Download and own part 1 to 18 of the SCCM 2012 R2 Installation Guide in a single PDF file. Use our products page or use the download button below. This blog post won’t be updated, only the document will be.

In part 1 of this SCCM 2012 R2 Installation Guide blog series, we planned our hierarchy, prepared our SCCM 2012 R2 Server and Active Directory.

In part 2, we installed and configured SQL in order to install SCCM 2012 R2.

In part 3, we installed a stand-alone SCCM 2012 R2 Primary site.

In the next 16 parts, we will describe how to install the numerous site systems roles available in SCCM 2012 R2. Role installation order is not important, you can install roles independently of others.

This part will describe how to install SCCM 2012 Application Catalog web service point and the Application Catalog website point.

Role Description

The Application Catalog web service point provides software information to the Application Catalog website from the Software Library.

The Application Catalog website point provides users with a list of available software.

This is not a mandatory site system but you need both the Application Catalog website point and the Application Catalog web service point if you want to provide your user with a Self-Service application catalog (web portal).

Site System Role Placement in Hierarchy

The Application Catalog web service point and the Application Catalog website point are hierarchy-wide options. It’s supported to install those roles on a stand-alone Primary site or child Primary site. It’s not supported to install it on a Central Administration site or Seconday site.  The Application Catalog web service point must reside in the same forest as the site database.

If you’re having less than 10,000 users in your company, co-locating the Application Catalog web service and Application Catalog website roles on the same server should be ok. The web service role connects directly to the SCCM SQL database so ensure that the network connectivity between the SQL server and the Application Catalog web service servers is robust.

If you have more geographically distributed users, consider deploying additional application catalogs to keep responsiveness high and user satisfaction up. Use client settings to configure collections of computers to use different Application Catalog servers.

Read more on how to provide a great application catalog experience to your user in this Technet blog article.

If your client needs HTTPS connections, you must first deploy a web server certificate to the site system. If you need to allow Internet clients to access the application catalog, you also need to deploy a web server certificate to the Management Point configured to support Internet clients. When supporting Internet clients, Microsoft recommends that you install the Application Catalog website point in a perimeter network, and the Application Catalog web service point on the intranet.  For more information about certificates see the following Technet article.

Prerequisites

Using Windows Server 2012, the following features must be installed before the role installation:

Application Catalog web service point

Features:

• .NET Framework 3.5 SP1 and 4.0

WCF activation:

• HTTP Activation
• Non-HTTP Activation

IIS Configuration:

• ASP.NET (and automatically selected options)
• IIS 6 Management Compatibility
  • IIS 6 Metabase Compatibility

Application Catalog website point

Features:

• .NET Framework 4.0

IIS Configuration:

• Common HTTP Features
  • Static Content
  • Default Document
• Application Development
  • ASP.NET (and automatically selected options)
• Security
  • Windows Authentication
• IIS 6 Management Compatibility
  • IIS 6 Metabase Compatibility

SCCM 2012 Application Catalog Installation

For this post we will be installing both role on our stand-alone Primary site using HTTP connections. If you split the roles between different machine, do the installation section twice, once for the first site system (selecting Application Catalog web service point during role selection) and a second time on the other site system (selecting Application Catalog website point during role selection).

• Open the SCCM console
• Navigate to Administration / Site Configuration / Servers and Site System Roles
• Right click your Site System and click Add Site System Roles
• On the General tab, click Next

• On the Proxy tab, click Next

• On the Site System Role tab, select Application Catalog web service point and Application Catalog website point, click Next

• On the Application Catalog Web Service Point
  • In the IIS Website and Web application name fields, leave both to the default values
  • This is just the name that you’ll see in IIS after the installation (see next screenshot). It has nothing to do with your user facing portal
  • Enter the port and protocol that you want to use

• On the Application Catalog WebSite Point
  • In the IIS Website keep the default value
  • In Web application name, enter the name that you want for your Application Catalog. This is the URL that will be published to your users
  • Enter the port and protocol that you want to use

• On the Application Catalog Customizations tab, enter your organisation name and the desired color for your website

• On the Summary tab, review your settings, click Next and complete the wizard

Verification and Logs files

Logs

You can verify the role installation in the following logs:

• ConfigMgrInstallationPath\Logs\SMSAWEBSVCSetup.log and awebsvcMSI.log  – Records details of about the Application Catalog Web Service Point installation
• ConfigMgrInstallationPath\Logs\SMSPORTALWEBSetup.log and portlwebMSI.log – Records details of about the Application Catalog Website Point installation

Status messages

• Open the SCCM Console
• Go to Monitoring / System Status / Component Status
• See status of the components SMS_PORTALWEB_CONTROL_MANAGER and SMS_AWEBSVC_CONTROL_MANAGER

Internet Explorer

Verify that the Application Catalog is accessible :

• Open Internet Explorer
• Browse to http://YourServerName/CMApplicationCatalog
  • Replace YourServerName with the server name on which you installed the Application Catalog Website Point
  • Replace CMApplicationCatalog with the name that you give your Application Catalog. (Default is CMApplicationCatalog)

If everything is setup correctly, you’ll see a web page like this :

URL Redirection

The default URL to access the Application Catalog is not really intuitive for your users.

It’s possible to create a DNS entry to redirect it to something easier (ex: http://ApplicationCatalog)

Client Settings

Ensure that the client settings for your clients are set correctly to access the Application Catalog

• Open the SCCM Console
• Go to Administration / Client Settings
• Right-click your client settings and select Properties
• On the left pane, select Computer Agent
• Click the Set Website button and select your Application Catalog (the name will be automatically populated if your Application Catalog is installed)
• Select Yes on both Add Default Application Catalog website to Internet Explorer trusted site zone and Allow Silverlight application to run in elevated trust mode
• Enter your organisation name in Organisation name displayed in Software Center

That’s it, you’ve installed your SCCM 2012 Application Catalog, publish the link to your user and start publishing your applications.

The post How to install SCCM 2012 Application Catalog appeared first on System Center Dudes.

Download and own part 1 to 18 of the SCCM 2012 R2 Installation Guide in a single PDF file. Use our products page or use the download button below. This blog post won’t be updated, only the document will be.

In part 1 of this SCCM 2012 R2 Installation Guide blog series, we planned our hierarchy, prepared our SCCM 2012 R2 Server and Active Directory.

In part 2, we installed and configured SQL in order to install SCCM 2012 R2.

In part 3, we installed a stand-alone SCCM 2012 R2 Primary site.

In the next 16 parts, we will describe how to install the numerous site systems roles available in SCCM 2012 R2. Role installation order is not important, you can install roles independently of others.

This part will describe how to install SCCM 2012 Enrollment Point and Enrollment Proxy Point site system roles.

Role Description

The Enrollment Point uses PKI certificates for Configuration Manager to enroll mobile devices, Mac computers and to provision Intel AMT-based computers.

The Enrollment Proxy Point manages Configuration Manager enrollment requests from mobile devices and Mac computers.

This is not a mandatory site system but you need both Enrollment Point and Enrollment Proxy Point if you want to enroll legacy mobile devices, Mac computers and to provision Intel AMT-based computers. Since modern mobile devices are mostly managed using Windows Intune, this post will focus mainly on Mac computers enrollment.

Site System Role Placement in Hierarchy

The SCCM 2012 Enrollment Point and Enrollment Proxy Point are site-wide options. It’s supported to install those roles on a stand-alone or child Primary site. It’s not supported to install it on a Central Administration site or Secondary site.

You must install an SCCM 2012 Enrollment Point in the user’s forest so that the user can be authenticated if a user enrolls mobile devices by using SCCM and their Active Directory account is in a forest that is untrusted by the site server’s forest.

When you support mobile devices on the Internet, as a security best practice, install the Enrollment Proxy Point in a perimeter network and the Enrollment Point on the intranet.

Prerequisites

Beginning with System Center 2012 Configuration Manager SP2, the computer that hosts the SCCM 2012 Enrollment Point or Enrollment Proxy Point site system role must have a minimum of 5% of the computers available memory free to enable the site system role to process requests. When those site system role are co-located with another site system role that has this same requirement, this memory requirement for the computer does not increase, but remains at a minimum of 5%.

Using Windows Server 2012, the following features must be installed before the role installation:

Enrollment Point

Features:

• .NET Framework 3.5
• .NET Framework 4.5
  • HTTP Activation (and automatically selected options)
  • ASP.NET 4.5
• Common HTTP Features
• • Default Document
• Application Development
  • ASP.NET 3.5 (and automatically selected options)
  • .NET Extensibility 3.5
  • ASP.NET 4.5 (and automatically selected options)
  • .NET Extensibility 4.5
• IIS 6 Management Compatibility
  • IIS 6 Metabase Compatibility

Enrollment Proxy Point

Features:

• .NET Framework 3.5
• .NET Framework 4.5
  • HTTP Activation (and automatically selected options)
  • ASP.NET 4.5

IIS Configuration:

• Common HTTP Features
  • Default Document
  • Static Content
• Application Development
  • ASP.NET 3.5 (and automatically selected options)
  • ASP.NET 4.5 (and automatically selected options)
  • .NET Extensibility 3.5
  • .NET Extensibility 4.5
• Security
  • Windows Authentication
• IIS 6 Management Compatibility
  • IIS 6 Metabase Compatibility

SCCM 2012 Enrollment Point Installation

For this post we will be installing both roles on a stand-alone Primary site using HTTPS connections. If you split the roles between different machine, do the installation section twice, once for the first site system (selecting Enrollment Point during role selection) and a second time on the other site system (selecting Enrollment Proxy Point during role selection).

• Open the SCCM console
• Navigate to Administration / Site Configuration / Servers and Site System Roles
• Right click your Site System and click Add Site System Roles
• On the General tab, click Next

• On the Proxy tab, click Next

• On the Site System Role tab, select Enrollment Point and Enrollment Proxy Point, click Next

• On the Enrollment Point tab
  • In the IIS Website and Virtual application name fields, leave both to the default values
    • This is the names that you’ll see in IIS after the installation
  • Enter the port number you want to use. The HTTPS setting is automatically selected and requires a PKI certificate on the server for server authentication to the Enrollment Proxy Point and for encryption of data over SSL. For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager.

• On the Enrollment Proxy Point tab,
  • The Enrollment point will be populated by default and can’t be changed
  • Keep the Website name to it’s default value
  • Enter the port and protocol that you want to use
  • The Virtual application name can’t be changed. This will be used for client installation (https://servername/EnrollmentServer)

• On the Summary tab, review your settings, click Next and complete the wizard

Verification and Logs files

Logs

You can verify the role installation in the following logs:

• ConfigMgrInstallationPath\Logs\enrollsrvMSI.log and enrollmentservice.log  – Records details of about the Enrollment Point installation
• ConfigMgrInstallationPath\Logs\enrollwebMSI.log – Records details of about the Enrollment Proxy Point installation
• ConfigMgrInstallationPath\Logs\enrollmentweb.log – Records communication between mobile devices and the Enrollment Proxy Point

That’s it, you’ve installed your SCCM 2012 Enrollment Point, follow this Technet Guide if you want to proceed to next steps for Mac computers enrollment

The post How to install an SCCM 2012 Enrollment Point appeared first on System Center Dudes.

Cumulative Update 1 (CU1) for SCCM 2012 R2 SP1 and SCCM 2012 SP2 is now available. This post is a complete step-by-step SCCM 2012 R2 SP1 CU1 Installation guide. If you’re looking for a complete SCCM 2012 installation guide, see our blog series which covers it all.

Installing SCCM cumulative updates is very important to your infrastructure. It fix lots of issues, which some of them are important.

