How to Block Windows Devices from Enrolling to Intune

Let’s discuss how to block Windows devices from enrolling to Intune. I have seen a scenario where Intune exclusively manages iOS and Android devices.

Windows devices are managed through SCCM and must be disabled or prevented from enrolling in Intune. We can achieve this with new Intune Enrollment restriction policies. I have a blog post explaining “How to Use Intune Enrollment Restriction Rules”.

This post covers everything you need to know about stopping Windows devices from enrolling in Intune. It explains each step clearly so you can understand it easily. Whether you’re just starting out or want to improve your setup, this post will guide you through keeping your devices out of Intune’s management system.

I tested Windows 10 enrollment to Intune via “Add Work or School Account.” This was tested successfully before restricting Windows 10 devices from the Intune console. Check out the following message after the Windows 10 device is successfully enrolled. More details are in the video below.

How to Restrict Windows 10 Devices from Intune Management

This video provides a step-by-step guide on restricting Windows 10 devices from being managed through Intune. It covers all the necessary details, including the settings and configurations required to ensure proper restriction.

How to Block Windows Devices from Enrolling to Intune – Video 1

Add Work or School Account

“We’ve added your account successfully, and you can now access your organization’s apps and Services. The last step is setting up your new PIN to unlock this device.”

How to Block Windows Devices from Enrolling to Intune – Fig.1

Change the Intune Device Enrollment Policy to Restrict Windows Device

Navigate through the new Azure portal: Microsoft Intune – Device Enrollment – Enrollment restrictions. You will be able to see two Intune enrollment restriction policies: 1. Device Type Restrictions and 2. Device Limit Restrictions. Device Type restriction is where we can restrict Windows (8.1 +) devices from enrolling on Intune.

This policy will prevent Windows 8.1 and later devices from Intune management and restrict Windows 10 device enrollment. Windows 10 mobile devices will also be blocked when we configure this policy.

How to Block Windows Devices from Enrolling to Intune – Fig.2

End-User Experience of Windows 10 Device Restriction

I successfully added a Work or School account to a Windows 10 1703 device. The one change I noticed through the enrollment process is that it didn’t prompt for MFA. After this enrollment, the message I received differed from the one I got above.

“We’ve successfully added your account, and you can access your organization’s apps and Services.” Moreover, the machine was NOT available in the company portal application under the “My Devices” list. So, the device enrollment never failed as I expected. The device was enrolled without any error.

However, the main question is whether this device would be managed via Intune. Did the device receive Intune policies? The answer is in the paragraph below.

How to Block Windows Devices from Enrolling to Intune – Fig.3

Experience on Azure – Intune Portal for Windows 10 Restriction

The Windows 10 enrolled device was NOT listed in Intune – All Devices (Microsoft Azure – Microsoft Intune – Devices – All Devices). However, the device was listed in Azure AD, as shown in the video tutorial.

The Windows 10 device was listed under Azure AD against the user’s devices (Microsoft Azure—Users and groups—All users > Kaith Nair). But, as you can see in the screenshot below, the Windows device is NOT MANAGED by INTUNE.

Hence, the device won’t receive any Intune policies or be managed through Intune. It also won’t have access to corporate mail, SharePoint, OneDrive, and Skype for Business.

NAME | ENABLED/DISABLED | PLATFORM | TRUST TYPE | IS COMPLIANT | MANAGED BY
Windows10_BYOD | Enabled | Windows 10.0.15063.0 | Workplace | None | None
How to Block Windows Devices from Enrolling to Intune – Table 1
How to Block Windows Devices from Enrolling to Intune – Fig.4
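
The state shown in Table 1 (a Windows device present in Azure AD with no management authority) can be checked for in bulk. The following is an added example, not part of the original post: the property names follow the Microsoft Graph device resource, the function name is hypothetical, and the sample records are constructed (only Windows10_BYOD mirrors Table 1).

```powershell
# Added example (not from the original post).
# Flags Windows devices that exist in Azure AD but are not managed by any MDM.

function Find-UnmanagedWindowsDevice {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Device
    )
    process {
        # Only Windows devices are in scope of the "block Windows" enrollment restriction.
        if ($Device.OperatingSystem -notlike 'Windows*') { return }

        # IsManaged is $null or $false when no MDM authority owns the device.
        if ([bool]$Device.IsManaged) { return }

        [pscustomobject]@{
            Name        = $Device.DisplayName
            Enabled     = [bool]$Device.AccountEnabled
            OSVersion   = $Device.OperatingSystemVersion
            TrustType   = $Device.TrustType
            IsCompliant = [bool]$Device.IsCompliant
            Finding     = if ($Device.TrustType -eq 'Workplace') {
                'Registered (Add Work or School Account), not managed'
            } else {
                'Joined to the directory, not managed'
            }
        }
    }
}

# Constructed sample records. The first one mirrors the Table 1 row.
$sampleDevices = @(
    [pscustomobject]@{
        DisplayName = 'Windows10_BYOD'; AccountEnabled = $true
        OperatingSystem = 'Windows'; OperatingSystemVersion = '10.0.15063.0'
        TrustType = 'Workplace'; IsManaged = $null; IsCompliant = $null
    }
    [pscustomobject]@{
        DisplayName = 'SAMPLE-MANAGED-PC'; AccountEnabled = $true
        OperatingSystem = 'Windows'; OperatingSystemVersion = '10.0.15063.0'
        TrustType = 'AzureAd'; IsManaged = $true; IsCompliant = $true
    }
    [pscustomobject]@{
        DisplayName = 'SAMPLE-IPHONE'; AccountEnabled = $true
        OperatingSystem = 'iOS'; OperatingSystemVersion = '10.3.2'
        TrustType = 'Workplace'; IsManaged = $true; IsCompliant = $true
    }
)

# Only Windows10_BYOD is reported.
$sampleDevices | Find-UnmanagedWindowsDevice | Format-Table -AutoSize

# Against a live tenant with the Microsoft Graph PowerShell SDK:
#   Connect-MgGraph -Scopes 'Device.Read.All'
#   Get-MgDevice -All | Find-UnmanagedWindowsDevice
```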

References

  • Set Intune enrollment restrictions policies
  • How to configure device restriction settings in Microsoft Intune

Author

Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

Feature Comparison Video SCCM ConfigMgr CB 1702 VS 1706

Let’s discuss the Feature Comparison Video SCCM ConfigMgr CB 1702 VS 1706. I continue to produce comparison videos with every production release of SCCM CB.

This post helps you go through the “Feature Comparison Video SCCM ConfigMgr CB 1702 VS 1706.” The previous week was busy because of the SCCM CB preview and production version release.

Being on a business trip didn’t stop me from upgrading my LAB environment to the SCCM CB 1706 production version. In this post, you will find all the details of the Feature Comparison Video between SCCM ConfigMgr CB 1702 and 1706.

The post provides a look at the differences and improvements between the two versions, helping you understand what has changed and how the updates can benefit your system management.

Feature Comparison Video SCCM ConfigMgr CB 1702 VS 1706

In the comparison video tutorial, we see the SCCM console GUI changes. What are the new nodes added to the 1706 console? We also see some deep dives into new features, tools, and settings introduced in the SCCM CB 1706 version.

Console | SCCM CB 1706
Version | 1706
Console version | 5:00.8540.1300
Site Version | 5.0.8540.1000
Feature Comparison Video SCCM ConfigMgr CB 1702 VS 1706 – Table 1
  • Console – SCCM CB 1706 = Version 1706
  • Console version: 5:00.8540.1300
  • Site Version: 5.0.8540.1000
Feature Comparison Video SCCM ConfigMgr CB 1702 VS 1706 – Fig.1

Feature Comparison Video SCCM ConfigMgr CB 1702 VS 1706

There are 24 features in SCCM CB 1706, whereas there are only 21 in 1702. Three new features were added in the SCCM CB 1706 production release. The important point to note here is that some pre-release features are still not ready for production release.

These are Cloud Management Gateway, Server Groups, TS Pre-Caching Device Guard, and Client Peer Cache, which are still in pre-release.

The new features introduced in SCCM CB 1706 are Create and Run Scripts, Surface Driver Updates, and PFX Create.

Feature Comparison Video SCCM ConfigMgr CB 1702 VS 1706 – Fig.2

Compare the New Tools and Features of SCCM CB 1706

Client Peer Cache support for express installation files for Windows 10 and Office 365.  There are improvements for SQL Server Always On Availability Groups.

The Update Reset tool is released with the SCCM CB 1706 production version. The CMUpdateReset.exe tool helps to fix issues when in-console updates have problems downloading or replicating content to primary servers.

The SCCM CB 1706 production release includes improvements for software update points working with boundary groups.

Feature Comparison Video SCCM ConfigMgr CB 1702 VS 1706 – Fig.3

The integration of SCCM and Azure AD (AAD) has been improved. These improvements streamline how you configure the Azure services you use with SCCM and help you manage clients and users who authenticate through Azure AD.

There are some new Compliance Settings (Configuration Items) for Windows 10 Intune-managed clients. The updated/improved categories are Password, Device, Store, and Microsoft Edge.

For Android for Work configuration items, the descriptions of the “Allow data sharing between work and personal profile” settings have been updated.

NEW Compliance Policy Rules in SCCM CB 1706 Production Version

The following are very important compliance policies available in the SCCM CB 1706 version. Required Password Type—Either Alphanumeric or Numeric is supported for Windows phones, Windows devices, and iOS.

The Block USB debugging on Devices, Block apps from unknown sources, and Require threat scan on apps compliance policies are supported for Android devices.

Feature Comparison Video SCCM ConfigMgr CB 1702 VS 1706 – Fig.4

New Additions in Application Management – SCCM CB 1706

We can deploy PowerShell Scripts from the SCCM CB 1706 console. Run scripts on collections of Windows client PCs and on-premises managed Windows PCs. The script runs in nearly REAL TIME on client devices.

NEW MAM Policy setting in SCCM CB 1706 – Block Screen Capture (only for Android), Disable contact sync, and Disable printing.  Software Updates – Manage Microsoft Surface driver updates, which is ONLY possible when your SUPs are on SERVER 2016.

SCCM CB 1706 Security Improvement

SCCM CB 1706 can deploy and manage Device Guard policies. Device Guard is a group of Windows 10 features designed to protect PCs against malware and other untrusted software.

References

What’s new in version 1706 of SCCM CB

SCCM ConfigMgr CB 1707 Preview Upgrade Video Tutorial

Let’s discuss the SCCM ConfigMgr CB 1707 Preview Upgrade Video Tutorial. The SCCM/ConfigMgr CB 1707 preview version was released last week. I enjoyed upgrading my SCCM CB 1706 preview version to 1707.

As expected, this was a straightforward process for me. I didn’t see any issues during the upgrade process of SCCM CB 1707. We see the SCCM ConfigMgr CB 1707 Preview Upgrade Video Tutorial in this post.

Preview versions of SCCM CB should NOT be deployed to a production environment. This is similar to the Windows Insiders program, which helps SCCM admins test the new features of SCCM CB.

Before installing this technical preview version, you can review the limitations of the SCCM CB version.

SCCM 1707 Preview Guide Upgrade Process and New Feature Overview

In this video, you will find all the details about the SCCM 1707 Preview Guide Upgrade process and an overview of the new features. The guide will walk you through each step of the upgrade process, ensuring you understand how to implement it smoothly.

SCCM ConfigMgr CB 1707 Preview Upgrade Video Tutorial – Video 1

SCCM ConfigMgr CB 1707 Preview Upgrade Video Tutorial

The screenshot below provides a comprehensive look at the new features introduced in SCCM 1707, helping you make the most of the latest updates and improvements.

SCCM ConfigMgr CB 1707 Preview Upgrade Video Tutorial – Fig.1

What are the New Features Introduced in the SCCM CB 1707 Preview?

My favorite features of the SCCM CB 1707 preview version are Windows Defender application guard policies for Windows 10 RS3 and PowerShell Script parameter investments.

  • Client Peer Cache support for express installation files for Windows 10 and Office 365
  • Surface Device dashboard
  • Percent of Surfaces
  • Percent of Surface models
  • Top five operating system versions
  • Configure and deploy Windows Defender Application Guard policies for Windows 10 RS3
  • Add parameters when you deploy PowerShell scripts

Known Issues with SCCM CB 1707 Upgrade

The SCCM CB 1707 upgrade process has not changed much. It’s the same as the previous SCCM CB preview upgrades. New features have been introduced in this preview version. There are some known issues with an upgrade when you install a passive primary server.

The issue is only applicable to SCCM environments that ran 1706 TP and used the site server always-on feature, which means a passive site server was configured.

SCCM Upgrade Guide Updates and Servicing Configuration Manager

Let’s discuss the SCCM Upgrade Guide Updates and Servicing Configuration Manager. Microsoft SCCM team released the production version of SCCM 1706. The SCCM 1706 updates are available as an in-console update for previously installed sites that run SCCM CB versions 1606, 1610, or 1702.

In this post, we see the SCCM 1706 in-place upgrade video tutorial and the secret behind the success of SCCM CB Updates and Servicing. The SCCM 1706 upgrade step-by-step video guide is here. This provides more details about the replication, pre-requisite checks, SCCM CB 1702 to 1706 upgrade process, how to enable pre-released Features, etc.

Also, I have another post, “Feature Comparison Video SCCM ConfigMgr CB 1702 VS 1706,” – (published later this week).

The secret is the continuous improvements that Microsoft SCCM PG (Product Group) implemented in SCCM CB. There are loads of things involved in a constant improvement story.

Step by Step Guide Upgrade Process of SCCM CB 1702 to 1706

In this video, you will learn everything you need about upgrading the SCCM Current Branch from version 1702 to 1706. The guide breaks down the process into easy-to-follow steps. You’ll get clear instructions on preparing for the upgrade, running the upgrade, and verifying the upgrade’s success.

SCCM Upgrade Guide Updates and Servicing Configuration Manager – Video 1

What is the Secret of the SCCM Updates and Servicing Model?

This post will examine prerequisite checks during the console update and servicing process. SCCM PG uses feedback and telemetry data to improve prerequisite checks.

SCCM Upgrade Guide Updates and Servicing Configuration Manager – Fig.1

Why are the Prerequisite Checks Important in the Updates & Servicing Model?

Prerequisite checks are essential parts of the SCCM CB updates and servicing framework. Do you know how many prerequisite checks there are in this framework? SCCM CB Updates and Servicing has a prerequisite checker that validates whether the entire SCCM CB infra is ready for an in-place upgrade. Hence, it can ensure a 99% success rate for the upgrade.

The release of SCCM CB 1706 includes 62 prerequisite checks. I never knew that the SCCM CB upgrade process involves 62 reviews to ensure that everything is OK before starting the upgrade.

I have listed all the checks included in the production version of SCCM CB 1706. The prerequisite checks cover CAS, Primary servers, and remote site systems servers.

They also include SQL version, Collation settings, and Replication link verification. The SCCM CB prerequisite checks also cover configurations that are unsupported in an SCCM CB environment (NAP, System Health Validation Point).

List of SCCM 1706 Prerequisites

Let’s discuss the list of SCCM 1706 Prerequisites. The list below helps you understand the SCCM Prerequisites.

  • Upgrade Assessment Toolkit is no longer supported
  • Administrative rights on site system
  • Administrative rights on the central administration site
  • Connection to SQL server on CAS
  • Check Server Service is Running
  • Domain Membership
  • Active Directory Domain Functional Level Checks
  • Free Disk space on site server
  • Pending System Restart
  • Read-Only Domain Controller
  • Site Server FQDN Length
  • Microsoft XML Core Services 6.0(MSXML6.0)
  • Windows Server 2003-based schannel hotfix
  • Microsoft Remote Differential Compression (RDC) library is registered on the computer specified for SCCM site server installation.
  • Microsoft Windows Installer
  • Existing SCCM server component installed on target site server
  • Firewall Exceptions for SQL Server
  • Firewall Exception for SQL server (Standalone primary)
  • SQL server service running account
  • Dedicated SQL Server Instance
  • Parent/Child database collation
  • Minimum .NET Framework version for SCCM
  • Windows Deployment Tools Installed
  • User State Migration Tool (USMT) installed
  • Primary FQDN
  • Site Code in Use
  • Verify CAS version
  • Required SQL Server Collation
  • Backlogged Inboxes
  • DP package version
  • SQL Server Database collation
  • Share Name in Package
  • Software Update Point in NLB configuration
  • Migration active source hierarchy
  • Unsupported upgrade path
  • Active Replica MP
  • Parent Site replication status
  • Unsupported site system role “Out of band service point.”
  • The System health Validation point site system role is NO longer supported
  • Network Access Protection (NAP) is no longer supported
  • Verify Database Consistency
  • SQL Server Sysadmin rights
  • SQL server admin rights for reference site
  • Site Server computer account administrative rights
  • SQL Server Version
  • SQL Server Edition
  • SQL Server TCP port
  • Case-insensitive collation on SQL server
  • Validate FQDN of SQL server computer
  • Windows Failover Cluster
  • Windows PE Installed
  • SMS Provider machine has the same domain as the site server
  • Custom Client Agent Settings have NAP enabled
  • Default Client Agent Settings have NAP enabled
  • SQL Availability group configured for the readable secondary server
  • SQL Availability group configured for manual failover
  • SQL Availability group configured on the default instance
  • SQL Index Create Memory option
  • SQL Server Supported version
  • Unsupported site server operating system version for setup
  • Unsupported Operating System version for Site System Role
  • SUP using a Load Balancer(NLB/HLB)is no longer supported

Security Compliance Manager SCM Installation Video Configuration Manager

Let’s discuss the Security Compliance Manager SCM Installation Video Configuration Manager. Security Compliance Manager (SCM) provides security baseline management for organizations.

In this post, we will see the Security Compliance Manager Installation Video Guide. SCM helps accelerate your organization’s ability to manage the security and compliance process efficiently.

SCM is mainly used to set up security and compliance baselines for Microsoft technologies. It includes support for Server Operating Systems, Client Operating Systems, IE, Office, Exchange, and Microsoft MCS USGCB (United States Government Configuration Baseline). The Security Compliance Manager Installation Video helps to install and configure SCM v4.

SCM 4.0 supports Windows 10 and Server 2016 baselines and bug fixes. SCM enables you to quickly configure and manage computers and your private cloud using Group Policy and SCCM.

Microsoft Visual C++ 2010 Redistributable, .NET Framework 3.5, and SQL Server 2008 Express are installed during SCM installation. This software is a prerequisite for SCM.

Security Compliance Manager SCM Installation Video Configuration Manager

We need to install .NET Framework 3.5 on Windows 10 machines as it comes with .NET Framework 4.0 version. There is some surprising news about the future of SCM releases from Microsoft at the bottom of this post.

Microsoft Security Compliance Manager Setup | Status
SQL Server Express | Installing
Microsoft Security Compliance Manager | Installing
Security Compliance Manager SCM Installation Video Configuration Manager – Table 1
Security Compliance Manager SCM Installation Video Configuration Manager – Fig.1

SCM V4 Installation and Importing of Default Baselines

The first step after installing SCM is importing all the default baselines to the database. Default baselines are Windows 7, Windows 2012, Exchange, and Internet Explorer.

The Windows 10 and Server 2016 baselines will not be automatically imported to the SCM DB. We must manually import the Windows 10 1607, Server 2016, and Server 2012 R2 baselines to the SCM DB.

Security Compliance Manager SCM Installation Video Configuration Manager – Fig.2

Download Windows 10 1607 Baseline

From the SCM V 4.0 version home page, we can select “Download Microsoft Baseline automatically” to download and import the Windows 10 1607 baseline.

This is explained in the video tutorial. Windows 10 1607 Security compliance baseline contains BitLocker Security, Computer security compliance, Credential guard security, Domain security compliance, and user security compliance.

Security Compliance Manager SCM Installation Video Configuration Manager – Fig.3

Define Security Policy for your Organization

Windows 10 1607 domain security compliance 1.0 has many critical severity settings. This page of SCM shows us the default values of Windows 10 1607 and gives us Microsoft’s recommended value for each security setting. This baseline has two setting groups: account lock and password attributes.

If I take an example of “Password attributes” –> Minimum Password age, there are three values: 1. Default, 2. Microsoft, and 3. Customized. For example, the values of the Microsoft column in the Windows 10 1607 baseline are the ones I would like to implement as security policies for an organization.

Security Compliance Manager SCM Installation Video Configuration Manager – Fig.4

References

Security Compliance Manager (SCM) retired; new tools and procedures

SCCM SCUP 2017 How to Publish 3rd Party App Patches

Let’s discuss the SCCM SCUP 2017 How to Publish 3rd Party App Patches. I have published a post about installing and configuring the SCUP 2017 preview version.

You can have a look at that post before going through this post. More details: SCUP 2017 Preview Installation and Configuration Video Guide.

The SCUP installation process is straightforward. Similar to SCCM, the SCUP console has different workspaces. This post will show how to publish third-party app patches using SCCM SCUP 2017.

The first step is to import a third-party Application Catalog to SCUP 2017. The following are out-of-the-box Partner Software Update Catalogs with the SCUP 2017 preview version.

Adobe Acrobat X, Adobe Acrobat 11, Adobe Reader X, Dell Business Client, Dell Server, Fujitsu PRIMERGY, HP Client, and HPE ProLiant.

SCCM Built-in Third-party Software Update Publishing Feature without SCUP – NO Need for SCUP Anymore

This video provides comprehensive details about the SCCM built-in third-party software update publishing feature, eliminating the need for SCUP. SCCM now offers an easy process for publishing third-party software updates directly within its interface without relying on SCUP anymore.

SCCM SCUP 2017 How to Publish 3rd Party App Patches – Video 1

SCCM SCUP 2017 How to Publish 3rd Party App Patches

We must add third-party products like Adobe, Dell, Fujitsu, and HP to the SCCM SUP products. To do so, navigate through SCCM Settings, Configure Site Components, Software Update Point, Products, and select Adobe Systems, Inc. – Adobe Acrobat.

SCCM SCUP 2017 How to Publish 3rd Party App Patches – Fig.1

SCUP 2017 Publish 3rd Party Apps Updates to SCCM 

We are ready to publish the 3rd party app updates to SCCM. Right-click on all the updates from SCUP and publish them to SCCM CB.

Select the Automatic option while deploying the 3rd party app updates to SCCM. The automatic option is available only when SCCM integration is selected in SCUP.

Click Automatic to allow updates. The publisher will query SCCM to determine whether the selected software updates are published with full content or only metadata.

In this mode, software updates are only published when they meet the client request count and package source size thresholds specified on SCCM. Only the software update definition(metadata) is published if neither threshold is met.

Confirmation
1 Updates were selected for publish
1 Updates were published metadata only
SCCM SCUP 2017 How to Publish 3rd Party App Patches – Table 1
SCCM SCUP 2017 How to Publish 3rd Party App Patches – Fig.2

We also need to Sign all software updates with a new publishing certificate when published software updates have not changed but their certificate has changed.

SCCM Software Update Sync after Publishing 3rd Party Apps

Run an SCCM All Software Updates sync to have the newly added Acrobat 11 and other app product updates in the SCCM console.

We have published one new update from the SCUP console, bringing the total number of third-party updates to five. After the SYNC, SCCM should have five Acrobat updates.

SCCM SCUP 2017 How to Publish 3rd Party App Patches – Fig.3

References

SCCM + SCUP Wiki https://blogs.technet.microsoft.com/jasonlewis/

System Center Updates Publisher June 2017 Preview is now available https://blogs.technet.microsoft.com/enterprisemobility/2017/07/03/system-center-updates-publisher-june-2017-preview-is-now-available/

System Center Updates Publisher https://docs.microsoft.com/en-us/sccm/sum/tools/updates-publisher/ 

SCUP 2017 Preview Installation and Configuration Video Guide

Let’s discuss the SCUP 2017 Preview Installation and Configuration Video Guide. Microsoft recently released the preview version of System Center Updates Publisher (SCUP)2017, which adds support for Windows 10 and Windows Server 2016.

SCUP is a stand-alone tool that enables 3rd party applications (non-Microsoft apps) or LOB application developers to manage custom updates.

SCUP can be integrated with WSUS and SCCM. This post will provide a video guide for SCUP 2017 preview installation and configuration.

More details are in How to Publish 3rd Party Adobe Acrobat Patches via SCCM SCUP 2017. The SCUP installation process is straightforward, as you can see in the video embedded in this post. Similar to SCCM, we have different workspaces in the SCUP console.

SCUP 2017 Preview Installation and Configuration Video Guide – Install SCUP 2017 on Server 2016

Those SCUP workspaces are Updates Workspace, Publications Workspace, Rules Workspace, and Catalogs Workspace. You can navigate to “Update Workspace – Overview” and add updated catalogs from partners like Adobe.

SCUP 2017 Preview Installation and Configuration Video Guide – Fig.1

Import 3rd Party Application Catalog to SCUP 2017

The “Add partner software updates catalogs” option allows us to download/import third-party app catalogs like Adobe Acrobat 11 Updates. This initiates the Acrobat11_Catalog.cab file download. As part of the process, we must also accept the catalog’s security validation from a vendor like Adobe Systems.

Several updates are available in a catalog or cab file, like Acrobat11_Catalog.cab. The Adobe Acrobat 11 update catalog has 20 updates available, such as Acrobat 11.0.18 Update and Acrobat 11.0.20 Update. All these updates are imported to SCUP.

There are options to edit/customize third-party application updates imported into SCUP. The package information tab has all the details about the location from which the actual source file, like AcrobatUpd11001.msp, will be downloaded.

We can also specify the installation command line, etc., for each update. There are several options to customize each update. The following are the main customization options for each update: Package Information, Optional Info, Prerequisite, Supersedence, Applicability, Installed, etc.

SCUP 2017 Preview Installation and Configuration Video Guide – Fig.2

SCUP 2017 Integration with SCCM and WSUS

SCUP can be integrated with WSUS and SCCM. One prerequisite for this integration is SCUP and WSUS (+ SCCM) connectivity. This connectivity is required to publish third-party patch updates to WSUS and then to SCCM.

The SCUP console has a checkbox option to enable publishing updates to an update server (WSUS server). As explained in the above video, you must create a self-signed certificate for WSUS connectivity. A similar option enables configuration manager (SCCM) integration with SCUP 2017.

SCUP 2017 Preview Installation and Configuration Video Guide – Fig.3

The configuration options and workspaces have not changed in the SCUP 2017 preview version (compared with previous versions of SCUP). I recommend installing WSUS and the SUP component from the SCCM console before connecting the SCUP with WSUS. 

As you can see in the screenshot above, the test connection succeeded. However, no signing certificate was detected for the update server. You cannot publish content to the update server without registering a signing certificate.

SCUP 2017 Certificate Export and Import Activities

We need to export the WSUS certificate from MMC and import it to the locations mentioned below. We must also add the signing certificate used for publishing to the following certificate stores on the SCUP and WSUS computers: Trusted Publishers and Trusted Root Certificate Authorities.

  • The settings for this connection are not saved until we click OK on the Options dialog box.
  • The WSUS and SCCM connection tests were successful after the certificates were imported to MMC.
  • Now, we are ready to publish the updates to WSUS. Publish the updates to WSUS and SCCM via SCUP.
SCUP 2017 Preview Installation and Configuration Video Guide – Fig.4
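The certificate step above can be checked from PowerShell on both the SCUP and WSUS computers. This is an added example, not part of the original post: the .cer path and the parameter names are assumptions, and the script only touches the two stores named above.

```powershell
# Added example, not from the original post. Run elevated on the SCUP and WSUS computers.
param(
    [string]$CerPath = 'C:\Temp\WsusPublisher.cer',  # hypothetical path of the .cer exported from MMC
    [string]$ExpectedThumbprint = '',                # thumbprint read from the certificate on the WSUS server
    [switch]$Import                                  # add the certificate where it is missing
)

$path = (Resolve-Path -Path $CerPath -ErrorAction Stop).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $path

# Refuse to trust a file that is not the certificate we exported.
$expected = $ExpectedThumbprint -replace '\s', ''
if ($expected -and $cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint)"
}
if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "Certificate expired on $($cert.NotAfter)"
}

# The two stores named in the post: Trusted Publishers and Trusted Root Certification Authorities.
foreach ($store in 'TrustedPublisher', 'Root') {
    $location = "Cert:\LocalMachine\$store"
    $present  = Test-Path -Path (Join-Path $location $cert.Thumbprint)
    if (-not $present -and $Import) {
        Import-Certificate -FilePath $path -CertStoreLocation $location | Out-Null
        $present = Test-Path -Path (Join-Path $location $cert.Thumbprint)
    }
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Store      = $store
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Expires    = $cert.NotAfter
        Present    = $present
    }
}
```

Export the certificate without its private key; the trust stores only need the public certificate, and every computer that trusts it will accept updates signed with that key.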

Author

Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

Server 2016 Domain Join Error Code 0x0000267C Windows Server Troubleshooting Issues on Domain Join

Let’s discuss the Server 2016 domain join error code 0x0000267C and how to troubleshoot domain join issues on Windows Server. Editing a hosts file can be dangerous, and it can be misleading. This is the first lesson of this post.

We will see how to perform the domain join operation for Server 2016 and how to avoid the Server 2016 domain join error code 0x0000267C. I was not able to join the server to the domain.

I tried using the domain’s NetBIOS name and the complete FQDN, without success. However, I was confident that the DNS server was configured correctly on the newly built server. The troubleshooting and domain join processes are explained in the video here.

The DC server was unreachable from the newly built server because of firewall configurations on the local server. Disabling the firewall on the server resolved the reachability issue.

The Basic Checks We Need to Perform before Joining a Server 2016 to Domain are

  1. Ping DC server with IP
  2. Ping DC server with a short name
  3. Ping DC server with FQDN
  4. Remove the host file entries if there is an entry with the domain name or DC server name.
  5. Check that the required Firewall ports are opened between the member and DC servers.
  6. Check the antivirus software (Symantec/McAfee) is NOT blocking the communication.

How to Domain Join Server 2016 Error Code 0x0000267C

This video provides a comprehensive guide on resolving the Domain Join error code 0x0000267C on Windows Server 2016. This error typically indicates issues with DNS configuration or network connectivity, which are crucial for successfully joining a server to a domain.

Server 2016 Domain Join Error Code 0x0000267C Windows Server Troubleshooting Issues on Domain Join – Video 1

Server 2016 Domain Join Error Code 0x0000267C Windows Server Troubleshooting Issues on Domain Join

I received the following domain join error on the Server 2016 machine:

“An Active Directory Domain Controller (AD DC) for the domain "Intune.com" could not be contacted. Ensure that the domain name is typed correctly. If the name is correct, click details for troubleshooting information.”

I made sure that the domain name was correctly entered.

C:\Windows\Debug\dcdiag.txt is the log file that can provide more details when you have any issues with domain join. I checked the DCDIAG.log file, and it gave more information about the domain join issue.

Server 2016 Domain Join Error Code 0x0000267C Windows Server Troubleshooting Issues on Domain Join – Fig.1

Domain Join Error Details

Let’s discuss the details of the Domain Join Error. The screenshot below will provide more information to help you understand the issue better. This error typically occurs when there are problems with DNS configuration or network connectivity, which are essential for successfully joining a Windows Server 2016 to a domain.

  • The screenshot will highlight the specific error messages and details that can guide us in troubleshooting and effectively resolving the problem.

An error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "intune.com".
The error was: "No DNS servers configured for local system."
(error code 0x0000267C DNS_ERROR_NO_DNS_SERVERS)
The query was for the SRV record for _ldap._tcp.dc._msdcs.intune.com

Server 2016 Domain Join Error NO DNS SERVER

Resolution

The domain name was correctly mentioned during the Server 2016 domain join process. Also, the server can ping the domain and DC. However, when I checked the hosts file of the local 2016 server, I found some domain name mapping entries. I deleted those entries from the hosts file.

Also, I checked the IPCONFIG information on the server and noticed that the DNS server IP was not configured. Rather, it was configured as a gateway device IP. I removed the gateway IP and correctly configured the DNS server IP in the IPCONFIG utility.
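The basic checks listed earlier and the two causes found in this resolution (hosts file entries and a wrong DNS server IP) can be scripted as one pre-join check. This is an added example, not part of the original post; the port list is an assumption (commonly required TCP ports between a member server and a DC), and the domain name is the one used in the post.

```powershell
# Added example, not from the original post. Run on the server that fails to join.
param(
    [string]$Domain = 'intune.com',        # domain name used in the post
    [int[]]$Ports   = @(88, 135, 389, 445) # Kerberos, RPC, LDAP, SMB over TCP (assumed list)
)

# 1. Which DNS servers is this machine actually using?
$gateways = @(Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    ForEach-Object { $_.NextHop })
$dnsServers = @(Get-DnsClientServerAddress -AddressFamily IPv4 |
    ForEach-Object { $_.ServerAddresses } | Select-Object -Unique)
if (-not $dnsServers) { Write-Warning 'No IPv4 DNS server is configured (consistent with error 0x0000267C).' }
foreach ($dns in $dnsServers) {
    if ($gateways -contains $dns) {
        Write-Warning "DNS server $dns is also the default gateway; confirm it can resolve AD records."
    }
}

# 2. Hosts file entries that mention the domain override DNS and hide the real problem.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -Path $hostsFile |
    Where-Object { $_ -notmatch '^\s*(#|$)' -and $_ -match [regex]::Escape($Domain) } |
    ForEach-Object { Write-Warning "hosts entry to review: $_" }

# 3. The SRV query from the error text; the join fails if this lookup fails.
$srvName = "_ldap._tcp.dc._msdcs.$Domain"
try {
    $dcs = @(Resolve-DnsName -Name $srvName -Type SRV -DnsOnly -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' })
} catch {
    Write-Warning "SRV lookup for $srvName failed: $($_.Exception.Message)"
    $dcs = @()
}

# 4. TCP reachability of each domain controller returned by DNS.
foreach ($dc in $dcs) {
    foreach ($port in $Ports) {
        $t = Test-NetConnection -ComputerName $dc.NameTarget -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ DC = $dc.NameTarget; Port = $port; Reachable = $t.TcpTestSucceeded }
    }
}
```

A successful ping with a hosts file entry in place proves nothing about DNS, which is why step 3 queries the SRV record directly instead of relying on name resolution of the DC.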

Author

Anoop C Nair is a Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.