Thank you to all that attended the Configuration Manager and the Cloud event!

And a big thank you to our sponsors Flexera Software

The event was set for 50 attendees, but we had 8 slots reserved for the WMUG Team to make sure we had a seat. We were fully booked within the first week. On the day, our attrition rate was the lowest we've ever seen other than when we had Wally Mead over, and we were pretty much just down a handful of attendees.

This time we wanted more speakers to fit into the day so we reduced session times from 1 hour to 45 minutes, it seemed to work, gave us an additional slot at the end of the day, as a format it seemed to go down well with the attendees.

Before we move on we would like to thank those that cancelled and informed us of their non-attendance, it allowed us to pass their ticket to the reserves, good job!

The venue @ Microsoft Paddington in London was very well laid out, all our equipment worked (there were some niggles that failed a demo, but something we can resolve next time). We'll definitely go back, and we have taken note of those that would like Reading to go back on our venue list. I'm sure we'll see Reading at some point this year, as well as new venues (North of England and Ireland) being planned.

Paul Hossack was first up, with a presentation around the Flexera Software product range, was very provocative (security and keeping up with patching always is!), the audience really soaked that presentation up, lots of questions fired at Paul who had this nailed down hard, responding to all the questions with reasonable responses and style

Next up was Paul Winstanley (SCCMentor) from the WMUG Team who presented on Management Point Replica's and high availability of ConfigMgr. It provoked a lot of discussion on design and how architects should think when it comes to high availability

Followed by Gerry Hampson - Enterprise Mobility MVP and WMUG Teamie who touched on his favourite subject at the moment, managing Modern Devices using on premise Mobile Device Management. Pretty cool stuff, don't forget to check out his posts on the subject here

Next up Robert Marshall - Enterprise Mobility MVP and WMUG Leader who gave a whistle stop tour of Servicing, while impressing on the audience the importance of checking the integrity of backups and having a DEV environment to perform a TESTDBUPGRADE before upgrading DEV and PROD. By the time he'd finished everyone had a DEV lab setup due to his constant tutting at not having one (joking, practically everyone put their hand up when he asked if they had a DEV environment) and they knew to check backups before upgrading and not assuming the backups are solid :-) Read more from Robert Marshall on servicing here and here

Sam Erskine - Cloud and Datacenter Management MVP gave us a good overview of OMS, and dug deep to show us some of the features he thinks are mind-blowing, such as Event Log harvesting, as with all the other sessions, humour permeated the air and Sam entertained us well while covering off a novel but interesting technologoy

Matt White - MCS Consultant and WMUG teamie gave us a great overview of managing Modern Devices (Windows 10) in a cloud-only model. What a great way to show off how far things have come with the Cloud technologies at Microsoft

And to wrap the presentations on the day Phil Wilcock of 2Pint Software gave us a very detailed run through of BITS\BrancheCache and PeerCache, the depth was stunning, recounting tales of yore (the story behind BranchCache and its authors demise) as well as giving insight into areas of the subject matter, very revealing, empowering session. The audience would have eaten up a lot more but we ran out of time

As usual we had something to give away, and this time thanks to our sponsor Flexera Software we were able to give a Raspberry Pi (V3) away to a lucky winner

Well done Craig Strong! We hope to see some pictures of you and whatever you get the Pi to do!

Paul Winstanley gave away the prize, since Paul eats sleeps and lives Raspberry Pi! (Ask him what that is all about, interesting story ...)

We also had a special give-away, a USB Hub that was previously owned by the generous grand-father of SMS Wally Mead. Robert Marshall had this in his stash for a couple of years and it was time to let it go!

Keith Sanderson won the prize by guessing Who owned this device? I had to hint a just a little, but I did leave it open!

And finally, not really related to the event itself, but at the venue there was a Microsoft Surface Hub and some of us gave it a spin, if WMUG had the cash and a need for a meeting room We'd love to have one of these, so super cool!

All presentations except the Flexera Software presentation can be downloaded from here

Well, what is next, keep an eye on the WMUG Tweet account as we have two additional physical events lined up for the South of England, and a possible event taking place further North, as well in Ireland. We'll announce all of this as things are locked into place.

In the meantime, please do keep an eye on the WMUG Tweet account for our announcements for further WMUG Clinics - The intent is to rerun the same sessions from this event and go further, or dwell on areas that are of interest to the audience in an informal setting.

Again, thank you for attending, and thank you again to our very cool sponsors Flexera Software!

The WMUG TEAM

Join WMUG on the day for System Center Configuration Manager and on-premise\off-premise Cloud sessions.

Thursday, 31st March 2016.

Featuring three (3) Microsoft MVP's, Robert Marshall (EM), Gerry Hampson (EM) and Sam Erskine (CDM), alongside the WMUG team, guest speakers and our event sponsor, Flexera Software.

The agenda will be as follows:

The event is completely FREE to you including refreshments and lunch, courtesy of our sponsor for the day Flexera. Please note that registrants Name and Email address will be provided to the Sponsor, please do let us know if this is an issue for you. We view providing your details as a small token of gratitude towards the Sponsor, which enables the event to be free.

Flexera Software is the leading provider of next-generation software licensing, compliance, security and installation solutions for application producers and enterprises. Their next-generation software licensing, compliance and installation solutions are essential to ensure continuous licensing compliance.

We also have an open questions session back by popular demand, and of course some giveaways for those who make it to the end of the day.

So what are you waiting for? Register now! There are limited seats available, and as always, we expect these to fill up quickly. Don't delay or you may be disappointed. If you book and are unable to attend, please do cancel your booking via the event page so that others may take up the opportunity, thank you.

Venue location

Microsoft,

2 Kingdom Street,

LONDON,

W2 6BD

About the speakers:

Paul Hossack - Paul is our sponsor guest speaker for this event, and will give us a demo of Flexera Software product offerings. Paul has been securing networks since 2007. A seasoned project leader and encryption specialist, and most recently hardware firewall adept, Paul is an expert in his field. Now working with Flexera Software (formerly Secunia) he brings his skills to vulnerability defence.

Paul Winstanley - Independent contractor with 20+ years experience. 7 years specialised in Configuration Manager and Enterprise Client Management. Also a CGJam Contributor and Pi enthusiast who regularly teaches kids in his spare time.

Gerry Hampson - Senior Consultant Engineer with Ergo Group based in Dublin. Recently awarded his first MVP in Enterprise Client Management through his awesome work on gerryhampsoncm.blogspot.ie and Microsoft TechNet forums.

Robert Marshall - Owner and Senior Consultant at London based Consultancy SMSMarshall Ltd, specialists in ConfigMgr. Microsoft EM MVP in Configuration Manager since 2009, and WMUG founder in 2006.

Sam Erskine- Samuel is our guest speaker, a CDM MVP, and an independent IT consultant and trainer, specializing in System Center and MS Cloud technologies. He is the content designer and lead author of several Microsoft System Center Cookbooks, and co-author of two System Center Unleashed books.

Phil Wilcock - Phil is our guest speaker, and has been in IT for a long time. Some would say too long. He started life as a farmer, ended up managing a huge Moo-Cow database (the DB was large not the cows), worked for Bill Gates for a while, co-founded 1e.com, went back to farming for a few years, trained as a Butcher and is now Director at 2pint Software, a specialist in Configuration Manager and presenter.

WMUG TechTalks presents an Overview of Flexera Software products and features.

Your host for this session is Robert Marshall - Enterprise Mobility MVP, and your presenter is Paul Hossack from Flexera Software.

This session is a repeat and extension of the session presented by the event sponsors at the recent WMUG Configuration and the Cloud event, with the opportunity for further Q&A with the Flexera Software presenter Paul Hossack.

Attendance is free, with the requirement for Skype for Business Full or Web App.

Tips

• Make sure you have Skype for Business Full or Web App installed before you join the meeting
• Mute your microphone
• Use the Chat feature of Skype for Business to ask questions

Click here to join the event on the 24th of May 2016 at 8PM UK BST time.

Paul Hossack - Paul will give us a demo of Flexera Software product offerings. Paul has been securing networks since 2007. A seasoned project leader and encryption specialist, and most recently hardware firewall adept, Paul is an expert in his field. Now working with Flexera Software (formerly Secunia) he brings his skills to vulnerability defence.

Robert Marshall - Owner and Senior Consultant at London based Consultancy SMSMarshall Ltd, specialists in ConfigMgr. Microsoft EM MVP in Configuration Manager since 2009, and WMUG founder in 2006.

Be aware, some of my customers and others in the community have been reporting issues once KB3159706 is deployed to their WSUS servers.

This is a known issue, and you’ll need to do the manual steps at the end of the KB3159706 article to get your WSUS server operational again.

This patch replaces KB3148812 which kind of had some ‘issues’.

Here is an example of the kind of whining you’ll get if you connect to WSUS once this patch has been automatically deployed, and the manual steps not carried out:

Thanks Nick Mitchell for the heads up!

After a long holiday away from blogging, I am back!

Over the next few months I plan on overviewing all the cool Technical Preview features, as well as rocking on back to Current Branch to kick the tyres on the super awesome functionality that is bundled.

One technology I haven’t covered much outside of work is Intune. I’m really liking how that technology is progressing, and I plan on pushing out a few posts over the coming weeks to explore what I am doing with it at customer sites.

Azure really has my ear as well, especially the integration we now have with ConfigMgr (Not just the Cloud DP!).

I am absolutely overjoyed at how things are going with ConfigMgr, an epic time to be a ConfigMgr admin.

Technical Preview 5 using Build 1606 or 1607 let's you play around with the new Cloud Proxy feature, and I thought I’d run up a guide on this awesome feature to help others reach out to play with it a bit more easily, as it is a very enabling architectural element for us to have in the design toolkit and worth checking out.

I found the release notes to be a little short on a few details when I got this guide underway, I had to come back to it for several attempts, Torsten Meringer another Enterprise Mobility MVP helped me out understanding what the Service Domain Name should be, CLOUDAPP.NET, and explained how he setup his Cloud Proxy Point certificate using PKI instead of a self-signed certificate, from there everything else just falls into place as documented.

After you’ve done this a few times it takes mere minutes to sail through, but for the first time it’s going to most likely take well over an hour to complete.

A key thing to note in the steps for enabling the Cloud Proxy Point is that your roles have to switch into HTTPS mode after you’ve added the Cloud Proxy Point role, I found that if you do not do this, the ConfigMgr Clients never see the Cloud Proxy Point. An example of how to manifest this unknowingly is if you remove the Cloud Proxy service and Cloud Proxy Point role, then try to put them back on without first switching your MP\DP\SUP roles to HTTP.

To get to the point where you can test out this Cloud Proxy point feature, you will need to have PKI setup already for your ConfigMgr environment.

For a lab you can simply switch your existing MP, DP and SUP if testing with, into HTTPS mode, but for a lab that is servicing non-HTTPS clients, you will need to setup a new Site system with which to host your new HTTPS based MP, DP and SUP roles.

Before you begin working through this guide, your MP\DP and SUP roles must be fully functional in HTTPS mode. Once you’ve tested them, and before you begin the guide, switch them to HTTP mode. I found if you don't, you’re clients will not get a Cloud ProxyPoint given to them when they do a Location Request while on the Intranet.

From your Active Directory Domain Controller, or a system running the RSAT tool, create a new Active Directory Security Group called ConfigMgr Cloud Proxy PKI Template

We’ll use this Security Group for two purposes, to generate the Cloud Proxy Point certificate and the Azure Management Certificate.

Now that the Security Group has been created, we next need to add the Site servers computer account to it, please go ahead and do that now.

Once done reboot the Site server so that its computer account token is updated with this new security group membership.

To proceed, we’ll concentrate on creating the Cloud Proxy certificate, this is created in the same way that you’d create a Cloud Distribution Point certificate as shown here for reference, we’ll set this certificate up below so no need to transition to the steps in that link.

Switch to your Certificate Authority server.

Open the Certificate Authority MMC snap-in, navigate down to Certificate Temples, from there right-click and Select Manage.

We’ll need to do the below steps twice, but hold off doing so for now, until I tell you later in the guide to return to this point.

The Certificate Templates console will appear (or switch to it if returning here), from there navigate to the Web Server template, right click and select Duplicate Template.

On the General tab, enter the new Template Name as ConfigMgr Cloud Proxy Point Certificate

Select the Request Handling tab, tick Allow private key to be exported

Select the Security tab and then Enterprise Admins, remove Enroll permissions for Enterprise Admins.

Add the new Security Group name ConfigMgr Cloud Proxy PKI Template

Tick Read (should already be ticked) and Enroll

Select OK

Right click Certificate Templates, select New, then select Certificate Template to Issue

Locate and select the ConfigMgr Cloud Proxy Point Certificate entry in the Enable Certificates Templates dialog

Select OK

That’s the Cloud Proxy Point PKI Certificate setup, we now need to setup the Azure Management certificate.

I’ve separated these two certificates out, as it is a more secure way of dealing with your Azure subscription, I could have opted to reuse the Cloud Proxy Point Certificate as the Azure Management Certificate, but I prefer the degree of separation.

So now return above where I told you earlier you’d be returning too, and use the following details to change the steps:

Call the template name the following: ConfigMgr Azure Management Certificate

In the Enable Certificate Templates dialog: Select the ConfigMgr Azure Management Certificate

When you are done, we’ll continue from here.

We’re going to request the Cloud Proxy Point and Azure Management Certificates from the Certificate Authority now, so that we can export them, and while we’re in the Certificates snap-in we’re going to fetch the Trusted Root Certificate.

Before we do this we’re going to have to think of a unique Azure Service name for our Cloud Proxy Point. This will be appended to a Domain Name called CLOUDAPP.NET, it must be unique, if you don’t get this right you’ll have to recreate the below Certificates once you find the problem and generate a unique service name.

An easy way to find out if a service name is taken is to ping it, if there is no DNS match you can try that as a service name. Later in this guide you’ll be asked to provide the Service Name and the Service Name FQDN, the latter just being your service name with .CLOUDAPP.NET appended.

From the Primary Site server, open the Certificates MMC snap-in for the Local Computer

Expand Personal and right click Certificates, select All Tasks and then Request New Certificate

The Certificate Enrollment dialog will now appear, from which you’ll need to tick both the ConfigMgr Cloud Proxy Point and ConfigMgr Azure Management Certificate entries

Both certificates need a Common Name configured, we’ll do the ConfigMgr Azure Management certificate entry first, so select the “More information …” link underneath it

From the Subject Name panel, and from the Type drop-down box, select Common Name

For Value enter your service FQDN.

Select Add

Select OK

Select the ConfigMgr Cloud Proxy Point certificate entry, and select the “More information …” link underneath it

From the Subject Name panel, and from the Type drop-down box, select Common Name

For Value enter your service FQDN.

Select Add

Select OK

Now select Enroll and Finish once done, while noting whether it is successful or not

You should end up with your two certificates back in the Certificate snap-in

Let’s export them, we need to do this twice for each certificate, starting with the ConfigMgr Azure Management certificate

Select the ConfigMgr Azure Management certificate, right click it, select All Tasks then Export

Select Next then Yes, export the private key

Select Next

Select Next

Tick the Password check box and give this certificate a strong password, note it as you’ll need this password

Select Next

Now to save the certificate by selecting Browse, give it a suitable name, this one will be saved in PFX file format, drop it into a common folder that you’ll return to again a few more times.

Repeat the export of the ConfigMgr Azure Management Certificate, but this time do not export the Private key, this will cause you to be prompted just for the filename, give it the same name as your previous certificate, this one will be saved in CER file format

Now do the same again for your ConfigMgr Cloud Proxy Point certificate, repeating the steps above to export it as a CER file.

Once you’re done exporting, go back to the Certificates snap-in, navigate to the Trusted Root Certification Authorities node, expand Certificates and select the root certificate for your domain. I’ve selected and highlighted mine here:

Right click it, select All Tasks then Export, accept the default format type, give it a name and store it along with the other certificates you’ve already exported naming it appropriately (YOURDOMAINRootCA.CER for example)

Now you need an Azure Trial, or a functioning Azure subscription, I’ll assume you will create a test subscription from new to check the Cloud Proxy feature out.

To setup a new Azure subscription you’re going to need a Microsoft account, if you don’t have one of those to hand, or spare, create a new one here

Go visit the Azure Trial and set yourself up a subscription, you’ll need an MS account (Live, Hotmail et al), a credit card (not-charged unless you upgrade to a paid subscription yourself) and your phone details. This will give you a 30 day or so trial to mess around with, and enough resources to run up a demo of the Cloud Proxy point.

Once you’ve subscribed and logged in, you will need to connect to the Azure Classic Portal, instead of the new Portal that you’ve most likely logged in with.

This is a requirement for a configuration element of the Cloud Proxy, Azure Management Certificates, a feature which I believe is deprecated but used by the Cloud Proxy feature today.

Visit MANAGE.WINDOWSAZURE.COM and login if necessary.

Once logged in, we’ll now upload our ConfigMgr Azure Management certificate to Azure itself, so as to gain access to the Azure Service Management API for the Cloud Proxy Point.

More can be read on Azure API Management Certificates here.

In the Azure Classic Portal, select Settings, then select Management Certificates

The Upload a Management certificate window will pop up in the browser, click the Folder icon and navigate to your ConfigMgr Azure Management certificate

Enter the strong password that you set when exporting this certificate

Note that it is uploaded to your Azure subscription.

Anyone flashing this Certificate around can completely control your Azure subscription, so tuck it away somewhere safe when done.

Note the Subscription ID, it’ll be in dashed notation like XXXX-XXXX-XXX-XXXX-XXXXX, store this away as you’ll need it in a moment and we’ll refer to it as your Subscription ID.

Now we’ll add the Cloud Proxy Service to the ConfigMgr Site server. To do this we visit the Administration workspace, and expand Cloud Services and select Cloud Proxy Service.

Select Create Cloud Proxy Service on the Ribbon, or via a Right click on Cloud Proxy Service

You’ll be greeted by the Create Cloud Proxy Service Wizard.

Enter your Subscription ID.

Select Browse and select your ConfigMgr Azure Management certificate

It’ll prompt you for the Certificates strong password, tap it in, then select Next

Now enter your Service Name, this is not your Service FQDN.

Select the Region you are testing in.

For Certificate File select Browse and navigate to the ConfigMgr Cloud Proxy Point certificate

The Service FQDN will automatically be populated from the certificates Common Name.

For Root certificate file select Browse and navigate to the Root Certificate that you exported earlier

Make sure Verify Client Certificate Revocation is not ticked, unless you are setup for it, if in doubt, untick.

Select Next

Select Next and then Finish

Now go monitor the CLOUDMGR log to see it provisioning the service into Azure, eventually you’ll also see the SMS_CLOUD_PROXYCONNECTOR log.

Once everything has settled down, from the ConfigMgr Console you should be able to see that the service has been setup correctly

In the above shots I’ve already had some traffic pass through, for a brand new setup the metrics should be white space.

I heard that if it shows Partially connected for an extended period of time, mine showed for a minute or two, then there was a problem provisioning the service. Try again, if it doesn’t work it is most likely a glitch.

Now that’s the Certificates and on-boarding of the services in Azure done, next we set up the Site server to use the Cloud Service, by installing a Cloud Proxy Point, and then we’ll do a quick run through with a Client test, run from a client on the Internet.

From the ConfigMgr Console, go to the Administration workspace, select Site Configuration and then Sites.