As this is the first post-R2 SP1 cumulative update, the important requirement for the installation is that SCCM 2012 R2 SP1 is installed. The latest non-R2 SP1 cumulative update is CU5. Don’t get confused, this CU could have been named CU6 (chronologically wise) but Microsoft has decided to reset the numbering due to the Service Pack release. See our SCCM 2012 versions post to have a clear view of all build numbers.

Improvements/Fixes

The major new functionality of CU1 is the Automatic Client Upgrade feature during CU setup wizard. This will facilitate client upgrade when applying further CU.

Latest KB are included and many bugs are fixed in this cumulative update. Follow this Microsoft Support page to see a detailed list.

Before you begin

Installing this update is very similar to prior CU. I’ll guide you through the upgrade process step-by-step in a standalone primary scenario.

• Download the update on the Microsoft Support page

This update can be applied directly to the following Systems/Roles:

• The Central Administration Site (CAS)
• Primary Site
• Secondary Site
• SMS Provider
• Configuration Manager Console

In this guide, we’ll be updating a Primary Site Server, console and clients.

SCCM 2012 R2 SP1 CU1 Installation guide

To start the installation, lauch a remote desktop session on your Primary Site Server, and run CM12_SP2R2SP1CU1-KB3074857-X64-ENU.exe

A log file will be created in C:\Windows\Temp\CM12_SP2R2SP1CU1-KB3074857-X64-ENU.log

• On the Welcome Screen, click Next

• Accept the license agreement, and click Next

• Ensure that everything is green, and click Next. On the screenshot, a restart is required before installing the CU

• Check the box to update the console, click Next

• Select Yes, update the site database, click Next

• This is the new Automatic Client Update addition. Select the behavior that you want
• Choosing the Automatically apply option results in following steps:
  • Places the most recent client patch file on the site server
  • Updates content on the distribution points for this site and any child sites. Note this only occurs when the cumulative update runs on the Central Administration Site (CAS)
  • Updates the client package on the Management Point of the local site; this source is used in the event there are no distribution points available for client installation
  • Future client installations using the Client Push method will apply the new patch automatically
  • The time frame for updating the client depends on your Automatic Client Upgrade settings
• If you chose the Manually Apply option, you will need to update your client manually as in prior CU (See our Updating the clients section)

• Check all 3 checkbox (Server, Console and Clients), click Next

• Edit the package name and program to your need, click Next

• Review the Summary page, click Install

• Installation is in progress

• You can follow the installation progress in the log file (C:\Windows\Temp\CM12_SP2R2SP1CU1-KB3074857-X64-ENU.log)

• When setup is complete, click Next and then Finish

Verification

Consoles

After setup is completed, launch the System Center 2012 Configuration Manager Console and verify the build number of the console. If the upgrade was successful, the console build number will be 5.0.8239.1203.

Servers

Open registry editor and check the HKLM\Software\Microsoft\SMS\Setup\ key. If the installation succeeded CULevel key value will be 1.

You can also verify both client and console version using PowerShell :

• Server : Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\SMS\Setup -Name “CULevel”
• Console : (Get-Item ($env:SMS_ADMIN_UI_PATH.Substring(0,$env:SMS_ADMIN_UI_PATH.Length – 5) + ‘\Microsoft.ConfigurationManagement.exe’)).VersionInfo.FileVersion

Clients

The client version will be updated to 5.0.8239.1203 (after updating, see section below)

This update also brings the anti-malware client version to 4.7.0209.0. You can find the version information by clicking About on the Help menu of the Endpoint Protection client UI.

Package distribution

Navigate to Software Library / Packages / Configuration Manager Updates

• You’ll see that your CU1 updates packages are created

• Go ahead and Distribute Content to your distribution points

Updating the Clients

If you select the Automatically Apply option in the installation wizard, your client will update using your time frame settings.

• Open the SCCM Console
• Go to Administration / Site Configuration / Sites
• Click the Hierarchy Settings in the top ribbon
• Select Automatic Client Upgrade tab
• The Upgrade client automatically when the new client update are available checkbox has been enabled
• Review your time frame and adjust it to your needs

If you select the Manually Apply option in the wizard, you will need to update your client manually.

This update contains 2 update packages for client installations. One for 32-bit clients and one for 64-bit clients.

Create two collections for the client upgrade. (If not already done in previous CU)

All-x64-based Clients

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceId = SMS_R_System.ResourceId where SMS_G_System_COMPUTER_SYSTEM.SystemType = "X64-based PC"

All-x86-based Clients

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceId = SMS_R_System.ResourceId where SMS_G_System_COMPUTER_SYSTEM.SystemType = "X86-based PC"

Adjust the package options to fit your environments and deploy the update to your clients.

Once deployed I like to create a collection that targets clients without the latest CU. I use it to monitor which client haven’t been updated yet.

Here’s the query to achieve this: (You can also refer to our Set of Operational Collection Powershell Script)

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ClientVersion != '5.0.8239.1203'

Happy updating !

The post Step-by-Step SCCM 2012 R2 SP1 CU1 Installation guide appeared first on System Center Dudes.

The installation of SCCM 2012 console can be either manually or automatically. Manual installation remains a good choice if you have a small team. Using role-based access control in SCCM 2012, you can delegate administrative tasks to your team and allow more users with different level of access to the SCCM 2012 console.

At this point, you would rather go the automatic way. This post will explain you how to save time by using the Application Model in SCCM 2012 to automatically deploy the console to all your devices.

We won’t cover the pre-requisites needed to install the SCCM 2012 console on a device. Make sure your devices are compliant.

Step 1 | Create a Collection

To regroup all the devices of users that will be using the console, there’s two possible types of collection to trigger the installation, either user or device collection.

Users

Create a user collection if your goal is to target team’s member. With the User Device Affinity, you make sure that all devices used by a specific user will have the latest console version installed.

The advantage of using user collections is the application catalog. Users will have access to install the console from the portal. However, the Application Catalog web service point and website point must be installed in your environment to use the Application Catalog portal at the desired time.

Devices

Create device collection if your goal is to target devices. With device collection, you make sure that all desired devices will have the latest console version installed.

To update existing consoles to the latest version, include a query rule in the membership rules that targets devices with SCCM 2012 console installed.

WQL Query

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName LIKE "%Configuration Manager Console%"

You can also refer to the PowerShell script that create operational SCCM collections that include consoles.

Step 2 | Create the Application

First, you will need to point to the files from SCCMInstallationFolder\Tools\ConsoleSetup to your content source location. It will be the source files used to install the console.

• From the console, navigate to Software Library / Overview / Application Management / Applications
• Right click on Applications and select Create Application
• The Create Application Wizard window will appear, on General tab, select Manually specify the application information and click Next

• In General Information tab, enter an application name like Microsoft System Center Configuration Manager Console 2012 R2 SP1 or your current version
• Enter the Publisher field with Microsoft
• Software Version field with 2012 R2 SP1 and click Next

• In the Application Catalog tab, if you are using user collection than you will need to fill required information
• In this example, we only fill Localized application name with Microsoft System Center Configuration Manager Console R2 SP1 and click Next

• In the Deployment Types tab, click on Add

• In the Create Deployment Type Wizard, select Script Installer as your deployment type and click Next

• In General Information tab, enter Install as the name of the deployment type and click Next

• In the Content tab, enter the Content Location with this folder SCCMInstallationFolder\Tools\ConsoleSetup
• At the Installation Program field, enter this program command
  • consolesetup.exe /q TargetDir=”C:\Program Files\ConfigMgr” EnableSQM=1 DefaultSiteServerName=YourSiteServerName
  • Change YourSiteServerName with your site server
• At the Uninstall Program field, enter this program command
  • consolesetup.exe /q /uninstall
• Check box Run installation and uninstall program as 32-bit process on 64-bit and click Next

• In the Detection Method tab, click Add Clause
• In the Detection Rule window, select Windows Installer as the setting type
• At the Product code field, enter your proper version MSI product code. In this example, we are using SCCM 2012 R2 SP1 which is {7952AC6D-315A-4791-BDE3-0976D6E0AD72} and click Next

The detection method is designed to evaluate whether application is already installed or not. If it turns out that the application is already present, the application will not be installed.

• You will come back to the Detection Method tab, click Next

• In the User Experience tab, at the Installation behavior settings, choose Install for User if you created a user collection and choose Install for Device if you created a device collection. You can also choose Install for system if resource is device; otherwise install for user if you use both type of collections
• At Login requirement, choose Whether or not a user is logged on
• At Estimated installation time (minutes), enter 5 minutes
• Click Next to finalize the process, then Close

You see something like this in your application folder.

Step 3 | Deploy the Console

The last step is to use the application and deploy to the collection.

• From your application folder, right click on the application and select Deploy
• From the Deploy Software Wizard in the General tab, click on Browse, select the previously created collection from the first section and click Next

Before you can deploy the application, you must distribute content to your distribution points otherwise you will have deployment issues.

• In the Content tab, add the distribution points needed for your deployment and click Next

• In the Deployment Settings tab, you have two possibilities for the Purpose of the deployment
  • Required: The application will be enforced
  • Available: The application will be available to install in the Software Center and/or Application Catalog waiting for an user action

What you must understand here is that if you are in position to update your current consoles, we suggest to use the Required option because without the update your console needs to match your site version. It must be apply as soon as possible. The Available option is used to provide the ability to install the console from the Software Center without being enforced.

• Click Next

• In the Scheduling tab, configure when do want to make it available and installed, then click Next

• In User Experience tab, selecting Display in Software Center and show all notifications will display the status of the application deployment to the logged user.
• Click Next

• Click Next to the end

Step 4 | Validation

If everything has been properly orchestrated with the Available option, the application will appear in the Software Center as well in your Application Catalog. If you set the Required option, the application will be automatically installed.

• To open Software Center, simply search for Software Center in your application or type the following command line: C:\WINDOWS\CCM\SCCLIENT.EXE

Monitor your application deployment and that’s it!

sccm 2012 console

The post Deploy the SCCM 2012 Console using the Application Model appeared first on System Center Dudes.

Windows 10 is out since July 29th, now you want to manage Windows 10 Endpoint Protection with SCCM 2012.

You have probably noticed that Windows 10 comes natively with Windows Defender. Instead of Endpoint Protection, it is now the default anti-malware managed by SCCM 2012. Actually, the Endpoint Protection agent is installed locally in Programs & Features but it’s using the Windows Defender UI with a thin layer of Endpoint Protection to manage policies and malware definitions.

If you have already deployed Windows 10 in your environment, you might have encountered an issue where your Endpoint Protection policies are applied but the malware definitions are not updated.

Some have found a way to work around this problem by extracting the Endpoint Protection installer and make Endpoint Protection malware definitions automatically update.

Unfortunately, this TechNet article is the only official documentation but it’s mentioning only Windows 10 Technical Preview, no word about Windows 10 RTM. Might only be a matter of updating their documentation.

For now, we will take the Windows 10 Technical Preview documentation and apply it to our Windows 10 RTM. It consists in enabling Windows Defender from the products tab in Software Update Point component properties.

SCCM 2012 Windows 10 Endpoint Protection Configuration

Prerequisite

• Have a functional Software Update Point

Enabling Windows Defender Product

• Go to Administration / Sites Configuration / Sites
• Select your most top site on which Software Update Point role is installed
• Go on Configure Sites Components from the top ribbon
• In the drop down menu, click on Software Update Point

• In the Software Update Point Components Properties window, go on the Products tab
• Check Windows Defender under the Windows section, and then click on OK
  • Ensure that you have also Windows 10 checked

Synchronizing Software Updates

• Go to Software Library / Software Updates / All Software Updates
• On the top ribbon, click on Synchronize Software Updates

Verification

• Go to Software Library / Software Updates / All Software Updates
• In the Search field, look for Windows Defender
• Validate that make sure you have Windows Defender definition updates in the result list

From there, you deploy Windows Defender definitions like you would normally do with your existing Windows updates. To enhance your process, you could also configure an Automatic Deployment Rule (ADR) to automate the package creation and deployment.

