Showing results for tags 'configmgr'.



Found 30 results

  1. Hi WN, I created a function to connect to the CMSite and load the cmdlet for ConfigurationManager. Could the function be improved in any way, or is it as good as it can be? Is the logic best practice? You can download it at: https://gallery.technet.microsoft.com/Connect-ConfigMgr64-db5e9d0a

         function Connect-ConfigMgr64
         {
             $initParams = @{ }

             # Load the ConfigurationManager module if it is not already loaded
             if ((Get-Module ConfigurationManager) -eq $null)
             {
                 try
                 {
                     # -ErrorAction Stop turns a failed import into a terminating error so the catch block runs
                     Import-Module "$($ENV:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1" @initParams -Scope Global -ErrorAction Stop
                 }
                 catch
                 {
                     # Fall back to the console installation directory recorded in the registry
                     $ModulePath = (Get-ItemProperty HKLM:\SOFTWARE\Wow6432Node\Microsoft\ConfigMgr10\Setup -Name "UI Installation Directory").'UI Installation Directory'
                     Import-Module $ModulePath\bin\ConfigurationManager.psd1 -Scope Global
                 }
             }

             if ((Get-Module ConfigurationManager) -ne $null)
             {
                 # The site code is taken from the existing CMSite drive
                 $SiteCode = Get-PSDrive -PSProvider CMSITE
                 if ((Get-PSDrive -Name $SiteCode -PSProvider CMSite -ErrorAction SilentlyContinue) -eq $null)
                 {
                     $ProviderMachineName = (Get-ItemProperty HKLM:\SOFTWARE\Wow6432Node\Microsoft\ConfigMgr10\AdminUI\Connection -Name Server).Server
                     New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $ProviderMachineName @initParams
                 }

                 if ((Get-PSProvider -PSProvider CMSite) -ne $null)
                 {
                     Set-Location $SiteCode":\"
                     Write-Host 'Type "Get-Command -Module ConfigurationManager" for a list of SCCM CMDlets.' -ForegroundColor Green
                 }
                 else
                 {
                     $CustomError = [String]"Error: Can't find CMSite provider"
                     Throw $CustomError
                 }
             }
             else
             {
                 $CustomError = [String]"Unable to locate System Center Configuration Manager installation folder!"
                 Throw $CustomError
             }
         }

         Connect-ConfigMgr64
  2. Introduction

     Here’s some links with videos of all the Microsoft Intune and Configuration Manager, Windows 10 & Office 365 ProPlus content @ Microsoft Ignite in Florida last month.

     Intune/ConfigMgr:

       • Mobile device and app management overview with Microsoft Intune
       • System Center Configuration Manager overview and roadmap
       • Conduct a successful pilot deployment of Microsoft Intune
       • Manage and secure Android, iOS, and MacOS devices and apps with Microsoft Intune
       • Learn how to use Microsoft Intune with the new admin console and Microsoft Graph API
       • Secure access to Office 365, SaaS and on-premises apps with EMS
       • Manage and protect Office 365 mobile apps with Microsoft Intune
       • Deploying and using Outlook mobile in the Enterprise
       • Manage mobile productivity with EMS

     Windows 10 & Office 365 ProPlus:

       • Microsoft 365: Modern management and deployment (general session with Brad and Rob)
       • Overview: Modern Windows 10 and Office 365 ProPlus management with EMS
       • Transition to cloud-based management of Windows 10 and Office 365 ProPlus with EMS
       • Modernize deployment & servicing of Windows 10 & Office 365 ProPlus with EMS
       • Secure Windows 10 with Intune, Azure AD and System Center Configuration Manager
  3. Don’t miss out on a Free report giveaway for ConfigMgr! https://www.enhansoft.com/blog/asset-intelligence-computer-details-is-june-2017s-free-configmgr-report The Asset Intelligence Computer Details report is a brand new report! This report is designed to fill the gap created by ConfigMgr’s built-in AI reports. We heard that you wanted to see both the normalized and true product name software titles in one report, so you’ve got it! If you’re asking why you would need this information the answer is simple. Have you ever tried to determine who has SQL Server 2016 Management Studio (SSMS) only to discover that the normalized name is Microsoft SQL Server 2016 (all components) which not only includes SSMS, but also SQL Server Configuration Manager, SQL Server Data Tools, etc.? It’s impossible to know from the built-in AI reports who has SSMS without writing your own query, so we saved you the trouble! The Asset Intelligence Computer Details report will also display each title’s software category and software family. This information will help you better understand what each product does. For any software items with no date, the result 1980-02-14 will be displayed.
  4. Hi, I'm attempting to upgrade our customer's production instance of SCCM from Current Branch version 1511 up to version 1610. Here's the story so far.....

     1) Successfully upgraded the dev SCCM server from CB 1511 to 1610. It passed all prerequisite checks. Server 2012 box with SQL Server 2014 SP1.

