Adaptiva OneSite is a software solution that can improve SCCM delivery of software, updates, and Windows (OSD) between your SCCM site and other locations, even ones without distribution points.  Adaptiva OneSite doesn’t require a huge infrastructure. It can run a thousand locations with just a single SCCM server and no distribution points. PXE servers, or SMPs. The content delivery is fast and, more important, it does not impact other traffic on the WAN. The peer-to-peer storage of content doesn’t affect free space on clients because it operates in unused clusters so the users retain all their disk space. With these capabilities, Adaptiva OneSite can upgrade thousands of systems to Windows 10 in a fraction of the time.

Companies that wants to upgrade their unsupported Windows XP to Windows 7 or 8, or upgrade from any of those versions to Windows 10 soon, you can use Adaptiva OneSite to facilitate the process. In this post, we will explain 3 reasons of using Adaptiva OneSite Rapid OSD with SCCM for your next Windows 10 deployment.

Peer-to-Peer PXE

With SCCM, you may need to configure IP Helpers or DHCP Options in some VLAN to use OSD. Enabling peer-to-peer (P2P) PXE with Adaptiva takes only few minutes and all Windows server or clients can become a PXE point without infrastructure changes. You select a checkbox and every network segment has a PXE point! No need to coordinate with the networking team to set up IP helpers or DHCP scope options.

Since you only need one PXE server per segment, one machine on each subnet is intelligently chosen and elected. However, it does not need to store the content. Instead, it serves content from different sources within the peer-to-peer network. For example, if ten systems are being migrated to Windows 10 at once, each one gets its OS image files from a different peer cache. This is for load-balancing, so one machine doesn’t slow down serving many others. You still have as much control as you want. You can include or exclude collections from eligibility both as PXE points and as data caches.

Content Storage and Delivery

One way that Adaptiva OneSite eliminates the need for storage is with zero footprint caching. This feature makes the Adaptiva Cache much more interesting than a normal SCCM cache. When global content is delivered to an operating location, it is stored in unallocated clusters on peer systems there. The data is copied without interfering with the users’ free disk space, and organized into a Virtual SAN. The result is virtually unlimited storage at each site, without servers, and without taking space from end users.

When an SCCM task sequence is ready to deploy, OneSite will read it, find all of the content it references, then automatically compress and distribute all pieces of content required to execute it. It will also make multiple copies for load-balancing and redundancy at a location, and the administrator can specify the minimum number of copies to keep.

When any of the content is updated, Adaptiva OneSite detects the change, and automatically creates and distributes a small binary differential file, efficiently updating the content every place it lives worldwide. It’s all as automatic as you want it to be. So you can be sure you are always deploying the most current content when migrating Windows.

Adaptiva includes a proprietary UDP-based network protocol that makes it possible to deliver 20GB+ OS image files over the WAN without impacting other network traffic. It’s the only predictive bandwidth harvesting technology in the world. Others are based on TCP and are reactive, not predictive.

Virtual State Migration Points

A Windows user can easily store gigabytes of data and settings on their system. They expect it to be there on the new version of Windows after a migration. This means administrators must save and restore the data and settings, also known as state. SCCM administrators must either have a State Migration Point server at each facility, or save/restore the data over the WAN to a remote server. Doing state migration to a remote server is rarely practical, as it can overload the WAN with too much data, or simply take too long to be viable.

Adaptiva solves this dilemma by using the OneSite virtual SAN already located at a site to create a virtual state migration point (VSMP) there. The VSMP offers all the functionality of a dedicated server without taking storage from end users or impacting their performance. It also has built-in redundancy, maintaining multiple copies of the saved state data during each migration. The VSMP integrates directly into the SCCM task sequences as shown in the screenshot.

Adaptiva has built redundancy into the V-SMP solution by creating multiple copies of the state data for business continuity. If one peer goes offline for any reason, the migration will continue uninterrupted.

For More Information

Take a look at all others Adaptiva OneSite features. You can also check Adaptiva’s Vimeo Channel for more videos.

Overview video about Adaptiva OneSite

Adaptiva OneSite

The post 3 Reasons to use Adaptiva OneSite for Windows 10 Deployment appeared first on System Center Dudes.

Windows 10 is coming out tomorrow. You want to install the latest Windows version to have the new OS features but you found out that one of your computer is running Windows 8 Enterprise edition which is not covered by the free Windows 10 upgrade. If you don’t need the Enterprise features, you can decided to downgrade your Windows 8.1 Enterprise edition to Windows 8.1 Pro to have the free upgrade to Windows 10.

This post will show you how to downgrade / change Windows edition from Enterprise to Professional in a couple of steps. This procedure works for Windows 7, 8 and 8.1 and you won’t need to reinstall your software and apps. The whole procedure should take about 30 minutes.

What you need

• Windows 8 Pro media
• A valid Windows 8 Pro product key
• Valid backup of you data in case something goes wrong

Which version can be upgraded to Windows 10

The following Windows versions can upgrade free to Windows 10 Home:

• Windows 7 Starter
• Windows 7 Home Basic
• Windows 7 Home Premium
• Windows 8.1

The following Windows versions can upgrade free to Windows 10 Pro:

• Windows 7 Professional
• Windows 7 Ultimate
• Windows 8.1 Pro
• Windows 8.1 Pro For Students

The following charts shows which version of  Windows 10 you will get depending of you Windows 7 / 8 version:

How-to change Windows edition from Enterprise to Professional

Here’s what’s to be done to change Windows edition from Enterprise to Professional:

• Open Regedit.exe
• Navigate to HKLM\Software\Microsoft\Windows NT\CurrentVersion
• Change ProductName to Windows 8.1 Professional
• Change EditionID to Professional

• Navigate now to HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion
• Change ProductName to Windows 8.1 Professional
• Change EditionID to Professional
• Close Regedit.exe

• Start the Windows 8.1 Pro installation
• Enter your 8.1 Professional product key when prompted

• On the Chose what to keep screen, select Windows settings, personal files and apps

• Review your selection and click Install

The computer will now reboot and once restarted you will have a Windows 8.1 Pro computer.

The next step is to update you PC using Windows Update. Once all updates are installed, you just have to wait for your computer to receive your free copy of Windows 10.

Bonus tip : Once the downgrade is successful you can safely delete the Windows.old folder to free up some hard disk space. See this link for detail on how to do this.

The post Change Windows Edition from Enterprise to Professional appeared first on System Center Dudes.

Windows 10 has just been released, Microsoft is calling it the biggest software update in history. With massive installations at the same time, many users has been reporting errors when upgrading. The most common error is Windows 10 error code 80240020. 

Microsoft explains this error in the following statement: This is an expected message indicating that when installation begins it may require user interaction.  This is the largest software upgrade event ever and we’re managing it so everyone has a great experience. We recommend waiting until your PC receives a notification to upgrade, and then following the instructions provided. 

Please note that there is no problem with your reservation or upgrade download. The upgrade download is not corrupt as some have stated, and you will be notified in the coming days or weeks when your device is ready to upgrade.

How to fix Windows 10 error code 80240020

Method 1 – Download folder

• Go to C:\Windows\SoftwareDistribution\Download and delete all content in the Download folder. Do not delete the Download folder
• Open an admin Command Prompt and type this command : wuauclt.exe /updatenow

• Go to Control Panel / Windows Update you will see Downloading Windows 10

• Once the download complete, restart your computer
• You will get Windows 10 ready to upgrade window
• Click Start the upgrade now, sit back and relax while your computer gets upgraded

Method 2 – Registry Editor

If the first method fails, try this one. You will need to add a value in the registry editor. Be careful when modifying registry key.

• Open the Registry Editor (Run / Regedit.exe)
• Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\OSUpgrade
• Create a new DWORD (32-bit) value
  • Name = AllowOSUpgrade
  • Value = 0x00000001

• Close Registry Editor and go to Control Panel / Windows Update
• Click Check for Updates on the left
• You should now be able to click the Get Started button to upgrade to Windows 10

Leave a comment if one of this method works for you. Happy updating.

The post Windows 10 Error Code 80240020 appeared first on System Center Dudes.

Windows 10 is out since July 29th, now you want to manage Windows 10 Endpoint Protection with SCCM 2012.

You have probably noticed that Windows 10 comes natively with Windows Defender. Instead of Endpoint Protection, it is now the default anti-malware managed by SCCM 2012. Actually, the Endpoint Protection agent is installed locally in Programs & Features but it’s using the Windows Defender UI with a thin layer of Endpoint Protection to manage policies and malware definitions.

If you have already deployed Windows 10 in your environment, you might have encountered an issue where your Endpoint Protection policies are applied but the malware definitions are not updated.

Some have found a way to work around this problem by extracting the Endpoint Protection installer and make Endpoint Protection malware definitions automatically update.

Unfortunately, this TechNet article is the only official documentation but it’s mentioning only Windows 10 Technical Preview, no word about Windows 10 RTM. Might only be a matter of updating their documentation.

For now, we will take the Windows 10 Technical Preview documentation and apply it to our Windows 10 RTM. It consists in enabling Windows Defender from the products tab in Software Update Point component properties.

SCCM 2012 Windows 10 Endpoint Protection Configuration

Prerequisite

• Have a functional Software Update Point

Enabling Windows Defender Product

• Go to Administration / Sites Configuration / Sites
• Select your most top site on which Software Update Point role is installed
• Go on Configure Sites Components from the top ribbon
• In the drop down menu, click on Software Update Point

• In the Software Update Point Components Properties window, go on the Products tab
• Check Windows Defender under the Windows section, and then click on OK
  • Ensure that you have also Windows 10 checked

Synchronizing Software Updates

• Go to Software Library / Software Updates / All Software Updates
• On the top ribbon, click on Synchronize Software Updates

Verification

• Go to Software Library / Software Updates / All Software Updates
• In the Search field, look for Windows Defender
• Validate that make sure you have Windows Defender definition updates in the result list

From there, you deploy Windows Defender definitions like you would normally do with your existing Windows updates. To enhance your process, you could also configure an Automatic Deployment Rule (ADR) to automate the package creation and deployment.

We will update this post when Microsoft officially release their updated documentation.

The post Managing Windows 10 Endpoint Protection with SCCM 2012 appeared first on System Center Dudes.

Since Windows 10 is out, there’s been a ton of information coming out from the SCCM product group. Many people gets confused at what’s needed for managing Windows 10 with SCCM 2012. The goal of this post is to centralize all those information so you can reach out when your organisation will be ready for managing Windows 10 with SCCM 2012.

[Updated 09/25/2015]

Requirement for Managing Windows 10 with SCCM 2012

Before you can manage and deploy Windows 10 in your organisation, you need to update your SCCM infrastructure.

• Your site servers needs to be updated to SCCM 2012 R2 SP1 or SCCM 2012 SP2. Refer to our installation guide if it’s not the case.
• You need to apply R2 SP1 Cumulative Update 1. Refer to our installation guide if it’s not the case.
• You need to update your boot images to Win PE version 10. Refer to the Deployment section of this article.
• If you need to integrate MDT with SCCM, update your MDT version to MDT Update 1. Refer to the Deployment section of this article.

Client Management

The official documentation is not yet updated but you can install the SCCM 2012 client on a Windows 10 device. has been updated to include the LTSB version of Windows 10 as an official supported OS.