Assuming this is a Stand-alone Primary site server, select it and then select Properties, otherwise select the Primary you want to run the test on

From the Client Computer Communications tab, tick the box next to Use PKI client certificates (client authentication) when available text, and make sure to untick Clients check the certificate revocation list (CRL) for site systems.

Now add the Cloud Proxy Connector role to your Site server. No instructions needed for bedding this role in, just select and install it.

And to complete the server configuration switch your MP, DP and SUP to HTTPS mode, while making sure to tick the Allow Configuration Manager Cloud Proxy Traffic while switching to HTTPS in each of those roles properties dialogs. Make sure the roles are functioning, check the MPCONTROL log to make sure the MP is working fine.

That should be it.

You can go back if you like and look at the steps in the Technical Preview notes, to double check we’ve not missed anything, especially if you are buzzing up and down the guide trying to figure out why it isn’t working.

Now, to kick the wheels of this feature you’re going to need to have a ConfigMgr Client installed. Take care of that on a device that can be set to visit the Internet.

Once all of the above changes have been implemented, while on the Intranet recycle the CCMEXEC service on the ConfigMgr Client so that it gets a Location Services update, these occur every 24 hours if left alone, so recycling the service will speed this part of the testing up somewhat.

Once Policy has arrived and been processed by the ConfigMgr Client (go look at the messages and date stamps in the POLICYEVALUATOR log) open WBEMTEST and connect to ROOT\CCM\LOCATIONSERVICES, select Enum Classes… and select OK, navigate until you find the SMS_ActiveMPCandidate class, double click it, and then select the Instances button.

Here you can quite clearly see that the ConfigMgr Client knows all about our Cloud Proxy Management Point and will switch to it if it senses we’re on the Internet (out of any defined boundaries)

Now that we know that the ConfigMgr Client is ready to begin using the Cloud Proxy Point, let’s trigger it to do so.

I used a mobile hotspot to get a WIFI connection for my laptop to use, which was routing onto the internet.

Once I got the laptop on to the Internet, I checked the ClientLocation log, so as to see if the ConfigMgr Client was registering as being on the Intranet or Unknown (Internet in this case). Sure enough after a few moments it fired into life the Connection Type value changed to show as Unknown, which means Internet in our case, as can be seen below:

Now switch back to the ClientLocation log, after a few moments if not already done, there should be activity, and a switch taking place to the Cloud Proxy service instead of continuing to try the on-premise Management Point.

In the above shot you can see we’ve rotated over to using a new URL for the Management Point as:

CP1EMMVPTEST04.CLOUDAPP.NET/CCM_Proxy_MutualAuth.

Now you just need to open the PolicyEvaluator log, then trigger a Machine Policy Retrieval, watch from the log, confirm that Policy was retrieved, if it has it’s been retrieved from the Cloud Proxy service!

I also sent down a test Package\Program combination, one package with real content, another to just launch Notepad, all arrived as you’d expect when Machine Policy was triggered.

I didn’t test out the SUP as I didn’t have it configured in the lab, but am sure it’ll function just as fine as the Management Point and Distribution Point did, I’ll be sure to test that another time to make sure.

Enjoy the feature, I really rate this, I can see it becoming a major element in the architectural design process, one companies will use to extend their systems management ‘reach’ to their most difficult to manage, remote and not-well-connected to the core network end-points (with the condition that they at least have internet access), as well as to atypical remote office devices that have good internet access (serviced today by IBCM for example), with the added advantage of removing the need to host your on-premise ConfigMgr roles in public facing DMZs (so that IBCM can function), instead, Azure is used to route the traffic between the ConfigMgr Clients and your on-premise roles in a secure fashion.

A great feature. Cannot wait to see it develop further.

Tweet me on @RobMVP if you want to chat about the guide, any deviations you had to make, or if you just plain are stuck, will try to help.

Thank you to all that attended the WMUG 10th Anniversary event!

And a big thank you to our sponsors 1e

Our tenth Anniversary finally came along, who would believe it, we've been doing this for that long!

The event was initially set for 100, but what with it being the holiday period, we were aiming a bit too high, and with the reservations in the closing week at around 50, we decided to cap the event at 50, and on the day, I believe we had, including the WMUG Team, 35 attendees in the room. A good turn out!

For this event we had the pleasure of receiving two presenters that had to travel from abroad, Enterprise Mobility MVP Nickolaj Andersen travelled over from Sweden, and System Center Consultant Maurice Daly who travelled in from Ireland, Thanks guys.

The other guest presenters were our sponsors 1e with Brent Hunter, and then Enterprise Mobility MVP Robert Marshall, Terence Beggs who doubled up with Maurice Daly, Marcus Robinson and Aaron Czechowski. With Peter Egerton putting on an awesome IT Quiz, which we had a great time with and can see coming back.

For this event we had a virtual presentation, which was given by Aaron Czechowski, and it worked out perfectly. We will do more of these.

On the day, only one presentation suffering at the hands of the demo gods.

Once all the slide decks are in one place we'll update this post and link here.

Here's a run down of the day in pictures.

Arrival at the venue, attendees are greeted with fine imagery presented on a Microsoft Surface Hub, and refreshments before the day gets underway

The IT Crowd

We got them to wave to prove that they were not photo-shopped in

Brent Hunter from 1e gave us a wonderful presentation on Accelerated Windows 10 Deployments,

as well as giving us a brief overview of the technologies 1e offer in this space

One of the most significant hurdles a client estate upgrade will encounter is transitioning from BIOS to UEFI during a Windows 10 deployment, and 1e have this fully nailed down and painless

Robert Marshall was on next, but I cannot find his picture so he'll have to settle for a link here, to a blog-post he recently did on the very subject he presented on, Push-based Replica Management Points

Marcus Robinson put on presentation based on a very exotic and extremely powerful technology, DSC,

and showed us how easy it is to use for Azure automation

Maurice Daly and Terence Beggs who are both WMUG Community Contributors,

gave us a good grounding on where things are with Multi-factor Authentication

Enterprise Mobility MVP Nickolaj Andersen put PowerShell through its paces,

giving us cool examples of how to get at Configuration Manager to do almost everything using it

We then moved onto our Quiz, Guests versus our Panel of Experts, and the Guests won by a clear margin!

Well done Guests, some of those questions were, ahem, very exotic although IT related!

And good job Peter Egerton for coming up with the idea and hosting it.

The raffle got underway, for this event we had a book, a ticket and some hardware to give away

Congrats James Staunton for winning the System Center Universe ticket!

We should be hearing back from James once the event is over and he can give us a review

And thanks System Center Universe for giving us the free ticket to give-away!

Next up was a guy who's name shall remain a mystery until he steps forward (we lost the bit of paper with it on),

however he is the bearer of a Microsoft Band 2, kindly given away by our sponsors 1e

Congratulations Cristian Ceobanu for winning the Troubleshooting System Center Configuration Manager book

by none other than WMUG Leader Peter Egerton

Likewise for Keith Sanderon who also won the book

And finally, our virtual presenter Aaron Czechowski began his presentation over Skype

We were worried the link would drop ...

But he stayed with us, and gave us a run through on Current Branch features as well as the Technical Preview,

rounding off with a demo of the new Cloud Proxy Point

Aaron showing us more of his stuff, and with no interruptions to the link he was able to give us an excellent interactive presentation, over-the-wire, very nice, and a big thank you to Aaron!

Thank you again to all those that attended. Until next time.

Join WMUG for a day of Expert Windows Management and a bit of fun too on what will be our 10th anniversary event. 

Wednesday 13th July, 2016.

Microsoft UK
2 Kingdom Street
Paddington
London
W2 6BD

Featuring excellent speakers from the IT community and Microsoft alongside the WMUG team and our event sponsor 1E.

The agenda will be as follows:

Hey you!

ConfigMgr Current Branch Technical Preview build 1608 has released.

I highly recommend building a lab VM to host a technical preview build, seeketh out a guide from Niall Brady and others on how to setup the Technical Preview, having one so you can check out impending features is the way to be super cool and be up on the latest product developments.

Here’s a run down of the features available for tire kicking in 1608:

• ‘New Software’ indicators in Software Center: The Software Center Applications, Updates, and Operating Systems tabs now show which software was recently added. Numbers in the navigation pane show how many new software items are on each tab.
• Application Requests from Software Center:Users can now request approval for applications and view the request history for applications in the Application Details view in Software Center. The Request button in Application Details no longer redirects to the web-based Application Catalog.
• Improvements to Asset Intelligence: A new field has been added to the properties for inventoried software that lets you set a parent and child relationship with other software. In the Inventoried Software list, you can view the parent of any software and also hide child software.
• Keyboard Translation for Remote Control: By default in a remote control session, characters typed on the viewer’s keyboard are sent to the controlled device instead of the keys, whether or not their keyboard layouts match. This behavior may be turned off in the Remote Control viewer Action menu.
• Improvements to the Prepare ConfigMgr Client for Capture task sequence step: The Prepare ConfigMgr Client step will now completely remove the Configuration Manager client instead of only removing key information. When the task sequence deploys the captured operating system image, it will install a new Configuration Manager client each time.

That last one is VERY important.

Do you know why?

This removes a key argument or reason for using MDT for Gold\Master Image management, the desire to end up with a gold image that doesn’t contain a ConfigMgr Client (in a deactivated state).

I am not an MDT hater, every tool has a place, and there is a place for every tool, but immediately turning to MDT adds complexity often unnecessarily, and moves the novice to intermediate ConfigMgr Administrator (who are the ones mostly implementing or owning ConfigMgr, not rocket scientists) out of the ConfigMgr Console, and into a foreign tool, so as to perform a task that should stay with ConfigMgr, building and capturing images.

We know there are short-falls in what can\cannot be done, and this means MDT still reigns, although much of what it does can be achieved in the environment (Group Policy etc.). Realistically, there should be gaps in what they do as they service customers are different ends of the scale, but Windows 10 Management should be universal between ConfigMgr and MDT. MDT shouldn’t be the only product able to render a Gold\Master Image in a certain way (that most Enterprises opt for), especially if you’ve bought ConfigMgr and want to do it all there.

Consider the Windows 10 Cadence and how rapid it is now, yeah,  you won’t be creating a Gold Image that’ll last a year for much longer, well if you are doing LTSB sure, but CB or CBB, turning over an image often, will mean that MDT environment is going to be busier until we can shift to a single pane of glass, ConfigMgr.

I decided a while back that when I finally set about to publically document the pathway to enable a new type of Replica Management Point in ConfigMgr, that I wouldn’t go into much detail explaining what a Replica Management Point is, or pitch their usefulness and all that, as we’d get bogged down in details that are already out there.

The likes of Brian Mason and Kent Agerlund have for many years been fleshing out their justification and use-cases, and produced some great guides to getting them up and running, even our Paul Winstanley at WMUG has put together a guide, so instead I thought I’d visualise a particular problem where a default Pull-based Replica Management Point falls short, and show how implementing a Push-based Replica Management Point solves that problem.

In the below shot, I’ve mocked up a visual showing how SQL is used by a Management Point in the three scenarios that it currently covers:

1. Management Point in close proximity to the Site Database (in terms of network location)
2. Management Point using remote Site Database to service Clients
3. Replica Management Point using a replica of the Site Database to service Clients

Now this works just fine as long as you’ve got communications pathways back to the Site servers Database, but when operating in restrictive environments and those pathways are blocked, it means taking Replica Management Points off the design board as a design element.

To get things underway, I’ll focus more on the reason for the drawback in using Replica Management Points in those environments, and show how to put them back on the design board.

So here we are, a very basic network and services diagram, showing on the left a trusted network, and on the right two untrusted networks.

The untrusted networks are not allowed to communicate back to the trusted network, for obvious reasons, and the communications back in that direction are blocked, as is shown using the red crosses above.

The Microsoft documentation for setting up a Replica Management Point guides the administrator into creating a subscription on the Replica SQL Database, which makes it a Pull-based method for replication. So by default, a Replica Management Point is a pull-based mechanism.

I would only recommend using a Push-based Replica Management Point sparingly, and if you need a standard Replica Management Point for high-availability, perhaps look at SQL Always-On as an alternative to hosting Replica SQL Databases.

With the firewall blocking communications back to the Site servers Database, it means that a Pull-based Replica Management Point will fail to function at all, as the underlying SQL replication mechanisms communication pathway back to the Site servers Database is blocked by the firewall.

The solution is pretty simple, nothing complicated about it, but comes with a few considerations, such as incurring a slight performance impact on the SQL database hosting the Subscription, and the supportability of the change to a standard Replica Management Points design. We’ll cover those both more in a moment.

To solve the problem then, all we need to do is rotate this pull-model around to become a push-model, and to achieve that we simply create the subscription on the Site server if it’s hosting the Site Database, or on a remote SQL, or remote SQL Cluster.

Changing the SQL Replication model to Push instead of Pull, means Replica Management Points can function in those environments that restrict access back to the trusted network.

Changing the Replica Management Points SQL replication mechanism to push-based completes part of the solution, but to finish up the Site system also needs to be considered, as by default the Site system will attempt to connect to the Site server, and fail in the problem scenario due to being blocked by the firewall.

The Management Point will essentially drop inventory reports and other material coming in from clients, such as Status and State Messages, into its own Inboxes, and the contents in the Inboxes, on its Site system, need to be replicated to the Site server, so that they can be processed into the Site database.

To solve this problem in a restrictive environment is easy, a feature that has been built into the ConfigMgr product for some time is to configure a Site system so that the Site server connects to it, rather than it connecting to the Site server, labelled up as Require the site server to initiate connections to this site system but more breezily titled Inter-site whizzy bang Inbox Pull Mode contraption thingy.

Here’s Site server to Site system replication visualised showing both modes of operation:

Now all of that is out of the way, and you clearly understand that this new type of Replica Management Point, push-based, is only for heavily restrictive environments, where Regulation\Compliance rules exist that do not tolerate connections being established from untrusted networks to trusted networks.

And you know already from reading this post, or are becoming more aware of the fact that for most people, implementing a Push-based Replica Management Point in their environment is probably a pointless exercise.

However, some of you have probably already figuring out that a Push-based Replica Management Point  could actually help you to manage more devices in the more restrictive parts of your environment, possibly replacing ConfigMgr Hierarchies specifically setup just to manage those devices, or bringing them fully into the companies System Management solution, ConfigMgr, rather than letting them continue being managed by stand-alone WSUS for patching and AD Group Policy or “by hand” software delivery.

But here is the catch, since we’ve changed how the Replica Management Point is implemented it is unsupported, not because it doesn’t work, just that it was never put on the test list, if it had, it would be one of our current design elements.

Another point to be made here is that a performance penalty will be incurred by the host of the Subscription, so if it is hosted on the Site server which has local SQL, there will be a slight performance impact, how big depends on the scale of your environment. The more Subscriptions you have, the more of a performance penalty is felt.

Base-lining and monitoring of SQL performance would help view performance before and after the change, and keep on top of performance nose-diving, but to be honest this won’t represent a problem for most customers that are not at large scale, only those that are running their SQL at a far gallop (under-specification, over-used) already.

To solve the supportability issue, if you’re a Microsoft Premier customer you can get reasonable commercial support while this is implemented, but are open to Microsoft during a support engagement asking you to revert the Replica Management Point back to its default configuration (Pull-based SQL Replication) for reproduction of the problem you’re logging with them. Make sure you have a procedure for switching back and forth between Push and Pull in place in case you need to do it.

If you’re the type of environment that pays at least a token nod at not tolerating unsupported scenarios, and do not have a Microsoft Premier agreement in place so as to get a supportability statement sorted out, then you’re out of options, and implementing and dealing with any consequences is entirely your own choice.

For obvious reasons I only recommend readers of this post to implement while getting the nod from Microsoft Premier Support. I am not responsible if you decide to implement and your technical world for some reason ends because of it, even though it is entirely unlikely to happen.

Strap in, get ready, finally we’re going to finish up the post by showing how the replication is switched from pull to push mode.

The Microsoft Documentation for implementing a Replica Management Point is here:

To implement a Push-based Replica Management Point, we’ll follow the Microsoft documented instructions up to the To configure the database replica server section:

We’ll carry out step 1,but modify the step 2 procedure slightly, so as to produce the Push-based SQL Replication mechanism, then complete the rest of the overall Microsoft documented procedure.

2. On the site database server, use SQL Server Management Studio to connect to the local server, browse to the Replication folder, expand Local Publications, select the Publication and right click and select New Subscriptions…

a. Select the Publication and select Next

b. Select Run all agents at the Distributor.

As can be noted in the screenshots text, this changes the replication mechanism from pull to push, it is as easy as that.

c. Select Next

d. Select Add Subscriber and select Add SQL Server Subscriber… then connect to the SQL Replica database. Returning back to the New Subscription wizard, the Subscription database drop-down for the newly added subscriber needs some attention. If you’ve already pre-created the database, this is where you’d select it, otherwise create a new database.

e. Once you’ve taken care of the small matter of pointing at the Replica Database, select Next

Now go back to Step 2 in the To configure the database replica server section, and carry out steps f, g, h and i, and then complete the entire remaining procedure as documented by Microsoft. You can also enable the Notification Channel as instructed in the Microsoft documentation.

A quick check of the Publication see’s the Subscription has been added to it:

Having a nose around the actual Publication shows us what is being replicated (Articles):

And viewing the properties of the Subscription shows us it is in Push mode:

Your SQL Replication mechanism will now be push-based, and along with a Site system that is serviced by the Site server connecting to it,  you have a Management Point role that, along with its underlying Site system, is for the first time compliant with the needs of some of the most complex untrusted, but accessible, network environments out there.

Drop in a Distribution Point and you’ve now got Policy, Lookups and Content covered in the restrictive environment, Client Registrations too. OSD is but a mere click away. Nice.

While this is a great solution for on-premise devices, there are other ways coming about to service the same difficult to reach devices such as those in untrusted networks, as long as they have access to the internet . An up-and-coming feature called the Cloud Proxy Point, which is trialling in Build 1606 of the Technical Preview will open all of them up to management using a solution lashed together with Azure and on-premiseConfigMgr. I’ll be covering this technology in my next blog, as it is a killer way to handle devices on the internet or with on-premise but with internet access, without needing to place your Site Roles in a public facing DMZ. One of the most exciting features I’ve seen in a while as an architect, along with Intune, but quite a fiddly affair in comparison to Intune to get up and running.

Update (05/09/2016): 

Confirmed that with a Push-based Replica Management Point, the Client Notification Channel works fine. Nothing special needed to configure it beyond the documented steps.

Finding that I often do quick port tests related to ConfigMgr installations @ customer sites, and my traditional approach was to use TELNET and NETSTAT together, checking for ports marked as SYN (no synchronisation packet came back) as an indicator that the port is blocked or not being listened on, so I thought, why don’t I write a new (extensible) Tcp port checker to do the job for me.

Falling back to the classic Tcp port test, use TELNET to test a Tcp port, and NETSTAT to see what is happening:

TELNET IP PORT

NETSTAT –AN | FIND /I “SYN”

You have to do this fast, within a second or two, or you’ll miss the port SYN state and get no results back. Try it, has helped me out a lot over the years.

Well, half-way through coding this new tool, as I often just code for fun and, can get carried away between a mere thought and my hands whizzing back and forth in Visual Studio creating something, I checked to see if anyone else had a cool port checker, and found this (lol oops how can I forget that old Microsoft port checking puppy!), this, and another that I cannot locate the link for again, was ConfigMgr specific and was fed by a XLS, I’ll update the post another time if I remember, and include a call out to that tool as it was the first one I found.

