Wednesday, 28 December 2016

Recover a ConfigMgr Current Branch site - my ramblings

System Center Configuration Manager landing page

I have some time off this week so I'm getting through some of the jobs that I've been putting on the long finger for a while. One of those jobs is to move my ConfigMgr lab to new hardware. I could've just copied the VHDX files and created new VMs but where is the fun in that? I haven't had to recover a ConfigMgr Current Branch site yet so I thought that this would be a good opportunity to test the process before I have to do it in production. Note that I will be recovering ConfigMgr Current Branch 1610 (standalone Primary Site).

I previously blogged about the new backup requirements for ConfigMgr Current Branch. You can read that blog post here. Essentially you must ensure that you back up the CD.Latest folder. This folder contains the installation files required to recover in case of a disaster, and its contents change every time you upgrade. In order to recover a site you must have a copy of these installation files and the version MUST match the version of the site contained in the backup. During this process I will deliberately use the wrong installation files first to see what happens.

Backup best practice.

First I'd like to offer a little advice on backup best practice for ConfigMgr Current Branch (or ConfigMgr in general). The product includes a maintenance task which backs up the files required to recover a site (this includes the CD.Latest folder). However this isn't the recommended approach among serious ConfigMgr admins. It is recommended to use a SQL maintenance plan instead. You have a little bit more work to do to make sure that you include everything, as the CD.Latest folder is not automatically included by a SQL backup. Steve Thompson has a great blog on this here.

Some of the considerations in a production environment are as follows:
  • SQL backup compresses the files rather than just copying them
  • SQL backup includes retention periods and data integrity checks
  • SQL backup allows you to select other databases like ReportServer and SUSDB
  • SQL backup does not require any interruption to ConfigMgr services
  • SQL backups allow you to configure email notifications
  • SQL backup allows more scheduling control
Remember also that there are a number of additional items that should be backed up to assist in recovery in case of a disaster, for example:
  • Make a note of the current SQL server version (very important)
  • Content library
  • Source files
  • SSRS
OK, so I've spent some time going on about why SQL backup is better. However I didn't use it for this job. I used the trusty maintenance task as it's only my lab and just a once-off job. I also didn't bother with the additional items. I just copied what I wanted to retain.
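The "make a note of the SQL version" and "keep the matching CD.Latest" advice above is easy to skip and painful to get wrong, so here is a small script to do it for you. This is an added example (my own code, not from the original post): run it on the old site server while it is still alive to write a recovery manifest, and later point Test-RecoveryMedia at a candidate CD.Latest folder to confirm the build matches the backed-up site before you start the wizard. It assumes the default ConfigMgr registry locations, the site database on the local default SQL instance, and the output path shown; adjust those for your environment.

```powershell
<#
  Added example (not from the original post). Records the ConfigMgr build, the
  CD.Latest location and the SQL Server version/collation into a manifest, and
  can check a candidate CD.Latest folder against that manifest.
  Assumptions: default registry paths, site DB on the local default SQL
  instance, and the manifest path below.
#>
[CmdletBinding()]
param(
    [string]$SqlInstance  = $env:COMPUTERNAME,                      # assumption: local default instance
    [string]$ManifestPath = 'C:\Backup\SiteRecoveryManifest.json'   # assumption: keep it with the backup
)

function Get-CMSetupInfo {
    # Setup holds the installed build and install directory; Identification holds the site code.
    $setup = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\SMS\Setup'
    $ident = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\SMS\Identification'
    $installDir = $setup.'Installation Directory'
    $cdLatest   = Join-Path $installDir 'CD.Latest'
    $setupExe   = Join-Path $cdLatest 'SMSSETUP\BIN\X64\setup.exe'
    $exeVersion = $null
    if (Test-Path -Path $setupExe) { $exeVersion = (Get-Item $setupExe).VersionInfo.ProductVersion }
    [pscustomobject]@{
        SiteCode        = $ident.'Site Code'
        FullVersion     = $setup.'Full Version'      # e.g. 5.00.8458.1000 for 1610
        InstallDir      = $installDir
        CDLatestPath    = $cdLatest
        CDLatestPresent = [bool]$exeVersion         # no setup.exe means CD.Latest is not usable
        SetupExeVersion = $exeVersion
    }
}

function Get-SqlServerInfo {
    param([Parameter(Mandatory)][string]$Instance)
    # Plain ADO.NET so the script does not depend on the SqlServer/SQLPS module.
    $cs   = "Server=$Instance;Database=master;Integrated Security=True"
    $conn = New-Object -TypeName System.Data.SqlClient.SqlConnection -ArgumentList $cs
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = @"
SELECT CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(64))  AS ProductVersion,
       CAST(SERVERPROPERTY('ProductLevel')   AS nvarchar(64))  AS ProductLevel,
       CAST(SERVERPROPERTY('Edition')        AS nvarchar(128)) AS Edition,
       CAST(SERVERPROPERTY('Collation')      AS nvarchar(128)) AS Collation
"@
        $r = $cmd.ExecuteReader()
        if ($r.Read()) {
            [pscustomobject]@{
                Instance       = $Instance
                ProductVersion = $r['ProductVersion']
                ProductLevel   = $r['ProductLevel']
                Edition        = $r['Edition']
                Collation      = $r['Collation']   # ConfigMgr expects SQL_Latin1_General_CP1_CI_AS
            }
        }
    }
    finally { $conn.Close() }
}

function Test-RecoveryMedia {
    # The recovery wizard refuses media whose build number differs from the backed-up
    # site, so compare the build component of setup.exe against the manifest.
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Manifest)
    $m   = Get-Content -Raw -Path $Manifest | ConvertFrom-Json
    $exe = Join-Path $Path 'SMSSETUP\BIN\X64\setup.exe'
    if (-not (Test-Path $exe)) { throw "No setup.exe under $Path; is this really a CD.Latest folder?" }
    $media = [version](Get-Item $exe).VersionInfo.ProductVersion
    $site  = [version]$m.ConfigMgr.FullVersion
    [pscustomobject]@{
        MediaBuild = $media.Build
        SiteBuild  = $site.Build
        Match      = ($media.Build -eq $site.Build)
    }
}

# Build and save the manifest; the recovery is only as good as this note.
$manifest = [pscustomobject]@{
    CapturedAt = (Get-Date).ToString('o')
    Computer   = $env:COMPUTERNAME
    ConfigMgr  = Get-CMSetupInfo
    Sql        = Get-SqlServerInfo -Instance $SqlInstance
}
$manifest | ConvertTo-Json -Depth 4 | Set-Content -Path $ManifestPath -Encoding UTF8
$manifest | ConvertTo-Json -Depth 4

# Later, on the new server, before launching splash.hta:
# Test-RecoveryMedia -Path 'D:\Backup\CD.Latest' -Manifest 'D:\Backup\SiteRecoveryManifest.json'
```

The manifest belongs next to the backup, not on the server being rebuilt. Comparing only the build component is deliberate: the "Full Version" registry string and the setup.exe file version are formatted slightly differently (5.00.x versus 5.0.x), and the wizard's error message is about the build number.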


So what is to be done in advance? The following tasks are required once I have my backup:
  • Turn off old CM server (if it is still alive)
  • Create new VM and install Operating System (does not have to be the same OS as before but the same drive configuration is recommended), patch and join to domain
  • The server name must be the same as previously
  • Install server prerequisites (Nickolaj Andersen has a great tool for this)
  • Install ADK for Windows 10 (there are a number of versions but they all have some issues - do your research first before you pick one)
  • Install the same SQL version as before
So now let's recover the site. I'll do it wrong first to show you the difference.

Recover the site - the wrong way

Let's use traditional thinking here. In previous versions of ConfigMgr we would just download the ISO and recover from backup - so let's do that.

The latest version available as installation media is 1606 (1610 is delivered only as an in-console update, not as media). See that there are Current Branch and Long Term Service Branch downloads. LTSB is not suitable in any situation in my opinion.

What happens when I try to install this version and use my 1610 backup?

The restore fails as expected with the error:

"The site was being recovered using a different build number than the build version of the ConfigMgr backup. The recovery build number must match with the previous installed build version".

(I don't like the way the wizard allows you to continue to the actual setup before failing. It should fail earlier, perhaps at the dialog box where you configure the location of the backup files. After all the wizard interrogates the backup at that stage and knows that you are recovering a primary site as opposed to a CAS. In my opinion it should also know at that stage that there is a version mismatch.)

Recover the site - the correct way

Now let's do it right. Copy the backup contents to the new server and launch splash.hta (found in the root of CD.Latest).

Complete the wizard to recover the site. It's pretty similar to the regular site installation wizard.

Select "Install".

Read the information before you begin.

Choose "Recover a site".

In my case I want to recover the site server and database from backup. Your needs may be different.

The wizard detects that you have a backup of a primary site. Other options are greyed out.

Enter the license key.

Accept the various license terms.

Download the prerequisite files.

Choose the ConfigMgr installation folder.

The server name and database name are prepopulated.

Choose the database and log file locations (I'm choosing defaults in my lab - you would not do this in production).

Read the telemetry information. Click Next to continue.

Read the settings summary and click Next to continue.

Prerequisites check has passed with some warnings. Click "Begin Install".

The recovery commences. This can take a while. This one took about 45 minutes for a very small lab environment......

...and we're done.

Finally we are warned about some post-recovery tasks.

Everything looks OK.

Note: now have a look at the security permissions on the System Management container in Active Directory. The entry for the old site server computer account will be shown as an unresolved SID (Unknown), even though the new server has the same name, because the ACL stores SIDs rather than names and the new computer object has a different SID. Remove that orphaned entry and delegate Full Control (this object and all descendant objects) to the new server's computer account; without it the recovered site cannot publish its site information to Active Directory.
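The same clean-up from PowerShell, as an added example (my own code, not from the original post). It lists the ACEs on the System Management container whose identity can no longer be resolved, removes them, and grants the rebuilt server's computer account Full Control with inheritance to all descendant objects, which is what the GUI delegation does. It needs the ActiveDirectory module from RSAT and rights to change the container's ACL; the server name is an assumption, and the script honours -WhatIf so you can see what it would remove first.

```powershell
<#
  Added example (not from the original post). Removes orphaned ACEs from the
  System Management container and grants the rebuilt site server Full Control.
  Assumptions: ActiveDirectory module available, the site server name below,
  and the container already exists under CN=System.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SiteServer = 'CM01'   # assumption: NetBIOS name of the rebuilt site server
)

Import-Module ActiveDirectory

$domain    = Get-ADDomain
$container = "CN=System Management,CN=System,$($domain.DistinguishedName)"
$adPath    = "AD:\$container"

if (-not (Test-Path -Path $adPath)) {
    throw "Container $container not found. Create it (and extend the schema) before recovering the site."
}

$acl = Get-Acl -Path $adPath

function Get-OrphanedAce {
    # An ACE whose trustee no longer exists cannot be translated to DOMAIN\name, so
    # Get-Acl leaves it as a raw domain SID (S-1-5-21-...). That is the 'Unknown'
    # entry in the GUI. Inherited entries are left alone; fix those at their source.
    param([Parameter(Mandatory)]$Acl)
    $Acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -match '^S-1-5-21-'
    }
}

# 1. Show and remove the orphaned entries (the old site server's computer account).
$orphans = @(Get-OrphanedAce -Acl $acl)
foreach ($ace in $orphans) {
    Write-Host ("Orphaned ACE: {0} {1} {2}" -f $ace.IdentityReference, $ace.AccessControlType, $ace.ActiveDirectoryRights)
    if ($PSCmdlet.ShouldProcess($container, "Remove orphaned ACE for $($ace.IdentityReference)")) {
        [void]$acl.RemoveAccessRuleSpecific($ace)
    }
}

# 2. Grant the rebuilt server Full Control on the container and everything beneath it.
$computer = Get-ADComputer -Identity $SiteServer
$rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $computer.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)
if ($PSCmdlet.ShouldProcess($container, "Grant Full Control to $($computer.SamAccountName)")) {
    $acl.AddAccessRule($rule)
}

# 3. Write the ACL back and show the non-inherited entries that remain.
if ($PSCmdlet.ShouldProcess($container, 'Apply updated ACL')) {
    Set-Acl -Path $adPath -AclObject $acl
}
(Get-Acl -Path $adPath).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, InheritanceType |
    Format-Table -AutoSize
```

Run it once with -WhatIf and read the "Orphaned ACE" lines before letting it change anything: the SID check will also catch any other deleted principal that was delegated on the container, which you may or may not want removed in the same pass.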

I hope this blogpost was useful. Until next time.....

Tuesday, 22 November 2016

Microsoft Intune - enterprise enrollment CNAME best practice

I was asked this question recently and I didn't know the answer so I did some research.

What is the correct DNS CNAME record to configure for Enterprise Enrollment of mobile devices with Intune?

First, I should explain that this CNAME is only required if you are enrolling Windows devices. It is not required for iOS and Android.

There are three options:
  1. Redirect to
  2. Redirect to
  3. Don't configure a CNAME at all
So this is the scoop on the three options:
  1. This is a throwback to the early stages of this technology. It still works but is now deemed to be less secure and not recommended by Microsoft. You will still find this referenced on many online blog posts simply because they have not been updated.
  2. This is now the recommended configuration. It uses a secure channel (hence the -s).
  3. This will also work but means that the user has to enter "" as the server name during the enrollment process. This would be #2 in terms of preference.

Edit Feb 1st 2017: is being deprecated on Feb 11th 2017 and will no longer work for enrolling Windows devices.

You should create a CNAME in DNS that redirects to

You can see this information in the official docs
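A quick way to check what your domains actually resolve to, as an added example (my own code, not from the original post): it queries the enterpriseenrollment CNAME for each domain and reports whether it points at the "-s" endpoint. The expected target name is my assumption taken from Microsoft's documented value, not something the post states; if you want to check against a different target, pass it in.

```powershell
<#
  Added example (not from the original post). Verifies the Windows enrollment
  CNAME for one or more domains.
  Assumptions: the record name enterpriseenrollment.<domain> and the default
  expected target below, which is Microsoft's documented "-s" endpoint.
#>
function Test-EnrollmentCname {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$Domain,
        [string]$ExpectedTarget = 'EnterpriseEnrollment-s.manage.microsoft.com',  # assumption
        [string]$DnsServer                                                          # optional: query an external resolver
    )
    process {
        $name   = "enterpriseenrollment.$Domain"
        $params = @{ Name = $name; Type = 'CNAME'; ErrorAction = 'Stop' }
        if ($DnsServer) { $params.Server = $DnsServer }

        try {
            $cname = Resolve-DnsName @params | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        }
        catch {
            # NXDOMAIN or no answer: enrollment will work only if users type the server name by hand.
            return [pscustomobject]@{ Domain = $Domain; Record = $name; Target = $null; Status = 'Missing'; Detail = $_.Exception.Message }
        }

        if (-not $cname) {
            return [pscustomobject]@{ Domain = $Domain; Record = $name; Target = $null; Status = 'NotACname'; Detail = 'Record exists but is not a CNAME' }
        }

        # Compare case-insensitively and ignore a trailing dot on the FQDN.
        $target = $cname.NameHost.TrimEnd('.')
        $status = if ($target -ieq $ExpectedTarget) { 'OK' } else { 'WrongTarget' }
        [pscustomobject]@{ Domain = $Domain; Record = $name; Target = $target; Status = $status; Detail = "expected $ExpectedTarget" }
    }
}

# Example run against two domains (names are placeholders), using a public resolver so
# you see what a device outside the corporate network will get.
'contoso.com', 'fabrikam.com' | Test-EnrollmentCname -DnsServer 8.8.8.8 | Format-Table -AutoSize
```

Anything other than OK is worth fixing before the deprecation date mentioned above: a WrongTarget result on the legacy endpoint will stop working, and Missing means every user has to type the server name during enrollment.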

I hope this clears up any confusion. Until next time.......

Monday, 21 November 2016

Microsoft are listening to feedback?? - my experience

My favourite part of the being in the MVP Program is being able to provide feedback directly to the product group. The cynical view is that they just don't listen so there is no point in providing feedback. However this is simply not the case. I have a little story I would like to share.

Last year I deployed an Intune Proof of Concept for one of my customers. We carried out intensive testing of the various elements, one of which was mobile application management. We created MAM policies to restrict the integration between managed and unmanaged apps. This worked very well and data could not be transferred between managed and unmanaged apps. Unfortunately, it worked a little too well. If I clicked on a telephone number in Outlook or the managed browser I was unable to launch the phone dialer app on the device (as it was unmanaged) and I couldn't make a phone call. This just didn't make sense to me.

I filed a DCR (bug) on Microsoft Connect (you will need a Microsoft account to access this) to allow special access to specific unmanaged apps (eg. phone dialer).

"While using Intune Managed Applications it would be good if users could integrate with specific device components eg phone dialer. Users should be able to make a telephone call by selecting the number in the Managed App. They currently can't - I've tested it. The operation is not permitted".

The DCR was actioned and closed. I'm pleased to say that ALL MAM-aware Office apps and the Intune Managed Browsers (for both iOS and Android) have now been upgraded to incorporate this request. I've just successfully tested with Outlook and Managed Browser.

If a feature doesn't make sense to you or doesn't work the way you think it should then let Microsoft know. The products will only improve with user feedback.

For bugs use Microsoft Connect: 

For feature suggestions use UserVoice.

ConfigMgr CB 1610 delivers features I've been waiting for

System Center Configuration Manager Current Branch 1610 was released on 18th November. You must opt in to fast ring to see 1610 in the ConfigMgr console early. Full details can be found here

Many new features are available such as:
  • Windows 10 Upgrade Analytics
  • Office 365 Servicing Dashboard and app deployment
  • Software Updates Compliance Dashboard
  • Cloud Management Gateway
  • Client Peer Cache
  • Enhancements in Software Center
  • New remote control features
However I've been looking at the less publicized enhancements. In particular there are two very simple improvements that I have been waiting for.

1. Windows Store for Business integration

I previously published a blog post on configuring native integration with ConfigMgr and Windows Store for Business. You can read that here

This feature was delivered as "pre-release" in 1606. It was very useful but a little limited in terms of troubleshooting. Synchronization failed in my lab environment and I couldn't do anything about it.

WsfbSyncWorker.log file displayed the synchronization error.

However I was very limited on what I could do in the console. I could only view the Properties of the WSfB account......

....and everything was grayed out. This wasn't that helpful. Kim Oppalfens figured out a way to remove the account using WMI but I'm pretty sure that it wouldn't be supported.

Enhancements have been added in 1610.

Now we can easily delete the account and add a new one.

We can also edit the account settings.

I've now been able to fix my synchronization problem.

2. Send a Sync Request to Intune enrolled device

Previously synchronization had to be initiated using the Intune Company Portal on the mobile device itself.

Now we can send a sync request to the device directly from the ConfigMgr console. This is a huge improvement. We no longer have to guide users to do this for themselves.

Until next time.......

Thursday, 6 October 2016

Use REST APIs to access Microsoft Intune data

Microsoft recently published information on using REST API calls to communicate with Intune to retrieve management data. This is really cool. It uses Microsoft Graph, which exposes multiple APIs from Microsoft cloud services through a single endpoint. The data retrieved can be very useful in troubleshooting.

So how do we get started?

Navigate to Graph Explorer

See the Graph Explorer interface. Click Sign in to access the Intune service. A new page opens and you are prompted to log in.

You are then warned that the API Explorer needs permission to the following (it's a lot but remember this is also for Office 365, not just Intune):

  • Sign you in and read your profile  
  • Read and write access to your mail   
  • Read directory data  
  • Access the directory as you  
  • Read your files  
  • View your basic profile  
  • Read and write selected files  
  • Have full access to your calendars   
  • Read and write all users' full profiles  
  • Read items in all site collections  
  • Create, read, update and delete your tasks and projects (preview)  
  • View your OneNote notebooks (preview)  
  • Sign in as you  
  • Read your calendars   
  • Read and write all groups  
  • Read selected files  
  • Read your mail   
  • Have full access to your files  
  • Read all groups  
  • View and modify your OneNote notebooks (preview)  
  • View your email address  
  • View and modify OneNote notebooks that you can access (preview)  
  • Access your data anytime  
  • Have full access to the application's folder  
  • Read and write to your mailbox settings (preview)  
  • Have full access to all files you have access to  
  • Read identity risk event information  
  • Create pages in your OneNote notebooks (preview)  
  • Read all users' full profiles  
  • Read all users' basic profiles  
  • Read and update your profile  
  • Read your relevant people list (preview)  
  • Read and write directory data  
  • Have full access of your contacts   
  • Read all files that you have access to  
  • View OneNote notebooks that you can access (preview)  
  • Sign you in and read your profile  
  • Send mail as you   
  • Limited access to your OneNote notebooks for this app (preview)  
  • Read your tasks  
  • Read your contacts
You have to accept this to continue. Be aware of what you are accepting: this consents to the Graph Explorer application acting with all of those delegated permissions on your behalf, including write scopes and "Send mail as you", so use an account appropriate for that, and for anything beyond ad hoc exploration use your own app registration scoped to only the permissions the query needs.

....and now you're ready to query for information.

So how does it work?

The interface uses GET and POST REST calls to the service backend to retrieve data for various items. The commands are URLs, but pasting them into a browser address bar will not work because the request must carry an OAuth bearer token in the Authorization header; use them in the Graph Explorer URL bar (or any client that sends that header).

So what kind of information can we get?

Here are some examples:

1. Get data relating to all devices for a specific user (replace the user UPN in the URL)

In my case the URL is:

See the output for a specific device. Useful troubleshooting information is returned.

"approximateLastSignInDateTime": "2016-04-25T12:25:58Z",
"deviceId": "85a9e8e4-21cb-45cc-87f5-8c2056a3c18e",
"deviceMetadata": null,
"deviceVersion": 2,
"displayName": "gerry_Android_4/25/2016_12:26 PM",
"isCompliant": false,
"isManaged": true,
"onPremisesLastSyncDateTime": null,
"onPremisesSyncEnabled": null,
"operatingSystem": "Android",
"operatingSystemVersion": "4.4.2",
"physicalIds": [],
"trustType": "Workplace"

2. Get data for a specific user

In my case the URL is:

See the output for a specific user

"@odata.context": "$metadata#users/$entity",
"id": "c5ab8188-7124-4a97-bdfe-66bda5f634a0",
"businessPhones": [],
"displayName": "Gerry",
"givenName": "Gerry",
"jobTitle": null,
"mail": "",
"mobilePhone": null,
"officeLocation": null,
"preferredLanguage": null,
"surname": null,
"userPrincipalName": ""
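Both queries above, issued from PowerShell rather than Graph Explorer, plus the triage a helpdesk engineer actually wants from the device records: managed devices that are not compliant and registrations that have not signed in for a while. This is an added example (my own code, not from the original post or Microsoft's article). It assumes a bearer token for graph.microsoft.com from an app registration holding only the directory and device read permissions (how you obtain the token is out of scope), and the v1.0 endpoints users/{upn} and users/{upn}/ownedDevices, which return the fields shown above; the post's own URLs are not reproduced here. The device list at the bottom is constructed so the triage runs offline.

```powershell
<#
  Added example (not from the original post). Queries Graph for a user and the
  user's devices, then flags non-compliant and stale devices.
  Assumptions: a bearer token from a suitably scoped app registration, and the
  v1.0 users/{upn} and users/{upn}/ownedDevices endpoints. Sample data below is constructed.
#>
$GraphBase = 'https://graph.microsoft.com/v1.0'

function Invoke-GraphGet {
    # Follows @odata.nextLink so collections larger than one page come back whole.
    param([Parameter(Mandatory)][string]$Uri, [Parameter(Mandatory)][string]$Token)
    $headers = @{ Authorization = "Bearer $Token"; Accept = 'application/json' }
    $items = New-Object System.Collections.Generic.List[object]
    $next  = $Uri
    while ($next) {
        $resp = Invoke-RestMethod -Method Get -Uri $next -Headers $headers -ErrorAction Stop
        if ($resp.PSObject.Properties['value']) { $items.AddRange([object[]]$resp.value) } else { $items.Add($resp) }
        $next = $resp.'@odata.nextLink'
    }
    return $items
}

function Get-GraphUser {
    param([Parameter(Mandatory)][string]$Upn, [Parameter(Mandatory)][string]$Token)
    $u = [uri]::EscapeDataString($Upn)   # the '@' in a UPN must be escaped in the path
    Invoke-GraphGet -Uri "$GraphBase/users/$u" -Token $Token
}

function Get-GraphUserDevices {
    param([Parameter(Mandatory)][string]$Upn, [Parameter(Mandatory)][string]$Token)
    $u = [uri]::EscapeDataString($Upn)
    Invoke-GraphGet -Uri "$GraphBase/users/$u/ownedDevices" -Token $Token
}

function Find-DeviceIssues {
    # isManaged + isCompliant=false is the usual conditional-access complaint;
    # an old approximateLastSignInDateTime usually means a stale registration.
    param([Parameter(Mandatory)][object[]]$Devices, [int]$StaleDays = 30, [datetime]$Now = (Get-Date))
    foreach ($d in $Devices) {
        $issues = @()
        if ($d.isManaged -and -not $d.isCompliant) { $issues += 'ManagedButNotCompliant' }
        if ($d.approximateLastSignInDateTime) {
            $age = ($Now - [datetime]$d.approximateLastSignInDateTime).TotalDays
            if ($age -gt $StaleDays) { $issues += ('StaleSignIn({0}d)' -f [int]$age) }
        }
        else { $issues += 'NoSignInRecorded' }
        [pscustomobject]@{
            DisplayName = $d.displayName
            OS          = "$($d.operatingSystem) $($d.operatingSystemVersion)"
            TrustType   = $d.trustType
            Managed     = $d.isManaged
            Compliant   = $d.isCompliant
            Issues      = ($issues -join ',')
        }
    }
}

# Constructed sample shaped like the output above (not real tenant data).
$sampleJson = @'
[
  { "approximateLastSignInDateTime": "2016-04-25T12:25:58Z", "deviceId": "00000000-0000-0000-0000-000000000001",
    "displayName": "gerry_Android_4/25/2016_12:26 PM", "isCompliant": false, "isManaged": true,
    "operatingSystem": "Android", "operatingSystemVersion": "4.4.2", "trustType": "Workplace" },
  { "approximateLastSignInDateTime": "2016-10-05T08:00:00Z", "deviceId": "00000000-0000-0000-0000-000000000002",
    "displayName": "gerry_iPhone", "isCompliant": true, "isManaged": true,
    "operatingSystem": "iOS", "operatingSystemVersion": "10.0.2", "trustType": "Workplace" }
]
'@
$sample = ConvertFrom-Json -InputObject $sampleJson
Find-DeviceIssues -Devices $sample -Now ([datetime]'2016-10-06T00:00:00Z') | Format-Table -AutoSize

# Live use (token acquisition not shown):
# $devices = Get-GraphUserDevices -Upn 'user@contoso.com' -Token $token
# Find-DeviceIssues -Devices $devices | Format-Table -AutoSize
```

With the sample data the first device is reported as ManagedButNotCompliant with a stale sign-in and the second is clean. The paging loop matters more than it looks: ownedDevices for a heavy user, or any users collection, is paged, and code that reads only the first page silently misses devices.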

See the full Microsoft article here

I hope this is useful. Until next time.....

Wednesday, 5 October 2016

Improvements in app blacklisting with Intune

The August update of the Intune service has introduced major improvements in mobile app management. Previously you could create app blacklists but these policies would only block apps on Windows devices. They would not prevent the installation or use of apps on Android or iOS devices. For these devices you could only report non-compliance if a blacklisted app was installed.

So what are these improvements?

We can now create custom policies to allow and block apps for Samsung KNOX enabled Android devices.

  • Once an app is blocked, it cannot be activated or run on the device, even if it is already installed.
  • Specifying which apps are allowed designates which apps can be installed from the Google Play store. When a list of allowed apps is defined, no other apps can be installed from the store.
On iOS 9.3 and later (supervised devices only) we can add a list of hidden and shown apps to the iOS general configuration policy.
  • Apps that are specified as hidden can’t be viewed or launched by users.
  • When you specify a list of apps to be shown, no other apps can be viewed or launched.

Let's have a look at the custom Android policy and then we'll see the behaviour on a device.

In the Microsoft Intune administration console, choose Policy > Configuration Policies > Add.

In the Create a New Policy dialog box, expand Android, choose Custom Configuration, and then choose Create Policy.

Provide a name and optional description for the policy and then, in the OMA-URI Settings section, choose Add.

We want to specify the allowed apps so that all other apps will be blocked.

Note: You can find the package ID of an app by browsing to the app on the Google Play store. The package ID is contained in the URL of the app's page.

For example, the package ID of the Microsoft Word app is as the URL is

The package ID of the Adobe Reader app is com.adobe.reader as the URL is

In the Add or Edit OMA-URI Setting dialog box, specify the following:

  • Setting name - Enter AllowInstallPackages.
  • Setting description - List of apps that users can install from Google Play.
  • Data type - String.
  • OMA-URI - ./Vendor/MSFT/PolicyManager/My/ApplicationManagement/AllowInstallPackages
  • Value - List of the Package IDs you want to allow. Use ; : , as delimiter. (Example: packageID1,packageID2). In my case this is com.adobe.reader,
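Pulling the package IDs out of Play Store URLs by hand is error-prone, and a mistyped ID in an allow-list silently allows nothing (or, worse, blocks the app you meant to permit). Here is an added example (my own code, not from the original post) that extracts the id parameter from Play URLs, validates each value against the Android package-name rules, and assembles the setting exactly as the list above describes. The URL format is the one the post describes; the sample URLs and the second package ID are constructed for the demo.

```powershell
<#
  Added example (not from the original post). Derives package IDs from Google Play
  URLs, validates them, and builds the AllowInstallPackages OMA-URI setting.
  Assumptions: Play URLs of the form .../store/apps/details?id=<package>; the
  sample URLs below are constructed.
#>
function Get-PlayPackageId {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Url)
    process {
        $u = [uri]$Url
        if ($u.Host -ne 'play.google.com') { throw "Not a Google Play URL: $Url" }
        # The package ID is the 'id' query parameter, e.g. ?id=com.adobe.reader&hl=en
        if ($u.Query -match '(?:^\?|&)id=([^&#]+)') { return [uri]::UnescapeDataString($Matches[1]) }
        throw "No id= parameter found in $Url"
    }
}

function Test-AndroidPackageId {
    param([Parameter(Mandatory)][string]$PackageId)
    # Two or more dot-separated segments, each starting with a letter and
    # containing only letters, digits and underscores.
    return [bool]($PackageId -match '^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$')
}

function New-AllowInstallPackagesSetting {
    param([Parameter(Mandatory)][string[]]$PackageId)
    $ids = $PackageId | ForEach-Object { $_.Trim() } | Where-Object { $_ } | Sort-Object -Unique
    $bad = @($ids | Where-Object { -not (Test-AndroidPackageId -PackageId $_) })
    if ($bad.Count -gt 0) { throw "Invalid package ID(s): $($bad -join ', ')" }
    [pscustomobject]@{
        SettingName = 'AllowInstallPackages'
        Description = 'List of apps that users can install from Google Play'
        DataType    = 'String'
        OmaUri      = './Vendor/MSFT/PolicyManager/My/ApplicationManagement/AllowInstallPackages'
        Value       = ($ids -join ',')   # the post lists ; : , as accepted delimiters
    }
}

# Constructed sample input: Adobe Reader (from the post) and one more app.
$urls = @(
    'https://play.google.com/store/apps/details?id=com.adobe.reader&hl=en',
    'https://play.google.com/store/apps/details?id=com.microsoft.office.outlook'
)
$ids = $urls | Get-PlayPackageId
New-AllowInstallPackagesSetting -PackageId $ids | Format-List
```

Paste the Value field into the policy as-is. Keeping the list sorted and de-duplicated also makes it easy to diff the policy against the previous version when someone asks why an app stopped installing.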

Click OK.

Save Policy.

In the Policy workspace, select the policy and click Manage Deployment.
In the Manage Deployment dialog box, select one or more groups to which you want to deploy the policy, then click Add > OK.

User experience

So what happens on the device? I'm using an Android device with Samsung Knox enabled (Samsung Galaxy S4 phone).
I've tried to install an app that isn't on the allowed list.

I can't install the app and get the notification that "Security policy prevents installation of this application".

Then I tried to install Adobe Reader which is on the allowed list.

No problem.

This is very straightforward to configure and works instantly.

It's worth mentioning the supported devices again.
  • Samsung Knox enabled Android devices (must be Samsung Knox - I was unable to get this working on an Android without Samsung Knox) 
  • Supervised iOS devices 9.3 and later (supervised mode can be enabled on iOS devices using the Apple Device Enrolment Program or the Apple Configurator Tool) 

I hope this was useful. Until next time.......

Thursday, 29 September 2016

My second book

I am very pleased to be co-author for the latest book in the System Center Configuration Manager Unleashed series (published by Sams). The book is titled  "System Center Configuration Manager Current Branch Unleashed".

The author list is:
  • Kerrie Meyler (MVP) (Co-author)
  • Greg Ramsey (MVP) (Co-author)
  • Kenneth van Surksum (MVP) (Co-author)
  • Michael Wiles (Dell) (Co-author)
  • Gerry Hampson (MVP) (Co-author)
  • Saud Al-Mishari (Microsoft) (Co-author)
  • Garth Jones (MVP) (Contributing author)
  • Byron Holt (MVP) (Contributing author)

The chapter list is as follows:
  1. Configuration Management Basics
  2. Configuration Manager Overview
  3. Looking Inside Configuration Manager
  4. Architecture Design Planning
  5. Network Design
  6. Installing System Center Configuration Manager
  7. Migrating to System Center Configuration Manager
  8. Using the Configuration Manager Console
  9. Client Management
  10. Managing Compliance
  11. Creating and Managing Applications and Deployment Types
  12. Creating and Managing Packages and Programs
  13. Distributing and Deploying Applications and Packages
  14. Managing Software Updates
  15. Integrating Intune Hybrid into Your Configuration Manager Environment
  16. Managing Mobile Devices
  17. Conditional Access
  18. Endpoint Protection
  19. Configuration Manager Queries
  20. Configuration Manager Reporting
  21. Operating System Deployment
  22. Security and Delegation in Configuration Manager
  23. Backup, Recovery, and Maintenance
Writing a book can be a very time-consuming process. However I've submitted my four chapters ahead of schedule after several re-writes (Kerrie is a tough taskmaster). The chapters will then undergo technical and editorial reviews (probably more re-writes). The book is scheduled to be published in early 2017 and will be available on Amazon.

Currently it is available for pre-order

Thursday, 1 September 2016

Real world tips for implementing mobile application management without enrollment

MAM without enrollment is a really cool way of protecting corporate data on BYOD devices. Some users simply do not want to enrol their devices in Intune so this gives us IT Pros an alternative management method.

MAM policies can be configured for apps in these scenarios:
  • On devices enrolled in Microsoft Intune: These devices are typically corporate owned devices.
  • On devices enrolled in a third-party Mobile device management (MDM) solution: These devices are typically corporate owned devices.
  • On devices not enrolled in any mobile device management solution: These devices are typically employee owned devices that are not managed or enrolled in Intune or other MDM solutions.
I will walkthrough the solution and offer some real world tips along the way.

Tip #1: MAM policies should not be used in conjunction with third party mobile app management or secure container solutions.

Administrator configuration

Configuration of this solution is carried out in the Azure Portal

Select More Services.

Start to type Intune and select Intune.

The Intune mobile application management blade opens. Select App Policy.

Select Add a policy.

Give the policy a name and choose a platform. I'm choosing Android for now. Highlight Select Required Apps.

Choose the apps that you want to deploy a MAM policy to. Click Select to choose the apps.

Notice that only Microsoft apps are currently available. So how do I allow my users to securely open email attachments - PDFs for example?

Tip #2: No special considerations are required for iOS. Outlook for iOS has an in-app viewer built in.

Tip #3: The RMS Sharing App must be used for opening secure PDFs on Android devices.

Now highlight Configure required settings. There are a number of options to choose from. The default options are sufficient unless you specifically need to change a setting.

Tip #4: If you are familiar with Intune Mobile Application Management you will know that you must create a MAM policy and a Managed Browser policy. In MAM without enrolment they are integrated and there is no Managed Browser policy. There is one setting "Restrict web content to display in the Managed Browser".

Click OK to save your settings.

Click Create to create the policy.

Select App Policy again.

Highlight the policy that you have created.

Select User Groups.

Select Add Users Group to deploy the MAM policy.

User experience (Android)

Download and install the required apps from the Google Play store. Don't forget the RMS Sharing app as discussed above.

I got this error when I tried to open Outlook (now a protected MAM app).

"Before you can use your work account with this app, you must install the free Intune Company Portal app. Tap "Go to store" to continue".

Tip #5: You must install the Company Portal app on an Android device in order to use MAM without enrolment (even though you will not be enrolling the device). This is not the case with iOS.

Click Go to store and install the Company portal app. No further action is required with this app.

Corporate data is now secured by MAM policy. Try it out.

I hope this information was useful. Until next time......