Leaderboard

In March 2017 I blogged a method to allow you to forcefully upgrade your Windows 10 (or Windows 7) computers to the latest version of Windows 10 using a popup (HTA) that gives the user some form of control (5 deferrals). This was very popular and spawned different versions of the same original concept by other MVP’s and the community at large. I always wanted to update mine, but never had time, however what I have done is incorporate bug-fixes and features, and rewritten the original VBS wrapper code to PowerShell. In the next version I’ll replace the HTA with a PowerShell gui. So how about listing the features of this solution. Designed to run as required Runs before the task sequence starts Shows the user a popup with options Can run on Windows 7 or Windows 10 Allows deferrals After deferrals run out, starts a 4 hour timer If the user ignores the popup, subtracts one deferral after 8 hours Checks for Power Checks for hard disc free space Checks for Supported Model Checks for VPN Is easy to Brand with your company details Has several checks to ensure it won’t run by accident So that’s enough of the features, here’s a look at what it will look like to the end user running either Windows 10 or Windows 7. Time to upgrade In the above screenshot, the user sees the popup daily at a time that you decide eg: 11am. The user has a number of choices: Upgrade now by clicking on the box ‘my files are backed up’, and then selecting Upgrade now Upgrade later by clicking on Defer Cancel, by clicking on the X in the top corner, this will remove one deferral. Note that this verifies how many deferrals are left and if there are none left, will start the task sequence Do nothing. The popup will auto close after 8 hours and remove one deferral. Kill it with Task Manager, this will remove one deferral. If the user runs out of deferrals the 4 hour timer will start. If the user still does nothing, when the 4 hours runs out the task sequence will begin. They can of course click the checkbox and select Upgrade now to start it at any time. Branding So how can you add your branding to it ? start with the banner.png. Open it in MSPaint and replace the windowsnoob logo with your own, try and keep it to 500×65 pixels otherwise you’ll need to edit the Upgrade.HTA code also. Next, open the wrapper.ps1 in PowerShell ISE. Edit CompanyName in line 15 to suit your Company Name. Save the changes, next, open upgrade.hta in Notepad ++. Edit CompanyName in line 50 to suit your company name. edit line 395, and put your company name in Troubleshooting The popup creates 3 log files in C:\ProgramData shown below Windows10RequiredUgradeHTA.log Windows10RequiredUgradeWrapper.log Windows10RequiredUpgradeStart-Upgrade.log The process creates registry keys (and deletes them upon successful closure of the HTA before starting the task sequence). For more details about how to set this up in your environment, please see the following blogpost. I’ve updated that blogpost to include the new files and the PowerShell wrapper.ps1. Note: To download the files included, you need to be a registered member of windows-noob.com cheers niall

Introduction This multi-part guide will show you how to install the latest baseline version of Configuration Manager from Microsoft. The latest available baseline version is System Center Configuration Manager (Current Branch) version 1902 as of April the 10th 2019. I blogged how to upgrade to 1902 here. This guide is aimed a new installations of SCCM. Baseline media is used to install new ConfigMgr sites or to upgrade from supported versions, for more information about baseline media please see my blog post here. Note: The SCCM 1902 Current Branch media is not yet available on MSDN or VLSC. When the new baseline media is released I'll update this note. This series is broken down into the following parts:- Part 1 - Get the lab ready, configure ADDS Part 2 - Join CM01 to Domain, add users, create the Systems Management container, delegate permission Part 3 - Role and Feature installation, installation of WDS and ADK Part 4 - Configure and install SQL Server 2017 (This part) Part 5 - Configure and install SCCM 1902 Current Branch Part 6 - Post configuration You can use this multi-part guide to get a hierarchy up and running on Windows Server 2019 using SQL Server 2017. The concept behind this is to guide you through all the steps necessary to get a working Configuration Manager Primary site installed (for lab use) using manual methods or automated using PowerShell. This gives you the power to automate the bits that you want to automate, while allowing you to manually do other tasks when needed. You decide which path to take. PowerShell knowledge is desired and dare I say required if you are in any way serious about Configuration Manager. I will show you how to do most steps via two methods shown below, it's up to you to choose which method suits you best but I highly recommend automating everything that you can, using PowerShell. Method #1 - Do it manually Method #2 - Automate it with PowerShell Downloads The scripts used in this part of the guide are available for download here. Unzip to C:\Scripts. The scripts are placed in the corresponding folder (Part 1, Part 2 etc) and sorted into which server you should run the script on (DC01 or CM01). Scripts.zip Step 1. Install SQL Server 2017 Note: Perform the following on the Configuration Manager server (CM01) as a Local Administrator, I'd suggest you logon as the username matching your name. Method #1 - Do it manually In this section you will install SQL Server 2017 CU14 which is the latest supported version of SQL Server that is compatible with SCCM 1902 Current Branch as of 2019/4/16. For details about which versions of SQL Server are supported with different site systems in ConfigMgr, please see this page. Before starting, please configure the firewall as described in https://go.microsoft.com/fwlink/?linkid=94001 to allow access to SQL Server through the firewall. You can do this by executing the following command as local administrator on the CM01 (ConfigMgr) server. netsh advfirewall firewall add rule name = SQLPort dir = in protocol = tcp action = allow localport = 1433 remoteip = localsubnet profile = DOMAIN After configuring the firewall, browse to the drive where the SQL Server 2017 media is, and run setup.exe. The SQL Server Installation Center wizard will appear. Click on Installation and then choose New SQL Server standalone installation or add features to an existing installation. Enter the Product Key or use the evaluation version if that's what you want to use. Note: The product key will be automatically filled in for licensed media downloaded from Microsoft Volume Licensing Service Center. Accept the EULA Make your Microsoft Update choices and review your Install rules, as long as you've opened the correct port for SQL you'll be ok and can safely ignore the Warning about the Firewall. select the SQL server instance features you need (at least Database Engine Services) and if necessary change the drive letter where you intend to install it And configure the Instance Configuration or just leave it as default Verify the Service Accounts settings and for Collation (click on the Collation tab in Server Configuration), make sure the collation is set to SQL_Latin1_General_CP1_CI_AS For Database Engine Configuration, click on Add Current User After configuring Data Directories, TempDB and Filestream settings you are ready to install Click on Install to start the installation of SQL Server 2017, and once it's completed, click Close. Next download and install the following: SQL Server 2017 Cumulative Update 14. SQL Server 2017 SSMS here. SQL Server 2017 Reporting Services. Method #2 - Automate it with PowerShell Note: Make sure your SQL Server 2017 media is in the drive specified in the script or edit the script to point to the new location of the media. The script set's the installation path pointing at D:\MSSQL if you want to install SQL somewhere else please change the variables as appropriate. To install SQL Server 2017 use the Install SQL Server 2017.ps1 script. The script will create a ConfigurationFile.ini used to automate the installation of SQL Server 2017, and after it's installed the script will download the SSMS executable (Management Studio) and install it. Then it will download Reporting Services and install it. If either of the EXE's are in the download folder, it will skip the download and just install. SQL Server no longer comes with the Management Studio or Reporting Services built in, and they are offered as separate downloads, don't worry though, my PowerShell script takes care of that for you. 1. Extract the scripts to C:\Scripts on CM01 and load the Install SQL Server 2017.ps1 script located in C:\Scripts\Part 4\CM01 2. Edit the variables [lines 17-81] as desired before running. 3. Logon as the user specified in line 20. 4. Start Windows PowerShell ISE as Administrator and run the script by clicking on the green triangle. Done ! That's it for this part, please join me in Part 5 where we Configure and Install System Center Configuration Manager 1902.

If anyone gets an access denied error at the last step (certutil -crl), then please reboot your Issuing CA server once and then issue the command again. I had this issue and apparently several other users had this too per various forums.

just make sure your Apply Driver Package step references that, as shown here.

you only need the one step, that's how it works, it's a variable !

Yes. While each deployment type has its own content ID, you must update content for each deployment type if both deployment types use the same content source.

