Tuesday, December 6, 2016

Azure Information Protection – Add a new policy (PREVIEW)

Now we can add a new policy to target different user groups or specific users.

Click on Select which users/groups get this policy to assign the policy to a targeted user or user group. A user can be assigned to multiple policies. For this test, I assigned myself to 3 policies: Global (Default), IT Dept, and IT Dept 2.

After you Add a new label, the new label sits under the new policy. A user belonging to multiple policies gets all the labels from each of those policies.

I got 2 additional labels (For IT Dept and For IT Dept 2) apart from the 5 default labels from the Global Policy.

The Title and Tooltip in the red box are global settings, which are only configurable in the Global Policy.

The settings in the red box are configurable. If the user belongs to multiple policies, the settings in the last policy (the bottom-most one in the list) will be applied.

In my case, the IT Dept 2 policy will be applied, whose default label is For IT Dept 2.

If I move the IT Dept policy down to the last position, the default label should change to For IT Dept.

I think this is a good improvement, because it is now easier to assign a label with a specific RMS template and settings to specific users/groups. Enjoy!!

Saturday, November 26, 2016

Azure RMS Connector and SharePoint 2013 IRM Configuration

This is my very first post after I switched to www.kwokhau.com and this is also my very first time setting up Azure RMS and SharePoint 2013 IRM integration. :)

I have an Azure RMS connector installed in my environment, hence I won’t cover the Azure RMS connector installation. I used the Azure RMS connector for File Server protection, and it is working fine.

First things first, I launched the Microsoft Rights Management connector administration tool and added the SharePoint server and the SharePoint service account to the list.

Note: I missed the SharePoint service account and I got the error below when I configured IRM in SharePoint. Please remember to add the service account as well.

“The required Active Directory Rights Management Service Client (MSIPC.DLL) is present but could not be configured properly. IRM will not work until the client is configured properly.”

After adding the SharePoint servers and service account, go to your SharePoint servers (front-end SharePoint web servers, including those hosting the Central Administration server) and install the MSIPC client, which is available to download from https://www.microsoft.com/download/details.aspx?id=38396

After the installation, browse to Program Files\Active Directory Rights Management Services Client 2.1 and check the version of msipc.dll; make sure it is 1.0.2004.0 or later.
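
The version check above, run against several front-end servers at once, as an added example that is not part of the original post. The server names are placeholders and PowerShell remoting is assumed to be enabled on them; the folder path and minimum version are the ones given above.

```powershell
# Added example (not from the original post). Server names are hypothetical placeholders.
$minimum = [version]'1.0.2004.0'          # minimum msipc.dll version stated in the post
$servers = @('SP-WFE01', 'SP-WFE02')      # assumption: your SharePoint front-end servers

$results = Invoke-Command -ComputerName $servers -ScriptBlock {
    $dll = Join-Path $env:ProgramFiles 'Active Directory Rights Management Services Client 2.1\msipc.dll'
    if (-not (Test-Path -LiteralPath $dll)) {
        # MSIPC client not installed on this server
        return [pscustomobject]@{ Installed = $false; FileVersion = $null }
    }
    $vi = (Get-Item -LiteralPath $dll).VersionInfo
    # Build the version from its numeric parts; the FileVersion string can carry extra text.
    $v = New-Object System.Version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    [pscustomobject]@{ Installed = $true; FileVersion = $v.ToString() }
}

$results | ForEach-Object {
    [pscustomobject]@{
        Server      = $_.PSComputerName
        Installed   = $_.Installed
        FileVersion = $_.FileVersion
        # [version] compares numerically (1.0.622.0 is older than 1.0.2004.0);
        # a plain string comparison would rank them the other way round.
        Compliant   = $_.Installed -and ([version]$_.FileVersion -ge $minimum)
    }
} | Format-Table -AutoSize
```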

Next, run GenConnectorConfig.ps1. The PowerShell script is included with the RMS Connector download at https://www.microsoft.com/en-us/download/details.aspx?id=40839

Run PowerShell as Administrator and run the script, changing the URL to your RMS connector URL: ".\GenConnectorConfig.ps1 -ConnectorUri https://rmsconnector.contoso.com -SetSharePoint2013"

The script actually helps you to configure some registry settings listed in https://docs.microsoft.com/en-us/information-protection/deploy-use/rms-connector-registry-settings. You can cross-check them after running the script.

Okay, the configuration of the Azure RMS Connector for SharePoint 2013 is done. Next, enable SharePoint IRM and then configure the library's IRM settings.

Go to your SharePoint 2013 Central Administration, Security, and then click on Configure information rights management.

Click Use this RMS Server: and enter your RMS connector URL, and then click OK.

Now you can start configuring your Library Settings IRM.

Configure the IRM settings above as per your requirements and then click OK. Upload some documents (not RMS protected) to see the effect. Then you can try uploading some RMS-protected documents to see the differences. HAVE FUN!!!

Thursday, November 17, 2016

Remote Configuration Failed on Remote WSUS Server

Whenever you plan to set up a remote SUP, please remember that the Primary Site Server also requires the WSUS Admin Console as a prerequisite. You will receive Remote Configuration Failed on Remote WSUS in the WCM.log if you didn’t enable this prerequisite. You can enable the WSUS Admin Console under Remote Server Administration Tools.

Friday, June 10, 2016

Take note of KB3159706, which causes WSUS to stop working

If you are patching your SCCM Server or WSUS Server, please take note of KB3159706. The SCCM SUP will fail on software update sync and you’ll see the error “Remote configuration failed on WSUS server” in the WCM.log.

You can either uninstall the patch or follow the guide https://support.microsoft.com/en-us/kb/3159706 to complete the postinstall.

  1. Run command prompt with administrative rights
  2. Enter "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing
  3. Restart the WSUS Service
  4. Restart the SMS_EXECUTIVE Service

If SSL is enabled on the WSUS server, follow the guide in https://support.microsoft.com/en-us/kb/3159706
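
The four steps above as one script with a check in front, as an added example that is not part of the original post. The WCM.log location is passed in as a parameter because it depends on your site installation; WsusService is the service name of the WSUS Service, and the extra SSL steps from the KB article are not covered.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Save as a .ps1 and run on the WSUS/SUP server.
param(
    # Assumption: full path to WCM.log on your site server; it differs per installation.
    [Parameter(Mandatory)]
    [string]$WcmLog
)

$kb       = 'KB3159706'
$wsusutil = 'C:\Program Files\Update Services\Tools\wsusutil.exe'   # path from the post

# 1. Is the update actually installed on this server?
$installed = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)

# 2. Does WCM.log show the error described in the post?
$hits = @()
if (Test-Path -LiteralPath $WcmLog) {
    $hits = @(Select-String -LiteralPath $WcmLog -SimpleMatch 'Remote configuration failed on WSUS server')
}

if (-not $installed) {
    Write-Output "$kb is not installed; if sync is failing, look for another cause."
    return
}
if ($hits.Count -eq 0) {
    Write-Output "$kb is installed but WCM.log has no 'Remote configuration failed' entries."
    return
}
Write-Output "$kb installed, $($hits.Count) matching WCM.log entries. Last one:"
Write-Output $hits[-1].Line

# 3. Complete the post-install servicing step from the KB article.
& $wsusutil postinstall /servicing
if ($LASTEXITCODE -ne 0) {
    throw "wsusutil postinstall /servicing exited with code $LASTEXITCODE"
}

# 4. Restart WSUS first, then the SCCM executive so the SUP reconnects.
Restart-Service -Name WsusService
Restart-Service -Name SMS_EXECUTIVE
Write-Output 'Done. Trigger a software update sync and watch WCM.log and wsyncmgr.log.'
```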

Thursday, March 31, 2016

Update 1602: Client Notification and Online Status Improvement

You can now update to 1602; it has been out since the second week of March. You can easily update it from the Update and Servicing node. Below is the screenshot taken when I updated my lab from 1511.

The very first improvement that you can easily check out is the Client Online Status. Previously, SCCM admins would need a “ping” tool to determine a computer's online status before performing deployment or log checking. SCCM admins can now determine the online status of the machine by the icon. A little green tick means Online, while a little grey x means Offline. A computer is considered online if it is connected to its assigned management point. To indicate that the computer is online, the client sends ping-like messages to the management point. If the management point doesn't receive a message after 5 minutes, the client is considered offline.

Another improvement is the Client Notification. Other than computer policy and user policy, the Client Notification now comes with more actions that we could otherwise only get by installing “Right Click Tools”.

These are some small improvements that mean a lot to an SCCM admin's daily operations.

Cheers,
Hau

Wednesday, January 27, 2016

Windows 10 Servicing via SCCM 1511, Error 0x8007007E

Gotcha!!! If you are like me, you missed the prerequisite KB 3095113 for WSUS to support Windows 10 Upgrade/Servicing on your SCCM WSUS server, and you have already synced and downloaded the Upgrade in your SCCM.

If you are having a certificate error while downloading the upgrade with SCCM 1511, please look at this hotfix, https://support.microsoft.com/en-us/kb/3127032.

If your download is always showing 0% while downloading the Upgrade, no fear, check the Ethernet status in the Task Manager Performance tab or you can monitor the status in patchdownloader.log located in %temp% with cmtrace.

Back to the topic, I’ve already synced and downloaded the “Upgrade to Windows 10 Enterprise, version 1511, 10586 - en-us, Volume” and “Upgrade to Windows 10 Pro, version 1511, 10586 - en-us, Volume” in SCCM 1511 and then manually deployed them to my Windows 10 Collection.

My Windows 10 client received and downloaded the Upgrade in C:\ccmcache but failed to install with error code 0x8007007E.

I tried a lot of troubleshooting and found out that I was actually missing a very important update for WSUS to support Windows 10 Feature Update, KB 3095113. Just applying the update doesn’t work so smoothly. Below are the steps I took to fix the issue.

On my SCCM Server:

  1. Install the prerequisites of the KB 3095113. https://support.microsoft.com/en-us/kb/2919442 followed by https://support.microsoft.com/en-us/kb/2919355
  2. Install KB 3095113
  3. Uninstall SCCM SUP
  4. Uninstall WSUS Server role
  5. Delete WSUS DB, and D:\WSUS
  6. Reboot OS
  7. Reinstall WSUS Server Role
  8. Install SCCM SUP
  9. Manually trigger Sync Software Update

On my test client:

  1. Stop the services below
    • net stop wuauserv
    • net stop cryptSvc
    • net stop bits
    • net stop msiserver
  2. Delete C:\Windows\SoftwareDistribution
  3. Delete C:\Windows\System32\catroot2
  4. Delete the folder containing the downloaded .esd in the ccmcache folder
  5. Delete C:\$Windows.~BT\Sources
  6. Reboot the OS
  7. Trigger the upgrade from Software Center
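
Client steps 1 to 6 as a script, as an added example that is not part of the original post. It supports -WhatIf so you can see what would be stopped and deleted before anything is touched; the ccmcache location defaults to the path mentioned above and is an assumption for any other client.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Save as a .ps1; run with -WhatIf first.
[CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
param(
    # Assumption: cache path as mentioned in the post; adjust if your client uses another one.
    [string]$CcmCache = 'C:\ccmcache'
)

# Step 1: stop the update-related services listed in the post.
foreach ($svc in 'wuauserv', 'cryptSvc', 'bits', 'msiserver') {
    if ($PSCmdlet.ShouldProcess($svc, 'Stop service')) {
        Stop-Service -Name $svc -Force -ErrorAction Stop
    }
}

# Steps 2, 3 and 5: fixed folders to clear.
$targets = @(
    Join-Path $env:windir 'SoftwareDistribution'
    Join-Path $env:windir 'System32\catroot2'
    'C:\$Windows.~BT\Sources'
)

# Step 4: only the cache sub-folders that hold a downloaded .esd, not the whole cache.
if (Test-Path -LiteralPath $CcmCache) {
    $targets += Get-ChildItem -LiteralPath $CcmCache -Directory |
        Where-Object {
            Get-ChildItem -LiteralPath $_.FullName -Filter *.esd -Recurse -File -ErrorAction SilentlyContinue |
                Select-Object -First 1
        } |
        ForEach-Object { $_.FullName }
}

foreach ($path in $targets) {
    if ((Test-Path -LiteralPath $path) -and $PSCmdlet.ShouldProcess($path, 'Delete folder')) {
        Remove-Item -LiteralPath $path -Recurse -Force
    }
}

# Step 6: reboot. Step 7 (trigger the upgrade from Software Center) stays manual.
if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Reboot')) {
    Restart-Computer -Force
}
```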

I tried not uninstalling WSUS and the SUP after installing the updates on the SCCM server, but it doesn’t work; I was still getting the same error code 0x8007007E.

Note: I’m performing this in my lab environment, use this fix at your own risk.

Regards,
Hau

Friday, January 15, 2016

Client Setup Found HTTPS Distribution Point

A Distribution Point can operate in HTTP mode or HTTPS mode. It is your choice how you set it up. I went to help out a customer who was having difficulties pushing the client. Below is what I found in a computer's ccmsetup.log.

The environment here is very small, a Primary Site hosting all the roles with 300+ clients. The ccmsetup.log tells us that it managed to find a distribution point with the address https://sccmserver. The customer confirmed with us that SCCM is in HTTP mode, not HTTPS.

The setting on the Distribution Point showed that the distribution point was operating in HTTPS mode.

I helped the customer switch it to HTTP mode and re-push the SCCM Client. The ccmsetup.log tells us that the system managed to find a distribution point and is using BITS to download the client files.