The official statement from Microsoft is : These service packs (R2 SP1/SP2) deliver full compatibility with existing features for Windows 10 deployment, upgrade, and management.

Which means : All that you can do with older Operating System (Windows 7, Windows 8) can be done with Windows 10 in term of management. (Inventory, Remote Control, Software updates, Software deployment, Anti-Virus…). We’ll cover it all in the next sections of this post.

If you want to regroup your Windows 10 devices in a collection using a query, Windows 10 version is 10.0. (Not 6.4 as in the Tech Preview version)

Use the following query to create your Windows 10 collection :

select SMS_R_System.ResourceID,SMS_R_System.ResourceType,SMS_R_System.Name,SMS_R_System.SMSUniqueIdentifier,SMS_R_System.ResourceDomainORWorkgroup,SMS_R_System.Client from SMS_R_System where OperatingSystemNameandVersion like '%Workstation 10.0%'

Our Set of Operational Collections has also been updated to include Windows 10 in its collection list.

Reference :

• Product Group blog article – Announcing the availability of System Center 2012 R2 Configuration Manager SP1 and System Center 2012 Configuration Manager SP2

Software Update

If you want to deploy Software Update to your Windows 10 device, you just need to enable Windows 10 in your Software Update Point configuration.

• Go to Administration / Sites Configuration / Sites
• Select your most top site on which Software Update Point role is installed
• Go on Configure Sites Components from the top ribbon
• In the drop down menu, click on Software Update Point

• In the Software Update Point Components Properties window, go on the Products tab
• Check Windows 10 under the Windows section, and then click on OK

• Go to Software Library / Software Updates / All Software Updates
• Right click  All Software Updates and select Synchronize Software Updates

• Once the Synchronization has completed, stay in All Software Updates and select Add Criteria on the right
• Select Windows 10 in the Product list
• At the time of this writing there’s 10 updates available

Endpoint Protection

We cover in depth this topic in a previous post. Long story short, Windows Defender is now managing your Endpoint Protection clients in SCCM.

Deployment

If you want to deploy Windows 10 computers using SCCM 2012, there’s a couple of things to know :

Windows Automated Deployment Kit (ADK)

You need the Windows 10 ADK to capture and deploy Windows 10 devices. You probably already have Windows 8.1 ADK installed on your SCCM Servers.

You must first uninstall the existing ADK, install the Windows 10 ADK and reboot your server before using it.

Make sure you upgrade the Windows ADK on all systems in the site that have it installed. This can include the site server, SMS Provider, and administrator consoles. The version of the Windows ADK needs to be consistent across all systems that leverage it.

Once you install the ADK for Windows 10 you will lose the ability to modify your WinPE 3.1, 4.0 or 5.0 boot images and you’ll only be able to modify WinPE 10 boot image. You can still use these down level boot images, you just can’t modify them in the SCCM console.

Windows PE 10 boot images supports deployments of Windows 7 through Windows 10.

Reference :

• Product Group blog article – Windows 10 ADK and Configuration Manager
• MSDN article – Download kits and tools for Windows 10

In-place upgrade

In-place upgrade Task Sequences are not available out of the box in SCCM 2012 R2 SP1. If you want to upgrade your existing Windows 7 or Windows 8 computer to Windows 10 using an in-place task sequence, you must do it manually using custom scripts provided by the product team. SCCM Vnext will have this feature when it ships Q4 2015.

Reference :

• In-Place Upgrade Task Sequence Part 1 – How to upgrade to Windows 10 using the task sequence in System Center 2012 R2 Configuration Manager
• In-Place Upgrade Task Sequence Part 2 – Revised content for the Windows 10 in-place upgrade via task sequence for Configuration Manager

MDT

If you are using MDT in your organisation to build your Windows 10 images or integrated with SCCM, the new MDT 2013 Update 1 version supports it.

MDT 2013 Update 1 is available through this link.

Reference :

• Product Group blog article – MDT 2013 Update 1 Now Available

Future

The official statement from Microsoft is : The next version of System Center Configuration Manager will deliver full support for client deployment, upgrade, and management of Windows 10 and associated updates.

This means that you won’t be able to manage Windows 10 Service Branches using SCCM 2012.

If you are using MDT 2013, you will need to wait for the next release of MDT (MDT 2013 Update 1) to deploy Windows 10. This is due for end of August 2015.

Reference :

• Product Group blog article – Windows 10 enterprise management with System Center Configuration Manager and Intune
• Product Group blog article – Windows 10 ADK release and MDT 2013 Update 1 plans

We hope you enjoy reading this article, with a new version of Windows comes new challenges. We’ll update this blog post as soon as Microsoft release more information about managing Windows 10 with SCCM 2012.

Visit our consulting service page if you need help deploying or managing Windows 10 with SCCM 2012.

The post Managing Windows 10 with SCCM 2012 appeared first on System Center Dudes.

Remote Server Administration Tools (RSAT) is a Windows Server component for remote management of other devices. RSAT allows administrators to run snap-ins and tools on a remote device to manage features, roles and role services. The software includes tools like Bitlocker Password Recovery, Group Policy management, NIC Teaming and many more.

A lot of IT guys use this tool in their day to day basis. Microsoft has released RSAT for Windows 10 so if you are an SCCM admin, instead of manually install via the link, you can create an application in SCCM 2012 and make it available to every Windows 10 computer or to users who have the right to use RSAT.

This post will show you how to create this application in SCCM 2012.

Step 1 | Create RSAT Application

Click on this link, download and save the source files needed in your content directory. These files will be used as the source of the application.

** Update 2015-09-28 ** Remote Server Administration Tools for Windows 10 is available only in English (United States) for current release.

From the SCCM console, navigate to Software Library / Overview / Application Management / Applications

• Right click on Applications and select Create Application
• The Create Application Wizard window will appear, on General tab, select Manually specify the application information and click Next

• In General Information tab, enter an application name like Microsoft Remote Server Administration Tools
• In the Publisher field enter Microsoft
• In Software Version enter Windows 10 and click Next

• In the Application Catalog tab, fill required information to customize the user experience
• In this example, we will only fill Localized application name with Microsoft Remote Server Administration Tools for Windows 10 and click Next

• In the Deployment Types tab, click on Add
• In the Create Deployment Type Wizard, select Manually specify the deployment type information as your deployment type and click Next

• In General Information tab, enter Install (32-bit) or Install (64-bit) for whatever you configure as the name of the deployment type and click Next

• In the Content tab, enter the Content Location where you copied both files at the beginning
• At the Installation Program field, enter this program command
  • For Install (32-bit): wusa.exe WindowsTH-KB2693643-x86.msu /quiet /norestart
  • For Install (64-bit): wusa.exe WindowsTH-KB2693643-x64.msu /quiet /norestart

• At the Uninstall Program field, enter this program command
  • For Install (32-bit): wusa.exe /uninstall WindowsTH-KB2693643-x86.msu /quiet /norestart
  • For Install (64-bit): wusa.exe /uninstall WindowsTH-KB2693643-x64.msu /quiet /norestart

• Check box Run installation and uninstall program as 32-bit process on 64-bit for Install (32-bit) only and click Next

• In the Detection Method tab, click Add Clause
• In the Detection Rule window, select File System as the setting type
• At the Type field, select File option
• At the Path textbox, enter %windir%\system32\
• At File or folder name, enter ServerManager.exe
• Check the option This file or folder is associated with a 32-bit application on a 64-bit systems if you are configuring the detection rule for Install (32-bit)
• Select the option This file setting must satisfy the following rule to indicate the presence of the application.
• Select Version as the property, Equals as the operator and 10.0.10514.0 as the value

The detection method is designed to evaluate whether application is already installed or not. If it turns out that the application is already present, the application will not be installed.

• You will come back to the Detection Method tab, click Next

• In the User Experience tab, at the Installation behavior settings, choose Install for system if resource is device; otherwise install for user if you use both type of collections
• At Login requirement, choose Whether or not a user is logged on
• At Estimated installation time (minutes), enter 5 minutes
• Click Next to finalize the process, then Close

• In the Requirements tab, select the Add button
• Select the Operating System condition and choose one of these value
  • For Install (32-bit): All Windows 10 and higher (32-bit)
  • For Install (64-bit): All Windows 10 and higher (64-bit)

• Once finished, click on Ok

Requirements is used to detect pre-requisites configuration before the application can install.  In our case, the application is only available for Windows 10 Pro, Enterprise and Education version.

• Click Next till the end of the wizard

If your goal is to deploy both version, simply repeat step 1 section for 32-bit or 64-bit.

You should see something like that in your Deployment Types tab.

Step 2 | Deploy RSAT

The last step is to use the application and deploy to your respective collections.

• From your application folder, right click on the application and select Deploy
• From the Deploy Software Wizard in the General tab, click on Browse, select the previously created collection from the first section and click Next

Before you can deploy the application, you must distribute content to your distribution points otherwise you will have deployment issues.

• In the Content tab, add the distribution points needed for your deployment and click Next

• In the Deployment Settings tab, you have two possibilities for the Purpose of the deployment
  • Required: The application will be enforced
  • Available: The application will be available to install in the Software Center and/or Application Catalog waiting for an user action
• Click Next

• In the Scheduling tab, configure when do want to make it available and installed, then click Next

• In User Experience tab, selecting Display in Software Center and show all notifications will display the status of the application deployment to the logged user.
• Click Next

• Click Next to the end

Step 3 | Validation

Validate the application deployment on a Windows 10 computer. If everything has been properly configured, the application will appear in the Software Center.

To open Software Center, simply search for Software Center in your application or type the following command line: C:\WINDOWS\CCM\SCCLIENT.EXE

You should see something like that. Monitor the application deployment if needed.

Windows 10 RSAT SCCM 2012

The post Deploy RSAT for Windows 10 using SCCM 2012 appeared first on System Center Dudes.

The latest build of Windows 10 is available since this week. Windows 10 TH2 or Windows 10 1511 build is the first important release of Windows 10 since it’s launch in July. If you are managing Windows 10 with SCCM 2012 in your organisation you may wish to deploy this latest build using SCCM 2012.

The bad news is that you can’t achieve that with SCCM 2012. You will need to wait for the next version of SCCM to deploy this update to your Windows 10 computers. The good news is that the wait is almost over, the next version SCCM should be shipped before the end of the year.

The product group official statement is :

ConfigMgr 2012 R2 SP1 or SP2 and lower versions do not support Windows 10 servicing via Software Update Management workflow.

This update with the new classification “Upgrade” can be sync’d down from WSUS after the hotfix is applied if the “Upgrade” classification is checked explicitly. However, only vNext client can complete the end to end installation successfully since this Windows 10 Upgrade is in a different format and requires special handling on the client side. Without vNext, the install will fail.

OSD Upgrade Task Sequence is still the recommended way to upgrade to Windows 10 via the current versions of ConfigMgr (excluding vNext) as these versions actually do not support Windows 10 upgrade via Software Update Management.

SCCM 2012 Windows 10 TH2 1511

Windows 10 KB3105211 update shows in the console but don’t try to deploy it through your Software Update process, it will simply fails !

The post Deploying Windows 10 TH2 (1511) using SCCM 2012 appeared first on System Center Dudes.

