Tuesday, 8 August 2017

See Intune Data Warehouse in action

We've heard a little about this feature recently but the Intune Data Warehouse is finally in public preview. It will give us powerful custom reporting with a dataset spanning up to 90 days of historical data. You can use Power BI or Excel to connect to the warehouse, or indeed any other tool that supports OData feeds.

There is a good blog post describing the feature but I wanted to see it in action with my own data. It is very easy to configure and get started.

Open the Intune admin console on your Azure Portal

Click on the Intune Data Warehouse tile on the bottom right of the screen. This opens the Intune Data Warehouse blade.

The blade gives us the instructions we need.
  • Download and install the Power BI desktop app
  • Download the Power BI template file
  • Open the Power BI template with the Power BI desktop app
  • Authenticate with your tenant

This is the Power BI app......

....and the Power BI template file. It contains a set of custom reports to get you started.

Install the app.

When the app installs select File -> Open.

Browse to the template file.

Select to Apply changes.

You will see the changes being applied.

The OData feed dialog box open. Select the Organizational account section. Sign in with an a global admin account on your tenant. Click Connect.....

.....and we can see the reports have been populated with our own data.

New ConfigMgr video training series

After months of work I'm very pleased to say that the second in this two-part series has been published by Packt Publishing. This involved a lot of weekends and late nights so thanks a lot to my wife for having a good sense of humour. Thanks also to Paul Winstanley (MVP and WMUG colleague) for reviewing the course.

The course is titled "Implementing Configuration Manager features" and is available here

The course contents are as follows:

Software Deployment
  • Configuration Manager Applications
  • Packages and Programs
Software Updates
  • Introduction to software updates
  • Deploy a software updates solution
  • Automatic Deployment rules
Operating System Deployment
  • Introduction to Operating System Deployment
  • Build and Capture a Windows 10 image
  • Deploying a Windows 10 image
  • Working with device drivers
Endpoint Protection
  • Endpoint Protection in Configuration Manager
  • Implementing Endpoint Protection
  • Protecting Endpoints
Intune hybrid
  • Integrating Configuration Manager with Microsoft Intune
  • Managing mobile devices
  • Advanced hybrid features

Monday, 7 August 2017

ConfigMgr 1706 - Azure Services wizard

ConfigMgr 1706 Current Branch was recently released and I got a chance to install it in my lab this weekend. The ConfigMgr product group have done an amazing job and I'm impressed with some of the new features, making it easier to deploy Windows 10, Office 365 and Surface drivers. However my favourite feature has to be the Azure Services wizard. We were given an advance preview of this feature under NDA months ago and it's great to see it in production.

So what is that all about?

The Azure Services Wizard provides a common configuration experience to set up Azure services in ConfigMgr. You can use it for configuring Cloud Management (Azure AD authentication and user discovery), OMS Connector, Upgrade Readiness and Windows Store for Business.

Look back at the 1610 console. See that the Windows Store for Business and the Upgrade Analytics Connector were separate nodes under Cloud Services. Remember that the OMS Connector wasn't available until 1702.

WSfB was configured independently of any other service.

Now look at the 1706 console. See the new Azure Services node. You will see that my WSfB configuration has already been migrated.

So how do we configure this? We'll need Azure tenant details and credentials to complete the process. We'll also create some web apps along the way and grant the required permissions to the web apps (thanks to Nick Hogarth who figured this out).

Right click on the Azure Services node and select Configure Azure Services.

The Azure Services Wizard is launched. Enter a suitable name and select an Azure service. You'll see that Windows Update for Business is missing as it's already configured in this environment. We'll select Cloud Management to allow clients to authenticate with the hierarchy using Azure AD

In the App Properties dialog box we see that we're going to have to create some apps - web app and Native Client app. Browse in the web app section.

Select Create in the Server app dialog box.

Enter the following information in the Create Server Application box.
  • Application name (suitable friendly name)
  • Home page URL (this does not have to exist - max 200 characters)
  • App ID URI  (this does not have to exist - max 200 characters)
  • Secret key validity period (2 years max)
Sign in to Microsoft Azure AD.

Enter your Azure AD credentials when prompted.

Your Azure AD Tenant Name is automatically detected.

The server app has been configured and can be selected.

Now browse in the Native Client app section.

Enter the following information in the Create Client Application box.
  • Application name (suitable friendly name)
  • Reply URL (this does not have to exist - max 200 characters)
Sign in to Microsoft Azure AD.

