Before upgrading to SCCM 1511, it’s recommended to perform a test upgrade on a copy of your production database. We briefly cover the topic on our SCCM 1511 Upgrade post but we wanted to provide a step-by-step procedure. This procedure is not mandatory but gives you a head-ups on installation error you may encounter before your upgrade.

Step 1 | Prepare your environment for SCCM Installation Testdbupgrade

To test the database for an upgrade, you must copy the site database to a SQL instance that does not host SCCM. The SQL version must run the same edition and version of your production SQL.

• Start by creating a new VM or connect to an existing SQL server that can host your SCCM database.
• Install the right SQL version. Follow our post on how to install SQL Server if needed.

Step 2 | Backup your database

Once your SQL server is ready to receive the database copy, browse to your latest SCCM Backup.

We will use the SCCM Backup Maintenance task for this post but it’s also supported to use the SQL Database backup.

To see where SCCM backups are stored go to :

• Open the SCCM Console
• Go to Administration / Site Configuration / Sites
• Click on Site Maintenance on the top ribbon
• Select Backup Site Server, click on Edit

• Take note of the path where your backup are done and browse to that location

• Copy the .MDF and .LDF file to the SQL Server that will be performing the test upgrade

If you don’t have a backup, enable the task and schedule it. You can also initiate a manual backup if you want the files now.

• Go to Monitoring / System Status / Site Status
• Click on Start / Configuration Manager Service Manager

• Browse to SMS_SITE_BACKUP, right-click it select Query then Start

Step 3 | Attach the database copy

We are now ready to perform the test upgrade.

• Connect to your SQL Server
• Open SQL Management Studio
• In the Object Explorer pane, right-click Database and select Attach

• In the Attach Databases screen, click on Add

• Select the MDF file that you copied from the SCCM backup, click Ok

• On the bottom pane, resolve any issues displayed in the Message column. In my example the M: and N: drive are Not Found since they don’t exist on this machine. Click on the … button and point correctly at the Data and Log file
• Click Ok

• The Message box will remove errors

• The database will be attached

We will now check that we have the proper rights on the database

• Click on Security / Logins
• Right click your user and select Properties (or create a New Login if your Login is not existing)

• In the User Mapping tab, select the database you just attached and select the db_owner role membership

Step 4 | Test the upgrade

We will now launch the SCCM Setup using the switch to test the database migration

• On the same machine that you attach the database
• Mount the SCCM ISO
• Go to \SMSSETUP\BIN\X64
• Run the following command: (change the database name to refect your name)

• The Installation Prerequisite Check windows will open
• Click on Begin TestDBUpgrade button

• On the warning window, click Yes

• The Installation Prerequisite Check windows will close
• You need to monitor the progress in the log file located on C:\ConfigMgrSetup.log

• The process took about 20 minutes for a 6.7gb database
• When completed you’ll have the following line in the log : Configuration Manager Setup has successfully upgraded the database
• Close the log

If you had no error, you can delete the file you imported from your backup and proceed to your real SCCM Upgrade on your production server.

The post How to perform a Testdbupgrade before SCCM Installation appeared first on System Center Dudes.

Many challenges come with managing and maintaining  System Center Configuration Manager in large environment. In previous posts, we covered how to limit Pull DP bandwidth and How to manage Pull DP with collections to ease management in large environment. Probably the biggest challenge with large environment,  is to keep SCCM up to date.

In this post, we will provide in depth details, considerations and useful tips on Pull DP upgrade for large SCCM environment. The goal is to provide ways to prevent upgrades of SCCM to become a nightmare by taking more time than planned and/or heavy hit on the network. We will cover theses subjects :

• Automatic package update and distribution
• How to work around automatic package update and distribution
• Pre-requisite checker
• Upgrade time lapse
• Distribution point and PullDP upgrade ratio
• What happen while Distribution point/ Pull DP upgrade

Note that all details and considerations are regarding major upgrade like service pack upgrades and major upgrades.

Automatic Package Updates and Distribution

After an upgrade, some packages will be automatically updated and distributed to all of your Distribution Point and Pull DP to provide the latest bits to be used by clients.

Here’s the list of what will be updated :

• The default SCCM client package (Around 200MB)

  

• Configuration Manager Client Upgrade Package (Around 2mb)
  • No control on this package

• Default Windows PE boot images  (Around 200MB for each boot image)
  • The update will happen no matter if ADK is updated or not
    • For example, we can see a change between R2 and R2 SP1 to the default background used in the WinPE
  • If it doesn’t automatically update, it means that it tried and failed because of driver injection
    • Manual update of the boot image is required to fix this issue, by removing faulty drivers

How to Work Around the Automatic Packages Update and Distribution

With the nature of packages automatically updated and distributed, it is possible to work around it prior to the upgrade of the site server.

Remove Boot Images from Distribution Points

Boot images, unlike SCCM client, can’t be pre-distributed on distribution point because of their unique nature.

To prevent a hit on the network, we removed the boot images from DP, Pull DP and DP groups.

This mean that OSD will NOT be available while the upgrade is being processed.

Once all DP/Pull DP are upgraded and system is heatlhy, redistribute boot image on all your DP/PullDP. This will give you total control on when to distribute instead of leaving the upgrade handle it.

Pre-Distribute SCCM Client Package Content

As describe above, the update of the SCCM client package will send around 200 Mb to each DP/ Pull DP.  To prevent a massive hit on the network, we created a standard package, before the upgrade, that has the content of the new SCCM client.

We got the source from another hierarchy (like a lab) that was already to the desired upgrade level.

Path to the client : SCCMInstallationDirectory\Client

The Content Library will only host a single instance of files, this will ease the distribution of the client after the upgrade as it will only validate and not distribute.

Prerequisite Checker

When the prerequisite checker runs, it will communicate with all DP and PullDP.

It takes approximately 5-10 seconds per PullDP… with 1000 PullDP, this could mean hours of waiting for the prerequisite checker to complete. Let it go, and follow the log for details.

You can follow the prerequisite checker in this log : C:\ConfigMgrPrereq.log

Upgrade Time Lapse

Upgrading a primary server will take time. Be patient.

As an example, upgrading a primary site server with 1000 Pull DP, 5000 clients, took more than 1 hour to complete the wizard.

Monitoring  Compmon.log after the upgrade wizard added another hour to the process. This log shows the various Site component status.

Compmon.log must show Waiting until the next polling cycle in 300 secondes from now to consider the upgrade completed.

This log can be find in : SCCMInstallationDirectory\Logs\compmon.log

Distribution Point and Pull Distribution Concurrent Upgrade Ratio

When upgrading a primary site, all child sites will be upgraded. In a large environment, DP and Pull DP are the biggest challenge of the upgrade.

We found this process not to be well documented and with many grey areas.

Change the DPUpgradeThreadLimit

By default, when upgrading a primary site, all Distribution and Pull DP will be upgraded.

As documented in this KB for DPUpgradeThreadLimit, the default limit is 5 concurrent Distribution Point or Pull DP Upgrade.

With 1000 Pull DP, this will take extremely long time. With a large SCCM environment, most probably the server and the network can handle more than 5 concurrent upgrade.

This setting can be changed for a higher rate of concurrent upgrade. We did it at 50 concurrent upgrade. Server and network did handle it quite well.

Here’s how to check if your DP settings :

Get the setting using a script querying the WMI of the primary server.

param(
[string] $siteServerName="."
)

$providerLocation = gcim -ComputerName $siteServerName -Namespace root\sms SMS_ProviderLocation -filter "ProviderForLocalSite='True'"
$providerMachine = $providerLocation.Machine
$sitecode = $providerLocation.SiteCode
$providerNamespace = "root\sms\site_" + $sitecode
$siteFilter = "SiteCode='" + $sitecode + "‘"

write-host $providerLocation



$distmgrConfig = gcim -ComputerName $providerMachine -Namespace $providerNamespace SMS_SCI_Component | ? {$_.ComponentName -eq "SMS_DISTRIBUTION_MANAGER"}

ForEach ($distMgrObject in $distmgrConfig)  {

    $properties = $distMgrObject | select -ExpandProperty Props
    $threadLimitProperty = $properties | ? {$_.PropertyName -eq "DPUpgradeThreadLimit"}
    if($threadLimitProperty -eq $null)
    {
        write-host "Actual setting for DPUpgradeThreadLimit is using default (5)"

    }
    else
    {
        write-host "Actual setting for $($DistMgrObject.SiteCode) DPUpgradeThreadLimit is $($threadLimitProperty.Value)"
        }
    }

Here’s the script to change the setting in the WMI of the primary server.

param(
[string] $siteServerName=".",
#define the new number of DP/PullDP concurrent upgrade limit
[int] $newValue=50
)

$providerLocation = gcim -ComputerName $siteServerName -Namespace root\sms SMS_ProviderLocation -filter "ProviderForLocalSite='True'"
$providerMachine = $providerLocation.Machine
$sitecode = $providerLocation.SiteCode
$providerNamespace = "root\sms\site_" + $sitecode
$siteFilter = "SiteCode='" + $sitecode + "‘"

write-host $providerLocation



$distmgrConfig = gcim -ComputerName $providerMachine -Namespace $providerNamespace SMS_SCI_Component | ? {$_.ComponentName -eq "SMS_DISTRIBUTION_MANAGER"}

ForEach ($distMgrObject in $distmgrConfig)  {

    $properties = $distMgrObject | select -ExpandProperty Props
    $threadLimitProperty = $properties | ? {$_.PropertyName -eq "DPUpgradeThreadLimit"}
    if($threadLimitProperty -eq $null)
    {
        write-host "Previous setting for DPUpgradeThreadLimit was using default, updating to $newValue"
        $newProperty = New-CimInstance -ComputerName $providerMachine -Namespace $providerNamespace -ClassName SMS_EmbeddedProperty
        $newProperty.PropertyName = "DPUpgradeThreadLimit"
        $newProperty.Value = $newValue#

        $newPropertyList = @()
        $properties | % { $newPropertyList += $_}
        $newPropertyList += $newProperty

        $distMgrObject.Props = $newPropertyList
        scim $distMgrObject
    }
    else
    {
        write-host "Previous setting for $($DistMgrObject.SiteCode) DPUpgradeThreadLimit was $($threadLimitProperty.Value), updating to $newValue"
        $newProperty.PropertyName = "DPUpgradeThreadLimit"
        $newProperty.Value = $newValue

        $newPropertyList = @()
        $properties | % {
            if($_.PropertyName -eq "DPUpgradeThreadLimit")
            {
                $_.Value = $newValue
                $newPropertyList += $_
            }
            else
            {
                $newPropertyList += $_
           }
        }

        $distMgrObject.Props = $newPropertyList
        scim $distMgrObject
       }
       }

Script credit : Matt Shadbolt

Here the result after modifying the WMI on our server.

