SCCM – Deploy Unknown Computers with Assettag as computername

January 5, 2017

Hi,

In a recent Windows 10 deployment project (with SCCM) a customer of mine wanted to use the Serialnumber as the computername within Active Directory. The customer is using Unknown Computers so they don’t the need to import them first. Also there was the need to identify if a computer was a desktop or laptop, this was needed to make sure the computer was joined in the right OU depending of that type and to make sure Bitlocker was only applied to laptop computers.  To provide this functionality I’ve created a vbs script:

Part 1: Set Computername variable

Set objOSD = CreateObject(“Microsoft.SMS.TSEnvironment”)

Set SWBemlocator = CreateObject(“WbemScripting.SWbemLocator”)
Set objWMIService = SWBemlocator.ConnectServer(strComputer,”root\CIMV2″,UserName,Password)
Set colItems = objWMIService.ExecQuery(“Select * from Win32_SystemEnclosure”,,48)

For Each objItem in colItems
strOSDComputername = objItem.SerialNumber
Next

objOSD(“OSDComputerName”) = strOSDComputerName

The variable OSDComputerName is a default task sequence variable. Therefore no further actions need to be taken in the task sequence to make sure it is used to name the computer.

Part 2: Set Chassis variable

Set colChassis = objWMIService.ExecQuery(“Select * from Win32_SystemEnclosure”,,48)
For Each objChassis in colChassis
    For  Each strChassisType in objChassis.ChassisTypes
        Select Case strChassisType

            Case 3
                  StrType = “Desktop”
            Case 4
                   StrType = “Desktop”
            Case 6
                   StrType = “Desktop”
            Case 7
                  StrType = “Desktop”
            Case 8
                StrType = “Laptop”
            Case 9
                 StrType = “Laptop”
            Case 10
                  StrType = “Laptop”
            Case 11
                  StrType = “Laptop”
            Case 12
                   StrType = “Laptop”
            Case 14
                  StrType = “Laptop”
            Case 15
                  StrType = “Laptop”
            Case Else
    StrType = “unknown”
            End Select
    Next
Next

objOSD(“Chassis”) = StrType

The variable “Chassis” can now be used like any other task sequence variable to make sure certain steps only run for a laptop or desktop.

Save the above codesnippets into a vbs file and create an SCCM package containing the script.

Afterwards add a “Run Command Line” step to the task sequence, provide the package details and the following command line: cscript.exe “…vbs”

That should do the trick.

Obviously this is one solution among others, there are many other ways to accomplish the same but this seemed the easiest to me.

A little remark: When reinstalling a computer with Bitlocker enabled, make sure the Run Command Line step is located after the partition disk step, otherwise the script will fail as WMI cannot be accessed from WinPE. I’ve experienced this the hard way.

Hope this helps!

 

Best regards,

Bert

 

 

 

 

 

 

 


Add URL to customized Windows 10 Start Menu

September 1, 2016

Hi,

Since more and more of our customers are adopting Windows 10 in their environment we start to learn more tricks every day.

An important component of Windows 10 is the start menu. Administrators could apply a default startmenu layout for all users by using a GPO but downside of this approach is that the user isn’t able to add any custom applications himself. That’s why I prefer to set the startlayout during the Windows 10 deployment task sequence using a Powershell script.

Afterwards the default layout is set when the user first logs in, from then on the user can edit his start menu as he likes. Adding “classical” applications such as Word, Excel and Powerpoint is quite easy as those applications are already present when the user first logs in. Adding a shortcut to a website might be a little bit harder, in this post I’ll be explaining the steps that need to be taken to accomplish this. It’s a combination of Powershell, SCCM  (also applicable for MDT) and Group Policy Preferences. Let’s get started

First of all start by customizing the start menu as you like on a test machine. The start menu I want is the one shown below. We’ll be focusing on the highlighted icon in the start menu as this is a URL, other shortcuts are applications.

