There a several ways on using an external IP in Azure, What method to use is up to you. Remember there is no good or wrong but only different opinions or insights on how to use it.
Public IP addresses allow Internet resources to communicate inbound to Azure resources. Public IP addresses also enable Azure resources to communicate outbound to Internet and public-facing Azure services with an IP address assigned to the resource. The address is dedicated to the resource, until it is unassigned by you. If a public IP address is not assigned to a resource, the resource can still communicate outbound to the Internet, but Azure dynamically assigns an available IP address that is not dedicated to the resource.
Some of the resources you can associate a public IP address resource with are:
- Virtual machine network interfaces
- Internet-facing load balancers
- VPN gateways
- Application gateways
- Azure Firewall
- NAT Gateway
Matching SKUs must be used for load balancer and public IP resources. You can’t have a mixture of basic SKU resources and standard SKU resources. You can’t attach standalone virtual machines, virtual machines in an availability set resource, or a virtual machine scale set resources to both SKUs simultaneously.
Virtual Network NAT (network address translation) simplifies outbound-only Internet connectivity for virtual networks. When configured on a subnet, all outbound connectivity uses your specified static public IP addresses. Outbound connectivity is possible without load balancer or public IP addresses directly attached to virtual machines. NAT is fully managed and highly resilient.
So this is only for the Outbound connection. why not use the Resource group IP this is also “static” ? using this IP means that al VM’s must be in the same resource group and when the resource group changed the IP is also changing.
NAT is compatible with standard SKU public IP address resources or public IP prefix resources or a combination of both. You can use a public IP prefix directly or distribute the public IP addresses of the prefix across multiple NAT gateway resources. NAT will groom all traffic to the range of IP addresses of the prefix. Any IP whitelisting of your deployments is now easy.
So How to implement this. a step by step guide. GUI and powershell Looking at my demo setup, There are 2 vm’s both in a different Resource group.
Setting up the NAT gateway is done by 3 tabs to fill in the name and what vnet to use
We add a new NAT gateway.
We create a new resource group and choose NAT gateway name.
The Timeout we leave this on 4 min for now.
We configure an external IP and with a standard SKU. Basic is not supported.
the next step is choose the External outbound IP pool minimal is 2 and max is 256. this is not needed but only if you want to have a pool of External IP’s else it just go the one external ip
you can select max 2 prefixes
Configure which subnets of a virtual network should use this NAT gateway. Subnets with Basic load balancers or virtual machines that are using a Basic public IP are not compatible and cannot be used.
Note: While you do not have to complete this step to create a NAT gateway, the NAT gateway will not be functional until you have added at least one subnet. You can also add and reconfigure which subnets are included after creating the NAT gateway.
in the last step we tag the NAT gateway to a subnet. When checking the VM’s on this subnet for the outbound IP ( remember the VM does not need a public IP on the network card)
Here I have 2 VM’s getting both an IP from the prefix
If there is only a small prefix then both machines will get the same external outbound IP
With this time flow it recycles the External IP, depending on the scope and usage.
So in just a few steps you can use a useful gateway for all your outbound traffic.
Building this in Powershell is also easy. I use a semi automatic script as I want to choose my network. but you can change this to a fixed network if you want.
remember this will need the az.network latest module. in the old modules there is no get-AzNatGateway command. without this the posh is not working.
First we have some parameters
# Set the variables for the NAT Gateway.
$rg = ‘rg-rsm-natgw001’
$Location = ‘Westeurope’
$sku = ‘Standard’
$PublicIpname = ‘pup-rsm-natgw001’
$Publicprefixname = ‘pxp-rsm-natgw001’
$NatGatewayname=’gwn-rsm-natgateway001′
#create Rsource group
New-AzResourceGroup -Name $rg -Location $Location
First we make some external IP and or a range.
#create Standard SKUP public IP
$publicIP = New-AzPublicIpAddress -Name $PublicIpname -ResourceGroupName $rg -AllocationMethod Static -Location $Location -Sku $sku
$publicIP | Select-Object Name, ResourceGroupName, IpAddress, IdleTimeoutInMinutes, ProvisioningState
With the Zone attribute you can create zone redundancy, but this is not needed for this resource.
