Monthly Archives: April 2016

How to reset Mobile Device Management Authority from Config Mgr to Intune

I have a demo/test environment for Intune enrollment where I have configured Configuration Manager as the Mobile Device Management Authority. I have been thinking about a change in approach, as most of my test devices are either lightly managed PC’s or mobile devices. So I wanted to change and use Microsoft Intune only as the MDM Authority.

Referring to the official documentation for setting Mobile Device Management Authority, https://technet.microsoft.com/en-us/library/mt346013.aspx, this can only be set initially when configuring the tenant, and cannot be changed later!

But, there is a way. You can create a Service Request ticket with Microsoft, and request a reset of the mobile device authority.

There are some caveats to this reset request though:

  • You will have to retire and delete all registered mobile devices
  • You will have to delete all MDM related configurations in Configuration Manager

Basically, this is a real start over with a clean sheet. If that is what you want, read on; if not, stop here 😉

In this blog article I will show the steps I went through to reset my MDM authority.

Step 1 – Create a Service Request

The first step is to create the Service Request, requesting a reset. Identify the issue by selecting the feature Intune Service Administration and the symptom Reset mobile device authority. Provide a summary and issue details, for example as below:

image

Review and continue:

image

Add details if needed:

image

Confirm and submit:

image

Service Request is now pending, awaiting response:

image

Step 2 – Await response on Service Request on next steps

After a couple of hours I got a response with a checklist to be completed:

image

Here’s the checklist:

  • Retire all Modern Devices (mobile devices) from within the Configuration Manager Console. It is important that you do not attempt to retire a device from the device itself for this procedure to be executed. Let us know if any devices are in a “pending state”.
  • Point the Intune Subscription to an empty user collection, or remove all users from the targeted collection, and confirm in the CloudUserSync.log that all users are removed.
  • Remove all users from the Intune User Group.
  • Run the following SQL procedure on the CM server to ensure all licenses are removed from the DB:
    Insert into MDMCloudUserNotification Select ItemKey, 3, 0 from User_Disc where CloudUserId is not null
  • Then restart the CloudUserSync thread in ConfigMgr (or restart SMS_Executive if easier); when CloudUserSync starts up, it should deprov the users.

    Restart SMS Executive

    To reset the SMS_COLLECTION_EVALUATOR thread through the registry, open the Registry console and navigate to the registry key mentioned below
    –> Right click Requested Operation –> Modify –> type ”Stop” and click OK.

    Refresh until the data value resets to “None”, then edit it again with the “Start” data value.
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\SMS\Components\SMS_EXECUTIVE\Threads\SMS_COLLECTION_EVALUATOR | Requested Operation

    Confirm users are removed from cloudusersync.log

    Open cloudusersync.log from C:\Program Files\Microsoft Configuration Manager\Logs and look for messages that users are removed.

    Please ask customers to provide a couple of sample UPNs after they remove all user licenses and confirm in Viewpoint that the sample users no longer have SCCM licenses.

  • Delete the iOS APNs certificate
  • Delete any and all published applications that are for MDM Devices
  • Delete any and all policies that are for MDM Devices
  • Remove the Windows Intune Connector from within the Configuration Manager Console

Provide info:

Tenant ID: xxx.onmicrosoft.com

Global administrator email: xxx.domain.com

Step 3 – Do the checklist

Let's step through the main parts of the checklist.

Retire all Modern Devices

All Clients of Type Mobile must be retired:

image

Depending on the device type, you can choose to wipe only company content or to wipe the device completely:

image

For a Windows 10 computer managed as a mobile device, you can typically only remove company content:

image

Warning notification:

image

After that, the clients are in the status “Pending Retire”; they will eventually be removed when they sync again. Some of my devices are inactive test devices, so I just turn them on and initiate a sync.

image

After a while I still have some devices left in a pending state. I know that these devices no longer exist, so they will not be able to sync. I will let the service request technician know about these, as instructed in the checklist.

In this case, the service request technician instructed me to remove the devices registered for the users in question in the Azure AD management portal (http://manage.windowsazure.com), by selecting the user and removing any registered mobile devices.

You can also remove the devices from the user with MSOnline PowerShell module:

Get-MsolDevice -RegisteredOwnerUpn [email protected] | Remove-MsolDevice

Or for all users that have workplace joined devices:

Get-MsolDevice -All | Where {$_.DeviceTrustType -eq 'Workplace Joined'} | Remove-MsolDevice
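The one-liner above removes every Workplace Joined device in the tenant without leaving a record of what was there. The script below is an added example, not code from the original post: it does the same lookup with the MSOnline module but writes an audit CSV first and only deletes when run with -Commit. The property names on the Get-MsolDevice output (DeviceId, DisplayName, DeviceTrustType, DeviceOsType, ApproximateLastLogonTimestamp, RegisteredOwners) are assumptions based on the MSOnline module, and the script assumes Connect-MsolService has already been run.

```powershell
# Added example (not from the original post): review Workplace Joined devices
# before removing them with the MSOnline module. Assumes the MSOnline module is
# installed and Connect-MsolService has already been run. The property names on
# the Get-MsolDevice output used below are an assumption.
param(
    [string]$OwnerUpn,                                            # limit to one user's devices; omit for all users
    [string]$ReportPath = "$env:TEMP\workplace-joined-devices.csv",
    [switch]$Commit                                               # without this switch nothing is deleted
)

Import-Module MSOnline -ErrorAction Stop

# Collect the candidate devices: only Workplace Joined ones, which is the trust
# type the MDM enrollment leaves behind in Azure AD.
if ($OwnerUpn) {
    $devices = Get-MsolDevice -RegisteredOwnerUpn $OwnerUpn
} else {
    $devices = Get-MsolDevice -All
}
$candidates = @($devices | Where-Object { $_.DeviceTrustType -eq 'Workplace Joined' })

# Keep an audit record of what is about to be removed before touching anything.
$candidates |
    Select-Object DeviceId, DisplayName, DeviceOsType, DeviceTrustType,
        ApproximateLastLogonTimestamp,
        @{ Name = 'RegisteredOwners'; Expression = { ($_.RegisteredOwners -join ';') } } |
    Export-Csv -Path $ReportPath -NoTypeInformation

Write-Host ("{0} Workplace Joined device(s) found; report written to {1}" -f $candidates.Count, $ReportPath)

if (-not $Commit) {
    Write-Host 'Dry run: review the report, then re-run with -Commit to remove these devices.'
    return
}

# Remove by DeviceId rather than piping the whole object, so the log line and
# the deletion refer to the same identifier.
foreach ($d in $candidates) {
    Write-Host ("Removing {0} ({1})" -f $d.DisplayName, $d.DeviceId)
    Remove-MsolDevice -DeviceId $d.DeviceId -Force
}
```

Run it once without -Commit, check the CSV against the list of devices still showing as “Pending Retire” in the Configuration Manager console, and only then run it again with -Commit. Keeping the CSV gives you something to hand the service request technician as well.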

Point the Intune Subscription to an empty user collection and remove cloud synced users

I created a User Collection with a query that I know will not return any users, for example one referencing a non-existent domain:

image

After that I update the Intune Subscription to use that collection:

image

Connect to the SQL site database, and run the following SQL query to ensure all licenses are removed from the DB:

Insert into MDMCloudUserNotification Select ItemKey, 3, 0 from User_Disc where CloudUserId is not null

After that, restart the “SMS Executive” service, and look in the CloudUserSync.log to confirm that all users are removed.

image

Reset the SMS_COLLECTION_EVALUATOR thread through the registry: open the Registry Editor and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\SMS\Components\SMS_EXECUTIVE\Threads\SMS_COLLECTION_EVALUATOR

–> Right click Requested Operation –> Modify –> type ”Stop” and click OK.

Refresh until the data value resets to “None”, then edit it again with the “Start” data value.

Take another look in cloudusersync.log from <configuration manager install dir>\Logs and look for messages that users are removed.

The service request technician might ask customers to provide a couple of sample UPNs after they remove all user licenses and confirm in Viewpoint the sample users no longer have SCCM licenses.
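The server-side part of the checklist (the SQL statement, the SMS Executive restart, the registry-driven thread restart and the log check) is a sequence of manual steps. The script below is an added example, not code from the original post or from Microsoft, that performs the same sequence on the site server so it can be repeated and reviewed. It assumes Invoke-Sqlcmd from the SqlServer (or SQLPS) module, a site database name given as a placeholder ($SiteDatabase = 'CM_P01'), and the registry key and log path quoted in the post; the log search pattern is an assumption, since the post only says to look for messages that users are removed.

```powershell
# Added example (not from the original post). Runs on the ConfigMgr site
# server as an administrator. Assumptions: Invoke-Sqlcmd is available
# (SqlServer/SQLPS module), $SqlInstance/$SiteDatabase point at the site
# database (the default name is a placeholder), and the log wording matched
# by $Pattern is a guess to be adjusted to what the log actually says.
param(
    [string]$SqlInstance  = 'localhost',
    [string]$SiteDatabase = 'CM_P01',   # placeholder site database name
    [string]$CmInstallDir = 'C:\Program Files\Microsoft Configuration Manager',
    [switch]$Commit                      # without this switch nothing is changed
)

$threadKey = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\SMS\Components\SMS_EXECUTIVE\Threads\SMS_COLLECTION_EVALUATOR'
$logFile   = Join-Path $CmInstallDir 'Logs\CloudUserSync.log'

function Get-CloudUserCount {
    # How many discovered users still carry a CloudUserId, i.e. still look licensed.
    $r = Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $SiteDatabase `
         -Query 'SELECT COUNT(*) AS n FROM User_Disc WHERE CloudUserId IS NOT NULL'
    return [int]$r.n
}

function Add-CloudUserDeprovisionRequest {
    # The statement from the checklist, unchanged: queue a notification for
    # every user that still has a CloudUserId so CloudUserSync deprovisions them.
    Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $SiteDatabase `
      -Query 'INSERT INTO MDMCloudUserNotification SELECT ItemKey, 3, 0 FROM User_Disc WHERE CloudUserId IS NOT NULL'
}

function Restart-SmsThread {
    # Same as the manual registry edit: request Stop, wait until the executive
    # acknowledges it by resetting the value to None, then request Start.
    param([string]$Key, [int]$TimeoutSeconds = 120)
    Set-ItemProperty -Path $Key -Name 'Requested Operation' -Value 'Stop'
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-ItemProperty -Path $Key).'Requested Operation' -ne 'None') {
        if ((Get-Date) -gt $deadline) { throw "Thread did not stop within $TimeoutSeconds seconds" }
        Start-Sleep -Seconds 5
    }
    Set-ItemProperty -Path $Key -Name 'Requested Operation' -Value 'Start'
}

function Search-CloudUserSyncLog {
    # Return the most recent log lines that mention removal. The pattern is an
    # assumption; the exact wording depends on the ConfigMgr build.
    param([string]$Path, [string]$Pattern = 'remov', [int]$Last = 20)
    if (-not (Test-Path $Path)) { throw "Log not found: $Path" }
    Select-String -Path $Path -Pattern $Pattern | Select-Object -Last $Last | ForEach-Object { $_.Line }
}

$before = Get-CloudUserCount
Write-Host "Users with CloudUserId before: $before"
if (-not $Commit) { Write-Host 'Dry run: re-run with -Commit to queue deprovisioning.'; return }

Add-CloudUserDeprovisionRequest
Restart-Service -Name SMS_EXECUTIVE -Force    # checklist: restart SMS Executive
Restart-SmsThread -Key $threadKey            # checklist: reset SMS_COLLECTION_EVALUATOR
Start-Sleep -Seconds 60                       # give CloudUserSync a moment to run after the restart
Search-CloudUserSyncLog -Path $logFile
Write-Host "Users with CloudUserId after: $(Get-CloudUserCount)"
```

The before/after count is the check worth keeping: it is the same WHERE clause the checklist's INSERT uses, so when it reaches zero there is nothing left for the statement to queue, and the sample UPNs the technician asks for can be picked from the rows that were present in the “before” run.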

Remove MDM configurations from Config Mgr

After the users are removed, MDM configurations must be removed from Configuration Manager.

Delete the iOS APNs certificate:

How?

image

Delete any and all published applications that are for MDM Devices:

Under Software Library, find all applications for the Mobile Devices. Before the applications can be deleted, any deployments must be removed first.

Delete any and all polices that are for MDM Devices:

Under Assets and Compliance, delete everything related to Mobile Devices:

  • Compliance Settings|Configuration Baselines and Deployments
  • Compliance Settings|Configuration Items
  • Compliance Settings|Compliance Policies
  • Company Resource Access|Certificate Profiles
  • Company Resource Access|Email Profiles
  • Company Resource Access|VPN Profiles
  • Company Resource Access|Wi-Fi Profiles

Finally, remove the Windows Intune Connector from within the Configuration Manager Console.

Step 4 – Update the Service Request

After I cleaned up, I provided my info to the service request technician and confirmed that I had completed the checklist:

Tenant ID: xxx.onmicrosoft.com

Global administrator email: xxx.domain.com

After a few days, I got the response that I should keep my hands off the subscription during the reset process:

image

Step 5 – MDM Authority Reset Confirmation

A couple of days later I got the confirmation that the MDM authority was now reset:

image

Checking in the Intune Management Portal (http://manage.microsoft.com), I can now select to set Microsoft Intune as the Mobile Device Management Authority:

image

Summary

All in all, the whole process took me 9 days. Some of those days were spent completing the checklist; the rest was basically waiting for responses to questions, updates and the confirmation.

The end result was as expected: I can now register my mobile devices with Microsoft Intune as the MDM authority.

If I later want to go back to Configuration Manager as MDM Authority, I would have to do basically the whole reset process again, except that the cleanup would be in Microsoft Intune. A service request would provide details on that as well, and if I do it at a later time, I will write a blog article on that too!

Missing groups prevents upgrade of Azure AD Connect

This is just a short blog article on a problem I experienced when upgrading Azure AD Connect from a previous version. This was a small environment where the Azure AD Connect server was running on the Domain Controller.

When starting the upgrade process I noticed that a message was displayed that a “Group with name ADSyncAdmins was not found in the Machine context”. When I clicked to Upgrade anyway, an error message was displayed that it was “Unable to upgrade the Synchronization Service”:

image

Looking into the event log, I found this error:

Product: Microsoft Azure AD Connect synchronization services — Error 25037.The groups entered do not all exist or cannot be found. Verify that each group name is correct, and then try again.

image

Since this was a Domain Controller, and there are no local users and groups on a DC, I created the ADSyncAdmins group in Active Directory as a Domain Local Security group. Trying the upgrade again, I got a new group that was missing:

image

So I ended up creating these four groups that were missing:

  • ADSyncAdmins
  • ADSyncBrowse
  • ADSyncOperators
  • ADSyncPasswordSet
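Creating the four groups one at a time, one upgrade attempt per group, is what produced the repeated failures above. The script below is an added example, not code from the original post or from the Azure AD Connect installer: it creates all four groups up front in the place the installer will find them, as Domain Local security groups when run on a domain controller (which is what the post did) and as local groups on a member server. It assumes the ActiveDirectory module on the DC path and the built-in LocalAccounts module (Get-LocalGroup/New-LocalGroup) on the member-server path.

```powershell
# Added example (not from the original post): create the four ADSync groups
# the Azure AD Connect installer expects, in the right place for the machine.
# On a domain controller there are no local groups, so they go into AD as
# Domain Local security groups; elsewhere they are created as local groups.
# Assumes the ActiveDirectory module (RSAT) on a DC and the LocalAccounts
# module on a member server.
$requiredGroups = 'ADSyncAdmins', 'ADSyncBrowse', 'ADSyncOperators', 'ADSyncPasswordSet'

# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller.
$domainRole = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDomainController = $domainRole -in 4, 5

function Confirm-AdSyncGroup {
    # Create the group if it is missing; return a one-line status for the log.
    param([string]$Name, [bool]$OnDomainController)
    $description = 'Azure AD Connect synchronization service group'
    if ($OnDomainController) {
        Import-Module ActiveDirectory -ErrorAction Stop
        $existing = Get-ADGroup -Filter "Name -eq '$Name'" -ErrorAction SilentlyContinue
        if ($existing) { return "exists (AD): $Name" }
        New-ADGroup -Name $Name -GroupScope DomainLocal -GroupCategory Security `
            -Description $description | Out-Null
        return "created (AD, Domain Local security group): $Name"
    } else {
        $existing = Get-LocalGroup -Name $Name -ErrorAction SilentlyContinue
        if ($existing) { return "exists (local): $Name" }
        New-LocalGroup -Name $Name -Description $description | Out-Null
        return "created (local group): $Name"
    }
}

foreach ($g in $requiredGroups) {
    Write-Host (Confirm-AdSyncGroup -Name $g -OnDomainController $isDomainController)
}
```

Run it as an administrator before starting the upgrade wizard. Because it checks for each group first, it is safe to run again on a server where some of the groups already exist.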

After that I was able to successfully finish the upgrade of Azure AD Connect.

Awarded MVP Enterprise Mobility! Introducing myself to the community.

On Friday April 1st I got one of the best e-mails in my professional IT career so far: Awarded MVP for Enterprise Mobility for 2016!

image

This is my first MVP Award, and I’m incredibly proud and honored to be part of such an amazing community and network of professionals.

I thought this was a good opportunity to introduce myself to the community, so in this blog post I will write a little more about myself and what I do.

Some personal info

I’m from Norway, a town called Sarpsborg some 100 kilometers south of Oslo. I work as an Architect for Cloud and Datacenter solutions at Skill AS, a Microsoft Partner with offices in both Oslo and Sarpsborg. My company has received numerous partner prizes and finalist awards over the last years, embracing the Cloud and Microsoft especially.

I was born in 1971, at an age where I’m old enough to know how and when to use my experience when I need to, and young enough to eagerly learn new stuff and use technology to solve challenges and use solutions creatively. When I’m not working I spend time with my family; I’m married and have two boys at the age of 10 and 12. It’s all about football (soccer) in the spare time, and at least 3 of us are huge Arsenal fans. You can guess who 😉 We also spend a lot of time in our cabin in the mountains, where we ski (cross country) a lot. This is where we recharge our batteries, a much needed window of family quality time in otherwise hectic, activity-filled work weeks.

Work and career

I’ve been in the IT industry for over 20 years now. When I started I did IT support on IBM OS/2 machines; my first internet e-mail experience was using 3270 terminals and, if I remember correctly, something called Office Vision. I wrote documents using Lotus Ami Pro. Later I achieved my first Microsoft MCP certifications on Windows 95 and Word 6.0. From there on it has been mainly Microsoft products and solutions for me!

A large part of my early career I spent at a private educational institution, where I was an instructor for Microsoft Official Curriculum courses. I kept my Microsoft Certified Trainer certification from 1997 to 2012. I have spent thousands of hours teaching students and business IT pros on MCSE certifications for NT 4.0, Windows 2000, 2003 and beyond. For a few years I was even a Citrix Certified Instructor. While working as an instructor I started to get more into consulting as well, working at customer sites and presenting company seminars.

I remember that I could hold the BackOffice 4.5 CD folder in my hand and say that I had knowledge of all Microsoft management, productivity and server solutions! Try to say that today 😉 The first “System Center” product I worked on was SMS 2.0; later I started working with Microsoft Operations Manager (MOM) from 2000 and up. I have been working with e-mail and productivity from Microsoft Mail via Exchange 5.0 to today’s Exchange Online and Office 365, and with identity solutions from “User Manager for Domains” to Azure Active Directory. It has really been a great journey, but nothing compares to how rapidly Microsoft and Cloud solutions evolve these days.

After leaving the educational institution, I worked for a few years as a consultant and freelance trainer, before I spent some years at an Application Service Provider. There I was working with the datacenter and infrastructure, moving slowly into virtualization by using Virtual Server 2005! Exchange 2007 was my first encounter with PowerShell, love at first sight, and we offered Hosted Exchange as a service. If only we had had something called Office 365 and Azure Stack back then 😉

From 2010 until today I have been with my current employer, Skill. In these years I have been working more and more with Azure, Office 365, Enterprise Mobility Suite and System Center, while at the same time working closely with Microsoft, being a P-TSP for Cloud OS and Datacenter management.

Community

Over the last years I have been more and more engaged in the community of IT professionals, visiting conferences, using social media, blogging and networking with other MVPs and community influencers. I have also been a speaker at local events and at conferences like Experts Live and Nordic Infrastructure Conference, and will also be a speaker at this year’s System Center Universe in Berlin in August.

It is with huge pride that my contributions have led to my receiving the MVP award, and I can only look forward to contributing more in the years to come. While Enterprise Mobility, and especially Azure AD, is an area I focus greatly on, I will also continue to contribute in areas related to Azure, Cloud and Datacenter Management (CDM) with OMS, Service Manager, Operations Manager and more, as these are solutions I work a lot with in my daily work as well. I will especially look for contributions where EMS, CDM and Azure can work together and play to each other’s strengths 🙂

Thanks for reading; I look forward to engaging with you all. In addition to this blog, you can follow me on social media:

Twitter: @skillriver

LinkedIn: linkedin.com/in/jvelven