The idea for this blog post was born during the week of MVP Summit at Microsoft in Redmond (March 5-9). I realize that depending on who you talk to they have different point of views on things. The view on “co-management” is a great example.

The purpose of this blog post is to present the options that exist for organizations moving to modern management. “Co-management” is the door opener and path for moving to modern management.

Why modern management?

Modern management is what I would say moving away from on-premise dependencies, creating a more flexible and mobile workplace and more cost-efficient management of Windows devices. This means doing things in new smart ways rather than keep doing them as you’ve done them for the last “100 years” or so. Why would you stop doing what you are doing and start doing things in new ways? Well, one is to save time for IT as well as end users and as time is money, you will be able to reduce costs in your organization. It’s also about not reinventing the wheel, which is what basically every organization is doing today in some sense.

Some practical examples is doing a F12/PXE deployment of machines as soon as they come in to the organization. Think new, and stop doing reference image building and stop certifying hardware and use modern deployment tools such as AutoPilot and Intune to save time and modernize the deployment process.

Another example is that you can reduce complexity and remove infrastructure, say for instance patching. Dismantle old WSUS servers and do patching via Windows Update for Business, which means relying on existing Microsoft infrastructure rather than downloading everything from Microsoft, approving patches, distributing patches etc. Again, do not reinvent the wheel and repeat what Microsoft is already offering in terms of infrastructure.

There are many more examples but I think you get the idea of modern deployment and management, stop doing things the way you’ve always done them and think new.

Introduction and definition of “co-management”

At the Microsoft Ignite conference in September 2017, Microsoft announced what is called “co-management”. “Co-management” is the first and fundamental step on the way to modern management to be able to use existing Windows devices and configuration “as is” but at the same time add a modern management tool. After doing that you can start the switch to modern management, as the switch to the modern world will not be done overnight for most organizations.

Now, “co-management” means different things to different people. My view on “co-management”, regardless if the customer is using ConfigMgr or not, is to keep your Windows client “as is”. With that I mean Active Directory joined and configured via GPOs and then adding MDM-enrollment to that to be able to start doing new configuration via MDM. For the sake of making “co-management” clear I’ve chosen to divide the customers into two, the ones with ConfigMgr and the ones without it.

And as a note, the MDM tool to use for modern management is preferably Microsoft Intune (part of the Enterprise Mobility+Security suite).

Fundamental thoughts

My idea is that once you’ve decided to go down the path to modern management – no more and I mean no more work whatsoever should be put into adding new stuff to your legacy solutions. That includes not making scripts, configuration and applications deployed or configured via on-premise Active Directory or ConfigMgr. Instead, you do this in the modern management tool (if possible). Focus one hundred percent on moving the current resources to the modern management world instead!

Goals

The ultimate goal which is something to strive for, is fulfilled when configuration, patching and applications are managed by a modern management solution, and there are no dependencies to on-premise resources such as ConfigMgr, distributions points, GPOs etc.

Do I believe this goal can be achieved regardless of organization and size? Yes. However, there are many challenges on the way and it will for sure not be easy nor quick for many organizations. For many organizations, it’s going to take years but for smaller organizations I see great possibilities to reach the goal on a much shorter period of time.

Applications

One of the biggest challenges in the modern world lies with applications. In the best of worlds, applications are moving away from using Kerberos or other traditional authentication mechanisms, as well as legacy code or runtime requirements. Instead rely on modern authentication and preferably OAuth 2.0, providing means to further remove dependencies to on-premise Active Directory at the same time enabling possibilities to use conditional access for instance.

Application strategy moving forward is a separate chapter and I will not cover that more in this blog post. I will solely focus on the deployment of the applications, as this is very much relevant in the various “co-management” scenarios.

Current applications, that is traditional and legacy applications packaged as MSI or in EXE format, needs to be replaced, reworked or repackaged. Today, repackaging can be done by repackaging to the AppX format. Popular packaging software like AdminStudio has had this capability for several years but if you want a free option look at Advanced Installer which also has the capability to package apps in the AppX format.

Regardless of the option you choose below for “co-management”, moving to this new packaging format is the way to move forward. At least for the option which is customers with no ConfigMgr, moving to this new package format is a requirement because there is no good way of deploying the applications unless you move to this new package format.