So yeah, I wanted to call these tools out that came ahead of mine, go ahead, check them out, a port checker is a port checker after all, so choose your poison and get the result you want (Port open, Port closed).

My tool is Tcp only I’m afraid. Udp is a tricky beast to validate. If I can get something reasonable that is reliable (so many conditions can make testing Udp pointless), I’ll update the tool with it. Framework code for Udp is there, so implementing Udp is a cinch if I sort out the Udp Port checking logic.

This version doesn’t handle DNS lookup of the hostname very well, works for some of you, IP always works, I’ll fix this at the next release. And also IPV6 isn’t supported until the next release.

CheckPort for ConfigMgr is Wrapped as an MSI to make installing\uninstalling a breeze (thanks Flexera Software for InstallShield Express!).

Unblock the MSI if Windows warns you it is from an untrusted source. I am in two minds if I should buy a certificate to sign my tools so that they are trusted by Microsoft, but that costs £££, maybe one day.

I mentioned above that this thing is extensible, well it sure is, it can either run as a stand-alone EXE with all ConfigMgr rules built-in, or feed off of a four-column CSV file (Test name, Port Name, Port, Tcp\Udp) located in the same directory as the EXE. The MSI installer will drop a sample CSV file into the installation folder for you to check out.

Download the tool from the TechNet Gallery

And … enjoy!

In the following series of blog posts I will introduce you to C#, Visual Studio and the ConfigMgr SDK, and show you how to produce your own custom tooling easily.

The motivation behind this series of postings is to enable you to create community tools or bespoke tooling to assist you in your day-to-day ConfigMgr role, and thus to enhance the Community overall, as hopefully you’ll produce the very next best tool and we’ll all benefit from it.

To underpin the guide I’ve written a tool called MonitorMP which will keep an eye on the health of your Management Points outside of the ConfigMgr Console, the source code for this tool will be built up and completed by the time we’ve finished with the series of posts, at which point we’ll make the tool made available in both compiled and source code form and everyone that read this guide will feel somehow connected to it :)

Previous postings for this guide

Guide to creating your own ConfigMgr tools – Part 1

Guide to creating your own ConfigMgr tools – Part 2

Guide to creating your own ConfigMgr tools – Part 2 – Extended

Guide to creating your own ConfigMgr tools – Part 3

In this post we’re finally going to build the MonitorMP tool!

Let’s first lay out our requirements:

• .Net 4.0 as we want this to be highly available, and not require the latest .Net (4.5.1 or 4.5.2) to be installed
• Check all Management Points associated with a Site Server, to see if they respond to HTTP requests, green light, red light visual indicator
• Repeat the test on an interval
• Test HTTP only, HTTPS requires extra handling and is a great idea for a V2 made by the Community

That’s about it, all we want to do is check the Management Points for a response, and maybe schedule a repeating check just to stretch the project out a bit, and to include threading examples for you.

To accomplish this, we’re going to need some tools from the .Net library:

• HttpWebResponse Class

HttpWebResponse allows us to easily open a TCP\IP session to  a destination device, issue some HTTP and retrieve the response

• Background Worker Thread Class

A Background Worker thread will allow us to set a schedule for repeating the test, and allows us to interact with the Form\UI thread to update our interface. The great thing about the Background Worker threads are their event support, such as DoWork, RunworkerCompleted, and the most important for us, ProgressChanged. These events can interact with the UI thread allowing us to update the UI with data

You now have two choices, if you are pretty sturdy with Visual Studio and C# already, then download the Source Code here and run the project to see the end result, skipping all the building up steps, or join me as I build the project step-by-step, so that you write it and gain from the experience.

Let’s get underway and step through building out our project together.

• Open Visual Studio and create a new Project
• Select Windows Forms Application
• Give the project the name ManageMP, and sort out the Location (accept the default or choose your development folder if you have one) then Select OK

We’ll begin designing the Form before we lay down a single line of code, so let’s get on with that now.

I’ll be asking you to drag some objects from the Toolbox onto the form, tweaking their properties and position\size attributes.

• Modify the Forms properties

• Set the Size to 667, 348
• Set the Maximum size to 667, 1000 (this sets the maximum form dimensions, 667 width meaning it cannot be adjusted widthways, with 1000 set for the height which lets the user resize lengthways)
• Set the Minimum size to 667,348 (this is the minimum form dimensions, 667 width and 348 height)
• Set the Text to MonitorMP
• You can set the Icon for the Form but this isn’t necessary to progress, you can download one I created earlier from here. Change the Forms Icon, and also change the Default Icon in the projects Properties. I suggest storing the ICO file in the Project folder:
• Select Icon to browse for your ICO file:

• Right click your Project and from the Application tab browse for an ICO file, you can also click Assembly Information to add metadata to the EXE that is shown when you right click it:

• Add a DataGridView

• Drag a DataGridView onto the form
• Set its Name to dgv_Mp
• Set its Location to 13, 12
• Set its Size to 626, 228
• Set the following properties to False

• TabStop
• AllowUserToAddRows
• AllowUserToDeleteRows
• AllowUserToResizeRows
• MultiSelect
• RowHeadersVisible
• ShowEditingIcon

• Set the following properties to True

• ReadOnly
• StandardTab

• Set AutoSizeRowsMode to AllCells
• Set Anchor to Top, Bottom, Left, Right (this allows the DataGridView to grow as you resize the form, we only need to do Top, Bottom as we are not allowing resizing of the form Widthways)
• Set AlternatingRowsDefaultCellStyle to DataGridViewCellStyle { BackColor=Color [A=255, R=224, G=224, B=224] } (Use the ellipses and select BackColor to pick a background colour, light grey, or a colour that you like)
• Right click this DataGridView control, select Edit Columns
• Select Add

• For Name enter c_mpName
• For HeaderText enter Name
• Select Add then Close
• For AutoSizeMode select AllCells

• Select Add

• For Name enter c_siteCode
• For HeaderText enter SiteCode
• Select Add then Close
• For AutoSizeMode select AllCells

• Select Add

• For Name enter c_State
• For ColumnType select DataGridViewImageColumn
• For HeaderText enter State
• Select Add then Close
• For AutoSizeMode select AllCells

• Select Add

• For Name enter c_mpStatus
• For HeaderText enter Status
• Select Add then Close_
• For AutoSizeMode select Fill

• Select OK

• Add a Label

• Drag a Label onto the form
• Set the Name to l_writtenBy
• Set the Text to “Written by X” and replace X with your name!
• Set the Location to 12, 254
• Set Anchor to Bottom
• Set TabIndex to 0

• Add a TextBox

• Drag a TextBox onto the form
• Set the Name to tb_Server
• Set the Location to 164, 254
• Set the Size to 169, 20
• Set Anchor to Bottom
• Set TabIndex to 1

• Add a Checkbox

• Drag a Checkbox onto the form
• Set the Name to cb_Timer
• Set the Location to 339, 254
• Set the Text to Enable Timer
• Set Anchor to Bottom
• Set TabIndex to 3

• Add a NumericUpDown

• Drag a NumericUpDown onto the form
• Set the Name to nud_timerMinutes
• Set the Location to 433, 252
• Set the Size to 47, 20
• Set Anchor to Bottom
• Set the Value to 5
• Set TabIndex to 4

• Add a Button

• Drag a Button onto the form
• Set the Name to b_Go
• Set the Text to Check Management Points
• Set the Location to 486, 250
• Set the Size to 153, 23
• Set Anchor to Bottom
• Set TabIndex to 2

• Add a Status Strip

• Drag a StatusStrip onto the Form
• Set the Name to ss_Messaging
• Right click the StatusStrip and Select Edit Items
• Select StatusLabel and Click Add
• Set the Name for toolStripStatusLabel1 to ssl_Entry
• Set the Text to blank (nothing) otherwise it will look like this:

• Now that is the form laid out, on your end it should look like this with <Name> replaced with your name

• In terms of position and sizing of the forms objects, not a little like this, but actually like this
• I simply compiled the completed project to get the Form showing for the above screenshot, but you should also be able to compile and run it right now to see the same.

Let’s write a line or two of code.

If you are new to coding in C# you’re about to see several cool techniques that help me code solid applications, for the more handy with C# there are no surprises here for you. I’m a mid-tier C# coder I guess, and could do things more efficiently in some places, make more use of .Net, but overall I get there.

Things we’ll cover:

• Methods used by the dompCheck BackgroundWorker thread, so as to populate the DataGridView
• Custom Class Collections to contain collections of custom classes that we’ll use to store multiple properties, and pass around between methods
• Threading, and thread management through global variables, as well as examples of passing our Custom Classes around using the ProgressChanged and RunWorkerCompleted BackgroundWorker thread events

Ok I was really just teasing you, no coding yet, first let’s cover off why I'm making references to the UI Thread, and mention creating a BackgroundWorker thread:

All Windows Form Applications start out life as Single-threaded applications. This means all the code you write for your application, and the User interface controls you add are all being processed by a single thread, called the Foreground thread.

So, if you burn out that thread the UI will lag out and become unresponsive, and if it does it for long enough the Operating System will sense this and offer to kill off the process for us.  We’ve all see this at one point in time. Not good. For Console based applications this isn’t much of an issue, unless you need concurrent activities taking place.

To go multi-threaded we hit an immediate wall, a custom thread cannot speak directly to the Foreground threads forms, such as the DataGridView and StatusStrip which we want to manipulate. We can code stuff into a normal Thread from the Thread Class, but it is a work of pain. To overcome this, we use a special kind of thread, and do away with coding our own way out of the situation. We use the BackgroundWorker thread, which is derived from the Thread Class itself, as a place to run our code, and hosts a bunch of methods and events we can fall back on to speak to the Foreground threads Form controls. The key event for reporting progress back up to the UI thread is the ProgressChanged event, which we can fire at will, the other of note is for when our BackgroundWorker thread is stopped, and is called the RunWorkerCompleted event. These two events can interact with the UI thread, allowing us to play with those form objects while still running the custom thread, or coming out of it.

There are a few good reasons for running code on the UI thread, but ideally if you can lob it off to a custom thread to get on with, is much better, things become more fluid in the UI, as in the user experiences a smoother ride. To read more on the BackgroundWorker thread, visit the MSDN library here.

The gap between single-threaded applications and multi-threaded is narrowed further for you, multi-threading your code is now within your reach!

Now let’s really begin coding. I’ll offer up code-blocks for you to copy\paste in, but please do watch out for the browser changing characters such as quotation marks.

Firstly, we need to add some references to the .Net 4.0 classes we want to use in the project

• Double click on the form to be taken to the Code view
• Replace all using clauses with the following:

using System;
using System.ComponentModel;
using System.Drawing;
using System.Windows.Forms;
using System.Net;
using System.IO;
using System.Management;
using System.Threading;

It should look like this:

We’re going to need some triggers to control the BackgroundWorker threads we’ll create soon, we set these as public.

• Add the following code below the Form1_Load method:

public volatile bool mpcheckRunning = false;
public volatile bool mpcheckStop = false;

public volatile bool timerRunning = false;
public volatile bool timerStop = false;

It should look like this:

We set these to volatile as we’re going to access these from threads, volatile forces the compiler to not optimise them, which would result in possibly offering  us an indexed value rather than the actual value (think of lazy values). Since we’re checking them from inside a thread we need them to be reliable, and must not change them from multiple threads. Booleans are not such a problem but changing a global string value for example, from multiple threads, could lead to the string becoming corrupted.

Now let’s create two very special classes that we’ll use to pass information around between methods. We’re using an Object Orientated Language, so instead of passing a single property back and forth between methods, or an array of properties like old school style, we can pass an entire object containing several properties, or even a collection of these objects.

We’ll do this when we check the Management Points, we’ll pass the MP Name, MP Port and MP State around as an ‘object’, and we’ll put all of these objects into a Collection, and in turn pass that around. It may sound complicated to begin with, but over time you’ll have to grown into doing this, so as to overcome certain obstacles when it comes to how much information you want to push around between the methods, especially BackgroundWorker thread events.

We need several more variables so let’s create them now.

• Add the following below the previous variables:

public volatile int nudtimerMinutes = 5; // Set to 5 to reflect the nud_timerMinutes controls default setting

public volatile ManagementPointCollection globalmpList = new ManagementPointCollection();

private static string unhealthyIcon = "iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAdxSURBVFhHrVdpbJRVFL0tQdpCqWzaQqldAdm3Ki2EtqKgqLhUAQVZKlsbBK0sResSBbcfRk1cEkMkGE1EUdyCqEkRSTEKLV1mpssMnW4zUIIKKAqYXs953zdlppQtepObmfm+984577777rsjl2sLRSIfEhmzQGQZvm9dLOLIEzmFzzb8Lpkn8vJskbvuFEnA8HBr1v9gAI+D5xf3iW54J2WQfjFhmJbmjFfHzAz13DXVfPI3n/M9xrXPFfl0lsgtQ0R62DBXblwxfN4LsX39O8YP1do7MrUhN0cb58/U5uWztfWxxepbv8J88jef8z3HcTzm6f0iX9wskg64K4vIIpH4NdFRWz4cmWwAvXOna8sjD6mvKP+SznEcz3mcv6pX5LEZIksBe3nRAHnqM/1i9n4zaYRZUXP+A10SXco5j/OJ81S/mDPTRZ4FfJTFcgHjykm+J2uceufc0iXwlTqj8WP2eIo4myNSDJoIi62Tcc8ZdiruTO7fgNCuW64ta5erP+h5V27GwYOfeR+81URiZa/IExNF5oOum8UaZEw47hnDFjzZv6FAWx9fohVPFmpV8Rr1rV3apQgjsvBhrXl+g3qfKVT/miUh74lLfBxTV2+RoTatZSCPY7YzcYL33CJ/WMtWL9XDB/br4aoKrXjiMSPIiOApwGr9RTwNeVq+4VE92tSkZyr2qw/POS6ARVzi83RMEnkbtD0tdhgE5PPocL86yOEEIHnLvlINWDOEVIDIhxX6IYDkLYV5ehDPDjuq7VGqf/68FwKBsXZZBybxyYMa4QXtqAB5JIsM1QWOGsm53+VYre/ALzbkOWs9WG5EHCE4RJYXrQ4hb29vN59/1zrU/zTEmpwoMPjkAZ9eL7IJ9FcJyysrWPDeU0AzwGufK9L2Np8B62z+ygo9sHallsHbamrsp5ZZ9KqnDvykvuJVtgALmzzkmyJSCgFxwtrOMspKFhgU8CPrl2nbaxv1dGODDRlqR+vr9ZjHbf+yLLD6P/Z8Z7YweAvo5CHfTJFGCEjnFmxlLW9afHfIQONMMmR22+ub9HSz1wBf1DrIvzc5wgRuxanxrT8XAZZt8qFMH4eAXOGtxgvFnT1SW1Yv7CDmZyuP0rplRsTRN17QMy2NhqBLs8lPluzU5oIHtXnFHOPcd4MTEIDTQD5s/RkIWCW8UnmrVceJ1mWkalMeIkEBXP2ji7Vpaa42opC4Zk1RV2G+nm6oN0Rd2Yndu9Rz+yQ9NGuyyXhGtbngAXNEiUfsuowUc4uCtx0CNjICbVTkGNzdiHANu1rd08ZA/VxEZJF10y24QxvuydKdCbHq2fmVTXe+NXz0vpYm9FPPjIkm2TiP8ynEc1u6wSaPHYGzEPASc6CEe+JMjTYCAu5M7aXurOHacG+WWU0F6nndB+/ZVBc2z+a39ODYZD10J/qFmTeYFTuTewbhRpscuE/kJAQUCTsZZmXN6NgQAXTHQNHKfqK7BvZR19Z3tf2fszbNRQy54IaIH2N7alX/UDw6ech3q4gPAhYI2yiey7rMtJCBTpJfLbp9QIw6d2y30UPtj30/6KmD5xcqmvvDLbp7QIRWDsBCgnDJQ74bkfwQkC3s4dhGuaaNU0dihBnECeVQ/1lavB4q3WtDhtrxr7djNddq3eQ0/XP/PvtpqHm/+kwrk7C111jkxCcPK2GSyPcQkAKXcPZwpu0aH9+htAKTdiX2V++ObTbcOfv9y23qGtFfq/pYUarPHm6qXmf79c0X1ZEQqVXXWpjEJ8/tSHzwPge3GhQ2kLylnDmjQxKmGlH4OTZSf9u2xYYE+Sdbkc19tKov3sfCAU4R7mmj9S/cggFre6XYPK+yV09c4pNntEgZaKcZchq7VzaQvK9ZCzoE2CKqB0friW8/x8o/BhBCyn2ND8eRCjNePShMq5Csh267QU973aZyVsaEhyQhcYmP/vAwmsNXQdvfYreN3SsbSHYutRMSQkXEhZlV1yDsjsQeWpPSXWvSwrU2LQzf4Ulh6kzsrs6UnlqbnqCuITEQ1Q0ebuYTj7gFvSL/wqbvAR3uovMtnN0rG8iSjE4iBoarMykCZzgKhN20dij2fYTldcNxtNJQwBIR5iSISItGlKIQIQgw5IO1JHOkFveN+WesSCV4UPsk0jB2YT3YvbKBpGKGLZATjniLhGQkdo8T9UzA97EQcT3eJcOvg1iM43jO43zikBy9oAv46+DXGKaLWBS7VzaQ3DMmDlfhSMERgoC6YSAdg/1Oh99oiagbCWGplgCOY7ZzHucz7PbKST7IMFyGRbB7ZQPJrOXRcaG+e5DpnqlD1JOJ+pARYwmY1FvdGYO0fnKyum8apa7pEzv+GTHh7D1n2C+58s7Wjd0rG0j2cPi/oJtHJOm32elaNnuGepbkaguuXU/evVqWe7N+M3WCbh6WqE9jHM85j5qd7Uy4C+755Ri711HD0cNloY26G50MlnN8Fe7zNbhSH8Gthq7qJKLly0R5tSsciwzPeehR+492FTwOzj+buXBowH3OK5W3Gi8W1narvF78L1iHifwL8wuwMVrk4vMAAAAASUVORK5CYII=";
private static string healthyIcon = "iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAgASURBVFhHpVcLUJXHFV65xJl4SaJYUBCIYFQe46PxkQykKCqWiw8UUKkQAQeDEASlithKqBpFJYqNEUrQyaTpVBAFxAcgaCgKBDDyEINOU2Oa1lESaAlGkNfXc/b/fy4iiXZymG/27r97znf27Nmzi3hWMV0u5hDiCVmEekIroVdtuc/feXyOqvLzhYzpCSGEfLsoqz7XfTPh/8kSrC8MwdbKaCTWxcmW+/ydx3meqY8oUPX0qqn/X0jZk5DluHUCfD9ehE2V6xFbHYFtVzdhd10CDt84gIxbqbLdXfcOfd8ox3kez2c90yXijOkysVA1+exCxOFj1o3+yivNAxsrw7GlJhoHG/fg2K20fhwl8mMEpVX6jIONSTR/g9RjfctQ8/umBhGrmn66EPlvHTba/rD6hJ9c0b6GHQOIFTLtt0Y++De3rMf6bMc+2qZLt1DsUSl+XHjlTB6cH4DNNVGqUQ0asRFHJZRx5ffjY7xFbIftSSfmiUSV6knhPeews8esNJBUMayQGL8N7Bud0MaNUJxguxZvmrfp3MQaldIoRM7ZnsV7xmE7eutIv7ICozGtPzQZIxUJF+Kw9i9BiDwZJr9lkD22y/YpCnUm44WNSq0IkYdw1nLiGPfcSKSQaWFORcbND/Ah4U9NhwnvI53aD28epu9HcKTqEGqbq9HZ04nb33+Jon+dlTp7yS7bZx7dbJFCtMMUdhJyIJ+PDme7ElotnMqKNSfSiSS1KUUevT/eSMahxn2U9XuRQu371D9Qk4Sm5ut4ROR9fX1g+ebBP/sXw6eDeXRzxR2itdPI53Dx4PN7gI6QsmrjalmZV5badIhI3sPB60nY37ATSfV/wLtUDzQk1SUi53o2EfdKYk3+/cM3/Q7wUWYe4oOJk0jQHIjnCqbsvUKobIHiAIf2yBcptMq9tD07satuOxKvbcXvrsYivmYj4mpisJXaTXkb0Nn9UKU1Su6d7H5b3DIP85n8UlQQ/Uh2IIvLKFcyjdy48g+I/KAsLrxiJo6v2YTYqkhEf7YOkRWhiCCElwbjVstNldIo5ffLpD7bUeymIZ54mE/3K/E1OeDCDtRzLd9Z+3s5gScyOTuRRmHnlSfVJ+Kdz+OwpXoDoirD8Fb5mwgpW4U1ZSsRcjEAuV9mq5RGae9qJ70dMj84bxS7aZKH+agwtZEDBnaglS8Uv0veklBzgkPPe74uNxg+xwxYkbkUYVeCEHJ5FX5Tugy+lwzwK/ZGZPZb6OntUWmNwkSJ1+LltrGddIpCGjnCPMxH90QXORDODvTyrWZ5fAS8i+fKhOIIsDNRmeFobKlHa0cLapor8PaFMASU+sCnZCEWX5gHv/xF+PbhtyqlIt293XJbOFKcI5wzB67vkdvnXUx3A/EwH/H2kQOJ/RGwPWEOi+PP49X8yVh7eTWSG3bJc/yotwt9tMIWIrr34C78znjD/9IiePz1dZz6e5ZKa5QEIgqgCPE2ca6wE+z0tNMTpX3mUSPQTQ4k9+eAS954OUHDjHwn1LZcVc1CnuuWh9/hq//+A4bjHog5G4E++hsohVR0PIvc5PYsv/hrLCh0xZQ8h8fsMo+aA+1aBOQpcC+Y8dhExqrSpbjTfls1rzhx/8E9FNw8h47uDvWrIs0d9yWZU44dXjllBausF56wx2AeeQrcxF0tB2Qd8C/1HlLBQHnR1tWm0gC99Pd9p7GviXvBzCH1B4N5ZB2YKm6QA/IUyEoYcSUYDicth1RaUOSK1ketKpUqFA1tC5Ibdw+pNxhsn3m4Eg4bJ0rIARcCVUN6w3GN9rzgNqQiY17h6/iu8/GMZ/niP40Ym6kfUmcw2L68C9xFM9EeJoxUHFBvw7CyQEzOsXlC0TJTgfv5mXTLGfeeIzDrrDOsM0fQOMM4d7ANtsv2mcdkkrhGtL6SnIUc0PMDku9r/1JDv5Ilg4yNIeNjskZg7Am9fJQ2tNRKbK/dDLucl2Bz6kWMO6mX42NpHs9lnYHOsF35HnAT98RwcYxoldtQE3698gOSXy5exe6KAyqxFRm2ztbDLtcM9nmj8MqZUXA8ZwHn8xaYTO0E6r+cO1KOW2ebyfnsjHSEYCiZi8Bsf1gEjuoYZivKiG4xwfge0IRfr/x2C8pbQUpzpANsyPqkGcbnvACHfHM4Een0ImvMLrHDaxdfxqyScdS3wuTzozEhfzTsaZ4tYRzpsDNLLs6Xb8IJMbY9dAU3EM0WgrkkHEr49cpOsMer/rYYU07bU4jNyPiLcC74BV4ttobbp/aYf8UJnlec4XF5IlypP42+u5Bzk86NxPjTL2HWeUcEl/tjbW4gJsXa99CxayLz7xEcJNFPiW6+SLQMHt22KH0BIstD4fepATMKJ8Kl0IJWbIO5ZZPgVTkF3pXT4FUxRfZnX7LD1KIxcC1xRlC5L+Lo5gz483LYhVt16KbLlTO5oyR4FtG9IdboPEXd1O2OCMpcgW2fxyC6JgyhVXQbfrYEvpUe8K6YLtvAKh+EVa9G7LUI7Kzbhoi8tXhj/2sYvlTcM3GWe85hf/rKB4uJg7AxdRMppl7ijsu2iVia7oWYc+uxr2oHMugh+sntDNnur34Xmws3YOVHyzBr11QMXymaTV3pqOlltnPC/fieP4NwttrpZogEesVUPLdcfP18sGjTvy26zGJEnz5KdI8IFe3P+Yu7pvPEDRMXWeG4yPA556P2ZLb/DOHKxeXTQAgn8H86yWrLff7O40qFe6oI8T/DdqaB4Tse/QAAAABJRU5ErkJggg==";