This series is comprised of different parts, listed below. Part 1 - Introduction and server setup Part 2 - Install and do initial configuration on the Standalone Offline Root CA Part 3 - Prepare the HTTP Web server for CDP and AIA Publication Part 4 - Post configuration on the Standalone Offline Root CA Part 5 - Installing the Enterprise Issuing CA Part 6 - Perform post installation tasks on the Issuing CA Part 7 - Install and configure the OCSP Responder role service Part 8 - Configure AutoEnroll and Verify PKI health (this part) In part 1 of this series, you configured your LAB for a 2 tier PKI hierarchy running on Windows Server 2016. You used PowerShell to create some virtual machines, and then installed Windows Server 2016, Windows 10 Enterprise version 1803 and optionally Smoothwall 3.1 before configuring the IP address scheme and Computer Names on the virtual machines. Finally you configured ADDS on DC01 so that you have a working Domain Controller for the rest of this LAB. In part 2 you installed and did the initial configuration on the Standalone Offline Root CA. In part 3 you prepared the HTTP Web Server for CDP and AIA Publication and you created a DNS record for the publicly available web server. In part 4 you performed post configuration on the Standalone Offline Root CA to set certificate revocation list (CRL) period registry settings using CertUtil, and then enabled object access Auditing and finally, you configured three locations for the Authority Information Access (AIA) and four locations for the Certificate revocation list Distribution Point (CDP), again using CertUtil. In part 5 you joined the IssuingCA computer to the windowsnoob domain before creating a new CAPolicy.inf file which was customized for the Issuing CA role. Next, you published the Root CA Certificate and CRL (both to Active Directory and the HTTP web server) and you installed the Enterprise Issuing CA before submitting a request to the StandAlone Offline Root CA. Next you installed the Issuing CA Certificate using the response files from the StandAlone Offline Root CA on the removable media. In part 6, you performed post installation and configuration of the IssuingCA server by configuring Certificate Revocation and CA Certificate Validity Periods, you then enabled auditing on the CA server, and configured the AIA and CDP. In part 7 you installed and configured the OCSP responder role service on the web server. Now you will configure Auto Enrollment and Verify PKI health. Step 1.Configure a GPO for Auto Enrollment Logon to to the Domain Controller (DC01) as windowsnoob\Administrator. Click Start, click Run, and then type gpmc.msc and press enter. Expand Forest, expand Domains, expand windowsnoob.lab.local, and then expand Group Policy Objects. Right click Default Domain Policy, then click Edit. Under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then expand Public Key Policies. Select Certificate Services Client - Auto-Enrollment, right click and choose Properties. Change it from Not Configured to Enabled and enable the following 2 options. Renew expired certificates, update pending certificates, and remove revoked certificates Update certificate that use certificate templates As shown here. Click Apply when done, and close the Group Policy Management Editor and then close the Group Policy Management Console. Step 2. Configure AutoEnrollment for Workstation Authentication on the Issuing CA Ensure that you are logged on as windowsnoob\EntAdmin on the Issuing CA server (IssuingCA), start the Certification Authority console by entering certsrv.msc, ensure that windowsnoob Issuing CA is expanded. Right-click on Certificate Templates, then select Manage. In the Certificate Templates that appear, select Workstation Authentication. Right click it, and select Properties, click on the Security tab, select Domain Computers and ensure that AutoEnroll is selected, click Apply. Step 3. Join the Windows 10 computer to the domain Logon to Windows 10 version 1803 computer (Win101803) as Administrator, and copy the JoinDomain.ps1 script below to a folder called C:\Scripts. Open the script in PowerShell ISE as Administrator, then run Set-ExecutionPolicy to unrestricted before running the JoinDomain.ps1 PowerShell script by clicking on the Green Arrow in Windows PowerShell ISE. JoinDomain.ps1 Note: The computer will reboot by itself after joining the windowsnoob.lab.local domain. Step 4. Check PKI Health with Enterprise PKI To use the Enterprise PKI console to check PKI health, on the IssuingCA server, ensure that you are logged on as windowsnoob\entadmin. Run PKIView.msc from an administrative command prompt. Right click Enterprise PKI and then click Manage AD Containers. On the NTAuthCertificates tab, verify the windows noob Issuing CA certificate appears with a status of OK as shown below: On the AIA Container tab, verify both the windows noob Root CA and the windows noob Issuing CA certificates are present with a status of OK. On the CDP Container tab, verify that the windows noob Issuing CA has both Delta CRL and Base CRL, and that the windows noob Root CA has a Base CRL present and with a status of OK. On the Certification Authorities Container, verify that the windows noob Root CA certificate is present and with a status of OK. and finally on the Enrollment Services Container tab, verify that the windows noob Issuing CA certificate is present with a status of OK. Step 5. Configure Certificate Distribution on the Issuing CA To publish a certificate for computers in the enterprise do as follows. Logon to the IssuingCA computer as windowsnoob\EntAdmin. In the Certification Authority console (certsrv.msc), ensure that windows noob Issuing CA is expanded. Right-click Certificate Templates, select New and select Certificate Template to Issue. On the Enable Certificate Templates dialog box, select Workstation Authentication and then click OK. Step 6. verify certificate autoenrollment on the Windows 10 client To verify that autoenrollment of certificates on the Windows 10 compute do as follows. Log on to win101803.windowsnoob.lab.local as windowsnoob\Administrator. (Ensure that you switch user to log on as windowsnoob\Administrator) Click Start, type mmc and then press ENTER. Click File, and then click Add/Remove Snap-in. Click Certificates, then click Add, Select Computer Account, and then click Finish. Click OK. Expand Personal and select Certificates, if you do not see Certificates, in an Administrative Command prompt issue the following command gpupdate /force then refresh the view in the Certificates MMC. You should now see a Certificates folder and a certificate listed. This certificate was issued using AutoEnrollment which was configured above. Step 7. Verify PKI health on the issued certificate While logged on to W101803.windowsnoob.local.local as windowsnoob\Administrator, In the certificates console tree, expand Personal, click Certificates. In the details pane, right click the W101803.windowsnoob.lab.local certificate, click All Tasks, and then click Export. the Welcome to the certificate export wizard appears, click Next. Click Next at the No do not export the private key screen On the Export File Format page, click Next. [DER encoded binary X.509 (.CER) is the default selection]. in the File to Export, call it C:\Windows10 at the completing the certificate export wizard screen click Finish. you should be notified of the success of the export. Open an administrative command prompt and run the following commands: cd\ then certutil -URL C:\Windows10.cer The URL retrieval tool should appear. In the URL Retrieval Tool, select the OCSP (from AIA) option and then click Retrieve. Confirm that it shows status as Verified. In the URL Retrieval Tool, select the CRLs (from CDP) option and then click Retrieve. Confirm that it shows status as Verified. In the URL Retrieval Tool, select the Certs (from AIA) option and then click Retrieve. Confirm that it shows status as Verified. Click Exit to close URL Retrieval Tool. From the administrative command prompt run following command to thoroughly verify the certificate chain retrieval and revocation status. certutil -verify -urlfetch C:\Windows10.cer you'll see a lot of output similar to the following PS C:\> certutil -verify -urlfetch C:\Windows10.cer Issuer: CN=windows noob Issuing CA DC=windowsnoob DC=lab DC=local Name Hash(sha1): b500ca9b33a216fcc44492f25bb6e6b8bd6a5a78 Name Hash(md5): b0c8a9c15f77c9e2b7af24718ab3f3ec Subject: EMPTY (DNS Name=W101803.windowsnoob.lab.local) Name Hash(sha1): f944dcd635f9801f7ac90a407fbc479964dec024 Name Hash(md5): a46c3b54f2c9871cd81daf7a932499c0 Cert Serial Number: 1e000000057a5838e2727d5162000000000005 dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000) dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000) ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000) HCCE_LOCAL_MACHINE CERT_CHAIN_POLICY_BASE -------- CERT_CHAIN_CONTEXT -------- ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100) ChainContext.dwRevocationFreshnessTime: 3 Weeks, 1 Hours, 35 Minutes, 37 Seconds SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100) SimpleChain.dwRevocationFreshnessTime: 3 Weeks, 1 Hours, 35 Minutes, 37 Seconds CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0 Issuer: CN=windows noob Issuing CA, DC=windowsnoob, DC=lab, DC=local NotBefore: 7/6/2018 4:04 AM NotAfter: 7/6/2019 4:04 AM Subject: Serial: 1e000000057a5838e2727d5162000000000005 SubjectAltName: DNS Name=W101803.windowsnoob.lab.local Template: Workstation Authentication Cert: 9eae120ea27c064e609df51cacda77e286a223d6 Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2) Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100) ---------------- Certificate AIA ---------------- Verified "Certificate (0)" Time: 0 33daad0a6923fdbd02300d703264d13d70eedf42 [0.0] ldap:///CN=windows%20noob%20Issuing%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=windowsnoob,DC=lab,DC=local?cACertificate?base?objectClass=certificationAuthority Verified "Certificate (0)" Time: 0 33daad0a6923fdbd02300d703264d13d70eedf42 [1.0] http://pki.windows-noob.com/CertEnroll/IssuingCA.windowsnoob.lab.local_windows%20noob%20Issuing%20CA.crt ---------------- Certificate CDP ---------------- Verified "Base CRL (05)" Time: 0 7cf12cea65a271e322dcd148dafca9890381d68c [0.0] ldap:///CN=windows%20noob%20Issuing%20CA,CN=IssuingCA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=windowsnoob,DC=lab,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint Verified "Delta CRL (05)" Time: 0 b27c6e817abccb07e6d18c37c808013cc1377c1d [0.0.0] ldap:///CN=windows%20noob%20Issuing%20CA,CN=IssuingCA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=windowsnoob,DC=lab,DC=local?deltaRevocationList?base?objectClass=cRLDistributionPoint Verified "Delta CRL (05)" Time: 0 b27c6e817abccb07e6d18c37c808013cc1377c1d [0.0.1] http://pki.windows-noob.com/CertEnroll/windows%20noob%20Issuing%20CA+.crl Verified "Base CRL (05)" Time: 0 7cf12cea65a271e322dcd148dafca9890381d68c [1.0] http://pki.windows-noob.com/CertEnroll/windows%20noob%20Issuing%20CA.crl Verified "Delta CRL (05)" Time: 0 b27c6e817abccb07e6d18c37c808013cc1377c1d [1.0.0] ldap:///CN=windows%20noob%20Issuing%20CA,CN=IssuingCA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=windowsnoob,DC=lab,DC=local?deltaRevocationList?base?objectClass=cRLDistributionPoint Verified "Delta CRL (05)" Time: 0 b27c6e817abccb07e6d18c37c808013cc1377c1d [1.0.1] http://pki.windows-noob.com/CertEnroll/windows%20noob%20Issuing%20CA+.crl ---------------- Base CRL CDP ---------------- OK "Delta CRL (07)" Time: 0 b27c6e817abccb07e6d18c37c808013cc1377c1d [0.0] ldap:///CN=windows%20noob%20Issuing%20CA,CN=IssuingCA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=windowsnoob,DC=lab,DC=local?deltaRevocationList?base?objectClass=cRLDistributionPoint OK "Delta CRL (07)" Time: 0 b27c6e817abccb07e6d18c37c808013cc1377c1d [1.0] http://pki.windows-noob.com/CertEnroll/windows%20noob%20Issuing%20CA+.crl ---------------- Certificate OCSP ---------------- Verified "OCSP" Time: 0 f7d32928b44de5b419a11bac19cc56fad7d4f9ee [0.0] http://webserver.windowsnoob.lab.local/ocsp -------------------------------- CRL 05: Issuer: CN=windows noob Issuing CA, DC=windowsnoob, DC=lab, DC=local ThisUpdate: 7/3/2018 7:02 AM NextUpdate: 7/10/2018 7:22 PM CRL: 7cf12cea65a271e322dcd148dafca9890381d68c Delta CRL 07: Issuer: CN=windows noob Issuing CA, DC=windowsnoob, DC=lab, DC=local ThisUpdate: 7/5/2018 7:02 AM NextUpdate: 7/6/2018 7:22 PM CRL: b27c6e817abccb07e6d18c37c808013cc1377c1d Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0 Issuer: CN=windows noob Root CA NotBefore: 6/19/2018 4:34 AM NotAfter: 6/19/2028 4:44 AM Subject: CN=windows noob Issuing CA, DC=windowsnoob, DC=lab, DC=local Serial: 5600000002ff2362e624faf00a000000000002 Template: SubCA Cert: 33daad0a6923fdbd02300d703264d13d70eedf42 Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2) Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100) ---------------- Certificate AIA ---------------- Verified "Certificate (0)" Time: 0 1c2e0479a69623ffddcec692d01af64996b2b6e9 [0.0] ldap:///CN=windows%20noob%20Root%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=windowsnoob,DC=lab,DC=local?cACertificate?base?objectClass=certificationAuthority Verified "Certificate (0)" Time: 0 1c2e0479a69623ffddcec692d01af64996b2b6e9 [1.0] http://pki.windows-noob.com/CertEnroll/ROOTCA_windows%20noob%20Root%20CA.crt ---------------- Certificate CDP ---------------- Verified "Base CRL (02)" Time: 0 22cafd2ae550e12401696bac4a424652050c55a2 [0.0] ldap:///CN=windows%20noob%20Root%20CA,CN=ROOTCA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=windowsnoob,DC=lab,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint Verified "Base CRL (02)" Time: 0 22cafd2ae550e12401696bac4a424652050c55a2 [1.0] http://pki.windows-noob.com/CertEnroll/windows%20noob%20Root%20CA.crl ---------------- Base CRL CDP ---------------- No URLs "None" Time: 0 (null) ---------------- Certificate OCSP ---------------- No URLs "None" Time: 0 (null) -------------------------------- CRL 02: Issuer: CN=windows noob Root CA ThisUpdate: 6/15/2018 3:12 AM NextUpdate: 6/14/2019 3:32 PM CRL: 22cafd2ae550e12401696bac4a424652050c55a2 CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0 Issuer: CN=windows noob Root CA NotBefore: 6/14/2018 11:03 AM NotAfter: 6/14/2038 11:13 AM Subject: CN=windows noob Root CA Serial: 3d0d623b5abd19b34640212c87d45269 Cert: 1c2e0479a69623ffddcec692d01af64996b2b6e9 Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4) Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8) Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100) ---------------- Certificate AIA ---------------- No URLs "None" Time: 0 (null) ---------------- Certificate CDP ---------------- No URLs "None" Time: 0 (null) ---------------- Certificate OCSP ---------------- No URLs "None" Time: 0 (null) -------------------------------- Exclude leaf cert: Chain: d5f425d64a9d41434507a599da1260fdced44873 Full chain: Chain: 0c69840fda437706dd390c3d120ab496038c2564 ------------------------------------ Verified Issuance Policies: None Verified Application Policies: 1.3.6.1.5.5.7.3.2 Client Authentication Leaf certificate revocation check passed CertUtil: -verify command completed successfully. PS C:\> Review the output and make sure all the chain retrieval and revocation status are successfully verified. Job done ! That's it for this mini-series about setting up PKI in a lab, thanks for joining me, I hope you completed everything successfully and have a better understanding of how PKI works and how to set it up in a lab. Next steps If you'd like to see how SCCM works with HTTPS, see below:- How can I configure System Center Configuration Manager in HTTPS mode (PKI) - Part 1 How can I configure System Center Configuration Manager in HTTPS mode (PKI) - Part 2 cheers niall.

