The majority of companies use SCCM to manage laptops, computers, servers and some for mobile devices, if they use Microsoft Intune in hybrid mode. In some situations, Intune and SCCM management is done by 2 different teams. Except for the Full Administrator role in SCCM, it’s possible to separate Intune with Configuration Manager infrastructure in the console by using security roles and security groups (RBAC).

The goal is to ensure that an Intune administrator does not access Configuration Manager client devices and objects, as you don’t want to end up with people who may wipes or manages mobile devices when they are supposed to be only Configuration Manager admins.

This post will explain how to strengthen security and separate Intune with Configuration Manager infrastructure in SCCM console.

Create Devices Collection for Intune Client

The first thing to do is create a device collection that targets Intune clients. There’s two ways to create a device collection, manually or automatically. A set of operational SCCM collections by MVP Benoit Lecours is available to install where you can use the Mobile Devices | All collection as your Intune clients device collection. If it’s the case, move to the next section, otherwise create the devices collection manually:

• Open the SCCM console and navigate to Assets and Compliance / Device Collections
• Right-click on Device Collections and select Create Device Collection

• From the General tab, enter a name for your collection and also limit the collection membership to All Systems, once you’re finish, click Next

• In the Query Rule Properties, enter a rule name and click Edit Query Statement
• On the Query Statement Properties, click Show Query Language and copy paste below WQL code

• Click Ok and Ok

• You’ll return to Membership Rules tab, click Next

• Click Next and Close

Create Security Scope to enhance SCCM Intune Security

Now that we can gather Intune devices in the console, we will create a security scope in order to assign this scope to all objects Intune. When we talk about objects in SCCM, we’re talking about configuration items, compliance policy, email profile, wifi profile, applications and many more.

• Open the SCCM console and navigate to Administration / Security
• Right-click on Security Scopes and select Create Security Scope

• On the Create and assign a security scope window, enter a name for your security scope like Intune
• By default, full admins have access to manage all security scope but you can add more admin groups if needed
• When done, click Ok

The security scope created for Intune is created :

Assign Security Scope to Intune Objects

Since we can now assign this new security scope, it is now time to assign it to all Intune objects. For example, an application that you deploy only for Intune clients versus applications that you deploy on Configuration Manager clients.

• Open the SCCM console and navigate to Software Library / Application Management / Applications
• Right-click on one or multiple Intune applications and select Set Security Scopes

• Remove check marks on all security scopes and add a check mark on Intune security scope

Repeat this section until all your Intune objects are tagged.

Create and Configure Security Role

The security roles were implemented in SCCM 2012 to add granularity in security with the SCCM console. This avoids giving full access to administrators who do not really have the knowledge to change certain configurations. Use it to minimize impacts and bad manipulations in the console. If you don’t understand the concept of security roles and security objects in SCCM, we suggested that you read this Technet post.

• To create a security role, open the SCCM console and navigate to Administration / Security
• Right-click on a security role you want to copy (in our example we select Asset Manager) and select Copy

• At the Copy Security Role window, enter a role name, and once you configured your permissions, click Ok

• You have now created your custom role for Intune

Create and Assign Administrative Users or Groups to the Intune Security Role

The final step is to assign all these configurations you’ve made, to an administrative users or groups. It’s best to use security groups in Active Directory for security management because it’s easier to manage, instead of constantly manage individual access in SCCM console. This section is the most important part because it’s the time to stick together all these configurations.

• Open the SCCM console and navigate to Administration / Security / Administrative Users
• Right-click on Administrative Users and select Add User or Group

• At the Add User or Group windows, choose the security group you create in Active Directory by clicking Browse 
• Click Add and choose the security role you created at the section 4, in our case it was Intune Asset Manager
• At the Assigned security scopes and collections section, remove all default instance
• Click on Add, select only the All Intune Clients and the security scope Intune as shown below

• Click Ok when you’re done

Summary

Finally, we suggest that you test your configuration by adding a test user in your Active Directory security group. Log into the SCCM console, only Intune mobile devices and objects will be visible. Additionally, the SCCM access delegation with RBAC is very useful in some situations and can help you avoid fatal errors.

How do you manage access in the SCCM console for you Intune Devices ?

The post How to Strengthen Security for Intune with RBAC in SCCM appeared first on System Center Dudes.

With the introduction of new Windows 10 service branches, you will need to upgrade your Windows 10 devices at a much faster pace. Hopefully, SCCM Current Branch (1511 and higher) has built-in features to help you fulfill this task. You can choose between Upgrade Task Sequence or the new Windows Servicing feature. This post will describe how to upgrade Windows 10 using SCCM Upgrade Task Sequence.

If you are running SCCM 1511 we recommend to use the Upgrade Task Sequence over the new servicing features. There is an issue in SCCM 1511 that make all Windows 10 languages and editions to be downloaded to the device when the ADR runs. This is fixed in SCCM 1602, using a new filter you can exclude unwanted languages and editions.

If you are running SCCM 1602 or later, it’s really a matter of preference of which process to use. Each one has their own advantages, the new servicing features is using the ADR/Software Update engine, the Task Sequence one is using Task Sequence engine. The Task Sequence method allows to run additional tasks after the upgrade or install new applications. Read both our post before making your decision or use both if needed.

In this post, we will be upgrading a Windows 10 1511 to Windows 10 1607 using SCCM 1606. You can use this method to upgrade any upcoming Windows 10 release. Refer to our other blog post if you’re looking to upgrade Windows 7 to Windows 10 using task sequences.

Requirement for Windows 10 SCCM Task Sequence Upgrade

In an upgrade task sequence, you will need to have the full Windows 10 1607 media imported in Operating System Upgrade Packages node in SCCM :

• Open the SCCM Console
• Go to Software Library \ Operating Systems \ Operating System Upgrade Packages
• Select Add Operating System Upgrade Packages

• Select the path where you extracted the Windows 10 ISO

• In the General tab, edit Name, Version and Comment fields, click Next

• In the Summary tab, review your choices and click Next

• Your operating system upgrade package is imported and ready to use in an upgrade task sequence

Distribute Operating System Upgrade Packages

• Select your newly imported operating system upgrade packages and select Distribute Content

Send it to all your distribution points where you will be doing Windows 10 upgrade

Create Windows 10 Upgrade Task Sequence

• Open the SCCM Console
• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click Task Sequence and select Create Task Sequence

• Select Upgrade an operating system from an upgrade package, click Next

• In the Task Sequence Information tab, modify the Task sequence name and description if needed, click Next

• In the Upgrade the Window Operating System tab, click Browse and select your imported package, click Ok then Next

• In the Include Updates tab, we’ll select Do not install any software updates

• In the Install Applications tab, add any applications you want to install after the upgrade, click Next

• Review your choices, click Next and close the Create Task Sequence Wizard

• If you right click your newly created task sequence and select Edit, you’ll notice that the task sequence is really simple. You can add additional steps if required

Deploy the Task Sequence

• Right click your newly created task sequence and select Deploy

• In the General tab, click Browse and select a collection that contains your Windows 10 devices to be upgraded. At this point, we recommend to select a collection containing a couple of devices to test your deployment. Click Next

• In the Deployment Settings tab, select the Purpose (Available or Required). For this post we will select Available, click Next

• In the Scheduling tab, select the desired date and time, click Next

• In the User Experience tab, select desired options and click Next

• In the Alerts tab, decide if you want to create alerts for the deployment and click Next

• In the Distribution Points tab, select desired options, click Next

• Review your settings, click Next and close the wizard

Deploy the Task Sequence on a Device

Now that our task sequence is targeted to our Windows 10 device, we need to open the Software Center to initiate the upgrade process.

Before launching, let’s look at our current Windows 10 version :

• Open a command prompt and enter ver
• We are running Windows 10 1511 (Build 10586)

• In the Start Menu, select Software Center. We are using the new Software Center, your screens may differ if you’re not.
• Browse to Operating Systems and select your task sequence

• Select Install

• Accept the warning by selecting Install Operating System (No, your data won’t be lost !)

• The installation process starts. You can monitor the progress in C:\Windows\CCM\Logs\SMSTSLog\SMSTS.log

• The computer will restart after about 5 minutes
• The whole upgrade process takes about 30 to 45 minutes and your device will be rebooted several time

• Once completed, log on the computer using your account. Windows is happy to tell you that it’s updated

• Open a command prompt and enter ver
• We are now running Windows 10 1607 (Build 14393)

Use the comment section to tell which upgrade method you are preferring.

The post Upgrade Windows 10 using SCCM Task Sequence appeared first on System Center Dudes.

With the introduction of new Windows 10 service branches, you will need to upgrade your Windows 10 devices at a much faster pace. Hopefully, SCCM Current Branch (1511 and higher) has built-in features to help you fulfill this task. You can choose between Upgrade Task Sequence or the new Windows Servicing feature. This post will describe how to use SCCM Windows 10 servicing plans to upgrade Windows 10 devices.

If you are running SCCM 1511 we recommend to use the Upgrade Task Sequence over servicing plans. SCCM 1511 has an issue that make all Windows 10 languages and editions to be downloaded to the device when the ADR runs. This is fixed in SCCM 1602, using a new filter you can exclude unwanted languages and editions.

