Optimizing Software Packaging – What To Know About Advanced Installer

One of the best tools that IT professionals can have in their arsenal is a packaging tool. This simplifies their tasks and saves them time. Businesses need to provide their IT teams with comprehensive packaging tools that are easy to deploy and highly compatible.

One such product that has garnered a significant amount of interest is Advanced Installer. What you get with this powerful packaging tool for developers, businesses, and ISVs, among others, is an advanced application packaging software. It simplifies software deployment in a big way.

And before fully committing, organizations can try out the trial version. It comes with full features allowing them to make a more informed decisions. To help you with that task, let’s go over what you have to look forward to with Advanced Installer.

Introduction

As already mentioned, Advanced Installer is a software packaging and deployment tool designed to eliminate the challenges often encountered with packaging and updating software.

Clients get an all-in-one packaging tool that can create, edit, update, and repackage MSI, EXE, App-V, APPX, and MSIX. Because of the user-friendly and intuitive design as well as the plethora of features and capabilities, IT professionals should expect an application that optimizes the packaging process.

Businesses will also appreciate how easy the integration will be. They’ll also enjoy the compatibility that provides support for various platforms and formats. In addition, IT professionals can easily create customizable and visually appealing installers. They can also benefit from the integration of Advanced Installer with popular development tools and environments.

Ultimately, using Advanced Installer gives your organization a product that enables you to build reliable MSI packages. These meet the latest Microsoft Windows logo certification requirements and generally follow the recommended Windows Installer best practices.

Requirements

Before proceeding with the purchase and installation of Advanced Installer, it’s also important to be aware of the specific requirements that the application demands. In the table below, you’ll find both the hardware and software requirements that you need to know.

HardwareSoftware
Required minimum: Core 2 class CPU1GB RAM1366 × 768 screen resolution 2GB hard drive spaceAdvanced Installer IDE – for Advanced Installer to run properly on a system, you will need: Windows 7 or newer. The latest Windows Platform SDK. However, this is optional as it will only be required when building certain types of packages.
What is recommended: i5 class CPU4GB RAM1920 × 1200 screen resolution 10GB hard drive spaceCreate Install Packages – Advanced Installer produces MSI or EXE install files that are designed to run on: Windows 7 or newer Windows Server 2008 R2 or newer.  
 Create MSIX Packages – Advanced Installer produces MSIX packages that are designed to run on: Windows 10 version 1507 or newer Windows Server 2016 (Long Term Servicing Channel) or newer.
 For Java – Advanced Installer for Java can create install bundles to install Java programs on these versions of MacOS: Mac OS 10.x Power PC Mac OS 10.x Intel.
 Windows 10/11 Compatibility – Advanced Installer and the EXE/MSI install packages it generates have been shown to work on Windows 10 and Windows 11.

Latest upgrades

Some new, recently announced updates for Advanced Installer are available. One in particular of great interest is the new nested Context Menus for File Associations in MSIX. The goal of this feature is to give organizations a more organized and efficient user interface. It ultimately streamlines the management of file associations.

As a result of this, you should have improved navigation and better usability. Moreover, clients will now also find a reboot option for NewPrerequisite and UpdatePrerequisite command lines coupled with support for Java versions 19 through 22.

The above improvements combine with new translations for default strings, a refactored build log for improved clarity, and an AppInstaller theme that is now supporting BrowseDlg dialog for a better user experience. More than just the new features, however, Advanced Installer has addressed challenges that clients were facing, including:

  • Fix EXE icon issue in non-English language projects.
  • Addressing the problem of the “Install side-by-side” option not always preserved on upgrades.
  • Fixing the reboot prompt issues during uninstallation.
  • Resolved the issue that was causing files to be digitally signed twice in an MSIX build.
  • Address the problem causing the description field to fail to set MSI name in UAC using trusted signing.
  • Corrected the issue causing the system to not prompt for the certificate password when the entered password was incorrect.
  • Resolved the problem of scheduled tasks failing if they were scheduled to run at task creation.

Available features

In the table below, you’ll find a few of the wide range of features that Advanced Installer has to offer.

ArchitectEnterpriseProfessionalFreeware
Repackager – seamlessly capture, customize, and repackage existing installations into MSI packages. Upgrade legacy setups to Windows Installer technology.Updater – checking for downloads and installation of patches and updates is done automatically.IIS – Web Sites, Virtual Directories and Web Applications, App-Pools, User Accounts.MSI – create valid MSI setups for your applications that meet all the written and unwritten Windows Installer rules.
MSI Quick-Edit – enables you to create, transform, or edit existing MSI packages directly from the Advanced Installer GUI.JSON Files Updates – without writing any code, you can manage JSON files that are part of the installation package or present on the target machine.Multilingual and Localized – get over 30 translations that are all ready to use, as well as easy to modify and create.UAC – build installers that will run seamlessly on Windows 10/8.1/8/7/Vista supporting the security model.
MSIX Custom Scripts – use PowerShell scripts to resolve any of the compatibility issues of your application after you create an MSIX.Installer Continuous Integration – provides built-in support for integration with Azure DevOps, GitHub Actions, Jenkins, TeamCity, and Bamboo.Themes – also get over 50 built-in beautiful themes to give your installer a professional look.Imports – bring in relevant imports from Visual Studio, InstallShield LE, Inno Setup, WiX, Eclipse, NSIS, and regular MSI/MSM packages.
MSIX Package Editor – can offer an immediate view of your package content, enabling you to customize anything from Advanced Installer’s user interface.Dialog Editor – enables you to visually customize existing installer dialogs or create new ones entirely from scratch.Custom Actions – if you execute your code during installation, you can extend your installer’s capabilities.32-bit or 64-bit – provides the option to build setups that both run and install on 32-bit processors and/or the latest 64-bit Intel and AMD CPUs.
MSIX Modification Packages – enables you to extend and update your MSIX packages. You’ll also be able to separate your main application package from its updates, thus speeding up Windows 10 updates.Convert EXE installers to MSIs – an extremely capable wizard that converts any EXE setup into an MSI ready for network deployment through Active Directory.Native Launcher – create a native launcher for your Java applications and customize the process name, file name, icon, version, splash-screen, JRE/JDK detection and selection, user-friendly error handling.Side-by-side – if you have different versions of your application and want to not only install them simultaneously but have them running side by side, you can easily create packages for all the different versions.
Package Support Framework – the capabilities of the PSF integration for MSIX packages will allow you to minimize any AppCompat issues without writing any code.Office Add-ins – leverage the included specialized templates to greatly simplify the creation of installers for popular software platform extensions, plug-ins, and add-ins.Prerequisites – search for, download, and install prerequisite applications, frameworks, and run-times.Upgrades – older versions of your product installed on the user’s machine will be detected and upgraded. Additionally, installation over newer ones will be blocked.

Pricing and Licensing

Once you have decided to use Advanced Installer, you can go ahead and start the purchase from the purchase page. For those who may need additional clarification on any issue, they can quickly find assistance with the support team. Once completed, you can start planning to deploy the package you choose on certain machines.

Fortunately, there is no limit to the number of machines you can deploy a package. As long as you have a licensed version of Advanced Installer, you can successfully create an unlimited number of install packages. You can then distribute these packages royalty-free to any number of users

When it comes to the issue of upgrades, you can purchase your subscription/license upgrade from the upgrades page. After upgrading your subscription, you’ll need to log out before logging in again. Once logged into Advanced Installer, you can refresh your subscription details. For clients with perpetual licenses, their license keys won’t change.

All they have to do is run the registration wizard once more in Advanced Installer. You can get access to the features from the new edition to which you upgraded by opening the project in Advanced Installer. In the toolbar, go to Home > Options > Project Type tab, and choose the desired project type.

The table below contains information regarding the pricing structure.

 ArchitectEnterpriseProfessional
Cost$359 per user per month. The option for a team subscription is available.$139 per user per month. The option for a team subscription is available.$39 per user per month. The option for a team subscription is available.
What you getIn addition to everything that Enterprise offers, you will also get Repackager, MSI Quick-Edit, Reports Generator, App-V, MSIX (Re)packaging, MSIX Package Editor, SCCM, and Intune.In addition to everything you get in Professional, you also get CI/CD Integration, Dialog Editor, Updater, XML Patching, Databases, Trial and Licensing, Merge Modules Authoring, EXE to MSI (wrapper), Automated VM Testing, and Drivers.The main features available include Trusted Signing Native Integration, Visual Studio Extension, PowerShell Automation, MSIX, Themes, Services, Prerequisites, IIS, .NET, COM, ODBC, Internationalisation, Java Native Launcher, and Installer Analytics.