#create IP prefix ( how many IP’s are needed)
$publicIPPrefix = New-AzPublicIpPrefix -Name $Publicprefixname -ResourceGroupName $rg -Location $Location -PrefixLength 29
$publicIPPrefix | Select-Object Name, IPPrefix, PrefixLength, ProvisioningState
You can skip this if you want only one external IP.
Next is creating the gateway.
#Create NAT gateway
$natGateway = New-AzNatGateway -Name $NatGatewayname -ResourceGroupName $rg -PublicIpAddress $publicIP -PublicIpPrefix $publicIPPrefix -Location $Location -Sku $sku -IdleTimeoutInMinutes 4
$natGateway | Select-Object Name, ResourceGroupName, IdleTimeoutInMinutes , SKuText | Format-table -autosize –wrap
Now that the Gateway is created we can add a subnet to this. I used a point an click so that I can choose the network and subnet. but you can also use a variable to do this.
$virtualNetwork = Get-AzVirtualNetwork | Out-GridView -PassThru -Title "Pick the vnet that will be used for the NAT gateway"
$NATSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $virtualNetwork | Out-GridView -PassThru -Title "Pick the Subnet that will be used for the NAT gateway"
$NATSubnet.NatGateway = $natGateway
$virtualNetwork | Set-AzVirtualNetwork
The network is chosen and the subnet is selected.
In the Azure portal you can see the result.
Follow Me on Twitter @ClusterMVP
Follow My blog https://robertsmit.wordpress.com
Linkedin Profile Robert Smit MVP Linkedin profile
Google : Robert Smit MVP profile
Like this:
Like Loading...
If you do a lot with Azure and PowerShell you may noticed that the latest module is important. as functions may not be there or properties are not listed correctly.
There are plenty of scripts around on how to update these modules.
With the Get-InstalledModule you will get a list of the modules on your system
When doing get module with the –listAvailable you will see all the versions
Get-Module -Name az.* -ListAvailable
here is the powershell code Like I said before there are tons of the same scripts around on github or blog post. So don’t invent the wheel again reuse and modify to your needs
Get-Module -Name az.* -ListAvailable |
Where-Object -Property Name -ne ‘Az.’ |
ForEach-Object {
$currentVersion = [Version] $_.Version
$newVersion = [Version] (Find-Module -Name $_.Name).Version
if ($newVersion -gt $currentVersion) {
Write-Host -Object "Updating $_ Module from $currentVersion to $newVersion"
Update-Module -Name $_.Name -RequiredVersion $newVersion -Force
Uninstall-Module -Name $_.Name -RequiredVersion $currentVersion -Force
}
}
Running this can tike some time as you can see In this case I have a lot of old and new modules and these are being updated to the latest versions
When updating this I had some PowerShell windows still open and got some errors, you can also do this by hand.
For sample – Install-Module -Name Az.Accounts -RequiredVersion 1.8.0 –Force
Hope this helps you to a better Azure PowerShell experience.
Follow Me on Twitter @ClusterMVP
Follow My blog https://robertsmit.wordpress.com
Linkedin Profile Robert Smit MVP Linkedin profile
Google : Robert Smit MVP profile
Like this:
Like Loading...
When starting With Azure The Costs are important. If you have created a lot of resources you might want to know who owns the resources or what is the purpose of this resource.
Resource management: Your IT teams will need to quickly locate resources associated with specific workloads, environments, ownership groups, or other important information. Organizing resources is critical to assigning organizational roles and access permissions for resource management.
Tagging resources is the way to find the resource and keep it with the purpose that you used it for. but over time things may change or added.
There are tons of reasons why you should use Tagging
- Cost management and optimization
- Cloud accounting models
- ROI calculations
- Cost tracking
- Budgets
- Alerts
- Recurring spend tracking and reporting
- Post-implementation optimizations
- Cost-optimization tactics
- Operations management
- Security
- Governance and regulatory compliance
- Automation
- Workload optimization
That way items in your resource groups may be un tagged. You can set policys for this but when there is some wild resource you might wan to check it first be for tagging.
As you can see the TAG’s are not applied to all the resources.
When you check the cost on the tag or on the resource group you will see different numbers. For adding the tag to all resources in the Resource group We use a PowerShell line.