We will update this post when Microsoft officially release their updated documentation.

The post Managing Windows 10 Endpoint Protection with SCCM 2012 appeared first on System Center Dudes.

Since Windows 10 is out, there’s been a ton of information coming out from the SCCM product group. Many people gets confused at what’s needed for managing Windows 10 with SCCM 2012. The goal of this post is to centralize all those information so you can reach out when your organisation will be ready for managing Windows 10 with SCCM 2012.

[Updated 09/25/2015]

Requirement for Managing Windows 10 with SCCM 2012

Before you can manage and deploy Windows 10 in your organisation, you need to update your SCCM infrastructure.

• Your site servers needs to be updated to SCCM 2012 R2 SP1 or SCCM 2012 SP2. Refer to our installation guide if it’s not the case.
• You need to apply R2 SP1 Cumulative Update 1. Refer to our installation guide if it’s not the case.
• You need to update your boot images to Win PE version 10. Refer to the Deployment section of this article.
• If you need to integrate MDT with SCCM, update your MDT version to MDT Update 1. Refer to the Deployment section of this article.

Client Management

The official documentation is not yet updated but you can install the SCCM 2012 client on a Windows 10 device. has been updated to include the LTSB version of Windows 10 as an official supported OS.

The official statement from Microsoft is : These service packs (R2 SP1/SP2) deliver full compatibility with existing features for Windows 10 deployment, upgrade, and management.

Which means : All that you can do with older Operating System (Windows 7, Windows 8) can be done with Windows 10 in term of management. (Inventory, Remote Control, Software updates, Software deployment, Anti-Virus…). We’ll cover it all in the next sections of this post.

If you want to regroup your Windows 10 devices in a collection using a query, Windows 10 version is 10.0. (Not 6.4 as in the Tech Preview version)

Use the following query to create your Windows 10 collection :

select SMS_R_System.ResourceID,SMS_R_System.ResourceType,SMS_R_System.Name,SMS_R_System.SMSUniqueIdentifier,SMS_R_System.ResourceDomainORWorkgroup,SMS_R_System.Client from SMS_R_System where OperatingSystemNameandVersion like '%Workstation 10.0%'

Our Set of Operational Collections has also been updated to include Windows 10 in its collection list.

Reference :

• Product Group blog article – Announcing the availability of System Center 2012 R2 Configuration Manager SP1 and System Center 2012 Configuration Manager SP2

Software Update

If you want to deploy Software Update to your Windows 10 device, you just need to enable Windows 10 in your Software Update Point configuration.

• Go to Administration / Sites Configuration / Sites
• Select your most top site on which Software Update Point role is installed
• Go on Configure Sites Components from the top ribbon
• In the drop down menu, click on Software Update Point

• In the Software Update Point Components Properties window, go on the Products tab
• Check Windows 10 under the Windows section, and then click on OK

• Go to Software Library / Software Updates / All Software Updates
• Right click  All Software Updates and select Synchronize Software Updates

• Once the Synchronization has completed, stay in All Software Updates and select Add Criteria on the right
• Select Windows 10 in the Product list
• At the time of this writing there’s 10 updates available

Endpoint Protection

We cover in depth this topic in a previous post. Long story short, Windows Defender is now managing your Endpoint Protection clients in SCCM.

Deployment

If you want to deploy Windows 10 computers using SCCM 2012, there’s a couple of things to know :

Windows Automated Deployment Kit (ADK)

You need the Windows 10 ADK to capture and deploy Windows 10 devices. You probably already have Windows 8.1 ADK installed on your SCCM Servers.

You must first uninstall the existing ADK, install the Windows 10 ADK and reboot your server before using it.

Make sure you upgrade the Windows ADK on all systems in the site that have it installed. This can include the site server, SMS Provider, and administrator consoles. The version of the Windows ADK needs to be consistent across all systems that leverage it.

Once you install the ADK for Windows 10 you will lose the ability to modify your WinPE 3.1, 4.0 or 5.0 boot images and you’ll only be able to modify WinPE 10 boot image. You can still use these down level boot images, you just can’t modify them in the SCCM console.

Windows PE 10 boot images supports deployments of Windows 7 through Windows 10.

Reference :

• Product Group blog article – Windows 10 ADK and Configuration Manager
• MSDN article – Download kits and tools for Windows 10

In-place upgrade

In-place upgrade Task Sequences are not available out of the box in SCCM 2012 R2 SP1. If you want to upgrade your existing Windows 7 or Windows 8 computer to Windows 10 using an in-place task sequence, you must do it manually using custom scripts provided by the product team. SCCM Vnext will have this feature when it ships Q4 2015.

Reference :

• In-Place Upgrade Task Sequence Part 1 – How to upgrade to Windows 10 using the task sequence in System Center 2012 R2 Configuration Manager
• In-Place Upgrade Task Sequence Part 2 – Revised content for the Windows 10 in-place upgrade via task sequence for Configuration Manager

MDT

If you are using MDT in your organisation to build your Windows 10 images or integrated with SCCM, the new MDT 2013 Update 1 version supports it.

MDT 2013 Update 1 is available through this link.

Reference :

• Product Group blog article – MDT 2013 Update 1 Now Available

Future

The official statement from Microsoft is : The next version of System Center Configuration Manager will deliver full support for client deployment, upgrade, and management of Windows 10 and associated updates.

This means that you won’t be able to manage Windows 10 Service Branches using SCCM 2012.

If you are using MDT 2013, you will need to wait for the next release of MDT (MDT 2013 Update 1) to deploy Windows 10. This is due for end of August 2015.

Reference :

• Product Group blog article – Windows 10 enterprise management with System Center Configuration Manager and Intune
• Product Group blog article – Windows 10 ADK release and MDT 2013 Update 1 plans

We hope you enjoy reading this article, with a new version of Windows comes new challenges. We’ll update this blog post as soon as Microsoft release more information about managing Windows 10 with SCCM 2012.

Visit our consulting service page if you need help deploying or managing Windows 10 with SCCM 2012.

The post Managing Windows 10 with SCCM 2012 appeared first on System Center Dudes.

Remote Server Administration Tools (RSAT) is a Windows Server component for remote management of other devices. RSAT allows administrators to run snap-ins and tools on a remote device to manage features, roles and role services. The software includes tools like Bitlocker Password Recovery, Group Policy management, NIC Teaming and many more.

A lot of IT guys use this tool in their day to day basis. Microsoft has released RSAT for Windows 10 so if you are an SCCM admin, instead of manually install via the link, you can create an application in SCCM 2012 and make it available to every Windows 10 computer or to users who have the right to use RSAT.

This post will show you how to create this application in SCCM 2012.

Step 1 | Create RSAT Application

Click on this link, download and save the source files needed in your content directory. These files will be used as the source of the application.

** Update 2015-09-28 ** Remote Server Administration Tools for Windows 10 is available only in English (United States) for current release.

From the SCCM console, navigate to Software Library / Overview / Application Management / Applications

• Right click on Applications and select Create Application
• The Create Application Wizard window will appear, on General tab, select Manually specify the application information and click Next

• In General Information tab, enter an application name like Microsoft Remote Server Administration Tools
• In the Publisher field enter Microsoft
• In Software Version enter Windows 10 and click Next

• In the Application Catalog tab, fill required information to customize the user experience
• In this example, we will only fill Localized application name with Microsoft Remote Server Administration Tools for Windows 10 and click Next

• In the Deployment Types tab, click on Add
• In the Create Deployment Type Wizard, select Manually specify the deployment type information as your deployment type and click Next

• In General Information tab, enter Install (32-bit) or Install (64-bit) for whatever you configure as the name of the deployment type and click Next

• In the Content tab, enter the Content Location where you copied both files at the beginning
• At the Installation Program field, enter this program command
  • For Install (32-bit): wusa.exe WindowsTH-KB2693643-x86.msu /quiet /norestart
  • For Install (64-bit): wusa.exe WindowsTH-KB2693643-x64.msu /quiet /norestart

• At the Uninstall Program field, enter this program command
  • For Install (32-bit): wusa.exe /uninstall WindowsTH-KB2693643-x86.msu /quiet /norestart
  • For Install (64-bit): wusa.exe /uninstall WindowsTH-KB2693643-x64.msu /quiet /norestart

• Check box Run installation and uninstall program as 32-bit process on 64-bit for Install (32-bit) only and click Next

• In the Detection Method tab, click Add Clause
• In the Detection Rule window, select File System as the setting type
• At the Type field, select File option
• At the Path textbox, enter %windir%\system32\
• At File or folder name, enter ServerManager.exe
• Check the option This file or folder is associated with a 32-bit application on a 64-bit systems if you are configuring the detection rule for Install (32-bit)
• Select the option This file setting must satisfy the following rule to indicate the presence of the application.
• Select Version as the property, Equals as the operator and 10.0.10514.0 as the value

The detection method is designed to evaluate whether application is already installed or not. If it turns out that the application is already present, the application will not be installed.

• You will come back to the Detection Method tab, click Next

• In the User Experience tab, at the Installation behavior settings, choose Install for system if resource is device; otherwise install for user if you use both type of collections
• At Login requirement, choose Whether or not a user is logged on
• At Estimated installation time (minutes), enter 5 minutes
• Click Next to finalize the process, then Close

• In the Requirements tab, select the Add button
• Select the Operating System condition and choose one of these value
  • For Install (32-bit): All Windows 10 and higher (32-bit)
  • For Install (64-bit): All Windows 10 and higher (64-bit)

• Once finished, click on Ok

Requirements is used to detect pre-requisites configuration before the application can install.  In our case, the application is only available for Windows 10 Pro, Enterprise and Education version.

• Click Next till the end of the wizard

If your goal is to deploy both version, simply repeat step 1 section for 32-bit or 64-bit.

You should see something like that in your Deployment Types tab.

Step 2 | Deploy RSAT

The last step is to use the application and deploy to your respective collections.

• From your application folder, right click on the application and select Deploy
• From the Deploy Software Wizard in the General tab, click on Browse, select the previously created collection from the first section and click Next

Before you can deploy the application, you must distribute content to your distribution points otherwise you will have deployment issues.

• In the Content tab, add the distribution points needed for your deployment and click Next

• In the Deployment Settings tab, you have two possibilities for the Purpose of the deployment
  • Required: The application will be enforced
  • Available: The application will be available to install in the Software Center and/or Application Catalog waiting for an user action
• Click Next

• In the Scheduling tab, configure when do want to make it available and installed, then click Next

• In User Experience tab, selecting Display in Software Center and show all notifications will display the status of the application deployment to the logged user.
• Click Next

• Click Next to the end

Step 3 | Validation

Validate the application deployment on a Windows 10 computer. If everything has been properly configured, the application will appear in the Software Center.

To open Software Center, simply search for Software Center in your application or type the following command line: C:\WINDOWS\CCM\SCCLIENT.EXE

You should see something like that. Monitor the application deployment if needed.

Windows 10 RSAT SCCM 2012

The post Deploy RSAT for Windows 10 using SCCM 2012 appeared first on System Center Dudes.

During an operating system deployment using SCCM 2012, you received the error code 0x80070570 at the beginning of the Task Sequence.