Registration process

After purchasing Advanced Installer, you can now begin the registration process. However, if you are using the Freeware version, registration is not necessary. Clients that opt for the Professional, Enterprise, and Architect versions will require a valid registration to continue use after the trial period has lapsed. All you need to do is navigate to the File > Help > Register menu.

ONLINE REGISTRATION

If you want to download the license online, then the first thing you’ll need is an internet connection. With that established, Advanced Installer will connect to the appropriate server and download the license file to your device.

REGISTRATION BY EMAIL

In this case, an internet connection is not a requirement for the device in question. Once you have noted your Computer ID, you can email it in using any other device connected to the internet. Coupled with the valid License Key, you should forward these details to support at advancedinstaller.com. You can also expect to receive your response within 48 hours. The response will contain your license file as well as additional instructions.

LICENSE SERVER REGISTRATION

This method of registration by using a license server is only a valid option for owners with floating licenses. You’ll need to verify that your network administrator has correctly installed and configured the License Server. You won’t be able to complete the registration if you don’t have both the server’s host name and the port number.

Wrap up

Organizations are constantly searching for productivity tools that can empower their teams and increase operational efficiency. Tools such as Advanced Installer are ideal in that they can simplify tasks such as packaging and deployment of software. The capabilities of this application will deliver a faster overall process and a seamless installation experience that minimizes headaches. And as we move forward Advanced Installer will only get better as the development team leverages the feedback from clients.

Troubleshooting Tenant Attach and Device Action Issues

Microsoft has given us countless different products and services over the last few decades. Undoubtedly, we know the important role they have played for individuals and businesses on the journey towards utilizing technology to better our lives. When looking at the Microsoft ecosystem, one of the best examples of undeniable excellence is the Microsoft Intune family of products.

With this product, Microsoft gives you an integrated solution that enables you to seamlessly manage all your devices. Central to this solution is the single console that we know as the Microsoft Intune admin center which brings together Intune and Configuration Manager.

The capabilities of this platform can offer your organization a premium device-management solution like no other. The area that we want to focus on today will have to do with the troubleshooting of tenant attach and device actions.

Comparing Tenant Attach to Co-management

For a lot of people, it may be difficult to distinguish between these two. So, let’s start by looking at where these two options differ. Both of these make up two of the three primary cloud attach features. For a Configuration Manager environment to be cloud-attached, it has to use at least one of the three primary cloud attach features.

Tenant Attach gives you the advantage of having your device records in the cloud as well as the ability to take actions on these devices from the cloud-based console. IT admins can perform remote actions on tenant-attached devices such as sync machine policy, sync user policy, run scripts on clients, deploy applications, and much more.

Furthermore, users will be able to manage endpoint security for the attached devices from the Intune admin center for both Windows Servers and Client devices.

On the other hand, Co-management is going to modify your on-premises Configuration Manager environment without the need for a significant migration effort.

One of the more attractive features of Co-management is how it allows you to easily switch workloads such as compliance policies from SCCM to Intune. By enabling you to manage workloads from the cloud, your organization gets to benefit from a simpler device management experience.

Tenant Attach prerequisites

To make use of Tenant Attach, you will need to meet the following requirements:

  • When you decide to apply this onboarding change, you’ll need to sign in using an account that is a Global Administrator.
  • An Azure cloud environment.
  • With version 2107, United States Government customers will be able to use tenant attach features in the US Government cloud such as account onboarding, tenant sync to Intune, device sync to Intune, and device actions in the Microsoft Intune admin center.
  • The Azure tenant and the service connection point must have the same geographic location.
  • To access the Microsoft Intune admin center, there needs to be at least one Intune license for the administrator.
  • The administration service in Configuration Manager needs to be functional.
  • If your central administration site has a remote provider, you need to follow the instructions for the CAS has a remote provider scenario in the CMPivot article.

PERMISSIONS

In addition to the above, there will also be a few requirements for the user accounts performing device actions and these include:

  • The user account should be a synced user object in Microsoft Entra ID (hybrid identity).
  • The Initiate Configuration Manager action permission under Remote tasks in the Microsoft Intune admin center.

The troubleshooting process

Now and again, all of us will encounter issues with the products and services we use. That’s why it’s important to work with providers that offer great support services so that we avoid downtime. Microsoft puts a lot of effort into ensuring that customers get as much support as they need for the various products in its ecosystem. Understandably, tenant attach is no different.

At this point, most admins should be aware that you can sync Configuration Manager clients to the Microsoft Intune admin center. And from that admin center, some client actions can run on the synchronized clients.

These available actions include the sync user policy, sync machine policy, and app evaluation cycle. After an administrator runs an action from the Microsoft Intune admin center, the notification request will forward to the Configuration Manager site. And from there, it will forward to the client.

LOG FILES

The logs you need to use will be found on the service connection point and these are:

  • CMGatewaySyncUploadWorker.log
  • CMGatewayNotificationWorker.log

You should also use the logs located on the management point:

  • BgbServer.log

Lastly, there are other logs that will be found on the client:

  • CcmNotificationAgent.log

Review your upload

You’ll need to follow the steps given below:

  • Open CMGatewaySyncUploadWorker.log from <ConfigMgr install directory>\Logs.
  • You will see the next sync time recorded in a log entry similar to this format Next run time will be at approximately: 02/28/2024 10:15:30.
  • The log entries that you should look at for device uploads should be something like this Batching N Records. In this instance, N represents the number of changed devices uploaded since the last upload.
  • Admins should expect uploads every 15 minutes for changes. However, once that is done, they will probably need to wait up to 10 minutes to view the client changes appearing in the Microsoft Intune admin center.

Configuration Manager components and log flow

SMS_SERVICE_CONNECTOR: Will utilize the Gateway Notification Worker to process the notification from the Microsoft Intune admin center.

SMS_NOTIFICATION_SERVER: Receives the notification and subsequently creates a client notification.

BgbAgent: The client gets the task and runs the requested action.

SMS SERVICE CONNECTOR

Following the initiation of an action from the Microsoft Intune admin center, the CMGatewayNotificationWorker.log will process the request.

Received new notification. Validating basic notification details…

Validating device action message content…

Authorized to perform client action. TemplateID: RequestMachinePolicy TenantId: a1b2c3a1-b2c3-d4a1-b2c3-d4a1b2c3a1b2 AADUserID:     a1b2c3a1-b2c3-d4a1-b2c3-d4a1b2c3a1b2

Forwarded BGB remote task. TemplateID: 1 TaskGuid: a43dd1b3-a006-4604-b012-5529380b3b6f TaskParam: TargetDeviceIDs: 1

A notification is received from the Microsoft Intune admin center.

Received new notification. Validating basic notification details..

Validation of user and device actions is carried out.

Validating device action message content…

Authorized to perform client action. TemplateID: RequestMachinePolicy TenantId: a1b2c3a1-b2c3-d4a1-b2c3-d4a1b2c3a1b2 AADUserID:     a1b2c3a1-b2c3-d4a1-b2c3-d4a1b2c3a1b2

Forwarding of the remote task to the SMS NOTIFICATION SERVER.

Forwarded BGB remote task. TemplateID: 1 TaskGuid: a43dd1b3-a006-4604-b012-5529380b3b6f TaskParam: TargetDeviceIDs: 1

SMS NOTIFICATION SERVER

At this point, you should be expecting a task to be sent from the management point to the corresponding client as soon as the message has been forwarded to the SMS NOTIFICATION SERVER. In the BgbServer.log, which is on the management point, you should see the following:

Get one push message from database.

Starting to send push task (PushID: 7 TaskID: 8 TaskGUID: A43DD1B3-A006-4604-B012-5529380B3B6F TaskType: 1 TaskParam: ) to 1 clients  with throttling (strategy: 1 param: 42)

BgbAgent

The last step will occur on the client and you can view it in the CcmNotificationAgent.log. As soon as the task has been received, it will then request the scheduler to carry out the action. And once the action has been carried out, a confirmation message will appear:

Receive task from server with pushid=7, taskid=8, taskguid=A43DD1B3-A006-4604-B012-5529380B3B6F, tasktype=1 and taskParam=

Send Task response message <BgbResponseMessage TimeStamp=”2020-01-21T15:43:43Z”><PushID>8</PushID><TaskID>9</TaskID><ReturnCode>1</ReturnCode></BgbResponseMessage> successfully.

Common issues

In this section, we’ll take a look at some of the issues that admins may often encounter.

