Category Archives: System Center Configuration Manager

ConfigMgr: a second attempt to REALLY liberate yourself from driver management…

In a previous post, I made an attempt to use Microsoft Update for downloading and installing all drivers during an Operating System deployment task with System Center Configuration Manager or Microsoft Deployment Toolkit. This approach works pretty well as long as hardware vendors use components whose drivers are published on Microsoft Update. This requires some testing and if something’s missing, then alternative methods are available.

This works great during deployment, but how about maintaining drivers during normal operation? After all, since drivers are not managed in this scenario, the process of receiving updated drivers needs to continue. As we all know, System Center Configuration Manager doesn’t support deploying drivers using Software Updates since the Update Classification ‘Drivers’ is not available (it is in WSUS though) so that’s not an option.

Fortunately, since Windows 10 1607 a feature called Dual Scan is available and can be used in conjunction with Software Updates in System Center Configuration Manager. This allows organizations to use both sources for managing updates so Microsoft Update can be used to update drivers.

The easiest way to do it is to deploy Windows Update for Business policies with System Center Configuration Manager (assuming Intune is not used). All that needs to be done is to follow the instructions at https://docs.microsoft.com/en-us/sccm/sum/deploy-use/integrate-windows-update-for-business-windows-10#configure-windows-update-for-business-deferral-policies

Within a policy, you can include drivers to be deployed by checking the option ‘Include drivers with Windows Update’. Roughly said, you can kiss driver management in System Center Configuration Manager goodbye.

Despite the availability of good tools provided by vendors such as HP and Dell, managing drivers in System Center Configuration Manager is still a dreadful task. So this approach may reduce administrative effort dramatically…

ConfigMgr: first impressions deploying a Distribution Point on a server core installation…

Recently I’ve been investigating deploying server core installations of Windows Server 2012 R2, 2016 and newer. Deploying a server core installation has become more viable for the following reasons:

  • Smaller footprint;
  • More secure: with tools like RSAT, Remote PowerShell and Windows Admin Center, a GUI may no longer be required if the workload can run on a server core installation;
  • Easy to manage with the remote tools mentioned before and requires less updating.

Well, Configuration Manager is one of those tools that remains strongly dependent on a GUI, except for the Distribution Point role, see https://docs.microsoft.com/en-us/sccm/core/plan-design/configs/supported-operating-systems-for-site-system-servers for more information.

Unfortunately, you will lose the ability to deploy using PXE and Multicast since Windows Deployment Services is not available on server core, see https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831764(v=ws.11) (this applies to Windows Server 2016 and newer as well), so you need to use media. I’d recommend using bootable media only since it won’t change that often. This would have been terrible in the past. However, image building and deployment has lost its importance with Windows 10 and this is something I noticed as well. Nowadays, I hardly ever recommend building reference images and instead consider just unattended setups including some stuff (drivers, updates, apps and other). The actual deployment may take a bit longer but it provides absolute flexibility.

The only scenarios where PXE and Multicast are more viable are mass deployments at places such as schools and universities, but this is just my opinion…

Deploying a Configuration Manager site mostly consists of at least three servers:

  • Site Server & Site Database Server (yes, a locally installed SQL instance);
  • Management Point, SUP, Application Catalogs and others except Distribution Point;
  • Distribution Point.

A Distribution Point is something that I normally don’t protect by some sort of backup mechanism. If a DP is broken, just reinstall and redistribute all content.

OK, so now to my first impressions, here they are:

  • A clean server core installation misses some basic prerequisites, e.g. Remote Differential Compression;
  • After adding the server as a Distribution Point, some basic prerequisites are not automatically installed;
  • Data Deduplication works like a charm;
  • Distribution of content fails due to the missing prerequisites.

So eventually, this means it’s recommended to install the prerequisites yourself before adding the server as a Distribution Point. Fortunately, this is not so difficult and will prevent a lot of frustration.
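One way to do that up front, as an added example that is not part of the original post: the script below reports the state of the features a Distribution Point needs and installs the missing ones when run with -Install. The feature list is an assumption taken from Microsoft's documented Distribution Point prerequisites (the post names only Remote Differential Compression), and the parameter names are hypothetical.

```powershell
# Added example, not from the original post.
# Assumption: feature list per Microsoft's documented Distribution Point
# prerequisites; the post itself names only Remote Differential Compression.
[CmdletBinding()]
param(
    [string]$ComputerName = $env:COMPUTERNAME,  # hypothetical: the server core machine
    [switch]$Install                            # without this switch the script only reports
)

$required = @(
    'RDC',               # Remote Differential Compression
    'Web-Server',        # IIS
    'Web-ISAPI-Ext',     # ISAPI Extensions
    'Web-Windows-Auth',  # Windows Authentication
    'Web-Metabase',      # IIS 6 Metabase Compatibility
    'Web-WMI'            # IIS 6 WMI Compatibility
)

# Works remotely, so it can be run from a management machine with RSAT.
$found = @(Get-WindowsFeature -Name $required -ComputerName $ComputerName)

$report = foreach ($name in $required) {
    $feature = $found | Where-Object Name -eq $name
    [pscustomobject]@{
        Feature = $name
        # 'NotOffered' means this OS installation does not list the feature at all.
        State   = if ($feature) { [string]$feature.InstallState } else { 'NotOffered' }
    }
}
$report | Format-Table -AutoSize

# 'Available' can be installed directly. 'Removed' needs an install source,
# 'NotOffered' cannot be installed on this edition, so both are only flagged.
$missing = @($report | Where-Object State -eq 'Available' | ForEach-Object Feature)
$blocked = @($report | Where-Object { $_.State -in 'Removed', 'NotOffered' } |
    ForEach-Object Feature)

if ($blocked.Count -gt 0) {
    Write-Warning ("Cannot be installed as-is: " + ($blocked -join ', '))
}

if ($missing.Count -eq 0) {
    'No installable prerequisites are missing.'
}
elseif ($Install) {
    $result = Install-WindowsFeature -Name $missing -ComputerName $ComputerName
    'Installed: {0}; success: {1}; restart needed: {2}' -f `
        ($missing -join ', '), $result.Success, $result.RestartNeeded
}
else {
    'Missing (run again with -Install): ' + ($missing -join ', ')
}
```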

After that, it just works the same way as a GUI based server but without the overhead you don’t really need anyway. Except when you need PXE or multicast…

ConfigMgr: An attempt to liberate yourself from managing drivers

This attempt may not be suitable for the faint-hearted and it may be interpreted as if I’m dropping a bomb but here it goes.

In all those years working with Configuration Manager, managing drivers for devices remains a daunting task. It is time consuming, requires a lot of administrative effort and storage as well. It is also difficult to explain to customers how to deal with it accordingly, just not my kind of fun…

With the release of Windows 10 and Microsoft’s approach with the semi-annual update channels it may make sense to reevaluate the daunting task of driver management.

Wouldn’t it be great if it could be thrown out of the window (no pun intended) so you don’t have to bother about it anymore?

Well, the answer is yes if you meet the following requirements:

Microsoft has also redesigned update deployment for Windows 10. The number of updates has been significantly reduced by merging all updates in a single monthly bundle which will increase the build version of Windows 10 as well. From Windows 10 1607 and newer, a feature called ‘Dual Scan’ has been introduced as well, so you may even wonder if you can throw Update Management in Configuration Manager out of the window too. I understand this may be hard to let go, but releasing yourself from all this administrative effort allows you to liberate yourself from this as well, unless the required processes and company policies are in place allowing you to have this automated…

To summarize it all, wouldn’t it be great to have a fully patched machine including all drivers during deployment?

After investigating, I found an old but still valid approach by Chris Nackers which is available at http://blogs.catapultsystems.com/cnackers/archive/2011/04/28/using-ztiwindowsupdate-wsf-to-install-updates-in-a-system-center-configuration-manager-task-sequence/

I followed the steps except setting the variable (by not setting it) required by ZTIWindowsUpdate.wsf to make sure the script will go to Microsoft Update and retrieve all required updates from there. Additionally, I did check the ‘Continue on error’ checkbox to make sure the Task Sequence can continue in case update installation fails. During testing I noticed some old printer driver failed to update while the rest installed properly. Enabling the ‘Continue on error’ checkbox is easier than collecting all exit codes.

In my scenario, it looks like this.

Alternatively, you can place the step after installing all applications so they may be updated as well.

Of course, this requires some testing: if some devices are not installed because the driver is not available on Microsoft Update, then you can add them yourself.
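A way to run that test on a freshly deployed machine, as an added example that is not part of the original post: it lists the devices Windows reports a problem for and checks whether a pending driver update covers them. It assumes an elevated session with internet access and queries the online Windows Update service directly; the report column names are made up for the example.

```powershell
# Added example, not from the original post. Run elevated on a test machine
# right after the task sequence has finished.

# Devices Windows reports a problem for. Device Manager code 28 means
# "the drivers for this device are not installed".
$problem = @(Get-CimInstance -ClassName Win32_PnPEntity |
    Where-Object { $_.ConfigManagerErrorCode -ne 0 })

# Ask the online service which driver updates are still pending.
# ServerSelection 2 is ssWindowsUpdate, so a configured WSUS/SUP is bypassed.
$offeredIds = @()
try {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $searcher.ServerSelection = 2
    $result = $searcher.Search("IsInstalled=0 and Type='Driver'")
    foreach ($update in $result.Updates) {
        # Driver updates expose the hardware ID they were matched on.
        if ($update.DriverHardwareID) { $offeredIds += $update.DriverHardwareID }
    }
}
catch {
    # Typical causes: no internet access, or a policy that blocks online scans.
    Write-Warning "Online scan failed: $($_.Exception.Message)"
}

$report = foreach ($device in $problem) {
    $ids = @($device.HardwareID | Where-Object { $_ })
    # -contains compares strings case-insensitively
    $hit = @($ids | Where-Object { $offeredIds -contains $_ })
    [pscustomobject]@{
        Device         = $device.Name
        ErrorCode      = $device.ConfigManagerErrorCode
        HardwareId     = $ids | Select-Object -First 1
        PendingOnline  = ($hit.Count -gt 0)
    }
}

if (-not $report) {
    'No devices with a problem code.'
}
else {
    $report | Sort-Object PendingOnline, Device | Format-Table -AutoSize

    # Code 28 with no pending update: these drivers have to be added yourself.
    $manual = @($report | Where-Object { $_.ErrorCode -eq 28 -and -not $_.PendingOnline })
    'Devices without a driver and without a pending update: {0}' -f $manual.Count
}
```

Devices listed with PendingOnline set to True are covered by an update that has not installed yet, for example because the update step failed and the task sequence continued on error.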

Since Microsoft likes GitHub so much, you can even download ZTIWindowsUpdate.wsf (and ZTIUtility.wsf) as well and even edit it to your liking (e.g. reducing the number of retries). You can find it at https://github.com/monosoul/MS-Deployment-toolkit-scripts/tree/master/Scripts

The result is that the deployment may take some time but you have a fully updated machine and don’t need to bother about managing drivers afterwards.

Also, allowing Dual Scan will keep drivers updated as well, covering that part of updating the device too…

Upgrading to Configuration Manager CB, going all the way…

Well, it’s been a while since I wrote something about Configuration Manager. I worked a lot with this technology but I was never able to really move away from it. I guess it has something to do with experience. If you’re experienced with something and you’ve proven to be good at it, then people will request it…

The good side of this experience is that customers I worked with in the past ask me again to assist them with this technology…

Based on what I’ve seen so far with Windows 10, adoption is going steadily. With the release of the Fall Creators Update (1709), it is possible to join both Active Directory and Azure Active Directory. This allows coexistence between, and introduces, two management platforms for devices:

  • Configuration Manager
  • Intune

While it is possible to create a hybrid environment by using Intune as a stepping stone for mobile devices while managing them from Configuration Manager, I wouldn’t recommend doing so since I consider it no longer necessary and obsolete. I wasn’t a big fan of the Intune integration within Configuration Manager. But that is something for a different post.

Managing Windows 10 devices with Configuration Manager is strongly recommended with the Current Branch releases because of its native support for Windows 10. Microsoft supports a number of in-place upgrade paths which are documented at https://docs.microsoft.com/en-us/sccm/core/servers/deploy/install/upgrade-to-configuration-manager

So recently I was asked to do an in-place upgrade of an existing System Center 2012 Configuration Manager SP1 site (a stand alone Primary Site) running on a server with the following components:

  • Operating System: Windows Server 2012
  • SQL Version: 2012 Standard Edition SP1
  • ADK for Windows 8
  • Integrated MDT 2012 SP1

All components needed to be upgraded to the latest version; at that time the following components needed to be there:

  • Operating System: Windows Server 2016
  • SQL Version: 2016 Standard Edition
  • ADK for Windows 10 1709
  • Integrated MDT version 8443

Doing an in-place upgrade was technically and politically the best way to go.

So I got started by making a full backup of the Site Database and moved it to a different location (a file share). The next step was stopping all Configuration Manager services. I was then able to get started using the following sequence with a few challenges:

  • In-place upgrade to Windows Server 2016: I was forced to uninstall Endpoint Protection before upgrading
  • In-place upgrade to SQL 2016 Standard Edition: Needed to install SQL 2012 SP2 prior to upgrading to SQL 2016
  • ADK for Windows 8 had to be uninstalled prior to installing ADK for Windows 10 1709
  • In-place upgrade to Configuration Manager 1702 itself: After the upgrade IIS services were disabled so they had to be enabled and started again. Some components failed to update but they did once IIS services were started again
  • For MDT I removed the ConfigMgr Integration before uninstalling the old version and installing the latest one. For the new version I configured the ConfigMgr Integration again

After upgrading, a small to-do list emerged that needed to be done:

  • WSUS post install had to be run once more. Apparently, WSUS configuration was gone after upgrading
  • New MDT Boot Images had to be created
  • MDT Packages (Toolkit, Settings and USMT) needed to be created with the new version
  • Existing Task Sequences needed to be modified

To summarize it, all went pretty smoothly and new Configuration Manager features can be used.

After that, the site was upgraded to Configuration Manager 1706 using the Console…

Looking back at 2015…

So, the year 2015 is almost at its end. While I write this, I am already in the second week of my two-week time off. And boy, I really needed this two-week break.

2015 was an extremely busy year for me, and I can actually cut the year in half.

In the first half, I was still busy participating in a project where I designed and deployed System Center 2012 R2 Configuration Manager. I also built a stand-alone Image Building environment running MDT 2013. Unfortunately, the project took way longer than expected due to the customer being unable to take ownership and start administering it by themselves. Eventually I decided to walk away after the contractual end date of my involvement despite the fact the project isn’t finished yet. The longer it took, the more frustrating the project became for me so the decision to walk away was eventually the right one.

This takes me to the second half. In the second half, I saw a dramatic shift in my job since I did only one Configuration Manager design and deployment in the second half of 2015. I started to extend my skillset on Enterprise Client Management a bit more with Microsoft Intune and Microsoft’s Public Cloud platform: Azure.

I also started to deliver more workshops, master classes and training sessions. This is something I really like to do and I want to thank those who made it possible for me. It allowed me to renew my Microsoft Certified Trainer certification.

Fortunately, the frustrations of the first half provided some learning moments which required me to become a more complete consultant. So my coworker arranged a two day training session for me called “Professional Recommending” (this may be a poor translation of Professioneel Adviseren in Dutch) provided by Yearth. This is by far the most important training I received in my career and it really started to pay off pretty quickly by receiving more positive feedback from customers. I became a more complete consultant with this training.

I was also happy to do the presentation workshop with Monique Kerssens and Jinxiu Hu from Niqué Consultancy BV at ExpertsLive 2015. I was happy to receive the feedback that my presentation skills have developed greatly. To quote them: “you’re standing like a house”.

The icing on the cake came at the end of this year when I was asked to review the DataON CiB-9224 platform. You can read the review in my previous post.

So, I experienced some highs and lows this year. Fortunately, the highs came at the second half.

I look forward to 2016, but that’s for another post…

Investigating a ConfigMgr TP3 deployment workflow

Recently, Microsoft released System Center Technical Preview 3 for testing purposes. I found some time to investigate how to install it. The main focus of my investigation was to determine if the workflow for deploying it is different compared to ConfigMgr 2012 SP2/R2 SP1.

It also allowed me to determine if it would make sense to create a site server on Microsoft Azure. Except for PXE and/or multicast enabled distribution points it would make sense to host the site server there.

To determine if the workflow is different or not, I used the following setup (I have limited Azure credits so I have to keep my resources low):

  • 1 Azure Cloud Service
  • 1 VNet
  • 1 A1 Azure VM configured as DC and local DNS
  • 1 A5 Azure VM configured as ConfigMgr TP3 site server. Two additional virtual disks of 512 GB were added and placed in a single storage pool. A striped virtual disk was created to get some more IOPS.

Both Azure VMs run Windows Server 2012 R2.

I use SQL 2014 SP1 Standard Edition for hosting the site database. I could have used a gallery machine with SQL, but I decided not to and installed SQL 2014 SP1 manually.

NOTE: I made an attempt to use Windows Server 2016 Technical Preview machines, but the performance was quite annoying. I decided to go back to Windows Server 2012 R2 instead.

For ConfigMgr 2012 deployments, I use the following workflow:

  1. Install Roles & Features
  2. Install an SQL instance
  3. Install Windows 10 ADK
  4. Extend AD Schema and configure delegation
  5. Configure WSUS
  6. Install ConfigMgr

I followed the workflow displayed above for deploying ConfigMgr TP3. Not surprisingly, the result is the same. I also noticed that the site server is perfectly happy to run on the Azure platform. For distribution points, I’d suggest using an on-premises machine for distributing content…

Possible workaround for capturing a Windows 10 reference image with MDT 2013 Update 1

As most of us should know by now, Microsoft released Microsoft Deployment Toolkit 2013 Update 1, see the announcement at http://blogs.technet.com/b/msdeployment/archive/2015/08/17/mdt-2013-update-1-now-available.aspx

The main improvements are support for Windows 10 and integration of System Center 2012 Configuration Manager SP2/R2 SP1. Unfortunately, this release has quite a lot of issues that make it either very difficult or impossible to properly capture a reference image. A list of known issues is available at http://blogs.technet.com/b/msdeployment/archive/2015/08/25/mdt-2013-update-1-release-notes-and-known-issues.aspx

The issue that bothers me the most is the following, and I quote:

Do not upgrade from Preview to RTM

MDT 2013 Update 1 Preview should be uninstalled before installing the final MDT 2013 Update 1. Do not attempt to upgrade a preview installation or deployment share. Although the product documentation is not updated for MDT 2013 Update 1, the information on upgrading an installation still holds true.

Being a consultant requires me to be an early adopter and to test new stuff so that I am ready when it’s released, which requires me to work with Preview versions of various software. Also, as an IT pro who has an isolated environment available purely for image building purposes, I need to upgrade my deployment share frequently. While I can automate building new deployment shares, it takes time I don’t have to research and test these new technologies. So I don’t have much choice other than upgrading my deployment share. I must admit that releasing this technology with so many known issues is quite sloppy to me. I can only assume that various scenarios may not have been tested thoroughly due to time constraints and that this version was released under a possible amount of pressure.

Trying to build and capture a Windows 10 reference image fails. The capturing itself fails with an error message that a certain script cannot be loaded. The MDT 2013 U1 environment I currently have is for image building purposes only so I don’t have that many customizations configured.

So knowing that the capturing itself fails, I can do the capturing part myself. Knowing that image building is not something I expect you to do every day, the amount of administrative effort increases just a little bit but it’s quite easy to do.

First, we start a deployment using the Windows Deployment Wizard. After selecting my Build and Capture Windows 10 Task Sequence I get the option to select how I want to capture an image.

[Screenshot: capture_option]

I choose not to capture an image by selecting the option Do not capture an image of this computer. This will make the deployment run normally and finish without doing anything afterwards. I do use the option Finishaction=REBOOT in my customsettings.ini to make sure the machine restarts after completion.

The next step is logging on with the local Administrator password to SYSPREP the machine by running the sysprep.exe /oobe /generalize /shutdown command.

[Screenshot: sysprep]

Here we see SYSPREP is in progress. After a small while the machine is turned off.

Now the machine is started again using the LiteTouch boot media (in my case I use WDS) and I wait until the deployment wizard is started once more. The reason why I do this is that my deployment share is available and accessible through the Z: drive, which is automatically mapped. Pressing F8 opens the command prompt.

All I need to do is start capturing an image using DISM, which may look like the screenshot below (hmmm, makes me wonder why I chose that filename).

[Screenshot: Capture_start]

Now the capture can start.

[Screenshot: Capture_progress]

After a while the capture completes and a captured Windows 10 image is available in the Captures folder of the deployment share in use. This image can be used for deployment by MDT 2013 U1, System Center 2012 Configuration Manager SP2/R2 or whatever tool used for deploying .wim files.

Basically the workaround consists of replacing the image capturing part with manual labour. I’m sure that other workarounds may be available but this one works for me. The image capturing should take less than 72 hours since that is the maximum time a WinPE session is allowed to run. Once the 72 hours are up, it will automatically restart the computer. This should be enough though to have the image file created.

Feel free to use this workaround. As usual, testing is required before using it in a production environment.

Let’s hope an updated release will have all these issues solved, the sooner the better…