Numerous errors and warnings are showing in SMSTS.log :

• ThreadToResolveAndExecuteTaskSequence failed. Code(0x80070570)
• Failed to create C:\_SMSTaskSequence (1392)
• The TSM directories could not be created at this time (80070570)
• uRet == ERROR_ALREADY_EXISTS, HRESULT=80070570 (e:\nts_sccm_release\sms\framework\tscore\utils.cpp,1903)

Cause

The SCCM 2012 0x80070570 error is translated to : The file or directory is corrupted and unreadable.

This issue is completely external to SCCM 2012. If you try to launch the Windows installation from the CDROM, you will get the same error.

It’s probable that your computer has been incorrectly shutdown and Windows wants to do a check disk at the next reboot.

How to fix SCCM 2012 0x80070570 Error

You have 2 options to fix this error

Option #1 | Chkdsk

• Boot the machine and let Windows complete the checkdisk process

• Reboot the computer and restart the Task Sequence

Option #2 | DiskPart

• Clean the partitions on the disks using Diskpart. This will delete all content on the drive.

• Open an elevated command prompt
• Enter the following commands :
  • Diskpart
  • List disk
• Select your disk
  • Sel disk 0
• Select your primary partition
  • Sel part 1
  • Clean

• Your partition is now deleted
• Reboot your computer and relaunch the Task Sequence, it shoud run fine. If not, you can delete all other partition by redoing the Diskpart process

We hope that this was helpful, leave a comment if you had success with this procedure.

The post Operating System Deployment SCCM 2012 0x80070570 Error appeared first on System Center Dudes.

This blog post will describe how to Deploy Office 2016 using SCCM 2012. This procedure is for the Office 2016 Click-to-Run version (Microsoft Office 365 ProPlus) not for the complete Office 2016 Professional Plus version. It will guide you in every steps required to deploy Office 2016 to your users.

The mains steps are :

• Preparing the installation
• Create the SCCM application
• Create the deployment type
• Deploy the application

Step 1 | Preparing Office 2016 installation

The first step is to create a Download.xml file that we’ll use to download the latest version of Office 365 Pro Plus (2016). Read the Reference for Click-to-Run xml file to know more about the available options.

• Download the Office Deployment Tools
• After downloading the tool, run OfficeDeploymentTool.exe

• Extract the files to a drive on your computer

• You’ll end up with 2 files (Setup.exe and Configuration.xml)

Create a Download.xml file and copy this content :

<Configuration>
<Add SourcePath=”C:\Office 2016″ OfficeClientEdition=”32″ >
<Product ID=”O365ProPlusRetail”>
<Language ID=”en-us” />
<Language ID=”fr-fr” />
</Product>
</Add>
</Configuration>

• In our example, we are downloading the 32 bit version in the C:\Office 2016 directory and add the English and French language
• Change the SourcePath and OfficeClientEdition if desired
• You can also add a additional language if needed by modifying/adding more language in <Language ID=”xx-xx” />
• Save the Download.xml file in the same directory as Setup.exe

Modify the Configuration.xml file that are used when deploying Office 2016

• Open the Configuration.xml file and modify it to reflect this :

<Configuration>
<Add OfficeClientEdition=”32″ >
<Product ID=”O365ProPlusRetail”>
<Language ID=”en-us” />
<Language ID=”fr-fr” />
</Product>
</Add>
<Display Level=”None” AcceptEULA=”TRUE” />
</Configuration>

It’s important that you don’t include the SourcePath attribute in the Add section of your Configuration.xml file. That’s because SCCM copies the installation files for an application into a folder under the SCCM client cache folder, and the name of that subfolder is different for each computer. The DisplayLevel and AcceptEULA parameters ensure that our installation is silent.

Once the 2 files are created, we can launch the download using our Download.xml file :

• Open a command prompt and naviguate to your folder
• Execute : Setup.exe /download Download.xml

The download starts silently, you’ll see an Office folder appear in your Office 2016 directory. The folder is 1.25GB so it will take some time to complete depending of your download speed. You won’t have a notification when it completes.

If the directory was created outside your SCCM source directory, move it to it’s definitive location before creating the application

Step 2 | Create the Office 2016 Application

• Open the SCCM console
• Go to Software Library / Application Management / Applications
• Right-click Applications and choose Create Application
• On the General tab of the Create Application Wizard, select Manually specify the application information, choose Next
• On the General information tab, enter a name for the application, enter any optional information, choose Next

• On the Application Catalog tab, provide the information that’s appropriate for your environment, choose Next

• On the Deployment Types tab, choose Next. We’ll add a deployment type later
• On the Summary tab, review the settings you’ve chosen, choose Next
• Complete the wizard by selecting Close

Step 3 | Create Office 2016 deployment type

• Open the SCCM console
• Go to Software Library / Application Management / Applications
• Right-click the Office 2016 application and choose Create Deployment Type
• On the General tab of the Create Deployment Type Wizard, in the Type list, select Script Installer, choose Next
• On the General Information tab , enter a name for the deployment type, enter any optional information, and then choose Next
• On the Content tab , do the following :
  • In the Content location box, enter the network share where you put the Office Deployment Tool, your Configuration.xml file, and the Office 365 ProPlus installation files that you downloaded from the Internet
  • In the Installation program box, enter the following text: Setup.exe /configure Configuration.xml

• After you enter this information, choose Next
• On the Detection Method tab , choose Add Clause
  • In the Detection Rule dialog box, do the following :
    • In the Setting Type list, select Windows Installer
    • In the Product Code box, enter {90160000-008F-0000-1000-0000000FF1CE}

• After you enter this information, choose OK, and then choose Next
• On the User Experience page, in the Installation behavior list, select Install for system, and then choose Next

• If you want to specify any requirements or dependencies for the deployment type, choose Next to go through those pages in the wizard. Otherwise, choose Summary
• Complete the wizard by selecting Close

The only step left is to distribute the content to your distribution points and create the deployment.

Bonus information

There is a new set of Administrative Template files (ADMX/ADML) for Group Policy settings. You can download the Administrative Template files using this Microsoft Download Center link.

All Group Policy settings for Office 2016 are  located in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Office\16.0 and HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Office\16.0

The post Deploy Office 2016 using SCCM 2012 – Click-to-Run Version appeared first on System Center Dudes.

This blog article will explain how to create a custom SCCM 2012 client settings and how to deploy it.

In the first parts of this blog series, we covered the complete SCCM 2012 R2 installation. In the final parts, we will cover the basic SCCM configuration starting with client settings.

Client settings are used to configure your deployed agents. This is where you decide any configuration like :

• Enabling hardware inventory agent
• Enabling power settings options
• Set scan schedules
• BITS throttling
• Ect..

In previous versions of SCCM, client settings were specific to the site. You had 1 client settings that applied to all your hierarchy. In SCCM 2012 you can specify clients setting at the collection level. You can have different settings for specific collections, overlapping settings are set using a priority setting.

When you modify the Default Client Settings, the settings are applied to all clients in the hierarchy automatically. You do not need to deploy the Default Client Settings to apply it. By default it has a 10000 priority value (This is the lower priority). All others custom client settings can have a priority value of 1 to 9999 which will always override the Default Client Settings. (The higher Priority is 1).

We won’t explain each client settings and their descriptions. The Technet documentation is pretty clear and many of the client settings are self-explanatory. We cannot make any recommendation either as each environment has its own needs and limitations. If you have any questions concerning a specific setting, use the comment section and we’ll try to help you so you can make the right decision for your organisation.

How to Create Custom Client Device Settings

When you deploy a custom client settings, they override the Default Client Settings.

Before you begin, ensure that you created a collection that contains the devices that requires these custom client settings.

For our blog post, we will set the Client Policy polling interval to 15 minutes.

• Open the SCCM console
• Go to Administration / Client Settings
• On the top ribbon, click Create Custom Client Device Settings

• In the Create Custom Device Settings page, specify a name for the custom settings and description
• Select one or more of the available settings. We will select Client Policy

• On the left pane, Client Policy will be displayed, click on it
• We will set the Client Policy polling interval to 15 minutes

• Click Ok
• Your newly created setting will be displayed in the console

Set the Client Settings priority

When you create a new client settings, it automatically take the next available priority. (Beginning with 1) Before deploying it, make sure that your priority is well set for your needs. A higher priority (1) will override any settings with a lower priority. (9999). Don’t get confused 1 is higher !

To change the priority number :

• On the top ribbon, select your client settings and click Increase Priority or Decrease Priority

• You can see each client settings priority and if they are deployed in the same section

How to deploy

Now that your client settings is created, you need to deploy it to a collection. This new client settings will apply to only this collection and depending of the priority, will override the settings.

• Select the custom client settings that you have just created
• On the top ribbon, click Deploy

• In the Select Collection dialog box, select the collection that contains the devices to be configured with the custom settings, and then click Ok
• You can verify the selected collection if you click the Deployments tab on the bottom of the console

How to apply

Client computers will apply your custom settings when they download their next client policy. You can trigger it manually to speed up the process.

Manually on the client

• In Control Panel, click on the Configuration Manager icon
• In the Action tab, select Machine Policy Retrieval & Evaluation Cycle
• Click Run now

Using the SCCM Console

To initiate client policy retrieval by using client notification (Configuration Manager SP1+ only)

• In the SCCM console
• Go to Assets and Compliance / Device Collections
• Select the device collection containing the computers that you want to download policy
• Right click a single device or the whole collection and select Client Notification  and then Download Computer Policy

How to verify

It’s possible to see which client settings are applied to a specific client. You must use the Resultant Client Settings function in the SCCM console.

We already cover this in a previous article.

That’s it, you’ve created your first SCCM 2012 client settings,  use the comment section to leave a question or comment.

The post Configure SCCM 2012 Client Settings appeared first on System Center Dudes.

In this part of the SCCM 2012 Installation blog series, we will configure SCCM 2012 boundaries. First, let’s define what a boundary in SCCM 2012 is :

From Technet :

In System Center 2012 Configuration Manager, a boundary is a network location on the intranet that can contain one or more devices that you want to manage. Boundaries can be an IP subnet, Active Directory site name, IPv6 Prefix, or an IP address range, and the hierarchy can include any combination of these boundary types. To use a boundary, you must add the boundary to one or more boundary groups. Boundary groups are collections of boundaries. By using boundary groups, clients on the intranet can find an assigned site and locate content when they have to install software, such as applications, software updates, and operating system images.
A boundary does not enable clients to be managed at the network location. To manage a client, the boundary must be a member of a boundary group. Simple Boundaries on do nothing, they must be added to one or more boundary groups in order to work.

A boundary groups is self-explanatory, it’s a group of boundary used for for site assignment and for content location. Beginning with SCCM 2012 R2 SP1, a boundary group can direct your clients to their Distribution Points for content, State Migration Point and Preferred Management Point. Prior to R2 SP1, Content location is used by client to identify available Distribution Points or State Migration Point based on the client network location.

To resume :

• Site Assignment boundary group associate a resource to a site
• Content Location boundary group is used to retrieve its deployment content (applications, packages, images, etc)

Planning for SCCM 2012 Boundaries and Boundary Groups

Before designing your strategy choose wisely on which bounday type to use.

If you’re unsure of which type of boundary to use you can read Jason Sandys excellent post about why you shouldn’t use IP Subnet boundaries.

Microsoft recommends the following :

• When designing your boundary strategy, we recommend you use boundaries that are based on Active Directory sites before using other boundary types. Where boundaries based on Active Directory sites are not an option, then use IP subnet or IPv6 boundaries. If none of these options are available to you, then leverage IP address range boundaries. This is because the site evaluates boundary members periodically, and the query required to assess members of an IP address range requires a substantially larger use of SQL Server resources than queries that assess members of other boundary types
• It’s also recommended to split your Site Assignment and Content location group

Overlapping Boundaries

SCCM 2012 supports overlapping boundary configurations for content location.

