What Would it Take to Move from SCCM to Intune?


Every week I’m on a conference call with customers who are using, or interested in using, SCCM and Intune/EMS.  Every single conversation finds its way into the following questions:

  1. “Should I use Intune to manage Windows 10 Surface Pro and Dell/HP laptops outside the network?”
  2. “Should I integrate SCCM and Intune?”
  3. “Can I just move all my SCCM infrastructure into Azure?”

Good questions.  Unfortunately, the answers aren’t yet fully-baked.  The answer to each is “it depends”.

But during one call in particular, we had a bunch of crusty old SCCM engineers discussing the past, present and future of the product.  This wound up in a discussion about “what would it take?” …to switch to Intune as the primary management interface, even for on-prem devices.  The gist of this was not about “eventually” or long-term, but rather, what could be dropped in our lap sooner, and make us say “oh, snap! time to reconsider!”

Anyhow, we came up with the following:

1 – Hybrid Deployments

The ability to configure application deployments in a cloud console, while directing clients to fetch the content from on-prem sources.  The reverse of cloud DPs, if you will.  The application configuration resides in the cloud, and the source content, and deployment content, are hosted on-prem.

This could be handled with the Intune client being equipped to poke for the on-prem location as a means to determine on/off prem status.  If on-prem, download the content from the on-prem DP.  Otherwise, follow the configuration (wait, or download from another source).  The goal would be to support cloud clients, mobile clients and on-prem clients, where each could pull content based on proximity, performance and least cost.

This would also span out to OSD as well.  If the WIM files, driver packages, and other bits were available from an on-prem source (via PXE/WinPE) it could work. Maybe it would require something like iPXE Anywhere, or maybe not.

2 – Expanded Deployment Types

Intune would need to be able to deploy more flexible types of instructions, such as EXE files with additional parameters (aka “switches”) and MSIs with MST transforms.  PowerShell scripts would be nice too.

3 – Full Inventory

This is actually two parts combined.  The first is a split inventory detection that pulls a complete (e.g. SCCM-style) WMI inventory data set from a full Windows client, but keeps the status quo for other clients.  The second is a means of leveraging that extended inventory to save time/effort in other areas (targeting policies, apps, etc.).

And speaking of inventory, is there a CIM-like equivalent for mobile platforms like iOS, Android, etc.?

Summary

Granted, this is *not* enough for SCCM to throw in the towel and surrender.  But these seem to be the most-used features in SCCM which are not replaceable with Intune, yet.

If this is true, or “accurate”, then it doesn’t seem like such a tall hill to climb.  We were not entirely sober at the time, so it’s quite possible we overlooked something here.  Maybe something embarrassingly obvious, but hey.

Thoughts?  Substance or Garbage?  Let me know.


The Ballad of Orchestrator

If I had a dollar for every time I’ve had a discussion with someone who works with Microsoft System Center, while I stare at the floor, wondering why they never bothered to have that weird reddish-brown stain removed, and it’s in their main lobby, as they describe the pain, and effort they endured to build some crazy semi-automated chain of mouse traps using a wheelbarrow full of third-party utilities, truckloads of scripting, and a few crates of some long-forgotten Windows CLI utilities, registry hacks and whatever, and after they were done, I’d be thinking to myself “that was one stupidly-long run-on sentence”, but I end up saying, “You know? You could’ve knocked that out in a lot less time using Orchestrator”, well, I’d be rich enough to not have time to write a blog.  I’d be too busy having my toenails custom painted while skydiving from my private jet onto the deck of my private yacht. Floating in the lagoon of my private island.  Okay, that’s a big stretch.

Yeah.

First off, 99.999999999% of the time, here’s what the response is, “What’s Orchestrator?”

(15 seconds of awkward silence ensues)

Whatever Microsoft has paid their marketing folks, I would like to officially ask for 10% of it, just for doing my part to inform their customers, “well, it’s this amazing virtual Lego kit that you can use to build just about anything. Oh, and by the way, you already paid for it.”  That might help pay a few bills at least.  I think that I’ve earned it.  Or I could be delusional too.

Anyhow, for those who still begin every explanation with “it was called Opalis, once…”, and have ripped open that Christmas box and put the batteries inside, you know what I’m talking about.  You also know the dreaded feeling of hearing someone say one of the following:

“They didn’t make any changes to it in System Center 2016”

“It’s dead, Jim.  Long live the cloud.”

Sad.  Truly sad. It never really had its glory day (imho).  Isolated moments of sheer awesomeness are to be found, for sure.  But on a ubiquitous (see?  you didn’t think I could whip out a big word like ubiquitous, did you?) and pervasive scale? No; not what it really deserved. It was that incredible 2nd string player, drafted in the 2nd round, that was capable of smashing records, but never got on the field, and now it’s hitting retirement age.

Not so fast.

Just like Arnold Schwarzenegger (I cheated on the spelling, I had to), it can still press a few hundred pounds while smiling.  Maybe while clenching a cigar in its mouth at the same time.

Some interesting use-cases I’ve seen in the past year or two…

  • The typical New-Hire / Employee-Term scenario runbooks, but with extensions for ordering facilities services (phone, desk, chair, whiteboard), telecom (phone), computer equipment (HR app checkbox for “mobile user” triggers order for laptop or tablet), and notifying front desk security personnel with employee photo.  And don’t forget the standard AD group memberships, attributes, and OU management stuff.
  • Monitoring a file system folder where app-devs upload final code check-ins, reading specific files to create SCCM applications, deployment types, detection methods and requirements, as well as distributing to certain DP groups and deploying to Collections (with additional parameters).

There have been a few others.  Some were just discussions around “what if…”, which could have easily turned into more amazing concoctions, but I didn’t stick around long enough to find out if they did.

Alas, before I toss back a ceremonial shot (of something cheap, like me), I have to say I’ve spent some time with Azure Automation runbook authoring and I have to say, it’s very, very promising indeed.

CMWT How-To: Enable Client Tools

CMWT Client Tools are a set of JavaScript-based features which enable invoking local services in order to connect to, and manage, remote clients.  This is much like the infamous “right-click Tools” for the SCCM Console.  The features provided in CMWT at this point are not as robust as the ones mentioned, but that may change (as always – it all depends on user feedback).

The caveat for this feature is that it requires using Internet Explorer, rather than Google Chrome, or Firefox.  I have not tested this with Edge yet, as my site server is still on Windows Server 2012 R2.

The reason for this is in how IE handles client-side scripting and security controls.  So, to enable this in IE, you need to follow the instructions in the provided CMWT Installation Guide, but I will cover the process in this blog post as well.

  1. In Internet Explorer, open CMWT.
  2. Click the gear icon at the top right (settings), and select “Internet Options”.
  3. Select the Security tab.
  4. Make sure CMWT is included in either the Local intranet or Trusted sites security zone.
  5. Select the appropriate security zone.
  6. Scroll down to “Initialize and script ActiveX controls not marked as safe for scripting”.
  7. Change the setting from “Disable” to “Prompt”.
  8. Click OK, and click OK again to close Settings.
  9. Browse to select a particular Device you wish to manage or connect to.  For this example, I’m connecting to desktop “D001”, which I happen to know is online and accessible.
  10. Click the drop-down menu of options, and select “Tools”.
  11. Click on one of the first four (4) tools, such as Manage.
  12. If you set the ActiveX security option to “Prompt” you should get a warning.
  13. Click Yes and the tool should open.

Note that even if you cannot configure the options in IE to make this work (usually due to company security policies), or if you’re using Chrome, Safari, or Firefox, the actual command statement is shown to the right of each tool.  This allows you to copy and paste it into a Run command box and launch it directly.

That’s it!

Preposterous Profile Propagation Perils


Question:  “Is it advisable to migrate Windows user data when refreshing or replacing their computer?”  This was asked in the context of two scenarios:

  1. Migrating an existing Windows 7 machine to Windows 10
  2. Refreshing a hosed-up Windows 10 machine to a known state

For scenario 2, I recommend the “Reset this PC” feature in Windows 10 1607.

For scenario 1, here’s my long-winded response:  Avoid allowing your environment to get into this scenario in the first place.

I compare this with how I treat my phone.  My photos, contacts, emails, bookmarks, apps list and settings are all stored in the cloud. The only items I’d lose if my phone were lost or stolen would be SMS threads.  Not a concern.  My phone, to me, is 100% disposable.  I don’t sweat losing anything valuable if my phone were crushed under a truck wheel, dropped in a bathtub, or doused in gasoline and ignited with a blow torch (although, that would be kind of cool, hmmm).

Desktops and laptops should be no different.  Now, I’m not saying “the cloud” is the primary solution here.  ANY centralized repository will suffice as an “off-device” storage point.

Why?

Because of the following potential faults:

  • Migrating data and settings is costly.  It takes time to design, build, test and maintain for an organization.  The more variations in the environment, the more work is often required on the back end.  Even when a process/system has been in place for a long time, that doesn’t justify its existence (i.e. “because that’s the way we’ve always done it” = space shuttle O-ring maintenance processes too)
  • Having data stored locally is a liability.  Period.  Ask any attorney.
  • Having data stored locally is a security risk. Ask your InfoSec person (drink additional coffee first)
  • Having data stored locally adds need for disk encryption, RMS and DLP controls (more time and cost).
  • Having data stored locally incurs additional storage capacity and performance requirements on each device (depending upon the nature of data formats)

If a device is lost, destroyed, or stolen, you will need to address…

  • the potential loss of a vital copy/version of each document on the device.
  • the potential leak of private/sensitive information on the device.
  • the additional downtime incurred from replacing the user’s device as compared with providing them a “vanilla” device which immediately restores their access to all documents they need to do their job.

Is it always possible to implement this client-centric data model?  No.  There are a variety of reasons; one classic example is local processing requirements, such as CAD, media authoring, music production, etc. (high-bandwidth or high CPU demand, particularly when graphics performance is a concern).

However, over the last ten (10) years of consulting and FTE work where I’ve been involved with deployment processes, I’ve only seen a few that really needed it (mentioned above).  The majority don’t really need to support local storage of business data.

The reason I bring this up is that I often see a lot of hand-wringing, project investment, and focused effort on applying a “solution” to the wrong problem.  This is just one example.  I have plenty of others to share if you’d like me to.

Another SCCM SQL Query: SQL Server Hosts

Find Windows Server computers which have some version of SQL Server installed…

-- Join discovery data (v_R_System) to the Add/Remove Programs and System
-- inventory classes, keeping Server-role machines that have an ARP entry
-- starting with "Microsoft SQL Server".
SELECT DISTINCT
  dbo.v_R_System.Name0 AS [Name], 
  dbo.v_R_System.ResourceID AS ResourceID,
  dbo.v_R_System.SMS_Unique_Identifier0 AS [GUID],
  dbo.v_R_System.Resource_Domain_OR_Workgr0 AS Domain,
  dbo.v_R_System.AD_Site_Name0 AS ADSiteName,
  dbo.v_R_System.Client0 AS Client 
FROM dbo.v_R_System 
  INNER JOIN dbo.v_GS_ADD_REMOVE_PROGRAMS 
  ON dbo.v_GS_ADD_REMOVE_PROGRAMS.ResourceID = dbo.v_R_System.ResourceID 
  INNER JOIN dbo.v_GS_SYSTEM
  ON dbo.v_GS_SYSTEM.ResourceID = dbo.v_R_System.ResourceID 
WHERE 
  (dbo.v_GS_ADD_REMOVE_PROGRAMS.DisplayName0 LIKE 'Microsoft SQL Server%')
  AND
  (dbo.v_GS_SYSTEM.SystemRole0 = 'Server')
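The following is an added example, not from the original post, that tightens the query above in two ways: the ARP filter on “Microsoft SQL Server%” also matches client-side components (Native Client, Management Objects, VSS Writer) found on many non-database machines, and v_GS_ADD_REMOVE_PROGRAMS holds only 32-bit entries, so a 64-bit engine install can be missed. It keys on the database engine service instead and reads both ARP views for the version; it assumes the Services (Win32_Service) hardware inventory class is enabled for the clients concerned.

```sql
-- Added example, not from the original post. Keys on the SQL Server database
-- engine service (MSSQLSERVER for the default instance, MSSQL$<InstanceName>
-- for named instances) rather than on ARP display names, which also match
-- Native Client, Management Objects, VSS Writer and other client-side bits.
-- Assumes the Services (Win32_Service) hardware inventory class is enabled;
-- without it v_GS_SERVICE has no rows for a client and that host is not listed.
SELECT
  sys.Name0                      AS [Name],
  sys.ResourceID,
  sys.Resource_Domain_OR_Workgr0 AS Domain,
  sys.AD_Site_Name0              AS ADSiteName,
  svc.Name0                      AS ServiceName,
  -- Named instances carry the instance name after the '$'
  CASE WHEN svc.Name0 = 'MSSQLSERVER' THEN 'MSSQLSERVER'
       ELSE SUBSTRING(svc.Name0, CHARINDEX('$', svc.Name0) + 1, 128)
  END                            AS InstanceName,
  svc.State0                     AS ServiceState,
  svc.StartMode0                 AS StartMode,
  -- Service logon account: worth reviewing for instances running as
  -- LocalSystem or a highly privileged domain account
  svc.StartName0                 AS RunsAs,
  arp.Version0                   AS ProductVersion
FROM dbo.v_R_System AS sys
  INNER JOIN dbo.v_GS_SYSTEM  AS gs  ON gs.ResourceID  = sys.ResourceID
  INNER JOIN dbo.v_GS_SERVICE AS svc ON svc.ResourceID = sys.ResourceID
  -- Pull a product version from whichever ARP view holds the install
  -- (64-bit installs land in v_GS_ADD_REMOVE_PROGRAMS_64).
  -- Version0 is a string, so the DESC sort is indicative rather than exact.
  OUTER APPLY (
    SELECT TOP (1) a.Version0
    FROM (
      SELECT DisplayName0, Version0 FROM dbo.v_GS_ADD_REMOVE_PROGRAMS_64
       WHERE ResourceID = sys.ResourceID
      UNION ALL
      SELECT DisplayName0, Version0 FROM dbo.v_GS_ADD_REMOVE_PROGRAMS
       WHERE ResourceID = sys.ResourceID
    ) AS a
    WHERE a.DisplayName0 LIKE 'Microsoft SQL Server 20%'
      AND a.DisplayName0 NOT LIKE '%Native Client%'
    ORDER BY a.Version0 DESC
  ) AS arp
WHERE (svc.Name0 = 'MSSQLSERVER' OR svc.Name0 LIKE 'MSSQL$%')
  AND gs.SystemRole0 = 'Server'
ORDER BY sys.Name0, svc.Name0;
```

Drop the SystemRole0 filter if you also want workstations running SQL Server Express, which appear as named instances such as MSSQL$SQLEXPRESS.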

SCCM / SQL – Machines Not Scanned in 15 Days

Here’s a SQL query to return machines which have not run a Software Updates scan within the past 15 days.

-- LEFT JOIN rather than INNER JOIN, so that devices with no scan record at all
-- are returned as well; an INNER JOIN silently drops them, even though they
-- are exactly the machines this query is meant to find.
SELECT DISTINCT 
  dbo.v_R_System.ResourceID, 
  dbo.v_R_System.Name0 AS ComputerName, 
  dbo.v_ScannedUpdates.ScanTime
FROM 
  dbo.v_R_System LEFT JOIN
  dbo.v_ScannedUpdates ON 
  dbo.v_ScannedUpdates.ResourceID = dbo.v_R_System.ResourceID
WHERE 
  (dbo.v_ScannedUpdates.ScanTime IS NULL)
  OR
  (DATEDIFF(dd, dbo.v_ScannedUpdates.ScanTime, GETDATE()) > 15)