If you are running SCCM 1602 or later, it’s really a matter of preference of which process to use. Each one has their own advantages, the new servicing features is using the ADR/Software Update engine, the Task Sequence one is using Task Sequence engine. The Task Sequence method allows to run additional tasks after the upgrade or install new applications. Read both our post before making your decision or use both if needed.

In this post, we will be upgrading a Windows 10 1511 to Windows 10 1607 using SCCM 1606 serving plans. You can use this method to upgrade any upcoming Windows 10 release. You can’t use servicing plans to upgrade Windows 7 or Windows 8 computers.

SCCM Windows 10 Servicing Plans Requirements

Before using Windows 10 servicing plans you need :

• An Active Software Update Point
• Enable Heartbeat Discovery – Data displayed in the Windows 10 servicing dashboard is found by using discovery
• Install WSUS hotfixes and follow the required manual installation steps that are outlined in the KB3159706 article
• Install WSUS hotfix to enable WSUS support for Windows 10 feature upgrades
• Enable Windows 10 product and Upgrade classification in your software update point

Once the first 4 steps are completed, let’s bring Windows 10 upgrade packages to your software update point :

• Open the SCCM Console
• Go to Administration \ Site Configuration \ Sites
• On the top ribbon, select Configure Site component and Software Update Point

• In the Products tab, select Windows 10

• In the Classifications tab, select Upgrades

• Accept the prerequisite warning. Go back and install these hotfix if you haven’t done it before

• Close the Software Update Point component properties window
• Go to Software Library \ Windows 10 Servicing
• Right-click Windows 10 Servicing, select Synchronize Software Updates

• As for any Software Update synchronization process, follow the action in Wsyncmgr.log in your SCCM installation directory
• Once completed, go to Software Library \ Windows 10 Servicing \ All Windows 10 Updates
• You should have Windows 10 Upgrade packages listed

Feature Updates vs Upgrades

After your synchronization, you’ll notice 2 types of packages. This is a bit confusing. As you can see in the screenshot, for Windows 1607 Enterprise, we only has Feature Update to Windows 10 Enterprise we don’t have an Upgrade to Windows 10 Enterprise package for 1607… yet.

Why ?

The short story : At the time of this writing, the 1607 build is in the Current Branch readiness state. (listed as Feature Update). When this build falls into Current Branch for Business (Approximately 4 months), a new release will be available in Windows Update and then in SCCM (listed as Upgrade).

• Feature Upgrade : New build at the time of the release
• Upgrade : Feature Update + Servicing Update (Patches) since media first published

In this post, we’ll be using Feature Updates. During our tests, we also tried the Upgrade package on a 1507 computer (1507 -> 1511) without issues. If you have both available at the time of creating your servicing plan, use the Upgrade package since it include Servicing Updates.

Long Story : If you want the Microsoft version, refer to the complete Technet documentation.

The 2 key phrases from this documentation are :

• Feature upgrades that install the latest new features, experiences, and capabilities on devices that are already running Windows 10. Because feature upgrades contain an entire copy of Windows, they are also what customers use to install Windows 10 on existing devices running Windows 7 or Windows 8.1, and on new devices where no operating system is installed
• Approximately four months after publishing the feature upgrade, Microsoft uses Servicing Branch #1 again to republish/updated installation media for Windows 10 Pro, Education, and Enterprise editions. The updated media contains the exact same feature upgrade as contained in the original media except Microsoft also includes all the servicing updates that were published since the feature upgrade was first made available. This enables the feature upgrade to be installed on a device more quickly, and in a way that is potentially less obtrusive to users.

Create Servicing Plans

Now that we have Windows 10 upgrade packages in SCCM, we can create a servicing plan for our Windows 10 devices. Servicing Plan and Automatic Deployment Rules shares the same engine so you won’t be disoriented by servicing plans.

Looking at the Windows 10 Servicing dashboard, our 3 Windows 10 1511 are near expiration (Expire Soon).

• Go to Software Library \ Windows 10 Servicing \ Servicing Plan
• Right-click Servicing Plan and select Create Servicing Plan

• In the General Pane, give a Name and Description, click Next

• On the Servicing Plan tab, click Browse and select your Target Collection

• In the Deployment Ring tab :
  • Specify the Windows readiness state to which your servicing plan should apply
  • Specify how many days you want to wait before deploying

• In the Upgrade tab, specify the Language, Required and Title of the upgrade packages you want to deploy. This is a nice addition to the SCCM 1602 release, in 1511 all languages were downloaded

• Use the Preview button to ensure that you are targeting the right version (We are targeting Windows 10 1607 Enterprise en-us devices that are Required)

• In the Deployment Schedule tab, select the desired behavior

• In the User Experience tab, select the desired options

• In the Deployment Package tab, select Create a new deployment package and enter your Package Source path

• In the Distribution Points tab, select your distribution point

• In the Download Location tab, select Download software updates from the Internet

• In the Language Selection tab, select your language

• In the Summary tab, review your settings and close the Create Servicing Plan wizard

• Right-click your newly created Servicing Plan and select Run Now

• You can see that the deployment gets created in the Monitoring / Deployments section

Servicing Plan Deployment

Now that the deployment are triggered for clients, we will launch the installation manually using software center.

• Log on your Windows 10 computer
• We verify that we are running Windows 10 Enterprise version 1511 (Build 10586.218)

• Open the Software Center, under Updates, Feature Update to Windows 10 Enterprise 1607 is listed

• Select it and select Install

• Accept the warning by clicking Install Operating System. (Your data won’t be lost)

• Installation is running

• The computer will restart after about 5 minutes
• The whole upgrade process takes about 30 to 45 minutes and your device will be rebooted several time

• Once completed, log on the computer using your account. Windows is happy to tell you that it’s updated

• We are now running Windows 10 Enterprise version 1607 (Build 14393)

• Back in the Software Library \ Windows 10 Servicing \ Servicing Plan node
• Our machine is now listed as version 1607 and is no longer listed as Expire Soon
• The Service Plan Monitoring section can be used to monitor compliance and you can use the Deploy Now button to deploy the same service plan to a new collection

Use the comment section to tell which upgrade method you are preferring.

The post Upgrade Windows 10 using SCCM Servicing Plans appeared first on System Center Dudes.

The KMS server was first introduced with Windows Vista as an easy activation service for IT pros. Since then, each new release of Windows and Office provided a necessary update to KMS server, in order to keep offering activation keys to Windows and Office clients. The release of Windows 10 KMS activation and Office 2016 activation is no different then previous versions.

In this post, we will covert how to use an already configured KMS server for activation of Windows 10 and Office 2016.

Prerequisites for Windows 10 KMS

Your existing KMS server will most probably be good to manage licenses for Windows 10 and Office 2016.

Minimum OS requirement :

• Windows 7 and up
• Window Server 2008 R2 and up

Mandatory :

• Mandatory KB3079821 for Windows 7 and Windows server 2008 R2 to support Windows 10
• Mandatory KB3058168 for Windows 8/8.1  and Windows Server 2012/R2 to support Windows 10
• Microsoft Office Volume License pack to support Office 2016

Optional :

• Windows ADK 10 for Volume Activation Management Tool (VAMT) – Version 3.1
  • SQL server 2008 or later required  (SQL Server Express supported)

Locate your KMS Server

It is most probably been a long time since you’ve played around your KMS server. To find which server is acting as your KMS :

• Go to the DNS console / Forward Lookup Zones / <domain> /_TCP
• Look for the _VLMCS entry to get your KMS Server name

List Licensed Products on a KMS Server

Run the following command line on the KMS server to retrieve all installed licences :

• cscript c:\windows\system32\slmgr.vbs /dli all >> c:\temp\KMS.log

• In the KMS.log file, look for License status : Licensed to retrieve which product is supported by your KMS

Threshold for KMS Server Activation

Each Microsoft product supported by KMS server activation has a threshold to be an active KMS server. This mean that until the minimum concurrent activation request is met, the KMS server is not offering licenses for Windows and Office client.

• A minimum of 25 Windows 10 must be running and asking for KMS activation concurrently to enable the KMS server for Windows 10
• A minimum of 5 Office 2016 must be running and asking for KMS activation concurrently to enable the KMS server for Office 2016

For more information, read the Technet article.

Add Windows 10 KMS Key to a KMS Server

KMS key for Windows 10 is the same no matter which branch you are using.

• Run a command line as administrator
• Run the following command
  • slmgr /ipk <yourkey>

• Product key installed successfully

• To validate the key is installed, run the following command :
  • slmgr /dlv 20e938bb-df44-45ee-bde1-4e4fe7477f37
  • The long GUID is the Activation ID for Windows 10, which is generic

Add Office 2016 Key to KMS Server

All Office 2016 client volume editions products are pre-installed with a Generic Volume License Key (GVLK) key, which supports automatic activation for both KMS and Active Directory-Based Activation, so you will not need to install a product key.

