Preparing for the ConfigMgr extensions for 1E Endpoint Troubleshooting
A step-by-step guide to configuring prerequisites required for the ConfigMgr extensions for 1E Endpoint Troubleshooting, before Installing the 1E Toolkit.
Requirements
Supported Platforms
Supported versions of client OS and Configuration Manager that are supported by the Tachyon Configuration Manager Console extensions are:
Windows Server 2022
Windows Server 2019
Windows Server 2016
Windows 10 CB 21H2
Windows 11 CB 21H2
Windows 10 CB 21H1
Windows 10 CB 20H2
SCCM CB 2203
SCCM CB 2111
SCCM CB 2107
SCCM CB 2103
SCCM CB 2010
1E user accounts
To prepare 1E for using the Configuration Manager Console extensions, you will need a 1E user account that has at the Full Administrator role.
To use the 1E Configuration Manager Console extensions, you must have a 1E user account and Configuration Manager administrative user account. Guidance for this is given below in User roles.
User roles
The two systems, Configuration Manager and 1E, both use RBAC to define the capabilities for their corresponding users. To enable 1E instructions to be run from Configuration Manager, the Configuration Manager Console users must also have a presence defined in 1E. This presence can take many forms, for example you could define a user in 1E from an AD group and then add all your Configuration Manager users to that group - and manage the 1E roles for the users as a group, or you could define individual users in 1E for each Configuration Manager user - and manage the 1E roles on a per-user basis. You will likely have determined roles for your Configuration Manager users based on their function within the organization, the following heading provides a rough guide to matching 1E and Configuration Manager roles.
A rough comparison of the 1E User Roles and Configuration Manager Roles
The Configuration Manager Console may be installed and used by any user that is configured as an Administrative User. There are a number of Security Roles that may be given to the user and not all of these roles are permitted to use Configuration Manager to make changes that affect the network. When configuring any corresponding 1E users, you should take this into account when assigning the 1E Roles. For example, it would be unusual for a user with just the Read-only Analyst role in Configuration Manager to be granted the All Instructions Actioner role in 1E and therefore be able to perform 1E actions on all the devices in a particular collection but not be able to use Configuration Manager to perform any other tasks. There is no one-to-one mapping of the 1E and Configuration Manager roles, but the following table provides some rough comparisons between the two.
Tachyon Role | Configuration Manager Role |
|---|---|
Viewer | Read-only Analyst. |
Questioner | Read-only Analyst. |
Actioner | Examples of equivalent Configuration Manager roles could be:
|
Approver | Any Configuration Manager Security Role that would be appropriate for the Approver to approve actions run from Configuration Manager. |
Setting up 1E for Configuration Manager integration
The following instructions show how to configure the integration between Configuration Manager and 1E after the ConfigMgr extensions for 1E Endpoint Troubleshooting have been installed.
The animation below (available soon) shows an end-to-end example of configuring 1E to support the ConfigMgr extensions for 1E Endpoint Troubleshooting. This example generally uses the following steps. We'll highlight in the steps where optional decisions have been taken in the example.
1. Add the Configuration Manager Console extensions consumers to 1E
To run any of the Client Actions using 1E menu items, other than the Instruction Runner, you will need to add (register) the CmConsoleExtensions consumer to 1E using the Endpoint Troubleshooting Administration Consumers page. The steps to take are:
Logon to the 1EPortal using a user account with the Full Administrator role.
Navigate to the Settings→Instructions→ Consumers page
Click the Add button to create a new consumer
The new consumer should be configured with the default values, except for the following:
Parameter
Value
Name
CmConsoleExtensions
Maximum simultaneous instructions
10
Enabled
Check this checkbox
Click the Add button to save the new consumer
To run the Instruction Runner, you will need to add the RunInstructionUI consumer to 1E using the Endpoint Troubleshooting Administration Consumers page. The steps to take this are:
Log on to the Endpoint Troubleshooting as an administrator with the Consumer Administrators role
Navigate to the Administration Consumers page
Click the Add+ button to create a new consumer
The new consumer should be configured with the default values, except for the following:
Parameter
Value
Name
RunInstructionUI
Maximum simultaneous instructions
250
Enabled
Check this checkbox
Click the Add button to save the new consumer
2. Upload the Configuration Manager Console extensions product pack to 1E and create an instruction set
First upload the instructions:
Logon to the 1E Portal using a user account with the Full Administrator role.
Open the Settings application.
Navigate to the Settings→Instructions→Instruction sets page.
Click on the Upload button.
In the Open dialog navigate to the location of the 1E-ConfigMgrConsoleExtensions.zip file.
Select 1E-ConfigMgrConsoleExtensions.zip and click Open.
All the instructions contained in the zip file will initially be added to the default Unassigned instruction set. Instructions in the Unassigned instruction set cannot be used, so first you will need to create a new instruction set with the verification instructions.
