Jump to content




Search the Community

Showing results for tags 'sccm'.



More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • General Stuff
    • Site News
    • Windows News
    • Suggestion box
    • General Chat
    • Events
    • Jobs
  • Cloud
    • Microsoft Intune
    • Azure
    • Office 365
  • Microsoft Deployment Toolkit
    • Deploying Windows 10, Windows 8.1, Windows 7 and more...
  • SMS, SCCM, SCCM Current Branch, SCCM Technical Preview
    • SMS 2003
    • Configuration Manager 2007
    • Configuration Manager 2012
    • System Center Configuration Manager (Current Branch)
    • How do I ?
    • Packaging
    • scripting
    • Endpoint Protection
  • Windows Server
    • Active Directory
    • KMS
    • Windows Deployment Services
    • NAP
    • Failover Clustering
    • PKI
    • Windows Server 2008
    • Windows Server 2012
    • Windows Server 2016
    • Windows Server 2019
    • Hyper V
    • Exchange
    • IIS/apache/web server
    • System Center Operations Manager
    • System Center Data Protection Manager
    • System Center Service Manager
    • System Center App Controller
    • System Center Virtual Machine Manager
    • System Center Orchestrator
    • Lync
    • Application Virtualization
    • Sharepoint
    • WSUS
  • Microsoft SQL Server
    • SQL Server
  • Windows General
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows Vista
    • Windows XP
    • how do I do this ?
    • windows screenshots

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


Website URL


Location


Interests

Found 621 results

  1. I am trying to create an email notification that will report all the systems that completed their hardware inventory (which occurs daily) and those that haven't, and send an email notification with the status. Is this possible? Thanks
  2. Been checking out the new email approval feature for application requests in CB1810, however, I am running into an issue and can't seem to figure it out. To start, I can successfully request an application and SCCM triggers the alert and I successfully receive an email. However, when I attempt to approve or deny the request, I get a website security error and can't proceed. I am not using Azure integration and I am attempting this on my local intranet. Any ideas? (Sensitive information removed) Thanks! Mark
  3. We have been using the guides on this site for over 2 years without issues, but for some reason I can't find a guide that helps me through this issue. We have been deploying Win 10 Enterprise 2016 without issues (Add PC and MAC to SCCM, add new computer to group, boot PC to PXE and done....) We want to deploy Win 10 v1803. Here is what I did; Added the OS to SCCM - Distributed Content Copied the OS Task Sequence for 2016, named it 2019 Edited 2019. The only change the OS to Apply to the 2019 Deployed 2019 to the same groups (Unknown Computers and Deploy Windows 10) PC booted into PXE as expected, but is ONLY presented with the 2019 Task. Task 2016 is gone. If I disable the 2019 Task, the computer is rejected and doesn't boot. Is these something that I"m missing? Why if I copy a Task does it no longer show? Is there a "special" guide to have multiple OS task Sequences presented to the PC?
  4. MJGAIL

    O365 C2R - Location-Based XML

    Hi, I'm in the process of deploying Windows 10 (x64 Enterprise Build 1809) at a customer site using Configuration Manager Current Branch (1806 + Hotfix). Office 365 Click-to-Run is a Tier 1 application that I am installing during deployment of the OS to the endpoint machine. In order to ensure the O365 C2R content is the latest "Semi-Annual Channel" version (client is bound by regulation to patch applications, so testing this with Office) I've setup the following: "Content" for the Application in CM is JUST setup.exe plus XML files for the install. Two XML files for install for two different locations (one of which is on at a low-speed WAN site). Each XML refers to source content in an open share on the Distribution Point servers - one of which is at the low-speed WAN site. Two deployment types in the Application - one for each XML. Setup a Scheduled Task on the Distribution Point servers to update the share (not the Application content) on a regular basis So my plan was then to use a "Requirement" on the application using a custom Global Condition that determines the Active Directory site (created using PowerShell). The idea then being that during deployment, the application installs using the latest available SAC version and administrators don't need to worry about the Application content being updated. And of course, the XML file then tells it to grab the content from the local site, which is highly connected. Works wonderfully well in Software Center in my testing. BUT, doesn't seem to work in OSD Task Sequence ☹️. If I am reading error logs right, it seems as though the PowerShell in the Global Condition is not being allowed to run (even when I set Execution Policy to "Bypass" earlier in the Task Sequence. So, perhaps I am making things more complex than they should be. Simplest thing to do would be to create two separate applications using the same method (i.e. not just two deployment types) and use a Dynamic Variable in the Task Sequence that installs one or the other dependent upon gateway IP. However, throwing it out there for some thoughts on how I could do this using the multiple deployment methods on the single app. Thanks, Matt
  5. Hello all, I am new to this forum so thank you for feedback about possibly not following certain rules. I want to deploy an application to about 3000 users. This will be a required user-based application deployment. I created 1 AD distribution group, tied to 1 collection and the plan is to populate this group over a period of a few weeks with blocks of about 200 to 500 users, depending on fails etc. Because of this I made the application available as soon as possible and the installation deadline as soon as possible and configured a grace period of 96 hours in the client settings. I checked the "Delay enforcement of this application according to user preferences, up to the grace period defined in client settings." There are no maintenance windows configured on any devices. When I add a user to the AD distribution group and log in, the installation starts immediately which leads me to believe I am missing something in my configuration. Anyone any thoughts about this? Thanks for the feedback.
  6. Hey Windows Pros, I work as a tech-marketer for ManageEngine. We have some exciting news from Patch Connect Plus, which I thought will be valuable to you. We have introduced "Standard edition" which offers third-party software catalogs to your SCCM 1806. These catalogs can also be used to publish to SCUP too. So if you'd like to avail a free trial and see how it works on your SCCM environment, you can get started here. Here's a list of applications supported: https://www.manageengine.com/sccm-third-party-patch-management/supported-applications.html You can learn how to add the third-party catalogs to SCCM from the video: You can write to sales@manageengine.com if you would like to avail an extension of the free trial(30 days default)/avail more applications under the Standard edition for catalogs. Happy to help.