     2) Ran prerequisite check on prod SCCM box for the 1610 upgrade and noticed that there was a warning about the version of SQL Server. Checked the version and found it to be SQL Server 2012 which is not a supported version for SCCM current branch.

     3) Stopped all Configmgr services and upgraded SQL Server on the prod SCCM server to SQL 2014 SP1. The process ran smoothly without issue with the exception of that I cannot seem to manually stop the SMS_Executive service - it just says 'stopping' and eventually times out. This is an ongoing issue. What I did was disable all services and restarted the server so that all services were not running when the server came back online.

     4) Re-ran the SCCM 1610 prerequisite check and this time it passed the SQL server version and everything else. All ok there so I thought I can now install the 1610 upgrade.

     5) Attempted to run the upgrade to 1610 and the end result was that it failed. The CMUpdate log shows SQL related issues. I have attached the whole log to this post.

     6) There was an option to re-install the 1610 update so I did that. It then got stuck at running the prerequisite check so I ran the following command to delete the entry from the SQL DB:

         DELETE FROM CM_TGT.dbo.CM_UpdatePackages WHERE PackageGuid='af633310-e419-44b3-9e0e-ab93d57087cf';

        Running this removed the update package from the SCCM console.

     7) I restarted the SMS_DMP_DOWNLOADER service and checked the dmpdownloader log and it appeared that it was re-downloading the 1610 package but then it errored showing:

         "ERROR: Failed to download redist for af633310-e419-44b3-9e0e-ab93d57087cf with command /RedistUrl http://go.microsoft.com/fwlink/?LinkID=831290 /LnManifestUrl http://go.microsoft.com/fwlink/?LinkID=831291 /RedistVersion 201610 /ProxyUri http://proxy.tnet.internal:8080/ /ProxyUserName TNET\MSSCService /ProxyUserPassword […]oUI "\\TWPSCCM1VTO.tnet.internal\EasySetupPayload\af633310-e419-44b3-9e0e-ab93d57087cf\redist" .

        I have attached the whole dmpdownloader log as well.

     8) I re-ran the SQL command to delete from the DB. Again the 1610 update was removed from SCCM and after a server re-start it again attempted to download the 1610 update but it fails. It does say to re-start the SMS_Executive service but I cannot do that manually so I have to re-start the server to stop and start the service.

     So the end result of all of the above is that now the SCCM 1610 upgrade gets stuck at "Downloading" and I cannot seem to progress or get past this to run the install again. Any help anyone could give me would be much appreciated. Is there anything I'm missing here? Happy to provide other logs if needed or further info if any of this is not clear.

     Attachments: CMUpdate.log, dmpdownloader.log
  5. Hi there, Recently we upgraded from SCCM 2012 to 1606 Current Branch. Most clients are updated successfully. I have some of them that are Failed. As shown here: However, when I look at the details, it's hard to understand why. The correct client version should be: 5.00.8412.1307 In this screenshot you can see some clients that have the Failed status. Client Version Reported From DDR has the correct version. Client Version Reported From FSP/MP has the wrong version. Many of the clients in that list both have wrong version and all of them have a different reason for the failure. Some of those are:

       • 0x80072ee7, Unknown Error (-2147012889) - Failed to download file over WINHTTP at address.
       • 0x80004005, Unspecified error - Invalid ccmsetup command line.
       • 0x80200065, Unknown Error (-2145386395) - Failed to download files through BITS at address.
       • 0x80004005, Unspecified error - Failed to find an available source.
       • 0x00000000, Success - Cannot install prerequisite file
       • 0x00000000, Success - Failed to find an available source.

     And so on... How to tackle these issues? What is your experience with client upgrades? I don't use Client Push... I've let CM deploy the new version automatically after the upgrade.
  6. Businesskasper

    1602: IIS Kerberos Authentication Broken?

    Hi, I'm new here, please be gentle. Someone seems to have played with our SCCM IIS. I think Windows Authentication with Kerberos doesn't work anymore. Login to the Application Catalog only works when you put "NTLM" over "Negotiate" in IIS. The Distribution Point only works when you allow Anonymous Authentication in SCCM - Distribution Points. What doesn't work is when users try to reevaluate user policies. PolicyAgent.log:

        Synchronous policy assignment request with correlation guid {A16140B0-151C-4A9B-8A67-283CE38FEE8A} for User S-1-5-21-1960130858-3242946568-2400973019-36681 completed with status 80070005

    I tried reinstalling Windows Authentication -> SCCM didn't work at all anymore, until I reregistered ASP.NET and other nasty Bits. I tried reinstalling the Management Point -> Log says success, still users can't authenticate and can't get Policies. Any ideas? Can I just uninstall all System Roles, reinstall IIS and install System Roles again? Thank you, Greetz
  7. Hi Guys, I've been building my Win10 image lately and for some reason SCCM refuses to complete any OSD Task Sequences successfully (on Win 10, or our old Win8.1 TS). It seems to be failing to setup the SCCM Client and then rebooting to a half built OS. smsts.log is here: https://pastee.org/7dkq5 I don't have a CCMSetup.log, it doesn't get that far. Any ideas? The key line that seems to stick out for me is:

         <![LOG[The action (Setup Windows and Configuration Manager) requested a retry]LOG]!><time="13:16:09.927-60" date="08-14-2015" component="TSManager" context="" type="1" thread="1260" file="engine.cxx:271">
         <![LOG[Reboot to local harddisk]LOG]!><time="13:16:09.927-60" date="08-14-2015" component="TSManager" context="" type="1" thread="1260" file="engine.cxx:469">

     I've been trying to work this out for the past few days now and I'm tearing my hair out. Thanks!!
  8. Hi Everyone, I wanted to let you know that this month's free report giveaway is Patch Compliance Progression by Collection.

     For each PC within a collection, the Patch Compliance Progression by Collection report will provide you with a count of missing software updates (patches) and the last hardware inventory date.

     The deployed state report parameter allows you to select the deployed state of the software update. The deployed states are:

       • Yes – The affected software update is deployed within your environment
       • No – The affected software update is NOT deployed within your environment
       • Both

     The status count parameter allows you to select whether or not expired software updates are included in the status count. In ConfigMgr, software updates that are expired are still listed. When complying with standards such as the Payment Card Industry Data Security Standard (PCI DSS), expired software updates should always be excluded from status counts.

       • Yes – Expired software updates are included within the status count
       • No – Expired software updates are NOT included within status count

     The classification report parameter enables you to select which software update classification to display within the report. The update classifications, listed in order of severity, are: Critical Updates, Security Updates, Definition Updates, Service Packs, Update Roll-ups, Updates, Tools, and Feature Packs. Click here to read more about update classifications.

     To learn more about it see our website. http://www.enhansoft.com/resources#current-monthly-report
  9. I have a 2012 R2 SP1 primary site that is servicing the main campus of the University I work at. All the site servers are located in the main campus data center. We also have a remote campus about 15 miles away from the main campus which utilizes the servers in the main campus data center. For the most part this hasn't caused any issues, however when techs at the remote campus try to PXE boot and image a device, the TFTP portion of the boot process takes 10+ min to download the boot image as opposed to the 30 sec it takes on the main campus. Compounded when imaging multiple machines at once, 10 minutes turns into 20, 30, and so on, and is not feasible for the techs at the remote site. We have worked with our network engineers to verify that there were no problems on the network causing this difference and after A LOT of testing we determined that everything is working correctly as it is currently designed. The time difference comes from how TFTP works with the whole send 1 packet, receive 1 packet process. On the main campus, this isn't much of a problem but the minuscule bit of extra time between packets going back and forth from the main campus to the remote campus adds up to the extra time in the boot process (we actually drew out the math). So now, half of us are of the mind that we need to put a DP at the remote campus wants to start doing registry hacks and messing with DLLs to increase the TFTP window size. Is there any criteria (Physical distance, bandwidth, latency, clients managed, etc) on when it is appropriate to place a DP (or any other roles) at a remote site? Any documentation I can show about the matter would be helpful. Thanks!
  10. Would anybody happen to know what may be causing my packages to sit at 0.0% compliance once deployed to any specific collection? Applications deploy within 20 minutes, so there's no issues there. I need a specific package that references a .bat file to go out and uninstall ALL Java on a specific collection, but the package that contains the .bat file will not deploy. It's been "deployed" longer than the software cycle so that's not what I'm waiting for. Zero errors on DP. Also, would any of you knowledgeable helpful folks be able to shed some light on scripting the deployment of the .bat file via Application that install Java 8u51? I've tried it multiple ways, but no success. Thank you in advance for all your support.
  11. I've created a PDF that contains the content of the series I did about integrating Microsoft Intune and System Center 2012 R2 Configuration Manager with Single Sign-On. All the following parts are covered in the PDF:

        • How to integrate Microsoft Intune and System Center 2012 R2 Configuration Manager with Single Sign-On – Part 1: Introduction and prerequisites;
        • How to integrate Microsoft Intune and System Center 2012 R2 Configuration Manager with Single Sign-On – Part 2: Install and configure Active Directory Federation Service;
        • How to integrate Microsoft Intune and System Center 2012 R2 Configuration Manager with Single Sign-On – Part 3: Configure directory synchronization;
        • How to integrate Microsoft Intune and System Center 2012 R2 Configuration Manager with Single Sign-On – Part 4: Integrate ConfigMgr and Microsoft Intune.

      Before this link was only available via my own blog, but it's now also available for a wider audience here at windows-noob. The guide can be downloaded here: https://gallery.technet.microsoft.com/How-to-integrate-Intune-cb04f7a5
  12. In the first part of this blog series I went through the introduction and the prerequisites, in the second part I went through the installation and configuration of AD FS and in the third part I went through the directory synchronization. This fourth part of the blog series will finally be about ConfigMgr and Microsoft Intune. During this part the last configurations will be done to get the required UPNs to ConfigMgr and to synchronize this information to Microsoft Intune.