• Execute the Microsoft Office Volume License pack

• Check the Accept Terms checkbox and click Continue

• Enter the KMS key from the Volume Licensing website, Click OK

• Once installed, we need to activate on the Internet, click Yes

• Confirmation of installed and activated

• To validate the key is installed, run the following command :
  • slmgr.vbs /dlv 98ebfe73-2084-4c97-932c-c0cd1643bea7

• Results :

KMS Client Setup Key

KMS client setup key are the default key to redirect Windows to find a KMS server on the network. Those should be use only on a Windows 10 client to redirect them to KMS server if they were activated by a MAK key.

By default, Windows will look for a KMS server automatically if no key is specified in the setup or after Windows installation.

Those keys can be used with the following command :

• slmgr /ipk <key>

This will force the computer to look for a KMS server instead of a MAK key.

Read the Technet article for more information.

Install Volume Activation Management Tool (VAMT)

The Volume Activation Management Tool is designed to help administrator management licenses for Windows and Office products. You can inventory licenses, manage MAK activation and KMS activation. This is an optional step and it can be installed on any computer on your network.

• Start the Windows 10 ADK installation (If you already have Windows 10 ADK installed, you can change it from Program and Features in Control Panel)
• Select Volume Activation Management Tool, click on Change

• Select Volume Activation Management Tool from the start menu

• Select the SQL server where you want the VAMT database to be created or install SQL Server Express locally using the link in the Database Connection Settings screen
• Our server will be the local server with default instance name and we will create a new database called VAMT

• VAMT is installed and connected to the database

Change Windows 10 Activation Method with Volume Activation Management Tool

When you have the minimum 25 concurrents Windows 10 on your network, you can use VAMT to change the activation method of clients remotely instead of using the manual process describe earlier in this post.

When changing the activation method from MAK to KMS with VAMT, Windows 10 clients will be activated with KMS client setup key. This will force a new try to find a KMS server for Windows 10 on the network. Once 25 computers is reached, KMS server will be up and allowing further activation.

To change a Windows 10 from MAK to KMS :

• Open VAMT, right-click on Products and select Discover products

• We need to find our Windows 10 computers :
  • This can be done using an LDAP query, IP Address, Name or in a Workgroup
• For this post, we will only find one computer. A full Active Directory search will take time. Manually entering your 25 Windows 10 computers, separated by a comma, might be a good idea.

• Our computer is found

• When the computer is found, VAMT will not know the license status until we query it. To query the license, right click on the computer and select Update license Status
  • If you use current credential, you must be local administrator of the remote computer
  • Computer must be accessible on the network to update the license status

• The computer will return one row per product found. In our case, the computer is running Windows 10 and Office 2016

• We now take a look at the Product key type column, we see that our Windows 10 is using a MAK key, while Office 2016 is already using the KMS

• Under Products / Windows
• Select one or more computers to change from MAK to KMS activation
• Right-click on it and choose Install Product Key

• Select Automatically select a KMS client key (GVLK) and click Install Key
  • You do not need to specify any key. The GVLK are generic and known by VAMT

• Wait for the Action Status to show Successfully installed the product key

• The computer now flagged as Non Genuine

• Go back to Products / Windows and select the computer again
• Right-click and select Volume activate / Activate
  • This will force the computer to try to activate using the KMS server

• Computer is now activated on the KMS server

• Activation is also visible in the Event Viewer

• In VAMT, the client is now Licensed and Genuine

Event Viewer for KMS Activation

You can see all activation requests that goes to this KMS server in the Event Viewer of the KMS server.

• Open Event Viewer / Applications and Services Logs / Key Management Service
• All activation requests are listed

On the client, you can also use Event Viewer to see activation requests :

• Open Event Viewer / Application Logs
• Looking for events number 12288 and 12289
• Here’s how to read 12289 events :

• Here’s how to read 12288 events :

Read the Technet article for more information on troubleshooting KMS.

Encountered Issues

Here’s a couple of support article that may comes handy. We encountered the following issues in various environments :

• Cohost Office 2016 KMS with an Office 2013 KMS
• Error : 0x80072EFE when activation
  • Check your internet access
  • Check your proxy configuration
• Error : 0xC004F015  for Windows 10 KMS key
  • You are not using the right Windows 10 KMS key
  • Follow the instruction using this support article
• More error codes can be found on this Technet article

The post Windows 10 KMS Activation and Management using Volume Activation Management Tool appeared first on System Center Dudes.

Congratulation to Nicolas Pilon for obtaining his first MVP award. Nicolas is the second SCD Contributor to receive the award !

The post Congratulation to Nicolas Pilon for obtaining his first MVP award. Nicolas is the second SCD Contributor to receive the award ! appeared first on System Center Dudes.

The second hotfix for SCCM Current Branch (1606) is now available. This post is a complete SCCM 1606 Update Rollup 1 (KB3186654) installation guide. If you’re looking for a complete SCCM 1511 installation guide, see our blog series which covers it all. You can’t install this upgrade if you are running SCCM 2012. You need to be running at least SCCM 1606.

Installing SCCM upgrades is important for your infrastructure. It fixes a lot of issues from SCCM 1606, which some of them are important.

New Update and Servicing Model

If you’re not familiar with the new SCCM servicing model, read our New Update and Servicing section of the 1602 upgrade post which explain it all.

You may wonder what’s the difference between a Cumulative Update (CU) and an Update Rollup (UR) :

A CU is a new servicing baseline. A post-CU1 hotfix requires CU1 first, whereas a post-UR1 hotfix doesn’t require UR1. Like CU, UR are cumulative which means that UR2 will include previous hotfixes.

*If you are running SCCM 1511 or 1602, you first need to upgrade to 1606 prior to apply this Update Rollup, see our blog which covers the upgrade process. Once completed, the Update Rollup 1 will be available under Update and Servicing node.

SCCM 1606 Update Rollup 1 Fixes

Consult this support page for a full list of issues fixed.

Before you begin

Downloading and installing this update is done entirely from the console. There’s no download link, the update will appear in your console once synchronized.

When you install an in-console update: (New Versions,CU,UR,KB)

• It automatically runs a prerequisite check. You can also run this check prior to starting the installation
• It installs at the central administration site (if you have one), and at primary sites automatically. You can control when each primary site server is allowed to update its infrastructure by using Service Windows for site servers
• After a site server updates, all affected site system roles (including instances of the SMS Provider) automatically update. Configuration Manager consoles also prompt the console user to update the console, after the site installs the update
• If an update includes the Configuration Manager client, you are offered the option to test the update in pre-production, or to apply the update to all clients immediately
• After a primary site is updated, secondary sites do not automatically update. Instead, you must initiate the secondary site update

In this post, we’ll be updating a standalone Primary Site Server, console and clients.

Before installing, check if your site is ready for the update :

• Open the SCCM console
• Go to Administration \ Cloud Services \ Updates and Servicing
• In the State column, ensure that the update is Available

• If it’s not available, right-click Updates and Servicing and select Check for Updates

• The update state will change to Downloading
• You can follow the download in Dmpdownloader.log

• The update files are stored in the EasyPayload folder in your SCCM Installation directory

SCCM 1606 Update Rollup 1 Installation Guide

Step 1 | SCCM 1606 Update Rollup 1 Prerequisite Check

Before launching the update, we recommend to launch the prerequisite check :

• Open the SCCM console
• Go to Administration \ Cloud Services \ Updates and Servicing
• Right-click the Configuration Manager 1606 Hotfix (KB3186654) update and select Run prerequisite check

• Nothing will happen, the prerequisite check runs in the background. All menu options will be grayed out during the check

• You can  monitor prerequisite check by going to Monitoring / Site Servicing Status, right-click your Update Name and select Show Status

• When completed the State column will show Prerequisite check passed

Step 2 | Launching the SCCM 1606 Update Rollup 1

We are now ready to launch the SCCM 1606 Update rollup 1. At this point, plan about 30 minutes for the update installation.

• Right click the Configuration Manager 1606 update and select Install Update Pack

• On the General tab, click Next

• In the Client Update Options, select the desired option for your client update
  • This new feature allows to update only clients member of a specific collection. Refer to the Technet article for more details

• On the License Terms tab, accept the licence terms and click Next

• On the Summary tab, review your choices and click Next

• On the Completion tab, close the wizard. The whole process took a minute but the installation is not over, it has been initiated

• During installation, the State column changes to Installing
• You can  monitor installation by going to Monitoring / Site Servicing Status, right-click your Update Name and select Show Status

• … or you can follow detailed installation progress in SCCM Installation Directory\Logs\CMUpdate.log

• When completed, you’ll notice the message There are no pending update package to be processed in the log file
• Monitoring / Site Servicing Status, right-click your Update Name and select Show Status, the last step will be Installation Succeeded

• Refresh the Updates and Servicing node, the State column will be Installed

Updating the consoles

Since 1602, the console has an auto-update feature. At console opening, if you are not running the latest version, you will receive a warning and the update will start automatically.

• Since all updates operations were initiated from the console, we didn’t close it during the process. We received a warning message when clicking certain objects. You will have the same message when opening a new console

• Click OK,  console update will starts automatically

• Wait for the process to complete. You can follow the progress in C:\ConfigMgrAdminUISetup.log and C:\ConfigMgrAdminUISetupVerbose.log. Once completed, the console will open and you’ll be running the latest version

Verification

Consoles

After setup is completed, verify the build number of the console. If the console upgrade was successful, the build number will be 5.0.8412.1307. Note that the Site Version is not changed to the Update rollup version. This is normal.