  7. Hi WN I created a function to connect to the CMSite and load the cmdlet for ConfigurationManager. Could the function be improved in any way or is it as good it can be? is the logic best practice or? You can download it at : https://gallery.technet.microsoft.com/Connect-ConfigMgr64-db5e9d0a function Connect-ConfigMgr64 { $initParams = @{ } if ((Get-Module ConfigurationManager) -eq $null) { try { Import-Module "$($ENV:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1" @initParams -Scope Global } catch { $ModulePath = (Get-ItemProperty HKLM:\SOFTWARE\Wow6432Node\Microsoft\ConfigMgr10\Setup -Name "UI Installation Directory").'UI Installation Directory' Import-Module $ModulePath\bin\ConfigurationManager.psd1 -Scope Global } } if ((Get-Module ConfigurationManager) -ne $null) { $SiteCode = Get-PSDrive -PSProvider CMSITE if ((Get-PSDrive -Name $SiteCode -PSProvider CMSite -ErrorAction SilentlyContinue) -eq $null) { $ProviderMachineName = (Get-ItemProperty HKLM:\SOFTWARE\Wow6432Node\Microsoft\ConfigMgr10\AdminUI\Connection -Name Server).Server New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $ProviderMachineName @initParams } if ((Get-PSProvider -PSProvider CMSite) -ne $null) { Set-Location $SiteCode":\" Write-Host 'Type "Get-Command -Module ConfigurationManager" for a list of SCCM CMDlets.' -ForegroundColor Green } else { $CustomError = [String]"Error: Can't find CMSite provider" Throw $CustomError } } else { $CustomError = [String]"Unable to locate System Center Configuration Manager installation folder!" Throw $CustomError } } Connect-ConfigMgr64
  8. Hi All, We are running SCCM 1806 and Windows 10 1709 clients and currently have an issue where we try to image a machine using PXE we get the following error: Previously it was working fine (about 6 weeks ago) but it has now just stopped. If i look at the SMSPXE.log i get the following: 16/10/2018 12:25:30 PM ============> Received from client: 16/10/2018 12:25:30 PM Operation: BootRequest (1) Addr type: 1 Addr Len: 6 Hop Count: 0 ID: 09DF8E1C Sec Since Boot: 0 Client IP: 000.000.000.000 Your IP: 000.000.000.000 Server IP: 000.000.000.000 Relay Agent IP: 000.000.000.000 Addr: 00:15:5d:98:2f:03: Magic Cookie: 63538263 Options: Type=53 Msg Type: 1=Discover Type=57 Max Msg Size: 05c0 Type=55 Param Request List: 0102030405060c0d0f111216171c28292a2b3233363a3b3c4243618081828384858687 Type=97 UUID: 00c5aa2830da4b354c927442798bf8d6fd Type=94 UNDI: 010300 Type=93 Client Arch: EFI BC Type=60 ClassId: PXEClient:Arch:00007:UNDI:003000 16/10/2018 12:25:30 PM Prioritizing local MP http://xxxxxxxx.xxxxxxxx.local. 16/10/2018 12:25:30 PM Not in SSL 16/10/2018 12:25:31 PM Not in SSL 16/10/2018 12:25:31 PM Client lookup reply: <ClientIDReply><Identification Unknown="0" DuplicateSMBIOS="0" DuplicateMACAddress="0" ItemKey="16777501" ServerName=""><Machine><ClientID/><NetbiosName/></Machine></Identification></ClientIDReply> 16/10/2018 12:25:31 PM 00:15:5D:98:2F:03, 3028AAC5-4BDA-4C35-9274-42798BF8D6FD: device is in the database. 16/10/2018 12:25:31 PM Prioritizing local MP http://xxxxxxxx.xxxxxxxxx.local. 16/10/2018 12:25:31 PM Not in SSL 16/10/2018 12:25:31 PM Request using architecture 9. 16/10/2018 12:25:31 PM Not in SSL 16/10/2018 12:25:31 PM Client boot action reply: <ClientIDReply><Identification Unknown="0" DuplicateSMBIOS="0" DuplicateMACAddress="0" ItemKey="16777501" ServerName=""><Machine><ClientID/><NetbiosName/></Machine></Identification><PXEBootAction LastPXEAdvertisementID="" LastPXEAdvertisementTime="" OfferID="" OfferIDTime="" PkgID="" PackageVersion="" PackagePath="" BootImageID="" Mandatory=""/></ClientIDReply> 16/10/2018 12:25:31 PM 00:15:5D:98:2F:03, 3028AAC5-4BDA-4C35-9274-42798BF8D6FD: no advertisements found 16/10/2018 12:25:31 PM Prioritizing local MP http://xxxxxxx.xxxxxxxxxx.local. 16/10/2018 12:25:31 PM Not in SSL 16/10/2018 12:25:31 PM Not in SSL 16/10/2018 12:25:31 PM 00:15:5D:98:2F:03, 3028AAC5-4BDA-4C35-9274-42798BF8D6FD: No boot action. Aborted. 16/10/2018 12:25:31 PM Operation: BootReply (2) Addr type: 1 Addr Len: 6 Hop Count: 0 ID: 09DF8E1C Sec Since Boot: 0 Client IP: 000.000.000.000 Your IP: 000.000.000.000 Server IP: 192.168.152.025 Relay Agent IP: 000.000.000.000 Addr: 00:15:5d:98:2f:03: Magic Cookie: 63538263 Options: Type=53 Msg Type: 2=Offer Type=54 Svr id: 192.168.152.025 Type=97 UUID: 00c5aa2830da4b354c927442798bf8d6fd Type=60 ClassId: PXEClient 16/10/2018 12:25:31 PM 00:15:5D:98:2F:03, 3028AAC5-4BDA-4C35-9274-42798BF8D6FD: Not serviced. 16/10/2018 12:25:34 PM ============> Received from client: 16/10/2018 12:25:34 PM Operation: BootRequest (1) Addr type: 1 Addr Len: 6 Hop Count: 0 ID: 09DF8E1C Sec Since Boot: 0 Client IP: 000.000.000.000 Your IP: 000.000.000.000 Server IP: 000.000.000.000 Relay Agent IP: 000.000.000.000 Addr: 00:15:5d:98:2f:03: Magic Cookie: 63538263 Options: Type=53 Msg Type: 3=Request Type=54 Svr id: 192.168.152.017 Type=50 Requested IP: 192.168.152.100 Type=57 Max Msg Size: ff00 Type=55 Param Request List: 0102030405060c0d0f111216171c28292a2b3233363a3b3c4243618081828384858687 Type=97 UUID: 00c5aa2830da4b354c927442798bf8d6fd Type=94 UNDI: 010300 Type=93 Client Arch: EFI BC Type=60 ClassId: PXEClient:Arch:00007:UNDI:003000 16/10/2018 12:25:34 PM ============> Received from client: 16/10/2018 12:25:34 PM Operation: BootRequest (1) Addr type: 1 Addr Len: 6 Hop Count: 0 ID: 0404FBE8 Sec Since Boot: 0 Client IP: 192.168.152.100 Your IP: 000.000.000.000 Server IP: 000.000.000.000 Relay Agent IP: 000.000.000.000 Addr: 00:15:5d:98:2f:03: Magic Cookie: 63538263 Options: Type=53 Msg Type: 3=Request Type=55 Param Request List: 0102030405060c0d0f111216171c28292a2b3233363a3b3c4243618081828384858687 Type=57 Max Msg Size: 05c0 Type=60 ClassId: PXEClient:Arch:00007:UNDI:003000 Type=93 Client Arch: EFI BC Type=94 UNDI: 010300 Type=97 UUID: 00c5aa2830da4b354c927442798bf8d6fd 16/10/2018 12:25:34 PM Prioritizing local MP http://xxxxxxx.xxxxxxxxx.local. 16/10/2018 12:25:34 PM Not in SSL 16/10/2018 12:25:34 PM Request using architecture 9. 16/10/2018 12:25:34 PM Not in SSL 16/10/2018 12:25:34 PM Client boot action reply: <ClientIDReply><Identification Unknown="0" DuplicateSMBIOS="0" DuplicateMACAddress="0" ItemKey="16777501" ServerName=""><Machine><ClientID/><NetbiosName/></Machine></Identification><PXEBootAction LastPXEAdvertisementID="" LastPXEAdvertisementTime="" OfferID="" OfferIDTime="" PkgID="" PackageVersion="" PackagePath="" BootImageID="" Mandatory=""/></ClientIDReply> 16/10/2018 12:25:34 PM 00:15:5D:98:2F:03, 3028AAC5-4BDA-4C35-9274-42798BF8D6FD: no advertisements found 16/10/2018 12:25:35 PM Prioritizing local MP http://xxxxxxxxxxx.xxxxxxxxxxx.local. 16/10/2018 12:25:35 PM Not in SSL 16/10/2018 12:25:35 PM Not in SSL 16/10/2018 12:25:35 PM ============> REQUEST Reply to client ([192.168.152.100:4011]) Len:285 16/10/2018 12:25:35 PM Operation: BootReply (2) Addr type: 1 Addr Len: 6 Hop Count: 0 ID: 0404FBE8 Sec Since Boot: 0 Client IP: 192.168.152.100 Your IP: 000.000.000.000 Server IP: 192.168.152.025 Relay Agent IP: 000.000.000.000 Addr: 00:15:5d:98:2f:03: BootFile: smsboot\x64\wdsmgfw.efi Magic Cookie: 63538263 Options: Type=53 Msg Type: 5=Ask Type=54 Svr id: 192.168.152.025 Type=97 UUID: 00c5aa2830da4b354c927442798bf8d6fd Type=60 ClassId: PXEClient Type=250 020105 16/10/2018 12:25:35 PM <============ REQUEST Reply (end) Any help would be appreciated. Thanks in Advance. Paul
  9. Hello, I have the problem with my SCCM that I cannot open the Administration Console anymore. The last think I have do bevor it don't works anymore was to fix my 0% downloading from Software Center Problem. I have tried these steps from Arthur_Li (because the fix with the .mof files don't work for me): https://social.technet.microsoft.com/Forums/windows/en-US/df00b2e4-3bab-4b46-ad5a-95e82617a039/wmi-errors?forum=winserverNIS Here are the SMSAdmin Logs: [19, PID:1928][10/11/2018 08:50:07] :Transport error; failed to connect, message: 'The SMS Provider reported an error.'\r\nMicrosoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlQueryException\r\nThe SMS Provider reported an error.\r\n at Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlQueryResultsObject.<GetEnumerator>d__74.MoveNext() [19, PID:1928][10/11/2018 08:50:07] :Transport error; failed to connect, message: 'The SMS Provider reported an error.'\r\nMicrosoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlQueryException\r\nThe SMS Provider reported an error.\r\n at Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlQueryResultsObject.<GetEnumerator>d__74.MoveNext() at Microsoft.ConfigurationManagement.AdminConsole.SmsSiteConnectionNode.GetConnectionManagerInstance(String connectionManagerInstance)\r\nConfigMgr Error Object: instance of __ExtendedStatus{Operation = "ExecQuery";ParameterInfo = "SELECT * FROM SMS_Site WHERE SiteCode = 'PS0'";ProviderName = "WinMgmt"; } Error Code: ProviderLoadFailure [19, PID:1928][10/11/2018 08:50:07] :Transport error; failed to connect, message: 'The SMS Provider reported an error.'\r\nMicrosoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlQueryException\r\nThe SMS Provider reported an error.\r\n at Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlQueryResultsObject.<GetEnumerator>d__74.MoveNext() I have tried to reinstall the console with the AdminConsole.msi but this don't work. Also I have tried to connect with my IP, but also no success. The complete D drive where SCCM is installed, the SMSAdmins Group has "Full control" permissions. At this group are all user where can connected to the server and the server itself. All sms services are running. One think I found out is that my wmi maybe don't work right. At another Topic (https://www.windows-noob.com/forums/topic/10298-applications-suddenly-wont-deploy-hung-stuck-at-0-downloading/) they tried "Run the query select * from sms_sci_component where componentname=SMS_DISTRIBUTION_MANAGER" to fix the wmi problem, but if I try this query I get the following error: Number: 0x80041017Facility: WMIDescription: Invalid query Could it be that this query is only for 2012? At the wmiprov.log I get this error by trying to open the Console from SCCM: (Wed Oct 10 10:16:42 2018.780762406) : WDM call returned error: 5 The WMIDIAG Log is attach below WMIDIAG-V2.2_2K12R2.SRV.RTM.64_SRV-SCCM_2018.10.12_09.52.41-REPORT.TXT