First we connect to the Azure subscription or use the CLI
Connect-AzAccount
Login-AzAccount
Get-AzSubscription
Select-AzSubscription -Subscription "Microsoft Azure”
We select the resource group.
$RG = "rsmvprsg01"
When we check that resource group it has a tag. So there is no need to set an tag unless you want to set an extra tag to the resources.
Now We are setting the tag to all the resources that are in the resource group. Get-azresourcegroup and set the TAG.
$group = Get-AzResourceGroup -Name $rg
Get-AzResource -ResourceGroupName $group.ResourceGroupName | ForEach-Object {Set-AzResource -ResourceId $_.ResourceId -Tag $group.Tags -Force }
When looking in the Billing you might not see this directly
Drilling down on the resource you can see it is set.
If you did not had set the Tags then you need to define a tag first.
#Force Tags to all resources
#set tag no pre defined
Set-AzResourceGroup -Name $rg -Tag @{ env="Robert Smit"; RSM="ClusterMVP" }
- Define what each tag should be used to identify. Tag name : The exact term used for the tag, e.g. “Application” , “Department” , “Project”
Values: List all potential values for each tag name, e.g. “finance”, “website” , “name”
- Tag names can have up to 512 characters, values can have up to 256
- These characters aren’t supported with tags: < > % & / ?
$group = Get-AzResourceGroup -Name $rg
Get-AzResource -ResourceGroupName $group.ResourceGroupName | ForEach-Object {Set-AzResource -ResourceId $_.ResourceId -Tag $group.Tags -Force }
And you can do this also with the Azure CLI
Open the CLI in the Azure portal
I’ll use the same settings
env="Robert Smit"; RSM="ClusterMVP"
az tag create –name Env
az tag add-value –name Env –value "Robert Smit”
Now that the Tags are created we can add them to a resource group
az group update -n rsmdemo01–set tags.Env="Robert Smit" tags.MVP=ClusterMVP
Is sett two tags but you can set just one or multiple.
Enforce tagging rules with Azure policies can done easily as there are many examples here https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-policies
Assign policies for tag compliance
The Link will take you to the Github repository https://github.com/Azure/azure-policy
Follow Me on Twitter @ClusterMVP
Follow My blog https://robertsmit.wordpress.com
Linkedin Profile Robert Smit MVP Linkedin profile
Google : Robert Smit MVP profile
Like this:
Like Loading...
ALTARO Software – Webinar
Critical Security Features in Office/Microsoft 365 Admins Simply Can’t Ignore
According to reports, since COVID-19 forced millions to work remotely, hackers have been taking this opportunity to exploit new vulnerabilities that have arisen. If your business uses Microsoft 365 or Office 365 to support remote workers, you need to be sure your security is as strong as it can be to avoid becoming another statistic in the coronavirus hackers hit list.
Office/Microsoft 365 has a serious amount of in-built security measures, but it’s not straight forward to enable them and ensure they are all configured correctly for your requirements. A free upcoming webinar from Altaro on May 27th is a must-attend event for all users of Office/Microsoft 365, even more so due to current concerns over COVID-19 exploits.
Presented by Microsoft MVP Andy Syrewicze and Altaro Technical Consultant and former Microsoft Senior Technical Evangelist Symon Perriman, this live demo webinar covers security features in the Office 365 stack that every administrator should be using including Azure AD, EMS Suite, Secure Score, Licensing for Security Features, and more!
As usual, Altaro hosts the webinar live twice on the same day to give as many people as possible the chance to attend live and ask their questions to the presenters. The first is at 3pm CEST/ 9am EDT/6am PDT and the second at 7pm CEST/ 1pm EDT/ 10am PDT. Both sessions have the same content so just choose the session with the best time for you. I’ll be attending so I’ll see you there!
Webinar Title: Critical Security Features in Office/Microsoft 365
Date: Wednesday, May 27, 2020
Time: Webinar presented live twice on the day.
Choose your preferred time:
· 3pm CEST / 6am PDT / 9am EDT
· 7pm CEST / 10am PDT / 1pm EDT
Save my seat.
Thanks for visit my blog
Robert
https://robertsmit.wordpress.com/
Like this:
Like Loading...
