Category: ConfigMgr

It’s a fact that the world is constantly changing and with it we can choose if we want to tag along or continue doing what we’ve been doing forever. This blog post is about shifting the mindset and daily work from traditional patch management and creating time to make efforts in other security related areas that matters. Change management at its finest!

Fundamental idea: We all know that we need Windows patches, and if you have made the move to Office 365 ProPlus the principle is the same, you need to deploy and install the patches that are released. It really is as simple as that. Testing is a must of course but the fact remains, you need those patches.

Traditional vs modern patch management

A discussion I have with many customers is the patching story around Windows 10 devices. The benefits of using Windows Update for Business (WUfB) are many although leaves less control. What matters in the end is that the Windows 10 devices are patched, and that it is done in a user-friendly manner.

If you compare all the components and the flow that needs to be in place for patching to work all the way in ConfigMgr, you realize there are quite a few things that can go wrong. And in my experience, things do go wrong far too often.

High level overview of all the steps and components in the patch flow using ConfigMgr

High level flow overview of patching using Windows Update for Business

By looking at the above comparisons it’s clear that there are a lot more to manage and a lot more can and more often so do go wrong when patching via ConfigMgr.

Maintaining and fixing the infrastructure or doing more valuable things?

With ConfigMgr you must spend significant time managing and making sure that infrastructure is up to date and working (orange colored bar below). The green colored bar illustrates how much time you typically spend on patch follow-up and fixing patches that could not be installed correctly etc.

With Windows Update for Business, you can focus almost entirely on follow-up and hopefully by doing so also shifting your security work to other areas patching other stuff such as insecure firmware, applications and drivers, so that it makes your environment safer overall.

Pros and cons for using Windows Update for Business

Here is my list of pros and cons of using Windows Update for Business, if you are still not convinced Windows Update for Business is the natural way to go.

• User friendly restart prompts. ConfigMgr isn’t exactly known for its user-unfriendly restart prompts. Using WUfB you get the built-in Windows 10 restart features which gives your end users more control, postponing and picking a time that suits them.
• Get control over devices away from office network. Many organizations have little, less or no control or possibility to patch devices that are solely on the internet or away from the network office. With WUfB that is not an issue as you can not only patch but also follow-up on each and every Windows device that has a working internet connection.
• Less error prone = higher patch level. By cutting all the steps and infrastructure components that need to be in place for patching via ConfigMgr you get a higher success rate of patching your Windows 10 devices.
• Timesaving for IT admins. No more spending time on approving patches and dealing with distribution and install problems. Instead leaves time to focus on other more relevant security work.
• Fully automatic. Well, you can achieve fully automation in ConfigMgr as well but not many do that as they want to stay in control. With WUfB everything is automatic and only if problems during the multiple testing phases are discovered is the flow paused.
• Less control. Yes, on the negative side, you lose control as you cannot really choose which Windows patches you deploy. This revolves back to the question which there is typically only one answer to: Do you really need this control as you need to have all Windows (and Office) patches?

Summary

By shifting to modern patch management using Windows Update for Business you can free time and put that time on patching other stuff, for example insecure firmware, applications or device drivers.

You can also focus on activating Windows features that raise security, such as the Windows Defender technologies Exploit Guard and Application Guard, or Microsoft Defender ATP which can take your security work to a level you could only dream of.

I’ve encountered quite an interesting issue when deploying a custom iOS (IPA) app using System Center Configuration Manager and Intune. The problem is that the deployment status for the app never reports as “Success” and is hung at “In progress”. As it turns out there is a mismatch in the version info that exist within the IPA file and the plist file that is included when deploying the IPA.

The CFBundleVersion listed within the IPA in the file info.plist

<key>CFBundleVersion</key>
<string>1.2.3</string>

must match the bundle-version found in the plist file that is used when creating the app deployment in Configuration Manager.

<key>bundle-version</key>
<string>1.2.3</string>

If these values do not match the status will never be reported as successful in the ConfigMgr console. After the September 2014 maintenance window for Intune I also suspect that this version mismatch is causing the app to be re-deployed over and over again, however this has yet to be confirmed.