Your Azure AD Tenant Name is automatically detected.

The client app has been configured and can be selected.

Click Next to continue with the wizard when all the App Properties have been configured.

Now we can optionally choose to enable Azure AD Discovery. It allows you to add cloud-only users to your ConfigMgr environment.

Review the summary.

The Azure Services wizard has completed.

Some of my colleagues have discovered that you have to grant permissions to the web apps in Azure so that the solution can authenticate correctly (Nick Hogarth, Peter van der Woude).

In the Azure Portal, choose More Services -> App registrations

See the newly created server and client apps. Select each one in turn.

Select Required Permissions and choose Grant Permissions.

Review the SMS_AZUREAD_DISCOVERY_AGENT.log file for any errors.

So we've now completed the following:
  1. Added the Cloud Management Service
  2. Enabled Azure AD Discovery
How is that helpful?

Check this out. We won't need so much information the next time we need to add an Azure service.

This time I'll choose Upgrade Readiness.

This time I just need to choose a web app and I don't have to sign in to Azure.

I hope this blog post has been helpful. Until next time.....

Tuesday, 1 August 2017

ConfigMgr patching - KB4025339 fails to install on Windows Server 2016

I had this problem recently on a customer site. It's an easy fix but I wanted to share to save others time.

The CU for Windows Server 2016 July 2017 (KB4025339) failed to install on Windows Server 2016.

It's a pretty big update - over 1GB.

However the maximum run time of the update was incorrectly set to 10 minutes. Raising this to 60 minutes solves the problem.

Additional information:

I came across some other challenges while troubleshooting this issue.
  • The Windows Update log file is no longer available by default on Windows Server 2016. The file can be exposed using the PoSH cmdlet get-WindowsUpdateLog
  • However executing this command on the server resulted in this error:
    Cannot find path "C:\Program Files\Windows Defender\SymSrv.dll" because it does not exist".
There are a few ways to solve this problem. I did it by enabling the Windows Defender feature on the server and I could then continue.

I hope this information helps you. Until next time......

Tuesday, 30 May 2017

Intune app-based conditional access to SharePoint Online

App-based conditional access is a new recent addition to the Intune family and is a really useful feature. Only mobile apps that have Intune app protection policies applied to them can access SharePoint resources. This helps to prevent data leakage and protect our data. Let's see how to configure it and what it looks like in the field.

Sign into the Azure portal (https://portal.azure.com)
Choose More services from the left menu, then type Intune in the text box filter.

Choose Intune App Protection and select All Settings in the Intune mobile application management blade.

Choose the SharePoint Online tile. On the Allowed apps blade, choose Allow apps that support Intune app policies option to allow only apps that are supported by Intune app protection policies.

The Allowed apps are listed. Now open the Restricted user groups blade and choose Add user group.

Select the user groups that should receive the policy.

OK, so what does this look like on a device. For testing I'm using an iPhone and the "SharePlus for Office 365 and SharePoint" app.

SharePlus is an unmanaged app that you can use to work with your SharePoint libraries. I've installed it on the iPhone.

SharePlus cannot have Intune app protection policies applied so it will not be possible to authenticate the app to access SharePoint. An error is encountered. It isn't a very clear or intuitive error message but the functionality is perfect. Access is prevented by the app-based CA policy.

Once I remove the per-app CA policy, SharePlus can successfully authenticate with SharePoint Online. This is very cool.

Until next time.......

Stay secure using Skycure integration with Microsoft Intune

Skycure is one of the industry leaders in Mobile Threat Defense and the platform is very effective at proactively protecting mobile devices from a broad range of known and unknown threats.

Skycure can now integrate with Microsoft Enterprise Mobility + Security, which allows enterprises to secure mobile devices by leveraging data from three dimensions – user identity, device identity and real-time risk. This integration with Intune and Azure Active Directory allows administrators to dynamically control mobile access to corporate resources and data based on Skycure’s real-time risk and compliance analysis. It looks like an exciting partnership for Microsoft.

So, how does it work?

You install the Skycure mobile app on Android and iOS devices. The app captures file system, network stack, device and application telemetry, and sends it to the Skycure cloud service to assess the device's risk for mobile threats.