For some time I see all kinds of options to use Azure files, have some great ideas and thoughts. Connecting this over the vpn of use the azure files with a dfs. Useful maybe ? fun absolutely building things just a way that is maybe a bit different is fun and you may see other opportunities on how to use the resources.
Using Azure Files is not new, But using Azure files with Active directory Authentication is a long waited feature and now that it is GA we can use this.
Azure Files is a shared storage service that lets you access files via the Server Message Block (SMB) protocol, and mount file shares on Windows, Linux or Mac machines in the Azure cloud.
Azure Files supports identity-based authentication over Server Message Block (SMB) through two types of Domain Services: Azure Active Directory Domain Services (Azure AD DS) (GA) and Active Directory (AD).
Azure file shares only support authentication against one domain service, either Azure Active Directory Domain Service (Azure AD DS) or Active Directory (AD).
AD identities used for Azure file share authentication must be synced to Azure AD. Password hash synchronization is optional.
AD authentication does not support authentication against Computer accounts created in AD.
So what would be the option to use this, As a Cloud file share, in WVD or RDS, you can connect this directly to your clients if needed.
AD authentication can only be supported against one AD forest where the storage account is registered to. You can only access Azure file shares with the AD credentials from a single AD forest by default. If you need to access your Azure file share from a different forest
Azure Files supports Kerberos authentication with AD with RC4-HMAC encryption. AES Kerberos encryption is not yet supported.
So how to start with Azure Files. In this blog post I created a Powershell script that does the most of the Config to get you started with Azure Files.
First we need to address some parameters
#ResourceGroup name and location
$RG="rsg-blog-fileshare20"
$Location="eastus2"
$storageaccount="storfileserver20"
$shareName = "blogshare01"
These basis are needed to create the Azure resources but there is also a Special PowerShell module needed AzFilesHybrid Download and unzip the AzFilesHybrid PowerShell module
This module can be download from github and extracted on your machine
You may need to set the executionPolicy
#Azure file modules
#Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Currentuser
cd c:\AzFilesHybrid
Unblock-File .\CopyToPSPath.ps1
.\CopyToPSPath.ps1
The CopyToPSPath.ps1 will load the modules that are needed for this.
Our next step is importing the module AzFilesHybrid
Import-Module -name AzFilesHybrid -Force
Our next step is connect to our Azure subscription
#Connect to Azure
Connect-AzAccount
#Select the target subscription for the current session use your subscription ID
Get-AzSubscription
Select-AzSubscription –SubscriptionId 11111111-1111111111-111111111-11111-1
Now that the Azure subscription is connected we make a resource group and the storage account with the share.
#create Rsource group
New-AzResourceGroup -Name $RG -Location $Location
#create storage account
New-AzStorageAccount -ResourceGroupName $RG -Location $Location -Name $storageaccount -SkuName Standard_LRS -AccessTier Hot
#create storage Fileshare
New-AzRmStorageShare -ResourceGroupName $RG -StorageAccountName $storageaccount -Name $shareName -QuotaGiB 1024 #| Out-Null
Now that the storage account is created and the share we make a computer account for the AD rights, optional is the OU location where the computer account is stored.
Important action het is that this should run on a domain joined computer, as it needs to have access to the domain to create the computer account. Needless to say but you need a proper AD account to create the Computer account.
#join azure files to AD
Join-AzStorageAccount -ResourceGroupName $RG -Name $storageaccount -DomainAccountType "ComputerAccount" -OrganizationalUnitName "File Servers"
Now that the computer account is created we can move to the next steps, As I want to add a privatepoint and make sure my local DNS can find the fileshare.
So how does this look like in the Azure portal.
Here is the fileshare and file server with all the configuration options
The share is AD ready. The Option is enabled and ready to use
Now that we have the share in place we can configure the share. First we test the Connection from the Server to the Azure file share.
#test SMB connection
Test-NetConnection -ComputerName storfileserver20.file.core.windows.net -CommonTCPPort SMB
The file share can be used, but wait there is more, it al depends on your configuration. If you use the share only in Azure then DNS forwarders are not need, but just in case.