      Synchronize new UPN to ConfigMgr

      To correctly synchronize the correct user information via Microsoft Intune, it is required to discover the most recent UPN changes to the users. Open the Configuration Manager console and navigate to Administration > Overview > Hierarchy Configuration > Discovery Methods, right-click Active Directory User Discovery and select Run Full Discovery Now.

      Create a Microsoft Intune collection

      To allow users to enroll their mobile device through Microsoft Intune it’s required to specify which users are allowed to perform this action. This is done by specifying a collection during the configuration of the Microsoft Intune connector. First we need to create this collection. Open the Configuration Manager console and navigate to Assets and Compliance > Overview, right-click User Collections and select Create User Collection. The Create User Collection Wizard will show. Provide a name like All Microsoft Intune Users and limit the collection to the All Users collection. Walk through the wizard and simply add a few users that are required to enroll their devices through Microsoft Intune.

      Add Windows Intune Subscription

      To integrate Microsoft Intune with ConfigMgr it’s required to add the subscription to ConfigMgr. Open the Configuration Manager console and navigate to Administration > Overview > Cloud Services, right-click Windows Intune Subscriptions and select Add Windows Intune Subscription. The Create Windows Intune Subscription Wizard will show.

        • On the Getting started page, click Next.
        • On the Windows Intune Subscription page, click Sign In.
        • In the Set the Mobile Device Management Authority dialog box, select I understand.. and click OK.
        • In the Subscription dialog box, specify the Microsoft Intune subscription details and click Sign In.
        • Back on the Windows Intune Subscription page, click Next.
        • On the General Configuration page, select the collection All Microsoft Intune Users (created in the previous step), provide some company details, specify the site code and click Next.
        • On the Platforms page, click Next.
        • On the Company Contact Information page, specify the contact details of the company and click Next.
        • On the Company Logo page, click Next.
        • On the Summary page, click Next.
        • On the Completion page, click Close.

      Add the Windows Intune Connector role

      To connect Microsoft Intune with ConfigMgr the last step is to install the Windows Intune Connector. Open the Configuration Manager console and navigate to Administration > Overview > Site Configuration > Servers and Site System Roles, right-click \\<PrimairySiteServer> and select Add Site System Roles.

        • On the General page, click Next.
        • On the Proxy page, click Next.
        • On the System Role Selection page, select the Windows Intune Connector and click Next.
        • On the Summary page, click Next.
        • On the Completion page, click Close.

      Verify the Single Sign-On in Microsoft Intune

      After integrating Microsoft Intune and ConfigMgr the last step is to verify that it’s all working. On a Windows device navigate to PC Settings > Network > Workplace and provide the on-premises credentials of a user that is a member of the All Microsoft Intune Users collection. Notice that this will also redirect to the on-premises AD FS for verifying the credentials. Notice after that a successful enrollment with the on-premises credentials.
  13. In the first part of this blog series I went through the introduction and the prerequisites and in the second part I went through the installation and configuration of AD FS. This third part of the blog series will be all about configuring, configuring and configuring. First it's required to add the public domain name to the Microsoft Online Services, then I'll add the public domain name as a UPN to the users and then I'll enable active directory synchronization.

      Enable Active Directory Synchronization

      The first thing is that I have to enable Active Directory synchronization in the Microsoft Online Services. This allows me to synchronize our on-premises users to the Azure AD. First connect to the Microsoft Online Services by using the following command, which will prompt for credentials. In the credentials dialog box provide the credentials of the Microsoft Intune subscription.

          Connect-MsolService -Credential $cred

      After that it’s possible to enable Active Directory synchronization by using the following command.

          Set-MsolDirSyncEnabled -EnableDirSync $true

      After using the command to enable Active Directory synchronization it’s required to confirm the action by simply answering with Y. To verify a successful configuration, simply logon to the Account portal and verify the Active Directory synchronization setting by navigating to Management > Users. It should display the following information.

      Add public User Principal Name to users

      To enable the user to use the public domain name to logon to their devices, and the Microsoft Online Services, it’s necessary to add the public domain name as their primary User Principal Name (UPN). These configurations will be done through PowerShell. To add a UPN for a forest use the following command. In that command the Identity is the forest name and the UPNSuffixes is the public domain name.

          Set-ADForest -Identity "PTCLOUD" -UPNSuffixes @{Add="petervanderwoude.nl"}

      To verify the success of the PowerShell action, simply open the Properties of one of the Active Directory Domains and Trusts and check the UPN Suffixes tab. To set the UPN as a user’s primary UPN use the following command. In that command the SearchBase is the OU that contains the required users and the UserPrincipalName is the public domain name.

