Jump to content

All Activity

This stream auto-updates

  1. Today
  2. that's not how I read it, I interpret the docs mentioned above as you need to install the DP role on a computer in the untrusted forest, and open ports to allow for communication back to the trusted forest
  3. Yesterday
  4. Hi, that means I can install the Distribution Point in the Primary forest and only define in the Boundary Group that the Clients from the untrusted Remote forest use the DP from the Primary forest, Right ? Thanks in advance
  5. I think this covers it.. Primary sites support the installation of site system roles on computers in remote forests. When a site system role accepts connections from the internet, as a security best practice, install the site system roles in a location where the forest boundary provides protection for the site server (for example, in a perimeter network). To install a site system role on a computer in an untrusted forest: Specify a Site System Installation Account, which the site uses to install the site system role. (This account must have local administrative credentials to connect to.) Then install site system roles on the specified computer. Select the site system option Require the site server to initiate connections to this site system. This setting requires the site server to establish connections to the site system server to transfer data. This configuration prevents the computer in the untrusted location from initiating contact with the site server that's inside your trusted network. These connections use the Site System Installation Account. To use a site system role that was installed in an untrusted forest, firewalls must allow the network traffic even when the site server initiates the transfer of data. Additionally, the following site system roles require direct access to the site database. Therefore, firewalls must allow applicable traffic from the untrusted forest to the site's SQL Server: Asset Intelligence synchronization point Endpoint Protection point Enrollment point Management point Reporting service point State migration point For more information, see Ports used in Configuration Manager.
  6. Hi, thanks for your answer. Yesterday I got the information, that we have to use the untrusted method. Do I need more than a DP role in the remote forest (we want a special DP for those clients - or can we put that DP in the local forest - of I understood the informations from Microsoft correctly, than it is not possible, right?) ? Do you have a good guide or hands on to fullfill the requirements ? Something like your guide for the PKI implementation. Thanks in advance
  7. Last week
  8. if the other forest is untrusted: Install site system roles in that untrusted forest, with the option to publish site information to that Active Directory forest To use a site system role that was installed in an untrusted forest, firewalls must allow the network traffic even when the site server initiates the transfer of data. When a two-way forest trust exists, Configuration Manager doesn't require any additional configuration steps.
  9. Hi. Thanks for the Link. I just need to know in addition if I have a trust between the 2 forests where I had to place a Distribution Point for the clients from the second forest. Must it be in the second forest or can it be also in the Primary forest ? Thanks in advance
  10. start here https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/communications-between-endpoints#bkmk_noforesttrust if you can't find what you need please explain what is missing
  11. Hi Everybody. I need to know how to add a second forest to my MEMCM environment. What type of AD Trust is required? What I have to do within a trusted and also in an untrusted forest ? Has anybody a guide for me how to do it? Do I Need to extend the AD scheme in the second forest? What Firewall Ports do I have to Open ? What I have to do in addition in MEMCM or somewhere else? Thanks in advance Regards Flo
  12. With the shift in the computing paradigm to the cloud, the Azure ecosystem is quickly becoming a critical platform for IT pros to grasp and adopt. But how do you make the leap while maintaining security, manageability, and cost-control? Whether you’re making new VMs directly in the cloud, have VMs in your own datacenter and are looking to migrate to Azure, or you’re looking to manage VMs with cloud-based tools regardless of where they live, The SysAdmin Guide to Azure Infrastructure as a Service (Iaas) will teach you to set up and maintain a high-performing Azure IaaS environment. Written by veteran IT consultant and trainer Paul Schnackenburg, Altaro’s free 100+ page second edition eBook covers how to create VMs, size them correctly, and manage storage, networking, and security, along with backup. You’ll also learn how to operate groups of VMs, deploy resources based on templates, manage security, and automate your infrastructure. There are also two new chapters on Automanage and Azure Arc to help you bring a lot of automation to IaaS, all lessening the burden on your time. One thing that has changed significantly over the past couple of years is the shift towards making IaaS VMs more like PaaS services. VMs are great but they require a lot of maintenance and care, whereas all the business is really interested in are the applications and data that run inside of them. This explains the popularity of PaaS services such as managed Kubernetes (AKS) and Azure Functions (serverless). If you’re new to the cloud (or have experience with Amazon Web Services and/or Google Cloud Platform but not Azure) this eBook will cover the basics as well as advanced skills. And given how fast things change in the cloud, it covers the why (as well as the how) so that as features and interfaces are updated, you’ll know how to proceed. Make the cloud work for you - download your free copy today!