Unauthorized to perform client action

For whatever reason, there may be situations where administrators may not have the required permissions in Configuration Manager. If that happens, you’ll see an Unauthorized response in the CMGatewayNotificationWorker.log.

Received new notification. Validating basic notification details..

Validating device action message content…

Unauthorized to perform client action. TemplateID: RequestMachinePolicy TenantId: a1b2c3a1-b2c3-d4a1-b2c3-d4a1b2c3a1b2 AADUserID: 3a1e89e6-e190-4615-9d38-a208b0eb1c78

Administrators should verify that the user running the action from the Microsoft Intune admin center has all the necessary permissions on the Configuration Manager site.

Known issues

Data synchronization failures

When there are issues with the hierarchy onboarding configuration, you may end up facing challenges with viewing the tenant attach details in the Microsoft Intune admin center. This could potentially happen in situations where onboarding a hierarchy that has already been onboarded occurs. However, you may also detect this issue from entries in the GenericUploadWorker.log and CMGatewayNotificationWorker.log files.

Workaround for data synchronization failures

Resetting the tenant attach configuration will require you to follow the steps below:

  • Offboard the hierarchy. If the tenant attach is already enabled, you need to disable device upload and offboard by editing the co-management properties.
  • In the Configuration Manager admin console, go to Administration > Overview > Cloud Services > Cloud Attach. (Select the Co-management node if it is version 2103 and earlier)
  • In the ribbon, select Properties for your co-management production policy.
  • Next, you need to remove the Upload to Microsoft Endpoint Manager admin center selection from the Configure upload tab.
  • Once everything’s completed, select Apply.

You need to give the service about 2 hours to clean up the existing record. Once the above has been completed, you can onboard the hierarchy again.

Example errors in log files that require resetting the tenant attach configuration

Errors for AccountOnboardingInfo and DevicePost requests in GenericUploadWorker.log

[GetNotifications] Response from https://us.gateway.configmgr.manage.microsoft.com/api/gateway/Notification is: 401 (Unauthorized)

Response status code: 401 (Unauthorized) Activity ID: 4c536a72-fd7f-4d08-948a-3e65d2129e44

Web exception when getting new notification

Exception details:

[Warning][CMGatewayNotificationWorker][0][System.Net.WebException][0x80131509]

The remote server returned an error: (401) Unauthorized.    at Microsoft.ConfigurationManager.ServiceConnector.ExtensionMethods.<GetResponseAsync>d__13.MoveNext()

Response in the web exception: {“Message”:”An error has occurred.”}

Errors for device actions in CMGatewayNotificationWorker.log

[GetNotifications] Response from https://us.gateway.configmgr.manage.microsoft.com/api/gateway/Notification is: 401 (Unauthorized)

Response status code: 401 (Unauthorized) Activity ID: 4c536a72-fd7f-4d08-948a-3e65d2129e44

Web exception when getting new notification

Exception details:

[Warning][CMGatewayNotificationWorker][0][System.Net.WebException][0x80131509]

The remote server returned an error: (401) Unauthorized.    at Microsoft.ConfigurationManager.ServiceConnector.ExtensionMethods.<GetResponseAsync>d__13.MoveNext()

Response in the web exception: {“Message”:”An error has occurred.”}

Specific devices don’t synchronize

Another issue that you may need to deal with has to do with specific devices, which also happen to be Configuration Manager clients, not being uploaded to the service. So, what devices should you expect to be potentially affected by this issue?

In scenarios where a device is a distribution point that uses the same PKI certificate for both the distribution point functionality and its client agent, then the device won’t be included in the tenant attach device sync.

Furthermore, administrators should look out for the behavior that is typical in such instances. During the on-boarding phase as you are going through the tenant attach process, a full sync will be carried out the first time.

You should be aware that any other sync cycles after this one will be delta synchronizations. If the impacted devices are updated in any way, that update will result in the device being removed from the sync.

When the Configuration Manager site is configured to require multi-factor authentication, most tenant attach features don’t work

More troubleshooting

If you find yourself in a situation where the SMS provider machine that communicates with the service connection point is configured to use multi-factor authentication, you won’t be able to install applications, run CMPivot queries, and perform other actions from the admin console.

Instead, you will get a 403 error code, forbidden. What you would normally do to address this is to configure the on-premises hierarchy to the default authentication level of Windows authentication.

The platform is designed to enable you to determine what the minimum authentication level should be for admins to access Configuration Manager sites. You should view this as a great feature for enhancing security because it means that admins have to sign in to Windows with the appropriate level before they can access Configuration Manager.

Authentication

Furthermore, this applies to all components that access the SMS provider. Configuration Manager supports a handful of authentication levels and these are as follows:

  • Windows authentication: Authentication with Active Directory domain credentials is necessary. Note that this setting represents the previous behavior, as well as the current default setting.
  • Certificate authentication. Authentication with a valid certificate that has been issued by a trusted PKI certificate authority is necessary. You also need to know that you don’t configure this certificate in Configuration Manager. Configuration Manager requires the admin to be signed into Windows using PKI.
  • Windows Hello for Business authentication: In this case, you need a strong two-factor authentication that’s linked to a device and also uses a PIN or biometrics. Before choosing this particular setting, you need to note that the SMS Provider and administration service will require the user’s authentication token to contain a multi-factor authentication (MFA) claim from Windows Hello for Business. In simple terms, all this means is that users of the console, SDK, PowerShell, or administration service are required to authenticate to Windows with their Windows Hello for Business PIN or biometric. If not done this way, the site rejects the user’s action. Another key thing to also remember is that this behavior is specific to Windows Hello for Business and does not apply to Windows Hello.

What to do when Configuration Manager components for tenant attach fail to connect to the backend cloud service

Another issue that some have encountered concerns the failure of Configuration Manager components for tenant attach to connect to the backend cloud service when you run a client action from the Microsoft Intune admin center. In those instances, you may see the error given below:

Failed to check and load service signing certificate. System.ArgumentException: Mismatch certificate subject name

According to the information available from Microsoft, this problem occurs in versions earlier than the Configuration Manager version 2203 hotfix rollup after a change in public certificates on July 27, 2022. The reason for this has to do with the change that came about in public certificates on July 27, 2022, where OU=Microsoft Corporation was removed from the public certificate.

Even though this change was carried out, the configuration manager database still retained the old subject name and this then caused the load check failure. Below are some example entries in the CMGatewayNotificationWorker.log file in the top-level site in the hierarchy:

Error occured when process notification with notification Id <notification Id>. Ignore the notification. SMS_SERVICE_CONNECTOR_CMGatewayNotificationWorker

Exception details: SMS_SERVICE_CONNECTOR_CMGatewayNotificationWorker

[Warning][CMGatewayNotificationWorker][0][System.IO.InvalidDataException][0x80131501]

Failed to check and load service signing certificate. System.ArgumentException: Mismatch certificate subject name at Microsoft.ConfigurationManager.ManagedBase.CertificateUtility.ServiceCertificateUtility.VerifyCertificate(X509Certificate2 certificate, Boolean crlCheck, X509Chain& certificateChain, X509Certificate2Collection extraStore)

and at Microsoft.ConfigurationManager.ManagedBase.CertificateUtility.ServiceCertificateUtility.Reload()

at Microsoft.ConfigurationManager.ManagedBase.CertificateUtility.ServiceCertificateUtility.Exists(String thumbprint)

and at Microsoft.ConfigurationManager.ServiceConnector.AccountOnboardingWorker.\<RefreshServiceSigningCertificateIfNotExistsAsync>d__19.MoveNext()

ADDRESSING THE ISSUE

To address this challenge, there are a couple of methods that you can employ. The first thing you can do is to install the Configuration Manager version 2203 hotfix rollup if you happen to be running Configuration Manager version 2203.

However, if your version of Configuration Manager is a previously supported one, you’ll first need to upgrade to Configuration Manager version 2203. After doing that, you can proceed with the installation of the Configuration Manager version 2203 hotfix rollup.

In the update rollup for Microsoft Endpoint Configuration Manager current branch, version 2203, the following issues have been addressed:

  • Application approvals through email not working with a cloud management gateway due to a missing Microsoft Entra token.
  • Metadata revisions to previously published metadata-only updates not being synchronized to Windows Server Update Services (WSUS) as expected.
  • If a window happens to be left open for a few minutes, the task Sequence Editor running on Windows Server 2022 would fail to apply changes to a task sequence. After this happens, you would see the following message:

Error connecting to provider, smsprov.log may show more details.