Clients

The client version will be updated to 5.00.8412.1307 (after updating, see section below)

SCCM 1606 Update rollup 1 Client Package distribution

You’ll see that the 2 client packages are updated :

• Navigate to Software Library \ Application Management \ Packages

• Check if both package were updated, if not, select both package and initiate a Distribute Content to your distribution points

Updating the Clients

Our preferred way to update our clients is by using the Client Upgrade feature :

• Open the SCCM Console
• Go to Administration / Site Configuration / Sites
• Click the Hierarchy Settings in the top ribbon
• Select Client Upgrade tab
• The Upgrade client automatically when the new client update are available checkbox has been enabled
• Review your time frame and adjust it to your needs

Monitor SCCM Client Version Number

You can see our SCCM Client version reports to give detailed information about every clients versions in your environment. It’s the easiest way to track your client updates.

Collections

You can also create a collection that targets clients without the latest client version. I use it to monitor which client haven’t been updated yet.

Here’s the query to achieve this: (You can also refer to our Set of Operational Collection Powershell Script which contains this collection)

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ClientVersion != '5.00.8412.1006'

Happy updating !

The post How to apply SCCM 1606 Update Rollup 1 (KB3186654) appeared first on System Center Dudes.

Windows as a service provides a new way to think about building, deploying, and servicing the Windows operating system. Microsoft will releases new builds two to three times per year rather than the traditional upgrade cycle. Instead of doing traditional Windows deployment projects, you will need a continuous updating process which will reduce the overall effort required to maintain Windows 10 devices in your environment.

SCCM Windows 10 Upgrades Summary

This post will look at the available tools in SCCM to manage and deploy Windows 10 upgrades. We have broken down the post in 4 different sections :

• Windows 10 Servicing Dashboard
• What’s missing in the Windows 10 Servicing Dashboard
• Windows 10 reports
• Windows 10 Collections

SCCM Windows 10 Servicing Dashboard

The Windows 10 servicing dashboard provides information about Windows 10 computers in your environment, active servicing plans, compliance information, and so on. Let’s get a look at the different dashboard tiles:

• Windows 10 Usage tile (1): Provides a breakdown of Windows 10 builds. Windows Insiders builds are listed as other as well as any builds that are not yet known. The Service Connection Point is responsible of this data.
• Windows 10 Rings tile (2): Provides a breakdown of Windows 10 by branch and readiness state . The LTSB segment will be all LTSB versions (For example : Windows 10 LTSB 2015). The Release Ready segment corresponds to Current Branch (CB), and the Business ready segment is Current Branch for Business (CBB)
• Create Service Plan tile (3): Provides a quick way to create a servicing plan
• Expired tile (4): Displays the percentage of devices that are on a build of Windows 10 that is past its end of life. The computers in this category should be upgraded to the next build version. We’ll talk about the available options later in this post. (Task Sequence and Services Plans)
• Expire Soon tile (5): Displays the percentage of computers that are on a build that is near end of life (within about four months), similar to the Expired tile
• Alerts tile (6): Displays active alerts
• Service Plan Monitoring tile (7): Display servicing plans that you have created and a chart of the compliance for each. This gives you a quick overview of the current state of the servicing plan deployments. If an earlier deployment ring meets your expectations for compliance, then you can select a later servicing plan (deploying ring) and click Deploy Now instead of waiting for the servicing plan rules to be triggered automatically
• The Windows 10 Builds tile (8): Display is a fixed image time line that provides you an overview of the Windows 10 builds that are currently released and gives you a general idea of when builds will transition into different states.

What’s missing in the Windows 10 Servicing Dashboard

The Windows 10 Servicing Dashboard is a good starting point but it lacks important functions to be able to do your work to update Windows 10 as tiles are not clickable :

• What if I need to have the list of Windows 10 devices per rings or versions ?
• What if I need to have the list of Windows 10 that are Expired or Expiration Soon
• In our example 33% of my devices are in the Expiration Soon state. Great, but how many devices is that ? A simple tooltip showing the number would have been a nice idea.

For those reasons, we decided to make your life easier by developing tools to help with your Windows 10 upgrades deployments.

Windows 10 Reports

Unfortunately, there’s no built-in report to track your Windows 10 devices. Some report in the Upgrade Assessment may help you but some of those reports are limited to Windows 7 and Windows 8. We decided to create our own Windows 10 report. Similar to the Windows 10 dashboard visually but which can easily list machines in different support state and their inventory.

See our Asset – Windows 10 report page to see the complete feature list.

Windows 10 Collections

As for any other deployments, you will need to create your own device collections in order to deploy your Windows 10 service plans or task sequences. Our Set of operational collections contains 67 collections which contains 9 Windows 10 collections to begin with :

Service Plan Vs Task Sequences

Once you’ve targeted your Windows 10 devices to upgrade, it’s a matter of deploying a service plan or a task sequence to those machine to keep them in the right support state. To decide which methods suits your organisation needs, read our complete step-by-step post which guide you thought the whole process :

• Upgrade Windows 10 using SCCM Servicing Plans
• Upgrade Windows 10 using SCCM Task Sequence

Using a combination of the tools provided in this post, you should be set to start your Windows 10 as a service management. Feel free to provides tips and other tools that make your life easier using the comment section.

The post Manage Windows 10 Upgrades using SCCM (Windows as a Service) appeared first on System Center Dudes.

Starting with Windows 10, version 1607, you can create a deep link to launch the Windows 10 enrollment app using an URI link. This allows to send a user-friendly display text to your user to simplify their device enrollment. You can use this link in an email sent to your users or add this link to an internal web page that users refer for enrollment.

The URI link must use the following format :

• ms-device-enrollment:?mode=mdm

At the time of this writing, the only supported mode value is mdm.

User Experience using Windows 10 Deep Link Enrollment

When clicking the link, Windows 10 will launch the enrollment app in a special mode that only allows MDM enrollments.

For example, you could send the following link to your users :  Click here to enroll your Windows 10 device

This is fairly straight forward, no need to explain to the user how to find the enrollment app. (This process is similar to the Enroll into device management option in Windows 10, v1511).

If the device finds an endpoint that only supports on-premises authentication, the page will change and ask for the user password. If the device finds an MDM endpoint that supports federated authentication, the user will be presented with a new window that will ask additional authentication information. Users may also be prompted to provide a second factor of authentication if your IT policy requires it.

After you complete the wizard, your device will be connected to your organization’s MDM.

Log files

If anything goes wrong, you can collect logs by going to :

•  Settings / Accounts / Access work or school
• Click the Export your management logs under Related Settings section
• Click Export and follow the path displayed to retrieve your log files

See this Technet article for further details about MDM enrollment and Windows 10 deep link enrollment.

The post How to use Windows 10 Deep Link Enrollment appeared first on System Center Dudes.

Before starting a Windows 10 migration project, it’s always a good idea to be informed. There was so much information about Windows 10 in the past year : the OS itself has a couple of new features that you need to first understand. Your infrastructure needs various updates before you can start managing Windows 10 devices. The Windows 10 servicing options are also a huge chunk to understand. This can be overwhelming at first so we decided to compile a list of documentation that we found helpful during our multiple deployment projects.

Come back often as this list will continue to growth with time as Microsoft release interesting documentation on a weekly basis.

General Documentation

Huge compiled list of documentation provided by Microsoft about various topics :

• Windows 10 Documentation hub

Introduction to the new Windows 10 device management strategies :

• Windows 10 update history

An overview of requirements, editions, and languages available for Windows 10 :

• Windows 10 specifications

Windows 10 New features

Find out what’s new in Windows 10 and get an overview of key features for IT professionals :

• Credential Guard
• Device Guard
• Device management
• Enterprise Data Protection
• Enterprise management for Windows 10 devices
• Microsoft Passport
• Provisioning packages
• Windows 10 browsing options
• Windows spotlight on the lock screen
• Windows Store for Business

Windows 10 Improvements

Learn about the improvements in Windows 10 :

• AppLocker
• BitLocker
• Security auditing
• Trusted Platform Module
• User Account Control

Education

Take advantage of free, online training courses from Microsoft Virtual Academy and walk through the latest features and functionality.

• Getting started with Windows 10 for IT professionals
• Preparing your enterprise for Windows as a Service

Update your deployment skills

Familiarize with the latest deployment strategies, and download free tools to ease the deployment process.

