Feature Comparison Video Between SCCM ConfigMgr CB 1610 and 1606

SCCM ConfigMgr current branch (CB) 1610 was released last Friday (18th Nov 2016). SCCM CB 1610 comes with loads of features, and the upgrade process via the updates and servicing channel is very easy: it’s just a couple of clicks and you are done with the SCCM CB 1610 upgrade. You can directly upgrade your SCCM CB 1511 server to 1610; there is no need to go through all the other upgrades (1602/1606) available in your SCCM CB console. More details are available in the blog post here. The SCCM CB 1610 upgrade process is straightforward, as I explained in the previous blog post video here.

In this post, I’m sharing a comparison video of features between SCCM CB 1606 and 1610. The features discussed in the video below are very important for upcoming changes to SCCM ConfigMgr CB. If you are using the hybrid version of SCCM CB to manage mobile devices and domain-joined machines, then the configuration and compliance policy updates are very important. I think the SCCM team invested loads of time improving the features of their product. SCCM CB is moving away from old-fashioned boundary settings like fast and slow boundaries, and is instead investing more in current and neighbour boundary groups. This will help the product evolve further in upcoming versions.

The "what is new in SCCM 1610" feature comparison includes: boundary groups (current and neighbour boundary groups), improvements to Windows Store for Business, Cloud Management Gateway (internet client management), immediate policy sync for Intune-enrolled devices, changes in configuration and compliance policies, Lookout integration with SCCM CB 1610, client peer cache settings (client peer cache dashboard), enforcement of grace period, and the content size filter in Software Update ADRs. Monitoring of loads of components has also been updated, and new dashboards have been included.

Summary of features which I covered/compared in the following video :-

  1. New Features as part of SCCM CB 1610 updates and servicing
  2. Boundary Changes – Improvements for boundary groups – current boundary group vs neighbour boundary groups
  3. Improvements to Windows Store for Business – Modify the client secret key and delete a subscription to the store from the SCCM Console
  4. Cloud management gateway for managing Internet-based clients – Cloud management gateway provides a simple way to manage Configuration Manager clients on the Internet.
  5. Immediate Policy sync for MDM channel Intune-enrolled devices
  6. Configuration policies – New policies included in SCCM CB 1610 – Android (23), iOS (4), Mac (4), Windows 10 desktop and mobile (37), Windows 10 Team (7), Windows 8.1 (11), and Windows Phone 8.1 (3).
  7. Compliance Policies settings improvements – Lookout integration compliance policies
  8. Windows 10 Edition Upgrade Policy can be applied for SCCM CB 1610 – Now available for Intune and SCCM clients
  9. Client Agent – Client Peer Cache helps you manage deployment of content to clients in remote locations. Peer Cache is a built-in SCCM solution for clients to share content with other clients directly from their local cache. Set "Enable Configuration Manager client in full OS to share content" to Yes.
  10. Customizable Branding is also included in SCCM CB 1610
  11. Enforcement grace period is one of the nice features included in SCCM CB 1610
  12. Another nice feature included in SCCM CB 1610 Software Update ADR is Content Size
  13. Monitoring – Compliance policies Dashboard and Client Data Source Dashboard

How to Expand SCCM CB Standalone Primary server with CAS server

How can we expand the SCCM CB stand-alone primary server? In this post, we will see how to expand the stand-alone primary server and attach that server to a CAS. We need to install an SCCM CB CAS server from the latest source files; we can get the latest source files from the stand-alone primary server’s CD.Latest folder. More details about the CD.Latest folder are in my previous blog here. When would you want to convert/expand your SCCM CB stand-alone primary server to a hierarchy and install an SCCM CB CAS?

The only reason for this activity is that your SCCM CB stand-alone primary server is going out of support in terms of the maximum number of supported clients. As per the latest documentation from Microsoft, a stand-alone primary server can support up to 175K clients. If you have exceeded this magic number, then you need to expand your stand-alone primary server to an SCCM CB hierarchy with a CAS.

I’ve created a video tutorial to explain the process of SCCM CB stand-alone primary server expansion. There are some important prerequisites we need to take into consideration before starting the expansion activity.

1) We have to install the new SCCM CB CAS server from the installation media (source files, i.e. the CD.Latest folder) that matches the version of the stand-alone SCCM CB primary site.
2) The SCCM CB stand-alone primary site cannot be configured to migrate data from another SCCM hierarchy. Remove all such migration configuration before the expansion.
3) The computer account of the SCCM CB CAS server must be a member of the Administrators group on the stand-alone primary site. You can remove this account after the expansion.
4) The user account that runs setup to install the SCCM CB CAS server must have Full Admin or Infra Admin permissions at the stand-alone primary site.
5) We have to uninstall the following site system roles from the SCCM CB stand-alone primary site before we can expand the site :- Asset Intelligence synchronization point, Endpoint Protection point and Service connection point.
6) The port for the SQL Server Service Broker (4022) must be open between the SCCM CB CAS and the stand-alone primary server.
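
A pre-flight check for prerequisites 3 and 6, as an added PowerShell example that is not part of the original post. It uses the two host names from the log excerpt in this post; the NetBIOS domain name BLRITPRO, working PowerShell remoting to the primary, and the Get-LocalGroupMember cmdlet being available on the primary are assumptions.

```powershell
# Added example (not from the original post). Run from the server that will become the CAS.
param(
    [string]$PrimaryFqdn   = 'BLRITPROCM.BLRITPRO.COM',  # primary site, from the log excerpt
    [string]$CasFqdn       = 'BLREMSCAS.BLRITPRO.COM',   # CAS, from the log excerpt
    [string]$NetBiosDomain = 'BLRITPRO',                 # assumption: NetBIOS domain name
    [int]   $BrokerPort    = 4022                        # SQL Server Service Broker port
)

# Prerequisite 6: can the CAS reach the Service Broker port on the primary's SQL Server?
# A failure means either a firewall block or no Service Broker endpoint listening there.
$tcp = Test-NetConnection -ComputerName $PrimaryFqdn -Port $BrokerPort -WarningAction SilentlyContinue

# Prerequisite 3: is the CAS computer account in the primary's local Administrators group?
$casAccount = '{0}\{1}$' -f $NetBiosDomain, $CasFqdn.Split('.')[0]
$admins = Invoke-Command -ComputerName $PrimaryFqdn -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass
}
$isAdmin = [bool]($admins | Where-Object { $_.Name -ieq $casAccount })

$report = [pscustomobject]@{
    Primary                = $PrimaryFqdn
    BrokerPortReachable    = $tcp.TcpTestSucceeded
    CasAccount             = $casAccount
    CasAccountIsLocalAdmin = $isAdmin
}
$report | Format-List

if (-not ($report.BrokerPortReachable -and $report.CasAccountIsLocalAdmin)) {
    Write-Warning 'One or more expansion prerequisites are not met.'
    exit 1
}
```

Running it again after the expansion shows whether the CAS computer account is still in the Administrators group, which prerequisite 3 says can be removed at that point.
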
Snippets from ConfigMgrSetup.log which may help you to trace the installation of CAS and connectivity between SCCM CB primary server:-
INFO: Registering SQL connection to primary site's SQL server BLRITPROCM.BLRITPRO.COM.
INFO: checking whether BLRITPROCM.BLRITPRO.COM is a standalone site and whether it has the matched version
INFO: Creating sender address on primary site BLRITPROCM.BLRITPRO.COM to access CAS site BLREMSCAS.BLRITPRO.COM.
INFO: Creating sender address on CAS site BLREMSCAS.BLRITPRO.COM to access primary site BLRITPROCM.BLRITPRO.COM.
INFO: Stored SQL Server computer certificate for Server [BLREMSCAS.BLRITPRO.COM] successfully on [BLRITPROCM.BLRITPRO.COM].
Successfully bulk copied file [C:\SEDO_LockableObjectTypes_bcp.bcp] into table [SEDO_LockableObjectTypes] with rows [20]. Configuration Manager Setup 17-08-2016 15:37:58 3936 (0x0F60)
Creating Service Broker routes for site BLR on SQL server BLREMSCAS.BLRITPRO.COM. ConfigurationManager Setup 17-08-2016 15:38:43 3936 (0x0F60)
INFO: RCM received a message from "BLRITPROCM.BLRITPRO.COM", BCP initialization has started. Configuration Manager Setup 17-08-2016 15:47:36 3576 (0x0DF8)
References :-
Expand the standalone primary server here
Installation of CAS server here

How to Create Configure and Deploy Windows 10 WIP Policies Using SCCM Intune

In this post, I’ll give an overview of Windows Information Protection (WIP)/Enterprise Data Protection (EDP) policy configuration and the Windows 10 EDP end user experience. What is WIP/EDP? It is very important to understand that WIP is Microsoft's solution for protection against accidental data leakage. Windows 10 Enterprise has loads of security enhancements. I think Microsoft invested heavily in mainly 3 pieces, and those are 1. Secure Identities 2. Information Protection and 3. Threat Resistance. Windows Information Protection/EDP is part of Information Protection. Within information protection, Microsoft recommends having 1. Encryption (BitLocker), 2. WIP/EDP and 3. Azure Information Protection (or RMS).

WIP/EDP is fully supported in Windows 10 anniversary edition (1607), which was released recently. We can use Intune standalone and SCCM CB 1606 to configure Windows Information Protection policies. Before implementing WIP in your organization, it’s very important to find out which applications are WIP enabled, and we have to decide which mode, Allow or Exempt, each application will be in.

Before I go into details, here is a video tutorial to explain the configurations along with a Windows 10 end user experience demo. I used Windows 10 Insider Build 14342 with Microsoft Intune.

How to Create – Deploy WIP EDP Using SCCM CB 1606 and End-user experience of WIP :-

How to start Implementing Windows 10 Windows Information Protection Using Intune

Following are the quick steps to configure the Windows 10 EDP policies in the Intune console :-

  1. Configure the list of Windows 10 apps (Universal/Store or Desktop) which you want to protect through EDP
  2. Select the EDP/WIP mode of protection
  3. Configure the network locations/IP range
  4. Upload the Data Recovery certificates
  5. EDP settings

Configure the list of Windows 10 Apps (Universal/Store or Desktop) which you want to protect through WIP

There are two types of apps which we can configure in the Intune console: Universal/Store apps and Desktop apps. To configure Windows 10 EDP/WIP policies, we first need to identify the applications which we want to protect via EDP policies. For that, the first thing we need is the publisher details and product name of the apps. How do we get that information?
You can find the publisher and product name of Store and desktop apps using Local Security Policy –> Application Control Policies –> AppLocker –> Packaged app Rules.

Select the WIP/EDP Mode of protection

Which mode of protection do you want to select for the EDP policy? I selected the block mode !! The protection modes available in the EDP policy are 1. Block 2. Override 3. Silent 4. Off

Configure the Network locations through EDP/WIP Policies

These are the network locations that the apps you configured can access. No other apps can access these locations. These network location settings are very important for the EDP/WIP policy to work on a Windows 10 machine !!

The below 4 network location settings are mandatory settings (I think) :-
Primary Domain (my primary domain is a trial tenant): PuneITPro.onmicrosoft.com
Enterprise Cloud Domain (Exchange Online): outlook.office.com|outlook.office365.com
Enterprise Network Domain (Dummy URL is fine I think – it worked for me): blogs.anoopcnair.com
Enterprise IPv4 Range (Any IP range is fine I think – Hyper-V lab IP Range worked for me): Internal IP range 192.0.0.1-192.255.255.254
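
The Enterprise IPv4 Range is one of the values that defines what Windows treats as the corporate network, so it is worth checking how much address space a range covers before deploying the policy. The following PowerShell is an added example, not part of the original post: it tests a range in the start-end form used above against the RFC 1918 private blocks. The function names and the second sample range are constructed for illustration.

```powershell
# Added example (not from the original post): check a WIP "Enterprise IPv4 Range"
# value against the RFC 1918 private address blocks.
function ConvertTo-UInt32 ([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)               # network order -> little-endian for BitConverter
    [BitConverter]::ToUInt32($bytes, 0)
}

$Rfc1918 = @(
    @{ Name = '10.0.0.0/8';     Start = '10.0.0.0';    End = '10.255.255.255' },
    @{ Name = '172.16.0.0/12';  Start = '172.16.0.0';  End = '172.31.255.255' },
    @{ Name = '192.168.0.0/16'; Start = '192.168.0.0'; End = '192.168.255.255' }
)

function Test-WipIpRange {
    param([Parameter(Mandatory)][string]$Range)

    $parts = $Range -split '-'
    if ($parts.Count -ne 2) { throw "Expected 'start-end', got '$Range'" }
    $start = ConvertTo-UInt32 ($parts[0].Trim())
    $end   = ConvertTo-UInt32 ($parts[1].Trim())
    if ($start -gt $end) { throw "Start address is above end address in '$Range'" }

    # The range is acceptable only if it sits entirely inside one private block.
    $block = $Rfc1918 | Where-Object {
        $start -ge (ConvertTo-UInt32 $_.Start) -and $end -le (ConvertTo-UInt32 $_.End)
    } | Select-Object -First 1

    [pscustomobject]@{
        Range              = $Range
        Addresses          = [uint64]$end - [uint64]$start + 1
        InsidePrivateBlock = [bool]$block
        Block              = if ($block) { $block.Name } else { $null }
    }
}

# The lab range from this post, next to a constructed /24-sized range for comparison.
'192.0.0.1-192.255.255.254', '192.168.10.1-192.168.10.254' |
    ForEach-Object { Test-WipIpRange -Range $_ } |
    Format-Table -AutoSize
```

A range that is not inside a private block includes publicly routable addresses, and hosts at those addresses would be treated as enterprise locations by the policy.
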

Configure WIP/EDP Data recovery agent cert

Configuring the WIP/EDP Data Recovery Agent (DRA) certificate is mandatory now !! The recommended way is to re-use the EFS DRA from your domain, when you have one. There are some other ways to create a test cert !! I have uploaded one as you can see in the below picture :-

Configure WIP/EDP Policy settings

WIP/EDP Settings – the last piece of WIP/EDP configuration in Intune. By default none of these settings are enabled !!
Allow user to edit or decrypt data –> NO
Protect App content when the device is in locked state –> Yes

Windows 10 WIP/EDP – End User Experience

In my example here :-

WordPad is NOT an EDP protected app – I tried to copy the enterprise mail content to an unprotected app and it gave me the following error “This is work content only – your organization, PuneITPro.onmicrosoft.com, doesn’t allow you to change the ownership of this content from work to Personal”

Notepad is an EDP protected app – I tried to copy the enterprise mail content to a WIP/EDP protected app (Notepad) and it allowed me to copy the content. And you should notice the EDP lock symbol.

Internet Explorer (IE) provides an EDP Lock Symbol when you browse an Enterprise location.

Microsoft Edge provides an EDP Lock Symbol when you browse an Enterprise location.

The OneDrive universal application provides an EDP Lock Symbol for the enterprise OneDrive account but not for a personal OneDrive account.

Reference :- Here

Video Guide How to Migrate SCCM CB Primary server to New Hardware

How do you migrate an SCCM CB 1606 primary server to new hardware or a new virtual server? How do you restore an SCCM CB primary server from a full SCCM backup? I’ll try to answer these two questions in this blog post and the video. I used an SCCM CB full backup to migrate the primary server to a virtual server. In this scenario, I have the SCCM CB primary site server and the database server on the same box. After the migration, Intune/cloud communication was not working and all the logs (CloudUserSync.log, DMPUploader.log and DMPDownloader.log) were filled with “Certmgr has not installed certificate yet, sleep for 1 minutes.“. The resolution was to remove the Intune subscription and add it back. More details about “Migrate SCCM CB Primary server to New Hardware or to new virtual server”

Following are the prerequisites which we need to follow while migrating the SCCM CB primary server to new hardware :-
Hostname should be the same
Drive letters should be the same
Installation path should be the same
Should have the same patch level
Better to have the same IP

The following steps will help to complete the migration easily :-
1. Document the local SMS group memberships of the existing server
2. Perform a differential Robocopy of the backup folders to the new server (Package Source\DP files\WSUS)
3. Shut down the current SCCM CB server
4. Delete the AD object of the existing SCCM server from Active Directory Users and Computers
5. Rename the new server to the old SCCM CB server name
6. Give the new server the old IP address (optional)
7. Perform the domain join of the new SCCM CB server. Provide FULL ACCESS to the new SCCM CB computer object in the System Management container and also add it to the respective AD groups wherever required.
8. Install all the prerequisites – ADK, WSUS, SQL etc….
9. Run the setup from the CD.Latest folder to get the latest binaries of the existing CB site
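
Steps 1 and 2 can be scripted on the existing server before it is shut down. This PowerShell is an added example, not part of the original post; the output folder, source folders and destination share are hypothetical, and the 'SMS*' name filter is an assumption about how the local groups are named.

```powershell
# Added example (not from the original post). All paths and the share name are hypothetical.
$docDir  = 'D:\MigrationDocs'                 # where the records and logs are written
$newHost = '\\NEWSERVER\D$'                   # temporary name of the new server
$folders = 'D:\PackageSource', 'D:\WSUS'      # content folders to carry over

New-Item -ItemType Directory -Path $docDir -Force | Out-Null

# Step 1: record who is in the local SMS groups and in Administrators, so the same
# memberships (and nothing more) can be re-created on the rebuilt server.
$groups = Get-LocalGroup | Where-Object { $_.Name -like 'SMS*' -or $_.Name -eq 'Administrators' }
$groups | ForEach-Object {
    $groupName = $_.Name
    Get-LocalGroupMember -Group $groupName |
        Select-Object @{ n = 'Group'; e = { $groupName } }, Name, ObjectClass, PrincipalSource
} | Export-Csv -Path (Join-Path $docDir 'LocalGroupMembers.csv') -NoTypeInformation

# Step 2: differential copy. Robocopy skips files that are unchanged at the destination,
# so re-running the same command copies only what changed since the previous pass.
# /COPY:DATSO keeps NTFS ACLs and ownership, so folder permissions are not reset.
foreach ($src in $folders) {
    $dst = "$newHost\$(Split-Path $src -Leaf)"
    robocopy $src $dst /E /COPY:DATSO /R:2 /W:5 /NP "/LOG+:$docDir\robocopy.log"

    # Robocopy exit codes of 8 or higher mean at least one file or directory failed.
    if ($LASTEXITCODE -ge 8) {
        Write-Warning "Robocopy reported failures for $src (exit code $LASTEXITCODE)"
    }
}
```
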

SCCM ConfigMgr CB 1606 How to Plan Backup and Recovery

What are the changes in the backup and recovery options in SCCM ConfigMgr CB 1606? Not much has changed in terms of backup, apart from taking a backup of the CD.Latest folder. The CD.LATEST folder is also backed up as part of the SCCM CB full backup. Why do we need CD.LATEST as part of the SCCM CB full backup? Because this is the source when you want to recover an SCCM CB site server ! Why can’t we use the baseline version which can be downloaded from MSDN/Volume Licensing sites? Those binaries can’t be used because they are not the same version of SCCM CB which is installed on your primary server/CAS. The baseline version of SCCM CB production is 1511, and if you upgraded/updated the site to SCCM CB 1606 using Updates and Servicing, then you can’t use the 1511 version source files to recover the primary site. When do you want to run SCCM CB setup from the CD.LATEST folder? Only when you are trying to recover a site !! In the following video, I try to explain the process of backup and restore, and also when to select which option during the recovery process.

There is always a question whether to use the SCCM full backup or just a SQL backup to restore the functionality of SCCM sites. My answer to that question would be “it depends”. SCCM CB supports both of the scenarios mentioned above; however, in some scenarios you may need a full SCCM CB backup to complete the restore. SCCM restore and recovery comes with loads of permutations and combinations, as I explained in the below table and the above video. I hope you will get some clarity about those scenarios after watching the video.

Table 1 : SCCM CB Site Server and Site Database Recovery options

| Site type | Installation: Setup only part of recovery | Site Server: Recover Site Server | Site Server: Reinstall the site server | Site Database: Recover DB using CM backup | Site Database: Create a new DB | Site Database: Manually Recovered DB | Site Database: Skip DB Recovery |
|---|---|---|---|---|---|---|---|
| CAS | Install setup from CD.LATEST Folder | Only when you’ve SCCM Full Backup | Reconfigure the settings | Only when you’ve SCCM Full Backup | Only When you’ve a hierarchy | Use SQL Backup or any other backup. Changes made retrieved from Primary | Only valid when the site DB is on a different computer |
| Stand-Alone Primary | Install setup from CD.LATEST Folder | Only when you’ve SCCM Full Backup | Reconfigure the settings | Only when you’ve SCCM Full Backup | Not Applicable | Use SQL Backup or any other backup. Lose site changes after the last backup | Only valid when the site DB is on a different computer |
| Child Primary | Install setup from CD.LATEST Folder | Only when you’ve SCCM Full Backup | Reconfigure the settings | Only when you’ve SCCM Full Backup | Only When you’ve a hierarchy | Use SQL Backup or any other backup. Changes made retrieved from CAS | Only valid when the site DB is on a different computer |
| Secondary | Use CM Console to recover Secondary Site | No recovery | No recovery | No recovery | No recovery | No recovery | No recovery |

Reference :- here