Tuesday, 28 March 2017

My favourite features of ConfigMgr 1702

Configuration Manager Current Branch 1702 was released this week and is available as an in-console update for existing 1606 and 1610 sites. Read the official blog post here.

As we've come to expect, 1702 offers a raft of new features for managing our estate of devices. There are some big hitters such as:
  • Support for express installation files for Windows 10 updates
  • Ability to add software update points to boundary groups to control which SUP clients can use
  • Being able to configure Office 365 installation settings from the Office 365 Client Management dashboard
Note that there are some deprecations also. Most notably, support has been dropped for the following:
  • SQL Server 2008 R2 for site database servers
  • Windows Server 2008 R2, for site system servers and most site system roles

Often though, my favourite features are less obvious. I've got two in this latest release:

1. I've always hated it when customers ask me to create an OSD solution and give them the ability to deploy the OS using stand-alone media. I didn't like the idea of sending USB keys out into the field with no version control and no good way to withdraw them once they were superseded. Now we can set start and expiration dates on stand-alone media. Perfect: we can time-bomb the media so that it won't work after a pre-defined period. One caveat: stand-alone media is offline by definition, so the dates can only be checked against the clock of the device it is booted on. Treat expiry as protection against stale media being used by mistake, combine it with the media password option, and keep secrets out of the task sequence as before.

I've configured the media so that it can't be used for a few days and will then expire in 2 months. I don't care if I never get it back now.

2. A new hardware inventory class (SMS_Firmware) with a UEFI property has been added to determine whether a computer is configured to start in UEFI mode. This is a welcome addition, as we can now report on the UEFI status of the estate. You're missing a trick if you're not using UEFI and enabling security features like Secure Boot. After all, you already own it. That's like not locking the doors of your house or car because you couldn't be bothered.
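The inventory class tells you whether a machine is in UEFI mode, but not whether Secure Boot is actually on. The following is an added example (not code from the original post or from Microsoft): a discovery script for a ConfigMgr configuration item that reports both, so non-compliant machines show up in the estate alongside the inventory data. The compliance rule it expects (the returned string equals `UEFI;SecureBootOn`) and the registry fallback path are assumptions on my part.

```powershell
# Added example: configuration-item discovery script for firmware mode and Secure Boot state.
# Run as SYSTEM by the ConfigMgr client; also runs in an elevated console for testing.
# Assumed compliance rule: the single value written to stdout must equal 'UEFI;SecureBootOn'.

function Get-FirmwareSecurityState {
    # $env:firmware_type is populated by Windows 8 / Server 2012 and later: 'UEFI' or 'Legacy'.
    $firmware = if ($env:firmware_type) { $env:firmware_type } else { 'Unknown' }

    $secureBoot = 'Unknown'
    if ($firmware -eq 'UEFI') {
        try {
            # Confirm-SecureBootUEFI needs elevation and throws on non-UEFI firmware.
            $secureBoot = if (Confirm-SecureBootUEFI) { 'SecureBootOn' } else { 'SecureBootOff' }
        } catch {
            # Fallback (assumption): the Secure Boot state value the OS keeps in the registry.
            $state = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State' `
                                      -Name UEFISecureBootEnabled -ErrorAction SilentlyContinue
            if ($null -ne $state) {
                $secureBoot = if ($state.UEFISecureBootEnabled -eq 1) { 'SecureBootOn' } else { 'SecureBootOff' }
            }
        }
    } else {
        # Secure Boot cannot exist without UEFI, so a legacy BIOS machine is non-compliant by definition.
        $secureBoot = 'NotApplicable'
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        FirmwareType = $firmware
        SecureBoot   = $secureBoot
    }
}

$state = Get-FirmwareSecurityState
# A CI discovery script returns one value; the object above is handy when testing interactively.
Write-Output ("{0};{1}" -f $state.FirmwareType, $state.SecureBoot)
```

Deploy the CI in a baseline to the same collections you report on with the new SMS_Firmware class; the inventory answers "who can boot UEFI", the baseline answers "who is actually protected".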

I hope you're enjoying 1702. Until next time.....

Thursday, 2 March 2017

ConfigMgr OSD - use MDT without using MDT

The title may not make much sense but please read on about a recent customer requirement.

Customer requirement

In the task sequence, set the computer name to match the service tag


Easy - use the OSDComputerName variable with a value of %SerialNumber% (or was it that easy?)

Problem Statement

How does the %SerialNumber% value get populated in this case? This is straightforward if I'm using MDT integration as I can use the Gather step. However, the customer does not have MDT integrated and this would take a few weeks to organize with a strict change request procedure.
So what do I do?

Solution (revised)

Do I actually need MDT integrated or do I just need some MDT files?

I had a word with @ncbrady from @WindowsNoob and we came up with a plan. I installed MDT on a laptop and created a deployment share.

I figured that these files were all that I needed - only 45MB. I copied the files to my content source location and created an MDT Gather package (with no program).
Then I configured the TS as shown in the screenshots.

First I ran ZTIGather.wsf with this command

Cmd.exe /c cscript.exe .\Scripts\ZTIGather.wsf /debug:TRUE

This was to "discover" the service tag.

The next step was to set the hostname to match the serial number (service tag).

Unfortunately the task sequence failed:

"Gathering complete, but no INI file found" with an error code of 0x00001F40

On examining the smsts.log file, the hostname had in fact been set to the service tag, even though the task sequence failed. Happy days. I was just missing a CustomSettings.ini file. I manually created a default .ini file and copied it to the Scripts folder.
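One thing the plain `OSDComputerName = %SerialNumber%` approach doesn't handle is a serial number that is not a valid computer name: virtual machines report long strings with spaces (for example `VMware-56 4d ...`), some OEM boards ship with placeholder text, and a NetBIOS name is limited to 15 characters. Below is an added example (not from the original post) of a "Run PowerShell Script" step placed after the ZTIGather step: it reads the `SerialNumber` variable ZTIGather populated, sanitises it, and writes `OSDComputerName`. The prefix handling, the placeholder list and the "keep the tail of a long serial" rule are my assumptions; adjust them to your naming standard.

```powershell
# Added example: set OSDComputerName from the MDT-gathered serial number, with sanitising.
# Runs inside the task sequence (boot image needs the PowerShell component); outside a TS it
# only prints what the name would be, so it can be tested on a technician PC.

function ConvertTo-ComputerName {
    param(
        [Parameter(Mandatory)][string]$SerialNumber,
        [string]$Prefix = ''                      # assumption: optional site/department prefix
    )
    # Known placeholder serials (assumption: extend with what your hardware reports).
    if ($SerialNumber -match 'To be filled|Default string|System Serial Number|^\s*$') {
        throw "Serial number '$SerialNumber' is a placeholder; refusing to build a name from it"
    }
    # NetBIOS names: max 15 characters, letters and digits only (hyphen allowed, but avoided here).
    $clean = ($SerialNumber -replace '[^A-Za-z0-9]', '').ToUpperInvariant()
    if (-not $clean) { throw "Serial number '$SerialNumber' contains no usable characters" }
    $maxLen = 15 - $Prefix.Length
    if ($clean.Length -gt $maxLen) {
        # Keep the tail: on long VM serials the leading part is the vendor string, not the unique part.
        $clean = $clean.Substring($clean.Length - $maxLen)
    }
    return "$Prefix$clean"
}

$tsenv = $null
try { $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment } catch { }

if ($tsenv) {
    $serial = $tsenv.Value('SerialNumber')                    # populated by ZTIGather.wsf
    if (-not $serial) { $serial = (Get-CimInstance Win32_BIOS).SerialNumber }  # belt and braces
    $name = ConvertTo-ComputerName -SerialNumber $serial
    $tsenv.Value('OSDComputerName') = $name
    Write-Output "OSDComputerName set to $name (from serial '$serial')"
} else {
    # Not in a task sequence: show the mapping for this machine without changing anything.
    $serial = (Get-CimInstance Win32_BIOS).SerialNumber
    Write-Output ("{0} -> {1}" -f $serial, (ConvertTo-ComputerName -SerialNumber $serial))
}
```

A throw inside the step fails the task sequence with the reason in smsts.log, which is preferable to a domain join that fails later with an unhelpful name error.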



That did it - SUCCESS.
Thanks for the assistance Niall.

Until next time.......

Edit #1:

Jörgen Nilsson has contacted me to say that only a few of the MDT files are actually required (less than 800KB). Here they are:

Thanks Jörgen.

Edit #2:

I've had some feedback about other ways to set the computer name to the service tag without using MDT. Thanks for that. However, the whole point of this post was to show how you can achieve MDT functionality without actually integrating MDT with ConfigMgr.

After all, the title is "Use MDT without using MDT".

Tuesday, 17 January 2017

PowerShell script - add and configure Intune Subscription

I've been deploying Microsoft Intune a lot recently. Adding and configuring the Intune subscription in the Configuration Manager console is very straightforward but can be time-consuming. I've created a simple PowerShell script to automate this.

This script adds an Intune subscription to ConfigMgr Current Branch and configures the subscription to enable management of Android, iOS, Windows and Windows Phone devices.

The cmdlets in this script require a valid Intune subscription. They require Configuration Manager 1511 or later, although it is recommended to use 1606 or later. There are published workarounds for using the cmdlets in pre-1606 environments.

Instructions for use
  1. Download an APN certificate request from ConfigMgr and generate the APN certificate at https://identity.apple.com in advance of running this script. Save the Apple APN certificate to a local folder, e.g. E:\Sources\MDM\Apple\AppleCert.pem
  2. Save script to installation folder
  3. Install the System Center Configuration Manager Cmdlet Library (if you are already using PoSH with ConfigMgr you will have done this already) https://www.microsoft.com/en-us/download/details.aspx?id=46681
  4. Run PowerShell and browse to the installation folder (you may have to run PoSH as administrator, as the first step is to set the execution policy to Unrestricted; note that this is a machine-wide change, so set it back afterwards, or use RemoteSigned with -Scope Process if you edit the script)
  5. Run IntuneSubscriptionScript.ps1
  6. The script will prompt you to enter the following information:
  • Enter Site Server name
  • Enter Site Code
  • Enter Intune subscription username
  • Enter Intune subscription password
  • Enter Company Color Scheme (options: Blue, Magenta, Purple, Teal, Lime, Brown, Pink, Orange, Red or Green)
  • Enter your organization name
  • Enter valid contact email address
  • Enter contact name
  • Enter path to Apple APN certificate
  • Enter Apple APN certificate password - leave blank if no password
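The script collects all of the above interactively and, as noted further down, has little error checking yet. As an added example (not the author's script, and not calling any Configuration Manager cmdlet), here is the front half I would put in front of those prompts: it validates the answers before anything touches the site, reads both passwords as SecureStrings rather than plain text, and scopes the execution-policy change to the current process. Parameter names, the regular expressions and the PEM check are my assumptions.

```powershell
# Added example: validate the subscription inputs and collect secrets safely before calling
# the subscription cmdlets. Nothing here changes the site; it only returns a checked input set.

$ValidColors = 'Blue','Magenta','Purple','Teal','Lime','Brown','Pink','Orange','Red','Green'

function Test-IntuneSubscriptionInput {
    param(
        [Parameter(Mandatory)][string]$SiteServer,
        [Parameter(Mandatory)][string]$SiteCode,
        [Parameter(Mandatory)][string]$ContactEmail,
        [Parameter(Mandatory)][string]$ColorScheme,
        [Parameter(Mandatory)][string]$ApnCertPath
    )
    $errors = @()
    if ($SiteCode -notmatch '^[A-Za-z0-9]{3}$')              { $errors += "Site code '$SiteCode' must be three alphanumerics" }
    if ($SiteServer -notmatch '^[A-Za-z0-9][A-Za-z0-9.-]+$')   { $errors += "Site server '$SiteServer' is not a valid host name" }
    if ($ContactEmail -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$')  { $errors += "Contact email '$ContactEmail' is not an address" }
    if ($ValidColors -notcontains $ColorScheme)                { $errors += "Colour scheme must be one of: $($ValidColors -join ', ')" }
    if (-not (Test-Path -LiteralPath $ApnCertPath -PathType Leaf)) {
        $errors += "APN certificate '$ApnCertPath' not found"
    } elseif ((Get-Content -LiteralPath $ApnCertPath -Raw) -notmatch 'BEGIN CERTIFICATE') {
        # Assumption: the file downloaded from identity.apple.com is a PEM-encoded certificate.
        $errors += "'$ApnCertPath' does not look like the PEM certificate from identity.apple.com"
    }
    return $errors
}

# Same questions the script asks, but secrets never appear on screen or in the transcript.
$in = @{
    SiteServer   = Read-Host 'Site server FQDN'
    SiteCode     = Read-Host 'Site code'
    ContactEmail = Read-Host 'Contact email'
    ColorScheme  = Read-Host "Colour scheme ($($ValidColors -join '/'))"
    ApnCertPath  = Read-Host 'Path to Apple APN certificate (.pem)'
}
$intuneCred = Get-Credential -Message 'Intune subscription account'        # PSCredential, SecureString inside
$apnPwd     = Read-Host 'APN certificate password (blank if none)' -AsSecureString
if ($apnPwd.Length -eq 0) { $apnPwd = $null }                              # blank means the .pem is unprotected

$problems = Test-IntuneSubscriptionInput @in
if ($problems) { $problems | ForEach-Object { Write-Error $_ }; return }

# Process-scoped: gone when this window closes, no machine-wide Unrestricted policy left behind.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force

# Hand the checked values (plus the secrets) to the part of the script that creates the subscription.
[pscustomobject]($in + @{ IntuneCredential = $intuneCred; ApnPassword = $apnPwd })
```

The point of returning a PSCredential and a SecureString is that the values can be passed straight to cmdlets that accept them, so the Intune password never exists as a plain string in the script's variables or in a PowerShell transcript.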

The script will create the hybrid Intune subscription with your required parameters.

It will then enable management for Android, iOS, Windows and Windows Phone platforms.

Android enabled.

iOS enabled.

Windows enrolled as MDM enabled.

Windows Phone enabled.
Note that the script does not have much error checking for now. I'll get to that when I have a chance.
Download from the TechNet gallery and try it.
Until next time....

Monday, 2 January 2017

Manage Windows Defender ATP with ConfigMgr or Intune

As a result of a customer request I was recently reading about Windows Defender Advanced Threat Protection (ATP). It is a really cool Microsoft cloud service that integrates with Windows 10 v1607 (Enterprise, Education and Professional versions) and allows organizations to detect, investigate and respond to advanced threats on their networks. The service uses telemetry data sent from the Windows 10 devices to a private and isolated cloud instance of Windows Defender ATP. This telemetry data is supplemented by advanced threat intelligence and is translated into detections and recommended responses.

This sounded great to me so I wanted to give it a go. I was very curious to find out how straightforward it would be to deploy the technology in an organization and how quickly and easily I could receive meaningful information and recommendations.

How do you get Windows Defender ATP?

A Windows 10 Enterprise E3 license includes advanced security features such as Device Guard, Credential Guard and Managed User Experience. A Windows 10 Enterprise E5 license includes all the features and functionality available in Windows 10 Enterprise E3 plus Windows Defender Advanced Threat Protection and advanced IT administration management.

OR you can do what I did for this blog post and apply for a trial. Sign up for a Windows Defender ATP trial here

Tip: There is no guarantee that you will be accepted for a trial. I was turned down once but was approved the second time. In my second application I was economical with the truth regarding the number of PCs in my company.

You will get an acknowledgment to tell you that your application will now be reviewed and that you will be contacted within 7 business days. In actual fact it will be more like 3 days.

You will then receive an email with log in details and endpoint onboarding instructions.

Welcome to the Windows Defender Security Center.

Endpoint onboarding

Select Endpoint Management > Endpoint Onboarding

There are five methods of onboarding available. Select the one you need and click "Download package".

Group Policy
Use this method if you have no device management tool.

The package contains an admx and adml file that are to be deployed to the endpoints. You will find full instructions here

SCCM 2012/2012R2/1511/1602
Use this method for SCCM versions earlier than 1606. Why are there two different deployment methods for SCCM? This is because Windows Defender ATP Policies are natively integrated with SCCM v1606 and later.

This download package contains a single script that you can deploy using the traditional package/program method - full instructions here

Microsoft Intune

This package contains a single .onboarding file. This is to be deployed using a Windows 10 custom configuration policy with the following OMA-URI settings:
  • Setting name: eg Windows Defender ATP Policy
  • Setting description: eg Windows Defender ATP Policy
  • Data type: Select String.
  • OMA-URI: ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding
  • Value: Copy and paste the contents of the WindowsDefenderATP.onboarding file you downloaded.
Local script
Use this option if you want to onboard devices manually (for testing purposes, perhaps).

The package contains a single script file that you can run manually (as administrator) on a Windows 10 device.

SCCM v1606
This is the option I am interested in for this blog post.

The package contains a single .onboarding file which we can deploy with SCCM.

First navigate to Administration > Cloud Services > Updates and Servicing > Features. Right click and Turn on Windows Defender Advanced Threat Protection. 

Restart the console and navigate to Assets and Compliance > Endpoint Protection. Windows Defender ATP Policies is new.

Right click to create a new policy.

Name the policy and choose onboarding.

Browse to the .onboarding file that you downloaded earlier. The Organization ID automatically populates.

Choose the sample-collection setting. The default is not to share any files; "All files" allows the service to collect file samples from the endpoint for deeper analysis. Samples can contain sensitive content, so agree this setting with whoever owns the data before enabling it.

Click Next to continue and create the policy.

The policy has been created and now can be deployed to a collection of Windows 10 1607 devices.

Troubleshooting endpoint onboarding

I manually ran Machine Policy retrieval on my test computer (I only had one) but nothing seemed to happen for about an hour. I wasn't sure how long it should take, so I carried out some troubleshooting in the meantime.

Deployment status:

All looked normal with the SCCM deployment.

Event log:

Applications and Services Logs > Microsoft > Windows > SENSE

No errors in event log. Actually there was evidence that the local Defender ATP service had successfully contacted the cloud service.

Telemetry and diagnostics service:

Service enabled and started.

Defender ATP Service:

Service started.

If your endpoints are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not disabled in system policy. You can find full details of this here
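All of the checks above (deployment aside) can be done in one pass from PowerShell, which is worth having when the next rollout covers more than one test machine. This is an added example rather than anything from the original post: it reads the onboarding status key, the two services, the ELAM driver and recent SENSE errors, and returns them as a single object. The registry path and value names, service names and log name are the ones Microsoft documents for Windows Defender ATP onboarding; the `Healthy` rule at the end is my own summary and an assumption.

```powershell
# Added example: verify Windows Defender ATP onboarding on a Windows 10 1607 endpoint.
# Run elevated locally, or remotely via Invoke-Command against a collection's members.

function Test-AtpOnboarding {
    # OnboardingState = 1 once the endpoint has onboarded; OrgId is the tenant it reports to.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $status    = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue

    # Sense = Windows Defender ATP service; DiagTrack = the telemetry service it depends on.
    $sense     = Get-Service -Name Sense     -ErrorAction SilentlyContinue
    $diagTrack = Get-Service -Name DiagTrack -ErrorAction SilentlyContinue

    # WdBoot is the Windows Defender ELAM driver; it must not be disabled when third-party AV is present.
    $elam = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='WdBoot'" -ErrorAction SilentlyContinue

    # Most recent errors (Level 2) in the SENSE operational log; the first one is usually the answer.
    $senseErrors = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SENSE/Operational'; Level = 2 } `
                                -MaxEvents 10 -ErrorAction SilentlyContinue

    $result = [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        OnboardingState   = if ($status) { $status.OnboardingState } else { $null }
        OrgId             = if ($status) { $status.OrgId } else { $null }
        SenseService      = if ($sense) { "$($sense.Status)/$($sense.StartType)" } else { 'missing' }
        DiagTrackService  = if ($diagTrack) { $diagTrack.Status } else { 'missing' }
        ElamDriverStart   = if ($elam) { $elam.StartMode } else { 'missing' }
        RecentSenseErrors = @($senseErrors).Count
        LastSenseError    = if ($senseErrors) { @($senseErrors)[0].Message } else { $null }
    }

    # Assumed health rule: onboarded, both services running, no recent SENSE errors.
    $result | Add-Member -NotePropertyName Healthy -NotePropertyValue (
        $result.OnboardingState -eq 1 -and
        $sense -and $sense.Status -eq 'Running' -and
        $diagTrack -and $diagTrack.Status -eq 'Running' -and
        $result.RecentSenseErrors -eq 0
    ) -PassThru
}

Test-AtpOnboarding | Format-List
```

If `OnboardingState` is missing, the policy has not reached the client yet (check the deployment, as above); if it is 1 but the machine does not appear in the portal, the usual cause is the Sense service unable to reach the cloud, which the SENSE log will show as errors.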

So what now??

After about an hour of unnecessary troubleshooting and second-guessing I could see my endpoint onboarded and healthy.

Navigate to Monitoring > Security > Windows Defender ATP Status to see the health of your endpoints.

You can also see the status in the Windows Defender Security Center.

Now refer back to the welcome email. We are given instructions on how to run an attack simulation.

We are invited to open a safe-looking MS Word document of the kind that could be delivered by email.

Once we enable macros an attacker's command shell opens on the computer.

The attacker can then run some innocent looking commands remotely.

Almost immediately the attack is detected in the Windows Defender Security Center (this was literally almost instantaneous).

Details of the attack and recommended actions are provided.

Note that we can configure email notifications for high severity alerts.

I have to say that I'm seriously impressed with how easy it was to get started with this service. It was very straightforward to onboard devices and the speed of threat detection was alarming.

Have a look at a recent Microsoft blog post describing a real life attack. It's quite impressive.

I hope this blog post was useful. Until next time.....

Wednesday, 28 December 2016

Recover a ConfigMgr Current Branch site - my ramblings

System Center Configuration Manager landing page

I have some time off this week so I'm getting through some of the jobs that I've been putting on the long finger for a while. One of those jobs is to move my ConfigMgr lab to new hardware. I could've just copied the VHDX files and created new VMs but where is the fun in that? I haven't had to recover a ConfigMgr Current Branch site yet so I thought that this would be a good opportunity to test the process before I have to do it in production. Note that I will be recovering ConfigMgr Current Branch 1610 (standalone Primary Site).

I previously blogged about the new backup requirements for ConfigMgr Current Branch. You can read that blog post here. Essentially you must ensure that you back up the CD.Latest folder. This folder contains the installation files required to recover in case of a disaster, and its contents change every time you upgrade. In order to recover a site you must have a copy of these installation files, and their version MUST match the version of the site contained in the backup. During this process I will deliberately use the wrong installation files first to see what happens.

Backup best practice.

First I'd like to offer a little advice on backup best practice for ConfigMgr Current Branch (or ConfigMgr in general). The product includes a maintenance task which backs up the required files to recover a site (this includes the CD.Latest folder). However this isn't the recommended approach among serious ConfigMgr admins. It is recommended to use a SQL maintenance plan instead. You have a little bit more work to do to make sure that you include everything as CD.Latest folder is not automatically included. Steve Thompson has a great blog on this here.

Some of the considerations in a production environment are as follows:
  • SQL backup compresses the files rather than just copying them
  • SQL backup includes retention periods and data integrity checks
  • SQL backup allows you to select other databases like ReportServer and SUSDB
  • SQL backup does not require any interruption to ConfigMgr services
  • SQL backups allow you to configure email notifications
  • SQL backup allows more scheduling control
Remember also that there are a number of additional items that should be backed up to assist in recovery in case of a disaster, for example:
  • Make a note of the current SQL server version (very important)
  • Content library
  • Source files
  • SSRS
OK, so I've spent some time going on about why SQL backup is better. However I didn't use it for this job. I used the trusty maintenance task as it's only my lab and just a once-off job. I also didn't bother with the additional items. I just copied what I wanted to retain.
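For production, here is an added example (not from the original post, and not the Steve Thompson approach referenced above) of the backup job the list of considerations describes: the site database plus SUSDB and ReportServer backed up with compression and page checksums, CD.Latest copied next to the backup set so the version-matched setup files are always with it, the SQL version recorded, and old sets pruned. It needs the SqlServer (or older SQLPS) module on the database server; instance name, site code, paths, database list and retention are assumptions.

```powershell
# Added example: scheduled ConfigMgr backup using SQL backups plus the CD.Latest folder.
# Run as a scheduled task (or SQL Agent PowerShell step) with an account that can back up
# the databases and read the ConfigMgr installation folder.

param(
    [string]$SqlInstance   = 'CM01',                                               # assumption
    [string]$SiteCode      = 'PS1',                                                # assumption
    [string]$CmInstallDir  = 'E:\Program Files\Microsoft Configuration Manager',   # assumption
    [string]$BackupRoot    = '\\backup01\cmbackup',                                # assumption
    [int]   $RetentionDays = 14
)

$stamp  = Get-Date -Format 'yyyyMMdd-HHmm'
$target = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $target -Force | Out-Null

# Databases to include. If SUSDB lives on the WID instance rather than this SQL instance,
# back it up from there separately; remove ReportServer if SSRS is not installed.
$databases = @("CM_$SiteCode", 'SUSDB', 'ReportServer')
foreach ($db in $databases) {
    # -Checksum writes page checksums and verifies them; -CompressionOption On keeps the file small.
    Backup-SqlDatabase -ServerInstance $SqlInstance -Database $db `
        -BackupFile (Join-Path $target "$db.bak") `
        -CompressionOption On -Checksum -Initialize
}

# CD.Latest is not part of any SQL backup. Without it, recovery with a matching build is impossible.
Copy-Item -Path (Join-Path $CmInstallDir 'CD.Latest') `
          -Destination (Join-Path $target 'CD.Latest') -Recurse

# Record the SQL Server version with the backup: the rebuilt server must run the same version.
$ver = Invoke-Sqlcmd -ServerInstance $SqlInstance -Query 'SELECT @@VERSION AS V'
$ver.V | Set-Content -Path (Join-Path $target 'sql-version.txt')

# Retention: remove backup sets older than $RetentionDays.
Get-ChildItem -Path $BackupRoot -Directory |
    Where-Object { $_.CreationTime -lt (Get-Date).AddDays(-$RetentionDays) } |
    Remove-Item -Recurse -Force

Write-Output "Backup set written to $target"
```

Keep the content library and source files on a separate, file-level backup schedule as the list above suggests; they are too large to copy into every set and do not need to match a build.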


So what is to be done in advance? The following tasks are required once I have my backup:
  • Turn off old CM server (if it is still alive)
  • Create new VM and install Operating System (does not have to be the same OS as before but the same drive configuration is recommended), patch and join to domain
  • The server name must be the same as previously
  • Install server prerequisites (Nickolaj Andersen has a great tool for this)
  • Install ADK for Windows 10 (there are a number of versions but they all have some issues - do your research first before you pick one)
  • Install the same SQL version as before
So now let's recover the site. I'll do it wrong first to show you the difference.

Recover the site - the wrong way

Let's use traditional thinking here. In previous versions of ConfigMgr we would just download the ISO and recover from backup - so let's do that.

The latest baseline version available for download is 1606 (my site is 1610, reached through in-console updates). See that there are Current Branch and Long Term Servicing Branch downloads. LTSB is not suitable in any situation in my opinion.

What happens when I try to install this version and use my 1610 backup?

The restore fails as expected with the error:

"The site was being recovered using a different build number than the build version of the ConfigMgr backup. The recovery build number must match with the previous installed build version".

(I don't like the way the wizard allows you to continue to the actual setup before failing. It should fail earlier, perhaps at the dialog box where you configure the location of the backup files. After all the wizard interrogates the backup at that stage and knows that you are recovering a primary site as opposed to a CAS. In my opinion it should also know at that stage that there is a version mismatch.)
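Since the wizard won't fail early, the following added example (not from the original post) does the check before you launch anything: it verifies the backup folder has the pieces recovery needs, reads the build from setup.exe in the backup's CD.Latest, and compares it with the setup files you are about to run. The folder layout is the one the Backup Site Server task writes (`<SiteCode>Backup` containing `SiteServer`, `SiteDBServer` and `CD.Latest`), and reading the build from `SMSSETUP\BIN\X64\setup.exe` is my assumption; the sample paths are placeholders.

```powershell
# Added example: pre-flight version match between a ConfigMgr backup and the recovery media.

function Get-CMSetupBuild {
    param([Parameter(Mandatory)][string]$CdLatestPath)
    # Assumption: the file version of setup.exe tracks the site build (e.g. 5.0.8458.x for 1610).
    $setup = Join-Path $CdLatestPath 'SMSSETUP\BIN\X64\setup.exe'
    if (-not (Test-Path -LiteralPath $setup)) {
        throw "No setup.exe under '$CdLatestPath'; is this really a CD.Latest folder?"
    }
    return (Get-Item -LiteralPath $setup).VersionInfo.FileVersion
}

function Test-CMRecoveryMedia {
    param(
        [Parameter(Mandatory)][string]$BackupPath,   # e.g. E:\CMBackup\PS1Backup
        [Parameter(Mandatory)][string]$MediaPath     # folder holding the splash.hta you intend to run
    )
    # The backup must carry site server files, database files and the matching setup files.
    foreach ($required in 'SiteServer', 'SiteDBServer', 'CD.Latest') {
        if (-not (Test-Path -LiteralPath (Join-Path $BackupPath $required))) {
            throw "Backup at '$BackupPath' is missing '$required'"
        }
    }
    $backupBuild = Get-CMSetupBuild -CdLatestPath (Join-Path $BackupPath 'CD.Latest')
    $mediaBuild  = Get-CMSetupBuild -CdLatestPath $MediaPath

    [pscustomobject]@{
        BackupBuild = $backupBuild
        MediaBuild  = $mediaBuild
        Match       = ($backupBuild -eq $mediaBuild)
    }
}

# Usage (paths are placeholders): point MediaPath at a downloaded ISO's contents to reproduce
# the mismatch, or at the backup's own CD.Latest to confirm the correct media.
$check = Test-CMRecoveryMedia -BackupPath 'E:\CMBackup\PS1Backup' -MediaPath 'E:\CMBackup\PS1Backup\CD.Latest'
if (-not $check.Match) {
    throw "Backup is build $($check.BackupBuild) but media is $($check.MediaBuild); run splash.hta from the backup's CD.Latest instead."
}
$check
```

Running this against the 1606 ISO contents and a 1610 backup gives the mismatch the wizard only reports after setup has started; against the backup's own CD.Latest it passes, which is the case the next section walks through.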

Recover the site - the correct way

Now let's do it right. Copy the backup contents to the new server and launch splash.hta (found in the root of CD.Latest).

Complete the wizard to recover the site. It's pretty similar to the regular site installation wizard.

Select "Install".

Read the information before you begin.

Choose "Recover a site".

In my case I want to recover the site server and database from backup. Your needs may be different.

The wizard detects that you have a backup of a primary site. Other options are greyed out.

Enter the license key.

Accept the various license terms.

Download the prerequisite files.

Choose the ConfigMgr installation folder.

The server name and database name are prepopulated.

Choose the database and log file locations (I'm choosing defaults in my lab - you would not do this in production).

Read the telemetry information. Click Next to continue.

Read the settings summary and click Next to continue.

Prerequisites check has passed with some warnings. Click "Begin Install".

The recovery commences. This can take a while. This one took about 45 minutes for a very small lab environment......

...and we're done.

Finally we are warned about some post-recovery tasks.

Everything looks OK.

Note: now have a look at the security permissions on the System Management container. The old site server computer account will be seen as Unknown (even though the new one has the same name). Remove it and delegate full control to the new server.

I hope this blogpost was useful. Until next time.....