Hi, OUR SETUP We have a SCCM 2012 server which we recently took over. Our setup consist of 13 remote sites with DP's in 6 and 32 subnets between them all. Our sites and services setup in AD has been configured correctly and very carefully due to the complication of all the subnets of various sizes (/24 /25 /26 /27 etc..) We are'nt SCCM experts by any stretch of the imagination but know infrastructure and networking well and are confident that sites and services has been setup 100% correctly. OUR FINDINGS We recently had a closer look at the SCCM server to try and improve the general performance - Takes very long to come back with anything whenever you do anything in it.(assume the SQL queries are the issue) Starting at the basics we had a look at boundaries first and found that the discovery methods are setup for site and IP address ranges. Since our sites and services are setup correctly we thought we could get rid of the IP ranges as I have read multiple articles stating that this is a very "Expensive Query" - and therefore just use sites. OUR PROBLEM The minute we remove the IP range the "remote" workstations (sites with DP's)will not run the task Sequence after PXE booting Tail end of the smsts.log file <![LOG[ Flags: 01000000]LOG]!><time="11:56:30.378-600" date="11-24-2017" component="TSPxe" context="" type="1" thread="1824" file="resolvesource.cpp:2291"> <![LOG[ URLs : 1]LOG]!><time="11:56:30.378-600" date="11-24-2017" component="TSPxe" context="" type="1" thread="1824" file="resolvesource.cpp:2292"> <![LOG[ SMB : ]LOG]!><time="11:56:30.378-600" date="11-24-2017" component="TSPxe" context="" type="1" thread="1824" file="resolvesource.cpp:2293"> <![LOG[ MCS : ]LOG]!><time="11:56:30.378-600" date="11-24-2017" component="TSPxe" context="" type="1" thread="1824" file="resolvesource.cpp:2294"> <![LOG[No static content server.]LOG]!><time="11:56:30.378-600" date="11-24-2017" component="TSPxe" context="" type="1" thread="1824" file="resolvesource.cpp:2371"> <![LOG[(LocationsList.size() + slistHttpPaths.size() + slistSMBPaths.size()) > 0, HRESULT=80040102 (e:\nts_sccm_release\sms\framework\tscore\resolvesource.cpp,2427)]LOG]!><time="11:56:30.378-600" date="11-24-2017" component="TSPxe" context="" type="0" thread="1824" file="resolvesource.cpp:2427"> <![LOG[FALSE, HRESULT=80040102 (e:\nts_sccm_release\sms\framework\tscore\tspolicy.cpp,2000)]LOG]!><time="11:56:30.378-600" date="11-24-2017" component="TSPxe" context="" type="0" thread="1824" file="tspolicy.cpp:2000"> <![LOG[Content location request for QAT00002:3 failed. (Code 0x80040102)]LOG]!><time="11:56:30.378-600" date="11-24-2017" component="TSPxe" context="" type="3" thread="1824" file="tspolicy.cpp:2000"> <![LOG[hr, HRESULT=80040102 (e:\nts_sccm_release\sms\framework\tscore\tspolicy.cpp,2845)]LOG]!><time="11:56:30.378-600" date="11-24-2017" component="TSPxe" context="" type="0" thread="1824" file="tspolicy.cpp:2845"> <![LOG[Failed to resolve PackageID=QAT00002]LOG]!><time="11:56:30.378-600" date="11-24-2017" component="TSPxe" context="" type="3" thread="1824" file="tspolicy.cpp:2845"> <![LOG[(*iTSReference)->Resolve( pTSPolicyManager, dwResolveFlags ), HRESULT=80040102 (e:\nts_sccm_release\sms\framework\tscore\tspolicy.cpp,3693)]LOG]!><time="11:56:30.378-600" date="11-24-2017" component="TSPxe" context="" type="0" thread="1824" file="tspolicy.cpp:3693"> <![LOG[m_pSelectedTaskSequence->Resolve( m_pPolicyManager, TS::Policy::TaskSequence::ResolvePolicy | TS::Policy::TaskSequence::ResolveSource, fpCallbackProc, pv, hCancelEvent), HRESULT=80040102 (e:\nts_sccm_release\sms\client\tasksequence\tsmbootstrap\tsmediawizardcontrol.cpp,1439)]LOG]!><time="11:56:30.378-600" date="11-24-2017" component="TSPxe" context="" type="0" thread="1824" file="tsmediawizardcontrol.cpp:1439"> <![LOG[Failed to resolve selected task sequence dependencies. Code(0x80040102)]LOG]!><time="11:56:30.378-600" date="11-24-2017" component="TSPxe" context="" type="3" thread="1824" file="tsmediawizardcontrol.cpp:1439"> <![LOG[hrReturn, HRESULT=80040102 (e:\nts_sccm_release\sms\client\tasksequence\tsmbootstrap\tsmediaresolveprogresspage.cpp,445)]LOG]!><time="11:56:30.378-600" date="11-24-2017" component="TSPxe" context="" type="0" thread="1824" file="tsmediaresolveprogresspage.cpp:445"> <![LOG[ThreadToResolveAndExecuteTaskSequence failed. Code(0x80040102)]LOG]!><time="11:56:30.378-600" date="11-24-2017" component="TSPxe" context="" type="3" thread="1824" file="tsmediaresolveprogresspage.cpp:445"> <![LOG[ThreadToResolveAndExecuteTaskSequence returned code 0x80040102]LOG]!><time="11:56:30.378-600" date="11-24-2017" component="TSPxe" context="" type="1" thread="516" file="tsmediaresolveprogresspage.cpp:221"> <![LOG[Setting wizard error: This task sequence cannot be run because the program files for QAT00002 cannot be located on a distribution point. For more information, contact your system administrator or helpdesk operator.]LOG]!><time="11:56:30.378-600" date="11-24-2017" component="TSPxe" context="" type="0" thread="516" file="tsmediawizardcontrol.cpp:1463"> <![LOG[ResolveProgressPage::OnWizardNext()]LOG]!><time="11:56:30.378-600" date="11-24-2017" component="TSPxe" context="" type="0" thread="516" file="tsmediaresolveprogresspage.cpp:113"> <![LOG[Activating Finish Page.]LOG]!><time="11:56:30.378-600" date="11-24-2017" component="TSPxe" context="" type="0" thread="516" file="tsmediafinishpage.cpp:107"> <![LOG[Loading bitmap]LOG]!><time="11:56:30.394-600" date="11-24-2017" component="TSPxe" context="" type="1" thread="516" file="tsmbootstrap.cpp:1303"> If we add the IP Ranges back it works. I can see the problem (highlighted) and know how to get around it but don't understand why we cannot get it to use Sites and Services correctly. We have ensured that the DP servers Boundaries and Boundary Groups are all connected Boundary Discovered and Defined correctly. Boundary Group has correct Boundary in it. Boundary Group Reference has DP server defined as Site System Server We have made sure that the packages have sync'd/copied correctly with the DP's and the sizes all match. Obviously we are missing something - Can anyone provide any further advice? And I will just say again, we have just spent two weeks documenting and going over our Sites / Subnet / AD setup to ensure we have no overlapping networks and to ensure all our subnets are defined correctly in sites and services - We really don't think the issue lies there but are open to any advice. Thank You in advance.