  13. And every time i try to do this, i get: I did specify for the WinPE environment to have powershell installed
  14. Earlier
  15. Not in the Device Event logs itself. But I have read some where that if the existing devices were Azure AD joined already with the standard license, then you upgrade to the intune licenses... The existing devices will not automatically join. I'm trying to look around and confirm that as we speak. That might explain why it wouldn't work and if I manually unjoin the device and rejoin them, it will then enrol
  16. did the event logs reveal anything about the problem ?
  17. Hi Everyone, I've tried to do some searches here but didn't narrow down to my solution. Story: I've updated my licenses and upgraded Standard to now Business Premium, which now I would be able to enroll and manage my devices. Issue: None of the devices that are currently Azure AD Joined are enrolling into Intune. They still show MDM none and N/A for Compliant. Now, if I would disconnect the user from the device and azure join them again, then the device will become compliant and enroll into intune. Spot checked: verified licenses for the users. verified auto-enrollment for all users enabled MDM. verified on several devices for the Device state to confirm azure AD joined and URL. verified the Device settings that all users can join devices. Checked enrollment restrictions. My Question: It is odd to me that if I Azure AD join a device now, it will work, but none of the current legacy devices before the license upgrade would auto enroll. I prefer not going to each machine and have the users unjoin and rejoin for this to work. Is there anything i'm missing or not catching? Thanks,
  18. What is wrong with the built-in reports for this?
  19. Please help with a query that returns all workstations with Adobe Acrobat, MS Visio, and Java installed, last user logged on and timestamp. I can't find any default report in SCCM with these criteria.
  20. Introduction If you've been looking at my guides, you'll know that I've used httptriggers in functionapps to add functionality to Windows Autopilot, below are some examples of that. Adding devices to an Azure AD group after Windows Autopilot is complete - part 1 Adding devices to an Azure AD group after Windows Autopilot is complete - part 2 Gathering logs and sending an email when resetting Windows Autopilot - part 1 Gathering logs and sending an email when you need to reset Windows Autopilot - part 2 Gathering logs and sending an email when you need to reset Windows Autopilot - part 3 Adding devices or users to an Azure AD group after Windows Autopilot is complete but only when the device is marked as Compliant Using the updated & secure Retire My PC app via Company Portal These work great, but for security reasons the secret attached to the function app itself will expire (after 6 months by default) and should be renewed before that time. Trust me, I learned the hard way. Discovering the problem You might forget to renew the secret and that's when you'll notice things not behaving the way they should. I first became aware of the problem before Christmas, I came into work on the Monday, and kicked off some Windows Autopilot installs but they didn't work correctly. I noticed that the triggers responsible for adding devices to Azure AD groups after Windows Autopilot is complete, but only when the device is marked as compliant were no longer working. I started my investigation on a client with the issue, and the following was reported in the log file. One line jumped out at me, UPN not found, FATAL. Yeah, that doesn't sound good. I then logged into Azure and found the trigger responsible. I fed it with some known good values and looked at the output. The first thing to note is it output the same error (1), even though I supplied a known good UPN (2). Therefore, I knew the error UPN not found, FATAL was a red-herring. I also noticed that there were error code 401 (unauthorized) in the console output (3). That was my first clue ! Next, I select App Registrations in Azure Active Directory, selected the Graph_function app and was greeted with a red error on top showing me that a certificate or secret had expired. Clicking on Certificates and secrets, showed the expired secret. Fixing expired secrets Now that I identified the problem, it was time to fix it. In the Certificates & secrets section, click on + New client secret (1), give it a suitable name (2), select when it expires from the drop down menu (3) and finally Add it (4). The new secret will appear. Notice the expiry date. Now, copy the new secret value. Next, locate the trigger(s) that use the previous secret. It's stored as $AccessSecret in my httptrigger examples. Replace that expired value with the value you copied from the newly created secret and then save your changes. Job done ! Repeat the above exercise for each trigger that uses the expired secret. Conclusion Nothing lasts forever, especially secrets. Now that you know how to renew your expired secrets, maybe it's a good idea to look at your app registrations and take note of when they expire, and pro-actively renew them before they expire next time ! If you'd like to automate that take a look at Peter Klapwijk's post here.