Introduced since SCCM 2012 R2, SCCM Wifi profiles are used to send Wifi configuration to clients. It can be useful if your company is not using certificates or any automated authentication methods. Smaller organisation that uses a simple WPA2 setup can use SCCM Wifi profiles to send Wifi SSID and password so that the computers connects automatically to that network.

You can also use Wifi profile to manage mobile devices with Intune but we won’t cover this scenario in this post.

The major drawback of the SCCM Wifi Profile is that it’s impossible to enter the Wifi password using the console UI. We will show you how to deploy Wifi profiles on a Windows 10 or Windows 8.1 computer, including the Wifi password using an Xml file.

How to deploy SCCM Wifi Profiles with password to Windows 10 devices

Since it’s not possible to enter a password in the SCCM console, we’ll create an XML file and use it to create a SCCM Wifi profile based on this file.

The first step is to connect on a Windows 10 computer and connect to the desired Wifi network manually. You can disconnect once done, it’s only important to connect to the network at least once.

• Open a PowerShell window and enter the following command to list all Wifi profiles on the computer :

• Enter the following command to create the Xml file : (replace the name of your network and location you want the file to be created)

• Using any text editor, you can see the Wifi information including the WPA2 pre-shared key

• We are now ready to create the Wifi profile in the SCCM console using this Xml file
• Open the SCCM console
• Go to Assets and Compliance / Compliance Settings / Company Resource Access / Wi-Fi Profiles
• Right-click Wi-Fi Profiles and select Create Wi-Fi Profile

• On the General pane, enter a Name and Description
• Check the box Import an existing Wi-Fi profile item from a file, click Next

• On the Import Wi-fi Profile pane, click Add

• Browse to the location where you saved the Xml file created in the first step of this post, click Open

• Validate the file, click Next

• On the Supported Platforms pane, select All Windows 8.1 (64-bits), All Windows 8.1 (32-bits), All Windows 10 (64-bits) and All Windows 10 (32-bits), click Next

• On the Summary pane, review your settings and click Next

• Wait for the wizard to complete and click Close

Deploy the Wifi Profiles

You are now ready to deploy the profile to your devices

• Open the SCCM console
• Go to Assets and Compliance / Compliance Settings / Company Resource Access / Wi-Fi Profiles
• Right-click the profile and select Deploy

• Click Browse and select your collection
• Specify the evaluation schedule, click Ok

Monitor the deployment

Like every deployments, you can monitor the status in the SCCM Console under Monitoring / Deployments

You may notice that the Wifi Profiles deployments are treated as they were Configuration Items.

Once successfully deployed, the computers receiving the Wifi Profile will automatically connect to the specified network.

The post Deploy SCCM Wifi Profiles with password to Windows 10 devices appeared first on System Center Dudes.

In the second post of this blog series about Windows 10 Deployment using SCCM, we will show you how to create a SCCM Windows 10 Task Sequence and deploy it. Complete the preparation of your environment before reading this post.

This task sequence will help you deploy what we call a “vanilla” Windows 10 using the default Install.wim from the Windows 10 media. This means that you’ll end up with a basic Windows 10 with the SCCM client and nothing else.

You will be able to edit this task sequence later to customize it to your environment.

Create SCCM Windows 10 Task Sequence

• Open the SCCM Console
• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click Task Sequences and select Create Task Sequence

• On the Task Sequence wizard, select Install an existing image package

• On the Task Sequence Information pane, enter the desired Name, Description and Boot Image

• On the Install Windows pane, select the Image package and Image index you imported in part 1
• Leave the check box beside Partition and Format the target computer before installing the operating system
• For this example we will remove the Configure task sequence for use with Bitlocker
• Leave the Product key blank, if you are using MAK keys, read this post on how to handle that in your Task Sequence. (TL;DR: Even with MAK key, you need to leave the Product key blank)
• Enter an Administrator password

• In the Configure Network pane, you can select to Join a workgroup or domain. If you select Join a domain, enter your domain information, OU and credentials

• On the Install Configuration Manager Client pane, select your Configuration Manager Client Package and enter your installation properties

• On the State Migration pane, we will remove all checkbox as we don’t want to use User State Migration at this time

• On the Include Updates pane, select the desired Software Update task
  • All Software Updates will install the updates regardless of whether there is a deadline set on the deployment (on your OSD collection)
  • Mandatory Software Updates will only install updates from deployments that have a scheduled deadline (on your OSD collection)
  • Do not install any software updates will not install any software update during the Task Sequence

• On the Install Applications tab, click on the Star Icon to add any application that you want to be installed during your deployment. Only applications will be listed. If you need to add packages, you can add it by editing the task sequence later. Theses applications will be deployed each time the task sequence is executed.

• On the Summary tab, review your settings and click Next

• On the Completion tab, click Close

Deploy Windows 10 Task Sequence

Now that your Task Sequence is created, we will deploy it to a collection and start a Windows 10 deployment.

• Open the SCCM Console
• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click your Windows 10 Task Sequence and select Deploy

• On the General pane, select your collection. This is the collection that will receive the Windows 10 installation. For testing purposes, we recommend putting only 1 computer to start

• Select the Purpose of the deployment
  • Available will prompt the user to install at the desired time
  • Required will force the deployment at the deadline (see Scheduling)
• In the Make available to the following drop down, select the Only media and PXE. This will ensure that you do not send the deployment on clients. This is also useful to avoid errors, using this options you *could* send the deployment to All Systems and no clients would be able to run the deployment from Windows

• On the Scheduling tab, enter the desired available date and time. On the screenshot, we can’t create an Assignment schedule because we select Available in the previous screen

• In the User Experience pane, select the desired options

• In the Alerts tab, check Create a deployment alert when the threshold is higher than the following checkbox if you want to create an alert on the failures

• On the Distribution Point pane, select the desired Deployment options. We will leave the default options

• Review the selected options and complete the wizard

PXE Boot

Now that we’ve created our task sequence and that it’s deployed. We can start the deployment on the machine. Make sure that your system is a member of your deployment collection and start the device. For this example, we will be using a virtual machine running on Hyper-V.

• The machine is booting and waiting for the PXE to respond

• Our SCCM Distribution point is sending the boot image to our VM

• The Welcome to the Task Sequence Wizard pops-up. This is because of the Available purpose in the Deployment Settings. If we had a Required deployment, the task sequence would start right away. Click Next

• All the available task sequence are listed. In our example we have only 1 deployment on our collection so only 1 task sequence is available. Select the task sequence and click Next

• The Task Sequence starts

Monitoring

See our blog post on this topic which covers the various ways to monitor your Task Sequence progress.

The post SCCM Windows 10 Deployment | Create SCCM Windows 10 Task Sequence appeared first on System Center Dudes.

In the first part of this blog series on how to deploy Windows 10 with SCCM, we will prepare our environment for Windows 10. If you’re already deploying other operating systems with SCCM 1511, adding Windows 10 is just a matter of adding a new WIM (which our post covers in part 4). If you’re new to deploying operating system with SCCM, follow this post which will covers all steps needed before you can deploy your first systems.

Overview SCCM Windows 10 Deployment

1. Upgrade to SCCM 1511
2. Enable PXE Support
3. Prepare your boot image
4. Prepare your Operating Systems
5. Create your SUG
6. USMT Packages

Upgrade to SCCM 1511

It’s possible to manage Windows 10 with SCCM 2012 but when it comes to deploying Windows 10, if you want to use the full features, you need SCCM 1511 and further. Follow our guide to upgrade your SCCM server and make sure that you are upgrading your Windows ADK version which is included in the upgrade process.

Enable PXE Support

Follow these steps if you want to deploy your images using PXE boot (recommended)

• Open the SCCM Console
• Go to Administration / Site Configuration / Servers and Site System Roles
• Select your distribution point and right-click on the Distribution point role on the bottom, select Properties

• Select the PXE tab
• Enable the Enable PXE support for Clients check-box and answer Yes when prompted about firewall ports (UDP ports 67, 68, 69 and 4011 )

• Check the Allow this distribution point to respond to incoming PXE requests check box
• Check the Enable unknown computer support check box
• Ensure that the Respond to PXE request on all network interfaces is selected
• Click Ok

Your distribution point will now install Windows Deployment Services (if not already installed) and will copy the necessary files on the distribution point.

You can monitor this process in the SCCM Console :

• Go to Monitoring / Distribution Status / Distribution Point Configuration Status
• Click your distribution point on the top and select the Details tab on the bottom
• You will see that the distribution point PXE settings has changed

Prepare your boot image

Drivers

Before launching your first boot image you must include your Windows 10 drivers into the boot image. Our rule of thumb about drivers is to try to boot a certain model and if it fails, add the drivers. Do not add all your NIC drivers to your boot image, it’s overkill and unnecessary increase the size of the boot image.

To add drivers to the boot image :

• Open the SCCM Console
• Go to Software Library / Operating Systems / Boot Images
• Right-click your Boot Image, select Properties
• Select the Drivers tab

• Click the Star icon
• Select the desired drivers and click OK

• The selected drivers are added to the boot image, once you click OK, SCCM will inject the driver in your boot image

Customization

We will now make a couple customization to the boot image to enable command support (F8) and add a custom background image to the deployment

• Open the SCCM Console
• Go to Software Library / Operating Systems / Boot Images
• Right-click your Boot Image
• Select the Customization tab
• Check the Enable command support checkbox. This allows to have the F8 command line support during deployment
• Specify a custom background if needed by checking Specify the custom background image file checkbox

• If you’re using a PXE-enable distribution point, select the Data Source tab and check the Deploy this boot image from the PXE-Enabled distributon point checkbox

• Click Apply and Yes to the warning, close the window

Distribute your boot image

Since you’ve upgraded your ADK to version 10 and made modifications to your boot image, you need to redistribute it to your distribution points.

• Right click your boot image and select Update Distribution Points

Prepare your Operating Systems

We will now import the Windows 10 WIM file for Windows 10 deployment.

We will start by importing the default Install.Wim from the Windows 10 media for a “vanilla” Windows 10 deployment. You could also import a WIM file that you’ve created through a build and capture process.

• Open the SCCM Console
• Go to Software Library / Operating Systems / Operating System Images
• Right click Operating System Images and select Add Operating System Image

• On the Data Source tab, browse to your WIM file. The path must be in UNC format

• In the General tab, enter the Name, Version and Comment, click Next

• On the Summary tab, review your information and click Next

• Complete the wizard and close this window

Distribute your Operating System Image

We now need to send the Operating System Image (WIM file) to our distribution points.

• Right click your Operating System Image, select Distribute Content and complete the Distribute Content wizard

We will now import the complete Windows 10 media in Operating System Upgrade Packages. This package will be used to upgrade a Windows 7 (or 8.1) device to Windows 10 using an Upgrade Task Sequence.

• Open the SCCM Console
• Go to Software Library / Operating Systems / Operating System Upgrade Packages
• Right click Operating System Upgrade Packages and select Add Operating System Upgrade Packages

• In the Data Source tab, browse to the path of your full Windows 10 media. The path must point on an extracted source of a ISO file. You need to point at the top folder where Setup.exe reside

• In the General tab, enter the Name, Version and Comment, click Next

• On the Summary tab, review your information and click Next

• Complete the wizard and close this window

Distribute your Operating System Upgrade Packages

We now need to send the Operating System Upgrade Package to your distribution points.