This works but we will create an endpoint now to make sure the share is not listening to all requests
You can use private endpoints for your Azure Storage accounts to allow clients on a virtual network (VNet) to securely access data over a Private Link. The private endpoint uses an IP address from the VNet address space for your storage account service. Network traffic between the clients on the VNet and the storage account traverses over the VNet and a private link on the Microsoft backbone network, eliminating exposure from the public internet.
Using private endpoints for your storage account enables you to:
- Secure your storage account by configuring the storage firewall to block all connections on the public endpoint for the storage service.
- Increase security for the virtual network (VNet), by enabling you to block exfiltration of data from the VNet.
- Securely connect to storage accounts from on-premises networks that connect to the VNet using VPN or ExpressRoutes with private-peering.
Creating the Private endpoint is a bit tricky in PowerShell and quicker in the GUI if you do this in several steps as in the blog post.
So we give the Connection a name and place it in a region
Selecting the Resource that we want to point, in this case it is the Files server and I bind this to the Network
All the steps are completed.
Now that the PrivateLink is created We add the DNS zone if not already done. this is needed when local Clients “on-premises” want to connect to the share
This DNS zone is needed as we want to access from the on-premises Machine to the Azure share. connected over the VPN tunnel. You can also choose to connect over the internet, Or have the option to add the Azure file share to the DFS
First we are making a DNS forwarder rule that is needed for the creating DNS forwarding rule set, which defines which Azure services you want to forward requests.
$ruleset=New-AzDnsForwardingRuleSet -AzureEndpoints StorageAccountEndpoint
$ruleset.DnsForwardingRules
The Core.windows.net forwarder is needed. the IP 168.63.129.16 is the Microsoft DNS
# Deploy and configure DNS forwarders
New-AzDnsForwarder -DnsForwardingRuleSet $ruleSet -VirtualNetworkResourceGroupName "rsg-vnet-sponsor01" -VirtualNetworkName "Azure-vnet-sponsor01" -VirtualNetworkSubnetName "Management"
Confirm DNS forwarders:
Resolve-DnsName -Name storfileserver20.file.core.windows.net
Make sure you configure on the on-premises DNS the Forwarder to the Azure DNS, in this case to my Azure AD VM that runs also DNS
Now that the DNS is in place we can connect to the Azure files share in the cloud but also on premises with the connection routed to the VPN tunnel instead of direct to the internet.
Setting Permissions on the Azure Files Shares is not complicated.
With the general availability of AADDS authentication for Azure Files, Microsoft introduced three Azure built-in roles for granting share-level permissions to users:
•Storage File Data SMB Share Reader allows read access in Azure Storage file shares over SMB.
•Storage File Data SMB Share Contributor allows read, write, and delete access in Azure Storage file shares over SMB.
•Storage File Data SMB Share Elevated Contributor allows read, write, delete and modify NTFS permissions in Azure Storage file shares over SMB.
Azure Files supports the full set of NTFS basic and advanced permissions. You can view and configure NTFS permissions on directories and files in an Azure file share by mounting the share and then using Windows File Explorer or running the Windows icacls or Set-ACL command.
To configure NTFS with Admin permissions, you must mount the share by using your storage account key from your domain-joined VM.
The following sets of permissions are supported on the root directory of a file share:
- BUILTIN\Administrators:(OI)(CI)(F)
- NT AUTHORITY\SYSTEM:(OI)(CI)(F)
- BUILTIN\Users:(RX)
- BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
- NT AUTHORITY\Authenticated Users:(OI)(CI)(M)
- NT AUTHORITY\SYSTEM:(F)
- CREATOR OWNER:(OI)(CI)(IO)(F)
Mount a file share from the command prompt
Use the Windows net use command to mount the Azure file share. Remember to replace the placeholder values in the following example with your own values. For more information about mounting file shares, see Use an Azure file share with Windows.
net use <desired-drive-letter>: \\<storage-account-name>.file.core.windows.net\<share-name> /user:Azure\<storage-account-name> <storage-account-key>
Configure NTFS permissions with icacls
Use the following Windows command to grant full permissions to all directories and files under the file share, including the root directory. Remember to replace the placeholder values in the example with your own values.
icacls <mounted-drive-letter>: /grant <user-email>:(f)
An other option with Azure files is Connect your Azure files to the DFS server
First I had to play a bit with the naming convention as the root of the file is not the share.
