
Author Archives: mwesterink

ConfigMgr: a second attempt to REALLY liberate yourself from driver management…

In a previous post, I made an attempt to use Microsoft Update for downloading and installing all drivers during an Operating System deployment task sequence with System Center Configuration Manager or Microsoft Deployment Toolkit. This approach works pretty well as long as hardware vendors use components whose drivers are published on Microsoft Update. It requires some testing, and if something is missing, alternative methods are available.

However, what about maintaining those drivers during normal operation? Since drivers are not managed in this scenario, the device still needs to receive new drivers when they are updated. As we all know, System Center Configuration Manager doesn’t support deploying drivers through Software Updates, since the Update Classification ‘Drivers’ is not available (it is in WSUS, though), so that is not an option.

Fortunately, since Windows 10 1607 a feature called Dual Scan is available, and it can be used in conjunction with Software Updates in System Center Configuration Manager. This allows organizations to use both sources for managing updates, so Microsoft Update can be used to update drivers.

The easiest way to do this is to deploy Windows Update for Business policies from System Center Configuration Manager (assuming Intune is not used). All that needs to be done is to follow the instructions at https://docs.microsoft.com/en-us/sccm/sum/deploy-use/integrate-windows-update-for-business-windows-10#configure-windows-update-for-business-deferral-policies

Within a policy, you can include drivers by checking the option ‘Include drivers with Windows Update’. Roughly said, you can kiss driver management in System Center Configuration Manager goodbye.
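To verify on a client that the policy actually landed and that drivers will come from Microsoft Update, here is an added PowerShell check (not from the original post). The registry value names are the documented Windows Update policy values; the assumption that the ConfigMgr checkbox maps to ExcludeWUDriversInQualityUpdate, and the Dual Scan condition (WSUS configured plus at least one deferral policy), are my reading of the documented behaviour.

```powershell
# Added example: report the effective Windows Update for Business / Dual Scan
# state on a Windows 10 client after the ConfigMgr WUfB policy has applied.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au     = Join-Path $policy 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist (policy not set)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$wsus           = Get-PolicyValue $policy 'WUServer'
$useWsus        = Get-PolicyValue $au     'UseWUServer'
$disableDual    = Get-PolicyValue $policy 'DisableDualScan'
$excludeDrivers = Get-PolicyValue $policy 'ExcludeWUDriversInQualityUpdate'  # assumption: 1 = checkbox off
$deferQuality   = Get-PolicyValue $policy 'DeferQualityUpdatesPeriodInDays'
$deferFeature   = Get-PolicyValue $policy 'DeferFeatureUpdatesPeriodInDays'

# Dual Scan is in effect when a WSUS server (the ConfigMgr SUP) is configured,
# DisableDualScan is not 1, and at least one WUfB deferral policy exists.
$wsusConfigured = ($useWsus -eq 1) -and -not [string]::IsNullOrEmpty($wsus)
$hasDeferral    = ($null -ne $deferQuality) -or ($null -ne $deferFeature)
$dualScan       = $wsusConfigured -and ($disableDual -ne 1) -and $hasDeferral

[pscustomobject]@{
    WSUSServer       = $wsus
    WSUSConfigured   = $wsusConfigured
    DeferQualityDays = $deferQuality
    DeferFeatureDays = $deferFeature
    DualScanActive   = $dualScan
    DriversFromWU    = $dualScan -and ($excludeDrivers -ne 1)
}

if ($dualScan -and $excludeDrivers -eq 1) {
    Write-Warning 'Dual Scan is active but ExcludeWUDriversInQualityUpdate=1: drivers will not come from Microsoft Update.'
}
```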

Despite the good tools provided by vendors such as HP and Dell, managing drivers in System Center Configuration Manager is still a dreadful task, so this approach may reduce administrative effort dramatically…
 

ConfigMgr: first impressions deploying a Distribution Point on a server core installation…

Recently I’ve been investigating deploying server core installations of Windows Server 2012 R2, 2016 and newer. Deploying a server core installation has become more viable for the following reasons:

  • Smaller footprint;
  • More secure; with tools like RSAT, Remote PowerShell and Windows Admin Center, a GUI may no longer be required if the workload can run on a server core installation;
  • Easy to manage with the remote tools mentioned before and requires less updating.

Well, Configuration Manager is one of those tools that remains strongly dependent on a GUI, except for the Distribution Point role; see https://docs.microsoft.com/en-us/sccm/core/plan-design/configs/supported-operating-systems-for-site-system-servers for more information.

Unfortunately, you will lose the ability to deploy with PXE and Multicast, since Windows Deployment Services is not available on server core (see https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831764(v=ws.11); this applies to Windows Server 2016 and newer as well), so you need to use media. I’d recommend using bootable media only, since it won’t change that often. In the past this would have been terrible. However, image building and deployment has lost its importance with Windows 10, and this is something I noticed as well. Nowadays I rarely recommend building reference images and consider plain unattended setups that include some extras (drivers, updates, apps and more) instead. The actual deployment may take a bit longer, but it provides absolute flexibility.

The only scenarios where PXE and Multicast are more viable are mass deployments at places such as schools and universities, but this is just my opinion…

Deploying a Configuration Manager site mostly consists of at least three servers:

  • Site Server & Site Database Server (yes, a locally installed SQL instance);
  • Management Point, SUP, Application Catalogs and others except Distribution Point;
  • Distribution Point.

A Distribution Point is something that I normally don’t protect by some sort of backup mechanism. If a DP is broken, just reinstall and redistribute all content.

OK, so now to my first impressions, here they are:

  • A clean server core installation misses some basic prerequisites, i.e. Remote Differential Compression;
  • After adding the server as a Distribution Point, these basic prerequisites are not installed automatically;
  • Data Deduplication works like a charm;
  • Distribution of content fails due to the missing prerequisites.

So eventually, this means it’s recommended to install the prerequisites yourself before adding the server as a Distribution Point. Fortunately, this is not difficult and will prevent a lot of frustration.
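An added pre-flight script (not the product’s own code) that installs and then re-verifies the prerequisites on a server core box before it is added as a Distribution Point. RDC is the prerequisite named above; the IIS feature names are my assumption based on the documented DP prerequisites, so compare the list with the supported-configurations page linked earlier before relying on it.

```powershell
# Added example: server core Distribution Point prerequisite pre-flight.
$required = @(
    'RDC',               # Remote Differential Compression (named in the post)
    'Web-Server',        # IIS                                (assumed from docs)
    'Web-ISAPI-Ext',     # ISAPI Extensions                   (assumed from docs)
    'Web-Windows-Auth',  # Windows Authentication             (assumed from docs)
    'Web-Metabase',      # IIS 6 Metabase Compatibility       (assumed from docs)
    'Web-WMI'            # IIS 6 WMI Compatibility            (assumed from docs)
)
# Optional: Data Deduplication for the content library volume, as used in the post
$optional = @('FS-Data-Deduplication')

$missing = Get-WindowsFeature -Name $required |
    Where-Object { $_.InstallState -ne 'Installed' }

if ($missing) {
    Write-Host "Installing missing prerequisites: $($missing.Name -join ', ')"
    # Install-WindowsFeature resolves feature dependencies itself
    $result = Install-WindowsFeature -Name $missing.Name
    if ($result.RestartNeeded -eq 'Yes') {
        Write-Warning 'A restart is required before adding the Distribution Point role.'
    }
}

# Verify again and fail loudly: ConfigMgr will not add these for you, and
# content distribution fails silently-ish if they are absent.
$still = Get-WindowsFeature -Name $required |
    Where-Object { $_.InstallState -ne 'Installed' }
if ($still) {
    throw "Prerequisites still missing: $($still.Name -join ', ')"
}

# Final report of required and optional features
Get-WindowsFeature -Name ($required + $optional) |
    Select-Object Name, DisplayName, InstallState
```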

After that, it just works the same way as a GUI based server but without the overhead you don’t really need anyway. Except when you need PXE or multicast…

 

 

ConfigMgr: An attempt to liberate yourself from managing drivers

This attempt may not be suitable for the faint-hearted and it may be interpreted as if I’m dropping a bomb, but here it goes.

In all those years working with Configuration Manager, managing drivers for devices remains a daunting task. It is time consuming and requires a lot of administrative effort and storage. It is also difficult to explain to customers how to deal with it properly; just not my kind of fun…

With the release of Windows 10 and Microsoft’s approach with the semi-annual update channels it may make sense to reevaluate the daunting task of driver management.

Wouldn’t it be great if it could be thrown out of the window (no pun intended) so you don’t have to bother about it anymore?

Well, the answer is yes if you meet the following requirements:

Microsoft has also redesigned update deployment for Windows 10. The number of updates has been significantly reduced by merging all updates into a single monthly bundle, which increases the build version of Windows 10 as well. From Windows 10 1607 onwards, a feature called ‘Dual Scan’ has been introduced as well, so you may even wonder if you can throw Update Management in Configuration Manager out of the window too. I understand this may be hard to let go, but it releases you from all this administrative effort as well, as long as the required processes and company policies are in place allowing you to have this automated…

To summarize it all: wouldn’t it be great to have a fully patched machine, including all drivers, during deployment?

After investigating, I found an old but still valid approach by Chris Nackers which is available at http://blogs.catapultsystems.com/cnackers/archive/2011/04/28/using-ztiwindowsupdate-wsf-to-install-updates-in-a-system-center-configuration-manager-task-sequence/

I followed the steps, except that I left the variable required by ZTIWindowsUpdate.wsf unset, to make sure the script goes to Microsoft Update and retrieves all required updates from there. Additionally, I checked the ‘Continue on error’ checkbox to make sure the Task Sequence can continue in case update installation fails. During testing I noticed that an old printer driver failed to update while the rest installed properly. Enabling the ‘Continue on error’ checkbox is easier than collecting all exit codes.

In my scenario, it looks like this.

Alternatively, you can place the step after installing all applications so they may be updated as well.

Of course this requires some testing; if some devices are not installed because the driver is not available on Microsoft Update, then you can add those drivers yourself.

Since Microsoft likes GitHub so much, you can even download ZTIWindowsUpdate.wsf (and ZTIUtility.wsf) and edit them to your liking (e.g. reducing the number of retries); you find them at https://github.com/monosoul/MS-Deployment-toolkit-scripts/tree/master/Scripts

 

The result is the deployment may take some time but you have a fully updated machine and don’t need to bother about managing drivers afterwards.

Also, allowing Dual Scan will keep updating drivers afterwards, so that part of keeping the device up to date is covered as well…

 

Installing Windows 10 over the Internet, how cool is that?

I’ve been planning to do this for a while but time or to a lesser extent motivational constraints prevented me from doing so.

To be honest, installing Windows 10 (or many previous versions of Windows) over the Internet is something I couldn’t understand Microsoft not making available. To me, it is nothing revolutionary. After all, installing an Operating System over the Internet has been available on Linux for quite some time.

Nowadays, more and more organizations are cleaning up their on-premises infrastructures and moving them to the cloud. While this is great, it may pose some challenges for deploying clients when no local infrastructure is available anymore to facilitate this. Many organizations would also like to use their own reference images.

A certain technology caught my attention that makes this possible today: Azure File shares.

Azure File shares allow organizations to deploy Windows 10 using a network installation. The only difference is that the network share is at an Azure location of your choice.

To keep this simple, I created an Azure File share using the following instructions:

To make this work, communication over port 445 needs to be allowed. Some ISPs block this port, which would completely defeat this approach.

Once the Azure File share is created and access is available, all that needs to be done is to copy either the Windows 10 installation files or reference images you created yourself. I chose to place the Windows 10 installation files on the share.

The next step is creating a WinPE boot CD using the instructions available at https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/winpe-create-a-boot-cd-dvd-iso-or-vhd

After creating the ISO file, I simply created a bootable USB drive and copied the files onto it. I also added a simple .cmd file that mounts the network share, to avoid typing errors, using the instructions at https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-windows

To start the installation, I took the following steps:

  1. Boot from the USB drive
  2. Verify the network drivers are loaded and an IP-address has been assigned to the NIC
  3. Mount the Azure File Share
  4. Browse to the installation files
  5. Start setup.exe
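Steps 2 to 5 as an added PowerShell script for WinPE (not the .cmd file from the post). It assumes the WinPE-PowerShell optional component (and its dependencies) was added to the boot image; the storage account name, share name, key and the folder holding setup.exe are placeholders. It also turns the port 445 caveat above into an explicit check, so a blocked ISP fails fast instead of hanging in net use. The storage account key is a full-access credential: keep it in a dedicated storage account holding only installation media and rotate it once the deployment is done.

```powershell
# Added example: mount an Azure File share from WinPE and start Windows setup.
$account  = 'STORAGEACCOUNTPLACEHOLDER'   # placeholder
$share    = 'SHAREPLACEHOLDER'            # placeholder
$key      = 'STORAGEKEYPLACEHOLDER'       # placeholder; full-access credential, rotate after use
$drive    = 'Z:'
$endpoint = "$account.file.core.windows.net"

# Step 2: is there a usable IPv4 address? Test-NetConnection is not guaranteed
# to exist in WinPE, so plain .NET calls are used instead.
$addrs = [System.Net.Dns]::GetHostAddresses([System.Net.Dns]::GetHostName()) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' -and
                   -not $_.ToString().StartsWith('169.254.') }
if (-not $addrs) {
    throw 'No IPv4 address assigned; load the NIC driver first (drvload <driver.inf>).'
}

# The post's caveat: SMB needs outbound TCP 445, which some ISPs block.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $iar = $tcp.BeginConnect($endpoint, 445, $null, $null)
    if (-not $iar.AsyncWaitHandle.WaitOne(5000)) {
        throw "TCP 445 to $endpoint is blocked or unreachable; this approach will not work here."
    }
    $tcp.EndConnect($iar)
} finally {
    $tcp.Close()
}

# Step 3: mount the share with the storage account credential (AZURE\<account>)
& net use $drive "\\$endpoint\$share" /user:"AZURE\$account" $key
if ($LASTEXITCODE -ne 0) {
    throw "net use failed with exit code $LASTEXITCODE"
}

# Steps 4 and 5: locate setup.exe (folder name is an assumption) and start it
$setup = Join-Path $drive 'Win10\setup.exe'
if (-not (Test-Path $setup)) {
    throw "setup.exe not found at $setup"
}
Start-Process -FilePath $setup -Wait
```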

After providing the required information for Windows setup, the installation was running. I tested this scenario at home. I am quite fortunate to have a decent Internet connection (300 Mbit/sec up/down FTTH). I wouldn’t really recommend this if network bandwidth is limited, unless you have a lot of time on your hands. Nevertheless, using your own reference images and deploying machines while employees are sleeping may also work, but that’s up to you.

For the sake of this blog, I couldn’t be bothered to automate my deployment.

What would be really interesting is to see if I can place an MDT Deployment share on an Azure File share to deploy Windows over the Internet. I also would be very interested if Microsoft allows Windows 10 deployments using the http(s) protocol and not bother about shares at all. Ultimately, I’d like to run Windows setup using http(s) directly from Microsoft and having Microsoft maintain the setup with updates.

Seriously, how cool would that be?

 

Posted by on 18/02/2018 in Uncategorized

 

Upgrading to Configuration Manager CB, going all the way…

Well, it’s been a while since I wrote something about Configuration Manager. I worked a lot with this technology but I was never able to really move away from it. I guess it has something to do with experience. If you’re experienced with something and you’ve proven to be good at it, then people will request it…

The good side of this experience is that customers I worked with in the past ask me again to assist them with this technology…

Based on what I’ve seen so far, adoption of Windows 10 is going steadily. With the release of the Fall Creators Update (1709), it is possible to join both Active Directory and Azure Active Directory. This allows coexistence between the two and introduces two management platforms for devices:

  • Configuration Manager
  • Intune

While it is possible to create a hybrid environment by using Intune as a stepping stone for mobile devices while managing them from Configuration Manager, I wouldn’t recommend doing so, since I consider it no longer necessary; it has become obsolete. I was never a big fan of the Intune integration within Configuration Manager. But that is something for a different post.

Managing Windows 10 devices with Configuration Manager is strongly recommended with the Current Branch releases because of their native support for Windows 10. Microsoft supports a number of in-place upgrade paths, which are documented at https://docs.microsoft.com/en-us/sccm/core/servers/deploy/install/upgrade-to-configuration-manager

So recently I was asked to do an in-place upgrade of an existing System Center 2012 Configuration Manager SP1 site (a stand-alone Primary Site) running on a server with the following components:

  • Operating System: Windows Server 2012
  • SQL Version: 2012 Standard Edition SP1
  • ADK for Windows 8
  • Integrated MDT 2012 SP1

All components needed to be upgraded to the latest version; at that time the following components needed to be there:

  • Operating System: Windows Server 2016
  • SQL Version: 2016 Standard Edition
  • ADK for Windows 10 1709
  • Integrated MDT version 8443

Doing an in-place upgrade was technically and politically the best way to go.

So I got started by making a full backup of the Site Database and moving it to a different location (a file share). The next step was stopping all Configuration Manager services. I was then able to get started using the following sequence, with a few challenges:

  • In-place upgrade to Windows Server 2016: I was forced to uninstall Endpoint Protection before upgrading
  • In-place upgrade to SQL 2016 Standard Edition: Needed to install SQL 2012 SP2 prior to upgrading to SQL 2016
  • ADK for Windows 8 had to be uninstalled prior to installing ADK for Windows 10 1709
  • In-place upgrade to Configuration Manager 1702 itself: After the upgrade IIS services were disabled so they had to be enabled and started again. Some components failed to update but they did once IIS services were started again
  • For MDT I removed the ConfigMgr Integration before uninstalling the old version and installing the latest one. For the new version I configured the ConfigMgr Integration again

After upgrading, a small to-do list remained:

  • WSUS post install had to be run once more. Apparently, WSUS configuration was gone after upgrading
  • New MDT Boot Images had to be created
  • MDT Packages (Toolkit, Settings and USMT) needed to be created with the new version
  • Existing Task Sequences needed to be modified

To summarize it: all went pretty smoothly and the new Configuration Manager features can be used.

After that, the site was upgraded to Configuration Manager 1706 using the Console…

 

Enrolling lots of Windows 10 devices to Microsoft Intune, why bother?

Recently I’ve been involved in a few Microsoft Intune deployments.

These are standalone environments, so no hybrid scenario with System Center Configuration Manager. As we all know, Microsoft Intune can be purchased separately, but that’s something I wouldn’t recommend. The pricing models of Enterprise Mobility + Security (EM+S) or Microsoft 365 Enterprise (a.k.a. Secure Productive Enterprise) give you a lot more benefits, making it a true bang for your buck. Organizations who fail to see that will basically defeat themselves, because their competition does embrace this strategy. These subscriptions will replace a lot of on-premises management tools, which liberates administrators from their daily tasks of extinguishing fires…

Microsoft Intune is available in EM+S E3 and Microsoft 365 Enterprise E3 (and in both E5 subscriptions). Both subscriptions also include Azure Active Directory Premium P1, which is a requirement for the goal of this post: making Windows 10 device enrollment really simple.

Following the guidelines at https://docs.microsoft.com/en-us/intune/windows-enroll allows organizations to deliver automatic enrollment for Windows 10 devices when Azure Active Directory Premium is enabled for a user who is assigned an EM+S or 365 Enterprise license. All features are enabled by default, so we know it’s there as long as we don’t fiddle around with them…

So what does this actually mean?

Well, it means that each user who receives a Windows 10 device, preferably Enterprise, will do the device enrollment for you during the OOBE phase of Windows 10. It doesn’t matter whether your organization has 5, 50, 500, 5000 or more devices. How cool is that?

As long as all required licenses are in place, admins don’t need to bother about this at all…

 

 

My first Azure Stack TP2 POC deployment ending in disaster…

Today I had the opportunity to attempt to deploy my first Azure Stack TP2 POC. Having this DataON CiB-9224 available allowed me to have a go at deploying an Azure Stack TP2 POC environment. I was able to do this after finishing some testing of Windows Server 2016 on the platform. The results of those tests are available at https://mwesterink.wordpress.com/2017/01/19/case-study-running-windows-server-2016-on-a-dataon-cib/

Before I started testing, I reviewed the hardware requirements, which are available at https://docs.microsoft.com/nl-nl/azure/azure-stack/azure-stack-deploy

Unfortunately, a small part made me wonder whether I would actually succeed in deploying Azure Stack. Here’s a quote of the worrying part:

Data disk drive configuration: All data drives must be of the same type (all SAS or all SATA) and capacity. If SAS disk drives are used, the disk drives must be attached via a single path (no MPIO, multi-path support is provided).

Damn, again a challenge with MPIO. Such a shame since I meet all other hardware requirements.

So I decided to have a go anyway and figure out why MPIO is not supported by deploying Azure Stack TP2 regardless. I followed the instructions at https://docs.microsoft.com/nl-nl/azure/azure-stack/azure-stack-run-powershell-script to see what happens…

I used a single node of the CiB-9224 with only four 400 GB SSD disks. I turned the other node off and disabled all unused NICs.

After a while I decided to check its progress and noticed that nothing was happening at a specific step (there was an hour between the latest log entry and the time I went to check). Here’s a screenshot of where the deployment was ‘stuck’:

[Screenshot: stuck_at_s2d]

It seems the script was trying to enable Storage Spaces Direct (S2D). Knowing that S2D is not supported with MPIO, I terminated the deployment and wiped all data because I knew I was going to be unsuccessful. At least I know why.

I didn’t meet all hardware requirements after all. Fortunately it gave me some insight into how to deploy Azure Stack, so when I do have hardware that meets the requirements, at least I know what to do…

Looking at the requirements again, it’s obvious that the recommended way to go is with single channel JBOD.

 

 

 
 