 

It should look like this (the icon strings are longer than this screenshot can show):

We’ve declared a variable representing how often a scheduled check of the Management Points should happen (in minutes) as nudtimerMinutes, we defined a Collection that is used to store the results of a scan for Management Points, and two strings that contain Base64 encoded representations of an Icon for Health and Unhealthy.

We’ll add in a Class called ManagementPoint, and we’ll define some internal properties that we can change such as Name, Port, State and SiteCode.

• Add the following code below the code variables you created previously:

public class ManagementPoint // ManagementPoint Class
{
    private string _Name;
    private int _Port;
    private string _State;
    private string _SiteCode;

    public string Name
    {
        get { return _Name; }
        set { _Name = value; }
    }

    public int Port
    {
        get { return _Port; }
        set { _Port = value; }
    }

    public string State
    {
        get { return _State; }
        set { _State = value; }
    }

    public string SiteCode
    {
        get { return _SiteCode; }
        set { _SiteCode = value; }
    }
}

It should look like this:

Now we’ve defined the ManagementPoint Class, let’s define a ManagementPoint Collection Class used as a container for multiple ManagementPoint Classes. This is a really neat way of storing a bunch of ManagementPoint objects and allows us to pass them around the project when needed.

• Add the following code below the ManagementPoint class that you created previously:

public class ManagementPointCollection : System.Collections.CollectionBase // ManagementPoint Collection Class
{
    public void Add(ManagementPoint amanagementPoint)
    {
        List.Add(amanagementPoint);
    }

    public void Remove(int index)
    {
        if (index > Count - 1 || index < 0)
        {

        }
        else
        {
            List.RemoveAt(index);
        }
    }

    public ManagementPoint Item(int Index)
    {
        return (ManagementPoint)List[Index];
    }
}

It should look like this:

This allows us to store MP classes in a Collection, pass them around and handle the Collection using a foreach statement. You’ll also notice that the Collection has three methods called Add, Remove and one called Item to return an object from the Collection based on its Index, this is how we handle the Collection when we put it to use.

Now that is in place, let’s create the basics just to get the thread started, and include the ability to stop it.

• Add a BackgroundWorker thread that will scan the Management Points

• Drag a BackgroundWorker onto the form
• Set the Name to dompCheck
• Set WorkerReportsProgress to True
• Set WorkerSupportsCancellation to True

• Add a BackgroundWorker thread that will schedule a scan if it is enabled

• Drag a BackgroundWorker onto the form
• Set the Name to doScheduling
• Set WorkerReportsProgress to True
• Set WorkerSupportsCancellation to True

• Select the dompCheck BackgroundWorker, you’ll find it has appeared here:

• Now select the Events tab on the Properties pane:

• The three events that the BackgroundWorker thread supports are shown here:

• DoWork handles the actual workload the thread is supposed to carry out
• ProgressChanged can be invoked by us, and it is executed on the UI thread so we get access to the forms controls
• RunWorkerCompleted is called when we exit the thread, it also executes on the UI thread and provides access to the forms controls

• Double click DoWork
• This will take you to the Code view, and will create a new method for DoWork
• Go back to the Form view and repeat this for ProgressChanged and RunWorkerCompleted. This is a very handy way to create the event methods

• Now go find the doScheduling BackgroundWorker using the form view, and repeat  the same way that you did with dompCheck and create the three event classes

All three events are now mapped to individual methods for both BackgroundWorker threads, all we need to do now is invoke the threads in our code when we want them.

Let’s create a basic method that I’m using to start the BackgroundWorker thread dompCheck.

• Add the following code below the ManagementPointCollection class that you created previously:

private void beginCheck()
{
    globalmpList = getmpList(); // Get the list of Management Points for this Site server

    if (!mpcheckRunning)
    {
        try
        {
            mpcheckStop = false;

            if (dompCheck.IsBusy != true)
            {
                dompCheck.RunWorkerAsync();
            }
        }
        catch (Exception ee)
        {

        }
    }
}

It should look like this:

Note: You may get warned that getmpList method doesn’t exist, we’re going to create it soon, and until we’ve laid out all the code the project won’t compile properly.

The beginCheck method is doing the following:

• Gets a list of Management Points from the target device
• Checks if the dompCheck thread is already running
• Resets mpcheckStop and mpcheckRunning triggers
• Starts the dompCheck BackgroundWorker thread

Since the thread we’re going to use to check the Management Points is configured, we can move onto coding the underlying methods that represent the events.

Key activities that we want to achieve for the Management Point checking thread are:

• Connect to WMI Namespace on a destination device
• Get the Name and Site Code of the first SMS Provider found
• Connect to the SMS Provider
• Retrieve a list of Management Points, their Site Code and their security type (HTTP\HTTPS)
• Test each Management Point and determine its health state
• Show the result in the DataGridView

So let’s begin designing some structure around that, while keeping an eye on modularity, dispersing tasks to different methods so that we can invoke them multiple times if needed. I prefer spinning things out into methods that I can invoke, it makes for more readable code and reduces having to multiply code in logic blocks, just call the method in multiple places instead.

We’ll create a new method now called checkMP, this will contain the HTTP code to test a Management Point, and is modularised so that we can invoke it from another method for each Management Point discovered.

• Add the following code below the beginCheck method that you created previously:

public string checkMP(string mpName, int mpPort)
{
    String httpresponseText = String.Empty;

    try
    {
        string connString = "HTTP://" + mpName + ":" + mpPort + "/sms_mp/.sms_aut?mplist";

        if (!mpcheckStop)
        {
            HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create(connString);

            request.Timeout = 5 * 1000; // 2 Second time out

            request.Method = "GET";

            using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
            {
                Stream dataStream = response.GetResponseStream();
                StreamReader reader = new StreamReader(dataStream);
                httpresponseText = reader.ReadToEnd();
                reader.Close();
                dataStream.Close();
            }
        }
    }
    catch (Exception e)
    {
        return e.Message; // An error, return the lot!
    }

    if (httpresponseText.Contains("<MPList>"))
    {
        return "Healthy"; // Healthy
    }

    if (httpresponseText.Contains("The operation has timed out"))
    {
        return "Timed out"; // Timed out
    }

    return httpresponseText; // Most likely an error, return the lot!
}

It should look like this:

• This method is doing the following:

• Checks if the threads stop trigger is set and jumps out if it is
• Creates a HttpWebRequest object
• Forms up the URL to be used
• Sets the timeout to 5 seconds (5 * 1000 milliseconds)
• Handles the response, healthy, time out, or an error
• Notice that we break HTTPS checks because we hardcode HTTP to the front of the URL that we form up. If we wanted it to work with HTTPS Management Points we’d need to handle a few extra things anyway, this is definitely something someone else could do what with the source code for this project being publically available for modification.

Next up is the method handling the WMI communications. We’ll use it to get a list of Management Points from WMI on the Site server, and pass them back to whoever called the method as a ManagementPoint Collection class, so that we can loop through the Collection calling checkMP each time.

There are at least two ways of handling WMI queries for ConfigMgr, use the Microsoft Configuration Manager Class DLL’s, which you embed into your project, they contain a bunch of code for handling connection and querying of the SMS Provider, or use a .Net WMI ManagementScope class to connect to WMI on a Site server, and query for the SMS Provider so that we can obtain its server name along with the Site code to begin querying it.

• To use the ManagementScope class we need to add System.Management  in the Projects references

• Enter system.management or scroll through the list to find it, and Tick it so that its added to the project

Next we’ll create a method that we’ll use to update the StatusStrip, which will be used to report back errors during operation.

• Add the following code below the checkMP method that you created previously:

private void logMessage(string theMessage)
{
    ssl_Entry.Text = theMessage;
    ss_Messaging.Refresh();
}

It should look like this:

Note that we must never call this from a BackgroundWorker thread or we’ll create a wormhole (it’ll barf).

Next up is a method that converts a Base64 encoded string into a Bitmap image, quite handy for storing a Bitmap inside the project and not depending on an external file for it. We could add it to the project as a Reference but I prefer to encode and store them away like this.

• Add the following code below the logMessage method that you created previously:

private Bitmap loadimagefromString(string Image)
{
    try
    {
        byte[] imageBytes = Convert.FromBase64String(Image);

        MemoryStream ms = new MemoryStream(imageBytes);

        Bitmap streamImage = (Bitmap)Bitmap.FromStream(ms, true);

        return streamImage;
    }
    catch (Exception ee)
    {

    }

    return null;
}

It should look like this:

And now we create the getmpList method.

• Add the following code below the loadimagefromString method that you created previously:

private ManagementPointCollection getmpList()
{
    ManagementPointCollection mpCollection = new ManagementPointCollection();

    ManagementScope scope = new ManagementScope(@"\\" + tb_Server.Text + @"\root\SMS");

    SelectQuery query = new SelectQuery("select * from SMS_ProviderLocation");           

    try
    {
        string smsproviderserverName = String.Empty;
        string smsprovidersiteCode = String.Empty;

        using (ManagementObjectSearcher searcher = new ManagementObjectSearcher(scope, query))
        {
            try
            {
                ManagementObjectCollection smsProviders = searcher.Get();

                foreach (ManagementObject smsProvider in smsProviders)
                {
                    smsproviderserverName = smsProvider["Machine"].ToString();
                    smsprovidersiteCode = smsProvider["SiteCode"].ToString();

                    break; // Get only the first SMS Provider listed, we could do better here
                }
            }
            catch (Exception e)
            {
                logMessage("Error connecting to Site server - " + e.Message);
            }
        }

        if (smsproviderserverName != String.Empty) // Do not proceed if we haven't got a server
        {
            scope = new ManagementScope(@"\\" + smsproviderserverName + @"\root\SMS\Site_" + smsprovidersiteCode);

            query = new SelectQuery("select * from SMS_SCI_SysResUse where RoleName like " + (char)34 + "%" + "SMS Management Point" + "%" + (char)34);

            using (ManagementObjectSearcher searcher2 = new ManagementObjectSearcher(scope, query))
            {
                try
                {
                    ManagementObjectCollection mpList = searcher2.Get();

                    foreach (ManagementObject mp in mpList)
                    {
                        ManagementBaseObject[] properties = null; // Handle the SMS_EmbeddedProperty array

                        properties = (ManagementBaseObject[])mp["Props"];

                        bool isHTTPS = false;

                        foreach (ManagementBaseObject property in properties)
                        {
                            if (property["PropertyName"].ToString() == "SslState")
                            {
                                isHTTPS = Convert.ToBoolean(property["Value"]);

                                break;
                            }
                        }

                        smsproviderserverName = mp["NetworkOSPath"].ToString().Remove(0, 2).ToLower();

                        ManagementPoint addMP = new ManagementPoint();

                        addMP.Name = smsproviderserverName;

                        if (isHTTPS) addMP.Port = 443; else addMP.Port = 80; // Set Port 443 for HTTPS if the MP is configured for SSL, or Port 80 for HTTP

                        addMP.SiteCode = mp["SiteCode"].ToString();
                        addMP.State = String.Empty;

                        mpCollection.Add(addMP); // Add our MP to the MP Collection
                    }
                }
                catch (Exception e)
                {
                    logMessage("Error handling WMI - " + e.Message);
                }                       
            }
        }
        else
        {
            logMessage("Could not find an SMS Provider");
        }
    }
    catch (ManagementException e)
    {
        logMessage("Fatal error - " + e.Message);
    }

    return mpCollection;
}

It should look like this:

Essentially all our WMI interrogation code is in there, we return back a ManagementPoint Collection containing all the Management Points that were discovered. Note that we store the resulting health state from checkMP back into the ManagementPoint object before the collection is returned to the calling method.

We’ll now create a method called checkMPS, from which we’ll iterate through our globalmpList ManagementPoint Collection, and run checkMP for each time.

• Add the following code below the getmpList method that you created previously:

public void checkMPS()
        {           
            foreach(ManagementPoint mp in globalmpList)
            {
                string returnedState = checkMP(mp.Name, mp.Port);

                mp.State = returnedState; // We have the result, store it back into this ManagementPoint class instance

                if (mpcheckStop) break;
            }           
        }

It should look like this:

Next up are the event classes for dompCheck and doScheduling.

• Add the following code to the dompCheck_DoWork method:

mpcheckRunning = true; // Notify that we are running

            BackgroundWorker worker = sender as BackgroundWorker;

            if ((worker.CancellationPending == true))
            {
                e.Cancel = true;
            }

            if (!mpcheckStop)
            {
                checkMPS();
            }

It should look like this:

In this method we notify that the thread is running, check if it needs to be stopped, then kick off the checkMPS method which results in the globalmpList being updated for us.

There is no need to modify the dompCheck_ProgressChanged method as we’re not sending status or state back to the foreground thread from dompCheck.

• Add the following code to the dompCheck_RunWorkerCompleted method:

dgv_Mp.Rows.Clear(); // Clear the dgv_Mp rows

            Bitmap stateIcon = loadimagefromString(unhealthyIcon); // Default to unhealthy state icon

            foreach (ManagementPoint MP in globalmpList) // Iterate our global MP list
            {
                if (MP.State.ToLower().Contains("healthy"))
                {
                    stateIcon = loadimagefromString(healthyIcon); // Change to healthy state icon
                }

                dgv_Mp.Rows.Add(MP.Name, MP.SiteCode, stateIcon, MP.State); // Add the MP to dgv_Mp
            }

            mpcheckRunning = false; // Notify that we are finished
            mpcheckStop = false; // If we were forced, reset the trigger
            b_Go.Text = "Check Management Point"; // Change the b_Go Button text back

It should look like this:

I’ve commented the above code well enough to explain what is happening, but a recap is that we’re clearing the dgv_Mp DataGridView and populating it with the information stored in the ManagementPoint objects hanging out in the globalmpList.

I can see we’re real close to wrapping up here, so let’s crack on.

• Add the following code to doScheduling_DoWork method:

BackgroundWorker worker = sender as BackgroundWorker;

            if ((worker.CancellationPending == true))
            {
                e.Cancel = true;
            }

            DateTime nextCycle = DateTime.UtcNow;

            nextCycle = nextCycle.AddMinutes(nudtimerMinutes);

            while (1 == 1) // Enter an eternal loop!
            {
                if (timerStop) break; // Quick! Come this way to get out of the loop!

