Archive for the ‘MEMCM’ Tag

How to join Windows Server 2019 to the Azure AD #AAD #Winserv #WIMVP #AD #Hybrid #Azure

For some time it has been possible to join devices to Azure AD. I knew this worked for Windows 10; in this blog post I'll share some ideas and thoughts on doing the same with Windows Server 2019. It would be nice if native Azure MFA worked for logon. Also, some options require your Azure AD to be at least P1.

Organizations can now use Azure Active Directory (AD) authentication for their Azure virtual machines (VMs) running Windows Server 2019 Datacenter edition or Windows 10 1809 and later. Using Azure AD to authenticate to VMs gives you a way to centrally control and enforce policies. Tools like Azure Role-Based Access Control (RBAC) and Azure AD Conditional Access let you control who can access a VM. This blog post shows you how to create and configure a Windows Server 2019 VM to use Azure AD authentication, and how to remove the Azure AD join and switch back to an Active Directory domain join.

The following Windows distributions are currently supported during the preview of this feature:

  • Windows Server 2019 Datacenter
  • Windows 10 1809 and later

So the machine below is in a workgroup but Azure AD joined. On a server it is not visible in the UI that the machine is Azure AD joined.

In the configuration properties of an Azure VM we can set the following property: Login with AAD credentials. Setting this during creation of the new VM means the VM is Azure AD joined right away.

I just deployed a new VM, and this VM is Azure AD joined. But what if you want to domain join this machine? Can we do a hybrid domain join? In short: no.

Remember, some options only work if you have a P1 or P2 Azure AD license; you can find the differences here: https://azure.microsoft.com/en-us/pricing/details/active-directory/

Looking at the devices in Azure AD, we can see the server is Azure AD joined.

Access to the VM can be granted based on RBAC.

Two RBAC roles are used to authorize VM login:

  • Virtual Machine Administrator Login: Users with this role assigned can log in to an Azure virtual machine with administrator privileges.
  • Virtual Machine User Login: Users with this role assigned can log in to an Azure virtual machine with regular user privileges.

To allow a user to log in to the VM over RDP, you must assign either the Virtual Machine Administrator Login or the Virtual Machine User Login role. An Azure user with the Owner or Contributor role assigned for a VM does not automatically have privileges to log in to the VM over RDP. This provides an audited separation between the set of people who control virtual machines and the set of people who can access virtual machines.

Select the VM, choose IAM, press Add and add a role assignment, just as you do with other workloads.

Or use the Azure CLI

$username=(az account show --query user.name --output tsv)
$vm=(az vm show --resource-group rsg-adjoin001 --name 2019vmadjoin --query id -o tsv)
az role assignment create --role "Virtual Machine Administrator Login" --assignee $username --scope $vm
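As an added example (my own script, not part of the original post or of Microsoft's documentation), the same assignment done with the least-privileged role and a verification step that shows why Owner or Contributor alone is not enough. It assumes the az CLI is installed and signed in; the resource group and VM names are the ones used above, and the parameter names are my own.

```powershell
# Added example: assign an Azure AD login role at the scope of one VM and verify it.
# Assumes az CLI is installed and logged in. Resource group / VM names are the post's.
param(
    [string]$ResourceGroup = 'rsg-adjoin001',
    [string]$VmName        = '2019vmadjoin',
    # Default to the user role; hand out Administrator Login only where it is really needed
    [ValidateSet('Virtual Machine User Login', 'Virtual Machine Administrator Login')]
    [string]$Role          = 'Virtual Machine User Login',
    # UPN or object id to assign; empty means the signed-in account, as in the post
    [string]$Assignee      = ''
)

if (-not $Assignee) {
    $Assignee = az account show --query user.name --output tsv
}

$vmId = az vm show --resource-group $ResourceGroup --name $VmName --query id --output tsv
if (-not $vmId) { throw "VM '$VmName' not found in resource group '$ResourceGroup'" }

# Scope the assignment to the VM resource id, not the resource group or subscription,
# so the logon right does not silently spread to every other VM under that scope.
az role assignment create --role $Role --assignee $Assignee --scope $vmId --output none

# Verify: Owner/Contributor on the VM do not grant RDP logon, so look for the two login
# roles explicitly. --include-inherited also shows assignments made higher up.
$assignments = az role assignment list --scope $vmId --include-inherited --output json | ConvertFrom-Json
$loginRoles  = $assignments | Where-Object { $_.roleDefinitionName -like 'Virtual Machine * Login' }

if (-not $loginRoles) {
    Write-Warning "No login role on $VmName; Owner/Contributor alone will not allow RDP logon"
}
$loginRoles | Select-Object principalName, roleDefinitionName, scope | Format-Table -AutoSize

# Anything inherited from above the VM grants logon to every VM under that scope; flag it.
$loginRoles | Where-Object { $_.scope -ne $vmId } | ForEach-Object {
    Write-Warning "$($_.principalName) has '$($_.roleDefinitionName)' inherited from $($_.scope)"
}
```

Run it as `.\Set-VmLoginRole.ps1 -Role 'Virtual Machine Administrator Login'` (any file name works) to reproduce exactly what the three commands above do, or leave the defaults to get the user role instead.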

But what if we want to do a domain join?

There is no hybrid domain join and no unjoin from the console. Redeploying would not be the best option, right?

With dsregcmd /leave we can unregister the VM from Azure AD.

Now back to the domain join: without a reboot we can join the VM directly to classic Active Directory.

Remember that a reboot is needed for this.

Now the VM is normally AD joined.

This option is still in preview, and after removing the Azure AD join the portal still shows that the VM is Azure AD joined; it seems there is no trigger to remove the AADLoginForWindows extension from the VM.
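Because the portal keeps reporting the old state, it helps to check the join state on the VM itself. The script below is an added example of mine (not from the post): it parses the key/value rows that `dsregcmd /status` prints so you can compare before and after `dsregcmd /leave`, and it shows the az CLI query for the leftover extension. The sample status text is constructed, and the function name is my own.

```powershell
# Added example: read the join state from dsregcmd /status output and check the extension.
function ConvertFrom-DsRegStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # dsregcmd rows look like "   AzureAdJoined : YES"; table borders (+---, | ... |) are skipped.
        # The first occurrence of a key wins, so later sections cannot overwrite Device State values.
        if ($line -match '^\s*(?<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?<value>.*?)\s*$' -and
            -not $state.ContainsKey($Matches['key'])) {
            $state[$Matches['key']] = $Matches['value']
        }
    }
    [pscustomobject]@{
        AzureAdJoined = ($state['AzureAdJoined'] -eq 'YES')
        DomainJoined  = ($state['DomainJoined']  -eq 'YES')
        DeviceId      = $state['DeviceId']
        TenantName    = $state['TenantName']
        DomainName    = $state['DomainName']
    }
}

# Constructed sample of dsregcmd /status output (abbreviated, not a real capture)
$sampleStatus = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
                  DeviceId : 00000000-0000-0000-0000-000000000000
                TenantName : Contoso
'@ -split "`r?`n"

$before = ConvertFrom-DsRegStatus -Lines $sampleStatus
if ($before.AzureAdJoined -and -not $before.DomainJoined) {
    Write-Output "Azure AD joined only (tenant $($before.TenantName)); this is the state before dsregcmd /leave"
}

# On the real VM run it against the live output:
#   $live = ConvertFrom-DsRegStatus -Lines (dsregcmd /status)
# After dsregcmd /leave, the domain join and the reboot, expect AzureAdJoined = False and DomainJoined = True.

# The AADLoginForWindows extension is not removed by /leave; list it from the CLI (names from the post):
#   az vm extension list --resource-group rsg-adjoin001 --vm-name 2019vmadjoin `
#       --query "[?name=='AADLoginForWindows'].{name:name,state:provisioningState}" --output table
```

Keeping the parsed object from before and after the change makes it easy to record in a ticket that the VM really left the tenant, independent of what the portal still displays.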

Hybrid join would be a great addition to make VMs connectable with Azure MFA. But for now we can assign policies and rules.

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile

Posted April 6, 2020 by Robert Smit [MVP] in Windows Server 2019


Installing tenant attach with Microsoft Endpoint Configuration Manager Update 2002 #MEMCM #MEMAC #ConfigMgr

At Microsoft Ignite 2019 it was announced that SCCM is now MEMCM and that Intune and MEMCM can be managed in one portal. With update 2002 this option is finally here. Microsoft Endpoint Manager is an integrated solution for managing all of your devices. Microsoft brings Configuration Manager and Intune together in a single console called the Microsoft Endpoint Manager admin center.

Where to start with Microsoft Endpoint Configuration Manager for this update?

http://endpoint.microsoft.com/

When opening the Microsoft Endpoint Configuration Manager console the update is not there. This is because the update is released in rings, and I want to download this update from the fast ring. Before starting, make sure your servers are healthy and patched. If you run a tight virus scanner on the MEMCM server, you may need to disable it during the install.

As the update is rolled out globally in the coming weeks, it will be automatically downloaded, and you’ll be notified when it’s ready to install from the “Updates and Servicing” node in your Configuration Manager console. If you can’t wait to try these new features, see these instructions on how to use the PowerShell script to ensure that you are in the first wave of customers getting the update. By running this script, you’ll see the update available in your console right away. 

https://download.microsoft.com/download/7/c/4/7c48f2c7-f433-414b-a901-753a61c7956d/EnableEarlyUpdateRing2002.exe

After downloading and extracting the file we have a PowerShell script.

Run this PowerShell script in admin mode with the server name; I add -Verbose to see a bit more output.

C:\EnableEarlyUpdateRing2002> .\EnableEarlyUpdateRing2002.ps1 -siteServer mvpsccm17 -Verbose


Now that the script has run, Updates and Servicing will pull the update from the fast ring.

Press Check for Updates and do a refresh.

The Microsoft Endpoint Configuration Manager update 2002 is now available for download.


Now that the update is downloaded we can trigger the install.

This process is a Next, Next, Close wizard, and the only choice you need to make is whether to run the agent in a test collection or go straight into production.

Here you have the option to test this update in an isolated collection.

In this case I go straight into production, as this is my demo lab server.

I accept the license terms and enter the end date of my Software Assurance (SA).

Well, this was a pretty straightforward process; now, in the background, Microsoft Endpoint Configuration Manager is updating the servers.

The progress can be followed in the log files; when you go to Status, the logs are opened.

When the preparations are done, Microsoft Endpoint Configuration Manager will start the installation. This can take some time, so be patient. Don't do a sudden reboot, etc.

If you have a pending reboot, the installation will fail. Reboot the server first, then do the update.
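A pending reboot is easy to miss on a server that has been patched but not restarted, so here is an added pre-flight check of my own (not part of the post or of the Microsoft update script). It looks at the usual Windows reboot indicators and, if the ConfigMgr client is installed on the site server, asks the client as well; the function name is my own.

```powershell
# Added example: run before starting the 2002 update to catch a pending reboot up front.
function Test-PendingReboot {
    [CmdletBinding()]
    param()
    $reasons = @()

    # Servicing stack has a reboot outstanding (cumulative updates, features, etc.)
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') {
        $reasons += 'Component Based Servicing'
    }
    # Windows Update agent flagged a required restart
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') {
        $reasons += 'Windows Update'
    }
    # File renames/deletes queued until the next boot (installers use this for locked files)
    $sessionManager = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
        -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    if ($sessionManager -and $sessionManager.PendingFileRenameOperations) {
        $reasons += 'PendingFileRenameOperations'
    }
    # If the ConfigMgr client is present, its own view of the reboot state
    try {
        $ccm = Invoke-CimMethod -Namespace 'root\ccm\ClientSDK' -ClassName 'CCM_ClientUtilities' `
            -MethodName 'DetermineIfRebootPending' -ErrorAction Stop
        if ($ccm.RebootPending -or $ccm.IsHardRebootPending) { $reasons += 'ConfigMgr client' }
    } catch {
        # No client on this box, or the namespace is not available; not a pending reboot
    }

    [pscustomobject]@{
        RebootPending = ($reasons.Count -gt 0)
        Reasons       = $reasons
    }
}

$check = Test-PendingReboot
if ($check.RebootPending) {
    Write-Warning "Reboot the site server first; pending reboot from: $($check.Reasons -join ', ')"
} else {
    Write-Output 'No pending reboot detected; safe to start the update from Updates and Servicing'
}
```

Run it on the site server in an elevated PowerShell window. If it reports a pending reboot, restart first and run it again before kicking off the update, which is exactly the order the post recommends.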

Or check Task Manager to see when the update is finished.

When the update is finished and you open the Microsoft Endpoint Configuration Manager admin console, the update of the console is triggered and needs to install.

The update is installed, and we can configure co-management.

The default setting for device upload is All my devices managed by Microsoft Endpoint Configuration Manager. If needed, you can limit upload to a single device collection.

I choose All.

Now that the installation is finished we can see the connector.

You can verify this in Azure AD: there is an app registration called ConfigMgrSvc.

  1. Open CMGatewaySyncUploadWorker.log from <ConfigMgr install directory>\Logs.
  2. The next sync time is noted by log entries similar to: Next run time will be at approximately: 04/02/2020 11:45:05
  3. For device uploads, look for log entries similar to: Batching N records. N is the number of devices uploaded to the cloud.
  4. The upload occurs every 15 minutes for changes. Once changes are uploaded, it may take an additional 5 to 10 minutes for client changes to appear in the Microsoft Endpoint Manager admin center, http://endpoint.microsoft.com/
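Instead of reading the log by eye every 15 minutes, the two entries above can be pulled out with a few lines of PowerShell. This is an added example of mine, not from the post or from Microsoft: it unwraps the ConfigMgr log line format, collects the "Batching N records" counts and the next run time, and runs against constructed sample lines so it works offline. The function name, the sample lines and the default log path (the standard install location) are my assumptions.

```powershell
# Added example: summarise tenant attach uploads from CMGatewaySyncUploadWorker.log
function Get-TenantAttachSyncStatus {
    param([Parameter(Mandatory)][string[]]$LogLines)
    $result = [ordered]@{
        NextRunTime   = $null   # last "Next run time will be at approximately:" value seen
        DeviceBatches = @()     # every "Batching N records" count, in order
        TotalDevices  = 0       # sum of the batches
    }
    foreach ($line in $LogLines) {
        # ConfigMgr logs wrap each message as <![LOG[message]LOG]!><time=... date=... component=...>
        if ($line -match '<!\[LOG\[(?<msg>.*?)\]LOG\]!>') {
            $msg = $Matches['msg']
            if ($msg -match 'Next run time will be at approximately:\s*(?<when>.+)$') {
                $result.NextRunTime = $Matches['when'].Trim()
            } elseif ($msg -match 'Batching\s+(?<n>\d+)\s+records') {
                $n = [int]$Matches['n']
                $result.DeviceBatches += $n
                $result.TotalDevices  += $n
            }
        }
    }
    [pscustomobject]$result
}

# Constructed sample lines in the ConfigMgr log format (not taken from a real log).
# The timestamp matches the example given in the post.
$sampleLog = @(
    '<![LOG[Batching 12 records]LOG]!><time="11:30:05.123+000" date="04-02-2020" component="CMGatewaySyncUploadWorker" context="" type="1" thread="1234" file="">',
    '<![LOG[Batching 3 records]LOG]!><time="11:30:06.456+000" date="04-02-2020" component="CMGatewaySyncUploadWorker" context="" type="1" thread="1234" file="">',
    '<![LOG[Next run time will be at approximately: 04/02/2020 11:45:05]LOG]!><time="11:30:07.789+000" date="04-02-2020" component="CMGatewaySyncUploadWorker" context="" type="1" thread="1234" file="">'
)

$summary = Get-TenantAttachSyncStatus -LogLines $sampleLog
# Expected from the sample: TotalDevices 15, two batches (12 and 3), NextRunTime 04/02/2020 11:45:05
$summary | Format-List

# On the site server, point it at the real log (assumed default install path; adjust to your <ConfigMgr install directory>\Logs):
#   $logPath = 'C:\Program Files\Microsoft Configuration Manager\Logs\CMGatewaySyncUploadWorker.log'
#   Get-TenantAttachSyncStatus -LogLines (Get-Content -Path $logPath)
```

A TotalDevices of 0 with a NextRunTime that keeps moving forward is the pattern to look for when devices never show up in the admin center: the worker is running but nothing is being uploaded, which usually points back at the collection chosen for upload.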

In a browser, navigate to http://endpoint.microsoft.com/  or https://aka.ms/memac

Below you see only MEMAC.

When the machines are Hybrid AD joined you can see both devices. The sync takes some time.

This is the start to manage the devices from MEMAC. In the next blog I’ll show you more on the management.
