Tuesday, September 29, 2015

Apple iPad Pro vs Microsoft Surface Pro 3 specs

The iPad Pro was announced recently, and it is a Surface Pro 3 look-alike. The new iPad Pro can be used with a keyboard and stylus too. For me the Surface Pro 3 is still a great device, and that is after using it for almost a year now. With Windows 10 running for a few months the device is even better. There is less fan noise and the overall experience is way better. Let's have a look at a nice comparison of the specs!

Just click on the picture for a better view :)

Source: Neowin

Additional sources:
Want to use Office on your new iPad Pro? Then you’ll need an Office 365 subscription
The iPad Pro is too big to get Office apps for free, says Microsoft

Friday, September 25, 2015

Xian NM 2012 SP4 has been released! - Jalasoft

Sponsor post

Introducing Service Pack 4 for Xian NM 2012. We’re proud to announce the release of our brand new Service Pack which comprises drastic improvements and enhancements, especially when talking about our brand new Topology Diagram feature, new Dashboards feature and improved Flow monitoring. Our solution keeps evolving and continues to answer the needs of customers looking to monitor their networks in a deep and efficient manner.

Please read below for further information.
Xian NM 2012 SP4 What's new / Press Release

Or: Download now

Wednesday, September 23, 2015

Cannot edit the object, which is in use by User at Site XYZ

While using Edit Membership on Software Updates I got the following error message: Cannot edit the object, which is in use by User at Site XYZ. This happened because the ConfigMgr console crashed while editing the object.

The following must be done to free the object again. First find the lock record (SEDO stands for Serialized Editing of Data Objects). The query for this is:

select * from SEDO_LockState where LockStateID <> 0

Use the appropriate information to remove the record related to the object. The query for this is:

DELETE from SEDO_LockState where LockID = '<LockID of the record identified in the previous query>'

Once the record is removed, you should be able to modify the object again. Hope it helps!
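The two queries above, wrapped so that the delete runs in a transaction and only commits when exactly one lock row was removed. This is an added example, not code from the original post: the function names are hypothetical, the server and database names are placeholders, only the table and columns named above are used, and Windows PowerShell with integrated authentication to the site database is assumed.

```powershell
# Added example. Function names are hypothetical; server/database are placeholders.
function New-SiteDbConnection {
    param([string]$SqlServer, [string]$Database)
    # The builder escapes the values instead of splicing them into a string.
    $builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $builder['Data Source'] = $SqlServer
    $builder['Initial Catalog'] = $Database
    $builder['Integrated Security'] = $true
    New-Object System.Data.SqlClient.SqlConnection -ArgumentList ($builder.ToString())
}

function Get-SedoLock {
    param(
        [Parameter(Mandatory = $true)][string]$SqlServer,
        [Parameter(Mandatory = $true)][string]$Database
    )
    $connection = New-SiteDbConnection $SqlServer $Database
    try {
        $query   = 'SELECT * FROM SEDO_LockState WHERE LockStateID <> 0'
        $adapter = New-Object System.Data.SqlClient.SqlDataAdapter -ArgumentList $query, $connection
        $table   = New-Object System.Data.DataTable
        [void]$adapter.Fill($table)      # Fill opens and closes the connection itself
        $table.Rows
    }
    finally { $connection.Dispose() }
}

function Remove-SedoLock {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][string]$SqlServer,
        [Parameter(Mandatory = $true)][string]$Database,
        [Parameter(Mandatory = $true)][string]$LockID   # taken from Get-SedoLock output
    )
    if (-not $PSCmdlet.ShouldProcess("LockID $LockID", 'Delete SEDO lock record')) { return }

    $connection = New-SiteDbConnection $SqlServer $Database
    $connection.Open()
    try {
        $transaction = $connection.BeginTransaction()
        $delete = $connection.CreateCommand()
        $delete.Transaction = $transaction
        # Parameterised, and limited to active locks like the SELECT above.
        $delete.CommandText = 'DELETE FROM SEDO_LockState WHERE LockID = @LockID AND LockStateID <> 0'
        [void]$delete.Parameters.AddWithValue('@LockID', $LockID)
        $rows = $delete.ExecuteNonQuery()

        if ($rows -eq 1) {
            $transaction.Commit()
            Write-Output "Removed lock $LockID"
        }
        else {
            # Zero or several rows means the LockID was not what we expected.
            $transaction.Rollback()
            Write-Warning "Expected 1 row, the delete matched $rows; rolled back."
        }
    }
    finally { $connection.Dispose() }
}

# Usage (placeholders):
# Get-SedoLock    -SqlServer '<sql server>' -Database '<site database>'
# Remove-SedoLock -SqlServer '<sql server>' -Database '<site database>' -LockID '<LockID>'
```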

You must have local Administrator permissions to install this software

When upgrading ConfigMgr 2012 SP2 to 2012 R2 SP1, the following message is displayed: "You must have local Administrator permissions to install this software". 
The trick is that you must start splash.hta with Administrator permissions. This isn't possible by right-clicking the file.

Dutch error message

Solution: Just start an Elevated Command Prompt (Run as Administrator) and execute splash.hta from there. 
Then it will install fine after all :-)

Hope it helps!

Monday, September 21, 2015

How to delete multiple driver categories in ConfigMgr at once?

When using Dell Client Configuration Toolkit (CCTK) within ConfigMgr you can import drivers automatically, assign driver categories and create driver packages. Sounds easy, doesn't it? Recently I had a ConfigMgr environment at a customer location with hundreds of driver categories. They were all named the same and they are an administrative nightmare for sure. The known categories from Dell were E7250_7250 and E7450_7450. Unfortunately you cannot delete all these categories at once.

When you go to Manage Categories, select them all (which must be done one by one) and choose delete, it only deletes the first one selected. It seems the multiple selection only works for assigning drivers, not for deleting or renaming them. Doing it one by one will take an entire day of clicking for sure. Therefore I used the following PowerShell command, which does the job in seconds.

Get-WmiObject -Namespace "root\sms\site_xxx" -Class "SMS_CategoryInstance" |
    ? { $_.CategoryTypeName -eq "DriverCategories" -and $_.LocalizedCategoryInstanceName -like "yyy" } |
    % { Write-Host "Deleting category $($_.LocalizedCategoryInstanceName)..."; $_.Delete() }

Just make sure to replace "xxx" in the WMI namespace with your site code and "yyy" with "E7250_7250" or another model. After that the ConfigMgr database will be clean and clear again :-)
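A more cautious variant of the command above, as an added example that is not from the original post: it filters on the category type at the SMS Provider, supports -WhatIf and -Confirm so the matching categories can be previewed before anything is deleted, and reports failures per category. The function name and its parameters are hypothetical; the WMI namespace, class and property names are the ones used above.

```powershell
# Added example. Remove-DriverCategory and its parameters are hypothetical names.
function Remove-DriverCategory {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Site code, the "xxx" in root\sms\site_xxx
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[A-Za-z0-9]{3}$')]
        [string]$SiteCode,

        # Category name; -like wildcards are honoured, so be specific
        [Parameter(Mandatory = $true)]
        [string]$Name,

        # Assumption: the SMS Provider is on the local machine unless stated
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Server-side filter on the category type, client-side match on the name.
    $categories = @(
        Get-WmiObject -ComputerName $ComputerName `
                      -Namespace "root\sms\site_$SiteCode" `
                      -Class 'SMS_CategoryInstance' `
                      -Filter "CategoryTypeName = 'DriverCategories'" |
            Where-Object { $_.LocalizedCategoryInstanceName -like $Name }
    )

    Write-Verbose "$($categories.Count) driver categories match '$Name'."

    foreach ($category in $categories) {
        $label = $category.LocalizedCategoryInstanceName
        if ($PSCmdlet.ShouldProcess($label, 'Delete driver category')) {
            try {
                $category.Delete()
                Write-Output "Deleted category $label"
            }
            catch {
                Write-Warning "Could not delete ${label}: $($_.Exception.Message)"
            }
        }
    }
}

# Preview first, then delete without a prompt per category:
# Remove-DriverCategory -SiteCode 'xxx' -Name 'E7250_7250' -WhatIf
# Remove-DriverCategory -SiteCode 'xxx' -Name 'E7250_7250' -Confirm:$false
```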

Source: Delete multiple driver admin categories?

Thursday, September 17, 2015

My experience with ConfigMgr 2012 R2 SP1 and Intune in Hybrid scenario

In the last months I did multiple ConfigMgr implementations in a Hybrid scenario. That means that a Microsoft Intune (SAAS) subscription is connected, and ConfigMgr is set as Management Authority. Combining both solutions has a great benefit: managing all devices (desktops, notebooks, servers, Mac clients and mobile devices) from a single management console. I did multiple blogposts on that as well, which are included at the end of this post. Let's have a closer look.

When the Microsoft Intune subscription is connected, configuration is needed for the different (mobile) platforms. They are not hard to configure, but need different certificates for management. Let's have a look at the options available:

When enrolling Android devices no certificate is needed. Enrollment is done by installing the company portal. The downside is that there's less to manage on this operating system. Both compliance policy and configuration items (fewer settings) can be configured. Not the best experience on this one for me. Depends on the device maybe?

When enrolling iOS devices an Apple Push Notification (APN) certificate is needed. This one is free and valid for 12 months. I like to enroll iPads because of the fast communication and great screen. Enrollment is done by installing the company portal. Optionally you can choose the DEP (Device Enrollment Program) and VPP (Volume Purchase Program) programs. That way you have over-the-air zero touch enrollment, and applications can be quickly installed without the need for manual actions every time. This is because when doing required app deployment you must approve them one by one. With these programs this isn't needed anymore. Both compliance policy and configuration items (many settings) can be configured. Best experience for me so far.

When enrolling Windows Phone (WP) devices a Symantec certificate is needed (most of the time). Enrollment is done by using workplace join and installing the company portal. For WP 8.1 devices the Symantec certificate is needed only for signing line-of-business apps. Enrollment is quick and easy, but I prefer the iOS way myself. When enrolling Windows 10 (Mobile) the behavior is the same. Just by using workplace join, device management becomes available in ConfigMgr. I hope this experience becomes better in ConfigMgr 2016 (available soon) with Windows 10 (Mobile). That way Microsoft has the best solution available for device management. For some customers I like to use DEP and VPP for easy enrollment and app deployment. This is because of over-the-air zero touch enrollment, and easy app installation.

On multiple operating systems I have almost the same behavior for now. Enrollment and compliance settings are quick and easy. Configuration items however are slow and unstable. You can choose to deploy them to user/device collections (or both, depends on the setting?), but sometimes they work, sometimes not.
Example: I did an enrollment on an iPad, had the compliance policy in 1/2 minutes and the configuration baseline in 10/15 minutes. I installed some apps and they became available on screen. After that I unenrolled the device. Apps are gone, configuration baseline is gone, compliance policy is not required anymore. Just great. Then I did another enrollment on the device. I had the compliance policy in 1/2 minutes again and installed the apps again. But the configuration baseline never came back. That's sad and not reliable.

Hope this part will be better (and quicker) in a next release. For now I hope to do way more on Hybrid scenario :) Stay tuned for more!

Other blogposts about this topic:
How to reset your MDM authority in Microsoft Intune

Note: Most captures in Dutch, sorry for that :)

Tuesday, September 15, 2015

Update ConfigMgr 2012 R2 SP1 with Windows 10 boot images

When installing ConfigMgr 2012 R2 SP1, Windows 8.1 ADK is needed as a prerequisite. You can however upgrade to Windows 10 ADK after installation. Let's have a look. First download Windows 10 ADK from Download kits and tools for Windows 10. At the bottom of the page you will find the Download button. When using ConfigMgr 2016 (Technical Preview), Windows 10 ADK can be used from the start already.

Before this can be installed, it's needed to uninstall Windows 8.1 ADK first. After that start adksetup.exe for Windows 10. During setup multiple components must be selected, three of them are the same as in Windows 8.1 ADK. Imaging and Configuration Designer (ICD) is a new one, which is needed to configure Windows 10 settings.

Just select these four items and choose to install them. After installation however, boot images are still on Windows 6.3 (which is Windows 8.1). This is because boot images must be updated manually. You can choose to change existing boot images or create new ones.

Here are the paths to both boot images:
-x86: C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\en-us\winpe.wim
-x64: C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim

Just copy (and rename) them to the <ConfigMgr folder>\OSD\Boot\i386 and x64 folders. Within the Boot images properties change the Data source location for both files or create new Boot images to the location. Just make sure to select -Distribute Content- and -Deploy this boot image from the PXE-enabled distribution point- (properties) as well. After that both boot images will be on v10.0.10240.16384 which is fine.

Note: As mentioned on TechNet Blogs, don't forget to reboot after ADK installation. Otherwise boot images won't get updated on the DP.

Source: How to switch to Windows 10 ADK on ConfigMgr 2012 R2 SP1

Hope it helps!

Friday, September 11, 2015

Using ConfigMgr 2012 R2 SP1 and Microsoft Intune in a Hybrid configuration

Within my daily job I'm doing Configuration Manager (ConfigMgr) and Endpoint Protection (SCEP) consultancy and training a lot. ConfigMgr is a great product for managing on-premises devices, like servers, desktops and notebooks. With Microsoft Intune, Mobile Device and Application Management on tablets and smartphones can be done. This is a standalone Software as a service (SAAS) solution which exists for multiple years now. When integrating both solutions, you have a Hybrid configuration in-place.

The benefit of using a Hybrid configuration is integration! You can manage Windows, Mac and Mobile devices within a single management console. Just make sure to set the management authority (which can be set on Office 365, Intune or Configuration Manager) on the right one. When it's set on Configuration Manager no management has to be done in the SAAS console anymore. Just use collections, applications and policies which are in ConfigMgr by default, to manage mobile devices as well. On the different clients, an Intune Company Portal needs to be installed for management.

In recent years Microsoft has done a good job of improving speed on client communication and policies. That way you can enroll a mobile device in a few minutes, publish policies and applications, and set an unenrollment (when needed) all within approx. 15/20 minutes. When forcing a Reset passcode (new passcode must be entered) or Remote lock (device is locked and passcode needs to be set again), it will be active in approx. 1/2 minutes. During unenrollment all configuration and apps are removed as well. Reasons enough to stay enrolled.

With Windows 10 Mobile coming, the richest set on policies can be configured. When creating policies (configuration items), you will see the difference on Android, iOS and Windows (Phone) platforms. Hope that will be better and easier in the future. It's possible also to deploy applications (from the different app stores) and weblinks to mobile devices. You can choose to open them in a web browser or install them. During installation a shortcut is created in Apps, so no need to open the Intune Company Portal again.

Hope to have some real experience on Windows 10 (Mobile) soon. It looks like the choice is really easy now! Just use Windows 10, Azure Active Directory (AAD), Enterprise Mobility Suite (EMS/Intune) and ConfigMgr from now on. That way Microsoft can convince you on the new generation available, which is Mobile first, Cloud first. Windows as a service, ConfigMgr as a service (2016) and Software as a service! I'm very excited about this, hope you are too?!

The following can be found on the "In the cloud" blog:
While there have been many improvements to the MDM capabilities, not every management capability exists – yet. To solve for this, we have effectively built a “bridge” between the ConfigMgr agent and the MDM agent which enables the agents to co-exist and expose all the existing manageability that you know today – as well as the new functionality that is being exposed via MDM to be manageable from the ConfigMgr console. No one else (traditional PC management or EMM vendor) has done any work like this. This is another HUGE reason that ConfigMgr + EMS is your best solution for deploying and managing Windows 10.

Just great if you ask me :-)

Thursday, September 10, 2015

Windows Phone Apps cannot be deployed in ConfigMgr 2012 R2 SP1

Within ConfigMgr and Intune it's possible to import mobile apps for Microsoft, Apple and Google. When adding Windows Phone app packages from the Windows Phone Store however, you may have an issue as described below.

As an administrator, when you use ConfigMgr, you experience the following symptoms: When you click the Browse button in the Create Application Wizard to create a valid link in the Windows Phone app package browser, the link is not resolved and you cannot click OK. When you try to provide the location manually instead of by using the Browse button, you receive the following error message: Specify a valid link to a Windows Store app.

This occurs even when you use a valid link in the following format: https://www.microsoft.com/locale/store/type/AppName/AppID
You can still use the following old format in the Location field: https://www.windowsphone.com/locale/store/app/AppName/GUID

When you use ConfigMgr app compliance policies to try to create an Allowed Apps or Blocked Apps list for Windows Phone 8.1 devices, you cannot create the list. 

With Intune (standalone) no issue is seen when adding a LinkedIn URL (Dutch).
When doing the same in ConfigMgr, you get an error message mentioning the URL is invalid.

Luckily for me, Microsoft has released a hotfix for this. It can be applied on both ConfigMgr 2012 R2 SP1 (RTM) and CU1. Just have a look here: Hotfix Download Available. After installing the hotfix the issue is gone immediately :-)

Thanks to Peter van der Woude (@pvanderwoude) and Frans Oudendorp (@oudendorp) for support on this.

Wednesday, September 9, 2015

Installing ConfigMgr 2016 Technical Preview 3

On August 19th ConfigMgr Technical Preview 3 became available. This is the third preview of ConfigMgr 2016, which is expected in Q4 this year. With every preview new functionality and features are added. More about this can be found on the System Center Configuration Manager Team Blog. During installation a new feature is displayed; it's called Connected Configuration Manager or Cloud service if you wish. It mentions: Keep your ConfigMgr up-to-date by connecting to our cloud service. Connecting to the cloud service brings many benefits such as receiving new updates and features for ConfigMgr.

After installation a Cloud connection point is installed on the site server. This can be set Online or Offline for the moment. Let's have a look at the possibilities.
-Online mode creates a persistent connection to the ConfigMgr cloud service and proactively notifies you of updates.
-Offline mode requires you to run the Cloud Connection tool to set the initial configuration of the role and configure notifications.

When looking on TechNet Library it mentions:
When you install the Technical Preview 3 it automatically installs and configures a new site system role on the site server, the cloud connection point. When this role installs it defaults to:
-Online mode
-A data collection level of Enhanced

When this role is online, it enables Microsoft to automatically collect diagnostics and usage data over the Internet. Information that is collected helps us identify and troubleshoot problems as well as improve our products and services.
The three levels of data collection that are planned for future releases include:
-Basic includes data about setup and upgrade like the number of sites and which Configuration Manager features are enabled. No personally identifiable information will be transmitted.
-Enhanced includes the data in the Basic setting plus transmits data about the hierarchy, how each feature is used (frequency and duration), and enhanced diagnostic information like the memory state of your server when a system or app crash occurs. No personally identifiable data will be transmitted.
-Full includes the data in the Basic and Enhanced settings and also sends advanced diagnostic information like system files and memory snapshots. This option may include personally identifiable information, but we won’t use that information to identify or contact you, or target advertising to you.

It seems the Cloud connection point is not used for updates only; it collects diagnostics and usage data (over the Internet) as well. Probably you cannot choose to receive updates only. Microsoft wants to collect diagnostics and usage data as well, and as a benefit you will receive updates in return. With this feature ConfigMgr-as-a-service is born! Hope it will be more detailed in a next release :-)

When starting the new ConfigMgr console (look and feel) there are not many changes in this release. But with the Cloud connection point in-place, anything is possible!

Monday, September 7, 2015

Software Update Error 0x80004005 on client systems

Just when you thought you've seen all known issues, you get another one. This time a client didn't get updates for several months. In almost all Software Update logfiles (UpdatesDeployment.log, WindowsUpdate.log, WUAHandler.log) the error message is the same: Software Update Error: 0x80004005. In the CCMCache no updates were found for several months. This was the case for both Windows updates and Endpoint Protection (SCEP) updates.

The UpdatesDeployment.log shows:
Job error (0x80004005) received for assignment ({<?>}) action
Updates will not be made available

The WindowsUpdate.log shows:
WinHttp: SendRequestToServerForFileInformation failed with 0x801901f7
WinHttp: ShouldFileBeDownloaded failed with 0x801901f7

The WUAHandler.log shows:
Unable to find or read WUA Managed server policy.
Unable to read existing WUA Group Policy object. Error = 0x80004005.
Enabling WUA Managed server policy to use server: <?>
Failed to Add Update Source for WUAgent of type (2) and id ({<?>}). Error = 0x80004005.

Lucky me I found the following blogpost: Microsoft TechNet
It mentions: Had the same issue.  Issue appears to be with corrupt policy info locally on the machine. Typically going to C:\Windows\System32\GroupPolicy\Machine and delete Registry.pol  As soon as I do that I can tell the client to perform an updates scan and all is well. More than likely there is a more elegant solution, but that resolves this error message for me.

I did indeed find a Registry.pol file, which was last updated several months ago. I deleted the file, and did a GPUpdate /force after that. When starting Machine policy retrieval after that you will see that the error is gone. I installed 1GB of updates after that :-)
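A way to check the file before touching it, as an added example that is not from the original post: it reports how old the machine Registry.pol is and whether it starts with the "PReg" signature and version 1 that a well-formed policy file has, then moves the file aside (a swap for the delete described above, so a copy is kept) and runs gpupdate /force. Function names are hypothetical, and an elevated Windows PowerShell prompt is assumed.

```powershell
# Added example. Function names are hypothetical; run from an elevated prompt.
$script:MachinePol = "$env:windir\System32\GroupPolicy\Machine\Registry.pol"

function Test-RegistryPol {
    param([string]$Path = $script:MachinePol)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{
            Path = $Path; Exists = $false; ValidHeader = $false
            LastWriteTime = $null; AgeDays = $null
        }
    }

    $file  = Get-Item -LiteralPath $Path -Force
    $bytes = [System.IO.File]::ReadAllBytes($file.FullName)

    # A well-formed file starts with the ASCII signature "PReg"
    # followed by a little-endian DWORD version of 1.
    $valid = $bytes.Length -ge 8 -and
             [System.Text.Encoding]::ASCII.GetString($bytes, 0, 4) -ceq 'PReg' -and
             [System.BitConverter]::ToUInt32($bytes, 4) -eq 1

    [pscustomobject]@{
        Path          = $file.FullName
        Exists        = $true
        ValidHeader   = $valid
        LastWriteTime = $file.LastWriteTime
        AgeDays       = [int]((Get-Date) - $file.LastWriteTime).TotalDays
    }
}

function Reset-MachineRegistryPol {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([string]$Path = $script:MachinePol)

    $state = Test-RegistryPol -Path $Path
    if (-not $state.Exists) {
        Write-Warning "No Registry.pol at $Path, nothing to reset."
        return $state
    }

    # Keep the old file for later inspection instead of deleting it.
    $backup = "$Path.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    if ($PSCmdlet.ShouldProcess($Path, "Move to $backup and run gpupdate /force")) {
        Move-Item -LiteralPath $Path -Destination $backup
        & gpupdate.exe /force | Out-Null
        # After the refresh a new file should exist with a current timestamp.
        return Test-RegistryPol -Path $Path
    }
    $state
}

# Test-RegistryPol                 # inspect only
# Reset-MachineRegistryPol -WhatIf # show what would be done
```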

Thursday, September 3, 2015

My findings after a ConfigMgr migration with Site servers through Europe

Last month (July) I did another large ConfigMgr deployment. Last time I did an implementation with remote Site servers placed in almost all continents. This time I did a migration on a ConfigMgr 2007 Primary site and eight (8) Secondary site servers. It was needed also to install a Public Key Infrastructure (PKI) and Distribution & Management points on HTTPS because of MAC OS X management. Furthermore I installed Shavlik Patch for third-party updates.

Within ConfigMgr 2007 it was normal to install Secondary site servers because of bandwidth management. In ConfigMgr 2012 this isn't needed anymore, because this functionality is available on remote Distribution points too. Therefore I installed a new ConfigMgr 2012 Primary site server and eight (8) remote Distribution points. For MAC OS X management I installed another Site server with multiple roles needed for HTTPS communication.

Special tasks provided during implementation:
-Application Catalog (doesn't work out-of-the-box always)
-Asset Intelligence - Software (empty by default, but useful when configured)
-Compliance Settings - Configuration Items and Baselines (Windows and Mac systems)
-Mac OS X management (PKI, certificates and roles for HTTPS communication)
-Shavlik Patch (download and publish third-party updates)

Special collections created for overview:
-Departments (all departments)
-Locations (all locations)
-Operating Systems (all operating systems)
-System Type (all system types)
Queries on Computer name, Model and System Type are used.
With all queries available and nested collections, you can create anything you want! :-)

Special tasks provided during OS deployment:
-BIOS Configuration Utility (HP)
-Define Active Directory OU Location
-Set BIOS Password when not available (HP)
-Use applications instead of packages
-Configure BitLocker for notebooks

Very cool to manage Mac OS X systems and deploy applications to them! Furthermore Rate Limits on Remote Site servers are great to configure bandwidth usage. Again: You can do so much in ConfigMgr, that almost everything is possible :-)

Tuesday, September 1, 2015

My experience on the Microsoft 70-695 and 70-696 exams

Recently I did both Microsoft 70-695 and 70-696 exams. Because the exams are available since January 2015, they are quite new. Let's have a look at my experience on this.

Exam 70-695 is about Deploying Windows Devices and Enterprise Apps

The exam covers the following topics:
-Implement an operating system deployment infrastructure (21%)
-Implement a Lite-Touch deployment (18%)
-Implement a Zero-Touch deployment (20%)
-Create and maintain desktop images (21%)
-Prepare and deploy the VDI application environment (20%)

Exam 70-696 is about Managing Enterprise Devices and Apps

The exam covers the following topics:
-Deploy and manage virtual applications (14%)
-Deploy and manage desktop and mobile applications (15%)
-Plan and implement software updates (16%)
-Manage compliance and endpoint protection settings (15%)
-Manage Configuration Manager clients (15%)
-Manage inventory using Configuration Manager (12%)
-Provision and manage mobile devices (12%)

Both exams will present you with a mixture of cases and multiple choice questions. There will be 50 questions in total, with 150 minutes at maximum. This is kind of hard, because you don't know before the start how many cases you will have. Once a case is closed, you can't go back anymore. You must also study the cases on top of reading the questions. In both exams I used all the time available to answer the questions.

On exam 70-695 I had 4 cases with 22 questions in total. After that I had 28 multiple choice questions. I did use all my time for this, but it was enough. This was because of the order of cases and multiple choice questions.
On exam 70-696 I started with 24 multiple choice questions, where I took too much time. After that I had 4 cases with 26 questions in total, but I had to hurry to handle them all. In the last minutes and seconds I answered the last questions.

When time is up you are presented with the score immediately.

Luckily for me (I studied and practiced quite a lot) I passed both exams on the first try. I used both Microsoft Exam Refs for studying. These books are quite nice and have a lot of practice questions as well. In my case this was enough to finish both exams :-)

Just have a look at these websites for more information:
MS Learning: Deploying Windows Devices and Enterprise Apps

MS Learning: Managing Enterprise Devices and Apps
MS Press: Deploying Windows Devices and Enterprise Apps
MS Press: Managing Enterprise Devices and Apps

Exam Prep Session for Exam 70-695 and Exam 70-696: Enterprise Devices and Apps (Part 1)

Exam Prep Session for Exam 70-695 and Exam 70-696: Enterprise Devices and Apps (Part 2)