MECM 2002 Cloud Management Gateway Configuration

I have been looking at setting up a MECM cloud management gateway (CMG) for a while but haven't been able to, because it required either PKI or Azure AD joined devices.

The recent release of MECM 2002 added a new feature that allows token-based authentication. I decided to do a test deployment in my lab to see how this would work before deploying to our production environment.

With a CMG we can manage clients that don't regularly connect back to the corporate network, which has become more of a priority recently.

There is a cost for running the VMs in Azure that are used as the CMG and for outbound data transfers. Johan Arwidmark has done a good real-world cost estimate for a CMG:

https://deploymentresearch.com/real-world-costs-for-using-a-cloud-management-gateway-cmg-with-configmgr/

The first step should be to have a read of the docs for planning a CMG:

https://docs.microsoft.com/en-us/mem/configmgr/core/clients/manage/cmg/plan-cloud-management-gateway

Token-based authentication requires MECM 2002, so that is a prerequisite for deploying a CMG in this way.

https://docs.microsoft.com/en-us/mem/configmgr/core/clients/deploy/deploy-clients-cmg-token

There are also some required permissions in Azure for deploying the CMG:

  • An account that has the Global Admin and Subscription Owner roles.
  • Content filter rules to allow outbound access (if there is a proxy or firewall filtering traffic).

There is also a requirement for a certificate to be applied to the CMG; a third-party certificate is recommended as it should be automatically trusted by clients.

From looking through the documents, below are the required URLs (see https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/network/internet-endpoints#cmg-connection-point):

*.cloudapp.net

*.blob.core.windows.net

login.microsoftonline.com

Once all prerequisites have been confirmed we can start to configure the CMG. We will need to pick a unique cloud service name as this will be required later; the easiest way to check if the name you have selected is unique is to log on to Azure and go to Cloud services (classic).

Once the cloud service name has been checked, we need to configure the Azure services.

Logon to the MECM console and go to Administration > Cloud services > Azure services.

Click Configure Azure services.

Give the service a name and select Cloud Management.

We need to configure a server and a client application. Give the applications a name and sign in to Azure using an account with the required permissions.

I just left user discovery enabled.

Click Next to finish configuring the Azure services.

Once finished, the Azure service should now be showing. The Azure AD tenant should also show with both applications we just created.

Once this has all been configured we can now start to set up the CMG.

To start the configuration go to Administration > Cloud services > Cloud Management Gateway.

Click Create Cloud Management Gateway.

Select AzurePublicCloud and sign in. (If the subscription ID doesn't show, it might be that the account you are using is not an owner of the subscription.)

Now we need to configure the cloud service; this is where we will use the name we checked earlier.

  • Select the certificate file; this needs to be a PFX with the private key (I am using one created on my internal CA, but in production I will be using a third-party CA like DigiCert or GoDaddy).
  • The certificate name will automatically be set as the deployment service name, which is why we should confirm the name beforehand so we can generate the certificate with the same name.
  • Select the region the CMG will be configured in.
  • Either select an existing resource group or create a new one (I chose a new one to keep the CMG separate from my other Azure resources).
  • Select the required number of VMs; this can go up to 16 (for high availability it is recommended to configure at least 2 VMs).
  • Tick the required security settings; I just ticked Enforce TLS 1.2.
  • I also ticked Allow CMG to function as a cloud distribution point.

I left the alerting as default. Just follow the wizard to complete.

Once completed the CMG should show as provisioning started.

We can also log on to Azure to verify the cloud service has been created.

After the CMG has been configured we then need to install the cloud management gateway connection point to connect MECM to the CMG.

Go to Administration > Site configuration > Servers and site system roles, and add the Cloud management gateway connection point role to the primary site server in MECM.

After the role has been configured we need to configure a few settings on the site server, the management point and the software update point (if installed and configured).

Open the management point properties and tick Allow Configuration Manager cloud management gateway traffic. (If the tick box is greyed out, there is an additional step required.)

Go to Administration > Site configuration > Sites, then configure the primary site to use the Configuration Manager-generated certificate under Communication security. Once this is done, go back to the management point and the tick box should now be available.

To allow the software update point to communicate with the CMG, tick Allow Configuration Manager cloud management gateway traffic on its properties as well. After this has been configured, the clients should now pick up the CMG as an internet-based management point in the Network tab of the Configuration Manager client properties.

Once the client moves off the internal network and does a location lookup, we should see the connection type change from Currently intranet to Currently internet.

We can also check LocationServices.log to see if the CMG is being picked up.

MECM SQL Query to Check for All Updates That Are Required but Not Deployed

Recently we had an issue where some software updates were missed during the regular patching cycle. I wanted an automated report listing all updates that were required on more than one system but not deployed.

First I checked the Microsoft SQL views for software updates:

https://docs.microsoft.com/en-us/configmgr/develop/core/understand/sqlviews/software-updates-views-configuration-manager

The three views I used were:

V_UpdateComplianceStatus: This view is used to get the status code for updates. A status of 2 means the update is required.

v_UpdateInfo: This view is used to get information on each update:

https://docs.microsoft.com/en-us/configmgr/develop/core/understand/sqlviews/software-updates-views-configuration-manager#v_updateinfo

v_Update_ComplianceSummary: This view is used to get the compliance of each update, to see how many devices are missing it:

https://docs.microsoft.com/en-us/configmgr/develop/core/understand/sqlviews/software-updates-views-configuration-manager#v_update_compliancesummary

-- Required (status 2) updates that have no deployment, most-missing first
select distinct
UI.DatePosted as 'Release Date',
UI.ArticleID as 'ArticleID',
UI.Title,
Update_Required=(case when UCS.Status=2 then 'Yes' end),
CS.NumMissing,
Updates_Deployed=(case when UI.IsDeployed=0 then 'NotDeployed' end),
UI.InfoURL as InformationURL

from V_UpdateComplianceStatus UCS
join v_UpdateInfo UI on UI.CI_ID=UCS.CI_ID
join v_Update_ComplianceSummary CS on CS.CI_ID=UCS.CI_ID
WHERE UCS.Status=2 and UI.IsDeployed=0
order by CS.NumMissing desc

Below is what the query result looks like in SQL Server Management Studio.

To confirm the query is working, we can create a search filter for all software updates in the console to make sure the results match.

The last step was to create a weekly email report using SQL Server Reporting Services (SSRS).

To create a new report (the MECM reporting services point role will need to be installed for this), go to Monitoring > Reporting > Reports. I created a custom Reports folder to keep any reports I created.

Right click on Reports and click Create Report.

Give the report a name and the folder path where the report will be stored. Follow the report wizard to finish the report creation. Once the report wizard has completed, Report Builder should load.

First create a new dataset. Right click on Datasets > Add Dataset.

Give the dataset a name, select Use a dataset embedded in my report, select the MECM data source, and set the query type to Text. The last part is to copy the query into the query field. Once that is done, click OK and the dataset should show under Datasets.

Next we create a table for the report view. Select the dataset we created. I just wanted to use all values, so drag all rows to the Values box. Next just go through the rest of the wizard. Once completed you should see something similar to the below. I added a text box at the top for a title and added some grey fill on the table.

Now save the report, and we can run it from the MECM console to see what the report will look like.

The last step is to create a subscription to send the weekly report. Select Report delivered by Email, put in the required details and the report format to be included. (Email settings need to be configured in SSRS before you can select email as a delivery option.) Set the schedule that is required and complete the wizard. The report should now be sent out weekly as a CSV file.

MBAM Policy Error code: -2147217402 on Windows 10 1903

I was installing the MBAM 2.5 SP1 client on Windows 10 1903 during an SCCM task sequence. Once the device was built and the user tried to enter a PIN and start the encryption, it would fail.

The below error was showing in the MBAM event logs. We currently install MBAM successfully on Windows 10 1809, so it didn't look like an MBAM server issue or a connection issue. I checked and there was a newer servicing release from May 2019:

https://support.microsoft.com/en-us/help/4505175/may-2019-servicing-release-for-microsoft-desktop-optimization-pack

This update adds support for Windows 10 1903. I applied this update and can now encrypt successfully.

Surface Pro 6 1TB Disk 0 not found SCCM OSD

We recently started to build the new Surface Pro 6 1TB using SCCM. When imaging, the task sequence kept failing at the format and partition step. When I checked the SMSTS log I could see the below errors:

Invalid disk number specified: 0

OSDDiskPart.exe failed: 0x80070490

From the error, the problem was that there was no disk 0 available; I usually only see this when there are driver issues with the storage controller.

To check what disks are available, open a command prompt in the task sequence with F8 (as long as it's enabled on the boot image) and run diskpart; once diskpart has opened, use the list disk command to view the available disks.

On the Surface Pro there was no disk 0 or 1; instead the 1TB disk shows as disk 2, which is why the format is failing, as by default the disk to be formatted and partitioned is disk 0.

I had a look online and the reason seems to be that the 1TB disk in the Surface Pro 6 is actually 2 x 512GB disks mirrored using Storage Spaces technology. See the support KB below:

https://support.microsoft.com/en-us/help/4046108/disk0-not-found-when-you-deploy-windows-on-surface

This is why the disk shows as disk 2 while the default disk number is set to 0.

The support KB says to change the format task to use disk 2, but this would require a second task sequence, which is not ideal as it means more management overhead.

To work around this I have created an additional format and partition step in my existing task sequence and use WMI queries to apply the specific format step only for the Surface Pro 6 1TB.

WMI query to exclude devices with no disk 0:

Disk index: SELECT * FROM Win32_DiskDrive WHERE Index = "0"

WMI query for the Surface Pro 6 1TB:

Disk index: SELECT * FROM Win32_DiskDrive WHERE Index = "2"

Select Surface Pro device: SELECT * from Win32_ComputerSystem WHERE Model LIKE "%Surface Pro 6%"

Once the queries are set as conditions on the format and partition disk step in the task sequence, set the disk number to 2. Now I can image the Surface Pro 6 1TB model successfully.
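To see which of the two format steps a given device would hit before editing the task sequence, the same WMI conditions can be evaluated in PowerShell. This is an added example, not code from the original post; it assumes it is run on the target device (or in WinPE with the PowerShell and WMI optional components), and it generalises the post's case by returning the lowest disk index present rather than hard-coding 2.

```powershell
# Added example (not from the original post): evaluate the task-sequence WMI
# conditions locally and report which format step would apply.
function Get-OsdTargetDisk {
    [CmdletBinding()]
    param(
        # Model pattern, same as the task-sequence condition (WQL LIKE syntax)
        [string]$ModelPattern = '%Surface Pro 6%'
    )

    # Same queries the task-sequence conditions use
    $disk0    = Get-CimInstance -Query "SELECT * FROM Win32_DiskDrive WHERE Index = 0"
    $model    = Get-CimInstance -Query "SELECT * FROM Win32_ComputerSystem WHERE Model LIKE '$ModelPattern'"
    $allDisks = Get-CimInstance -ClassName Win32_DiskDrive | Sort-Object Index

    $summary = $allDisks | ForEach-Object {
        "{0}={1} {2}GB" -f $_.Index, $_.Model, [math]::Round($_.Size / 1GB)
    }
    Write-Verbose ("Disks seen by WMI: " + ($summary -join '; '))

    if ($disk0) {
        # Default step applies: disk 0 exists, no special handling needed
        return [pscustomobject]@{ Step = 'Default format step'; DiskNumber = 0 }
    }
    if ($model) {
        # Surface Pro 6 step applies: no disk 0 and the model matched.
        # On the 1TB model the first disk WMI reports is index 2.
        $target = $allDisks | Select-Object -First 1
        return [pscustomobject]@{ Step = 'Surface Pro 6 1TB format step'; DiskNumber = $target.Index }
    }
    # Neither condition matched: the task sequence would fail at the format step
    return [pscustomobject]@{ Step = 'No matching step'; DiskNumber = $null }
}

Get-OsdTargetDisk -Verbose
```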

Create Windows 10 Answer file

In a previous post we went through creating and deploying language packs; there was an additional step to create a Windows 10 answer file, so I thought it might be helpful to do a post on creating a basic answer file using Windows System Image Manager (SIM).

The first step is to install the Windows Assessment and Deployment Kit (ADK). To download the latest ADK use the below link:

https://go.microsoft.com/fwlink/?linkid=2086042

Select Deployment Tools. Once the install has finished, go to the Start menu, down to Windows Kits, and open Windows System Image Manager.

The first step is to select a Windows image file; to get the image file, just extract the required Windows ISO to a folder. Go to Sources > install.wim in the extracted ISO. Select the version. Next create a new answer file. Go to Windows Image.

Select Components; below are the different component types with examples:

amd64 = 64-bit components, only used on x64 installs

wow64 = 32-bit components or support components for 32-bit software installed on x64, only used on x64 installs

x86 = 32-bit components installed on x86, only used on x86 installs

I used "amd64_Microsoft-Windows-Shell-Setup_10.0.17763.1_neutral" > "OOBE" and clicked Add Setting to Pass 7 oobeSystem.

Edit "amd64_Microsoft-Windows-Shell-Setup__neutral" to add in RegisteredOwner and any other details as required. Next edit the required OOBE settings. Once all the settings have been added, save the answer file. The last step is to create a package for the answer file and apply the answer file in the SCCM task sequence.

Below is the content of the XML file.

<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="oobeSystem">
<component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<OOBE>
<HideEULAPage>true</HideEULAPage>
<HideLocalAccountScreen>true</HideLocalAccountScreen>
<HideOEMRegistrationScreen>true</HideOEMRegistrationScreen>
<HideOnlineAccountScreens>true</HideOnlineAccountScreens>
<HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>
<ProtectYourPC>3</ProtectYourPC>
<SkipMachineOOBE>true</SkipMachineOOBE>
<SkipUserOOBE>true</SkipUserOOBE>
</OOBE>
<RegisteredOwner>TheSleepyAdmin</RegisteredOwner>
</component>
</settings>
<cpi:offlineImage cpi:source="" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
</unattend>

Configure Branch Cache SCCM 1810

We recently started to roll out Windows 10 and started to see spikes on our WAN links caused by the increased size of updates. We looked at installing local DPs on each site, but this would add a lot of overhead for managing these DPs.

We then looked at using BranchCache, and I decided to do a post on enabling BranchCache in SCCM.

First I needed to check on clients whether BranchCache was enabled; to do this, run the below command:

netsh branchcache show status all

Once confirmed, we need to enable BranchCache in the SCCM client settings. This can be enabled on an existing device policy or on a new policy; I am going with a new policy.

Log on to the SCCM admin console > Administration > Client Settings.

Right click on Client Settings > Create Custom Client Device Settings.

Give the policy a name and select Client Cache Settings.

Set the below settings:

  • Change Configure BranchCache to Yes
  • Change Enable BranchCache to Yes
  • Configure the cache size settings (default is 10%)

Windows 10 does its own peer caching through Delivery Optimization while downloading updates, and it will override the SCCM client setting. To disable this, we can create a group policy and apply it only to Windows 10 OSs.

Below is the location of the setting that needs to be disabled:

Computer Configuration \ Policies \ Administrative Templates \ Windows Components \ Delivery Optimization, set Download Mode to Disabled.

If the policy is not showing, it is probably because the ADMX templates for Windows 10 have not been added.

The last part is to enable BranchCache in SCCM for the distribution points, by selecting the properties of the distribution point and ticking the BranchCache option.

To test that the policy has been applied, go to a client device and update the machine policy. Then run the netsh command again and we should now see that BranchCache has been enabled:

netsh branchcache show status all

SCCM Task Sequence Windows 10 Language Pack Install

On a recent project there was a requirement to install different language packs and configure regional/keyboard settings. I was having issues getting this working, so I thought I would do a post on how I ended up getting it working correctly.

To skip the OOBE initial setup screens we can use an unattended XML answer file. I have done a separate post on creating a basic answer file; see the link below:

https://thesleepyadmins.com/2019/05/31/create-windows-10-answer-file/

If this is not set up, you will be prompted to complete the initial Windows 10 setup along with selecting the language settings.

The next problem I had was finding the language packs; I ended up downloading the language pack ISO from the Microsoft Visual Studio site.

Once downloaded, I needed to mount the ISO and copy the required language packs.

Once all the required language packs were copied, create a new package for each pack.

The next step is to configure the XML files that will be used to set the regional and keyboard settings for each language pack. I used this support how-to as a reference for the XML:

https://support.microsoft.com/en-ie/help/2764405/how-to-automate-regional-and-language-settings-in-windows-vista-window

Below is the XML file that was used for the German language pack (check the double quotes if copying, as the format can change when copying and that will cause issues):

<gs:GlobalizationServices xmlns:gs="urn:longhornGlobalizationUnattend">

<!-- user list -->
<gs:UserList>
<gs:User UserID="Current" CopySettingsToDefaultUserAcct="true" CopySettingsToSystemAcct="true"/>
</gs:UserList>

<!-- system locale -->
<gs:SystemLocale Name="de-DE"/>

<!-- user locale -->
<gs:UserLocale>
<gs:Locale Name="de-DE" SetAsCurrent="true" ResetAllSettings="false"/>
</gs:UserLocale>

<!-- location -->
<gs:LocationPreferences>
<gs:GeoID Value="94"/>
</gs:LocationPreferences>

<!-- input preferences -->
<gs:InputPreferences>
<gs:InputLanguageID Action="add" ID="0407:00000407" Default="true"/>
<gs:InputLanguageID Action="remove" ID="0409:00000409"/>
</gs:InputPreferences>

</gs:GlobalizationServices>

I used the below sites to get the GEO ID and the input locales:

GEO ID : https://docs.microsoft.com/en-ie/windows/desktop/Intl/table-of-geographical-locations

Input Locales: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/default-input-locales-for-windows-language-packs

Once we have all the language packs completed, create a single package with all the XML files or add the XMLs to the language packages created above. I went with one package for all the XMLs.

The next step is to add the steps to the Windows 10 task sequence.

Add a Run Command Line task, use the command below and replace the .cab file with the required language pack. Select the corresponding package.

Below is for the German .cab:

dism.exe /norestart /online /add-package /packagepath:.\Microsoft-Windows-Client-Language-Pack_x64_de-de(German).cab

After this step add a restart task.

The next step is to apply the XML files to set the regional/keyboard settings. Below is the command line I used:

rundll32.exe shell32,Control_RunDLL intl.cpl,,/f:".\German.xml"

When copying the command above, check that the double quotes are in the correct format or the command could fail to apply the XML file.

After this step do another restart. The last step I did was to configure the time zone for each region. I used the below site to get the time zone values:

Time Zone Values: https://support.microsoft.com/en-us/help/973627/microsoft-time-zone-index-values

Below is the command line to set the time zone:

cmd.exe /c tzutil.exe /s "W. Europe Standard Time"

Below is the finished task sequence with all languages added.

The last step was to set a condition to apply each package. I used the host name as the condition to apply the language packs, as each country has its own naming convention, so this was the easiest way for me.

Once this is completed I tested and all packages were applied without error.
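The three task-sequence steps above (dism add-package, apply the regional XML with intl.cpl, tzutil) can also be driven from one script that picks the locale from the host name, which is what the per-package conditions do. This is an added example, not code from the original post; it assumes it runs in the full OS from the package folder holding the .cab and .xml files, and that host names start with a country prefix such as DE- (the prefix convention is an assumption; the German file names and time zone are the ones used in the post).

```powershell
# Added example (not from the original post): run the language pack, regional
# settings and time zone steps for the locale chosen from the host name.
$LocaleMap = @{
    # prefix -> cab, regional XML and time zone; the DE values are from the post
    'DE' = @{
        Cab      = 'Microsoft-Windows-Client-Language-Pack_x64_de-de(German).cab'
        Xml      = 'German.xml'
        TimeZone = 'W. Europe Standard Time'
    }
    # add further prefixes/locales here
}

function Get-LocaleForHost {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # Assumed naming convention: <COUNTRY>-<rest>, e.g. DE-LAPTOP01
    $prefix = ($ComputerName -split '-')[0].ToUpperInvariant()
    if (-not $LocaleMap.ContainsKey($prefix)) {
        throw "No locale mapping for host name prefix '$prefix'"
    }
    $LocaleMap[$prefix]
}

function Install-LocaleSettings {
    param(
        [hashtable]$Locale,
        [string]$PackageRoot = $PSScriptRoot
    )
    $cab = Join-Path -Path $PackageRoot -ChildPath $Locale.Cab
    $xml = Join-Path -Path $PackageRoot -ChildPath $Locale.Xml
    foreach ($file in $cab, $xml) {
        if (-not (Test-Path -LiteralPath $file)) { throw "Missing file: $file" }
    }

    # Step 1: language pack. 3010 = success, restart required; the task
    # sequence does the restart as a separate step.
    & dism.exe /norestart /online /add-package "/packagepath:$cab"
    if ($LASTEXITCODE -notin 0, 3010) { throw "dism failed with exit code $LASTEXITCODE" }

    # Step 2: regional and keyboard settings from the GlobalizationServices XML.
    # Start-Process passes the comma-separated rundll32 arguments untouched,
    # which PowerShell's own argument parsing would otherwise split.
    Start-Process -FilePath rundll32.exe -Wait `
        -ArgumentList "shell32,Control_RunDLL intl.cpl,,/f:`"$xml`""

    # Step 3: time zone
    & tzutil.exe /s $Locale.TimeZone
    if ($LASTEXITCODE -ne 0) { throw "tzutil failed with exit code $LASTEXITCODE" }
}

Install-LocaleSettings -Locale (Get-LocaleForHost)
```

rundll32 does not report intl.cpl failures through its exit code, so a restart followed by a check of the resulting locale is still needed after step 2.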

SUP Migration WUHandler Error CWuaHandler::SetCategoriesForStateReportingExclusion

Just want to put this up in case anyone else runs into this issue. I had to test migrating the WSUS and SUP role from my primary site server to its own standalone server, so I could complete the same task in production.

After the migration all updates showed as unknown for all devices. I checked the update deployment log and WUAHandler.log under C:\Windows\CCM; the update scan started but just sat at the below log output:

Assignment({968F78AA-AE13-495C-83D9-74920944C702}) already in progress state (AssignmentStateDetecting). No need to evaluate

When I checked the WUAHandler log I could see the below, but the site never registered the new WSUS server:

CWuaHandler::SetCategoriesForStateReportingExclusion called with {GUDI } for bundles

I checked the general bits like the site status, component status and wsyncmgr.log; all were green and working correctly. I then checked a few posts online and most pointed to a Content version / MinSourceVersion mismatch issue in the WSUS DB.

I checked this and my content version was the same as MinSourceVersion, so that was not the issue. I then had a look at the Windows Update registry key on the clients to see if the new WSUS was registered: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

It wasn’t 😦

Finally I had a look at the boundaries (should have done this first) and it turns out I was a bit forgetful and didn't add the new site server to the boundary groups, so no clients were able to see the new SUP server.

Once I added it to all boundary groups and ran an update scan cycle, all updates started to show a few hours later and the WUAHandler log now showed the WSUS connection.

Yay, it's all fixed 🙂

Point to take away: always add new site servers to boundary groups first 🙂

Removing WSUS on SCCM Server Causes HTTP Error 500.19

Recently I was migrating my WSUS deployment off my SCCM server to a new standalone server so that I could enable Windows 10 and Windows Server 2016 updates.

After removing the role I started getting critical alerts for the management point, clients couldn't be installed and I was getting a 500.19 error from the SCCM IIS site.

SCCM MP error

IIS error

I had a quick search and found a blog post by Jörgen Nilsson that had the reason for the error.

https://ccmexec.com/2014/03/uninstalling-wsus-on-primary-site-server-causing-http-error-500/

When removing the WSUS role, configuration settings that were written to applicationHost.config still reference a .dll used by WSUS, and that .dll is removed during the WSUS role removal. applicationHost.config is located under C:\Windows\System32\inetsrv\config.

If we check the Applicationhost.config there should be an entry the same as below:

<scheme name="xpress" doStaticCompression="false" doDynamicCompression="true"
dll="C:\Windows\system32\inetsrv\suscomp.dll" staticCompressionLevel="10"
dynamicCompressionLevel="0" />

Running the following command will remove the reference to the .dll that was installed by WSUS:

%windir%\system32\inetsrv\appcmd.exe set config -section:system.webServer/httpCompression /-[name='xpress']

After running the above command the management point is back working and I can now access all SCCM URLs.
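Before running the appcmd command, it is worth confirming that the xpress scheme really points at a dll that no longer exists, and that nothing else in the httpCompression section is in the same state. The check below is an added example, not from the original post or from Jörgen's; it assumes an elevated PowerShell on the IIS/SCCM server and the default applicationHost.config path given above, and it removes only entries whose dll is missing, using the same appcmd section as the post.

```powershell
# Added example (not from the original post): report httpCompression <scheme>
# entries in applicationHost.config whose dll is missing on disk, and
# optionally remove them with appcmd.
function Get-CompressionSchemeState {
    param(
        [string]$ConfigPath = "$env:windir\System32\inetsrv\config\applicationHost.config"
    )
    [xml]$config = Get-Content -LiteralPath $ConfigPath -Raw

    # <scheme> entries live under system.webServer/httpCompression
    $schemes = $config.SelectNodes('/configuration/system.webServer/httpCompression/scheme')
    foreach ($scheme in $schemes) {
        # IIS allows %windir%-style variables in the dll attribute (the gzip entry uses one)
        $dll = [Environment]::ExpandEnvironmentVariables($scheme.GetAttribute('dll'))
        [pscustomobject]@{
            Scheme    = $scheme.GetAttribute('name')
            Dll       = $dll
            DllExists = Test-Path -LiteralPath $dll
        }
    }
}

function Remove-OrphanedCompressionScheme {
    # Removes each scheme whose dll no longer exists; after a WSUS role
    # removal this is the 'xpress' entry pointing at suscomp.dll.
    param([switch]$ReportOnly)
    $appcmd = "$env:windir\System32\inetsrv\appcmd.exe"
    foreach ($entry in (Get-CompressionSchemeState | Where-Object { -not $_.DllExists })) {
        $arg = "/-[name='$($entry.Scheme)']"
        if ($ReportOnly) {
            "Would run: appcmd set config -section:system.webServer/httpCompression $arg"
        } else {
            & $appcmd set config -section:system.webServer/httpCompression $arg
        }
    }
}

# Show the state of every scheme first, then preview the removal
Get-CompressionSchemeState | Format-Table -AutoSize
Remove-OrphanedCompressionScheme -ReportOnly
```

Run Remove-OrphanedCompressionScheme without -ReportOnly once the preview shows only the expected entry.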

SCCM 1806 Software Center Customisation

Since SCCM 1710 there has been an option in the device client settings to customise Software Center; 1806 added a further customisation to add a custom web page as an additional tab. So you need to be on 1710 or above to have these customisation options.

By default, the below is the basic colour and appearance for Software Center:

To start I usually create a new policy to test before pushing out to all users.

  • Open SCCM console
  • Go to Administration > Client settings

Right click and create a new policy (I called mine Custom Software Center).

Click the Software Center check box in the policy.

Under the device settings, set Select these new settings to specify company information to Yes.

Then go to Customize. Edit the company name, set the colour scheme and add a company picture. Below are the default settings. The logo image file needs to be a maximum of 400x100 pixels and 750 KB.

Here are the updated settings.

To add a custom tab with a URL to a support site or blog post, go to Tabs and tick Specify a custom tab for Software Center. (This is only available if SCCM is 1806 or above.)

  • Add a custom tab name
  • Add a URL

Once finished editing the policy, it then needs to be deployed to the required collection. Right click on the custom policy and go to Deploy.

Then select the device collection to deploy to.

Once the policy is deployed, go to a device in the collection to update the machine policy. Go to Control Panel > Configuration Manager > Actions > Machine Policy Retrieval & Evaluation Cycle and click Run Now.

Once the policy is updated, Software Center should be updated with the new colour scheme, company logo and custom URL tab.