Thanks for the suggestion. FML - Microsoft! The "Architecture" under filters has no purpose in this scenario. I just couldn't figure this out, build updates always failed me, I'm going to test something else today. I'm using a full "Title" description on the filters now: Feature update to Windows 10 (business editions), version 1809, en-us x64 It only displays the 64bit version which I want.

Recently rolled this out, some brief notes: - On a Windows 10 machine, no additional agent is required. You simply set the SCCM policy to enable Endpoint Protection (Defender) to be managed. SCCM > Administration > Client Settings > Endpoint Protection > Manage Endpoint Protection...... - On a Windows 7 machine, SCCM will automatically deploy the SCEP agent if the above policy setting is enabled. We haven't deployed to server so cant assist there, but no reason why it wouldnt work. - You'll need to setup ADR's so new definitions are downloaded every X hour, you'll also need to change you SUP sync schedule to match this frequency - All settings/configuration/exclusions etc can be done via Anti-Malware policies. SCCM > Asset and Compliance > Endpoint Protection > Antimalware policies - I found we had to manually uninstall our previous AV solution (even though SCCM has an option to remove it) else SCEP would fail to install. I had to script the removal of the old AV Take some time to flick over all the anti-malware policies, everything will become much clearer. Key thing is to make sure your definitions are regularly updated (i do mine every 8 hours), and to make sure your SUP also sync at the same time else the ADR will run against a "outdated" SUP catalog.

We followed this guide as we wanted to use PKI

2nd question Inside the task sequence, there is an "Join Domain or Workgroup" option where you can have the device join a domain. I have never used it separately from imaging but I don't see why it wouldn't work for what you want to do. I would try to have it perform the backup, restore, then add to the new domain. keep in mind you have to have an account on the new domain so SCCM will have rights to add the device.

1st question - we have two separate task sequence. 1st at 6pm disable bitlocker restart computer request state store capture user state re-enable bitlocker 2nd at 2am request restore state restore "customize how it's restored" "we have custom .xml files" Lastly, in the Assets and Compliance section, you will see the "User State Migration" section. That is how you associate the FROM computer and the TO computer. Associate the computers / users and let the tasks run

Anyweb, I wanted to thank you for you help. I used this site to learn everything I know about SCCM, so I'm glad you do this. It's helped alot.

