In the third post of this blog series about Windows 10 Deployment using SCCM, we will show you how to create a SCCM Windows 10 Build and Capture Task Sequence and deploy it. Complete the preparation of your environment before reading this post. You will be able to edit this task sequence later to customize it to your environment.

The goal of a build and capture task sequence is to capture a reference machine OS in order to redeploy its configuration multiple time. As a best practice, we recommend not to add too much software and customization to your reference image. Rather, use the task sequence steps to customize your deployment which decrease management operation tasks in the long run.

For example, if you want to include Adobe Reader to your reference image because all your users need it, do not install it on your reference machine and do your capture. Instead, use the Installed Software step in the capture task sequence. When a new version of Adobe Reader will be released, it will be a matter of a couple of click to replace the old version with the new one.

Create SCCM Windows 10 Build and Capture Task Sequence

• Open the SCCM Console
• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click Task Sequences and select Build and capture a reference operating system image

• On the Task Sequence Information tab enter a task sequence Name and Description
• Select the desired boot image

• On the Install Windows pane, select the Image package and Image index you imported in part 1
• Leave the Product key blank, if you are using MAK keys, read this post on how to handle that in your Task Sequence. (Hint : Even with MAK key, you need to leave the Product key blank)
• Enter a password for the local Administrator account

• In the Configure Network pane, select to Join a workgroup. There’s no reason to join a domain when creating a build and capture task sequence. You’ll still be able to join a domain when creating a task sequence to deploy this image

• On the Install Configuration Manager Client pane, select your Configuration Manager Client Package and enter your installation properties

• On the Include Updates pane, select the desired Software Update task
  • All Software Updates will install the updates regardless of whether there is a deadline set on the deployment (on your OSD collection)
  • Mandatory Software Updates will only install updates from deployments that have a scheduled deadline (on your OSD collection)
  • Do not install any software updates will not install any software update during the Task Sequence

• On the Install Applications tab, click on the Star Icon to add any application that you want to be installed during your build and capture deployment. These applications will be part of the reference image, we recommended adding only software that need to be included in every deployment… and even there, I prefer add it to a deployment task sequence rather to include it in my image. The reason is pretty simple, if you need to make an application change, you only have 1 step to change to your task sequence rather than redo the whole build and capture process and then modify your task sequence with the new image. Some likes to add Office or other big applications that every users needs to reduce deployment time.

• On the System Preparation tab, click Next

• On the Image Properties tab, enter the desired information

• On the Capture Image tab, select the path where you want to save the .WIM file
• Enter the account to access the folder. This account needs write permission

• On the Summary tab, review your choices and complete the wizard

Deploy Windows 10 Build and Capture Task Sequence

Now that our Task Sequence is created, we will deploy it to a collection and start a Windows 10 Build and capture. It’s strongly recommended to deploy a build and capture on a virtual machine.

• Open the SCCM Console
• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click your Windows 10 Build and Capture Task Sequence and select Deploy

• On the General pane, select your build and capture collection. This is the collection that will receive the Windows 10 installation and be captured to create the new WIM file

• Select the Purpose of the deployment
  • Available will prompt the user to install at the desired time
  • Required will force the deployment at the deadline (see Scheduling)
• In the Make available to the following drop down, select the Only media and PXE. This will ensure that you do not send the deployment on clients. This is also useful to avoid errors, using this options you *could* send the deployment to All Systems and no clients would be able to run the deployment from Windows

• On the Scheduling tab, enter the desired available date and time. On the screenshot, we can’t create an Assignment schedule because we select Available in the previous screen

• In the User Experience pane, select the desired options

• In the Alerts tab, check Create a deployment alert when the threshold is higher than the following checkbox if you want to create an alert on the failures

• On the Distribution Point pane, select the desired Deployment options. We will leave the default options

• Review the selected options and complete the wizard

PXE Boot

Now that we’ve created our task sequence and that it’s deployed. We can start the deployment on the machine. Make sure that the system you want to capture is a member of your deployment collection and start the device. (See this Technet article to know how to import a computer).

For this example, we will be using a virtual machine running on Hyper-V.

• The machine is booting and waiting for the PXE to respond

• Our SCCM Distribution point is sending the boot image to our VM

• The Welcome to the Task Sequence Wizard pops-up. This is because of the Available purpose in the Deployment Settings. If we had a Required deployment, the task sequence would start right away. Click Next

• All the available task sequence are listed. In our example we have our deployment and our build and capture task sequence. Select the Build and Capture task sequence and click Next

• The Task Sequence starts

Monitoring

See our blog post on this topic which covers the various ways to monitor your task sequence progress.

The post Windows 10 Deployment | Create SCCM Windows 10 Build and Capture Task Sequence appeared first on System Center Dudes.

In the fourth post of this blog series about Windows 10 Deployment using SCCM, we will show you how to upgrade a Windows 7 to Windows computer 10 using SCCM task sequence upgrade.

The goal of an upgrade task sequence is to upgrade an existing operating system to Windows 10 without loosing any data and installed software. This post assumes that you are running SCCM 1511 or SCCM 1602 and that you completed the preparation of your environment for Windows 10.

If you are running SCCM 2012 R2 SP1, the product team has release important information about SCCM task sequence upgrade that you can find in this blog post.

In the past, an in-place upgrade scenario was not a reliable and popular option to deploy the latest version of Windows. With Windows 10, it’s now reliable and features an automatic rollback in case something goes wrong. This scenario can also be considered faster than the wipe and reload deployment scenarios, since applications and drivers don’t need to be reinstalled.

When to use In-Place Upgrade Scenario ?

Consider using SCCM upgrade task sequence if :

• You need to keep all existing applications and settings on a device
• You need to migrate Windows 10 to a later Windows 10 release (ex: 1511 to 1602)
• You don’t need to change the system architecture (32 bits to 64 bits)
• You don’t need to change the operating system base language
• You don’t need to downgrade a SKU (Enterprise to Pro). The only supported path is Pro to Enterprise or Enterprise to Enterprise)
• You don’t need to change the BIOS architecture from legacy to UEFI
• You don’t have multi-boot configuration

Windows 10 is now managed as a service, this upgrade process can also be used to migrate Windows 10 to a later Windows 10 release or you can use the new Windows 10 servicing feature in SCCM 1602 and later.

Possible Upgrade Path when using SCCM Task Sequence Upgrade

• Windows 7, Windows 8 and Windows 8.1 can use this method to upgrade to Windows 10
• You can’t upgrade a Windows XP or Windows Vista computer to Windows 10
• Windows 10 is the only final destination OS (You can’t upgrade a Windows 7 to Windows 8.1 using this method)

Requirements

• As stated in the start of this blog post, you need at least SCCM 2012 R2 SP1 (or SCCM 2012 SP2) to support the upgrade task sequence
• You cannot use a custom image for this scenario, you must start from the original WIM from the Windows 10 media

Three major vendors have supported workarounds documented on their support sites :

Understanding the In-Place Upgrade Process

If you want to understand all the phases in the upgrade process, we strongly recommend watching the Upgrading to Windows 10: In Depth video from the last Microsoft Ignite event.

Create SCCM Task Sequence Upgrade Windows 7 to Windows 10

Enough writing, let’s create a SCCM task sequence upgrade for a Windows 7 deployment.

• Open the SCCM Console
• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click Task Sequences and select Upgrade an operating system from upgrade package

• In the Task Sequence Information tab, enter a Task Sequence Name and Description

• On the Upgrade the Windows Operating System tab, select your upgrade package by using the Browse button. If you don’t have imported an upgrade package yet, use the step provided in our preparation blog post

• On the Include Updates tab, select the desired Software Update task
  • All Software Updates will install the updates regardless of whether there is a deadline set on the deployment (on your OSD collection)
  • Mandatory Software Updates will only install updates from deployments that have a scheduled deadline (on your OSD collection)
  • Do not install any software updates will not install any software update during the Task Sequence

• On the Install Applications tab, select any application you want to add to your upgrade process

• On the Summary tab, review your choices and click Next

• On the Competition tab, click Close

Edit the SCCM Task Sequence Upgrade

Now that we have created the task sequence, let’s see what it looks like under the hood:

• Open the SCCM Console
• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click your upgrade task sequences and select Edit

As you can see, it’s fairly simple. SCCM will take care of everything in a couple of steps :

• The Upgrade Operating System step contains the important step of applying Windows 10

Deploy the SCCM Upgrade Task Sequence

We are now ready to deploy our task sequence to the computer we want to upgrade. In our case, we are targeting a Windows 7 computer.

• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click Task Sequences and select Deploy

• On the General pane, select your collection. This is the collection that will receive the Windows 10 upgrade. For testing purposes, we recommend putting only 1 computer to start

• On the Deployment Settings tab, select the Purpose of the deployment
  • Available will prompt the user to install at the desired time
  • Required will force the deployment at the deadline (see Scheduling)
• You cannot change the Make available to the following drop-down since upgrade packages are available to client only

• On the Scheduling tab, enter the desired available date and time. On the screenshot, we can’t create an Assignment schedule because we select Available in the previous screen

• In the User Experience pane, select the desired options

• In the Alerts tab, check Create a deployment alert when the threshold is higher than the following check-box if you want to create an alert on the failures

• On the Distribution Point pane, select the desired Deployment options. We will leave the default options

• Review the selected options and complete the wizard

Launch the Upgrade Process

Now that our upgrade task sequence is deployed to our clients, we will log on our Windows 7 computer and launch a Machine Policy Retrieval & Evaluation Cycle from Control Panel / Configration Manager Icon

• Open the new Software Center from the Windows 7 Start Menu
• You’ll see the SCCM upgrade task sequence as available. We could have selected the Required option in our deployment schedule, to launch automatically without user interaction at a specific time

• When ready, click on Install

• The following warning appears

• Click on Install Operating System

• The update is starting, the task sequence Installation Progress screen shows the different steps

• The WIM is downloading on the computer and saved in C:\_SMSTaskSequence

• You can follow task sequence progress in C:\Windows\CCM\Logs\SMSTSLog\SMSTS.log

• After downloading, the system will reboot

• The computer restart and is loading the files in preparation of the Windows 10 upgrade

• WinPE is loading

• The upgrade process starts. This step should take about 15 to 30 minutes depending of the device hardware

• Windows 10 is getting ready, 2-3 more minutes and the upgrade will be completed

• Once completed the SetupComplete.cmd script runs. This step is important to set the task sequence service to the correct state

• Windows is now ready, all software and settings are preserved

The post Windows 10 Deployment | SCCM Task Sequence Upgrade Windows 7 to Windows 10 appeared first on System Center Dudes.

Microsoft Intune is a mobile device management tool that supports a variety of operating systems. Obviously, Intune supports the popular operating system Mac OSX. Since November 2015, companies that use standalone version, it’s possible to install the Intune client on MAC OSX devices. With the latest release of SCCM 1602, hybrid environment can enrol MAC OSX.

The Microsoft Intune client allows the deployment of policies, SCEP certificates, VPN and WiFi profiles. It’s also a new way to inventory your MAC. Before enrolling a Mac OSX in Intune, a compliance policy must be configured to apply a minimum of security control. This post will explain how to set up a SCCM Mac Compliance Policy for Microsoft Intune client.

