How to Recover SCCM CB Primary Server Using SQL Database Backup

This post shows how to recover an SCCM CB primary server using a SQL database backup. Sometimes you need to restore the SQL backup onto a new virtual server or new hardware; I have covered that scenario in this post as well.

The important point here is that an “SCCM CB full backup” is not required to restore your SCCM CB primary server. Instead, you can restore or recover the primary site server from a SQL backup and a backup of the CD.Latest folder (along with package source folders, WSUS folders/DBs, etc.).

Prerequisites:

  • Remove existing SCCM servers from domain ensuring you know local admin account details
  • Shutdown existing SCCM servers
  • Rename existing SCCM servers in vCenter or Hyper-V to .old
  • Rename new SCCM server in vCenter/Hyper-V to existing SCCM server names
  • Delete existing SCCM servers from AD
  • Take new SCCM/ConfigMgr servers off domain and reboot ensuring you have local admin account details
  • Log onto new SCCM/ConfigMgr servers using local admin account
  • Change IPs of new SCCM servers to reflect old SCCM server IP details
  • Change new SCCM servers names to existing SCCM server name and reboot
  • Log on to new SCCM servers as the local admin account
  • Add new SCCM servers to domain and reboot
  • Verify OU, System Management access, and AD membership information of new SCCM/ConfigMgr servers. Reboot if you have made any changes above
  • Storage migrate any back-end storage in VMware/Hyper-V to ensure that vmdk files and vmx/VHDX files are named correctly

I have another 3 posts and videos related to SCCM Current Branch backup and recovery options. You can refer to those posts from here.

The installation of the SCCM CB standalone primary server should be done from the CD.Latest folder (P.S. this is because we are doing a recovery of the server). I used the native SQL backup option in SQL Server Management Studio to back up the SQL DB.

Once the recovered server OS was up and running with all the prerequisites (ADK, WSUS, SQL), I restored the SQL DB from the SQL full backup file using Management Studio. All these processes are explained in the video tutorial below.

Also, take note of the “post recovery” process. Apart from the removal and addition of Intune subscriptions, you need to make sure that all the accounts configured in the SCCM ConfigMgr CB console are removed and added back.

If any hotfix was installed on the SCCM CB server, we need to install the same hotfix after the recovery wizard completes.

Following are the prerequisites which we need to follow during the recovery process of the SCCM CB primary server:

  • Hostname should be the same
  • Drive letters should be the same
  • Installation path should be the same
  • Should have the same patch level
  • Better to have the same IP
  • All the prerequisite apps should be installed
  • SQL database is already restored (manually)
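The following PowerShell check is an added example, not part of the original post: it compares the rebuilt server against values recorded from the old site server before setup is started from CD.Latest. Every value in `$expected` is a constructed placeholder, and the `Add-Check` helper is hypothetical.

```powershell
# Added example. All values in $expected are constructed placeholders for what
# was recorded from the old site server before it was shut down.
$expected = @{
    HostName     = 'SCCMPRI01'
    DriveLetters = 'C', 'D', 'E'
    InstallPath  = 'D:\Program Files\Microsoft Configuration Manager'
    IPv4         = '10.0.0.10'
}

$checks = @()
# Hypothetical helper: records one result row; advisory checks warn instead of fail.
function Add-Check {
    param([string]$Name, [bool]$Passed, [string]$Detail, [switch]$Advisory)
    $status = if ($Passed) { 'OK' } elseif ($Advisory) { 'WARN' } else { 'FAIL' }
    $script:checks += [pscustomobject]@{ Check = $Name; Status = $status; Detail = $Detail }
}

# Hostname must match the old server.
Add-Check 'Hostname' ($env:COMPUTERNAME -eq $expected.HostName) "found $env:COMPUTERNAME"

# Every drive letter the old server used must exist on the new one.
$present = (Get-PSDrive -PSProvider FileSystem).Name
$missing = @($expected.DriveLetters | Where-Object { $_ -notin $present })
Add-Check 'Drive letters' ($missing.Count -eq 0) "missing: $($missing -join ', ')"

# Setup can only reuse the old installation path if its drive is available.
$root = (Split-Path $expected.InstallPath -Qualifier) + '\'
Add-Check 'Install path drive' (Test-Path $root) "needs $($expected.InstallPath)"

# Same IP is "better to have", so a mismatch is a warning, not a failure.
$ips = @((Get-NetIPAddress -AddressFamily IPv4).IPAddress)
Add-Check 'IPv4 address' ($expected.IPv4 -in $ips) "found $($ips -join ', ')" -Advisory

$checks | Format-Table -AutoSize
if ($checks.Status -contains 'FAIL') {
    Write-Error 'Fix the failed items before running setup from CD.Latest.'
}
```

Patch level, prerequisite apps and the restored SQL database are not checked by this script and still need to be confirmed separately.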

Here is the end-to-end recovery experience video: How to Recover or restore SCCM CB Primary server using SQL Database Backup – YouTube.

How to Restore or Recover SCCM Standalone Primary Server

This is another video tutorial demonstrating how to restore or recover an SCCM standalone primary server. The prerequisites for this type of recovery (explained in the video and the table below) are: we need to have an SCCM full backup, the server name should be the same as the existing server, drive letters should be the same, the installation path should be the same, the server should have the same patch level, and it is better to have the same IP (to avoid opening new firewall rules).

If your question is “How to take the full backup of SCCM CB server”, that is already explained in the previous post here, so I’m not going to cover that topic in this post or video. Also, SCCM CB primary server migration to new hardware is already covered in the post here. In this scenario, I’m going to use the SCCM CB full backup to restore or recover the site database server.

The SCCM site server and site database recovery options that I selected during the recovery process are very important. In this scenario, I opted to reinstall the site server as the SCCM CB site server recovery option, and I opted for the “Recover DB using SCCM full backup” option to recover the site server database.

Another question I get as part of SCCM CB hybrid (with Intune integration) is: do we need to re-enroll the mobile devices once the SCCM CB server is restored/recovered? The answer is there in the video 🙂

More details about SCCM ConfigMgr CB 1606, How to Plan Backup and Recovery: https://www.anoopcnair.com/what-are-the-options-for-sccm-cb-1606-backup-and-recovery/

Table 1: The SCCM CB site server and site database recovery options demonstrated in the above video are highlighted.

How to Create Configure and Deploy Windows 10 WIP Policies Using SCCM Intune

In this post, I’ll give an overview of Windows Information Protection (WIP)/Enterprise Data Protection (EDP) policy configuration and the Windows 10 EDP end user experience. What is WIP/EDP? It is very important to understand that WIP is an accidental data leakage protection solution by Microsoft. Windows 10 Enterprise has loads of security enhancements. I think Microsoft invested heavily in mainly 3 pieces: 1. Secure Identities, 2. Information Protection and 3. Threat Resistance. Windows Information Protection/EDP is part of Information Protection. Within Information Protection, Microsoft recommends having 1. Encryption (BitLocker), 2. WIP/EDP and 3. Azure Information Protection (or RMS).

WIP/EDP is fully supported in Windows 10 Anniversary Edition (1607), which was released recently. We can use Intune standalone and SCCM CB 1606 to configure Windows Information Protection policies. Before implementing WIP in your organization, it’s very important to find out which applications are WIP enabled, and we have to define which WIP mode, Allow or Exempt, each application will be in.

Before I go into details, here is a video tutorial that explains the configuration along with a demo of the Windows 10 end user experience. I used Windows 10 Insider Build 14342 with Microsoft Intune.

How to Create – Deploy WIP EDP Using SCCM CB 1606 and End-user experience of WIP :-

How to start Implementing Windows 10 Windows Information Protection Using Intune

Following are the quick steps to configure (Intune console) the Windows 10 EDP policies:

  • Configure the list of Windows 10 Apps (Universal/Store or Desktop) which you want to protect through EDP
  • Select the EDP/WIP Mode of protection
  • Configure the Network locations/IP Range
  • Upload the Data Recovery certificates
  • EDP settings

Configure the list of Windows 10 Apps (Universal/store or Desktop) which you wanted to protect through WIP

There are two types of apps that we can configure in the Intune console: Universal/Store apps and Desktop apps. To configure Windows 10 EDP/WIP policies, we first need to identify the applications that we want to protect via EDP policies. For that, the first thing we need is the publisher details and product name of each app. How do we get that information?

[Screenshot: Intune console]
[Screenshot: SCCM console, adding app rules]

You can find the publisher and product name of store and desktop apps using Local Security Policy –> Application Control Policies –> AppLocker –> Packaged app Rules.
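The same publisher and product name values can also be read with the AppLocker PowerShell cmdlets instead of the Local Security Policy console. This is an added example, not from the original post; the package name patterns, the file paths and the `ConvertTo-AppRuleRow` helper are assumptions chosen to match the apps used later in this post.

```powershell
# Added example. Package name patterns and desktop paths are assumptions.
$storeApps   = '*MicrosoftEdge*', '*OneDrive*'
$desktopApps = "$env:SystemRoot\System32\notepad.exe",
               "$env:ProgramFiles\Windows NT\Accessories\wordpad.exe"

# Hypothetical helper: flattens AppLocker file information into the fields
# that an app rule asks for.
function ConvertTo-AppRuleRow {
    param($Info, [string]$Type)
    [pscustomobject]@{
        Type      = $Type
        Publisher = $Info.Publisher.PublisherName
        Product   = $Info.Publisher.ProductName
        Binary    = $Info.Publisher.BinaryName
        Version   = $Info.Publisher.BinaryVersion
    }
}

$rows = @()

# Universal/Store apps: resolve installed packages, then read their publisher data.
foreach ($name in $storeApps) {
    $pkgs = Get-AppxPackage -Name $name
    if (-not $pkgs) { Write-Warning "No installed package matches $name"; continue }
    $rows += $pkgs | Get-AppLockerFileInformation |
        ForEach-Object { ConvertTo-AppRuleRow $_ 'Store' }
}

# Desktop apps: publisher data comes from the executable's signature.
foreach ($path in $desktopApps) {
    if (-not (Test-Path $path)) { Write-Warning "Not found: $path"; continue }
    $info = Get-AppLockerFileInformation -Path $path
    if (-not $info.Publisher) {
        # An unsigned binary has no publisher to build a publisher rule from.
        Write-Warning "No publisher information: $path"
        continue
    }
    $rows += ConvertTo-AppRuleRow $info 'Desktop'
}

$rows | Format-Table -AutoSize
```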

Select the WIP/EDP Mode of protection

Which mode of protection do you want to select for the EDP policy? I selected Block mode! The protection modes available in an EDP policy are: 1. Block 2. Override 3. Silent 4. Off

Configure the Network locations through EDP/WIP Policies

These are the network locations that the apps you configured can access. No other apps can access these locations. These network location settings are very important for the EDP/WIP policy to work on a Windows 10 machine!

The below 4 network location settings are mandatory settings (I think):

  • Primary Domain (my primary domain is a trial tenant): PuneITPro.onmicrosoft.com
  • Enterprise Cloud Domain (Exchange Online): outlook.office.com|outlook.office365.com
  • Enterprise Network Domain (a dummy URL is fine, I think; it worked for me): blogs.anoopcnair.com
  • Enterprise IPv4 Range (any IP range is fine, I think; a Hyper-V lab IP range worked for me): Internal IP range 192.0.0.1-192.255.255.254

[Screenshot: Intune console]
[Screenshot: SCCM console, corporate network definition]

Configure WIP/EDP Data recovery agent cert

Configuring the WIP/EDP Data Recovery Agent (DRA) certificate is mandatory now! The recommended way is to re-use the EFS DRA from your domain, when you have one. There are some other ways to create a test cert. I have uploaded one.

Configure WIP/EDP Policy settings

WIP/EDP settings are the last piece of WIP/EDP configuration in Intune. By default, none of these settings are enabled!

  • Allow user to edit or decrypt data –> No
  • Protect App content when the device is in locked state –> Yes

Windows 10 WIP/EDP – End User Experience

In my example here:

WordPad is NOT an EDP protected app. I tried to copy the enterprise mail content to an unprotected app and it gave me the following error: “This is work content only – your organization, PuneITPro.onmicrosoft.com, doesn’t allow you to change the ownership of this content from work to Personal”.

Notepad is an EDP protected app. I tried to copy the enterprise mail content to a WIP/EDP protected app (Notepad) and it allowed me to copy the content. You should also notice the EDP lock symbol.

Internet Explorer (IE) provides an EDP lock symbol when you browse an enterprise location.

Microsoft Edge provides an EDP lock symbol when you browse an enterprise location.

The OneDrive universal application provides an EDP lock symbol for an enterprise OneDrive account but not for a personal OneDrive account.

Video Tutorial How to Install SCCM CB Update Rollup via New Updates and Servicing channel

This is a video tutorial which helps to understand the process of SCCM/ConfigMgr CB Updates and Servicing. Learn how to install SCCM CB 1602 Update Rollup KB 3155482 via the new Updates and Servicing channel. Today, Microsoft released the new Update Rollup KB 3155482 for SCCM CB 1602, and it is already available in my lab setup, as you can see in the video. It is available under “\Administration\Overview\Cloud Services\Updates and Servicing”. There are no features in this update rollup for SCCM 1602!

How to Install SCCM CB 1602 Update Rollup via New Updates and Servicing channel

How to install the rollup? Right-click on the available update and complete the wizard! The update is already downloaded to C:\Program Files\Microsoft Configuration Manager\EasySetupPayload\59bca34e-df87-4041-b9b7-f53395849e81.

Following are the 3 logs which you have to keep watching while installing the hotfix: 1) dmpdownloader.log 2) CMUpdate.log and 3) hman.log.

You can also check the status via the SCCM CB console under “\Monitoring\Overview\Site Servicing Status”. In this video, you can see there was an error in HMAN.log because it was not able to contact the local AD; that is very specific to my lab, and you can safely ignore it 😉 I disabled my internet connection and that resolved the issue of AD connectivity.

As you can see in the video, the update rollup has been installed successfully.

Thank you for watching!