Screenshot_1

When the start layout is finished, launch powershell and execute the following command to export the startlayout:

Export-Startlayout -Path “C:\windows\temp\Startlayout.xml”

The XML generated looks as follows (text in bold is related to the Citrix URL):

<LayoutModificationTemplate Version=”1″ xmlns=”http://schemas.microsoft.com/Start/2014/LayoutModification”&gt;
<LayoutOptions StartTileGroupCellWidth=”6″ />
<DefaultLayoutOverride>
<StartLayoutCollection>
<defaultlayout:StartLayout GroupCellWidth=”6″ xmlns:defaultlayout=”http://schemas.microsoft.com/Start/2014/FullDefaultLayout”&gt;
<start:Group Name=”Webbrowsers” xmlns:start=”http://schemas.microsoft.com/Start/2014/StartLayout”&gt;
<start:DesktopApplicationTile Size=”2×2″ Column=”0″ Row=”0″ DesktopApplicationID=”Microsoft.InternetExplorer.Default” />
</start:Group>
<start:Group Name=”Office ” xmlns:start=”http://schemas.microsoft.com/Start/2014/StartLayout”&gt;
<start:DesktopApplicationTile Size=”2×2″ Column=”2″ Row=”0″ DesktopApplicationID=”{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Microsoft Office\Office15\WINWORD.EXE” />
<start:DesktopApplicationTile Size=”2×2″ Column=”0″ Row=”0″ DesktopApplicationID=”Microsoft.Office.OUTLOOK.EXE.15″ />
<start:DesktopApplicationTile Size=”2×2″ Column=”0″ Row=”2″ DesktopApplicationID=”{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Microsoft Office\Office15\POWERPNT.EXE” />
<start:DesktopApplicationTile Size=”2×2″ Column=”2″ Row=”2″ DesktopApplicationID=”{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Microsoft Office\Office15\EXCEL.EXE” />
</start:Group>
<start:Group Name=”” xmlns:start=”http://schemas.microsoft.com/Start/2014/StartLayout”&gt;
<start:DesktopApplicationTile Size=”2×2″ Column=”2″ Row=”0″ DesktopApplicationID=”Microsoft.SoftwareCenter.DesktopToasts” />
<start:DesktopApplicationTile Size=”2×2″ Column=”0″ Row=”0″ DesktopApplicationID=”Microsoft.Windows.ControlPanel” />
</start:Group>
<start:Group Name=”” xmlns:start=”http://schemas.microsoft.com/Start/2014/StartLayout”&gt;
<start:DesktopApplicationTile Size=”2×2″ Column=”0″ Row=”0″ DesktopApplicationID=”https://citrix.contoso.com&#8221; />
</start:Group>
</defaultlayout:StartLayout>
</StartLayoutCollection>
</DefaultLayoutOverride>
</LayoutModificationTemplate>

Now create an SCCM Package containing the XML file and a Powershell script with the following content:

Import-StartLayout -LayoutPath $PSScriptroot\StartLayout.xml -MountPath $env:systemdrive\

Now this can be executed using a Run Powershell Script during the SCCM OSD task sequence.

Without performing further actions when a user first logs in the start menu will be generated but the URL to citrix.contoso.com will not be present. To make sure it’s there we need to create a Group Policy Preference to put the exact URL in the start menu for the user. Pay close attention because the target URL specified in the GPP must EXACTLY match the value of DesktopApplicationID (without the “”)

Screenshot_2

Now when the user (for which the GPP is applied) logs on for the first time on a Windows 10 computer, the default Start layout will be applied properly and the URL will also appear.

Hope this helps!

 

Best regards,

Bert

 

 


Reboot notifications

May 9, 2016

Hello,

Reboot notifications , we all hate to reboot. Normally the less the better but as … an admin you want to pursuade your users into rebooting the device from time to time. Keeps it healthy and running smoothly.

Now in sccm we have several options for rebooting. In this particalur case we supress the reboot for the update deployment. So the user gets notified but not forced to reboot.

