SCCM: Co-management setup with SCCM Client installation

I decided to set up a test lab for co-management. Here is what I have:

Azure AD tenant. In addition to Primary *.onmicrosoft.com I have multiple custom domains registered.

SCCM 1806 on-prem

I started from deploying CMG as demonstrated in Justin’s video: https://www.youtube.com/watch?v=kTOPhVHyZtE 

The only difference – I did not use internal domain name for CMG, just left it as myname.cloudapp.net. That allowed me to avoid CNAME requirement.

after that I configured co-management as per https://www.youtube.com/watch?v=rTapalSHv6U

but unfortunately SCCM client was not installed on my test machine joined to Azure AD.

I am using enhanced HTTP on SCCM side; my internal MP operates in HTTP mode and there is no certificate installed on the the Client. I tried to be as close as possible to real BYOD scenario.

After some troubleshooting I sent the question to Technet forums https://social.technet.microsoft.com/Forums/en-US/4a7bb933-0f6e-4588-a5a1-c3b71f38d090/sccm-1806-client-installation-from-cmgdp?forum=ConfigMgrMDM 

Based on the forum discussion I replaced Intune MSI-based SCCM Client deployment to W32 App which Microsoft has currently in preview. Just as Martin recommended: https://www.imab.dk/deploy-the-sccm-client-using-microsoft-intune-and-the-cloud-management-gateway-no-pki-certificates/

Nick provided great help with tokens troubleshooting. I found his article here: https://nhogarth.net/2018/10/26/sccm-1806-cmg-hybrid-azure-ad-failed-to-get-ccm-access-token/

And do not forget to Approve the Client in SCCM console (at least in my case it was a workgroup machine and auto-approval was not enabled on SCCM).

It took ~15 min after approval before the Client got policy from SCCM MP.

After all everything is working, but took some time with research and troubleshooting…

Advertisements

SCCM: CMG Connector Analyzer fails

I installed Cloud MAnagement GAteway in my SCCM environment and ran CMG Connector Analyzer. It failed on the last test with

Failed to get ConfigMgr token with Azure AD token. Status code is ‘403’ and status description is ‘CMGConnector_Un-authorizedrequest’.
A possible reason for this failure is the CMG connection point failed to forward the message to the management point. The management point returned the following error: ‘Un-authorizedrequest’.

it turned out the account I used for the test has MFA and it looks like the Analyzer cannot handle that. So I signed in with a regular non-MFA account and this time the Connector passed successfully:

Azure: App Service cannot connect to vnet-base VM

Bumped into unusual issue today:

I do have a SQL Reporting Services VM on one of my Azure Vnets. I also have several App Services (Web Applications ) connected to it. Normally when I set up VNet integration for App Service Azure creates a P2S SSL VPN and routes 10.0.0.0/8, 172.16.0.0/16 and 192.168.0.0/16 ranges to the tunnel. An everything works fine.

I created a new App Service and configured it for Vnet Integration. Surprisingly the app was not able to connect to SSRS.

I ran Kudu debug console and found tcpping from the App to SSRS failed.

It turned out during P2S VPN creation Azure for some reasons added only 10.10.0.0/16 qnd 10.20.0.0/16 (???) as the tunnel destination.

Resolution: I added IP address of my SSRS to the table and successfully connected to the Web Service of my SSRS. I guess that happened because I an using hub-and-spoke for my vnet. The only question why it was working before for other App Services 

Hyper-V: Automatic VM Activation keys

AVMA keys used to automatically activated VMs running on a Hyper-V host are available here: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn303421(v=ws.11)#avma-keys

Windows 10: Cannot connect to Hyper-V after upgrade to 1809

I upgraded my W10 machine to 1809 (just before the fiasco forcing MS to stop delivery). My documents are intact, but what I found – Hyper-V on the machine cannot be connected anymore.

When I started Hyper-V MMC it did not connect to the local machine automatically and when I tried to force it I received and error:

“An error occurred while attempting to connect to server “xxx”. Check that the Virtual Machine Management service is running and that you are authorized to connect to the server.”

After some googling I found a solution from Anders Hanson which worked for me:

1. Open “Window Security”

2. Open “App & Browser control”

3. Click “Exploit protection settings” at the bottom

4. Switch to “Program settings” tab

5. Press “+” sign to add an exact path to a file or locate “C:\WINDOWS\System32\vmcompute.exe” in the list and expand it

6. Click “Edit”

7. Scroll down to “Code flow guard (CFG)” and uncheck “Override system settings”

8. Start vmcompute from powershell “net start vmcompute”

here is the original trail

Azure: Free Public cert for a Lab

Recently I needed a free certificate for my Azure Lab. With StartSSL stopped service since Jan 2018 there are still several options left. For example Comodo gives a 90-days trial.

