Microsoft Azure Active Directory (Azure AD) and Microsoft Intune bring the power of the intelligent cloud to Windows 10 device management, including management capabilities for BitLocker. Some of these capabilities work on Windows 10 Pro, while other capabilities require Windows 10 Enterprise or Education editions.
The first step to managing BitLocker using Microsoft Intune is to visit the new Microsoft Endpoint Manager admin center. Select Endpoint security > Disk encryption, and then Create policy. Enter in the Platform and Profile indicated in the screen capture below, and then select Create.
Next, enter the basics, such as the name of the policy and an optional description,
Then move on to Configuration settings. Notice you can search for a specific setting, like “fixed drive policy,” or you can scroll through the settings.
Also notice the options offered for key rotation.
This setting, which requires Windows 10, version 1909 or later, will change the recovery key when the recovery key is used to unlock a drive.
Important notice!!
As you enable settings, additional settings may appear. For example, Enabling Fixed drive encryption expands more options: Recovery key file creation and Configure BitLocker recovery key package.
Finally, add Scope tags (optional), assign the new policy to specific groups of users or devices, and select Create.
The settings that can be configured here include:
BitLocker – Base Settings
Enable full disk encryption for OS and fixed data drives
Require storage cards to be encrypted (mobile only)
When integrating your Windows 10 devices into Microsoft Endpoint Manager, you may encounter policy conflicts where the same setting is configured both on-premises via GPO and Intune. When this happens it can be a complete nightmare, so in this post I will show you how to identify GPOS not supported by MDM.
When integrating your Windows 10 devices into Microsoft Endpoint Manager, you may encounter policy conflicts where the same setting is configured both on-premises via GPO and Intune. When this happens it can be a complete nightmare, so in this post I will show you how to configure Microsoft Endpoint Manager so that your MDM policies rein over GPO.
Lets get to it and launch Microsoft Endpoint Manager dashboard –> Go to Devices –> Configuration Profile –> Create Profile
Platform – Windows 10 and later Profile – Custom
Click Create
Click Add and enter the below
Name: ConflictPolicyConflict Description: Enter value if required OMA-URI: ./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP Data type: Integer Value: 1
Click Save –> Press Next
If you are using Scope Tags – Define your tags and Press Next
Define your selected groups of machines for the profile and Press Next
Define applicability rules if in use and Press Next
Press Create
This will now force MDM Policies to win over Group Policies assigned to a Windows 10 device.
There is a registry key that decreases the delay for end-users to see their administratively assigned libraries via the OneDrive sync client.
Important Note
The purpose of this Proactive Remediation profile is so that the reg key is set everytime a user reboots the client device. As this key is removed at reboot. Proactive Remediation is a solution that detects if this registry key exists and if not, create it, on a recurring schedule.
So lets get creating the Proactive Remediation profile
First of all, we need to create Configuration Profile within Microsoft Endpoint Manager, you’ll need to gather the SharePoint document library ID or ID), for all the locations you would like to publish to your Windows 10 Devices. In this blog I am going to publish the Blogabout Cloud Library to all my devices.
A window will now appear, (if you receive any prompts to open OneDrive ignore it), click Copy library ID, keep this handy.
Creating the Configuration Profile
In order to apply the configuration to your Windows 10 devices that are enrolled into Microsoft Endpoint Manager. Launch Microsoft Endpoint Manager go to Devices –> Configuration Profiles –> Create Profile
Select Windows 10 and Administrative Templates
Press Next
Provide a Name for the profile and brief description as shown below
Under Computer Configuration and OneDrive, look for the setting Configure team site libraries to sync automatically
Click Enable Enter the name you would like to be displayed and the Library ID as shown below
I am now going to recommend a number of other Microsoft OneDrive settings
Setting
Configuration
Silently sign in users to the OneDrive sync app with their Windows credentials
Enabled
Silently move Windows known folders to OneDrive
Enabled
Use OneDrive Files On-Demand
Enabled
Require user to confirm large delete operations
Enabled
Convert synced team site files to online-only files
Enabled
That completes the Configuration Profile setup, deploy this to your test users before deploying to production.
In my next post I am going to be looking leverage Proactive Remediation to decrease the synchronization time of assigned libraries to the Windows 10 device. The Microsoft default is 8 hours before the assigned libraries are published.
I have been recently important ADMX templates and been generating potential errors that IT Administrators may encounter. This post is one of the errors you may receive if you don’t configure the Custom Profile correctly.
