Tuesday, 8 August 2017

See Intune Data Warehouse in action

We've heard a little about this feature recently but the Intune Data Warehouse is finally in public preview. It will give us powerful custom reporting with a dataset spanning up to 90 days of historical data. You can use Power BI or Excel to connect to the warehouse, or indeed any other tool that supports OData feeds.

There is a good blog post describing the feature but I wanted to see it in action with my own data. It is very easy to configure and get started.

Open the Intune admin console on your Azure Portal

Click on the Intune Data Warehouse tile on the bottom right of the screen. This opens the Intune Data Warehouse blade.

The blade gives us the instructions we need.
  • Download and install the Power BI desktop app
  • Download the Power BI template file
  • Open the Power BI template with the Power BI desktop app
  • Authenticate with your tenant

This is the Power BI app......

....and the Power BI template file. It contains a set of custom reports to get you started.

Install the app.

When the app installs select File -> Open.

Browse to the template file.

Select to Apply changes.

You will see the changes being applied.

The OData feed dialog box open. Select the Organizational account section. Sign in with an a global admin account on your tenant. Click Connect.....

.....and we can see the reports have been populated with our own data.

New ConfigMgr video training series

After months of work I'm very pleased to say that the second in this two-part series has been published by Packt Publishing. This involved a lot of weekends and late nights so thanks a lot to my wife for having a good sense of humour. Thanks also to Paul Winstanley (MVP and WMUG colleague) for reviewing the course.

The course is titled "Implementing Configuration Manager features" and is available here

The course contents are as follows:

Software Deployment
  • Configuration Manager Applications
  • Packages and Programs
Software Updates
  • Introduction to software updates
  • Deploy a software updates solution
  • Automatic Deployment rules
Operating System Deployment
  • Introduction to Operating System Deployment
  • Build and Capture a Windows 10 image
  • Deploying a Windows 10 image
  • Working with device drivers
Endpoint Protection
  • Endpoint Protection in Configuration Manager
  • Implementing Endpoint Protection
  • Protecting Endpoints
Intune hybrid
  • Integrating Configuration Manager with Microsoft Intune
  • Managing mobile devices
  • Advanced hybrid features

Monday, 7 August 2017

ConfigMgr 1706 - Azure Services wizard

ConfigMgr 1706 Current Branch was recently released and I got a chance to install it in my lab this weekend. The ConfigMgr product group have done an amazing job and I'm impressed with some of the new features, making it easier to deploy Windows 10, Office 365 and Surface drivers. However my favourite feature has to be the Azure Services wizard. We were given an advance preview of this feature under NDA months ago and it's great to see it in production.

So what is that all about?

The Azure Services Wizard provides a common configuration experience to set up Azure services in ConfigMgr. You can use it for configuring Cloud Management (Azure AD authentication and user discovery), OMS Connector, Upgrade Readiness and Windows Store for Business.

Look back at the 1610 console. See that the Windows Store for Business and the Upgrade Analytics Connector were separate nodes under Cloud Services. Remember that the OMS Connector wasn't available until 1702.

WSfB was configured independently of any other service.

Now look at the 1706 console. See the new Azure Services node. You will see that my WSfB configuration has already been migrated.

So how do we configure this? We'll need Azure tenant details and credentials to complete the process. We'll also create some web apps along the way and grant the required permissions to the web apps (thanks to Nick Hogarth who figured this out).

Right click on the Azure Services node and select Configure Azure Services.

The Azure Services Wizard is launched. Enter a suitable name and select an Azure service. You'll see that Windows Update for Business is missing as it's already configured in this environment. We'll select Cloud Management to allow clients to authenticate with the hierarchy using Azure AD

In the App Properties dialog box we see that we're going to have to create some apps - web app and Native Client app. Browse in the web app section.

Select Create in the Server app dialog box.

