Tuesday, 23 June 2020

Microsoft Endpoint Manager tenant attach.

Introduction

There are various ways to build a bridge between your on-premises Configuration Manager infrastructure and your Azure tenant. Understandably, many administrators exercise great caution before making major changes to their on-premises management capabilities and will push back against any change until their confidence is high.

The cloud offers so many advantages for device management that pushing back indefinitely is no longer a plausible approach, and tenant attach is a low-risk way to make a start. It uploads your Configuration Manager device records to the Microsoft Endpoint Manager admin center and lets you run client actions from there, without moving any workloads to Intune. There is no requirement to already have a Cloud Management Gateway (CMG) configured, and setup requires only a few clicks of a wizard.

In this blog I take a very fresh Configuration Manager installation on technical preview build 2005 and configure tenant attach. The Azure tenant is also a fresh configuration: no clients are on the tenant and only three clients are on the on-premises SCCM site, the primary site server itself and a domain controller, both running Windows Server 2019 (version 1809), and one Windows 10 client on version 2004.

The SCCM site is not even configured for co-management, nor for PKI (HTTPS client communication), although of course in production it should be. The point here is to illustrate the simplicity of the tenant attach feature.

Using the Configure co-management Wizard

1) Open the Configuration Manager console and navigate to Administration\Overview\Cloud Services\Co-management. Right-click and select Configure co-management. The co-management configuration wizard window appears. We do not want to enable co-management, so deselect Enable automatic client enrollment for co-management.



3) Click on Sign In and enter your Intune (Azure AD) account credentials. The account must be a Global Administrator in the tenant, because the wizard registers an Azure AD application on your behalf. Enter the user name, click Next, then the password and Next again. When the Sign in option is grayed out as shown, you are ready to click on Next.



4) Click on Next. A message appears stating that an Azure AD application will be registered in your tenant. Click on Yes to create the application. This registration is what the site uses to authenticate its uploads, so treat it like any other privileged app registration: it should appear afterwards under App registrations in Azure AD, and it should not be removed while tenant attach is in use.



5) The Configure upload to Microsoft Endpoint Manager window appears. Ensure that All my devices is selected (or a specific collection if you prefer a smaller pilot) and also select Enable Endpoint Analytics for devices uploaded to Microsoft Endpoint Manager.




6) Click on Next. The Enable co-management window appears. In this exercise we do not want to enable co-management, so ensure None is selected for Automatic enrollment in Intune and click on Next again.


7) The Workloads window appears; again click on Next without modifying the defaults.


8) The Staging window appears. Click on Next to continue.


9) The Summary window appears. Click on Next to complete the tenant attach.






Uploads to the tenant occur every 15 minutes, so allow at least that long before expecting devices to appear in the admin center.

Verify Machine Accounts in the Microsoft Endpoint Manager

Open the Microsoft Endpoint Manager admin center for your tenant and navigate to Devices\All devices. Your SCCM devices should appear; in this case the three machines with an SCCM client are now showing in the portal. If they do not, troubleshoot by examining CMGatewaySyncUploadWorker.log on the server holding the service connection point role, which in this lab is the primary site server itself.
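The log is in the usual CMTrace format, which is awkward to grep by hand. The following is an added example, not code from the original post or from Microsoft: a small PowerShell parser for that format that pulls out the warning and error entries so a failed upload can be spotted without opening CMTrace. The default log path assumes the default Configuration Manager install directory, and the sample entries at the bottom are constructed for the demonstration, not copied from a real CMGatewaySyncUploadWorker.log.

```powershell
# Added example (not from the original post): parse CMTrace-format logs and
# surface warnings/errors. Assumptions: default install path for the log,
# and constructed sample entries below (component/message text is placeholder).

function ConvertFrom-CMTraceLog {
    param([Parameter(Mandatory)][string]$Content)
    # One CMTrace entry looks like:
    #   <![LOG[message]LOG]!><time="..." date="..." component="..." context="" type="N" thread="..." file="...">
    # type 1 = informational, 2 = warning, 3 = error. Singleline lets a message span lines.
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)"\s+date="(?<date>[^"]*)"\s+component="(?<comp>[^"]*)"[^>]*?type="(?<type>\d)"[^>]*>'
    $severityNames = @{ 1 = 'Info'; 2 = 'Warning'; 3 = 'Error' }
    foreach ($m in [regex]::Matches($Content, $pattern, 'Singleline')) {
        $sev = $severityNames[[int]$m.Groups['type'].Value]
        [pscustomobject]@{
            Date      = $m.Groups['date'].Value
            Time      = $m.Groups['time'].Value
            Component = $m.Groups['comp'].Value
            Severity  = if ($sev) { $sev } else { 'Unknown' }
            Message   = $m.Groups['msg'].Value.Trim()
        }
    }
}

function Get-CMLogProblems {
    param([string]$Path = 'C:\Program Files\Microsoft Configuration Manager\Logs\CMGatewaySyncUploadWorker.log')
    # Read the whole file so multi-line messages are kept together.
    $entries = ConvertFrom-CMTraceLog -Content (Get-Content -Path $Path -Raw)
    $entries | Where-Object Severity -in 'Warning', 'Error'
}

# Constructed sample entries (placeholders, not real site output) to show the parser at work.
$sample = @'
<![LOG[Sync upload worker starting]LOG]!><time="10:15:01.123+000" date="06-23-2020" component="SAMPLE_COMPONENT" context="" type="1" thread="4321" file="">
<![LOG[Token acquisition failed for the tenant application]LOG]!><time="10:15:02.456+000" date="06-23-2020" component="SAMPLE_COMPONENT" context="" type="3" thread="4321" file="">
<![LOG[Retrying in 15 minutes]LOG]!><time="10:15:02.457+000" date="06-23-2020" component="SAMPLE_COMPONENT" context="" type="2" thread="4321" file="">
'@
ConvertFrom-CMTraceLog -Content $sample |
    Where-Object Severity -in 'Warning', 'Error' |
    Format-Table Time, Severity, Message -AutoSize

# On a real site server: Get-CMLogProblems | Format-Table Date, Time, Severity, Message -Wrap
```

Run against the sample, the output lists the type 3 and type 2 entries only. The same parser works for any other Configuration Manager log in CMTrace format, so it is worth keeping around for the co-management logs as well.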








Monday, 22 June 2020

Microsoft Endpoint Configuration Manager and SQL collation

Some will have done this: SCCM (or Microsoft Endpoint Configuration Manager as it is now called) requires the SQL_Latin1_General_CP1_CI_AS collation to be specified when installing SQL Server. We install SQL Server before installing SCCM, and because this collation is not the default on a server with a non-US Windows locale (a UK-locale server defaults to Latin1_General_CI_AS) we then have to go back and reinstall SQL Server with the correct collation. And even when we have specified the correct collation we can still get the collation error when running the SCCM prerequisite checker.

And why is this? The clue may lie in the next failed check, SQL Server sysadmin rights. Ensure that the account running setup is a member of the sysadmin fixed server role. Without those rights the checker cannot read the collation, so it reports the collation check as failed even though the collation is correct.


In addition, ensure that the Named Pipes protocol is enabled in SQL Server Configuration Manager, under both the server network configuration and the client protocols.


And you should also check that the SQL Server (MSSQLSERVER) service is running.
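Those checks are quick to script so they can be run as the setup account before the prerequisite checker is. The following is an added example, not from the original post: it confirms the service is running, reads the server collation and whether the calling login is sysadmin, and reads the server-side Named Pipes flag from the registry. It assumes the default instance MSSQLSERVER, Windows authentication, and that the Named Pipes setting lives under the instance's SuperSocketNetLib\Np registry key, as it does on recent SQL Server versions; the exact path is an assumption to verify on your version.

```powershell
# Added example (not from the original post): pre-flight check for the SCCM
# SQL prerequisites discussed above. Assumptions: default instance
# MSSQLSERVER, Windows authentication, registry layout of SQL Server 2012+.

$ExpectedCollation = 'SQL_Latin1_General_CP1_CI_AS'
$InstanceName      = 'MSSQLSERVER'   # a named instance runs as the service MSSQL$NAME

function Test-SqlServiceRunning {
    param([string]$ServiceName = $InstanceName)
    (Get-Service -Name $ServiceName -ErrorAction Stop).Status -eq 'Running'
}

function Get-SqlCollationAndRights {
    param([string]$Server = 'localhost')
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$Server;Integrated Security=True"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        # IS_SRVROLEMEMBER reports on the caller, so run this script as the account that will run SCCM setup.
        $cmd.CommandText = "SELECT CAST(SERVERPROPERTY('Collation') AS nvarchar(128)) AS Collation, IS_SRVROLEMEMBER('sysadmin') AS IsSysadmin, SUSER_SNAME() AS LoginName"
        $r = $cmd.ExecuteReader()
        [void]$r.Read()
        $result = [pscustomobject]@{
            LoginName  = $r['LoginName']
            Collation  = $r['Collation']
            IsSysadmin = ([int]$r['IsSysadmin'] -eq 1)
        }
        $r.Close()
        $result
    }
    finally { $conn.Close() }
}

function Test-NamedPipesEnabled {
    param([string]$Instance = $InstanceName)
    # Map the instance name to its ID (for example MSSQL15.MSSQLSERVER), then read the Np protocol flag.
    $id    = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL').$Instance
    $npKey = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$id\MSSQLServer\SuperSocketNetLib\Np"
    [int](Get-ItemProperty -Path $npKey -Name Enabled).Enabled -eq 1
}

function Test-SccmSqlPrereqs {
    $results = [ordered]@{ 'SQL Server service running' = (Test-SqlServiceRunning) }
    if ($results['SQL Server service running']) {
        $sql = Get-SqlCollationAndRights
        $results["Collation is $ExpectedCollation (found $($sql.Collation))"] = ($sql.Collation -eq $ExpectedCollation)
        $results["$($sql.LoginName) is a member of sysadmin"] = $sql.IsSysadmin
    }
    $results['Named Pipes enabled (server side)'] = Test-NamedPipesEnabled
    foreach ($k in $results.Keys) {
        $status = if ($results[$k]) { 'PASS' } else { 'FAIL' }
        "$status  $k"
    }
    # Overall verdict: $true only when every check passed.
    -not ($results.Values -contains $false)
}

Test-SccmSqlPrereqs
```

The client-side Named Pipes setting (under the SQL Native Client configuration) is still a manual check in SQL Server Configuration Manager. If the sysadmin line reports FAIL, fix that first; as noted above, the collation check in the prerequisite checker fails for the same account regardless of the actual collation.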



Wednesday, 17 June 2020

Using Azure Administrative Units

Introduction

Administrative Units are a great way to logically partition the administration of the various departments in your organisation and to delegate administrative privileges to particular members of each department. The security point is scope: a role assigned within an Administrative Unit applies only to the users and groups in that unit, so a departmental administrator gets least-privilege rights over their own department instead of the tenant-wide role.

In this article we go through the process of creating Administrative Units for a hypothetical book store organisation called Great Books. This store has two administrative departments, one for works of fiction and one for non-fiction. We will create and configure the following:


  • A user called FictionClerk for the fiction department.
  • A user called NonFictionClerk for the non-fiction department.
  • A departmental administrator called FictionAdmin for the fiction department.
  • A departmental administrator called NonFictionAdmin for the non-fiction department.
  • A group called Great Books of Fiction (optional).
  • A group called Great Books of Non Fiction (optional).
  • An Administrative Unit called Non Fiction Unit.
  • An Administrative Unit called Fiction Unit.
  • Populate the Administrative Units with their respective groups.
  • Populate the Administrative Units with their respective users.
  • Configure the Roles and administrators for each Administrative Unit.
  • Apply the correct license to each unit administrator.

We will then test a scenario in which FictionAdmin resets the password of FictionClerk, and a second scenario in which FictionAdmin attempts to reset the password of NonFictionClerk, who is outside FictionAdmin's unit.

Create the Users

Open the Azure portal, navigate to Azure Active Directory\Users\All users and click on New user to create the FictionAdmin user as follows.

User name: FictionAdmin
Name: FictionAdmin
Password: Let me create the password (and set it as desired)
Block Sign in: No
Usage location: United Kingdom




Click on Create and the FictionAdmin user is created.  Do the same for the FictionClerk, NonFictionClerk and NonFictionAdmin users.

Create the Groups

In the Azure portal navigate to Groups\All groups and click on New group.

Create the Great Books of Fiction group as follows:

Membership type: Assigned
Source: Cloud
Type: Security
Members: FictionAdmin, FictionClerk




Create the Great Books of Non Fiction group as follows:

Membership type: Assigned

Source: Cloud
Type: Security
Members: NonFictionAdmin, NonFictionClerk

Create the Administrative Units


Navigate to Administrative Units (Preview), click on Add and create the Non Fiction Unit as follows:

Name: Non Fiction Unit
Description: Non Fiction Unit




Create the Fiction unit as follows:

Name: Fiction Unit

Description: Fiction Unit

Populate the Administrative Units with their respective groups

Navigate to Administrative Units (Preview), click on the Non Fiction Unit, click on Groups and then Add, and ensure that the Great Books of Non Fiction group is added.
Likewise navigate to Administrative Units (Preview), click on the Fiction Unit, click on Groups and then Add, and ensure that the Great Books of Fiction group is added.

Populate the Administrative Units with their respective users

Navigate to Administrative Units (Preview), click on the Fiction Unit, click on Users and then Add member, and ensure that the FictionClerk user is added.


Do the same on the Non Fiction Unit, ensuring that the NonFictionClerk account is added to the Users of that Administrative Unit.

Configure the Roles and Administrators

Navigate to Administrative Units (Preview) and select the Fiction Unit and click on Roles and administrators (Preview)

Click on the Password administrator role, then click on Add assignments and select the FictionAdmin user.



Click on Add and the FictionAdmin user is added to the Password administrator role, scoped to the Fiction Unit only.



Complete the above also for the Non Fiction Unit, ensuring that the NonFictionAdmin user is added to the Password administrator role there.


Apply the License for each Administrative Unit administrator

Navigate to All users, select the FictionAdmin account and click on Licenses. Click on Assignments, under Select licenses tick Azure Active Directory Premium (P1 or P2) and ensure that the respective license option service is selected. An Azure AD Premium P1 license is required for each administrative unit administrator; ordinary members of a unit do not need one for the delegation to work.




Repeat the above for the NonFictionAdmin account. In this walkthrough the FictionClerk and NonFictionClerk accounts are licensed as well, although the delegation does not depend on it.

Test Scenario - The FictionAdmin resets a password for the FictionClerk account

Log in to the Azure portal with the FictionAdmin account, navigate to Azure Active Directory and Users, and select the FictionClerk user.




Click on Reset password and confirm. A temporary password is then presented for the FictionClerk user.

Test Scenario - The FictionAdmin resets a password for the  NonFictionClerk account

Log in to the Azure portal with the FictionAdmin account, navigate to Azure Active Directory and Users, and select the NonFictionClerk user account.

Click on Reset password. A message appears stating that this operation is not possible: FictionAdmin's Password administrator assignment is scoped to the Fiction Unit, and NonFictionClerk is not a member of it, so the directory refuses the reset. Note that scoping limits where the role applies, not what it can do; a Password administrator, scoped or not, still cannot reset the password of a user who holds an administrator role.
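The same build-out can be scripted, which is also the easiest way to review afterwards exactly what was delegated. The following is an added example, not from the original post, using the AzureAD PowerShell module (the AzureADPreview module carried the administrative unit cmdlets in mid-2020; both have since been deprecated in favour of Microsoft Graph PowerShell). It assumes a placeholder tenant domain of greatbooks.onmicrosoft.com, that the session is signed in as a Global Administrator, and that the Azure AD Premium P1 SKU (AAD_PREMIUM) is available in the tenant; the Gb-prefixed function names are mine.

```powershell
# Added example (not from the original post): the Great Books walkthrough as
# a script. Assumptions: AzureADPreview module, Global Administrator session,
# placeholder domain below, AAD_PREMIUM SKU present in the tenant.

Import-Module AzureADPreview
Connect-AzureAD | Out-Null
$Domain = 'greatbooks.onmicrosoft.com'   # placeholder tenant domain

function New-GbUser {
    param([string]$Name)
    $profile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
    $profile.Password = Read-Host -Prompt "Temporary password for $Name"
    $profile.ForceChangePasswordNextLogin = $true
    # UsageLocation is set here because a licence cannot be assigned without one.
    New-AzureADUser -DisplayName $Name -UserPrincipalName "$Name@$Domain" -MailNickName $Name `
        -AccountEnabled $true -UsageLocation 'GB' -PasswordProfile $profile
}

function New-GbGroup {
    param([string]$DisplayName, [string[]]$MemberIds)
    $g = New-AzureADGroup -DisplayName $DisplayName -MailEnabled $false -SecurityEnabled $true `
        -MailNickName ($DisplayName -replace '\s', '')
    foreach ($id in $MemberIds) { Add-AzureADGroupMember -ObjectId $g.ObjectId -RefObjectId $id }
    $g
}

function New-GbAdminUnit {
    param([string]$Name, [string[]]$MemberIds)
    $au = New-AzureADMSAdministrativeUnit -DisplayName $Name -Description $Name
    foreach ($id in $MemberIds) { Add-AzureADMSAdministrativeUnitMember -Id $au.Id -RefObjectId $id }
    $au
}

function Add-GbScopedPasswordAdmin {
    param($AdminUnit, $User)
    # A directory role has to be activated from its template before it can be assigned.
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object DisplayName -eq 'Password Administrator'
    $role = Get-AzureADDirectoryRole | Where-Object RoleTemplateId -eq $template.ObjectId
    if (-not $role) { $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId }
    $member = New-Object -TypeName Microsoft.Open.MSGraph.Model.MsRoleMemberInfo
    $member.Id = $User.ObjectId
    # Scoped membership: the role applies only to members of this AU, not tenant-wide.
    Add-AzureADMSScopedRoleMembership -Id $AdminUnit.Id -RoleId $role.ObjectId -RoleMemberInfo $member
}

function Grant-GbPremiumLicense {
    param($User)
    $sku = Get-AzureADSubscribedSku | Where-Object SkuPartNumber -eq 'AAD_PREMIUM'
    $lic = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
    $lic.SkuId = $sku.SkuId
    $set = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
    $set.AddLicenses = $lic
    Set-AzureADUserLicense -ObjectId $User.ObjectId -AssignedLicenses $set
}

# 1. Users
$u = @{}
foreach ($n in 'FictionAdmin', 'FictionClerk', 'NonFictionAdmin', 'NonFictionClerk') { $u[$n] = New-GbUser -Name $n }

# 2. Groups (optional in the walkthrough)
$gFiction    = New-GbGroup -DisplayName 'Great Books of Fiction'     -MemberIds $u.FictionAdmin.ObjectId, $u.FictionClerk.ObjectId
$gNonFiction = New-GbGroup -DisplayName 'Great Books of Non Fiction' -MemberIds $u.NonFictionAdmin.ObjectId, $u.NonFictionClerk.ObjectId

# 3. Administrative units populated with their group and their clerk
$auFiction    = New-GbAdminUnit -Name 'Fiction Unit'     -MemberIds $gFiction.ObjectId, $u.FictionClerk.ObjectId
$auNonFiction = New-GbAdminUnit -Name 'Non Fiction Unit' -MemberIds $gNonFiction.ObjectId, $u.NonFictionClerk.ObjectId

# 4. Scoped role assignments and the P1 licence each AU administrator needs
Add-GbScopedPasswordAdmin -AdminUnit $auFiction    -User $u.FictionAdmin
Add-GbScopedPasswordAdmin -AdminUnit $auNonFiction -User $u.NonFictionAdmin
Grant-GbPremiumLicense -User $u.FictionAdmin
Grant-GbPremiumLicense -User $u.NonFictionAdmin

# 5. Review exactly what was delegated in the Fiction Unit
Get-AzureADMSScopedRoleMembership -Id $auFiction.Id | Format-List

# 6. The two test scenarios, run from a separate session signed in as FictionAdmin:
#   Connect-AzureAD -AccountId "FictionAdmin@$Domain"
#   $new = Read-Host 'New password' -AsSecureString
#   Set-AzureADUserPassword -ObjectId "FictionClerk@$Domain"    -Password $new   # succeeds: in the Fiction Unit
#   Set-AzureADUserPassword -ObjectId "NonFictionClerk@$Domain" -Password $new   # denied: outside the scope
```

Step 5 is the part worth keeping as a routine check: Get-AzureADMSScopedRoleMembership lists, per unit, which accounts hold which role, which is what you would audit to confirm no departmental administrator has quietly been given a tenant-wide assignment instead.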