Where is The System Center Configuration Manager Cmdlet Library

Hi all, just a quick post today. I found it difficult to find the location of the latest cmdlet updates for the Configuration Manager PowerShell module while doing a general search on the web.

What we now have is the System Center Configuration Manager Cmdlet Library, which checks for library updates on a daily basis and notifies you to download the updated library when searching the web.

I’ve found that a lot of the customers I visit when automating Configuration Manager have older PowerShell cmdlets and are not taking advantage of the latest PowerShell cmdlets available to them, so if you haven't updated lately have a look at the links below.

Here is the link to the TechNet reference:

https://technet.microsoft.com/en-us/library/dn958404(v=sc.20).aspx

and the link to the download:

http://www.microsoft.com/en-us/download/confirmation.aspx?id=46681

Happy automating

George


Creating Intune Trial via Office 365 Portal

Late last month we disabled the old Intune Account portal (http://account.manage.microsoft.com) and replaced it with the o365 portal (http://portal.office.com).

See http://blogs.technet.com/b/microsoftintune/archive/2015/09/01/intune-and-ems-subscriptions-now-available-in-the-office-365-portal.aspx for the formal announcement.

Since the change, there has been some confusion around how to create an Intune trial tenant. This guide should clear up each step required.

First, browse to the Microsoft Intune product page (http://www.microsoft.com/en-us/server-cloud/products/microsoft-intune/Features.aspx) and select the Try Now button.

You’ll find yourself directed to the http://portal.office.com page. Enter your registration details.

Create your user ID, the tenant name (something.onmicrosoft.com) and a strong password. Note that this tenant name cannot be changed without recreating your tenant, so choose wisely.

You’ll get a confirmation page and email. Press the You’re ready to go… button to continue.

You’ll be presented with a Getting started with Microsoft Intune page. Press the Start button to begin creating users.

You’ll be redirected to the http://portal.office.com Office 365 admin centre. In the menu on the bottom left, you’ll see your Azure AD and Intune links, which means you’ve got your Intune trial started successfully.

If you wanted, you could now start enrolling devices using the first created user. This is the user that you created by default during the setup phase.

The Intune link should just automatically work, however for the Azure AD you need to activate a subscription. You’ll need to have either your EMS or AADP subscription, or enter some payment information into the signup process. I won’t do that here as I don't have either.

And that’s it. You can now go ahead and configure your public domain names, get some Active Directory sync happening and start configuring MDM policies.

Matt Shadbolt

Automate your Monthly Maintenance Windows

Hi All,

A lot of the customers I visit create their maintenance windows on a monthly basis to patch servers, which is a boring and mundane task. I've dabbled in creating scripts with the help of some other PFEs in the past, but I recently created a very nice dynamic PowerShell script that creates maintenance windows on a monthly basis based on the format of your collection names. The idea came while I was onsite with one of my customers who formatted his collections similar to the following:

MW – Patching – Day 1 08:00

This allowed me to take the name of every collection and split the values to give me the number of days after Patch Tuesday and the time of day (in 24-hour format) for the maintenance window.

I'll run through an example and then show you how it works in the script.

So, on the premise that Day 0 is Patch Tuesday:

The collection above will get a maintenance window on Day 1 (the Wednesday after Patch Tuesday) at 8:00am local time.

The following script will work from PowerShell, or you can incorporate it into Orchestrator, which is what I have done with my customers using a slightly more complex script with PowerShell Remoting.

Here is the entire script.

#This script will create maintenance windows dynamically for monthly patches

#Add Variables
$Duration = 3 #Set the maintenance window duration in hours, e.g. 1 for 1 hour
$CollectionName = 'Maintenancewindows*' #Collection name filter, can use * as a wildcard e.g. MW - Patching - Day*
$Exclude = '' #Collection names to skip, can use * as a wildcard e.g. *OOB Day 0*
$MWException = 'Ad Hoc*' #Existing maintenance windows matching this name are never deleted e.g. Ad Hoc*
$SiteCode = 'PRI' #Put your site code here
$Trace = "" #Leave this as is to clear the Trace variable, which is used for logging

#Import the Configuration Manager module and switch to the site drive
Import-Module (Join-Path $(Split-Path $env:SMS_ADMIN_UI_PATH) ConfigurationManager.psd1)
CD "$($SiteCode):"

#Get Patch Tuesday in the appropriate format
$Trace += "Getting Patch Tuesday `r`n"
$CurrentMonth = (Get-Date).Month
$CurrentYear = (Get-Date).Year
$Day = "Tuesday"

#Returns the second occurrence of $day in the given month (the second Tuesday is Patch Tuesday)
function Get-DayOfMonth {
    Param($year,[Parameter(ValueFromPipeline=$true)]$month,$day)

    Process {
        $daysInMonth = [datetime]::DaysInMonth($year,$month)

        1..$daysInMonth | Foreach-Object {
            $d = Get-Date -Year $year -Month $month -Day $_
            if ($d.DayOfWeek -eq $day)
            {
                return $d
            }
        } | Select -Index 1
    }
}

#Add the names of all the selected collections into an array
$Names = (Get-CMDeviceCollection | Where {$_.Name -like $CollectionName -and $_.Name -notlike $Exclude}).Name

#For each collection get the name and split it into multiple variables
Foreach ($Name in $Names)
{
    $CollectionID = (Get-CMDeviceCollection | Where {$_.Name -eq $Name}).CollectionID
    #Split on whitespace: "MW - Patching - Day 1 08:00" gives index 5 = day offset, index 6 = time
    $NameSplit = $Name -split '\s+'

    $Trace += "Splitting details for MW Monthly `r`n"
    $AddDays = [int]$NameSplit[5]
    $AddHour = $NameSplit[6]
    $AddHoursplit = $AddHour.split(":")
    $AddHours = [int]$AddHoursplit[0]

    #Get the date for the monthly MW cycle
    $Trace += "getting date for MW Monthly `r`n"
    #Get Patch Tuesday
    $SUSecondTuesday = $CurrentMonth | Get-DayOfMonth -year $CurrentYear -day $Day | Get-Date -Format "yyyy/MM/dd"

    #Add the day offset and the hour taken from the collection name to Patch Tuesday
    $addday = (Get-Date $SUSecondTuesday).AddDays($AddDays) | Get-Date -Format "yyyy/MM/dd HH:mm:ss"
    $addday = (Get-Date $addday).AddHours($AddHours) | Get-Date -Format "yyyy/MM/dd HH:mm:ss"

    #Delete any existing maintenance windows which are older than today, excluding any matching $MWException
    $Trace += "getting MW details for MW Monthly `r`n"
    $MWNames = (Get-CMMaintenanceWindow -CollectionId $CollectionID | Where {$_.Name -notlike $MWException}).Name

    Foreach ($MWName in $MWNames)
    {
        #Compare the MW start time with now
        $Starttime = (Get-CMMaintenanceWindow -CollectionId $CollectionID -MaintenanceWindowName $MWName).StartTime
        $StartDate = (Get-Date)
        $Timespan = New-TimeSpan -Start $StartDate -End $Starttime
        #If the MW started more than a day ago delete it
        If ($Timespan.Days -lt 0)
        {
            $RemoveMW = Remove-CMMaintenanceWindow -CollectionId $CollectionID -MaintenanceWindowName $MWName -Force
            $Trace += "Removed the following Maintenance window $($MWName) from $($CollectionID) `r`n"
        }
    }

    #Create a schedule
    $ScheduleDate = $addday
    $Schedule = New-CMSchedule -Start $ScheduleDate -DurationCount $Duration -DurationInterval Hours -Nonrecurring

    #Apply a maintenance window
    $Trace += "Creating MW for MW Monthly `r`n"
    $NameMW = "Monthly $addday"
    $NewMW = New-CMMaintenanceWindow -CollectionID $CollectionID -ApplyTo SoftwareUpdatesOnly -Name $NameMW -Schedule $Schedule
    $Trace += "Added the following Maintenance window to $($Name) $($NewMW) `r`n"
}

#Output the trace log once all collections have been processed
$Trace


Now let's break it down.

The following function, which was written by a fellow Senior PFE based in Sydney, helps us find the actual date of Patch Tuesday for this month.

We then collect the names of the collections, excluding anything we specified in the $Exclude variable.

We then create a ForEach loop to do the following for each collection:

Split the name and adjust the date and time for the schedule.

Get the existing maintenance windows and delete any that are older than today.

Create a schedule and create the monthly maintenance window.

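As an added example (not part of the original post), here is a dry-run version of the name parsing and date arithmetic above that can be run without a site connection to confirm what each collection name will produce. The function names, the regular expression and the -ReferenceDate parameter are my own; unlike the post's script it also keeps the minutes from the time and accepts either a hyphen or an en-dash as the separator.

```powershell
# Added example, not the post's script: computes the maintenance window start a
# collection name will produce, without touching the ConfigMgr site.

function Get-PatchTuesday {
    param([datetime]$ReferenceDate = (Get-Date))
    # Midnight on the first of the month, then the offset (0-6) to the first Tuesday.
    $first  = (Get-Date -Year $ReferenceDate.Year -Month $ReferenceDate.Month -Day 1).Date
    $offset = ([int][DayOfWeek]::Tuesday - [int]$first.DayOfWeek + 7) % 7
    # Patch Tuesday is the second Tuesday: first Tuesday plus seven days.
    return $first.AddDays($offset + 7)
}

function Get-MaintenanceWindowStart {
    param(
        [Parameter(Mandatory)][string]$CollectionName,
        [datetime]$ReferenceDate = (Get-Date)
    )
    # Accept "-" or an en-dash as separator and any amount of whitespace, e.g.
    # "MW – Patching – Day 1 08:00" or "MaintenanceWindows - Patching - Day 8 22:00".
    $pattern = '^.+?\s*[-\u2013]\s*Patching\s*[-\u2013]\s*Day\s+(?<Day>\d{1,2})\s+(?<Hour>\d{1,2}):(?<Minute>\d{2})\s*$'
    if ($CollectionName -notmatch $pattern) {
        throw "Collection name '$CollectionName' does not follow the 'Day <n> HH:mm' convention"
    }
    $hour   = [int]$Matches.Hour
    $minute = [int]$Matches.Minute
    if ($hour -gt 23 -or $minute -gt 59) {
        throw "Collection name '$CollectionName' has an invalid time of day"
    }
    $patchTuesday = Get-PatchTuesday -ReferenceDate $ReferenceDate
    [pscustomobject]@{
        CollectionName = $CollectionName
        PatchTuesday   = $patchTuesday.ToString('yyyy-MM-dd')
        Start          = $patchTuesday.AddDays([int]$Matches.Day).AddHours($hour).AddMinutes($minute)
    }
}

# Constructed sample names. November 2015 is the month used in the post, where
# Patch Tuesday fell on the 10th, so Day 5 21:00 should give 2015-11-15 21:00.
$sample = @(
    'MW – Patching – Day 1 08:00',
    'MaintenanceWindows - Patching - Day 5 21:00',
    'MaintenanceWindows - Patching - Day 8 22:00',
    'Ad Hoc - Servers'   # does not follow the convention, reported as a warning
)
foreach ($name in $sample) {
    try   { Get-MaintenanceWindowStart -CollectionName $name -ReferenceDate (Get-Date '2015-11-01') }
    catch { Write-Warning $_.Exception.Message }
}
```
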
Before we run the script we'll look at the collections. I have 4 collections, only one of which has current maintenance windows.

When we look at the properties we can see that the collection has two current maintenance windows: an old one from last month that we'd like to delete, and one in the future for the upcoming Sunday that somebody has already created on an ad hoc basis and that we'd like to keep.

After the script runs we want the Ad Hoc maintenance window to still be there, the old Monthly one to be removed and our new Monthly maintenance window added, so in the script we'll set the exclusion variable ($MWException) to 'Ad Hoc*'.

Let's run the script and see what happens.

I have highlighted two areas. Firstly we can see in my trace that we have removed the old Monthly maintenance window, and then that we created 4 new monthly maintenance windows.

If we go back into the console we can see that all of the collections have maintenance windows now.

Let's go into each one and make sure we have the correct times and dates.

This month's Patch Tuesday occurred this week, on the 10th of November 2015, so I expect the following:

MaintenanceWindows - Patching - Day 5 08:00 to have two maintenance windows: the Ad Hoc one and a monthly maintenance window on the 15th of November at 8:00am.

Looking at the collection's maintenance window properties we have exactly that.

MaintenanceWindows - Patching - Day 5 21:00 to have one maintenance window: a monthly maintenance window on the 15th of November at 9:00pm.

MaintenanceWindows - Patching - Day 8 09:00 to have one maintenance window: a monthly maintenance window on the 18th of November at 9:00am.

Finally, MaintenanceWindows - Patching - Day 8 22:00 to have one maintenance window: a monthly maintenance window on the 18th of November at 10:00pm.

Ensure that when you play with this script in your dev environment you change the variables to match your collection names, maintenance windows and site code.

So you can see that with a little bit of PowerShell you can save yourself a lot of time and effort. This is just a very small example of how you can automate Configuration Manager, so download the latest set of cmdlets and start enjoying the power of automation.

PLEASE NOTE this script is a sample only and should be adjusted to your unique environment and thoroughly tested in a development environment before any use.

System Center Endpoint Protection for Windows Server 2003

A quick reminder that Windows Server 2003 is coming to end of life and will be unsupported after July 14 2015 – a mere 20 days away.

While your Server 2003 OS will continue to run, it is important to note that for people using System Center Endpoint Protection (SCEP) for antivirus, definition updates will no longer be provided.

From the Configuration Manager Team Blog:

“On this same date, customers using System Center Endpoint Protection or Forefront Endpoint Protection on Windows Server 2003 will stop receiving updates to antimalware definitions and the engine for Windows Server 2003.”

You can detect operating systems with SCEP installed using Compliance Settings in Configuration Manager and reporting on the value of the following registry key:

HKLM\Software\Microsoft\Microsoft Antimalware\EndOfLifeState

A value of 2 means that the operating system is nearing end of life, while a value of 3 means the operating system is no longer supported by the SCEP client.

So what can you do? Not a lot unfortunately, except continue to migrate applications and services residing on legacy systems. As the team blog states:

“We have found in our research that the effectiveness of antimalware solutions on out-of-support operating systems is limited. Given the fast pace of technology, it has become increasingly important that customers use modern software and hardware that is designed to help protect PCs and servers against today’s threat landscape.”

Details on how you can plan for migration and tools which can help can be found here
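As an added example that is not from the post, the following PowerShell sweeps a list of servers over the Remote Registry service and reports the EndOfLifeState value described above. The function name, the use of Remote Registry instead of PowerShell remoting (Server 2003 hosts rarely have WinRM enabled) and the server names are my assumptions.

```powershell
# Added example, not from the post: report the SCEP EndOfLifeState value per server.
# The meaning of 2 and 3 follows the post; an absent value is reported as unknown
# rather than treated as healthy, since it usually means SCEP is not installed.

function Get-ScepEndOfLifeState {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($computer in $ComputerName) {
        $value = $null
        $err   = $null
        try {
            # Remote Registry (RPC) rather than PowerShell remoting so Server 2003 hosts can be read.
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
            $key  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Microsoft Antimalware')
            if ($key) {
                $value = $key.GetValue('EndOfLifeState')   # $null when the value does not exist
                $key.Close()
            }
            $hklm.Close()
        } catch {
            $err = $_.Exception.Message
        }

        $status = if ($err)                  { "Error: $err" }
                  elseif ($null -eq $value)  { 'Unknown: value absent (SCEP not installed?)' }
                  elseif ($value -eq 2)      { 'Nearing end of life' }
                  elseif ($value -eq 3)      { 'Unsupported by the SCEP client' }
                  else                       { "Supported (value $value)" }

        [pscustomobject]@{
            ComputerName   = $computer
            EndOfLifeState = $value
            Status         = $status
        }
    }
}

# Constructed server names; in practice feed it the members of a ConfigMgr collection.
Get-ScepEndOfLifeState -ComputerName 'srv2003-01', 'srv2012-01' | Format-Table -AutoSize
```

The same lookup with the local registry path is what a Compliance Settings discovery script would return, with the rule comparing the value against 2 and 3.
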

Starting NDES Services (Device Registration Service) Fails with “object does not exist”

I ran into this issue when configuring SCEP/NDES certificate registration for an Intune tenant.

Following all the best practice configuration steps left me with an SCEP enrollment page returning Internal Server Error 500 instead of the expected 200.

I found that the Device Registration Service was not starting correctly. In the event logs I found it attempting to start and then stopping.

The two most helpful events are EventID 137:

Failed to find the Device Registration Service object at DeviceRegistrationService.

Additional information
Error Message: The object does not exist..
Error Result code: NoSuchObject.

and EventID 157:

An error occurred.

Additional information
Error: Failed to find the Device Registration Service object in the configuration naming context in domain contoso.com.

It’s essentially saying that the DeviceRegistrationService objects have not been successfully written to AD.

If I browse the Configuration partition of my Active Directory, I can see there is no Device Registration Configuration.

And if I run the Get-AdfsDeviceRegistration PowerShell cmdlet, I get a configuration error.

To fix this, run Initialize-ADDeviceRegistration.

You’ll then find the Device Registration Configuration objects in your Active Directory.

Start the Device Registration Service again, and all should start as expected.

Restart the NDES server just to be sure everything is talking correctly, and test the SCEP URL again. This time we should get a 200 instead of a 500.

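As an added check that is not part of the post, this PowerShell function verifies from the ADFS server the three things walked through above: the Device Registration objects in the configuration naming context, the state of the Device Registration Service, and the HTTP status of the SCEP URL. The search under CN=Services, the service name 'drs', the function name and the placeholder URL are my assumptions.

```powershell
# Added example, not from the post: one health check for the DRS/NDES symptoms above.
# Assumes the ActiveDirectory module is installed and the DRS service is named 'drs'.

function Test-NdesDeviceRegistration {
    param(
        [string]$ScepUrl        = 'http://ndes.contoso.com/CertSrv/mscep/mscep.dll',  # placeholder
        [string]$DrsServiceName = 'drs'                                                # assumption
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # Objects written by Initialize-ADDeviceRegistration live in the configuration partition
    # under CN=Services; searching by name avoids hard-coding the full container path.
    $configNc   = (Get-ADRootDSE).configurationNamingContext
    $drsObjects = @(Get-ADObject -SearchBase "CN=Services,$configNc" -SearchScope Subtree `
                                 -Filter "Name -like 'Device Registration*'")

    $service = Get-Service -Name $DrsServiceName -ErrorAction SilentlyContinue

    # A 500 from mscep is the symptom in the post; capture the status code even on failure.
    $httpStatus = try {
        (Invoke-WebRequest -Uri $ScepUrl -UseBasicParsing -ErrorAction Stop).StatusCode
    } catch {
        if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { $_.Exception.Message }
    }

    [pscustomobject]@{
        DrsConfigObjectsInAD = $drsObjects.Count
        DrsServiceState      = if ($service) { [string]$service.Status } else { 'not installed' }
        ScepHttpStatus       = $httpStatus
        Healthy              = ($drsObjects.Count -gt 0 -and
                                $service -and $service.Status -eq 'Running' -and
                                $httpStatus -eq 200)
    }
}

Test-NdesDeviceRegistration -ScepUrl 'http://ndes.contoso.com/CertSrv/mscep/mscep.dll'
```

If DrsConfigObjectsInAD is 0, that is the state the post describes and Initialize-ADDeviceRegistration is the fix; a 401 from the URL with the service running usually just means the request was unauthenticated, not that NDES is broken.
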
Matt Shadbolt

Network Device Enrollment Service (NDES) – ERROR_SERVICE_EXISTS

Ran into this doozy this week while trying to re-add the NDES role services.

The specified service already exists. 0x80070431 (WIN32: 1073 ERROR_SERVICE_EXISTS)

The fix is to ensure there is no lingering NDES configuration.

From Regedit, delete the following key (back it up first!):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP

Matt Shadbolt

Where the heck are my Android Web Apps?!

When I deploy web apps to Android devices they never show up in the Apps list. Where the heck are they!?

Intune Web Apps are basic URL shortcuts that are delivered to Intune managed devices. They’re great for dropping links on devices to your Intranet, your favourite SaaS web portal or that website that all of your users require day-to-day.

When you deploy a web app to an iOS device, the web app is displayed on the user's home screen just like any iOS application.

Many people expect the same to be true for Android deployments. This isn’t the case. You’ll find the deployed web app from within the Intune Widget.

To view the web app, you’ll need to add the Intune Widget to your home screen.

Press and hold the background of your home screen until it allows you to edit the apps/wallpapers/etc. You’ll see a Widgets option. Press that icon.

Find the Company Portal widget.

Select and hold the widget. You’ll be prompted to drop the widget onto your preferred home screen.

Let it go in place, and you’ll now see your deployed web apps.

Matt Shadbolt

So you want to test your NDES/SCEP certificate enrollment?

SCEP (Simple Certificate Enrollment Protocol) and NDES (Network Device Enrollment Service) are the mechanisms we currently use to deploy certificates to our mobile devices via Intune and Configuration Manager. The tech is very (very) cool, but for the average ConfigMgr admin it’s got quite a steep learning curve.

Once you (kinda) understand how it all works, you’ll begin to test your configuration. Testing NDES and SCEP is a pain in the neck, as there are so many moving parts. Worst is having to troubleshoot certificate enrollment on the tiny screens of your mobile devices.

Luckily, we can test and troubleshoot from our Windows workstations.

In my scenario, I’ve got an NDES server hosted in Azure. I know the NDES server is ‘up’ as browsing the URI works fine (http://ndes.mydomain.com/CertSrv/mscep). I want to test that the NDES certificate template is deployed correctly, and the certificate is valid.

First, you’ll need to create an .inf file that will hold some request information. It should include the request's Subject name and the RequestType as a minimum. You can also add any of the optional attributes you want or need. For example, my NDES template has a minimum key length of 2048, so I needed to add the KeyLength attribute too (see Certreq.exe INI File Structure).

request.inf

[NewRequest]
Subject = "CN=TestNDESCert"
RequestType = SCEP
KeyLength = 2048

Once we have our request .inf, we need to create a certificate request. From an elevated command prompt:

certreq -v -config ndes.mydomain.com -username MYDOMAIN\Administrator -p Password -new request.inf scepRequest.req

Let's break this down.

certreq -v -config ndes.mydomain.com specifies my NDES server, which is publicly available. The certreq documentation notes that to use https you must specify the URI instead of the FQDN; however, in my testing on Windows 10 I could not get https to work. From my tracing I found certreq putting “http://” in front of any URL that I passed in on the command line. So, if you’re using https, you may have to enable http for this sort of testing.

-username MYDOMAIN\Administrator -p Password is my test user's username and password.

-new request.inf scepRequest.req is the verb calling a new request, feeding in my request.inf (created above) and naming the output file scepRequest.req.

You should get something like this back from the command.

If you now check on the CA, you should see a certificate has been issued to this client.

Now that we have our request, we need to submit it to the NDES server to receive our certificate.

certreq -v -config ndes.sa.mattslabs.com -submit scepRequest.req scepCert.cer

This is pretty straightforward. Submit the newly created scepRequest.req request file, and receive a certificate scepCert.cer from the NDES server.

Finally, install the certificate and view it in your Certificates – Current User MMC snap-in:

certreq -accept scepCert.cer

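As an added example that is not from the post, the following PowerShell wraps the three certreq steps above into one function and then validates the certificate that comes back instead of eyeballing it in the MMC. The function name, the Get-Credential prompt (so the password is not left on the command line) and the working directory are my own; the server and account values are placeholders.

```powershell
# Added example, not from the post: run the certreq new/submit/accept sequence
# against NDES and check the issued certificate's subject, key length and validity.

function Test-ScepEnrollment {
    param(
        [Parameter(Mandatory)][string]$NdesServer,     # e.g. ndes.mydomain.com (placeholder)
        [Parameter(Mandatory)][string]$UserName,       # e.g. MYDOMAIN\testuser (placeholder)
        [string]$SubjectName = 'CN=TestNDESCert',
        [int]$KeyLength      = 2048,
        [string]$WorkDir     = (Join-Path $env:TEMP 'sceptest')
    )
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $inf = Join-Path $WorkDir 'request.inf'
    $req = Join-Path $WorkDir 'scepRequest.req'
    $cer = Join-Path $WorkDir 'scepCert.cer'

    # Same three keys as the post's request.inf; certreq needs straight quotes.
@"
[NewRequest]
Subject = "$SubjectName"
RequestType = SCEP
KeyLength = $KeyLength
"@ | Set-Content -Path $inf -Encoding ASCII

    # Prompt for the password rather than embedding it in the script or shell history.
    $cred = Get-Credential -UserName $UserName -Message 'Account used for the SCEP request'
    $pwd  = $cred.GetNetworkCredential().Password

    # 1) build the request, 2) submit it to NDES, 3) install the returned certificate
    & certreq.exe -v -config $NdesServer -username $UserName -p $pwd -new $inf $req
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
    & certreq.exe -v -config $NdesServer -submit $req $cer
    if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed with exit code $LASTEXITCODE" }
    & certreq.exe -accept $cer
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

    # Validate what NDES actually issued, not just that something came back.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cer
    $now  = Get-Date
    [pscustomobject]@{
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer
        KeyLength      = $cert.PublicKey.Key.KeySize
        NotBefore      = $cert.NotBefore
        NotAfter       = $cert.NotAfter
        SubjectOk      = ($cert.Subject -eq $SubjectName)
        KeyLengthOk    = ($cert.PublicKey.Key.KeySize -ge $KeyLength)
        CurrentlyValid = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
        ChainValid     = $cert.Verify()   # builds the chain to a trusted root on this machine
    }
}

Test-ScepEnrollment -NdesServer 'ndes.mydomain.com' -UserName 'MYDOMAIN\testuser'
```

A false KeyLengthOk with a successful enrollment means the template, not the client, is overriding the request, which is the template check the post set out to do.
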
Happy testing!

Matt Shadbolt


Microsoft Intune Co-existence with MDM for Office 365

In mid-November 2015, we released a service update to Microsoft Intune. It was a massive update for us, and included a huge amount of new features. You can view the announcement post here.

One of the features announced has gone a little under the radar, and that’s co-existence with MDM for Office 365.

You can now activate and use both MDM for Office 365 and Intune concurrently on your tenant and set the management authority to either Intune or MDM for Office 365 for each user, to dictate which service will be used to manage their mobile devices. A user’s management authority is defined based on the license assigned to the user. If the user is assigned the EMS or Intune license, Intune will manage the user’s devices and apps. If the user is assigned the Office 365 license (without the EMS or Intune license), then MDM for Office 365 will manage the user’s devices. Stay tuned for a detailed blog post on this topic in the coming weeks.

This is great news for customers who currently use the built-in MDM for Office 365. For those unfamiliar, MDM for Office 365 is a limited set of MDM features and controls that comes as part of your Office 365 subscription. It’s a really great feature for a lot of customers who are new to Office 365, and want to ensure their data and devices are secure without a whole lot of effort.

While MDM for Office 365 is great, it’s certainly no Intune!

We find that many customers are interested in Intune, however a lot want to start quickly and initially choose MDM for Office 365. Traditionally, this MDM Authority decision, once made, could not be easily changed. Further, once it was set/changed, every user across the organization had to use the single MDM Authority – be it Microsoft Intune or MDM for Office 365.

With the Intune Co-existence with MDM for Office 365 feature, we can now assign a set of users to use MDM for Office 365, and another set of users to be Intune enabled.

How do we enable Co-existence?

There’s actually not much we need to do. Users who are assigned EMS or Intune licenses are automatically managed by Intune, and users who are assigned an Office 365 license (and no Intune license) will use the MDM for Office 365 authority.

To enable MDM for Office 365, browse to the http://portal.office.com portal, select the MOBILE MANAGEMENT tab and select ENABLE MDM. Office 365 will then do the MDM Authority provisioning. Once complete, the MOBILE MANAGEMENT tab will allow you to manage MDM policies and devices. For a complete setup guide, visit https://support.office.com/en-us/article/Manage-mobile-devices-in-Office-365-dd892318-bc44-4eb1-af00-9db5430be3cd

From the Intune side, when you attempt to set the MDM Authority (to either ConfigMgr or Intune Standalone) there is some new text. Previously, you couldn’t “Add” Intune as the MDM Authority, you had to “Set” Intune as the MDM Authority. Meaning it was one or the other. Now, we see that the MDM Authority is set to Office 365, however we have the option to Add Intune as a subsequent MDM Authority.

Here I’ve got two users, both of whom have an Office 365 E3 license. The Matt.IntuneMDM account also has an Intune A Direct license assigned.

From the Matt.MDMOffice365 account, I should be blocked from my Office 365 email unless I’ve enrolled in the MDM for Office 365 service. I’ve downloaded the Outlook app and entered my credentials. Office 365 can see that my device is not enrolled, so it’s prompting for MDM for Office 365 enrollment. Once enrolled, I’ll receive all of the security policies set – such as password/encryption/etc. requirements.

From the MOBILE MANAGEMENT tab in the Office 365 Portal, I can see my device has been enrolled

Now, I’ll perform the same process using my Matt.IntuneMDM account, which has an Intune Direct A license applied. Because this license is applied, the devices this user attempts to use will be managed by the Intune MDM authority, not the MDM for Office 365 authority.

And as I’ve not set anything up in Intune (no Conditional Access for Office 365), my email access will be granted without enrolling.

And that’s about it. I’ve got two separate Office 365 users – one with an Intune license and one without, both being secured by MDM.

Matt Shadbolt | Program Manager | Enterprise Client & Mobility (Intune)

Configuration Manager 1511 (current branch) Supported Configurations

One problem with dropping the year from our product name (it’s System Center Configuration Manager now) is that it can be tricky to search for documentation!

One page I visit almost weekly is the Supported Configurations page.

Here is the landing page for the ConfigMgr 1511 Supported Configurations

https://technet.microsoft.com/en-us/library/mt589499.aspx

Here is the page outlining supported client counts (how many Intune devices do we support?) and site system scale (how many MPs do you need?)

https://technet.microsoft.com/en-us/library/mt589738.aspx 

Here is the page describing the SQL requirements (CU requirements, collation requirements, etc)

https://technet.microsoft.com/en-us/library/mt589592.aspx 

And finally, the page listing recommended hardware specs for ConfigMgr

https://technet.microsoft.com/en-us/library/mt589500.aspx

Intune MAM Without Enrollment

At Ignite Australia 2015, I was very proud to be one of the first publicly demonstrating the Intune MAM without enrollment features, announced by Satya in November. The Intune MAM without enrollment features allow organizations to protect their Office apps on iOS and Android without the need to enroll their devices in Intune MDM. This means that customers who already have an MDM vendor, or who don’t wish to manage their users’ devices via MDM, can still protect access to Office 365 and company data. This includes cut/copy/paste restrictions, preventing ‘save-as’, jailbreak detection, PIN requirements and the ability to remote wipe MAM protected data.

For more information, there’s some great Technet walkthroughs.

Configure data loss prevention app policies with Microsoft Intune

Get started with mobile app management policies in the Azure portal

Create and deploy mobile app management policies with Microsoft Intune

Monitor mobile app management policies with Microsoft Intune

Wipe managed company app data with Microsoft Intune

End-user experience for apps associated with Microsoft Intune mobile app management policies

At the time of posting, the following apps support MAM without enrollment.

iOS

OneDrive
Excel
PowerPoint
Word
Outlook

Android

OneDrive
Outlook

Stay tuned for more and more apps being MAM enabled!

You can access the new Intune MAM console via the https://portal.azure.com portal. You’ll need either Intune or EMS licenses available (and applied) to all of your users to enable these features.

Happy MAM-ing!

Matt Shadbolt

Australian Apple Device Enrollment Program (DEP) reseller ID’s

Hi Aussie MDM admins!

I thought it would be handy to put together a list of Authorized Apple DEP resellers and their DEP reseller ID’s. If you know of any more, or need me to update/fix any of the list items below, please use the comments below!

Matt

Reseller | Apple DEP reseller ID | Link
Telstra | 1A586DA0 | https://www.telstra.com.au/small-business/mobile-phones/mobile-applications-and-services/telstra-mobile-device-management
CompNow | 6280D50 | https://www.compnow.com.au/services/apple-dep-purchasing/

Intune Mobile Application Management Compatible Apps

One challenge many Intune admins face is keeping on top of which apps do/don’t support Mobile Application Management (MAM) policies. With the general availability of MAM without enrollment, this gets even harder to manage.

The MAM team have recently released a new portal that will show you all of the MAM enabled apps, and what MAM features they support.

https://www.microsoft.com/en-au/server-cloud/products/microsoft-intune/partners.aspx 

On the page, you’ll find all of the Intune MAM partners – be they Adobe, Box, SAP or even the Office team.

Selecting each app will display the MAM scenarios they support (MDM with MAM or MAM without Enrollment), what platforms they support and whether or not they’re multi-identity capable.

You’ll also find some very handy links to the apps in the Apple or Google app stores!

So bookmark this page, and check it every few weeks, as the list of MAM-enabled apps is expanding at a rapid rate!

Matt Shadbolt
Senior Program Manager
Enterprise Client and Mobility – Intune

Intune Device Group Mapping

A recently released feature allows you, as an IT Pro, to publish a list of categories from which an end user performing a device enrollment chooses one to tag the device.

This allows devices to be automatically added to Intune groups based on the end user’s selection, and specific policies/apps/profiles can then be deployed to those groups.

To utilize this feature, you’ll want Intune groups created for each category. To do this, open your Intune admin console and create three new blank Intune groups.

Now enable and configure the Device Group Mapping feature.  Browse to ADMIN > Mobile Device Management > Device Group Mapping

Flip the switch to enable Device Group Mapping

You’ll then be presented with two steps. Step 1: Create device groups is only required if you haven’t created your groups previously. Step 2: Manage device group mapping rules is where you map each device category to a device group.

Click the Add button and enter the required info. The text box is the description your users will see, and the device group is the Intune group the device will become a member of.

Once complete, you should have a mapping rule for each of your groups

Press the save button when complete and get a test device.

When any user now enrolls their device, they will be presented with a choice of which group the device should become a member of

And selecting this group will drop the device into the correct Intune group

Note that when you enable this feature, it’s enabled for all of your Intune licensed users. Currently, there is no way to target this feature to a subset of users, nor target a custom set of categories for a subset of users.

Matt Shadbolt
Senior Program Manager
Enterprise Client and Mobility – Intune

Choose between Microsoft Intune standalone and hybrid

When speaking with customers and partners, the most common discussion is about choosing between Intune standalone (cloud only) and hybrid (ConfigMgr).

It’s an important decision, as it’s not particularly easy to change your mind once device deployment has begun.

We’ve recently published a TechNet article that aims to make your decision easier. The document includes an overview of the main differences between standalone and hybrid, an easy to follow design decision workflow, and high-level pros and cons of each option.

Choose between Microsoft Intune standalone and hybrid mobile device management with System Center Configuration Manager

This document will be updated as technology changes, so be sure to check back regularly as many of these design decisions will be redundant in future releases of Intune/ConfigMgr.

I hope you find the new doc useful!

Matt Shadbolt
Senior Program Manager
Enterprise Client and Mobility – Intune

Troubleshooting MSI Deployments over the MDM Channel

The ability to deploy Win32 MSI apps to MDM enrolled devices is becoming more popular, and there is a lot of great information out there on how to deploy MSI payloads through either Intune Standalone or Intune Hybrid (ConfigMgr).

This post is aimed at assisting you in some troubleshooting steps when things go wrong.

For this example I will be deploying an Office 365 ProPlus MSI Installer created using the Office 365 ProPlus Install Tool which is available here

Issue 1: The MSI Application does not appear in the Company Portal

Common Cause: MSI deployment over MDM is only available to Windows 10+


Issue 2: The MSI Job is not created

Things to check:

Did the Mobile MSI Job get delivered to the Client?

Check the registry for the following keys:

  • HKLM\SOFTWARE\Microsoft\EnterpriseDesktopManagement\S-0-0-00-0000000000-00000000000-00000000000-0000000000-00\MSI\<MSIProductID> (For Device targeted MSI Deployment)
  • HKLM\SOFTWARE\Microsoft\EnterpriseDesktopManagement\<UserSID>\MSI\<MSIProductID> (For User targeted MSI Deployments)


Issue 3: The application never installs

Things to check:

  1. Check the Status and LastError registry values.
  2. Compare the Status value against the definitions below:
  • 70 = Successfully installed/uninstalled
  • 10 = Initialized
  • 20 = DownloadInProgress
  • 25 = PendingDownloadRetry
  • 30 = DownloadFailed
  • 40 = DownloadCompleted
  • 48 = PendingUserSession
  • 50 = EnforcementInProgress
  • 55 = PendingEnforcementRetry
  • 60 = EnforcementFailed
  • 70 = EnforcementCompleted

Issue 4: Download Failure

Check the status of the BITS Job

Run Bitsadmin /list /allusers

Run Bitsadmin /info <BITSJobID> /verbose


Finally Check Logs

For Device targeted MSI deployments, logs will be written to %windows%\temp\<MSIProductID>.msi.log

For User targeted MSI Deployments, logs will be written to %temp%\<MSIProductID>.msi.log

Example: C:\users\Ian\AppData\Local\Temp\……..


That is about it. Once you work through these items you should have successfully deployed your MSI payload over the MDM channel.
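As an added example that is not part of the original post, the following PowerShell walks the registry keys above for every device- and user-targeted MSI job, decodes the Status value with the table above, reports LastError and checks whether the log file exists. It assumes the key layout, the Status/LastError value names and the device SID placeholder exactly as described in this post.

```powershell
# Added example, not from the original post: walk the EnterpriseDesktopManagement keys
# described above, decode each job's Status value and locate its MSI log.
# Assumes the key layout and the Status/LastError value names shown in this post.
$statusMap = @{
    10 = 'Initialized'
    20 = 'DownloadInProgress'
    25 = 'PendingDownloadRetry'
    30 = 'DownloadFailed'
    40 = 'DownloadCompleted'
    48 = 'PendingUserSession'
    50 = 'EnforcementInProgress'
    55 = 'PendingEnforcementRetry'
    60 = 'EnforcementFailed'
    70 = 'EnforcementCompleted'
}
$root = 'HKLM:\SOFTWARE\Microsoft\EnterpriseDesktopManagement'

Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
    # Device-targeted jobs sit under the all-zero placeholder SID, user-targeted jobs under a user SID
    $sid      = $_.PSChildName
    $msiRoot  = Join-Path $_.PSPath 'MSI'
    if (-not (Test-Path $msiRoot)) { return }
    $isDevice = $sid -like 'S-0-0-00-*'

    Get-ChildItem -Path $msiRoot | ForEach-Object {
        $productId = $_.PSChildName
        $job       = Get-ItemProperty -Path $_.PSPath
        $status    = [int]$job.Status
        # Log locations as given in the post (%windows%\temp for device, %temp% for user jobs).
        # The user log is only found when this runs as that user, because %temp% is per user.
        if ($isDevice) { $logPath = Join-Path $env:windir "Temp\$productId.msi.log" }
        else           { $logPath = Join-Path $env:TEMP "$productId.msi.log" }
        if ($statusMap.ContainsKey($status)) { $statusName = $statusMap[$status] } else { $statusName = 'Unknown' }
        if ($isDevice) { $target = 'Device' } else { $target = "User $sid" }
        [PSCustomObject]@{
            Target     = $target
            ProductId  = $productId
            Status     = $status
            StatusName = $statusName
            LastError  = $job.LastError
            LogFound   = Test-Path $logPath
            LogPath    = $logPath
        }
    }
} | Format-Table -AutoSize

# A job stuck in a download state (20, 25 or 30) points at BITS; list the jobs as the post suggests
bitsadmin /list /allusers
```

Run it from an elevated PowerShell on the enrolled device, since the HKLM keys and the device log under the Windows temp folder need administrator rights.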

PowerShell to query Intune Health Dashboard

A couple of months ago, we moved the Intune health status data from the http://status.manage.microsoft.com dashboard into the Office 365 Health Dashboard.

We believe the experience is much better, with health information targeted at your tenant’s region and wrapped up into the overall Office 365 portal.

It also means we can use the Microsoft Online APIs to query the health status.

To start, I’ve ripped off some code from my old colleague, Cam Murray. Shout out to his blog, and here’s the post.

https://blogs.technet.microsoft.com/cammurray/2014/09/23/using-powershell-to-obtain-your-tenants-office365-health-dashboard/

His post explains in detail, but essentially we’re connecting using our Intune admin credentials and receiving ALL of the Office 365 health status.

I’ve then added a couple of lines that do the status filtering to only Intune, and some basic formatting to make it readable.

# Prompt for Intune admin credentials and register with the service health endpoint
$cred = Get-Credential
$jsonPayload = (@{userName=$cred.UserName;password=$cred.GetNetworkCredential().Password;} | ConvertTo-Json).ToString()
$cookie = (Invoke-RestMethod -ContentType "application/json" -Method Post -Uri "https://api.admin.microsoftonline.com/shdtenantcommunications.svc/Register" -Body $jsonPayload).RegistrationCookie
# Use the registration cookie to fetch all Office 365 health events for the tenant
$jsonPayload = (@{lastCookie=$cookie;locale="en-US";preferredEventTypes=@(0,1)} | ConvertTo-Json).ToString()
$events = (Invoke-RestMethod -ContentType "application/json" -Method Post -Uri "https://api.admin.microsoftonline.com/shdtenantcommunications.svc/GetEvents" -Body $jsonPayload)

# Keep only the events affecting Intune and print their messages in a readable table
$intuneEvents = $events.Events | Where-Object { $_.AffectedServiceHealthStatus.InternalName -eq 'Intune' }
$intuneEvents | Select-Object -ExpandProperty Messages -ErrorAction SilentlyContinue | Format-Table -Wrap Status, PublishedTime, MessageText

The output will look something like this

You could of course then use this info to pipe into your monitoring solution (such as SCOM) or even set the script as a scheduled task to send you an email when there are outages.

Hope this helps, and thanks to Cam for doing all the heavy lifting!

Matt Shadbolt
Senior Program Manager
Enterprise Client and Mobility – Intune
