
Configuration Manager-Failed to install IIS feature-the source files could not be found error code 0x800f081f


This is a quick post on an issue that I came across recently at a customer who was unable to install the IIS role for setting up a distribution point.

As we all know, IIS is a prerequisite for setting up a distribution point in Configuration Manager.

During the installation of the IIS feature, you need to provide the path to the source files; this is usually the SxS folder from the OS media, as shown below.

I specified the SxS folder during the installation of IIS and made sure that the OS version matched the ISO file that was downloaded.

This is the usual procedure to install the IIS feature and it always works, but in this case it never worked for me.

Following is the error:

The request to add or remove features on the specified server failed. The source files could not be found. Error Code 0x800f081f.

I tried a couple of times, changing the ISO to the latest one, but it failed with the same error code.

So what other options do we have to install the IIS role for the DP to work?

If the SxS source files cannot be used by the server to install IIS, we can use the WIM file from the same ISO to install the IIS feature with a PowerShell cmdlet.

Following is the PowerShell syntax.

Install-WindowsFeature Web-Server -Source wim:D:\sources\install.wim:2

Here 2 refers to the image index inside the WIM.

How do we know which index to use? It depends on the OS edition installed on the server.

You can check the OS edition on the server using WINVER from the Run dialog.

Once you know the edition, run the following DISM command to list the indexes in the WIM.

dism /get-wiminfo /wimfile:E:\sources\install.wim

Index 2 refers to Windows Server 2019 Standard (Desktop Experience).

If your OS is Datacenter (Desktop Experience), you need to use index 4.

Once we have all the necessary information, run the PowerShell cmdlet to install the IIS role (the drive letter is whichever drive the ISO is mounted on).

Install-WindowsFeature Web-Server -Source wim:D:\sources\install.wim:2

Status after the PowerShell command.

Likewise, you can install any other feature using the same format.
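As an added example (not code from the original post), the following PowerShell script automates the index lookup described above: it reads the installed edition, lists the images in install.wim, picks the matching index, warns if the WIM build does not match the running OS, and installs IIS from that image. The ISO drive letter and the Desktop Experience detection heuristic are assumptions.

```powershell
# Added example, not from the original post. Assumes the OS ISO is mounted as E:
# (change $IsoDrive) and that the Desktop Experience heuristic below is acceptable.
$IsoDrive = 'E:'
$Wim      = Join-Path $IsoDrive 'sources\install.wim'

# Edition and build of the running OS, e.g. "Windows Server 2019 Standard", "10.0.17763"
$os      = Get-CimInstance -ClassName Win32_OperatingSystem
$Edition = if ($os.Caption -match 'Datacenter') { 'Datacenter' } else { 'Standard' }
# Heuristic: Server Core has no explorer.exe, Desktop Experience does
$HasGui  = Test-Path (Join-Path $env:windir 'explorer.exe')

# Same information as "dism /get-wiminfo", but as objects
$images = Get-WindowsImage -ImagePath $Wim
$images | Format-Table ImageIndex, ImageName -AutoSize | Out-String | Write-Host

# Pick the image whose name matches the edition and the GUI/Core variant
$match = $images | Where-Object {
    $_.ImageName -like "*$Edition*" -and
    (($_.ImageName -like '*Desktop Experience*') -eq $HasGui)
} | Select-Object -First 1

if (-not $match) { throw "No image in $Wim matches '$($os.Caption)' (GUI=$HasGui)" }

# The WIM should come from media of the same build as the installed OS;
# a different build can fail with the same 0x800f081f error
$detail = Get-WindowsImage -ImagePath $Wim -Index $match.ImageIndex
if ($detail.Version -ne $os.Version) {
    Write-Warning "WIM build $($detail.Version) does not match OS build $($os.Version); use media of the same version"
}

Write-Host "Using index $($match.ImageIndex): $($match.ImageName)"

# Install IIS from the selected WIM image instead of the SxS folder
Install-WindowsFeature -Name Web-Server -IncludeManagementTools `
    -Source "wim:$($Wim):$($match.ImageIndex)"
```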

If the standard practice doesn’t work, we take other routes to make things work 😊

Hope it helps!


How to request a cert from public provider for Cloud management gateway


Introduction:

Cloud management gateway (CMG) helps you manage Configuration Manager clients on the internet without any additional on-premises infrastructure.

Due to COVID-19, most of the workforce is working from home (with or without VPN), and the value of managing endpoints using the Cloud Management Gateway (CMG) is immense. Many organizations have already implemented CMG to manage Windows devices that are connected outside the office network or connected to the office network over VPN.

If you are yet to implement the cloud management gateway service in your organization and need assistance, please check here.

Implementation of CMG involves a server authentication certificate (PKI or public) and, optionally, client authentication.

The server authentication certificate is required to build a secure channel with the CMG cloud service; the CMG cloud service uses it to create the HTTPS endpoint to which internet-based clients connect.

The server authentication certificate can be issued either by your public key infrastructure (PKI) or by a public provider such as DigiCert or other global providers.

Microsoft strongly recommends a public, globally trusted certificate provider, but again it is up to the organization whether to use a PKI or a public cert.

For more information about the Cloud Management Gateway choices, please refer to Jason's post here.

In this blog post, we will see how to create a CMG server authentication certificate from DigiCert.

Following are the steps:

Check the DNS name in the Azure portal (cloud services classic)?

First, we need to check the availability of a DNS name in the Azure portal.

Log in to the Azure portal, click All services, and select Cloud services (classic).

Click Add.

Enter the DNS name that you want to use and verify that it is available (green tick). If you get a red mark, the name is already taken and you must choose another.

If it is available, make a note of it. In my case, cmcb.cloudapp.net was available. Do not create anything here; just verify whether the name is available.

Create a CNAME record in the public DNS?

Next, go to the public DNS zone that you manage and create a CNAME record.

In my case, my public DNS domain is eskonr.com, and I will create a CNAME record cmcb.eskonr.com for the real hostname cmcb.cloudapp.net.

In your organization, you may have to reach out to the team that manages the public DNS and provide the following details.

CNAME record cmcb.eskonr.com pointing to cmcb.cloudapp.net

Make sure that cmcb.eskonr.com is not already in use in your public DNS; it must be unique.

Following is the CNAME record in the public DNS. You can leave default values such as the TTL of 600.

Request a public certificate from DigiCert for CMG server authentication?

Now we will request a server authentication certificate from DigiCert using the CNAME alias as the common name (CN).

As part of the cert creation, we will use the DigiCert Certificate Utility for Windows.

Download the DigiCert Windows utility from https://www.digicert.com/util/

Once the tool is downloaded, launch DigiCertUtil.exe.

Click SSL and then Create CSR.

Enter the common name. This is the CNAME record that we created in our public DNS (cmcb.eskonr.com). The CMG server authentication certificate also supports wildcards such as *.eskonr.com.

Click Generate.

You will now see the CSR text, which you can copy into a .txt file.

Click Close.

Request your SSL certificate for CMG cloud service:

We will now log in to the DigiCert portal, select the certificate category, upload the CSR, and make the payment.

Log in to https://www.digicert.com/

After you log in to the DigiCert portal, you will see Request a certificate; clicking it displays the category list.

Once you select the certificate type, you will be prompted for the certificate details.

Upload the CSR file and choose the validity period. Based on your selection, the cost is shown in the transaction summary.

For "Prove control over your domain", I selected email, as it is easy to confirm through email with one click.

There is a list of pre-defined email addresses for your domain. Once you order the certificate, you can edit the order and choose the email address to which the confirmation email is sent to prove control over the domain.

Once you are done with the payment, click Submit certificate request.

Once the order is confirmed, you will see the order status as pending.

Before DigiCert can issue your certificate, you must prove your control over the domains listed on the certificate.

In the order section, you can customize additional emails, renewal notices, renewal messages for this order, etc.

Once the order is approved, you can log in to the DigiCert portal and download the certificate.

Following is the sample email that I received from DigiCert.

Please note that when you go to the download section, there are many formats to choose from.

In my case, I selected the following.

You can also choose separate primary and intermediate .crt files (zipped).

I tried both .cer and .crt; both give the same result for the CMG cert (PFX format).

Once the certs are downloaded, extract the archive; you will see a cert named after the common name (cmcb.eskonr.com) ending with .cer.

Import SSL certificate:

Now go to the computer on which you ran the DigiCert tool earlier to generate the CSR, launch the tool and sign in, click SSL and then Import.

Depending on the format you downloaded earlier (.cer or .crt), choose the file whose name contains the common name (in my case cmcb.eskonr.com).

Once it is done, the certificate will be visible in the SSL certificate list.

Export the SSL certificate (PFX format):

Click the certificate that we imported and select Export Certificate.

To protect the certificate, enter a strong password.

Finally, you will be prompted to save the .pfx certificate.

We have now successfully created a server authentication certificate that can be used to create a CMG cloud service using a public cert.
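Before uploading the PFX to the CMG wizard, it is worth checking that what you exported is actually usable. The following PowerShell, an added example rather than part of the original post, verifies that the PFX has a private key, covers the CMG name (exact or single-label wildcard), carries the Server Authentication EKU, is inside its validity period, chains to a trusted root, and that the public CNAME still points at the Azure classic name. The PFX path is a placeholder; the two DNS names are the ones used in the post.

```powershell
# Added example, not from the original post. $PfxPath is a placeholder;
# the two DNS names are the ones used in the post.
$PfxPath   = 'C:\certs\cmcb.pfx'      # placeholder: PFX exported from DigiCertUtil
$CmgAlias  = 'cmcb.eskonr.com'        # CNAME in the public DNS (the cert CN)
$AzureName = 'cmcb.cloudapp.net'      # classic cloud service DNS name

# Does a certificate name cover the CMG alias? A wildcard covers exactly one
# label (RFC 6125): *.eskonr.com covers cmcb.eskonr.com but not a.b.eskonr.com
function Test-NameCovered {
    param([string]$Name, [string]$CertName)
    $Name = $Name.ToLowerInvariant(); $CertName = $CertName.ToLowerInvariant()
    if ($CertName -eq $Name) { return $true }
    if ($CertName.StartsWith('*.')) {
        return $Name.EndsWith($CertName.Substring(1)) -and
               ($Name.Split('.').Count -eq $CertName.Split('.').Count)
    }
    return $false
}

$pfx = Get-PfxCertificate -FilePath $PfxPath      # prompts for the export password

$checks = [ordered]@{}
# A .cer/.crt has no private key; CMG needs the PFX with the key
$checks['HasPrivateKey'] = $pfx.HasPrivateKey
# Subject CN / SAN must cover the CNAME alias
$checks['NameCovered']   = [bool]($pfx.DnsNameList.Unicode | Where-Object { Test-NameCovered $CmgAlias $_ })
# Must be usable for Server Authentication (EKU 1.3.6.1.5.5.7.3.1)
$checks['ServerAuthEku'] = [bool]($pfx.EnhancedKeyUsageList | Where-Object ObjectId -eq '1.3.6.1.5.5.7.3.1')
# Not expired and not "not yet valid"
$now = Get-Date
$checks['InValidity']    = ($pfx.NotBefore -le $now -and $pfx.NotAfter -gt $now)
# Chain must build to a trusted root (intermediate from the store or AIA download)
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$checks['ChainBuilds']   = $chain.Build($pfx)
$checks['ChainStatus']   = ($chain.ChainStatus | ForEach-Object Status) -join ','
# The public CNAME must still resolve to the Azure classic name
$cname = Resolve-DnsName -Name $CmgAlias -Type CNAME -ErrorAction SilentlyContinue
$checks['CnameToAzure']  = ($cname.NameHost -eq $AzureName)

[pscustomobject]$checks
```

Every check should come back True (and ChainStatus empty) before the PFX goes into the CMG wizard; a False HasPrivateKey usually means a .cer/.crt was exported instead of the PFX.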

To set up a cloud management gateway service, please refer to this guide.

I hope this has been informative for you.

Guest users unable to access Power BI reports, report stuck at loading


The other day, I shared a Power BI report with an external user who is a guest in my Office 365 tenant.

When you share a Power BI report, you get options such as notifying users through email.

I selected the notify-by-email option for the gmail.com user who is the guest.

When the user receives the email, it contains a Power BI URL to access the report; clicking the URL performs authentication, after which the Power BI report should load. In the user's case, however, the Power BI report was stuck at loading for quite a long time.

The user tried the Power BI URL in IE, Google Chrome, and Edge Chromium and had the same experience in all browsers.

Following is the end-user experience.

How to fix this issue?

Well, this is a known issue and Microsoft is looking into it. I have no details on the ETA.

So, is there any workaround until this is fixed at the product level?

The workaround for the guest user is to access the Power BI tenant URL first and then browse to the shared Power BI report.

How do we get the Power BI tenant URL?

Log in to the Power BI URL (as an internal user) and, on the right side, click the download icon.

Select About Power BI.

Copy the Tenant URL.

Send it to the guest user to log in with.

When the guest user logs in to the tenant URL, they see the list of all Power BI reports that are shared with them.

Until this is fixed at the product level, you can send the user instructions to access the Power BI tenant URL first and then browse to the reports, rather than using the default URL that is sent by the system.

I hope it helps you.

How to convert the CMG cloud service from PKI to Public cert | How to redeploy the CMG service


Cloud management gateway (CMG) helps you manage Configuration Manager clients on the internet without any additional on-premises infrastructure.

Due to COVID-19, most of the workforce is working from home (with or without VPN), and the value of managing endpoints using the Cloud Management Gateway (CMG) is immense. Many organizations have already implemented CMG to manage Windows devices that are connected outside the office network or connected to the office network over VPN.

If you are yet to implement the cloud management gateway service in your organization and need assistance, please check here.

Implementation of CMG involves a server authentication certificate (PKI or public) and, optionally, client authentication.

The server authentication certificate is required to build a secure channel with the CMG cloud service; the CMG cloud service uses it to create the HTTPS endpoint to which internet-based clients connect.

The server authentication certificate can be issued either by your public key infrastructure (PKI) or by a public provider such as DigiCert or other global providers.

Microsoft recommends a public, globally trusted certificate provider, but again it is up to the organization whether to use a PKI or a public cert.

For more information about the Cloud Management Gateway choices, please refer to Jason's post here.

Issue description:

I recently had a requirement to convert or redeploy the CMG cloud service from PKI to public cert.

If you want to change any of the following configurations, then you need to redeploy the CMG service:

  • Classic deployment method to Azure Resource Manager
  • Subscription
  • Service name
  • Private to public PKI
  • Region

So how do you convert the existing CMG cloud service from PKI to public cert or redeploy the CMG cloud service?

Since the existing cloud service uses cloudapp.net, and that domain is managed by Microsoft, we can't get a public cert matching that name.

The only option is to add another CMG cloud service with a public cert and wait for the clients (both intranet and internet) to become aware of the new CMG instance before deleting the CMG with the PKI cert.

In this blog post, I am going to use a certificate from DigiCert. There are various global trust providers, so please choose based on your organizational needs.

I recently published a blog post on how to obtain a server authentication certificate for the Cloud management gateway cloud service from DigiCert. For more details, please refer here.

This blog post assumes that you already have a server authentication certificate from a public provider. The server authentication certificate must be in .pfx format; no other formats are supported at the time of writing this blog post.

How to verify if the CMG service is configured with PKI or public cert?

In the SCCM console, go to Administration > Cloud Services > Cloud Management Gateway; on the right side, you will see that the service name ends with .cloudapp.net, which indicates that this service was created with the PKI cert.

Existing lab setup:

A very simple hierarchy with one primary site hosted with SQL (server A) and all client-facing roles such as MP, SUP, DP, etc. for intranet clients.

The site is enabled for eHTTP and I don't use client authentication certs.

The CMG cloud service was created with a PKI cert.

The CMG connection point, MP, and SUP for internet-facing clients are installed on server B, to isolate intranet clients from internet clients.

The build version is 2002, which means all my clients can use token-based authentication.

In addition to token-based, I also have hybrid AAD/AAD, so clients can choose one of the authentication methods (token/hybrid AAD/AAD) with the CMG cloud service.

Server B (SG-CM02) hosts the CMG CP, MP, and SUP roles.

You can create multiple CMG services in Azure, and you can create multiple CMG connection points. Multiple CMG connection points provide load balancing of client traffic from the CMG to the on-premises roles.

With my existing SCCM setup, I am able to manage both internal clients and internet-based clients successfully.

How to redeploy the CMG service using the public cert?

Since we already acquired the public cert, we will set up the new cloud service. For this, follow the Microsoft article; it is very straightforward and all the instructions are in the documentation.

As you can see, the service name does not contain .cloudapp.net

After a while, you will see that the configuration update has completed.

To troubleshoot CMG deployments, use CloudMgr.log and CMGSetup.log on your site server.

We now have two CMG cloud services, but only one CMG connection point, installed on server B, and this CMG CP is linked to the PKI cloud service.

Do not make any changes to the existing CMG CP in the dropdown selection; just leave it. If you change it, it will impact the clients, and internet-based clients will not be able to communicate.

It is recommended to keep at least one active CMG so that internet-based clients can receive updated policy.

So far, we have created a new CMG service with a public CA cert, but we do not have a CMG CP linked to the new CMG service. This is a must for clients to become aware of the new CMG service.

At this point, on an intranet or internet client, run the following PowerShell command to see the internet MP details.

(Get-WmiObject -Namespace Root\Ccm\LocationServices -Class SMS_ActiveMPCandidate | Where-Object {$_.Type -eq "Internet"}).MP

As you can see, I have only one active internet MP, which is the PKI cloud service.

For clients to become aware of the second cloud service that we just created, we need to create an additional CMG CP.

For this, build a new server or use an existing server to host the additional CMG CP and link it with the new CMG cloud service (public CA).

From the console, add a new site system role and select the CMG connection point role.

For the cloud management gateway name, select the instance that we created with the public cert (not the one with cloudapp.net).

Click next and finish.

To troubleshoot CMG service health, use CMGService.log and SMS_Cloud_ProxyConnector.log on the site server.

As you can see, we now have two CMG connection points but still only one CMG-enabled MP.

We can also use the CMG connection analyzer for real-time verification to aid troubleshooting.

The in-console utility checks the current status of the service, and the communication channel through the CMG connection point to any management points that allow CMG traffic.

As you can see below, the CMG channel for the management point is with server B. As I described at the beginning, server B (SG-CM02) holds the MP and SUP for internet-facing clients.

At this point, we have two cloud services, two CMG CPs, and one MP and SUP to support internet-based clients. The internet-facing MP and SUP can be on any server and are independent of the CMG CP role.

Both intranet and internet clients will get the location of the new CMG service automatically in the next location request (every 24 hours) or when the SMS Agent Host service starts.

Since we still have the working CMG, clients that are on the internet will receive information about the new CMG service under the above conditions.

As we are doing this in the lab, I don't want to wait that long; to speed things up, restart the SMS Agent Host service on the internet-based client.

After the service restarts, wait a few minutes before reading the LocationServices.log file.

As you can see in the log, the client has picked the new CMG cloud service.

Running the PowerShell command on the client shows that there are now two CMG cloud services, and clients can pick either of them randomly for communication.

(Get-WmiObject -Namespace Root\Ccm\LocationServices -Class SMS_ActiveMPCandidate | Where-Object {$_.Type -eq "Internet"}).MP
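The one-liner above shows the raw MP list; the following function, an added example that is not part of the original post, wraps the same query so a client can report whether it has already learned the new CMG service (and whether it is currently on the internet and which MP it is using). This is the per-client counterpart of the "are all my clients aware?" question later in the post. $NewCmgFqdn is a placeholder for the new public-cert CMG service name.

```powershell
# Added example, not from the original post. Run on a client; $NewCmgFqdn is a
# placeholder for the new public-cert CMG service name.
function Test-CmgAwareness {
    param([Parameter(Mandatory)][string]$NewCmgFqdn)

    # Whether the client currently considers itself on the internet
    $info = Get-CimInstance -Namespace 'root\ccm' -ClassName ClientInfo
    # Management point the client is using right now (a CMG proxy URL when on the internet)
    $auth = Get-CimInstance -Namespace 'root\ccm' -ClassName SMS_Authority
    # Internet-type MP candidates the client has learned (same query as in the post)
    $candidates = @(Get-CimInstance -Namespace 'root\ccm\LocationServices' -ClassName SMS_ActiveMPCandidate |
                    Where-Object Type -eq 'Internet')

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        InInternet         = [bool]$info.InInternet
        CurrentMP          = $auth.CurrentManagementPoint
        InternetCandidates = @($candidates | ForEach-Object MP)
        # Has the new CMG instance arrived via the location request / policy refresh?
        KnowsNewCmg        = [bool]($candidates | Where-Object { $_.MP -like "*$NewCmgFqdn*" })
        # Is the old PKI-based instance (service name ends with .cloudapp.net) still listed?
        StillListsOldCmg   = [bool]($candidates | Where-Object { $_.MP -like '*.cloudapp.net*' })
    }
}

# Example call with a placeholder name; a False KnowsNewCmg means this client
# would be stranded if the old CMG were deleted now
Test-CmgAwareness -NewCmgFqdn 'cmg.contoso.example'
```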

Likewise, all intranet and internet-based clients need to learn about the new CMG instance before we delete the old one. For this, we can wait a couple of weeks, assuming each device connects to the internet at least once to receive the new CMG info through the old CMG proxy.

Once the old CMG service is removed, clients cannot communicate with it to receive new policy containing the information about the new CMG service.

If internet clients are offline for a longer period and are not aware of the new CMG instance, they can't communicate with the removed CMG; they must roam back to the intranet to learn about the new CMG, or the client must be reinstalled with the /mp parameter specifying the CMG's URL.

It is also important to distribute content to the new cloud DP so that clients can get content locations from the CMG MP.

Now go back to the SCCM console and, in the Devices node, filter the search with "CMG proxy".

As you can see below, I have one device talking to the new CMG service (online) and two devices that were talking to the old CMG service (offline).

It is good that the new CMG service is running and that clients connected to the internet, which could still communicate with the old CMG service, have received the information about the new CMG service. But how do I know that all of my internet-based clients are aware of the new CMG service?

For this, you can create a collection or report based on the client's last policy request, last hardware inventory, or last online time.

When you plan to delete the old CMG service, do not delete anything directly in the Azure portal; simply go to the SCCM console, select the CMG instance, right-click, and delete. This deletes the VM instance, the cloud DP, and all other components from the Azure portal.

After you delete the old CMG instance, the clients that are aware of the new CMG service will automatically pick it up and continue to communicate; you don't have to do anything for this. Clients that are not aware of the new CMG instance must roam back to the intranet or have the client reinstalled using the internet-based client switches.

I hope this post has been informative for you.

The following are some blog posts on CMG for your reference:

Cloud Management Gateway Community Session with the Patch My PC Team

Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager

Managing Patch Tuesday with Configuration Manager in a remote work world 

Mastering Configuration Manager Bandwidth limitations for VPN connected Clients

Get Azure IP Ranges for Your Cloud Management Gateway

Forcing Configuration Manager VPN Clients to get patches from Microsoft Update

Real-world costs for using a Cloud Management Gateway (CMG) with ConfigMgr

Software update deployment report for CMG enabled

CMG Cost estimation calculator

Configuration Manager 2002 hotfix KB4575774 - The action Check Readiness for Upgrade is invalid


After Configuration Manager current branch 2002 was released, Microsoft released 4 update rollups and 1 out-of-band hotfix (if I am tracking them correctly).

Following is the complete list of update rollups (first 4) and the hotfix (last) for Configuration Manager version 2002.

KB4553501

KB4563473

KB4567007

KB4560496

KB4575774

Today, Microsoft released an out-of-band hotfix for the following issue:

After updating to Configuration Manager current branch, version 2002, the New-CMTSStepPrestartCheck PowerShell cmdlet returns an error resembling the following when used.

The action "Check Readiness for Upgrade" is invalid. The property OSArchitecture contains an unsupported value 64-bit. The task sequence must be corrected before it can be used with SMS. Unspecified error (Error: 80004005; Source: Windows)

This error occurs due to changes in the Check Readiness task sequence step in version 2002.

Unlike other update rollups, which usually appear in the console (Updates and Servicing), this hotfix is not available in the console and must be downloaded and installed manually.

If you want to import the hotfix into the Configuration Manager console (Updates and Servicing), you can use the update registration tool.

You can download the hotfix from this location. This update is around 50 MB in size.

To apply this hotfix, you must have Configuration Manager build 2002 along with the recently released update rollup KB4560496.

After applying this update, you don't have to restart the server.

Collection Evaluation Viewer is now integrated with Configuration Manager


Configuration Manager uses collection evaluation to update collection membership, based on the collection rules you define. Collection evaluation scope and timing differ depending on site and collection configuration and evaluation type.

With Configuration Manager technical preview release 2008, a new feature integrates the Collection Evaluation Viewer directly into the Configuration Manager console.

With this new feature, we no longer need to run the standalone tool CEViewer.exe (from the server tools) to monitor collection evaluation data.

We can now use the console to view and monitor the collection evaluation process for troubleshooting issues such as slow collection evaluation.

The configuration manager console now displays the following information:

  • Historic and live information for full and incremental collection evaluations
  • The evaluation queue status
  • The time for collection evaluations to complete
  • Which collections are currently being evaluated
  • The estimated time that a collection evaluation will start and complete

How to view the collection evaluation data in the console?

In the Configuration Manager console, go to Assets and Compliance > Overview > Device Collections.

Under Device Collections, a new column called 'Evaluation (Full) Last Completion Time' is now enabled by default.

Following is the list of properties for a collection that you can select to view:

You can also view the summary of collection information.

On the summary page, the Related Objects section gives links to view the status of the collection in the specific queue under the Collection Evaluation node in the Monitoring workspace.

Clicking each link creates a new node where you can see the evaluation status for the specific collection.

You can also monitor the collection evaluation queues from the Monitoring workspace.

From the Monitoring workspace, go to the Collection Evaluation node.

Clicking the Collection Evaluation folder shows the total number of collections in the queue and the queue length as a summary.

The following status summaries for the evaluation queues are listed:

  • Number of collections in queue
  • Queue length
  • Current evaluation collection
  • Current evaluation started on
  • Current evaluation elapsed (seconds)

The following queues are summarized and have their own sub-nodes under Collection Evaluation:

Full Evaluation Queue: For collections due for full evaluation

Incremental Evaluation Queue: For collections with incremental evaluation

Manual Evaluation Queue: For collections that an administrator has manually selected for evaluation from the console

New Evaluation Queue: For newly created collections

This is a great feature that helps administrators view and troubleshoot the collection evaluation process.

For more information about collection evaluation:

https://docs.microsoft.com/en-us/mem/configmgr/core/clients/manage/collections/collection-evaluation

Software Update Compliance report for CMG connected devices


With COVID-19 around the globe, organizations using Configuration Manager have shown much interest in the Cloud Management Gateway.

Cloud Management Gateway helps you manage clients on the internet. For more information on how to set up CMG, please refer to https://docs.microsoft.com/en-us/mem/configmgr/core/clients/manage/cmg/setup-cloud-management-gateway

A customer who recently deployed the cloud management gateway wanted to monitor software update compliance for the CMG-connected devices ONLY.

Since these CMG devices are on the internet, their patch compliance status always has high visibility from a management perspective.

I know there are several default software update compliance reports available, and I have also posted some custom reports on software update compliance, but the compliance status for CMG-connected devices only is not available unless you create a collection for CMG-connected devices and run the default or custom compliance reports against it.

So let's start with how to get a compliance report for CMG-connected devices.

When I first started writing the SQL for the compliance reports for CMG-connected devices, I searched for the SQL views that hold the CMG information.

As usual, I looked at the SQL views documentation to find the right SQL views for this requirement and found BGB_ResStatus.

A simple query, select top 10 * from BGB_ResStatus, reveals the following information.

This information comes from the fast channel (BGB) on the client. If you want to know more about fast channel communication in Configuration Manager, please refer to this post.

To create a collection or identify devices that are connected to CMG, add the new attribute value to the device collection and search for the value ccm_proxy_mutual.

Or follow this post to create a collection or report for CMG-connected devices.

The SCCM client automatically determines whether it's on the intranet or the internet. If the client can resolve a domain controller or an on-premises management point, it sets its connection type to Currently intranet. Otherwise, it switches to Currently Internet and uses the location of the CMG service to communicate with the site.

When the client switches to the internet and selects the CMG service for communication, the client's management point appears in the console and the database as something like http://<CMG service name>/CCM_Proxy_MutualAuth/, and this is recorded in AccessMP.

Until the client connects back to the on-premises network, AccessMP holds the CMG service name.

The following are the SQL views that I will use to create the software update compliance report for CMG connected devices.

v_Update_ComplianceStatusAll

v_r_system

v_FullCollectionMembership

v_AuthListInfo

BGB_ResStatus

Based on the above data, I created 2 reports:

Summary of the compliance status for the CMG connected devices

List of clients with specific software update compliance status for the update group.

The 2nd report is linked to the first report and its parameters are hidden, so you will have to run the first report to get to the 2nd report.
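As an added example (not the author's report definitions, which are on GitHub), the following PowerShell runs a T-SQL query against the site database that produces the same kind of data: for each CMG-connected device (identified by a CMG proxy in BGB_ResStatus.AccessMP), the number of updates in a named software update group that are required, installed, not required or unknown. It uses v_CIRelation (RelationType 1) to expand the update group into its member updates, which the post's view list does not include; the server, database and update group title are placeholders.

```powershell
# Added example, not the author's report. Requires the SqlServer module
# (Invoke-Sqlcmd) and read access to the site database; all three values are placeholders.
param(
    [string]$SqlServer   = 'SQL01.contoso.example',    # placeholder: site database server
    [string]$SiteDb      = 'CM_P01',                   # placeholder: site database name
    [string]$UpdateGroup = 'Patch Tuesday 2020-08'      # placeholder: software update group title
)

# Single-quoted here-string so PowerShell leaves $(UpdateGroup) for sqlcmd to substitute.
# [_] escapes the LIKE single-character wildcard; LIKE is case-insensitive in the default collation.
$Query = @'
WITH GroupUpdates AS (
    -- individual updates that are members (RelationType 1) of the update group
    SELECT cir.ToCIID AS CI_ID
    FROM   v_AuthListInfo ali
    JOIN   v_CIRelation   cir ON cir.FromCIID = ali.CI_ID AND cir.RelationType = 1
    WHERE  ali.Title = '$(UpdateGroup)'
),
CmgDevices AS (
    -- devices whose last access MP is a CMG proxy (fast-channel data in BGB_ResStatus)
    SELECT rs.ResourceID, rs.Name0, bgb.OnlineStatus
    FROM   v_R_System    rs
    JOIN   BGB_ResStatus bgb ON bgb.ResourceID = rs.ResourceID
    WHERE  bgb.AccessMP LIKE '%CCM[_]Proxy[_]MutualAuth%'
)
SELECT d.Name0 AS Device,
       CASE d.OnlineStatus WHEN 1 THEN 'Online' ELSE 'Offline' END AS ClientState,
       SUM(CASE WHEN ucs.Status = 2 THEN 1 ELSE 0 END) AS [Required],
       SUM(CASE WHEN ucs.Status = 3 THEN 1 ELSE 0 END) AS Installed,
       SUM(CASE WHEN ucs.Status = 1 THEN 1 ELSE 0 END) AS NotRequired,
       SUM(CASE WHEN ucs.Status IS NULL OR ucs.Status = 0 THEN 1 ELSE 0 END) AS Unknown
FROM   CmgDevices d
CROSS JOIN GroupUpdates gu
LEFT JOIN v_Update_ComplianceStatusAll ucs
       ON ucs.ResourceID = d.ResourceID AND ucs.CI_ID = gu.CI_ID
GROUP BY d.Name0, d.OnlineStatus
ORDER BY [Required] DESC, d.Name0;
'@

# Double any single quote in the title so it cannot break out of the SQL string literal
$safeTitle = $UpdateGroup.Replace("'", "''")

$rows = Invoke-Sqlcmd -ServerInstance $SqlServer -Database $SiteDb `
            -Query $Query -Variable "UpdateGroup=$safeTitle"

# Devices with anything still required or unknown are the ones to chase first
$rows | Format-Table Device, ClientState, Required, Installed, NotRequired, Unknown -AutoSize
```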

  1. Summary of the compliance status for the CMG connected devices

To see the list of required or unknown clients, click the link (blue icon).

Since TechNet is going offline very soon, I have uploaded the reports to my GitHub account. Download the reports, upload them to your SSRS folder, change the data source, and run them.

Make sure you upload both reports into the same folder and do not change the 2nd report's name, as it is linked from the first report.

Happy patching!

Configuration Manager Remote control for CMG Connected devices


Microsoft released Configuration Manager technical preview build 2009 with some cool features applicable to the cloud management gateway.

This technical preview is for lab purposes ONLY and can be installed on the 3 successive build versions 1906, 1907 and 1908.

The latest active baseline version available is 2007 and can be downloaded from the Evaluation Center.

If you want to build a lab, download the baseline version (2007) and then do an in-console update to the latest preview build 2009.

The following features are available with Configuration Manager technical preview build 2009:

  • Cloud management gateway with Azure VM scale set

Cloud management gateway deployments now use the Azure virtual machine scale set, which introduces support for Azure Cloud Solution Provider subscriptions.

  • Deploy an operating system over CMG using boot media

An admin can now reimage devices on the internet over the cloud management gateway using boot media.

  • Improved Windows Server device restart experience for non-administrator accounts

Administrators can now allow low-rights users to perform Configuration Manager initiated restarts for Windows Server.

  • Improvements to in-console notifications

You now have an updated look and feel for in-console notifications. Notifications are more readable and the action link is easier to find. Additionally, the age of the notification is displayed to help you find the latest information. If you dismiss a notification, that action is now persistent for a user across consoles.

  • Notifications for devices no longer receiving updates

To help you manage security risk in your environment, you will be notified in-console about devices with operating systems that are past the end of support date and that are no longer eligible to receive security updates.

  • Remote control anywhere using Cloud Management Gateway

An admin or helpdesk operator can now connect to a client via remote control over the Internet via cloud management gateway.

  • View Collection Relationships

You can now view dependency relationships between collections in a graphical format. Limiting, include, and exclude relationships are shown.

  • Wake machine at deployment deadline using peer clients on the same remote subnet

When you enable 'Send wake-up packets' on a deployment, the site will now identify another client that's awake on the same remote subnet. The awake client then sends a wake on LAN request (magic packet).

Configuration Manager Technical Preview 2009:

Technical preview 2009 site version: 5.00.9030.1000

Client version (2009): 5.00.9030.1000

One of the most requested features since the cloud management gateway was introduced is remote control for internet-connected devices.

Remote control for CMG-connected devices was first introduced in technical preview version 1906 and is now improved.

Prerequisites for remote control of CMG-connected devices:

  1. Enable remote tools in the client settings and add the user or group as a permitted viewer for remote control.
  2. Update the Configuration Manager client to the latest version (2009).
  3. The client needs to be online.

What are the authentication methods used in the remote control of internet device?

These authentication methods aren't unique to remote control. If you have properly configured clients to communicate with a CMG, HTTPS management points, or sites with enhanced HTTP, then they already use a supported authentication method.

Now let's test remote control of an internet-connected device.

I have a device (Win10-11) that is on the internet, is ONLINE and is connected to the CMG:

Right-click the device and select Remote Control.

Select the option Connect via CMG or HTTPS MP for any of the following scenarios:

  • CMG
  • HTTPS management point
  • Enhanced HTTP site

The connection dialog has the following options:

  • Address: The target address of the client. To connect using the CMG, you must use the FQDN. You can't use the hostname or IP address.
  • Connect via CMG or HTTPS MP: This option allows fallback from a direct TCP connection to the CMG service.
  • Server name: The CMG service name to which the current user and the target client can both connect.
  • HTTPS port: If needed, change the default port from 443.
  • Verify server certificate revocation: If the CRL distribution point isn't reachable for the current user, disable this option for testing purposes only; leave it enabled in production.
  • Azure environment: This option prompts for sign-in with your Azure AD credentials. Then select the Azure environment for that user.

Click OK to connect. Remote control attempts a direct connection first, then falls back to the CMG.

Make sure you use the fully qualified domain name (FQDN) of the applicable service (CMG or HTTPS MP).

In my case, the CMG is using a public cert and is CMTPTP1.eskonr.com.

If you are using certs from a CA, then you will have something like CMTPTP1.cloudapp.net.

When you click OK, it prompts for Azure AD authentication and then follows the remote control settings on the target device.

Authentication:

If the user is a permitted viewer for the device and the device is online, the end user receives a pop-up to approve or deny the remote control request.

Finally, we can remote control a CMG-connected device just as we do for devices on the corporate network.

Troubleshooting:

How do you troubleshoot remote control issues for internet-connected devices?

When you perform a remote control session, CmRcViewer.log is written under the %temp% folder on the machine running the viewer.

If a non-permitted user tries to perform remote control, it is tracked in CCM_STS.log on the management point.

Following is the log that shows Koneti\eswar is not a permitted viewer for remote control of the device.

When I authenticated to Azure AD with a different user (Eswar.koneti) who has permissions to remote control, it works.

If the device is offline in the console and you try to remote control it, you will see the following screen:

There are many other cool features available in this release.

Happy testing!

The post Configuration Manager Remote control for CMG Connected devices first appeared on All about Microsoft Endpoint Manager.


Monitor Azure AD Enterprise applications using powershell script

Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service, which helps your users sign in and access resources.

Azure AD holds a large number of enterprise applications: gallery, on-premises, custom-developed, and non-gallery applications.

For more information about Application Management in Azure AD, please refer https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-application-management

Most enterprise apps published by Microsoft in Azure AD come with default values for the properties 'Enabled for users to sign-in' and 'AppRoleAssignmentRequired' that can lead to DLP issues if you don't closely monitor application behaviour.

For example, the Azure DevOps enterprise application has 'Enabled for users to sign-in' set to Yes by default, and 'AppRoleAssignmentRequired' set to False.

Most Microsoft applications have 'AppRoleAssignmentRequired' set to False, which means any user who tries to access the application is let in and can use the app immediately.

When user assignment is required, only those users you explicitly assign to the application (either through direct user assignment or based on group membership) will be able to sign in. They can access the app on their My Apps page or by using a direct link.

When the assignment is not required, either because you've set this option to No or because the application uses another SSO mode, any user will be able to access the application if they have a direct link to the application or the User Access URL in the application’s Properties page.

The 'Enabled for users to sign-in' setting is available in the GUI in the Azure portal and can be altered there, whereas AppRoleAssignmentRequired is not visible in the UI for all applications and you have to use PowerShell to change it.

Do you really need the Azure DevOps application to be usable by the entire organisation? Has your security team raised concerns (DLP issues) about applications that users can access without any assignment required?

The customer had a requirement from the security team to monitor all Microsoft enterprise applications, get the properties of each application, and check whether the settings are acceptable.

We then extended the request to automate monitoring of newly added Microsoft applications and send an email when new ones appear, using a PowerShell script.

The PowerShell script generates the list of all Microsoft applications for you to review, and also creates a second CSV file containing any applications added since the last time the script ran.

How do we know if there are any newly added apps by Microsoft?

The first time you run the script, it generates the list of Microsoft apps and saves it to a CSV file.

On the next scheduled run, the script generates the list again, compares it with the previously generated list, and if Microsoft has added new apps, gets the properties of each new application and sends an email.

This process repeats, so you can take action on newly added apps before users start accessing them.

The PowerShell script is available in GitHub.

The following lines in the script need to be edited with your customisations before you set it up as a scheduled task: 4, 13, 14, 22, 24 and 84.

The PowerShell script does the following.

  1. Read the credentials provided in the script.
  2. Generate the list of Azure AD Microsoft apps with their properties.
  3. Check whether a previous CSV file exists for comparison; if it does, compare the results and create a new CSV file containing the newly added apps.
  4. If there are newly added apps, email the CSV file to the recipients configured in the script.
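As an added example (not the author's GitHub script), the following PowerShell implements the same snapshot-and-compare logic with the AzureAD module. It assumes Connect-AzureAD has already been run in the session (for a scheduled task, prefer a certificate-based service principal or the Windows credential store over credentials embedded in the script file, as step 1 does), and the report folder, the publisher filter and the SMTP settings are assumptions to replace with your own.

```powershell
# Added example, not the script from the post. Requires the AzureAD module and
# an existing Connect-AzureAD session. Folder, publisher filter and SMTP
# settings below are assumptions to adapt to your tenant.
$ReportDir   = 'C:\Reports\AzureADApps'                       # assumption
$CurrentCsv  = Join-Path $ReportDir 'MicrosoftApps.csv'
$PreviousCsv = Join-Path $ReportDir 'MicrosoftApps.previous.csv'
$NewAppsCsv  = Join-Path $ReportDir ('NewMicrosoftApps_{0:yyyyMMdd_HHmm}.csv' -f (Get-Date))

if (-not (Test-Path $ReportDir)) { New-Item -ItemType Directory -Path $ReportDir | Out-Null }

# Keep the previous snapshot so this run can be compared against it.
if (Test-Path $CurrentCsv) { Move-Item -Path $CurrentCsv -Destination $PreviousCsv -Force }

# Enumerate all service principals and keep the Microsoft-published ones.
# The PublisherName filter is an assumption; check what your tenant shows.
# AccountEnabled is returned as a string by this module, so both flags are
# normalised to text to keep CSV round-trips consistent.
$Apps = Get-AzureADServicePrincipal -All $true |
    Where-Object { $_.PublisherName -like 'Microsoft*' } |
    Select-Object DisplayName, AppId, ObjectId, PublisherName,
        @{ n = 'AccountEnabled';            e = { [string]$_.AccountEnabled } },
        @{ n = 'AppRoleAssignmentRequired'; e = { [string]$_.AppRoleAssignmentRequired } } |
    Sort-Object DisplayName

$Apps | Export-Csv -Path $CurrentCsv -NoTypeInformation

# First run: nothing to compare against, so only the baseline is written.
if (-not (Test-Path $PreviousCsv)) {
    Write-Output "Baseline written with $($Apps.Count) Microsoft apps: $CurrentCsv"
    return
}

# AppId identifies the application across tenants, so diff on it rather than on the display name.
$Previous = Import-Csv -Path $PreviousCsv
$KnownIds = [System.Collections.Generic.HashSet[string]]::new([string[]]@($Previous.AppId))
$NewApps  = @($Apps | Where-Object { -not $KnownIds.Contains($_.AppId) })

if ($NewApps.Count -eq 0) {
    Write-Output 'No new Microsoft apps since the last run.'
    return
}

$NewApps | Export-Csv -Path $NewAppsCsv -NoTypeInformation

# Call out the combination the post warns about: sign-in enabled and no
# assignment required, i.e. any user in the tenant can start using the app.
$OpenToAll = @($NewApps | Where-Object {
    $_.AccountEnabled -eq 'True' -and $_.AppRoleAssignmentRequired -eq 'False'
})

$Body = @"
$($NewApps.Count) new Microsoft enterprise application(s) appeared since the last run.
$($OpenToAll.Count) of them are enabled for sign-in with no user assignment required:
$(($OpenToAll | ForEach-Object { " - $($_.DisplayName) ($($_.AppId))" }) -join "`n")
The full list is attached.
"@

# SMTP relay and addresses are assumptions; replace with your own.
Send-MailMessage -From 'azuread-monitor@contoso.com' -To 'secops@contoso.com' `
    -Subject "New Azure AD Microsoft apps: $($NewApps.Count)" -Body $Body `
    -Attachments $NewAppsCsv -SmtpServer 'smtp.contoso.com'
```

Diffing on AppId rather than DisplayName matters because Microsoft occasionally renames first-party apps; a rename would otherwise show up as a "new" app and mask the real additions.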

Sample output for newly added apps:

Following are the PowerShell command lines to change the 'Enabled for users to sign-in' and AppRoleAssignmentRequired settings.

Set-AzureADServicePrincipal -ObjectId <Replace with App Service Principal ID>  -AccountEnabled $false

Set-AzureADServicePrincipal -ObjectId <Replace with App Service Principal ID>  -AppRoleAssignmentRequired $true

You can run the above cmdlets in a loop to change the settings for the list of applications supplied in the CSV file.
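An added example (not from the post) of that loop: it takes the CSV produced by the monitoring run, or a reviewed subset of it, and applies the two settings above with -WhatIf support so the change set can be reviewed before anything is modified. It assumes the CSV has ObjectId and DisplayName columns and that Connect-AzureAD has been run.

```powershell
# Added example, not from the post. Save as Set-AppAccess.ps1. Assumes the CSV
# has ObjectId and DisplayName columns and that Connect-AzureAD has been run.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)] [string] $CsvPath,
    [switch] $DisableSignIn,      # set 'Enabled for users to sign-in' to No
    [switch] $RequireAssignment   # set AppRoleAssignmentRequired to True
)

$Changed = 0
foreach ($Row in Import-Csv -Path $CsvPath) {
    # Re-read the live object so decisions are based on current state, not the CSV snapshot.
    $Sp = Get-AzureADServicePrincipal -ObjectId $Row.ObjectId -ErrorAction SilentlyContinue
    if (-not $Sp) {
        Write-Warning "Service principal $($Row.ObjectId) ($($Row.DisplayName)) not found; skipping"
        continue
    }

    if ($RequireAssignment -and -not $Sp.AppRoleAssignmentRequired) {
        if ($PSCmdlet.ShouldProcess($Sp.DisplayName, 'Set AppRoleAssignmentRequired = True')) {
            Set-AzureADServicePrincipal -ObjectId $Sp.ObjectId -AppRoleAssignmentRequired $true
            $Changed++
        }
    }

    # AccountEnabled comes back as a string from this module, hence the text comparison.
    if ($DisableSignIn -and [string]$Sp.AccountEnabled -eq 'True') {
        if ($PSCmdlet.ShouldProcess($Sp.DisplayName, 'Set AccountEnabled = False')) {
            Set-AzureADServicePrincipal -ObjectId $Sp.ObjectId -AccountEnabled $false
            $Changed++
        }
    }
}

# Read the settings back so the result is verified rather than assumed.
Import-Csv -Path $CsvPath | ForEach-Object {
    Get-AzureADServicePrincipal -ObjectId $_.ObjectId -ErrorAction SilentlyContinue
} | Select-Object DisplayName, AccountEnabled, AppRoleAssignmentRequired | Format-Table -AutoSize

Write-Output "$Changed setting(s) changed."
```

Run it first as `.\Set-AppAccess.ps1 -CsvPath .\NewMicrosoftApps.csv -RequireAssignment -WhatIf`, then without -WhatIf once the list looks right. Requiring assignment blocks sign-in for everyone who is not yet assigned, so assign the intended users or groups to the app before flipping the setting on anything already in use.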

For more information, please refer https://docs.microsoft.com/en-us/powershell/module/azuread/set-azureadserviceprincipal?view=azureadps-2.0

The post Monitor Azure AD Enterprise applications using powershell script first appeared on All about Microsoft Endpoint Manager.

What is new in Configuration Manager 2006 for custom reports

Microsoft released Microsoft Endpoint Manager Configuration Manager build 2006 (MEMCM) via the opt-in method (fast ring) on 8 August, followed by the slow ring (GA) on 31 August.

If you want to install a new Configuration Manager site (fresh build), download the baseline version, which is 2003, from the Volume Licensing Service Center, and then do an in-console update to 2006.

For more information about what’s new in Configuration Manager 2006, please refer https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/changes/whats-new-in-version-2006

 And for a step-by-step guide to 2006, https://systemcenterdudes.com/step-by-step-sccm-2006-upgrade-guide/  

Once the CAS/primary site server update completes, you need to manually upgrade any secondary sites by right-clicking the site and choosing Upgrade.

You also need to update your Configuration Manager clients to the latest version (2006) to use the new client features.

As usual, whenever a new Configuration Manager build is released, there are new SQL views for the new or updated features, which help you build custom reports without MOF extensions (in case you have done those for these features).

In Configuration Manager 2006, a few SQL views were added compared to the previous version, 2002; they are listed below for your reference.

v_ClientEvents
v_DeviceApplicationTargeting
v_EventProperty
vCMGS_InventoryClass
vCMGS_InventoryClassProperty
vCMGS_MIResults
vCMGS_PolicySummary
vCMGS_PolicySummaryResources
vSMS_BannerNotificationsLocalization

What's new in Configuration Manager 2006 Reporting

Since the TechNet Gallery is retiring very soon, I have uploaded the Microsoft Endpoint Manager SQL views for build 2006, and also for the previous builds, to GitHub for your reference.

Download the SQL views for reporting from Github

Happy reporting!

Recommended reading:

SQL Server views in Configuration Manager

Creating custom reports by using SQL Server views in Configuration Manager

The post What is new in Configuration Manager 2006 for custom reports first appeared on All about Microsoft Endpoint Manager.

Rollup update for Tenant attach – Run scripts

Microsoft released an in-console update (KB4580678) that enables the Run Scripts feature from the Microsoft Endpoint Manager admin center (Intune). It is available to customers who have enabled tenant attach in Configuration Manager. The update also resolves other tenant attach related issues and is a prerequisite for using Run Scripts from the admin center.

If you have not yet started the tenant attach process, start now (https://docs.microsoft.com/en-us/mem/configmgr/tenant-attach/) and take actions on your devices from anywhere, even from a mobile, without opening the Configuration Manager console.

Along with enabling Run Scripts from the MEM admin center, it also fixes the following issues:

  • Features, such as Scripts, in the admin center do not appear for users that are assigned to all security scopes but are not full administrators.
  • Internet-based links to approve or deny user application requests via email fail in Microsoft Endpoint Configuration Manager current branch, version 2006. This occurs for internet-based clients managed with a cloud management gateway (CMG).
    The administrator will receive an HTTP Error 400 when clicking the email link. Note that requests can still be approved using the Configuration Manager console, or other channels such as WMI that rely on the Configuration Manager administration service.
  • The online status listed for devices on the internet connecting via a cloud management gateway (CMG) in the Configuration Manager console may be incorrect. This occurs when the CMG connection point is co-located with the service connection point, and the management point is co-located with the SMS provider.

This update is only available to customers who have enabled tenant attach and are running version 2006.

You don't need to restart the server after installing the update.

If you have any secondary sites, update them by right-clicking the site and choosing Recover Secondary Site.

You can also check the status of your secondary sites using the following SQL query:

select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')

If the value 1 is returned, the site is up to date, with all the hotfixes from its parent primary site applied.

If the value 0 is returned, the site has not installed all the fixes that are applied to the primary site, and you should use the Recover Secondary Site option to update it.
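As an added example (not from the post), the check above can be run for every secondary site in one pass rather than one site code at a time. It uses Invoke-Sqlcmd from the SqlServer module and assumes read access to the site database; the server and database names are assumptions.

```powershell
# Added example, not from the post: hotfix status for every secondary site.
# Assumes the SqlServer module (Invoke-Sqlcmd) and read access to the site DB.
$SqlServer = 'SG-CM01.intranet.eskonr'   # assumption: site database server
$Database  = 'CM_SG1'                    # assumption: site database name

# In v_Site, Type 1 = secondary site and ReportingSiteCode is the parent primary.
$Query = @"
SELECT s.SiteCode, s.SiteName, s.ReportingSiteCode,
       dbo.fnGetSecondarySiteCMUpdateStatus(s.SiteCode) AS UpToDate
FROM   v_Site AS s
WHERE  s.Type = 1
ORDER  BY s.SiteCode
"@

$Sites = @(Invoke-Sqlcmd -ServerInstance $SqlServer -Database $Database -Query $Query)

if ($Sites.Count -eq 0) {
    Write-Output 'No secondary sites found.'
    return
}

$Pending = @()
foreach ($Site in $Sites) {
    # 1 = all hotfixes from the parent primary are installed; 0 = Recover Secondary Site needed.
    $Label = '{0} ({1}) under {2}' -f $Site.SiteCode, $Site.SiteName, $Site.ReportingSiteCode
    if ([int]$Site.UpToDate -eq 1) {
        Write-Output "$Label`: up to date"
    } else {
        Write-Warning "$Label`: missing hotfixes, run Recover Secondary Site"
        $Pending += $Site.SiteCode
    }
}

# Non-zero exit code so a scheduled run or a pipeline step can flag the condition.
if ($Pending.Count -gt 0) { exit 1 }
```

Run it after every hotfix or rollup on the primary; the warning lines are the sites still pending, and the exit code lets a scheduled task or pipeline fail when any are left.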

How do you run scripts from the MEM admin center?

Launch https://endpoint.microsoft.com, select Devices, then All devices.

Select a device that is synced from Configuration Manager via tenant attach.

Click Scripts (preview).

You will see all the scripts that were targeted directly at the device. Scripts that you ran against a collection the device is a member of are not shown here.

As you can see, I ran two scripts on a device that were recently executed.

You can now select a script and initiate it from the web directly.

It would be nice to have all scripts available in Configuration Manager, filtered by the user's RBAC, listed for each device so the user can pick a script and run it if needed, instead of showing only the scripts that have already run.

For more information about pre-req, permissions for run scripts, please refer https://docs.microsoft.com/en-us/mem/configmgr/tenant-attach/scripts

Troubleshooting the client details in the admin center for tenant attach, please refer https://docs.microsoft.com/en-us/mem/configmgr/tenant-attach/troubleshoot-client-details

The post Rollup update for Tenant attach - Run scripts first appeared on All about Microsoft Endpoint Manager.

Managing Android devices with Microsoft Intune (MEM)

Microsoft Ignite 2020 is a virtual event with a lot of interesting content around Microsoft Endpoint Manager.

Following are some of the key takeaways from the recent discussion with MEM Program Managers on managing Android devices with Microsoft Endpoint Manager.

  1. Intune has full Android Enterprise support across all scenarios.
  2. Recent public preview release for the management of corporate-owned devices with a work profile.
  3. Google is decreasing support for device administrator management and recommends moving to work profile using Android Enterprise.
  4. Extensive configuration of the Microsoft Launcher app on fully managed devices.
  5. Support for management of rugged devices with OEMConfig.
  6. Support for enrolling dedicated devices into Azure AD shared mode (coming soon).

Following are the five methods of Android management using Intune, with the lightest-weight management on the left and the most locked down on the right (MDM):

1) and 2) are BYOD personal devices, of which 1) is managed only at the app level using app protection policies.

The remaining four cases go through Google's Android Enterprise program.

Device 2) is BYOD and configured with a work profile, which is the personally-owned management type in Android Enterprise. It creates a work profile on the device where the corporate apps and data are kept separate from the rest of the user's personal device.

Device 3) is corporate-owned with a work profile, which is in preview now and has a similar end-user experience to personally-owned work profile devices, but with additional device-level management capabilities since it is a company-owned device.

It offers separation between the work and personal profiles but with more device-level control than for personally-owned work profile devices, including the ability to remotely factory-reset the device and manage system updates. The public preview includes the ability to create multiple enrollment profiles with unique non-expiring tokens, so that a variety of configuration settings and app assignments can be applied.

Device 4) is fully managed and admins have management of the entire device and the user does not see a separation between work and personal information.

Device 5) is dedicated management for use in kiosk scenarios and other cases without a single user affinity.

To help you visualise how many Android devices you have in your environment across all the device management scenarios, Microsoft has added a bar chart on the Android overview page.

To see the list of Android devices with their enrollment type, click the Android hyperlink for the relevant solution.

If you have Android users enrolled using device administrator and want to move them from DA management to work profile management, Microsoft has added a compliance setting to mark those DA devices non-compliant.

Enrollment of company-owned devices:

All three include options for streamlined enrollment using Google zero-touch, Samsung's Knox Mobile Enrollment, and additional out-of-the-box enrollment methods like QR code scanning.

Upcoming features for corporate-owned devices with work profile:

These corporate management methods offer incredible management depth, even for the most locked-down scenarios, with capabilities like manufacturer-specific configuration with OEMconfig.

Microsoft added extensive integration with the Microsoft Launcher app for fully managed devices, now allowing you to set it as the default launcher app on the device and configure many different aspects of the user's experience,  including setting custom wallpaper, showing or hiding the dock, and choosing the placement of the search bar.

Enabling first-line workers with intune:

Azure AD shared device mode with Managed home screen:

Managed Google play (MGP):

And finally what’s new in Intune Android support:

For complete demonstration, please watch https://youtu.be/jbD5kQzOkAc

For a complete list of Microsoft Endpoint Manager sessions at Ignite 2020, please refer https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/microsoft-endpoint-manager-at-microsoft-ignite-2020/ba-p/1681322

Deploy task sequence to user based collection in Configuration Manager Technical Preview 2010

$
0
0

Another month pass by and Microsoft released Technical preview for Configuration Manager 2010. These technical previews will be released every month and is for lab purpose ONLY.

For more information about the technical preview and how to use it, please refer https://docs.microsoft.com/en-us/mem/configmgr/core/get-started/technical-preview

The active baseline version as of today for technical preview is 2007 and this can be downloaded from Evaluation Center.

Following are the new features in Technical preview 2010.

Deploy a task sequence to a user as an app model deployment type

Starting in this release, you can deploy a non-OS deployment task sequence to a user-based collection by adding a task sequence deployment type to an application, either to install or uninstall the app.

To create a task sequence for non-OS deployments, please refer to https://docs.microsoft.com/en-us/mem/configmgr/osd/deploy-use/create-a-task-sequence-for-non-operating-system-deployments

Enable user proxy for software update scans

Beginning with the September 2020 cumulative update, HTTP-based WSUS servers will be secure by default. A client scanning for updates against an HTTP-based WSUS will no longer be allowed to leverage a user proxy by default. If you still require a user proxy despite the security trade-offs, a new software updates client setting is available to allow these connections. Learn more about the September 2020 changes to improve security for Windows devices scanning WSUS.

Improvements to scenario health

With scenario health, you can now monitor the health of the channel used for client actions if you've onboarded to cloud management. This improvement helps surface potential issues with client actions from the Microsoft Endpoint Manager admin center. It can also be used for on-premises client actions such as CMPivot, Run Scripts, and waking up machines.

Find it under \Monitoring\Overview\Scenario Health.

Shortcut to status messages

You now have an easier way to view status messages for the deployment, content, device and user objects.

Following are the objects that you can select:

  • Devices
  • Users
  • Content
  • Deployments
    • Monitoring workspace
      • Phased deployments (select Show Deployments from the Phased Deployments node)
    • Deployments tab in the details pane for:
      • Packages
      • Task sequences

Select an object and choose 'Show Status Messages' from the ribbon or the right-click menu.

Support for Windows 10 Enterprise LTSC on Desktop Analytics

The long-term servicing channel (LTSC) was designed for Windows 10 devices and use cases where the key requirement is that functionality and features don’t change over time. The LTSC servicing model prevents Windows 10 Enterprise LTSC devices from receiving the usual feature updates and provides only quality updates to ensure that device security stays up to date. For customers that want to shift from LTSC to the semi-annual servicing channel to have access to new features, services, and other major changes, Desktop Analytics now supports enrolling and evaluating LTSC devices in your deployment plans.

Syntax highlighting for scripting languages in the Configuration Manager console

To assist you when creating scripts and queries in the Configuration Manager console, you will now see syntax highlighting. Supported languages include PowerShell, JavaScript/JScript, VBScript and SQL/WQL.

Defender App Control policy supports Windows Server 2016+ clients now

Configuration Manager has to date supported Defender App Control policies for Windows 10 clients. This support is now extended to Windows Server 2016 and later endpoints.

Technical preview 2010 build installation:

Monitor the content download status from dmpdownloader.log

Once the content is downloaded and ready to install, install the update.

Site version: 5.00.9032.1000

Client version: 5.00.9032.1000

Happy testing the preview build.

How to hide notification previews for teams and outlook mobile using Microsoft Endpoint Manager

We had a requirement to hide notification previews for Teams and Outlook on mobile devices, so that mail and conversation content is not shown on the lock screen, for security reasons.

Microsoft Endpoint Manager (Intune) app protection policies have a setting that lets admins block organisational data from appearing in Teams mobile notifications (e.g. message preview, channel, or sender name) on both iOS and Android lock screens, using the Intune Application Protection Policy (APP).

This lets you specify how org data is shared via OS notifications for org accounts.

In your Intune app protection policy, under Data protection, there is a setting called 'Org data notifications', which is set to 'Allow' by default.

You can configure the following values:

  • Block: Do not share notifications.
    • If not supported by the application, notifications will be allowed.
  • Block org data: Do not share org data in notifications. For example, "You have new mail"; "You have a meeting".
    • If not supported by the application, notifications will be blocked.
  • Allow: Shares org data in the notifications

This setting used to be supported only by Outlook mobile, but since 29 September 2020 it is supported by Teams mobile as well.

Revalidate the Intune app protection policies applied to Outlook and Teams for this setting.

For this to take effect on mobile devices, Teams for iOS must be version 2.0.22 or later and Teams for Android version 1.0.0.2020091301 or later.

For more information about Intune App protection policies, please refer https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policies

Create a collection and upgrade the Configuration Manager Console

I was recently assisting a customer with a Configuration Manager upgrade; after the site upgrade, the console on endpoint devices needs to be upgraded to the latest version.

When you install or update your Configuration Manager site, the console version changes and needs to be updated on all endpoints that have the console installed.

If your site is running a newer Configuration Manager build but your users have an older console, they are prompted to install the new console version the next time they launch it, but the install has the following prerequisites:

  • You have local Administrator rights on the target computer for the console.

  • You have read permissions to the location of the Configuration Manager console installation files.

We follow the standard method: create a collection that identifies devices running an older console version, create an application from the admin console setup files, and deploy it silently to upgrade the console.

To create a device collection, use the following WQL query:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId where (SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "Microsoft Endpoint Configuration Manager Console" or SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "System Center Configuration Manager Console")
and SMS_G_System_ADD_REMOVE_PROGRAMS.Version < "5.2006.1024.1000"

Replace the console version with the one that matches your site.

Now we will create an application using the latest admin console setup files and deploy it to the collection.

Grab the following files from <Configuration Manager installation media>\SMSSETUP\BIN\I386 and copy them to a source folder.

  • ConsoleSetup.exe
  • AdminConsole.msi
  • ConfigMgr.AC_Extension.i386.cab
  • ConfigMgr.AC_Extension.amd64.cab

In the source folder where you placed the files, create a batch script with the following silent installation command line:

ConsoleSetup.exe /q TargetDir="%ProgramFiles%\ConfigMgr Console" DefaultSiteServerName=SG-CM01.intranet.eskonr

Replace the site server name with yours.

Create an application with a script deployment type and use the following detection method.

image

Detection method:

Setting type: File system

Type: File

Path: %ProgramFiles(x86)%\Microsoft Configuration Manager\AdminConsole\bin

File or folder: Microsoft.ConfigurationManagement.exe

Property: Version

Value: 5.2006.1024.1000

Replace the value so it matches your site server's console version, and check that the path matches where the console is actually installed on your devices.

Deploy the application to the collection that we created initially.
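As an added example (not from the post), the collection, application and deployment steps above expressed with the ConfigMgr PowerShell cmdlets, so the console upgrade can be repeated for each new build by changing one version string. It assumes the console cmdlets are installed on the machine it runs on; the site code, source share and detection path are assumptions to replace with your own values.

```powershell
# Added example, not from the post. Assumes the ConfigMgr console (and its
# PowerShell module) is installed locally. Site code, source share and
# detection path are assumptions; the server name is the one used in the post.
$SiteCode       = 'SG1'                                  # assumption
$SiteServer     = 'SG-CM01.intranet.eskonr'
$ConsoleVersion = '5.2006.1024.1000'                     # console version shipped with your site
$SourceFolder   = '\\SG-CM01\Sources$\ConsoleUpgrade'    # assumption: holds ConsoleSetup.exe, AdminConsole.msi and the two .cab files
$ConsolePath    = '%ProgramFiles(x86)%\Microsoft Configuration Manager\AdminConsole\bin'  # must match where the console lives on your devices
$CollectionName = "ConfigMgr Console below $ConsoleVersion"
$AppName        = "Configuration Manager Console $ConsoleVersion"

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):"

# Same WQL as the collection query above. Version is a string in WQL, so the
# comparison only holds while all console versions share the 5.yyMM.bbbb.rrrr layout.
$Wql = @"
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId
where (SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "Microsoft Endpoint Configuration Manager Console"
    or SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "System Center Configuration Manager Console")
  and SMS_G_System_ADD_REMOVE_PROGRAMS.Version < "$ConsoleVersion"
"@

if (-not (Get-CMDeviceCollection -Name $CollectionName)) {
    New-CMDeviceCollection -Name $CollectionName -LimitingCollectionName 'All Systems' -RefreshType Periodic | Out-Null
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $CollectionName -RuleName 'Older console' -QueryExpression $Wql
}

# Detection: the console executable is present at or above the target version.
$Detection = New-CMDetectionClauseFile -Path $ConsolePath -FileName 'Microsoft.ConfigurationManagement.exe' `
    -PropertyType Version -ExpressionOperator GreaterEquals -ExpectedValue $ConsoleVersion -Value

if (-not (Get-CMApplication -Name $AppName)) {
    New-CMApplication -Name $AppName -Publisher 'Microsoft' -SoftwareVersion $ConsoleVersion | Out-Null
    Add-CMScriptDeploymentType -ApplicationName $AppName -DeploymentTypeName 'Silent console upgrade' `
        -ContentLocation $SourceFolder `
        -InstallCommand "ConsoleSetup.exe /q TargetDir=`"%ProgramFiles%\ConfigMgr Console`" DefaultSiteServerName=$SiteServer" `
        -AddDetectionClause $Detection -InstallationBehaviorType InstallForSystem | Out-Null
}

# Required deployment to the collection. Devices drop out of the collection on
# their own once hardware inventory reports the new console version.
New-CMApplicationDeployment -CollectionName $CollectionName -Name $AppName `
    -DeployAction Install -DeployPurpose Required | Out-Null
```

Remember to distribute the application content to your distribution points before the deployment becomes active, and check the first few Software Center installs against AppEnforce.log on a client before relying on the detection rule across the estate.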

Monitor the deployment using built-in reports/in-console or your custom reports.

Following is a SQL query to count devices by Configuration Manager console version.

select arp.DisplayName0,arp.Version0,count(*) Total From v_Add_Remove_Programs arp
where arp.DisplayName0 like 'Microsoft Endpoint Configuration Manager Console'
or arp.DisplayName0 like 'System Center Configuration Manager Console'
group by arp.DisplayName0,arp.Version0

You can also see which console versions are connecting to the site under the Security node in the console:

\Administration\Overview\Security\Console Connections

Hope it helps!


Manage BitLocker for CMG connected devices using Technical preview 2010.2

$
0
0

Microsoft released Configuration Manager technical preview version 2010.2 which is 2nd release for Oct 2020. These Technical previews released every month for testing, explore new and improved features and provide feedback in case of any issues.

This Technical previews brings the following new and improved features.

Tenant attach: Troubleshooting portal lists a user’s devices based on usage

Tenant attach: Create and deploy firewall policies

Enhancements to applications in Microsoft Endpoint Manager admin Center

Manage BitLocker policies and escrow recovery keys over a cloud management gateway (CMG)

Improvements to deploy an OS over CMG using boot media

Desktop Analytics support for new Windows 10 data level

Immediate distribution point fallback for clients downloading software update delta content

Disable Azure AD authentication for onboarded tenants

Additional options when creating app registrations in Azure Active Directory

Validate internet access for the service connection point

Improvements to the administration service

For more information about the features https://docs.microsoft.com/en-us/mem/configmgr/core/get-started/2020/technical-preview-2010-2

You can install this technical preview from the console, under the Updates and Servicing node.

If you want to set up a Technical Preview lab, please refer to https://docs.microsoft.com/en-us/mem/configmgr/core/get-started/set-up-your-lab

If you don't see the update, click Check for Updates and monitor dmpdownloader.log.

When the update is downloaded, you will see it in the console as 'Ready to install'.

Right-click the update and install it. After a while, if the installation succeeds, you will see a warning to install the new console version.

Site version: 5.00.9039.1000

Client version: 5.00.9039.1000

Once the site is upgraded, you also need to upgrade the clients to the latest version to get the new client features.

How do we get BitLocker supported for clients connected through the CMG?

If you already have working BitLocker policies, make sure the remote client is upgraded to the latest technical preview client, then deploy the BitLocker policies to the internet-based clients.

There is no change to the setup process of BitLocker management; it works with your existing configuration.

References:

https://docs.microsoft.com/en-us/mem/configmgr/core/get-started/2020/technical-preview-2010-2

https://docs.microsoft.com/en-us/mem/configmgr/core/get-started/technical-preview

Convert Android Devices from Device Admin to work profile (Enterprise Enrollment) using Microsoft Endpoint Manager

Google has already announced the deprecation of Android enrollment using device administrator (for more information, see https://developers.google.com/android/work/device-admin-deprecation), and it is highly recommended to use Android Enterprise on devices where GMS is available.

There is still a need to fall back to device admin in countries where GMS is not available, such as mainland China. Without GMS, the device cannot be managed by Microsoft Endpoint Manager using a work profile. I recently did a blog post on this; for more information, please refer to https://systemcenterdudes.com/endpoint-manager-android-china/

In this blog post, we will see how to move Android users from device administrator to work profile (Android Enterprise enrollment).

If you have created enrollment restrictions that let certain users enroll with Android device administrator (for reasons such as no GMS), remove the users from that enrollment restriction group first.

You can verify this from the enrollment restrictions policy.

Once you have validated the enrollment restrictions, verify the number of devices/users that are enrolled using device admin.

You can also apply a quick filter on Android (device administrator).

We will now configure the Android compliance policy to move Android devices from device administrator to work profile management, using the setting Block devices managed with device administrator.

When this setting is configured, it marks the Android device as non-compliant; the user taps the non-compliant entry and chooses Resolve. This process guides them through removing device admin management and enrolling with a work profile. (While this happens, make sure the user is not a member of the device admin enrollment group.) If a user is a member of both the device admin enrollment and the enterprise enrollment, the enterprise enrollment profile takes precedence.

We will now go to the Android compliance policies and either edit the existing policy (if you have one) or create a new policy with platform: Android device administrator.

Go to the Android device compliance policies at https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/DevicesAndroidMenu/compliancePolicies and edit or create a policy.

Open the Android device admin policy; on the Compliance settings page, in the Device Health section, set Block devices managed with device administrator, then save the policy.

Click review and save.

You can also customise the Actions for noncompliance, such as emailing the user or sending a push notification.

Once the configuration is done, assign the policy to the group of users whose devices are enrolled with device admin.

Once you save the changes, the devices will be marked as non-compliant in the endpoint portal.

End-User Experience:

Moving the device from device admin to work profile is straightforward, and the end user can do it themselves.

Based on the actions for non-compliance, the user is notified; they launch the Company Portal, open the Devices tab, select the Android device and tap Resolve.

[Screenshots: Company Portal and Work Setup steps on the device]

The process involves the following steps:

1. Remove current management

2. Create work profile

3. Activate work profile

4. Update device settings

After the enrollment is completed, the device appears in the endpoint portal with OS 'Android work profile'.

The old device admin entry still appears; it is removed as part of device clean-up (if you have configured it), or you can remove it using a script.

For troubleshooting, please refer to https://docs.microsoft.com/en-us/mem/intune/enrollment/android-move-device-admin-work-profile#troubleshooting

How to collect Teams client logs for troubleshooting using Configuration Manager–Scripts

There are times when you need to troubleshoot Microsoft Teams client issues such as the app crashing, poor call quality, or new features not working as expected.

When you hit any of these issues, you need to collect the Teams client logs to investigate further and, if needed, share the logs with a Microsoft support engineer for further help.

There are different logs in the Teams client that help you troubleshoot an issue; the following are the important ones.

As the Teams client is installed in the user profile (%appdata%), log collection has to be done from the user's profile, so you need to ask the user and assist them to get these logs.

These logs are located in different folders under the user profile, and guiding a user to find them takes time and can get annoying.

Except for debug logs, all of these logs are readily available for remote collection.

Debug logs require user intervention (not possible remotely): the user needs to press the shortcut Ctrl + Alt + Shift + 1 to generate them.

For more information about the log files and troubleshooting Teams client, please refer https://docs.microsoft.com/en-us/microsoftteams/log-files 

Since that article gives the locations of the Teams log files, we can use the Scripts feature of Microsoft Endpoint Manager Configuration Manager to collect the client logs remotely for troubleshooting.

The Scripts feature simplifies building custom tools to administer software and lets you accomplish mundane tasks quickly, so large jobs get done more easily and more consistently. For more information about running PowerShell scripts from the Configuration Manager console, please refer here

This script can be used manually or remotely using Configuration Manager.

What does this script do?

1. The script checks whether a user is logged into the machine; if so, it collects the media logs, desktop logs, debug logs and event viewer entries from their locations and stores them in C:\Temp\Teamslog.

2. If no user is logged into the machine, the script does nothing.

3. Once the logs are collected and stored on the share, the temporary logs in C:\temp\teamslog on the local drive are removed.

What is required to run the script?

1. You need to provide the log share name where the logs are stored. The logs are zipped and stored as username-timestamp.zip.

2. You need to ask the user to press Ctrl + Alt + Shift + 1 to generate the debug logs. Once this is done, the script looks for the debug logs and collects them.

3. If the user does not press Ctrl + Alt + Shift + 1, the script will not collect the debug logs, but it still collects the other logs if available.

Once you have filled in the log share, you can take this script, add it to Configuration Manager Scripts and run it on the device where the user is logged on to collect the logs.
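The collection flow described above, written out as an added example (this is not the author's GitHub script). It assumes the log locations of the classic Teams client as listed in the Microsoft log-files article linked above, and that the share passed as -LogShare is writable by the account the script runs under. Because scripts pushed from the console run as SYSTEM, %APPDATA% would point at the SYSTEM profile, so the logged-on user's profile folder is resolved from their SID instead.

```powershell
# Added example (not the post's own script): collect classic Teams client logs for the
# logged-on user, zip them as <user>-<timestamp>.zip on a share, then clean up C:\Temp\Teamslog.

function Get-LoggedOnUser {
    # DOMAIN\user of the console session, or $null when nobody is logged on.
    (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
}

function Get-ProfileFolder {
    param([Parameter(Mandatory)][string]$Account)
    # Running as SYSTEM, so resolve the user's own profile folder through the SID.
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid").ProfileImagePath
}

function Invoke-TeamsLogCollection {
    param(
        [Parameter(Mandatory)][string]$LogShare,   # UNC path of the log share (placeholder in the usage call)
        [string]$TempRoot = 'C:\Temp\Teamslog'
    )
    $user = Get-LoggedOnUser
    if (-not $user) { return 'No interactive user logged on; nothing collected.' }

    $profileDir = Get-ProfileFolder -Account $user
    $teamsDir   = Join-Path $profileDir 'AppData\Roaming\Microsoft\Teams'
    if (-not (Test-Path -Path $teamsDir)) { return "No classic Teams profile folder under $profileDir." }

    # Log locations of the classic Teams client, per the Microsoft log-files article (assumed).
    $sources = [ordered]@{
        Desktop = @(Join-Path $teamsDir 'logs.txt')
        Media   = @((Join-Path $teamsDir 'media-stack\*.blog'),
                    (Join-Path $teamsDir 'media-stack\*.etl'),
                    (Join-Path $teamsDir 'skylib\*.blog'))
        # Written to the user's Downloads folder only after Ctrl+Alt+Shift+1 was pressed.
        Debug   = @(Join-Path $profileDir 'Downloads\MSTeams Diagnostics Log*.txt')
    }

    if (Test-Path -Path $TempRoot) { Remove-Item -Path $TempRoot -Recurse -Force }
    $counts = [ordered]@{}
    foreach ($kind in $sources.Keys) {
        $dest  = New-Item -ItemType Directory -Path (Join-Path $TempRoot $kind) -Force
        $files = @(foreach ($pattern in $sources[$kind]) {
            Get-ChildItem -Path $pattern -File -ErrorAction SilentlyContinue
        })
        if ($files.Count -gt 0) { $files | Copy-Item -Destination $dest.FullName -Force }
        $counts[$kind] = $files.Count
    }
    if ($counts['Debug'] -eq 0) {
        Write-Warning 'No debug logs found: the user has not pressed Ctrl+Alt+Shift+1 yet.'
    }

    # Event viewer: Application log of the last 7 days, exported as CSV.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message |
        Export-Csv -Path (Join-Path $TempRoot 'Application-eventlog.csv') -NoTypeInformation

    # Zip to <user>-<timestamp>.zip on the share, then remove the local temp copy.
    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
    $zipName = '{0}-{1}.zip' -f ($user -replace '[\\/:]', '_'), $stamp
    $zipPath = Join-Path $LogShare $zipName
    Compress-Archive -Path (Join-Path $TempRoot '*') -DestinationPath $zipPath -Force
    Remove-Item -Path $TempRoot -Recurse -Force

    return ('Collected {0} desktop, {1} media and {2} debug log files into {3}' -f
            $counts['Desktop'], $counts['Media'], $counts['Debug'], $zipPath)
}

# Usage: '\\fileserver\TeamsLogs' is an assumed placeholder; fill in your own log share.
Invoke-TeamsLogCollection -LogShare '\\fileserver\TeamsLogs'
```

The returned string is what shows up in the script output in the console, so the counts tell you at a glance whether the debug logs were picked up or the user still has to press the shortcut. Grant the machine accounts write-only access to the share so a collected archive cannot be read back by other clients.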

The script is uploaded to GitHub; you can download it from here.

For teams client troubleshooting, please refer https://docs.microsoft.com/en-us/MicrosoftTeams/troubleshoot/teams-welcome

Using PowerShell script to extract the status messages for SMS provider, Site and client in Configuration Manager

Over the last couple of years, I have been using this method to extract the status messages for various components in Configuration Manager such as the SMS provider, site server and client.

These status messages are critical and useful when troubleshooting components, clients, etc. Status messages are similar to Windows NT events: they have a severity, an ID, a description, etc.

Status message IDs appear in many places such as logs, the event viewer and the Configuration Manager console. During troubleshooting it is hard to find the description for the status message ID you are looking for, and not everything can be found on the internet.

As the current branch is released every 3 months (based on past trends), the status message IDs change (additions/deletions), so it is important to keep a copy of the status message IDs for each build you work with.

In this blog post, we will see how to generate the status message IDs and descriptions for your Configuration Manager build.

What is required to generate the status messages?

1. You need the following DLL files, which are available on your CAS/primary site server for your current build:

CLIMSGS.DLL

PROVMSGS.DLL

SRVMSGS.DLL

These DLL files are located on your site server at <CM installed directory>\bin\X64\system32\smsmsgs

2. Copy these DLL files to a folder on your computer.

3. Now download the script from GitHub and save it in the same folder where you copied the DLL files.

4. Run the script. The script creates an Excel file with 3 sheets called client, site server and SMS provider, listing the status message IDs along with their descriptions.

5. Output

Every time you update your Configuration Manager build, get the updated DLL files and run the script again.
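As an added example of what such a script does under the hood (this is not the post's GitHub script, and it writes CSV files rather than an Excel workbook): load each message DLL as a data file and ask FormatMessage for the text of every message ID. The severity prefixes 0x40000000 (informational), 0x80000000 (warning) and 0xC0000000 (error) and the 65535 upper bound on the message number are assumptions; the DLL file names and the folder layout are those from steps 1 and 2 above.

```powershell
# Added example (not the post's script): dump status message IDs and descriptions from
# climsgs.dll, srvmsgs.dll and provmsgs.dll to CSV files using the Win32 FormatMessage API.

Add-Type -Namespace SmsMsgs -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr LoadLibraryEx(string lpFileName, IntPtr hFile, uint dwFlags);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool FreeLibrary(IntPtr hModule);
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern uint FormatMessage(uint dwFlags, IntPtr lpSource, uint dwMessageId,
    uint dwLanguageId, System.Text.StringBuilder lpBuffer, uint nSize, IntPtr Arguments);
'@

function Get-SmsStatusMessages {
    param(
        [Parameter(Mandatory)][string]$DllPath,
        [Parameter(Mandatory)][string]$Component,
        [int]$MaxId = 65535          # assumed upper bound on the message number part of the ID
    )
    $LOAD_LIBRARY_AS_DATAFILE      = 0x2     # map the DLL for its resources only; no code in it runs
    $FORMAT_MESSAGE_FROM_HMODULE   = 0x800
    $FORMAT_MESSAGE_IGNORE_INSERTS = 0x200
    # Severity lives in the top two bits of the message ID (assumed; decimal for 0x40000000,
    # 0x80000000 and 0xC0000000, because 8-digit hex literals wrap to negative Int32 in PowerShell).
    $severities = [ordered]@{ Informational = [uint32]1073741824; Warning = [uint32]2147483648; Error = [uint32]3221225472 }

    $hModule = [SmsMsgs.Native]::LoadLibraryEx((Resolve-Path -Path $DllPath).ProviderPath, [IntPtr]::Zero, $LOAD_LIBRARY_AS_DATAFILE)
    if ($hModule -eq [IntPtr]::Zero) {
        throw ('LoadLibraryEx failed for {0} (Win32 error {1})' -f $DllPath, [Runtime.InteropServices.Marshal]::GetLastWin32Error())
    }
    try {
        $buffer = New-Object System.Text.StringBuilder 8192
        foreach ($severity in $severities.Keys) {
            for ($id = 1; $id -le $MaxId; $id++) {
                $messageId = [uint32]($severities[$severity] -bor $id)
                $length = [SmsMsgs.Native]::FormatMessage(
                    ($FORMAT_MESSAGE_FROM_HMODULE -bor $FORMAT_MESSAGE_IGNORE_INSERTS),
                    $hModule, $messageId, 0, $buffer, $buffer.Capacity, [IntPtr]::Zero)
                if ($length -gt 0) {
                    [pscustomobject]@{
                        Component   = $Component
                        Severity    = $severity
                        MessageID   = $id
                        Description = $buffer.ToString(0, [int]$length).Trim()
                    }
                }
            }
        }
    } finally {
        [void][SmsMsgs.Native]::FreeLibrary($hModule)
    }
}

function Export-SmsStatusMessages {
    # Expects the three DLLs in -DllFolder (copied there in step 2) and writes one CSV per component.
    param([string]$DllFolder = '.', [string]$OutFolder = '.')
    $map = [ordered]@{ 'climsgs.dll' = 'Client'; 'srvmsgs.dll' = 'SiteServer'; 'provmsgs.dll' = 'SMSProvider' }
    foreach ($dll in $map.Keys) {
        $csv = Join-Path $OutFolder ('StatusMessages-{0}.csv' -f $map[$dll])
        Get-SmsStatusMessages -DllPath (Join-Path $DllFolder $dll) -Component $map[$dll] |
            Export-Csv -Path $csv -NoTypeInformation
        $csv
    }
}

Export-SmsStatusMessages
```

LOAD_LIBRARY_AS_DATAFILE matters here: the DLLs are read purely as resource containers, so nothing from a copied binary is executed on the admin workstation. Because the description is fetched with FORMAT_MESSAGE_IGNORE_INSERTS, the %1, %2 placeholders stay in the text, which is what you want when matching a message against a log line.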

I hope you found this useful.

References:

https://gallery.technet.microsoft.com/scriptcenter/Enumerate-status-message-6e7e1761

Use SCCM to find the excluded apps in Microsoft 365 Apps or Office 365 Proplus for custom reporting

I was asked by a customer to find the devices with excluded apps in C2R products such as Office 365 Proplus or Microsoft 365 Apps or Office 2019 etc.

When you create a configuration file for C2R products such as Office 365 ProPlus/Microsoft 365 Apps, you can define which apps of the product should not be installed, such as Word, Excel, PowerPoint, Publisher, Visio or Skype. If you don't want Publisher installed alongside those applications, use the ExcludeApp element to remove it.

Following are the allowed values for the ID attribute of the ExcludeApp element.

  • ID="Access"
  • ID="Excel"
  • ID="Groove"
  • ID="Lync"
  • ID="OneDrive"
  • ID="OneNote"
  • ID="Outlook"
  • ID="PowerPoint"
  • ID="Publisher"
  • ID="Teams"
  • ID="Word"

Following is the sample configuration file I used to deploy Microsoft 365 Apps with a few apps excluded.

<Configuration>
    <Add OfficeClientEdition="64" Channel="Monthly">
        <Product ID="O365ProPlusRetail">
            <Language ID="en-us"/>
            <ExcludeApp ID="OneDrive"/>
            <ExcludeApp ID="Groove"/>
            <ExcludeApp ID="Lync"/>
        </Product>
    </Add>
    <Display Level="Standard" AcceptEULA="TRUE"/>
    <Property Name="AUTOACTIVATE" Value="1" />
    <Logging Level="Standard" Path="C:\windows\o365proplus"/>
</Configuration>

Likewise, multiple configuration files get created and deployed to end users based on requirements, and at some point it is good to have a report that lists each device with its excluded apps.

When you deploy a C2R product using the Endpoint Manager tool, there is no built-in report to identify which apps are excluded on specific devices.

How do we inventory the devices with excluded apps in Microsoft 365 Apps?

Let's start by analysing the data stored on the endpoint for Office/Microsoft 365 Apps.

The following registry key holds the information about the C2R products:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration

As you can see, a lot of information is stored in the registry, including O365ProPlusRetail.ExcludedApps.

This tells us that on this device the 3 apps (onedrive, groove, lync) that we excluded in the configuration file above were indeed excluded.

How do we bring this data into Configuration Manager? Is there a built-in tool or inventory that gathers this information?

There are some built-in reports with information about Office 365 products, but if you want anything custom like this, you must extend the hardware inventory, which can be done with a popular tool called RegKeyToMOF.

Detailed Steps:

1. Use RegKeyToMOF to generate configuration.mof and inventory.mof, and compile the MOF files to check for syntax errors.

2. Import inventory.mof and configuration.mof.

3. Verify the MOF changes, on the SQL side as well.

3. Deploy the client settings to a test device collection.

4. Initiate the machine policy cycle on the test device and trigger hardware inventory.

5. Monitor the hardware inventory on the site server and check in SQL whether any data was received.

1. Use RegKeyToMOF to generate configuration.mof and inventory.mof:

Download the RegKeyToMOF.exe tool from TechNet.

On a device where Office 365 ProPlus/Microsoft 365 Apps or Office 2019 is installed, copy the tool and run it to generate a custom MOF file.

Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration

At this point we can export configuration.mof and inventory.mof (to import into the admin console) using the tool; save the MOF files.

The exported MOF files contain a lot of information, and we need to trim them down to the actual requirement.

Following is my configuration.mof and inventory.mof (Trimmed version):

Configuration.mof:

// RegKeyToMOF by Mark Cochrane (with help from Skissinger, SteveRac, Jonas Hettich, Kent Agerlund & Barker)
// this section tells the inventory agent what to collect
// 16/10/2018 3:05:03 PM

#pragma namespace ("\\\\.\\root\\cimv2")
#pragma deleteclass("Configuration", NOFAIL)
[DYNPROPS]
Class Configuration
{
[key] string KeyName;
String ProPlus2019RetailExcludedApps;
String O365ProPlusRetailExcludedApps;

};

[DYNPROPS]
Instance of Configuration
{
KeyName="RegKeyToMOF";
[PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Office\\ClickToRun\\Configuration|ProPlus2019Retail.ExcludedApps"),Dynamic,Provider("RegPropProv")] ProPlus2019RetailExcludedApps;

[PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Office\\ClickToRun\\Configuration|O365ProPlusRetail.ExcludedApps"),Dynamic,Provider("RegPropProv")] O365ProPlusRetailExcludedApps;
};

In the original post the registry path and value name inside each PropertyContext (shown in black) are highlighted as the parts that must match the registry key exactly, while the class and property names (shown in brown) can be named as you like, as long as they are identical in configuration.mof and inventory.mof.

Inventory.mof:

// RegKeyToMOF by Mark Cochrane (with help from Skissinger, SteveRac, Jonas Hettich, Kent Agerlund & Barker)
// this section tells the inventory agent what to report to the server
// 16/10/2018 3:05:03 PM
#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
#pragma deleteclass("Configuration", NOFAIL)
[SMS_Report(TRUE),SMS_Group_Name("o365ExcludedApps"),SMS_Class_ID("o365ExcludedApps")]
Class Configuration: SMS_Class_Template
{
[SMS_Report(TRUE),key] string KeyName;
[SMS_Report(TRUE)] String ProPlus2019RetailExcludedApps;
[SMS_Report(TRUE)] String O365ProPlusRetailExcludedApps;
};

Download the MOF files from GitHub.

If you have added more attributes from the registry, make sure you compile the MOF file to check for syntax errors.

Compile the MOF file using mofcomp.exe filename.mof

Once the MOF files are validated, we are ready to make the changes on the SCCM server.

2. Import the inventory.mof and configuration.mof:

Copy the MOF files to your CAS/primary site.

Browse to the SCCM installation directory, <Installed Dir>\Program Files\Microsoft Configuration Manager\inboxes\clifiles.src\hinv

Take a backup of configuration.mof before making any changes.

Edit configuration.mof, go to the last line of the file and paste the custom content from your configuration.mof at the bottom.

Save the changes.

Now open the SCCM console, go to Administration, Client Settings, edit the Default Client Settings and go to Hardware Inventory.

Click Set Classes.

Click Import and select the inventory.mof file that you downloaded or created yourself.

Click on import.

Make sure you untick the o365ExcludedApps class, because we don't want these changes applied to all devices through the default client settings.

This step imports the settings and creates the SQL view, stored procedure, etc.

Monitor dataldr.log on your site server for the changes. You will see that the SQL view and stored procedure are created successfully.

Querying select * from v_GS_o365ExcludedApps0 returns empty results at this point.

We will now create new client settings, or use existing client settings, to deploy to a test collection for monitoring the results.

In your new or existing test client settings, click Edit, Hardware Inventory, Set Classes and tick o365ExcludedApps.

We have now completed the changes on the site server.

3. Deploy the client setting to test device collection.

4. Initiate machine policy cycle on the test device, trigger hardware inventory.

We now move on to the client and initiate the machine policy cycle so the client receives these changes, then initiate hardware inventory.

Initiate hardware inventory and monitor InventoryAgent.log.

Collection: Namespace = \\.\root\cimv2; Query = SELECT __CLASS, __PATH, __RELPATH, KeyName, O365ProPlusRetailExcludedApps, ProPlus2019RetailExcludedApps, VisioPro2019RetailExcludedApps FROM Configuration; Timeout = 600 secs.
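A local check for the test device, added here as an example (it is not the post's MOF or script): parse the ExcludeApp elements from the ODT configuration file, compare them with the <ProductID>.ExcludedApps registry values the inventory is about to collect, and query the custom Configuration class in root\cimv2 with the same class the InventoryAgent.log line above reads. The embedded XML is the post's sample configuration, reused as constructed test input; the comma-separated, lower-case registry value format follows the description of the registry screenshot above.

```powershell
# Added example (not the post's MOF or script): compare the ExcludeApp list of an Office
# Deployment Tool configuration with the ClickToRun registry values on this device, and
# query the custom 'Configuration' class the inventory agent reads.

# The post's sample configuration, embedded as constructed test input.
$SampleConfigXml = @'
<Configuration>
  <Add OfficeClientEdition="64" Channel="Monthly">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us"/>
      <ExcludeApp ID="OneDrive"/>
      <ExcludeApp ID="Groove"/>
      <ExcludeApp ID="Lync"/>
    </Product>
  </Add>
</Configuration>
'@

function Get-ExpectedExcludedApps {
    # One object per <Product>, with its ExcludeApp IDs lower-cased to match the registry.
    param([Parameter(Mandatory)][string]$ConfigXml)
    $xml = [xml]$ConfigXml
    foreach ($product in @($xml.Configuration.Add.Product)) {
        [pscustomobject]@{
            Product      = $product.ID
            ExcludedApps = @($product.ExcludeApp | ForEach-Object { $_.ID.ToLowerInvariant() })
        }
    }
}

function Get-DeviceExcludedApps {
    # Reads every <ProductID>.ExcludedApps value, e.g. "onedrive,groove,lync" (comma-separated).
    param([string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration')
    if (-not (Test-Path -Path $KeyPath)) { return }
    $key = Get-Item -Path $KeyPath
    foreach ($name in @($key.GetValueNames() | Where-Object { $_ -like '*.ExcludedApps' })) {
        $apps = @(([string]$key.GetValue($name)) -split ',' |
                  ForEach-Object { $_.Trim().ToLowerInvariant() } | Where-Object { $_ })
        [pscustomobject]@{ Product = ($name -replace '\.ExcludedApps$', ''); ExcludedApps = $apps }
    }
}

function Compare-ExcludedApps {
    # Per product: installed?, what the config expects, what the device reports, and the deltas.
    param([Parameter(Mandatory)][string]$ConfigXml)
    $device = @{}
    foreach ($d in @(Get-DeviceExcludedApps)) { $device[$d.Product] = $d.ExcludedApps }
    foreach ($expected in Get-ExpectedExcludedApps -ConfigXml $ConfigXml) {
        $actual = if ($device.ContainsKey($expected.Product)) { $device[$expected.Product] } else { @() }
        [pscustomobject]@{
            Product       = $expected.Product
            Installed     = $device.ContainsKey($expected.Product)
            Expected      = $expected.ExcludedApps -join ','
            Actual        = $actual -join ','
            NotExcluded   = @($expected.ExcludedApps | Where-Object { $_ -notin $actual }) -join ','
            ExtraExcluded = @($actual | Where-Object { $_ -notin $expected.ExcludedApps }) -join ','
        }
    }
}

function Test-CustomInventoryClass {
    # Same class and namespace the InventoryAgent.log query above reads. Empty until the device
    # has compiled configuration.mof (locally with mofcomp, or through the client policy).
    Get-CimInstance -Namespace 'root\cimv2' -ClassName 'Configuration' -ErrorAction SilentlyContinue |
        Select-Object KeyName, O365ProPlusRetailExcludedApps, ProPlus2019RetailExcludedApps
}

Compare-ExcludedApps -ConfigXml $SampleConfigXml | Format-Table -AutoSize
Test-CustomInventoryClass | Format-List
```

Pass the configuration file you actually deployed (Get-Content -Raw) instead of the sample to see NotExcluded or ExtraExcluded populated for a device that drifted from its intended build. Note that running mofcomp against configuration.mof on the test device in the syntax-check step registers the class locally, so Test-CustomInventoryClass returns data there before any policy arrives.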

We now move to the SQL database and run the following query to check the results.

select sys.Netbios_Name0,
       exc.O365ProPlusRetailExcludedApp0,
       exc.ProPlus2019RetailExcludedApp0
from [v_GS_o365ExcludedApps0] exc
inner join v_R_System_Valid sys
    on sys.ResourceID = exc.ResourceID

We have now successfully gathered the required data using the custom inventory.

For more information, please refer to:

Overview of the Office Deployment Tool: https://docs.microsoft.com/en-us/deployoffice/overview-office-deployment-tool

Office Deployment Tool configuration options: https://docs.microsoft.com/en-us/deployoffice/office-deployment-tool-configuration-options

Hope you find this post useful.
