Intune Mobile App Assignment Exclude AAD Group Option

Intune App Assignment Include Exclude Azure AD Groups Microsoft Intune

The Microsoft Intune team deprecated the application assignment type “Not Applicable” for good reasons. So, you do not need to worry when you don’t see the “Not Applicable” assignment type in your Intune tenant.

“Not Applicable” will no longer be an option in the console but will be replaced by “Excluded Groups.” The Exclude Group option was already available for Configuration policies and is useful.

Do you remember the Groups in the Intune Silverlight portal? There was exclusion logic used in Intune groups in the Silverlight portal. I think the excluded Azure AD groups used in app assignments do not use nested group logic (Implicit Exclusion Groups).

I’m trying to explain two application assignment scenarios using Intune’s “Excluded Groups” logic in this post.

What are the New Features of Intune’s “Excluded Groups”

Intune has a new app assignment process with an “Excluded Groups” option. Using this option, you can now easily manage app assignments to groups with overlapping members or to groups targeted with conflicting app assignment types.

What Is the Effect of the Deprecation of “Not Applicable”?

Previously, the app assignment process in the Intune on Azure console allowed targeting groups with the “Not Applicable” assignment type. This will no longer be the case. The “Excluded Groups” option will replace the “Not Applicable” option.

This new feature manages app assignments, allowing an app to target a large group of users or devices while restricting it to a subset of the same group.

  • https://blogs.technet.microsoft.com/intunesupport/2018/02/02/new-feature-new-app-assignment-process-in-intune-with-an-excluded-groups-option/

What Do I Need to Do to Prepare for this Change?

Start using the new app assignment process and update your documentation if needed. Click on Additional Information to see screenshots and to read about different scenarios where this new feature can help you manage your app assignments.

I will try briefly explaining the new feature of excluded groups in Intune using the following two scenarios. I also have a video tutorial that explains both of these scenarios.

  • Scenario A – Facebook is available for All Users Except “Mumbai Users”
  • Scenario B – WhatsApp is available for All Bangalore Users Except the “L1 Team”
Intune App Assignment Include Exclude Azure AD Groups Microsoft Intune – Table 1

Scenario A

I want to make the Facebook application available to “All Users” in the organization, but it should not be available for “Mumbai Users.”

Intune App Assignment Include Exclude Azure AD Groups Microsoft Intune – Video 1

Launch Azure Portal and navigate to Microsoft Intune—Mobile Apps—Apps. Select the Facebook app that you want to assign. A dashboard related to the app is displayed.

  1. Select Assignments under the Manage section.
  2. Select Add Group to add the groups of users who are assigned the app.
  3. Select an Assignment type from the available types on the Add group blade. The available app assignments are “Available for enrolled devices,” “Available with or without enrollment,” and “Required.”
  4. Select “Available for enrolled devices” as the assignment type.
  5. Select Included Groups to select the group of users to whom you want to make the Facebook app available.
  6. Select Yes to make “this app available to all users with enrolled devices”.
  7. Click OK to set the group to include.
  8. Select Excluded Groups to select the groups of users for whom you want to make the Facebook app unavailable.
  9. Select the “Mumbai Users” group to exclude, which makes the Facebook app unavailable for the users in the Mumbai Users Azure AD group.
  10. Click OK on the Add group blade. The app Assignments list is displayed.
  11. Click Save to make your group assignments active for the Facebook app.
Intune App Assignment Include Exclude Azure AD Groups Microsoft Intune - Fig.1

Scenario B

I want to make the WhatsApp application available to “All Bangalore Users” in the organization, but it should not be available for the “L1 Team.” The video tutorial “Intune App Assignment Include Exclude Azure AD Groups” includes more details.

  1. We need to follow the above steps from 1 to 7.
  2. Select Included Groups to select the groups of users to whom you want to make the WhatsApp application available.
  3. Select the “All Bangalore Users” Azure AD group to include, making this WhatsApp app available to users in that group.
  4. Click OK on the Add group blade to include the users. The app Assignments list is displayed to All Bangalore Users.
  5. Select Excluded Groups to select the groups of users for whom you want to make the WhatsApp app unavailable.
  6. Select the “L1 Team” group to exclude, making the WhatsApp app unavailable for the L1 Team Azure AD group users.
  7. Click OK on the Add group blade. The app Assignments list is displayed.
  8. Click Save to activate your group assignments for the WhatsApp app.
Intune App Assignment Include Exclude Azure AD Groups Microsoft Intune - Fig.2
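
Scenarios A and B above, expressed as the request bodies accepted by the Microsoft Graph mobileApp "assign" action. This is an added example, not part of the original post; the function name, the group IDs and the app ID are placeholders.

```powershell
# Added example (not from the original post). Builds the JSON body for
# POST /deviceAppManagement/mobileApps/<app-id>/assign from include/exclude lists.
# Placeholders: New-AppAssignmentBody, every group ID below, and <app-id>.

function New-AppAssignmentBody {
    param(
        # available = "Available for enrolled devices"
        # availableWithoutEnrollment = "Available with or without enrollment"
        [ValidateSet('available', 'required', 'availableWithoutEnrollment')]
        [string]   $Intent = 'available',
        [string[]] $IncludeGroupId = @(),
        [string[]] $ExcludeGroupId = @(),
        [switch]   $AllUsers
    )

    # A group listed on both sides is almost always a mistake; fail early.
    $overlap = $IncludeGroupId | Where-Object { $ExcludeGroupId -contains $_ }
    if ($overlap) {
        throw "Group(s) both included and excluded: $($overlap -join ', ')"
    }
    if (-not $AllUsers -and -not $IncludeGroupId) {
        throw 'Nothing is included: pass -AllUsers or at least one -IncludeGroupId.'
    }

    # One target per included or excluded group.
    $targets = @()
    if ($AllUsers) {
        $targets += @{ '@odata.type' = '#microsoft.graph.allLicensedUsersAssignmentTarget' }
    }
    foreach ($id in $IncludeGroupId) {
        $targets += @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $id }
    }
    foreach ($id in $ExcludeGroupId) {
        $targets += @{ '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget'; groupId = $id }
    }

    @{
        mobileAppAssignments = @(
            foreach ($t in $targets) {
                @{
                    '@odata.type' = '#microsoft.graph.mobileAppAssignment'
                    intent        = $Intent
                    target        = $t
                }
            }
        )
    } | ConvertTo-Json -Depth 5
}

# Scenario A: all users except "Mumbai Users" (placeholder group ID).
$scenarioA = New-AppAssignmentBody -AllUsers `
    -ExcludeGroupId '00000000-0000-0000-0000-00000000000a'

# Scenario B: "All Bangalore Users" except "L1 Team" (placeholder group IDs).
$scenarioB = New-AppAssignmentBody `
    -IncludeGroupId '00000000-0000-0000-0000-00000000000b' `
    -ExcludeGroupId '00000000-0000-0000-0000-00000000000c'

$scenarioA
$scenarioB

# To apply a body (needs the Microsoft.Graph.Authentication module and a
# signed-in session with permission to manage apps):
#   Invoke-MgGraphRequest -Method POST -Body $scenarioA -ContentType 'application/json' `
#       -Uri 'https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps/<app-id>/assign'
```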

Author

Anoop C Nair has been a Microsoft MVP for 10 consecutive years, from 2015 onwards. He is a Workplace Solution Architect with more than 22 years of experience in Workplace technologies. He is a Blogger, Speaker, and Local User Group Community leader. His main focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, Microsoft Security, Career, etc.

Reassign DPs Offset Days Phased Deployments

Reassign DPs Offset Days Phased Deployments with SCCM 1801

Let us look at the Reassign DPs, Offset Days, and Phased Deployments features of SCCM 1801. The Microsoft SCCM product group released SCCM CB preview 1801 with many new features. I think they are getting all set for the big bang SCCM CB 1802 production release with loads of new features.

The video tutorial “Reassign DPs Offset Days Phased Deployments” here can give you a visual experience of all of my favorite features of 1801.

This post covers everything you need to know about adjusting the offset days for phased deployments using SCCM 1801.

We will break down how to reassign these settings in simple steps, making it easier to manage your deployment schedule effectively. Whether you are new to SCCM or need a refresher, this guide will help you navigate the process smoothly.

My Favorite Features of SCCM 1801 Preview

Reassign DPs and Phased deployment features are limited to the SCCM admin console experience. The SCCM CB 1801 client side is NOT ready to test these features. The table below provides more details.

  • Reassign DPs
  • ADR Offset Days schedule
  • Phased Deployments for Task Sequences
  • Software Center Live Preview
Reassign DPs Offset Days Phased Deployments with SCCM 1801 – Table 1

How to Reassign DPs in SCCM?

Reassigning DPs is my favorite feature of SCCM 1801. I know that SCCM admins have struggled for ages to migrate TBs of content from one DP server to another DP server. In most cases, this could be because of changes or redesigns of SCCM hierarchies.

Reassign DPs Offset Days Phased Deployments with SCCM 1801 - Fig.1

SCCM 1801 has additional functionality to move a distribution point (DP) from a primary site to another primary site or from under a secondary site to a primary site.

  • \Administration\Overview\Distribution Points

SCCM ADR Challenge of 2nd Tuesday

Creating ADRs for parts of Asia and Australia is always a challenge. Microsoft releases patches every second Tuesday, but for some parts of the world (the Asian continent), it won’t be Tuesday.

Hence, a special script or manual intervention is required for the Patch Tuesday ADR to work correctly.

SCCM 1801 adds an Offset Days option to the custom Automatic Deployment Rule (ADR) schedule. As I mentioned above, these improvements to the ADR evaluation schedule are helpful. You can now schedule an ADR evaluation to be offset from a base day.

Check if a custom schedule that deploys updates offset from a base day has been created. The video tutorial “Reassign DPs Offset Days Phased Deployments” provides more details.

\Software Library\Overview\Software Updates\Automatic Deployment Rules
Custom – Monthly – 2nd Tuesday – Offset (days)

Reassign DPs Offset Days Phased Deployments with SCCM 1801 - Fig.2

Software Center “Live Preview” from SCCM Client Settings

Improvements to Client Settings for the Software Center are really modern stuff from the SCCM team. You don’t need to deploy NEW software center client settings to devices and test changes.

Instead, you can see the live preview on the SCCM console. Thank you for making the SCCM admin’s life easier!!

The video tutorial “Reassign DPs Offset Days Phased Deployments” provides more details of the software center customization live experience.

Enabling the ‘Hide unapproved applications in the Software Center’ setting in the new Software Center client settings is another option. 

The client settings for Software Center now have a Customise button where users can preview their customization before deploying them to machines. Users can also hide unapproved applications in the Software Center.

  • \Administration\Overview\Client Settings
Reassign DPs Offset Days Phased Deployments with SCCM 1801 - Fig.3

Phased Deployments for SCCM Task Sequences

SCCM phased deployments automate a coordinated, sequenced rollout of software without creating multiple deployments. This feature is available only for Task Sequences in this version of SCCM. I hope it will be useful for Windows 10 servicing models.

I assume phased deployments are getting input from status filtering rules. Status filter rules will check the criteria for phased rollout, and if the deployment failure is more than 5% (this % can be customized), it will automatically STOP the deployment.

  • \Software Library\Overview\Operating Systems\Task Sequences

In this Technical Preview version, the phased deployment wizard can be completed for task sequences in the admin console. However, deployments are not created. The following is an example of a phased deployment from my lab environment.

More details are available in the video tutorial “Reassign DPs Offset Days Phased Deployments”.

Phased Deployment Configuration
• Phased Deployment Name: Phase Deployment
• Phased Deployment Description:
Collections in this Phased Deployment
• Collection(s): TP100017
• Collection(s): SMSDM003

Resources

Capabilities in Technical Preview 1801 for System Center Configuration Manager


Intune to Restrict NON Patched Windows Devices

Use Intune to Restrict Non-patched Windows Devices from Accessing Email

Let’s discuss using Intune to restrict non-patched Windows devices from accessing email. Security patching is vital to every organization. Now, with Intune, you can restrict Windows 10 devices that are not patched with the latest patches from accessing mail. Non-patched devices are risky to the organization.

There are two options to limit Windows devices from connecting to the corporate network. We will see these options in the following sections of the article.

Windows version = Specify the major.minor.build.CU number here. The version number must correspond to the version returned by the winver command.

I have uploaded a video tutorial to my YouTube channel. I hope this video will help you set these restrictions on your Intune test tenant.

Use Intune to Restrict Non-patched Windows Devices from Accessing Email

I would recommend testing these in a staging environment before implementing them in production. As you are aware, patching is essential in any modern workplace project implementation.

Intune and Windows Update for Business can ensure all the Windows devices managed through Intune are patched promptly.

There is no need for on-prem components like WSUS to patch Windows 10 devices using Intune and Windows Update for Business. Setting the Windows 10 Update rings in Intune will not create security concerns.

Read my previous post, “How to Setup Windows 10 Software Update Policy Rings in Intune Azure Portal,” to learn more about Windows 10 update rings.

How Do You Restrict Non-patched Windows Devices from Enrolling in Intune?

This option is available only for NEW Windows devices that are enrolled in the Intune environment via the MDM channel. It is not available for Intune PC agent-managed devices.

The setting explained in this section won’t apply to already enrolled and non-patched Windows devices.

If you have already enrolled and non-patched Windows devices, you need to check out the compliance policy option mentioned in the section below.

Servicing Option | Version | OS Build | Max/Min
Semi-Annual Channel | 1709 | 16299.201 | Maximum Version
Semi-Annual Channel | 1703 | 15063.877 | Minimum Version
Use Intune to Restrict Non-patched Windows Devices from Accessing Email – Table 1
Use Intune to Restrict Non-patched Windows Devices from Accessing Email – Fig.1

We need to set up Intune enrollment restriction policies to restrict Windows devices from enrolling in Intune. The above table is the best reference for setting up Intune enrollment restriction policies for non-patched Windows devices.

First, we need to decide on your Windows 10 minimum and maximum patch level requirements. More patch-level version details are available at http://aka.ms/win10releasenotes.

In my video, I have selected Windows 10’s minimum patch level of 10.0.15063.877 and maximum patch level of 10.0.16299.201. You can also leave the maximum patch level blank if you want to support all the latest patched Windows devices.

I have uploaded a video tutorial to my YouTube channel. This video provides a more detailed explanation of how to set up enrollment restriction policies.

You can read my previous post, “How to Prevent Windows Devices from Enrolling to Intune”. This post provides more details about setting up Intune enrollment policies. This also covers the end-user experience of Windows 10 devices if the device patch level is lower than the “Minimum version”.

For example

I have a Windows 10 device, and it’s a non-patched device. The patch version of that device is “10.0.15063.250”. In this scenario, Intune will check whether the device is patched with the minimum version of the patch required for the organization, which is 10.0.15063.877.

The current patch level of the Windows 10 device is below the minimum version requirement set in the enrollment restriction policy. Hence, the device won’t be allowed to enroll in Intune. Update the patches on that Windows 10 device to enroll in Intune successfully.

Use Intune to Restrict Non-patched Windows Devices from Accessing Email - Fig.2

How Can We Force Users to Install Patches on Windows 10 Devices to Access Emails?

Most end-users are not always happy to install the latest patches and restart their devices on time. But as IT admins, it’s our responsibility to secure the enterprise environment with the latest patches.

Intune can probably help you force users to install patches on their non-patched Windows devices.

We can create a new compliance policy in Intune to set rules and force users to install patches immediately. The policy gives an option to set minimum and maximum patch levels for Windows devices.

When a device does not match the minimum compliance requirement, that device will be flagged as non-compliant.

When you have conditional access associated with compliance policies, the Windows device will lose access to enterprise applications (like mail, SharePoint Online, Skype, etc.) associated with that conditional access policy.

Once users update their Windows version with the latest patches, their devices get access back to mail.

You can use the WINVER command to decide your organisation’s baseline Windows 10 version with a certain patch level. You can also use the following links to get the latest patch versions of Windows 10.

In my scenario, I set up a new compliance policy with a minimum patch level of 10.0.15063.877 and a maximum patch level of 10.0.16299.201.

This will ensure that all Windows 10 devices with access to enterprise applications are patched, and the patch level version will be greater than 10.0.15063.877.
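
The minimum/maximum check that both the enrollment restriction and the compliance policy described above apply to a device's OS version, as an added example (not from the original post). The device names and every build other than 10.0.15063.250 are constructed, and both bounds are assumed to be inclusive.

```powershell
# Added example (not from the original post): evaluate Windows build strings
# against the minimum/maximum patch levels used in this article.
# Assumptions: both bounds are inclusive; an empty maximum means "no upper limit".
# Test-PatchLevel is a name made up for this example.

function Test-PatchLevel {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $OsVersion,
        [Parameter(Mandatory)] [string] $MinimumVersion,
        [string] $MaximumVersion
    )

    # The policy expects major.minor.build.CU; reject anything else instead of guessing.
    $pattern = '^\d+\.\d+\.\d+\.\d+$'
    foreach ($value in @($OsVersion, $MinimumVersion, $MaximumVersion)) {
        if ($value -and $value -notmatch $pattern) {
            throw "Not a major.minor.build.CU version: '$value'"
        }
    }

    # [version] compares each field numerically. A plain string comparison would
    # rank 10.0.15063.1000 below 10.0.15063.877 because '1' sorts before '8'.
    $device = [version]$OsVersion
    if ($device -lt [version]$MinimumVersion) { return 'BelowMinimum' }
    if ($MaximumVersion -and $device -gt [version]$MaximumVersion) { return 'AboveMaximum' }
    return 'InRange'
}

$min = '10.0.15063.877'   # minimum patch level from the article
$max = '10.0.16299.201'   # maximum patch level from the article

# Constructed sample inventory; only 10.0.15063.250 is a device build from the article.
$devices = @(
    [pscustomobject]@{ Name = 'PC-01'; OsVersion = '10.0.15063.250'  }
    [pscustomobject]@{ Name = 'PC-02'; OsVersion = '10.0.15063.877'  }
    [pscustomobject]@{ Name = 'PC-03'; OsVersion = '10.0.15063.1000' }
    [pscustomobject]@{ Name = 'PC-04'; OsVersion = '10.0.16299.201'  }
    [pscustomobject]@{ Name = 'PC-05'; OsVersion = '10.0.16299.309'  }
)

# The last column shows what a naive string comparison against the minimum would
# conclude, so the PC-03 mismatch is visible next to the numeric result.
$devices | Select-Object Name, OsVersion,
    @{ Name = 'Result'
       Expression = { Test-PatchLevel -OsVersion $_.OsVersion -MinimumVersion $min -MaximumVersion $max } },
    @{ Name = 'StringCompareSaysBelowMin'
       Expression = { $_.OsVersion -lt $min } }
```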

I have uploaded a video tutorial to my YouTube channel. This video provides a more detailed explanation of how to create a new compliance policy for minimum and maximum patch levels supported within your organization.

Navigate to the Azure portal, “Microsoft Azure—Microsoft Intune—Device Compliance—Policies,” and create a new compliance policy called “Restrict Window device depending on patches.”

Use Intune to Restrict Non-patched Windows Devices from Accessing Email - Fig.3

SCCM Status Summarizers and Health Monitoring Details

SCCM Site Component Status Summarizers Troubleshoot Issues Configuration Manager ConfigMgr

Let’s discuss the SCCM site component status summarizers and how to use them to troubleshoot issues in Configuration Manager (ConfigMgr). SCCM ConfigMgr CB health monitoring is well-connected with SCCM Status Summarizers.

All monitoring solutions, such as custom scripts and SCOM management packs for SCCM, use SCCM Status Summarizers to get the detailed health status of your SCCM infra. This post will provide details on SCCM status summarizers and health monitoring.

I uploaded a video to YouTube that explains “SCCM Site Status Summarizers Health Details WMI class and Data via SQL Tables and Views”. The following link has a script and solution I used back in SMS 2003: SCCM MP Health Check Script and Automatic Mail.

Do you know how to Reset the SCCM CB Critical Site Component Status Summarizer Counter? The previous blog post will help you understand the process.

What are SCCM Status Summarizers?

The summary class (SMS_SummarizerStatus) within WMI helps you determine the health or status of different aspects of SCCM/ConfigMgr CB Infrastructure.

The SCCM status summarizers get input from status messages, states, and counts. This status gives us a real-time (almost?) view of the health of:

  • SCCM CB sites
  • Site components
  • Packages
  • Applications
  • Deployments
SCCM Site Component Status Summarizers Troubleshoot Issues Configuration Manager ConfigMgr - Fig.1

List of SCCM CB Status Summarizers

The current branch version of SCCM/ConfigMgr has four status summarizers. These summarizer classes summarize the status and state message data. The table below provides more details of the SCCM CB status summarizers list.

  • Application Deployment Summarizer
  • Application Statistics Summarizer
  • Component Status Summarizer
  • Site System Status Summarizer
SCCM Site Component Status Summarizers Troubleshoot Issues Configuration Manager ConfigMgr – Table 1

From the SCCM health check monitoring perspective, the main ones are the SCCM component status summarizer and site system summarizer.

The deployment status of applications, Task Sequences, and packages will be displayed as part of the application deployment summarizer.

The application statistics summarizer helps configure how often application statistics should be updated.

Health Details of SCCM Site via WMI Class

The WMI class “SMS_SummarizerSiteStatus” can help us determine the overall health or status of an SCCM CB site. If the SMS_SummarizerSiteStatus object’s Status property value is “0”, then the SCCM site is healthy.

More details about SMS_SummarizerSiteStatus

The following are other WMI classes that you can refer to for more details about SCCM status summaries.

  • SMS_SUMDeploymentStatistics
  • SMS_SUMDeploymentStatus
  • SMS_SummarizationInterval
  • SMS_SummarizationSettings
  • SMS_SummarizerSiteStatus
  • SMS_SummarizerStatus
SCCM Site Component Status Summarizers Troubleshoot Issues Configuration Manager ConfigMgr - Fig.2

The WMI class SMS_SummarizerRootStatus provides different colour indications in the SCCM CB console. SCCM Status Summarizers and Health Monitoring are interlinked.

One example MOF file is given below.

[Description("This class contains a rollup Green/Yellow/Red status about the current site, and all its child sites. "), dynamic: ToInstance, provider("ExtnProv"), read, DisplayName("Summarizer – Root Status")]
class SMS_SummarizerRootStatus : SMS_BaseClass
{
    [Description(""), key, enumeration("GREEN(0),YELLOW(1),RED(2)")] uint32 Status;
    [Description("This method will take the SiteCode and the Component as the input paramters, and return an arrays of strings: the TallyIntervals, and also the default interval."), static, implemented] sint32 GetTallyIntervals([in, SizeLimit("3")] string SiteCode, [in] string ComponentName, [out] string TallyIntervals[], [out] string DefaultInterval);
};

The following WMI query returns the information, warning, and error message counts since Monday. The TallyInterval value “00011280001A2000” = Monday.

More details about Tally Interval

SELECT Infos, Warnings, Errors
FROM SMS_SiteDetailSummarizer
WHERE TallyInterval = "00011280001A2000"

Results of the above WMI query

instance of SMS_SiteDetailSummarizer
{
Errors = 129;
Infos = 368;
Warnings = 51;
};
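
One way to run the query above, and to read the root status, from PowerShell instead of a WMI browser. This is an added example, not code from the original post; the function names and the site code 'XYZ' in the usage comments are placeholders.

```powershell
# Added example (not from the original post). Placeholders: the function names
# and the site code 'XYZ' in the usage comments at the end.

# Status values as listed in the SMS_SummarizerRootStatus MOF above.
$RootStatusName = 'GREEN', 'YELLOW', 'RED'

function Invoke-SiteWql {
    param(
        # Site codes are three alphanumeric characters; validating here keeps
        # arbitrary text out of the WMI namespace path.
        [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z0-9]{3}$')] [string] $SiteCode,
        [Parameter(Mandatory)] [string] $Query,
        [string] $ComputerName
    )
    $cim = @{ Namespace = "root\SMS\site_$SiteCode"; Query = $Query }
    # Without -ComputerName the query runs against the local machine.
    if ($ComputerName) { $cim.ComputerName = $ComputerName }
    Get-CimInstance @cim
}

function Get-SiteMessageTally {
    param(
        [Parameter(Mandatory)] [string] $SiteCode,
        # 16 hex digits; the default is the article's "since Monday" interval.
        # The pattern also stops quote characters from reaching the WQL string.
        [ValidatePattern('^[0-9A-Fa-f]{16}$')] [string] $TallyInterval = '00011280001A2000',
        [string] $ComputerName
    )
    $wql = "SELECT Infos, Warnings, Errors FROM SMS_SiteDetailSummarizer " +
           "WHERE TallyInterval = '$TallyInterval'"
    Invoke-SiteWql -SiteCode $SiteCode -Query $wql -ComputerName $ComputerName
}

function Get-RootStatus {
    param(
        [Parameter(Mandatory)] [string] $SiteCode,
        [string] $ComputerName
    )
    $row = Invoke-SiteWql -SiteCode $SiteCode -ComputerName $ComputerName `
               -Query 'SELECT Status FROM SMS_SummarizerRootStatus' |
           Select-Object -First 1
    if ($null -eq $row) { throw 'SMS_SummarizerRootStatus returned no instance.' }
    $RootStatusName[[int]$row.Status]
}

function ConvertTo-TallySummary {
    param([Parameter(Mandatory, ValueFromPipeline)] $Tally)
    process {
        $total = $Tally.Infos + $Tally.Warnings + $Tally.Errors
        [pscustomobject]@{
            Total        = $total
            Errors       = $Tally.Errors
            Warnings     = $Tally.Warnings
            ErrorPercent = if ($total) { [math]::Round(100 * $Tally.Errors / $total, 1) } else { 0 }
        }
    }
}

# Offline run using the counts from the query result shown above.
[pscustomobject]@{ Infos = 368; Warnings = 51; Errors = 129 } | ConvertTo-TallySummary

# On a machine hosting the SMS Provider (placeholder site code):
#   Get-SiteMessageTally -SiteCode 'XYZ' | ConvertTo-TallySummary
#   Get-RootStatus -SiteCode 'XYZ'
```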

Health Details of SCCM Site via SQL Views

SCCM Status Summarizers and Health Monitoring details will help streamline and fine-tune your SCCM infra’s monitoring efforts. The SCCM site health data is stored in four SQL views.

We can query the following SQL views for more details on the SCCM status summarizer. Component status summarizer lists summary status information for all SCCM components at different intervals.

  • v_ComponentSummarizer = Component Summary
  • v_SiteDetailSummarizer = Overview
  • v_SiteSystemSummarizer = Site System Summary
  • v_SummarizerSiteStatus = Site Server Summary
SCCM Site Component Status Summarizers Troubleshoot Issues Configuration Manager ConfigMgr - Fig.3

Install Hotfix KB4057517 of SCCM CB 1710

To Fix 13 Issues Install Hotfix KB4057517 of SCCM CB 1710 Configuration Manager ConfigMgr

SCCM Product Group released the long-awaited rollup hotfix KB4057517 for SCCM CB 1710. You need not download the hotfix KB4057517 separately; it will be available within your SCCM CB 1710 console.

This fix won’t be visible on the servers if you have not upgraded to the 1710 version of SCCM. From my perspective, this is a must-install hotfix for SCCM.

This fixes 13 documented issues with the current production version of SCCM. I completed the upgrade on my LAB environment and uploaded it.

One of our posts shows the List of Issues Fixed with SCCM 2403 KB26186448. The update addresses several key issues, enhancing the SCCM’s functionality and reliability.

Install Fix for SCCM CB 1710 Rollup KB4057517 – Windows Server 2008

HotFix Rollup KB4057517 is available to download for all online and connected SCCM 1710 site servers. Once HotFix Rollup KB4057517 is downloaded, the installation process can be started. It does not take a long time to install.

To Fix 13 Issues Install Hotfix KB4057517 of SCCM CB 1710 Configuration Manager ConfigMgr – Video 1

I recommend testing the rollup hotfix KB4057517 installation on your pre-prod or staging environment before installing it on production SCCM servers. Read the rollup hotfix KB4057517 release note here.

Console Version | 5.00.8577.1108
Site Version | 5.0.8577.1000
To Fix 13 Issues Install Hotfix KB4057517 of SCCM CB 1710 Configuration Manager ConfigMgr – Table 1
To Fix 13 Issues Install Hotfix KB4057517 of SCCM CB 1710 Configuration Manager ConfigMgr – Fig.1

13 Fixes Included in SCCM CB 1710 in KB4057517

Let’s discuss the 13 Fixes Included in SCCM CB 1710 in KB4057517. The list below helps you see them.

  1. Azure AD Authentication with SCCM MP issue
  2. SCCM clients fall back faster than the specified time
  3. Retrying a large single-file download – Office 365 update files
  4. Download failures-Office 365 Application Installation Wizard
  5. Persist content in the client cache related issues
  6. SCCM Client Notification Restart request is processed incorrectly
  7. Decommission-related State message – CO-Management incorrectly
  8. State messages sent by Azure AD users issues
  9. Windows Server 2008 SP2 – SCCM Clients are not upgraded issues
  10. The client restarts the process of retrying a TS policy download
  11. Conditional Access Policy Issues for Domain Joined machines
  12. The download of express updates may fail for Windows 10
  13. Office 365 Client Installation wizard-related issues

How to Install Hotfix KB4057517 on SCCM Secondary Servers

I don’t have secondary servers in my lab environment. But I recommend you follow the instructions in the release notes of rollup hotfix KB4057517. After installing this update on a primary site, pre-existing secondary sites must be manually updated.

To update a secondary site in the Configuration Manager console, click Administration, click Site Configuration, click Sites, click Recover Secondary Site, and select the secondary site. The primary site then reinstalls that secondary site by using the updated files.

This reinstallation will not affect the secondary site’s configurations and settings. The new, upgraded, and reinstalled secondary sites under that primary site automatically receive this update.

Please run the following SQL Server command on the site database to check whether the updated version of a secondary site matches that of its primary parent site.

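-- Returns 1 if the secondary site is up to date with its parent primary site, 0 if it is not.
SELECT dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')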


Monitor Meltdown Spectre Vulnerabilities with SCCM Configuration Manager ConfigMgr

Monitor Meltdown Spectre Vulnerabilities with SCCM Configuration Manager ConfigMgr

Microsoft has released a Microsoft-signed CAB file to check and monitor Meltdown and Spectre vulnerabilities.

In this post, we will see a video tutorial that explains how to download, Import, and deploy the configuration baseline for Microsoft Security Advisory ADV180002.

I tested the CAB file import process on the SCCM CB 1710 production version. However, I’m not sure whether this will work for the previous version of the SCCM (SCCM 2012 R2) environment.

It may not work, as it has the latest OS versions selected as supported platforms (Server 2016, etc.).

Monitor Meltdown Spectre Vulnerabilities with SCCM Configuration Manager ConfigMgr – Video 1

Monitor Meltdown Spectre Vulnerabilities with SCCM Configuration Manager ConfigMgr

This Compliance Settings configuration baseline confirms whether Windows 10, Windows 7, Server 2008, Server 2012, and Server 2016 have enabled the protections needed to protect against the Meltdown Spectre Vulnerabilities.

Download the Microsoft signed CAB file

Monitor Meltdown Spectre Vulnerabilities with SCCM Configuration Manager ConfigMgr - Fig.1

Following are the High-Level Steps

Download the Microsoft Signed CAB file from the TechNet Gallery. Import a configuration Data CAB file to check whether SCCM-managed machines are safe from Meltdown and Spectre.

  1. Check Meltdown CI properties. The PowerShell script is used to confirm whether the systems are vulnerable or not.
  2. Check Spectre CI properties. The PowerShell script is used to confirm whether the system is vulnerable or not.
  3. Check and confirm the baseline properties before deploying it to devices.
  4. Monitor compliance report for Meltdown Spectre Vulnerabilities
Name | Type | Device Type | Revision
CVE-2017-5715-Branch Target Injection | Application | Windows | 1
CVE-2017-5754-Rogue Data Cache Load | Application | Windows | 1
Monitor Meltdown Spectre Vulnerabilities with SCCM Configuration Manager ConfigMgr – Table 1
Monitor Meltdown Spectre Vulnerabilities with SCCM Configuration Manager ConfigMgr – Fig.2

Resources

Microsoft has released a Microsoft-signed CAB file here to check and monitor Meltdown Spectre Vulnerabilities. In this post, we will see a video tutorial that explains how to download, Import, and deploy the configuration baseline for Microsoft Security Advisory ADV180002.

Monitor Meltdown Spectre Vulnerabilities with SCCM Configuration Manager ConfigMgr – Video 2

Author

Anoop C Nair is Microsoft MVP from 2015 onwards for consecutive 10 years! He is a Workplace Solution Architect with more than 22+ years of experience in Workplace technologies. He is a Blogger, Speaker, and Local User Group Community leader. His main focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Windows, Entra, Microsoft Security, Career etc…

Intune SCCM Free Virtual Labs to Get Hands On Experience

Let’s discuss the Intune SCCM Free Virtual Labs to Get Hands-On Experience. Acquire the SCCM, Intune, Windows 10, and Azure cloud skills at your own pace. As I mentioned in the “Future of SCCM Admin Jobs” post, these new skills are essential for our job security.

In this post, you will see the free SCCM Virtual Labs by Microsoft. Related: Setup – Free Azure Lab And Azure For Students Lab Setup, HTMD Blog (anoopcnair.com).

Microsoft provides free SCCM Virtual Labs to help IT Admins and Developers learn new technologies. The old links to SCCM and Intune TechNet Virtual Labs are NOT working.

This post provides more details about SCCM, Intune, and Windows 10 hands-on lab training. NO LABS are available now. Related: Intune SCCM Certification Learning Exams, HTMD Blog (anoopcnair.com).

Video: How to Use New Microsoft Virtual Labs

Intune SCCM Free Virtual Labs to Get Hands On Experience – Have TechNet Virtual Labs been migrated to the Azure platform?

It seems that the TechNet virtual labs have been migrated to the Azure platform. From the jump host server detail, virtual labs have been migrated to Azure Cloud Apps.

The new virtual labs platform requires a Remote Desktop Protocol (RDP) client. It also works on macOS machines that have an RDP client.

  • jumphostek5ehejhpwq5g.southcentralus.cloudapp.azure.com:3389

However, I couldn’t find any communication or announcement from Microsoft. Two previous posts contain information about SCCM and Intune TechNet virtual labs.

There were 36 hands-on labs available for SCCM and Intune. However, none of these hands-on labs are accessible at the moment. I only saw a Microsoft Excel hands-on lab in the TechNet virtual lab portal.

Intune SCCM Free Virtual Labs to Get Hands On Experience – Fig.1

Microsoft moved TechNet Labs (http://technet.microsoft.com/en-us/virtuallabs) to a new hosting solution on Azure called Microsoft Self-Paced Labs. More details about Self-paced Labs are here: https://www.microsoft.com/handsonlabs/SelfPacedLabs.

Advantages of Microsoft Self-Paced Hands-on labs

Microsoft technologies change frequently. IT pros struggle to keep their private labs updated at the same pace as Microsoft releases new features.

Microsoft self-paced labs (Free SCCM Virtual Labs) can help IT Pros get hands-on experience with new technology features. As of 08-Jan-2017, only 289 Self-paced Labs were available.

The migration to Azure CloudApps suits IT admins who want to learn new technologies using an agile method. The new platform does not depend on browsers or OSs.

These SCCM, Intune, and Windows 10 hands-on labs will run on Chrome, Firefox, Safari, macOS, etc. Hands-on labs (Free SCCM Virtual Labs) for Microsoft Azure, Intune, SCCM, etc., are readily available for IT pros to get the experience.

Microsoft self-paced hands-on labs enable IT Pros to experience a software product or technology using a cloud-based private virtual environment.

IT Pros or SCCM admins will be given instructions and access to one or more SCCM SQL virtual servers. No additional software or setup is required. We need to complete these instructions within 120 minutes or less.

Enjoy hands-on learning according to your schedule with Microsoft’s free, Self-paced Labs. This will surely help keep your cloud knowledge fresh.

Intune SCCM Free Virtual Labs to Get Hands On Experience – Fig.2

SCCM Intune and Windows 10 Virtual Labs

Following are the links to get access to Hands-on virtual labs. There are only 5 Self-paced Labs for SCCM. As I explained in the video tutorial here, you need to download the RDP file into your machine.

Once the RDP file is downloaded, launch the file to connect to the Jump host server in the Azure cloud. This jump host server will have all the instructions and details to complete the hands-on training activities. These guidelines could vary depending on technology like Intune, SCCM, Azure, or Windows 10.

SCCM Hands-On Labs Training

NOTE—As of 14 May 2019, only two labs are available for SCCM. Start searching with the keyword “Configuration Manager.”

SCCM CO-Management Lab

Getting Started with Co-Management and System Center Configuration Manager and Intune SC00116.

SCCM Windows 10 In-place Upgrade Task Sequence

Microsoft 365 Deployment Workshop – OS00203

  • https://www.microsoft.com/handsonlabs/SelfPacedLabs#keywords=Configuration%20Manager&page=1&sort=Newest
  • https://www.microsoft.com/handsonlabs/SelfPacedLabs#keywords=ConfigMgr&page=1&sort=Newest

Microsoft Intune – Free Virtual Labs

Secure your enterprise data on mobile devices with Microsoft 365 and Microsoft Intune… OS00198

https://www.microsoft.com/handsonlabs/SelfPacedLabs#keywords=Intune&page=1&sort=Newest

Windows 10 – Self-paced Labs – Hands-On Labs Training

Let’s discuss the Windows 10 self-paced Labs hands-on labs training.

https://www.microsoft.com/handsonlabs/SelfPacedLabs#keywords=Windows%2010&page=1&sort=Newest

Intune SCCM Free Virtual Labs to Get Hands On Experience – Fig.3

List of SCCM Intune Windows 10 Hands-On Labs Training

Free SCCM Virtual Labs – Most labs are unavailable, but Microsoft promised to work on this topic to provide more virtual labs.

Intune Hands-On Labs Training

Let’s discuss the Intune Hands-On Labs Training. The list below shows the labs.

  • Microsoft Intune – Acquire Trial Accounts for Intune Enterprise Mobility Suite (EMS) Lab Series
  • Microsoft Intune – Configure Conditional Access to Exchange Online
  • Microsoft Intune – Configure ActiveSync Email Profiles
  • Microsoft Intune – Configure Mobile Application Management (MAM) Without Enrolling Devices
  • Microsoft Intune – Configure Mobile Application Management (MAM)
  • Microsoft Intune – Deploy MSI Applications to Windows 10 Using Intune and Mobile Device Management (MDM)
  • Microsoft Intune – Configure Multi-Factor Authentication for Mobile Device Management (MDM)

Intune SCCM Free Virtual Labs to Get Hands On Experience – Table 1

Windows 10 Hands-On Labs Training

Let’s discuss the Windows 10 Hands-On Labs Training. The list below shows the labs.

  • Upgrade to Windows 10 with System Center Configuration Manager
  • Microsoft Intune – Deploy MSI Applications to Windows 10 Using Intune and Mobile Device Management (MDM)
  • Upgrade to Windows 10 using the Microsoft Deployment Toolkit or System Center Configuration Manager
  • Customize the Windows 10 start menu and taskbar during deployment
  • Troubleshoot device management in Windows 10
  • Simplify Windows 10 deployment by using provisioning packages
  • Exploring Virtualization on Windows 10 and Windows Server 2016
  • Upgrade to Windows 10 by using the Microsoft Deployment Toolkit or System Center Configuration Manager
  • Enable and secure a remote workforce by joining Windows 10 to Azure Active Directory
  • Windows 10 and Enterprise Mobility
  • Windows 10 and Enterprise Mobility – Move between Servicing Rings using a Group Policy Object
  • Windows 10 and Enterprise Mobility – Deploying Windows 10 using Microsoft Deployment Toolkit

SCCM Hands-On Labs Training

Let’s discuss the SCCM Hands-On Labs Training. The screenshot and list below show the labs.

Intune SCCM Free Virtual Labs to Get Hands On Experience – Fig.4
  • Upgrade to Windows 10 with System Center Configuration Manager
  • Manage Office 365 ProPlus with System Center Configuration Manager
  • Upgrade to Windows 10 using the Microsoft Deployment Toolkit or System Center Configuration Manager
  • Upgrade to Windows 10 by using the Microsoft Deployment Toolkit or System Center Configuration Manager
  • Deploying Windows 8.1 with ConfigMgr 2012 R2 and MDT 2013


FIX SCCM CB Redist Files Download Issue

Let’s fix the SCCM CB Redist files download issue. In this post, you will see the fix for the SCCM CB Redist download issue and a walkthrough of the new features.

In my scenario, REDIST prerequisite files were not downloading. The ConfigMgrSetup.log showed errors related to the REDIST file download. If you have problems downloading redist files, the ConfigMgrSetup.log is the best place to find the issue’s root.

Once the prerequisite files are downloaded, copy those files to the D:\Program Files\Microsoft Configuration Manager\EasySetupPayload\<Update Package GUID>\Redist folder.

I don’t recommend doing this in your production environment. Robert Marshall’s tip helped me resolve the issue, and I mentioned this in the tweet.

SCCM CB Download Stuck at Redist Step – FIX SCCM CB Redist Files Download Issue

I am having trouble downloading the SCCM CB version in my test lab. I have gone through my previous posts to fix the download issue.

The following post, “CMUpdateReset.exe Tool Fixes SCCM CB Update Download Issue,” provides more details. However, it didn’t work for me this time. I got the following error in the DMPDownloader.log.

I downloaded the prerequisite files separately using SETUPDL.EXE, as I explained in my previous post, “Learn How to Download SCCM ConfigMgr CB Prerequisite Files”.

FIX SCCM CB Redist Files Download Issue – Fig.1

SCCM Download Issues

I could see that the SCCM 1712 update had been downloaded on the following path: “D:\Program Files\Microsoft Configuration Manager\EasySetupPayload”.

But the status does not change from Downloading to Ready to Install. The fix for the SCCM CB preview 1712 Redist download issue has been explained below.

ERROR: Failed to download redist for 51d629d3-c355-4b80-ad6f-ba44b27f84ed with command /RedistUrl http://go.microsoft.com/fwlink/?LinkID=860262 /LnManifestUrl http://go.microsoft.com/fwlink/?LinkID=860266 /RedistVersion 201712 /NoUI “\\SCCMTP1.INTUNE.COM\EasySetupPayload\51d629d3-c355-4b80-ad6f-ba44b27f84ed\redist” Failed to download redist for 51d629d3-c355-4b80-ad6f-ba44b27f84ed.

FIX SCCM CB Redist Files Download Issue – Fig.2

The following are the 5 high-level processes that happen in the background when the SCCM CB updates are downloaded to your server.

  1. Process update package
  2. Download the updated package cab file
  3. Extract update package payload
  4. Download redist
  5. Report package as downloaded

FIX SCCM CB Redist Files Download Issue – Table 1