Intune compliance policies now include a rule for Skycure mobile threat defense, which is based on the Skycure risk assessment. If the device is found to be non-compliant, access to resources like Exchange Online and SharePoint Online are blocked. Users on blocked devices receive guidance from the Skycure mobile app to resolve the issue and regain access to corporate resources.

How can I get started?

The solution is supported on Android 4.1 and later and iOS 8 and later.

You will also need the following subscriptions:
  • Azure Active Directory Premium
  • Microsoft Intune
  • Skycure Mobile Threat Defense subscription (get a trial here)

Steps to configure the solution:
  1. Configure Skycure to use Azure Active Directory Single Sign On (SSO) - enter your Azure tenant ID in the Skycure Management console.
  2. Download Skycure iOS app configuration policy - log in to the Skycure Management Console to download the iOS app configuration policy.
  3. Add Skycure apps, Microsoft Authenticator and iOS app configuration policy - add the apps and the policy in the Intune portal.
  4. Deploy Skycure apps, Microsoft Authenticator and iOS app configuration policy - deploy the apps and policy to your users.
  5. Set up Skycure integration with Intune - add Skycure apps into Azure AD to have Single Sign On capabilities. Configure the Intune connector in the Skycure Management console.
  6. Enable Skycure Mobile Threat Defense in Intune - configure the Skycure and Intune integration in the Intune administrator console
  7. Create Skycure Mobile Threat Defense compliance policy in Intune - create Skycure compliance policy in the Intune console and apply to conditional access policy.
You can read more about this exciting new development in the official documentation

Until next time......

Tuesday, 18 April 2017

Test driving OMS Upgrade Readiness

Last week I advised a smaller customer on their upcoming Windows 10 migration. As a smaller shop (approx. 100 users) they don't have access to the usual tools that I would recommend, although they use MDT for imaging and WSUS for patching. They don't have any tool for hardware and software inventory so we were unable to have a conversation about application compatibility. I thought this would be a good opportunity to test drive Upgrade Readiness, a "free" component of Microsoft Operations Management Suite (OMS). Let me clarify that, I was told it was free but I was unsure what I'd actually get.

This is from the Microsoft TechNet article, looks hopeful:

"You can use Upgrade Readiness to plan and manage your upgrade project end-to-end. Upgrade Readiness works by establishing communications between computers in your organization and Microsoft. Upgrade Readiness collects computer, application, and driver data for analysis. This data is used to identify compatibility issues that can block your upgrade and to suggest fixes that are known to Microsoft".

Getting Started

Upgrade Readiness is a component of OMS and was formerly known as Upgrade Analytics which was previously known as Windows Analytics (I mention this as you'll still see these terms). The first step in this process is to sign up and create an OMS Workspace. This must be linked to an Azure subscription (either new or existing) even though you will not be charged.

Navigate to the following page to sign up for Upgrade Readiness (even though the page still says Windows Analytics).

If you already have an Azure subscription you should sign in with the subscription owner account. This is to allow you to easily link your new OMS Workspace with your existing Azure subscription.

If you are already using OMS you can choose "Existing OMS Customers". Otherwise choose "New Customers". This is the one we need.

This is the "Create New Workspace" page of OMS. 
Choose a workspace name eg. yourdomain

From now you will access your workspace using this link:


Enter the rest of your details (Workspace region, name, contact email address, phone number, company name and country).
Select Create to create your OMS workspace.

The OMS workspace has been created and your Azure subscription is available. Choose Link to link your workspace with your subscription.

If you don't have an Azure subscription (ie the account you have signed in as is not the owner of any Azure subscriptions), you will need to create one before you can continue. Select "Create New" and run through the wizard to create a new Azure subscription. You will need a credit card for this although you will not be charged if you only want the free Upgrade Readiness.

The OMS workspace has been created and linked to your Azure subscription. Now you have to add the Upgrade Readiness solution. Check that box and select Add. (I've also added Update Compliance (Preview) but that is optional).

This is our OMS workspace. See that the Data Plan = Free in the top right corner. We'll have a look at that again later.

Configuring OMS

See that Upgrade Readiness requires configuration. Click on the tile and the Settings dashboard opens. Navigate to the Windows telemetry panel.

Copy and save your commercial ID key. You’ll need to insert this key into the Upgrade Readiness deployment script later so it can be deployed to user computers.

Click Subscribe for Upgrade Readiness. The button changes to Unsubscribe. Unsubscribe from the Upgrade Readiness solution if you no longer want to receive upgrade-readiness information from Microsoft.