MAC OS X Pre-Requisite

Before you begin, ensure that you configure your Microsoft Intune infrastructure correctly. This post is also part of the complete MDM installation guide blog series.

Once, Microsoft Intune is configured, we will check if SCCM is configured to support MAC OSX:

• From the SCCM console, navigate to Administration / Cloud Services / Microsoft Intune Subscriptions
• Right click on Microsoft Intune Subscription 
• Select Configuration Platforms and iOS and Mac OS X (MDM)

• In the APNs Certificate tab, make sure Enable iOS and Mac OS X (MDM) enrollment is selected

Configure SCCM Mac Compliance Policy

• To create a compliance policy in SCCM, open the SCCM console and navigate to Assets and Compliance / Compliance Settings / Compliance Policies
• Right click on Compliance Policies and select Create Compliance Policy

• In the General tab of the Create Compliance Policy Wizard, enter the Name of the desired policy
• Select Compliance rules for devices managed without the Configuration Manager client and choose iOS
• Click Next

• At the Supported Platforms tab, select Mac OS X
• Make sure All Mac OS X MDM Clients is selected and click Next

• In the Rules tab, configure rules accordingly the level of safety and productivity sought by your business
• Click on New to add a new rule, when it’s completed, click Next

• In the Summary tab, confirm the compliance policy setting details and click Next

• SCCM Mac compliance policy completed, click Close

Deploy the Compliance Policy for Microsoft Intune Client

To deploy the compliance policy for all users that enroll MacOS:

• Open the SCCM console and navigate to Assets and Compliance / Compliance Settings / Compliance Policies
• Right click on the new compliance policy created for Mac OSX and select Deploy

• In the Deploy Compliance Policy window, click on Browse and select your Intune subscription collection. In our case, it’s All Intune Users
• Specify the compliance evaluation schedule for this compliance policy

You are now ready to install the Microsoft Intune Client on your MAC OSX devices.

The post How to set up MAC OSX Compliance Policy for Microsoft Intune Client with SCCM appeared first on System Center Dudes.

Did you ever wanted to install the Microsoft Intune client on MAC OSX? Microsoft Intune standalone supports Apple operating systems since November 2015. SCCM 1602 is required to support the Microsoft Intune client with the SCCM connector (hybrid environment). The Intune client is a lightweight version of the SCCM client. You can deploy some policies, SCEP certificates, VPN and WiFi profiles. There is also a hardware inventory scan on the devices.

In a previous post, we explained how to set up a compliance policy for MAC OSX, now that our client is ready to receive the compliance policy, we will install the Microsoft Intune client on Mac OS X devices.

Install the Intune Client Mac

There is still no way to automatically install the client.

• Connect on the MAC OSX devices that you want to install Microsoft Intune client
• Open Safari and go to manage.microsoft.com
• Click on This device is either not enrolled or the Company Portal can’t identify it

• Click on Enroll

• This message is a warning message of the management profile requirement, click on Install

• Now, the installation process will need to install the Management Profile, click on Install

• You will be prompt to enter full admin credential to installation a new management profile into your MAC OSX device
• Enter your password and click OK

• The MDM and SCEP Enrollment will be requested, click Continue

• Another confirmation to install the Management Profile, Click Install

• Management Profile installation is completed when you reach this window

• Don’t be surprised, if you see this little warning. Microsoft Intune is in the process of approving the device installation. Wait few seconds and it will disappear

• Choose your active device and click on Select

The Intune client installation is now complete. From now on, your device will appear on the manage.microsoft.com portal and SCCM.

Verification

There’s a few ways to determine if the Microsoft Intune client is correctly installed.

• From the SCCM console, navigate to Assets and Compliance / Devices 
• In the Devices node, search the device you recently installed
• If your Mac does not appear, it’s a sign that the installation failed

Once the client is installed, you should be able to check the hardware inventory of the device. Note that the Microsoft Intune client Mac is not considered as a normal SCCM client, it’s considered like a mobile device.

• Right-click on the device name, select Start and Resource Explorer

• All information of the device appears at this place for only one device.

Finally, using an inventory report such as our Intune Devices, it can help identify all your company assets. All MAC OSX devices with the Intune client will be listed in this report.

The post How to install Microsoft Intune Client for MAC OSX appeared first on System Center Dudes.

Last January, Microsoft released an update for Intune standalone environment in which you can import international mobile equipment identity (IMEI) numbers for mobile device platforms that have an IMEI number to help identify corporate-owned mobile devices. Once enrolled in Intune, devices with imported IMEI numbers are tagged as Corporate, which can be used for applying policies that are different than those applied to Personal devices.

http://www.iphonetopics.com/

What happens if you use an Intune hybrid environment? SCCM has no built in tool to add a list of IMEI numbers and switch device owners from Personal to Company when devices are enrolled. In this post, we will configure SCCM to identify devices based on a list of IMEI numbers and change their ownership from Personal to Company.

Before starting, you can read the difference between both ownership attributes.

Preparing the Collection

The first step is to extract all IMEI numbers of your corporate-owned devices. The idea is to create a list of IMEI numbers and use it to create membership rules for a devices collections in SCCM.

Follow below format and repeat for each additional numbers:

The IMEI number of iOS mobile devices is displayed differently of Android devices in SCCM.

• Android = 123456789012345
• iOS = 12 123456 123456 1

Make sure you have the correct format otherwise your collection will not work correctly. You are now ready to create the device collection based on your IMEI number list.

• From the console, navigate to Assets and Compliance / Device Collections
• Right click and click on Create Devices Collection
• At the General tab, choose a collection Name and limit the collection membership to All Mobile Devices by clicking on Browse

• In the Membership Rules tab, click on Add Rule and Query Rule
• In the Query Rule Properties, choose a query rule Name and click on Edit Query Statement to modify the query rule
• In the Query Language tab, click in the Query Statement and copy paste this query
• Modify all SCCM Intune IMEI Numbers with your list of numbers

• Click Ok and Ok again

• Configure the update membership based on your needs and click Next

• In the Summary tab, confirm and click Next

• The device collection is now created, click Close

The devices that matches the IMEI number provided in the query will start to populate the collection.

Take note that this collection won’t change the attribute device ownership from Personal to Company. However you will be able to apply specific policies or deploy applications to these devices.

Modify Device Ownership to Company

Each enrolled devices in Microsoft Intune are automatically tagged as Personal, this is by design. The only situation where you will see your devices tagged as Company, is by using DEP program from Apple.

Use the collection you just created in conjunction with one of the following method to change the attribute of your devices from Personal to Company.

• Manually
• Automatically with a PowerShell script
• Automagically set the mobile device owner to company

The 3 ways are appropriate depending on the amount of mobile devices you manage.

Using Reporting with Device Ownership Company

If your management team ask you to list all Company mobile devices, you can use our mobile devices inventory report and using search parameter Company.

Take a look to our Mobile Device Management Guide for more details about Microsoft Intune.

SCCM Intune IMEI Numbers

The post Use IMEI Numbers with SCCM and Intune to identify Corporate Devices appeared first on System Center Dudes.

As an IT professional, you already know that a security breach can be devastating. It can also be expensive, $4 million on average according to a 2015 survey sponsored by IBM.

Microsoft System Center Configuration Manager (ConfigMgr) can play a huge part in preventing attacks and implementing an enterprise-wide security solution. ConfigMgr helps companies make sure all endpoints are current with the latest security fixes, configured correctly, behaving normally, and only running authorized applications.

However, like almost everything else in IT these days, ConfigMgr itself is a target for hackers who can use it to distribute malware, take control of computers with access to private data, and engage in all manner of nefarious activity. According to a recent Adaptiva survey of more than 150 IT professionals, 70 percent expressed concern about potential security vulnerabilities in their Microsoft ConfigMgr environments.

Securing the perimeter of your company’s network is usually the #1 priority, and rightly so. However, securing ConfigMgr should also be a key part of your organization’s cyber defense strategy. A full list of security topics for ConfigMgr admins could span dozens or hundreds of topics. In this blog, I am giving you a place to start by explaining some key considerations and pointing you to some helpful online resources.

Restrict and Review ConfigMgr Administrative Users

This may seem obvious, but you’d be surprised how many companies overlook it. Admin privileges are the keys to the kingdom, and many IT shops hand them out too freely. Some basic guidelines are:

• Make sure that nobody has ConfigMgr permissions except people who specifically need them.
• Use role-based security and least privilege management (LPM) to make sure that nobody has more privileges than needed.
• Look into all new administrators. Some companies perform a background check, others consider it sufficient to just contact references.
• Review the assignments on a regular basis. Just because somebody needed ConfigMgr superpowers a year ago does not mean they still need them today.
• Check the audit logs once in a while to see that nobody is overstepping their bounds. This one is getting into the hard-to-justify-spending-the-time realm, but it will keep your company safer if you do it.

Secure the ConfigMgr SQL Server(s)

Securing SQL Servers is a critical part of any security strategy, and that definitely applies to ConfigMgr. In some companies a DBA will be responsible for SQL security, but as a ConfigMgr admin you will likely install SQL server and may end up owning its security.

SQL security is a vast topic, but there are a few very basic things that should apply in almost every deployment. First, always use Windows Authentication (never Mixed Mode). Second, secure the “sa” account by disabling it, deleting it, or protecting it with a complex password—the default password is the first thing hackers try.

Third, don’t forget SQL Express! In an architecture with secondary site servers, ConfigMgr may install SQL Express from files on the primary (unless you point it to a SQL Server instance instead). Those SQL Express install files may be out of date, so be sure to update after installation. However, the broader point is to make sure you update it regularly. Last year, Microsoft issued a SQL Express patch that fixed a remote execution vulnerability, so the threat is real—and easy to mitigate.

Lock-down Windows 10 OSD

Windows 10 OSD is a vast field about which volumes could be written. Some OSD security basics that will serve as a good jumping off point include:

• Never deploy task sequences to the All Unknown Computers collection
• Limit deployment to systems that have specifically been whitelisted/allowed for OSD
• Ensure that Task Sequences are kept clear of sensitive data
• Restrict physical access to OSD media
• Physically protect any physical system you use to create references images

Go Deep with Security

I’ve mentioned only few key things to look for. Other areas of ConfigMgr security include: permissions and authorization, server management, client management, content, and even business priorities. Also, to truly secure your systems management environment, you’ll need look at business processes in addition to systems and configurations.

To learn more, Adaptiva has put together a few educational security resources that go into much more detail:

Top 20 Security Best Practices Report PDF

Top 20 SCCM Security Best Practices Webinar: Recording & Slides

SCCM Security Checklist

Securing ConfigMgr

The post How to Start Securing ConfigMgr in the Enterprise appeared first on System Center Dudes.

As an SCCM administrator, it’s important to learn the concept of troubleshooting a Configuration Manager client installation. By targeting the SCCM client installation error codes, you will have a better idea of what is happening during client installation. The error codes is not an exact science, they can defer depending on the situation. For a better understanding about error codes, read this great post from Jason Sandys.

