usually comes out at the same time as a Windows 10 build goes RTM.

Microsoft has always released them as a DRAFT version that goes on for a couple of months, and then releases the FINAL version.

Here’s a checklist for what to do when the new version is available:

  • Start by reviewing the Excel file to see what’s new in the baseline
    • Most of the new settings in the baseline will be in line with new features of the Windows 10 release
  • Update the ADMX files in the Central Store with the ones from the latest Windows 10 build prior to adding new settings
  • New settings should then be added to your environment by one of the following:
    • Import the new GPOs
    • Add new settings to the current GPO

Follow us on Twitter to get a notification when a new version of the Security baseline is released.

Bonus Tip

The Policy Analyzer is a great tool to compare current GPOs against the ones from the Security Baseline.

This can give an idea of the conflicting settings as well as the additional settings from the Security Baseline.

Step-by-Step SCCM 1802 Upgrade Guide
https://www.systemcenterdudes.com/step-by-step-sccm-1802-upgrade-guide/
Fri, 23 Mar 2018 21:20:39 +0000


Microsoft has released a new version of SCCM Current Branch. It’s now time to stay current and upgrade your environment! This post is a complete step-by-step SCCM 1802 upgrade guide. If you’re looking for a comprehensive SCCM installation guide, see our blog series which covers it all. You will be able to install 1802 if you are running SCCM 2012, as this new version is a new baseline version.

To install SCCM 1802 as an update, you must have SCCM 1702 installed.

Keeping your infrastructure up to date is essential. You benefit from the new features and fixed issues, some of which may be related to your SCCM. It’s also easier to upgrade to the latest version since Microsoft has implemented the new update servicing model, which is the in-console upgrade.

SCCM 1802 New Features and Fixes

SCCM 1802 includes lots of new features and enhancements in the site infrastructure, management insights, client management, co-management, compliance settings, application management, operating system deployment, software center, software updates, reporting, protect devices, configuration manager console.

You can consult the What’s new in version 1802 of System Center Configuration Manager Technet article for a full list of changes.

Here’s our list of favorite features:

Support for SCCM Current Branch Versions

Be sure to apply this update before you fall into an unsupported SCCM version. Read about the support end dates of prior versions in the following Technet article.

Before you Begin

Downloading and installing this update is done entirely from the console. There’s no download link, the update will appear on your console once the Service Connection Point is synchronized.

If you’re running a multi-tier hierarchy, start at the top-level site in the hierarchy. After the CAS upgrade, you can begin the upgrade of each child site. Complete the upgrade of each site before you begin to upgrade the next site. Until all sites in your hierarchy are upgraded, your hierarchy operates in a mixed version mode.

Before applying this update, we strongly recommend that you go through the upgrade checklist provided on Technet. Most importantly, initiate a site backup before your upgrade.

In this post, we will update a stand-alone primary site server, consoles, and clients. Before installing, check if your site is ready for the update:

  • Open the SCCM console
  • Go to Administration \ Updates and Servicing
  • In the State column, ensure that the update Configuration Manager 1802 is Available

  • If it’s not available, right-click Updates and Servicing and select Check for Updates
Warning

The SCCM 1802 update is not yet available for everyone. If you need it right away you can run the Fast-Ring script and the update will show up.

  • If the update is not downloading, click on the button Download on the upper node. The update state will change to Downloading
  • You can follow the download in Dmpdownloader.log or by going to Monitoring / Updates and Servicing Status, right-click your Update Name and select Show Status

  • The process will first download the .CAB file and will then extract the file in the EasyPayload folder in your SCCM installation directory.
    • GUID : c78e7992-75db-4cd2-b89e-8024fc99884b
  • It can take up to 15 minutes to extract all files.


Step 1 | SCCM 1802 Prerequisite Check

Before launching the update, we recommend launching the prerequisite check first. To see the prerequisite checklist, see the Microsoft Documentation

  • Open the SCCM console
  • Go to Administration \ Updates and Servicing
  • Right-click the Configuration Manager 1802 update and select Run prerequisite check

  • Nothing will appear to happen: the prerequisite check runs in the background and all menus are unavailable during the check
  • One way to see progress is by viewing C:\ConfigMgrPrereq.log

  • You can also monitor prerequisite check by going to Monitoring / Update and Servicing Status, right-click your Update Name and select Show Status

  • When completed the State column will show Prerequisite check passed

Step 2 | Launching the SCCM 1802 update

We are now ready to launch the SCCM 1802 update. At this point, plan about 45 minutes to install the update.

  • Right-click the Configuration Manager 1802 update and select Install Update Pack

  • On the General tab, click Next

  • On the Features tab, check the boxes for the features you want to enable during the update

  • Don’t worry, if you don’t select one of the features now and want to enable it later, you’ll be able to do so by using the console Administration \ Updates and Servicing \ Features

  • In the Client Update Options, select the desired option for your client update

  • On the License Terms tab, accept the license terms and click Next

  • On the Summary tab, review your choices, click Next and close the wizard on the Completion tab

The whole process took a minute but the installation begins on the back end.

  • During installation, the State column changes to Installing

  • We suggest you monitor the progress, by navigating to Monitoring / Updates and Servicing Status, right-click your Update Name and select Show Status

Unfortunately, the status is not updated in real time. Use the Refresh button to update.

  • Open the SCCM log SCCM Installation Directory\Logs\CMUpdate.log with CMTrace

We’ve done numerous SCCM upgrades. Some installations start a couple of minutes after you complete the wizard, but we’ve seen some installations start after a 10-minute delay. Do not reboot or restart any services during this period or your update can be stuck in “Prerequisite check passed” status. There are actually no officially documented methods by Microsoft to fix that. Patience is the key!
  • When completed, you’ll notice the message There are no pending update package to be processed in the log file
  • Monitoring / Updates and Servicing Status, right-click your Update Name and select Show Status, the last step will be Installation Succeeded

  • Refresh the Updates and Servicing node in Administration, the State column will be Installed

Updating the Outdated Consoles

As with previous cumulative updates, the console has an auto-update feature. When the console opens, if you are not running the latest version, you will receive a warning and the update will start automatically.

  • Since all update operations were initiated from the console, we didn’t close it during the process. We received a warning message when clicking certain objects. You will get the same message when opening a new console

  • Click OK, the console update will start automatically

  • Wait for the process to complete. You can follow the progress in C:\ConfigMgrAdminUISetup.log and C:\ConfigMgrAdminUISetupVerbose.log. Once completed, the console will open and you’ll be running the latest version

Verification

Consoles

After setup is completed, verify the build number of the console. If the console upgrade was successful, the build number will be X and the version is now Version 1802.

Beginning with 1802, there is a new version nomenclature for the console. The console no longer includes the main build number (8634). The last 2 numbers refer to the admin console build number.

We got the whole explanation from the product group for the complete nomenclature but don’t have the official go-ahead to share this info for now.

Servers

  • Go to Administration \ Site Configuration \ Sites
  • Right-click your site and select Properties
  • Verify the Version and Build number


Clients

The client version will be updated to 5.00.8634.1007 (after updating, see section below)

SCCM 1802 Client Package distribution

You’ll see that the 2 client packages are updated:

  • Navigate to Software Library \ Application Management \ Packages


  • Check if the update is successful, otherwise, select both packages and initiate a Distribute Content to your distribution points

Boot Images

Boot images will automatically update during setup. See our post on upgrade consideration in a large environment to avoid this if you have multiple distribution points.

  • Go to Software Library / Operating Systems / Boot Images
  • Select your boot image and check the last Content Status date. It should match your setup date

Updating the Clients

Our preferred way to update our clients is by using the Client Upgrade feature: (You can refer to our complete post documenting this feature)

  • Open the SCCM Console
  • Go to Administration / Site Configuration / Sites
  • Click the Hierarchy Settings in the top ribbon
  • Select Client Upgrade tab
  • The Upgrade client automatically when the new client update is available check box is enabled
  • Review your time frame and adjust it to your needs

Monitor SCCM Client Version Number

SCCM Reports Client Version

Our SCCM Client version reports give detailed information about every client version in your environment. It’s the easiest way to track your client updates.

Collections

You can also create a collection that targets clients without the latest client version, which is very useful for monitoring non-compliant clients.

Here’s the query to achieve this: (You can also refer to our Set of Operational Collection Powershell Script which contains this collection)

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ClientVersion != '5.00.8634.1007'

Updating your Mobile Devices against Meltdown and Spectre with Intune
https://www.systemcenterdudes.com/intune-ios-meltdown-spectre/
Thu, 22 Mar 2018 05:44:50 +0000

Everyone has heard of Meltdown and Spectre, vulnerabilities in modern computers that leak passwords and sensitive data. In case you haven’t, the most important thing to remember is to update all devices, mainly those with an Intel processor, including mobile devices. If you are using Microsoft Intune to manage mobile devices in your organization, you can configure compliance rules to force users to update their operating system version.

Those who want to keep their old OS version will lose their access to Office 365 at some point. It’s essential that employees know the importance of updating their devices more often, without it being enforced. On the other hand, updating the OS means some types of devices won’t be supported anymore. If your company accepts BYOD, some users will need to purchase a new mobile device. In the end, securing your endpoints is more important.

In this post, we will use the Meltdown and Spectre vulnerabilities on the iOS platform as our example. The iOS version that resolves the Meltdown and Spectre vulnerabilities is 11.2.5, which further protects against Spectre exploits. Note that this guide can also be useful for future breaches, other supported platforms, and newer versions.

Intune App Protection (Warning)

There are two ways to enforce a minimum iOS version. The first is to enable a warning message on each connection to an app, giving users a grace period to update their devices. The second is simply to block access to Office 365 right away.

Intune App Protection allows IT to send a warning message to the devices while keeping access to company data. This popup appears each time users connect to a company app, like Outlook. This technique has little impact on productivity and doesn’t affect the user experience. At this stage, it’s not mandatory to be enrolled in Intune.

  • Click on Add a policy and enter the name of the policy iOS Minimum Version 11.2.5
  • iOS
  • Select Apps blade and select all applications from the list
  • Once you finish, click on Select

  • Click on Settings blade and scroll down in the right section until you see Require minimum iOS operating system (Warning Only)
  • Select Yes and enter the version you want to enforce. In our example, it is 11.2.5
  • Click on Ok and select Pin to Dashboard if you want to see the statistics of this policy in your Azure Dashboard.

The policy is complete; it’s now time to deploy it to an AAD group.

  • Select the policy you just created.

  • In the Assignments node, include the group of people you want to target
  • Make sure you are on the Include tab and select groups to include
Tips: Test your policy with colleagues before deploying at large.

  • Find the AAD group you want to target and click Select

Under those circumstances, expect the users to get this kind of warning message if they are not compliant. It won’t affect access, and the user can continue working by clicking Ok.

The good thing about sending a message to the user’s device is that they don’t lose productivity and can upgrade their devices during off-hours on personal Wi-Fi. The downside is that the vulnerability is still there. What you can do is give a grace period of a few days (3-7) and, once it’s over, flip the kill switch.

Intune App Protection (Block)

To block access, mainly to Office 365 apps, you can still use Intune App Protection. At this stage, it’s not mandatory to be enrolled in Intune.

  • Return to Policy Settings blade of your policy and disable the warning message
  • Enable Require minimum iOS operating system and enter 11.2.5

Now, if the user still has not updated their mobile device, their access will be blocked and this message will be displayed.

There are only 2 options, Remove Account or Go Back.
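
Before switching the setting from warning to block, it helps to know which users would be cut off. The PowerShell below is an added example, not part of the original post: it compares each device's iOS version with the 11.2.5 minimum numerically and lists who would be blocked. The function names and the inventory rows are assumptions made up for the illustration; 11.10 is a constructed value that shows why a text comparison is not enough.

```powershell
# Added example: preview which devices fall below the minimum iOS version
# before the warning-only setting is replaced by the blocking one.

function ConvertTo-IosVersion {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Text)

    # Accept 1 to 4 numeric parts ("11", "11.2", "11.2.5").
    $parts = @($Text.Trim() -split '\.')
    $bad   = @($parts | Where-Object { $_ -notmatch '^\d+$' })
    if ($parts.Count -gt 4 -or $bad.Count -gt 0) { return $null }

    # [version] treats a missing part as -1, so "11.2" would sort below
    # "11.2.0". Pad every value to four parts so equal versions compare equal.
    while ($parts.Count -lt 4) { $parts += '0' }

    $parsed = $null
    if ([version]::TryParse(($parts -join '.'), [ref]$parsed)) { return $parsed }
    return $null
}

function Get-IosBlockImpact {
    param(
        [Parameter(Mandatory)][object[]]$Inventory,
        [string]$MinimumVersion = '11.2.5'   # the version enforced in this post
    )

    $minimum = ConvertTo-IosVersion $MinimumVersion
    if ($null -eq $minimum) { throw "Invalid minimum version '$MinimumVersion'" }

    foreach ($device in $Inventory) {
        $current = ConvertTo-IosVersion ([string]$device.OsVersion)
        $outcome = if ($null -eq $current) {
            'Review'     # version missing or malformed, check the device by hand
        } elseif ($current -lt $minimum) {
            'Blocked'    # would lose access once the block setting is enabled
        } else {
            'Allowed'
        }

        [pscustomobject]@{
            User      = $device.User
            Device    = $device.Device
            OsVersion = $device.OsVersion
            Outcome   = $outcome
        }
    }
}

# Constructed sample inventory (hypothetical users and devices).
$sampleInventory = @(
    [pscustomobject]@{ User = 'alice'; Device = 'iPhone-A'; OsVersion = '11.2.5' }
    [pscustomobject]@{ User = 'bob';   Device = 'iPhone-B'; OsVersion = '11.2' }
    [pscustomobject]@{ User = 'carol'; Device = 'iPad-C';   OsVersion = '11.10' }
    [pscustomobject]@{ User = 'dave';  Device = 'iPhone-D'; OsVersion = '10.3.3' }
    [pscustomobject]@{ User = 'erin';  Device = 'iPhone-E'; OsVersion = '' }
)

$impact = Get-IosBlockImpact -Inventory $sampleInventory
$impact | Sort-Object Outcome, User | Format-Table -AutoSize
```

The users listed as Blocked are the ones to contact during the grace period; the Review rows need a manual check because no usable version was recorded.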

Compliance Policy State with Conditional Access (Block)

The next step is to protect access to your company’s data by using Conditional Access. Business data is precious nowadays, and breaches are expensive for businesses. That’s why it’s essential to make sure your mobile devices comply with security policies.

With Microsoft Intune, you can configure a device compliance policy that enforces a required minimum operating system version. Assign that policy to users by using AAD groups. Overall, using conditional access is more efficient than only Intune App Protection.

  • To configure a compliance policy, navigate to https://portal.azure.com then click on Intune blade and Device Compliance

  • Click on Policies and Create Policy

  • You will arrive at the Create Policy properties; enter a policy name like iOS Minimum Operating System Version
  • You can add a description of your policy; it’s not a mandatory field
  • Choose the Platform; in our case, it is iOS
  • Click on Settings – Device Properties and in the Minimum OS version field, enter the version you want to enforce, 11.2.5
  • Select Ok, OK and Create

  • Once the policy is created, click Assignments blade to deploy the policy to users.

  • In the Assignment properties, click on Select groups to include, select your specific group and click Select to confirm
  • You can also select the option All Users by clicking on Selected Groups

  • Click Save when you’ve finished with the assignment
Tips: Test your policy with colleagues before deploying at large.

The configuration of the device compliance policy is complete and the policy is assigned to users. We are now ready to configure conditional access to make sure that all users who try to access company data from non-compliant devices are blocked.

  • Click on the Conditional Access in Microsoft Intune blade or from Azure Active Directory blade, select Policies, and New Policy to create a new conditional access policy

  • The first thing you need to do is give your policy a name
  • From the Assignments section, click on Users and groups and select your specific groups or All users
  • Once it’s completed, click on Select and Done

  • In the Assignments section, click on Cloud Apps and select All cloud apps or a specific app
  • Click Done

  • Still in the Assignments section, click on Conditions blade and Device Platforms
  • Enable the settings by clicking on Yes just beside Configure
  • In the Include tab, select iOS
  • Click Done and Done

  • In the Access Controls section, click on Grant blade
  • Select Grant access option and click checkbox Require device to be marked as compliant
  • Click Select

  • Enable the policy and click on Create

Now that the conditional access rule and device compliance policy are configured, users who authenticate to some applications from their mobile devices will start to receive this kind of message.

Not Enrolled in Intune

If your mobile device is not enrolled in Intune, you will get this message.

Click on Enroll and follow the steps to enroll the device in Intune.

Not Compliant

If your mobile device is enrolled in Intune but not compliant, you will get this message.

A good way to see why your device is not compliant is to open the Company Portal app and do a compliance check.

At this point, the only option you have is updating your operating system before thinking of connecting to the company apps.

If you want to monitor Spectre and Meltdown vulnerability on workstations using SCCM, you can take a look at this post.

Good luck!

How to help Intune users Using Intune Troubleshooting Portal
https://www.systemcenterdudes.com/how-to-help-intune-users-using-intune-troubleshooting-portal/
Wed, 21 Mar 2018 13:53:09 +0000

The Intune troubleshooting portal can be used by Intune administrators to view information about a specific Intune user. It can be used to troubleshoot many problems, for example licensing problems, the devices assigned to a user, enrollment issues, compliance issues, app installation failures and much more. The Intune Troubleshooting portal can also give suggested remediation steps to resolve issues.

You need at least the HelpDesk Operator role (RBAC) to use the troubleshooting portal.

How to use the Intune Troubleshooting Portal

  • Go to your Azure portal
  • Select Microsoft Intune
  • On the Intune pane, in the Help and Support section, select Troubleshoot

  • On the left, click Select to select a user to troubleshoot

  • Select a user, click Select at the bottom

  • Once your user is selected, you can view the full dashboard for this device

Let’s see what every section covers:

#1 – Account Status

Shows the status of the current Intune tenant as Active or Inactive

#2 – User Status

Shows the status of the user’s Intune license and statistics about device compliance, number of apps, and app compliance…

#3 – Group Membership

Shows which Intune groups the user belongs to.

#4 – Assignments

Details about the assignments for the selected user. A drop-down lets you choose between Mobile apps, Compliance policies, Configuration policies, App protection policies, Windows 10 update rings and Enrollment restrictions. In our example, we selected Compliance Policies.

  • When you click a policy, you are sent to the Device compliance policy section and you can troubleshoot your policy.

#5 – Devices

Shows detailed information about the devices assigned to the selected user.

  • When clicked, you are sent to the device information pane

#6 – App Protection Status

This shows the details about the app protection policies that are assigned to the selected user. At this time you cannot drill down to the app protection section when a policy is clicked.

#7 – Enrollment Failure

Shows the details about device enrollment failures for the user. Each row shows an enrollment attempt.

  • When you click on an attempt, you are given more detail about the error. In our example, the Apple push certificate was not configured in our tenant

This is a very nice addition to the Intune portal. A must-have for your help desk and Intune administrators!

How to install SCCM 1710 Hotfix Rollup 2 (KB4086143)
https://www.systemcenterdudes.com/how-to-install-sccm-1710-hotfix-rollup-2-kb4086143/
Wed, 07 Mar 2018 14:49:47 +0000

The second Hotfix Rollup for SCCM Current Branch (1710) is now available. This post is a complete SCCM 1710 Hotfix Rollup 2 (KB4086143) installation guide. If you’re looking for a complete SCCM Current Branch installation guide, see our blog series which covers it all. You can’t install this upgrade if you are running SCCM 2012. You need to be running SCCM 1710 to apply this update.

Installing SCCM upgrades is important for your infrastructure. It fixes a lot of issues from SCCM 1710, some of which are important.

New Update and Servicing Model

If you’re not familiar with the new SCCM servicing model, read our New Update and Servicing section of the 1602 upgrade post, which explains it all.

You may wonder what the difference is between a Cumulative Update (CU) and an Update Rollup (UR)/Hotfix Rollup (HR):

A CU is a new servicing baseline. A post-CU1 hotfix requires CU1 first, whereas a post-UR1 hotfix doesn’t require UR1. Like CU, UR is cumulative which means that UR2 will include previous hotfixes.

*If you are running SCCM 1511, 1602, 1606, 1610, 1702 or 1706, you first need to upgrade to 1710 prior to applying this Hotfix Rollup; see our blog which covers the upgrade process. Once completed, the Hotfix Rollup will be available under Update and Servicing node.

List of SCCM 1710 Hotfix Rollup 2 Fixes

This hotfix rollup brings the long-awaited fix for user interaction with Office 365 updates. Previous attempts to manage it led to an inconsistent user experience; for example, the Office product would close without any warning even though a warning was expected.

The new hotfix brings a simple restart notice (SCCM regular reboot) if any Office product is open while an update has been installed.

We will update our post on Office 365 updates, once we have successfully tested this change.

Consult the Microsoft support page for a full list of fixed issues.

Before you begin

Downloading and installing this update is done entirely from the console. There’s no download link, the update will appear on your console once synchronized.

When you install an in-console update: (New Versions, CU, UR, KB)

  • It automatically runs a prerequisite check. You can also run this check prior to starting the installation
  • It installs at the central administration site (if you have one), and at primary sites automatically. You can control when each primary site server is allowed to update its infrastructure by using Service Windows for site servers
  • After a site server updates, all affected site system roles (including instances of the SMS Provider) automatically update. Configuration Manager consoles also prompt the console user to update the console, after the site installs the update
  • If an update includes the Configuration Manager client, you are offered the option to test the update in pre-production, or to apply the update to all clients immediately
  • After a primary site is updated, secondary sites do not automatically update. Instead, you must initiate the secondary site update

In this post, we’ll be updating a standalone Primary Site Server, console and clients.

Reminder
It’s a best practice to have some exclusions for your antivirus/anti-malware software on the SCCM server. Here’s a list of exclusions from SCCM 2012, which is still valid for CB as far as we know. You could also consider disabling the AV prior to installing the update and re-enabling it once completed.
Before installing, check if your site is ready for the update :
  • Open the SCCM console
  • Go to Administration \ Cloud Services \ Updates and Servicing
  • In the State column, ensure that the update is Available

  • If not already downloaded, hit Download
  • If it’s not available, right-click Updates and Servicing and select Check for Updates

  • The update state will change to Downloading
  • You can follow the download in Dmpdownloader.log

The update files are stored in the EasyPayload folder in your SCCM Installation directory

SCCM 1710 Hotfix Rollup 2 Installation Guide

Step 1 | SCCM 1710 Hotfix Rollup Prerequisite Check

Before launching the update, we recommend launching the prerequisite check:

  • Open the SCCM console
  • Go to Administration \ Cloud Services \ Updates and Servicing
  • Right-click the Configuration Manager 1710 Hotfix (KB4086143) update and select Run prerequisite check

  • Nothing visible will happen; the prerequisite check runs in the background. All menu options will be grayed out during the check

  • You can monitor the prerequisite check by going to Monitoring / Site Servicing Status, right-click your Update Name and select Show Status
  • When completed, the State column will show Prerequisite check passed

Step 2 | Launching the SCCM 1710 Hotfix Rollup 2

We are now ready to launch the SCCM 1710 Hotfix Rollup. At this point, plan about 30 minutes for the update installation.

  • Right-click the Configuration Manager 1710 update and select Install Update Pack

  • On the General tab, click Next

  • In the Client Update Options, select the desired option for your client update
    • This new feature allows updating only clients that are members of a specific collection. Refer to our post here

  • On the License Terms tab, accept the license terms and click Next

  • On the Summary tab, review your choices and click Next

  • On the Completion tab, close the wizard. The whole process took a minute but the installation is not over, it has been initiated

  • During installation, the State column changes to Installing
  • You can monitor installation by going to Monitoring / Site Servicing Status, right-click your Update Name and select Show Status

  • … or you can follow detailed installation progress in SCCM Installation Directory\Logs\CMUpdate.log

Warning
We’ve done numerous SCCM installations/upgrades. Some installations start a couple of minutes after you complete the wizard, but we’ve seen some start after a 10-minute delay. Do not reboot or restart any services during this period or your update could be stuck in “Prerequisite check passed” status with all other options grayed out. There is currently no officially documented method from Microsoft to fix that. Patience is the key!
  • When completed, you’ll notice the message There are no pending update package to be processed in the log file
  • Refresh the Updates and Servicing node, the State column will be Installed

Updating the consoles

Since 1602, the console has an auto-update feature. At console opening, if you are not running the latest version, you will receive a warning and the update will start automatically.

  • Since all updates operations were initiated from the console, we didn’t close it during the process. We received a warning message when clicking certain objects. You will have the same message when opening a new console

  • Click OK; the console update will start automatically

  • Wait for the process to complete. You can follow the progress in C:\ConfigMgrAdminUISetup.log and C:\ConfigMgrAdminUISetupVerbose.log. Once completed, the console will open and you’ll be running the latest version

Verification

Consoles

After setup is completed, verify the build number of the console. If the console upgrade was successful, the build number will be 5.0.8577.1115. Note that the Site Version is not changed to the Hotfix Rollup version. This is normal.

Clients

The client version will be updated to 5.00.8577.1115 (after updating, see section below)

SCCM 1710 Hotfix Rollup 2 Client Package distribution

You’ll see that the 2 client packages are updated:

  • Navigate to Software Library \ Application Management \ Packages

  • Check if both packages were updated; if not, select both packages and initiate a Distribute Content to your distribution points

Updating the Clients

Our preferred way to update our clients is by using the Client Upgrade feature: (You can refer to our complete post documenting this feature)

  • Open the SCCM Console
  • Go to Administration / Site Configuration / Sites
  • Click the Hierarchy Settings in the top ribbon
  • Select Client Upgrade tab
  • The Upgrade client automatically when the new client update are available checkbox has been enabled
  • Review your time frame and adjust it to your needs

Monitor SCCM Client Version Number

Our SCCM Client version reports give detailed information about every client version in your environment. It’s the easiest way to track your client updates.

Collections

You can also create a collection that targets clients without the latest client version. I use it to monitor which clients haven’t been updated yet.

Here’s the query to achieve this: (You can also refer to our Set of Operational Collection Powershell Script which contains this collection)

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ClientVersion != '5.00.8577.1115'
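
The collection query above matches any client whose version string differs from the target, so a client that is already on a newer build lands in the collection as well. The PowerShell below is an added example, not code from the original post or its collection script: it compares versions numerically and separates outdated clients from newer ones. Get-ClientVersionStatus is a hypothetical helper and the device rows are constructed; use '5.00.8634.1007' as the target for the 1802 upgrade.

```powershell
# Added example: bucket clients by comparing their reported version
# numerically against the target client version.

function Get-ClientVersionStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Client,

        [Parameter(Mandatory)]
        [string]$TargetVersion
    )
    begin {
        # '5.00.8577.1115' parses to Major 5, Minor 0, Build 8577, Revision 1115.
        $target = [version]$TargetVersion
    }
    process {
        $parsed = $null
        $status = if ([string]::IsNullOrWhiteSpace($Client.ClientVersion)) {
            'NoVersion'     # nothing reported for this device
        } elseif (-not [version]::TryParse($Client.ClientVersion, [ref]$parsed)) {
            'Unparsable'    # value present but not a dotted version number
        } elseif ($parsed -lt $target) {
            'Outdated'      # still needs the client upgrade
        } elseif ($parsed -gt $target) {
            'Newer'         # differs from the target, but is not behind it
        } else {
            'Current'
        }

        [pscustomobject]@{
            Name          = $Client.Name
            ClientVersion = $Client.ClientVersion
            Status        = $status
        }
    }
}

# Constructed sample rows; real input would be an export of device names
# and client versions from a report.
$sampleClients = @(
    [pscustomobject]@{ Name = 'WS-001'; ClientVersion = '5.00.8577.1115' }
    [pscustomobject]@{ Name = 'WS-002'; ClientVersion = '5.00.8577.1000' }
    [pscustomobject]@{ Name = 'WS-003'; ClientVersion = '5.00.8634.1007' }
    [pscustomobject]@{ Name = 'WS-004'; ClientVersion = '' }
)

$report = $sampleClients | Get-ClientVersionStatus -TargetVersion '5.00.8577.1115'
$report | Sort-Object Status, Name | Format-Table -AutoSize
```

Only the Outdated rows are clients that still need the upgrade; Newer rows would also match the != query even though they are not behind.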

How to enable SCCM 1710 Co-Management
https://www.systemcenterdudes.com/how-to-enable-sccm-1710-co-management/
Thu, 01 Mar 2018 16:41:25 +0000

With the release of SCCM 1710, one of the key new features is the Co-Management possibility with Microsoft Intune.

There are two main paths to reach co-management:

  1. Windows 10 devices managed by Configuration Manager and hybrid Azure AD joined get enrolled into Intune
  2. Windows 10 devices that are enrolled in Intune and then installed with the Configuration Manager client

We will describe how to enable co-management and enroll an SCCM managed Windows 10 device into Intune.

SCCM 1710 Co-Management Prerequisites

Concept of SCCM 1710 Co-Management

Microsoft provides a great diagram that explains how the workload is managed when co-management is activated.

Co-management provides the ability to offload some workloads to Intune. There are 3 categories of workloads:

Once a workload is offloaded to Intune, SCCM no longer manages those settings on the Windows client.

Co-management is designed to allow administrators to pilot with specific computers before completely offloading a workload to Intune, allowing a smooth transition.

Enable SCCM 1710 Co-Management

Here’s how to enable co-management.

  • Go to Administration / Cloud Services / Co-Management and select Configure Co-Management

  • Enter your Intune Credentials

  • Select who can Automatic Enroll in Intune
    • We strongly recommend beginning with Pilot. This requires selecting a collection to limit enrollment to allowed computers only
    • This can be changed later when ready for production roll-out

  • Configure the Workloads
    • This can be left to all SCCM for now and adjusted later on

  • Select a computer collection to be used for pilot

  • Summary, click Next

  • Co-Management is then enabled

  • Under Properties / Enablement, the Automatic enrollment can be changed from Pilot to Production

  • Under Properties / Workloads, it’s possible to set the slider for the different workloads and assign them to Pilot or Intune

Before changing any workload to pilot, it’s time to enroll a computer into Intune, while still managed by SCCM.

Enroll Windows 10 1709 client into Intune for Co-management

  • The first step is to enable the GPO to enable Auto MDM Enrollment with AAD Token
    • Location : Computer Configuration/Administrative Template/Windows Components/MDM

Important Info
If you don’t see the GPO, your Central store needs to be updated with the latest ADMX from Windows 10 1709

  • Next, add the computer to the Pilot collection for Co-Management

  • After the next machine policy update, the client will begin to enroll.
    • On the client, the CoManagementHandler.log will provide the details.
    • Note that during our testing, this took a while to get going in the logs. Many errors showed up before it worked correctly, without us changing a thing. Patience is key.

After a little while (hours), the client will change from MDM – none to MDM – Intune

Before MDM managed

After MDM managed

It will eventually report that the device is managed by MDM/ConfigMgr Agent

At that point, it’s time to configure Intune policy to eventually switch Workloads

More details about switching workload to Intune on Docs