  • In situations where the Client checking status frequency (minutes) value has been set below 60, the BitLocker compliance status will be temporarily inaccurate.
  • Admins have also experienced the incorrect removal of some users and their group memberships by the SMS_AZUREAD_DISCOVERY_AGENT thread of the SMA_Executive service in cases when the site server is configured with a non-US English locale. You’ll have have noticed the removals occurring when the discovery cycle runs after the 12th day of the month. Errors will be recorded in the SMS_AZUREAD_DISCOVERY_AGENT.log file at various times during the discovery cycle and they will be similar to the following:
  1. ERROR: Encountered SqlException The conversion of a nvarchar data type to a datetime data type resulted in an out-of-range value.

2. ERROR: Exception message: [The conversion of a nvarchar data type to a datetime data type resulted in an out-of-range value.]

3. ERROR: Group full sync request failed. Exception: System.NullReferenceException: Object reference not set to an instance of an object.

More troubleshooting

  • When adding a CMPivot query as a favorite, it is split into two lines and characters are removed.
  • When searching Software Update Groups in the Configuration Manager console, the Name criteria is not an option.
  • Instead of the value you may have previously noticed, the Browse button for Content location in the properties for a deployment would return an empty location.
  • The implicit uninstall setting won’t be respected by an application that is targeted to a device collection but deployed in the context of the user.
  • Typing a Name value in the Create Orchestration Group wizard occurs at a below normal speed.
  • A misleading error message (false negative) is generated on a target distribution point that is co-located with a site server. You could expect to see this during content distribution from a parent site to a child site. In the distmgr.log, the false negative will appear in this format:

~RDC:Failed to set access security on \\<SiteServerFQDN>\SMSSIG$\<PkgID>.1.tar for package <PkgID> signature file

Conclusion

In some cases, unfortunately, both options involving installation of the Configuration Manager version 2203 hotfix rollup may not work to fix the above issues. For those situations, you’ll need to open a support ticket with the Configuration Manager support team.

From there, you’ll be able to get the appropriate assistance to resolve the problem in the supported version of Configuration Manager in your environment.

SMS_EXECUTIVE crashes on Hyper-V due to UserShadowStack

Introduction

In the realm of systems management, maintaining the stability and reliability of essential services is crucial for uninterrupted operations. A notable challenge that has emerged in this context involves the SMS_EXECUTIVE service, a vital component of the Configuration Manager, which is experiencing unexpected terminations shortly after startup. This issue not only hampers the functionality of the Configuration Manager but also poses significant concerns for system administrators who rely on this service for managing networked systems efficiently.

Overview of the Issue

The SMS_EXECUTIVE service, responsible for executing several critical tasks within the Configuration Manager infrastructure, including processing incoming data, executing administrative actions, and managing component threads, has been reported to crash moments after it is initiated. This abrupt termination of the service disrupts the normal workflow, leading to a series of operational challenges.

Scope of the Investigation

This post aims to delve into the potential causes of this issue, examining various aspects such as system logs, configuration settings, recent updates, and environmental factors that might contribute to the instability of the SMS_EXECUTIVE service. The primary objective is to isolate the root cause of the crash and provide a comprehensive analysis that can guide towards effective troubleshooting and resolution strategies.

Importance of Addressing the Issue

The stability of the SMS_EXECUTIVE service is paramount for the seamless operation of the Configuration Manager. Its failure not only impacts the efficiency of system management tasks but also poses risks related to security, compliance, and overall network health. Addressing this issue is thus critical for ensuring that the Configuration Manager continues to function as a robust and reliable tool for system administrators.

In the following sections, we will explore the technical details of the issue, outline the methodologies employed in the investigation, and discuss potential solutions to restore the functionality of the SMS_EXECUTIVE service effectively.

Identifying Potential Causes for the SMS_EXECUTIVE Service Crash


In order to effectively address the issue of the SMS_EXECUTIVE service crashing, it is essential to systematically identify and evaluate potential causes. This section outlines a structured approach for investigating various factors that could contribute to this problem.

1. System and Application Logs Analysis

  • Event Viewer Logs: A thorough examination of the Windows Event Viewer logs, specifically focusing on the Application and System logs around the time of the crash, can provide critical insights. Error messages or warnings preceding the crash are often indicative of underlying issues.
  • SMS_EXECUTIVE Logs: The Configuration Manager logs, particularly those related to SMS_EXECUTIVE, should be scrutinized for any unusual entries or error codes that could point towards the cause of the crash.

2. Configuration and Environment Review

  • Recent Changes: Any recent changes made to the system or the Configuration Manager settings could be a contributing factor. This includes updates, patches, or modifications in the configuration.
  • System Resources: Insufficient system resources, such as memory or CPU, can lead to service instability. Monitoring resource usage patterns around the time of the crash is crucial.
  • Network and Connectivity Issues: Network problems or connectivity interruptions can impact the functionality of the SMS_EXECUTIVE service, especially if it relies on remote components or databases.

3. Component Dependencies and Interactions

  • Dependent Services: Understanding the dependencies of the SMS_EXECUTIVE service, such as other Configuration Manager components or Windows services, is vital. If a dependent service is failing or unstable, it can cascade to the SMS_EXECUTIVE service.
  • Inter-Service Communication: Analyzing how SMS_EXECUTIVE interacts with other services and components within the Configuration Manager ecosystem can reveal potential points of failure.

4. Software Updates and Compatibility

  • Update History: Reviewing the history of updates applied to the Configuration Manager and the underlying operating system can help identify if a recent update might be causing compatibility issues.
  • Third-Party Software: The presence of third-party software or add-ons, particularly those that interface with the Configuration Manager, should be evaluated for compatibility and stability concerns.

5. Security and Access Control

  • Security Software Interference: Security solutions such as antivirus or firewall settings might be interfering with the operation of the SMS_EXECUTIVE service.
  • Permissions and Access Rights: Ensuring that the SMS_EXECUTIVE service has appropriate permissions to execute its tasks is crucial. Incorrect permissions can lead to service failures.

The specific issue identified from Event viewer:

Faulting application name: smsexec.exe, version: 0.0.0.0, time stamp: 0x00000000
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000409
Fault offset: 0x00007ffa5dc03d86
Faulting process id: 0x530
Faulting application start time: 0x01da4ae272f45384
Faulting application path: F:\Program Files\Microsoft Configuration Manager\bin\X64\smsexec.exe
Faulting module path: unknown
Report Id: 6463f350-fe42-4528-8849-c2489e6d558d
Faulting package full name:
Faulting package-relative application ID:

The issue is caused by UserShadowStack

UserShadowStack is a security feature introduced in Windows Server 2022, designed to enhance the protection against return-oriented programming (ROP) attacks, which are a common method used in exploiting software vulnerabilities.

Understanding UserShadowStack:

  1. Concept of Shadow Stack: At its core, UserShadowStack implements a ‘shadow stack’, which is a secondary, protected stack that keeps track of the intended return addresses for each function call in a program. When a function is called, its return address is stored both on the regular stack and the shadow stack. When the function returns, the return address from the regular stack is compared with the one in the shadow stack. If they match, the program continues as normal; if not, it indicates potential tampering, likely due to an attempted ROP attack, and the system can take appropriate action, such as terminating the process.
  2. Protection Mechanism: By ensuring the integrity of return addresses, UserShadowStack helps prevent attackers from hijacking the control flow of a program, which is a common technique in many sophisticated cyber attacks.

UserShadowStack in the Context of Hyper-V on Windows Server 2022:

Hyper-V is Microsoft’s hardware virtualization product, allowing users to create and run virtual machines. Each virtual machine runs its own operating system and is isolated from the host system. In this context, UserShadowStack can provide the following benefits:

  1. Enhanced Security for Virtual Machines: When running on Windows Server 2022 with Hyper-V, UserShadowStack can be used to protect the virtual machines from ROP attacks. This is particularly important as virtual machines often run critical or sensitive applications, and their security is paramount.
  2. Isolation and Containment: With Hyper-V, if an attack occurs within a virtual machine, it is typically contained within that VM, protecting the host system and other VMs. UserShadowStack adds an extra layer of defense within each VM, further reducing the risk of successful exploits.
  3. Compatibility and Performance: UserShadowStack is designed to work seamlessly with Hyper-V, ensuring that the additional security does not significantly impact the performance or compatibility of the virtual machines.

In summary, UserShadowStack in Windows Server 2022 provides a robust mechanism to thwart ROP attacks by validating return addresses. When integrated with Hyper-V, it ensures that both the host environment and the virtual machines benefit from enhanced security without compromising performance or compatibility.

