Search the Community
Showing results for tags 'ConfigMgr'.
-
Hi, I need to update drivers on existing machines. How can I do this for all of the drivers? We have over 1000 machines which require new drivers, as the old ones are causing issues with performance.
-
After I installed the Configuration Manager 2111 Hotfix on the server, several people are no longer able to run the Configuration Management Console. They get the message "The Configuration Manager Console cannot connect to the Configuration Manager site database. Verify the following". However, I am able to run the console from the server and my PC.
-
Client upgrade behavior
bramk posted a topic in System Center Configuration Manager (Current Branch)
Hi, We have this behavior when upgrading the Config Manager client and I'm just curious if someone recognizes it and dealt with it before. This is what happens: After a client upgrade of the Config Manager client to 1910 some desktops fall into sleep mode; they shouldn't, because their power settings are set with a collection-based power scheme. If you reboot the device everything works again. With the upgrade to 1810 I noticed something similar, client temporarily unaware of settings, with suppressed reboots for workstations on the Deployment of Software Updates. These devices had pending reboots and rebooted directly after the upgrade of the client. It was not suppressed at that time. The upgrade of the client is done via the built-in Pre-production Client Deployment collection. I'm now thinking of another approach next time. Create a custom deployment of the CCM client with triggered communication between client and server. But you'd expect this as something default... Is there a way to prevent this?
Team, In a recent security audit at my workplace, it was found that SSLv3 was enabled on the IBCM server. We need to disable SSLv3, TLSv1 & enable TLSv1.2. Has anybody done this? Kindly share your observations. Also, any support article or guide will be of great help. I have made the changes, as per reading on the Internet, under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols. Now my Internet-based clients are not communicating with the IBCM server at all. No policy since the changes were made. Kindly suggest.
-
Patch Connect Plus, a third-party add-on for SCCM, brings two new features - Application Management, and Admin Tools to make your SCCM experience comprehensive. Application Management: 1. Select your desired application that needs to be created in SCCM from a vast repository of applications 2. Customize the application deployment with custom scripts and pre-defined application templates Admin Tools: 1. Access 25 of the most essential client management tools from SCCM console 2. Perform a wide range of functions like on-demand client operation, client troubleshooting, and system management actions You can try the fully functional version free for 30 days! Drop a comment should you have any query.
-
Hi Everyone,
I'm a new Level 2 Technician, as I was previously a Level 1 technician and my main role was helping users troubleshoot issues on their computers. Recently a few colleagues from Level 3 started helping me get into the SCCM environment, where I am flourishing from their wisdom, so I found your site, started to visit it to learn a few things and decided to register.
Thank you for visiting my page
-
Hi, I thought I would advertise my book here as I need all the shout-outs I can get! The book is entitled: ConfigMgr - An Administrator's Guide to Deploying Applications using PowerShell I think it's pretty good, but then again, I'm probably biased. You can get it here: https://leanpub.com/configmgr-DeployUsingPS Sorry about this advert - I hate adverts too. Sometimes, you just...gotta.
-
Hey Windows Pros, I work as a tech-marketer for ManageEngine. We have some exciting news from Patch Connect Plus, which I thought will be valuable to you. We have introduced "Standard edition" which offers third-party software catalogs to your SCCM 1806. These catalogs can also be used to publish to SCUP too. So if you'd like to avail a free trial and see how it works on your SCCM environment, you can get started here. Here's a list of applications supported: https://www.manageengine.com/sccm-third-party-patch-management/supported-applications.html You can learn how to add the third-party catalogs to SCCM from the video: You can write to sales@manageengine.com if you would like to avail an extension of the free trial(30 days default)/avail more applications under the Standard edition for catalogs. Happy to help.
-
Hi WN, I created a function to connect to the CMSite and load the cmdlet for ConfigurationManager. Could the function be improved in any way, or is it as good as it can be? Is the logic best practice? You can download it at: https://gallery.technet.microsoft.com/Connect-ConfigMgr64-db5e9d0a

    function Connect-ConfigMgr64 {
        $initParams = @{ }

        # Load the ConfigurationManager module if it is not already loaded.
        if ($null -eq (Get-Module ConfigurationManager)) {
            try {
                # -ErrorAction Stop turns a failed import into a terminating error, so the catch block runs.
                Import-Module "$($ENV:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1" @initParams -Scope Global -ErrorAction Stop
            }
            catch {
                # Fall back to the console installation directory recorded in the registry.
                $ModulePath = (Get-ItemProperty HKLM:\SOFTWARE\Wow6432Node\Microsoft\ConfigMgr10\Setup -Name "UI Installation Directory").'UI Installation Directory'
                Import-Module "$ModulePath\bin\ConfigurationManager.psd1" -Scope Global
            }
        }

        if ($null -ne (Get-Module ConfigurationManager)) {
            # Use the drive name (the site code) rather than the PSDriveInfo object itself.
            $SiteCode = (Get-PSDrive -PSProvider CMSite | Select-Object -First 1).Name

            # Create the site drive if it does not exist yet.
            if ($null -eq (Get-PSDrive -Name $SiteCode -PSProvider CMSite -ErrorAction SilentlyContinue)) {
                $ProviderMachineName = (Get-ItemProperty HKLM:\SOFTWARE\Wow6432Node\Microsoft\ConfigMgr10\AdminUI\Connection -Name Server).Server
                New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $ProviderMachineName @initParams
            }

            if ($null -ne (Get-PSProvider -PSProvider CMSite -ErrorAction SilentlyContinue)) {
                # Switch to the site drive so the ConfigMgr cmdlets can be used.
                Set-Location "${SiteCode}:\"
                Write-Host 'Type "Get-Command -Module ConfigurationManager" for a list of SCCM CMDlets.' -ForegroundColor Green
            }
            else {
                throw "Error: Can't find CMSite provider"
            }
        }
        else {
            throw "Unable to locate System Center Configuration Manager installation folder!"
        }
    }

    Connect-ConfigMgr64
-
Introduction Here’s some links with videos of all the Microsoft Intune and Configuration Manager, Windows 10 & Office 365 ProPlus content @ Microsoft Ignite in Florida last month. Intune/ConfigMgr: Mobile device and app management overview with Microsoft Intune System Center Configuration Manager overview and roadmap Conduct a successful pilot deployment of Microsoft Intune Manage and secure Android, iOS, and MacOS devices and apps with Microsoft Intune Learn how to use Microsoft Intune with the new admin console and Microsoft Graph API Secure access to Office 365, SaaS and on-premises apps with EMS Manage and protect Office 365 mobile apps with Microsoft Intune Deploying and using Outlook mobile in the Enterprise Manage mobile productivity with EMS Windows 10 & Office 365 ProPlus: Microsoft 365: Modern management and deployment (general session with Brad and Rob) Overview: Modern Windows 10 and Office 365 ProPlus management with EMS Transition to cloud-based management of Windows 10 and Office 365 ProPlus with EMS Modernize deployment & servicing of Windows 10 & Office 365 ProPlus with EMS Secure Windows 10 with Intune, Azure AD and System Center Configuration Manager
-
Don’t miss out on a Free report giveaway for ConfigMgr! https://www.enhansoft.com/blog/asset-intelligence-computer-details-is-june-2017s-free-configmgr-report The Asset Intelligence Computer Details report is a brand new report! This report is designed to fill the gap created by ConfigMgr’s built-in AI reports. We heard that you wanted to see both the normalized and true product name software titles in one report, so you’ve got it! If you’re asking why you would need this information the answer is simple. Have you ever tried to determine who has SQL Server 2016 Management Studio (SSMS) only to discover that the normalized name is Microsoft SQL Server 2016 (all components) which not only includes SSMS, but also SQL Server Configuration Manager, SQL Server Data Tools, etc.? It’s impossible to know from the built-in AI reports who has SSMS without writing your own query, so we saved you the trouble! The Asset Intelligence Computer Details report will also display each title’s software category and software family. This information will help you better understand what each product does. For any software items with no date, the result 1980-02-14 will be displayed.
-
Hi, I'm attempting to upgrade our customer's production instance of SCCM from Current Branch version 1511 up to version 1610. Here's the story so far..... 1) Successfully upgraded the dev SCCM server from CB 1511 to 1610. It passed all prerequisite checks. Server 2012 box with SQL Server 2014 SP1 2) Ran prerequisite check on prod SCCM box for the 1610 upgrade and noticed that there was a warning about the version of SQL Server. Checked the version and found it to be SQL Server 2012 which is not a supported version for SCCM current branch 3) Stopped all ConfigMgr services and upgraded SQL Server on the prod SCCM server to SQL 2014 SP1. The process ran smoothly without issue, with the exception that I cannot seem to manually stop the SMS_Executive service - it just says 'stopping' and eventually times out. This is an ongoing issue. What I did was disable all services and restart the server so that all services were not running when the server came back online 4) Re-ran the SCCM 1610 prerequisite check and this time it passed the SQL server version and everything else. All ok there so I thought I can now install the 1610 upgrade 5) Attempted to run the upgrade to 1610 and the end result was that it failed. The CMUpdate log shows SQL related issues. I have attached the whole log to this post 6) There was an option to re-install the 1610 update so I did that. 
It then got stuck at running the prerequisite check so I ran the following command to delete the entry from the SQl DB: DELETE FROM CM_TGT.dbo.CM_UpdatePackages WHERE PackageGuid='af633310-e419-44b3-9e0e-ab93d57087cf'; Running this removed the update package from the SCCM console 7) I restarted the SMS_DMP_DOWNLOADER service and checked the dmpdownloder log and it appeared that it was re-downloading the 1610 package but then it errored showing "ERROR: Failed to download redist for af633310-e419-44b3-9e0e-ab93d57087cf with command /RedistUrl http://go.microsoft.com/fwlink/?LinkID=831290 /LnManifestUrl http://go.microsoft.com/fwlink/?LinkID=831291 /RedistVersion 201610 /ProxyUri http://proxy.tnet.internal:8080/ /ProxyUserName TNET\MSSCService /ProxyUserPassword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oUI "\\TWPSCCM1VTO.tnet.internal\EasySetupPayload\af633310-e419-44b3-9e0e-ab93d57087cf\redist" . I have attached the whole dmpdownloder log as well. 8) I re-ran the SQL command to delete from the DB. Again the 1610 update was removed from SCCM and after a server re-start it again attempted to download the 1610 update but it fails.It does say to re-start the SMS_Executive service but I cannot do that manually so i have to re-start the server to stop and start the service So the end result of all of the above is that now the SCCM 1610 upgrade gets stuck at "Downloading" and I cannot seem to progress or get past this to run the install again. Any help anyone could give me would be much appreciated Is there anything i'm missing here? Happy to provide other logs if needed or further info if any of this is not clear CMUpdate.log dmpdownloader.log
-
Hi there, Recently we upgraded from SCCM 2012 to 1606 Current Branch. Most clients are updated successfully. I have some of them that are Failed. As shown here: However, when I look at the details, it's hard to understand why. The correct client version should be: 5.00.8412.1307 In this screenshot you can see some clients that have the Failed status. Client Version Reported From DDR has the correct version. Client Version Reported From FSP/MP has the wrong version. Many of the clients in that list both have wrong version and all of them have a different reason for the failure. Some of those are: 0x80072ee7,Unknown Error (-2147012889) - Failed to download file over WINHTTP at address. 0x80004005,Unspecified error - Invalid ccmsetup command line. 0x80200065,Unknown Error (-2145386395) - Failed to download files through BITS at address. 0x80004005,Unspecified error - Failed to find an available source. 0x00000000,Success - Cannot install prerequisite file 0x00000000,Success - Failed to find an available source. And so on... How to tackle these issues? What is your experience with client upgrades? I don't use Client Push... I've let CM deploy the new version automatically after the upgrade.
-
Hi, I'm new here, please be gentle Someone seems to have played with our SCCM IIS. I think Windows Authentication with Kerberos doesn't work anymore. Login to the Application Catalog only works when you put "NTLM" over "Negotiate" in IIS. The Distribution Point only works, when you allow Anonymous Authentication in SCCM - Distribution Points. What doesn't work, is when Users try to reevaluate user policies. PolicyAgent.log: Synchronous policy assignment request with correlation guid {A16140B0-151C-4A9B-8A67-283CE38FEE8A} for User S-1-5-21-1960130858-3242946568-2400973019-36681 completed with status 80070005 I tried reinstalling Windows Authentication -> SCCM didn't work at all anymore, until I reregistered ASP.NET and other nasty Bits. I tried reinstalling the Management Point -> Log says success, still users can't authenticate and can't get Policies. Any Ideas? Can I just uninstall all System Roles, reinstall IIS and install System Roles again? Thank you Greetz
-
Hi Everyone, I wanted to let you know that this month's free report giveaway is Patch Compliance Progression by Collection. For each PC within a collection, the Patch Compliance Progression by Collection report will provide you with a count of missing software updates (patches) and the last hardware inventory date.
The deployed state report parameter allows you to select the deployed state of the software update. The deployed states are:
Yes – The affected software update is deployed within your environment
No – The affected software update is NOT deployed within your environment
Both
The status count parameter allows you to select whether or not expired software updates are included in the status count. In ConfigMgr, software updates that are expired are still listed. When complying with standards such as the Payment Card Industry Data Security Standard (PCI DSS), expired software updates should always be excluded from status counts.
Yes – Expired software updates are included within the status count
No – Expired software updates are NOT included within status count
The classification report parameter enables you to select which software update classification to display within the report. The update classifications, listed in order of severity, are: Critical Updates, Security Updates, Definition Updates, Service Packs, Update Roll-ups, Updates, Tools, and Feature Packs. Click here to read more about update classifications. To learn more about it see our website. http://www.enhansoft.com/resources#current-monthly-report
-
I have a 2012 R2 SP1 primary site that is servicing the main campus of the University I work at. All the site servers are located in the main campus data center. We also have a remote campus about 15 miles away from the main campus which utilizes the servers in the main campus data center. For the most part this hasn't caused any issues, however when techs at the remote campus try to PXE boot and image a device, the TFTP portion of the boot process takes 10+ min to download the boot image as opposed to the 30 sec it takes on the main campus. Compounded when imaging multiple machines at once, 10 minutes turns into 20, 30, and so on, and is not feasible for the techs at the remote site. We have worked with our network engineers to verify that there were no problems on the network causing this difference and after A LOT of testing we determined that everything is working correctly as it is currently designed. The time difference comes from how TFTP works with the whole send 1 packet, receive 1 packet process. On the main campus, this isn't much of a problem but the minuscule bit of extra time between packets going back and forth from the main campus to the remote campus adds up to the extra time in the boot process (we actually drew out the math). So now, half of us are of the mind that we need to put a DP at the remote campus and the other half wants to start doing registry hacks and messing with DLLs to increase the TFTP window size. Are there any criteria (physical distance, bandwidth, latency, clients managed, etc.) on when it is appropriate to place a DP (or any other roles) at a remote site? Any documentation I can show about the matter would be helpful. Thanks!
-
Hi Guys, I've been building my Win10 image lately and for some reason SCCM refuses to complete any OSD Task Sequences successfully (on Win 10, or our old Win8.1 TS). It seems to be failing to setup the SCCM Client and then rebooting to a half built OS. smsts.log is here: https://pastee.org/7dkq5 I don't have a CCMSetup.log, it doesn't get that far. Any ideas? The key line that seems to stick out for me is: <![LOG[The action (Setup Windows and Configuration Manager) requested a retry]LOG]!><time="13:16:09.927-60" date="08-14-2015" component="TSManager" context="" type="1" thread="1260" file="engine.cxx:271"> <![LOG[Reboot to local harddisk]LOG]!><time="13:16:09.927-60" date="08-14-2015" component="TSManager" context="" type="1" thread="1260" file="engine.cxx:469"> I've been trying to work this out for the past few days now and I'm tearing my hair out Thanks!!
-
Would anybody happen to know what may be causing my packages to sit at 0.0% compliance once deployed to any specific collection? Applications deploy within 20 minutes, so there are no issues there. I need a specific package that references a .bat file to go out and uninstall ALL Java on a specific collection, but the package that contains the .bat file will not deploy. It's been "deployed" longer than the software cycle so that's not what I'm waiting for. Zero errors on DP. Also, would any of you knowledgeable, helpful folks be able to shed some light on scripting the deployment of the .bat file via an Application that installs Java 8u51? I've tried it multiple ways, but no success. Thank you in advance for all your support.
-
I've created a PDF that contains the content of the series I did about integrating Microsoft Intune and System Center 2012 R2 Configuration Manager with Single Sign-On. All the following parts are covered in the PDF:
How to integrate Microsoft Intune and System Center 2012 R2 Configuration Manager with Single Sign-On – Part 1: Introduction and prerequisites;
How to integrate Microsoft Intune and System Center 2012 R2 Configuration Manager with Single Sign-On – Part 2: Install and configure Active Directory Federation Service;
How to integrate Microsoft Intune and System Center 2012 R2 Configuration Manager with Single Sign-On – Part 3: Configure directory synchronization;
How to integrate Microsoft Intune and System Center 2012 R2 Configuration Manager with Single Sign-On – Part 4: Integrate ConfigMgr and Microsoft Intune.
Before, this link was only available via my own blog, but it's now also available for a wider audience here at windows-noob. The guide can be downloaded here: https://gallery.technet.microsoft.com/How-to-integrate-Intune-cb04f7a5
-
In the first part of this blog series I went through the introduction and the prerequisites, in the second part I went through the installation and configuration of AD FS and in the third part I went through the directory synchronization. This fourth part of the blog series will finally be about ConfigMgr and Microsoft Intune. During this part the last configurations will be done to get the required UPNs to ConfigMgr and to synchronize this information to Microsoft Intune.

Synchronize new UPN to ConfigMgr
To correctly synchronize the correct user information via Microsoft Intune, it is required to discover the most recent UPN changes to the users. Open the Configuration Manager console and navigate to Administration > Overview > Hierarchy Configuration > Discovery Methods, right-click Active Directory User Discovery and select Run Full Discovery Now.

Create a Microsoft Intune collection
To allow users to enroll their mobile devices through Microsoft Intune it's required to specify which users are allowed to perform this action. This is done by specifying a collection during the configuration of the Microsoft Intune connector. First we need to create this collection.
Open the Configuration Manager console and navigate to Assets and Compliance > Overview, right-click User Collections and select Create User Collection. The Create User Collection Wizard will show.
Provide a name like All Microsoft Intune Users and limit the collection to the All Users collection.
Walk through the wizard and simply add a few users that are required to enroll their devices through Microsoft Intune.

Add Windows Intune Subscription
To integrate Microsoft Intune with ConfigMgr it's required to add the subscription to ConfigMgr.
Open the Configuration Manager console and navigate to Administration > Overview > Cloud Services, right-click Windows Intune Subscriptions and select Add Windows Intune Subscription. The Create Windows Intune Subscription Wizard will show.
On the Getting started page, click Next.
On the Windows Intune Subscription page, click Sign In.
In the Set the Mobile Device Management Authority dialog box, select I understand.. and click OK.
In the Subscription dialog box, specify the Microsoft Intune subscription details and click Sign In.
Back on the Windows Intune Subscription page, click Next.
On the General Configuration page, select the collection All Microsoft Intune Users (created in the previous step), provide some company details, specify the site code and click Next.
On the Platforms page, click Next.
On the Company Contact Information page, specify the contact details of the company and click Next.
On the Company Logo page, click Next.
On the Summary page, click Next.
On the Completion page, click Close.

Add the Windows Intune Connector role
To connect Microsoft Intune with ConfigMgr the last step is to install the Windows Intune Connector.
Open the Configuration Manager console and navigate to Administration > Overview > Site Configuration > Servers and Site System Roles, right-click \\<PrimairySiteServer> and select Add Site System Roles.
On the General page, click Next.
On the Proxy page, click Next.
On the System Role Selection page, select the Windows Intune Connector and click Next.
On the Summary page, click Next.
On the Completion page, click Close.

Verify the Single Sign-On in Microsoft Intune
After integrating Microsoft Intune and ConfigMgr the last step is to verify that it's all working. On a Windows device navigate to PC Settings > Network > Workplace and provide the on-premises credentials of a user that is a member of the All Microsoft Intune Users collection. Notice that this will also redirect to the on-premises AD FS for verifying the credentials. Notice after that a successful enrollment with the on-premises credentials.
-
In the first part of this blog series I went through the introduction and the prerequisites and in the second part I went through the installation and configuration of AD FS. This third part of the blog series will be all about configuring, configuring and configuring. First it's required to add the public domain name to the Microsoft Online Services, then I'll add the public domain name as a UPN to the users and then I'll enable Active Directory synchronization.

Enable Active Directory Synchronization
The first thing is that I have to enable Active Directory synchronization in the Microsoft Online Services. This allows me to synchronize our on-premises users to the Azure AD.
First connect to the Microsoft Online Services by using the following command, which will prompt for credentials. In the credentials dialog box provide the credentials of the Microsoft Intune subscription.

    Connect-MsolService -Credential $cred

After that it's possible to enable Active Directory synchronization by using the following command.

    Set-MsolDirSyncEnabled -EnableDirSync $true

After using the command to enable Active Directory synchronization it's required to confirm the action by simply answering with Y.
To verify a successful configuration, simply log on to the Account portal and verify the Active Directory synchronization setting by navigating to Management > Users. It should display the following information.

Add public User Principal Name to users
To enable the user to use the public domain name to log on to their devices, and the Microsoft Online Services, it's necessary to add the public domain name as their primary User Principal Name (UPN). These configurations will be done through PowerShell.
To add a UPN for a forest use the following command. In that command the Identity is the forest name and the UPNSuffixes is the public domain name.

    Set-ADForest -Identity "PTCLOUD" -UPNSuffixes @{Add="petervanderwoude.nl"}

To verify the success of the PowerShell action, simply open the Properties of one of the Active Directory Domains and Trusts and check the UPN Suffixes tab.
To set the UPN as a user's primary UPN use the following command. In that command the SearchBase is the OU that contains the required users and the UserPrincipalName is the public domain name.

    Get-ADUser -Filter * -SearchBase 'OU=NORMAL USERS,OU=USERS,OU=PTCLOUD,DC=PTCLOUD,DC=LOCAL' -Properties userPrincipalName | foreach { Set-ADUser $_ -UserPrincipalName "$($_.samaccountname)@petervanderwoude.nl" }

To verify the success of the PowerShell action, simply open the Properties of one of the users and check the Account tab.

Install and configure Microsoft Azure Active Directory Sync Services
The next thing is to install and configure the Microsoft Azure Active Directory Sync Services. This tool will allow us to synchronize the on-premises user with the Azure AD.
On the Welcome to Azure AD Sync page, specify an Installation path, select I agree to the License terms and click Install.
On the Connect to Azure AD page, specify the credentials of the Microsoft Intune subscription and click Next.
On the Connect to AD DS page, specify the information of the on-premises forest (see prerequisites) and click Add Forest. After the forest is added click Next.
On the Uniquely identifying your user page, click Next.
On the Optional features page, click Next.
On the Ready to configure page, click Configure.
On the Finished page, click Finish.

Verify user synchronization
After setting up the user synchronization it's important to verify the success. In the Account portal, navigate to Management and click Users. In the Users overview it should start showing the synchronized users.
Note: In my overview it shows a user with the public domain name UPN, a user without and the initial administrator.
-
In the first part of this blog series I went through the introduction and the prerequisites. This second part of the blog series will be all about installing and configuring Active Directory Federation Services (AD FS) and the AD FS proxy, which is the Web Application Proxy (WAP) in Server 2012 R2. AD FS will be used to federate with Microsoft Azure AD for the authentication of the user’s on-premises. Install Active Directory Federation Services The first thing that’s required is to install is AD FS. This installation will be done through PowerShell on the CLDSRV01. To install AD FS use the following PowerShell command.Install-WindowsFeature Adfs-Federation -IncludeManagementTools To verify the success of the PowerShell action, simply look at the output of the action. Configure the federation server After installing AD FS it’s required to configure the federation server. This configuration will be done through PowerShell on the CLDSRV01. The first steps will get the required input for the command. Get the certificate thumbprint of the certificate (see prerequisites). To get this information run the command below. This will provide a nice overview of the thumbprints of the different certificates. Simply look for the one that belongs to the mentioned certificate.dir Cert:\LocalMachine\My To provide the credentials of the service account for AD FS run the following command and provide the credentials.$ADFSCred = Get-Credential To configure AD FS run the following command. In this command CertificateThumbprint is the thumbprint of the required certificate (first step) and ServiceAccountCredential is the supplied credentials (second step).Install-AdfsFarm -CertificateThumbprint "6532759C67678B50811739261B101B87916C1BC4" -FederationServiceName "sts.petervanderwoude.nl" -ServiceAccountCredential $ADFScred To verify the success of the PowerShell action, simply look at the output of the action. 
Install Web Application Proxy The next component that needs to be installed is WAP. This installation will be done through PowerShell on the CLDSRV00. One important thing to note here is that this server should be able to resolve the public federation service name to the CLDSRV01.PTCLOUD.LOCAL. This can be solved to either add an entry to the host file or by adding the information to DNS. To install WAP use the following PowerShell command.Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools To verify the success of the PowerShell action, simply look at the output of the action. Configure Web Application Proxy After the installation of WAP it’s required to configure it to connect to the AD FS server. This will be done through PowerShell on the CLDSRV00. Get the certificate thumbprint of the certificate (see prerequisites). To get this information run the command below. This will provide a nice overview of the thumbprints of the different certificates. Simply look for the one that belongs to the mentioned certificate.dir Cert:\LocalMachine\My To perform the configuration of WAP run the following command in which CertificateThumbprint is the thumbprint of the required certificate (previous step) and FederationServiceName is the name of the configured federantion service. Also, this command will ask for the credentials with enough permissions to configure the federation services.Install-WebApplicationProxy –CertificateThumbprint "6532759C67678B50811739261B101B87916C1BC4" -FederationServiceName "sts.petervanderwoude.nl" To verify the success of the PowerShell action, simply look at the output of the action. Verify the AD FS Sign-In page After installing and configuring AD FS and WAP it’s very important to know for sure that it’s working. This testing can be done on any device connected to the Internet. 
Open the Internet Explorer and browse to https://sts.petervanderwoude.nl/adfs/ls/idpinitiatedsignon.htm Click Sign in and provide the required credentials and click Sign in again. This should change the displayed text to You are signed in. Note: Replace the public domain for the personal (or company’s) own public domain name. Create a trust between AD FS and Azure AD The next thing that’s required is to configure the federation with the Microsoft Online Services. To do this it’s required to add the public domain name to the Microsoft Online Services as a federated domain. This will allow us to use the public domain name for the various Microsoft Online Services. This configuration will be done through PowerShell on the CLDSRV02. First connect to the Microsoft Online Services by using the following command, which will prompt for credentials. In the credentials dialog box provide the credentials of the Microsoft Intune subscription.Connect-MsolService –Credential $cred After that it’s required to also connect with the on-premises AD FS by using the following command.Set-MsolADFSContext -Computer cldsrv01.ptcloud.local Now it’s possible to add a new federated domain, by using the following command.New-MsolFederatedDomain –DomainName petervanderwoude.nl A message will show that it’s required to verify the specified domain name, by adding a TXT record to the domain registar. Logon to the domain registar and specify the information about the TXT record. After specifying the TXT record it’s required to run the previous command again. This time to verify the domain name.New-MsolFederatedDomain –DomainName petervanderwoude.nl To verify the success of the PowerShell action, simply look at the output of the action. Another place to verify a successful configuration is to simply logon to the Account portal and verify the Single sign-on setting by navigating to Management > Users. It should display the following information. 
Verify the Single Sign-On configuration

After installing and configuring AD FS and WAP it’s very important to know for sure that it’s working.

Open Internet Explorer and browse to https://portal.manage.microsoft.com/
Click Use another account and provide the required credentials and click Sign in. After specifying the public UPN of the user the page will redirect to the on-premises AD FS.

Note: Replace the public domain with the personal (or company’s) own public domain name.
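A pre-flight check for the WAP configuration steps in the post above, as an added example that is not part of the original post: it confirms the name resolution the post requires and selects the certificate by DNS name, validity and private key instead of reading thumbprints by eye. The function name Get-WapCertificateThumbprint and the address 192.0.2.10 are assumptions for illustration.

```powershell
# Added example (not from the original post). Run on the WAP server before
# Install-WebApplicationProxy. The function name and $AdfsIp value are assumptions.
function Get-WapCertificateThumbprint {
    param(
        [Parameter(Mandatory)] [string] $ServiceName,  # federation service name
        [Parameter(Mandatory)] [string] $AdfsIp        # internal IP of the AD FS server
    )

    # 1. WAP must resolve the federation service name to the internal AD FS
    #    server. Resolve-DnsName also reads the hosts file by default.
    $resolved = @(Resolve-DnsName -Name $ServiceName -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress })
    if ($resolved -notcontains $AdfsIp) {
        throw "$ServiceName resolves to '$($resolved -join ', ')', expected $AdfsIp."
    }

    # 2. Keep only certificates that have a private key, are inside their
    #    validity period, and carry a DNS name matching the service name
    #    exactly or through a one-level wildcard.
    $wildcard = '*.' + ($ServiceName -split '\.', 2)[1]
    $now = Get-Date
    $candidates = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $names = @($_.DnsNameList.Unicode)
        $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ($names -contains $ServiceName -or $names -contains $wildcard)
    })
    if ($candidates.Count -ne 1) {
        throw "Expected exactly one usable certificate for $ServiceName, found $($candidates.Count)."
    }
    $cert = $candidates[0]

    # 3. The chain must validate on this server for SSL use. With an internal
    #    PKI this fails until the root CA is in the machine's trusted roots.
    if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $ServiceName)) {
        throw "Certificate $($cert.Thumbprint) does not validate for $ServiceName."
    }

    $cert.Thumbprint
}

# Usage with the post's service name and a placeholder (constructed) address:
$thumbprint = Get-WapCertificateThumbprint -ServiceName 'sts.petervanderwoude.nl' -AdfsIp '192.0.2.10'
Install-WebApplicationProxy -CertificateThumbprint $thumbprint -FederationServiceName 'sts.petervanderwoude.nl'
```

The function throws before any configuration change is made, so a name-resolution or certificate problem surfaces here rather than as a failed trust setup.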
-
Introduction

In this blog series I’m going to show how to set up a basic configuration of Microsoft Intune, integrated with System Center 2012 R2 Configuration Manager, in combination with an on-premises Active Directory Federation Services (AD FS) for a single sign-on experience. After successfully completing this blog series a user will be able to use his on-premises credentials to access the services of Microsoft Intune.

As part of setting up single sign-on, it’s also required to set up directory synchronization. Together, these features integrate the local and cloud directories. It’s only required to set up single sign-on, Active Directory synchronization, and a registered domain one time for a Microsoft Online Service. If Microsoft Office 365 is already used, or any other Microsoft Online Service, then some of the steps of this blog series may be completed already. After setting up single sign-on, Active Directory synchronization, or a registered domain for Microsoft Intune, these items will be available for all Microsoft Online services.

The information and configurations provided in this blog series are not meant for production environments. They’re purely meant for a lab setup to experiment with the possibilities.

I divided this blog series into the following four parts.

How to integrate Microsoft Intune and System Center 2012 R2 Configuration Manager with Single Sign-On – Part 1: Introduction and prerequisites; This first part is about what this blog series will deliver and what the prerequisites are that need to be in place.
How to integrate Microsoft Intune and System Center 2012 R2 Configuration Manager with Single Sign-On – Part 2: Install and configure Active Directory Federation Service; This second part is about installing and configuring AD FS, WAP and single sign-on.
How to integrate Microsoft Intune and System Center 2012 R2 Configuration Manager with Single Sign-On – Part 3: Configure directory synchronization; This third part is about configuring the synchronization of the on-premises user accounts to the Azure AD.
How to integrate Microsoft Intune and System Center 2012 R2 Configuration Manager with Single Sign-On – Part 4: Integrate ConfigMgr and Microsoft Intune; This fourth part is about integrating Microsoft Intune with ConfigMgr to leverage the single sign-on experience.

After the last part of this series is done the status of the environment will be similar to what is described by Niall in the first part of his series about How can I manage modern devices using System Center 2012 R2 Configuration Manager? - Part1. Basically the next parts of his series can be used to do the required following configurations. The only difference is that the environment will use an on-premises single sign-on experience.

Prerequisites

I would like to start this blog series with a small list of prerequisites that need to be in place for various different reasons. Also, these prerequisites will contain the servers that I’ll be using during this setup. In the following part I’ll be referring to the different server names to indicate where I’m performing the actions.

Register a public domain name

In this blog series I’ll be using the public domain name of petervanderwoude.nl. This domain name will be used for the single sign-on configuration. Simply replace every reference to this public domain name with a personal (or company) owned public domain name.

Create a Microsoft Intune subscription

In this blog series I’ll be using the Microsoft Intune subscription myptcloud.onmicrosoft.com. This subscription will be used for the single sign-on configuration. Simply replace every reference to this subscription with a personal (or company) owned subscription.
Register a trial Microsoft Intune subscription here: http://www.microsoft.com/en-us/server-cloud/products/microsoft-intune/try.aspx

Prepare the required servers

In this blog series I will be referring to multiple servers. Even for a lab environment this should be the minimum number of servers used. Of course it’s possible to use more servers to split more roles. Simply replace every reference to these server names with personal (or company) lab server names.

CLDSRV00 (WORKGROUP): This server is Internet-facing and will be hosting the Web Application Proxy (WAP).
CLDSRV01 (PTCLOUD.LOCAL): This server is the domain controller and will be hosting Active Directory Federation Services (AD FS).
CLDSRV02 (PTCLOUD.LOCAL): This server is the ConfigMgr server and will be hosting the Azure Active Directory Synchronization Tool.

Install the required Azure AD PowerShell Module

In this blog series the Azure AD PowerShell Module is required on the CLDSRV02 to perform actions to manage the Microsoft Online Services. This module is available for download here: http://go.microsoft.com/fwlink/p/?linkid=236297

Create the required service accounts

In this blog series I’m using the following service accounts. Of course the names can be adjusted to fit different naming conventions. Simply replace any reference to these service accounts with personal (or company) lab service accounts.

svcAD-ADFS (domain user): This service account is used for running AD FS.
svcAD-AADSS (domain user): This service account is used for the synchronization between the on-premises AD and the Azure Active Directory.

Create the required DNS Records

In this blog series the following public DNS records are required to be in place.

EnterpriseEnrollment (CNAME); This record has to point to EnterpriseEnrollment.manage.microsoft.com and is used for the device enrollment of Windows Phone, Windows RT and Windows 8.1.
STS (A); This record has to point to a personal (or company) owned public IP that is directed to WAP and is used to publicly register the AD FS service for access by public services.

Create the required certificates

In this blog series the following certificates are required to be in place.

Web server certificate; This certificate is used during the configuration of AD FS (and WAP). I’ll use a certificate issued from an internal PKI. In this case it’s important to have a common name and to have the appropriate DNS names. This certificate needs to be installed on the CLDSRV00 and the CLDSRV01.

Note: A self-signed certificate, or a certificate from an internal PKI, will cause problems with devices that can’t install the root certificate.
-
- Microsoft Intune
- Configuration Manager
-
(and 2 more)
Tagged with:
-
Hi All, Could you please recommend me any sort of data or link which explains how SCCM works internally, about design concepts and working principle of ConfigMgr. I have gone through many sites and videos but they only talk about how to work on SCCM with features however they do not talk about how SCCM works\inner working of ConfigMgr. Thanks very much in advance! Regards, Chandan
-
Hello, I'm working on deploying a new master image, however I am running into an issue and I'm not sure of my way around it. I have a feeling what I am trying to do is either/both outside-the-box and/or just wrong.

My Goal

To bring deployment time down from 2-3 hours to 30-45 minutes. The master image will contain:
Specific applications all users will receive
Updates up to the quarter (latest build) of the master image (intend to rebuild the master image every quarter, rolling any new updates and applications required into it)
When using the master image in a new task sequence I intend to run additional scripts to further modify the image on a user-to-user, group-to-group basis (security permissions, drive letter reassignment, etc.).

My Problem

I am able to create my master image with CCM Client installed, as many guides suggest; however when I add this master image, containing the CCM Client, to a new task sequence I cannot then run further actions on the image. Any attempt to boot into the applied OS without running the "Setup Windows and ConfigMgr" step results in a failed task sequence. I do not want to run the step again as it will attempt an uninstall, then re-install, of the already installed CCM Client on the master image. I have had issues in the past where either the uninstall, or re-install, of CCM Client in these situations has caused the task sequence deployments to crash 50% or more of the time.

My Question

Is there a way to perform more actions in a task sequence, after applying a master image that already has CCM Client installed, without re-installing CCM? Can I run a step that will perform all the steps in preparing the environment to continue installations without actually performing the CCM setup?

I would appreciate any and all advice/pointers I receive in this matter. Thank you.
- 2 replies
-
- SCCM 2012 R2 CU2
- CCM Client
- (and 6 more)