Monday, 19 February 2018

What's new with Windows AutoPilot?

There have been a few recent developments with Windows AutoPilot so I wanted to take a closer look. You can read my original experience with AutoPilot here

New version of PoSH script

Version 1.3 of the Get-WindowsAutoPilotInfo script has been published

I decided to have a look through the versions to see the history of changes

The original script was version 1.0


.\Get-WindowsAutoPilotInfo.ps1 -ComputerName <ComputerName> -OutputFile .\ComputerName.csv


Details captured:
  • Device Serial Number
  • Windows Product ID
  • Hardware Hash

The Append switch was added in version 1.1
Additional computer details are appended to the output file instead of overwriting the file.


.\Get-WindowsAutoPilotInfo.ps1 -ComputerName <ComputerName> -OutputFile .\ComputerName.csv -append


The Credential switch was added in version 1.2
This allowed us to add the credentials necessary to connect to remote computers. This switch is not supported when gathering details from the local computer.

The Partner switch was added in version 1.3
This allows us to specify that additional details required by the Partner Center are gathered (for use by CSPs). Presumably this will also be required when the OEM Vendors start to upload the computer details on our behalf.


.\Get-WindowsAutoPilotInfo.ps1 -ComputerName <ComputerName> -OutputFile .\ComputerName.csv -Partner


Details captured:
  • Device Serial Number
  • Windows Product ID
  • Hardware Hash
  • Manufacturer Name
  • Device model

SCCM Report

The second development involves ConfigMgr. A new report has been introduced in 1802 TP. The "Windows AutoPilot Device Information" report lists all the information that we would normally gather using the PoSH script.

I hope this information is useful. Until next time.......

Monday, 12 February 2018

Migrate to Microsoft Intune from another MDM solution

Customers have asked me about this many times. How can we easily migrate to Intune from another MDM solution? Therefore I've decided to test drive a tool that I heard about recently. EBF have developed a tool called the EBF Onboarder and it supports the migration to Intune from pretty much all the well known MDM vendors. You can read about it here

It's really easy to use.

So let's start with the source MDM solution. You can see that I have a device waiting to be migrated.......

......and this is the EBF Onboarder. Click on New Migration to start.

Enter a name for the migration. Be creative.

Now we're asked to choose the source MDM system. The following solutions are supported sources:
  • Blackberry UEM
  • MobileIron Core (VSP)
  • MobileIron Core (EAS unmanaged)
  • MobileIron Cloud
  • AirWatch
  • XenMobile
  • Good for Enterprise
  • SAP Afaria
  • MaaS360
  • Sophos Mobile Control
  • Cisco Meraki
  • SOTI MobiControl
  • jamf PRO

Enter credentials for the source system. 

Microsoft Intune is the default target system. Enter your credentials. We only need to enter the tenant ID if the user has access to multiple tenants.

Click Find Devices.

EBF Onboarder connects to the source system and lists the device(s) that we need. Click Save Migration

Confirm that you want to Save the migration project.

You are presented with the content of the migration email that will be sent to users. This can be customized. Save the email.....

...and here is the migration. Check the box beside the users name and you can then select Send Invitations. This is so simple to use.

Now lets have a look at the behaviour on this Android device.

The user receives the invitation from EBF Onboarder for Intune.

The user opens the email and clicks on the Start Migration link.

The user is re-directed to the Onboarder service and asked to select Start Migration.

The first step is to retire the device from the source system. It's alarmingly quick (approximately 30 seconds).

Retirement is complete and now the user in invited to enrol with Intune. They are instructed to follow the Microsoft Intune link.

The user is re-directed to Google Play store and asked to download and install the Microsoft Intune Company Portal. We're familiar with the rest of the process at this stage.

User authenticates with Intune.........

.....and continues with the setup process.

The device is being added to Intune.

Enrollment is complete.

The device is available for management in the Intune portal.

The two-step retire/registration process on the device took less than five minutes and was very straightforward for the user to understand and follow. I was very impressed.

You can sign up for a trial on the EBF website The trial allows you to migrate 20 devices from multiple source systems and only expires when the 20 have been migrated.

I hope you found this blog post interesting. Until next time.........

Thursday, 8 February 2018

Failed to publish package to WSUS

I had a funny problem on a customer site today while deploying a Flexera CSI solution for third party patching. I integrated the solution with WSUS but had problems creating the agent package. The package failed to be published to WSUS.

