Real-time application installation for devices

This week a new blog post again! During my vacation, I’ve been looking at some statistics of my blog and I noticed that my posts about app deployment related subjects are getting a lot of traction lately. That was a trigger for to make this post about a really nice application deployment feature that’s introduced in Configuration Manager, version 1906. That feature is to install applications for a device. The really nice part of this is that it uses the client notification channel to create a real-time application installation experience. In this post I’ll quickly go through the prerequisites, followed by the application deployment configuration. I’ll end this post by looking at the application installation trigger and the corresponding application requests.

Optional feature

Let’s start with the first prerequisites that should be in place to install applications for devices. That prerequisite is to enable the optional-release feature Approve application request for users and device. That can be achieved by simply following the next 2 steps:

  1. Open the Configuration Manager administration console and navigate to Administration > Overview > Updates and Servicing > Features
  2. Select Approve application request for users and device and click Turn on in the Home tab

Application deployment

The second prerequisite that should be in place is that the application should be deployed as available, with administrator approval, to a device collection. That can be achieved by following the next x steps for deploying an application: .

  1. Open the Configuration Manager administration console and navigate to Software Library > Overview > Application Management > Applications
  2. Select the an app and click Deploy in the Home tab to open the Deploy Software Wizard
  3. On the General page, browse to a device collection and click Next

This can be a generic collection, as the correct configuration will not result in a policy that is sent to the client.

  1. On the Content page, verify that the content is on a distribution point and click Next
  2. On the Deployment Settings page, select Install as Action, select Available as Purpose, select An administrator must approve a request for this application on the device and click Next

This is the most important configuration that should be configured in the deployment. This configuration will make sure that the application is available for installation on a device, without it being available for installation by the user.

  1. On the Scheduling page, click Next
  2. On the User Experience page, click Next
  3. On the Alerts page, click Next
  4. On the Summary page, click Next
  5. On the Completion page, click Close

Note: This feature can help with reducing the need for separate collections for every application.

Install application for device

Before looking at the actual actions, make sure that the required permissions are in place. The (administrative) user, performing the application installation trigger, needs at least the following permissions:

  • Application: Read, Approve
  • Collection: Read, Read Resource, Modify Resource, View Collected File

Now let’s have a look at the most interesting part, the actual application installation trigger. When using an administrative user account, with the required permissions, simply open the Configuration Manager administration console and navigate to Assets and Compliance > Overview > Devices. The administrative user can now right-click the device and click Install Application (see Figure 3).

That will provide the administrative user with an overview of the available apps for that specific device (see Figure 4). Selecting an application and clicking OK, will trigger the application installation by using the client notification channel.

Note: The application installation trigger and process can be monitored by following the logs related to client notification and application management.

Application requests

Let’s end this post by having a look at the application requests. Every triggered application installation will resolve into an approved application request that can be found in the Configuration Manager administration console by navigating to Software Library > Overview > Application Management > Application Requests (see Figure 5). It’s registered as an application request for all users on that specific device. An administrative user can also deny this request again, as shown in the same figure below. Doing this will trigger the uninstall of the application, when an uninstall command is defined in the configuration of application.

More information

For more information about installing applications for devices, please refer to the doc Install applications for a device.

Another new discovery method: Meet the Azure Active Directory Group Discovery!

This week is back to the world of Configuration Manager. With the release of Configuration Manager, version 1906, a lot of new features are introduced. Even a few very nice pre-release features. One of these pre-release features is the subject of this post, the Azure Active Directory Group Discovery. The Azure Active Directory Group Discovery can be used to discover user groups and members of those groups from Azure AD. In case there are users found in Azure AD user groups that haven’t been previously discovered, those users will be added as user resources in Configuration Manager. A user group resource record is created when the group is a security group. In this post I’ll briefly show the prerequisites, followed by the configuration steps. I’ll end this post by showing the administrator experience.

Prerequisites

Let’s start with the prerequisites that should be in place to configure the Azure Active Directory Group Discovery. The following 2 prerequisites should be configured.

1 Enable pre-release feature: The pre-release feature must be enabled. That can be achieved by simply doing the following: Open the Configuration Manager administration console and navigate to Administration > Overview > Updates and Servicing > Features. Select Azure Active Directory user group discovery and click Turn on in the Home tab;
CM-AADUGD-Prerelease
2 Enable cloud management: The cloud management Azure service must be added. That can be achieved by doing the following: Open the Configuration Manager administration console and navigate to Administration > Overview > Cloud Services > Azure Services. Click Configure Azure Services in the Home tab and follow the documented instructions here;

Configuration

When the prerequisites are in place it’s time to look at the actual configuration steps. The following 7 steps walk through the required configuration steps for enabling Azure Active Directory Group Discovery.

1 Open the Configuration Manager administration console and navigate to Administration > Overview > Cloud Services > Azure Services;
2 Select the Cloud Management Azure service and click Properties in the Home tab, to open the Cloud Management Properties dialog box;
CM-AADUGD-Properties
3

CM-AADUGD-CMPropertiesOn the Cloud Management Properties dialog box, select the Discovery tab, select Enable Azure Active Directory Group Discovery and click Settings to open the Azure AD Group Discovery Settings dialog box.

Note: The Settings button will be disabled when Enable Azure Active Directory Group Discovery is not selected.

4

CM-AADUGD-AADGDSOn the Azure AD Group Discovery Settings dialog box, select the Discovery Scopes tab and click Add to open the Select Azure Active Directory Objects dialog box.

Note: Once an Azure AD group is added, it will be shown in the overview of this dialog box.

5

CM-AADUGD-SAADOOn the Select Azure Active Directory Objects dialog box, (optionally add a name in the Name starts with text box) click Search to find the specific Azure AD group(s), select the Azure AD group and click OK.

Important: The search results will show cloud only Azure AD groups for both users and devices. Also, credentials will be requested when searching for Azure AD groups for the first time.

Note: Repeat this step for all applicable Azure AD groups.

6

CM-AADUGD-CMPropertiesPSBack on the Azure AD Group Discovery Settings dialog box, select the Poling Schedule tab. Use this tab to make adjustments to the discovery schedule.

Note: At this moment delta discovery is disabled.

7 Back on the Cloud Management Properties dialog box, click OK.

Note: Keep in mind that this is currently still a preview features.

Administrator experience

Now let’s end this post with the most interesting part, the administrator experience. From an administrative perspective, this configuration introduces at least the following new items.

1 Discovery method: One of the most interesting items is the new Azure Active Directory Group Discovery itself. After the configuration is finished the discovery method can be found by navigating to Administration > Overview > Cloud Services > Azure Services. Selecting the cloud management Azure service, and selecting the Azure Active Directory Group Discovery Agent Type, provides the option Run Full Discovery Now.
CM-AADUGD-Overview
2 Log file: One of the most important items is the log file SMS_AZUREAD_DISCOVERY_AGENT.log. This log files provides the information about the full and delta discoveries of the Azure Active Directory User Discovery and about the full discoveries of the Azure Active Directory Group Discovery (as shown below). The nice part is that the log file also provides information about the Microsoft Graph requests that it uses for the different discoveries.
CM-AADUGD-Log
3 CM-AADUGD-GroupPropCloud-only user groups: The most useful item is the availability of the cloud-only user groups in the on-premises environment. These user groups can be recognized by only having the Agent Name of SMS_AZUREAD_USER_GROUP_DISCOVERY_AGENT (as shown on the right). The availability of the cloud-only user groups in the Configuration Manager environment, and the availability of the new attributes for existing user groups, enables a whole lot of new scenarios. Most of these scenarios are related to co-managing Windows 10 devices with Configuration Manager and Microsoft Intune.
4 Group properties: The overall most interesting, most important and most useful item is the information in the database. The main user group tables and views now contain additional fields for cloud-related information. Some nice information can be found below, were I used a simple query to get some basic information about user groups. That information shows a few important differences with normal user groups. The group contains Azure AD information.
CM-AADUGD-SQL

More information

For more information about the Azure Active Directory Group Discovery, please refer to the Configure Azure Active Directory user group discovery section in the documentation about configuring discovery methods for Configuration Manager

Quick tip: Configure primary device via Software Center

This week a relatively short blog post about a recently introduced feature in Configuration Manager, version 1902. That feature is the option for the user to select a device as a primary device, by using Software Center. Previously the Application Catalog was still required to provide users with that specific option. That was also practically the only reason to still use the Application Catalog. From that perspective, this also provides a clear path for further simplifying the Configuration Manager hierarchy. In this post I’ll show how to enable the option for the user to configure a primary device via Software Center, followed by the end-user experience.

Configuration

Now let’s have a look at the configuration that enables the option for the user to configure a device as a primary device, by using Software Center. That configuration can be achieved by using Client Settings. The 3 steps below show how to enable this option for the users.

1 Open the Configuration Manager administration console and navigate to Administration > Overview > Client Settings;
2 Now either open/create a new Custom Client User Settings and select the Software Center section, or open open the Default Client Settings and select the User Device Affinity section;
3

SCPU-UserSettingsIn the User Device Affinity section, select Yes with Allow user to define their primary devices and click OK;

Note: When using the Default Client Settings this setting is available in the separate section of User Settings. When using Custom Client User Settings this setting is the only available setting. Also, when using Custom Client User Settings, make sure to deploy the Client Settings to a user collection.

Note: Theoretically, when Automatically configure user device affinity from usage data is set to No, the administrator must still approve the affinity request. However, my experience is that the primary user configuration is immediately processed.

End-user experience

Let’s end this post by having a quick look at the end-user experience. When the user now opens Software Center and navigates to the Options section, the user will find a new checkbox named I regularly use this computer to do my work. When that checkbox is selected, the user will be marked as the primary user of that specific device.

SCPU-UserExperience

More information

For more information about lettings users create their own device affinity, refer to this article about User device affinity (section Let users create their own device affinities).

Always apply baseline to co-managed devices

Like the last couple of weeks, this week is also about co-management. This week is all about another nice detail that can be really useful, in specific use cases. That detail is the ability to always apply a configuration baseline to co-managed devices. Even when the Device configuration workload is switched from Configuration Manager to Microsoft Intune. That can be useful for configurations that are not available yet via Microsoft Intune, or for compliance checks that need to be performed and consolidated in one location. In this post I’ll provide a short introduction about the different configuration options, followed by the steps to configure a configuration baseline to co-managed devices when the workload is switched to Microsoft Intune. I’ll end this post with the end-results.

Introduction

When looking at the evaluation of baselines, co-management provides the administrator with 3 different configuration options (of which the third options is the main subject of this post):

  1. Apply Configuration Baselines via Configuration Manager when the Device configuration workload is set to Configuration Manager:
  2. Apply Device configuration profiles via Microsoft Intune when the Device configuration workload is set to Microsoft Intune:
  3. Apply Configuration Baselines via Configuration Manager as an exception to Device configuration profiles via Microsoft Intune when the Device configuration workload is set to Microsoft Intune

Configuration

Let’s start by having a look at the configuration. I’ll do that by going through an example that will create a baseline to verify the update compliance of co-managed devices. That will provide an easy method to verify compliance and consolidate the results. Below are 4 steps that walk through the process.

1 Open the Configuration Manager administration console and navigate to Assets and Compliance > Overview > Compliance Settings > Compliance Baselines;
2 On the Home tab, click Create Configuration Baseline to open the Create Configuration Baseline dialog box;
3a

AlwaysApply-Step01On the Create Configuration Baseline dialog box, provide the following information and click OK to create the configuration baseline.

  • Name: Provide a valid name;
  • Description: (Optional) Provide a description; 
  • Configuration data: See step 3b;
  • Select Always apply this baseline even for co-managed clients;

Explanation: The check Always apply this baseline even for co-managed clients in the baseline will make sure that the baseline is always applicable to co-managed devices. Even when the Device configuration workload is set to Microsoft Intune.

3b

AlwaysApply-Step02On the Create Configuration Baseline dialog box, click Add > Software Update to open the Add Software Updates dialog box. On the Add Software Updates dialog box, find the required software update and click OK.

Explanation: This configuration will make sure that this baseline will verify the compliance of all co-managed devices for the latest cumulative update.

4

AlwaysApply-Step03Right-click the just created baseline and click Deploy to open the Deploy Configuration Baselines dialog box. Leave everything default, select the collection for this baseline deployment and click OK.

Explanation: This configuration will make sure that this baseline is deployed to the required collection and will make sure that this baseline is only used for compliance and not for remediation.

Note: The setting Always apply this baseline even for co-managed clients in the baseline, as mentioned in step 3a, can be used to make sure that the baseline is always applied on co-managed devices.

End-results

Now let’s continue by having a look at the results on a co-managed device. Below are two examples of one of a co-managed device. First an overview of the Configuration Manager Properties, followed by a look in the DCMAgent.log file. Both are client-side details, as the server-side will provide status information similar like for any other device.

1 AlwaysApply-ConfigMgrPropertiesThe first example that I would like to show, is the Configurations tab in the Configuration Manager Properties. The Configurations tab shows the deployed baseline, including the last evaluation time and the compliance state. Similar to the evaluation of a baseline when the Device configuration workload is still set to Configuration Manager;
2 The second example that I would like to show, is the DCMAgent.log file. That log file records high-level information about the evaluation, conflict reporting, and remediation of configuration items and applications. Specifically to this post, this log file provides information about the status of the Device configuration workload (first arrow below) and provides information about specifically enabled baselines (second arrow below);
AlwaysApply-DCMAgent

More information

For more information about co-managed devices and configuration baselines, please refer to this article about creating configuration baselines in System Center Configuration Manager.

Switching the Office Click-to-Run apps workload

This week is all about the Office Click-to-Run apps workload. More specifically, this week is all about what’s happening, from a Configuration Manager perspective, when switching the Office Click-to-Run apps workload to Microsoft Intune. Switching the Office Click-to-Run apps workload to Microsoft Intune will make sure that the Office Click-to-Run app will be installed via Microsoft Intune and no longer via Configuration Manager. In this post I’ll show how to switch the Office Click-to-Run apps workload to Microsoft Intune, followed by what is actually making sure that Configuration Manager will no longer install Office Click-to-Run apps. I’ll end this post with a summary.

Configuration

Let’s start with the easy part, in this case, the configuration. Assuming that co-management is already configured, the following 3 steps will walk through the process of switching the Office Click-to-Run apps workload to Microsoft Intune.

1 Open the Configuration Manager administration console and navigate to Administration > Overview > Cloud Services > Co-management;
2 Select CoMgmtSettingsProd and click Properties in the Home tab, to open the Properties dialog box;
3

O365W-ComanangementPropertiesOn the Properties dialog box, navigate to the Workloads tab. On the Workloads tab, move the slider with Office Click-to-Run apps to Intune.

Note: When there is a need to first test this configuration with a pilot group, simply move the slider with Office Click-to-Run apps to Pilot Intune. In that case make sure to configure a Pilot collection on the Staging tab of the Properties dialog box. 

Note: This configuration change will update the configuration baseline that is used to apply the co-management configuration to Configuration Manager clients. That baseline is shown on Configuration Manager clients as CoMgmtSettingsProd (and for pilot devices also CoMgmtSettingsPilot).

Effect of the configuration

Now let’s continue by looking at the effect of this configuration, from a Configuration Manager perspective. I’ll do that by showing the Global Condition that is used, I’ll do that by showing how that Global Condition is used and I’ll do that by showing what happens on the client device.

1 The first thing that I want to look at is the Global Condition that is used. Starting with Configuration Manager, version 1806, the Intune O365 ProPlus management condition is created as a Global Condition in Configuration Manager. That condition is used to make sure that the Configuration Manager client can no longer install the Office Click-to-Run app on co-managed devices, as the condition will be added as a requirement to the app. That is achieved by a VBScript, in the condition, that queries SELECT * FROM DeviceProperty WHERE DeviceIsO365IntuneManaged=TRUE in the root\ccm\cimodels namespace. Based on the results of the query, the VBScript will either return true or false. That return value will be used to evaluate the requirement of the app.
O365W-ConfigMgrConsole
2 O365W-AppRequirementThe second thing that I want to look at is the default configuration of the Office Click-to-Run app that is created when walking through the Microsoft Office 365 Client Installation Wizard. More specifically, the Requirements tab of the created Deployment Type. After a new Office Click-to-Run app is created, the Intune O365 ProPlus management condition is added as requirement to the Deployment Type. The value is configured to False, to make sure that the Office Click-to-Run app is not installed when the Office Click-to-Run apps workload is switched to Intune (or to Pilot Intune).
3 O365W-WbemTestThe third thing that I want to look at is the change on a co-managed device after the Office Click-to-Run apps workload is switched to Intune. Starting with Configuration Manager, version 1806, the Configuration Manager client has a new DeviceProperty named DeviceIsO365IntuneManaged in the root\ccm\cimodels namespace.Based on the configuration of the Office Click-to-Run apps workload, this property is configured to either TRUE or FALSE. That is done during the evaluation of the CoMgmtSettingsProd (and for pilot devices also CoMgmtSettingsPilot) baseline on Configuration Manager clients.

Note: Together these 3 things will make sure that the Configuration Manager client will no longer install any deployed Office Click-to-Run apps when the Office Click-to-Run apps workload is switched.

Summary

Let’s end this post with a summary of what is happening from a Configuration Manager perspective.

  • A relatively new Global Condition, named Intune O365 ProPlus management, is available in Configuration Manager;
  • The Intune O365 ProPlus management condition is used to verify if the co-managed device should use Configuration Manager or Intune for installing the Office Click-to-Run app;
  • The Intune O365 ProPlus management condition is added by default to to Office Click-to-Run apps created through the Microsoft Office 365 Client Installation Wizard;
  • A relatively new DeviceProperty, named DeviceIsO365IntuneManaged, is available in the Configuration Manager client configuration in WMI;
  • The DeviceIsO365IntuneManaged property is used to contain the status of the co-managed device, regarding whether Configuration Manager or Intune should be used to install the Office Click-to-Run app;
  • The DeviceIsO365IntuneManaged property is configured based on the status of the Office Click-to-Run apps workload in the co-management configuration;
  • The Office Click-to-Run app is deployed via Configuration Manager and the Configuration Manager client verifies the status of the DeviceIsO365IntuneManaged property by using the Intune O365 ProPlus management condition.

More information

For more information regarding the Office Click-to-Run apps workload, please refer to this article about Co-management workloads.

Move the content library to a remote location

This week is all about moving the content library to a remote location in Configuration Manager, version 1806. Moving the content library to a remote location is an important step in making a Configuration Manager hierarchy high available. Configuration Manager, version 1806, introduced site server high availability for a standalone primary site server role by installing an additional site server in passive mode. To complete that high available configuration it’s also smart to move the content library to a remote location. That will make sure that the content library is still available when the active site server went down. This post will provide the prerequisites for moving the content library, the steps to move the content library and the flow when moving the content library.

Prerequisites

Before actually moving the content library to a remote location, make sure that the following prerequisites are in place:

  • Create a folder on a network share that will be used as the location for the content library;
  • Provide the site server account with read and write permissions to the created folder;
  • Make sure that the site server doesn’t have the distribution point role.

Move content library

Now let’s have a look at actually moving the content library. This action is actually relatively simply and can be achieved by performing the following four steps.

1 Open the Configuration Manager administration console and navigate to Administration > Overview > Site Configuration > Sites;
2

Select the site and click Manage Content Library on the Site section of the Home tab, to open the Manage Content Library dialog box;

Note: The option will be grayed out when the site server has the distribution point role.

3

CM_MCL-NewLocationOn the Manage Content Library dialog box, provide the just created new folder and click Move;

Note: The Current Location will be empty when the current content library is divided on multiple disks.

Important to mention is that this action actually only copies the content library to the specified remote location. It doesn’t remove the content library from the old location. That would be a manual action.

Follow the flow

Let’s end this post by following the flow through the main log files and the Configuration Manager administration console. In my opinion always the most interesting part. I would like to divide this into three sections, 1) the actual trigger of the move content library action, 2) the start of the copy content action and 3) the end of the copy content action.

The trigger

The trigger of the action to move the content library to a remote location is logged in SMSProv.log. That log file shows the execution of the SetContentLibraryLocation method of the SMS_Site class. That method can also be used for automation with PowerShell. CM-MCL-SMSProvlog

The start

CM_MCL-StatusPercentage

The actual start of the action to move the content library to a remote location is logged in distmgr.log. That log file shows the source and destination location followed by the status of the action. It also shows that it will update the information in the Configuration Manager administration console, which is also shown above. At this point the location in the console is still the current location.

CM-MCL-distmgrlog

The end

CM_MCL-StatusPercentage-done

The end of the action to move the content to a remote location is also logged in distmgr.log. That log file shows that after the content is copied, the content will also be validated and once that’s completed it will state that the action is completed. It also shows that it updated the information in the Configuration Manager administration console, which is also shown above. At this point the location in the console is the new location.

CM-MCL-distmgrlog-done

More information

More information about the content library and the flowchart for managing content, please refer to the following articles:

Software Center is getting close to awesome!

It’s almost been too long ago since I’ve done my latest post about Software Center. Luckily there are enough reasons introduced with Configuration Manager, version 1806,  to devote another blog post to Software Center, as Software Center is getting close to awesome. Yes, I deliberately say close to awesome, as we always need to leave options open for improvement. In this post I’ll focus on three great new additions to Software Center: 1) infrastructure improvements, 2) a custom tab and 3) maintenance windows.

No more application catalog website point and web service point required

Let’s start with the first and, in my opinion, best improvement related to Software Center. Starting with Configuration Manager, version 1806, available user-targeted apps can be made available in Software Center without using the application catalog website point and the application web service point. Both of these roles are no longer required. Software Center now relies on management points to get the information about available user-targeted apps. This also implies that the agent must be updated to provide the new functionality.

I’ve removed both of the mentioned roles. To completely clean up the configuration, especially from a Software Center perspective, also the Open the Application Catalog web site link must be removed (or actually be hidden) from Software Center. Otherwise it will still show a gray unneeded text. To achieve this, simply follow the next four steps.

1 Open the Configuration Manager administration console and navigate to Administration > Overview > Client Settings;
2 Now either open/create a new Custom Client Device Settings and select the Software Center section, or open open the Default Client Settings and select the Software Center section;
3 In the Software Center section, select Yes with Select these new settings to specify company information and click Customize with Software Center settings to open the Software Center Customization dialog box;
4

SC_Customization-GeneralOn the Software Center Customization dialog box, select the General tab and provide at least the following information;

  • Select Hide Application Catalog link in Software Center;

Note: In my example I’ve only selected to hide the Application Catalog link. Below is an example of the link in Software Center that will be removed. I deliberately left the link, to show that it’s not a link anymore and to show what will be removed;

SC_InstallationStatus

Custom configurable tab available for linking to a webpage

The second, also pretty good, improvement, is the ability to add a custom tab to Software Center. The administrator can define a name for the custom tab and the administrator can specify a URL that should be opened in the custom tab. It can be an internal webpage and an external webpage. The latter option would of course require an Internet connectivity. This also implies that the agent must be updated to provide the new functionality. To achieve this, simply follow the next four steps.

1 Open the Configuration Manager administration console and navigate to Administration > Overview > Client Settings;
2 Now either open/create a new Custom Client Device Settings and select the Software Center section, or open open the Default Client Settings and select the Software Center section;
3 In the Software Center section, select Yes with Select these new settings to specify company information and click Customize with Software Center settings to open the Software Center Customization dialog box;
4

SC_Customization-TabsOn the Software Center Customization dialog box, select the Tabs tab and provide at least the following information;

  • Select Specify a custom tab for Software Center;
  • Tab name: Provide a custom name;
  • Content URL: Provide a valid URL;

Note: In my example the custom tab is named Contact and it refers to the contact page of my blog. An example of the user experience is shown below.

SC_CustomTab

Next scheduled maintenance window is shown

The third improvement is a little bit smaller, but can provide really useful information to the end-user. The third improvement is the availability of the next available maintenance window within Software Center. Previously this required a little bit of custom scripting, but now the information is available within the Upcoming section of the Installation status tab in Software Center. This also implies that the agent must be updated to provide the new functionality.

SC_InstallationStatus

More information

More information about what’s new related to Software Center in the latest current branch version, please refer to this article about What’s new in version 1806 of Configuration Manager current branch – Software Center.

Rename a device via Windows 10 MDM

This blog post uses the Accounts configuration service provider (CSP), to create a local user account on Windows 10 devices. This area was added in Windows 10, version 1803.

This weeks blog post is a follow up on last weeks post about creating a local user account via Windows 10 MDM. This week is also about the Accounts CSP, but this this time I’ll use the Accounts CSP for renaming a Windows 10 device. This can be useful with maintaining a specific naming convention. I’ll show the available nodes, I’ll show how to configure them and I’ll end this post by showing the end-user experience. Also, I’m pretty sure this will be possible via Windows AutoPilot at some point in time, but, even then, this can be useful for existing devices.

Overview

Like last week, let’s start by having a look at the tree of the Accounts CSP. That enables everybody to use this post without switching between this post and my previous post.

Available nodes

The Accounts CSP contains nodes for renaming a computer account and for the creation of a user account. To get a better understanding of the different nodes, it’s good to walk through the available nodes. Specifically those related to the device name, as those are the subject of this post. Let’s go through those related nodes.

  • .Device/Vendor/MSFT/Account – Defines the root node for the Accounts CSP;
  • Domain – Defines the interior node for the domain account information;
  • ComputerName – Defines the name of the device.

Configurable nodes

There is basically only one configurable node related to the naming of the device. The ComputerName node. The ComputerName node can be any string within the standard requirements for a device name. Besides that, it also allows a couple of macros. The table below provides an overview of them.

Macro Description
%RAND: <# of digits>%

This macro can be used to generate a random number with the specified number of digits, as part of the device name.

Example: CLDCLN%RAND:6%

%SERIAL%

This macro can be used to set the serial number of the device, as part of the device name.

Example: CLDCLN%SERIAL%

Note: The random number macro can create pretty bizarre behavior when targeted at devices (or users). It will keep on renaming the device. In that case make sure to use a Dynamic Device group filtered on disaplayName (for example filtered on Starts With DESKTOP). That will prevent constant renaming of the devices, as the devices will eventually loose the membership of the group.

Configure

Now let’s continue by having a look at the configuration to rename a device. In other words, create a device configuration profile with the previously mentioned custom OMA-URI setting. The following three steps walk through the creation of that device configuration profile. After that simply assign the created profile to a device group.

1 Open the Azure portal and navigate to Intune > Device configuration > Profiles;
2 On the Devices configuration – Profiles blade, click Create profile to open the Create profile blade;
3a

On the Create profile blade, provide the following information and click Create;

  • Name: Provide a valid name;
  • Description: (Optional) Provide a description;
  • Platform: Select Windows 10 and later;
  • Profile type: Select Custom;
  • Settings: See step 3b.
3b

MSI-CN-SerialOn the Custom OMA-URI Settings blade, provide the following information and click Add to open the Add row blade. On the Add row blade, provide the following information and click OK (and click OK in the Custom OMA-URI blade);

  • Name: Provide a valid name;
  • Description: (Optional) Provide a description;
  • OMA-URI: ./Device/Vendor/MSFT/Accounts/Domain/ComputerName;
  • Data type: Select String;
  • Value: CLDCLN%SERIAL% (or use the other example of CLDCLN%RAND:6%).

Note: At some point in time this configuration will probably become available in the Azure portal without the requirement of creating a custom OMA-URI.

End-user experience

Let’s end this post by having a quick look at the end-user experience. There is not that much to be shown, besides the actual device name. However, it’s good to see that it automatically generates a name within the restrictions of a device name. Below on the right is a screenshot of the serial number of the device and below on the left is a screenshot of the generated device name. It contains the specified prefix with the added serial number. When the serial number is too long, it will use the maximum number of characters that are allowed for a device name. It uses the characters starting from the back.

CN-Serial-Properties CN-Serial-CMD

Note: The reporting in the Azure portal still provides me with a remediation failed error message, while the actual rename of the device was a success.

More information

For more information about the Accounts CSP, refer to this article named Accounts CSP.

Create a local user account via Windows 10 MDM

This blog post uses the Accounts configuration service provider (CSP), to create a local user account on Windows 10 devices. This area was added in Windows 10, version 1803, which is currently available as Insider Preview build.

This week is all about creating local user accounts via Windows 10 MDM. That can for example make life a bit easier with troubleshooting an offline device. A fallback account. In this post I’ll show how this can be achieved by using the Accounts CSP. I’ll show the available nodes and I’ll show how to configure them. I’ll end this post by showing the end-user experience. Also, spoiler alert, it’s good to note that this is not a pretty administrator experience at this moment, but I’m pretty sure that will be fixed when it’s a built-in configuration in Microsoft Intune.

Overview

Let’s start by having a look at the tree of the Accounts CSP.

Available nodes

The Accounts CSP contains nodes for renaming a computer account and for the creation of a user account. To get a better understanding of the different nodes, it’s good to walk through the available nodes. Specifically those related to user accounts, as those are the subject of this post. Let’s go through those related nodes.

  • .Device/Vendor/MSFT/Account – Defines the root node for the Accounts CSP;
  • Users – Defines the interior node for the user account information;
  • [UserName] – Defines the username of the new local user account;
  • Password – Defines the password for the new local user account;
  • LocalUserGroup – Defines the local user group for the new local user account.

Configurable nodes

There are basically two configurable nodes related to the creation of a local user account. The Password node and the LocalUserGroup node. The [UserName] node should contain the username and can be anything. The table below provides an overview of the configurable nodes.

Node Value Description
Password

String

This required setting allows the administrator to set the password for the new local administrator account.
LocalUserGroup Integer
1 – (Default) Users
2 – Administrators
This optional setting allows the administrator to control the local user group of the new local administrator account.

Note: The password value can be any valid string and is visible as plaintext in the Azure portal.

Configure

Now let’s continue by having a look at the required and optional configuration to create a local user account on the device. In other words, create a device configuration profile with the previously mentioned custom OMA-URI settings. The following three steps walk through the creation of that device configuration profile. After that simply assign the created profile to a user or device group.

1 Open the Azure portal and navigate to Intune > Device configuration > Profiles;
2 On the Devices configuration – Profiles blade, click Create profile to open the Create profile blade;
3a

On the Create profile blade, provide the following information and click Create;

  • Name: Provide a valid name;
  • Description: (Optional) Provide a description;
  • Platform: Select Windows 10 and later;
  • Profile type: Select Custom;
  • Settings: See step 3b and 3c.
3b

LU_PasswordOn the Custom OMA-URI Settings blade, provide the following information and click Add to open the Add row blade. On the Add row blade, provide the following information and click OK;

  • Name: Provide a valid name;
  • Description: (Optional) Provide a description;
  • OMA-URI: ./Device/Vendor/MSFT/Accounts/Users/TestUser/Password;
  • Data type: Select String;
  • Value: P@ssw0rd!.
3c

LU_GroupOn the Custom OMA-URI Settings blade, provide the following information and click Add to open the Add row blade. On the Add row blade, provide the following information and click OK (and click OK in the Custom OMA-URI blade);

  • Name: Provide a valid name;
  • Description: (Optional) Provide a description;
  • OMA-URI: ./Device/Vendor/MSFT/Accounts/Users/TestUser/LocalUserGroup;
  • Data type: Select Integer;
  • Value: 2.

Note: At some point in time this configuration will probably become available in the Azure portal without the requirement of creating a custom OMA-URI.

End-user experience

Let’s end this post by having a quick look at the end-user experience. There’s actually not that much to be shown. Only the created account. Below on the left is a screenshot of the default configuration of the created user account, including the full name, and below on the right is a screenshot of the group memberships of the created user account.

TestUser01 TestUser02

Note: The reporting in the Azure portal still provides me with a remediation failed error message, while the actual account creation was a success.

More information

For more information about the Accounts CSP, refer to this article named Accounts CSP.

Co-management and the ConfigMgr client

This blog post is a follow-up on this earlier post about deploying the ConfigMgr client via Microsoft Intune. In this post I want to look more at the behavior of the ConfigMgr client in a co-management scenario. I want to show the available configurations and, more importantly, I want to show the behavior of the ConfigMgr client. I want to show the corresponding configuration and the messages in the different log files.

Co-management configuration

Now let’s start by looking at the different configuration options of co-management and the configuration values. To look at the available configuration options, simply follow the next three steps (assuming the initial co-management configuration is already created).

1 Open the Configuration Manager administration console and navigate to Administration > Overview > Cloud Services > Co-management;
2 Select CoMgmtSettingsProd and click Properties in the Home tab;
3

ComanagementPropertiesNavigate to the Workloads tab, which provides the option to switch the following workloads from Configuration Manager to Intune:

  • Compliance policies;
  • Resource access policies (this contains VPN, Wi-Fi, email and certificate profiles);
  • Windows Update policies.

Note: Looking at the current Technical Preview version, the number of available workloads will quickly increase.

ConfigMgr client behavior

Now let’s make it a bit more interesting and look at the behavior of the ConfigMgr client. By that I mean the configuration changes of the ConfigMgr client that can be noticed in the log files. The co-management configuration related log file is the CoManagementHandler.log (as shown below). That log file shows the processing of the configuration and the MDM information related to the device.

Log_ComanagementHandler

The values in the CoManagementHandler.log are shown, after a configuration change, in both hex and decimal. These values relate to the following workload distribution.

Value Configuration Manager Microsoft Intune
1 (0x1) Compliance policies, Resource access policies, Windows update policies
3 (0x3) Resource access policies, Windows Update policies Compliance policies
5 (0x5) Compliance policies, Windows Update policies Resource access policies
7 (0x7) Windows Update policies Compliance policies, Resource access policies
17 (0x11) Compliance policies, Resource access policies Windows Update policies
19 (0x13) Resource access policies Compliance policies, Windows Update policies
21 (0x15) Compliance policies Resource access policies, Windows Update policies
23 (0x17) Compliance policies, Resource access policies, Windows Update policies

Compliance policies

When co-management is enabled, the ConfigMgr client will verify if it should apply compliance policies. Before applying them. That information is shown in the ComplRelayAgent.log (as shown below). It shows the current configuration (for a translation of the workload flags see the table above) and what it means for the status of the compliance policies. After that it will perform an action on the policy. In this case it won’t report a compliance state.

Log_ComplRelayAgent

Resource access policies

When co-management is enabled, the ConfigMgr client will also verify if it should apply resource acces policies. Before applying them. That information is shown in the CIAgent.log (as shown below). As that log file is used for a lot more operations, it might be a bit challenging to find the information. It shows the current configuration (for a translation of the workload flags see the table above) and what it means for the status of the resource access policies. After that it will perform an action on the policy. In this case it will skip the related CI.

Log_CIAgent

Windows Update policies

When co-management is enabled, the ConfigMgr client will also verify if it should apply Windows Update for Business policies. Before applying them. That information is shown in the WUAHandler.log (as shown below). It shows the current configuration (for a translation of the workload flags see the table above) and what it means for the status of the Windows Update for Business policies. After that it will perform an action on the policy. In this case it will look for assigned policies.

Log_WuaHandler