I decided to try Let’s Encrypt service.

Since the service is free (donates are welcome) the process requires some work.

Luckely, I discovered a convenient tool developed by Sverrir Sigmundarson. It work in combination with Let’s Encrypt API Web site https://gethttpsforfree.com/

There is a nice Video Manual at https://www.youtube.com/watch?v=CzbZKrYo7HA

The tool itself is available on Github: https://github.com/sverrirs/GetHttpsForFree-UI

At the end of the process you get a certificate signed by the Public CA. to bind a private key and convert to PFX use OpenSSL command:

openssl pkcs12 -export -in Cert_cert.crt -inkey domain.key -out cert.pfx

Azure: WEB Listener cannot be deleted on Azure Application Gateway

Recently I had a project where I needed to put an Azure App Service behind App Gateway.

The Customer also asked to create HTTP-HTTPS redirection for better and-user experience.

I created two listeners (for port 80 and 443) and two rules: one for traffic on port 443 to redirect to my backend pool and the second one for traffic on port 80 – to redirect to my 443 listener. Everything worked fine. We progressed with the project and at a certain time needed to remove the listeners.

From my previous experience I knew – you never delete rules first – delete the listener first. Since we did have a redirection I deleted port 80 listener first. Azure kindly deleted associated rule. At least it is disappeared

Next I tried to delete 443 Listener and at that point got an error saying:

“Failed to save configuration changes to application gateway…. Error: Resource <Path to my 443 Listener> referenced by resource <Path to my HTTP-HTTPS redirection rule> was not found. Please make sure that the referenced resource exists and both resources are in the same region.”

Sounds weird taking in consideration I did not see the redirection rule in GUI.

So I brought Azure CLI (for some reasons MS provided commands for CLI, or maybe I just did not find those for PowerShell) and run

az network application-gateway redirect-config show -g <resource group name> –gateway-name <gateway name>

sure enough the rule was still there.

after that I run

az network application-gateway redirect-config delete –g <resource group name> –gateway-name <gateway name> –n <rule name>

and this time the rule was deleted completely.

After that the remaining listener was deleted without problems.

Azure: Azure File Sync–registered servers are offline

I am working with Azure File Sync service, it is GA last week and I have a Customer who requires a scenario where AFS can fit.

I tested workgroup servers with AFS in my Lab and everything was ok. After that I decided to check ACL transfer for domain machines. So I brought a DC and joined the servers to the domain. It was working and I successfully tested ACL transfer .

I finished tests, stopped VMs.

Today I started them back and found my AFS Service shows both servers offline and Server end-point Health is in Error state. I tried to restart services, reboot etc.. nothing helped. I tried to remove endpoint – the task failed with time out. Finally I succeeded to unregister one of servers and  re-install Storage Sync Client on it; rebooted and re-register. It came back nice and green.

So took a look at the dashboard and found the server name is changed to FQDN for the fixed server, but still a NETBIOS for the server who is offline state.

I guess if the server name changed, or a server is added to a domain the AFS client should be reinstalled…

SCCM: Windows 10 1803 lost Office 365 shortcuts in Start menu

A while ago I prepared a StartLayout.xml file to customize Start Screen for one of my Customers.

He called me today saying everything worked fine for Windows 10 1703 and 1709, but as soon as he created an image for Windows 10 1803, Office 365 Applications shortcuts are disappeared (except One Note).

Sure enough, Microsoft decided it is a good idea to change shortcut names for all apps except One  Note

so whatever was   “Word 2016.lnk” is “Word.lnk” now! Great idea.

So I needed to create another Startlayout.xml file for 1803 image now. Leaving One Note with “2016”  

version for pre-Windows 10 1803:

<LayoutModificationTemplate xmlns:defaultlayout=”http://schemas.microsoft.com/Start/2014/FullDefaultLayout” xmlns:start=”http://schemas.microsoft.com/Start/2014/StartLayout” xmlns=”http://schemas.microsoft.com/Start/2014/LayoutModification” xmlns:taskbar=”http://schemas.microsoft.com/Start/2014/TaskbarLayout” Version=”1″>   <LayoutOptions StartTileGroupCellWidth=”6″ />   <DefaultLayoutOverride>     <StartLayoutCollection>       <defaultlayout:StartLayout GroupCellWidth=”6″>         <start:Group Name=”Genaral”>           <start:Tile Size=”2×2″ Column=”0″ Row=”0″ AppUserModelID=”microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.calendar” />           <start:SecondaryTile AppUserModelID=”Microsoft.WindowsAlarms_8wekyb3d8bbwe!App” TileID=”LocalTime” DisplayName=”” Size=”4×2″ Column=”2″ Row=”0″ Arguments=”TIMEAPP_CITY_TILE_TYPE” Square150x150LogoUri=”ms-appx:///Assets/WorldClockMedTile.png” Wide310x150LogoUri=”ms-appx:///Assets/WorldClockWideTile.png” ShowNameOnSquare150x150Logo=”true” ShowNameOnWide310x150Logo=”true” BackgroundColor=”#00000000″ ForegroundText=”light” />         </start:Group>         <start:Group Name=”Office”>           <start:DesktopApplicationTile Size=”2×2″ Column=”0″ Row=”0″ DesktopApplicationLinkPath=”%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Word 2016.lnk” />           <start:DesktopApplicationTile Size=”2×2″ Column=”2″ Row=”0″ DesktopApplicationLinkPath=”%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Outlook 2016.lnk” />           <start:DesktopApplicationTile Size=”2×2″ Column=”4″ Row=”2″ DesktopApplicationLinkPath=”%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Skype for Business 2016.lnk” />           <start:DesktopApplicationTile Size=”2×2″ Column=”4″ Row=”0″ DesktopApplicationLinkPath=”%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Excel 2016.lnk” />           <start:DesktopApplicationTile Size=”2×2″ Column=”0″ Row=”2″ DesktopApplicationLinkPath=”%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\PowerPoint 2016.lnk” />           <start:DesktopApplicationTile Size=”2×2″ Column=”2″ Row=”2″ DesktopApplicationLinkPath=”%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\OneNote 2016.lnk” />         </start:Group>         <start:Group Name=”Revera Tools”>           <start:DesktopApplicationTile Size=”2×2″ Column=”0″ Row=”0″ DesktopApplicationLinkPath=”%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Cisco\Cisco AnyConnect Secure Mobility Client\Cisco AnyConnect Secure Mobility Client.lnk” />           <start:DesktopApplicationTile Size=”2×2″ Column=”2″ Row=”0″ DesktopApplicationLinkPath=”%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk” />           <start:DesktopApplicationTile Size=”2×2″ Column=”4″ Row=”0″ DesktopApplicationLinkPath=”%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk” />         </start:Group>         <start:Group Name=”Browsers”>           <start:DesktopApplicationTile Size=”2×2″ Column=”0″ Row=”0″ DesktopApplicationLinkPath=”%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk” />           <start:DesktopApplicationTile Size=”2×2″ Column=”2″ Row=”0″ DesktopApplicationLinkPath=”%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk” />         </start:Group>       </defaultlayout:StartLayout>     </StartLayoutCollection>   </DefaultLayoutOverride>     <CustomTaskbarLayoutCollection PinListPlacement=”Replace”>     <defaultlayout:TaskbarLayout>       <taskbar:TaskbarPinList>         <taskbar:DesktopApp DesktopApplicationLinkPath=”%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk”/>         <taskbar:DesktopApp DesktopApplicationLinkPath=”%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk”/>       </taskbar:TaskbarPinList>     </defaultlayout:TaskbarLayout>   </CustomTaskbarLayoutCollection> < /LayoutModificationTemplate>