                Thread.Sleep(1000); // Sleep for one second

                int compareResult = DateTime.Compare(nextCycle, DateTime.UtcNow);

                if (compareResult < 0) // Time to trigger a Management Point check
                {
                    worker.ReportProgress(0, ""); // We just want to fire the ProgressChanged event, we do not have anything to pass to it

                    DateTime newCycle = DateTime.UtcNow; // Get current Date and Time

                    newCycle = newCycle.AddMinutes(nudtimerMinutes); // Add nudtimerMinutes to newCycle

                    nextCycle = newCycle; // Set nextCycle so that we can fire again
                }
            }

It should look like this:

What we’re doing above is creating a infinite loop, and from within it we are sleeping for a second, and checking if we’re supposed to invoke a Management Point check. We use DateTime and juggle things around a bit, and could have slept for the entire period, but I wanted the thread to be responsive to requests to stop. We actually get the dompCheck thread started by using the BackgroundWorker ReportProgress event, telling the thread that we want to report some progress back, and from the  ProgressChanged method we invoke the beginCheck method.

• Add the following to the doScheduling_ProgressChanged method:

if (!mpcheckRunning)
{
    beginCheck(); // Start the Management Point health state check thread
}

It should look like this:

As you can see, we check to see if the dompCheck thread is running, if it isn’t we call beginCheck which will start it for us.

• Add the following to the doScheduling_RunWorkerCompleted method:

timerStop = false; // Reset the threads stop trigger
timerRunning = false; // Declare the thread finished

It should look like this:

Now return to the Form view, and double click the cb_Timer Checkbox control. It’ll return you to Code view and create the cb_Timer_CheckedChanged method for you:

• Add the following to the cb_Timer_CheckedChanged method:

if (cb_Timer.Checked) // User has enabled the scheduler
{
    if (!timerRunning)
    {
        timerStop = false; // Reset the threads stop trigger

        if (doScheduling.IsBusy != true) // Start the scheduling thread              
        {
            doScheduling.RunWorkerAsync();
        }
    }
}
else // User has disabled the scheduler
{
    timerStop = true; // Stop the scheduling thread
}

It should look like this:

From this method we kick off the doScheduling BackgroundWorker thread or stop it depending on if you tick\untick the Checkbox.

Return back to the form view, double click the nud_timerMinutes control.

• Add the following to nud_timerMinutes_ValueChanged method:

try
            {
                nudtimerMinutes = Convert.ToInt16(nud_timerMinutes.Value); // Keep the global nudtimerMinutes variable up to date
            }
            catch (Exception ee)
            {

            }

It should look like this:

When the user makes a change to the value for the nud_timerMinutes control, we’ll change the global nudtimerMinutes variable to reflect the change, keeping them in sync.

Here comes our last block of code, return to Form view and double click the b_Go control.

• Add the following code to the b_Go method:

if (!mpcheckRunning)
{
    b_Go.Text = "Stop";

    beginCheck(); // Start the thread
}
else // Stop the thread
{
    mpcheckStop = true;
}

It should look like this:

That’s it. Now press Ctrl+Alt+B to compile the code. If you fitted this together properly you'll get success. On receiving Success, press F5 to run the application, test it out.

Once you point it at a Site server It should look like this:

Well, that was an epic guide!

Not only did we cover a stack of techniques that you can reuse for most of your projects, but we ended up with a tool that’s available on the TechNet Gallery here.

This wraps up this guide, sorry for the lengthy gap between posts, I think this one stretched across a whole year! At least we got there, and as you can see this last post took a lot of time to put together, and is why I was lagging behind doing it hehe. I’ll put together another development related guide soon, focusing more on using the ConfigMgr SDK, suggestions for guides always welcome.

I hope you’ve got something useful from this guide, at worst a working development environment, and a full blown C# project to act as an example for you to plunder as you build out your own projects.

Enjoy.

Robert Marshall – Enterprise Mobility MVP – Director and Principle consultant of SMSMarshall Ltd

Put simply, literally just a handful of customers will be opting to install System Center Configuration Manager Long-Term Service Branch.

For 99% of the rest of us, Current Branch is the install base that should be chosen. It’s where the action is at.

A recent Enterprise Mobility blog post on TechNet Blogs, described the Current Branch (CB) and Long-Term Service Branch (LTSB) ‘servicing’ models:

If I was to have to distil a one-liner to describe LTSB it’d have to be “LTSB is for down-grading due to SA expiration, and for environments that need the current Windows 10 LTSB and ConfigMgr LTSB to remain static for a decade”.

Notable points about LTSB:

• There will be no updates at all for this servicing model
• 10 years of patch support
• No commitments from the Product Group to maintain this servicing model
• No Cloud technology at all, most fun bling has been stripped out
• Windows 10 LTSB as of now are supported, all future Windows 10 LTSB not supported
• Your Software Assurance agreement has expired, and you need to roll back to a version of System Center Configuration Manager that you do have support for, the previous option was to roll back to ConfigMgr 2012 R2, you can now roll back to ConfigMgr LTSB
• Obviously the product servicing model has been yanked out

David James the director of engineering for ConfigMgr recently tweeted showing what the choice should be:

And Kim Oppalfens sums it all up quite nicely here:

When it comes time to install ConfigMgr, practically almost all of you will be selecting Current Branch, the only time you’d choose LTSB is to monkey around with it for a look in the lab, unless you are one of those 1% (possibly even less!) of customers that truly need LTSB.

Finished up coding Version 2 of the Log Launcher in readiness for a weekend release. Weekends are not the best time to release tools I’ve found, but heck why sit on it a whole weekend waiting for Monday

I wrote this tool for the primary reason that I get tired of tapping in paths to get at logs in different locations, when I am on-site with a Customer I often have to navigate around logs looking things up, and I waste time trying to recall paths and punching them in.

Put simply LogLauncher retrieves logs from a variety of ConfigMgr-related locations and presents them in an easy to use interface, from which you can launch the logs using CMTrace (if you have it), or just sit there and watch the logs activity represented visually using a colour gradient.

The built-in log locations are all dynamically checked, so if you’ve installed to custom path locations, LogLauncher should still be able to find logs.

Now all you need to do is run this on the device you want to view logs for, or run it and connect remotely to a device.

Before I proceed with the shots and feature call-outs I’d like to thank the tool testers who helped find bugs and suggest ideas for Version 2 of LogLauncher, they are, in no particular order:

Zeng Yinghua (Sandy)

Mark Aldridge

Simon Dettling

Paul Winstanley

Due to these folks I was able to commit to a heavy re-write of the tool, which resulted in some funky ‘issues’ here and there. Thanks for all the back and forth over email as you tested it!

Ok onwards with the tool review.

The tool is located on the TechNet Gallery where I store all my tools:

Features:

• Automatically scans the local device when started up
• Selectable colour gradient applied to logs that have changed
• Show\Hide Archive logs (*.lo_)
• Open multiple logs in a single CMTrace
• Add your own custom log locations
• Connect to local or remote devices (Remote Admin and Remote Registry required for remote usage)
• Right-click Context menu available in Log list view for opening a single or selection of logs or log folders
• Detection of a variety of available logs:

• ConfigMgr Agent, Server or Site
• SQL Server
• IIS Server
• Windows Logs
• ConfigMgr vendors

• 1e
• Adaptiva
• 2Pint

• WSUS Server
• Any log location you care to add
• Preferences stored in HKEY_CURRENT_USER (Software\SMSMarshall\LogLauncher) and used on launch
• Launch LogLauncher with the name of a device, and it will automatically scan the device on start-up (LogLauncher.exe DeviceName)
  One of over 70 awesome sayings shown whenever a scan is performed, adding what could be a high note to the sessions log browsing!

This is what you’ll see when pointing the tool at a device running the ConfigMgr Agent with the ConfigMgr Console installed:

And here is a Site server, Current Branch Build 1610:

The built-in log locations not enough? Need to add more? Simple, add them as Custom Locations!

And here is the monitoring running with a custom colour gradient showing which logs were last modified:

I’ve also added a diagnostics page showing what went wrong, and what wasn’t found:

I’m absolutely sure the tool will be of use to you, as it was designed to join my tooling kit that I use when visiting customers for the particular purpose of reducing the amount of time it takes me to be looking at logs!

The soure code for the tool can be found here (C#, Visual Studio 2015 project) 

Enjoy – Robert Marshall – Enterprise Mobility MVP - @RobMVP

I needed a brief moment to think of a suitable way to describe the feature for this posts title, as its pre-release name is Prevent installation of an application if a specified program is running, not as catchy as its in-console name of Installer Handling, which I decided not to use as it isn’t descriptive enough, and may not be the final name for the feature, and decided upon Recognise Deployment-blocking executables,which is not much shorter if I admit.

To get this feature into ConfigMgr Current Branch, I’ve recommended that customers install the PowerShell Application Deployment Toolkit (PADT), which I will still continue to recommend, as it is feature-rich, but now we have a simple implementation of one of the features PADT has, and it is coming down the feature-pipe being previewed initially in the Technical Preview of ConfigMgr.

Nothing is guaranteed, it could for some bizarre reason not make it into the daylight, but I’d expect to see this by the next series of releases of Current Branch.

The idea for this feature came about due to a UserVoice entry, which got 1,525 votes (at the time of publishing).

It doesn’t take much to setup a repro of this feature, to see it in action, once you have Technical Preview 1612 installed, which Niall Brady EM MVP has covered in this guide here.

Simply setup a deployment of an Application, open the Applications Deployment Type and find the new Installer Handling tab:

Select Add, then enter the name of the Applications executable filename:

Once that’s done, pop the Deployment Types changes into the database by selecting OK

This will then make its way down to the Client via Policy, and the new ConfigMgr 1612 TP Client-code will utilise it when initiating a deployment, as shown here:

I’ve launched the LogLauncher.exe executable on the target system before the deployment is launched from the new Software Center:

Saddle up:

It begins downloading the content, completes and then begins deployment, which then immediately fails with this message:

OK’d the message, closed the executable and rerun, completed successfully:

I had a nose around the logs, I don’t think they are logging activity around this feature yet, but I can see state messages going up to the MP, which are probably the error result for the deployment, followed by the success once I’d closed the executable and retried the deployment.

Eventually we’ll see this arrive in Current Branch, a built-in mechanism for stopping a deployment from getting underway if the User already has the application open. Handy.

I setup Intune quite a lot for Intune Hybrid POC’s, and I thought I’d run off a simple guide for those that want to spin this stuff up in their own lab at home.

The goal of this guide is to get it running so you can tinker with the features available through Mobile Device Management (MDM), this isn’t a guide on how to get Intune and ConfigMgr setup for a production environment, and it falls short of covering what you can do with Intune with the supported platforms (Windows, IOS and Android).

Here are the key things you will need to do before you can proceed to enroll devices into your environment, and I’ll walk you through each action:

1. Choose to either setup a Public DNS , reuse an existing one that you own, or use the one Microsoft gives you when you sign up for an Intune Evaluation, see notes below *
2. Register for an Intune Evaluation or an EMS Evaluation or even both here and here, see notes below **
3. Configure Intune to recognise your Public DNS, if required
4. Configure your Active Directory to use an additional UPN, if required, see notes below ***
5. Configure your Active Directory test user(s) UPN, if required, see notes below ****
6. Synchronise your lab Active Directory with Azure Active Directory from your Intune Evaluation using ADConnect here
7. Provide the AD Users that you wish to allow to enroll devices, with an Intune license
8. Configure ConfigMgr with your Intune evaluation
9. Enroll devices, for this I’ll show an Android being enrolled, and if my wife let’s me, a recent iPhone!

Notes:

* You can either use your own Public DNS record that you can point a device at when enrolling, or use the one Microsoft provides when you sign up for an Intune Evaluation, there are alternatives to DNS such as enrolling using Azure, but this is limited to Windows 10 devices and not within the scope of all Mobile Devices

** Both the Intune and EMS evaluations give access to Intune, only one or the other is needed. You can register for both. Doing so will require registering the Intune evaluation first, and then while remaining logged in to Intune, and in the same browser session, visit the EMS link and go through the motions of associating your EMS evaluation with your Intune evaluation.

*** You’ll only need to do this if your Public DNS is not going to be the same as your lab’s Active Directory forest and domain, say you already have a Domain Controller and it doesn’t match with your Public DNS. If you are able to choose and create a Public DNS first, then you should go straight to using your Public DNS as your Active Directory name (example.com as an example)

**** You’ll only need to do this if your Public DNS differs from your Active Directory Forest and domain name

To be able to even get to the above stuff, you’re going to need the ground-work established, in the form of the following:

• A device with Hyper-V , and a good amount of memory available
  
• At least one Domain Controller

No need for more than one Domain Controller, unless you need different directory services to play with, such as testing trusts between domains, forests and things around their complex configurations.

If you are starting out then a simple test environment consisting of one domain controller, destined to be used to kick the tires on Mobile Device Management using Hybrid Intune with ConfigMgr, will do

• A Standalone Primary Site server running either Technical Preview if you want to check out the latest pre-release features, or Current Branch, with at least 6GB with SQL Memory usage throttled back to 4GB at a minimum.

There is a correlation between how much memory and how much patience an administrator has, the more memory available the less patience needed, there is another variable Disk IOPS ,but let’s not go there, just make sure you are not saturating your disk subsystems with too many Virtual Machines ,such that things run at a snails pace

Let’s assume you have a stable lab environment that meets the above requirements, a public DNS record, and get on with setting it all up.

For the guide, instead of using the Public DNS record Microsoft provides when running up an Intune Evaluation, I used SYSTEMCENTER.CO.UK as the Public DNS record hosted by GoDaddy, letting Microsoft configure the DNS entries automatically for me. nice touch. My Lab Active Directory is not called SYSTEMCENTER.CO.UK, therefore I had to configure UPN suffixes and set a User account’s UPN to make all this work.

Setup a new Public DNS, or reuse an existing one that you own

Later on, when you register for an Intune Evaluation, Microsoft will give you a personalised Domain name ending with .onmicrosoft.com, if you are going to use that then you’ll need to do the UPN sections below and can skip this section.

An example of the DNS scenarios are:

Mismatched DNS and AD names:

• Public DNS: Example.com or Example.onmicrosoft.com
• Active Directory: InternalLab.com

Matched DNS and AD names

• Public DNS: Example.com
• Active Directory: Example.com

If you’re going to use your own DNS, my best advice would be to do three things:

1. Have a read of this
   
2. Choose a DNS hosting Provider, Microsoft have a relationship with GoDaddy and Register.com, others will work ,you’ll just have to configure their DNS Zone entries manually
   
3. Choose a DNS name, if this is going to go beyond an evaluation, and you’re setting up inside a company, use an appropriate domain-name name, otherwise be creative

Once you have your DNS created, or already have one, its time to move on.

Register for an Intune Evaluation or an EMS Evaluation

To get Intune Hybrid with ConfigMgr working, you’re going to need an Intune Evaluation, or alternatively an Enterprise Mobility + Security (EMS) Evaluation.

The EMS evaluation contains an Intune license, as well as access to a bunch of EMS features, the Intune evaluation obviously gives you just that, and both can be signed up for and combined together.

You can either go just for the Intune Evaluation step below, or the EMS step, or do both.

Here we go.

Setup an Intune Evaluation

The Intune registration process is quite straightforward, I’ll cover the key highlights.

• You’ll be prompted for details about yourself, along with some basic contact details
  
• It’ll ask you to create a Username for the first user in your Intune (Evaluation) Tenant, you can call this whatever you want, it’ll become the Global Administrator, call it Administrator, Admin, your choice
  
• It’ll ask you to enter a company name to prefix before .onmicrosoft.com, this can anything you want that is available, it’ll tell you if your choice is not available, you could use your Public DNS as the prefix (Example.com, you’d enter Example so it becomes example.onmicrosoft.com), or something entirely random.

Once you’ve clicked Create my account you’ll be prompted to prove you are not a robot, by verifying a 6 digit code sent via SMS to your mobile, go through the motions until it tells you that you are done.

Click You’re ready to go and head to your inbox, within minutes you should see an on-boarding email with information about your trial.

Setup an EMS Evaluation

Setting up your EMS Evaluation is a cinch once you’ve got your Intune Evaluation up and running, simply remain logged into the Intune Portal and from the same web browser session, visit the EMS Evaluation page. You’ll be prompted to add the Enterprise Mobility + Security E5 package to your Intune Evaluation account.

Made so easy, just click Yes, add it to my account

If you’re opting to just use an EMS evaluation, then fill in the registration details and set yourself up an evaluation.

Done. 250 users for 3 months of EMS usage, not a bad run for an evaluation, considering what you get, the EMS suite of products including Intune.

You should see an email in your inbox  for this evaluation as well.

There isn’t any need to do anything further with Intune or EMS at this point in time.

Configure Intune to recognise your Public DNS

You can skip this step if you are using the <CompanyName>.onmicrosoft.com domain that Microsoft sets up when you register for an Intune Evaluation.

If you have your own Public DNS and you want to use that, then Intune will need to be told to verify and recognise the domain. Visit the Intune Portal at portal.office.com and select Setup \ Domains to get underway.

Clicking Add Domain will prompt you for details about your domain.

If Microsoft have a relationship with the DNS provider hosting your DNS record, they can automatically add the Zone file entries for you, such as the CNAME entries for device enrollment, as well as other records to support the EMS+Intune suite of products.

If Microsoft doesn’t have this relationship and you have to do it by hand, here is the documentation on what is needed to edit your Public DNS’s zone file.

If you needed too, once you’ve have the Domain verified by Intune, you’re ready to move on.

Configure your Active Directory to use an additional UPN if required

You can skip this step if your Public DNS is the same as your Active Directory Forest and Domain name. If that is the case, and your lab domain is example.com, and your Public DNS record is example.com, the same, skip over this section.

So you’re Public DNS record is either your own unique DNS which differs from your Active Directory Forest name, or the one Microsoft provided.

Either way, you will need to add these as additional UPN’s to your Active Directory, so that you can assign them as UPN’s to Active Directory User accounts that’ll be used to enroll with mobile devices.

Intune will then recognise the user when they attempt to enroll a device.

For this guide I built using the following:

Mismatched DNS and AD names:

• Public DNS: SystemCenter.co.uk
• Active Directory: InternalLab.com

The procedure is quite straight forward for this lab environment, visit your Domain Controller and open Active Directory Domains and Trusts, right click the Active Directory Domains and Trusts [ Servername ] entry and select Properties then add your UPN suffix:

You can see that I’ve already added an alternative UPN suffix for a Public DNS record that I own SystemCenter.co.uk.

Add yours.

Once you’ve added your Public DNS, or the <CompanyName>.onmicrosoft.com address Microsoft gave you, it’ll show up as an option when opening a User account in Active Directory Users and Computers.

Configure your Active Directory test user(s) UPN

Again, you’ll only need to handle the UPN stuff if your Public DNS is different from your Active Directory Forest and Domain name. If that is not the case, and your lab domain is example.com and your Public DNS record is example.com, the same, then skip over this section.

For testing I suggest creating a new Active Directory User account specifically for enrollment, you can use an existing account if you wish.

For this test user which will be used for device enrollment, under the Account tab of the User accounts properties, you can see I’ve changed the UPN to the UPN suffix that I added using Active Directory Domains and Trusts. If you were using <CompanyName>.onmicrosoft.com as your public DNS, the one Microsoft provides for free, you’d see it here and be able to choose it.

