Thursday, April 28, 2016

Difference between Intune Standalone and ConfigMgr hybrid mode (part 2)

In an earlier blogpost I wrote about the pros and cons of Intune standalone versus ConfigMgr hybrid mode. In this post I will look at the difference in speed between both solutions. Intune standalone (SaaS) is very fast (a few seconds, sometimes a few minutes) in getting applications and/or policies onto enrolled devices. With ConfigMgr hybrid mode this is way slower, and it can take up to multiple hours (or more) before anything happens. This is very annoying indeed!
I'm using the SaaS solution myself, for demo purposes on my Windows 10 Mobile (Lumia 950). After enrolling that device and deploying applications and/or policies, they are visible within a few seconds. Just have a look at some examples:
When deploying applications, or changing icons (or something like that), they are visible almost immediately.
When Allow manual unenrollment is set to No, Intune cannot be removed from a Windows Phone or Windows 10 Mobile device. Way better, because this isn't possible on iOS or Android devices, or special configuration is needed (iOS).
When Allow application store is set to No for Windows 10 Mobile, the Store isn't available anymore. Just an example of how easily an application can be blocked, but again for Windows Phone only.
This applies to both the tile on the start screen and the entry in the app list on Windows Phones; they are greyed out in both places. I just want to see more of that.

When Allow camera is set to No, the following message is given, followed by a black screen when choosing OK. A message that the camera is blocked would be better I guess than a black screen, but maybe that will come in the future.

As for ConfigMgr hybrid mode, the same settings must be configured in Configuration Items and Baselines, and it's not clear when they arrive on the device. Monitoring > Deployments isn't the right place to check either, as it shows an 'Unknown' status most of the time. I did a lot of compliance checks and reboots on mobile devices, but nothing seemed to happen.

As mentioned in an earlier blogpost: I still truly believe in ConfigMgr hybrid mode, having the best of both worlds. But Microsoft still needs to do some development for a way better experience there!

More on that in a next blogpost. Thanks for reading.
Read more on part 1 and part 3

Monday, April 25, 2016

How to audit changes in ConfigMgr 2012 R2 or Current Branch

Sometimes it's needed to audit changes within ConfigMgr 2012 R2 or Current Branch. When changes are made and you want to know who did what, it's good to know that most console actions are logged as audit status messages.

Just start the ConfigMgr console and go to the Monitoring workspace. There choose System Status > Status Message Queries. You will find 41 built-in queries, covering auditing, boundaries, collections, deployments, packages, programs, remote control activity, security roles, server components and site systems. A lot to find there :-)
Recently I needed to audit changes, which I found in the audit messages. Two queries are useful here, one for the site and one for a specific user. Those will tell you who did what and when:
All Audit Status Messages for a Specific User: Audit status messages that track activity initiated by a specific user (when prompted, use the form DOMAIN\username).  
All Audit Status Messages from a Specific Site: Audit status messages reported at a specific site.
When needed it's good to know that this functionality is built into the console. Hope it helps!
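The console queries are fine for a one-off question, but for a scheduled export (for example into a SIEM) the same data can be pulled from the SMS Provider over WMI. The script below is an added example and not part of the original post. It assumes a site server name, site code and user name (all placeholders), that audit messages are MessageType 768, and that the user name travels in status message attribute 403, which is the filter the console's own "All Audit Status Messages for a Specific User" query uses (verify with the query's Properties > Show Query Language if your version differs).

```powershell
# Added example: pull audit status messages for one user from the SMS Provider.
# Site server, site code and user below are assumed placeholders.
param(
    [string]$SiteServer = 'cm01.contoso.local',   # assumed
    [string]$SiteCode   = 'P01',                  # assumed
    [string]$User       = 'CONTOSO\henk',         # DOMAIN\username, as the console prompts
    [int]$Days          = 7
)
$ns    = "root\SMS\site_$SiteCode"
$since = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddDays(-$Days))
$userLiteral = $User -replace '\\', '\\'       # WQL string literals need the backslash doubled

# Step 1: which audit records carry this user name?
# AttributeID 403 = user, as in the built-in console query (assumption, see lead-in).
$attrs = Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Class SMS_StatMsgAttributes `
    -Filter "AttributeID = 403 AND AttributeValue = '$userLiteral' AND AttributeTime >= '$since'"

# Step 2: for each record, fetch the message itself (MessageType 768 = audit) and its
# insertion strings, which hold the object names the console renders into the message text.
$results = foreach ($a in $attrs) {
    $msg = Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Class SMS_StatusMessage `
        -Filter "RecordID = $($a.RecordID) AND MessageType = 768"
    if (-not $msg) { continue }
    $ins = Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Class SMS_StatMsgInsStrings `
        -Filter "RecordID = $($a.RecordID)" |
        Sort-Object InsStrIndex | ForEach-Object { $_.InsStrValue }
    New-Object PSObject -Property @{
        Time      = [System.Management.ManagementDateTimeConverter]::ToDateTime($msg.Time)
        User      = $a.AttributeValue
        MessageID = $msg.MessageID
        Severity  = $msg.Severity
        Component = $msg.Component
        Machine   = $msg.MachineName
        Details   = ($ins -join ' | ')
    }
}

$results | Sort-Object Time -Descending |
    Format-Table Time, User, MessageID, Component, Details -AutoSize

# Keep a copy outside the site database; the site prunes old status messages itself.
$results | Export-Csv -Path ".\cm-audit-$SiteCode-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run it with an account that has read access to the SMS Provider (a ConfigMgr security role with read rights on status messages is enough). The CSV export matters for auditing: the site database does not keep status messages forever (the Delete Aged Status Messages maintenance task and the status filter rules decide how long they stay), so anything you may need later as evidence should be exported on a schedule rather than looked up in the console after the fact.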

Thursday, April 21, 2016

Failed to create BitLocker recovery password on Surface Pro 4

When deploying tablets like the Microsoft Surface Pro 4 or Lenovo Helix with BitLocker encryption, I get the following error message:
Failed to create recovery password. Ensure that Active Directory is properly configured for use with BitLocker.

This is with ConfigMgr Current Branch (1511). After deployment you will see a yellow exclamation mark on the operating system drive.

The trick is to add another step to the task sequence when deploying tablets. This step (Run Command Line) must be added before the 'Enable BitLocker' step. It can be done in various ways, but PowerShell is recommended here. The command writes the same registry value that the Group Policy setting 'Enable use of BitLocker authentication requiring preboot keyboard input on slates' (under BitLocker Drive Encryption > Operating System Drives) sets:
Powershell.exe -command "New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft -Name FVE; Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\FVE -Name OSEnablePrebootInputProtectorsOnSlates -Value 1 -Type DWord -Force"

After that you will see that BitLocker encryption is working and the yellow exclamation mark is gone! The recovery password is now written to AD. Just happy with this easy solution :-)
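The yellow exclamation mark disappearing tells you the recovery password was created, but not that it actually landed in AD DS. The script below is an added example, not part of the original post or the task sequence. It is meant to be run on a deployed device afterwards: it makes sure the slate policy value from the task sequence step is present (created idempotently, so it can be re-run where the key already exists), checks that the OS volume has a recovery password protector, and then escrows that protector to AD DS with the BitLocker module's own cmdlet. It assumes a domain-joined Windows 8/Server 2012 or later device with the BitLocker PowerShell module, run elevated.

```powershell
# Added example: verify the slate policy value, the recovery password protector
# and the AD DS escrow after a ConfigMgr BitLocker deployment on a tablet.
#Requires -RunAsAdministrator
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$valueName  = 'OSEnablePrebootInputProtectorsOnSlates'

# 1. Same value the task sequence step writes, but created only when missing so
#    this script can be re-run on a device where the FVE key already exists.
if (-not (Test-Path $policyPath)) { New-Item -Path $policyPath -Force | Out-Null }
$current = (Get-ItemProperty -Path $policyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($current -ne 1) {
    Set-ItemProperty -Path $policyPath -Name $valueName -Value 1 -Type DWord
}

# 2. Inspect the operating system volume.
$osDrive = $env:SystemDrive
$vol = Get-BitLockerVolume -MountPoint $osDrive
'{0}: VolumeStatus={1} ProtectionStatus={2} Encrypted={3}%' -f $osDrive,
    $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionPercentage

$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    # No recovery password at all: add one first. This is what the failing
    # 'Enable BitLocker' step was trying to do. The password itself is never
    # written to the console or a log by this script.
    Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null
    $recovery = (Get-BitLockerVolume -MountPoint $osDrive).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# 3. Escrow every recovery password protector to AD DS. This only succeeds when
#    the AD schema is extended and the "Store BitLocker recovery information in
#    AD DS" policy allows it, so a failure here points at the AD side, which is
#    exactly what the task sequence error message hints at.
foreach ($kp in $recovery) {
    try {
        Backup-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $kp.KeyProtectorId | Out-Null
        'Backed up recovery password protector {0} to AD DS' -f $kp.KeyProtectorId
    } catch {
        Write-Warning ('AD DS backup failed for {0}: {1}' -f $kp.KeyProtectorId, $_.Exception.Message)
    }
}
```

Only the protector ID is printed, never the 48-digit password; if you need to confirm the escrow from the other side, look at the computer object in AD (the BitLocker Recovery tab in Active Directory Users and Computers) rather than dumping the password on the device.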


Wednesday, April 20, 2016

Difference between Intune Standalone and ConfigMgr hybrid mode

When using Microsoft Intune, you can choose between Intune standalone and ConfigMgr hybrid mode. Both have their own pros and cons. Microsoft still recommends hybrid mode, because then you have the best of both worlds. Point is, I'm not convinced anymore. Both ConfigMgr and Intune are great products, but Intune still needs some development on new features. Customers are not always convinced by the solution, asking for more enterprise features.
Looking at my experience so far, I see the following:
Intune standalone (pros):
-Easy to set up, Software as a Service (SaaS) solution;
-Can be managed from anywhere with internet access;
-Very fast in delivering applications and/or policies (!);
-Can be used for both patch management & antivirus on endpoints with internet access;
-New features are released immediately.
Intune standalone (cons):
-With ConfigMgr in place, two consoles for management;
-On some parts, fewer features than hybrid mode;
-You need to sign in at every application change.
ConfigMgr hybrid mode (pros):
-Recommended configuration by Microsoft;
-Best of both worlds in a single management console;
-More features than Intune standalone;
-Deployment types and deployments are easier to handle.
ConfigMgr hybrid mode (cons):
-Less easy to set up; on-premises ConfigMgr infrastructure needed;
-Cannot be managed from anywhere, on-premises ConfigMgr console needed;
-Way slower in delivering applications and/or policies (!);
-Cannot be used for both patch management & antivirus on endpoints with internet access, because you need DirectAccess or internet-based client management (IBCM) for that;
-New features are released more slowly in hybrid mode.

So yes, Microsoft is working on the feature part, and new features now become available in ConfigMgr hybrid mode sooner. This is because of the Service Connection Point in ConfigMgr Current Branch.
But what's most annoying: you cannot have both patch management & antivirus on endpoints with internet access, because a ConfigMgr agent will be present on the device, not an Intune agent pointing to a SaaS solution. Therefore additional solutions like DirectAccess or internet-based client management (IBCM) are needed.

And overall: when deploying applications and/or policies from Intune standalone, they are applied in a few seconds. Within ConfigMgr hybrid mode it can take multiple hours (or more) before something happens. Still I truly believe in ConfigMgr hybrid mode, having the best of both worlds. But Microsoft still needs to do some development for a way better experience there! Hope they will soon :-)

More on that in a next blogpost. Thanks for reading.
Read more on part 2 and part 3

Thursday, April 14, 2016

Enroll in to device management in Windows 10 not possible

In Windows 10 (on both Mobile and the full OS) you can do the following: Enroll in to device management. This works on both domain-joined and non-domain-joined devices where no ConfigMgr agent is present. When trying to enroll a new Windows 10 device, however, the following message may be displayed: System policies prevent you from connecting to a work or school account. Contact your support person for more information.

This is because the logged-on account does not have enough permissions. The trick is that you need local or domain admin permissions for it.

When logged in with local or domain admin permissions, enrollment is available as expected. When enrollment is done, the following message is displayed: Well done! You're connected to work or school.

When logged in with user permissions again, enrollment is still not available, because the following message is displayed: Another user on the system is already connected to a work or school. Please remove that work or school connection and try again.

If you ask me, all those messages are a bit misleading. Why not mention that you need special permissions for enrollment, instead of showing that system policies prevent you from connecting to a work or school account? That would help for sure!

Hope this will be more clear in a future release.

Source which points me to the solution: Kevin Kaminski's Virtual World

Wednesday, April 13, 2016

Issue in ConfigMgr Current Branch (1602) with Intune subscription

When using ConfigMgr in hybrid mode (with Intune integration), both fat clients and mobile devices can be managed within the same console. When you have an Intune subscription in place within ConfigMgr Current Branch (1602), all seems okay, but when changing the subscription to another one you may experience a problem. In that situation enrollment of devices doesn't work anymore.

The case is that within ConfigMgr a certificate is present named SC_Online_Issuing. This certificate is used by ConfigMgr to communicate with the connected Intune subscription. The problem is that when changing the Intune subscription, the certificate is not updated (because of a permission issue), causing issues on the new subscription. The message displayed on the certificate is: Windows does not have enough information to verify this certificate.

Let's have a look at some log files and the steps that led to a solution.

When changing the Intune subscription, have a look in dmpdownloader.log. It mentions:
-ERROR: FastDownload Exception: [Microsoft.Management.Services.Common.SecurityTokenValidationException: An error has occurred - Operation ID (for customer support):
-Certmgr has not installed certificate yet, sleep for 1 minutes. Check whether the site has Intune subscription.

Have a look in dmpuploader.log too. It mentions:
-WARNING: Cannot find a suitable certificate.
-ERROR: Exception occurred while calling REST UserAuth Location service The Dmp Connector failed to read the connector certificate.
-ERROR: StartUpload exception: [Failed to read any connector certificate]

I did a lot to solve the issue, but none of it led to a solution:
-Restart the Primary Site server;
-Intune subscription re-installation;
-Service Connection point re-installation;
-Check SC_Online_Issuing certificate;
-Check a lot of websites and log files.

After multiple hours of troubleshooting I solved it this way:
-Remove SC_Online_Issuing certificate
-Check dmpdownloader.log and dmpuploader.log (WARNING: Cannot find a suitable certificate)
-Remove Intune subscription & Service Connection Point
-Restart the Primary Site server
-Add the Intune subscription again
-Install the Service Connection Point again
-Check if the certificate is present again

After that the new Intune subscription was working fine again, and enrollment was possible. The following messages are now displayed in dmpuploader.log:
-Found connector certificate with subject 'CN='

-Retreive cloud service version
-Account Action invoker thread is starting
-FastUpload thread is starting
-On Prem devfice notification thread is starting
-Ping cloud

Very happy that it works again, but this feels like a big issue in ConfigMgr Current Branch! When changing the Intune subscription again, the issue will be back and all steps must be taken again.

Source which pointed me to the solution:

This is the resolution from Microsoft!
Go to Administration > Cloud Services, right-click the Intune Subscription and choose Configure Platforms. Uncheck Windows Phone 8.1, apply the change, then check it again.
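Before going through the remove-and-reinstall sequence above, it helps to confirm quickly whether the site is in the state the log lines describe. The script below is an added example and not part of the original post: it lists any certificate issued by SC_Online_Issuing on the site server, checks whether its chain builds (the console's "not enough information to verify this certificate" is a chain build failure), and greps dmpdownloader.log and dmpuploader.log for the exact messages quoted in the post, limited to recent entries. It assumes it runs on the site server that hosts the service connection point, that ConfigMgr keeps the connector certificate in the local computer SMS store (check certlm.msc, SMS > Certificates, if yours is elsewhere), and that the log directory is the Logs folder under the installation directory recorded in the SMS Identification registry key; all of those are assumptions, not facts from the post.

```powershell
# Added example: check the SC_Online_Issuing connector certificate and the DMP
# connector logs on the site server. Store location and log path are assumptions.
#Requires -RunAsAdministrator
param(
    [string]$LogDir = (Join-Path (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\SMS\Identification').'Installation Directory' 'Logs'),
    [int]$Hours = 24
)

# 1. Connector certificate: anything in the SMS store issued by SC_Online_Issuing.
$certs = Get-ChildItem Cert:\LocalMachine\SMS -ErrorAction SilentlyContinue |
    Where-Object { $_.Issuer -like '*SC_Online_Issuing*' }
if (-not $certs) {
    Write-Warning 'No certificate issued by SC_Online_Issuing in the SMS store (matches "Cannot find a suitable certificate").'
}
foreach ($c in $certs) {
    # Test-Certificate builds the chain; a failure here is what the console shows
    # as "Windows does not have enough information to verify this certificate".
    $chainOk = Test-Certificate -Cert $c -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Subject    = $c.Subject
        Issuer     = $c.Issuer
        NotAfter   = $c.NotAfter
        Thumbprint = $c.Thumbprint
        HasKey     = $c.HasPrivateKey
        ChainOk    = [bool]$chainOk
    }
}

# 2. The log messages quoted in the post, from the last $Hours hours only.
$patterns = 'Cannot find a suitable certificate',
            'failed to read the connector certificate',
            'Failed to read any connector certificate',
            'Certmgr has not installed certificate yet',
            'Found connector certificate'
$since = (Get-Date).AddHours(-$Hours)
foreach ($log in 'dmpdownloader.log', 'dmpuploader.log') {
    $path = Join-Path $LogDir $log
    if (-not (Test-Path $path)) { Write-Warning "$path not found"; continue }
    Get-Content $path | Select-String -Pattern $patterns | ForEach-Object {
        # CMTrace-style lines end with <time="HH:mm:ss.fff+zzz" date="MM-dd-yyyy" ...>
        if ($_.Line -match 'time="(?<t>\d{2}:\d{2}:\d{2}\.\d{3})[^"]*"\s+date="(?<d>\d{2}-\d{2}-\d{4})"') {
            try {
                $ts = [datetime]::ParseExact("$($Matches.d) $($Matches.t)", 'MM-dd-yyyy HH:mm:ss.fff', $null)
                if ($ts -lt $since) { return }   # skip older entries
            } catch { }                          # unparseable stamp: show the line anyway
        }
        '{0}: {1}' -f $log, ($_.Line -replace '<!\[LOG\[|\]LOG\]!>.*$', '')
    }
}
```

A certificate that is present with its private key but fails the chain check is the situation the post describes; a store with no SC_Online_Issuing certificate at all corresponds to the "Cannot find a suitable certificate" warning after the certificate has been removed and before the reinstalled subscription has issued a new one.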

Friday, April 8, 2016

Some small bugs found in ConfigMgr Current Branch (1602)

Over the last few days I used ConfigMgr Current Branch a lot. A few small bugs were seen, and a big one too. That one is mentioned in another blogpost; it was about changing an Intune subscription or tenant in the ConfigMgr console. I did see some small bugs too, which I reported as well. Let's have a look at them.

When connecting an Intune subscription without the new Service Connection Point in place, the following message is displayed: To enable use the Add Site System Roles wizard to add the Intune Connector role. Then, click Configure Platforms to enable the necessary platforms. This should mention the new Service Connection Point instead.

When creating a new application, based on Windows app package in the Windows Store, the following message is displayed: "To identify the Windows Store link for this application, browse to a computer that has the application installed."

This was indeed the situation in earlier versions, but when clicking "Browse" now, the Windows Store is opened instead of browsing to a computer. Way better, but misleading this way.

When creating applications/apps for Windows 10 Mobile, you must choose Windows Phone app package in the Windows Phone Store. Why not Windows app package in the Windows Store? (All Windows Stores are merged now.)

When creating Configuration Items or Compliance Settings for Windows 10 Mobile, sometimes they are found beneath Windows Phone, other times beneath Windows 8.1 and 10. Not sure if Microsoft knows where to find Windows 10 Mobile either :-)
Within the mobile device settings the OS is called both Windows 10 Mobile and Windows Mobile 10 (the other way around).

As mentioned in an earlier blogpost, Health Attestation isn't working for Windows devices yet. The only device mentioned there is a mobile device. Hope it will be available in a later release.

Probably there are more (small) bugs found in ConfigMgr Current Branch (1602), so just use comments to mention them!

Update 13-4: When doing a full wipe on Windows Phone or Android devices, the following message is displayed: "This device might have Activation Lock enabled and might require the user's Apple id and password to be entered to be reactivated." This seems to be a message for Apple devices, not for other devices?

All bugs mentioned have been reported as well.
Hope it helps!

Wednesday, April 6, 2016

Update KMS hosts for Windows 10 activation

Last month I did a blogpost on usage of the Microsoft Office 2016 KMS Host or ADBA License Pack. This time I want to show you what's needed to update existing KMS hosts for Windows 10 activation.

When KMS is installed on Windows Server 2008 R2 a hotfix is needed. It can be found here: Microsoft

After that a special key is needed. It's called Windows Srv 2012R2 DataCtr/Std KMS for Windows 10. You can find it in the following location:

On the Volume Licensing Service Center go to Licenses > Relationship Summary, instead of 'Downloads and Keys' where you normally find keys. Navigate to the License ID and open its details, then select Product Keys. There you will find the key needed for Windows 10 activation mentioned earlier.

Just use the commands slmgr -ipk <product key> and slmgr -ato on your KMS host to update it for Windows 10 activation, and you will be fine! This also works on Windows Server 2008 R2 :-)
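The two slmgr commands can also be driven from PowerShell through the Software Licensing WMI classes, which is handy when several KMS hosts need the same change and you want a verification step in the same script. The script below is an added example and not from the original post. It prompts for the key rather than embedding it (a KMS host key is a credential for your volume licence agreement and should not end up in a script repository), installs and activates it via the same service slmgr uses, and then reports whether the host now identifies itself as a KMS machine. It uses Get-WmiObject and New-Object so it also runs on the PowerShell 2.0 that ships with Windows Server 2008 R2; run it from an elevated prompt.

```powershell
# Added example: install and activate the KMS host key via WMI, then verify.
# Equivalent to slmgr -ipk <key> followed by slmgr -ato. Run elevated.
$key = Read-Host 'KMS host key (xxxxx-xxxxx-xxxxx-xxxxx-xxxxx)'
if ($key -notmatch '^([A-Z0-9]{5}-){4}[A-Z0-9]{5}$') { throw 'Not a 5x5 product key' }
$partial = $key.Substring($key.Length - 5)       # only the last 5 characters are ever stored

$svc = Get-WmiObject -Class SoftwareLicensingService
$svc.InstallProductKey($key) | Out-Null            # slmgr -ipk
$svc.RefreshLicenseStatus()  | Out-Null

# The product that now carries the key is the Windows installation itself;
# find it by the partial key and activate it (slmgr -ato).
$prod = Get-WmiObject -Class SoftwareLicensingProduct -Filter "PartialProductKey IS NOT NULL" |
    Where-Object { $_.PartialProductKey -eq $partial }
if (-not $prod) { throw 'Installed key not found on any licensing product' }
$prod.Activate() | Out-Null
$svc.RefreshLicenseStatus() | Out-Null

# Re-read both objects and report. LicenseStatus 1 = Licensed; IsKmsHost must be
# true before clients can count against the activation threshold.
$prod = Get-WmiObject -Class SoftwareLicensingProduct -Filter "ID = '$($prod.ID)'"
$svc  = Get-WmiObject -Class SoftwareLicensingService
New-Object PSObject -Property @{
    Name            = $prod.Name
    Channel         = $prod.Description          # license channel text, same as slmgr -dlv shows
    LicenseStatus   = $prod.LicenseStatus        # 1 = Licensed
    IsKmsHost       = [bool]$prod.IsKeyManagementServiceMachine
    KmsCurrentCount = $svc.KeyManagementServiceCurrentCount
}
```

After the change, slmgr -dlv on the host should show the same channel text; remember that Windows 10 clients only activate once the host's current count has reached 25, so a freshly updated host reports a low count until enough clients have contacted it.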

Activating Windows 10 on Windows Server 2008 R2, Windows Server 2012 and 2012 R2 KMS hosts
Windows 10 KMS Requirements (outdated)
Find and Update Your KMS Service Host Key To Activate Windows 10

Monday, April 4, 2016

Health attestation in ConfigMgr Current Branch (1602)

Within ConfigMgr Current Branch (1602) a new feature called Health Attestation is available. It can be found under 'Client Settings > Enable communication with Health Attestation Service = Yes' and under 'Monitoring > Security > Health Attestation'.

With Health Attestation the administrator can ensure that client computers have the following trustworthy BIOS, TPM and boot software configurations enabled:

-Early-launch antimalware (ELAM) - protects your computer when it starts up, before third-party drivers initialize.
-BitLocker - software that lets you encrypt all data stored on the Windows operating system volume.
-Secure Boot - a security standard developed by members of the PC industry to help make sure that your PC boots using only software that is trusted by the PC manufacturer.
-Code Integrity - a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory.
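While waiting for the dashboard to fill up, the same four settings can be read locally on a Windows 10 device to see what the service should be reporting. The script below is an added example, not part of the original post or of ConfigMgr. Two things to keep in mind: it is an unattested read, meaning the values come from the very OS being checked and are only as trustworthy as that OS, whereas the Health Attestation service relies on TPM-signed boot measurements, which is the whole point of the feature; and it makes some assumptions that are labelled in the comments (Windows 10 run elevated, ELAM detected through drivers registered in the "Early-Launch" load order group, Code Integrity read from the boot configuration on an English-language system).

```powershell
# Added example: local, unattested read of the four settings the Health
# Attestation dashboard reports (Secure Boot, BitLocker, Code Integrity, ELAM).
#Requires -RunAsAdministrator

function Get-LocalHealthAttestationState {
    # Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS machines, which counts as off.
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    # BitLocker on the OS volume: 'On' means protection is active, not merely configured.
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $bitLocker = [bool]($bl -and $bl.ProtectionStatus -eq 'On')

    # Code Integrity: treated as enabled unless test signing or nointegritychecks is
    # switched on in the current boot entry. Assumes English bcdedit output ("Yes").
    $bcd = & bcdedit /enum '{current}' 2>$null
    $testSigning = [bool]($bcd -match '^\s*testsigning\s+Yes')
    $noIntegrity = [bool]($bcd -match '^\s*nointegritychecks\s+Yes')
    $codeIntegrity = -not ($testSigning -or $noIntegrity)

    # ELAM: drivers registered in the Early-Launch group (assumption; WdBoot for Windows Defender).
    $elamDrivers = Get-ChildItem HKLM:\SYSTEM\CurrentControlSet\Services |
        Where-Object { (Get-ItemProperty $_.PSPath -Name Group -ErrorAction SilentlyContinue).Group -eq 'Early-Launch' } |
        ForEach-Object { $_.PSChildName }
    $elam = [bool]$elamDrivers

    # A TPM is a precondition for attestation at all, so report it alongside.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SecureBoot    = $secureBoot
        BitLocker     = $bitLocker
        CodeIntegrity = $codeIntegrity
        ELAM          = $elam
        ElamDrivers   = ($elamDrivers -join ',')
        TpmPresent    = [bool]($tpm -and $tpm.TpmPresent)
        TpmReady      = [bool]($tpm -and $tpm.TpmReady)
    }
}

$state = Get-LocalHealthAttestationState
$state
# Same view as the dashboard's "Top Missing Health Attestation Settings", for one device.
$missing = 'SecureBoot', 'BitLocker', 'CodeIntegrity', 'ELAM' | Where-Object { -not $state.$_ }
if ($missing) { "Missing: $($missing -join ', ')" } else { 'All four settings enabled' }
```

If this local read and the dashboard disagree, trust the dashboard: a compromised or misconfigured OS can report whatever it likes here, but it cannot forge the TPM-signed boot log the attestation service evaluates.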

Very nice to see there's a new dashboard too, which shows the following information:
-Health Attestation Status - share of devices in compliant, noncompliant, error, and unknown states
-Devices Reporting Health Attestation - percentage of devices reporting Health Attestation status
-Noncompliant Devices by Client Type - share of mobile devices and computers that are noncompliant
-Top Missing Health Attestation Settings - number of devices missing the health attestation setting, listed per setting

Unfortunately the functionality is not working yet. Hope it will be available in a later release. Very nice to see new functionality every few months! Microsoft is doing a good job here :-)

Update 5-4: After waiting some time there is something visible now. A mobile device is added, which is missing BitLocker and Early-launch antimalware. Not as much as expected.. Hope to see more soon!

Friday, April 1, 2016

My contributions on the Microsoft TechNet Gallery

Besides sharing my knowledge on the Microsoft TechNet Forums (mostly on ConfigMgr OS deployment), I want to share some handy scripts too. Therefore I made some contributions to the Microsoft TechNet Gallery. Hope you like them as much as I do.

Set Computername during deployment
Show Computername during deployment
Match SCCM content library with WMI

When handy, please leave a comment and give a rating ;)

My TechNet profile: Henk_Hoogendoorn