Step-by-step configuring Enterprise State Roaming (ESR) with Azure AD Connect Password sync

During the last couple of month, we had a lot of discussions with our customers regarding the new modern way to roam user settings. I’m sure that you agree with me, that roaming profiles are a legacy way to do this.

Microsoft introduced Enterprise State Roaming a while ago. First a consumer version was available when Windows 8 was released. Microsoft accounts did roam user settings to the cloud. Settings like Wi-Fi Profiles, Internet Explorer Settings and Start menu configurations where roamed.

With ESR you can now roam settings to Azure in a professional enterprise way. Some prerequisites are necessary when you would use Domain Joined Devices to roaming user settings:

  • Licensing: Azure AD Premium Plan / or EM&S Licenses
  • Azure AD Connect latest version
  • Device Write back activated in Azure AD Connect
  • Password sync enabled in Azure AD Connect
  • ESR enabled on the Azure Tenant
  • Windows 10 Enterprise 1607 / Windows Server 2016
  • Domain Joined Devices

2017-02-07-08_04_21-s2021-dc

Let’s have a look at the implementation steps:

Step 1: Get Licenses

The first step is to activate a trial license of an Azure AD Premium plan. You can use an Azure AD P1 or P2 or even an EM&S. EM&S is not available for trial. For large enterprises contact your CSP to assign you some EM&S trial licenses to your tenant. Without an active plan, you won’t be able to enable ESR on Azure.

Step 2: Enable ESR on the Azure AD tenant

Go to your old Azure portal (manage.windowsazure.com) and login as a global admin. Under your directory select “CONFIGURE” and navigate to “devices”. “Enable the Users may sync settings and enterprise app data” option. You can select an Azure AD Group or allow ALL users to sync settings.
1-active-directory-microsoft-azure-and-4-more-pages-%e2%80%8e-microsoft-edge

Step 3: Configure your local AD

During the setup, you need to configure device write back in your On-Prem Active Directory. Use the PowerShell scripts bellow to enable device writeback:

Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory\Connect\AdPrep\AdSyncPrep.psm1"

$ aadAdminCred = Get-Credential

Initialize-ADSyncDomainJoinedComputerSync AdConnectorAccount [connector account name] -AzaadAdminCred;ureADCredentials $

When you run $aadAdminCred = Get-Credential, you are required to type a user name. For the user name, use the following format: user@example.com

When you run the Initialize-ADSyncDomainJoinedComputerSync cmdlet, replace [connector account name] with the domain account that’s used in the Active Directory connector account. This is based on the MS article here.

Step 4: Register your devices

I’m not covering the part when you use AD FS. This is a different way to do this and you will need to setup some clame rules on your AD FS Servers. Please follow the steps in the above link under step 3.

In a no federated scenario you need some requirement do have a device registered automatically:

  • You are either running Windows 10 and Windows Server 2016 on your device
  • Your devices are domain-joined
  • Password sync using Azure AD Connect is enabled

If all of these requirements are satisfied, you don’t have to do anything to get your devices registered.

Registerd devices appearing after that in you on-Prem AD under the root\RegisteredDevices. Make sure you have Device Wirteback enabled on your Azure AD Connect configuration.

2017-02-06-15_59_38-s2021-dc

Step 5: Create a Group Policy object to control the rollout of automatic registration

To control the rollout of automatic registration of domain-joined computers with Azure AD, you have to deploy the Register domain-joined computers as devices Group Policy to the computers you want to register.

GPO to enable: Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration. Right-click Register domain joined computers as devices and “Enable” the policy.

2017-02-06-16_05_30-s2021-dc

During a reboot or a user’s sign in to Windows the device will be registered to Azure and written back to the On-Prem Active directory. You will not be able to see the device name in the dsa.msc. For that launch the Active Directory Administrative Center where you have an additional row of the devices “Display name”.

2017-02-06-16_13_01-s2021-dc

Step 6: Usage

When a user now logs in to his domain joined (or Azure AD joined)  Windows 10 machine using his UPN, the user account is added to the users profile and visible under Settings – Accounts – Email & App accounts as a Work Account.

2017-02-06-16_20_05-hwa10001

The user sync setting is enabled by default and users can change this options. Under Settings – Accounts – Sync your settings you will also recognize that the users UPN is used to sync all the settings.

2017-02-07-07_51_20-hwa10001

Conclusion::

Try it out! You will recognize that settings are changed immediately. For example, change the wallpaper, the taskbar position or even Internet Explorer favorites. This is a great feature for roam user settings across enterprise devices. The next step will be to use conditional access for those users:

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access

First look at the new #OneDrive Admin Center (Preview)

The new OneDrive Admin Center Preview  is now available since a few days. During the past it was just a pain in the a** for admins to manage the OneDrive for Business settings. This has pretty changed a with the new portal which is not yet GA.

If your tenant already has been upgraded then you will be able to access your portal with a Global Admin account using the URL https://admin.onedrive.com

Let’s have a look on the settings.

Home Tab
The home tabs shows just the welcome message.

2017-01-09-11_38_02-onedrive-for-business-admin-preview-internet-explorer

Sharing Tab
On the sharing tab you find all the settings for sharing files outside of your organization. Let them share files outside the company using OneDrive or SharePoint, setting up sharing links, anonymous accces, limiting sharing to a sepzific domainand also what external users can do.

onedrive-for-business-admin-preview-sharing

Sync
The sync tab allows the admin to have control over the syncing settings. Also you have a link for downloading always the latest and newest OneDrive Client and another link to the support.office.com website to see the latest syncing issues.

Following options can be configured:

  • let users install the sync client from the OneDrive website
  • Allow syncing onlx PCs joined to specific domain
    • Enter a GUID for your domain(s)
  • Block syncing of specific file types
    • Enter file extentions you don’t want. For example mp3

onedrive-for-business-admin-preview-sync

Storage
Use the storage tab to configure the limits of the users storage. Default OneDrive value is 1024 MB. In here you can also set the retention time for accounts that have been marked as deleted.

Device Access
These settings applies to OneDrive an SharePoint.

  • Control Access based on a network location
    • Enter here your IP addresses or ranges for access to OneDrive. IPv4 & IPv6 is supported.
  • Mobile Application Management trough Intune is supported. You need an Intune license to use this option.

onedrive-for-business-admin-preview-intune

After assigning an Intune license to your GA Account you will be able to modify the settings for device management. This is an disadvantage in my point of view. It should be possible to change settings as admin without having any licenses applied.

Compliance
A few regulatory, legal and technical standards for OneDrive can be set here. This part helps to protect your data and preform security standard settings.

  • Auditing
    • View users activities related to OneDrive – deleted, shared, moved files
    • DLP – Data loss prevention, protect your organizations sensitive data
    • Configure retention policies
    • eDiscovery for emails, documents an Skype for Business conversations
    • Alerting, user and admin logs will be created

Note also the title of the page which gives you a hint to the Security and Compliance Center of Office 365.

I’m pretty sure that the new portal will be integrated into the Office 365 Admin Center. Until then, the admin portal is a good way to manage your OneDrive settings. Try it out today.

 

 

 

 

An easy way to add Langauge Packs to Windows 10 1511

Today I would like to show you how you can add Language Packs to Windows 10 Current Branch 1511 with using the Windows Imaging and Configuration Designer. This nice tool is a part of the new ADK’s and available since a while.

With the Windows Imaging and Configuration Designer, short WICD, you’re able to create pkkg Files. This files can be deployed to Windows Desktops or even Windows Mobile Devices.

First make sure you have the right ADK installed. Download it from here. It is still recommended to use the “older” version instead of the 1511 ADK. For more details check this links:
https://blogs.technet.microsoft.com/configmgrteam/2015/11/20/issue-with-the-windows-adk-for-windows-10-version-1511/

Also download the correct version of the Language packs. There is dedicated ISO available for Windows 10 1511 which contains x86 and x64 LPs. Mount the ISO and copy the required lp.cab files to a shared folder. You can use a single folder and rename the LPs instead of using subfolders. (Just rename each cab so they can all exist in the same folder e.g. de-de.cab for German etc…).

This could look like this:

0.1

Start the WICD and create a new provisioning package and save the project to a share.

1

2

Hit next for the “Next” options

3
Select “Common to all Windows desktop editions” and click “Next”

4.PNG
Leave this blank and click “Finish”

5.PNG

On the newly created project expand the Deployment assets – Language packages and browse to your LP cab files. You have to select each LP for import. in my case I only use one single LP – German. Name it and click Add at the bottom.

Now you can create the PPKG file. On the Menu select Export and then “Provision package”. On the “Build” windows click Next (or change the settings if you like).

7.PNG

Do not encrypt the ppkg file for now. Select where to save the ppkg package
8

Hit Build to build the package
9
10

 

 

 

 

 

 

 

 

October security #updates causing #SCOM 2012 R2 console #crash

Microsoft releasd last week two new updates during the newly announced servicing model.

This updates, named”October, 2016 Security Only Quality Update for Windows Server 2012 R2 (KB3192392)” and “October, 2016 Security Monthly Quality Rollup for Windows Server 2012 R2 (KB3185331)” causing the System Center Operation Manager Console crashing when tying to use the Windows Computers view.

crash

Solution
Currently there is no other way as removing the update from your management servers where the SCOM console is installed.

Let me know if you have a better solution!

 

ConfigMgr 1606 – Configure Office 365 Client Agent Settings(Configuration Manager Current Branch)

Hi reader,

The newest Version of System Center Configuration Manager Current Branch (1606) is rolling out these days with a lot of new features and opportunities.

As the update is rolled out globally in the coming weeks, it will be automatically downloaded and you will be notified when it is ready to install from the “Updates and Servicing” node in your Configuration Manager console. If you can’t wait to try these new features, this PowerShell script can be used to ensure that you are in the first wave of customers getting the update.

Beginning in Configuration Manager version 1606, you can use the Configuration Manager client setting to manage the Office 365 client agent. Configure your Client Settings \ Software Updates Settings. There you can find now a new option called “Enable management of the Office 365 Client Agent“.

Capture

After you configure this setting and deploy Office 365 updates, the Configuration Manager client agent communicates with the Office 365 client agent to download Office 365 updates from a distribution point and install them. Configuration Manager takes inventory of Office 365 ProPlus Client settings.

Find more details on TechNet: https://technet.microsoft.com/en-us/library/mt741983.aspx

Configuration Manager 1602- backup your CD.Latest folder

Today I got a support case where I had to restore my first ConfigMgr Current Branch 1602.

No prob, we do have a nice SQL DB backup of the ConfigMgr database.

Let’s do the following:

  1. Close all consoles
  2. Stop all SMS Services (will also be done by the recovery wizard)
  3. Start the setup.exe from the CD.Latest (“Your Install Directory”\Microsoft Configuration Manager\cd.latest\SMSSETUP\BIN\X64)

But here I got stock. The “Recovery Site” option was greyed out. Of course I tried different ways to start the splash.hta or the setup.exe using admin rights. No way. The option was never available.

123

During research I found that the Site Maintenance job in ConfigMgr is also creating a folder called CD.Latest. But the customer did never activate the Site Maintenance job as they use a third party backup solution to backup the SQL Databases.

However, I configured the Site Maintenance Task and started the SMS_SITE_BACKUP service. This was creating the CD.Latest folder under my backup folder.

124

With this version of the setup.exe file could restore the database .

What we did:

–          Stopped all services
–          Detached the no longer needed CM_”SiteCode” database from the SQL Server using the SQL Server Management Studio
–          Restored the good database from Sunday (used the SQL option “override existing files”)
–          Started CD.Latest from the newly created backup folder (F:\Backup\W01Backup\CD.Latest)
–          Used “Site Database that has manually recovered” as we restored it in SQL

125

Conclusion

Please be aware of a very important change required to your backup strategy in Configuration Manager 1511, 1602 (and later). As you know regular upgrades will be available for the product (every 4 months or so) and you will be able to upgrade using update packages in the “Updates and Servicing” node of the Administration > Cloud Services workspace.

–          Make sure you enable the “Site Maintenance” Job for the site.
–          Backup the Backup folder as this will allow you to restore the ConfigMgr 1602 server in case of a bare metal restore

This folder will be required when you are recovering a failed site so it must be included in a backup strategy. Note that the built in backup maintenance task will back up this folder automatically. Also note that there is no point in backing up this folder once. It must be ongoing because, when upgrades are installed, Configuration Manager also updates the CD.Latest folder with the current files.

Find more informations on TechNet:
https://technet.microsoft.com/en-us/library/mt703293.aspx

 

Hyper-V error during RDS VDI collection creation

For a RDS VDI test environment we decided to use an internal switch on the Hyper-V server. This is not working.

As a consequence, in Hyper-V the external network was not up. This resulted in the following error during the creation of a VDI collection:

D90C3088

 

Server computer.domain.com either does not have a virtual switch configured or none of the configured virtual switches have an IP address assigned

This is unlikely to be a concern in any type of real life environment because those will have the external NIC connected at all times. However, it may occur when you are in a test environment and are trying to isolate from the production environment.

Conclusion: You have to configure an external switch which is connected to a physical LAN cable. DHCP is enough but of course you can also set a static IP on the NIC.