Everything posted by anyweb

  1. Note: I've upgraded the wrapper to PowerShell 2019/01/06 as explained here.

Introduction

This blog post is all about upgrading to Windows 10, either from Windows 7 or from an earlier release of Windows 10 to the latest release of Windows 10. Windows 10 is probably one of the fastest developing operating systems from Microsoft yet, and was initially released in July 2015 as Windows 10 version 1507. The version 1507 nomenclature equates to YYMM (two-digit year, two-digit month), so you'll always know when a version was released to manufacturing (declared RTM). So far we've seen the following Windows 10 mainstream versions (not including LTSB/LTSC):

  • Windows 10 version 1507
  • Windows 10 version 1511
  • Windows 10 version 1607
  • Windows 10 version 1703
  • Windows 10 version 1709
  • Windows 10 version 1803
  • Windows 10 version 1809

As each new version of Windows 10 is released, the new features it contains ensure that it is desirable to some, and it's just a matter of time before people want to upgrade to that version given the chance. But even with all the latest and greatest features, some users just won't upgrade if given the choice, for whatever reason.

There is however another element to consider, and that is how long Microsoft will release security updates for any given release of Windows 10 (i.e. how long that release is supported by Microsoft). Michael Niehaus discusses simplifying Windows As A Service (WAAS) here, but in a nutshell there is an 18-month servicing timeline for each release; however, Microsoft have added an additional 6 months to ease your pain, for now.

Update: In September 2018, Microsoft blogged the following after years of listening to customers complaining about the WAAS support lifecycle. In a nutshell, there are two main releases of Windows 10 for the Enterprise to think about going forward, the 03 releases (18 month support) and the 09 releases (30 months support).
Based on that statement alone, Enterprises will most likely opt for the 09 releases to avoid disruption to business and to their end users. This leads you to deal with the security support ability in a couple of ways, you can make the new upgrade available in Software center and hope your users will upgrade (seriously do you think they will ?), or you can get tough and decide when and where they will upgrade. To do that you have two options: servicing plans task sequences I've discussed servicing plans here so I won't go over that subject again, they are a valid option for many but are not very dynamic. With task sequences you have far greater control over how to deal with things that can break servicing plans (such as incompatible AntiVirus software or Windows Language packs). Assuming that you've made the choice to use task sequences to forcefully upgrade your computers to the next version of Windows the next problem is how do you force the upgrade. The answer is defined by the purpose of the task sequence deployment, namely Required (or mandatory). Just mentioning the words Required and Task Sequence is usually enough to make any seasoned ConfigMgr admin shiver. Why ? well there are many cases of people who've had career changing events in relation to required task sequences, therefore using them must come with a big fat warning, so here it is. WARNING! Using required task sequences is risky! Use them with extreme care and always test thoroughly. Disclaimer: if you choose this method and it all goes wrong, I'm sorry, I cannot accept liability. In this guide I show you how to set it up in a safe way and I include a 'get out of jail free' in case you make a mistake. It's up to you to test what works in your organization and what doesn't. My advice is that you test this thoroughly in a lab and once you are happy with the results, recreate it in production and continue to test it thoroughly. 
Also, be very careful about how you add computers to the required collection especially if it involves queries. Note: The Get out of Jail free step will help to secure your environment towards any accidental upgrades. Now that that is out of the way, let's get on with it. In this post I'll show you one way of forcefully upgrading your computers from a soon to be unsupported version of Windows 10 to the latest and greatest, and I'll include steps and advice to help you 'protect' yourself from disaster. In this guide we'll be forcing our source Windows 10 version 1511 computers to upgrade to the target Windows 10 version 1607. Note: you can always change the target Windows 10 version to whatever build you want (using the TargetBuild variable) as described in the Troubleshooting section at the end of this guide. Notifying users There is one other thing to consider about required task sequences, they are normally for all intents and purposes zero touch meaning no user interaction. That is fine for simple quick changes such as upgrading applications but if your users are going to have one or two hours downtime due to a forced Windows upgrade, you'll want to notify them and give them options to defer for a limited time period to a time that makes sense for them. In this guide I assume that the client setting Show notifications for new deployments in Computer Agent is set to No, that is a common client setting in organizations as it means less annoyances for the end user and of course there are other ways to notify a user about mandatory actions (PowerShell Application Deployment Toolkit for example). The recently released System Center Configuration Manager (Current Branch) version 1702 contains a great ability to edit the user notification message shown to users but it's limited in ability and it depends on your configured notification settings. So how do we solve that problem in a nice way. 
ConfigMgr allows us to chain programs before the task sequence begins and that's the key to this solution.

Step 1a. Get out of jail free (recommended)

The wrapper will not allow the HTA to display if a file called DO_NOT_UPGRADE.txt is present in C:\ProgramData. If you are paranoid about accidental upgrades (and you should be if using required task sequences) then do as follows.

1. Create a package (with no content) with a program to deploy a text file to all computers that are at risk of accidental deployment. Run the package daily. The program is simply a one-liner as follows:

    cmd.exe /c echo "Windows 10 Required Upgrade" > C:\ProgramData\DO_NOT_UPGRADE.txt

2. Target the OSD Servicing Required Deployment collection with another package/program that will remove the Do_NOT_Upgrade.txt file. Run the package every 2 hours. The program is again a one-liner, as follows:

    cmd.exe /c echo "Y" | del C:\ProgramData\Do_Not_Upgrade.txt

The above actions should protect your computers from accidentally being targeted by the task sequence. Any computer that has the Do_NOT_Upgrade.txt file present will not show the popup (HTA) and will not run the task sequence and thus will not upgrade until you are ready to do so.

Step 1b. Create some collections (optional)

This step is optional but recommended as it will give you a base of collections to manage your deployments. To complete this step download the CreateWindows10DeviceCollections.ps1 PowerShell script in the downloads section and run it as Administrator in PowerShell ISE as shown below. This script not only creates collections to make your job of finding different versions of Windows 10 easier, but it adds queries, include and exclude rules as necessary.

Below is a subset of the collections created (there are 18 in total). The OSD Servicing Required Deployment collection is limited to Windows 10 version 1511 as that is our target for the required upgrade.
This does not mean that it will use all computers in that collection it just means it will only use computers added to the OSD Servicing Required Deployment collection provided that they are also present in All Windows 10 version 1511. This ensures that you are targeting the correct version of Windows 10 for the required upgrade. Step 2. Create a Package/Program In this step you'll add a simple package/program that contains a few scripts. These scripts have error checking, logging and more built in so that you can trace what was done and when. These scripts will be chained to the required task sequence meaning that they must run successfully (with an exit code of 0) before the actual task sequence can start. User actions such as Defer in the popup will force an exit code 99 and the task sequence cannot start. Download the scripts in the downloads section and extract somewhere useful. Copy the Required Windows 10 Upgrade folder to your source folder on your ConfigMgr server. In the ConfigMgr console, select Application Management, Packages and Create Package. Give the new package a suitable name such as Required Upgrade to Windows 10 and point it to the source folder. For Program Type, choose Standard Program. In the Specify information about this standard program screen fill in the following details, Note: keep in mind that if you set Program can run Only when a user is logged on that that becomes a requirement, i.e. that a user must be logged on in order for this to run. You may want to get even tougher and set the Program can run option to Whether or not a user is logged on. If you do set it to Whether or not a user is logged on, and if the user is not logged on, the scripts will write to HKEY_USERS\.DEFAULT\Software\windowsnoob and you may need to update the scripts to detect this change. 
  • Name: start-upgrade.ps1
  • Command line: Powershell.exe -Executionpolicy bypass ".\Start-Upgrade.ps1"
  • Startup folder:
  • Run: Hidden
  • Program can run: Only when a user is logged on
  • Run mode: Run with user's rights
  • Drive Mode: Runs with UNC name

Note: If your target computers are running Windows 7, then place a check mark in the All Windows 7 (64 bit) box also.

In the Specify the requirements for this standard program screen use the following values:

  • This Program can run only on specified platforms: All Windows 10 (64 bit)
  • Estimated disk space: 10 MB
  • Maximum allowed time (minutes): 250

Click Next through to completion.

Step 3. Modify the package

On the newly created package, right click and choose Properties, then click the Data Access tab. Select Copy the content in this package to a package share on distribution points. Click Apply and OK.

Step 4. Distribute the package to your distribution points

Right click the package and choose Distribute Content, select your distribution points and continue through the wizard until completion.

Step 5. Modify an existing Windows 10 Required Upgrade task sequence

In this step I'll assume you've already created your Windows 10 Required Upgrade task sequence. If you haven't already then take a look at this post to see how. Locate the task sequence in the ConfigMgr console, right click and choose Properties. In the Advanced tab place a check mark in Run another program first and select the Windows 10 Required Upgrade program. In the Run only on the specified client platforms screen select All Windows 10 (64 bit).

Note: Make sure that Always run this program first is checked.

Note: If your target computers are running Windows 7, then place a check mark in the All Windows 7 (64 bit) box also.

Next, edit the task sequence and add a new Set Task Sequence Variable step as the first step in the task sequence, name it Is upgrade allowed to run.
Fill in the following values:

  • Task Sequence Variable: Upgrade_Forced
  • Value: True

Click on the Options tab and add the following options:

  • If ALL the conditions are true: File C:\ProgramData\Upgrade_Forced.txt exists
  • If None of the conditions is true: WMI Query: select * from Win32_OperatingSystem where VERSION = "10.0.15063"
  • If None of the conditions is true: File C:\ProgramData\DO_NOT_UPGRADE.txt exists

These three checks allow us to halt the task sequence on computers that don't meet our upgrade criteria.

Note: You'll need to decide what build is deemed 'the latest version' of Windows 10 in your organization and change accordingly. In this post I'm assuming that is Windows 10 version 1703 (build 10.0.15063).

On the Upgrade Operating System step, edit the Options and include the following Task Sequence Variable: Upgrade_Forced=True

Note: This will ensure that the required upgrade only occurs if the Upgrade_Forced.txt file was present in C:\ProgramData.

Next in the Post-Processing group add a new Run Command Line step called Add Windows 10 Required Upgrade reg key with the following command line:

    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\windowsnoob" /v RequiredUpgrade /t REG_SZ /d "%date%" /f

This will allow you to run reports on when computers were upgraded using this method. Close the task sequence.

Next create a new Run Command Line step called Remove Upgrade_Forced.txt with a command line of:

    cmd.exe /c echo Y | del C:\ProgramData\Upgrade_Forced.txt

Step 6. Deploy the task sequence

In this step we deploy the task sequence with a purpose of Required.

Note: I'd strongly advise you to test this thoroughly in your lab and make sure to pick your collections correctly and to populate them very carefully.

Right click on the task sequence and choose Deploy. For collection choose OSD Servicing Required Deployment, and ignore the popup telling you it's empty; you can add computers to that collection later.
Change the Purpose to Required For Scheduling click on New, then choose Schedule, then change it to run daily at 11am. For rerun, choose Always rerun program as you will update the limiting collection (All Windows 10 version 1511) membership daily @ 1pm and upgraded computers will fall out of the collection. In case they don't (for whatever reason) the wrapper checks for the targetbuild and if the computer matches that build, it will abort and not start the upgrade. Note: The above schedule will run our popup daily at 11am for 6 days prior to forcing the upgrade to Windows 10. You should change the schedule according to your preferences. Continue through the wizard until completion. Note: If you want to test run the Task Sequence from the Software Center or if you want your users to do this, then enable the Allow users to run the program independently of assignments checkbox on the User Experience tab. Step 7. Adjust Windows 10 limiting collections membership schedule Below you can see the membership rules update frequency on the limiting collection, it's set to run two hours after our Upgrade, adjust as necessary for your organization and your agreed schedule. Step 8. Add test computers to the OSD Servicing Required Deployment collection Note: Before doing this step, carefully read the Warning and Disclaimer at the top of this guide! Right click on the collection and choose Add Resources (or use your own chosen method to add computers) to add one or more test computer to the OSD Servicing Required Deployment collection. As this collection now has a live required task sequence deployed to it, do this step very very carefully, if in doubt stop what you are doing, go and have a coffee and try again when your nerves are calm. and add your test computers as you see fit.. Step 8. Monitor the experience on test computers Login to a test computer, do a machine policy update in the ConfigMgr client actions and wait for the popup or kick it off via software center. 
After the computer receives the policy and the scheduled time is reached, a popup is shown offering the user the choice to Defer the upgrade or Upgrade now by selecting the appropriate checkbox and then clicking on Upgrade Now.

Note: The clickable link goes to a non-existent URL; you need to point it to whatever documentation you want your users to read in preparation for the upgrade.

As each day passes (or based on your custom schedule) the counter reduces by 1 every time the popup appears. When there are no more deferrals left, a 4 hour countdown starts and when it reaches 00:00:00 the Windows 10 Required Upgrade will start. If the user closes the popup, the timer will resume where it left off when it is restarted.

Alternatively, if the user doesn't want to defer, and they want to run the upgrade right now, they can place a checkmark in the 'My files are synced in OneDrive...' box and then click Upgrade Now to start the task sequence. Either way, regardless of what your user clicks on, (based on the schedule in this guide) the computer will start the upgrade within 7 days (or earlier or later if you adjust the schedule).

Once the Upgrade Now button is clicked on, or once the timer reaches 00:00:00, the task sequence will automatically start (assuming that the DO_NOT_UPGRADE.txt is not present).

Branding

Simply replace the banner.png file included with one matching your Company Name, edit the upgrade.hta and locate the 'windowsnoob' name in the text field (line 347) and replace it with your own Company Name.
Troubleshooting

The popup creates 3 log files to troubleshoot the process. They are located in C:\ProgramData and named:

  • Windows10RequiredUpgradeHTA.log
  • Windows10RequiredUpgradeWrapper.log
  • Windows10RequiredUpgradeStartUpgrade.log

The wrapper writes to the registry in HKCU\Software\windowsnoob

Note: The collections, scripts and task sequence assume you are upgrading from Windows 10 version 1511 to Windows 10 version 1607. You'll need to edit the WMI Query in the task sequence to change the Windows 10 build version when you move to Creators Update and for later versions of Windows, and you'll need to edit the TargetBuild variable in the wrapper.vbs script accordingly. Once done, you should change the Limiting Collection for the OSD Servicing Required Deployment collection to match the n-1 version of Windows 10 you want to migrate from.

Tip: If you have rendering issues with the popup on different devices then edit the call ResizeWindow(425,335,500,375) values and ResizeWindow Function to fit your specific needs. I don't have access to too much hardware to test this on. The popup is fixed; if you want the user to be able to move it change the line caption="no" to caption="yes". If you want to position it programmatically then add a Window.moveTo(x, y) line.

Downloads

You can download the scripts used above in the following zip files:

  • windowsnoob Required Upgrade HTA.zip
  • CreateDeviceCollectionsWindows10.zip

Summary

Forcefully upgrading computers is a tricky area but hopefully this method gives you one more option to consider.
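
The DO_NOT_UPGRADE.txt guard from Step 1a and the three task sequence conditions from Step 5 can be checked on a client before it is added to the required collection. The PowerShell below is an added example and is not one of this guide's downloadable scripts; the function name Test-RequiredUpgradeGate and its parameters are hypothetical, the marker file names and build number are the ones given in the guide, and the script only reads state.

```powershell
# Added example, not one of the guide's downloadable scripts.
# Test-RequiredUpgradeGate and its parameters are hypothetical names; the
# marker file names and the 10.0.15063 build come from Step 1a and Step 5.
function Test-RequiredUpgradeGate {
    [CmdletBinding()]
    param(
        # Folder holding the marker files (C:\ProgramData in the guide).
        [string]$MarkerRoot = $env:ProgramData,
        # Build the task sequence WMI condition treats as already upgraded.
        [string]$TargetVersion = '10.0.15063',
        # Version to evaluate; defaults to the local operating system.
        [string]$OsVersion = (Get-CimInstance -ClassName Win32_OperatingSystem).Version
    )

    $markers = foreach ($name in 'DO_NOT_UPGRADE.txt', 'Upgrade_Forced.txt') {
        $path    = Join-Path -Path $MarkerRoot -ChildPath $name
        $present = Test-Path -LiteralPath $path -PathType Leaf
        [pscustomobject]@{
            Name    = $name
            Present = $present
            # Owner shows which account created the marker (read-only query).
            Owner   = if ($present) { (Get-Acl -LiteralPath $path).Owner } else { $null }
        }
    }

    $blocked  = ($markers | Where-Object Name -eq 'DO_NOT_UPGRADE.txt').Present
    $forced   = ($markers | Where-Object Name -eq 'Upgrade_Forced.txt').Present
    $atTarget = ($OsVersion -eq $TargetVersion)

    # Same order of precedence an admin would want when reading the result:
    # the guard file wins, then the build check, then the force marker.
    $reason = if ($blocked) {
        'blocked: DO_NOT_UPGRADE.txt is present'
    } elseif ($atTarget) {
        "skipped: already at $TargetVersion"
    } elseif (-not $forced) {
        'waiting: Upgrade_Forced.txt is not present'
    } else {
        'upgrade would run'
    }

    [pscustomobject]@{
        OsVersion    = $OsVersion
        # Step 5 sets Upgrade_Forced=True only when all three conditions pass.
        WouldUpgrade = ($forced -and -not $atTarget -and -not $blocked)
        Reason       = $reason
        Markers      = $markers
    }
}

# Constructed demo: a temporary folder stands in for C:\ProgramData, and the
# OS versions are passed in rather than read from the machine.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) ("gate-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
try {
    # Version 1511 client (10.0.10586) with the force marker in place.
    Set-Content -Path (Join-Path $demo 'Upgrade_Forced.txt') -Value 'constructed'
    Test-RequiredUpgradeGate -MarkerRoot $demo -OsVersion '10.0.10586' |
        Select-Object OsVersion, WouldUpgrade, Reason

    # Same client after the daily guard package from Step 1a has run.
    Set-Content -Path (Join-Path $demo 'DO_NOT_UPGRADE.txt') -Value 'constructed'
    Test-RequiredUpgradeGate -MarkerRoot $demo -OsVersion '10.0.10586' |
        Select-Object OsVersion, WouldUpgrade, Reason

    # Client already on the build named in the WMI condition, guard removed.
    Remove-Item -LiteralPath (Join-Path $demo 'DO_NOT_UPGRADE.txt')
    Test-RequiredUpgradeGate -MarkerRoot $demo -OsVersion '10.0.15063' |
        Select-Object OsVersion, WouldUpgrade, Reason
}
finally {
    Remove-Item -LiteralPath $demo -Recurse -Force
}
```

Called with no parameters on a real client, the function reads C:\ProgramData and the local OS version, and the Markers property lists the owner of each marker file that exists.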
  2. Introduction

At the start of this series of step by step guides you installed System Center Configuration Manager (Current Branch), then you configured discovery methods. Next you configured boundaries to get an understanding of how automatic site assignment and content location works. After that you learned how to update ConfigMgr with new features and fixes using a new ability called Updates and Servicing and you learned how to configure ConfigMgr to use Updates and Servicing in one of these two modes:

  • Online mode
  • Offline mode

To prepare your environment for Windows 10 servicing (this guide) you learned how to set up Software Updates using an automated method (via a PowerShell script) or manually using the ConfigMgr console. Next you used a PowerShell script to prepare some device collections, then you configured client settings for your enterprise and finally you deployed the ConfigMgr client agent using the software updates method, which is the least intensive method of deploying the Configuration Manager client agent.

As System Center Configuration Manager (current branch) is being delivered as a service now, version 1602 was made available (March 11th, 2016) and you used Updates and Servicing to do an in-place upgrade to that version as explained here. Next you learned about how to use the Upgrade task sequence to upgrade your Windows 7, Windows 8 (and 8.1) and even your Windows 10 devices to a later build of Windows 10. You then learned about the new Windows 10 servicing features which use Servicing Plans in ConfigMgr (Current Branch).

Next you integrated MDT 2013 update 2. MDT integration with ConfigMgr is useful as it provides additional functionality for operating system deployment scenarios such as Offline Language Package installation or User Driven Integration (UDI). Next you learned how to deploy Language Packs offline for Windows 10.
To assist with Windows 10 servicing and for applying appropriate software updates to your Windows 10 devices, you used PowerShell to add queries to the various Windows 10 collections. Next you took a deeper look at the Windows 10 Upgrade task sequence, and learned one way of dealing with potential upgrade issues. While that method will flag a problem, such as determining the system UI language doesn't match the provided media, it won't allow you to continue with the upgrade. Next you learned how to upgrade the operating system when a language pack was installed, provided that the system UI language is from a 'list' of approved languages that you intend to support. This guide will show you how to display customized messages to a user during a task sequence, and how to set an exit code which could allow you to deliberately fail an action if necessary. All that's required is a few steps to set variables, a PowerShell script, and the serviceUI.exe executable from MDT 2013 Update 2. Step 1. Create a package On your ConfigMgr server, in the sources share, create a folder called Display Custom Message and place the DisplayCustomMessage.ps1 PowerShell script available in the downloads section of this guide, in the folder. Even though you might be deploying an X64 operating system, locate, select and copy the x86 architecture version of ServiceUI.exe from the Sources\OSD\MDT\MDT2013u2\Toolkit\Tools\x86 folder into the Display Custom Message folder as shown below. In the ConfigMgr console, Software Library, select Packages and right click, choose Create Package. Fill in the following details, Choose Do not create a program and then continue through the wizard until completion. Once the package is created, right click the package and choose Distribute Content. Distribute the package to your distribution points. Step 2. 
Create a custom task sequence

In the ConfigMgr console, in Software Library, select Operating Systems and right click on Task Sequences, choose Create Task Sequence. Select Create a new custom task sequence, give the task sequence a suitable name such as Display Custom Messages with exit codes and continue through that wizard until completion.

Step 3. Edit the task sequence

Right click on the newly created task sequence and choose Edit. It will appear blank. Click on the Add drop down and add a New Group called Display Custom Message.

Create a new Set Task Sequence Variable step called Set Title with a Task Sequence Variable called Title, with a suitable value as follows:

Create a new Set Task Sequence Variable step called Set Message with a Task Sequence Variable called Message, with a suitable value as follows:

Create a new Set Task Sequence Variable step called Set ReturnCode with a Task Sequence Variable called ReturnCode, with a suitable positive value as follows:

Click Add and choose Run Command Line, name the step Display Custom Message and paste in the following:

    ServiceUI.exe -process:TSProgressUI.exe %windir%\sysnative\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -NoProfile -ExecutionPolicy bypass -nologo -file DisplayCustomMessage.ps1

For Package, select the Display Custom Message package created above.

Copy the entire group and paste it below the first group. Edit the Set Message step as below. Edit the Set ReturnCode step, and choose a value that the Options tab on the Display Custom Message step is not going to expect, such as 1. This will cause the next step to fail when it returns the return code.

Apply your changes and exit the Task Sequence wizard.

Step 4. Deploy the task sequence

Right click on the task sequence and choose Deploy. Choose a suitable collection and use a purpose of Available.

Step 5.
Review the capabilities

On a client computer that is in the collection that the task sequence was deployed to, open Software Center and select the Display Custom Message with exit codes task sequence. Choose Install and after a few moments the first popup message appears!

As the ReturnCode for the first message was set to a value we expected (0 or 3010) it did not fail the task sequence. Click OK to continue... the next message appears; note the different text, and it's hinting towards what will happen. Clicking OK will produce the failure, which is OK because we were expecting it. In fact, the ReturnCode we set (1) is listed in the failure message.

In a real Production task sequence however, you'd take care of failures and deal with them in a professional way; I just want you to see that we can actually set the ReturnCode via the custom message. To get more proof of that refer to the SMSTS.log file, and you can see that it's setting the ReturnCode to the value we chose. Result!

Summary

Popping up messages to users during a task sequence is sometimes necessary, and when things go wrong, you sometimes need to fail the task sequence or set a ReturnCode to do a planned action. This guide helps you do both of those things dynamically.

Related Reading

Task sequence steps in System Center Configuration Manager - https://technet.micr...y/mt629396.aspx

If you'd like to send a notification message to users in Intune in Azure, try the following guide.

Downloads

You can download a Microsoft Word copy of this guide here dated 2016/05/26: How can I display custom messages to users during a task sequence in SCCM Current Branch.zip

You can download the PowerShell script used above here: DisplayCustomMessage.zip
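
How a script can pick up the Title, Message and ReturnCode task sequence variables from Step 3 and hand the ReturnCode back to the Run Command Line step is sketched below. This is an added example and is not the DisplayCustomMessage.ps1 from the downloads section; the function names are hypothetical, and treating a missing or non-numeric ReturnCode as 1 is this example's own choice.

```powershell
# Added example; NOT the DisplayCustomMessage.ps1 from the downloads section.
# Function names are hypothetical. Title, Message and ReturnCode are the task
# sequence variables created in Step 3 of the guide.
Add-Type -AssemblyName System.Windows.Forms

function Get-TsVariable {
    param($TsEnv, [string]$Name, [string]$Default)
    # Outside a task sequence there is no environment object, so use the default.
    $value = if ($null -ne $TsEnv) { $TsEnv.Value($Name) } else { $null }
    if ([string]::IsNullOrWhiteSpace($value)) { $Default } else { $value }
}

function ConvertTo-ReturnCode {
    param([string]$Raw)
    # Accept only a non-negative integer. Anything else becomes 1 so that a
    # mistyped variable fails the step instead of silently reporting success
    # (assumption of this example: 0 and 3010 are the step's success codes).
    $code = 0
    if ([int]::TryParse($Raw, [ref]$code) -and $code -ge 0) { return $code }
    return 1
}

function Show-TsMessage {
    # Microsoft.SMS.TSEnvironment is only registered while a task sequence runs.
    try   { $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment -ErrorAction Stop }
    catch { $tsenv = $null }

    # Defaults are constructed values so the script can be tried on a workstation.
    $title   = Get-TsVariable -TsEnv $tsenv -Name 'Title'      -Default 'Constructed title'
    $message = Get-TsVariable -TsEnv $tsenv -Name 'Message'    -Default 'Constructed message'
    $rawCode = Get-TsVariable -TsEnv $tsenv -Name 'ReturnCode' -Default '0'

    [void][System.Windows.Forms.MessageBox]::Show(
        $message, $title,
        [System.Windows.Forms.MessageBoxButtons]::OK,
        [System.Windows.Forms.MessageBoxIcon]::Information)

    ConvertTo-ReturnCode -Raw $rawCode
}

# The process exit code is what the step compares with its success codes.
exit (Show-TsMessage)
```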
  3. Introduction

At the start of this series of step by step guides you installed System Center Configuration Manager (Current Branch), then you configured discovery methods. Next you configured boundaries to get an understanding of how automatic site assignment and content location works. After that you learned how to update ConfigMgr with new features and fixes using a new ability called Updates and Servicing and you learned how to configure ConfigMgr to use Updates and Servicing in one of these two modes:

  • Online mode
  • Offline mode

To prepare your environment for Windows 10 servicing (this guide) you learned how to set up Software Updates using an automated method (via a PowerShell script) or manually using the ConfigMgr console. Next you used a PowerShell script to prepare some device collections, then you configured client settings for your enterprise and finally you deployed the ConfigMgr client agent using the software updates method, which is the least intensive method of deploying the Configuration Manager client agent.

As System Center Configuration Manager (current branch) is being delivered as a service now, version 1602 was made available (March 11th, 2016) and you used Updates and Servicing to do an in-place upgrade to that version as explained here. Next you learned about how to use the Upgrade task sequence to upgrade your Windows 7, Windows 8 (and 8.1) and even your Windows 10 devices to a later build of Windows 10. You then learned about the new Windows 10 servicing features which use Servicing Plans in ConfigMgr (Current Branch).

In this guide you will integrate MDT 2013 update 2. MDT integration with ConfigMgr is useful as it provides additional functionality for operating system deployment scenarios such as Offline Language Package installation or User Driven Integration (UDI).

Note: This guide assumes that you have not yet enabled or configured a PXE distribution point or Network Access Account. If you have, then you can skip those steps.
In addition, this guide assumes you have created a DHCP scope on your Active Directory Domain Controller and activated it. Step 1. Download MDT 2013 Update 2 Download the MDT 2013 Update 2 x64 MSI from the following link. In addition to downloading MDT 2013 Update 2, you might want to download the MDT ZIP file (located in the downloads section at the end of this post) which contains pre-created folders and files for use in the Create MDT Task sequence wizard. Simply extract it to the desired sources folder on your ConfigMgr server, for example: \\<ConfigMgrServer>\sources\osd\ the folders it creates are highlighted below after extraction Step 2. Install MDT 2013 Update 2 After you've downloaded the msi, it's time to install it. On your ConfigMgr server double-click the MSI and the wizard will appear accept the EULA and click next choose where you want to install MDT, for example on D:\Program Files\Microsoft Deployment Toolkit\ select if you want to participate in the CEIP or not and then click Install and accept the UAC prompt when complete, click Finish to close the wizard Step 3. Integrate MDT 2013 Update 2 with ConfigMgr Now that you have installed MDT you should integrate it with ConfigMgr. You do this to gain access to tools and features that MDT provides from within the ConfigMgr console. In the start screen, locate the newly installed Microsoft Deployment Toolkit application group, right click Configure ConfigMgr Integration shortcut and right click, choose Run as Administrator. The wizard settings will default to Install the MDT extensions for Configuration Manager the first time you run the integration after clicking next you should see output similar to below, if not, make sure you chose Run As Administrator Note: If the ConfigMgr console was open during this process, close it and then open it again to view the MDT integration. Step 4. 
Add the latest Windows 10 Enterprise x64 media

I'd recommend you use the latest Windows 10 Enterprise x64 media from Microsoft Volume License site (or MSDN for a lab). The latest available media is updated with February Cumulative Updates for 1511. Mount the ISO using Windows File Explorer. After mounting the ISO, copy the contents to somewhere useful like:

    \\<ConfigMgrServer>\Sources\OSD\OS\OSImages\Windows10x64\1511

To add the operating system do as follows. In the ConfigMgr console, select Software Library, then Operating Systems, then Operating System Images. Right click and choose Add Operating System Image. Point it to the install.wim file in the sources folder of the Windows 10 Enterprise x64 media you just added and fill in some details about the image before continuing through that wizard until completion.

Note: To make the image available on the network, distribute it to your distribution points by right-clicking and choosing Distribute Content. Select one or more distribution points, and continue through that wizard until completion.

Step 5. Configure a Network Access Account

You'll need to configure a Network Access Account to allow content to be downloaded while in WinPE. To configure the Network Access Account do as follows: In the ConfigMgr console, Administration workspace, select Site Configuration then Sites and right click on the Primary site listed (P01). Choose Configure Site Components, then Software Distribution, then choose Specify the account that accesses network locations, choose New and enter the credentials of the account you plan on using for Network Access. Apply the changes and close the wizard.

Step 6. Enable PXE support on the Distribution Point

Note: These actions install Windows Deployment Services files to C:\RemoteInstall. If you want to use a custom path or different drive letter then configure WDS manually before enabling PXE.
This step assumes you have already configured a DHCP scope and activated it on your Active Directory domain controller. Enabling PXE support on the distribution point configures Windows Deployment Services automatically. To do this, open the Administration workspace and select a distribution point, right click and choose Properties. Select the PXE tab and use the following settings: Enable PXE support for clients Allow this distribution point to respond to incoming PXE requests Enable Unknown Computer support Require a Password when computers use PXE <P@ssw0rd> Allow user device affinity with Automatic Approval Click Apply when done. Step 7. Create MDT boot image, MDT Toolkit and MDT settings packages In order to utilize MDT within ConfigMgr, you need to create a few MDT components namely MDT Boot image MDT Toolkit Files MDT Settings These can be created the first time you create an MDT task sequence. To do that follow this process. In the ConfigMgr console browse to Software Library, Operating Systems, right click on Task Sequences and choose Create MDT Task Sequence. Choose a Template, there are several provided in the drop down menu listed below: Client Task Sequence Client Replace Task Sequence Microsoft Deployment Custom Task Sequence Server Task Sequence User Driven Installation Replace Task Sequence choose the default option which is Client Task sequence give the MDT task sequence a suitable name enter domain join details and choose an administrator password keep the default capture settings for Specify a boot image package to use, select the second option, create a new boot image package and browse to a previously created empty folder UNC path which contains a folder matching the version of WinPE and the Architecture of the boot image you are about to create, eg: \\<ConfigMgrServer>\Sources\OSD\boot\WinPE 10 x64 Note: If you used the MDT.ZIP file mentioned in step 1, then this folder will already be present. 
Also to note, do not place a backslash at the end of the path as ConfigMgr will add that to the path and you won't be able to distribute the boot wim later. fill in some details about the boot image then select the x64 Architecture and scratch space on the Components screen, browse through the list of components you want added to the boot image, for example if supporting Windows PowerShell add it here. On the Customization screen you get to choose background wallpaper, prestart commands and extrafiles in addition to enabling command support (F8). To enhance the built in logging ability you'll add smsts.ini via Extrafiles. I won't go into more detail about that other than to refer you to this post where everything is explained. Below you can see the smsts.ini file that is copied to an Extrafiles\Windows folder and in the customization screen, you point to that previously created path Next you get to create the MDT Toolkit Files package, so select the Create a new Microsoft Deployment Toolkit Files package option, and point it to a previously created path such as below: \\<ConfigMgrServer>\sources\osd\MDT\MDT2013u2\Toolkit fill in details about the MDT Toolkit Files package..be descriptive as it's common to have different versions of MDT Files over time Select your previously added Operating System Image (first option) For Deployment Method you get to choose the type of task sequence interaction will be used: Perform a zero touch installation os deployment, with no user interaction Perform a user driven installation if you want your users to have choices then select the UDI option, otherwise select the Zero Touch option to remove choices from the task sequence. for Client Package, select Specify an existing ConfigMgr client package and browse to the one you wish to use. for USMT Package select the User State Migration Tool for Windows 10 package For Settings Package, you need to create a new MDT 2013 Update 2 settings package, therefore select the second option. 
You only have to do this once for each version of MDT you have installed. Select Create a new settings package and fill in the path to be created as shown below something like: \\<ConfigMgrServer>\sources\osd\MDT\MDT2013u2\Settings\ for Sysprep Package, set No sysprep package is required and continue through to the end of the wizard and after a while you'll get a process completed successfully message. Note: If you want to create the WinPE 10 x86 mdt boot image, repeat the above, except do not create new toolkit and settings packages, and change the architecture of the boot wim for that step. Step 8. Distribute task sequence content At this point you are nearly ready to start testing, but first you need to distribute the task sequence content to your distribution points, the easiest way to do that is to right click on the Windows 10 x64 version 1511 - Zero Touch MDT task sequence and choose Distribute Content. the Distribute content wizard appears, listing all the packages in the task sequence select one or more distribution points by clicking Add and continue through the wizard until completion Step 9. Enable PXE support for the MDT boot image Browse to Software Library, Operating Systems, Boot images and select the WinPE 10 x64 boot image. Right click and choose Properties, and select the Data Source tab. Place a checkmark in Deploy this boot image from a PXE enabled distribution point. Repeat the above for the WinPE 10 x86 boot image. Step 10 . Deploy the task sequence Browse to Software Library, Operating Systems, Task Sequences and select the Windows 10 x64 version 1511 - Zero Touch task sequence. Right click and choose Deploy and use the following settings: For collection choose the OSD_Deploy collection (created in this guide) for Deployment Settings make sure it is set to Available and deployed to Only media and PXE and continue through the rest of the wizard until completion. 
Note: The last task sequence deployed (last in, first out or LIFO) will have an effect on which boot image is offered to PXE clients. If you require the WinPE 10 x64 boot image to 'answer' your clients, make sure it's attached to the last task sequence deployed. Step 11. PXE boot a computer Now everything is in place for testing a deployment of Windows 10 using an MDT 2013 Update 2 integrated task sequence in Configuration Manager (current branch). Simply PXE boot a computer that is a member of the OSD Deploy collection. While PXE booting, you can verify that the WIM file it's pulling down is indeed your newly created MDT 2013 Update 2 boot image by looking at the boot image package id. After it has completed PXE boot, the custom wallpaper is in place and the PXE password prompt is waiting. Enter the PXE password and choose the appropriate task sequence and off it goes... and you can see the familiar MDT background with information about the stages of deployment and after a while, it's all done ! Summary Using MDT integrated task sequences is relatively easy once you understand what needs to be put in place beforehand. In a later post you'll see how to use some of the added functionality that MDT integrated task sequences provide within the ConfigMgr console. Related Reading Planning for PXE-Initiated Operating System Deployments in Configuration Manager - https://technet.microsoft.com/en-us/library/hh397405.aspx How to Deploy Operating Systems by Using PXE in Configuration Manager - https://technet.microsoft.com/en-us/library/gg712266.aspx How can I use the Upgrade Task Sequence in System Center Configuration Manager (current branch) ? How can I use servicing plans in System Center Configuration Manager (Current Branch) to upgrade Windows 10 devices ? 
Downloads You can download a Microsoft Word copy of this guide here dated 2016/04/30 Deploying Windows 10 with MDT 2013 Update 2 in System Center Configuration Manager (current branch).zip Download a copy of the MDT files and folders used in the Create MDT task sequence wizard here MDT.zip
  4. technically i'm sure it's possible but you'd have to script something to make the call to AD and then pull the relevant data.
  5. best of luck with it Thomas, i know it's complex to setup, but once you have it all working in a lab it's worth it !
  6. This series is comprised of different parts, listed below.

Part 1 - Introduction and server setup
Part 2 - Install and do initial configuration on the Standalone Offline Root CA
Part 3 - Prepare the HTTP Web server for CDP and AIA Publication
Part 4 - Post configuration on the Standalone Offline Root CA (this part)
Part 5 - Installing the Enterprise Issuing CA
Part 6 - Perform post installation tasks on the Issuing CA
Part 7 - Install and configure the OCSP Responder role service
Part 8 - Configure AutoEnroll and Verify PKI health

In part 1 of this series, you configured your LAB for a 2 tier PKI hierarchy running on Windows Server 2016. You used PowerShell to create some virtual machines, and then installed Windows Server 2016, Windows 10 Enterprise version 1803 and optionally Smoothwall 3.1 before configuring the IP address scheme and Computer Names on the virtual machines. Finally you configured ADDS on DC01 so that you have a working Domain Controller for the rest of this LAB. In part 2 you installed and did the initial configuration on the Standalone Offline Root CA. In part 3 you prepared the HTTP Web Server for CDP and AIA Publication and you created a DNS record for the publicly available web server.

Now you will perform post configuration on the Standalone Offline Root CA: first set the certificate revocation list (CRL) period registry settings using CertUtil, then enable object access Auditing, and finally configure three locations for the Authority Information Access (AIA) and four locations for the Certificate revocation list Distribution Point (CDP), again using CertUtil.

Step 1. Configure CRL period registry settings using CertUtil

In this step, you'll use CertUtil to set various related registry settings for the Certificate Revocation List periods in the registry on the Standalone Offline Root CA. Logon to the Standalone Offline Root CA as RootCA\Administrator. Right-click on Start, and choose Command Prompt (admin). I'll show screenshots of the output of each command separately so that you can compare it to your environment.

To start off, you need to define the Active Directory Configuration Partition Distinguished Name, and to do that using certutil enter the following command:

    Certutil -setreg CA\DSConfigDN "CN=Configuration,DC=windowsnoob,DC=lab,DC=local"

Note: You can determine what the configuration path should be (for your LAB) for the command above by logging on to the Domain Controller (DC01), opening ADSI Edit, clicking on Action and then selecting Connect to. In the window that appears, change Select a well known naming context to Configuration. In the ADSI Edit pane, right click on CN=Configuration,DC=windowsnoob,DC=lab,DC=local and choose Properties, scroll down and double click on Distinguished Name, then copy the Value listed in the String attribute editor.

The results of the certutil -setreg command on the Standalone Offline Root CA are shown below. Be sure that it states CertUtil: -setreg command completed successfully.

Next you will define the Certificate Revocation List (CRL) Period Units, CRL Period and CRL Delta Period Units. To do so run the following commands from an administrative command prompt:

    Certutil -setreg CA\CRLPeriodUnits 52

Press Enter. The output of the above command is shown below.

    Certutil -setreg CA\CRLPeriod "Weeks"

Press Enter. The output of the above command is shown below.

    Certutil -setreg CA\CRLDeltaPeriodUnits 0

Press Enter. The output of the above command is shown below.

To define the CRL Overlap Period Units and the CRL Overlap Period, run the following commands from an administrative command prompt:

    Certutil -setreg CA\CRLOverlapPeriodUnits 12

Press Enter. The output of the above command is shown below.

    Certutil -setreg CA\CRLOverlapPeriod "Hours"

Press Enter. The output of the above command is shown below.

Next, define the Validity Period Units for all certificates issued by this CA. In this lab, the Enterprise Issuing CA should receive a 10 year lifetime for its CA certificate. To configure this, run the following commands from an administrative command prompt:

    Certutil -setreg CA\ValidityPeriodUnits 10

Press Enter. The output of the above command is shown below.

    Certutil -setreg CA\ValidityPeriod "Years"

Press Enter. The output of the above command is shown below.

Note: You can confirm all these 8 settings that you have just set on the Standalone Offline Root CA by using CertUtil -getreg (and querying the appropriate setting, for example Certutil -getreg CA\CRLPeriod), or simply browse the registry using RegEdit to the following address:

    HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\windows noob Root CA

You can see those values highlighted in the screenshot below.

Can the above all be done with PowerShell ? yup, and I'll add the commands later, check back for that.

Step 2. Enable Auditing on the Standalone Offline Root CA

Note: You cannot configure these settings via Group Policy as the Standalone Offline Root CA should not be connected to any Domain and is Offline (disconnected from the network).

Auditing is the ability to log successful or failed attempts when performing certain actions, and as the Standalone Offline Root CA is an important security resource, you want to enable auditing. To enable auditing on the Standalone Offline Root CA click Start, select Administrative Tools, and then select Local Security Policy. Expand Local Policies and then select Audit Policy. Double click Audit Object Access and then select Success and Failure then click OK (2). After configuring this, you'll see the following.

To enable auditing for the CA you can select which group of events to audit in the Certificate Authority MMC snap-in or by configuring the AuditFilter registry key setting. To configure Auditing for all CA related events, run the following command from an administrative command prompt:

    Certutil -setreg CA\AuditFilter 127

Press Enter. The output of the above command is shown below.

Step 3. Configure the AIA

There are multiple different methods for configuring the Authority Information Access (AIA) and certificate revocation list distribution point (CDP) locations. You can use the user interface (in the Properties of the CA object), the certutil command, or directly edit the registry. The Authority Information Access (AIA) is used to point to the public key for the certification authority (CA).

Use certutil to configure the AIA with the following three locations on the Standalone Offline Root CA:

Static file system
LDAP (Lightweight Directory Access Protocol)
HTTP

Note: Edit the command below to use your public facing HTTP web server address, I'm using http://pki.windows-noob.com, you should use your own address.

Open an administrative command prompt and do as follows:

    certutil -setreg CA\CACertPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n2:http://pki.windows-noob.com/CertEnroll/%1_%3%4.crt"

Press Enter. The output of the above command is shown below.

To confirm the output you can issue the following command:

    certutil -getreg CA\CACertPublicationURLs

Press Enter. The output of the above command is shown below.

If you look in the registry, under the following path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\windows noob Root CA, you can confirm the CACertPublicationURLs by opening that REG_MULTI_SZ value. You should see the following:

    1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt
    2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11
    2:http://pki.windows-noob.com/CertEnroll/%1_%3%4.crt

as shown in the screenshot below.

You can also see this in the Certification Authority console (certsrv). To open the console, click Start, click Administrative Tools, and then click Certification Authority. In the navigation pane, expand the Certificate Authority (Local). Right-click windows noob Root CA and then click Properties. On the Extensions tab, under Select extension, click Authority Information Access (AIA) and you will see the graphical representation of the AIA settings that you've just configured using certutil.

In the above step, you have used the following three different methods to confirm the specified settings:

certutil
registry
certsrv.msc

Step 4. Configure the CDP

The CDP is where the certificate revocation list is maintained, which allows client computers to determine if a certificate has been revoked. Use certutil to configure the Certificate revocation list Distribution Point (CDP) with the following four locations on the Standalone Offline Root CA:

Static file system
LDAP (Lightweight Directory Access Protocol)
HTTP
File system

The file system location (4th option) that you will set will allow the CRL to be copied over the network to the web server (webserver), which is why we earlier allowed the Cert Publishers group access to the share and folder. All CAs are members of the Cert Publishers group, so we effectively allowed all CAs to copy to the CertEnroll folder on the webserver computer. You may wish to grant a specific group rights to access this share instead, it's up to you.

Note: Edit the command below to use your public facing HTTP web server address, I'm using http://pki.windows-noob.com, you should use your own address.

    certutil -setreg CA\CRLPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n2:http://pki.windows-noob.com/CertEnroll/%3%8%9.crl"

Press Enter. The output of the above command is shown below.

After you run that command, run the following certutil command to verify your settings:

    certutil -getreg CA\CRLPublicationURLs

Press Enter. The output of the above command is shown below.

You can also verify it in the following registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\windows noob Root CA and in CertSrv.msc.

Step 5. Restart the CertSvc service

On the Standalone Offline Root CA, open an Administrative command prompt and type PowerShell. In the PowerShell command prompt issue the following command:

    Restart-Service certsvc

Press Enter. The output of the above command is shown below.

Step 6. Publish the CRL

On the Standalone Offline Root CA, open an Administrative command prompt and type PowerShell. In the PowerShell command prompt issue the following command:

    certutil -crl

Press Enter. The output of the above command is shown below.

That's it for this part, please continue to Part 5 where you will Install the Enterprise Issuing CA.

Recommended reading

(1) - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
(2) - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc776774(v=ws.10)
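The guide confirms each setting one at a time with certutil -getreg, RegEdit and certsrv.msc. As an added example (not part of the original guide or its scripts), the PowerShell below reads the same values back from the CA's registry key in one pass and reports any that differ from the lab values set in this part. The expected values, the three flag descriptions (bits 1, 2 and 8 only) and the local-path check are this example's assumptions about what to verify.

```powershell
# Added example, not part of the original guide. Run in an elevated PowerShell
# session on the Standalone Offline Root CA after completing Steps 1 to 5.
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# The "Active" value names the CA hosted on this machine, so the script does
# not depend on how the CA name is typed.
$caName = (Get-ItemProperty -LiteralPath $cfgRoot -Name Active -ErrorAction Stop).Active
$ca     = Get-ItemProperty -LiteralPath (Join-Path $cfgRoot $caName) -ErrorAction Stop

# Values set with "certutil -setreg" in Steps 1 and 2 of this part.
# DSConfigDN is the lab's value; change it to match your own forest.
$expected = [ordered]@{
    DSConfigDN            = 'CN=Configuration,DC=windowsnoob,DC=lab,DC=local'
    CRLPeriodUnits        = 52
    CRLPeriod             = 'Weeks'
    CRLDeltaPeriodUnits   = 0        # 0 means no delta CRLs are published
    CRLOverlapPeriodUnits = 12
    CRLOverlapPeriod      = 'Hours'
    ValidityPeriodUnits   = 10
    ValidityPeriod        = 'Years'
    AuditFilter           = 127
}

$settings = foreach ($e in $expected.GetEnumerator()) {
    [pscustomobject]@{
        Setting  = $e.Key
        Expected = $e.Value
        Actual   = $ca.($e.Key)
        Match    = ($ca.($e.Key) -eq $e.Value)
    }
}

# AuditFilter is a bitmask; 127 enables all seven CA audit event groups.
$auditBits = [ordered]@{
    'Start and stop AD CS'                  = 1
    'Back up and restore the CA database'   = 2
    'Issue and manage certificate requests' = 4
    'Revoke certificates and publish CRLs'  = 8
    'Change CA security settings'           = 16
    'Store and retrieve archived keys'      = 32
    'Change CA configuration'               = 64
}
$auditMissing = @($auditBits.GetEnumerator() |
    Where-Object { -not ($ca.AuditFilter -band $_.Value) } |
    ForEach-Object { $_.Key })

# The number before each publication URL is also a bitmask. Only the bits
# used in this guide (1, 2 and 10 = 8 + 2) are described here.
$urlBits = [ordered]@{
    'CA publishes to this location'   = 1
    'embedded in issued certificates' = 2
    'embedded in CRLs'                = 8
}

function ConvertFrom-PublicationUrl {
    param([string[]]$Entries, [string]$Kind)
    foreach ($entry in $Entries) {
        if ($entry -notmatch '^(\d+):(.+)$') { continue }
        $flags = [int]$Matches[1]
        $url   = $Matches[2]
        $set   = @($urlBits.GetEnumerator() |
            Where-Object { $flags -band $_.Value } |
            ForEach-Object { $_.Key })
        [pscustomobject]@{
            Kind     = $Kind
            Flags    = $flags
            Meaning  = $set -join ', '
            Location = $url
            # A local drive path written into issued certificates cannot be
            # reached by clients, least of all on a CA that is kept offline.
            UnreachableInCerts = [bool](($flags -band 2) -and ($url -match '^[A-Za-z]:\\'))
        }
    }
}

$urls = @(
    ConvertFrom-PublicationUrl -Entries $ca.CACertPublicationURLs -Kind 'AIA'
    ConvertFrom-PublicationUrl -Entries $ca.CRLPublicationURLs    -Kind 'CDP'
)

$settings | Format-Table -AutoSize
$urls     | Format-List

$mismatches = @($settings | Where-Object { -not $_.Match })
$badUrls    = @($urls | Where-Object { $_.UnreachableInCerts })

if ($auditMissing.Count) {
    Write-Warning ("AuditFilter does not cover: " + ($auditMissing -join '; '))
}
if ($mismatches.Count -or $badUrls.Count -or $auditMissing.Count) {
    Write-Warning "CA '$caName' differs from the values configured in this part."
} else {
    "CA '$caName': all checked settings match the values configured in this part."
}
```

Changes made with certutil -setreg only take effect after the CertSvc restart in Step 5, so run the check after that step and before publishing the CRL in Step 6.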
  7. hi Thomas, i guess you missed the start of the blog post ? here it is again...I've also added a hard link to part 5 at the end of this blog post, thanks This series is comprised of different parts, listed below. Part 1 - Introduction and server setup Part 2 - Install and do initial configuration on the Standalone Offline Root CA Part 3 - Prepare the HTTP Web server for CDP and AIA Publication Part 4 - Post configuration on the Standalone Offline Root CA (this part) Part 5 - Installing the Enterprise Issuing CA Part 6 - Perform post installation tasks on the Issuing CA Part 7 - Install and configure the OCSP Responder role service Part 8 - Configure AutoEnroll and Verify PKI health
  8. This multi-part guide will show you how to install the latest baseline version of Configuration Manager from Microsoft. The latest available baseline version is System Center Configuration Manager (Current Branch) version 1802 as of March 29th 2018. How can I install System Center Configuration Manager (Current Branch) version 1802 on Windows Server 2016 with SQL Server 2017 – Part 1 How can I install System Center Configuration Manager (Current Branch) version 1802 on Windows Server 2016 with SQL Server 2017 – Part 2 How can I install System Center Configuration Manager (Current Branch) version 1802 on Windows Server 2016 with SQL Server 2017 – Part 3 How can I install System Center Configuration Manager (Current Branch) version 1802 on Windows Server 2016 with SQL Server 2017 – Part 4 You can use this multi-part guide to get a hierarchy up and running on Windows Server 2016 using SQL Server 2017. The concept behind this is to guide you through all the steps necessary to get a working Configuration Manager Primary site installed using manual methods or automating it by using PowerShell. This gives you the power to automate the bits that you want to automate, while allowing you to manually do other tasks when needed. You decide which path to take. PowerShell knowledge is desired and dare I say required if you are in any way serious about Configuration Manager. I will show you how to do most steps via two methods shown below, it’s up to you to choose which method suits you best but I highly recommend automating everything that you can (if possible), using PowerShell. Method #1 – Do it manually Method #2 – Automate it with PowerShell In Part 1, you configured Active Directory Domain Services (ADDS) on AD01, then joined the Configuration Manager primary server (CM01) to the newly created domain. You then created users, usergroups and OU's in Active Directory and created the System Management Container. 
Finally you delegated permission to the Configuration Manager server to the System Management container. In Part 2, you configured Windows Server 2016 roles and features on the Configuration Manager primary server (CM01) and then you downloaded and installed Windows ADK 1709. Next you installed SQL Server 2017 CU5 with SQL Server Management Studio (SSMS) and Reporting Services before installing the WSUS role which uses SQL to store the SUSDB instead of the Windows Internal Database (WID). In this Part, you will download and extract the ConfigMgr content, you'll download the ConfigMgr prerequisites and then you'll extend the Active Directory schema before installing System Center Configuration Manager (Current Branch) version 1802. Step 1. Download and extract the ConfigMgr content Before installing System Center Configuration Manager version 1802 you'll need to download the content as it is a baseline version. You can download baseline versions of the ConfigMgr media from Microsoft's Volume licensing Service Center (VLSC) site for use in production or from MSDN (or the Microsoft Evaluation site) for use in a lab. The VLSC download can be found by searching for Config and then selecting System Center Config Mgr (current branch and LTSB) as shown below. Once you've downloaded the ISO, mount it using Windows File Explorer and copy the contents to somewhere useful like C:\Source\SCCM1802 on the Configuration Manager server. Step 2. Download the ConfigMgr Prerequisites Note: Perform the following on the Configuration Manager server (CM01) as a Local Administrator You can download the prerequisites during ConfigMgr setup or in advance. As you'll probably want to install more than one copy of ConfigMgr (one lab, one production) it's nice to have the prerequisites downloaded in advance. 
Method #1 – Do it manually To do that, open an administrative PowerShell command prompt and navigate to the following folder: C:\Source\SCCM1802\smssetup\bin\X64 Run the following line .\SetupDL.exe C:\Source\SCCM_Prerequisites Once the process is complete you can open C:\ConfigMgrSetup.log with CMTrace (or notepad) to verify the status of the download. Note: You can find the CMTrace executable in the SMSSetup Tools folder in the location that you extracted the ConfigMgr media, eg: C:\Source\SCCM1802\SMSSETUP\TOOLS. Method #2 – Automate it with PowerShell To automate the download of the prerequisites simply follow the instructions and run the Install SCCM Current Branch version 1802.ps1 Powershell script in Step 4 or use the Download SCCM prerequisite files.ps1. Step 3. Extend the Schema Note: Perform the following on the Domain controller server (AD01) as Administrator. You do not have to extend the Active Directory schema if it was already extended for Configuration Manager previously. Method #1 – Do it manually To do that, on the Active Directory domain controller (AD01), open Windows File Explorer and browse to the network path of the ConfigMgr server where you've copied the SCCM source, eg: \\cm01\c$\Source\SCCM1802\SMSSETUP\BIN\X64 In that folder, locate extadsch.exe and right click, choose Run as Administrator. After the schema has been extended for SCCM, you can open C:\ExtAdsch.log on the root of C:\ on the server you are performing this on, and review the success or failure of that action. Method #2 – Automate it with PowerShell To automate extending the schema, use the Extend the Schema in AD.ps1 PowerShell script. Run the script on the CM01 server using credentials that have the ability to extend the schema. Step 4. Install SCCM Current Branch (version 1802) Note: Perform the following on the ConfigMgr server (CM01) as Administrator. 
Method #1 – Do it manually To do that, on the Configuration Manager server (CM01), open Windows File Explorer and browse to the network path of the ConfigMgr server where you've copied the SCCM source, eg: C:\Source\SCCM1802\ In that folder, double click on splash.hta. The Installer appears, click on Install. At the Before You Begin screen click Next. In the Available Setup Options screen, place a checkbox in "Use typical Installation options for a stand alone primary site" When prompted if you want to continue click Yes. On the Product Key screen enter your Key (or choose the eval option), and set the Software Assurance Date (optional) On the Product License Terms screen, select the 3 available options and click Next. On the Prerequisite Downloads screen, select the first option and specify C:\Source\SCCM_Prerequisites as the folder to download the prerequisite files. Click Next to start the download. On the Site and Installation Settings screen, enter your chosen site code (eg: P01), your site name and the path where you want to install ConfigMgr. On the Diagnostics and Usage data screen, click Next. On the Service Connection Point Setup screen, enter your choices and click Next. On the Settings Summary, review your choices and when happy with them click Next. On the Prerequisite Check screen click Begin Install when ready. During the installation, click on View Log (opens C:\ConfigmgrSetup.log) to review the installation progress using CMTrace and when the installation is done, click Close. Method #2 – Automate it with PowerShell To automate the installation of ConfigMgr 1802 (including all the previous steps above), simply run the Install SCCM Current Branch version 1802.ps1 PowerShell script. Run the script on the CM01 server and when prompted to extend the schema, enter your choice (yes or no) and if you choose to extend the schema, provide suitable credentials when prompted. 
Once done with the schema extension, the installation will continue (as shown below). and once installed you can launch the console. Success ! Summary In this 3 part guide you used quite a bit of PowerShell to automate pretty much most of Installing System Center Configuration Manager Current Branch (version 1802), including installing and configuring SQL Server 2017 on Windows Server 2016. Doing it with PowerShell means you can safely say that you've got a handle on Automation using PowerShell. I hope you learned a lot from doing it this way, and until next time, adios ! Downloads The scripts used in this guide are available for download here. Unzip to C:\Scripts on both servers. The scripts are placed in the corresponding folder (Part 1, Part 2 etc) and sorted into which server you should run the script on (AD01 or CM01). Scripts.zip
  9. Normally you would want to automate building your reference image using Configuration Manager or MDT or a mixture of both. So if for example you want to capture a reference image you could do so using a fully automated Build and Capture task sequence in System Center 2012 R2 Configuration Manager. In this post however, I'll explain how you can capture an image manually. Configuration Manager 2012 provides a method of doing just that called Capture Media. This media is created as an ISO file which you burn directly to CD/DVD or mount in a virtual machine and use.

But first you need to make sure that the image you want to capture is in the right state, listed below:

workgroup joined

In order for the image to be captured the computer must be a member of a Workgroup. In other words, the machine you want to capture the image from must not be joined to a domain.

Tip: It's recommended that you build your master image without joining a domain, as domain join can impact an image and make troubleshooting problems that occur later on harder. Settings get applied when you join a domain: Group Policies are set, software may be installed, registry keys might be changed. Keeping a computer off the domain before capturing it eliminates these and other potential issues.

I'd recommend you use Virtual Machines (Hyperv, Vmware Workstation) or whatever virtual software you like to create the 'image' you want to capture.

Step 1. Create the Capture Media

Perform the following on the Configuration Manager server as a SMSadmin.

Open the ConfigMgr console, click on Software Library, Operating Systems, expand Task Sequences. In the ribbon click on Create Task Sequence Media.

When the Create Task Sequence Media wizard appears click on Capture Media.

Click next and browse to the path of where you want to store the ISO file, give it a name like capture_media.iso.

Click next, then click on browse beside boot image and select your X86 boot image.

Note: if you are trying to capture x64 UEFI hardware such as the Microsoft Surface Pro 3, you must use a x64 boot wim.

Click ok, then click on Browse beside Distribution Point and select your distribution point.

Now your selected boot image and distribution point are listed, click next to continue through the wizard. If you get a UAC prompt accept it.

Finally the media is done ! If you need to troubleshoot its creation look at the CreateTSMedia.log file in your confmgr LOGS dir. (D:\Program Files\Microsoft Configuration Manager\AdminConsole\AdminUILog)

Step 2. Remove the Configuration Manager client if installed

Run Ccmsetup.exe /uninstall from the C:\Windows\CCMsetup folder, you can monitor the CCMSetup.log file to verify it uninstalls successfully as shown below.

Once done remove the following:

delete any logs and files left behind in the ccmsetup and ccm folders
delete c:\windows\smscfg.ini
delete the two SMS certs for the local computer in CertMgr.Msc

Step 3. While in Windows, start the ISO/CD/DVD on the Workgroup Computer

Perform the following on the computer which you want to capture an image of as a local administrator.

If you are using virtual hardware (hyperv or vmware) just mount the ISO on your workgroup computer (click on Media, Insert Disc, browse to the ISO location), otherwise burn the ISO to cd/dvd and insert that burned cd/dvd into the computer you need to capture.

While still in Windows (do not try to boot from this ISO/CD/DVD) you should see the following. Click on Run TSMBAutorun.exe.

Welcome to the Image Capture Wizard appears, click next.

Enter a path and name for the WIM file, I chose \\sccm\sources\os\captures\captured.wim and then enter the credentials of a user with permissions to write to that location.

Enter some Image Information.

Review the summary and click finish to start the capture process, notice how it prepares the config manager client and then it syspreps before rebooting into Windows PE to capture the system.

And the capture begins ! Success ! All done, the image is captured.

Troubleshooting Tips:

If there is no CCM client installed, check for the SMSTS.log file in C:\Users\Administrator\AppData\Local\Temp\

If you have the CCM client installed and you see an error in SMSTS.log (probably in C:\Windows\CCM\Logs or C:\Windows\SysWow64\CCM\logs) which states Waiting for CCMExec service to be fully available, locate the SMS Agent Host service in services.msc and start the service.

If you get the following error after inputting the Capture path and Network credentials "The network location cannot be reached. For information about network troubleshooting, see Windows Help. (Error: 800704CF; Source: Windows)" then verify you entered the credentials correctly. In addition you can test mapping a network drive using the same path and same credentials; if it fails, reboot the computer and try the wizard again.
  10. hi at the bottom of each post it links to the next in the series. Did you miss that ? fyi, all the Current Branch content I've written is listed here in chronological order https://www.windows-noob.com/forums/topic/13288-step-by-step-guides-system-center-configuration-manager-current-branch-and-technical-preview/ here are the 4 parts of this series How can I install System Center Configuration Manager (Current Branch) version 1802 on Windows Server 2016 with SQL Server 2017 – Part 1 How can I install System Center Configuration Manager (Current Branch) version 1802 on Windows Server 2016 with SQL Server 2017 – Part 2 How can I install System Center Configuration Manager (Current Branch) version 1802 on Windows Server 2016 with SQL Server 2017 – Part 3 How can I install System Center Configuration Manager (Current Branch) version 1802 on Windows Server 2016 with SQL Server 2017 – Part 4 I will edit the posts to link to all 4 parts.
  11. This multi-part guide will show you how to install the latest baseline version of Configuration Manager from Microsoft. The latest available baseline version is System Center Configuration Manager (Current Branch) version 1802 as of March 29th 2018. How can I install System Center Configuration Manager (Current Branch) version 1802 on Windows Server 2016 with SQL Server 2017 – Part 1 How can I install System Center Configuration Manager (Current Branch) version 1802 on Windows Server 2016 with SQL Server 2017 – Part 2 How can I install System Center Configuration Manager (Current Branch) version 1802 on Windows Server 2016 with SQL Server 2017 – Part 3 How can I install System Center Configuration Manager (Current Branch) version 1802 on Windows Server 2016 with SQL Server 2017 – Part 4 You can use this multi-part guide to get a hierarchy up and running on Windows Server 2016 using SQL Server 2017. The concept behind this is to guide you through all the steps necessary to get a working Configuration Manager Primary site installed (for lab use) using manual methods or automated using PowerShell. This gives you the power to automate the bits that you want to automate, while allowing you to manually do other tasks when needed. You decide which path to take. PowerShell knowledge is desired and dare I say required if you are in any way serious about Configuration Manager. I will show you how to do most steps via two methods shown below, it’s up to you to choose which method suits you best but I highly recommend automating everything that you can, using PowerShell. Method #1 – Do it manually Method #2 – Automate it with PowerShell In Part 1, you configured Active Directory Domain Services (ADDS) on AD01, then joined the Configuration Manager server (CM01) to the newly created domain. You then created users, usergroups and OU's in Active Directory and created the System Management Container. 
Finally you delegated permission to the Configuration Manager server to the System Management container. Step 1. Install Roles and Features on CM01 Note: Perform the following on the Configuration Manager server (CM01) as a Local Administrator To support various features in System Center Configuration Manager, the setup wizard requires some server roles and features preinstalled. On CM01, login as the username you added to the Local Administrators group and start Server Manager. Method #1 - Do it manually The role and feature requirements for ConfigMgr are listed here https://docs.microsoft.com/en-us/sccm/core/plan-design/configs/site-and-site-system-prerequisites. On CM01, login as a user with administrative permissions on the server. Start Server Manager. Click on Add roles and features, on the Before you begin page click Next Choose Role-based or feature-based installation In the Server Selection screen verify CM01.windowsnoob.lab.local is selected and click Next On the Server Roles screen select Web Service (IIS) and when prompted to add features for Web Server (IIS) click on Add Features Click Next and on the Features screen select the .NET Framework 3.5 (includes .NET 2.0 and 3.0) feature Expand the .NET Framework 4.6 Features and select HTTP Activation under WCF Services, answer Add Features when prompted. 
Select Message Queuing (MSMQ) Activation and when prompted select Add Features. Select Named Pipe Activation and TCP Activation, and under Background Intelligent Transfer Service (BITS) select IIS Server Extension; when prompted to add features click on Add Features. Scroll down and select Remote Differential Compression. Click Next and on the Web Server Role (IIS) screen click Next. On the Select Role Services screen verify that the following are selected. Click Next and point to the Installation Source by clicking on Specify an alternate source path. Enter the path to the media, e.g. E:\Sources\SxS. Click Install when ready; at this point you could export configuration settings for later automation. Click on Close when the feature installation has succeeded. Method #2 - Automate it with PowerShell Note: Make sure your Server 2016 media is in the drive specified in the script or edit the script to point to the new location of the media. To install the roles and features needed, start Windows PowerShell ISE as a user with administrative permissions on the server, edit the variables as appropriate and run the install roles and features.ps1 script. The script will automatically stop and prompt you to correct things if it cannot find the XML file or the Windows Server 2016 installation media. 1. Extract the scripts to C:\Scripts on CM01 and load the install roles and features.ps1 script located in C:\Scripts\Part 2\CM01 2. Edit the variables (lines 18-19) as desired before running. 3. Start Windows PowerShell ISE as Administrator and run the script by clicking on the green triangle. Step 2. Download and install Windows ADK and install WDS Note: Perform the following on the Configuration Manager server (CM01) as a Local Administrator When you deploy operating systems with Configuration Manager, the Windows ADK is an external dependency that is required. 
The ConfigMgr prerequisite checker will check for various things, including ADK components such as USMT and Windows Preinstallation Environment (among others), therefore you need to install Windows ADK on your server. System Center Configuration Manager version 1802 supports Windows ADK 1709 as I've explained here. Method #1 - Do it manually Go to this link and download ADK 1709. You'll be prompted to save or run ADKSETUP.EXE, select Run. When prompted for the path, accept the defaults...(or change it to something else if you wish) Select your privacy settings Accept the ADK EULA Make sure to have selected at least the following ADK features Deployment Tools Windows Preinstallation Environment (Windows PE) Imaging and Configuration Designer (ICD) Configuration Designer User State Migration tool (USMT) and click Install to start the download and Installation of the Windows ADK, version 1709. Once the ADK installation is complete, click Close. To install WDS, open Server Manager, select Add roles and features and select the Windows Deployment Services role. When prompted click on Add Features to include management tools. and click through the wizard until completion, close the wizard when done. Method #2 - Automate it with PowerShell To download and then install Windows ADK 10 version 1709 with the components needed for ConfigMgr, start Windows Powershell ISE as Administrator and run the setup ADK and WDS.ps1 script. This script not only downloads and installs ADK 1709, but it installs the Windows Deployment Services role. Tip: If you've already downloaded ADK 1709 and want to save yourself some time, copy the Windows Kits folder and all files/folders within to the source folder (eg: C:\Source\Windows Kits) and the script will skip the download. 1. Extract the scripts to C:\Scripts on CM01 and load the setup ADK and WDS.ps1 script located in C:\Scripts\Part 2\CM01 2. Edit the variable (line 17) as desired before running. 3. 
Start Windows PowerShell ISE as Administrator and run the script by clicking on the green triangle. Step 3. Install SQL Server 2017 Note: Perform the following on the Configuration Manager server (CM01) as a Local Administrator Method #1 - Do it manually Configure the firewall as described in https://go.microsoft.com/fwlink/?linkid=94001. After configuring the firewall, browse to the drive where the SQL Server 2017 media is, and run setup.exe. The SQL Server Installation Center wizard will appear. Click on Installation and then choose New SQL Server standalone installation or add features to an existing installation. Enter the Product Key or use the evaluation version if that's what you want to use. The product key will be automatically filled in for licensed media downloaded from Microsoft Volume Licensing Service Center. Accept the EULA Make your Microsoft Update choices and review your Install rules, select the SQL server instance features you need and if necessary change the drive letter where you intend to install it And configure the Instance Configuration or just leave it as default Verify the Service Accounts settings and for Collation, make sure the collation is set to SQL_Latin1_General_CP1_CI_AS For Server Configuration, click on Add Current User After configuring Data Directories, TempDB and Filestream settings you are Ready to Install Click on Install to start the installation of SQL Server 2017, and once it's completed, click Close. After installing SQL Server 2017, download SQL Server 2017 SSMS from here and install it. Method #2 - Automate it with PowerShell Note: Make sure your SQL Server 2017 media is in the drive specified in the script or edit the script to point to the new location of the media. The script and accompanying INI file have the path pointing at D:\Program Files, please change the variables as appropriate. To install SQL Server 2017 use the Install SQL Server 2017.ps1 script. 
The script will create a ConfigurationFile.ini used to automate the installation of SQL Server 2017, and after it's installed the script will download the SSMS executable (Management Studio) and install it. Then it will download Reporting Services and install it. If either of the EXE's are in the download folder, it will skip the download and just install. SQL Server no longer comes with the Management Studio or Reporting Services built in, and they are offered as separate downloads, don't worry though, my PowerShell script takes care of that for you. 1. Extract the scripts to C:\Scripts on CM01 and load the Install SQL Server 2017.ps1 script located in C:\Scripts\Part 2\CM01 2. Edit the variables [lines 17-76] as desired before running. 3. Start Windows PowerShell ISE as Administrator and run the script by clicking on the green triangle. Step 4. Restart the Configuration Manager Primary Server Note: Perform the following on the Configuration Manager server (CM01) as a Local Administrator Open an administrative command prompt and issue the following command: shutdown /r Step 5. Install the WSUS role Note: Perform the following on the Configuration Manager server (CM01) as a Local Administrator Now that SQL server is installed, we can utilize SQL Server for the WSUS database. To install WSUS and configure it to use the SQL server database instead of the Windows Internal Database, do as follows: Method #1 - Do it manually Using Roles and Features in Server Manager, add the Windows Server Update Services role. When prompted to add features for the WSUS role, click on Add features. When prompted for the Role Services, uncheck WID Connectivity and add SQL Server Connectivity instead. When prompted for Content location, enter a valid path When prompted for Database Instance Selection, enter the server name and click on Check Connection On the Confirm Installation Selections screen, click on Install. and finally click close. 
After installing the WSUS role, in Server Manager, click on the yellow exclamation mark and choose Launch Post Installation Tasks. When the tasks are completed Optional: The WSUS database (SUSDB) can be observed using SQL Server SSMS. Method #2 - Automate it with PowerShell Browse to the location where you extracted the scripts, C:\scripts. Start Windows PowerShell ISE as administrator, open the Install roles and features_WSUS.ps1 script, edit the $servername variable and replace CM01 with the ServerName you are installing ConfigMgr on (SQL server). Note: Make sure to have your Windows Server 2016 media in the path referred to by $Sourcefiles. 1. Extract the scripts to C:\Scripts on CM01 and load the Install roles and features_WSUS.ps1 script located in C:\Scripts\Part 2\CM01 2. Edit the variables [lines 22-25] as desired before running. 3. Start Windows PowerShell ISE as Administrator and run the script by clicking on the green triangle. Downloads The scripts used in this guide are available for download here. Unzip to C:\Scripts on both servers. The scripts are placed in the corresponding folder (Part 1, Part 2 etc) and sorted into which server you should run the script on (AD01 or CM01). Scripts.zip Summary Using PowerShell to automate things leaves more time for yourself and it's fun. Please join me in Part 3 of this multi-part guide when you will install System Center Configuration Manager version 1802 (Current Branch).
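The ADK and SQL Server scripts in this part install whatever installer is already present in the source or download folder and skip the download when it is. The check below is an added example, not one of the scripts in Scripts.zip: it confirms that every pre-staged installer carries a valid Authenticode signature from Microsoft before anything is run. The folder C:\Source and the function name Test-MicrosoftSignedInstaller are assumptions.

```powershell
# Added example (not part of the guide's Scripts.zip).
# Run on CM01 before the ADK / SQL Server setup scripts so that a pre-staged
# or previously downloaded installer is only executed if Microsoft signed it.

function Test-MicrosoftSignedInstaller {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path
    )

    $result = [pscustomobject]@{
        Path    = $Path
        Trusted = $false
        Status  = 'FileNotFound'
        Signer  = $null
        SHA256  = $null
    }
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $result }

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.Status = [string]$sig.Status
    # Record the hash so the exact binary that was approved can be traced later.
    $result.SHA256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($sig.SignerCertificate) {
        $result.Signer = $sig.SignerCertificate.Subject
    }

    # 'Valid' means the file hash matches the signature and the certificate
    # chain builds to a trusted root; the subject test pins the publisher.
    $isMicrosoft = $result.Signer -match '(^|,\s*)O=Microsoft Corporation(,|$)'
    $result.Trusted = ($sig.Status -eq 'Valid') -and $isMicrosoft
    return $result
}

# Assumption: installers (adksetup.exe, the Windows Kits folder, the SSMS and
# Reporting Services executables) are staged under this folder.
$SourceFolder = 'C:\Source'

$report = @(
    Get-ChildItem -Path $SourceFolder -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.msi' } |
        ForEach-Object { Test-MicrosoftSignedInstaller -Path $_.FullName }
)

$report | Format-Table Trusted, Status, Path -AutoSize

$untrusted = @($report | Where-Object { -not $_.Trusted })
if ($untrusted.Count -gt 0) {
    # Stop here: an unsigned, tampered or third-party binary is in the folder.
    $untrusted | Format-List Path, Status, Signer, SHA256
    throw "$($untrusted.Count) installer(s) under $SourceFolder failed signature validation."
}
Write-Host "All $($report.Count) installer(s) under $SourceFolder are validly signed by Microsoft."
```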
  12. Introduction At the start of this series of step by step guides you installed System Center Configuration Manager (Current Branch), then you configured discovery methods. Next you configured boundaries to get an understanding of how automatic site assignment and content location works. After that you learned how to update ConfigMgr with new features and fixes using a new ability called Updates and Servicing and you learned how to configure ConfigMgr to use Updates and Servicing in one of these two modes: Online mode Offline mode To prepare your environment for Windows 10 servicing (coming in a later guide) you learned how to setup Software Updates using an automated method (via a PowerShell script) or manually using the ConfigMgr console. Next you used a PowerShell script to prepare some device collections, then you configured client settings for your enterprise and finally you deployed the ConfigMgr client agent using the software updates method which is the least intensive method of deploying the Configuration Manager client agent. As System Center Configuration Manager (current branch) is being delivered as a service now, version 1602 was made available (March 11th, 2016) and you used Updates and Servicing to do an in-place upgrade to that version as explained here. The Upgrade Task Sequence In this guide you will learn about the Upgrade Task Sequence which is now built-in to System Center Configuration Manager (current branch). This new type of task sequence was initially offered as a download from Microsoft for System Center 2012 R2 SP1 Configuration Manager however that version lacked certain abilities (such as installing drivers). The Upgrade task sequence allows you to upgrade your Windows 7, Windows 8, Windows 8.1 computers (and even Windows 10) to the latest and greatest version of Windows 10. This is a new method of upgrading the operating system and it leaves the user's files and settings intact. 
The System Center Configuration Manager (current branch) Upgrade Task Sequence can even handle drivers in the task sequence which is definitely a useful feature. Note: In this Lab I've already upgraded the ADK version from 1507 to 1511, for details about how you can do that review Brandon's post here. In addition these boot wims are patched with KB3143760 and you can use Keith's PowerShell script to do it easily. Step 1. Create some ConfigMgr folders We need some folders created to store things that OSD requires (such as the operating system upgrade package) so let's use a PowerShell script to create them. Note: This script creates several custom folders used for OSD, many are not applicable to the Upgrade Task Sequence but I'm including them as they will be used later as part of this series. The script is available at the end of this post in the Downloads section. To use it simply edit any variables you deem necessary (such as domain, users and sources drive) and save your changes. Open the edited script in PowerShell ISE by starting it as Administrator and run the script by pressing on the green triangle. Some of the created folders are shown below. Step 2. Copy the Windows 10 media Before you get started with the upgrade task sequence you'll need a copy of Windows 10 media which you can download from MSDN or your Microsoft Volume License site. In this guide I'll use the latest version currently available and that is Windows 10 x64 version 1511. Once you've located a copy of this media copy the extracted contents of it to the following path (which was created by the PowerShell script above). \\cm01\Sources\OSD\OS\OSUpgradePackages\Windows10x64\1511 as shown below Step 3. Add Windows 10 as an operating system upgrade package To add Windows 10 version 1511 as an operating system upgrade package do as follows. In the Configuration Manager console, click Software Library and expand Operating Systems then click Operating System upgrade packages. 
Right click on Operating System upgrade packages and choose Add Operating System upgrade package. When the wizard appears fill in the path to the media and click on next fill in some details about the Windows 10 image, and include the version as you'll need to re-do this process every 6 months or so. continue through the wizard until completion. Note: To make the image available on the network, distribute it to your distribution points by right-clicking and choose Distribute Content. Step 4. Optionally add software updates to the Windows 10 upgrade package Cumulative updates are released for Windows 10 regularly, and the latest available cumulative update for Windows 10 version 1511 at the time of writing is KB3140743. To make this update available for servicing search for it in Software Updates as shown below. I won't go into too many details of making the update available but in a nutshell what i did was as follows: Synchronize Software Updates create folder structure to store update package (\\cm01\sources\updates\windows10) create a Software Update Group from the matching architecture (x64) Cumulative Update above and deploy it to the SUM Windows 10 CB collection While the above worked for me, all you should have to do is: Synchronize Software Updates Select one or more updates and download them Once done, right click on the Windows 10 upgrade package and choose Schedule Updates after a few moments you should see any updates you've made available and you can select the update you wish to apply or deselect any you don't want applied Next, select a schedule that applies to your environment remembering that distribution of the patched wim can consume network resources so perhaps a custom schedule during off-business hours would be useful and click next through completion. At this point you can monitor the OfflineServicingMgr.log file available in <ConfigMgr Installation Path>\Logs by opening it in CMTrace to get details of the actual patching of the wim file. 
After some time it will check all available updates that you made available to see if they are applicable or not, each update will have an Applicability State which can be listed as any of the following:- NOT_REQUIRED INSTALLED APPLICABLE APPLICABILITY_CHECK_NOT_SUPPORTED The Schedule Updates process will then commit those changes, you should verify that all is well in the OfflineServicingMgr.log file before continuing with this guide. Note: In addition to committing the changes the process then creates a backup copy of the original WIM file (with a file extension of .bak). The path to the backup file is included in the log. Below is a sample: Original image '\\cm01\Sources\OSD\OS\OSUpgradePackages\Windows10x64\1511\sources\install.wim' is backed up at '\\cm01\Sources\OSD\OS\OSUpgradePackages\Windows10x64\1511\sources\install.wim.bak' To verify that the Schedule Updates process was successful look for a line which states Schedule processing succeeded, this notifies you that all is done with the patching of the WIM file. Step 5. Create a task sequence to upgrade an operating system Now we are ready to create the actual task sequence, to do so in the ConfigMgr console do as follows: Click Software Library and expand Operating Systems, click Task Sequences. Right click and choose Create Task Sequence to start the Create Task Sequence Wizard. 
When the wizard appears select Upgrade an operating system from upgrade package from the list of available options as shown below: Give the task sequence a suitable name like Upgrade to Windows 10 x64 version 1511. On the Select an Operating system upgrade package step click on Browse and select the Operating System Upgrade Package added (and patched) earlier, enter a product key if necessary for your version of Windows, choose your software update options, add any applications you want installed and continue through to completion. Once created, right click on the task sequence and choose Edit, observe the Check readiness for upgrade step and next review the Upgrade Operating System step, note all the options it provides. If you choose the option to Perform Windows Setup compatibility scan without starting upgrade then the task sequence will use a /Compat {IgnoreWarning | ScanOnly} option with Windows Setup and set a read-only task sequence variable called _SMSTSOSUpgradeActionReturnCode with the Windows Setup error code as shown in the example below: This could be useful if you create a PowerShell script to parse the errors and log them somewhere, for example in order to determine if a collection of computers is really ready for Windows 10. The downside is they have to go through the download of the operating system, which takes time and disk space, before actually running this step. Step 6. Add drivers to the task sequence Note: This post will not cover importing drivers into ConfigMgr, if you want to do that please refer to this post (step 2 and onwards) for a PowerShell script and manual methods to add drivers to ConfigMgr. 
To add driver support in the Upgrade Task Sequence for models you intend to upgrade, do as follows: In the Upgrade Operating System group add a new step called Download Package Content And give it a suitable name such as Windows 10 x64 - Microsoft HyperV depending on the hardware model you intend to support, Click on the yellow starburst and select a previously created driver package applicable to this model In the Place into the following location section choose the following: Custom Path = C:\Drivers Save path as variable = Drivers On the options tab select Add Condition, choose WMI Query and enter a query to look for your chosen hardware To identify what the model of any computer is use Powershell with the following command Get-WmiObject Win32_Computersystem Apply the changes and repeat the above process for each and every model you intend to support Next select the Upgrade Operating System step and place a checkmark in Provide the following content to Windows Setup during Upgrade and then select Staged Content and enter the following variable %Drivers01% Step 7. Deploy the task sequence At this point you are ready to start testing the task sequence. Right click it and choose Deploy, this task sequence must run within Windows so whatever collection you use should be created with that in mind... for collection choose OSD Deploy and for purpose choose Available (required is really only for the brave..., give users choice !) continue through the wizard until completion Step 8. Review it in action Note: In Progress/screenshots coming shortly, please check back for updates ! 
After policy is received you'll see the following in Software Center click on it for more details and click on Install to start the Upgrade Task Sequence, notice the popup and the text contained within, if you are using the 'default' software center (old style) you'll see a different popup text shown below Note: I've raised a UserVoice on this point to allow us to change the text in the popup or hide it and the task sequence from software center, you can review that here and vote too ! click on Install Operating System to start the upgrade, and off it goes.... Use CMTrace to monitor the deployment live, the log file you need to review is in C:\Windows\CCM\Logs\SMSTSLOG\smsts.log below you can see where it uses the %Drivers01% variable here's the upgrade step... and off it goes with the actual Upgrade to Windows 10 and after some time, it's completed ! Summary Microsoft continue to innovate, in System Center Configuration Manager Current Branch (version 1602) you can not only Upgrade your workstations to Windows 10 but you can ensure that they are patched with the latest available updates and installed with all applicable drivers. 
Related Reading A deeper look at the Upgrade task sequence in System Center Configuration Manager (Current Branch) Resolve Windows 10 upgrade errors How can I deal with languages in the Upgrade Task sequence using System Center Configuration Manager (Current Branch) Create a task sequence to upgrade an operating system in System Center Configuration Manager - https://technet.microsoft.com/en-us/library/mt613172.aspx Task sequence steps in System Center Configuration Manager - https://technet.microsoft.com/en-us/library/mt629396.aspx Manage operating system upgrade packages with System Center Configuration Manager - https://technet.microsoft.com/library/mt627916%28technet.10%29.aspx Technical details of the Windows 10 Upgrade process - https://www.sepago.com/blog/2016/05/18/windows-10-deployment-in-place-upgrade Windows 10 upgrade failure codes - https://support.microsoft.com/en-us/kb/3107983 Downloads You can download a Microsoft Word copy of this guide here dated 2016/03/31 How can I use the Upgrade Task Sequence in System Center Configuration Manager (current branch).zip You can download the PowerShell script used above here. CreateConfigMgrFolders.zip
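Step 5 above suggests a PowerShell script that parses the compatibility-scan result held in _SMSTSOSUpgradeActionReturnCode and logs it. The following is an added example of such a script, not code from the original guide: the result-code table comes from Microsoft's Windows Setup documentation rather than from this post, and the function name, log path and constructed sample value are assumptions.

```powershell
# Added example (not from the original guide). Run as a "Run PowerShell Script"
# step placed after the Upgrade Operating System step when that step is set to
# scan only. Translates the raw return code and appends it to a CSV log.

# Result codes Windows Setup returns for /Compat ScanOnly.
$CompatScanCodes = @{
    'C1900210' = 'No compatibility issues found'
    'C1900208' = 'Compatibility issue blocks the upgrade (hard block)'
    'C1900204' = 'Migration choice (auto upgrade) not available'
    'C1900200' = 'Device does not meet the requirements for Windows 10'
    'C190020E' = 'Not enough free disk space'
}

function ConvertTo-CompatScanResult {
    param(
        [Parameter(Mandatory)][string]$ReturnCode
    )

    # The value may arrive as unsigned decimal, signed decimal or 0x-prefixed
    # hex, so normalise all three to an 8-digit hex string.
    $text = $ReturnCode.Trim()
    [int64]$number = 0
    if ($text -match '^0x([0-9A-Fa-f]{1,8})$') {
        $number = [Convert]::ToInt64($Matches[1], 16)
    }
    elseif (-not [int64]::TryParse($text, [ref]$number)) {
        throw "Cannot parse return code '$ReturnCode'."
    }
    # Keep the low 32 bits (a signed negative value becomes its unsigned form).
    $hex = '{0:X8}' -f ($number -band [int64]4294967295)

    $meaning = $CompatScanCodes[$hex]
    if (-not $meaning) {
        $meaning = 'Unrecognised code; see the Windows 10 upgrade failure codes reference'
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Time     = (Get-Date).ToString('s')
        Code     = "0x$hex"
        Ready    = ($hex -eq 'C1900210')
        Meaning  = $meaning
    }
}

# Read the variable inside a task sequence. Outside one the COM object does not
# exist, so fall back to a constructed sample value (0xC1900210 in decimal).
try {
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment -ErrorAction Stop
    $raw   = $tsenv.Value('_SMSTSOSUpgradeActionReturnCode')
}
catch {
    $raw = '3247440400'   # constructed sample, not a real scan result
}

if ([string]::IsNullOrWhiteSpace($raw)) {
    throw '_SMSTSOSUpgradeActionReturnCode is empty: the compatibility scan has not run.'
}

# Assumption: a local CSV is enough here; point this at a share to collect
# results from a whole collection.
$LogFile = Join-Path $env:TEMP 'CompatScan.csv'

$result = ConvertTo-CompatScanResult -ReturnCode $raw
$result | Export-Csv -Path $LogFile -Append -NoTypeInformation
$result
```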
  13. Introduction At the start of this series of step by step guides you installed System Center Configuration Manager (Current Branch), then you configured discovery methods. Next you configured boundaries to get an understanding of how automatic site assignment and content location works. After that you learned how to update ConfigMgr with new features and fixes using a new ability called Updates and Servicing and you learned how to configure ConfigMgr to use Updates and Servicing in one of these two modes: Online mode Offline mode To prepare your environment for Windows 10 servicing (coming in a later guide) you learned how to setup Software Updates using an automated method (via a PowerShell script) or manually using the ConfigMgr console. In this post you'll use a PowerShell script to prepare some device collections, then you'll configure client settings for your enterprise and finally you'll deploy the ConfigMgr client agent using the software updates method which is the least intensive method of deploying the Configuration Manager client agent. Step 1. Create collections using PowerShell Note: Perform this step using an account with full administrative permissions on the ConfigMgr server. Collections are used to group together users or devices into one place in ConfigMgr. Collections can either be a user based or device based but not both. After installing a brand new ConfigMgr infrastructure by default there are a few device collections as shown below. Those collections are useful but it's a good idea to create collections that separate servers from workstations and to create collections used for Operating System Deployment (OSD) and Software Update Management (SUM). This script will create a simple structure for you that is easy to implement. Note: This script does not add any membership queries for the Software Update Management (SUM) collections, you can decide yourself how to populate them. 
For example you could create Active Directory Security Groups in AD and query for them, and later add computers to those security groups in order to populate the collections. Any ADSG that you create will in turn need to be discovered by your discovery methods in order for ConfigMgr to discover resources. To create some device collections using PowerShell, download the CreateDeviceCollections.ps1 contained in a zip file in the Downloads section at the bottom of this guide and extract it to C:\Temp. On CM01, start Windows PowerShell ISE as Administrator and open the CreateDeviceCollections.ps1 script. Edit any variables in the script to match your environment before proceeding (for example if you want to rename the collections or define what drive ConfigMgr is on). The variables are found lines 74-83 as shown below. Save any changes, then run the script by pressing F5 or clicking on the Green arrow. Below you can see the script has completed. and the new device collections are present in the ConfigMgr console (in Assets and Compliance, Device Collections). Step 2. Add site roles required for user based apps System Center Configuration Manager (Current Branch) comes with a lot of new features including a new Software Center which is capable of showing user as well as device targeted applications. However in order to show user apps in the new software center you need the back-end infrastructure to be in place and that means you need to install the following site roles: Application catalog web service point Application catalog website point To install the roles do as follows. In the ConfigMgr console expand Administration and click on Servers and Site System Roles and right click on the Primary Site Server (P01), choose Add Site System Roles. When the add site system roles wizard appears click next and select both the above roles and click next. 
In the specify settings for the application catalog web service point, stay with the defaults (these are what will be displayed in IIS Manager) and next specify settings for configuring IIS for this application catalog website point, these are the settings that control the URL your users will see, so you might want to configure it to something useful or just leave it as default as I have here: You can customize the Application Catalog somewhat (although there's a bug open on Microsoft connect currently about the theme color) to a certain degree, enter your Organization name and choose a corresponding Website theme. and continue through that wizard until it is completed To confirm that the web service point role installed successfully review the awebsvcMSI.log file stored in <Configuration Manager Installation Path>\Logs\ and look for the following line - Product: Application Web Service -- Installation operation completed successfully. Step 3. Configure custom client device settings Note: Perform this step using an account with full administrative permissions on the ConfigMgr server. The default client settings apply to all devices in your enterprise. To target a smaller sub-set you can use custom client device settings to target devices within a collection. These settings will apply to all systems within the collection that they are deployed to on that site. You can configure multiple custom client device settings and target them to different collections to control how devices behave in your hierarchy. For a detailed explanation of what each setting does see the following page on Technet: https://technet.microsoft.com/en-us/library/gg682067.aspx Note: Custom client settings always take priority over default client settings. For information about Planning for client settings please see this link on Technet. If you want to configure settings that apply to all sites in your hierarchy create custom client agent settings on the CAS server. 
In the Administration workspace, right-click on Client Settings in Site Configuration and choose Create Custom Client Device Settings. Give the custom device settings a descriptive name which reveals what they are and the intended target, such as Client Device settings for All Workstations select the following custom settings from the list (you can add/configure more later) Client Policy Computer Agent Software Updates In the left pane, click on the first of the three selected above, Client Policy. This controls how often your ConfigMgr clients poll the management point looking for policy. Policy can be thought of as a list of instructions telling a client what to do (such as install an application or check for Windows update availability). The default of 60 minutes is fine for most production environments so let's leave it alone. Note: Lowering the client policy polling interval (minutes) value to something like 5, will mean you can test things much faster in a lab. That setting however, would not be suitable in a production environment due to the increased network traffic and server load. Next, select Computer Agent in the left pane and configure the default application catalog website by clicking on Set Website. Using the drop down menu select the URL you want to use. Next, add your organization name to the organization name displayed in Software Center field and then configure how the Software Center appears to your end users. You have two choices, the old default software center or the new one. Select Yes which will give you the ability to target User and Device applications using one UI, the Software Center. Note: Previously you had to use the application catalog for applications deployed to the user and the software center to show applications targeted to the device. The new software center can now show user based applications however it cannot do application approvals or allow the user to set their primary device. 
And finally set the Disable deadline randomization value to no.

Note: This setting determines whether the client uses an activation delay of up to two hours to install required software updates when the deadline is reached. By default, the activation delay is disabled. Setting this value to no will mean that updates are not installed at the same time thus saving a distribution point from undesired behavior (slowing to a crawl).

For Software Updates set "When any software update deadline is reached, install all other software update deployments with deadline coming within a specified period of time" to Yes to speed up software update installation, reduce system restarts and increase security. For more info see this page on Technet.

Now that you've configured the client settings, you need to deploy them to a collection containing computers you want to target with these settings. To deploy the client settings, right click and choose Deploy. When prompted to select a collection, choose the previously created All Workstations collection. Click OK when done.

Step 4. Configure client installation properties

Note: Perform this step using an account with full administrative permissions on the ConfigMgr server.

You can configure client.msi installation properties to specify certain preferences as these properties are published to Active Directory Domain Services and used during the client installation process.

Note: When you extend the Active Directory schema for System Center 2012 Configuration Manager and the site is published to Active Directory Domain Services, many client installation properties are published to Active Directory Domain Services. If a computer can locate these client installation properties, it can use them during Configuration Manager client deployment.
[source: Technet]

To configure client.msi installation properties, in the ConfigMgr console select Administration and choose Site Configuration, Sites, then right click on the primary server and choose Client Installation Settings, then Client Push Installation, and finally click on the Client Installation Properties tab.

Enter some installation properties such as those added below to increase the cache size to 20 GB and the log file size to 10 MB.

SMSCACHESIZE=20480
CCMLOGMAXHISTORY=3
CCMLOGMAXSIZE=10485760

Step 5. Configure a GPO

Note: Perform the following on the Active Directory Domain Controller server (AD1) as Local Administrator.

To distribute the Configuration Manager client agent as a software update requires a GPO in place. Start the Group Policy Management tool (GPMC.MSC) and create a new GPO.

Note: In the preceding screenshot I link the GPO to the domain GPO; however, you should consider creating an OU specifically for computers you want to target and apply this GPO only to that OU.

Give the GPO a name such as Install the Configuration Manager client agent. When done, right click on the GPO and choose Edit.

Select and expand Computer Configuration, select Policies, then expand Administrative Templates, expand Windows Components, and then scroll down to Windows Update. Next select Specify intranet Microsoft update service location, set it to Enabled, and enter the fully qualified domain name (FQDN) and port of your ConfigMgr primary server Software Update Point as per the screenshot below:

Click Apply and click OK.

Step 6. Enable Software Update based client installation

Note: Perform this step using an account with full administrative permissions on the ConfigMgr server.

In order for on-premise devices to be managed by ConfigMgr they need the ConfigMgr client agent installed. There are several ways to install the client as listed below. Each method has its advantages and disadvantages; take a look at this post on Technet for a summary.
  • Client push installation
  • Software update point-based installation
  • Group Policy installation
  • Logon script installation
  • Manual Installation

In this step you will use the Software update point based installation method, which is listed as a Best Practise method of deploying the client.

Navigate to the Administration workspace, select Site Configuration, Sites, and select the P01 site, right click and choose Client Installation Settings and then Software Update based client installation. Now comes the really hard part: place a check mark in the Enable software update based client installation box. Done. Click Apply and then OK.

Step 7. Monitor client installation

On a computer that is joined to the domain, check windowsupdate.log to see what is happening. If that computer happens to run Windows 10 then you'll need to use the following PowerShell cmdlet to generate a readable windowsupdate.log file.

Get-WindowsUpdateLog

If prompted to accept Microsoft Internet Symbol Store, answer Yes, and after a while it's done processing the ETL files and creates your logfile on the Desktop (if you have administrative permissions on that computer, otherwise it's copied to the Administrator's desktop).

Using CMTrace, open the WindowsUpdate.log file and review it. Below you can see the ConfigMgr client is referenced in the WindowsUpdate.log.

Once the update becomes available it will install.

Once the client is installed and has retrieved its policy you can review the new Software Center, cool huh !

Check out the ConfigMgr client cache size which we set in Step 4 above. The MSI properties are revealed in the CCMSetup.log file.

Job done !

Summary

In this guide you created device collections using PowerShell and learned about configuring custom device client settings and deploying them to a collection called All Workstations. You then deployed the ConfigMgr client agent using Software Updates.
Related Reading

  • Client Settings - https://technet.microsoft.com/en-us/library/gg682067.aspx
  • Fundamentals of System Center Configuration Manager - https://technet.microsoft.com/en-us/library/mt622643.aspx
  • How to configure client settings in System Center Configuration Manager - https://technet.microsoft.com/en-us/library/mt627896.aspx#BKMK_DefaultClientSettings
  • Best practices for client deployment in System Center Configuration Manager - https://technet.microsoft.com/en-us/library/mt627892.aspx

Downloads

You can download a Microsoft Word copy of this guide here dated 2016/1/26: how to configure client settings and the client agent.zip

You can download the PowerShell script used above here: CreateDeviceCollections.zip
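
A client-side check for Steps 4 and 5 of the guide above, as an added example that is not part of the original post or its download. It assumes the ConfigMgr client is installed and the session is elevated; the expected values are the ones entered in Step 4, and the HTTPS warning is an extra check the guide itself does not make.

```powershell
# Added example, not part of the original guide.
# Run in an elevated PowerShell session on a client after Step 7.

# Values entered in Step 4 (Client Installation Properties tab).
$expectedCacheMB  = 20480      # SMSCACHESIZE
$expectedLogHist  = 3          # CCMLOGMAXHISTORY
$expectedLogBytes = 10485760   # CCMLOGMAXSIZE

$results = @()

# Step 5: the GPO stores the intranet update service location here.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue
if ($null -eq $wu -or -not $wu.WUServer) {
    $results += 'FAIL: WUServer is not set, the GPO has not applied to this computer'
} else {
    $results += "OK:   WUServer = $($wu.WUServer)"
    if ($null -eq $au -or $au.UseWUServer -ne 1) {
        $results += 'FAIL: UseWUServer is not 1, the client will not use the intranet server'
    }
    if ($wu.WUServer -notmatch '^https://') {
        $results += 'WARN: WUServer is not an https:// URL, update traffic is not protected by TLS'
    }
}

# Step 4: cache size (in MB) as reported by the ConfigMgr client.
$cache = Get-CimInstance -Namespace 'root\ccm\SoftMgmtAgent' -ClassName CacheConfig -ErrorAction SilentlyContinue
if ($null -eq $cache) {
    $results += 'FAIL: CacheConfig not found, is the ConfigMgr client installed?'
} elseif ([int64]$cache.Size -eq $expectedCacheMB) {
    $results += "OK:   cache size = $($cache.Size) MB"
} else {
    $results += "FAIL: cache size = $($cache.Size) MB, expected $expectedCacheMB"
}

# Step 4: log settings stored by the client (cast so string or DWORD values both compare).
$log = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM\Logging\@Global' -ErrorAction SilentlyContinue
if ($null -eq $log) {
    $results += 'FAIL: CCM logging key not found'
} else {
    $checks = @{ LogMaxHistory = $expectedLogHist; LogMaxSize = $expectedLogBytes }
    foreach ($name in $checks.Keys) {
        $state = if ([int64]$log.$name -eq $checks[$name]) { 'OK:  ' } else { 'FAIL:' }
        $results += "$state $name = $($log.$name), expected $($checks[$name])"
    }
}
$results
```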
  14. ok is the e5580 that imaged ok on the same vlan as this one ?
  15. yeah it never downloads that nbp file as far as i can see, so what is between this computer and the distribution point hosting PXe ? are you sure you've updated both the X86 and X64 boot images to this dp ?
  16. eh it was sideways, can you try again please and let me see it right up until the error
  17. after it downloads the nbp file you should see 'press enter' are you seeing that, maybe you could VIDEO it with your phone and upload the video
  18. ok then, is this a lab or production ? are switches involved ? what pxe error do you get when you try to pxe boot in UEFI mode ?
  19. ok the bios mode of your computer is BIOS not UEFI, no wonder it's not working as you want, change it to UEFI with Secure boot enabled and try again. if you cannot PXE boot in UEFI mode have you verified you've distributed the x64 boot image to your dp's and enabled it for pxe ?
  20. can you attach your smsts.log file please.
  21. hi i just tried it, and it works fine, you must be a member in order to download it, so did you try downloading it before becoming a member ? if so, now that you are a member simply re-try the download and you'll see it will work.