Note: You can easily check the content of info.plist within the IPA by renaming the IPA to ZIP and extract its contents. Use a plist viewer of your choice (there are several free for trial) to check the CFBundleVersion.

When adding the Monitoring and Administration Feature of MBAM 2.5 and checking the System Center Configuration Manager Integraton features in the setup wizard you typically enter the URL to the Reporting Server, for instance http://configmgrsrv/ReportServer. If you get the error

The SQL Reporting Services URL that point to the MBAM reports is not valid

it actually means that you before installing the Monitoring and Administration features must install the MBAM Reports feature. That is even though you are integrating MBAM into System Center Configuration Manager. Why is that? Because when integrating MBAM with ConfigMgr, the only reports that are managed in ConfigMgr are the compliance reports.

If you are using System Center Configuration Manager 2012 R2 and Windows Intune to deploy email profiles to your iOS devices you should be aware of the fact that the email policy will vanish from your users’ iOS devices and then user then need to log in to the company portal for the email profile to get deployed once again to the iOS device. This is true in the following scenarios:

• You make a change to the email policy, for instance changing the name of the email policy in the ConfigMgr console.
• You install Cumulative Update 2 for System Center Configuration Manager 2012 R2.

No status on a fix for this bug at the moment.

A common setup when using System Center Configuration Manager to deploy is to have an OSD collection which has a required deployment. Moving clients to that Collection will let them be reinstalled or installed. After deployment is done you typically want the machine removed from that collection. There are a few ways of doing that but my favorite is using an Orchestrator runbook.

Orchestrator Runbook Configuration

Note: In this guide I assume that you have installed System Center Orchestrator 2012 SP1 or 2012 R2 in your environment.

1. First you need to download and install the Orchestrator Integration for Configuration Manager which will add the items we are using to remove the machines from a Collection in Orchestrator Runbook Designer.

2. Start Orchestrator Runbook Designer and setup the connection to the ConfigMgr primary site server by going to Options > SC 2012 Configuration Manager.

3. Add a connection to your SCCM server and make sure to test the connection using the Test connection button before proceeding.

4. Now Create a new Runbook and go to Activities > Runbook control and drag “Initialize data” to the Orchestration pane. Do the same by choosing SC12012 Configuration Manager under Activities, and then drag  “Delete Collection Rule” out on the Orchestration pane.

5. Hover over the Initialize data icon and then drag the arrow to the Delete Collection Rule. It should look like the below image.

6.  Right click Initialize Data and choose Properties. Add two details and name them CollectionID and ClientName.

7. Right click Delete Collection Rule and choose Properties. Start by choosing the connection you created in step 3. Note: Do not type in the text as below, instead right click the area right to Collection and choose Subscribe > Published Data. Choose CollectionID and click OK. Repeat for Membership Rule. Choose Finish when done.

If you type in the text manually you will get this error when executing the runbook: The SMS Provider reported an error. Details: Generic failure

8. Before proceeding I strongly recommend that you execute the runbook in test mode, supplying a client name and collection ID of a machine located in the collection you want the client removed from.

Note: Do not forget to check in the runbook after testing and when you are done, or it will fail to execute during operating system deployment.

Task Sequence Configuration

Now that the runbook is running successfully you can use it in your Task Sequence. Note: This requires that you have integrated Microsoft Deployment Toolkit with Configuration Manager and that you are using an MDT Task Sequence.

Modify a task sequence and create a New group. The recommended section to run the Runbook is in the State Restore phase of the Task Sequence. To be on the safe side first run a “Gather”, then you must add “Use Toolkit Package” and last but not least execute the actual runbook by adding the “Execute Runbook” step.

Also note that runbooks are run with the SCCM network access account so you must add that account to the Orchestrator user group that you have assigned, check the permissions and which group name to add to the relevant Orchestrator group in  Runbook Designer by right clicking the name of the runbook tab and then choose Permissions.