When a client requests content, and the client network location belongs to multiple boundary groups, Configuration Manager sends the client a list of all Distribution Points that have the content.

This behavior enables the client to select the nearest server from which to transfer the content or state migration information.

Real World Scenario

In our various SCCM installations, our clients are often confused about this topic. Let’s make an example to help you understand :

• Contoso has 1000 clients
• 1 Primary Site (Montreal)
• 3 remote offices with their local Distribution Point (New York, Chicago, Los Angeles)
• Active Directory Site are based on their site subnets (MTL,NY,CHI,LA)

In that scenario, we need to create 4 Boundary, 1 for each office :

• Open the SCCM Console
• Go to Administration / Hierarchy Configuration / Boundary
• Right-click Boundaries and select Create Boundary

• Create the boundary, in our example we’ll create 4 different boundary for my 4 locations using their Active Directory Sites
  • Tip : If you have multiples Active Directory Sites, IP Ranges or Subnets, you can enable Active Directory Forest Discovery which can create them automatically

Create Boundary Group

Now, we’ll create a Site Assignment Boundary Group and add all those AD Site. That way, all my clients for my 4 locations will be assigned to my Montreal Primary Site.
For Content Location, we want clients to get their content locally at their respective location. We will create 4 Content Boundary groups, add only their AD Site Boundary and assign their local Distribution Point.

Here’s how to make this happen in SCCM :

• Open the SCCM Console
• Go to Administration / Hierarchy Configuration / Boundary Groups
• Right-click Boundary Groups and select Create Boundary Groups

Create Site Assignement Boundary Group

• We’ll start by creating a group for Site Assignment : SA – MTL
• Click the Add bouton on the bottom
• On the Add Boudaries screen, select all boundaries. This will direct all my clients to the Primary Site located in Montreal for Site Assignment

• On the References tab, check the Use this boundary group for site assignment box
• Select your assigned site. In my case : MTL
• Click Ok

Create Content Location Boundary Group

• Right-click Boundary Groups and select Create Boundary Groups
• We’ll name our group Content Location – MTL
• Click on Add
• Select only the MTL boundary

• The MTL boundary will be listed

• On the References tab, uncheck the Use this boundary group for site assignment box
• Click on Add at the bottom
• Select the Site System that host the Distribution Point role for the Montreal site. For our example DPMTL01
• Click Ok

• Repeat the steps for the other sites (New York, Chicago, Los Angeles)
• Once completed our clients are assigned to their local respective Site Systems

This is a simple but typical scenario. You can have multiples boundaries and Site System in your Boundary Groups if needed.

We hope this blog post was helpful for you, leave a comment or question using the comment section.

The post Configure SCCM 2012 Boundaries appeared first on System Center Dudes.

Do you have a high number of distribution point in your SCCM environment? Managing large SCCM environment with many Distribution Point or Pull Distribution Point is not an easy task. We’ve done a great post on 8 ways to monitor your Distribution Point, it was most related to the console monitoring and reports. We also provided a report to manage content on your Distribution Point. Additionally, you can use collections to regroup Distribution Point based on specific information. The advantage of using collections is that an action that can be taken based on the membership. (compliance settings, applications, etc.)

This post will explain various tips to improve your day to day SCCM Distribution Point Management.

Collection query to get all Distribution Points

First of all, we will create a collection to keep track of computers acting as Distribution Point or to target members of a Distribution Points Group.

• Create a new collection and use this query to include all Distribution Points :

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client
 from SMS_R_System 
where SMS_R_System.ResourceNames in (Select ServerName FROM SMS_DistributionPointInfo)

Based on that collection, you can create any check you want to find missing Distribution Point by using the Include / Exclude feature of collection membership.

For example, all computers having a name ending with P2 should be a Distribution Point in my environment. To find them, we will create a combination of queries :

• Create a collection INV – Distribution Point
  • Use the query above as those computers will have a DP installed on
• Create a collection that regroup all computers ending with the name P2
  • PROD – Distribution Point (This collection regroups all computers that should be DP)
• Create a collection to find computers ending by P2 without DP
  • INV – P2 without DP
• Include the first collection PROD – Distribution Point created at the beginning of the post to include all Distribution Point
• Exclude INV – Distribution Point

You now have a collection that lists the distribution points dedicated servers without a distribution point role installed.

Create collection based on Distribution Point group members

Now that we have targeted servers and DP roles, you can use them to apply a different search criteria. It can be useful to validate what are the members of Distribution Point groups based on other requirement. For example, we want to prevent having English content on Distribution Point that only require French content.

To do it, we created Distribution Point groups and added Distribution Point to those groups based on the language. In order to create collection queries, we need the Distribution Point GroupID. It can be found directly within the console :

• Open the SCCM Console
• Go to Administration / Distribution Points / Distribution point Groups
• Right-Click the space under the Search bar and add the GroupID column

Create a new collections for each GroupID and use this query :

Replace GroupID value from the query with yours and then you’ll have collections based on DP groups!

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client 
from SMS_R_System    
where SMS_R_System.ResourceNames in (
Select ServerName
 FROM SMS_DistributionPointInfo 
join SMS_DPGroupMembers on SMS_DistributionPointInfo.NALPath= SMS_DPGroupMembers.DPNALPath  
where GroupID = '{5CCA2803-XXXXXXXXXXXXXXXX-29472F8EBB1F}')

To validate if the DP has the right packages/OS language hosted on it, use Include/Exclude feature and the limiting collection.

By limiting a collection to English Computer, but we query the French group.

We then know that someone made a mistake and distributed the wrong set of Packages/OS.

This is just an exemple of the possibility you can make using collections based on Distribution Point. Use the comment section to tell us how you manage your DP.

The post How to manage your Distribution Points with Collections appeared first on System Center Dudes.

The latest build of Windows 10 is available since this week. Windows 10 TH2 or Windows 10 1511 build is the first important release of Windows 10 since it’s launch in July. If you are managing Windows 10 with SCCM 2012 in your organisation you may wish to deploy this latest build using SCCM 2012.

The bad news is that you can’t achieve that with SCCM 2012. You will need to wait for the next version of SCCM to deploy this update to your Windows 10 computers. The good news is that the wait is almost over, the next version SCCM should be shipped before the end of the year.

The product group official statement is :

ConfigMgr 2012 R2 SP1 or SP2 and lower versions do not support Windows 10 servicing via Software Update Management workflow.

This update with the new classification “Upgrade” can be sync’d down from WSUS after the hotfix is applied if the “Upgrade” classification is checked explicitly. However, only vNext client can complete the end to end installation successfully since this Windows 10 Upgrade is in a different format and requires special handling on the client side. Without vNext, the install will fail.

OSD Upgrade Task Sequence is still the recommended way to upgrade to Windows 10 via the current versions of ConfigMgr (excluding vNext) as these versions actually do not support Windows 10 upgrade via Software Update Management.

SCCM 2012 Windows 10 TH2 1511

Windows 10 KB3105211 update shows in the console but don’t try to deploy it through your Software Update process, it will simply fails !

The post Deploying Windows 10 TH2 (1511) using SCCM 2012 appeared first on System Center Dudes.

Pull Distribution point can help reduce the processing load on the site server and can help to speed the transfer of the content to each distribution point. One other need to use Pull Distribution Point could be because you require more than 250 Distribution point from a single Primary site. Using Pull DPs comes with certain limits compared to using a standard DP.

In previous post we covered How to manage your Distribution Points with Collections in large environment. Based on those collections, it’s possible to manage network impact while distributing content to Pull DP.

This post will explain how limit SCCM 2012 Pull Distribution Point bandwidth.

Pull Distribution Point Bandwidth Limitation Differences

Rate Limits

One of the key feature missing from Pull DP is the ability to use rate limits.  The tab is not even visible for Pull DP properties.

• To check the Full DP Properties, navigate in your console to Administration / Site Configuration / Servers and Site System Roles
• Click on your Distribution Point
• In the Site System Roles section, right click on role name Distribution Point
• Select Properties

Screenshot : Standard distribution point – Rate Limits

So you are left with more than 250 DPs/Pull DPs and you are not able to manage the hit on the network bandwidth when distributing content.

Concurrent Distribution

Another missing feature of a Pull DP is the number of concurrent distributions. This cannot be managed automatically by threshold. So if you distribute a package to 1000 Pull DP, theoretically all of them could download at the same time. In fact, it doesn’t happen because the site server and SQL are so busy processing the requests.

Side note : There are no metrics from Microsoft when it come to a lot of Pull DPs. We asked the product team for the maximum concurrent distributions, without clear answer.

• To check the Concurrent Distribution Settings, navigate in your console to Administration / Site Configuration / Sites
• Click on your Site Server
• In the top ribbon section, click on Configure Site Components and Software Distribution

Important : The concurrent distribution settings for Pull Distribution point affects the number of concurrent package distribution for a single Pull Distribution Point. It is not meant to manage the number of Pull Distribution Point that can receive distribution at the same time.

Solution

The solution comes in two parts :

• Carefuly plan DP groups to limit the quantity of simultaneous distribution
• Create a specific Client Setting for those computers to use BITS

Distribution Point Groups

From our experience, DP groups can be of around 400 pull DP. Try to split so it make sense for your environment, without becoming too much management to distribute. Site server performance might require upgrades to CPU/RAM to ease distribution when so many DPs/Pull DPs are involved.

For example : 1000 Pull DPs splited in 3 groups with the biggest at 400 will work just fine. When it’s time to distribute,  do it one group at the time. Plan ahead as this will take time.

Client Settings

The way to control bandwidth for PullDP is through using BITS (background intelligence transfert service). Limiting with BITS is easy and constant.

Pull Distribution point can have a specific Client Settings.

• Open the SCCM Console
• Go to Administration / Client Settings
• Create a new Client Settings

• Add Background Intelligent Transfer Service

• Configure the limits you want. This should be discussed with the network guys

• Deploy this new Client Settings to the collection of Pull DP
• Be sure to check the priority of this Client Setting

SCCM 2012 Pull Distribution Point bandwidth

The post How to limit SCCM 2012 Pull Distribution Point Bandwidth appeared first on System Center Dudes.

Are you having inventory issue in SCCM where machines information from the hardware inventory were not updated on the site server? This problem can affect your various systems that use data, such as license management or reports. You can read more about the basics of client inventory and hardware inventory process.

This post explains how to resolve the message dataldr.log SQL Error in SCCM 2012. Log file dataldr.log on the site server manages inventory received from clients. If the log file inventoryagent.log on the client shows no evidence of failure and you have this error, your hardware inventory won’t be updated in the SQL database.

The string or binary data would be truncated. : dINSTALLED_SOFTWARE_DATA

ERROR – SQL Error in

ERROR – is NOT retyrable

There’s no real explanation of this purpose, but it is a SQL issue for sure. Even with a full hardware inventory scan on the client, the data is not reset. We also tried to disable Asset Intelligence class to see if the SQL table will be deleted, but without success.

Solution

There’s a work around that resolve the problem is to delete the device in SCCM, that will flush data of this device in SQL database.

• Open the directory Configuration Manager\Logs on the site server and open dataldr.log with CMTrace
• Scroll down in the file and note each devices that have the issue
• Open SCCM Console and navigate to Assets and Compliance / Devices 
• Search for the machine name from your list, right click on the device and select Uninstall Client with the Right-Click Tools
• Right click on the device and select Delete
• Repeat for each devices.