These codes appears in ccmsetup logs, located on in C:\windows\ccmsetup\logs. During the installation process, monitor the ccmsetup.log using cmtrace.exe and locate each error codes.

There are other logs, on which the SCCM client installation relates. If you don’t find enough information in the ccmsetup.log, scan all related log files in c:\windows\ccm\logs. Use the command line net helpmsg, for more information about your return error code.

SCCM Console

You can also add the Last Installation Error in the SCCM console:

• Open the SCCM console and navigate to Assets and Compliance / Devices
• In the devices view, right click on the header and select Last Installation Error

There are chances that the last error code return an empty value for a device.

SCCM Client Installation Error Codes

This post from Technet Forums (Thanks to Charlie Hawkins), has inspired us to prepare a list of all error codes, that can happen during the SCCM client installation. Some errors have been added based on our personal experiences.

Don’t forget to put emphasis on the prerequisites of the SCCM client, this will increase your success percentage during client installation. You can also check the list of client commands list, as an additional help for troubleshooting your SCCM clients.

Reporting

Knowing the client installation status from reports, reduces the amount of devices without SCCM client installed in your IT infrastructure. It’s also increase your effectiveness, when it’s time to tackle all unhealthy clients.

One of our System Health report is made especially for the Configuration Manager Client. This report now shows the last SCCM client installation error codes, including the description of the installation deployment state. This report will help you achieve the *near* 100% client installation, that project managers loves to see.

The post List of SCCM Client Installation Error Codes appeared first on System Center Dudes.

Offline Servicing in SCCM is the process through which you can inject software updates in your operating system WIM files.

This process can alleviate your build and capture yearly/bi-yearly WIM updates that you most likely run in your enterprise. However, as much as this process is great to shorten your gold image updates, it’s still not perfect. Why? The answer is quite simple. Even if your gold image contains products such as Microsoft Office, offline servicing will not apply Office patches even though these are downloaded to your Software Update Point. Only core Windows applications can get patched through this process.

What are the type of core applications that you can apply patches to? Obviously, Windows, Internet Explorer, .Net Framework and so on and so forth. (also called CBS, for Component Based Servicing)

SCCM Offline Servicing Overview

Here’s what happens in the background when you start the SCCM Offline servicing process :

1. SMS_Executive starts the SMS_Offline_Servicing_Manager either via a schedule or manually, depending on how you configured it
2. SCCM copies your WIM in a temporary folder
3. The WIM gets mounted (or extracted if you will) to a mount directory
   • By using DISM the Offline Servicing will attempt to see if a given software update is applicable (installed or not) to your WIM file. If not, it injects it
4. This gets repeated for all software updates
5. The image gets unmounted and the WIM is rebuild
6. A backup of the WIM is created
7. The new WIM gets copied back to its original location
8. Your distribution point gets updated (if you chose to update them) or else, you should plan to update them

How to Initiate SCCM Offline Servicing

So now that we have all this theory explained, let’s get our hands dirty. How do we actually do this?

• From the SCCM console, navigate to Software Library / Operating System / Operating System Images
• Right click on your image you wish to inject patches to and choose Schedule Updates

• You can either choose to select all software updates or only a subset. Make sure the correct architecture is selected for your Wim and click Next 

• Set a Schedule if you want to plan ahead, if not, choose As soon as possible. To your choosing, select to Continue on error and Update the distribution points with the image, click Next

• Validate your selections and click Close

Monitoring

You can monitor the process via 3 log files :

• OfflineServicingMgr.log  – ConfigMgrInstallPath\Logs

You can refer to the high level steps above to match the numbers in the screenshots with the steps

• SMS_Executive calls SMS_OFFLINE_SERVICE_MANAGER (1)

• A backup is taken (2)

• WIM file gets mounted (3)

• Updates get applied (4)

• WIM gets unmounted (5)

• The backup copy is moved (6)

• WIM gets copied back (7)

• DISM.log  – Windows\Logs\Dism\DISM.log

You can also view the details of what DISM does patch per patch in this log. Take heed though, DISM.log tends to be very chatty/verbosy.

• DistMgr.log – ConfigMgrInstallPath\Logs

To view your WIM file get distributed on all your DPs.

Here’s to hoping this clears up the whole Offline Servicing for you all!

The post Inject Software Updates in your WIM using SCCM Offline Servicing appeared first on System Center Dudes.

In this post we will describe how to customize your windows 10 image to personalize it to your company. There’s an infinite amount of customization that can be made but i’ll try to cover the more frequent one, those that are asked 95% of every Windows 10 projects I was involved in. You could also do all those modifications through group policies if you want to enforce those settings.

SCCM Windows 10 Customization Package

Before we begin any customization, we will create a Windows 10 Customization package that we will use in our task sequence. It will be empty to start but we will create the folders and scripts during this blog post.

• Open the SCCM Console
• Go to Software Library / Application Management / Packages
• Create a new package
• On the Package tab, enter a Name, Description, Manufacturer and Source folder (this is where all scripts will be stored)

• On the Program Type tab, select Do not create a program

• On the Summary tab, review your choices and complete the wizard

File Association

The first item we will be covering is file association. By default, Windows 10 uses Microsoft Edge to open every PDF files and HTTP links. For this post, we will redirect PDF files to Adobe Reader and HTTP/HTTPS to Internet Explorer. You can redirect any extension to any software. You just need to make sure that the application that you associate is installed during your Windows 10 deployment (or in your image).

The first step is to make the association manually, we will then export the configuration to a XML file and we will use DISM in our task sequence to import the configuration.

• Log on a Windows 10 machine
• Open Control Panel / Programs / Default Programs / Set Associations

• Navigate to .PDF and click on Change Program

• Select Adobe Reader and click OK

• Your .PDF files are now associated to Adobe Reader
• For Internet Explorer association, select HTTP Protocol, .HTM and .HTML files, change program to Internet Explorer

Now that our associations has been done, we need to export the associations to a XML file using DISM :

• Open an elevated command prompt
• Run the following command : Dism /Online /Export-DefaultAppAssociations:C:\Temp\SCDAppAssoc.xml
  • (Change the XML file name and path if desired but make sure that the directory exists or you’ll get an error code 3)

The XML file can be opened using any text editor. You can see our modifications has been made. It’s possible to change manually in this file but it’s a bit tricky to find ProdId and ApplicationName.

• Copy the XML file to your Windows 10 customization package in the FileAssociations Folder

• Open the SCCM Console and browse to Packages
• Right-click your Windows 10 Customization package and select Update Distribution Point

• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click and Edit your Windows 10 task sequence
• Select Add / General / Run Command Line
  • Name : Set File Association
  • Command line : Dism.exe /online /Import-DefaultAppAssociations:FileAssociations\SCDAppAssoc.xml
  • Check the Package box and specify your Windows 10 customization package
• Position this step after the Windows image has been deployed

Setting the Default Windows 10 Wallpaper

We will now change the default Windows 10 wallpaper to a corporate one.

• The default Windows 10 wallpapers are stored in the C:\Windows\Web\Wallpaper\Windows\ folder
• Windows 10 also support 4K wallpapers which are stored in C:\Windows\Web\4K\Wallpaper\Windows

For our post, we will delete the 4K wallpapers and overwrite the default img0.jpg file. If you need to support 4K wallpaper, just place them in the 4K folder before updating your distribution points and the script will copy it to the right location.

By default, you can’t modify those files, we will use a PowerShell script to change the security of the folder and overwrite the wallpaper file. We will grant access to the SYSTEM account since it’s the account used during the SCCM task sequence.

• Create a new WallPaper\DefaultRes and WallPaper\4K folder in your Windows 10 customization directory
• Rename your wallpaper to img0.jpg copy it in the WallPaper\DefaultRes directory
• If 4K support is needed, copy your files in the WallPaper\4K Directory

Create a new Powershell script in the root of the Wallpaper directory and copy this code into it :

#Take OwnerShip of the files
TAKEOWN /f C:\Windows\WEB\Wallpaper\Windows\img0.jpg
TAKEOWN /f C:\Windows\Web\4K\Wallpaper\Windows\*.*
#Set permissions for SYSTEM Account
ICACLS C:\Windows\WEB\Wallpaper\Windows\img0.jpg /Grant 'System:(F)'
ICACLS C:\Windows\Web\4K\Wallpaper\Windows\*.* /Grant 'System:(F)'
#Delete the files
Remove-Item C:\Windows\WEB\Wallpaper\Windows\img0.jpg
Remove-Item C:\Windows\Web\4K\Wallpaper\Windows\*.*
#Copy the files
Copy-Item $PSScriptRoot\DefaultRes\img0.jpg C:\Windows\WEB\Wallpaper\Windows\img0.jpg
Copy-Item $PSScriptRoot\4k\*.* C:\Windows\Web\4K\Wallpaper\Windows

You’ll end up with the following structure :

• Open the SCCM Console and browse to Packages
• Right-click your Windows 10 Customization package and select Update Distribution Point

• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click and Edit your Windows 10 task sequence
• Select Add / General / Run PowerShell Script
  • Name : Set Wallpaper
  • Script Name : Wallpaper\ChangeWallpaper.ps1
  • PowerShell execution policy : Bypass
• Position this step after the Windows image has been deployed

Change Lock Screen Image

The lock screen image is the image you see when the computer is locked. To change it, we must copy our image locally on the computer and then modify a registry key to read it.

• Create a new LockScreen folder in your Windows 10 customization directory
• Create a new LockScreen.cmd file and copy the following code

• Create a new LockScreen.reg file and copy the following code (watch out of the “” when copy/pasting)

• Copy the image you want to set as the lock screen. For this blog post we will call it LockScreen.jpg. If you rename this file, make sure to change the script to fit this name.

You’ll end up with the following structure :

• Open the SCCM Console and browse to Packages
• Right-click your Windows 10 Customization package and select Update Distribution Point

• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click and Edit your Windows 10 task sequence
• Select Add / General / Run Command Line
  • Name : Set File Association
  • Command line : cmd.exe /c LockScreen\LockScreen.cmd
  • Check the Package box and specify your Windows 10 customization package
• Position this step after the Windows image has been deployed

Disable Microsoft Consumer Experiences

The latest Windows 10 feature upgrade includes a new feature that automatically installs a few apps from the Windows Store. Some apps like Candy Crush and Minecraft gets installed, we don’t think that belong to a work environment so we’ll delete it.

