SCCM Current Branch 1806 is loaded with amazing features. In this post, we will cover the latest addition in the reporting space: CMPivot. SCCM has always been good with reporting and inventory of it’s managed devices but SCCM data is up-to-date at the last time the inventory has been run. SCCM CMPivot allows SCCM administrators to initiate a live query on selected computers on a specific topic. The result of that query can then be used to mitigate and fix potential issues.

How many time were you asked “what is the current state as of NOW?” well, you’ll finally be able to answer appropriately with SCCM CMPivot.

In this post, we will covert how to use CMPivot to create a basic query and how to use the result of this query.

SCCM CMPivot Prerequisites

• SCCM must be Current Branch 1806 or higher
• SCCM clients must be running 1806 or higher
• Powershell  v5.0 on target clients
  • This is not 100% mandatory as only the following entities require PowerShell v5.0 to run
    • Administrators
    • Connection
    • IPConfig
    • SMBConfig

How to use SCCM CMPivot

The first step is to select a computer collection to run CMPivot against those computers. We will select our All Server Clients collection. In our example, we will query the computer to have information about their Operating System version.

• Select the collection and from the Ribbon, select Start CMPivot

• The CMPivot window show up to configure the query

• The Home tab provides details on how to create queries
• Select the Query tab

• Select one of the available entities to target, Right click on it and select Insert

• The entities to query on is then added to the query

• Running the query as is will return all information about that entities

• To refine the query, add the pipe character |, this will provide the list of operators to be added after the |

• Then CMPivot will propose entities

• Here we addVersion to be like ’10.%’

• CMPivot will automatically correct it to look that way, once we Run the query.

• This provides a subset of computers

• Now that we have a list of computer, the following actions can be performed :
  • Create a collection based on those computers
  • Pivot to, which allows seeing other entities in CMPivot for a specific computer
  • Run Script, this can be run on multiple computers at a time
  • Remote Control a specific computer
  • Open the Resource Explorer for a specific computer

• The Pivot to is a quick access to other Entities for a specific computer.

This feature is brand new and we have yet to found a real-world scenario that requires this. We’ll update this post when we have some interesting queries.

Do you have a great query that could help other SCCM administrators out there? Share it in the comments below!

More details and examples available on Microsoft Docs

The post How to use SCCM CMPivot appeared first on System Center Dudes.

One of the new capabilities of SCCM Current Branch 1806, is to merge the Cloud Distribution Point along the Cloud Management Gateway. This provides an easier deployment method and also reduces the required certificates and cost of Azure VMs.

Before SCCM 1806, a standalone Cloud Distribution point requires 2 Standard A0 VMs but with the new SCCM 1806 capabilities, only the requirements for the Cloud Management Gateway remains, which is one Standard A2V2 VM. The storage cost remains the same as before. Microsoft provides a calculator to help plan ahead.

While our blog post is still accurate to install a Cloud Distribution Point standalone, using the Classic service Deployment, it should be considered the old way of doing this.

We’ll have a blog post on How to install a Cloud Distribution Point using Azure Resource Manager Deployment in the near future.

Prerequisites

• SCCM Current Branch 1806 or higher
• Azure Subscription
• A Cloud Management gateway configured

Configure SCCM Cloud Distribution Point

We will now enable the Cloud Distribution Point on our existing Cloud Management Gateway

• Go to Administration/Cloud Services /Cloud Management Gateway, select your Cloud Management Gateway and select Properties

• Under Settings, check the box Allow CMG to function as a cloud distribution point and serve content from Azure storage at the bottom

• See %Program Files%\Microsoft Configuration Manager\Logs\CloudMgr.log for any errors
• The status is also available under Monitoring \ Distribution status \ Distribution Point configuration status

• Once completed, the Cloud DP is available to distribute content to it

What if you already have an SCCM Cloud Distribution Point stand-alone?

Configuring the Cloud DP on the Cloud Management Gateway is a completely new Distribution point.

Unfortunately, this will mean re-uploading the content to the “new” Cloud DP as part of the Cloud Management Gateway.

Note that the Cloud DP on the Cloud Management Gateway will not show up under Administration / Cloud Services / Cloud Distribution Points…

…But it will show under Administration / Distribution Point

The post How to configure SCCM Cloud Distribution Point on Cloud Management Gateway appeared first on System Center Dudes.

SCCM 1802 phased deployment was introduced as a pre-release feature and was supporting only Task Sequence deployments.  Beginning with SCCM 1806, it’s no longer a pre-release feature and it now supports application deployments.

If you’re not familiar with Phased deployments, they allow orchestrating a software deployment based on certain criteria and condition. For example, you could use it to deploy an application to a pilot collection and then automatically continue the deployment based on success criteria.

SCCM Application Phased Deployment Creation

For now, it’s only possible to create a 2 phase deployment. Let’s go ahead and deploy 7zip :

• In Software Library / Application Management / Applications
• Right-click an existing application and select Create Phased Deployment

• On the General page, give the phased deployment a Name, Description and select Automatically create a default two-phase deployment
• Click Browse and select a target collection for the First Collection and Second Collection

• On the Settings page, choose one option for each of the scheduling settings
  • This is where you select which criteria need to be met before going to the next phase. You can select the Deployment Success Percentage and the Deferral Period for the second phase to begin

• On the Phases page, review the two phases that the wizard created. As stated before, it’s not possible to add more phase for now but we are pretty sure that it will be available in further releases. Click Next

• On the Completion tab, confirm your choices and then click Next to complete the wizard

Once created, check at the bottom of the console in the Phase Deployments tab, you’ll see your deployment there and can adjust its settings if needed.

Monitor SCCM Application Phased Deployment

Monitoring phased deployment has improved since the SCCM 1802 pre-release feature. Phase deployment has their own new monitoring dashboard. Here’s how to view the status of our phased deployment :

• Open Monitoring \ Deployments
• Find your phased deployment from the list, right-click on it and select Phased Deployment Status

• The new dashboard opens and shows the status of both phases and its success criteria

This feature will improve over time in the next SCCM release. Stay current to benefits the new features!

The post Create an SCCM Application Phased Deployment appeared first on System Center Dudes.

Based on my previous post published in 2015, I decided to do a 2018 refresh of the SCCM Must have Tools list since there were many changes since then. The tools are listed in no particular order.

Create a Custom Splash Screen for a Windows 10 in-place upgrade

If you are doing Windows 10 upgrades, this tool allows customizing the Windows 10 upgrade screen to look more like the built-in Windows update experience in Windows 10. This splash screen not only discourages computer interaction during the upgrade but also creates a consistent user experience throughout the upgrade process, for a user-initiated upgrade.

Developed by Trevor Jones, you can download this free tool from his blog where all necessary info resides.

Driver Automation Tool

Actually #1 on Microsoft Gallery based on popularity, this tool is a PowerShell GUI to automate the processes of downloading, extracting and importing driver packages for all three majors vendors (HP, Dell, Lenovo). This SCCM Tool is a must have if you’re dealing with SCCM driver packages.

The tool automates the following processes;

1. Queries XML content from Acer, Dell, Lenovo, HP and Microsoft
2. Provides Driver Downloads for all five manufacturers
3. Provides BIOS downloads for Dell and Lenovo only (at present)
4. Create a BIOS Update Package
5. Download Driver CAB for each model
6. Extract the Driver CAB
7. Import the drivers in the extracted CAB folder
8. Create a Category based on the machine model
9. Create a Driver Package based on the machine model and filename
10. Imports the associated drivers into the newly created Driver Package

Developed by fellow MVP Maurice Daly, you can trust SCConfigMgr tools, used by thousands of organizations.

Download the Driver Automation Tool on SCConfigMgr webpage or on Microsoft Gallery.

Removing Built-in apps from Windows 10 WIM-File

If you have been working on a Windows 10 project, you certainly had the request to remove some of the Windows 10 built-in apps. This Script will help you to remove unnecessary built-in-apps easily.

Written by Andre Picker, you can download the script from Microsoft Gallery. You can also follow its blog… but you need to understand German.

ConfigMgr Prerequisites Tool

If you need to do an SCCM Installation, the ConfigMgr Prerequisites Tool is designed to help administrators prepare their infrastructure and systems when about to install Configuration Manager.

Another great tool developed by one of the SCConfigMgr guys –  MVP Nickolaj Andersen.

Download the ConfigMgr Prerequisites Tool on SCConfigMgr webpage or on Microsoft Gallery.

ConfigMgr Client Health

ConfigMgr Client Health is a PowerShell script that increased your client percentage. It detects and fixes known errors in Windows and the Configuration Manager Client, and enforces the required services to run and start as Automatic. This tool is a must-have if you’re looking to achieve the 99% client percentage in your organization.