In Intune Hybrid mode with ConfigMgr, the principle reason why you want the AD Users UPN suffixes to contain your Public DNS, or the <CompanyName>.onmicrosoft.com Microsoft provided DNS, is so that their account is synchronised to Azure AD, and recognised by Intune during enrollment due to the DNS being verified (added) by Intune.

Intune won’t recognised your AD Users UPN if it isn’t the verified Public DNS, or the DNS record that Microsoft provides, and since I expect no one will build a lab to match the Microsoft provided DNS, most likely they have a mismatch than a match between the AD name and the DNS name, it means the AD User has to have the Public DNS or the Microsoft provided DNS as an UPN entry, so that they can be recognised by Intune during enrollment.

Synchronise your lab Active Directory with Azure Active Directory using ADConnect

Now we need to synchronise the on-premise (your lab) Active Directory (AD) with the Azure Active Directory (AAD), so that AAD knows about your users accounts, and their UPN if it was touched.

This isn’t that difficult to setup in a lab environment, simply download ADConnect from here and install it onto your lab Domain Controller, and provide it with your Intune Global Administrator account details, while entering or providing the information it needs to synchronise the Active Directory objects to Azure. I’d let it replicate everything rather than restricting it, at least for setting up this lab.

Microsoft Docs have a good walk through on how to setup ADConnect here.

Provide the AD Users that you wish to allow to enroll devices, with an Intune license

Once you see the Users appearing in the Intune Portal (intune.office.com), you will be able to see if you’ve done all of this properly.

Go to Users > Active Users, and you should see the Users from your labs AD listed.

Click on the user account you want to use for enrollment of a device, note that it should be the one you will add to your ConfigMgr user-based collection for Intune Users later on in this guide when you integrate ConfigMgr with Intune.

Once the User is shown in the Intune Portal, select Edit under Product Licenses.

Now assign the EMS licence, the Intune licence, or both, to the Azure Active Directory User.

Configure ConfigMgr with your Intune evaluation

This is it, once ConfigMgr is made the MDM Authority for Intune, you could technically perform device enrolment's.

I’m using Technical Preview currently at 1702, and the procedure for setting up ConfigMgr to become the MDM Authority for your new Intune Evaluation isn’t that complicated at all.

Visit your Current Branch or Technical Preview Site server, make sure you have the Service Connection Point already setup as part of the Servicing feature of ConfigMgr, you probably let it install during setup. The Service Connection Point in Online mode is a mandatory requirement.

Add a Microsoft Intune Subscription from Administration \ Cloud Services \ Microsoft Intune Subscription node in the ConfigMgr Console.

The process is straight forward, it’ll ask you for your Intune Global Administrator Username and Password, the user-based collection you want to use that gives permissions to users so that they can perform an enrollment of their device, and some branding information.

After the wizard finishes you then turn on the platforms you wish to support, Windows, IOS or Android.

The procedure for adding Intune to ConfigMgr is well documented, and as long as you have an Intune Evaluation, and the collection already created, passing through the wizard should be a breeze.

If you have issues with unexpected errors when trying to login during integration of ConfigMgr with Intune, have a look at turning off IE’s compatibility mode, as well as setting IE to allow scripts to run.

Once you’ve completed this task, you can visit the Intune Portal at manage.microsoft.com to see that the MDM Authority has been set for ConfigMgr.

You will also want to enable and run an Active Directory User Discovery on the Site server, so that ConfigMgr knows about your AD Users, once done you can then add your device enrollment account(s) to the Collection referenced when you added the Intune subscription to ConfigMgr.

The platform is now ready for device enrollment.

Enroll devices,

Now since we have three platforms to perform enrollment on, I’m going to stop here and leave it for future guides.

I enrolled a Samsung Galaxy S7 Edge with ease using Technical Preview Build 1702, and there is much more to cover, for now you should have Intune and ConfigMgr talking together nicely, your AD synchronising to your Azure AD, and your DNS all sorted out.

From here you can setup the platform details for IOS, attempt to configure settings for mobiles, diving into a technically rich area of activity right now, mobile device management.

Join WMUG for a day of Windows 10 and Azure Cloud

Friday the 21st of April 2017

This event will be held at a different location than normal, at the Hotel Xenia

Hotel Xenia

160 Cromwell Road

London SW5 0TL, UK

Sponsored by the Mac Management specialists Parallels

Featuring three (3) Microsoft MVP's, Robert Marshall (EM) and Gerry Hampson (EM) and Sam Erskine (CDM), alongside the most excellent WMUG team, guest speakers and our event sponsor, Parallels

The agenda will be as follows:

The event is completely FREE to you including refreshments and lunch, courtesy of our sponsor for the 

Please note that registrants Name and Email address will be provided to the Sponsor, please do let us know if this is an issue for you. We view providing your details as a small token of gratitude towards the Sponsor, which enables the event to be free.

To register click the REGISTER button on this page and proceed to enter your details. We thrive on attendance, so only register if you can make it!

Couple weeks back I mentioned that Client Registration is broken for Management Point Replicas.

I escalated it up to the product group and the great news is that it looks likely to be fixed at the next current branch hotfix rollup for 1702, no promises there, but they are aware of it  which is good.

I also asked for a problem\solution post on TechNet or wherever it should be hosted, so that customers who have this issue can work around it quickly, however, said work if done may be beaten by the hotfix release, so the only obvious option is to wait for the hotfix to arrive.

If you didn’t know you had this issue and cannot wait for a hotfix rollup, say you need to patch new Servers using SCCM, then the good news is that you can either raise a ticket with Premier, or take a look at REPLICATEDOBJECTS on your Primary Site server, note that spGetLockState and DeploymentMutex are probably missing, insert them into that table like a boss, and then redo the publication setup and subscriptions to get things working again.

UPDATE: Update Roll-up (UR) for Current Branch 1702 has been released which fixes this issue

A complete dump of the REPLICATEDOBJECTS table used to replicate the SQL objects to a Management Point Replica when the Publication is created:

ActiveDirectoryForests MP
ActiveDirectoryForestTrusts MP
ActiveDirectoryObjectInfo MP
AppOfflineLicense MP
AutoClientUpgradeConfigs MP
AutoClientUpgradeSettings MP
BGB_Server MP
BoundaryEx MP
BoundaryGroup MP
BoundaryGroupMembers MP
BoundaryGroupRelationships MP
BoundaryGroupSiteSystem MP
CEP_CollectionPolicies MP
CEP_ServiceWindows MP
CI_ApplicationModelInfo MP
CI_AssignmentTargetedCIs MP
CI_AssignmentTargetedGroups MP
CI_CategoryInstances MP
CI_Certificates MP
CI_CIAssignments MP
CI_CICategories MP
CI_CICategories_All MP
CI_CIDocuments MP
CI_CIEULA MP
CI_CIRelationTypeMapping MP
CI_CIStatus MP
CI_ConfigurationItemContents MP
CI_ConfigurationItemRelations MP
CI_ConfigurationItemRelations_Flat MP
CI_ConfigurationItems MP
CI_ConfigurationItemsOptionalRelations MP
CI_ContentFiles MP
CI_ContentPackages MP
CI_Contents MP
CI_DocumentStore MP
CI_LocalizedProperties MP
CI_Models MP
CI_Types MP
CI_UpdateCIs MP
CI_UpdateInfo MP
CI_UpdateSources MP
ClientAgent MP
ClientAgentProperty MP
ClientAgentProperty_Value MP
ClientBaseline MP
ClientDeploymentSettings MP
ClientKeyData MP
ClientKeyDataCertExtend MP
ClientPfxCertificates MP
ClientPilotingConfigs MP
ClientSettings MP
ClientSettingsAssignments MP
ClientSettingsAssignments_L MP
CM_Certificates MP
CM_UpdatePackages MP
Collections MP
Collections_G MP
Collections_L MP
CommonMACAddresses MP
CommonSMBIOS_GUIDs MP
ContentDPMap MP
CrpRequests MP
DeploymentMutex MP
DepPolicyAssignment MP
DeviceDiscoveryTranslation MP
DeviceMPSettings MP
DistributionPoints MP
DMP_FetchAPNSCertPolicies MP
DMP_FetchAPNSCSRPolicies MP
DMP_FetchAppModelPolicies MP
DMP_FetchAuthenticationPolicy MP
DMP_FetchBrandingInfoPolicies MP
DMP_FetchClientAgentPolicies MP
DMP_FetchDCMPolicies MP
DMP_FetchDepTokenPolicy MP
DMP_FetchEnrollmentPolicy MP
DMP_FetchInventoryPolicies MP
DMP_FetchMaintenanceWindowPolicies MP
DMP_FetchMEPPolicies MP
DMP_FetchPolicyData MP
DMP_FetchWP8AppMgmtPolicy MP
DMP_GetAppOfflineLicense MP
DMP_GetDeviceActions MP
DMP_GetDeviceManagementState MP
DMP_GetDeviceSMSID MP
DMP_GetDiscoveryTranslations MP
DMP_GetMachinePolicies MP
DMP_GetMDMCICertificates MP
DMP_GetMDMCrpRequests MP
DMP_GetMDMNdesList MP
DMP_GetPackageVersion MP
DMP_GetPolicies MP
DMP_GetPolicyAssignments MP
DMP_GetPolicyUserInfo MP
DMP_GetProviderCert MP
DMP_GetSettings MP
DMP_GetSoftwareDistBody MP
DMP_GetSoftwareDistIDs MP
DPInfo MP
Drs_Signals MP
EasySetupSettings MP
EN_ClientCertificateRecords MP
EULA_Content MP
EULA_LocalizedContent MP
Feature_EC MP
Flat_Group_User_Relationship MP
fn_GetBuildNumber MP
fn_IsPassportForWorkCI MP
fn_IsTermsAndConditionsCI MP
fn_ListCIs MP
fn_ListDeploymentTypeCIs MP
Fn_localefallback MP
Fn_LocalizedCIProperties MP
fn_MIG_ClientKeyData MP
fn_SMSDefaultZero MP
fn_SplitString MP
fnConvertBinaryToBase64String MP
fnConvertBinaryToHexString MP
fnConvertLocalToUTC MP
fnConvertXmlToIndentedString MP
fnCurrentSiteVersion MP
fnCurrentSiteVersion_INT MP
fnCurrentSiteVersion_INT_TABLE MP
fnDMGetAccountID MP
fnDMGetDeviceIDBySMSID MP
fnDMGetUserIDByObjectGuid MP
fnDMGetUserIDByUniqueName MP
fnGetCertSubjectAltName MP
fnGetCertSubjectName MP
fnGetNumericIPAddress MP
fnGetParentSiteCode MP
fnGetSiteCode MP
fnGetSiteNumber MP
fnGetSiteNumberBySiteCode MP
fnGetSiteSystemName MP
fnIsOfficeContent MP
fnIsSecondary MP
fnIsSiteServerUpgradeAction MP
fnMDMCalculateHash MP
fnMP_GetBoundaryGroupsXML MP
fnSplitString MP
GetAppPackage MP
GetMPLocationForIPAddressAndADSite MP
GetMPLocationForIPSubnet MP
ImportedMachineIdentity MP
IntuneAccountInfo MP
IntuneServiceLocations MP
InventoryAction MP
InventoryClass MP
InventoryClassProperty MP
LANG_Installed MP
LANG_Installed_L MP
LastPXEAdvertisement MP
MachineIdGroupXRef MP
MDMAppPolicyMapping MP
MDMCertificates MP
MDMCIRelations MP
MDMClientIdentity MP
MDMCrpCertificates MP
MDMDeviceActionResults MP
MDMDeviceActions MP
MDMDeviceManagementStates MP
MDMNdesList MP
MDMPolicy MP
MDMPolicyAssignment MP
MDMUserApplicationState MP
MDMUserApplicationTargetingHistory MP
MDMUserPolicyAssignment MP
MIG_Client MP
MIG_SiteInfo MP
MP_BgbCheckResync MP
MP_BgbGetPushMessage MP
MP_GetAffinityForClientID MP
MP_GetAllInventoryClasses MP
MP_GetAssignedMPListForSite MP
MP_GetAssignedSite MP
MP_GetAutoClientUpgradeConfigs MP
MP_GetCertificateRequestToken MP
MP_GetCertificateRevokeStateForSMSID MP
MP_GetClientIDFromMacAddress MP
MP_GetClientIDFromSmbiosID MP
MP_GetClientIDFromWTGDeviceID MP
MP_GetClientPackageInfo MP
MP_GetComplianceServiceInfo MP
MP_GetContentCloudDPUrls MP
MP_GetContentCloudDPUrlsBGR MP
MP_GetContentDPInfo MP
MP_GetContentDPInfoProtected MP
MP_GetContentDPInfoUnprotected MP
MP_GetContentFileHash MP
MP_GetContentInformation MP
MP_GetContentWUMULocations MP
MP_GetCRPCertificates MP
MP_GetCurrentBGDPList MP
MP_GetDHAUrlList MP
MP_GetDynamicPolicyAssignments MP
MP_GetEncryptionCertificateForSMSID MP
MP_GetHINVLastUpdateTime MP
MP_GetInternetMPListForSite MP
MP_GetInventoryClassProperties MP
MP_GetListOfMPsInSite MP
MP_GetListOfMPsInSiteOSD MP
MP_GetLocalMPListForSite MP
MP_GetLocalSitesFromAssignedSite MP
MP_GetMachineIdentity MP
MP_GetMachinePolicyAssignments MP
MP_GetMigrationInfoForRestoreClient MP
MP_GetMigrationInfoUsersForRestoreClient MP
MP_GetMPListForSite MP
MP_GetMPListForSiteEx MP
MP_GetMPSitesFromAssignedSite MP
MP_GetPeerDPList MP
MP_GetPendingPackagesForBranchDP MP
MP_GetPfxCertificateList MP
MP_GetPfxThumbprintList MP
MP_GetPolicyBody MP
MP_GetPolicyBodyAfterAuthorization MP
MP_GetPortalCertificates MP
MP_GetPortalInfo MP
MP_GetProtectedDPList MP
MP_GetProtectedSMPSites MP
MP_GetProxyMPListForSite MP
MP_GetSdmDocument MP
MP_GetSecretDataRequestToken MP
MP_GetSiteInfo MP
MP_GetSiteInfoUnified MP
MP_GetSiteInfoUnifiedBGR MP
MP_GetSiteInfoUnifiedBGRWSUS MP
MP_GetStateMigAssocInfo MP
MP_GetStateMigClientInfo MP
MP_GetSuperPeerContentLocations MP
MP_GetToken MP
MP_GetUnprotectedSMPSites MP
MP_GetUserAndUserGroupPolicyAssignments MP
MP_GetUserIdentificationXml MP
MP_GetWebServcieInfo MP
MP_GetWSUSServerLocations MP
MP_GetWSUSServerLocations_WithBGR MP
MP_IsClientRegistered MP
MP_IsPolicyBodyAuthorized MP
MP_MatchDrivers MP
NBS_GetPxeAction MP
NBS_GetPxeBootAction MP
NBS_LookupDevice MP
NBS_LookupPxeDevice MP
PackageContentInfoHash MP
PendingRegistrationData MP
PfxCertificates MP
PkgPrograms MP
PkgPrograms_G MP
PkgPrograms_L MP
PkgStatus MP
PkgStatus_G MP
PkgStatus_L MP
Policy MP
PolicyAssignment MP
PortalInfo MP
ProgramOffers MP
ProgramOffers_G MP
ProgramOffers_L MP
Proxy_RoleEndpoint MP
Quar_QuarantineCIs MP
ResPolicyChange MP
ResPolicyMap MP
SC_Address MP
SC_Address_Property MP
SC_AddressType MP
SC_ClientCfg_Property MP
SC_ClientComponent MP
SC_ClientComponent_Property MP
SC_ClientConfiguration MP
SC_Component MP
SC_Component_Property MP
SC_Component_PropertyList MP
SC_Configuration MP
SC_Configuration_Property MP
SC_GlobalProperty MP
SC_GlobalProperty_Property MP
SC_Properties MP
SC_RoleType MP
SC_SiteDefinition MP
SC_SiteDefinition_Property MP
SC_SysResUse MP
SC_SysResUse_Property MP
SC_SysResUse_ServiceWindow MP
SC_UserAccount MP
SC_UserAccount_Property MP
SEDO_LockableObjectComponents MP
SEDO_LockableObjects MP
SEDO_LockableObjectTypes MP
ServerKeyData MP
SettingsPolicy MP
SiteExchangeKeys MP
Sites MP
SiteWork MP
SMS_ConfigurationData MP
SMS_ConfigurationVariables MP
SMSContentHash MP
SMSData MP
SMSPackageHash MP
SMSPackages MP
SMSPackages_G MP
SMSPackages_L MP
SoftwarePolicy MP
sp_BgbConfigSSBForRemoteService MP
sp_BgbConfigSSBForReplicaDB MP
sp_GetCertSubjectAltName MP
sp_GetCertSubjectName MP
sp_GetPublicKeyForSMSID MP
sp_GetPublicKeySMSUID MP
spAddSSBRoute MP
spCreateDBMasterKey MP
spGetCloudDPToken MP
spGetContentInfoHash MP
spGetLockState MP
spGetRandomPassword MP
spGetResourceClientState MP
spGetSiteExchangeKey MP
spUpdateMDMDeviceActionResult MP
spUpdateMDMOnPremDevicePinResetResult MP
spUpdateSSBEndPoint MP
StateMigration MP
StateMigrationAssociation MP
StateMigrationAssociationUsers MP
SuperPeerClients MP
SuperPeerContentCacheMap MP
SuperPeerContentMap MP
SuperPeers MP
SupportedPlatforms MP
SysResList MP
System_AUX_Info MP
System_DISC MP
System_IP_Address_ARR MP
System_IP_Subnets_ARR MP
System_IPv6_Prefi_ARR MP
System_MAC_Addres_ARR MP
System_Resource_N_ARR MP
System_SMS_Assign_Arr MP
System_SMS_Instal_ARR MP
System_System_Rol_ARR MP
TS_AppReferences MP
TS_References MP
TS_TaskSequence MP
TSAppPolicy MP
UnknownSystem_DISC MP
Update_SyncStatus MP
User_DISC MP
User_Group_DISC MP
User_User_Group_Name_ARR MP
UserAppModelSoftwareRequest MP
UserMachineRelation MP
UserMachineSourceRelation MP
UserMachineTypeRelation MP
v_ActiveClients MP
v_BundledConfigurationItems_All MP
v_Categories MP
v_CI_DriverHardwareIDs MP
v_CI_DriversCIs MP
v_CIAppDependenceRelations MP
v_CICategories MP
v_CICategories_All MP
v_CIContents MP
v_CIContents_All MP
v_CIEULA_LocalizedContent MP
v_CIRelation MP
v_CIRelation_All MP
v_CIRelationEx MP
v_ConfigurationItems MP
v_EULAContent MP
v_LocalizedCIProperties_SiteLoc MP
v_UpdateCIs MP
v_UpdateContents MP
vCI_AssignmentTargetedCIs MP
vCI_AssignmentTargetedGroups MP
vCIAllContents MP
vClientSettingsAssignments MP
vDistributionPoints MP
vMDMAppPolicyMapping MP
vProxy_Roles MP
vSMS_CI_GlobalConditions MP
vSMS_CIDocuments MP
vSMS_CIPlatform MP
vSMS_CIRelation MP
vSMS_CIRelation_Flat MP
vSMS_ConfigurationItems MP
vSMS_SC_Address MP
vSMS_SC_ClientComponent MP
vSMS_SC_ClientConfiguration MP
vSMS_SC_Component MP
vSMS_SC_Configuration MP
vSMS_SC_GlobalProperty MP
vSMS_SC_SiteDefinition_Properties MP
vSMS_SC_SysResUse MP
vSMS_SC_SysResUse_Properties MP
vSMS_TaskSequencePackage MP
vSMS_Valid_CM_Certificates MP
vSysResList MP
WebServiceInfo MP
WSUSServerLocations MP
XMLConfigStore MP

Thought I’d give one of the new features in ConfigMgr Technical Preview build 1705 called Improvements for SQL Server Always On Availability Groups a walk through, so that I could soak up all the SQL AlwaysOn Availability Group and Windows Server Failover Clustering knowledge.