Note: MSIX is a new packaging format to come, as published on GitHub: MSIX Packaging recently, but for the moment AppX is the way to proceed until Microsoft eventually publish more information on MSIX.

Deployment Options

Customers without ConfigMgr

Option 1 (the only option for customers without ConfigMgr): Hybrid joined machines

(on-premise Active Directory joined + Azure AD registered/joined + GPO to set MDM auto enrollment)

If you do not use ConfigMgr, to activate “co-management” all you have to do is to make sure that your Windows 10 clients (1709 and later) are configured with the GPO setting to enable automatic MDM enrollment.

After that, start to move the GPO configuration over and add new configuration to MDM instead of using GPOs. Dismantle local infrastructure such as WSUS and start relying on Windows Update for Business. Also, look into AutoPilot.

Note: For hybrid joined machines it seems that Microsoft has not yet made (as of March 2018) it possible to be able to run PowerShell scripts via the Intune Management Extension. This is a very sad limitation because that means you have no way of deploying scripts for filling in the gap on current limitations of MDM, as you move to modern management.

Customers with ConfigMgr

Option 2: Hybrid joined machines (with Co-management in ConfigMgr unconfigured)

(on-premise Active Directory joined + Azure AD registered/joined + GPO to set MDM auto enrollment + ConfigMgr-agent installed via ConfigMgr)

This option mean you just connect your Windows 10 clients to your MDM solution with the GPO setting to enable automatic MDM enrollment, then stop doing what you are doing with GPOs and ConfigMgr today and instead do that in the MDM solution. This is the least effort option where you try to touch the ConfigMgr solution as little as possible and instantly just start the move away from ConfigMgr. This option is more suitable for smaller and rather simple ConfigMgr environments.

Option 3: Hybrid joined machines (with Co-management in ConfigMgr activated)

(on-premise Active Directory joined + Azure AD registered/joined + co-management activated in ConfigMgr + ConfigMgr-agent installed via ConfigMgr)

I suppose you can say that this is the true “co-management” in terms of what Microsoft would describe it as. This is the recommended way for most organizations that want to start the journey to modern management.

Option 4: Cloud joined machines (with Co-management in ConfigMgr activated)

(Azure AD joined + MDM joined + ConfigMgr-agent deployed via Intune)

Well this option is a good one but as the devices are not connected to an on-premise Active Directory, it requires that you have moved all GPOs and have managed to provide access to all on-premise resources for users when they are outside the company network. This option is more for future use, although this option might be good for some customers already.

Note: Even though devices are not connected to the on-premise Active Directory, they are able to use single sign on to access recourses on the internal network such as printers, network shares and other resources in the Active Directory domain. This is true as long as the device is on an internal network and has contact with an on-premise domain controller, where a Kerberos TGT is issued for accessing on-premise resources.

How to activate “co-management”

Option 1 and 2

For options 1 and 2 you configure your Windows devices and set the GPO “Enable automatic MDM enrollment using default Azure AD credentials” to Enabled. The GPO setting is located in Computer Configuration > (Policies) > Administrative Templates > Windows Components > MDM.

Option 3 and 4

The Microsoft Docs is the place to go to activate “co-management” in ConfigMgr. This includes the optional agent deployment via Intune.

Verify MDM connectivity and that your Windows clients are being “co-managed”

1. Dsregcmd command line

Run the following command to see if your devices are connected to Azure AD:

dsregcmd /status

The value for AzureAdJoined should read YES and MdmUrl should be set to for instance https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc

2. Modern control panel “Access work or school”

To check if the device has registered properly with the MDM tool you can also look in the modern control panel “Access work or school” (located in Accounts). Click any of the Windows logos or the briefcase and if you have the Info button you know that you have an active MDM enrollment for this device.

3. In the GUI of the MDM tool

Of course, the device should also pop up in your MDM solution and in Intune it will display as “MDM” is the device is Azure AD joined with MDM enrollment and it will show “MDM/ConfigMgr” if you are using ConfigMgr (or using option 1, that is not using ConfigMgr but still activating MDM enrollment for hybrid joined machines).