At this point, use your favorite way to discover and install the client on all theses devices. Next time the machine will do an hardware inventory, site server will receive correctly the inventory and SCCM database will be updated.

dataldr.log SQL Error

The post How to resolve Dataldr.log SQL Error in SCCM 2012 appeared first on System Center Dudes.

Microsoft has just announced the release of SCCM 1511. Before performing your SCCM 1511 upgrade, we recommend that you read all the available resources and carefully plan the upgrade process throughout your SCCM 2012 R2 SP1 hierarchy. The good news is that our SCCM 1511 Upgrade Guide will list everything you need to know before applying this major upgrade to your existing SCCM 2012 installation. We’ve got you covered !

In this blog post, we will guide you through the whole upgrade process to bring your existing SCCM 2012 R2 SP1 to SCCM 1511. See our complete installation guide if your starting from scratch.

New Features

SCCM 1511 brings a whole new set of features. Don’t get surprised, the gap isn’t as big as 2003 to 2007 or 2007 to 2012. The console has the same look and concepts are the same. If you’re upgrading from 2012, the upgrade process is similar as applying a Service Pack. No need to do a side-by-side migration which is a pretty good news !

We suggest to read our blog post to know everything about the new features before upgrading.

Naming Convention

You may wonder why Microsoft has decided to name the next version of SCCM that way. You may heard the name SCCM Vnext or SCCM 2016 but the final name is simply SCCM. This is due to the fact that SCCM is now part of the new SaaS platform which means that its update cycle will be much quicker than before. Each new version will be named as SCCM YYMM (Year Month). The first release is 1511 (for November 2015). Microsoft needed a way to keep the same upgrade pace than Windows 10 and decided to opt for the same naming convention which makes sense. Here’s chances that a new build of Windows will simultaneously bring a new SCCM build.

Upgrade Path

Depending your actual SCCM version you have different options :

• If you’re running SCCM 2012 R2 SP1 or SCCM 2012 SP2, you can upgrade directly to SCCM 1511. (Cumulative Update 1 or 2 is not mandatory).  Keep reading this guide is for you !
• If you’re running SCCM 2012 or SCCM 2012 R2  (non-SP2 or R2 SP1), you need to apply first  Service Pack 1 before upgrading. Use our blog post to apply it and come back to this guide afterward
• If you’re running a Technical Preview on your lab server. Completely uninstall it before doing a fresh install. An upgrade is not supported from a Technical Preview version
• If you’re running SCCM 2007 a side-by-side migration is still possible but you must first start by a fresh install on a separate server
• If you’re running SMS 2003, you seriously need to upgrade your remaining XP computers !
• If you’re not running any version of SCCM in your environment, refer to our full installation guide

Prerequisites

• Our post focus on what needs to be done to upgrade a stand-alone SCCM 2012 R2 SP1 Primary Site to SCCM 1511
• If you have a hierarchy with a Central Administration Site and multiple Primary Site, start with the top of the hierarchy (CAS) and go down, upgrading all Primary Sites and Secondary Sites.
• You need to upgrade your ADK version to version 10 before the upgrade process. See section Windows Automated Deployment Kit (ADK) of our Windows 10 blog post to know how to upgrade. Also consult this blog post from the product group to use the right version of ADK 10, there’s a bug in the latest release
• If you’re planning to use Windows 10 Servicing, you need to consider applying this important WSUS update to your Windows Server. This hotfix is only available for Windows 2012, if you’re running your Software Update Point on Windows 2008, consider moving your SUP to a Windows 2012 server
• Review the upgrade checklist from Technet

Database Replication

If you have a database replica for management point, disable Database replication. If you don’t use this function, skip this step and go to the Backup and TestDBupgrade section

• Open the SCCM Console, browse to Administration / Site Configuration / Servers and Site System Roles
• Select the Site System that hosts the management point that uses the database replica
• Right click Management point and select Properties

• On the Management Point Database tab, select Use the site database and click Ok

• Connect to the SQL server hosting the replica databases
• Open SQL Management Studio
• Go to  Replication / Local subscription
• Right click the replica and select Delete. Select Yes to the warning prompt

• Right click the publisher database and select Delete. Select Close existing connections and click OK
• Connect to the SQL server hosting the site database
• Open SQL Management Studio
• Go to Replication and select Disable Publishing and Distribution

• On the next screen, click Next
• Select Yes, disable publishing on this server and click Next, Next, Next
• Click Finish

Backup and TestDBUpgrade

• Before upgrading, perform a backup of your SCCM database.
• It is recommended to test your Configuration Manager database before the upgrade.  Detailed procedure is available on Technet, here’s the resumed version :
  • Backup your site databse
  • Restore it on a SQL server running the same version as your SCCM SQL instance
  • On the SQL server, run the SCCM setup command line using the Testdbupgrade switch
  • Open the log file on C:\ConfigMgrSetup.log
  • If the process is successful, you can delete the database copy
  • If you have errors, resolve them on your SCCM server, do a new backup and restart this procedure

After you successfully upgrade a copy of the site database, proceed with the “real” upgrade.

Running Console

Close all running consoles on the server. Check also if remotely logged users are running the console in their sessions. The setup won’t check that and you’ll endup having an error in the installation log at the end of the process.

ERROR: Configuration Manager console uninstallation failed. Check log file ConfigMgrAdminUISetup.log.

SCCM 1511 Upgrade Installation

If you just upgraded to SCCM 2012 R2 SP1, you’ll recognize the process. The user experience is similar to a new SCCM installation or Service Pack.

• Download the necessary files from Microsoft Volume Licensing Site

• Mount the ISO File and run Splash.hta

• On the main menu, select Install

• On the Before You Begin screen, click Next

• On the Getting Started screen, select Upgrade this Configuration Manager site

• On the Microsoft Software License Terms, check I accept these license terms and click Next

• On the Prerequisite Licenses, check all 3 boxes and click Next

• On the Prerequisite Downloads screen, specify a location to download the prerequisite files. This folder can be deleted after the upgrade process

• The files are downloading

• On the Server Language Selection screen, select the language you want to display in the SCCM Console and Reports

• On the Client Language Selection screen, specify the display language for your clients

• On the Usage Data screen, click Next. This new screen basically tells that you accept that you will send some telemetry data to Microsoft

• On the Settings Summary screen, you will see that you are performing an Upgrade, click Next

• The Prerequisite Check is running
• You should have no errors since your site is already installed and running
• Wait for Prerequisite checking has completed and click on Begin Install

• The installation is in progress. The installation will run for about 30 to 45 minutes depending of your server specifications
• You can follow the progress by clicking the View Log button or open the ConfigMgrSetup.log file on the C:\ drive

• Wait for Core setup has completed and close the wizard

Verification

Once the setup has completed, there’s a couple of check that you can make to be sure the upgrade process was successful.

• C:\ConfigMgrSetup.log  – Display detailed installation steps. Funny easter egg here, still written Configuration Manager 2012.

Console

• Open the SCCM Console and click on the upper left corner on the blue arrow and select About Configuration Manager
• The Console has been upgraded to SCCM 1511 – 5.00.8325.100

Site

• Go to Administration / Site Configuration / Sites
• Right-click your site and select Properties
• The Site Version and Build Numbers has been upgraded to 5.00.8325.1000

Clients

The site server client version will be upgraded to 5.00.8325.1000. A full list of client version is available on this post.

Boot Image

• Go to Software Library / Operating Systems / Boot Images
• Validate that the Boot Images has been automatically upgraded to WinPE 10 on your distribution points

Packages

• Go to Software Library / Application Management / Packages
• Validate that the Configuration Manager Client Package has been automatically distributed on your distribution points

Post Upgrade

Intune

If you use Intune with SCCM, at the top-level site upgrades, install a service connection point. This site system role must also be reconfigured with your Intune subscription.

Database Replication

Enable the database replicas for Management Points,  if it was configured before the upgrade.

Maintenance Tasks

Reconfigure any database maintenance tasks you disabled prior to the upgrade. If you disabled database Maintenance tasks for SCCM at a site prior to the upgrade, reconfigure those tasks at the site using the same settings that were in place prior to the upgrade

Updating the Clients and Consoles

Once your site is successfully upgraded, you need to upgrade the clients and console to SCCM 1511. A lower version of the console won’t be able to connect to a newer site. A outdated client will still be able to communicate with your Management Point but we recommend to update them.

Console

You can manually upgrade by browsing to .\ConfigMgrInstallationFolder\tools\ConsoleSetup and execute ConsoleSetup.exe on each computer running the console.

We suggest to create a package or application pointing on the same directory and deploy it using a collection.

All clients with the SCCM console installed

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = 'System Center 2012 R2 Configuration Manager Console'

Clients

To upgrade the clients, you have various options :

Automatic Client Upgrade

Using the Client Upgrade option, your client will be upgraded automatically within x days using the value specified

• Go to Administration / Site Configuration / Sites
• Click on the Hierarchy Settings button on the top ribbon
• On the Client Upgrade tab
• Check the Upgrade client automatically when new client updates are available
• Select the desired number of days you want your upgrade to be run
• A schedule task will be created on the clients and run within the specified number of days

Client Push

Create manual collection and use the client push function to deploy your clients. This method gives you more control on the group of computer you are upgrading.

I like to create a collection that targets clients without the latest SCCM 1511 version. I use it to monitor which client haven’t been upgraded yet.

Here’s the query to achieve this: (You can also refer to our Set of Operational Collection Powershell Script which contain this query and 47 others that you see in the previous screenshot)

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ClientVersion != '5.00.8325.1000'

Report

You can run our Client Health Check custom report to track your client versions.

Additional reference

Planning to Upgrade System Center 2012 Configuration Manager

Official Configuration Manager documentation

If you need further help to understand and configure various SCCM site component, consult our Step-by-Step SCCM 1511 Installation Guide blog series. It covers all you need to know.

Happy updating !

sccm 2012 r2 sp1 upgrade

The post Step-by-Step SCCM 1511 Upgrade Guide appeared first on System Center Dudes.

After you completed your SCCM installation, you certainly want to start managing some systems. The effective way to add them in SCCM is to configure SCCM discovery methods. This blog article will explain the various discovery methods and will describe how to configure it.

This blog post applies to both SCCM 2012 R2 and SCCM 1511.

In the first parts of these SCCM 2012 and SCCM 1511 blog series, we covered the complete SCCM 2012 R2 and SCCM 1511 installation. In the final parts, we will cover the basic SCCM configurations.

What is SCCM Discovery Methods

Here’s the official discovery methods definition from Technet :

SCCM discovery methods identifies computer and user resources that you can manage by using Configuration Manager. It can also discover the network infrastructure in your environment. Discovery creates a discovery data record (DDR) for each discovered object and stores this information in the Configuration Manager database. 

When discovery of a resource is successful, discovery puts information about the resource in a file that is referred to as a discovery data record (DDR). DDRs are in turn processed by site servers and entered into the Configuration Manager database where they are then replicated by database-replication with all sites. The replication makes discovery data available at each site in the hierarchy, regardless of where it was discovered or processed. You can use discovery information to create custom queries and collections that logically group resources for management tasks such as the assignment of custom client settings and software deployments. Computers must be discovered before you can use client push installation to install the Configuration Manager client on devices.

In simple words, it means that SCCM need to discover device before it can manage them. It’s not mandatory to discover computers, if you manually install the client, it will appear in the console and it can be managed. The problem is that if you have thousand computers, it can be a fastidious process. By using Active Directory System Discovery, all your computers will be shown in the console, from there you can choose to install the client using various SCCM methods. Of course if you need information about your user and groups, you need to configure User and Group discovery, it’s the only way to bring this information in SCCM.