If you do not you will get this error in the  ZTIExecuteRunbook.log (where all events related to the runbooks are stored):

Unexpected response from web service. 405 Method Not Allowed
< ?xml version=”1.0″ encoding=”utf-8″ standalone=”yes”?>
< error xmlns=”http://schemas.microsoft.com/ado/2007/08/dataservices/metadata“>
<code></code>
<message xml:lang=”sv-SE”>The requested operation requires Publish permissions on the
Runbook</message>
< /error> ZTIExecuteRunbook 2014-07-03 10:01:56 0 (0x0000)

Happy orchestration and deploying!

When deploying Windows 8.1 Machines using System Center Configuration Manager 2012 R2, me and as good as everyone ever done a Windows 8.1 deployment using CM2012R2, has seen the issue. The issue is that the first time a user log in to the deployed machine, it gives an error:

The Group Policy Client service failed the sign-in.
The universal unique identifier (UUID) type is not supported.

The problem has been seen from time to time but at last there is a solution to this elusive problem. The solution or workaround actually, is provided in KB2976660: First logon fails with “The universal unique identifier (UUID) type is not supported”.

Encountered an interesting issue doing Windows 8.1 Deployment using ConfigMgr 2012 R2. A specific model was constantly failing at the very last step in the task sequence. The smsts.log revealed a few errors with the codes 80070002 and 80072ee2, failing at random files every time from the MDT Toolkit Package.

A few examples:

DownloadFiles() failed. 80072ee2.
DownloadContentAndVerifyHash() failed. 80070002.

It seems Microsoft is aware of the issue and the current workaround is to set the following variables first in the task sequence to address the problem until it hopefully will be fixed in a coming hotfix.

SMSTSDownloadRetryCount = 5
SMSTSDownloadRetryDelay = 15

After settings these variables the deployment finish as expected.

There is something fishy going on when deploying email profiles to iOS devices using Windows Intune and ConfigMgr 2012 R2. When you have deployed an email profile to an iOS (7.1) device you cannot choose to send pictures from that email account, as the account is then missing from the drop down menu when choosing “From”.

If you go into the Mail app in iOS and then write a new mail then you can choose the deployed email account, the problem is just related to sharing pictures (possibly also other stuff) via the  “Share button” > Mail feature in iOS.

Note: If you go to Settings > Mail, Contacts, Calendars you cannot see the email account listed in “Default account”.

UPDATE: Turns out that this is indeed not a bug but a feature. You must activate “Allow email to be sent from third-party applications” in the email policy.

Related article: Notes from the field – iOS device management using ConfigMgr 2012 and Windows Intune

I encountered a stuck deployment at the “Getting ready” stage when deploying Windows 8.1 at a customer site the other day. None of the logs produced by the task sequence gave any indications on the problem at that stage so to find the real problem I had to turn to the Windows setup log setupact.log which is found in C:\Windows\Panther\UnattendGC.

In clear text it stated a few lines of this code. It kept on retrying to join the domain every ten seconds.

2014-03-14 10:48:23, Warning                      [DJOIN.EXE] Unattended Join: DsGetDcName failed: 0x54b, last error is 0x0, will retry in 10 seconds...

That particular problem was caused by the fact that the domain name to be joined was not entered as a FQDN in the task sequence. Note there are other causes of a failed domain join but remember that if your Windows 8.1 installation hang at “Getting ready”, examine the setupact.log and find the root cause and fix it.

Interesting to say is that this behavior seems to be different in Windows 8.1 than in previous Windows versions (at least Windows 7), where a failed domain join would be skipped and the deployment would continue leaving the machine in a workgroup mode.

UPDATE: It can also be caused by the network not having a connection at all. So check the network cable could also be a solution.

There are not that much real world info on managing iOS devices using Windows Intune and ConfigMgr. I am talking about managing iOS devices, not settings up iOS enrollment or the tons of guides on how to publish and deploy a web link to the App Store. This blog post was born to give some deeper level of insight into iOS management using Windows Intune together with System Center Configuration Manager 2012 R2.