  21. We have WU blocked as all patching is handled by MEMCM. I found this workaround script to temporarily enable in the registry, add the feature, then set the registry back to what is was prior. $currentWU = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "UseWUServer" | select -ExpandProperty UseWUServer Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "UseWUServer" -Value 0 Restart-Service wuauserv Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability –Online Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "UseWUServer" -Value $currentWU Restart-Service wuauserv
  22. here's the error, verify that the source files are in the locations specified in your -source path, Add-WindowsCapability : The source files could not be found.
  23. Hi, I'm trying to install RSAT tools on Windows 10 20H2 but it keep failing Step I use to install. I download the FOD from Microsoft site "Windows 10 2004 FOD" which is also for 20H2 Then run this script to extract the files $FoD_Source = "C:\Downloads\W10RSAT_FOD\2004\2004_FoD_Disk.iso" Mount-DiskImage -ImagePath "$FoD_Source" $path = (Get-DiskImage "$FoD_Source" | Get-Volume).DriveLetter $lang = "en-US" $dest = New-Item -ItemType Directory -Path "$env:SystemDrive\temp\RSAT_2004_$lang" -force Get-ChildItem ($path+":\") -name -recurse -include *~amd64~~.cab,*~wow64~~.cab,*~amd64~$lang~.cab,*~wow64~$lang~.cab -exclude *languagefeatures*,*Holographic*,*NetFx3*,*OpenSSH*,*Msix* | ForEach-Object {copy-item -Path ($path+“:\”+$_) -Destination $dest.FullName -Force -Container} #get metadata copy-item ($path+":\metadata") -Destination $dest.FullName -Recurse copy-item ($path +“:\"+“FoDMetadata_Client.cab”) -Destination $dest.FullName -Force -Container #Dismount ISO Dismount-DiskImage -ImagePath "$FOD_Source" Then use this script to install the RSAT tools $FoD_Source = "$env:SystemDrive\temp\RSAT_2004_en_US" $RSAT_FoD = Get-WindowsCapability –Online | Where-Object Name -like 'RSAT*' #Install RSAT Tools Foreach ($RSAT_FoD_Item in $RSAT_FoD) { Add-WindowsCapability -Online -Name $RSAT_FoD_Item.name -Source $FoD_Source -LimitAccess } but i get this error message Add-WindowsCapability : The source files could not be found. Use the "Source" option to specify the location of the files that are required to restore the feature. For more information on specifying a source location, see https://go.microsoft.com/fwlink/?LinkId=243077. At line:1 char:39 + ... $RSAT_FoD){Add-WindowsCapability -Online -Name $RSAT_FoD_Item.name - ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Add-WindowsCapability], COMException + FullyQualifiedErrorId : Microsoft.Dism.Commands.AddWindowsCapabilityCommand
  24. The client cannot process the task sequence because the total size of the task sequence exceeds the limit for members of this collection. Five task sequences were deployed, three of which were around 1349KB in size. Reduce the number and size of task sequences of collection members to deploy back to normal use
  25. Hello , i have the same problem in my TS , but i resolved it by adding before install application ( GPUPdate / force and restart service CCMEXEC ) you can do a PS1 scrip : net stop ccmexec and net start ccmexec . Thank you Hamza SMAILI
  26. Introduction This is part 9 in a series of guides about cloud attach in Microsoft Endpoint Manager, with the aim of getting you up and running with all things cloud attach. This part will focus on renewing expiring certificates. This series is co-written by Niall & Paul, both of whom are Enterprise Mobility MVP’s with broad experience in the area of modern management. Paul is 5 times Enterprise Mobility MVP based in the UK and Niall is 11 times Enterprise Mobility MVP based in Sweden. In part 1 we configured Azure AD connect to sync accounts from the on premise infrastructure to the cloud. In part 2, we prepared Azure resources for the Cloud Management Gateway, in part 3 we created the cloud management gateway and verified that everything was running smoothly. In part 4 we enabled co-management. With co-management, you retain your existing processes for using Configuration Manager to manage PCs in your organization and you gain the additional advantage of being able to transfer workloads to the cloud via Endpoint Manager (Intune). In part 5 we enabled the compliance policies workload and reviewed how that affected a co-managed computer. In this part we will enable conditional access and see how that can be used to deny access to company resources. In part 6 we configured conditional access and used it to deny access to company resources unless the device was encrypted with BitLocker. In part 7 we showed you how to co-manage Azure AD devices. In part 8 we enabled Tenant Attach and looked briefly at it's features. In this part we'll renew a soon to be expired certificate which we created about a year ago in part 2. Below you can find all parts in this series. Cloud attach - Endpoint Managers silver lining - part 1 Configuring Azure AD connect Cloud attach - Endpoint Managers silver lining - part 2 Prepare for a Cloud Management