          Get-ADUser -Filter * -SearchBase 'OU=NORMAL USERS,OU=USERS,OU=PTCLOUD,DC=PTCLOUD,DC=LOCAL' -Properties userPrincipalName | foreach { Set-ADUser $_ -UserPrincipalName "$($_.samaccountname)@petervanderwoude.nl"}

      To verify the success of the PowerShell action, simply open the Properties of one of the users and check the Account tab.

      Install and configure Microsoft Azure Active Directory Sync Services

      The next thing is to install and configure the Microsoft Azure Active Directory Sync Services. This tool will allow us to synchronize the on-premises user with the Azure AD.

        • On the Welcome to Azure AD Sync page, specify an Installation path, select I agree to the License terms and click Install.
        • On the Connect to Azure AD page, specify the credentials of the Microsoft Intune subscription and click Next.
        • On the Connect to AD DS page, specify the information of the on-premises forest (see prerequisites) and click Add Forest. After the forest is added click Next.
        • On the Uniquely identifying your user page, click Next.
        • On the Optional features page, click Next.
        • On the Ready to configure page, click Configure.
        • On the Finished page, click Finish.

      Verify user synchronization

      After setting up the user synchronization it’s important to verify the success. In the Account portal, navigate to Management and click Users. In the Users overview it should start showing the synchronized users.

      Note: In my overview it shows a user with the public domain name UPN, a user without and the initial administrator.
  14. In the first part of this blog series I went through the introduction and the prerequisites. This second part of the blog series will be all about installing and configuring Active Directory Federation Services (AD FS) and the AD FS proxy, which is the Web Application Proxy (WAP) in Server 2012 R2. AD FS will be used to federate with Microsoft Azure AD for the authentication of the user’s on-premises.

      Install Active Directory Federation Services

      The first thing that’s required is to install AD FS. This installation will be done through PowerShell on the CLDSRV01. To install AD FS use the following PowerShell command.

          Install-WindowsFeature Adfs-Federation -IncludeManagementTools

      To verify the success of the PowerShell action, simply look at the output of the action.

      Configure the federation server

      After installing AD FS it’s required to configure the federation server. This configuration will be done through PowerShell on the CLDSRV01. The first steps will get the required input for the command.

      Get the certificate thumbprint of the certificate (see prerequisites). To get this information run the command below. This will provide a nice overview of the thumbprints of the different certificates. Simply look for the one that belongs to the mentioned certificate.

          dir Cert:\LocalMachine\My

      To provide the credentials of the service account for AD FS run the following command and provide the credentials.

          $ADFSCred = Get-Credential

      To configure AD FS run the following command. In this command CertificateThumbprint is the thumbprint of the required certificate (first step) and ServiceAccountCredential is the supplied credentials (second step).

          Install-AdfsFarm -CertificateThumbprint "6532759C67678B50811739261B101B87916C1BC4" -FederationServiceName "sts.petervanderwoude.nl" -ServiceAccountCredential $ADFScred

      To verify the success of the PowerShell action, simply look at the output of the action.

      Install Web Application Proxy

      The next component that needs to be installed is WAP. This installation will be done through PowerShell on the CLDSRV00. One important thing to note here is that this server should be able to resolve the public federation service name to the CLDSRV01.PTCLOUD.LOCAL. This can be solved by either adding an entry to the host file or by adding the information to DNS. To install WAP use the following PowerShell command.

          Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

      To verify the success of the PowerShell action, simply look at the output of the action.

      Configure Web Application Proxy

      After the installation of WAP it’s required to configure it to connect to the AD FS server. This will be done through PowerShell on the CLDSRV00.

      Get the certificate thumbprint of the certificate (see prerequisites). To get this information run the command below. This will provide a nice overview of the thumbprints of the different certificates. Simply look for the one that belongs to the mentioned certificate.

          dir Cert:\LocalMachine\My

      To perform the configuration of WAP run the following command in which CertificateThumbprint is the thumbprint of the required certificate (previous step) and FederationServiceName is the name of the configured federation service. Also, this command will ask for the credentials with enough permissions to configure the federation services.

          Install-WebApplicationProxy -CertificateThumbprint "6532759C67678B50811739261B101B87916C1BC4" -FederationServiceName "sts.petervanderwoude.nl"

      To verify the success of the PowerShell action, simply look at the output of the action.

      Verify the AD FS Sign-In page

      After installing and configuring AD FS and WAP it’s very important to know for sure that it’s working. This testing can be done on any device connected to the Internet.

        • Open the Internet Explorer and browse to https://sts.petervanderwoude.nl/adfs/ls/idpinitiatedsignon.htm
        • Click Sign in and provide the required credentials and click Sign in again. This should change the displayed text to You are signed in.

      Note: Replace the public domain for the personal (or company’s) own public domain name.

      Create a trust between AD FS and Azure AD

      The next thing that’s required is to configure the federation with the Microsoft Online Services. To do this it’s required to add the public domain name to the Microsoft Online Services as a federated domain. This will allow us to use the public domain name for the various Microsoft Online Services. This configuration will be done through PowerShell on the CLDSRV02.