From the docs:

With this release, you can now use asynchronous commit replicas in the SQL Server Always On availability groups you use with Configuration Manager. This means you can add additional replicas to your availability groups to use as off-site (remote) backups, and then use them in a disaster recovery scenario.

As it says, the reason why you’d run an Availability Group asynchronous Replica is for off-site backup, in the event that you lose your cluster fully, the asynchronous replica can be used for rapid disaster recovery.

To kick the tires on recovery would require restoring the site and loads of work, and since an asynchronous replica DB is the same but with possible data loss (the nature an asynchronous replication), it is the same process as restoring from a full cold backup, so I’ll not test it for now, instead I’ll get the feature working and leave it there.

So what does a SQL AlwaysOn Availability Group asynchronous replica mean or do.

Let’s take a step back. In an Availability Group, when a SQL transaction is to be committed to the Primary instance database it is first replicated to each Replica and committed into its database, once that is done successfully the commit at the Primary instance completes. This means the primary waits around a lot for replicas to commit the transactions being replicated to them, they need to perform well and be physically close network-wise. It makes for high integrity compared to the asynchronous replica, which the Primary instance doesn’t wait around for, it just sends transactions to it and doesn’t wait for acknowledgement, which means that some data “in transit” could be lost if an ‘event’ occurred. With Technical Preview 5 you can now restore from an asynchronous replica database as a supported scenario.

So let’s build us an Availability Group and get ConfigMgr to play ball with it.

The last time I built a cluster was NT4 days, things haven’t changed too much in terms of standing one up, so that wasn’t difficult, but I had several learning experiences around standing up SQL AlwaysOn, which I dare say helped me bottom out my knowledge on the subject.

This guide is not for production usage, you could certainly distil it into a procedure to be applied in production, instead this guide is for lab work only.

Before you can get things underway you’re going to need the following, so as to keep on the rails throughout this guide.

Media

• Operating System – Windows 2016 DataCenter with UI
• SQL Server 2016 (SP if you want, CU’s, whatever ConfigMgr supports)
• SQL Management Console SSMS-Setup-ENU-R16.5.3-B13.0.16106.4

Virtual Machines

1. Domain Controller
2. SQL Server Replica\Node A (192.168.1.170) – 2GB Memory – Single disk
3. SQL Server Replica\Node B (192.168.1.171) – 2GB Memory – Single disk
4. SQL Server Replica\Node C (192.168.1.172 – 2GB Memory – Single disk)
5. A pre-built ConfigMgr Technical Preview Build 1705 Site server with SQL locally installed (can be remote but heck …)

The account that you do all the action with, the one you’ll login, please make it a Domain Administrator, it’ll cut through the ‘butter’ faster, if you want to tighten down then follow the guide and analyse everything post-build.

Right then, get your cool juice and saddle up, as we’re about to ride out and get ourselves SQL AlwaysOn Availability Group  working with ConfigMgr.

Prepare the SQL Server AlwaysOn Replicas

Go ahead and stand up three virtual machines using Windows Server 2016 DataCenter with Desktop.

Once built do the following:

• Give them a name
  
  

• VM1– CMSQLAONA – 192.168.1.170
• VM2– CMSQLAONB – 192.168.1.171
• VM3– CMSQLAONA – 192.168.1.172
  
  

• Join to your Domain
  
  
• Fix their IP and make a note
  
  
• Add the Computer Account of the Technical Preview Primary Site server to the local administrator group on each replica
  
  
• Make sure all replicas have been rebooted to commit the configuration changes
  
  
• At this point I switch on Remote Access for RDP, and turn off the Windows Firewall on the Domain Profile, from there I add in the servers to RDCMan so I can move off of the Hyper-V host.

Install the Windows Failover Clustering feature

Let’s do this in one go across all three nodes.

• Fire up the PowerShell ISA, paste in the below script and let it go:

$serverList = "CMSQLAONA","CMSQLAONB","CMSQLAONC"

ForEach ($server in $serverList)
{
    Install-WindowsFeature -computername $server –Name Failover-Clustering –IncludeManagementTools
}

• After a while you’ll have the clustering feature enabled on all three nodes.
  

Create a Windows Cluster

We’re now going to create our Windows Cluster, this breaks down into two tasks:

1. Create a Network Share for the File Share Witness
2. Create the cluster itself.

The Network share will be used to enable a file system quorum, so that we can introduce a basic cluster into our lab.

Create a Network Share for the Quorum

I chose the Domain Controller to host this share, it is highly available to the lab. The file share witness will not handle large volumes of data, and as a result, will utilise a small footprint during its lifecycle.

• Create a new folder on the Domain Controller anywhere of your choosing, call it CMSQLAOFSW, I’ll use C:\CMSQLAOFSW
  
  
• Share the folder out, give the Full Control share permissions to Everyone
  
  

The ACL’s to this folder will be changed during the Cluster creation process, during which a domain user account representing the name you give the Cluster will be created and given Full Control permissions. The account you are installing with will need to be a Local Administrator on the Domain Controller for all this magic to happen.

• Navigate into your share by referencing it as a UNC in Start\Run, to confirm you are able to access it

Easy. You’ll be creating another share later on.

Create the Windows Cluster

Head over to CMSQLAONA and fire up the Failover Cluster Manager. Its an admin-interface based on ancient MMC technology, so do the right thing, and turn off the Action menu like a Boss!

• Right click Failover Cluster Manager in the left hand pane, then select Create Cluster

• Once the wizard fires up, click through the welcome page and add in your Cluster Nodes CMSQLAONA, CMSQLAONB and CMSQLAONC using the browse button.
  
  
• Once you have all three Nodes listed as below, then click Next
  
  
  

• Next up is testing the cluster nodes by running a set of validation steps, you don’t have to run this but I’d let it run in case there is something exotic about your environment that’ll catch you out later on

• Click Next to pass through the Before You Begin page, select Run all tests (recommended), its the default anyway, and proceed with the wizard by clicking Next

• Have a nose through the list of tests, click Next when ready to run them

• The validation test should pass if you stand the virtual machines up from the ISO’s, but scrolling down you’ll notice that it complains about redundancy for network connections in the Validate Network Communications step, which you’d resolve as part of hardening a procedure for production use, but can ignore in the lab

• You can click on View Report to see a nice HTML based report

• Let’s carry on configuring the Cluster, select Finish in the wizard

• Enter SQLAOCluster as the Cluster Name
  
  
• Give the Cluster Name the IP of 192.168.1.174 or whatever IP you’ve set aside for you lab environment
  
  
• Select Next

• Select Next

• Note that warning about the disk witness, we’re going to use a File Share Witness (FSW) so this can be ignored
  
  
• Select Finish to wrap up
  
  
• Once the wizard has finished, RDP to your DNS server which is no doubt on your Domain Controller, and check out the new record created for the Cluster Name

• You now have a Windows Cluster, but to complete it you will need to add in the Quorum Witness. Our choice of a File Share Witness is driven by the need for simplicity, in a lab environment a disk can be shared amongst VM’s, but it takes the complexity level up a notch, fortunately we can use a SMB File Share to perform the Quorum duties, which is highly uncomplicated to setup, so let’s get it done
  
  
• Return to the Failover Cluster Manager

• Right click SQLAOCluster, select More Actions, and select Configure Cluster Quorum Settings…

• If you do not understand what a Quorum Witness is, please stop and deep dive the subject for a bit, get this foundational knowledge under your belt so as to help round off. I recommend doing this for any part of the guide that takes you out of your comfort zone, when you get that twinge its your brain prompting you to fill the gap, for Quorum Witnesses read here
  
  
• Have a read of the Before You Begin notes before you skip over
  
  

• Select Next

• Select Select the quorum witness
  
  
• Select Next

• Select Configure a file share witness, note the cool Cloud Witness as well as the classic disk witness
  
  
• Select Next

• Punch in the UNC to your File Share Witness share, you can browse to it or manually enter it. If you manually enter then here’s a top tip, always test a UNC by copy\pasting it into Start\Run to make sure you can browse it, obviously if your account doesn’t have rights this method doesn’t work, in those cases I NET USE and pass the credentials to make sure all is well
  
  
• Select Next

• Confirm and click Next

• Select Finish
  
  
• Note that Witness now changes to File Share Witness (FSW), and shows the UNC path to it

• Paste the File Share Witness UNC into Start\Run, to see the file system objects just created by the Cluster

You now have a Windows Server Failover Cluster.

Ping the Cluster Name and you will get a ping response back from the IP you specified during the setup of the Cluster Name, I keep wanting to say Cluster Interface, I think this is what we called it years ago, or perhaps it just makes more sense to my brain to call it an interface as that is what it is.

Worth noting that we won’t be using the Cluster Name at all for the SQL AlwaysOn Availability Groups. The SQL AO AG’s have their own Cluster Name concept called a Listener. You’ll come to that shortly.

Install SQL 2016 on the SQL AlwaysOn Replicas

• We’ll run SQL using a domain user account so visit your Domain Controller and create a user called CMClusterService, make note of the password, it only needs to be a Domain User

If you run SQL Server using SYSTEM context you’ll need to handle the certificate transfer, I didn’t test this but saw it called out in some Microsoft SQL documentation, it might handle transferring the certificates for you, I did see a call out in some logs when creating the Availability Group that suggest certificates are being exchanged automatically between the Replicas in the Availability Group.

We’ll cookie cut the installation of CMSQLAONB and CMSQLAONC using an INI file we create from installing SQL 2016 manually on CMSQLAONA.

• Insert the SQL ISO media into the CMSQLAONA, CMSQLAONA and CMSQLAONA virtual machines
  
  
• Login to CMSQLAONA
  
  
• Run the Setup.exe on the SQL DVD Media:

• Select Installation

• Select New SQL Server stand-alone installation or add features to an existing installation
  
  
  

• Tick to accept the license terms and select Next

• Tick Use Microsoft Updates to check for updates (recommended) unless you do not have access to the Internet
  
  
• Select Next

• Select Next

• If it finds anything, let it install

• Choose Database Engine Services and keep default paths
  
  
• You could add in Reporting Services, it’ll require another account and also some special handling for the ConfigMgr Reporting Point role. I’ve skipped doing this, since I have SQL Reporting Services and its database on the Primary, along with the ConfigMgr Reporting Point role, which will point to the SQL AlwaysOn Availability Group Listener you’re about to encounter later on in the guide
  
  
• Select Next

• Select Next

• Okay so now we want to set the startup type for the Agent and Server to Automatic
  
  
• Enter the domain user account credentials (CMClusterService) you created for the SQL Cluster for both the Agent and Server services
  
  
• Select the Collation Tab (this is a highly important step)

• Select the SQL collation, used for backwards compatibility radio button, change the collation to SQL_Latin1_General_CP1_CI_AS
  
  
• Select OK

• Select OK

• Add the local Administrators group
  
  
• Add your domain account as well
  
  
• Leave Data Directories, TempDB and FILESTREAM alone
  
  
• Select Next

• Put that path into the clipboard as we’re about to automate the silent unattended installation of two SQL Servers using a modified version of it
  
  

C:\Program Files\Microsoft SQL Server\130\Setup Bootstrap\Log\20170613_143153\ConfigurationFile.ini

• Edit the file and make the following amendments:
  
  

1. False to True for IACCEPTROPENLICENSETERMS
2. False to True for QUIET
3. Put a ; semicolon character before UIMODE

• Copy the file to a newly created folder C:\SQLInstall on both CMSQLAONB and CMSQLAONC
  
  
• Now click Install to get the SQL installation underway on CMSQLAONA
  
  
• Login to CMSQLAONB and fire up a CMD prompt
  
  
• Begin the SQL installation by modifying the passwords in the command below then running it:
  
  

D:\SETUP.EXE /CONFIGURATIONFILE=”C:\SQLInstall\ConfigurationFile.ini” /IAcceptSQLServerLicenseTerms /SQLSVCPASSWORD="<PASSWORD>" /AGTSVCPASSWORD="<PASSWORD>"

• Follow through with the same unattended silent SQL installation steps on CMSQLAONC

• While those SQL installations are bubbling away, go back to CMSQLAONA, and install SQL Management Studio. Back in the day, the studio was part and parcel of the SQL Setup, they diverged into separate installs, which means the console is unlinked from the SQL setup, and can easily be updated with a smaller media footprint
  
  
• Launch the SQL Management Studio installer

• Select Install
  
  
• You can install this on one all three nodes, or just the primary one you’ll be working from, I’ll install to CMSQLAONA only, and do all administration of SQL from there
  
  
• This one can take forever, even on a fast system. Go get yourself some Tea!
  
  

• I recommend pinning the Studio to the Taskbar

Configure SQL

We now need to make some configuration changes to the SQL Server engines on all three of our SQL servers.

Set SQL Engine Memory limits

I recommend that you calculate the memory limits based on how much you added when you created the virtual machines, they can in a small environment run on as little as 1GB.

• RDP onto CMSQLAONA and open Microsoft SQL Server Management Studio using Run as administrator option
  
  
• Connect the studio to all three nodes CMSQLAONA,  CMSQLAONB and CMSQLAONC
  
  
• With the root nodes expanded it’ll look like this:
  
  

• Right click CMSQLAONA and select Properties, then select Memory
  
  

• Repeat for CMSQLAONB and CMSQLAONC

Permission all Nodes for Primary Site access

• Add the computer account of the Primary Site server to the local Administrator group on both CMSQLAONA, CMSQLAONB and CMSQLAONC
  
  
• The CMSQLAONC entry above is redundant in this lab setup, since CMSQLAONC is running in Asynchronous mode and the Primary Site will not establish a direct connection

Bring in the CM Database

Now this is where my lab complicates things. I’ve already taken my Technical Preview 5 Primary Site towards the dark side, and its currently running its brain on a 3-node SQL AlwaysOn Availability Group. I’m going to export the DB and import it CMSQLAONA, but it means the shots will be off when it shows recovery mode.

Since my site database already resides on a SQL AlwaysOn Availability Group, it is running as FULL And not SIMPLE recovery mode. You will most likely be running SQL on the Primary, and it will most likely already be running in SIMPLE recovery mode, in this case the backup steps are the same to liberate a backup of the CM database from that SQL installation.

Take down ConfigMgr

We need to stop ConfigMgr from talking to the Database. At this point the show is over for ConfigMgr, service will resume once the Availability Group is setup and ConfigMgr told to use it.

For my lab all I need to do is wind down the services on the Primary, no site systems exist which could be connecting to the database, but its the primary that’d do the writing to the database anyway.

• RDP over to your ConfigMgr Current Branch Technical Preview 5 Site server
  
  
• Open the Services (MMC) console
  
  
• Stop the following services in this order
  
  

1. ConfigMgr Task Sequence Agent
2. Configuration Manager Remote Control
3. CONFIGURATION_MANAGER_UPDATE
4. SMS Agent Host (if installed)
5. SMS_NOTIFICATION_SERVER
6. SMS_SITE_COMPONENT_MANAGER
7. SMS_EXECUTIVE
8. SMS_SITE_SQL_BACKUP
9. SMS_SITE_VSS_WRITER

• You could use the PREINST /STOPSITE command, but that’ll mark everything for reinstallation the moment you start the services up. This isn’t necessary, since we’re going to start the site up by changing the SQL configuration from the Setup program, which’ll induce component installation behaviour
  
  
• A good working practice is to disable services when you are putting them to sleep for administrative purposes, so that if the server reboots by accident, it won’t come back up and start the application before you are ready

Backup and Move the ConfigMgr Database

I’m now going to backup the ConfigMgr CTP database (CM_CTP), and move the backup file to the CMSQLAONA node in the following location C:\SQLBackup

• Visit SQL Management Studio on the target SQL Server currently hosting your site database
  
  
• Find the site database, right click it and select Tasks and then Back Up…

• For a standalone primary with SQL locally installed, you’ll be backing up a database running in SIMPLE recovery mode, which means the file extension for your backup will be BAK and not TRN, which is the case when you are already running in FULL recovery mode
  
  
• Enter your preferred backup path location, and enter the file name as CMBackup-<CURRENTDATE>.BAK (TRN if you are moving from one SQL AlwaysOn Availability Group to another)
  
  
• Copy the TRN or BAK file over to a new folder called C:\CMBackup on CMSQLAONA
  

Configure the SQL Engine on all Nodes

We’ll modify the SQL Engine on all three node before creating the Availability Group, as doing it later will require micro-managing the Availability Group, failing over between the nodes so as to configure each of them.

• Select CMSQLAONA and click New Query
  
  
• To confirm you are about to run queries against the correct node, take a look at the bottom right of the yellow status bar, it’ll show you the name of the server the query will be run against, as will the studio applications status bar:

SQL Management Studio Application Title bar:

SQL Management Studio Status Bar

• Paste this lot in and click Execute

USE Master;

GO

SP_CONFIGURE 'show advanced options', 1;

RECONFIGURE WITH OVERRIDE;

GO

EXEC SP_CONFIGURE 'max text repl size',2147483647 ;

RECONFIGURE WITH OVERRIDE;

GO

EXEC SP_CONFIGURE 'clr enabled', 1;

RECONFIGURE WITH OVERRIDE;

GO

The result should be:

Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.

Configuration option 'max text repl size (B)' changed from 65536 to 2147483647. Run the RECONFIGURE statement to install.

Configuration option 'clr enabled' changed from 0 to 1. Run the RECONFIGURE statement to install.

• Select CMSQLAONB
  
  
• Paste the same as above and click Execute
  
  
• Select CMSQLAONC
  
  
• Paste the same as above and click Execute

Restore the ConfigMgr Database

It’s time to restore the ConfigMgr database..

• Remain within SQL Management Studio on CMSQLAONA
  
  
• Select CMSQLAONA and right click Databases, select Restore Database…
  
  

• You’ll be presented with the Restore Database page

• Select Device and select the ellipses…
  
  
  

• Select Add
  
  
  
• Navigate to C:\CMBackup and select the CMBackup file

• Select OK

• Select OK

• You can click on Files and you’ll see it is going to restore the Database to the default SQL locations:

• Select OK to get on with the recovery of CM_CTP

Configure SQL Database CM_CTP

Next up is more SQL configuration, but this time not the SQL Engine but the site database.

For this series of steps, you’ll stay on CMSQLAONA and inside SQL Management Studio, and you will change the database name used in the steps to whatever you called your site database, mine is called CM_CTP.