Gateway Cloud attach - Endpoint Managers silver lining - part 3 Creating a Cloud Management Gateway Cloud attach - Endpoint Managers silver lining - part 4 Enabling co-management Cloud attach - Endpoint Managers silver lining - part 5 Enabling compliance policies workload Cloud attach - Endpoint Managers silver lining - part 6 Enabling conditional access Cloud attach - Endpoint Managers silver lining - part 7 Co-managing Azure AD devices Cloud attach - Endpoint Managers silver lining - part 8 Enabling tenant attach Cloud attach - Endpoint Managers silver lining - part 9 Renewing expiring certificates A certificates validity is set in stone when it's created, and as time passes the certificates validity will eventually expire. When a certificate expires, anything that relied on it to approve communication will no longer work, so keeping a close eye on your certificates validity and noting when they expire is a good practice to avoid any disruption to services within your organization. Note: The Configuration Manager console (as of ConfigMgr version 2111) does NOT keep you alerted of the expiring certificate, so you'll have to keep track of it yourself by paying attention to those emails from your certificate provider. Digicert does however notify you by email about the coming expiration, at 90 days, 30 days and 7 day intervals. Step 1. Create a new CSR Note: You should avoid using the CSR generated during the initial certificate creation, as this is not secure and can compromise your SSL certificate usage. In Part 2 of this series, we downloaded a digital certificate utility from DigiCert for creating a Certificate Signing Request (CSR) but you can do this process on an IIS server see here. A CSR is a block of encoded text that is given to a Certificate Authority when applying for an SSL Certificate. It is usually generated on the server where the certificate will be installed and contains information that will be included in the certificate such as the organization name, common name (domain name), locality, and country. Source Using the tool above (from Digicert, our external SSL certificate provider, there are many to choose from), click on Generate to create the CSR. After generating the CSR, save it to a file. Step 2. Reissue the expiring certificate Next, login to your certificate provider (in this case Digicert) and locate the soon to be expired certificate. To the right click on Reissue Now. In the window that appears paste in the newly generated CSR from step 1. Enter a reason why you want the certificate reissued and then click on Request reissue. Finally, click on Confirm request. At this point, you will see a summary screen like this, take note that to complete the process you'll have to prove ownership of the domain by clicking on Prove control over domains. We chose the option to use a DNS TXT Record (recommended). Copy the TXT record and then login to your Domain Name registrar (eg: godaddy) and select the domain name, then paste in the DNS txt record value, below is the record created from above. Note: If your domain name registrar is GoDaddy or uses the same UI as GoDaddy, you may need to temporarily delete any CNAME that matches the hostname prior to adding the TXT record. After validating the TXT record, you can delete the TXT record and add the CNAME back. This seems to be a bug in their UI. After creating the TXT record you can verify it with dnschecker.org, as shown here, this is helpful in troubleshooting whether your DNS record (TXT, CNAME etc...) is valid or not. Be sure to enter the cloudattachcmg prefix (yours will be different obviously) into the record for the TXT DNS validation otherwise it might have problems finding the TXT record. Step 3. Download the CRT After verifying that you own the domain, you'll be able to download the reissued CRT (certificate) from the certificate provider (eg: DigiTrust). Step 4. Import the CRT Next, import the downloaded CRT back into the Digicert tool by clicking on Import and pointing it to the extracted CRT file in the zip you downloaded. Step 5. Export the pfx Select the Imported certificate, click on Export Certificate choose the option to export pfx You'll be prompted for a password and you'll be informed of the successful export. Step 6. Reconfigure the Cloud Management Gateway In the ConfigMgr console, select Cloud Services and select Cloud Management Gateway. In the CMG properties, choose the Settings tab and click Browse beside the currently expiring PKI certificate Point it to the previously exported PFX file and enter the password when prompted Click Apply, notice that the Certificate File will have changed The CloudMgr.log will record this old certificate deletion and the addition of the reissued certificate. At this point, the hard work is done and your certificate is reissued, and your CMG is reconfigured to use the new certificate. You can verify the CMG is working properly by running the Connection Analyzer. Job done, please join us in the next Cloud Attach blog post, early next year !
  1. Load more activity
  • Create New...