Once modified in the WMI, restart the SMS_Executive so it takes effect.

What Actually Happen while Pull DP Upgrade

Pull DP need the same upgrade as the primary server.

The high-level steps are the following :

• Update package for Client, Client upgrade and Boot image, if already distributed
• Pull DP upgrade with PullDP.msi
• Automatically upgrade SCCM client (no matter what are the setting of Automatic Client upgrade)

In Details…

All those steps and observation occurs after the upgrade of the server. No action are required for the following to occur.

• First, it will trigger an Update Distribution Point on packages mentioned before:
  • Notice that the actual distribution will fail on all Pull Distribution point because they haven’t been upgraded yet
  • It took more than an hour to see the failure on all Pull DP

• All Pull DP will turn red in the distribution point configuration status

• While this happen, Pull DP Upgrade will be running 50 concurrent upgrade at a time
  • Monitor it through DistMgr.log

• Pull DP will start to report Upgrade successfully completed

• An SQL query will list the progress of the global PullDP Upgrade successfull

• Once flagged as Upgraded successfull, it will automatically retry to send packages

• Slowly, Pull DP will be back to green state as distribution is successful. At one point, we had close to 2000 active distribution pending.

• Eventually, success distribution will go up
  • This took almost 48 hours to fully complete

• After the packages are sent, the client will automatically update to the new version

• Note that the client didn’t upgrade prior to this point because of the boundary configuration we had
  • The Pull DP was the only available Distribution point for itself

Hope this post will help you plan your next upgrade

The post Pull DP Upgrade Consideration in Large Environment appeared first on System Center Dudes.

Cumulative Update 3 (CU3) for SCCM 2012 R2 SP1 and SCCM 2012 SP2 is now available. This post is a complete step-by-step SCCM 2012 R2 SP1 CU3 Installation guide. If you’re looking for a complete SCCM 2012 installation guide, see our blog series which covers it all.

Installing SCCM cumulative updates is very important to your infrastructure. It fix lots of issues, which some of them are important. Microsoft recommends installing Cumulative Updates if you are affected by a resolved issues. If you are not on SCCM 2012 R2 SP1 or SCCM 2012 SP2, the latest CU is Cumulative Update 5.

If you are running SCCM 1511, this Cumulative Update is not applicable to your setup.

As this is a cumulative update, you don’t have to install prior CU(1-2) before installing CU3. CU3 contains all the fixes included in previous CU.

Improvements/Fixes

There’s no new major functionality in CU3. This update contains fixes for issues in various areas including software distribution and content management, operating system deployment, site systems and mobile device management. In addition, it applies the latest KB and fixes known bugs.

The most interesting updates is a new optional task sequence variable, SMSTSWaitForSecondReboot, to better control client behavior when a software update installation requires two restarts.

Follow this Microsoft Support page to see a full list of issues that are fixed.

PowerShell changes are no longer included in CU as described in our previous post. You won’t find any changes in PowerShell following this CU.

Before you begin

Installing this update is very similar to prior CU. I’ll guide you through the upgrade process step-by-step in a standalone primary scenario.

• Download the update on the Microsoft Support page

This update can be applied directly to the following Systems/Roles:

• The Central Administration Site (CAS)
• Primary Site
• Secondary Site
• SMS Provider
• Configuration Manager Console

In this guide, we’ll be updating a Primary Site Server, console and clients.

SCCM 2012 R2 SP1 CU3 Installation guide

To start the installation, lauch a remote desktop session on your Primary Site Server, and run CM12_SP2R2SP1CU3-KB3135680-X64-ENU.exe

A log file will be created in C:\Windows\Temp\CM12_SP2R2SP1CU3-KB3135680-X64-ENU.log

• On the Welcome Screen, click Next

• Accept the license agreement, and click Next

• Ensure that everything is green, and click Next. On the screenshot, a reboot is required before installing the CU

• Check the box to update the console, click Next

• Select Yes, update the site database, click Next

• If the Automatic Client Upgrade feature is enabled on a Site Server, the wizard will present the Automatic Client Update screen :
• Choosing the Automatically apply option results in following steps:
  • Places the most recent client patch file on the site server
  • Updates content on the distribution points for this site and any child sites. Note this only occurs when the cumulative update runs on the Central Administration Site (CAS)
  • Updates the client package on the Management Point of the local site; this source is used in the event there are no distribution points available for client installation
  • Future client installations using the Client Push method will apply the new patch automatically
  • The time frame for updating the client depends on your Automatic Client Upgrade settings
• If you chose the Manually Apply option, you will need to update your client manually as in prior CU (See our Updating the clients section)

• Check all 3 checkbox (Server, Console and Clients), click Next

• Edit the package name and program to your need, click Next

• Review the Summary page, click Install

• Installation is in progress

• You can follow the installation progress in the log file (C:\Windows\Temp\CM12_SP2R2SP1CU3-KB3135680-X64-ENU.log)

• When setup is complete, click Next and then Finish

Verification

Consoles

After setup is completed, launch the System Center 2012 Configuration Manager Console and verify the build number of the console. If the upgrade was successful, the console build number will be 5.0.8239.1403.

Servers

Open registry editor and check the HKLM\Software\Microsoft\SMS\Setup\ key. If the installation succeeded CULevel key value will be 3.

You can also verify both client and console version using PowerShell :

• Server : Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\SMS\Setup -Name “CULevel”
• Console : (Get-Item ($env:SMS_ADMIN_UI_PATH.Substring(0,$env:SMS_ADMIN_UI_PATH.Length – 5) + ‘\Microsoft.ConfigurationManagement.exe’)).VersionInfo.FileVersion

Clients

The client version will be updated to 5.0.8239.1403 (after updating, see section below)

This update also brings the anti-malware client version to 4.7.0209.0. You can find the version information by clicking About on the Help menu of the Endpoint Protection client UI.

Package distribution

Navigate to Software Library / Packages / Configuration Manager Updates

• You’ll see that your CU3 updates packages are created

• Go ahead and Distribute Content to your distribution points

Boot Images

After this cumulative update is installed on site servers, any operating system boot image should be updated

• Open the SCCM Console
• Go to Software Library / Operating Systems / Boot Images
• Select your boot image, right-click and select Update Distribution Points
• Repeat the steps for all your boot images

Updating the Clients

If you select the Automatically Apply option in the installation wizard, your client will update using your time frame settings.

• Open the SCCM Console
• Go to Administration / Site Configuration / Sites
• Click the Hierarchy Settings in the top ribbon
• Select Automatic Client Upgrade tab
• The Upgrade client automatically when the new client update are available checkbox has been enabled
• Review your time frame and adjust it to your needs

If you select the Manually Apply option in the wizard, you will need to update your client manually.

This update contains 2 update packages for client installations. One for 32-bit clients and one for 64-bit clients.

Create two collections for the client upgrade. (If not already done in previous CU)

All-x64-based Clients

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceId = SMS_R_System.ResourceId where SMS_G_System_COMPUTER_SYSTEM.SystemType = "X64-based PC"

All-x86-based Clients

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceId = SMS_R_System.ResourceId where SMS_G_System_COMPUTER_SYSTEM.SystemType = "X86-based PC"

Adjust the package options to fit your environments and deploy the update to your clients.

Once deployed I like to create a collection that targets clients without the latest CU. I use it to monitor which client haven’t been updated yet.

Here’s the query to achieve this: (You can also refer to our Set of Operational Collection Powershell Script)

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ClientVersion != '5.00.8239.1403'

Happy updating !

The post Step-by-Step SCCM 2012 R2 SP1 CU3 Installation guide appeared first on System Center Dudes.

In the first part of this blog series on how to deploy Windows 10 with SCCM, we will prepare our environment for Windows 10. If you’re already deploying other operating systems with SCCM 1511, adding Windows 10 is just a matter of adding a new WIM (which our post covers in part 4). If you’re new to deploying operating system with SCCM, follow this post which will covers all steps needed before you can deploy your first systems.

Overview SCCM Windows 10 Deployment

1. Upgrade to SCCM 1511
2. Enable PXE Support
3. Prepare your boot image
4. Prepare your Operating Systems
5. Create your SUG
6. USMT Packages

Upgrade to SCCM 1511

It’s possible to manage Windows 10 with SCCM 2012 but when it comes to deploying Windows 10, if you want to use the full features, you need SCCM 1511 and further. Follow our guide to upgrade your SCCM server and make sure that you are upgrading your Windows ADK version which is included in the upgrade process.

Enable PXE Support

Follow these steps if you want to deploy your images using PXE boot (recommended)

• Open the SCCM Console
• Go to Administration / Site Configuration / Servers and Site System Roles
• Select your distribution point and right-click on the Distribution point role on the bottom, select Properties

• Select the PXE tab
• Enable the Enable PXE support for Clients check-box and answer Yes when prompted about firewall ports (UDP ports 67, 68, 69 and 4011 )

• Check the Allow this distribution point to respond to incoming PXE requests check box
• Check the Enable unknown computer support check box
• Ensure that the Respond to PXE request on all network interfaces is selected
• Click Ok

Your distribution point will now install Windows Deployment Services (if not already installed) and will copy the necessary files on the distribution point.

You can monitor this process in the SCCM Console :

• Go to Monitoring / Distribution Status / Distribution Point Configuration Status
• Click your distribution point on the top and select the Details tab on the bottom
• You will see that the distribution point PXE settings has changed

Prepare your boot image

Drivers

Before launching your first boot image you must include your Windows 10 drivers into the boot image. Our rule of thumb about drivers is to try to boot a certain model and if it fails, add the drivers. Do not add all your NIC drivers to your boot image, it’s overkill and unnecessary increase the size of the boot image.

To add drivers to the boot image :

• Open the SCCM Console
• Go to Software Library / Operating Systems / Boot Images
• Right-click your Boot Image, select Properties
• Select the Drivers tab

• Click the Star icon
• Select the desired drivers and click OK

• The selected drivers are added to the boot image, once you click OK, SCCM will inject the driver in your boot image

Customization

We will now make a couple customization to the boot image to enable command support (F8) and add a custom background image to the deployment

• Open the SCCM Console
• Go to Software Library / Operating Systems / Boot Images
• Right-click your Boot Image
• Select the Customization tab
• Check the Enable command support checkbox. This allows to have the F8 command line support during deployment
• Specify a custom background if needed by checking Specify the custom background image file checkbox

• If you’re using a PXE-enable distribution point, select the Data Source tab and check the Deploy this boot image from the PXE-Enabled distributon point checkbox

• Click Apply and Yes to the warning, close the window

Distribute your boot image

Since you’ve upgraded your ADK to version 10 and made modifications to your boot image, you need to redistribute it to your distribution points.