The good news is that it’s quite simple to disable. You need to disable a function called Microsoft Consumer Experiences. We will do this using a registry modification :

• Create a new ConsumerExperience folder in your Windows 10 customization directory
• Create a new DisableConsumerExperience.reg file and copy the following code :

You’ll end up with the following structure :

• Open the SCCM Console and browse to Packages
• Right-click your Windows 10 Customization package and select Update Distribution Point

• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click and Edit your Windows 10 task sequence
• Select Add / General / Run Command Line
  • Name : Disable Consumer Experience
  • Command line : Regedit.exe /s ConsumerExperience\DisableConsumerExperience.reg
  • Check the Package box and specify your Windows 10 customization package
• Position this step after the Windows image has been deployed

Create Custom Start Menu

We will now create a default Windows 10 start menu that will be used on every Windows 10 machine by default. If you add shortcuts to applications, make sure that you’ve include them in your task sequence or you’ll end up with a start menu looking like swiss cheese. (empty spots)

• Log on a Windows 10 machine
• Manually configure the Start Menu
• Create a new StartMenu folder in your Windows 10 customization package
• Start an elevated PowerShell and run the following command : Export-StartLayout -Path “C:\Temp\StartMenu.bin”
• Copy the StartMenu.bin file to your Windows 10 customization package in the StartMenu folder

• Open the SCCM Console and browse to Packages
• Right-click your Windows 10 Customization package and select Update Distribution Point

• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click and Edit your Windows 10 task sequence
• Select Add / General / Run Command Line
  • Name : Set Start Menu Layout
  • Command line : Powershell.exe Import-StartLayout -LayoutPath StartMenu\StartMenu.bin -MountPath C:\
  • Check the Package box and specify your Windows 10 customization package
• Position this step after the Windows image has been deployed

Set Windows 10 Pinned Taskbar items

Windows 10 permits to “pin” program on the task bar for easy access. Here’s how to create a standard task-bar for your Windows 10 users.

• Create a new PinTaskBar folder in your Windows 10 customization directory
• Log on a Windows 10 computer
• Manually pin all the desired program using the Pin to taskbar option

• Copy the links from %AppData%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar to your Windows 10 customization package in the PinTaskBar directory. This directory is hidden, so be sure to show Hidden Items

• Open Registry Editor
• Export the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband key to Win10Taskbar.reg

• Copy the Win10Taskbar.reg file to your Windows 10 customization package in the PinTaskBar directory
• Edit the Win10Taskbar.reg file using a text editor and replace the beginning of the first line
  • Replace HKEY_Current_User to HKEY_LOCAL_MACHINE\defuser

• The final string will be : HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Taskband
• Create a new Win10Taskbar.cmd file in your Windows 10 customization package in the PinTaskBar directory and copy the following code :

You’ll end up with the following structure :

• Open the SCCM Console and browse to Packages
• Right-click your Windows 10 Customization package and select Update Distribution Point

• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click and Edit your Windows 10 task sequence
• Select Add / General / Run Command Line
  • Name : Set Taskbar Pins
  • Command line : cmd.exe /c PinTaskBar\Win10Taskbar.cmd
  • Check the Package box and specify your Windows 10 customization package
• Position this step after the Windows image has been deployed

Conclusion

If you correctly follow this post, you’ll end up with this structure in your Windows 10 Customization package :

And you’ll have 6 new steps in your Windows 10 task sequence :

You can now deploy your Windows 10 task sequence to a test machine and all customization should be there. See our post on how to monitor your task sequence if something goes wrong or simply if you want to track the progress.

We hope this post will help you out for your Windows 10 customization. Feel free to post your customization using the comment section. We will update this post on a regular basis when we have more to share.

The post SCCM Windows 10 Customization using Task Sequences appeared first on System Center Dudes.

In this post we will be looking at using SCCM dynamic queries to populate collections in our deployments. As a SCCM administrator, you most likely had to plan out mass deployments to all your servers or workstations or even both. How did you go ahead and populate your collections? Queries? Since the introduction of SCCM 2012, we now have a multitude of options, most notably:

• Direct membership
• Queries
• Include a collection
• Exclude a collection

Chances are, if you are deploying a new software to be part of a baseline for workstations (for example), you will also add it to your task sequence.

In my passed life, I must admit, I really did like queries. They can be such a powerful tool to populate your collections. I always was looking for ways to pimp the usual types of queries we use. For example, my fellow dude Benoit has given us a fabulous list of operational collections that we can use for our day to day deployments. Now, with SCCM 2012 we could create a deployment collection and simply include one of the operation collections and voilà.

But, that stays static. What I mean by that is if your collection targets 500 workstations, you will always target 500 workstations minus or more the workstations that get added as the query gets updated.

I personally like when things are a little more dynamic. If I target a deployment for 500 workstations, I would like to see that collection drop to 50, 40, 25 or whatever the count of objects as the deployment succeeds on workstations.

SCCM Dynamic Queries in layman’s terms

We have a deployment. Let’s use 7-Zip as an example. We want to deploy this on all our workstations. We would typically create a collection with a query along the lines of Select all objects where the operating system is like “workstation”. Simple right?

Now, let’s beef that up. What if we add to the same query another criteria that excludes all workstations where the Deployment ID for 7-Zip is successful? When we create the collection/deployment we will be targeting all workstations. As the workstations install the software and return a success code to their management point, this query will rerun itself and should yield less and less objects.

Caveat for your deployments

Now, you can use this for all your deployments. But to be optimal, you need to use Package deployments and not applications. Why? Simply because packages have the ability to have a custom schedule where you can repeat a schedule and set a rerun behavior whereas the Applications don’t have that possibility. So I will list all relevant information below for your queries, but aside from monitoring or reporting purposes, you won’t be able to rerun a deployment, unless you really delete and recreate a new deployment.

A real world example for a package deployment using SCCM Dynamic Queries

So I stated earlier, we start with a very basic package for 7-Zip.

And as we typically do, this program is deployed to a collection, in this case I went very originally with Deploy 7-Zip.

Nothing special with our collection the way we usually do it. Like I said, this is usually a collection along the lines of All Laptop or All Windows 7 & 10 and so on. My current query lists a grand total of 4 objects in my collection.

Let’s right click this collection and go to the Membership Rules tab. You can clearly see the type of rule is set to Query. Let’s click on Edit to view the details of my query. Note: I set my updates on collections at 30 minutes. This is my personal lab. I would in no case set this for a real live production collection. Most aggressive I would typically go for would be 8 hours.

Let’s press Show Query Language to go in text edit mode.

As you can see above, I added:

Replace XYZ12345 in the above query with your DeploymentID. Understanding WQL can be a challenge if you never played around with it. To understand it, let’s break it down in two parts.

1. In between the parenthesis, I am asking SCCM to give me all objects (Resource ID) where the DeploymentID is XYZ12345 (our 7-Zip deployment) and the StatusType is 1 (success).
2. Since we want to exclude these machines from the collection I simply negate the above query with a not statement. So give me all IDs that are not part of that sub-selection.

Press Ok. As you can see in the screenshot below, my count went down by two since I already had successfully deployed it to half my test machines.

Pimp my package deployment

Ok, now that we have that dynamic query up and running, why not try and improve on the overall deployment technique, shall we? As you know, a program will be deployed when the Assignment schedule time is reached. If you have computers that are offline, they will receive their installation when they boot up their workstation, unless you have a maintenance window preventing it. But, let’s say you have a quite a few workstations you want to deploy,  you will more than likely have some failures here and there. Unless you have set a recurring schedule, it will not rerun. By having a dynamic collection like we did above, combined to a recurring schedule, you can reattempt the installation on all workstations that failed the installation without starting the process for nothing on a workstation that succeeded to install it.

As I said earlier, the goal of this post is not necessarily to replace your deployment methods. It’s simply to give you an alternate method of deploying software on your objects and viewing in real time the success of the deployment. As the count goes down, you know which machines received it successfully and which didn’t.

Do you guys have any other methods to do this? If so, I would be curious to hear you guys out.

The post How to use SCCM Dynamic Queries in your Deployment Collections appeared first on System Center Dudes.

Since SCCM 1511, you can use the new upgrade task sequence to easily upgrade a Windows 7 computer to Windows 10. But what if you want to upgrade a computer from a 32-bits operating system to Windows 10 64-bits ? You can’t use the upgrade task sequence for this specific scenario. Another reason would be that your company decided to use the wipe and reload option in your Windows 10 migration project. In those cases you will need to use USMT to capture data and settings from the users profiles before applying the new operating system.

This post will describe how to upgrade a 32-bits computer to Windows 10 64-bits using USMT and SCCM. This post will be using hard-links without using a State Migration Point. Continue reading if you are not familiar with those terms, we will explain it later.

Since you’re at the step of deploying Windows 10, we assume that you already installed at least SCCM 1511 and the latest Windows ADK before reading this post. If not, read our related posts :

1. SCCM 1511 Upgrade Guide
2. Windows 10 Deployment | Prepare your environment

USMT Basics

Let’s start by giving a couple of facts about the User State Migration Tool :

• Latest USMT version is 5.0
• Latest Windows ADK 10 includes the latest version
• Supports capturing data and settings from Windows Vista and later (including Windows 10)
• Supports restoring the data and settings to Windows 7 and later (including Windows 10)
• Supports migrating from a 32-bit operating system to a 64-bit operating system, but not the other way around

What gets Migrated

By default, USMT migrates many settings (user profile, Control Panel configurations, files, and more). The default configuration files that are used in Windows 10 deployments are MigUser.xml and MigApp.xml. These two configurations files migrates the following data and settings:

• Folders from each profile (My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites folders)
• USMT templates migrate the following file types: .accdb, .ch3, .csv, .dif, .doc*, .dot*, .dqy, .iqy, .mcw, .mdb*, .mpp, .one*, .oqy, .or6, .pot*, .ppa, .pps*, .ppt*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk, .txt, .vl*, .vsd, .wk*, .wpd, .wps, .wq1, .wri, .xl*, .xla, .xlb, .xls*.
• Operating system component settings
• Application settings

If needed, you can create a custom configuration files to includes more files types or settings. See the following Technet post for detailed instructions.

For more details on what USMT migrates, see this Technet article. For more information on the USMT overall references, see this Technet article.

Where to Store the User Data and Settings

You can capture USMT data locally (Hard-links) or remotely using a State Migration Point in SCCM (File Copy).

• Hard-link migration takes advantage of advanced features of the NTFS file system that allow files to physically remain in-place and intact even after the drive is wiped (not formatted). When restored, pointers to the files are restored, so the files never physically have to be copied or moved outside the machine. To use hard-linking, select the Capture locally by using links instead of copying files option in the Capture User State task
• File copy: If hard-linking is not selected, the traditional file copy method for storing user state is used. This file copy method literally copies all identified user state data to an alternative location requiring extra disk space and extra time to complete the copy

• To store the user state data on a state migration point (File Copy), you must first Configure a state migration point to store the user state data
• To store the user state data on the destination computer for update deployments (Hard-Link), you must :
  • Add Capture User State steps to your task sequence and configure it to use local folder using links
  • Add Restore User State steps to your task sequence and configure it to restores the user state using those links

This post will focus on the hard-links option and will not describe how to customize the task sequence to use the state migration point.

Verify SCCM Windows 10 USMT Package

To store the user state locally or on a state migration point, you must create a package that contains the USMT source files that you want to use. This package is used in the Capture User State step of the migration task sequence.