  10. Hi all, I've tried and failed miserably! to work out how to do this using the Report Builder. Could anyone possibly help with creating an SQL query to create a deployment report which includes the Administrative Category? Example: Application Name, Application Administrative Category, Target Collection, Success, In Progress, Fail, Requirements not met, Unknown. Would really appreciate any assistance. Thanks
  11. Did you know that Enhansoft is giving away a free report set on Software Update Health? Check out the blog about it. https://www.enhansoft.com/blog/software-update-health-dashboard-set-special-microsoft-ignite-giveaway They give away something every month too! https://giveaway.enhansoft.com/ Keep in mind that I do work for them too.
  12. This multi-part guide will show you how to install the latest baseline version of Configuration Manager from Microsoft. The latest available baseline version is System Center Configuration Manager (Current Branch) version 1802 as of March 29th 2018. You can use this multi-part guide to get a hierarchy up and running on Windows Server 2016 using SQL Server 2017. The concept behind this is to guide you through all the steps necessary to get a working Configuration Manager Primary site installed using manual methods or automating it by using PowerShell. This gives you the power to automate the bits that you want to automate, while allowing you to manually do other tasks when needed. You decide which path to take. PowerShell knowledge is desired and dare I say required if you are in any way serious about Configuration Manager. I will show you how to do most steps via two methods shown below, it’s up to you to choose which method suits you best but I highly recommend automating everything that you can (if possible), using PowerShell. Method #1 – Do it manually Method #2 – Automate it with PowerShell In Part 1, you configured Active Directory Domain Services (ADDS) on AD01, then joined the Configuration Manager primary server (CM01) to the newly created domain. You then created users, usergroups and OU's in Active Directory and created the System Management Container. Finally you delegated permission to the Configuration Manager server to the System Management container. In Part 2, you configured Windows Server 2016 roles and features on the Configuration Manager primary server (CM01) and then you downloaded and installed Windows ADK 1709. Next you installed SQL Server 2017 CU5 with SQL Server Management Studio (SSMS) and Reporting Services before installing the WSUS role which uses SQL to store the SUSDB instead of the Windows Internal Database (WID). In this Part, you will download and extract the ConfigMgr content, you'll download the ConfigMgr prerequisites and then you'll extend the Active Directory schema before installing System Center Configuration Manager (Current Branch) version 1802. Step 1. Download and extract the ConfigMgr content Before installing System Center Configuration Manager version 1802 you'll need to download the content as it is a baseline version. You can download baseline versions of the ConfigMgr media from Microsoft's Volume licensing Service Center (VLSC) site for use in production or from MSDN (or the Microsoft Evaluation site) for use in a lab. The VLSC download can be found be searching for Config and then selecting System Center Config Mgr (current branch and LTSB) as shown below. Once you've downloaded the ISO, mount it using Windows File Explorer and copy the contents to somewhere useful like C:\Source\SCCM1802 on the Configuration Manager server. Step 2. Download the ConfigMgr Prerequisites Note: Perform the following on the Configuration Manager server (CM01) as a Local Administrator You can download the prerequisites during ConfigMgr setup or in advance. As you'll probably want to install more than one copy of ConfigMgr (one lab, one production) it's nice to have the prerequisites downloaded in advance. Method #1 – Do it manually To do that, open an administrative PowerShell command prompt and navigate to the following folder: C:\Source\SCCM1802\smssetup\bin\X64 Run the following line .\SetupDL.exe C:\Source\SCCM_Prerequisites Once the process is complete you can open C:\ConfigMgrSetup.log with CMTrace (or notepad) to verify the status of the download. Note: You can find the CMTrace executable in the SMSSetup Tools folder in the location that you extracted the ConfigMgr media, eg: C:\Source\SCCM1802\SMSSETUP\TOOLS. Method #2 – Automate it with PowerShell To automate the download of the prerequisites simply follow the instructions and run the Install SCCM Current Branch version 1802.ps1 Powershell script in Step 4 or use the Download SCCM prerequisite files.ps1. Step 3. Extend the Schema Note: Perform the following on the Domain controller server (AD01) as Administrator. You do not have to extend the Active Directory schema if it was already extended for Configuration Manager previously. Method #1 – Do it manually To do that, on the Active Directory domain controller (AD01), open Windows File Explorer and browse to the network path of the ConfigMgr server where you've copied the SCCM source, eg: \\cm01\c$\Source\SCCM1802\SMSSETUP\BIN\X64 In that folder, locate extadsch.exe and right click, choose Run as Administrator. After the schema has been extended for SCCM, you can open C:\ExtAdsch.log on the root of C:\ on the server you are performing this on, and review the success or failure of that action. Method #2 – Automate it with PowerShell To automate extending the schema, use the Extend the Schema in AD.ps1 PowerShell script. Run the script on the CM01 server using credentials that have the ability to extend the schema. Step 4. Install SCCM Current Branch (version 1802) Note: Perform the following on the ConfigMgr server (CM01) as Administrator. Method #1 – Do it manually To do that, on the Configuration Manager server (CM01), open Windows File Explorer and browse to the network path of the ConfigMgr server where you've copied the SCCM source, eg: C:\Source\SCCM1802\ In that folder, double click on splash.hta. The Installer appears, click on Install. At the Before You Begin screen click Next. In the Available Setup Options screen, place a checkbox in "Use typical Installation options for a stand alone primary site" When prompted if you want to continue click Yes. On the Product Key screen enter your Key (or choose the eval option), and set the Software Assurance Date (optional) On the Product License Terms screen, select the 3 available options and click Next. On the Prerequisite Downloads screen, select the first option and specify C:\Source\SCCM_Prerequisites as the folder to download the prerequisite files. Click Next to start the download. On the Site and Installation Settings screen, enter your chosen site code (eg: P01), your site name and the path where you want to install ConfigMgr. On the Diagnostics and Usage data screen, click Next. On the Service Connection Point Setup screen, enter your choices and click Next. On the Settings Summary, review your choices and when happy with them click Next. On the Prerequisite Check screen click Begin Install when ready. During the installation, click on View Log (opens C:\ConfigmgrSetup.log) to review the installation progress using CMTrace and when the installation is done, click Close. Method #2 – Automate it with PowerShell To automate the installation of ConfigMgr 1802 (including all the previous steps above), simply run the Install SCCM Current Branch version 1802.ps1 PowerShell script. Run the script on the CM01 server and when prompted to extend the schema, enter your choice (yes or no) and if you choose to extend the schema, provide suitable credentials when prompted. Once done with the schema extension, the installation will continue (as shown below). and once installed you can launch the console. Success ! Summary In this 3 part guide you used quite a bit of PowerShell to automate pretty much most of Installing System Center Configuration Manager Current Branch (version 1802), including installing and configuring SQL Server 2017 on Windows Server 2016. Doing it with PowerShell means you can safely say that you've got a handle on Automation using PowerShell. I hope you learned a lot from doing it this way, and until next time, adios ! Downloads The scripts used in this guide are available for download here. Unzip to C:\Scripts on both servers. The scripts are placed in the corresponding folder (Part 1, Part 2 etc) and sorted into which server you should run the script on (AD01 or CM01). Scripts.zip
  13. So, I have a few custom groups in my task sequence that install applications based upon some WMI queries using a naming convention. But I am having some issues trying to get it working exactly. Here is what I am trying to do. I have two groups. Employee and Labs. The naming convention for employees is LIB-AU and for the Labs its LIB-AUXXXXX-XX where the X's represent numbers I have this particular "If" statement. Here is the query in question that I currently have for employee SELECT * FROM Win32_ComputerSystem WHERE Not Name LIKE 'LIB-AU%-%' Here is the query for the labs group. SELECT * FROM Win32_ComputerSystem WHERE Name LIKE 'LIB-AU%-%' The behavior that occurs is that everything under the employees group installs to a system if it has the name "LIB-AUXXXXX-XX" - I don't want this to happen. I only want it to run the steps if it meets the 'LIB-AUXXXXX' naming, but otherwise skip it. The query for the "labs" group works fine. Any suggestions?