UPDATE March 18 2014: Bug deploying email profiles to iOS using ConfigMgr / Intune

Troubleshoot MDM in Intune / ConfigMgr

The biggest challenge as I have learnt is that troubleshooting mobile device management using ConfigMgr and Intune leaves a lot to wish for. There really are not that much you can see in terms of what is going on between ConfigMgr, Intune cloud service and the mobile device itself. There are no force buttons to push or pull stuff so you are pretty much left in the dark many times. Apparently there is only one action you can take to force all policies (compliance settings and email profiles for instance) to the iOS device and that is to install an app from the Company Portal iOS app or from the web interface at m.manage.microsoft.com. Apart from that you just have to wait, wait and wait for things to happen.

Custom iOS app deployment options and important knowledge

One of the most not so much talked about feature is the ability to sideload an in-house or custom developed iOS app (IPA file). It is easily done as any other application deployment by adding the IPA and the PLIST file, then distributing it to the cloud distribution point. Although the plist manifest file is required to add the application for deployment it seems to be of no use as the plist file is not distributed with the IPA file itself to the distribution point. I suppose it is more of a way of knowing that you are not deploying apps from the App Store (IPA files, not the web links).

When deploying an IPA you have three options:

1. Deploy it as Available to Users
This will make the app published and available for install, but only in the web interface, i.e. “m.manage.microsoft.com”. For some reason which I do not know you will not see this app if you are using the Company Portal app. Once again I do not know the background for this but it is really inconsistent behavior and makes the iOS Company Portal app more or less unusable. I have filed a Design Request Change for this at Microsoft Connect.

UPDATE: This is an Apple “feature” and a limitation in what they allow the MDM vendors to do.

2. Deploy it as Required to Users
This will install the app automatically for targeted users. A note will pop up on the screen of the iOS device asking if “m.manage05sub.microsoft.com want to install the following app, is that OK”? After clicking OK/yes the app is installed (or should we say sideloaded to be correct).

3. Deploy it as Required to Devices
This will install the app automatically for targeted devices. A note will pop up on the screen of the iOS device asking if “m.manage05sub.microsoft.com want to install the following app, is that OK”? After clicking OK/yes the app is installed (or should we say sideloaded to be correct).

Log files – shake it baby!

Well, there are a few log files on the CM side but I have not found any relevant information in them, all you can see is that there is some kind of communication with Intune but that’s about it. So basically there are no logs to turn to when troubleshooting. There is however one log file and that can be accessed from an iOS device by logging into the Company Portal app. After login, shake the phone. Yes, you heard me, shake the phone and you will see options to send the log file via email for further analysis. However, although I have read many log files over the years this log file is among the more hard to interpret. They will however likely be more useful to Intune technical support technicians (more on that later). I have filed a DCR for more insight into Intune or the communication via ConfigMgr at Microsoft Connect.

iPad and iPhone collections

Divide iOS devices into collections for iPads and iPhones which is good if you for instance want to target different compliance settings to iPads and iPhones. Create a collection based on “Mobile Device Computer System” where the “Device Model” is like %ipad% and %iphone%.

The query to list all iPhones in a collection:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_DEVICE_COMPUTERSYSTEM on SMS_G_System_DEVICE_COMPUTERSYSTEM.ResourceId = SMS_R_System.ResourceId where SMS_G_System_DEVICE_COMPUTERSYSTEM.DeviceModel like "%iphone%"

The query to list all iPads in a collection:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_DEVICE_COMPUTERSYSTEM on SMS_G_System_DEVICE_COMPUTERSYSTEM.ResourceId = SMS_R_System.ResourceId where SMS_G_System_DEVICE_COMPUTERSYSTEM.DeviceModel like "%ipad%"

Email profiles be aware

Do not let the official ConfigMgr blog screenshots fool you. When creating an email profile the Exchange ActiveSync Host should be entered without http:// or https:// as mistakenly demonstrated in the screenshot.

UserLicenseTypeInvalid error message

The error UserLicenseTypeInvalid when trying to enroll an iOS device. Most likely this is due to users not being synced to the Intune service because they are missing from the “Intune users” collection or that there is a problem with actually syncing from CM to Intune. More about that in this blog post.

The Intune Support

Do not hesitate to contact the Intune technical support whenever you encounter a problem. As you have no insight into Intune contacting support is many times the only way to figure it what is or what is not going on with your mobile device management.  Support phone numbers for Intune specifically are listed at the Microsoft Support web site.