• Open the SCCM Console
• Go to Software Library / Application Management / Packages
• Right-click the User State Migration Tool for Windows 10 package and select Properties
• On the Data Source tab, ensure that the package is using the ADK 10 – Which is per default C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\User State Migration Tool
• Right-click the User State Migration Tool for Windows 10 package and select Distribute Content

• If you have no User State Migration Tool for Windows 10 package, just create (without any programs) and distribute it

Creating the Capture and Restore User State Data Task Sequence

To capture and restore the user state, you must first create a new task sequence, but before, we’ll explain the different options in the User State Menu :

• Request State Store : This step is needed only if you store the user state on the State Migration Point
• Capture User State : This step captures the user state data and stores it on the State Migration Point or locally using hard-links
• Restore User State : This step restores the user state data on the destination computer. It can retrieve the data from a user state migration point or from hard-links
• Release State Store : This step is needed only if you store the user state on the State Migration Point. This step release this data from the State Migration Point

When you create a new task sequence from the latest SCCM version, the wizard takes care of the essential steps. Let’s create it and see what are the options :

• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click Task Sequence and select Create Task Sequence
• Select Install an existing image package

• On the Task Sequence Information tab, enter your Task sequence name, Description and Boot Image

• On the Install Windows tab, uncheck Partition and format the target computer and Configure task sequence for use with Bitlocker
  • If a format and partition of the disk is selected, it would wipe all data on the drive, including the USMT data. Instead, the Apply Operating System task will delete of all files and directories occurs on the drive minus protected USMT folders

• On the Configure Network tab, select to join your domain and specify the account to use

• On the Install Configuration Manager Client tab, select your client package

• On the State Migration tab, check Capture user settings and files, select your USMT Package
• Select Save user settings and files locally and check Capture locally by using links instead of by copying files

• If needed check the Capture Network Settings and Capture Windows Settings. See the attached links for more information about these options

• In the Include Update tab, select the desired update behavior

• On the Install Applications tab, select any applications that you want to include in your task sequence

• On the Summary tab, review your choices, click Next and complete the wizard

• Now that the task sequence is created, we’ll edit it and review the steps
• Right-click your newly created task sequence and click Edit
• You’ll notice 3 USMT steps has been created :
  • Set Local State Location : This step specify the directory where the local state will be saved. We are using the builtin variable OSDStateStorePath and set the value to %_SMSTSUserStatePath% but you can use a specific location if needed

• Capture User Files and Settings : This is the step when USMT will run the ScanState command. You will see this command in SMSTS.log when monitoring your task sequence. (By default : C:\_SMSTaskSequence\Packages\<YourPackageID>\amd64\scanstate.exe C:\_SMSTaskSequence\UserState /o /localonly /efs:copyraw /c /hardlink /nocompress /l:C:\Windows\CCM\Logs\SMSTSLog\scanstate.log /progress:C:\Windows\CCM\Logs\SMSTSLog\scanstateprogress.log /i:C:\_SMSTaskSequence\Packages\<ID>\amd64\migdocs.xml /i:C:\_SMSTaskSequence\Packages\<ID>\amd64\migapp.xml)

• Restore User Files and Settings : This is the step when USMT will run the LoadState command. You will see this command in SMSTS.log when monitoring your task sequence (By default : C:\_SMSTaskSequence\Packages\<YourPackageID>\amd64\loadstate.exe C:\_SMSTaskSequence\UserState /ue:<computername>\* /c /hardlink /nocompress /l:C:\WINDOWS\CCM\Logs\SMSTSLog\loadstate.log /progress:C:\WINDOWS\CCM\Logs\SMSTSLog\loadstateprogress.log /i:C:\_SMSTaskSequence\Packages\<ID>\amd64\migdocs.xml /i:C:\_SMSTaskSequence\Packages\<ID>\amd64\migapp.xml)

Add Support for WinPE

Now that we created a basic task sequence for USMT, we suggest to add a step to support offline capture. If you start your task sequence from PXE, you will need this new step because the step we just created will fail in Windows PE. We will add a step and condition to run depending of the environment in which the task sequence is ran.

• Right-click the task sequence you just created, select Edit
• Select the Capture User Files and Settings step
• Duplicate the task by doing CTRL-C, CTRL-V
• A new Capture User Files and Settings step is created, select the Capture in Off-line mode (Windows PE only) check box and rename the step to add (WinPE) at the end
• Rename the other Capture User Files and Settings step to (FullOS)
• You’ll end up with 2 similar Capture User Files and Settings step. One for Online mode (FullOS) and one for Offline mode (WinPE)

• Select the Capture User Files and Settings (Full OS) step and click on the Options tab
• Select Add Condition, Task Sequence Variable
  • Variable : _SMSTSInWinPE
  • Condition : Equals
  • Value : False

• Select the Capture User Files and Settings (WinPE) step and click on the Options tab
• Select Add Condition, Task Sequence Variable
  • Variable : _SMSTSInWinPE
  • Condition : Equals
  • Value : True

• Click Apply and Ok to close the task sequence

Deploy SCCM Windows 10 USMT Task Sequence

We are now ready to deploy our Windows 10 USMT task sequence to the Windows 7 computer we want to upgrade.

• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click your USMT Task Sequence and select Deploy
• On the General pane, select your collection. This is the collection that will receive the Windows 10 upgrade using USMT. For testing purposes, we recommend putting only 1 computer to start

• On the Deployment Settings tab, select the Purpose of the deployment
  • Available will prompt the user to install at the desired time
  • Required will force the deployment at the deadline (see Scheduling)
• You cannot change the Make available to the following drop-down since upgrade packages are available to client only

• On the Scheduling tab, enter the desired available date and time. On the screenshot, we can’t create an Assignment schedule because we select Available in the previous screen

• In the User Experience pane, select the desired options

• In the Alerts tab, check Create a deployment alert when the threshold is higher than the following check-box if you want to create an alert on the failures

• On the Distribution Point pane, select the desired Deployment options. We will leave the default options

• Review the selected options and complete the wizard

Testing on the Target Computer

For the sake of this post we created a VM with Windows 7 32 bits. We will run our newly created task sequence to upgrade to Windows 10 64 bits.

I also created multiple files in the user profile to shows the USMT actions. We simply created text documents in the various libraries and on the desktop.

• We open the Software Center, select our task sequence and click Install

• The computer will launch the USMT action before rebooting in Windows PE and install Windows 10

• Once the process completed, we have a brand new Windows 10 migrated with my files where I left them. Even the psycho tortoise wallpaper has made the move.

We hope this post will ease your Windows 10 migrations. Leave a comment if you have any questions.

The post Refreshing a Windows 7 Computer to Windows 10 using USMT and SCCM appeared first on System Center Dudes.

The starting point of all mobile management project is enrolling devices. Without enrollment, you can’t manage any devices. When running in hybrid mode, the enrollment process is different than running Microsoft Intune in standalone mode.

The SCCM Intune Connector role keeps connectivity between both end (SCCM on-premise and the Cloud). Both environments must be synchronized, otherwise, you have chance of getting Intune error User License Type Invalid during Intune enrollment on your mobile devices. This post will explains how to resolve this issue.

Intune Error User License Type Invalid

This is the error message shown just before the enrollment process when you click Enroll :

If you take a look, at the Company Portal log from the mobile device, you will see :

<ErrorType>UserLicense</ErrorType><Message>Invalid User License</Message>

** How to see Company Portal log? Please read this Technet post ** 

Cloud User Sync

During the configuration of the Intune subscription in your SCCM, you need to create and configure a user collection. Users that require to be enrolled in Intune must be member of that collection.

Every 5 minutes, new collection modifications are synchronized with the Cloud (Intune). To see how it works, opens cloudusersync.log using CMTrace located in the SCCM logs folder on your primary site server.

Let’s say you enabled Intune A license for one user, if the user enroll his device before its account is synchronized from SCCM to the Cloud, the user will receive the Intune error User License Type Invalid.

Every time we had this issue, it was because the user was not member of the Intune users collection or the user information was not properly synchronized with the Cloud.

Resolution

Normally, full users sync with the Cloud should occur every 7 days and delta sync every 24 hours. To resolve the synchronization problem, you can force a full sync by using registry.

1. Open Regedit from the command line, regedit.exe
2. Navigate to HKLM\Software\Microsoft\SMS\Components\SMS_Cloud_UserSync\LastFullSyncTimeStamp
3. Set Base to Decimal and modify Value Data to 1 and click Ok

To start a synchronization, force a restart of the Cloud User Sync thread from the SMS Executive service. You can do it from the Registry or Service Manager in SCCM. Since we are already in registry, follow these steps.

1. Under the Windows Registry, navigate to HKLM\Software\Microsoft\SMS\Components\SMS_Executive\Threads\SMS_Cloud_UserSync
2. Find the Requested Operation string and edit the Value Data to Stop
3. Refresh the page by pressing F5, the Current State should be Stopped
4. Return to the Request Operation string and edit the Value Data to Start
5. Refresh the page again by pressing F5, the Current State should be Running

When the services are restarted, review again CloudUserSync.log to confirm all users in the collection are evaluated.

After you see the confirmation on the log, ask the user to retry the enrollment process, the user should be able to enroll his devices again.

Did this solution resolve your issue?

The post Intune Client | Error User License Type Invalid appeared first on System Center Dudes.

Windows 10 Deployment Methods

If your company runs Microsoft System Center Configuration Manager (SCCM), and you’re trying to figure out the best way to deploy Windows 10, you have choices. Specifically, there four key options you might want to choose between:

1. Microsoft Deployment Toolkit (MDT) standalone
2. MDT and SCCM
3. SCCM Standalone
4. MDT integrated with SCCM

Making the right selection to meet the needs of your organizations is not always clear so in this blog post, we’ll briefly explain each option, and outline some of the trade-offs between them.

Microsoft Deployment Toolkit Standalone

The MDT is a free toolkit for automating deployment of Windows 10 to computers. It works with other versions too, but Windows 10 is the big deployment topic these days. Basically, MDT configures unattended setup files for Windows, and it packages other needed content and files. This gives you an image file you can distribute and use to migrate systems to Windows 10.

MDT as a standalone tool is great for tiny environments without a lot of computers to migrate. MDT is also a fine fit for environments that are not connected. It is not fully automated, instead using what Microsoft calls Lite Touch Installation (LTI). (I kind of like that they used the fun spelling of the word light.) Some human interaction is required to complete the deployment.

It’s generally fast for creating reference images, and it doesn’t require much infrastructure. In general, with MDT, you should use thin reference images instead of thick.

The work you do with MDT can usually be applied to other deployment methods, so if you start small with MDT standalone and then go big later you don’t have to start from scratch. Roughly 90% of what you do with MDT standalone is applicable with SCCM deployments if you move up later.

MDT and SCCM

If you are in a very big organization, then Microsoft recommends a combination of MDT and SCCM. More specifically, if you have thousands of computers and many different applications to manage it’s a good direction to consider.

Here’s how it works. You build and test your images using MDT standalone. Then you can deploy the images to a small number of pilot/test users with Windows Deployment Services (WDS), a network-based Windows installation technology from Microsoft for doing LTI deploys using PXE. (Like MDT, WDS is free.) Then once it’s all confirmed to be golden, you can do mass rollouts with SCCM.