• Right click your boot image and select Update Distribution Points

Prepare your Operating Systems

We will now import the Windows 10 WIM file for Windows 10 deployment.

We will start by importing the default Install.Wim from the Windows 10 media for a “vanilla” Windows 10 deployment. You could also import a WIM file that you’ve created through a build and capture process.

• Open the SCCM Console
• Go to Software Library / Operating Systems / Operating System Images
• Right click Operating System Images and select Add Operating System Image

• On the Data Source tab, browse to your WIM file. The path must be in UNC format

• In the General tab, enter the Name, Version and Comment, click Next

• On the Summary tab, review your information and click Next

• Complete the wizard and close this window

Distribute your Operating System Image

We now need to send the Operating System Image (WIM file) to our distribution points.

• Right click your Operating System Image, select Distribute Content and complete the Distribute Content wizard

We will now import the complete Windows 10 media in Operating System Upgrade Packages. This package will be used to upgrade a Windows 7 (or 8.1) device to Windows 10 using an Upgrade Task Sequence.

• Open the SCCM Console
• Go to Software Library / Operating Systems / Operating System Upgrade Packages
• Right click Operating System Upgrade Packages and select Add Operating System Upgrade Packages

• In the Data Source tab, browse to the path of your full Windows 10 media. The path must point on an extracted source of a ISO file. You need to point at the top folder where Setup.exe reside

• In the General tab, enter the Name, Version and Comment, click Next

• On the Summary tab, review your information and click Next

• Complete the wizard and close this window

Distribute your Operating System Upgrade Packages

We now need to send the Operating System Upgrade Package to your distribution points.

• Right click your Operating System Upgrade Package, select Distribute Content and complete the Distribute Content wizard

Create Software Update Group

One important thing in any OSD project, is to make sure that every machines deployments are up to date. Before deploying Windows 10, make sure that your Software Update Point is configured to include Windows 10 patches.

Once Windows 10 is added to your Software Update Point, we will create a Software Update Group that will be deployed to our Windows 10 deployment collection. This way, all patches released after the Windows 10 media creation (or your Capture date) will be deployed during the deployment process.

To create a Windows 10 Software Update Group :

• Open the SCCM Console
• Go to Software Library / Software Updates / All Software Updates
• On the right side, click Add Criteria, select Product, Expired and Superseded
  • Product : Windows 10
  • Expired  : No
  • Superseded : No

• Select all patches and select Create Software Update Group

• Once created, go to Software Library / Software Updates / Software Update Groups
• Right-click your Windows 10 SUG and deploy it to your OSD deployment collection

USMT Package

If you are planning to use USMT to capture and restore user settings and files, you need to make sure that the USMT package is created and distributed.

• Open the SCCM Console
• Go to Software Library / Application Management / Packages
• Right-click the User State Migration Tool for Windows 10 package and select Properties
• On the Data Source tab, ensure that the package is using the ADK 10 – Which is per default C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\User State Migration Tool
• Right-click the User State Migration Tool for Windows 10 package and select Distribute Content

That’s it ! You have everything that’s needed to create your first Windows 10 deployment. Read the next parts of this blog series to successfully deploy Windows 10.

The post SCCM Windows 10 Deployment | Prepare your environment appeared first on System Center Dudes.

In the second post of this blog series about Windows 10 Deployment using SCCM, we will show you how to create a SCCM Windows 10 Task Sequence and deploy it. Complete the preparation of your environment before reading this post.

This task sequence will help you deploy what we call a “vanilla” Windows 10 using the default Install.wim from the Windows 10 media. This means that you’ll end up with a basic Windows 10 with the SCCM client and nothing else.

You will be able to edit this task sequence later to customize it to your environment.

Create SCCM Windows 10 Task Sequence

• Open the SCCM Console
• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click Task Sequences and select Create Task Sequence

• On the Task Sequence wizard, select Install an existing image package

• On the Task Sequence Information pane, enter the desired Name, Description and Boot Image

• On the Install Windows pane, select the Image package and Image index you imported in part 1
• Leave the check box beside Partition and Format the target computer before installing the operating system
• For this example we will remove the Configure task sequence for use with Bitlocker
• Leave the Product key blank, if you are using MAK keys, read this post on how to handle that in your Task Sequence. (TL;DR: Even with MAK key, you need to leave the Product key blank)
• Enter an Administrator password

• In the Configure Network pane, you can select to Join a workgroup or domain. If you select Join a domain, enter your domain information, OU and credentials

• On the Install Configuration Manager Client pane, select your Configuration Manager Client Package and enter your installation properties

• On the State Migration pane, we will remove all checkbox as we don’t want to use User State Migration at this time

• On the Include Updates pane, select the desired Software Update task
  • All Software Updates will install the updates regardless of whether there is a deadline set on the deployment (on your OSD collection)
  • Mandatory Software Updates will only install updates from deployments that have a scheduled deadline (on your OSD collection)
  • Do not install any software updates will not install any software update during the Task Sequence

• On the Install Applications tab, click on the Star Icon to add any application that you want to be installed during your deployment. Only applications will be listed. If you need to add packages, you can add it by editing the task sequence later. Theses applications will be deployed each time the task sequence is executed.

• On the Summary tab, review your settings and click Next

• On the Completion tab, click Close

Deploy Windows 10 Task Sequence

Now that your Task Sequence is created, we will deploy it to a collection and start a Windows 10 deployment.

• Open the SCCM Console
• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click your Windows 10 Task Sequence and select Deploy

• On the General pane, select your collection. This is the collection that will receive the Windows 10 installation. For testing purposes, we recommend putting only 1 computer to start

• Select the Purpose of the deployment
  • Available will prompt the user to install at the desired time
  • Required will force the deployment at the deadline (see Scheduling)
• In the Make available to the following drop down, select the Only media and PXE. This will ensure that you do not send the deployment on clients. This is also useful to avoid errors, using this options you *could* send the deployment to All Systems and no clients would be able to run the deployment from Windows

• On the Scheduling tab, enter the desired available date and time. On the screenshot, we can’t create an Assignment schedule because we select Available in the previous screen

• In the User Experience pane, select the desired options

• In the Alerts tab, check Create a deployment alert when the threshold is higher than the following checkbox if you want to create an alert on the failures

• On the Distribution Point pane, select the desired Deployment options. We will leave the default options

• Review the selected options and complete the wizard

PXE Boot

Now that we’ve created our task sequence and that it’s deployed. We can start the deployment on the machine. Make sure that your system is a member of your deployment collection and start the device. For this example, we will be using a virtual machine running on Hyper-V.

• The machine is booting and waiting for the PXE to respond

• Our SCCM Distribution point is sending the boot image to our VM

• The Welcome to the Task Sequence Wizard pops-up. This is because of the Available purpose in the Deployment Settings. If we had a Required deployment, the task sequence would start right away. Click Next

• All the available task sequence are listed. In our example we have only 1 deployment on our collection so only 1 task sequence is available. Select the task sequence and click Next

• The Task Sequence starts

Monitoring

See our blog post on this topic which covers the various ways to monitor your Task Sequence progress.

The post SCCM Windows 10 Deployment | Create SCCM Windows 10 Task Sequence appeared first on System Center Dudes.

Are you importing your applications in SCCM when it’s time to copy applications from one environment to the other? In some company, SCCM is installed twice, one for development and one for production. SCCM in a development environment provides flexibility but it adds additional cost to maintain both environment. Using the import application wizard in SCCM can ease the process and save time to copy applications from one to another environment.

In the best of worlds, it is best to keep environment identical much as possible, but it is very difficult to get there. The problem is that you can end up with missing features and import applications that require these requirements.

Did you ever receive this Referenced Configuration Items Not Available error message at the end of Import Application Wizard?

This is because one of your Referenced Configuration items not available in the destination environment you import the application.

In the future, if you get this error message, connect to your SCCM development environment :

• Open the SCCM console and navigate to Software Library / Application Management / Applications
• Select the application and click on Deployment Types tab at the bottom
• Right click on the Deployment Type and select Properties

• Click on Requirements tab and change your requirements to make it works in your destination environment

In our situation, we planned to import mobile devices applications that was supporting iOS 9. Both environments were SCCM 2012 versions but one doesn’t have the iOS 9 Extensions enabled. The option was not available in the destination environment and make the import application to fail. We resolve the problem by enabling iOS 9 extensions in production environment.

SCCM Applications Report

Related SCCM report that give you detailed information about applications.

• Configuration Manager | Applications

Referenced Configuration Items Not Available

The post Referenced Configuration Items Not Available in SCCM appeared first on System Center Dudes.

When deploying Windows 10 operating system using SCCM, you will need to monitor SCCM task sequence progress. This allows to track task sequence start, end time and most importantly errors (if any). Our post will shows 4 different ways to monitor SCCM task sequences. Each of them has their own benefits and drawbacks.

Monitor SCCM Task Sequence Using the Console

You can view the progress of a task sequence using the SCCM console. This method is simple and easy but permit to see the status of only one machine at the time. If your deployment staff don’t have access to the console or view deployment status, this option is not for you.

• Open the SCCM Console
• Go to Monitoring / Deployments
• Search and right-click the deployment linked to your Windows 10 task sequence
• On the menu, select View Status

• In the Deployment Status screen, select the In Progress tab for a running task sequence or the Success tab to review a completed task sequence
• At the bottom, click the Asset Details pane, right-click your device and select More Details

• On the Asset Message screen, click the Status tab
• You can view all task sequence Action Name with their Last Message Name

Console Status Message Queries

You can use Status Message Queries in the SCCM console to filter only task sequence messages. This method is useful to have messages from multiple devices instead of targeting a specific computer like in the previous methods. This method is a bit trickier to implement.