• Right click your Operating System Upgrade Package, select Distribute Content and complete the Distribute Content wizard

Create Software Update Group

One important thing in any OSD project, is to make sure that every machines deployments are up to date. Before deploying Windows 10, make sure that your Software Update Point is configured to include Windows 10 patches.

Once Windows 10 is added to your Software Update Point, we will create a Software Update Group that will be deployed to our Windows 10 deployment collection. This way, all patches released after the Windows 10 media creation (or your Capture date) will be deployed during the deployment process.

To create a Windows 10 Software Update Group :

• Open the SCCM Console
• Go to Software Library / Software Updates / All Software Updates
• On the right side, click Add Criteria, select Product, Expired and Superseded
  • Product : Windows 10
  • Expired  : No
  • Superseded : No

• Select all patches and select Create Software Update Group

• Once created, go to Software Library / Software Updates / Software Update Groups
• Right-click your Windows 10 SUG and deploy it to your OSD deployment collection

USMT Package

If you are planning to use USMT to capture and restore user settings and files, you need to make sure that the USMT package is created and distributed.

• Open the SCCM Console
• Go to Software Library / Application Management / Packages
• Right-click the User State Migration Tool for Windows 10 package and select Properties
• On the Data Source tab, ensure that the package is using the ADK 10 – Which is per default C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\User State Migration Tool
• Right-click the User State Migration Tool for Windows 10 package and select Distribute Content

That’s it ! You have everything that’s needed to create your first Windows 10 deployment. Read the next parts of this blog series to successfully deploy Windows 10.

The post SCCM Windows 10 Deployment | Prepare your environment appeared first on System Center Dudes.

When deploying Windows 10 operating system using SCCM, you will need to monitor SCCM task sequence progress. This allows to track task sequence start, end time and most importantly errors (if any). Our post will shows 4 different ways to monitor SCCM task sequences. Each of them has their own benefits and drawbacks.

Monitor SCCM Task Sequence Using the Console

You can view the progress of a task sequence using the SCCM console. This method is simple and easy but permit to see the status of only one machine at the time. If your deployment staff don’t have access to the console or view deployment status, this option is not for you.

• Open the SCCM Console
• Go to Monitoring / Deployments
• Search and right-click the deployment linked to your Windows 10 task sequence
• On the menu, select View Status

• In the Deployment Status screen, select the In Progress tab for a running task sequence or the Success tab to review a completed task sequence
• At the bottom, click the Asset Details pane, right-click your device and select More Details

• On the Asset Message screen, click the Status tab
• You can view all task sequence Action Name with their Last Message Name

Console Status Message Queries

You can use Status Message Queries in the SCCM console to filter only task sequence messages. This method is useful to have messages from multiple devices instead of targeting a specific computer like in the previous methods. This method is a bit trickier to implement.

• The first step is to get the DeploymentID of your task sequence deployment
• Go to Monitoring / Deployments
• Add the DeploymentID column by right-clicking the top row. Note your DeploymentID, in our example 1002000B

• Go to Monitoring / System Status / Status Message Queries
• Right-click Status Message Queries and select Create Status Message Query

• On the General tab, enter a desired Name and click on Edit Query Statement

• On the Query Statement Properties window, click on Show Query Language

• Enter the following query in the Query Statement window

• Change the SMS_StatMsgAttributes.AttributeValue to reflect your DeploymentID

• Click OK
• In the Status Message Queries node, find your newly created Query, right-click on it and select Show Messages

• Select the desired Date and Time and click OK

• All messages from your selected deployment will be displayed for all devices that run it

SCCM Built-in Reports

There’s 28 built-in reports concerning task sequence in SCCM. The majority of the reports focus on statistics about overall deployments. To monitor progress, we refer to the 2 following reports :

• Task Sequence – Deployment Status / Status of a specific task sequence deployment for a specific computer
  • This report shows the status summary of a specific task sequence deployment on a specific computer.

• Task Sequence – Deployment Status / History of a task sequence deployment on a computer
  • This report displays the status of each step of the specified task sequence deployment on the specified destination computer. If no record is returned, the task sequence has not started on the computer.

 

As you can see, readability is easier using the console but keep in mind that reports can be accessible without having console access.

SMSTS.log

Last method we want to cover to monitor Windows 10 task sequence deployment is using the SMSTS.log file. This is the method you’ll want to use when you have a failing task sequence. The SMSTS.log file contains every details about every steps in your task sequence. It’s the first place to look to troubleshoot a problem with a specific deployment.

The downside of this file is that it’s stored locally on the computer (by default). Another downside is that this file location change depending on the stage you are at :

• Connect on the computer you want to troubleshoot
• Press the F8 key. A command prompt will open. If you have no command prompt by pressing F8, consult our Preparation post to enable Command Line support in your Boot image
• In the command windows, enter CMTrace to open the log viewer (it’s included by default in the latest WinPE version)

• Browse to the location when the file reside (see above table)

• The SMSTS.log opens and you can search for errors

There’s also methods to redirect your SMSTS.log automatically to a network share which could help :

• Using SLShare variable (MDT Integrated)
• Using the _SMSTSLastActionSucceeded variable

We hope this post will ease your Windows 10 deployments. Leave your comments and questions in the comment section.

The post Windows 10 Deployment | Monitor SCCM Task Sequence Progress appeared first on System Center Dudes.

In the third post of this blog series about Windows 10 Deployment using SCCM, we will show you how to create a SCCM Windows 10 Build and Capture Task Sequence and deploy it. Complete the preparation of your environment before reading this post. You will be able to edit this task sequence later to customize it to your environment.

The goal of a build and capture task sequence is to capture a reference machine OS in order to redeploy its configuration multiple time. As a best practice, we recommend not to add too much software and customization to your reference image. Rather, use the task sequence steps to customize your deployment which decrease management operation tasks in the long run.

For example, if you want to include Adobe Reader to your reference image because all your users need it, do not install it on your reference machine and do your capture. Instead, use the Installed Software step in the capture task sequence. When a new version of Adobe Reader will be released, it will be a matter of a couple of click to replace the old version with the new one.

Create SCCM Windows 10 Build and Capture Task Sequence

• Open the SCCM Console
• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click Task Sequences and select Build and capture a reference operating system image

• On the Task Sequence Information tab enter a task sequence Name and Description
• Select the desired boot image

• On the Install Windows pane, select the Image package and Image index you imported in part 1
• Leave the Product key blank, if you are using MAK keys, read this post on how to handle that in your Task Sequence. (Hint : Even with MAK key, you need to leave the Product key blank)
• Enter a password for the local Administrator account

• In the Configure Network pane, select to Join a workgroup. There’s no reason to join a domain when creating a build and capture task sequence. You’ll still be able to join a domain when creating a task sequence to deploy this image

• On the Install Configuration Manager Client pane, select your Configuration Manager Client Package and enter your installation properties

• On the Include Updates pane, select the desired Software Update task
  • All Software Updates will install the updates regardless of whether there is a deadline set on the deployment (on your OSD collection)
  • Mandatory Software Updates will only install updates from deployments that have a scheduled deadline (on your OSD collection)
  • Do not install any software updates will not install any software update during the Task Sequence

• On the Install Applications tab, click on the Star Icon to add any application that you want to be installed during your build and capture deployment. These applications will be part of the reference image, we recommended adding only software that need to be included in every deployment… and even there, I prefer add it to a deployment task sequence rather to include it in my image. The reason is pretty simple, if you need to make an application change, you only have 1 step to change to your task sequence rather than redo the whole build and capture process and then modify your task sequence with the new image. Some likes to add Office or other big applications that every users needs to reduce deployment time.

• On the System Preparation tab, click Next

• On the Image Properties tab, enter the desired information

• On the Capture Image tab, select the path where you want to save the .WIM file
• Enter the account to access the folder. This account needs write permission

• On the Summary tab, review your choices and complete the wizard

Deploy Windows 10 Build and Capture Task Sequence

Now that our Task Sequence is created, we will deploy it to a collection and start a Windows 10 Build and capture. It’s strongly recommended to deploy a build and capture on a virtual machine.

• Open the SCCM Console
• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click your Windows 10 Build and Capture Task Sequence and select Deploy

• On the General pane, select your build and capture collection. This is the collection that will receive the Windows 10 installation and be captured to create the new WIM file

• Select the Purpose of the deployment
  • Available will prompt the user to install at the desired time
  • Required will force the deployment at the deadline (see Scheduling)
• In the Make available to the following drop down, select the Only media and PXE. This will ensure that you do not send the deployment on clients. This is also useful to avoid errors, using this options you *could* send the deployment to All Systems and no clients would be able to run the deployment from Windows

• On the Scheduling tab, enter the desired available date and time. On the screenshot, we can’t create an Assignment schedule because we select Available in the previous screen

• In the User Experience pane, select the desired options

• In the Alerts tab, check Create a deployment alert when the threshold is higher than the following checkbox if you want to create an alert on the failures

• On the Distribution Point pane, select the desired Deployment options. We will leave the default options

• Review the selected options and complete the wizard

PXE Boot

Now that we’ve created our task sequence and that it’s deployed. We can start the deployment on the machine. Make sure that the system you want to capture is a member of your deployment collection and start the device. (See this Technet article to know how to import a computer).

For this example, we will be using a virtual machine running on Hyper-V.

• The machine is booting and waiting for the PXE to respond

• Our SCCM Distribution point is sending the boot image to our VM

• The Welcome to the Task Sequence Wizard pops-up. This is because of the Available purpose in the Deployment Settings. If we had a Required deployment, the task sequence would start right away. Click Next

• All the available task sequence are listed. In our example we have our deployment and our build and capture task sequence. Select the Build and Capture task sequence and click Next

• The Task Sequence starts

Monitoring

See our blog post on this topic which covers the various ways to monitor your task sequence progress.

The post Windows 10 Deployment | Create SCCM Windows 10 Build and Capture Task Sequence appeared first on System Center Dudes.

In the fourth post of this blog series about Windows 10 Deployment using SCCM, we will show you how to upgrade a Windows 7 to Windows computer 10 using SCCM task sequence upgrade.

The goal of an upgrade task sequence is to upgrade an existing operating system to Windows 10 without loosing any data and installed software. This post assumes that you are running SCCM 1511 or SCCM 1602 and that you completed the preparation of your environment for Windows 10.

If you are running SCCM 2012 R2 SP1, the product team has release important information about SCCM task sequence upgrade that you can find in this blog post.

In the past, an in-place upgrade scenario was not a reliable and popular option to deploy the latest version of Windows. With Windows 10, it’s now reliable and features an automatic rollback in case something goes wrong. This scenario can also be considered faster than the wipe and reload deployment scenarios, since applications and drivers don’t need to be reinstalled.

When to use In-Place Upgrade Scenario ?

Consider using SCCM upgrade task sequence if :

• You need to keep all existing applications and settings on a device
• You need to migrate Windows 10 to a later Windows 10 release (ex: 1511 to 1602)
• You don’t need to change the system architecture (32 bits to 64 bits)
• You don’t need to change the operating system base language
• You don’t need to downgrade a SKU (Enterprise to Pro). The only supported path is Pro to Enterprise or Enterprise to Enterprise)
• You don’t need to change the BIOS architecture from legacy to UEFI
• You don’t have multi-boot configuration

Windows 10 is now managed as a service, this upgrade process can also be used to migrate Windows 10 to a later Windows 10 release or you can use the new Windows 10 servicing feature in SCCM 1602 and later.