Enter the following information in the Create Server Application box.
  • Application name (suitable friendly name)
  • Home page URL (this does not have to exist - max 200 characters)
  • App ID URI  (this does not have to exist - max 200 characters)
  • Secret key validity period (2 years max)
Sign in to Microsoft Azure AD.

Enter your Azure AD credentials when prompted.

Your Azure AD Tenant Name is automatically detected.

The server app has been configured and can be selected.

Now browse in the Native Client app section.

Enter the following information in the Create Client Application box.
  • Application name (suitable friendly name)
  • Reply URL (this does not have to exist - max 200 characters)
Sign in to Microsoft Azure AD.

Your Azure AD Tenant Name is automatically detected.

The client app has been configured and can be selected.

Click Next to continue with the wizard when all the App Properties have been configured.

Now we can optionally choose to enable Azure AD Discovery. It allows you to add cloud-only users to your ConfigMgr environment.

Review the summary.

The Azure Services wizard has completed.

Some of my colleagues have discovered that you have to grant permissions to the web apps in Azure so that the solution can authenticate correctly (Nick Hogarth, Peter van der Woude).

In the Azure Portal, choose More Services -> App registrations

See the newly created server and client apps. Select each one in turn.

Select Required Permissions and choose Grant Permissions.

Review the SMS_AZUREAD_DISCOVERY_AGENT.log file for any errors.

So we've now completed the following:
  1. Added the Cloud Management Service
  2. Enabled Azure AD Discovery
How is that helpful?

Check this out. We won't need so much information the next time we need to add an Azure service.

This time I'll choose Upgrade Readiness.

This time I just need to choose a web app and I don't have to sign in to Azure.

I hope this blog post has been helpful. Until next time.....

Tuesday, 1 August 2017

ConfigMgr patching - KB4025339 fails to install on Windows Server 2016

I had this problem recently on a customer site. It's an easy fix but I wanted to share to save others time.

The CU for Windows Server 2016 July 2017 (KB4025339) failed to install on Windows Server 2016.

It's a pretty big update - over 1GB.

However the maximum run time of the update was incorrectly set to 10 minutes. Raising this to 60 minutes solves the problem.

Additional information:

I came across some other challenges while troubleshooting this issue.
  • The Windows Update log file is no longer available by default on Windows Server 2016. The file can be exposed using the PoSH cmdlet get-WindowsUpdateLog
  • However executing this command on the server resulted in this error:
    Cannot find path "C:\Program Files\Windows Defender\SymSrv.dll" because it does not exist".
There are a few ways to solve this problem. I did it by enabling the Windows Defender feature on the server and I could then continue.

I hope this information helps you. Until next time......

Tuesday, 30 May 2017

Intune app-based conditional access to SharePoint Online

App-based conditional access is a new recent addition to the Intune family and is a really useful feature. Only mobile apps that have Intune app protection policies applied to them can access SharePoint resources. This helps to prevent data leakage and protect our data. Let's see how to configure it and what it looks like in the field.

Sign into the Azure portal (https://portal.azure.com)
Choose More services from the left menu, then type Intune in the text box filter.

Choose Intune App Protection and select All Settings in the Intune mobile application management blade.

Choose the SharePoint Online tile. On the Allowed apps blade, choose Allow apps that support Intune app policies option to allow only apps that are supported by Intune app protection policies.

The Allowed apps are listed. Now open the Restricted user groups blade and choose Add user group.

Select the user groups that should receive the policy.

OK, so what does this look like on a device. For testing I'm using an iPhone and the "SharePlus for Office 365 and SharePoint" app.

SharePlus is an unmanaged app that you can use to work with your SharePoint libraries. I've installed it on the iPhone.

SharePlus cannot have Intune app protection policies applied so it will not be possible to authenticate the app to access SharePoint. An error is encountered. It isn't a very clear or intuitive error message but the functionality is perfect. Access is prevented by the app-based CA policy.

Once I remove the per-app CA policy, SharePlus can successfully authenticate with SharePoint Online. This is very cool.

Until next time.......