You will need to use a sub-select query to do the not in stuff. Here is an example. https://www.enhansoft.com/blog/subselect-wql-query-to-find-pcs-that-do-not-have-either-x86-or-x64-versions-of-software-installed

I never got the Surface 4 to PXE boot. I didn't take it much further as we don't have very many. The later Surface Pro does PXE in exactly the same environment.

I hope it's ok if I answer my question on my own for all who read this post. On friday I registered on IANA a private enterprise number (pen). You can do this here: https://pen.iana.org/pen/PenApplication.page It's absolutly for free. I received my number for "Einfaches Netzwerk" a few hours later via e-mail. After a day or so you can find your number on a really hugh list here: https://www.iana.org/assignments/enterprise-numbers/enterprise-numbers. Mine looks like this Now I am able to build my own OID with the prefix: iso.org.dod.internet.private.enterprise (1.3.6.1.4.1) > 1.3.6.1.4.1.52765 (the prefix is listed on the site above on the top). Behind this OID you can add additional nubmers according to your certification policy statement (cps.txt). For example: 1.3.6.1.4.1.52765.1.1 > Client certificates 1.3.6.1.4.1.52765.1.2 > Server certificates 1.3.6.1.4.1.52765.1.3 > EFS and so on. You can find a cps template here: https://www.globalsign.com/en/repository/TrustedRoot Template CPS.pdf You only need a public OID if your organization plans with other organzations to use PKI-enabled applications. It this case you need an OID which is unique on the internet. ...Dietmar

Introduction Microsoft Ignite 2018 is in full swing with packed sessions and thousands of attendees, here are my notes from another Windows 10 session, this time related to updates and deployment. The session is “BRK3027 – Deploying Windows 10: Making the update experience smooth and seamless” and it’s from the following clever Microsoft folk. Patrick Siu, Suma SaganeGowda This is going to be a long and detailed post, so grab a cup of coffee or beer, whichever you prefer. Updating at scale There are already 700 million devices running Windows 10, and more than 250 million of them are running Windows 10 version 1803 (within 48 days of it’s release), conversely, that would mean there are approx 450 million users of Windows 10 using a release that is older than Windows 10 1803, so even though there are millions of people upgrading, not everyone jumps on the new release as soon as it’s made available. Why stay current ? So why do we need to stay current ? why do we need to deploy the feature updates and quality updates at the cadence that Microsoft is releasing them. Microsoft is striving that you (the customer) get’s access to these new features in an agile manner. They want to ensure that the platform supports all of the hardware innovation that is being released (things like Windows Hello capability for example) or indeed just for better performance, better stability, better battery life. Microsoft is continually making changes to Windows features to improve creativity and productivity so that your employees can benefit from that. Stay secure by staying current Last but not least, you want to stay current because of all the work they do to make Windows more secure by thwarting modern day threats as well as protecting your from zero day exploits. Differentiating between Quality Updates and Feature Updates. Quality Updates come out monthly and are basically your security updates, whereas Feature Updates come out twice a year and they are a full blown new release of Windows. It hasn’t all been plain sailing however and Microsoft understands that it’s hard to stay current and keep current, here’s some of the issues that their customers have highlighted to them. And that’s quite a list of worries and concerns. Microsoft is committed to helping resolve those and to help you stay current. There are three main ways of getting these updates delivered and we’ll go into some more details about them. Acquiring content Quality Update Download Size The biggest complaint that Microsoft has received is about the size of these monthly updates (quality updates). The large size is because you are getting all previous updates at once, as it’s cumulative. this impacts bandwidth, network. Microsoft has tried to solve this problem with delta updates and express updates. But even these have issues, key complaint is the download size to the distribution points is large. Microsoft assumed that the update size that customers were complaining about was to the clients, so they did it this way, not thinking it was the distribution points also being impacted. There were also performance issues on the clients with Express Updates (memory issues). So to address these issues, Microsoft has made changes to Windows 10 in Windows 10 version 1809 (not available at time of writing). These changes will ensure much smaller downloads to the distribution points (300mb versus 8-11GB), device performance not affected as much, applicable only to Windows 10 version 1809 and later. Not as chatty as previous express updates so less impact on Network and Bandwidth. So basically on the left you have the updates on the dp’s and on the right, what’s being downloaded to your clients. It’s a huge win ! How to leverage this ? Basically it’s available to Windows 10 version 1809 but it’s also across the board, Windows Update, WSUS, ConfigMgr. No changes to the infrastructure involved. Feature Update Delivery As before with Quality Updates, the size of the download and frequency was an issues, as was the affect of Features on demand and no single jump to the latest update, it’s a two step process. so what’s the solution from Microsoft ? Get current and secure in one step ! that’s awesome. It will also preserve FOD (feature on demand) and LP’s (Language Packs), lower network traffic to pc’s and have a better user experience. You can get this right now via Windows Update, or wait for the Public Preview this fall for WSUS and ConfigMgr customers. What about FOD and LP’s ? Features on demand are basically optional components in Windows (such as Mixed Reality). To fix this you’ve got some options. Opt into UUP Opt in to Unified Update Platform, you can read about it here, or apply a GPO to download content from WU For on prem customers if you don’t want to be part of the public preview, works today already for WU and WUFB customers. Bandwidth Impact from Updates Challenges, the updates tend to consume large amounts of network bandwidth and create latency (lag and slowness, or jerky video etc). Recommendations use Caching, shift the traffic to the clients using peer to peer mechanism’s like delivery optimization (DO) or by leveraging centralized caching (Wsus/ConfigMgr dp’s). Optimize the network, use LedBat. Peer caching with Delivery Optimization (DO). Peer caching on the edge means getting it from your peers (other computers) as opposed to getting it from a centralized server (a distribution point). It’s a peer to peer service that works with Windows Update so that the peers can acquire parts of content from different peers. It supports different types of content, eg: windows updates, feature updates, quality updates, drivers, windows store apps, Microsoft store for business apps and Office C2R updates. Note: For a deep dive into DO see the following session (on Thursday). Optimize the network Optimizing the network helps LedBat to use unused network bandwidth for updates. Does not require difficult rules, just run some PowerShell commands on your distribution points to enable LedBat. It does however require Windows Server 2016 or later. https://blogs.technet.microsoft.com/networking/2018/07/25/ledbat/ https://aka.ms/LEDBaT-Validation What about the disruption that updates cause ? On average, these feature updates take 82 minutes. So Microsoft took it upon themselves to reduce this time offline. To do that, they changed the way Windows feature updates are installed. These changes are the default behavior starting in Windows 10 version 1709. and below is a chart of how the offline time has improved since Windows 10 version 1703 was released. RS5 (Redstone 5) will be Windows 10 version 1809. to access these improvements with ConfigMgr use maintenance windows to stage the content. The Windows team is working with the ConfigMgr team to allow these maintenance windows to use just the offline time period as the maintenance window, meaning less time offline. As the staging is now low priority, it might cause timeouts for you in your maintenance window. Set the thread priority to normal to avoid that issue. Diagnosing Failures Typically, what you’d do is go search the error on the internet. So Microsoft released a new tool called SetupDiag which will help you troubleshoot these types of errors. In this example it points to errors with an AMD video driver. You can download the tool from here: https://docs.microsoft.com/en-us/windows/deployment/upgrade/setupdiag In Place Upgrade issues Use Windows Analytics to help you understand compatibility problems. If you want to make changes, use GPO’s instead of registry keys. Make sure you use supported mechanisms for user profile redirections. What about uninstalling updates ? So a business critical app doesn’t work after the update, what to do ? In the update CSP there are two options to roll back updates (by default, ten days, can be changed between 2 and 60 days). You can set this up via dism or MDM. Scripts to run during install (poor mans task sequence, v1, will change in the future). At a high level Microsoft is providing hooks into the setup process to allow you to do changes as necessary (Windows 10 1803 and later). until next time, adios !

My guess--and it's just a guess. I'm assuming that since it's the client that picked up the script to run, it'll be similar to the same context that other scripts run in, when picked up by policies, like Configuration Item Scripts, or Scripts used for Detection Logic for Applications--which is NT Authority\System, of the individual device. So if you want all your Domain Computers to have rights to some remote share, you'll want to make a share, and grant (I think) "Domain Authenticated Users" both NTFS modify to that location, and that the Share also has Modify rights to Authenticated Users. I think that might work... I see you're trying to use s$... that would be an Admin share. I wouldn't use that. Make a real Share, which you can permission properly.