• Windows 10 deployment considerations

Device management

Learn new policies for devices that are running Windows 10. This post include new GPO and MDM policies

• New policies for Windows 10

Windows 10 Servicing

This post is the post to go if you need to understand CBB and LTSB editions. It’s also an absolute must to understand the different Windows 10 servicing options :

• Update Windows 10 in the enterprise

• Windows 10 servicing options for updates and upgrades

Download Windows 10

Links for downloading a Windows 10 media to get started :

• Download a free 90-day evaluation of Windows 10 Enterprise
• Download the Windows 10 deployment and management lab kit

Prepare for deployment

There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. Information about Deployment tools (MDT, SCCM), Management Tools (AD, GPO, WSUS) and Activation tools (KMS) :

• Windows 10 infrastructure requirements
• Windows 10 KMS Activation and Management using Volume Activation Management Tool

Begin the process of evaluating the impact of application compatibility in your deployment project :

• Get started with application compatibility in a Windows deployment

Understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task :

• Windows 10 deployment scenarios

Upgrade to Windows 10 with System Center Configuration Manager

Learn how to upgrade to Windows 10 using MDT and Configuration Manager :

• Upgrade to Windows 10 with System Center Configuration Manager
• Managing Windows 10 with SCCM 2012
• SCCM Windows 10 Deployment | Prepare your environment
• Windows 10 Deployment | Create SCCM Windows 10 Build and Capture Task Sequence
• Refreshing a Windows 7 Computer to Windows 10 using USMT and SCCM

Windows 10 Customization

Read about Windows 10 customizing options by reading our blog posts :

• Customize your Windows 10 deployment using SCCM Task Sequences
• Windows 10 | Inject Language Pack with DISM

Windows 10 Servicing using System Center Configuration Manager

Everything you need to know to manage Windows 10 as a service :

• Manage Windows 10 Upgrades using SCCM (Windows as a Service)
• Upgrade Windows 10 using SCCM Servicing Plans
• Upgrade Windows 10 using SCCM Task Sequence

Windows 10 Reports

Use our report to has better visibility of Windows 10 devices in your organisation :

• Asset – Windows 10

The post Windows 10 Resources and Links for SCCM Administrators appeared first on System Center Dudes.

Beginning with SCCM 1606, you can create device categories to automatically add devices into device collections when you are using SCCM and Intune in a hybrid scenario. (In a standalone scenario, this feature is named Device group mapping).

At enrollment time, the mobile users are required to choose a device category. Once a device category is selected, the device is added to the corresponding collection based on a new collection membership : Device Category Rule. Device categories can also be set manually on a single device using the SCCM Console.

Here’s everything you need to know in order to manage this new features :

Create SCCM Device Categories

• Open the SCCM Console
• Go to Assets and Compliance / Device Collections
• On the top ribbon, click Manage Device Categories

• In the Manage Device Categories dialog box, you can create, edit, or remove categories. For our post, we will be creating a Test category

Create Device Category Rule

When you associate a collection with a device category, all devices in specified category will be added to that collection. To create a Device category rule :

Change the category of a device

• Go to Assets and Compliance / Devices
• Select a device and click Change Category on the top ribbon
• In the Edit Device Category window, choose the category to apply to this device, then click OK

• You can also select Clear Category if you want to remove all category assign to this device

Unfortunately, it’s not possible right now to select multiple devices to assign a category.

View category assign to a device

• Go to Assets and Compliance / Devices
• Right-click the heading of one of the columns in the Devices list then select Device Category

• Device Category will be listed for all devices in that view

From there, only your imagination is the limit as what you want to deploy to your collections based on devices category.

The post How to configure SCCM Device Categories appeared first on System Center Dudes.

Starting with SCCM 1606, a new pre-release feature allows to configure server group settings for a collection. This is a major change that gives much more flexibility to your patch management process as you can coordinate maintenance operation to optimize server up-time.

Server groups permit to define specific collection settings for software updates installation :

• Allow a percentage of machines to be updated at the same time
• Allow a number of machines to be updated at the same time
• Specify the maintenance sequence
• Configure PowerShell scripts to run custom actions before and after your deployments

How does Server Groups works ?

The Technet explanation is pretty clear :

When you deploy software updates to a collection that has server group settings configured, SCCM determines how many computers in the collection can install the software updates at any given time and makes the same number of deployment locks available. Only computers that get a deployment lock will start software update installation. When a deployment lock is available, a computer gets the deployment lock, installs the software updates, and then releases the deployment lock when software updates installation successfully completes. Then, the deployment lock becomes available for other computers. If a computer is unable to release a deployment lock, you can manually release all server group deployment locks for the collection.

SCCM Server Group Requirement

Since this is a pre-release feature, after your 1606 upgrade, you must enable the feature manually :

• Go to Administration \ Site Configuration \ Sites
• Select your site and click on the Hierarchy Settings icon on the top ribbon

• In the General tab, check the Consent to use Pre-Release features and click Ok

• Go to Administration \ Cloud Services \ Updates and Servicing \ Features
• Right-click Pre-Release – Server groups and select Turn On

Create a Collection for a Server Group

The server group settings are configured in the properties of a device collection. To create a collection and configure the server group settings:

• Create a device collection that contains the desired computers in the server group
• Go to  Assets and Compliance \ Device Collections, right-click the collection you just created and then select Properties
• On the General tab, check the All devices are part of the same server group box and  click Settings

• On the Server Group Settings page, specify one of the following settings:
  • Allow a percentage of machines to be updated at the same time: Specifies that only a certain percentage of clients are updated at any one time. If, for example, the collection has 10 clients, and the collection is configured to update 30% of clients at the same time, then only 3 clients will install software updates at any given time.
  • Allow a number of machines to be updated at the same time: Specifies that only a certain number of clients are updated at any one time.
  • Specify the maintenance sequence: Specifies that the clients in the collection will be updated one at a time in the sequence that you configure. A client will only install software updates after the client that is ahead of it in the list has finished installing its software updates.
• Specify whether to use a pre-deployment (node drain) script or post-deployment (node resume) script

Deploy Software Updates to the Server Group and Monitor Status

To deploy software updates to the server group collection, you use the typical deployment process. After you deploy the software updates, you can monitor the software update deployment in the SCCM console. In addition to the standard monitoring views for software updates deployment, the Waiting for lock state is displayed when a client is waiting for its turn to install the software updates. You can review the UpdatesDeployment.log file for more information.

Clear the Deployment Locks for Computers in a Server Group

When a computer fails to release a deployment lock, you can manually release all server group deployment locks for the collection. It’s recommended to clear locks only when a deployment is stuck updating computers in the collection and there are computers that are still not compliant.

To clear a deployment lock :

• Go to Assets and Compliance / Device Collections
• Right-click the desired collection and select Clear Server Group Deployment Locks

We’ll keep an eye on this feature and hope it makes it to a production feature in the next SCCM release. We’ll update this post if new features are added.

The post How to configure SCCM Server Group appeared first on System Center Dudes.

Since SCCM 1511, a new feature is available to ease the client upgrade process. SCCM pre-production client deployment is an integrated way for SCCM administrators to test the upgrade and functionality of the new SCCM client before production deployment.

In previous SCCM upgrade posts, we explained how to upgrade the SCCM client using standard process after a major upgrade. In this post, we will explain how to plan, configure and use the new pre-production client deployment feature after a SCCM 1606 upgrade.

Pre-Requisite

• SCCM 1511 or later
• SCMC Client must be installed on a device prior testing the upgrade
• A collection created for pre-production client

SCCM Pre-Production Client Package

On a SCCM 1511 and later primary site, a new default package is available : Configuration Manager Client Piloting package.

The source files are located under Program Files\Microsoft Configuration Manager\StagingClient

Collection

We need a collection to target the pre-production client deployment. This collection can be an existing collection or a new one. Usually we targeted IT and pilots devices.

Step 1 | Upgrade Process

To use the pre-production client to it’s full potential, you must set the Client Update Options in the Upgrade Wizard during a site upgrade.

If we select the Upgrade without validating, the client package will be updated to the latest version. This mean :

• Client Push installation will use the latest version of the client
• Operating system deployment with Setup and Configure ConfigMgr task will install the latest version of the client
• If automatic client upgrade is activated on the hierarchy, all clients will be upgraded within the number of days defined in the Hierarchy options

If you prefer to test the upgrade and functionality of new client, it’s not a good process for you.

To use the pre-production client, in the Update Wizard, select Validate in Pre-Production Collection instead :

This will automatically upgrade the clients of the specified collection once the site upgrade is completed.

Validate SCCM Pre-Production Client Deployment is Enabled

• Go to Administration / Site configuration / Sites
• Select Hierarchy settings

• Under the Client Upgrade tab, Pre-Production client version is up to the latest version, while the Production client version is a version behind.

• The Configuration Manager Client Piloting Package is automatically updated

Test in Task Sequence

It’s possible to use the pre-production client in a task sequence.

• On the Setup Windows and ConfigMgr task, select Use pre-production client package when available and select your pre-production client package

Step 2 | Monitoring Piloting Upgrade

Once the site has completed the upgrade, the clients in the pre-production client collection will initiate the client upgrade after their next machine policy retrieval cycle. You can follow the pre-production client deployment in the console.

• First, let’s look at the client version prior pre-production client upgrade

• Go to Monitoring / Client Status / Pre-production client deployment
• Verify that your devices are compliant

• If we look back at the client, the Client version as been updated :

Step 3 | Promote SCCM Pre-Production Client for Production Deployment

When we are done with testing, it’s time to Promote the pre-production client.

