IT Consultant Everyday Notes

Just some problems/solutions storage

Tag Archives: Intune

Intune: Configure Intune NDES Connector to get User certificates from Digicert (Symantec) Web Services

One of my customers, who is moving everything to Azure, decided to replace their internal Microsoft PKI with a managed solution from Digicert (Digicert bought Symantec's certificate business recently).

At the time of writing, Microsoft has an article describing the Intune configuration with the Symantec PKI Manager Web Service: https://docs.microsoft.com/en-us/intune/certificates-symantec-configure

Unfortunately, it is not very clear what needs to be configured on the Symantec (sorry, Digicert) side, and I spent some time getting it working.

So, first of all you need to talk to Digicert and get a Managed PKI environment.

After that, as per the article, generate a managed certificate for the connector and deploy the root certificate of your Managed PKI environment to the devices using Intune. It should be easy.

I took this certificate:

[screenshot]

After that you need to add a certificate profile on the Symantec side (the MS article does not provide any details on it):

[screenshot]

I selected the Client Authentication (User) template:

[screenshot]

Give your template a friendly name, select PKI Web Services as the enrollment method and click Advanced Options:

[screenshot]

Now we need to do an interesting trick. It is in the “Troubleshooting” section of the Microsoft article and is apparently required if your UPNs contain special characters. I needed it even though my UPNs did not contain any… So:

– Click Add field, select Common Name (CN) and choose Webservice Request as its source. That creates a new Common Name tab at the bottom of the list, so the CN is now taken from the request Intune submits rather than generated by PKI Manager. DO NOT click Save yet.

– Delete the old Common Name (CN) entry at the top of the list:

[screenshot]

– You can customize other parameters. For example, I added the email address as a Subject Alternative Name:

[screenshot]

– Now you can click Save.

Copy the Certificate Template OID; you will need it for the Intune profile:

[screenshot]

At this point you can download and install the Intune Certificate Connector. The procedure is described well in the Microsoft article.

When the connector is up:

[screenshot]

you can create an Intune PKCS certificate profile (a PKCS #10 request; I also added an EKU even though it is not in the doc):

[screenshot]

Save the settings, click Create to create the profile, and assign it to a group of users.

After the Intune policy update, the certificate should be requested by Intune through the connector on the client's behalf and deployed to your device:

[screenshot]
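To confirm what actually landed on the device, here is a check I am adding to this post; it is my own example, not code from the Microsoft article or from Digicert. It assumes the PKCS profile delivered a user certificate into the current user's Personal store and that the issuer name contains “Digicert” (adjust $IssuerPattern to match your CA name). For each matching certificate it reports the subject (which should now be the CN the web service took from the request), the SAN, whether the Client Authentication EKU is present, whether a private key exists, and whether the chain builds against the Managed PKI root that Intune deployed:

```powershell
# Added verification example (not from the original post). Assumes the Intune PKCS
# profile deployed a user certificate into CurrentUser\My and that the issuing CA
# name contains "Digicert"; change $IssuerPattern for your environment.
$IssuerPattern = 'Digicert'

$certs = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -match $IssuerPattern }

if (-not $certs) {
    Write-Warning "No certificate issued by '$IssuerPattern' found in CurrentUser\My."
    return
}

foreach ($cert in $certs) {
    # Client Authentication EKU has OID 1.3.6.1.5.5.7.3.2
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasClientAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })

    # Subject Alternative Name extension (OID 2.5.29.17), rendered as text
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '<none>' }

    # Build the chain to make sure the Managed PKI root deployed by Intune is trusted.
    # Revocation is skipped so the check works offline; use 'Online' to also test CRL/OCSP.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        ClientAuthEKU = [bool]$hasClientAuth
        SAN           = $sanText
        ChainValid    = $chainOk
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}
```

Run it in the user's own PowerShell session (not as SYSTEM), since the profile targets users and the certificate lives in the user store. A certificate that shows HasPrivateKey false or ChainValid false will be present but useless for Wi-Fi or VPN authentication, which is usually the first symptom people see.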


Azure: Deploy One Drive Known Folder Move with Intune

I am preparing for an Autopilot project for one of my customers. Microsoft recommends using OneDrive for Business for user data migration.

I tried a couple of approaches to achieving this with Intune:

1. Using OMA-DM, as per “Deploy OneDrive KFM with Microsoft Intune OMA-URI”

2. Using the PowerShell Management Extension, as per “How to deploy OneDrive Known Folder Move with Intune”

Both approaches work; personally I prefer OMA-DM, hoping Microsoft will add this option to the standard profile settings.
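As an added illustration of the second approach (my own example, not the script from the linked article), the PowerShell below writes the OneDrive Known Folder Move policy values into the registry, which is what the PowerShell Management Extension route does when Intune runs the script as SYSTEM on the device. The tenant ID is a placeholder you replace with your own; the value names are the ones from the OneDrive ADMX template. The script only touches values that differ from the desired state, so re-running it is harmless:

```powershell
# Added example (not the script from the linked article). Sets the OneDrive Known Folder
# Move policies that the PowerShell Management Extension approach writes to the registry.
# $TenantId is a placeholder; replace it with your Azure AD tenant ID before deploying.
param(
    [ValidatePattern('^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$')]
    [string]$TenantId = '00000000-0000-0000-0000-000000000000'
)

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }

# Desired policy values (names as in the OneDrive ADMX template):
#   KFMSilentOptIn                 - tenant ID: move known folders silently for this tenant
#   KFMSilentOptInWithNotification - 1: show the user a notification after the silent move
#   KFMBlockOptOut                 - 1: prevent users from redirecting the folders back
$Desired = @{
    KFMSilentOptIn                 = @{ Value = $TenantId; Type = 'String' }
    KFMSilentOptInWithNotification = @{ Value = 1;         Type = 'DWord'  }
    KFMBlockOptOut                 = @{ Value = 1;         Type = 'DWord'  }
}

$changed = $false
foreach ($name in $Desired.Keys) {
    $current = (Get-ItemProperty -Path $PolicyPath -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $current -or "$current" -ne "$($Desired[$name].Value)") {
        New-ItemProperty -Path $PolicyPath -Name $name -Value $Desired[$name].Value `
            -PropertyType $Desired[$name].Type -Force | Out-Null
        $changed = $true
    }
}

# Exit code 0 is reported to Intune as success. If you package this as a Win32 app instead,
# a detection rule that checks KFMSilentOptIn equals the tenant ID is enough.
if ($changed) { Write-Output "KFM policy applied for tenant $TenantId" }
else          { Write-Output 'KFM policy already in place' }
exit 0
```

HKLM\SOFTWARE\Policies is not subject to WOW64 redirection, so the script works whether or not the Intune option to run it in a 64-bit host is selected. Leave KFMBlockOptOut out if you want users to be able to undo the move.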

SCCM: Co-management setup with SCCM Client installation

I decided to set up a test lab for co-management. Here is what I have:

An Azure AD tenant. In addition to the primary *.onmicrosoft.com domain I have multiple custom domains registered.

SCCM 1806 on-prem

I started by deploying a CMG as demonstrated in Justin’s video: https://www.youtube.com/watch?v=kTOPhVHyZtE

The only difference: I did not use an internal domain name for the CMG and just left it as myname.cloudapp.net. That allowed me to avoid the CNAME requirement.

After that I configured co-management as per https://www.youtube.com/watch?v=rTapalSHv6U

but unfortunately the SCCM client was not installed on my test machine joined to Azure AD.

I am using enhanced HTTP on the SCCM side; my internal MP operates in HTTP mode and there is no certificate installed on the client. I tried to stay as close as possible to a real BYOD scenario.

After some troubleshooting I posted the question on the TechNet forums: https://social.technet.microsoft.com/Forums/en-US/4a7bb933-0f6e-4588-a5a1-c3b71f38d090/sccm-1806-client-installation-from-cmgdp?forum=ConfigMgrMDM

Based on the forum discussion I replaced the Intune MSI-based SCCM client deployment with a Win32 app, which Microsoft currently has in preview, just as Martin recommended: https://www.imab.dk/deploy-the-sccm-client-using-microsoft-intune-and-the-cloud-management-gateway-no-pki-certificates/

Nick provided great help with token troubleshooting. I found his article here: https://nhogarth.net/2018/10/26/sccm-1806-cmg-hybrid-azure-ad-failed-to-get-ccm-access-token/

And do not forget to approve the client in the SCCM console (at least in my case it was a workgroup machine and auto-approval was not enabled in SCCM).

It took ~15 min after approval before the client got policy from the SCCM MP.
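Since the working path ended up being a Win32 app, here is an install wrapper I am adding to this post as an illustration; it is my own example, not Martin's or Nick's script. It runs ccmsetup.exe with the Azure AD parameters a no-PKI CMG install needs, waits for setup to finish, reads the result from ccmsetup.log, and then searches the client logs for the token failure Nick's article covers. Every value in $P is a placeholder: take the real ones from your CMG properties in the ConfigMgr console and from the Azure AD app registrations created by the Azure Services wizard.

```powershell
# Added example (not Martin's or Nick's script). Install command for packaging the ConfigMgr
# client as an Intune Win32 app so it installs over the CMG without PKI certificates, plus
# a check for the "Failed to get CCM access token" problem. All values in $P are placeholders.
$P = @{
    CmgProxy    = 'myname.cloudapp.net/CCM_Proxy_MutualAuth/72057594037928022' # CMG mutual-auth endpoint
    SiteCode    = 'PS1'
    TenantId    = '00000000-0000-0000-0000-000000000000'
    ClientAppId = '11111111-1111-1111-1111-111111111111'               # Azure AD "client" (native) app
    ResourceUri = 'https://contoso.onmicrosoft.com/ConfigMgrService'  # Azure AD "server" app ID URI
}

# ccmsetup.exe is shipped inside the Win32 app package next to this script
$setupExe  = Join-Path $PSScriptRoot 'ccmsetup.exe'
$setupArgs = @(
    "/mp:https://$($P.CmgProxy)"
    "CCMHOSTNAME=$($P.CmgProxy)"
    "SMSSITECODE=$($P.SiteCode)"
    "AADTENANTID=$($P.TenantId)"
    "AADCLIENTAPPID=$($P.ClientAppId)"
    "AADRESOURCEURI=$($P.ResourceUri)"
)

# The initial ccmsetup.exe hands off to a second ccmsetup process and returns early, so wait
# until no ccmsetup.exe is running before reading the real result from ccmsetup.log.
Start-Process -FilePath $setupExe -ArgumentList $setupArgs -Wait
while (Get-Process -Name ccmsetup -ErrorAction SilentlyContinue) { Start-Sleep -Seconds 15 }

$setupLog = 'C:\Windows\ccmsetup\Logs\ccmsetup.log'
$result = Select-String -Path $setupLog -Pattern 'CcmSetup is exiting with return code (\d+)' -ErrorAction SilentlyContinue |
    Select-Object -Last 1
$rc = if ($result) { [int]$result.Matches[0].Groups[1].Value } else { 1 }   # 0 = success, 7 = reboot required
Write-Output "ccmsetup finished with return code $rc"

# Token check: the client must obtain an Azure AD token to talk to the CMG. If the failure
# string below shows up, the AAD app values in $P do not match what the site expects.
$clientLogs  = 'C:\Windows\CCM\Logs\*.log'
$tokenErrors = Select-String -Path $clientLogs -Pattern 'Failed to get CCM access token' -ErrorAction SilentlyContinue
if ($tokenErrors) {
    $tokenErrors | Select-Object -Last 3 | ForEach-Object { Write-Warning "$($_.Filename): $($_.Line)" }
}
exit $rc
```

Intune runs the Win32 app install as SYSTEM, which is what ccmsetup needs. Nothing in the command references the internal MP, so a machine that never touches the corporate network still registers through the CMG, but it will still sit unapproved in the console until someone approves it or auto-approval is turned on.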

After all that, everything is working, but it took some time in research and troubleshooting…

Nokia Lumia 835: Camera application failed “Something went wrong”

I tried to take a quick photo and got a “Something went wrong” error on my phone.

I searched the Internet a bit and it looked like the issue is widespread; people most often send the device in for service since it is assumed to be a hardware issue.

I was almost there, but decided to think again about whether I had changed anything recently. Sure enough, I had been testing Microsoft Intune mobile device management and had enrolled my phone in it. Even though the “Camera off” policy was not enabled there, it looks like it broke the device somehow.

So I un-enrolled from Intune and tried the camera again. Now it works!

Bottom line: I am not saying it will fix the issue in all cases, but it is at least worth trying to un-enroll your device from any sort of Mobile Device Management solution (if you have the rights) and testing without it.

SCCM: Intune and SCCM – ways to do MDM

I found a nice article on TechNet clearly explaining when you may want to integrate Intune with SCCM and when to use Intune as a standalone product: https://technet.microsoft.com/en-US/library/dn957912.aspx