Below is the azure folder. so the share name would be \\storfileserver20.file.core.windows.net\blogshare03
As I use now the internal DNS and with the DFSN link
I can do domain name \ share and the files are being placed on the Azure file share. here you can also see that the naming is one step deeper. in the domain share name then there is the linked folder to the Azure Files.
On the time that I wrote this blog the Azure files snapshots came also GA.
there is no scheduled counter behind this. just press and shoot but with an script or automation account you can create nice solutions to keep your files save.
Hope this blog is helpful, It helped me to play with this and got some other ideas than just pasting the net use command to a device and then place the files. still there is nothing wrong with that.
Follow Me on Twitter @ClusterMVP
Follow My blog https://robertsmit.wordpress.com
Linkedin Profile Robert Smit MVP Linkedin profile
Google : Robert Smit MVP profile
Like this:
Like Loading...
For Some time it is possible to join devices to the Azure AD. Personally I know this was working for Windows 10 but Windows Server 2019, in this blog post I’ll show some ideas and thoughts. It would be nice if native Azure MFA would work to log on. Also for some options your Azure AD needs to be at least P1.
Organizations can now utilize Azure Active Directory (AD) authentication for their Azure virtual machines (VMs) running Windows Server 2019 Datacenter edition or Windows 10 1809 and later. Using Azure AD to authenticate to VMs provides you with a way to centrally control and enforce policies. Tools like Azure Role-Based Access Control (RBAC) and Azure AD Conditional Access allow you to control who can access a VM. This Blog shows you how to create and configure a Windows Server 2019 VM to use Azure AD authentication and how to remove the Azure AD join and switch back to Active directory Domain join.
The following Windows distributions are currently supported during the preview of this feature:
- Windows Server 2019 Datacenter
- Windows 10 1809 and later
So the machine below is in a workgroup but Azure AD joined. on a server is it not visible that the machine is Azure AD joined in the UI.
In the Configuration properties in an Azure VM we can set the following properties. Login with AAD credentials. This is during creation of the new VM that way the VM is directly Azure AD joined.
Just deployed a new VM. and this VM is Azure AD joined, but what if you want to domain join this machine can we do a hybrid domain join for short NO.
Remember Some options only work if you have a P1 or a P2 Azure AD license here you can find the differences https://azure.microsoft.com/en-us/pricing/details/active-directory/
Looking at the devices in the Azure AD devices we can see the Server is Azure AD Joined.
Giving Access to the VM can be based on RBAC
Two RBAC roles are used to authorize VM login:
- Virtual Machine Administrator Login: Users with this role assigned can log in to an Azure virtual machine with administrator privileges.
- Virtual Machine User Login: Users with this role assigned can log in to an Azure virtual machine with regular user privileges.
To allow a user to log in to the VM over RDP, you must assign either the Virtual Machine Administrator Login or Virtual Machine User Login role. An Azure user with the Owner or Contributor roles assigned for a VM do not automatically have privileges to log in to the VM over RDP. This is to provide audited separation between the set of people who control virtual machines versus the set of people who can access virtual machines.
Select the VM and choose IAM press Add and add role assignment. just as you do with other workloads.
Or use the Azure CLI
$username=(az account show –query user.name –output tsv)
$vm=(az vm show –resource-group rsg-adjoin001 –name 2019vmadjoin –query id -o tsv)
az role assignment create –role "Virtual Machine Administrator Login" –assignee $username –scope $vm
But what If we want to do a Domain join ?
There is no hybrid domain join and no console unjoin. Redeploy would not be the best option right.
With the DSRegCmd /Leave we can unregister the VM from the Azure AD.
now back to the Domain join without a reboot we can join the VM direct to the Classic Active directory.
Remember a reboot is needed for this.
Now the VM is normal AD joined.
This option is still in preview and after removing the Azure AD still shows that the VM is Azure Ad joined, it seems there is no trigger to remove the AADLoginForWindows extention in the VM.
The hybrid join could me a great addition to make VM’s connectable with Azure MFA. But for now we can assign policy’s and rules.