SCCM Standalone

SCCM actually can create OS images in the WIM format. Usually images created this way are thick, but that’s optional, it can create thin images as well. Then once an image is created, you can deploy it with SCCM the same way you would deploy an image that was created in MDT.

However, this method of creating images is not considered especially robust. The Microsoft SCCM Product Team recently stated unofficially at MMS that they will be expanding SCCM to include all the functionality of MDT. The reason, they said, is that customers shouldn’t have to use two tools to do Windows deployments. However, they were extremely clear that MDT will always exist as a standalone product also. No time frames were given for any of this.

MDT Integrated with SCCM

Now here is a truly powerful combination. By integrating MDT into SCCM, admins get awesome new powers. You can now use Task Sequences to utilize MDT’s rules, which provides a lot more deployment flexibility. It exposes a number of other advanced capabilities as well. This combo also lets you do fully automated deployments, Zero Touch Installation (ZTI) in Microsoft speak. With ZTI there is no user intervention on the targeted computer, and it’s ideal for distributed, high-volume environments.

Choosing the Best OSD Solution

Ultimately, this is a difficult decision that only you can make, based on what you know about your company’s environment and needs. There also may be some trial and error, but remember, starting with MDT is always safe. Work you do there applies to all the other scenarios, except SCCM native, which is less commonly used.

You should also evaluate your entire SCCM architecture. If you have a large number of operating locations, or thousands of endpoints, you may want to investigate content distribution engines such as Adaptiva OneSite’s Windows 10 Rapid OSD. It can eliminate the need for remote servers (DPs, PXE points, SMPs), speed WAN distribution, and lighten your workload as an admin.

Whatever method you choose, be sure to check in with System Center Dudes for the latest deployment tips and technologies. To learn more about OSD options with SCCM, you can also check out Adaptiva’s recent report co-written by Microsoft MVPs on the “Top 10 Best Practices on Windows 10 OSD with ConfigMgr” available here.

The post Which Windows 10 Deployment Methods Suits You? appeared first on System Center Dudes.

Injecting language pack into Windows 10 WIM images can be achieved in many different ways. MDT has a module to easily import image. SCCM can do it within a task sequence while the image is offline/online. You will also be able to do it by using DISM from the Windows ADK.

In this post, we will detail the process of injecting language packs into a Windows 10 WIM images using DISM.

Injecting a language pack with DISM provides a modified Install.wim that can later be used as a standalone solution to deploy Windows 10 from a media (DVD, USB) or as  a Windows OS source for  MDT or SCCM. This solution can also be used with our previous post as we explained how to create and capture a custom Windows 10 image.

Pre-Requisites for SCCM Inject Language Pack Windows 10

You must install few tools and plugins, before you get there.

• Windows ADK for Windows 10 (Download)
• Windows 10 1511 Enterprise ISO file
• Language Pack for Windows 10 same Current Branch version

Preparation

• Create a folders structure like this one below

• Copy the extracted Windows 10 ISO files to EN-FR-fr folder

• Mount your ISO language packs

• Browse to the needed language pack folder

• Copy your language folder (FR-FR) into the LangPack folder This folder must contain only one file (LP.cab)

Inject Language Pack Windows 10

To use DISM command lines,  we need the Deployment and Imaging Tools Environment from the Windows 10 ADK.

• Right click on Deployment and Imaging Tools Environment icon and select Run as administrator

• Type  dism /get-mountedimageinfo to validate if any other WIM are mounted
  • You can see that we don’t have any mounted image. If you have any, unmount it first before proceeding to the next steps

• We now need the information from the Install.WIM from the Windows 10 1511 EN-US
• Run the following command : (change to the path where you copied your sources files in the first steps)

• You must have at least a Windows 10 Enterprise Technical Preview installed to advanced
• Run the following command to mount the image :

• This will mount the WIM file to the Mount folder.

• Run the following command to inject the language pack into the mounted WIM

• At this point, the language pack is injected into the mounted WIM
• Now we need to commit changes, run the following command :

• Once changes are commited, WIM must be unmounted.
• Run the following command :

After the unmount is completed, take look at the Install.wim within EN-FR-fr folder. The modified Install.wim will be slightly bigger and modified date will be modified.

• Install.wim EN-FR-fr folder

Logs and More Info

If you experiment this problem with any of the command line from DISM, you can use the log file located in C:\Windows\Logs\DISM 

Even if not up-to-date, this Technet article can help with DISM Command lines options.

Inject Install.wim with Language Pack

We now have a source media with 2 languages in it. It can be used to install Windows 10 from a media source (manual install), for MDT and SCCM.

Bonus : Unattend.xml

In order to prevent the choice of language to prompt at first boot, an Unattend.xml file must be configured to answer the question from the Out-of-the-box experience (OOBE).

To create or modify an Unattend.xml file we need Windows System Image Manager, from the Windows ADK.

In the Unattend.xml file, the Microsoft-Windows-International-Core_neutral must be configured in the Specialize and OOBE System phase.

The 2 settings that needs to be configured for language packs are UILanguage and UILanguageFallback.

It must be configured the same way for both sections.

In the example bellow, FR-FR would be the default language,  and EN-US would be the Fallback language.

More information on Windows System Image Manager here

The post Windows 10 | Inject Language Pack with DISM appeared first on System Center Dudes.

Do organization pay too much for your software licensing? Paying more licences than you use doesn’t make your company really effective, especially when we talk about IT Cost Transparency. Do you know how much money your company spend for software licensing versus their utilization?

Using inventory, SCCM detect if an application is installed, it also monitors usage using Software Metering and uninstall application using deployment mechanisms. Combining all, you can deliver a great solution to minimize licences cost to your organisation.

Software metering is a great feature that is not always well known by the business. Company must take the advantage of monitoring the usage and automatically uninstalling application that are unused. For more details about Software Metering, read this TechNet post.

This post shows how to automatically uninstall unused applications with SCCM witch is also part 5 of the Asset Intelligence Blog Series.

Pre-Requisites

The first thing you must do is enable and configure the software metering based on Asset Intelligence. Software metering is a feature used in SCCM to monitor and collect software usage data. The data collected from all the devices must be present in SCCM database, otherwise it won’t works.

You also need to decide what will be the grace period in days, before you consider an unused application. If you’re too aggressive, users will need to reinstall the applications more frequently and loose productivity time. On the other side, being too loose, you will overpaid your licence usage. We will use a 120 days value.

Collections

Create all the devices collections assigned to an application. You create collections that will :

1. Installed : Target devices where the application is installed
2. Last Usage in last 120 Days : Target devices that use the application in last 120 days
3. Warning Zone : Create a warning zone to make sure the uninstaller will be executed on device that have at least run the application one time
4. Last Usage over 120 Days : Target devices that use the application over 120 days

Installed

This collection lists all devices that have the application installed. You have the possibility to use data from Add Remove Programs or Asset Intelligence, we suggest to use Asset Intelligence. Using only software metering data to target the amount of installation results to not relevant information. The Query Rule for the collection is:

** Change the application name in the query with your selected application.

Last Usage in last 120 days

This collection lists all devices that use the application properly in the last 120 days and will not be uninstalled. The Query Rule for the collection is:

** Change the application name in the query with your selected application and the number 120 days  with your grace period time.

Warning Zone

Warning Zone shows devices that have the software installed without being used for 120 days. The Membership Rules are :

• Include the Installed collection
• Exclude devices from the Last Usage in last 120 days collection

Last Usage over 120 days

The collection Last Usage over 120 days contains devices that used at least one time the software over 90 days.

By limiting the collection membership to the Warning Zone, it targets devices that have at least run the software. You make sure to not uninstall application on devices mostly new or devices that newly received the software or simply never use it.

** Change the application name in the query with your selected application

Uninstall Deployment

Prepare your uninstaller command and once approved, deploy to the Last Usage over 90 days collection. Make sure the deployment is quite or minimum of warning (What?). If your company use System Center Orchestrator, we suggest to take a look at this blog series by Neil Peterson. He wrote a couple of posts on Software Metering Deep Dive and Automation, The Basics, The Collections and Orchestrator Integration. The integration with Orchestrator ensures that users are warned before getting their application uninstalled. 

Verification

There’s not much thing to for verification since the mechanism is based on installed software. As soon the device is completely uninstall the software do a hardware inventory scan, the devices will be excluded from Installed collection. You can also use our Inventoried Software report that monitor software last usage based on installation.

If you are interested to configure software metrics and monitor usage with SCCM, take time to read our Asset Intelligence Blog Series:

• Part 1 | Why should you use Asset Intelligence in SCCM 2012
• Part 2 | How to maximize the use of Asset Intelligence with Labels
• Part 3 | Create Custom Reports with Labels of Asset Intelligence
• Part 4 | Merging Last Usage of Software Metering with Custom Labels of Asset Intelligence
• Part 5 | Automatically Uninstall Unused Applications based on Software Metering with SCCM

SCCM Automatically uninstall application

The post Automatically Uninstall Unused Applications with SCCM appeared first on System Center Dudes.

The second upgrade for SCCM Current Branch (1511) is now available. This post is a complete step-by-step SCCM 1606 upgrade guide. If you’re looking for a complete SCCM 1511 installation guide, see our blog series which covers it all. You can’t install this upgrade if you are running SCCM 2012. You need to be at least at SCCM 1511.

Installing SCCM upgrades is very important to your infrastructure. It adds new feature and fixes lots of issues, which some of them are important.

New Update and Servicing model

If you’re not familiar with the new SCCM servicing model, read our New Update and Servicing section of the 1602 upgrade post which explain it all.

Similar to SCCM 1602, if you need to make a new SCCM installation, you can’t install SCCM 1606 directly. You need to install SCCM 1511 first and then apply SCCM 1606 from the console. SCCM 1511 is still the baseline version if you’re starting from scratch.

*If you are running SCCM 1511 or 1602, the latest updates will be replaced by SCCM 1606 in the SCCM Console after installation. If you are on SCCM 1511, you won’t be able to install 1602 after 1606, you can skip it and install SCCM 1606 directly which contains all 1602 features.

SCCM 1606 New features and fixes

If you’ve been installing SCCM Technical Preview in your lab, SCCM 1606 contain most features included in the latest Technical Previews (1603 and up).

Consult this Technet article for a full features list. 1606 also applies the latest KB/fixes to fix known bugs…. Including KB3155482 but not KB3174008 (which was release a week prior to 1606). If you had already installed KB3174008, 1606 will revert the fixes included in KB3174008. Microsoft recommendation is to skip this KB (unless you are really blocked by this), update to 1606 and wait for a new KB that will be available for 1606 soon. (Which will include KB3174008).