I would force a full hardware inventory on one fo the PC to confirm that it has the correct data. if that works then force full hardware inventory on the whole collection. These blogs will help you with these tasks. https://www.enhansoft.com/?s=force+hardware+inventory

I manually populate that field via a script I run against my HR report monthly. The field for "managed by" requires input (whether it be via powershell, or other) to be in a specific format. I believe that the CN or username must be used. It is an odd field that does not populate with static data. For example, you will get script errors if you try to add a name to that field and the account your are trying to insert does not exist in AD. The "managed by" field must contain users who exist if you want to script.

What I ended up doing was upgrading my MDT to the 6.3.8450.1000 build (as you noted). Then, I tried my non-MDT TS...it still failed. I have no clue why. So I then recreated my entire OSD MDT TS. A few small TS tweaks and it now works with the older and the current Gen5's. For my 1803 deployment, I have the "apply operating system" ts set to "use an unattended sysprep answer file" and my unattended.xml is this: ********************************************** <?xml version="1.0" encoding="utf-8"?> <unattend xmlns="urn:schemas-microsoft-com:unattend"> <settings pass="oobeSystem"> <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"> <OOBE> <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE> <NetworkLocation>Work</NetworkLocation> <SkipMachineOOBE>true</SkipMachineOOBE> <SkipUserOOBE>true</SkipUserOOBE> </OOBE> </component> </settings> </unattend> ********************************************** Then, at the bottom of the auto created group called "install" (this is where the OS is applied and such). I have a "run command line" that sets the power plan so the computer does not sleep during OSD. This cmd line is: ********************************************** PowerCfg.exe /s 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c ********************************************** I apply drivers next. I integrated the HP MIK into my SCCM and now I create driver packages via that method. Seems to create smaller packages than previous when I was downloading the larger driver packs. I filter each driver pack by wmi query model. At the bottom of the drivers section, I increase the ccm cache size to 20GB using a powershell script. At the end of the OSD TS, I reset it back to 10GB. This allows larger packages to be installed during OSD. I hope this helps a bit.

I have worked with MS Intune support and this has now been verified as an SCCM bug. The case has been assigned to the SCCM team.

We'll see if anyone else comes along and says it's working or not working For now, I am trying the solution provided by @SMoRZ3 (thank you!)

FYI, I went back to the older PE and it is still failing to install the language pack. I suspect that it's actually the updated MDT that is causing the issue. I'm testing now to verify. Edit: Confirmed that rolling back to the older MDT and the install language pack offline is working again. So, the issue is not with the ADK but rather with MDT 8450 and Windows 10 1607.

Hi! Exacly what I was thinking also. Maybe they don't distribute worldwide, maybe they start slowly deploying the update. But then I know that in the future, to be patient. 😁 Hmm, maybe I should consider to download the script and try it out for upcoming updates in the future! Thank you so much for the info, have a great day, cheers!👍

Hello, The update is not available to us either, it is slowly deployed to everyone but not at the same time. If you want to have it right now, you have to download a script that will put you in the early distribution ring. It is available here : https://gallery.technet.microsoft.com/ConfigMgr-1806-Enable-3eb4b46c I have not tested the script, I am waiting patiently ;-) I hope this will help you

Have you enabled software inventory Is software inventory Inventoring .lnk files? Is there a reason you aren't just using a configuration baseline? it is easier to do this.

Thanks for the link, and the lab is definitely very useful and better than some other ones I've seen. I'll go through it some more. It seems like there's very little info on this specific aspect available on the internet regarding CApolicy.inf. I'm probably overthinking it but don't want to get it wrong. In other examples like Brian Komars book I see he adds more info under [certsrv_server] like "CRLPeriod", "CRLPeriodUnits", etc. and was wondering if there was a reason they were excluded on yours, if they are no longer needed or are set elsewhere, or if it's just due to it being a lab environment and those are the bare minimum settings needed for CAPolicy.inf EDIT: Just so other people who have the same question, I was able to find out that the only thing the CApolicy is needed for is to overwrite the few parameters that otherwise can't be configured via Powershell/GUI. So you're probably going to find a whole array of CApolicy files that are all technically correct, production-quality, they just contain varying levels of detail, and it's actually better to set them using CERTUTIL instead of defining them in the CAPolicy.inf file.

This is perfect Niall and I appreciate you not only taking the time to reply to my question but for all you do for the community and the time you spend creating your amazing walkthroughs. I cannot comprehend sometimes how incredible your knowledge and dedication is. you rock and cheers to you as well.

are you using the User version of the MSI or the other one ?

I'd recommend you install it to get a feel, and make sure to get your HP tam to guide you through it, i mean, that's what you are paying them for, it has some nice features and integrates nicely into SCCM when it works, have fun cheers niall

Thanks Niall for the time on this write up. Love it. Will implement this to my environment ones a get a non profit quote from patchmypc.

Introduction Microsoft released the new Surface Pro and recently a new operating system, Windows 10 version 1709 (Fall Creators Update). Now you can automate the installation of it using PowerShell. This script has been written to allow you to automate the deployment Windows 10 version 1709 (Fall Creators Update) using the latest available software including: Windows 10 x64 (version 1709) Microsoft Deployment Toolkit (MDT) build 8443 Latest available 2017 drivers for the Surface Pro Windows 10 ADK (version 1709) Windows Server 2016 Note: This is fully automated, and as this does install a Windows Deployment Services server role hosting a boot image, you should modify the script accordingly and test it thoroughly in a lab first. This script is tailored for one thing only, deploying Windows 10 x64 version 1709 to the Microsoft Surface Pro with all drivers loaded and MDT 2013 preconfigured. Download it and customize it to suit your needs for other hardware if you wish because what it does is pretty cool. This script performs the following actions:- Downloads and then Installs Windows ADK 10 (version 1709) if you have not done so already Downloads and then Installs MDT, if you have not done so already Downloads all required drivers for Microsoft Surface Pro if you have not done so already Imports the Windows 10 x64 (version 1709) operating system into MDT Imports the Microsoft Surface Pro drivers into MDT Creates Selection Profiles for Surface Pro and WinPE x64 Creates a Deploy Windows 10 X64 version 1709 task sequence Edits the Deploy Windows 10 X64 version 1709 task sequence and adds an inject drivers step for Microsoft Surface Pro Sets a WMI query for hardware detection for the Surface Pro on the corresponding driver step Injects the Microsoft Surface Pro network drivers into the LiteTouchPE_x64.wim Creates custom CustomSettings.ini and BootStrap.ini files Disables the X86 boot wim (as it is not needed for Surface Pro) Changes the Selection Profile for the X64 boot wim to use the WinPE x64 selection profile Installs the Windows Deployment Service role Configures the WDS role and adds the previously created LiteTouchPE_x64.wim Starts the WDS service so that you can PXE boot (UEFI network boot). All you have to do is download the script below, modify some variables, then place certain files in the right place such as the Windows 10 x64 Enterprise (version 1709) media. Please ensure you have a working DHCP scope on your Active Directory domain controller, then PXE boot a Microsoft Surface Pro and sit back and enjoy the show. Step 1. Download the script The PowerShell script will do all the hard work for you, it is in the Downloads section at the end of this guide, download it, unzip it and place it on the server that is designated to be the MDT server. Step 2. Configure the variables in the script Once you have downloaded and extracted the script, you need to configure certain variables interspersed throughout the script. I'll highlight the ones you need to edit. The most important of them is the $SourcePath variable (line 53) as this decides where to get the content from and where to store it. This variable should point to a valid drive letter, the folder name will be created if it does not exist. The $FolderPath variable (line 237) specifies the MDT Deployment share root folder for example C:\MDTDeploy. There are other variables to configure, for joining the Domain (lines 315-317) and then you need to configure how you actually connect to the MDT server from WinPE (lines 392-396) Step 3. Copy the Windows 10 x64 (version 1709) operating system files Mount a Microsoft Windows 10 x64 Enterprise (version 1709) ISO and copy the contents to $SourcePath\Operating Systems\Windows 10 x64\1709 as shown below Step 4. Optionally copy MDT, ADK 10, Surface Pro drivers This is an optional step. If you've already downloaded the above files then place them in the source folder, otherwise the script will automatically download them for you. Note: You do not have to do this as the script will download the content for you if it's not found. Step 5. Optionally copy your Applications to the respective folders This is an optional step. If you have apps like Office 365, copy them to their respective folders under Applications. If you do add any applications, you'll need to edit the corresponding section within the script for the CustomSettings.ini and replace the GUID for the App, these applications are remmed out with a #, as shown here (line 358) and here in line 294... Step 6. Run the script On the server that will become your MDT server, start PowerShell ISE as Administrator. Click on the green triangle to run the script. Below you can see the script has completed. After the script is complete, you are ready to test deploying Windows 10 version 1709 (Fall Creators Update) to a Microsoft Surface Pro. You can see that Windows Deployment Services is installed and that the ADK 1709 version of the MDT LiteTouch_X64 boot wim is already imported. This boot image also has the Surface Pro network drivers added. After opening the Deployment Workbench, you can see the Deploy Windows 10 x64 version 1709 task sequence is created The Surface Pro Inject drivers step is pre-configured for you and the WMI query for the hardware is also added on the options tab drivers specific to the Surface Pro for are imported into MDT Step 7. Sit back and watch the deployment Take a properly shutdown Surface Pro , and power it on using the following sequence. Hold the down volume key and then press the power button while continuing to hold down the volume key, it should PXE boot. Press enter when prompted before loading the boot image before prompting you for a computer name, note that it's currently set to SurfacePro in CustomSettings.ini contained within the script, you can change that behavior in the UI itself (CustomSettings.ini on the Properties/Rules of the DeploymentShare) or automate it via the many methods available such as those that Mikael describes here click Next and off it goes, with your customized Company name and after a while it's all done Troubleshooting If the script has issues starting WDS (and you see the error below) then restart the server, as you were asked to do at the end of the script ;-). If you cannot PXE boot, because WDS is not accepting connections (revealed by the PXE Response tab in WDS properties), then look for the following error in the scripts output: An error occurred while trying to execute the command. Error Code: 0x5 Error Description: Access is denied. If you see that error, then the user you are logged in as does not have sufficient permissions to configure WDS. To grant permissions to the Windows Deployment Server (MDT01) do as follows Open Active Directory Users and Computers. Right-click the OU where you are creating prestaged computer accounts, and then select Delegate Control. On the first screen of the wizard, click Next. Change the object type to include computers. Add the computer object of the Windows Deployment Services server, and then click Next. Select Create a Custom task to delegate. Select Only the following objects in the folder. Then select the Computer Objects check box, select Create selected objects in this folder, and click Next. In the Permissions box, select the Write all Properties check box, and click Finish. Repeat the above process to grant appropriate permissions for the User who will run the PowerShell script Summary Automating the deployment of Windows 10 version 1709 (Fall Creators Update) to the Microsoft Surface Pro using PowerShell and MDT is easy when you know how. Downloads Download the PowerShell script contained in the ZIP file. Deploy Windows 10 Fall Creators Update to Microsoft Surface Pro with MDT - November 2017.zip