Follow Me on Twitter @ClusterMVP
Follow My blog https://robertsmit.wordpress.com
Linkedin Profile Robert Smit MVP Linkedin profile
Google : Robert Smit MVP profile
Like this:
Like Loading...
At MSIgnite 2019 was announced that SCCM is now MEMCM and that Intune and MEMCM can be managed in one portal. With the update 2002 this option is finally there. Microsoft Endpoint Manager is an integrated solution for managing all of your devices. Microsoft brings together Configuration Manager and Intune into a single console called Microsoft Endpoint Manager admin center.
Where to start with Microsoft Endpoint Configuration Manager for this update.
http://endpoint.microsoft.com/
When opening the Microsoft Endpoint Configuration Manager console the update is not there. this is the update is released in Rings and I want to download this update from the fast ring. When starting this make sure your servers are healthy and are patched. If you run a tight virus scanner on the MEMCM then you may need to disable this during the install
As the update is rolled out globally in the coming weeks, it will be automatically downloaded, and you’ll be notified when it’s ready to install from the “Updates and Servicing” node in your Configuration Manager console. If you can’t wait to try these new features, see these instructions on how to use the PowerShell script to ensure that you are in the first wave of customers getting the update. By running this script, you’ll see the update available in your console right away.
https://download.microsoft.com/download/7/c/4/7c48f2c7-f433-414b-a901-753a61c7956d/EnableEarlyUpdateRing2002.exe
After downloading and extracting the file we have a PowerShell script
Running this Powershell script in Admin Mode. With the Server name and I do a verbose to see a bit more output.
C:\EnableEarlyUpdateRing2002> .\EnableEarlyUpdateRing2002.ps1 -siteServer mvpsccm17 -Verbose
C:\EnableEarlyUpdateRing2002> .\EnableEarlyUpdateRing2002.ps1 -siteServer mvpsccm17 –Verbose
Now that the Script has run the Update services will trigger the fast ring to get the update
Press check for updates and do a refresh.
The Microsoft Endpoint Configuration Manager update 2002 is now available for download.
Now that the Update is downloaded we can trigger the Install.
This Process is a Next Next Close wizard and the only choice you need to make is run the agent in a test collection or strait into production
Here you have the option to test this update in an isolated Collection.
In this case I go strait into the production as this is my demo lab server
I Accept and my end date of the SA.
Well this was a pretty strait forward process now in the back ground Microsoft Endpoint Configuration Manager is updating the servers.
The progress can be followed in the log files when go to status the logs will be opened.
when the preparations are done Microsoft Endpoint Configuration Manager will start the installation. This can take some time so be patient. Don’t do a sudden reboot etc.
If you had a pending reboot the installation will fail, Reboot the server first then do the update.
Or check the Task Manger when the update is finished.
When the Update is Finished and opening the Microsoft Endpoint Configuration Manager Admin Console The update of the console is triggered and need to install.
The update is installed. and we can configure Co-Management
The default setting for device upload is All my devices managed by Microsoft Endpoint Configuration Manager. If needed, you can limit upload to a single device collection.
I choose All
Now that the installation is finished we can see the connector.
You can verify this in the Azure AD there is an app registration called ConfigMgrSvc
- Open CMGatewaySyncUploadWorker.log from <ConfigMgr install directory>\Logs.
- The next sync time is noted by log entries similar to Next run time will be at approximately: 04/02/2020 11:45:05
- For device uploads, look for log entries similar to
Batching N records. N is the number of devices uploaded to the cloud.
- The upload occurs every 15 minutes for changes. Once changes are uploaded, it may take an additional 5 to 10 minutes for client changes to appear in Microsoft Endpoint Manager admin center. http://endpoint.microsoft.com/
In a browser, navigate to http://endpoint.microsoft.com/ or https://aka.ms/memac
below You see only MEMAC
When the Machines are Hybrid AD joined you can see both devices. the sync take some time.
This is the start to manage the devices from MEMAC. In the next blog I’ll show you more on the management.
Follow Me on Twitter @ClusterMVP
Follow My blog https://robertsmit.wordpress.com
Linkedin Profile Robert Smit MVP Linkedin profile
Google : Robert Smit MVP profile
Like this:
Like Loading...