Possible Upgrade Path when using SCCM Task Sequence Upgrade

• Windows 7, Windows 8 and Windows 8.1 can use this method to upgrade to Windows 10
• You can’t upgrade a Windows XP or Windows Vista computer to Windows 10
• Windows 10 is the only final destination OS (You can’t upgrade a Windows 7 to Windows 8.1 using this method)

Requirements

• As stated in the start of this blog post, you need at least SCCM 2012 R2 SP1 (or SCCM 2012 SP2) to support the upgrade task sequence
• You cannot use a custom image for this scenario, you must start from the original WIM from the Windows 10 media

Three major vendors have supported workarounds documented on their support sites :

Understanding the In-Place Upgrade Process

If you want to understand all the phases in the upgrade process, we strongly recommend watching the Upgrading to Windows 10: In Depth video from the last Microsoft Ignite event.

Create SCCM Task Sequence Upgrade Windows 7 to Windows 10

Enough writing, let’s create a SCCM task sequence upgrade for a Windows 7 deployment.

• Open the SCCM Console
• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click Task Sequences and select Upgrade an operating system from upgrade package

• In the Task Sequence Information tab, enter a Task Sequence Name and Description

• On the Upgrade the Windows Operating System tab, select your upgrade package by using the Browse button. If you don’t have imported an upgrade package yet, use the step provided in our preparation blog post

• On the Include Updates tab, select the desired Software Update task
  • All Software Updates will install the updates regardless of whether there is a deadline set on the deployment (on your OSD collection)
  • Mandatory Software Updates will only install updates from deployments that have a scheduled deadline (on your OSD collection)
  • Do not install any software updates will not install any software update during the Task Sequence

• On the Install Applications tab, select any application you want to add to your upgrade process

• On the Summary tab, review your choices and click Next

• On the Competition tab, click Close

Edit the SCCM Task Sequence Upgrade

Now that we have created the task sequence, let’s see what it looks like under the hood:

• Open the SCCM Console
• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click your upgrade task sequences and select Edit

As you can see, it’s fairly simple. SCCM will take care of everything in a couple of steps :

• The Upgrade Operating System step contains the important step of applying Windows 10

Deploy the SCCM Upgrade Task Sequence

We are now ready to deploy our task sequence to the computer we want to upgrade. In our case, we are targeting a Windows 7 computer.

• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click Task Sequences and select Deploy

• On the General pane, select your collection. This is the collection that will receive the Windows 10 upgrade. For testing purposes, we recommend putting only 1 computer to start

• On the Deployment Settings tab, select the Purpose of the deployment
  • Available will prompt the user to install at the desired time
  • Required will force the deployment at the deadline (see Scheduling)
• You cannot change the Make available to the following drop-down since upgrade packages are available to client only

• On the Scheduling tab, enter the desired available date and time. On the screenshot, we can’t create an Assignment schedule because we select Available in the previous screen

• In the User Experience pane, select the desired options

• In the Alerts tab, check Create a deployment alert when the threshold is higher than the following check-box if you want to create an alert on the failures

• On the Distribution Point pane, select the desired Deployment options. We will leave the default options

• Review the selected options and complete the wizard

Launch the Upgrade Process

Now that our upgrade task sequence is deployed to our clients, we will log on our Windows 7 computer and launch a Machine Policy Retrieval & Evaluation Cycle from Control Panel / Configration Manager Icon

• Open the new Software Center from the Windows 7 Start Menu
• You’ll see the SCCM upgrade task sequence as available. We could have selected the Required option in our deployment schedule, to launch automatically without user interaction at a specific time

• When ready, click on Install

• The following warning appears

• Click on Install Operating System

• The update is starting, the task sequence Installation Progress screen shows the different steps

• The WIM is downloading on the computer and saved in C:\_SMSTaskSequence

• You can follow task sequence progress in C:\Windows\CCM\Logs\SMSTSLog\SMSTS.log

• After downloading, the system will reboot

• The computer restart and is loading the files in preparation of the Windows 10 upgrade

• WinPE is loading

• The upgrade process starts. This step should take about 15 to 30 minutes depending of the device hardware

• Windows 10 is getting ready, 2-3 more minutes and the upgrade will be completed

• Once completed the SetupComplete.cmd script runs. This step is important to set the task sequence service to the correct state

• Windows is now ready, all software and settings are preserved

The post Windows 10 Deployment | SCCM Task Sequence Upgrade Windows 7 to Windows 10 appeared first on System Center Dudes.

As an IT professional, you already know that a security breach can be devastating. It can also be expensive, $4 million on average according to a 2015 survey sponsored by IBM.

Microsoft System Center Configuration Manager (ConfigMgr) can play a huge part in preventing attacks and implementing an enterprise-wide security solution. ConfigMgr helps companies make sure all endpoints are current with the latest security fixes, configured correctly, behaving normally, and only running authorized applications.

However, like almost everything else in IT these days, ConfigMgr itself is a target for hackers who can use it to distribute malware, take control of computers with access to private data, and engage in all manner of nefarious activity. According to a recent Adaptiva survey of more than 150 IT professionals, 70 percent expressed concern about potential security vulnerabilities in their Microsoft ConfigMgr environments.

Securing the perimeter of your company’s network is usually the #1 priority, and rightly so. However, securing ConfigMgr should also be a key part of your organization’s cyber defense strategy. A full list of security topics for ConfigMgr admins could span dozens or hundreds of topics. In this blog, I am giving you a place to start by explaining some key considerations and pointing you to some helpful online resources.

Restrict and Review ConfigMgr Administrative Users

This may seem obvious, but you’d be surprised how many companies overlook it. Admin privileges are the keys to the kingdom, and many IT shops hand them out too freely. Some basic guidelines are:

• Make sure that nobody has ConfigMgr permissions except people who specifically need them.
• Use role-based security and least privilege management (LPM) to make sure that nobody has more privileges than needed.
• Look into all new administrators. Some companies perform a background check, others consider it sufficient to just contact references.
• Review the assignments on a regular basis. Just because somebody needed ConfigMgr superpowers a year ago does not mean they still need them today.
• Check the audit logs once in a while to see that nobody is overstepping their bounds. This one is getting into the hard-to-justify-spending-the-time realm, but it will keep your company safer if you do it.

Secure the ConfigMgr SQL Server(s)

Securing SQL Servers is a critical part of any security strategy, and that definitely applies to ConfigMgr. In some companies a DBA will be responsible for SQL security, but as a ConfigMgr admin you will likely install SQL server and may end up owning its security.

SQL security is a vast topic, but there are a few very basic things that should apply in almost every deployment. First, always use Windows Authentication (never Mixed Mode). Second, secure the “sa” account by disabling it, deleting it, or protecting it with a complex password—the default password is the first thing hackers try.

Third, don’t forget SQL Express! In an architecture with secondary site servers, ConfigMgr may install SQL Express from files on the primary (unless you point it to a SQL Server instance instead). Those SQL Express install files may be out of date, so be sure to update after installation. However, the broader point is to make sure you update it regularly. Last year, Microsoft issued a SQL Express patch that fixed a remote execution vulnerability, so the threat is real—and easy to mitigate.

Lock-down Windows 10 OSD

Windows 10 OSD is a vast field about which volumes could be written. Some OSD security basics that will serve as a good jumping off point include:

• Never deploy task sequences to the All Unknown Computers collection
• Limit deployment to systems that have specifically been whitelisted/allowed for OSD
• Ensure that Task Sequences are kept clear of sensitive data
• Restrict physical access to OSD media
• Physically protect any physical system you use to create references images

Go Deep with Security

I’ve mentioned only few key things to look for. Other areas of ConfigMgr security include: permissions and authorization, server management, client management, content, and even business priorities. Also, to truly secure your systems management environment, you’ll need look at business processes in addition to systems and configurations.

To learn more, Adaptiva has put together a few educational security resources that go into much more detail:

Top 20 Security Best Practices Report PDF

Top 20 SCCM Security Best Practices Webinar: Recording & Slides

SCCM Security Checklist

Securing ConfigMgr

The post How to Start Securing ConfigMgr in the Enterprise appeared first on System Center Dudes.

In this post we will describe how to customize your windows 10 image to personalize it to your company. There’s an infinite amount of customization that can be made but i’ll try to cover the more frequent one, those that are asked 95% of every Windows 10 projects I was involved in. You could also do all those modifications through group policies if you want to enforce those settings.

SCCM Windows 10 Customization Package

Before we begin any customization, we will create a Windows 10 Customization package that we will use in our task sequence. It will be empty to start but we will create the folders and scripts during this blog post.

• Open the SCCM Console
• Go to Software Library / Application Management / Packages
• Create a new package
• On the Package tab, enter a Name, Description, Manufacturer and Source folder (this is where all scripts will be stored)

• On the Program Type tab, select Do not create a program

• On the Summary tab, review your choices and complete the wizard

File Association

The first item we will be covering is file association. By default, Windows 10 uses Microsoft Edge to open every PDF files and HTTP links. For this post, we will redirect PDF files to Adobe Reader and HTTP/HTTPS to Internet Explorer. You can redirect any extension to any software. You just need to make sure that the application that you associate is installed during your Windows 10 deployment (or in your image).

The first step is to make the association manually, we will then export the configuration to a XML file and we will use DISM in our task sequence to import the configuration.

• Log on a Windows 10 machine
• Open Control Panel / Programs / Default Programs / Set Associations

• Navigate to .PDF and click on Change Program

• Select Adobe Reader and click OK

• Your .PDF files are now associated to Adobe Reader
• For Internet Explorer association, select HTTP Protocol, .HTM and .HTML files, change program to Internet Explorer

Now that our associations has been done, we need to export the associations to a XML file using DISM :

• Open an elevated command prompt
• Run the following command : Dism /Online /Export-DefaultAppAssociations:C:\Temp\SCDAppAssoc.xml
  • (Change the XML file name and path if desired but make sure that the directory exists or you’ll get an error code 3)

The XML file can be opened using any text editor. You can see our modifications has been made. It’s possible to change manually in this file but it’s a bit tricky to find ProdId and ApplicationName.

• Copy the XML file to your Windows 10 customization package in the FileAssociations Folder

• Open the SCCM Console and browse to Packages
• Right-click your Windows 10 Customization package and select Update Distribution Point

• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click and Edit your Windows 10 task sequence
• Select Add / General / Run Command Line
  • Name : Set File Association
  • Command line : Dism.exe /online /Import-DefaultAppAssociations:FileAssociations\SCDAppAssoc.xml
  • Check the Package box and specify your Windows 10 customization package
• Position this step after the Windows image has been deployed

Setting the Default Windows 10 Wallpaper

We will now change the default Windows 10 wallpaper to a corporate one.

• The default Windows 10 wallpapers are stored in the C:\Windows\Web\Wallpaper\Windows\ folder
• Windows 10 also support 4K wallpapers which are stored in C:\Windows\Web\4K\Wallpaper\Windows

For our post, we will delete the 4K wallpapers and overwrite the default img0.jpg file. If you need to support 4K wallpaper, just place them in the 4K folder before updating your distribution points and the script will copy it to the right location.