• Go to Administration / Cloud Services / Updates and Servicing, select the update and click Promote Pre-production Client

• Screen to confirm. We can see the difference between each package. Click Promote

<

Important Note

Keep in mind that at this point, if you have the client automatic upgrade enabled for your hierarchy, this will begin the upgrade of all clients according to targeted window you configured

Validate Promote to Production Client

• Under Administration / Site Configuration / Sites, select Hierarchy settings and tab Client Upgrade

• Production client version is now the same a the Pre-production client. Also, the check box for Upgrade all client in the pre-production collection was unchecked
• The Configuration Manager Client package as been updated
• Screen shot before the Promote to production

• Screen shot after the Promote to production

• Under Monitoring / Client Status / Production Client Deployment, we already have a recap of which client are or not compliant

Known Issue

If the Promote Pre-Production client is grayed-out, you have an issue with Role based administration.

If the user that try to Promote Pre-Production client, is part of an Active Directory group and is member of the Full Administrator security scope, then the button will be grey- out.

The workaround is to add the account, directly in Administrative Users and give the security role Full Administrator

For more information here

The post SCCM Pre-Production Client Deployment appeared first on System Center Dudes.

In this post, we will deploy the newly released Windows 2016 with SCCM 1606. We will describe how to create a SCCM Windows 2016 deployment task sequence and deploy it to your servers. If you’re new to operating system deployment, read the preparation of your environment post before reading this one.

This task sequence will help you deploy a “vanilla” Windows 2016 using the default Install.wim from the Windows 2016 media. This means that you’ll end up with a basic Windows 2016 with the SCCM client and nothing else.

You will be able to edit this task sequence later to customize it to your environment.

Prepare your Operating Systems

We will now import the Windows 2016 WIM file before deployment.

We will start by importing the default Install.Wim from the Windows 2016 media. You could also import a WIM file that you’ve created through a build and capture process.

• Mount the Windows 2016 ISO file
• Go to the Sources folder
• Copy the Install.Wim file to your SCCM repository. You can rename the Wim file if needed

• Open the SCCM Console
• Go to Software Library / Operating Systems / Operating System Images
• Right click Operating System Images and select Add Operating System Image

• On the Data Source tab, browse to the WIM file you just imported. The path must be in UNC format

• In the General tab, enter the Name, Version and Comment, click Next

• On the Summary tab, review your information and click Next

• Complete the wizard and close this window

Distribute your Operating System Image

We now need to send the Operating System Image (WIM file) to our distribution points.

• Right click your Operating System Image, select Distribute Content and complete the Distribute Content wizard

Create SCCM Windows 2016 Deployment Task Sequence

• Open the SCCM Console
• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click Task Sequences and select Create Task Sequence

• On the Task Sequence wizard, select Install an existing image package

• On the Task Sequence Information pane, enter the desired Name, Description and Boot Image

• On the Install Windows pane, select the Image package and Image index. We will select the second index which is Windows 2016 Standard edition.
• Leave the check box beside Partition and Format the target computer before installing the operating system
• Uncheck Configure task sequence for use with Bitlocker
• Leave the Product key blank, if you are using MAK keys, read this post on how to handle that in your Task Sequence. (TL;DR: Even with MAK key, you need to leave the Product key blank)
• Enter an Administrator password if needed

• In the Configure Network pane, you can select to Join a workgroup or domain. If you select Join a domain, enter your domain information, OU and credentials

• On the Install Configuration Manager Client pane, select your Configuration Manager Client Package and enter your installation properties

• On the State Migration pane, we will remove all checkbox as we don’t want to use User State Migration at this time

• On the Include Updates pane, select the desired Software Update task
  • Required for installation will install the updates regardless of whether there is a deadline set on the deployment (on your OSD collection)
  • Available for installation will only install updates from deployments that have a scheduled deadline (on your OSD collection)
  • Do not install any software updates will not install any software update during the Task Sequence

• On the Install Applications tab, click on the Star Icon to add any application that you want to be installed during your deployment. Only applications will be listed. If you need to add packages, you can add it by editing the task sequence later. Theses applications will be deployed each time the task sequence is executed.

• On the Summary tab, review your settings and click Next

• On the Completion tab, click Close

Deploy Windows 2016 Task Sequence

Now that your Task Sequence is created, we will deploy it to a collection and start a Windows 2016 deployment.

• Open the SCCM Console
• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click your Windows 2016 Task Sequence and select Deploy

• On the General pane, select your collection. This is the collection that will receive the Windows 2016 installation. For testing purposes, we recommend putting only 1 computer to start

• Select the Purpose of the deployment
  • Available will prompt the user to install at the desired time
  • Required will force the deployment at the deadline (see Scheduling)
• In the Make available to the following drop down, select the Only media and PXE. This will ensure that you do not send the deployment on clients. This is also useful to avoid errors, using this options you *could* send the deployment to All Systems and no clients would be able to run the deployment from Windows

• On the Scheduling tab, enter the desired available date and time. On the screenshot, we can’t create an Assignment schedule because we select Available in the previous screen

• In the User Experience pane, select the desired options

• In the Alerts tab, check Create a deployment alert when the threshold is higher than the following checkbox if you want to create an alert on the failures

• On the Distribution Point pane, select the desired Deployment options. We will leave the default options

• Review the selected options and complete the wizard

PXE Boot

Now that we’ve created our task sequence and that it’s deployed. We can start the deployment on the machine. Make sure that your system is a member of your deployment collection and start the device. For this example, we will be using a virtual machine running on Hyper-V.

• The machine is booting and waiting for the PXE to respond

• Our SCCM distribution point is sending the boot image to our VM

• The Welcome to the Task Sequence Wizard pops-up. This is because of the Available purpose in the Deployment Settings. If we had a Required deployment, the task sequence would start right away. Click Next

• All the available task sequence are listed. In our example we have only 1 deployment on our collection so only 1 task sequence is available. Select the task sequence and click Next

• The Task Sequence starts

Completed !

Monitoring

See our blog post on this topic which covers the various ways to monitor your Task Sequence progress.

The post Deploy Windows 2016 using SCCM Task Sequence appeared first on System Center Dudes.

We came across a strange issue today on Windows 10 devices that we haven’t seen since the Windows Vista days. Users has started to get prompts for User Account Control(UAC) when connecting to some printers. The Point and Print feature is responible for this as it easily allow standard users to install printer drivers from trusted print server.

The problem appeared right after applying last July monthly updates. (MS16-087)

Windows 10 Point Print UAC Prompt Cause

Microsoft as tightened the requirement for printer drivers on print servers.

If you :

• Are using a print server
• Allow standard user to install printer drivers using the Point and Print Group Policy
• Are using old printer driver that might have the following :
  • Non-package-aware v3 printer drivers
  • Unsigned or expired certificate validation drivers

Following MS16-087 installation, you receive a UAC prompt and a Connect to Printer error after a printer installation attempt. (A policy is in effect on your computer which prevents you from connecting to this print queue. Please contact your system Administaor)

Here’s the list of the specific KB per OS that create the issue :

• KB3163912
  •  Windows 10
• KB3172985
  • Windows 10 v1511
• KB3170455
  • Windows Vista
  • Windows 7
  • Windows 8.1
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2

How to fix it

Part 1

Part 1 of the solution is available in the October 2016 Preview of Monthly Quality Rollup available for all operating system except Windows 10 (October 16th). Microsoft has released an update that lets network administrators configure policies that permit the installation of print drivers that they consider are safe. This update also allows  network administrators to deploy printer connections that they consider safe.

This mean, if you are facing the issue, the official fix for it will be available for production use on the next Patch Tuesday (November 8th) as part of the Monthly Quality Rollup.

KB in preview

For Windows 7 and Windows Server 2008 R2 : https://support.microsoft.com/en-ca/kb/3192403

For Windows Server 2012 : https://support.microsoft.com/en-ca/kb/3192406

For Windows 8.1 and Windows Server 2012 R2 : https://support.microsoft.com/en-ca/kb/3192404

KB in production

For Windows 10 RTM : https://support.microsoft.com/en-ca/kb/3192440

For Windows 10 1511 : https://support.microsoft.com/en-ca/kb/3192441

Part 2

Part 2 consist having the right GPO settings for Point and Print.

Two GPO settings must be applied :

• Under Computer Configuration / Policies / Administrative Templates / Printers, set Package Point and Print – Approved server to Enabled
  • Each print server must be added to the list with the fully qualified server name

• Under Computer Configuration / Policies / Administrative Templates / Printers, set  Point and Print Restrictions to Enabled
  • Each print server must be added to the list with the fully qualified server name, seperated by semi-colons
  • When installing driver for new connection, select Do not show warning or elevation prompt
  • When installing driver for existing connection, select Do not show warning or elevation prompt

The post Windows 10 | Point and Print printer installation prompt UAC appeared first on System Center Dudes.

The third upgrade for SCCM Current Branch is now available. This post is a complete step-by-step SCCM 1610 upgrade guide. If you’re looking for a complete SCCM installation guide, see our blog series which covers it all. You can’t install this upgrade if you are running SCCM 2012. You need to be at least at SCCM 1511.

Installing SCCM upgrades is very important to your infrastructure. It adds new feature and fixes lots of issues, which some of them are important.

New Update and Servicing Model

If you’re not familiar with the new SCCM servicing model, read our New Update and Servicing section of the 1602 upgrade post which explain it all.

Similar to SCCM 1606, if you need to make a new SCCM installation, you can’t install SCCM 1610 directly. You need to install SCCM 1511 (or 1606) first and then apply SCCM 1610 from the console. SCCM 1606 is the baseline version if you’re starting from scratch.

