Channel: Robert Marshall - MVP's Activities

How do I find all these great ConfigMgr free tools


 

Some time back I wrote a free content downloader (superb, if I do say so myself!) that currently contains 141 of the finest tools, scripts and ‘things’ that make us engineers go “Cool”.

Key features that make me want to reuse this tool are:

  • No need to have to remember all the web locations for various tooling and content when I visit a customer
  • Takes the clicks and pain out of getting content and tooling, just select and the tool brings it all down for you
  • Keep on top of the latest versions for content and tooling, no stumbling across an older version
  • An organic, living library curated by specialists, new content and tooling introduced regularly
  • Products of interest from well-known Vendors, stuff most System Center Administrators should be aware of
  • Free tools from well-known Vendors
  • A Book library containing the latest releases
  • A communities listing, so that you can find and join lively communities
  • A Resources listing containing some documentation and support locations that are regularly used by seasoned administrators
  • And finally, the tool automatically updates itself if there is a newer version released. It performs this check each time the tool is loaded, which removes the need to revisit the TechNet Gallery to download a newer version.

Here is what it looks like:

 

image

 

It is a very lightweight tool with no installation footprint: you simply download the tool from the TechNet Gallery, unpack the ZIP, unblock the EXE (I haven’t signed up to an expensive certificate programme that lets my executables run without initially being blocked; one day I will sign up to it and remove the need to unblock them, like most vendors do), run the EXE and it will download the latest manifest from the internet.
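Before unblocking an unsigned executable it is worth seeing what the block actually is and what you are trusting. The following is an added example, not code from the post or from the tool itself: it reads the Mark-of-the-Web stream, reports the Authenticode status (expect NotSigned for this tool, as the post says), hashes the file, and only then removes the mark. The file name is an assumption, and the expected hash is a placeholder because the gallery page in the post publishes none.

```powershell
# Added example, not part of the original post: inspect a downloaded EXE before unblocking it.
# The file name below is an assumption (the post does not give one), and the expected hash is a
# placeholder: the gallery page in the post publishes none, so obtain one out of band or skip it.
function Test-DownloadedTool {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedSha256,      # optional, compare against a value you trust
        [switch]$Unblock              # only remove the mark if the checks above passed
    )

    # 1. Mark-of-the-Web lives in the Zone.Identifier alternate data stream; it is what makes
    #    Windows "block" the file and it also records where the file came from.
    $motw = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($motw) { Write-Host "Mark-of-the-Web present:`n$($motw -join "`n")" }
    else       { Write-Host 'No Zone.Identifier stream: already unblocked or never marked.' }

    # 2. Authenticode: the post says the EXE is unsigned, so expect 'NotSigned'. Anything other than
    #    'Valid' means you are trusting the download channel and the hash alone.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    Write-Host "Signature: $($sig.Status)"
    if ($sig.Status -eq 'Valid') { Write-Host "Signer: $($sig.SignerCertificate.Subject)" }

    # 3. Hash, compared to an out-of-band value when one is supplied.
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    Write-Host "SHA256: $hash"
    if ($ExpectedSha256 -and $hash -ne $ExpectedSha256) {
        throw 'Hash mismatch: do not unblock or run this file.'
    }

    # 4. Same effect as the Properties > Unblock tick box, but only on request.
    if ($Unblock) { Unblock-File -Path $Path; Write-Host 'Unblocked.' }
}

# Assumed file name; run the check first, then re-run with -Unblock once you are satisfied.
Test-DownloadedTool -Path '.\SystemCenterStore.exe'
```

The Zone.Identifier stream usually carries the download URL as well as the zone, so you can confirm the file really came from the gallery and not from a mirror before you remove the mark.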

You’ve got the option to select the System Center product so that you can view all of the content related to it, but be warned: I’m yet to populate the other products with much content beyond documentation links, meaning this tool is weighted towards ConfigMgr, since I am an Enterprise Mobility (ConfigMgr!) MVP and that is my focus and where my passion is. I am looking for curators to manage the content for the other System Center products.

Keep an eye on the home page for the tool, the page that shows when you start it up, as we announce industry news there, currently we list major industry events that you may be interested in attending:

 

image

 

I am proud to be an Enterprise Mobility MVP, now in my 8th year. I work for SMSMarshall Ltd, a growing System Center consultancy based in London, UK, where I am the principal consultant and specialise in troubleshooting and custom solutions. I hope you get a lot of benefit from this tool; I enjoyed writing it and enjoy maintaining it.

 

image


System Center Store–Proxy blocking resolved


I solved two problems affecting System Center Store this week.

System Center Store uses a specific URL to fetch the zipped and encrypted XML manifest file from the web. This URL (a Microsoft-owned domain, a SharePoint farm) is rated as Script\Medium risk by BlueCoat, which causes it to be blocked by some companies’ proxy servers, depending on how they have configured the categories for blocking. This caused the tool to fail and misbehave. I’ve changed the URL to SMSMarshall.com, which is (as of only recently) rated in the Business category by BlueCoat, and that should reduce any blocking taking place. But even this would have failed if I hadn’t dealt with another problem …

I work for SMSMarshall Ltd, a UK consultancy, and we found out that our website SMSMarshall.com was blacklisted by BlueCoat, rated as High risk. We’re not sure when this came about as we never noticed. We carried out some checks and scans, and nothing suspect was found on the website. The High risk rating caused it to be blocked at any company that employs a proxy using BlueCoat technology. Ouch. That was quite a few companies unable to even visit the company website. A quick web-form request submission to BlueCoat had that sorted within 12 hours, and I was able to have it verified by William Cullen (thanks Will!). The reason for it being rated High risk seems to be linking from the company website to a popular community forum which was itself rated High risk for whatever reason. This was a known issue in late 2015 that affected other websites linking back to it, causing them to be rated High risk too, so it is most likely related, but we will never know, as BlueCoat didn’t address why they rated it that way; they just responded that after review it had been re-rated.

So now, System Center Store should have a higher success rate when used behind a proxy. Let me know on Twitter @RobMVP if you have any problems with the tool, or post in the tool’s Comments section on the TechNet Gallery. I am especially keen to hear whether it works behind proxies with or without proxy configuration within the tool.

 


WMUG DEV Club meet up - 24th Feb 2016


Join WMUG for an informal evening of chat and code

Wednesday 24th February, 2016 - 6:30PM to 8:30PM.


Mozilla London,
Third Floor,
101 St Martin's Lane,
London
WC2N 4AZ UK

An evening of code and chat at Mozilla Space, London. WMUG plan to introduce a series of club meetings focused around development and ConfigMgr. A chance for beginners and experts to mingle and discuss coding solutions using C# or PowerShell. WMUG hopes that attendees will learn how to be able to code up their own tools and DEV solutions by identifying gaps in the product, with the intention of releasing any finished code and tools onto GitHub and the TechNet Gallery. 


With an informal agenda, the initial meetup will lay the groundwork for further club meetings, and give the group a chance to get to know each other. Enterprise Management MVP, Robert Marshall, will be re-visiting his 'SDK and Development with ConfigMgr 2012' presentation demoed at the 'Enterprise Client Management for the Modern World' WMUG event last August at Microsoft.

The event is completely FREE to you; teas and coffees will be provided by our event hosts, Mozilla. Spaces are limited to 8 attendees, so if you are interested in improving your coding skills to work with ConfigMgr, or just coding in general, then register quickly. This relaxed, informal meet-up should be an ideal starting point.

Note: Please consider bringing a laptop with you, so that you can follow along. We'll help setup your DEV environment and get you underway.


ConfigMgr–Updates and Servicing - Servicing KB3122637 using the Easy Setup Channel


 

Microsoft have just released a hotfix (KB3122637) to resolve an issue with the Exchange Connector that impacts both the older and the new version of ConfigMgr. I’ll use this hotfix to demo the Updates and Servicing feature, also known as the Easy Setup Channel, and it really does make an administrator’s life easier.

This is something I’ve wanted for a very long time: updates integrated into the product so that we don’t have to manage them manually, and Microsoft have nailed this as far as I can see, without using the software updates (SUS) channel, which wasn’t an appropriate channel for delivering ConfigMgr site content due to the interactivity involved.

 

Here is the hotfix that drives this guide along:

 

FIX: Mobile devices aren't listed in System Center Configuration Manager

 

Symptoms

In a Microsoft System Center Configuration Manager environment in which the Microsoft Exchange Server connector is configured for use with Microsoft Exchange Server 2013, mobile devices aren't listed as expected in the All Mobile Devices node of the administrator console. Additionally, errors that resemble the following are recorded in the EasDisc.log file on the Configuration Manager site server:

ERROR: [MANAGED] Invoking cmdlet Get-Recipient failed. Exception: System.Management.Automation.RemoteException: Cannot bind parameter 'Filter' to the target. Exception setting "Filter": "The value "$true" could not be converted to type System.Boolean….
STATMSG: ID=8817 SEV=W LEV=M SOURCE="SMS Server" COMP="SMS_EXCHANGE_CONNECTOR" …
ERROR: [MANAGED] Exception: Cannot bind parameter 'Filter' to the target. Exception setting "Filter": "The value "$true" could not be converted to type System.Boolean."
ERROR: Failed to check status of discovery thread of managed COM. error = Unknown error 0x80131501


Note
 This log entry is truncated for readability.

This issue applies to the following versions of System Center Configuration Manager:

  • Microsoft System Center Configuration Manager version 1511
  • Microsoft System Center 2012 Configuration Manager Service Pack 2
  • Microsoft System Center 2012 R2 Configuration Manager Service Pack 1

 

For the older versions of ConfigMgr, you’d go through the usual steps of requesting the hotfix and then downloading it (or in some cases downloading it directly from within the bulletin):

 

image

 

You’d then check your emails, find the offered link and click through, wait for the download to finish, move it onto the Site server and perform an installation. For the latest version of ConfigMgr, “System Center Configuration Manager”, this can all be done in-console using the Updates and Servicing feature, and we’re going to see it in action as it delivers and installs a hotfix to a System Center Configuration Manager Build 1511 stand-alone Primary Site server.

The Updates and Servicing feature operates on a 24-hour cycle, checking in with Microsoft via the Service Connection Point to see if an updated version of Manifest.CAB (which becomes ConfigMgr.Update.Manifest.CAB) exists. You can shorten this cycle on the day of a release by recycling the SMS_SITE_COMPONENT_MANAGER service, which makes the Site perform this check. Once the CAB has been processed it validates that any available content is applicable to the Site server; in the case of KB3122637 the validation check is whether the Exchange Server Connector is configured for use.

Note for the curious: the CAB file is transient. Once processed, it is gone; you can catch the CAB if you are timely and eagle-eyed, and crack it open for a look if so inclined.

Below you can see that the Site server became aware of the hotfix after processing the updated ConfigMgr.Update.Manifest.CAB file, and began to download the content for us from Microsoft using BITS over HTTPS:

 

image

 

You can check out the DMPDownloader log for a transcript of what is going on:
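Reading the site logs in a browser-style viewer is fine for one machine, but when you want to watch several logs for errors during servicing a small parser is handier. The block below is an added example, not part of the post: it parses the CMTrace line format that DMPDownloader.log and CMUpdate.log use (type 1 = info, 2 = warning, 3 = error) and filters to the non-informational entries. The sample lines are constructed for the demonstration and the messages in them are illustrative, not copied from a real log; the log path in the trailing comment is an assumption.

```powershell
# Added example, not from the original post: triage CMTrace-format site logs such as
# DMPDownloader.log and CMUpdate.log. The sample lines are constructed for this demo.
function ConvertFrom-CMTraceLine {
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        # CMTrace layout: <![LOG[message]LOG]!><time="..." date="..." component="..." ... type="N" ...>
        if ($Line -match '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)" component="(?<comp>[^"]*)"[^>]*type="(?<type>\d)"') {
            [pscustomobject]@{
                Time      = $Matches.date + ' ' + ($Matches.time -replace '[+-]\d+$', '')
                Component = $Matches.comp
                # type: 1 = informational, 2 = warning, 3 = error
                Severity  = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }[$Matches.type]
                Message   = $Matches.msg
            }
        }
    }
}

# Constructed sample shaped like DMPDownloader.log / CMUpdate.log output (messages are illustrative).
$sample = @'
<![LOG[Processing manifest ConfigMgr.Update.Manifest.cab]LOG]!><time="10:02:11.100+00" date="01-21-2016" component="SMS_DMP_DOWNLOADER" context="" type="1" thread="1234" file="dmpdownloader.cpp:100">
<![LOG[Downloading package via BITS over HTTPS]LOG]!><time="10:02:12.200+00" date="01-21-2016" component="SMS_DMP_DOWNLOADER" context="" type="1" thread="1234" file="dmpdownloader.cpp:120">
<![LOG[Failed to download content, will retry]LOG]!><time="10:05:40.300+00" date="01-21-2016" component="SMS_DMP_DOWNLOADER" context="" type="3" thread="1234" file="dmpdownloader.cpp:130">
<![LOG[Stopping SMS_EXECUTIVE before applying update]LOG]!><time="11:15:03.400+00" date="01-21-2016" component="CONFIGURATION_MANAGER_UPDATE" context="" type="2" thread="99" file="cmupdate.cpp:10">
'@ -split "`r?`n" | Where-Object { $_ }

$entries = $sample | ConvertFrom-CMTraceLine
$entries | Where-Object Severity -ne 'Info' | Format-Table Time, Component, Severity, Message -AutoSize

# To read the real log instead (assumed install path), feed it the same way:
# Get-Content 'D:\Program Files\Microsoft Configuration Manager\Logs\dmpdownloader.log' |
#     ConvertFrom-CMTraceLine | Where-Object Severity -eq 'Error'
```

With `Get-Content -Wait` on the real file the same pipeline becomes a live tail that only shows warnings and errors, which is the view you want while the site is down for the hotfix.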

 

image

 

Once it’s downloaded, unpacked and made ready, a refresh in the Console will reveal its state change from Downloading to Available:

 

image

 

We’re now ready to apply this hotfix to the Site server.

Back up your Site server’s database and CD.Latest folder; there is some good guidance on doing this from Kent Agerlund here. You should really do this every single time you make a significant change to the Site server, such as applying a hotfix. We know the risk is low for a hotfix, but the effort to recover without being prepared is magnified if you do not have current backups, and is less awesome than being prepared. Remember, we’re supposed to be the most diligent and careful of administrators due to the nature of this product; we are carved out this way eventually because we’re holding the reins of a product that can cripple or wipe out an entire organisation. Taking the role seriously by making sure you are able to revert to a recent backup shows good diligence, and makes you look as cool as a cat to other administrators and your boss.
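As an added example of the pre-servicing backup the paragraph asks for (this is not code from the post or from Kent Agerlund’s guide, and the supported alternative is the built-in Backup Site Server maintenance task), the block below takes a checksummed full backup of the site database, verifies it is restorable, mirrors CD.Latest with robocopy, and records hashes of everything it wrote. Site code, SQL instance, install path and backup share are all assumptions; it needs the SqlServer (or SQLPS) module.

```powershell
# Added example, not from the original post: pre-servicing backup of the site database and CD.Latest.
# Site code, instance, paths and share are assumptions; adjust to your site.
$SiteCode    = 'PS1'                                                       # assumed
$SqlInstance = 'CM01.lab.local'                                            # assumed default instance
$CmRoot      = 'D:\Program Files\Microsoft Configuration Manager'          # assumed install path
$BackupRoot  = "\\BACKUP01\CMBackups\$(Get-Date -Format yyyyMMdd-HHmm)"    # assumed share
Import-Module SqlServer -ErrorAction Stop

New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# 1. Full backup of CM_<site code> with CHECKSUM so page corruption is caught at backup time.
$dbBackup = Join-Path $BackupRoot "CM_$SiteCode.bak"
Backup-SqlDatabase -ServerInstance $SqlInstance -Database "CM_$SiteCode" -BackupFile $dbBackup `
    -BackupAction Database -Checksum -CompressionOption On

# 2. Prove the backup is restorable before the site is touched.
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query "RESTORE VERIFYONLY FROM DISK = N'$dbBackup' WITH CHECKSUM"

# 3. CD.Latest is the setup media for the build you are currently on; mirror it exactly.
#    /R:2 /W:5 keeps a locked file from hanging the job.
$cdLatest = Join-Path $CmRoot 'CD.Latest'
$log      = Join-Path $BackupRoot 'cdlatest.log'
robocopy $cdLatest (Join-Path $BackupRoot 'CD.Latest') /MIR /R:2 /W:5 /NP "/LOG:$log" | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit $LASTEXITCODE); see $log" }

# 4. Record hashes so the copy can be checked again later.
Get-ChildItem $BackupRoot -Recurse -File | Get-FileHash -Algorithm SHA256 |
    Export-Csv (Join-Path $BackupRoot 'manifest.csv') -NoTypeInformation
```

Run it from an account that holds db_backupoperator (or sysadmin) on the site database and has write access to the share; robocopy exit codes below 8 are informational and are treated as success here.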

We’re going to run the prerequisite checker ahead of installing the hotfix, although the checker is run whenever you attempt to install, so this step will cause process duplication, but will give us insight into any failure points before we’ve committed the content for installation.

Right click the entry for KB3122637 and select Run prerequisite check

 

image

 

It’ll update the State to become Checking prerequisites:

 

image

 

After a short while and one console refresh later, the prerequisite checker has completed and spat out a result for us to observe:

 

image

 

We can take a look at what messages came back for the prerequisite check, especially if it didn’t pass: you can either click Show Status, or visit Site Servicing, which resides in the Monitoring node:

 

image

 

Right click the entry, and vigorously demand access to Show Status using the left mouse button:

 

image

 

Here are the results:

 

image

 

Now return back to Administration, Updates and Servicing, right click KB3122637 and Select Install Update Pack:

 

image

 

We’re welcomed by the Configuration Manager Updates Wizard, friendly, full of brevity, and eager to service the site at a few clicks:

 

image

 

We get a list of content and what type, in this case Configuration Manager site server updates, Select Next:

 

image

 

Usual EULA, tick off I Accept … and Select Next:

 

image

 

Our summary is short and details what we will be applying, Select Next:

 

image

 

Ok that is it, the process is underway, Select Close:

 

Checking back in the Console shows us that the process has begun by invoking the prerequisite checker again:

 

image

 

A few minutes later the prerequisite checker completes successfully (passed):

 

image

 

Right clicking the entry above will show the context menu; all entries are now greyed out during the servicing process, another indicator that we are underway:

 

image

 

Now we wait a short while and things will kick off. At this point head on over to the CMUpdate log file to see the action at a log level:

 

image

 

Once the hotfix installation is fully underway we’ll see that reflected in the Console, but this takes a bit of time to show up since the Site is taken down for the hotfix to be installed (SMS_EXECUTIVE and other services are stopped), and the status update is only changed when servicing is completed.

 

One more reference to the CMUpdate log, to show that the show is over, the hotfix is now installed:

 

image

 

A quick refresh of the console and we see the status is updated, and in this case, the update package containing the KB3122637 hotfix has been installed successfully:

 

image

 

image

 

And that is it, we’re done here.

Key take-away points here are:

  • We initiated the installation in-console and didn’t visit a web browser, or use email to initiate the activity
  • We did not download anything and did not have to man-handle any content whatsoever
  • We could observe activity in several logs such as DMPDownloader and CMUpdate, as well as from within the Console but observed that the log is a better way to monitor activity
  • Servicing a Site server becomes a cinch with the Updates and Servicing feature

The Updates and Servicing feature is the cornerstone for applying new builds and hotfixes.

 

And there is more, such as poking around the Updates and Servicing mechanism for offline servicing, and going under the hood in WMI and SQL, which is something I may do in another guide.

 

For now, you’ve just witnessed how easy it is to provision “content” from the new servicing model, which came from the product group developers\engineers who put it together, all the way down the chain through the testing group, mostly dogfooded in the TP releases, then to System Center Configuration Manager Current Branch, and most likely to you, unless you are running the long term servicing branch.

With this servicing model Microsoft is better capable of responding\reacting to issues and providing fixes than ever before, and I like it.

ConfigMgr B1511 and On-Premise MDM


 

I thought I’d cover On premise Mobile Device Management using ConfigMgr Build 1511. So let’s take a look.

 

The simplified list of the pros and cons of mobile device management versus full client management, laid out on the Microsoft TechNet page, tells us:

 

image

 

Moving from zero using this

image

To a fully operational one of these

image

May seem like climbing this, in just your pants

image

But with a guide to hand, the problem is broken down and thus, we get all the climbing kit laid out in front of us, and have a personal Sherpa to help get up there!

image

Ahead of my climb to get On Premise MDM working, fellow MVP climbers Panu Saukko, Kent Agerlund and Gerry Hampson have already summited and provided their own guides, one for TP3 and a more recent one by Gerry for B1511. This is my attempt to make it to the top using the documentation and B1511, while leaning on Gerry to figure out that I needed to do this for the enrolment roles:

image

 

This guide is of epic length, there are lots of screenshots, multiple step by step procedures, frequent summaries of activity and of specific steps, and requests for you to go further and set a few things up on your own, such as PKI. I did not run through this guide a second time to repro due to the vastness of the steps involved, but believe it should all hang together and result in Windows 10 devices enrolling correctly.

 

What we’re going to need is a lab environment consisting of the following:

  1. An Intune trial (a 30 day evaluation is more than enough!)
  2. A Certificate Authority serving your Forest (Server 2012 R2)
  3. An activated copy of Windows 10 Enterprise (virtual machine or physical)
  4. An additional Server 2012 R2 Site system for native mode (PKI) roles
  5. A stand-alone Primary hierarchy with a single Site system is enough, running on Windows 2012 R2, Build 1511 minimum or higher, with at least the following roles deployed:
  • Primary Site: Service Connection Point
  • Site system: Remote secure Management Point
  • Site system: Secure Distribution Point
  • Site system: Secure Enrollment Point
  • Site system: Secure Enrollment proxy point

 

The need for Intune is for licensing purposes only; devices will not talk to Intune, instead they will have a relationship with the Site server that the device is enrolled with. Setting up an Intune evaluation is well documented and I won’t include it in this guide; see Niall’s guide here, which includes the steps for the sign-up process, but do not proceed to integrate Intune with your Site server, return back here for that. If you’re using the browser on the Site server you may need to turn off IE Enhanced Security Configuration (IE ESC) to avoid prompts during sign-up, and add login.microsoftonline.com to the safe\trusted zone if you get stuck.

 

You’re going to need Certificate Services in your lab; if you do not have one set up then go and roll your own Certificate Authority on your lab domain. Guidance on going through this procedure can be found here: Install a Root Certification Authority, but please do have a look around for other guides to get a good overview of what is needed to get PKI up and running.

You’re also going to need to set up a few more roles to get Certificate Services fit for purpose. The roles required and their installation order are:

  1. Certificate Authority and Certificate Authority Web Enrollment
  2. Certificate Enrollment Web Service (after the above)

There are a lot of guides on setting up your certificates, the certificate templates and issuing certificates for ConfigMgr; nothing has changed much at all in the PKI and ConfigMgr guides from several years back, one of which from Microsoft I’m going to be lazy and point to here, and a community one here.

Once you’ve gone through that lot you’ll have certificates ready for use on the MP\DP web server and the clients.

Now that the Certificate Authority is up and running, you need to perform an additional step that we didn’t need to in the past when playing with PKI and ConfigMgr in the lab, and that is to set up a CRL Distribution Point (CDP) to host the Certificate Revocation List.

A tiny bit of background: any certificates that have been revoked by the Certificate Authority are listed in the Certificate Revocation List, and this list is made available via IIS over HTTP to any operating system that wants to verify that a certificate is valid (plain HTTP is deliberate: if the CDP were served over HTTPS, its own certificate would need to be revocation-checked first, which is circular). Windows 10, during registration for Mobile Device Management, will check that the certificate being used for authentication is valid; if it is not, access is denied. Validity depends on the certificate not having expired, and on its not having been intentionally revoked by the Certificate Authority for security purposes (compromise, risk mitigation).

Setting up a CRL Distribution Point, and telling the Certificate Authority to use it, is a pretty simple process, fully documented by Microsoft and others, but I describe the steps here so that you do not have to travel out of the guide to continue with this set of configuration steps.

Let’s get underway.

Later on, we’re going to modify Certificate Templates on the Certificate Authority so that they include a reference to the soon-to-be-created CDP using an FQDN. For this to work, we need to create a DNS A record that resolves to the IP address of the Certificate Authority that will host the CDP.

I assume you have your DNS service running on your lab Domain Controller, so head on to it.

  • Open the DNS management console
  • Expand the Forward Lookup Zones node and right click your domain entry
  • Add in a HOST A record called crldp as shown in the example below
  • Add the IP address of the server hosting the CDP

image

  • Select Add Host to add it to your Forward Lookup zone.

image

You can test this by opening a CMD prompt and using NSLOOKUP or PING, to make sure it resolves by its short name crldp and by the FQDN equivalent for your domain. All devices that you enrol should be able to resolve this FQDN and get a response.

Now that the DNS entry has been created and it points to the CDP, we next create a folder and an IIS Virtual Directory (website) to build the framework needed for the CDP to respond to requests for certificate validation.

For the lab I create a folder on the root of the C: volume called CRLD (I should have used CDP; if you change this, be aware that several key steps ahead rely on it) on my Certificate Authority server hosting the CDP. This can be a different drive\path of your choosing, just make a note of it for later.

  • Share the newly created folder out using a hidden share by right clicking the Folder, selecting Properties and selecting the Share tab. From there select Advanced Sharing, tick Share this folder, and add the $ (Dollar) suffix so that it looks like this:

image

  • Select Permissions and for Everyone select Full Control. (This is lab-loose: effective access is still bounded by the folder’s NTFS ACL, but outside a lab grant Change to the CA’s computer account rather than Full Control to Everyone.)

image

  • The folders Sharing tab should now look like this:

image

  • Select Close
  • Remaining on the Certificate Authority that is hosting the CDP (assuming you’ve set it up to use IIS, which it should in the lab), fire up the Internet Information Services console
  • From within the Internet Information Services console, expand out the Sites node, right click Default Web Site then select Add Virtual Directory
  • In the Alias type CRLD
  • For Physical Path type C:\CRLD

image

  • Select OK
  • Remaining in the console, selecting the new Virtual Directory (CRLD) and switching to Content view will show that the Virtual Directory (our new CDP website) is empty, since the Certificate Authority has not yet published to it

image

Now, we need to allow double escaping and Directory Browsing for our new Virtual Directory

  • Remaining on the CRLD Virtual Directory, Switch back to Features View, then scroll down to Management and double click Configuration Editor.
  • Now that the editor has appeared, from the Section drop down navigate through System.WebServer to Security and onto Request Filtering. Now set allowDoubleEscaping to True and click Apply.

image

  • Click back on your CRLD virtual directory, and navigate to the IIS section, double click Directory Browsing, select Enable

All of that came from this Microsoft guide.

Next up is to add the CDP to the CRL Distribution Point location list extension that clients use when attempting to validate certificates.

  • Open the Certificate Authority Management Console
  • Right click your Certificate Authority and select Properties

image

  • From Properties Select Add

image

  • Wipe the Location field as we’re about to reconstruct it, and type http://crldp.<domain>.com/
  • Select CaName from the variable drop down and select Insert
  • Select CRLNameSuffix and Insert it, then select DeltaCRLAllowed and insert it then add .crl
  • It should look like this with your domain name

image

  • This is the same dialog that shows the end of the Location field

image

  • Select OK

image

  • Back at the Extensions tab and while highlighting the newly created entry, tick the following check boxes
    1. Include in CRLs. Clients use this to find Delta CRL locations.
    2. Include in CDP extension of issued certificates.
    3. Include in the IDP extension of issued CRLs
  • We haven’t clicked OK for a reason, hold off

In my lab, this doesn’t allow me to publish the CRL to the CDP, it will however include this extension modification in any future certificates issued by the Certificate Authority.

To publish the CRL to the CDP, I had to repeat the above steps with some different inputs.

  • Add another CRL Distribution Point, this time so that we can publish to it by clicking Add again
  • Wipe the Location field as we’re about to reconstruct it, and type file://C:\CRLD\
  • Select CaName from the variable drop down and select Insert
  • Select CRLNameSuffix and Insert it, then select DeltaCRLAllowed and insert it then add .crl
  • It should look like this

image

  • This is the same dialog that shows the end of the Location field

image

  • Back at the Extensions tab and while highlighting the newly created entry, tick the following check boxes
    1. Publish CRLs to this location
    2. Publish Delta CRLs to this location
  • Now select the Exit Module tab, and Select Properties

image

  • Tick the Allow certificates to be published to the file system
  • Select OK

image

  • Opt to restart Active Directory Certificate Services; it only takes a moment to complete.

Great, we’ve got several things in place now, an Intune trial, Certificate Services, a DNS entry, a  directory for the CDP, an IIS Virtual Directory, and the CDP has been configured for publishing and client use in Certificate Services.

Let’s make the Certificate Authority publish the CRL to the CDP.

  • From Certificate Authority console, right click Revoked Certificates, select All Tasks then Publish

image

  • Select a New CRL:

image

  • Select OK
  • You should now see the full and delta CRLs listed in the CRLD directory from File Explorer; it should not take more than a few moments

image

  • You can point a browser at the CDP and should see the main and delta certificate lists as well

image

If any of this is broken, circle back to see where you’ve possibly deviated.
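The CDP procedure above (DNS record, folder and share, IIS virtual directory, CA extension, publish, browser test) is the kind of thing you end up redoing in every lab, so here it is as a script. This is an added example and not code from the post: the DNS zone and server, the CDP address and the CA account are assumptions, while the C:\CRLD folder and CRLD alias follow the post. Two things it makes explicit that the GUI steps leave implicit: the HTTP URL placed in the extension must include the virtual directory alias (/CRLD/), otherwise clients request the CRL from the Default Web Site root, not the CDP folder; and the final check fetches the CRL by the exact URL form issued certificates will carry and parses it, so you know IIS is serving a CRL and not an error page.

```powershell
# Added example, not from the original post: the CDP steps as a script, run elevated on the CA that
# also hosts the CDP (as in the post's lab). Assumptions: DNS zone lab.local and DNS server DC01,
# CDP address 10.0.0.10; folder C:\CRLD and IIS alias CRLD are as used in the post.
$Zone      = 'lab.local'
$DnsServer = 'DC01.lab.local'
$CdpHost   = 'crldp'
$CdpIp     = '10.0.0.10'
$CdpFqdn   = "$CdpHost.$Zone"
$Folder    = 'C:\CRLD'
$Alias     = 'CRLD'

# 1. DNS A record, then prove it resolves (enrolling devices must be able to resolve it too).
Add-DnsServerResourceRecordA -ComputerName $DnsServer -ZoneName $Zone -Name $CdpHost -IPv4Address $CdpIp
Resolve-DnsName -Name $CdpFqdn -Server $DnsServer -ErrorAction Stop | Out-Null

# 2. Folder and hidden share. The CA publishes locally through file://C:\CRLD, so the share is only
#    needed if another CA will publish here; it is limited to this CA's computer account (my lab
#    choice, tighter than the Everyone / Full Control used in the post).
New-Item -ItemType Directory -Path $Folder -Force | Out-Null
$caAccount = "$env:USERDOMAIN\" + $env:COMPUTERNAME + '$'
New-SmbShare -Name "$Alias`$" -Path $Folder -ChangeAccess $caAccount | Out-Null

# 3. IIS virtual directory, double escaping (delta CRLs are named <CA>+.crl and request filtering
#    rejects the '+' otherwise) and directory browsing.
Import-Module WebAdministration
New-WebVirtualDirectory -Site 'Default Web Site' -Name $Alias -PhysicalPath $Folder | Out-Null
$vdir = "IIS:\Sites\Default Web Site\$Alias"
Set-WebConfigurationProperty -PSPath $vdir -Filter 'system.webServer/security/requestFiltering' -Name allowDoubleEscaping -Value $true
Set-WebConfigurationProperty -PSPath $vdir -Filter 'system.webServer/directoryBrowse' -Name enabled -Value $true

# 4. CRL publication URLs on the CA. Flag bits match the tick boxes in the post: 1 publish CRLs here,
#    2 include in CDP extension of issued certs, 4 include in CRLs, 8 include in IDP extension of
#    issued CRLs, 64 publish delta CRLs here. %3 = CaName, %8 = CRLNameSuffix, %9 = DeltaCRLAllowed.
$urls = @(
    '65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl',   # keep the default local location
    "14:http://$CdpFqdn/$Alias/%3%8%9.crl",                   # what issued certs point clients at
    "65:file://$Folder\%3%8%9.crl"                            # where the CA writes base and delta CRLs
)
certutil -setreg CA\CRLPublicationURLs ($urls -join '\n')     # certutil treats literal \n as the separator
Restart-Service certsvc
certutil -CRL      # publish a fresh base and delta CRL now rather than waiting for the schedule

# 5. Checks: files on disk, then the base CRL over HTTP by the URL form issued certs will carry,
#    parsed back so you know the served bytes are a real CRL and not an IIS error page.
$caName = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' -Name Active).Active
Get-ChildItem $Folder -Filter '*.crl' | Select-Object Name, LastWriteTime
$fetched = Join-Path $env:TEMP 'fetched.crl'
Invoke-WebRequest -UseBasicParsing -Uri "http://$CdpFqdn/$Alias/$caName.crl" -OutFile $fetched   # throws on 4xx/5xx
certutil -dump $fetched | Select-String 'Issuer|ThisUpdate|NextUpdate'
# On a client holding a certificate issued after this change, exported to client.cer (assumed name):
#   certutil -verify -urlfetch client.cer    # expect 'Verified "Base CRL"' and no revocation-check failure
```

The exit module tick box (Allow certificates to be published to the file system) is left as the GUI step in the post; it governs certificate publishing, not CRL publishing, so the CRL checks above pass without it. If the certutil -verify -urlfetch run on a client reports the CRL as unreachable, compare the URL it prints against the one in step 4 character for character: a missing alias or a short name instead of the FQDN is the usual cause.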

Now we turn to the Intune Evaluation, so as to integrate it with ConfigMgr for Hybrid mode.

  • From the ConfigMgr Console create a User Collection to host the accounts that can perform Intune device enrolment

image

  • I’ve called it Intune On-Premise Enrollment Users

image

  • I’ve not enabled incremental updates or a schedule, I'll be adding a test user manually. Complete the Collection wizard
  • Make sure you have Active Directory User Discovery enabled, and that at least one discovery of the Forest\Domain has taken place, confirm the user you want to do all the device enrolment with is seen by ConfigMgr
  • Add the enrolment administrator you’ve selected from your discovered Users to the newly created collection

 

Before you can continue, your Site server must have the Service Connection Point role installed, a prerequisite for Intune, make sure this is done, and that it is working. Once you have a working Service Connection Point (not blocked by a Proxy, Firewall, is synchronising) proceed.

  • From the ConfigMgr Console now go to Administration, expand Cloud Services, and right click Microsoft Intune Subscriptions, finally select Add Microsoft Intune Subscription

image

  • Select Next

image

  • Select Sign In

image

  • Tick off “I understand …” and Select OK

image

  • Sign into Intune using your Intune administrator account. If this fails, at the top of the guide I mentioned adding the Intune website to Internet Explorers Safe Zone …

image

  • You’ll see that the sign in is greyed out and you can proceed, Select Next

image

  • Select Browse
  • Select your newly created User Collection for Intune use

image

Select OK

image

  • Add some details, company name, choose colour scheme, select Site code, Select Next

image

  • Select Next

image

  • Add in a logo if you want, Select Next

image

  • Select Next

image

  • Select Next

image

  • Select Next

image

  • Select Close

Now we need to enable the Windows Platform for support via On premise MDM.

  • Right click the Subscription that has just shown up in the Microsoft Intune Subscriptions pane

image

  • Select Configure Platforms then Select Windows

image

  • Tick Enable Windows enrolment
  • Select OK

 

Since Mobile Device Management requires a secure (HTTPS) Management Point and Distribution Point, and because I want to run the Primary in HTTP mode due to the Fallback Status Point residing there, we need a new Site system - “We’re going to need a bigger boat!”.

Make sure your new Site system has a web certificate in place before you proceed, if you jumped the gun and gave it a certificate before we changed the Extension properties on the Certificate Authority, reissue the certificate to get the updated extensions for the CRL Distribution Point properties. I’m not sure if this is an important step for the web server certificate, most likely just the client certificate, but get it done anyway or circle back to it if things won’t work.

A Windows 10 device that has been domain joined will receive a Trusted Root Certificate as well as a Client Certificate, the trusted root cert from the domain join, and the client cert from a group policy that should already be setup to auto enrol devices. For workgroup devices, make sure you’ve exported your Trusted Root Certificate, and the Client Certificate (use the DP Client certificate if you made one, or the WINPE Boot Image as they all have the Client Authentication purpose) as you’ll need them.

  • Create a VM for your new Site system, install IIS and make sure IIS is configured for an MP and DP, has the site server’s computer account added to local administrators, and has the web certificate added (see this guide for the steps)
  • From the ConfigMgr Console create the new site system, make sure your Site server is in the local administrators group of the Site System beforehand, and set up the roles using HTTPS mode. Note that when adding roles, include the internal FQDN in the Internet FQDN field
  • Add the Enrollment Point and Enrollment proxy point
  • Select Next
  • Nothing to configure, Select Next
  • Select Next, Next, Close.
  • Check the SITECOMP log to confirm the roles were installed correctly. Also check the component log files on the Site system. If the Site system that you are installing these roles onto has not yet been configured for HTTPS\SSL, you’re going to get errors. Restarting Site Component Manager on the Site server will retry if you fall foul of a prerequisite issue
  • I had problems in this area: I had to reboot the Site system before the roles would install and activate correctly. A significant indicator that something is up is if the CMEnrollmentService.log is missing. I re-seated the roles then rebooted, but I suspect, and Gerry Hampson has confirmed, that a single reboot after initial role deployment would have fixed the problem

 

  • Once you know that HTTPS is working fine for the two roles you just installed, go ahead and install the Management Point and Distribution Point in HTTPS mode
  • Make sure the Distribution Point is configured as below, importing the Distribution Point Client certificate
  • Tick Allow mobile devices to connect to this distribution point
  • Make sure your Management Point is configured as below. I had issues with the Management Point where I had to configure SQL permissions for the newly created Site system by hand, so that the Management Point had access to the smsdbrole_DMP and smsdbrole_MP SQL roles
  • Tick Allow mobile devices and Mac computers to use this management point
  • Make sure both roles go on correctly: the MPControl log on the Site system should let you know all is well with the Management Point, and DistMgr on the Site server will let you know if the Distribution Point went on ok and is working.

 

  • Import the exported Trusted Root Certificate into your Site server. Note that I do not think this step should be necessary. If you skip it and get stuck at the end of the guide with devices that won’t enrol, come back here and set it. I don’t think this is necessary in B1511 and onwards but I imported while I was troubleshooting (it did not move things forward at the time) so cannot confirm myself.

If you want to, you can install the ConfigMgr Agent onto a device in HTTPS mode and deploy something to it; this will test your MP and DP running in HTTPS mode.

We’ll now make a change to the Default Client Settings so that users will be able to enrol Modern Devices (Windows 10 et al). First we create a Certificate Profile that specifies the Trusted Root Certificate used to verify the authenticity of the device. This certificate is not passed to the device being enrolled; it is merely used to validate the authenticity of the device being enrolled.

  • From the ConfigMgr Console head to Assets and Compliance, expand Compliance Settings, Company Resource Access and right click Certificate Profiles, select Create Certificate Profile
  • Enter a descriptive name
  • Select Trusted CA certificate
  • Select Next
  • Point to your exported Certificate Authority Root Certificate file, making sure the Destination store is Computer certificate store – Root
  • Select Next
  • Select Windows 10
  • Select Next, Close

Now we need to configure Default Client settings to allow modern devices to enrol.

  • Open up your Default Client settings
  • Make sure Allow users to enroll modern devices is set to Yes
  • Select Set Profile …
  • Select Create
  • Give it a descriptive Name
  • Select the Management site code
  • Select the newly created Certificate Profile from the Certification Configuration pane
  • Select OK
  • Select OK
  • Your Client Settings should now be enabled and show the enrolment profile being used

 

Now on the Windows 10 device, if it is in workgroup mode, import the Trusted Root Certificate into the computer’s Trusted Root Certification Authorities store and the Client certificate into the Personal store, both for the Computer. If it is domain joined this isn’t necessary, as both certificates are provided: the root certificate is issued during the domain join, and the client certificate is auto-enrolled via Group Policy (if all is set up correctly!).

The Client certificate is necessary so that the device can contact the Device Management Point for policy, and the Distribution Point for content post-enrolment. The trusted root certificate is needed to get the enrolment underway via the HTTPS enabled Enrollment Proxy Point, which wouldn’t trust us if we didn’t have it.

If in workgroup mode without the trusted root certificate, you’ll be blocked at enrolment. Without the client certificate you’ll enrol but have issues later on with deployments to the device.

 

Now let’s manually enrol a device. Note that there is the option to bulk enrol which is covered here, it leverages ConfigMgr and the Windows 10 ADK to produce a package that can be executed on a Windows 10 device, automating and watering down the enrolment process to just handling the execution of a package (local interaction) on the device.

I’m using an activated version of Windows 10 Enterprise Build 10240.

  • Open Settings
  • Click Accounts
  • Click Connect
  • Tap in the credentials (UPN) for the Intune enrolment administrator that you put in the user collection a while back and select Continue
  • Now you’ll be prompted for the Enrollment Proxy Point FQDN, select Continue
  • We are now talking to the ConfigMgr Enrollment Proxy Point!
  • Tap in the credentials (UPN) again and select Sign In
  • This is pretty much confirmation that we’re able to talk to the Enrollment Point
  • Let Windows store the credentials away, and Select Yes to get underway
  • We wait a few moments for the process to complete
  • That’s it, the device is enrolled. Select Done
  • If the device wouldn’t enrol, you can take a look at the device’s event log: open Applications and Services (it takes a bit of time to render the list), then expand Microsoft, Windows and DeviceManagement-Enterprise-Diagnostics-Provider, click Admin and you’ll be greeted with events that may show why the enrolment failed
  • Click on the Intune Evaluation grey box, it will expand out to show multiple buttons
  • Clicking Info will show us whether the sync is underway; problems with certificates will cause this to fail instantly
  • Errors at this point are most likely going to be due to the enrolment point or the enrolment proxy point not installing correctly, or the certificates not being configured correctly. If you are in doubt whether your PKI is working, install a ConfigMgr Agent in HTTPS mode and test it.
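Before blaming the roles, it is worth checking the device side of the certificate story. This is an added example, not code from the original post or from ConfigMgr: a PowerShell script that verifies the trusted root and client certificate described above on the Windows 10 device, inspects the TLS certificate the Enrollment Proxy Point presents, and reads the same DeviceManagement-Enterprise-Diagnostics-Provider Admin log; the FQDN and root CA subject are placeholders to substitute.

```powershell
# Added example for this guide (not code from the original post). Checks, on a
# Windows 10 device, the certificate state that on-premise MDM enrolment depends on,
# and pulls the event log the guide points you to. Both values below are
# placeholders: substitute your Enrollment Proxy Point FQDN and your root CA subject.
param(
    [string]$EnrollmentProxyFqdn = 'epp.corp.example',   # placeholder
    [string]$RootCaSubject       = 'CN=Corp Root CA'     # placeholder
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication enhanced key usage

function Test-ChainToRoot {
    # Builds the chain with an online revocation check (this is where the CRL
    # Distribution Point extension gets consulted) and reports whether the chain
    # ends at the expected trusted root.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $built = $chain.Build($Cert)
    $top   = ($chain.ChainElements | Select-Object -Last 1).Certificate
    [pscustomobject]@{
        Subject     = $Cert.Subject
        NotAfter    = $Cert.NotAfter
        ChainValid  = $built
        RootMatches = [bool]($top -and $top.Subject -like "*$RootCaSubject*")
        ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    }
}

function Test-HasClientAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $eku) { return $false }
    $oids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
    return ($oids -contains $clientAuthOid)
}

function Get-EnrolmentCertificateStatus {
    # 1. Trusted root in the computer's Trusted Root Certification Authorities store:
    #    without it the HTTPS Enrollment Proxy Point is not trusted and enrolment is blocked.
    $root = @(Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "*$RootCaSubject*" })

    # 2. Client certificate in the computer's Personal store: private key present, still
    #    valid, carrying Client Authentication, and chaining to that root. Without it the
    #    device enrols but cannot talk to the Device Management Point or Distribution Point.
    $clients = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and (Test-HasClientAuthEku -Cert $_)
    })

    [pscustomobject]@{
        RootPresent      = ($root.Count -gt 0)
        RootThumbprint   = (($root | ForEach-Object { $_.Thumbprint }) -join ',')
        ClientCertCount  = $clients.Count
        ClientCertChains = @($clients | ForEach-Object { Test-ChainToRoot -Cert $_ })
    }
}

function Test-EnrollmentProxyTls {
    # Opens a TLS session to the Enrollment Proxy Point and checks the certificate it
    # presents: does the name match, and can this device chain it to the trusted root.
    param([string]$Fqdn)
    # Accept the server certificate in the callback so the chain can be examined below
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, 443)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Fqdn)
        $serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result  = Test-ChainToRoot -Cert $serverCert
        $dnsName = $serverCert.GetNameInfo('DnsName', $false)
        $result | Add-Member -NotePropertyName NameMatches -NotePropertyValue ($dnsName -eq $Fqdn) -PassThru
    } finally {
        $tcp.Close()
    }
}

function Get-EnrolmentDiagnosticEvents {
    # The same log the guide has you open in Event Viewer under
    # Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin
    param([int]$Count = 25)
    Get-WinEvent -LogName 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin' `
        -MaxEvents $Count -ErrorAction SilentlyContinue |
        Where-Object { $_.Level -le 3 } |          # 1 = Critical, 2 = Error, 3 = Warning
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Run all three checks and print the results
$status = Get-EnrolmentCertificateStatus
$status | Format-List RootPresent, RootThumbprint, ClientCertCount
$status.ClientCertChains | Format-Table -AutoSize
Test-EnrollmentProxyTls -Fqdn $EnrollmentProxyFqdn | Format-Table -AutoSize
Get-EnrolmentDiagnosticEvents | Format-Table -AutoSize -Wrap
```

A ChainStatus of RevocationStatusUnknown or OfflineRevocation on the client certificate points back at the CRL Distribution Point extension discussed earlier, rather than at the enrolment roles.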

 

  • Open up the ConfigMgr Console and go look for your Windows 10 device by its host name in the Devices node
  • You’ll see that it has a different icon than a normal device: a mobile device icon
  • Right click and select Start then Resource Explorer
  • It may take a few minutes for it to appear, but we will see a limited set of inventory appear; for now this really is all we’ve got
  • Come back to ConfigMgr, and right click the device again
  • As you can see the options for this resource record are different from those of a normal device resource record
  • A good end to end test is to tell the device to lock. Make sure the device is unlocked, then select Remote Device Actions and select Remote Lock
  • We’ll be prompted to confirm

Head to your device, confirm that the console session has locked.

And to wrap things up, take a look at the device’s resource record.

 

Well, for those of you that made it up the mountain, congratulations!

I’d recommend checking out Kent, Panu and Gerry’s guides as well since they had bits I've not covered here as deeply on troubleshooting.

I found this handy for looking up MDM errors

ConfigMgr Build 1602– Deploy overview


 

Today I see that ConfigMgr Current Branch Build 1602 has been released. I installed it onto 1511 today, and thought I’d put together a brief guide to give a light overview of the installation process, showing how easy it is now that it is integrated into the product. Configuration Manager as a Service (CaaS) really is kicking in, with the flow of change ramping up.

The Updates and Servicing feature relies entirely on the Service Connection Point role that was introduced in Configuration Manager Current Branch (and LTSB). I suspect that in a day or two, when standing up a Build 1511 Site server and then deploying this role, you will see Build 1602 showing within minutes of the first sync, whereas today it may take a few more hours before everyone can see the update pack globally.

To deploy a 1602 site server you must first deploy the ‘baseline’ build, which is currently 1511. You can move from 1511 to 1602 in both offline and online modes (offline servicing just means having the 1602 kit to hand rather than downloading from the internet). After a year, a new baseline build should replace 1511, so that a single installation gets you to the current build. I would not expect that to last long; a double install will be the norm, since these update packs are released on quite a quick cadence.

Here’s the release version matrix for current branch as it now stands:

  • Build 1511: 5.00.8325.1000
  • Build 1602: 5.00.8355.1000

Note that 1602 updates a 1511 database. It will most likely always be okay until it isn’t, so please make sure you are backing up your SQL DB. Unlike past versions of Configuration Manager, if installing an update fails you should not need to perform a site recovery and can instead retry the update installation. Therefore, while the test upgrade of the database is less critical than in past product versions, it remains a concern and a recommended step (more so for production!).

 

On the subject of database changes and failure during upgrade, you should note this statement in the documentation here

Unlike past versions of Configuration Manager, if installing an update fails you should not need to perform a site recovery and instead can Retry the update installation. Therefore, while the test upgrade of the database is less critical than in past product versions it remains a recommended step.

Failure during upgrade can be retried, previously the show was over, and a restore was needed, pretty rad that!

 

  • On a 1511 Site server, the 1602 update pack shows up in the Updates and Servicing node once it has arrived
  • Clicking on the 1602 update pack will give you some options via the Ribbon or a Right click

 

I’ve already covered most of how the Updates and Servicing mechanism works in this blog post here; in this post I’ll simply walk lightly over deploying Current Branch Build 1602 to a lab based Stand-alone Primary Site server.

 

Let’s get the upgrade from B1511 to B1602 underway.

 

  • Go create a device collection, call it Client Pre-deployment (Validation of B1602)
  • Add some devices to the new collection, these will be automatically updated for us

 

  • From the Console, go to Administration, Cloud Services, Updates and Servicing
  • If Build 1602 does not show, then from the ribbon or a right click select Check for updates
  • If it shows then most likely it’s already been downloaded, but if it doesn’t show and initiating a check for updates or a recycle of the SMS_Executive service gets it to appear, check the DMPDownloader log file on the Site server
  • You should see that something is afoot: a cab being downloaded, unpacked and verified, and then the download of the update pack completing

 

Even though we can retry if there is any failure during the upgrade while dealing with SQL, it would make sense to copy your database over to a server hosting the same SQL edition (with the same service packs and hotfixes as the ConfigMgr Database Site server) so as to test the upgrade on your database using TestDBUpgrade. I’d do this every single time with production; for the lab I don’t bother. That a retry after upgrade failure is supported indicates that, most likely, over the coming releases we should see far more robustness in the whole SQL upgrade process, until nursing it becomes a distant memory.

Check out Nickolaj Andersen’s post here on handling TestDBUpgrade. It is pretty simple, though it takes a bit of effort to keep SQL Server like for like. For 1602 I didn’t dig out where the install kit was pre-installation; after it has been downloaded you’ll have to go find the installation kit (might be in cab-only form at this point, or in unpacked form, go eke it out) in the ConfigMgr folder once the 1602 state changes to available.

  • Once you are ready to proceed with the upgrade, from the Updates and Servicing node, right click the 1602 update pack
  • Select Install Update Pack
  • We’re welcomed by the Configuration Manager Updates Wizard
  • You can tick Ignore any prerequisite check warnings and install this update regardless of missing requirements, so as to override any warnings regarding requirements not being met, or let it stall and notify you so you can resolve them
  • Select Next
  • This is where we select the features we want installed, as you can see 1602 delivers:
    • Apple Volume Purchase Program
    • Windows 10 conditional access with health attestation service
    • iOS Activation Lock management
    • iOS App configuration
  • Tick or untick the features you are interested in
  • Select Next
  • Your choice on whether you update your current production ConfigMgr Client package with the Build 1602 Client kit straight off, or whether you stage the event and, when confident, perform the update later
  • Select Browse
  • Find the collection you created earlier
  • Select OK
  • Looking good, we’re going to validate the client in pre-production, by deploying to a specific collection of devices and not the entire estate
  • Select Next
  • Tick the licence agreement checkbox
  • Select Next
  • Select Next
  • Select Close

 

  • From the Updates and Servicing node we can see that things are underway
  • If you have a CAS there is over 1GB of content that needs to be replicated; for a stand-alone primary this shouldn’t take more than a few minutes
  • Once the staging is complete, the prerequisite checker will kick in
  • This part will take a long time
  • Once the prerequisite checker has completed with no errors (and we’re ignoring or observing missing requirement warnings) you should see the status transition to Installing
  • Let’s take a look at the prerequisites
  • Head to Monitoring, Site Servicing Status, and from the Ribbon or a right click select Show Status
  • We can see what did and didn’t pass …
  • Also check out the CMUpdate log
  • Once the update pack’s status changes to installed, check out the SiteComp log to make sure all the components\roles have reinstalled correctly
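Rather than eyeballing CMUpdate.log and SiteComp.log, the warning and error entries can be pulled out programmatically. This is an added example, not code from the original post or from the product: a PowerShell parser for the single-line ConfigMgr (CMTrace) log entry format, run over constructed sample lines and then, if they exist, over the real logs under the default install path.

```powershell
# Added example (not code from the original post): a small parser for the ConfigMgr
# log format so that CMUpdate.log, sitecomp.log or DMPDownloader.log can be scanned
# for the warning/error entries the guide has you look for. The sample lines are
# constructed, not real log output; the log path is the product default, adjust it.
$cmLogEntry = '^<!\[LOG\[(?<msg>.*)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"[^>]*?\btype="(?<type>\d)"[^>]*>$'
$severity   = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }

function ConvertFrom-CMLog {
    # Turns single-line CMTrace-format entries into objects. Entries whose message
    # spans several physical lines are skipped (their header sits on the last line only).
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    process {
        if ($Line -match $cmLogEntry) {
            [pscustomobject]@{
                Date      = $Matches['date']
                Time      = ($Matches['time'] -split '[+-]')[0]   # drop the UTC offset suffix
                Component = $Matches['comp']
                Severity  = $severity[$Matches['type']]
                Message   = $Matches['msg']
            }
        }
    }
}

function Get-CMLogTimestamp {
    # CMTrace dates are MM-dd-yyyy; returns DateTime.MinValue if the stamp is unparsable
    param($Entry)
    $stamp = [datetime]::MinValue
    $null = [datetime]::TryParseExact("$($Entry.Date) $($Entry.Time)", 'MM-dd-yyyy HH:mm:ss.fff',
        [cultureinfo]::InvariantCulture, 'None', [ref]$stamp)
    return $stamp
}

function Get-CMLogProblems {
    # Warning and Error entries from one or more logs, optionally only those written
    # since a given time, e.g. the moment you clicked Install Update Pack.
    param(
        [Parameter(Mandatory = $true)][string[]]$Path,
        [datetime]$Since = [datetime]::MinValue
    )
    Get-Content -Path $Path | ConvertFrom-CMLog | Where-Object {
        $_.Severity -ne 'Info' -and (Get-CMLogTimestamp -Entry $_) -ge $Since
    }
}

# Constructed sample lines in the CMTrace format (not real output)
$sample = @(
    '<![LOG[Starting prerequisite check for update 5.00.8355.1000]LOG]!><time="10:01:02.123+000" date="03-11-2016" component="CMUpdate" context="" type="1" thread="1234" file="cmupdate.cpp:100">',
    '<![LOG[Prerequisite warning: pending restart detected on site server]LOG]!><time="10:01:05.456+000" date="03-11-2016" component="CMUpdate" context="" type="2" thread="1234" file="cmupdate.cpp:200">',
    '<![LOG[Failed to install a site component; will retry on next cycle]LOG]!><time="10:05:00.789+000" date="03-11-2016" component="SMS_SITE_COMPONENT_MANAGER" context="" type="3" thread="5678" file="sitecomp.cpp:300">'
)
$sample | ConvertFrom-CMLog | Where-Object { $_.Severity -ne 'Info' } | Format-Table -AutoSize

# Against a real site server (default install path; change to suit your installation)
$logDir = 'C:\Program Files\Microsoft Configuration Manager\Logs'
if (Test-Path $logDir) {
    $logs = @("$logDir\CMUpdate.log", "$logDir\sitecomp.log") | Where-Object { Test-Path $_ }
    if ($logs) {
        Get-CMLogProblems -Path $logs -Since (Get-Date).AddHours(-6) | Format-Table -AutoSize -Wrap
    }
}
```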

 

  • A resource record of a device in the pre-production collection showed that it had been automatically updated for me

 

 

If you had any consoles open, after a bit of cruising they should start to prompt you to upgrade to a newer version. Opening a new 1511 console will produce the same prompt until it has been accepted, which will kick off the console upgrade.

 

  • Accepting the upgrade will get the Console MSI downloaded from the Site server and the upgrade process underway
  • MSI logic detected that I had a Console related executable still in memory, Status Message Viewer, which was blocking the upgrade, so I closed that manually and clicked OK

The MSI Installer then rolls off the older version, and rolls on B1602.

  • A quick nose around the Features node of Updates and Servicing shows us the features, which can also be viewed in the documentation here.

Also, my three test clients all upgraded to 1602 as well. I did have a delay here, and I am not 100% sure right now what caused it, but the clients all kicked off their upgrades once they fetched their policy from the MP.

 

Okay that’s it, done, and it was easy wasn’t it!

Once we are all good with the client upgrade, we can switch the 1602 Client kit to become the production kit used for all future client deployments.

 

  • Navigate to the Updates and Servicing node again
  • From the Ribbon or a Right click select Client Update Options
  • Tick I am ready to make pre-production client version available to production
  • Select OK
  • Get the hierarchy Settings up and you’ll see that pre-production deployment has been turned off, and the production client version has changed to 5.00.8355.1000

You could also check at the file level to make sure the client files have been upgraded; perhaps I’ll circle back for that fully and update the guide another time, but the file properties of CCMSETUP.EXE show its version (8355 is 1602).

Feature-wise, the in-place upgrade of the operating system of site servers that run Windows Server 2008 R2 is a real winner, enabling many quick upgrades to supported OS versions without a backup\restore being needed. Very enabling, as is support for SQL Server AlwaysOn availability groups. For mobility there’s a whole bunch of iOS MDM related features pouring in too, nice, and cloud-wise we have more management over Office 365 usage\deployment. For the full list of features don’t forget to check out the documentation.

Configuration Manager and the Cloud

Configuration Manager and the Cloud - 31st March 2016

Join WMUG on the day for System Center Configuration Manager and on-premise\off-premise Cloud sessions. Thursday, 31st March 2016.

Featuring three (3) Microsoft MVP's, Robert Marshall (EM), Gerry Hampson (EM) and Sam Erskine (CDM), alongside the WMUG team, guest speakers and our event sponsor, Flexera Software.

The agenda will be as follows (time, subject, speaker):

  • 09:00 Registration & Coffee
  • 09:20 Welcome from WMUG (WMUG Team): a brief introduction to the User Group, who we are, and our goals for the year
  • 09:30 System Center with Flexera Software (Paul Hossack): overview of Flexera Software products and features
  • 10:15 BREAK
  • 10:30 High Availability in Configuration Manager with Management Point replicas (Paul Winstanley): let's stop panicking about single points of failure with our site servers and do something about it
  • 11:15 On-premise Mobile Device Management with Configuration Manager (Gerry Hampson, EM MVP - WMUG Team): walk through showing how to configure the solution
  • 12:00 LUNCH
  • 12:45 Servicing Configuration Manager (Robert Marshall, EM MVP - WMUG Team): considerations around the new servicing model for ConfigMgr
  • 13:30 OMS - Take the guess work out of Software Update Management (Sam Erskine, CDM MVP): how can OMS help with Software Update Management and a whole lot more. Sam, serial author and speaker, will share how, and you can do this with no infrastructure change
  • 14:15 Managing Windows 10 in a cloud only model (Matt White - WMUG Team)
  • 15:00 BREAK
  • 15:15 BranchCache/BITS/PeerCache best practices for Configuration Manager (Phil Wilcock - 2pint Consultant): the "slow lane" for content management better described
  • 16:00 Questions for speakers & open discussion (All): open mic for the audience to pick discussion points with the speakers
  • 16:45 Thanks and giveaways
  • 17:10 Close

The event is completely FREE to you including refreshments and lunch, courtesy of our sponsor for the day Flexera. Please note that registrants' Name and Email address will be provided to the Sponsor, please do let us know if this is an issue for you. We view providing your details as a small token of gratitude towards the Sponsor, which enables the event to be free.

Flexera Software is the leading provider of next-generation software licensing, compliance, security and installation solutions for application producers and enterprises. Their next-generation software licensing, compliance and installation solutions are essential to ensure continuous licensing compliance.

We also have an open questions session back by popular demand, and of course some giveaways for those who make it to the end of the day.

So what are you waiting for? Register now! There are limited seats available, and as always, we expect these to fill up quickly. Don't delay or you may be disappointed. If you book and are unable to attend, please do cancel your booking via the event page so that others may take up the opportunity, thank you.

Venue location: Microsoft, 2 Kingdom Street, LONDON, W2 6BD

About the speakers:

Paul Hossack - Paul is our sponsor guest speaker for this event, and will give us a demo of Flexera Software product offerings. Paul has been securing networks since 2007. A seasoned project leader and encryption specialist, and most recently hardware firewall adept, Paul is an expert in his field. Now working with Flexera Software (formerly Secunia) he brings his skills to vulnerability defence.

Paul Winstanley - Independent contractor with 20+ years experience. 7 years specialised in Configuration Manager and Enterprise Client Management. Also a CGJam Contributor and Pi enthusiast who regularly teaches kids in his spare time.

Gerry Hampson - Senior Consultant Engineer with Ergo Group based in Dublin. Recently awarded his first MVP in Enterprise Client Management through his awesome work on gerryhampsoncm.blogspot.ie and Microsoft TechNet forums.

Robert Marshall - Owner and Senior Consultant at London based Consultancy SMSMarshall Ltd, specialists in ConfigMgr. Microsoft EM MVP in Configuration Manager since 2009, and WMUG founder in 2006.

Sam Erskine - Samuel is our guest speaker, a CDM MVP, and an independent IT consultant and trainer, specializing in System Center and MS Cloud technologies. He is the content designer and lead author of several Microsoft System Center Cookbooks, and co-author of two System Center Unleashed books.

Phil Wilcock - Phil is our guest speaker, and has been in IT for a long time. Some would say too long. He started life as a farmer, ended up managing a huge Moo-Cow database (the DB was large not the cows), worked for Bill Gates for a while, co-founded 1e.com, went back to farming for a few years, trained as a Butcher and is now Director at 2pint Software, a specialist in Configuration Manager and presenter.

Configuration Manager and the Cloud - 31st March 2016


Thank you to all that attended the Configuration Manager and the Cloud event!

And a big thank you to our sponsors Flexera Software

The event was set for 50 attendees, but we had 8 slots reserved for the WMUG Team to make sure we had a seat. We were fully booked within the first week. On the day, our attrition rate was the lowest we've ever seen other than when we had Wally Mead over, and we were pretty much just down a handful of attendees.

This time we wanted more speakers to fit into the day so we reduced session times from 1 hour to 45 minutes, it seemed to work, gave us an additional slot at the end of the day, as a format it seemed to go down well with the attendees.

Before we move on we would like to thank those that cancelled and informed us of their non-attendance, it allowed us to pass their ticket to the reserves, good job!

The venue @ Microsoft Paddington in London was very well laid out, all our equipment worked (there were some niggles that failed a demo, but something we can resolve next time). We'll definitely go back, and we have taken note of those that would like Reading to go back on our venue list. I'm sure we'll see Reading at some point this year, as well as new venues (North of England and Ireland) being planned.

Paul Hossack was first up, with a presentation around the Flexera Software product range. It was very provocative (security and keeping up with patching always is!), and the audience really soaked that presentation up, with lots of questions fired at Paul, who had this nailed down hard, responding to all the questions with reasonable responses and style.

Next up was Paul Winstanley (SCCMentor) from the WMUG Team, who presented on Management Point Replicas and high availability of ConfigMgr. It provoked a lot of discussion on design and how architects should think when it comes to high availability.

Followed by Gerry Hampson - Enterprise Mobility MVP and WMUG Teamie who touched on his favourite subject at the moment, managing Modern Devices using on premise Mobile Device Management. Pretty cool stuff, don't forget to check out his posts on the subject here

Next up Robert Marshall - Enterprise Mobility MVP and WMUG Leader who gave a whistle stop tour of Servicing, while impressing on the audience the importance of checking the integrity of backups and having a DEV environment to perform a TESTDBUPGRADE before upgrading DEV and PROD. By the time he'd finished everyone had a DEV lab setup due to his constant tutting at not having one (joking, practically everyone put their hand up when he asked if they had a DEV environment) and they knew to check backups before upgrading and not assuming the backups are solid :-) Read more from Robert Marshall on servicing here and here

Sam Erskine - Cloud and Datacenter Management MVP gave us a good overview of OMS, and dug deep to show us some of the features he thinks are mind-blowing, such as Event Log harvesting. As with all the other sessions, humour permeated the air and Sam entertained us well while covering off a novel but interesting technology.

Matt White - MCS Consultant and WMUG teamie gave us a great overview of managing Modern Devices (Windows 10) in a cloud-only model. What a great way to show off how far things have come with the Cloud technologies at Microsoft

And to wrap the presentations on the day, Phil Wilcock of 2Pint Software gave us a very detailed run through of BITS\BranchCache and PeerCache. The depth was stunning, recounting tales of yore (the story behind BranchCache and its author's demise) as well as giving insight into areas of the subject matter: a very revealing, empowering session. The audience would have eaten up a lot more but we ran out of time.

As usual we had something to give away, and this time thanks to our sponsor Flexera Software we were able to give a Raspberry Pi (V3) away to a lucky winner

Well done Craig Strong! We hope to see some pictures of you and whatever you get the Pi to do!

Paul Winstanley gave away the prize, since Paul eats sleeps and lives Raspberry Pi! (Ask him what that is all about, interesting story ...)

We also had a special give-away, a USB Hub that was previously owned by the generous grand-father of SMS Wally Mead. Robert Marshall had this in his stash for a couple of years and it was time to let it go!

Keith Sanderson won the prize by guessing Who owned this device? I had to hint a just a little, but I did leave it open!

And finally, not really related to the event itself, but at the venue there was a Microsoft Surface Hub and some of us gave it a spin, if WMUG had the cash and a need for a meeting room We'd love to have one of these, so super cool!

All presentations except the Flexera Software presentation can be downloaded from here

Well, what is next, keep an eye on the WMUG Tweet account as we have two additional physical events lined up for the South of England, and a possible event taking place further North, as well in Ireland. We'll announce all of this as things are locked into place.

In the meantime, please do keep an eye on the WMUG Tweet account for our announcements for further WMUG Clinics - The intent is to rerun the same sessions from this event and go further, or dwell on areas that are of interest to the audience in an informal setting.

Again, thank you for attending, and thank you again to our very cool sponsors Flexera Software!

The WMUG TEAM


Join WMUG on the day for System Center Configuration Manager and on-premise\off-premise Cloud sessions.

Thursday, 31st March 2016.

Featuring three (3) Microsoft MVP's, Robert Marshall (EM), Gerry Hampson (EM) and Sam Erskine (CDM), alongside the WMUG team, guest speakers and our event sponsor, Flexera Software.

The agenda will be as follows:

TimeSubjectSpeaker
09:00Registration & Coffee
09:20Welcome from WMUGWMUG TeamBrief introduce to the User Group, who we are, and our goals for the year
09:30System Center with Flexera SoftwarePaul HossackOverview of Flexera Software products and features
10:15BREAKBREAKBREAK
10:30High Availability in Configuration Manager with Management Point replicasPaul WinstanleyLet's stop panicking about single point of failure with our site servers and do something about it
11:15On-premise Mobile Device Management with Configuration ManagerGerry Hampson EM MVP - WMUG TeamWalk through showing how to configure the solution
12:00LUNCHLUNCHLUNCH
12:45Servicing Configuration ManagerRobert Marshall EM MVP - WMUG TeamConsiderations around the new servicing model for ConfigMgr
13:30OMS - Take the guess work out of Software Update ManagementSam Erskine CDM MVP

How can OMS help with Software Updates Management and a whole lot more. Sam, serial author and speaker will share how, and you can do this with no infrastructure change

14:15Managing Windows 10 in a cloud only modelMatt White - WMUG Team 
15:00BREAKBREAKBREAK
15:15BranchCache/BITS/PeerCache best practices for Configuration ManagerPhil Wilcock - 2pint ConsultantThe "slow lane" for content management better described
16:00Questions for speakers & open discussionAllOpen mic for the audience to pick discussion points with the speakers
16:45Thanks and giveaways
17:10Close

The event is completely FREE to you including refreshments and lunch, courtesy of our sponsor for the day Flexera. Please note that registrants Name and Email address will be provided to the Sponsor, please do let us know if this is an issue for you. We view providing your details as a small token of gratitude towards the Sponsor, which enables the event to be free.

Flexera Software is the leading provider of next-generation software licensing, compliance, security and installation solutions for application producers and enterprises. Their next-generation software licensing, compliance and installation solutions are essential to ensure continuous licensing compliance.

We also have an open questions session back by popular demand, and of course some giveaways for those who make it to the end of the day.

So what are you waiting for? Register now! There are limited seats available, and as always, we expect these to fill up quickly. Don't delay or you may be disappointed. If you book and are unable to attend, please do cancel your booking via the event page so that others may take up the opportunity, thank you.

Venue location

Microsoft,

2 Kingdom Street,

LONDON,

W2 6BD

About the speakers:

 

Paul Hossack - Paul is our sponsor guest speaker for this event, and will give us a demo of Flexera Software product offerings. Paul has been securing networks since 2007. A seasoned project leader and encryption specialist, and most recently hardware firewall adept, Paul is an expert in his field. Now working with Flexera Software (formerly Secunia) he brings his skills to vulnerability defence.

Paul Winstanley - Independent contractor with 20+ years experience. 7 years specialised in Configuration Manager and Enterprise Client Management. Also a CGJam Contributor and Pi enthusiast who regularly teaches kids in his spare time.

Gerry Hampson - Senior Consultant Engineer with Ergo Group based in Dublin. Recently awarded his first MVP in Enterprise Client Management through his awesome work on gerryhampsoncm.blogspot.ie and Microsoft TechNet forums.

Robert Marshall - Owner and Senior Consultant at London based Consultancy SMSMarshall Ltd, specialists in ConfigMgr. Microsoft EM MVP in Configuration Manager since 2009, and WMUG founder in 2006.

Sam Erskine - Samuel is our guest speaker, a CDM MVP, and an independent IT consultant and trainer, specializing in System Center and MS Cloud technologies. He is the content designer and lead author of several Microsoft System Center Cookbooks, and co-author of two System Center Unleashed books.

Phil Wilcock - Phil is our guest speaker, and has been in IT for a long time. Some would say too long. He started life as a farmer, ended up managing a huge Moo-Cow database (the DB was large not the cows), worked for Bill Gates for a while, co-founded 1e.com, went back to farming for a few years, trained as a Butcher and is now Director at 2pint Software, a specialist in Configuration Manager and presenter.

WMUG TechTalk - Overview of Flexera Software products and features


WMUG TechTalks presents an Overview of Flexera Software products and features.

Your host for this session is Robert Marshall - Enterprise Mobility MVP, and your presenter is Paul Hossack from Flexera Software.

 

This session is a repeat and extension of the session presented by the event sponsors at the recent WMUG Configuration and the Cloud event, with the opportunity for further Q&A with the Flexera Software presenter Paul Hossack.

 

Attendance is free, with the requirement for Skype for Business Full or Web App.

 

Tips

  • Make sure you have Skype for Business Full or Web App installed before you join the meeting
  • Mute your microphone
  • Use the Chat feature of Skype for Business to ask questions

 

Click here to join the event on the 24th of May 2016 at 8PM UK BST time.

 

Paul Hossack - Paul will give us a demo of Flexera Software product offerings. Paul has been securing networks since 2007. A seasoned project leader and encryption specialist, and most recently hardware firewall adept, Paul is an expert in his field. Now working with Flexera Software (formerly Secunia) he brings his skills to vulnerability defence.

Robert Marshall - Owner and Senior Consultant at London based Consultancy SMSMarshall Ltd, specialists in ConfigMgr. Microsoft EM MVP in Configuration Manager since 2009, and WMUG founder in 2006.

WMUG TechTalk - System Center with Flexera Software


I Am Back!


After a long holiday away from blogging, I am back!

Over the next few months I plan on overviewing all the cool Technical Preview features, as well as rocking on back to Current Branch to kick the tyres on the super awesome functionality that is bundled.

 

One technology I haven’t covered much outside of work is Intune. I’m really liking how that technology is progressing, and I plan on pushing out a few posts over the coming weeks to explore what I am doing with it at customer sites.

Azure really has my ear as well, especially the integration we now have with ConfigMgr (Not just the Cloud DP!).

I am absolutely overjoyed at how things are going with ConfigMgr, an epic time to be a ConfigMgr admin.

Push-based Replica Management Point


 

I decided a while back that when I finally set about publicly documenting the pathway to enable push-based Replica Management Points in ConfigMgr, I wouldn’t go into much detail explaining what they actually are, or pitch their usefulness and all that, as we’d get bogged down in details that are already out there.

The likes of Brian Mason and Kent Agerlund have for many years been fleshing out the justification and use-cases, and have produced some great guides to getting them up and running; even our own Paul Winstanley at WMUG has put together a guide. So instead I thought I’d visualise a particular problem where a default Pull-based Replica Management Point falls short, and show how implementing a Push-based Replica Management Point solves that problem.

 

In the below shot, I’ve mocked up a visual showing how SQL is used by a Management Point in the three scenarios that it currently covers:

  1. Management Point in close proximity to the Site Database (in terms of network location)
  2. Management Point using remote Site Database to service Clients
  3. Replica Management Point using a replica of the Site Database to service Clients

image

Now this works just fine as long as you’ve got communications pathways back to the Site server's Database, but when operating in restrictive environments where those pathways are blocked, it means taking Replica Management Points off the design board as a design element.

To get things underway, I’ll focus more on the reason for the drawback in using Replica Management Points in those environments, and show how to put them back on the design board.

So here we are, a very basic network and services diagram, showing on the left a trusted network, and on the right two untrusted networks.

image

The untrusted networks are not allowed to communicate back to the trusted network, for obvious reasons, and the communications back in that direction are blocked, as is shown using the red crosses above.

The Microsoft documentation for setting up a Replica Management Point guides the administrator into creating a subscription on the Replica SQL Database, which makes it a Pull-based method for replication. So by default, a Replica Management Point is a pull-based mechanism.

I would only recommend using a Push-based Replica Management Point sparingly, and if you need a standard Replica Management Point for high-availability, perhaps look at SQL Always-On as an alternative to hosting Replica SQL Databases.

With the firewall blocking communications back to the Site server's Database, a Pull-based Replica Management Point will fail to function at all, as the underlying SQL replication mechanism's communication pathway back to the Site server's Database is blocked by the firewall.

The solution is pretty simple, nothing complicated about it, but it comes with a few considerations, such as incurring a slight performance impact on the SQL database hosting the Subscription, and the supportability of the change to a standard Replica Management Point's design. We’ll cover both of those in a moment.

To solve the problem then, all we need to do is rotate this pull-model around to become a push-model, and to achieve that we simply create the subscription on the Site server if it’s hosting the Site Database, or on a remote SQL, or remote SQL Cluster.

Changing the SQL Replication model to Push instead of Pull, means Replica Management Points can function in those environments that restrict access back to the trusted network.

image

Changing the Replica Management Point's SQL replication mechanism to push-based completes part of the solution, but to finish up the Site system also needs to be considered, as by default the Site system will attempt to connect to the Site server, and fail in the problem scenario due to being blocked by the firewall.

The Management Point will essentially drop inventory reports and other material coming in from clients, such as Status and State Messages, into its own Inboxes, and the contents in the Inboxes, on its Site system, need to be replicated to the Site server, so that they can be processed into the Site database.

Solving this problem in a restrictive environment is easy: a feature that has been built into the ConfigMgr product for some time lets you configure a Site system so that the Site server connects to it, rather than it connecting to the Site server. It is labelled up as Require the site server to initiate connections to this site system, but more breezily titled Inter-site whizzy bang Inbox Pull Mode contraption thingy.

Here’s Site server to Site system replication visualised showing both modes of operation:

image

Now all of that is out of the way, and you clearly understand that this new type of Replica Management Point, push-based, is only for heavily restrictive environments, where Regulation\Compliance rules exist that do not tolerate connections being established from untrusted networks to trusted networks.

And you know already from reading this post, or are becoming more aware of the fact, that for most people implementing a Push-based Replica Management Point in their environment is probably a pointless exercise.

However, some of you have probably already figured out that a Push-based Replica Management Point could actually help you to manage more devices in the more restrictive parts of your environment, possibly replacing ConfigMgr Hierarchies specifically set up just to manage those devices, or bringing them fully into the company's System Management solution, ConfigMgr, rather than letting them continue being managed by stand-alone WSUS for patching and AD Group Policy or “by hand” software delivery.

But here is the catch, since we’ve changed how the Replica Management Point is implemented it is unsupported, not because it doesn’t work, just that it was never put on the test list, if it had, it would be one of our current design elements.

Another point to be made here is that a performance penalty will be incurred by the host of the Subscription, so if it is hosted on the Site server which has local SQL, there will be a slight performance impact, how big depends on the scale of your environment. The more Subscriptions you have, the more of a performance penalty is felt.

Base-lining and monitoring of SQL performance would help view performance before and after the change, and keep on top of performance nose-diving, but to be honest this won’t represent a problem for most customers that are not at large scale, only those that are running their SQL at a far gallop (under-specification, over-used) already.

To solve the supportability issue, if you’re a Microsoft Premier customer you can get reasonable commercial support while this is implemented, but are open to Microsoft during a support engagement asking you to revert the Replica Management Point back to its default configuration (Pull-based SQL Replication) for reproduction of the problem you’re logging with them. Make sure you have a procedure for switching back and forth between Push and Pull in place in case you need to do it.

If you’re the type of environment that pays at least a token nod at not tolerating unsupported scenarios, and do not have a Microsoft Premier agreement in place so as to get a supportability statement sorted out, then you’re out of options, and implementing and dealing with any consequences is entirely your own choice.

For obvious reasons I only recommend readers of this post to implement while getting the nod from Microsoft Premier Support. I am not responsible if you decide to implement and your technical world for some reason ends because of it, even though it is entirely unlikely to happen.

Strap in, get ready, finally we’re going to finish up the post by showing how the replication is switched from pull to push mode.

The Microsoft Documentation for implementing a Replica Management Point is here:

image

To implement a Push-based Replica Management Point, we’ll follow the Microsoft documented instructions up to the To configure the database replica server section:

image

We’ll carry out step 1, but modify the step 2 procedure slightly, so as to produce the Push-based SQL Replication mechanism, then complete the rest of the overall Microsoft documented procedure.

image

2. On the site database server, use SQL Server Management Studio to connect to the local server, browse to the Replication folder, expand Local Publications, select the Publication and right click and select New Subscriptions…

image

a. Select the Publication and select Next

image

b. Select Run all agents at the Distributor.

As can be noted in the screenshot's text, this changes the replication mechanism from pull to push; it is as easy as that.

image

c. Select Next

image

d. Select Add Subscriber and select Add SQL Server Subscriber… then connect to the SQL Replica database. Returning back to the New Subscription wizard, the Subscription database drop-down for the newly added subscriber needs some attention. If you’ve already pre-created the database, this is where you’d select it, otherwise create a new database.

image

e. Once you’ve taken care of the small matter of pointing at the Replica Database, select Next

Now go back to Step 2 in the To configure the database replica server section, and carry out steps f, g, h and i, and then complete the entire remaining procedure as documented by Microsoft. You can also enable the Notification Channel as instructed in the Microsoft documentation.

A quick check of the Publication sees the Subscription has been added to it:

image

Having a nose around the actual Publication shows us what is being replicated (Articles):

image

And viewing the properties of the Subscription shows us it is in Push mode:

image
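The same outcome without the SSMS wizard, as an added example that is not part of the original post: a PowerShell script that creates the subscription as a Push subscription with T-SQL and then checks its mode the way the screenshot above does. Server, database, publication and account names are assumptions for a lab.

```powershell
# Added example, not from the original post: create the Replica Management Point
# subscription as a PUSH subscription with T-SQL instead of the SSMS wizard, then
# verify its mode. Run from the site database server (Publisher and Distributor).
# Every name below is an assumption for a lab; replace with your own values.
# Note: SqlServer module v22+ defaults to encrypted connections; a lab without a
# trusted SQL certificate may need -TrustServerCertificate on Invoke-Sqlcmd.
#Requires -Modules SqlServer

$SiteDbServer  = 'CM-SQL01'                  # assumed: site DB server, Publisher/Distributor
$SiteDb        = 'CM_PS1'                    # assumed: site database name
$Publication   = 'ConfigMgr_MPReplication'   # assumed: publication created earlier in the MS procedure
$ReplicaServer = 'MP-UNTRUSTED01'            # assumed: SQL instance hosting the replica
$ReplicaDb     = 'CM_PS1_Replica'            # assumed: pre-created replica database

# Windows account the Distribution Agent job will run as (needs rights on the replica).
$agentCred = Get-Credential -Message 'Distribution Agent job account (DOMAIN\user)'
$agentPwd  = $agentCred.GetNetworkCredential().Password
if ($agentPwd -match "'") { throw 'Use a job password without single quotes for this script.' }

# Push subscription: the Distribution Agent runs at the Distributor, so the only
# connection opened is site DB server -> replica. Nothing is initiated from the
# untrusted network, which is exactly what the firewall rules in the post demand.
$createPush = @"
EXEC sp_addsubscription
    @publication       = N'$Publication',
    @subscriber        = N'$ReplicaServer',
    @destination_db    = N'$ReplicaDb',
    @subscription_type = N'Push',
    @sync_type         = N'automatic',
    @article           = N'all',
    @update_mode       = N'read only';
EXEC sp_addpushsubscription_agent
    @publication              = N'$Publication',
    @subscriber               = N'$ReplicaServer',
    @subscriber_db            = N'$ReplicaDb',
    @job_login                = N'$($agentCred.UserName)',
    @job_password             = N'$agentPwd',
    @subscriber_security_mode = 1;   -- 1 = Windows authentication to the replica
"@
Invoke-Sqlcmd -ServerInstance $SiteDbServer -Database $SiteDb -Query $createPush

# Verify the direction: syssubscriptions.subscription_type is 0 for Push, 1 for Pull.
$checkMode = @"
SELECT DISTINCT srvname AS Subscriber, dest_db AS SubscriberDb,
       CASE subscription_type WHEN 0 THEN 'Push' WHEN 1 THEN 'Pull' ELSE 'Anonymous' END AS Mode
FROM dbo.syssubscriptions
WHERE srvname = N'$ReplicaServer' AND dest_db = N'$ReplicaDb';
"@
$mode = Invoke-Sqlcmd -ServerInstance $SiteDbServer -Database $SiteDb -Query $checkMode
$mode | Format-Table -AutoSize
if ($mode.Mode -ne 'Push') { throw "Subscription is $($mode.Mode), not Push; re-check the steps above." }
```

Keep the verification query to hand: it is also the quickest way to confirm you have reverted to Pull when Premier Support asks you to.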

Your SQL Replication mechanism will now be push-based, and along with a Site system that is serviced by the Site server connecting to it, you have a Management Point role that, along with its underlying Site system, is for the first time compliant with the needs of some of the most complex untrusted, but accessible, network environments out there.

Drop in a Distribution Point and you’ve now got Policy, Lookups and Content covered in the restrictive environment, Client Registrations too. OSD is but a mere click away. Nice.

While this is a great solution for on-premise devices, there are other ways coming about to service the same difficult-to-reach devices, such as those in untrusted networks, as long as they have access to the internet. An up-and-coming feature called the Cloud Proxy Point, which is trialling in Build 1606 of the Technical Preview, will open all of them up to management using a solution lashed together with Azure and on-premise ConfigMgr. I’ll be covering this technology in my next blog, as it is a killer way to handle devices on the internet, or on-premise but with internet access, without needing to place your Site Roles in a public-facing DMZ. One of the most exciting features I’ve seen in a while as an architect, along with Intune, but quite a fiddly affair in comparison to Intune to get up and running.

WMUG 10th Anniversary


Join WMUG for a day of Expert Windows Management and a bit of fun too on what will be our 10th anniversary event. 

Wednesday 13th July, 2016.

Microsoft UK
2 Kingdom Street
Paddington
London
W2 6BD

Featuring excellent speakers from the IT community and Microsoft alongside the WMUG team and our event sponsor 1E.

The agenda will be as follows:

Time | Speaker name | Session title | Abstract
09:00 | | Registration & Coffee |
09:30 | WMUG | Welcome | A quick welcome and introduction from the WMUG team
09:45 | Brent Hunter (1E) | Accelerated Win10 Migrations | Windows 10 brings a range of new capabilities to an enterprise, including essential new security features to ensure data is protected, and greater agility to succeed in today’s digital world. However, Windows 10 also brings a new set of challenges, from enabling the new security features to a new Microsoft servicing model that needs careful planning before the migration begins.
10:30 | | BREAK |
10:45 | Robert Marshall MVP | Advanced ConfigMgr Series | This series focuses on advanced techniques with System Center Configuration Manager. In this, Robert's first presentation of the series, we will cover advanced architectural design of ConfigMgr gathered from real world experiences. This is a relaxed and interactive session: interactive because design is something we all have to do, or at least deal with, and we’ll get a chance to discuss all the content from the session as we move through it.
11:30 | Marcus Robinson | Azure Automation DSC | Azure Automation DSC for server based configuration management
12:15 | | LUNCH |
13:00 | Maurice Daly and Terence Beggs | MFA Goodness | Microsoft Azure Multi-factor Authentication
13:45 | Nickolaj Andersen MVP | PowerShell and Configuration Manager | An overview of PowerShell coolness with Configuration Manager
14:30 | | BREAK |
14:45 | Peter Egerton | Geeks vs Guests | We put the audience head to head against our panel of experts to see who knows more about being an IT Pro.
15:30 | Q&A | Open questions | A chance to ask questions, get answers and openly discuss any thoughts you may have around Windows Management.
16:00 | Giveaways | Prize giveaways | We have a System Center Universe Europe ticket to give away along with a Microsoft Band 2 from 1E and two Troubleshooting Configuration Manager books.
16:10 | Aaron Czechowski | What's new in Configuration Manager | Live and direct from Redmond, Aaron will tell us what we can look forward to in Configuration Manager.
16:55 | | Close & Thanks |

The event is completely FREE to you including refreshments and lunch courtesy of our sponsor for the day 1E.

We also have an open questions session back by popular demand and we will be giving away a ticket to System Center Universe Europe in Berlin* for one lucky person who makes it to the end of the day.

So what are you waiting for? Register now!! We have increased our capacity following the success of recent events however there are still limited seats available, and as always we expect these to fill up quickly. Don't delay or you may be disappointed.

1E

1E’s mission is simple: to enable our customers to automate the full software lifecycle across their business.

Through Software Lifecycle Automation employees become more productive, the business becomes more agile, and IT departments more reactive to change. They empower customers to remove unused software and unnecessary servers, and reduce network bandwidth while providing their users with the software they need, when they need it. As a result, their customers save millions on hardware, software, energy, and people.

To date, 1E solutions have generated over $2.6 billion of productivity improvements. This includes $1.4 billion in energy costs alone and a reduction in CO2 emissions of 12.4 million tons.

Their customers include Verizon Wireless, Dell, ING, Nestlé, BNP Paribas, Ford Motor Company, the US Department of Veterans Affairs and the UK Department of Work and Pensions.

About the Speakers

Brent Hunter - 1E Solution Engineer and experienced Windows Migration consultant, will provide vital information about Windows 10 deployment and management using ConfigMgr, including information about upgrade scenarios, what the new security features mean to your migration, gaps & limitations of ConfigMgr, and focusing on the BIOS to UEFI transition challenge – putting you in the driving seat of your Windows 10 project.

Nickolaj Andersen - Awarded Microsoft MVP status in 2016 and a Senior Consultant Mobility and User Experience for Lumagate based in Stockholm, Sweden. Creator of numerous Configuration Manager and Enterprise Mobility tools, scripts and all round nice guy. PowerShell.org Hero 2015. Check out his blog at scconfigmgr.com.

Marcus Robinson - Technical Evangelist at Microsoft UK with a focus on writing and talking about DevOps practices to technical audiences throughout the UK. He has become a recognised expert in technologies such as Windows Server and Microsoft Azure and has also authored numerous training courses for Learning Tree International.

Maurice Daly - WMUG contributor Maurice has been working in IT since 1999 and is based in Dublin, Ireland. Maurice is a seasoned IT Pro and has many tips and tricks to share. Find Maurice on Twitter at @modaly_it

Terence Beggs - WMUG contributor Terence is a Senior Systems Officer for Migration and Deployment for London Metropolitan University. Terence has over 10 years' experience as an IT Professional.

Robert Marshall - One of the original WMUG founders, WMUG leader and MVP for 8 years in what is now Enterprise Mobility. Robert is the senior consultant at a London based Consultancy called SMSMarshall Ltd, specialists in ConfigMgr. 

Peter Egerton - Senior Cloud Consultant at Inframon Ltd with a specialism in Enterprise Client Management. He has been working in IT since 2000 and a WMUG community leader since 2013. Peter is a Microsoft Certified Trainer and also recently authored his first book on Troubleshooting Configuration Manager.

Aaron Czechowski - Senior Program Manager at Microsoft based at Microsoft HQ in Redmond, USA. Aaron is responsible for Operating System Deployment in Configuration Manager as well as the Microsoft Deployment Toolkit.

If you have any registration questions please contact events@wmug.co.uk

*Travel and accommodation is not included and conditions apply.

ConfigMgr and the Cloud Proxy Point


 

Technical Preview 5 using Build 1606 or 1607 lets you play around with the new Cloud Proxy feature, and I thought I’d run up a guide on this awesome feature to help others reach out to play with it a bit more easily, as it is a very enabling architectural element for us to have in the design toolkit and worth checking out.

I found the release notes to be a little short on a few details when I got this guide underway, and I had to come back to it over several attempts. Torsten Meringer, another Enterprise Mobility MVP, helped me out understanding what the Service Domain Name should be, CLOUDAPP.NET, and explained how he set up his Cloud Proxy Point certificate using PKI instead of a self-signed certificate; from there everything else just falls into place as documented.

After you’ve done this a few times it takes mere minutes to sail through, but for the first time it’s going to most likely take well over an hour to complete.

A key thing to note in the steps for enabling the Cloud Proxy Point is that your roles have to switch into HTTPS mode after you’ve added the Cloud Proxy Point role, I found that if you do not do this, the ConfigMgr Clients never see the Cloud Proxy Point. An example of how to manifest this unknowingly is if you remove the Cloud Proxy service and Cloud Proxy Point role, then try to put them back on without first switching your MP\DP\SUP roles to HTTP.

To get to the point where you can test out this Cloud Proxy point feature, you will need to have PKI setup already for your ConfigMgr environment.

For a lab you can simply switch your existing MP, DP and SUP if testing with, into HTTPS mode, but for a lab that is servicing non-HTTPS clients, you will need to setup a new Site system with which to host your new HTTPS based MP, DP and SUP roles.

Before you begin working through this guide, your MP\DP and SUP roles must be fully functional in HTTPS mode. Once you’ve tested them, and before you begin the guide, switch them to HTTP mode. I found if you don't, your clients will not get a Cloud Proxy Point given to them when they do a Location Request while on the Intranet.

 

From your Active Directory Domain Controller, or a system running the RSAT tool, create a new Active Directory Security Group called ConfigMgr Cloud Proxy PKI Template

image

We’ll use this Security Group for two purposes, to generate the Cloud Proxy Point certificate and the Azure Management Certificate.

Now that the Security Group has been created, we next need to add the Site servers computer account to it, please go ahead and do that now.

Once done reboot the Site server so that its computer account token is updated with this new security group membership.

To proceed, we’ll concentrate on creating the Cloud Proxy certificate, this is created in the same way that you’d create a Cloud Distribution Point certificate as shown here for reference, we’ll set this certificate up below so no need to transition to the steps in that link.

Switch to your Certificate Authority server.

Open the Certificate Authority MMC snap-in, navigate down to Certificate Templates, from there right-click and select Manage.

image

We’ll need to do the below steps twice, but hold off doing so for now, until I tell you later in the guide to return to this point.

The Certificate Templates console will appear (or switch to it if returning here), from there navigate to the Web Server template, right click and select Duplicate Template.

image

On the General tab, enter the new Template Name as ConfigMgr Cloud Proxy Point Certificate

image

Select the Request Handling tab, tick Allow private key to be exported

image

Select the Security tab and then Enterprise Admins, remove Enroll permissions for Enterprise Admins.

image

Add the new Security Group name ConfigMgr Cloud Proxy PKI Template

image

Tick Read (should already be ticked) and Enroll

Select OK

Right click Certificate Templates, select New, then select Certificate Template to Issue

image

Locate and select the ConfigMgr Cloud Proxy Point Certificate entry in the Enable Certificates Templates dialog

image

Select OK

That’s the Cloud Proxy Point PKI Certificate setup, we now need to setup the Azure Management certificate.

I’ve separated these two certificates out, as it is a more secure way of dealing with your Azure subscription, I could have opted to reuse the Cloud Proxy Point Certificate as the Azure Management Certificate, but I prefer the degree of separation.

So now return to the point above where I told you earlier you’d be returning to, and use the following details to change the steps:

Call the template name the following: ConfigMgr Azure Management Certificate

In the Enable Certificate Templates dialog: Select the ConfigMgr Azure Management Certificate

When you are done, we’ll continue from here.

We’re going to request the Cloud Proxy Point and Azure Management Certificates from the Certificate Authority now, so that we can export them, and while we’re in the Certificates snap-in we’re going to fetch the Trusted Root Certificate.

Before we do this we’re going to have to think of a unique Azure Service name for our Cloud Proxy Point. This will be appended to a Domain Name called CLOUDAPP.NET, it must be unique, if you don’t get this right you’ll have to recreate the below Certificates once you find the problem and generate a unique service name.

An easy way to find out if a service name is taken is to ping it, if there is no DNS match you can try that as a service name. Later in this guide you’ll be asked to provide the Service Name and the Service Name FQDN, the latter just being your service name with .CLOUDAPP.NET appended.

From the Primary Site server, open the Certificates MMC snap-in for the Local Computer

Expand Personal and right click Certificates, select All Tasks and then Request New Certificate

image

The Certificate Enrollment dialog will now appear, from which you’ll need to tick both the ConfigMgr Cloud Proxy Point and ConfigMgr Azure Management Certificate entries

image

Both certificates need a Common Name configured, we’ll do the ConfigMgr Azure Management certificate entry first, so select the “More information …” link underneath it

From the Subject Name panel, and from the Type drop-down box, select Common Name

For Value enter your service FQDN.

Select Add

image

Select OK

Select the ConfigMgr Cloud Proxy Point certificate entry, and select the “More information …” link underneath it

From the Subject Name panel, and from the Type drop-down box, select Common Name

For Value enter your service FQDN.

Select Add

image

Select OK

Now select Enroll and Finish once done, while noting whether it is successful or not

image

You should end up with your two certificates back in the Certificate snap-in

image

Let’s export them, we need to do this twice for each certificate, starting with the ConfigMgr Azure Management certificate

Select the ConfigMgr Azure Management certificate, right click it, select All Tasks then Export

image

Select Next then Yes, export the private key

Select Next

image

Select Next

image

Tick the Password check box and give this certificate a strong password, note it as you’ll need this password

Select Next

image

Now to save the certificate by selecting Browse, give it a suitable name, this one will be saved in PFX file format, drop it into a common folder that you’ll return to again a few more times.

image

Repeat the export of the ConfigMgr Azure Management Certificate, but this time do not export the Private key, this will cause you to be prompted just for the filename, give it the same name as your previous certificate, this one will be saved in CER file format

image

Now do the same again for your ConfigMgr Cloud Proxy Point certificate, repeating the steps above to export it as a CER file.

Once you’re done exporting, go back to the Certificates snap-in, navigate to the Trusted Root Certification Authorities node, expand Certificates and select the root certificate for your domain. I’ve selected and highlighted mine here:

image

Right click it, select All Tasks then Export, accept the default format type, give it a name and store it along with the other certificates you’ve already exported naming it appropriately (YOURDOMAINRootCA.CER for example)
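The enrolment and export steps above, scripted, as an added example that is not part of the original guide: it requests both certificates with CN=<service FQDN>, exports each as PFX (private key, password-protected) and CER (public part only), and exports the root CA certificate. The service name, output folder and the template names (AD CS derives the template name from the display name by removing spaces) are assumptions.

```powershell
# Added example, not from the original post: request the two certificates from the
# templates created earlier, export each twice (PFX with private key, CER without),
# and export the root CA certificate, mirroring the manual Certificates snap-in steps.
# Run elevated on the Primary Site server, whose computer account is already in the
# "ConfigMgr Cloud Proxy PKI Template" group. Service name and paths are assumptions.
#Requires -RunAsAdministrator

$ServiceName = 'cmproxydemo'                # assumed: unique Azure service name
$ServiceFqdn = "$ServiceName.cloudapp.net"  # service FQDN = service name + .CLOUDAPP.NET
$OutDir      = 'C:\CloudProxyCerts'         # assumed: the common folder you will return to
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# The guide's "ping it" test, done in DNS: if the name already resolves, someone has it,
# and certificates issued with this CN would have to be recreated.
if (Resolve-DnsName -Name $ServiceFqdn -ErrorAction SilentlyContinue) {
    throw "$ServiceFqdn already resolves in DNS; pick another service name before enrolling."
}

# Template names as AD CS derives them from the display names used in the guide (spaces removed).
# Assumption: check the Template name field on each template's General tab if enrolment fails.
$templates = [ordered]@{
    AzureManagement = 'ConfigMgrAzureManagementCertificate'
    CloudProxyPoint = 'ConfigMgrCloudProxyPointCertificate'
}

# One strong password protects the PFX exports; you will type it into the ConfigMgr wizard.
$pfxPassword = Read-Host -AsSecureString 'Strong password for the PFX exports'

$issued = @{}
foreach ($name in $templates.Keys) {
    # Enrol with CN=<service FQDN> into the Local Computer Personal store.
    $req = Get-Certificate -Template $templates[$name] -SubjectName "CN=$ServiceFqdn" `
                           -CertStoreLocation 'Cert:\LocalMachine\My'
    if ($req.Status -ne 'Issued') { throw "Enrolment for $($templates[$name]) returned $($req.Status)" }
    $issued[$name] = $req.Certificate

    # Export 1: PFX including the private key (the template allows export).
    Export-PfxCertificate -Cert $req.Certificate -FilePath "$OutDir\$name.pfx" -Password $pfxPassword | Out-Null
    # Export 2: CER, public part only, under the same base name.
    Export-Certificate    -Cert $req.Certificate -FilePath "$OutDir\$name.cer" -Type CERT | Out-Null
}

# Root CA certificate from Trusted Root Certification Authorities. Assumes a single-tier
# lab CA, so the issuer of the Cloud Proxy Point certificate is the root itself.
$rootCa = Get-ChildItem 'Cert:\LocalMachine\Root' |
          Where-Object { $_.Subject -eq $issued.CloudProxyPoint.Issuer } | Select-Object -First 1
if (-not $rootCa) { throw 'Issuing CA not found in the Trusted Root store; export it by hand.' }
Export-Certificate -Cert $rootCa -FilePath "$OutDir\RootCA.cer" -Type CERT | Out-Null

# The PFX files carry private keys; the AzureManagement one controls the whole subscription.
Get-ChildItem $OutDir | Select-Object Name, Length
```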

Now you need an Azure Trial, or a functioning Azure subscription, I’ll assume you will create a test subscription from new to check the Cloud Proxy feature out.

To setup a new Azure subscription you’re going to need a Microsoft account, if you don’t have one of those to hand, or spare, create a new one here

Go visit the Azure Trial and set yourself up a subscription, you’ll need an MS account (Live, Hotmail et al), a credit card (not-charged unless you upgrade to a paid subscription yourself) and your phone details. This will give you a 30 day or so trial to mess around with, and enough resources to run up a demo of the Cloud Proxy point.

image

Once you’ve subscribed and logged in, you will need to connect to the Azure Classic Portal, instead of the new Portal that you’ve most likely logged in with.

This is a requirement for a configuration element of the Cloud Proxy, Azure Management Certificates, a feature which I believe is deprecated but used by the Cloud Proxy feature today.

Visit MANAGE.WINDOWSAZURE.COM and login if necessary.

Once logged in, we’ll now upload our ConfigMgr Azure Management certificate to Azure itself, so as to gain access to the Azure Service Management API for the Cloud Proxy Point.

More can be read on Azure API Management Certificates here.

In the Azure Classic Portal, select Settings, then select Management Certificates

image

image

The Upload a Management certificate window will pop up in the browser, click the Folder icon and navigate to your ConfigMgr Azure Management certificate

image

Enter the strong password that you set when exporting this certificate

Note that it is uploaded to your Azure subscription.

image

Anyone who gets hold of this certificate together with its private key can completely control your Azure subscription, so tuck it away somewhere safe when done.

image

Note the Subscription ID, it’ll be in dashed notation like XXXX-XXXX-XXX-XXXX-XXXXX, store this away as you’ll need it in a moment and we’ll refer to it as your Subscription ID.


Now we’ll add the Cloud Proxy Service to the ConfigMgr Site server. To do this we visit the Administration workspace, and expand Cloud Services and select Cloud Proxy Service.

Select Create Cloud Proxy Service on the Ribbon, or via a Right click on Cloud Proxy Service

image

You’ll be greeted by the Create Cloud Proxy Service Wizard.

Enter your Subscription ID.

Select Browse and select your ConfigMgr Azure Management certificate

image

It’ll prompt you for the certificate’s strong password; tap it in, then select Next.

image

Now enter your Service Name, this is not your Service FQDN.

Select the Region you are testing in.

For Certificate File select Browse and navigate to the ConfigMgr Cloud Proxy Point certificate

The Service FQDN will automatically be populated from the certificate’s Common Name.

For Root certificate file select Browse and navigate to the Root Certificate that you exported earlier

Make sure Verify Client Certificate Revocation is not ticked unless you are set up for it; if in doubt, untick it.

Select Next

image

Select Next and then Finish

Now go monitor the CLOUDMGR log to see it provisioning the service into Azure, eventually you’ll also see the SMS_CLOUD_PROXYCONNECTOR log.

Once everything has settled down, from the ConfigMgr Console you should be able to see that the service has been setup correctly

image

image

In the above shots I’ve already had some traffic pass through, for a brand new setup the metrics should be white space.

I heard that if it shows Partially connected for an extended period of time (mine showed it for a minute or two), then there was a problem provisioning the service. Try again; if it doesn’t work, it is most likely a glitch.

Now that’s the Certificates and on-boarding of the services in Azure done, next we set up the Site server to use the Cloud Service, by installing a Cloud Proxy Point, and then we’ll do a quick run through with a Client test, run from a client on the Internet.

From the ConfigMgr Console, go to the Administration workspace, select Site Configuration and then Sites.

Assuming this is a Stand-alone Primary site server, select it and then select Properties, otherwise select the Primary you want to run the test on

From the Client Computer Communications tab, tick the box next to Use PKI client certificates (client authentication) when available text, and make sure to untick Clients check the certificate revocation list (CRL) for site systems.

Now add the Cloud Proxy Connector role to your Site server. No instructions needed for bedding this role in, just select and install it.

And to complete the server configuration, switch your MP, DP and SUP to HTTPS mode, making sure to tick Allow Configuration Manager Cloud Proxy Traffic in each of those roles’ properties dialogs while switching to HTTPS. Make sure the roles are functioning; check the MPCONTROL log to make sure the MP is working fine.

That should be it.

You can go back if you like and look at the steps in the Technical Preview notes, to double check we’ve not missed anything, especially if you are buzzing up and down the guide trying to figure out why it isn’t working.

Now, to kick the wheels of this feature you’re going to need to have a ConfigMgr Client installed. Take care of that on a device that can be set to visit the Internet.

Once all of the above changes have been implemented, while still on the Intranet recycle the CCMEXEC service on the ConfigMgr Client so that it gets a Location Services update. These occur every 24 hours if left alone, so recycling the service speeds this part of the testing up somewhat.

Once Policy has arrived and been processed by the ConfigMgr Client (go look at the messages and date stamps in the POLICYEVALUATOR log), open WBEMTEST and connect to ROOT\CCM\LOCATIONSERVICES, select Enum Classes… and select OK, navigate until you find the SMS_ActiveMPCandidate class, double click it, and then select the Instances button.

Here you can quite clearly see that the ConfigMgr Client knows all about our Cloud Proxy Management Point and will switch to it if it senses we’re on the Internet (out of any defined boundaries)

image

Now that we know that the ConfigMgr Client is ready to begin using the Cloud Proxy Point, let’s trigger it to do so.

I used a mobile hotspot to get a WIFI connection for my laptop to use, which was routing onto the internet.

Once I got the laptop on to the Internet, I checked the ClientLocation log, so as to see if the ConfigMgr Client was registering as being on the Intranet or Unknown (Internet in this case). Sure enough, after a few moments it fired into life and the Connection Type value changed to show as Unknown, which means Internet in our case, as can be seen below:

2016-08-08 (2)

Now switch back to the ClientLocation log, after a few moments if not already done, there should be activity, and a switch taking place to the Cloud Proxy service instead of continuing to try the on-premise Management Point.

2016-08-08 (3)

In the above shot you can see we’ve rotated over to using a new URL for the Management Point as:

CP1EMMVPTEST04.CLOUDAPP.NET/CCM_Proxy_MutualAuth.

Now you just need to open the PolicyEvaluator log, then trigger a Machine Policy Retrieval and watch the log to confirm that Policy was retrieved. If it was, it has been retrieved from the Cloud Proxy service!
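The client-side checks from the last few steps (recycle CCMEXEC, inspect SMS_ActiveMPCandidate, trigger a Machine Policy Retrieval, then read ClientLocation and PolicyEvaluator) scripted in PowerShell, as an added example that is not part of the original post. It assumes the default client log folder under `%WINDIR%\CCM\Logs`, that the class exposes `MP`, `Type` and `Locality` properties, and that schedule ID `{00000000-0000-0000-0000-000000000021}` is the Machine Policy Retrieval & Evaluation Cycle; run it elevated on the test client.

```powershell
# Added example (not from the original post): check from the ConfigMgr client
# that it lists the Cloud Proxy Management Point, then trigger policy retrieval
# and pull the relevant lines from the client logs. Run elevated on the client.
# The log folder, property names and the schedule ID are assumptions.
$LogDir = Join-Path $env:WINDIR 'CCM\Logs'   # default client log folder (assumed)

function Get-ActiveMPCandidate {
    # Same data WBEMTEST shows under ROOT\CCM\LocationServices -> SMS_ActiveMPCandidate.
    # MP/Type/Locality are the property names assumed here; use Select-Object *
    # if your build exposes different ones.
    Get-CimInstance -Namespace 'ROOT\CCM\LocationServices' -ClassName 'SMS_ActiveMPCandidate' |
        Select-Object MP, Type, Locality
}

function Get-LogTail {
    param([string]$Name, [string]$Pattern = '.', [int]$Lines = 200)
    Get-Content -Path (Join-Path $LogDir $Name) -Tail $Lines | Select-String -Pattern $Pattern
}

# 1. Force a Location Services refresh instead of waiting up to 24 hours.
Restart-Service -Name CcmExec -Force
Start-Sleep -Seconds 60

# 2. Is the Cloud Proxy MP (the *.cloudapp.net entry) among the candidates?
$candidates = Get-ActiveMPCandidate
$candidates | Format-Table -AutoSize
if (-not ($candidates.MP -like '*.cloudapp.net*')) {
    Write-Warning 'No cloud MP candidate yet; check PolicyEvaluator.log for the new policy first.'
}

# 3. Trigger the Machine Policy Retrieval & Evaluation Cycle (schedule ...021, assumed).
Invoke-CimMethod -Namespace 'ROOT\CCM' -ClassName 'SMS_Client' -MethodName 'TriggerSchedule' `
    -Arguments @{ sScheduleID = '{00000000-0000-0000-0000-000000000021}' } | Out-Null
Start-Sleep -Seconds 30

# 4. Which network does the client think it is on, and did it roll over to the proxy URL?
Get-LogTail -Name 'ClientLocation.log' -Pattern 'Connection Type|CCM_Proxy_MutualAuth'

# 5. Fresh policy activity after the trigger.
Get-LogTail -Name 'PolicyEvaluator.log' -Lines 20
```

Run it once while on the Intranet (expect the cloud MP to appear as a candidate but not be used) and again from the hotspot (expect the ClientLocation lines to show the Unknown connection type and the CCM_Proxy_MutualAuth URL). A client that never lists the cloudapp.net candidate has not yet received the updated policy, so there is no point moving it onto the Internet for the test.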

I also sent down a test Package\Program combination, one package with real content, another to just launch Notepad, all arrived as you’d expect when Machine Policy was triggered.

I didn’t test out the SUP as I didn’t have it configured in the lab, but am sure it’ll function just as fine as the Management Point and Distribution Point did, I’ll be sure to test that another time to make sure.

Enjoy the feature, I really rate this. I can see it becoming a major element in the architectural design process, one companies will use to extend their systems management ‘reach’ to their most difficult to manage end-points: those that are remote and not well connected to the core network (with the condition that they at least have internet access), as well as atypical remote office devices that have good internet access (serviced today by IBCM, for example). It has the added advantage of removing the need to host your on-premise ConfigMgr roles in public facing DMZs (so that IBCM can function); instead, Azure is used to route the traffic between the ConfigMgr Clients and your on-premise roles in a secure fashion.

A great feature. Cannot wait to see it develop further.

Tweet me on @RobMVP if you want to chat about the guide, any deviations you had to make, or if you just plain are stuck, will try to help.


ConfigMgr Technical Preview 1608 – Bag of awesomeness


Hey you!

ConfigMgr Current Branch Technical Preview build 1608 has released.

I highly recommend building a lab VM to host a technical preview build, seeketh out a guide from Niall Brady and others on how to setup the Technical Preview, having one so you can check out impending features is the way to be super cool and be up on the latest product developments.

Here’s a run down of the features available for tire kicking in 1608:

  • ‘New Software’ indicators in Software Center: The Software Center Applications, Updates, and Operating Systems tabs now show which software was recently added. Numbers in the navigation pane show how many new software items are on each tab.
  • Application Requests from Software Center: Users can now request approval for applications and view the request history for applications in the Application Details view in Software Center. The Request button in Application Details no longer redirects to the web-based Application Catalog.
  • Improvements to Asset Intelligence: A new field has been added to the properties for inventoried software that lets you set a parent and child relationship with other software. In the Inventoried Software list, you can view the parent of any software and also hide child software.
  • Keyboard Translation for Remote Control: By default in a remote control session, characters typed on the viewer’s keyboard are sent to the controlled device instead of the keys, whether or not their keyboard layouts match. This behavior may be turned off in the Remote Control viewer Action menu.
  • Improvements to the Prepare ConfigMgr Client for Capture task sequence step: The Prepare ConfigMgr Client step will now completely remove the Configuration Manager client instead of only removing key information. When the task sequence deploys the captured operating system image, it will install a new Configuration Manager client each time.

That last one is VERY important.

Do you know why?

This removes a key argument or reason for using MDT for Gold\Master Image management, the desire to end up with a gold image that doesn’t contain a ConfigMgr Client (in a deactivated state).

I am not an MDT hater, every tool has a place, and there is a place for every tool, but immediately turning to MDT adds complexity often unnecessarily, and moves the novice to intermediate ConfigMgr Administrator (who are the ones mostly implementing or owning ConfigMgr, not rocket scientists) out of the ConfigMgr Console, and into a foreign tool, so as to perform a task that should stay with ConfigMgr, building and capturing images.

We know there are short-falls in what can\cannot be done, and this means MDT still reigns, although much of what it does can be achieved in the environment (Group Policy etc.). Realistically, there should be gaps in what they do as they service customers at different ends of the scale, but Windows 10 Management should be universal between ConfigMgr and MDT. MDT shouldn’t be the only product able to render a Gold\Master Image in a certain way (the way most Enterprises opt for), especially if you’ve bought ConfigMgr and want to do it all there.

Consider the Windows 10 cadence and how rapid it is now; yeah, you won’t be creating a Gold Image that’ll last a year for much longer. Well, if you are doing LTSB, sure, but with CB or CBB, turning over an image often will mean that the MDT environment is going to be busier until we can shift to a single pane of glass, ConfigMgr.

Push-based Replica Management Point


I decided a while back that when I finally set about to publicly document the pathway to enable a new type of Replica Management Point in ConfigMgr, that I wouldn’t go into much detail explaining what a Replica Management Point is, or pitch their usefulness and all that, as we’d get bogged down in details that are already out there.

The likes of Brian Mason and Kent Agerlund have for many years been fleshing out their justification and use-cases, and produced some great guides to getting them up and running, even our Paul Winstanley at WMUG has put together a guide, so instead I thought I’d visualise a particular problem where a default Pull-based Replica Management Point falls short, and show how implementing a Push-based Replica Management Point solves that problem.


In the below shot, I’ve mocked up a visual showing how SQL is used by a Management Point in the three scenarios that it currently covers:

  1. Management Point in close proximity to the Site Database (in terms of network location)
  2. Management Point using remote Site Database to service Clients
  3. Replica Management Point using a replica of the Site Database to service Clients

image

Now this works just fine as long as you’ve got communications pathways back to the Site server’s Database, but when operating in restrictive environments where those pathways are blocked, it means taking Replica Management Points off the design board as a design element.

To get things underway, I’ll focus more on the reason for the drawback in using Replica Management Points in those environments, and show how to put them back on the design board.

So here we are, a very basic network and services diagram, showing on the left a trusted network, and on the right two untrusted networks.

image

The untrusted networks are not allowed to communicate back to the trusted network, for obvious reasons, and the communications back in that direction are blocked, as is shown using the red crosses above.

The Microsoft documentation for setting up a Replica Management Point guides the administrator into creating a subscription on the Replica SQL Database, which makes it a Pull-based method for replication. So by default, a Replica Management Point is a pull-based mechanism.

I would only recommend using a Push-based Replica Management Point sparingly, and if you need a standard Replica Management Point for high-availability, perhaps look at SQL Always-On as an alternative to hosting Replica SQL Databases.

With the firewall blocking communications back to the Site server’s Database, a Pull-based Replica Management Point will fail to function at all, as the underlying SQL replication mechanism’s communication pathway back to the Site server’s Database is blocked by the firewall.

The solution is pretty simple, nothing complicated about it, but comes with a few considerations, such as incurring a slight performance impact on the SQL database hosting the Subscription, and the supportability of the change to a standard Replica Management Points design. We’ll cover those both more in a moment.

To solve the problem then, all we need to do is rotate this pull-model around to become a push-model, and to achieve that we simply create the subscription on the Site server if it’s hosting the Site Database, or on a remote SQL, or remote SQL Cluster.

Changing the SQL Replication model to Push instead of Pull, means Replica Management Points can function in those environments that restrict access back to the trusted network.

image

Changing the Replica Management Point’s SQL replication mechanism to push-based completes part of the solution, but to finish up the Site system also needs to be considered, as by default the Site system will attempt to connect to the Site server, and fail in the problem scenario due to being blocked by the firewall.

The Management Point will essentially drop inventory reports and other material coming in from clients, such as Status and State Messages, into its own Inboxes, and the contents in the Inboxes, on its Site system, need to be replicated to the Site server, so that they can be processed into the Site database.

To solve this problem in a restrictive environment is easy, a feature that has been built into the ConfigMgr product for some time is to configure a Site system so that the Site server connects to it, rather than it connecting to the Site server, labelled up as Require the site server to initiate connections to this site system but more breezily titled Inter-site whizzy bang Inbox Pull Mode contraption thingy.

Here’s Site server to Site system replication visualised showing both modes of operation:

image

Now all of that is out of the way, and you clearly understand that this new type of Replica Management Point, push-based, is only for heavily restrictive environments, where Regulation\Compliance rules exist that do not tolerate connections being established from untrusted networks to trusted networks.

And you know already from reading this post, or are becoming more aware of the fact that for most people, implementing a Push-based Replica Management Point in their environment is probably a pointless exercise.

However, some of you have probably already figured out that a Push-based Replica Management Point could actually help you to manage more devices in the more restrictive parts of your environment, possibly replacing ConfigMgr Hierarchies specifically set up just to manage those devices, or bringing them fully into the company’s System Management solution, ConfigMgr, rather than letting them continue being managed by stand-alone WSUS for patching and AD Group Policy or “by hand” software delivery.

But here is the catch, since we’ve changed how the Replica Management Point is implemented it is unsupported, not because it doesn’t work, just that it was never put on the test list, if it had, it would be one of our current design elements.

Another point to be made here is that a performance penalty will be incurred by the host of the Subscription, so if it is hosted on the Site server which has local SQL, there will be a slight performance impact, how big depends on the scale of your environment. The more Subscriptions you have, the more of a performance penalty is felt.

Base-lining and monitoring of SQL performance would help view performance before and after the change, and keep on top of performance nose-diving, but to be honest this won’t represent a problem for most customers that are not at large scale, only those that are running their SQL at a far gallop (under-specification, over-used) already.

To solve the supportability issue, if you’re a Microsoft Premier customer you can get reasonable commercial support while this is implemented, but are open to Microsoft during a support engagement asking you to revert the Replica Management Point back to its default configuration (Pull-based SQL Replication) for reproduction of the problem you’re logging with them. Make sure you have a procedure for switching back and forth between Push and Pull in place in case you need to do it.

If you’re the type of environment that pays at least a token nod at not tolerating unsupported scenarios, and do not have a Microsoft Premier agreement in place so as to get a supportability statement sorted out, then you’re out of options, and implementing and dealing with any consequences is entirely your own choice.

For obvious reasons I only recommend readers of this post to implement while getting the nod from Microsoft Premier Support. I am not responsible if you decide to implement and your technical world for some reason ends because of it, even though it is entirely unlikely to happen.

Strap in, get ready, finally we’re going to finish up the post by showing how the replication is switched from pull to push mode.

The Microsoft Documentation for implementing a Replica Management Point is here:

image

To implement a Push-based Replica Management Point, we’ll follow the Microsoft documented instructions up to the To configure the database replica server section:

image

We’ll carry out step 1, but modify the step 2 procedure slightly, so as to produce the Push-based SQL Replication mechanism, then complete the rest of the overall Microsoft documented procedure.

image

2. On the site database server, use SQL Server Management Studio to connect to the local server, browse to the Replication folder, expand Local Publications, select the Publication and right click and select New Subscriptions…

image

a. Select the Publication and select Next

image

b. Select Run all agents at the Distributor.

As can be noted in the screenshot’s text, this changes the replication mechanism from pull to push. It is as easy as that.

image

c. Select Next

image

d. Select Add Subscriber and select Add SQL Server Subscriber… then connect to the SQL Replica database. Returning back to the New Subscription wizard, the Subscription database drop-down for the newly added subscriber needs some attention. If you’ve already pre-created the database, this is where you’d select it, otherwise create a new database.

image

e. Once you’ve taken care of the small matter of pointing at the Replica Database, select Next

Now go back to Step 2 in the To configure the database replica server section, and carry out steps f, g, h and i, and then complete the entire remaining procedure as documented by Microsoft. You can also enable the Notification Channel as instructed in the Microsoft documentation.

A quick check of the Publication shows the Subscription has been added to it:

image

Having a nose around the actual Publication shows us what is being replicated (Articles):

image

And viewing the properties of the Subscription shows us it is in Push mode:

image
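The same Push-mode check done from PowerShell on the site database server, plus a test of the one connection direction the design depends on, as an added example that is not part of the original post or of the Microsoft procedure. It assumes the site database server is both publisher and distributor (so the `distribution` database is local), that the SqlServer module providing Invoke-Sqlcmd is installed, and that the server, publication and port values shown are placeholders for your own.

```powershell
# Added example (not from the original post): confirm from the site database
# server, which hosts the publication and the distributor, that the replica
# subscription is push-based, and that the connection direction the design
# relies on (distributor -> replica) is open. Server, database and publication
# names are assumptions; substitute your own.
param(
    [string]$SiteDbServer  = 'SITESQL01',        # assumed: site DB, publication and distributor
    [string]$ReplicaServer = 'REPLICASQL01',     # assumed: replica MP's SQL host in the untrusted network
    [string]$Publication   = 'CM_PS1_Replica',   # assumed publication name chosen in step 1
    [int]   $SqlPort       = 1433                # assumed default SQL port on the replica
)
Import-Module SqlServer   # provides Invoke-Sqlcmd

# MSsubscriptions lives in the distribution database; subscription_type is
# 0 = Push, 1 = Pull, 2 = Anonymous and status is 0 = Inactive, 1 = Subscribed, 2 = Active.
$safeName = $Publication.Replace("'", "''")   # keep a stray quote from breaking the query
$query = @"
SELECT DISTINCT p.publication, s.subscriber_db,
       CASE s.subscription_type WHEN 0 THEN 'Push' WHEN 1 THEN 'Pull' ELSE 'Anonymous' END AS mode,
       CASE s.status WHEN 2 THEN 'Active' WHEN 1 THEN 'Subscribed' ELSE 'Inactive' END AS status
FROM   dbo.MSsubscriptions AS s
JOIN   dbo.MSpublications  AS p ON p.publication_id = s.publication_id
WHERE  p.publication = N'$safeName';
"@
$subs = Invoke-Sqlcmd -ServerInstance $SiteDbServer -Database 'distribution' -Query $query
$subs | Format-Table -AutoSize

if (-not $subs) { throw "No subscription found for publication '$Publication'." }
if ($subs | Where-Object { $_.mode -ne 'Push' }) {
    Write-Warning 'At least one subscription is not push-based; it will try to connect back to the distributor.'
}

# Push replication means the Distribution Agent runs here and connects OUT to the
# replica's SQL port, so this direction must be open...
$out = Test-NetConnection -ComputerName $ReplicaServer -Port $SqlPort
"Distributor -> replica TCP ${SqlPort}: $($out.TcpTestSucceeded)"

# ...while the reverse direction (replica -> site database) is the one the firewall
# is meant to block. Test that from the replica host with
#   Test-NetConnection -ComputerName <site DB server> -Port <SQL port>
# and expect TcpTestSucceeded to be False.
```

Keep this script with the switch-back procedure mentioned earlier: running it before and after a change gives you a one-line record of whether the subscription is in Push or Pull mode, which is exactly what a support engineer will ask for.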

Your SQL Replication mechanism will now be push-based, and along with a Site system that is serviced by the Site server connecting to it, you have a Management Point role that, along with its underlying Site system, is for the first time compliant with the needs of some of the most complex untrusted, but accessible, network environments out there.

Drop in a Distribution Point and you’ve now got Policy, Lookups and Content covered in the restrictive environment, Client Registrations too. OSD is but a mere click away. Nice.

While this is a great solution for on-premise devices, there are other ways coming about to service the same difficult to reach devices, such as those in untrusted networks, as long as they have access to the internet. An up-and-coming feature called the Cloud Proxy Point, which is trialling in Build 1606 of the Technical Preview, will open all of them up to management using a solution lashed together with Azure and on-premise ConfigMgr. I’ll be covering this technology in my next blog, as it is a killer way to handle devices on the internet, or on-premise but with internet access, without needing to place your Site Roles in a public facing DMZ. One of the most exciting features I’ve seen in a while as an architect, along with Intune, but quite a fiddly affair in comparison to Intune to get up and running.

Update (05/09/2016): 

Confirmed that with a Push-based Replica Management Point, the Client Notification Channel works fine. Nothing special needed to configure it beyond the documented steps.

ConfigMgr Port Checker–CheckPort


Finding that I often do quick port tests related to ConfigMgr installations @ customer sites, and my traditional approach was to use TELNET and NETSTAT together, checking for ports marked as SYN (no synchronisation packet came back) as an indicator that the port is blocked or not being listened on, so I thought, why don’t I write a new (extensible) Tcp port checker to do the job for me.

Falling back to the classic Tcp port test, use TELNET to test a Tcp port, and NETSTAT to see what is happening:

TELNET IP PORT

NETSTAT -AN | FIND /I "SYN"

You have to do this fast, within a second or two, or you’ll miss the port’s SYN state (netstat shows the half-open connection as SYN_SENT) and get no results back. Try it, it has helped me out a lot over the years.

Well, half-way through coding this new tool (I often just code for fun, and can get carried away between a mere thought and my hands whizzing back and forth in Visual Studio creating something), I checked to see if anyone else had a cool port checker, and found this (lol, oops, how could I forget that old Microsoft port checking puppy!), this, and another that I cannot locate the link for again, which was ConfigMgr specific and was fed by an XLS. I’ll update the post another time if I remember, and include a call out to that tool as it was the first one I found.

So yeah, I wanted to call these tools out that came ahead of mine, go ahead, check them out, a port checker is a port checker after all, so choose your poison and get the result you want (Port open, Port closed).

My tool is Tcp only I’m afraid. Udp is a tricky beast to validate. If I can get something reasonable that is reliable (so many conditions can make testing Udp pointless), I’ll update the tool with it. Framework code for Udp is there, so implementing Udp is a cinch if I sort out the Udp Port checking logic.

This version doesn’t handle DNS lookup of the hostname very well, works for some of you, IP always works, I’ll fix this at the next release. And also IPV6 isn’t supported until the next release.

CheckPort for ConfigMgr is wrapped as an MSI to make installing\uninstalling a breeze (thanks Flexera Software for InstallShield Express!).

Unblock the MSI if Windows warns you it is from an untrusted source. I am in two minds if I should buy a certificate to sign my tools so that they are trusted by Microsoft, but that costs £££, maybe one day.

I mentioned above that this thing is extensible, well it sure is, it can either run as a stand-alone EXE with all ConfigMgr rules built-in, or feed off of a four-column CSV file (Test name, Port Name, Port, Tcp\Udp) located in the same directory as the EXE. The MSI installer will drop a sample CSV file into the installation folder for you to check out.
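A PowerShell port checker in the same spirit, as an added example that is not CheckPort’s own code. It consumes the same four-column CSV layout described above (Test name, Port Name, Port, Tcp\Udp), falls back to a built-in set of well-known ConfigMgr TCP ports when no CSV is present, and, like the tool, leaves Udp rows unvalidated. The target name, CSV location and timeout are assumptions. What it adds over plain TELNET is the three-way result: Open (handshake completed), Closed (the host answered with a reset, so it is up but nothing listens) and Filtered (no answer at all before the timeout), which is the same distinction the NETSTAT SYN_SENT trick exposes.

```powershell
# Added example (not the CheckPort tool's code): a small TCP port checker that
# reads the same four-column CSV layout the post describes and reports
# Open / Closed / Filtered per rule. Target, CSV path and timeout are assumptions.
param(
    [string]$Target    = 'cm01.example.internal',                 # assumed site server name
    [string]$CsvPath   = (Join-Path (Get-Location) 'ports.csv'),  # assumed CSV next to the script
    [int]   $TimeoutMs = 2000
)

# Built-in rules used when no CSV is found (well-known ConfigMgr defaults).
$builtIn = @"
Test name,Port Name,Port,Tcp\Udp
Client to MP,HTTP,80,Tcp
Client to MP,HTTPS,443,Tcp
Client to DP,SMB,445,Tcp
Site server to SQL,SQL Server,1433,Tcp
Site server to site system,RPC endpoint mapper,135,Tcp
Client to SUP,WSUS HTTP,8530,Tcp
Client to SUP,WSUS HTTPS,8531,Tcp
Client to PXE,TFTP,69,Udp
"@

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'Filtered'      # no SYN-ACK and no RST before the timeout: dropped by a firewall or no route
        }
        $client.EndConnect($async) # throws on RST (connection refused)
        return 'Open'
    } catch {
        # Unwrap PowerShell's MethodInvocationException to reach the SocketException.
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.Net.Sockets.SocketException])) { $ex = $ex.InnerException }
        if ($ex -and $ex.SocketErrorCode -eq 'ConnectionRefused') { return 'Closed' }
        return "Error: $($_.Exception.Message)"   # e.g. name resolution failure
    } finally {
        $client.Close()
    }
}

# Prefer the CSV if present (extensible mode), otherwise the built-in rule set.
$rules = if (Test-Path $CsvPath) { Import-Csv $CsvPath } else { $builtIn | ConvertFrom-Csv }

$results = foreach ($r in $rules) {
    $proto = $r.'Tcp\Udp'
    $state = if ($proto -eq 'Tcp') {
        Test-TcpPort -ComputerName $Target -Port ([int]$r.Port) -TimeoutMs $TimeoutMs
    } else {
        'Skipped (Udp not validated)'   # same caveat as the post: Udp answers are unreliable
    }
    [pscustomobject]@{
        Test     = $r.'Test name'
        Name     = $r.'Port Name'
        Port     = $r.Port
        Protocol = $proto
        State    = $state
    }
}
$results | Format-Table -AutoSize
```

A Filtered result where you expected Open is the firewall case worth chasing with the network team; a Closed result means the packet arrived and the role or service simply is not listening on that host, which is a ConfigMgr configuration problem rather than a network one.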

Download the tool from the TechNet Gallery

And … enjoy!

ConfigMgr Boundary Groups revisited


System Center Configuration Manager Technical Preview Build 1609 was just released, and one of the most exciting enhancements, as an architect, is the redefinition of how a Boundary Group behaves.

Here’s the preview summary of the feature:

This preview introduces important changes to boundary groups and how they work with distribution points. These changes will help simplify the design of your content infrastructure while giving you more control over how and when clients fall-back to search additional distribution points as content source locations. This includes both on-premises and cloud-based distribution points.

These improvements replace concepts and behaviours you might be familiar with today (like configuring distribution points to be fast or slow) and replaces them with a new model that should be easier to setup and maintain. These changes are also groundwork for future changes that will improve other site system roles you associate to boundary groups.

The details for this feature are Boundary Group nesting, which can be used to introduce layers that a site can fall back through all the way to the core network, either until there is no service delivered due to restrictions on crossing network boundaries (defined by your Boundaries), or until a service point is reached such as a DP, MP or SUP. The original “fall-back” option has become the Site Default Boundary Group, which can be populated with a site that will act as the “fall-back” site for anything that needs falling back to. The Site Default Boundary Group, or at least its fall-back functionality, can also be disabled by not specifying a site as the fall-back Site. There’s a lot more detail in the Preview Notes for Build 1609 which are linked below.

Two key things you’ll notice in the UI are within the Boundary Groups property sheet: the lack of a Connection property for the Site system servers, with the notion of Slow and Fast being obsoleted, and a new References tab, as shown in the before\after shots below, which is used to form what are called relationships: neighbouring Boundary Groups that can be fallen back to:

image       image

When adding Relationships you’re given the ability to control the length of delay before falling back to specified Roles, and includes the ability to disable fall-back for any of the three types of bounded Role:

image

Here’s what a Relationship looks like once it has been defined in a Boundary Group:

image

An info graphic from the Preview Notes showing how fall-back can take place.

BG_Fallack


Very nice. The feature offers us a whole lot more control over fall-back to available services, controlling the durations before the fall-back takes place; I can see this making a lot of customers very happy for network flow-control.

Check out the Preview Notes here

ConfigMgr Build 1602– Deploy overview


Today I see that ConfigMgr Current Branch B1602 has released. I installed it onto 1511 today, and thought I’d put together a brief guide to provide a light overview of the installation process, showing how easy it is now that it is integrated into the product. Configuration Manager as a Service (CaaS) really is kicking in, with the flow of change ramping up.

The Updates and Servicing feature relies entirely on the Service Connection Point role that was introduced in Configuration Manager Current Branch (and LTSB), and I suspect that in a day or two, when standing up a Build 1511 Site server and then deploying this role, you will see Build 1602 showing within minutes of the first sync, whereas today it may take a few more hours before everyone can see the update pack globally.

To deploy a 1602 site server you must first deploy the ‘baseline’ build, which is currently 1511. You can move from 1511 to 1602 in both offline and online modes (offline servicing just means having the 1602 kit to hand and not downloading from the internet). After a year, a new baseline build should replace 1511, resulting in a single installation taking place to get to the current build. I would not expect that to last long, and that a double-install will be the norm, since these update packs are released (cadence) quite quickly.

Here’s the release version matrix for current branch as it now stands:

Build 1511: 5.00.8325.1000
Build 1602: 5.00.8355.1000

Note that 1602 updates a 1511 Database. It most likely will always be okay until it isn’t okay, so please make sure you are backing up your SQL DB. Unlike past versions of Configuration Manager, if installing an update fails you should not need to perform a site recovery, and instead can Retry the update installation. Therefore, while the test upgrade of the database is less critical than in past product versions, it still remains a concern and a recommended step (more so for production!).


On the subject of database changes and failure during upgrade, you should note this statement in the documentation here

Unlike past versions of Configuration Manager, if installing an update fails you should not need to perform a site recovery and instead can Retry the update installation. Therefore, while the test upgrade of the database is less critical than in past product versions it remains a recommended step.

Failure during upgrade can be retried, previously the show was over, and a restore was needed, pretty rad that!


  • Here’s a 1511 Site server showing 1602 has arrived

image

  • Clicking on the 1602 update pack will give you some options via the Ribbon or a Right click

image

image


I’ve already covered most of how the Updates and Servicing mechanism works in this blog post here, in this post I’ll simply walk lightly over deploying Current Branch Build 1602 to a lab based Stand-alone Primary Site server.


Let’s get the upgrade from B1511 to B1602 underway.


  • Go create a device collection, call it Client Pre-deployment (Validation of B1602)
  • Add some devices to the new collection, these will be automatically updated for us


  • From the Console, go to Administration, Cloud Services, Updates and Servicing,
  • If Build 1602 does not show, then from the ribbon or a right click select Check for updates
  • If it shows then most likely it’s already been downloaded, but if it doesn’t show and initiating a check for updates or a recycle of the SMS_Executive service doesn’t get it to appear, check the DMPDownloader log file on the Site server

image

  • You should see that something is afoot, a cab being downloaded, unpacked and verified

image

  • Here you can see the download of the update pack has completed


Even though we can retry if there is any failure during the upgrade while dealing with SQL, it would make sense to copy your database over to a server hosting the same SQL edition (with service packs and hotfixes as the ConfigMgr Database Site server) so as to test the upgrade on your database using TestDBUpgrade. I’d do this every single time with production, for the lab I don’t bother. That a retry after upgrade failure is supported indicates that most likely over coming releases, we should see far more robustness of the whole SQL upgrade process until nursing it becomes a distant memory.

Check out Nickolaj Andersen’s post here on handling TestDBUpgrade. It is pretty simple, although it takes a bit of effort to keep the SQL servers like for like. For 1602 I didn’t dig out where the install kit was pre-installation; after it has been downloaded you’ll have to go find the installation kit (it might be in cab-only form at this point, or already unpacked, so go eke it out) in the ConfigMgr folder once the 1602 state changes to Available.

  • Once you are ready to proceed with the upgrade, from the Updates and Servicing node, right click the 1602 update pack

image

  • Select Install Update Pack

image

  • We’re welcomed by the Configuration Manager Updates Wizard
  • You can tick Ignore any prerequisite check warnings and install this update regardless of missing requirements to override any warnings about requirements not being met, or leave it unticked and let the wizard stall and notify you so you can resolve them
  • Select Next

image

  • This is where we select the features we want installed; as you can see, 1602 delivers:

 

    • Apple Volume Purchase Program
    • Windows 10 conditional access with health attestation service
    • iOS Activation Lock management
    • iOS App configuration

 

  • Tick or untick the features you are interested in
  • Select Next

image

  • It’s your choice whether you update your current production ConfigMgr Client package with the Build 1602 Client kit straight off, or stage it in pre-production and, when confident, promote it later
  • Select Browse

image

  • Find the collection you created earlier
  • Select OK

image

  • Looking good, we’re going to validate the client in pre-production, by deploying to a specific collection of devices and not the entire estate
  • Select Next

image

  • Tick the licence agreement checkbox
  • Select Next

image

  • Select Next

image

  • Select Close

 

  • From the Updates and Servicing node we can see that things are underway

image

  • If you have a CAS there is over 1GB of content that needs to be replicated; for a stand-alone primary this shouldn’t take more than a few minutes

image

  • Once the staging is complete, the prerequisite checker will kick in

image

  • This part will take a long time

image

  • Once the prerequisite checker has completed with no errors (any missing-requirement warnings being either ignored or noted for later) you should see the status transition to Installing

image

  • Let’s take a look at the prerequisites
  • Head to Monitoring, Site Servicing Status, and from the Ribbon or a right click select Show Status

image

  • We can see what did and didn’t pass …
  • Also check out the CMUpdate log

image

  • Once the update pack’s status changes to Installed, check out the SiteComp log to make sure all the components\roles have reinstalled correctly
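The DMPDownloader, CMUpdate and SiteComp logs above all use the same CMTrace entry format, so one small parser covers all of them. Here is an added example (my own PowerShell, not code from the original post or from the product) that pulls the warnings and errors out of the most recent lines of those logs so you can spot a component that failed to reinstall without scrolling through CMTrace. The default Logs folder path and the sample log lines are assumptions and constructed samples respectively; the component names in the samples are for illustration only.

```powershell
# Added example, not part of the original post.
# ConfigMgr site logs use one CMTrace entry per line:
#   <![LOG[message]LOG]!><time="..." date="..." component="..." context="" type="N" thread="..." file="...">
# where type 1 = info, 2 = warning, 3 = error. Multi-line entries are not handled here.

function ConvertFrom-CMLog {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Line
    )
    process {
        $pattern = '^<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"[^>]*?type="(?<type>\d)"'
        if ($Line -match $pattern) {
            # Map the numeric type onto a readable severity
            $severity = switch ([int]$Matches.type) {
                2       { 'Warning' }
                3       { 'Error' }
                default { 'Info' }
            }
            [pscustomobject]@{
                Date      = $Matches.date
                Time      = $Matches.time
                Component = $Matches.comp
                Severity  = $severity
                Message   = $Matches.msg
            }
        }
    }
}

function Get-CMLogProblems {
    param(
        [Parameter(Mandatory)] [string[]]$Path,
        [int]$Tail = 2000   # only the most recent lines matter after an upgrade
    )
    foreach ($p in $Path) {
        Get-Content -Path $p -Tail $Tail |
            ConvertFrom-CMLog |
            Where-Object { $_.Severity -ne 'Info' } |
            Select-Object @{ n = 'Log'; e = { Split-Path $p -Leaf } }, Date, Time, Component, Severity, Message
    }
}

# Constructed sample entries (not real log output) to show what the parser returns
$sample = @(
    '<![LOG[Installing update pack]LOG]!><time="10:01:02.123+00" date="03-12-2016" component="CMUpdate" context="" type="1" thread="1234" file="cmupdate.cpp:100">',
    '<![LOG[Waiting for component SMS_SITE_COMPONENT_MANAGER to reinstall]LOG]!><time="10:03:40.456+00" date="03-12-2016" component="CMUpdate" context="" type="2" thread="1234" file="cmupdate.cpp:220">',
    '<![LOG[Failed to reinstall component SMS_MP_CONTROL_MANAGER]LOG]!><time="10:05:11.789+00" date="03-12-2016" component="SMS_SITE_COMPONENT_MANAGER" context="" type="3" thread="5678" file="sitecomp.cpp:310">'
)
$sample | ConvertFrom-CMLog | Where-Object { $_.Severity -ne 'Info' } | Format-Table -AutoSize

# Against the real logs on the Site server (default install path assumed; adjust for your site):
# Get-CMLogProblems -Path 'C:\Program Files\Microsoft Configuration Manager\Logs\CMUpdate.log',
#                         'C:\Program Files\Microsoft Configuration Manager\Logs\SiteComp.log'
```

Running the sample lines through the parser returns only the warning and the error entry; point Get-CMLogProblems at CMUpdate.log and SiteComp.log once the update pack shows as Installed and an empty result is the quick confirmation that every role came back cleanly.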

 

  • Here is a resource record of a device in the pre-production collection that was automatically updated for me

image

 

 

If you had any consoles open, after a bit of cruising they should start to prompt you to upgrade to a newer version. Opening a new 1511 console will produce the same prompt until it has been accepted, which will kick off the console upgrade.

 

image

  • Accepting the upgrade will get the Console MSI downloaded from the Site server and the upgrade process underway

image

  • MSI logic detected that I had a Console-related executable still in memory, Status Message Viewer, which was blocking the upgrade, so I closed that manually and clicked OK

The MSI Installer then rolls off the older version, and rolls on B1602.

  • A quick nose around the Features node of Updates and Servicing shows us the features, which can be viewed in the documentation here:

image

Also, my three test clients all upgraded to 1602 as well. I did have a delay here, and I’m not 100% sure right now what caused it, but the clients all kicked off their upgrades once they fetched their policy from the MP.

image

 

Okay that’s it, done, and it was easy wasn’t it!

Once we are all good with the client upgrade, we can switch the 1602 Client kit to become the production kit used for all future client deployments.

 

  • Navigate to the Updates and Servicing node again

image

  • From the Ribbon or a Right click select Client Update Options

image

  • Tick I am ready to make pre-production client version available to production
  • Select OK
  • Open the Hierarchy Settings and you’ll see that pre-production deployment has been turned off, and the production client version has changed to 5.00.8355.1000

image

You could also check at the file level to make sure the client files have been upgraded; perhaps I’ll circle back and cover that fully in an update to the guide another time. Here is a shot of CCMSETUP.EXE showing its version (8355 is 1602):

image
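The file-level check above can be done for the whole pre-production collection rather than one screenshot at a time. Here is an added example (my own PowerShell, not code from the original post or from the product) that asks each client for the version it reports in its own WMI namespace and compares it with the version of ccmsetup.exe on disk, against the 5.00.8355.1000 build shown in Hierarchy Settings. The computer names, site code and collection ID in the usage comments are placeholders.

```powershell
# Added example, not part of the original post.
# Two independent signals per machine that the 1602 client is really in place:
#   1. the version the client itself reports (root\ccm:SMS_Client.ClientVersion)
#   2. the file version of %windir%\ccmsetup\ccmsetup.exe, read over the admin$ share
# Both must match the expected build; a machine with a stale ccmsetup.exe or a
# client that never re-registered shows up as not upgraded.

function Test-CMClientVersion {
    param(
        [Parameter(Mandatory)] [string[]]$ComputerName,
        [string]$Expected = '5.00.8355.1000'   # Build 1602 client version
    )
    $want = [version]$Expected
    foreach ($c in $ComputerName) {
        $reported = $null; $file = $null; $err = $null
        try {
            $reported = (Get-CimInstance -ComputerName $c -Namespace 'root\ccm' `
                            -ClassName 'SMS_Client' -ErrorAction Stop).ClientVersion
            $exe  = Join-Path "\\$c\admin$" 'ccmsetup\ccmsetup.exe'   # admin$ maps to %windir%
            $file = (Get-Item -Path $exe -ErrorAction Stop).VersionInfo.ProductVersion
        } catch {
            $err = $_.Exception.Message
        }
        # Cast to [version] so "5.00.8355.1000" and "5.0.8355.1000" compare equal
        $ok = $reported -and $file -and ([version]$reported -eq $want) -and ([version]$file -eq $want)
        [pscustomobject]@{
            ComputerName    = $c
            ReportedVersion = $reported
            FileVersion     = $file
            Upgraded        = [bool]$ok
            Error           = $err
        }
    }
}

# Usage with placeholder names:
# Test-CMClientVersion -ComputerName 'CLIENT01','CLIENT02','CLIENT03' | Format-Table -AutoSize
#
# Or feed it the members of the pre-production collection straight from the site's
# SMS Provider (site code and collection ID are placeholders):
# $members = Get-CimInstance -ComputerName 'SITESERVER' -Namespace 'root\sms\site_PS1' `
#              -ClassName 'SMS_FullCollectionMembership' -Filter "CollectionID='PS100012'"
# Test-CMClientVersion -ComputerName $members.Name | Where-Object { -not $_.Upgraded }
```

Filtering on Upgraded being false gives you the short list of machines to look at in their ccmsetup.log before promoting the client to production.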

Feature-wise, the in-place upgrade of the operating system on site servers that run Windows Server 2008 R2 is a real winner, enabling many quick upgrades to supported OS versions without a backup\restore being needed. Very enabling, as is support for SQL Server AlwaysOn availability groups. For mobility there’s a whole bunch of iOS MDM-related features pouring in too, nice, and cloud-wise we have more management over Office 365 usage\deployment. For the full list of features don’t forget to check out the documentation.