ConfigMgr Client Health detects and fixes the following errors:

• ConfigMgr client is not installed.
• ConfigMgr client is assigned the correct site code.
• ConfigMgr client is upgraded to current version if not at specified minimum version.
• ConfigMgr client not able to forward state messages to the management point.
• ConfigMgr client stuck in provisioning mode.
• ConfigMgr client maximum log file size.
• ConfigMgr client cache size. Fixed size (MB) or percentage of disk space.
• ConfigMgr client certificate error.
• ConfigMgr client hardware inventory not running.
• ConfigMgr client CcmSQLCE.log exists and client is not in debug mode.
• Corrupt WMI.
• DNS server record matches local IP’s
• Drivers – Reports faulty or missing drivers on client.
• Logging to SQL database and / or file share
• Pending reboot check
• User-friendly reboot of computer with 3rd party reboot app when in pending reboot or computer uptime is more than specified in config.
• Services for ConfigMgr client is not running or disabled.
• Other services can be specified to start and run and specific state.
• Windows Update Agent not working correctly, causing client not to receive patches.
• Windows Update Agent missing patches that fixes known bugs.

Written by Anders Rodland, you can download the script from Microsoft Gallery or from his blog when the official documentation resides.

Set of Operational SCCM Collections

Ok, I’m a little bit biased on this one… This script will create a set of 88 SCCM collections for your various needs. These collections can be used for operational tasks afterward.

You can download the latest script which is updated often with new collections on Microsoft Gallery.

Jonathan Lefebvre has also made its own variant of the script which puts the collection in a nice folder structure. Be sure to check our others scripts in the Technet folder in our Top Menu.

SCCM Right-Click Tool

One of the most popular console Extention that allows to do multiple client action from the console :

• Add / Remove Tools (Device, Collection, Deployment)
• Schedule Restart / Shutdown (Device, Collection, Deployment)
• Cancel Pending Restart / Shutdown (Device, Collection, Deployment)
• Repair Client (Device, Collection, Deployment)
• Rerun Deployment (Device, Deployment)
• Add Devices to Collection (Collection)
• System Information (Collection, Deployment)
• Client Health Check
• Group Policy Update
• Application Revision History
• Content Status
• Client Status
• User tools

The tool is still free to download even if the page is quite confusing. Just scroll down to the bottom, enter your information and the tool will be sent by email.

UI++

If you are deploying your Operating System using SCCM and need a front end for you user, UI++ is our choice.

UI++ is a better way to display information to the interactive user, solicit input from that same interactive user, and populate task sequence variables during System Center Configuration Manager (ConfigMgr) Operating System Deployment (OSD). UI++ can also solicit user information outside of task sequences because at its heart, UI++ is simply a generic UI framework. Nearly every aspect of UI++ is customizable including the number of dialogs, colours, icons, and the exact text to display — everything shown is up to you

Developed by fellow MVP Jason Sandys, you can download this free UI from his blog where the official documentation resides.

Console extension for ConfigMgr for cleaning up Software Update Groups automatically using PowerShell

Over time Deployment Packages can be filled with unwanted Software Updates if no regular maintenance is performed, leading to unwanted Software Update content taking up unnecessary disk space.  This SCCM console extension cleans up Software Update Groups automatically using PowerShell.

Another SCCM must have tool developed by MVP Nickolaj Andersen.

Download the ConfigMgr Prerequisites Tool on SCConfigMgr webpage or on Microsoft Gallery.

TSLaunch/UPBackground 

If you are doing Windows 10 upgrades, this tool allows sending a customized message to users before their migration. You can also give the user the choice of their installation time.

Developed by Johan Schrewelius, you can download this free tool from ccmexec blog where all necessary info resides.

Thank you to all contributor which make the life of all SCCM admin easier!

The post List of SCCM Must Have Tools – 2018 Edition appeared first on System Center Dudes.

The ConfigMgr team is working really hard to make SCCM admins job easier for some of the key components of Modern Management. Starting with SCCM 1806 release, they ease a bit the setup of the Cloud Management Gateway.

If you are new to the concept of Cloud Management Gateway, the main advantage is that it doesn’t expose your SCCM servers to the internet. The downside is that it requires an Azure subscription which brings recurring monthly costs. If you’re still unsure which method to use, you can read the Microsoft documentation and see our blog post about internet client management. Make sure that you understand the limitation of using internet clients.

We strongly encourage to use the Cloud Management Gateway if you’ll be managing client on the internet since this feature will evolve with time and the traditional way support should go away.

Here the available features supported through the Cloud Management Gateway:

In this post, we will configure the Cloud Management Gateway by using the Azure Resource Manager.

Some sections from our previous post are brought back here to ease reading.

High-level steps

All steps are done directly in the SCCM console. We will describe each step:

• Verify a unique Azure cloud service URL
• Configure Azure Service – Cloud management
• Configure Cloud Management Gateway server authentication Certificate
• Configure Client Authentication Certificate
• Configure Cloud Management gateway
• Configure SCCM-generated certificates
• Add the Cloud Management Gateway Connector Point
• Configure system roles to communicate with the Cloud Management Gateway
• Configure client settings

SCCM 1806 Cloud Management Gateway Prerequisites

• SCCM Current Branch 1806 or higher
• Have a valid Azure Subscription
• Azure administrators rights – We used a Global Administrator role but the official documentation is not clear as which level of Administrator is needed.
  • It is not required that the Azure admin account has access in SCCM.
• On-prem server to host Cloud management gateway connection point
• The SCCM service connection point must be set to Online

Verify a unique Azure cloud service URL

We don’t need to create the cloud service in Azure, the Cloud Management Gateway setup will create the service. We just need to verify that the Azure cloud service URL is valid and unique.

• Log in the Azure portal
• In the Azure Portal, select Cloud Services on the left, click Add
• Enter the desired DNS name
• Validate that there’s a green check mark on the right. If your name is not valid, a red X will display, choose a different name if it’s the case
• Once your name is valid, take note of the name as it will be needed later. We will use SCDCMG as DNS Name for our example
• Close the window, do not create the service now

Configure the Azure Service – Cloud Management

• Go to Administration/Cloud Services/Azure Services and select Configure Azure Services

• Specify a name and select Cloud Management, click Next

• In this step, the Azure Administrator will be required to create the web app and native client app. Click on Browse for the Web app

• Click on Create

• Click the Sign in and provide Azure administrator credentials. Default names do just fine. Click OK when login completed

• Select the App that was just created and click OK

• Click Browse for the  Native client app.  Click Create

• Click the Sign in and provide Azure administrator credentials. Default names do just fine. Click OK when login completed

• Select the App that was just created and click OK

• Click Next

• Chose to Enable Azure Active Directory User Discovery or not.

• Click Next

• The Azure service is completed. If enabled, the AAD user discovery can be modified

• the Azure AD Tenant is now configured

Cloud Management Gateway server authentication Certificate requirements

The certificate requirements are the most complex part of configuring the Cloud Management Gateway.

A certificate is needed between the SCCM server and the Cloud Management Gateway.

The following choices are available :

• Use a certificate from a public trusted provider
  • This option requires a CNAME to be created in the DNS for CMGSCD.SystemCenterDudes.com to the real hostname CMGSCD.CloudApp.Net
• Use a certificate from an enterprise CA
  • This certificate must be trusted by all computers that will connect with the Cloud Management Gateway
  • Use format <CMG name>.CloudApp.Net

See our post for the complete How-to about the certificate from an Enterprise CA

Follow section Create and issue a custom SSL certificate for the Cloud Management Gateway up to Export the custom Web Certificate

More detail can also be found on Docs.Microsoft.com

Client authentication certificate requirements

If you are using a certificate from a Public trusted provider for the CMG server authentication, this part can be skipped.

This can also be skipped if you only have client computers that are either Hybrid-domain joined or Azure AD joined.

Otherwise, using an Enterprise CA require this step.

See our post for the complete How-to about the certificate for Client Authentication

Follow section Create a client authentication certificate up to Export the client certificate’s root

Configure SCCM 1806 Cloud Management Gateway

• Go to Administration/Cloud Services/Cloud Management Gateway, select Create cloud management gateway

• Sign-in with Azure Administrator rights. The Azure AD App name should be auto-populated, click Next

• Select :
  • Service name: provided automatically if the certificate is using .cloudapp.net. If using a public certificate or an internal certificate, the name will need to be entered manually.
    • Remember, only letter and number for the name.
  • Region: should be the same as the on-prem Management point
  • Resource group: select an existing or create a new one
  • VM instance: 1
  • Cloud service certificate: select the CMG server authentication certificate or the Public certificate
  • Client authentication certificate: Provide the client authentication certificate when using an Enterprise CA
  • Choose to Verify client certificate revocation or not
    • See the following blog post for details about certificate revocation
  • Choose if you want to enable the Cloud DP
    • See our previous post about CMG to function as a cloud DP for more details about the feature.