• Select CMSQLAONA and then select New Query

Change Recovery Model from SIMPLE to FULL

Use CM_CTP;

ALTERDATABASECM_CTPSETRECOVERYFULL;

Take stock and contemplate how you’re going to handle SQL Transaction Logs now that you’ll be in FULL recovery mode, and how they mass up on you consuming disk space, and regularly need backing up. I’m going to totally leave you hanging, and let you read up on how to handle this.

Set SA owner on DB

UseCM_CTP;

EXECsp_changedbowner'sa'

Set TRUSTWORTHY bit on DB

USECM_CTP;

ALTERDATABASECM_CTPSETTRUSTWORTHYON;

Enable SERVICEBROKER on DB

UseCM_CTP;

ALTERDATABASECM_CTPSETENABLE_BROKER;

Enable SERVICEBROKERPRIORITY on DB

UseCM_CTP;

ALTERDATABASECM_CTPSET HONOR_BROKER_PRIORITY ON;

You can verify the configuration of SQL by running the following SQL script which is taken from the ConfigMgr Documentation:

Note: You can paste this into your existing query window or create a new one making sure you are focused on the correct SQL server, select what you paste in and then click Execute to execute the selection (change the USE CM_CTP to your database name)

USE CM_CTP

SET NOCOUNT ON

DECLARE @dbname NVARCHAR(128)

SELECT @dbname = sd.name FROM sys.sysdatabases sd WHERE sd.dbid = DB_ID()

IF (@dbname = N'master' OR @dbname = N'model' OR @dbname = N'msdb' OR @dbname = N'tempdb' OR @dbname = N'distribution' ) BEGIN
RAISERROR(N'ERROR: Script is targetting a system database.  It should be targeting the DB you created instead.', 0, 1)
GOTO Branch_Exit;
END ELSE
PRINT N'INFO: Targetted database is ' + @dbname + N'.'

PRINT N'INFO: Running verifications....'

IF NOT EXISTS (SELECT * FROM sys.configurations c WHERE c.name = 'clr enabled' AND c.value_in_use = 1)
PRINT N'ERROR: CLR is not enabled!'
ELSE
PRINT N'PASS: CLR is enabled.'

DECLARE @repltable TABLE (
name nvarchar(max),
minimum int,
maximum int,
config_value int,
run_value int )

INSERT INTO @repltable
EXEC sp_configure 'max text repl size (B)'

IF NOT EXISTS(SELECT * from @repltable where config_value = 2147483647 and run_value = 2147483647 )
PRINT N'ERROR: Max text repl size is not correct!'
ELSE
PRINT N'PASS: Max text repl size is correct.'

IF NOT EXISTS (SELECT db.owner_sid FROM sys.databases db WHERE db.database_id = DB_ID() AND db.owner_sid = 0x01)
PRINT N'ERROR: Database owner is not sa account!'
ELSE
PRINT N'PASS: Database owner is sa account.'

IF NOT EXISTS( SELECT * FROM sys.databases db WHERE db.database_id = DB_ID() AND db.is_trustworthy_on = 1 )
PRINT N'ERROR: Trustworthy bit is not on!'
ELSE
PRINT N'PASS: Trustworthy bit is on.'

IF NOT EXISTS( SELECT * FROM sys.databases db WHERE db.database_id = DB_ID() AND db.is_broker_enabled = 1 )
PRINT N'ERROR: Service broker is not enabled!'
ELSE
PRINT N'PASS: Service broker is enabled.'

IF NOT EXISTS( SELECT * FROM sys.databases db WHERE db.database_id = DB_ID() AND db.is_honor_broker_priority_on = 1 )
PRINT N'ERROR: Service broker priority is not set!'
ELSE
PRINT N'PASS: Service broker priority is set.'

PRINT N'Done!'

Branch_Exit:

That script is dead handy!

We’re looking for INFO and PASS only

INFO: Targetted database is CM_CTP.
INFO: Running verifications....
PASS: CLR is enabled.
PASS: Max text repl size is correct.
PASS: Database owner is sa account.
PASS: Trustworthy bit is on.
PASS: Service broker is enabled.
PASS: Service broker priority is set.
Done!

Configure SQL Security for Primary Site server

We’re going to recreate the SQL login for the site server to use, this will have been lost as SQL Engine logins are not backed up when you backup a database, the SQL logins are present in the database but not on the new SQL server.

• Expand CMSQLAONA, Security and right click Logins, now select New Login…

My Primary’s hostname is CMCBTP so I’ll create the new login as its computer account

• Select Server Roles

• Make sure public is ticked, it should be by default
  
  
• I added sysadmin as I was troubleshooting on the first go around setting up a Availability Group, the site server doesn’t need these rights, but the account you are logged in as when working through this guide must have sysadmin rights
  
  
• Select OK
  
  
• Expand CMSQLAONB, Security and right click Logins, now select New Login…

Again use the Primary’s site servers hostname, CMCBTP$

• Make sure public is ticked

• Select OK

Enable SQL AlwaysOn Feature

Next up is enabling the SQL AlwaysOn feature on all three Replicas. This feature will not light up until a replica is a member of a Windows Server Failover Cluster.

• From CMSQLAONA open SQL Server Configuration Manager

• Select SQL Server Services, right click SQL Server (MSSQLSERVER) and select Properties
  
  
• Now visit the AlwaysOn High Availability tab
  
  
• Select Enable AlwaysOn Availability Groups

• Select OK
  
  
• Restart the SQL Server service for the change to take effect, as it warned you. You can restart the service inside the Configuration Manager console, right click SQL Server (MSSQLSERVER) and select Restart

Note: The AlwaysOn feature would not light up and be greyed out, if this server wasn’t a node in a Windows Cluster, didn’t I just say that? It is worth repeating!

• Perform this step on each of the remaining replicas CMSQLAONB and CMSQLAONC

Create a Network Share to facilitate the transfer of the site database CM_CTP to all Availability Group Replicas

When we create the Availability Group we need to somehow get the site database copied across to all remaining replicas, CMSQLAONB and CMSQLAONC. Well we can do this manually or we can let SQL do it for us using a file share.

I created this file share on CMSQLAONA, as this is a bridgehead for doing all the SQL administrative work so far, let’s create it here.

• Open File Explorer
  
  
• Create a new folder on CMSQLAONA called C:\CMDBTransfer
  
  
• Share the folder out

• Give the Full Control share permissions to Everyone

• Select OK
  
  
• Right click the CMDBTransfer folder, select Properties and then the Security tab
  
  
• Set the ACL’s so that the SQL Account YourDomain\CMClusterService has full permissions

• Select OK
  

Create a SQL AlwaysOn Availability Group

Good to create the Availability Group now. We’ll begin the creation of the Availability Group on CMSQLAONA.

• Return to SQL Management Studio
  
  
• Navigate to CMSQLAONA
  
  
• Right click AlwaysOn High Availability

• Select New Availability Group Wizard…

• Have a read
  
  
• Select Next

• We’ll now name our Availability Group as ConfigMgrAG
  
  
• You could call it whatever you want, if you change it keep an eye out for references to ConfigMgrAG fruther into the guide, and substitute for whatever you chose
  
  
• Select Next

• It see’s our database, select it
  
  

Note: When I first took my ConfigMgr Tech Preview site database from a local install into the first availability group lab that I created, the text in this dialog was different, some actions where needed, and size of DB was mentioned, as well as results of a prerequisite check. I might move my ConfigMgr Current branch into an Availability Group, which means I’ll see this wizard again, return here and amend for the differences. In the meantime you might need to wing this section a bit, by doing whatever the prerequisite checker asks of you

• Select Next

We are now going to add in the Replicas that will participate in the Availability Group, that’ll be all three cluster nodes CMSQLAONA, CMSQLAONB and CMSQLAONC

• Select Add Replica…

• Enter CMSQLAONB and select Connect

• Select Add Replica…
  
  
• Enter CMSQLAONB and select Connect

• Note that CMSQLAONA is listed as a Primary Replica, and CMSQLAONB and CMSQLAONB are listed as Secondary Replica’s
  
  
• For CMSQLAONA tick Automatic Failover (Up to 3), tick Synchronous Commit (Up to 3) and select Yes for Readable Secondary
  
  
• For CMSQLAONB tick Automatic Failover (Up to 3), tick Synchronous Commit (Up to 3) and select Yes for Readable Secondary
  
  
• For CMSQLAONC, which we’ll use to enable the Technical Preview Build 1705 feature for AlwaysOn, Asynchronous Availability Group replica support, untick Automatic Failover (Up to 3), untick Synchronous Commit (Up to 3) and select Yes for Readable Secondary

• Select the Listener tab

• Select Create an availability group listener
  
  

Note: The Listener is actually a DNS record that will be used by Applications when they attempt to connect to the Availability Group, earlier in the guide I called out a link on tooling up knowledge-wise on what a Listener is, so I’ll forgo being an echo-chamber and repeat what you already knew or just learnt.

• Enter ConfigMgrAGL as the listener DNS name
  
  
• Enter 1433 as the Port
  
  
• Enter an IP address for the listener to use, I used 192.168.1.173 for ConfigMgrAGL
  
  
• If you build further Availability Groups, they will have their own unique listener, much like a Cluster Name (interface!)
  
  
• Select Next

The site database needs to be transferred to the other two Replica in the Availability Group, SQL can automatically do this for us, with that share we created, or we can handle it manually ourselves. Guess which method we’re opting for!

• Select Full
  
  
• Enter the full path to the CMDBTransfer share you created earlier(\\CMSQLAONA\CMDBTransfer)
  
  
• Select Next

• And all the ducks line up
  
  
• Select Next

• Select Finish to get things underway

• Time for more tea

• More tea

• Great we’re done here
  
  
• Visit your DNS server and you’ll see a new A record has been created for your new Availability Group ConfigMgrAGL

• From CMSQLAONA visit the SQL Management Studio
  
  
• Expand out CMSQLAONA and the Availability Group nodes

• You did that :-)
  
  
• I am assuming it all worked out, well done!
  
  
• Let’s see if its really working, bring up the Dashboard, a right click off the Availability Node

• Select Show Dashboard

• Click on ConfigMgrAG to drill down

• If you are not seeing Green you’ve derailed somewhere, not very helpful of me but I would recommend reading any critical or warning messages it produces, take it from there
  
  
• Note that you can administer most of the Availability Group from here, a primary to note is that you launch the failover wizard from the dashboard but can launch it from a right click on your Availability Group in Object Explorer

Final SQL Configurations

The site database now residing on CMSQLAONB was transferred there using SQL Backup and Restore, which means that some database settings haven’t been carried across. These need to be set, or normalised, but we cannot straight connect and configure, we need to tell the Availability Group to failover to that replica then perform the tasks. So let’s get on with that

• From SQL Management Studio right click your Availability Group, you can do this from any of the Replica nodes but the assumption for this guide is that CMSQLAONA is your Primary instance, and the others replicas are Secondary Replicas, so do your right click from CMSQLAONA

• Select Next

• Tick CMSQLAONB which should be the nominated Replica for Failover
  
  
• Select Next

• Select Connect

• It won’t let you interact other than with the buttons, select Connect

• Select Next

• Select Next

• Select Close
  
  
• You’ll see the dashboard show critical, leave it alone for a few moments, it auto refreshes, proceed when it returns to a healthy state
  
  
• Notice our Primary instance is now CMSQLAONB

• Select CMSQLAONB in the Object Explorer then select New Query:

Use CM_CTP;

EXECsp_changedbowner'sa'

USE CM_CTP;

ALTERDATABASE CM_CTP SETTRUSTWORTHYON;

Use CM_CTP;

ALTERDATABASE CM_CTP SET HONOR_BROKER_PRIORITY ON;

• Execute that lot on CMSQLAONB

• I did not have to set ENABLE_BROKER in my lab, so I've pulled the following step as not required:

Use CM_CTP;

ALTERDATABASE CM_CTP SETENABLE_BROKER;

• Rerun the following validation script:

SET NOCOUNT ON

DECLARE @dbname NVARCHAR(128)

SELECT @dbname = sd.name FROM sys.sysdatabases sd WHERE sd.dbid = DB_ID()

IF (@dbname = N'master' OR @dbname = N'model' OR @dbname = N'msdb' OR @dbname = N'tempdb' OR @dbname = N'distribution' ) BEGIN
RAISERROR(N'ERROR: Script is targetting a system database.  It should be targeting the DB you created instead.', 0, 1)
GOTO Branch_Exit;
END ELSE
PRINT N'INFO: Targetted database is ' + @dbname + N'.'

PRINT N'INFO: Running verifications....'

IF NOT EXISTS (SELECT * FROM sys.configurations c WHERE c.name = 'clr enabled' AND c.value_in_use = 1)
PRINT N'ERROR: CLR is not enabled!'
ELSE
PRINT N'PASS: CLR is enabled.'

DECLARE @repltable TABLE (
name nvarchar(max),
minimum int,
maximum int,
config_value int,
run_value int )

INSERT INTO @repltable
EXEC sp_configure 'max text repl size (B)'

IF NOT EXISTS(SELECT * from @repltable where config_value = 2147483647 and run_value = 2147483647 )
PRINT N'ERROR: Max text repl size is not correct!'
ELSE
PRINT N'PASS: Max text repl size is correct.'

IF NOT EXISTS (SELECT db.owner_sid FROM sys.databases db WHERE db.database_id = DB_ID() AND db.owner_sid = 0x01)
PRINT N'ERROR: Database owner is not sa account!'
ELSE
PRINT N'PASS: Database owner is sa account.'

IF NOT EXISTS( SELECT * FROM sys.databases db WHERE db.database_id = DB_ID() AND db.is_trustworthy_on = 1 )
PRINT N'ERROR: Trustworthy bit is not on!'
ELSE
PRINT N'PASS: Trustworthy bit is on.'

IF NOT EXISTS( SELECT * FROM sys.databases db WHERE db.database_id = DB_ID() AND db.is_broker_enabled = 1 )
PRINT N'ERROR: Service broker is not enabled!'
ELSE
PRINT N'PASS: Service broker is enabled.'

IF NOT EXISTS( SELECT * FROM sys.databases db WHERE db.database_id = DB_ID() AND db.is_honor_broker_priority_on = 1 )
PRINT N'ERROR: Service broker priority is not set!'
ELSE
PRINT N'PASS: Service broker priority is set.'

PRINT N'Done!'

Branch_Exit:

• Again we’re looking for INFO and PASS only:

INFO: Targetted database is CM_CTP.
INFO: Running verifications....
PASS: CLR is enabled.
PASS: Max text repl size is correct.
PASS: Database owner is sa account.
PASS: Trustworthy bit is on.
PASS: Service broker is enabled.
PASS: Service broker priority is set.
Done!

That’s it, use the failover wizard to switch back to the CMSQLAONA replica node as the Primary instance

Set the SQL SPN’s

While we’re running SQL with a domain user account we’re going nowhere at the application layer (ConfigMgr) without Service Principal Names (SPN’s). We’ll create them by hand.

• RDP to your Domain Controller or wherever you are hosting Microsoft DNS
  
  
• Open ADSIEDIT
  
  
• Navigate down to Users and find the CN-CMClusterService entry

• Double click it or select Edit
  
  
• Add in the following SPN entries so that ConfigMgr can find the SQL Service:
  
  

MSSQLSvc/CMSQLAONA:1433

MSSQLSvc/CMSQLAONA.SMSM.COM:1433

MSSQLSvc/CMSQLAONB:1433

MSSQLSvc/CMSQLAONB.SMSM.COM:1433

MSSQLSvc/CMSQLAONC:1433

MSSQLSvc/CMSQLAONC.SMSM.COM:1433

• We only need the CMSQLAONA and CMSQLAONB entries, since they are the active replicas in synchronous mode that ConfigMgr will use, but we’ll add CMSQLAONC so that you can play around with changing the roles in the Availability Group
  
  
• Select OK

• Select OK

Configure the Availability Group for Maintenance Mode (failover = Manual)

Before we can let ConfigMgr take a look at the new Availability Group we need to set it to Manual Failover mode. Perhaps in the future we’ll be able to work on Availability Groups without having to put them into manual mode, which would be every single time you service the ConfigMgr product, as is the case with Management Point Replicas which need to literally brought down before you can upgrade. I’d like to see these two areas ironed out to reduce administrator burden from lighting up cool features.

• Return to CMSQLAONA and to the SQL Management Studio
  
  
• Select CMSQLAONA which should be the Primary instance, check the Dashboard to confirm
  
  
• Right click your Availability Group and select Properties

• Set the Failover mode for CMSQLAONA and CMSQLAONB to Manual

• You have to do this on the Primary instance, which means the correct SQL server, as I said the dashboard lets you know which Replica is the Primary instance.

• You can see the Failover mode in the Dashboard

• Once they are set to Manual you are good to move onto configuring ConfigMgr

Configure ConfigMgr to use the SQL AlwaysOn Availability Group

We can now turn to ConfigMgr and ask it politely to start using our new Availability Group.

• Launch ConfigMgr Setup from the installation folder, not the installation media. Run C:\Program Files\Microsoft Configuration Manager\bin\X64\Setup.exe and select Run as administrator

• Select Next

• Select Perform site maintenance or reset this site

• Select Modify SQL Server configuration

• Enter the Availability group Listener FQDN for your ConfigMgrAG Availability Group
  
  
• Select Next

• It’ll detect the SQL AlwaysOn Availability Group and thrown a warning before you proceed
  
  
• Select Begin
  
  
• Open the ConfigMgrSetup log using LogLauncher
  
  
• Keep an eye on that log and pray!
  
  
• Once it is done you’ll get green in the configuration wizard

• You’ll also see happiness in the log, tailing off with the following

• If you are seeing SSPI errors review your SPN work, most likely related, other issues could be connectivity, not enough account permissions, some steps missed
  
  
• Go check out SMSDBMON on your Primary, it’ll show you DB activity, if there is a problem it’ll show there

Reconfigure Availability Group Failover mode

We’ve now got ConfigMgr pointing at the Availability Group, we can now return the Failover Mode to Automatic.

• Return to CMSQLAONA and to the SQL Management Studio
  
  
• Select CMSQLAONA which should be the Primary instance, check the Dashboard to confirm
  
  
• Right click your Availability Group and select Properties

• Set the Failover mode for CMSQLAONA and CMSQLAONB to Automatic
  
  
• Select OK

Reporting Point

If you had one running its most likely pointing at the old SQL Database that was home for the site database, that’ll be all ugly and broken now, so remove the Reporting Point role, add the role back, when configuring the role use the Availability Group Listener. The SRSRP log should show that the data sources have been updated with the Availability Group Listener name.

If your going to edit reports you’ll need the latest Report Builder V3, which you can find here

WSUS

Forget it. It’s unsupported.

Are there any options?

Yes, read here, it has everything to do with WSUS trying to be a bad boy and putting the SUSDB database into single-user mode, which an Availability Group won’t have any of. As you’ll see in this guide, its just a matter of procedure, and you can have WSUS running its database in an Availability Group, not the one being used by ConfigMgr, a new one dedicated for WSUS usage.

A great source of information alongside the SQL Documentation library came from here Prepare to use SQL Server Always On availability groups with Configuration Manager, which takes you to the ConfigMgr Documentation library, a world-class documentation library.

Another source very worthy of a mention is this article from Benjamin Reynolds at Microsoft titled Moving the ConfigMgr site database to an Always On Availability Group, he writes up on how to do what I do above, but he does it to a production database while minimising down time. You’ll find both articles complement each other in that Benjamin skips over some aspects whereas I document their steps. Using both you can build out your lab and put together an ace plan to do a production run at some point.