Run the following command and start your service again: Set-ProcessMitigation -Name smsexec.exe -Disable UserShadowStack

Key Things To Know About Windows Safeguard Holds

Updating your computers and mobile devices is something that requires regular attention. Indeed this is rather important for a few reasons. For example, there are security updates to enhance your security posture and reduce the risk of breaches. Another important reason is to fix problems with applications. Additionally, updates can remedy issues with the operating system itself. This is where Windows safeguard holds come into play.

But, even though we perform updates expecting to improve the user experience, it doesn’t always work out that way. There are compatibility issues with particular devices sometimes. And in the worst of scenarios, you might lose connectivity, key functionality, or data. This is why Microsoft has systems in place to try and limit any problems to as few devices as possible.

What are Windows safeguard holds?

By leveraging data on compatibility and quality, Microsoft can identify issues that may cause a Windows client feature update to fail or rollback. In the instances where such issues arise, applying safeguard holds to update service helps.

Consequently, this action will prevent the affected devices from installing the update. It thereby protects them from any issues. Microsoft can also employ safeguard holds when clients, partners, or Microsoft internal validation find issues. It’s helpful for those issues that cause severe problems and there is no immediate solution available. Examples of possible events include loss of key functionality, rollback of update, and data loss.

With the use of safeguard holds, devices with known issues won’t be offered new versions of an operating system. However, once a fix has been found and verified, the update will become available.

Microsoft’s objective with safeguard holds is to enable clients to have a flawless experience when their devices are updating to new versions of Windows client. Those that use the Windows Update service for the deployment of new versions of Windows to their devices would already have benefited from the use of holds for known issues. These clients include all those using Windows Update for Business.

Looking at issues

When Microsoft describes how safeguard holds work, there is a lot of mention of the issues for which holds apply. But, what exactly are these issues? There are known issues. These are problems that can manifest after an upgrade is discovered by Microsoft or reported by clients or partners. Only after assessment and confirmation of an issue, for a specific set of devices, can it fall under known issues.

The next type are likely issues. As the name suggests, these issues are suspected, but not yet confirmed. What we have here are issues that have been picked up by the machine learning service across millions of unmanaged devices, corporate or personal. The service performs daily scans. And it searches for app or driver malfunctions, rollback during setup, connectivity issues, and more.

Subsequently, the machine learning service then looks for links among device hardware and software characteristics. This will then help to identify a larger set of devices yet to perform any updates to protect them. Basically what goes on in these instances is that there are issues that are yet to be confirmed. However, because they are likely it’s good practice to safeguard the at-risk devices.

How does it work?

Here are additional aspects to understand when recognizing how Windows safeguard holds work.

Identification of known issues

As one would expect, the process would naturally start by identifying the relevant issues. Microsoft has a setup that allows for the collection of feedback from various channels. This information is regarding known issues about a Windows update, now collected for your review.

Although there is an internal testing process, Microsoft also requires feedback from Windows Insiders, clients, and partners. And then, as issues are identified, device-specific criteria develop and for application to affected devices as a safeguard hold. These devices will no longer have access to updates until a fix is found and implemented.

Identification of likely issues

For the safeguarding of likely issues, Microsoft can use data obtained across millions of daily devices. Unmanaged by IT, these devices are installing the upgrade from the Windows Update.

All the diagnostic data that Microsoft has from the millions of client devices feeds into the machine learning system. From this, identity patterns associated with update-related disruptions can then be automatically identified. All data usage follows Microsoft’s privacy policy.

Safeguarding of devices

The actual safeguarding of devices can begin once the machine learning algorithm picks up a pattern. After this happens, a temporary safeguard hold for a likely issue is implemented. How long this hold remains in place can vary. But the priority will be device protection rather than progress.

This means the user experience can be preserved and IT staff can have fewer things to worry about. Because of the resultant delay, the few weeks you get can be used to decide how to proceed with the update in a way that keeps your devices protected and productive. The system intends to address the temporary hold for a likely issue in a matter of four to six weeks. This can be done in one of two ways:

  • Confirmation of the likely issue which consequently sees it transitioned to a known issue and thus sees the safeguard hold maintained.
  • In the second scenario, the issue is deemed to be a false positive and therefore the hold will be removed and devices can therefore begin updating.

Known and Unknown Issues

In the first option mentioned where the issue has been confirmed meaning the device is not in a position to update, the classification changes to a known issue. What this does is that it will continue to delay the upgrading of the device until a fix has been found and implemented.

When the system determines that the issue was actually a false positive, all unaffected devices will have the safeguard hold removed. In that case, any upgrades that are approved by the IT team may proceed as normal. According to information from Microsoft, two main criteria are used to determine whether to implement automatic safeguard holds for likely issues. These are:

  • In cases where deployment to consumer devices that are likely exposed to the issue has been paused.
  • The second criterion concerns situations where there are issues that are under active investigation by Microsoft engineers.

When it comes to Windows Update, Windows safeguard holds will be kept in place until the Microsoft investigation has been completed and a fix has been developed and verified. Only then will the solution be made available to the affected devices and update deployment restored.

So devices can only resume being offered updates after a fix has been delivered by Windows Update or a third party thereby lifting the safeguard hold. Under those circumstances, customers can be offered a seamless protection experience.

Taking advantage of Windows safeguard holds

Making use of the features that Microsoft has put in place can go a long way in improving the security posture of your organization. Leveraging safeguard holds will help you to get a better update deployment experience. These features will be available to you via the likes of Microsoft Intune, PowerShell SDK, Update Compliance, and Microsoft Graph.

You’ll find that deployment scheduling controls are consistently available. But, you need to, first of all, configure your devices to share diagnostic data with Microsoft and leverage available reporting tools. Without performing this action you won’t be able to benefit from the unique deployment protections tailored to devices under your management.

§  Pre-requisites

Before you can start benefiting from everything that safeguard holds have to offer, you need to meet a few requirements. These are:

Something that you do need to be aware of is that safeguards holds are applied to Windows Update for Business deployments by default. This is to ensure that your environment can benefit from optimal user experience and so opting out or doing manual updates is not recommended. However, in strict IT environments and for validation purposes you may still do that.

Keep track of safeguard holds reporting

One thing that you’ll want to do to stay up to date is to be meticulous about verifying safeguard hold records. When a safeguard hold is put in place, you can go to the M365 Admin Center or the Known Issues sections of the Windows release health dashboard online to get more information about the issue in question. The system also allows you to keep track of all the devices in your environment through up-to-date reporting.

For those that use Update Compliance, you can access information regarding which devices under your management are affected by which specific safeguard holds. To do this, you’ll have to check your safeguard hold report. For those who use Intune, on the other hand, safeguard holds are now visible in the Feature Update Failures Report.

How to opt-out

If you decide to opt-out, you can do so using the Local Group Policy Editor. This can be done by following the steps given below:

  • Navigate to the Open the Local Group Policy Editor (gpedit.msc).
  • In that section, look for the policy location in the left pane of the Local Group Policy Editor.
  • Next, head over to the right pane of Manage updates in the Windows Updates section of the Local Group Policy Editor. Proceed to tap on Disable safeguards for Feature Updates.

Microsoft recommendations

Until a solution has been developed and implemented and the safeguard hold has been released, Microsoft strongly cautions against performing manual updates. If you choose to opt-out of a safeguard hold, you should do so knowing that the concerned devices will be at risk of being affected by known performance issues.

So if you have made the decision that you still want to opt out despite the risk, you should make sure that you perform rigorous tests that will help you to verify the degree of the potential impact.

There is a way, however, for you to reduce your risk of being affected by issues and still opt-out. This can be possible as long as your IT admins check in regularly with Update Compliance and the Windows release health dashboard. If you’re in this position, you can have a greater degree of security when temporarily opting out so that you can enable an update to proceed.

As mentioned previously, this is still only recommended when in strict IT environments and for validation purposes. Furthermore, you should be aware that even if you do opt out, this will be temporary and only lasts the time it takes to complete the update. So as soon as that is done, the safeguard hold is automatically reapplied.

Wrap up about Windows safeguard holds

Compatibility issues are nothing new and we’ve all probably encountered them at one point or another. The frustration that this can cause as well as the cost in productivity terms can be immense. Loss of data or connectivity from an update that hasn’t worked out can mean downtime for the affected users.

That is why Microsoft has developed a service that is capable of monitoring quality and compatibility. Having this data means that issues can be swiftly identified and thus limit the number of devices that are affected.