• Set the threshold as needed

• Summary, click Next

• Click Close

• The Cloud Management Gateway will show as Provisioning for about 10 minutes

• The Cloud Management Gateway is ready for next steps

• The cloud management gateway resources are also visible in the Azure portal.

Configure SCCM-generated certificates

This is a new feature from SCCM 1806, but still in Pre-Release. This means that this feature is still in development but is fully supported.

The goal of this feature is to enable an HTTP Management point and Software Update to support CMG traffic using HTTPS. Prior to SCCM 1806, it was needed to provide an HTTPS MP and SUP in order to connect those services to the Cloud Management Gateway.

• Go to Administration/Updates and Servicing/Features
• Turn on the feature Enhanced HTTP site system

• Go to Administration/Site Configuration/Sites and select properties on your site

• Under the Client computer communication tab, check to box for Use Configuration Manager-generated certificates for HTTP Systems

For more detail on the SCCM-Generated certificate, see Docs.Microsoft.com

Add the Cloud Management Gateway Connector Point

The cloud management gateway connector point is a new site system role for communicating with cloud management gateway. Let’s add this role to our management point machine.

• In the SCCM console, go to Administration / Site Configuration / Servers and Site System Roles
• Select your server which will serve as your cloud management gateway connection point and select Add Site System Role
• On the System Role Selection pane, select Cloud management gateway connection point

• Your Cloud Management Gateway name and region will be auto-populated

• Review your settings and complete the wizard

You can follow the installation progress in SMS_Cloud_ProxyConnector.log.

Configure System roles to communicate with the Cloud Management Gateway

Prior to SCCM 1806, it was not possible for the current Management Point and Software Update Point to remain in HTTP mode and support the Cloud Management Gateway.

Admins were in need of a new Management Point and Software Update Point configured in HTTPS mode or to switch current ones.

Now with the SCCM-generated certificate, a current HTTP MP and SUP can support the Cloud Management Gateway.

• Under Administration/Site Configuration/Servers and site System roles, select the Management Point properties
• Check the box Allow Configuration Manager cloud management gateway traffic. Notice that the Client Connections remain in HTTP

• Under Administration/Site Configuration/Servers and site System roles, select the Software Update Point properties
• Check the box Allow Configuration Manager cloud management gateway traffic. Notice that the Require SSL communication to the WSUS remains unchecked

Configure Client settings

Under Administrations/Client Settings, under Cloud Services make sure Enable clients to use a cloud management gateway is set to yes.

Once configure, deploy your client settings to the desired clients.

If you plan to use Cloud Distribution Point, it is also configured here.

Configure clients for cloud management gateway

We will now verify if clients are able to successfully communicate with our server via the SCCM Cloud Management Gateway.

On a client connected to the intranet, do a machine policy retrieval and restart the SMS Agent host.

On the Network tab of the Configuration Manager agent, the *.CloudAPP.net should be visible.

Additional information is available in the ClientLocation.log

Testing client connection to Cloud Management gateway

To test the cloud management gateway, get your machine on the internet … or force the SCCM client to be configured as Always Internet.

In the registry editor, set HKLM/Software/Microsoft/CCM/Security/ClientAlwaysOnInternet to 1 and restart the SMS Agent host service.

After the SMS Agent host service, the client will display connection type Always internet

From this point, you can try any of the supported features for the Cloud Management Gateway!

This was a big one, hope it helped! Are you using the nre Cloud Management Gateway ? Tell us your experience in the comment section.

The post How to configure SCCM 1806 Cloud Management Gateway appeared first on System Center Dudes.

SCCM CMPivot has been introduced in SCCM 1806 and it’s making its way to be a pretty useful addition. If you are not familiar with this new feature, you can read about it in our previous post which describes how to use it. The goal of this post is to give a list of SCCM CMPivot Query.

When we began using CMPivot, we were a bit lost. We are pretty comfortable with various programming language but CMPivot uses a subset of the Azure Log Analytics data flow model for the tabular expression statement which was new for us.

The official Microsoft documentation states :

SCCM CMPivot Catches

This results in a pretty simple language but there are a few catches that I learned :

• Watch out for Uppercase letter, Where is not the same as where. If you use an “W”, you’ll end up with a Failed to parse query error

• At any time you can use | project Manufacturer, Model at the end of any query to display only desired column  (Manufacturer, Model in this case)

After a while of playing with it, we thought it would be useful to share a list of queries that we build. Here’s the SCCM CMPivot Query list, feel free to share your own and as in my other Set of Operational Collection script, this list will evolve over time so come back often to see that new addition we’ll make.

We hope it helps you adopt this new feature.

SCCM CMPivot Query Exemples

The post List of SCCM CMPivot Query appeared first on System Center Dudes.

The post SCCM Office 2019 Deployment appeared first on System Center Dudes.

Microsoft has announced a while ago that the OMS Portal, used for Windows Analytics, was being deprecated in favour of Azure’s Log Analytics. In order to keep access to Windows Analytics intact for all your users,  a “migration” must be done prior to January 15, 2019. A warning is currently displayed when you log on the to-be-deprecated OMS portal.

In this post, we will detail how to migrate Windows Analytics from the OMS Portal to Azure’s Log Analytics.

Azure Windows Analytics migration

• Log on the Azure Portal
• Browse to Log Analytics. This should be empty if you don’t have Global admin rights and had rights to the OMS portal

• You must use a Global admin account. Looking at the rights of the OMS workspace for Windows Analytics, users or groups should have either ReadOnly, Contributor or Owner role assigned. Those roles are OMS’ roles, not Azure roles.

• Rights need to be modified to one of the following Azure Roles.

• Microsoft recommends modifying permissions on the Resource Group  or  Subscription level

• Once completed, log back in with the account for OMS and the OMS workspace should be visible under Log Analytics

• Now accessing Windows Analytics is not done via the Log Analytics. Go to All Resources. If too many entries to find to ones related to the OMS workspace, filter by the name of the workspace
  • Look for CompatibilityAssessment, which is Upgrade Readiness. In the top right corner of the Summary, it is possible to Pin to dashboard for easy access.

• Repeat the Pin to dashboard for DeviceHealthProd and WaaSUpdateInsights to have the same view as Windows Analytics in the OMS portal

• The result after Pin to dashboard

• Clicking on any of them will bring back familiar views

The post How to migrate Windows Analytics to Azure Portal appeared first on System Center Dudes.

Microsoft has changed the way the release of Windows ADK works with version 1809 of Windows 10. The Windows ADK comes now in two parts. One for Windows ADK tools and the other one for WinPE. With each major release of Windows 10, comes a new release fo the Windows Assessment and Deployment Kit. This means yet another product (now two!)to keep up-to-date in your environment. In this post, we will cover how to update an existing installation of a Windows ADK on an SCCM server. If you are looking for a history of Windows ADK versions, see our post here.

In this blog post, we will detail how to update the Windows ADK along with the WinPE Addon.

WHY SEPARATE DOWNLOADS FOR WINDOWS ADK AND WINPE

From Microsoft, “Starting with Windows 10, version 1809, Windows Preinstallation Environment (PE) is released separately from the Assessment and Deployment Kit (ADK). To add Windows PE to your ADK installation, download the Windows PE Addon and run the included installer after installing the ADK. This change enables post-RTM updates to tools in the ADK. After running the installer for the WinPE add-on, the WinPE files will be in the same location as they were in previous installs of the ADK.”

WHY THE WINDOWS ADK MUST BE UPDATED?

• Stay supported for SCCM and Windows 10 OS deployment
• Microsoft recommend matching the Windows 10 version deployed
• New setting in WinPE or in the Unattend.xml for the latest Windows 10 build

WINDOWS ADK COMPATIBILITY CHART

Here’s the table for Windows ADK compatibility with SCCM Current Branch, at the time of posting.

For the latest compatibility chart, check this Docs documentation.