So as you can see from below I am receiving an Error Code 0x87d10190, the cause of this error is due to the string being incorrect.
When typing, copying or pasting in the string for the ADMX template you need to ensure you copy everything. Making sure there is no additional characters or spaces in the string. In my case, I missed a full stop at the start of the string as shown below.
Once adding in the full stop, the profile was successfully applied to the targeted devices.
As a big adovcate of PowerShell Scripts in Microsoft Endpoint Manager, I definitely welcome the recent changes which Microsoft have implemented. This will have some positive effects on most organisations but maybe not as welcomed by others and heres why?
In my experience some organisations like to leverage PowerShell to modify applications that have been installed using Win32 apps. An example I have experience within this space is Java ( Oh the horror ). This organisation still required a fat install of java to run a legacy application and Java was inserted using GPO with reg hive modified to prevent the regular and annoying pop up for updates.
So to address this we installed Java via W32 apps and used a PowerShell script from Microsoft Endpoint Manager to modify the key.
What you will probably need to do is allow your script to fail. Once the script has failed, the Win32 apps will then be installed, and If the script fails, the Intune management extension agent retries the script three times for the next three consecutive Intune management extension agent check-in. The check in period is every 60 minutes so in that time you should have succesfully installed all Win32 apps.
Here is the new channges for PowerShell scripts.
PowerShell scripts execute before apps, and time out reduced
There are some updates to PowerShell scripts:
Microsoft Intune management extension execution flow is reverted back to processing PowerShell scripts first, and then running Win32 apps.
To resolve an Enrollment Status Page (ESP) time out issue, PowerShell scripts time out after 30 minutes. Previously, they timed out after 60 minutes.
Sometimes you may come across special cases where either your customer or your own organisation might need to implement a solution which increases your security footprint. This post is no different and inspired from the MS-100 exam which I have recently taken and passed.
During the lab question I was asked how you would implement MFA for end user who want to enroll Windows 10 devices. So lets get to it…
Provide your policy a “Name” Select the user(s) or group(s) you want to apply the policy to Click Cloud apps and actions – Click Select Apps and search then select Microsoft Intune Enrollment.
Under Grant – Select Require multi-factor authentication
Select on to enable the policy
Heres the process I had to go through to join a Windows 10 device to my tenant with MFA.
In the below screenshot is a configuration setting I have in my tenant for defining if devices are Corporate or Personally owned
All my corporate apps are now available for install.
In this part we will go through the complete installation of SQL 2017 and configure SQL before installing SCCM Current Branch 1806 or higher.
Important Info
If you are planning on installing an older version of SQL, please follow our previous post here
Click the following link to see all supported SQL versions. For this post, I am going to install SQL 2017 on a separate server. (DB01)
Execute Setup.exe from the SQL installation media, select New SQL server stand-alone installation
Provide the product key and click Next
Review and Click Next
Check Use Microsoft Update to check for updates and click Next
Select SQL Server Feature Installation
Please Note
Some steps following steps in the wizard are automatically skipped where no action is required. For example, Products Updates, Install setup Files and Install Rules might be skipped.
Select the Database Engine feature and specify the SQL installation directory. This is the directory for the program files and shared features
Select Default instance and ensure that your instance is created on the SQL Volume
Set all services to run as the SQL Server Account that you created previously and set the services startup type to Automatic
On the Collation tab, set the Database Engine to use SQL_Latin1_General_CP1_CI_AS
In the Server Configuration tab, set the authentication mode to Windows Authentication and in the SQL Server Administrators add your SCCM Admins group
In the Data Directories tab set your drive letters correctly for your SQL databases, Logs, TempDB, and backup
On the TempDB, complete the various information based on the Database sizing section below.
Click Install
Complete the installation by clicking Close
Install SQL Server Management Studio (SSMS)
Back in the SQL Server Installation Center, click on Install SQL Server Management tools.
This will redirect you to the Download page of SQL Server Management Studio. SSMS is no longer tied to the SQL server installation in terms of version.
Adjust the installation path if need, then click Install
Install SQL Reporting Services
Back in the SQL Server Installation Center, click on Install SQL Reporting Services.