      First connect to the Microsoft Online Services by using the following command, which will prompt for credentials. In the credentials dialog box provide the credentials of the Microsoft Intune subscription.

          Connect-MsolService -Credential $cred

      After that it’s required to also connect with the on-premises AD FS by using the following command.

          Set-MsolADFSContext -Computer cldsrv01.ptcloud.local

      Now it’s possible to add a new federated domain, by using the following command.

          New-MsolFederatedDomain -DomainName petervanderwoude.nl

      A message will show that it’s required to verify the specified domain name, by adding a TXT record to the domain registrar. Logon to the domain registrar and specify the information about the TXT record. After specifying the TXT record it’s required to run the previous command again. This time to verify the domain name.

          New-MsolFederatedDomain -DomainName petervanderwoude.nl

      To verify the success of the PowerShell action, simply look at the output of the action. Another place to verify a successful configuration is to simply logon to the Account portal and verify the Single sign-on setting by navigating to Management > Users. It should display the following information.

      Verify the Single Sign-On configuration

      After installing and configuring AD FS and WAP it’s very important to know for sure that it’s working.

        • Open the Internet Explorer and browse to https://portal.manage.microsoft.com/
        • Click Use another account and provide the required credentials and click Sign in. After specifying the public UPN of the user the page will redirect to the on-premises AD FS.