Unfortunately the result was this :

clip_image002

That’s odd the windows update reboot notification was not wat we wanted. If we check the notifications area we see 2 notifications : one for sccm client and one for windows update.

clip_image004

The setting required to modify this behavior was the following :

· System -> Windows Components -> Windows Update -> Configure Automatic Updates :Disabled

· Re-prompt for restart : Disabled.

clip_image006

After modification of these policies the result was better ! Just one notification.

clip_image008

And if the user presses the Open restart button :

clip_image010

Or select the restart now option :

clip_image012

In the software center applet you can see detailed info about which update requires a reboot.

clip_image014

Now the behavior is different for software installations requiring a reboot. For example this IE11 installation returns a 3010.

clip_image016

The user will be notified about a required reboot on the device , the settings are be configured by the sccm client settings for “Computer Restart”

clip_image018

The user will recieve a popup :

clip_image020

If ignored the restart icon will stay in the notification area.

clip_image022

Now according to the settings there is a permanent message shown as soon as there is only 15′ left on the clock. The color of the progress bar will change and the hide button will become unavailable.

clip_image024

Enjoy

Gino D


WaaS

March 16, 2016

Hello,

WaaS or Windows-As-A-Service. It has quite a ring to it and you could think : what does it change for me ?

Well , actually quite a lot ! As explained in the following article https://technet.microsoft.com/en-us/library/mt598226%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396, Microsoft has evolved to a continous release cycle of new features of the client OS starting from Windows 10. What’s important about these new features is that Microsoft will provide servicing updates ( aka normal security updates ) for the last 2 features and they foresee 2-3 feature upgrades per year.

clip_image002

Windows 10 servicing options for updates and upgrades (Windows)https://technet.microsoft.com/en-us/library/mt598226%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396

Basically this means that your enterprise has several options :

  • -> “Ahead of the competition” : Use the Windows 10 Professional or Enterprise build. Install new features to your likings but don’t skip more then 1 feature upgrade in order to keep getting these required servicing updates for your client environment. You can use all the new added value that will be made available to the client platform.
  • -> “Business As Usual” : Use the Windows 10 Enterprise Long term Servicing Branch build ( no Software Assurance ) for deployment. The build recieves servicing updates for 10 years but lacks certain features ( ex. Edge and Store ) and recieves no feature upgrades.
  • -> “Hybrid Model” : A combined model , let’s say the best of both worlds. You use Windows 10 Enterprise Long Term Servicing Branch with SA. This means that you deploy a LTSB build but when microsoft releases a Windows feature as LTSB feature you can deploy this build to your environment. Microsoft expects to release a new LTSB build every 12 months.

Now , this means that, if you would like to use the full blown potential of the client environment some checks are required :

Have the processes in place for a rapid, continuous release cycle.

How to test ? Who will tests ? What to test ? Approval in place ? A defined flow for new releases ?

Have the required resources for this.

The people are available to perform these actions ?

Have the required toolsets for this.

The management or deployment toolset needs to follow the releases. Some automated test scenarios can be an added value. Some ITSM tools might help too.

Have the mindset for this.

Maybe the most important one, Step away from the traditional approach.

So buccle up, find out which format is right for and find a partner that can help out on some of the missing pieces.

Enjoy.

Gino D


SCCM Distribution point down !

December 17, 2015

Ho ho ho,

Almost merry Christmas everyone ! Enjoy the holidays .

Until then, here’s some useful information about fallback locations in sccm 2012.

As you all know there are lots of different options for redirecting a client to a specific distribution point for downloading content. The most common setup involves “preferred” distribution points linked to a specific boundary group. By specifying the option “allow fallback source location” on the distribution point we can allow clients to use a fallback option when content is not available.

clip_image002

Now there is a great blog going through the option in detail : http://blogs.technet.com/b/neilp/archive/2013/01/03/on-demand-content-distribution-fallback-distribution-points-a-2012-configuration-manager-micro-depp-dive.aspx

Here’s the catch however. These scenario’s all work when the DP is online but the content is unavailable.

But , if the DP is offline the deployment will fail as the MP will continue to present these DP’s to the clients even while unavailable. The client will retry the unavailable DP for 8 hours until switching to the next.

You can find detailed info about the behavior here : http://blogs.technet.com/b/wemd_ua_-_sms_writing_team/archive/2008/11/25/clarifying-retry-behavior-for-distribution-points.aspx

clip_image004

So what can we do ?