  14. This multi-part guide will show you how to install the latest baseline version of Configuration Manager from Microsoft. The latest available baseline version is System Center Configuration Manager (Current Branch) version 1802 as of March 29th 2018. You can use this multi-part guide to get a hierarchy up and running on Windows Server 2016 using SQL Server 2017. The concept behind this is to guide you through all the steps necessary to get a working Configuration Manager Primary site installed using manual methods or automating it by using PowerShell. This gives you the power to automate the bits that you want to automate, while allowing you to manually do other tasks when needed. You decide which path to take. PowerShell knowledge is desired and dare I say required if you are in any way serious about Configuration Manager. I will show you how to do most steps via two methods shown below, it’s up to you to choose which method suits you best but I highly recommend automating everything that you can (if possible), using PowerShell. Method #1 – Do it manually Method #2 – Automate it with PowerShell In Part 1, you configured Active Directory Domain Services (ADDS) on AD01, then joined the Configuration Manager primary server (CM01) to the newly created domain. You then created users, usergroups and OU's in Active Directory and created the System Management Container. Finally you delegated permission to the Configuration Manager server to the System Management container. In Part 2, you configured Windows Server 2016 roles and features on the Configuration Manager primary server (CM01) and then you downloaded and installed Windows ADK 1709. Next you installed SQL Server 2017 CU5 with SQL Server Management Studio (SSMS) and Reporting Services before installing the WSUS role which uses SQL to store the SUSDB instead of the Windows Internal Database (WID). In Part 3, you downloaded and extracted the ConfigMgr content, you downloaded the ConfigMgr prerequisites and then you extended the Active Directory schema before installing System Center Configuration Manager (Current Branch) version 1802. In this part you'll create some device collections to prepare your lab for Servicing Windows 10, whether using WAAS or Upgrade Task Sequences built into ConfigMgr. The collections create include some based on the recently released Windows 10 version 1803. Step 1. Create some device collections Note: Perform the following on the Configuration Manager server (CM01) as a Local Administrator You can create collections using the ConfigMgr console and clicking your way through the wizard, you'll need to add membership queries to populate the collections, and include Include or Exclude rules as appropriate. Method #1 – Do it manually <to be added> Method #2 – Automate it with PowerShell To automate the creation of a bunch of device collections simply run the CreateDeviceCollectionsWindows10.ps1 Powershell script by starting PowerShell ISE as Administrator on the ConfigMgr server (CM01). Summary In this guide you created a whole bunch of collections to sort all your Windows 10 computers into easily identifiable groups based on Windows Version number, so that you can target them with policy or use Upgrade task sequences or Windows Servicing. Downloads The scripts used in this guide are available for download here. Unzip to C:\Scripts on both servers. The scripts are placed in the corresponding folder (Part 1, Part 2 etc) and sorted into which server you should run the script on (AD01 or CM01). Scripts.zip
  15. michael.lecomber

    Antimalware Policy not applying

    Hi, I've recently had an issue were my Windows 10 1803 clients don't get signature updates although the definition updates seem to apply ok. Looking through the logs nothing really stuck out except that the machine didn't have a antimalware policy. I check SCCM and the policy is deployed and apperently installed ok (going from the console). Any ideas would really be great!
  16. I am facing a very weird issue with SCCM CoManagement where Windows 10 machines registered to AzureAD in Hybrid Azure AD Join, are shown as Azure AD Joined. I will be focusing on one machine so we see the issue in depth. Configuration details SCCM Current Branch 1802 with all three hotfixes installed Windows 10 Enterprise 1803 with latest updates Co-Management Enabled for All Devices (no pilot group) No workloads have yet been migrated to Intune Group Policies for Automatic Enrollment to MDM and Automatic Registration with AzureAD enabled SCCM Client Cloud option for Automatic Registration enabled Intune set as Standalone Intune Enrollment set as MDM only (MAM disabled) ADFS Federated Domain 3.0 (2012R2) with AAD Connect Federation Facts SSO et. all are working as expected on the client Client detects client as Hybrid Azure AD Joined Intune detects client as Hybrid Azure AD Joined Issue SCCM detects client as Azure AD Joined I will now provide all relevant screenshots from Intune, SCCM and Client. SCCM As seen below, SCCM thinks the device is Azure AD Join and not Hybrid Azure AD Join. I also used the following SCCM query: select SMS_R_System.NetbiosName, SMS_Client_ComanagementState.Authority, SMS_Client_ComanagementState.AADDeviceID, SMS_Client_ComanagementState.ComgmtPolicyPresent, SMS_Client_ComanagementState.EnrollmentErrorDetail, SMS_Client_ComanagementState.EnrollmentFailed, SMS_Client_ComanagementState.EnrollmentStatusCode, SMS_Client_ComanagementState.HybridAADJoined, SMS_Client_ComanagementState.MDMEnrolled, SMS_Client_ComanagementState.MDMWorkloads, SMS_Client_ComanagementState.AADJoined from SMS_R_System inner join SMS_Client_ComanagementState on SMS_Client_ComanagementState.ResourceID = SMS_R_System.ResourceId where SMS_Client_ComanagementState.ComgmtPolicyPresent = 1 and SMS_Client_ComanagementState.MDMEnrolled = 1 And had the following results, same probem. Azure AD Joined = Yes, Hybrid Azure AD Joined = No AzureAD As seen on the Devices > Azure AD Devices, the machine is properly detected as Hybrid Azure AD Joined As seen below, DeviceTrustType = Domain Joined and DeviceTrustLevel = Managed should be correct (see here). Get-MsolDevice -Name hp-eb-g3 Enabled : True ObjectId : cxxxxxxxxxxxxxxxxxxxxxxxx0 DeviceId : 2xxxxxxxxxxxxxxxxxxxxxxxxxxxxx2 DisplayName : HP-EB-G3 DeviceObjectVersion : 2 DeviceOsType : Windows 10 Enterprise DeviceOsVersion : 10.0 (17134) DeviceTrustType : Domain Joined DeviceTrustLevel : Managed DevicePhysicalIds : {[USER-GID]:2xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx2, [GID]:g:6xxxxxxxxxxxxxxxx2, [USER-HWID]:2xxxxxxxxxxxxxxxxxxxxxxxxxxxxx2, [HWID]:h:6xxxxxxxxxxxxxxxxxx2} ApproximateLastLogonTimestamp : 27/07/2018 15:00:56 AlternativeSecurityIds : {X509:<SHA1-TP-PUBKEY>0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx} DirSyncEnabled : True LastDirSyncTime : 03/08/2018 02:31:16 RegisteredOwners : {} GraphDeviceObject : Microsoft.Azure.ActiveDirectory.GraphClient.Device Intune This is how the device shows up in Intune Client DeviceManagement Log event 75 properly happened Client properly seeing management from Intune dsregcmd properly recognizes machine as AAD and MDM enrolled and AD Domain Joined dsregcmd /status +----------------------------------------------------------------------+ | Device State | +----------------------------------------------------------------------+ AzureAdJoined : YES EnterpriseJoined : NO DeviceId : 2xxxxxxxxxxxxxxxxxxxxxxxxx2 Thumbprint : 0xxxxxxxxxxxxxxxxxxxxxxA KeyContainerId : cxxxxxxxxxxxxxxxxxxxxxx7 KeyProvider : Microsoft Platform Crypto Provider TpmProtected : YES KeySignTest: : PASSED Idp : login.windows.net TenantId : 9xxxxxxxxxxxxxxxxxxx2 TenantName : Axxxxxxxxxxxxxs AuthCodeUrl : https://login.microsoftonline.com/9xxxxxxxxxxxxxxxxxxxx2/oauth2/authorize AccessTokenUrl : https://login.microsoftonline.com/9xxxxxxxxxxxxxxxxxxxxxxxxx2/oauth2/token MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc MdmTouUrl : https://portal.manage.microsoft.com/TermsofUse.aspx MdmComplianceUrl : https://portal.manage.microsoft.com/?portalAction=Compliance SettingsUrl : JoinSrvVersion : 1.0 JoinSrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/device/ JoinSrvId : urn:ms-drs:enterpriseregistration.windows.net KeySrvVersion : 1.0 KeySrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/key/ KeySrvId : urn:ms-drs:enterpriseregistration.windows.net WebAuthNSrvVersion : 1.0 WebAuthNSrvUrl : https://enterpriseregistration.windows.net/webauthn/9xxxxxxxxxxxxxxxxxxxxxxxxxxxx2/ WebAuthNSrvId : urn:ms-drs:enterpriseregistration.windows.net DeviceManagementSrvVersion : 1.0 DeviceManagementSrvUrl : https://enterpriseregistration.windows.net/manage/9xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx2/ DeviceManagementSrvId : urn:ms-drs:enterpriseregistration.windows.net DomainJoined : YES DomainName : XXXXXXXXXX +----------------------------------------------------------------------+ | User State | +----------------------------------------------------------------------+ NgcSet : NO WorkplaceJoined : NO WamDefaultSet : YES WamDefaultAuthority : organizations WamDefaultId : https://login.microsoft.com WamDefaultGUID : {Bxxxxxxxxxxxxxxxxxxxxxxxxxxxxx0} (AzureAd) AzureAdPrt : YES AzureAdPrtAuthority : https://login.microsoftonline.com/9xxxxxxxxxxxxxxxxxxxxxxxxxx2 EnterprisePrt : NO EnterprisePrtAuthority : +----------------------------------------------------------------------+ | Ngc Prerequisite Check | +----------------------------------------------------------------------+ IsUserAzureAD : YES PolicyEnabled : NO PostLogonEnabled : YES DeviceEligible : YES SessionIsNotRemote : NO CertEnrollment : none AadRecoveryNeeded : NO PreReqResult : WillNotProvision Can anyone having a similar configuration crosscheck and let me know what difference there is? References: https://www.imab.dk/flipping-the-switch-how-to-enable-co-management-in-configuration-manager-current-branch/ https://allthingscloud.blog/automatically-mdm-enroll-windows-10-device-using-group-policy/ -- Alex
  17. Hello Folks! Firstly I want to say that I'm new here to this forum, so hello. 😀 The ConfigMgr team just released the latest version av SCCM CB, 31 July if I understood correctly. Now, it is 8 August and 1806 hasn't appeared in the Updates and Servicing node for us. I have clicked on the button Check for Updates and even checked the dmpdownloader.log but no error messages seems to strike out. I have even restarted the SMS_EXECUTIVE component without any issues. I am currently running out of ideas, I have been googling for some answers why new versions don't appear in the node but don't find any relevant so I'm reaching out to you guys. Our current environment is SCCM CB 1802, 5.00.8634.1000 (Not the hotfix though). The only update that is available in there is the hotfix CB 1802 Hotfix KB4163547. If it isn't that what's causing the trouble? Am i too early that is searching for that update or is there something wrong that I'm doing? Can't really hesitate to try out the new third party update feature and even CMPivot! Have a great day everyone, cheers!
  18. I'm in the process of automating reader so that it downloads and creates the application in SCCM We use a global condition to get the version of reader out of the registry. I have two deployment types, One installs the full reader and the second just installs the patch. On the second deployment type we use the requirement Between operand with the values of "17.011.130000" "17.011.130080" that way it will only install the patch it fails on the between operand. If I use greaterthan or others it works fine. Any help???? Here is the error message. Add-CMScriptDeploymentType : ConfigMgr Error Object: instance of SMS_ExtendedStatus { Description = "There is a failure while generating lantern documents for this configuration item"; ErrorCode = 1078462256; File = "..\\sspconfigurationitem.cpp"; Line = 2164; Operation = "PutInstance"; ParameterInfo = ""; ProviderName = "ExtnProv"; StatusCode = 2147749889; }; At C:\Reader\Add-Depend.ps1:155 char:1 + Add-CMScriptDeploymentType -SourceUpdateProductCode "$ReaderGUID" -A ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (Microsoft.Confi...mentTypeCommand:AddScriptDeploymentTypeCommand) [Add-CMScriptDeploymentType], WqlQueryException + FullyQualifiedErrorId : UnhandledException,Microsoft.ConfigurationManagement.Cmdlets.AppMan.Commands.AddScriptDeploymentTypeCommand
  19. Hello all, I am trying to get a report of workstations that have a shortcut on desktop. select SMS_R_System.NetbiosName, SMS_R_System.LastLogonUserName, SMS_G_System_SoftwareFile.FileName from SMS_R_System inner join SMS_G_System_SoftwareFile on SMS_G_System_SoftwareFile.ResourceID = SMS_R_System.ResourceId where SMS_G_System_SoftwareFile.FileName like "foo.lnk" and SMS_G_System_SoftwareFile.FilePath like "C:\\Users\\Public\\Desktop\\" I could not make it work as this program is installed on the machine. its just a link to web portal
  20. Morning all, I'm running into an odd problem with my SCCM OSD TS. I am using MDT integration and have selected the steps Install Roles and Features to install the .NET Framework 3.5. I have this step right after the Setup Windows and Configuration Manager step. However, upon OSD completion, the process is not complete. Here is the excerpt of the step from SMSTS.log, it doesn't show any failures Adding begin group instruction at 38 TSManager 7/16/2018 2:13:53 PM 1620 (0x0654) There are 1 first level steps or groups TSManager 7/16/2018 2:13:53 PM 1620 (0x0654) Parsing step node: Install .NET Framework 3.5 (Includes .NET 2.0 and 3.0) TSManager 7/16/2018 2:13:53 PM 1620 (0x0654) Description: TSManager 7/16/2018 2:13:53 PM 1620 (0x0654) ContinueOnError: true TSManager 7/16/2018 2:13:53 PM 1620 (0x0654) SuccessCodeList: 0 TSManager 7/16/2018 2:13:53 PM 1620 (0x0654) RetryCount: 0 TSManager 7/16/2018 2:13:53 PM 1620 (0x0654) No condition is associated with the step. TSManager 7/16/2018 2:13:53 PM 1620 (0x0654) Disable: TSManager 7/16/2018 2:13:53 PM 1620 (0x0654) Run in attribute: WinPEandFullOS TSManager 7/16/2018 2:13:53 PM 1620 (0x0654) Timeout: TSManager 7/16/2018 2:13:53 PM 1620 (0x0654) DefaultVarlist found TSManager 7/16/2018 2:13:53 PM 1620 (0x0654) Variable name: OSFeatures TSManager 7/16/2018 2:13:53 PM 1620 (0x0654) Variable name: OSRoleIndex TSManager 7/16/2018 2:13:53 PM 1620 (0x0654) Variable name: OSRoleServices TSManager 7/16/2018 2:13:53 PM 1620 (0x0654) Variable name: OSRoles TSManager 7/16/2018 2:13:53 PM 1620 (0x0654) Action command line: smsswd.exe /run: cscript.exe "%DeployRoot%\Scripts\ZTIOSRole.wsf" TSManager 7/16/2018 2:13:53 PM 1620 (0x0654) Adding instruction at 39 TSManager 7/16/2018 2:13:53 PM 1620 (0x0654) Processed all elements TSManager 7/16/2018 2:13:53 PM 1620 (0x0654) Any assistance is greatly appreciated.