Troubleshooting

AzureAdJoined = NO

If AzureAdJoined is NO when you run “dsregcmd /status” then your devices have not registered with Azure AD which is required to be using “co-management”. Check the following:

1. Check Event Viewer and the log Applications and Services Logs > Microsoft > Windows > AAD > Operational. Optionally go to View and click Show Analytic and Debug Logs to get additional logs, and in AAD get the Analytic log which you must Enable before it will start logging.

No automatic MDM enrollment is made

If the MdmUrl is empty when you run “dsregcmd /status” and there is no “Info” button in Access work or school, then verify the following:

1. Make sure that you are using Windows 10 v1709 or later.
2. (Option 1 and 2) Verify that the GPO with MDM enrollment applies to the device.
3. (Option 3 and 4) Verify in the CoManagementHandler.log that CoManagementSettings_AutoEnroll equals True.
4. Verify that MDM automatic enrollment is configured in Azure AD, i.e. Azure Portal > Azure AD > Mobility (MDM and MAM). Also check that the user is covered by the MDM User Scope.
5. Verify that the user logging into the machine has an Azure AD Premium license assigned.
6. Check Event Viewer and the log Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin. Optionally go to View and click Show Analytic and Debug Logs to get additional logs, and in DeviceManagement-Enterprise-Diagnostics-Provider get the Debug log which you must Enable before it will start logging.

This problem is interesting as it is not easily discoverable if you do not stare at the screen during the entire upgrade process, and hey, who does that? However, this is a very interesting finding when it comes to Windows as a Service that I am certain will affect many more enterprise customers (see cause section below).

Problem

Initiate an upgrade of Windows 10 to another version of Windows 10 using an inplace-upgrade task sequence via System Center Configuration Manager. The upgrade runs smooth until it reaches 75% (of the Upgrade step) where setup reboots the machine and then continue the last step of the upgrade, which is the migration phase. However, at 76% the user is presented with the login screen and the user thinks “well, the upgrade is done, let’s login!” after which the user login only to see a reboot a few minutes later, and also a rollback to the previous version of Windows.

The upgrade process is still running although the logon screen is presented, and when the user login, the migration engine of Windows setup shows a bunch of MIG errors due to files becoming locked. At the same time a rollback to the previous version of Windows 10 is initiated. The rollback by the way works very well! 

Cause

The cause of this issue is the software Net iD, which is a very common smart card application/credential provider for governments and others, providing smart card logon capabilities for all types of smart cards. When that piece of software is installed it somehow (still not determined exactly what is going on) interfere with the upgrade and the consequence is that the login screen is displayed although the upgrade continue in the background.

Workaround

Uninstall the Net iD client before doing inplace-upgrade to another Windows 10 version, and then install it as one of the last steps during the upgrade.

Most books written about Microsoft products are very focused on one single product. A book about Windows Server covers all you need about the server OS itself. A book about System Center Configuration Manager covers everything you need to know about ConfigMgr in its bubble and a book about a Windows client covers everything you need to know about the client itself.

The book Enterprise Client Management using Windows Server 2012 R2 and System Center 2012 R2 covers not only the Windows client (Windows 7 as well as 8.1) but how to manage it using Windows Server 2012 R2 and the System Center 2012 R2 products. So all in all a complete scenario on how to manage your Windows clients in the enterprise in a very effective way using Microsoft management tools available.

The book is now also available on Kindle as of mid April 2015!

A common setup when using System Center Configuration Manager to deploy is to have an OSD collection which has a required deployment. Moving clients to that Collection will let them be reinstalled or installed. After deployment is done you typically want the machine removed from that collection. There are a few ways of doing that but my favorite is using an Orchestrator runbook.

Orchestrator Runbook Configuration

Note: In this guide I assume that you have installed System Center Orchestrator 2012 SP1 or 2012 R2 in your environment.

1. First you need to download and install the Orchestrator Integration for Configuration Manager which will add the items we are using to remove the machines from a Collection in Orchestrator Runbook Designer.

2. Start Orchestrator Runbook Designer and setup the connection to the ConfigMgr primary site server by going to Options > SC 2012 Configuration Manager.

3. Add a connection to your SCCM server and make sure to test the connection using the Test connection button before proceeding.