*If you are running SCCM 1511, 1602 or 1606, the latest updates will be replaced by SCCM 1610 in the SCCM Console after installation. If you are on SCCM 1511, you won’t be able to install 1602 or 1606 after 1610. You can skip all previous versions and install SCCM 1610 directly which contains all 1602 and 1606 fixes and features.

SCCM 1610 New Features and Fixes

If you’ve been installing SCCM Technical Preview in your lab, SCCM 1606 contain most features included in the latest Technical Previews (1605 and up).

1610 includes lots of new features and enhancements in Windows 10 and Office 365 management, application management, end user experience, client management and also includes new functionality for customers using Configuration Manager in hybrid mode with Microsoft Intune.

Consult this Technet article for a full features list. 1606 also applies the latest KB/fixes to fix known bugs, including KB3202796, KB3192616, KB3186654 and KB3180992

Here’s our list of favorite features :

• Office 365 Servicing Dashboard and app deployment to clients features help you to deploy Office 365 apps to clients as well as track Office 365 usage and update deployments.
• Software Updates Compliance Dashboard allows you to view the current compliance status of devices in your organization and quickly analyze the data to see which devices are at risk.
• Cloud Management Gateway provides a simpler way to manage Configuration Manager clients on the Internet. You can use the SCCM console to deploy the service in Microsoft Azure and configure the supported roles to allow cloud management gateway traffic.
• Client Peer Cache is a new built-in solution in Configuration Manager that allows clients to share content with other clients directly from their local cache with monitoring and troubleshooting capabilities.
• Enhancements in Software Center including customizable branding in more dialogs, notifications of new software, improvements to the notification experience for high-impact task sequence deployments, and ability for users to request applications and view request history directly in Software Center.

Before you begin

Downloading and installing this update is done entirely from the console. There’s no download link, the update will appear in your console once the Service Connection Point is synchronized.

If you’re running a multi-tier hierarchy, start at the top-level site in the hierarchy. After the top-level site upgrades, you can begin the upgrade of each child site. Complete the upgrade of each site before you begin to upgrade the next site. Until all sites in your hierarchy are upgraded, your hierarchy operates in a mixed version mode.

Before applying this update, we strongly recommend that you go through the upgrade check list provided on Technet. Most importantly, initiate a site backup before your upgrade.

In this post, we’ll be updating a standalone Primary Site Server, consoles and clients.

Before installing, check if your site is ready for the update :

• Open the SCCM console
• Go to Administration \ Cloud Services \ Updates and Servicing
• In the State column, ensure that the update is Available

• If it’s not available, right-click Updates and Servicing and select Check for Updates

• The update state will change to Downloading

• You can follow the download in Dmpdownloader.log or by going to Monitoring / Site Servicing Status, right-click your Update Name and select Show Status

• The process will first download a .CAB file and will then extract the file in the EasyPayload folder in your SCCM Installation directory. It can take up to 15 minutes to extract all files.

SCCM 1610 Upgrade guide

Step 1 | SCCM 1610 Prerequisite check

Before launching the update, we recommend to launch the prerequisite check :

• Open the SCCM console
• Go to Administration \ Cloud Services \ Updates and Servicing
• Right-click the Configuration Manager 1610 update and select Run prerequisite check

• Nothing will happen, the prerequisite check runs in the background. All menu options will be grayed out during the check

• One way to see progress is by viewing C:\ConfigMgrPrereq.log

• You can also monitor prerequisite check by going to Monitoring / Site Servicing Status, right-click your Update Name and select Show Status

• When completed the State column will show Prerequisite check passed

Step 2 | Launching the SCCM 1610 update

We are now ready to launch the SCCM 1610 update. At this point, plan about 45 minutes for the update installation.

• Right click the Configuration Manager 1610 update and select Install Update Pack

• On the General tab, click Next

• On the Features tab, select the features you want to update

• If you don’t select one of the feature now and want to enable it later, you’ll be able to so by using the console in Administration \ Cloud Services \ Updates and Servicing \ Features

• In the Client Update Options, select the desired option for your client update
  • This new feature allows to update only clients member of a specific collection. Refer to our pre-production client deployment post for more details

• On the License Terms tab, accept the licence terms and click Next

• On the Summary tab, review your choices and click Next

• On the Completion tab, close the wizard. The whole process took a minute but the installation is not over, it has been initiated

• During installation, the State column changes to Installing

• You can  monitor installation by going to Monitoring / Site Servicing Status, right-click your Update Name and select Show Status

• … or you can follow detailed installation progress in SCCM Installation Directory\Logs\CMUpdate.log

• When completed, you’ll notice the message There are no pending update package to be processed in the log file
• Monitoring / Site Servicing Status, right-click your Update Name and select Show Status, the last step will be Installation Succeeded

• Refresh the Updates and Servicing node, the State column will be Installed

Updating the consoles

As previous Cumulative update, the console has an auto-update feature. At console opening, if you are not running the latest version, you will receive a warning and the update will start automatically.

• Since all updates operations were initiated from the console, we didn’t close it during the process. We received a warning message when clicking certain objects. You will have the same message when opening a new console
• Click OK,  console update will starts automatically

• Wait for the process to complete. You can follow the progress in C:\ConfigMgrAdminUISetup.log and C:\ConfigMgrAdminUISetupVerbose.log. Once completed, the console will open and you’ll be running the latest version

Verification

Consoles

After setup is completed, verify the build number of the console. If the console upgrade was successful, the build number will be 5.0.8458.1500. You can also notice that Version 1610 is stated.

Servers

• Go to Administration \ Site Configuration \ Sites
• Right-click your site and select Properties
• Verify the Version and Build number

Clients

The client version will be updated to 5.00.8458.1005 (after updating, see section below)

SCCM 1610 Client Package distribution

You’ll see that the 2 client packages are updated :

• Navigate to Software Library \ Application Management \ Packages

• Check if both package were updated, if not, select both package and initiate a Distribute Content to your distribution points

Boot Images

Boot images are automatically updated during setup. See our post on upgrade consideration in large environment to avoid this if you have multiple distribution points.

• Go to Software Library / Operating Systems / Boot Images
• Select your boot image and check the last Content Status date. It should match your setup date

Updating the Clients

Our preferred way to update our clients is by using the Client Upgrade feature : (You can refer to our complete post documenting this feature)

• Open the SCCM Console
• Go to Administration / Site Configuration / Sites
• Click the Hierarchy Settings in the top ribbon
• Select Client Upgrade tab
• The Upgrade client automatically when the new client update are available checkbox has been enabled
• Review your time frame and adjust it to your needs

Monitor SCCM Client Version Number

SCCM Reports Client Version

You can see our SCCM Client version reports to give detailed information about every clients versions in your environment. It’s the easiest way to track your client updates.

Collections

You can also create a collection that targets clients without the latest client version. I use it to monitor which client haven’t been updated yet.

Here’s the query to achieve this: (You can also refer to our Set of Operational Collection Powershell Script which contains this collection)

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ClientVersion != '5.00.8458.1005'

Happy updating !

The post Step-by-Step SCCM 1610 Upgrade Guide appeared first on System Center Dudes.

We came across an issue today while adding Windows 7 drivers for a new computer model to be deployed by SCCM. After deployment, the computer was showing an Unknown device warning in Device Manager even after installing all available drivers for the model. (Sorry for french screenshots)

Troubleshoot Windows 7 Unknown Device TPM

The first step to troubleshoot this issue is to get the Device ID of the unknown device.

In the Properties of the faulty device, Details tab, note the Device ID for the device :  ACPI\MSFT0101

When searching for the Device ID on the web, you will find out that this is the Trusted Platform Module (TPM) chip.

But why is it showing as unknown ? CAB files from DELL usually provide all necessary drivers.

When launching TMP.msc, we get an error that the TPM is not available :

If we disable TPM in the BIOS, the Unknown device is gone. But this is not the solution as this will prevent using BitLocker.

Problem

Windows 7 is not compatible by default with TPM v2.0 chips.

Solution

The solution is to install an on-demand KB2920188 from Microsoft.

After installing KB2920188, the Trusted Platform Module 2.0 is correctly installed.

Lauching TPM.msc, it shows that TPM can now be used and showing version 2.0.

The post Windows 7 Unknown Device TPM 2.0 Compatibility Issue appeared first on System Center Dudes.

We get this question a lot : C:\ drive gets full after a couple of week running SCCM, what are the best practices to save disk space on a SCCM server ? The first thing we propose is to delete SCCM IIS logs files. It’s an absolute must to implement a solution to delete SCCM IIS logs files from your primary server.

The SCCM IIS logs files are usually in C:\Inetpub\Logs\LogFiles and are increasing at a rapid pace. In my lab environment with 50 clients, it’s growing at about 1MB per day. Not much… but in a site i’m actually managing with a couple thousand clients, it grows 150 MB a day. It could fill up a drive pretty quickly.

