Intune: Configure Intune NDES Connector to get User certificates from Digicert (Symantec) Web Services

One of my Customers moving everything to Azure decided to replace internal Microsoft PKI with a managed solution from Digicert (Digicert bought Symantec certificate business recently).

At the present time Microsoft has an article describing Intune Configuration with Symantec PKI Manager Web Service: https://docs.microsoft.com/en-us/intune/certificates-symantec-configure

Unfortunately, it is not very clear what needs to be configured on Symantec (sorry, Digicert) side and I spent some time to get it working.

So, first of you need to talk to Digicert and get a Managed PKI environment.

After that, as per the article, generate a managed certificate and deploy your Managed PKI environment Root cert using Intune. It should be easy.

I took this certificate:

After that you need to add  a certificate profile on Symantec side (MS article does not provide any details on it):

I select Client Authentication (User)

Give your template a friendly name, select a PKI Web Services as Enrollment method and click Advanced Options:

Now we need to do an interesting trick. It is in “Troubleshooting” section of Microsoft article and apparently is required if your UPN have a special characters. I need it even though my UPN did not have them… So:

– Click Add field and select Common Name (CN) and Webservice Request. That will create a new Common Name tab at the bottom. DO NOT click Save

– Delete the old Common Name (CN) at the top of the list.

– You can customize other parameters. For example, I added an email as a Subject Alternative Name

– Now you can save

Copy Certificate Template OID, you will need it for Intune:

At this point you can Download/Install Intune Connector. The procedure is described well in the Microsoft article.

When the connector is up:

you can create an Intune PKSC 10 profile (I also added EKU even though it is not in the doc):

Save the settings, click Create the profile and assign it to a group of users.

After Intune policy update the certificate should be requested by Intune on a Client behalf and deployed to your device:

Advertisements

SCCM: CMG Provisioning Failed

Microsoft published an interesting Lab Set for Modern Desktop Management. Between projects I decided to install the kit and try Labs.

Here are some gotchas:

1. If Azure Account does not have an Azure Subscription in its own directory CMG installer cannot see the Subscription. Even if the account has rights to another subscription. I needed to create a new rial subscription linked to the same AAD to be able to proceed.

2. Even after that CMG provisioning failed. I checked the logs and found that Microsoft decided to not register Classic Compute (yes, CMG still uses Classic model). TO fix that I ran Powershell in Azure Portal and register requred provider:

register-azurermresourceprovider –providernamespace “Microsoft.ClassicCompute”

will see what additional surprises MS prepared…

SCCM: Client-Server traffic estimation

Found an interesting capacity test from SaudM. Can help to answer a Customer network team questions: https://blogs.technet.microsoft.com/manageabilityguys/2013/04/22/system-center-2012-configuration-manager-client-network-traffic-estimates-series-part-1-of-3/

SCCM: Server OS Upgrade on site server

Today I decided to test OS Upgrade on my SCCM 1810 site server. I never recommend it to my Customers preferring side-by-side as a cleaner solution, but since Microsoft listed it as a viable option I decided to see what will be an experience.

Original state: Windows Server 2012 R2 + SQL 2014 + SCCM 1810 with rollup and two updates

Target: Windows Server 2019 + SQL 2017 CU13 + SCCM 1810 with rollup and two updates

1. I started with SQL Upgrade

– SQL 2017 does not have reporting services, it should be installed separately. So, I guess ideally it make sense to backup database and recovery key for SSRS. Bot since I did not have any custom reports I decided just re-install SSRS. Note: SQL 2017 will uninstall SSRS, but leave its databases.

– SQL 2017 does not have SQL Management Studio, it should be installed separately. So I guess it make sense to uninstall SSMS before the upgrade. I did not do it, just installed the latest standalone SSMS on top, but I think it would be cleaner to uninstall the old one first.

– When I installed fresh SSMS the first time it miserably failed. I rebooted the machine and run installer again, at that time it finished successfully. 

– Since I did not delete SSRS databases and I did not bother backup recovery key I needed to create a new Reporting database with different name.

2. OS Upgrade.

– Check if there is any pending reboot

– Even though I did not have any my first upgrade failed. I rebooted the server and started again and this time OS upgraded successfully.

3. SCCM on new OS

– When I tried t start SCCM Console the connection to SCCM failed. I suspected some permission malfunctioning so I Reset the site using cd.latest folder. That did not help

– I found an forum post by Gordon Fecyk https://social.technet.microsoft.com/Forums/en-US/e1302081-fae4-4685-87ac-518636a14a24/permission-problems-after-os-upgrade-on-sccm-site-server?forum=ConfigMgrCBGeneral and checked WMI rights on my upgraded server – SMS\Site_Code was ok, but \SMS itself missed some permissions for SMS Admins group. I set the permissions as per the post and the Console connects to SCCM successfully.