By default, you can’t modify those files, we will use a PowerShell script to change the security of the folder and overwrite the wallpaper file. We will grant access to the SYSTEM account since it’s the account used during the SCCM task sequence.

• Create a new WallPaper\DefaultRes and WallPaper\4K folder in your Windows 10 customization directory
• Rename your wallpaper to img0.jpg copy it in the WallPaper\DefaultRes directory
• If 4K support is needed, copy your files in the WallPaper\4K Directory

Create a new Powershell script in the root of the Wallpaper directory and copy this code into it :

#Take OwnerShip of the files
TAKEOWN /f C:\Windows\WEB\Wallpaper\Windows\img0.jpg
TAKEOWN /f C:\Windows\Web\4K\Wallpaper\Windows\*.*
#Set permissions for SYSTEM Account
ICACLS C:\Windows\WEB\Wallpaper\Windows\img0.jpg /Grant 'System:(F)'
ICACLS C:\Windows\Web\4K\Wallpaper\Windows\*.* /Grant 'System:(F)'
#Delete the files
Remove-Item C:\Windows\WEB\Wallpaper\Windows\img0.jpg
Remove-Item C:\Windows\Web\4K\Wallpaper\Windows\*.*
#Copy the files
Copy-Item $PSScriptRoot\DefaultRes\img0.jpg C:\Windows\WEB\Wallpaper\Windows\img0.jpg
Copy-Item $PSScriptRoot\4k\*.* C:\Windows\Web\4K\Wallpaper\Windows

You’ll end up with the following structure :

• Open the SCCM Console and browse to Packages
• Right-click your Windows 10 Customization package and select Update Distribution Point

• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click and Edit your Windows 10 task sequence
• Select Add / General / Run PowerShell Script
  • Name : Set Wallpaper
  • Script Name : Wallpaper\ChangeWallpaper.ps1
  • PowerShell execution policy : Bypass
• Position this step after the Windows image has been deployed

Change Lock Screen Image

The lock screen image is the image you see when the computer is locked. To change it, we must copy our image locally on the computer and then modify a registry key to read it.

• Create a new LockScreen folder in your Windows 10 customization directory
• Create a new LockScreen.cmd file and copy the following code

• Create a new LockScreen.reg file and copy the following code (watch out of the “” when copy/pasting)

• Copy the image you want to set as the lock screen. For this blog post we will call it LockScreen.jpg. If you rename this file, make sure to change the script to fit this name.

You’ll end up with the following structure :

• Open the SCCM Console and browse to Packages
• Right-click your Windows 10 Customization package and select Update Distribution Point

• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click and Edit your Windows 10 task sequence
• Select Add / General / Run Command Line
  • Name : Set File Association
  • Command line : cmd.exe /c LockScreen\LockScreen.cmd
  • Check the Package box and specify your Windows 10 customization package
• Position this step after the Windows image has been deployed

Disable Microsoft Consumer Experiences

The latest Windows 10 feature upgrade includes a new feature that automatically installs a few apps from the Windows Store. Some apps like Candy Crush and Minecraft gets installed, we don’t think that belong to a work environment so we’ll delete it.

The good news is that it’s quite simple to disable. You need to disable a function called Microsoft Consumer Experiences. We will do this using a registry modification :

• Create a new ConsumerExperience folder in your Windows 10 customization directory
• Create a new DisableConsumerExperience.reg file and copy the following code :

You’ll end up with the following structure :

• Open the SCCM Console and browse to Packages
• Right-click your Windows 10 Customization package and select Update Distribution Point

• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click and Edit your Windows 10 task sequence
• Select Add / General / Run Command Line
  • Name : Disable Consumer Experience
  • Command line : Regedit.exe /s ConsumerExperience\DisableConsumerExperience.reg
  • Check the Package box and specify your Windows 10 customization package
• Position this step after the Windows image has been deployed

Create Custom Start Menu

We will now create a default Windows 10 start menu that will be used on every Windows 10 machine by default. If you add shortcuts to applications, make sure that you’ve include them in your task sequence or you’ll end up with a start menu looking like swiss cheese. (empty spots)

• Log on a Windows 10 machine
• Manually configure the Start Menu
• Create a new StartMenu folder in your Windows 10 customization package
• Start an elevated PowerShell and run the following command : Export-StartLayout -Path “C:\Temp\StartMenu.bin”
• Copy the StartMenu.bin file to your Windows 10 customization package in the StartMenu folder

• Open the SCCM Console and browse to Packages
• Right-click your Windows 10 Customization package and select Update Distribution Point

• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click and Edit your Windows 10 task sequence
• Select Add / General / Run Command Line
  • Name : Set Start Menu Layout
  • Command line : Powershell.exe Import-StartLayout -LayoutPath StartMenu\StartMenu.bin -MountPath C:\
  • Check the Package box and specify your Windows 10 customization package
• Position this step after the Windows image has been deployed

Set Windows 10 Pinned Taskbar items

Windows 10 permits to “pin” program on the task bar for easy access. Here’s how to create a standard task-bar for your Windows 10 users.

• Create a new PinTaskBar folder in your Windows 10 customization directory
• Log on a Windows 10 computer
• Manually pin all the desired program using the Pin to taskbar option

• Copy the links from %AppData%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar to your Windows 10 customization package in the PinTaskBar directory. This directory is hidden, so be sure to show Hidden Items

• Open Registry Editor
• Export the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband key to Win10Taskbar.reg

• Copy the Win10Taskbar.reg file to your Windows 10 customization package in the PinTaskBar directory
• Edit the Win10Taskbar.reg file using a text editor and replace the beginning of the first line
  • Replace HKEY_Current_User to HKEY_LOCAL_MACHINE\defuser

• The final string will be : HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Taskband
• Create a new Win10Taskbar.cmd file in your Windows 10 customization package in the PinTaskBar directory and copy the following code :

You’ll end up with the following structure :

• Open the SCCM Console and browse to Packages
• Right-click your Windows 10 Customization package and select Update Distribution Point

• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click and Edit your Windows 10 task sequence
• Select Add / General / Run Command Line
  • Name : Set Taskbar Pins
  • Command line : cmd.exe /c PinTaskBar\Win10Taskbar.cmd
  • Check the Package box and specify your Windows 10 customization package
• Position this step after the Windows image has been deployed

Conclusion

If you correctly follow this post, you’ll end up with this structure in your Windows 10 Customization package :

And you’ll have 6 new steps in your Windows 10 task sequence :

You can now deploy your Windows 10 task sequence to a test machine and all customization should be there. See our post on how to monitor your task sequence if something goes wrong or simply if you want to track the progress.

We hope this post will help you out for your Windows 10 customization. Feel free to post your customization using the comment section. We will update this post on a regular basis when we have more to share.

The post SCCM Windows 10 Customization using Task Sequences appeared first on System Center Dudes.

Since SCCM 1511, you can use the new upgrade task sequence to easily upgrade a Windows 7 computer to Windows 10. But what if you want to upgrade a computer from a 32-bits operating system to Windows 10 64-bits ? You can’t use the upgrade task sequence for this specific scenario. Another reason would be that your company decided to use the wipe and reload option in your Windows 10 migration project. In those cases you will need to use USMT to capture data and settings from the users profiles before applying the new operating system.

This post will describe how to upgrade a 32-bits computer to Windows 10 64-bits using USMT and SCCM. This post will be using hard-links without using a State Migration Point. Continue reading if you are not familiar with those terms, we will explain it later.

Since you’re at the step of deploying Windows 10, we assume that you already installed at least SCCM 1511 and the latest Windows ADK before reading this post. If not, read our related posts :

1. SCCM 1511 Upgrade Guide
2. Windows 10 Deployment | Prepare your environment

USMT Basics

Let’s start by giving a couple of facts about the User State Migration Tool :

• Latest USMT version is 5.0
• Latest Windows ADK 10 includes the latest version
• Supports capturing data and settings from Windows Vista and later (including Windows 10)
• Supports restoring the data and settings to Windows 7 and later (including Windows 10)
• Supports migrating from a 32-bit operating system to a 64-bit operating system, but not the other way around

What gets Migrated

By default, USMT migrates many settings (user profile, Control Panel configurations, files, and more). The default configuration files that are used in Windows 10 deployments are MigUser.xml and MigApp.xml. These two configurations files migrates the following data and settings:

• Folders from each profile (My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites folders)
• USMT templates migrate the following file types: .accdb, .ch3, .csv, .dif, .doc*, .dot*, .dqy, .iqy, .mcw, .mdb*, .mpp, .one*, .oqy, .or6, .pot*, .ppa, .pps*, .ppt*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk, .txt, .vl*, .vsd, .wk*, .wpd, .wps, .wq1, .wri, .xl*, .xla, .xlb, .xls*.
• Operating system component settings
• Application settings

If needed, you can create a custom configuration files to includes more files types or settings. See the following Technet post for detailed instructions.

For more details on what USMT migrates, see this Technet article. For more information on the USMT overall references, see this Technet article.

Where to Store the User Data and Settings

You can capture USMT data locally (Hard-links) or remotely using a State Migration Point in SCCM (File Copy).

• Hard-link migration takes advantage of advanced features of the NTFS file system that allow files to physically remain in-place and intact even after the drive is wiped (not formatted). When restored, pointers to the files are restored, so the files never physically have to be copied or moved outside the machine. To use hard-linking, select the Capture locally by using links instead of copying files option in the Capture User State task
• File copy: If hard-linking is not selected, the traditional file copy method for storing user state is used. This file copy method literally copies all identified user state data to an alternative location requiring extra disk space and extra time to complete the copy

• To store the user state data on a state migration point (File Copy), you must first Configure a state migration point to store the user state data
• To store the user state data on the destination computer for update deployments (Hard-Link), you must :
  • Add Capture User State steps to your task sequence and configure it to use local folder using links
  • Add Restore User State steps to your task sequence and configure it to restores the user state using those links

This post will focus on the hard-links option and will not describe how to customize the task sequence to use the state migration point.

Verify SCCM Windows 10 USMT Package

To store the user state locally or on a state migration point, you must create a package that contains the USMT source files that you want to use. This package is used in the Capture User State step of the migration task sequence.