• The first step is to get the DeploymentID of your task sequence deployment
• Go to Monitoring / Deployments
• Add the DeploymentID column by right-clicking the top row. Note your DeploymentID, in our example 1002000B

• Go to Monitoring / System Status / Status Message Queries
• Right-click Status Message Queries and select Create Status Message Query

• On the General tab, enter a desired Name and click on Edit Query Statement

• On the Query Statement Properties window, click on Show Query Language

• Enter the following query in the Query Statement window

• Change the SMS_StatMsgAttributes.AttributeValue to reflect your DeploymentID

• Click OK
• In the Status Message Queries node, find your newly created Query, right-click on it and select Show Messages

• Select the desired Date and Time and click OK

• All messages from your selected deployment will be displayed for all devices that run it

SCCM Built-in Reports

There’s 28 built-in reports concerning task sequence in SCCM. The majority of the reports focus on statistics about overall deployments. To monitor progress, we refer to the 2 following reports :

• Task Sequence – Deployment Status / Status of a specific task sequence deployment for a specific computer
  • This report shows the status summary of a specific task sequence deployment on a specific computer.

• Task Sequence – Deployment Status / History of a task sequence deployment on a computer
  • This report displays the status of each step of the specified task sequence deployment on the specified destination computer. If no record is returned, the task sequence has not started on the computer.

 

As you can see, readability is easier using the console but keep in mind that reports can be accessible without having console access.

SMSTS.log

Last method we want to cover to monitor Windows 10 task sequence deployment is using the SMSTS.log file. This is the method you’ll want to use when you have a failing task sequence. The SMSTS.log file contains every details about every steps in your task sequence. It’s the first place to look to troubleshoot a problem with a specific deployment.

The downside of this file is that it’s stored locally on the computer (by default). Another downside is that this file location change depending on the stage you are at :

• Connect on the computer you want to troubleshoot
• Press the F8 key. A command prompt will open. If you have no command prompt by pressing F8, consult our Preparation post to enable Command Line support in your Boot image
• In the command windows, enter CMTrace to open the log viewer (it’s included by default in the latest WinPE version)

• Browse to the location when the file reside (see above table)

• The SMSTS.log opens and you can search for errors

There’s also methods to redirect your SMSTS.log automatically to a network share which could help :

• Using SLShare variable (MDT Integrated)
• Using the _SMSTSLastActionSucceeded variable

We hope this post will ease your Windows 10 deployments. Leave your comments and questions in the comment section.

The post Windows 10 Deployment | Monitor SCCM Task Sequence Progress appeared first on System Center Dudes.

In the third post of this blog series about Windows 10 Deployment using SCCM, we will show you how to create a SCCM Windows 10 Build and Capture Task Sequence and deploy it. Complete the preparation of your environment before reading this post. You will be able to edit this task sequence later to customize it to your environment.

The goal of a build and capture task sequence is to capture a reference machine OS in order to redeploy its configuration multiple time. As a best practice, we recommend not to add too much software and customization to your reference image. Rather, use the task sequence steps to customize your deployment which decrease management operation tasks in the long run.

For example, if you want to include Adobe Reader to your reference image because all your users need it, do not install it on your reference machine and do your capture. Instead, use the Installed Software step in the capture task sequence. When a new version of Adobe Reader will be released, it will be a matter of a couple of click to replace the old version with the new one.

Create SCCM Windows 10 Build and Capture Task Sequence

• Open the SCCM Console
• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click Task Sequences and select Build and capture a reference operating system image

• On the Task Sequence Information tab enter a task sequence Name and Description
• Select the desired boot image

• On the Install Windows pane, select the Image package and Image index you imported in part 1
• Leave the Product key blank, if you are using MAK keys, read this post on how to handle that in your Task Sequence. (Hint : Even with MAK key, you need to leave the Product key blank)
• Enter a password for the local Administrator account

• In the Configure Network pane, select to Join a workgroup. There’s no reason to join a domain when creating a build and capture task sequence. You’ll still be able to join a domain when creating a task sequence to deploy this image

• On the Install Configuration Manager Client pane, select your Configuration Manager Client Package and enter your installation properties

• On the Include Updates pane, select the desired Software Update task
  • All Software Updates will install the updates regardless of whether there is a deadline set on the deployment (on your OSD collection)
  • Mandatory Software Updates will only install updates from deployments that have a scheduled deadline (on your OSD collection)
  • Do not install any software updates will not install any software update during the Task Sequence

• On the Install Applications tab, click on the Star Icon to add any application that you want to be installed during your build and capture deployment. These applications will be part of the reference image, we recommended adding only software that need to be included in every deployment… and even there, I prefer add it to a deployment task sequence rather to include it in my image. The reason is pretty simple, if you need to make an application change, you only have 1 step to change to your task sequence rather than redo the whole build and capture process and then modify your task sequence with the new image. Some likes to add Office or other big applications that every users needs to reduce deployment time.

• On the System Preparation tab, click Next

• On the Image Properties tab, enter the desired information

• On the Capture Image tab, select the path where you want to save the .WIM file
• Enter the account to access the folder. This account needs write permission

• On the Summary tab, review your choices and complete the wizard

Deploy Windows 10 Build and Capture Task Sequence

Now that our Task Sequence is created, we will deploy it to a collection and start a Windows 10 Build and capture. It’s strongly recommended to deploy a build and capture on a virtual machine.

• Open the SCCM Console
• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click your Windows 10 Build and Capture Task Sequence and select Deploy

• On the General pane, select your build and capture collection. This is the collection that will receive the Windows 10 installation and be captured to create the new WIM file

• Select the Purpose of the deployment
  • Available will prompt the user to install at the desired time
  • Required will force the deployment at the deadline (see Scheduling)
• In the Make available to the following drop down, select the Only media and PXE. This will ensure that you do not send the deployment on clients. This is also useful to avoid errors, using this options you *could* send the deployment to All Systems and no clients would be able to run the deployment from Windows

• On the Scheduling tab, enter the desired available date and time. On the screenshot, we can’t create an Assignment schedule because we select Available in the previous screen

• In the User Experience pane, select the desired options

• In the Alerts tab, check Create a deployment alert when the threshold is higher than the following checkbox if you want to create an alert on the failures

• On the Distribution Point pane, select the desired Deployment options. We will leave the default options

• Review the selected options and complete the wizard

PXE Boot

Now that we’ve created our task sequence and that it’s deployed. We can start the deployment on the machine. Make sure that the system you want to capture is a member of your deployment collection and start the device. (See this Technet article to know how to import a computer).

For this example, we will be using a virtual machine running on Hyper-V.

• The machine is booting and waiting for the PXE to respond

• Our SCCM Distribution point is sending the boot image to our VM

• The Welcome to the Task Sequence Wizard pops-up. This is because of the Available purpose in the Deployment Settings. If we had a Required deployment, the task sequence would start right away. Click Next

• All the available task sequence are listed. In our example we have our deployment and our build and capture task sequence. Select the Build and Capture task sequence and click Next

• The Task Sequence starts

Monitoring

See our blog post on this topic which covers the various ways to monitor your task sequence progress.

The post Windows 10 Deployment | Create SCCM Windows 10 Build and Capture Task Sequence appeared first on System Center Dudes.

In the fourth post of this blog series about Windows 10 Deployment using SCCM, we will show you how to upgrade a Windows 7 to Windows computer 10 using SCCM task sequence upgrade.

The goal of an upgrade task sequence is to upgrade an existing operating system to Windows 10 without loosing any data and installed software. This post assumes that you are running SCCM 1511 or SCCM 1602 and that you completed the preparation of your environment for Windows 10.

If you are running SCCM 2012 R2 SP1, the product team has release important information about SCCM task sequence upgrade that you can find in this blog post.

In the past, an in-place upgrade scenario was not a reliable and popular option to deploy the latest version of Windows. With Windows 10, it’s now reliable and features an automatic rollback in case something goes wrong. This scenario can also be considered faster than the wipe and reload deployment scenarios, since applications and drivers don’t need to be reinstalled.

When to use In-Place Upgrade Scenario ?

Consider using SCCM upgrade task sequence if :

• You need to keep all existing applications and settings on a device
• You need to migrate Windows 10 to a later Windows 10 release (ex: 1511 to 1602)
• You don’t need to change the system architecture (32 bits to 64 bits)
• You don’t need to change the operating system base language
• You don’t need to downgrade a SKU (Enterprise to Pro). The only supported path is Pro to Enterprise or Enterprise to Enterprise)
• You don’t need to change the BIOS architecture from legacy to UEFI
• You don’t have multi-boot configuration

Windows 10 is now managed as a service, this upgrade process can also be used to migrate Windows 10 to a later Windows 10 release or you can use the new Windows 10 servicing feature in SCCM 1602 and later.

Possible Upgrade Path when using SCCM Task Sequence Upgrade

• Windows 7, Windows 8 and Windows 8.1 can use this method to upgrade to Windows 10
• You can’t upgrade a Windows XP or Windows Vista computer to Windows 10
• Windows 10 is the only final destination OS (You can’t upgrade a Windows 7 to Windows 8.1 using this method)

Requirements

• As stated in the start of this blog post, you need at least SCCM 2012 R2 SP1 (or SCCM 2012 SP2) to support the upgrade task sequence
• You cannot use a custom image for this scenario, you must start from the original WIM from the Windows 10 media

Three major vendors have supported workarounds documented on their support sites :

Understanding the In-Place Upgrade Process

If you want to understand all the phases in the upgrade process, we strongly recommend watching the Upgrading to Windows 10: In Depth video from the last Microsoft Ignite event.

Create SCCM Task Sequence Upgrade Windows 7 to Windows 10

Enough writing, let’s create a SCCM task sequence upgrade for a Windows 7 deployment.

• Open the SCCM Console
• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click Task Sequences and select Upgrade an operating system from upgrade package

• In the Task Sequence Information tab, enter a Task Sequence Name and Description

• On the Upgrade the Windows Operating System tab, select your upgrade package by using the Browse button. If you don’t have imported an upgrade package yet, use the step provided in our preparation blog post

• On the Include Updates tab, select the desired Software Update task
  • All Software Updates will install the updates regardless of whether there is a deadline set on the deployment (on your OSD collection)
  • Mandatory Software Updates will only install updates from deployments that have a scheduled deadline (on your OSD collection)
  • Do not install any software updates will not install any software update during the Task Sequence

• On the Install Applications tab, select any application you want to add to your upgrade process

• On the Summary tab, review your choices and click Next

• On the Competition tab, click Close

Edit the SCCM Task Sequence Upgrade

Now that we have created the task sequence, let’s see what it looks like under the hood:

• Open the SCCM Console
• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click your upgrade task sequences and select Edit

As you can see, it’s fairly simple. SCCM will take care of everything in a couple of steps :

• The Upgrade Operating System step contains the important step of applying Windows 10

Deploy the SCCM Upgrade Task Sequence

We are now ready to deploy our task sequence to the computer we want to upgrade. In our case, we are targeting a Windows 7 computer.

• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click Task Sequences and select Deploy

• On the General pane, select your collection. This is the collection that will receive the Windows 10 upgrade. For testing purposes, we recommend putting only 1 computer to start

• On the Deployment Settings tab, select the Purpose of the deployment
  • Available will prompt the user to install at the desired time
  • Required will force the deployment at the deadline (see Scheduling)
• You cannot change the Make available to the following drop-down since upgrade packages are available to client only

• On the Scheduling tab, enter the desired available date and time. On the screenshot, we can’t create an Assignment schedule because we select Available in the previous screen

• In the User Experience pane, select the desired options

• In the Alerts tab, check Create a deployment alert when the threshold is higher than the following check-box if you want to create an alert on the failures

• On the Distribution Point pane, select the desired Deployment options. We will leave the default options

• Review the selected options and complete the wizard

Launch the Upgrade Process

Now that our upgrade task sequence is deployed to our clients, we will log on our Windows 7 computer and launch a Machine Policy Retrieval & Evaluation Cycle from Control Panel / Configration Manager Icon

• Open the new Software Center from the Windows 7 Start Menu
• You’ll see the SCCM upgrade task sequence as available. We could have selected the Required option in our deployment schedule, to launch automatically without user interaction at a specific time

• When ready, click on Install

• The following warning appears

• Click on Install Operating System

• The update is starting, the task sequence Installation Progress screen shows the different steps

• The WIM is downloading on the computer and saved in C:\_SMSTaskSequence

• You can follow task sequence progress in C:\Windows\CCM\Logs\SMSTSLog\SMSTS.log

• After downloading, the system will reboot

• The computer restart and is loading the files in preparation of the Windows 10 upgrade

• WinPE is loading

• The upgrade process starts. This step should take about 15 to 30 minutes depending of the device hardware

• Windows 10 is getting ready, 2-3 more minutes and the upgrade will be completed

• Once completed the SetupComplete.cmd script runs. This step is important to set the task sequence service to the correct state

• Windows is now ready, all software and settings are preserved

The post Windows 10 Deployment | SCCM Task Sequence Upgrade Windows 7 to Windows 10 appeared first on System Center Dudes.

Offline Servicing in SCCM is the process through which you can inject software updates in your operating system WIM files.

This process can alleviate your build and capture yearly/bi-yearly WIM updates that you most likely run in your enterprise. However, as much as this process is great to shorten your gold image updates, it’s still not perfect. Why? The answer is quite simple. Even if your gold image contains products such as Microsoft Office, offline servicing will not apply Office patches even though these are downloaded to your Software Update Point. Only core Windows applications can get patched through this process.

What are the type of core applications that you can apply patches to? Obviously, Windows, Internet Explorer, .Net Framework and so on and so forth. (also called CBS, for Component Based Servicing)

SCCM Offline Servicing Overview

Here’s what happens in the background when you start the SCCM Offline servicing process :

1. SMS_Executive starts the SMS_Offline_Servicing_Manager either via a schedule or manually, depending on how you configured it
2. SCCM copies your WIM in a temporary folder
3. The WIM gets mounted (or extracted if you will) to a mount directory
   • By using DISM the Offline Servicing will attempt to see if a given software update is applicable (installed or not) to your WIM file. If not, it injects it
4. This gets repeated for all software updates
5. The image gets unmounted and the WIM is rebuild
6. A backup of the WIM is created
7. The new WIM gets copied back to its original location
8. Your distribution point gets updated (if you chose to update them) or else, you should plan to update them

How to Initiate SCCM Offline Servicing

So now that we have all this theory explained, let’s get our hands dirty. How do we actually do this?

• From the SCCM console, navigate to Software Library / Operating System / Operating System Images
• Right click on your image you wish to inject patches to and choose Schedule Updates

• You can either choose to select all software updates or only a subset. Make sure the correct architecture is selected for your Wim and click Next 

• Set a Schedule if you want to plan ahead, if not, choose As soon as possible. To your choosing, select to Continue on error and Update the distribution points with the image, click Next

• Validate your selections and click Close

Monitoring

You can monitor the process via 3 log files :

• OfflineServicingMgr.log  – ConfigMgrInstallPath\Logs

You can refer to the high level steps above to match the numbers in the screenshots with the steps

• SMS_Executive calls SMS_OFFLINE_SERVICE_MANAGER (1)

• A backup is taken (2)

• WIM file gets mounted (3)

• Updates get applied (4)

• WIM gets unmounted (5)

• The backup copy is moved (6)

• WIM gets copied back (7)

• DISM.log  – Windows\Logs\Dism\DISM.log

You can also view the details of what DISM does patch per patch in this log. Take heed though, DISM.log tends to be very chatty/verbosy.

• DistMgr.log – ConfigMgrInstallPath\Logs

To view your WIM file get distributed on all your DPs.

Here’s to hoping this clears up the whole Offline Servicing for you all!

The post Inject Software Updates in your WIM using SCCM Offline Servicing appeared first on System Center Dudes.

In this post we will describe how to customize your windows 10 image to personalize it to your company. There’s an infinite amount of customization that can be made but i’ll try to cover the more frequent one, those that are asked 95% of every Windows 10 projects I was involved in. You could also do all those modifications through group policies if you want to enforce those settings.

SCCM Windows 10 Customization Package

Before we begin any customization, we will create a Windows 10 Customization package that we will use in our task sequence. It will be empty to start but we will create the folders and scripts during this blog post.

• Open the SCCM Console
• Go to Software Library / Application Management / Packages
• Create a new package
• On the Package tab, enter a Name, Description, Manufacturer and Source folder (this is where all scripts will be stored)

• On the Program Type tab, select Do not create a program

• On the Summary tab, review your choices and complete the wizard

File Association

The first item we will be covering is file association. By default, Windows 10 uses Microsoft Edge to open every PDF files and HTTP links. For this post, we will redirect PDF files to Adobe Reader and HTTP/HTTPS to Internet Explorer. You can redirect any extension to any software. You just need to make sure that the application that you associate is installed during your Windows 10 deployment (or in your image).

The first step is to make the association manually, we will then export the configuration to a XML file and we will use DISM in our task sequence to import the configuration.

• Log on a Windows 10 machine
• Open Control Panel / Programs / Default Programs / Set Associations

• Navigate to .PDF and click on Change Program

• Select Adobe Reader and click OK

• Your .PDF files are now associated to Adobe Reader
• For Internet Explorer association, select HTTP Protocol, .HTM and .HTML files, change program to Internet Explorer

Now that our associations has been done, we need to export the associations to a XML file using DISM :

• Open an elevated command prompt
• Run the following command : Dism /Online /Export-DefaultAppAssociations:C:\Temp\SCDAppAssoc.xml
  • (Change the XML file name and path if desired but make sure that the directory exists or you’ll get an error code 3)

The XML file can be opened using any text editor. You can see our modifications has been made. It’s possible to change manually in this file but it’s a bit tricky to find ProdId and ApplicationName.

• Copy the XML file to your Windows 10 customization package in the FileAssociations Folder

• Open the SCCM Console and browse to Packages
• Right-click your Windows 10 Customization package and select Update Distribution Point

• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click and Edit your Windows 10 task sequence
• Select Add / General / Run Command Line
  • Name : Set File Association
  • Command line : Dism.exe /online /Import-DefaultAppAssociations:FileAssociations\SCDAppAssoc.xml
  • Check the Package box and specify your Windows 10 customization package
• Position this step after the Windows image has been deployed

Setting the Default Windows 10 Wallpaper

We will now change the default Windows 10 wallpaper to a corporate one.

• The default Windows 10 wallpapers are stored in the C:\Windows\Web\Wallpaper\Windows\ folder
• Windows 10 also support 4K wallpapers which are stored in C:\Windows\Web\4K\Wallpaper\Windows

For our post, we will delete the 4K wallpapers and overwrite the default img0.jpg file. If you need to support 4K wallpaper, just place them in the 4K folder before updating your distribution points and the script will copy it to the right location.

By default, you can’t modify those files, we will use a PowerShell script to change the security of the folder and overwrite the wallpaper file. We will grant access to the SYSTEM account since it’s the account used during the SCCM task sequence.

• Create a new WallPaper\DefaultRes and WallPaper\4K folder in your Windows 10 customization directory
• Rename your wallpaper to img0.jpg copy it in the WallPaper\DefaultRes directory
• If 4K support is needed, copy your files in the WallPaper\4K Directory

Create a new Powershell script in the root of the Wallpaper directory and copy this code into it :

#Take OwnerShip of the files
TAKEOWN /f C:\Windows\WEB\Wallpaper\Windows\img0.jpg
TAKEOWN /f C:\Windows\Web\4K\Wallpaper\Windows\*.*
#Set permissions for SYSTEM Account
ICACLS C:\Windows\WEB\Wallpaper\Windows\img0.jpg /Grant 'System:(F)'
ICACLS C:\Windows\Web\4K\Wallpaper\Windows\*.* /Grant 'System:(F)'
#Delete the files
Remove-Item C:\Windows\WEB\Wallpaper\Windows\img0.jpg
Remove-Item C:\Windows\Web\4K\Wallpaper\Windows\*.*
#Copy the files
Copy-Item $PSScriptRoot\DefaultRes\img0.jpg C:\Windows\WEB\Wallpaper\Windows\img0.jpg
Copy-Item $PSScriptRoot\4k\*.* C:\Windows\Web\4K\Wallpaper\Windows

You’ll end up with the following structure :

• Open the SCCM Console and browse to Packages
• Right-click your Windows 10 Customization package and select Update Distribution Point

• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click and Edit your Windows 10 task sequence
• Select Add / General / Run PowerShell Script
  • Name : Set Wallpaper
  • Script Name : Wallpaper\ChangeWallpaper.ps1
  • PowerShell execution policy : Bypass
• Position this step after the Windows image has been deployed

Change Lock Screen Image

The lock screen image is the image you see when the computer is locked. To change it, we must copy our image locally on the computer and then modify a registry key to read it.

• Create a new LockScreen folder in your Windows 10 customization directory
• Create a new LockScreen.cmd file and copy the following code

• Create a new LockScreen.reg file and copy the following code (watch out of the “” when copy/pasting)

• Copy the image you want to set as the lock screen. For this blog post we will call it LockScreen.jpg. If you rename this file, make sure to change the script to fit this name.