Download latest Windows ADK and WinPE Add-on

• Download the latest version of the Windows ADK and Window PE add-on

• Execute ADKSetup.exe

• Select Download and provide a path. This will allow to pre-download Windows ADK content prior to the installation

• Select Privacy level for the download

• Accept the License Agreement

• The download will take some time as the Windows ADK is about 1.1GB
• Download completed
• Repeat process with ADKWinPESetup.exe

• Select Download and provide a path. This will allow to pre-download Windows ADK content prior to the installation

• Select Privacy level for the download

• Accept the License Agreement

• The download will take some time as the Windows PE Add-on is about 2.8GB
• Download completed

HOW TO UPDATE WINDOWS ADK 1809

The process of updating the Windows ADK is pretty straightforward:

Once ready for the update, the old version of the Windows ADK must first be uninstalled

• Open Program and Features, select Windows Assessment and Deployment Kit – Windows 10 and click on Uninstall

• Once the previous Windows ADK is uninstalled, reboot the server
• Once rebooted, run ADKsetup.exe in the download folder you specified in the previous step

• Select Install, click Next

• Select Privacy level wanted. Click Next

• Accept license agreement
• Select the following mandatory features. You can select more if you need others. Click Install
  • Deployment Tools
  • User State Migration Tool (USMT)

• Completed

HOW TO INSTALL WINDOWS ADK WINPE 1809 Add-on

• Run ADKWinPEsetup.exe in the download folder you specified in the previous step

• Select the installation path, click Next

• Select Privacy level wanted. Click Next

• Accept license agreement

• Select the Windows Preinstallation Environment (Windows PE)

• Once completed, reboot the server once again

Update boot images

Since SCCM Current Branch 1706, it is possible to reload boot images with current Windows PE version following a Windows ADK update. This is still true even if the Windows ADK has been split into 2 pieces

• Select a Boot image to update, and select Update distribution points

• Check the box  Reload this boot image with the current Windows PE version from the Windows ADK.  Click Next

• Summary

• Boot Image now has the latest OS version

The post How to Update Windows ADK 1809 on a SCCM Server appeared first on System Center Dudes.

One of the common mistakes we still see is having SCCM distribution point content folders on many different drives, most of the time not on purpose. Usually, this will lead to C drive being full, or the drive where the SQL database sit. This will then cascade into a series of errors all over SCCM.

In this post, we will show how to use Content Library Transfer tool to move distribution content folders

Prerequisites

• If you are running SCCM latest build, the tool is now build-in the install folder

• If you are running a version older than Current Branch 1802, download the SCCM 2012 toolkit

Move SCCM Distribution Point content

• It can be seen also in the registry key: HKLM\Software\Microsoft\SMS\DP\

• As stated in the limitation, the Distribution Point needs to stop providing content to clients. This can be achieved by multiple solutions:
  • Remove the distribution point from any Boundary group
  • stop network connection to that distribution point
  • Stop IIS on that distribution point
• Open a command prompt on the faulty distribution point
• Browse to <SCCM install folder>\Tools\ServerTools
  • Using the old SCCM 2012 toolkit, the path will be <Program Files(x86)\ConfigMgr 2012 Toolkit R2\Server Tools
  • If this is to be ran on a remote distribution point, simply copy over the ContentLibraryTransfer.exe
  • Command line: contentlibrarytransfer.exe -SourceDrive f -TargetDrive e
  • You will need to repeat this if you have distribution point content on multiple drives and want to consolidate all of them

• Transfer started. This will take time has it copy over all the content

• Transfer completed

• Content has been moved off the F drive

• Put the SCCM distribution point back online

Hope you found this blog useful!

The post How to move SCCM Distribution Point content folders appeared first on System Center Dudes.

Beginning with Windows 10 1709, you can’t use WSUS to host Features on Demand and language packs for Windows 10 clients. Instead, you need to download them directly from Windows Update. This is the official Microsoft Statement… at the time of this writing, it’s still possible to download FoD on VLSC or MSDN. We are in a transition method but clearly sees where Microsoft is going. This blog post will show one method to install FoD using SCCM but there are alternative methods also when you download the file from VLSC or MSDN (hint : Use Dism).

Features on Demand (FODs) are Windows feature packages that can be added at any time. When a Windows 10 PC needs a new feature, it can request the feature package from Windows Update.

If you’re using SCCM or WSUS for your software update, you need to change a Group Policy setting that lets clients download these directly from Windows Update instead of your on-premise infrastructure. Without this group policy, all your installation tentative will fails with error 0x800f0954. This is because your client will check on your on-premise servers instead of Microsoft Update and won’t be able to find the feature.

You can also host Features on Demand and language packs on a network share, but starting with Windows 10 1809, language packs can only be installed from Windows Update. This is why we recommend using the group policy method to redirect your clients to Windows Update to get FoD or Language packs.

To change this policy :

• Open your group policy editor
• Navigate to Configuration\Administrative Templates\System
• Enable the Specify settings for optional component installation and component repair policy

• Check the Download repair content and optional features directly from Windows Update instead of Windows Server Update Services (WSUS) checkbox

Changing this policy only enables Features on Demand and language pack downloads from Windows Update. It doesn’t affect how clients get feature and quality updates deployed by SCCM.

Deploy a Feature on Demand using SCCM

To deploy a new feature on demand to your client, you must understand a couple of things.

First, you need to understand that SCCM/WSUS can’t host these features so it will be downloaded from the internet by your SCCM clients.

The trick is to use the Add-WindowsCapability PowerShell cmdlet to call the feature that you need. You can get a list of available Feature on demand on Microsoft Doc or by using this PowerShell command :

Get-WindowsCapability -online 

Each Feature on Demand has a state. It can be Installed or Not present. Depending on the Windows 10 version, you may have a different list of “not present“. Follow Microsoft Documentation to see which Feature can apply to your Windows version or see the list yourself running the Get-WindowsCapability -online command.

For our example, we are running Windows 10 1809 and we’ll use SCCM to deploy XPS viewer but it can be used for any Feature on demand. You just need to change your script to call the right Capability name. (In our example the Capability Name is XPS.Viewer~~~~0.0.1.0). We can also see that the size of this Feature is nearly 17MB

Deploy Features on Demand to client remotely using SCCM

To deploy FoD using SCCM you have 2 options. The first one is to use the new script feature if you are running SCCM 1706 or later. The second one would be to deploy using a standard package or application.

Script Feature

We’ll start by deploying it using the SCCM Script feature

• In the SCCM Console, go to Software Library\Scripts
• Create a new PowerShell script with this command (Change the FoD name if needed)

Get-WindowsCapability -Online | where name -like xps* | Add-WindowsCapability -Online

• Complete the Script wizard
• Approve your script by selecting it and click Approve on the top ribbon
• Go to a test collection and right-click it, select Run Script

• Select the script you just created

• Validate Script Execution in the next screen. You can also monitor the script status in the console Monitoring\Script Status

Results

You can now validate that the Feature on Demand is installed on your test computer.

• Using PowerShell : Get-WindowsCapability -Online | where name -like xps
• State should be Installed

• In the Windows 10 Start Menu
• XPS Viewer is installed

Further FoD installation logging can be found locally on the computer C:\Windows\logs\dism\dism.log

Package

If you prefer to use the good old Package method, you need to :

• Create a PowerShell file FOD-Install.ps1 with this command :

Get-WindowsCapability -Online | where name -like xps* | Add-WindowsCapability -Online

• Create a new Package with source file pointing on your powershell file
• For the program, specify the following command line :

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -File .\FOD-Install.ps1

• Distribute the Package to your Distribution Point
• Deploy your package to your test collection (Available or Required)
• Initiate a client refresh policy
• The results will be the same as for script (see Result Section above)

We expect Microsoft to increase the release of Feature on Demand in the following Windows release. We can clearly see where this is going. In a future post we’ll talk about language pack installation which should be pretty similar. Stay tuned !

The post Deploy Feature on Demand using SCCM appeared first on System Center Dudes.

At a client site, they received newest HP models to be tested. Downloading drivers and BIOS updates were the usual. Looking at details about the BIOS update, we noticed that the HPBIOSUPDREC.exe that was used was no longer available.  HP released a new version called HPFirmwareUpdRec to replace it. Even if the help stated the command line to be the same, it turned out it didn’t work at all. Unfortunately, it doesn’t seem HP documented the new tool and how to use it. we were able to figure it out by digging into HP forums…

In this post, we will show hot to update HP BIOS using the latest HPFirmwareUpdRec tool within a task sequence.

Prerequisites

When downloading the bits from HP, looking at the BIOS files you need to see HPFirmwareUpdRec.exe.

If the file is not there, the update should be done using the old tool HPBIOSUPDREC.exe like before.

Update HP Bios with HPFirmwareUpdRec

• Looking at the help from the old and new tool points to the exact same command line or almost…

• If we look closely, the -F as changed from specifying the ROM Bin file, to specify the folder containing the firmware update files.
• After multiple testing, turns out that we can just skip the -F option and the tool will find the .BIN file within the source folder and use it.
  • The command line should be : HpFirmwareUpdRec64.exe -s -pPWD.bin -r -b
  • The -b option turned out to be necessary even if BitLocker was not enabled yet as part of the task sequence.
  • So the Run Command Line set should look like this.
  • the package used is pointing to the root of the folder where the tool and the .BIN file are located.
  • Note that the previous password.bin file worked just fine.