4. Now Create a new Runbook and go to Activities > Runbook control and drag “Initialize data” to the Orchestration pane. Do the same by choosing SC12012 Configuration Manager under Activities, and then drag  “Delete Collection Rule” out on the Orchestration pane.

5. Hover over the Initialize data icon and then drag the arrow to the Delete Collection Rule. It should look like the below image.

6.  Right click Initialize Data and choose Properties. Add two details and name them CollectionID and ClientName.

7. Right click Delete Collection Rule and choose Properties. Start by choosing the connection you created in step 3. Note: Do not type in the text as below, instead right click the area right to Collection and choose Subscribe > Published Data. Choose CollectionID and click OK. Repeat for Membership Rule. Choose Finish when done.

If you type in the text manually you will get this error when executing the runbook: The SMS Provider reported an error. Details: Generic failure

8. Before proceeding I strongly recommend that you execute the runbook in test mode, supplying a client name and collection ID of a machine located in the collection you want the client removed from.

Note: Do not forget to check in the runbook after testing and when you are done, or it will fail to execute during operating system deployment.

Task Sequence Configuration

Now that the runbook is running successfully you can use it in your Task Sequence. Note: This requires that you have integrated Microsoft Deployment Toolkit with Configuration Manager and that you are using an MDT Task Sequence.

Modify a task sequence and create a New group. The recommended section to run the Runbook is in the State Restore phase of the Task Sequence. To be on the safe side first run a “Gather”, then you must add “Use Toolkit Package” and last but not least execute the actual runbook by adding the “Execute Runbook” step.

Also note that runbooks are run with the SCCM network access account so you must add that account to the Orchestrator user group that you have assigned, check the permissions and which group name to add to the relevant Orchestrator group in  Runbook Designer by right clicking the name of the runbook tab and then choose Permissions.

If you do not you will get this error in the  ZTIExecuteRunbook.log (where all events related to the runbooks are stored):

Unexpected response from web service. 405 Method Not Allowed
< ?xml version=”1.0″ encoding=”utf-8″ standalone=”yes”?>
< error xmlns=”http://schemas.microsoft.com/ado/2007/08/dataservices/metadata“>
<code></code>
<message xml:lang=”sv-SE”>The requested operation requires Publish permissions on the
Runbook</message>
< /error> ZTIExecuteRunbook 2014-07-03 10:01:56 0 (0x0000)

Happy orchestration and deploying!

When deploying Windows 8.1 Machines using System Center Configuration Manager 2012 R2, me and as good as everyone ever done a Windows 8.1 deployment using CM2012R2, has seen the issue. The issue is that the first time a user log in to the deployed machine, it gives an error:

The Group Policy Client service failed the sign-in.
The universal unique identifier (UUID) type is not supported.

The problem has been seen from time to time but at last there is a solution to this elusive problem. The solution or workaround actually, is provided in KB2976660: First logon fails with “The universal unique identifier (UUID) type is not supported”.

There is something fishy going on when deploying email profiles to iOS devices using Windows Intune and ConfigMgr 2012 R2. When you have deployed an email profile to an iOS (7.1) device you cannot choose to send pictures from that email account, as the account is then missing from the drop down menu when choosing “From”.

If you go into the Mail app in iOS and then write a new mail then you can choose the deployed email account, the problem is just related to sharing pictures (possibly also other stuff) via the  “Share button” > Mail feature in iOS.

Note: If you go to Settings > Mail, Contacts, Calendars you cannot see the email account listed in “Default account”.

UPDATE: Turns out that this is indeed not a bug but a feature. You must activate “Allow email to be sent from third-party applications” in the email policy.

Related article: Notes from the field – iOS device management using ConfigMgr 2012 and Windows Intune

There are not that much real world info on managing iOS devices using Windows Intune and ConfigMgr. I am talking about managing iOS devices, not settings up iOS enrollment or the tons of guides on how to publish and deploy a web link to the App Store. This blog post was born to give some deeper level of insight into iOS management using Windows Intune together with System Center Configuration Manager 2012 R2.