  21. In a previous series of guides I showed you how to configure PKI in a lab on Windows Server 2016. In another series, I also showed you how to install System Center Configuration Manager (Current Branch) version 1802 on Windows Server 2016 with SQL Server 2017. In this lab, I will show you how to configure SCCM to utilize that PKI environment. This series is based upon an excellent video by the talented former Microsoft Premier Field Engineer Justin Chalfant here. If you haven't seen it yet, do check it out. The intention here is that after you've completed this PKI enabled SCCM lab you can then use this in future guides, and to dig deeper into new technologies from Microsoft, for example enabling a Cloud Management Gateway and/or Cloud Distribution Point and using later on, using Co-Management. Note: To complete this lab you must first complete the PKI Lab series (8 parts) and then install a new virtual machine within that PKI lab running System Center Configuration Manager (Current Branch) version 1802 utilizing this series (4 parts), that installation of Configuration Manager will be in HTTP mode. In addition, you must configure the Software Update Point role (in HTTP mode) on CM01 See this guide (step 2 onward) for details. For details how to configure that, see this post. It will take some time to setup but you'll be glad you did. Also, don't do this in production without consulting with a PKI Expert. I don't claim to be one, I'm just helping you get it up and running in a lab. This is intended for use in a lab only. In part 1 of this series you created an Active Directory Security Group to contain your SCCM servers that host IIS based roles such as Distribution Point, Management Point and Software Update Point, you then rebooted that server after adding it (CM01) to the group. You then created 3 certificate templates for SCCM on the Issuing CA server (IssuingCA) and issued them so that they could be available to applicable computers. You verified that you had a GPO in place for AutoEnrollment before requesting the IIS and DP/OSD Certificates on the IIS Site System (CM01) using certlm.msc. Step 1. Edit bindings in IIS for the Default Web Site and WSUS Administration Websites On the SCCM server (CM01), start Internet Information Services (IIS) Manager, expand Sites so that you can see the Default Web Site and the WSUS Administration websites listed. Select the Default Web Site, this web site is where the management point, distribution point and other SCCM roles such as Application Catalog can be found (if they are installed). Edit bindings on the Default Web Site Right click on the Default Web Site and choose Edit Bindings from the options available. In the window that appears, select the https section (port 443) and choose Edit. In the SSL certificate dropdown menu, select SCCM IIS Cert. Click OK and then click Close. Verify changes made Once done, you can open up Internet Explorer and verify that it's reporting back in HTTPS mode for the default web site by browsing to the following addresses to verify the Netbios name and FQDN resolve in HTTPS mode. Click on the Lock in the address bar to get info about the connection. https://cm01 https://cm01.windowsnoob.lab.local/ Edit bindings on the WSUS Administration Web Site Repeat the above operation, on the WSUS Administration website (note that it uses port 8531 for https mode). click OK and Close when done. Step 2. Modify WSUS Administration SSL Settings WSUS itself requires some additional changes documented here (1) that we need to configure to allow WSUS to use HTTPS. In the Internet Information Services (IIS) Manager, expand sites and selct WSUS Administration. Select ApiRemoting30 under the WSUS Administration web site, in the right pane, click on SSL Settings and select Require SSL and verify that Ignore is selected before clicking Apply. Next, select ClientWebService under the WSUS Administration web site, in the right pane, click on SSL Settings and select Require SSL and verify that Ignore is selected before clicking Apply. Next, select DSSAuthWebService under the WSUS Administration web site, in the right pane, click on SSL Settings and select Require SSL and verify that Ignore is selected before clicking Apply. Next, select ServerSyncWebService under the WSUS Administration web site, in the right pane, click on SSL Settings and select Require SSL and verify that Ignore is selected before clicking Apply. Finally, select SimpleAuthWebService under the WSUS Administration web site, in the right pane, click on SSL Settings and select Require SSL and verify that Ignore is selected before clicking Apply. Step 3. Configure WSUS to require SSL In an administrative command prompt on CM01, browse to the location of WSUS installation files. cd C:\Program Files\Update Services\Tools Next issue the following command where CM01.windowsnoob.lab.local is the Fully qualified domain name of your ConfigMgr server hosting WSUS. WsusUtil.exe configuressl cm01.windowsnoob.lab.local The results are shown below: Step 4. Configure SCCM to use HTTPS In this step you will configure SCCM to operate in HTTPS mode. To do that, first bring up the site properties in the SCCM Console on CM01. To bring up the site properties, select the Administration workspace, select Site Configuration, select your site and in the ribbon choose Properties. Next, click on Client Computer Configuration, select HTTPS only from the options and then select Apply. Note: If you have both HTTP and HTTPS site systems in your environment, keep the second box checked (HTTPS or HTTP) and enable the Use PKI client certificate (client authentication capability) when available check box. Step 5. Verify that the Distribution Point, Management Point and Software Update Point are using SSL Next you need to verify the DP (and perform some additional configuration), MP and SUP roles are using SSL. To do this, select the Administration workspace in the console, click Site Configuration, select Servers and Site System roles, and select the Distribution Point role. Right click it and choose Properties to bring up the Distribution Point role properties. You should see that it is already configured for HTTPS. Next you need to add the certificate used by clients being imaged by operating system deployment in WinPE or for WorkGroup based clients, to do so, click on Import Certificate and select Browse, browse to the location where you saved the osdcert.pfx file, enter the password you specified, and click Apply. Click OK to close the Distribution Point role properties. Next, select the Management Point role properties, they are shown below, again, HTTPS is selected by default as you set it site wide with the HTTPS only option. When you selected HTTPS Only in the Client Computer Communication of the site properties, this initiated the Management Point to reinstall itself with the new settings, as you can see here in the sitecomp.log. In addition in the mpsetup.log you can see that it's configured for SSL Finally you can check mpcontrol.log this log logs the status of your Management Point, and in there you can verify that the Management Point is up and running and communicating OK in HTTPS mode and that it has successfully performed Management Point availability checks. Next, double click the Software Update Point role to review it's properties. Place a check in the Require SSL communication to the WSUS Server check box. Click Apply and click OK to close the Software Update Point properties. At this point open the WCM.log and look for a line that reads Step 6. Verify Client Received Client Certificate and SCCM Client Changes to SSL Logon to the Windows 10 1803 client and start and administrative command prompt, from there launch certlm.msc to bring up Certificates on the Local Machine. Browse to Personal and Certificates, and you should see the SCCM Client Certificate listed. Note: I assume you've already installed the ConfigMgr client agent using whatever method your prefer on the Windows 10 1803 virtual machine. Next, open the Control Panel and locate the Configuration Manager client agent in System and Security, and open it. If the client was just installed the Client Certificate will probably state Self-Signed (or None if you have just installed the client..). After a couple of minutes, close and then reopen the client and you should see that the Client Certificate states PKI. At this point, open the ClientIDManagerStartup.log in C:\Windows\CCM\Logs and you can see Client PKI cert is available. You can also verify client communication to the Management Point in the CCMMessaging.log and we can see it's successful in that communication. Job done ! You've successfully converted SCCM from HTTP to HTTPS using your PKI lab, and you've verified that the client is operating in HTTPS mode. In the next parts we'll look at the Cloud Management Gateway and Cloud Distribution Point. Recommended reading (1) - https://technet.microsoft.com/en-us/library/bb633246.aspx
