Upgrading to Microsoft Configuration Manager (ConfigMgr) version 2503 is a critical step for IT administrators aiming to leverage the latest security enhancements and bug fixes. However, many have encountered a recurring issue during the prerequisite check: the checker fails with an error stating that the Microsoft ODBC Driver 18 for SQL Server is required.
This error often appears even when ODBC Driver 18 is already installed. This article explains the root cause of the problem and provides a complete solution.
Understanding the Issue
The Configuration Manager 2503 prerequisite checker mandates the installation of the Microsoft ODBC Driver 18 for SQL Server. However, the link provided in the error message (https://go.microsoft.com/fwlink/?linkid=2220989) directs users to an outdated build of the driver. Consequently, even if a version of the driver is installed, the prerequisite check fails if it is older than the build the checker expects.
Administrators have reported that installing the driver from the provided link results in a message indicating that a newer version is already present, yet the prerequisite check continues to fail. The inconsistency stems from the prerequisite checker requiring a specific minimum build, not merely the presence of "version 18" (as reported on Reddit and at System Center Dudes).
Recommended Solution
Step 1: Obtain the correct driver version
To resolve this issue, it's essential to ensure that the correct build of the Microsoft ODBC Driver 18 for SQL Server is installed. The prerequisite checker expects version 18.5.1.1 or later, so download that version (or newer) from Microsoft's current download page rather than from the link in the error message.
Step 2: Choose the installer for your architecture
Choose the appropriate installer based on your system architecture (e.g., x64 for the site server).
Step 3: Re-run the Prerequisite Check
After installing the correct version:
Open the Configuration Manager Console.
Navigate to Administration > Updates and Servicing.
Right-click on the Configuration Manager 2503 update and select Run prerequisite check.
The check should now pass without errors related to the ODBC driver.
Additional Considerations
Multiple ODBC Versions: Some administrators have multiple versions of the ODBC driver installed (e.g., ODBC Driver 17 and ODBC Driver 18 side by side). Multiple major versions can coexist, but the 18.x build must be 18.5.1.1 or later, because that is the one the prerequisite checker looks for; older 18.x builds must be upgraded in place.
Silent Installation: For automated deployments, the ODBC driver can be installed silently with msiexec. Note that the driver MSI refuses an unattended install unless the license terms are accepted on the command line, so the property IACCEPTMSODBCSQLLICENSETERMS=YES is required:
msiexec /i msodbcsql18.msi /quiet /norestart IACCEPTMSODBCSQLLICENSETERMS=YES
Replace msodbcsql18.msi with the actual filename of the downloaded installer (the file Microsoft ships is normally named msodbcsql.msi).
Verify Installation: After installation, verify the driver version:
Open ODBC Data Source Administrator.
Navigate to the Drivers tab.
Ensure that ODBC Driver 18 for SQL Server is listed with version 18.5.1.1 or later.
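The same check can be scripted, which is useful across several site systems. The following is an added example (not code from the original article): it reads the driver registration that the ODBC Driver Manager uses, takes the installed version from the MSI product entry, compares it with the 18.5.1.1 minimum quoted above, and wraps the silent install. It assumes a 64-bit PowerShell session on the site server, the English driver name, and that the path you pass to Install-OdbcDriver18Silently points at a downloaded driver MSI.

```powershell
# Added example (not from the original article): verify the 64-bit
# "ODBC Driver 18 for SQL Server" on a ConfigMgr site server meets the
# version the 2503 prerequisite checker expects; optionally install it silently.
# Assumptions: 64-bit PowerShell on the site server, English driver name,
# minimum version 18.5.1.1 as stated in the article.

$RequiredVersion = [version]'18.5.1.1'
$DriverName      = 'ODBC Driver 18 for SQL Server'

function Get-OdbcDriver18Info {
    # The ODBC Driver Manager registers every driver under ODBCINST.INI; the
    # 'Driver' value is the full path of msodbcsql18.dll. A 64-bit process
    # (the site server) only sees the 64-bit view of HKLM.
    $instKey = "HKLM:\SOFTWARE\ODBC\ODBCINST.INI\$DriverName"
    $dll = $null
    if (Test-Path $instKey) {
        $dll = (Get-ItemProperty -Path $instKey -Name Driver -ErrorAction SilentlyContinue).Driver
    }

    # The installed MSI product carries the precise build in DisplayVersion.
    $product = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.DisplayName -like 'Microsoft ODBC Driver 18 for SQL Server*' } |
        Select-Object -First 1

    $ver = $null
    if ($product -and $product.DisplayVersion) { $ver = [version]$product.DisplayVersion }

    [pscustomobject]@{
        Registered = [bool]$dll   # visible to the ODBC Driver Manager (Drivers tab)
        DllPath    = $dll
        Version    = $ver         # build from the MSI product entry
    }
}

function Test-OdbcDriver18Meets {
    param([version]$Minimum = $RequiredVersion)
    $info = Get-OdbcDriver18Info
    # Both conditions matter: a registered driver that is too old fails the
    # prerequisite check just like a missing one.
    $ok = $info.Registered -and $info.Version -and ($info.Version -ge $Minimum)
    [pscustomobject]@{
        MeetsRequirement = [bool]$ok
        Minimum          = $Minimum
        Found            = $info.Version
        DllPath          = $info.DllPath
    }
}

function Install-OdbcDriver18Silently {
    param([Parameter(Mandatory)][string]$MsiPath)
    # The driver MSI requires explicit license acceptance for an unattended
    # install; without IACCEPTMSODBCSQLLICENSETERMS=YES it exits without installing.
    $msiArgs = "/i `"$MsiPath`" /qn /norestart IACCEPTMSODBCSQLLICENSETERMS=YES"
    $p = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    return $p.ExitCode   # 0 = success, 3010 = success but a reboot is pending
}

# Usage on the site server:
$result = Test-OdbcDriver18Meets
$result | Format-List
if (-not $result.MeetsRequirement) {
    Write-Warning "Install ODBC Driver 18 $RequiredVersion or later, e.g. Install-OdbcDriver18Silently -MsiPath C:\Temp\msodbcsql.msi"
}
```

Run it again after the installer finishes; MeetsRequirement should flip to True before you re-run the prerequisite check in the console. If the site server hosts 32-bit components that also need the driver, repeat the registry check under HKLM:\SOFTWARE\WOW6432Node\ODBC\ODBCINST.INI.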
Conclusion
The prerequisite check failure during the Configuration Manager 2503 upgrade, related to the Microsoft ODBC Driver 18 for SQL Server, is primarily due to version discrepancies. By uninstalling outdated versions and installing the recommended version 18.5.1.1 or later, administrators can ensure a smooth upgrade process.
In the realm of systems management, maintaining the stability and reliability of essential services is crucial for uninterrupted operations. A notable challenge that has emerged in this context involves the SMS_EXECUTIVE service, a vital component of the Configuration Manager, which is experiencing unexpected terminations shortly after startup. This issue not only hampers the functionality of the Configuration Manager but also poses significant concerns for system administrators who rely on this service for managing networked systems efficiently.
Overview of the Issue
The SMS_EXECUTIVE service, responsible for executing several critical tasks within the Configuration Manager infrastructure, including processing incoming data, executing administrative actions, and managing component threads, has been reported to crash moments after it is initiated. This abrupt termination of the service disrupts the normal workflow, leading to a series of operational challenges.
Scope of the Investigation
This post aims to delve into the potential causes of this issue, examining various aspects such as system logs, configuration settings, recent updates, and environmental factors that might contribute to the instability of the SMS_EXECUTIVE service. The primary objective is to isolate the root cause of the crash and provide a comprehensive analysis that can guide towards effective troubleshooting and resolution strategies.
Importance of Addressing the Issue
The stability of the SMS_EXECUTIVE service is paramount for the seamless operation of the Configuration Manager. Its failure not only impacts the efficiency of system management tasks but also poses risks related to security, compliance, and overall network health. Addressing this issue is thus critical for ensuring that the Configuration Manager continues to function as a robust and reliable tool for system administrators.
In the following sections, we will explore the technical details of the issue, outline the methodologies employed in the investigation, and discuss potential solutions to restore the functionality of the SMS_EXECUTIVE service effectively.
Identifying Potential Causes for the SMS_EXECUTIVE Service Crash
In order to effectively address the issue of the SMS_EXECUTIVE service crashing, it is essential to systematically identify and evaluate potential causes. This section outlines a structured approach for investigating various factors that could contribute to this problem.
1. System and Application Logs Analysis
Event Viewer Logs: A thorough examination of the Windows Event Viewer logs, specifically focusing on the Application and System logs around the time of the crash, can provide critical insights. Error messages or warnings preceding the crash are often indicative of underlying issues.
SMS_EXECUTIVE Logs: The Configuration Manager logs, particularly smsexec.log and the per-component logs in the site server's Logs folder, should be scrutinized for unusual entries or error codes written just before the service stops; the last component that logged activity is often the one whose thread took the process down.
2. Configuration and Environment Review
Recent Changes: Any recent changes made to the system or the Configuration Manager settings could be a contributing factor. This includes updates, patches, or modifications in the configuration.
System Resources: Insufficient system resources, such as memory or CPU, can lead to service instability. Monitoring resource usage patterns around the time of the crash is crucial.
Network and Connectivity Issues: Network problems or connectivity interruptions can impact the functionality of the SMS_EXECUTIVE service, especially if it relies on remote components or databases.
3. Component Dependencies and Interactions
Dependent Services: Understanding the dependencies of the SMS_EXECUTIVE service, such as other Configuration Manager components or Windows services, is vital. If a dependent service is failing or unstable, it can cascade to the SMS_EXECUTIVE service.
Inter-Service Communication: Analyzing how SMS_EXECUTIVE interacts with other services and components within the Configuration Manager ecosystem can reveal potential points of failure.
4. Software Updates and Compatibility
Update History: Reviewing the history of updates applied to the Configuration Manager and the underlying operating system can help identify if a recent update might be causing compatibility issues.
Third-Party Software: The presence of third-party software or add-ons, particularly those that interface with the Configuration Manager, should be evaluated for compatibility and stability concerns.
5. Security and Access Control
Security Software Interference: Security solutions such as antivirus or firewall settings might be interfering with the operation of the SMS_EXECUTIVE service. Exploit-mitigation policies that the OS applies to the smsexec.exe process belong in this category too: a mitigation that the binary does not tolerate terminates the process rather than logging a warning.
Permissions and Access Rights: Ensuring that the SMS_EXECUTIVE service has appropriate permissions to execute its tasks is crucial. Incorrect permissions can lead to service failures.
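Before changing any configuration, capture the evidence the checklist above asks for. The following is an added example (not part of the original post): it pulls the Application Error events (ID 1000) for smsexec.exe from the Application log and summarizes how often the process is crashing, in which faulting module, and with which exception code, so you can tell a one-off failure from a crash-on-every-start pattern. It assumes English event messages and a readable Application log on the site server; the sample events at the bottom are constructed for an offline run, not real log data.

```powershell
# Added example (not from the original post): summarise smsexec.exe crashes
# recorded by Windows Error Reporting as Application Error events (ID 1000).
# Assumptions: English event text; caller can read the Application log.

function Get-SmsExecCrashSummary {
    param(
        # Only TimeCreated and Message are used, so the function accepts
        # Get-WinEvent output or the constructed sample objects below.
        [Parameter(Mandatory)][object[]]$Events
    )
    $crashes = foreach ($e in $Events) {
        if ($e.Message -notmatch 'Faulting application name:\s*smsexec\.exe') { continue }
        $module = if ($e.Message -match 'Faulting module name:\s*(\S+?),') { $Matches[1] } else { 'unknown' }
        $code   = if ($e.Message -match 'Exception code:\s*(0x[0-9A-Fa-f]+)') { $Matches[1] } else { 'unknown' }
        [pscustomobject]@{ Time = $e.TimeCreated; Module = $module; ExceptionCode = $code }
    }
    $crashes = @($crashes | Sort-Object Time)
    [pscustomobject]@{
        CrashCount  = $crashes.Count
        First       = if ($crashes.Count) { $crashes[0].Time }  else { $null }
        Last        = if ($crashes.Count) { $crashes[-1].Time } else { $null }
        ByModule    = $crashes | Group-Object Module        | Sort-Object Count -Descending | Select-Object Name, Count
        ByException = $crashes | Group-Object ExceptionCode | Sort-Object Count -Descending | Select-Object Name, Count
    }
}

function Get-SmsExecCrashSummaryFromLog {
    param([int]$Days = 7)
    # Provider 'Application Error' writes the ID 1000 crash records.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
    Get-SmsExecCrashSummary -Events @($events)
}

# Constructed sample (not real data): three crashes, same module and code,
# which is the signature of a deterministic startup failure.
$sampleEvents = @(
    [pscustomobject]@{ TimeCreated = Get-Date '2024-03-01 08:00:12'
        Message = "Faulting application name: smsexec.exe, version: 5.0.9999.1000, time stamp: 0x00000001`nFaulting module name: ntdll.dll, version: 10.0.0.0, time stamp: 0x00000002`nException code: 0xc0000409`nFault offset: 0x0000000000001234" },
    [pscustomobject]@{ TimeCreated = Get-Date '2024-03-01 08:05:40'
        Message = "Faulting application name: smsexec.exe, version: 5.0.9999.1000, time stamp: 0x00000001`nFaulting module name: ntdll.dll, version: 10.0.0.0, time stamp: 0x00000002`nException code: 0xc0000409`nFault offset: 0x0000000000001234" },
    [pscustomobject]@{ TimeCreated = Get-Date '2024-03-01 08:11:03'
        Message = "Faulting application name: smsexec.exe, version: 5.0.9999.1000, time stamp: 0x00000001`nFaulting module name: ntdll.dll, version: 10.0.0.0, time stamp: 0x00000002`nException code: 0xc0000409`nFault offset: 0x0000000000001234" },
    [pscustomobject]@{ TimeCreated = Get-Date '2024-03-01 09:00:00'
        Message = "Faulting application name: notepad.exe, version: 10.0.0.0, time stamp: 0x00000003`nFaulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000`nException code: 0xc0000005" }
)

$summary = Get-SmsExecCrashSummary -Events $sampleEvents
$summary | Format-List          # CrashCount 3, all in ntdll.dll with 0xc0000409
(Get-Service SMS_EXECUTIVE).Status
```

On a real server call Get-SmsExecCrashSummaryFromLog; a tight cluster of crashes a few minutes apart with one module and one exception code points to a deterministic cause (configuration, a mitigation policy, a dependency) rather than resource exhaustion, and tells you which direction in the checklist to pursue first.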
UserShadowStack is the user-mode part of Hardware-enforced Stack Protection, available on Windows Server 2022 (and Windows 10 version 2004 and later) on CPUs that implement shadow stacks (Intel CET or the AMD equivalent). It is designed to enhance protection against return-oriented programming (ROP) attacks, a common method used in exploiting memory-safety vulnerabilities.
Understanding UserShadowStack:
Concept of Shadow Stack: At its core, UserShadowStack implements a 'shadow stack', a secondary, hardware-protected stack that keeps track of the intended return address for each function call in a program. When a function is called, its return address is pushed both on the regular stack and on the shadow stack. When the function returns, the return address popped from the regular stack is compared with the one on the shadow stack. If they match, the program continues as normal; if not, the mismatch indicates tampering, most likely an attempted ROP chain, and the process is terminated (in audit mode the mismatch is only logged). Because the shadow stack is not writable by ordinary stores, an attacker who can overwrite the regular stack still cannot make the two agree.
Protection Mechanism: By ensuring the integrity of return addresses, UserShadowStack helps prevent attackers from hijacking the control flow of a program, which is a common technique in many sophisticated cyber attacks.
UserShadowStack in the Context of Hyper-V on Windows Server 2022:
Hyper-V is Microsoft's hardware virtualization product, allowing users to create and run virtual machines. Each virtual machine runs its own operating system and is isolated from the host system. In this context, UserShadowStack can provide the following benefits:
Enhanced Security for Virtual Machines: When a VM's guest OS supports Hardware-enforced Stack Protection and the hypervisor exposes the CPU's shadow-stack feature to that VM, processes inside the VM are protected from ROP attacks just as on a physical host. This is particularly important as virtual machines often run critical or sensitive applications.
Isolation and Containment: With Hyper-V, if an attack occurs within a virtual machine, it is typically contained within that VM, protecting the host system and other VMs. UserShadowStack adds an extra layer of defense within each VM, further reducing the risk of a successful exploit.
Compatibility and Performance: Because the check is performed in hardware on each return, the overhead is small; the compatibility risk lies with applications that manipulate their own stack (hand-rolled exception handling, some JIT engines, legacy binaries), which fail the check and are terminated, as happens with smsexec.exe here.
In summary, UserShadowStack in Windows Server 2022 provides a robust mechanism to thwart ROP attacks by validating return addresses. With Hyper-V, both the host environment and capable guests can benefit from it, but an application that is not compatible with the mitigation crashes instead of being protected.
Run the following command on the site server (it records a per-image mitigation override for smsexec.exe) and then start the SMS_EXECUTIVE service again; the override applies only to newly started instances of the process:
Set-ProcessMitigation -Name smsexec.exe -Disable UserShadowStack
Note that this turns off one exploit mitigation for that single binary and leaves every other process and mitigation at the system default. Re-enable it and re-test after applying a Configuration Manager update, since the override otherwise stays in place indefinitely.
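The following is an added example (not code from the original post) that wraps the fix above in a repeatable procedure: show the policy that currently applies to smsexec.exe, disable only UserShadowStack for that image, restart SMS_EXECUTIVE, and confirm the process is still alive after a grace period. It assumes an elevated PowerShell session on a Windows Server 2022 site server, where the ProcessMitigations module ships with the OS, and that the service name is SMS_EXECUTIVE.

```powershell
# Added example (not from the original post): scope the UserShadowStack
# override to smsexec.exe, restart the service and verify it stays up.
# Assumptions: elevated session on Windows Server 2022 (ProcessMitigations
# module present); service name SMS_EXECUTIVE; process name smsexec.

function Get-SmsExecShadowStackPolicy {
    # Per-image policy stored under Image File Execution Options. It is read
    # when a *new* smsexec.exe starts, so a change needs a service restart.
    $policy = Get-ProcessMitigation -Name smsexec.exe
    return $policy.UserShadowStack
}

function Disable-SmsExecShadowStack {
    # Only this image and only this mitigation; DEP, ASLR, CFG and the rest
    # keep their system defaults for smsexec.exe and nothing else is touched.
    Set-ProcessMitigation -Name smsexec.exe -Disable UserShadowStack
}

function Restart-SmsExecAndVerify {
    param([int]$StableSeconds = 60)   # a crashing smsexec dies within seconds of start
    Restart-Service -Name SMS_EXECUTIVE -Force
    Start-Sleep -Seconds $StableSeconds
    $svc  = Get-Service -Name SMS_EXECUTIVE
    $proc = Get-Process -Name smsexec -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServiceStatus  = $svc.Status
        ProcessRunning = [bool]$proc
        UptimeSeconds  = if ($proc) { [int]((Get-Date) - $proc.StartTime).TotalSeconds } else { 0 }
    }
}

'Policy before:'; Get-SmsExecShadowStackPolicy | Format-List
Disable-SmsExecShadowStack
'Policy after:';  Get-SmsExecShadowStackPolicy | Format-List
# Expect Status Running, ProcessRunning True and an uptime near $StableSeconds.
Restart-SmsExecAndVerify | Format-List
```

If ProcessRunning comes back False the crash has a different cause and the override should be reverted (Set-ProcessMitigation -Name smsexec.exe -Remove clears the per-image entry) so you are not left with an unneeded weakening of the site server.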
Can Microsoft’s Delivery Optimization and Configuration Manager help solve enterprise network efficiency problems supercharged by the coronavirus pandemic?
The COVID-19 pandemic has forced numerous companies to adopt hybrid working models. This has seen demand for bandwidth capacity increase considerably.
Couple bandwidth-heavy traffic connecting from everywhere with spiraling data costs and network administrators have something to worry about. With no end of the pandemic in sight, enterprises are looking for solutions to counter these issues.
As a result, the question that’s now at the fore for many network administrators is how to improve network efficiency as cost-effectively as possible in the New Year.
COVID-19 and Network Efficiency
Pre-COVID, 17% of the American workforce worked remotely at least 5 days per week. Since the onset of the pandemic, this number has increased to 44%.
With nearly 6% of the population (i.e. 21 million people) having no high-speed connection, enterprises have begun to ask questions such as how best they can keep all their employees connected to their networks.
A range of solutions has been proposed to modernize existing infrastructure, including the adoption of key technologies such as Microsoft's Delivery Optimization, Connected Cache, and Configuration Manager.
Let’s examine each of these in greater detail.
What is Delivery Optimization
Delivery Optimization is a built-in Windows component. It is a distributed cache technology, meaning software designed to act as an intermediary between the content source (Microsoft's cloud services) and the computers of on-site and remote employees.
The benefits that Delivery Optimization provides include more efficient cloud downloads, reduced internet bandwidth consumption, and lower latency in data access.
This matters because it keeps more of your internet bandwidth free for other work. It translates to a faster and better experience for employees, particularly those working remotely.
What is Microsoft Connected Cache?
Microsoft Connected Cache is an application installed on a Configuration Manager distribution point running Windows Server 2012 or later. It is a high-speed local cache that works hand in hand with Delivery Optimization to reduce latency and improve efficiency.
Connected Cache acts as a dedicated cache server on your enterprise network. It stores the content that Delivery Optimization clients fetch from the cloud, so that subsequent clients on the same network download it from the cache server instead of over the internet.
It is ideal for companies because it serves as a local cache on your on-premises network.
What is Microsoft Endpoint Configuration Manager
Microsoft Endpoint Configuration Manager, formerly known as System Center Configuration Manager (SCCM) and before that Systems Management Server (SMS), is full-featured systems management software. It sets out to manage computers at a larger scale in a streamlined way.
Configuration Manager provides patch management, remote control, operating system deployment, software inventory, software distribution, and network access protection capabilities.
Now that we're up to speed on what each of these products is and what it does, let's look at the advantages and disadvantages of Delivery Optimization.
Delivery Optimization Pros
No Upfront Costs
For enterprises already encumbered by high remote operating costs, this is a welcome reprieve. There are no upfront costs because Delivery Optimization exists as part of Windows 10. Therefore, it’s a feature that’s paid for through your regular Windows 10 license.
Leverages Peer-to-Peer Efficiency
Delivery Optimization enables PCs connected to your network to download updates from other peers on the network that have already downloaded the content, rather than each PC pulling the full download from the internet. In this way, there is an overall reduction in internet bandwidth, and update-related traffic is spread across the peers instead of hitting one link.
Same Time Send/Reception of Update Files
Gone are the days of waiting while update files were sent and received one after another. Delivery Optimization splits content into pieces and lets a PC upload pieces it already has to peers while it is still downloading the rest, so updates spread through the network quickly.
Can Resume Interrupted Downloads
Do you remember the times when downloads would interrupt because of a network glitch and had to restart? This meant updating PCs across company networks took longer and sometimes pushed up data costs for enterprises. Thankfully, one of the perks of Delivery Optimization is the ability to resume downloads should they experience an interruption.
Load Balancing Capabilities
Network administrators can use all the help they can get to distribute workloads in a uniform manner across enterprise servers and employee PCs.
Load balancing is an incredibly important process as it promotes more efficient processing. It provides balance, so there are no uneven overloads on individual computer nodes. Delivery Optimization presents itself as a tool that expedites this distribution of network traffic.
Windows Native and Cumulative Updates Enabled
Because it is native to Windows 10, Delivery Optimization handles cumulative updates, in which all previously released fixes and the newest ones are bundled into a single update package, so every DO-enabled PC receives the bundle through the same peer and cache mechanism.
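Whether the peer-to-peer and Connected Cache mechanisms described above are actually doing work on a given PC is measurable locally. The following is an added example (not code from the original article): it sums, over the files Delivery Optimization has handled, how many bytes came from LAN peers, from a Connected Cache server and from the internet, computes the share delivered locally, and reads the effective Delivery Optimization policy. It assumes Windows 10 version 1709 or later (where the DeliveryOptimization module exists), the documented download-mode values, and the DeliveryOptimization policy registry key; the sample status objects at the end are constructed so the summary runs offline.

```powershell
# Added example (not from the original article): measure how much Delivery
# Optimization content came from peers / Connected Cache versus the internet,
# and show the effective DO policy.
# Assumptions: Windows 10 1709+ (Get-DeliveryOptimizationStatus available);
# documented DODownloadMode values; policy key under HKLM\SOFTWARE\Policies.

$DoModes = @{ 0 = 'HTTP only'; 1 = 'LAN'; 2 = 'Group'; 3 = 'Internet'; 99 = 'Simple'; 100 = 'Bypass' }

function Get-DoSourceBreakdown {
    param(
        # Objects need BytesFromPeers, BytesFromCacheServer and BytesFromHttp,
        # which is what Get-DeliveryOptimizationStatus returns per file.
        [object[]]$Status = (Get-DeliveryOptimizationStatus)
    )
    $peers = [long](($Status | Measure-Object -Property BytesFromPeers       -Sum).Sum)
    $cache = [long](($Status | Measure-Object -Property BytesFromCacheServer -Sum).Sum)
    $http  = [long](($Status | Measure-Object -Property BytesFromHttp        -Sum).Sum)
    $total = $peers + $cache + $http
    [pscustomobject]@{
        Files          = @($Status).Count
        BytesFromPeers = $peers
        BytesFromCache = $cache
        BytesFromHttp  = $http
        # Share of bytes that never crossed the internet link.
        LocalSharePct  = if ($total) { [math]::Round(100 * ($peers + $cache) / $total, 1) } else { 0 }
    }
}

function Get-DoPolicy {
    # Values written here by Group Policy or Intune override local settings.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $mode = if ($p -and $null -ne $p.DODownloadMode) {
        "$($p.DODownloadMode) ($($DoModes[[int]$p.DODownloadMode]))"
    } else { 'not set by policy' }
    [pscustomobject]@{
        DownloadMode = $mode
        GroupId      = if ($p) { $p.DOGroupId }   else { $null }   # peer group for mode 2
        CacheHost    = if ($p) { $p.DOCacheHost } else { $null }   # Connected Cache server(s)
    }
}

# Constructed sample (not real data): two updates mostly served locally, one
# fetched entirely from the internet.
$sampleStatus = @(
    [pscustomobject]@{ FileId = 'cu-a'; BytesFromPeers = 600MB; BytesFromCacheServer = 0;     BytesFromHttp = 200MB },
    [pscustomobject]@{ FileId = 'cu-b'; BytesFromPeers = 0;     BytesFromCacheServer = 900MB; BytesFromHttp = 100MB },
    [pscustomobject]@{ FileId = 'app';  BytesFromPeers = 0;     BytesFromCacheServer = 0;     BytesFromHttp = 50MB  }
)
Get-DoSourceBreakdown -Status $sampleStatus | Format-List   # LocalSharePct 81.1

# Live view on a real client:
# Get-DoSourceBreakdown | Format-List
# Get-DoPolicy | Format-List
```

A LocalSharePct near zero on a site that is supposed to have peers or a Connected Cache server usually means the download mode is HTTP only (0) or Simple (99), the group ID does not match the peers you expected, or DOCacheHost does not point at the cache server, so check Get-DoPolicy before blaming the network.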
But it’s not all fun and games with Delivery Optimization. Here are a couple of disadvantages network administrators have to also contend with.
Delivery Optimization Cons
No Analytics and or Reporting
In Deloitte's The Analytics Advantage report, analytics are highlighted as important because they enable companies to drive business strategy and make data-driven decisions. It therefore comes as a disappointment that Delivery Optimization on its own provides no such insight, neither analytics nor reports, beyond the per-device statistics a client can query locally.
No Content Control
Being able to control both the content that’s being downloaded and transmitted across networks is imperative for network safety. The fact that Delivery Optimization doesn’t give network administrators such control is frustrating.
No Support for Windows 7 to Windows 10 Migration
Are you thinking of migrating from Windows 7 to Windows 10? Unfortunately, you'll have no help from Delivery Optimization: it is a Windows 10 component and plays no part in delivering the operating system upgrade itself to Windows 7 machines.
No Support Packages and App Deployment
That's not all: Delivery Optimization also offers no support for Packages and Applications in Configuration Manager stand-alone deployments. This hampers the standardization and streamlining of software installation on employees' work devices.
No Smart Agent
Delivery Optimization is a tool full of potential. However, it is baffling trying to understand why this supposed network optimizing resource has no smart agent to facilitate Optimal Source Selection.
No SCCM Support
Microsoft's System Center Configuration Manager (SCCM) is integral to the management, deployment, and security of connected enterprise devices and of the apps on them. However, Delivery Optimization does not carry the content that SCCM itself distributes, which is a major disadvantage.
Needs Manual Boundary Definition
Boundaries, according to Microsoft, are network locations on the enterprise intranet that contain the devices you want to manage. When using Delivery Optimization, boundaries aren't created automatically; you have to take the time to define each boundary you want.
Needs Substantial Boundary Configuration
It's not enough to define the boundaries either; you also need to make sure that each boundary is properly configured. This additional work could be automated, so it's a wonder that Delivery Optimization doesn't come with boundary configuration preset.
5 Steps to Improving Network Efficiency with Delivery Optimization
Faced with hybrid work models and more employees working remotely, enterprises must be smart about network management. Here are the top 5 ways to improve network efficiency using Delivery Optimization, Configuration Manager, and Microsoft Connected Cache in 2022.
Improve Network Efficiency Step# 1. Remove Network Bottlenecks
When it comes to network efficiency, congestion is one of the major problems most enterprises face. There are many causes of bottlenecks in your network, and you will need to remove them in order to improve efficiency. They range from:
a) Network Overload
Network overload happens when you have numerous hosts within your broadcast domain. Delivery Optimization can aid in this particular case by allowing optimized cloud-managed downloads which reduce network pressure.
b) Broadcast Storms
Broadcast storms occur when broadcast traffic, often amplified by a switching loop, floods a network segment faster than the hosts on it can process it.
c) Low Bandwidth
This occurs when there are too many people using the connection at once. Delivery Optimization (peer-to-peer) and Connected Cache (a local cache server) serve content from inside the network and so lower latency and minimize the internet bandwidth consumed.
d) Not Enough Retransmitting Hubs
Having too few devices that forward traffic between segments slows down your network. Sufficient switching and routing capacity is necessary to move data across the network efficiently.
e) Multicasting
While created to help ease congestion, multicast that is not scoped properly (for example, flooded to every port rather than delivered only to subscribed receivers) can itself cause congestion.
f) Old Hardware
Technology is changing fast, and hardware components need to be routinely upgraded; otherwise aging servers, routers, and switches can become the source of network congestion.
g) Poor Configuration Management
When configuration is applied through one-off or hand-repeated scripts, it drifts and introduces errors that cause congestion. Thankfully, Delivery Optimization and Configuration Manager can help to get rid of this issue by applying settings consistently.
h) Foreign Adapter Broadcasts
When rogue adapters connect to your network, this can increase the network load, leading to bottlenecks. A rogue adapter is any device that connects to your network without authorization and consumes resources until it is removed. These foreign devices also pose a security threat.
Fortunately, management tools like Configuration Manager make it possible to inventory the devices and configurations within your network and manage their life cycle. Such visibility helps you identify the sources of slow traffic and congestion so you can eliminate them.
Improve Network Efficiency Step# 2. Configure Every Device Correctly
It doesn't matter whether it's an installation of cumulative updates or new hardware: every element joining the company network must be properly configured. Failure to do so can lead to poor network efficiency.
When devices are incorrectly configured, they can’t communicate with their peers effectively. This will lead to routing problems and or increase latency.
Network administrators must ensure that each time a device is configured or reconfigured the network is tested to check network performance. Configuration Manager can be used to see whether the new configuration/reconfiguration is affecting the network negatively.
Improve Network Efficiency Step# 3. Educate Employees on Correct Network Usage
Now with more employees working remotely, it can be difficult to control what people do on the company network. However, it is pivotal to educate them on avoiding applications that are bandwidth-heavy and engaging in activities that consume a lot of data such as downloading movies, music videos, and other large files.
The more bandwidth employees use on non-work activities, the less is available for work, slowing down the entire network. Configuration Manager can be used to curb non-work-related activities if necessary by enforcing usage restrictions on managed devices.
Improve Network Efficiency Step# 4. Consider Creating a Guest Network
Have you ever thought of creating a separate guest network for people visiting your company?
You don’t want strangers and outsiders to be able to connect to your enterprise network. This is a major security threat. By creating a disparate guest network they will have their own distinct network to connect to.
In this way, guests’ activities don’t interfere with enterprise bandwidth and security threats are reduced.
Improve Network Efficiency Step# 5. Compress Network Traffic and Data
Every day, colossal amounts of data are transmitted across enterprise networks. More so now, in a world where virtual meetings are the order of the day. These data-heavy online activities necessitate data compression and compression of network traffic.
By compressing enterprise data, companies get more out of their internet packages. And with Windows components like Delivery Optimization, you get to stretch your data out more.
You see, Delivery Optimization fetches content from the cloud once and stores it in a local cache, from which peer PCs and devices obtain it in smaller pieces, so that each connected device does not have to download the full file from the internet on its own.
Wrap up
2020 and 2021 have disrupted the way business is done. With more companies eager to try out hybrid work models that allow employees to work remotely with some days in the office, network administrators have their work cut out for them in terms of making sure networks are efficient and running at optimal round the clock.
And with so much uncertainty about when things will return to normal, enterprises need to get comfortable with the idea of remote work. Resources such as Delivery Optimization and Configuration Manager will prove to be more and more important in 2022 and beyond.
Relying on such Windows features, organizations can rest easy knowing that there are tools to help with improving network efficiency in a cost-effective manner.
Every business needs to be on top of its game when it comes to matters of the security of its IT infrastructure. Because even the smallest of vulnerabilities can be exploited to devastating effect. And Microsoft Defender ATP is ready to mitigate those risks.
Not recognizing these risks can potentially cause the shutting down of a business, at best temporarily. And research has shown that the cost of downtime to a company can quite easily run into hundreds of thousands of dollars.
As we can all imagine, the losses that a business would suffer would be colossal, to say the least. Hence the need to enhance one’s security to keep bad actors at bay. By using Tamper Protection, you immediately strengthen the security of your business.
Why Tamper Protection?
Arguably the greatest challenges to an organization’s IT infrastructure come in the form of malware or malicious apps that tamper with your security settings and potentially create vulnerabilities in your system.
With these changes having been made, your organization becomes a significantly easier target for cybercriminals. It is with this in mind that Microsoft introduced Tamper Protection two years ago.
Simply put, and as the name itself implies, the Microsoft Defender ATP feature essentially locks Microsoft Defender thus preventing anyone from tampering with your security settings. Including modifications that may be made by administrators.
As a key element of Microsoft's security strategy, Tamper Protection supports Microsoft's position that Windows 10 clients protected by Microsoft Defender do not need third-party antivirus software.
However, Tamper Protection does not have an impact on third-party antivirus registration. So this means that third-party antivirus offerings will still register with the Windows Security application. By using Tamper Protection, you can prevent the following:
Deactivation of virus and threat protection.
Deactivation of real-time protection.
Disabling of behavior monitoring.
Disabling antivirus (such as IOfficeAntivirus (IOAV))
Blocking of cloud-delivered protection.
Removal of security intelligence updates.
Extending client coverage
With the obvious benefits that Tamper Protection brings to any organization, it only makes sense to try and extend coverage wherever possible. And this is what Microsoft did with their announcement in September last year.
This feature was extended to cover ConfigMgr 2006-only clients on both Windows 10 and Windows Server 2019, delivered via Tenant Attach. To enable Tenant Attach, the process is fairly straight forward and you can find the instructions provided here.
Having done that, you can then go to Endpoint security > Antivirus in the MEM admin center. From there you can proceed to create and deploy the Tamper Protection setting. After that, you’ll then need to configure the aforementioned setting.
This you will then deploy to a Configuration Manager collection of devices. If you want to view the policy status, go to the Monitoring >Deployments section which you find in ConfigMgr. However, you can also find it in the policy status in the Endpoint Manager Admin center
Utilizing Tenant Attach
Tenant Attach provides a method for attaching your ConfigMgr hierarchy to your tenant and leverages the capabilities available from the cloud. This includes things such as discovering cloud users and groups, synchronizing Azure AD groups from a device collection, etc.
Moreover, you can sync your on-prem only ConfigMgr clients into the MEM admin center thus enabling the delivery of Endpoint security configuration policies to your on-prem clients.
With this tool, a device does not necessarily have to be enrolled in Intune. In fact, it can be managed by either ConfigMgr or Intune. Alternatively, devices can also be co-managed.
Management of Tamper Protection
In addition to managing Tamper Protection using tenant attach as described above, there are a few other management options available. These are:
Management of Tamper Protection using the Microsoft Defender Security Center. You can turn Tamper Protection on or off for your tenant via the Microsoft Defender Security Center. This option is on by default for all new deployments and the setting is applied tenant-wide. So it affects all devices that are running Windows 10 or Windows Server 2016 or Windows Server 2019.
Management of Tamper Protection using Intune. If your organization’s subscription includes Intune then Tamper Protection can be turned on or off in the Microsoft Endpoint Manager admin center.
Management of Tamper Protection on an individual device. Tamper Protection can be managed via the Windows Security app by individuals who are either home users or are not under settings managed by a security team. To do this, however, you need to have the appropriate admin permissions on your device to change security settings.
Keeping track of security data
Having preventive measures in place does not negate the need for constantly reviewing the security information.
You need to regularly check what is going on within your system so that you can stay on top of things because several tampering attempts are usually a sign of something bigger. And that may potentially be a bigger cyberattack.
Cybercriminals can attempt to alter your organization’s security settings as a way to persist and stay undetected.
Therefore, in every business, security teams should review information about such attempts, and then take the appropriate actions to mitigate threats.
The system is designed to raise alerts in the Microsoft Defender Security Center when tampering attempts are made. By utilizing tools such as endpoint detection and response and advanced hunting capabilities, you can investigate further and then implement the necessary measures to address the problem/s.
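Alongside the portal alerts, the tamper-protection state and the blocked attempts are visible on the endpoint itself, which is useful for a quick triage or for fleet-wide scripting. The following is an added example (not code from the original article): it reads the state from Get-MpComputerStatus and summarizes Event ID 5013 (Defender's "tamper protection blocked a change" event) per day from the Defender operational log, flagging the repeated attempts that the article says warrant a deeper look. It assumes Windows 10 or Windows Server 2019 with the Defender module, that the TamperProtectionSource property exists only on newer Defender builds, and an AlertThreshold of three attempts in the window; the sample events at the bottom are constructed for an offline run.

```powershell
# Added example (not from the original article): check Tamper Protection
# state locally and summarise blocked tampering attempts (Event ID 5013).
# Assumptions: Defender PowerShell module present; TamperProtectionSource
# is only present on newer builds; threshold of 3 attempts is a policy choice.

function Get-TamperProtectionState {
    $s = Get-MpComputerStatus
    $source = if ($s.PSObject.Properties['TamperProtectionSource']) { $s.TamperProtectionSource } else { 'n/a' }
    [pscustomobject]@{
        IsTamperProtected      = $s.IsTamperProtected
        TamperProtectionSource = $source                  # e.g. Intune, MDE/ATP, UI
        RealTimeProtection     = $s.RealTimeProtectionEnabled
        BehaviorMonitor        = $s.BehaviorMonitorEnabled
    }
}

function Get-TamperAttemptSummary {
    param(
        # Objects need Id and TimeCreated; Message is reported when present.
        [Parameter(Mandatory)][object[]]$Events,
        [int]$AlertThreshold = 3
    )
    $attempts = @($Events | Where-Object { $_.Id -eq 5013 })
    $byDay = $attempts |
        Group-Object { $_.TimeCreated.Date.ToString('yyyy-MM-dd') } |
        Sort-Object Name | Select-Object Name, Count
    [pscustomobject]@{
        Attempts = $attempts.Count
        PerDay   = $byDay
        # Repeated blocked attempts are the "sign of something bigger":
        # hand off to EDR / advanced hunting instead of treating as noise.
        Escalate = ($attempts.Count -ge $AlertThreshold)
    }
}

function Get-TamperAttemptSummaryFromLog {
    param([int]$Days = 7, [int]$AlertThreshold = 3)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5013
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
    Get-TamperAttemptSummary -Events @($events) -AlertThreshold $AlertThreshold
}

# Constructed sample (not real log data): four blocked changes over two days.
$sampleEvents = @(
    [pscustomobject]@{ Id = 5013; TimeCreated = Get-Date '2024-03-01 10:02:00'; Message = 'Tamper protection blocked a change to Microsoft Defender Antivirus.' },
    [pscustomobject]@{ Id = 5013; TimeCreated = Get-Date '2024-03-01 10:02:30'; Message = 'Tamper protection blocked a change to Microsoft Defender Antivirus.' },
    [pscustomobject]@{ Id = 5013; TimeCreated = Get-Date '2024-03-02 23:41:10'; Message = 'Tamper protection blocked a change to Microsoft Defender Antivirus.' },
    [pscustomobject]@{ Id = 5013; TimeCreated = Get-Date '2024-03-02 23:41:12'; Message = 'Tamper protection blocked a change to Microsoft Defender Antivirus.' },
    [pscustomobject]@{ Id = 1150; TimeCreated = Get-Date '2024-03-02 08:00:00'; Message = 'Endpoint Protection client is up and running in a healthy state.' }
)
$summary = Get-TamperAttemptSummary -Events $sampleEvents
$summary | Format-List     # Attempts 4, Escalate True

# On a real endpoint:
# Get-TamperProtectionState | Format-List
# Get-TamperAttemptSummaryFromLog | Format-List
```

A device reporting IsTamperProtected False while the tenant-wide setting is on is itself worth a ticket: either the policy has not reached it yet or something has already altered the configuration that Tamper Protection was meant to lock.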
Wrap up
Microsoft is looking to tackle the surge in cybercrime head-on. Bad actors are constantly seeking out weaknesses in organizations’ systems and occasionally they find them. This is why businesses need to leverage the next-gen security strategies that Microsoft can offer.
With features like Tamper Protection, you get additional security to help your organization block nefarious elements from altering your security settings and leaving you vulnerable. Advanced breaches and increasing incidences of ransomware campaigns need all businesses to start getting proactive about their security. Otherwise, the consequences could prove to be very costly.
When it comes to Microsoft Endpoint Manager (MEM), there’s always a steady stream of new features that clients should be paying attention to.
Technology is constantly changing and the products that we use need to improve as well. Especially if we consider the recent surge in cybercrime as seen in the FBI’s 2020 internet crime report.
No business is immune and as such, technology companies have to consistently enhance their products to ensure that clients’ data is secure. With security in mind, let’s take a look at the exciting new features that Microsoft is bringing to the MEM platform.
Enhancing security through Microsoft Endpoint Manager filters
Microsoft Endpoint Manager has now made it possible for IT admins to use filters to target apps, policies, and other workload types to specific devices.
By utilizing these filters, IT admins get more flexibility and can better protect data within applications, simplify app deployments, and speed up software updates.
Furthermore, it is now easier for admins to comply with their organizational policies and compliance requirements by deploying:
A Windows 10 device restriction policy only to the corporate devices of users in a particular department without including personal devices,
An iOS app to only the iPad devices for users in another department,
An Android compliance policy for mobile phones to all users in the company but exclude Android-based meeting room devices that don’t support the settings in that mobile phone policy.
Windows 10 Enterprise multi-session is a Remote Desktop Session Host edition exclusive to Windows Virtual Desktop on Azure that allows multiple concurrent user sessions. Users get a familiar Windows 10 experience, while IT benefits from the cost savings of multi-session hosts and can use existing per-user Microsoft 365 licensing.
By leveraging Intune, you can manage multi-session remote desktops with device-based configurations, like a shared, user-less Windows 10 client. Moreover, you can enroll Hybrid Azure AD joined VMs in Intune automatically and target them with device-scope policies and apps.
This means that now you can:
Host multiple concurrent user sessions using the Windows 10 Enterprise multi-session SKU exclusive to Windows Virtual Desktop on Azure.
Manage multi-session remote desktops with device-based configurations like a shared, user-less Windows 10 Enterprise client.
Automatically enroll Hybrid Azure AD-joined virtual machines in Intune and target them with device scope policies and apps.
Policy management made simpler
Using the settings catalog simplifies the process of customizing, setting, and managing device and user policy settings. Remember, managing policy configuration through custom Open Mobile Alliance Uniform Resource Identifier (OMA-URI) policy is not the easiest of tasks to undertake.
The 2105 service release also supports your move from Group Policy Objects (GPO) or custom OMA-URI to cloud-based consolidated policies.
Clients will be happy to note that 5,000 settings have been added to the settings catalog for Edge, Office, and OneDrive, including additional settings for macOS and Windows.
Microsoft Tunnel Gateway changes
There are a couple of changes to note for the Microsoft Tunnel Gateway:
Microsoft Tunnel Gateway (MTG) is now out of preview and thus generally available. However, while the MTG server component is out of preview, the following Microsoft Tunnel apps are not: the Microsoft Tunnel standalone app (for both Android and iOS) and Microsoft Defender for Endpoint with support for Microsoft Tunnel for Android.
Custom setting support in VPN profiles for Microsoft Tunnel with Microsoft Defender for Endpoint on Android. You can now use custom settings in the VPN profile for Microsoft Tunnel to configure Microsoft Defender for Endpoint when you use it both as your Microsoft Tunnel client app for Android and as your mobile threat defense (MTD) app.
Device security with Microsoft Endpoint Manager
Another update that is certain to make MEM clients happy is that conditional access on Jamf-managed macOS devices for Government Cloud is now available.
By using Intune’s compliance engine, you can now evaluate Jamf-managed macOS devices for Government Cloud.
All one has to do to achieve this is activate the compliance connector for Jamf in the MEM admin center.
New Microsoft Endpoint Manager settings available
There are new settings available when creating a device restrictions policy for iOS/iPadOS (14.5 devices and newer). These are the settings that have been introduced:
Block Apple Watch auto unlock: You can set this to Yes and this will prevent users from unlocking their device with Apple Watch.
Allow users to boot devices into recovery mode with unpaired devices: If you want to allow users to boot their device into recovery with an unpaired device, you can set this one to Yes.
Block Siri for dictation: To disable connections to Siri servers so that users can’t use Siri to dictate text, set to Yes.
Clients will now get new tiles that show the number of app installation failures for the tenant. You can find these in the Home, Dashboard, and Apps Overview panes of the MEM admin center:
To view the Home pane, select Home.
To view the Dashboard pane, select Dashboard.
To view the Apps Overview pane, select Apps > Overview.
Wrap up
Microsoft Endpoint Manager can be used in many different ways by different companies. It gives you a fantastic platform to gather endpoint information, and it gives you the ability to push out Microsoft desktop apps, Microsoft Edge, and several other apps. By consistently updating the features, Microsoft can help your business operate more efficiently and enhance your data security and privacy.
With the prevailing global situation requiring more and more people to work from home, businesses need to ensure that productivity does not suffer. And to do that, you need to effectively manage remote devices. Hence the need for technology such as the Cloud Management Gateway (CMG).
By utilizing the CMG, your business has an alternative to IBCM that most would consider a significant upgrade. This creates a favorable environment that allows your organization to remove the obstacles of managing a remote workforce. Needless to say, the CMG can play a massive role in your organization, and its importance is certainly worth discussing.
Requirements
Before you can use the Cloud Management Gateway you need to meet the following requirements:
An Azure subscription to host the CMG,
You need a Full administrator or Infrastructure administrator user account in Configuration Manager,
During the initial creation of certain components, the participation of an Azure admin is needed,
You need at least one on-premises Windows server to host the CMG connection point,
A server authentication certificate for the CMG,
The site must be integrated with Azure AD to deploy the service with Azure Resource Manager,
Depending on your client OS version and authentication model, other certificates may be required,
Clients are required to use IPv4.
When is it useful?
There are several scenarios where the CMG could come in handy and they include the following:
For management of traditional Windows 10 clients using modern identity which can either be hybrid or pure cloud domain-joined with Azure AD.
For management of traditional Windows clients with Active Directory domain-joined identity. The clients included are Windows 8.1 and Windows 10.
For installation of the Configuration Manager client on Windows 10 devices over the internet.
For new device provisioning with co-management.
Benefits to your business
CMG enables your enterprise admins to perform several actions over the internet, including:
Push software updates and enable endpoint protection,
Inventory and client status,
Compliance settings,
Software distribution,
Windows 10 in-place upgrades,
Manage branch office devices over less expensive internet instead of across expensive WAN or VPN connections.
Eliminates complications
Although Internet-based client management (IBCM) has been around for years, a lot of users tend to find it complicated. CMG aims to be a simpler solution. It is an Azure-hosted service that manages internet-based clients through a new site system role called the cloud management gateway connection point.
By adding the CMG to your environment, you’ll get an intermediary cloud solution. And this can be your bridge to a full cloud management solution of your Windows 10 devices through Microsoft Intune.
Also, your organization doesn’t need to expose on-premises infrastructure to the internet and neither will you require additional infrastructure. So by using the CMG, you get rid of a lot of what users don’t like about IBCM.
Manage internet clients
Cloud Management Gateway helps you to easily and effectively manage clients that are on the internet. Often, there are going to be events in your environment that will require a swift response.
However, previously this was problematic for clients that would not be currently on-premises. By leveraging the CMG, you can manage clients all over the world as long as they have an internet connection.
Furthermore, it doesn’t require you to buy any additional IT infrastructure. Unlike IBCM, which needs additional hardware that you have to maintain, the CMG only needs an Azure subscription.
Strengthen your security
The moment you have systems that are not directly connected to your IT infrastructure, your data security is at an increased risk. This is particularly evident with remote work.
Although a lot of businesses have responded by using VPNs, a VPN only protects traffic while the tunnel is up; it does not by itself keep the workstation patched, inventoried, and compliant. Hence the importance of the Cloud Management Gateway.
With it, you can better manage devices connected to the Internet and thus improve your corporate security posture. This is further enhanced by the fact that you can leverage Microsoft Azure services so that there is no need to expose your infrastructure to the internet.
Cost management
Whenever you use cloud services, you will incur costs associated with your usage, and the Cloud Management Gateway is no exception. Fortunately for clients, Microsoft gives you several ways to keep those costs under control. One is client settings, where you determine which clients are allowed to use the CMG.
Another is the virtual machine configuration, which lets you choose between 1 and 16 virtual machine instances per Cloud Management Gateway. You can also stop the CMG so that it no longer serves clients.
These controls let you balance the experience you give your clients against the unavoidable costs that come with cloud services.
Constantly evolving
Another reason why the CMG is so important is how the technology is constantly evolving. There has been a lot of innovation taking place such as the ability to automatically do a client install through the CMG.
This is a great option to have because it eliminates the need for the client to be on the intranet. In addition, the platform is adaptable to your organization’s needs. So it can handle several scenarios such as:
Traditional PC management (Windows 7, 8.1, 10),
Modern PC management (Windows 10 with modern identity),
Internet client installs.
Wrap up
Every organization should be looking for ways to make the most of its IT investments. From the information available, every environment that uses ConfigMgr can benefit from the Cloud Management Gateway, and you can leverage the CMG for clients all across the globe. The convenience this provides cannot be overstated. As the world changes and technology evolves, we need platforms that help organizations become more efficient and enhance productivity.
With cyber threats being such a huge problem, the last thing your organization needs is vulnerable security. And this can be worsened if malicious actors manage to disable your security. So with that in mind, Microsoft introduced Tamper Protection to increase your organization’s security by making it significantly harder for cybercriminals to infiltrate your network.
It gives you a better security posture and allows your IT team to ensure greater protection over corporate resources. And so today we’re going to dive into what exactly Microsoft Endpoint Manager Tamper Protection is and what it can do for your organization.
What is Tamper Protection?
Microsoft Endpoint Manager Tamper Protection is a relatively new feature that was created to prevent potential attackers from making changes to the configuration of Microsoft Defender on Windows 10 clients. Therefore, this feature doesn’t allow malicious actors to:
Disable real-time protection,
Disable anti-virus protection,
Disable cloud-delivered protection,
Remove security intelligence updates.
By blocking these actions, Tamper Protection makes it much harder for attackers who have gained a foothold to switch off the defenses before installing malware or going after your data.
Functionality
The key thing that Microsoft Endpoint Manager Tamper Protection does for you is lock Microsoft Defender Antivirus so that nobody can modify its protected security settings. These modifications could otherwise be made through apps and methods like:
Configuring settings in Registry Editor on your Windows device
Using PowerShell cmdlets to make changes to settings
Using group policies to edit or remove security settings
However, Tamper Protection won’t stop you from seeing your security settings or affect how third-party antivirus apps register with the Windows Security app. For organizations using Windows 10 Enterprise E5, it’s the security team that will manage Tamper Protection and so individual users can’t change the setting.
How to enable Tamper Protection
Your IT admins can use Microsoft Intune to turn Tamper Protection on or off for all managed computers using the Microsoft Endpoint Manager (MEM) admin center portal. To make changes to Microsoft Endpoint Manager Tamper Protection, admins need a role such as Security Administrator or Global Administrator. To have access to Tamper Protection, your organization should:
Have Intune licenses such as Microsoft 365 E5,
Have computers running Windows 10 versions 1709, 1803, 1809, or later,
Use Windows security with security intelligence updated to version 1.287.60.0 or later,
Have machines using antimalware platform version 4.18.1906.3 and antimalware engine version 1.1.15500.X (or later).
With all the requirements met, follow the steps below to get access:
Go to MEM admin center and sign in with the right credentials,
Select Devices and choose Configuration Profiles,
Create a profile for the Windows 10 and later platform with the Endpoint protection profile type, and under Microsoft Defender Security Center set Tamper Protection to Enabled.
Once you turn on Tamper Protection, you won’t have any need to turn it off unless it affects other validated tools.
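Before relying on the Intune setting, it is worth confirming on a device that the prerequisites above are met and that Tamper Protection is actually enforced. The script below is an added example, not code from the original article or from Microsoft. It reads the Defender status through the built-in Defender PowerShell module, compares the platform, engine, and security intelligence versions against the minimums quoted above, and reports the enforced state. With -ProbeBlocking it also attempts the kind of change Tamper Protection exists to stop (turning real-time monitoring off via Set-MpPreference) and reverts it immediately if it went through. It assumes an elevated session on Windows 10; the build number 16299 for version 1709 is a Windows fact, not something from the article.

```powershell
# Added example, not from the original article: Tamper Protection prerequisite and
# enforcement check for one Windows 10 device. Assumes the built-in Defender module
# (Get-MpComputerStatus, Get/Set-MpPreference) and an elevated session.
param([switch]$ProbeBlocking)

# Minimum versions quoted in the article.
$minPlatform  = [version]'4.18.1906.3'
$minEngine    = [version]'1.1.15500.0'
$minSignature = [version]'1.287.60.0'

function Get-TamperProtectionReadiness {
    $status = Get-MpComputerStatus
    $build  = [int](Get-ItemPropertyValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name CurrentBuildNumber)

    [pscustomobject]@{
        # Windows 10 1709 is build 16299, the oldest release the article lists.
        OsBuildOk          = $build -ge 16299
        PlatformVersion    = $status.AMProductVersion
        PlatformOk         = [version]$status.AMProductVersion -ge $minPlatform
        EngineVersion      = $status.AMEngineVersion
        EngineOk           = [version]$status.AMEngineVersion -ge $minEngine
        SignatureVersion   = $status.AntivirusSignatureVersion
        SignatureOk        = [version]$status.AntivirusSignatureVersion -ge $minSignature
        RealTimeProtection = $status.RealTimeProtectionEnabled
        # IsTamperProtected reflects the enforced state regardless of what set it
        # (Intune, ConfigMgr tenant attach, or the Windows Security app).
        TamperProtected    = $status.IsTamperProtected
    }
}

function Test-TamperProtectionBlocksChange {
    # Try to switch real-time monitoring off the way a local admin or malware would.
    # With Tamper Protection on, the cmdlet either throws or the setting stays unchanged.
    $before = (Get-MpPreference).DisableRealtimeMonitoring
    try {
        Set-MpPreference -DisableRealtimeMonitoring $true -ErrorAction Stop
    } catch {
        Write-Host "Set-MpPreference refused: $($_.Exception.Message)"
    }
    $after = (Get-MpPreference).DisableRealtimeMonitoring

    if ($after -and -not $before) {
        # The change went through, so Tamper Protection is not enforced. Undo it at once.
        Set-MpPreference -DisableRealtimeMonitoring $false
        return $false
    }
    return $true
}

$readiness = Get-TamperProtectionReadiness
$readiness | Format-List

if (-not ($readiness.OsBuildOk -and $readiness.PlatformOk -and $readiness.EngineOk -and $readiness.SignatureOk)) {
    Write-Warning 'Device does not meet the Tamper Protection prerequisites; the Intune setting will not take effect here.'
}

if ($ProbeBlocking) {
    if (Test-TamperProtectionBlocksChange) {
        Write-Host 'Protected setting could not be changed: Tamper Protection is enforced.'
    } else {
        Write-Warning 'Real-time monitoring could be disabled: Tamper Protection is NOT enforced on this device.'
    }
}
```

Only use -ProbeBlocking on a test device: if Tamper Protection turns out to be off, real-time monitoring is briefly disabled before the script restores it.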
Tamper Protection for Configuration Manager
With version 2006 of Configuration Manager, you can leverage tenant attach to manage Tamper Protection settings on:
Windows 10,
Windows Server 2016, and
Windows Server 2019.
Tenant attach allows you to sync your on-premises-only Configuration Manager devices into the MEM admin center. Following this, you can deliver endpoint security configuration policies to on-premises collections and devices. A few simple steps are all you need:
Go to the MEM admin center > Endpoint security > Antivirus,
Choose Create Policy, select the Windows 10 and Windows Server (ConfigMgr) platform with the Windows Security experience profile, and set Tamper Protection to Enabled,
You can now deploy the policy to your device collection.
Continuous reviewing
Even with Microsoft Endpoint Manager Tamper Protection enabled, your admins need to have the ability to continually review your security posture. Otherwise, you won’t fully benefit if you cannot see the tamper attempts or report them.
To resolve this challenge, you can subscribe to the Microsoft Defender for Endpoint service. This will provide you with a dashboard that shows you all the security issues that you need to be aware of. These include flagged tamper attempts with all the necessary details to investigate further.
Using third-party security tools
Microsoft Endpoint Manager Tamper Protection can coexist with third-party security tools, although some of those tools change Defender’s security settings themselves. By using real-time threat information, Tamper Protection can assess the potential risks of software and suspicious activities. Your IT admins should update security intelligence to version 1.287.60.0 or later. From that version on, Tamper Protection protects the security settings in the Registry and logs any attempts to modify them without generating errors.
What about endpoint management tools?
As for endpoint management tools, you can use them with Microsoft Endpoint Manager Tamper Protection, within limits. Admins can still set Tamper Protection centrally through their management tools.
However, other tools and platforms cannot change the settings that Tamper Protection protects; those have to be managed through Windows Security.
If you have a Windows enterprise-class license or computers running Windows 10 Enterprise E5, you need to opt into global Tamper Protection. Below are some unified endpoint management platforms that cannot override Tamper Protection:
Microsoft Intune,
System Center Configuration Manager,
Windows System Image Manager configuration,
Group Policy,
Any other Windows Management Instrumentation tools and administrative roles.
Wrap up
The key to staying ahead of cybercriminals is a continual upgrading of existing security features. And this is precisely what Microsoft is doing with Tamper Protection. With this feature, you can address one of the potential areas of weakness in your security infrastructure. You can prevent unwanted visitors from disabling critical security features.
Since Microsoft Endpoint Manager Tamper Protection was specifically designed for enterprise environments, it is ideal for enhancing organizational security and making your organization less vulnerable to attack. Class-leading security has become a necessity for all of us and features like this can play a massive role in safeguarding our enterprises.
Information is key for any business to function optimally, which is why the use of big data has grown so much over the last decade. But the information that matters is not only what you obtain externally; it is also information about your internal operations. This is where Microsoft’s Product Lifecycle Dashboard comes in. By giving you information about all the Microsoft products installed on devices managed by Microsoft Endpoint Configuration Manager, it makes tracking simple. It is a useful feature with fresh improvements, too, and we go over the latest below.
Getting started with Microsoft Endpoint Manager
Microsoft has made a few changes over the years, and from version 1806 you can use the Configuration Manager product lifecycle dashboard to view the Microsoft Lifecycle Policy. So what exactly does this dashboard do?
The Product Lifecycle Dashboard is a management tool. It shows the state of the Microsoft Lifecycle Policy for any Microsoft products installed on devices managed with Microsoft Endpoint Configuration Manager.
Not only that, but you also receive data concerning the various Microsoft products in your environment. This includes supportability state, and support end dates. Therefore by using both Asset Intelligence and the Asset Intelligence Synchronization Point, the dashboard can give you a clear overview of the lifecycle of each product.
By using the dashboard, you can easily find out what support is available for each product. With this information in hand, it will allow you to plan accordingly and update all products before their support expires. And then from version 1810, the dashboard also adds information for System Center 2012 Configuration Manager and later.
What are the requirements?
As a product continues to improve, the requirements to use that product will also expectedly change. For you to see data in the product lifecycle dashboard, you need the following:
Internet Explorer 9 or later
You need to install and configure a service connection point role. And the latter must be online or synchronized regularly if offline.
For hyperlink functionality in the dashboard, you need a reporting services point.
You need to configure and synchronize the asset intelligence synchronization point.
Using the dashboard
This tool aims to make it easier for your organization to have up-to-date data about the products you are using. By leveraging the inventory data that the site collects from managed devices, the dashboard displays information about all current products. However, not all versions are covered: information is displayed only for Windows Server 2008 and later, Windows XP and later, and SQL Server 2008 and later. To access the lifecycle dashboard in the Microsoft Endpoint Configuration Manager console:
1) Go to the Assets and Compliance workspace,
2) Expand Asset Intelligence,
3) Select the Product Lifecycle node.
What else do you get?
Clients will find that from version 1902, they also get information for installed versions of Office 2003 through Office 2016. This data is available after the site runs the lifecycle summarization task, which occurs every 24 hours. In addition, you can benefit from a similar dashboard even if you don’t have Configuration Manager: Azure Monitor Logs can provide a dashboard to help manage the supportability of your environment.
Upgrading products with Microsoft Endpoint Manager
Taking a simple look at your dashboard will allow you to see any products that need to be updated urgently. When you have several computers to deal with and you need to know which ones need upgrades, all you need to do is click on the hyperlinks in the Number in environment column and that will show you a report.
And doing this will direct you to the Lifecycle 01A – Computers with a specific software product report. This is a huge improvement when you consider that in the past you had to investigate problem clients individually to find out whether or not an upgrade was needed.
Reports in the product lifecycle set
In addition to the dashboard, there are additional reports available. You’ll find them in the Microsoft Endpoint Configuration Manager console under the Monitoring workspace, by expanding Reporting. The new reports, found under the Asset Intelligence category, are as follows:
Lifecycle 01A — Computers with a specific software product: See a list of computers on which a specified product is detected.
Lifecycle 02A — List of machines with expired products: This report, which you can filter by product name, shows you all the computers that have expired products on them.
Lifecycle 03A — List of expired products found: See details for products in your environment that have expired lifecycle dates.
Lifecycle 04A — General Product Lifecycle overview: See a list of product lifecycles, filtered by product name and days to expiration.
Lifecycle 05A — Product lifecycle dashboard: From version 1810, this report will have similar information as the in-console dashboard. All you have to do is choose a category to view the products in your environment as well as the days of support remaining.
Wrap up about Microsoft Endpoint Manager
Every organization needs products that will help them to optimize their time. And as the number of available products increases, the choice of which product to go for becomes harder. Microsoft’s Product Lifecycle Dashboard gives your business many benefits that businesses have needed for a long time.
Reduce the time you spend trying to keep track of all the products you have installed on countless devices with a simple, easy to use dashboard. If you’re looking for a tool that gives you a more efficient way of device management, then the Product Lifecycle Dashboard is one that is certainly worth a look.
The importance of data analysis has been steadily growing in the last couple of decades. And as technology has continued to evolve, the tools that we have available to us have significantly improved. These tools help businesses get a clearer view of their operations. One of the more recent offerings is Microsoft Endpoint Manager Analytics (MEMA). With this product, Microsoft is aiming to help organizations measure and improve their productivity. These days, businesses are placing significant emphasis on the degree of productivity of their employees. Therefore it’s important to have a way to actually see this and that’s what we’ll be going over below.
What is Microsoft Endpoint Manager Analytics?
Endpoint Analytics is essentially a new feature that Microsoft has added to Microsoft Productivity Score. It provides you with information on how the organization is operating as well as the experience your users are getting. It can pinpoint policies or hardware issues that are slowing down devices and recommend changes you can make without causing needless disruption. Endpoint Analytics therefore provides insights that are normally unavailable to IT because of a lack of visibility into the end-user experience, and it does so at a lower cost than the support channel you would otherwise rely on.
Getting started with Microsoft Endpoint Manager
Once you’ve met all the requirements, the actual process of enrolling a device is pretty straightforward. For Intune-managed devices, you select Onboard in the Endpoint Analytics portal. For devices managed by Configuration Manager, there are a few steps to follow. First, enable Endpoint Analytics data collection in Configuration Manager. Next, enable data upload from Configuration Manager. The last step is onboarding in the Endpoint Analytics portal. Once everything is enabled, you will see the connector status light up in Microsoft Endpoint Manager.
Startup performance
This is an area that can be of great concern when it comes to causing delays to your employees. By measuring time to productivity, you can easily see where users are losing time. Endpoint Analytics will help your organization by identifying lengthy boot and sign-in times and then resolving them. In addition, you’ll get a couple of recommended actions that you can take to improve startup times. Having this data at hand enables you to evaluate your startup performance. You can then use this data and compare it to other organizations thus getting a better view of how you’re doing as a business.
Software optimization with Microsoft Endpoint Manager
A lot of the time, increasing productivity only requires you to optimize your current software. MEMA plays a key role by providing you with information for improving user experience by optimizing your operating system as well as the versions of Microsoft software that you are already using. You’ll get to benefit from insights for various deployment and management services. Among these are Windows Autopilot, Microsoft Intune, Configuration Manager, Windows 10, and Azure Active Directory. Although you may already be using these platforms, analytics gives you data that helps you to get the most out of them.
Swift problem resolution
In the past, one of the major causes of delays has been users having to wait for IT to resolve problems. However, Endpoint Analytics provides proactive remediation scripting. Simply put, this great feature will resolve common support issues on any of your endpoints. Not only that, but it will fix these problems before users even know there’s an issue. There are built-in scripts that you can use for common issues. But, there is also the possibility of authoring your own scripts based on what issues your users frequently encounter.
Licensing requirements for Microsoft Endpoint Manager
A valid Microsoft Endpoint Manager license is necessary to enroll devices in Endpoint Analytics. In addition, for proactive remediations, one of the following licenses for managed devices will be required:
Windows 10 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
Windows 10 Education A3 or A5 (included in Microsoft 365 A3 or A5)
Windows Virtual Desktop Access E3 or E5
Requirements for Intune devices
Devices under co-management or enrolled in Intune must run Windows 10 Pro, Windows 10 Pro Education, Windows 10 Enterprise, or Windows 10 Education. Windows 10 Home isn’t supported. Only devices running Windows 10 Enterprise, Education, or Pro version 1903 or later get startup performance insights. It’s also important to note that workplace joined (Azure AD registered) devices aren’t supported. Lastly, you need to ensure that the Connected User Experiences and Telemetry service is running.
Configuration Manager requirements
For devices managed by Configuration Manager, you need a minimum of Configuration Manager version 2002 with KB4560496 (Update rollup for Microsoft Endpoint Configuration Manager version 2002) or later. The Configuration Manager clients also need to be upgraded to version 2002 or later, and the Microsoft Endpoint Manager tenant must be attached. Another thing to remember is that enrolled devices that meet the Intune requirements send the required functional data directly to the Microsoft public cloud.
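The Intune and Configuration Manager requirements above can be checked on a device before you onboard it. The script below is an added example, not code from the original article or from Microsoft. It reads the Windows edition and build, parses the join state from dsregcmd so that Azure AD registered (workplace joined only) devices are flagged, checks that the Connected User Experiences and Telemetry service (DiagTrack) is running, and, if the ConfigMgr client is present, compares its version against the 2002 baseline. The build number 18362 for version 1903 and the client product version 5.00.8968 for ConfigMgr 2002 are facts about those releases, not something from the article; run the script in an elevated session.

```powershell
# Added example, not from the original article: Endpoint Analytics readiness check
# for one Windows 10 device. ConfigMgr checks are skipped when the root\ccm
# namespace is absent. Assumes an elevated PowerShell session.

$os      = Get-CimInstance -ClassName Win32_OperatingSystem
$build   = [int]$os.BuildNumber
$edition = Get-ItemPropertyValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name EditionID

# Editions the article lists as supported; Home is explicitly out.
$supportedEditions = 'Professional', 'ProfessionalEducation', 'Enterprise', 'Education'

function Get-JoinState {
    # dsregcmd /status prints lines such as "AzureAdJoined : YES"; pull the three flags.
    $text  = dsregcmd /status
    $state = @{}
    foreach ($key in 'AzureAdJoined', 'DomainJoined', 'WorkplaceJoined') {
        $line = $text | Where-Object { $_ -match "^\s*$key\s*:\s*(YES|NO)" } | Select-Object -First 1
        $state[$key] = [bool]($line -match ':\s*YES')
    }
    [pscustomobject]$state
}

function Get-EndpointAnalyticsReadiness {
    $join      = Get-JoinState
    # Connected User Experiences and Telemetry service.
    $diagTrack = Get-Service -Name DiagTrack -ErrorAction SilentlyContinue
    $ccm       = Get-CimInstance -Namespace root\ccm -ClassName SMS_Client -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Edition                 = $edition
        EditionOk               = $supportedEditions -contains $edition
        Build                   = $build
        # Startup performance insights need 1903 or later; 1903 is build 18362.
        StartupInsightsOk       = $build -ge 18362
        AzureAdJoined           = $join.AzureAdJoined
        HybridAzureAdJoined     = $join.AzureAdJoined -and $join.DomainJoined
        # Azure AD registered only (no join) is the unsupported "workplace joined" case.
        WorkplaceJoinedOnly     = $join.WorkplaceJoined -and -not $join.AzureAdJoined
        TelemetryServiceRunning = ($null -ne $diagTrack) -and ($diagTrack.Status -eq 'Running')
        ConfigMgrClientVersion  = $(if ($ccm) { $ccm.ClientVersion } else { 'not installed' })
        # ConfigMgr 2002 client product version is 5.00.8968.
        ConfigMgrClientOk       = $(if ($ccm) { [version]$ccm.ClientVersion -ge [version]'5.0.8968' } else { $null })
    }
}

$r = Get-EndpointAnalyticsReadiness
$r | Format-List

if (-not $r.EditionOk)               { Write-Warning "Edition '$($r.Edition)' is not supported for Endpoint Analytics." }
if ($r.WorkplaceJoinedOnly)          { Write-Warning 'Device is Azure AD registered only; workplace joined devices are not supported.' }
if (-not $r.TelemetryServiceRunning) { Write-Warning 'Connected User Experiences and Telemetry (DiagTrack) is not running.' }
if ($r.ConfigMgrClientOk -eq $false) { Write-Warning 'ConfigMgr client is older than version 2002; upgrade it before onboarding.' }
```

On a co-managed device both halves matter: the edition, join state, and telemetry checks govern whether the device can send data at all, and the client version check governs whether Configuration Manager can collect and upload it.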
Enhance your productivity
Common issues that trouble most organizations should not have to persist indefinitely. Time is a priceless commodity and your business needs to strive to fully enhance productivity. Hence the importance of software such as Microsoft Endpoint Manager Analytics. Its ability to furnish you with a comprehensive overview of how your organization is operating has the potential to make it key to your business strategies. Evaluating the problem areas affecting your users and resolving them without disruption will immediately improve workflow. Although Endpoint Analytics is still very much a new product, it’s certainly one that looks like most businesses could need.
I ran into this issue, where after some time the SMS built-in backup function would fail. When running SMS_SITE_BACKUP from Windows Services (services.msc) it would fail with some of the following errors:
SMS_SITE_BACKUP failed. Please see previous errors.
Error: SMS Writer service either does not exist or is not running .
Error: GatherWriterMetadata failed.
SMS_SITE_BACKUP failed. Please see previous errors.
Resolution: List the VSS writers available with the following command:
VSSADMIN list writers
If you find the SMS Writer to be missing, run the following commands:
Net stop SMS_SITE_VSS_WRITER
Net start SMS_SITE_VSS_WRITER
This should add it back to the list as shown below. Now restart your SMS_SITE_BACKUP (this can be done from services.msc) and review the log file smsbkup.log. It should now be running.
The issue here was caused by another backup solution using the Volume Shadow Copy Service (VSS). So the fix also required the other solution to be removed/reconfigured.
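The check-and-repair sequence from the post above, scripted in PowerShell as an added example (not the original poster’s code). It parses the writer names out of vssadmin output, restarts SMS_SITE_VSS_WRITER only when the SMS Writer is absent, re-checks, and then restarts SMS_SITE_BACKUP and shows the tail of smsbkup.log. It assumes an elevated session on the site server; the default log path is a placeholder for your Configuration Manager installation’s Logs folder, so pass -LogPath if yours differs.

```powershell
# Added example, not from the original post: detect a missing SMS Writer, restart the
# writer service, then kick off the site backup and show its log.
# Assumes an elevated session on the ConfigMgr site server. The default -LogPath is a
# placeholder for your installation's Logs folder.
param(
    [string]$LogPath = 'C:\Program Files\Microsoft Configuration Manager\Logs\smsbkup.log'
)

function Get-VssWriterNames {
    # vssadmin prints one "Writer name: 'Foo'" line per registered writer.
    vssadmin list writers | ForEach-Object {
        if ($_ -match "^\s*Writer name:\s*'(.+)'") { $Matches[1] }
    }
}

function Repair-SmsWriterRegistration {
    if ((Get-VssWriterNames) -contains 'SMS Writer') {
        Write-Host 'SMS Writer is registered.'
        return $true
    }

    Write-Warning 'SMS Writer is missing from the vssadmin list; restarting SMS_SITE_VSS_WRITER.'
    Restart-Service -Name SMS_SITE_VSS_WRITER -Force
    Start-Sleep -Seconds 5   # give the writer a moment to re-register with VSS

    $present = (Get-VssWriterNames) -contains 'SMS Writer'
    if (-not $present) {
        Write-Warning 'SMS Writer still missing. Check whether another VSS-based backup product is interfering, as in the post above.'
    }
    return $present
}

if (Repair-SmsWriterRegistration) {
    # SMS_SITE_BACKUP is a demand-start service; Restart-Service starts it if it is stopped.
    Restart-Service -Name SMS_SITE_BACKUP
    Start-Sleep -Seconds 10
    if (Test-Path $LogPath) {
        Get-Content -Path $LogPath -Tail 20
    } else {
        Write-Warning "smsbkup.log not found at $LogPath; pass -LogPath with your Logs folder."
    }
}
```

If the writer keeps disappearing after a restart, the script only buys time; the underlying conflict with the other VSS consumer still has to be resolved as the post describes.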