Here’s our list of favorite features

• Option for clients to switch to a new software update point
  • You can enable the option for Configuration Manager clients to switch to a new software update point when there are issues with the active software update point.
• Per-app VPN for Windows 10 devices
  • For Windows 10 devices managed using Configuration Manager with Intune, you can add a list of apps that automatically open a VPN connection that you have configured through the Configuration Manager admin console. You have the option of restricting VPN traffic to those apps, or you can continue to allow all traffic through the VPN connection.
• Customize the RamDisk TFTP block size and window size on PXE-enabled distribution points
  • You can customize the RamDisk TFTP block size and window size for PXE-enabled distribution points. If you have customized your network, it could cause the boot image download to fail with a time-out error because the block or window size is too large. The RamDisk TFTP block size and window size customization allow you to optimize TFTP traffic when using PXE to meet your specific network requirements
• Improvements to the Install software updates task sequence
  • A new task sequence variable, SMSTSSoftwareUpdateScanTimeout, is available to give you the ability to control the timeout on the software updates scan during the Install software updates task sequence step. The default value is 30 minutes.
  • There have been improvements to logging. The smsts.log log file will contain new log entries that reference other log files that will help you to troubleshoot issues during the software updates installation process.

Before you begin

Downloading and installing this update is done entirely from the console. There’s no download link, the update will appear in your console once synchronized.

If you’re running a multi-tier hierarchy, start at the top-level site in the hierarchy. After the top-level site upgrades, you can begin the upgrade of each child site. Complete the upgrade of each site before you begin to upgrade the next site. Until all sites in your hierarchy are upgraded, your hierarchy operates in a mixed version mode.

Before applying this update, we strongly recommend that you go through the upgrade check list provided on Technet. Most importantly, initiate a site backup before your upgrade.

In this post, we’ll be updating a standalone Primary Site Server, console and clients.

Before installing, check if your site is ready for the update :

• Open the SCCM console
• Go to Administration \ Cloud Services \ Updates and Servicing
• In the State column, ensure that the update is Available

• If it’s not available, right-click Updates and Servicing and select Check for Updates

• The update state will change to Downloading

• You can follow the download in Dmpdownloader.log

• The update files are stored in the EasyPayload folder in your SCCM Installation directory

SCCM 1606 Upgrade guide

Step 1 | SCCM 1606 Prerequisite check

Before launching the update, we recommend to launch the prerequisite check :

• Open the SCCM console
• Go to Administration \ Cloud Services \ Updates and Servicing
• Right-click the Configuration Manager 1606 update and select Run prerequisite check

• Nothing will happen, the prerequisite check runs in the background. All menu options will be grayed out during the check

• One way to see progress is by viewing C:\ConfigMgrPrereq.log

• You can also monitor prerequisite check by going to Monitoring / Site Servicing Status, right-click your Update Name and select Show Status

• When completed the State column will show Prerequisite check passed

Step 2 | Launching the SCCM 1606 update

We are now ready to launch the SCCM 1606 update

• Right click the Configuration Manager 1606 update and select Install Update Pack

• On the General tab, click Next

• On the Features tab, select the features you want to update

• If you don’t select one of the feature now and want to enable it later, you’ll be able to so by using the console in Administration \ Cloud Services \ Updates and Servicing \ Features

• In the Client Update Options, select the desired option for your client update
  • This new feature allows to update only clients member of a specific collection. Refer to the Technet article for more details

• On the License Terms tab, accept the licence terms and click Next

• On the Summary tab, review your choices and click Next

• On the Completion tab, close the wizard. The whole process took a minute but the installation is not over, it has been initiated. From now on, no more GUI, you need to use log files to monitor the installation

• During installation, the State column changes to Installing
• You can  monitor installation by going to Monitoring / Site Servicing Status, right-click your Update Name and select Show Status

• … or you can follow detailed installation progress in SCCM Installation Directory\Logs\CMUpdate.log

• When completed, you’ll notice the message There are no pending update package to be processed in the log file
• Monitoring / Site Servicing Status, right-click your Update Name and select Show Status, the last step will be Installation Succeeded

• Refresh the Updates and Servicing node, the State column will be Installed

Updating the consoles

As in 1602, the console has an auto-update feature. At console opening, if you are not running the latest version, you will receive a warning and the update will start automatically.

• Since all updates operations were initiated from the console, we didn’t close it during the process. We received a warning message when clicking certain objects. You will have the same message when opening a new console
• Click OK,  console update will starts automatically

• Wait for the process to complete. You can follow the progress in C:\ConfigMgrAdminUISetup.log and C:\ConfigMgrAdminUISetupVerbose.log. Once completed, the console will open and you’ll be running the latest version

Verification

Consoles

After setup is completed, verify the build number of the console. If the console upgrade was successful, the build number will be 5.0.8412.1003. You can also notice that Version 1606 is stated.

Servers

• Go to Administration \ Site Configuration \ Sites
• Right-click your site and select Properties
• Verify the Version and Build number

Clients

The client version will be updated to 5.0.8412.1006 (after updating, see section below)

SCCM 1606 Client Package distribution

You’ll see that the 2 client packages are updated :

• Navigate to Software Library \ Application Management \ Packages

• Check if both package were updated, if not, select both package and initiate a Distribute Content to your distribution points

Boot Images

Boot images are automatically updated during setup. See our post on upgrade consideration in large environment to avoid this if you have multiple distribution points.

• Go to Software Library / Operating Systems / Boot Images
• Select your boot image and check the last Content Status date. It should match your setup date

Updating the Clients

Our preferred way to update our clients is by using the Client Upgrade feature :

• Open the SCCM Console
• Go to Administration / Site Configuration / Sites
• Click the Hierarchy Settings in the top ribbon
• Select Client Upgrade tab
• The Upgrade client automatically when the new client update are available checkbox has been enabled
• Review your time frame and adjust it to your needs

Monitor SCCM client version number

SCCM Reports Client Version

You can see our SCCM Client version reports to give detailed information about every clients versions in your environment. It’s the easiest way to track your client updates.

Collections

You can also create a collection that targets clients without the latest client version. I use it to monitor which client haven’t been updated yet.

Here’s the query to achieve this: (You can also refer to our Set of Operational Collection Powershell Script which contains this collection)

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ClientVersion != '5.00.8412.1006'

Happy updating !

The post Step-by-Step SCCM 1606 Upgrade Guide appeared first on System Center Dudes.

A few month ago, Microsoft released Windows Store for Business to help IT administrators to buy, manage and distribute Windows Store Apps on Windows 10 devices. At that time, the solution was useful but not fully operational from an administration perspective. Windows Store for Business integration with SCCM is a new feature of SCCM 1606 and it’s a great addition.

This new feature offers the possibility for an enterprise to distribute and manage apps for Windows 10 devices while using similar methods for standard 32-bits applications.

Key Features

• Manage Volume-Purchased apps
• Synchronize the list of purchased apps
• Apps that are synchronized appear in SCCM Console
• Easy creation of apps from the Windows Store for Business using the Application model
• Same distribution and deployment methods as standard applications
• Review licensing information in the SCCM console

Limitations

• Support only free apps. Paid apps can’t be managed with the integration for now.
• For hierarchy with  a central administration site and at least one primary site, deployment of offline Windows Store for Business apps to devices managed by Intune

This post will detail how to integrate the Windows Store for Business with SCCM 1606 and how to deploy a Business App to a Windows 10 computer.

SCCM Windows Store for Business integration Pre-Requisites

• Windows 10 version 1511 and up
• Azure AD with an account Global Administrator
• SCCM Current Branch 1606 (Follow our upgrade guide)
• Supported browser to access Windows Store for Business website
  • Internet Explorer 10 and up
  • Microsoft Edge
  • Chrome current version
  • Firefox current version
• Proxy Configuration
  • All those URLs must be allowed to acquire, install or update apps
    • login.live.com
    • login.windows.net
    • account.live.com
    • clientconfig.passport.net
    • windowsphone.com
    • *.wns.windows.com
    • *.microsoft.com
    • *.msftncsi.com/ncsi.txt

You can read more information on this TechNet post.

Azure Active Directory required configurations

In order to integrate Windows Store for Business, a Web API must be created in Azure AD for SCCM.

• Open Azure AD via https://manage.windowsazure.com/
• Select Applications and click Add at the bottom

• Select Add an application my organization is developing

• Type an application name like Microsoft ConfigMgr and select Web application and/or Web API

• Specify the Sign-on URL and APP ID URL by following this format https://yourdomain.com/SCCM
  • Make sure both links are the same

• Highlight the application created and select Configure

• Under Keys, select the duration and then click Save
  • Do NOT close this window as we’ll need these information later to integrate in SCCM

Sign Up for Windows Store for Business

• Go to https://www.microsoft.com/business-store and click Sign In

• Sign-in with a Global Administrator account

• Accept agreement by checking the box and click Accept

• Windows Store for Business is now enabled

Configure Windows Store for Business

Permissions

First, it’s a good idea to have a look at the roles and permissions for the Windows Store for Business. They are NOT related to SCCM roles and permissions.

• Go to Settings – Permissions

• You must be a Global Administrator to assign roles and permissions

• For more details on roles and permissions for Windows Store for Business, please read this TechNet post

Offline Licensed

In order to install offline applications, we must allow Windows Store for Business to do it

• Go to Manage – Account Information

• Scroll to Offline licensing section
• Check the box Show offline licensed apps to people

Management Tools

Windows Store for Business must add a management tool for SCCM integration. This management tool is the Web API created in previous steps.

• Go to Settings – Management Tools

• Click Add a Management Tool

• Search for Microsoft ConfigMgr or the name specified in the WEB API from the earlier steps

• Be sure he Microsoft ConfigMgr tool is Active

Integration with SCCM Current Branch 1606

After the upgrade to SCCM CB 1606, a new feature is available for Windows Store for Business Integration.

• Go to Administration / Cloud Services / Updates and Servicing / Features

• Find Windows Store for Business Integration and right-click to Turn-On

• Windows Store for Business will then be visible under Administration / Cloud Services
  • Please allow couple of minutes to see it

• Right-click on Windows Store for Business and select Add Windows Store for Business Account

• Click Next

• Provide your Tenant Name, Client ID, Client Secret key and a location to store the application content downloaded
  • These are from the Web API created earlier
  • Verify the information provided

• Select the required Languages for your environment

• Validate the Summary

• Windows Store for Business wizard completed and click Close

• Windows Store for Business is now integrated to SCCM 1606

• Under Software Library / Application Management / License Information for Store App, we now see purchased apps
  • The initial sync from the Windows Store for Business will take some time
  • In our case it took a good 30 minutes before we saw are purchased apps

Take the Apps Offline

• Go in the Windows Store for Business web site and Select Shop or Search store at the top to find an app

• For this post, we chose Microsoft Remote Desktop

• Select Offline then Get the app

• The app is added to your Inventory

• Within the next 24 hours, SCCM will sync with Windows Store for Business and then we will see the purchased app in the SCCM console

How to deploy an App with SCCM on Windows 10

• Under Software Library / Application Management / License Information for Store App, select the App and right click Create Application

• Click Next

• The application information is imported to SCCM, then click Next

• Specify information and click Next

• Validate Summary and click Next

• Completed summary

• An Application as been created under Software Library / Application Management / Application

• From this point, the app is manageable just as any other applications

• The source as been downloaded to the source folder for Windows Store apps

• First we Distribute Content to distribution point

• Next, we will Deploy the application

• From the Software Center click on the App Microsoft Remote Desktop

• We can see the detail of the App and click Install

• We can follow the progress

• If installed with success, we can uninstall it from here if needed.

