Channel: System Center Dudes

SCCM Office 365 Client Management Dashboard Overview

Starting in SCCM 1610, you can use the new Office 365 Client Management dashboard from the Configuration Manager console. This is the fourth dashboard since the Current Branch release, a great effort from the product group to give better visibility into the data gathered by your Configuration Manager clients. We already published overviews of the Windows 10 Servicing dashboard and the Software Update dashboard if you’re interested in reading them. You can also refer to our post about managing Office 365 updates with SCCM and our free Office 365 report if you want complete information about how to deploy and inventory Office 365 in your environment.

To open the dashboard :

  • Open the SCCM console
  • Go to Software Library / Office 365 Client Management

The dashboard displays charts for the following:

  • Number of Office 365 clients
  • Office 365 client versions
  • Office 365 client languages
  • Office 365 client channels

You can also create an Office 365 Automatic Deployment Rule and Office 365 Client Setting directly from the dashboard.

At the top of the dashboard, use the Collection drop-down setting to filter the dashboard data by members of a specific collection.

The Office 365 Clients section shows the number of Office 365 clients in the selected collection.

The Office 365 Client Versions section shows the breakdown per version. You can refer to the Technet article for a full list of Office 365 versions. The pie chart shows a hand icon when you hover over it, but you cannot click it to get a detailed list of clients.

The Office 365 Client Language section shows the breakdown per language. The chart is not clickable.

The Create ADR button lets you launch the Automatic Deployment Rule wizard to create an Office 365 rule. The wizard is the same as the one you get by going to Software Library \ Software Updates \ Automatic Deployment Rules.

The Create Client Settings button lets you create a Client Setting to manage Office 365 updates.

The Office 365 Client Channels section shows the breakdown per channel. Like the other charts, it’s not clickable. You can refer to the Technet article for a full list of Office 365 channels.

If you have created an Automatic Deployment Rule, the deployment statistic will show in the Office 365 Deployments Summary section. You can select your ADR from the drop down menu. If you haven’t created an ADR, this pane will be empty.

The post SCCM Office 365 Client Management Dashboard Overview appeared first on System Center Dudes.


Create SCCM Report Administrator Role

Role-based administration is used to secure the access that is needed to administer SCCM, as well as access to the objects that you manage, like collections, deployments, and sites. However, the built-in roles lack a couple of roles to be complete. For example, there’s no built-in role for report administration or report viewer.

We already covered the report viewer role in a previous post. This role gives your users access to consult and run SCCM reports on the SSRS website. But what if you want to give an administrator access to create, modify and upload reports without giving them access to the SCCM console? This post describes how to create an SCCM Report Administrator role that fulfills this need.

How to Create SCCM Report Administrator Role

  • The first step is to create a Report Users role
  • Once created, go to Administration \ Security \ Security Roles
  • Right-click Report Users and select Copy
  • In Name, type Report Administrator and add a brief description
  • On the lower pane, browse to each class where you have Run Report right and add Modify Report
  • Ensure that the Site class has Read, Modify Report and Modify permissions and click OK

Assign the Security Role to an Administrative User

We now need to assign the Report Administrator security role to a user.

  • Go to Administration \ Security \ Administrative Users
  • Right-click Administrative User and select Add User or Group
  • In the Add User or Group window, click Browse and select your user
  • Click Add, select the Report Administrator Role that you just created
  • In the lower pane select All instances of the objects that are related to the assigned security roles
  • Click OK

You have now assigned your user or group to your Report Administrator role in SCCM.

SQL Server Reporting Services Permission

There’s one last step to complete. We need to give access to this user on the SSRS Website. SCCM overwrites permission modification by using the role-based assignments stored in the site database.

As per Technet :

Configuration Manager connects to Reporting Services and sets the permissions for users on the Configuration Manager and Reporting Services root folders and specific report folders. After the initial installation of the reporting services point, Configuration Manager connects to Reporting Services in a 10-minute interval to verify that the user rights configured on the report folders are the associated rights that are set for Configuration Manager users. When users are added or user rights are modified on the report folder by using Reporting Services Report Manager, Configuration Manager overwrites those changes by using the role-based assignments stored in the site database. Configuration Manager also removes users that do not have Reporting rights in Configuration Manager.

It’s not possible just to add your user with the Config Report Administrators role because it will be reset in 10 minutes.

  • To fix this, you must click Site Settings in the upper right corner
  • Click Security and New Role Assignment
  • Enter your user or group name without your domain
  • Select System User and click OK
    • This role gives access to view system properties and shared schedules, and allows use of Report Builder or other clients that execute report definitions

Once set, you can validate that your user has been given the rights.

  • Go to the root of your SQL Reporting Service website, click your ConfigMgr site and select Security
  • Validate that your user has been added. Those permissions won’t be overwritten. All set!

The post Create SCCM Report Administrator Role appeared first on System Center Dudes.

Benoit Lecours has been awarded as MVP for 3 consecutive years. Congrats to him!

BIOS UEFI Conversion using SCCM Task Sequence

With the release of SCCM Current Branch 1610, one of the interesting new features is the ability to do a BIOS to UEFI conversion in a task sequence. This also makes it possible to use Secure Boot with Windows 10 to strengthen security.

In this blog, we’ll explain how to convert BIOS to UEFI with a task sequence on HP computers. This solution can also be applied for Dell and Lenovo computers.

SCCM BIOS UEFI Conversion Prerequisites

Before starting, you need 3 things :

Note
If you are not yet on 1610, you can achieve BIOS to UEFI following this procedure from Johan Schrewelius and Jörgen Nilsson.

  • The computer manufacturer must provide a tool for BIOS configuration
  • A package for the BIOS configuration utility and the configuration file must be created (procedure included in this post)

Create BIOS and UEFI Configuration File

First, we need to create a configuration file that will be used in our task sequence. A configuration file is basically a text file that is used to change options in the BIOS of the targeted computer. We’ll use an HP computer for our example.

You don’t have to create a separate file for each model; the same BIOS configuration file should apply to all HP models. The only settings included in the BIOS configuration file will be those required to change to UEFI. If needed, additional or model-specific BIOS configuration can be applied later in the task sequence.

Here’s an example of a configuration file that will :

  • Disable legacy boot option (BIOS)
  • Enable UEFI boot options
  • Enable Secure Boot

UEFI.txt

BIOSConfig 1.0
Fast Boot
	Disable
	*Enable
Legacy Boot Options
	*Disable
	Enable
Legacy Boot Order
	<no legacy boot options available>
UEFI Boot Options
	Disable
	*Enable
UEFI Boot Order
	HDD:SATA:1
	HDD:USB:1
	NETWORK IPV6:EMBEDDED:1
	NETWORK IPV4:EMBEDDED:1
Configure Legacy Support and Secure Boot
	Legacy Support Enable and Secure Boot Disable
	*Legacy Support Disable and Secure Boot Enable
	Legacy Support Disable and Secure Boot Disable
Clear Secure Boot keys
	*Disable
	Enable
Reset Secure Boot keys to factory defaults
	*Disable
	Enable
Enable MS UEFI CA key
	No
	*Yes
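
A pre-flight check for the UEFI.txt above, written in PowerShell as an added example (it is not part of the original post or of HP's tooling). It assumes the layout shown in the file: a setting name at the start of a line, one indented value per line, and `*` marking the selected value. The function names and the constructed sample are hypothetical.

```powershell
# Added example: lint a BiosConfigUtility settings file before it goes into the package.
# Assumed layout: setting name at column 0, one indented value per line, '*' = selected.

function Get-BcuSelection {
    param([string[]]$Lines)

    $settings = [ordered]@{}
    $current  = $null
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line -match '^BIOSConfig\s') { continue }
        if ($line -notmatch '^\s') {
            # Unindented line: a new setting starts here
            $current = $line.Trim()
            $settings[$current] = [pscustomobject]@{ Selected = $null; Values = @() }
        }
        elseif ($null -ne $current) {
            $value = $line.Trim()
            if ($value.StartsWith('*')) {
                $value = $value.Substring(1).Trim()
                $settings[$current].Selected = $value
            }
            $settings[$current].Values += $value
        }
    }
    $settings
}

function Test-BcuUefiConfig {
    param([string[]]$Lines)

    # Selections the conversion depends on, taken from the UEFI.txt in the post
    $required = [ordered]@{
        'Legacy Boot Options'                      = 'Disable'
        'UEFI Boot Options'                        = 'Enable'
        'Configure Legacy Support and Secure Boot' = 'Legacy Support Disable and Secure Boot Enable'
        'Clear Secure Boot keys'                   = 'Disable'
    }

    $parsed   = Get-BcuSelection -Lines $Lines
    $problems = @()
    foreach ($name in $required.Keys) {
        if (-not $parsed.Contains($name)) {
            $problems += "missing setting: $name"
            continue
        }
        $selected = $parsed[$name].Selected
        if ($selected -ne $required[$name]) {
            $problems += "${name}: selected '$selected', expected '$($required[$name])'"
        }
    }
    $problems
}

# Constructed sample with the same selections as the post's UEFI.txt (boot order entries omitted)
$good = @'
BIOSConfig 1.0
Legacy Boot Options
	*Disable
	Enable
UEFI Boot Options
	Disable
	*Enable
Configure Legacy Support and Secure Boot
	Legacy Support Enable and Secure Boot Disable
	*Legacy Support Disable and Secure Boot Enable
	Legacy Support Disable and Secure Boot Disable
Clear Secure Boot keys
	*Disable
	Enable
'@ -split '\r?\n'

# Same file with the selection moved to the option that leaves Secure Boot off
$bad = $good -replace '^\s+\*Legacy Support Disable and Secure Boot Enable$', "`tLegacy Support Disable and Secure Boot Enable" `
             -replace '^\s+Legacy Support Disable and Secure Boot Disable$', "`t*Legacy Support Disable and Secure Boot Disable"

foreach ($case in @{ Name = 'good'; Lines = $good }, @{ Name = 'bad'; Lines = $bad }) {
    $issues = @(Test-BcuUefiConfig -Lines $case.Lines)
    if ($issues.Count -eq 0) { "$($case.Name): selections match" }
    else { $issues | ForEach-Object { Write-Warning "$($case.Name): $_" } }
}
```

Against a real file, pass `Get-Content .\UEFI.txt` as `-Lines` and fail the packaging step if anything is returned.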

Package Creation for BIOS Configuration Utility and Configuration

We will now create a standard package that contains all the source files. The content directory must contain the BIOS configuration utility, the configuration file and the password file.

  • No program is needed, as we will use Run Command Line in the task sequence

SCCM BIOS to UEFI Conversion in Task Sequence

We will now create or edit an existing task sequence to include the steps that convert the BIOS to UEFI.

  • Add a new group before the Install Operating System section
  • In the Options tab of the group, set the condition for task sequence variable _SMSTSBootUEFI not equals true. This variable is needed to check whether UEFI is already enabled
  • You could also add another condition for computer manufacturer or model if you have older PCs that don’t support UEFI
  • Add a Restart Computer task; in its Options tab, set the condition for task sequence variable _SMSTSInWinPE equals False
  • Add a Run Command Line step to run the HP BIOS configuration utility
    • Command Line : BiosConfigUtility64.exe /setconfig:UEFI.txt /cspwdfile:current.bin
    • Package : BIOS configuration utility with configuration files (created in the previous step)
    • This must be a Run Command Line step and not a program. Programs are not allowed to run under WinPE

  • Add a Format and Partition Disk task and configure it as follows :
    • Disk type : GPT
    • First partition :
      • 500MB
      • Fat32 and Quick format
      • Variable : TSUEFIDrive
    • Second partition : default, 100% of remaining space
  • Add a Restart Computer task. Make sure to select The boot image assigned to this task sequence
  • After the restart, the BIOS will be configured with UEFI and Secure Boot only. It will partition and format the disk.

That’s it, you can now do the same tasks for your other manufacturers. Leave your comments and experience in the comment section below.

The post BIOS UEFI Conversion using SCCM Task Sequence appeared first on System Center Dudes.

SCCM Software Update Management Guide

Software update management is not the simplest of SCCM tasks. Over the years, we have trained many SCCM administrators using a simple approach and deployment strategy. We finally decided to create this complete SCCM Software Update Management Guide.

This guide is a best-practice guide on how to plan, configure, manage and deploy software updates with SCCM. It aims to help SCCM administrators understand the basic concept of each part of the patch management process. It does not explain how to set up your Software Update Point.

There are other ways of doing software update management in SCCM; this document describes a typical case that can be used in any organisation as a good starting point.

The guide will help you achieve these tasks :

  • Guide you toward a good deployment strategy
  • Setup your SCCM environment correctly
  • Create Collections
  • Setup Maintenance Windows
  • Create Software Update Groups
  • Create Deployment Packages
  • Excluding certain updates
  • Create Searches to target specific updates
  • Configure your clients settings
  • Describe the monthly tasks that need to be done
  • Create and setup Automatic Deployment Rules
  • Add software updates to your Operating System Deployment
  • Cleanup and operational best practice
  • Which group policy needs to be configured
  • How to monitor your deployments

Download and own this SCCM Software Update Management Guide in a single PDF file.

The PDF file is a 50-page document that contains all the information you need to manage software updates with SCCM. Use our products page or use the button below to download it.

The post SCCM Software Update Management Guide appeared first on System Center Dudes.

How to add Latest Windows 7 Convenience Update in a SCCM Image

For this post, we will be talking about how to do a SCCM Windows 7 convenience rollup image creation. A lot of companies still use Windows 7 and have not yet migrated to Windows 10. So, in the spirit of still having Windows 7, I thought I would write up a post to help fellow administrators.

You may have seen that a few weeks ago, Microsoft released a new convenience rollup for Windows 7 SP1. This convenience rollup is meant to make our lives easier when deploying fresh instances of Windows 7. As stated in the Technet article, it contains all the security and non-security fixes released since Service Pack 1, up to April 2016. Officially, the convenience update is released to help us administrators bring our Windows 7 deployments up to date faster and to give us a Windows 7 release that’s consistent with the latest code levels, support benefits and so on. But with this update, we are also ready for a Windows 10 migration, since all the required pre-upgrade updates are installed. In short, this has all the requirements to be a Service Pack, but since Microsoft is moving away from SPs, we are not calling it so.

Downloading the Windows 7 Convenience Update

First, this can only be done via Internet Explorer. Browse to http://catalog.update.microsoft.com/v7/site/Search.aspx?q=3125574

If you get the popup below, install the add-on.

Pay attention, there are 3 versions of this update: one for Windows 7 x86, one for Windows 2008 R2 x64 and finally, one for Windows 7 x64.

  • Press Add on the version you wish to download.
  • Click on View Basket
  • Click Download.
  • Choose a path to save the file and press Continue
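
Before the downloaded .msu goes into a package, it is worth confirming that it is the file Microsoft published. The PowerShell below is an added example, not part of the original post: it assumes the 40 hex characters at the end of a catalog file name are the file's SHA-1, and it reads the file's Authenticode signature. The function name and the constructed stand-in file are hypothetical.

```powershell
# Added example: check a catalog download against the hash in its name and its signature.
function Test-CatalogUpdateFile {
    param([Parameter(Mandatory)][string]$Path)

    $file   = Get-Item -LiteralPath $Path
    $report = [ordered]@{
        File            = $file.Name
        HashInName      = $null
        HashMatches     = $false
        SignatureStatus = $null
        Signer          = $null
        Trusted         = $false
    }

    # Assumption: catalog downloads are named <update>_<SHA-1 of the file>.msu
    if ($file.BaseName -match '_([0-9a-fA-F]{40})$') {
        $report.HashInName  = $Matches[1]
        $actual             = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA1).Hash
        $report.HashMatches = ($actual -eq $report.HashInName)
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $report.SignatureStatus = [string]$sig.Status
    if ($sig.SignerCertificate) { $report.Signer = $sig.SignerCertificate.Subject }

    # Accept only a file whose name and content agree and whose signature validates as Microsoft's
    $report.Trusted = $report.HashMatches -and
                      ($sig.Status -eq 'Valid') -and
                      ($report.Signer -like '*O=Microsoft Corporation*')

    [pscustomobject]$report
}

# Constructed stand-in for a download: a small unsigned file named after its own SHA-1
$dir = Join-Path ([IO.Path]::GetTempPath()) ([Guid]::NewGuid().ToString())
New-Item -ItemType Directory -Path $dir | Out-Null
$tmp = Join-Path $dir 'payload.bin'
[IO.File]::WriteAllBytes($tmp, [Text.Encoding]::ASCII.GetBytes('constructed sample, not a real update'))
$sha1 = (Get-FileHash -LiteralPath $tmp -Algorithm SHA1).Hash.ToLower()
$msu  = Join-Path $dir "sample-kb0000000-x64_$sha1.msu"
Move-Item -LiteralPath $tmp -Destination $msu

# Run against the intact file, then against a modified copy of it
Test-CatalogUpdateFile -Path $msu
Add-Content -LiteralPath $msu -Value 'tampered'
Test-CatalogUpdateFile -Path $msu

Remove-Item -LiteralPath $dir -Recurse -Force
```

Only a file reporting Trusted as True belongs in the package source folder; the constructed sample never does because it is unsigned.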

Add the Convenience Update to your SCCM Windows 7 Build Capture Task Sequence

Once your download has completed, let’s simply add a new Task Sequence. For this post, I am assuming that you do not have a Build and Capture Task Sequence. You may already have one. If that’s the case, you can tweak your existing TS instead. Let’s go ahead and create our Build and Capture Task Sequence :

  • Open the SCCM Console
  • Go to Software Library / Operating Systems / Task Sequences
  • On the ribbon, click on Create Task Sequence
  • Give your TS a meaningful name, click Next
  • In the Install Windows pane, browse to your Windows 7 image or WIM file and choose the appropriate flavor in Image Index. Should you wish to have a specific local administrator password, enter it here, press Next
  • Since this is a build we are doing, we do not need to join it to a domain since it could get polluted with unwanted parameters such as GPO configurations. For now, leave it in a workgroup, press Next
  • In the Install Configuration Manager pane, leave the settings as is, press Next
  • On the Include Updates pane, choose Available for installation, press Next
  • Unless you have any specific applications you wish to include in your build, choose Next
  • On the System preparation pane, press Next
  • On the Image Properties pane, set your image properties, press Next
  • Set your image capture path and the account used to access this folder. Ensure that your account has the rights to write in that folder as well, press Next
  • On the Summary pane, review your selection and complete the wizard

Creating the Convenience Update Package

Now that we have the Task Sequence up and running, we want to create the package to add in it.

  • Go to Software Library / Application Management / Packages
  • Right-click Packages and select Create Package
  • Fill in the fields with all required information and point it to your source folder containing the update, press Next
  • We will not need to create a program for now as we will be manually typing the command line in our Task Sequence, although it would still work. Press Next
  • Confirm the settings and press Next.
  • Press Close to validate.
  • Distribute the package to the appropriate DP

Tweaking the Build and Capture Task Sequence

We will now apply some basic customization to our task sequence to better suit our needs.

  • Go back to Software Library / Operating Systems / Task Sequences
  • Right-click your Build and Capture Task Sequence and Edit

Since this is a Windows 7 Task Sequence, I always preferred to deploy them on a “classic” Format and Partition Disk. Therefore, you can either disable or remove both Partition steps and add a Format and Partition Disk with 100% remaining space on disk (1).

I also add a Task Sequence Variable with the variable name OSDPreserveDriveLetter set to false (2) because I am using the default Windows 7 wim file and this typically installs the OS on the D: drive. More details on that can be found here.

Below the Setup Windows and Configuration Manager step, we will add the Convenience Rollup installation step.

  • Click Add / General / Run Command Line
  • The command line we will use in the task sequence for this is:
Run Command Line
Cmd.exe /c start /wait wusa.exe AMD64-all-windows6.1-kb3125574-v4-x64_2dafb1d203c8964239af3048b5dd4b1264cd93b9.msu /quiet /norestart

Don’t forget to also add the package we just created to your Convenience Rollup step or else the installation will fail as it will not be able to locate the content.

Your Task Sequence should now look like this:

Deploy your Task Sequence

We will now deploy our Task Sequence :

  • Change the parameter here to make sure your task sequence is available to Configuration Manager clients, media and PXE
  • On the Scheduling tab, enable Schedule when this deployment will be available. We won’t need to expire this since we will most likely need to rerun it in the future. Also, we don’t need an assignment schedule, so we will leave that blank. Press Next
  • On the User Experience tab, let’s leave all the options default as they don’t bring anything useful for a Build and Capture
  • On the Alerts tab, if your environment uses Alerts, configure them as you see fit. Press Next
  • On the Distribution Points tab, make sure your Deployment Options are set to Download content locally when needed by the running task sequence. Press Next
  • Finish up the validation and press Close

Deploying the Task Sequence on a Test Machine

We are now ready to have all of this deployed to a test machine. Import a new bare metal virtual machine or reuse one that you already have in your environment in your OSD Build and Capture collection.

Boot it up either via Network boot (PXE) or boot media :

On the Select a task sequence to run page, choose your Build and Capture TS. Press Next

If all goes well, one of the last steps to be executed will be the Capture the Reference Machine step

Loading the captured WIM in SCCM

After the capture has completed on our test machine, we now have a Windows 7 image that includes the Convenience Rollup. We can go back to the SCCM server and move the WIM file to our SCCM content store.

  • In the console, go to Software Library / Operating System / Operating System Images
  • Click Add Operating System Image button in the Ribbon
  • Browse to the path where you stored your captured wim
  • Fill in the Name, Version and Comment fields as you see fit. Press Next
  • On the Summary tab, press Next
  • On the Completion tab, press Close
  • Distribute the image on your Distribution Points

We will now create our TS for the final test, which is the deployment of the captured image on a real machine.

  • Go to Software Library / Operating Systems / Task Sequences
  • Click on the Create Task Sequence ribbon button
  • This time we choose Install an existing image package
  • On the Task Sequence Information tab, fill in the fields and press Next

(1) Choose your imported WIM. Since this is a captured image, you should only have a single image index (2). Untick BitLocker (3) unless you use it in your infrastructure. Finally, once again, set your local administrator password (4).

  • Since this time we are deploying our image as a real test, we will join it to our domain
  • Once more, unless you have anything special to set for your client installation, leave these steps as is
  • I won’t be using USMT. Disable everything here. You can see this post if you wish to integrate USMT to your task sequence. Since it’s not the focus of my post, I will forego this step
  • We want all available patches to be installed
  • I won’t be pushing out applications for my test, but you could do so here
  • Complete the wizard with 2 more Next
  • As we have previously done, we will Deploy our Task Sequence to a Collection
  • Choose your Collection and press Next
  • Make your Deployment Available to ConfigMgr Clients, Media and PXE
  • Choose a Deployment availability
  • I leave these settings default
  • Set your Alerts settings, press Next
  • Set your Distribution Points settings, press Next
  • Complete the wizard
  • Boot up your test virtual machine
  • Choose your new Task Sequence
  • And if all goes well, you should now have a patched Windows 7 client which includes the Convenience Rollup.
  • You can go ahead and add all your enterprise specific applications such as Office, Adobe Reader and so on.

Hope you enjoyed this post, feel free to leave comments below.

The post How to add Latest Windows 7 Convenience Update in a SCCM Image appeared first on System Center Dudes.

How to upgrade Office 365 2013 to Office 365 2016 Click-to-run

With the end of support for Office 365 2013 on February 28, 2017, administrators must take action to upgrade Office 365 2013 to Office 365 2016. In previous posts, we covered how to manage updates for Office 365 2016 with SCCM and described the Office 365 dashboard. Those posts apply to the 2016 version of Office 365.

This post will cover everything you need to know to upgrade Office 365 2013 to Office 365 2016 with SCCM.

Upgrade Office 365 2013 Prerequisites

Create Download.xml and Configuration.xml File

Office 365 Click-to-run installations are controlled by XML files. We will create and use one XML file to download the Office 365 bits for an offline installation/upgrade and another XML file for the configuration.

The download.xml specifies the channel to be used, the product and the language :

Download.xml

<Configuration>
  <Add Channel="Deferred" OfficeClientEdition="32">
    <Product ID="O365ProPlusRetail">
      <Language ID="fr-fr" />
    </Product>
  </Add>
</Configuration>

The configuration.xml has more details in it :

configuration.xml

<Configuration>
  <Add OfficeClientEdition="32" Version="16.0.6965.2117" Channel="Deferred" OfficeMgmtCOM="True">
    <Product ID="O365ProPlusRetail">
      <Language ID="fr-fr" />
    </Product>
  </Add>
  <Updates Enabled="FALSE" />
  <Display Level="Full" AcceptEULA="TRUE" />
  <Logging Level="Standard" Path="%temp%" />
  <Property Name="AUTOACTIVATE" Value="1" />
  <Property Name="FORCEAPPSHUTDOWN" Value="False" />
</Configuration>

Important parts of the XML :

  • <Display Level="Full" AcceptEULA="TRUE" />
    • This will allow the user to interact with the install, in order to see the prompt to close open applications if needed.
  • <Property Name="FORCEAPPSHUTDOWN" Value="False" />
    • This will allow the user to see a prompt when the upgrade starts if any Office application is open and allow time to save files.
  • Modify the language that you need using <Language ID="fr-fr" />

Otherwise, the XML has no specific configuration related to the upgrade. It will know it’s upgrading from 2013 automatically.

You can find more details about XML files for Office 365 here
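
XML copied from a web page often arrives with typographic quotes, and a configuration.xml that asks for an edition, channel or language that was never downloaded only fails once setup.exe runs on the client. The PowerShell below is an added example (not from the original post or from Microsoft) that lints the two files as a pair before they are packaged. The function name is hypothetical, and the sample XML is constructed from the files above with one extra language added to trigger a finding.

```powershell
# Added example: lint download.xml and configuration.xml together before packaging.
function Test-OdtXmlPair {
    param([string]$DownloadXml, [string]$ConfigureXml)

    $problems = @()
    $add      = @{}
    foreach ($item in @{ Name = 'download.xml'; Text = $DownloadXml }, @{ Name = 'configuration.xml'; Text = $ConfigureXml }) {
        # U+201C/U+201D curly quotes and U+2033 double prime are what a copy from a web page leaves behind
        if ($item.Text -match '[\u201C\u201D\u2033]') {
            $problems += "$($item.Name): typographic quotes found, attributes need straight double quotes"
            continue
        }
        try   { $doc = [xml]$item.Text }
        catch { $problems += "$($item.Name): not well-formed XML"; continue }

        $node = $doc.SelectSingleNode('/Configuration/Add')
        if ($null -eq $node) { $problems += "$($item.Name): no Add element"; continue }
        $add[$item.Name] = $node
    }
    if ($add.Count -lt 2) { return $problems }

    $d = $add['download.xml']
    $c = $add['configuration.xml']

    # The install must ask for the same channel and bitness that were downloaded
    foreach ($attr in 'Channel', 'OfficeClientEdition') {
        if ($d.GetAttribute($attr) -ne $c.GetAttribute($attr)) {
            $problems += "$attr differs: download.xml='$($d.GetAttribute($attr))', configuration.xml='$($c.GetAttribute($attr))'"
        }
    }

    # Every product/language pair to be installed should be present in the downloaded source
    $have = @($d.SelectNodes('Product/Language') |
        ForEach-Object { "$($_.ParentNode.GetAttribute('ID'))/$($_.GetAttribute('ID'))" })
    foreach ($lang in $c.SelectNodes('Product/Language')) {
        $want = "$($lang.ParentNode.GetAttribute('ID'))/$($lang.GetAttribute('ID'))"
        if ($have -notcontains $want) { $problems += "$want is configured but is not in download.xml" }
    }
    $problems
}

# Constructed samples based on the two files above
$download = @'
<Configuration>
  <Add Channel="Deferred" OfficeClientEdition="32">
    <Product ID="O365ProPlusRetail">
      <Language ID="fr-fr" />
    </Product>
  </Add>
</Configuration>
'@

$configure = @'
<Configuration>
  <Add OfficeClientEdition="32" Version="16.0.6965.2117" Channel="Deferred" OfficeMgmtCOM="True">
    <Product ID="O365ProPlusRetail">
      <Language ID="fr-fr" />
      <Language ID="en-us" />
    </Product>
  </Add>
  <Updates Enabled="FALSE" />
</Configuration>
'@

# The same configuration as it looks after a copy and paste that curled the quotes
$pasted = $configure -replace '"', ([string][char]0x201D)

Test-OdtXmlPair -DownloadXml $download -ConfigureXml $configure
Test-OdtXmlPair -DownloadXml $download -ConfigureXml $pasted
```

With real files, pass `Get-Content -Raw` of each XML file as the two arguments.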

Create Office 365 2016 Package

We will now create a standard package for the upgrade.

Note
For a more detailed version of How-to deploy Office 365 2016, please see our previous post here

  • First, we need to download the latest Office 365 2016 version
    • Open a command prompt, browse to your office directory and launch : setup.exe /download download.xml
    • This will create an Office folder under the running path. It will contain the Office 365 2016 bits for offline installation
  • Create a standard package for Office 365 2016
    • The source folder must be the folder with the Setup.exe, Configuration.xml and Office folder downloaded in previous step
  • Add a program to the package
    • Command Line : setup.exe /configure configuration.xml
    • Check Allow user to view and interact with the program installation. This is to help interaction with opened Office applications

Upgrade Office 365 2013 to Office 365 2016

  • Deploy the package/program just as any other package
    • Can be mandatory or available
    • Suggestion : Allow users to run the program independently of assignments will allow more flexibility for your users to upgrade
  • The deployment starts…
  • One prompt for the user to know the upgrade is coming
    • If the user hits Cancel, the deployment will return an error in SCCM reports.
  • If an Office application is open, Office will ask to close applications
  • Final screen for completed upgrade
  • Office 365 2016 is now installed and Office 365 2013 is no longer available!

More information is available here

Happy upgrading!

The post How to upgrade Office 365 2013 to Office 365 2016 Click-to-run appeared first on System Center Dudes.

5 Ways to view Hardware Inventory Information of a Device with SCCM

One of the SCCM features is the ability to inventory hardware information from devices that are managed by the SCCM client. It’s not very difficult to enable and configure the hardware inventory client settings in SCCM. Once the devices have received the next machine policy and run a hardware inventory scan, data will start to populate your SCCM database.

The information gathered from the devices can be very useful from a system health, inventory or operation perspective. You can use this information to create collections, queries as well as reports.

However, one thing that is not too obvious with the hardware inventory information is how to see all the data of a device on a single page. There are several ways to do it, some more difficult than others, but we will show you how.

Resource Explorer

The first one is the Resource Explorer tool. It’s a tool accessible directly from the console and you don’t need to download any additional third party tool. It’s built-in in the console, it’s pretty easy to use and very useful during troubleshooting.

  • To open the Resource Explorer, open the SCCM console and navigate to Assets and Compliance / Devices
  • Right-click on any device and select Start then Resource Explorer

The Resource Explorer tool will open and by expanding sections, you will be able to find any hardware inventory information related to a device.

The Resource Explorer works with all SCCM client platforms.

SQL Query

Are you a SQL fan? Do you understand a little bit of SQL syntax? If not, I would say don’t waste your time and go to the next section. However, if you still want to learn and you are a DIY person, open SQL Management Studio and query all the v_GS_xxxxx views in your CM database. They are the classes inventoried during the hardware inventory.

By joining the v_R_System or v_GS_Computer_System views to your SQL queries, you will have all the information you need to make nice queries. Take your SQL queries and transform them into great SSRS reports.

Here is an example of a SQL query that you can do. This is a very interesting post as well!

This is the option with the steepest learning curve, but it is a nice long-term investment.

WQL Query

The WMI Query Language (WQL) is a subset of the American National Standards Institute Structured Query Language (ANSI SQL) with minor semantic changes. You can use queries to retrieve information about inventory data, status messages and much more. What is nice with a WQL query is that you can reuse it for a collection. For those who understand SQL syntax, you won’t be lost: it looks a lot like a SQL query.

  • To create WQL query, open the SCCM console and navigate to Monitoring / Queries

  • Right-click Queries and select Create Query

  • This window will open and you will be able to configure your query. Follow this post to help you create your WQL query

There are a few websites that give examples of SQL queries as well. How difficult WQL is depends on your programming ability. If SQL scares you, WQL probably will too. But it is worth the effort, since the queries will help you save time.

Built-in Reports

Microsoft has included built-in reports in SCCM and has published the complete list here. The reports are divided into several categories and they can help you develop your own reports.

You can execute the built-in reports from the SCCM console or from SSRS website.

  • Open the SCCM console and navigate to Monitoring / Reporting / Reports

  • Right-click the report you want to execute and select Run

To edit the report with Report Builder, select Edit

The final way to see the information of one device is to use our Dashboard – DeviceDashboard – Intune Device or even all asset reports. You enter the name of any device from SCCM and you get a one-pager overview of the device. This report can save a lot of time for your SCCM team and minimize the time spent on operational tasks.

The report also includes collections, deployment and system health information.

Have you ever bought one of our reports? With the latest updates, this report is linked to other reports. Blue font indicates a link!

Summary

Finally, your choice depends on the time you want to invest. If you want to save time, you can use our reports or the built-in reports. For those who swear by the console, the Resource Explorer is an excellent choice. For those who like to develop their own stuff, SQL and WQL are your choices. What’s good with SQL is that once you learn how to query the SCCM database, you can build your own reports.

Oh… by the way, one more thing about hardware inventory: even if the Add Remove Programs information of a device is considered as software, it’s the hardware inventory scan that inventories Add Remove Programs information. Not software inventory! 🙂

Do you use another way to scan SCCM device hardware inventory?

 

The post 5 Ways to view Hardware Inventory Information of a Device with SCCM appeared first on System Center Dudes.


Office 365 2016 Activation Problem after Upgrade from Office 365 2013

In a previous post, we covered how to upgrade Office 365 2013 to Office 365 2016. We came across an issue after the upgrade is completed. Once you start any Office application, Office 365 2016 asks for activation, which will fail if attempted, and then asks for a repair. This can be quite confusing for users.

Error message

We’re sorry, but Excel has run into an error that is preventing it from working correctly. Excel will need to be closed as a result.

Would you like us to repair now?

 

After the activation attempt, the following error is displayed:

Office 365 2016 Activation Problem Upgrade

In this post, we will detail how to fix this activation issue as part of the upgrade process.

Problem

While the Office 365 upgrade is running, the UserOperations registry key is removed.

Solution

Re-create the registry key after the upgrade of Office 365 is completed. We will use a batch file for this.

Office 365 2016 Activation Problem Upgrade Pre-requisite

Installation with Batch File

We will now create a batch file to include the creation of the registry key after the setup :

  • Create a batch file at the same level as the setup.exe file

Upgrade.bat

setup.exe /configure %~dp0configuration.xml
reg add HKLM\Software\Microsoft\OfficeSoftwareProtectionPlatform /v UserOperations /t REG_DWORD /d 1

Add a Program to the Existing Package

  • Add a new program to your existing Office 365 2016 package
    • Command line  : cmd /c Upgrade.bat
    • Check Allow users to view and interact with the program installation (refer to our previous blog post for details)

  • Deploying this program will recreate the missing registry key at the end of the upgrade

Hope this helps!

The post Office 365 2016 Activation Problem after Upgrade from Office 365 2013 appeared first on System Center Dudes.

Switch from Office 365 Deferred Channel to Current Channel using SCCM

Today, I’ve been asked to switch a couple of hundred Office 365 Deferred Channel to Current Channel. At first, I wasn’t sure if there was a supported way to do that. I started googling around and I ran into this Microsoft support article.

Before going technical, you may be wondering why you would want to do this. Well, for a couple of reasons:

  • You just installed Office 365, and you’re on the Deferred Channel and want to change to Current Channel
  • A fix has been released and you want to move to the Current Channel to receive it
  • A new feature has been released and you want to move to the Current Channel to receive it

All actions in this blog post have been executed on a Windows 10 64-bit computer with Office 365 32-bit (Deferred Version 1602 – build 6741.2071).

Create SCCM Office 365 Switch Channel Script

The script provided by Microsoft is pretty straightforward:

  • Checks if the CDNBaseUrl key is present
  • Switches the Office Channel to Current
  • Deletes some configuration values and updates the configuration
  • Launches the Office click-to-run client to check for an update

Microsoft Script
setlocal
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration\ /v CDNBaseUrl
if %errorlevel%==0 (goto SwitchChannel) else (goto End)
:SwitchChannel
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v CDNBaseUrl /t REG_SZ /d "http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60" /f
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v UpdateUrl /f
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v UpdateToVersion /f
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Updates /v UpdateToVersion /f
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Office\16.0\Common\OfficeUpdate\ /f
"%CommonProgramFiles%\microsoft shared\ClickToRun\OfficeC2RClient.exe" /update user
:End
Endlocal

But… the Microsoft script is not adapted to run with SCCM:

  • SCCM runs .bat packages as 32-bit applications on 64-bit systems. This is a problem with the script provided by Microsoft because the 32-bit reg command is redirected to the 32-bit view of the registry and won’t find the value. We simply add the /reg:64 switch at the end of each line. The /reg:64 switch makes reg use the 64-bit view of the registry.
  • In a 32-bit process, the %CommonProgramFiles% variable points to C:\Program Files (x86)\Common Files, which is not where OfficeC2RClient.exe resides. We need to change it to %CommonProgramW6432%. See this thread for the full list for a 32-bit application on an English version of Windows.
  • OfficeC2RClient.exe /update user displays a dialog box. We want it to be silent, so we add displaylevel=False and forceappshutdown=True to the script. See this Technet blog post for the full list of available variables.

We made several tests with different options for the OfficeC2RClient.exe part (Office applications opened, user logged on / logged off, displaylevel=False/True, forceappshutdown=True/False).

Here’s the final script and SCCM package options that work best for us:

Note

The script will close all open Office applications because of forceappshutdown=True, but if a document is open, it’s automatically saved and reopened after the upgrade process. There should be no data loss, but be aware of this.

ChangeToCurrent.bat

setlocal
rem Continue only if the CDNBaseUrl value is present (64-bit registry view)
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration\ /v CDNBaseUrl /reg:64
if %errorlevel%==0 (goto SwitchChannel) else (goto End)
:SwitchChannel
rem Switch the Office channel to Current
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v CDNBaseUrl /t REG_SZ /d "http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60" /f /reg:64
rem Delete the previous update settings and the Office update policy key
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v UpdateUrl /f /reg:64
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v UpdateToVersion /f /reg:64
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Updates /v UpdateToVersion /f /reg:64
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Office\16.0\Common\OfficeUpdate\ /f /reg:64
rem Launch the update silently; forceappshutdown=True closes open Office applications
"%CommonProgramW6432%\microsoft shared\ClickToRun\OfficeC2RClient.exe" /update user displaylevel=False forceappshutdown=True
:End
Endlocal

Save this script in a batch file and store it on a location on your network. We will use it to create our package.
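
The two redirection problems described above (the 32-bit registry view and %CommonProgramFiles%) can be checked on a client before and after the deployment. The following PowerShell is an added example, not part of the original post or of Microsoft's script; the function names are hypothetical, and the registry path, value names and Current Channel URL are the ones used in the script above.

```powershell
# Added example: shows what a 32-bit and a 64-bit process see for the
# Click-to-Run settings that ChangeToCurrent.bat modifies.
# Function names are hypothetical; paths and value names come from the script above.

$ConfigSubKey      = 'SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
$CurrentChannelUrl = 'http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60'

function Get-C2RConfiguration {
    param(
        [Parameter(Mandatory)]
        [Microsoft.Win32.RegistryView]$View
    )
    # OpenBaseKey selects the registry view explicitly, like reg.exe /reg:32 or /reg:64.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $key = $hklm.OpenSubKey($ConfigSubKey)   # read-only; $null if absent in this view
        $result = [ordered]@{
            View            = $View.ToString()
            KeyFound        = ($null -ne $key)
            CDNBaseUrl      = $null
            UpdateUrl       = $null
            UpdateToVersion = $null
            VersionToReport = $null
        }
        if ($key) {
            foreach ($name in 'CDNBaseUrl', 'UpdateUrl', 'UpdateToVersion', 'VersionToReport') {
                $result[$name] = $key.GetValue($name)
            }
            $key.Close()
        }
        [pscustomobject]$result
    }
    finally {
        $hklm.Close()
    }
}

function Get-C2RClientPath {
    # %CommonProgramFiles% is redirected in a 32-bit process; %CommonProgramW6432% is not.
    foreach ($var in 'CommonProgramFiles', 'CommonProgramW6432') {
        $base = [Environment]::GetEnvironmentVariable($var)
        $exe  = if ($base) { Join-Path $base 'microsoft shared\ClickToRun\OfficeC2RClient.exe' }
        [pscustomobject]@{
            Variable = "%$var%"
            Path     = $exe
            Exists   = [bool]($exe -and (Test-Path -LiteralPath $exe))
        }
    }
}

function Test-OfficeOnCurrentChannel {
    # Reads the 64-bit view, the one the /reg:64 switch selects in the batch file.
    $cfg = Get-C2RConfiguration -View Registry64
    return ($cfg.KeyFound -and $cfg.CDNBaseUrl -eq $CurrentChannelUrl)
}

"64-bit OS: {0}; 64-bit process: {1}" -f [Environment]::Is64BitOperatingSystem, [Environment]::Is64BitProcess
Get-C2RConfiguration -View Registry32 | Format-List
Get-C2RConfiguration -View Registry64 | Format-List
Get-C2RClientPath | Format-Table -AutoSize
"On Current Channel: {0}" -f (Test-OfficeOnCurrentChannel)
```

Running it once from a 32-bit PowerShell host and once from a 64-bit host shows the difference the /reg:64 switch and %CommonProgramW6432% compensate for.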

SCCM Package Creation

We will now create the package to deploy to switch our Office 365 clients from Deferred to Current Channel

  • Open the SCCM Console
  • Go to Software Library \ Application Management \ Packages
  • Right-click Packages and select Create Package
  • On the Package tab, name your package and in Source folder browse to the path where you saved the ChangetoCurrent.bat script

  • In Program Type, select Standard program

  • In Standard program, name your program and select your script in the Command line box
  • In Program can run, select Only when a user is logged on
  • In Run mode, select Run with administrative rights

  • Leave all other options at their defaults and complete the Create Package and Program Wizard

  • Right-click your package and select Distribute Content. Complete the wizard and wait for the package to be distributed across your distribution points

Package Deployment

We will now deploy the package to a test collection. We already created a collection containing 1 computer.

  • Right-click the program you just created and select Deploy

  • Select your test collection

  • Leave all other options to default. We will make the deployment Available for now. Complete the Deploy Software Wizard

Testing

On the test computer, we will verify the current state before launching the program. Refer to our post on Office 365 inventory for complete details on that topic.

  • Open Word, look for the Office version in File / Account
  • We have version 16.0.6741.2071

  • In the registry, browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration\CDNBaseUrl
  • We are in Deferred Channel and VersionToReport matches the version displayed in Word

  • We will now launch our program to change the Office 365 channel
  • Go to Software Center and locate your program, click on it

  • Click Install

  • The script will execute for a couple of seconds before reporting that it’s installed. The script has done its job of launching the update process, which will take about 15 minutes to complete
  • You can monitor the update process using Task Manager. You will see 2 or 3 OfficeClickToRun.exe processes depending on the stage of the process. You can also use the Office 365 log file located in %temp%. The file name has the following format : yourmachinename-date-time.log
  • Near the end of the process, your Office applications will automatically close and reopen
  • Once completed, we make the same verification. Word now shows Current Channel and it’s using the latest version available at the time of this writing (16.0.7668.2074)

  • In the registry, the channel and version have been updated

That’s it, you’ve just changed an Office 365 Deferred Channel client to Current Channel! You can deploy to all computers that need to be changed.

The post Switch from Office 365 Deferred Channel to Current Channel using SCCM appeared first on System Center Dudes.

Customize Windows 10 Taskbar Configuration Using SCCM Task Sequence

With the release of Windows 10 1607, some customization solutions were modified. One of them is the ability to modify the Taskbar configuration. In a previous post, we provided many customization scripts and how-tos that were made for Windows 10 version 1511. Modifying the Taskbar was one of those customizations, but it was more of a workaround than a planned how-to.

With Windows 10 1607, the Taskbar can be modified similarly to the Start Menu.

In this post, we will detail how to modify the Windows 10 Taskbar configuration using a SCCM Task sequence.

This could also be done as part of a Group Policy.

SCCM Windows 10 Taskbar Configuration Prerequisites

This Taskbar customization solution is only available for Windows 10 version 1607 and higher.

Before we begin

It’s important to understand the concept behind customizing the Taskbar. It uses the same Layout Modification method as the Start Menu. This means that if you already use an XML file to modify the layout of the Start Menu, you will need to use the same file with a new section in the XML. You can’t have one XML file for the Start Menu and a separate one for the Taskbar. If you do, the last one imported will be the only configuration applied to both the Start Menu and the Taskbar.

Configure a StartMenu.xml layout

  • Set up a Windows 10 Start Menu the way you would like to have it as the default
Note
If you do not wish to modify the Start Menu and want to leave the default, you can skip this section and go directly to the Taskbar configuration section.

  • Start a PowerShell command window as administrator
  • Enter the following command line to export the Start Menu
    • Export-startlayout -path C:\temp\StartMenu.xml
  • A StartMenu.xml is generated in the specified directory

More details can be found in this Technet article

Add Windows 10 1607 Taskbar configuration to StartMenu.xml

The easy part was to generate the StartMenu.xml file, the tough part is ahead. There is no configure-and-export solution for the Taskbar. Instead, we must manually edit the sections in the XML file to include the desired configuration for the Taskbar.

  • Replace the top section of LayoutModificationTemplate. This will “Enable” the Start Menu and Taskbar.
LayoutModificationTemplate Before
<LayoutModificationTemplate Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
LayoutModificationTemplate After
<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
    xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
    xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
    xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
    xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
    Version="1">
  • Add a new section after the </DefaultLayoutOverride> section. This is where you’ll be adding your shortcuts. We will be adding Internet Explorer, Explorer, Outlook and Skype.
CustomTaskbarLayoutCollection
<CustomTaskbarLayoutCollection PinListPlacement="Replace">
  <defaultlayout:TaskbarLayout>
    <taskbar:TaskbarPinList>
      <taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk" />
      <taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk" />
      <taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Outlook 2016.lnk" />
      <taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Skype Entreprise 2016.lnk" />
    </taskbar:TaskbarPinList>
  </defaultlayout:TaskbarLayout>
</CustomTaskbarLayoutCollection>

The end result will look like this :

SCCM Windows 10 Taskbar configuration

The order of apps in the XML file dictates the order of pinned apps on the Taskbar from left to right, to the right of any existing apps pinned by the user.

The following example shows how apps will be pinned: Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using the XML file to the right (green square).

SCCM Windows 10 Taskbar configuration

More details can be found in this Technet article to edit the XML as you wish.
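
Because the Taskbar section is edited by hand, it is worth checking the file before it goes into the task sequence. The following PowerShell is an added example, not part of the original post: Test-TaskbarLayout is a hypothetical helper name, and the sample input is the XML shown above with the Start Menu section left out. It checks that the file is well-formed, that the pins sit under the expected namespaces, and that each shortcut path resolves on the machine where it runs.

```powershell
# Added example: pre-flight check for the Taskbar section of StartMenu.xml.
# Test-TaskbarLayout is a hypothetical helper; namespaces and sample XML come from the post.
# %APPDATA% is per-user, so run this as a user on a reference machine built from the same image.

function Test-TaskbarLayout {
    param([Parameter(Mandatory)][string]$LayoutXml)

    $problems = New-Object System.Collections.Generic.List[string]

    # Typographic quotes copied from a web page are not valid XML attribute delimiters.
    if ($LayoutXml -match '[\u201C\u201D\u2033]') {
        $problems.Add('Typographic quotes found; replace them with plain double quotes.')
    }

    $doc = New-Object System.Xml.XmlDocument
    try { $doc.LoadXml($LayoutXml) }
    catch {
        $problems.Add("Not well-formed XML: $($_.Exception.Message)")
        return [pscustomobject]@{ Valid = $false; Problems = $problems; Pins = @() }
    }

    $ns = New-Object System.Xml.XmlNamespaceManager -ArgumentList $doc.NameTable
    $ns.AddNamespace('lm', 'http://schemas.microsoft.com/Start/2014/LayoutModification')
    $ns.AddNamespace('defaultlayout', 'http://schemas.microsoft.com/Start/2014/FullDefaultLayout')
    $ns.AddNamespace('taskbar', 'http://schemas.microsoft.com/Start/2014/TaskbarLayout')

    if ($null -eq $doc.SelectSingleNode('/lm:LayoutModificationTemplate', $ns)) {
        $problems.Add('Root element is not LayoutModificationTemplate in the LayoutModification namespace.')
    }

    $xpath = '/lm:LayoutModificationTemplate/lm:CustomTaskbarLayoutCollection' +
             '/defaultlayout:TaskbarLayout/taskbar:TaskbarPinList/taskbar:DesktopApp'
    $pinNodes = $doc.SelectNodes($xpath, $ns)
    if ($pinNodes.Count -eq 0) {
        $problems.Add('No taskbar:DesktopApp entries found under CustomTaskbarLayoutCollection.')
    }

    # Pins are reported in document order, which is the left-to-right order on the Taskbar.
    $pins = foreach ($node in $pinNodes) {
        $raw = $node.GetAttribute('DesktopApplicationLinkPath')
        if ([string]::IsNullOrEmpty($raw)) {
            $problems.Add('A DesktopApp entry has no DesktopApplicationLinkPath attribute; not checked.')
            continue
        }
        $expanded = [Environment]::ExpandEnvironmentVariables($raw)
        $exists   = Test-Path -LiteralPath $expanded
        if (-not $exists) { $problems.Add("Shortcut not found: $expanded") }
        [pscustomobject]@{ LinkPath = $raw; Expanded = $expanded; Exists = $exists }
    }

    [pscustomobject]@{ Valid = ($problems.Count -eq 0); Problems = $problems; Pins = @($pins) }
}

# Sample input: the Taskbar XML from the post (Start Menu section omitted).
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
    xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
    xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
    xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
    xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
    Version="1">
  <CustomTaskbarLayoutCollection PinListPlacement="Replace">
    <defaultlayout:TaskbarLayout>
      <taskbar:TaskbarPinList>
        <taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk" />
        <taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk" />
        <taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Outlook 2016.lnk" />
        <taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Skype Entreprise 2016.lnk" />
      </taskbar:TaskbarPinList>
    </defaultlayout:TaskbarLayout>
  </CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
'@

$report = Test-TaskbarLayout -LayoutXml $sample
$report.Pins | Format-Table -AutoSize
$report.Problems
```

To check the real file instead of the sample, pass `(Get-Content -Raw C:\temp\StartMenu.xml)` as the -LayoutXml argument.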

Add the Start Menu and TaskBar configuration to a Task sequence

We will now deploy our configuration using a Task Sequence.

  • Go to Software Library \ Operating Systems \ Task Sequences
  • Right-click and Edit your Windows 10 task sequence
  • Select Add / General / Run Command Line
    • Name : Set Start Menu Layout
    • Command line : Powershell.exe Import-StartLayout -LayoutPath StartMenu\StartMenu.xml -MountPath C:\
    • Check the Package box and specify your Windows 10 customization package
  • Position this step after the Windows image has been deployed

Results

After a new deployment, the user profile will load with a modified Start Menu and Taskbar.

Default view :

SCCM Windows 10 Taskbar configuration

Modified with the StartMenu.xml :

SCCM Windows 10 Taskbar configuration

The order fits our XML file order. File Explorer is left because it’s a Windows default app.

Bonus – Hide Cortana from the Taskbar

If you want to see less or no Cortana at all in the taskbar, configure the following Regkey with a group policy preference :

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search
  • SearchboxTaskbarMode DWORD
  • 0 = Hidden
  • 1 = Show search or Cortana icon
  • 2 = Show search box

Here’s how the Registry configuration looks in Group Policy Preference :

SCCM Windows 10 Taskbar configuration

Hope this helps!

The post Customize Windows 10 Taskbar Configuration Using SCCM Task Sequence appeared first on System Center Dudes.

How to apply SCCM 1610 Update Rollup 3 (KB4010155)

The third hotfix for SCCM Current Branch (1610) is now available. This post is a complete SCCM 1610 Update Rollup 3 (KB4010155)  installation guide. If you’re looking for a complete SCCM 1511 installation guide, see our blog series which covers it all. You can’t install this upgrade if you are running SCCM 2012. You need to be running at least SCCM 1610.

Installing SCCM upgrades is important for your infrastructure. It fixes a lot of issues from SCCM 1610, some of which are important.

New Update and Servicing Model

If you’re not familiar with the new SCCM servicing model, read our New Update and Servicing section of the 1602 upgrade post which explains it all.

You may wonder what’s the difference between a Cumulative Update (CU) and an Update Rollup (UR) :

A CU is a new servicing baseline. A post-CU1 hotfix requires CU1 first, whereas a post-UR1 hotfix doesn’t require UR1. Like CU, UR are cumulative which means that UR2 will include previous hotfixes.

*If you are running SCCM 1511, 1602 or 1606, you first need to upgrade to 1610 before applying this Update Rollup; see our blog which covers the upgrade process. Once completed, the Update Rollup 3 will be available under the Updates and Servicing node.

SCCM 1610 Update Rollup 3 Fixes

Consult this support page for a full list of issues fixed.

Before you begin

Downloading and installing this update is done entirely from the console. There’s no download link, the update will appear in your console once synchronized.

When you install an in-console update (New Versions, CU, UR, KB):

  • It automatically runs a prerequisite check. You can also run this check prior to starting the installation
  • It installs at the central administration site (if you have one), and at primary sites automatically. You can control when each primary site server is allowed to update its infrastructure by using Service Windows for site servers
  • After a site server updates, all affected site system roles (including instances of the SMS Provider) automatically update. Configuration Manager consoles also prompt the console user to update the console, after the site installs the update
  • If an update includes the Configuration Manager client, you are offered the option to test the update in pre-production, or to apply the update to all clients immediately
  • After a primary site is updated, secondary sites do not automatically update. Instead, you must initiate the secondary site update

In this post, we’ll be updating a standalone Primary Site Server, console and clients.

Reminder

It’s a best practice to have some exclusions for your antivirus/anti-malware software on the SCCM server. Here is a list of exclusions from SCCM 2012, which is still valid for CB as far as we know. You could also consider disabling the AV prior to installing the update and re-enabling it once completed.

Before installing, check if your site is ready for the update :

  • Open the SCCM console
  • Go to Administration \ Cloud Services \ Updates and Servicing
  • In the State column, ensure that the update is Available

  • If it’s not available, right-click Updates and Servicing and select Check for Updates

  • The update state will change to Downloading
  • You can follow the download in Dmpdownloader.log

  • The update files are stored in the EasyPayload folder in your SCCM Installation directory

SCCM 1610 Update Rollup 3 Installation Guide

Step 1 | SCCM 1610 Update Rollup 3 Prerequisite Check

Before launching the update, we recommend running the prerequisite check:

  • Open the SCCM console
  • Go to Administration \ Cloud Services \ Updates and Servicing
  • Right-click the Configuration Manager 1610 Hotfix (KB4010155) update and select Run prerequisite check

  • Nothing will happen, the prerequisite check runs in the background. All menu options will be grayed out during the check

  • You can monitor the prerequisite check by going to Monitoring / Site Servicing Status, right-click your Update Name and select Show Status

  • When completed the State column will show Prerequisite check passed

Step 2 | Launching the SCCM 1610 Update Rollup 3

We are now ready to launch the SCCM 1610 Update Rollup 3. At this point, plan for about 30 minutes for the update installation.

  • Right-click the Configuration Manager 1610 update and select Install Update Pack

  • On the General tab, click Next

  • In the Client Update Options, select the desired option for your client update
    • This new feature lets you update only clients that are members of a specific collection. Refer to our post here

  • On the License Terms tab, accept the license terms and click Next

  • On the Summary tab, review your choices and click Next

  • On the Completion tab, close the wizard. The whole process took a minute but the installation is not over, it has been initiated

  • During installation, the State column changes to Installing
  • You can monitor the installation by going to Monitoring / Site Servicing Status, right-click your Update Name and select Show Status

  • … or you can follow detailed installation progress in SCCM Installation Directory\Logs\CMUpdate.log

Warning
We’ve done numerous SCCM 1610 installations/upgrades. Some installations start a couple of minutes after you complete the wizard, but we’ve seen some installations start after a 10-minute delay. Do not reboot or restart any services during this period or your update could be stuck in “Prerequisite check passed” status with all other options greyed out. There are actually no officially documented methods from Microsoft to fix that. Patience is the key!
  • When completed, you’ll notice the message There are no pending update package to be processed in the log file
  • In Monitoring / Site Servicing Status, right-click your Update Name and select Show Status; the last step will be Installation Succeeded

  • Refresh the Updates and Servicing node, the State column will be Installed

Updating the consoles

Since 1602, the console has an auto-update feature. At console opening, if you are not running the latest version, you will receive a warning and the update will start automatically.

  • Since all updates operations were initiated from the console, we didn’t close it during the process. We received a warning message when clicking certain objects. You will have the same message when opening a new console

  • Click OK, the console update will start automatically

  • Wait for the process to complete. You can follow the progress in C:\ConfigMgrAdminUISetup.log and C:\ConfigMgrAdminUISetupVerbose.log. Once completed, the console will open and you’ll be running the latest version

Verification

Consoles

After setup is completed, verify the build number of the console. If the console upgrade was successful, the build number will be 5.0.8458.1520. Note that the Site Version is not changed to the Update rollup version. This is normal.

Clients

The client version will be updated to 5.00.8458.1520 (after updating, see section below)

SCCM 1610 Update rollup 3 Client Package distribution

You’ll see that the 2 client packages are updated :

  • Navigate to Software Library \ Application Management \ Packages

  • Check if both packages were updated. If not, select both packages and initiate a Distribute Content to your distribution points

Updating the Clients

Our preferred way to update our clients is by using the Client Upgrade feature :

  • Open the SCCM Console
  • Go to Administration / Site Configuration / Sites
  • Click the Hierarchy Settings in the top ribbon
  • Select Client Upgrade tab
  • The Upgrade client automatically when the new client update are available checkbox has been enabled
  • Review your time frame and adjust it to your needs

* See note above about client version not being .1520 on the local client

Monitor SCCM Client Version Number

You can see our SCCM Client version reports to give detailed information about every client version in your environment. It’s the easiest way to track your client updates.

Collections

You can also create a collection that targets clients without the latest client version. I use it to monitor which clients haven’t been updated yet.

Here’s the query to achieve this: (You can also refer to our Set of Operational Collection Powershell Script which contains this collection)

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ClientVersion != '5.00.8458.1520'

Happy updating! 🙂

The post How to apply SCCM 1610 Update Rollup 3 (KB4010155) appeared first on System Center Dudes.

Step-by-Step SCCM 1702 Installation Guide

A new upgrade for SCCM Current Branch is now available. This post is a complete step-by-step SCCM 1702 installation guide. If you’re looking for a complete SCCM installation guide, see our blog series which covers it all. You can’t install this upgrade if you are running SCCM 2012. You need to be at least at SCCM 1511.

Installing SCCM upgrades is very important to your infrastructure. It adds new features and fixes lots of issues, some of which are important.

New Update and Servicing Model

If you’re not familiar with the new SCCM servicing model, read our New Update and Servicing section of the 1602 upgrade post which explains it all.

Similar to SCCM 1610, if you need to make a new SCCM installation, you can’t install SCCM 1702 directly. You need to install SCCM 1606 first and then apply SCCM 1702 from the console. SCCM 1606 is the baseline version if you’re starting from scratch.

*If you are running SCCM 1511, 1602, 1606 or 1610, the latest updates will be replaced by SCCM 1702 in the SCCM Console after installation. If you are on SCCM 1511, you won’t be able to install 1602, 1606 or 1610 after 1702. You can skip all previous versions and install SCCM 1702 directly which contains all 1602, 1606 and 1610 fixes and features.

SCCM 1702 New Features and Fixes

If you’ve been installing SCCM Technical Preview in your lab, SCCM 1702 contains most features included in the latest Technical Previews. Refer to the chart in the Capabilities delivered in technical previews section.

1702 includes lots of new features and enhancements in Operating system deployment, Software Updates, application management and Mobile device deployment.

Consult the What’s new in version 1702 of System Center Configuration Manager Technet article for a full list of changes. 1702 also applies the latest KB/fixes to fix known bugs, including KB3209501, KB3214042 and KB4010155.

Here’s our list of favorite features:

  • Close executable files at the deadline when they would block application installation – If executable files are listed on the Install Behavior tab for a deployment type and the application is deployed to a collection as required, then a more intrusive notification experience is provided to inform the user, and the specified executable files will be closed automatically at the deadline
  • Support for Windows 10 Creators Update – This version of Configuration Manager now supports the release of upcoming Windows 10 Creators Update
  • Express files support for Windows 10 Cumulative Update – Configuration Manager now supports Windows 10 Cumulative Update using Express files
  • Customize high-risk deployment warning – You can now customize the Software Center warning when running a high-risk deployment, such as a task sequence to install a new operating system

Deprecated Features

Version 1702 drops support for the following products:

  • SQL Server 2008 R2, for site database servers. This version of SQL Server remains supported when you use a Configuration Manager version prior to version 1702.
  • Windows Server 2008 R2, for site system servers and most site system roles. This version of Windows remains supported when you use a Configuration Manager version prior to version 1702.
  • Windows Server 2008, for site system servers and most site system roles.
  • Windows XP Embedded, as a client operating system. This version of Windows remains supported when you use a Configuration Manager version prior to version 1702.

Support for SCCM Current Branch Versions

Make sure to apply this update before you fall into an unsupported SCCM version. Read about the support end dates of prior versions in the following Technet article.

Before you begin

Downloading and installing this update is done entirely from the console. There’s no download link; the update will appear in your console once the Service Connection Point is synchronized.

If you’re running a multi-tier hierarchy, start at the top-level site in the hierarchy. After the top-level site upgrades, you can begin the upgrade of each child site. Complete the upgrade of each site before you begin to upgrade the next site. Until all sites in your hierarchy are upgraded, your hierarchy operates in a mixed version mode.

Before applying this update, we strongly recommend that you go through the upgrade checklist provided on Technet. Most importantly, initiate a site backup before your upgrade.

In this post, we’ll be updating a standalone Primary Site Server, consoles and clients.

Before installing, check if your site is ready for the update:

  • Open the SCCM console
  • Go to Administration \ Cloud Services \ Updates and Servicing
  • In the State column, ensure that the update is Available
  • If it’s not available, right-click Updates and Servicing and select Check for Updates
  • The update state will change to Downloading
  • You can follow the download in Dmpdownloader.log or by going to Monitoring / Site Servicing Status, right-clicking your Update Name and selecting Show Status
  • The process will first download a .CAB file and will then extract the file into the EasyPayload folder in your SCCM Installation directory (GUID: 2dc025b9-af2f-4f22-a477-33f19c16c14c). It can take up to 15 minutes to extract all files.

SCCM 1702 Installation guide

Step 1 | SCCM 1702 Prerequisite check

Before launching the update, we recommend running the prerequisite check:

  • Open the SCCM console
  • Go to Administration \ Cloud Services \ Updates and Servicing
  • Right-click the Configuration Manager 1702 update and select Run prerequisite check
  • Nothing visible will happen; the prerequisite check runs in the background. All menu options will be grayed out during the check
  • One way to see progress is by viewing C:\ConfigMgrPrereq.log
  • You can also monitor the prerequisite check by going to Monitoring / Site Servicing Status, right-clicking your Update Name and selecting Show Status
  • When completed, the State column will show Prerequisite check passed

Step 2 | Launching the SCCM 1702 update

We are now ready to launch the SCCM 1702 update. At this point, plan about 45 minutes for the update installation.

  • Right-click the Configuration Manager 1702 update and select Install Update Pack
  • On the General tab, click Next
  • On the Features tab, select the features you want to update
  • If you don’t select one of the features now and want to enable it later, you’ll be able to do so by using the console in Administration \ Cloud Services \ Updates and Servicing \ Features
  • In the Client Update Options, select the desired option for your client update
  • On the License Terms tab, accept the license terms and click Next
  • On the Summary tab, review your choices and click Next
  • On the Completion tab, close the wizard. The whole process took a minute, but the installation is not over; it has only been initiated
  • During installation, the State column changes to Installing
  • You can monitor the installation by going to Monitoring / Site Servicing Status, right-clicking your Update Name and selecting Show Status
  • … or you can follow detailed installation progress in SCCM Installation Directory\Logs\CMUpdate.log

Warning
We’ve done numerous SCCM upgrades. Some installations start a couple of minutes after you complete the wizard, but we’ve seen some installations start after a 10-minute delay. Do not reboot or restart any services during this period or your update could be stuck in “Prerequisite check passed” status with all other options grayed out. There’s actually no officially documented method from Microsoft to fix that. Patience is the key!

  • When completed, you’ll notice the message There are no pending update package to be processed in the log file
  • In Monitoring / Site Servicing Status, right-click your Update Name and select Show Status; the last step will be Installation Succeeded
  • Refresh the Updates and Servicing node; the State column will be Installed
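
A read-only way to check on the installation during the quiet period described in the warning is to parse CMUpdate.log for the completion message and for how long ago the last entry was written. This is an added example, not part of the original post: the function name is hypothetical, and the sample lines and their `$$<component><timestamp>` layout are constructed for illustration.

```powershell
# Added example, not from the original post. Read-only: it parses log text and
# never touches services or the update itself.
function Get-CMUpdateLogState {
    param(
        [Parameter(Mandatory)][string[]] $Line,   # lines read from CMUpdate.log
        [datetime] $Now = (Get-Date)
    )
    # Completion message quoted in this guide.
    $doneText = 'There are no pending update package to be processed'
    # Assumed timestamp layout: <MM-dd-yyyy HH:mm:ss.fff+offset>
    $stamp = [regex]'<(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})'

    $lastTime = $null
    $lastText = $null
    $doneSeen = $false
    foreach ($entry in $Line) {
        if ([string]::IsNullOrWhiteSpace($entry)) { continue }
        $m = $stamp.Match($entry)
        if ($m.Success) {
            $lastTime = [datetime]::ParseExact($m.Groups[1].Value,
                'MM-dd-yyyy HH:mm:ss', [cultureinfo]::InvariantCulture)
        }
        $lastText = $entry
        if ($entry.Contains($doneText)) { $doneSeen = $true }
    }

    # A long gap since the last entry is not, on its own, a reason to restart anything.
    $idle = if ($lastTime) { [math]::Round(($Now - $lastTime).TotalMinutes, 1) } else { $null }

    [pscustomobject]@{
        LastEntryTime         = $lastTime
        MinutesSinceLastEntry = $idle
        CompletionSeen        = $doneSeen
        CompletionIsLatest    = [bool]($lastText -and $lastText.Contains($doneText))
    }
}

# Constructed sample lines (not taken from a real site server).
$sample = @(
    'Constructed entry: update package is being processed  $$<CONFIGURATION_MANAGER_UPDATE><03-28-2017 14:02:11.402+240><thread=3412 (0xD54)>'
    'There are no pending update package to be processed.  $$<CONFIGURATION_MANAGER_UPDATE><03-28-2017 14:41:57.018+240><thread=3412 (0xD54)>'
)
Get-CMUpdateLogState -Line $sample -Now ([datetime]'2017-03-28T14:45:00')

# Against a real site, replace the placeholder with your installation directory:
# Get-CMUpdateLogState -Line (Get-Content '<SCCM Installation Directory>\Logs\CMUpdate.log' -Tail 500)
```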

Updating the consoles

As with previous cumulative updates, the console has an auto-update feature. When you open the console, if you are not running the latest version, you will receive a warning and the update will start automatically.

  • Since all update operations were initiated from the console, we didn’t close it during the process. We received a warning message when clicking certain objects. You will have the same message when opening a new console
  • Click OK; the console update will start automatically
  • Wait for the process to complete. You can follow the progress in C:\ConfigMgrAdminUISetup.log and C:\ConfigMgrAdminUISetupVerbose.log. Once completed, the console will open and you’ll be running the latest version

Verification

Consoles

After setup is completed, verify the build number of the console. If the console upgrade was successful, the build number will be 5.0.8498.1500. You can also notice that Version 1702 is stated.

Servers

  • Go to Administration \ Site Configuration \ Sites
  • Right-click your site and select Properties
  • Verify the Version and Build number

Clients

The client version will be updated to 5.00.8498.1007 (after updating, see section below)

SCCM 1702 Client Package distribution

You’ll see that the 2 client packages are updated:

  • Navigate to Software Library \ Application Management \ Packages
  • Check if both packages were updated; if not, select both packages and initiate a Distribute Content to your distribution points

Boot Images

Boot images are automatically updated during setup. See our post on upgrade consideration in a large environment to avoid this if you have multiple distribution points.

  • Go to Software Library / Operating Systems / Boot Images
  • Select your boot image and check the last Content Status date. It should match your setup date

Updating the Clients

Our preferred way to update our clients is by using the Client Upgrade feature: (You can refer to our complete post documenting this feature)

  • Open the SCCM Console
  • Go to Administration / Site Configuration / Sites
  • Click the Hierarchy Settings in the top ribbon
  • Select Client Upgrade tab
  • The Upgrade client automatically when the new client update are available checkbox has been enabled
  • Review your time frame and adjust it to your needs

Monitor SCCM Client Version Number

SCCM Reports Client Version

You can see our SCCM Client version reports to give detailed information about every client version in your environment. It’s the easiest way to track your client updates.

Collections

You can also create a collection that targets clients without the latest client version. I use it to monitor which clients haven’t been updated yet.

Here’s the query to achieve this: (You can also refer to our Set of Operational Collection Powershell Script which contains this collection)

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ClientVersion != '5.00.8498.1007'
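
One way to create that collection from PowerShell and summarize which client versions are still in it. This is an added example, not the Operational Collection script referenced above; the site code `PS1` and the collection name are placeholders, and it assumes the Configuration Manager console (and its PowerShell module and site drive) is available on the machine.

```powershell
# Added example, not from the original post. Assumptions: the Configuration Manager
# console is installed on this machine and 'PS1' stands in for your site code.
$SiteCode       = 'PS1'                              # placeholder site code
$TargetVersion  = '5.00.8498.1007'                   # 1702 client version given in this guide
$CollectionName = "Clients not at $TargetVersion"    # hypothetical collection name

function New-OutdatedClientQuery {
    param([Parameter(Mandatory)][string] $Version)
    # Accept only a dotted version so the value cannot alter the WQL statement.
    if ($Version -notmatch '^\d+(\.\d+){3}$') {
        throw "Unexpected client version format: $Version"
    }
    'select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,' +
    'SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client ' +
    "from SMS_R_System where SMS_R_System.ClientVersion != '$Version'"
}

Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Push-Location "$($SiteCode):"
try {
    if (-not (Get-CMDeviceCollection -Name $CollectionName)) {
        # Re-evaluate membership once a day.
        $schedule = New-CMSchedule -Start (Get-Date) -RecurInterval Days -RecurCount 1
        New-CMDeviceCollection -Name $CollectionName -LimitingCollectionName 'All Systems' `
            -RefreshType Periodic -RefreshSchedule $schedule | Out-Null
        Add-CMDeviceCollectionQueryMembershipRule -CollectionName $CollectionName `
            -RuleName "ClientVersion != $TargetVersion" `
            -QueryExpression (New-OutdatedClientQuery -Version $TargetVersion)
    }

    # Membership fills in after the first collection evaluation.
    Get-CMDevice -CollectionName $CollectionName |
        Group-Object ClientVersion |
        Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'ClientVersion'; e = { $_.Name } }
}
finally {
    Pop-Location
}
```

Because the query uses `!=`, the collection also picks up clients that are newer than the target version, so update `$TargetVersion` after each site upgrade.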

Happy updating ! 🙂

The post Step-by-Step SCCM 1702 Installation Guide appeared first on System Center Dudes.

How to enable Android for Work in SCCM and Intune

Starting with SCCM 1702, mobile device management with SCCM and Microsoft Intune (Hybrid) now supports Android for Work device enrollment and management. You can manage compliance settings, wipe or delete Android devices, deploy apps, and collect software and hardware inventory. Users can download the Android company portal app from Google Play that lets them enroll Android for Work devices.

Enable SCCM Android for Work

The first step is to create a Google account and configure your Intune subscription to accept Android for Work devices. Refer to our previous blog post if you don’t already have an active Intune subscription.

  • Create a Google account that will be used as your Android for Work admin account. This account will be shared by the administrators in your team who manage Android devices. It will also be used to manage, publish and approve apps in the Play for Work console
  • Once the account is created, open the SCCM console and go to Administration \ Cloud Services \ Microsoft Intune Subscriptions
  • Right-click the Microsoft Intune Subscription and select Configure Platforms \ Android for Work
  • On the Microsoft Intune Subscription Properties screen, click the link at the bottom to Configure Android for Work in the Intune console
  • You will be redirected to your organization’s Intune portal. Log on using your credentials
  • Go to Admin / Mobile Device Management / Android for Work
  • On the right pane, select Configure to open Google Play’s Android for Work website
  • Enter the Google account that you just created and enter your company information
  • After entering the information, confirm that Android for Work is enabled
  • At the bottom, select Manage supported devices as Android for Work, then click Save
  • Back in the SCCM console, go to Administration \ Cloud Services \ Android For Work
  • Check the Sync Status and ensure that it’s Successful

Enroll Android for Work Devices

Your users have to download the Android company portal app from Google Play to enroll devices in SCCM. If the company portal is not installed on Android devices, you will only be able to deploy apps to Android devices. The app prompts the user to create a work profile as part of the enrollment process. Once the work profile is created, users must switch to the managed version of the Company Portal. The managed Company Portal is tagged with a small orange briefcase in the bottom-right corner.

Note
To enroll devices that support Android for Work but were previously enrolled as regular Android devices, the devices must be unenrolled and then re-enrolled.

The post How to enable Android for Work in SCCM and Intune appeared first on System Center Dudes.

Configure High-Impact Task Sequence Settings in SCCM 1702

Starting with SCCM 1702, new options are available in Task Sequences. It’s now possible to give more information about Task Sequence in Software Center (restart required, the download size of the task sequence, and the estimated run time), create a custom notification for high-risk deployments and configure any task sequence as a high-risk deployment. The new options can be found in the properties of any Task Sequence.

We will configure those options and show how they affect the end user.

SCCM High-Impact Task Sequence Settings

It’s possible to configure any task sequence (including non-operating system task sequences) as a high-risk deployment. This allows the user to receive a notification before the task sequence runs, which can be customized by the SCCM administrator.

  • Go to Software Library / Operating Systems / Task Sequences
  • Right-Click your task sequence, select Properties
  • On the User Notification tab, you can select to use default text or a custom text

Let’s create a custom notification and see the result on the user side.

We deployed the task sequence to a client and executed it from Software Center. Here are the results:

Using default text:

Notice that the bold message has been changed from the previous versions. The old message for any operating system installation indicated that all apps, data, and settings would be lost, which was not true for an in-place upgrade.

Using custom text:

Software Center Properties

Before SCCM 1702, it was not possible to show the estimated run time and the download size of a Task Sequence (as is possible for packages and applications). It’s now possible to set this information in the Task Sequence Properties.

  • Go to Software Library / Operating Systems / Task Sequences
  • Right-click your task sequence, select Properties
  • On the General tab, you can set the information manually

Here’s the result in Software Center:

Nothing set:

With Values:

Those are nice additions which will help your users know exactly what’s going on. This could be particularly helpful when deploying an Operating System upgrade using the new Windows 10 servicing model.

The post Configure High-Impact Task Sequence Settings in SCCM 1702 appeared first on System Center Dudes.


No Enrollment Policy during Intune Client Installation

When a company wants to manage an iOS mobile device, an Apple Push Notification Service (APN) certificate is installed on the iOS devices. This certificate installation makes sure that the connectivity between the devices, Apple, and your MDM solution is trusted. Intune is no exception to this process.

It’s the main reason why you can send remote actions directly to iOS devices from the Intune or SCCM console.

After the certificate is configured in Intune, users can install the Company Portal app to enroll their devices (Android, iOS, Windows). When users open the Company Portal for the first time, they must enter their tenant credentials to identify themselves.

Once the authentication succeeds, the Company Portal will prompt the user to install an MDM profile including the APN certificate. If the configuration of your Apple APN certificate is missing or has expired, the No Enrollment Policy error message appears. Do not panic. We’ll describe how to fix this in the next section.

To resolve this issue, you need to configure your APN certificate or verify its health status.

  • If you are using Intune in hybrid mode, open the SCCM console
  • Navigate to Administration / Cloud Services / Microsoft Intune Subscription and select Configure Platforms / iOS
  • In the first tab, if you haven’t configured an APN certificate, create one!
  • If you have, your certificate has probably expired, and you will likely need to renew your APN certificate with SCCM on the Apple portal
  • Download the new certificate and upload it to the Intune Subscription, then click OK

Verification

Restart the installation of the Intune client within the Company Portal. The Intune No Enrollment Policy error message should be gone.

We also suggest that you set an alert before the APN certificate expires. That way, you won’t miss the yearly renewal of the APN certificate anymore.

The post No Enrollment Policy during Intune Client Installation appeared first on System Center Dudes.

SCCM Endpoint Protection Management Guide

SCCM Endpoint Protection is not the simplest SCCM task to put in place. Over the years, we have trained many SCCM administrators using a simple approach and deployment strategy. We created this complete SCCM Endpoint Protection Guide based on our knowledge and experience.

This guide is a best-practice guide on how to plan, configure, manage and deploy Endpoint Protection with SCCM. It aims to help SCCM administrators understand the basic concepts of each part of Endpoint Protection management.

Many Endpoint Protection settings require customization based on your environment. This document describes a typical case that can be used in any organization as a good starting point for efficient malware protection.

The guide will help you achieve these tasks:

  • Install Endpoint Protection point role
  • Configure Software Update point to support Endpoint Protection
  • Configure automatic deployment rules for Definition Updates
  • Configure Endpoint Protection Agent policies
  • Deploy the Endpoint Protection Agent
  • Manage Endpoint Protection clients

This guide does not explain how to setup your Software Update Point.

This guide does not cover Windows Defender Advanced threat

Download and own this SCCM Endpoint Protection Management Guide in a single PDF file.

The PDF file is a 67-page document that contains all the information needed to manage Endpoint Protection with SCCM. Use our products page or use the button below to download it.

SCCM Endpoint Protection Guide Document screenshots

The post SCCM Endpoint Protection Management Guide appeared first on System Center Dudes.

Enable and Configure SCCM Install Behavior for Applications

SCCM 1702 introduces a new feature to check and close executable files before application installation. This could be useful if you need to close a certain process before an SCCM application installation. One example would be some Adobe products that need Internet Explorer to be closed before installation. Before 1702, there was no way to do this using a built-in option in SCCM. A popular User Voice item was delivered as a pre-release feature in SCCM 1702, which is called SCCM install behavior for applications.

We will show you how to enable and configure the Install Behavior tab in an application deployment type and show you the different behaviors based on the deployment properties.

Enable SCCM Install Behavior for Applications

Before you can use the Install Behavior feature, you must enable it as it’s still a pre-release feature:

  • In the SCCM Console, go to Administration \ Site Configuration \ Sites
  • Click Hierarchy Settings in the top ribbon
  • Ensure that the Consent to use pre-release feature checkbox is checked
  • Go to Administration \ Updates and Servicing \ Features
  • Right-click Pre-Release Install Behavior for applications
  • Select Turn On
  • On the warning dialog, click Yes
  • Close your SCCM console and reopen it
  • Verify that you have the Install Behavior tab in any application deployment type

Create a Check for Running Executable Files Rule

For our post, we will deploy 7zip to a computer and we’ll ask to check if notepad.exe is running before installing.

  • Right-click an application deployment type and select Properties
  • Click the new Install Behavior tab
  • Click Add
  • Enter your Executable File Name and Display Name – In our case notepad.exe / Notepad
  • Click OK and close the deployment type properties

Create a Deployment – Available vs Required

Depending on the purpose of the deployment, the user experience will be different:

Available

We will now deploy 7zip to one computer as Available. When deploying as Available, there is no new option at deployment creation.

  • On our test computer, Notepad is running
  • In Software Center, we launch the 7zip installation by clicking Install
  • The application fails to install and the user is prompted to close the running executable you specified (in Install Behavior) before it can proceed with the installation
  • Close Notepad and rerun the installation from the Software Center. The application installs correctly

Required Deployment

We will now create the same deployment but with a Required assignment.

  • Create a new Required deployment. You’ll notice a new checkbox in the Deployment Settings pane
  • If Automatically close any running executables you specified on the install behavior tab of the deployment type properties dialog box is selected, a more intrusive notification experience is provided to inform the user, and the specified executable files will be closed automatically at the deadline.
  • One important thing to mention is that the User Experience / User Notification setting matters here. If you select Hide Software Center and all notifications, the notification will not be shown, the running application will be closed without notice, and the user could lose unsaved data.
  • For our post, we select Display in Software Center and show all notifications
  • The user receives this notification before the deadline and can choose when to close the applications using 3 options:
  • Right now: Notepad is closed and the application installs (7zip)
  • Outside my business hours: Notepad will close outside business hours (following Business hour logic)
  • Snooze and remind me: User will be reminded at a later time
  • If the user does nothing, at the deadline, Notepad will close automatically without other notice and the application (7zip) will install. The Software Center notification will stay on the user screen (!). This will probably be fixed in an upcoming release.

Monitoring

When monitoring your deployment using the Install Behavior feature:

  • In the SCCM Console, go to Monitoring \ Deployments
  • You’ll find a new error when a process prevents the installation: One or more process are running and prevent enforcement action.

Bonus Tips

If you specify more than one application in Install Behavior, the warning will show all applications that need to be closed. The applications that are not running at deployment time will not be displayed.

The post Enable and Configure SCCM Install Behavior for Applications appeared first on System Center Dudes.

SCCM Endpoint Protection on Windows 10 Creators Update 1703

System Center Endpoint Protection and Windows Defender both have a history of changes since they came out years ago. When Windows 10 came out, more changes were made to Endpoint Protection and Windows Defender, as we covered in a previous post. The latest Windows 10 Creators Update (1703) also brings its share of changes for Windows Defender, which then impact Endpoint Protection on the end-user side.

If you are new to System Center Endpoint Protection, see our complete guide which covers it all.

In this post, we will look at what changed for Endpoint Protection and Windows Defender in the Windows 10 Creators Update (1703).

What’s new for Endpoint Protection on Windows 10 Creators Update?

First things first: the name! Microsoft has once again renamed Windows Defender. The new name is Windows Defender Antivirus. This is due to the rise of Advanced Threat Protection (ATP) and the idea that Windows Defender is becoming more of a security suite for Windows 10.

This can be seen under Settings / Update & Security / Windows Defender. Basic information is available on this screen.

To see each “component” of Windows Defender, Microsoft has created a Windows Defender Security Center section.

Windows Defender standalone window

The standalone window is now gone. Everything can be found in the Windows Defender Security Center.

This is how it looks before Creators Update:

With Windows 10 Creators Update:

How to run a manual scan?

As stated earlier, Microsoft likes to move stuff around regarding Endpoint Protection and Windows Defender. The manual scan has moved:

  • To run a scan, go to Windows Defender Security Center / Virus & threat protection
  • Quick Scan and Advanced Scan are available
  • Under Advanced Scan, a new option is available: Windows Defender Offline Scan

More details about Windows Defender Offline Scan are available in the Technet article.

How to validate Anti-malware policies

To validate which Anti-malware policies are applied from Endpoint Protection:

  • Go to Windows Defender Security Center / Settings
  • Click the gear icon on the bottom
  • Then click on About
  • Anti-malware policies are displayed in a similar format as before

SCCM Definition Updates

Definition updates haven’t changed for the new release of Windows 10. It is still required to deploy Windows Defender Definition Update KB2267602. Also, note that the update is still in the Windows Defender product category.
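
The policy and definition checks above can also be scripted with the Defender cmdlets that ship with Windows 10 (`Get-MpComputerStatus` and `Get-MpPreference`) instead of opening the About page on each machine. This is an added example, not part of the original post; the function name, the 3-day definition age threshold and the sample objects are assumptions.

```powershell
# Added example, not from the original post.
function Test-DefenderClientState {
    param(
        [Parameter(Mandatory)] $Status,       # Get-MpComputerStatus output (or a same-shaped object)
        [Parameter(Mandatory)] $Preference,   # Get-MpPreference output (or a same-shaped object)
        [int] $MaxSignatureAgeDays = 3        # assumed threshold; align it with your definition update schedule
    )
    $issues = New-Object System.Collections.Generic.List[string]
    if (-not $Status.AMServiceEnabled)          { $issues.Add('Antimalware service is not enabled') }
    if (-not $Status.AntivirusEnabled)          { $issues.Add('Antivirus protection is not enabled') }
    if (-not $Status.RealTimeProtectionEnabled) { $issues.Add('Real-time protection is off') }
    if ($Status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $issues.Add("Definitions are $($Status.AntivirusSignatureAge) days old " +
                    "(version $($Status.AntivirusSignatureVersion))")
    }

    # Exclusions arrive with the antimalware policy. They are listed rather than
    # flagged, so that overly broad entries are visible during review.
    $exclusions = New-Object System.Collections.Generic.List[string]
    foreach ($kind in 'ExclusionPath', 'ExclusionExtension', 'ExclusionProcess') {
        foreach ($item in @($Preference.$kind)) {
            if ($item) { $exclusions.Add("${kind}: $item") }
        }
    }

    [pscustomobject]@{
        Healthy    = ($issues.Count -eq 0)
        Issues     = $issues.ToArray()
        Exclusions = $exclusions.ToArray()
    }
}

# Constructed sample objects (not captured from a real client).
$sampleStatus = [pscustomobject]@{
    AMServiceEnabled          = $true
    AntivirusEnabled          = $true
    RealTimeProtectionEnabled = $false
    AntivirusSignatureAge     = 9
    AntivirusSignatureVersion = '0.0.0.0'
}
$samplePreference = [pscustomobject]@{
    ExclusionPath      = @('C:\Temp')
    ExclusionExtension = $null
    ExclusionProcess   = $null
}
Test-DefenderClientState -Status $sampleStatus -Preference $samplePreference

# On a Windows 10 client, run the same check against the live state.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    Test-DefenderClientState -Status (Get-MpComputerStatus) -Preference (Get-MpPreference)
}
```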

What are the new features for Windows Defender on Windows 10 Creators update?

As we said at the beginning of this blog, Windows Defender is becoming a suite of Security features.

The Windows Defender Security Center includes the following features on top of Windows Defender Antivirus:

Firewall & network protection

This is a high-level view of the Firewall status. Windows Firewall with Advanced Security is still available and necessary.

Device Performance & Health

This new section provides an overview of the Windows Update, Storage Capacity, Device Drivers and Battery life.

Not much has emerged for this section so far. Status and reports are automatically generated.

Warnings and errors will change the Windows Defender Security Center icon displayed in the system tray.

App & Browser Control

This section is what was previously known as SmartScreen, which is now rebranded as Windows Defender SmartScreen.

It comes with 3 settings sections: Check Apps & files, SmartScreen for Microsoft Edge and SmartScreen for Windows Store apps.

A fourth setting is available in Internet Explorer 11. This seems to be a standalone On/Off switch, as it doesn’t affect any settings under App & Browser Control.

Family Option

This is pretty much Parental Control, but online with LiveID.

Clicking on View family settings leads to this Microsoft page, which is an online service for family options.

For more details on Windows Defender in Windows 10 Creators Update, see the Technet article.

The post SCCM Endpoint Protection on Windows 10 Creators Update 1703 appeared first on System Center Dudes.

SCCM Express Installation Files for Windows 10 Updates

One of the new features of SCCM Current Branch 1702 is support for Express installation files for Windows 10 Cumulative Updates. This new feature enables a Windows 10 client to download only the differential files from the previous month’s Cumulative Update. This should limit the size of Windows 10 Cumulative Updates, as they tend to get bigger from month to month.

In this post, we will cover how to configure SCCM and Windows 10 in order to benefit from express installation files.

Prerequisites for SCCM Express Installation Files

Note

This feature is also supported with Windows Update, WSUS and Windows Update for Business.

Enable Express Installation Files in SCCM

New settings for server and client are needed in order to manage Express installation files.

A modification must be done to the Software Update Point component:

  • Open the SCCM console, go to Administration / Site Configuration / Sites / Configure Site Components and select Software Update Point
  • On the Update Files tab, a new setting is available: Download both full files for all approved updates and express installation files for Windows 10

Client settings

Enabling this option also requires a modification on the client side by modifying the client settings:

  • Go to Administration / Site Configuration / Client Settings
  • Edit your client setting, click Properties
  • Under Software Update, scroll to Enable installation of Express installation files on clients
  • Another setting must be set: Port used to download content for Express installation files

Note
Microsoft has only provided this small explanation on the port.

This creates a new HTTP listener that listens for requests to download express installation files on the port that you specify. Once you deploy client settings to enable this functionality on the client, it will attempt to download the delta between the current month’s Windows 10 Cumulative Update and the previous month’s update (clients must run a version of Windows 10 that supports express installation files).

The port configuration is not required to be open in any firewall, as this is for local computer traffic only.

The actual download of updates still uses the Distribution Point process, which is port 80 by default.

Express installation files download

When the Software Update Point is configured to download Express installation files, the download will be done just like any other update.

  • If we take a closer look inside a Software Update Package, we can see a new folder with Express at the beginning
  • Inside, we can see the difference between the Express files and the full KB below. The size is roughly 3 times bigger for the Express file. This specific KB3150513 is pretty small. There is no Express file so far for the big cumulative update. It will be interesting to follow over the next months.
  • Under the Properties/Content Information of the KB, we can see the Express information.
  • On the client side, as stated above, we were not able to “use” the Express file. It’s the client that determines whether to use it or not.

We will update this post when we have more information on the client side impact.

More details can be found in Microsoft documentation.

The post SCCM Express Installation Files for Windows 10 Updates appeared first on System Center Dudes.