version for Windows 10 1803

<LayoutModificationTemplate xmlns:defaultlayout=”http://schemas.microsoft.com/Start/2014/FullDefaultLayout” xmlns:start=”http://schemas.microsoft.com/Start/2014/StartLayout” xmlns=”http://schemas.microsoft.com/Start/2014/LayoutModification” xmlns:taskbar=”http://schemas.microsoft.com/Start/2014/TaskbarLayout” Version=”1″>    <LayoutOptions StartTileGroupCellWidth=”6″ />    <DefaultLayoutOverride>      <StartLayoutCollection>        <defaultlayout:StartLayout GroupCellWidth=”6″>          <start:Group Name=”Genaral”>            <start:Tile Size=”2×2″ Column=”0″ Row=”0″ AppUserModelID=”microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.calendar” />            <start:SecondaryTile AppUserModelID=”Microsoft.WindowsAlarms_8wekyb3d8bbwe!App” TileID=”LocalTime” DisplayName=”” Size=”4×2″ Column=”2″ Row=”0″ Arguments=”TIMEAPP_CITY_TILE_TYPE” Square150x150LogoUri=”ms-appx:///Assets/WorldClockMedTile.png” Wide310x150LogoUri=”ms-appx:///Assets/WorldClockWideTile.png” ShowNameOnSquare150x150Logo=”true” ShowNameOnWide310x150Logo=”true” BackgroundColor=”#00000000″ ForegroundText=”light” />          </start:Group>          <start:Group Name=”Office”>            <start:DesktopApplicationTile Size=”2×2″ Column=”0″ Row=”0″ DesktopApplicationLinkPath=”%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Word.lnk” />            <start:DesktopApplicationTile Size=”2×2″ Column=”2″ Row=”0″ DesktopApplicationLinkPath=”%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Outlook.lnk” />            <start:DesktopApplicationTile Size=”2×2″ Column=”4″ Row=”2″ DesktopApplicationLinkPath=”%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Skype for Business.lnk” />            <start:DesktopApplicationTile Size=”2×2″ Column=”4″ Row=”0″ DesktopApplicationLinkPath=”%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Excel.lnk” />            <start:DesktopApplicationTile Size=”2×2″ Column=”0″ Row=”2″ DesktopApplicationLinkPath=”%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\PowerPoint.lnk” />            <start:DesktopApplicationTile Size=”2×2″ Column=”2″ Row=”2″ DesktopApplicationLinkPath=”%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\OneNote 2016.lnk” />          </start:Group>          <start:Group Name=”Revera Tools”>            <start:DesktopApplicationTile Size=”2×2″ Column=”0″ Row=”0″ DesktopApplicationLinkPath=”%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Cisco\Cisco AnyConnect Secure Mobility Client\Cisco AnyConnect Secure Mobility Client.lnk” />            <start:DesktopApplicationTile Size=”2×2″ Column=”2″ Row=”0″ DesktopApplicationLinkPath=”%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk” />            <start:DesktopApplicationTile Size=”2×2″ Column=”4″ Row=”0″ DesktopApplicationLinkPath=”%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk” />          </start:Group>          <start:Group Name=”Browsers”>            <start:DesktopApplicationTile Size=”2×2″ Column=”0″ Row=”0″ DesktopApplicationLinkPath=”%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk” />            <start:DesktopApplicationTile Size=”2×2″ Column=”2″ Row=”0″ DesktopApplicationLinkPath=”%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk” />          </start:Group>        </defaultlayout:StartLayout>      </StartLayoutCollection>    </DefaultLayoutOverride>      <CustomTaskbarLayoutCollection PinListPlacement=”Replace”>      <defaultlayout:TaskbarLayout>        <taskbar:TaskbarPinList>          <taskbar:DesktopApp DesktopApplicationLinkPath=”%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk”/>          <taskbar:DesktopApp DesktopApplicationLinkPath=”%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk”/>        </taskbar:TaskbarPinList>      </defaultlayout:TaskbarLayout>    </CustomTaskbarLayoutCollection> </LayoutModificationTemplate>

Azure: How to create a group of devices deployed by Autopilot

With Intune update we can create a dynamic group containing all devices deployed by Autopilot (and use this group for Application and Policy assignments).

Here is how to do that (according MS doc):

Create an AutoPilot device group

1. In Intune in the Azure portal, choose Device enrollment > Windows enrollment > Devices.

2. In the Group blade:

   1. For Group type, choose Security.
   2. Type a Group name and Group description.
   3. For Membership type, choose either Assigned or Dynamic Device.

3. If you chose Assigned for Membership type in the previous step, then in the Group blade, choose Membersand add AutoPilot devices to the group. AutoPilot devices that aren’t yet enrolled are devices where the name equals the serial number of the device.

4. If you chose Dynamic Devices for Membership type above, then in the Group blade, choose Dynamic device members and type any of the following code in the Advanced rule box.

   • If you want to create a group that includes all of your AutoPilot devices, type (device.devicePhysicalIDs -any _ -contains "[ZTDId]")
   • If you want to create a group that includes all of your AutoPilot devices with a specific order ID, type: (device.devicePhysicalIds -any _ -eq "[OrderID]:179887111881")
   • If you want to create a group that includes all of your AutoPilot devices with a specific Purchase Order ID, type: (device.devicePhysicalIds -any _ -eq "[PurchaseOrderId]:76222342342")

   After adding the Advanced rule code, choose Save.

5. Choose Create.

Keep in mind dynamic group may take several hours to run a query to populate the group. Fortunately the sync can be forced from Devices node in Intune Autopilot section.