      Note: Replace the public domain for the personal (or company’s) own public domain name.
  15. Introduction In this blog series I’m going to show how to setup a basic configuration of Microsoft Intune, integrated with System Center 2012 R2 Configuration Manager, in combination with and on-premises Active Directory Federation Services (AD FS) for a single sign-on experience. After successfully completing this blog series a user will be able to use his on-premises credentials to access the services of Microsoft Intune. As part of setting up single sign-on, it’s also required to set up directory synchronization. Together, these features integrate the local and cloud directories. It’s only required to set up single sign-on, Active Directory synchronization, and a registered domain on time for a Microsoft Online Service. If Microsoft Office 365 is already used, or any other Microsoft Online Service, then some of the steps, of this blog series, may be completed already. After setting up single sign-on, Active Directory synchronization, or a registered domain for Microsoft Intune, these items will be available for all Microsoft Online services. This information and configurations provided in this blog series are not meant for production environments. It’s purely meant for a lab setup to experiment with the possibilities. I divided this blog series in the following four parts. How to integrate Microsoft Intune and System Center 2012 R2 Configuration Manager with Single Sign-On – Part 1: Introduction and prerequisites;This first part is about what blog series will deliver and what the prerequisites are that need to be in place. How to integrate Microsoft Intune and System Center 2012 R2 Configuration Manager with Single Sign-On – Part 2: Install and configure Active Directory Federation Service;This second part is about installing and configuring AD FS, WAP and single sign-on. 
How to integrate Microsoft Intune and System Center 2012 R2 Configuration Manager with Single Sign-On – Part 3: Configure directory synchronization; This third part is about configuring the synchronization of the on-premises user accounts to the Azure AD. How to integrate Microsoft Intune and System Center 2012 R2 Configuration Manager with Single Sign-On – Part 4: Integrate ConfigMgr and Microsoft Intune; This fourth part is about integrating Microsoft Intune with ConfigMgr to leverage the single sign-on experience. After the last part of this series is done the status of the environment will be similar to what is described by Niall in his first part of his series about How can I manage modern devices using System Center 2012 R2 Configuration Manager? - Part1. Basically the next parts of his series can be used to do the required following configurations. The only difference is that the environment will use an on-premises single sign-on experience. Prerequisites I would like to start this blog series with a small list of prerequisites that need to be in place for various different reasons. Also, these prerequisites will contain the servers that I’ll be using during this setup. In the following part I’ll be referring to the different server names to indicate where I’m performing the actions. Register a public domain name In this blog series I’ll be using the public domain name of petervanderwoude.nl. This domain name will be used for the single sign-on configuration. Simply replace every reference to this public domain name with a personal (or company) owned public domain name. Create a Microsoft Intune subscription In this blog series I’ll be using the Microsoft Intune subscription myptcloud.onmicrosoft.com. This subscription will be used for the single sign-on configuration. Simply replace every reference to this subscription with a personal (or company) owned subscription.
Register a trial Microsoft Intune subscription here: http://www.microsoft.com/en-us/server-cloud/products/microsoft-intune/try.aspx Prepare the required servers In this blog series I will be referring to multiple servers. Even for a lab environment this should be the minimum number of servers used. Of course it’s possible to use more servers to split more roles. Simply replace every reference to these server names with personal (or company) lab server names. CLDSRV00 (WORKGROUP) This server is Internet-facing and will be hosting the Web Application Proxy (WAP). CLDSRV01 (PTCLOUD.LOCAL) This server is the domain controller and will be hosting Active Directory Federation Services (AD FS). CLDSRV02 (PTCLOUD.LOCAL) This server is the ConfigMgr server and will be hosting the Azure Active Directory Synchronization Tool. Install the required Azure AD PowerShell Module In this blog series the Azure AD PowerShell Module is required on the CLDSRV02 to perform actions to manage the Microsoft Online Services. This module is available for download here: http://go.microsoft.com/fwlink/p/?linkid=236297 Create the required service accounts In this blog series I’m using the following service accounts. Of course the names can be adjusted to fit different naming conventions. Simply replace any reference to these service accounts with personal (or company) lab service accounts. svcAD-ADFS (domain user) This service account is used for running AD FS. svcAD-AADSS (domain user) This service account is used for the synchronization between the on-premise AD and the Azure Active Directory. Create the required DNS Records In this blog series the following public DNS records are required to be in place. EnterpriseEnrollment (CNAME); This record has to point to EnterpriseEnrollment.manage.microsoft.com and is used for the device enrollment of Windows Phone, Windows RT and Windows 8.1.
STS (A); This record has to point to a personal (or company) owned public IP that is directed to WAP and is used to publicly register the AD FS service for access by public services. Create the required certificates In this blog series the following certificates are required to be in place. Web server certificate; This certificate is used during the configuration of AD FS (and WAP). I’ll use a certificate issued from an internal PKI. In this case it’s important to have a common name and to have the appropriate DNS names. This certificate needs to be installed on the CLDSRV00 and the CLDSRV01. Note: A self-signed certificate, or a certificate from an internal PKI will provide problems with devices that can’t install the root certificate.
  16. Hi All, Could you please recommend me any sort of data or link which explains how SCCM works internally, about design concepts and working principle of ConfigMgr. I have gone through many sites and videos but they only talk about how to work on SCCM with features however they do not talk about how SCCM works\inner working of ConfigMgr. Thanks very much in Advance! Regards, Chandan
  17. Hello, I'm working on deploying a new master image, however I am running into an issue and I'm not sure of my way around it. I have a feeling what I am trying to do is either/both outside-the-box and/or just wrong. My Goal To bring deployment time down from 2-3 hours to 30-45 minutes. The master image will contain: Specific applications all users will receive Updates up to the quarter (latest build) of the master image (intend to rebuild the master image every quarter, rolling any new updates and applications required into it) When using the master image in a new task sequence I intend to run additional scripts to further modify the image on a user-to-user, group-to-group basis (security permissions, drive letter reassignment, etc.). My Problem I am able to create my master image with CCM Client installed, as many guides suggest; however when I add this master image, containing the CCM Client, to a new task sequence I cannot then run further actions on the image. Any attempt to boot into the applied OS without running the "Setup Windows and ConfigMgr" step results in a failed task sequence. I do not want to run the step again as it will attempt an uninstall, then re-install, of the already installed CCM Client on the master image. I have had issues in the past where either the uninstall, or re-install, of CCM Client in these situations have caused the task sequence deployments to crash 50% or more of the time. My Question Is there a way to perform more actions in a task sequence, after applying a master image that already has CCM Client installed, without re-installing CCM? Can I run a step that will perform all the steps in preparing the environment to continue installations without actually performing the CCM setup? I would appreciate any and all advice/pointers I receive in this matter. Thank you.