• But that was not the end to surprises. On the new models, HP provides by default an HP_TOOLS partition of 2GB. Turns out that the HPFirmwareUpgRec is using that partition to update the BIOS.
  • without this partition, the BIOS will NOT update at all
  • Add to your partitioning task the following partition
  • No need to assign a letter for that drive, but the name is important.

• Once this was added the update went well! Hurray!!
• Retrying the task sequence over the same computer brought up another error for the BIOS upgrade. Return Code was 282.
  • Manually running the command line from within windows led me to better understand the error.
  • Under the run path of HPFirmwareUpgRec, it will automatically create a log file with the same name.
  • This log provided the details about the error code 282, which simply state  Same Firmware version no need to update!

• So we would like to consider the 282 error code as a success code. On the Options tab the run command line, simply add 282 to the list of Success codes!

Voilà!

The post How to update HP BIOS using latest HPFirmwareUpdRec with SCCM appeared first on System Center Dudes.

Microsoft has released the final SCCM version for 2018. Microsoft still uses the same standard naming versions. You can begin upgrading your SCCM Current Branch environment to the latest 1810 release. If you want to install the latest updates, this post is a complete step-by-step SCCM 1810 upgrade guide.

If you’re looking for a comprehensive SCCM installation guide, see our blog series which covers it all. You won’t be able to install 1810 if you are running SCCM 2012, the baseline version is 1802.

To install SCCM 1810 as an update, you must have installed at least SCCM 1710, SCCM 1802 or SCCM 1806.

Keeping your infrastructure up to date is essential. You will benefit from the new features and fixes, which some of them can apply to your environment. It’s easier than ever to upgrade since Microsoft has implemented the new servicing model which is done directly from the console.

SCCM 1810 New Features and Fixes

SCCM 1810 includes lots of new features and enhancements in the site infrastructure, content management, client management, co-management, application management, operating system deployment, software updates, reporting, and configuration manager console.

You can consult the What’s new in version 1810 of System Center Configuration Manager Technet article for a full list of changes.

Here’s our list of favorite features:

• Support for Windows Server 2019
• Hierarchy support for site server high availability
• Prefer cloud distribution points over distribution points
• Improvements to collection evaluation by fully disable a schedule with a query-based collection
• Improvements to Co-Management Dashboard
• Convert applications to MSIX from MSI
• Repair applications directly in Software Center
• Approve application request via email
• Task Sequence support of Windows Autopilot for existing devices
• Phased deployment of software updates
• Configuration Manager administrator authentication
• Support Center
• SMS Provider API
• New Permission for Client Notification actions

Support for SCCM Current Branch Versions

Ensure to apply this update before you fall into an unsupported SCCM version. Read about the support end date of the prior version of the following Technet article.

Windows and SQL Support

Before installing, make sure that you are running a supported Operating System and SQL version. Older SCCM version was giving a warning during Prerequisite check but 1810 is giving an error which prevents the installation from continuing.

1810 supports only Windows 2012+ and SQL 2012 SP3+.

Before you Begin

Downloading and installing this update is done entirely from the console. There’s no download link, the update will appear on your console once the Service Connection Point is synchronized.

If you’re running a multi-tier hierarchy, start at the top-level site in the hierarchy. After the CAS upgrade, you can begin the upgrade of each child site. Complete the upgrade of each site before you begin to upgrade the next site. Until all sites in your hierarchy are upgraded, your hierarchy operates in a mixed version mode.

Before applying this update, we strongly recommend that you go through the upgrade checklist provided on Technet. Most importantly, initiate a site backup before your upgrade.

In this post, we will update a stand-alone primary site server, consoles, and clients. Before installing, check if your site is ready for the update:

• Open the SCCM console
• Go to Administration \ Updates and Servicing
• In the State column, ensure that the update Configuration Manager 1810 is Available

• If it’s not available, right-click Updates and Servicing and select Check for Updates

• If the update is not downloading, click on the button Download on the upper node. The update state will change to Downloading
• You can follow the download in Dmpdownloader.log or by going to Monitoring / Updates and Servicing Status, right-click your Update Name and select Show Status

• The process will first download .CAB file and will extract the file in the EasyPayload folder in your SCCM installation directory.
• It can take up to 15 minutes to extract all files.

SCCM 1810 Upgrade Guide

Step 1 | SCCM 1810 Prerequisite Check

Before launching the update, we recommend launching the prerequisite check first. To see the prerequisite checklist, see the Microsoft Documentation

• Open the SCCM console
• Go to Administration \ Updates and Servicing
• Right-click the Configuration Manager 1810 update and select Run prerequisite check

• Nothing will happen, the prerequisite check runs in the background and all menu are unavailable during the check
• One way to see progress is by viewing C:\ConfigMgrPrereq.log

• You can also monitor prerequisite check by going to Monitoring / Update and Servicing Status, right-click your Update Name and select Show Status

• When completed the State column will show Prerequisite check passed

Step 2 | Launching the SCCM 1810 Update

We are now ready to launch the SCCM 1810 update. At this point, plan about 45 minutes to install the update.

• Right-click the Configuration Manager 1810 update and select Install Update Pack

• On the General tab, click Next

• On the Features tab, checkboxes on the features you want to enable during the update

• Don’t worry, if you don’t select one of the features now and want to enable it later, you’ll be able to so by using the console Administration \ Updates and Servicing \ Features

• In the Client Update Options, select the desired option for your client update
  • This option allows updating only clients member of a specific collection. Refer to our pre-production client deployment post for more details

• On the License Terms tab, accept the license terms and click Next

• On the Summary tab, review your choices, click Next and close the wizard on the Completion tab

The whole process took a minute but the installation begins on the back end.

• During installation, the State column changes to Installing
• We suggest you monitor the progress, by navigating to Monitoring / Updates and Servicing Status, right-click your Update Name and select Show Status

Unfortunately, the status is not updated in real time. Use the Refresh button to update.

• Open the SCCM log SCCM Installation Directory\Logs\CMUpdate.log with CMTrace

• When completed, you’ll notice the message There are no pending update package to be processed in the log file
• Monitoring / Updates and Servicing Status, right-click your Update Name and select Show Status, the last step will be Installation Succeeded
• Refresh the Updates and Servicing node in Administration, the State column will be Installed

Updating the Outdated Consoles

As a previous Cumulative update, the console has an auto-update feature. At the console opening, if you are not running the latest version, you will receive a warning and the update will start automatically.

• Since all updates operations were initiated from the console, we didn’t close it during the process. We received a warning message when clicking certain objects. You will have the same message when opening a new console

• Click OK, console restart and update will start automatically

• Wait for the process to complete. You can follow the progress in C:\ConfigMgrAdminUISetup.log and C:\ConfigMgrAdminUISetupVerbose.log. Once completed, the console will open and you’ll be running the latest version

Verification

Consoles

After setup is completed, verify the build number of the console. If the console upgrade was successful, the build number will be 8740 and the version is now Version 1810.

Beginning in 1802, this is a new version nomenclature for the console. The console will no longer include the main build number (8740). The last 2 numbers refer to the admin console build number. For example, in the Configuration Manager version 1810, the initial site version is 5.0.8740.1000, and the initial console version is 5.1810.1075.1300. The build (1075) and revision (1300) numbers may change with future hotfixes to the 1810 release.

Servers

• Go to Administration \ Site Configuration \ Sites
• Right-click your site and select Properties
• Verify the Version and Build number

SCCM 1810 Clients

The client version will be updated to 5.00.8740.1004 (after updating, see section below)

SCCM 1810 Client Package distribution

You’ll see that the 2 client packages are updated:

• Navigate to Software Library \ Application Management \ Packages

• Check if the update is successful, otherwise, select both packages and initiate a Distribute Content to your distribution points

Boot Images

Boot images will automatically update during setup. See our post on upgrade consideration in a large environment to avoid this if you have multiple distribution points.

• Go to Software Library / Operating Systems / Boot Images
• Select your boot image and check the last Content Status date. It should match your setup date

Updating the Clients

Our preferred way to update our clients is by using the Client Upgrade feature: (You can refer to our complete post documenting this feature)

• Open the SCCM Console
• Go to Administration / Site Configuration / Sites
• Click the Hierarchy Settings in the top ribbon
• Select Client Upgrade tab
• The Upgrade client automatically when the new client update is available to the checkbox is enabled
• Review your time frame and adjust it to your needs

Monitor SCCM Client Version Number

SCCM Reports Client Version

You can see our SCCM Client version reports to give detailed information about every client version in your environment. It’s the easiest way to track your client updates.

Collections

In conclusion, you can create a collection that targets clients without the latest client version because is very useful when it comes to monitoring a non-compliant client.

