Anoop C Nair is a Workplace Technology solution architect with 25+ years of experience. Microsoft Certified Trainer. Microsoft MVP from 2015 onwards for consecutive 11+ years! He is a Blogger, Speaker, and Founder of HTMD Community and HTMD Conference. His main focus is on Device Management technologies like Intune, Windows, Cloud PC. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, Microsoft Security.
Are You Having an Issue with Windows 10 WIP EDP SCCM CB Configuration Manager ConfigMgr?
Are you having issues with Windows Information Protection (WIP, previously known as “Enterprise Data Protection – EDP”) policies configured through the SCCM ConfigMgr CB 1606 production version?
If so, I was one of you. I’m talking about the issue I faced while deploying the WIP policy via the Windows 10 MDM channel. I will try to explain the problem which I had with WIP CI (for the specific scenario which I tested):
When you open WIP CI, try to check whether everything is okay or not and exit out of CI with/without making any changes. Some values in CI XML will automatically change, breaking the entire CI.
I’ve embedded a video below explaining this bug/issue. If you are new to WIP/EDP and want to know how to create, deploy, and test WIP with Windows 10, look at my previous post and video here.
The good news is that Microsoft’s new rollup update (KB3186654) most probably fixed this issue. I have done extensive testing with Windows Information Protection (WIP) policies/CIs after installing the new rollup on the SCCM CB 1606 server, and the results are very promising.
Name: New Windows 10 WIP
Type: General
Are You Having Issue with Windows 10 WIP EDP SCCM CB Configuration Manager ConfigMgr – Table 1
Are You Having Issue with Windows 10 WIP EDP SCCM CB Configuration Manager ConfigMgr – Fig.1
How to Create – Deploy WIP EDP Using SCCM CB 1606 and End-user experience of WIP
I tried creating new WIP CIs, editing the existing WIP CIs, etc. All the scenarios I tested worked well for me. I tested this with Windows 10 1607 build numbers 14393.00 and 14393.82 (via MDM channel).
Are You Having Issue with Windows 10 WIP EDP SCCM CB Configuration Manager ConfigMgr – Video 1
Sample of the correct WIP CI with correct ConstantValue
Let’s discuss the Sample of the correct WIP CI with the correct ConstantValue. The below section helps you show the sample of the correct WIP CI with the correct ConstantValue.
Author
Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
Intune Company Portal App Login Issues with Windows 11 or Windows 10 Devices? Have you tried to Repair or Reset Company Portal App to fix the issue? The Intune company portal application is not allowed to log in when it is installed on Windows 10 or Windows 11.
The issue explained in the post below could be due to either Azure AD authentication issues or proxy issues. It won’t let you log in with your username and password.
The Company Portal app will get redirected to the login page repeatedly. Have you tried to log in to the Intune company portal from a Windows device, and can you reproduce this issue?
Fix Company Portal App Login Error Occurred AAD Auth Proxy Issues. This post also explains the Tenant Restriction Policy and company portal issues.
Whenever you have an issue with the Intune Company Portal app, it’s better to Reset, Repair, or Reinstall it before trying to do further troubleshooting. Otherwise, this could be another issue if you see the same problems with a more significant number of Windows 11 devices.
Intune Company Portal App Repair options are easy to use, unlike other Win32 or MSI applications. Since the Intune Company portal is a Microsoft Store Application, it has all the Reset, Repair, and Reinstall options.
To reach the Intune Company Portal app's Repair and Reset options, follow the steps explained below.
Navigate to the Apps & Features option by right-clicking on the Start button from Windows 11.
Use the search function to find the Company Portal application.
Click on the three (3) vertical dots menu.
FIX Intune Company Portal App Login Issues with Windows 10/11 – Fig.1
To repair the Company Portal Application on a Windows 11 device, select Advanced options, as shown in the screenshot below.
FIX Intune Company Portal App Login Issues with Windows 10/11 – Fig.2
The first step I always recommend is to TERMINATE the company portal app by clicking on the TERMINATE button from Apps -> Apps & Features -> Company Portal Advanced Options.
Intune Company Portal App Repair
Let’s check the next option, the Intune Company Portal app repair option. If this app isn’t working correctly, you can try to repair it. The Company Portal app’s data will not be affected.
FIX Intune Company Portal App Login Issues with Windows 10/11 – Fig.3
Company Portal App Repair Reset and Uninstall
If the Terminate and Repair options for the Company Portal don’t work well, let’s check the following options. Company Portal App Repair, Reset, and Uninstall are the other options available on Windows 11 devices.
Company Portal REPAIR helps to fix the issue if the app is still not working as expected. The RESET will remove all the app-related data from the Windows 11 PC and give the Company Portal a fresh start.
The UNINSTALL button is the last resort for fixing the Company Portal Application on a Windows 11 PC. After uninstalling the app, you can reinstall it from the Microsoft Store.
FIX Intune Company Portal App Login Issues with Windows 10/11 – Fig.4
Well, this is a weird issue, so stay with me! Let’s learn how to Fix the Company Portal App Login Error that Occurred. This issue is only for the Intune Company portal application. There was no issue accessing the company portal Website. This issue is only applicable to Windows 10/11 devices.
Problem Statement – Fix Company Portal App Login Error
Windows 10 devices started getting error messages when users tried to launch the Company portal app. The error details are given below.
Login error occurred – An error occurred while attempting to log in to Company Portal Login Error.
You get two options:
Share Details
Close
FIX Intune Company Portal App Login Issues with Windows 10/11 – Fig.5
Send Company Portal App for Windows 10 Logs
You can try to click on Share details to get the Company portal app log for Windows 10 or 11 devices. The message shows “Sending the Logs to Microsoft.“
FIX Intune Company Portal App Login Issues with Windows 10/11 – Fig.6
Now you can share the details with Microsoft using the Onenote file. Requesting help with the company portal app for Windows 10 or Windows 11.
NOTE! – You can send the company portal app logs for Windows 10 using the following method as well:
Open the Company Portal app.
Select Help & support > Get help.
FIX Intune Company Portal App Login Issues with Windows 10/11 – Fig.7
Details of Company Portal App Log
Describe the problem you’re experiencing. The Company Portal has collected your logs (Diagnostics ID: 2WWEWN) and sent them to Microsoft to help troubleshoot. Your description will help us understand what happened and how to fix the problem. After you’ve described the situation, send this email to your company support for more help.
Troubleshooting – Fix Company Portal App Login Error
Now, let’s enter the real troubleshooting scenario of the Company Portal app for Windows 10 devices.
First, I couldn’t find much information from the Microsoft logs mentioned in the above section.
I started looking at event logs to get more details.
Navigate to Microsoft-Windows-AAD/Operational (Azure AD authentication-related errors).
The following event ID 1098 shows an error that started when I tried to launch the company portal app.
FIX Intune Company Portal App Login Issues with Windows 10/11 – Fig.8
Event Log Details
The following entries, taken from the event log, show the Company Portal login failures on Windows 11/10 devices.
Log Name: Microsoft-Windows-AAD/Operational
Source: Microsoft-Windows-AAD
Date: 15/07/2020 16:00:58
Event ID: 1098
Task Category: AadTokenBrokerPlugin Operation
Level: Error
Keywords: Operational,Error
User:
Computer:
Description:
Error: 0xCAA82EE2 The request has timed out.
Exception of type 'class HttpException' at xmlhttpwebrequest.cpp, line: 163, method: XMLHTTPWebRequest::ReceiveResponse.
Log: 0xcaa10083 Exception in WinRT wrapper.
Logged at authorizationclient.cpp, line: 233, method: ADALRT::AuthorizationClient::AcquireToken.
Request: authority: https://login.microsoftonline.com/common, client: 8ba1a5c7-f19a-5de9-a1f1-7178c8d51343, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/S-1-15-2-2666988183-1750391847-2906264630-3525785777-2857982319-3063633125-1907478113
Log: 0xcaa1007b Acquire token failed.
Log Name: Microsoft-Windows-AAD/Operational
Source: Microsoft-Windows-AAD
Date: 15/07/2020 16:00:58
Event ID: 1098
Task Category: AadTokenBrokerPlugin Operation
Level: Error
Keywords: Operational,Error
User:
Computer:
Description:
Error: 0xCAA82EE2 The request has timed out.
Exception of type 'class HttpException' at xmlhttpwebrequest.cpp, line: 163, method: XMLHTTPWebRequest::ReceiveResponse.
Log: 0xcaa1007b Acquire token failed.
Logged at aggregatedtokenrequest.cpp, line: 70, method: AggregatedTokenRequest::AcquireToken.
Request: authority: https://login.microsoftonline.com/common, client: 8ba1a5c7-f19a-5de9-a1f1-7178c8d51343, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/S-1-15-2-2666988183-1750391847-2906264630-3525785777-2857982319-3063633125-1907478113, resource: 00000002-0000-0000-c000-000000000000, correlation ID (request): 9d18dbac-d522-4d6e-8d14-c3e7610ec34c
0xcaa9004b Exception during nonce request
Log Name: Microsoft-Windows-AAD/Operational
Source: Microsoft-Windows-AAD
Date: 16/07/2020 10:11:06
Event ID: 1098
Task Category: AadTokenBrokerPlugin Operation
Level: Error
Keywords: Operational,Error
User:
Computer:
Description:
Error: 0xCAA82EE2 The request has timed out.
Exception of type 'class HttpException' at xmlhttpwebrequest.cpp, line: 163, method: XMLHTTPWebRequest::ReceiveResponse.
Log: 0xcaa9004b Exception during nonce request.
Request: authority: https://login.microsoftonline.com/common, client: 8ba1a5c7-f19a-5de9-a1f1-7178c8d51343, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/S-1-15-2-2666988183-1750391847-2906264630-3525785777-2857982319-3063633125-1907478113, resource: 00000002-0000-0000-c000-000000000000, correlation ID (request): 9d18dbac-d522-4d6e-8d14-c3e7610ec34c
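To pull the same event ID 1098 entries without clicking through Event Viewer, the following PowerShell sketch reads the Microsoft-Windows-AAD/Operational log and groups the failures by error code. It is an added example, not part of the original post; the 7-day look-back and the output column names are assumptions.

```powershell
# Added example (not from the original post): summarise AadTokenBrokerPlugin
# failures (event ID 1098) from the Microsoft-Windows-AAD/Operational log.
# The 7-day window and the output column names are assumptions.

$filter = @{
    LogName   = 'Microsoft-Windows-AAD/Operational'
    Id        = 1098
    StartTime = (Get-Date).AddDays(-7)
}

# Get-WinEvent raises an error when nothing matches; treat that as an empty result.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$parsed = foreach ($e in $events) {
    $msg = [string]$e.Message

    # First line of the description, e.g. "Error: 0xCAA82EE2 The request has timed out."
    $errorCode = $null
    $errorText = $null
    if ($msg -match 'Error:\s*(0x[0-9A-Fa-f]{8})\s*([^\r\n]*)') {
        $errorCode = $Matches[1].ToLowerInvariant()
        $errorText = $Matches[2].Trim()
    }

    # "Log: 0xcaa1007b Acquire token failed." can appear more than once per event.
    $logCodes = [regex]::Matches($msg, 'Log:\s*(0x[0-9A-Fa-f]{8})') |
        ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() }

    $authority   = if ($msg -match 'authority:\s*([^,\s]+)') { $Matches[1] } else { $null }
    $correlation = if ($msg -match 'correlation ID \(request\):\s*([0-9A-Fa-f-]{36})') { $Matches[1] } else { $null }

    [pscustomobject]@{
        TimeCreated   = $e.TimeCreated
        ErrorCode     = $errorCode
        ErrorText     = $errorText
        LogCodes      = ($logCodes -join ',')
        Authority     = $authority
        CorrelationId = $correlation
    }
}

# Group by error code so a repeated network-level failure stands out.
$parsed |
    Group-Object ErrorCode |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'ErrorText'; e = { $_.Group[0].ErrorText } } |
    Format-Table -AutoSize

# 0xcaa82ee2 is the "request has timed out" code seen in the events above.
# List those entries with the authority and correlation ID for the proxy team.
$timeouts = @($parsed | Where-Object ErrorCode -eq '0xcaa82ee2')
if ($timeouts.Count -gt 0) {
    $timeouts |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Authority, LogCodes, CorrelationId |
        Format-Table -AutoSize
}
```

The correlation ID in the second table is the value to hand to whoever owns the proxy so they can match the failed request against their own logs.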
Fix Company Portal App Login Error Occurred
Tenant restrictions were implemented on the proxy server as described in the Microsoft article “Use tenant restrictions to manage access to SaaS cloud applications.” For more details, see https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/tenant-restrictions.
The company portal app for Windows 10 or Windows 11 requires authentication to Azure AD through https://login.microsoftonline.com. These URLs are available in the above event logs. Tenant restrictions require TLS inspection only on traffic to Azure AD, not to the Office 365 cloud services.
It seems the TLS inspection for the following URLs caused the issue. At least one of the following URLs is required:
https://enterpriseregistration.windows.net
https://login.microsoftonline.com
https://device.login.microsoftonline.com
https://autologon.microsoftazuread-sso.com (If you use or plan to use seamless SSO)
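To see from the affected device whether a proxy is re-signing traffic to these endpoints, the following PowerShell sketch performs a TLS handshake with each host and reports who issued the certificate the device actually received. It is an added example, not part of the original post; it assumes the device reaches the hosts directly or through a transparent proxy, and `$ExpectedIssuerPattern` is a placeholder for the public CAs you expect to see.

```powershell
# Added example (not from the original post): report the issuer of the certificate
# presented for each Azure AD endpoint listed above.
# Assumptions: direct or transparently proxied egress (an explicit proxy needs an
# HTTP CONNECT first, which this sketch does not do); $ExpectedIssuerPattern is a
# placeholder to adjust for your environment.

$AadHosts = @(
    'enterpriseregistration.windows.net',
    'login.microsoftonline.com',
    'device.login.microsoftonline.com',
    'autologon.microsoftazuread-sso.com'
)
$ExpectedIssuerPattern = 'DigiCert|Microsoft'   # assumption, not from the post

function Get-TlsChainInfo {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )

    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw 'TCP connect timed out' }
        $client.EndConnect($pending)

        # Accept whatever certificate is presented: no data is sent on this
        # connection, the handshake is only used to read the certificate.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)

        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Build the chain from the local certificate stores. An inspection CA that
        # has been deployed to the device shows up here as a trusted root.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $trusted = $chain.Build($leaf)
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

        [pscustomobject]@{
            Host           = $HostName
            Issuer         = $leaf.Issuer
            ChainRoot      = $root.Subject
            LocallyTrusted = $trusted
            NotAfter       = $leaf.NotAfter
            Error          = $null
        }
    }
    catch {
        # A timeout or handshake failure is itself a finding: record it per host.
        [pscustomobject]@{
            Host           = $HostName
            Issuer         = $null
            ChainRoot      = $null
            LocallyTrusted = $false
            NotAfter       = $null
            Error          = $_.Exception.Message
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

$results = foreach ($h in $AadHosts) { Get-TlsChainInfo -HostName $h }

# IssuerExpected = False with LocallyTrusted = True points at a proxy re-signing
# the traffic with a CA that has been pushed to the device.
$results |
    Select-Object Host, Issuer, ChainRoot, LocallyTrusted,
        @{ n = 'IssuerExpected'; e = { [bool]($_.Issuer -match $ExpectedIssuerPattern) } },
        Error |
    Format-List
```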
FIX Intune Company Portal App Login Issues with Windows 10/11 – Fig.9
Intune Company Portal Login Issues
After 3 login attempts, the company portal application will show you the following error: “Login error occurred – an error occurred while attempting to login“. You may also get the following details in the error log.
Have you ever seen this? The following scenarios show this issue in different Intune/AAD tenants. The table below gives more details.
The Issue in Different Intune/AAD Tenants
Windows 10 AAD Joined
Windows 10 MDM enrolled (Work account)
Windows 10 OOBE
FIX Intune Company Portal App Login Issues with Windows 10/11 – Table 1
I don’t have any solution for this issue yet. If you can reproduce this issue, then please do comment on this post. When I remove the added Work or School account from Settings – Accounts – Access work or school, then I’m able to log in to the Intune company portal.
However, it will (obviously) say, “You need to add your device before you can install apps.” If you select “Don’t add this device,” the Intune company portal will proceed to the next page, which will show you the “my devices” list, etc., with a note, “It looks like you need to add this device so that you can install apps.”
FIX Intune Company Portal App Login Issues with Windows 10/11 – Fig.10
Log File Details – Intune Company Portal:-
Intune Company Portal Login Issues with Windows 10 Anniversary Update.
Microsoft.Management.Services.SelfServicePortal.CommonViewModels.ServiceLoginPageViewModel.<AuthenticateWithExceptionHandlingAsync>d__36.MoveNext()
2016-09-03T06:03:13.4876367Z WARN Event None 400 f67a7f1d-54e3-41e0-a838-e39ec3385ba3 3-0-0 Displaying error dialog
Title: Login error occurred
Message:An error occurred while attempting to login.
Exception: Microsoft.Management.Services.SelfServicePortal.Common.Portable.Authentication.IntuneAuthenticationException: Failed to authenticate with AAD
at Microsoft.Management.Services.SelfServicePortal.Extensions.AzureAD.Common.Authentication.AuthenticationResultHelper.ThrowIfAuthenticationStatusIsNotSuccess(AuthenticationStatus authenticationStatus)
at Microsoft.Management.Services.SelfServicePortal.Extensions.AzureAD.Common.Authentication.AzureADAuthenticationService.<AuthenticateAsync>d__0.MoveNext()
Resolution – Proxy Issue
The client app (in this case, Company Portal) should support tenant restrictions. I overlooked this point while writing this post. Microsoft docs already document that client software must request tokens directly from Azure AD so that the proxy infrastructure can intercept traffic.
NOTE! – The company portal (website) works well with tenant restrictions.
The proxy servers removed the OMT feature for TLS inspection for AAD authentication communication, which fixed the Company Portal.
Let’s discuss How to Convert SCCM CB from an Evaluation Version to the Full Version Configuration Manager.
How do I upgrade the SCCM CB evaluation version to a licensed version? In the video tutorial embedded below, we will see how to convert the SCCM/ConfigMgr current branch evaluation version to the full version.
This activity should be performed using the application shortcut “Configuration Manager Setup,” which is already available on the primary or CAS server. I’m using the SCCM Current Branch (CB) 1606 CAS server to perform this activity.
This post provides all the details on converting SCCM CB from the Evaluation Version to the Full Configuration version.
How to Convert SCCM CB from Evaluation Version to Full Version Configuration Manager – Fig.1
How to Convert SCCM CB from Evaluation Version to Full Version Configuration Manager
Using the same method, we must convert all the site servers (CAS, Child Primaries, and Stand-alone primary servers). Before performing this site maintenance activity via Configuration Manager setup, you must ensure you have a valid 25-character product key from Volume Licensing or MSDN!
SCCM Setup Wizard
Upgrade the evaluation edition to a licensed edition. Enter the 25-character product key
How to Convert SCCM CB from Evaluation Version to Full Version Configuration Manager – Table 1
How to Convert SCCM CB from Evaluation Version to Full Version Configuration Manager – Fig.2
Logs – Evaluation Version to Full Version?
You can verify the SCCM CB 1606 Eval version to the Full version upgrade process via the log file called ConfigMgrSetup.log. Following are some of the snippets from the log file.
INFO: IsProductKeyValid, Dll path:C:\PROGRAM FILES\MICROSOFT CONFIGURATION MANAGER\BIN\X64\PidGenX.dll. Configuration Manager Setup 18-08-2016 06:11:28 3812 (0x0EE4)
INFO: PidGenX confirmed that the product key is valid. Configuration Manager Setup 18-08-2016 06:11:31 3812 (0x0EE4)
INFO: Specified product key is for VL. Configuration Manager Setup 18-08-2016 06:11:31 3812 (0x0EE4)
INFO: Successfully Converted from Evaluation to Full Product Version. Configuration Manager Setup 18-08-2016 06:12:03 1564 (0x061C)
How to Expand SCCM CB Standalone Primary server with CAS server Configuration Manager ConfigMgr? In this post, we will see how to expand the stand-alone primary server and attach it to CAS.
We need to install an SCCM CB CAS server from the latest source files. We can get the latest source files from the stand-alone primary server’s CD.Latest folder.
More details about the CD.Latest folder are in my previous blog here. When do you want to convert/expand your SCCM CB stand-alone primary server to a hierarchy and install SCCM CB CAS?
The only reason for this activity is “If your SCCM CB stand-alone primary server is going out of support in terms of a maximum number of supported clients”.
How to Expand SCCM CB Standalone Primary Server with CAS Server Configuration Manager ConfigMgr – Fig.1
Introduction – How to Expand SCCM CB Standalone Primary Server with CAS Server
As per the latest documentation from Microsoft, a stand-alone primary server can support up to 175K clients. If you have exceeded this magical number, you must expand your stand-alone primary server to the SCCM CB hierarchy with CAS.
SCCM Site Hierarchy
Monitoring
Overview
Site Hierarchy
CAS
BLR
How to Expand SCCM CB Standalone Primary Server with CAS Server Configuration Manager ConfigMgr – Table 1
How to Expand SCCM CB Standalone Primary Server with CAS Server Configuration Manager ConfigMgr – Fig.2
More Details – How to Expand SCCM CB Standalone Primary Server with CAS Server
I’ve created a video tutorial to explain the process of expanding the SCCM CB stand-alone primary server. Before starting the expansion activity, we need to consider some essential prerequisites.
We must install the new SCCM CB CAS server from the installation media (source files) –CD.Latest Folder- that matches the version of the stand-alone SCCM CB primary site.
The SCCM CB stand-alone primary site cannot be configured to migrate data from another SCCM hierarchy. Remove all those migration configurations before expansion.
The SCCM CB CAS server’s computer account must be a member of the Administrators group on the stand-alone primary site. You may or may not remove this account after the expansion.
The user account that runs setup to install the SCCM CB CAS server must have FULL Admin or Infra Admin permissions at the stand-alone primary site.
Before you can expand the site, we have to uninstall the following site system roles from the SCCM CB stand-alone primary site: the Asset Intelligence synchronization point, the Endpoint Protection point, and the Service connection point.
The SQL Server Service Broker port (4022) must be open between the SCCM CB CAS and the stand-alone primary server.
ConfigMgrSetup.log
Snippets from ConfigMgrSetup.log which may help you to trace the installation of CAS and connectivity between SCCM CB primary server:-
INFO: Registering SQL connection to primary site's SQL server BLRITPROCM.BLRITPRO.COM.
INFO: checking whether BLRITPROCM.BLRITPRO.COM is a standalone site and whether it has the matched version
INFO: Creating sender address on primary site BLRITPROCM.BLRITPRO.COM to access CAS site BLREMSCAS.BLRITPRO.COM.
INFO: Creating sender address on CAS site BLREMSCAS.BLRITPRO.COM to access primary site BLRITPROCM.BLRITPRO.COM.
INFO: Stored SQL Server computer certificate for Server [BLREMSCAS.BLRITPRO.COM] successfully on [BLRITPROCM.BLRITPRO.COM].
Successfully bulk copied file [C:\SEDO_LockableObjectTypes_bcp.bcp] into table [SEDO_LockableObjectTypes] with rows [20]. Configuration Manager Setup 17-08-2016 15:37:58 3936 (0x0F60)
Creating Service Broker routes for site BLR on SQL server BLREMSCAS.BLRITPRO.COM. ConfigurationManager Setup 17-08-2016 15:38:43 3936 (0x0F60)
INFO: RCM received a message from "BLRITPROCM.BLRITPRO.COM", BCP initialization has started. Configuration Manager Setup 17-08-2016 15:47:36 3576 (0x0DF8)
How to Recover SCCM CB Primary Server Using SQL Database Backup Configuration Manager ConfigMgr with the following video tutorial from the HTMD community.
Let’s see “How to Recover SCCM CB Primary Server Using SQL Database Backup.” Sometimes, you must restore the SQL on a new virtual server or hardware. I have also included that in the post below.
The critical point here is that “SCCM CB full backup” is not required to restore your SCCM CB primary server. Instead, you can restore or recover the primary site server from SQL backup and CD.Latest folder backup (along with package source folders, WSUS folders/DBs, etc.).
This post provides all the details on recovering the SCCM CB primary server using the SQL database backup configuration manager configMgr.
The following are the prerequisites for recovering the SCCM CB primary server using a SQL database backup.
Remove existing SCCM servers from the domain, ensuring you know local admin account details.
Shutdown existing SCCM servers
Rename existing SCCM servers in Vcenter or HyperV to .old
Rename the new SCCM server in Vcenter/HyperV to the existing SCCM server names
Delete existing SCCM servers from AD
Remove new SCCM/ConfigMgr servers from the domain and reboot, ensuring you have local admin account details.
Log onto new SCCM/ConfigMgr servers using the local admin account
Change IPs of new SCCM servers to reflect old SCCM server IP details
Change new SCCM server names to existing SCCM server names and reboot
Log on to new SCCM servers as the local admin account
Add new SCCM servers to the domain and reboot
Verify the OU, System Management Access, and AD membership information for the new SCCM/ConfigMgr servers. Reboot if you have made any changes above
Storage migrate any back-end storage in VMware/HyperV to ensure that vmdk files and vmx/VHDX files are named correctly.
How to Recover SCCM CB Primary Server Using SQL Database Backup Configuration Manager ConfigMgr?
I have another three posts and videos related to SCCM Current Branch backup and recovery options. You can refer to those posts from here.
The SCCM CB standalone primary server should be installed from CD.Latest folder (p.s – this is because we are making a recovery of the server). I used the native SQL backup option from SQL Management Studio to back up the SQL DB.
Once the recovered server OS was up and running with all the prerequisites (ADK, WSUS, SQL), I restored the SQL DB using Management Studio from the SQL full backup file. The video tutorial below explains all these processes.
How to Recover SCCM CB Primary Server Using SQL Database Backup Configuration Manager ConfigMgr – Fig. 1
Also, note the “post-recovery” process in addition to removing and adding Intune subscriptions. It would be best to ensure that all the accounts configured in the SCCM ConfigMgr CB console are removed and added back.
If a hotfix is installed on the SCCM CB server, we must install it after the recovery Wizard is completed. During recovery, we must follow the following SCCM CB primary server prerequisites.
Prerequisites for the SCCM CB Primary Server
The hostname Should be the same
Drive Letters should be the same
The installation path should be the same
Should have the same patch level
Better to have the same IP
All the prerequisite apps should be installed
SQL Database is already restored (manually)
How to Recover SCCM CB Primary Server Using SQL Database Backup Configuration Manager ConfigMgr – Table 1
Recover SCCM CB Primary Server Using SQL Database Backup
Let’s learn How to Restore or Recover the SCCM Standalone Primary Server Configuration Manager ConfigMgr.
This is another video tutorial to demonstrate “How to restore or recover an SCCM standalone primary server“. The prerequisites for this type of recovery are explained in the video and the table below. Introduction – I will use SCCM CB full backup to restore or recover the Site Database server in this scenario.
The SCCM Site Server and Site Database Recovery options I selected during the recovery process are essential. In this scenario, I opted to reinstall the site server part of SCCM CB site server recovery and for the “Recover DB using SCCM full backup” option to recover the site server database.
Another question I get as part of the SCCM CB hybrid (with Intune integration) is:- Do we need to re-enroll the mobile devices once the SCCM CB server is restored/Recovered? The answer is there in the video 🙂
Prerequisites – How to Restore or Recover SCCM Standalone Primary Server Configuration Manager ConfigMgr
The table below shows the prerequisites needed to restore or recover the SCCM standalone primary server.
Prerequisites
SCCM full backup
FQDN – The server name should be the same as the existing server
Drive Letters should be the same
The installation path should be the same
It should have the same patch level
Better to have the same IP (to avoid opening new Firewall rules)
How to Restore or Recover SCCM Standalone Primary Server Configuration Manager ConfigMgr – Table 1
If you have a question about “How to take the full backup of the SCCM CB server,” it is explained in the previous post here. So, I won’t cover that topic in this post or video. Also, SCCM CB primary server migration to new hardware is already covered in the post here.
More details – How to Restore or Recover SCCM Standalone Primary Server
Table 1:- SCCM CB Site Server and Site Database Recovery options demonstrated in the above video are highlighted.
How to Restore or Recover SCCM Standalone Primary Server Configuration Manager ConfigMgr – Fig.1
SCCM ConfigMgr CB How to Restore or Recover Primary Standalone Server
This is another video tutorial to demonstrate “How to restore or recover the SCCM/ConfigMgr CB standalone primary server“. The prerequisite for this type of recovery (explained in the video and the table below) – we need to have SCCM/ConfigMgr CB full backup, the Server name should be the same as the existing server, the Drive Letters should be the same, the Installation Path should be same, Should have same patch level and Better to have the same IP (to avoid opening new Firewall rules).
How to Restore or Recover SCCM Standalone Primary Server Configuration Manager ConfigMgr – Video 1
This is a quick post and video about “How to Download the Latest Version of Windows 10 ISO.” There are three methods for downloading the Windows 10 anniversary update (1607).
How to download Windows 10 ISO? Login to TechNet Evaluation Center with Hotmail/Outlook/Live ID and Download Free Windows 10 ISO – Enterprise version. This evaluation is to test Windows 10 1607 for free for 90 days.
How to download Windows 10 ISO 1607 Anniversary update from MSDN? Login to the MSDN Subscriptions Center (for Visual Studio/MSDN subscribers) from here and download the Windows 10 ISO.
In this post, you will find all the details on how to Download the Latest Version of Windows 10 ISO.
How to Download the Latest Version of Windows 10 ISO – Fig.1
How to Download Windows 10 ISO 1607 Anniversary Update from VLSC? – How to Download the Latest Version of Windows 10 ISO
You can log in to the Volume Licensing Service Center (for Volume License customers) from here and download the Windows 10 ISO.
If you already use Windows 10 1511, you can get the updated version from Settings –> Update and Security. How do you download Windows 10 Anniversary Update 1607 for your home machines?
Download the Latest Version of Windows 10 ISO
Download Windows 10, version 1607 update from Windows Update or Windows Update for Business.
If updates are not appearing on your Windows 10 machine, use the Windows 10 Update Assistant utility.
Let’s discuss how to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection. Endpoint Protection is the new solution that will replace Windows Information Protection (WIP).
In this post, I’ll overview the Windows Information Protection (WIP)/Enterprise Data Protection (EDP) policy configuration and Windows 10 EDP End User Experience.
WIP/EDP is fully supported in the recently released Windows 10 anniversary edition (1607). We can use Intune standalone and SCCM CB 1606 to configure Windows Information Protection policies.
Before implementing the WIP in your organization, it’s essential to find out which WIP-enabled applications are available, and we have to define which WIP mode the applications will be in, Allow or Exempt.
Before I go into details, here is a video tutorial explaining the configurations and a Windows 10 end-user experience demo. I used Windows 10 Insider Build 14342 with Microsoft Intune.
It is essential to understand that WIP is Microsoft's solution for protecting against accidental data leakage. Windows 10 Enterprise has loads of security enhancements. I think Microsoft invested heavily mainly in 3 pieces, and those are:
1. Secure Identities
2. Information Protection
3. Threat Resistance
How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Data Protection Options? Endpoint Protection
Windows Information Protection/EDP is part of Information Protection. For information protection, Microsoft recommends having the following.
Data Protection Options
Encryption (BitLocker)
WIP/EDP
Azure Information Protection (or RMS)
How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Table 1
How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Fig.1
How to Create – Deploy WIP EDP Using SCCM CB 1606 and End-User Experience of WIP
I’ll give an overview of the Windows Information Protection (WIP)/Enterprise Data Protection (EDP) policy configuration and Windows 10 EDP End User Experience through this video.
How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Video 1
Following are the Quick Steps to Configure (Intune Console) the Windows 10 EDP Policies
1. Configure the list of Windows 10 Apps (Universal/Store or Desktop) that you want to protect through EDP
2. Select the EDP/WIP Mode of protection
3. Configure the Network locations/IP Range
4. Upload the Data Recovery certificates and EDP settings
Configure the List of Windows 10 Apps (Universal/Store or Desktop) that You Want to Protect through WIP
There are two types of apps that we can configure in the Intune console: Universal/Store apps and Desktop apps. To configure Windows 10 EDP/WIP policies, we must first identify the applications we want to protect via EDP policies.
First, we need to obtain the publisher details and app product names. We do this through the Intune Console.
How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Fig.2
SCCM Console
Specify app rules for applying the enterprise data EDP policy. Only apps that meet these rules will be allowed to access enterprise resources, and all other apps will be blocked from doing so.
How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Fig.3
The publisher and product name of Store and desktop apps can be found using Local Security Policy –> Application Control Policies –> AppLocker –> Packaged app Rules.
How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Fig.4
Select the WIP/EDP Mode of Protection
Which mode of protection do you want to select for the EDP policy? I selected the block mode !! The protection modes available in the EDP policy are listed below.
1. Block
2. Override
3. Silent
4. Off
How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Fig.5
Configure the Network Locations through EDP/WIP Policies
These are the network locations that the apps you configure can access; no other apps can access these locations. These network location settings are critical for EDP/WIP policy to work on Windows 10 machines!! Below 4 network location settings are mandatory settings (I think):-
Primary Domain (my primary domain is trial tenant)
Outlook.office.com|outlook.office365.com Enterprise Network Domain (The Dummy URL is fine, I think – it worked for me)
blogs.anoopcnair.com Enterprise IPv4 Range (Any IP range is fine, I think – Hyper-V lab IP Range worked for me) Internal IP range 192.0.0.1-192.255.255.254
Intune Console.
How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Fig.6
SCCM Console
Define your corporate network boundary to be protected by Enterprise data protection. Access to these network locations will be restricted to only the apps that meet the app criteria defined in the App rules.
How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Fig.7
Configure WIP/EDP Data Recovery Agent Cert
Configuring the WIP/EDP Data recovery agent cert is mandatory now !! The recommended way is to re-use the EFS DRA from your domain when you have one. There are some other ways to create a test cert !! I have uploaded one, as you can see in the below picture.
How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Fig.8
Configure WIP/EDP Policy Settings
WIP/EDP Settings – The last WIP/EDP configuration in Intune. By default, none of these settings are enabled !! Allow user to edit or decrypt data –> NO. Protect App content when the device is in a locked state –> Yes.
How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Fig.9
Windows 10 WIP/EDP – End User Experience
In my example here – WordPad is NOT a protected APP – I tried to copy the enterprise mail content to an unprotected app, and it gave me the following error: “This is work content only – your organization, PuneITPro.onmicrosoft.com, doesn’t allow you to change the ownership of this content from work to Personal”
How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Fig.10
Notepad is an EDP-protected app. I tried to copy the enterprise mail content to a WIP/EDP-protected app (NOTEPAD), which allowed me to do so. You should notice the EDP lock symbol.
How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Fig.11
Internet Explorer (IE) provides an EDP Lock Symbol when you browse an Enterprise location.
How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Fig.12
Microsoft Edge provides an EDP Lock Symbol when you browse an Enterprise location.
How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Fig.13
OneDrive universal application provides an EDP Lock Symbol for enterprise OneDrive accounts but not personal OneDrive accounts.
How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Fig.14
How to Migrate SCCM CB Primary Server to New Hardware Configuration Manager ConfigMgr? How do we Migrate the SCCM CB 1606 primary server to new hardware or a new virtual server?
How can I restore the SCCM CB primary server from the full SCCM backup? I’ll try to answer these two questions in this blog post and the video.
I used SCCM CB full backup to migrate the primary server into a virtual server. In this scenario, the SCCM CB primary site server and Database server are on the same box.
After the migration, Intune/cloud communication was not working, and all the logs (CloudUserSync.log, DMPUploader.log, and DMPDownloader.log) filled with “Certmgr has not installed certificate yet, sleep for 1 minute.”.
The resolution was to remove the Intune subscription and add it back. Below are more details about migrating the SCCM CB primary server to new hardware or a new virtual server.
Prerequisites – Migrate SCCM CB Primary Server to New Hardware
The prerequisites we must follow while migrating the SCCM CB primary server to new hardware are:
FQDN Hostname Should be the same
Drive Letters should be the same
The installation path should be the same
Should have the same patch level
Better to have the same IP
How to Migrate SCCM CB Primary Server to New Hardware Configuration Manager ConfigMgr Best Guide – Fig.1
Tips – Migrate the SCCM CB Primary server to New Hardware
Let’s discuss the following steps to help you complete the migration steps efficiently.
Migrate the SCCM CB Primary server to New Hardware
1. Document local SMS group memberships of existing server
2. Perform differential Robocopy of the backup folders to the new server (Package Source\DP files\WSUS)
3. Shut down the current SCCM CB server
4. Delete the AD object of the existing SCCM Server from Active Directory Users and Computers
5. Rename the new server to the old SCCM CB server name
6. Give the New Server an OLD IP address (Optional)
7. Perform Domain Join of the new SCCM CB server. Provide FULL ACCESS to new SCCM CB computer object in the System Management container and also add to respective AD groups wherever required.
8. Install all the prerequisites – ADK, WSUS, SQL, etc…
9. Run the setup from CD.Latest folder to get the latest binaries of the existing CB site.
How to Migrate SCCM CB Primary Server to New Hardware Configuration Manager ConfigMgr Best Guide – Table 1
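The following PowerShell sketch covers steps 1 and 2 and records the values the prerequisites list says must match on the new server. It is an added example, not part of the original post: the folder paths, the server name and the `SMS*` group-name filter are assumptions to adjust for your site.

```powershell
# Added example: pre-migration inventory of the OLD site server (run elevated).
# Assumptions (hypothetical, not from the post): all three paths below and the
# 'SMS*' filter used to pick out the local ConfigMgr groups.
param(
    [string]$OutDir     = 'C:\MigrationInventory',
    [string]$BackupSrc  = 'D:\SCCMBackup',
    [string]$BackupDest = '\\NEWSERVER\D$\SCCMBackup'
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Step 1: record the members of each local SMS group so they can be re-created
# (and reviewed for stale or over-privileged accounts) after the move.
$groups = foreach ($g in Get-LocalGroup | Where-Object Name -like 'SMS*') {
    try {
        $members = @(Get-LocalGroupMember -Group $g.Name -ErrorAction Stop |
            Select-Object Name, ObjectClass, @{ n = 'Sid'; e = { $_.SID.Value } })
    } catch {
        # Orphaned SIDs can break enumeration; record the failure, do not hide it.
        $members = @([pscustomobject]@{ Name = "ENUMERATION FAILED: $($_.Exception.Message)" })
    }
    [pscustomobject]@{ Group = $g.Name; Members = $members }
}

# Prerequisites: FQDN, drive letters, patch level and IP the new server should match.
$fixed = [System.IO.DriveInfo]::GetDrives() | Where-Object DriveType -eq 'Fixed'
$inventory = [pscustomobject]@{
    CapturedAt   = (Get-Date).ToString('s')
    Fqdn         = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    DriveLetters = @($fixed | ForEach-Object Name)
    OsVersion    = [System.Environment]::OSVersion.Version.ToString()
    HotFixes     = @(Get-HotFix | Sort-Object HotFixID | ForEach-Object HotFixID)
    IPv4         = @(Get-NetIPAddress -AddressFamily IPv4 |
                     Where-Object IPAddress -ne '127.0.0.1' | ForEach-Object IPAddress)
    LocalGroups  = @($groups)
}
$inventory | ConvertTo-Json -Depth 5 |
    Set-Content -Path (Join-Path $OutDir 'old-server.json') -Encoding UTF8

# Step 2: differential copy. Robocopy skips unchanged files; /XO skips files that
# are older than the destination copy; /COPY:DATS also carries the NTFS ACLs.
robocopy $BackupSrc $BackupDest /E /XO /COPY:DATS /R:2 /W:5 /LOG+:"$OutDir\robocopy.log"
if ($LASTEXITCODE -ge 8) {
    throw "Robocopy reported failures (exit code $LASTEXITCODE); check robocopy.log."
}
```

Running the same inventory on the rebuilt server and comparing the two JSON files shows any drift in group membership, drive layout or patch level before the recovery setup is started.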
Let’s discuss SCCM ConfigMgr CB: How to Plan Backup Recovery Configuration Manager Best Options. What are the backup and recovery options changes in SCCM ConfigMgr CB 1606? Nothing much changed in terms of backup apart from taking a backup of the CD.Latest folder.
The CD.LATEST folder is also backed up as part of the SCCM CB full backup. Why do we need the CD.LATEST as part of the SCCM CB full backup? This is because it is a source file for when you want to recover an SCCM CB site server!
Why can’t we use the baseline version, which can be downloaded from MSDN/Volume Licensing sites? Those binaries can’t be used because they are not the same version of SCCM CB that is installed in your primary server/CAS.
The baseline version of SCCM CB production is 1511, and if you upgraded/updated the site to SCCM CB 1606 using Updates and Servicing, you can’t use the 1511 version source files to recover the primary site.
When Do You Want to Run SCCM CB Setup from CD.LATEST Folder? – SCCM ConfigMgr CB How to Plan Backup Recovery Configuration Manager Best Options
Only when you are trying to recover a site !! In the following video, I try to explain the process of backup and restore, and also when to select which option during the recovery process.
There is always a question of whether to use SCCM full backup or just SQL backup to restore the functionality of SCCM sites. My answer is, “It depends.”
SCCM CB supports both the scenarios mentioned above; however, in some of the scenarios, you may need a full SCCM CB backup to complete the restore. The SCCM restore and recovery come with loads of permutations and combinations, as I explained in the table below and the video above.
SCCM ConfigMgr CB How to Plan Backup Recovery | Configuration Manager Best Options
After watching the video, I hope you will gain some clarity about those scenarios.
Video: What are the changes in SCCM CB 1606 Backup and Recovery options (YouTube)
Table 1: SCCM CB Site Server and Site Database Recovery Options
The screenshot below shows the SCCM CB Site Server and Site Database Recovery Options. It shows the SCCM CB Site Server options such as the CAS, Stand-Alone Primary, Child Primary and Secondary Remote Site.
| Site type | Installation: Setup only part of recovery | Site Server: Recover Site Server | Site Server: Reinstall the site server | Site Database: Recover DB using CM backup | Site Database: Create a new DB | Site Database: Manually Recovered DB | Site Database: Skip DB Recovery |
|---|---|---|---|---|---|---|---|
| CAS | Install setup from CD.LATEST Folder | Only when you’ve SCCM Full Backup | Reconfigure the settings | Only when you’ve SCCM Full Backup | Only when you’ve a hierarchy | Use SQL Backup or any other backup. Changes made retrieved from Primary | Only valid when the site DB is on a different computer |
| Stand-Alone Primary | Install setup from CD.LATEST Folder | Only when you’ve SCCM Full Backup | Reconfigure the settings | Only when you’ve SCCM Full Backup | Not Applicable | Use SQL Backup or any other backup. Lose site changes after the last backup | Only valid when the site DB is on a different computer |
| Child Primary | Install setup from CD.LATEST Folder | Only when you’ve SCCM Full Backup | Reconfigure the settings | Only when you’ve SCCM Full Backup | Only when you’ve a hierarchy | Use SQL Backup or any other backup. Changes made retrieved from CAS | Only valid when the site DB is on a different computer |
| Secondary | Use CM Console to recover Secondary Site | No recovery | No recovery | No recovery | No recovery | No recovery | No recovery |