  18. Configuration Manager cannot connect to the site (server.domain.com) I have a handful of users in a group called SCCMADMINS. All users can access the console from their desk and connect to ConfigMgr except for one. The user also tried logging in at another user's desk and also could not access the console. That other user logged on before and after to the console successfully. There is no log at "Program Files\Microsoft Configuration Manager\AdminConsole\AdminUILog". The client was installed from the R2 ISO. Just for a test I added the user explicitly to local admins on the server and in the console and that person could still not log in. None of the other users are having issues. Any ideas? Thanks
  19. Hi, trying out some compliance settings in our environment. Seems to work fine for a majority of my clients, but around 50 will not report back. Trying to find out why. Any ideas?
  20. Hi, For over a week I have been trying to solve an issue with a new SCCM 2012 R2 install in my environment. The infrastructure is as follows. Windows 2008 R2 Server Enterprise patched to SP1 and all current updates SQL Server 2012 SP1 WSUS 3.0 SP2 + patches SCCM 2012 R2 - Single Site server running in HTTPS mode All running on one server hosted on VMware ESXi 5.1 Update 1 + VMware Tools 9.0.5 The install of SCCM itself is successful but when I try to install report service point role, the following error is logged. But there are NTFS partitions available, and there are no network issues. I have tried looking for srsp.log files but they don't exist. I have completely uninstalled and reinstalled all server components (SQL, SCCM, WSUS, IE etc.) but with the same result. I would appreciate any help in resolving this. SMS_SITE_COMPONENT_MANAGER Site Component Manager could not find an NTFS partition on site system "\\xxxx.xxx.xx" to hold the Configuration Manager Server Components' files. Possible cause: The site system does not contain an NTFS partition. Solution: Using the Windows Disk Administrator, create an NTFS partition on the site system, or convert an existing FAT partition to NTFS. Possible cause: The site system is not exporting the default drive letter shares, such as "\\xxxx.xxx.xx\C$", "\\xxxx.xxx.xx\D$", and so on. Solution: You might have disabled the default drive letter shares for security purposes. Configuration Manager requires these shares. Please re-enable these shares using the Windows Disk Administrator. Possible cause: The site system is turned off, not connected to the network, or not functioning properly. Solution: Verify that the site system is turned on, connected to the network, and functioning properly. Possible cause: Site Component Manager does not have sufficient access rights to remotely administer the site system.
Solution: Verify that the accounts are properly configured to allow the site server to remotely administer the site system. Possible cause: Network problems are preventing Site Component Manager from properly accessing the site system. Solution: Investigate and correct any problems on your network. SMS_SITE_COMPONENT_MANAGER Site Component Manager failed to configure site system "\\xxxx.xxx.xx" to receive Configuration Manager Server Components. Solution: Review the previous status messages to determine the exact reason for the failure. Site Component Manager cannot install any Configuration Manager Server Components on this site system until the site system is configured successfully. Site Component Manager will automatically retry this operation in 60 minutes. To force Site Component Manager to immediately retry this operation, stop and restart Site Component Manager using the Configuration Manager Service Manager.
  21. How can I configure business hours for ALL CLIENTS?? Having some problems getting applications installed, software center just says "past due... will be.." Is it possible to disable business hours so that they won't mess up application deployments, if the admin wants to have full control of when the applications will be installed??! Thanks in advance.
  22. My environment
      Configuration Manager 2012 SP1
      Integrated MDT 2012 U1
      1 Site Server with all roles (DP, SUP, MP, etc)
      Reference Windows 7 X64 Pro image
      Deployed using MDT integrated task sequence in ConfigMgr 2012 SP1
      The reference image did use C: for the OSDisk
      I'm attempting to deploy my reference image to virtual machines using VMware. The image does get pushed down however it installs the OS to D:
      DiskPart on the deployed image shows the following:
      Volume 0 E: DVD-ROM
      Volume 1 BDEDrive
      Volume 2 D: OSDisk
      I have edited my task sequence to OSDPreserveDriveLetter=True
      BDEDrive is checked "do not assign a drive letter to this partition" under PreInstall -> Format Disk
      Here is my customsettings.ini
      [settings]
      Priority=Default
      Properties= OSDMigrateConfigFiles,OSDMigrateMode
      [Default]
      SLShare=\\SERVER\logs$
      DoCapture=NO
      ComputerBackupLocation=NONE
      BDEInstallSuppress=YES
      MachineObjectOU=OU=Workstations,DC=DOMAIN,DC=NET
      OSDMigrateMode=Advanced
      OSDMigrateAdditionalCaptureOptions=/ue:*\* /ui:DOMAIN\*
      OSDMigrateConfigFiles=Miguser.xml,Migapp.xml
  23. Question: I have SCCM 2012 running. Installed the ConfigMgr 2012 Client on my machine and also had the CU2 update hit soon after. Everything installed and the Client went from version 5.00.7804.1000 to 5.00.7804.1202 Since we still haven't fully migrated from SCCM 2007 to SCCM 2012 I went and pushed Client 2007 to my machine which removed the 2012 Client and installed Client 2007. Then a few days later I figured I was going to use my machine as the primary machine for a bunch of testing and re-pushed Client 2012 to my machine. It re-installed itself however now I am not getting the CU2 update. Is there something that I have to reset for my machine to notice that it needs CU2 again? Thank you.
  24. We're installing a new SCCM 2012 instance in our environment, and learned that we cannot get Endpoint Protection definition files to download if the workstation has a version of the Windows Update Agent that is too old. We're trying to use a query based rule to create a collection of workstations that don't have the latest version of the WUA so that we can rectify those machines before we install SCEP and the definitions get out of date. So, we've created our "Managed Clients" collection and have a second collection that uses that as a parent collection along with the following query: select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_WINDOWSUPDATEAGENTVERSION on SMS_G_System_WINDOWSUPDATEAGENTVERSION.ResourceId = SMS_R_System.ResourceId where SMS_G_System_WINDOWSUPDATEAGENTVERSION.Version like "%7.4.7600.256%" to identify those that are up to date, and a 'NOT LIKE' version to identify those that are out of date. However, neither device collection has any workstations. And when we query the SQL database at the backend of our site, it doesn't appear as though any workstations are reporting this data, even though both Hardware & Software inventories are turned on in the default client policy (and not overridden anywhere else). Any thoughts on why the WUA Version isn't being reported, or another way to end-around this issue and prevent our SCEP definition files from getting out of date before we know we have a problem?
  25. I currently have SCCM 2007 and SCCM 2012 SP1 in my testing environment. When discovering Active Directory sites, subnets, users, and computers in SCCM 2012 SP1, can that affect anything in my SCCM 2007 hierarchy? Thanks, P