Category Archives: Windows Client

Looking forward to 2016…

So, after leaving 2015 behind us and getting started in 2016, it’s time to have a look at what 2016 is going to bring us.

2015 was the year that got the adoption of cloud technology really going and I expect more and more organizations to do so or start adopting more features cloud technology offers us. A very nice feature is that organizations start to understand better how convenient it is when the ‘gate’ for end users has shifted from Active Directory to Azure Active Directory.

Three big releases will most likely take place this year:

  • AzureStack;
  • Windows Server 2016;
  • System Center 2016.

I strongly believe the release of Windows Server 2016 will dramatically change the way we’re used to working and I really believe the following two features will enable it:

  • Nano Server;
  • Containers.

Since the release of Windows Server 2016 Technical Preview 3, and even more with Windows Server 2016 Technical Preview 4 we’re able to research and experiment with these two features. Fortunately, I don’t expect Windows Server 2016 RTM to be released in the first half of 2016. This allows me to play around with it and understand how it works so that I am prepared when it becomes available.

So, Windows Server 2016 is quite a big tip of the iceberg. With the rest all coming as well I expect 2016 to be a very busy year. But I expect to have a lot of fun with it as well…

So let’s see what’s going to happen this year, I look forward to it.


Looking back at 2015…

So, the year 2015 is almost at its end. While I write this, I am already in the second week of my two-week time off. And boy, I really needed this two-week break.

2015 was an extremely busy year for me, and I can actually cut the year in half.

In the first half, I was still busy participating in a project where I designed and deployed System Center 2012 R2 Configuration Manager. I also built a stand-alone Image Building environment running MDT 2013. Unfortunately, the project took way longer than expected due to the customer being unable to take ownership and start administering it by themselves. Eventually I decided to walk away after the contractual end date of my involvement despite the fact the project isn’t finished yet. The longer it took, the more frustrating the project became for me so the decision to walk away was eventually the right one.

This takes me to the second half. In the second half, I saw a dramatic shift in my job since I did only one Configuration Manager design and deployment in the second half of 2015. I started to extend my skillset on Enterprise Client Management a bit more with Microsoft Intune and Microsoft’s Public Cloud platform: Azure.

I also started to deliver more workshops, master classes and training sessions. This is something I really like to do and I want to thank those who made it possible for me. It allowed me to renew my Microsoft Certified Trainer certification.

Fortunately, the frustrations of the first half provided some learning moments which required me to become a more complete consultant. So my coworker arranged a two day training session for me called “Professional Recommending” (this may be a poor translation of Professioneel Adviseren in Dutch) provided by Yearth. This is by far the most important training I received in my career and it really started to pay off pretty quickly by receiving more positive feedback from customers. I became a more complete consultant with this training.

I was also happy to do the presentation workshop with Monique Kerssens and Jinxiu Hu from Niqué Consultancy BV at ExpertsLive 2015. I was happy to receive the feedback that my presentation skills have developed greatly. To quote them: “you’re standing like a house”.

The icing on the cake came at the end of this year when I was asked to review the DataON CiB-9224 platform. You can read the review in my previous post.

So, I experienced some highs and lows this year. Fortunately, the highs came at the second half.

I look forward to 2016, but that’s for another post…

 

 

Possible workaround for capturing a Windows 10 reference image with MDT 2013 Update 1

As most of us should know by now, Microsoft released Microsoft Deployment Toolkit 2013 Update 1, see the announcement at http://blogs.technet.com/b/msdeployment/archive/2015/08/17/mdt-2013-update-1-now-available.aspx

The main improvements are support for Windows 10 and integration of System Center 2012 Configuration Manager SP2/R2 SP1. Unfortunately, this release has quite a lot of issues that make it either very difficult or impossible to properly capture a reference image. A list of known issues is available at http://blogs.technet.com/b/msdeployment/archive/2015/08/25/mdt-2013-update-1-release-notes-and-known-issues.aspx

The issue that bothers me the most is the following, and I quote:

Do not upgrade from Preview to RTM

MDT 2013 Update 1 Preview should be uninstalled before installing the final MDT 2013 Update 1. Do not attempt to upgrade a preview installation or deployment share. Although the product documentation is not updated for MDT 2013 Update 1, the information on upgrading an installation still holds true.

Being a consultant requires me to be an early adopter and to test new stuff so that I am ready when it’s released, so I have to work with Preview versions of various software. Also, as an IT pro with an isolated environment available purely for image building purposes, I need to upgrade my deployment share frequently. While I can automate building new deployment shares, it takes time I don’t have to research and test these new technologies. So I don’t have much choice other than upgrading my deployment share. I must admit that releasing this technology with so many known issues is quite sloppy to me. I can only assume that various scenarios may not have been tested thoroughly due to time constraints and that this version was possibly released under some pressure.

Trying to build and capture a Windows 10 reference image fails. The capturing itself fails with an error message that a certain script cannot be loaded. The MDT 2013 U1 environment I currently have is for image building purposes only so I don’t have that many customizations configured.

So knowing that the capturing itself fails, I can do the capturing part myself. Since image building is not something I expect you to do every day, the amount of administrative effort increases just a little bit, but it’s quite easy to do.

First, we start a deployment using the Windows Deployment Wizard. After selecting my Build and Capture Windows 10 Task Sequence I get the option to select how I want to capture an image.

I choose not to capture an image by selecting the option Do not capture an image of this computer. This will make the deployment run normally and finish without doing anything afterwards. I do use the option Finishaction=REBOOT in my customsettings.ini to make sure the machine restarts after completion.

The next step is logging on with the local Administrator password to SYSPREP the machine by running the sysprep.exe /oobe /generalize /shutdown command.

Here we see SYSPREP is in progress. After a small while the machine is turned off.

Now the machine will be started again using the LiteTouch boot media (in my case I use WDS) and wait until the deployment wizard is started once more. The reason why I do this is that my deployment share is available and accessible by the Z: drive which is automatically mapped. Pressing F8 opens the command prompt.

All I need to do is start capturing an image using DISM, which may look like the screenshot below (hmmm, makes me wonder why I chose that filename).

[Screenshot: starting the capture with DISM]

Now the capture can start.

After a while the capture completes and a captured Windows 10 image is available in the Captures folder of the deployment share in use. This image can be used for deployment by MDT 2013 U1, System Center 2012 Configuration Manager SP2/R2 or whatever tool used for deploying .wim files.

Basically the workaround consists of replacing the image capturing part with manual labour. I’m sure that other workarounds may be available but this one works for me. The image capturing should take less than 72 hours since that is the maximum time a WinPE session is allowed to run. Once the 72 hours are up, it will automatically restart the computer. This should be enough though to have the image file created.

Feel free to use this workaround. As usual, testing is required before using it in a production environment.

Let’s hope an updated release should have all these issues solved, the sooner the better…

 

 

 

Thoughts on enabling Microsoft Antimalware extension on Azure virtual machines…

Recently, I was investigating managing the Microsoft Antimalware extension on Azure virtual machines.

As we all know, the Microsoft Antimalware extension can be enabled when creating a new Azure virtual machine in the Azure portal. While the extension can be enabled there, only the default settings will be applied. This might work in most scenarios, but company policy, when specified, may require customization. This may extend to customizing the extension for specific server roles or even desktops.

It became clear that the only way to customize the configuration is using Azure PowerShell.

NOTE: More customization is also possible in the ‘new’ portal available at http://portal.azure.com . At the time of writing this portal is still in Preview though, so it is not supported.

After checking out the cmdlet reference for Azure, I found the Set-AzureVMMicrosoftAntimalwareExtension cmdlet. More information on this cmdlet is available at https://msdn.microsoft.com/en-us/library/dn771716.aspx

After reading the article I noticed that .json files can be used to provision a configuration for the extension. This brings a new challenge: what configuration should be in the .json file for a specific server role.

If an existing System Center Configuration Manager 2012 or newer infrastructure is available and the Endpoint Protection Point is enabled and used, then either existing configurations or the Endpoint Protection templates can be used. The trick is to read a template and ‘translate’ it into a .json file.

I decided to use the Domain Controller template as a reference. After analyzing the template .xml file, the resulting .json may look like this:

{
  "AntimalwareEnabled": true,
  "RealtimeProtectionEnabled": true,
  "ScheduledScanSettings":
  {
    "isEnabled": true,
    "day": 7,
    "time": 120,
    "scanType": "Full"
  },
  "Exclusions":
  {
    "Extensions": ".pol;.chk;.edb;.sdb;.pat",
    "Paths": "%systemroot%\\NTDS\\Ntds.dit;%systemroot%\\NTDS\\EDB*.log;%systemroot%\\NTDS\\Edbres*.jrs;%systemroot%\\SYSVOL\\domain\\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\\;%systemroot%\\SYSVOL\\staging;%systemroot%\\SYSVOL\\staging areas;%systemroot%\\SYSVOL\\sysvol",
    "Processes": ""
  }
}

Keep in mind though that using wildcards in the .json file is not recommended by Microsoft as stated in the cmdlet reference page for the Set-AzureVMMicrosoftAntimalwareExtension cmdlet.

This method allows administrators to create multiple .json files for specific server roles and specify them when enabling the extension.
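One way to check a role-specific .json before it is applied, as an added example that is not part of the original post: the function flags invalid JSON (for instance curly quotes pasted from a web page), disabled protection and wildcard exclusions, and a second function applies the file only when it is clean. The sample JSON is constructed from the Domain Controller template above; the function names and the service, VM and file parameters are assumptions, and the apply step assumes the classic Azure PowerShell module this post uses.

```powershell
# Added example (not from the original post): lint an antimalware .json
# before handing it to Set-AzureVMMicrosoftAntimalwareExtension.
function Test-AntimalwareConfig {
    param([Parameter(Mandatory)][string]$Json)

    $findings = New-Object System.Collections.Generic.List[string]

    # Curly quotes or a stray comma make the file invalid JSON.
    try   { $cfg = $Json | ConvertFrom-Json -ErrorAction Stop }
    catch { $findings.Add("Not valid JSON: $($_.Exception.Message)"); return $findings }

    foreach ($key in 'AntimalwareEnabled', 'RealtimeProtectionEnabled') {
        if ($cfg.$key -isnot [bool]) { $findings.Add("$key is missing or not a boolean") }
        elseif (-not $cfg.$key)      { $findings.Add("$key is set to false") }
    }

    # Every exclusion is a blind spot for the scanner: walk each entry and
    # flag wildcards, which the cmdlet reference advises against.
    foreach ($kind in 'Extensions', 'Paths', 'Processes') {
        $raw = [string]$cfg.Exclusions.$kind
        foreach ($entry in ($raw -split ';' | Where-Object { $_ })) {
            if ($entry -match '[*?]') { $findings.Add("Wildcard in Exclusions.${kind}: $entry") }
        }
    }
    return $findings
}

# Constructed sample: a shortened version of the Domain Controller template.
$sample = @'
{
  "AntimalwareEnabled": true,
  "RealtimeProtectionEnabled": true,
  "ScheduledScanSettings": { "isEnabled": true, "day": 7, "time": 120, "scanType": "Full" },
  "Exclusions": {
    "Extensions": ".pol;.chk;.edb;.sdb;.pat",
    "Paths": "%systemroot%\\NTDS\\Ntds.dit;%systemroot%\\NTDS\\EDB*.log;%systemroot%\\NTDS\\Edbres*.jrs",
    "Processes": ""
  }
}
'@
@(Test-AntimalwareConfig -Json $sample) | ForEach-Object { Write-Warning $_ }

# Apply a file only when the lint is clean. All three parameters are placeholders.
function Set-RoleAntimalwareConfig {
    param([string]$ServiceName, [string]$VMName, [string]$ConfigFile)
    $issues = @(Test-AntimalwareConfig -Json (Get-Content -Raw -Path $ConfigFile))
    if ($issues.Count) { throw "Refusing to apply ${ConfigFile}: $($issues -join '; ')" }
    Get-AzureVM -ServiceName $ServiceName -Name $VMName |
        Set-AzureVMMicrosoftAntimalwareExtension -AntimalwareConfigFile $ConfigFile |
        Update-AzureVM
}
```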

Feel free to use this method yourself. As always, try this out in a test environment or separate subscription used for testing purposes.

Hope this helps…

 

Using PowerShell for bulk Configuration Manager 2012 SP1 (or newer) Client installation…

You might be in the situation that the Configuration Manager Client needs to be installed on many machines. However, automatic client deployment using Client Push is not allowed or not preferred for whatever technical/financial/political reason. Browsing in the Console and selecting a lot of discovered machines may be a very frustrating action. It may also be extremely error prone, especially when you already know which machines need to have a Configuration Manager Client (they’re most likely not deployed by using OSD).

Fortunately, we can use PowerShell to have the Configuration Manager Client installed. What makes it even better is that a single cmdlet is needed to get the job done: Install-CMClient

You can find more info for the Install-CMClient cmdlet at the following location:

https://technet.microsoft.com/library/jj821865(v=sc.20).aspx

If you already know which machines need the Configuration Manager Client to be installed, then you can put them in a .csv file. This allows you to create a PowerShell script that reads each object and runs the cmdlet for each object. A script to get the job done might look like this:

#
# Script name: Install_Client_Bulk.ps1
#
# Purpose: Installs the ConfigMgr client on multiple machines, uses .csv as input
#
# Author: Marc Westerink
#
# Reference: http://technet.microsoft.com/library/jj821865(v=sc.20).aspx
#

# Create the required 'global' variables
$ConfigMgrModulePath = "D:\Program Files\Microsoft Configuration Manager\AdminConsole\bin\ConfigurationManager.psd1"
$ConfigMgrSiteCode = "P01:"

# Connect to the site: load the ConfigMgr module and switch to the site's PSDrive
Import-Module $ConfigMgrModulePath
Set-Location $ConfigMgrSiteCode

# Initiate client installation(s)
# The .csv needs a header row with a column named CMHostName, one host name per row
Import-Csv E:\Install\CMHostName.csv | ForEach-Object {

    $SiteCode = "P01"

    Install-CMClient -SiteCode $SiteCode -AlwaysInstallClient $True -IncludeDomainController $True -DeviceName $_.CMHostName

}

 

Running this script has one downside. Since a lot of machines will be instructed to have the client installed, you will see a lot of entries in the ccm.log file so monitoring its progress might be challenging. So therefore I recommend testing the script with only a few entries in the .csv file (as little as two) to verify everything’s working as expected…

 

An alternative guide for applying CU4 for ConfigMgr 2012 R2

Recently, Cumulative Update 4 for System Center 2012 R2 Configuration Manager 2012 was released. A release like this generally spawns a lot of tweets, blogs, tweets about blogs and their respective retweets, making it hard to miss. It also allowed me to check out which guides are written. While these guides are generally a good way to start, I did notice they generally have the following properties in common:

  • Packages are created containing the updates
  • Device collections are created to deploy them to
  • Optionally, the PATCH=<blabla fix.msp> is used in a task sequence

I try to achieve a matter of simplicity as much as possible and I also try to facilitate a ‘fire and forget’ mechanism as well. If System Center Updates Publisher (SCUP) 2011 is used, then deploying this update becomes much easier. The following location provides a guide that can be used to install SCUP 2011: http://blog.coretech.dk/kea/the-complete-scup-2011-installation-and-configuration-guide/

When SCUP 2011 is used, applying CU4 goes a little bit differently. Here are the steps to do it, assuming the hotfix is downloaded and accessible by the site server. I used http://technet.microsoft.com/en-us/library/jj553405.aspx as a reference.

Before starting, verify a valid backup is available.

First, the update must be applied to the site server.

Log on to the Configuration Manager site server with a user account that has administrative privileges to execute the update.

Start the .exe file to start installing the cumulative update.

Select Next.

Accept the License Terms and select Next.

The prerequisite check verifies if all prerequisites are met. In this screenshot a previous software installation needs to be restarted to be completed. In this case the installation may continue by pressing Next.

The installation is run on the site server which runs the Configuration Manager console. Make sure the checkbox is filled in and press Next.

Select Yes, update the site database and press Next.

The distribution and deployment will be done using Software Updates, which means the packages are not going to be used. To prevent them from being created, uncheck each checkbox and press Next.

Review the summary and select Install.

Installation in progress…

After a few moments the installation is finished successfully. Select Next to continue.

Press Finish to close this window.

System Center Updates Publisher 2011 (SCUP) allows publishing updates to WSUS in conjunction with Configuration Manager that are not published by Microsoft Update. Catalogs are used to import these updates to SCUP 2011 which are then published to WSUS. The cumulative update contains a catalog that can be imported into SCUP 2011.

Start SCUP 2011; make sure to start this application with the Run as administrator feature.

Select the Import button.

Browse to the catalog file (.cab) and press Next.

Press Next.

The security warning pops up. Because Microsoft delivers this hotfix, it is safe to trust them by pressing the Accept button.

The updates are imported successfully. Select Close to close this window.

The updates are now visible in the Console. Select the updates and choose Assign.

The publication type must be Full Content. Create a new publication as displayed and press OK.

In the Publications tab, select the newly created publication and press the Publish button.

Press Next.

Review the summary and press Next.

Publishing in progress…

The updates are published successfully. Press Close to close the window.

All tasks in SCUP are completed and the SCUP console can be closed.
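The security warning during the catalog import asks you to trust the publisher. As an added example that is not part of the original post, the signature on the catalog .cab can be checked before starting the import; the function name, the catalog path and the expected signer organization are assumptions.

```powershell
# Added example (not from the original post): check the Authenticode signature
# of a SCUP catalog before it is imported.
function Test-CatalogSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumption: the catalog is signed with a certificate issued to this organization.
        [string]$ExpectedOrganization = 'O=Microsoft Corporation'
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    $result = [pscustomobject]@{
        File       = $Path
        Status     = $sig.Status
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        Sha256     = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        Trusted    = $false
    }

    # 'Valid' means the file hash matches the signature and the certificate
    # chains to a root this machine trusts; the subject check ties it to the
    # expected publisher instead of any trusted signer.
    $result.Trusted = ($sig.Status -eq 'Valid') -and
                      ($result.Signer -like "*$ExpectedOrganization*")
    return $result
}

$catalog = 'C:\Temp\CU4\catalog.cab'   # placeholder path, not from the post
if (Test-Path $catalog) {
    $check = Test-CatalogSignature -Path $catalog
    $check | Format-List
    if (-not $check.Trusted) {
        Write-Warning "Do not import $catalog : signature check failed ($($check.Status))"
    }
}
```

Recording the thumbprint and SHA-256 alongside the change record makes it possible to confirm later which catalog file was actually published to WSUS.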

 

The final step is distributing the updates for deployment.

The following Software Updates synchronization should pick up the newly published updates. Review the wsyncmgr.log file to verify the updates are synchronized by Software Updates.

Yes, there they are…

It is recommended to have a separate Automatic Deployment Rule which is targeted to the All Desktop and Server Clients device collection. In this scenario, it is not scheduled to run automatically since it rarely has to run. Select the Run Now option to run the Automatic Deployment Rule.

Press OK to confirm.

Verify the newly published updates are part of the Deployment Package. Once present and distributed, Configuration Manager clients are able to download and install the updates automatically. The client itself will determine which particular updates are needed.

That’s it. Feel free to try this method in a test environment before applying this in a production environment.

 

Ending in style and looking back to 2014…

Today is the last day of the year 2014, I ended this year in style by passing exam 70-533: Implementing Microsoft Azure Infrastructure Solutions. I have to admit, this one is hard but I got it and nobody will take that one away from me :)

Sitting at my laptop looking back at 2014, it was quite a tremendous year for me. I changed employer and I started to notice that I needed to expand my knowledge. I also received my MCT certification making me eligible to provide training courses. 2014 is what I consider a breakthrough year for cloud computing. Since I’m a Microsoft minded consultant I’m talking about Azure of course…

But I see quite a split in what technology is available for organizations and what organizations are able or willing to use. 2014 marked the end for Windows XP and many organizations who still use(d) Windows XP are still in the process of migrating to a new Windows Client. At some of my customers I notice some reluctance to directly jump to Windows 8.1 which excludes some cloud related functionality completely. So I spent most of my time working on projects which required my skills on Configuration Manager…

Hopefully this will change in 2015…

 

 

 
 