Create a Package with the cab file Create a run Command Line Step Select the created Package Set as Command line: DISM.EXE /online /add-package /packagepath:.\relative\Path\to\dotNetFile.cab Example: (In this case the cab file is at the root directory of the package)

I have this working in my TS OSD. I setup mine differently than what you noted above. Here is what I have: 1) Create a TS for the powershell ps1 file call 2) Create the TS for the OSD Pics: location of 2 files; data in my ps1; TS for the OSD

Another great step-by-step guide from Windows-noob, thanks. Save us so much time. In one of the other step-by-step guide (I think it was in 1606) a user asked for splitting up the different SQL logs,DB,Temp and so on to different drives, maybe it would be a good ide to include that in your SQL configuration settings. Again thanks for some really nice guides.

<!-- This component migrates user files with known extension--> <component type="Documents" context="UserAndSystem"> <displayName _locID="miguser.userdata">User Data</displayName> <role role="Data"> <rules context="System"> <include> <objectSet> <script>MigXmlHelper.GenerateDrivePatterns ("* [*.snt]", "Fixed")</script> </objectSet>

Just to confirm, I've removed "2018-04 Cumulative Update for Windows 10 Version 1607 for x64-based Systems (KB4093119)" and now the 1703 Feature Update has appeared in Software Center! I'll get the CUs for each month of this year and try to find out where it's breaking.

Hello! Yes, do patch both x86 and x64. The detection should apply the correct architecture based on what' currently installed. For example, if you had Java x86 and Notepad++ x86 on an x64 machine, we would update to the latest x86 version for those apps if needed. No, we don't really pay much attention to what other competitors are doing. Instead, we focus on adding applications that would bring value to our customer base vs. just adding anything others may have that we don't currently support. Our customers can request new applications on our forum or email. We keep track of application request on this page: https://patchmypc.net/forum/index.php?board=19.0. Generally, it will only take us a few days to evaluate and add new request if the application is compatible. We do provide archived catalogs in the event you need to deploy an old version. - Justin

you know your spoiling us You have no idea how much this is appreciated. I am working on my SCCM certification and I used your documents in the past to create an SCCM 2007 environment and it worked well. I used other docs for my SCCM 1710 build (on Server 2008r2 and Server 2012). Even though the docs work, they were not laid out as organized as this (and they skipped some steps) and never provided scripts to auto build. With your process, I can build and rebuild (manual and automatically) so I can learn better. Again, I thank you very very much

there are TWO branches of SCCM, current branch (which is what you are using) and Technical Preview (which is what is in this video) Current Branch is for production environments, and Technical Preview is for labs, you cannot get TP updates in a Current Branch release

I do see this part of the execmgr.log at the time of clicking Install for my OSD: OnOptionalExecutionRequests attempted for package IVP00330 optional program * [QueueRequest: false RunOnCompletion : true QuietMode: true SDKCallerId: (null)] execmgr 10/17/2016 9:36:08 AM 496 (0x01F0) Validating package IVP00330 program * in the chain. The content request ID is {00000000-0000-0000-0000-000000000000} execmgr 10/17/2016 9:36:08 AM 496 (0x01F0) Creating an optional execution request for package IVP00330 program * execmgr 10/17/2016 9:36:08 AM 496 (0x01F0) Content is not available on the DP for this program. The program cannot be run now. execmgr 10/17/2016 9:36:10 AM 496 (0x01F0) OnOptionalExecutionRequests failed for program * : 0x87d01106 execmgr 10/17/2016 9:36:10 AM 496 (0x01F0) OR OnOptionalExecutionRequests attempted for package IVP002B9 optional program * [QueueRequest: false RunOnCompletion : true QuietMode: true SDKCallerId: (null)] execmgr 10/17/2016 9:42:07 AM 3908 (0x0F44) Validating package IVP002B9 program * in the chain. The content request ID is {00000000-0000-0000-0000-000000000000} execmgr 10/17/2016 9:42:07 AM 3908 (0x0F44) Creating an optional execution request for package IVP002B9 program * execmgr 10/17/2016 9:42:07 AM 3908 (0x0F44) Content is not available on the DP for this program. The program cannot be run now. execmgr 10/17/2016 9:42:09 AM 3908 (0x0F44) OnOptionalExecutionRequests failed for program * : 0x87d01106 execmgr 10/17/2016 9:42:09 AM 3908 (0x0F44) I have validated that the DPs for this client had all the packages that are part of this Task Sequence (which is ID: IVP00330 or IVP002B9, two different tests seen here). I have tested this same Task Sequence with an older SCCM client and the image works. It seems like I cannot install my Windows 10 Task Sequence or Windows 7 while using client 5.00.8412.1307. If I PXE or Media boot the computer, I can image with no issues.

hi guys, i know many people have requested to be able to download the guides here in PDF or Word DOC format so with help from a reader (Brian Thorp) we have just that ! now you can download the entire 18 part guide to using Configuration Manager 2012 in both PDF and WORD format and use whichever you want while on the go, Download the ZIP The windows-noob.com CM12 Guides in PDF and WORD format.zip a big thanks goes to Brian for compiling it all together so that you lot can have it remotely cheers ! niall