Here’s the query to achieve this: (You can also refer to our Set of Operational Collection Powershell Script which contains this collection)

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ClientVersion != '5.00.8740.1004'

The post Step-by-Step SCCM 1810 Upgrade Guide appeared first on System Center Dudes.

We had an issue in one of our clients site where some SCCM Administrator were receiving SCCM 1810 Client Notification error in the console. They informed us that they just upgraded to SCCM 1810 recently.

When we tried to initiated a client notification on SCCM 1810, the following error occured :

ConfigMgr Error Object:
instance of SMS_ExtendedStatus
{
Description = "CSspClientOperation: no permission to initiate the operation.";
ErrorCode = 1112017920;
File = "..\\sspclientoperation.cpp";
Line = 1177;
Operation = "ExecMethod";
ParameterInfo = "SMS_ClientOperation";
ProviderName = "WinMgmt";
StatusCode = 2147749889;
};

Clearly a missing permission in the security role of the affected users… but which one ? We found our answer in the SCCM 1810 What’s new documentation :

A new permission is now required to perform the Client Notification Actions.

SCCM 1810 Client Notification error Resolution

Here’s how to fix this error :

• Go to Administration\Security\Security Roles
• Select the security roles that applies to your affected user, right-click and select Properties

• In the Permission tab, go to Collection (not SMS_Collection)
• Set Notify Ressource to YES

• Repeat for any other security role

That’s it, your user will be able to do again their client notification actions.

The post SCCM 1810 Client Notification error appeared first on System Center Dudes.

When I first read the SCCM 1810 New features list, the features that I found the most interesting was the new SCCM Wake on LANClient Notification addition. By reading the feature description it looks too good to be true. Finally an easy way to do Wake on LAN on an enterprise network :

What makes it exciting is that SCCM can now find another client on the same subnet and wake up its neighbour. We won’t describe in details how WoL works, but let’s say that it’s always been a challenge to implement it in a corporate environment mostly because magic packets are non-routable so it doesn’t work easily on remote subnets.

We fired up our lab environment and had to try it to see if it comes up to our expectation. The blog post will show in details how to enable SCCM 1810 Wake on LAN using Client Notification.

SCCM Wake on Lan Client Notification – Requirements

Your computer hardware needs to support Wake on LAN. This means a compatible BIOS and network card. Not every computer is automatically able to use Wake on LAN but chances are good that you are fine if it’s not too old (10 years and less)

Bios

First, you need to make sure that Wake on LAN is enabled in the BIOS of your client computer.

Since there are many different BIOS vendors, we can’t guide you for all model types. Usually, you’ll find this option under Power option or Advanced Settings

• Look for Wake-On-LAN or Power On by PCIe/PCI

Windows Device manager

Once the option is enabled in the BIOS, you need to enable it in the Network Card Properties

• Go to Device Manager
• Find your network card, right-click Properties
• In the Advanced tab, find Wake on LAN Magic Packet, set it to Enabled

• In the Power Management tab, check Allow this device to wake the computer and Only allow a magic packet to wake the computer

Enabling Wake on LAN on the SCCM Site Server

Now that our clients are ready to receive Wake on LAN magic packet, we will enable the option in SCCM.

• On your SCCM Primary site server, go to Administration \ Site Configuration \ Sites
• Right-click your site and select Properties

• In the new Wake On LAN tab, check Enable Wake on LAN for this site and select Subnet-directed broadcasts
  • Subnet-directed broadcast has a higher success rate – Read about the different broadcasting method on Microsoft Technet

• Click the Advanced button and select the desired options. For our tests, we are leaving everything by default

• Still in the Site Properties, select the Ports tab. By default, SCCM uses port 9. To increase security, you can select another port for the site. Just make sure that this port is supported by routers and firewalls.

• Click Apply and Ok to close the Site Properties

As soon as you’ll enable the feature, 2 new log files will be created on the site server :

In the SCCM Installation directory \ Logs :

Testing on clients

We are now ready to test the feature on a computer. You need to have at least 1 online computer on the same subnet than the offline computer. SCCM will use Client notification on the online computer to send magic packet to the offline computer.

• Go to your collection and find your offline computer. Important: The machine needs to be an SCCM client
• Right-click on it, select Client Notification / Wake up

• If SCCM doesn’t find another device on the same subnet to send its wake up packet, you’ll get the following message.

• If SCCM finds another device on the same subnet to send its wake up packet :

Monitoring and Troubleshooting

To see if your Wake on Lan test succeed

• You can use the SCCM logs (see the previous section)
• Use the console: Monitoring\Overview\Client Operations
• You can use a software like Wake on Lan Monitor that will help you troubleshoot if the magic packet is sent and received

As per Microsoft documentation, the following network configurations are not supported:

• 802.1X with port authentication
• Wireless networks
• Network switches that bind MAC addresses to specific ports
• IPv6-only networks
• DHCP lease durations less than 24 hours

The post How to enable SCCM Wake on LAN Client Notification (1810+) appeared first on System Center Dudes.

Beginning with SCCM 1810, you can now repair an application directly from software center on an SCCM client. A small but useful new feature! Before 1810, you would have to go through Control Panel (not useful if a user didn’t have admin rights) or by uninstalling and reinstalling the application using 2 distinct software center actions.

Now, you can directly initiate a Repair action in Software Center. The good news, is that’s really simple to do ! The only thing that you need to do is :

• Upgrade to SCCM 1810
• Add a repair command line to your application
• Check the Repair option in your application deployments

If you haven’t upgrade to SCCM 1810 yet, we have a complete post for it. As the time of this writing SCCM 1810 is in slow ring, so you may see it in your console in a couple of days. If you don’t have it yet, follow our post to see how to switch your SCCM server in the Fast Ring.

Add SCCM repair command line

The first thing you need to do to have the SCCM application repair option is to add your repair command line in your application.

• In the SCCM Console
• Select the desired application, select the deployment type and go to the Properties
• In the Program tab, specify the command to repair the application in the new box

You’ll have to find the silent switch for repairing your application as for the installation switches.

If you have an MSI, it will look like this :

https://www.advancedinstaller.com/user-guide/msiexec.html

Add the repair option in the SCCM Deployment

Once the application has a repair command line, we can add the option in the deployment

• In the SCCM Console
• Create a new deployment for your application
• In the General tab, select your software and collection

• In the content tab, ensure that your application is distributed, click Next

• In the Deployment Settings tab, select Allow end users to attempt to repair this application

• In the Scheduling tab, select the desired schedule

• In the User Experience tab, select the desired options

• In the Alerts tab, select the Alerts options

In the Completion tab, you can see the repair option has been enabled

Test SCCM Repair Application on Client

Let’s see the results on an SCCM client

• Launch the Software Center
• On our test client, 7zip has already been installed
• Click on the application, a new Repair button is available
• Once initiated, the repair command line is launched.

• You can see the repair results in the AppEnforce log file.

A small but awesome new feature !

The post Repair Application from Software Center using SCCM 1810+ appeared first on System Center Dudes.

If you’ve been using BitLocker in your organization, you probably receive some requests from your security department to monitor the status of a device if it gets stolen. There’s a couple of ways to achieve this.

#1 – MBAM

The first and recommended one would be to use Microsoft BitLocker Administration and Monitoring (MBAM). However, this tool is not free, you need to have Microsoft Desktop Optimization Pack (MDOP). Microsoft has also announced that the actual MBAM 2.5 version is getting deprecated soon (Extended support on July 2019). So we’ll skip this one for now.

#2 – Configuration baseline

The second solution would be to use a configuration baseline in SCCM to monitor BitLocker and report the configuration baseline status using a report. This is a good solution but you’ll need to create a baseline based on a script and deploy it to all your computers. If you’re not familiar with configuration baseline and want a quicker, simplier solution, keep reading.

#3 – SCCM Bitlocker Report

The last solution would be to use a built-in SCCM Bitlocker report… but there’s none. The good news is that we’ve created one for you and giving it for free just because we think you’re awesome!

There’s 2 small thing to do before you can use the free report. You need to enable Bitlocker inventory classes in your Hardware inventory. If your inventory is already configured for Bitlocker, jump to the download section.

HOW TO ENABLE Bitlocker INVENTORY

Select the Client Settings that apply to your bitlocker collection. In our example, we’ll use the Default Client Setting but we reccomend that you use a custom one.

• Open the SCCM Console
• Go to Administration / Client Settings
• Right-Click your Default Client Setting, select Properties

• Click on Hardware Inventory
• Click on Set Classes

• Ensure that Bitlocker (Win32_EncryptableVolume) is enable

• Ensure that both TPM (Win32_Tpm) and TPM Status (SMS_TPM) classes are also enabled

• Close the Hardware inventory class window by clicking ok.