You’ll end up with the following structure :

• Open the SCCM Console and browse to Packages
• Right-click your Windows 10 Customization package and select Update Distribution Point

• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click and Edit your Windows 10 task sequence
• Select Add / General / Run Command Line
  • Name : Set File Association
  • Command line : cmd.exe /c LockScreen\LockScreen.cmd
  • Check the Package box and specify your Windows 10 customization package
• Position this step after the Windows image has been deployed

Disable Microsoft Consumer Experiences

The latest Windows 10 feature upgrade includes a new feature that automatically installs a few apps from the Windows Store. Some apps like Candy Crush and Minecraft gets installed, we don’t think that belong to a work environment so we’ll delete it.

The good news is that it’s quite simple to disable. You need to disable a function called Microsoft Consumer Experiences. We will do this using a registry modification :

• Create a new ConsumerExperience folder in your Windows 10 customization directory
• Create a new DisableConsumerExperience.reg file and copy the following code :

You’ll end up with the following structure :

• Open the SCCM Console and browse to Packages
• Right-click your Windows 10 Customization package and select Update Distribution Point

• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click and Edit your Windows 10 task sequence
• Select Add / General / Run Command Line
  • Name : Disable Consumer Experience
  • Command line : Regedit.exe /s ConsumerExperience\DisableConsumerExperience.reg
  • Check the Package box and specify your Windows 10 customization package
• Position this step after the Windows image has been deployed

Create Custom Start Menu

We will now create a default Windows 10 start menu that will be used on every Windows 10 machine by default. If you add shortcuts to applications, make sure that you’ve include them in your task sequence or you’ll end up with a start menu looking like swiss cheese. (empty spots)

• Log on a Windows 10 machine
• Manually configure the Start Menu
• Create a new StartMenu folder in your Windows 10 customization package
• Start an elevated PowerShell and run the following command : Export-StartLayout -Path “C:\Temp\StartMenu.bin”
• Copy the StartMenu.bin file to your Windows 10 customization package in the StartMenu folder

• Open the SCCM Console and browse to Packages
• Right-click your Windows 10 Customization package and select Update Distribution Point

• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click and Edit your Windows 10 task sequence
• Select Add / General / Run Command Line
  • Name : Set Start Menu Layout
  • Command line : Powershell.exe Import-StartLayout -LayoutPath StartMenu\StartMenu.bin -MountPath C:\
  • Check the Package box and specify your Windows 10 customization package
• Position this step after the Windows image has been deployed

Set Windows 10 Pinned Taskbar items

Windows 10 permits to “pin” program on the task bar for easy access. Here’s how to create a standard task-bar for your Windows 10 users.

• Create a new PinTaskBar folder in your Windows 10 customization directory
• Log on a Windows 10 computer
• Manually pin all the desired program using the Pin to taskbar option

• Copy the links from %AppData%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar to your Windows 10 customization package in the PinTaskBar directory. This directory is hidden, so be sure to show Hidden Items

• Open Registry Editor
• Export the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband key to Win10Taskbar.reg

• Copy the Win10Taskbar.reg file to your Windows 10 customization package in the PinTaskBar directory
• Edit the Win10Taskbar.reg file using a text editor and replace the beginning of the first line
  • Replace HKEY_Current_User to HKEY_LOCAL_MACHINE\defuser

• The final string will be : HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Taskband
• Create a new Win10Taskbar.cmd file in your Windows 10 customization package in the PinTaskBar directory and copy the following code :

You’ll end up with the following structure :

• Open the SCCM Console and browse to Packages
• Right-click your Windows 10 Customization package and select Update Distribution Point

• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click and Edit your Windows 10 task sequence
• Select Add / General / Run Command Line
  • Name : Set Taskbar Pins
  • Command line : cmd.exe /c PinTaskBar\Win10Taskbar.cmd
  • Check the Package box and specify your Windows 10 customization package
• Position this step after the Windows image has been deployed

Conclusion

If you correctly follow this post, you’ll end up with this structure in your Windows 10 Customization package :

And you’ll have 6 new steps in your Windows 10 task sequence :

You can now deploy your Windows 10 task sequence to a test machine and all customization should be there. See our post on how to monitor your task sequence if something goes wrong or simply if you want to track the progress.

We hope this post will help you out for your Windows 10 customization. Feel free to post your customization using the comment section. We will update this post on a regular basis when we have more to share.

The post SCCM Windows 10 Customization using Task Sequences appeared first on System Center Dudes.

Since SCCM 1511, you can use the new upgrade task sequence to easily upgrade a Windows 7 computer to Windows 10. But what if you want to upgrade a computer from a 32-bits operating system to Windows 10 64-bits ? You can’t use the upgrade task sequence for this specific scenario. Another reason would be that your company decided to use the wipe and reload option in your Windows 10 migration project. In those cases you will need to use USMT to capture data and settings from the users profiles before applying the new operating system.

This post will describe how to upgrade a 32-bits computer to Windows 10 64-bits using USMT and SCCM. This post will be using hard-links without using a State Migration Point. Continue reading if you are not familiar with those terms, we will explain it later.

Since you’re at the step of deploying Windows 10, we assume that you already installed at least SCCM 1511 and the latest Windows ADK before reading this post. If not, read our related posts :

1. SCCM 1511 Upgrade Guide
2. Windows 10 Deployment | Prepare your environment

USMT Basics

Let’s start by giving a couple of facts about the User State Migration Tool :

• Latest USMT version is 5.0
• Latest Windows ADK 10 includes the latest version
• Supports capturing data and settings from Windows Vista and later (including Windows 10)
• Supports restoring the data and settings to Windows 7 and later (including Windows 10)
• Supports migrating from a 32-bit operating system to a 64-bit operating system, but not the other way around

What gets Migrated

By default, USMT migrates many settings (user profile, Control Panel configurations, files, and more). The default configuration files that are used in Windows 10 deployments are MigUser.xml and MigApp.xml. These two configurations files migrates the following data and settings:

• Folders from each profile (My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites folders)
• USMT templates migrate the following file types: .accdb, .ch3, .csv, .dif, .doc*, .dot*, .dqy, .iqy, .mcw, .mdb*, .mpp, .one*, .oqy, .or6, .pot*, .ppa, .pps*, .ppt*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk, .txt, .vl*, .vsd, .wk*, .wpd, .wps, .wq1, .wri, .xl*, .xla, .xlb, .xls*.
• Operating system component settings
• Application settings

If needed, you can create a custom configuration files to includes more files types or settings. See the following Technet post for detailed instructions.

For more details on what USMT migrates, see this Technet article. For more information on the USMT overall references, see this Technet article.

Where to Store the User Data and Settings

You can capture USMT data locally (Hard-links) or remotely using a State Migration Point in SCCM (File Copy).

• Hard-link migration takes advantage of advanced features of the NTFS file system that allow files to physically remain in-place and intact even after the drive is wiped (not formatted). When restored, pointers to the files are restored, so the files never physically have to be copied or moved outside the machine. To use hard-linking, select the Capture locally by using links instead of copying files option in the Capture User State task
• File copy: If hard-linking is not selected, the traditional file copy method for storing user state is used. This file copy method literally copies all identified user state data to an alternative location requiring extra disk space and extra time to complete the copy

• To store the user state data on a state migration point (File Copy), you must first Configure a state migration point to store the user state data
• To store the user state data on the destination computer for update deployments (Hard-Link), you must :
  • Add Capture User State steps to your task sequence and configure it to use local folder using links
  • Add Restore User State steps to your task sequence and configure it to restores the user state using those links

This post will focus on the hard-links option and will not describe how to customize the task sequence to use the state migration point.

Verify SCCM Windows 10 USMT Package

To store the user state locally or on a state migration point, you must create a package that contains the USMT source files that you want to use. This package is used in the Capture User State step of the migration task sequence.

• Open the SCCM Console
• Go to Software Library / Application Management / Packages
• Right-click the User State Migration Tool for Windows 10 package and select Properties
• On the Data Source tab, ensure that the package is using the ADK 10 – Which is per default C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\User State Migration Tool
• Right-click the User State Migration Tool for Windows 10 package and select Distribute Content

• If you have no User State Migration Tool for Windows 10 package, just create (without any programs) and distribute it

Creating the Capture and Restore User State Data Task Sequence

To capture and restore the user state, you must first create a new task sequence, but before, we’ll explain the different options in the User State Menu :

• Request State Store : This step is needed only if you store the user state on the State Migration Point
• Capture User State : This step captures the user state data and stores it on the State Migration Point or locally using hard-links
• Restore User State : This step restores the user state data on the destination computer. It can retrieve the data from a user state migration point or from hard-links
• Release State Store : This step is needed only if you store the user state on the State Migration Point. This step release this data from the State Migration Point

When you create a new task sequence from the latest SCCM version, the wizard takes care of the essential steps. Let’s create it and see what are the options :

• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click Task Sequence and select Create Task Sequence
• Select Install an existing image package

• On the Task Sequence Information tab, enter your Task sequence name, Description and Boot Image

• On the Install Windows tab, uncheck Partition and format the target computer and Configure task sequence for use with Bitlocker
  • If a format and partition of the disk is selected, it would wipe all data on the drive, including the USMT data. Instead, the Apply Operating System task will delete of all files and directories occurs on the drive minus protected USMT folders

• On the Configure Network tab, select to join your domain and specify the account to use

• On the Install Configuration Manager Client tab, select your client package

• On the State Migration tab, check Capture user settings and files, select your USMT Package
• Select Save user settings and files locally and check Capture locally by using links instead of by copying files

• If needed check the Capture Network Settings and Capture Windows Settings. See the attached links for more information about these options

• In the Include Update tab, select the desired update behavior

• On the Install Applications tab, select any applications that you want to include in your task sequence

• On the Summary tab, review your choices, click Next and complete the wizard

• Now that the task sequence is created, we’ll edit it and review the steps
• Right-click your newly created task sequence and click Edit
• You’ll notice 3 USMT steps has been created :
  • Set Local State Location : This step specify the directory where the local state will be saved. We are using the builtin variable OSDStateStorePath and set the value to %_SMSTSUserStatePath% but you can use a specific location if needed

• Capture User Files and Settings : This is the step when USMT will run the ScanState command. You will see this command in SMSTS.log when monitoring your task sequence. (By default : C:\_SMSTaskSequence\Packages\<YourPackageID>\amd64\scanstate.exe C:\_SMSTaskSequence\UserState /o /localonly /efs:copyraw /c /hardlink /nocompress /l:C:\Windows\CCM\Logs\SMSTSLog\scanstate.log /progress:C:\Windows\CCM\Logs\SMSTSLog\scanstateprogress.log /i:C:\_SMSTaskSequence\Packages\<ID>\amd64\migdocs.xml /i:C:\_SMSTaskSequence\Packages\<ID>\amd64\migapp.xml)

• Restore User Files and Settings : This is the step when USMT will run the LoadState command. You will see this command in SMSTS.log when monitoring your task sequence (By default : C:\_SMSTaskSequence\Packages\<YourPackageID>\amd64\loadstate.exe C:\_SMSTaskSequence\UserState /ue:<computername>\* /c /hardlink /nocompress /l:C:\WINDOWS\CCM\Logs\SMSTSLog\loadstate.log /progress:C:\WINDOWS\CCM\Logs\SMSTSLog\loadstateprogress.log /i:C:\_SMSTaskSequence\Packages\<ID>\amd64\migdocs.xml /i:C:\_SMSTaskSequence\Packages\<ID>\amd64\migapp.xml)

Add Support for WinPE

Now that we created a basic task sequence for USMT, we suggest to add a step to support offline capture. If you start your task sequence from PXE, you will need this new step because the step we just created will fail in Windows PE. We will add a step and condition to run depending of the environment in which the task sequence is ran.