There are 5 Types of Discovery Methods that can be configured. Each one targets a specific object type (Computers, Users, Groups, Active Directory) :

Active Directory System Discovery

Discovers computers in your organization from specified locations in Active Directory. In order to push the SCCM client to the computers, the resources must be discovered first. You can specify to discover only computers that have logged on to the domain in a given period of time. This option is useful to exclude obsolete computer accounts from Active Directory.You also have the option to fetch custom Active Directory Attributes. This is useful if your organization store custom information in AD. You can read our blog post concerning this topic.

• Open the SCCM Console
• Go to Administration / Hierarchy Configuration / Discovery Methods
• Right-Click Active Directory System Discovery and select Properties

• On the General tab, you can enable the method by checking Enable Active Directory System Discovery
• Click on the Star icon and select the Active Directory container that you want to include in the discovery process

• On the Poling Schedule tab, select the frequency on which you want the discovery to happen
  • A 7 day cycle with a 5 minutes delta interval is usually fine in most environment

• On the Active Directory Attribute tab, you can select custom attributes to include during discovery
  • This is useful if you have custom data in Active Directory that you want to use in SCCM

• On the Options tab, you can select to discover only accounts that have logged or updated their passwords since a specific number of days
  • This is useful if your Active Directory isn’t clean. Use this to discover only good records

Active Directory Group Discovery

Discovers groups from specified locations in Active Directory. The discovery process discovers local, global or universal security groups. When you configure the Group discovery you have the option to discover the membership of distribution groups. With the Active Directory Group Discovery you can also discover the computers that have logged in to the domain in a given period of time. Once discovered, you can use group information for exemple to create deployment based on Active Directory groups.

Be careful when configuring this method : If you discover a group that contain a computer object that is NOT discovered in Active Directory System Discovery, the computer will be discovered. If automatic client push is enabled, this could lead to unwanted clients computers.

To discover resources using this methods :

• Open the SCCM Console
• Go to Administration / Hierarchy Configuration / Discovery Methods
• Right-Click Active Directory Group Discovery and select Properties

• On the General tab, you can enable the method by checking Enable Active Directory Group Discovery
• Click on the Add button on the bottom to add a certain location or a specific group.
  • Remember : If you discover a group that contain a computer object that is NOT discovered in Active Directory System Discovery, the computer will be discovered.

• On the Poling Schedule tab, select the frequency on which you want the discovery to happen
  • A 7 day cycle with a 5 minutes delta interval is usually fine in most environment

• On the Options tab, you can select to discover only accounts that have logged or updated their passwords since a specific number of days
  • This is useful if your Active Directory isn’t clean. Use this to discover only good records

Active Directory User Discovery

Discovery process discovers user accounts from specified locations in Active Directory. You also have the option to fetch custom Active Directory Attributes. This is useful if your organization store custom information in AD about your users. Once discovered, you can use group information for example to create user based deployment.

To discover resources using this methods :

• Open the SCCM Console
• Go to Administration / Hierarchy Configuration / Discovery Methods
• Right-Click Active Directory User Discovery and select Properties

• On the General tab, you can enable the method by checking Enable Active Directory User Discovery
• Click on the Star icon and select the Active Directory container that you want to include in the discovery process

• On the Poling Schedule tab, select the frequency on which you want the discovery to happen
  • A 7 day cycle with a 5 minutes delta interval is usually fine in most environment.

• On the Active Directory Attribute tab, you can select custom attributes to include during discovery
  • This is useful if you have custom data in Active Directory that you want to use in SCCM

Active Directory Forest Discovery

Discovers Active Directory sites and subnets, and creates Configuration Manager boundaries for each site and subnet from the forests which have been configured for discovery. Using this discovery method you can automatically create the Active Directory or IP subnet boundaries that are within the discovered Active Directory Forests. This is very useful if you have multiple AD Site and Subnet, instead of creating them manualy, use this method to do the job for you.

To discover resources using this methods :

• Open the SCCM Console
• Go to Administration / Hierarchy Configuration / Discovery Methods
• Right-Click Active Directory Forest Discovery and select Properties

• On the General tab, you can enable the method by checking Enable Active Directory Forest Discovery
• Select the desired options

HeartBeat Discovery

HeartBeat Discovery runs on every client and to update their discovery records in the database. The records (Discovery Data Records) are sent to the Management Point in specified duration of time. Heartbeat Discovery can force discovery of a computer as a new resource record, or can repopulate the database record of a computer that was deleted from the database.

HeartBeat Discovery is enabled by default and is scheduled to run every 7 days.

To discover resources using this methods :

• Open the SCCM Console
• Go to Administration / Hierarchy Configuration / Discovery Methods
• Right-Click Heartbeat Discovery and select Properties

• On the General tab, you can enable the method by checking Enable Heartbeat Discovery
  • Make sure that this setting is enabled and that the schedule run less frequently than the Clear Install Flag maintenance task.

Network Discovery

The Network Discovery searches your network infrastructure for network devices that have an IP address. It can search the domains, SNMP devices and DHCP servers to find the resources. It also discovers devices that might not be found by other discovery methods. This includes printers, routers, and bridges.

We won’t go into detail of this discovery methods as it’s old and depreciated methods. We never saw any customers using this method in production.

The post How to configure and enable SCCM Discovery Methods appeared first on System Center Dudes.

With the latest version of SCCM 1511, many admins will be tempted to move to latest operating system and SQL versions. Considering Windows Server 2008 R2 and SQL 2008 R2 are already on extended support and the way SCCM 1511 is designed for future upgrades, it can be good time to do a SCCM 1511 migration with the latest OS and SQL.

As of now, all system roles of SCCM 1511 are supported on Windows Server 2008 R2, but if you are planning to use Windows 10 Servicing, you must use WSUS 4.0 from Windows Server 2012 and up.

If you’re planning this scenario, you have 2 choices :

• Install a new server with new SQL and use backup/retore function before upgrading to 1511
• Install a new server and perform a side-by-side migration between the 2 SCCM hierarchy

This post will cover the second option, describing SCCM 1511 Migration pre-requisites and tasks.

If you’re looking to do an in-place upgrade, please see our SCCM 1511 upgrade guide instead.

SCCM 1511 Migration Pre-requisites

• Install your new server or virtual machine with desired SQL version as you would do for a new SCCM installation. You can refer to our  Part 1 and Part 2 of our SCCM 1511 complete installation guide for this
• Perform a new SCCM 1511 Installation on this new server with a new site code
• SCCM must be at least 2007 SP2 and above in order to create a migration task
• Software Update Point must be configured on destination hierarchy (1511) prior to migrating any Software Update configurations

Setup Source Hierarchy

To transfer data between your SCCM 1511 and SCCM 2012 sites, you must first connect them together.

• On your SCCM 1511, go to Administration/ Migration/ Source Hierarchy
• Select Specify Source Hierarchy on the top ribbon

• Enter the top-level site server FDQN of the source environment (SCCM 2012 server)
• Select the account to use to connect to the top-level site server
  • We use and account that is SCCM Full Admin on both side. As specified in the wizard, no such rights are required
• Depending on your environment, Enabling Distribution point sharing might be useful
  • This should be pretty important in large, distributed environment

• Click OK, Data Gathering process starts

Your 2 sites are now connected!

For more details about source hierarchy, read the following Technet article.

Data Gathering

The Data Gathering process will verify items that can be migrated from the source.

No objects are migrated yet ! Data gathering is configured to 4 hours by default.

It can be modified in the properties of the source hierarchy.

Migration jobs

To migrate objects from our SCCM 2012 site, we need to create a migration job.

When migrating content from a 2012 hierarchy, all objects should be compatible.

Before migrating, we suggest that you read these details about what objects can or can’t be migrated.

• In SCCM 1511, go to Administration/ Migration/ Migration Jobs
• Select Create Migration Job

• On the General tab, provide a name and select Object Migration in the Job Type dropbox, click Next
  • Object modified after migration can be useful to monitor object modified after the job as ran

• On the Select Objects tab, select objects that you want to migrate, click Next

• On the Content Ownership tab, all migrated objects will be owned by the new site, click Next

• On the Site Code Replacement tab, replace site code for collections if needed, click Next

• On the Security Scope tab, specify the security scope to apply to the migrated objects, click Next
  • If you used it a lot in SCCM 2012, multiple migration might be a good idea to assign the security scope back
  • Assigning security scopes can also be done after the migration

• On the Settings tab, specify the Schedule, Conflict resolution action and Organizational folder structure, click Next 

• On the Summary tab, review your option, click Next

• On the Completion tab, click Close

• You can see the migration job status in the console, go to Administration / Migration / Migration Jobs (Details can be found in the Summary tab in the bottom)

• The Objects in the job tab will shows each object included in the job

Once you run the job, you will see objects appearing within the new SCCM.

You can run the job at any time by right-clicking the job and selecting Start.

For more details about Migration jobs, read the following Technet Article

Content Distribution

Once objects are migrated, you can now migrate Distribution Points. Activating Enable distribution-point sharing for this source site in the Source Site properties will allows previous version Distribution Point to show up in SCCM 1511 and to be used by client as content source when packages are migrated.

You can see the status of Shared Distribution Point in the console under Administration / Migration / Source Hierarchy and by selecting the Shared Distribution Point tab at the bottom.

Eligible for Reassignment

When looking at your Shared Distribution Point tab, you’ll notice an Eligible for reassignment column. Yes value means that the Distribution Point is ready to be reassign to your SCCM 1511 hierarchy.

For a System Center 2012 Configuration Manager distribution point to be eligible for reassignment, it must meet the following criteria:

• A shared distribution point must be installed on a computer other than the site server
• A shared distribution point cannot be co-located with any additional site system roles

If you look at a package that has been migrated, you will see that they are already distributed.

How to Reassign a Distribution Point

The Reassign wizard is pretty much like a new Distribution Point installation.

• Under Administration / Migration / Source Hierarchy select the Shared distribution Points tab at the bottom
• Select your  Distribution Point, Right click it and select Reassign Distribution point

• On the General tab, select the new Site code, click Next

• On the Distribution Point tab, specify the desired options, click Next

For rights needed to reassign a Distribution point here, see the Technet Article

• On the Drive Settings tab, you cannot configured your drives, it will use what is already in place, click Next

• On the Pull Distribution Point tab, you can be enable you DP to be a Pull DP if needed, click Next

• On the PXE Settings tab, you can’t configured anything, this is normal, click Next

• On the Content validation tab, you can’t configured anything, this is normal, click Next

• On the Boundary Groups tab, assign your Boundary groups to your Distribution Point, click Next

• On the Content Conversion tab, you’ll see a list of packages on the Distribution Point, click Next

• On the Summary tab, review your options and click Next

• On the Completion tab, click Close

• Confirm that your Distribution Point is now part of your SCCM 1511 site

•  Confirm that the Distribution Point as been removed from the 2012 R2 SP1 site

For more details about Content Migration, read the following Technet article.

Clients

Once all objects are migrated, you need to reassign your client in the new SCCM 1511 site.

Many options can be used :

• Reassign client site with a script to migrate to the new hierarchy
  • This is mandatory because of the new site code
  • This script from Steve Thompson [MVP] does the trick!
• Use auto-upgrade when client are assigned to the new hierarchy
• Use client push to reassign clients and upgrade at the same time
  • This will change the assigned site code automatically

In the end, upgrading the clients uses the same process as any previous Service Pack release.

Please refer to our SCCM R2 SP1 upgrade post for client upgrade using auto-upgrade or client push.