Bitlocker Inventory Verification

Now that our classes are enabled, trigger a Machine Policy Retrieval & Evaluation Cycle (to have the latest Client Settings) followed by an Hardware inventory Cycle on a computer that has Bitlocker enabled. Once the inventory is completed, check the inventory using Resource Explorer :

• In the SCCM Console
• Right-Click your device, select Start / Resource Explorer
• Confirm that you have Bitlocker listed

Free SCCM Bitlocker Report

Now that you’ve confirmed that the inventory is working, the last thing you need to do is :

• Download the RDL File from our product page | Asset – Bitlocker Status
• Upload the report to your Reporting Point and change the data source
• Run the report

You can download this free report by visiting our product page. The Asset – Bitlocker Status report is available in the Report / Asset Section.

The post Monitor Bitlocker Status using SCCM Bitlocker Report appeared first on System Center Dudes.

While configuring the Cloud Management Gateway (CMG) at different client sites, we stumbled on an issue ‘Failed to sign in to Azure‘ to create the Azure web applications.

While we don’t know the official cause or how to prevent it, a workaround is possible.

If you are looking to configure the Cloud Management Gateway from A to Z, see ourprevious post.

SCCM CMG Failed to sign in to Azure – Symptoms

One of the first step to configure the Cloud Management Gateway is to configure the Azure Services. This step consists of creating the connection to the Azure Tenant and create 2 Web Applications, the ConfigMgr Server Application, and ConfigMgr Client Application.

Once the details are provided to create the ConfigMgr Server Application, we received a ‘Failed to sign in to Azure’ error.

Surely enough, we may have done an error providing the credential, so we did retry to sign in, but this time, the error was not the same. ‘Another object with the same value for property identifierUris already exists‘

Looking into Azure, strangely enough the application already exists! The ‘Failed to sign in to Azure‘ error was not that much a failure in the end.

From that point, we can no longer proceed to next step following the regular steps to configure the Cloud Management Gateway

Configure ConfigMgr Server Application

To be able to configure the ConfigMgr Server Application, select the Import option instead of New.

Provide all the required information

• Click Verify, this doesn’t require authentication. Wizard can than be completed

Find information in Azure

To get all the required information :

• Go to Portal.Azure.com
• Browse to Azure Active Directory
• The Azure AD tenant name can be seen in the Overview it should be xxxxxxxx.onmicrosoft.com

• Look for App Registration or  App Registration (Preview)

• Search for ConfigMgr and you should find only the ConfigMgr Server Application, somehow created previously

• Double click on it to find the Application(client) ID and Directory (tenant) ID

• In order to get the Secret key, it must be recreated. Under Certificates & Secrets select New client secret

• Select In 2 years, add a description if wanted, and click Add.
• Take note of the key to add it to the wizard
• Previous Client secret can be deleted

Configure ConfigMgr Client application

Next step is to configure the ConfigMgr client application. Trying it with the wizard to create it is likely to give the following error:’ Failed to Create ClientApp. Server app might not be present in the tenant specified’

Similarly to the Server App, we’ll need to manually provision Azure with the app

• Go to Portal.Azure.com
• Browse to Azure Active Directory
• Look for App Registration and select New Application registration

• Provide
  • Name : ConfigMgr Client Application
  • Application type : Native
  • Redirect URL : https://ConfigMgrClient

• Select Create at the bottom
• Go back to the Client app wizard in SCCM, provide the Application name and Client ID (ApplicationID)

Modify ConfigMgr Client Application

• Browse to the ConfigMgr Client Application to see the details

• Go to Authentication and remove the current Public Client(mobile &desktop) entr

• Select from the drop list, Public Client and add the following Redirect URI
  • ms-appx-web://Microsoft.AAD.BrokerPlugin/<ConfigMgr Server Application ID>
  • Don’t forget to hit Save

• Go to API Permissions and select Add a permission

• Under APIs my organization uses search for ConfigMgr Server application and select it

• Select User_Impersonation and click  Add Permissions at the bottom

• Back to the API permissions, at the bottom click Grand admin consent for…

Modify ConfigMgr Server application

• Go to API Permissions of the ConfigMgr Server Application
• Select Add Permission and select Microsoft Graph

• Select Application permissions

• Expand Directory and select Directory.Read.All
• Back to the API Permissions, at the bottom click Grand admin consent for…

That’s it! After that, completing the Cloud Management Gateway configuration shouldn’t be a problem

The post Failed to sign in to Azure error when configuring SCCM Cloud Management Gateway appeared first on System Center Dudes.

Today I upgraded my production SCCM/ConfigMgr environment from 1806 to 1810, but before I did, I took care of some housekeeping that saved me a fair amount of work on the backend. If you’re like me, you try ensure that your collections aren’t being refreshed unnecessarily. For collections where I have direct or include/exclude rules, I always uncheck the incremental and scheduled refresh boxes when setting up the collection. However, there’s one extra step that I haven’t been doing that requires just a bit of consideration before upgrading to 1810. The picture below is the setting in question.

The Issue

The Release Notes for SCCM 1810 state the following:

Previously, when you configured a schedule on a query-based collection, the site would continue to evaluate the query whether or not you enabled the collection setting to Schedule a full update on this collection. To fully disable the schedule, you had to change the schedule to None. Now the site clears the schedule when you disable this setting. To specify a schedule for collection evaluation, enable the option to Schedule a full update on this collection.

https://docs.microsoft.com/en-us/sccm/core/plan-design/changes/whats-new-in-version-1810#improvements-to-collection-evaluation

If you’re like me, you likely have scheduled refreshes happening for collections that you thought you’d disabled it on. In my prod environment, I have 2200+ collections and 1750 collections were affected by this issue.

If you have NOT already upgraded to ConfigMgr 1810, you can use the following PowerShell script to change disable the schedule to None for all of the collections where the checkbox has been unchecked.

If you have already upgraded to 1810, this script won’t help since any collections in this state prior to the upgrade are were updated to Periodic (RefreshType 2). Eswar Koneti has a great post and script to help you further.

Finding Affected Collections

Collections with the Schedule checkbox unchecked but with an active schedule can be found using the ConfigMgr PowerShell cmdlets. If you run this query before upgrading to 1810, you should expect to find some collections.

#Returns all Collections with a recurring collection and RefreshType of manual.
Get-CMDeviceCollection | Where-Object RefreshType -eq 1 | Where-Object {$_.RefreshSchedule.SmsProviderObjectPath -ne "SMS_ST_NonRecurring"}

If you run the above collection on 1810, you won’t find any collections in this state. Instead they will all have RefreshType 2 and can be found with this query:

#Returns all Collections with a recurring collection and RefreshType of Periodic.
Get-CMDeviceCollection | Where-Object RefreshType -eq 2

SCCM Remove Recurring Schedules Collections Script

The script is commented and walks through what each step does. The script simply selects all collections where RefreshType is 1 and RefreshSchedule is not SMS_ST_NonRecurring then updates the RefreshSchedule with a non-recurring schedule.

<#

    .SYNOPSIS

        Find all collections with a RefreshType of 1 (Manual) that have a recurring schedule set and update the schedule to non-recurring (None).

    .NOTES

        Author: Adam Gross

        Twitter: @AdamGrossTX

        Website: https://www.asquaredozen.com

    .LINK
        Originally posted on http://www.SystemCenterDudes.com

    .HISTORY

        1.0 - Original
#>

[cmdletBinding()]
param(
    [Parameter(Mandatory=$true)]
    [string]
    $SiteCode,
    
    [Parameter(Mandatory=$true)]
    [string]
    $ProviderMachineName
)

#Connect to ConfigMgr
$initParams = @{}
if((Get-Module ConfigurationManager) -eq $null) {
    Import-Module "$($ENV:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1" @initParams 
}

if((Get-PSDrive -Name $SiteCode -PSProvider CMSite -ErrorAction SilentlyContinue) -eq $null) {
    New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $ProviderMachineName @initParams
}

Set-Location "$($SiteCode):\" @initParams

#######################################################

#Set New Blank Schedule
$Schedule = New-CMSchedule -Start "01/01/2019 12:00 AM" -DurationInterval Minutes -DurationCount 0 -IsUtc:$False -Nonrecurring

#Get All Collections
$AllCollections = Get-CMDeviceCollection
Write-Host "Total Collections Count is: $($AllCollections.Count)"

#Filter to TargetCollections based on RefreshType of 1 which is Manual
$ManualRefreshCollections = $AllCollections | Where-Object RefreshType -eq 1
Write-Host "Total Collections with RefreshType of 1 is: $($ManualRefreshCollections.Count)"

#Get Collections with a RefreshSchedule that is recurring.
$RecurringCollections = $ManualRefreshCollections | Where-Object {$_.RefreshSchedule.SmsProviderObjectPath -ne "SMS_ST_NonRecurring"}
Write-Host "Total Collections with RefreshType of 1 and RefreshSchedule of Recurring: $($RecurringCollections.Count)"

$Count = 0
#Loop through each RecurringCollection and update the schedule to be non-recurring 
ForEach($Collection in $RecurringCollections)
{
    $Count ++
    Write-Host "#############################"
    Write-Host "Processing Record $($Count) of $($RecurringCollections.Count): $($Collection.Name)"
    $Collection | Set-CMDeviceCollection -RefreshSchedule $Schedule
    Write-Host "Updated: $($Collection.Name)"
}

You can download the latest copy of the script from the GitHub Repo.

