Microsoft Intune: April Update brings more features

April 20, 2015

Microsoft is updating its Intune service this week and will be introducing an additional set of new features.

A quick overview of the new cloud-only (or standalone) features that are part of this release:

  • Management of Office mobile apps (Word, Excel, and PowerPoint) for Android tablets.
  • Ability to restrict access to Exchange on-premises for Exchange ActiveSync clients on Android devices.
  • Ability to create WiFi profiles with pre-shared keys (PSK) for Android devices.
  • Ability to resolve certificate chains on Android devices without the need to deploy each intermediate certificate individually.
  • Deployment of .appx bundles to Windows Phone 8.1 devices.
  • Managed Browser app for iOS devices that controls actions that users can perform, including allow/deny access to specific websites.
  • Management of Work Folders app for iOS devices.
  • Updated Endpoint Protection agent for managing Windows PCs.
  • Ability to manage Windows Defender on Windows 10 PCs running Windows 10 Technical Preview without need for separate Microsoft Intune Endpoint Protection agent to be installed.
  • Combined Microsoft Intune Company Portal websites for PCs and mobile devices to provide a more consistent user experience across platforms.
  • Added Windows and Windows Phone Company Portal apps to the Microsoft Download Center to provide an additional option for accessing these app downloads.
  • Enhanced user interface for overview pages within Intune admin console.

Details on when the updates are taking place per service instance can be found here.

Until next time.

Tim


Update on the ConfigMgr 2012 Update Scan Issue – Windowsupdate.log Error 8007000E

April 16, 2015

Last week Kim blogged about an issue with Windows 7 and Software Updates that some of his customers had been reporting.

Kim had already outlined the issue and the symptoms, and also provided a few workarounds which may help in resolving it. Through this post I wanted to inform you that Microsoft has now published a blog post that:

a) gives some more details on the root cause of the problem

b) outlines some possible workarounds and

c) most importantly: states a hotfix is in the pipeline which will be available in (late) Q2

You can find the full details here.

I ran into the same issue at one of my customers last week and have been working with Microsoft support to get this resolved. Below you can read some findings and experiences from the past days.

The workaround to move wuauserv (Windows Update Agent) to its own SVCHost.exe instance did not prove to be very successful. Although we saw the scan job succeeding on a few clients at first, after a few additional scans the issue returned.

Next step was cleaning up WSUS. First we needed to verify what we could potentially clean up using the script provided by Microsoft.

To get things back on the rails, in the end the only successful method was to run the WSUS cleanup script to decline all superseded updates. Running the script with the -DeclineLastLevelOnly switch was not sufficient.

Important: Before running this cleanup script make sure to identify if any of the updates are still needed! It could be that a superseding update has not yet been released due to your internal approval and/or release processes!

And while you are checking that also note that the script output may be misleading. Set the LastLevel column filter to False if you are actually looking for the Last Level Superseded Updates.


Running the script itself took around 15 minutes.

Note: if you are running multiple SUPs in your environment you should only run this on one SUP – the one with Windows Update set as synchronization source.

Hope it helps!

Tim

UDM: Conditional Access – Saving of Access Rules to Exchange has failed (error: A2CE0100)

March 29, 2015

A few days ago we were working on extending our hybrid demo environment. We made some changes required to demonstrate conditional access with Exchange Online. Details on how we set things up will follow shortly in another post.

Once the basics were in place we implemented a policy that would block a user from accessing their mailbox when using an unmanaged device.

The policy was properly deployed to a collection which included my demo user; however, I noticed my demo user could still sync his mail on an iPhone 5 which was not enrolled. Even after an hour or two this condition remained unchanged so something was wrong.

Initial investigation did not show anything out of the ordinary in the Configuration Manager console. However in the Intune console I noticed an entry in the Alerts node:

Saving of Access Rules to Exchange has failed


Microsoft Intune was unable to set the requested mobile device access rules or related settings in Exchange due to the following error: A2CE0100

 


Unfortunately the “View Troubleshooting Information” link is broken. So is the one on the top right in the console and the right-click one. As such it was hard to find any further details on this specific error.

I made a few attempts to get things working, including the following:
– Modifying the compliance policy (increasing the revision number)
– Removing and adding the user from and to the target collection
– Removing and recreating the deployment of the compliance policy

I can confirm none of the above resolves the issue. The policy still did not get applied.

In the end, to get things working again what I had to do was to delete the compliance policy, recreate it from scratch, and deploy it again.

When syncing mail on the iPhone 5 a few minutes later, the policy kicked in.

Although the problem was solved and we now have a working demo scenario, in the end I have no idea what went wrong initially and how I could have been troubleshooting this in a more optimized way. Whatever it was it does not seem to resolve itself. Also the repeat count of the alert not increasing indicates the system itself does not do any retries.

I definitely see a few areas for improvement here:

  • Fixing the link to the troubleshooting information so the admin can troubleshoot properly and in a most optimized way.
  • Exposing Intune alerts to the Configuration Manager Console so the admin does not have to look in multiple locations.
  • Having the system retry the action “Saving of Access Rules” at least a few times. In case the alert repeat counter increases the admin can further look into a blocking issue. Otherwise there may have just been a glitch and the issue would have resolved itself.

If you are ever facing the same issue, I hope this article will save you some troubleshooting time!

Tim

Microsoft Intune: March updates quick overview

March 6, 2015

As announced previously Microsoft is planning to release updates to Intune on a monthly basis. The service update for March is ongoing as we speak and will include the following new features for Intune standalone:

  • Ability to streamline the enrollment of iOS devices purchased directly from Apple or an authorized reseller with the Device Enrollment Program (DEP)
  • Ability to restrict access to SharePoint Online and OneDrive for Business based upon device enrollment and compliance policies
  • Management of OneDrive apps for iOS and Android devices
  • Ability to deploy .appx files to Windows Phone 8.1 devices
  • Ability to restrict the number of devices a user can enroll in Intune

For hybrid customers (UDM) there is also a new feature:

  • The ability to create custom WiFi profiles with pre-shared keys (PSK) for Android devices

Unfortunately still a rather unfair balance for those working with a hybrid setup, although in the original announcement Microsoft is indicating that delivering new features for those hybrid customers remains a top priority as well.

More details on the Microsoft Intune blog.

Until next time.

Tim

UDM with ConfigMgr and Intune – why CU’s Matter

February 27, 2015

When delivering sessions on Unified Device Management (UDM) with Configuration Manager and Intune we have always stressed the fact that running on the latest CU level is really important. If you attended our most recent session in Zurich you may recall the following slide header:


A post that was published on the Configuration Manager Team Blog yesterday now gives a perfect overview on why those CU’s matter: as of CU2 there were a lot of fixes and improvements included related specifically to Mobile Device Management.

First there was CU2 which included fixes and improvements related to policies. CU3 included Simple Certificate Enrollment Protocol (SCEP) related fixes and the latest CU4 added the following:

  • Attempts to enroll a device in a user collection containing security groups will fail with an access denied error.
  • Inventory data collected from mobile devices and the Windows Intune connector may be for the wrong device if two devices synchronize simultaneously.
  • Hotfix extends client notification in System Center 2012 R2 Configuration Manager to MDM devices http://support2.microsoft.com/kb/2990658
  • Mobile Device Management settings are not applied to cloud-managed users in System Center 2012 R2 Configuration Manager http://support2.microsoft.com/kb/3002291

For a full history and overview of what was included in which CU have a look at the original post. Remember that these updates are cumulative so installing CU4 is sufficient as it includes everything from previous releases.

So our recommendation remains: apply the latest available Cumulative Update to your Configuration Manager environment as soon as possible!

Until next time!

Tim

Microsoft Intune: February update introduces more new features

February 6, 2015

The February update for Microsoft Intune just got announced on the Microsoft Intune blog. It will be released between February 6th (today!) and February 11th. You can check the status page for more specific timeframes here.

This update will include the following new features for Intune standalone:

  • Management of Office mobile apps (Word, Excel, and PowerPoint) for Android devices, including ability to restrict actions such as copy, cut, and paste outside of the managed app ecosystem.
  • Management of the OneNote app for iOS devices.
  • Ability to browse and install apps on Windows Phone 8.1 devices using Intune Company Portal website.
  • Deployment of WiFi profiles for Windows devices using XML import and Windows Phone devices using OMA-URI.
  • Support for Cisco AnyConnect per-app VPN configurations for iOS devices.
  • Ability to require encryption on Windows 8.1 (x86) devices.
  • Ability to set minimum classification of platform updates to be installed automatically on Windows 8.1 (x86) devices.

As part of the announcement Microsoft is also mentioning a more frequent release cadence: in the future they will be releasing new features to Intune on a monthly basis.

Have a nice weekend!

Tim

Implementing Configuration Manager 2012 R2 Cumulative Update 4

February 4, 2015

Earlier on I installed the newly released Cumulative Update 4 for Configuration Manager 2012 R2 in my lab. This blog post outlines the steps done during this implementation and can be used as a step-by-step guide.

First step is to get the sources for the CU here. The KB article also gives a full overview of the fixes and improvements in this update. As the name indicates, this update also contains all elements fixed or added in one of the previously released CU’s.

Note that this update is only applicable to Configuration Manager 2012 R2 – if you are currently still running Configuration Manager 2012 SP1 the latest available cumulative update is CU5.

The CU is applicable directly to the following components:

  • CAS
  • Primary Sites (standalone or in a hierarchy)
  • Secondary Sites
  • SMS Provider(s)
  • Console(s)

Additionally it contains updates for the following components:

  • CAS
  • Primary Sites
  • Secondary Sites
  • SMS Provider(s)
  • Consoles
  • Clients

The lab we are upgrading does not contain all the components listed above; a CAS and Secondary Site(s) are not present.

Primary site

Cumulative Updates for Configuration Manager are implemented top-down so we start with the site server of the standalone primary site. Before running the installer with elevated privileges ensure there are no more console connections.

The installation wizard kicks off.

On the welcome screen, click Next.

Accept the License Agreement and click Next.

Verify the prerequisite checks and click Next.

Leave the option to update the locally installed console.

Leave the option to update the site database and click Next.

During the setup process we can opt to create packages to support updating other components in the infrastructure. Leave the options to have these packages created and click Next.

Leave the default settings for the servers package and click Next.

Leave the default settings for the console package and click Next.

Leave the default settings for both the x86 and x64 client package and click Next.

Review the setup summary and click Install when ready.

Progress is shown for each action.

Install completed! Click Finish to close the wizard.

Notice the mention that a reboot is required.

If you are interested in the more technical details about the installation and would like to see what is happening behind the scenes, have a look at the log file cm12-r2cu4-kb3026739-x64-enu.log located in the %windir%\temp folder.

After the installation you can do a few verification checks to see if the CU got implemented.

First one is to look for the following entries in Programs & Features > View Installed Updates.


Second one would be to look in the registry in HKLM\Software\Microsoft\SMS\Setup.

And lastly you can also check the version in the console (see About Configuration Manager).
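A scripted form of the registry check above, extended with the installer log and the local client version. This is an added example, not part of the original post; it assumes the CU level is stored in the CULevel value of the Setup key and uses the CU4 client version 5.00.7958.1501 quoted in the client query further down.

```powershell
# Added example (not from the original post). Run elevated on the machine to check.
# Assumption: the CU level is the CULevel value under the Setup key named in the post.
$SetupKey     = 'HKLM:\SOFTWARE\Microsoft\SMS\Setup'
$Cu4ClientVer = [version]'5.00.7958.1501'    # CU4 client version quoted in the post
$Cu4Log       = Join-Path $env:windir 'Temp\cm12-r2cu4-kb3026739-x64-enu.log'

function Get-Cu4Status {
    $result = [ordered]@{
        Computer      = $env:COMPUTERNAME
        SiteCuLevel   = $null     # stays $null when this is not a site server
        SiteAtCu4     = $false
        InstallLog    = Test-Path -LiteralPath $Cu4Log
        ClientVersion = $null     # stays $null when no ConfigMgr client is installed
        ClientAtCu4   = $false
    }

    # Registry check on the site server.
    $setup = Get-ItemProperty -Path $SetupKey -ErrorAction SilentlyContinue
    if ($setup -and $null -ne $setup.CULevel) {
        $result.SiteCuLevel = [int]$setup.CULevel
        $result.SiteAtCu4   = $result.SiteCuLevel -ge 4
    }

    # Client check: the agent exposes its version through WMI (root\ccm).
    try {
        $client = Get-WmiObject -Namespace 'root\ccm' -Class 'SMS_Client' -ErrorAction Stop
        $result.ClientVersion = $client.ClientVersion
        # Compare as versions so a client newer than CU4 also passes.
        $result.ClientAtCu4   = ([version]$client.ClientVersion) -ge $Cu4ClientVer
    }
    catch {
        # No root\ccm namespace: the ConfigMgr client is not installed here.
    }

    [pscustomobject]$result
}

Get-Cu4Status | Format-List
```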


As we opted to have some packages created to support implementing the CU in our environment these should now also be visible in the console. Go to the software library and select packages. Select the Configuration Manager Updates folder and then type CU4 in the search box to quickly locate those packages.


Important: Do not forget to distribute the content of these packages to your Distribution Points!

Important (2): Do not forget to update your boot images. This can be done by selecting a boot image, right-clicking it and then selecting the action to Update Distribution Points.

Secondary Sites

If there are any Secondary Sites in your environment the next step is to implement the CU on those sites. The server update package can be used to automate this. To target the site servers a collection can be built which is populated based on the following query:

    select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
    from SMS_R_System
    inner join SMS_G_System_ADD_REMOVE_PROGRAMS_64 on SMS_G_System_ADD_REMOVE_PROGRAMS_64.ResourceId = SMS_R_System.ResourceId
    where SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName = "System Center 2012 R2 Configuration Manager Secondary Site Setup"

Consoles

As part of the implementation process on the site server the locally installed console was updated. Any remaining remote consoles in the environment can be updated using the console upgrade package.

To build a collection containing the machines with the console installed the following query could be used:

    select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
    from SMS_R_System
    inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceId = SMS_R_System.ResourceId
    where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "System Center 2012 R2 Configuration Manager Console"

Clients

Last but not least we also need to get the CU installed on our clients. There are multiple approaches to accomplish this; one method could be to deploy the client update packages created automatically during the implementation process.

As there is a package per processor architecture we will also create matching collections to target our deployments. This is an example query for a collection containing all 64-bit clients with a client version not equal to CU4:

    select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
    from SMS_R_System
    inner join SMS_G_System_SYSTEM on SMS_G_System_SYSTEM.ResourceID = SMS_R_System.ResourceId
    where SMS_R_System.ClientVersion != "5.00.7958.1501" and SMS_G_System_SYSTEM.SystemType = "X64-based PC"

The query for the collection with 32-bit clients is identical; just replace "X64-based PC" with "X86-based PC".
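Both client collections can be created from one query template with the ConfigMgr PowerShell module. This is an added example, not part of the original post; the site code PS1 and the collection and rule names are placeholders chosen here.

```powershell
# Added example, not from the original post.
# Assumptions: run on a machine with the ConfigMgr console installed;
# 'PS1' is a placeholder site code; collection and rule names are made up here.
$SiteCode   = 'PS1'
$Cu4Version = '5.00.7958.1501'    # CU4 client version used in the query above

# The console sets SMS_ADMIN_UI_PATH to ...\AdminConsole\bin\i386;
# the PowerShell module sits one level up.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

function Get-Cu4ClientQuery {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('X64', 'X86')]
        [string]$Architecture
    )
    # Same WQL as in the post, with version and architecture filled in.
    $select = 'select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,' +
              'SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,' +
              'SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_SYSTEM ' +
              'on SMS_G_System_SYSTEM.ResourceID = SMS_R_System.ResourceId '
    $where  = 'where SMS_R_System.ClientVersion != "{0}" ' +
              'and SMS_G_System_SYSTEM.SystemType = "{1}-based PC"'
    $select + ($where -f $Cu4Version, $Architecture)
}

foreach ($arch in 'X64', 'X86') {
    $name = "Clients not at CU4 ($arch)"
    if (Get-CMDeviceCollection -Name $name) {
        Write-Warning "Collection '$name' already exists, skipping."
        continue
    }
    New-CMDeviceCollection -Name $name -LimitingCollectionName 'All Systems' | Out-Null
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $name `
        -RuleName "Client version is not CU4 ($arch)" `
        -QueryExpression (Get-Cu4ClientQuery -Architecture $arch)
}
```

The `!=` in the query is a string inequality, so a client already on a later update level also lands in these collections; retire or adjust them once a newer CU is rolled out.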

A client with CU4 installed will display the following version in its properties:


Version numbers for some of the components are also updated:


As you can see the experience for implementing this CU is pretty straightforward and identical to the previously released CU’s.

Until next time!

Tim
