Tuesday, November 15, 2016

Failed to Install Software Updates during Build and Capture (Error: 87D00272)

Recently I created several Windows 10 1607 images, where Offline Servicing put all Windows 10 updates needed on the image. Besides that I created Build and Capture task sequences, with an Office 2016 package in them. Because those updates cannot be injected with Offline Servicing, I decided to add an additional Install Software Updates step in the task sequence. Nothing wrong about that :-)

During the Software Update installation step however, the following error message was displayed:
-Refreshing Updates
-Failed to RefreshUpdates, hr=0x87d00272
-Failed to run the action: Install Software Updates. Component is disabled. (Error: 87D00272)


Trick is, someone changed the Default Client Settings policy, and set "Enable software updates on clients" to No. Therefore software update scan, download and install cannot take place. Long story short, change the policy back to Yes, and start build and capture again.

Hope it helps!

Download software updates working again!

Install software updates working again!

Tuesday, November 8, 2016

The Report Server WMI provider cannot create the virtual directory (SQL upgrade)

Recently I did an in-place upgrade from SQL 2012 SP1 to 2014 SP2, in order to upgrade ConfigMgr 2012 R2 SP1 to Current Branch (1511) afterwards. Nothing wrong here you may think.

During upgrade the reporting part failed with the following error: "A Secure Sockets Layer (SSL) certificate is not configured on the Web site." Trick is, within Reporting Services Configuration Manager, there may be IP-addresses reserved for both http and https, where the one for https must be connected to an SSL certificate.

After starting the upgrade again (with the command: setup.exe /action=repair /instancename=<instance>), there was another error: "The Report Server WMI provider cannot create the virtual directory. This occurs when you call SetVirtualDirectory and the UrlString is already reserved. To continue, clear all URL reservations by calling RemoveURL and then try again."

That's another nasty issue if you ask me! I did several installations, with several configurations but it didn't work out for me. With the command: "netsh http show urlacl" all registered URLs can be seen. With the command: "netsh http delete urlacl URL=<url>:<port>" they can be deleted too. If you're lucky, removing the Reportserver URLs is enough, but it didn't work out for me.
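The listing and clean-up described above, as an added PowerShell example (not part of the original post): it parses "netsh http show urlacl" output into objects, picks out the Reporting Services reservations and prints the matching delete commands for review without running them. Assumptions: the sample output and its SIDs are constructed, netsh prints English labels, and the virtual directories use the default names ReportServer and Reports (optionally with an _<instance> suffix).

```powershell
# Added example, not from the original post.
# Constructed sample of `netsh http show urlacl` output (English labels assumed).
$sample = @'
URL Reservations:
-----------------

    Reserved URL            : http://+:80/ReportServer/
        User: NT SERVICE\ReportServer
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;S-1-5-80-1111111111-2222222222-3333333333-4444444444-5555555555)

    Reserved URL            : https://+:443/ReportServer/
        User: NT SERVICE\ReportServer
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;S-1-5-80-1111111111-2222222222-3333333333-4444444444-5555555555)

    Reserved URL            : http://+:80/Reports/
        User: NT SERVICE\ReportServer
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;S-1-5-80-1111111111-2222222222-3333333333-4444444444-5555555555)

    Reserved URL            : http://+:5985/wsman/
        User: NT SERVICE\WinRM
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;S-1-5-80-6666666666-7777777777-8888888888-9999999999-1010101010)
'@ -split '\r?\n'

function ConvertFrom-UrlAclText {
    # Turns the text blocks printed by netsh into one object per reserved URL.
    param([string[]]$Lines)

    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Reserved URL\s*:\s*(?<url>\S+)') {
            # A new block starts: emit the previous one first.
            if ($current) { [pscustomobject]$current }
            $current = [ordered]@{ Url = $Matches['url']; User = @(); Sddl = $null }
        }
        elseif ($current -and $line -match '^\s*User:\s*(?<user>.+?)\s*$') {
            # A reservation can list more than one account.
            $current.User += $Matches['user']
        }
        elseif ($current -and $line -match '^\s*SDDL:\s*(?<sddl>\S+)') {
            $current.Sddl = $Matches['sddl']
        }
    }
    if ($current) { [pscustomobject]$current }
}

# Offline run against the constructed sample. On the server itself use:
#   $reservations = ConvertFrom-UrlAclText -Lines (netsh http show urlacl)
$reservations = ConvertFrom-UrlAclText -Lines $sample

# Keep only the Reporting Services virtual directories (assumed default names).
$ssrsPattern = '^https?://[^/]+/(ReportServer|Reports)(_[^/]+)?/?$'
$ssrs = @($reservations | Where-Object { $_.Url -match $ssrsPattern })

# Show what was found. https reservations are the ones that need an SSL
# certificate bound to them, which is what the first setup error was about.
$ssrs | Format-Table -AutoSize Url,
    @{ Name = 'User';      Expression = { $_.User -join ', ' } },
    @{ Name = 'NeedsCert'; Expression = { $_.Url -like 'https://*' } }

# Print the delete commands for review; nothing is removed by this script.
$ssrs | ForEach-Object { "netsh http delete urlacl url=$($_.Url)" }
```

The printed commands have to be run from an elevated prompt, and the WinRM reservation in the sample is left alone because it does not match the Reporting Services pattern.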

Therefore I removed Reporting Services, and installed it again. After installation you may see this message too: "The report server installation is not initialized." To solve this you need to restore the encryption key created earlier, or delete encrypted content. This can be done in Reporting Services Configuration Manager as well.

After 3 error messages, Reporting is running fine on SQL Server 2014 SP2. Now it's time to start the ConfigMgr upgrade finally :-)

Tuesday, November 1, 2016

SMS EXECUTIVE starting SMS OFFLINE SERVICING MANAGER automatically

In the last few days there has been something really strange going on with Offline Servicing in ConfigMgr. The task "SMS EXECUTIVE started SMS OFFLINE SERVICING MANAGER" normally runs multiple times a day, with "This Schedule with ID does not have a next run time" as a result. In the last few days however I saw in two different environments that Offline Servicing is kicking off automatically on multiple images, leaving them with an error message and not cleaning up the ConfigMgr OfflineImageServicing folder afterwards. Let's have a look at some screenshots created.

It's all starting with the following messages in the ConfigMgr console! (Failed to apply one or more updates)

Looking in OfflineServicingMgr.log you see that multiple tasks are scheduled with dates from many months ago. The schedule with ID will be run now. It's run time is at (some date in past).

In another environment you see the same behavior, where schedules are running multiple times on the same image too. When you look closely you see a task running six times on the same image.

Because of multiple errors during the process, files and folders are not removed, leaving them in an unwanted state afterwards. This folder has (in my case) around 73.000 files in 14.000 folders, almost 12GB in size (with wrong ownership too).

Some of the error messages are:
-Image UnMount failed with error 31
-Deleting file \\?\D:\ConfigMgr_OfflineImageServicing\<ID>\ImageMountDir\Program Files\Common Files\microsoft shared\DAO\dao360.dll, FAILED, Win32 Error = 5
-Failed to remove previously existing staging folder -D:\ConfigMgr_OfflineImageServicing\<ID>, GLE = 5
-Initialization of schedule processing failed
-Schedule processing failed


Hope someone can explain why this is happening at almost the same time in totally different environments, where there's no schedule set on OS images? Both environments are running on ConfigMgr Current Branch, version 1606 with all available hotfixes installed. Will be continued.. (and posted at Microsoft bugs or suggestions too)

Update: Both tasks mentioned started on Sunday October 30th. One at 5:00 AM, the other at 23:00 AM (both UTC+01:00). Still nothing heard about other issues so far..

Friday, October 28, 2016

Highlights from the Microsoft Windows 10 devices event (2016)

This week (October 26th) the second Windows 10 devices event was held. Last year it was all about Xbox, Hololens, Band 2, Lumia 950 (XL) and Surface, where both Surface Pro 4 and Surface Book were shown. Pity Surface Book still isn't available everywhere yet, but I hope the product will become available at a later time (in The Netherlands).

Let's have a look at #Windows10 and #Windows10devices again!


Windows 10
-Windows 10 Creators Update (coming early 2017)
-This week early build release for all Windows insiders
-Coming to more than 400M Windows 10 devices
-Bringing 3D for everyone & 4K gaming

-Paint 3D (Within Windows 10 Creators Update)
-3D animations brings MS PowerPoint to life
-Connect and share easily with people who matter most

Xbox One S
-Game broadcasting for Windows 10
-Creating custom tournaments yourself
-Dolby Atmos on Xbox One with Windows 10 Creators Update

-4K gaming and watching movies (Netflix?)


Surface Book
-Has the highest user satisfaction among any current Windows 10 machine out there or any MacBook, all of them.
-The ultimate laptop, but people want even more...
-New Surface Book i7 with more power on CPU/GPU and 30% more battery life (16 hours in total)
-Available in November for $2,399


Surface Studio
-Thinnest LCD monitor ever built (12.5mm thin touch screen)
-28" PixelSense Display, 13.5 million pixels, TrueColor, DCI-P3, 3:2 aspect ratio, 192 PPI, True Scale

-i5/i7 Intel CPU, Up to 4GB NVIDIA GeForce GPU, Up to 32GB RAM
-Mic array, Cortana, HD camera, Windows Hello
-Pre-order today $2,999



Surface Dial
-A new tool for the creative process

-Available for Surface Pro 3/4 & Surface Book
-Not included with Surface Studio (additional $100)

So yes, Windows 10 Creators Update on Surface Book and Surface Studio looks great, but no surprises like last year. No news on Band and Lumia at all, where customers are not sure what Microsoft is doing here. Microsoft will probably pull the plug and end sales by the end of this year. Instead of Lumia devices, Microsoft will announce Surface Phone for business purposes (expected late 2017).

No Surface Phone, no Surface Book 2, no Band 3, or anything else. It's a pity :-)

Highlights from last year (2015)

Wednesday, October 19, 2016

New ConfigMgr Current Branch features from 1511 till now! (part 2)

Since December 8, 2015 ConfigMgr Current Branch is Generally Available. This is based on version 1511, which stands for November 2015 (MMYY). Since this release (and even before that too), there are monthly features added in Technical Preview, which are merged in public release (1602, 1606). Let's have a look at new features so far. When available this blogpost will be updated with new releases.

Microsoft did an amazing job on new ConfigMgr features for both standalone and hybrid environments. Really love the speed on new builds and update experience. Remember: When you want to go fast with Windows, you need to go fast with ConfigMgr too! :-)

New features in production so far:

[1610]
Deny previously approved application requests:
As an administrator you can deny a previously approved application request. To install this application later, users must resubmit a request. This does not uninstall the application.

Exclude clients from automatic upgrade:
When you configure settings to control how clients automatically upgrade you can now specify a collection to exclude specific clients from the upgrade. This applies to automatic upgrade as well as other methods such as software update-based upgrade. This can be used for a collection of computers that need greater care when upgrading the client.

Filter by content size in automatic deployment rules:
Use the content size filter in automatic deployment rules to prevent large software updates from automatically downloading to better support simplified Windows down-level servicing when network bandwidth is limited.

Improvements to the notification experience for high-impact task sequence and required application deployments:
Task sequence deployments that have a high impact on the end user, for example operating system deployments, now display more intrusive notifications. However, end users can dismiss (snooze) these notifications, and control when they reappear. Any relevant client settings for notification frequency are still honored.


[1609]
Android, iOS, and Windows Additional Settings:
New settings have been added for Android, iOS, and Windows.

Boundary Group Improvements:
Improvements have been made to boundary groups to allow more granular control of fallback behavior, and greater clarity of what distribution points are used.

Deploy Office 365 apps to clients:
We have added a new Office 365 Servicing node in the Software Library where you can deploy Office 365 apps to clients.

Improvements for BIOS to UEFI conversion:
An OS deployment task sequence can now be customized with a new variable, TSUEFIDrive, so that the Restart Computer step will prepare the drive for transition to UEFI. See the documentation for additional details on the necessary customizations.

Intune Compliance Charts:
Administrators can get a quick view of overall compliance, and top reasons for non-compliance using new charts under Monitoring.

Native Connection Types for Windows 10 VPN Profiles:
You can now create Windows 10 VPN profiles with Microsoft Automatic, IKEv2, and PPTP connection types in the Configuration Manager console without using OMA-URI.

Office 365 Servicing Dashboard:
Use the Office 365 servicing dashboard to track Office 365 updates and deployments.

TouchID, ApplePay and Zoom DEP Settings:
DEP provides the ability for admins to create enrollment profiles to skip initial setup screens for new iOS devices. TouchID, ApplePay and Zoom have now been added as options to configure in the iOS enrollment profiles.

Windows 10 Upgrade Analytics:
Assess and analyze device readiness and compatibility with Windows 10 to allow smoother upgrades. This is done through integration with Windows Upgrade Analytics.

Windows Store for Business:
Windows Store for Business allows administrators to obtain applications (purchased or free) and deploy them to users in their organization.


[1608]
Application Requests from Software Center:
Users are now able to request approval for applications and view the request history for applications in the Application Details view in Software Center. The Request button in Application Details no longer redirects to the web-based Application Catalog.

Improvements to Asset Intelligence:
In the Configuration Manager 1608 Technical Preview, we have added a field to the properties for inventoried software that lets you set a parent and child relationship with other software. In the Inventoried Software list, you can view the parent of any software and also hide all child software.

New Software Indicators in Software Center:
The Software Center Applications, Updates, and Operating Systems tabs now show what software was recently added. Numbers in the navigation pane show how many new pieces of software are in each tab.

Remote Control Keyboard Translation:
In a remote control session, keys typed are now mapped by default to the sharer's keyboard when the keyboard languages do not match, so that the viewer is able to type normally. This behavior may be turned off in the Remote Control viewer Action menu.


[1607]
Customizable Branding for End-User Dialogs:
End-user dialogs that are opened from Software Center or taskbar notifications now show the same organization name, color and icon branding as Software Center. The administrator workflow for specifying branding settings remains unchanged.

Manage duplicate hardware identifiers:
Add known duplicate MAC addresses or SMBIOS IDs to be ignored hierarchy-wide for PXE boot and client registration.

Microsoft Operations Management Suite (OMS) Connector:
Sync data such as collections from ConfigMgr to OMS.

Windows 10 Edition Upgrade:
Upgrade Configuration Manager clients running Windows 10 Professional edition to Windows 10 Enterprise edition with just a product key; no reimaging required.


Part 1 of this series can be found HERE.
Will be updated with further 2016 updates!

Thursday, October 13, 2016

New servicing branch: Long-Term Servicing Branch (LTSB) of Configuration Manager

Yesterday a new announcement was made. There is a new servicing branch called: Long-Term Servicing Branch (LTSB) of Configuration Manager. Where ConfigMgr Current Branch offers new functionality and support for Windows 10 and Windows Server 2016, LTSB of Configuration Manager does not. When Software Assurance (SA) or equivalent subscription rights expired, customers, per product terms, would have to move back to ConfigMgr 2012 (R2). Besides support for a fixed 10-year lifecycle (and equivalent subscription rights as mentioned), I guess there is no need to use the LTSB version of Configuration Manager.

While the LTSB is derived from the current branch of Configuration Manager (version 1606), it is scaled back and reduced in functionality to permit the extended support model. LTSB of Configuration Manager will not receive new functionality or support for new Windows 10 and Windows Server 2016. It will continue to receive security updates only. By design, LTSB of Configuration Manager is intended to be fixed in functionality and very infrequently updated, so any features or components that require continuous updating or are tied to a cloud service have been removed. What's left is ConfigMgr 2012 (R2) with fewer features and no Hybrid MDM.

These removed features include:
-Support for Windows 10 Current Branch (CB) and Current Branch for Business (CBB)
-Support for the future releases of Windows 10 LTSB and Windows Server
-Windows 10 Servicing Dashboard and Servicing Plans
-The ability to add a Microsoft Intune Subscription, which prevents the use of Hybrid MDM and on-premises MDM
-Asset Intelligence
-Cloud-based Distribution Point
-Support for Exchange Online as an Exchange Connector
-Any pre-release features available in the current branch of Configuration Manager


Not my cup of tea :-)
Source: Enterprise Mobility and Security Blog

System Center 2016 and Windows Server 2016 available for download now!

As of today System Center 2016 and Windows Server 2016 bits are available for download. Strange that Microsoft decided to announce General Availability (GA) during Microsoft Ignite, and publish bits two weeks later for download?


Within System Center 2016, the 1606 version of Configuration Manager is included. Customers still on ConfigMgr 2012 (R2) can upgrade directly to 1606 now. No need to upgrade to 1511 (RTM) first and upgrade to 1606 afterwards.

System Center 2016
 
Windows Server 2016

Just download the bits and happy upgrade! :-)

Microsoft Hybrid Cloud (12-10):
Another big step in Hybrid Cloud – Windows Server 2016 general availability
Managing the software-defined datacenter with System Center 2016

Wednesday, October 12, 2016

New ConfigMgr Current Branch features from 1511 till now! (part 1)

Since December 8, 2015 ConfigMgr Current Branch is Generally Available. This is based on version 1511, which stands for November 2015 (MMYY). Since this release (and even before that too), there are monthly features added in Technical Preview, which are merged in public release (1602, 1606). Let's have a look at new features so far. When available this blogpost will be updated with new releases.

Microsoft did an amazing job on new ConfigMgr features for both standalone and hybrid environments. Really love the speed on new builds and update experience. Remember: When you want to go fast with Windows, you need to go fast with ConfigMgr too! :-)

New features in production so far:

[1606]
Cloud Proxy Service:
The Cloud Proxy Service provides a simple way to manage ConfigMgr clients on the Internet. The service, which is deployed to Microsoft Azure and requires an Azure subscription, connects to your on-premises ConfigMgr infrastructure using a new role called the cloud proxy connector point. You use the ConfigMgr console to deploy the service and configure the supported roles to allow cloud proxy traffic. Cloud Proxy Service currently only supports the management point, distribution point, and software update point roles.
Device Categories:
You can create device categories, which can be used to automatically place devices in device collections when used in hybrid environments. Users are then required to choose a device category when they enroll a device in Intune.
Device Guard: ConfigMgr as a managed installer with manual client configuration:
Administrators can use the new Managed Installer AppLocker rules to configure clients so that ConfigMgr-deployed software is automatically trusted, but software from other sources is not. You cannot currently configure this functionality from the ConfigMgr console. Use the instructions at this blog post to manually configure client computers to use this functionality.
End users on a Windows 10 desktop managed by on-premises MDM can install an app from the Intune Company Portal:
You can deploy an app as Available Install to a user collection and the users on a Windows 10 PC managed by on-premises MDM can use the Intune Company Portal to browse, download, and install this app.
Enforcement grace period for application and software update deployments:
Give users a grace period to install required application or software updates beyond any deadlines you configured after their computers are offline for an extended period of time.
Multiple device management points available for enrolled Windows 10 Anniversary Edition devices:
On-premises Mobile Device Management (MDM) supports a new capability in Windows 10 Anniversary Edition (Redstone 1) that automatically configures an enrolled device to have more than one device management point available for use. This capability allows the device to fall back to another device management point when the one it was using is not available.
You can deploy offline-licensed applications to a Windows 10 desktop PC managed by on-premises MDM:
You can deploy an app with an offline license from the Windows Store for Business to a Windows 10 PC managed by on-premises MDM.

[1605]
Auto-Connect App List in Windows 10 VPN Profiles:
Admins can specify desktop and universal applications in Windows 10 VPN profiles that automatically establish a connection with the VPN when launched on the client. Admins can decide whether or not to limit VPN traffic to the apps in the list.
End users on a Windows 10 desktop managed by on-premises MDM can install an app from the Intune Company Portal:
You can deploy an app as Available Install to a user collection and the users on a Windows 10 PC managed by on-premises MDM can use the Intune Company Portal to browse, download, and install this app.
Improvements to the Install Software Updates task sequence step:
This release includes improvements to smsts.log to help you troubleshoot, and a new task sequence variable, SMSTSSoftwareUpdateScanTimeout, to control the timeout on the software updates scan during the Install Software Updates task sequence step.
New tabs for Updates and Operating Systems in Software Center:
Software Updates and Operating Systems now have their own respective tabs in Software Center, rather than being accessible via the categories dropdown in the Applications tab.
On-premises Health Attestation Service integration:
Collect Health Attestation information via on-premises Health Attestation Service with a few critical bug fixes from 1604 Technical Preview.
Pre-Declare Corporate Owned Devices:
You can now identify corporate-owned devices by importing their international station mobile equipment identity (IMEI) numbers. You can upload a comma-separated values (.csv) file containing device IMEI numbers or you can manually enter device information. You can also import serial numbers for iOS devices. Imported information will set ownership of the devices that enroll as “Corporate”. An Intune license is still required for each user that accesses the service. View a video walkthrough of the Pre-declare Corporate Owned Devices feature.
Remote Device Actions Experience Update:
The admin experience for wiping, resetting the passcode, remote locking, and bypassing iOS Activation Lock on mobile devices has been adjusted. The states of these actions are now part of the devices' details and properties.
Remote Full Wipe for Windows 10 desktop devices:
Support for remotely wiping and resetting Windows 10 desktop devices to factory settings.
Server groups:
Control settings for software updates in server groups, including the order and percentage of devices that can be updated at any one time. These capabilities introduce some enhancements over our pre-release "Servicing a cluster aware collection" feature, including the ability to control the order and better monitoring.
Windows 10 Enterprise Data Protection policies:
Enterprise data protection (EDP) policy settings - with this technical preview, you can create and deploy EDP policies for Windows devices running Windows 10 Insider Preview and Windows 10 Mobile Preview builds, including specifying apps, defining network boundaries, choosing the restriction modes and other EDP settings.
Windows Defender Advanced Threat Protection:
Manage Windows Defender Advanced Threat Protection policies for onboarding and offboarding Windows 10 clients to the cloud service, and view agent health in the monitoring dashboard. (Requires a Windows Defender ATP tenant in Azure.)
Windows Store for Business Integration:
ConfigMgr can manage and deploy applications purchased through the Windows Store for Business portal for both online and offline licensed apps. The 1605 Technical Preview adds the ability to create both online and offline apps with the ability to deploy offline apps to Intune and ConfigMgr managed devices. View video walkthroughs of how to set up and deploy Windows Store for Business apps.

[1604]
Client cache size:
We added a new item to Client Settings called "Client Cache Settings". Use this to configure the client cache size as a percentage of overall disk space and megabytes.
Client Peer Cache:
A built-in ConfigMgr solution for clients to share content with other clients, directly from their local Cache with monitoring and troubleshooting capabilities.
Passport for Work:
Administrators can now deploy Passport for Work policies to domain-joined Windows 10 devices managed by the ConfigMgr client.
Policy Setting to Disable Smart Lock and other Trust Agents:
Hybrid administrators can now deploy a policy in the ConfigMgr console that disables Smart Lock and other trust agents from being used to circumvent passcode policy on devices running Android 5.0 or higher.
Software Updates Compliance Dashboard:
The Software Updates Dashboard continues our commitment to helping you keep your devices up to date with the latest security updates and Windows features. The dashboard allows you to view the current compliance status of devices in your organization and quickly analyze the data to see which devices are at risk.
Switch Software Update Point:
Administrators will be able to switch Software Update Points for clients when there are multiple SUPs available on a primary site. Administrators should use this option when clients are failing SUM scenarios due to SUP/WSUS issues on their assigned SUP. When administrators switch SUPs for a collection of clients, the selected clients will look for another SUP at the next scan interval. To try out this change go to the Asset and Compliance tab -> Device Collections -> and in the context menu of a device collection click on "Switch to Next Software Update Point".
VPN for Windows 10:
You can use 3rd party VPN providers for computers with the ConfigMgr client. These include Pulse Secure, F5 Edge, Dell SonicWall and Checkpoint.

[1603]
List View for Applications in Software Center:
In the Software Center Applications tab, users now have the option to switch between the default tile view and a new list view by clicking on the view selection icons underneath the search bar.
Install Selected Updates in Software Center:
In the new Updates tab in Software Center, click on the select mode button at the top left of the list of updates. In select mode, multiple updates may be selected and then simultaneously installed using the Install Selected button.
Content Status links in the Admin Console:
The Content Status links for objects like applications, packages, task sequences or software updates, now go directly to the related Content Status object node.
PXE Provider TFTP Window Size:
The administrator can now configure the TFTP window size (RamDiskTFTPWindowSize) via a registry setting on the PXE-enabled distribution point.
Limit access to the Clipboard in Remote Control Sessions:
You can now enable the remote tools client setting "Prompt user for shared clipboard file transfer permission" to limit access to the shared clipboard in a remote control session. When enabled, the end-user who is sharing a remote session must grant permissions to the viewer of that session before they can transfer files from the shared clipboard.

[1602]
Support for in-place upgrade of ConfigMgr Site Server's operating system:
In-place upgrade of the ConfigMgr's Site Server's operating system from Windows Server 2008 R2 to Windows Server 2012 R2 is now supported.
Sync Policy button in Software Center:
The new Sync Policy button helps you keep machine and user policies in sync. The button is available through the Software Center options tab, under Computer Maintenance.
Automatic creation of Microsoft Office mobile apps for iOS and Android:
Microsoft Office mobile apps for iOS and Android are pre-created for users using ConfigMgr integrated with Microsoft Intune.
iOS Activation Lock management:
iOS Activation Lock management capabilities include: enabling, querying for the status, retrieving bypass codes, and performing an Activation Lock bypass on corporate-owned iOS devices.

[1601]
Windows 10 Team configuration settings:
New configuration settings added and supported for Windows 10 Team when using either Intune managed (hybrid) devices, or ConfigMgr full client devices.
Windows 10 Microsoft Edge configuration settings:
Specify Windows 10 Edge settings and assign them to users or devices in their organization.
Windows 10 Conditional Access new compliance checks:
Set 3 new compliance checks: require a password to unlock an idle device, time until the device is locked, and require automatic updates with minimum classification. These policy rules are evaluated as part of overall device compliance.
Windows 10 Conditional Access with Health Attestation service:
For Intune managed devices, Windows 10 Health Attestation data can be used as part of device compliance when used with Conditional Access.
Device Compliance report:
Device Compliance report provides you the number and percentage of devices and their compliance state for each compliance policy.
Windows 10 Health Attestation service reports:
Users can view reports on Windows 10 Health Attestation data collected by Intune. Windows 10 device Health Attestation helps evaluate the vulnerability of Windows 10 desktop and mobile devices.
Kiosk mode for Samsung KNOX devices:
ConfigMgr kiosk mode allows you to lock a managed mobile device only to allow certain features. For example, you can allow a device only to run a specific managed app, or you can disable the device's volume buttons.
Client Online Status:
View the online status of devices in Assets and Compliance. New icons indicate the status of a device as online or offline.
Conditional Access for ConfigMgr Managed PCs:
To help secure Office 365 access and other services on PCs enrolled with ConfigMgr, use Conditional Access. Conditions that can be used to control access include: Workplace Join, BitLocker, Antimalware, and Software Updates.
On-Premises Exchange Default Rule Override:
Set a default on-premises Exchange rule to block mobile devices from accessing email. You can allow Intune-enrolled and compliant mobile devices to access mail. You can also choose to override the default Exchange rule to allow Intune-enrolled and compliant devices to access email, even when the default rule is set to Block or Quarantine.
iOS App Configuration:
Create and deploy iOS app configuration policies to dynamically change settings such as server name or port for iOS applications that support configuration.
Apple Volume Purchase Program:
ConfigMgr can manage and deploy applications purchased through the Apple Volume Purchase Program for Business portal.

[1512]
New antimalware policy settings:
Added settings for protection against Potentially Unwanted Applications, user control of automatic sample submission, and scanning of network drives during a full scan.
Device Health Attestation:
Users are able to view the status of Windows 10 Device Health Attestation in the ConfigMgr console, to ensure that client computers have trustworthy BIOS, TPM, and boot software.
User acceptance of Terms and Conditions:
Users who use ConfigMgr integrated with Intune (hybrid) can view which users have accepted the Terms and Conditions configured by IT and which users have not, right from the ConfigMgr console.

Will be continued in a next blogpost!

New ConfigMgr Current Branch features from 1511 till now! (part 1)

Since December 8, 2015 ConfigMgr Current Branch is Generally Available. This is based on version 1511, which stands for November 2015 (MMYY). Since this release (and even before that too), there are monthly features added in Technical Preview, which are merged in public release (1602, 1606). Let's have a look at new features so far. When available this blogpost will be updated with new releases.

Really love the speed on new (Windows and ConfigMgr) builds and update experience. Remember: When you want to go fast with Windows, you need to go fast with ConfigMgr too! :-)

Microsoft did an amazing job on new ConfigMgr features for both standalone and hybrid environments. Let's have a look at new features (in production) so far:

[1606]
Cloud Proxy Service:
The Cloud Proxy Service provides a simple way to manage ConfigMgr clients on the Internet. The service, which is deployed to Microsoft Azure and requires an Azure subscription, connects to your on-premises ConfigMgr infrastructure using a new role called the cloud proxy connector point. You use the ConfigMgr console to deploy the service and configure the supported roles to allow cloud proxy traffic. Cloud Proxy Service currently only supports the management point, distribution point, and software update point roles.
Device Categories:
You can create device categories, which can be used to automatically place devices in device collections when used in hybrid environments. Users are then required to choose a device category when they enroll a device in Intune.
Device Guard: ConfigMgr as a managed installer with manual client configuration:
Administrators can use the new Managed Installer AppLocker rules to configure clients so that ConfigMgr-deployed software is automatically trusted, but software from other sources is not. You cannot currently configure this functionality from the ConfigMgr console. Use the instructions at this blog post to manually configure client computers to use this functionality.
End users on a Windows 10 desktop managed by on-premises MDM can install an app from the Intune Company Portal:
You can deploy an app as Available Install to a user collection and the users on a Windows 10 PC managed by on-premises MDM can use the Intune Company Portal to browse, download, and install this app.
Enforcement grace period for application and software update deployments:
Give users a grace period to install required application or software updates beyond any deadlines you configured after their computers are offline for an extended period of time.
Multiple device management points available for enrolled Windows 10 Anniversary Edition devices:
On-premises Mobile Device Management (MDM) supports a new capability in Windows 10 Anniversary Edition (Redstone 1) that automatically configures an enrolled device to have more than one device management point available for use. This capability allows the device to fall back to another device management point when the one it was using is not available.
You can deploy offline-licensed applications to a Windows 10 desktop PC managed by on-premises MDM:
You can deploy an app with an offline license from the Windows Store for Business to a Windows 10 PC managed by on-premises MDM.

[1605]
Auto-Connect App List in Windows 10 VPN Profiles:
Admins can specify desktop and universal applications in Windows 10 VPN profiles that automatically establish a connection with the VPN when launched on the client. Admins can decide whether or not to limit VPN traffic to the apps in the list.
End users on a Windows 10 desktop managed by on-premises MDM can install an app from the Intune Company Portal:
You can deploy an app as Available Install to a user collection and the users on a Windows 10 PC managed by on-premises MDM can use the Intune Company Portal to browse, download, and install this app.
Improvements to the Install Software Updates task sequence step:
This release includes improvements to smsts.log to help you troubleshoot, and a new task sequence variable, SMSTSSoftwareUpdateScanTimeout, to control the timeout on the software updates scan during the Install Software Updates task sequence step.
New tabs for Updates and Operating Systems in Software Center:
Software Updates and Operating Systems now have their own respective tabs in Software Center, rather than being accessible via the categories dropdown in the Applications tab.
On-premises Health Attestation Service integration:
Collect Health Attestation information via on-premises Health Attestation Service with a few critical bug fixes from 1604 Technical Preview.
Pre-Declare Corporate Owned Devices:
You can now identify corporate-owned devices by importing their international station mobile equipment identity (IMEI) numbers. You can upload a comma-separated values (.csv) file containing device IMEI numbers or you can manually enter device information. You can also import serial numbers for iOS devices. Imported information will set ownership of the devices that enroll as “Corporate”. An Intune license is still required for each user that accesses the service. View a video walkthrough of the Pre-declare Corporate Owned Devices feature.
Remote Device Actions Experience Update:
The admin experience for wiping, resetting the passcode, remote locking, and bypassing iOS Activation Lock on mobile devices has been adjusted. The states of these actions are now part of the devices' details and properties.
Remote Full Wipe for Windows 10 desktop devices:
Support for remotely wiping and resetting Windows 10 desktop devices to factory settings.
Server groups:
Control settings for software updates in server groups, including the order and percentage of devices that can be updated at any one time. These capabilities introduce some enhancements over our pre-release "Servicing a cluster aware collection" feature, including the ability to control the order and better monitoring.
Windows 10 Enterprise Data Protection policies:
Enterprise data protection (EDP) policy settings - with this technical preview, you can create and deploy EDP policies for Windows devices running Windows 10 Insider Preview and Windows 10 Mobile Preview builds, including specifying apps, defining network boundaries, choosing the restriction modes and other EDP settings.
Windows Defender Advanced Threat Protection:
Manage Windows Defender Advanced Threat Protection policies for onboarding and offboarding Windows 10 clients to the cloud service, and view agent health in the monitoring dashboard. (Requires a Windows Defender ATP tenant in Azure.)
Windows Store for Business Integration:
ConfigMgr can manage and deploy applications purchased through the Windows Store for Business portal for both online and offline licensed apps. The 1605 Technical Preview adds the ability to create both online and offline apps with the ability to deploy offline apps to Intune and ConfigMgr managed devices. View video walkthroughs of how to set up and deploy Windows Store for Business apps.

[1604]
Client cache size:
We added a new item to Client Settings called "Client Cache Settings". Use this to configure the client cache size as a percentage of overall disk space and megabytes.
Client Peer Cache:
A built-in ConfigMgr solution for clients to share content with other clients, directly from their local Cache with monitoring and troubleshooting capabilities.
Passport for Work:
Administrators can now deploy Passport for Work policies to domain-joined Windows 10 devices managed by the ConfigMgr client.
Policy Setting to Disable Smart Lock and other Trust Agents:
Hybrid administrators can now deploy a policy in the ConfigMgr console that disables Smart Lock and other trust agents from being used to circumvent passcode policy on devices running Android 5.0 or higher.
Software Updates Compliance Dashboard:
The Software Updates Dashboard continues our commitment to helping you keep your devices up to date with the latest security updates and Windows features. The dashboard allows you to view the current compliance status of devices in your organization and quickly analyze the data to see which devices are at risk.
Switch Software Update Point:
Administrators will be able to switch Software Update Points for clients when there are multiple SUPs available on a primary site. Administrators should use this option when clients are failing SUM scenarios due to SUP/WSUS issues on their assigned SUP. When administrators switch SUPs for a collection of clients, the selected clients will look for another SUP at the next scan interval. To try out this change go to the Asset and Compliance tab -> Device Collections -> and in the context menu of a device collection click on "Switch to Next Software Update Point".
VPN for Windows 10:
You can use 3rd party VPN providers for computers with the ConfigMgr client. These include Pulse Secure, F5 Edge, Dell SonicWall and Checkpoint.

[1603]
List View for Applications in Software Center:
In the Software Center Applications tab, users now have the option to switch between the default tile view and a new list view by clicking on the view selection icons underneath the search bar.
Install Selected Updates in Software Center:
In the new Updates tab in Software Center, click on the select mode button at the top left of the list of updates. In select mode, multiple updates may be selected and then simultaneously installed using the Install Selected button.
Content Status links in the Admin Console:
The Content Status links for objects like applications, packages, task sequences or software updates, now go directly to the related Content Status object node.
PXE Provider TFTP Window Size:
The administrator can now configure the TFTP window size (RamDiskTFTPWindowSize) via a registry setting on the PXE-enabled distribution point.
Limit access to the Clipboard in Remote Control Sessions:
You can now enable the remote tools client setting "Prompt user for shared clipboard file transfer permission" to limit access to the shared clipboard in a remote control session. When enabled, the end-user who is sharing a remote session must grant permissions to the viewer of that session before they can transfer files from the shared clipboard.

[1602]
Support for in-place upgrade of ConfigMgr Site Server's operating system:
In-place upgrade of the ConfigMgr's Site Server's operating system from Windows Server 2008 R2 to Windows Server 2012 R2 is now supported.
Sync Policy button in Software Center:
The new Sync Policy button helps you keep machine and user policies in sync. The button is available through the Software Center options tab, under Computer Maintenance.
Automatic creation of Microsoft Office mobile apps for iOS and Android:
Microsoft Office mobile apps for iOS and Android are pre-created for users using ConfigMgr integrated with Microsoft Intune.
iOS Activation Lock management:
iOS Activation Lock management capabilities include: enabling, querying for the status, retrieving bypass codes, and performing an Activation Lock bypass on corporate-owned iOS devices.

[1601]
Windows 10 Team configuration settings:
New configuration settings added and supported for Windows 10 Team when using either Intune managed (hybrid) devices, or ConfigMgr full client devices.
Windows 10 Microsoft Edge configuration settings:
Specify Windows 10 Edge settings and assign them to users or devices in their organization.
Windows 10 Conditional Access new compliance checks:
Set 3 new compliance checks: require a password to unlock an idle device, time until the device is locked, and require automatic updates with minimum classification. These policy rules are evaluated as part of overall device compliance.
Windows 10 Conditional Access with Health Attestation service:
For Intune managed devices, Windows 10 Health Attestation data can be used as part of device compliance when used with Conditional Access.
Device Compliance report:
Device Compliance report provides you the number and percentage of devices and their compliance state for each compliance policy.
Windows 10 Health Attestation service reports:
Users can view reports on Windows 10 Health Attestation data collected by Intune. Windows 10 device Health Attestation helps evaluate the vulnerability of Windows 10 desktop and mobile devices.
Kiosk mode for Samsung KNOX devices:
ConfigMgr kiosk mode allows you to lock a managed mobile device only to allow certain features. For example, you can allow a device only to run a specific managed app, or you can disable the device's volume buttons.
Client Online Status:
View the online status of devices in Assets and Compliance. New icons indicate the status of a device as online or offline.
Conditional Access for ConfigMgr Managed PCs:
To help secure Office 365 access and other services on PCs enrolled with ConfigMgr, use Conditional Access. Conditions that can be used to control access include: Workplace Join, BitLocker, Antimalware, and Software Updates.
On-Premises Exchange Default Rule Override:
Set a default on-premises Exchange rule to block mobile devices from accessing email. You can allow Intune-enrolled and compliant mobile devices to access mail. You can also choose to override the default Exchange rule to allow Intune-enrolled and compliant devices to access email, even when the default rule is set to Block or Quarantine.
iOS App Configuration:
Create and deploy iOS app configuration policies to dynamically change settings such as server name or port for iOS applications that support configuration.
Apple Volume Purchase Program:
ConfigMgr can manage and deploy applications purchased through the Apple Volume Purchase Program for Business portal.

[1512]
New antimalware policy settings:
Added settings for protection against Potentially Unwanted Applications, user control of automatic sample submission, and scanning of network drives during a full scan.
Device Health Attestation:
Users are able to view the status of Windows 10 Device Health Attestation in the ConfigMgr console, to ensure that client computers have trustworthy BIOS, TPM, and boot software.
User acceptance of Terms and Conditions:
Users who use ConfigMgr integrated with Intune (hybrid) can view which users have accepted the Terms and Conditions configured by IT and which users have not, right from the ConfigMgr console.

Will be continued in a next blogpost!

Monday, October 10, 2016

What to do if App-V Sequencer is missing from Windows 10 ADK 1607

When installing Windows 10 ADK 1607, the App-V Sequencer component may be missing. This depends on the operating system you're installing Windows ADK on. When you need to install the App-V Sequencer from Windows 10 ADK 1607, make sure you install it on Windows 10 1607 as well. Otherwise use the Microsoft Desktop Optimization Pack (MDOP) Setup Media instead.

When running on Windows 10 1511/1507, Windows 8.x, Windows 7 or Windows Server 2012 R2, App-V Sequencer is missing.

When running on Windows 10 1607, App-V Sequencer will be back again :-) Other components are available then as well.

Hope it helps!

More on App-V in Windows 10 can be found here: Both App-V and UE-V integrated in Windows 10 Enterprise now!

Thursday, October 6, 2016

Enable the Upgrades classification in ConfigMgr Current Branch (again)

Recently I was troubleshooting an environment where Windows 10 upgrades didn't come in. I did check whether the hotfixes were installed, which was indeed the case.
-KB3095113: Update to enable WSUS support for Windows 10 feature upgrades (Server 2012 and 2012R2)
-KB3127032: Windows 10 upgrades are not downloaded in System Center Configuration Manager (CM1511 only)

I decided to remove the Upgrade checkbox, to put it back on at a later time. Then a new pop-up was displayed: "Additionally, to service Windows 10 Version 1607 and later, you must install and configure KB3159706 using the guidance." Oops, I missed that one! I installed it at the WSUS/SUP and other Site server(s) and had a look at the additional steps too, because of the following post on Microsoft TechNet: WSUS Breaks after KB3159706, released 5/5/2016

It mentions: Manual steps required to complete the installation of this update:
1. Install the hotfix and restart the WSUS/SUP server!
2. Open an elevated Command Prompt window, and run "C:\Program Files\Update Services\Tools\wsusutil.exe postinstall /servicing" (case sensitive)
3. Select HTTP Activation under .NET Framework 4.5 Features in the Server Manager Add Roles and Features wizard.
4. Restart the WSUS service.


I skipped the steps mentioned under "If SSL is enabled on the WSUS server" at first try, but they seem to be needed too!
1. Open an elevated Command Prompt window, and assign ownership of the Web.Config file to the administrators group
-takeown /f web.config /a
-icacls "C:\Program Files\Update Services\WebServices\ClientWebService\Web.config" /grant administrators:f
2. Make the following changes in the file > add the lines displayed in bold, and don't make the mistake (as I did) of replacing those lines!
3. Add the multipleSiteBindingsEnabled="true" attribute to the bottom of the Web.Config file
4. Restart the WSUS service.

Start a Software Update sync in ConfigMgr and watch wsyncmgr.log and WCM.log closely. Everything should be fine now!
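
A read-only way to confirm the steps above on the WSUS/SUP server, as an added example that is not part of the original post or of Microsoft's guidance. It assumes the default install path quoted above, the Server Manager feature name NET-WCF-HTTP-Activation45 for "HTTP Activation", and the service name WsusService; run it from an elevated PowerShell session.

```powershell
# Added example: verifies the KB3159706 post-install state without changing anything.
# Assumption: default WSUS path, as quoted in the post.
$webConfig = 'C:\Program Files\Update Services\WebServices\ClientWebService\Web.config'
$results   = [ordered]@{}

# Step 1: is the hotfix recorded as an installed update?
$hotfix = Get-HotFix -Id 'KB3159706' -ErrorAction SilentlyContinue
$results['KB3159706 listed by Get-HotFix'] = [bool]$hotfix

# Step 2 (wsusutil postinstall /servicing) leaves no simple flag to read here;
# confirm it from the command's own output when you run it.

# Step 3: HTTP Activation under .NET Framework 4.5 Features.
$feature = Get-WindowsFeature -Name 'NET-WCF-HTTP-Activation45'
$results['HTTP Activation installed'] = [bool]($feature -and $feature.Installed)

# Step 4: the WSUS service should be running again after the restart.
$svc = Get-Service -Name 'WsusService' -ErrorAction SilentlyContinue
$results['WSUS service running'] = [bool]($svc -and $svc.Status -eq 'Running')

if (Test-Path -LiteralPath $webConfig) {
    # SSL step 3: look for any element carrying multipleSiteBindingsEnabled="true".
    [xml]$xml = Get-Content -LiteralPath $webConfig -Raw
    $hits = $xml.SelectNodes('//*[@multipleSiteBindingsEnabled]') |
        Where-Object { $_.GetAttribute('multipleSiteBindingsEnabled') -eq 'true' }
    $results['multipleSiteBindingsEnabled="true" present'] = [bool]$hits

    # SSL step 1 changed ownership and granted administrators full control.
    # List who owns the file and who can modify it, so nothing broader was granted.
    $acl = Get-Acl -LiteralPath $webConfig
    $results['Web.config owner'] = $acl.Owner
    $writers = $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.FileSystemRights -match 'FullControl|Modify|Write' } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
    $results['Identities with write access'] = $writers -join '; '
}
else {
    $results['Web.config found'] = $false
}

# One line per check; anything False is a step to revisit.
$results.GetEnumerator() | Format-Table -Property Name, Value -AutoSize -Wrap
```

If "Identities with write access" lists anything beyond SYSTEM, TrustedInstaller and the administrators group, review the ACL on Web.config before leaving the server as it is.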

I haven't seen Windows 10 Servicing working yet, but hope to see it in the near future. At Microsoft Ignite there was no session or demo about it either, given the fact that it may be working.

Will be continued in a next blogpost :-)