In addition, the fact that this data is obtained from various sources including clients and Microsoft partners enables the creation of a very comprehensive compilation of information. Once issues are identified, safeguard holds are applied to allow for an investigation to take place, and a solution to be developed and applied. I think it’s pretty safe to say that safeguard holds can go a long way in giving users a streamlined experience and IT greater peace of mind.

Microsoft Defender for Endpoint Tamper Protection Extends Client Coverage

Every business needs to be on top of its game when it comes to matters of the security of its IT infrastructure. Because even the smallest of vulnerabilities can be exploited to devastating effect. And Microsoft Defender ATP is ready to mitigate those risks.

Not recognizing these risks can potentially cause the shutting down of a business, at best temporarily. And research has shown that the cost of downtime to a company can quite easily run into hundreds of thousands of dollars.

As we can all imagine, the losses that a business would suffer would be colossal, to say the least. Hence the need to enhance one’s security to keep bad actors at bay. By using Tamper Protection, you immediately strengthen the security of your business.

Why Tamper Protection?

Arguably the greatest challenges to an organization’s IT infrastructure come in the form of malware or malicious apps that tamper with your security settings and potentially create vulnerabilities in your system.

With these changes having been made, your organization becomes a significantly easier target for cybercriminals. It is with this in mind that Microsoft introduced Tamper Protection two years ago.

Simply put, and as the name itself implies, the Microsoft Defender ATP feature essentially locks Microsoft Defender thus preventing anyone from tampering with your security settings. Including modifications that may be made by administrators.

As a key element of Microsoft’s security strategy, Tamper Protection helps to ensure that Windows 10 clients do not need third-party anti-virus software.

However, Tamper Protection does not have an impact on third-party antivirus registration. So this means that third-party antivirus offerings will still register with the Windows Security application. By using Tamper Protection, you can prevent the following:

  • Deactivation of virus and threat protection.
  • Deactivation of real-time protection.
  • Disabling of behavior monitoring.
  • Disabling antivirus (such as IOfficeAntivirus (IOAV))
  • Blocking of cloud-delivered protection.
  • Removal of security intelligence updates.

Extending client coverage

With the obvious benefits that Tamper Protection brings to any organization, it only makes sense to try and extend coverage wherever possible. And this is what Microsoft did with their announcement in September last year.

This feature was extended to cover ConfigMgr 2006-only clients on both Windows 10 and Windows Server 2019, delivered via Tenant Attach. To enable Tenant Attach, the process is fairly straight forward and you can find the instructions provided here.

Having done that, you can then go to Endpoint security > Antivirus in the MEM admin center. From there you can proceed to create and deploy the Tamper Protection setting. After that, you’ll then need to configure the aforementioned setting.

This you will then deploy to a Configuration Manager collection of devices. If you want to view the policy status, go to the Monitoring > Deployments section which you find in ConfigMgr. However, you can also find it in the policy status in the Endpoint Manager Admin center

Utilizing Tenant Attach

Tenant Attach provides a method for attaching your ConfigMgr hierarchy to your tenant and leverages the capabilities available from the cloud. This includes things such as discovering cloud users and groups, synchronizing Azure AD groups from a device collection, etc.

Moreover, you can sync your on-prem only ConfigMgr clients into the MEM admin center thus enabling the delivery of Endpoint security configuration policies to your on-prem clients.

With this tool, a device does not necessarily have to be enrolled in Intune. In fact, it can be managed by either ConfigMgr or Intune. Alternatively, devices can also be co-managed.

Management of Tamper Protection

In addition to managing Tamper Protection using tenant attach as described above, there are a few other management options available. These are:

  1. Management of Tamper Protection using the Microsoft Defender Security Center. You can turn Tamper Protection on or off for your tenant via the Microsoft Defender Security Center. This option is on by default for all new deployments and the setting is applied tenant-wide. So it affects all devices that are running Windows 10 or Windows Server 2016 or Windows Server 2019.
  2. Management of Tamper Protection using Intune. If your organization’s subscription includes Intune then Tamper Protection can be turned on or off in the Microsoft Endpoint Manager admin center.
  3. Management of Tamper Protection on an individual device. Tamper Protection can be managed via the Windows Security app by individuals who are either home users or are not under settings managed by a security team. To do this, however, you need to have the appropriate admin permissions on your device to change security settings.

Keeping track of security data

Having preventive measures in place does not negate the need for constantly reviewing the security information.

You need to regularly check what is going on within your system so that you can stay on top of things because several tampering attempts are usually a sign of something bigger. And that may potentially be a bigger cyberattack.

Cybercriminals can attempt to alter your organization’s security settings as a way to persist and stay undetected.

Therefore, in every business, security teams should review information about such attempts, and then take the appropriate actions to mitigate threats.

The system is designed to raise alerts in the Microsoft Defender Security Center when tampering attempts are made. By utilizing tools such as endpoint detection and response and advanced hunting capabilities, you can investigate further and then implement the necessary measures to address the problem/s.

Wrap up

Microsoft is looking to tackle the surge in cybercrime head-on. Bad actors are constantly seeking out weaknesses in organizations’ systems and occasionally they find them. This is why businesses need to leverage the next-gen security strategies that Microsoft can offer.

With features like Tamper Protection, you get additional security to help your organization block nefarious elements from altering your security settings and leaving you vulnerable. Advanced breaches and increasing incidences of ransomware campaigns need all businesses to start getting proactive about their security. Otherwise, the consequences could prove to be very costly.

Microsoft Endpoint Manager – New, Exciting Features To Know About

When it comes to Microsoft Endpoint Manager (MEM), there’s always a steady stream of new features that clients should be paying attention to.

Technology is constantly changing and the products that we use need to improve as well. Especially if we consider the recent surge in cybercrime as seen in the FBI’s 2020 internet crime report.

No business is immune and as such, technology companies have to consistently enhance their products to ensure that clients’ data is secure. With security in mind, let’s take a look at the exciting new features that Microsoft is bringing to the MEM platform.

Enhancing security through Microsoft Endpoint Manager filters

Microsoft Endpoint Manager has now made it possible for IT admins to use filters to target apps, policies, and other workload types to specific devices.

By utilizing these filters, IT admins get more flexibility and can better protect data within applications, simplify app deployments, and speed up software updates.

Furthermore, it is now easier for admins to comply with their organizational policies and compliance requirements by deploying:

  • A Windows 10 device restriction policy only to the corporate devices of users in a particular department without including personal devices,
  • An iOS app to only the iPad devices for users in another department,
  • An Android compliance policy for mobile phones to all users in the company but exclude Android-based meeting room devices that don’t support the settings in that mobile phone policy.

To see how to make use of these filters, check out this video.

Windows 10 Enterprise multi-session support

Windows 10 Enterprise multi-session is a new Remote Desktop Session Host exclusive to Windows Virtual Desktop on Azure which allows multiple concurrent user sessions. Additionally, with this feature, users get the benefit of a familiar Windows 10 experience. In addition, IT can benefit from the cost savings that a multi-session allows and use existing per-user Microsoft 365 licensing.

By leveraging Intune, you can manage multi-session remote desktops with device-based configurations like a shared, user-less Windows 10 client. Moreover, you can enroll Hybrid Azure AD joined VMs in Intune automatically and target with OS scope policies and apps.

This means that now you can:

  • Host multiple concurrent user sessions using the Windows 10 Enterprise multi-session SKU exclusive to Windows Virtual Desktop on Azure.
  • Manage multi-session remote desktops with device-based configurations like a shared, user-less Windows 10 Enterprise client.
  • Automatically enroll Hybrid Azure AD-joined virtual machines in Intune and target them with device scope policies and apps.

Policy management made simpler

Using the settings catalog simplifies the process of customizing, setting, and managing device and user policy settings. Remember, managing policy configuration through custom Open Mobile Alliance Uniform Resource Identifier (OMA-URI) policy is not the easiest of tasks to undertake.

Moreover, what the 2105 service release does is support your move from Group Policy Objects (GPO) or custom OMA-URI to cloud-based consolidated policies.

Clients will be happy to note that 5,000 settings have been added to the settings catalog for Edge, Office, and OneDrive, including additional settings for macOS and Windows.

