Channel: Configuration Manager – Coretech Blog

Microsoft EMS News App for Windows 10 and Windows Phone 10

As an IT-Pro I am used to staying up to date on the latest technology that I am working with. With on-premises solutions like traditional ConfigMgr implementations, staying up to date is not too hard with a little bit of effort, since new features and updates are not added daily, as opposed to what is going on in the cloud.

The cloud is evolving so fast, with new features and services added daily, and Microsoft EMS News is a tool to help IT-Pros stay up to date without too much effort. It is built to give a single place and/or stream of information about Microsoft Enterprise Mobility Suite.

This is a community tool that offers a “single-pane-of-glass” into the Microsoft Enterprise Mobility Suite where you have a single hub for all the necessary information to get you started with EMS and Hybrid-Cloud services.

The App consists of these sections:

image

image

image

The App will be available in the Microsoft Store before too long. So stay tuned here and I will update this blog post when it hits the market.

Meanwhile, if you want to download the bits and install it through PowerShell (the Kaido-way), you can do that right here:

Windows 10: Download (MicrosoftEMSNews.Desktop-v1.0.7.0) –> Extract –> Run the Add-AppDevPackage.ps1 PowerShell script and it will install it for you.

image

image

Windows Phone 10: Just use a QR Reader and scan this photo:

download

PS: The name of the App will probably change in the future.

Hope this app can help others in the same position as me!

Cheers!


MMS 2015 precon notes

Hi, thanks for an amazing week @ MMS. Here are the notes from our ConfigMgr

SQL script to check for fragmentation on the SQL DB

Checking the database fragmentation:
Use CM_PS1
Go
SELECT DB_NAME(database_id) AS [Database Name], OBJECT_NAME(ps.OBJECT_ID) AS [Object Name],
    i.name AS [Index Name], ps.index_id, index_type_desc,
    avg_fragmentation_in_percent, fragment_count, page_count
FROM sys.dm_db_index_physical_stats(DB_ID(),NULL, NULL, NULL ,N'LIMITED') AS ps
    INNER JOIN sys.indexes AS i WITH (NOLOCK)
    ON ps.[object_id] = i.[object_id] AND ps.index_id = i.index_id
WHERE database_id = DB_ID()
AND page_count > 1500
ORDER BY avg_fragmentation_in_percent DESC OPTION (RECOMPILE);

Part 1: Uninstall Java (or any other software) with ConfigMgr Compliance Baselines

Compliance Items and Compliance Baselines in ConfigMgr are so powerful! And with some PowerShell magic you can use them to do almost anything you like on a Windows-based computer – only your imagination will be the showstopper!

Here I will show how you can uninstall software using WMI and Compliance Items in SCCM. However, it is important that you read the following articles, as the uninstallation process uses the Win32_Product WMI class, which is known for its evilness. Thanks to Kaido, Jürg and Torsten for pointing this one out. An updated post has been created using a better and more reliable way of doing this with the SMS_InstalledSoftware class. Check out this post for a better way and instructions: http://bit.ly/1N3xwLQ

Win32_Product is evil:

  1. http://gregramsey.net/2012/02/20/win32_product-is-evil
  2. http://blogs.catapultsystems.com/cnackers/archive/2012/02/20/win32_product-is-evil
  3. http://blogs.technet.com/b/askds/archive/2012/04/19/how-to-not-use-win32-product-in-group-policy-filtering.aspx

If you want to play with the Win32_Product class anyway, follow these steps; however, it is not recommended for production:

Well, I had a customer that wanted me to 1. identify all computers running any Java applications and 2. uninstall Java if it existed. I quickly told them about Compliance Baselines, which can

  1. Discover java and report non-compliance
  2. Remediate non-compliance by uninstalling Java
  3. Report back compliance

all in one operation. 30 minutes later we had a working solution which we deployed to the organization.

Let’s start by creating the CI in your ConfigMgr Environment

On The server:

image

image

image

image

Detection Script:

#Detect Software
Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -match "Java"}

Remediation Script:

#Uninstall Software
$app = Get-WmiObject -Class Win32_Product | Where-Object { 
$_.Name -match "Java" 
}
foreach ($a in $app) {$a.Uninstall()}

image

image

Now that we have a working Compliance Item we can create a Compliance Baseline which is based on the CI we just created.

image

image

Click OK, right-click the baseline and choose Deploy.

image

Choose that you want to Remediate noncompliant rules. Select appropriate collection and a suited schedule.

On the Client:

Next is to go to the client and check if the CI and Baseline are doing what they’re supposed to do. Just so you know I am not cheating – check out the screenshots below, which show Java installed and then uninstalled after running the rules.

Java installed:

image

Compliance baseline is unknown or Non-Compliant

image

Java is uninstalled automatically:

image

Let’s work together for a more secure environment without Java – Cheers!

December 2nd: Part 2: Uninstall Java (or any other software) with ConfigMgr Compliance Baselines

It’s December 2nd and Christmas is just around the corner! Yesterday Jakob kicked off the Coretech December Calendar with a great post about “Triggering a webhook from a SharePoint workflow using Out-of-the-box Activities” (Check out his blog post here: http://bit.ly/1N16fte).  That was the  first, this is the second post in the Coretech blog series that will continue until December 24th - Christmas Eve! :)

In Part 1 (http://bit.ly/1PlnDPr) I explained how you can utilize ConfigMgr Compliance Baselines for uninstalling software like Java, Adobe etc. with the help of PowerShell and WMI. Well in Part 1 we used the Win32_Product class which is not recommended by many as it runs a consistency check against each installation and this can cause real performance issues and in worst case system failure.

Quote from Greg Ramsey blog: http://gregramsey.net/2012/02/20/win32_product-is-evil/


Win32_Product will return some great information about each windows installer-based application.  In fact, you can even view additional properties by running get-wmiobject win32_product | select * . However, even though you called a basic query of the Win32_Product class, you actually performed a consistency check of each installation.

The solution:

So how can we create a workaround for this? Well, we can use basic PowerShell scripting and utilize a different class like SMS_InstalledSoftware, which we are going to use in this example. There is just one catch, and that is that SMS_InstalledSoftware does not have an Uninstall method like Win32_Product has (https://msdn.microsoft.com/en-us/library/cc144824.aspx). So we need a different method for the actual uninstallation part.

The SMS_InstalledSoftware Class belongs to the Asset Intelligence features in ConfigMgr and is not enabled in Windows by default. You need to 1. have the ConfigMgr Agent installed and 2. enable the “Installed Software – Asset Intelligence (SMS_InstalledSoftware)” class under Hardware Inventory and Classes on your Client Setting Policy. Like this:

In your ConfigMgr Console, go to your Client Setting Policy, then Hardware Inventory and choose Set Classes.

image

Enable Installed Software – Asset Intelligence (SMS_InstalledSoftware)

image

Now that is done we can create a Compliance Settings Item and a Compliance Baseline like in Part 1 (http://bit.ly/1PlnDPr), but instead of utilizing WIN32_Product, let us use SMS_InstalledSoftware instead. Just change the Detection Script and Remediation script to the examples below and you should be good to go.

Detection Script:

#-----------------
#Define Variables
#-----------------
$Software = "Java"

#-----------------
#Search software
#-----------------
Get-WmiObject -class SMS_InstalledSoftware -Namespace "root\cimv2\sms" | 
Where-Object {$PSItem.ProductName -like "*$Software*"}

Remediation Script:

<#    
    .NOTES
    ===========================================================================
     Created on:       26.11.2015
     Created by:       Marius A. Skovli
     Organization:     Coretech
     Filename:         UninstallAppsWithWMI.ps1
    ===========================================================================
    .DESCRIPTION
        This Script will search for the software defined as ProductName in the 
        SMS_InstalledSoftware WMI Class store it in a variable ($Product) and uninstall
        the software. In this Example Java has been Used. 
#>

#-----------------
#Define Variables
#-----------------
$Software = "Java"

#-----------------
#Search software
#-----------------
$Product = Get-WmiObject -class SMS_InstalledSoftware -Namespace "root\cimv2\sms" | 
Where-Object {$PSItem.ProductName -like "*$Software*"}

#-----------------
#Uninstall software
#-----------------

    ForEach ($ObjItem in $Product) 
    {

    #-----------------
    #Define Variables
    #-----------------
    $ID = $ObjItem.SoftwareCode
    $SoftwareName = $ObjItem.ProductName

        #-----------------
        #Uninstall 
        #-----------------
        $Uninstall = "/x" + "$ID /qn" 
        $SP = (Start-Process -FilePath "msiexec.exe" $Uninstall -Wait -Passthru).ExitCode

    Write-Output "Uninstalled $SoftwareName"
    }

Write-Output "Done!"

The remediation script searches for the software defined as ProductName in the SMS_InstalledSoftware WMI class, stores the result in a variable ($Product) and uninstalls the software using a basic msiexec.exe /x command. If you have multiple Java versions installed it will run the uninstallation command ForEach Java version it finds.
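
An added variant of the remediation logic, not the author's script: it only passes SoftwareCode to msiexec when it is an MSI product code (a GUID), narrows the name match so unrelated products containing "Java" are skipped, and reports failure based on the msiexec exit code. The -Execute switch, the name pattern and the sample rows are assumptions made for this example.

```powershell
# Added example: guarded remediation for SMS_InstalledSoftware based uninstalls.
param(
    [string]$Software = "Java",
    [switch]$Execute   # hypothetical switch: without it the script only reports its plan
)

# An MSI product code is a GUID in braces; anything else must not be handed to msiexec /x.
$GuidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
# Assumed naming pattern for the Java runtime, tighter than the "*Java*" wildcard.
$NamePattern = '^Java(\(TM\))? \d+ Update \d+'
# msiexec results accepted as success: 0 = OK, 1605 = product not installed, 3010 = reboot required.
$SuccessCodes = 0, 1605, 3010

function Get-UninstallPlan {
    param([object[]]$Products)
    foreach ($Item in $Products) {
        $Action = if ($Item.ProductName -notmatch $NamePattern) { 'Skip: name does not match pattern' }
                  elseif ($Item.SoftwareCode -notmatch $GuidPattern) { 'Skip: SoftwareCode is not an MSI product code' }
                  else { 'Uninstall' }
        [pscustomobject]@{
            ProductName  = $Item.ProductName
            SoftwareCode = $Item.SoftwareCode
            Action       = $Action
        }
    }
}

# Same query and wildcard filter as the script above.
$Products = @(Get-WmiObject -Class SMS_InstalledSoftware -Namespace "root\cimv2\sms" -ErrorAction SilentlyContinue |
    Where-Object { $_.ProductName -like "*$Software*" })

if ($Products.Count -eq 0 -and -not $Execute) {
    # Constructed sample rows, used only in report mode when the class returns nothing,
    # so the planning logic can be seen on a machine without the ConfigMgr agent.
    $Products = @(
        [pscustomobject]@{ ProductName = 'Java 8 Update 66';         SoftwareCode = '{11111111-2222-3333-4444-555555555555}' }
        [pscustomobject]@{ ProductName = 'Contoso JavaScript Tools'; SoftwareCode = '{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}' }
        [pscustomobject]@{ ProductName = 'Java 7 Update 79';         SoftwareCode = 'Java7u79' }
    )
}

$Failed = 0
foreach ($Step in Get-UninstallPlan -Products $Products) {
    if ($Step.Action -ne 'Uninstall' -or -not $Execute) {
        # Report mode, or an entry that must not be uninstalled.
        Write-Output ("{0}: {1}" -f $Step.ProductName, $Step.Action)
        continue
    }

    $Arguments = "/x $($Step.SoftwareCode) /qn /norestart"
    $Code = (Start-Process -FilePath "msiexec.exe" -ArgumentList $Arguments -Wait -PassThru).ExitCode

    if ($SuccessCodes -contains $Code) {
        Write-Output "Uninstalled $($Step.ProductName) (exit code $Code)"
    }
    else {
        $Failed++
        Write-Output "FAILED $($Step.ProductName) (exit code $Code)"
    }
}

if ($Failed -gt 0) { Write-Error "$Failed uninstall(s) failed" }
Write-Output "Done!"
```

Run without -Execute first and review the plan; entries marked Skip are left installed and need a separate uninstall method.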

The result when ran from PowerShell:

image

This is a far better method than using Win32_Product. A big shout-out goes to Kaido Järvemets for helping me on this little project.

Don’t hesitate to comment below if you have any questions or additional thoughts you want to add.

Have a great December –  a Merry Christmas and Happy New Year to you all!

When Power BI met the SCCM Community

SCCM Community meet Power BI – Power BI meet the SCCM Community…

This blog post is the part 1 of 2 blog posts – and as you can see it’s all about introductions.
Power BI is not a “new” thing, it’s been around for some time but is really just now starting to take off.

image
(https://powerbi.microsoft.com/en-us/)

So what is Power BI?
It’s a new online service that gives us insight into our SCCM data and lets us display data internally or to others. Previous versions were a co-op between Power BI and Office 365, but now we have Power BI as an online service by itself. It even comes in a Desktop version that allows you to connect and build data sources locally from your device.

image

How can it help me working with SCCM?
A big wish from many administrators is a simple and understandable way to show the work and effort we put into acquiring the data that we gather in SCCM. They are constantly asked to provide visual evidence for services provided and time spent.
Whether it’s Inventory, Health, Compliance or Deployment data, we have had some possibilities to do just that with built-in reporting tools, but in my opinion it’s been heavy, slow and tiresome to work with. Can Power BI replace all that? No, not quite, because there are still dashboard solutions out there that might be more fitting to the individual needs. But if you asked me if I would spend time building reports in SCCM with the Report Builder or Visual Studio? I’d answer no – there’s Power BI!

And how does it work?
If you have worked with SQL Reporting Services for SCCM or perhaps even Power Query for Excel (now built-in with Office 2016) then you know the datasets to be the foundation of these. It’s still the same, and we can even reuse the exact same queries in order to work with the same data, but in a way that brings us many more options in terms of visual creativity and dynamics.

image
(Check this page out for all the possible data sources https://powerbi.microsoft.com/en-us/documentation/powerbi-desktop-data-sources/)

There are numerous ways to connect to the data, but it goes without saying that direct SQL connections are what most would look into; we just need a way to access it with account rights etc.

So to end this part 1, I hope that I’ve planted a seed of interest and perhaps you will even have looked at Power BI before you get the chance to read part 2 that will come later, with an example and a template for you all to use as a starting line for racing forward into the Power BI world.

So stay tuned to our xmas blog calendar, still so much cool stuff for us to share with you all.

Merry xmas!

System Center Configuration Manager 1511 – Dynamic updates

Looking at the life of an IT Pro today, people like you and me are being challenged like never before. Long gone are the days where we only focused on traditional desktop management; today we are also challenged with managing mobile devices like iOS, Android, Windows Phones and tablets, Mac OS X, traditional desktops, road warriors, cloud services, SLA and visualization demands from management, and the list just goes on and on. In the middle of everything, right there in the eye of the tornado, is you… often trying to put out fires instead of spending time on being more proactive and predictive.

How does ConfigMgr 1511 help you face the challenges?

First, and maybe one of the most important changes, is that ConfigMgr is moving into a service model with frequent update releases. Gone is the traditional 4 year period between each major release and 2 year wait for a service pack. Now updates are delivered right to your doorstep like any good pizza. The name also reflects the changes: it’s not ConfigMgr 2016, and there will never be a 2016 release. Instead you can expect multiple releases in 2016 named ConfigMgr 16XX, where 16 is the year and XX is the month. For example, 1603 is the name for a March release in 2016 (I’m not saying that there will be a March release!).

When installing ConfigMgr 1511 you are prompted whether you will be working in online or offline mode. A new site system role called Service connection point (this is the old Microsoft Intune connector) will, when working in online mode, communicate with Microsoft and upload telemetry data about your environment. The amount of telemetry data depends on what level you selected for collecting usage data: Basic, Enhanced, or Full. In return for your data you will be notified when new updates are available to your environment. Below is an illustration of what the architecture looks like.

 

image

To understand what happens in the background, we need to look at the log files that are part of the process and also have a tiny look in SQL (only look!).

1) The DMPUploader.log file will give you information about data being uploaded to Microsoft.

RETRIEVE BATCH MESSAGE: size 1433513    SMS_DMP_UPLOADER    12/6/2015 2:55:41 AM    4320 (0x10E0)
Found telemetry data to upload (1)    SMS_DMP_UPLOADER    12/6/2015 2:55:41 AM    4320 (0x10E0)
Uploading telemetry b752f957-edf6-445b-bd34-733093c573e4 …    SMS_DMP_UPLOADER    12/6/2015 2:55:41 AM    4320 (0x10E0)
Reading Internet Proxy…    SMS_DMP_UPLOADER    12/6/2015 2:55:41 AM    4320 (0x10E0)
Redirected to URL
https://sccm.manage.microsoft.com/SCCMConnectedService.svc    SMS_DMP_UPLOADER    12/6/2015 2:55:41 AM    4320 (0x10E0)
Certmgr has not installed certificate yet, sleep for 1 minutes.    SMS_DMP_UPLOADER    12/6/2015 2:55:42 AM    2012 (0x07DC)
UploadTelemetryData transmission b752f957-edf6-445b-bd34-733093c573e4 completed successfully    SMS_DMP_UPLOADER    12/6/2015 2:55:44 AM    4320 (0x10E0)
BATCH MESSAGE 0, size 1433513    SMS_DMP_UPLOADER    12/6/2015 2:55:44 AM    4320 (0x10E0)

As you can see in the log file, data is being uploaded to Microsoft. Now the question is, what data? To see that, turn to SQL Management Studio and create a new query where you type Select * from tele – as you can see in the screenshot below you will get a few results. Personally I would check all of the options, and see what the results are.

image

If you are just interested in seeing the telemetry results, type select * from TelemetryResults. From SQL, copy the data and paste it into Excel. You’ll notice that the data is encrypted and does not contain any personal data.

image

If you are not running in online mode, synchronization has to be done manually. From the installation media, navigate to smssetup\tools\Serviceconnectiontools\, where you will find the new Serviceconnectiontool.exe utility. Notice that for ConfigMgr 1511 it only works when the site is in offline mode.

image

2) The DMPdownloader.log file will give you information about when data is being downloaded from Microsoft. At first you will download a cab file containing information about a newly released update. Once the cab file is downloaded, you will see information in the Updates and Servicing node in the Configmgr console. Below is a screenshot from Technical preview 1510 where I installed the latest update. The download will not begin until you select to download and install the update pack. When that happens updates will be downloaded and placed in the .\Program Files\Microsoft Configuration Manager\EasySetupPayload folder (they will take a little tour to other folders first). To see how files are being downloaded and what folders are being updated you have to monitor the log file.

image

Also monitor the timestamps on the folders in .\Program Files\Microsoft Configuration Manager. In the screenshot below you can see that my cd.latest folder (used for recovery purposes) is being updated when I update the site. This folder is used to restore a site and must be part of your backup strategy for ConfigMgr 1511.

 

image

Don’t be fooled by the new Site Server Servicing Window in ConfigMgr 1511

In ConfigMgr 1511 you have a new maintenance window when you open the site server properties. That’s NOT for traditional software updates but for the new ConfigMgr Updates and Servicing model. You get to the maintenance window in the Administration workspace, Site Configuration, Sites. Right-click the primary site and select Properties. In the Maintenance Window tab, create a maintenance window (and make sure you call it something like ConfigMgr Dynamic update Only).

image

I did a few tests and the maintenance window does not apply to traditional software updates. According to my tests normal software updates will still apply unless you create a collection-based maintenance window.

Roll Out New Configuration Manager Distribution Point with PowerShell

Here is a quick example of how to install a new Configuration Manager Distribution Point with PowerShell. As you can see, we have many options to expand this script. We can install Windows Server features, reboot the server remotely, install additional software etc. It all depends on how you wanna install and configure it.

#Import the Module
Import-Module $env:SMS_ADMIN_UI_PATH.Replace("\bin\i386","\bin\configurationmanager.psd1")
$SiteCode = Get-PSDrive -PSProvider CMSITE

#Change the connection context
Set-Location "$($SiteCode.Name):\"

#New DP Information
$DistributionPoint = 'DP01.4demo4.com'
$SiteCode = 'PS1'

# Test the connection to server
    Test-Connection `
        -ComputerName $DistributionPoint

# OPTIONAL – Install Windows Server Roles and Features
    Install-WindowsFeature `
        -Name Web-ISAPI-Ext,Web-Windows-Auth,Web-Metabase,Web-WMI,RDC `
        -ComputerName $DistributionPoint

# OPTIONAL – Restart the Server
    Restart-Computer `
        -ComputerName $DistributionPoint `
        -Wait `
        -For PowerShell `
        -Force

# Add new Site System Server
    New-CMSiteSystemServer `
        -ServerName $DistributionPoint `
        -SiteCode $SiteCode

# Add a Distribution Point
    Add-CMDistributionPoint `
        -SiteSystemServerName $DistributionPoint `
        -SiteCode $SiteCode `
        -ClientConnectionType Intranet `
        -MinimumFreeSpaceMB 50 `
        -PrimaryContentLibraryLocation Automatic `
        -SecondaryContentLibraryLocation Automatic `
        -PrimaryPackageShareLocation Automatic `
        -EnablePxeSupport `
        -SecondaryPackageShareLocation Automatic `
        -CertificateExpirationTimeUtc ((Get-Date).AddYears(100))

# Modify the DP
    Set-CMDistributionPoint `
        -SiteSystemServerName $DistributionPoint `
        -SiteCode $SiteCode `
        -ClientCommunicationType HTTP

#Additional steps here
    #Monitor DP Installation

    #Distribute Content

 

Merry Christmas


December 11: Microsoft Enterprise Mobility Suite (EMS) Resources at your fingertips

I know it’s a pompous title, but that’s still the idea behind what I want to show next.

As an IT-Pro I am used to staying up to date on the latest technology that I am working with. With on-premises solutions like traditional ConfigMgr implementations, staying up to date is not too hard with a little bit of effort, since new features and updates are not added daily, as opposed to what is going on in the cloud. For some time now I have been working with cloud services like Microsoft Intune, and eventually EMS after the suite was introduced. A challenge today is to stay ahead of the curve and be up to date on everything that happens with the Enterprise Mobility Suite from Microsoft, and if you add all the cool solutions that other IT-Pros find and blog about, well, it can be a bit blurry.

As I said, the cloud is evolving so fast, with new features and services added daily, and I created the Microsoft EMS Resources App to help myself and hopefully other IT-Pros stay up to date without too much effort. Microsoft EMS Resources is built to give a single place and/or stream of information about Microsoft Enterprise Mobility Suite.

It’s a community tool that offers a “single-pane-of-glass” into the Microsoft Enterprise Mobility Suite where you have a single hub for all the necessary information to get you started with EMS and Hybrid-Cloud services.

The tool is offered in both Windows 10 Mobile and Windows 10 Desktop stores.

Get it for free here or search in the store for Microsoft EMS Resources: https://www.microsoft.com/store/apps/9nblggh6j3fq


Hope the app/tool can be useful to others. Don’t hesitate to comment below if you have any questions or additional thoughts you want to add.

With that said I wish you all a merry Christmas and a Happy New Year!

Managing Mac OS X devices with ConfigMgr and Parallels

Xmas is not far away now, but before we hit that one special holiday during the year I want to throw one more blog out into cyberspace.

Managing those Mac OS X devices once and for all!

ConfigMgr 2012 started out with a proposed solution to how we could start managing those silver things from the Apple company; it just wasn’t quite as easy as we would like it to be. We needed all kinds of special little configs and tweaks to be made, and on top of it we needed to bring in the PKI infrastructure with a transition of our Site System Roles to HTTPS. So many that had Mac OS X devices as a minority, well, they didn’t bother.

But… Now, believe it or not! There is an easy way for us to actually get them into ConfigMgr, register them, support them and even deploy them! With the same kind of structure as we know it from our Windows devices.

Parallels Mac Management for SCCM, or ConfigMgr as I prefer to call it.

What the Parallels product brings to ConfigMgr is actually 2 types of roles:

  • Configuration Manager Proxy
  • Netboot Server

The Parallels Configuration Manager Proxy is the role that integrates with ConfigMgr and allows us to manage the Mac OS X devices in our environment, and most importantly – we can do it in HTTP mode. And it’s in no way a complicated installation as long as you do your prerequisite work properly, just like we do before installing ConfigMgr itself. There are some small operations to be done in Active Directory, and perhaps even a service account if you don’t want to run with Local System.

The Parallels Netboot Server is the role that together with the Distribution Point, having PXE enabled, allows you to actually deploy Mac OS X version to the Apple devices with a special boot image, OS X reference image and a Task Sequence! Brilliant!

With the 2 roles above we are able to bring the following features to the Mac OS X clients:

  • Network discovery of Mac computers (Through already created boundaries or IP subnets)
  • Inventory of Mac hardware and installed applications (Through the Parallels Mac Management client agent)
  • Operating System Deployment (Build boot images and reference images and deploy them through a Task Sequence)
  • OS X software and patch distribution (Create a normal package and deploy it)
  • Parallels Application Portal (Create .cmmac applications with the ConfigMgr utility, users can then request through the Parallels application portal)
  • OS X configuration management via Configuration Profiles (Create profiles that can specify settings or configurations)
  • FileVault 2 Encryption Management (Encrypt those Apple devices like we do on our Windows devices)

So to say it frankly – there is no longer any excuse for us to not manage these Mac OS X devices. The above mentioned solution and the features that follow are exactly what we need to start controlling the devices and ensuring that they are also managed.

More to follow…

How to create Mac OS X OSD resources with Parallels for ConfigMgr

For those already using Parallels Mac Management for SCCM here’s a little guide for creating the boot image and netrestore image.

Boot Image

Build and start a clean Mac with latest OS X version.

Login with the admin user and create the following folders in Documents:

  • Boot
  • SSHKeys

Open the Terminal application.

Navigate to the SSHKeys folder.
Example: “cd /Users/%accountname%/Documents/SSHKeys/”

Run the following command:

ssh-keygen -t rsa

When asked about filename just enter id_rsa.

When asked about a passphrase just press enter for default selection which is blank.

In the SSHKeys folder there should now be two files located:

  • id_rsa
  • id_rsa.pub

In Safari enter the URL for downloading the PmmOsdImageBuilder.dmg file:

http://server.domain.com:8761/files/PmmOsdImageBuilder.dmg

When downloaded mount the PmmOsdImageBuilder.dmg file.

In the Terminal application navigate to the mounted folder.

Example: “cd /Volumes/Parallels OSD Image Builder 4.0.1.31/”

Run the following command:

sudo ./pmm_osd_image_builder netboot -n [output-dir] --ntp-servers [ntp_servers] --ssh-authkeys [ssh_keys_file]

[output-dir] – Is a local folder on the Mac device, in this case the local folder we created called Boot. Example Path: “/Users/%accountname%/Documents/Boot/”

[ntp_servers] – Is a given NTP server/service used. Example: “time.euro.apple.com”

[ssh_keys_file] – Is the location to where SSH keys can be accessed, in this case we created them in the SSHKeys folder. Example Path: “/Users/%accountname%/Documents/SSHKeys/id_rsa”

Finalized command:

sudo ./pmm_osd_image_builder netboot -n /Users/Admin/Documents/Boot/ --ntp-servers time.euro.apple.com --ssh-authkeys /Users/Admin/Documents/SSHKeys/id_rsa

Verify that the command executed without any errors or missed actions.

Copy the contents of the Boot folder to the SCCM Server.

Netrestore Image

Build a Mac device with 2 partitions:

  1. OS – Install latest/desired Mac OS X – will be the source volume to be captured and deployed to future Mac devices.
  2. Build – Install latest Mac OS X – will be the volume where the capture process is executed from.

Boot on the Build Volume, Login with the admin user and create the Image folder on the Image partition.

In Safari enter the URL for downloading the PmmOsdImageBuilder.dmg file:

http://server.domain.com:8761/files/PmmOsdImageBuilder.dmg

Mount the .dmg file and run the following commands or copy the contents to a local folder and then run the following commands from there.

Open the Terminal application.

In the Terminal application navigate to the mounted folder.

Example: “cd /Volumes/Parallels OSD Image Builder 4.0.1.31/”

Run the following command:

sudo ./pmm_osd_image_builder netrestore -s [source-vol] -o [output-dir]

[source-vol] – Is the source volume point to create the image from.

Example: “/Volumes/OS”

[output-dir] – Is a target folder where the image file will be placed. Example Path: “/Volumes/Image/Capture/”

Finalized command:

sudo ./pmm_osd_image_builder netrestore -s /Volumes/OS -o /Volumes/Image/Capture/

Copy the contents of the Boot folder to the ConfigMgr Server.

All that is needed now is to import the boot image and the restore image into ConfigMgr.

Windows WI-FI profiles

I am currently working on an Enterprise Mobility project and thought I should share a little trick. In the project we are deploying WI-FI profiles to Windows 10 devices. Some WI-FI profiles use SCEP/NDES certificates while others are configured using a pre-shared secret. When working with Windows WI-FI profiles, the only way to add a pre-shared secret to the profile is by creating a custom XML file. An easy way to create the WI-FI profile XML file is to create the profile on a Windows 10 computer and then export the profile. To do that, use the steps below:

  1. To list all the WI-FI profiles on the computer, launch PowerShell as administrator, type netsh wlan show profiles and make a note of the WI-FI profile name.

    image

  2. Next type: netsh wlan export profile name="Agerlund1" key=clear folder=c:\temp where Agerlund1 is the name of your WI-FI profile. This will create the XML file in c:\temp

     image

  3. The exported XML file is in clear text, pre-shared secret included, and can be imported straight into Microsoft Intune or Configuration Manager. Notice the connectionMode element; it can be either manual or auto. Auto will connect to the network without any user interaction.

    image

  4. In ConfigMgr create a new WI-FI company resource profile and select to import it from an existing XML file.

    image

 

P.S. NO, it’s not my private WI-FI profile….just saying
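
As an added example (not part of the original post): a PowerShell check that reads exported profile XML and reports the connection mode and whether the pre-shared key is stored unprotected, so exports left in c:\temp can be found and deleted after import. The function names and the sample profile are constructed for illustration.

```powershell
# Added example: inspect WLAN profile XML exported with "netsh wlan export profile ... key=clear".
$WlanNs = 'http://www.microsoft.com/networking/WLAN/profile/v1'

function Get-WlanProfileSummary {
    param([Parameter(Mandatory = $true)][xml]$ProfileXml)

    # The profile uses a default namespace, so XPath needs a prefix mapping.
    $Ns = New-Object System.Xml.XmlNamespaceManager($ProfileXml.NameTable)
    $Ns.AddNamespace('w', $WlanNs)

    # Return the text of the first node matching an XPath, or nothing if it is absent.
    function Get-Text([string]$XPath) {
        $Node = $ProfileXml.SelectSingleNode($XPath, $Ns)
        if ($null -ne $Node) { $Node.InnerText }
    }

    $Protected   = Get-Text '/w:WLANProfile/w:MSM/w:security/w:sharedKey/w:protected'
    $KeyMaterial = Get-Text '/w:WLANProfile/w:MSM/w:security/w:sharedKey/w:keyMaterial'

    # The key itself is deliberately never written to the output.
    [pscustomobject]@{
        ProfileName    = Get-Text '/w:WLANProfile/w:name'
        Authentication = Get-Text '/w:WLANProfile/w:MSM/w:security/w:authEncryption/w:authentication'
        Encryption     = Get-Text '/w:WLANProfile/w:MSM/w:security/w:authEncryption/w:encryption'
        ConnectionMode = Get-Text '/w:WLANProfile/w:connectionMode'
        ClearTextKey   = ($Protected -eq 'false' -and -not [string]::IsNullOrEmpty($KeyMaterial))
    }
}

function Find-ClearTextWlanExport {
    param([Parameter(Mandatory = $true)][string]$Folder)

    Get-ChildItem -Path $Folder -Filter *.xml -File -ErrorAction SilentlyContinue | ForEach-Object {
        $File = $_
        try   { $Doc = [xml](Get-Content -Path $File.FullName -Raw) }
        catch { return }                                   # not well-formed XML, skip this file
        if ($Doc.DocumentElement.NamespaceURI -ne $WlanNs) { return }   # not a WLAN profile

        $Summary = Get-WlanProfileSummary -ProfileXml $Doc
        if ($Summary.ClearTextKey) {
            $Summary | Add-Member -NotePropertyName Path -NotePropertyValue $File.FullName -PassThru
        }
    }
}

# Constructed sample in the shape of an exported pre-shared-key profile (all values are made up).
$Sample = [xml]@'
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>ExampleCorp</name>
  <SSIDConfig><SSID><name>ExampleCorp</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2PSK</authentication>
        <encryption>AES</encryption>
        <useOneX>false</useOneX>
      </authEncryption>
      <sharedKey>
        <keyType>passPhrase</keyType>
        <protected>false</protected>
        <keyMaterial>constructed-example-key</keyMaterial>
      </sharedKey>
    </security>
  </MSM>
</WLANProfile>
'@

# Summary of the constructed profile: ConnectionMode is auto and ClearTextKey is True.
Get-WlanProfileSummary -ProfileXml $Sample

# List exported profiles in the folder used above that still hold an unprotected key.
Find-ClearTextWlanExport -Folder 'C:\temp'
```

Once the XML has been imported into Intune or ConfigMgr, delete every file the second command lists.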

Why cmtrace.exe is not always your best friend

I once heard a very wise guy saying the notepad is all you need to read log files. I do not say I agree, as I find cmtrace a slightly better tool…. but that’s right until I ran into a ConfigMgr 2012 upgrade to ConfigMgr 1511 earlier today. My upgrade failed, during the file copy phase because it couldn’t copy a new version of cmtrace to my tools folder. Whatever you do, do not click on the View Log button in the installation dialog.

The error in configmgrsetup.log:

ERROR: Failed to copy E:\INSTALLATIONSOURCE\MS\CONFIGMGR1511\DVD\SMSSETUP\tools\CMTrace.exe to k:\program files\microsoft configuration manager\tools\cmtrace.exe, Win32 error = 5

 

image

This happened during the file copy phase, which is almost right after the upgrade database phase! I’ll leave it up to you to figure out what that means – not a big problem as we always backup the server before any upgrade!

Windows 10 Servicing in ConfigMgr 1511

Playing around with Windows 10 Servicing in ConfigMgr 1511 is kind of cool. But having said that, you might want to know the consequences of creating custom servicing plans. A servicing plan is basically an automatic deployment rule with a twist. The twist being (right now) that you are unable to filter on the updates being downloaded. Regardless of the Windows 10 versions and languages, the servicing plan will always download all 256 Windows 10 versions. Each version is about 2 GB… do the math. The content library will explode in size, and if you selected all remote distribution points, the network team will not be happy (as in, not at all).

If you, like me (in my test), create a custom servicing plan, you might get an error like this, saying that you ran out of disk space!!!!!

So how do we work around this? For now; I personally download the update directly from the console. Right click your win10 enterprise x64 and download it to a package. Remember to apply this ConfigMgr hotfix https://support.microsoft.com/en-us/kb/3127032 or you might run into a cert issue when downloading.

Why cmtrace is a man’s best friend when deploying Win 10 1511 upgrades using Configuration Manager

ConfigMgr 1511 is a great Win10 management tool, and so far the only real enterprise management tool I have seen when it comes to deploying Win 10 1511. There is a minor UI issue that might make you freak out. When downloading the upgrade, the Download Software Updates Wizard does not appear to be moving, although everything runs smoothly in the background.

The trick is to open Patchdownloader.log – if you can find it – it’s located in %temp% if you started the download directly from the server. Notice that the log file is updating like a charm.

 

Happy upgrading


Silent install Java 8 Update 71 and 72 with SCCM

In my last post about silent / unattended installation of Java 8 Update 66, we followed Oracle’s new guidelines for installing Java 8 silently. The problem with that method is that it works fine when you run your script locally with administrator privileges, but when you run the same script through SCCM / Configuration Manager, it fails. And just to confuse you even more, it only fails for the 32-bit version of Java, not the 64-bit, even though you use the exact same method. This problem has been reported in some bug reports, here, here and here.

So what’s the solution?

First, you have to revert to the “old” solution of extracting the MSI package from the Java installer. Find the newest version of the Java offline installer from here. Remember that you probably need the 32-bit version, since 64-bit Java can only run in a 64-bit browser, and very few have that. Open the exe file and just let it stay on the splash screen, then navigate to the following folder, where the MSI file is placed:
C:\Users\[username]\AppData\LocalLow\Oracle\Java

Then select the folder for the version you’re installing, i.e. jre1.8.0_72:
C:\Users\[username]\AppData\LocalLow\Oracle\Java\jre1.8.0_72

Now we can install by adding a few flags to the commandline of the MSI file, like this:

start /wait msiexec.exe /i "jre1.8.0_72.msi" /qn JU=0 JAVAUPDATE=0 AUTOUPDATECHECK=0 RebootYesNo=No

Remember to configure your new application in SCCM to supersede the old version of java, so they will get uninstalled first.

Now, Java is a bit special, as you might have figured out from the exe file unpacking an MSI file. But it doesn’t stop there: the MSI file actually unpacks a new exe file, and that causes a problem with the detection method in SCCM. If you run the script with only the above line, the process will be over in a few seconds, SCCM will then run your preferred detection method, find nothing installed, and report that the installation has failed. When you then check “Programs and Features” on the target computer, you’ll see that Java 8 Update 72 is installed. So how do we solve that? We put in a slight delay so SCCM still thinks the installation is running, by adding this line:

ping 127.0.0.1 -n 120 > nul

The above command pings localhost for 120 seconds and doesn’t write anything to the screen. You can make it wait longer if the client is slow. Below is the full script:

start /wait msiexec.exe /i "jre1.8.0_72.msi" /qn JU=0 JAVAUPDATE=0 AUTOUPDATECHECK=0 RebootYesNo=No
ping 127.0.0.1 -n 120 > nul

Configuring backup in ConfigMgr Current Branch

With the introduction of Configuration Manager Current Branch (CB), the game of backup has changed slightly. A SQL backup is still valid for restoring the database, but re-installing ConfigMgr CB must be started by running setup.exe from the cd.latest folder. I know most of you are backing up the virtual machine (which is good), but that should not stop you from backing up SQL and ConfigMgr. You have two options:

  • Create a SQL maintenance plan and include a custom step to backup cd.latest
    • SQL backup Pros
      • Support for compression
      • Better scheduling job
      • E-mail notifications
      • No ConfigMgr service interrupted
      • Include other databases in the backup job
  • Run the ConfigMgr built-in maintenance task
    • ConfigMgr Pros:
      • Easy to configure
      • You do not require any SQL experience
      • Run custom scripts after backup is completed using the old afterbackup.bat method
      • Include cd.latest and other ConfigMgr folders.

Personally I prefer the SQL method, as I’m a big fan of compression and do not have time to copy 250 GB. Steve Thompson describes in this blog post how you can configure SQL backup for ConfigMgr 2012. My configuration is largely the same, except that I include a custom SQL job. The SQL job will compress and copy .\Program files\Configuration Manager\cd.latest to the same location as my SQL backup files. The PowerShell job requires the SQL Agent service to be running and the service account to have permissions to the target path.

powershell.exe -command "Add-Type -Assembly 'System.IO.Compression.FileSystem' -PassThru | Select -First 1 | % { [IO.Compression.ZIPFile]::CreateFromDirectory('d:\program files\microsoft configuration manager\cd.latest', 'f:\sqlbck\archive' + (Get-Date -format 'yyyyMMddHHmm') + '.zip') }"

To create the job, follow these steps in SQL Management Studio:

  1. Open SQL Server Agent (ensure the SQL Agent service is running)
  2. Right click Jobs, create a New Job called Copy cd.latest and change the Owner to System (not required, but why not)
  3. Select the Steps page and click New. Configure the step with these values and click OK:
    1. Step name: copy cd.latest
    2. Type: Operating system (CmdExec)
    3. Run as: SQL Server Agent Service Account
    4. Command: Paste in the PowerShell command

  4. Click OK, to close the custom job.

In order to test the job, right click and select Start Job at Step.

Next step in the process is to configure a backup configmgr maintenance plan as described by Steve Thompson. I have followed the same steps, but will also include my custom copy cd.latest step in the plan.

  1. In SQL Management Studio, navigate to Management. Right click Maintenance Plans, and click Maintenance Plan Wizard.
  2. On the SQL Server Maintenance Plan Wizard page, click Next.
  3. Create a new plan with these settings:
    1. Name: SCCM Backup
    2. Run as: Select SQL Server Agent service account
    3. Select Single schedule for the entire plan or no schedule.
    4. Schedule: Click Change to configure a schedule
    5. Configure the schedule to match your backup criteria
  4. On the Select Maintenance Tasks page, select the following maintenance tasks:
    Clean Up History
    Back Up Database (Full)
    Maintenance Cleanup Task
    Execute SQL Server Agent Job

  5. On the Select Maintenance Tasks Order page move Execute SQL Server Agent Job to the end and click Next.
  6. On the Define History Cleanup Task page, configure Remove historical data older than 1 week(s) (or whatever value you want) and click Next.
  7. On the Define Back Up Database (Full) Task page, in the General tab click All databases
  8. Still on the Define Back Up Database (Full) Task page, click the Destination tab and configure these settings and click Next:

    Create a backup file for every database: enable Create a sub-directory for each database
    Set backup-compression: Compress backup.

  9. On the Define Maintenance Cleanup Task page, configure these settings and click Next:
    Delete files of the following type: Backup files
    Search folder and delete files based on an extension. In Folder, type your backup destination folder e.g. F:\SQLBCK, select Include first level subfolders and in File extension, type bak.
    File age configure Delete files based on the age of the file at task run time and Delete files older than 1 week(s).
  10. On the Define execute SQL Server Agent Job task page, select Copy cd.latest and click Next.

  11. Finish the wizard

Now is the moment of truth: right click your maintenance plan and click Execute. Creating the zip file will take a few minutes, but once it’s done you have a complete backup set.

Huge thanks to my colleague Claus Codam for helping out with the PowerShell step.

DHCP Guide

This document describes common scenarios for implementing DHCP in relation to PXE boot with particular focus on Configuration Manager.

Assumptions and audience

The audience must be familiar with basic IP networking principles.

The background

In order for a client to perform a PXE boot, there must be a DHCP service available. This is not required to be a Microsoft DHCP service; any DHCP server is good.

The following diagram shows a typical network setup

In this case the client and the server are on the same network, which is the simplest setup you will come across. Normally the setup will be more advanced, but in order to explain the basics, we will start with this simple model.

The DHCP Process

During a normal DHCP process the following happens:

  1. The client sends out a DHCP broadcast on the network
  2. The broadcast is picked up by the server
  3. The server replies with a broadcast containing the MAC address of the client and a suggested IP address
  4. The client replies back to the server, indicating that it will use the provided address

The PXE Boot process

When a client initiates a PXE boot (often by pressing a key or selecting a particular boot option during start-up) the process changes a little bit:

  1. The client sends out a DHCP broadcast on the network, with a flag stating that it needs to PXE boot
  2. The broadcast is picked up by the server
  3. The server replies with a broadcast containing the MAC address of the client and a suggested IP address
    1. If the server configuration has any information on how to PXE boot, this information is included in the reply to the client.
  4. The client replies back to the server, indicating that it will use the provided address
  5. The client then contacts the PXE boot server (in this case the same server) and requests the bootfile specified in the boot information sent back from the server
  6. The file is loaded and launched.

PXE Configuration on the DHCP server

Traditionally the PXE configuration has been made on the DHCP server by setting either server or scope options. Typically options 66 and 67 are used: option 66 specifies the server to contact, and option 67 is the name of the file to request.

Another method of providing the boot information is to have a service listen for the DHCP request coming from the client and then send an additional reply back to the client. This is commonly known as dynamic PXE boot.

PXE booting from Configuration Manager Distribution Point

Configuration Manager provides dynamic PXE boot using the WDS service (available in Windows Server)

A typical simple setup could look like the following

The PXE server is installed on the SCCM DP (the WDS service).

Now the boot process is as follows:

  1. The client sends out a DHCP broadcast on the network, with a flag stating that it needs to PXE boot
  2. The broadcast is picked up by the server
  3. The server replies with a broadcast containing the MAC address of the client and a suggested IP address
  4. The WDS service also replies back to the client with information on how to PXE boot
  5. The client replies back to the server, indicating that it will use the provided address
  6. The client then contacts the PXE boot server (in this case the SCCM DP server) and requests the bootfile specified in the boot information sent back from the server
  7. The file is loaded and launched.

This method has the great advantage that it is dynamic and therefore it can send back information based on the type of client requesting a PXE boot, whereas a setup using options configured on the DHCP cannot.

Why is this important in this case?

A PXE boot on a BIOS based system is using one method, whereas UEFI based systems are using another, therefore the PXE server must be able to dynamically provide different information according to the client type.

Also note: For UEFI PXE boot to work correctly with SCCM DPs the underlying OS must be Windows Server 2012 R2 or later.
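
The difference between a static option 67 answer and a dynamic answer, as an added example that is not part of the original guide. It assumes the PXE "flag" is DHCP option 60 starting with PXEClient and that the client type is carried in option 93 (RFC 4578); the boot file names and the sample packets are constructed placeholders.

```python
import struct
from typing import Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # start of the DHCP options field (RFC 2131)
OPT_VENDOR_CLASS = 60               # "PXEClient..." marks a PXE boot request
OPT_CLIENT_ARCH = 93                # client system architecture (RFC 4578)

# Placeholder boot file names (assumptions); 7 and 9 are both seen for UEFI x64.
BOOT_FILES = {0: "bios/netboot.com", 6: "uefi-ia32/netboot.efi",
              7: "uefi-x64/netboot.efi", 9: "uefi-x64/netboot.efi"}
STATIC_OPTION_67 = BOOT_FILES[0]    # one fixed file name set on the DHCP scope


def build_discover(mac: bytes, arch: Optional[int]) -> bytes:
    """Build a minimal DHCPDISCOVER (constructed sample, not a capture).
    arch=None gives an ordinary client, otherwise a PXE client of that type."""
    # op=request, htype=Ethernet, hlen=6, hops, xid, secs, flags=broadcast
    pkt = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x12345678, 0, 0x8000)
    pkt += b"\x00" * 16               # ciaddr, yiaddr, siaddr, giaddr
    pkt += mac.ljust(16, b"\x00")     # chaddr: the client MAC address
    pkt += b"\x00" * 192              # sname and file fields, unused here
    opts = bytes([53, 1, 1])          # option 53: message type DISCOVER
    if arch is not None:
        vendor = b"PXEClient:Arch:%05d:UNDI:002001" % arch
        opts += bytes([OPT_VENDOR_CLASS, len(vendor)]) + vendor
        opts += bytes([OPT_CLIENT_ARCH, 2]) + struct.pack("!H", arch)
    return pkt + MAGIC_COOKIE + opts + b"\xff"


def parse_options(packet: bytes) -> dict:
    """Return {option code: raw value}; reject malformed packets."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != 255:   # 255 = end option
        if packet[i] == 0:                        # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        code, length = packet[i], packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def dynamic_boot_file(packet: bytes) -> Optional[str]:
    """What a listening PXE service can do: answer per client type."""
    opts = parse_options(packet)
    if not opts.get(OPT_VENDOR_CLASS, b"").startswith(b"PXEClient"):
        return None                   # ordinary DHCP client: no boot information
    raw = opts.get(OPT_CLIENT_ARCH, b"")
    if len(raw) < 2:
        return None                   # architecture not stated: do not guess
    return BOOT_FILES.get(struct.unpack("!H", raw[:2])[0])


def static_boot_file(packet: bytes) -> str:
    """What scope options 66/67 do: the same file name for every client."""
    return STATIC_OPTION_67


def compare() -> list:
    """(client, static answer, dynamic answer) for three constructed clients."""
    mac = bytes.fromhex("020000000001")   # locally administered sample MAC
    clients = [("BIOS", 0), ("UEFI x64", 7), ("no PXE", None)]
    return [(name, static_boot_file(p), dynamic_boot_file(p))
            for name, arch in clients
            for p in [build_discover(mac, arch)]]


if __name__ == "__main__":
    for row in compare():
        print(row)
```

The UEFI row is the one to look at: the static answer hands it the BIOS file name, while the dynamic answer matches the client type.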

Additional scenarios

Given that a typical network setup today is a lot more complex than the examples given above I will go through some of these to illustrate how to successfully implement PXE boot in such environments

Multiple subnets

The common method of setting up networks today is to have multiple subnets connected by routers or switches providing router-like functionality.

A typical setup could look like the following:

In this setup the DHCP server is in one subnet, the SCCM DP in another and the client is connected to a third network.

DHCP traffic is based primarily on broadcasts, and broadcasts are normally contained within a subnet (in order to control spamming of the network). As such, DHCP and also PXE will not work in a setup like this.

The way to fix this is to implement IP Helpers.

IP Helpers are a function implemented in routers to allow broadcast traffic to pass between networks in a controlled manner. It is important to note that an IP Helper typically forwards a specific type of traffic to a specific target (IP address).

In the given example an IP Helper must forward DHCP requests from subnet 10.10.30.0 to 10.10.10.10 to allow the client to obtain an IP address from the DHCP server.

For PXE boot requests to be answered correctly by the SCCM DP server, an additional IP Helper must also forward the request to 10.10.20.10.

The resulting setup looks like this

Note that in the case where the DHCP Server and the SCCM DP are on the same subnet, there must still be two IP Helpers implemented, as IP Helpers are directed to a specific IP address.

Special cases: 1E Nomad with PXE Everywhere

In some scenarios special features like 1E Nomad and PXE Everywhere may be implemented, and that may change the way you should implement DHCP and PXE boot.

There are two typical setups for this approach.

Central DHCP Server

A typical setup for Nomad with PXE Everywhere would be like the following:

The DHCP Server is placed in a central location, and will provide DHCP addresses to clients, using an IP Helper. However, the PXE functionality is provided by local clients running the PXE Everywhere component. In this case there must not be an IP Helper that forwards the DHCP request to the SCCM DP, as we intend for PXE boot requests to be serviced locally. If the IP Helper was setup the client would attempt to contact the SCCM DP to PXE boot.

So by not having the additional IP Helper, the DHCP request is forwarded only to the DHCP server, which provides an IP address to the client, and the PXE Everywhere service will reply to the same DHCP request to provide PXE boot information.

For this to work successfully the DHCP Server should not provide any PXE information, either dynamically or using static options, as that will cause confusion for the client trying to PXE boot.

Local DHCP Server

In some Nomad scenarios there may not be a central DHCP server to provide IP addresses to clients. This can be done by the local router, maybe a SOHO (Small Office Home Office) router. These routers are typically not able to provide any PXE boot information, which in this case is a good thing. The client will follow the normal process to obtain an IP address and the PXE Everywhere service will reply to the DHCP request with the required PXE boot information.

The following shows a setup for this case:

Conclusion

  • Never use DHCP options, BIOS and UEFI based devices require different replies from PXE Server
  • In routed networks use IP Helpers to both the DHCP server and the PXE server
  • Do not install DHCP and PXE service on the same server unless it REALLY makes sense
  • It is safe to rely on local DHCP functionality but may require an IP Helper pointing to the PXE Server if this is not local
  • Windows Server 2012 R2 or later is required for UEFI boot to work correctly

Upgrade SCCM 1511 to 1602 when Service Connection Point is set to Offline, on-demand

Last week Microsoft announced 1602 for SCCM Current Branch Production Environments: https://blogs.technet.microsoft.com/configmgrteam/2016/03/11/now-available-update-1602-for-system-center-configuration-manager/

Receiving updates to your System Center Configuration Manager Server(s) is today more important than ever in order to have your SCCM environment keep up with Windows 10 and the ever faster pace of Cloud development, where new features are added constantly. To make the update experience of your SCCM solution as smooth as possible, Microsoft has introduced dynamic updates for SCCM. This basically means that you will get a notice in your SCCM Administration console that a new update is available for installation. But there is a but: Microsoft requires you to send data to them in order to actually receive the updates. Now, if your Service Connection Point is set to Online, then you will come to the office one morning with a fresh update waiting to be installed. However, if your Service Connection Point is set to Offline for some reason, then there are some manual steps that need to be done in order to actually retrieve a new update. Before you read any further I suggest you read the following blogs and articles.

  1. My colleague’s blog, Kent Agerlund about: SCCM Current Branch Dynamic updates and telemtry data
  2. My colleague’s blog, Tim De Keukelaere: Configuration Manager 1511 Updates and Servicing : a closer look at the updating experience
  3. Technet : About the Service Connection Point

If you for some reason do not have an internet connection and/or your service connection point is set to offline, then there are 3 main steps that need to be taken in order to get the new updates.

  1. Prepare Usage data that will be sent to Microsoft
  2. Connect to Microsoft, send usage data and retrieve update
  3. Import the update

All this is done with the ServiceConnectionTool.exe which can be found under cd.latest folder.

So how is this done? Go to your SCCM CB server and open an elevated PowerShell prompt and change directory to “Program Files\Microsoft Configuration Manager\cd.latest\SMSSETUP\TOOLS\ServiceConnectionTool”

Then create this folder and subfolders on a drive:

  1. \ConfigMgrServiceConnection
    1. \ConfigMgrUsageData
    2. \ConfigMgrUpdatePacks

Then from your PowerShell prompt run this command to create UsageData.cab which will be sent to Microsoft.

.\ServiceConnectionTool.exe -prepare -usagedatadest D:\ConfigMgrServiceConnection\ConfigMgrUsageData\UsageData.cab

Verify result by looking at ServiceConnectionTool.log which is in the same folder as ServiceConnectionTool.exe and that you actually have created UsageData.cab in ConfigMgrUsageData folder.

Now, if your ConfigMgr Server is not connected to the Internet, then you have to copy both the UsageData.cab and the ServiceConnection to a computer or server that is connected, since the Telemetry Data will be sent out in exchange for the update package (EasySetup Payload).

Next Run the following command to send data and retrieve update.

.\ServiceConnectionTool.exe -connect -usagedatasrc D:\ConfigMgrServiceConnection\ConfigMgrUsageData\UsageData.cab -updatepackdest D:\ConfigMgrUpdatePacks

Verify the result by looking at ServiceConnectionTool.log, where you will see that the bits are actually downloading.

When all is done, you should have these files in  .\ConfigMgrUpdatePacks

The next step is to import the newly downloaded data into your ConfigMgr environment for processing. Return to your ConfigMgr Server and bring the .\ConfigMgrUpdatePacks folder with you in case you downloaded the files on another computer or server. On the ConfigMgr server open an elevated PowerShell prompt and run the following command

 

.\ServiceConnectionTool.exe -import -updatepacksrc D:\ConfigMgrServiceConnection\ConfigMgrUpdatePacks

This will import the content of  .\ConfigMgrUpdatePacks to D:\Program Files\Microsoft Configuration Manager\EasySetupPayload\offline

  • ConfigMgr.AdminUIContent.auc will be copied to D:\Program Files\Microsoft Configuration Manager\AdminUIContentPayload
  • ConfigMgr.Update.Manifest.cab will be copied to D:\Program Files\Microsoft Configuration Manager\EasySetupPayload\offline

Now if you return to these two folders later and you do not see the files, do not worry. ConfigMgr has moved them to the Inbox folder for further processing. To monitor what is going on behind the scenes, follow the log file dmpdownloader.log, which is located here: D:\Program Files\Microsoft Configuration Manager\Logs

After you have imported the Payload, wait 10 – 20 minutes and you should be able to see the 1602 update being available in the ConfigMgr Console. However, Microsoft has announced that they are slowly rolling out the update globally which means that it could take a while until you see anything. But there is a solution for those who can’t wait. A PowerShell script to the rescue. If your dmpdownloader.log files do not indicate anything happening and your console has no updates available, then go to this link and download the script at the end of the page. https://blogs.technet.microsoft.com/configmgrteam/2016/03/11/now-available-update-1602-for-system-center-configuration-manager/

(Right click and Save As to download. Rename the .txt extension to .ps1 after downloading)

When downloaded, open an elevated PowerShell prompt and run the following command

.\EnableUpdateRing.ps1 SCCMServerName

Your update is ready to be installed:

Take a look at this blog post for further instructions on how to actually install the update: Configuration Manager 1511 Updates and Servicing : a closer look at the updating experience

 

Last but not least, to view your telemetry data before you send them to Microsoft run the following command

.\ServiceConnectionTool.exe -export -dest D:\ConfigMgrServiceConnection\ConfigMgrUsageData\UsageData.csv

Do not forget to leave a comment if you have any questions – Have a great Easter!

ConfigMgr Client failing to install on Management Point

In ConfigMgr Current Branch, version 1511/1602, you have a new pre-production client upgrade feature that allows you to test the new client install on a pre-production collection. The feature works like a charm and allows you to gain control over the upgrade process by testing first. However, while testing the new client, you might run into client installation issues if you are installing a new client on a Management Point.

In ccmsetup.log on the management point you will see errors stating that “The client version 5.00.8325.1000 does not match the MP version 5.00.8355.1000.  The client will not be installed.”

The fix is easy; the only question is whether you are ready. Configure the client install options to deploy to production instead of the pre-production collection. That can be done from Cloud Services, Updates and Servicing. You’ll notice in the illustration below that Client Update Options is still in pre-production (if it was not, the option would be grayed out).

Click Client Update options and enable I’m ready……

After that, time to spend a few seconds in cmtrace reading hman.log (on the site server). Notice that both the preproduction and production packages are impacted by your recent change. Look for the line Loaded client upgrade settings from DB successfully. FullClientPackageID=PS100002, StagingClientPackageID=PS100007, ClientUpgradePackageID=PS100003, PilotingUpgradePackageID=PS100008, ClientUpgradeAdvertisementID=PS120000, ClientPilotingAdvertisementID=PS120003

After the upgrade, your management point will successfully install.