• Right-click the task sequence you just created, select Edit
• Select the Capture User Files and Settings step
• Duplicate the task by doing CTRL-C, CTRL-V
• A new Capture User Files and Settings step is created, select the Capture in Off-line mode (Windows PE only) check box and rename the step to add (WinPE) at the end
• Rename the other Capture User Files and Settings step to (FullOS)
• You’ll end up with 2 similar Capture User Files and Settings step. One for Online mode (FullOS) and one for Offline mode (WinPE)

• Select the Capture User Files and Settings (Full OS) step and click on the Options tab
• Select Add Condition, Task Sequence Variable
  • Variable : _SMSTSInWinPE
  • Condition : Equals
  • Value : False

• Select the Capture User Files and Settings (WinPE) step and click on the Options tab
• Select Add Condition, Task Sequence Variable
  • Variable : _SMSTSInWinPE
  • Condition : Equals
  • Value : True

• Click Apply and Ok to close the task sequence

Deploy SCCM Windows 10 USMT Task Sequence

We are now ready to deploy our Windows 10 USMT task sequence to the Windows 7 computer we want to upgrade.

• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click your USMT Task Sequence and select Deploy
• On the General pane, select your collection. This is the collection that will receive the Windows 10 upgrade using USMT. For testing purposes, we recommend putting only 1 computer to start

• On the Deployment Settings tab, select the Purpose of the deployment
  • Available will prompt the user to install at the desired time
  • Required will force the deployment at the deadline (see Scheduling)
• You cannot change the Make available to the following drop-down since upgrade packages are available to client only

• On the Scheduling tab, enter the desired available date and time. On the screenshot, we can’t create an Assignment schedule because we select Available in the previous screen

• In the User Experience pane, select the desired options

• In the Alerts tab, check Create a deployment alert when the threshold is higher than the following check-box if you want to create an alert on the failures

• On the Distribution Point pane, select the desired Deployment options. We will leave the default options

• Review the selected options and complete the wizard

Testing on the Target Computer

For the sake of this post we created a VM with Windows 7 32 bits. We will run our newly created task sequence to upgrade to Windows 10 64 bits.

I also created multiple files in the user profile to shows the USMT actions. We simply created text documents in the various libraries and on the desktop.

• We open the Software Center, select our task sequence and click Install

• The computer will launch the USMT action before rebooting in Windows PE and install Windows 10

• Once the process completed, we have a brand new Windows 10 migrated with my files where I left them. Even the psycho tortoise wallpaper has made the move.

We hope this post will ease your Windows 10 migrations. Leave a comment if you have any questions.

The post Refreshing a Windows 7 Computer to Windows 10 using USMT and SCCM appeared first on System Center Dudes.

One of the challenges faced by workstation administrators, is to manage the local administrator account in large environment. One of the options was to use Group Policy Preferences, but that was before KB2962486 removed the possibility to set password using Group Policy Preferences. Since then, Microsoft as come up with a solution : Local Administrator Password Solution (LAPS).

Here’s the benefits of using LAPS :

• Unique password for local administrator per computer
• Password available from Active Directory, if needed to use local administrator account
• Remotly change the local administrator password
• Ability to use a custom administrator account

Limitation :

• Only the local administrator account can be managed or a custom local account as administrator.

In this post, we will detail how to install Local Administrator Password Solution (LAPS) to manage the local administrator password on a Windows 10 computer.

High-level steps to install Local Administrator Password Solution (LAPS)

Pre-requisite

• Download LAPS here
  • Download both x86 and x64 version as this MSI will be deployed on clients to be managed
  • Detailed documentation is also available from that link
• Active Directory requirement
  • Windows Server 2003 SP1 and above
• Minimum OS requirement
  • Vista with current SP and above
  • Windows Server 2003 with current SP and above
• .NET Framework 4.0
• PowerShell 2.0 and above

Management Computer

First step is to install the management tools for LAPS on a computer.

• Execute LAPS.x64.msi from the downloaded files

• Click Next

• Accept Terms and click Next

• Install all the Management Tools
  • If you plan to manage this computer, you can also install the AdmPwd GPO Extension

• Click Install

• Click Finish

• In the start Menu, LAPS UI is available

Active Directory preparation

Preparing the Active Directory for LAPS is a two steps configuration :

• Schema extension
• Edit permissions (ACL)

Schema Extension

The Active Directory Schema needs to be extended to add two new attributes that store :

• Passwords of the managed local Administrator account for each computer
• Timestamp of password expiration

Both attributes are added to the may-contain attribute set of the computer class.

ms-Mcs-AdmPwd – Stores the password in clear text

ms-Mcs-AdmPwdExpirationTime – Stores the time to reset the password

Update the Schema 

• Open up an Administrative PowerShell window and use this command to import the module :

• To update the Schema, use this command :

Edit permissions

Active Directory permissions should be modified for the following reasons and needs :

• Remove the default permission
• Add Computers rights to update the password and expiration  (write)
• Allow specific user or group to read the password
• Allow specific user or group to reset (write) the password for a computer

All of those needs are manageable on specific OU and child OU. This will be different for each organisation needs.

For an easy setup, use the PowerShell commands from the module AdmPwd.ps as it will do exactly what we need.

Remove default permission

By default, read permission could be available to many users trough the all extended rights on a Specific OU. This should be uncheck if needed :

• Open ADSIEdit
• Right Click on the OU that contains the computer accounts that you are installing this solution on and select Properties
• Click the Security tab
• Click Advanced
• Select the Group(s) or User(s) that you don’t want to be able to read the password and then click Edit
• Uncheck All extended rights

Allow computers to update password and expiration time

The Write permission on the ms-Mcs-AdmPwdExpirationTime and ms-Mcs-AdmPwd attributes of all computer accounts has to be added to the SELF built-in account. This is required so the machine can update the password and expiration timestamp of its own managed local Administrator password. This is managed per OU.

• Run the following command to add the rights to SELF built-in account to a specific OU

Allow specific user or group to read password

To allow users or groups to read the stored password of the managed local administrator account, the Control_access permission must be given to ms-Mcs-AdmPwd attribute.

• To do so, run the following Powershell command line :

Allow specific user or group to reset password

To allow users or groups to reset the  password for a  managed local administrator account, the write permission must be added on ms-Mcs-AdmPwdExpirationTime .

• To do so, run the following powershell command line:

Group Policy

LAPS is manageable by GPO using a new template.

The templates are located on the management computer :

• %WINDIR%\PolicyDefinitions\AdmPwd.admx
• %WINDIR%\PolicyDefinitions\en-US\AdmPwd.adml

If you use the Central Store, you need to copy both files to \\domain\Sysvol\Policies\PolicyDefinition

The settings are located under Computer Configuration\Administrative Templates\LAPS

Available settings :

• Password Settings
  • Complexity
  • Lenght
  • Age(days)
• Name of the administrator account to manage
  • Do not configure if you use the default name
• Do not allow password expiration time longer than required by policy
• Enable local admin password management
  • this must be enabled in order to manage the local administrator password.

Clients to be managed

To manage a client, we must install LAPS on it by using the same MSI files downloaded in the prerequisite section :

• Create a standard package in SCCM

• Add a program to that package with the following command line :

• Deploy the package to the client you want to manage
• Package can also be deployed as part of Task sequence

How to read and reset passwords

• Start LAPS UI from the Start menu

• Search for computer name
• Password is available with expire date and time

• To reset the password, select a new Expiration time and click Set

• Status of the request is displayed at the bottom

• Hit search after a minute or two, and a new password with expiration time will be available

Source : documentation of LAPS

Bonus – Add Laps to SCCM Console

Thanks to Mike -S- for this awesome LAPS  Extension for SCCM console and it works just fine with Current branch (tested with 1602 so far).

Leave your LAPS experience in the comment section.

The post How to install Local Administrator Password Solution (LAPS) appeared first on System Center Dudes.

Role based administration is used to secure the access that is needed to administer SCCM. You also secure access to the objects that you manage, like collections, deployments, and sites but lacks a couple of roles to be complete. For example, there’s no built-in role for report administration or report viewer.

We already covered the report viewer role in a previous post. This role give access to your users to consult and run SCCM Reports on the SSRS website. But what if you want to give access to an administrator to create, modify and upload reports without giving them access to the SCCM console ? This post will describe how to create SCCM Report Administrator Role which will fulfill this need.

How to Create SCCM Report Administrator Role

• The first step is to create a Report Users role
• Once created, go to Administration \ Security \ Security Roles
• Right-click Report Users and select Copy

• In Name, type Report Administrator and add a brief description
• On the lower pane, browse to each class where you have Run Report right and add Modify Report

• Ensure that the Site class has Read, Modify Report and Modify permissions and click OK

Assign the Security Role to an Administrative User

We now need to assign the Report Administrator security role to a user.

• Go to Administration \ Security \ Administrative Users
• Right-click Administrative User and select Add User or Group

• In the Add User or Group window, click Browse and select your user
• Click Add, select the Report Administrator Role that you just created

• In the lower pane select All instances of the objects that are related to the assigned security roles
• Click Ok

You have now assign your user or group to your report administrator role in SCCM.

SQL Server Reporting Services Permission

There’s one last step to complete. We need to give access to this user on the SSRS Website. SCCM overwrites permission modification by using the role-based assignments stored in the site database.