  22. In a previous series of guides I showed you how to configure PKI in a lab on Windows Server 2016. In another series, I also showed you how to install System Center Configuration Manager (Current Branch) version 1802 on Windows Server 2016 with SQL Server 2017. In this lab, I will show you how to configure SCCM to utilize that PKI environment. This series is based upon an excellent video by the talented former Microsoft Premier Field Engineer Justin Chalfant here. If you haven't seen it yet, do check it out. The intention here is that after you've completed this PKI enabled SCCM lab you can then use this in future guides, and to dig deeper into new technologies from Microsoft, for example enabling a Cloud Management Gateway and/or Cloud Distribution Point and using later on, using Co-Management. Note: To complete this lab you must first complete the PKI Lab series (8 parts) and then install a new virtual machine within that PKI lab running System Center Configuration Manager (Current Branch) version 1802 utilizing this series (4 parts), that installation of Configuration Manager will be in HTTP mode. In addition, you must configure the Software Update Point role (in HTTP mode) on CM01 See this guide (step 2 onward) for details. For details how to configure that, see this post. It will take some time to setup but you'll be glad you did. Also, don't do this in production without consulting with a PKI Expert. I don't claim to be one, I'm just helping you get it up and running in a lab. This is intended for use in a lab only. Step 1 - Create an Active Directory Security Group In this step you'll create an active directory group which will contain all your site systems that use Configuration Manager server roles which utilize IIS (Internet Information Systems) such as the below (1): Management point Distribution point Software update point State migration point Enrollment point Enrollment proxy point Application Catalog web service point Application Catalog website point A certificate registration point On the Active Directory domain controller (DC01), open Active Directory Users and Computers, and expand the windowsnoob organisational unit (OU) created in this Step 1, part 5 of this blog post. Click on Security Groups, and then right click and choose New, select Group. Give the group a name, SCCM IIS Servers. Once done, right click on the SCCM IIS Servers Active Directory Security Group, choose Properties and click on the Members tab, click on Add, for Object Types make sure Computers are selected. Add the Configuration Manager server (CM01) to that group. Once done, reboot the Configuration Manager server (CM01) using the following command otherwise you might get access denied when trying to request a certificate. shutdown /r Step 2. Create certificate templates on the Issuing CA In this step you will create three new certificate templates for use within SCCM by duplicating existing templates. Using the windowsnoob\Entadmin credentials, logon to the Issuing CA server (IssuingCA) and launch the certificate authority console (CertSrv.msc). In the three templates below, one uses the Web Server template, and the others use the Workstation Authentication template, you can verify which Microsoft certificate template to use by using the tables on the following blog post, of which i'm showing a screenshot below to make it clear. 1. SCCM IIS Certificate Right click on Certificate Templates and choose Manage. Scroll down to Web Server from the templates listed. Right click on the Web Server template and choose Duplicate Template. The Properties of New Template screen appears. Verify that the Certificate Authority Compatibility settings are set to Windows Server 2003. Note: When you use an enterprise certification authority and certificate templates, do not use the Version 3 templates. These certificate templates create certificates that are incompatible with System Center Configuration Manager. Instead, use Version 2 templates by using the following instructions. On the Compatibility tab of the certificate template properties, specify Windows Server 2003 for the Certification Authority option, and Windows XP / Server 2003 for the Certificate recipient option. (1) Click on the General tab and rename it to SCCM IIS Certificate. On the Request Handling tab, verify that Allow private key to be exported is not selected (default). On the Subject Name tab verify that the Supply in the Request is selected (default). On the Security tab, add the previously created Active Directory Security Group called SCCM IIS Servers and give it Read and Enroll access. Optionally you can remove Enroll from the Domain Admin and Enterprise Admins as it is mentioned in the docs. Click Apply to apply the changes and then close the Properties of New Template. 2. SCCM DP Certificate This template is used by the distribution point site system for Operating System Deployment (clients that are not domain joined). Next, right click on Workstation Authentication from the templates listed and choose Duplicate Template. The Properties of New Template screen appears. The Properties of New Template screen appears. Verify that the Certificate Authority Compatibility settings are set to Windows Server 2003. Click on the General tab and rename it to SCCM DP Certificate, change the validity period to something more reasonable, like 3 years. On the Request Handling tab, ensure that Allow private key to be exported is selected to allow us to export the certificate as a pfx file and we need the private key to do so, as we'll import that certificate into our console so that the clients can utilize it during imaging (workgroup members, to authenticate back to your site). On the Security tab, add the previously created Active Directory Security Group called SCCM IIS Servers and give it Read and Enroll access. Next, remove Domain Computers altogether. Click Apply to apply the changes and then close the Properties of New Template. 3. SCCM Client Certificate This template is used by clients to communicate with site systems. Next, right click on Workstation Authentication from the templates listed and choose Duplicate Template. The Properties of New Template screen appears. The Properties of New Template screen appears. Verify that the Certificate Authority Compatibility settings are set to Windows Server 2003. Click on the General tab and rename it to SCCM Client Certificate, change the validity period to something more reasonable, like 3 years. Under Subject Name verify that Build from Active Directory is selected. On the Request Handling tab, verify that Allow private key to be exported is not selected (default). On the Security tab, select Domain Computers and ensure that Read, Enroll and AutoEnroll permisions are selected. Click Apply to apply the changes and then close the Properties of New Template. The three SCCM templates are now shown below. Close the Certificate Templates console. Next you will issue these certificate templates. To do so, in the Certificate Authority (on the IssuingCA), right click on Certificate Templates and choose New, then Certificate Template to Issue. In the Enable Certificate Templates window, select the 3 previously created SCCM templates as shown below and click OK. They will now appear under Certificate Templates. Step 3. Verify Auto-Enrollment GPO is enabled for the Client Certificate In Part 8 of the PKI lab you enabled Auto Enrollment so that clients can request certificates automatically. As it is a lab, the setting is deployed in the default domain GPO. The setting is in Computer Configuration, Policies, Windows Settings, Security Settings, Public Key Policies, and Certificate Services Client - Auto Enrollment. The setting should look like so (Enabled). Step 4. Requesting the IIS and DP/OSD Certificates on the IIS Site System On the SCCM server (CM01), which hosts all those IIS ConfigMgr roles, start certlm.msc from an Administrative command prompt. if you expand Personal, then Certificates, you'll see certificates issued to that computer, there will be a few by default. In the administrative command prompt, run gpupdate /force to pull down group policy changes...and refresh the view in certlm. Below you can see the SCCM Client Certificate template was used to generate this Client Authentication certificate. Requesting New certificates Next, you will request certificates from Active Directory, to do so, right click on Certificates and choose All Tasks then Request New Certificate. click Next at the Before you begin screen, and verify that Active Directory Enrollment Policy is selected before clicking Next. Select the SCCM DP Certificate and SCCM IIS Certificate from those listed (you already have the SCCM Client Certificate from AutoEnrollment). You'll notice that for the SCCM IIS Certificate, more information is required to enroll, Click on the message to enter this info. For Alternative Name, choose the DNS option and then click on Add to add the hostname and fully qualified domain name of your SCCM server (CM01). Note: If you want this server to be available via IBCM you could also add the publicly available FQDN of the site here (eg: cm01.windowsnoob.com) Next Click on General, and give this cert a friendly name so we can distinguish it in IIS later when we bind it. click OK, then click Enroll. It should state a status of Succeeded for both certificates. If not look at the details to find out what went wrong. Click Finish to exit. Exporting the Distribution Point certificate Next you need to export the Distribution Point certificate so that during OSD the client can authenticate to the management point in WinPE. To do that, refresh the view in Certificates (certlm.msc) and then select the client authentication certificate created with the SCCM DP Certificate template. Right click and choose All Tasks, then select Export. In the welcome to certificate export wizard click Next and choose to export the private key. stick with the defaults and give it a password that you will use when you import it back into the SCCM Console, I used P@ssw0rd Save the cert to your desktop. and continue through that wizard until completion. You should see that the export was successful. That's it for this part, please join me in part 2 where we will complete the configuration of SCCM to HTTPS. cheers niall Recommended reading (1) - https://docs.microsoft.com/en-us/sccm/core/plan-design/network/pki-certificate-requirements