• Open the SCCM Console
• Go to Software Library / Application Management / Packages
• Right-click the User State Migration Tool for Windows 10 package and select Properties
• On the Data Source tab, ensure that the package is using the ADK 10 – Which is per default C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\User State Migration Tool
• Right-click the User State Migration Tool for Windows 10 package and select Distribute Content

• If you have no User State Migration Tool for Windows 10 package, just create (without any programs) and distribute it

Creating the Capture and Restore User State Data Task Sequence

To capture and restore the user state, you must first create a new task sequence, but before, we’ll explain the different options in the User State Menu :

• Request State Store : This step is needed only if you store the user state on the State Migration Point
• Capture User State : This step captures the user state data and stores it on the State Migration Point or locally using hard-links
• Restore User State : This step restores the user state data on the destination computer. It can retrieve the data from a user state migration point or from hard-links
• Release State Store : This step is needed only if you store the user state on the State Migration Point. This step release this data from the State Migration Point

When you create a new task sequence from the latest SCCM version, the wizard takes care of the essential steps. Let’s create it and see what are the options :

• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click Task Sequence and select Create Task Sequence
• Select Install an existing image package

• On the Task Sequence Information tab, enter your Task sequence name, Description and Boot Image

• On the Install Windows tab, uncheck Partition and format the target computer and Configure task sequence for use with Bitlocker
  • If a format and partition of the disk is selected, it would wipe all data on the drive, including the USMT data. Instead, the Apply Operating System task will delete of all files and directories occurs on the drive minus protected USMT folders

• On the Configure Network tab, select to join your domain and specify the account to use

• On the Install Configuration Manager Client tab, select your client package

• On the State Migration tab, check Capture user settings and files, select your USMT Package
• Select Save user settings and files locally and check Capture locally by using links instead of by copying files

• If needed check the Capture Network Settings and Capture Windows Settings. See the attached links for more information about these options

• In the Include Update tab, select the desired update behavior

• On the Install Applications tab, select any applications that you want to include in your task sequence

• On the Summary tab, review your choices, click Next and complete the wizard

• Now that the task sequence is created, we’ll edit it and review the steps
• Right-click your newly created task sequence and click Edit
• You’ll notice 3 USMT steps has been created :
  • Set Local State Location : This step specify the directory where the local state will be saved. We are using the builtin variable OSDStateStorePath and set the value to %_SMSTSUserStatePath% but you can use a specific location if needed

• Capture User Files and Settings : This is the step when USMT will run the ScanState command. You will see this command in SMSTS.log when monitoring your task sequence. (By default : C:\_SMSTaskSequence\Packages\<YourPackageID>\amd64\scanstate.exe C:\_SMSTaskSequence\UserState /o /localonly /efs:copyraw /c /hardlink /nocompress /l:C:\Windows\CCM\Logs\SMSTSLog\scanstate.log /progress:C:\Windows\CCM\Logs\SMSTSLog\scanstateprogress.log /i:C:\_SMSTaskSequence\Packages\<ID>\amd64\migdocs.xml /i:C:\_SMSTaskSequence\Packages\<ID>\amd64\migapp.xml)

• Restore User Files and Settings : This is the step when USMT will run the LoadState command. You will see this command in SMSTS.log when monitoring your task sequence (By default : C:\_SMSTaskSequence\Packages\<YourPackageID>\amd64\loadstate.exe C:\_SMSTaskSequence\UserState /ue:<computername>\* /c /hardlink /nocompress /l:C:\WINDOWS\CCM\Logs\SMSTSLog\loadstate.log /progress:C:\WINDOWS\CCM\Logs\SMSTSLog\loadstateprogress.log /i:C:\_SMSTaskSequence\Packages\<ID>\amd64\migdocs.xml /i:C:\_SMSTaskSequence\Packages\<ID>\amd64\migapp.xml)

Add Support for WinPE

Now that we created a basic task sequence for USMT, we suggest to add a step to support offline capture. If you start your task sequence from PXE, you will need this new step because the step we just created will fail in Windows PE. We will add a step and condition to run depending of the environment in which the task sequence is ran.

• Right-click the task sequence you just created, select Edit
• Select the Capture User Files and Settings step
• Duplicate the task by doing CTRL-C, CTRL-V
• A new Capture User Files and Settings step is created, select the Capture in Off-line mode (Windows PE only) check box and rename the step to add (WinPE) at the end
• Rename the other Capture User Files and Settings step to (FullOS)
• You’ll end up with 2 similar Capture User Files and Settings step. One for Online mode (FullOS) and one for Offline mode (WinPE)

• Select the Capture User Files and Settings (Full OS) step and click on the Options tab
• Select Add Condition, Task Sequence Variable
  • Variable : _SMSTSInWinPE
  • Condition : Equals
  • Value : False

• Select the Capture User Files and Settings (WinPE) step and click on the Options tab
• Select Add Condition, Task Sequence Variable
  • Variable : _SMSTSInWinPE
  • Condition : Equals
  • Value : True

• Click Apply and Ok to close the task sequence

Deploy SCCM Windows 10 USMT Task Sequence

We are now ready to deploy our Windows 10 USMT task sequence to the Windows 7 computer we want to upgrade.

• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click your USMT Task Sequence and select Deploy
• On the General pane, select your collection. This is the collection that will receive the Windows 10 upgrade using USMT. For testing purposes, we recommend putting only 1 computer to start

• On the Deployment Settings tab, select the Purpose of the deployment
  • Available will prompt the user to install at the desired time
  • Required will force the deployment at the deadline (see Scheduling)
• You cannot change the Make available to the following drop-down since upgrade packages are available to client only

• On the Scheduling tab, enter the desired available date and time. On the screenshot, we can’t create an Assignment schedule because we select Available in the previous screen

• In the User Experience pane, select the desired options

• In the Alerts tab, check Create a deployment alert when the threshold is higher than the following check-box if you want to create an alert on the failures

• On the Distribution Point pane, select the desired Deployment options. We will leave the default options

• Review the selected options and complete the wizard

Testing on the Target Computer

For the sake of this post we created a VM with Windows 7 32 bits. We will run our newly created task sequence to upgrade to Windows 10 64 bits.

I also created multiple files in the user profile to shows the USMT actions. We simply created text documents in the various libraries and on the desktop.

• We open the Software Center, select our task sequence and click Install

• The computer will launch the USMT action before rebooting in Windows PE and install Windows 10

• Once the process completed, we have a brand new Windows 10 migrated with my files where I left them. Even the psycho tortoise wallpaper has made the move.

We hope this post will ease your Windows 10 migrations. Leave a comment if you have any questions.

The post Refreshing a Windows 7 Computer to Windows 10 using USMT and SCCM appeared first on System Center Dudes.

Injecting language pack into Windows 10 WIM images can be achieved in many different ways. MDT has a module to easily import image. SCCM can do it within a task sequence while the image is offline/online. You will also be able to do it by using DISM from the Windows ADK.

In this post, we will detail the process of injecting language packs into a Windows 10 WIM images using DISM.

Injecting a language pack with DISM provides a modified Install.wim that can later be used as a standalone solution to deploy Windows 10 from a media (DVD, USB) or as  a Windows OS source for  MDT or SCCM. This solution can also be used with our previous post as we explained how to create and capture a custom Windows 10 image.

Pre-Requisites for SCCM Inject Language Pack Windows 10

You must install few tools and plugins, before you get there.

• Windows ADK for Windows 10 (Download)
• Windows 10 1511 Enterprise ISO file
• Language Pack for Windows 10 same Current Branch version

Preparation

• Create a folders structure like this one below

• Copy the extracted Windows 10 ISO files to EN-FR-fr folder

• Mount your ISO language packs

• Browse to the needed language pack folder

• Copy your language folder (FR-FR) into the LangPack folder This folder must contain only one file (LP.cab)

Inject Language Pack Windows 10

To use DISM command lines,  we need the Deployment and Imaging Tools Environment from the Windows 10 ADK.

• Right click on Deployment and Imaging Tools Environment icon and select Run as administrator

• Type  dism /get-mountedimageinfo to validate if any other WIM are mounted
  • You can see that we don’t have any mounted image. If you have any, unmount it first before proceeding to the next steps

• We now need the information from the Install.WIM from the Windows 10 1511 EN-US
• Run the following command : (change to the path where you copied your sources files in the first steps)

• You must have at least a Windows 10 Enterprise Technical Preview installed to advanced
• Run the following command to mount the image :

• This will mount the WIM file to the Mount folder.

• Run the following command to inject the language pack into the mounted WIM

• At this point, the language pack is injected into the mounted WIM
• Now we need to commit changes, run the following command :

• Once changes are commited, WIM must be unmounted.
• Run the following command :

After the unmount is completed, take look at the Install.wim within EN-FR-fr folder. The modified Install.wim will be slightly bigger and modified date will be modified.

• Install.wim EN-FR-fr folder

Logs and More Info

If you experiment this problem with any of the command line from DISM, you can use the log file located in C:\Windows\Logs\DISM 

Even if not up-to-date, this Technet article can help with DISM Command lines options.

Inject Install.wim with Language Pack

We now have a source media with 2 languages in it. It can be used to install Windows 10 from a media source (manual install), for MDT and SCCM.

Bonus : Unattend.xml

In order to prevent the choice of language to prompt at first boot, an Unattend.xml file must be configured to answer the question from the Out-of-the-box experience (OOBE).

To create or modify an Unattend.xml file we need Windows System Image Manager, from the Windows ADK.

In the Unattend.xml file, the Microsoft-Windows-International-Core_neutral must be configured in the Specialize and OOBE System phase.

The 2 settings that needs to be configured for language packs are UILanguage and UILanguageFallback.

It must be configured the same way for both sections.

In the example bellow, FR-FR would be the default language,  and EN-US would be the Fallback language.

More information on Windows System Image Manager here

The post Windows 10 | Inject Language Pack with DISM appeared first on System Center Dudes.

A few month ago, Microsoft released Windows Store for Business to help IT administrators to buy, manage and distribute Windows Store Apps on Windows 10 devices. At that time, the solution was useful but not fully operational from an administration perspective. Windows Store for Business integration with SCCM is a new feature of SCCM 1606 and it’s a great addition.

This new feature offers the possibility for an enterprise to distribute and manage apps for Windows 10 devices while using similar methods for standard 32-bits applications.

Key Features

• Manage Volume-Purchased apps
• Synchronize the list of purchased apps
• Apps that are synchronized appear in SCCM Console
• Easy creation of apps from the Windows Store for Business using the Application model
• Same distribution and deployment methods as standard applications
• Review licensing information in the SCCM console

Limitations

• Support only free apps. Paid apps can’t be managed with the integration for now.
• For hierarchy with  a central administration site and at least one primary site, deployment of offline Windows Store for Business apps to devices managed by Intune

This post will detail how to integrate the Windows Store for Business with SCCM 1606 and how to deploy a Business App to a Windows 10 computer.

SCCM Windows Store for Business integration Pre-Requisites

• Windows 10 version 1511 and up
• Azure AD with an account Global Administrator
• SCCM Current Branch 1606 (Follow our upgrade guide)
• Supported browser to access Windows Store for Business website
  • Internet Explorer 10 and up
  • Microsoft Edge
  • Chrome current version
  • Firefox current version
• Proxy Configuration
  • All those URLs must be allowed to acquire, install or update apps
    • login.live.com
    • login.windows.net
    • account.live.com
    • clientconfig.passport.net
    • windowsphone.com
    • *.wns.windows.com
    • *.microsoft.com
    • *.msftncsi.com/ncsi.txt

You can read more information on this TechNet post.

Azure Active Directory required configurations

In order to integrate Windows Store for Business, a Web API must be created in Azure AD for SCCM.

• Open Azure AD via https://manage.windowsazure.com/
• Select Applications and click Add at the bottom

• Select Add an application my organization is developing

• Type an application name like Microsoft ConfigMgr and select Web application and/or Web API

• Specify the Sign-on URL and APP ID URL by following this format https://yourdomain.com/SCCM
  • Make sure both links are the same

• Highlight the application created and select Configure

• Under Keys, select the duration and then click Save
  • Do NOT close this window as we’ll need these information later to integrate in SCCM

Sign Up for Windows Store for Business

• Go to https://www.microsoft.com/business-store and click Sign In

• Sign-in with a Global Administrator account

• Accept agreement by checking the box and click Accept

• Windows Store for Business is now enabled

Configure Windows Store for Business

Permissions

First, it’s a good idea to have a look at the roles and permissions for the Windows Store for Business. They are NOT related to SCCM roles and permissions.

