
ConfigMgr Build 1602– Deploy overview


Today I see that ConfigMgr Current Branch Build 1602 has been released. I installed it onto 1511 today, and thought I’d put together a brief guide to provide a light overview of the installation process, showing how easy it is now that it is integrated into the product. Configuration Manager as a Service (CaaS) really is kicking in, with the flow of change ramping up.

The Updates and Servicing feature relies entirely on the Service Connection Point role that was introduced in Configuration Manager Current Branch (and LTSB). I suspect that in a day or two, when standing up a Build 1511 Site server and then deploying this role, you will see Build 1602 showing within minutes of the first sync, whereas today it may take a few more hours before everyone can see the update pack globally.

To deploy a 1602 site server you must first deploy the ‘baseline’ build, which is currently 1511. You can move from 1511 to 1602 in both offline and online modes (offline servicing just means having the 1602 kit to hand rather than downloading it from the internet). After a year, a new baseline build should replace 1511, so that a single installation gets you to the current build. I would not expect that to last long; a double install will be the norm, since these update packs are released quite quickly.

Here’s the release version matrix for current branch as it now stands:

Build 1511    5.00.8325.1000
Build 1602    5.00.8355.1000

Note that 1602 updates a 1511 database. It most likely will always be okay until it isn’t okay, so please make sure you are backing up your SQL DB. Unlike past versions of Configuration Manager, if installing an update fails you should not need to perform a site recovery, and instead can Retry the update installation. Therefore, while the test upgrade of the database is less critical than in past product versions, it still remains a concern and a recommended step (more so for production!).

On the subject of database changes and failure during upgrade, you should note this statement in the documentation here

Unlike past versions of Configuration Manager, if installing an update fails you should not need to perform a site recovery and instead can Retry the update installation. Therefore, while the test upgrade of the database is less critical than in past product versions it remains a recommended step.

Failure during upgrade can be retried; previously the show was over and a restore was needed. Pretty rad that!

  • Here’s a 1511 Site server showing 1602 has arrived

  • Clicking on the 1602 update pack will give you some options via the Ribbon or a Right click

I’ve already covered most of how the Updates and Servicing mechanism works in this blog post here; in this post I’ll simply walk lightly over deploying Current Branch Build 1602 to a lab based Stand-alone Primary Site server.

Let’s get the upgrade from B1511 to B1602 underway.

  • Go create a device collection, call it Client Pre-deployment (Validation of B1602)
  • Add some devices to the new collection, these will be automatically updated for us

  • From the Console, go to Administration, Cloud Services, Updates and Servicing
  • If Build 1602 does not show, then from the ribbon or a right click select Check for updates
  • If it shows then most likely it has already been downloaded; if it doesn’t show, and initiating a check for updates or recycling the SMS_Executive service does not get it to appear, check the DMPDownloader log file on the Site server

  • You should see that something is afoot, a cab being downloaded, unpacked and verified

  • Here you can see the download of the update pack has completed

Even though we can retry if there is any failure during the upgrade while dealing with SQL, it would make sense to copy your database over to a server hosting the same SQL edition (with the same service packs and hotfixes as the ConfigMgr Database Site server) so as to test the upgrade on your database using TestDBUpgrade. I’d do this every single time with production; for the lab I don’t bother. That a retry after upgrade failure is supported indicates that, most likely, over coming releases we should see far more robustness in the whole SQL upgrade process, until nursing it becomes a distant memory.

Check out Nickolaj Andersen’s post here on handling TestDBUpgrade. It is pretty simple, though it takes a bit of effort to keep SQL Server like for like. For 1602 I didn’t dig out where the install kit was pre-installation; after it has been downloaded you’ll have to go and find the installation kit (it might be in cab-only form at this point, or in unpacked form, go dig it out) in the ConfigMgr folder once the 1602 state changes to Available.
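As an added example (not from the original post), here is a PowerShell rehearsal of the like-for-like TestDBUpgrade flow described above: compare the SQL edition and build of production and test, restore a fresh copy of the site database on the test instance, then run Setup.exe /TESTDBUPGRADE against it. Instance names, database name, backup path and the location of the downloaded 1602 kit are placeholders, and the ERROR scan of ConfigMgrSetup.log is a heuristic rather than a documented success signal.

```powershell
# Added example (not from the original post): rehearse the 1602 database upgrade on a
# like-for-like SQL Server before touching production. Run this on the test SQL server,
# which is where /TESTDBUPGRADE expects to find the restored copy.
# Placeholders (assumptions, not values from the page): instance names, database name,
# backup path and the path to setup.exe inside the downloaded 1602 kit.
Import-Module SqlServer   # Backup-SqlDatabase, Restore-SqlDatabase, Invoke-Sqlcmd

$ProdInstance = 'CM01'                                    # production site database instance
$TestInstance = 'SQLTEST01'                               # scratch instance for the rehearsal
$Database     = 'CM_PS1'                                  # site database, CM_<SiteCode>
$BackupFile   = '\\FS01\Backups\CM_PS1_pre1602.bak'       # share both SQL service accounts can reach
$SetupExe     = 'D:\1602Kit\SMSSETUP\BIN\X64\setup.exe'   # setup.exe from the 1602 kit
$SetupLog     = Join-Path $env:SystemDrive 'ConfigMgrSetup.log'

# 1. Like for like: edition, product level (SP) and build must match, otherwise the
#    rehearsal says nothing about how production will behave.
function Get-SqlBuild {
    param([Parameter(Mandatory)][string]$Instance)
    Invoke-Sqlcmd -ServerInstance $Instance -Query @"
SELECT CAST(SERVERPROPERTY('Edition')        AS nvarchar(64)) AS Edition,
       CAST(SERVERPROPERTY('ProductLevel')   AS nvarchar(32)) AS ProductLevel,
       CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(32)) AS ProductVersion
"@
}

function Assert-LikeForLike {
    param($Prod, $Test)
    foreach ($p in 'Edition', 'ProductLevel', 'ProductVersion') {
        if ($Prod.$p -ne $Test.$p) {
            throw "SQL mismatch on ${p}: production '$($Prod.$p)' vs test '$($Test.$p)'"
        }
    }
}

Assert-LikeForLike -Prod (Get-SqlBuild $ProdInstance) -Test (Get-SqlBuild $TestInstance)

# 2. Fresh copy-only backup of production (does not disturb the backup chain), restored
#    under the same database name on the test instance.
Backup-SqlDatabase  -ServerInstance $ProdInstance -Database $Database -BackupFile $BackupFile -CopyOnly
Restore-SqlDatabase -ServerInstance $TestInstance -Database $Database -BackupFile $BackupFile -ReplaceDatabase
# If the test instance keeps data/log files on different paths, add -RelocateFile arguments.

# 3. Run the test upgrade against the copy. Setup writes to ConfigMgrSetup.log at the
#    root of the system drive; the ERROR scan below is a convenience, not a documented
#    success signal, so read the log tail yourself before trusting the result.
$logStart = if (Test-Path $SetupLog) { (Get-Content $SetupLog).Count } else { 0 }
$proc     = Start-Process -FilePath $SetupExe -ArgumentList "/TESTDBUPGRADE $Database" -Wait -PassThru
$newLines = @(Get-Content $SetupLog | Select-Object -Skip $logStart)
$errors   = @($newLines | Select-String -Pattern 'ERROR' -CaseSensitive)

"setup.exe exit code: $($proc.ExitCode)"
"log lines written this run: $($newLines.Count), lines containing ERROR: $($errors.Count)"
$newLines | Select-Object -Last 20
if ($errors.Count -gt 0) { $errors | ForEach-Object { $_.Line } }
```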

  • Once you are ready to proceed with the upgrade, from the Updates and Servicing node, right click the 1602 update pack
  • Select Install Update Pack

  • We’re welcomed by the Configuration Manager Updates Wizard
  • You can tick Ignore any prerequisite check warnings and install this update regardless of missing requirements, so as to override any warnings regarding requirements not being met, or let it stall and notify you so you can resolve them
  • Select Next

  • This is where we select the features we want installed; as you can see, 1602 delivers:
    • Apple Volume Purchase Program
    • Windows 10 conditional access with health attestation service
    • iOS Activation Lock management
    • iOS App configuration
  • Tick or untick the features you are interested in
  • Select Next

  • Your choice on whether you update your current production ConfigMgr Client package with the Build 1602 Client kit straight off, or whether you stage the event and, when confident, perform the update later
  • Select Browse

  • Find the collection you created earlier
  • Select OK

  • Looking good, we’re going to validate the client in pre-production, by deploying to a specific collection of devices and not the entire estate
  • Select Next

  • Tick the licence agreement checkbox
  • Select Next

  • Select Next

  • Select Close

  • From the Updates and Servicing node we can see that things are underway

  • If you have a CAS there is over 1GB of content that needs to be replicated; for a stand-alone primary this shouldn’t take more than a few minutes

  • Once the staging is complete, the prerequisite checker will kick in

  • This part will take a long time

  • Once the prerequisite checker has completed with no errors (and we are ignoring, or have reviewed, any missing requirement warnings) you should see the status transition to Installing

  • Let’s take a look at the prerequisites
  • Head to Monitoring, Site Servicing Status, and from the Ribbon or a right click select Show Status

  • We can see what did and didn’t pass …
  • Also check out the CMUpdate log

  • Once the update pack’s status changes to Installed, check out the SiteComp log to make sure all the components\roles have reinstalled correctly

  • Here is a resource record of a device in the pre-production collection that was automatically updated for me

If you had any consoles open, after a bit of cruising they should start to prompt you to upgrade to a newer version. Opening a new 1511 console will produce the same prompt until it has been accepted, which will kick off the console upgrade.

  • Accepting the upgrade will get the Console MSI downloaded from the Site server and the upgrade process underway
  • MSI logic detected that I had a Console related executable still in memory, Status Message Viewer, which was blocking the upgrade, so I closed that manually and clicked OK

The MSI Installer then rolls off the older version, and rolls on B1602.

  • A quick nose around the Features node of Updates and Servicing shows us the features, which can be viewed in the documentation here:

Also, my three test clients all upgraded to 1602 as well. I did have a delay here, and I am not 100% sure right now what caused it, but the clients all kicked off their upgrades once they fetched their policy from the MP.

Okay that’s it, done, and it was easy wasn’t it!

Once we are all good with the client upgrade, we can switch the 1602 Client kit to become the production kit used for all future client deployments.

  • Navigate to the Updates and Servicing node again
  • From the Ribbon or a Right click select Client Update Options
  • Tick I am ready to make pre-production client version available to production
  • Select OK
  • Open the Hierarchy Settings and you’ll see that pre-production deployment has been turned off, and the production client version has changed to 5.00.8355.1000

You could also check at the file level to make sure the client files have been upgraded; perhaps I’ll circle back for that fully and update the guide another time. Here is a shot of CCMSETUP.EXE to show its version (8355 is 1602).

Feature-wise, In-place upgrade of the operating system of site servers that run Windows Server 2008 R2 is a real winner, enabling many quick upgrades to supported OS versions without a backup\restore being needed. Very enabling, as is SQL Server AlwaysOn availability groups. For mobility there’s a whole bunch of iOS MDM related features pouring in too, nice, and cloud-wise we have more management over Office 365 usage\deployment. For the full list of features don’t forget to check out the documentation.


Configuration Manager and the Cloud

Configuration Manager and the Cloud - 31st March 2016

Join WMUG on the day for System Center Configuration Manager and on-premise\off-premise Cloud sessions.

Thursday, 31st March 2016.

Featuring three (3) Microsoft MVP's, Robert Marshall (EM), Gerry Hampson (EM) and Sam Erskine (CDM), alongside the WMUG team, guest speakers and our event sponsor, Flexera Software.

The agenda will be as follows:

  • 09:00 Registration & Coffee
  • 09:20 Welcome from WMUG (WMUG Team): Brief introduction to the User Group, who we are, and our goals for the year
  • 09:30 System Center with Flexera Software (Paul Hossack): Overview of Flexera Software products and features
  • 10:15 BREAK
  • 10:30 High Availability in Configuration Manager with Management Point replicas (Paul Winstanley): Let's stop panicking about single point of failure with our site servers and do something about it
  • 11:15 On-premise Mobile Device Management with Configuration Manager (Gerry Hampson, EM MVP - WMUG Team): Walk through showing how to configure the solution
  • 12:00 LUNCH
  • 12:45 Servicing Configuration Manager (Robert Marshall, EM MVP - WMUG Team): Considerations around the new servicing model for ConfigMgr
  • 13:30 OMS - Take the guess work out of Software Update Management (Sam Erskine, CDM MVP): How can OMS help with Software Updates Management and a whole lot more. Sam, serial author and speaker, will share how, and you can do this with no infrastructure change
  • 14:15 Managing Windows 10 in a cloud only model (Matt White - WMUG Team)
  • 15:00 BREAK
  • 15:15 BranchCache/BITS/PeerCache best practices for Configuration Manager (Phil Wilcock - 2pint Consultant): The "slow lane" for content management better described
  • 16:00 Questions for speakers & open discussion (All): Open mic for the audience to pick discussion points with the speakers
  • 16:45 Thanks and giveaways
  • 17:10 Close

The event is completely FREE to you including refreshments and lunch, courtesy of our sponsor for the day Flexera. Please note that registrants' name and email address will be provided to the Sponsor; please do let us know if this is an issue for you. We view providing your details as a small token of gratitude towards the Sponsor, which enables the event to be free.

Flexera Software is the leading provider of next-generation software licensing, compliance, security and installation solutions for application producers and enterprises. Their next-generation software licensing, compliance and installation solutions are essential to ensure continuous licensing compliance.

We also have an open questions session back by popular demand, and of course some giveaways for those who make it to the end of the day.

So what are you waiting for? Register now! There are limited seats available, and as always, we expect these to fill up quickly. Don't delay or you may be disappointed. If you book and are unable to attend, please do cancel your booking via the event page so that others may take up the opportunity, thank you.

Venue location: Microsoft, 2 Kingdom Street, LONDON, W2 6BD

About the speakers:

Paul Hossack - Paul is our sponsor guest speaker for this event, and will give us a demo of Flexera Software product offerings. Paul has been securing networks since 2007. A seasoned project leader and encryption specialist, and most recently hardware firewall adept, Paul is an expert in his field. Now working with Flexera Software (formerly Secunia) he brings his skills to vulnerability defence.

Paul Winstanley - Independent contractor with 20+ years experience. 7 years specialised in Configuration Manager and Enterprise Client Management. Also a CGJam Contributor and Pi enthusiast who regularly teaches kids in his spare time.

Gerry Hampson - Senior Consultant Engineer with Ergo Group based in Dublin. Recently awarded his first MVP in Enterprise Client Management through his awesome work on gerryhampsoncm.blogspot.ie and Microsoft TechNet forums.

Robert Marshall - Owner and Senior Consultant at London based Consultancy SMSMarshall Ltd, specialists in ConfigMgr. Microsoft EM MVP in Configuration Manager since 2009, and WMUG founder in 2006.

Sam Erskine - Samuel is our guest speaker, a CDM MVP, and an independent IT consultant and trainer, specializing in System Center and MS Cloud technologies. He is the content designer and lead author of several Microsoft System Center Cookbooks, and co-author of two System Center Unleashed books.

Phil Wilcock - Phil is our guest speaker, and has been in IT for a long time. Some would say too long. He started life as a farmer, ended up managing a huge Moo-Cow database (the DB was large not the cows), worked for Bill Gates for a while, co-founded 1e.com, went back to farming for a few years, trained as a Butcher and is now Director at 2pint Software, a specialist in Configuration Manager and presenter.

Configuration Manager and the Cloud - 31st March 2016


Thank you to all that attended the Configuration Manager and the Cloud event!

And a big thank you to our sponsors Flexera Software

The event was set for 50 attendees, but we had 8 slots reserved for the WMUG Team to make sure we had a seat. We were fully booked within the first week. On the day, our attrition rate was the lowest we've ever seen other than when we had Wally Mead over, and we were pretty much just down a handful of attendees.

This time we wanted more speakers to fit into the day, so we reduced session times from 1 hour to 45 minutes. It seemed to work, gave us an additional slot at the end of the day, and as a format it seemed to go down well with the attendees.

Before we move on we would like to thank those that cancelled and informed us of their non-attendance, it allowed us to pass their ticket to the reserves, good job!

The venue @ Microsoft Paddington in London was very well laid out, all our equipment worked (there were some niggles that failed a demo, but something we can resolve next time). We'll definitely go back, and we have taken note of those that would like Reading to go back on our venue list. I'm sure we'll see Reading at some point this year, as well as new venues (North of England and Ireland) being planned.

Paul Hossack was first up, with a presentation around the Flexera Software product range. It was very provocative (security and keeping up with patching always is!), and the audience really soaked that presentation up, with lots of questions fired at Paul, who had this nailed down hard, responding to all the questions with reasonable responses and style.

Next up was Paul Winstanley (SCCMentor) from the WMUG Team, who presented on Management Point Replicas and high availability of ConfigMgr. It provoked a lot of discussion on design and how architects should think when it comes to high availability.

Followed by Gerry Hampson - Enterprise Mobility MVP and WMUG Teamie, who touched on his favourite subject at the moment, managing Modern Devices using on-premise Mobile Device Management. Pretty cool stuff, don't forget to check out his posts on the subject here.

Next up Robert Marshall - Enterprise Mobility MVP and WMUG Leader, who gave a whistle stop tour of Servicing, while impressing on the audience the importance of checking the integrity of backups and having a DEV environment to perform a TESTDBUPGRADE before upgrading DEV and PROD. By the time he'd finished everyone had a DEV lab set up due to his constant tutting at not having one (joking, practically everyone put their hand up when he asked if they had a DEV environment), and they knew to check backups before upgrading and not to assume the backups are solid :-) Read more from Robert Marshall on servicing here and here.

Sam Erskine - Cloud and Datacenter Management MVP gave us a good overview of OMS, and dug deep to show us some of the features he thinks are mind-blowing, such as Event Log harvesting. As with all the other sessions, humour permeated the air and Sam entertained us well while covering off a novel but interesting technology.

Matt White - MCS Consultant and WMUG teamie gave us a great overview of managing Modern Devices (Windows 10) in a cloud-only model. What a great way to show off how far things have come with the Cloud technologies at Microsoft.

And to wrap the presentations on the day, Phil Wilcock of 2Pint Software gave us a very detailed run through of BITS\BranchCache and PeerCache. The depth was stunning, recounting tales of yore (the story behind BranchCache and its author's demise) as well as giving insight into areas of the subject matter; a very revealing, empowering session. The audience would have eaten up a lot more but we ran out of time.

As usual we had something to give away, and this time thanks to our sponsor Flexera Software we were able to give a Raspberry Pi (V3) away to a lucky winner

Well done Craig Strong! We hope to see some pictures of you and whatever you get the Pi to do!

Paul Winstanley gave away the prize, since Paul eats, sleeps and lives Raspberry Pi! (Ask him what that is all about, interesting story ...)

We also had a special give-away, a USB Hub that was previously owned by the generous grand-father of SMS, Wally Mead. Robert Marshall had this in his stash for a couple of years and it was time to let it go!

Keith Sanderson won the prize by guessing "Who owned this device?" I had to hint just a little, but I did leave it open!

And finally, not really related to the event itself, but at the venue there was a Microsoft Surface Hub and some of us gave it a spin, if WMUG had the cash and a need for a meeting room We'd love to have one of these, so super cool!

All presentations except the Flexera Software presentation can be downloaded from here

Well, what is next, keep an eye on the WMUG Tweet account as we have two additional physical events lined up for the South of England, and a possible event taking place further North, as well in Ireland. We'll announce all of this as things are locked into place.

In the meantime, please do keep an eye on the WMUG Tweet account for our announcements for further WMUG Clinics - The intent is to rerun the same sessions from this event and go further, or dwell on areas that are of interest to the audience in an informal setting.

Again, thank you for attending, and thank you again to our very cool sponsors Flexera Software!

The WMUG TEAM


WMUG TechTalk - Overview of Flexera Software products and features


WMUG TechTalks presents an Overview of Flexera Software products and features.

Your host for this session is Robert Marshall - Enterprise Mobility MVP, and your presenter is Paul Hossack from Flexera Software.

This session is a repeat and extension of the session presented by the event sponsors at the recent WMUG Configuration and the Cloud event, with the opportunity for further Q&A with the Flexera Software presenter Paul Hossack.

Attendance is free, with the requirement for Skype for Business Full or Web App.

Tips

  • Make sure you have Skype for Business Full or Web App installed before you join the meeting
  • Mute your microphone
  • Use the Chat feature of Skype for Business to ask questions

Click here to join the event on the 24th of May 2016 at 8PM UK BST time.

Paul Hossack - Paul will give us a demo of Flexera Software product offerings. Paul has been securing networks since 2007. A seasoned project leader and encryption specialist, and most recently hardware firewall adept, Paul is an expert in his field. Now working with Flexera Software (formerly Secunia) he brings his skills to vulnerability defence.

Robert Marshall - Owner and Senior Consultant at London based Consultancy SMSMarshall Ltd, specialists in ConfigMgr. Microsoft EM MVP in Configuration Manager since 2009, and WMUG founder in 2006.


WSUS and KB3159706 - ESD decryption provision


Be aware, some of my customers and others in the community have been reporting issues once KB3159706 is deployed to their WSUS servers.

This is a known issue, and you’ll need to do the manual steps at the end of the KB3159706 article to get your WSUS server operational again.

This patch replaces KB3148812 which kind of had some ‘issues’.

Here is an example of the kind of whining you’ll get if you connect to WSUS once this patch has been automatically deployed, and the manual steps not carried out:

Thanks Nick Mitchell for the heads up!

I Am Back!


After a long holiday away from blogging, I am back!

Over the next few months I plan on overviewing all the cool Technical Preview features, as well as rocking on back to Current Branch to kick the tyres on the super awesome functionality that is bundled.

One technology I haven’t covered much outside of work is Intune. I’m really liking how that technology is progressing, and I plan on pushing out a few posts over the coming weeks to explore what I am doing with it at customer sites.

Azure really has my ear as well, especially the integration we now have with ConfigMgr (Not just the Cloud DP!).

I am absolutely overjoyed at how things are going with ConfigMgr, an epic time to be a ConfigMgr admin.

ConfigMgr and the Cloud Proxy Point


Technical Preview 5, using Build 1606 or 1607, lets you play around with the new Cloud Proxy feature, and I thought I’d run up a guide on this awesome feature to help others reach out and play with it a bit more easily, as it is a very enabling architectural element for us to have in the design toolkit and worth checking out.

I found the release notes to be a little short on a few details when I got this guide underway, and I had to come back to it for several attempts. Torsten Meringer, another Enterprise Mobility MVP, helped me out understanding what the Service Domain Name should be, CLOUDAPP.NET, and explained how he set up his Cloud Proxy Point certificate using PKI instead of a self-signed certificate; from there everything else just falls into place as documented.

After you’ve done this a few times it takes mere minutes to sail through, but for the first time it’s going to most likely take well over an hour to complete.

A key thing to note in the steps for enabling the Cloud Proxy Point is that your roles have to switch into HTTPS mode after you’ve added the Cloud Proxy Point role; I found that if you do not do this, the ConfigMgr Clients never see the Cloud Proxy Point. One way to run into this unknowingly is to remove the Cloud Proxy service and Cloud Proxy Point role, then try to put them back without first switching your MP\DP\SUP roles to HTTP.

To get to the point where you can test out this Cloud Proxy Point feature, you will need to have PKI set up already for your ConfigMgr environment.

For a lab you can simply switch your existing MP, DP and SUP (if you are testing with one) into HTTPS mode, but for a lab that is servicing non-HTTPS clients, you will need to set up a new Site system with which to host your new HTTPS based MP, DP and SUP roles.

Before you begin working through this guide, your MP\DP and SUP roles must be fully functional in HTTPS mode. Once you’ve tested them, and before you begin the guide, switch them to HTTP mode. I found that if you don’t, your clients will not get a Cloud Proxy Point given to them when they do a Location Request while on the Intranet.

From your Active Directory Domain Controller, or a system running the RSAT tool, create a new Active Directory Security Group called ConfigMgr Cloud Proxy PKI Template

We’ll use this Security Group for two purposes, to generate the Cloud Proxy Point certificate and the Azure Management Certificate.

Now that the Security Group has been created, we next need to add the Site server’s computer account to it, so please go ahead and do that now.

Once done reboot the Site server so that its computer account token is updated with this new security group membership.

To proceed, we’ll concentrate on creating the Cloud Proxy certificate. This is created in the same way that you’d create a Cloud Distribution Point certificate, as shown here for reference; we’ll set this certificate up below, so there is no need to transition to the steps in that link.

Switch to your Certificate Authority server.

Open the Certificate Authority MMC snap-in, navigate down to Certificate Templates, from there right-click and select Manage.

image

We’ll need to do the below steps twice, but hold off doing so for now, until I tell you later in the guide to return to this point.

The Certificate Templates console will appear (or switch to it if returning here), from there navigate to the Web Server template, right click and select Duplicate Template.

image

On the General tab, enter the new Template Name as ConfigMgr Cloud Proxy Point Certificate

image

Select the Request Handling tab, tick Allow private key to be exported

image

Select the Security tab and then Enterprise Admins, remove Enroll permissions for Enterprise Admins.

image

Add the new Security Group name ConfigMgr Cloud Proxy PKI Template

image

Tick Read (should already be ticked) and Enroll

Select OK

Right click Certificate Templates, select New, then select Certificate Template to Issue

image

Locate and select the ConfigMgr Cloud Proxy Point Certificate entry in the Enable Certificates Templates dialog

image

Select OK

That’s the Cloud Proxy Point PKI Certificate setup, we now need to setup the Azure Management certificate.

I’ve separated these two certificates out, as it is a more secure way of dealing with your Azure subscription, I could have opted to reuse the Cloud Proxy Point Certificate as the Azure Management Certificate, but I prefer the degree of separation.

So now return to the point above where I told you earlier you’d be returning to, and use the following details to change the steps:

Call the template name the following: ConfigMgr Azure Management Certificate

In the Enable Certificate Templates dialog: Select the ConfigMgr Azure Management Certificate

When you are done, we’ll continue from here.

We’re going to request the Cloud Proxy Point and Azure Management Certificates from the Certificate Authority now, so that we can export them, and while we’re in the Certificates snap-in we’re going to fetch the Trusted Root Certificate.

Before we do this we’re going to have to think of a unique Azure Service name for our Cloud Proxy Point. This will be appended to a Domain Name called CLOUDAPP.NET, it must be unique, if you don’t get this right you’ll have to recreate the below Certificates once you find the problem and generate a unique service name.

An easy way to find out if a service name is taken is to ping it, if there is no DNS match you can try that as a service name. Later in this guide you’ll be asked to provide the Service Name and the Service Name FQDN, the latter just being your service name with .CLOUDAPP.NET appended.

From the Primary Site server, open the Certificates MMC snap-in for the Local Computer

Expand Personal and right click Certificates, select All Tasks and then Request New Certificate

image

The Certificate Enrollment dialog will now appear, from which you’ll need to tick both the ConfigMgr Cloud Proxy Point and ConfigMgr Azure Management Certificate entries

image

Both certificates need a Common Name configured, we’ll do the ConfigMgr Azure Management certificate entry first, so select the “More information …” link underneath it

From the Subject Name panel, and from the Type drop-down box, select Common Name

For Value enter your service FQDN.

Select Add

image

Select OK

Select the ConfigMgr Cloud Proxy Point certificate entry, and select the “More information …” link underneath it

From the Subject Name panel, and from the Type drop-down box, select Common Name

For Value enter your service FQDN.

Select Add

image

Select OK

Now select Enroll and Finish once done, while noting whether it is successful or not

image

You should end up with your two certificates back in the Certificate snap-in

image

Let’s export them, we need to do this twice for each certificate, starting with the ConfigMgr Azure Management certificate

Select the ConfigMgr Azure Management certificate, right click it, select All Tasks then Export

image

Select Next then Yes, export the private key

Select Next

image

Select Next

image

Tick the Password check box and give this certificate a strong password, note it as you’ll need this password

Select Next

image

Now save the certificate by selecting Browse and giving it a suitable name. This one will be saved in PFX file format; drop it into a common folder that you’ll return to a few more times.

image

Repeat the export of the ConfigMgr Azure Management Certificate, but this time do not export the Private key, this will cause you to be prompted just for the filename, give it the same name as your previous certificate, this one will be saved in CER file format

image

Now do the same again for your ConfigMgr Cloud Proxy Point certificate, repeating the steps above to export it as a CER file.

Once you’re done exporting, go back to the Certificates snap-in, navigate to the Trusted Root Certification Authorities node, expand Certificates and select the root certificate for your domain. I’ve selected and highlighted mine here:

image

Right click it, select All Tasks then Export, accept the default format type, give it a name and store it along with the other certificates you’ve already exported naming it appropriately (YOURDOMAINRootCA.CER for example)

Now you need an Azure Trial, or a functioning Azure subscription, I’ll assume you will create a test subscription from new to check the Cloud Proxy feature out.

To setup a new Azure subscription you’re going to need a Microsoft account, if you don’t have one of those to hand, or spare, create a new one here

Go visit the Azure Trial and set yourself up a subscription, you’ll need an MS account (Live, Hotmail et al), a credit card (not-charged unless you upgrade to a paid subscription yourself) and your phone details. This will give you a 30 day or so trial to mess around with, and enough resources to run up a demo of the Cloud Proxy point.

image

Once you’ve subscribed and logged in, you will need to connect to the Azure Classic Portal, instead of the new Portal that you’ve most likely logged in with.

This is a requirement for a configuration element of the Cloud Proxy, Azure Management Certificates, a feature which I believe is deprecated but used by the Cloud Proxy feature today.

Visit MANAGE.WINDOWSAZURE.COM and login if necessary.

Once logged in, we’ll now upload our ConfigMgr Azure Management certificate to Azure itself, so as to gain access to the Azure Service Management API for the Cloud Proxy Point.

More can be read on Azure API Management Certificates here.

In the Azure Classic Portal, select Settings, then select Management Certificates

image

image

The Upload a Management certificate window will pop up in the browser, click the Folder icon and navigate to your ConfigMgr Azure Management certificate

image

Enter the strong password that you set when exporting this certificate

Note that it is uploaded to your Azure subscription.

image

Anyone flashing this Certificate around can completely control your Azure subscription, so tuck it away somewhere safe when done.

image

Note the Subscription ID, it’ll be in dashed notation like XXXX-XXXX-XXX-XXXX-XXXXX, store this away as you’ll need it in a moment and we’ll refer to it as your Subscription ID.

 

Now we’ll add the Cloud Proxy Service to the ConfigMgr Site server. To do this we visit the Administration workspace, and expand Cloud Services and select Cloud Proxy Service.

Select Create Cloud Proxy Service on the Ribbon, or via a Right click on Cloud Proxy Service

image

You’ll be greeted by the Create Cloud Proxy Service Wizard.

Enter your Subscription ID.

Select Browse and select your ConfigMgr Azure Management certificate

image

It’ll prompt you for the certificate's strong password, tap it in, then select Next

image

Now enter your Service Name, this is not your Service FQDN.

Select the Region you are testing in.

For Certificate File select Browse and navigate to the ConfigMgr Cloud Proxy Point certificate

The Service FQDN will automatically be populated from the certificate's Common Name.

For Root certificate file select Browse and navigate to the Root Certificate that you exported earlier

Make sure Verify Client Certificate Revocation is not ticked, unless you are setup for it, if in doubt, untick.

Select Next

image

Select Next and then Finish

Now go monitor the CLOUDMGR log to see it provisioning the service into Azure, eventually you’ll also see the SMS_CLOUD_PROXYCONNECTOR log.

Once everything has settled down, from the ConfigMgr Console you should be able to see that the service has been setup correctly

image

image

In the above shots I’ve already had some traffic pass through, for a brand new setup the metrics should be white space.

I heard that if it shows Partially connected for an extended period of time, mine showed for a minute or two, then there was a problem provisioning the service. Try again, if it doesn’t work it is most likely a glitch.

Now that’s the Certificates and on-boarding of the services in Azure done, next we set up the Site server to use the Cloud Service, by installing a Cloud Proxy Point, and then we’ll do a quick run through with a Client test, run from a client on the Internet.

From the ConfigMgr Console, go to the Administration workspace, select Site Configuration and then Sites.

Assuming this is a Stand-alone Primary site server, select it and then select Properties, otherwise select the Primary you want to run the test on

From the Client Computer Communications tab, tick the box next to Use PKI client certificates (client authentication) when available text, and make sure to untick Clients check the certificate revocation list (CRL) for site systems.

Now add the Cloud Proxy Connector role to your Site server. No instructions needed for bedding this role in, just select and install it.

And to complete the server configuration switch your MP, DP and SUP to HTTPS mode, while making sure to tick the Allow Configuration Manager Cloud Proxy Traffic while switching to HTTPS in each of those roles properties dialogs. Make sure the roles are functioning, check the MPCONTROL log to make sure the MP is working fine.

That should be it.

You can go back if you like and look at the steps in the Technical Preview notes, to double check we’ve not missed anything, especially if you are buzzing up and down the guide trying to figure out why it isn’t working.

Now, to kick the wheels of this feature you’re going to need to have a ConfigMgr Client installed. Take care of that on a device that can be set to visit the Internet.

Once all of the above changes have been implemented, while on the Intranet recycle the CCMEXEC service on the ConfigMgr Client so that it gets a Location Services update, these occur every 24 hours if left alone, so recycling the service will speed this part of the testing up somewhat.

Once Policy has arrived and been processed by the ConfigMgr Client (go look at the messages and date stamps in the POLICYEVALUATOR log) open WBEMTEST and connect to ROOT\CCM\LOCATIONSERVICES, select Enum Classes… and select OK, navigate until you find the SMS_ActiveMPCandidate class, double click it, and then select the Instances button.

Here you can quite clearly see that the ConfigMgr Client knows all about our Cloud Proxy Management Point and will switch to it if it senses we’re on the Internet (out of any defined boundaries)

image
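As an added example (not code from the original guide), the same check can be scripted instead of clicking through WBEMTEST. The program below reads the client's SMS_ActiveMPCandidate instances from ROOT\CCM\LOCATIONSERVICES and reports whether any candidate refers to a CLOUDAPP.NET host, which is what a Cloud Proxy Management Point looks like from the client's side. It deliberately prints every populated property rather than hard-coding property names, because the class layout is not documented on this page; the assumption that the cloud MP is identified by a cloudapp.net name is taken from the URL shown further down in the guide. It needs a reference to System.Management.dll and must run on the ConfigMgr client, normally elevated.

```csharp
using System;
using System.Management;

// Added example, not part of the original guide: reads the ConfigMgr client's
// SMS_ActiveMPCandidate instances (the same data WBEMTEST shows) and reports
// whether a Cloud Proxy Management Point has been handed out to this client.
static class ActiveMpCandidates
{
    const string Namespace = @"root\ccm\LocationServices";
    // Assumption: a Cloud Proxy MP is published under Azure's cloudapp.net domain.
    const string CloudSuffix = ".cloudapp.net";

    // Returns true when at least one candidate MP points at the cloud service.
    public static bool HasCloudProxyCandidate()
    {
        bool found = false;
        using (var searcher = new ManagementObjectSearcher(Namespace, "SELECT * FROM SMS_ActiveMPCandidate"))
        {
            foreach (ManagementObject mp in searcher.Get())
            {
                Console.WriteLine("Candidate:");
                // Property names are not hard-coded; every populated property is printed,
                // matching what the Instances button in WBEMTEST shows.
                foreach (PropertyData prop in mp.Properties)
                {
                    if (prop.Value == null) continue;
                    Console.WriteLine("  {0} = {1}", prop.Name, prop.Value);
                    string text = prop.Value as string;
                    if (text != null && text.IndexOf(CloudSuffix, StringComparison.OrdinalIgnoreCase) >= 0)
                        found = true;
                }
            }
        }
        return found;
    }

    static void Main()
    {
        bool cloud = HasCloudProxyCandidate();
        Console.WriteLine(cloud
            ? "Client knows about a Cloud Proxy Management Point."
            : "No cloudapp.net MP candidate yet: recycle CCMEXEC while on the intranet and re-check once policy has arrived.");
    }
}
```

If the query returns nothing at all, the client has not yet processed its Location Services update, so check the POLICYEVALUATOR log date stamps before assuming the server-side configuration is wrong.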

Now that we know that the ConfigMgr Client is ready to begin using the Cloud Proxy Point, let’s trigger it to do so.

I used a mobile hotspot to get a WIFI connection for my laptop to use, which was routing onto the internet.

Once I got the laptop on to the Internet, I checked the ClientLocation log to see if the ConfigMgr Client was registering as being on the Intranet or Unknown (Internet in this case). Sure enough, after a few moments it fired into life and the Connection Type value changed to show as Unknown, which means Internet in our case, as can be seen below:

image

Now switch back to the ClientLocation log, after a few moments if not already done, there should be activity, and a switch taking place to the Cloud Proxy service instead of continuing to try the on-premise Management Point.

image

In the above shot you can see we’ve rotated over to using a new URL for the Management Point as:

CP1EMMVPTEST04.CLOUDAPP.NET/CCM_Proxy_MutualAuth.

Now you just need to open the PolicyEvaluator log, then trigger a Machine Policy Retrieval, watch from the log, confirm that Policy was retrieved, if it has it’s been retrieved from the Cloud Proxy service!

I also sent down a test Package\Program combination, one package with real content, another to just launch Notepad, all arrived as you’d expect when Machine Policy was triggered.

I didn’t test out the SUP as I didn’t have it configured in the lab, but am sure it’ll function just as fine as the Management Point and Distribution Point did, I’ll be sure to test that another time to make sure.

Enjoy the feature, I really rate this. I can see it becoming a major element in the architectural design process, one companies will use to extend their systems management ‘reach’ to their most difficult to manage, remote and not-well-connected end-points (with the condition that they at least have internet access), as well as to atypical remote office devices that have good internet access (serviced today by IBCM, for example). The added advantage is removing the need to host your on-premise ConfigMgr roles in public-facing DMZs (so that IBCM can function); instead, Azure is used to route the traffic between the ConfigMgr clients and your on-premise roles in a secure fashion.

A great feature. Cannot wait to see it develop further.

Tweet me on @RobMVP if you want to chat about the guide, any deviations you had to make, or if you just plain are stuck, will try to help.


WMUG 10th Anniversary


Thank you to all that attended the WMUG 10th Anniversary event!

And a big thank you to our sponsors 1e

Our tenth Anniversary finally came along, who would believe it, we've been doing this for that long!

The event was initially set for 100, but what with it being the holiday period, we were aiming a bit too high, and with the reservations in the closing week at around 50, we decided to cap the event at 50, and on the day, I believe we had, including the WMUG Team, 35 attendees in the room. A good turn out!

For this event we had the pleasure of receiving two presenters that had to travel from abroad, Enterprise Mobility MVP Nickolaj Andersen travelled over from Sweden, and System Center Consultant Maurice Daly who travelled in from Ireland, Thanks guys.

The other guest presenters were our sponsors 1e with Brent Hunter, and then Enterprise Mobility MVP Robert Marshall, Terence Beggs who doubled up with Maurice Daly, Marcus Robinson and Aaron Czechowski. With Peter Egerton putting on an awesome IT Quiz, which we had a great time with and can see coming back.

 

For this event we had a virtual presentation, which was given by Aaron Czechowski, and it worked out perfectly. We will do more of these.

 

On the day, only one presentation suffered at the hands of the demo gods.

 

Once all the slide decks are in one place we'll update this post and link here.

 

Here's a run down of the day in pictures.

 

 

Arrival at the venue, attendees are greeted with fine imagery presented on a Microsoft Surface Hub, and refreshments before the day gets underway

 


The IT Crowd

 

 

We got them to wave to prove that they were not photo-shopped in

 

 

Brent Hunter from 1e gave us a wonderful presentation on Accelerated Windows 10 Deployments,

as well as giving us a brief overview of the technologies 1e offer in this space

One of the most significant hurdles a client estate upgrade will encounter is transitioning from BIOS to UEFI during a Windows 10 deployment, and 1e have this fully nailed down and painless

Robert Marshall was on next, but I cannot find his picture so he'll have to settle for a link here, to a blog-post he recently did on the very subject he presented on, Push-based Replica Management Points

Marcus Robinson put on a presentation based on a very exotic and extremely powerful technology, DSC,

and showed us how easy it is to use for Azure automation

Maurice Daly and Terence Beggs who are both WMUG Community Contributors,

gave us a good grounding on where things are with Multi-factor Authentication

 

Enterprise Mobility MVP Nickolaj Andersen put PowerShell through its paces,

giving us cool examples of how to get at Configuration Manager to do almost everything using it


We then moved onto our Quiz, Guests versus our Panel of Experts, and the Guests won by a clear margin!

Well done Guests, some of those questions were, ahem, very exotic although IT related!

And good job Peter Egerton for coming up with the idea and hosting it.

 

 

The raffle got underway, for this event we had a book, a ticket and some hardware to give away

 

Congrats James Staunton for winning the System Center Universe ticket!

We should be hearing back from James once the event is over and he can give us a review

And thanks System Center Universe for giving us the free ticket to give-away!

Next up was a guy whose name shall remain a mystery until he steps forward (we lost the bit of paper with it on),

however he is the bearer of a Microsoft Band 2, kindly given away by our sponsors 1e

 

Congratulations Cristian Ceobanu for winning the Troubleshooting System Center Configuration Manager book

by none other than WMUG Leader Peter Egerton

Likewise for Keith Sanderon who also won the book

 

 

And finally, our virtual presenter Aaron Czechowski began his presentation over Skype

We were worried the link would drop ...

But he stayed with us, and gave us a run through on Current Branch features as well as the Technical Preview,

rounding off with a demo of the new Cloud Proxy Point

Aaron showing us more of his stuff, and with no interruptions to the link he was able to give us an excellent interactive presentation, over-the-wire, very nice, and a big thank you to Aaron!

 

Thank you again to all those that attended. Until next time.

 

Join WMUG for a day of Expert Windows Management and a bit of fun too on what will be our 10th anniversary event. 

Wednesday 13th July, 2016.

Microsoft UK
2 Kingdom Street
Paddington
London
W2 6BD

Featuring excellent speakers from the IT community and Microsoft alongside the WMUG team and our event sponsor 1E.

The agenda will be as follows (time, speaker, session title, abstract):

09:00  Registration & Coffee

09:30  WMUG: Welcome. A quick welcome and introduction from the WMUG team.

09:45  Brent Hunter (1E): Accelerated Win10 Migrations. Windows 10 brings a range of new capabilities to an enterprise, including essential new security features to ensure data is protected, and greater agility to succeed in today’s digital world. However, Windows 10 also brings a new set of challenges, from enabling the new security features to a new Microsoft servicing model that needs careful planning before the migration begins.

10:30  BREAK

10:45  Robert Marshall MVP: Advanced ConfigMgr Series. This series focuses on advanced techniques with System Center Configuration Manager. In this, Robert's first presentation of the series, we will cover advanced architectural design of ConfigMgr gathered from real-world experiences. This is a relaxed and interactive session: design is something we all have to do, or at least deal with, and we’ll get a chance to discuss all the content as we move through it.

11:30  Marcus Robinson: Azure Automation DSC. Azure Automation DSC for server-based configuration management.

12:15  LUNCH

13:00  Maurice Daly and Terence Beggs: MFA Goodness. Microsoft Azure Multi-factor Authentication.

13:45  Nickolaj Andersen MVP: PowerShell and Configuration Manager. An overview of PowerShell coolness with Configuration Manager.

14:30  BREAK

14:45  Peter Egerton: Geeks vs Guests. We put the audience head to head against our panel of experts to see who knows more about being an IT Pro.

15:30  Q&A: Open questions. A chance to ask questions, get answers and openly discuss any thoughts you may have around Windows Management.

16:00  Giveaways: Prize giveaways. We have a System Center Universe Europe ticket to give away along with a Microsoft Band 2 from 1E and two Troubleshooting Configuration Manager books.

16:10  Aaron Czechowski: What's new in Configuration Manager. Live and direct from Redmond, Aaron will tell us what we can look forward to in Configuration Manager.

16:55  Close & Thanks

The event is completely FREE to you including refreshments and lunch courtesy of our sponsor for the day 1E.

We also have an open questions session back by popular demand and we will be giving away a ticket to System Center Universe Europe in Berlin* for one lucky person who makes it to the end of the day.

So what are you waiting for? Register now!! We have increased our capacity following the success of recent events however there are still limited seats available, and as always we expect these to fill up quickly. Don't delay or you may be disappointed.

1E

1E’s mission is simple: to enable our customers to automate the full software lifecycle across their business.

Through Software Lifecycle Automation employees become more productive, the business becomes more agile, and IT departments more reactive to change. They empower customers to remove unused software and unnecessary servers, and reduce network bandwidth while providing their users with the software they need, when they need it. As a result, their customers save millions on hardware, software, energy, and people.

To date, 1E solutions have generated over $2.6 billion of productivity improvements. This includes $1.4 billion in energy costs alone and a reduction in CO2 emissions of 12.4 million tons.

Their customers include Verizon Wireless, Dell, ING, Nestlé, BNP Paribas, Ford Motor Company, the US Department of Veterans Affairs and the UK Department of Work and Pensions.

About the Speakers

Brent Hunter - 1E Solution Engineer and experienced Windows Migration consultant, will provide vital information about Windows 10 deployment and management using ConfigMgr, including information about upgrade scenarios, what the new security features mean to your migration, gaps & limitations of ConfigMgr, and focusing on the BIOS to UEFI transition challenge – putting you in the driving seat of your Windows 10 project.

Nickolaj Andersen - Awarded Microsoft MVP status in 2016 and a Senior Consultant Mobility and User Experience for Lumagate based in Stockholm, Sweden. Creator of numerous Configuration Manager and Enterprise Mobility tools, scripts and all round nice guy. PowerShell.org Hero 2015. Check out his blog at scconfigmgr.com.

Marcus Robinson - Technical Evangelist at Microsoft UK with a focus on writing and talking about DevOps practices to technical audiences throughout the UK. He has become a recognised expert in technologies such as Windows Server and Microsoft Azure and has also authored numerous training courses for Learning Tree International.

Maurice Daly - WMUG contributor Maurice has been working in IT since 1999 and is based in Dublin, Ireland. Maurice is a seasoned IT Pro and has many tips and tricks to share. Find Maurice on Twitter at @modaly_it

Terence Beggs - WMUG contributor Terence is a Senior Systems Officer for Migration and Deployment for London Metropolitan University. Terence has over 10 years' experience as an IT Professional.

Robert Marshall - One of the original WMUG founders, WMUG leader and MVP for 8 years in what is now Enterprise Mobility. Robert is the senior consultant at a London based Consultancy called SMSMarshall Ltd, specialists in ConfigMgr. 

Peter Egerton - Senior Cloud Consultant at Inframon Ltd with a specialism in Enterprise Client Management. He has been working in IT since 2000 and a WMUG community leader since 2013. Peter is a Microsoft Certified Trainer and also recently authored his first book on Troubleshooting Configuration Manager.

Aaron Czechowski - Senior Program Manager at Microsoft based at Microsoft HQ in Redmond, USA. Aaron is responsible for Operating System Deployment in Configuration Manager as well as the Microsoft Deployment Toolkit.

If you have any registration questions please contact events@wmug.co.uk

*Travel and accommodation is not included and conditions apply.

ConfigMgr Technical Preview 1608 – Bag of awesomeness


 

Hey you!

ConfigMgr Current Branch Technical Preview build 1608 has released.

I highly recommend building a lab VM to host a technical preview build, seeketh out a guide from Niall Brady and others on how to setup the Technical Preview, having one so you can check out impending features is the way to be super cool and be up on the latest product developments.

Here’s a run down of the features available for tire kicking in 1608:

  • ‘New Software’ indicators in Software Center: The Software Center Applications, Updates, and Operating Systems tabs now show which software was recently added. Numbers in the navigation pane show how many new software items are on each tab.
  • Application Requests from Software Center: Users can now request approval for applications and view the request history for applications in the Application Details view in Software Center. The Request button in Application Details no longer redirects to the web-based Application Catalog.
  • Improvements to Asset Intelligence: A new field has been added to the properties for inventoried software that lets you set a parent and child relationship with other software. In the Inventoried Software list, you can view the parent of any software and also hide child software.
  • Keyboard Translation for Remote Control: By default in a remote control session, characters typed on the viewer’s keyboard are sent to the controlled device instead of the keys, whether or not their keyboard layouts match. This behavior may be turned off in the Remote Control viewer Action menu.
  • Improvements to the Prepare ConfigMgr Client for Capture task sequence step: The Prepare ConfigMgr Client step will now completely remove the Configuration Manager client instead of only removing key information. When the task sequence deploys the captured operating system image, it will install a new Configuration Manager client each time.

That last one is VERY important.

Do you know why?

This removes a key argument or reason for using MDT for Gold\Master Image management, the desire to end up with a gold image that doesn’t contain a ConfigMgr Client (in a deactivated state).

I am not an MDT hater, every tool has a place, and there is a place for every tool, but immediately turning to MDT adds complexity often unnecessarily, and moves the novice to intermediate ConfigMgr Administrator (who are the ones mostly implementing or owning ConfigMgr, not rocket scientists) out of the ConfigMgr Console, and into a foreign tool, so as to perform a task that should stay with ConfigMgr, building and capturing images.

We know there are short-falls in what can\cannot be done, and this means MDT still reigns, although much of what it does can be achieved in the environment (Group Policy etc.). Realistically, there should be gaps in what they do as they service customers at different ends of the scale, but Windows 10 Management should be universal between ConfigMgr and MDT. MDT shouldn’t be the only product able to render a Gold\Master Image in a certain way (the way most Enterprises opt for), especially if you’ve bought ConfigMgr and want to do it all there.

Consider the Windows 10 cadence and how rapid it is now: you won’t be creating a Gold Image that lasts a year for much longer. If you are on LTSB, sure, but on CB or CBB you will be turning an image over often, which means the MDT environment is going to be busier until we can shift to a single pane of glass, ConfigMgr.

ConfigMgr Port Checker–CheckPort


I find that I often do quick port tests related to ConfigMgr installations at customer sites. My traditional approach was to use TELNET and NETSTAT together, checking for connections marked as SYN (no synchronisation packet came back) as an indicator that the port is blocked or not being listened on. So I thought, why don’t I write a new (extensible) Tcp port checker to do the job for me?

Falling back to the classic Tcp port test, use TELNET to test a Tcp port, and NETSTAT to see what is happening:

TELNET IP PORT

NETSTAT -AN | FIND /I "SYN"

You have to do this fast, within a second or two, or you’ll miss the port's SYN state and get no results back. Try it, it has helped me out a lot over the years.

Well, half-way through coding this new tool, as I often just code for fun and, can get carried away between a mere thought and my hands whizzing back and forth in Visual Studio creating something, I checked to see if anyone else had a cool port checker, and found this (lol oops how can I forget that old Microsoft port checking puppy!), this, and another that I cannot locate the link for again, was ConfigMgr specific and was fed by a XLS, I’ll update the post another time if I remember, and include a call out to that tool as it was the first one I found.

So yeah, I wanted to call these tools out that came ahead of mine, go ahead, check them out, a port checker is a port checker after all, so choose your poison and get the result you want (Port open, Port closed).

My tool is Tcp only I’m afraid. Udp is a tricky beast to validate. If I can get something reasonable that is reliable (so many conditions can make testing Udp pointless), I’ll update the tool with it. Framework code for Udp is there, so implementing Udp is a cinch if I sort out the Udp Port checking logic.

This version doesn’t handle DNS lookup of the hostname very well, works for some of you, IP always works, I’ll fix this at the next release. And also IPV6 isn’t supported until the next release.

CheckPort for ConfigMgr is wrapped as an MSI to make installing\uninstalling a breeze (thanks Flexera Software for InstallShield Express!).

Unblock the MSI if Windows warns you it is from an untrusted source. I am in two minds if I should buy a certificate to sign my tools so that they are trusted by Microsoft, but that costs £££, maybe one day.

I mentioned above that this thing is extensible, well it sure is, it can either run as a stand-alone EXE with all ConfigMgr rules built-in, or feed off of a four-column CSV file (Test name, Port Name, Port, Tcp\Udp) located in the same directory as the EXE. The MSI installer will drop a sample CSV file into the installation folder for you to check out.
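To show what such a checker does under the hood, here is an added example in C# (it is not the CheckPort tool's own source). It parses rules in the four-column CSV layout described above, connects with a timeout, and reports three outcomes instead of the two the TELNET and NETSTAT trick gives you: Open (handshake completed), Refused (the host sent a reset, so it is reachable but nothing is listening) and Filtered (no answer before the timeout, which is what a firewall dropping the SYN looks like). Udp rows are reported as skipped for the reason given above. The sample rules and the default host are constructed; they are the usual ConfigMgr ports but are not a list from the tool.

```csharp
using System;
using System.Net.Sockets;

// Added example, not the CheckPort tool's own source: a Tcp port checker driven by
// rules in the four-column CSV layout (Test name, Port Name, Port, Tcp\Udp).
// Open = handshake completed, Refused = RST came back, Filtered = silence until timeout.
static class PortRules
{
    public enum Result { Open, Refused, Filtered, SkippedUdp }

    public sealed class Rule
    {
        public string TestName;
        public string PortName;
        public int Port;
        public string Protocol; // "TCP" or "UDP"
    }

    // Parses one CSV row; returns null for a malformed row so the caller can report it.
    public static Rule Parse(string line)
    {
        string[] f = line.Split(',');
        int port;
        if (f.Length != 4 || !int.TryParse(f[2].Trim(), out port) || port < 1 || port > 65535)
            return null;
        return new Rule
        {
            TestName = f[0].Trim(),
            PortName = f[1].Trim(),
            Port = port,
            Protocol = f[3].Trim().ToUpperInvariant()
        };
    }

    // Connects with a timeout. BeginConnect/EndConnect keeps this usable on .Net 4.0.
    public static Result Check(string host, Rule rule, int timeoutMs)
    {
        if (rule.Protocol == "UDP")
            return Result.SkippedUdp; // Udp needs a protocol-specific probe to be meaningful

        using (var client = new TcpClient())
        {
            try
            {
                IAsyncResult ar = client.BeginConnect(host, rule.Port, null, null);
                if (!ar.AsyncWaitHandle.WaitOne(timeoutMs))
                    return Result.Filtered;   // silence: dropped by a firewall or no route
                client.EndConnect(ar);
                return Result.Open;            // three-way handshake completed
            }
            catch (SocketException ex)
            {
                // A reset from the host means the port is reachable but nothing is listening.
                return ex.SocketErrorCode == SocketError.ConnectionRefused
                    ? Result.Refused
                    : Result.Filtered;         // name lookup failures and the like land here
            }
        }
    }

    static void Main(string[] args)
    {
        string host = args.Length > 0 ? args[0] : "127.0.0.1"; // constructed default target

        // Constructed sample rules in the CSV layout; a real run would load rules.csv
        // from the EXE's directory with File.ReadAllLines.
        string[] csv =
        {
            "Management Point,HTTP,80,Tcp",
            "Management Point,HTTPS,443,Tcp",
            "Site Database,SQL,1433,Tcp",
            "Client Notification,BGB,10123,Tcp",
            "Wake On LAN,WOL,9,Udp",
            "Broken row,oops,not-a-port"
        };

        foreach (string line in csv)
        {
            Rule rule = Parse(line);
            if (rule == null)
            {
                Console.WriteLine("Skipping malformed rule: " + line);
                continue;
            }
            Console.WriteLine("{0,-20} {1,-6} {2} {3,-5} {4}",
                rule.TestName, rule.PortName, rule.Protocol, rule.Port, Check(host, rule, 2000));
        }
    }
}
```

Run it against a site server from the machine whose connectivity you are doubting; a Filtered result for a port the server definitely listens on is the firewall symptom the SYN trick was hunting for, while Refused tells you the path is fine and the service itself is not up.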

Download the tool from the TechNet Gallery

And … enjoy!

Guide to creating your own ConfigMgr tools – Part 4


In the following series of blog posts I will introduce you to C#, Visual Studio and the ConfigMgr SDK, and show you how to produce your own custom tooling easily.

 

The motivation behind this series of postings is to enable you to create community tools or bespoke tooling to assist you in your day-to-day ConfigMgr role, and thus to enhance the Community overall, as hopefully you’ll produce the very next best tool and we’ll all benefit from it.

 

To underpin the guide I’ve written a tool called MonitorMP which will keep an eye on the health of your Management Points outside of the ConfigMgr Console. The source code for this tool will be built up and completed by the time we’ve finished with the series of posts, at which point we’ll make the tool available in both compiled and source code form, and everyone that read this guide will feel somehow connected to it :)

Previous postings for this guide

Guide to creating your own ConfigMgr tools – Part 1

Guide to creating your own ConfigMgr tools – Part 2

Guide to creating your own ConfigMgr tools – Part 2 – Extended

Guide to creating your own ConfigMgr tools – Part 3

 

In this post we’re finally going to build the MonitorMP tool!

Let’s first lay out our requirements:

  • .Net 4.0 as we want this to be highly available, and not require the latest .Net (4.5.1 or 4.5.2) to be installed
  • Check all Management Points associated with a Site Server, to see if they respond to HTTP requests, green light, red light visual indicator
  • Repeat the test on an interval
  • Test HTTP only, HTTPS requires extra handling and is a great idea for a V2 made by the Community

That’s about it, all we want to do is check the Management Points for a response, and maybe schedule a repeating check just to stretch the project out a bit, and to include threading examples for you.

To accomplish this, we’re going to need some tools from the .Net library:

HttpWebRequest and HttpWebResponse allow us to easily open a TCP\IP session to a destination device, issue an HTTP request and retrieve the response

A BackgroundWorker thread will allow us to set a schedule for repeating the test, and allows us to interact with the Form\UI thread to update our interface. The great thing about BackgroundWorker threads is their event support, such as DoWork, RunWorkerCompleted, and the most important for us, ProgressChanged. These events can interact with the UI thread, allowing us to update the UI with data

 

You now have two choices, if you are pretty sturdy with Visual Studio and C# already, then download the Source Code here and run the project to see the end result, skipping all the building up steps, or join me as I build the project step-by-step, so that you write it and gain from the experience.

Let’s get underway and step through building out our project together.

 

  • Open Visual Studio and create a new Project
  • Select Windows Forms Application
  • Give the project the name ManageMP, and sort out the Location (accept the default or choose your development folder if you have one) then Select OK

image

We’ll begin designing the Form before we lay down a single line of code, so let’s get on with that now.

I’ll be asking you to drag some objects from the Toolbox onto the form, tweaking their properties and position\size attributes.

  • Modify the Forms properties
  • Set the Size to 667, 348
  • Set the Maximum size to 667, 1000 (this sets the maximum form dimensions, 667 width meaning it cannot be adjusted widthways, with 1000 set for the height which lets the user resize lengthways)
  • Set the Minimum size to 667,348 (this is the minimum form dimensions, 667 width and 348 height)
  • Set the Text to MonitorMP
  • You can set the Icon for the Form but this isn’t necessary to progress, you can download one I created earlier from here. Change the Forms Icon, and also change the Default Icon in the projects Properties. I suggest storing the ICO file in the Project folder:
  • Select Icon to browse for your ICO file:

image

    • Right click your Project and from the Application tab browse for an ICO file, you can also click Assembly Information to add metadata to the EXE that is shown when you right click it:

image

 

  • Add a DataGridView
  • Drag a DataGridView onto the form
  • Set its Name to dgv_Mp
  • Set its Location to 13, 12
  • Set its Size to 626, 228
  • Set the following properties to False
  • TabStop
  • AllowUserToAddRows
  • AllowUserToDeleteRows
  • AllowUserToResizeRows
  • MultiSelect
  • RowHeadersVisible
  • ShowEditingIcon
  • Set the following properties to True
  • ReadOnly
  • StandardTab
  • Set AutoSizeRowsMode to AllCells
  • Set Anchor to Top, Bottom, Left, Right (this allows the DataGridView to grow as you resize the form, we only need to do Top, Bottom as we are not allowing resizing of the form Widthways)
  • Set AlternatingRowsDefaultCellStyle to DataGridViewCellStyle { BackColor=Color [A=255, R=224, G=224, B=224] } (Use the ellipses and select BackColor to pick a background colour, light grey, or a colour that you like)
  • Right click this DataGridView control, select Edit Columns
  • Select Add
  • For Name enter c_mpName
  • For HeaderText enter Name
  • Select Add then Close
  • For AutoSizeMode select AllCells
  • Select Add
  • For Name enter c_siteCode
  • For HeaderText enter SiteCode
  • Select Add then Close
  • For AutoSizeMode select AllCells
  • Select Add
  • For Name enter c_State
  • For ColumnType select DataGridViewImageColumn
  • For HeaderText enter State
  • Select Add then Close
  • For AutoSizeMode select AllCells
  • Select Add
  • For Name enter c_mpStatus
  • For HeaderText enter Status
  • Select Add then Close
  • For AutoSizeMode select Fill
  • Select OK

 

  • Add a Label
  • Drag a Label onto the form
  • Set the Name to l_writtenBy
  • Set the Text to “Written by X” and replace X with your name!
  • Set the Location to 12, 254
  • Set Anchor to Bottom
  • Set TabIndex to 0

 

  • Add a TextBox
  • Drag a TextBox onto the form
  • Set the Name to tb_Server
  • Set the Location to 164, 254
  • Set the Size to 169, 20
  • Set Anchor to Bottom
  • Set TabIndex to 1

 

  • Add a Checkbox
  • Drag a Checkbox onto the form
  • Set the Name to cb_Timer
  • Set the Location to 339, 254
  • Set the Text to Enable Timer
  • Set Anchor to Bottom
  • Set TabIndex to 3

 

  • Add a NumericUpDown
  • Drag a NumericUpDown onto the form
  • Set the Name to nud_timerMinutes
  • Set the Location to 433, 252
  • Set the Size to 47, 20
  • Set Anchor to Bottom
  • Set the Value to 5
  • Set TabIndex to 4

 

  • Add a Button
  • Drag a Button onto the form
  • Set the Name to b_Go
  • Set the Text to Check Management Points
  • Set the Location to 486, 250
  • Set the Size to 153, 23
  • Set Anchor to Bottom
  • Set TabIndex to 2

 

  • Add a Status Strip
  • Drag a StatusStrip onto the Form
  • Set the Name to ss_Messaging
  • Right click the StatusStrip and Select Edit Items
  • Select StatusLabel and Click Add
  • Set the Name for toolStripStatusLabel1 to ssl_Entry
  • Set the Text to blank (nothing) otherwise it will look like this:

image

 

  • Now that is the form laid out, on your end it should look like this with <Name> replaced with your name

image

  • The position and sizing of the form’s objects should match this screenshot exactly, not just roughly
  • I simply compiled the completed project to get the Form showing for the above screenshot, but you should also be able to compile and run it right now to see the same.

Let’s write a line or two of code.

If you are new to coding in C# you’re about to see several cool techniques that help me code solid applications, for the more handy with C# there are no surprises here for you. I’m a mid-tier C# coder I guess, and could do things more efficiently in some places, make more use of .Net, but overall I get there.

Things we’ll cover:

    • Methods used by the dompCheck BackgroundWorker thread, so as to populate the DataGridView
    • Custom Class Collections to contain collections of custom classes that we’ll use to store multiple properties, and pass around between methods
    • Threading, and thread management through global variables, as well as examples of passing our Custom Classes around using the ProgressChanged and RunWorkerCompleted BackgroundWorker thread events

Ok I was really just teasing you, no coding yet, first let’s cover off why I'm making references to the UI Thread, and mention creating a BackgroundWorker thread:

All Windows Form Applications start out life as Single-threaded applications. This means all the code you write for your application, and the User interface controls you add are all being processed by a single thread, called the Foreground thread.

So, if you burn out that thread the UI will lag and become unresponsive, and if it stays that way for long enough the Operating System will notice and offer to kill off the process for us. We’ve all seen this at one point in time. Not good. For Console based applications this isn’t much of an issue, unless you need concurrent activities taking place.

To go multi-threaded we hit an immediate wall: a custom thread cannot speak directly to the Foreground thread’s form controls, such as the DataGridView and StatusStrip which we want to manipulate. We can code our way around this with a normal Thread from the Thread Class, but it is a work of pain. To overcome this, we use a special kind of thread, and do away with coding our own way out of the situation. We use the BackgroundWorker thread, which is derived from the Thread Class itself, as a place to run our code; it hosts a bunch of methods and events we can fall back on to speak to the Foreground thread’s form controls. The key event for reporting progress back up to the UI thread is the ProgressChanged event, which we can fire at will; the other of note fires when our BackgroundWorker thread finishes, and is called the RunWorkerCompleted event. These two events run on the UI thread, allowing us to play with those form objects while the custom thread is still running, or as it completes.

There are a few good reasons for running code on the UI thread, but ideally if you can lob it off to a custom thread to get on with, is much better, things become more fluid in the UI, as in the user experiences a smoother ride. To read more on the BackgroundWorker thread, visit the MSDN library here.

The gap between single-threaded applications and multi-threaded is narrowed further for you, multi-threading your code is now within your reach!

Now let’s really begin coding. I’ll offer up code-blocks for you to copy\paste in, but please do watch out for the browser changing characters such as quotation marks.

Firstly, we need to add some references to the .Net 4.0 classes we want to use in the project

  • Double click on the form to be taken to the Code view
  • Replace all using clauses with the following:

using System;
using System.ComponentModel;
using System.Drawing;
using System.Windows.Forms;
using System.Net;
using System.IO;
using System.Management;
using System.Threading;

It should look like this:

image

We’re going to need some triggers to control the BackgroundWorker threads we’ll create soon, we set these as public.

  • Add the following code below the Form1_Load method:

public volatile bool mpcheckRunning = false;
public volatile bool mpcheckStop = false;

public volatile bool timerRunning = false;
public volatile bool timerStop = false;

It should look like this:

image

We mark these as volatile because we’re going to access them from more than one thread; volatile forces the compiler and runtime not to optimise the reads, which could otherwise hand us a cached copy rather than the current value (think of lazy values). Since we’re checking them from inside a thread we need them to be reliable, and we must not change them from multiple threads. Booleans are not such a problem, but changing a global string value from multiple threads, for example, could leave the string in an inconsistent state.

Now let’s create two very special classes that we’ll use to pass information around between methods. We’re using an Object Orientated Language, so instead of passing a single property back and forth between methods, or an array of properties like old school style, we can pass an entire object containing several properties, or even a collection of these objects.

We’ll do this when we check the Management Points: we’ll pass the MP Name, MP Port and MP State around as an ‘object’, put all of these objects into a Collection, and in turn pass that around. It may sound complicated to begin with, but over time you’ll grow into doing this, so as to overcome certain obstacles when it comes to how much information you want to push around between methods, especially BackgroundWorker thread events.

We need several more variables so let’s create them now.

  • Add the following below the previous variables:

public volatile int nudtimerMinutes = 5; // Set to 5 to reflect the nud_timerMinutes controls default setting

public volatile ManagementPointCollection globalmpList = new ManagementPointCollection(); // Results of the last scan for Management Points

private static string unhealthyIcon = "..."; // Base64 encoded icon for the unhealthy state (the full string is not reproduced on this page)
private static string healthyIcon = "..."; // Base64 encoded icon for the healthy state (the full string is not reproduced on this page)

 

It should look like this (the icon strings are longer than this screenshot can show):

image

We’ve declared a variable, nudtimerMinutes, representing how often a scheduled check of the Management Points should happen (in minutes), we defined a Collection that is used to store the results of a scan for Management Points, and two strings that contain Base64 encoded representations of the Healthy and Unhealthy icons.

We’ll add in a Class called ManagementPoint, and we’ll define some internal properties that we can change such as Name, Port, State and SiteCode.

  • Add the following code below the code variables you created previously:

public class ManagementPoint // ManagementPoint Class
{
    private string _Name;
    private int _Port;
    private string _State;
    private string _SiteCode;

    public string Name
    {
        get { return _Name; }
        set { _Name = value; }
    }

    public int Port
    {
        get { return _Port; }
        set { _Port = value; }
    }

    public string State
    {
        get { return _State; }
        set { _State = value; }
    }

    public string SiteCode
    {
        get { return _SiteCode; }
        set { _SiteCode = value; }
    }
}

It should look like this:

image

Now we’ve defined the ManagementPoint Class, let’s define a ManagementPoint Collection Class used as a container for multiple ManagementPoint Classes. This is a really neat way of storing a bunch of ManagementPoint objects and allows us to pass them around the project when needed.

  • Add the following code below the ManagementPoint class that you created previously:

public class ManagementPointCollection : System.Collections.CollectionBase // ManagementPoint Collection Class
{
    public void Add(ManagementPoint amanagementPoint)
    {
        List.Add(amanagementPoint);
    }

    public void Remove(int index)
    {
        if (index >= 0 && index < Count) // Ignore an index that is outside the Collection
        {
            List.RemoveAt(index);
        }
    }

    public ManagementPoint Item(int Index)
    {
        return (ManagementPoint)List[Index];
    }
}

It should look like this:

image

This allows us to store MP classes in a Collection, pass them around and handle the Collection using a foreach statement. You’ll also notice that the Collection has three methods called Add, Remove and one called Item to return an object from the Collection based on its Index, this is how we handle the Collection when we put it to use.

Now that is in place, let’s create the basics just to get the thread started, and include the ability to stop it.

  • Add a BackgroundWorker thread that will scan the Management Points
  • Drag a BackgroundWorker onto the form
  • Set the Name to dompCheck
  • Set WorkerReportsProgress to True
  • Set WorkerSupportsCancellation to True

 

  • Add a BackgroundWorker thread that will schedule a scan if it is enabled
  • Drag a BackgroundWorker onto the form
  • Set the Name to doScheduling
  • Set WorkerReportsProgress to True
  • Set WorkerSupportsCancellation to True

 

  • Select the dompCheck BackgroundWorker, you’ll find it has appeared here:

image

 

  • Now select the Events tab on the Properties pane:

image

  • The three events that the BackgroundWorker thread supports are shown here:
  • DoWork handles the actual workload the thread is supposed to carry out
  • ProgressChanged can be invoked by us, and it is executed on the UI thread so we get access to the forms controls
  • RunWorkerCompleted is called when we exit the thread, it also executes on the UI thread and provides access to the forms controls

 

  • Double click DoWork
  • This will take you to the Code view, and will create a new method for DoWork
  • Go back to the Form view and repeat this for ProgressChanged and RunWorkerCompleted. This is a very handy way to create the event methods

 

  • Now go and find the doScheduling BackgroundWorker in the form view, and repeat what you did with dompCheck to create its three event methods

All three events are now mapped to individual methods for both BackgroundWorker threads, all we need to do now is invoke the threads in our code when we want them.

Let’s create a basic method that I’m using to start the BackgroundWorker thread dompCheck.

  • Add the following code below the ManagementPointCollection class that you created previously:

private void beginCheck()
{
    globalmpList = getmpList(); // Get the list of Management Points for this Site server

    if (!mpcheckRunning)
    {
        try
        {
            mpcheckStop = false; // Reset the stop trigger before starting

            if (dompCheck.IsBusy != true)
            {
                dompCheck.RunWorkerAsync();
            }
        }
        catch (Exception)
        {
            // RunWorkerAsync throws if the thread is already busy, nothing else to do here
        }
    }
}

It should look like this:

image

Note: You may get warned that getmpList method doesn’t exist, we’re going to create it soon, and until we’ve laid out all the code the project won’t compile properly.

The beginCheck method is doing the following:

  • Gets a list of Management Points from the target device
  • Checks if the dompCheck thread is already running
  • Resets the mpcheckStop trigger (mpcheckRunning is set by the thread itself once it starts)
  • Starts the dompCheck BackgroundWorker thread

Note that getmpList runs on whichever thread calls beginCheck, which is the UI thread, so a slow or unreachable Site server will hold up the form until the WMI calls return or fail.

 

Since the thread we’re going to use to check the Management Points is configured, we can move onto coding the underlying methods that represent the events.

Key activities that we want to achieve for the Management Point checking thread are:

  • Connect to WMI Namespace on a destination device
  • Get the Name and Site Code of the first SMS Provider found
  • Connect to the SMS Provider
  • Retrieve a list of Management Points, their Site Code and their security type (HTTP\HTTPS)
  • Test each Management Point and determine its health state
  • Show the result in the DataGridView

 

So let’s begin designing some structure around that, while keeping an eye on modularity, dispersing tasks to different methods so that we can invoke them multiple times if needed. I prefer spinning things out into methods that I can invoke, it makes for more readable code and reduces having to multiply code in logic blocks, just call the method in multiple places instead.

We’ll create a new method now called checkMP, this will contain the HTTP code to test a Management Point, and is modularised so that we can invoke it from another method for each Management Point discovered.

  • Add the following code below the beginCheck method that you created previously:

public string checkMP(string mpName, int mpPort)
{
    string httpresponseText = String.Empty;

    try
    {
        string connString = "HTTP://" + mpName + ":" + mpPort + "/sms_mp/.sms_aut?mplist";

        if (!mpcheckStop)
        {
            HttpWebRequest request = (HttpWebRequest)WebRequest.Create(connString);

            request.Timeout = 5 * 1000; // 5 second time out

            request.Method = "GET";

            using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
            using (Stream dataStream = response.GetResponseStream())
            using (StreamReader reader = new StreamReader(dataStream))
            {
                httpresponseText = reader.ReadToEnd();
            }
        }
    }
    catch (Exception e)
    {
        httpresponseText = e.Message; // An error (a time out included), keep the message so it is classified below
    }

    if (httpresponseText.Contains("<MPList>"))
    {
        return "Healthy"; // Healthy
    }

    if (httpresponseText.Contains("The operation has timed out"))
    {
        return "Timed out"; // Timed out
    }

    return httpresponseText; // Most likely an error, return the lot!
}

It should look like this:

image

  • This method is doing the following:
  • Checks if the threads stop trigger is set and jumps out if it is
  • Creates a HttpWebRequest object
  • Forms up the URL to be used
  • Sets the timeout to 5 seconds (5 * 1000 milliseconds)
  • Handles the response, healthy, time out, or an error
  • Notice that we break HTTPS checks because we hardcode HTTP to the front of the URL that we form up. If we wanted it to work with HTTPS Management Points we’d need to handle a few extra things anyway, this is definitely something someone else could do what with the source code for this project being publically available for modification.
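As an added example, not code from the original post or from the MonitorMP project, here is a stricter way of judging the mplist reply than the Contains("<MPList>") test in checkMP: parse the reply as XML with System.Xml.Linq and count the MP elements, so that an empty list or an unrelated XML/HTML page is not reported as Healthy. The MpListValidator class name is my own, and the sample replies inside Main are constructed (a real MP reply carries more elements than shown).

```csharp
using System;
using System.Collections.Generic;
using System.Xml;
using System.Xml.Linq;

// Added example, not part of the original MonitorMP source.
// Classifies the text returned by http://<mp>/sms_mp/.sms_aut?mplist by parsing it
// rather than by searching for the "<MPList>" substring.
public static class MpListValidator
{
    // Returns the Name attribute of every MP element in the reply.
    // Throws XmlException if the reply is not XML, FormatException if it is XML but not an MPList.
    public static List<string> ParseMpList(string responseText)
    {
        // XDocument.Parse uses the default XmlReaderSettings, which reject DTDs, so a reply
        // carrying a DOCTYPE fails here instead of being processed.
        XDocument doc = XDocument.Parse(responseText);

        if (doc.Root == null || doc.Root.Name.LocalName != "MPList")
        {
            throw new FormatException("reply is XML but its root element is not MPList");
        }

        List<string> names = new List<string>();

        foreach (XElement mp in doc.Root.Elements("MP"))
        {
            XAttribute name = mp.Attribute("Name");
            names.Add(name != null ? name.Value : "(unnamed MP)");
        }

        return names;
    }

    // Maps a reply, or the exception message checkMP captures, onto the same
    // state strings the post's checkMP produces.
    public static string Classify(string responseText)
    {
        if (responseText.Contains("The operation has timed out"))
        {
            return "Timed out";
        }

        try
        {
            List<string> names = ParseMpList(responseText);

            return names.Count > 0 ? "Healthy" : "Unhealthy - MPList is empty";
        }
        catch (XmlException)
        {
            return "Unhealthy - reply is not XML: " + Truncate(responseText, 60);
        }
        catch (FormatException ex)
        {
            return "Unhealthy - " + ex.Message;
        }
    }

    private static string Truncate(string text, int max)
    {
        return text.Length <= max ? text : text.Substring(0, max) + "...";
    }

    public static void Main()
    {
        // Constructed sample replies, not captured from a real Management Point.
        string goodReply = "<MPList><MP Name=\"MP01\" FQDN=\"mp01.example.local\"><Version>8325</Version></MP></MPList>";
        string emptyReply = "<MPList></MPList>";
        string errorPage = "<html><body>Service Unavailable</body></html>";
        string timeoutMessage = "The operation has timed out";

        Console.WriteLine(Classify(goodReply));
        Console.WriteLine(Classify(emptyReply));
        Console.WriteLine(Classify(errorPage));
        Console.WriteLine(Classify(timeoutMessage));
    }
}
```

To use it in the tool, have checkMP return MpListValidator.Classify(httpresponseText) instead of the two Contains checks; the rest of the project, including the healthy/unhealthy icon choice, keeps working because the "Healthy" and "Timed out" strings are unchanged.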

Next up is the method handling the WMI communications. We’ll use it to get a list of Management Points from WMI on the Site server, and pass them back to whoever called the method as a ManagementPoint Collection class, so that we can loop through the Collection calling checkMP each time.

There are at least two ways of handling WMI queries for ConfigMgr: use the Microsoft Configuration Manager class DLLs, which you reference from your project and which contain a bunch of code for connecting to and querying the SMS Provider, or use the .Net WMI ManagementScope class to connect to WMI on a Site server and query for the SMS Provider, so that we can obtain its server name along with the Site code and begin querying it. We’ll take the ManagementScope route here.

  • To use the ManagementScope class we need to add System.Management in the Project’s references

image

  • Enter system.management or scroll through the list to find it, and tick it so that it’s added to the project

image

Next we’ll create a method that we’ll use to update the StatusStrip, which will be used to report back errors during operation.

  • Add the following code below the checkMP method that you created previously:

private void logMessage(string theMessage)
{
    ssl_Entry.Text = theMessage;
    ss_Messaging.Refresh();
}

It should look like this:

image

Note that we must never call this from a BackgroundWorker thread or we’ll create a wormhole (it’ll barf with a cross-thread operation exception, because the controls belong to the UI thread).
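As an added example, not code from the original post or the MonitorMP project, here is the same logMessage made safe to call from any thread, alongside the BackgroundWorker route the post prefers, where ReportProgress carries the text to ProgressChanged. It assumes the post’s ss_Messaging StatusStrip, ssl_Entry label, dompCheck BackgroundWorker and checkMPS method exist on the form; the DoWork and ProgressChanged bodies shown here are an alternative to the ones the post fills in later.

```csharp
using System;
using System.ComponentModel;
using System.Windows.Forms;

// Added example, not part of the original MonitorMP source.
// Assumes the post's ss_Messaging, ssl_Entry, dompCheck and checkMPS members exist.
public partial class Form1 : Form
{
    private void logMessage(string theMessage)
    {
        if (ss_Messaging.InvokeRequired)
        {
            // We are on a worker thread: queue the call onto the UI thread instead of
            // touching the control directly. BeginInvoke returns at once, so the worker
            // is never blocked waiting for the UI to catch up.
            ss_Messaging.BeginInvoke(new Action<string>(logMessage), theMessage);
            return;
        }

        ssl_Entry.Text = theMessage;
        ss_Messaging.Refresh();
    }

    // The BackgroundWorker route: ReportProgress hands the text to ProgressChanged,
    // which the framework raises on the UI thread for us.
    private void dompCheck_DoWork(object sender, DoWorkEventArgs e)
    {
        BackgroundWorker worker = (BackgroundWorker)sender;

        worker.ReportProgress(0, "Checking Management Points..."); // UserState carries the message

        checkMPS();

        worker.ReportProgress(100, "Check complete");
    }

    private void dompCheck_ProgressChanged(object sender, ProgressChangedEventArgs e)
    {
        string message = e.UserState as string;

        if (message != null)
        {
            logMessage(message); // Already on the UI thread here, so InvokeRequired is false
        }
    }
}
```

Both paths end on the UI thread; the InvokeRequired check is the general-purpose guard for any helper that touches a control, while ReportProgress keeps worker code free of UI references altogether.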

Next up is a method that converts a Base64 encoded string into a Bitmap image, quite handy for storing a Bitmap inside the project and not depending on an external file for it. We could add it to the project as a Reference but I prefer to encode and store them away like this.

  • Add the following code below the logMessage method that you created previously:

private Bitmap loadimagefromString(string Image)
{
    try
    {
        byte[] imageBytes = Convert.FromBase64String(Image);

        MemoryStream ms = new MemoryStream(imageBytes);

        // The stream must stay open for the lifetime of the Bitmap, so it is deliberately not disposed here
        Bitmap streamImage = (Bitmap)Bitmap.FromStream(ms, true);

        return streamImage;
    }
    catch (Exception)
    {
        // Invalid Base64 or image data, fall through and return null
    }

    return null;
}

It should look like this:

image

And now we create the getmpList method.

  • Add the following code below the loadimagefromString method that you created previously:

private ManagementPointCollection getmpList()
{
    ManagementPointCollection mpCollection = new ManagementPointCollection();

    ManagementScope scope = new ManagementScope(@"\\" + tb_Server.Text + @"\root\SMS");

    SelectQuery query = new SelectQuery("select * from SMS_ProviderLocation");

    try
    {
        string smsproviderserverName = String.Empty;
        string smsprovidersiteCode = String.Empty;

        using (ManagementObjectSearcher searcher = new ManagementObjectSearcher(scope, query))
        {
            try
            {
                ManagementObjectCollection smsProviders = searcher.Get();

                foreach (ManagementObject smsProvider in smsProviders)
                {
                    smsproviderserverName = smsProvider["Machine"].ToString();
                    smsprovidersiteCode = smsProvider["SiteCode"].ToString();

                    break; // Get only the first SMS Provider listed, we could do better here
                }
            }
            catch (Exception e)
            {
                logMessage("Error connecting to Site server - " + e.Message);
            }
        }

        if (smsproviderserverName != String.Empty) // Do not proceed if we haven't got a server
        {
            scope = new ManagementScope(@"\\" + smsproviderserverName + @"\root\SMS\Site_" + smsprovidersiteCode);

            query = new SelectQuery("select * from SMS_SCI_SysResUse where RoleName like \"%SMS Management Point%\"");

            using (ManagementObjectSearcher searcher2 = new ManagementObjectSearcher(scope, query))
            {
                try
                {
                    ManagementObjectCollection mpList = searcher2.Get();

                    foreach (ManagementObject mp in mpList)
                    {
                        ManagementBaseObject[] properties = (ManagementBaseObject[])mp["Props"]; // The SMS_EmbeddedProperty array

                        bool isHTTPS = false;

                        foreach (ManagementBaseObject property in properties)
                        {
                            if (property["PropertyName"].ToString() == "SslState")
                            {
                                isHTTPS = Convert.ToBoolean(property["Value"]); // Non-zero means the MP is configured for SSL

                                break;
                            }
                        }

                        string mpName = mp["NetworkOSPath"].ToString().Remove(0, 2).ToLower(); // Strip the leading \\ from the UNC style path

                        ManagementPoint addMP = new ManagementPoint();

                        addMP.Name = mpName;

                        if (isHTTPS) addMP.Port = 443; else addMP.Port = 80; // Set Port 443 for HTTPS if the MP is configured for SSL, or Port 80 for HTTP

                        addMP.SiteCode = mp["SiteCode"].ToString();
                        addMP.State = String.Empty; // Filled in later by checkMPS

                        mpCollection.Add(addMP); // Add our MP to the MP Collection
                    }
                }
                catch (Exception e)
                {
                    logMessage("Error handling WMI - " + e.Message);
                }
            }
        }
        else
        {
            logMessage("Could not find an SMS Provider");
        }
    }
    catch (ManagementException e)
    {
        logMessage("Fatal error - " + e.Message);
    }

    return mpCollection;
}

It should look like this:

image

image

image

Essentially all our WMI interrogation code is in there, and we return a ManagementPoint Collection containing all the Management Points that were discovered. Note that the State property is left empty here; checkMPS, which we write next, stores the result of checkMP back into each ManagementPoint object in the collection.

We’ll now create a method called checkMPS, from which we’ll iterate through our globalmpList ManagementPoint Collection, and run checkMP for each one.

  • Add the following code below the getmpList method that you created previously:

public void checkMPS()
{
    foreach (ManagementPoint mp in globalmpList)
    {
        string returnedState = checkMP(mp.Name, mp.Port);

        mp.State = returnedState; // We have the result, store it back into this ManagementPoint class instance

        if (mpcheckStop) break;
    }
}

It should look like this:

image

Next up are the event methods for dompCheck and doScheduling.

  • Add the following code to the dompCheck_DoWork method:

mpcheckRunning = true; // Notify that we are running

BackgroundWorker worker = sender as BackgroundWorker;

if (worker.CancellationPending)
{
    e.Cancel = true;
    return; // A cancellation is pending, do not start the check
}

if (!mpcheckStop)
{
    checkMPS();
}

It should look like this:

image

In this method we notify that the thread is running, check if it needs to be stopped, then kick off the checkMPS method which results in the globalmpList being updated for us.

There is no need to modify the dompCheck_ProgressChanged method as we’re not sending status or state back to the foreground thread from dompCheck.

  • Add the following code to the dompCheck_RunWorkerCompleted method:

dgv_Mp.Rows.Clear(); // Clear the dgv_Mp rows

Bitmap healthyStateIcon = loadimagefromString(healthyIcon); // Decode both icons once
Bitmap unhealthyStateIcon = loadimagefromString(unhealthyIcon);

foreach (ManagementPoint MP in globalmpList) // Iterate our global MP list
{
    // Pick the icon per row, otherwise one healthy MP would leave every later row showing healthy
    Bitmap stateIcon = MP.State == "Healthy" ? healthyStateIcon : unhealthyStateIcon;

    dgv_Mp.Rows.Add(MP.Name, MP.SiteCode, stateIcon, MP.State); // Add the MP to dgv_Mp
}

mpcheckRunning = false; // Notify that we are finished
mpcheckStop = false; // If we were forced, reset the trigger
b_Go.Text = "Check Management Points"; // Change the b_Go Button text back

It should look like this:

image

I’ve commented the above code well enough to explain what is happening, but a recap is that we’re clearing the dgv_Mp DataGridView and populating it with the information stored in the ManagementPoint objects hanging out in the globalmpList.

I can see we’re real close to wrapping up here, so let’s crack on.

  • Add the following code to doScheduling_DoWork method:

BackgroundWorker worker = sender as BackgroundWorker;

if (worker.CancellationPending)
{
    e.Cancel = true;
    return; // A cancellation is pending, do not enter the loop
}

DateTime nextCycle = DateTime.UtcNow;

nextCycle = nextCycle.AddMinutes(nudtimerMinutes);

while (true) // Enter an eternal loop!
{
    if (timerStop) break; // Quick! Come this way to get out of the loop!

    Thread.Sleep(1000); // Sleep for one second

    int compareResult = DateTime.Compare(nextCycle, DateTime.UtcNow);

    if (compareResult < 0) // Time to trigger a Management Point check
    {
        worker.ReportProgress(0, ""); // We just want to fire the ProgressChanged event, we do not have anything to pass to it

        DateTime newCycle = DateTime.UtcNow; // Get current Date and Time

        newCycle = newCycle.AddMinutes(nudtimerMinutes); // Add nudtimerMinutes to newCycle

        nextCycle = newCycle; // Set nextCycle so that we can fire again
    }
}

It should look like this:

image

What we’re doing above is creating an infinite loop; from within it we sleep for a second and check whether we’re due to invoke a Management Point check. We use DateTime and juggle things around a bit, and could have slept for the entire period, but I wanted the thread to be responsive to requests to stop. We actually get the dompCheck thread started by calling the BackgroundWorker’s ReportProgress method, which raises the ProgressChanged event on the UI thread, and from the ProgressChanged method we invoke the beginCheck method.

  • Add the following to the doScheduling_ProgressChanged method:

if (!mpcheckRunning)
{
    beginCheck(); // Start the Management Point health state check thread
}

It should look like this:

image

As you can see, we check to see if the dompCheck thread is running, if it isn’t we call beginCheck which will start it for us.

  • Add the following to the doScheduling_RunWorkerCompleted method:

timerStop = false; // Reset the threads stop trigger
timerRunning = false; // Declare the thread finished

It should look like this:

image

Now return to the Form view, and double click the cb_Timer Checkbox control. It’ll return you to Code view and create the cb_Timer_CheckedChanged method for you:

  • Add the following to the cb_Timer_CheckedChanged method:

if (cb_Timer.Checked) // User has enabled the scheduler
{
    if (!timerRunning)
    {
        timerStop = false; // Reset the threads stop trigger

        if (doScheduling.IsBusy != true) // Start the scheduling thread
        {
            doScheduling.RunWorkerAsync();
        }
    }
}
else // User has disabled the scheduler
{
    timerStop = true; // Stop the scheduling thread
}

It should look like this:

image

From this method we kick off the doScheduling BackgroundWorker thread, or stop it, depending on whether you tick or untick the Checkbox.

Return back to the form view, double click the nud_timerMinutes control.

  • Add the following to nud_timerMinutes_ValueChanged method:

try
{
    nudtimerMinutes = Convert.ToInt16(nud_timerMinutes.Value); // Keep the global nudtimerMinutes variable up to date
}
catch (Exception)
{
    // Ignore an out-of-range value; nudtimerMinutes keeps its previous value
}

It should look like this:

image

When the user makes a change to the value for the nud_timerMinutes control, we’ll change the global nudtimerMinutes variable to reflect the change, keeping them in sync.

Here comes our last block of code, return to Form view and double click the b_Go control.

  • Add the following code to the b_Go method:

if (!mpcheckRunning)
{
    b_Go.Text = "Stop";

    beginCheck(); // Start the thread
}
else // Stop the thread
{
    mpcheckStop = true;
}

It should look like this:

image

That’s it. Now press Ctrl+Alt+B to compile the code. If you fitted this together properly you’ll get success; on seeing Success, press F5 to run the application and test it out.

Once you point it at a Site server it should look like this:

image

 

Well, that was an epic guide!

Not only did we cover a stack of techniques that you can reuse for most of your projects, but we ended up with a tool that’s available on the TechNet Gallery here.

This wraps up this guide, sorry for the lengthy gap between posts, I think this one stretched across a whole year! At least we got there, and as you can see this last post took a lot of time to put together, and is why I was lagging behind doing it hehe. I’ll put together another development related guide soon, focusing more on using the ConfigMgr SDK, suggestions for guides always welcome.

I hope you’ve got something useful from this guide, at worst a working development environment, and a full blown C# project to act as an example for you to plunder as you build out your own projects.

Enjoy.

Robert Marshall – Enterprise Mobility MVP – Director and Principal consultant of SMSMarshall Ltd

ConfigMgr Boundary Groups revisited


 

System Center Configuration Manager Technical Preview Build 1609 was just released, and one of the most exciting enhancements, as an architect, is the redefinition of how a Boundary Group behaves.

Note that there is a bug with Boundary Groups in 1609: create the Boundary Group first, then go back into it to add references, otherwise the console crashes out.

Here’s the preview summary of the feature:

This preview introduces important changes to boundary groups and how they work with distribution points. These changes will help simplify the design of your content infrastructure while giving you more control over how and when clients fall-back to search additional distribution points as content source locations. This includes both on-premises and cloud-based distribution points.

These improvements replace concepts and behaviours you might be familiar with today (like configuring distribution points to be fast or slow) with a new model that should be easier to set up and maintain. These changes are also groundwork for future changes that will improve other site system roles you associate with boundary groups.

The details of this feature are Boundary Group nesting, which can be used to introduce layers that a site can fall back through, all the way to the core network, until either no service is delivered due to restrictions on crossing network boundaries (defined by your Boundaries), or a service point is reached such as a DP, MP or SUP. The original “fall-back” option has become the Site Default Boundary Group, which can be populated with a site that will act as the “fall-back” site for anything that needs falling back. The Site Default Boundary Group, or rather its functionality, can also be disabled by not specifying a site as the fall-back Site. There’s a lot more detail in the Preview Notes for Build 1609, which are linked below.

Two key things you’ll notice in the UI are within the Boundary Groups property sheet: the lack of a Connection property for the Site system servers, with the notion of Slow and Fast being obsoleted, and a new References tab, shown in the before\after shots below, which is used to form what are called relationships, neighbouring Boundary Groups that can be fallen back to:

image       image

When adding Relationships you’re given the ability to control the length of delay before falling back to specified Roles, and includes the ability to disable fall-back for any of the three types of bounded Role:

image

Here’s what a Relationship looks like once it has been defined in a Boundary Group:

image

An info graphic from the Preview Notes showing how fall-back can take place.

image

 

Very nice. The feature offers us a whole lot more control over fall-back to available services, including the durations before the fall-back takes place. I can see this making a lot of customers very happy for network flow-control.

Check out the Preview Notes here

Push-based Replica Management Point


 

I decided a while back that when I finally set about publicly documenting the pathway to enable a new type of Replica Management Point in ConfigMgr, I wouldn’t go into much detail explaining what a Replica Management Point is, or pitch their usefulness and all that, as we’d get bogged down in details that are already out there.

The likes of Brian Mason and Kent Agerlund have for many years been fleshing out their justification and use-cases, and produced some great guides to getting them up and running, even our Paul Winstanley at WMUG has put together a guide, so instead I thought I’d visualise a particular problem where a default Pull-based Replica Management Point falls short, and show how implementing a Push-based Replica Management Point solves that problem.

 

In the below shot, I’ve mocked up a visual showing how SQL is used by a Management Point in the three scenarios that it currently covers:

  1. Management Point in close proximity to the Site Database (in terms of network location)
  2. Management Point using Site Database to service Clients
  3. Replica Management Point using a replica of the Site Database to service Clients

image

Now this works just fine as long as you’ve got communications pathways back to the Site server’s Database, but when operating in restrictive environments where those pathways are blocked, it means taking Replica Management Points off the design board as a design element.

To get things underway, I’ll focus more on the reason for the drawback in using Replica Management Points in those environments, and show how to put them back on the design board.

So here we are, a very basic network and services diagram, showing on the left a trusted network, and on the right two untrusted networks.

image

The untrusted networks are not allowed to communicate back to the trusted network, for obvious reasons, and the communications back in that direction are blocked, as is shown using the red crosses above.

The Microsoft documentation for setting up a Replica Management Point guides the administrator into creating a subscription on the Replica SQL Database, which makes it a Pull-based method for replication. So by default, a Replica Management Point is a pull-based mechanism.

I would only recommend using a Push-based Replica Management Point sparingly, and if you need a standard Replica Management Point for high-availability, perhaps look at SQL Always-On as an alternative to hosting Replica SQL Databases.

With the firewall blocking communications back to the Site server’s Database, a Pull-based Replica Management Point will fail to function at all, as the underlying SQL replication mechanism’s communication pathway back to the Site server’s Database is blocked by the firewall.

The solution is pretty simple, nothing complicated about it, but it comes with a few considerations, such as incurring a slight performance impact on the SQL database hosting the Subscription, and the supportability of the change to a standard Replica Management Point’s design. We’ll cover both in a moment.

To solve the problem then, all we need to do is rotate this pull-model around to become a push-model, and to achieve that we simply create the subscription on the Site server if it’s hosting the Site Database, or on the remote SQL Server or SQL Cluster that hosts it.

Changing the SQL Replication model to Push instead of Pull, means Replica Management Points can function in those environments that restrict access back to the trusted network.

image

Changing the Replica Management Points SQL replication mechanism to push-based completes part of the solution, but to finish up the Site system also needs to be considered, as by default the Site system will attempt to connect to the Site server, and fail in the problem scenario due to being blocked by the firewall.

The Management Point will essentially drop inventory reports and other material coming in from clients, such as Status and State Messages, into its own Inboxes, and the contents in the Inboxes, on its Site system, need to be replicated to the Site server, so that they can be processed into the Site database.

Solving this problem in a restrictive environment is easy: a feature that has been built into the ConfigMgr product for some time lets you configure a Site system so that the Site server connects to it, rather than it connecting to the Site server. It is labelled Require the site server to initiate connections to this site system, but more breezily titled Inter-site whizzy bang Inbox Pull Mode contraption thingy.

Here’s Site server to Site system replication visualised showing both modes of operation:

image

Now all of that is out of the way, and you clearly understand that this new type of Replica Management Point, push-based, is only for heavily restrictive environments, where Regulation\Compliance rules exist that do not tolerate connections being established from untrusted networks to trusted networks.

And you know already from reading this post, or are becoming more aware of the fact that for most people, implementing a Push-based Replica Management Point in their environment is probably a pointless exercise.

However, some of you have probably already figured out that a Push-based Replica Management Point could actually help you to manage more devices in the more restrictive parts of your environment, possibly replacing ConfigMgr Hierarchies set up specifically to manage those devices, or bringing them fully into the company’s System Management solution, ConfigMgr, rather than letting them continue being managed by stand-alone WSUS for patching and AD Group Policy or “by hand” software delivery.

But here is the catch, since we’ve changed how the Replica Management Point is implemented it is unsupported, not because it doesn’t work, just that it was never put on the test list, if it had, it would be one of our current design elements.

Another point to be made here is that a performance penalty will be incurred by the host of the Subscription, so if it is hosted on the Site server which has local SQL, there will be a slight performance impact, how big depends on the scale of your environment. The more Subscriptions you have, the more of a performance penalty is felt.

Base-lining and monitoring of SQL performance would help view performance before and after the change, and keep on top of performance nose-diving, but to be honest this won’t represent a problem for most customers that are not at large scale, only those that are running their SQL at a fair gallop (under-specification, over-used) already.

To solve the supportability issue, if you’re a Microsoft Premier customer you can get reasonable commercial support while this is implemented, but are open to Microsoft during a support engagement asking you to revert the Replica Management Point back to its default configuration (Pull-based SQL Replication) for reproduction of the problem you’re logging with them. Make sure you have a procedure for switching back and forth between Push and Pull in place in case you need to do it.

If you’re the type of environment that pays at least a token nod at not tolerating unsupported scenarios, and do not have a Microsoft Premier agreement in place so as to get a supportability statement sorted out, then you’re out of options, and implementing and dealing with any consequences is entirely your own choice.

For obvious reasons I only recommend readers of this post to implement while getting the nod from Microsoft Premier Support. I am not responsible if you decide to implement and your technical world for some reason ends because of it, even though it is entirely unlikely to happen.

Strap in, get ready, finally we’re going to finish up the post by showing how the replication is switched from pull to push mode.

The Microsoft Documentation for implementing a Replica Management Point is here:

image

To implement a Push-based Replica Management Point, we’ll follow the Microsoft documented instructions up to the To configure the database replica server section:

image

We’ll carry out step 1, but modify the step 2 procedure slightly so as to produce the Push-based SQL Replication mechanism, then complete the rest of the overall Microsoft documented procedure.

image

2. On the site database server, use SQL Server Management Studio to connect to the local server, browse to the Replication folder, expand Local Publications, select the Publication and right click and select New Subscriptions…

image

a. Select the Publication and select Next

image

b. Select Run all agents at the Distributor.

As can be noted in the screenshot’s text, this changes the replication mechanism from pull to push; it is as easy as that.

image

c. Select Next

image

d. Select Add Subscriber and select Add SQL Server Subscriber… then connect to the SQL Replica database. Returning back to the New Subscription wizard, the Subscription database drop-down for the newly added subscriber needs some attention. If you’ve already pre-created the database, this is where you’d select it, otherwise create a new database.

image

e. Once you’ve taken care of the small matter of pointing at the Replica Database, select Next

Now go back to Step 2 in the To configure the database replica server section, and carry out steps f, g, h and i, and then complete the entire remaining procedure as documented by Microsoft. You can also enable the Notification Channel as instructed in the Microsoft documentation.

A quick check of the Publication shows the Subscription has been added to it:

image

Having a nose around the actual Publication shows us what is being replicated (Articles):

image

And viewing the properties of the Subscription shows us it is in Push mode:

image

Your SQL Replication mechanism will now be push-based, and along with a Site system that is serviced by the Site server connecting to it, you have a Management Point role that, together with its underlying Site system, is for the first time compliant with the needs of some of the most complex untrusted, but accessible, network environments out there.
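As an added check (not part of the original post), the following PowerShell queries the Distributor’s distribution database for the subscription type, so you can confirm the switch to push without clicking through the Subscription properties. It assumes the SqlServer module’s Invoke-Sqlcmd and the default distribution database name; the server names are placeholders.

```powershell
# Added example (not from the original post): confirm from the Distributor that the
# Replica Management Point subscription is push-based. In the distribution database,
# MSsubscriptions.subscription_type is 0 for push, 1 for pull and 2 for anonymous.
# Assumes the SqlServer module (Invoke-Sqlcmd) and the default distribution database
# name; the server names below are placeholders.
param(
    [string]$Distributor    = 'SITESERVER',      # placeholder: site database server acting as Distributor
    [string]$DistributionDb = 'distribution',    # default name of the distribution database
    [string]$ReplicaServer  = 'REPLICA-MP-SQL'   # placeholder: SQL Server hosting the replica database
)

$query = @"
SELECT DISTINCT
       p.publication,
       p.publisher_db,
       srv.name        AS subscriber,
       s.subscriber_db,
       s.subscription_type,
       CASE s.subscription_type
            WHEN 0 THEN 'Push'
            WHEN 1 THEN 'Pull'
            WHEN 2 THEN 'Anonymous'
            ELSE 'Unknown'
       END             AS subscription_mode
FROM   dbo.MSsubscriptions AS s
JOIN   dbo.MSpublications  AS p   ON p.publication_id = s.publication_id
JOIN   sys.servers         AS srv ON srv.server_id    = s.subscriber_id;
"@

$rows = Invoke-Sqlcmd -ServerInstance $Distributor -Database $DistributionDb -Query $query
if (-not $rows) { throw "No subscriptions found in $DistributionDb on $Distributor." }

# Show every subscription so a stray pull subscription stands out.
$rows | Format-Table publication, subscriber, subscriber_db, subscription_mode -AutoSize

# Then report on the replica in question.
$replica = @($rows | Where-Object { $_.subscriber -ieq $ReplicaServer })
if ($replica.Count -eq 0) {
    Write-Warning "No subscription found for $ReplicaServer; check the name as it appears in sys.servers on the Distributor."
}
elseif ($replica.subscription_type -contains 0) {
    Write-Output "Subscription on $ReplicaServer is push-based: the Distribution Agent runs at the Distributor and connects out to the replica."
}
else {
    Write-Warning "Subscription on $ReplicaServer is pull-based: the Distribution Agent runs at the Subscriber and needs a path back to the site database."
}
```

Run it from the Distributor (or anywhere with SQL connectivity to it) before and after the change; this is also handy as the check in the switch-back procedure mentioned earlier, since a Premier engineer asking you to revert will want proof of which mode you are in.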

Drop in a Distribution Point and you’ve now got Policy, Lookups and Content covered in the restrictive environment, Client Registrations too. OSD is but a mere click away. Nice.

While this is a great solution for on-premise devices, there are other ways coming about to service the same difficult to reach devices, such as those in untrusted networks, as long as they have access to the internet. An up-and-coming feature called the Cloud Proxy Point, which is trialling in Build 1606 of the Technical Preview, will open all of them up to management using a solution lashed together with Azure and on-premise ConfigMgr. I’ll be covering this technology in my next blog, as it is a killer way to handle devices on the internet, or on-premise but with internet access, without needing to place your Site Roles in a public facing DMZ. One of the most exciting features I’ve seen in a while as an architect, along with Intune, but quite a fiddly affair in comparison to Intune to get up and running.

Update (05/09/2016): 

Confirmed that with a Push-based Replica Management Point, the Client Notification Channel works fine. Nothing special needed to configure it beyond the documented steps.

ConfigMgr Technical Preview 1612–Features–Recognise Deployment-blocking executables


 

I needed a brief moment to think of a suitable way to describe the feature for this post’s title, as its pre-release name is Prevent installation of an application if a specified program is running, not as catchy as its in-console name of Installer Handling, which I decided not to use as it isn’t descriptive enough and may not be the final name for the feature. I decided upon Recognise Deployment-blocking executables, which is not much shorter, if I admit.

To get this feature into ConfigMgr Current Branch, I’ve recommended that customers install the PowerShell Application Deployment Toolkit (PADT), which I will still continue to recommend, as it is feature-rich, but now we have a simple implementation of one of the features PADT has, and it is coming down the feature-pipe being previewed initially in the Technical Preview of ConfigMgr.

 

Nothing is guaranteed, it could for some bizarre reason not make it into the daylight, but I’d expect to see this by the next series of releases of Current Branch.

 

The idea for this feature came about due to a UserVoice entry, which got 1,525 votes (at the time of publishing).

 

It doesn’t take much to set up a repro of this feature to see it in action, once you have Technical Preview 1612 installed, which Niall Brady EM MVP has covered in this guide here.

 

Simply set up a deployment of an Application, open the Application’s Deployment Type and find the new Installer Handling tab:

 

image

 

Select Add, then enter the Application’s executable filename:

 

image

 

Once that’s done, pop the Deployment Type’s changes into the database by selecting OK

 

image

 

This will then make its way down to the Client via Policy, and the new ConfigMgr 1612 TP Client-code will utilise it when initiating a deployment, as shown here:

 

image

 

I’ve launched the LogLauncher.exe executable on the target system before the deployment is launched from the new Software Center:

 

image

 

Saddle up:

 

image

 

It begins downloading the content, completes and then begins deployment, which then immediately fails with this message:

 

image

 

I OK’d the message, closed the executable and re-ran the deployment, which completed successfully:

 

image

 

I had a nose around the logs, I don’t think they are logging activity around this feature yet, but I can see state messages going up to the MP, which are probably the error result for the deployment, followed by the success once I’d closed the executable and retried the deployment.

 

Eventually we’ll see this arrive in Current Branch, a built-in mechanism for stopping a deployment from getting underway if the User already has the application open. Handy.
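The same guard can be expressed in a deployment wrapper script, which is what those of us still on Current Branch would do in the meantime. The following PowerShell is an added example, not the product’s Installer Handling code: it checks for the blocking executable (LogLauncher.exe, as used above) before launching the installer and returns 1618, which a Deployment Type’s default return codes map to Fast Retry, so the client re-queues the deployment rather than recording a failure. The installer path and arguments are placeholders.

```powershell
# Added example (not the product's Installer Handling code): a deployment wrapper that
# mirrors the feature. It refuses to run the installer while a blocking executable is
# open and returns 1618, which a Deployment Type's default return codes map to Fast Retry,
# so the client re-queues the deployment instead of recording a failure.
# 'LogLauncher.exe' is the process used in the post; installer path and arguments are placeholders.
param(
    [string[]]$BlockingExecutables = @('LogLauncher.exe'),
    [string]  $InstallerPath       = (Join-Path $PSScriptRoot 'setup.exe'),   # placeholder
    [string]  $InstallerArgs       = '/quiet'                                 # placeholder
)

function Get-BlockingProcess {
    param([string[]]$Executables)
    # Get-Process matches on the name without extension, so strip any '.exe'.
    $names = $Executables | ForEach-Object { [IO.Path]::GetFileNameWithoutExtension($_) }
    Get-Process -Name $names -ErrorAction SilentlyContinue
}

$running = Get-BlockingProcess -Executables $BlockingExecutables
if ($running) {
    $list = ($running.ProcessName | Sort-Object -Unique) -join ', '
    Write-Warning "Deployment blocked: $list is running. Returning 1618 (Fast Retry)."
    exit 1618
}

# Nothing in the way: run the installer and hand its exit code back to the client.
$proc = Start-Process -FilePath $InstallerPath -ArgumentList $InstallerArgs -Wait -PassThru
exit $proc.ExitCode
```

Point the Deployment Type’s install command at the wrapper rather than the installer, and leave 1618 mapped to Fast Retry on the Return Codes tab so the client behaves the same way the built-in feature does.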


LogLauncher V3.0


 

A lot of my free time of late has been going into many things, one of which was redoing LogLauncher with a modern ribbon look, and adding in some much needed functionality.

Just a moment ago I updated the TechNet Gallery with V3.0, here’s what it looks like now:

image

It has some strong features:

 

  • Get at all ConfigMgr\SCCM logs easily, quickly
  • Visualise changes to SCCM\ConfigMgr logs over time using the monitoring feature
  • Open multiple logs in one trace tool, or open a trace tool for each log
  • Integrates with the ConfigMgr Console for devices in their context menu\ribbon
  • Log hints for known SCCM\ConfigMgr logs, hover over a log to see a tooltip description of the log
  • Add custom locations for scanning for logs
  • Launch directly from LogLauncher the Configuration Manager Support Center if it is installed
  • Change a ConfigMgr\SCCM Site or a Clients Log Settings using the Log Settings feature, remember to restart the service for the Site or Agent for changes to take effect
  • Toggle hiding of Archive logs (*.lo_)
  • Remembers what devices you’ve scanned for easy access
  • Diagnostic output for when things go wrong, for feedback to author as well as troubleshooting added locations
  • Automatically scans the device the tool is run on
  • Accepts device name entered on the command line (LogLauncher.exe <DEVICENAME>) for automation purposes

 

You can find the tool here over on TechNet Gallery

 

Enjoy,

LogLauncher 3.1


 

I’ve released a point release for LogLauncher, it contains the following:

  • Custom Locations now works on remote scans, instead of just local scans
  • Progressive search implemented in the Log View, begin typing the log name to see it
  • Monitoring in progress notifications introduced: red text in the bottom left and the application’s title bar text changed to alert that monitoring is taking place
  • The Product or Category being monitored will be shown with green text to denote that it is being monitored
  • Orb now has File \ Exit implemented (top left of application window)
  • Code and Cosmetic changes, aiming for a higher ease-of-use level

 

image

 

I think the Most Recently Used list for device names is acting up; it seems to work here in the development environment, but I saw one instance of it not storing device names when you scan them successfully. Try entering the device name and pressing Enter instead of just clicking away to the Scan button.

You can find the tool here over on TechNet Gallery

Enjoy,

ConfigMgr Technical Preview Build 1702


 

Hot off the press comes Build 1702 for ConfigMgr Technical Preview!

Announcement

https://blogs.technet.microsoft.com/enterprisemobility/2017/02/27/update-1702-for-configuration-manager-technical-preview-branch-available-now/

Documentation

https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1702

Try It

https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection-technical-preview

Feature Summary

  • Send feedback from the Configuration Manager console
  • Changes for Updates and Servicing
  • Peer Cache improvements
  • Use Azure Active Directory Domain Services to manage devices, users, and groups
  • Conditional access device compliance policy improvements
  • Antimalware client version alert
  • Compliance assessment for Windows Update for Business updates
  • Improvements to Software Center settings and notification messages for high-impact task sequences
  • Check for running executable files before installing an application
  • Create PFX certificates with S MIME support
  • New compliance settings for iOS devices
  • Android for Work support

 

That's quite a busy release-list!

ConfigMgr / SCCM CB Build1610 Hotfix 4010155

Running up a test environment for Intune and ConfigMgr Current Branch or Technical Preview


 


 

I set up Intune quite a lot for Intune Hybrid POCs, and I thought I’d run off a simple guide for those that want to spin this stuff up in their own lab at home.

The goal of this guide is to get it running so you can tinker with the features available through Mobile Device Management (MDM). This isn’t a guide on how to get Intune and ConfigMgr set up for a production environment, and it falls short of covering what you can do with Intune on the supported platforms (Windows, iOS and Android).

 

Here are the key things you will need to do before you can proceed to enroll devices into your environment, and I’ll walk you through each action:

 

  1. Choose to either set up a Public DNS, reuse an existing one that you own, or use the one Microsoft gives you when you sign up for an Intune Evaluation, see notes below *
  2. Register for an Intune Evaluation or an EMS Evaluation or even both here and here, see notes below **
  3. Configure Intune to recognise your Public DNS, if required
  4. Configure your Active Directory to use an additional UPN, if required, see notes below ***
  5. Configure your Active Directory test user(s) UPN, if required, see notes below ****
  6. Synchronise your lab Active Directory with Azure Active Directory from your Intune Evaluation using ADConnect here
  7. Provide the AD Users that you wish to allow to enroll devices, with an Intune license
  8. Configure ConfigMgr with your Intune evaluation
  9. Enroll devices, for this I’ll show an Android being enrolled, and if my wife lets me, a recent iPhone!

 

Notes:

* You can either use your own Public DNS record that you can point a device at when enrolling, or use the one Microsoft provides when you sign up for an Intune Evaluation, there are alternatives to DNS such as enrolling using Azure, but this is limited to Windows 10 devices and not within the scope of all Mobile Devices

** Both the Intune and EMS evaluations give access to Intune, only one or the other is needed. You can register for both. Doing so will require registering the Intune evaluation first, and then while remaining logged in to Intune, and in the same browser session, visit the EMS link and go through the motions of associating your EMS evaluation with your Intune evaluation.

*** You’ll only need to do this if your Public DNS is not going to be the same as your lab’s Active Directory forest and domain, say you already have a Domain Controller and it doesn’t match with your Public DNS. If you are able to choose and create a Public DNS first, then you should go straight to using your Public DNS as your Active Directory name (example.com as an example)

**** You’ll only need to do this if your Public DNS differs from your Active Directory Forest and domain name

 

To be able to even get to the above stuff, you’re going to need the ground-work established, in the form of the following:

  • A device with Hyper-V, and a good amount of memory available
  • At least one Domain Controller

No need for more than one Domain Controller, unless you need different directory services to play with, such as testing trusts between domains, forests and things around their complex configurations.

If you are starting out then a simple test environment consisting of one domain controller, destined to be used to kick the tires on Mobile Device Management using Hybrid Intune with ConfigMgr, will do.

  • A Standalone Primary Site server running either Technical Preview, if you want to check out the latest pre-release features, or Current Branch, with at least 6GB of memory and SQL memory usage throttled back to 4GB at a minimum.

There is a correlation between how much memory and how much patience an administrator has: the more memory available, the less patience needed. There is another variable, Disk IOPS, but let’s not go there; just make sure you are not saturating your disk subsystems with too many Virtual Machines such that things run at a snail’s pace.

 

Let’s assume you have a stable lab environment that meets the above requirements, a public DNS record, and get on with setting it all up.

 

For the guide, instead of using the Public DNS record Microsoft provides when running up an Intune Evaluation, I used SYSTEMCENTER.CO.UK as the Public DNS record, hosted by GoDaddy, letting Microsoft configure the DNS entries automatically for me. Nice touch. My Lab Active Directory is not called SYSTEMCENTER.CO.UK, therefore I had to configure UPN suffixes and set a User account’s UPN to make all this work.

 

Setup a new Public DNS, or reuse an existing one that you own

Later on, when you register for an Intune Evaluation, Microsoft will give you a personalised Domain name ending with .onmicrosoft.com, if you are going to use that then you’ll need to do the UPN sections below and can skip this section.

Examples of the DNS scenarios are:

Mismatched DNS and AD names:

  • Public DNS: Example.com or Example.onmicrosoft.com
  • Active Directory: InternalLab.com

Matched DNS and AD names

  • Public DNS: Example.com
  • Active Directory: Example.com

 

If you’re going to use your own DNS, my best advice would be to do three things:

  1. Have a read of this
  2. Choose a DNS hosting Provider; Microsoft have a relationship with GoDaddy and Register.com, others will work, you’ll just have to configure their DNS Zone entries manually
  3. Choose a DNS name, if this is going to go beyond an evaluation, and you’re setting up inside a company, use an appropriate domain-name name, otherwise be creative

 

Once you have your DNS created, or already have one, it’s time to move on.

 

Register for an Intune Evaluation or an EMS Evaluation

 

To get Intune Hybrid with ConfigMgr working, you’re going to need an Intune Evaluation, or alternatively an Enterprise Mobility + Security (EMS) Evaluation.

The EMS evaluation contains an Intune license, as well as access to a bunch of EMS features, the Intune evaluation obviously gives you just that, and both can be signed up for and combined together.

You can either go just for the Intune Evaluation step below, or the EMS step, or do both.

Here we go.

 

Setup an Intune Evaluation

 

The Intune registration process is quite straightforward, I’ll cover the key highlights.

  • You’ll be prompted for details about yourself, along with some basic contact details
  • It’ll ask you to create a Username for the first user in your Intune (Evaluation) Tenant, you can call this whatever you want, it’ll become the Global Administrator, call it Administrator, Admin, your choice
  • It’ll ask you to enter a company name to prefix before .onmicrosoft.com. This can be anything you want that is available, and it’ll tell you if your choice is not available. You could use your Public DNS as the prefix (for Example.com you’d enter Example so it becomes example.onmicrosoft.com), or something entirely random.

 

image

 

Once you’ve clicked Create my account you’ll be prompted to prove you are not a robot, by verifying a 6 digit code sent via SMS to your mobile, go through the motions until it tells you that you are done.

 

image

 

Click You’re ready to go and head to your inbox, within minutes you should see an on-boarding email with information about your trial.

 

Setup an EMS Evaluation

 

Setting up your EMS Evaluation is a cinch once you’ve got your Intune Evaluation up and running, simply remain logged into the Intune Portal and from the same web browser session, visit the EMS Evaluation page. You’ll be prompted to add the Enterprise Mobility + Security E5 package to your Intune Evaluation account.

 

image

 

Made so easy, just click Yes, add it to my account

If you’re opting to just use an EMS evaluation, then fill in the registration details and set yourself up an evaluation.

 

image

 

Done. 250 users for 3 months of EMS usage, not a bad run for an evaluation, considering what you get, the EMS suite of products including Intune.

 

You should see an email in your inbox  for this evaluation as well.

 

There isn’t any need to do anything further with Intune or EMS at this point in time.

 

Configure Intune to recognise your Public DNS

 

You can skip this step if you are using the <CompanyName>.onmicrosoft.com domain that Microsoft sets up when you register for an Intune Evaluation.

If you have your own Public DNS name and you want to use that, then Intune will need to be told to verify and recognise the domain. Visit the Intune Portal at portal.office.com and select Setup \ Domains to get underway.

Clicking Add Domain will prompt you for details about your domain.

If Microsoft has a relationship with the DNS provider hosting your DNS records, they can automatically add the zone file entries for you, such as the CNAME entries for device enrollment, as well as other records to support the EMS+Intune suite of products.

If Microsoft doesn’t have this relationship and you have to do it by hand, here is the documentation on what is needed to edit your Public DNS zone file.

Once the domain has been verified by Intune, you’re ready to move on.

 

Configure your Active Directory to use an additional UPN if required

 

You can skip this step if your Public DNS name is the same as your Active Directory Forest and Domain name. If that is the case, for example your lab domain is example.com and your Public DNS name is also example.com, skip over this section.

So your Public DNS name is either your own unique DNS name, which differs from your Active Directory Forest name, or the one Microsoft provided.

Either way, you will need to add it as an additional UPN suffix in your Active Directory, so that you can assign it as the UPN suffix of the Active Directory user accounts that’ll be used to enroll mobile devices.

Intune will then recognise the user when they attempt to enroll a device.

 

For this guide I built the lab using the following:

Mismatched DNS and AD names:

  • Public DNS: SystemCenter.co.uk
  • Active Directory: InternalLab.com

 

The procedure is quite straightforward for this lab environment: visit your Domain Controller and open Active Directory Domains and Trusts, right click the Active Directory Domains and Trusts [ Servername ] entry, select Properties, then add your UPN suffix:

 

image

 

You can see that I’ve already added an alternative UPN suffix for a Public DNS name that I own, SystemCenter.co.uk.

Add yours.

Once you’ve added your Public DNS name, or the <CompanyName>.onmicrosoft.com address Microsoft gave you, it’ll show up as an option when opening a user account in Active Directory Users and Computers.

Configure your Active Directory test user(s) UPN

Again, you’ll only need to handle the UPN change if your Public DNS name is different from your Active Directory Forest and Domain name. If that is not the case, and your lab domain is example.com and your Public DNS name is also example.com, then skip over this section.

For testing I suggest creating a new Active Directory user account specifically for enrollment; you can use an existing account if you wish.

 

image

 

For this test user, which will be used for device enrollment, under the Account tab of the user account’s properties you can see I’ve changed the UPN to the UPN suffix that I added using Active Directory Domains and Trusts. If you were using <CompanyName>.onmicrosoft.com as your public DNS name, the one Microsoft provides for free, you’d see it here and be able to choose it.

 

In Intune Hybrid mode with ConfigMgr, the principal reason why you want the AD users’ UPN suffixes to contain your Public DNS name, or the Microsoft provided <CompanyName>.onmicrosoft.com name, is so that their accounts are synchronised to Azure AD and recognised by Intune during enrollment, because that DNS name has been verified (added) in Intune.

Intune won’t recognise an AD user’s UPN if its suffix isn’t the verified Public DNS name or the DNS name that Microsoft provides. Since I expect no one will build a lab to match the Microsoft provided DNS name, most labs will have a mismatch rather than a match between the AD name and the DNS name, so the AD user has to carry the Public DNS name or the Microsoft provided DNS name as their UPN suffix in order to be recognised by Intune during enrollment.
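The same UPN suffix and user UPN changes, done from PowerShell rather than the Domains and Trusts and Users and Computers dialogs, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module on the lab Domain Controller, the post’s lab values (forest InternalLab.com, verified Public DNS name SystemCenter.co.uk), and a hypothetical test account called enrolltest; the second verified suffix in the audit list is a constructed placeholder.

```powershell
# Added example (not from the original post). Assumes RSAT ActiveDirectory,
# the post's lab forest InternalLab.com and verified domain SystemCenter.co.uk,
# and a hypothetical enrollment test user 'enrolltest'.
Import-Module ActiveDirectory

$VerifiedDomain = 'systemcenter.co.uk'          # domain Intune has verified
$TestUser       = 'enrolltest'                  # hypothetical sAMAccountName
# Every suffix Intune will accept; 'example.onmicrosoft.com' is a placeholder
# for the tenant name Microsoft gave you.
$VerifiedSuffixes = @($VerifiedDomain, 'example.onmicrosoft.com')

# 1. Register the suffix forest-wide (what the Domains and Trusts
#    Properties dialog does behind the scenes). Idempotent.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $VerifiedDomain) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $VerifiedDomain }
}

# 2. Re-read and confirm the suffix really landed before touching any user.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $VerifiedDomain) {
    throw "UPN suffix $VerifiedDomain was not added to forest $($forest.Name)"
}

# 3. Move the test user onto <sAMAccountName>@<verified domain>, the value
#    you would otherwise pick from the Account tab drop-down.
$user   = Get-ADUser -Identity $TestUser -Properties UserPrincipalName
$newUpn = "$($user.SamAccountName)@$VerifiedDomain"
if ($user.UserPrincipalName -ne $newUpn) {
    Set-ADUser -Identity $user -UserPrincipalName $newUpn
}

# 4. Audit: enabled users whose UPN suffix is NOT a verified domain. These
#    are exactly the accounts Intune will reject at enrollment time after
#    AD Connect has synced them, so fix them here rather than debugging
#    enrollment failures later.
Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
    Where-Object {
        $_.UserPrincipalName -and
        ($VerifiedSuffixes -notcontains $_.UserPrincipalName.Split('@')[1])
    } |
    Select-Object SamAccountName, UserPrincipalName
```

The audit in step 4 is worth re-running after every AD Connect sync cycle, since any account it lists will fail enrollment regardless of its licence.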

 

Synchronise your lab Active Directory with Azure Active Directory using ADConnect

 

Now we need to synchronise the on-premises (your lab) Active Directory (AD) with Azure Active Directory (AAD), so that AAD knows about your user accounts, and their UPN if it was changed.

This isn’t that difficult to set up in a lab environment: simply download ADConnect from here, install it onto your lab Domain Controller, provide it with your Intune Global Administrator account details, and enter the information it needs to synchronise the Active Directory objects to Azure. I’d let it replicate everything rather than restricting it, at least for setting up this lab.

Microsoft Docs has a good walkthrough on how to set up ADConnect here.

 

Provide the AD Users that you wish to allow to enroll devices, with an Intune license

 

Once the users start appearing in the Intune Portal (intune.office.com), you will be able to see if you’ve done all of this properly.

Go to Users > Active Users, and you should see the users from your lab’s AD listed.

 

image

 

Click on the user account you want to use for enrollment of a device. Note that it should be the one you will add to your ConfigMgr user-based collection for Intune users later on in this guide, when you integrate ConfigMgr with Intune.

Once the user is shown in the Intune Portal, select Edit under Product Licenses.

 

image

 

Now assign the EMS licence, the Intune licence, or both, to the Azure Active Directory user.

 

image
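The post-sync check and licence assignment above, done from PowerShell with the MSOnline module, as an added example that is not part of the original post. It assumes the MSOnline module is installed, the post’s verified domain SystemCenter.co.uk, a hypothetical synced user enrolltest, a GB usage location, and that the EMS E5 SKU is published under the part number EMSPREMIUM (check Get-MsolAccountSku output in your own tenant).

```powershell
# Added example (not from the original post). Assumes the MSOnline module,
# the post's verified domain SystemCenter.co.uk, a hypothetical user
# 'enrolltest' already synced by AD Connect, and a GB usage location.
Import-Module MSOnline
Connect-MsolService              # prompts for the Intune Global Administrator

$Upn = 'enrolltest@systemcenter.co.uk'

# 1. The synced object must exist and carry the verified suffix. If it still
#    shows the tenant's onmicrosoft.com name, the on-premises UPN change has
#    not synced yet and enrollment would fail for this user.
$cloudUser = Get-MsolUser -UserPrincipalName $Upn -ErrorAction Stop
if ($cloudUser.UserPrincipalName -notlike '*@systemcenter.co.uk') {
    throw "User synced with unexpected UPN $($cloudUser.UserPrincipalName)"
}

# 2. A usage location is mandatory before any licence can be assigned;
#    the portal sets it silently, PowerShell does not.
if (-not $cloudUser.UsageLocation) {
    Set-MsolUser -UserPrincipalName $Upn -UsageLocation 'GB'
}

# 3. Locate the EMS E5 SKU in the tenant and make sure a seat is free.
#    'EMSPREMIUM' is an assumption; confirm it against Get-MsolAccountSku.
$sku = Get-MsolAccountSku | Where-Object { $_.SkuPartNumber -eq 'EMSPREMIUM' }
if (-not $sku) { throw 'No EMS E5 SKU found in this tenant' }
if ($sku.ActiveUnits -le $sku.ConsumedUnits) { throw 'No free EMS E5 seats' }

# 4. Assign the licence only if the user does not already hold it, then
#    re-read the user so the result is verified rather than assumed.
$alreadyLicensed = $cloudUser.Licenses.AccountSkuId -contains $sku.AccountSkuId
if (-not $alreadyLicensed) {
    Set-MsolUserLicense -UserPrincipalName $Upn -AddLicenses $sku.AccountSkuId
}
(Get-MsolUser -UserPrincipalName $Upn).Licenses | Select-Object AccountSkuId
```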

 

Configure ConfigMgr with your Intune evaluation

 

This is it: once ConfigMgr is made the MDM Authority for Intune, you could technically perform device enrolments.

 

I’m using Technical Preview currently at 1702, and the procedure for setting up ConfigMgr to become the MDM Authority for your new Intune Evaluation isn’t that complicated at all.

 

Visit your Current Branch or Technical Preview Site server and make sure you have the Service Connection Point already set up as part of the Servicing feature of ConfigMgr (you probably let it install during setup). The Service Connection Point in Online mode is a mandatory requirement.

Add a Microsoft Intune Subscription from Administration \ Cloud Services \ Microsoft Intune Subscription node in the ConfigMgr Console.

The process is straightforward: it’ll ask you for your Intune Global Administrator username and password, the user-based collection you want to use to grant users permission to enroll their devices, and some branding information.

After the wizard finishes you then turn on the platforms you wish to support: Windows, iOS or Android.

The procedure for adding Intune to ConfigMgr is well documented, and as long as you have an Intune Evaluation, and the collection already created, passing through the wizard should be a breeze.

If you have issues with unexpected errors when trying to log in during integration of ConfigMgr with Intune, have a look at turning off IE’s compatibility mode, as well as setting IE to allow scripts to run.

Once you’ve completed this task, you can visit the Intune Portal at manage.microsoft.com to see that the MDM Authority has been set for ConfigMgr.

 

image

 

You will also want to enable and run an Active Directory User Discovery on the Site server, so that ConfigMgr knows about your AD users. Once done, you can then add your device enrollment account(s) to the collection referenced when you added the Intune subscription to ConfigMgr.

 

The platform is now ready for device enrollment.

 

Enroll devices

 

Now since we have three platforms to perform enrollment on, I’m going to stop here and leave it for future guides.

I enrolled a Samsung Galaxy S7 Edge with ease using Technical Preview Build 1702, and there is much more to cover. For now you should have Intune and ConfigMgr talking together nicely, your AD synchronising to your Azure AD, and your DNS all sorted out.

From here you can set up the platform details for iOS and attempt to configure settings for mobiles, diving into a technically rich area of activity right now: mobile device management.
