SCCM Keyboard Shortcuts

SCCM console keyboard shortcuts are handy in some scenarios, such as demos and training sessions. We can just “show off” that we have some handy SCCM CB console keyboard shortcuts.

In this video post, we will see some very useful SCCM console keyboard shortcuts. How many of you have used MMC keyboard shortcuts with the SCCM 2007 MMC console? Those MMC shortcuts won’t work with SCCM CB versions.

The SCCM CB preview version introduced new keyboard shortcuts like Ctrl + M, Ctrl + T, etc. I’m not a frequent user of SCCM console keyboard shortcuts, but I think they could be useful at times.

As you can see in the video below, I have not used MOUSE at all to move around the SCCM CB console.

SCCM Workspace keyboard shortcuts

There are some extra shortcut keys available for SCCM CB Preview 1706 version (I’ve shown in the video and the screen capture below).

  • Assets and Compliance – Ctrl+1
  • Software Library – Ctrl+2
  • Monitoring – Ctrl+3
  • Administration – Ctrl+4
| SCCM Keyboard shortcut | Workspace |
|---|---|
| Ctrl + 1 | Assets and Compliance |
| Ctrl + 2 | Software Library |
| Ctrl + 3 | Monitoring |
| Ctrl + 4 | Administration |

Ctrl + M – Sets focus on the main (central) pane. You can select each computer, as I showed in the video, using the Ctrl + M SCCM CB console keyboard shortcut.

Left pane – as I showed in the video – select users, devices, user collections. Ctrl + T – Sets focus to the top node in the navigation pane. If the focus was already in that pane, the focus is set to the last node you visited.

| SCCM Keyboard shortcut | Purpose – Use of Shortcuts |
|---|---|
| Ctrl + M | Set the focus on the main (central) pane. |
| Ctrl + T | Set the focus to the top node in the navigation pane. If the focus was already in that pane, the focus is set to the last node you visited. |
| Ctrl + I | Set the focus to the breadcrumb bar, below the ribbon. |
| Ctrl + L | Set the focus to the Search field, when available. |
| Ctrl + D | Set the focus to the details pane, when available. |
| Alt | Change the focus in and out of the ribbon. |

Set focus to search – when the SEARCH option is available. Ctrl + L – Sets focus on the Search field, when available. I have shown this search in the embedded video. Press the Ctrl + T keyboard shortcut to set focus on search and start searching computers, users, site servers, etc.

Focus on the summary details pane – Ctrl + D. Sets focus to the details pane, when available. Press the Alt key on the keyboard to change focus in and out of the ribbon.

Ctrl + I – Sets focus to the breadcrumb bar, below the ribbon. This shortcut will set focus on the path for example \Assets and Compliance\Overview\Users.


CMPivot Console Keyboard Shortcuts

Let’s check which CMPivot keyboard shortcuts are available to make the SCCM admin’s life easy.

| Keyboard shortcut | Purpose |
|---|---|
| Ctrl + 1 | Set the focus on the first tab. |
| Alt + < | To back to the address |

Author

Anoop C Nair is a Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

SCCM CB Preview 1706 Upgrade New Capabilities Overview Video Configuration Manager MEMCM

The SCCM team released the newest PREVIEW version of SCCM CB 1706. I know most of us are waiting for the production release of SCCM CB 1706. I hope the production release of SCCM CB 1706 will happen sometime next month.

As per my previous experience and analysis, not all newly introduced features got added to the production version. I expect the same thing might happen with the production version of SCCM CB 1706.

I don’t think all the new features introduced in the PREVIEW version of 1706 will make it to the production version of SCCM CB 1706. I’ll provide SCCM CB Preview Version 1706 Upgrade and New capabilities Overview Video guide in this post.

The download of the SCCM CB 1706 preview version and upgrade from the SCCM CB 1705 preview version to 1706 is straightforward. A similar process is explained in the following video step-by-step guide “Step by Step Video Guide SCCM ConfigMgr CB TP 1705 Download and Upgrade“.

SCCM CB Primary Passive Site Server

Site server role high availability – Now, you can create a passive primary server with SCCM CB 1706 preview version, and this passive primary server will use the same SQL database. The passive SCCM primary server can’t write anything to the DB. How to create SCCM CB Passive Primary server? Go to Administration > Site Configuration > Sites and start the Add Site System Roles Wizard in the console.


SCCM CB SUP and Boundary Group Improvements

SCCM CB 1706 preview improves boundary groups for software update points (SUPs). Fallback for SUPs now uses a configurable time for fallback to neighbor boundary groups, with a minimum of 120 minutes.

Independent of the fallback configuration, a client attempts to reach the last software update point it used for 120 minutes. After failing to reach its original server for two hours, the client switches to a shorter cycle for contacting a new SUP.

Trigger Compliance Notification Alerts from SCCM CB 1706

There are some great improvements in device compliance policies. You can configure a time-ordered sequence of actions applied to devices that fall out of compliance. For example, you can notify users of non-compliant devices via e-mail or mark those devices as non-compliant.

This can be done via \Assets and Compliance\Overview\Compliance Settings\Compliance Policies\Compliance Notification Templates.


SCCM CB Compliance Policy options for AAD Registration and Antimalware

Also, I could see the new compliance policies for full SCCM clients, which can be used in conjunction with Conditional Access for Managed PCs. Those compliance policies are Azure Active Directory Registration and Antimalware presence.


Android and iOS Enrollment Restrictions are Available in SCCM CB 1706

Admins can now specify that users can not enroll personal Android or iOS devices in their hybrid environment, limiting enrollment to pre-declared company-owned devices or DEP-enrolled devices. You can configure this from Intune subscription under Cloud Services.

New client settings for Automatically Register the Domain Joined Devices to Azure AD (Default client policies)

This release adds new client settings to Configuration Manager. You’ll find these in the Cloud Services section. These settings give you the following capabilities:

  • Control which Configuration Manager clients can access a configured cloud management gateway.
  • Automatically register Windows 10 domain-joined SCCM clients with Azure Active Directory.


Other important Capabilities of SCCM CB 1706 PREVIEW version

  • Create and Run Scripts – Create and run PowerShell scripts from the SCCM console
  • Device Health Attestation assessment for compliance policies for conditional access
  • Android for Work application management policy for copy-paste
  • Android and iOS enrollment restrictions
  • New mobile application management policy settings
  • New Windows configuration item settings
  • Cisco (IPsec) support for macOS VPN profiles
  • Support for Entrust certification authorities
  • Configure Windows Update for Business deferral policies
  • Manage Microsoft Surface driver updates
  • PXE network boot support for IPv6
  • Changes to the Azure Services Wizard to support Upgrade Readiness.
  • SCCM console Accessibility improvements
  • Specify a different content location for installing content and uninstalling content
  • Hide task sequence progress
  • Include trust for specific files and folders in a Device Guard policy

Resources

Capabilities in Technical Preview 1706 for SCCM CB – Here

Author

Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

Intune MSI Application Deployment Video Guide Microsoft Endpoint Manager Step by Step Guide

How do you upload and deploy MSI applications to Windows 10 machines with Intune via the Azure console? MSI application deployment could be one of the most used features in Intune (at least for a couple of years).

In this video post, we will see the step-by-step MSI application deployment (Intune LOB application deployment) process.

NOTE! – Do not include the msiexec command or arguments, such as /i or /x, as they are automatically used. For more information, see Command-Line Options. If the .MSI file needs additional command-line options, consider using Win32 app management.

Introduction – Intune MSI Application Deployment

This post is also an end-to-end guide to creating MSI applications in Intune via the Azure portal. I already blogged about MSI MDM deployment via the MDM channel in the following post, “How to Deploy MSI App to Intune MDM Using SCCM CB and Intune“. This will include:-

  • Uploading the MSI LOB app to Intune
  • Deployment or Assignment options
  • End-User Experience on Windows 10 machine
  • How to troubleshoot with event logs and Pending Sync
  • How to get application installation status messages back to Intune console

Upload MSI LOB application to Intune

Uploading the MSI LOB app to Intune is a very straightforward process. Login to Azure portal and navigate via Microsoft Intune -> Mobile Apps -> Apps -> + Add button and select app type as “Line-of-Business app”. Click on “App package file,” browse to the MSI source file location and click on the OK button, as you can see in the video here.


You have to complete/fill the “App information” section before you can proceed with uploading the MSI to Intune. There are a couple of mandatory fields which you need to fill in. Command-line options are also available in this section. But, as per my experience, you can see in the video as well.

I have not used any silent switch for MSI, but by default, Intune/MDM on Windows 10 will install the app as silent (without any user interaction or input). Click on the ADD button to complete the MSI app creation process in Intune on the Azure portal.

Deployment or Assignment options of MSI Intune LOB application deployment

It would be best to wait until the application is successfully uploaded to Intune before you can create an assignment (or deployment). An assignment is a method that we use to deploy MSI applications to Windows 10 devices. You can deploy applications to Azure AD dynamic user groups or device groups. In this video/scenario, I used the AAD dynamic user group to target the MSI LOB apps. More details are available in the video here. There are different deployment types available in Intune.

  • Available – The user needs to go into the company portal and trigger the installation
  • Not applicable – Won’t get installed
  • Required – Forcefully get installed without any user interaction
  • Uninstall – Remove the application from the device
  • Available with or Without enrollment – Mobile Application Management (MAM) without MDM enrollment scenarios.


End-User Experience on Windows 10 machine

Windows 10 machines will get the new application deployment policy once the assigned user is logged into that machine. What is the option to speed up the application deployment to the machines?  You need to sync with Intune services using the following method (manually).

You can go to “Settings – Access Work or School – Work or School Account – Info (click on this button)” and click on  Sync. This will initiate Windows 10 machine sync with Intune services, and after a successful sync, the machine will get the latest application policies.

How to Troubleshoot with event logs and Pending Sync

Unlike SCCM/ConfigMgr deployments, we don’t have log files to look at the application installation status via the MDM channel on Windows 10 machines. So, you need to rely on the Company Portal for troubleshooting the MSI application.

As you can see in the following pic, the installation is waiting for “Pending Sync“. In this scenario, you can immediately initiate a manual sync to kick start the installation process, as I mentioned above.


Event logs – Windows Logs – Application is where you can get the status of an MSI application installation via the MDM or Intune channel on a Windows 10 machine.
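To read the Application log mentioned above without clicking through Event Viewer, the following PowerShell is an added example, not part of the original post. It assumes the standard Windows Installer event source (MsiInstaller, event IDs 1033, 11707 and 11708, none of which are named in the post), English-language event messages, and a hypothetical function name Get-MsiInstallStatus.

```powershell
# Added example: summarize MSI install results from the Application event log.
# Assumptions (not from the original post): the MsiInstaller provider and its
# event IDs 1033 (install finished with a status code), 11707 (completed
# successfully) and 11708 (failed), English-language event messages, and the
# hypothetical function name Get-MsiInstallStatus.

function Get-MsiInstallStatus {
    [CmdletBinding()]
    param(
        # How far back to search; 7 days is an arbitrary default.
        [datetime]$Since = (Get-Date).AddDays(-7),
        # Wildcard pattern matched against the product name.
        [string]$ProductNameLike = '*'
    )

    # Common Windows Installer exit codes reported in event 1033.
    $codeText = @{
        0    = 'Success'
        1602 = 'Cancelled by user'
        1603 = 'Fatal error during installation'
        1618 = 'Another installation is already in progress'
        1641 = 'Success, restart initiated'
        3010 = 'Success, restart required'
    }

    $filter = @{
        LogName      = 'Application'
        ProviderName = 'MsiInstaller'
        Id           = 1033, 11707, 11708
        StartTime    = $Since
    }

    # Get-WinEvent raises an error when no events match, so suppress it
    # and treat "nothing found" as an empty result.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $product = $null
        $code    = $null
        $result  = $null

        switch ($e.Id) {
            1033 {
                # "... Product Name: X. Product Version: Y. ... status: N."
                if ($e.Message -match 'Product Name:\s*(?<name>.+?)\.\s+Product Version:') {
                    $product = $Matches['name']
                }
                if ($e.Message -match 'success or error status:\s*(?<code>\d+)') {
                    $code   = [int]$Matches['code']
                    $result = if ($codeText.ContainsKey($code)) { $codeText[$code] } else { "Error $code" }
                }
            }
            11707 { $result = 'Success' }
            11708 { $result = 'Failed' }
        }

        # Events 11707/11708 use the form "Product: X -- Installation ...".
        if (-not $product -and $e.Message -match 'Product:\s*(?<name>.+?)\s+--\s') {
            $product = $Matches['name']
        }

        if ($product -notlike $ProductNameLike) { continue }

        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            EventId     = $e.Id
            Product     = $product
            StatusCode  = $code
            Result      = $result
        }
    }
}

# Example call: installs from the last day, newest first.
Get-MsiInstallStatus -Since (Get-Date).AddDays(-1) |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize
```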

How to get application installation status messages back to Intune console

To get the installation status of the MSI LOB apps to Intune on the Azure portal, you need to sync your work or school accounts with Intune services. The installation status will be blank in the Intune blade until the device has synced with Intune after installing the application on the Windows 10 machine.

Initiate the sync via “Settings – Access Work or School – Work or School Account – Info (click on this button)” and click on  Sync. Once the sync is completed successfully, you can try to check the Intune Device Install Status in Intune to check the status.


Reference:- 

  • How to add an app to Microsoft Intune – here
  • How to add Windows line-of-business (LOB) apps to Microsoft Intune – here


Hyper-V Backup Step by Step Installation Configuration Video Guide Altaro Backup Guide

In this post, we will see the details of the Hyper-V backup step-by-step installation and configuration guide. I have to build a Hyper-V Server 2016 with three VMs.

This is my new SCCM CB lab, and Altaro VM backup has been installed and configured on that server to take backup of my hyper-v VMs.

The restoration process of Hyper-v VMs from Altaro VM Backup will be covered in the future blog post. This blog post will cover the installation, configuration, VM backup, backup retention, and VM backup health check.

I’ve covered all the topics mentioned above in the video tutorial here.

Recently, Altaro released Altaro VM Backup v7 with vSphere 6.5 and Windows Server 2016 support, a concurrency update, and the new Cloud Management Console; more details here. They have included other features in the latest version of Altaro VM Backup v7: Boot VM from Backup and Augmented Inline Deduplication. The new Unlimited Plus Edition also comes with a new online console.

In general, this version will give you considerably increased backup concurrency per Hypervisor, and added with Altaro’s inline deduplication technology; the user can benefit from huge storage space saving and much better backup speeds.


STEP 1 – Connecting to Hyper-V and Discovering VMs

Hosts – This is the step where the Hyper-v machines have been discovered via Altaro VM backup. I have an SCCM infrastructure setup with this Hyper-V lab. So, Altaro was able to find the 3 VMs as part of the STEP 1 discovery.

STEP 2 – Setting up Backup locations for VM backups

Backup Locations – This is the place where we set up a backup location for each Hyper-V VM. You can provide network location and external hard disk. Setting up a backup site is just easy. Altaro backup automatically discovers the external hard disk or USBs connected to your Hyper-V server. You can drag and drop your VMs to a particular backup location, and that is it!


The scheduling of backup tasks for Hyper-V VMs via Altaro Hyper-V backup is very easy. You can set up a retention policy of Hyper-V VMs backups as per your organizational requirement.

Advanced settings provide options to customize backups and skip ISO files from Hyper-V VM backups. And if your organization has encryption requirements for VM backups, Altaro has an out-of-box setting to configure the encryption of VMs.

STEP 3 – Hyper-V VM Backup, Retention Schedules, and Reports

Step 3 is the last stage which I’m going to cover in this post. This is all about taking the backup of Hyper-V VMs using the Altaro backup solution. When you click on the “+” symbol on the right side of your VM and click on the “Take Backup” button, then Altaro will send the instructions to the hypervisor. You can also schedule the Hyper-V VM backups for automation of the backup process.


You can also check and verify the backup which has already been completed. Schedule Test Drills and Test – Verify backups options are for automating the validation of Hyper-V VMs backup. There are useful out-of-box reports that will provide you with the details about the Altaro Backup jobs completed.

Retention policies are useful to automate the deletion of old Hyper-V VM backups on a particular schedule. As per my testing, this is very useful to have better storage management.  Check out the video tutorial to know more about Altaro services and file systems. 8 Altaro Services are running on the hyper-v server.


Conclusion:-

This post covered installation, configuration, VM backup, backup retention, and VM backup health check. In a later post, I will cover the recovery options of the Altaro VM Backup solution in detail. Overall I had a great user experience with the installation, configuration, and VM backup of Altaro VM Backup. The drag and drop options for VMs are my favorite option in Altaro VM Backup. Stay tuned for the next post on the restore topic.


My Experience of Microsoft MVP Community Connect 2017 India | Most Valuable Professional

Last week, I attended Microsoft MVP Community Connect 2017 India in Coorg. Coorg is located on the southern side of India, and it’s also known as “The Scotland of India”.

This is a global event that is in full swing around the globe. Previously this event was called “MVP Open Days”. Last year this was conducted in Hyderabad. These events are an opportunity for MVP communities to gather together, learn new skills, and celebrate everything being an MVP has to offer.

The MVP Community Connect 2017 Video Experience – here

It was a great experience for me to meet Microsoft leaders. The interactions with community leaders from Microsoft helped me to understand the strategies. The best part of the event is that I got the chance to interact with fellow MVPs.

Those interactions and networking will help to understand their point of view about the cloud, Azure, openness, etc. I learned a lot from each of the fellow MVPs, like how they conduct community events, how they write blog posts, how they create video tutorials, etc.


Microsoft MVP Community Connect 2017 gave me a great opportunity to learn new things.

  • 1. Different Strokes – Virtual Communication Cues
  • 2. Stories Are Us – Written Communication Cues
  • 3. Improvise and Improve – Spoken (social) Communication Cues

Coorg is an excellent place to be around this time of the year. The climate was just superb; it was drizzling. We didn’t have proper mobile network connections, so it was disconnected from the world. But, we had a Wi-Fi connection available, so it was ok for an emergency. Moreover, the resort was very nice in the middle of the forest.


Differences Between Intune Enrollment Restriction Device Restriction Profile

I was going through one of the TechNet documents and got confused by enrollment restriction policies and device restriction policies. I have posted about both of these policies.

1. “Video Experience Intune Device Restriction Policy Deployment to Windows 10 Device” 

2. “How to Restrict Personal Android Devices from Enrolling into Intune“.

Device restrictions are entirely different from Enrollment restrictions. Both options have different use cases and that will be explained in this post. These two policies are used in modern device management solutions like Intune and Azure AD.

Enrollment Device Platform Restrictions

Intune Device restriction profiles (Enrollment Device Platform Restrictions) are policies similar to GPO from the traditional device management world. Most enterprise organizations use GPO to restrict corporate-owned devices. These are security policies that need to apply to devices. Intune Device restriction policies control a wide range of settings and features of mobile devices (iOS, Android, macOS, and Windows 10).

  • MDM – Allow or Block
  • Allow – min/max range
  • Personally owned devices – Allow or Block

Device Type Restriction in Intune

Enrollment device platform restrictions make more sense. Navigate to Devices – Enroll Devices – Enrollment Device Platform Restrictions.


This type of policy could be applicable to different categories including security, browser, hardware, and data sharing settings. For example, you could create a device restriction profile policy that prevents users of Windows devices from sharing the internet or using Cortana, etc.

Intune Device Restriction profiles can be deployed to specific users/devices in AAD groups whereas Intune Enrolment restriction policies can’t be deployed to specific user/device groups in Azure AD. More details are available in the following section of this post.

Intune Device Limit Restrictions

Enrollment is the first part of Mobile Device Management (MDM). Why do we need to enroll a mobile device into Intune? Enrollment is the first step for management. When a device is enrolled in Intune, it is issued an MDM certificate, which that device then uses to communicate with the Intune service.

In several scenarios, we need to block employees from enrolling their personal devices into the corporate management platform. You want to block devices that are not secure enough to enroll in Intune. For example, you want to block personal devices from enrolling.

Also, we can block devices running lower OS versions. How is this possible from Intune?

Navigate through Microsoft Intune – Enroll Devices – Enrollment device limit restrictions. You would be able to see two Intune enrollment restriction policies called:

1. Device Type Restrictions
2. Device Limit Restrictions

Device Type restriction is where we can define which platforms, versions, and management types can enroll. So all other devices are blocked from Intune enrollment.

The only problem with Intune enrollment restrictions that I can think of is that device type restrictions in Intune are deployed to “All Users,” and we can’t deploy or assign Intune enrollment restriction policies to a “specific user group”. At the moment, the device type restriction policies are tenant-wide configurations.

Device Limit Restrictions in Intune

Navigate to Devices – Enroll Devices – Enrollment Device Limit Restrictions to configure the limitation.


Intune How to Setup Android Work Support Step by Step Guide Microsoft Endpoint Manager

Google’s strategic approach is to support management only via the Android Work channel, and Microsoft Intune’s strategy is to support Android Work. In this post, we will see how to set up Android Work support in the Intune portal.

Latest Post – How To Configure Intune Enrollment Setup For Android Enterprise Device Management – HTMD Blog #2 (howtomanagedevices.com)

I have blogged about the enrollment for Android Work management via Intune “Intune How to Enroll Android for Work Supported Devices for Management“. The video embedded in the above post explains the process of enabling Android Work support in Intune Silverlight portal.

As you can see in the embedded video guide attached to this post, we will see how to unbind or change the Gmail/Google account which we used to set up Android work support in Intune Azure portal.

Once the existing Gmail account has been removed, then we can use a different Gmail account to configure, or set up Android Work support in Intune Azure console.

How to Unbind Android Work Account from Intune Azure Portal


We need to unbind the account from Intune Azure console when we want to change the Setup Android Work Google account. Unbind button in Intune Azure removes support for Android Work enrollment and removes the relationship between the Android work account Gmail and Intune.

I have seen some delay in the process of unbinding the Gmail account from Intune blade in the Azure portal. As you can see in the video here, I removed the Gmail account from the Android work setting in Intune blade in the Azure portal, but it took 2 minutes to reflect these changes. However, the removal of Android Work was immediately reflected on Intune Silverlight portal.

Setup Android Work Support in Intune Azure Portal

The configuration or setup of Android Work support in the Intune Azure portal is very similar to the one in the Silverlight portal. You just need to click on the Configure button, and that will open a pop-up where you can log in with a new Gmail or Android Work account. The Google configuration wizard will help you set up the connection between Intune and Google APIs like Google Play for Work, Android Work management, etc.


Setting up Android Work Enrollment & Management via Intune

Android for Work enrollment settings is also the same as Intune Silverlight console. We get three options for setting up Android work enrollment in Intune Azure portal.

1. Manage all devices as Android – This is opposite to Google’s strategic approach regarding managing the Android devices
2. Manage supported devices as Android for Work – As per my testing, all the Android 6.0 and above devices are supported for Android work enrollment and management via Intune. I have a blog post that explains A4W supportability “Intune Entry Level Low-Cost Device Support for Android for Work Enrollment“. Hence this is my best bet option for enrollment.
3. Manage supported devices for users only in these groups as Android Work – This could be used in case of testing or pilot process if your organization doesn’t have any test Intune environment.


SCCM ConfigMgr CB Download Upgrade Step by Step Guide Configuration Manager Endpoint Manager

This Saturday, the Microsoft SCCM team released the latest version of the technical preview. I have blogged about the two exciting features of the SCCM ConfigMgr CB version in the following post: “SCCM ConfigMgr AAD User Discovery and Client Authentication with Cloud Identities”.

This is not the production version of the SCCM ConfigMgr CB version. You should not install this version of SCCM in a production environment. Technical preview versions of SCCM CB will get released every month.

Introduction SCCM ConfigMgr CB Download Upgrade

I would recommend that SCCM admins install the TP version of SCCM CB in their lab environment so that they can keep up with the new features which are getting enabled in every TP release.

SCCM CB TP 1705 comes with loads of new features, and I will discuss some of the features in detail in upcoming blog posts. In this post, we will see how I completed the download and installation of SCCM ConfigMgr CB TP 1705.

You can refer to the video here or the one embedded at the start of this post. In this post, the download and upgrade of the SCCM ConfigMgr CB TP version have been split into six parts. As you can see in the picture below, you may need to start the download (Available to Download).

  1. SCCM ConfigMgr CB TP 1705 – Download of the content
  2. SCCM ConfigMgr CB TP 1705 – Available to Install
  3. SCCM ConfigMgr CB TP 1705 – Prerequisite checks
  4. SCCM ConfigMgr CB TP 1705 – Installation Process
  5. SCCM ConfigMgr CB TP 1705 – Post Installation Steps
  6. SCCM ConfigMgr CB TP 1705 – Console Upgrades

SCCM ConfigMgr CB TP 1705 – Download of the content

Download SCCM CB 1705 content from the Microsoft content server. You can check the content download status from the log file called DMPDownloader.log. You can also watch the download traffic on the Ethernet connection via Task Manager – Performance. Apart from these, you can check the size of the cab file in the folder called “EasySetupPayload”. All these are explained in the SCCM CB installation video guide.

Following are the high-level steps of the SCCM ConfigMgr CB in-console download process:

  1. Process update package
  2. Download update package cab file
  3. Extract update package payload
  4. Download Redist
  5. Report package as downloaded

SCCM ConfigMgr CB TP 1705 – Available to Install

Once the content download of SCCM ConfigMgr has been completed, then we can start the installation process of SCCM CB TP 1705. Right-click on the update and tap on “Install update pack“. This action will initiate an upgrade wizard for the upgrade process. You can select a couple of important options as part of this upgrade wizard. Monitor this process via CMUpdate.log and SCCM CB console.

SCCM ConfigMgr CB TP 1705 – Prerequisite checks

Before the start of the installation, the upgrade process will carry out the prerequisite checks like disk space available on the server. This will also include loads of other checks to ensure that the upgrade process will go through without any issues.

SCCM ConfigMgr CB TP 1705 – Installation Process

Once the necessary pre-checks have been completed, then the actual upgrade process will start. CMUpdate.log is your friend in this SCCM ConfigMgr CB TP 1705 upgrade process. Upgrading the ConfigMgr Database is the most important and time-consuming step in this SCCM CB installation process. Install files is another process that may take a long time to finish as you see in the video embedded in this video post.

SCCM ConfigMgr CB TP 1705 – Post Installation Steps

The post-installation steps of SCCM CB 1705 are critical; this is the step where the SCCM Executive service gets installed. Along with this, SQL-based replication services, SMS hierarchy manager, etc. are installed in this step. SiteComp.log is your best friend for monitoring the progress of that installation.

SCCM ConfigMgr CB TP 1705 – Console Upgrades

Upgrade of the SCCM CB TP 1705 console is the last step of the in-console upgrade process. This has been explained in the SCCM video tutorial in the embedded video in this post. The SCCM CB TP 1705 console version is “5.00.8525.100” and the site Server version is “5.00.8525.100”.

Resources

Update 1705 for Configuration Manager Technical Preview Branch – Available Now! here
More detailed Technical details on SCCM CB TP 1705 – here

Intune Create SCEP Certificate Profiles in Endpoint Manager Deploy SCEP profiles to Windows 10 Devices

In this post, we will go through creating and deploying a SCEP certificate to Windows 10 devices (How to Deploy SCEP Certificate to Windows Devices).

We need to take care of some prerequisites before creating SCEP Certificates in Intune. You need to have on-prem infrastructure components available before creating SCEP cert profiles in Intune. Related post > Intune SCEP HTTP Errors Troubleshooting Made Easy With Joy – #5 (anoopcnair.com)

NDES setup for SCEP

The NDES connector should be installed in your data center, and it should be able to talk to the CA server and to the Azure AD App proxy connector if you are using the Azure app proxy. I’m not going to cover the setup of NDES and the Azure AD App proxy connector. Those two configurations are very complex and very well explained in other blogs.

Related Post – https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-How-to-configure-NDES-for-SCEP-certificate/ba-p/455125

All these configurations are explained in the video above or you can watch it here

Deploying a SCEP certificate to Windows 10 devices will help them connect to corporate resources through Wi-Fi and VPN profiles. Before creating a Windows 10 SCEP certificate in Intune, you need to create and deploy a certificate chain. The certificate chain includes the Root CA certificate and the Intermediate/Issuing CA certificate.

There are 3 certificate profiles available in Intune: TRUSTED Certificate, SCEP Certificate, and PKCS certificate. We are not going to use the PKCS certificate for SCEP profile deployment.

Following are the high-level tasks for deploying a SCEP certificate to Windows 10 devices via Intune:

  • Create and Deploy iOS Root CA certificate using Intune Azure Portal
  • Create and Deploy iOS Intermediate/Issuing CA Certificate using Intune Azure Portal
  • Create and Deploy SCEP Certificate to iOS Devices using Intune Azure Portal

Create and Deploy Windows 10 Root CA, Windows 10 Intermediate/Issuing CA Certificate Profiles

As the first step, we need to create a Root CA cert profile. To create a Root CA cert profile, navigate through Microsoft Intune – Device Configuration – Profiles – Create profile. Select the platform as Windows 10 and the profile type as Trusted Certificate. You need to browse and upload your Root CA cert (Name of the cert = ACN-Enterprise-Root-CA.CER) from your CA server.

In the Windows 10 Trusted certificate profile, we need to select a destination store. For the root cert profile, we need to select Computer certificate store – Root. Once the settings are saved, you need to deploy the root cert profile to the required Windows 10 devices.

We need to follow the same process for Intermediate/Issuing CA certificate profile deployment via Intune. Make sure that you are uploading issuing CA cert (Name of cert = ACN-Issuing-CA-PR1.CER) from your CA server.

Another point we need to take care of is the destination store. We need to select the destination store as Computer Certificate Store – Intermediate. Click OK – Create to finish the creation of Issuing cert profile.

Deploy Windows 10 Root CA and Intermediate/Issuing CA Certificate Profiles to the same group of Windows 10 devices. We can use either AAD User or Device group to deploy these profiles. However, I would prefer to use AAD dynamic device groups wherever possible.

Create and Deploy Windows 10 SCEP profile via Intune – Intune Create SCEP Certificate Profiles

To create and deploy a SCEP profile to Windows 10 devices, navigate through Microsoft Intune – Device Configuration – Profiles – “Create profile“. Select the platform as Windows 10 and profile type as SCEP Certificate.

There are some specific settings you need to configure when you create a SCEP profile for Windows 10 devices. Loads of these configurations can differ as per the CA server setup and the setup of other on-prem components.

The certificate validity period is 1 year, which is the standard in the industry. There are four options for the Key storage provider (KSP):

  • Enroll to Trusted Platform Module (TPM) KSP if present, otherwise Software KSP
  • Enroll to Trusted Platform Module (TPM) KSP, otherwise fail
  • Enroll to Passport, otherwise fail
  • Enroll to Software KSP

In this scenario, I have selected Enroll to Trusted Platform Module (TPM) KSP if present, otherwise Software KSP. You need to select the subject name format value depending on your organizational requirement. In this scenario, I selected the common name as email and the subject alternative name as UPN. Key usage is digital signature and key encipherment. The key size value is 2048. Hash algorithm value (SHA-2) should be the latest one if your CA supports the same.

Another important point is to link the SCEP profile with the ROOT cert profile you already created. If you have not created any ROOT cert and intermediate/issuing CA cert profiles in Intune, it won’t allow you to create a SCEP profile. Extended key usage is another setting, and it should automatically get populated. One example here is “Client Authentication – 1.3.6.1.5.5.7.4.3.”

The last set of settings for Windows 10 SCEP profiles in Intune is Enrollment Settings. I would recommend keeping the renewal threshold of certificates as the default value of 20%. SCEP server URLs (e.g., https://acnndes-sccz.msappproxy.net/certsrv/mscep/mscep.dll) are very important. These are the URL/s to which Windows 10 devices will go and request SCEP certs.

So, this should be reachable from the internet. As I mentioned above, you can use Azure AD app proxy URLs here. In this scenario, I will use Azure AD app proxy settings.

SCEP profile cert will be deployed to users’ stores in the following format “ACN-Issuing-CA-PR5“.

End-User Windows 10 Certificate Store Experience – Intune Create SCEP Certificate Profiles

SCEP profile will be deployed to Current User\Personal\Certificates = “ACN-Issuing-CA-PR5”

Root and Intermediate CA cert will be deployed to Local Computer\Intermediate Certification Authorities\Certificates = ACN-Enterprise-Root-CA.CER and ACN-Issuing-CA-PR1.CER
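To confirm on a test device that the issued certificate matches the profile described above (2048-bit key, SHA-2, digital signature and key encipherment, UPN in the SAN, one-year validity) and to see whether the key landed in the TPM or the software KSP, the following added example can be run as the enrolled user. It is not code from the original post: the function name and the `*ACN-Issuing-CA*` issuer filter are assumptions based on the post's lab names, and the EKU check uses the Client Authentication OID registered in RFC 5280 (1.3.6.1.5.5.7.3.2).

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example. Test-ScepCertificate and the issuer filter at the bottom are
# assumptions built from the post's lab names; adjust them to your own CA.
function Test-ScepCertificate {
    param(
        [Parameter(Mandatory)][X509Certificate2]$Certificate,
        [int]$ExpectedKeySize = 2048,   # key size chosen in the SCEP profile
        [int]$MaxValidityDays = 366     # profile validity period: 1 year
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # Key size and hash algorithm (FriendlyName is e.g. "sha256RSA").
    $pub = [RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    if (-not $pub -or $pub.KeySize -ne $ExpectedKeySize) { $findings.Add("RSA key is not $ExpectedKeySize bits") }
    $sigAlg = $Certificate.SignatureAlgorithm.FriendlyName
    if ($sigAlg -notmatch 'sha(256|384|512)') { $findings.Add("Signature algorithm '$sigAlg' is not SHA-2") }

    # Key usage: digital signature and key encipherment must both be set.
    $ku   = $Certificate.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    $need = [X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'
    if (-not $ku -or -not $ku.KeyUsages.HasFlag($need)) { $findings.Add('Key usage lacks digital signature or key encipherment') }

    # Extended key usage: Client Authentication (id-kp-clientAuth, RFC 5280).
    $eku     = $Certificate.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    if ($ekuOids -notcontains '1.3.6.1.5.5.7.3.2') { $findings.Add('EKU does not include Client Authentication') }

    # Subject alternative name should carry the UPN (text as shown on English-language Windows).
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san -or $san.Format($false) -notmatch 'Principal Name=') { $findings.Add('SAN has no UPN entry') }

    if (($Certificate.NotAfter - $Certificate.NotBefore).TotalDays -gt $MaxValidityDays) { $findings.Add('Validity exceeds one year') }

    # The chain only builds if the Root and Issuing CA trusted-certificate profiles arrived.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    if (-not $chain.Build($Certificate)) { $findings.Add("Chain does not build: $($chain.ChainStatus.Status -join ', ')") }

    # Which key storage provider holds the private key?
    $provider = 'no private key'
    if ($Certificate.HasPrivateKey) {
        try {
            $key = [RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
            $provider = if ($key -is [System.Security.Cryptography.RSACng]) { $key.Key.Provider.Provider } else { 'legacy CSP' }
        } catch { $provider = "unreadable: $($_.Exception.Message)" }
    }

    [pscustomobject]@{
        Subject     = $Certificate.Subject
        Issuer      = $Certificate.Issuer
        KeyProvider = $provider
        TpmBacked   = ($provider -eq 'Microsoft Platform Crypto Provider')
        Findings    = $findings
    }
}

Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -like '*ACN-Issuing-CA*' } |
    ForEach-Object { Test-ScepCertificate -Certificate $_ } |
    Format-List
```

An empty `Findings` list with `TpmBacked = True` means the certificate matches the profile and the key is held by the TPM; `Microsoft Software Key Storage Provider` in `KeyProvider` means the device fell back to the software KSP.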

Resources

  • Configure and manage SCEP certificates with Intune – New Azure Portal – here
  • How to configure certificates in Microsoft Intune – New Azure Portal – here
  • How to Protect NDES with Azure AD Application Proxy – here

Intune Create SCEP Certificate Profiles Deploy SCEP profiles to iOS Devices using Endpoint Manager

We need to take care of some prerequisites before creating a SCEP certificate in Intune. You need to have on-prem infrastructure components available before creating SCEP certificates in Intune.

NDES connector is supposed to be installed on your Data Center, and the NDES connector should be able to talk to the CA server and Azure AD App proxy connector if you are using the Azure app proxy. Related post – Intune SCEP HTTP Errors Troubleshooting Made Easy With Joy – #5 (anoopcnair.com).

I’m not going to cover the setup of NDES and Azure AD App proxy connectors. Those two configurations are complex and well explained in loads of other blogs. This post will cover how to create and deploy a SCEP profile to iOS devices via the Intune blade in the Azure portal.

All these configurations are explained in the video above or you can watch it here

Introduction – Intune Create SCEP Certificate Profiles Deploy SCEP profiles to iOS Devices

Deployment of SCEP Certificate to iOS devices will help connect to corporate Wi-Fi and VPN profiles etc… Before creating iOS SCEP Certificate in Intune, you need to create and deploy a certificate chain. The certificate chain includes the Root CA certificate and the Intermediate/Issuing CA certificate.

There are 3 certificate profiles available in Intune: TRUSTED Certificate, SCEP Certificate, and PKCS certificate. We are not going to use the PKCS certificate for SCEP profile deployment. Following are the high-level tasks for deploying a SCEP profile to iOS devices:

  1. Create and Deploy iOS Root CA certificate using Intune Azure Portal
  2. Or Create and Deploy an iOS Intermediate CA certificate using Intune Azure Portal
  3. Create and Deploy SCEP Certificate to iOS Devices using Intune Azure Portal

Create and Deploy iOS Root CA, iOS Intermediate/Issuing CA Certificate Profiles

As the first step, we need to create a Root CA cert profile. To create a Root CA cert profile, navigate through Microsoft Intune – Device Configuration – Profiles – Create profile. Select the platform as iOS and the profile type as Trusted Certificate. You need to browse and upload your Root CA cert (Name of the cert = ACN-Enterprise-Root-CA.CER) from your CA server.

Once the settings are saved, you need to deploy the root cert profile to the required iOS devices. The same process needs to be followed for the Intermediate/Issuing CA certificate profile deployment via Intune.

Make sure that you are uploading issuing CA cert (Name of cert = ACN-Issuing-CA-PR1.CER) from your CA server. All these configurations are explained in the video above or you can watch them here.

Create and Deploy iOS SCEP Certificate Profile for iOS Devices

To create a SCEP certificate profile, navigate Microsoft Intune – Device Configuration – Profiles – Create a profile. While creating iOS SCEP Certificate, we need to select Profile type as “SCEP certificate” and platform as iOS.

The next step is configuring the settings. These settings are very important, and you need to consult with your CA team when you create a SCEP certificate profile. Loads of these configurations can differ as per the CA server setup and the setup of other on-prem components.

The certificate validity period is 1 year, which is the standard in the industry. The subject name format also depends on your organization’s preference. In this scenario, I selected the common name as email and the subject alternative name as UPN. Key usage is a digital signature and key decipherment. The key size is 2048.

Another important point is to link the SCEP Certificate with the ROOT cert profile you already created. If you have not created any ROOT cert in Intune, it won’t allow you to create a SCEP Certificate. Extended key usage is another setting, and it should automatically get populated.

One example here is Client Authentication – 1.3.6.1.5.5.7.4.3.

The last set of settings for iOS SCEP profiles in Intune is Enrollment Settings. I would recommend keeping the renewal threshold of certificates as the default value of 20%. SCEP server URLs are very important. These are the URLs to which iOS devices will go and request SCEP certs.

So, this should be reachable from the internet. As I mentioned above, you can use Azure AD App proxy URLs here (e.g., https://acnndes-sccz.msappproxy.net/certsrv/mscep/mscep.dll ). In this scenario, I will use Azure AD App proxy settings. All these configuration details are explained in the video here.

SCEP certificate will be in the following format “ACN-Issuing-CA-PR5“.
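Both the Windows 10 and iOS profiles depend on the SCEP server URL answering from the internet and on the CA side supporting the SHA-2 hash chosen in the profile. The added example below, which is not part of the original posts, queries the standard SCEP `GetCACaps` operation (RFC 8894) and reports what the server advertises; the function names are hypothetical and the sample response is constructed.

```powershell
# Added example. Test-ScepCaCaps and Get-ScepCaCaps are hypothetical helper names.

function Test-ScepCaCaps {
    # Parses a GetCACaps response body: one capability keyword per line (RFC 8894).
    param([Parameter(Mandatory)][AllowEmptyString()][string]$ResponseBody)

    $caps = @($ResponseBody -split "\r?\n" | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $sha2 = @($caps | Where-Object { $_ -in 'SHA-256', 'SHA-512' })

    $findings = [System.Collections.Generic.List[string]]::new()
    if ($caps.Count -eq 0) { $findings.Add('Empty response: endpoint reachable but no capabilities returned') }
    if ($sha2.Count -eq 0) { $findings.Add('No SHA-2 capability advertised; a SHA-2 profile setting is not supported') }
    if ($caps -notcontains 'POSTPKIOperation') { $findings.Add('POSTPKIOperation not advertised; requests must use HTTP GET') }

    [pscustomobject]@{
        Capabilities  = $caps
        Sha2Offered   = $sha2
        PostSupported = ($caps -contains 'POSTPKIOperation')
        Renewal       = ($caps -contains 'Renewal')
        Findings      = $findings
    }
}

function Get-ScepCaCaps {
    # Fetches GetCACaps from the SCEP server URL configured in the Intune profile.
    param([Parameter(Mandatory)][uri]$ScepUrl)

    if ($ScepUrl.Scheme -ne 'https') { Write-Warning "SCEP URL '$ScepUrl' is not https" }
    $resp = Invoke-WebRequest -Uri "$($ScepUrl.AbsoluteUri)?operation=GetCACaps" -UseBasicParsing -TimeoutSec 15

    # The body arrives as bytes when the server does not label it as text.
    $body = if ($resp.Content -is [byte[]]) { [Text.Encoding]::ASCII.GetString($resp.Content) } else { [string]$resp.Content }
    Test-ScepCaCaps -ResponseBody $body
}

# Constructed sample response, so the parser can be tried without a network call.
$sample = "POSTPKIOperation`nRenewal`nSHA-512`nSHA-256`nSHA-1`nDES3"
Test-ScepCaCaps -ResponseBody $sample

# Against your own endpoint, from a machine outside the corporate network:
# Get-ScepCaCaps -ScepUrl 'https://<your-app-proxy-host>/certsrv/mscep/mscep.dll'
```

Run the live check from outside the corporate network so that it exercises the same Azure AD App proxy path the devices use.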

Resources

  • Configure and manage SCEP certificates with Intune – New Azure Portal – here
  • How to configure certificates in Microsoft Intune – New Azure Portal – here
  • How to Protect NDES with Azure AD Application Proxy – here