• Go to Settings – Permissions

• You must be a Global Administrator to assign roles and permissions

• For more details on roles and permissions for Windows Store for Business, please read this TechNet post

Offline Licensed

In order to install offline applications, we must allow Windows Store for Business to do it

• Go to Manage – Account Information

• Scroll to Offline licensing section
• Check the box Show offline licensed apps to people

Management Tools

Windows Store for Business must add a management tool for SCCM integration. This management tool is the Web API created in previous steps.

• Go to Settings – Management Tools

• Click Add a Management Tool

• Search for Microsoft ConfigMgr or the name specified in the WEB API from the earlier steps

• Be sure he Microsoft ConfigMgr tool is Active

Integration with SCCM Current Branch 1606

After the upgrade to SCCM CB 1606, a new feature is available for Windows Store for Business Integration.

• Go to Administration / Cloud Services / Updates and Servicing / Features

• Find Windows Store for Business Integration and right-click to Turn-On

• Windows Store for Business will then be visible under Administration / Cloud Services
  • Please allow couple of minutes to see it

• Right-click on Windows Store for Business and select Add Windows Store for Business Account

• Click Next

• Provide your Tenant Name, Client ID, Client Secret key and a location to store the application content downloaded
  • These are from the Web API created earlier
  • Verify the information provided

• Select the required Languages for your environment

• Validate the Summary

• Windows Store for Business wizard completed and click Close

• Windows Store for Business is now integrated to SCCM 1606

• Under Software Library / Application Management / License Information for Store App, we now see purchased apps
  • The initial sync from the Windows Store for Business will take some time
  • In our case it took a good 30 minutes before we saw are purchased apps

Take the Apps Offline

• Go in the Windows Store for Business web site and Select Shop or Search store at the top to find an app

• For this post, we chose Microsoft Remote Desktop

• Select Offline then Get the app

• The app is added to your Inventory

• Within the next 24 hours, SCCM will sync with Windows Store for Business and then we will see the purchased app in the SCCM console

How to deploy an App with SCCM on Windows 10

• Under Software Library / Application Management / License Information for Store App, select the App and right click Create Application

• Click Next

• The application information is imported to SCCM, then click Next

• Specify information and click Next

• Validate Summary and click Next

• Completed summary

• An Application as been created under Software Library / Application Management / Application

• From this point, the app is manageable just as any other applications

• The source as been downloaded to the source folder for Windows Store apps

• First we Distribute Content to distribution point

• Next, we will Deploy the application

• From the Software Center click on the App Microsoft Remote Desktop

• We can see the detail of the App and click Install

• We can follow the progress

• If installed with success, we can uninstall it from here if needed.

• App Remote desktop is now available from the start menu!

For more information on Windows Store for Business integration, read this TechNet post.

The post SCCM Windows Store for Business Integration appeared first on System Center Dudes.

One of the challenges faced by workstation administrators, is to manage the local administrator account in large environment. One of the options was to use Group Policy Preferences, but that was before KB2962486 removed the possibility to set password using Group Policy Preferences. Since then, Microsoft as come up with a solution : Local Administrator Password Solution (LAPS).

Here’s the benefits of using LAPS :

• Unique password for local administrator per computer
• Password available from Active Directory, if needed to use local administrator account
• Remotly change the local administrator password
• Ability to use a custom administrator account

Limitation :

• Only the local administrator account can be managed or a custom local account as administrator.

In this post, we will detail how to install Local Administrator Password Solution (LAPS) to manage the local administrator password on a Windows 10 computer.

High-level steps to install Local Administrator Password Solution (LAPS)

Pre-requisite

• Download LAPS here
  • Download both x86 and x64 version as this MSI will be deployed on clients to be managed
  • Detailed documentation is also available from that link
• Active Directory requirement
  • Windows Server 2003 SP1 and above
• Minimum OS requirement
  • Vista with current SP and above
  • Windows Server 2003 with current SP and above
• .NET Framework 4.0
• PowerShell 2.0 and above

Management Computer

First step is to install the management tools for LAPS on a computer.

• Execute LAPS.x64.msi from the downloaded files

• Click Next

• Accept Terms and click Next

• Install all the Management Tools
  • If you plan to manage this computer, you can also install the AdmPwd GPO Extension

• Click Install

• Click Finish

• In the start Menu, LAPS UI is available

Active Directory preparation

Preparing the Active Directory for LAPS is a two steps configuration :

• Schema extension
• Edit permissions (ACL)

Schema Extension

The Active Directory Schema needs to be extended to add two new attributes that store :

• Passwords of the managed local Administrator account for each computer
• Timestamp of password expiration

Both attributes are added to the may-contain attribute set of the computer class.

ms-Mcs-AdmPwd – Stores the password in clear text

ms-Mcs-AdmPwdExpirationTime – Stores the time to reset the password

Update the Schema 

• Open up an Administrative PowerShell window and use this command to import the module :

• To update the Schema, use this command :

Edit permissions

Active Directory permissions should be modified for the following reasons and needs :

• Remove the default permission
• Add Computers rights to update the password and expiration  (write)
• Allow specific user or group to read the password
• Allow specific user or group to reset (write) the password for a computer

All of those needs are manageable on specific OU and child OU. This will be different for each organisation needs.

For an easy setup, use the PowerShell commands from the module AdmPwd.ps as it will do exactly what we need.

Remove default permission

By default, read permission could be available to many users trough the all extended rights on a Specific OU. This should be uncheck if needed :

• Open ADSIEdit
• Right Click on the OU that contains the computer accounts that you are installing this solution on and select Properties
• Click the Security tab
• Click Advanced
• Select the Group(s) or User(s) that you don’t want to be able to read the password and then click Edit
• Uncheck All extended rights

Allow computers to update password and expiration time

The Write permission on the ms-Mcs-AdmPwdExpirationTime and ms-Mcs-AdmPwd attributes of all computer accounts has to be added to the SELF built-in account. This is required so the machine can update the password and expiration timestamp of its own managed local Administrator password. This is managed per OU.

• Run the following command to add the rights to SELF built-in account to a specific OU

Allow specific user or group to read password

To allow users or groups to read the stored password of the managed local administrator account, the Control_access permission must be given to ms-Mcs-AdmPwd attribute.

• To do so, run the following Powershell command line :

Allow specific user or group to reset password

To allow users or groups to reset the  password for a  managed local administrator account, the write permission must be added on ms-Mcs-AdmPwdExpirationTime .

• To do so, run the following powershell command line:

Group Policy

LAPS is manageable by GPO using a new template.

The templates are located on the management computer :

• %WINDIR%\PolicyDefinitions\AdmPwd.admx
• %WINDIR%\PolicyDefinitions\en-US\AdmPwd.adml

If you use the Central Store, you need to copy both files to \\domain\Sysvol\Policies\PolicyDefinition

The settings are located under Computer Configuration\Administrative Templates\LAPS

Available settings :

• Password Settings
  • Complexity
  • Lenght
  • Age(days)
• Name of the administrator account to manage
  • Do not configure if you use the default name
• Do not allow password expiration time longer than required by policy
• Enable local admin password management
  • this must be enabled in order to manage the local administrator password.

Clients to be managed

To manage a client, we must install LAPS on it by using the same MSI files downloaded in the prerequisite section :

• Create a standard package in SCCM

• Add a program to that package with the following command line :

• Deploy the package to the client you want to manage
• Package can also be deployed as part of Task sequence

How to read and reset passwords

• Start LAPS UI from the Start menu

• Search for computer name
• Password is available with expire date and time

• To reset the password, select a new Expiration time and click Set

• Status of the request is displayed at the bottom

• Hit search after a minute or two, and a new password with expiration time will be available

Source : documentation of LAPS

Bonus – Add Laps to SCCM Console

Thanks to Mike -S- for this awesome LAPS  Extension for SCCM console and it works just fine with Current branch (tested with 1602 so far).

Leave your LAPS experience in the comment section.

The post How to install Local Administrator Password Solution (LAPS) appeared first on System Center Dudes.

With the increasing speed of new Windows 10 releases, SCCM administrators will be faced with new testing process before deploying to all your users. During this process at a customer, we found an hardware inventory problem affecting only Windows 1607 devices. We were able to reproduce the problem in our lab and finally decided to submit the problem to Microsoft. They confirmed that it’s actually a bug that seems to reside in the latest Windows 10 1607 release. We had no inventory problem on this device using Windows 10 1511 and no changes were made in SCCM. The hardware inventory just stopped working after the Windows 1607 upgrade. We also reproduce the problem on a fresh Windows 1607 deployment.

Our setup is on SCCM 1606 but this error is present also on SCCM 1511.

We found 2 links that is identifying the problem. You can up vote the Connect item if you’re affected by this problem.

• Technet Forum
• Microsoft Connect

What’s causing the SCCM Hardware Inventory Problem on Windows 10 1607

The problem reside under the file encryption feature in Windows 10 1607 which cause an error when trying to send the file to the management point. The EFS feature is not new to Windows 10. It has been in Windows for years. Read more about EFS on this Technet article.

Here’s how to check if you’re affected by this problem :

• We’ll start by checking the server logs which there’s no entries related to the device in the MP_Hinv.log and Dataldr.log on the Management Point
• On the client InventoryAgent.log, we can see that the XML was generated and sent to Management Point
  • Inventory: Starting reporting task Reporting: 92 report entries created Inventory:
  • Reporting Task completed in 18.785 seconds
  • Inventory: Successfully sent report.
  • Destination:mp:MP_HinvEndpoint, ID: {831C6FFD-651A-48A3-F187DCFB38FB}, Timeout: 80640 minutes MsgMode: Signed, Not Encrypted
  • Inventory: Cycle completed in 109.319 seconds

Since BITS is used to send the reports, we’ll check the BITS jobs status on our affected client :

• Open a PowerShell session
• Launch the command : Get-BitsTransfer -allusers -verbose

• Check the JobState column, you can see TransistentError on CCM Message Upload jobs
• On a administrator command prompt, we’ll look at the job status
• Type the following command : Bitsadmin /list /allusers /verbose

• See the error code 0x8007177f – This machine is disabled for file encryption for our job {831….8FB}
• Browsing to the path of the file (C:\Windows\CCM\ServiceData\LocalPayload) we can see that jobs are pilling up

The machine effectively has EFS disabled by Group Policy but it was also disabled on Windows 1511 using the same GPO without any SCCM hardware inventory problem.

Workaround

At the time of writing this post, there’s only a workaround proposed by Microsoft Support. Enabling EFS on the affected clients which means that your users can suddenly encrypt files and folders on their system… Maybe not a good solution for all environment.

To enable EFS on the affected client :

• Open Regedit
• Browse to HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS\
• Change the EfsConfiguration key value from 1 to 0 – (Yes 0 means Enabled and 1 is disabled)
• Reboot the system

• Once rebooted, initiate a manual hardware inventory and the process should complete successfully

We’ll update this post if we have new information about this SCCM Hardware Inventory problem on Windows 10 1607. Meanwhile, use the Connect Item to up-vote or use the comment section to share your experience.

The post SCCM Hardware Inventory Problem on Windows 10 1607 appeared first on System Center Dudes.