– Software Update Point is down (in Server Console WSUS requires additional configuration. I fixed it using:

“%PROGRAMFILES%\Update Services\Tools\wsusutil.exe” postinstall CONTENT_DIR=f:\WSUS SQL_INSTANCE_NAME=”localhost”

– Reporting Point is down too – fixed by resetting reporting service access account (in properties of Reporting Service Point in SCCM Console).

Will see how SCCM will work now

Still prefer side-by-side…

Azure: Deploy One Drive Known Folder Move with Intune

I am preparing for an Autopilot project for one of my Customers. Microsoft recommends to use One Drive for Business for User data migration.

I tried a couple off approaches how it can be achieved with Intune:

1. Using OMA-DM as per Deploy OneDrive KFM with Microsoft Intune OMA-URI

2. Using Powershell Management Extension: How to deploy OneDrive Known Folder Move with Intune

Both approaches are working; personally I prefer OMA-DM hoping Microsoft will add this option to a standard profile options.

SCCM: Best Practice Tips and Tricks from systemcenterdudes

https://www.systemcenterdudes.com/sccm-best-practices/

Windows 10: Install RSAT

With 1803 MS includes RSAT into W10 Image as an optional feature. On Enterprise Edition it should be installed with Powershell as described here: http://woshub.com/install-rsat-feature-windows-10-powershell/

SCCM: Third-party Updates download failed with: “Error: Failed to download content ID XXXXXXX. Error: The thread is not in background processing mode”

I rebuilt my SCCM 1811 TP Lab and decided to offload WSUS content folder from my SCCM server. I put it on a file server where I do have my SCCM Source folders. Microsoft Updates worked just fine, but when I  tried to download an Adobe Update (used new SCCM Third-party Update support) I got “Error: Failed to download content ID <ID of my  update>. Error: The thread is not in background processing mode.

I checked Advanced settings of my WSUS App Pool and found the content share was registered incorrectly (“\\”  was missed) and content subfolders were not accessible.

so I fixed this issue firs (added “\\” before the server name and immediately could see the sub-folders.

 

Unfortunately that was not enough to resolve the issue. Luckily I found an article on Shavlik forum discussing similar issue.

So, for my Adobe update package I switch download settings from “Download Software Updates from Internet”

to “Download software updates from a location on my network”

This is weird – my old SCUP was working perfectly fine without that, but it looks like SCCM feature works differently now. Anyway, as soon as I did that my Adobe update was downloaded successfully:

SCCM: Co-management setup with SCCM Client installation

I decided to set up a test lab for co-management. Here is what I have:

Azure AD tenant. In addition to Primary *.onmicrosoft.com I have multiple custom domains registered.

SCCM 1806 on-prem

I started from deploying CMG as demonstrated in Justin’s video: https://www.youtube.com/watch?v=kTOPhVHyZtE 

The only difference – I did not use internal domain name for CMG, just left it as myname.cloudapp.net. That allowed me to avoid CNAME requirement.

after that I configured co-management as per https://www.youtube.com/watch?v=rTapalSHv6U

but unfortunately SCCM client was not installed on my test machine joined to Azure AD.

I am using enhanced HTTP on SCCM side; my internal MP operates in HTTP mode and there is no certificate installed on the the Client. I tried to be as close as possible to real BYOD scenario.

After some troubleshooting I sent the question to Technet forums https://social.technet.microsoft.com/Forums/en-US/4a7bb933-0f6e-4588-a5a1-c3b71f38d090/sccm-1806-client-installation-from-cmgdp?forum=ConfigMgrMDM 

Based on the forum discussion I replaced Intune MSI-based SCCM Client deployment to W32 App which Microsoft has currently in preview. Just as Martin recommended: https://www.imab.dk/deploy-the-sccm-client-using-microsoft-intune-and-the-cloud-management-gateway-no-pki-certificates/

Nick provided great help with tokens troubleshooting. I found his article here: https://nhogarth.net/2018/10/26/sccm-1806-cmg-hybrid-azure-ad-failed-to-get-ccm-access-token/

And do not forget to Approve the Client in SCCM console (at least in my case it was a workgroup machine and auto-approval was not enabled on SCCM).

It took ~15 min after approval before the Client got policy from SCCM MP.

After all everything is working, but took some time with research and troubleshooting…

SCCM: CMG Connector Analyzer fails

I installed Cloud MAnagement GAteway in my SCCM environment and ran CMG Connector Analyzer. It failed on the last test with

Failed to get ConfigMgr token with Azure AD token. Status code is ‘403’ and status description is ‘CMGConnector_Un-authorizedrequest’.
A possible reason for this failure is the CMG connection point failed to forward the message to the management point. The management point returned the following error: ‘Un-authorizedrequest’.

it turned out the account I used for the test has MFA and it looks like the Analyzer cannot handle that. So I signed in with a regular non-MFA account and this time the Connector passed successfully: