Saturday 27 August 2016

ConfigMgr Current Branch - native integration with Windows Store for Business

System Center Configuration Manager landing page

The eagerly awaited 1606 version of ConfigMgr Current Branch was recently released. As we have come to expect from the ConfigMgr team, this version is full of enhancements and new features. There are changes in the following areas, and you can find full details on TechNet:
  • Updates and servicing
  • Accessibility
  • Administration
  • On premises Mobile Device Management
  • Application Management
  • Software Updates
  • Operating System Deployment
  • Compliance Settings
  • Device Configuration and Protection
  • Remote Control
I really like the subtle change in the Updates and Servicing node. The clutter of previous versions has been removed.


Only the latest version (and hotfix) is now listed.


Click on the History button on the ribbon to see the previous versions.

My two favourite features of this version continue the trend of "cloud integration".
  • Sync data from Configuration Manager to the Microsoft Operations Management Suite
  • Windows Store for Business integration
In this blog I'll concentrate on the WSfB integration. In a previous blog I described the WSfB and explained how to set up a store account, so I won't repeat that here. Follow the steps below to integrate WSfB with ConfigMgr. At the end of the blog I list the issues encountered by me and some colleagues in configuring the solution.

Turn on Windows Store for Business integration

WSfB integration is a pre-release feature (even though it doesn't say so in the ConfigMgr console). You must first give your consent to use pre-release features.

Navigate to Administration > Site Configuration > Sites. Select your site and choose Hierarchy Settings in the ribbon above.


Tick the box Consent to use Pre-Release features.


Navigate to Administration > Cloud Services > Updates and Servicing > Features. Right click Windows Store for Business Integration and select Turn on.


Accept the warning to turn on the feature. Close and re-open the Configuration Manager console. The Windows Store for Business node is now available under Cloud Services.

Register ConfigMgr as a management tool in WSfB

For this step we are going to need access to the Azure and WSfB portals for the tenant.

Open the Azure Portal. Select your Azure Active Directory and click Applications > Add.


Select Add an application my organization is developing.


Choose a suitable name for the application and select Web application and/or Web API. Click the arrow to continue.


Enter a URL for the Sign-on URL and App ID URI. The URL needs to be the same for both but doesn't have to exist. Click on the tick to complete the wizard.


The app has been added. Click on Configure from the menu at the top.


Note the Client ID (copy it as we'll need it later).


Under Keys select a duration and then click Save. This will create a new client key. You will only be able to copy the client key while on this page so don't navigate away until you have completely finished the process.

Copy the client key. We'll need it later.

Now log into the WSfB to add Configuration Manager as the store management tool. Select Settings > Management tools.


Click Add a management tool.


Search for the application you just created in AAD and click Add.


Activate the management tool (I missed this step first time round - see "Issues encountered" below).


Only one management tool can be active at a time.


If you are going to use offline-licensed apps navigate to the Manage > Account Information page.



Select Show offline licensed apps.

Add WSfB store account in Configuration Manager console.

Navigate to Administration > Cloud Services > Windows Store for Business.


Right click and choose Add Windows Store for Business account.


Read the instructions and verify that you have already carried out the steps.


Enter your tenant name. Enter the Client ID and Client key that you copied earlier. Click Verify. This verifies that the Client ID and Key are correct. It doesn't check that you have correctly added a management tool.

Add a location to store the content.


Select Application Catalog languages.


WSfB integration has been configured.


First sync has succeeded.


See WsfbSyncWorker.log file for progress.


Apps are available in Software Library > Application Management > License Information for Store Apps.

Application content has been downloaded.

Create application.

Create a ConfigMgr application as normal. Right click an app in Software Library > Application Management > License Information for Store Apps.


Select Create Application.


Review the information and click Next.


Application information was imported from the appx package.


Enter a suitable name and details.


The application has been created.


See the application and deployment types. The app can now be distributed and deployed as normal.

Issues encountered.

I just wanted to share some issues encountered by me and some of my colleagues while configuring the solution.

1. Unauthorized - this one happened to me.


The first sync failed and the error below appeared in the WsfbSyncWorker.log file.

Error occured making http request calling 'GET' method on 'https://bspmts.mp.microsoft.com/V1/Inventory?maxResults=1000&modifiedSince=0001-01-01T00:00:00.0000000': (Unauthorized) 'Unauthorized'.

This was caused by the fact that I had added my app as a management tool for WSfB but I had missed the step to activate the tool. This meant that ConfigMgr was not authorized as a client to manage the WSfB. Once I activated the app and restarted the SMS_CloudConnection component the sync started and I could see the apps downloading to the content share (and could see them in the Software Library).

2. Proxy authentication

The error below appeared in the WsfbSyncWorker.log file.

                          ErrorCode: unknown_error
                          StatusCode: 407
[24, PID:9024][08/22/2016 14:20:04] :Failed authenticate with the Windows Store for Business.

The correct proxy credentials had been configured and the Software Update Point on the same server was able to authenticate.

Proxy support for WSfB has not yet been implemented. It is planned for a future release. As a workaround, set the proxy in the system level IE proxy settings on the server where the SCP is installed.
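To triage issues 1 and 2 quickly, the log can be scanned for both signatures at once. The following PowerShell is an added example, not part of the original post or of ConfigMgr; the function name Get-WsfbSyncFinding is hypothetical, and the sample input reuses the log lines quoted above plus one constructed line.

```powershell
# Added example: map WsfbSyncWorker.log lines to the two causes described in this post.
function Get-WsfbSyncFinding {
    param(
        [Parameter(ValueFromPipeline)]
        [string[]]$Line
    )
    begin {
        # Signature -> cause and fix, exactly as reported in issues 1 and 2.
        $rules = @(
            [pscustomobject]@{
                Issue   = 'Unauthorized'
                Pattern = "\(Unauthorized\)\s*'Unauthorized'"
                Cause   = 'Management tool was added in WSfB but not activated'
                Action  = 'Activate the tool in WSfB, then restart SMS_CloudConnection'
            },
            [pscustomobject]@{
                Issue   = 'ProxyAuth407'
                Pattern = 'StatusCode:\s*407\b'
                Cause   = 'Proxy requires authentication; WSfB sync has no proxy support yet'
                Action  = 'Set the proxy in the system-level IE proxy settings on the SCP server'
            }
        )
        $lineNumber = 0
    }
    process {
        foreach ($text in $Line) {
            $lineNumber++
            foreach ($rule in $rules) {
                if ($text -match $rule.Pattern) {
                    # One finding per matching line, without echoing the raw log text.
                    [pscustomobject]@{
                        LineNumber = $lineNumber
                        Issue      = $rule.Issue
                        Cause      = $rule.Cause
                        Action     = $rule.Action
                    }
                }
            }
        }
    }
}

# Sample input: lines quoted in this post; the second entry is a constructed non-error line.
$sample = @(
    "Error occured making http request calling 'GET' method on 'https://bspmts.mp.microsoft.com/V1/Inventory?maxResults=1000&modifiedSince=0001-01-01T00:00:00.0000000': (Unauthorized) 'Unauthorized'.",
    "[24, PID:9024][08/22/2016 14:15:00] :Constructed informational line.",
    "                          StatusCode: 407",
    "[24, PID:9024][08/22/2016 14:20:04] :Failed authenticate with the Windows Store for Business."
)
$sample | Get-WsfbSyncFinding | Format-Table -AutoSize
```

Against a live site, pipe the real file in with Get-Content and the path to WsfbSyncWorker.log on your site server.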

3. Delete and re-create the WSfB account

You've made a mistake and you want to start again. Try it. You can't remove the WSfB account in the console. This has not yet been exposed but you can get out of trouble using WMI.

I believe my colleague will be posting a blog post shortly on how to do this so I don't want to interfere with that.

I hope the information in this blog post will be of use to you.

Until next time..... 

Sunday 7 August 2016

ConfigMgr Current Branch - real world migration from ConfigMgr 2012R2


ConfigMgr Current Branch 1606 was released to GA this week and there has been a lot of excitement about the in-place upgrade to the latest version. I've done quite a number of upgrades from ConfigMgr 2012R2 to Current Branch so I thought that this would be a good time to describe some of the real world issues associated with this operation. Many of the ConfigMgr 2012R2 implementations we encounter are installed on Windows 2008R2 servers. This was OK at the time. However, if we want to configure Windows 10 servicing we now require Windows Server 2012R2 on the Primary Site Server and Software Update Points.

Previously I've blogged about migrating using ConfigMgr's built-in migration process. See that here. This works well and you can migrate from many previous versions (as far back as ConfigMgr 2007 SP2). In this case, though, you end up with a new site code and this isn't always the required outcome.

In this blog I'll describe the steps required to upgrade from ConfigMgr 2012R2 (installed on Windows Server 2008R2) to Current Branch 1606 (installed on Windows Server 2012R2).

ConfigMgr 1602 supports the in-place upgrade of the Operating System from Windows Server 2008R2 to Windows 2012R2. See the details here. However, some customers don't like in-place upgrades of the operating system and would like to start off with a freshly installed OS. To achieve this we must back up the site and restore it to a new Windows 2012R2 server. I've listed the high level steps to carry out this operation below:

Notes:
  1. In this blog I'm referring to the 2008R2 server as "old" and the 2012R2 server as "new"
  2. These steps are based on migrating a standalone Primary Site server configured as a Software Update Point.
Migration steps:
  • If you are using VMs take a snapshot of old
  • Back up the existing environment - I like to back up all the SQL databases with a SQL maintenance plan. It's also easy to back up the ConfigMgr site on old using the native ConfigMgr Site Backup maintenance task. Restart the SMS_Site_Backup component to start the backup immediately and monitor progress in the smsbkup.log file.
  • Deploy new Windows 2012R2 server, fully patch and join domain - use any name for now but use the same drive configuration as old.
  • Install Windows ADK 10 - you can still use ADK 1511 (download it here). A new ADK version 1607 has just been released and can be downloaded here. Official ConfigMgr support for ADK 1607 has not been announced at time of writing.
  • Install ConfigMgr 2012 pre-requisites on new as normal (roles and features)
  • Copy source content, content library, WSUS metadata share from old to new while retaining permissions - if you are using VMs it's easier to detach the VHDs from old and attach them to new.
  • Turn off old.
  • Rename new box to original Primary Site Server name
  • Optionally re-use the static IP address on new. It shouldn't matter as ConfigMgr uses DNS. However it can be useful to avoid recreating firewall rules.
  • Re-delegate permissions on System Management container
  • Install a supported SQL server version
  • Install WSUS (use SQL database) and carry out the initial WSUS metadata share configuration (use a different share name than previously, do not configure WSUS)
  • Stop WSUS services and detach WSUSDB
  • Rename SUSDB.mdf and SUSDB.ldf
  • Restore SUSDB database from old with overwrite option selected
  • Copy WSUS metadata from old share location to new share location
  • Start WSUS services
  • Install WSUS hotfix KB3095113
  • Install ConfigMgr 2012R2 and choose the recover site option, finish the wizard (we can only restore to the same ConfigMgr version)
  • Carry out the ConfigMgr 2012R2 post-recovery tasks as directed - e.g. update account passwords
  • Re-configure the Software Update Point to use port 8530/8531 instead of 80/443 - examine WCM.log for success
  • Verify ConfigMgr site and component status
  • Test ConfigMgr functionality
  • Run TestDBUpgrade for ConfigMgr Current Branch 1511
  • Perform in-place upgrade to ConfigMgr Current Branch 1511
  • Back up Configuration.mof (it will be overwritten by the upgrade)
  • Perform in-console upgrade to ConfigMgr Current Branch 1602 or 1606
  • Optionally install MDT and re-configure integration
  • Upgrade ConfigMgr clients to 1602/1606

Issues encountered


I encountered a number of issues during the process (mostly WSUS Issues).
  • If there is an existing WSUS GPO you must change the port from 80 to 8530
  • You may have to additionally open port 8530 between VLANs
  • I was unable to open the WSUS console. The following error appeared in the event log "The WSUS administration console has encountered an unexpected error. Index was outside the bounds of the array". This was solved by adding the HTTP Activation feature (I'd forgotten that one).
  • WSUS broke after KB3159706 - see TechNet forum for more details. This was solved by opening an elevated Command Prompt window, and then running "C:\Program Files\Update Services\Tools\wsusutil.exe postinstall /servicing"
  • Reporting was broken - there were duplicates of all reports preceded by an underscore. This was solved by removing and re-adding the reporting point
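
The first two WSUS issues above (a GPO still pointing at port 80, and port 8530 blocked between VLANs) can both be checked from a client. The following PowerShell is an added example, not part of the original post; the function name Test-WsusPolicyPort and the sample host names are hypothetical, and it assumes the GPO writes the WSUS URL to the standard WUServer policy value.

```powershell
# Added example: check whether the WSUS URL a client received by GPO uses the new ports.
function Test-WsusPolicyPort {
    param(
        # Defaults to the WUServer value written by the Windows Update GPO.
        [string]$WUServer = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -Name WUServer -ErrorAction SilentlyContinue).WUServer,
        # Also attempt a TCP connection to the expected port (needs network access
        # and Test-NetConnection, available from Windows 8.1 / Server 2012R2).
        [switch]$TestConnection
    )
    if (-not $WUServer) { throw 'No WUServer policy value found on this machine.' }

    $uri = [uri]$WUServer
    if (-not $uri.IsAbsoluteUri) { throw "WUServer '$WUServer' is not a full URL." }

    # After the migration the SUP listens on 8530 (HTTP) / 8531 (HTTPS), not 80 / 443.
    $expected = if ($uri.Scheme -eq 'https') { 8531 } else { 8530 }

    $result = [ordered]@{
        WUServer     = $WUServer
        PolicyPort   = $uri.Port      # 80 or 443 when the URL carries no explicit port
        ExpectedPort = $expected
        PolicyOk     = ($uri.Port -eq $expected)
    }
    if ($TestConnection) {
        # A failure here with PolicyOk = True points at a firewall or VLAN rule.
        $tcp = Test-NetConnection -ComputerName $uri.Host -Port $expected -WarningAction SilentlyContinue
        $result.Reachable = $tcp.TcpTestSucceeded
    }
    [pscustomobject]$result
}

# Constructed sample URLs: a stale GPO value, a corrected one, and a stale HTTPS one.
'http://cm01.example.local', 'http://cm01.example.local:8530', 'https://cm01.example.local:443' |
    ForEach-Object { Test-WsusPolicyPort -WUServer $_ }
```

Run it on a client with no arguments to read the value the GPO actually delivered, and add -TestConnection to confirm the port is open across the VLAN.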


I hope some of the information here will be helpful for you. Until next time....