There are numerous ways to manage SCCM IIS log files :

1. Delete the logs manually or using a schedule task
2. Use a Powershell script
3. Disable the IIS Logs completely
4. Enable Folder Compression

Delete SCCM IIS Logs File Manually

IIS log files are mainly for troubleshooting and reviewing security. If neither are of immediate interest to you, then you can turn off logging or write a script to delete them. An easy way to do this is by using the Foreach command in a Windows Server Task Scheduler. We will delete all IIS log files that are older than 30 days :

• On your SCCM server, start Task Scheduler
• On the right pane pane, select Create Basic Task

• On the Create Basic Task Wizard, name your task and click Next

• On the Trigger section, select Weekly

• Select the desired schedule. We select to run every Sunday

• In the Action section, select Start a program

• In the Start a Program section, entrer the following command : Forfiles.exe -p C:\inetpub\logs\LogFiles\W3SVC1 -m *.log -d -30 -c “Cmd.exe /C del @path\”
• You can change the number of days if desired (30)

• It’s important to select Yes in the warning, it will split your command to fill the Add Argument section

You can test your job by running your job manually or wait for the schedule to trigger the task. After running you should have no file older than 30 days and should free some space from your drive.

PowerShell or VBS Script

You can also delete SCCM IIS logs file using PowerShell or VBS script. Here’s 3 scripts that works fine and which can also be used with a Configuration Item in order to run when your server is not compliant. Pick the one that fits your needs :

• Ronnie Pedersen Powershell
• Stephen Owen Powershell
• VBS Script to delete files older than 7 days

Disable IIS logging

If you really don’t care about keeping SCCM IIS logs files, you can disable it completely in IIS Manager or redirect the log files on another drive : (We do not recommend disabling it, it won’t hurt SCCM directly but you could be unable to run some report (IE : Distribution Point utilization) which are based on these files.)

• Open IIS Manager
• On the left pane, select your server
• On the right pane, select Logging

• In the Logging pane, click Disable in the Actions section
• If you prefer to change the log file location, you can do it by typing the new location in the Directory box

Enable Folder Compression

Enabling folder compression won’t free up space but could help if you don’t want to delete the files (IIS log files compress to about 2% of their original size). You must be an administrator to perform this procedure :

• Click the File Manager icon in the icon bar
• Move to the folder containing IIS log files (by default, C:\inetpub\logs\LogFiles)
• Right-click on the folder and click Properties
• On the General tab of the Properties page, click Advanced
• Click Compress contents to save disk space, and then click OK

• Click Apply, and then select whether to compress the folder only, or the folder, its subfolders, and its files.
• Click OK.

Verify that the folder contents are compressed. The name of the folder and the name of each file should be colored in blue, and the size of a compression file should be smaller.

The post How to Manage SCCM IIS Log Files appeared first on System Center Dudes.

This month, SCCM 1610 was released with a bunch of new features, including exiting Intune features. One of these Intune feature is to send sync request directly from the SCCM console. It’s a new remote actions that Intune administrators will use daily. For example, you can send sync request to a mobile device that is having deployment or client health issue.

In fact, each mobile devices managed by Intune need to communicate with Intune to get the latest policy and compliance state. Normally, the Intune client synchronizes every 6 hours for iOS and 8 hours for Android. Additionally, there’s a scan every 15 minutes in the first 6 hours of enrollment. The mobile device can be synchronized as well from the Company Portal application.

Take note that Send Sync Request is unavailable for the moment in Intune standalone. Maybe one day!

SCCM 1610 Send Sync Request

• Open the SCCM Console, navigate to Devices and search for the targeted mobile device you want to sync
• Right-click on the mobile device, select Remote Devices Actions and Send Sync Request

There’s no confirmation window or message when you send sync request with the console and it takes approximately 10-15 seconds before the mobile device begin synchronization. You can monitor DMPUploader.log on the SCCM server to confirm if the send sync request succeed.

There’s also no possibility to send sync request to multiple mobile devices at the same time, as for any Remote Device Actions.

Don’t be too rough with the send sync request action with the same device, otherwise you will get a message that the sync request temporarily disabled. There’s a 5 minutes grace period before you can resend sync request to the same device.

Make sure to upgrade your SCCM current branch version to 1610 before using this new feature.

Manually Sync Request from Company Portal

• To manually force a Sync Request on a device, the user open the Company Portal app and select the device he wants to sync in My Devices section
• The device details windows will appear, click on Sync

The collection Mobile Devices | iPad used in this post, is a collection from our set of operational SCCM collections.

Are you using SCCM 1610 send sync request feature? What are the situations in which you use it?

The post Send Sync Request to Intune Mobile Devices from SCCM 1610 Console appeared first on System Center Dudes.

Prior to SCCM 1610, you may had an issue when trying to image multiple Surface or ultrabook devices using the same USB to Ethernet Adapter.  A USB adapter is needed because the devices lack a built in Ethernet port. This issue could also apply when trying to image Surface devices using the Docking Station. Following a UserVoice idea, it has been fixed in SCCM 1610 and it’s now easier to ignore a particular MAC Addresses from an OS deployment.

Cause

Before heading to the solution, we’ll explain why this was a problem in previous SCCM releases :

• SCCM uses SMBIOS to identify computers and fallback to MAC Addresses if SMBIOS is not available
• SMBIOS is the GUID stored in the device’s BIOS or UEFI. It’s unique to the device and SCCM uses it to recognize imported computers
• When computers are not imported, SCCM will use their Ethernet MAC Addresses by default

The problem is that MAC Addresses are unique identifiers of network interfaces but when reusing the same USB to Ethernet adapter for multiple deployments, your MAC Address is not unique. SCCM think that’s the same device and your device don’t receive the Task Sequence.

Solution to Ignore SCCM Duplicate Hardware Identifiers

Using SCCM 1606 or prior

The solution is to add each MAC Address of the USB Adapter to the list of Mac Addresses to be excluded from Data Discovery.

• Open Regedit
• Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Components \SMS_DISCOVERY_DATA_MANAGER

• Edit the ExcludeMACAddress key and enter each MAC Address (one per line)

Using SCCM 1610 or Later

Beginning with SCCM 1610, you can provide a list of hardware IDs that SCCM will ignore when using PXE boot and client registration. You can now exclude the MAC address and SMBIOS GUID in the console so that same adapters can easily be reused.

• In the SCCM console, go to Administration / Site Configuration / Sites
• On the top ribbon, click Hierarchy Settings

• In the Client Approval and Conflicting Records tab
• In the Duplicate hardware identifiers section, click Add and enter your MAC Address or SMBIOS GUID to exclude

Another nice addition from the development team in order to facilitate your deployments. We encourage to fill an UserVoice item when you have suggestion to make SCCM better. This is a great example of suggestion to production implementation and another reason to upgrade to Current Branch as soon as possible.

The post How to Ignore SCCM Duplicate Hardware Identifiers appeared first on System Center Dudes.

Starting in SCCM 1610, you can use the new Software Updates Dashboard to view the compliance status of devices in your organization and analyze devices that are at risk. This is the third dashboard since the Current Branch release which is a great effort from the product group to give better visibility on the data gathered by your Configuration Manager clients. We already made an overview of the Windows 10 Servicing dashboard and the Office 365 Management dashboard will also be a topic in a future post.

SCCM Software Updates Dashboard Overview

To open the dashboard :

• Open the SCCM console
• Go to Monitoring / Security / Software Updates Dashboard

The dashboard is divided in 5 sections :

• Devices Compliance Status
• Missing Updates by Category
• Critical Alerts
• Last Successful Synchronization Time
• Devices Missing Updates

Devices Compliance Status

Gives a number of devices the are compliant and non-compliant based on the Compliance Status Filters options using the 3 dots in the upper right corner. In our example 17 devices are compliant and 37 are not.

In the Compliance Status Filter section, you can decide which Updates Category and the update time frame that you want included in the calculation.

Missing Updates by Category

This section is self-explanatory. By clicking on a section of the pie chart, the selected updates are displayed in the Devices Missing Updates section. In our example, we clicked on the 7 Update Rollups

Critical Alerts

The Critical Alerts section show any alerts related to Software Updates like Automatic Deployment Rules that has failed.

When clicking on the 1, we get redirected to Monitoring \ Alerts \ Critical – Updates which gives more details about the error.

Last Successful Synchronization Time

This section is self-explanatory, the Last Successful Synchronization Time on your Software Update Point

Devices Missing Updates

This section is interesting but incomplete. In our example, we clicked on the 7 Update Rollups in the Missing Updates by Category section. The pane show those 7 Updates and the number of devices which requires the update. When clicking on a column, it would have been nice to have a list of those 30 devices for Article 890830 but you get redirected to the Microsoft Support page instead. This is logic since there’s nothing that group those devices (ie : in a collection).

Where it gets incomplete is that if we select 25 Security Updates, only 10 updates are displayed. There’s a maximum of 10 updates to be shown in the chart which is… odd. Impossible to see the 15 other updates out of the 25.

Conclusion

The new Software Updates dashboard is a really nice addition but as the other dashboards, it still lacks major features to rely on for your overall compliance. We still suggest to use built-in reports or our Software Updates reports to monitor your compliance. How do you monitor your software update compliance ?

Deployment – Software Updates

System Health – Software Updates

The post SCCM Software Update Dashboard Overview appeared first on System Center Dudes.