Microsoft Tunnel Gateway changes

There are a couple of changes to note for the Microsoft Tunnel Gateway:

  • Microsoft Tunnel Gateway (MTG) is now out of preview and thus is generally available. However, while the MTG server component is out of preview, the following Microsoft Tunnel apps are not – Microsoft Tunnel standalone app (for both Android and iOS) and Microsoft Defender for Endpoint with support for Microsoft Tunnel for Android.
  • Custom setting support in VPN profiles for Microsoft Tunnel for Microsoft Defender for Endpoint for Android. New changes here mean that you can now use custom settings in the VPN Profile for Microsoft Tunnel to configure Microsoft Defender for Endpoint when using the Microsoft Defender for Endpoint as your Microsoft Tunnel client app for Android and as an MTD app.

Device security with Microsoft Endpoint Manager

Another update that is certain to make MEM clients happy is that conditional access on Jamf-managed macOS devices for Government Cloud is now available.

By using Intune’s compliance engine, you can now evaluate Jamf-managed macOS devices for Government Cloud.

All one has to do to achieve this is to activate the compliance connector for Jamf. The steps on how to do that can be found here.

New Microsoft Endpoint Manager settings available

There are new settings now available when creating a device restrictions policy for iOS/iPadOS (14.5 devices and newer). Moreover, these are the updates that have been introduced:

  • Block Apple Watch auto unlock: You can set this to Yes and this will prevent users from unlocking their device with Apple Watch.
  • Allow users to boot devices into recovery mode with unpaired devices: If you want to allow users to boot their device into recovery with an unpaired device, you can set this one to Yes.
  • Block Siri for dictation: To disable connections to Siri servers so that users can’t use Siri to dictate text, set to Yes.

To view these settings you can go here.

App management

Clients will now get new tiles that show the number of app installation failures for the tenant. You can find these in the Home, Dashboard, and Apps Overview panes. All one has to do is follow a few simple steps:

  • Go to the Microsoft Endpoint Manager admin center,
  • To view the Home pane select Home,
  • Alternatively, if you want to view the Dashboard pane select Dashboard.
  • And to view the Apps Overview pane, select Apps > Overview.

Wrap up

Microsoft Endpoint Manager has many different ways that various companies can use it. It gives you a fantastic platform to gather end-point information. Also, it gives you the ability to push out Microsoft Desktop apps, Microsoft Edge as well as several other apps. And by consistently updating the features, Microsoft can help your business to operate more efficiently and enhance your data security and privacy.

Why Cloud Management Gateway Is So Important Now

With the prevailing global situation requiring more and more people to work from home, businesses need to ensure that productivity does not suffer. And to do that, you need to effectively manage remote devices. Hence the need for technology such as the Cloud Management Gateway (CMG).

By utilizing the CMG, your business has an alternative to IBCM that most would consider a significant upgrade. This creates a favorable environment that allows your organization to eliminate the obstacles of having a remote workforce. Needless to say but the CMG can play a massive role in your organization and its importance is certainly worth discussing.

Requirements

Before you can use the Cloud Management Gateway you need to meet the following requirements:

  • An Azure subscription to host the CMG,
  • You need a Full administrator or Infrastructure administrator user account in Configuration Manager,
  • During the initial creation of certain components, the participation of an Azure admin is needed,
  • You need at least one on-premises Windows server to host the CMG connection point,
  • A server authentication certificate for the CMG,
  • There needs to be an integration of the site with Azure AD to deploy the service with Azure Resource Manager,
  • Depending on your client OS version and authentication model, other certificates may be required,
  • Clients are required to use IPv4.

When is it useful?

There are several scenarios where the CMG could come in handy and they include the following:

  • For management of traditional Windows 10 clients using modern identity which can either be hybrid or pure cloud domain-joined with Azure AD.
  • For management of traditional Windows clients with Active Directory domain-joined identity. The clients included are Windows 8.1 and Windows 10.
  • For installation of the Configuration Manager client on Windows 10 devices over the internet.
  • For new device provisioning with co-management.

Benefits to your business

CMG enables your Enterprise admins to perform several actions. Among the things they can do, they can manage the following over the internet:

  • Push software updates and enable endpoint protection,
  • Inventory and client status,
  • Compliance settings,
  • Software distribution,
  • Windows 10 in-place upgrades,
  • Manage branch office devices over less expensive internet instead of across expensive WAN or VPN connections.

Eliminates complications

Although Internet-based client management (IBCM) has been around for years, a lot of users tend to find it complicated. CMG aims to be a simpler solution. It is an Azure-hosted service that manages internet-based clients through a new role called the cloud management gateway connector point.

By adding the CMG to your environment, you’ll get an intermediary cloud solution. And this can be your bridge to a full cloud management solution of your Windows 10 devices through Microsoft Intune.

Also, your organization doesn’t need to expose on-premises infrastructure to the internet and neither will you require additional infrastructure. So by using the CMG, you get rid of a lot of what users don’t like about IBCM.

Manage internet clients

Cloud Management Gateway helps you to easily and effectively manage clients that are on the internet. Often, there are going to be events in your environment that will require a swift response.

However, previously this was problematic for clients that would not be currently on-premises. By leveraging the CMG, you can manage clients all over the world as long as they have an internet connection.

Furthermore, it doesn’t require you to buy any additional IT infrastructure. So unlike IBCM that would need additional hardware that you need to maintain, for the CMG you just need to have Azure.

Strengthen your security

The moment you have systems that are not directly connected to your IT infrastructure, your data security is at an increased risk. This is particularly evident with remote work.

Although a lot of businesses have responded by using VPNs, you cannot adequately protect workstations through VPN channels. Hence the importance of the Cloud Management Gateway.

With it, you can better manage devices connected to the Internet and thus improve your corporate security posture. This is further enhanced by the fact that you can leverage Microsoft Azure services so that there is no need to expose your infrastructure to the internet.

Cost management

Whenever you use cloud services, you will incur costs associated with your usage. And the Cloud Management Gateway is no exception. Fortunately for clients, Microsoft intends to help you to keep those costs under control. You can do this through client settings, for instance, where you can determine which clients can access the CMG.

Another feature you can leverage is virtual machine configuration. The latter enables you to choose between 1 and 16 virtual machines per instance of Cloud Management Gateway. Also, if you want to, you can stop the CMG so that it’s no longer serving clients.

Therefore, to optimize user experience for all clients, the CMG helps to reduce the unavoidable costs that come with cloud services.

Constantly evolving

Another reason why the CMG is so important is how the technology is constantly evolving. There has been a lot of innovation taking place such as the ability to automatically do a client install through the CMG.

This is a great option to have because it eliminates the need for the client to be on the intranet. In addition, the platform is adaptable to your organization’s needs. So it can handle several scenarios such as:

  • Traditional PC management (Windows 7, 8.1, 10),
  • Modern PC management (Windows 10 with modern identity),
  • Internet client installs.

Wrap up

Every organization should be looking for ways to make the most of its IT investments. Thus from the information available, we can see that every environment that uses ConfigMgr can benefit from using the Cloud Management Gateway. And you can leverage the CMG for clients all across the globe. The convenience that this provides you cannot be overstated. As the world changes and technology evolves, we need platforms that can help organizations to become more efficient and enhance productivity.

Microsoft Endpoint Manager: Benefits of Being Able to View Hardware Inventory in MEM

In July 2020, Microsoft announced the release of update 2007 for the Technical Preview Branch of Microsoft Endpoint Configuration Manager (MECM). And with that, came a feature that now allows you to view hardware inventory for a tenant-attached Configuration Manager device in the admin center. With most pieces of hardware in offices today being connected to the internet, being able to view hardware inventory is extremely important. Microsoft Endpoint Manager (MEM) now offers that capability and thus gives your business several advantages.

Getting set up

Before you can use this feature, there are several requirements that you will need to meet:

  • You need to have an environment that’s tenant attached with uploaded devices,
  • You need either Microsoft Edge (version 77 and later) or Google Chrome,
  • You need a user account that has been discovered with both Active Directory user discovery and Azure Active Directory (Azure AD) user discovery. Simply put, this means that the user account should be a synced user object in Azure.

In addition, the user account will require the following permissions:

  • Admin User role for the Configuration Manager Microservice application in Azure AD. This role will be added in Azure AD from:

Enterprise applications  >  Configuration Manager Microservice  >  Users and groups  >  Add user.

If you have Azure AD premium, groups will be supported.

Network security

The security of your network should be something of great concern. Especially in a world where cybercrime is increasing at an alarming rate. Having said that, we can begin to see why a hardware inventory in MEM feature could come in very handy.

Keeping track of all the hardware in your organization is no mean feat. Particularly for businesses that have also employed bring-your-own-device (BYOD) policies.

You need to have a system that can readily provide you with the necessary information on all devices. This helps your IT team to maintain high levels of network security, prevent breaches, and manage any potential issues that may arise.