The error was: Failed to publish package. Code: -2147467259. CreateDirectory failed.

Now I'm familiar with this error from my experience with System Center Updates Publisher. It's usually a permissions issue and that the logged on user does not have permissions to create a new folder in the UpdatesServicesPackages folder. Permissions was a good place to start troubleshooting.

I checked the NTFS permissions on the UpdatesServicesPackages folder but all looked normal
  • Full Control: Administrators, SYSTEM, WSUS Administrators
  • Read, Write: NETWORK SERVICE
  • List Folder Contents, Read, Read & Execute: Users/Everyone
I then thought I'd verify that my user account was in fact a member of the local administrators group on the server. That looked a bit weird. My user account AND SID were listed. That didn't look right to me so I figured that I needed to look into the health of the server.

I ran the PoSH cmdlet test-computersecurechannel and the result was worrying

Operation failed. Unknown interface.

Mmm, now I was getting a little concerned. Next step was to check the services and I found the little problem. The Workstation service was stopped (I have no idea how or why). Starting the service solved the problem and all was good again.

I could successfully create the package.

I hope this helps someone who encounters a similar problem. Until next time.....

Tuesday, 16 January 2018

Video training series "Manage ConfigMgr Internet clients with the Cloud Management Gateway"

I'm very pleased that TrueSec have just published my video training series 

Manage ConfigMgr Internet clients with the Cloud Management Gateway

There are five videos in the series:

Introduction to the CMG
This video is an Introduction to the Cloud Management Gateway. Previously when we wanted to manage ConfigMgr clients over the internet we would use Internet-based client management. This was a good technology with many advantages. However, there were also some disadvantages. Now we can use Cloud Management Gateway to manage these clients. It consists of a Microsoft Azure cloud service and a ConfigMgr site system role that communicates with the Azure service. Clients can then use the Azure service to communicate with ConfigMgr.
This is cool technology and gives us many advantages over traditional internet based client management.

Prerequisites for the Cloud Management Gateway
This video describes the general requirements for the successful implementation of a CMG solution. This includes specific ConfigMgr requirements and the certificates required for Cloud Distribution Point and Cloud Management Gateway.

Certificates for the Cloud Management Gateway
This video is all about certificates. These are the tasks that admins find the most difficult. We’ll be creating the certificates necessary for the configuration of the Cloud Distribution Point and the Cloud Management Gateway.

Configure the Cloud Management Gateway
In this video we will create the Cloud Distribution Point and Cloud Management Gateway. Then we’ll add the Cloud Management Gateway Connection Point.
Finally, we’ll configure the Management Point and Software Update Point to allow CMG traffic.

Managing clients with the Cloud Management Gateway
In this video we’ll have a look at a Windows 7 client and see how the behaviour changes when the client moves from the intranet to the internet. We’ll deploy software to the internet client. Finally, I’ll show you a couple of tricks that should be useful for your deployment.

I hope you enjoy the videos. Thanks to Johan Arwidmark and the guys at TrueSec.

Until next time......

New Intune features for Apple device management

I'm pretty busy at the moment with management of Apple devices using Microsoft Intune. Therefore I was particularly interested to see the new developments in this area in December.

Jamf Pro Integration

Jamf Pro is a very popular tool for the management of Apple devices (Mac, iPad, iPhone). 
  • Deployment
  • Device Management
  • App Management
  • Inventory
  • Self-service
  • Security
We can now integrate Intune and Jamf Pro. If your organization uses Jamf Pro to manage your end users' Macs, you can now use Microsoft Intune compliance policies with Azure Active Directory conditional access to ensure that devices in your organization are compliant.

Shut down iOS devices

This is a new iOS device action. We can now shut down iOS 10.3 supervised devices (immediately without warning to the end user).

Install Office apps on macOS devices

A new app type now allows us to install Office apps on macOS devices (Word, Excel, PowerPoint, Outlook, and OneNote).

Delete an iOS Volume Purchasing Program token

We can now delete the iOS Volume Purchasing Program (VPP) token using the console. This may be necessary when you have duplicate instances of a VPP token.

You can read about these and the other new features released in December in the What's new in Microsoft Intune doc site.

I'm looking forward to using these features over the coming weeks.

Until next time.....