Well we can remove the DP from our boundary group and then the MP will no longer present it to the client.

clip_image006

Nice ! But that’s a manual action. No, not really as we can use orchestrator to run a simple ping test on our DP and when it’s unavailable just run a powershell script to remove it from the boundary group and add some alerting ( in our case we create an alert in SCOM ).

Some good examples can be found here : http://cm12sdk.net/?p=513

Enjoy !

Gino D


ADR and wsus sync #RDProud

August 28, 2015

 

Hello,

Today I had a strange issue with some ADR. As you see we have 4 ADR set ( WKS Pilot & Production and SRV Pilot & Production )

clip_image002

Now if we check our Software update packages we see that for August we only have one package for WKS Production. None for the rest. How come ?

clip_image004

Let’s verify the logging. The execution of the ADR is logged in ruleengine.log

clip_image006

No applicable updates found for the first ADR.

clip_image008

146 updates found in the latest ADR. How come ?

Solution is found in the WSUS sync log. We see that at 09:00 when the first ADR was run the catalog file was not yet synced, so it did not contain the new updates. At 11:06 however it was synced so my ADR from 11:55 found all the required updates.

clip_image010

Okay so we modify the Sync Schedule for WSUS each 8 hours starting at 20:00.

clip_image012

Enjoy.

Gino D


Configuration Manager 2012 R2 SP1 IBCM WSUS #RDPROUD

August 5, 2015

Hi all,

For some time I’ve been busy configuring Internet Based Client Management (IBCM) at a customer of mine. The infrastructure consists of System Center 2012 Configuration Manager R2 SP1 and has one primary site. One management server was already present for the intranet clients and I wanted to add the necessary means to support IBCM.

The most straightforward method was to add an additional management server which would be occupied with everything related to internet clients.

The general setup can be found here: https://technet.microsoft.com/en-us/library/gg682023.aspx#BKMK_webserver2008_cm2012 and is quite straight forward.

Now the tricky part: How to make sure the infrastructure can be reached from the internet? First of all I needed a public IP adress which I could use for the CNAME eg. sccm.customer.com. Then I needed to add the necessary components in the reverse proxy solution available (in this case: Citrix NetScaler). There I added a virtual server on port 443 configured using Protocol SSL_BRIDGE. This makes sure the connection gets passed through the NetScaler directly to the backend server.

When this was configured deploying software, requesting policies, etc. worked like a charm.

Additionally I wanted to make sure internet client could also use SCCM to check for updates (not directly to Windows Updates).

Therefore some extra configuration was needed:

  • Install WSUS on the new management server (sharing the same database as the WSUS that is already present in the Configuration Manager infrastructure.
  • Install SUP on the new management server (with SSL enabled + Internet only traffic allowed)
  • Configure IIS to use the SSL certificate (additional information here)
  • Make sure URL https://sccm.customer.com:8531 can be resolved on the internet ( therefore an additional virtual server can be added to the NetScaler: port 8531 protocol TCP)

Now when a computer is connected to the internet, the SCCM agent will detect that and will replace the existing WSUS URL (eg. http://sccminternal.customer.local:8530) by the one available from the internet (https://sccm.customer.com:8531). One of the places to check this is in registry: HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate. This should point to the internet available FQDN. Also the Locationservices.log should show some information.

20150805_2

 

20150805_4

When the computer checks for updates it will connect to the published URL to see what updates are missing. Afterwards the deployment of updates will be checked to see what updates are “Actionable” (see UpdatesDeployment.log)

20150805_1

For the download itself the agent will use Windows Update. These downloads are done over HTTP and can be followed in the DataTransferServices.log on the computer.

20150805_3

The user experience is the same. Everything is listed properly in the Software Center

20150805_5

If Windows Update isn’t available then a fallback will happen to http://sccm.customer.com. But because HTTP traffic isn’t redirected through the reverse proxy this will fail. Nevertheless I prefer the direct download from Windows Update as this minimizes bandwidth constraints in the customer infrastructure.

 

Hope this helps.

 

Best regards,

B