Optimize productivity

By leveraging the hardware inventory feature in Microsoft Endpoint Manager, you can keep track of how devices are performing. The last thing your business needs is to have computers worth tens of thousands of dollars operating at subpar levels.

With accurate information on hardware inventory, you can easily see how the devices in your organization are performing. You can then address any issues that may arise to streamline productivity from top to bottom. If you are going to invest in expensive, high-tech devices, you need them to operate as they should.

Reduce overhead costs with Microsoft Endpoint Manager

Well-managed IT infrastructure can help your organization to reduce overhead costs. The ability to view hardware inventory in MEM is going to give IT a bird’s eye view of all your IT infrastructure. And this enables you to effectively manage all hardware from procurement till retirement.

Doing this will cut your costs by doing away with issues such as IT overspend and non-compliance. Working in this manner will fully optimize your productivity, as mentioned above.

Lifecycle management

MEM’s view hardware inventory feature helps you to keep track of hardware from purchase, how it is used, and finally to its retirement. With this kind of actionable data readily available, it simplifies the decisions you make in the future. such as new purchases and upgrades.

Moreover, you can easily keep track of contracts with vendors. This is especially helpful to know when to renew those contracts or make purchase orders. All these things add significant benefits to your business by increasing operational efficiency while minimizing risks.

Enhance IT efficiency

If there is anything that is abundantly clear from what your organization will gain from MEM’s view hardware feature it’s that it will simplify life for IT teams. Significantly. With the data available to them, it makes it far less likely for any issues to arise during audits. Also, it creates less workload by eliminating the need for manual tracking and scanning of devices. Your IT department will inevitably operate more efficiently by being able to easily keep tabs on all hardware.

Asset protection and Microsoft Endpoint Manager

Another key advantage that comes with being able to keep track of your organization’s hardware is increased asset protection. Keeping track of devices allows you to not only get performance-related data but location data as well.

And having this information will help to mitigate the risk of loss or theft of devices. Therefore, utilizing the view hardware inventory in MEM tool helps your organization to easily stay on top of the work status of an asset, its physical location, and disposition.

Better overall governance

Viewing hardware inventory is going to give you an increased degree of visibility. Because of the accurate data at your disposal concerning your IT infrastructure, you’ll have a better handle of key assets. Therefore, they are less likely to be misplaced, misused, or underutilized.

And so with all these advantages, it simplifies the process of coming up with more effective governance protocols. This is something that will hugely benefit the entire organization from top to bottom and not just your IT department.

Keeping track of assets with Microsoft Endpoint Manager

There’s no denying that keeping tabs on your hardware is just as essential and important as the software management side of things. After all, technology is a huge investment for any business. And so how you keep track of your hardware will inevitably affect your bottom line.

Having real-time, accurate information about your assets goes a long way in the optimization of productivity. Not to mention enhancing the overall security of your business. Viewing hardware inventory in Microsoft Endpoint Manager is an incredible tool that should help your business become more efficient. The benefits are clear for us all to see.

Microsoft Endpoint Configuration Manager: Latest Improvements to the Product Lifestyle Dashboard

Information is key for any business to function optimally. That is why there is such a massive increase in the use of big data during the last decade. But, this information is not only that which you can obtain externally. It’s also information concerning your internal operations. And this is where Microsoft’s Product Lifecycle Dashboard enters the fray. It simplifies the way your organization functions in a big way. By providing you with information concerning all the products that you have installed on devices that are managed by Microsoft Endpoint Configuration Manager, tracking is simple. This is a fantastic feature that has fresh improvements, too. We’ll be going over all the latest below.

Getting started with Microsoft Endpoint Manager

Microsoft made a few changes over the years. And from version 1806 you’ll now be able to use the Configuration Manager product lifecycle dashboard to view the Microsoft Lifecycle Policy. So what exactly does this ‘dashboard’ do?

The Product Lifecycle Dashboard is a management tool. It shows the state of the Microsoft Lifecycle Policy for any Microsoft products installed on devices managed with Microsoft Endpoint Configuration Manager.

Not only that, but you also receive data concerning the various Microsoft products in your environment. This includes supportability state, and support end dates. Therefore by using both Asset Intelligence and the Asset Intelligence Synchronization Point, the dashboard can give you a clear overview of the lifecycle of each product.

By using the dashboard, you can easily find out what support is available for each product. With this information in hand, it will allow you to plan accordingly and update all products before their support expires. And then from version 1810, the dashboard also adds information for System Center 2012 Configuration Manager and later.

What are the requirements?

As a product continues to improve, the requirements to use that product will also expectedly change. For you to see data in the product lifecycle dashboard, you need the following:

  • Internet Explorer 9 or later
  • You need to install and configure a service connection point role. And the latter must be online or synchronized regularly if offline.
  • For hyperlink functionality in the dashboard, you need a reporting services point.
  • You need to configure and synchronize the asset intelligence synchronization point.

Using the dashboard

This tool looks to make it easier for your organization to have access to up-to-date data about the products that you are using. And by leveraging the inventory data that the site collects from managed devices, the dashboard displays information about all current products. However, not all versions are supported. Only Windows Server 2008 and later, Windows XP and later, SQL Server 2008 and later, will have information displayed for OSs and SQL Server. To access the lifecycle dashboard in the Microsoft Endpoint Configuration Manager console:

1) Go to the Assets and Compliance workspace,

2) Expand Asset Intelligence,

3) Select the Product Lifecycle node.

What else do you get?

Clients will find that from the newer version of SCCM 1902, they’ll get information for installed versions of Office 2003 through Office 2016. And this data is available after the site runs the lifecycle summarization task, which is something that occurs every 24 hours. In addition, you can also benefit from using the dashboard even if you don’t have Configuration Manager. You can use Azure Monitor Logs to provide a Dashboard to help with managing the supportability of your environment.

Upgrading products with Microsoft Endpoint Manager

Taking a simple look at your dashboard will allow you to see any products that need to be updated urgently. When you have several computers to deal with and you need to know which ones need upgrades, all you need to do is click on the hyperlinks in the Number in environment column and that will show you a report.

And doing this will direct you to the Lifecycle 01A – Computers with a specific software product report. This is a huge improvement when you consider that in the past you had to investigate problem clients individually to find out whether or not an upgrade was needed.

Reports in the product lifecycle set

In addition to the dashboard, you have additional reports that are available as well. These you’ll find in the Microsoft Endpoint Configuration Manager console, where you then go to Monitoring workspace and you expand Reporting. The new reports, which are found under the Asset Intelligence category are as follows:

  • Lifecycle 01A — Computers with a specific software: See a list of computers/pcs on which a specified product is detected.
  • Lifecycle 02A — List of machines with expired products: This report, which you can filter by product name, shows you all the computers/pcs which have expired products on them.
  • Lifecycle 03A — List of expired products found: See details for products in your ecosystem that have expired lifecycle dates.
  • Lifecycle 04A — General Product Lifecycle overview: Here you can see a list of product lifecycles and filter by product name and days to expiration.
  • Lifecycle 05A — Product lifecycle dashboard: From version 1810, this report will have similar information as the in-console dashboard. All you have to do is choose a category to view the products in your environment as well as the days of support remaining.

Wrap up about Microsoft Endpoint Manager

Every organization needs products that will help them to optimize their time. And as the number of available products increases, the choice of which product to go for becomes harder. Microsoft’s Product Lifecycle Dashboard gives your business many benefits that businesses have needed for a long time.

Reduce the time you spend trying to keep track of all the products you have installed on countless devices with a simple, easy to use dashboard. If you’re looking for a tool that gives you a more efficient way of device management, then the Product Lifecycle Dashboard is one that is certainly worth a look.

Automate Configuration Manager Application Creation

A simple script example to automate the application creation process in ConfigMgr or Configuration Manager.

RebootBehavior set to NoAction, Accepted values: BasedOnExitCode, NoAction, ForceReboot, ProgramReboot
AutoInstall $true – indicates whether a task sequence action can install the application
Added Action to Distribute the Content to the DP Group at the end

Configuration Manager Checklist:

  • Application Name
  • With a deployment type: Same application name
  • Content Location
  • Installation Program
  • Uninstall program
  • Repair Program
  • Detection method (a specific MSI Product code)
  • User expierence: Install for system if resource is device; otherwise install for user
  • Logon requirement: weather or not a user is logged on

    Published on Github:

https://github.com/ThomasMarcussen/assortedScripts/blob/master/Create_SCCMApplication_1.0.1.ps1