Before deploying a new Windows 10 feature upgrade, you need a good plan. Test it in a lab environment, deploy it to a limited group and test all your business applications before broad deployment. Do not treat a feature upgrade like a normal monthly software update. Treat it as a new operating system, as if you were upgrading Windows 7 to Windows 10.
This blog post will cover all the tasks needed to deploy the new Windows 10 1709 using SCCM:
Check if you have an SCCM Supported version
Upgrade your Windows ADK
Create a Servicing Plan to update your existing Windows 10
Import the OS in SCCM to use with your deployment Task Sequence
Create a Windows 10 Task Sequence for new computers
Create a Windows 10 Upgrade Task Sequence for Windows 7 or 8.1 computers
Update your Automatic Deployment Rules and Software Update groups
Import your ADMX
Check SCCM Version
For Windows 10 1709 (Fall Creators Update), you need at least SCCM 1706 in order to support it as a client. See the following support matrix if you're running an outdated SCCM version and make sure to update your site.
Windows ADK
Before capturing and deploying a Windows 10 1709 image, make sure that you’re running a supported version of the Windows ADK.
SCCM Windows 10 1709 Servicing Plans Requirements
If you’re already running Windows 10 in your organization, a Servicing plan is the simplest method to upgrade to an up-to-date Windows 10 version. If it’s the first time you are using Windows 10 servicing plans, follow our previous post that explains the requirements to set up your Software Update Point.
We’ll start by making sure that the latest Windows 10 1709 Feature Upgrade is synchronized on our server:
Go to Software Library \ Windows 10 Servicing
Right-click Windows 10 Servicing, select Synchronize Software Updates
As for any Software Update synchronization process, follow the progress in Wsyncmgr.log in your SCCM installation directory
Once completed, go to Software Library \ Windows 10 Servicing \ All Windows 10 Updates
You should have your Windows 10 1709 Upgrade packages listed
Warning
At the time of this writing, there's a bug that lists every update twice. Only one of the two will show as Required; select that one.
Create Windows 10 1709 Servicing Plans
Now that we have the Windows 10 1709 upgrade packages synchronized in SCCM, we can create a servicing plan for our "outdated" Windows 10 devices (1511, 1607, 1703). Servicing Plans and Automatic Deployment Rules share the same engine, so you won't be disoriented by servicing plans.
Warning
Servicing plans are designed to upgrade Windows 10 from one build to another build only. You can't use them to upgrade Windows 7 to Windows 10. If you need to upgrade Windows 7 to Windows 10, use an Upgrade Task Sequence instead. This is covered later in this blog post.
Looking at the Windows 10 Servicing dashboard (Software Library \ Windows 10 Servicing), you can see your Windows 10 expiration statistics:
Go to Software Library \ Windows 10 Servicing \ Servicing Plan
Right-click Servicing Plan and select Create Servicing Plan
In the General pane, give a Name and Description, click Next
On the Servicing Plan tab, click Browse and select your Target Collection
In the Deployment Ring tab:
Specify the Windows readiness state to which your servicing plan should apply. The CB and CBB names are still there but will certainly change in the future (Microsoft now calls them Semi-Annual Channel (Targeted) and Semi-Annual Channel).
Specify how many days you want to wait before deploying
In the Upgrade tab, specify the Language, Required and Title of the upgrade packages you want to deploy. The language feature is available in SCCM 1602 and later.
Use the Preview button to ensure that you are targeting the right version (We are targeting Windows 10 1709 Enterprise en-us devices)
In the Deployment Schedule tab, select the desired behavior
In the User Experience tab, select the desired options
In the Deployment Package tab, select Create a new deployment package and enter your Package Source path
In the Distribution Points tab, select your distribution point
In the Download Location tab, select Download software updates from the Internet
In the Language Selection tab, select your language
In the Summary tab, review your settings and close the Create Servicing Plan wizard
Right-click your newly created Servicing Plan and select Run Now
Check the RuleEngine.log file to see the progress. This process takes a while.
A Software Update Group and Deployment Package will be created. The size of the package will be around 2-3 GB per language
You can also see that the deployment gets created in the Monitoring / Deployments section
Ensure that your Deployment Package (specified in the Servicing Plan) has been distributed to your Distribution Points
Windows 10 1709 Servicing Plan Deployment
Now that the deployment is triggered for clients, we will launch the installation manually using software center.
Initiate a Software Updates Deployment Evaluation Cycle using the Configuration Manager icon in Control Panel
Open Software Center / Updates; Feature Update to Windows 10 Enterprise 1709, en-us is listed
Select it and select Install
Accept the warning by clicking Install
The computer will restart after about 5 minutes
The whole upgrade process takes about 30 to 45 minutes and your device will be rebooted multiple times
Once completed, log on to the computer with your account. Windows is happy to tell you that it's updated
We are now running Windows 10 Enterprise version 1709 (Build 16299)
Back in the Software Library \ Windows 10 Servicing \ Servicing Plan node
Our machine is now listed as Windows 10 version 1709 and is no longer listed as Expire Soon in the Windows 10 Servicing node
The Service Plan Monitoring section can be used to monitor compliance and you can use the Deploy Now button to deploy the same service plan to a new collection
Using an Upgrade Task Sequence and Deploying New Windows 10 Computers (Operating System Deployment)
It’s also possible to upgrade an existing Windows 10 computer using an upgrade task sequence. This method is useful if you need to run pre and post actions in your upgrade process.
If you need to upgrade an older operating system (Windows 7 or 8.1), refer to the Create SCCM Task Sequence Upgrade Windows 7 to Windows 10 1709 section
You will also probably want to create or modify your existing task sequence so that new computers have the latest Windows 10 1709 version.
Import Windows 10 1709 Operating System
We will now import the Windows 10 1709 WIM file for Operating System Deployment.
We will be importing the default Install.Wim from the Windows 10 media for a “vanilla” Windows 10 deployment. You could also import a WIM file that you’ve created through a build and capture process.
Open the SCCM Console
Go to Software Library / Operating Systems / Operating System Images
Right-click Operating System Images and select Add Operating System Image
On the Data Source tab, browse to your WIM file. The path must be in UNC format
In the General tab, enter the Name, Version and Comment, click Next
It's normal to see Windows 10 Education listed even if you are importing the Enterprise edition: this WIM contains multiple indexes and the wizard only shows the first one. You'll choose the right index in your deployment Task Sequence
On the Summary tab, review your information and click Next. Complete the wizard and close this window
Distribute your Operating System Image
We now need to send the Operating System Image (WIM file) to our distribution points.
Right-click your Operating System Image, select Distribute Content and complete the Distribute Content wizard
We will now import the complete Windows 10 media in Operating System Upgrade Packages. This package will be used to upgrade a Windows 7 (or 8.1) device to Windows 10 using an Upgrade Task Sequence.
Open the SCCM Console
Go to Software Library / Operating Systems / Operating System Upgrade Packages
Right-click Operating System Upgrade Packages and select Add Operating System Upgrade Package
In the Data Source tab, browse to the path of your full Windows 10 media. The path must point to an extracted copy of the ISO, at the top-level folder where Setup.exe resides
In the General tab, enter the Name, Version, and Comment, click Next
On the Summary tab, review your information and click Next and complete the wizard
Distribute your Operating System Upgrade Packages
We now need to send the Operating System Upgrade Package to your distribution points.
Right-click your Operating System Upgrade Package, select Distribute Content and complete the Distribute Content wizard
Create SCCM Task Sequence Upgrade Windows 7 to Windows 10 1709
Let’s create an SCCM task sequence upgrade for a computer running Windows 7. If you don’t have any Windows 7 or Windows 8.1, skip to the next section.
Open the SCCM Console
Go to Software Library \ Operating Systems \ Task Sequences
Right-click Task Sequences and select Upgrade an operating system from upgrade package
In the Task Sequence Information tab, enter a Task Sequence Name and Description
On the Upgrade the Windows Operating System tab, select your upgrade package by using the Browse button
Select your Edition Index depending on the edition you want to deploy
On the Include Updates tab, select the desired Software Update task
All Software Updates will install the updates regardless of whether there is a deadline set on the deployment (on your OSD collection)
Mandatory Software Updates will only install updates from deployments that have a scheduled deadline (on your OSD collection)
Do not install any software updates will not install any software update during the Task Sequence
On the Install Applications tab, select any application you want to add to your upgrade process
On the Summary tab, review your choices, click Next and click Close
Edit the SCCM Windows 10 1709 Task Sequence Upgrade
Now that we have created the upgrade task sequence, let’s see what it looks like under the hood:
Open the SCCM Console
Go to Software Library \ Operating Systems \ Task Sequences
Right-click your upgrade task sequence and select Edit
As you can see, it's fairly simple. SCCM takes care of everything in a couple of steps:
The Upgrade Operating System step contains the important step of applying Windows 10
We are now ready to deploy our task sequence to the computer we want to upgrade. In our case, we are targeting a Windows 7 computer.
Go to Software Library \ Operating Systems \ Task Sequences
Right-click Task Sequences and select Deploy
On the General pane, select your collection. This is the collection that will receive the Windows 10 upgrade. For testing purposes, we recommend putting only 1 computer to start
On the Deployment Settings tab, select the Purpose of the deployment
Available will prompt the user to install at the desired time
Required will force the deployment at the deadline (see Scheduling)
You cannot change the Make available to the following drop-down: an upgrade task sequence can only be made available to Configuration Manager clients, not to media or PXE
On the Scheduling tab, enter the desired available date and time. On the screenshot, we can't create an assignment schedule because we selected Available on the previous screen
In the User Experience pane, select the desired options
In the Alerts tab, check Create a deployment alert when the threshold is higher than the following check-box if you want to create an alert on the failures
On the Distribution Point pane, select the desired Deployment options. We will leave the default options
Review the selected options and complete the wizard
Launch the Upgrade Process on a Windows 7 computer
Now that our upgrade task sequence is deployed to our clients, we will log on to our Windows 7 computer and launch a Machine Policy Retrieval & Evaluation Cycle from Control Panel / Configuration Manager icon
You’ll see the SCCM upgrade task sequence as available. We could have selected the Required option in our deployment schedule, to launch automatically without user interaction at a specific time
When ready, click on Install
On the Warning, click Install
The update is starting, the task sequence Installation Progress screen shows the different steps
The upgrade package (the full Windows 10 media) is downloaded to the computer and saved in C:\_SMSTaskSequence
You can follow task sequence progress in C:\Windows\CCM\Logs\SMSTSLog\SMSTS.log
After downloading, the system will reboot
The computer restarts and loads the files in preparation for the Windows 10 upgrade
The WinPE-based SafeOS phase of Windows Setup is loading
The upgrade process starts. This step should take about 15 to 30 minutes depending on the device hardware
Windows 10 is getting ready, 2-3 more minutes and the upgrade will be completed
Once completed the SetupComplete.cmd script runs. This step is important to set the task sequence service to the correct state
Windows is now ready, all software and settings are preserved
Create Software Update Group
One important thing in any OSD project is to make sure that every deployed machine is up to date. Before deploying Windows 10 1709, make sure that your Software Update Point is configured to include Windows 10 patches.
Once Windows 10 is added to your Software Update Point, we will create a Software Update Group that will be deployed to our Windows 10 deployment collection. This way, all patches released after the Windows 10 media creation (or your Capture date) will be deployed during the deployment process.
To create a Windows 10 Software Update Group :
Open the SCCM Console
Go to Software Library / Software Updates / All Software Updates
On the right side, click Add Criteria and add the following filters:
Product: Windows 10
Expired: No
Superseded: No
Title: contains 1709
Select only the latest Cumulative Updates that apply (x64 or x86) and select Create Software Update Group
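The same selection can be scripted with the ConfigMgr PowerShell module that ships with the console, which is handy once you repeat this for every cumulative update. This is an added example and not part of the original post; it assumes the module is loaded from the console install path, that the site code and the group name are illustrative, and that the cmdlet parameters used (-Fast, -Name, -IsExpired, -IsSuperseded, -UpdateId) are the ones documented for the module of this era.

```powershell
# Added example (not from the original post): build the Windows 10 1709 Software Update Group
# with the ConfigMgr PowerShell module instead of the console filters above.
# Assumptions: the module lives next to the console (SMS_ADMIN_UI_PATH), the site code is 'PS1'
# and the group name is illustrative.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
$siteCode  = 'PS1'                                   # assumption: your site code
$groupName = 'Windows 10 1709 - Latest CU'           # assumption: illustrative name
Set-Location "$($siteCode):"

# Same criteria as the console filter: title contains 1709, not expired, not superseded.
# -Fast skips the lazy WMI properties and makes this query much quicker on a large catalog.
$candidates = Get-CMSoftwareUpdate -Fast -Name '*1709*' -IsExpired $false -IsSuperseded $false |
    Where-Object {
        $_.LocalizedDisplayName -like '*Cumulative Update*Windows 10*' -and
        $_.LocalizedDisplayName -notlike '*.NET Framework*'   # .NET CUs carry a similar title
    }

# Keep only the most recent cumulative update per architecture, as the post suggests.
$latest = foreach ($arch in 'x64', 'x86') {
    $candidates |
        Where-Object { $_.LocalizedDisplayName -like "*$arch-based*" } |
        Sort-Object DatePosted -Descending |
        Select-Object -First 1
}

if (-not $latest) {
    throw 'No matching cumulative update found; check the SUP product selection and the last sync.'
}

# Show what is about to be grouped before creating anything.
$latest | ForEach-Object { '{0}  (posted {1:yyyy-MM-dd})' -f $_.LocalizedDisplayName, $_.DatePosted }

# Create the group; CI_ID is the identifier the cmdlet expects in -UpdateId.
New-CMSoftwareUpdateGroup -Name $groupName -UpdateId ($latest | ForEach-Object { $_.CI_ID }) | Out-Null
```

Deploying the group to the OSD collection is still done from the console (or with Start-CMSoftwareUpdateDeployment) exactly as described in the next steps; the script only takes the error-prone manual filtering out of the loop.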
Once created, go to Software Library / Software Updates / Software Update Groups
Right-click your Windows 10 SUG and deploy it to your OSD deployment collection
Import ADMX File
If you're responsible for managing Group Policy in your organization, ensure that you import the latest Windows 10 1709 ADMX files into your Central Store (or onto your domain controller).
Bonus Resources
Need a report to track your Windows 10 devices? We developed a report to help you achieve that :
Founder of System Center Dudes. Based in Montreal, Canada, Senior Microsoft SCCM Consultant, 4 times Enterprise Mobility MVP. Working in the industry since 1999. His specialization is designing, deploying and configuring SCCM, mass deployment of Windows operating systems, Office 365 and Intunes deployments.
When deploying the Windows 10 1709 Feature Update using SCCM, you may encounter errors when running the installation in Software Center. These errors are sent by Windows Setup itself; they are not related to SCCM. In this post, we'll show you how to troubleshoot these errors and how to resolve error 0xC1900208 – 1047526904. This post assumes that you've done the preparation steps to deploy feature upgrades with SCCM.
Windows 10 1709 Troubleshooting
Here are some basic facts that you need to understand before proceeding. This post doesn't cover every possible setup error; we focus on the frequent 0xC1900208 error, but the locations below are needed to troubleshoot any of them. If you're already familiar with this process, skip to the next section.
Upgrade files (ESD and WindowsUpdateBox.exe) are downloaded in SCCM cache (C:\Windows\ccmcache)
Relevant content is also stored in C:\WINDOWS\SoftwareDistribution\Download
ESD file is unpacked in the C:\$WINDOWS.~BT folder (hidden)
Windows setup is launched from that last location
Relevant Log files are located in C:\$WINDOWS.~BT\Sources\Panther
To read the log files in the Panther directory, run CMTrace with administrative privileges (the folder is hidden and ACL-protected)
These three locations are referred to throughout this post. Here's the relevant Microsoft documentation that will help you troubleshoot any Windows installation errors:
So let’s get back to our main topic which is resolving Error 0xC1900208 – 1047526904. This post has been made on Windows 10 computers using build 1607 and 1703.
When running the Windows 10 feature update from the Software Center you receive the error 0xC1900208 :
When retrying a second time the error 0x80240020 is returned. Don’t use this error for troubleshooting, use the first one.
Same error is shown in C:\Windows\CCM\Logs\WUAHandler.log
Error 0xC1900208 - 1047526904
Following Microsoft documentation our error is due to : This could indicate that an incompatible app installed on your PC is blocking the upgrade process from completing. Check to make sure that any incompatible apps are uninstalled and then try upgrading again.
The first easy troubleshooting step you can do at this point is to launch setup.exe from the C:\$WINDOWS.~BT directory.
After going through the first screens, the setup will warn you about those incompatible apps. Here are 2 examples we encountered.
If you don't want to run setup.exe, you can refer to C:\$WINDOWS.~BT\Sources\Panther\CompatData[date-time].xml. You'll have a couple of CompatData XML files; usually the most recent one contains the information you need. In this example, McAfee is the faulty application and instructs Setup to stop
Our next action was to check the McAfee website to see if Windows 10 1709 is supported. Unfortunately, it was not yet supported at the time of this writing. The only option we had was to completely uninstall the McAfee suite from the computer
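Reading the CompatData file by hand gets old after the third machine. The following is an added example, not part of the original post, that pulls every hard block out of the newest CompatData XML. The element layout it relies on (a CompatibilityInfo element with a BlockingType attribute under a Program or Device element, with an optional Action sibling) is an assumption about the report format, so the XPath is written namespace-agnostic; the sample report at the bottom is constructed for the demonstration.

```powershell
# Added example, not from the original post: list the hard blocks recorded in the newest
# CompatData*.xml. Assumption: CompatibilityInfo/@BlockingType sits under the Program or
# Device element it describes; local-name() is used so a namespaced report still parses.
function Get-CompatHardBlocks {
    param(
        [string]$PantherPath = 'C:\$WINDOWS.~BT\Sources\Panther',
        [xml]$Report          # pass a report directly (used below with constructed data)
    )
    if (-not $Report) {
        $file = Get-ChildItem -Path $PantherPath -Filter 'CompatData*.xml' -Force |
                Sort-Object LastWriteTime -Descending | Select-Object -First 1
        if (-not $file) { throw "No CompatData*.xml found under $PantherPath (run elevated?)" }
        $Report = [xml](Get-Content -LiteralPath $file.FullName -Raw)
    }

    $nodes = $Report.SelectNodes("//*[local-name()='CompatibilityInfo'][@BlockingType='Hard']")
    foreach ($n in $nodes) {
        $parent = $n.ParentNode
        $action = $parent.SelectSingleNode("*[local-name()='Action']")
        [pscustomobject]@{
            Kind   = $parent.LocalName                         # Program, Device, ...
            Name   = $parent.GetAttribute('Name')
            Detail = $n.GetAttribute('StatusDetail')
            Action = if ($action) { $action.GetAttribute('Name') } else { '' }
        }
    }
}

# Constructed sample in the shape described above (not a real CompatData export).
$sample = [xml]@'
<CompatReport>
  <Programs>
    <Program Name="McAfee Agent" Id="0001">
      <CompatibilityInfo BlockingType="Hard" StatusDetail="UpgradeBlock" />
      <Action Name="Manual uninstall" ResolveState="NotRun" />
    </Program>
    <Program Name="7-Zip" Id="0002">
      <CompatibilityInfo BlockingType="None" />
    </Program>
  </Programs>
</CompatReport>
'@
Get-CompatHardBlocks -Report $sample | Format-Table -AutoSize
# On an affected client (elevated): Get-CompatHardBlocks | Format-Table -AutoSize
```

Only Hard blocks stop Setup; entries with other BlockingType values are warnings Setup will push past, so they are deliberately not listed.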
Once uninstalled, a couple of steps must be performed to restart the upgrade process. If you simply hit Retry in Software Center, it won’t work.
Empty the SCCM Cache
Delete the content of C:\WINDOWS\SoftwareDistribution\Download folder
Delete the C:\$WINDOWS.~BT folder (hidden)
Initiate a Software Update Deployment Evaluation Cycle and Software Update Scan Cycle
Wait a couple of minute for the scan to complete and retry the deployment
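The five steps above are easy to get wrong in the field (hidden folder, a cache element still referenced by Software Center). This is an added example, not from the original post, that performs the same reset from an elevated PowerShell prompt on the affected client. It assumes the standard client COM object (UIResource.UIResourceMgr) for the cache, and the standard schedule IDs 113 (Software Updates Scan Cycle) and 108 (Software Updates Deployment Evaluation Cycle).

```powershell
# Added example, not from the original post: script the post-uninstall reset so the
# feature update can be re-evaluated. Run elevated on the client.
# Assumptions: UIResource.UIResourceMgr is the client cache API; schedule 113 = Software
# Updates Scan Cycle, 108 = Software Updates Deployment Evaluation Cycle.
function Reset-FeatureUpdateState {
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$ScanWaitSeconds = 120)

    # 1. Empty the SCCM cache through the client's own API rather than deleting ccmcache by hand,
    #    so the client's cache index stays consistent.
    $ui    = New-Object -ComObject 'UIResource.UIResourceMgr'
    $cache = $ui.GetCacheInfo()
    foreach ($element in $cache.GetCacheElements()) {
        if ($PSCmdlet.ShouldProcess($element.Location, 'Delete cache element')) {
            $cache.DeleteCacheElement($element.CacheElementID)
        }
    }

    # 2. Drop the WUA download cache; the service holds files open, so stop it first.
    Stop-Service -Name wuauserv -Force
    Remove-Item -Path 'C:\Windows\SoftwareDistribution\Download\*' -Recurse -Force -ErrorAction SilentlyContinue
    Start-Service -Name wuauserv

    # 3. Remove the unpacked setup folder (hidden, hence -Force and -LiteralPath).
    $bt = 'C:\$WINDOWS.~BT'
    if (Test-Path -LiteralPath $bt) {
        Remove-Item -LiteralPath $bt -Recurse -Force -ErrorAction SilentlyContinue
    }

    # 4. Scan first, then evaluate deployments; the evaluation is useless before the scan
    #    has reported the now-applicable feature update.
    $scan = '{00000000-0000-0000-0000-000000000113}'
    $eval = '{00000000-0000-0000-0000-000000000108}'
    foreach ($id in $scan, $eval) {
        Invoke-CimMethod -Namespace 'root\ccm' -ClassName 'SMS_Client' -MethodName 'TriggerSchedule' `
            -Arguments @{ sScheduleID = $id } | Out-Null
        if ($id -eq $scan) { Start-Sleep -Seconds $ScanWaitSeconds }
    }
}

Reset-FeatureUpdateState -Verbose
```

Watch WUAHandler.log and UpdatesDeployment.log after the run; the feature update should re-appear in Software Center once the scan result is in.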
The deployment will now work, no more 0xC1900208 errors! You can follow the process in the C:\$WINDOWS.~BT\Sources\Panther\Setupact.log file
You've now mastered the 0xC1900208 error and can continue your Windows 10 1709 migration!
When planning a Windows 10 migration, understanding your environment is key. Luckily, Windows 10 Setup comes with command-line options, one of which is an excellent compatibility check (/Compat ScanOnly). This command can be run on Windows 7, 8 or 10 devices before a migration to see if they are Windows 10 compatible. Using SCCM, we will run this Windows 10 compatibility check, return the results to the SCCM database and use this data to build a comprehensive report. This report can be used to detect and fix migration errors before the actual Windows 10 deployment.
SCCM Windows 10 Compatibility Check Package Creation
We will start by creating a package for the Windows 10 compatibility check. The source of this package must be the Windows 10 installation media. The deployment option and command line are important here. If they are not set correctly you'll end up sending the complete installation media (including Install.wim) to the computers just for a compatibility check, which is not very effective. Using our proposed method, you'll use about 250 MB on the client drive instead of 5 GB.
In the SCCM Console, go to Software Library / Application Management / Packages
Create a new package
Name your package and specify your Windows 10 installation media as the source file. Be aware that setup.exe is language specific. If you have EN-US machine, you must provide EN-US media
/DynamicUpdate: Enabling it causes setup to download the latest compatibility information from Windows Update
/CopyLogs parameter can also be added at the end. Use it to copy setup logs to a shared network drive. The problem with that switch is that the logs are not classified using computer names, it will be a nightmare finding the right logs after hundreds of deployments. This is why I’m not using it for this blog post.
In the Requirements page, select your operating systems
Complete the wizard
Right-click your package and distribute it to your distribution points
Deploy Windows 10 compatibility check on a test computer
We will now deploy the Windows 10 compatibility check program to a computer that runs Windows 10 1607. In our test, we want to evaluate whether this computer can upgrade from Windows 10 1607 to 1709. Create a test collection and deploy the newly created program to a test device.
Right-Click your package and select Deploy
On the General tab, select your collection
On the Content tab, ensure that your content is distributed to your distribution point
Select your deployment purpose – Available or Required
On the Scheduling pane, select your schedule
On the User Experience pane, select the desired options
On the Distribution Points pane, select Run program from distribution point
Review your choice and complete the wizard
Running the Compatibility Check
On a targeted computer, run the program manually in the Software Center (Available) or wait for the schedule to trigger your deployment (Required).
The installation starts. It takes about 5 minutes to complete... and it will report a failure. This is normal: the compatibility check always exits with a non-zero code, even when nothing is wrong (a clean result is 0xC1900210, shown as -1047526896 in the console), so SCCM treats it as a failed program.
If you need more information about the result, look at Setupact.log or Setuperr.log generated by Setup.exe. They are located in the C:\$WINDOWS.~BT\Sources\Panther folder (or in the path specified with the /CopyLogs parameter in your command line). We cover how to troubleshoot Windows 10 setup errors in this blog post
Once we have tested on a couple of machines and are happy with the results, we can expand our deployment to all computers.
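Because the program "always fails", the useful information is the exact exit code, and a technician reading Monitoring / Deployments has to translate it each time. The following is an added example, not from the original post, of a wrapper that can serve as the package's program: it runs the compatibility-only invocation of Windows Setup, translates the code locally and still exits with the raw code so the deployment status keeps one distinct value per outcome. It assumes setup.exe sits beside the script in the package source and that the switch set shown is the usual compatibility-only invocation; 0xC1900210 and 0xC1900208 are the two codes the post discusses, the other three are the documented Windows Setup compatibility codes.

```powershell
# Added example, not from the original post: wrapper around the /Compat ScanOnly run.
# Assumptions: setup.exe is next to this script in the package source; /DynamicUpdate Disable
# keeps the run offline (set Enable if clients can reach Windows Update, see the post above).
$setupExe      = Join-Path -Path $PSScriptRoot -ChildPath 'setup.exe'
$setupSwitches = '/Auto Upgrade /Quiet /NoReboot /DynamicUpdate Disable /Compat ScanOnly'

# Exit codes are reported as signed Int32 by the process; the table uses the unsigned form.
$knownCodes = @{
    0xC1900210 = 'No compatibility issues found'                                   # from the post
    0xC1900208 = 'Incompatible application blocks the upgrade (see CompatData*.xml)' # from the post
    0xC1900204 = 'Migration choice (edition / language / architecture) not available'
    0xC1900200 = 'Minimum system requirements not met'
    0xC190020E = 'Insufficient disk space'
}

function Invoke-CompatScan {
    param(
        [string]$Setup     = $setupExe,
        [string]$Arguments = $setupSwitches
    )
    if (-not (Test-Path -LiteralPath $Setup)) { throw "setup.exe not found at $Setup" }

    $p    = Start-Process -FilePath $Setup -ArgumentList $Arguments -Wait -PassThru -NoNewWindow
    $code = $p.ExitCode -band 0xFFFFFFFF          # -1047526896 -> 0xC1900210
    $text = if ($knownCodes.ContainsKey($code)) { $knownCodes[$code] }
            else { 'Unknown result; read Setupact.log / Setuperr.log in $WINDOWS.~BT\Sources\Panther' }

    [pscustomobject]@{
        HexCode = '0x{0:X8}' -f $code
        Decimal = $p.ExitCode
        Meaning = $text
    }
}

$result = Invoke-CompatScan
$result | Format-List
# Keep the raw code as the program's exit code so the SCCM deployment status (and the report
# built on it) still distinguishes "clean" from "blocked".
exit $result.Decimal
```

Point the package's program at this script (powershell.exe -ExecutionPolicy Bypass -File ...) with the same "Run program from distribution point" option, so the media is still read from the DP rather than copied down.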
From there, what’s the easy way to check your compatibility results? You could go in the Monitoring / Deployment section in the console… or you build a custom report.
Windows 10 Compatibility Check Report
Luckily for you, we created a report that gives you a quick overview of your compatibility successes and failures. We also included basic hardware inventory information for you to refer to if a computer is not compliant because of hardware limitations. The only thing you need to do is select your Compatibility package and run the report!
You can download this free report by visiting our product page. The Asset – Compatibility Check report is available in the Report / Asset Section.
Windows Autopilot is a new and emerging solution that lets you set up and pre-configure Windows devices for your environment using Azure and Intune. The goal of Autopilot is to reduce OS deployment complexity. If done correctly, a user takes an out-of-box computer, logs on with their Azure AD user account, and applications and configurations get deployed. All that with minimal infrastructure requirements.
When announced a couple of months ago, Autopilot had its flaws, but it's improving very fast. One of those flaws was that device import had to be done from the Windows Store for Business or the Microsoft Partner Center. Those days are over: you can now import your devices directly from Microsoft Intune.
Microsoft Intune Autopilot device import
Log to your Azure Portal and Launch Microsoft Intune
From the Intune portal, select Device enrollment / Windows enrollment / Devices
In the Windows Autopilot Devices pane, select Import on the top
From there, you need to select a .CSV file. It’s not possible to import a single device manually.
As shown in the portal, the CSV file has some formatting requirements :
This means that you need the Serial Number, Windows Product ID, Hardware Hash and Order ID separated by a comma. You cannot have more than 175 rows/devices in the CSV.
Fortunately, a good script is already available for Windows to gather this information... but it's not yet adapted for Microsoft Intune: the OrderID is not generated by the script, so it needs to be added manually, and the header row it writes is not accepted.
From a Windows 10 1703+ computer
Start Windows PowerShell as Administrator
Run the following command: Install-Script -Name Get-WindowsAutoPilotInfo
This action places the script into the folder C:\Program Files\WindowsPowerShell\Scripts
Run the script : Get-WindowsAutoPilotInfo -Outputfile C:\temp\SCD.csv
The script will output the result in the C:\temp\SCD.csv file
Open the CSV file, add an OrderID at the end of each row (,1) and remove the header
Before the change (invalid header and no OrderID at the end):
After (header removed and OrderID added):
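Editing the file in Notepad works for one device; for a batch it is safer to script the two fixes and let the script enforce the 175-row limit the portal states. This is an added example, not from the original post; the paths and the OrderID value (1, as used in the post) are illustrative, and the sample input at the bottom is constructed in the shape Get-WindowsAutoPilotInfo writes (a real hardware hash is several kilobytes of base64).

```powershell
# Added example, not from the original post: turn Get-WindowsAutoPilotInfo output into the
# header-less, OrderID-suffixed CSV the Intune importer expects.
# Assumptions: the script's header is the first line, fields are quoted by Export-Csv,
# and the Order ID value is '1' as in the post.
function ConvertTo-IntuneAutopilotCsv {
    param(
        [Parameter(Mandatory)][string]$InputPath,
        [Parameter(Mandatory)][string]$OutputPath,
        [string]$OrderId = '1',
        [int]$MaxRows    = 175
    )
    $lines = Get-Content -LiteralPath $InputPath | Where-Object { $_.Trim() -ne '' }
    $rows  = $lines | Select-Object -Skip 1          # drop the header row
    if ($rows.Count -eq 0)        { throw "No device rows found in $InputPath" }
    if ($rows.Count -gt $MaxRows) { throw "CSV has $($rows.Count) devices; Intune accepts at most $MaxRows per import" }

    $fixed = foreach ($row in $rows) {
        # Export-Csv quotes every field; base64 hashes never contain commas, so a plain split is safe.
        $fields = ($row -split ',') | ForEach-Object { $_.Trim('"') }
        if ($fields.Count -ne 3) { throw "Unexpected column count in row: $row" }
        ($fields + $OrderId) -join ','
    }

    # Plain ASCII, no BOM: serial, product ID and base64 hash are all ASCII.
    [IO.File]::WriteAllLines($OutputPath, [string[]]$fixed, [Text.Encoding]::ASCII)
    $fixed.Count
}

# Constructed sample input (not a real device record).
$in  = Join-Path $env:TEMP 'SCD.csv'
$out = Join-Path $env:TEMP 'SCD-intune.csv'
@'
"Device Serial Number","Windows Product ID","Hardware Hash"
"ABC1234","00330-80000-00000-AA123","T0FBQUFBQUFBQUFBQUE="
'@ | Set-Content -LiteralPath $in

$count = ConvertTo-IntuneAutopilotCsv -InputPath $in -OutputPath $out
"$count device(s) written to $out"
Get-Content -LiteralPath $out     # ABC1234,00330-80000-00000-AA123,T0FBQUFBQUFBQUFBQUE=,1
```

If you collect the CSVs from several machines, concatenate the converted files rather than the raw ones, otherwise the header of each raw file ends up in the middle of the batch.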
Back in the Microsoft Intune Portal, select your CSV file and select Import at the bottom
You will receive an Import notification. It will take about 5-10 minutes
Device is imported
It will take a moment to show in your device list but will eventually appear. The device will also be visible from the Windows Store for Business portal. The device is now ready to use in an Autopilot deployment.
Microsoft has been releasing Security baseline since the Windows XP days. Windows 10 is no exception to this, except now there’s a new release of security baseline following each major build of Windows 10. The concept of the Security Baseline is to provide Microsoft guidance for IT administrators on how to secure the operating system, by using GPOs, in the following areas :
Computer security
User security
Internet Explorer
BitLocker
Credential Guard
Windows Defender Antivirus
Domain Security
Implementing the security baseline in GPOs is not a complex or long task. The challenge the security baseline brings is that it exposes areas of the environment that are not secure.
This means that to follow all of Microsoft's security guidelines, many other systems outside of Windows 10 will need to be fixed as well.
In this post, we will describe what is the Security baseline, how to use them and key points that will most likely be challenging for other systems in the environment
Right-click on the GPO, and select Import Settings
Click Next
Click Next, no need to take a backup of a new blank GPO.
Browse to the GPOs folder and click Next
Select the GPO to be imported, based on the name and click Next
Click Next
Select Copying them identically from the source and click next
Click Finish
Click the Settings tab to see all the configuration imported
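The wizard above has to be repeated once per baseline GPO. The following is an added example, not part of the original post, that imports every backup in the toolkit's GPOs folder with the GroupPolicy module instead. It assumes the folder was extracted to C:\Baseline\GPOs, that each backup subfolder is named after its backup ID (the {GUID} folders the toolkit ships) and carries a gpreport.xml whose root GPO element holds the display name; nothing is linked, so the imported settings cannot reach a computer until you link the GPOs to a test OU yourself.

```powershell
# Added example, not from the original post: bulk-import the Security Baseline GPO backups.
# Assumptions: backups extracted under $backupRoot, one {GUID} folder per backup, each with a
# gpreport.xml whose /GPO/Name element carries the original display name.
Import-Module GroupPolicy

$backupRoot = 'C:\Baseline\GPOs'     # assumption: where the toolkit's GPOs folder was extracted

function Import-BaselineGpos {
    param([string]$Path = $backupRoot, [string]$NamePrefix = '')

    foreach ($dir in Get-ChildItem -LiteralPath $Path -Directory) {
        $backupId = [guid]$dir.Name.Trim('{}')
        $reportFile = Join-Path -Path $dir.FullName -ChildPath 'gpreport.xml'
        if (-not (Test-Path -LiteralPath $reportFile)) { Write-Warning "No gpreport.xml in $($dir.Name), skipped"; continue }

        $report = [xml](Get-Content -LiteralPath $reportFile -Raw)
        $name   = $report.SelectSingleNode("/*[local-name()='GPO']/*[local-name()='Name']").InnerText
        $target = "$NamePrefix$name"

        # -CreateIfNeeded makes a new, unlinked GPO when the target name does not exist yet.
        Import-GPO -BackupId $backupId -Path $Path -TargetName $target -CreateIfNeeded |
            Select-Object DisplayName, Id, ModificationTime
    }
}

# Prefix the names so the imported copies are easy to tell apart from anything already in the domain.
Import-BaselineGpos -NamePrefix 'Pilot - '
```

Re-running the import on an existing target GPO replaces its settings, which is exactly what you want when a FINAL baseline replaces the DRAFT you imported earlier.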
Once the GPOs are imported, testing is key!
No magic trick here, start with test computers and then IT users/pilot users prior to applying this to production.
Key points that provide challenges
Here are some configurations in the baseline that should be looked at up front, as they might cause issues in your environment. The idea is to understand what is going on; don't simply change those settings to avoid the issues. The issues should be fixed at the other end for better security.
Hardened UNC path
This setting is likely to give the following error when trying to process GPO on Windows 10.
Error
The processing of Group Policy failed. Windows attempted to read the file \\yourdomain.fqdn\sysvol\yourdomain.fqdn\Policies\{GPO GUID}\gpt.ini from a domain controller and was not successful.
The setting is Computer Configuration/Administrative Templates/Network/Network Provider/Hardened UNC Paths
Review the following post by Lee Stevens for details on the UNC hardening path to help define this setting for your environment
Internet Explorer process only computer GPO
If you have user GPOs configuring Internet Explorer security zones, adding the Internet Explorer baseline will prevent those settings from being applied.
Two options are available if this causes issue:
Move your Internet Explorer configuration to computer GPO instead of user GPO
Change the configuration back to Not Configured for this GPO
User Account Control
The Security Baseline configures User Account Control (UAC) at its maximum level.
The Windows 10 default is Notify me only when apps try to make changes to my computer (level 3 out of 4)
UAC is configured through local security policy settings
To modify them in the Windows 10 Computer GPO, go to Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control
Credential guard
Credential Guard in Windows 10 is categorized as a quick win because the requirements and setup are easy.
However, the default configuration in the MSFT Windows 10 and Server 2016 – Credential Guard GPO, applied as is, is likely to crash the computer or to lock in a requirement you may not want later.
We strongly recommend to carefully read the Help section of the Computer/Administrative Templates/System/Device Guard/Turn On Virtualization based security GPO
To take advantage of Credential Guard safely, this would be the required configuration.
SMB v1
This topic is the most important of all the key points. With Windows 10 1709, SMBv1 is disabled by default. But what if you still need it in your environment?
Let us make this clear: we do not recommend enabling SMBv1. It is the protocol that WannaCry and related malware exploited in 2017, making it one of the most critical security holes of recent years.
On the other hand, legacy dependencies sometimes leave no choice but to keep it for a while.
So, to leave SMBv1 enabled as part of the security baseline GPO, we suggest reading the following blog post by Aaron Margosis
The GPO settings for SMB v1 are under Computer/Administrative Templates/MS Security Guide
Issue with BitLocker on Windows 10 1709
The MSFT Windows 10 RS3 – BitLocker GPO contains a setting, Disable new DMA devices, that broke some computers.
The setting Computer/Administrative Templates/Windows Components/BitLocker Drive Encryption/Disable new DMA devices when this computer is locked, should be reviewed prior to being applied.
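Before (and after) linking the baseline to a pilot OU it helps to capture the state of the four pain points above on the pilot machine, so a failure can be tied to a specific setting instead of "the baseline". This is an added example and not from the original post: a read-only pre-flight check to run elevated on a pilot computer. It assumes the registry locations are the ones the corresponding policies write (HardenedPaths under NetworkProvider, DisableExternalDMAUnderLock under FVE) and that Win32_DeviceGuard reports Credential Guard as security service 1.

```powershell
# Added example, not from the original post: read-only pre-flight check for the baseline pain
# points (hardened UNC paths, SMBv1, Credential Guard, BitLocker DMA lock). Run elevated.
# Assumptions: policy registry paths/value names as written; Win32_DeviceGuard service 1 = Credential Guard.
function Test-BaselinePreflight {
    $r = [ordered]@{}

    # Hardened UNC paths: the baseline wants mutual authentication + integrity on \\*\SYSVOL and \\*\NETLOGON.
    $hp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths' -ErrorAction SilentlyContinue
    $r.HardenedSysvol   = if ($hp -and $hp.'\\*\SYSVOL')   { $hp.'\\*\SYSVOL' }   else { '(not configured)' }
    $r.HardenedNetlogon = if ($hp -and $hp.'\\*\NETLOGON') { $hp.'\\*\NETLOGON' } else { '(not configured)' }

    # SMBv1: the optional feature (client + server binaries) and the server-side protocol switch.
    $r.Smb1Feature       = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
    $r.Smb1ServerEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # Credential Guard: VBS status (0 off, 1 configured, 2 running) and whether service 1 is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $r.VbsStatus              = $dg.VirtualizationBasedSecurityStatus
    $r.CredentialGuardRunning = [bool]($dg.SecurityServicesRunning -contains 1)

    # BitLocker "Disable new DMA devices when this computer is locked".
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $r.DmaLockPolicy = if ($fve -and $fve.PSObject.Properties['DisableExternalDMAUnderLock']) {
                           $fve.DisableExternalDMAUnderLock } else { '(not configured)' }

    [pscustomobject]$r
}

Test-BaselinePreflight | Format-List
```

Run it once before the GPOs apply and once after a gpupdate /force; a machine that fails to process policy afterwards with the gpt.ini error above will typically show HardenedSysvol populated and SMB signing or Kerberos unavailable on the path it is trying to read.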
What to do when a new version of Security baseline is available?
A new version of the Security Baseline usually comes out at the same time as a Windows 10 build goes RTM.
Microsoft has always released it as a DRAFT version first, for a couple of months, and then the FINAL version.
Here’s a checklist for what to do when the new version is available :
Start by reviewing the Excel file to see what’s new to the baseline
Most of the new settings in the baseline will be in line with new features as part of the Windows 10 release
Update ADMX in the Central store with the ones from the latest Windows 10 build prior to adding new settings
New settings should then be added to your environment by one of the following :
Import the new GPOs
Add new settings to current GPO
Follow us on Twitter to get a notification when a new version of the Security baseline is released.
Bonus Tip
The Policy Analyzer is a great tool to compare current GPOs against the ones from the Security Baseline.
This can give an idea of the conflicting settings as well as additional settings from the Security Baseline
Contributor of System Center Dudes. Based in Montreal, Canada, Senior Microsoft SCCM consultant, working in the industry for more than 10 years. He developed a strong knowledge of SCCM and MDT to build automated OS deployment solutions for clients, and managed large and complex environments, including Point of Sale (POS) related projects.
Windows 10 brings a new feature to optimize network performance when it comes to Windows Update. This feature is called Delivery Optimization. Delivery Optimization is a cloud-based service that allows computers on the same network to share update files, to avoid reaching out to Windows Update directly or to a remote WSUS server. Windows 10 clients must have access to the internet to be able to leverage Delivery Optimization to establish a peer-to-peer connection to another Windows 10 computer.
Important Info
If you are using SCCM to deliver Windows Updates, Delivery Optimization has no positive or negative impact on the network. SCCM bypasses this feature, except in one case: when Express Updates are used.
We recommend looking at BranchCache or Peer-to-Peer to help with bandwidth management.
This great blog post summarizes and compares both solutions in detail.
With that said, Delivery Optimization has the potential of doing the opposite of what it was designed for. By default, the Download mode is configured in LAN Mode. This means that every computer going out to the internet through a single IP address, as many businesses do, will be considered part of the same LAN. A remote office could therefore be considered local, try to share Windows Updates over the internal WAN and then choke the network.
In this post, we will detail how to configure Delivery Optimization in a Task Sequence to prevent using the LAN mode by default.
If you are looking for more Windows 10 customization and configuration tips, see our previous posts:
By default, Delivery Optimization is On for PCs on my local network
If we run the PowerShell command Get-DeliveryOptimizationStatus, we can see that the Download Mode is set to 1, which is the LAN Mode.
Important Info
If the Download Mode is set to 99, a proxy is likely preventing Delivery Optimization from reaching the cloud service. This means that Delivery Optimization is effectively turned off.
The registry key HKLM\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config should still show the default values.
Turn off Delivery Optimization
Delivery Optimization can be turned off manually under Windows Settings/Update & Security/Windows Update/Advanced Options/Delivery Optimization
This can also be done by adding a REG_DWORD under HKLM\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config
Name : DODownloadMode
Value: 100
When modified by the registry, the Delivery Optimization service must be restarted to take effect.
It can also be enforced by a GPO:
Under Computer Configuration/Administrative Templates/Windows Components/Delivery Optimization, enable Download Mode and set it to Bypass (100)
How to configure SCCM Delivery Optimization Task sequence
We were asked in a project to update Windows 10 using WSUS, with BranchCache leveraged to deliver updates more efficiently on the network.
When using BranchCache for Windows Update, the Delivery Optimization Download Mode must be set to Bypass.
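As an added example (not from the original post), here is a script for that task sequence step: it applies the Bypass value described above through the registry, restarts the service so the value is picked up, and reads back what Delivery Optimization reports. The policy key path is assumed to be where the GPO stores the same DODownloadMode value.

```powershell
# Added example (not from the original post): set the Delivery Optimization Download Mode
# to Bypass (100) through the registry, restart the service and verify the result.
# Intended for a "Run PowerShell Script" task sequence step, which runs as SYSTEM.
$configKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config'
# Assumption: this is the key the "Download Mode" GPO writes to; a GPO value overrides Config
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
$bypass = 100

# If a GPO already manages the mode, flag it rather than fighting it every policy refresh
$policy = Get-ItemProperty -Path $policyKey -Name DODownloadMode -ErrorAction SilentlyContinue
if ($policy -and $policy.DODownloadMode -ne $bypass) {
    Write-Warning "A GPO enforces DODownloadMode=$($policy.DODownloadMode); change the GPO instead"
}

if (-not (Test-Path -Path $configKey)) {
    New-Item -Path $configKey -Force | Out-Null
}
# REG_DWORD DODownloadMode = 100 (Bypass), exactly the value described in the post
Set-ItemProperty -Path $configKey -Name DODownloadMode -Value $bypass -Type DWord

# The Delivery Optimization service (DoSvc) only re-reads its configuration on start
Restart-Service -Name DoSvc -Force

# Verify: the stored value, plus the mode reported for any download DO is currently tracking
# (Get-DeliveryOptimizationStatus returns nothing when there is no active or recent job)
$configured = (Get-ItemProperty -Path $configKey -Name DODownloadMode).DODownloadMode
$jobs = Get-DeliveryOptimizationStatus -ErrorAction SilentlyContinue
[pscustomobject]@{
    ConfiguredMode = $configured
    ActiveJobModes = @($jobs | Select-Object -ExpandProperty DownloadMode -Unique)
    GpoManaged     = [bool]$policy
}
```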
The race to update Windows 7 computers in your environment is entering its home stretch. Microsoft will end Windows 7 support on January 14th, 2020. If you still have Windows 7 computers in your company, it’s time to seriously plan your migration. If you’ve been reading our blog for a while, you may have seen a couple (!) of posts regarding Windows 10 migration. We thought that grouping all posts into a single one would save you time finding all the SCCM Windows 10 deployment resources needed to start.
If you are still running SCCM 2012 and have plans to deploy Windows 10, we recommend starting with part 2 of this guide. (Hint: Deploy SCCM Current Branch).
We will update this post as we add more Windows 10 deployments posts on our blog.
Founder of System Center Dudes. Based in Montreal, Canada, Senior Microsoft SCCM Consultant, 4 times Enterprise Mobility MVP. Working in the industry since 1999. His specialization is designing, deploying and configuring SCCM, mass deployment of Windows operating systems, Office 365 and Intune deployments.
Sometimes Microsoft makes small changes under the hood that can hardly be tracked unless an issue comes up to flag those changes. The configuration of the Start Menu and Taskbar for Windows 10 has been a great challenge for administrators since the beginning, and it doesn’t look like this will change anytime soon.
In Windows 10, version 1703, Export-StartLayout will use DesktopApplicationLinkPath for the .url shortcut. You must change DesktopApplicationLinkPath to DesktopApplicationID and provide the URL.
A simple note, with great implication!
Following our previous posts on Windows 10 Customization and how to modify the taskbar configuration, we will detail how to configure the start menu and taskbar with that latest indication from Microsoft.
Prerequisites
Windows 10 1703 and above
Windows 10 1803
Early tests indicate that Windows 10 1803 is no different and that this applies to it as well.
Configure Start Menu Windows 10
Set up a Windows 10 start menu the way we would like to have it as the default
Start a PowerShell command window as administrator
Enter the following command line to export the Start Menu
Export-StartLayout -path C:\temp\StartMenu.xml
A StartMenu.xml is generated in the specified directory
Application links are using the DesktopApplicationLinkPath
In PowerShell, enter the following command:
Get-StartApps
This returns the list of all applications in the Start Menu
Locate the application that uses the DesktopApplicationLinkPath and take note of the AppID
Go back to the XML exported previously and replace the DesktopApplicationLinkPath with the DesktopApplicationID
Once this is completed, it can be added to your task sequence as explained in previous posts.
Important Info
If you wish to manage the Taskbar like we explained in our previous post, note that the DesktopApplicationLinkPath must be used as the DesktopApplicationID will not work.
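The link-path to AppID replacement above, scripted, as an added example that is not part of the original post: it rewrites only the tiles under the StartLayout section and leaves the taskbar section alone, because of the note above. The layout namespace URIs and the matching between the shortcut file name and the Get-StartApps Name column are assumptions.

```powershell
# Added example (not from the original post): export the current Start layout, then replace
# DesktopApplicationLinkPath with DesktopApplicationID taken from Get-StartApps, matching on
# the shortcut's file name (an assumption: a .lnk/.url named "Foo" is the Start Menu app "Foo").
# Only the StartLayout section is touched: taskbar pins must keep DesktopApplicationLinkPath.
# Assumptions: elevated PowerShell on Windows 10 1703+, and C:\temp exists.
$exportPath = 'C:\temp\StartMenu.xml'
$outputPath = 'C:\temp\StartMenu-AppId.xml'

Export-StartLayout -Path $exportPath

[xml]$layout = Get-Content -Path $exportPath -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($layout.NameTable)
# Namespace URIs as found in exported layout files (assumed, check against your export)
$ns.AddNamespace('lm', 'http://schemas.microsoft.com/Start/2014/LayoutModification')
$ns.AddNamespace('defaultlayout', 'http://schemas.microsoft.com/Start/2014/FullDefaultLayout')
$ns.AddNamespace('start', 'http://schemas.microsoft.com/Start/2014/StartLayout')

# Lookup from Start Menu app name to AppID, the value DesktopApplicationID expects
$appIds = @{}
foreach ($app in Get-StartApps) {
    $appIds[$app.Name] = $app.AppID
}

# Restrict the XPath to the StartLayout subtree so taskbar tiles are never rewritten
$xpath = '//defaultlayout:StartLayout//start:DesktopApplicationTile[@DesktopApplicationLinkPath]'
$tiles = $layout.SelectNodes($xpath, $ns)

$changed = 0
foreach ($tile in $tiles) {
    $linkPath = $tile.GetAttribute('DesktopApplicationLinkPath')
    $name = [System.IO.Path]::GetFileNameWithoutExtension($linkPath)
    if ($appIds.ContainsKey($name)) {
        $tile.RemoveAttribute('DesktopApplicationLinkPath')
        $tile.SetAttribute('DesktopApplicationID', $appIds[$name])
        Write-Host "Replaced '$linkPath' with AppID '$($appIds[$name])'"
        $changed++
    } else {
        # Leave the tile as-is so the file stays valid; fix this one by hand from Get-StartApps
        Write-Warning "No Start Menu app named '$name' found for '$linkPath'; left unchanged"
    }
}

$layout.Save($outputPath)
Write-Host "$changed tile(s) rewritten, saved to $outputPath"
```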
Beginning with Windows 10 1709, you can’t use WSUS to host Features on Demand and language packs for Windows 10 clients. Instead, you need to download them directly from Windows Update. This is the official Microsoft statement… at the time of this writing, it’s still possible to download FoD from VLSC or MSDN. We are in a transition period, but we can clearly see where Microsoft is going. This blog post will show one method to install FoD using SCCM, but there are also alternative methods when you download the file from VLSC or MSDN (hint: use DISM).
Features on Demand (FODs) are Windows feature packages that can be added at any time. When a Windows 10 PC needs a new feature, it can request the feature package from Windows Update.
If you’re using SCCM or WSUS for your software updates, you need to change a Group Policy setting that lets clients download these directly from Windows Update instead of your on-premises infrastructure. Without this group policy, all your installation attempts will fail with error 0x800f0954. This is because your client will check your on-premises servers instead of Microsoft Update and won’t be able to find the feature.
You can also host Features on Demand and language packs on a network share, but starting with Windows 10 1809, language packs can only be installed from Windows Update. This is why we recommend using the group policy method to redirect your clients to Windows Update to get FoD or Language packs.
To change this policy :
Open your group policy editor
Navigate to Configuration\Administrative Templates\System
Enable the Specify settings for optional component installation and component repair policy
Check the Download repair content and optional features directly from Windows Update instead of Windows Server Update Services (WSUS) checkbox
Changing this policy only enables Features on Demand and language pack downloads from Windows Update. It doesn’t affect how clients get feature and quality updates deployed by SCCM.
Deploy a Feature on Demand using SCCM
To deploy a new feature on demand to your client, you must understand a couple of things.
First, you need to understand that SCCM/WSUS can’t host these features so it will be downloaded from the internet by your SCCM clients.
The trick is to use the Add-WindowsCapability PowerShell cmdlet to call the feature that you need. You can get a list of available Features on Demand on Microsoft Docs or by using this PowerShell command:
Get-WindowsCapability -online
Each Feature on Demand has a state. It can be Installed or Not Present. Depending on the Windows 10 version, you may have a different list of “Not Present”. Follow the Microsoft documentation to see which features apply to your Windows version, or see the list yourself by running the Get-WindowsCapability -online command.
For our example, we are running Windows 10 1809 and we’ll use SCCM to deploy XPS Viewer, but the method can be used for any Feature on Demand. You just need to change your script to call the right Capability name. (In our example the Capability Name is XPS.Viewer~~~~0.0.1.0.) We can also see that the size of this Feature is nearly 17MB.
Hint: You can also install a series of Features in a single command. For example, all Remote Server Administration Tools have a Capability name like “RSAT*”. So to install all Remote Server Administration Tools on a Windows 10 1809 machine, simply use this command:
Deploy Features on Demand to client remotely using SCCM
To deploy FoD using SCCM you have 2 options. The first one is to use the new script feature if you are running SCCM 1706 or later. The second one would be to deploy using a standard package or application.
Script Feature
We’ll start by deploying it using the SCCM Script feature
In the SCCM Console, go to Software Library\Scripts
Create a new PowerShell script with this command (Change the FoD name if needed)
Get-WindowsCapability -Online | where name -like xps* | Add-WindowsCapability -Online
Complete the Script wizard
Approve your script by selecting it and clicking Approve on the top ribbon
Go to a test collection and right-click it, select Run Script
Select the script you just created
Validate Script Execution in the next screen. You can also monitor the script status in the console Monitoring\Script Status
Results
You can now validate that the Feature on Demand is installed on your test computer.
Using PowerShell: Get-WindowsCapability -Online | where name -like xps*
State should be Installed
In the Windows 10 Start Menu
XPS Viewer is installed
Further FoD installation logging can be found locally on the computer C:\Windows\logs\dism\dism.log
Package
If you prefer to use the good old Package method, you need to :
Create a PowerShell file FOD-Install.ps1 with this command :
Get-WindowsCapability -Online | where name -like xps* | Add-WindowsCapability -Online
Create a new Package with the source pointing to your PowerShell file
For the program, specify the following command line :
Deploy your package to your test collection (Available or Required)
Initiate a client refresh policy
The results will be the same as for script (see Result Section above)
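An added example (not the post’s own FOD-Install.ps1) that either the Script feature or the Package method could run: it installs every capability matching a name pattern (so XPS.Viewer* and RSAT* both work), skips what is already installed, checks the FoD redirection policy that error 0x800f0954 points to, and returns exit codes a package program reports back to SCCM. The policy registry value name and the powershell.exe -ExecutionPolicy Bypass -File command line used to launch it are assumptions.

```powershell
# Added example (not from the original post): FOD-Install.ps1 for an SCCM package program.
# Installs every Feature on Demand whose name matches $Pattern, skips ones already installed,
# maps the outcome to exit codes SCCM understands (0 = ok, 3010 = ok but reboot needed,
# 1 = failure) and writes a small log next to the DISM log.
# Assumptions: runs as SYSTEM on Windows 10 1809+, launched with
#   powershell.exe -ExecutionPolicy Bypass -File FOD-Install.ps1 -Pattern "XPS.Viewer*"
param(
    [string]$Pattern = 'XPS.Viewer*',   # 'RSAT*' would install all Remote Server Administration Tools
    [string]$LogPath = "$env:windir\Temp\FOD-Install.log"
)

function Write-Log([string]$Message) {
    "$(Get-Date -Format 's') $Message" | Out-File -FilePath $LogPath -Append -Encoding utf8
}

# Assumption: the "Specify settings for optional component installation and component repair"
# GPO writes RepairContentServerSource=2 when "download directly from Windows Update" is checked.
# On a WSUS/SCCM client without it, Add-WindowsCapability fails with 0x800f0954.
$servicing = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing' -ErrorAction SilentlyContinue
if ($null -eq $servicing -or $servicing.RepairContentServerSource -ne 2) {
    Write-Log 'Warning: FoD downloads are not redirected to Windows Update; expect 0x800f0954 on WSUS/SCCM clients'
}

$targets = Get-WindowsCapability -Online | Where-Object { $_.Name -like $Pattern }
if (-not $targets) {
    Write-Log "No capability matches '$Pattern' on this Windows build"
    exit 1
}

$restartNeeded = $false
$failed = 0
foreach ($cap in $targets) {
    if ($cap.State -eq 'Installed') {
        Write-Log "$($cap.Name) already installed, skipping"
        continue
    }
    try {
        $result = Add-WindowsCapability -Online -Name $cap.Name -ErrorAction Stop
        if ($result.RestartNeeded) { $restartNeeded = $true }
        Write-Log "$($cap.Name) installed (RestartNeeded=$($result.RestartNeeded))"
    } catch {
        $failed++
        Write-Log "$($cap.Name) failed: $($_.Exception.Message) (details in $env:windir\logs\dism\dism.log)"
    }
}

if ($failed -gt 0) { exit 1 }
if ($restartNeeded) { exit 3010 }
exit 0
```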
We expect Microsoft to release more Features on Demand in upcoming Windows releases. We can clearly see where this is going. In a future post we’ll talk about language pack installation, which should be pretty similar. Stay tuned!
With the latest updates Microsoft released to Intune and Autopilot, it is becoming more realistic to leave the task sequence behind in favor of using Autopilot with Intune to deliver the computer standards required by an enterprise. While it will not be possible for all scenarios, a standard PC used for administrative tasks can be delivered with many, if not all, of the required customizations.
While many of our previous Windows 10 Customization tricks will still be useful, the delivery will be different from simply running various scripts from a Task Sequence.
In this post, we will go over multiple Windows 10 customizations, all done with Intune in order to leverage Windows Autopilot. The ultimate goal is to be able to replicate a standard deployment made with a Task Sequence from SCCM or MDT.
This post is part of a series on Windows Autopilot that will be published in the following weeks. In the next posts, we will cover the following subjects:
How to Configure Intune Connector (Preview) for Hybrid AD joined computers
How to use Windows Update for Business
How to GPO with Microsoft Intune
How to deploy applications with Autopilot
Our previous post covers everything on how to package Win32 apps with Intune. Assigning those applications to a group that leverages Autopilot will provide installation as soon as possible following the Autopilot process.
If you are using multiple groups in a task sequence to deliver applications per type of user, this can also be matched with Intune. Creating assignments to groups of users also makes it easy to refresh or replace a user’s computer.
As we covered in our Autopilot guide, using the Enrollment status page allows us to prevent the user from using the computer while the original setup completes. This includes Office installation and MSI applications. Win32 applications will complete even after this section of Autopilot, as the Enrollment status page doesn’t include Win32 app support yet.
Also, note that Win32 application dependencies are coming soon to Microsoft Intune. This would give us even more ways to match how a task sequence delivers mandatory applications.
How to customize Start menu with Intune
While there are some great solutions (like this one from Aaron Parker) out there to push the start menu in the same way as within a Task sequence, meaning that you apply a default without enforcing any part of it, we prefer to use the built-in way. This will mean that we’ll push out a partially locked start menu by using device restriction.
We had issues delivering a partially locked Start Menu, along with the taskbar configuration, when using the DesktopApplicationID. Changing it all back to DesktopApplicationLinkPath fixed it for us!
Also, note that Microsoft has again updated the documentation on that subject. Beginning with Windows 10 1809, it is now possible to export the start menu configuration with the parameter -UseDesktopApplicationID.
Remember the following: always export the file association from the destination version of Windows 10 you plan to use. We’ve seen issues in the past about that!
How to customize background and logon screen
This one is an interesting one. While it is possible to provide the wallpaper and login screen images through Intune, they both require the image to be hosted on a web address.
One of the ways to easily host the file is to use Azure Blob storage. (Big THANKS to @Per Larsen for the help on this one!)
Important Info
Note that hosting the file on SharePoint and sharing with everyone/anonymous will not work. This still requires a LiveID authentication to access files.
To host the image on an Azure blob, follow these steps:
Browse to Azure/Storage Account. Select an existing or create a new one.
Select Blobs and click +Container
Set a name, in lower case only, and select Blob(Anonymous read access for blobs only)
Double click on the newly created Blob, select Upload
Select your image and click Upload
Once uploaded, click on the file and a URL is available. This will be the URL we provide in the Intune configuration. It’s a good idea to test the path using an In-Private browser session to validate that the anonymous access works.
Browse to Intune/Device Configuration/Profiles and, under the properties of a Windows 10 device restriction profile, the 2 settings are available. Simply paste the blob path.
To validate that the computer has received the configuration, browse the registry to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP
Note that the computer will only download it once to apply it. It would download it again if a change is necessary. In that case, changing the name could ease follow up.
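The blob hosting steps above as a script, added here and not from the original post: it creates the container with anonymous read access for blobs only, uploads the images, and then fetches each URL with no credentials, which is the same check as the In-Private browser test. It assumes the Az.Storage module, an existing storage account and a prior Connect-AzAccount; the resource names are placeholders.

```powershell
# Added example (not from the original post): host wallpaper and lock screen images in an
# Azure Storage container readable anonymously, then verify the URLs work without a token.
# Assumptions: Az.Storage module installed, Connect-AzAccount already done, storage account exists.
$resourceGroup  = 'rg-intune-images'     # placeholder
$storageAccount = 'stintuneimages01'     # placeholder, must already exist
$container      = 'wallpapers'           # lower case only, as the portal enforces
$files          = @('C:\Images\wallpaper.jpg', 'C:\Images\lockscreen.jpg')  # placeholders

if ($container -cne $container.ToLowerInvariant()) {
    throw "Container name '$container' must be lower case"
}

$ctx = (Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount).Context

# -Permission Blob = anonymous read for blobs only. "Container" would also expose the listing,
# so keep this container for images only: everything in it is readable by anyone with the URL.
if (-not (Get-AzStorageContainer -Name $container -Context $ctx -ErrorAction SilentlyContinue)) {
    New-AzStorageContainer -Name $container -Context $ctx -Permission Blob | Out-Null
}

$urls = foreach ($file in $files) {
    $blobName = Split-Path -Path $file -Leaf
    Set-AzStorageBlobContent -File $file -Container $container -Blob $blobName -Context $ctx -Force | Out-Null
    # Public endpoint format for blob storage; this is the value to paste into the Intune profile
    "https://$storageAccount.blob.core.windows.net/$container/$blobName"
}

# Anonymous check: a plain HEAD request with no credentials, as an Intune-managed client does.
# SharePoint "anyone" links fail here because they still redirect to a sign-in page.
foreach ($url in $urls) {
    try {
        $resp = Invoke-WebRequest -Uri $url -Method Head -UseBasicParsing
        '{0} -> HTTP {1} ({2})' -f $url, $resp.StatusCode, $resp.Headers['Content-Type']
    } catch {
        Write-Warning "$url is not readable anonymously: $($_.Exception.Message)"
    }
}
```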
How to turn off Windows Spotlight
Windows Spotlight is one of those “not so enterprise” features that we often disable as part of a Windows 10 configuration. It provides dynamic lock screen images and suggested apps and services in the Start menu or on the lock screen.
Important Info
This is only available for Windows 10 Education and Enterprise edition. If you are running Pro edition, this can’t be disabled.
To disable Windows Spotlight, under Device restrictions for Windows 10, select Windows Spotlight. Simply toggle Block on the desired configurations.
How to remove default appx installed
This task works the exact same way as within a task sequence. Jörgen Nilsson, from CCMExec, did a great post about running it in a task sequence.
To add it to Intune/Autopilot, follow these steps:
Browse to Intune/Device configuration – Profiles and select PowerShell scripts
Provide a name and the PowerShell script.
Once created, make sure you assign the script to a group processed at the Autopilot time.
How to upgrade Windows Pro to Enterprise
The first option is to promote Windows 10 to Enterprise by providing the product key with Intune. This option is well detailed in the following blog post by Microsoft.
The second option to promote it to Windows 10 Enterprise is to use Windows 10 Subscription activation. This simply consists of providing the user with a valid license that includes Windows 10 Enterprise, such as Microsoft 365 E3.
Without doing anything more, the computer serviced with Autopilot will be automatically upgraded to Windows 10 Enterprise.
For more details about Windows 10 Subscription, see Microsoft docs
How to enable BitLocker
The following blog post by Courtenay Bernier covers it in detail. Even if it dates a bit, it’s still accurate for the most part!
To enable the encryption, set Encrypt devices to Require.
Important Info
Make sure to set Warning for other disk encryption to Block. This prevents a user warning from holding off the automatic encryption of the disk.
Two key configurations are the ability to Save BitLocker recovery information to Azure Active Directory and to Store recovery information in Azure Active Directory before enabling BitLocker. This brings BitLocker configuration to pretty much the same level as on-prem solutions.
As for those who used Microsoft BitLocker Administration and Monitoring(MBAM), Microsoft just released, in public preview, the Encryption report and BitLocker recovery keys to provide a similar approach in terms of administration and monitoring.
To access the Encryption report, browse to Intune/Device Configuration under the Monitoring section.
The report will give details about the OS version, TPM version, encryption readiness, and status.
To access the Recovery keys, browse to Intune/Devices – All devices and select a device. They are located under the Monitor section.
Conclusion
We will later cover other aspects of computer customization like Windows Updates and GPO in upcoming blog posts.
To conclude, Windows Autopilot is still a young technology compared to SCCM/MDT Task sequences that have been around for years. With the support of Win32 Apps, and being able to do all those customizations, it gives us a great idea that it is now possible to leverage Windows Autopilot to standardize computer configurations.
Leave us a comment below if we forgot some classic OSD modifications that are show stoppers for moving to Windows Autopilot.
Windows Analytics is the suite name following the original release of Upgrade readiness. The suite adds Device Health and Update Compliance under the same roof. Depending on the environment each sub-product will provide key information for end-user computer admins.
Upgrade Readiness can help assess application and driver compatibility prior to migrating from Windows 7/8.1 to Windows 10, or even from one Windows 10 build to another.
Device Health provides extra information for admins to review the various crashes within their environment.
Update compliance provides a way to track how updates and upgrades are doing in the environment. This will be particularly useful when mixed with Windows Update for Business.
All of the Windows Analytics features sit on Log Analytics from Azure. Previously it was possible to host the data in OMS. OMS has been retired, and the data can be moved into Log Analytics.
In this post, we will show how to configure Windows Analytics with Log Analytics.
Windows Analytics Log Analytics Requirements
Rights required to create the Log Analytics workspace:
Global admin
Contributor on the associated Azure subscription
Download the Upgrade readiness deployment script here
Click on Create a resource and search for Log Analytics. Once found, click Create
Select Create New
Select the Subscription type.
The resource group can be a new or existing one.
The pricing tier will be Per GB
Pricing Tier
Previously with OMS, it was clear that Windows Analytics was free. Moving to Log Analytics, it is still a free service. But when selecting the Pricing tier, the Free option is no longer available. It seems that if you still see the Free tier, it’s likely because OMS with Upgrade Readiness was configured before.
For newer environments, the Per GB option will be the only choice, but again, it remains free. Looking at the data usage in Log Analytics, we can see that the content is not billable.
Click OK to create the Log Analytics workspace. This will take a little time to complete.
Once deployed, it will take a good 2 to 3 days before data starts populating the 3 components of Windows Analytics. This will be the same no matter which solution is chosen to enable Windows Analytics on clients.
Commercial ID
To find the CommercialID:
Go to Upgrade readiness and select Solution settings
Under Upgrade Readiness settings, the CommercialID is available.
Configure data collection for Windows Analytics with Intune
Most settings for Windows Analytics are configured by OMA-URI items.
In a device restriction profile, under Reporting and Telemetry, set Share user data to Enhanced
This will only configure the level of usage data. It will not prevent user modification.
Diagnostic data
Depending on the features used with Windows Analytics, setting the diagnostic data below Enhanced will limit capabilities like Device Health.
Microsoft recommends Enhanced for Windows 10 1709 or higher for full functionality from Windows Analytics.
For more details about Diagnostic data, see Microsoft Docs.
Create a new Device configuration profile
Specify the name, select Windows 10 and later and select a Custom profile type
There are multiple OMA-URI settings available for Windows Analytics. The first and mandatory OMA-URI is the CommercialID
Be aware that this setting, if disabled, will provide limited data analysis from Update Compliance and Device Health because the computer name would not be available.
Configure data collection for Windows Analytics with GPO
As covered in the Intune section, the same settings are available in the GPO. They can be found under Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds.
Make sure to use the latest ADMX for the most up to date options.
For more details about the various settings, see Microsoft Docs
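An added example, not from the original post, for clients that can receive neither the GPO nor the Intune profile: it writes the same Data Collection policy values directly, after checking that the Commercial ID is a well-formed GUID, and reads back the result. The value names CommercialId, AllowTelemetry and AllowDeviceNameInTelemetry are assumed to match what the ADMX writes; the Commercial ID passed in is a placeholder.

```powershell
# Added example (not from the original post): apply the Windows Analytics data collection
# settings from the "Data Collection and Preview Builds" policy area directly in the registry.
# Assumptions: the value names below are the ones the ADMX writes; run elevated.
param(
    [Parameter(Mandatory = $true)]
    [string]$CommercialId,                      # GUID from Upgrade Readiness > Solution settings
    [ValidateSet(0, 1, 2, 3)]
    [int]$AllowTelemetry = 2                    # 0 Security, 1 Basic, 2 Enhanced, 3 Full
)

function Set-WindowsAnalyticsPolicy {
    param([string]$Id, [int]$Level)

    # A mistyped Commercial ID fails silently: data is sent, but to no workspace you own
    $parsed = [guid]::Empty
    if (-not [guid]::TryParse($Id, [ref]$parsed)) {
        throw "CommercialId '$Id' is not a valid GUID"
    }
    # Enhanced (2) is the level Microsoft recommends for 1709+ so Device Health gets its data
    if ($Level -lt 2) {
        Write-Warning "AllowTelemetry=$Level limits Device Health; Enhanced (2) is recommended"
    }

    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    Set-ItemProperty -Path $key -Name CommercialId -Value $parsed.ToString() -Type String
    Set-ItemProperty -Path $key -Name AllowTelemetry -Value $Level -Type DWord
    # Device name in diagnostic data: without it Update Compliance and Device Health show
    # limited information, as the post notes
    Set-ItemProperty -Path $key -Name AllowDeviceNameInTelemetry -Value 1 -Type DWord

    # Return the effective values so a task sequence or script runner can log them
    Get-ItemProperty -Path $key |
        Select-Object CommercialId, AllowTelemetry, AllowDeviceNameInTelemetry
}

Set-WindowsAnalyticsPolicy -Id $CommercialId -Level $AllowTelemetry
```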
Enable client for Windows Analytics with SCCM
If you are using SCCM, the Commercial ID can be specified in the Client settings. This is by far the easiest method of all. However, this option is limited, as more configuration is available through GPO and Intune.
For more details about Windows analytics, see Microsoft docs
Microsoft has been hard at work to optimize content delivery since the release of Windows 10 and Office 365. While not perfect at the beginning, the offering is now really good and provides many supported methods to ease the distribution of the huge amount of content that needs to go out month after month. Delivery Optimization is a key component included in Windows 10 since the beginning and recently added to Office 365. Combining Delivery Optimization in Intune with Windows Update for Business will greatly help content downloads from the Internet.
In this post, we will provide details to configure Delivery Optimization for Windows 10 and Office 365, by using Microsoft Intune.
This post is part of a series on Windows Autopilot that will be published in the following weeks. In the next posts, we will cover the following subjects:
Delivery Optimization is a built-in service of Windows 10, and now Office 365, that allows computers on the same network to share downloaded content for monthly updates and bi-yearly upgrades of Windows 10 and Office 365 in a peer-to-peer fashion.
The main benefit of Delivery Optimization is to avoid the trouble of managing the download of updates to an on-premises source, like Configuration Manager/WSUS, by allowing Windows 10 clients to download updates directly from Windows Update sources. They then share the content with nearby computers in the desired way to prevent overloading the network (LAN and/or WAN).
Whenever Windows Update for Business is used to manage updates, or simply if computers aren’t managed for updates, Delivery Optimization should be put in place to help with bandwidth management.
Delivery Optimization Intune Requirements
For Windows 10
All versions of Windows 10 support Delivery Optimization, but 1709 or higher should be used since there were key improvements over the years.
For Office 365
Updates must come from the Office Content Delivery Network (CDN)
This means not from ConfigMgr or a shared network
One of the following must be met:
Version 1808 or higher for background updates
Version 1908 or higher for installation or user-initiated updates
Configure Delivery Optimization Intune for Windows 10
In the early days of Windows Update for Business, Delivery optimization was configurable within a ring configuration for Windows Update for Business. As seen below, this has been moved to standard device configuration.
To configure delivery optimization for Windows 10, create a new Device Configuration
Open the Device Management portal for Intune and click on Devices/Configuration Profiles and select Create Profile
Give a name, select platform Windows 10 or later and select profile type Delivery Optimization
Next, the detailed configuration can be quite customized for each enterprise.
Download Mode
The most important configuration of Delivery Optimization is Download Mode. This will define how clients will download and share content with others on the network. A bad configuration could kill LAN or WAN connection. There is no definitive answer as to which you should use.
If your enterprise has multiple offices with a single NAT per office, then LAN (1) should do the trick. This will allow all computers behind that unique NAT to share the content. But on the other hand, if you have a unique NAT for multiple offices, using this option will likely take a lot of bandwidth between your offices when dealing with large updates/upgrades.
The option of Groups(2) should also be considered. This allows some granularity and multiple choices to group computers. This will avoid the limitation of the LAN(1) option.
Note that the naming changed a bit between the official docs and choices in Intune. Refer to the number to understand the behaviour.
More details on Download mode are available on Microsoft Docs.
Other settings can be modified for your needs, without any key recommendations to be followed.
For more details about Windows 10 Delivery optimization, see Microsoft docs.
Configure Delivery Optimization Intune for Office 365
For more details about Office 365 Delivery optimization, see Microsoft docs
Validation of Delivery Optimization usage
Before looking for actual evidence that DO is working correctly, a validation of your GPOs might be a good idea. Many enterprises changed the behavior of Delivery Optimization because of the early days of the technology. Make sure to remove any GPO that manages Delivery Optimization.
Getting data usage of Delivery optimization takes time. Without monthly updates or major upgrades, not much will happen. But once it gets going, numbers are pretty crazy!
Under Windows Analytics –Update Compliance, there is a dedicated section for Delivery Optimization.
A picture speaks for itself!
The following post from Narkis Engler, from Microsoft, is excellent at summarizing the benefits and the methods to review Delivery Optimization.
Windows Update for Business is one of the new things Microsoft proposed along with Windows 10. It has come a long way since its release. Even if it isn’t perfect yet, or doesn’t give all the flexibility that ConfigMgr (MEMCM) offers when managing monthly updates or feature releases, for many small/medium businesses this brings a simpler approach to patching and keeping Windows 10 up to date. In this post, we will detail how to configure Intune Windows Update for Business to patch Windows 10 devices managed by Intune.
Pre-requisites
Windows 10 must be managed by Intune
If Windows 10 is being co-managed with ConfigMgr(MEMCM), make sure the slider for Software Update is set to Intune
Intune Windows Update Business – Update rings strategy
Depending on multiple factors, the key for Windows Update for Business to be successful is to define the various update rings for your enterprise.
Here, there is no magic answer or one-size-fits-all scenario.
Things to take into consideration when building your strategy:
Number of users total/per rings
Risk tolerance for the Feature update release
Windows 10 Pro vs Enterprise
Pro only allows 18 months of support following the release date of a build. The Feature update strategy is likely to be more aggressive than if Windows 10 Enterprise is used, with its 30 months policy for autumn releases.
What we usually recommend:
Minimum of 3 Update rings
Test, with a few IT people only
Pilot, with more IT people and users for many department/roles
Production, with everyone else.
Depending on the total number of users and on your support capacity, consider multiple Prod rings to avoid having too many users installing a Feature Update at once
The monthly quality update can follow the same 3 major Update rings
Test, within the first few days of release
Pilot, within a week or so of the release
Prod, within 2-3 weeks after release
Remember that Windows Update for Business cannot decline a specific monthly update; you can only defer or pause. So be careful and keep faulty updates away from most of your users by letting the Test and Pilot rings absorb them first
The servicing channel for most, if not all, rings should be Semi-Annual Channel
Carefully review User experience settings in the update ring. Find the best fit for your users along with security needs.
Here’s an example of an aggressive update rings configuration.
Key points are Deferrals for both monthly and Feature updates.
Other settings are mostly about User Experience, so this needs to be reviewed case by case.
Set scopes tags if needed
Set the Assignments. An interesting point here is that you can target groups of users, which in the long run is a much easier way to target test and pilot users without having to track which device they use.
Review
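The following script is an added example, not code from the original post: it reads the Windows Update for Business policy actually in effect on a device (Intune/MDM policy and Group Policy both land in the registry, and MDM wins) and compares it with the ring the device is supposed to be in, including the common co-management mistake where a Group Policy still points the device at WSUS/SUP. The ring table and its deferral values are assumptions matching the Test/Pilot/Prod schedule described above.

```powershell
# Added example, not code from the original post: read the Windows Update for Business
# policy actually in effect on a device and compare it with the ring the device should
# be in. The two registry paths are where MDM (Intune) and Group Policy settings land;
# the ring table and the deferral values are assumptions based on the Test/Pilot/Prod
# schedule described above.

$MdmKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
$GpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Expected deferrals in days per ring (assumption for this example)
$Rings = @{
    Test  = @{ Quality = 0;  Feature = 0  }
    Pilot = @{ Quality = 7;  Feature = 14 }
    Prod  = @{ Quality = 14; Feature = 60 }
}

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-WufbEffectivePolicy {
    # MDM policy takes precedence over Group Policy for these settings, so MDM is read first
    $result = [ordered]@{}
    foreach ($name in 'DeferQualityUpdatesPeriodInDays', 'DeferFeatureUpdatesPeriodInDays', 'BranchReadinessLevel') {
        $mdm = Get-PolicyValue -Path $MdmKey -Name $name
        $gpo = Get-PolicyValue -Path $GpoKey -Name $name
        $result[$name] = if ($null -ne $mdm) { $mdm } else { $gpo }
        $result["${name}Source"] = if ($null -ne $mdm) { 'MDM' } elseif ($null -ne $gpo) { 'GPO' } else { 'none' }
    }
    # A device still pointed at WSUS / the ConfigMgr SUP by Group Policy keeps scanning
    # that server and ignores the WUfB deferrals above
    $result['UseWUServer'] = Get-PolicyValue -Path "$GpoKey\AU" -Name 'UseWUServer'
    return [pscustomobject]$result
}

function Test-WufbRing {
    param([Parameter(Mandatory)][ValidateSet('Test', 'Pilot', 'Prod')][string]$Ring)
    $policy   = Get-WufbEffectivePolicy
    $expected = $Rings[$Ring]
    $issues   = @()

    if ($policy.UseWUServer -eq 1) {
        $issues += 'UseWUServer=1 is still set by GPO: the device scans WSUS/SUP and WUfB deferrals do not apply (check the co-management workload and remove the GPO)'
    }
    if ($policy.DeferQualityUpdatesPeriodInDays -ne $expected.Quality) {
        $issues += "Quality update deferral is '$($policy.DeferQualityUpdatesPeriodInDays)' from $($policy.DeferQualityUpdatesPeriodInDaysSource), expected $($expected.Quality)"
    }
    if ($policy.DeferFeatureUpdatesPeriodInDays -ne $expected.Feature) {
        $issues += "Feature update deferral is '$($policy.DeferFeatureUpdatesPeriodInDays)' from $($policy.DeferFeatureUpdatesPeriodInDaysSource), expected $($expected.Feature)"
    }
    # 16 is Semi-Annual Channel; 32 was the separate 'Semi-Annual Channel' value on builds before 1903
    if ($policy.BranchReadinessLevel -notin 16, 32) {
        $issues += "BranchReadinessLevel is '$($policy.BranchReadinessLevel)', expected 16 (Semi-Annual Channel)"
    }

    return [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Ring         = $Ring
        Compliant    = ($issues.Count -eq 0)
        Issues       = $issues
        Policy       = $policy
    }
}

# Usage: run on a device that should be in the Pilot ring
Test-WufbRing -Ring Pilot | Format-List
```

Run it under an elevated prompt on a device from each ring after the ring assignment has synced. A non-empty Issues list tells you either that the Intune policy has not arrived (Source shows GPO or none) or that a leftover Group Policy is overriding what the update ring is supposed to do.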
Monitor Windows Update for Business
This is still done with Update Compliance from Windows Analytics. Note that Update Compliance is the only Windows Analytics component that has not been retired yet.
There is also a new option, Windows 10 feature updates, that is currently in preview. It allows administrators to select the Feature Update to target instead of leaving the device on the default release.
For more details about Windows Update for Business, see Microsoft docs
Contributor of System Center Dudes. Based in Montreal, Canada, Senior Microsoft SCCM consultant, working in the industry for more than 10 years. He developed a strong knowledge of SCCM and MDT to build automated OS deployment solution for clients, managed large and complexe environment, including Point of Sale (POS) related projects.
When planning a Windows 10 migration, understanding your environment is the key. Luckily, Windows 10 Setup comes with command-line options, one of which is a compatibility-only scan (/Compat ScanOnly). It can be run on Windows 7, 8.1 or 10 devices before a migration to see whether those devices are Windows 10 compatible. Using SCCM, we will run this Windows 10 compatibility check, return the results to the SCCM database and use that data to build a comprehensive report. This report can be used to detect and fix migration errors before the actual Windows 10 deployment.
SCCM Windows 10 Compatibility Check Package Creation
We will start by creating a package for the Windows 10 compatibility check. The source of this package must be the Windows 10 installation media. The deployment option and the command line are important here: if they are not set correctly you will end up sending the complete installation media (including Install.wim) to the computers just for a compatibility check, which is wasteful. With the proposed method, about 250 MB is used on the client drive instead of 5 GB.
In the SCCM Console, go to Software Library / Application Management / Packages
Create a new package
Name your package and specify your Windows 10 installation media as the source. Be aware that setup.exe is language specific: if your machines are EN-US, you must provide EN-US media
/DynamicUpdate: enabling it causes Setup to download the latest compatibility information from Windows Update, so the client needs outbound access to Windows Update for this to work
The /CopyLogs parameter can also be added at the end. Use it to copy the Setup logs to a network share. The problem with that switch is that the logs are not organized by computer name, so finding the right logs after hundreds of deployments becomes a nightmare. This is why we are not using it in this post
In the Requirements page, select your operating systems
Complete the wizard
Right-click your package and distribute it to your distribution points
Deploy Windows 10 compatibility check on a test computer
We will now deploy the Windows 10 compatibility check program to a computer running Windows 10 1607. In our test, we want to evaluate whether this computer can upgrade from Windows 10 1607 to 1709. Create a test collection and deploy the newly created program to a test device.
Right-Click your package and select Deploy
On the General tab, select your collection
On the Content tab, ensure that your content is distributed to your distribution point
Select your deployment purpose – Available or Required
On the Scheduling pane, select your schedule
On the User Experience pane, select the desired options
On the Distribution Points pane, select Run program from distribution point
Review your choice and complete the wizard
Running the Compatibility Check
On a targeted computer, run the program manually in the Software Center (Available) or wait for the schedule to trigger your deployment (Required).
The program starts and takes about 5 minutes to complete… and then it fails. This is expected: setup.exe in /Compat ScanOnly mode never returns 0, so SCCM reports every result as a failure. A scan that found no problem returns 0xC1900210 (-1047526896 when SCCM shows it as a signed integer); any other code means Setup found something to fix.
If you need more information about the result, look at setupact.log and setuperr.log generated by Setup.exe. They are located in the C:\$WINDOWS.~BT\Sources\Panther folder (or in the path you specified if you use the /CopyLogs parameter in your command line). We cover how to troubleshoot Windows 10 upgrade errors in this blog post
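The script below is an added example, not the post's own program. It wraps the package command line discussed above (the setup.exe switches are the Microsoft-documented ones; the post's exact command line only appears in a screenshot), decodes the signed exit code back into the 0xC19xxxxx form, sends the /CopyLogs output into one folder per computer so the logs stay searchable, and writes the result into a local registry key that hardware inventory can collect. The log share, the registry key name and the hardware inventory extension are assumptions.

```powershell
# Added example, not the post's own program: a wrapper for setup.exe /Compat ScanOnly.
# The setup.exe switches are the Microsoft-documented ones; the log share, the result
# registry key and the idea of collecting that key with hardware inventory are
# assumptions for this example (a matching hardware inventory class must be added
# separately). Program command line for the SCCM package:
#   powershell.exe -ExecutionPolicy Bypass -File Invoke-CompatScan.ps1

param(
    [string]$SetupPath = (Join-Path $PSScriptRoot 'setup.exe'),   # setup.exe at the package source root
    [string]$LogShare  = '\\fileserver\compatlogs$',              # assumption
    [string]$ResultKey = 'HKLM:\SOFTWARE\Contoso\Win10Compat'     # assumption
)

# Documented /Compat ScanOnly results, keyed by the unsigned hex form of the exit code
$KnownResults = @{
    '0xC1900210' = 'No compatibility issues found'
    '0xC1900208' = 'Compatibility issues found (hard block)'
    '0xC1900204' = 'Migration choice (auto upgrade) not available (edition or architecture mismatch)'
    '0xC1900200' = 'Does not meet the minimum system requirements'
    '0xC190020E' = 'Insufficient free disk space'
}

function ConvertTo-UnsignedHex {
    # Process.ExitCode is a signed Int32 (-1047526896); turn it back into 0xC1900210
    param([int]$Signed)
    $unsigned = [BitConverter]::ToUInt32([BitConverter]::GetBytes($Signed), 0)
    return ('0x{0:X8}' -f $unsigned)
}

function Invoke-CompatScan {
    param([string]$Setup, [string]$Share, [string]$Key)

    # One log folder per device, so the /CopyLogs output stays searchable
    $logDir    = Join-Path $Share $env:COMPUTERNAME
    $setupArgs = '/Auto Upgrade /Quiet /NoReboot /DynamicUpdate Enable /Compat ScanOnly'
    if (Test-Path $Share) { $setupArgs += " /CopyLogs `"$logDir`"" }

    $proc = Start-Process -FilePath $Setup -ArgumentList $setupArgs -Wait -PassThru
    $code = ConvertTo-UnsignedHex -Signed $proc.ExitCode
    $text = if ($KnownResults.ContainsKey($code)) { $KnownResults[$code] } else { 'Unknown result, review setupact.log and setuperr.log' }

    # Persist the result locally so hardware inventory can report it
    New-Item -Path $Key -Force | Out-Null
    Set-ItemProperty -Path $Key -Name 'ScanDate'   -Value ((Get-Date).ToString('s'))
    Set-ItemProperty -Path $Key -Name 'ExitCode'   -Value $code
    Set-ItemProperty -Path $Key -Name 'Result'     -Value $text
    Set-ItemProperty -Path $Key -Name 'SetupBuild' -Value ((Get-Item $Setup).VersionInfo.ProductVersion)

    return [pscustomobject]@{
        ExitCode    = $code
        RawExitCode = $proc.ExitCode
        Result      = $text
        Logs        = $logDir
    }
}

$result = Invoke-CompatScan -Setup $SetupPath -Share $LogShare -Key $ResultKey
Write-Output $result

# Exit with the raw setup.exe code so the SCCM deployment status keeps showing the
# real result, exactly as when the program runs setup.exe directly
exit $result.RawExitCode
```

Keep the SCCM program set to Run program from distribution point so only the files Setup actually needs are read over the network. Because /DynamicUpdate Enable reaches out to Windows Update, run the scan with it disabled on isolated networks, or the scan will fail for a reason unrelated to compatibility.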
Once we have tested on a couple of machines and are happy with the results, we can expand the deployment to all computers.
From there, what is the easy way to check your compatibility results? You could go to the Monitoring / Deployments section in the console… or you can build a custom report.
Windows 10 Compatibility Check Report
Luckily for you, we created a report that gives you a quick overview of your compatibility successes and failures. We also included basic hardware inventory information so you can check whether a computer is not compliant because of hardware limitations. The only thing you need to do is select your Compatibility package and run the report!
You can download this free report by visiting our product page. The Asset – Compatibility Check report is available in the Report / Asset Section.
Founder of System Center Dudes. Based in Montreal, Canada, Senior Microsoft SCCM Consultant, 5-time Enterprise Mobility MVP. Working in the industry since 1999. His specialization is designing, deploying and configuring SCCM, mass deployment of Windows operating systems, Office 365 and Intune deployments.
This blog post is a complete SCCM Windows 10 Deployment Guide. It contains all you need to know for a successful Windows 10 deployment. The race to remove Windows 7 computers from your environment is entering its home stretch: Microsoft ended Windows 7 support on January 14, 2020. If you still have Windows 7 computers in your company, it's time to seriously plan your migration. If you've been reading our blog for a while, you may have seen a couple of posts regarding Windows 10 migration. We thought that grouping all the posts into a single one would save you time finding all the SCCM Windows 10 deployment resources needed to start.
If you are still running SCCM 2012 and have plans to deploy Windows 10, we recommend starting with part 2 of this guide. (Hint: Deploy SCCM Current Branch).
If you're already running SCCM Current Branch, start by creating a Windows 7 Upgrade Task Sequence. Upgrading Windows 7 to Windows 10 is not a complicated task, but it needs proper planning. You can use Desktop Analytics to help you with application and driver compatibility.
We will update this post as we add more parts to our SCCM Windows 10 deployments guide on our blog.
Before starting a Windows 10 migration project, it’s always a good idea to be informed. There was so much information about Windows 10 in the past year: the OS itself has a couple of new features that you need to first understand. Your infrastructure needs various updates before you can start managing Windows 10 devices. The Windows 10 servicing options are also a huge chunk to understand. This can be overwhelming at first so we decided to compile a list of documentation that we found helpful during our multiple deployment projects.
Come back often as this list will continue to grow with time as Microsoft releases interesting documentation on a weekly basis.
GENERAL DOCUMENTATION
Huge compiled list of documentation provided by Microsoft about various topics :
This is the post to read if you need to understand the CBB and LTSB editions. It's also an absolute must to understand the different Windows 10 servicing options :
There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. Information about Deployment tools (MDT, SCCM), Management Tools (AD, GPO, WSUS) and Activation tools (KMS) :
Understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task :
In the first part of this blog series on how to deploy Windows 10 with SCCM, we will prepare our environment for Windows 10. If you're already deploying other operating systems with SCCM 1511, adding Windows 10 is just a matter of adding a new WIM (which our post covers in part 4). If you're new to deploying operating systems with SCCM, follow this post, which covers all the steps needed before you can deploy your first systems.
Part 2 | OVERVIEW SCCM WINDOWS 10 DEPLOYMENT
Upgrade to SCCM 1511
Enable PXE Support
Prepare your boot image
Prepare your Operating Systems
Create your SUG
USMT Packages
UPGRADE TO SCCM 1511
It's possible to manage Windows 10 with SCCM 2012, but when it comes to deploying Windows 10 with the full feature set, you need SCCM 1511 or later. Follow our guide to upgrade your SCCM server and make sure that you upgrade your Windows ADK version, which is included in the upgrade process.
ENABLE PXE SUPPORT
Follow these steps if you want to deploy your images using PXE boot (recommended)
Open the SCCM Console
Go to Administration / Site Configuration /Servers and Site System Roles
Select your distribution point and right-click on the Distribution point role on the bottom, select Properties
Select the PXE tab
Check the Enable PXE support for clients check box and answer Yes when prompted about firewall ports (UDP ports 67, 68, 69 and 4011)
Check the Allow this distribution point to respond to incoming PXE requests check box
Check the Enable unknown computer support check box
Ensure that the Respond to PXE request on all network interfaces is selected
Click Ok
Your distribution point will now install Windows Deployment Services (if not already installed) and will copy the necessary files on the distribution point.
You can monitor this process in the SCCM Console :
Go to Monitoring / Distribution Status / Distribution Point Configuration Status
Click your distribution point on the top and select the Details tab on the bottom
You will see that the distribution point PXE settings has changed
PREPARE YOUR BOOT IMAGE
Important note: If you created custom boot images in a previous version, you won't be able to manage them (customize, add drivers, etc.) through the SCCM console. Only WinPE 10 images are manageable from the console. Other versions can still be used, but you'll have to manage them outside the console using DISM.
DRIVERS
Before launching your first boot image you may need to include Windows 10 drivers in it. Our rule of thumb about drivers is to try to boot a given model and, if it fails, add the drivers it needs. Do not add all your NIC drivers to your boot image; it's overkill and unnecessarily increases the size of the boot image.
To add drivers to the boot image :
Open the SCCM Console
Go to Software Library / Operating Systems / Boot Images
Right-click your Boot Image, select Properties
Select the Drivers tab
Click the Star icon
Select the desired drivers and click OK
The selected drivers are added to the boot image, once you click OK, SCCM will inject the driver in your boot image
Windows 10 CUSTOMIZATION
We will now make a couple of customizations to the boot image to enable command support (F8) and add a custom background image to the deployment
Open the SCCM Console
Go to Software Library / Operating Systems / Boot Images
Right-click your Boot Image
Select the Customization tab
Check the Enable command support (testing only) check box. This enables the F8 command prompt during deployment. Keep in mind that this prompt runs as SYSTEM in WinPE and gives anyone at the keyboard access to the task sequence variables, so enable it on boot images used for testing and turn it off before production
Specify a custom background if needed by checking Specify the custom background image file checkbox
If you're using a PXE-enabled distribution point, select the Data Source tab and check the Deploy this boot image from the PXE-enabled distribution point check box
Click Apply and Yes to the warning, close the window
DISTRIBUTE YOUR BOOT IMAGE
Since you’ve upgraded your ADK to version 10 and made modifications to your boot image, you need to redistribute it to your distribution points.
Right click your boot image and select Update Distribution Points
PREPARE YOUR OPERATING SYSTEMS
We will now import the Windows 10 WIM file for Windows 10 deployment.
Important: You'll see both Operating System Images and Operating System Upgrade Packages. One is used to import .WIM files and the other one is for full media. We will need both for different scenarios. For a vanilla deployment or after a build and capture, you use Operating System Images to import the WIM file. For an Upgrade task sequence, you need the full media imported in Operating System Upgrade Packages.
We will start by importing the default Install.Wim from the Windows 10 media for a “vanilla” Windows 10 deployment. You could also import a WIM file that you’ve created through a build and capture process.
Open the SCCM Console
Go to Software Library / Operating Systems / Operating System Images
Right-click Operating System Images and select Add Operating System Image
On the Data Source tab, browse to your WIM file. The path must be in UNC format
In the General tab, enter the Name, Version and Comment, click Next
On the Summary tab, review your information and click Next
Complete the wizard and close this window
DISTRIBUTE YOUR OPERATING SYSTEM IMAGE
We now need to send the Operating System Image (WIM file) to our distribution points.
Right click your Operating System Image, select Distribute Content and complete the Distribute Content wizard
We will now import the complete Windows 10 media in Operating System Upgrade Packages. This package will be used to upgrade a Windows 7 (or 8.1) device to Windows 10 using an Upgrade Task Sequence.
Open the SCCM Console
Go to Software Library / Operating Systems / Operating System Upgrade Packages
Right-click Operating System Upgrade Packages and select Add Operating System Upgrade Package
In the Data Source tab, browse to the path of your full Windows 10 media. The path must point to the extracted contents of the ISO file, i.e. the top-level folder where Setup.exe resides
In the General tab, enter the Name, Version and Comment, click Next
On the Summary tab, review your information and click Next
Complete the wizard and close this window
DISTRIBUTE YOUR OPERATING SYSTEM UPGRADE PACKAGES
We now need to send the Operating System Upgrade Package to your distribution points.
Right click your Operating System Upgrade Package, select Distribute Content and complete the Distribute Content wizard
CREATE SOFTWARE UPDATE GROUP
One important thing in any OSD project is to make sure that every deployed machine is up to date. Before deploying Windows 10, make sure that your Software Update Point is configured to include Windows 10 patches.
Once Windows 10 is added to your Software Update Point, we will create a Software Update Group that will be deployed to our Windows 10 deployment collection. This way, all patches released after the Windows 10 media creation (or your Capture date) will be deployed during the deployment process.
To create a Windows 10 Software Update Group :
Open the SCCM Console
Go to Software Library / Software Updates / All Software Updates
On the right side, click Add Criteria, select Product, Expired and Superseded
Product : Windows 10
Expired : No
Superseded : No
Select all patches and select Create Software Update Group
Once created, go to Software Library / Software Updates / Software Update Groups
Right-click your Windows 10 SUG and deploy it to your OSD deployment collection
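As an added example (not from the original post), the same Software Update Group and its OSD deployment built with the ConfigMgr PowerShell module that ships with the console, with one check the console filter does not give you: updates whose content has not been downloaded to a deployment package, which make the Install Software Updates step fail. Site code, site server, group and collection names are assumptions, and the cmdlet parameters used are those of the ConfigMgr module from version 1702 onwards.

```powershell
# Added example, not from the original post: the same Software Update Group and its
# OSD deployment built with the ConfigMgr PowerShell module (loaded from the console
# install). Site code, site server, group and collection names are assumptions.

Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
$SiteCode   = 'PS1'                 # assumption
$SiteServer = 'cm01.contoso.local'  # assumption
if (-not (Get-PSDrive -Name $SiteCode -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $SiteServer | Out-Null
}
Set-Location "$($SiteCode):\"

function New-Win10OsdUpdateGroup {
    param(
        [string]$GroupName      = 'Windows 10 - OSD',            # assumption
        [string]$CollectionName = 'OSD - Windows 10 Deployment'  # assumption
    )
    # Same criteria as the console filter: Product = Windows 10, Expired = No, Superseded = No
    $updates = @(Get-CMSoftwareUpdate -CategoryName 'Windows 10' -IsExpired $false -IsSuperseded $false)
    if ($updates.Count -eq 0) {
        throw 'No Windows 10 updates found; check the Software Update Point products and run a synchronization'
    }

    # Updates without downloaded content will make the Install Software Updates step fail
    $missing = @($updates | Where-Object { -not $_.IsContentProvisioned })
    if ($missing.Count -gt 0) {
        Write-Warning ('{0} update(s) have no content in any deployment package; download them before deploying' -f $missing.Count)
    }

    New-CMSoftwareUpdateGroup -Name $GroupName -Description 'Windows 10 updates for OSD' -UpdateId $updates.CI_ID | Out-Null

    # A Required deployment with a deadline on the OSD collection is what the
    # 'Mandatory Software Updates' task sequence option looks for
    New-CMSoftwareUpdateDeployment -SoftwareUpdateGroupName $GroupName `
        -CollectionName $CollectionName `
        -DeploymentName "$GroupName - OSD" `
        -DeploymentType Required `
        -AvailableDateTime (Get-Date) `
        -DeadlineDateTime (Get-Date) `
        -UserNotification HideAll `
        -RestartServer $false `
        -RestartWorkstation $false | Out-Null

    return [pscustomobject]@{
        GroupName      = $GroupName
        UpdateCount    = $updates.Count
        MissingContent = $missing.Count
    }
}

New-Win10OsdUpdateGroup
```

Run this from a console-installed machine with an account that has rights on the site. Re-run it after each Patch Tuesday synchronization, or better, move the same filter into an Automatic Deployment Rule so the OSD group stays current without manual work.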
USMT PACKAGE
If you are planning to use USMT to capture and restore user settings and files, you need to make sure that the USMT package is created and distributed.
Open the SCCM Console
Go to Software Library / Application Management / Packages
Right-click the User State Migration Tool for Windows 10 package and select Properties
On the Data Source tab, ensure that the package is using the ADK 10 source, which by default is C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\User State Migration Tool
Right-click the User State Migration Tool for Windows 10 package and select Distribute Content
That’s it ! You have everything that’s needed to create your first Windows 10 deployment. Read the next parts of this blog series to successfully deploy Windows 10.
Part 3 | CREATE SCCM WINDOWS 10 TASK SEQUENCE
In the second post of this blog series about Windows 10 Deployment using SCCM, we will show you how to create a SCCM Windows 10 Task Sequence and deploy it. Complete the preparation of your environment before reading this post.
This task sequence will help you deploy what we call a “vanilla” Windows 10 using the default Install.wim from the Windows 10 media. This means that you’ll end up with a basic Windows 10 with the SCCM client and nothing else.
You will be able to edit this task sequence later to customize it to your environment.
Open the SCCM Console
Go to Software Library \ Operating Systems \ Task Sequences
Right-click Task Sequences and select Create Task Sequence
On the Task Sequence wizard, select Install an existing image package
On the Task Sequence Information pane, enter the desired Name, Description and Boot Image
On the Install Windows pane, select the Image package and Image index you imported in part 1
Leave the Partition and format the target computer before installing the operating system check box selected
For this example we uncheck Configure task sequence for use with BitLocker (for production deployments you will normally want it enabled)
Leave the Product key blank. If you are using MAK keys, read this post on how to handle that in your Task Sequence. (TL;DR: even with a MAK key, you need to leave the Product key blank)
Enter a local Administrator password. Keep in mind that it is stored in the task sequence, so plan to rotate it after deployment (for example with LAPS)
In the Configure Network pane, you can select Join a workgroup or Join a domain. If you select Join a domain, enter your domain information, OU and credentials
On the Install Configuration Manager Client pane, select your Configuration Manager Client Package and enter your installation properties
On the State Migration pane, clear all the check boxes, as we don't want to use User State Migration at this time
On the Include Updates pane, select the desired Software Update task
All Software Updates will install the updates regardless of whether there is a deadline set on the deployment (on your OSD collection)
Mandatory Software Updates will only install updates from deployments that have a scheduled deadline (on your OSD collection)
Do not install any software updates will not install any software update during the Task Sequence
On the Install Applications tab, click the Star icon to add any application that you want installed during your deployment. Only applications are listed; if you need to add packages, you can do so by editing the task sequence later. These applications will be deployed each time the task sequence is executed.
On the Summary tab, review your settings and click Next
On the Completion tab, click Close
DEPLOY WINDOWS 10 TASK SEQUENCE
Now that your Task Sequence is created, we will deploy it to a collection and start a Windows 10 deployment.
Warning: Be careful when targeting the deployment. This task sequence will format and install a new OS on the targeted devices.
Open the SCCM Console
Go to Software Library \ Operating Systems \ Task Sequences
Right-click your Windows 10 Task Sequence and select Deploy
On the General pane, select your collection. This is the collection that will receive the Windows 10 installation. For testing purposes, we recommend putting only 1 computer to start
Select the Purpose of the deployment
Available will prompt the user to install at the desired time
Required will force the deployment at the deadline (see Scheduling)
In the Make available to the following drop-down, select Only media and PXE. This ensures that the deployment is not offered to running clients; with this option you *could* target All Systems and no client would be able to run the deployment from within Windows, which removes the risk of an accidental wipe
On the Scheduling tab, enter the desired available date and time. On the screenshot, we can't create an Assignment schedule because we selected Available on the previous screen
In the User Experience pane, select the desired options
In the Alerts tab, check Create a deployment alert when the threshold is higher than the following checkbox if you want to create an alert on the failures
On the Distribution Point pane, select the desired Deployment options. We will leave the default options
Review the selected options and complete the wizard
PXE BOOT
Now that we've created our task sequence and deployed it, we can start the deployment on the machine. Make sure that your system is a member of your deployment collection and start the device. For this example, we will be using a virtual machine running on Hyper-V.
The machine is booting and waiting for the PXE to respond
Our SCCM Distribution point is sending the boot image to our VM
The Welcome to the Task Sequence Wizard pops-up. This is because of the Available purpose in the Deployment Settings. If we had a Required deployment, the task sequence would start right away. Click Next
All the available task sequences are listed. In our example we have only 1 deployment on our collection, so only 1 task sequence is available. Select the task sequence and click Next
The Task Sequence starts
MONITORING
See our blog post on this topic which covers the various ways to monitor your Task Sequence progress.
Part 4 | CREATE SCCM WINDOWS 10 BUILD AND CAPTURE TASK SEQUENCE
In the third post of this blog series about Windows 10 Deployment using SCCM, we will show you how to create an SCCM Windows 10 Build and Capture Task Sequence and deploy it. Complete the preparation of your environment before reading this post. You will be able to edit this task sequence later to customize it to your environment.
The goal of a build and capture task sequence is to capture a reference machine OS in order to redeploy its configuration multiple times. As a best practice, we recommend not adding too much software and customization to your reference image. Rather, use the task sequence steps to customize your deployment, which decreases management tasks in the long run.
For example, if you want to include Adobe Reader in your reference image because all your users need it, do not install it on your reference machine before the capture. Instead, use the Install Application step in the deployment task sequence. When a new version of Adobe Reader is released, replacing the old version with the new one will be a matter of a couple of clicks.
Open the SCCM Console
Go to Software Library \ Operating Systems \ Task Sequences
Right-click Task Sequences and select Build and capture a reference operating system image
On the Task Sequence Information tab enter a task sequence Name and Description
Select the desired boot image
On the Install Windows pane, select the Image package and Image index you imported in part 1
Leave the Product key blank. If you are using MAK keys, read this post on how to handle that in your Task Sequence. (Hint: even with a MAK key, you need to leave the Product key blank)
Enter a password for the local Administrator account
In the Configure Network pane, select to Join a workgroup. There’s no reason to join a domain when creating a build and capture task sequence. You’ll still be able to join a domain when creating a task sequence to deploy this image
On the Install Configuration Manager Client pane, select your Configuration Manager Client Package and enter your installation properties
On the Include Updates pane, select the desired Software Update task
All Software Updates will install the updates regardless of whether there is a deadline set on the deployment (on your OSD collection)
Mandatory Software Updates will only install updates from deployments that have a scheduled deadline (on your OSD collection)
Do not install any software updates will not install any software update during the Task Sequence
On the Install Applications tab, click the Star icon to add any application that you want installed during your build and capture. These applications become part of the reference image, so we recommend adding only software that needs to be included in every deployment… and even then, I prefer adding it to a deployment task sequence rather than including it in the image. The reason is pretty simple: if you need to make an application change, you only have one task sequence step to change, rather than redoing the whole build and capture process and then modifying your task sequence with the new image. Some people like to add Office or other large applications that every user needs in order to reduce deployment time.
On the System Preparation tab, click Next
On the Image Properties tab, enter the desired information
On the Capture Image tab, select the path where you want to save the .WIM file
Enter the account to access the folder. This account needs write permission
On the Summary tab, review your choices and complete the wizard
DEPLOY WINDOWS 10 BUILD AND CAPTURE TASK SEQUENCE
Now that our Task Sequence is created, we will deploy it to a collection and start a Windows 10 Build and capture. It’s strongly recommended to deploy a build and capture on a virtual machine.
Be careful when targeting the deployment. This task sequence will format and install a new OS to targeted devices.
Open the SCCM Console
Go to Software Library \ Operating Systems \ Task Sequences
Right-click your Windows 10 Build and Capture Task Sequence and select Deploy
On the General pane, select your build and capture collection. This is the collection that will receive the Windows 10 installation and be captured to create the new WIM file
Select the Purpose of the deployment
Available will prompt the user to install at the desired time
Required will force the deployment at the deadline (see Scheduling)
In the Make available to the following drop-down, select Only media and PXE. This ensures that the deployment is not offered to running clients; with this option you *could* target All Systems and no client would be able to run the deployment from within Windows, which removes the risk of an accidental wipe
On the Scheduling tab, enter the desired available date and time. On the screenshot, we can't create an Assignment schedule because we selected Available on the previous screen
In the User Experience pane, select the desired options
In the Alerts tab, check Create a deployment alert when the threshold is higher than the following checkbox if you want to create an alert on the failures
On the Distribution Point pane, select the desired Deployment options. We will leave the default options
Review the selected options and complete the wizard
PXE BOOT
Now that we've created our task sequence and deployed it, we can start the deployment on the machine. Make sure that the system you want to capture is a member of your deployment collection and start the device. (See this TechNet article to learn how to import a computer.)
For this example, we will be using a virtual machine running on Hyper-V.
The machine is booting and waiting for the PXE to respond
Our SCCM Distribution point is sending the boot image to our VM
The Welcome to the Task Sequence Wizard pops-up. This is because of the Available purpose in the Deployment Settings. If we had a Required deployment, the task sequence would start right away. Click Next
All the available task sequences are listed. In our example we have both our deployment and our build and capture task sequence. Select the Build and Capture task sequence and click Next
The Task Sequence starts
MONITORING
See our blog post on this topic which covers the various ways to monitor your task sequence progress.
Part 5 | MONITOR SCCM TASK SEQUENCE USING THE CONSOLE
When deploying the Windows 10 operating system using SCCM, you will need to monitor SCCM task sequence progress. This allows you to track task sequence start and end times and, most importantly, errors (if any). Our post will show 4 different ways to monitor SCCM task sequences. Each of them has its own benefits and drawbacks.
You can view the progress of a task sequence using the SCCM console. This method is simple and easy but lets you see the status of only one machine at a time. If your deployment staff don't have access to the console or to the deployment status, this option is not for you.
Go to Monitoring / Deployments, select your task sequence deployment and click View Status. In the Deployment Status screen, select the In Progress tab for a running task sequence or the Success tab to review a completed task sequence
At the bottom, click the Asset Details pane, right-click your device and select More Details
On the Asset Message screen, click the Status tab
You can view all task sequence Action Name with their Last Message Name
CONSOLE STATUS MESSAGE QUERIES
You can use Status Message Queries in the SCCM console to filter only task sequence messages. This method is useful to see messages from multiple devices instead of targeting a specific computer as in the previous method. It is a bit trickier to implement.
The first step is to get the DeploymentID of your task sequence deployment
Go to Monitoring / Deployments
Add the DeploymentID column by right-clicking the top row. Note your DeploymentID, in our example 1002000B
Go to Monitoring / System Status / Status Message Queries
Right-click Status Message Queries and select Create Status Message Query
On the General tab, enter a desired Name and click on Edit Query Statement
On the Query Statement Properties window, click on Show Query Language
Enter the following query in the Query Statement window
Query:
select SMS_StatusMessage.*, SMS_StatMsgInsStrings.*, SMS_StatMsgAttributes.*, SMS_StatMsgAttributes.AttributeTime
from SMS_StatusMessage
left join SMS_StatMsgInsStrings on SMS_StatMsgInsStrings.RecordID = SMS_StatusMessage.RecordID
left join SMS_StatMsgAttributes on SMS_StatMsgAttributes.RecordID = SMS_StatusMessage.RecordID
where SMS_StatMsgAttributes.AttributeID = 401
and SMS_StatMsgAttributes.AttributeValue = "1002000B"
and SMS_StatMsgAttributes.AttributeTime >= ##PRM:SMS_StatMsgAttributes.AttributeTime##
order by SMS_StatMsgAttributes.AttributeTime DESC
Change the SMS_StatMsgAttributes.AttributeValue to reflect your DeploymentID
Click OK
In the Status Message Queries node, find your newly created Query, right-click on it and select Show Messages
Select the desired Date and Time and click OK
All messages from your selected deployment will be displayed for all devices that run it
SCCM BUILT-IN REPORTS
There are 28 built-in reports concerning task sequences in SCCM. The majority of them focus on statistics about overall deployments. To monitor progress, we refer to the 2 following reports :
Task Sequence – Deployment Status / Status of a specific task sequence deployment for a specific computer
This report shows the status summary of a specific task sequence deployment on a specific computer.
Task Sequence – Deployment Status / History of a task sequence deployment on a computer
This report displays the status of each step of the specified task sequence deployment on the specified destination computer. If no record is returned, the task sequence has not started on the computer.
As you can see, the console is easier to read, but keep in mind that reports can be made accessible to people who don't have console access.
OUR SCCM OSD REPORT
We also offer a paid report to keep track of your Windows 10 deployment. It gives you all the information needed to follow a deployment.
The last method we want to cover to monitor a Windows 10 task sequence deployment is the SMSTS.log file. This is the method you'll want when you have a failing task sequence: SMSTS.log contains the details of every step in your task sequence and is the first place to look when troubleshooting a specific deployment.
The downside of this file is that it's stored locally on the computer (by default). Another downside is that its location changes depending on the stage you are at:
In Windows PE, before the hard disk is formatted: X:\Windows\Temp\Smstslog\Smsts.log
In Windows PE, after the hard disk is formatted: X:\Smstslog\Smsts.log and C:\_SMSTaskSequence\Logs\Smstslog\Smsts.log
In Windows, before the SCCM client is installed: C:\_SMSTaskSequence\Logs\Smstslog\Smsts.log
In Windows, after the SCCM client is installed: C:\Windows\Ccm\Logs\Smstslog\Smsts.log
In Windows, when the task sequence is complete: C:\Windows\Ccm\Logs\Smsts.log
Log on to the computer you want to troubleshoot
Press the F8 key. A command prompt opens. If nothing happens when you press F8, consult our Preparation post to enable Command Line support in your boot image. Keep in mind that this prompt runs as SYSTEM and is available to anyone at the console, so enable it on boot images used for testing and turn it off on production boot images
In the command window, enter CMTrace to open the log viewer (it's included by default in the latest WinPE version)
Browse to the location where the file resides (see the list above)
The SMSTS.log opens and you can search for errors
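To speed up the search for errors, the following added script (our own, not part of the original post) looks for smsts.log in the stage-dependent locations listed above and parses the CMTrace entries so the error lines (type 3) can be listed with their timestamp and component. The sample log text at the end is constructed for this example so the parser can be tried without a deployment in progress; the error text it contains is the TSManager wording you would see when the Run Command Line step for the file associations fails because the XML path does not exist.

```powershell
# Added example: locate smsts.log and extract the error entries.
# The candidate paths are the ones from the post; the sample log at the end is constructed.

$SmstsLogCandidates = @(
    'X:\Windows\Temp\Smstslog\Smsts.log',            # WinPE, before the disk is formatted
    'X:\Smstslog\Smsts.log',                         # WinPE, after the disk is formatted
    'C:\_SMSTaskSequence\Logs\Smstslog\Smsts.log',   # Windows, client not yet installed
    'C:\Windows\Ccm\Logs\Smstslog\Smsts.log',        # Windows, client installed
    'C:\Windows\Ccm\Logs\Smsts.log'                  # task sequence complete
)

function Find-SmstsLog {
    param([string[]]$Candidates = $SmstsLogCandidates)
    # Return every copy that exists, newest first; during a task sequence more than one may be present
    $Candidates | Where-Object { Test-Path -LiteralPath $_ } |
        Get-Item | Sort-Object LastWriteTime -Descending
}

# One CMTrace entry:
# <![LOG[text]LOG]!><time="HH:mm:ss.fff+offset" date="MM-dd-yyyy" component="..." context="" type="N" thread="..." file="...">
# type 1 = informational, 2 = warning, 3 = error
$CmTraceEntry = [regex]'(?s)<!\[LOG\[(?<text>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<component>[^"]*)"\s+context="[^"]*"\s+type="(?<type>\d)"'

function ConvertFrom-CmTraceLog {
    param([Parameter(Mandatory)][string]$Content)
    foreach ($m in $CmTraceEntry.Matches($Content)) {
        # time looks like 14:03:22.457+300 (offset in minutes); drop the offset before parsing
        $time = ($m.Groups['time'].Value -split '[+-]')[0]
        [pscustomobject]@{
            Timestamp = [datetime]::ParseExact("$($m.Groups['date'].Value) $time", 'MM-dd-yyyy HH:mm:ss.fff', [cultureinfo]::InvariantCulture)
            Type      = [int]$m.Groups['type'].Value
            Component = $m.Groups['component'].Value
            Text      = $m.Groups['text'].Value.Trim()
        }
    }
}

function Get-SmstsErrors {
    param([string]$Path = (Find-SmstsLog | Select-Object -First 1 -ExpandProperty FullName))
    if (-not $Path) { throw 'No smsts.log found in any known location' }
    ConvertFrom-CmTraceLog -Content (Get-Content -LiteralPath $Path -Raw) |
        Where-Object { $_.Type -eq 3 -or $_.Text -match 'Failed to run the action|\(Error: 8' }
}

# Constructed sample in the same shape as real smsts.log entries
$sample = @'
<![LOG[Start executing the command line: Dism.exe /online /Import-DefaultAppAssociations:FileAssociations\SCDAppAssoc.xml]LOG]!><time="14:03:22.457+300" date="10-25-2017" component="RunCommandLine" context="" type="1" thread="1492" file="main.cpp:480">
<![LOG[Process completed with exit code 3]LOG]!><time="14:03:24.101+300" date="10-25-2017" component="RunCommandLine" context="" type="1" thread="1492" file="main.cpp:1000">
<![LOG[Failed to run the action: Import file associations. The system cannot find the path specified. (Error: 00000003; Source: Windows)]LOG]!><time="14:03:24.102+300" date="10-25-2017" component="TSManager" context="" type="3" thread="1320" file="instruction.cxx:3011">
'@

ConvertFrom-CmTraceLog -Content $sample | Where-Object Type -eq 3 |
    Format-Table Timestamp, Component, Text -AutoSize

# On a real machine: Get-SmstsErrors | Format-Table Timestamp, Component, Text -AutoSize
```

Read the informational lines just before the first type 3 entry: the step name and the exit code of the command that failed are usually there, while the error entry itself only reports the step that gave up.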
There are also methods to redirect your SMSTS.log automatically to a network share, which can help:
We hope this post will ease your Windows 10 deployments. Leave your comments and questions in the comment section.
Part 6 | SCCM WINDOWS 7 TASK SEQUENCE UPGRADE
In this post of our blog series about Windows 10 deployment using SCCM, we will show you how to upgrade a Windows 7 computer to Windows 10 using an SCCM upgrade task sequence.
The goal of an upgrade task sequence is to upgrade an existing operating system to Windows 10 without losing any data or installed software. This post assumes that you are running SCCM 1511 or SCCM 1602 and that you have completed the preparation of your environment for Windows 10.
If you are running SCCM 2012 R2 SP1, the product team has released important information about the SCCM upgrade task sequence that you can find in this blog post.
In the past, an in-place upgrade scenario was not a reliable and popular option to deploy the latest version of Windows. With Windows 10, it’s now reliable and features an automatic rollback in case something goes wrong. This scenario can also be considered faster than the wipe and reload deployment scenarios, since applications and drivers don’t need to be reinstalled.
WHEN TO USE THE WINDOWS 7 IN-PLACE UPGRADE SCENARIO?
Consider using an SCCM upgrade task sequence if:
You need to keep all existing applications and settings on a device
You need to migrate Windows 10 to a later Windows 10 release (ex: 1511 to 1607)
You don't need to change the system architecture (32-bit to 64-bit)
You don’t need to change the operating system base language
You don't need to downgrade a SKU (Enterprise to Pro). The only supported paths are Pro to Enterprise and Enterprise to Enterprise
You don’t need to change the BIOS architecture from legacy to UEFI
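The criteria above can be checked on each candidate machine before the Upgrade Operating System step runs. The following script is an added example (not part of the original post) that turns them into a pre-flight check you can run by hand or as a Run PowerShell Script step that fails the task sequence when a blocker is found. It reads WMI classes present on Windows 7 and later; the firmware test is a heuristic based on the boot partition style, and the expected architecture and language are assumptions to adjust for your image.

```powershell
# Added example: in-place upgrade pre-flight check for the criteria listed above.
# Assumptions: target image is x64 en-US; BitLocker is acceptable, other encryption is flagged.

function Test-InPlaceUpgradeReadiness {
    param(
        [string]$ExpectedArchitecture = '64-bit',   # architecture of the upgrade package
        [string]$ExpectedLanguage     = 'en-US',    # base language of the upgrade package
        [switch]$RequireUefi                        # set if the target build must boot UEFI
    )
    $blockers = New-Object System.Collections.Generic.List[string]
    $os = Get-WmiObject Win32_OperatingSystem

    # 1. Architecture: 32-bit to 64-bit is not an in-place path
    if ($os.OSArchitecture -ne $ExpectedArchitecture) {
        $blockers.Add("Architecture is $($os.OSArchitecture), image is $ExpectedArchitecture")
    }

    # 2. Base language: OSLanguage is the LCID of the installed language (1033 = en-US)
    $lang = [System.Globalization.CultureInfo]::GetCultureInfo([int]$os.OSLanguage).Name
    if ($lang -ne $ExpectedLanguage) {
        $blockers.Add("Base language is $lang, image is $ExpectedLanguage")
    }

    # 3. Edition: Pro/Enterprise to Enterprise is supported; Home and Starter are not
    $edition = $os.Caption
    if ($edition -match 'Home|Starter') {
        $blockers.Add("Edition '$edition' has no supported in-place path to Windows 10 Enterprise")
    }

    # 4. Firmware (heuristic): the boot partition is on a GPT disk for a UEFI install
    $boot   = Get-WmiObject Win32_DiskPartition -Filter 'BootPartition = TRUE' | Select-Object -First 1
    $isUefi = ($boot -ne $null) -and ($boot.Type -like 'GPT*')
    if ($RequireUefi -and -not $isUefi) {
        $blockers.Add('Legacy BIOS install; switching to UEFI needs a wipe-and-load')
    }

    # 5. Disk encryption: BitLocker on the OS volume is fine, report it so the
    #    task sequence can suspend it; third-party products need vendor steps
    $bde = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter = '$env:SystemDrive'" -ErrorAction SilentlyContinue
    $bitlockerOn = ($bde -ne $null) -and ($bde.ProtectionStatus -eq 1)

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Edition      = $edition
        Architecture = $os.OSArchitecture
        Language     = $lang
        Firmware     = if ($isUefi) { 'UEFI' } else { 'BIOS' }
        BitLockerOn  = $bitlockerOn
        Blockers     = $blockers
        Ready        = ($blockers.Count -eq 0)
    }
}

# Usage inside a task sequence: a non-zero exit code fails the step before Setup starts
$result = Test-InPlaceUpgradeReadiness
$result | Format-List
if (-not $result.Ready) { exit 1 }
```

The script only reports BitLocker; the built-in upgrade task sequence already contains a Disable BitLocker step, and the check here is meant to tell you which machines will rely on it.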
Devices using disk encryption: devices using BitLocker can be upgraded to Windows 10 using this method. If you are using a third-party disk encryption product, it can be done, but it requires far more effort and vendor-specific steps.
Three major vendors have supported workarounds documented on their support sites :
If you want to understand all the phases in the upgrade process, we strongly recommend watching the Upgrading to Windows 10: In Depth video from the last Microsoft Ignite event.
CREATE SCCM TASK SEQUENCE UPGRADE WINDOWS 7 TO WINDOWS 10
Enough writing, let's create an SCCM upgrade task sequence for a Windows 7 to Windows 10 deployment.
Open the SCCM Console
Go to Software Library \ Operating Systems \ Task Sequences
Right-click Task Sequences and select Upgrade an operating system from upgrade package
In the Task Sequence Information tab, enter a Task Sequence Name and Description
On the Upgrade the Windows Operating System tab, select your upgrade package using the Browse button. If you haven't imported an upgrade package yet, follow the steps in our preparation blog post
On the Include Updates tab, select the desired software update option:
All Software Updates will install the updates regardless of whether there is a deadline set on the deployment (on your OSD collection)
Mandatory Software Updates will only install updates from deployments that have a scheduled deadline (on your OSD collection)
Do not install any software updates will not install any software update during the Task Sequence
On the Install Applications tab, select any application you want to add to your upgrade process
On the Summary tab, review your choices and click Next
On the Completion tab, click Close
EDIT THE SCCM TASK SEQUENCE UPGRADE
Now that we have created the task sequence, let’s see what it looks like under the hood:
Open the SCCM Console
Go to Software Library \ Operating Systems \ Task Sequences
Right-click your upgrade task sequence and select Edit
As you can see, it's fairly simple. SCCM takes care of everything in a couple of steps:
The Upgrade Operating System step contains the important step of applying Windows 10
DEPLOY THE SCCM WINDOWS 7 UPGRADE TASK SEQUENCE
We are now ready to deploy our task sequence to the computer we want to upgrade. In our case, we are targeting a Windows 7 computer.
Go to Software Library \ Operating Systems \ Task Sequences
Right-click your upgrade task sequence and select Deploy
On the General pane, select your collection. This is the collection that will receive the Windows 10 upgrade. For testing purposes, we recommend starting with a collection that contains only 1 computer
On the Deployment Settings tab, select the Purpose of the deployment
Available will prompt the user to install at the desired time
Required will force the deployment at the deadline (see Scheduling)
You cannot change the Make available to the following drop-down, since an upgrade task sequence can only be deployed to Configuration Manager clients (not to media or PXE)
On the Scheduling tab, enter the desired available date and time. On the screenshot, we can't create an assignment schedule because we selected Available on the previous screen
In the User Experience pane, select the desired options
In the Alerts tab, check the Create a deployment alert when the threshold is higher than the following check box if you want an alert on failures
On the Distribution Point pane, select the desired Deployment options. We will leave the default options
Review the selected options and complete the wizard
LAUNCH THE UPGRADE PROCESS
Now that our upgrade task sequence is deployed to our clients, we log on to our Windows 7 computer and launch a Machine Policy Retrieval & Evaluation Cycle from the Configuration Manager icon in Control Panel
You’ll see the SCCM upgrade task sequence as available. We could have selected the Required option in our deployment schedule, to launch automatically without user interaction at a specific time
When ready, click on Install
The following warning appears
Warning: the When you install a new operating system, all the existing data on your computer will be removed message is misleading for an in-place upgrade; data and applications are preserved. This will be fixed in a future release.
Click on Install Operating System
The upgrade starts and the task sequence Installation Progress screen shows the different steps
The WIM is downloaded to the computer and saved in C:\_SMSTaskSequence
You can follow task sequence progress in C:\Windows\CCM\Logs\SMSTSLog\SMSTS.log
After downloading, the system will reboot
The computer restarts and loads the files in preparation for the Windows 10 upgrade
WinPE is loading
The upgrade process starts. This step should take about 15 to 30 minutes depending on the device hardware
Windows 10 is getting ready; 2-3 more minutes and the upgrade will be completed
Once completed, the SetupComplete.cmd script runs. This step is important: it puts the task sequence service back in the correct state so the remaining steps can run
Windows is now ready, all software and settings are preserved
Part 7 | SCCM WINDOWS 10 CUSTOMIZATION
In this post we will describe how to customize your Windows 10 image to personalize it for your company. There is an endless number of customizations that can be made, but we'll cover the most frequent ones, those requested in 95% of the Windows 10 projects we have been involved in. You could also apply all of these through group policies if you want to enforce the settings.
Before we begin any customization, we will create a Windows 10 Customization package that we will use in our task sequence. It will be empty to start but we will create the folders and scripts during this blog post.
Open the SCCM Console
Go to Software Library / Application Management / Packages
Create a new package
On the Package tab, enter a Name, Description, Manufacturer and Source folder (this is where all scripts will be stored)
On the Program Type tab, select Do not create a program
On the Summary tab, review your choices and complete the wizard
FILE ASSOCIATION
The first item we will cover is file association. By default, Windows 10 uses Microsoft Edge to open PDF files and HTTP links. For this post, we will redirect PDF files to Adobe Reader and HTTP/HTTPS to Internet Explorer. You can redirect any extension to any software; just make sure that the application you associate is installed during your Windows 10 deployment (or is in your image).
The first step is to make the associations manually; we then export the configuration to an XML file and use DISM in our task sequence to import it.
Log on a Windows 10 machine
Open Control Panel / Programs / Default Programs / Set Associations
Navigate to .PDF and click on Change Program
Select Adobe Reader and click OK
Your .PDF files are now associated to Adobe Reader
For the Internet Explorer association, select the HTTP and HTTPS protocols and the .HTM and .HTML files, and change the program to Internet Explorer
Now that our associations are done, we export them to an XML file using DISM:
Open an elevated command prompt
Run the following command : Dism /Online /Export-DefaultAppAssociations:C:\Temp\SCDAppAssoc.xml
(Change the XML file name and path if desired but make sure that the directory exists or you’ll get an error code 3)
The XML file can be opened with any text editor; you can see that our modifications have been recorded. It's possible to edit this file by hand, but it's a bit tricky to find the right ProgId and ApplicationName values.
Copy the XML file to your Windows 10 customization package in the FileAssociations Folder
Open the SCCM Console and browse to Packages
Right-click your Windows 10 Customization package and select Update Distribution Point
Go to Software Library \ Operating Systems \ Task Sequences
Edit your Windows 10 task sequence, add a Run Command Line step and use the following command line: Dism.exe /online /Import-DefaultAppAssociations:FileAssociations\SCDAppAssoc.xml
Check the Package box and specify your Windows 10 customization package
Position this step after the Windows image has been deployed
SETTING THE DEFAULT WINDOWS 10 WALLPAPER
We will now change the default Windows 10 wallpaper to a corporate one.
The default Windows 10 wallpapers are stored in the C:\Windows\Web\Wallpaper\Windows\ folder
Windows 10 also support 4K wallpapers which are stored in C:\Windows\Web\4K\Wallpaper\Windows
For our post, we will delete the 4K wallpapers and overwrite the default img0.jpg file. If you need to support 4K wallpaper, just place them in the 4K folder before updating your distribution points and the script will copy it to the right location.
By default, you can't modify those files. We will use a PowerShell script to change the permissions of the folder and overwrite the wallpaper file. We grant access to the SYSTEM account since it's the account the SCCM task sequence runs under.
Create a new WallPaper\DefaultRes and WallPaper\4K folder in your Windows 10 customization directory
Rename your wallpaper to img0.jpg and copy it to the WallPaper\DefaultRes directory
If 4K support is needed, copy your files in the WallPaper\4K Directory
Create a new Powershell script in the root of the Wallpaper directory and copy this code into it :
Position this step after the Windows image has been deployed
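Here is our own version of such a wallpaper script, added as an example and not the script from the original post. It assumes the layout described above (WallPaper\DefaultRes\img0.jpg and optionally WallPaper\4K\*.jpg next to the script in the customization package) and that it runs as SYSTEM from a Run PowerShell Script step with the customization package selected. It uses the inbox takeown and icacls tools, because the wallpaper folders are owned by TrustedInstaller, and hands ownership back when it is done.

```powershell
# Added example: replace the default wallpaper and the 4K variants.
# Assumed layout: <package>\WallPaper\SetWallpaper.ps1 (this script), DefaultRes\img0.jpg, 4K\*.jpg

$ErrorActionPreference = 'Stop'
$Source   = Join-Path $PSScriptRoot 'DefaultRes\img0.jpg'
$Source4K = Join-Path $PSScriptRoot '4K'
$Target   = "$env:SystemRoot\Web\Wallpaper\Windows"
$Target4K = "$env:SystemRoot\Web\4K\Wallpaper\Windows"

function Invoke-Native {
    # Run an inbox tool and turn a non-zero exit code into a terminating error
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

function Grant-SystemFullControl {
    param([Parameter(Mandatory)][string]$Path)
    # Take ownership recursively (/d y answers the prompt on folders we cannot list),
    # then grant SYSTEM by SID (*S-1-5-18) so the script also works on localized Windows
    Invoke-Native 'takeown.exe' @('/f', $Path, '/r', '/d', 'y')
    Invoke-Native 'icacls.exe'  @($Path, '/grant', '*S-1-5-18:(OI)(CI)F', '/t', '/c')
}

function Restore-TrustedInstallerOwner {
    param([Parameter(Mandatory)][string]$Path)
    # Leave the files owned by TrustedInstaller again, as they were shipped
    Invoke-Native 'icacls.exe' @($Path, '/setowner', 'NT SERVICE\TrustedInstaller', '/t', '/c')
}

if (-not (Test-Path -LiteralPath $Source)) { throw "Wallpaper not found: $Source" }

foreach ($folder in $Target, $Target4K) { Grant-SystemFullControl -Path $folder }

# Default resolution: img0.jpg is the file Windows 10 uses as the default background
Copy-Item -LiteralPath $Source -Destination (Join-Path $Target 'img0.jpg') -Force

# 4K: remove the inbox variants so no stock image is picked on a high-DPI screen,
# then copy ours in if the package ships any
Get-ChildItem -LiteralPath $Target4K -File | Remove-Item -Force
if (Test-Path -LiteralPath $Source4K) {
    Get-ChildItem -LiteralPath $Source4K -File -Filter '*.jpg' | Copy-Item -Destination $Target4K -Force
}

foreach ($folder in $Target, $Target4K) { Restore-TrustedInstallerOwner -Path $folder }
```

Because the step runs in the full OS after Setup Windows and ConfigMgr, $PSScriptRoot points into the downloaded package, which is why the relative DefaultRes and 4K folders resolve.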
CHANGE LOCK SCREEN IMAGE
The lock screen image is the image you see when the computer is locked. To change it, we copy our image locally on the computer and then set a registry policy value that points to it. Note that the LockScreenImage policy is honored by Windows 10 Enterprise and Education only.
Create a new LockScreen folder in your Windows 10 customization directory
Create a new LockScreen.cmd file and copy the following code
Create a new LockScreen.reg file and copy the following code (watch out for the quotes when copy/pasting; they must be straight double quotes)
LockScreen.reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization]
"LockScreenImage"="C:\\SCD\\LockScreen\\LockScreen.jpg"
Copy the image you want to set as the lock screen. For this blog post we will call it LockScreen.jpg. If you rename this file, make sure to change the script to fit this name.
You’ll end up with the following structure :
Open the SCCM Console and browse to Packages
Right-click your Windows 10 Customization package and select Update Distribution Point
Go to Software Library \ Operating Systems \ Task Sequences
Edit your Windows 10 task sequence, add a Run Command Line step and use the following command line: cmd.exe /c LockScreen\LockScreen.cmd
Check the Package box and specify your Windows 10 customization package
Position this step after the Windows image has been deployed
DISABLE MICROSOFT CONSUMER EXPERIENCES
The latest Windows 10 feature upgrade includes a feature that automatically installs a few apps from the Windows Store. Apps like Candy Crush and Minecraft get installed; we don't think they belong in a work environment, so we'll turn this off.
The good news is that it's quite simple to disable. You need to disable a function called Microsoft Consumer Experiences. We will do this with a registry modification (the policy is honored by Windows 10 Enterprise and Education; Pro ignores it since 1607):
Create a new ConsumerExperience folder in your Windows 10 customization directory
Create a new DisableConsumerExperience.reg file and copy the following code :
DisableConsumerExperience.reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent]
"DisableWindowsConsumerFeatures"=dword:00000001
You’ll end up with the following structure :
Open the SCCM Console and browse to Packages
Right-click your Windows 10 Customization package and select Update Distribution Point
Go to Software Library \ Operating Systems \ Task Sequences
Edit your Windows 10 task sequence, add a Run Command Line step and use the following command line: Regedit.exe /s ConsumerExperience\DisableConsumerExperience.reg
Check the Package box and specify your Windows 10 customization package
Position this step after the Windows image has been deployed
CREATE CUSTOM START MENU
We will now create a default Windows 10 Start menu that will be used on every Windows 10 machine by default. If you add shortcuts to applications, make sure that you've included those applications in your task sequence, or you'll end up with a Start menu looking like Swiss cheese (empty spots). The imported layout applies to the default profile, so only users whose profile is created after the import get it.
Log on a Windows 10 machine
Manually configure the Start Menu
Create a new StartMenu folder in your Windows 10 customization package
Start an elevated PowerShell and run the following command: Export-StartLayout -Path "C:\Temp\StartMenu.xml" (on Windows 10 the layout is exported as XML; the .bin format was for Windows 8.1)
Copy the StartMenu.xml file to your Windows 10 customization package in the StartMenu folder
Open the SCCM Console and browse to Packages
Right-click your Windows 10 Customization package and select Update Distribution Point
Go to Software Library \ Operating Systems \ Task Sequences
Edit your Windows 10 task sequence, add a Run Command Line step and use the following command line: Powershell.exe Import-StartLayout -LayoutPath StartMenu\StartMenu.xml -MountPath C:\
Check the Package box and specify your Windows 10 customization package
Position this step after the Windows image has been deployed
SET WINDOWS 10 PINNED TASKBAR ITEMS
Windows 10 lets you "pin" programs to the taskbar for easy access. Here's how to create a standard taskbar for your Windows 10 users.
Create a new PinTaskBar folder in your Windows 10 customization directory
Log on a Windows 10 computer
Manually pin all the desired program using the Pin to taskbar option
Copy the links from %AppData%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar to your Windows 10 customization package in the PinTaskBar directory. This directory is hidden, so be sure to show Hidden Items
Open Registry Editor
Export the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband key to Win10Taskbar.reg
Copy the Win10Taskbar.reg file to your Windows 10 customization package in the PinTaskBar directory
Edit the Win10Taskbar.reg file with a text editor and replace the beginning of the key line
Replace HKEY_CURRENT_USER with HKEY_LOCAL_MACHINE\defuser
The final string will be: HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Taskband
Create a new Win10Taskbar.cmd file in your Windows 10 customization package in the PinTaskBar directory and copy the following code :
Edit your Windows 10 task sequence, add a Run Command Line step and use the following command line: cmd.exe /c PinTaskBar\Win10Taskbar.cmd
Check the Package box and specify your Windows 10 customization package
Position this step after the Windows image has been deployed
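The Win10Taskbar.cmd step above loads the default user hive, imports the edited Taskband key, copies the shortcuts into the default profile and unloads the hive. The following PowerShell version is an added example, our own and not the post's script, that does the same with error handling around each reg.exe call. It assumes Win10Taskbar.reg has already had HKEY_CURRENT_USER replaced by HKEY_LOCAL_MACHINE\defuser and that the .lnk files sit next to the script in the PinTaskBar folder of the customization package.

```powershell
# Added example: pin the exported taskbar items for all future users via the Default User hive.
# Assumed layout: <package>\PinTaskBar\PinTaskbar.ps1 (this script), Win10Taskbar.reg, *.lnk

$ErrorActionPreference = 'Stop'
$Hive        = 'HKLM\defuser'
$DefaultUser = "$env:SystemDrive\Users\Default"
$RegFile     = Join-Path $PSScriptRoot 'Win10Taskbar.reg'
$LinkTarget  = Join-Path $DefaultUser 'AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar'

function Invoke-Reg {
    # reg.exe reports failure through its exit code; stop instead of leaving a half-applied hive
    param([Parameter(Mandatory)][string[]]$Arguments)
    & reg.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

# Refuse to run if the .reg file still targets HKEY_CURRENT_USER: importing it would pin the
# items for SYSTEM (the task sequence account) instead of for future users
if ((Get-Content -LiteralPath $RegFile -Raw) -match 'HKEY_CURRENT_USER') {
    throw "$RegFile still references HKEY_CURRENT_USER; replace it with HKEY_LOCAL_MACHINE\defuser"
}

Invoke-Reg -Arguments 'load', $Hive, (Join-Path $DefaultUser 'NTUSER.DAT')
try {
    Invoke-Reg -Arguments 'import', $RegFile
    New-Item -Path $LinkTarget -ItemType Directory -Force | Out-Null
    Get-ChildItem -LiteralPath $PSScriptRoot -Filter '*.lnk' | Copy-Item -Destination $LinkTarget -Force
}
finally {
    # Release any handle PowerShell still holds on the hive, otherwise unload fails
    # with access denied and NTUSER.DAT stays locked
    [GC]::Collect()
    [GC]::WaitForPendingFinalizers()
    Invoke-Reg -Arguments 'unload', $Hive
}
```

From Windows 10 1607 on, Microsoft also supports pinning through a TaskbarLayout section of the Start layout XML imported with Import-StartLayout; the Taskband approach shown here is the one the post describes and still applies to the default profile.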
CONCLUSION
If you correctly followed this post, you'll end up with this structure in your Windows 10 Customization package:
And you’ll have 6 new steps in your Windows 10 task sequence :
You can now deploy your Windows 10 task sequence to a test machine and all customization should be there. See our post on how to monitor your task sequence if something goes wrong or simply if you want to track the progress.
We hope this post will help you out for your Windows 10 customization. Feel free to post your customization using the comment section. We will update this post on a regular basis when we have more to share.
Part 8 | SCCM INJECT LANGUAGE PACK WINDOWS 10
Injecting language packs into Windows 10 WIM images can be achieved in many ways. MDT has a module to easily import them into an image. SCCM can do it within a task sequence while the image is offline or online. You can also do it with DISM from the Windows ADK.
In this post, we will detail the process of injecting language packs into a Windows 10 WIM images using DISM.
Injecting a language pack with DISM provides a modified Install.wim that can later be used as a standalone solution to deploy Windows 10 from a media (DVD, USB) or as a Windows OS source for MDT or SCCM. This solution can also be used with our previous post as we explained how to create and capture a custom Windows 10 image.
PRE-REQUISITES
You must install a few tools before you get there.
Language Pack for Windows 10 matching the same Current Branch version as your image
PREPARATION
Create a folder structure like the one below
Copy the extracted Windows 10 ISO files to the EN-FR-fr folder
Note: this will be the updated Windows 10 source after we inject the language pack (EN-US with the FR-FR language pack).
Mount your ISO language packs
Browse to the needed language pack folder
Copy your language folder (FR-FR) into the LangPack folder. This folder must contain only one file (LP.cab)
INJECT LANGUAGE PACK WINDOWS 10
To use DISM command lines, we need the Deployment and Imaging Tools Environment from the Windows 10 ADK.
Right click on Deployment and Imaging Tools Environment icon and select Run as administrator
Type dism /get-mountedimageinfo to validate if any other WIM are mounted
You can see that we don’t have any mounted image. If you have any, unmount it first before proceeding to the next steps
We now need the information from the Install.wim of the Windows 10 1511 EN-US media
Run the following command (change the path to where you copied your source files in the first steps):
After the unmount is completed, take a look at the Install.wim in the EN-FR-fr folder. The modified Install.wim is slightly bigger and its modified date has changed.
Install.wim EN-FR-fr folder
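The same injection can be scripted with the DISM PowerShell module that ships with the Windows ADK (Mount-WindowsImage, Add-WindowsPackage, Dismount-WindowsImage), which is the equivalent of dism /Mount-Image, /Add-Package and /Unmount-Image /Commit. The script below is an added example, not the post's own command lines. The paths follow the folder layout above; the mount directory and the image index are assumptions, and the script lists the indexes first so you can pick the edition you deploy.

```powershell
# Added example: inject lp.cab into one index of install.wim with the DISM module.
# Assumptions: C:\W10 is the root of the layout above, index 1 is the edition to update.

$ErrorActionPreference = 'Stop'
$ImagePath = 'C:\W10\EN-FR-fr\sources\install.wim'   # copied ISO content
$LangPack  = 'C:\W10\LangPack\fr-FR\lp.cab'           # the single .cab from the language pack ISO
$MountDir  = 'C:\W10\Mount'
$Index     = 1

# Same check as "dism /get-mountedimageinfo": refuse to continue if anything is mounted
$mounted = Get-WindowsImage -Mounted
if ($mounted) { throw "An image is already mounted at $($mounted.Path -join ', '); dismount it first" }

# List the editions in the WIM so the index can be verified before mounting
Get-WindowsImage -ImagePath $ImagePath | Select-Object ImageIndex, ImageName | Format-Table -AutoSize

New-Item -Path $MountDir -ItemType Directory -Force | Out-Null
Mount-WindowsImage -ImagePath $ImagePath -Index $Index -Path $MountDir | Out-Null
try {
    Add-WindowsPackage -Path $MountDir -PackagePath $LangPack | Out-Null

    # Verify the pack is really in the image before committing; the package name
    # has the form Microsoft-Windows-Client-LanguagePack-Package~<publisher>~<arch>~fr-FR~<build>
    $pack = Get-WindowsPackage -Path $MountDir |
        Where-Object PackageName -like 'Microsoft-Windows-Client-LanguagePack-Package~*~fr-FR~*'
    if (-not $pack) { throw 'Language pack not present in the mounted image after Add-WindowsPackage' }

    # Commit the change and unmount
    Dismount-WindowsImage -Path $MountDir -Save | Out-Null
}
catch {
    # Discard so install.wim is not left in a half-written state
    Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
    throw
}

# The WIM grows a little and gets a new timestamp, as noted above
Get-Item -LiteralPath $ImagePath | Select-Object Name, Length, LastWriteTime
```

If install.wim contains several editions, run the mount/add/dismount block once per index; each index is serviced independently.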
LOGS AND MORE INFO
If you experience problems with any of the DISM command lines, use the log file located in C:\Windows\Logs\DISM
Even if not up-to-date, this Technet article can help with DISM Command lines options.
INJECT INSTALL.WIM WITH LANGUAGE PACK
We now have a source media with 2 languages in it. It can be used to install Windows 10 from a media source (manual install), for MDT and SCCM.
BONUS : UNATTEND.XML
To prevent the language choice prompt at first boot, an Unattend.xml file must be configured to answer the question from the Out-of-Box Experience (OOBE).
To create or modify an Unattend.xml file we need Windows System Image Manager, from the Windows ADK.
In the Unattend.xml file, the Microsoft-Windows-International-Core_neutral component must be configured in both the specialize and oobeSystem passes.
The 2 settings that need to be configured for language packs are UILanguage and UILanguageFallback.
They must be configured the same way in both passes.
In the example below, FR-FR would be the default language and EN-US the fallback language.
More information on Windows System Image Manager here
Part 9 | WINDOWS 10 DEEP LINK ENROLLMENT
Starting with Windows 10, version 1607, you can create a deep link that launches the Windows 10 enrollment app from a URI. This lets you give your users a friendly link that simplifies their device enrollment. You can put this link in an email sent to your users or on an internal web page they refer to for enrollment.
The URI link must use the following format :
ms-device-enrollment:?mode=mdm
At the time of this writing, the only supported mode value is mdm.
As of Windows 10 v1607, deep linking is only supported for connecting devices to MDM. It does not support adding a work or school account, joining a device to Azure AD, or joining a device to Active Directory.
USER EXPERIENCE
When clicking the link, Windows 10 will launch the enrollment app in a special mode that only allows MDM enrollments.
This is fairly straightforward; there is no need to explain to the user how to find the enrollment app. (This process is similar to the Enroll into device management option in Windows 10 v1511.)
If the device finds an endpoint that only supports on-premises authentication, the page changes and asks for the user's password. If the device finds an MDM endpoint that supports federated authentication, the user is presented with a new window asking for additional authentication information. Users may also be prompted for a second factor of authentication if your IT policy requires it.
After you complete the wizard, your device will be connected to your organization’s MDM.
LOG FILES
If anything goes wrong, you can collect logs by going to :
Settings / Accounts / Access work or school
Click the Export your management logs under Related Settings section
Click Export and follow the path displayed to retrieve your log files
See this Technet article for further details about MDM enrollment and Windows 10 deep link enrollment.
Part 10 | Windows 10 KMS Server
The KMS server was first introduced with Windows Vista as an easy activation service for IT pros. Since then, each new release of Windows and Office has required an update to the KMS server in order to keep activating Windows and Office clients. The release of Windows 10 and Office 2016 KMS activation is no different from previous versions.
In this post, we will cover how to use an already configured KMS server to activate Windows 10 and Office 2016.
PREREQUISITES FOR WINDOWS 10 KMS
Your existing KMS server will most probably be able to manage licenses for Windows 10 and Office 2016.
Minimum OS requirement :
Windows 7 and up
Windows Server 2008 R2 and up
Mandatory :
Mandatory KB3079821 for Windows 7 and Windows server 2008 R2 to support Windows 10
Mandatory KB3058168 for Windows 8/8.1 and Windows Server 2012/R2 to support Windows 10
Windows ADK 10 for Volume Activation Management Tool (VAMT) – Version 3.1
SQL server 2008 or later required (SQL Server Express supported)
LOCATE YOUR KMS SERVER
It has probably been a long time since you've played with your KMS server. To find which server is acting as your KMS:
Go to the DNS console / Forward Lookup Zones / <domain> / _tcp
Look for the _VLMCS SRV record to get your KMS server name
LIST LICENSED PRODUCTS ON A KMS SERVER
Run the following command line on the KMS server to retrieve all installed licenses:
cscript c:\windows\system32\slmgr.vbs /dli all >> c:\temp\KMS.log
In the KMS.log file, look for License Status: Licensed to see which products your KMS supports
THRESHOLD FOR KMS SERVER ACTIVATION
Each Microsoft product family supported by KMS has an activation threshold. Until the KMS host has received activation requests from that minimum number of distinct clients (it counts unique client machine IDs seen in the last 30 days, not concurrent sessions), it does not activate Windows or Office clients.
A minimum of 25 distinct Windows 10 clients must have requested activation before the KMS host activates Windows 10 (Windows Server needs 5)
A minimum of 5 distinct Office 2016 clients must have requested activation before the KMS host activates Office 2016
When you try to add your Windows 10 KMS key to your KMS server, you might get error 0xC004F015 when activating Windows 10 Enterprise on a Windows Server 2012 R2 or Windows Server 2008 R2 KMS host. In that case, use the Windows Srv 2012R2 DataCtr/Std KMS for Windows 10 key from the Volume Licensing site.
This key activates both Windows 10 and Windows Server 2012 R2. The KMS host keeps a single activation count for all Windows products activated with this key, so your existing Windows Server 2012 R2 machines contribute to it, but each requesting product is checked against its own threshold: servers are activated once the count reaches 5, Windows 10 clients only once it reaches 25. A Windows 10 client that asks while the count is still below 25 is therefore not activated yet.
Our server is not yet licensed as we didn't have 25 Windows 10 computers up and running at this time.
ADD OFFICE 2016 KEY TO KMS SERVER
All Office 2016 volume client editions are pre-installed with a Generic Volume License Key (GVLK), which supports automatic activation for both KMS and Active Directory-based activation, so you do not need to install a product key on the clients. On the KMS host, install the Office 2016 KMS host key as follows:
Execute the Microsoft Office 2016 Volume License Pack
Check the Accept Terms checkbox and click Continue
Enter the KMS key from the Volume Licensing website, Click OK
Once installed, we need to activate on the Internet, click Yes
Confirmation of installed and activated
To validate the key is installed, run the following command :
Note: most of the time, Visio and Project use the same KMS key to be activated.
KMS CLIENT SETUP KEY
KMS client setup keys are the default keys that make Windows look for a KMS server on the network. Use them on Windows 10 clients only to redirect them to the KMS server when they were activated with a MAK key.
By default, Windows looks for a KMS server automatically if no key is specified during setup or after installation.
Warning: never use your KMS host key from the Volume Licensing site on your Windows clients. This would turn the client into a new KMS server on your network.
Operating System Edition: KMS Client Setup Key
Windows 10 Professional: W269N-WFGWX-YVC9B-4J6C9-T83GX
Windows 10 Professional N: MH37W-N47XK-V7XM9-C7227-GCQG9
Windows 10 Enterprise: NPPR9-FWDCX-D2C8J-H872K-2YT43
Windows 10 Enterprise N: DPH2V-TTNVB-4X9Q3-TJR4H-KHJW4
Windows 10 Education: NW6C2-QMPVW-D7KKK-3GKT6-VCFB2
Windows 10 Education N: 2WH4N-8QGBV-H22JP-CT43Q-MDWWJ
Windows 10 Enterprise 2015 LTSB: WNMT R-4C88C-JK8YV-HQ7T2-76DF9
Windows 10 Enterprise 2015 LTSB N: 2F77B-TNFGY-69QQF-B8YKP-D69TJ
Windows 10 Enterprise 2016 LTSB: DCPHK-NFMTC-H88MJ-PFHPY-QJ4BJ
Windows 10 Enterprise 2016 LTSB N: QFFDN-GRT3P-VKWWX-X7T3R-8B639
Those keys can be used with the following command :
slmgr /ipk <key>
This will force the computer to look for a KMS server instead of a MAK key.
The Volume Activation Management Tool (VAMT) is designed to help administrators manage licenses for Windows and Office products. You can inventory licenses and manage MAK and KMS activation. This is an optional step and it can be installed on any computer on your network.
Start the Windows 10 ADK installation (if you already have the Windows 10 ADK installed, you can change it from Programs and Features in Control Panel)
Select Volume Activation Management Tool, click on Change
Select Volume Activation Management Tool from the start menu
Select the SQL server where you want the VAMT database to be created or install SQL Server Express locally using the link in the Database Connection Settings screen
Our server will be the local server with default instance name and we will create a new database called VAMT
VAMT is installed and connected to the database
CHANGE WINDOWS 10 ACTIVATION METHOD WITH VOLUME ACTIVATION MANAGEMENT TOOL
When you have the minimum of 25 Windows 10 clients on your network, you can use VAMT to change the activation method of clients remotely instead of using the manual process described earlier in this post.
When changing the activation method from MAK to KMS with VAMT, the Windows 10 clients receive the KMS client setup key. This forces them to look for a KMS server for Windows 10 on the network. Once 25 distinct clients have requested activation, the KMS server activates them and allows further activations.
Note: changing Office activation to use KMS is done the same way as for Windows 10.
To change a Windows 10 computer from MAK to KMS:
Open VAMT, right-click on Products and select Discover products
We need to find our Windows 10 computers :
This can be done using an LDAP query, IP Address, Name or in a Workgroup
For this post, we will only find one computer. A full Active Directory search takes time; manually entering your 25 Windows 10 computer names, separated by commas, might be a good idea.
Our computer is found
When the computer is found, VAMT does not know its license status until we query it. To query the license, right-click the computer and select Update License Status
If you use the current credentials, you must be a local administrator on the remote computer
Computer must be accessible on the network to update the license status
The computer will return one row per product found. In our case, the computer is running Windows 10 and Office 2016
Looking at the Product Key Type column, we see that our Windows 10 is using a MAK key, while Office 2016 is already using KMS
Note: GVLK is the acronym for KMS client setup key.
Under Products / Windows
Select one or more computers to change from MAK to KMS activation
Right-click on it and choose Install Product Key
Select Automatically select a KMS client key (GVLK) and click Install Key
You do not need to specify any key. GVLKs are generic and known to VAMT
Wait for the Action Status to show Successfully installed the product key
The computer is now flagged as Non Genuine
Note: At this point, the client remains activated using a MAK key.
Go back to Products / Windows and select the computer again
Right-click and select Volume activate / Activate
This will force the computer to try to activate using the KMS server
Computer is now activated on the KMS server
Activation is also visible in the Event Viewer
In VAMT, the client is now Licensed and Genuine
EVENT VIEWER FOR KMS ACTIVATION
You can see all activation requests that go to this KMS server in the Event Viewer of the KMS server.
Open Event Viewer / Applications and Services Logs / Key Management Service
All activation requests are listed
On the client, you can also use Event Viewer to see activation requests:
Open Event Viewer / Windows Logs / Application
Look for event IDs 12288 and 12289
Here’s how to read 12289 events :
Here’s how to read 12288 events :
Read the Technet article for more information on troubleshooting KMS.
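As an added example (not code from the original post), the following PowerShell reproduces on a single client what VAMT shows in its Product key type and license status columns, and pulls the client-side KMS events 12288/12289 described above. Assumptions not taken from the post: it runs elevated on the client itself (a remote computer name works too, but requires WinRM and local administrator rights, as with VAMT), and the 7-day event lookback window is arbitrary.

```powershell
# Added example, not code from the original post.
# Reports key channel (Volume:MAK vs Volume:GVLK), license status and KMS host per product,
# then lists the client-side KMS request/response events 12288 and 12289.

# Documented LicenseStatus codes of the SoftwareLicensingProduct WMI class.
$LicenseStatusNames = @{
    0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOBGrace'; 3 = 'OOTGrace'
    4 = 'NonGenuineGrace'; 5 = 'Notification'; 6 = 'ExtendedGrace'
}

# ApplicationID that SPP uses for the Windows product itself (Office products use other IDs).
$WindowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'

function Get-ActivationState {
    # One row per product that has a key installed (Windows, Office), like VAMT's product list.
    param([string]$ComputerName = $env:COMPUTERNAME)

    $cim = @{ ClassName = 'SoftwareLicensingProduct'; Filter = 'PartialProductKey IS NOT NULL' }
    if ($ComputerName -ne $env:COMPUTERNAME) { $cim.ComputerName = $ComputerName }   # remote = WinRM

    Get-CimInstance @cim | ForEach-Object {
        [pscustomobject]@{
            Product          = $_.Name
            ApplicationId    = $_.ApplicationID
            KeyChannel       = $_.ProductKeyChannel                    # e.g. Volume:MAK, Volume:GVLK
            UsesKmsClientKey = ($_.ProductKeyChannel -like 'Volume:GVLK*')
            LicenseStatus    = $LicenseStatusNames[[int]$_.LicenseStatus]
            KmsHost          = $_.KeyManagementServiceMachine
            KmsPort          = $_.KeyManagementServicePort
            PartialKey       = $_.PartialProductKey
        }
    }
}

function Test-WindowsKmsActivated {
    # True when Windows is on a GVLK and Licensed: the end state reached after
    # "Volume activate / Activate" in VAMT. A MAK key still reporting Licensed returns False.
    param([string]$ComputerName = $env:COMPUTERNAME)
    $win = Get-ActivationState -ComputerName $ComputerName |
        Where-Object { $_.ApplicationId -eq $WindowsAppId } | Select-Object -First 1
    [bool]($win -and $win.UsesKmsClientKey -and $win.LicenseStatus -eq 'Licensed')
}

function Get-KmsClientEvents {
    # 12288 = request sent to the KMS host, 12289 = response processed (Application log, SPP provider).
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 7)
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-Security-SPP'
        Id           = 12288, 12289
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    $params = @{ FilterHashtable = $filter; ErrorAction = 'SilentlyContinue' }   # no events is not an error
    if ($ComputerName -ne $env:COMPUTERNAME) { $params.ComputerName = $ComputerName }

    Get-WinEvent @params | ForEach-Object {
        $meaning = if ($_.Id -eq 12288) { 'Request sent to KMS host' } else { 'Response processed from KMS host' }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Id          = $_.Id
            Meaning     = $meaning
            Message     = $_.Message
        }
    }
}

# Usage on the local client:
Get-ActivationState | Format-Table Product, KeyChannel, LicenseStatus, KmsHost -AutoSize
"Windows activated through KMS: $(Test-WindowsKmsActivated)"
Get-KmsClientEvents | Format-List TimeCreated, Id, Meaning
```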
ENCOUNTERED ISSUES
Here are a couple of support articles that may come in handy. We encountered the following issues in various environments:
Windows as a service provides a new way to think about building, deploying, and servicing the Windows operating system. Microsoft will release new builds two to three times per year rather than following the traditional upgrade cycle. Instead of running traditional Windows deployment projects, you will need a continuous updating process, which will reduce the overall effort required to maintain Windows 10 devices in your environment.
SUMMARY
This post will look at the available tools in SCCM to manage and deploy Windows 10 upgrades. We have broken the post down into 4 sections:
Windows 10 Servicing Dashboard
What’s missing in the Windows 10 Servicing Dashboard
Windows 10 reports
Windows 10 Collections
SCCM WINDOWS 10 SERVICING DASHBOARD
The Windows 10 servicing dashboard provides information about Windows 10 computers in your environment, active servicing plans, compliance information, and so on. Let’s get a look at the different dashboard tiles:
Windows 10 Usage tile (1): Provides a breakdown of Windows 10 builds. Windows Insider builds, as well as any builds that are not yet known, are listed as Other. The Service Connection Point is responsible for this data.
Windows 10 Rings tile (2): Provides a breakdown of Windows 10 by branch and readiness state. The LTSB segment covers all LTSB versions (for example: Windows 10 LTSB 2015). The Release Ready segment corresponds to Current Branch (CB), and the Business Ready segment is Current Branch for Business (CBB)
Create Service Plan tile (3): Provides a quick way to create a servicing plan
Expired tile (4): Displays the percentage of devices that are on a build of Windows 10 that is past its end of life. The computers in this category should be upgraded to the next build version. We’ll talk about the available options later in this post. (Task Sequence and Services Plans)
Expire Soon tile (5): Displays the percentage of computers that are on a build that is near end of life (within about four months), similar to the Expired tile
Alerts tile (6): Displays active alerts
Service Plan Monitoring tile (7): Displays the servicing plans that you have created and a compliance chart for each. This gives you a quick overview of the current state of the servicing plan deployments. If an earlier deployment ring meets your expectations for compliance, you can select a later servicing plan (deployment ring) and click Deploy Now instead of waiting for the servicing plan rules to be triggered automatically
Windows 10 Builds tile (8): Displays a fixed-image timeline that gives you an overview of the Windows 10 builds that are currently released and a general idea of when builds will transition into different states.
WHAT’S MISSING IN THE WINDOWS 10 SERVICING DASHBOARD
The Windows 10 Servicing Dashboard is a good starting point but it lacks important functions to be able to do your work to update Windows 10 as tiles are not clickable :
What if I need the list of Windows 10 devices per ring or version?
What if I need the list of Windows 10 devices that are Expired or Expire Soon?
In our example, 33% of the devices are in the Expire Soon state. Great, but how many devices is that? A simple tooltip showing the number would have been a nice idea.
For those reasons, we decided to make your life easier by developing tools to help with your Windows 10 upgrades deployments.
WINDOWS 10 REPORTS
Unfortunately, there’s no built-in report to track your Windows 10 devices. Some reports in the Upgrade Assessment may help you, but some of those reports are limited to Windows 7 and Windows 8. We decided to create our own Windows 10 report. It is visually similar to the Windows 10 dashboard, but it can easily list machines in each support state along with their inventory.
See our Asset – Windows 10 report page to see the complete feature list.
WINDOWS 10 COLLECTIONS
As for any other deployment, you will need to create your own device collections in order to deploy your Windows 10 servicing plans or task sequences. Our set of operational collections contains 67 collections, including 9 Windows 10 collections to begin with:
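As an added example (not code from the post and not the authors’ collection set), the following PowerShell builds one device collection per Windows 10 build from the ConfigurationManager console module, which turns the dashboard’s per-version and Expire Soon percentages into an actual device list you can target. Assumptions not taken from the post: site code P01, the console installed on the machine running the script, All Systems as the limiting collection, and the version-to-build map is constructed here.

```powershell
# Added example, not code from the original post.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"   # shipped with the console
Set-Location 'P01:'                                                       # assumed site code

# Version-to-build map for the releases mentioned in this series (constructed; extend as needed).
$Win10Builds = [ordered]@{
    '1507' = '10.0.10240'
    '1511' = '10.0.10586'
    '1607' = '10.0.14393'
    '1703' = '10.0.15063'
    '1709' = '10.0.16299'
}

function Get-Win10BuildQuery {
    param([Parameter(Mandatory)][string]$BuildNumber)
    # SMS_R_System.Build comes from discovery data; the OS name filter keeps servers out.
    @"
select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name,
       SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client
from SMS_R_System
where SMS_R_System.OperatingSystemNameandVersion like "Microsoft Windows NT Workstation 10.0%"
  and SMS_R_System.Build = "$BuildNumber"
"@
}

function New-Win10BuildCollection {
    param(
        [Parameter(Mandatory)][string]$Version,
        [Parameter(Mandatory)][string]$BuildNumber,
        [string]$LimitingCollection = 'All Systems'
    )
    $name = "Windows 10 - $Version ($BuildNumber)"
    $coll = Get-CMDeviceCollection -Name $name
    if (-not $coll) {
        # A daily scheduled refresh keeps membership current as devices move between builds.
        $schedule = New-CMSchedule -RecurInterval Days -RecurCount 1
        $coll = New-CMDeviceCollection -Name $name -LimitingCollectionName $LimitingCollection `
                    -RefreshType Periodic -RefreshSchedule $schedule
        Add-CMDeviceCollectionQueryMembershipRule -CollectionName $name `
            -RuleName "Build $BuildNumber" `
            -QueryExpression (Get-Win10BuildQuery -BuildNumber $BuildNumber)
    }
    $coll
}

# Create (or reuse) one collection per build and show how many devices each one currently holds.
foreach ($entry in $Win10Builds.GetEnumerator()) {
    New-Win10BuildCollection -Version $entry.Key -BuildNumber $entry.Value |
        Select-Object Name, MemberCount
}
```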
SERVICE PLAN VS TASK SEQUENCES
Once you’ve targeted the Windows 10 devices to upgrade, it’s a matter of deploying a servicing plan or a task sequence to those machines to keep them in the right support state. To decide which method suits your organization’s needs, read our complete step-by-step posts, which guide you through the whole process:
Using a combination of the tools provided in this post, you should be set to start managing Windows 10 as a service. Feel free to provide tips and other tools that make your life easier in the comment section.
Part 12 | SCCM WINDOWS 10 SERVICING PLANS
With the introduction of new Windows 10 service branches, you will need to upgrade your Windows 10 devices at a much faster pace. Fortunately, SCCM Current Branch (1511 and higher) has built-in features to help you fulfill this task. You can choose between the Upgrade Task Sequence and the new Windows Servicing feature. This post will describe how to use SCCM Windows 10 servicing plans to upgrade Windows 10 devices.
If you are running SCCM 1511, we recommend using the Upgrade Task Sequence over servicing plans. SCCM 1511 has an issue that causes all Windows 10 languages and editions to be downloaded to the device when the ADR runs. This is fixed in SCCM 1602: using a new filter, you can exclude unwanted languages and editions.
If you are running SCCM 1602 or later, it’s really a matter of preference which process to use. Each one has its own advantages: the new servicing feature uses the ADR/Software Update engine, while the Task Sequence method uses the Task Sequence engine. The Task Sequence method lets you run additional tasks after the upgrade or install new applications. Read both of our posts before making your decision, or use both if needed.
In this post, we will be upgrading a Windows 10 1511 device to Windows 10 1607 using SCCM 1606 servicing plans. You can use this method to upgrade to any upcoming Windows 10 release. You can’t use servicing plans to upgrade Windows 7 or Windows 8 computers.
Install WSUS hotfix to enable WSUS support for Windows 10 feature upgrades
Enable Windows 10 product and Upgrade classification in your software update point
Once the first 4 steps are completed, let’s bring Windows 10 upgrade packages to your software update point :
Open the SCCM Console
Go to Administration \ Site Configuration \ Sites
On the top ribbon, select Configure Site Components, then Software Update Point
In the Products tab, select Windows 10
In the Classifications tab, select Upgrades
Accept the prerequisite warning. Go back and install these hotfixes if you haven’t done it before
Close the Software Update Point Component properties window
Go to Software Library \ Windows 10 Servicing
Right-click Windows 10 Servicing, select Synchronize Software Updates
As for any Software Update synchronization process, follow the action in Wsyncmgr.log in your SCCM installation directory
Once completed, go to Software Library \ Windows 10 Servicing \ All Windows 10 Updates
You should have Windows 10 Upgrade packages listed
FEATURE UPDATES VS UPGRADES
After your synchronization, you’ll notice 2 types of packages. This is a bit confusing. As you can see in the screenshot, for Windows 10 1607 Enterprise we only have Feature Update to Windows 10 Enterprise; we don’t have an Upgrade to Windows 10 Enterprise package for 1607… yet.
Why?
The short story: at the time of this writing, the 1607 build is in the Current Branch readiness state (listed as Feature Update). When this build moves into Current Branch for Business (approximately 4 months later), a new release will be available in Windows Update and then in SCCM (listed as Upgrade).
Feature Upgrade: New build at the time of the release
Upgrade: Feature Update + Servicing Updates (patches) released since the media was first published
In this post, we’ll be using Feature Updates. During our tests, we also tried the Upgrade package on a 1507 computer (1507 -> 1511) without issues. If you have both available at the time of creating your servicing plan, use the Upgrade package since it includes Servicing Updates.
Long Story : If you want the Microsoft version, refer to the complete Technet documentation.
The 2 key phrases from this documentation are:
Feature upgrades that install the latest new features, experiences, and capabilities on devices that are already running Windows 10. Because feature upgrades contain an entire copy of Windows, they are also what customers use to install Windows 10 on existing devices running Windows 7 or Windows 8.1, and on new devices where no operating system is installed
Approximately four months after publishing the feature upgrade, Microsoft uses Servicing Branch #1 again to republish/updated installation media for Windows 10 Pro, Education, and Enterprise editions. The updated media contains the exact same feature upgrade as contained in the original media except Microsoft also includes all the servicing updates that were published since the feature upgrade was first made available. This enables the feature upgrade to be installed on a device more quickly, and in a way that is potentially less obtrusive to users.
CREATE SERVICING PLANS
Now that we have Windows 10 upgrade packages in SCCM, we can create a servicing plan for our Windows 10 devices. Servicing Plans and Automatic Deployment Rules share the same engine, so you won’t be disoriented by servicing plans.
Servicing plans are designed to upgrade Windows 10 from one build to another build only. You can’t use them to upgrade Windows 7 to Windows 10. If you need to upgrade Windows 7 to Windows 10, use the Upgrade Task Sequence instead.
Looking at the Windows 10 Servicing dashboard, our 3 Windows 10 1511 devices are near expiration (Expire Soon).
Go to Software Library \ Windows 10 Servicing \ Servicing Plan
Right-click Servicing Plan and select Create Servicing Plan
In the General Pane, give a Name and Description, click Next
On the Servicing Plan tab, click Browse and select your Target Collection
In the Deployment Ring tab :
Specify the Windows readiness state to which your servicing plan should apply
Specify how many days you want to wait before deploying
In the Upgrade tab, specify the Language, Required and Title of the upgrade packages you want to deploy. This is a nice addition in the SCCM 1602 release; in 1511, all languages were downloaded
Use the Preview button to ensure that you are targeting the right version (We are targeting Windows 10 1607 Enterprise en-us devices that are Required)
In the Deployment Schedule tab, select the desired behavior
In the User Experience tab, select the desired options
In the Deployment Package tab, select Create a new deployment package and enter your Package Source path
In the Distribution Points tab, select your distribution point
In the Download Location tab, select Download software updates from the Internet
In the Language Selection tab, select your language
In the Summary tab, review your settings and close the Create Servicing Plan wizard
Right-click your newly created Servicing Plan and select Run Now
You can see that the deployment gets created in the Monitoring / Deployments section
SERVICING PLAN DEPLOYMENT
Now that the deployment is triggered for clients, we will launch the installation manually using Software Center.
Open Software Center; under Updates, Feature Update to Windows 10 Enterprise 1607 is listed
Select it and select Install
Accept the warning by clicking Install Operating System. (Your data won’t be lost)
Installation is running
The computer will restart after about 5 minutes
The whole upgrade process takes about 30 to 45 minutes, and your device will be rebooted several times
Once completed, log on to the computer using your account. Windows is happy to tell you that it’s updated
We are now running Windows 10 Enterprise version 1607 (Build 14393)
Back in the Software Library \ Windows 10 Servicing \ Servicing Plan node
Our machine is now listed as version 1607 and is no longer listed as Expire Soon
The Service Plan Monitoring section can be used to monitor compliance and you can use the Deploy Now button to deploy the same service plan to a new collection
Use the comment section to tell us which upgrade method you prefer.
Part 13 | SCCM WINDOWS 10 TASK SEQUENCE UPGRADE
With the introduction of new Windows 10 service branches, you will need to upgrade your Windows 10 devices at a much faster pace. Fortunately, SCCM Current Branch (1511 and higher) has built-in features to help you fulfill this task. You can choose between the Upgrade Task Sequence and the new Windows Servicing feature. This post will describe how to upgrade Windows 10 using the SCCM Upgrade Task Sequence.
If you are running SCCM 1511, we recommend using the Upgrade Task Sequence over the new servicing feature. There is an issue in SCCM 1511 that causes all Windows 10 languages and editions to be downloaded to the device when the ADR runs. This is fixed in SCCM 1602: using a new filter, you can exclude unwanted languages and editions.
If you are running SCCM 1602 or later, it’s really a matter of preference which process to use. Each one has its own advantages: the new servicing feature uses the ADR/Software Update engine, while the Task Sequence method uses the Task Sequence engine. The Task Sequence method lets you run additional tasks after the upgrade or install new applications. Read both of our posts before making your decision, or use both if needed.
In this post, we will be upgrading a Windows 10 1511 to Windows 10 1607 using SCCM 1606. You can use this method to upgrade any upcoming Windows 10 release. Refer to our other blog post if you’re looking to upgrade Windows 7 to Windows 10 using task sequences.
REQUIREMENT
For an upgrade task sequence, you need to have the full Windows 10 1607 media imported in the Operating System Upgrade Packages node in SCCM:
Open the SCCM Console
Go to Software Library \ Operating Systems \ Operating System Upgrade Packages
Select Add Operating System Upgrade Packages
Select the path where you extracted the Windows 10 ISO
In the General tab, edit Name, Version and Comment fields, click Next
In the Summary tab, review your choices and click Next
Your operating system upgrade package is imported and ready to use in an upgrade task sequence
DISTRIBUTE OPERATING SYSTEM UPGRADE PACKAGES
Select your newly imported operating system upgrade packages and select Distribute Content
Send it to all the distribution points where you will be doing Windows 10 upgrades
CREATE WINDOWS 10 UPGRADE TASK SEQUENCE
Open the SCCM Console
Go to Software Library \ Operating Systems \ Task Sequences
Right-click Task Sequence and select Create Task Sequence
Select Upgrade an operating system from an upgrade package, click Next
In the Task Sequence Information tab, modify the Task sequence name and description if needed, click Next
In the Upgrade the Windows Operating System tab, click Browse and select your imported package, click OK then Next
In the Include Updates tab, we’ll select Do not install any software updates
In the Install Applications tab, add any applications you want to install after the upgrade, click Next
Review your choices, click Next and close the Create Task Sequence Wizard
If you right-click your newly created task sequence and select Edit, you’ll notice that the task sequence is really simple. You can add additional steps if required
DEPLOY THE TASK SEQUENCE
Right-click your newly created task sequence and select Deploy
In the General tab, click Browse and select a collection that contains the Windows 10 devices to be upgraded. At this point, we recommend selecting a collection containing a couple of devices to test your deployment. Click Next
In the Deployment Settings tab, select the Purpose (Available or Required). For this post we will select Available, click Next
In the Scheduling tab, select the desired date and time, click Next
In the User Experience tab, select desired options and click Next
In the Alerts tab, decide if you want to create alerts for the deployment and click Next
In the Distribution Points tab, select desired options, click Next
Review your settings, click Next and close the wizard
DEPLOY THE TASK SEQUENCE ON A DEVICE
Now that our task sequence is targeted to our Windows 10 device, we need to open the Software Center to initiate the upgrade process.
Before launching, let’s look at our current Windows 10 version :
Use the comment section to tell us which upgrade method you prefer.
Part 14 | SCCM UPGRADE READINESS CONNECTOR
Upgrade Readiness (formerly Upgrade Analytics) enables you to assess and analyze device readiness for Windows 10. You can integrate Upgrade Readiness with SCCM to access client upgrade compatibility data in the SCCM admin console. You are then able to target devices for upgrade or remediation from the device list.
Support for integrating Upgrade Analytics (now Upgrade Readiness) was introduced in SCCM 1610. With the 1706 release, there’s an improved integration of SCCM and Azure Services. These improvements streamline how you configure the Azure services you use with Configuration Manager. We thought this was a good opportunity to describe how to configure SCCM with the Upgrade Readiness Connector.
You must connect Upgrade Readiness to the top-tier site in your hierarchy. If you connect Upgrade Readiness to a standalone primary site and then add a central administration site to your environment, you must delete and recreate the OMS connection within the new hierarchy.
Once the setup is completed you’ll see the upgrade statistics in your OMS portal. You can see your Commercial ID Key by clicking the Solution Settings button. This key will be needed in the deployment script that you’ll be sending to your client.
CONFIGURE THE SCCM UPGRADE READINESS CONNECTOR
To create the connection, you’ll need the information of the Azure AD App you just created.
Open the SCCM Console
Go to Administration / Cloud Services / Azure Services
Right-click Azure Services and select Configure Azure Services
On the Azure Services tab, name your connection and select Upgrade Readiness Connector
On the App page, select your Azure environment and click Import
On the Import Apps page, specify the following information :
Azure AD Tenant Name: Specify any name
Azure AD Tenant ID: Specify the Azure AD tenant – You can find this information under Azure Active Directory / Properties
Application Name – Specify your application name
Client ID: Specify the Application ID of the created Azure AD app. You can see where to find this information in the previous steps
Secret key: Specify the Client secret key of the created Azure AD app. You can see where to find this information in the previous steps
Secret Key expiry: Specify the expiration date of your key
App ID URI: Specify the App ID URI of the created Azure AD app. You can see where to find this information in the previous steps
Click on Verify then Ok
On the Configuration page, the information will be pre-populated once the Azure AD app has enough permissions on the resource group. If the fields are empty, your application doesn’t have the necessary rights.
On the Summary page, click Next
On the Completion page, click Close
RUN AND DEPLOY UPGRADE READINESS SCRIPT
The computers that you want to evaluate need to run a script to send their data.
Save the script, create a package and deploy it to your Windows 7 or 8 computers.
VERIFICATION
Once run, it can take between 24 and 48 hours for the first numbers to show in your OMS workspace, and another 24 to 48 hours for them to show up in the SCCM console. Be patient!
After the configuration is completed you can view the numbers in Monitoring / Upgrade Readiness.
Part 15 | WINDOWS 10 SECURITY BASELINE
Microsoft has been releasing Security Baselines since the Windows XP days. Windows 10 is no exception, except that now a new release of the security baseline follows each major build of Windows 10. The concept of the Security Baseline is to provide Microsoft guidance for IT administrators on how to secure the operating system, by using GPOs, in the following areas:
Computer security
User security
Internet Explorer
BitLocker
Credential Guard
Windows Defender Antivirus
Domain Security
Implementing the security baseline in GPOs is not a complex or long task. The challenge the security baseline provides is that it exposes areas of the environment that are not secure.
This means that, to follow all Microsoft security guidelines, many other systems outside of Windows 10 would need to be fixed as well.
In this post, we will describe what the Security Baseline is, how to use it, and the key points that will most likely be challenging for other systems in the environment
Right-click on the GPO, and select Import Settings
Click Next
Click Next, no need to take a backup of a new blank GPO.
Browse to the GPOs folder and click Next
Select the GPO to be imported, based on the name and click Next
Click Next
Select Copying them identically from the source and click Next
Click Finish
Click the Settings tab to see all the configuration imported
Once the GPOs are imported, testing is key!
No magic trick here, start with test computers and then IT users/pilot users prior to applying this to production.
KEY POINTS THAT PROVIDE CHALLENGES
Here are some configurations that are part of the baseline and should be looked at up front, as they might cause issues in your environment. The idea here is to have a better understanding of what is going on. Don’t go and change those settings to avoid issues: the issues should be fixed at the other end for better security.
HARDENED UNC PATH
This setting is likely to give the following error when Windows 10 tries to process Group Policy.
Error
The processing of Group Policy failed. Windows attempted to read the file \\yourdomain.fqdn\sysvol\yourdomain.fqdn\Policies\{GPO GUID}\gpt.ini from a domain controller and was not successful.
The relevant setting is Computer/Administrative Templates/Network/Network Provider/Hardened UNC Paths
Review the following post by Lee Stevens for details on the UNC hardening path to help define this setting for your environment
INTERNET EXPLORER PROCESS ONLY COMPUTER GPO
If you have user GPOs for Internet Explorer security zones, adding the Internet Explorer baseline will prevent those settings from being applied.
Two options are available if this causes issues:
Move your Internet Explorer configuration to computer GPO instead of user GPO
Change the configuration back to Not Configured for this GPO
USER ACCOUNT CONTROL
User Account Control (UAC) is configured to the maximum level by the Security Baseline.
The default Windows 10 level is Notify me only when applications try to make changes to my computer (level 3 out of 4)
This is configured by a local security policy
To modify it in the Windows 10 Computer GPO, go to Computer/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control
CREDENTIAL GUARD
Enabling Credential Guard in Windows 10 is categorized as a quick win, as the requirements and setup are easy.
The default configuration of the MSFT Windows 10 and Server 2016 – Credential Guard GPO is set in a way that is likely to crash the computer, or to impose an undesired requirement for future needs, if applied as is.
We strongly recommend carefully reading the Help section of the Computer/Administrative Templates/System/Device Guard/Turn On Virtualization Based Security setting
To take advantage of Credential Guard safely, this would be the required configuration.
SMB V1
This topic is the most important of all key points. With Windows 10 v1709, SMB v1 is disabled by default. But what if you still need this in your environment?
Let me make this clear: we do not recommend enabling SMB v1. It has proven to be one of the most critical security holes of late, with malware like WannaCry.
On the other hand, sometimes we don’t have much choice but to go against security.
So to leave SMB v1 enabled as part of the security baseline GPO, we suggest reading the following blog post by Aaron Margosis
The GPO settings for SMB v1 are under Computer/Administrative Templates/MS Security Guide
ISSUE WITH BITLOCKER ON WINDOWS 10 1709
The MSFT Windows 10 RS3 – BitLocker GPO contains a setting, Disable new DMA devices, that broke some computers.
The setting Computer/Administrative Templates/Windows Components/BitLocker Drive Encryption/Disable new DMA devices when this computer is locked, should be reviewed prior to being applied.
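As an added example (not code from the post), the following PowerShell is a read-only audit of the settings flagged above as likely to cause trouble (Hardened UNC Paths, the UAC level, Credential Guard, SMB v1 and the BitLocker DMA lock), so you know where a client stands before the baseline GPOs reach it. Assumptions not taken from the post: it runs elevated on a Windows 10 1709 client, and the registry value names are the ones the corresponding policies write.

```powershell
# Added example, not code from the original post. Nothing here writes to the system.

function Get-HardenedUncPaths {
    # The Hardened UNC Paths policy stores one value per UNC path under this key,
    # e.g. '\\*\SYSVOL' = 'RequireMutualAuthentication=1, RequireIntegrity=1'.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
    if (-not (Test-Path $key)) { return @() }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -like '\\*' } |
        ForEach-Object { [pscustomobject]@{ UncPath = $_.Name; Requirements = $_.Value } }
}

function Get-UacLevel {
    # ConsentPromptBehaviorAdmin 2 + PromptOnSecureDesktop 1 is the baseline's maximum
    # ("Always notify"); 5 + 1 is the Windows 10 default described above (level 3 of 4).
    $sys = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    [pscustomobject]@{
        ConsentPromptBehaviorAdmin = $sys.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $sys.PromptOnSecureDesktop
        AtBaselineMaximum          = ($sys.ConsentPromptBehaviorAdmin -eq 2 -and $sys.PromptOnSecureDesktop -eq 1)
    }
}

function Get-CredentialGuardState {
    # Win32_DeviceGuard lists the services running under VBS: 1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsStatus                 = $dg.VirtualizationBasedSecurityStatus   # 0 off, 1 enabled, 2 running
        CredentialGuardConfigured = ([int[]]$dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = ([int[]]$dg.SecurityServicesRunning -contains 1)
    }
}

function Get-Smb1State {
    # Server side: the optional feature and the protocol switch; client side: the SMB 1 redirector driver.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    $server  = Get-SmbServerConfiguration
    $client  = Get-Service -Name mrxsmb10 -ErrorAction SilentlyContinue
    $clientStart = if ($client) { $client.StartType.ToString() } else { 'NotInstalled' }
    [pscustomobject]@{
        Smb1FeatureState    = $feature.State.ToString()   # Enabled / Disabled / DisabledWithPayloadRemoved
        Smb1ServerEnabled   = $server.EnableSMB1Protocol
        Smb1ClientStartType = $clientStart
    }
}

function Get-BitLockerDmaLockPolicy {
    # "Disable new DMA devices when this computer is locked" is stored as DisableExternalDMAUnderLock.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    [pscustomobject]@{ DisableExternalDMAUnderLock = $fve.DisableExternalDMAUnderLock }   # $null = not set
}

function Invoke-BaselineReadinessAudit {
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        HardenedUncPaths = @(Get-HardenedUncPaths)
        Uac              = Get-UacLevel
        CredentialGuard  = Get-CredentialGuardState
        Smb1             = Get-Smb1State
        BitLockerDma     = Get-BitLockerDmaLockPolicy
    }
}

# Emit the audit as JSON so results from pilot machines can be collected and compared.
Invoke-BaselineReadinessAudit | ConvertTo-Json -Depth 3
```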
WHAT TO DO WHEN A NEW VERSION OF SECURITY BASELINE IS AVAILABLE?
A new version of the Security Baseline usually comes out at the same time as a Windows 10 build goes RTM.
Microsoft has always released it first as a DRAFT version, which stays for a couple of months, and then releases the FINAL version.
Here’s a checklist for what to do when the new version is available :
Start by reviewing the Excel file to see what’s new to the baseline
Most of the new settings in the baseline will be in line with new features as part of the Windows 10 release
Update ADMX in the Central store with the ones from the latest Windows 10 build prior to adding new settings
New settings should then be added to your environment by one of the following :
Import the new GPOs
Add new settings to current GPO
Follow us on Twitter to get a notification when a new version of the Security baseline is released.
BONUS TIP
The Policy Analyzer is a great tool to compare current GPOs against the ones from the Security Baseline.
This can give an idea of the conflicting settings as well as additional settings from the Security Baseline
Part 16 | SCCM Windows 10 USMT
Since SCCM 1511, you can use the new upgrade task sequence to easily upgrade a Windows 7 computer to Windows 10. But what if you want to upgrade a computer from a 32-bit operating system to 64-bit Windows 10? You can’t use the upgrade task sequence for this specific scenario. Another reason would be that your company decided to use the wipe-and-reload option in your Windows 10 migration project. In those cases, you will need to use USMT to capture data and settings from the user profiles before applying the new operating system.
This post will describe how to upgrade a 32-bit computer to 64-bit Windows 10 using USMT and SCCM. This post will use hard-links without a State Migration Point. Continue reading if you are not familiar with those terms; we will explain them later.
Since you’re at the step of deploying Windows 10, we assume that you already installed at least SCCM 1511 and the latest Windows ADK before reading this post. If not, read our related posts :
Let’s start by giving a couple of facts about the User State Migration Tool :
Latest USMT version is 5.0
Latest Windows ADK 10 includes the latest version
Supports capturing data and settings from Windows Vista and later (including Windows 10)
Supports restoring the data and settings to Windows 7 and later (including Windows 10)
Supports migrating from a 32-bit operating system to a 64-bit operating system, but not the other way around
WHAT GETS MIGRATED
By default, USMT migrates many settings (user profile, Control Panel configurations, files, and more). The default configuration files used in Windows 10 deployments are MigUser.xml and MigApp.xml. These two configuration files migrate the following data and settings:
Folders from each profile (My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites folders)
If needed, you can create custom configuration files to include more file types or settings. See the following Technet post for detailed instructions.
For more details on what USMT migrates, see this Technet article. For more information on the USMT overall references, see this Technet article.
WHERE TO STORE THE USER DATA AND SETTINGS
You can capture USMT data locally (Hard-links) or remotely using a State Migration Point in SCCM (File Copy).
Hard-link migration takes advantage of advanced features of the NTFS file system that allow files to physically remain in-place and intact even after the drive is wiped (not formatted). When restored, pointers to the files are restored, so the files never physically have to be copied or moved outside the machine. To use hard-linking, select the Capture locally by using links instead of copying files option in the Capture User State task
File copy: If hard-linking is not selected, the traditional file copy method for storing user state is used. This file copy method literally copies all identified user state data to an alternative location requiring extra disk space and extra time to complete the copy
Warning: You cannot use a State Migration Point and hard-links to store the user state data at the same time.
To store the user state data on a state migration point (File Copy), you must first Configure a state migration point to store the user state data
To store the user state data on the destination computer for update deployments (Hard-Link), you must :
Add a Capture User State step to your task sequence and configure it to use a local folder using links
Add a Restore User State step to your task sequence and configure it to restore the user state using those links
The user state data that the hard-links reference stays on the computer after the task sequence removes the old operating system. For that reason, you cannot format and partition the drive if you are using USMT this way. The disk will be wiped during the Apply Operating System step of the task sequence. If you must format and partition but still want to use USMT, consider using a state migration point, which is network based.
This post will focus on the hard-links option and will not describe how to customize the task sequence to use the state migration point.
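As an added example (not code from the post, and not the exact command line the SCCM Capture User State and Restore User State steps run), the following PowerShell performs the hard-link capture and restore described above by hand with scanstate and loadstate, which is handy on a lab machine for checking what MigUser.xml and MigApp.xml will migrate before building the task sequence. Assumptions not taken from the post: the USMT binaries are copied to C:\USMTBin (both the x86 and amd64 folders of the USMT package), the hard-link store is C:\USMT, and logs go to C:\Windows\Temp\USMT.

```powershell
# Added example, not code from the original post.
$UsmtBin = 'C:\USMTBin'            # assumed copy of the User State Migration Tool for Windows 10 package
$Store   = 'C:\USMT'               # assumed hard-link store; must sit on the same NTFS volume as the profiles
$LogDir  = 'C:\Windows\Temp\USMT'  # USMT does not allow log files inside the store path

function Get-UsmtBinPath {
    # The 32-bit source OS must run the x86 scanstate; the 64-bit destination OS runs amd64 loadstate.
    $arch = if ([Environment]::Is64BitOperatingSystem) { 'amd64' } else { 'x86' }
    Join-Path $UsmtBin $arch
}

function Invoke-UsmtHardlinkCapture {
    # Run on the old 32-bit OS before the wipe. Returns the scanstate exit code (0 = success).
    $usmt = Get-UsmtBinPath
    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
    # /hardlink keeps files in place as NTFS hard links instead of copying them;
    # /nocompress is mandatory with /hardlink; /o overwrites an existing store; /c continues on non-fatal errors.
    & (Join-Path $usmt 'scanstate.exe') $Store /hardlink /nocompress /o /c `
        "/i:$usmt\MigUser.xml" "/i:$usmt\MigApp.xml" `
        "/l:$LogDir\scanstate.log" /v:5
    return $LASTEXITCODE
}

function Test-UsmtHardlinkStore {
    # scanstate creates a USMT subfolder holding the store catalog; its presence means a capture completed.
    Test-Path (Join-Path $Store 'USMT')
}

function Invoke-UsmtHardlinkRestore {
    # Run on the new 64-bit Windows 10 with the same store path and the same .xml files as the capture.
    $usmt = Get-UsmtBinPath
    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
    & (Join-Path $usmt 'loadstate.exe') $Store /hardlink /nocompress /c `
        "/i:$usmt\MigUser.xml" "/i:$usmt\MigApp.xml" `
        "/l:$LogDir\loadstate.log" /v:5
    return $LASTEXITCODE
}

function Remove-UsmtHardlinkStore {
    # A hard-link store is removed with usmtutils /rd rather than a plain delete, so the
    # linked files and the store catalog are released together.
    $usmt = Get-UsmtBinPath
    & (Join-Path $usmt 'usmtutils.exe') /rd $Store
    return $LASTEXITCODE
}

# Typical lab sequence on the source OS:
if ((Invoke-UsmtHardlinkCapture) -eq 0 -and (Test-UsmtHardlinkStore)) {
    "Hard-link store ready in $Store; apply the 64-bit OS, then run Invoke-UsmtHardlinkRestore"
} else {
    "Capture failed; check $LogDir\scanstate.log"
}
```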
VERIFY SCCM WINDOWS 10 USMT PACKAGE
To store the user state locally or on a state migration point, you must create a package that contains the USMT source files that you want to use. This package is used in the Capture User State step of the migration task sequence.
Open the SCCM Console
Go to Software Library / Application Management / Packages
Right-click the User State Migration Tool for Windows 10 package and select Properties
On the Data Source tab, ensure that the package is using ADK 10, which by default is C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\User State Migration Tool
Right-click the User State Migration Tool for Windows 10 package and select Distribute Content
If you have no User State Migration Tool for Windows 10 package, just create (without any programs) and distribute it
CREATING THE CAPTURE AND RESTORE USER STATE DATA TASK SEQUENCE
To capture and restore the user state, you must first create a new task sequence, but first we'll explain the different options in the User State menu:
Request State Store: This step is needed only if you store the user state on the State Migration Point
Capture User State: This step captures the user state data and stores it on the State Migration Point or locally using hard-links
Restore User State: This step restores the user state data on the destination computer. It can retrieve the data from a user state migration point or from hard-links
Release State Store: This step is needed only if you store the user state on the State Migration Point. This step releases the data from the State Migration Point
When you create a new task sequence from the latest SCCM version, the wizard takes care of the essential steps. Let's create it and see what the options are:
Go to Software Library \ Operating Systems \ Task Sequences
Right-click Task Sequence and select Create Task Sequence
Select Install an existing image package
On the Task Sequence Information tab, enter your Task sequence name, Description and Boot Image
On the Install Windows tab, uncheck Partition and format the target computer and Configure task sequence for use with BitLocker
If format and partition of the disk were selected, it would wipe all data on the drive, including the USMT data. Instead, the Apply Operating System task deletes all files and directories on the drive except the protected USMT folders
On the Configure Network tab, select to join your domain and specify the account to use
On the Install Configuration Manager Client tab, select your client package
On the State Migration tab, check Capture user settings and files and select your USMT package
Select Save user settings and files locally and check Capture locally by using links instead of by copying files
Note: This is the important part of the post.
In the Include Update tab, select the desired update behavior
On the Install Applications tab, select any applications that you want to include in your task sequence
On the Summary tab, review your choices, click Next and complete the wizard
Now that the task sequence is created, we’ll edit it and review the steps
Right-click your newly created task sequence and click Edit
You'll notice 3 USMT steps have been created:
Set Local State Location: This step specifies the directory where the local state will be saved. We are using the built-in variable OSDStateStorePath and set the value to %_SMSTSUserStatePath%, but you can use a specific location if needed
Capture User Files and Settings: This is the step where USMT runs the ScanState command. You will see this command in SMSTS.log when monitoring your task sequence. (By default: C:\_SMSTaskSequence\Packages\<YourPackageID>\amd64\scanstate.exe C:\_SMSTaskSequence\UserState /o /localonly /efs:copyraw /c /hardlink /nocompress /l:C:\Windows\CCM\Logs\SMSTSLog\scanstate.log /progress:C:\Windows\CCM\Logs\SMSTSLog\scanstateprogress.log /i:C:\_SMSTaskSequence\Packages\<ID>\amd64\migdocs.xml /i:C:\_SMSTaskSequence\Packages\<ID>\amd64\migapp.xml)
Restore User Files and Settings: This is the step where USMT runs the LoadState command. You will see this command in SMSTS.log when monitoring your task sequence. (By default: C:\_SMSTaskSequence\Packages\<YourPackageID>\amd64\loadstate.exe C:\_SMSTaskSequence\UserState /ue:<computername>\* /c /hardlink /nocompress /l:C:\WINDOWS\CCM\Logs\SMSTSLog\loadstate.log /progress:C:\WINDOWS\CCM\Logs\SMSTSLog\loadstateprogress.log /i:C:\_SMSTaskSequence\Packages\<ID>\amd64\migdocs.xml /i:C:\_SMSTaskSequence\Packages\<ID>\amd64\migapp.xml)
ADD SUPPORT FOR WINPE
Now that we have created a basic task sequence for USMT, we suggest adding a step to support offline capture. If you start your task sequence from PXE, you will need this new step because the step we just created will fail in Windows PE. We will add a step and a condition so that the right one runs depending on the environment in which the task sequence runs.
Right-click the task sequence you just created, select Edit
Select the Capture User Files and Settings step
Duplicate the task by doing CTRL-C, CTRL-V
A new Capture User Files and Settings step is created, select the Capture in Off-line mode (Windows PE only) check box and rename the step to add (WinPE) at the end
Rename the other Capture User Files and Settings step to (FullOS)
You'll end up with 2 similar Capture User Files and Settings steps: one for Online mode (FullOS) and one for Offline mode (WinPE)
Select the Capture User Files and Settings (FullOS) step and click on the Options tab
Select Add Condition, Task Sequence Variable
Variable: _SMSTSInWinPE
Condition: Equals
Value: False
Select the Capture User Files and Settings (WinPE) step and click on the Options tab
Select Add Condition, Task Sequence Variable
Variable: _SMSTSInWinPE
Condition: Equals
Value: True
Click Apply and Ok to close the task sequence
DEPLOY SCCM WINDOWS 10 USMT TASK SEQUENCE
We are now ready to deploy our Windows 10 USMT task sequence to the Windows 7 computer we want to upgrade.
Go to Software Library \ Operating Systems \ Task Sequences
Right-click your USMT Task Sequence and select Deploy
On the General pane, select your collection. This is the collection that will receive the Windows 10 upgrade using USMT. For testing purposes, we recommend putting only 1 computer to start
On the Deployment Settings tab, select the Purpose of the deployment
Available will prompt the user to install at the desired time
Required will force the deployment at the deadline (see Scheduling)
You cannot change the Make available to the following drop-down since upgrade packages are available to clients only
On the Scheduling tab, enter the desired available date and time. On the screenshot, we can't create an Assignment schedule because we selected Available in the previous screen
In the User Experience pane, select the desired options
In the Alerts tab, check Create a deployment alert when the threshold is higher than the following check-box if you want to create an alert on the failures
On the Distribution Point pane, select the desired Deployment options. We will leave the default options
Review the selected options and complete the wizard
TESTING ON THE TARGET COMPUTER
For the sake of this post we created a VM with Windows 7 32-bit. We will run our newly created task sequence to upgrade it to Windows 10 64-bit.
I also created multiple files in the user profile to show the USMT actions. We simply created text documents in the various libraries and on the desktop.
We open the Software Center, select our task sequence and click Install
The computer launches the USMT action before rebooting into Windows PE and installing Windows 10
Once the process is completed, we have a brand new Windows 10 migrated with my files where I left them. Even the psycho tortoise wallpaper has made the move.
We hope this post will ease your Windows 10 migrations. Leave a comment if you have any questions.
Part 17 | SCCM WINDOWS 10 2004 UPGRADE
Support for Windows 7 ended on January 14, 2020. If you are still using Windows 7, your PC may become more vulnerable to security risks. Microsoft published the Windows 10 2004 feature update (aka Windows 10 May 2020 Update) on VLSC. If you haven’t planned your Windows 7 migration to Windows 10, this post will help prepare your SCCM Server to deploy it.
You may also need to deploy Windows 10 2004 to your Windows 10 computers to stay supported or to benefit from the new features. Before deploying a new Windows 10 feature upgrade, you need to have a good plan. Test it in a lab environment, deploy it to a limited group and test all your business applications before broad deployment. Do not treat a feature upgrade as normal monthly software updates. Treat it as a new operating system as if you were upgrading Windows 7 to Windows 10.
This blog post will cover all the tasks needed to deploy the new SCCM Windows 10 2004 Upgrade:
Check if you have an SCCM Supported version
Upgrade your Windows ADK
Import the OS in SCCM to use with your deployment Task Sequence
Create a Windows 10 Upgrade Task Sequence for Windows 10 (and Win 7 or 8.1 computers)
Update your Automatic Deployment Rules and Software Update Groups
Import your ADMX
CHECK PREREQUISITE SCCM WINDOWS 10 2004 UPGRADE
For Windows 10 2004 May 2020 Update, you need at least SCCM 2002 in order to support it as a client. See the following support matrix if you’re running an outdated SCCM version and make sure to update your site.
WINDOWS ADK
Before capturing and deploying a Windows 10 2004 image, make sure that you're running a supported version of the Windows ADK. Microsoft recommends using the Windows ADK that matches the version of Windows you're deploying. If you're already running an ADK version on your SCCM server, see our post on how to install a new version.
UPGRADE METHOD – TASK SEQUENCE OR SERVICING PLAN?
You can't use servicing plans to upgrade Windows 7 or Windows 8 computers, so for those you must use an upgrade task sequence.
In order to upgrade an existing Windows 10 to Windows 10 2004, you have 2 choices: you can use an upgrade Task Sequence or you can use Servicing Plans.
There is a strong debate over which is the best method. We prefer to use an Upgrade Task Sequence for the simple reason that it's more customizable. You can run pre-upgrade and post-upgrade tasks, which will be mandatory if you have any sort of customization in your Windows 10 deployments.
For example, Windows 10 resets pretty much anything related to regional settings, keyboard, start menu and taskbar customization. Things are getting better from one version to another, but if you're upgrading from an older build, let's say 1511, expect some post-configuration tasks... and the only way to do that is using a task sequence.
Servicing Plans have the advantage of simplicity: you set your options and forget about them, as Automatic Deployment Rules do for Software Updates. We have yet to meet a client that doesn't want any control over Windows 10 upgrades in their organization. We totally understand the point of Servicing Plans and they'll be useful in a couple of releases when Windows 10 upgrades become an easy task... but for now, unfortunately, they are not.
IMPORT SCCM WINDOWS 10 2004 OPERATING SYSTEM
We will now import the Windows 10 2004 WIM file for Operating System Deployment. If you don’t have the Windows 10 ISO, you can download it from Microsoft Volume Licensing Site.
We will be importing the default Install.wim from the Windows 10 media for a "vanilla" Windows 10 deployment. You could also import a WIM file that you've created through a build and capture process. This WIM file will be used for new computers. To upgrade an existing Windows 10, you need to import an Operating System Upgrade Package instead. We will cover this in the next section.
Open the SCCM Console
Go to Software Library / Operating Systems / Operating System Images
Right-click Operating System Images and select Add Operating System Image
On the Data Source tab, browse to your WIM file. The path must be in UNC format
You can now select to import only a specific index from the WIM file. We selected the Windows 10 Enterprise index
Select your Architecture and Language at the bottom and click Next
In the General tab, enter the Name, Version and Comment, click Next
On the Summary tab, review your information and click Next
Complete the wizard and close this window
DISTRIBUTE YOUR SCCM WINDOWS 10 2004 OPERATING SYSTEM IMAGE
We now need to send the Operating System Image (WIM file) to our distribution points.
Right-click your Operating System Image, select Distribute Content and complete the Distribute Content wizard
ADD OPERATING SYSTEM UPGRADE PACKAGES
We will now import the complete Windows 10 media in Operating System Upgrade Packages. This package will be used to upgrade an existing Windows 10 or a Windows 7 (or 8.1) device to Windows 10 using an Upgrade Task Sequence.
Open the SCCM Console
Go to Software Library / Operating Systems / Operating System Upgrade Packages
Right-click Operating System Upgrade Packages and select Add Operating System Upgrade Package
In the Data Source tab, browse to the path of your full Windows 10 media. The path must point to an extracted source of an ISO file. You need to point at the top folder where Setup.exe resides
You can now select to import only a specific index from the WIM file. We selected the Windows 10 Enterprise index
Select your Architecture and Language at the bottom and click Next
In the General tab, enter the Name, Version, and Comment, click Next
On the Summary tab, review your information and click Next and complete the wizard
DISTRIBUTE YOUR OPERATING SYSTEM UPGRADE PACKAGES
We now need to send the Operating System Upgrade Package to your distribution points.
Right-click your Operating System Upgrade Package, select Distribute Content and complete the Distribute Content wizard
CREATE SCCM TASK SEQUENCE FOR WINDOWS 10 2004
Let's create an SCCM upgrade task sequence for a Windows 10 device. Once again, this Task Sequence could also be used for Windows 7 or 8.1.
Open the SCCM Console
Go to Software Library \ Operating Systems \ Task Sequences
Right-click Task Sequences and select Upgrade an operating system from upgrade package
In the Task Sequence Information tab, enter a Task Sequence Name and Description
On the Upgrade the Windows Operating System tab, select your upgrade package by using the Browse button
Select your Edition Index depending on the edition you want to deploy. If you imported only 1 index as suggested in the previous steps, you'll see only 1 index to select from.
On the Include Updates tab, select the desired Software Update task
All Software Updates will install the updates regardless of whether there is a deadline set on the deployment (on your OSD collection)
Mandatory Software Updates will only install updates from deployments that have a scheduled deadline (on your OSD collection)
Do not install any software updates will not install any software update during the Task Sequence
On the Install Applications tab, select any application you want to add to your upgrade process
On the Summary tab, review your choices and click Next and click Close
EDIT THE SCCM WINDOWS 10 2004 TASK SEQUENCE UPGRADE
Now that we have created the upgrade task sequence, let’s see what it looks like under the hood.
Open the SCCM Console
Go to Software Library \ Operating Systems \ Task Sequences
Right-click your upgrade task sequence and select Edit
As you can see, it's fairly simple. SCCM takes care of everything in a couple of steps:
The Upgrade Operating System step contains the important step of applying Windows 10
Ensure to choose the right Edition
DEPLOY THE SCCM WINDOWS 10 2004 UPGRADE TASK SEQUENCE
We are now ready to deploy our task sequence to the computer we want to upgrade. In our case, we are targeting a Windows 7 computer.
Go to Software Library \ Operating Systems \ Task Sequences
Right-click Task Sequences and select Deploy
On the General pane, select your collection. This is the collection that will receive the Windows 10 upgrade. For testing purposes, we recommend putting only 1 computer to start
On the Deployment Settings tab, select the Purpose of the deployment
Available will prompt the user to install at the desired time
Required will force the deployment at the deadline (see Scheduling)
You cannot change the Make available to the following drop-down since upgrade packages are available to clients only
On the Scheduling tab, enter the desired available date and time. On the screenshot, we can't create an Assignment schedule because we selected Available in the previous screen
In the User Experience pane, select the desired options
In the Alerts tab, check Create a deployment alert when the threshold is higher than the following check-box if you want to create an alert on the failures
On the Distribution Point pane, select the desired Deployment options. We will leave the default options
Review the selected options and complete the wizard
LAUNCH THE UPGRADE PROCESS ON A WINDOWS 10 COMPUTER
Everything is now ready to deploy to our Windows 10 computers. For our example, we will be upgrading a Windows 10 1909 to Windows 10 2004. This task sequence can also be used on Windows 7 or 8.1 devices to install Windows 10 2004.
Log on to your Windows 10 computer and launch a Machine Policy Retrieval & Evaluation Cycle from Control Panel / Configuration Manager icon
You’ll see the SCCM upgrade task sequence as available. We could have selected the Required option in our deployment schedule, to launch automatically without user interaction at a specific time
When ready, click on Install
On the Warning, click Install
The update is starting, the task sequence Installation Progress screen shows the different steps
The WIM is downloaded to the computer and saved in C:\_SMSTaskSequence
You can follow task sequence progress in C:\Windows\CCM\Logs\SMSTSLog\SMSTS.log
After downloading, the system will reboot
The computer restarts and loads the files in preparation for the Windows 10 upgrade
WinPE is loading
The upgrade process starts. This step should take between 60 and 90 minutes depending on the device hardware
Windows 10 is getting ready; 2-3 more minutes and the upgrade will be completed
Once completed, the SetupComplete.cmd script runs. This step is important to set the task sequence service to the correct state
Windows is now ready, all software and settings are preserved
CREATE SOFTWARE UPDATE GROUP
One important thing in any OSD project is to make sure that the deployment of every machine is up to date. Before deploying Windows 10 2004, make sure that your Software Update Point is configured to include Windows 10 patches.
Once Windows 10 is added to your Software Update Point, we will create a Software Update Group that will be deployed to our Windows 10 deployment collection. This way, all patches released after the Windows 10 media creation (or your Capture date) will be deployed during the deployment process.
To create a Windows 10 Software Update Group:
Open the SCCM Console
Go to Software Library / Software Updates / All Software Updates
On the right side, click Add Criteria, select Product, Expired and Superseded
Product: Windows 10
Expired: No
Superseded: No
Title contains: 2004
Select only the latest Cumulative Updates that apply (x64 or x86) and select Create Software Update Group
Once created, go to Software Library / Software Updates / Software Update Groups
Right-click your Windows 10 SUG and deploy it to your OSD deployment collection
IMPORT ADMX FILE
If you're responsible for managing group policy in your organization, ensure that you import the latest Windows 10 2004 ADMX files on your domain controller.
BONUS RESOURCES
After your SCCM Windows 10 2004 Upgrade, do you need a report to track your Windows 10 devices? We developed a report to help you achieve that:
This post will describe how to connect your SCCM infrastructure to the Desktop Analytics cloud-based service. We will show how to create your workspace and connect it to an SCCM 1906 server. In the latest SCCM 1906 version, some new features were added to Desktop Analytics:
From Microsoft :
You can now get more detailed insights for your desktop applications including line-of-business apps.
Use the DesktopAnalyticsLogsCollector.ps1 tool from the Configuration Manager install directory to help troubleshoot Desktop Analytics. It runs some basic troubleshooting steps and collects the relevant logs into a single working directory.
WHY USE SCCM DESKTOP ANALYTICS
Desktop Analytics is a standalone cloud-based service that connects with SCCM. By using the Desktop Analytics service, you can easily find interesting information about your Windows clients:
Receive mitigation suggestions based on cloud-enabled data insights
Create pilot groups that represent your organization based on applications and drivers
Use those pilot groups to deploy Windows 10
The main advantage is that it can help an organization stay current with Windows 10 by helping you assess problems from drivers and application compatibility. There's really no reason not to use Desktop Analytics if you meet all the requirements.
WINDOWS ANALYTICS VS DESKTOP ANALYTICS
Desktop Analytics is a “new version” of Windows Analytics. It has all the same features plus it can be connected with SCCM.
The Desktop Analytics service includes:
Upgrade Readiness
Update Compliance
Device Health
Richer app and Office macro insights
Easier integration with SCCM
PREREQUISITES BEFORE USING DESKTOP ANALYTICS AND SCCM INTEGRATION
If you are not redirected to the Desktop Analytics page, click on it on the left menu
On Welcome to Desktop Analytics screen, click Start
On the Accept service agreement screen, click Next
Move the slider to Yes, click Next
Move the Allow the Desktop Analytics to manage directory roles on your behalf slider to the right (Yes)
Under Workspace Owners, add desired users who will have access to your Desktop Analytics portal
Click Next
On Set up your workspace page, select your Azure Subscription. You can add a new workspace or use an existing workspace. We will create a new workspace
Click Add Workspace and click Set as Desktop Analytics workspace
On the Confirm and grant access box, click Continue, then Accept the permission requested
When you successfully add the workspace, you will find the following details. Validate the Workspace Name, Workspace ID and Commercial ID Key. Click Next
Desktop Analytics is now configured. Click Go to Desktop Analytics
On the Desktop Analytics home screen, you are warned that it could take up to 72 hours to process data. Be patient; you'll also see a warning: Welcome to Desktop Analytics! You will need to enroll devices in Configuration Manager to populate your workspace. This is what we'll be doing in the next steps.
Under the hood, if you log into your Azure Portal and go to the Log Analytics workspace, you'll see that your workspace has been created
CONNECT SCCM WITH DESKTOP ANALYTICS
It’s now time to connect SCCM with the newly created Desktop Analytics workspace.
Open the SCCM console
Navigate to Administration / Cloud Services / Azure Services.
Right-click Azure Services and click Configure Azure Services
Set a name and select Desktop Analytics, click Next
Select the Azure environment and click Browse to select the associated Web App. On the Server app window, click Create
Specify an Application name
The HomePage URL and App ID URI should be set to https://ConfigMgrService. If you get an error that Another object with the same value for property identifierUris already exists, this is probably because you’ve already configured another Azure service with that name. Set a unique name and click Sign-In
Enter your Azure Credentials and ensure that the login is successful, click OK to close the window
Click Next
On the Diagnostic Data page, make a note of Commercial ID
Select Enable to Allow Device Name in Diagnostic Data, click Next
In the Available Functionality screen, click Next
Select the SCCM collection that will be targeted for Desktop Analytics onboarding by clicking the Add button. You'll be able to add more collections later. Since this is a lab environment we selected the All Systems collection. Choose a pilot collection to start on your site.
The Target collection includes all devices that SCCM configures with your commercial ID and diagnostic data settings.
Once selected, click Next
On the Summary screen, verify all settings, Click Next and Close
VERIFICATION
Once completed you can verify that the connection has been made
Go to Administration / Cloud Services / Azure Services
You’ll see that the Desktop Analytics service is listed
To monitor the enrollment status of devices :
Go to Software Library / Analytics Servicing / Connection Health
This dashboard shows valuable data to help you. Microsoft has also released good documentation about how to troubleshoot issues.
SCCM 1906 and later also have a PowerShell script, DesktopAnalyticsLogsCollector.ps1 (in the SCCM install directory under cd.latest\SMSSETUP\TOOLS\DesktopAnalyticsLogsCollector), to help troubleshoot Desktop Analytics.
ENROLL DEVICES
Once your service is connected, the work is just beginning: you need to enroll as many devices as possible to gather valuable information.
Depending on the operating system, make sure that the devices have all the required updates.
For Enrollment, you don’t need to install any client. Desktop Analytics relies on diagnostic data sent depending on the configured settings.
SCCM will use the collection you specified in the previous steps to configure your devices.
CREATE DEPLOYMENT PLANS
Once your devices are enrolled you need to create Deployment Plans. Deployment plans are used to simulate a Windows deployment and to:
Automatically recommend which devices to include in pilots
Identify compatibility issues and suggest mitigations
Assess the health of the deployment before, during, and after updates
Track the progress of your deployment
Unfortunately, these plans are not created in SCCM. You need to create them in your Desktop Analytics portal and they will be synced to SCCM. You'll then use SCCM to deploy the plans to collections.
By clicking on the Deployment Plan, you’ll be able to see the results in the SCCM Console
DESKTOP ANALYTICS LOGS FILES
Use the following log files to help troubleshoot issues.
The log files on the service connection point are in the following directory: %ProgramFiles%\Configuration Manager\Logs\M365A.
The log files on the Configuration Manager client are in the usual C:\Windows\CCM\Logs directory.
Log | Description | Computer with log file
M365ADeploymentPlanWorker.log | Information about deployment plan sync from Desktop Analytics cloud service to on-premises Configuration Manager | Service connection point
M365ADeviceHealthWorker.log | Information about device health upload from Configuration Manager to Microsoft cloud | Service connection point
M365AHandler.log | Information about the Desktop Analytics settings policy | Client
M365AUploadWorker.log | Information about collection and device upload from Configuration Manager to Microsoft cloud | Service connection point
SmsAdminUI.log | Information about Configuration Manager console activity, like configuring the Azure cloud services | Service connection point
Desktop Analytics is still in the preview phase and it's possible that the process changes during the development phase. We'll try to keep this post as current as possible as the product hits General Availability.
REPORTING
We built 2 SSRS reports that will help you use Desktop Analytics. For more details, click here.
Founder of System Center Dudes. Based in Montreal, Canada, Senior Microsoft SCCM Consultant, 5 times Enterprise Mobility MVP. Working in the industry since 1999. His specialization is designing, deploying and configuring SCCM, mass deployment of Windows operating systems, Office 365 and Intunes deployments.
Windows Autopilot is a new and emerging solution that allows you to set up and pre-configure Windows devices for your environment using Azure and Intune. The goal of Autopilot is to reduce OS deployment complexity. If done correctly, a user logs on to an out-of-box computer with his AAD user account, and applications and configurations get deployed. All that with minimum infrastructure requirements.
When announced a couple of months ago, Autopilot had its flaws, but it's improving very fast. One of those flaws was that device import was done from the Windows Store for Business or the Microsoft Partner Center. Those days are over since you can now import your devices directly from Microsoft Intune.
Update 2018/04/09 – Intune now uses the same format as the Microsoft Store for Business, so you can directly upload a CSV created by the Get-WindowsAutoPilotInfo script.
Microsoft Intune Autopilot device import
Log in to your Azure Portal and launch Microsoft Intune
From the Intune portal, select Device enrollment / Windows enrollment / Devices
In the Windows Autopilot Devices pane, select Import on the top
From there, you need to select a .CSV file. It’s not possible to import a single device manually.
As shown in the portal, the CSV file has some formatting requirements:
This means that you need the Serial Number, Windows Product ID, Hardware Hash and Order ID separated by commas. You cannot have more than 175 rows/devices in the CSV.
Fortunately, a good script is already available for Windows to get this information... but it's not yet adapted for Microsoft Intune. The OrderID is not generated by the script, so it needs to be added manually, and the header is invalid.
From a Windows 10 1703+ computer
Start Windows PowerShell as Administrator
Run the following command: Install-Script -Name Get-WindowsAutoPilotInfo
This action places the script into the folder C:\Program Files\WindowsPowerShell\Scripts
Run the script : Get-WindowsAutoPilotInfo -Outputfile C:\temp\SCD.csv
The script will output the result in the C:\temp\SCD.csv file
Open the CSV file, add an OrderID at the end of each line (,1) and remove the header
Before change: (invalid header and no OrderID at the end)
After change: (header removed and OrderID added)
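The header removal and OrderID append described above, scripted in PowerShell as an added example (not code from the original post or from the Get-WindowsAutoPilotInfo script). It assumes the three column names the script wrote at the time; the OrderID value, the file paths and the sample values are placeholders.

```powershell
# Added example: turn the CSV written by Get-WindowsAutoPilotInfo (header row,
# three columns) into the header-less four-column file described above.
function ConvertTo-IntuneAutopilotCsv {
    param(
        [Parameter(Mandatory)] [string] $InputCsv,
        [Parameter(Mandatory)] [string] $OutputCsv,
        [string] $OrderId = '1',     # the ",1" added at the end of each line
        [int]    $MaxRows = 175      # row limit stated in the Intune import pane
    )

    $rows = @(Import-Csv -Path $InputCsv)   # assumed column names: see below
    if ($rows.Count -eq 0)        { throw "No devices found in $InputCsv" }
    if ($rows.Count -gt $MaxRows) { throw "$($rows.Count) rows exceed the $MaxRows-row limit; split the file" }

    $lines = @(foreach ($r in $rows) {
        $serial = $r.'Device Serial Number'
        $hash   = $r.'Hardware Hash'
        # A row without serial or hash is useless to Autopilot; stop rather than upload it
        if ([string]::IsNullOrWhiteSpace($serial) -or [string]::IsNullOrWhiteSpace($hash)) {
            throw "Row with missing serial number or hardware hash: $($r | ConvertTo-Json -Compress)"
        }
        '{0},{1},{2},{3}' -f $serial, $r.'Windows Product ID', $hash, $OrderId
    })

    # No header row; plain ASCII so the file carries no byte-order mark
    Set-Content -Path $OutputCsv -Value $lines -Encoding ascii
    return $lines.Count
}

# Constructed sample input with fake values, so the function can be tried offline.
# With a real export, point -InputCsv at C:\temp\SCD.csv instead.
$sampleCsv = @'
Device Serial Number,Windows Product ID,Hardware Hash
VMTEST001,00000-00000-00000-AAAAA,T0FBQUFBQUFBQUFBQUFBQUFBQQ==
'@
$in  = Join-Path $env:TEMP 'SCD-sample.csv'
$out = Join-Path $env:TEMP 'SCD-intune.csv'
Set-Content -Path $in -Value $sampleCsv
$count = ConvertTo-IntuneAutopilotCsv -InputCsv $in -OutputCsv $out
"$count device(s) written to $out"
Get-Content -Path $out
```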
Back in the Microsoft Intune Portal, select your CSV file and select Import at the bottom
You will receive an Import notification. It will take about 5-10 minutes
Device is imported
It will take a moment to show in your device list but will eventually appear. The device will also be visible from the Windows Store for Business portal. The device is now ready to use in an Autopilot deployment.
Sometimes Microsoft makes small changes under the hood that can hardly be tracked unless an issue comes up to flag them. The configuration of the Start Menu and Taskbar for Windows 10 has been a great challenge for administrators since the beginning, and it doesn't look like this will change anytime soon.
In Windows 10, version 1703, Export-StartLayout will use DesktopApplicationLinkPath for the .url shortcut. You must change DesktopApplicationLinkPath to DesktopApplicationID and provide the URL.
A simple note, with great implication!
Following our previous posts on Windows 10 Customization and how to modify the taskbar configuration, we will detail how to configure the start menu and taskbar with that latest indication from Microsoft.
Prerequisites
Windows 10 1703 and above
Windows 10 1803
Early tests indicate that Windows 10 1803 is no different and this applies to it as well.
Configure Start Menu Windows 10
Set up a Windows 10 Start Menu the way you would like to have it as the default
Start a PowerShell command window as administrator
Enter the following command line to export the Start Menu
Export-StartLayout -path C:\temp\StartMenu.xml
A StartMenu.xml is generated in the specified directory
Application links are using the DesktopApplicationLinkPath
In PowerShell, enter the following command:
Get-StartApps
This returns the list of all applications in the Start Menu
Locate the application that uses the DesktopApplicationLinkPath and take note of the AppID
Go back to the XML exported previously and replace the DesktopApplicationLinkPath with the DesktopApplicationID
Once this is completed, it can be added to your task sequence as explained in previous posts.
Important Info
If you wish to manage the Taskbar like we explained in our previous post, note that the DesktopApplicationLinkPath must be used as the DesktopApplicationID will not work.
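The replacement described above, done in PowerShell as an added example (not code from the original post). It rewrites every Start Menu tile that still uses DesktopApplicationLinkPath (going slightly beyond the .url case in the note) using the Name/AppID pairs from Get-StartApps, and deliberately leaves the CustomTaskbarLayoutCollection section alone because the taskbar still needs DesktopApplicationLinkPath. Assumptions: a shortcut's file name without extension matches its Get-StartApps Name; the sample layout and the AppID below are constructed placeholders.

```powershell
# Added example: swap DesktopApplicationLinkPath for DesktopApplicationID on Start
# Menu tiles only, using Name/AppID objects as returned by Get-StartApps.
function Convert-StartLayoutLinkPaths {
    param(
        [Parameter(Mandatory)] [string]   $LayoutXml,
        [Parameter(Mandatory)] [string]   $OutputXml,
        [Parameter(Mandatory)] [object[]] $StartApps   # objects with Name and AppID
    )

    [xml]$doc = Get-Content -Path $LayoutXml -Raw
    $appIdByName = @{}
    foreach ($app in $StartApps) { $appIdByName[$app.Name] = $app.AppID }

    # Start Menu tiles only: skip anything under the taskbar section of the same file,
    # which must keep DesktopApplicationLinkPath (see the note above)
    $xpath = "//*[@DesktopApplicationLinkPath][not(ancestor::*[local-name()='CustomTaskbarLayoutCollection'])]"
    $changed = 0
    foreach ($tile in $doc.SelectNodes($xpath)) {
        $link = $tile.GetAttribute('DesktopApplicationLinkPath')
        # Assumption: the shortcut name is the Start Menu entry name reported by Get-StartApps
        $name = [System.IO.Path]::GetFileNameWithoutExtension($link)
        if (-not $appIdByName.ContainsKey($name)) {
            Write-Warning "No Start Menu app named '$name' for '$link'; tile left unchanged"
            continue
        }
        $tile.RemoveAttribute('DesktopApplicationLinkPath')
        $tile.SetAttribute('DesktopApplicationID', $appIdByName[$name])
        $changed++
    }
    $doc.Save($OutputXml)
    return $changed
}

# Constructed layout: one Start tile and one taskbar pin, both pointing at a .url shortcut
$sampleLayout = @'
<LayoutModificationTemplate Version="1"
    xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
    xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
    xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
    xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout">
  <DefaultLayoutOverride>
    <StartLayoutCollection>
      <defaultlayout:StartLayout GroupCellWidth="6">
        <start:Group Name="Company">
          <start:DesktopApplicationTile Size="2x2" Column="0" Row="0"
            DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Intranet.url" />
        </start:Group>
      </defaultlayout:StartLayout>
    </StartLayoutCollection>
  </DefaultLayoutOverride>
  <CustomTaskbarLayoutCollection PinListPlacement="Replace">
    <defaultlayout:TaskbarLayout>
      <taskbar:TaskbarPinList>
        <taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Intranet.url" />
      </taskbar:TaskbarPinList>
    </defaultlayout:TaskbarLayout>
  </CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
'@

# Stand-in for Get-StartApps output (placeholder AppID); on a real machine use: $apps = Get-StartApps
$apps = @([pscustomobject]@{ Name = 'Intranet'; AppID = 'PLACEHOLDER-APPID-FROM-GET-STARTAPPS' })

$in  = Join-Path $env:TEMP 'StartMenu.xml'
$out = Join-Path $env:TEMP 'StartMenu-fixed.xml'
Set-Content -Path $in -Value $sampleLayout
$n = Convert-StartLayoutLinkPaths -LayoutXml $in -OutputXml $out -StartApps $apps
"$n tile(s) rewritten; the taskbar pin keeps its DesktopApplicationLinkPath"
Get-Content -Path $out
```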
Contributor of System Center Dudes. Based in Montreal, Canada, Senior Microsoft SCCM consultant, working in the industry for more than 10 years. He developed a strong knowledge of SCCM and MDT to build automated OS deployment solution for clients, managed large and complexe environment, including Point of Sale (POS) related projects.
The process of enrolling your Windows 10 computers in Intune should be as simple as possible for your users. If you're using Azure Active Directory in your organization, enrollment can happen automatically when a user joins their device to AAD. It couldn't be simpler. The process is the same whether you run Intune Standalone or Hybrid mode (integrated with SCCM).
Windows 10 Intune Automatic Enrollment Prerequisites
CNAME DNS Entry created on your domain for automatic name resolution
A valid Intune Tenant (Standalone or SCCM Integrated)
Azure Active Directory Premium enabled
For this post, we'll use a Windows 10 1703 device. The process is the same for Windows 10 1607 and slightly different for older versions, which are still supported.
Go to Intune / Device Enrollment / Windows Enrollment / CNAME Tester
Enter your domain and click on Test
Ensure that your test is successful
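The portal tester checks the same records you can verify from any workstation. The following is an added example, not from the original post: it resolves the enrollment CNAME and the optional device registration CNAME for a domain and compares them with the targets Microsoft documents for these records. The domain is a placeholder.

```powershell
# Added example (not from the original post): check the auto-enrollment CNAME
# records from a client before testing a device. Needs the DnsClient module
# (Windows 8 / Server 2012 and later).
function Test-IntuneEnrollmentCname {
    param([Parameter(Mandatory)][string]$Domain)

    # Documented targets: enrollment is required for MDM auto-enrollment,
    # registration is used for Azure AD device registration
    $expected = @{
        "enterpriseenrollment.$Domain"   = 'enterpriseenrollment-s.manage.microsoft.com'
        "enterpriseregistration.$Domain" = 'enterpriseregistration.windows.net'
    }

    foreach ($record in $expected.Keys) {
        try {
            $answer = Resolve-DnsName -Name $record -Type CNAME -ErrorAction Stop |
                      Where-Object { $_.QueryType -eq 'CNAME' }
            $target = @($answer.NameHost)[0]
        } catch {
            $target = $null     # NXDOMAIN or no CNAME at that name
        }
        [pscustomobject]@{
            Record   = $record
            Expected = $expected[$record]
            Actual   = $target
            Ok       = ($null -ne $target -and $target -ieq $expected[$record])
        }
    }
}

Test-IntuneEnrollmentCname -Domain 'contoso.com' | Format-Table -AutoSize   # placeholder domain
```

Run it from a machine that uses your public resolvers, not an internal DNS that may hold a split-horizon copy of the zone: the device enrolling from home resolves the public record.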
Verify Licences
We'll start by verifying that the Intune and Azure Active Directory Premium licenses are enabled for the account used in this test.
Open the Azure Portal
Go to Users and Groups / All Users
Select your Global Administrator Account
Select Licenses
Select the product linked with your service (In our case EMS E5)
Ensure that your Azure Active Directory Premium and Intune A Direct licenses are ON
Intune Configuration
We now need to enable Intune to accept automatic MDM enrollment requests.
Go to Azure Active Directory
Select Mobility (MDM and MAM) / Microsoft Intune
In MDM User Scope, select All or Some
All : All Users are enabled to enroll devices
Some : Specify a group to limit device enrollment to this group only
The 3 MDM URLs are filled in automatically. Do not change anything and click Save
We are now ready to automatically enroll a Windows 10 device in our Intune tenant.
Windows 10 Intune Automatic Device Enrollment
We will now test our enrollment procedure using a Windows 10 device.
Open the Start menu
Click on Settings
Select Accounts / Access work or school / Connect
Log in using an account in your domain and then select Next
Enter your password
If everything is set correctly, your device will be joined to Azure Active Directory and automatically enroll in Intune. Click Done
Verification
Go back to Settings and you'll see that your account is listed
Click on the account and validate the enrollment by clicking on Info
Your organization name is displayed at the top
If you followed the previous steps but still fail to connect, see the Microsoft documentation or use Export your management log files on the right. Consult the log file and refer to the MSDN documentation for the full list of error codes.
At this point you'll see your device in the Intune portal or in the SCCM console, depending on whether you're using Standalone or Hybrid mode.
SCCM :
Intune :
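The Settings page only tells you that an account is connected. The following is an added example, not from the original post: it reads the device-side state with dsregcmd /status (built into Windows 10) and, when no MDM URL is reported, pulls the most recent enrollment errors from the device management event log, which is the same data the Export your management log files button packages.

```powershell
# Added example (not from the original post): confirm AAD join and MDM
# enrollment on the device itself.
function Get-DsregStatus {
    # dsregcmd prints "Key : Value" lines; fold them into a hashtable
    $status = @{}
    foreach ($line in (dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

$s = Get-DsregStatus
[pscustomobject]@{
    AzureAdJoined = $s['AzureAdJoined']   # YES on a joined device
    TenantName    = $s['TenantName']
    MdmUrl        = $s['MdmUrl']          # populated only after MDM enrollment
} | Format-List

if ($s['AzureAdJoined'] -ne 'YES') {
    Write-Warning 'Device is not Azure AD joined.'
}
if ([string]::IsNullOrEmpty($s['MdmUrl'])) {
    Write-Warning 'No MDM URL reported: automatic enrollment did not happen.'
    # Latest enrollment errors; match the event Id / HRESULT against the MDM error list
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Level   = 2   # Error
    } -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message | Format-List
}
```

A device can be Azure AD joined with an empty MdmUrl when the user is outside the MDM user scope configured above, or when the account has no Intune license; those are the two checks to revisit first.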
Windows 10 Company Portal
The Company Portal app lets you find and download the available and required apps published by your IT department. If the Company Portal app is installed, you can use it to validate that the enrollment succeeded.
If you don’t have the Company Portal installed :
Select Start / Store
Use Search, type company portal
Select Company Portal / Install
Open the Company Portal; you'll see that you are automatically signed in and that your device is enrolled
Beginning with Windows 10 1709, you can't use WSUS to host Features on Demand and language packs for Windows 10 clients; they must be downloaded directly from Windows Update. That is the official Microsoft statement. At the time of writing it's still possible to download FoD media from VLSC or MSDN, so we are in a transition period, but it's clear where Microsoft is going. This post shows one method to install FoD using SCCM; there are alternatives when you download the files from VLSC or MSDN (hint: use DISM).
Features on Demand (FODs) are Windows feature packages that can be added at any time. When a Windows 10 PC needs a new feature, it can request the feature package from Windows Update.
If you use SCCM or WSUS for software updates, you need to change a Group Policy setting so that clients download these directly from Windows Update instead of your on-premises infrastructure. Without this policy, every installation attempt fails with error 0x800f0954, because the client looks for the feature on your on-premises servers and can't find it there.
You can also host Features on Demand and language packs on a network share, but starting with Windows 10 1809, language packs can only be installed from Windows Update. This is why we recommend the Group Policy method to redirect your clients to Windows Update for FoD and language packs.
To change this policy :
Open your group policy editor
Navigate to Computer Configuration\Administrative Templates\System
Enable the Specify settings for optional component installation and component repair policy
Check the Download repair content and optional features directly from Windows Update instead of Windows Server Update Services (WSUS) checkbox
Changing this policy only enables Features on Demand and language pack downloads from Windows Update. It doesn’t affect how clients get feature and quality updates deployed by SCCM.
Deploy a Feature on Demand using SCCM
To deploy a new Feature on Demand to your clients, you must understand a couple of things.
First, SCCM/WSUS can't host these features, so they are downloaded from the internet by the SCCM clients themselves.
The trick is to use the Add-WindowsCapability PowerShell cmdlet to request the feature you need. You can get the list of available Features on Demand from Microsoft Docs or with this PowerShell command:
Get-WindowsCapability -online
Each Feature on Demand has a state: Installed or Not Present. Depending on the Windows 10 version, the list of "Not Present" features differs. Follow the Microsoft documentation to see which features apply to your Windows version, or see the list yourself by running Get-WindowsCapability -Online.
For our example we run Windows 10 1809 and use SCCM to deploy XPS Viewer, but the same method works for any Feature on Demand; you just need to change the script to call the right capability name (in our example the capability name is XPS.Viewer~~~~0.0.1.0). We can also see that this feature is nearly 17 MB.
Hint: you can also install a series of features in a single command. For example, all Remote Server Administration Tools have capability names starting with "RSAT". So to install all of them on a Windows 10 1809 machine, simply use this command:
Deploy Features on Demand to client remotely using SCCM
To deploy FoD using SCCM you have two options. The first is the Scripts feature, available if you are running SCCM 1706 or later. The second is a standard package or application.
Script Feature
We’ll start by deploying it using the SCCM Script feature
In the SCCM Console, go to Software Library\Scripts
Create a new PowerShell script with this command (Change the FoD name if needed)
Get-WindowsCapability -Online | where name -like xps* | Add-WindowsCapability -Online
Complete the Script wizard
Approve your script by selecting it and click Approve on the top ribbon
Go to a test collection and right-click it, select Run Script
Select the script you just created
Validate Script Execution in the next screen. You can also monitor the script status in the console Monitoring\Script Status
Results
You can now validate that the Feature on Demand is installed on your test computer.
Using PowerShell: Get-WindowsCapability -Online | where name -like xps*
State should be Installed
In the Windows 10 Start Menu
XPS Viewer is installed
Further FoD installation logging can be found locally on the computer C:\Windows\logs\dism\dism.log
Package
If you prefer the good old Package method, you need to:
Create a PowerShell file FOD-Install.ps1 with this command :
Get-WindowsCapability -Online | where name -like xps* | Add-WindowsCapability -Online
Create a new Package with the source folder pointing to your PowerShell file
For the program, specify the following command line:
Deploy your package to your test collection (Available or Required)
Initiate a client policy refresh
The results will be the same as for script (see Result Section above)
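Both the Script feature and the Package method above run the same one-liner, which gives no useful feedback when it fails. The following is an added example, not the post's own script: it installs any capability matching a name pattern (XPS.Viewer* by default, RSAT* for all the admin tools), skips what is already installed, and turns the 0x800f0954 failure into a clear message by checking the registry value the policy from the previous section writes. The value name and meaning (RepairContentServerSource = 2 for Windows Update) are assumed from the Servicing policy; log path and patterns are placeholders you can change.

```powershell
# Added example (not from the original post): FoD install script suitable for
# an SCCM Script or Package. Exit code is the number of failures (0 = success).
param(
    [string[]]$NamePattern = @('XPS.Viewer*')   # e.g. @('RSAT*') for every RSAT capability
)

# Registry value written by "Specify settings for optional component installation
# and component repair"; 2 = download from Windows Update instead of WSUS (assumed)
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing'
$policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$fromWU    = ($null -ne $policy -and $policy.RepairContentServerSource -eq 2)

$failed = 0
foreach ($pattern in $NamePattern) {
    $caps = Get-WindowsCapability -Online | Where-Object { $_.Name -like $pattern }
    if (-not $caps) {
        Write-Warning "No capability matches '$pattern' on this build"
        $failed++
        continue
    }

    foreach ($cap in $caps) {
        if ($cap.State -eq 'Installed') {
            Write-Output "$($cap.Name): already installed"
            continue
        }
        try {
            $result = Add-WindowsCapability -Online -Name $cap.Name -ErrorAction Stop
            Write-Output "$($cap.Name): installed (restart needed: $($result.RestartNeeded))"
        } catch {
            $failed++
            # HResult comes back as a negative Int32; mask it to compare with the 0x800f0954 literal
            $hr = $_.Exception.HResult -band 0xFFFFFFFF
            if ($hr -eq 0x800f0954 -and -not $fromWU) {
                Write-Error ("{0}: 0x800F0954 and the Windows Update redirect policy is not applied " +
                             "({1}\RepairContentServerSource is not 2)") -f $cap.Name, $policyKey
            } else {
                Write-Error ("{0}: failed with 0x{1:X8}, see C:\Windows\Logs\DISM\dism.log" -f $cap.Name, $hr)
            }
        }
    }
}
exit $failed
```

Because SCCM reports the script's exit code, a wrong pattern or a client still pointed at WSUS shows up as a failure in Monitoring\Script Status instead of a silent "completed", and the error text tells the technician which of the two it was.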
We expect Microsoft to release more Features on Demand in upcoming Windows versions; we can clearly see where this is going. In a future post we'll cover language pack installation, which should be very similar. Stay tuned!
With the latest updates Microsoft released for Intune and Autopilot, it is becoming realistic to leave the task sequence behind in favour of Autopilot with Intune to deliver the computer standard an enterprise requires. While this will not be possible for every scenario, a standard PC used for administrative tasks can be delivered with many, if not all, of the required Windows 10 customizations through Intune and Autopilot.
While many of our previous Windows 10 customization tricks are still useful, the delivery is different from simply running scripts from a task sequence.
In this post, we go over multiple Windows 10 customizations, all done with Intune, in order to leverage Windows Autopilot. The ultimate goal is to replicate a standard deployment made with an SCCM or MDT task sequence.
This post is part of a series on Windows Autopilot that will be published in the following weeks. In the next posts, we will cover the following subjects :
Windows 10 Intune Autopilot Customization – SCD Guide
Our previous post covers everything about packaging Win32 apps with Intune. Assigning those applications to a group that leverages Autopilot installs them as soon as possible after the Autopilot process.
If you use multiple groups in a task sequence to deliver applications per type of user, this can also be matched in Intune. Creating assignments to user groups also makes it easy to refresh or replace a user's computer.
As covered in our Autopilot guide, the Enrollment Status Page prevents the user from using the computer while the initial setup completes. This includes Office installation and MSI applications; Win32 applications continue to install after this phase, as the Enrollment Status Page doesn't support Win32 apps yet.
Also note that Win32 application dependencies are coming soon to Microsoft Intune, which will give us even more options to match how a task sequence delivers mandatory applications.
How to customize Start menu with Intune
While there are some great solutions out there (like this one from Aaron Parker) to push the Start Menu the same way as within a task sequence, meaning you apply a default without enforcing any part of it, we prefer the built-in way: we push a partially locked Start Menu using a device restriction profile.
We had issues delivering a partially locked Start Menu along with the taskbar configuration when using DesktopApplicationID. Changing it all back to DesktopApplicationLinkPath fixed it for us!
Also note that Microsoft has again updated the documentation on this subject. Beginning with Windows 10 1809, the Start Menu configuration can be exported with the -UseDesktopApplicationID parameter.
Remember: always export the file associations from the Windows 10 version you plan to deploy. We've seen issues with that in the past!
How to customize background and logon screen
This one is interesting. While it is possible to set the wallpaper and logon screen images through Intune, both require the image to be hosted at a web address.
One of the ways to easily host the file is to use Azure Blob storage. (Big THANKS to @Per Larsen for the help on this one!)
Important Info
Note that hosting the file on SharePoint and sharing it with everyone/anonymous will not work; it still requires a Live ID authentication to access the file.
To host the image in an Azure blob, follow these steps:
Browse to Azure/Storage Account. Select an existing or create a new one.
Select Blobs and click +Container
Set a name, in lower case only, and select Blob(Anonymous read access for blobs only)
Double click on the newly created Blob, select Upload
Select your image and click Upload
Once uploaded, click on the file and a URL is shown. This is the URL to provide in the Intune configuration. It's a good idea to open the URL in an InPrivate window to validate that anonymous access works.
Browse to Intune/Device Configuration/Profiles and, under the properties of a Windows 10 device restriction profile, the two settings are available. Simply paste the blob URL.
To validate that the computer has received the configuration, browse the registry to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP
Note that the computer only downloads the image once. It downloads it again only when a change is detected; in that case, changing the file name makes follow-up easier.
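The portal clicks above can be replaced with the Az PowerShell module, which also makes the anonymous-access test explicit. The following is an added example, not from the original post: one function publishes the image to a container with anonymous read on blobs only (no listing) and returns the URL, a second checks it exactly as the device will fetch it (HTTPS, no credentials, an image content type), and a third reads back what the Personalization CSP recorded on an enrolled device. Resource group, storage account, container and file names are placeholders, and the script assumes Connect-AzAccount has already been run.

```powershell
# Added example (not from the original post): host the branding image and
# verify it before pasting the URL into the device restriction profile.
function Publish-BrandingImage {
    param(
        [string]$ResourceGroup = 'rg-intune-branding',            # placeholder
        [string]$Account       = 'stintunebranding',              # placeholder
        [string]$Container     = 'branding',                      # lower case only
        [string]$File          = 'C:\temp\wallpaper-2019-01.jpg'  # versioned name: the device only re-downloads on change
    )
    $ctx = (Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $Account).Context
    if (-not (Get-AzStorageContainer -Name $Container -Context $ctx -ErrorAction SilentlyContinue)) {
        # -Permission Blob = anonymous read of individual blobs, no container listing.
        # Keep only files meant to be public in this container.
        New-AzStorageContainer -Name $Container -Permission Blob -Context $ctx | Out-Null
    }
    Set-AzStorageBlobContent -File $File -Container $Container -Context $ctx -Force | Out-Null
    return "$($ctx.BlobEndPoint)$Container/$(Split-Path -Leaf $File)"
}

function Test-AnonymousImageUrl {
    param([Parameter(Mandatory)][string]$Url)
    # Same conditions the device needs: HTTPS, no credentials, HTTP 200, image content
    if ($Url -notmatch '^https://') { return $false }
    try {
        $r = Invoke-WebRequest -Uri $Url -Method Head -UseBasicParsing -ErrorAction Stop
        return ($r.StatusCode -eq 200 -and "$($r.Headers['Content-Type'])" -like 'image/*')
    } catch {
        return $false
    }
}

function Get-PersonalizationCspState {
    # Run on an enrolled device: URL, local cache path and status written by the CSP
    Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP' -ErrorAction SilentlyContinue |
        Select-Object * -ExcludeProperty PS*
}

# Admin workstation side
$url = Publish-BrandingImage
if (Test-AnonymousImageUrl -Url $url) {
    Write-Output "Paste into the device restriction profile: $url"
} else {
    throw "Anonymous access check failed for $url"
}
```

Anything placed in that container is world-readable, so use a dedicated container for branding images rather than reusing one that also holds scripts or installers.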
How to turn off Windows Spotlight
Windows Spotlight is one of those "not so enterprise" features that we often disable as part of a Windows 10 configuration. It provides dynamic lock screen images, and suggested apps and services in the Start Menu and on the lock screen.
Important Info
This is only available for Windows 10 Education and Enterprise editions. If you are running the Pro edition, it can't be disabled.
To disable Windows Spotlight, under Device restrictions for Windows 10, select Windows Spotlight and toggle Block on the desired settings.
How to remove default appx installed
This task works exactly the same way as within a task sequence. Jörgen Nilsson from CCMExec wrote a great post about running it in a task sequence.
To add it to Intune/Autopilot, follow these steps:
Browse to Intune/Device configuration/Profiles and select PowerShell scripts
Provide a name and the PowerShell script
Once created, make sure you assign the script to a group that is processed at Autopilot time
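The following is an added example of the kind of script assigned in the step above; it is not Jörgen Nilsson's script. It removes a fixed list of consumer apps both for existing users and from the provisioned image, so profiles created later don't get them back, and it keeps a transcript under ProgramData for troubleshooting. The app list and log path are assumptions; the Store and Company Portal are explicitly protected because a mistake there breaks app delivery.

```powershell
# Added example (not from the original post): remove built-in consumer apps
# during Autopilot. Runs as SYSTEM from the Intune management extension.
$remove = @(
    'Microsoft.BingNews', 'Microsoft.BingWeather', 'Microsoft.GetHelp',
    'Microsoft.Getstarted', 'Microsoft.MicrosoftOfficeHub',
    'Microsoft.MicrosoftSolitaireCollection', 'Microsoft.SkypeApp',
    'Microsoft.XboxApp', 'Microsoft.ZuneMusic', 'Microsoft.ZuneVideo'
)
# Never remove these, whatever ends up in $remove
$keep = @('Microsoft.WindowsStore', 'Microsoft.CompanyPortal')

$logDir = Join-Path $env:ProgramData 'IntuneScripts'   # placeholder log location
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
Start-Transcript -Path (Join-Path $logDir 'Remove-Appx.log') -Append

foreach ($name in ($remove | Where-Object { $_ -notin $keep })) {
    # Installed copies for every user profile already on the device
    Get-AppxPackage -AllUsers -Name $name -ErrorAction SilentlyContinue |
        Remove-AppxPackage -AllUsers -ErrorAction SilentlyContinue

    # Provisioned copy, otherwise the app comes back for each new user
    Get-AppxProvisionedPackage -Online |
        Where-Object { $_.DisplayName -eq $name } |
        Remove-AppxProvisionedPackage -Online -ErrorAction SilentlyContinue | Out-Null

    Write-Output "Processed $name"
}

# What is still provisioned, for the transcript
Get-AppxProvisionedPackage -Online | Select-Object -ExpandProperty DisplayName
Stop-Transcript
```

Tick the option to run the script in the 64-bit PowerShell host when you create it in Intune; the Appx cmdlets behave differently from the 32-bit host the management extension uses by default.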
How to upgrade Windows Pro to Enterprise
The first option is to upgrade Windows 10 Pro to Enterprise by providing the product key through Intune. This option is well detailed in the following blog post by Microsoft.
The second option to promote it to Windows 10 Enterprise is Windows 10 Subscription Activation. This simply consists of assigning the user a valid license that includes Windows 10 Enterprise, such as Microsoft 365 E3.
Without doing anything more, a computer provisioned with Autopilot is automatically upgraded to Windows 10 Enterprise.
For more details about Windows 10 Subscription, see Microsoft docs
How to enable BitLocker
The following blog post by Courtenay Bernier explains it in detail. Even if it is a bit dated, it's still accurate for the most part!
To enable the encryption, set Encrypt devices to Require.
Important Info
Make sure to set Warning for other disk encryption to Block. This prevents a user prompt from holding off the automatic encryption of the disk.
Two key settings are Save BitLocker recovery information to Azure Active Directory and Store recovery information in Azure Active Directory before enabling BitLocker. They bring the BitLocker configuration to pretty much the same level as on-premises solutions.
For those who used Microsoft BitLocker Administration and Monitoring (MBAM), Microsoft just released, in public preview, the Encryption report and the BitLocker recovery keys view to provide a similar level of administration and monitoring.
To access the Encryption report, browse to Intune/Device Configuration under the Monitoring section.
The report will give details about the OS version, TPM version, encryption readiness, and status.
To access the recovery keys, browse to Intune/Devices/All devices, select a device, and look under the Monitor section.
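The Encryption report tells you what Intune believes; it is worth confirming on the device that the policy took effect and that a recovery password is actually escrowed, since the recovery keys view is empty otherwise. The following is an added example, not from the linked post: it gathers TPM and BitLocker state for the system drive with the built-in TrustedPlatformModule and BitLocker modules, backs up every recovery password protector to Azure AD with BackupToAAD-BitLockerKeyProtector (harmless if the policy already did it), and warns when the drive is not protected.

```powershell
# Added example (not from the original post): device-side BitLocker check for
# an Autopilot deployment. Run elevated.
function Get-BitLockerReadiness {
    $tpm = Get-Tpm
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    [pscustomobject]@{
        TpmPresent         = $tpm.TpmPresent
        TpmReady           = $tpm.TpmReady
        VolumeStatus       = $vol.VolumeStatus       # FullyEncrypted, EncryptionInProgress, FullyDecrypted
        ProtectionStatus   = $vol.ProtectionStatus   # On / Off; Off means the protectors are suspended or absent
        EncryptionMethod   = $vol.EncryptionMethod
        HasTpmProtector    = [bool]($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Tpm' })
        RecoveryProtectors = $recovery.Count
    }
}

function Backup-RecoveryPasswordsToAad {
    # Escrow each recovery password; this is what the AAD backup policy setting does
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $done = 0
    foreach ($kp in ($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $kp.KeyProtectorId | Out-Null
        $done++
    }
    return $done
}

$state = Get-BitLockerReadiness
$state | Format-List

if (-not $state.TpmReady) {
    Write-Warning 'TPM is not ready; silent encryption through the Intune policy will not start.'
}
if ($state.ProtectionStatus -ne 'On' -or $state.VolumeStatus -eq 'FullyDecrypted') {
    Write-Warning "BitLocker is not protecting $env:SystemDrive. Check the Intune policy and the 'Warning for other disk encryption' setting."
} elseif ($state.RecoveryProtectors -eq 0) {
    Write-Warning 'No recovery password protector: nothing can be escrowed to Azure AD.'
} else {
    Write-Output "Backed up $(Backup-RecoveryPasswordsToAad) recovery password(s) to Azure AD."
}
```

A drive that shows EncryptionInProgress with ProtectionStatus On is the normal state shortly after Autopilot; a drive stuck at FullyDecrypted usually means the encryption warning was not blocked or the TPM was not ready when the policy arrived.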
Windows 10 intune autopilot customization – Conclusion
We will later cover other aspects of computer customization like Windows Updates and GPO in upcoming blog posts.
To conclude, Windows Autopilot is still a young technology compared to SCCM/MDT task sequences, which have been around for years. With support for Win32 apps and the ability to do all these customizations, it is now realistic to leverage Windows Autopilot to standardize computer configurations.
Leave us a comment below if we forgot a classic OSD modification that is a showstopper for moving to Windows Autopilot.