• App Remote desktop is now available from the start menu!

For more information on Windows Store for Business integration, read this TechNet post.

The post SCCM Windows Store for Business Integration appeared first on System Center Dudes.

One of the challenges faced by workstation administrators, is to manage the local administrator account in large environment. One of the options was to use Group Policy Preferences, but that was before KB2962486 removed the possibility to set password using Group Policy Preferences. Since then, Microsoft as come up with a solution : Local Administrator Password Solution (LAPS).

Here’s the benefits of using LAPS :

• Unique password for local administrator per computer
• Password available from Active Directory, if needed to use local administrator account
• Remotly change the local administrator password
• Ability to use a custom administrator account

Limitation :

• Only the local administrator account can be managed or a custom local account as administrator.

In this post, we will detail how to install Local Administrator Password Solution (LAPS) to manage the local administrator password on a Windows 10 computer.

High-level steps to install Local Administrator Password Solution (LAPS)

Pre-requisite

• Download LAPS here
  • Download both x86 and x64 version as this MSI will be deployed on clients to be managed
  • Detailed documentation is also available from that link
• Active Directory requirement
  • Windows Server 2003 SP1 and above
• Minimum OS requirement
  • Vista with current SP and above
  • Windows Server 2003 with current SP and above
• .NET Framework 4.0
• PowerShell 2.0 and above

Management Computer

First step is to install the management tools for LAPS on a computer.

• Execute LAPS.x64.msi from the downloaded files

• Click Next

• Accept Terms and click Next

• Install all the Management Tools
  • If you plan to manage this computer, you can also install the AdmPwd GPO Extension

• Click Install

• Click Finish

• In the start Menu, LAPS UI is available

Active Directory preparation

Preparing the Active Directory for LAPS is a two steps configuration :

• Schema extension
• Edit permissions (ACL)

Schema Extension

The Active Directory Schema needs to be extended to add two new attributes that store :

• Passwords of the managed local Administrator account for each computer
• Timestamp of password expiration

Both attributes are added to the may-contain attribute set of the computer class.

ms-Mcs-AdmPwd – Stores the password in clear text

ms-Mcs-AdmPwdExpirationTime – Stores the time to reset the password

Update the Schema 

• Open up an Administrative PowerShell window and use this command to import the module :

• To update the Schema, use this command :

Edit permissions

Active Directory permissions should be modified for the following reasons and needs :

• Remove the default permission
• Add Computers rights to update the password and expiration  (write)
• Allow specific user or group to read the password
• Allow specific user or group to reset (write) the password for a computer

All of those needs are manageable on specific OU and child OU. This will be different for each organisation needs.

For an easy setup, use the PowerShell commands from the module AdmPwd.ps as it will do exactly what we need.

Remove default permission

By default, read permission could be available to many users trough the all extended rights on a Specific OU. This should be uncheck if needed :

• Open ADSIEdit
• Right Click on the OU that contains the computer accounts that you are installing this solution on and select Properties
• Click the Security tab
• Click Advanced
• Select the Group(s) or User(s) that you don’t want to be able to read the password and then click Edit
• Uncheck All extended rights

Allow computers to update password and expiration time

The Write permission on the ms-Mcs-AdmPwdExpirationTime and ms-Mcs-AdmPwd attributes of all computer accounts has to be added to the SELF built-in account. This is required so the machine can update the password and expiration timestamp of its own managed local Administrator password. This is managed per OU.

• Run the following command to add the rights to SELF built-in account to a specific OU

Allow specific user or group to read password

To allow users or groups to read the stored password of the managed local administrator account, the Control_access permission must be given to ms-Mcs-AdmPwd attribute.

• To do so, run the following Powershell command line :

Allow specific user or group to reset password

To allow users or groups to reset the  password for a  managed local administrator account, the write permission must be added on ms-Mcs-AdmPwdExpirationTime .

• To do so, run the following powershell command line:

Group Policy

LAPS is manageable by GPO using a new template.

The templates are located on the management computer :

• %WINDIR%\PolicyDefinitions\AdmPwd.admx
• %WINDIR%\PolicyDefinitions\en-US\AdmPwd.adml

If you use the Central Store, you need to copy both files to \\domain\Sysvol\Policies\PolicyDefinition

The settings are located under Computer Configuration\Administrative Templates\LAPS

Available settings :

• Password Settings
  • Complexity
  • Lenght
  • Age(days)
• Name of the administrator account to manage
  • Do not configure if you use the default name
• Do not allow password expiration time longer than required by policy
• Enable local admin password management
  • this must be enabled in order to manage the local administrator password.

Clients to be managed

To manage a client, we must install LAPS on it by using the same MSI files downloaded in the prerequisite section :

• Create a standard package in SCCM

• Add a program to that package with the following command line :

• Deploy the package to the client you want to manage
• Package can also be deployed as part of Task sequence

How to read and reset passwords

• Start LAPS UI from the Start menu

• Search for computer name
• Password is available with expire date and time

• To reset the password, select a new Expiration time and click Set

• Status of the request is displayed at the bottom

• Hit search after a minute or two, and a new password with expiration time will be available

Source : documentation of LAPS

Bonus – Add Laps to SCCM Console

Thanks to Mike -S- for this awesome LAPS  Extension for SCCM console and it works just fine with Current branch (tested with 1602 so far).

Leave your LAPS experience in the comment section.

The post How to install Local Administrator Password Solution (LAPS) appeared first on System Center Dudes.

This post describe how to inventory Office 365 using SCCM 1606. We will also provide a free report at the end of the post that you could use on your Reporting Point to easily display Office 365 inventory data.

SCCM 1606 introduces new hardware inventory classes for Office 365 configurations. You no longer need to edit your MOF files to gather Office 365 inventory. If you are using SCCM 1602 or below, follow Jason Sandys post which describe Office 365 inventory process using a MOF customization.

If your goal is to deploy Office 365 updates, refer to our post on how to manage Office 365 updates using SCCM.

SCCM Office 365 inventory report post summary :

• Office 365 Inventory Data explained
• How to enable Office 365 Inventory classes
• Verify Office 365 Inventory data on a client
• How to upload and use our free Office 365 report

Office 365 Inventory Data

Office 365 is using new update channels and update mechanism. Tracking versions and update channels is an important task. The good news is that it’s easy to do using SCCM 1606 but the data needs to be interpreted as it’s not straight forward (mostly for update channel).

Here’s the complete definition of the update channel and their meaning :

Update Channels

Other data

Here’s the definition of other information gathered by the new hardware class. We haven’t found definition for all fields, unfortunately Technet documentation is not completed. If you have any information on your environment, feel free to share it using the comment section.

How to enable Office 365 Inventory

After upgrading to SCCM 1606, your Default Client Settings should already gather the new inventory class. Here’s the step to check if it’s enabled :

• Open the SCCM Console
• Go to Administration / Client Settings
• Right-Click your Default Client Setting, select Properties

• Click on Hardware Inventory
• Click on Set Classes

• Ensure that Office365ProPlusConfiguration is enabled, click OK (remove unneeded field if necessary)

Verification

Now that our classes are enabled, trigger a Machine Policy Retrieval & Evaluation Cycle (to have the latest Client Settings) followed by an Hardware inventory Cycle on a computer that has Office installed. Once the inventory is completed, check the inventory using Resource Explorer :

• In the SCCM Console
• Right-Click your device, select Start / Resource Explorer
• Confirm that you have OFFICE365PROPLUSCONFIGURATIONS listed

SCCM Office 365 inventory report

Now that your inventory is gathering Office 365 data, we created a report to display the results. This report is free to use.

To use the report :

• Download the RDL file
• Upload the report to your Reporting Point and change the data source
• Run the report

Is this information useful ? Share your comments using the comment section.

The post SCCM Office 365 Inventory Report appeared first on System Center Dudes.

With the increasing speed of new Windows 10 releases, SCCM administrators will be faced with new testing process before deploying to all your users. During this process at a customer, we found an hardware inventory problem affecting only Windows 1607 devices. We were able to reproduce the problem in our lab and finally decided to submit the problem to Microsoft. They confirmed that it’s actually a bug that seems to reside in the latest Windows 10 1607 release. We had no inventory problem on this device using Windows 10 1511 and no changes were made in SCCM. The hardware inventory just stopped working after the Windows 1607 upgrade. We also reproduce the problem on a fresh Windows 1607 deployment.

Our setup is on SCCM 1606 but this error is present also on SCCM 1511.

We found 2 links that is identifying the problem. You can up vote the Connect item if you’re affected by this problem.

• Technet Forum
• Microsoft Connect

What’s causing the SCCM Hardware Inventory Problem on Windows 10 1607

The problem reside under the file encryption feature in Windows 10 1607 which cause an error when trying to send the file to the management point. The EFS feature is not new to Windows 10. It has been in Windows for years. Read more about EFS on this Technet article.

Here’s how to check if you’re affected by this problem :

• We’ll start by checking the server logs which there’s no entries related to the device in the MP_Hinv.log and Dataldr.log on the Management Point
• On the client InventoryAgent.log, we can see that the XML was generated and sent to Management Point
  • Inventory: Starting reporting task Reporting: 92 report entries created Inventory:
  • Reporting Task completed in 18.785 seconds
  • Inventory: Successfully sent report.
  • Destination:mp:MP_HinvEndpoint, ID: {831C6FFD-651A-48A3-F187DCFB38FB}, Timeout: 80640 minutes MsgMode: Signed, Not Encrypted
  • Inventory: Cycle completed in 109.319 seconds

Since BITS is used to send the reports, we’ll check the BITS jobs status on our affected client :

• Open a PowerShell session
• Launch the command : Get-BitsTransfer -allusers -verbose

• Check the JobState column, you can see TransistentError on CCM Message Upload jobs
• On a administrator command prompt, we’ll look at the job status
• Type the following command : Bitsadmin /list /allusers /verbose

• See the error code 0x8007177f – This machine is disabled for file encryption for our job {831….8FB}
• Browsing to the path of the file (C:\Windows\CCM\ServiceData\LocalPayload) we can see that jobs are pilling up

The machine effectively has EFS disabled by Group Policy but it was also disabled on Windows 1511 using the same GPO without any SCCM hardware inventory problem.

Workaround

At the time of writing this post, there’s only a workaround proposed by Microsoft Support. Enabling EFS on the affected clients which means that your users can suddenly encrypt files and folders on their system… Maybe not a good solution for all environment.

To enable EFS on the affected client :

• Open Regedit
• Browse to HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS\
• Change the EfsConfiguration key value from 1 to 0 – (Yes 0 means Enabled and 1 is disabled)
• Reboot the system

• Once rebooted, initiate a manual hardware inventory and the process should complete successfully

We’ll update this post if we have new information about this SCCM Hardware Inventory problem on Windows 10 1607. Meanwhile, use the Connect Item to up-vote or use the comment section to share your experience.

The post SCCM Hardware Inventory Problem on Windows 10 1607 appeared first on System Center Dudes.