UPDATE March 18 2014: Bug deploying email profiles to iOS using ConfigMgr / Intune

Troubleshoot MDM in Intune / ConfigMgr

The biggest challenge as I have learnt is that troubleshooting mobile device management using ConfigMgr and Intune leaves a lot to wish for. There really are not that much you can see in terms of what is going on between ConfigMgr, Intune cloud service and the mobile device itself. There are no force buttons to push or pull stuff so you are pretty much left in the dark many times. Apparently there is only one action you can take to force all policies (compliance settings and email profiles for instance) to the iOS device and that is to install an app from the Company Portal iOS app or from the web interface at m.manage.microsoft.com. Apart from that you just have to wait, wait and wait for things to happen.

Custom iOS app deployment options and important knowledge

One of the most not so much talked about feature is the ability to sideload an in-house or custom developed iOS app (IPA file). It is easily done as any other application deployment by adding the IPA and the PLIST file, then distributing it to the cloud distribution point. Although the plist manifest file is required to add the application for deployment it seems to be of no use as the plist file is not distributed with the IPA file itself to the distribution point. I suppose it is more of a way of knowing that you are not deploying apps from the App Store (IPA files, not the web links).

When deploying an IPA you have three options:

1. Deploy it as Available to Users
This will make the app published and available for install, but only in the web interface, i.e. “m.manage.microsoft.com”. For some reason which I do not know you will not see this app if you are using the Company Portal app. Once again I do not know the background for this but it is really inconsistent behavior and makes the iOS Company Portal app more or less unusable. I have filed a Design Request Change for this at Microsoft Connect.

UPDATE: This is an Apple “feature” and a limitation in what they allow the MDM vendors to do.

2. Deploy it as Required to Users
This will install the app automatically for targeted users. A note will pop up on the screen of the iOS device asking if “m.manage05sub.microsoft.com want to install the following app, is that OK”? After clicking OK/yes the app is installed (or should we say sideloaded to be correct).

3. Deploy it as Required to Devices
This will install the app automatically for targeted devices. A note will pop up on the screen of the iOS device asking if “m.manage05sub.microsoft.com want to install the following app, is that OK”? After clicking OK/yes the app is installed (or should we say sideloaded to be correct).

Log files – shake it baby!

Well, there are a few log files on the CM side but I have not found any relevant information in them, all you can see is that there is some kind of communication with Intune but that’s about it. So basically there are no logs to turn to when troubleshooting. There is however one log file and that can be accessed from an iOS device by logging into the Company Portal app. After login, shake the phone. Yes, you heard me, shake the phone and you will see options to send the log file via email for further analysis. However, although I have read many log files over the years this log file is among the more hard to interpret. They will however likely be more useful to Intune technical support technicians (more on that later). I have filed a DCR for more insight into Intune or the communication via ConfigMgr at Microsoft Connect.

iPad and iPhone collections

Divide iOS devices into collections for iPads and iPhones which is good if you for instance want to target different compliance settings to iPads and iPhones. Create a collection based on “Mobile Device Computer System” where the “Device Model” is like %ipad% and %iphone%.

The query to list all iPhones in a collection:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_DEVICE_COMPUTERSYSTEM on SMS_G_System_DEVICE_COMPUTERSYSTEM.ResourceId = SMS_R_System.ResourceId where SMS_G_System_DEVICE_COMPUTERSYSTEM.DeviceModel like "%iphone%"

The query to list all iPads in a collection:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_DEVICE_COMPUTERSYSTEM on SMS_G_System_DEVICE_COMPUTERSYSTEM.ResourceId = SMS_R_System.ResourceId where SMS_G_System_DEVICE_COMPUTERSYSTEM.DeviceModel like "%ipad%"

Email profiles be aware

Do not let the official ConfigMgr blog screenshots fool you. When creating an email profile the Exchange ActiveSync Host should be entered without http:// or https:// as mistakenly demonstrated in the screenshot.

UserLicenseTypeInvalid error message

The error UserLicenseTypeInvalid when trying to enroll an iOS device. Most likely this is due to users not being synced to the Intune service because they are missing from the “Intune users” collection or that there is a problem with actually syncing from CM to Intune. More about that in this blog post.

The Intune Support

Do not hesitate to contact the Intune technical support whenever you encounter a problem. As you have no insight into Intune contacting support is many times the only way to figure it what is or what is not going on with your mobile device management.  Support phone numbers for Intune specifically are listed at the Microsoft Support web site.