The post Remove Recurring Schedules from Device Collections in SCCM Before Upgrading to 1810 appeared first on System Center Dudes.

That being said we are doing numerous SCCM Assessment these days, looking at various SCCM setup and configuration. Here’s our compiled list of settings, configuration and tricks we can give you to makes your SCCM configuration better.

Central Administration Site (CAS)

Don’t use a CAS. You’ll see this advice everywhere… and it’s true. Don’t use it. Just don’t.

When the Central Administration Site was introduced back in SCCM 2012 SP1 there was no concept of a preferred site system. If you had to manage thousand of clients in a remote site/region and a secondary site was not an option, the installation of numerous Primary Site was needed (so was the CAS).

But now that new client management options were introduced in later SCCM version, this is not needed anymore.

A Central Administration Site may be needed in specific scenarios. If you need to manage more than 175 000 clients or need more than 250 distribution points and you’re still unsure or don’t know what you’re doing, please ask for external help!

Colocate SQL

In most scenario, co-locate your SQL installation on your SCCM Primary Server. This is always debatable and often an unpopular topic among Database Administrators. DBA likes to have control and centralized databases as much as possible, however, co-location ensures better performance of you SCCM server.

From a licensing point of view it’s not an issue since all of the System Center products include SQL Server technology

SQL Configuration and Maintenance

Read and understand the basics of SQL configuration. Disk configuration and proper memory management can make a huge difference in your SCCM server performance. Don’t be shy to ask help to your DBA, SCCM is based on SQL technology and SQL best practices applies.

Also, make sure to defragment indexes on your SQL SCCM database on a regular basis. Fragmented indexes can make your application slow down significantly.

You can use the built-in Rebuild Index site maintenance task or use the Ola Hallengren’s SQL Server maintenance solution.

Site Systems

Keep it simple! The more site server, the more complexity you’ll have to manage. We saw setups with dozen site servers to manage 1000 computers. Why? Just because they decided to separate each role based on assumptions and bad advices. There’s really no harm doing single SCCM site server setup (SQL included) for small businesses (in term of SCCM Managed perspective). We have a couple of design recommendation in one of our post. You’ll live with this setup for years to come so plan accordingly and don’t be afraid to ask for help from the community.

Stay Current

I hope I’m not teaching you anything by saying that SCCM uses an in-console service method. This in-console method makes it easy to install updates for your SCCM infrastructure.

• Updates are made available 3 times a year
• Each version offers 18-month support, so don’t wait too much before upgrading to a new version
• At the time of this writing, the latest version is 1810
• The latest baseline version is 1802. Use this version to install a new server

When upgrading to the latest version, don’t forget to upgrade your clients ! We are seeing too many environment where the site is upgraded but not the clients.

Review the documentation of each release to learn the new and deprecated features.

Make sure to follow David James on Twitter who is the first person to announce the new version in his famous “one of those Fridays”

Client installation Compliance

What’s the goal of SCCM if you’re not managing all your devices? Do you want to push your software to only 70% of your computers? Will your security department accept that only 62% of devices have been patched? Do you want to give your management inventory number with a 28% error margin? No, No and … No.

Ensure to check your client compliance number on a weekly basis. Nothing makes me sadder to see discovered devices without the SCCM client. We often see 60-70% client installation rate. We recommend aiming 95% of the machines to have the SCCM clients. With laptops and road warrior, 100% is mostly impossible but with the help of Cloud Management Gateway and proper monitoring, your goal is attainable.

There’s also many solution out there to help you :

• 1901 Technical Preview is adding a nice client health dashboard (but still not in the production version)
• Client Health Script by Anders Rodland
• ConfigMgr Client Startup Script by Jason Sandys
• Our SCCM Client Health Report

Software Update Maintenance

Doing Software update deployment and not doing regular maintenance will bring your server to a non-functioning state.

• Configure IIS to stop recycling the App Pool
• Enable the built-in SCCM WSUS Server Cleanup on a regular basis
• Decline superseded updates in WSUS
• Use this script : Fully Automate Software Update Maintenance in Configuration Manager – By Brian Dam
• Or This one: Clean Software Update Packages in ConfigMgr with PowerShell – By Nickolaj Andersen [MVP]

Collection Maintenance

Collection refreshes are heavy processes on your server resource. It can bring your server running really slow if you configure it incorrectly. The biggest mistake is enabling incremental refresh on all collections. We also often sees incremental AND full collection updates enabled on the same collections.

Give your SCCM Collections some love by :

• Understand the refresh process – Great article by Garth Jones
• Limit the number of incremental collection
• Use our SCCM Collection report to identify which collections are badly configured
• Detect those Nasty Collections
• Do not use both Full and Incremental on the same collection
• Delete unused and empty collection
• Use Collection Management Insight (1802+)
• Use Collection Evaluation Viewer (CEViewer) from the SCCM Toolkit

Deployment Maintenance

Delete and remove any deployments that are no longer in use. If the deployment compliance is 100% and no longer necessary, delete it. If it’s a test deployment, delete it. If it’s a deployment created in 2009… delete it.

We created a script to help you detect and delete old deployments

Windows 10 Servicing

If you haven’t migrated yet, it’s a question of time before all your computers runs Windows 10. Windows 7 end of support is approaching (January 2020) and you must plan an upgrade strategy now. SCCM is giving you 2 options to manage Windows 10 Servicing. Upgrade task sequences and Servicing Plan. Master those topics because you’ll have to update your Windows 10 on a regular basis.

Also, ensure to track your Windows 10 version and establish an upgrade strategy for the long run. Microsoft has recently changed their support policy for 30 months for the September releases (Enterprise edition). The March release still have a support life cycle of 18 months.

SCCM Log Files

SCCM is a logging machine. It logs everything. I lose my mind when someone tells me that it’s not in the logs… it is! You just haven’t look the right one. One of the best skill you can have it knowing the exact meaning of all the logs file. (Joking!). Just learn the most important one… and use CMTrace to open them, not Notepad. (Sorry Wally).

And in case your didn’t know, CMtrace is part of every client since SCCM 1806. No need to copy it during your task sequence or using a deployment/script.

Maintenance Tasks

Review your maintenance task on a regular basis. Is the setting you set 3 years ago still valid? Some SCCM upgrade can bring new maintenance tasks.

The most important part is the backup of your database. SCCM built-in task or an SQL backup is a debatable option. Some like the built-in one, other the SQL one, I like to recommend having either one of them and know the restore path of the one you decide. Make sure to monitor your backup tasks, a failing backup is like having no backup!

Modern Management

The buzz word of the moment. You need to go to Intune absolutely now! SCCM will be dead in a couple of years. Wrong!

However, Microsoft has announced that on September 1, 2019, they will retire the hybrid MDM service offering. If you have SCCM in Hybrid mode, plan your migration to Intune Standalone.

SCCM is not dead and it’s in better shape than ever. Just look at all the new features that get developed in each release. However, it would be wrong not to look at these new devices management possibility that Intune and Autopilot brings. Just keep an eye on these new technologies, enable co-management and start playing with it.

Attend Conferences

This is not really a best practice but it will help you learn a lot. Some of them are big events (Microsoft Ignite) but there are smaller events like the Minnesota Management Summit (MMS – not the Las Vegas one back in the days) that will allow to target your expertise a lot more and meet accessible experts and MVPs.

There are also new events organized by other groups like Modern Management Summit London 2018 organized by SCConfigMgr/TrueSec that are worth the price (FREE!) if you are in the region.

And there are many local groups that meet up on a regular basis which you can join if you are near them.

Use Social Media

Once again not a best practice but the SCCM community out there is awesome. Follow them on Twitter, read the Reddit SCCM Community, join Facebook, Linkedin and Slack groups.

On Twitter, follow the EMS MVP List which contains 64 MVPs.

This list could have go on for a while but i’ll stop there for now. Leave your tips and trick using the comment section.

The post SCCM Best Practices (Tips and Tricks) appeared first on System Center Dudes.