Click Overview on the Settings Dashboard to return to your OMS workspace portal. The Upgrade Readiness tile now displays summary data. Click the tile to open Upgrade Readiness.

Proxy Configuration

The following endpoints should be whitelisted. They need to be accessible in order for your clients to send telemetry data to Microsoft. This data will subsequently be displayed in Upgrade Readiness.

  • https://*vortex*.data.microsoft.com/

Connected User Experience and Telemetry component endpoint. User computers send data to Microsoft through this endpoint.
  • https://*settings*.data.microsoft.com/

Enables the compatibility update KB to communicate with Microsoft.
  • https://go.microsoft.com/fwlink/?LinkID=544713
  • https://compatexchange1.trafficmanager.net/

This service provides driver information about whether there will be a driver available post-upgrade for the hardware on the system.
If you are using a Windows Compatibility Update published after February 2017 (appraiser.dll version >= 10.0.14979) you don’t need access to these endpoints

Client configuration - compatibility updates

The compatibility update KB scans your computers and enables application usage tracking. If you don’t already have the KBs installed, you can download the applicable version from the Microsoft Update Catalog or deploy it using WSUS or ConfigMgr. I'm just running a pilot for now so I'll install them manually.

For Windows 7 I need the following

Windows 7 SP1
Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed.
For more information about this KB, see https://support.microsoft.com/kb/2952664

KB 3150513
Provides updated configuration and definitions for compatibility diagnostics performed on the system.
For more information about this KB, see https://support.microsoft.com/kb/3150513
NOTE: KB2952664 must be installed before you can download and install KB3150513.

There are different KB requirements for the various operating systems. You'll find that information here

Client configuration - execute Upgrade Readiness deployment script

The Upgrade Readiness deployment script does the following:
  1. Sets commercial ID key + CommercialDataOptIn + RequestAllAppraiserVersions keys.
  2. Verifies that user computers can send data to Microsoft.
  3. Checks whether the computer has a pending restart. 
  4. Verifies that the required KBs are installed.
  5. If enabled, turns on verbose mode for troubleshooting.
  6. Initiates the collection of the telemetry data that Microsoft needs to assess your organization’s upgrade readiness.
  7. If enabled, displays the script’s progress in a cmd window, providing you immediate visibility into issues (success or fail for each step) and/or writes to log file.

Download the script package from here. See here for full script instructions but you have to edit the script with the following information:
  • Location for log information
  • Commercial ID
  • Log behaviour

Executing RunConfig.bat.

In my pilot I copied the script files locally to a folder C:Temp\Pilot. I also used a local log file C:\Windows\Temp.

What does Upgrade Readiness give us?

I onboarded two Windows 7 clients for my pilot.

This is what I could see in my OMS workspace after a few days.

Drill into Upgrade Readiness to see more details.

Scroll over. Now we can see really useful information. We can find applications and drivers with known issues. These are the issues we need to resolve before the Windows 10 deployment.

Note that the information can be exported to Excel and saved locally. That's really cool.

The not-so-good stuff

I have a few little problems with the solution which I felt I should mention:
  • Windows 7 computers require that two KBs are installed for the solution to work. KB2952664 and KB3150513 are required. It's unfortunate that KB2952664 has to be installed already before KB3150513 can be installed. I appreciate that computers should be fully patched but that isn't always the case. I needed multiple reboots for my pilot clients with this customer. It will now be a little awkward to automate this to the remaining clients using a Group Policy computer startup script.
  • This TechNet article contains exit codes for the upgrade readiness script. 0 is the "successful" exit code. However I got a 0 code even though the script could not run and a log file was not created. This was a little confusing.
  • It can take quite a while to onboard devices - up to 3 days for my second pilot client.
  • Windows 10 Version 1703 is not yet available as a target version. Perhaps it's too early, or perhaps it will be available when 1703 is declared business ready.
  • The free data plan is a little restrictive. The daily upload limit is 500MB and the data retention period is 7 days. Note that the initial upload for each client is expected to average 2MB.
  • You can increase this by purchasing an another offering.

Next steps

Integrate Upgrade Readiness with ConfigMgr to access client upgrade compatibility data in the admin console. You'll then be able to target devices for upgrade or remediation from the device list.

Final Verdict

I'm generally quite happy with the solution. It will do exactly what I need for this customer.

Until next time......