Starting with SCCM 1702, a new command line tool is available to remove content that is no longer associated with any package or application from a distribution point. The Content Library Cleanup tool (ContentLibraryCleanup.exe) can help you reclaim valuable space in a specific distribution point's content library.
The tool will delete content from the library based on the specified distribution point when the tool is run.
SCCM Content Library Cleanup Tool Requirements
You can run the content library cleanup tool directly on the computer that hosts the distribution point, or remotely from another server.
You can run the tool from a single distribution point at a time
You will need to have Full Administrator RBAC Role and the “All” Security scope in the Configuration Manager hierarchy
Running the Tool
You can find ContentLibraryCleanup.exe in the SCCMInstallationDir\cd.latest\SMSSETUP\TOOLS\ContentLibraryCleanup\ folder on the primary site or central administration site.
You can run the tool in 2 modes: What-If mode and Delete mode.
We will start by not specifying the /delete switch. The tool then runs in What-If mode. This mode allows you to identify the content that would be deleted from the distribution point.
On your Primary site, open an administrative command prompt and go to the ContentLibraryCleanup folder (see full path above)
Command : ContentLibraryCleanup /dp SCCM2012
The tool will check the content library on the SCCM2012 machine which is my distribution point (in What-If mode)
We encounter the following error:
System.InvalidOperationException: This content library cannot be cleaned up right now because package 10000004 is not fully installed. at Microsoft.ConfigurationManager.ContentLibraryCleanup.CLContentLibrary.LoadDistributedPackagesFromProvider() at Microsoft.ConfigurationManager.ContentLibraryCleanup.CLContentLibrary.LoadValidContentData() at Microsoft.ConfigurationManager.ContentLibraryCleanup.CLContentLibrary..ctor(String remoteDPFqdn, String primarySiteServerFqdn, String primarySiteCode) at Microsoft.ConfigurationManager.ContentLibraryCleanup.Program.Main(String[] args)
This error happens because package ID 10000004 has content replication issues.
If you have this error, open the SCCM console and fix the replication issue on the specified package ID and rerun the tool
The tool runs and the log file is written to the temp folder of the user account that runs the tool. The log file will open automatically
Review the log file to see what would be deleted if the /delete switch were used.
When you’re fine with it, run the following command to delete the content:
ContentLibraryCleanup /dp SCCM2012 /Delete
Before deleting each file, you must confirm that the file should be deleted (Yes, No, All)
We have compiled a list of SCCM Endpoint Protection agent versions, build numbers and cumulative updates. Anti-Malware platform updates are cumulative, meaning that the latest one includes the previous one.
If you are new to System Center Endpoint Protection, see our complete guide which covers it all. We have been documenting these versions for a few years now, since the SCCM 2012 RTM release. If we missed some versions, please let us know and we will update this post.
This post will be updated as new releases are made available.
This lists all available System Center Endpoint Protection agent versions and provides Installed or Required statistics for each.
System Center Endpoint Protection Agent Supported Platform
Microsoft plans to release one or two Anti-malware platform updates per year for down-level OS (Windows 8.1 and up).
Here's Microsoft's official statement about supported platforms:
During the technical support (only) phase, commercially reasonable support incidents will be provided through Microsoft Customer Service & Support and Microsoft’s managed support offerings (such as Premier Support). If a support incident requires escalation to development for further guidance, requires a non-security update, or requires a security update, customers will be asked to upgrade to the latest platform version.
(Platform versions older than N-2 are no longer supported.)
Version | Availability Date | Supported Phase
4.7 (baseline) | February 2015 | Technical Support (Only) for upgrades to the latest platform version
4.8 | May 2015 | Technical Support (Only)
4.9 | April 2016 | Technical Support (Only)
4.10 | October 2016 | Security and Critical Updates
For more details on the supported platforms, see the TechNet article.
Friday morning, the sun is shining, coffee is flowing… You monitor your SCCM site and find out that your WSUS Synchronization is failing when it was working perfectly yesterday. The first error that you encounter is SCCM HTTP Error 503 The service is unavailable in a couple of places:
In Wsyncmgr.log:
Sync failed: The request failed with HTTP status 503: Service Unavailable. Source: Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer
In Component Status : Monitor / System Status / Component Status
SMS_WSUS_SYNC_Manager is in a warning state:
WSUS Synchronization failed. Message: The request failed with HTTP status 503: Service Unavailable. Source:Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer
If you try to access the URL for the WSUS Administration website (e.g. http://SCCM2012:8530), it fails with the error: HTTP Error 503. The service is unavailable
What causes SCCM HTTP Error 503?
Don't panic, this issue can usually be fixed easily, but not that quickly. There are two main causes of this error:
The WsusPool Application Pool (in IIS) is stopped.
The Private Memory Limit (KB) for the Application Pool is not high enough (default value: 1843200 KB)
For a detailed explanation of why this issue occurs, see the article written by Kent Agerlund.
Resolution
The first thing you need to do is give more memory to the WSUS Application Pool (WsusPool)
On your Software Update Point, start IIS Manager
Expand your site and click Application Pools
You'll notice that the WsusPool is Stopped
Select WsusPool in the center pane, and then click Advanced Settings in the Action pane
In Advanced Settings, scroll to Private Memory Limit
Set the value to between 6 and 10 GB (in KB) and click OK
Restart WsusPool by clicking Start and close IIS
Verification
We will now initiate a Software Update synchronization in the SCCM Console
Go to Software Library / Software Updates
Right click All Software Updates and select Synchronize Software Updates
Monitor the sync process in Wsyncmgr.log
Open Task Manager and monitor the IIS Worker Process memory consumption. It should go up to a couple of GB. If it reaches your memory limit, the pool will crash again. Give more memory to the WsusPool and restart the synchronization
Be aware that the initial synchronization could take a couple of hours. Be patient, and be sure to apply Kent's recommendations to prevent this from occurring again in the future.
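The same check and fix, scripted so it can be repeated on every Software Update Point. This is an added example, not code from the original post; it assumes the default pool name WsusPool, an 8 GB target limit (inside the 6 to 10 GB range above) and an elevated session on the SUP.

```powershell
# Added example (not from the original post): inspect WsusPool, raise its
# Private Memory Limit and start it if stopped. Run elevated on the SUP.
Import-Module WebAdministration

$poolName = 'WsusPool'                      # assumption: default WSUS pool name
$targetKB = 8388608                         # assumption: 8 GB expressed in KB
$poolPath = "IIS:\AppPools\$poolName"

# 1. Pool state: a stopped pool is what produces the HTTP 503 on port 8530.
$state = (Get-WebAppPoolState -Name $poolName).Value
Write-Host "$poolName state: $state"

# 2. Current Private Memory Limit in KB. 0 means unlimited; the IIS default is 1843200.
$currentKB = (Get-ItemProperty $poolPath -Name recycling.periodicRestart.privateMemory).Value
Write-Host "Current Private Memory Limit: $currentKB KB"

# 3. Raise the limit only when it is below the target, so the script is safe to re-run.
if ($currentKB -ne 0 -and $currentKB -lt $targetKB) {
    Set-ItemProperty $poolPath -Name recycling.periodicRestart.privateMemory -Value $targetKB
    Write-Host "Private Memory Limit raised to $targetKB KB"
}

# 4. Start the pool if it crashed; the WSUS sync cannot reach it otherwise.
if ($state -ne 'Started') {
    Start-WebAppPool -Name $poolName
    Write-Host "$poolName started"
}

# 5. While the synchronization runs, watch the worker process memory: if it
#    climbs to the limit, IIS recycles the pool and the 503 comes back.
Get-Process -Name w3wp -ErrorAction SilentlyContinue |
    Select-Object Id, @{ n = 'PrivateMemoryMB'; e = { [int]($_.PrivateMemorySize64 / 1MB) } }
```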
A few days ago we released three new Endpoint Protection reports. Together these reports give you a great insight into how well your Endpoint Protection clients are doing.
This report shows you useful information about endpoint protection on a single page.
The boxes at the top show the current status as well as a trend for the last 30 days for each of the 5 categories a client can be in (Protected, Inactive, At Risk, Unprotected, Infected).
The At Risk and Unprotected categories show a breakdown of the subcategories that make up these two states. If you bought the System Health – Endpoint Protection reports, you can click on a number and it will drill through to a filtered sub report that shows you the troubled clients.
Note
A client can be in multiple states, it can be both Inactive and At Risk at the same time.
The Malware Detected and Malware Activity charts give you a good overview of what malware is detected and how many clients are infected per day. If you bought the System Health – Endpoint Protection reports, you can click on either a specific malware or a specific day to drill through to a filtered sub report for more information.
System Health – Endpoint Protection
This report can be used by itself, but works great as a sub report for the Endpoint Protection Dashboard. It gives you detailed information about the endpoint protection clients in a defined collection.
System Health – Malware Detection
The Malware Detection report gives details about malware that's detected in a given collection: information like Client Name, Detection Time, Threat Name and Category, Severity and, most importantly, whether it was successfully cleaned. It can be used standalone or as a sub report of the Endpoint Protection Dashboard.
Additional details can be found on each report page accessible from our menu or directly from our main product page.
We encountered an interesting issue at a client today. All Windows 10 1511 clients were failing to install a cumulative update and to send their Software Update scan status to the SCCM Software Update Point. We were trying to apply the latest Windows 10 1511 Cumulative Update KB4019473 to ensure protection against the WannaCry outbreak.
A Software Update Group was created with the needed update and deployed to the client collection
A required schedule was set on the deployment
Clients were pointing to the right Software Update Point
Clients needed this update and it was not previously installed
In the SCCM Console, Software Library \ Software Updates \ All Software Updates, no devices were requesting this update
Troubleshooting
Since everything pointed to a client error, we checked the client logs:
The UpdateHandler.log (C:\Windows\CCM\Logs) shows repeated errors: Update scan completion received, result = 0x80240fff
The scan was unable to complete and send the result
Using the Get-WindowsUpdateLog PowerShell command, we generated the WindowsUpdate.log and opened it
There again, the same error is shown: 0x80240FFF
Key information about the failure is in this file: Two Swap OSUpgrades are found, Update1 ={Guid}, Update2 ={Guid}
Resolution
We now have a clue that 2 updates are causing the scan to fail. We open SQL Management Studio to find which update is causing the problem based on the GUID.
In Object Explorer, expand Database
Right-click your CM_XXX database and select New Query
In the query window, enter the following query, replacing GUID1 and GUID2 with the values you noted in the WindowsUpdate.log
select * from v_UpdateInfo where CI_UniqueID = 'GUID1' OR CI_UniqueID = 'GUID2'
Look for the Title column to see the update name
Open the Windows Server Update Services console
Go to Updates, right-click All Updates and select Search
Enter the name of the update and click Find Now
Right-click the problematic update and select Decline
Once the sync is complete on the server (see ConfigMgrSetup\Logs\Wsyncmgr.log), reinitiate a Software Update Scan Cycle on the problematic client
The scan error should be gone and the required computers count should go up in the SCCM console
We still haven't tested re-approving the problematic update after a successful scan. We were also not able to pinpoint the exact cause of this issue. We'll update this post if we have more to share about this.
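The log-to-SQL-to-WSUS steps above, chained in one script. This is an added example and not the post's own procedure; the log path, SQL instance, CM_XXX database name and WSUS server name are placeholders, and it assumes the SqlServer module (Invoke-Sqlcmd) and the WSUS console assemblies are installed where it runs.

```powershell
# Added example (not from the original post): extract the two swap OSUpgrade
# GUIDs from WindowsUpdate.log, resolve their titles in the site database and
# decline them in WSUS. All server/database names below are placeholders.
$logPath    = "$env:USERPROFILE\Desktop\WindowsUpdate.log"  # output of Get-WindowsUpdateLog
$sqlServer  = 'SQLSERVER\INSTANCE'                           # placeholder site DB instance
$database   = 'CM_XXX'                                        # placeholder site database
$wsusServer = 'WSUSSERVER'                                    # placeholder WSUS server
$wsusPort   = 8530

# 1. Pull the two GUIDs out of the "Two Swap OSUpgrades are found" line.
$pattern = 'Two Swap OSUpgrades are found, Update1\s*=\s*\{?([0-9a-fA-F-]{36})\}?.*Update2\s*=\s*\{?([0-9a-fA-F-]{36})\}?'
$hit = Select-String -Path $logPath -Pattern $pattern | Select-Object -First 1
if (-not $hit) { throw "No 'Two Swap OSUpgrades' line found in $logPath" }
$guids = $hit.Matches[0].Groups[1, 2] | ForEach-Object { $_.Value }
Write-Host "Conflicting updates: $($guids -join ', ')"

# 2. Resolve the GUIDs to titles with the same view the console query uses.
$inList = ($guids | ForEach-Object { "'$_'" }) -join ','
$query  = "SELECT CI_UniqueID, Title FROM v_UpdateInfo WHERE CI_UniqueID IN ($inList)"
$rows   = Invoke-Sqlcmd -ServerInstance $sqlServer -Database $database -Query $query
$rows | Format-Table CI_UniqueID, Title -AutoSize

# 3. Decline the matching updates in WSUS; the next sync removes them from the scan.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($wsusServer, $false, $wsusPort)
foreach ($row in $rows) {
    $target = [guid]$row.CI_UniqueID
    # SearchUpdates matches on title; filter again on the GUID to avoid declining look-alikes.
    $update = $wsus.SearchUpdates($row.Title) | Where-Object { $_.Id.UpdateId -eq $target }
    if (-not $update) { Write-Warning "Not found in WSUS: $($row.Title)"; continue }
    if ($update.IsDeclined) { Write-Host "Already declined: $($row.Title)"; continue }
    $update.Decline()
    Write-Host "Declined: $($row.Title)"
}
```

After the next WSUS synchronization completes (Wsyncmgr.log), trigger a Software Update Scan Cycle on the affected client as described above.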
Every time I’m starting a new Windows 10 deployment project, I need to know which Windows 10 ADK is installed on a server to use with MDT or SCCM. The Windows 10 ADK (Assessment and Deployment Kit) has the tools you need to customize Windows images for large-scale deployment, and to test the quality and performance of the system, the added components, and the applications running on the system.
How to find your Windows 10 ADK Version
In Programs and Features, all Windows 10 ADK versions are listed as Windows Assessment and Deployment Kit – Windows 10. The only element that differs is the build version at the right.
Each time, I end up googling the version number, but the information is not easy to find. Those days are over, since I will be documenting the Windows 10 ADK version history in a beautiful table until Microsoft decides to include the build number in the name of the product… which could be never…
With each major release of Windows 10 comes a new release of the Windows Assessment and Deployment Kit. This means yet another product to keep up to date in your environment. In this post, we will cover how to update an existing installation of a Windows ADK on an SCCM server. If you are looking for a history of Windows ADK versions, see our post here.
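Reading the same build number without opening Programs and Features. This is an added example, not part of the post; it queries the Uninstall registry keys that Programs and Features displays and assumes the product name prefix shown above.

```powershell
# Added example (not from the original post): report the installed Windows ADK
# build from the Uninstall registry keys, locally or on a remote SCCM/MDT server.
function Get-WindowsAdkVersion {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)

    $probe = {
        # Both the 64-bit and WOW6432Node views are checked; the ADK registers under one of them.
        $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like 'Windows Assessment and Deployment Kit*' } |
            Select-Object DisplayName, DisplayVersion, InstallDate, PSChildName |
            Sort-Object DisplayVersion -Descending
    }

    if ($ComputerName -eq $env:COMPUTERNAME) {
        & $probe
    } else {
        # Assumption: WinRM is enabled on the target server.
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $probe
    }
}

# DisplayVersion is the build shown at the right in Programs and Features.
Get-WindowsAdkVersion | Format-Table DisplayName, DisplayVersion, InstallDate -AutoSize
```

Any later ADK add-on packages that share the same name prefix are listed too, each with its own DisplayVersion.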
The following steps can be applied no matter what version of the ADK is already installed or will be installed.
Why must the Windows ADK be updated?
Stay supported for SCCM and Windows 10 OS deployment
*Should* match the Windows 10 version deployed
New setting in WinPE or in the Unattend.xml for the latest Windows 10 build
Notes
The Windows ADK does not have a history of bug-free releases. You should hold off on the update for a couple of days or weeks to watch for bug reports
It's not mandatory to update the Windows ADK in order to deploy the latest Windows 10 build. An earlier version of the Windows ADK should work just fine, even if unsupported, when a new Windows 10 release comes out.
Windows ADK Compatibility Chart
Here's the table for Windows ADK compatibility with SCCM Current Branch, at the time of posting.
Select Download and provide a path. This allows you to pre-download the Windows ADK content prior to the installation
Select Privacy level for the download
Accept the License Agreement
Download will take some time as the Windows ADK is about 4.4GB
Download completed
Once ready for the update, the old version of the Windows ADK must be uninstalled
Open Program and Features, select Windows Assessment and Deployment Kit – Windows 10 and click on Uninstall
Once the previous Windows ADK is uninstalled, reboot the server
Once rebooted, run ADKsetup.exe in the download folder you specified in the previous step
Select the installation path, click Next
Select Privacy level wanted. Click Next
Accept license agreement
Select the following mandatory features. You can select more if you need others. Click Install
Deployment Tools
Windows Preinstallation Environment (Windows PE)
User State Migration Tool (USMT)
Once completed, verify in Programs and Features that the Windows ADK has been updated to the latest version
Reboot the server once again
Updating Boot images
After the Windows ADK update is completed, boot images must be updated in order to use the latest bits for Windows PE.
There are 2 scenarios for your boot images:
Default boot image and updated ADK prior to an SCCM upgrade
If you updated the ADK prior to an in-place upgrade of SCCM to the latest Current Branch release, the SCCM upgrade will automatically regenerate the default boot images as part of the upgrade.
This is not clearly stated as part of an SCCM upgrade. After an upgrade, look at the OS version of the default Boot images, if it is matching your installed version of the Windows ADK, you are good!
Sometimes, the automatic update of the default boot images doesn't work. This is often caused by old drivers that were added to the boot images.
You can catch this by checking for a previous OS version on the boot images
Custom boot image or updated Windows ADK after an SCCM Upgrade
If you are in one of those situations, boot images must be taken care of in a more manual fashion.
If you use custom boot images
If you already did the SCCM upgrade prior to the Windows ADK update
Wilhelm Kocher and Herbert Fuchs, from Microsoft Premier, created a PowerShell script to help with this matter
When we hit Update Distribution Point on a boot image (custom or default), it will be possible to Reload this boot image with the current Windows PE version from the Windows ADK
This will actually do the exact same thing as the script used!
Unattend.xml consideration
Unattend.xml files are used to pass configuration to Windows while the installation is going on. With a new release of Windows 10, new settings could become available at the installation time. XML files are configured using Windows System Image Manager (Windows SIM). Windows SIM is part of the ADK.
That said, new or modified unattend.xml files could be needed along with new Windows 10 releases. They should be modified or created with Windows SIM after the Windows ADK has been updated.
The first Update Rollup for SCCM Current Branch (1702) is now available. This post is a complete SCCM 1702 Update Rollup 1 (KB4010155) installation guide. If you're looking for a complete SCCM 1511 installation guide, see our blog series which covers it all. You can't install this upgrade if you are running SCCM 2012. You need to be running SCCM 1702 to apply this update.
Installing SCCM upgrades is important for your infrastructure. It fixes a lot of issues in SCCM 1702, some of which are important.
New Update and Servicing Model
If you're not familiar with the new SCCM servicing model, read the New Update and Servicing section of our 1602 upgrade post, which explains it all.
You may wonder what’s the difference between a Cumulative Update (CU) and an Update Rollup (UR) :
A CU is a new servicing baseline. A post-CU1 hotfix requires CU1 first, whereas a post-UR1 hotfix doesn’t require UR1. Like CU, UR are cumulative which means that UR2 will include previous hotfixes.
*If you are running SCCM 1511, 1602, 1606 or 1610, you first need to upgrade to 1702 prior to applying this Update Rollup, see our blog which covers the upgrade process. Once completed, the Update Rollup 3 will be available under Update and Servicing node.
SCCM 1702 Update Rollup 1 Fixes
Consult this support page for a full list of issues fixed.
Before you begin
Downloading and installing this update is done entirely from the console. There’s no download link, the update will appear in your console once synchronized.
When you install an in-console update (new versions, CU, UR, KB):
It automatically runs a prerequisite check. You can also run this check prior to starting the installation
It installs at the central administration site (if you have one), and at primary sites automatically. You can control when each primary site server is allowed to update its infrastructure by using Service Windows for site servers
After a site server updates, all affected site system roles (including instances of the SMS Provider) automatically update. Configuration Manager consoles also prompt the console user to update the console, after the site installs the update
If an update includes the Configuration Manager client, you are offered the option to test the update in pre-production, or to apply the update to all clients immediately
After a primary site is updated, secondary sites do not automatically update. Instead, you must initiate the secondary site update
In this post, we’ll be updating a standalone Primary Site Server, console and clients.
Reminder
It's a best practice to have some exclusions for your antivirus/anti-malware software on the SCCM server. Here is a list of exclusions from SCCM 2012, which is still valid for CB as far as we know. You could also consider disabling the AV prior to installing the update and re-enabling it once completed.
Before installing, check if your site is ready for the update :
Open the SCCM console
Go to Administration \ Cloud Services \ Updates and Servicing
In the State column, ensure that the update is Available
If not already downloaded, hit Download
If it’s not available, right-click Updates and Servicing and select Check for Updates
The update state will change to Downloading
You can follow the download in Dmpdownloader.log
The update files are stored in the EasyPayload folder in your SCCM Installation directory
Before launching the update, we recommend to launch the prerequisite check:
Open the SCCM console
Go to Administration \ Cloud Services \ Updates and Servicing
Right-click the Configuration Manager 1702 Hotfix (KB4019926) update and select Run prerequisite check
Nothing visible will happen; the prerequisite check runs in the background. All menu options will be grayed out during the check
You can monitor prerequisite check by going to Monitoring / Site Servicing Status, right-click your Update Name and select Show Status
When completed the State column will show Prerequisite check passed
Step 2 | Launching the SCCM 1702 Update Rollup 1
We are now ready to launch the SCCM 1702 Update Rollup 1. At this point, plan about 30 minutes for the update installation.
Right click the Configuration Manager 1702 update and select Install Update Pack
On the General tab, click Next
In the Client Update Options, select the desired option for your client update
This new feature allows updating only clients member of a specific collection. Refer to our post here
On the License Terms tab, accept the licence terms and click Next
On the Summary tab, review your choices and click Next
On the Completion tab, close the wizard. The whole process took a minute but the installation is not over, it has been initiated
During installation, the State column changes to Installing
You can monitor installation by going to Monitoring / Site Servicing Status, right-click your Update Name and select Show Status
… or you can follow detailed installation progress in SCCM Installation Directory\Logs\CMUpdate.log
Warning
We've done numerous SCCM installations and upgrades. Some installations start a couple of minutes after you complete the wizard, but we've seen some installations start after a 10-minute delay. Do not reboot or restart any services during this period or your update could be stuck in "Prerequisite check passed" status with all other options grayed out. There's actually no officially documented method by Microsoft to fix that. Patience is the key!
When completed, you’ll notice the message There are no pending update package to be processed in the log file
Refresh the Updates and Servicing node, the State column will be Installed
Updating the consoles
Since 1602, the console has an auto-update feature. At console opening, if you are not running the latest version, you will receive a warning and the update will start automatically.
Since all updates operations were initiated from the console, we didn’t close it during the process. We received a warning message when clicking certain objects. You will have the same message when opening a new console
Click OK, console update will start automatically
Wait for the process to complete. You can follow the progress in C:\ConfigMgrAdminUISetup.log and C:\ConfigMgrAdminUISetupVerbose.log. Once completed, the console will open and you’ll be running the latest version
Verification
Consoles
After setup is completed, verify the build number of the console. If the console upgrade was successful, the build number will be 5.0.8498.1711. Note that the Site Version is not changed to the Update Rollup version. This is normal.
Clients
The client version will be updated to 5.00.8498.1711 (after updating, see section below)
SCCM 1702 Update Rollup 1 Client Package distribution
You’ll see that the 2 client packages are updated:
Navigate to Software Library \ Application Management \ Packages
Check if both packages were updated, if not, select both packages and initiate a Distribute Content to your distribution points
Updating the Clients
Our preferred way to update our clients is by using the Client Upgrade feature:
Open the SCCM Console
Go to Administration / Site Configuration / Sites
Click the Hierarchy Settings in the top ribbon
Select Client Upgrade tab
The Upgrade client automatically when new client updates are available checkbox has been enabled
Review your time frame and adjust it to your needs
Monitor SCCM Client Version Number
You can use our SCCM Client version reports to get detailed information about every client's version in your environment. It's the easiest way to track your client updates.
You can also create a collection that targets clients without the latest client version. I use it to monitor which clients haven't been updated yet.
Collections
Here's the query to achieve this (you can also refer to our Set of Operational Collections PowerShell script, which contains this collection):
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ClientVersion !='5.00.8498.1711'
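Creating that collection with the ConfigurationManager module and listing the clients still behind. This is an added example, not code from the post or from the operational collections script; the site code P01, the collection name and the All Systems limiting collection are placeholders.

```powershell
# Added example (not from the original post): build the "not on 5.00.8498.1711"
# collection from the WQL query above, refreshed weekly, and report its members.
$SiteCode       = 'P01'                                   # placeholder site code
$CollectionName = 'Client Version - Not 5.00.8498.1711'  # placeholder name
$TargetVersion  = '5.00.8498.1711'

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Push-Location "$($SiteCode):\"

# Same query as in the post, with the version parameterised so the script can be
# reused for the next rollup.
$query = @"
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client
from SMS_R_System where SMS_R_System.ClientVersion != '$TargetVersion'
"@

# Create the collection only if it does not exist yet, so re-running is harmless.
$collection = Get-CMDeviceCollection -Name $CollectionName
if (-not $collection) {
    $schedule   = New-CMSchedule -RecurInterval Days -RecurCount 7
    $collection = New-CMDeviceCollection -Name $CollectionName -LimitingCollectionName 'All Systems' `
                      -RefreshType Periodic -RefreshSchedule $schedule
    Add-CMDeviceCollectionQueryMembershipRule -CollectionId $collection.CollectionID `
        -RuleName "ClientVersion not $TargetVersion" -QueryExpression $query
    # Evaluate membership now instead of waiting for the first scheduled refresh.
    Invoke-CMCollectionUpdate -CollectionId $collection.CollectionID
}

# Which devices still report an older client, and how many.
$behind = @(Get-CMDevice -CollectionId $collection.CollectionID | Select-Object Name, ClientVersion)
Write-Host "$($behind.Count) device(s) not yet on $TargetVersion"
$behind | Sort-Object Name | Format-Table -AutoSize

Pop-Location
```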
Last September, the Power BI solution template for System Center Configuration Manager was released. The SCCM Power BI Dashboard provides detailed information about your SCCM hierarchy, including client and server health, malware protection, software updates, and software inventory. Better late than never, we decided to do a blog post on how to link your SCCM server to Power BI and install the SCCM Power BI Dashboard. The SCCM Dashboard will show data as soon as you finish this wizard. You'll also be able to build your own Power BI reports and publish them if you have a valid Power BI license.
If you are not familiar with Power BI, you can read the FAQ which has answers to the most common questions.
The installation wizard will get us through the process of entering the information about our SCCM, SQL Server and/or Azure environment in order to establish a connection for Power BI. At the end of the process, the Template file (Dashboard) will be available to download and use.
The Office 365 portal pops up; select your work email account and enter your credentials if you're not already logged in
On the Business Platform Solution Template screen, click Accept
Once back on the Getting Started pane, click on the Download button
This will download the SCCM-Template.exe file. Once downloaded, launch the executable
Wait for the process to complete
The installation wizard will launch in a new window, click Next
On the Login pane, enter your credentials to connect to the SCCM database. These credentials will also be used to run a PowerShell script on a recurring schedule. Click on Validate, then Next
In the Source pane, enter your SCCM server name, click on Validate, select your Database from the drop-down then Next
On the Target pane, select your SQL Server, click on Validate, select your Database from the drop-down then Next
If you are using Azure SQL (which is unlikely for an SCCM installation), check the Using Azure SQL box
Steps 5, 6, 7 and 8 will be automatically skipped
On the Customize pane, select the time you wish to have your scheduled task to be run and the desired Compliance Target number, click on Validate and Next
Review your choices, enter your email address if you wish to receive information about Power BI, and click Run
The installation starts. The initial synchronization pulls data out of Configuration Manager database and pushes the data into the specified SQL Database
Once the process is completed, you can download the Power BI SCCM Dashboard by clicking on Download Report
Once downloaded, open the SolutionTemplate.pbix file, it will open in Power BI Desktop
One last step needs to be done in order for the data to populate. On the top ribbon, click on Edit Query and select Data Source Settings
Click on any query on the left pane and select Edit Credentials
Select your preferred credential method and click Connect
If you have an Encryption Support warning, click OK to accept the unencrypted connection
If your credentials have the Read right on the SCCM database, all the "!" icons will turn into table icons. This means that the data can be read.
Click the Apply Changes button on the warning on the top
The magic happens! Click the Overview pane to validate that the data is shown
Power BI Pro
Optional – If you have a Power BI Pro subscription, you can click the Publish button at the top to save your report in your Power BI portal
That's it! You are now ready to create reports and dashboards using Power BI. Refer to the product documentation if you need help getting started.
Usually, when it comes to driver management for computers already deployed, we say 'If it ain't broken, don't fix it'. Once in a while, a driver or firmware could require an update because of a bug reported by multiple users, but that would usually be an exception.
Microsoft Surface devices have proven over and over that this statement doesn't apply to them. Microsoft Surface, since the beginning of the brand, tends to work better with the latest firmware version. Microsoft often releases new firmware revisions alongside major Windows 10 releases.
For home users, the update will be applied with the standard Windows Update process and delivered in stages. For businesses, firmware update management by WSUS or SCCM is not yet available. (Feature is included in the latest SCCM Technical Preview 1706 but not yet in the latest 1702 production version)
This blog post will detail how to update the Microsoft Surface firmware using SCCM.
SCCM Update Microsoft Surface Firmware Prerequisites
Download the latest MSI version of the needed firmware
Other sub-models (Wifi, LTE, AT&T) of Surface 3 and older are available here
Surface 3 and newer models
Older models don’t have an available MSI version for Firmware management
Important Note
Microsoft has started to release firmware updates based on Windows 10 builds. Vigilance is key here.
As an example, the Surface Pro 4 has a release specifically for the Creators Update (build ID 15063).
This would mean that older Windows 10 versions should use the other release of the firmware, which has no build ID in the name.
Why use the MSI to Update Microsoft Surface Firmware?
Microsoft Surface firmware contains multiple drivers, software, and UEFI updates. Most releases do not upgrade all drivers, firmware and UEFI at once. Some releases only update one or two components, while others will update pretty much everything. Keeping an inventory of each of those components would be a huge effort to maintain and manage across releases.
Using the provided MSI file gives an easy way to inventory all those components, since it creates an entry in Programs and Features once installed.
Update Microsoft Surface Firmware History
The update history for all Microsoft Surface models is available here.
As an example, the update for a Surface Pro 4 on May 25th had many components updated:
Microsoft also provides a preview of what to expect from the update:
Microsoft is inconsistent with firmware versions. In this example, the MSI version, which will eventually display in Programs and Features, is not on the history page.
The only thing matching "approximately" is the Date Published. Word of advice: keep track of versions and release dates for future debugging.
Create application for SCCM Microsoft Surface Firmware Update
We will now show how to deploy the firmware MSI files using SCCM:
Select your new application and on the top ribbon, click Distribute Content to send your content to your distribution points
Looking at the Detection Method under the Deployment Type, we see that it looks for an MSI Product Code
SCCM Update Microsoft Surface Firmware
The deployment can be done just like any other deployment.
Important consideration
Microsoft Surface firmware updates require a reboot. If the deployment is mandatory, the client computer will reboot to complete the installation. Plan accordingly. Target a deployment date and time outside of working hours. Use Maintenance Windows if necessary.
The user will see the following happen on the Microsoft Surface after the installation has been triggered by SCCM
Restarting
Getting Windows Ready
Please wait while we install a system Update
After the reboot, Working on updates
Under the hood, the .BIN files under C:\Windows\Firmware will be updated:
After the installation, the SurfacePro4 Update is visible in the Programs and Features
Monitor Microsoft Surface Firmware Versions
You can use a built-in report (Computers with specific software registered in Add Remove Programs) to check which devices have the firmware installed, using hardware inventory. Just use the exact name that is displayed in Programs and Features to target your search.
You can use our new Asset – Surface devices report to get detailed information about every Microsoft Surface in your environment, including UEFI versions and Firmware versions when deployed with this method.
Following the excellent PowerShell script that Benoit wrote to create operational collections, I decided to rethink it a bit to help classify collections and ease Role-based administration control implementation when different groups of users access SCCM. On top of that, the way the collection folders are designed helps implement a naming convention that keeps things clear all across the SCCM console.
The overall idea is to keep collections on a per-need basis. Having one collection that receives client settings, 1-2 applications, OSD and Windows Updates can lead to unplanned/accidental deployments or misconfiguration. With one collection per need, everything is well targeted.
I also prefer to have inventory collections feed my deployment collections, instead of always recreating the queries.
I’ve been using the same methodology for years at multiple client sites. When I go back after a few years, I know exactly what is going on, as they have been using the naming and structure all that time.
The script creates 17 folders and 36 collections. The collections are set to refresh on a 7-day schedule. If a collection already exists, the script will return an error but will continue.
Some of the collections come from Benoit’s script. (Thanks, Benoit!)
OS Deployment, Software Distribution and Test collections are meant to have manual membership defined.
The collection WKS – SU – Exclusion is excluded from all Software Update collections to prevent patching specific systems.
Role-based administration control
The All Servers, All Workstations and All Workstations – Admin collections are specifically made for RBAC. That’s why they are the Master Collections: they will probably be the limiting collection for 99% of the collections.
The concept is the following:
Give the server team only access to All servers
Give the technician team access to All Workstations
This gives technicians access to the collections considered production-ready for OS and software deployment, on top of the inventory collections
Collections limited to All Workstations – Admin would then be hidden from standard technicians
Give SCCM Admin or higher ranks tech access to All Workstations – Admin
This makes available collections such as the Software Update or test collections
Benefits
Role-based administration control “ready” as explained earlier
Loading time of each sub-folder will be faster because there will be fewer collections to load.
Collection’s naming convention will be useful in other areas of the console:
Collection name under Package or Applications deployments tab
The first Hotfix Rollup for SCCM Current Branch (1710) is now available. This post is a complete SCCM 1710 Hotfix Rollup (KB4057517) installation guide. If you’re looking for a complete SCCM Current Branch installation guide, see our blog series which covers it all. You can’t install this upgrade if you are running SCCM 2012. You need to be running SCCM 1710 to apply this update.
Installing SCCM upgrades is important for your infrastructure. This one fixes a lot of issues in SCCM 1710, some of which are important.
New Update and Servicing Model
If you’re not familiar with the new SCCM servicing model, read the New Update and Servicing section of our 1602 upgrade post, which explains it all.
You may wonder what the difference is between a Cumulative Update (CU) and an Update Rollup (UR)/Hotfix Rollup (HR):
A CU is a new servicing baseline. A post-CU1 hotfix requires CU1 first, whereas a post-UR1 hotfix doesn’t require UR1. Like CU, UR is cumulative which means that UR2 will include previous hotfixes.
*If you are running SCCM 1511, 1602, 1606, 1610, 1702 or 1706, you first need to upgrade to 1710 prior to applying this Hotfix Rollup; see our blog post which covers the upgrade process. Once completed, the Hotfix Rollup will be available under the Updates and Servicing node.
List of SCCM 1710 Hotfix Rollup Fixes
Consult this support page for a full list of issues fixed.
Before you begin
Downloading and installing this update is done entirely from the console. There’s no download link, the update will appear on your console once synchronized.
When you install an in-console update (new versions, CU, UR, KB):
It automatically runs a prerequisite check. You can also run this check prior to starting the installation
It installs at the central administration site (if you have one), and at primary sites automatically. You can control when each primary site server is allowed to update its infrastructure by using Service Windows for site servers
After a site server updates, all affected site system roles (including instances of the SMS Provider) automatically update. Configuration Manager consoles also prompt the console user to update the console, after the site installs the update
If an update includes the Configuration Manager client, you are offered the option to test the update in pre-production, or to apply the update to all clients immediately
After a primary site is updated, secondary sites do not automatically update. Instead, you must initiate the secondary site update
In this post, we’ll be updating a standalone Primary Site Server, console and clients.
Reminder
It’s a best practice to have some exclusions for your antivirus/anti-malware software on the SCCM server. Here is a list of exclusions for SCCM 2012, which is still valid for CB as far as we know. You could also consider disabling the AV prior to installing the update and re-enabling it once completed.
Before installing, check if your site is ready for the update :
Open the SCCM console
Go to Administration \ Cloud Services \ Updates and Servicing
In the State column, ensure that the update is Available
If not already downloaded, hit Download
If it’s not available, right-click Updates and Servicing and select Check for Updates
The update state will change to Downloading
You can follow the download in Dmpdownloader.log
The update files are stored in the EasyPayload folder in your SCCM Installation directory
Before launching the update, we recommend running the prerequisite check:
Open the SCCM console
Go to Administration \ Cloud Services \ Updates and Servicing
Right-click the Configuration Manager 1710 Hotfix (KB4057517) update and select Run prerequisite check
Nothing will happen, the prerequisite check runs in the background. All menu options will be grayed out during the check
You can monitor prerequisite check by going to Monitoring / Site Servicing Status, right-click your Update Name and select Show Status
Note
The prerequisite check was the fastest we have witnessed yet!
When completed, the State column will show Prerequisite check passed
Step 2 | Launching the SCCM 1710 Hotfix Rollup
We are now ready to launch the SCCM 1710 Hotfix Rollup. At this point, plan about 30 minutes for the update installation.
Right-click the Configuration Manager 1710 update and select Install Update Pack
On the General tab, click Next
In the Client Update Options, select the desired option for your client update
This new feature allows updating only clients that are members of a specific collection. Refer to our post here
On the License Terms tab, accept the license terms and click Next
On the Summary tab, review your choices and click Next
On the Completion tab, close the wizard. The whole process took a minute, but the installation is not over; it has only been initiated
During installation, the State column changes to Installing
You can monitor installation by going to Monitoring / Site Servicing Status, right-click your Update Name and select Show Status
… or you can follow detailed installation progress in SCCM Installation Directory\Logs\CMUpdate.log
Warning
We’ve done numerous SCCM installations/upgrades. Some installations start a couple of minutes after you complete the wizard, but we’ve seen some start after a 10-minute delay. Do not reboot or restart any services during this period or your update could be stuck in “Prerequisite check passed” status with all other options grayed out. There’s actually no officially documented method by Microsoft to fix that. Patience is the key!
When completed, you’ll notice the message There are no pending update package to be processed in the log file
Refresh the Updates and Servicing node, the State column will be Installed
Updating the consoles
Since 1602, the console has an auto-update feature. At console opening, if you are not running the latest version, you will receive a warning and the update will start automatically.
Since all update operations were initiated from the console, we didn’t close it during the process. We received a warning message when clicking certain objects. You will see the same message when opening a new console
Click OK; the console update will start automatically
Wait for the process to complete. You can follow the progress in C:\ConfigMgrAdminUISetup.log and C:\ConfigMgrAdminUISetupVerbose.log. Once completed, the console will open and you’ll be running the latest version
Verification
Consoles
After setup is completed, verify the build number of the console. If the console upgrade was successful, the build number will be 5.0.8577.1108. Note that the Site Version is not changed to the Hotfix Rollup version. This is normal.
Clients
The client version will be updated to 5.00.8577.1108 (after updating, see section below)
SCCM 1710 Hotfix Rollup Client Package distribution
You’ll see that the 2 client packages are updated:
Navigate to Software Library \ Application Management \ Packages
Check if both packages were updated, if not, select both packages and initiate a Distribute Content to your distribution points
Updating the Clients
Our preferred way to update our clients is by using the Client Upgrade feature:
Open the SCCM Console
Go to Administration / Site Configuration / Sites
Click the Hierarchy Settings in the top ribbon
Select Client Upgrade tab
Ensure the Upgrade client automatically when the new client update are available checkbox is enabled
Review your time frame and adjust it to your needs
Monitor SCCM Client Version Number
You can use our SCCM Client version report for detailed information about every client’s version in your environment. It’s the easiest way to track your client updates.
You can also create a collection that targets clients without the latest client version. I use it to monitor which clients haven’t been updated yet.
Collections
Here’s the query to achieve this: (You can also refer to our Set of Operational Collection Powershell Script which contains this collection)
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ClientVersion !='5.00.8577.1108'
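As an added example (not the Set of Operational Collection script itself), this PowerShell creates the collection above the way the operational-collections post describes: in its own console folder, limited to the All Workstations RBAC master collection, refreshed every 7 days, and skipped with a warning if it already exists. The site code, site server FQDN, folder name and collection name are assumptions; the query is the one from this post.

```powershell
# Added example, not the post's own script. Requires the ConfigMgr console (and its
# ConfigurationManager PowerShell module) on the machine running it.
$SiteCode            = 'P01'                    # assumed site code
$SiteServer          = 'sccm.contoso.local'     # assumed primary site server FQDN
$FolderName          = 'Inventory'              # assumed folder under Device Collections
$LimitingCollection  = 'All Workstations'       # RBAC master collection from the post
$CollectionName      = 'WKS - Inventory - Client version not latest'   # assumed name
$LatestClientVersion = '5.00.8577.1108'         # client version from the 1710 hotfix rollup

# Load the module shipped with the console and connect to the site drive.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
if (-not (Get-PSDrive -Name $SiteCode -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $SiteServer | Out-Null
}
Set-Location "$($SiteCode):\"

# One folder per "need" so the console tree mirrors the naming convention.
$folderRoot = "$($SiteCode):\DeviceCollection"
$folderPath = "$folderRoot\$FolderName"
if (-not (Test-Path $folderPath)) { New-Item -Name $FolderName -Path $folderRoot | Out-Null }

# The query from the post; only the version string is parameterized.
$query = "select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name," +
         "SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client " +
         "from SMS_R_System where SMS_R_System.ClientVersion != '$LatestClientVersion'"

if (Get-CMDeviceCollection -Name $CollectionName) {
    # Same behaviour as the post's script: report the existing collection and continue.
    Write-Warning "Collection '$CollectionName' already exists, skipping"
} else {
    # Limited to the RBAC master collection, refreshed on a 7-day schedule.
    $schedule   = New-CMSchedule -RecurInterval Days -RecurCount 7 -Start (Get-Date)
    $collection = New-CMDeviceCollection -Name $CollectionName `
                      -LimitingCollectionName $LimitingCollection `
                      -RefreshType Periodic -RefreshSchedule $schedule
    Add-CMDeviceCollectionQueryMembershipRule -CollectionId $collection.CollectionID `
        -RuleName 'Client version not latest' -QueryExpression $query
    Move-CMObject -FolderPath $folderPath -InputObject $collection
}
```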
With the release of SCCM 1710, one of the key new features is the possibility of Co-Management with Intune. Going in the direction of Co-Management would eventually allow offloading some management tasks to Intune and being more aligned with the concept of Modern Management for Windows 10.
One of the main requirements to enable Co-Management is to have Intune as the MDM Authority. This goes against what many SCCM admins have done over the past few years by enabling the Intune Connector in SCCM to manage mobile devices from the SCCM console. This is called Intune in Hybrid mode.
Microsoft has come up with a solution to bring Intune back as the MDM authority: Standalone mode. All this without impacting end users and their enrolled devices.
In this post, we will detail how to move Intune from Hybrid mode to Standalone.
Note
If you configured the Intune connector in SCCM but never actually used any of its features, changing the MDM authority to Intune by removing the Intune Subscription from SCCM will do just fine.
Prerequisites to Change SCCM MDM Authority Intune Standalone
Account with Global Administrator role in Azure portal for the first run of the Import tool
Account with Global Administrator role in Intune portal to import data
SCCM 1610 or higher
Intune configured as Hybrid mode with SCCM
Intune License for users
Import SCCM data to Intune
The first step, which is not mandatory, is to bring policies, apps and deployments from SCCM to Intune. This is optional because it could all be recreated manually.
The idea here is to publish the exact same configuration as in SCCM. This leads to a smooth transition without impacting the end user.
First run of the Microsoft Intune Data Importer
The first run must be done by an account that is a member of the Global Administrator role in Azure, to allow the import of content into Intune
Open a Command Prompt as administrator and run the following command:
Command line : intunedataimporter.exe -GlobalConsent
This prompts for credentials. Enter the Global Administrator credentials
Confirmation
Note
When you click Accept, you give the tool permission to do the following:
Read all groups
Sign in and read the user profile
Read and write Intune device configuration and policies
Read and write Intune apps
Read and write Intune role-based administration control policies
Read and write Intune devices
Read and write Intune configuration
Import data
This can be achieved by an Intune Admin or Global Admin.
Start the intunedataimporter.exe by double-clicking on it
Click Next
Specify the SCCM server FQDN and Site code. Select which data should be imported
You can always come back to that screen if you choose not to import discovered data.
Discovery will take a couple of minutes to complete
Next, the tool lists all of the selected components it found, by item category
Note that some items will not be importable
This happens for many different reasons. Scrolling to the right shows the reason
One likely error is that the value in ConfigMgr for setting … is not supported in Intune
Another common error you might get is related to having a collection with a query or manual membership that is not supported by Intune. The only collections that can be converted to Intune are the ones with a simple query for AD group membership. This allows the SCCM deployment to be transferred automatically to Intune and targeted to the right user group
Once items are selected, click Next on the Summary
Sign in with Intune Admin or Global Admin rights
Sign-in
Note
Microsoft recommends importing content to a Trial Tenant before going into production. If the tool is run multiple times for the same tenant, you might end up with duplicate items.
Once logged in, the import process starts automatically.
Click Next
Review errors, as those will need to be addressed before moving users/devices to Intune
Go to Portal.azure.com, under Intune / Device Configuration / Profiles, the policies are imported
Warning
We had issues with the migration of the deployments. The target group, which is a member of our collection in SCCM, was not found in Intune, so the tool was not able to target the assignment correctly.
The group was properly synced to AAD and was available to be assigned manually. The group name had spaces in it. That might have been the issue.
The end result is that we had to manually do the assignment for each policy and applications.
Note that rerunning the import data tool could lead to duplicate items in Intune, and importing only Deployments is not possible without selecting the corresponding items at the same time.
Once the data is imported and all validation is done, it’s time to migrate a group of test users and their devices to see how it goes.
The process is quite simple for user devices. Devices enrolled by users who are no longer allowed to enroll devices into SCCM are automatically redirected to Intune.
This means that users must be excluded from the collection, defined in the SCCM Intune Subscription, that allows users to enroll devices.
To find the collection that is used to allow users to enroll devices, go to Administration / Cloud Services / Microsoft Intune Subscriptions and select Properties on your Microsoft Intune Subscription
Create a user collection that will be used for migration
Add this new collection as an Exclude Collection Rule on the collection used to allow users to enroll devices
WARNING
From this point, users’ devices will be redirected to Intune. Make sure policies, apps and deployments are assigned.
If the configuration is identical to the one in SCCM, this change will be 100% transparent for the user.
Add a test user to the Migration collection
Go to Portal.azure.com, under Intune / Devices / All Devices, migrated devices should show up about 15 minutes later
At this point, the device is managed only by Intune, even if the device is still visible in SCCM
Remaining devices in SCCM are still managed by SCCM only. This is called Mixed MDM Authority, as both Intune and SCCM are managing devices
The Terms and Conditions policy configured in SCCM is automatically migrated to Intune when Mixed Mode is enabled
The Terms and Conditions are not automatically assigned. Go to Intune / Device Enrollment / Terms And Conditions
Select the policy and set the Assignments to the user group of your choice
Before moving all users, testing should be done to ensure that your mobile devices are correctly managed.
Once tests are completed, we can move on using the same method to migrate all other users and devices.
Important Note
If you have devices enrolled through the Apple DEP program, those devices can’t be migrated via their assigned owner. Those devices are considered user-less in Intune.
To migrate those, there is a PowerShell cmdlet available in the Intune data importer.
More details on how to migrate devices without user affinity are available in the Microsoft documentation.
Change MDM authority to Intune standalone
After all user devices are migrated, it’s time to set Intune to standalone.
In SCCM, go to Administration / Cloud Services / Microsoft Intune Subscription, and delete your existing Intune Subscription
Select Change MDM Authority to Microsoft Intune, click Next
Select Yes
Sign in to Intune
Note
The account used to sign in to Intune must have an Intune license assigned.
Starting with SCCM version 1610, the cloud management gateway introduces a new way to manage internet clients. This method is different from the “traditional” Internet-based client management (IBCM). Cloud Management Gateway uses a combination of a cloud service deployed in Microsoft Azure and a new site system role that communicates with that service. Clients then use the service to communicate with SCCM.
The main advantage of a cloud management gateway is that it doesn’t expose your SCCM servers to the internet, but the downside is that it requires an Azure subscription, which brings recurring monthly costs. If you’re still unsure which method to use, you can read the Microsoft documentation and see our blog post about internet client management. Make sure that you understand the limitations of managing internet clients. We strongly encourage using this new method if you’ll be managing clients on the internet, since this feature will evolve with time and support for the traditional way should go away over time. You’ll also need a Cloud Management Gateway if you’re planning to use the new Windows 10 Co-Management features.
For clients to access Cloud Management Gateway, an SSL certificate is required to authenticate computers and encrypt communications. You will also need to create a custom SSL certificate on the Certificate Authority for the CMG. An Azure management certificate is also required to deploy the Cloud Management Gateway.
If you have already set up a Cloud Distribution Point before, the certificate requirements are quite similar
Here are the high-level steps for deploying Cloud Management Gateway:
Verify a unique Azure cloud service URL
Create and issue a custom SSL certificate for the Cloud Management Gateway
Request the Cloud Management Gateway certificate from the Certification Authority
Export the custom Web Certificate
Create a client authentication certificate
Create an Auto-Enroll Group Policy
Export the client certificate’s root
Upload the Cloud Management Gateway management certificate to Azure
Create the Cloud Management Gateway in the SCCM console
Add the Cloud Management Gateway Connector Point role
Configure the Primary Site for client certification authentication
Configure roles for cloud management gateway traffic
Verify Client Communication with the SCCM Cloud Management Gateway
Verify a unique Azure cloud service URL
We don’t need to create the cloud service in Azure; the Cloud Management Gateway setup will create the service. We just need to verify that the Azure cloud service URL is valid and unique.
In the Azure Portal, select Cloud Services on the left, click Add
Enter the desired DNS name
Validate that there’s a green check mark on the right. If your name is not valid, a red X will display; choose a different name in that case
Once your name is valid, take note of it as it will be needed later. We will use SCDCMG for our example
Close the window, do not create the service now
Create and Issue a Custom Web Server Certificate Template on your Certification Authority
This procedure creates a custom certificate template based on the web server certificate template. The certificate will be used for the installation of the SCCM cloud management gateway, and the private key must be exportable as it will be asked for during installation.
In Active Directory, create a security group named SCCM Site Servers that contains your SCCM Primary Site server computer account
On the server running the Certification Authority, open the Certification Authority console (certsrv.mmc), right-click Certificate Templates and select Manage
The Certificate Templates management console opens
Right-click the Web Server template and then select Duplicate Template
In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected in Certification Authority
In the General tab, enter a template name, like SCD SCCM Cloud Management Gateway. Change the validity period if needed. As a best practice, keep in mind that the longer the validity period, the less secure your certificate is
In the Request Handling tab, select Allow private key to be exported
In the Security tab, remove the Enroll permission from the Enterprise Admins security group
Choose Add, enter SCCM Site Servers in the text box, and then choose OK
Select the Enroll and Read permission for this group
Choose OK, close Certificate Templates Console
Back in the Certification Authority (certsrv.mmc) console, right-click Certificate Templates, select New / Certificate Template to Issue
In the Enable Certificate Templates dialog box, select the new template that you just created, SCD SCCM Cloud Management Gateway, click OK
Request the custom web server certificate on the Primary Site Server
This procedure requests and then installs the newly created custom web server certificate on the Primary Site prior to the SCCM cloud management gateway installation
On the SCCM Server, run MMC
On the File Menu, choose Add/Remove Snap-in… select Certificates, and click Add
When prompted for what you want to manage certificates for, select Computer Account, click Next
Select Local Computer and then click Finish
In the Add or Remove Snap-ins dialog box, click OK
In the console, expand Certificates (Local Computer) /Personal / Certificates
Right-click Certificates, select All Tasks /Request New Certificate
On the Before You Begin page, click Next
If you see the Select Certificate Enrollment Policy page, choose Next
On the Request Certificates page, identify SCD SCCM Cloud Management Gateway in the list of available certificates, and then select More information is required to enroll for this certificate. Click here to configure settings
In the Certificate Properties dialog box, in the Subject tab
Subject name: in Type choose Common name
Value: Specify your service name and your domain name by using an FQDN format. (For example: scdcmg.cloudapp.net) and select Add
Alternative name: in Type choose DNS
Value: Specify your service name and your domain name by using an FQDN format. (For example: scdcmg.cloudapp.net) and select Add
Click OK to close the Certificate Properties dialog box
On the Request Certificates page, select SCD SCCM Cloud Management Gateway from the list of available certificates, click Enroll
On the Certificates Installation Results page, wait until the certificate is installed, click Finish
Export Web Server Certificate
This procedure exports the custom web server certificate to file. We will export it as a .CER file for the Azure Management Certificate and in a .PFX format for the cloud management gateway creation.
.CER EXPORT
In the Certificates (Local Computer) console, right-click the SCD SCCM Cloud Management Gateway certificate that you just created, select All Tasks / Export
In the Certificates Export Wizard, choose Next
On the Export Private Key page, select No, do not export the private key and click Next
On the Export file format, select CER and click Next
Save your certificate in a folder, then click Finish to close the Certificate Export Wizard
.PFX EXPORT
Redo the export task a second time
On the Export Private Key page, choose Yes, export the private key, click Next
On the Export File Format page, ensure that the Personal Information Exchange – PKCS #12 (.PFX) option is selected
On the Password page, specify a strong password to protect the exported certificate with its private key, and then click Next
On the File to Export page, specify the name of the file that you want to export
To close the wizard, click Finish in the Certificate Export Wizard page
Close Certificates (Local Computer).
The certificate is now ready to be imported to create an SCCM Cloud Management Gateway
Create the Client Certificate
A client certificate is required on any computer which will be managed via the Cloud Management Gateway. It is also required on the server that will host the Cloud Management Gateway connection point. The fastest way to deploy the client certificate to all your machines is through an autoenrollment GPO. If you do not already have a client certificate template, follow these steps:
RDP to an Intermediate Certification Authority
Open Certification Authority console, right-click Certificate Templates and click Manage
Right-click Workstation Authentication and click Duplicate Template
Make sure to use Server 2003, not 2008
In the General tab, name this template SCCM Client Certificate
Set the Validity Period to 5 years
Click on the Security tab, select the Domain Computers group and add the permissions of Read and Autoenroll, do not clear Enroll. Then click OK
When you refresh your console, you will see that the new template is there
Create an Auto-Enroll Group Policy
A client certificate is required on any computer which will be managed via the Cloud Management Gateway. It is also required on the server that will host the Cloud Management Gateway connection point.
The fastest way to deploy the client certificate to all your machines is through an autoenrollment GPO:
Launch Group Policy Management on your Domain (Start / Administrative Tools /Group Policy Management)
Right-click the desired OU and select Create a GPO in this domain, and Link it here… as we are going to create a new GPO
Name your GPO AutoEnroll ConfigMgr Client Cert, then click OK
Right-click and Edit your newly created GPO
Navigate to: Computer Configuration / Policies / Windows Settings / Security Settings / Public Key Policies
Right-click on Certificate Services Client – Auto-Enrollment and then click Properties
Change the Configuration Model: to Enabled
Check the Update certificates that use certificate templates and Renew expired certificates, update pending certificates, and remove revoked certificates
Click Apply and OK
Reboot a workstation, run gpupdate /force, or wait 15 minutes for Group Policy to be re-applied: any machine on the domain communicating with the DC will automatically request and receive a client certificate, which is placed in the Local Computer Personal certificate store
Export the client certificate’s root
The easiest way to export the root of the client certificates used on the network is to get it on one of the domain-joined machines that receive it through your auto-enrollment GPO
Requirements
Client certificates are required on any computer you want to manage with cloud management gateway and on the site system server hosting the cloud management gateway connector point
Run MMC
From the File menu, choose Add/Remove Snap-in…
In the Add or Remove Snap-ins dialog box, choose Certificates / Add /Computer account / Local computer
Go to Certificates / Personal / Certificates
Double-click the certificate for client authentication on the computer, choose the Certification Path tab, and double-click the root authority (at the top of the path).
On the Details tab, choose Copy to File…
Complete the Certificate Export Wizard using the default certificate format. You’ll need this file to configure the cloud management gateway later
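As an added example (not part of the original post), this PowerShell automates the checks behind the two export procedures above: it confirms the custom web server certificate has a private key and a SAN entry for the cloud service FQDN, exports it as .CER (Azure management certificate) and .PFX (CMG creation), then finds the auto-enrolled client authentication certificate and exports the root CA at the top of its chain. The service FQDN and output folder are assumptions; run it elevated on the Primary Site server for the web certificate part, and on any auto-enrolled domain member for the client root part.

```powershell
# Added example, not part of the original post. Uses the built-in PKI cmdlets
# (Export-Certificate / Export-PfxCertificate) available on Windows 8 / Server 2012 and later.
$ServiceFqdn = 'scdcmg.cloudapp.net'   # cloud service FQDN from the post's example
$OutDir      = 'C:\CMGCerts'           # assumed output folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# --- Web server certificate (Primary Site server) -----------------------------
# Match on the Subject CN entered in the enrollment wizard; keep the newest one.
$webCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$ServiceFqdn*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $webCert) { throw "No certificate with a private key for CN=$ServiceFqdn in LocalMachine\My" }

# The SAN must carry the service FQDN as a DNS name, otherwise clients will reject the CMG.
$san = ($webCert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }).Format($false)
if ($san -notmatch [regex]::Escape("DNS Name=$ServiceFqdn")) {
    throw "Certificate $($webCert.Thumbprint) has no SAN entry for $ServiceFqdn (SAN: $san)"
}

# .CER without the key for the Azure management certificate; .PFX with the key for the CMG wizard.
# The PFX export fails unless the template allowed the private key to be exported.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the PFX'
Export-Certificate    -Cert $webCert -FilePath (Join-Path $OutDir 'cmg-management.cer') -Type CERT | Out-Null
Export-PfxCertificate -Cert $webCert -FilePath (Join-Path $OutDir 'cmg-server.pfx') -Password $pfxPassword | Out-Null

# --- Client authentication certificate root (any auto-enrolled machine) -------
$clientCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'Client Authentication' -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $clientCert) { throw 'No client authentication certificate found; has the auto-enrollment GPO applied?' }

# Walk the certification path to its top element; that self-signed CA is the root
# the cloud management gateway wizard asks for.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # we only want the path, not a CRL lookup
if (-not $chain.Build($clientCert)) { Write-Warning 'Chain did not fully validate; exporting the top element anyway' }
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
Export-Certificate -Cert $root -FilePath (Join-Path $OutDir 'client-root-ca.cer') -Type CERT | Out-Null
$chain.Reset()

[pscustomobject]@{
    WebCertThumbprint    = $webCert.Thumbprint
    WebCertExpires       = $webCert.NotAfter
    ClientCertThumbprint = $clientCert.Thumbprint
    ClientRootSubject    = $root.Subject
    ExportedTo           = $OutDir
}
```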
Upload the certificate to your Azure Subscription
If your company is already using Windows Azure, there is a very good chance that a management certificate has already been created and uploaded. In that case, you will only need to get the .pfx file and its password. If not, follow these instructions to upload the management certificate (.cer file) to the Azure portal.
In the SCCM console, go to Administration / Cloud Services, right-click Cloud Management Gateway and click Create Cloud Management Gateway
In the General pane, paste your Subscription ID and select your Management certificate (.PFX)
On the Settings page
Service name: Enter the cloud service name which was verified in the first step of the post (Ex: Scdcmg)
Description: Enter a description for the Cloud Management Gateway
Region: Enter your Geographical region based on your organization
Instance number: Specify the number of VM instances
Certificate file: Select the PFX certificate created for the Cloud Management Gateway
Service FQDN: Will be populated with your FQDN
At the bottom, click the certificate button and select your certificate
Uncheck the box to Verify Client Certificate Revocation
In the Alerts pane, configure the desired settings
Review your setting and complete the wizard
Once the wizard is completed, it will take between 5 and 15 minutes to provision the service in Azure. Check the Status column for the new cloud management gateway to determine when the service is ready. You can also follow the progress in CloudMgr.log
In progress:
When completed:
Add the Cloud Management Gateway Connector Point
The cloud management gateway connector point is a new site system role for communicating with cloud management gateway. Let’s add this role to our management point machine.
In the SCCM console, go to Administration / Site Configuration / Servers and Site System Roles
Select your server which will serve as your cloud management gateway connection point and select Add Site System Role
On the System Role Selection pane, select Cloud management gateway connection point
Your Cloud Management Gateway name and region will be auto-populated
Review your settings and complete the wizard
You can follow the installation progress in SMS_Cloud_ProxyConnector.log
Configure the Primary Site for client certification authentication
We will now specify the settings client computers use when they communicate with our Management Point
In the SCCM console, go to Administration / Site Configuration / Sites
Select your primary site for the clients you want to manage through cloud management gateway, select Properties
On the Client Computer Communications tab, check Use PKI client certificate (client authentication) when available
Clear Clients check the certificate revocation list (CRL) for site systems
Click OK
Configure roles for cloud management gateway traffic
The final step in setting up cloud management gateway is to configure the site system roles to accept cloud management gateway traffic. Only the management point and software update point roles are supported by cloud management gateway. We recommend having a separate machine acting as the management point for your internet clients as it gives you the option to put this management point in HTTPS mode while having an HTTP MP for all your internal clients.
In the SCCM console, go to Administration / Site Configuration / Servers and Site System Roles.
Right-click the site system server for the role you want to configure for cloud management gateway traffic. In our case, we will configure a management point
Select the Management Point role and select Properties
In the General tab, check the box next to Allow Configuration Manager cloud management gateway traffic, and then click OK.
If you require HTTPS communication, select HTTPS here and follow the next steps
Management Point HTTPS only
If you require having your management point in HTTPS communication, you must ensure that the server has requested the Server Authentication Certificate (SCD SCCM Cloud Management Gateway) and that IIS is configured with this certificate. If you are going with HTTP communication, you can skip this step.
Once again, open the Certificate MMC console
Choose Computer Account, click Next, Choose Local Computer, click Finish
Click OK, and then expand the Certificates tree to the Personal / Certificates folder
Click All Tasks / Request New Certificate
At the Request Certificates part of the wizard, check your certificate (ex: SCD SCCM Cloud Management Gateway)
You will notice that under the Web cert, a prompt says: More information is required to enroll for this certificate. Click here to configure settings
Click the link and set up your Certificate Properties
Under Alternative Name / DNS, enter the FQDN of the management point server
In the General tab, name your certificate as it will be easier to find in IIS later
Then the warning field will disappear from the Request Certificates screen of the Certificate Enrollment wizard
Click Enroll and then finish once the enrollment is successful
Assign the Web (IIS) Certificate to IIS
This must be done only on an HTTPS Management Point that will handle CMG client requests.
Launch IIS Manager
Navigate to the Default Website
Right-click it and select Edit Bindings
Add https binding and click Edit
Select the certificate with your server name, and then click OK
Configure clients for cloud management gateway
We will now verify if clients are able to successfully communicate with our server via the SCCM Cloud Management Gateway.
On a client that is connected to the internet, run a Machine Policy Retrieval & Evaluation cycle from the Configuration Manager app
Under the Networking tab, you should see the name of the Cloud Management Gateway service listed as the Internet-based management point (FQDN)
Check the ClientLocation.log file. It will indicate that the machine is using the internet management point
Rotating internet management point, new management point [1] is: SCDCMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/XXXXXXX (0) with capabilities: <Capabilities SchemaVersion ="1.0"><PropertyName="SSL" Version="1" /></Capabilities> ClientLocation 02/02/2018 7:21:15 PM 4168 (0x1048)
If your clients are not already installed, you must use one of the proposed installation methods on Technet or use Intune if you are configured to use the Co-Management features.
When planning for a Windows 10 migration, understanding your environment is the key. Luckily, Windows 10 setup comes with command line options, one of which is an excellent compatibility check (/Compat ScanOnly). This command can be run on Windows 7, 8 or 10 devices before a migration to see if those devices are Windows 10 compatible. Using SCCM, we will run this Windows 10 compatibility check, return the results to the SCCM database and use this data to build a comprehensive report. This report can be used to detect and fix migration errors before the actual Windows 10 deployment.
SCCM Windows 10 Compatibility Check Package Creation
We will start by creating a package for the Windows 10 compatibility check. The source of this package must be the Windows 10 installation media. The deployment option and command line are important here. If they are not set correctly, you'll end up sending the complete installation media (including Install.wim) to the computers only for a compatibility check, which is not really effective. Using our proposed method, you'll be using about 250 MB on the client drive instead of 5 GB.
In the SCCM Console, go to Software Library / Application Management / Packages
Create a new package
Name your package and specify your Windows 10 installation media as the source files. Be aware that setup.exe is language specific. If you have an EN-US machine, you must provide EN-US media
/DynamicUpdate: Enabling it causes setup to download the latest compatibility information from Windows Update
The /CopyLogs parameter can also be added at the end. Use it to copy setup logs to a shared network drive. The problem with that switch is that the logs are not classified by computer name, so it will be a nightmare to find the right logs after hundreds of deployments. This is why I'm not using it for this blog post.
In the Requirements page, select your operating systems
Complete the wizard
Right-click your package and distribute it to your distribution points
Deploy Windows 10 compatibility check on a test computer
We will now deploy the Windows 10 compatibility check program on a computer that runs Windows 10 1607. In our test, we want to evaluate if this computer can upgrade from Windows 10 1607 to 1709. Create a test collection and deploy the newly created program to a test device.
Right-Click your package and select Deploy
On the General tab, select your collection
On the Content tab, ensure that your content is distributed to your distribution point
Select your deployment purpose – Available or Required
On the Scheduling pane, select your schedule
On the User Experience pane, select the desired options
On the Distribution Points pane, select Run program from distribution point
Review your choice and complete the wizard
Running the Compatibility Check
On a targeted computer, run the program manually in the Software Center (Available) or wait for the schedule to trigger your deployment (Required).
The installation will start. It will take about 5 minutes to complete... and it will fail. This is normal, as the code returned by the compatibility check will always be an error code. (A device with no compatibility problem returns 0xC1900210 (-1047526896).)
If you need more information about the error, look at Setupact.log or Setuperr.log generated by Setup.exe. They are located in the C:\$WINDOWS.~BT\Sources\Panther folder (or in the specified path if you use the /CopyLogs parameter in your command line). We cover how to troubleshoot Windows 10 errors in this blog post.
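As an added example (not the program command line from the original post), this PowerShell wrapper runs the scan from the package content, keeps setup's own exit code so the result still lands in the SCCM database, and copies the Panther logs to a per-computer folder on a share, which addresses the /CopyLogs naming problem described above. The share path, the script location and the switches other than /Compat ScanOnly and /DynamicUpdate are assumptions; adjust them to your own package.

```powershell
# Added example, not from the original post. Run the Windows 10 compatibility
# scan and archive its logs per computer name. Assumed: setup.exe sits next to
# this script in the package source, and $LogShare is a writable UNC path.
param(
    [string]$LogShare = '\\fileserver\W10CompatLogs'   # assumed UNC path
)

$setupExe  = Join-Path $PSScriptRoot 'setup.exe'
# /Compat ScanOnly and /DynamicUpdate come from the post; the other switches
# are assumptions for an unattended scan (no upgrade is performed).
$setupArgs = '/Auto Upgrade /Quiet /NoReboot /DynamicUpdate Enable /Compat ScanOnly'

$proc = Start-Process -FilePath $setupExe -ArgumentList $setupArgs -Wait -PassThru
$exit = $proc.ExitCode

# Setup always returns a non-zero code for a scan. 0xC1900210 (-1047526896)
# means no compatibility problem was found (value from the post); anything
# else needs a look at setupact.log / setuperr.log.
$compatible = ($exit -eq -1047526896)

# Copy the Panther logs into a folder named after the computer so hundreds
# of results stay easy to locate.
$dest = Join-Path $LogShare $env:COMPUTERNAME
New-Item -ItemType Directory -Path $dest -Force | Out-Null
$panther = 'C:\$WINDOWS.~BT\Sources\Panther'
foreach ($log in 'setupact.log', 'setuperr.log') {
    $src = Join-Path $panther $log
    if (Test-Path -LiteralPath $src) {
        Copy-Item -LiteralPath $src -Destination $dest -Force
    }
}

# Record the outcome next to the logs (exit code shown as the usual hex value).
'Exit code 0x{0:X8} ({1}); compatible: {2}' -f ($exit -band 0xFFFFFFFF), $exit, $compatible |
    Out-File -FilePath (Join-Path $dest 'result.txt') -Encoding ASCII

# Return setup's code unchanged so the deployment status reflects the scan result.
exit $exit
```

Use it as the program command line in place of a bare setup.exe call (for example, powershell.exe -ExecutionPolicy Bypass -File .\Invoke-CompatScan.ps1); the deployment will still show as failed, exactly as the post describes.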
Once we have tested on a couple of test machines and are happy with the results, we can expand our deployment to all computers.
From there, what's the easy way to check your compatibility results? You could go to the Monitoring / Deployment section in the console... or you could build a custom report.
Windows 10 Compatibility Check Report
Luckily for you, we created a report which will give you a quick overview of your compatibility successes or failures. We also included basic hardware inventory information for you to refer to if a computer is not compliant because of a hardware limitation. The only thing you need to do is select your Compatibility package and run the report!
You can download this free report by visiting our product page. The Asset – Compatibility Check report is available in the Report / Asset Section.
Windows Autopilot is a new and emerging solution designed to set up and pre-configure Windows devices for your environment using Azure and Intune. The goal of Autopilot is to reduce OS deployment complexity. If done correctly, a user takes an out-of-box computer, logs on with his AAD user account, and applications and configurations get deployed. All that with minimum infrastructure requirements.
When announced a couple of months ago, Autopilot had its flaws, but it's improving very fast. One of those flaws was that device import had to be done from the Windows Store for Business or the Microsoft Partner Center. Those days are over, since you can now import your devices directly from Microsoft Intune.
Microsoft Intune Autopilot device import
Log in to your Azure Portal and launch Microsoft Intune
From the Intune portal, select Device enrollment / Windows enrollment / Devices
In the Windows Autopilot Devices pane, select Import on the top
From there, you need to select a .CSV file. It’s not possible to import a single device manually.
As shown in the portal, the CSV file has some formatting requirements :
This means that you need the Serial Number, Windows Product ID, Hardware Hash and Order ID separated by a comma. You cannot have more than 175 rows/devices in the CSV.
Fortunately, a good script is already available in Windows to get this information... but it's not yet adapted for Microsoft Intune. The OrderID is not generated by the script, so it needs to be added manually, and the header is invalid.
From a Windows 10 1703+ computer
Start Windows PowerShell as Administrator
Run the following command: Install-Script -Name Get-WindowsAutoPilotInfo
This action places the script into the folder C:\Program Files\WindowsPowerShell\Scripts
Run the script : Get-WindowsAutoPilotInfo -Outputfile C:\temp\SCD.csv
The script will output the result in the C:\temp\SCD.csv file
Open the CSV file, add an OrderID at the end of each line (,1) and remove the header
Before change: (invalid header and no OrderID at the end)
After change: (header removed and OrderID added)
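The manual CSV fix above (remove the header, append an OrderID, stay under 175 rows) as an added PowerShell example; this is not part of the original post or of the Get-WindowsAutoPilotInfo script. The input path comes from the post; the output path and the OrderID value of 1 are assumptions.

```powershell
# Added example, not from the original post. Reshape Get-WindowsAutoPilotInfo
# output into the form the Intune import expects: no header, the three device
# columns, then an OrderID, with at most 175 devices per file (limit from the post).
$InputCsv  = 'C:\temp\SCD.csv'          # output file used in the post
$OutputCsv = 'C:\temp\SCD-intune.csv'   # assumed output path
$OrderId   = '1'                         # OrderID value used in the post
$MaxRows   = 175                         # Intune limit per CSV

# Import-Csv reads the script's header for us; the header itself is not written out.
$rows = @(Import-Csv -Path $InputCsv)
if ($rows.Count -eq 0) { throw "No devices found in $InputCsv" }
if ($rows.Count -gt $MaxRows) {
    throw "Intune accepts at most $MaxRows devices per CSV; $InputCsv has $($rows.Count)"
}

$lines = foreach ($row in $rows) {
    # Take the columns positionally (serial number, product ID, hardware hash)
    # so the script's header names do not matter.
    $values = @($row.PSObject.Properties.Value)
    if ($values.Count -lt 3 -or [string]::IsNullOrWhiteSpace($values[2])) {
        throw "Row is missing a serial number, product ID or hardware hash: $($values -join ',')"
    }
    '{0},{1},{2},{3}' -f $values[0].Trim(), $values[1].Trim(), $values[2].Trim(), $OrderId
}

# Plain ASCII, no header, one device per line.
Set-Content -Path $OutputCsv -Value $lines -Encoding ASCII
Write-Host "Wrote $($lines.Count) device(s) to $OutputCsv"
```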
Back in the Microsoft Intune Portal, select your CSV file and select Import at the bottom
You will receive an Import notification. It will take about 5-10 minutes
Device is imported
It will take a moment to show in your device list but will eventually appear. The device will also be visible from the Windows Store for Business portal. The device is now ready to use in an Autopilot deployment.
Windows Update for Business, which replaces the ability to manage updates from SCCM using the Software Update Point
Once a workload is offloaded to Intune, SCCM no longer manages those settings on the Windows client.
Co-management is designed to allow administrators to pilot specific computers before completely offloading a workload to Intune, allowing a smooth transition.
Enable SCCM 1710 Co-Management
Here's how to enable co-management.
Go to Administration / Cloud Services / Co-Management and select Configure Co-Management
Enter your Intune Credentials
Select who can automatically enroll in Intune
We strongly recommend beginning with Pilot. This requires selecting a collection to limit enrollment to the allowed computers only
This can be changed later when you are ready for the production roll-out
Configure the Workloads
This can be left on SCCM for all workloads for now and adjusted later on
Select a computer collection to be used for pilot
On the Summary page, click Next
Co-Management is then enabled
Under Properties / Enablement, the Automatic enrollment can be changed from Pilot to Production
Under Properties / Workloads, it’s possible to set the slider for the different workloads and assign them to Pilot or Intune
Before changing any workload to pilot, it’s time to enroll a computer into Intune, while still managed by SCCM.
Enroll Windows 10 1709 client into Intune for Co-management
The first step is to enable the GPO Auto MDM Enrollment with AAD Token
Next, add the computer to the Pilot collection for Co-Management
After the next machine policy update, the client will begin to enroll.
On the client, the CoManagementHandler.log will provide the details.
Note that during our testing, this took a while to get going in the logs. Many errors showed up before it worked correctly, without changing a thing. Patience is key.
After a little while (hours), the client will change from MDM – none to MDM – Intune
Before MDM managed
After MDM managed
It will eventually report that the device is managed by MDM/ConfigMgr Agent
At that point, it’s time to configure Intune policy to eventually switch Workloads
The second Hotfix Rollup for SCCM Current Branch (1710) is now available. This post is a complete SCCM 1710 Hotfix Rollup 2 (KB4086143) installation guide. If you’re looking for a complete SCCM Current Branch installation guide, see our blog series which covers it all. You can’t install this upgrade if you are running SCCM 2012. You need to be running SCCM 1710 to apply this update.
Installing SCCM upgrades is important for your infrastructure. This one fixes a lot of issues from SCCM 1710, some of which are important.
New Update and Servicing Model
If you're not familiar with the new SCCM servicing model, read the New Update and Servicing section of our 1602 upgrade post, which explains it all.
You may wonder what’s the difference between a Cumulative Update (CU) and an Update Rollup (UR)/Hotfix RollUp (HR) :
A CU is a new servicing baseline. A post-CU1 hotfix requires CU1 first, whereas a post-UR1 hotfix doesn’t require UR1. Like CU, UR is cumulative which means that UR2 will include previous hotfixes.
*If you are running SCCM 1511, 1602, 1606, 1610, 1702 or 1706, you first need to upgrade to 1710 prior to applying this Hotfix Rollup; see our blog post which covers the upgrade process. Once completed, the Hotfix Rollup will be available under the Updates and Servicing node.
List of SCCM 1710 Hotfix Rollup 2 Fixes
This hotfix rollup brings the long-awaited fix for user interaction during Office 365 updates. Previous attempts to manage it led to an inconsistent user experience: for example, Office products would close without any warning while the opposite was expected.
The new hotfix brings a simple restart notice (the regular SCCM reboot notification) if any Office product is open while an update has been installed.
We will update our post on Office 365 updates, once we have successfully tested this change.
Consult the Microsoft support page for a full list of fixed issues.
Before you begin
Downloading and installing this update is done entirely from the console. There’s no download link, the update will appear on your console once synchronized.
When you install an in-console update: (New Versions, CU, UR, KB)
It automatically runs a prerequisite check. You can also run this check prior to starting the installation
It installs at the central administration site (if you have one), and at primary sites automatically. You can control when each primary site server is allowed to update its infrastructure by using Service Windows for site servers
After a site server updates, all affected site system roles (including instances of the SMS Provider) automatically update. Configuration Manager consoles also prompt the console user to update the console, after the site installs the update
If an update includes the Configuration Manager client, you are offered the option to test the update in pre-production, or to apply the update to all clients immediately
After a primary site is updated, secondary sites do not automatically update. Instead, you must initiate the secondary site update
In this post, we’ll be updating a standalone Primary Site Server, console and clients.
Reminder
It's a best practice to have some exclusions for your antivirus/anti-malware software on the SCCM server. Here is a list of exclusions from SCCM 2012, which is still valid for CB as far as we know. You could also consider disabling the AV prior to installing the update and re-enabling it once completed.
Before installing, check if your site is ready for the update :
Open the SCCM console
Go to Administration \ Cloud Services \ Updates and Servicing
In the State column, ensure that the update is Available
If not already downloaded, hit Download
If it’s not available, right-click Updates and Servicing and select Check for Updates
The update state will change to Downloading
You can follow the download in Dmpdownloader.log
The update files are stored in the EasyPayload folder in your SCCM Installation directory
Before launching the update, we recommend launching the prerequisite check:
Open the SCCM console
Go to Administration \ Cloud Services \ Updates and Servicing
Right-click the Configuration Manager 1710 Hotfix (KB4086143) update and select Run prerequisite check
Nothing will happen, the prerequisite check runs in the background. All menu options will be grayed out during the check
You can monitor prerequisite check by going to Monitoring / Site Servicing Status, right-click your Update Name and select Show Status
When completed the State column will show Prerequisite check passed
Step 2 | Launching the SCCM 1710 Hotfix Rollup 2
We are now ready to launch the SCCM 1710 Hotfix Rollup. At this point, plan about 30 minutes for the update installation.
Right-click the Configuration Manager 1710 update and select Install Update Pack
On the General tab, click Next
In the Client Update Options, select the desired option for your client update
This new feature allows updating only the clients that are members of a specific collection. Refer to our post here
On the License Terms tab, accept the license terms and click Next
On the Summary tab, review your choices and click Next
On the Completion tab, close the wizard. The whole process took a minute, but the installation is not over; it has only been initiated
During installation, the State column changes to Installing
You can monitor installation by going to Monitoring / Site Servicing Status, right-click your Update Name and select Show Status
… or you can follow detailed installation progress in SCCM Installation Directory\Logs\CMUpdate.log
Warning
We've done numerous SCCM installations/upgrades. Some installations start a couple of minutes after you complete the wizard, but we've seen some start after a 10-minute delay. Do not reboot or restart any services during this period or your update could be stuck in "Prerequisite check passed" status with all other options grayed out. There's actually no officially documented method from Microsoft to fix that. Patience is the key!
When completed, you’ll notice the message There are no pending update package to be processed in the log file
Refresh the Updates and Servicing node, the State column will be Installed
Updating the consoles
Since 1602, the console has an auto-update feature. When the console opens, if you are not running the latest version, you will receive a warning and the update will start automatically.
Since all update operations were initiated from the console, we didn't close it during the process. We received a warning message when clicking certain objects. You will have the same message when opening a new console
Click OK, console update will start automatically
Wait for the process to complete. You can follow the progress in C:\ConfigMgrAdminUISetup.log and C:\ConfigMgrAdminUISetupVerbose.log. Once completed, the console will open and you’ll be running the latest version
Verification
Consoles
After setup is completed, verify the build number of the console. If the console upgrade was successful, the build number will be 5.0.8577.1115. Note that the Site Version is not changed to the Hotfix Rollup version. This is normal.
Clients
The client version will be updated to 5.00.8577.1115 (after updating, see section below)
SCCM 1710 Hotfix Rollup 2 Client Package distribution
You’ll see that the 2 client packages are updated:
Navigate to Software Library \ Application Management \ Packages
Check if both packages were updated, if not, select both packages and initiate a Distribute Content to your distribution points
Updating the Clients
Our preferred way to update our clients is by using the Client Upgrade feature (you can refer to our complete post documenting this feature):
Open the SCCM Console
Go to Administration / Site Configuration / Sites
Click the Hierarchy Settings in the top ribbon
Select Client Upgrade tab
The Upgrade client automatically when the new client update are available checkbox has been enabled
Review your time frame and adjust it to your needs
Monitor SCCM Client Version Number
You can use our SCCM Client version reports to get detailed information about every client's version in your environment. It's the easiest way to track your client updates.
You can also create a collection that targets clients without the latest client version. I use it to monitor which client hasn’t been updated yet.
Collections
Here's the query to achieve this (you can also refer to our Set of Operational Collections PowerShell Script, which contains this collection):
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ClientVersion !='5.00.8577.1115'
The Intune troubleshooting portal can be used by Intune administrators to view information about a specific Intune user. It can be used to troubleshoot many problems for example, licensing problem, the devices assigned to a user, details about enrollment issues, compliance issues, app installation failure and much more. The Intune Troubleshooting portal can also give suggested remediation steps to resolve issues.
You need at least the Help Desk Operator role (RBAC) to use the troubleshooting portal.
Details about the assignments for the selected user. A drop-down lets you choose between Mobile apps, Compliance policies, Configuration policies, App protection policies, Windows 10 update rings and Enrollment restrictions. In our example, we selected Compliance Policies
When you click a policy, you are sent to the Device compliance policy section and you can troubleshoot your policy.
#5 – Devices
Show detailed information about the devices assigned to the selected user.
When clicked, you are sent to the device information pane
#6 – App Protection Status
This shows the details about the app protection policies that are assigned to the selected user. At this time you cannot drill-down to the app protection section when a policy is clicked.
#7 – Enrollment Failure
Shows the details about device enrollment failures for the user. Each row shows an enrollment attempt.
When you click an attempt, you are given more detail about the error. In our example, the Apple push certificate was not configured in our tenant
This is a very nice addition to the Intune portal. A must-have for your help desk and Intune administrators!