  23. Introduction Today (in Seattle WA) Thursday the 22nd of March, 2018, System Center Configuration Manager (Current Branch) version 1802 was released. You can read the official announcement here and for a detailed list of what's new, please see the following blog post. The white elephant above is based upon an original graphic which I found here, thanks Djam ! Understanding the different SCCM releases There are two main branches of Configuration Manager currently available, Current Branch and Technical Preview. System Center Configuration Manager (Current Branch) is designed for use in production environments, for managing anything from relatively small to very very large Enterprises, whereas System Center Configuration Manager (Technical Preview) is for lab testing environments only and is limited to 10 clients. The Technical Preview releases are released monthly, and contain the latest and greatest features that are being trialed in the product, and usually these new features are the result of feedback from uservoice. Current Branch releases on the other hand are released only a few times per year and contain stable, tested features that are mature enough to release into production environments. Note: You cannot upgrade from a Current Branch to Technical Preview or vice versa, they are two distinct different branches. The following versions have been previously released since Microsoft moved to the Current Branch release cadence for Configuration Manager: Source Microsoft. A note about Baseline versions Baseline versions are versions of Configuration Manager that you can use to perform a clean install of Configuration Manager or when upgrading a supported version of System Center Configuration Manager 2012 hierarchy to Current Branch. Baseline versions are available for download in the Microsoft Volume License Service Center. As System Center Configuration Manager (Current Branch) version 1802 is now the new Baseline, you should it for all new installs (or applicable upgrades) until the next Baseline version is released. Note: Even though 1802 is listed as a baseline version here, it is not yet available for download on MVLS (as of 2018/3/25). Usually it takes a few weeks to get the new build media in place, so until that happens you can continue to use the 1702 baseline media for new installs and supported upgrades. Upgrading to 1802 Current Branch In a previous post you used PowerShell scripts to install System Center Configuration Manager (Current Branch) version 1702. This post will focus on upgrading from one current branch version to version 1802. This post assumes you are running a minimum version of 1702 of System Center Configuration Manager (Current Branch). If you have a hierarchy containing a CAS and one or more Primaries, then you must upgrade the CAS first before upgrading the Primary site servers. Note: Before upgrading, please review the following checklist to verify you are ready for the update. Fast ring versus Slow ring Do you want it now or later ? If you want it right now then you have the choice of getting the release immediately using a method called the fast ring. The fast ring method uses a PowerShell script which you download from Microsoft. After running the PowerShell script, the upgrade will show up in the ConfigMgr console. Note: The fast ring method is usually only available for the first 2 weeks after a Current Branch release is released. If however you decide to wait a couple of weeks after the release is publicly available, then the upgrade will be released to the slow ring and at that point it will show up in the ConfigMgr console for all Current Branch hierarchies without the need for running any PowerShell script. If you want to use the Fast Ring, download the PowerShell script and run it to self-extract to FastRingScript_1802. Once extracted, start an Administrative PowerShell command prompt in that folder and from there use the following command (where CM01 is the <SiteServer_Name | SiteServer_IP> of your CAS or standalone Primary site server). .\EnableFastUpdateRing1802.ps1 CM01 Next, open the ConfigMgr console and find Updates and servicing in the Administration node. Click on Check for Updates in the ribbon, followed by Refresh. After a few minutes you should see that Configuration Manager 1802 is listed with a state of Available to download as shown below. Note: If the upgrade does not show up in the console even after refreshing the view, you can restart the SMS_Executive component in Configuration Manager Service Manager in the Monitoring node of the console or alternatively restart the Configuration Manager server. After some time the update will automatically start downloading at which point you can open the dmpdownloader.log using CMtrace to keep track of things. Once it has completed downloading, the update pack will be listed in the ConfigMgr console with a state of Ready to Install. You may need to click refresh in the ConfigMgr console to update the view. Installing the Update pack Right click on the update and choose Install Update Pack. when the Wizard appears, make your choice for pre-requisites and click next. review the features included in this update pack , and make selections if you wish, you can always add them later in the Console. Note: You'll also notice lots of Pre-Release features that are greyed out, to turn them on see the steps after upgrading the console the bottom of this guide. Before clicking next at the Client update settings please see this post accept the EULA and configure the software assurance expiration date and continue through until the wizard is complete. Monitoring the update In the console, the update pack state will change to Installing (refresh the console view to see this). Clicking on Show Status will give you detailed info about the state the Installation is in, there are 5 distinct phases in the top pane: Download Replication Prerequisite Check Installation Post Installation Selecting a phase will highlight what state the update is in, including what (if any) problems it has. Logs, logs and more logs. During the upgrade you should monitor the following log files available in <drvletter>:\Program Files\Microsoft Configuration Manager\Logs, you can use CMTrace to do so. CMUpdate.log Hman.log These logs will detail the installation of the update pack. you should also pay close attention to the following log files present in the root of C:\. CompMgrProv.Log ConfigMgrPrereq.log ConfigMgrSetup.log After the update is complete, click Refresh in the console and you'll be reminded to update the ConfigMgr Console via a popup, the new version is 5.1802.1082.1700. Make sure to update your console as you cannot use the new features until you do. The observant among you will notice a change to the Console versioning. The new console version is 5.1802.1082.1700 versus the old console version (in my lab) which was 5.00.8577.1100. The new Console versioning works as follows: Major Minor Build Revision So that translates to... Major = 5 Minor = 1802 Build = 1082 Revision = 1700 Click OK to upgrade your ConfigMgr console, and after all is done you’ll see the 1802 version listed in the console. and clicking on about shows you Enabling Pre-release features If you want to use the Pre-Release features, then select the Administration node, select Site Configuration, Sites, Hierarchy Settings, and place a check mark in Consent to use Pre-Release features. After that, select Updates and Servicing, click on the Update Pack, select Features and in the right pane of the ConfigMgr console you'll be able to turn pre-release features on or off by right clicking and choosing Turn on or Turn off. Summary This release is packed with great features and new functionality and proves that the SCCM as a Service (SAAS) model is working. Not only is it working but quick adoption by Enterprises large and small is proof indeed that they like and trust the direction that ConfigMgr is evolving towards. If you are not on Twitter yet then get on it, and Tweet a thank you to David James (@Djammmer) and his Team for the amazing work they do. Recommended reading System Center: Configuration Manager - https://blogs.technet.microsoft.com/configurationmgr/ Checklist for updating to SCCM 1802 - https://docs.microsoft.com/en-us/sccm/core/servers/manage/checklist-for-installing-update-1802 What's new In System Center Configuration Manager (Current Branch) 1802 - https://docs.microsoft.com/en-us/sccm/core/plan-design/changes/whats-new-in-version-1802 Co-Management for Windows 10 devices - https://docs.microsoft.com/en-us/sccm/core/clients/manage/co-management-overview Log files in System Center Configuration Manager - https://docs.microsoft.com/en-us/sccm/core/plan-design/hierarchy/log-files
  24. Hi all, First time poster, so apologise in advance if I post incorrectly. Currently building Windows 10 devices, some are upgrades from Windows 7 to Windows 10 and others are fresh Windows 10 using SCCM (MDT integrated). This works as expected, but when I log in and check TPM Administration the following message show up Reduced Functionality errors codes 0x400900 = The Device lock counter has not be created 0x2900 = The monotonic counter incremental during the boot has not been created Do I need to do something in the Task Sequence to clear the protectors or clear TPM before BitLocker is enabled Cheers all
  25. Hi all, I was trying to deploy a Task sequence, which I Copied from standard T.S. and made little change and trying to test it before using. This T.S. is to make BIOS system to UEFI system in boot (Dell system) and then install OS. But when I try to implement this its throwing an error code "0x80004005". I am pasting my SMSTS log file. Please help me. Log: please see the attachment.
×