ConfigMgr 1606 – Configure Office 365 Client Agent Settings (Configuration Manager Current Branch)

Hi reader,

The newest version of System Center Configuration Manager Current Branch (1606) is rolling out these days with a lot of new features and opportunities.

As the update is rolled out globally in the coming weeks, it will be automatically downloaded and you will be notified when it is ready to install from the “Updates and Servicing” node in your Configuration Manager console. If you can’t wait to try these new features, this PowerShell script can be used to ensure that you are in the first wave of customers getting the update.

Beginning in Configuration Manager version 1606, you can use the Configuration Manager client settings to manage the Office 365 client agent. Configure your Client Settings \ Software Updates settings. There you will now find a new option called “Enable management of the Office 365 Client Agent”.

After you configure this setting and deploy Office 365 updates, the Configuration Manager client agent communicates with the Office 365 client agent to download Office 365 updates from a distribution point and install them. Configuration Manager takes inventory of Office 365 ProPlus Client settings.

Find more details on TechNet: https://technet.microsoft.com/en-us/library/mt741983.aspx

Configuration Manager 1602 – back up your CD.Latest folder

Today I got a support case where I had to restore my first ConfigMgr Current Branch 1602.

No prob, we do have a nice SQL DB backup of the ConfigMgr database.

Let’s do the following:

  1. Close all consoles
  2. Stop all SMS Services (will also be done by the recovery wizard)
  3. Start the setup.exe from the CD.Latest (“Your Install Directory”\Microsoft Configuration Manager\cd.latest\SMSSETUP\BIN\X64)

But here I got stuck. The “Recovery Site” option was greyed out. Of course I tried different ways to start the splash.hta or the setup.exe using admin rights. No way. The option was never available.

During research I found that the Site Maintenance job in ConfigMgr also creates a folder called CD.Latest. But the customer had never activated the Site Maintenance job, as they use a third-party backup solution to back up the SQL databases.

However, I configured the Site Maintenance task and started the SMS_SITE_BACKUP service. This created the CD.Latest folder under my backup folder.

With this version of the setup.exe file I could restore the database.

What we did:

– Stopped all services
– Detached the no longer needed CM_”SiteCode” database from the SQL Server using the SQL Server Management Studio
– Restored the good database from Sunday (used the SQL option “override existing files”)
– Started CD.Latest from the newly created backup folder (F:\Backup\W01Backup\CD.Latest)
– Used “Site Database that has manually recovered” as we restored it in SQL

Conclusion

Please be aware of a very important change required to your backup strategy in Configuration Manager 1511, 1602 (and later). As you know regular upgrades will be available for the product (every 4 months or so) and you will be able to upgrade using update packages in the “Updates and Servicing” node of the Administration > Cloud Services workspace.

– Make sure you enable the “Site Maintenance” job for the site.
– Back up the backup folder, as this will allow you to restore the ConfigMgr 1602 server in case of a bare metal restore.

This folder will be required when you are recovering a failed site, so it must be included in a backup strategy. Note that the built-in backup maintenance task will back up this folder automatically. Also note that there is no point in backing up this folder only once. The backup must be ongoing because, when upgrades are installed, Configuration Manager also updates the CD.Latest folder with the current files.

Find more information on TechNet:
https://technet.microsoft.com/en-us/library/mt703293.aspx

Hyper-V error during RDS VDI collection creation

For an RDS VDI test environment we decided to use an internal switch on the Hyper-V server. This does not work.

As a consequence, in Hyper-V the external network was not up. This resulted in the following error during the creation of a VDI collection:

Server computer.domain.com either does not have a virtual switch configured or none of the configured virtual switches have an IP address assigned

This is unlikely to be a concern in any type of real life environment because those will have the external NIC connected at all times. However, it may occur when you are in a test environment and are trying to isolate from the production environment.

Conclusion: You have to configure an external switch which is connected to a physical LAN cable. DHCP is enough but of course you can also set a static IP on the NIC.

Issue removing old SQL Server from ConfigMgr

Situation before migration:

1x Primary Site ConfigMgr 2012 R2 no CU (OS Win 2008 R2) – no OS upgrade Support (*)
2x Secondary Sites 2012 R2 no CU
1x SQL Server 2008 R2 SP2 no CU
2’500 Clients worldwide

Goal:

1 Primary Site Current Branch 1511
New OS Windows Server 2012 R2
1 local installed SQL Server
no more Secondary Sites
several DP’s around the world

Most of the things went smoothly, but at one point we got stuck for now. We’re not able to remove the old remote SQL Server. The server still appears in the Site System Roles, and if we try to remove the Site Database server role (Remove is not greyed out) we receive the error: “The Server cannot be deleted because it contains the following roles:”

We also tried to change the reg keys under SMS_Site_Component_Manager\Multisite Component Server\”Name of remote SQL”\Deinstallation Start Time\, setting the value to 1.

Solution

Run the following query in SQL Server Management Studio to find and remove the orphaned relationships.

Replace the placeholders in < > with the corresponding names and run the query against the SCCM DB:

 *************************************************************

use CM_<sitecode>
-- Sized to hold a full FQDN; varchar(15) would silently truncate longer names
declare @ServerName varchar(255)
set @ServerName='<orphanFQDN>'

-- Remove the status, summarizer and site system rows that still reference the old server
delete from statusmessages where machinename=@ServerName
delete from Summarizer_Components where MachineName like '%'+@ServerName+'%'
delete from summarizer_sitesystem where sitesystem like '%'+@ServerName+'%'
delete from statusmessageinsstrs where insstrvalue like '%'+@ServerName+'%'
delete from sysreslist where servername=@ServerName
delete from sc_sysresuse where nalpath like '%'+@ServerName+'%'

 *************************************************************

After that, reboot the Primary Site. This will remove the server from your Management Console and ConfigMgr Database.

(*)
ConfigMgr CB 1602 now supports OS upgrade from 2008 R2 to 2012 R2. Make sure you uninstall WSUS first.

https://technet.microsoft.com/en-us/library/mt622084.aspx?f=255&MSPPError=-2147217396

Cheers, Al

ConfigMgr 1511 MP Troubleshooting – HTTP test request failed, status code is 403. “Forbidden” – Managing Mac OS X

I recently faced the following issue, “HTTP test request failed, status code is 403. ‘Forbidden’”, on the Management Point and was not able to connect Mac OS X devices to the MP. To fix this issue, I followed the steps below, and maybe you can do the same.

Issue

We have HTTPS enabled on the Management Point for managing Mac OS X clients and it is still not able to authenticate. Due to this it is reporting this error.

The MPControl.log is reporting the following errors:
“Call to HttpSendRequestSync failed for port 443 with status code 403, text: Forbidden”
“HTTP test request failed, status code is 403. ‘Forbidden’”

Solution

Look at the IIS log files under your inetpub folder for more details of the error. The log files are located under (C or D drive)\inetpub\logs\Logfiles\W3SVC1

In the log, look for entries with error code 403 13 (status 403, substatus 13), which indicates an issue with the Client Certificate Revocation (CRL) check on IIS.
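
One way to pull these entries out of the IIS logs, as an added example that is not part of the original post. The function name Get-IisRevocationFailure is hypothetical and the sample log lines are constructed for illustration.

```powershell
# Added example. Sample log lines are constructed, not taken from the post.
# 2148081683 = 0x80092013 (CRYPT_E_REVOCATION_OFFLINE): revocation server unreachable.
$sampleLog = @'
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2016-01-06 09:14:02 192.0.2.10 GET /SMS_MP/.sms_aut MPLIST 443 - 192.0.2.55 SMS+CCM 403 13 2148081683 31
2016-01-06 09:14:05 192.0.2.10 GET /SMS_MP/.sms_aut MPLIST 443 - 192.0.2.56 SMS+CCM 200 0 0 15
2016-01-06 09:15:11 192.0.2.10 CCM_POST /ccm_system/request - 443 - 192.0.2.55 ccmhttp 403 13 2148081683 28
'@ -split "`r?`n"

function Get-IisRevocationFailure {
    param([string[]]$Line)
    $fields = @()
    foreach ($l in $Line) {
        if ($l -like '#Fields:*') {
            # Column order is defined per log file by the #Fields directive
            $fields = ($l -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($l -like '#*' -or [string]::IsNullOrWhiteSpace($l) -or -not $fields) { continue }
        $values = $l -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # malformed or truncated line
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        # 403.13 is the client certificate revocation failure described above
        if ($row['sc-status'] -eq '403' -and $row['sc-substatus'] -eq '13') {
            [pscustomobject]@{
                Time     = "$($row['date']) $($row['time'])"
                ClientIp = $row['c-ip']
                Uri      = $row['cs-uri-stem']
                Win32    = $row['sc-win32-status']
            }
        }
    }
}

# To read the real logs instead of the sample (drive letter may differ):
# $sampleLog = Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\*.log'
Get-IisRevocationFailure -Line $sampleLog |
    Group-Object ClientIp |
    Select-Object Name, Count
```

Grouping by client IP shows whether every client fails the revocation check (a CRL publishing problem on the server side) or only individual devices.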

To fix this issue, disable the revocation check. Client Certificate Revocation is enabled by default. We need to delete all existing bindings on IIS and re-add them. The easiest way to do this is using the netsh command.

  1. Run the command below and make a note of the details:
    netsh http show sslcert
  2. Delete the existing SSL binding:
    netsh http delete sslcert ipport=0.0.0.0:443
  3. Re-add the SSL binding with the CRL check disabled (use the certificate hash and application ID you noted in step 1):
    netsh (enter)
    http add sslcert ipport=0.0.0.0:443 certhash=6cfa619aa7cb9eed29d1ccb0ec783ee40d20281c appid={4dc3e181-e14b-4a21-b022-59fc669b0914} certstorename=My verifyclientcertrevocation=disable
  4. Run “netsh http show sslcert” again to check the status of the CRL check.
  5. Check the mpcontrol.log. The error is gone.

Try again to connect your Mac OS X ConfigMgr client to your ConfigMgr Primary Site Server. You should now be able to connect. Your Mac will also appear in the ConfigMgr console.

Connection to ConfigMgr established:

Now manage your Mac under “Devices” in the ConfigMgr Console:

Use this as a workaround if you’re not able to publish the CRL for your Site Servers.

Enjoy ConfigMgr!

House of cards – new WSUS Option in ConfigMgr 1511

In the past we used the guide from Kent Agerlund (MVP) for cleaning up the WSUS database in ConfigMgr, also called the house of cards! This guide is still very popular and of course necessary for having a correctly configured WSUS server. As Kent mentioned, you should do the cleanup task every Monday morning before you start any other work :-)!

But now we have a new option in ConfigMgr 1511 when we set up the Software Update Point. This allows ConfigMgr to clean up the WSUS database and remove any obsolete updates from the WSUS DB.

To enable and run the WSUS cleanup job

  1. In the Configuration Manager console, navigate to Administration > Overview > Site Configuration > Sites.

  2. Click Configure Site Components in the Settings group, and then click Software Update Point to open Software Update Point Component Properties.

  3. Click the Supersedence Rules tab, select Run WSUS cleanup wizard, and then click OK.

Thanks to the MS Product Team for integrating this feature in future ConfigMgr versions!

Error connecting through RD Gateway 2012 R2

In some cases you receive an error when you try to connect through the RD Gateway using an RDP connection. The error is a generic error for the user and does not help you to find out the reason.

“Remote Desktop can’t connect to the remote computer “computername” for one of these reasons: …”

The Event Viewer on the RD Gateway server shows errors in the Microsoft\Windows\TerminalServices-Gateway\Operational log like this:

The user “domain\username”, on client computer “remote-ip”, did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server.
The following authentication method was attempted: “NTLM”. The following error occurred: “”

Also under the security logs you will find the Event 6274 Audit Failure. Error message: “The authentication or accounting record could not be written to the configured accounting datastore. Ensure that the logfile location is available, has available space, can be written to, and that the directory on the SQL server is available.”

Solution

Open up the Server Manager on your RD Gateway server and expand Roles > Network Policy Server > NPS (Local) > Accounting. In the main section, click “Change Log File Properties”.

Uncheck the checkbox “If logging fails, discard connection requests”. If you have a server farm for gateways in use, make sure you configure all the Gateway servers the same way. After that, try to connect again.