The SQL reporting services is just like the Management console, it requires a
Click on Install Reporting Services
Provide the Product key
Accept License terms
Click Next
Select the installation path, click Install
A reboot is required after the installation
Apply SQL 2017 CU22 or higher
At the time of this writing, the latest SQL Cumulative Update is CU22. We will install it in order to have an updated SQL Installation. Note that CU2 is the minimum requirement
Download and execute SQL 2017 CU22 Accept the license terms and click Next
Leave default values, click Next
Wait for Check File in Use and click Next
Click Update
Update completed, might require a reboot
SPN Creation
When you configure SQL Server to use the local system account, a Service Principal Name (SPN) for the account is automatically created in Active Directory Domain Services. When the local system account is not in use, you must manually register the SPN for the SQL Server service account.
Since we are using a domain account, we must run the Setspn tool on a computer that resides in the domain of the SQL Server. It must use Domain Administrator credentials to run.
Run both commands to create the SPN, Change the server name and account name in each commands.
setspn -A MSSQLSvc/db01:1433 officec2r\svc.sql
setspn -A MSSQLSvc/db01.officec2r.com:1433 officec2r\svc.sql
To verify the domain user SPN is correctly registered, use the Setspn -L command
setspn –L officec2r\svc.sql
SQL Configuration
SCCM setup verifies that SQL Server reserves a minimum of 8 GB of memory for the primary site. To avoid, the warning, we’ll set the SQL Server memory limits to 8GB-12GB (80% of available RAM). Open SQL Server Management Studio
Right click the top SQL Server instance node
Select Properties
In the Memory tab define a limit for the minimum and maximum server memory. Configure and limit the memory to 80% of your server available RAM. In my case I have 16GB available.
Minimum 8192
Maximum 12288
SQL Communications
To ensure proper SQL communication, verify that settings are set accordingly in SQL Network configurationOpen SQL Server Configuration Manager
Go to SQL Server Network Configuration / Protocols forSCCM
On the Right Pane, right-click TCP/IP and select Properties
In the Protocol tab
Enable: YES
Listen All : NO
In the IP Addresses tab
IP1 (which should have your Server IP)
Active : YES
Enabled : YES
All other IP and IP ALL
Active : YES
Enabled : NO
TCP Dynamic Ports : Blank value
TCP Port : 1433
Once the modification has been made, restart the SQL Server Service.
The server is now ready for the SCCM installation. We will now run the prerequisite checker and proceed to the complete SCCM Installation. We will install a stand-alone Primary site.
Disks IOs are the most important aspect of SCCM performance. We recommend configuring the disks following SQL Best practice. Split the load on a different drives. When formatting SQL drives, the cluster size (block size) in NTFS must be 64KB instead of the default 4K. See the previously recommended reading to achieve this.
Letter
Content
Size
C:\
Windows
100GB
D:\
SCCM
200GB
E:\
SQL Database (64K)
40GB
F:\
SQL TempDB (64K)
40GB
G:\
SQL Transaction Logs (64K) SQL TempDB Logs
40GB
Showing 1 to 5 of 5 entries
Primary Site server prerequisites
Once your hardware is carefully planned, we can now prepare our environment and server before SCCM Installation.
Active Directory schema extension
You need to extend the Active Directory Schema only if you didn’t have a previous installation of SCCM in your domain. If you have SCCM 2007 already installed and planing a migration, skip this step.
Logon to a server with an account that is a member of Schema Admins security group
From SCCM ISO run .\SMSSETUP\BIN\X64\extadsch.exe
Check schema extension result, open Extadsch.log located in the root of the system drive
Create the System Management Container
Configuration Manager does not automatically create the System Management container in Active Directory Domain Services when the schema is extended. The container must be created one time for each domain that includes a Configuration Manager primary site server or secondary site server that publishes site information to Active Directory Domain Services
Start ADSIEdit, go to the System container and create a new Object
Select Container
Enter System Management
Set security permission
Open properties of the container System Management created previously
In the Security tab, add the site server computer account and Grant the Full Control permissions
Click Advanced, select the site server’s computer account, and then click Edit
In the Applies to list, select This object and all descendant objects
Click OK and close the ADSIEdit console
SCCM Accounts
Create the necessary accounts and groups created before installation. You can use a different name but I’ll refer to these names throughout the guide.