Select the 16 instructions you want to add to the new set, by clicking the checkbox at the start of each instruction row in the list.
Click the Add new set button in the button panel to the right of the page.
In the Add new instruction set popup subsequently displayed, and type:
1E ConfigMgrConsoleExtensions as the name.
Tachyon Configuration Manager console extensions as the description.
Ensure that the Include 16 selected instructions checkbox is checked.
Click the Add button to add the new instruction set, with the selected instructions.
3. Enable Configuration Manager Console user access to 1E
You will need to ensure that the account you will be using to run the Configuration Manager Console is also represented in 1E with appropriate permissions.
The roles and permissions are described in the following table.
Role/Permission | Description |
|---|---|
Viewer | This permission is required for any instruction set you want listed in the Instruction Runner. The Viewer permission is automatically included as part of the Questioner and Actioner permissions. |
Questioner | This permission is required for any instruction set you want the Configuration Manager/1E user to ask questions on using the Instruction Runner. The Questioner permission is automatically included as part of the Actioner permission. |
Actioner | This permission is required for any instruction set you want the Configuration Manager/1E user to run actions on using the Instruction Runner. If you are not using the Instruction Runner and want to run any of the other options directly accessible from the Client Actions using 1E sub-menu, you will need to set the Actioner permission on the Microsoft Configuration Manager instruction set for the Configuration Manager/1E user. |
In our example we use the following steps to define the user access for a specific Configuration Manager Console user, called CMUser01, to the 1E ConfigMgrConsoleExtensions instruction set created earlier. This involves creating a custom role for that Instruction set and then assigning the custom role to the user. You would normally use a domain security group for all of your Configuration Manager Console users, but here we are using a single user CMUser01.
To create a custom role:
Navigate to the Settings→Permissions→Roles page.
Click the Add button to start the add role process.
On the New role page set the name as 1E ConfigMgrConsoleExtensions and click the Save button.
The new role will be added to the Roles page. Locate its entry and click on the link in the Name column for that row.
In the Permissions section:
In the Instruction Sets list scroll down and select the 1E ConfigMgrConsoleExtensions instruction set.
Select the Actioner and Questioner checkboxes from the list of permissions.
Click the Save button.
Navigate to the Settings→Permissions→Assignments page.
Select 1E ConfigMgrConsoleExtensions.
Select the plus button and select the CMUser01 and the All Devices management group, click Save.
Instructions
Instruction text (ReadablePayload) | Type | Description | Instruction file name | Version |
|---|---|---|---|---|
Question | Evaluates the ConfigMgr Client health on the device over the last <numdays> days. The health will be reported as 'Poor' if it has not updated any one of the three time critical items. If all updated then they are considered 'Average' if two thirds of all the checks are ok, and 'Good' if everything is within expected parameters. This instruction makes use of a PowerShell script and will only work on Windows devices. | 17 | ||
Question | Returns all the SCCM client components installed on the device. This instruction makes use of a PowerShell script and will only work on Windows devices. | 17 | ||
Question | Returns the ConfigMgr management points configured on the device. This instruction makes use of a PowerShell script and will only work on Windows devices. | 17 | ||
Question | Enables and starts the ConfigMgr client service (CcmExec). The service start will be delayed by a number of seconds up to the specified stagger value. | 14 | ||
Question | Stops and disables the ConfigMgr client service (CcmExec). | 14 | ||
Action | Triggers the application deployment evaluation cycle. This trigger will be delayed by a number of seconds up to the specified stagger value. | 14 | ||
Action | Trigger a client health check and remediation. This trigger will be delayed by a number of seconds up to the specified stagger value. | 15 | ||
Action | Trigger the discovery data collection cycle. This trigger will be delayed by a number of seconds up to the specified stagger value. | 14 | ||
Action | Trigger a file collection cycle. This trigger will be delayed by a number of seconds up to the specified stagger value. | 14 | ||
Action | Trigger a hardware inventory cycle. This trigger will be delayed by a number of seconds up to the specified stagger value. | 14 | ||
Action | Trigger a machine policy retrieval and evaluation cycle. This trigger will be delayed by a number of seconds up to the specified stagger value. | 14 | ||
Action | Triggers the software inventory cycle. This trigger will be delayed by a number of seconds up to the specified stagger value. | 14 | ||
Action | Trigger a software metering usage report cycle. This trigger will be delayed by a number of seconds up to the specified stagger value | 14 | ||
Action | Triggers a software update deployment evaluation cycle. This trigger will be delayed by a number of seconds up to the specified stagger value. | 14 | ||
Action | Triggers a software update scan cycle. This trigger will be delayed by a number of seconds up to the specified stagger value. | 14 | ||
Action | Triggers a Windows installer source list update cycle. This trigger will be delayed by a number of seconds up to the specified stagger value. | 14 |