For more details about Client Migration, read the following Technet article

SCCM 1511 Post Migration Tasks

When all objects are migrated, the migration can be completed with these general steps :

• Validate that all clients, data, Distribution Points are migrated and no longer require the source hierarchy
• Stop gathering data from the source site
• Clean up migration data
• Decommission the source hierarchy

Stop gathering data

Before you stop gathering data, the following must be completed :

• Distribute content to at least one DP in the new hierarchy
• Reassign Distribution Point

To stop gathering data :

• In the SCCM Console, go to Administration / Migration / Source Hierarchy

Clean Up Migration Data

This step is optional.

To clean up migration data :

• In the SCCM Console, go to Administration / Migration / Source Hierarchy

• Select the source hierarchy

• Confirm by clicking Yes

For more details about post migration tasks, read the following Technet article

Logs

All migrations tasks refer to the same log : Migmctrl.log

It can be founded in your SCCM installation directory Microsoft Configuration Manager\Logs\

For more details about Monitoring migration, read the following Technet article

That’s it, you’ve completed your SCCM 2012 to SCCM 1511 Migration. Feel free to ask your question or leave your comments using the comments section !

The post Step-by-step SCCM 1511 Migration to New Hardware appeared first on System Center Dudes.

Introduced since SCCM 2012 R2, SCCM Wifi profiles are used to send Wifi configuration to clients. It can be useful if your company is not using certificates or any automated authentication methods. Smaller organisation that uses a simple WPA2 setup can use SCCM Wifi profiles to send Wifi SSID and password so that the computers connects automatically to that network.

You can also use Wifi profile to manage mobile devices with Intune but we won’t cover this scenario in this post.

The major drawback of the SCCM Wifi Profile is that it’s impossible to enter the Wifi password using the console UI. We will show you how to deploy Wifi profiles on a Windows 10 or Windows 8.1 computer, including the Wifi password using an Xml file.

How to deploy SCCM Wifi Profiles with password to Windows 10 devices

Since it’s not possible to enter a password in the SCCM console, we’ll create an XML file and use it to create a SCCM Wifi profile based on this file.

The first step is to connect on a Windows 10 computer and connect to the desired Wifi network manually. You can disconnect once done, it’s only important to connect to the network at least once.

• Open a PowerShell window and enter the following command to list all Wifi profiles on the computer :

• Enter the following command to create the Xml file : (replace the name of your network and location you want the file to be created)

• Using any text editor, you can see the Wifi information including the WPA2 pre-shared key

• We are now ready to create the Wifi profile in the SCCM console using this Xml file
• Open the SCCM console
• Go to Assets and Compliance / Compliance Settings / Company Resource Access / Wi-Fi Profiles
• Right-click Wi-Fi Profiles and select Create Wi-Fi Profile

• On the General pane, enter a Name and Description
• Check the box Import an existing Wi-Fi profile item from a file, click Next

• On the Import Wi-fi Profile pane, click Add

• Browse to the location where you saved the Xml file created in the first step of this post, click Open

• Validate the file, click Next

• On the Supported Platforms pane, select All Windows 8.1 (64-bits), All Windows 8.1 (32-bits), All Windows 10 (64-bits) and All Windows 10 (32-bits), click Next

• On the Summary pane, review your settings and click Next

• Wait for the wizard to complete and click Close

Deploy the Wifi Profiles

You are now ready to deploy the profile to your devices

• Open the SCCM console
• Go to Assets and Compliance / Compliance Settings / Company Resource Access / Wi-Fi Profiles
• Right-click the profile and select Deploy

• Click Browse and select your collection
• Specify the evaluation schedule, click Ok

Monitor the deployment

Like every deployments, you can monitor the status in the SCCM Console under Monitoring / Deployments

You may notice that the Wifi Profiles deployments are treated as they were Configuration Items.

Once successfully deployed, the computers receiving the Wifi Profile will automatically connect to the specified network.

The post Deploy SCCM Wifi Profiles with password to Windows 10 devices appeared first on System Center Dudes.

Last week, Microsoft announced the end of support for older version of Internet Explorer . Many organisations will need to upgrade to Internet Explorer 11 soon. This post will describe how to upgrade to Internet Explorer 11 with SCCM.

There’s multiple ways to upgrade your Internet Explorer :

• Internet Explorer Administration Kit (IEAK)
• Windows Server Update Services (WSUS)
• Software Update with SCCM
• Standard Package with SCCM
• Task sequence with SCCM

All of theses options were tested and the fastest installation is by using Task sequence because of the ability to manage restart and multiple consecutive steps to get everything installed in one deployment. IEAK could also do that, but we never had much success with it.

Task sequence are made for OS Deployment, but they can be very useful with complex application deployment.

In this post, we will cover :

• How to update to Internet Explorer 11 with SCCM using a task sequence for bulk installation of Pre-requisite, IE11 and Enterprise mode.

• How to inject Internet Explorer 11 in OS Deployment task sequence

Required download to upgrade to Internet Explorer 11 with SCCM

The key to a successful Internet Explorer 11 upgrade is to have all the required files in the right format. Here’s everything that you need :

• Download Prerequisite KB
  • Validate which KB are required for your environment and download all required
• Download Internet Explorer 11 for IT Pro
  • X86 – Download all the different language needed
  • X64 – Download all the different language needed
• Download Enterprise Mode for Internet Explorer
  • X86
  • X64
• If you are using a Windows 7 Enterprise with MUI, you will need to do the same for Internet Explorer 11
  • Download required language pack

Keep all original files as they will be used in different ways to update or to inject in OSD.

SCCM Task Sequence Method

This method is great to have complete control of the deployment and be sure that one deployment will get everything needed for updating to Internet Explorer 11.

Pre-requisite package

• The downloaded prerequisites KB are MSU files. We need the extracted the .CAB files from those .MSU files.

• Run the following command for each .MSU :

• This provide many files, only the .CAB is important

• Add all .CAB files in a folder

• We will now create a batch file to insert each .CAB using DISM
  • Create a new batch file (install.cmd) in the folder where you saved your .CAB files
  • Add this line for each .CAB files (change the .CAB file name in each line)

• Create a new package in SCCM that will be use for the IE Prerequisite
• Open the SCCM Console
• Go to Software Library / Application Management / Packages
• Right-Click Package and select Create Package
• Create a standard program
  • Command line – cmd /c install.cmd
  • After Running – Program controls restart
• This is required as the task sequence will automatically detect a restart pending error code (3010)

• Your Internet Explorer Prerequisite package is created and ready to deploy

Internet Explorer 11 Package

Create a standard package for each Internet Explorer languages you need.

• Open the SCCM Console
• Go to Software Library / Application Management / Packages
• Right-Click Package and select Create Package
• Create a standard program. (Be sure to change the .exe file to your language)
  • Command line – IE11-Windows6.1-x86-fr-fr.exe /quiet /closeprograms /norestart /log:C:\temp\
  • After Running – Program controls restart
• This is required as the task sequence will automatically detect a restart pending error code (3010)

• Your Internet Explorer 11 package is created and ready to deploy

Enterprise Mode for Internet Explorer 11 Package

Create a standard package for Enterprise Mode for Internet Explorer 11

• Open the SCCM Console
• Go to Software Library / Application Management / Packages
• Right-Click Package and select Create Package
• Create a standard program
• • Command line – wusa.exe IE11-Windows6.1-KB2929437-x86.msu /quiet /norestart
  • After Running – Program controls restart
• This is required as task sequence automatically detect 3010 restart pending

• Your Enterprise Mode for Internet Explorer package is created and ready to deploy

Multi Language Consideration

Create a standard package for each MUI.

• Open the SCCM Console
• Go to Software Library / Application Management / Packages
• Right-Click Package and select Create Package
• Create a standard program
  • Command line – wusa.exe IE11-Windows6.1-KB2929437-x86.msu /quiet /norestart
  • After Running – Program controls restart
• This is required as task sequence automatically detect 3010 restart pending

Task Sequence

We will now create the Task Sequence to deploy our package we just created.

• Open the SCCM Console
• Go to Software Library / Operating Systems / Task Sequences
• Right-click Task Sequence and select Create Task Sequence

• Select Create a new custom task sequence, click Next

• Enter the desired name
• Do NOT add a boot image, click Next

• On the Summary tab, click Next

• On the Completion tab, click Close

• Select your Task Sequence
• On the top ribbon, click Edit

• Click Add / Software / Install Package
• Add your previously created package in this order
  • Prerequisites
  • Internet Explorer 11
  • Internet Explorer Enterprise Mode
• Each Install Package task has the right to restart the computer if necessary
• Each task will return a 3010 error code (Success but restart required), the task sequence will automatically initiate a restart
• At the end of the Task Sequence, we will add a restart to successfully apply GPO for IE11 and Enterprise mode if needed
• Click Add / General / Restart Computer
• This is the expected result :

Results

This method will automatically reboot the computer 4 times. Overnight deployment and communication plan might be a good idea

On a deployed computer, Internet Explorer 11 will be installed as well as all prerequisite KB and Enterprise mode.

How to inject Internet Explorer 11 in OS Deployment Task Sequence

Internet Explorer 11 OSD Source Files

As stated in the required downloads section, the downloaded files will be used in a different manner to inject all required updates in OS Deployment.

• Create a new folder with the following directories

• Add the downloaded Prerequiste MSU files to Prerequisites folder

• Add the downloaded Enterprise Mode MSU file to EnterpriseMode folder

• Extract the required file from Internet Explorer executable

• Add the theses extracted files to the IE11 folder :
  •  IE-Hyphenation-en.MSU
  •  IE-Spelling-en.MSU
  • IE-Win7.CAB

• Add the language pack MSU file to LanguagePack folder
  • This will only work with Windows 7 Enterprise
  •  If you are using Windows 7 Pro, this folder is not necessary.  You will need multiple package for the Internet Explorer 11 extracted file to match the OS language.

Internet Explorer 11 OSD Package

• Open the SCCM Console
• Go to Software Library / Application Management / Packages
• Right-Click Package and select Create Package
• Name – Internet Explorer – OSD
• No program is needed. We will use this package later.

Inject Internet Explorer 11 in Task Sequence

This method can be used in a Build and Capture task sequence as well as a Deploy task sequence. It will add Internet Explorer offline (using DISM) to the Windows Installation.

• Select your Task Sequence
• On the top ribbon, click Edit
• Add a new group under the Apply Driver section and before the Setup Operating system group

• Click Add / General / Run Command Line 3 times to add 3 steps to the new group
• Command #1 – Install IE 11 Prereq
  • Command line – Dism /image:%OSDrive%\ /ScratchDir:”%OSDRIVE%\Windows\Temp” /Add-Package /PackagePath:”.\Prerequisites”
  • Check the Package box and select the package created in the previous step

• Command #2 – Install IE 11
  • Command line – Dism /image:%OSDrive%\ /ScratchDir:”%OSDRIVE%\Windows\Temp” /Add-Package /PackagePath:”.\IE11″
  • Check the Package box and select the package created in the previous step

• Command #3 – Install Enterprise mode
  • Command line – Dism /image:%OSDrive%\ /ScratchDir:”%OSDRIVE%\Windows\Temp” /Add-Package /PackagePath:”.\EnterpriseMode\IE11-Windows6.1-KB2929437-x86.msu”
  • Check the Package box and select the package created in the previous step

• If needed,
• Command #4 – Install Language pack
  • Command line – Dism /image:%OSDrive%\ /ScratchDir:”%OSDRIVE%\Windows\Temp” /Add-Package /PackagePath:”.\LanguagePack\IE11-Windows6.1-LanguagePack-x64-fr-fr.msu”
  • Check the Package box and select the package created in the previous step

Happy Upgrade!

The post Upgrade to Internet Explorer 11 with SCCM appeared first on System Center Dudes.