Server Account / GroupName
Description
svc.sql
SQL Server Services Account
svc.sccmnaa
SCCM Network Access Account
svc.sccmcp
Domain account for SCCM client push install
svc.sqlrep
Domain account for use with reporting services User
svc.sccmdj
Domain account used to join machine to the domain during OSD
SCCM Admins Group
Domain group containing all SCCM Admins Group
SCCM Site Servers
Domain group containing all SCCM servers in the hierarchy Group
When creating these services accounts I use a push script utilizing a CSV file. You CSV file will need to contain the following heading;
Then use the script below
Function Create-BulkADUsers {
# Import active directory module for running AD cmdlets
Import-Module activedirectory
#Store the data from ADUsers.csv in the $ADUsers variable
$ADUsers = Import-csv C:\_build\bulk_users.csv
#Loop through each row containing user details in the CSV file
foreach ($User in $ADUsers)
{
#Read user data from each field in each row and assign the data to a variable as below
$Username = $User.username
$Password = $User.password
$Firstname = $User.firstname
$Lastname = $User.lastname
$OU = $User.ou #This field refers to the OU the user account is to be created in
$email = $User.email
$streetaddress = $User.streetaddress
$city = $User.city
$zipcode = $User.zipcode
$state = $User.state
$country = $User.country
$telephone = $User.telephone
$jobtitle = $User.jobtitle
$company = $User.company
$department = $User.department
$Password = $User.Password
#Check to see if the user already exists in AD
if (Get-ADUser -F {SamAccountName -eq $Username})
{
#If user does exist, give a warning
Write-Warning "A user account with username $Username already exist in Active Directory."
}
else
{
#User does not exist then proceed to create the new user account
#Account will be created in the OU provided by the $OU variable read from the CSV file
New-ADUser `
-SamAccountName $Username `
-UserPrincipalName "$Username@officec2r.com" `
-Name "$Firstname $Lastname" `
-GivenName $Firstname `
-Surname $Lastname `
-Enabled $True `
-DisplayName "$Lastname, $Firstname" `
-Path $OU `
-City $city `
-Company $company `
-State $state `
-StreetAddress $streetaddress `
-OfficePhone $telephone `
-EmailAddress $email `
-Title $jobtitle `
-Department $department `
-AccountPassword (convertto-securestring $Password -AsPlainText -Force) -ChangePasswordAtLogon $True
}
}
Write-Host "Info: User Accounts created" -ForegroundColor Green
For the required groups I use the following PowerShell cmdlet
New-ADGroup -Name "RODC Admins" -SamAccountName RODCAdmins -GroupCategory Security -GroupScope Global -DisplayName "RODC Administrators" -Path "CN=Users,DC=Fabrikam,DC=Com" -Description "Members of this group are RODC Administrators"
Network Configuration
Make sure that the server has a static IP as this is critical for the success of this deployment.
Firewall Configuration
If your Firewall is configured then you will need to run this script in an elevated command prompt order to open the necessary ports needed for SCCM.
Please Note: This script is designed based on using the default ports, if you are using custom ports. Change the values before running the script.
To prevent SCCM from placing content on hard disks where you don’t wish for it to be held. Place a file name no_sms_on_drive.sms on the root drive.
Windows Server Features
On the Primary site server, the following components must be installed before SCCM installation. We’ll install all these components using a PowerShell script.
.Net Framework 3.51 SP1
.Net Framework 4
IIS
Remote Differential Compression
BITS Server Extension
WSUS 3.0 SP2
Report Viewer
ADK for Windows 8.1
Roles and features
On the Site Sever computer, open a PowerShell command prompt as an administrator and type the following commands. This will install the required features without having to use the Windows Server GUI.
Ensure that all components are showing as SUCCESS as an EXIT Code. It’s normal to have Windows Update warnings at this point.
Report Viewer
You will now require the Report Viewer, please download and install – here
ADK for Windows 10
You will now require the ADK for Windows 10, please download and install – here
Select the default path
Select No and Press Next
Click Accept the License Agreement
Select – Deployment Tools – Windows Pre-Installation Environmet – User State Migration ToolInstall the following components
Press Install
Active Directory
Add the computer account of all your site servers in the SVC.SCCMSS AD group
Ensure that the group has Full Control on the SYSTEM Container in Active Directory
Local Admin accounts
Add both SCCM computer account and the SCCM Admin account to the local administrator group on the site server.
SCCM-Admins
SCCM-SiteServers
SCCM Client
If applicable, uninstall SCCM 2007 client and FEP if present on the server before the installation. If the client is present, the 2012 SCCM Management Point installation will fail.
Windows Updates
Run windows update and patch your server to the highest level
In part 2 we will look at the installation process for SQL Server.