This list of guides (think of it as a living index) will be updated by me whenever I write a new guide for the new versions of System Center Configuration Manager (Current Branch) or System Center Configuration Manager (Technical Preview) and how they incorporate with Microsoft Intune. These guides are broken down into three different sections: System Center Configuration Manager (Current Branch) System Center Configuration Manager (Technical Preview) Setting up PKI in a lab on Windows Server 2016 The Current Branch release is meant for your production deployments and the Technical Preview releases are for testing new upcoming features in the product, and are aimed at Lab use only. The PKI guides are added in case you want to experiment with any roles requiring certificates using SCCM. If you are looking for some of my other guides then please check below: Microsoft Intune (standalone) in Azure step by step guides are here Microsoft Intune (hybrid) guides look here (over 61,103 views as of July 2017) Configuration Manager 2012 guides then look here (over 1 million views as of July 2017) Configuration Manager 2007 guides then look here (over 948388 views as of July 2017) Microsoft Deployment Toolkit guides are here SMS 2003 guides are here (over 10423 views as of July 2017) cheers niall System Center Configuration Manager (Current Branch) Installation - How can I install System Center Configuration Manager (Current Branch) Configuring Discovery - How can I configure discovery for System Center Configuration Manager (Current Branch) Configuring Boundaries - How can I configure boundaries in System Center Configuration Manager (Current Branch) Using Updates and Servicing in Offline mode - How can I use Updates and Servicing in Offline mode in System Center Configuration Manager (Current Branch) Using Updates and Servicing in Online mode - How can I use Updates and Servicing in Online mode in System Center Configuration Manager (Current Branch) Setting up the Software Update Point - How can I setup Software Updates in System Center Configuration Manager (Current Branch) Installing the Client agent - How can I configure client settings and install the ConfigMgr client agent in System Center Configuration Manager Current Branch Upgrading to System Center Configuration Manager (Current Branch) version 1602 from System Center Configuration Manager (Current Branch) version 1511 How can I use the Upgrade Task Sequence in System Center Configuration Manager (Current Branch) ? How can I use servicing plans in System Center Configuration Manager (Current Branch) to upgrade Windows 10 devices ? How can I deploy Windows 10 with MDT 2013 Update 2 integrated with System Center Configuration Manager (Current Branch) Setting up PKI in a lab on Windows Server 2016 Part 1 - Introduction and server setup Part 2 - Install and do initial configuration on the Standalone Offline Root CA Part 3 - Prepare the HTTP Web server for CDP and AIA Publication Part 4 - Post configuration on the Standalone Offline Root CA Part 5 - Installing the Enterprise Issuing CA Part 6 - Perform post installation tasks on the Issuing CA Part 7 - Install and configure the OCSP Responder role service Part 8 - Configure AutoEnroll and Verify PKI health

After a hour of testing I found out that you must add double quotes around "%msgdesc" to get the full description. Example of how my command line works: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -file "D:\scripts\Dcreation.ps1" -message "%msgdesc"

good idea, i'll put that together shortly and here it is ! http://www.windows-noob.com/forums/index.php?/topic/10905-the-windows-noob-mobile-device-management-guides-now-available-to-download/

ok great and thanks for updating the thread in case others have the same problem

Hi The problem was the fact that the SCCM 2007 agent was still installed. After uninstalling the agent I managed to take a capture, thanks for your help in this.

This list of guides is all about System Center 2012 R2 Configuration Manager. If you want to learn about SCCM 2012 this is how you can do it ! I've put together this list together to help people like you learn about Configuration Manager 2012 R2 and to help people learn about how they can integrate Microsoft Intune with Configuration Manager 2012 R2 to manage their iOS, Android and Windows Phone mobile devices. If you are looking for some of my other guides then please check below: Microsoft Intune (standalone) in Azure step by step guides are here Microsoft Intune (hybrid) guides look here (over 61,103 views as of July 2017) System Center Configuration Manager (Current Branch and Technical Preview) here (96,953 views, May 2018) Configuration Manager 2007 guides then look here (over 948388 views as of July 2017) Microsoft Deployment Toolkit guides are here SMS 2003 guides are here (over 10423 views as of July 2017) Note: Some of my guides are also available for download, please see below links download the Microsoft Intune Mobile Device Management guides here. download the Standalone Primary guides in PDF and WORD format here. Step-by-Step Guides Hierarchy with CAS using System Center 2012 Configuration Manager - Part 1. Installation - CAS using System Center 2012 Configuration Manager - Part 2. Install the Primary server - P01 using System Center 2012 Configuration Manager - Part 3. Configuring Discovery and Boundaries using System Center 2012 Configuration Manager - Part 4. Adding roles and configuring custom Client Device Settings and custom Client User Settings using System Center 2012 Configuration Manager - Part 5. Adding WSUS, Adding the SUP role, deploying the Configuration Manager Client Agent using System Center 2012 Configuration Manager - Part 6. Adding the Endpoint Protection role, configure Alerts and custom Antimalware Policies using System Center 2012 Configuration Manager - Part 7. Build and Capture Windows 7 X64 SP1 using System Center 2012 Configuration Manager - Part 8. Deploying Applications using System Center 2012 Configuration Manager - Part 9. Deploying Monthly Updates using System Center 2012 Configuration Manager - Part 10. Monitoring our Monthly Updates Automatic Deployment Rule using System Center 2012 Configuration Manager - Part 11. Upgrading your hierarchy to Service Pack 1 using System Center 2012 Configuration Manager - Part 12. Connecting Powershell and building a reference image of Windows 8 with .NET 3.5 using System Center 2012 Configuration Manager - Part 13. Deploying Windows 8 X64 with custom Start screen using System Center 2012 Configuration Manager - Part 14. Using Compliance Settings CM12 in a Lab - PXE boot failure after upgrading to System Center 2012 Configuration Manager Service Pack 1 CM12 in a Lab - How can I deploy Windows 8 X64 to the Microsoft Surface Pro using Configuration Manager 2012 SP1 ? CM12 in a Lab - How can I deploy System Center 2012 Endpoint Protection Definition Updates from a UNC file share CM12 in a Lab - How can I determine what Antimalware Policy is applied to my SCEP 2012 SP1 client ? CM12 in a Lab - when running /testdbupgrade for System Center 2012 Configuration Manager SP1 you get an error: SQL Native client 11 is not installed CM12 in a Lab - How can I backup System Center 2012 Configuration Manager ? CM12 in a Lab - SQL Server 2012 SP1 support in System Center 2012 Configuration Manager SP1 CM12 in a Lab - The CM12 BitLocker FrontEnd HTA - video CM12 in a Lab - The CM12 BitLocker FrontEnd HTA CM12 in a Lab - Where can I download additional clients for System Center 2012 Configuration Manager SP1 ? CM12 in a Lab - How can I sequence applications using App-V version 5 for Configuration Manager 2012 SP1 CM12 in a Lab - How can I deploy a Hidden task sequence in Configuration Manager 2012 SP1 ? CM12 in a Lab - How can I pre-provision BitLocker in WinPE during Windows 8 deployments using Configuration Manager 2012 SP1 ? CM12 in a Lab - How can i disable “Connect to a wireless network” during Windows 8 OOBE ? CM12 in a Lab - How can I deploy Windows 8 in UEFI mode using Configuration Manager 2012 ? CM12 in a Lab - Why is my System Center 2012 Configuration Manager console in read-only mode ? CM12 in a Lab - How can I view hidden Endpoint Protection Reports in System Center 2012 Configuration Manager ? CM12 in a Lab - How can I upgrade System Center 2012 Configuration Manager ? CM12 in a Lab - How can I add a PXE enabled Distribution Point on Server 2008 X86 for System Center 2012 Configuration Manager ? CM12 in a Lab - How can I display my System Center 2012 Configuration Manager hierarchy in Bing Maps ? CM12 in a Lab - How can I enable Debug View in the Configuration Manager console? CM12 in a Lab - How can I easily prompt for a computer name in Configuration Manager 2012 CM12 in a Lab - Importing Computers using a file CM12 in a Lab - Two New Endpoint Protection Reports added, What are they and what do they look like CM12 in a Lab - How can I setup a Distribution Point on a Windows 7 PC in Configuration Manager 2012 ? CM12 in a Lab - How can I capture an image using Capture Media in Configuration Manager 2012 ?