As per Technet :

Configuration Manager connects to Reporting Services and sets the permissions for users on the Configuration Manager and Reporting Services root folders and specific report folders. After the initial installation of the reporting services point, Configuration Manager connects to Reporting Services in a 10-minute interval to verify that the user rights configured on the report folders are the associated rights that are set for Configuration Manager users. When users are added or user rights are modified on the report folder by using Reporting Services Report Manager, Configuration Manager overwrites those changes by using the role-based assignments stored in the site database. Configuration Manager also removes users that do not have Reporting rights in Configuration Manager.

It’s not possible just to add your user with the Config Report Administrators role because it will be reset in 10 minutes.

• To fix this, you must click Site Settings in the upper right corner

• Click Security and New Role Assignment

• Enter your user or group name without your domain
• Select System User and click OK
  • This role give access to view system properties, shared schedules, and allow use of Report Builder or other clients that execute report definitions

Once set, you can validate that your user has been given the rights.

• Go to the root of your SQL Reporting Service Website, click you ConfigMgr site and select Security

• Validate that your user has been added. Those permission won’t be overwrite. All set !

Benoit Lecours

Founder of System Center Dudes. Based in Montreal, Canada, Senior Microsoft SCCM Consultant, 4 times Enterprise Mobility MVP. Working in the industry since 1999. His specialization is designing, deploying and configuring SCCM, mass deployment of Windows operating systems, Office 365 and Intunes deployments.

The post Create SCCM Report Administrator Role appeared first on System Center Dudes.

We have compiled a list of SCCM Endpoint Protection agent versions, build numbers and cumulative updates. Anti-Malware platform updates are cumulative, meaning that the latest one includes the previous one.

If you are new to System Center Endpoint Protection, see our complete guide which covers it all. We documented a few years back… since the SCCM 2012 RTM release. If we missed some versions, please let us know and we will update this post.

This post will be updated as new releases are made available.

**Updated 2017/04/10**

How to get your SCCM Endpoint Protection Agent Version Numbers

An easy and built-in way to evaluate Endpoint Protection version of the agent is to use the Software Update Compliance information:

• Open the SCCM console, go to Software Library / Software Update / All Software Updates

• Click on Add Criteria and check: Product & Update classification

• Select Product: Forefront Endpoint Protection 2010
• Update Classification: Critical Updates

• This will list all available System Center Endpoint Protection agent versions available and provide statistics of Installed or Required

System Center Endpoint Protection Agent Supported Platform

Microsoft plans to release one or two Anti-malware platform update per year for down-level OS (Windows 8.1 and up)

Here’s Microsoft official statement about supported platforms:

During the technical support (only) phase, commercially reasonable support incidents will be provided through Microsoft Customer Service & Support and Microsoft’s managed support offerings (such as Premier Support). If a support incident requires escalation to development for further guidance, requires a non-security update, or requires a security update, customers will be asked to upgrade to the latest platform version.

(Platform versions older than N-2 are no longer supported.)

For more details on the supported platform, see the Technet Article

Jonathan Lefebvre

Contributor of System Center Dudes. Based in Montreal, Canada, Senior Microsoft SCCM consultant, working in the industry for more than 10 years. He developed a strong knowledge of SCCM and MDT to build automated OS deployment solution for clients, managed large and complexe environment, including Point of Sale (POS) related projects.

The post List of SCCM Endpoint Protection Agent Versions appeared first on System Center Dudes.

With the recent problems caused by monthly Windows Update, knowing how to massively uninstall Windows Update with SCCM is a must! This action is not available by default in SCCM.

There are 2 ways to uninstall a Windows Update. Both solutions require the command line utility WUSA.exe, that as been around since Windows Vista/Windows Server 2008 era.

In this post, we will detail both solutions to uninstall a Windows Update with SCCM.

If you are looking for how to manage Windows update with SCCM, see our SCCM Software Update Management Guide for complete instructions.

Prerequisites

• SCCM any version
• Windows 7 and up
• Windows 2008 R2 server and up

SCCM Uninstall Windows Update

One method is to use a Custom Task Sequence with a run command line. The advantage of using this method is the ability to use the same task sequence on both OS Architecture.

The second method involves having a script per OS architecture. Nowadays, x64 is pretty much the main OS architecture used on workstation and server. However, there’s still some softwarethat require x86 OS Architecture to run. Using this method will require the right script to run on the right OS architecture. The advantage of this method is to use a simple package/program instead of a Task sequence.

Custom Task Sequence to Uninstall Windows Update

Create a new custom task sequence

• Under Software Library / Operating System / Task Sequence, right-click and  Create Task Sequence

• Select Create a new custom task sequence, click Next

• Name: Uninstall KB, click Next
  • Do not select boot image as we don’t need it

• Summary, click Next

• On the Completion screen, click Close

• Edit the task sequence

• Click Add, General / Run Command Line

• Provide the needed information needed. (Change KB number based on the need)
  • Command Line : C:\Windows\System32\wusa.exe /uninstall /kb:4014505 /quiet /norestart
  • Check: Disable 64-bit file system redirection
  • Note that even with the /norestart, the task sequence will trigger a restart. This is because the run command line returns a 3010 error code, which means Restart Required

Deploy custom task sequence

• Create a Device Collection to target your systems
• Right-Click your Task Sequence and select Deploy
• Select your collection, click Next

• Select Required, click Next

• Define your Schedule, click Next

• Select the desired User Experience, click Next
  • Remember that a restart is required. Plan accordingly and use Maintenance Window if needed

• Set Alert, click Next

• Leave default option, as there is no download required, click Next

• Summary, click Next

• Completion

Once deployed, the Task sequence will uninstall the KB and reboot the computer.

Custom Script to Uninstall Windows Update

A simple batch file can do the trick to remove a Windows Update. As stated earlier, a special consideration must be done for x64 systems.

Create Scripts

For x64 system we will point the script to %Windir%\Sysnative.

For x86 system, we will use %Windir%\System32.

Save both script under the same folder.

Create SCCM Package

• Under Software Library / Application Management / Packages, select Create Package

• Enter Name, Description and Source Path (where you saved your script)

• Select Standard Program, click Next

• Enter information
  • Name: Uninstall x64
  • Command line : cmd /c Uninstall-x64.cmd
  • Program can run: Whether or not a user is logged on

• Limit platform to all X64 OS

• Under the Uninstall x64 program Properties, change the After running for Configuration Manager restarts computer. Click OK

• On the package, click Create Program

• Enter information
  • Name: Uninstall x86
  • Command line : cmd /c Uninstall-x86.cmd
  • Program can run: Whether or not a user is logged on

• Limit platform to all X86 OS

• Don’t forget to Distribute Content

Now you have 2 programs that can be deployed on all systems while the OS Architecture limitation will take care of which computer runs which OS architecture!

Jonathan Lefebvre

Contributor of System Center Dudes. Based in Montreal, Canada, Senior Microsoft SCCM consultant, working in the industry for more than 10 years. He developed a strong knowledge of SCCM and MDT to build automated OS deployment solution for clients, managed large and complexe environment, including Point of Sale (POS) related projects.

The post Uninstall Windows Update using SCCM appeared first on System Center Dudes.

Recently, at a client site, I was asked to install the SCCM client to manage workgroup servers in the DMZ with SCCM.

Following our a recent post on how to install a DP/MP/SUP in untrusted domain, I thought that documenting the process could be helpful.

In this post, we will detail how to install the SCCM client on workgroup computers.

Prerequisites

• The client must be able to resolve the FQDN of the management point.
  • Depending on network security, it might not actually ping. The important is that it can associate the FQDN to the IP of the management point.
  • Adding an entry to the Host file might be required.
• Port
  • Client -> Management point : TCP 80 or 443
  • Client -> Software Update Point : TCP 8530 or 8531
  • More details on SCCM ports requirement, here
• Manual installation of the SCCM client
  • There is no way to use the Client Push Installation for workgroup computers
  • Management Point must be provided in the install command line, as the client will not be able to find it in Active Directory
  • Site code must be provided in the install command line

SCCM Client Install Workgroup Computers

• Copy the source of SCCM client locally on the computer

• Open a command prompt as Administrator

• Set the working directory and run the CCMsetup command line
  • ccmsetup.exe /mp:<Management Point FQDN> SMSSITECODE=001 SMSMP=<Management Point FQDN> DNSSUFFIX=<domain suffix>

• Validate Management Point configuration and communication
  • When a client can’t resolve the FQDN of the management point, it might show up empty

• Action are limited as the client is not yet approved to connect to the SCCM server.

• Important logs at this point are
  • C:\Windows\CCM\Logs\ClientLocation.log
  • C:\Windows\CCM\Logs\LocationServices.log
  • Those logs provide details to the connection to the management point
  • If you see any error at this point, you are missing connection prerequisites of some sort.
• Client show up in the SCCM console

Approve Workgroup Computer Client in SCCM

In most environment, SCCM client approval method is set to Automatically approve computers in trusted domains.

This settings can be found under Administration / Site Configuration / Sites / Hierarchy Settings

When using this settings, workgroup computers will not be automatically approved for this SCCM site.

With this said, we need to approve clients once they show up in the SCCM console.

• The ease management, we first create a Collection for Not Approved clients.
  • Be sure to set the limiting collection to All System, as the not approved clients don’t have much information to based query on.

• To validate the Not Approved status, simply add the column Approved

• To approve a client, right-click on the client and select Approve

• Confirmation of approval

• The approved column will change to Approved

• After a couple minutes, SCCM agent will have all is action available

• Client will show online and will eventually start reporting inventory

For more details about the approval methods, click here 

Jonathan Lefebvre

Contributor of System Center Dudes. Based in Montreal, Canada, Senior Microsoft SCCM consultant, working in the industry for more than 10 years. He developed a strong knowledge of SCCM and MDT to build automated OS deployment solution for clients, managed large and complexe environment, including Point of Sale (POS) related projects.

The post How to install SCCM Client on Workgroup Computers appeared first on System Center Dudes.

Following the excellent PowerShell script that Benoit wrote to create operationals collection, I decided to rethink it a bit to help classify collections and ease Role-based administration control implementation when a different group of users accesses SCCM. On top of that, the way folders for collections are designed, it helps implement a naming convention to keep things clear all across the SCCM console.

The overall idea is to keep collections on a per needs basis. Having a collection that receives client settings, 1-2 applications, OSD and Windows Updates can lead to unplanned/accidental deployment or misconfiguration. With one collection per need, everything is well targeted.

I also prefer to have collection for inventory to feed my deployment collections, instead of always recreating the queries.

I’ve been using the same methodology for years at multiple clients site. When I go back after a few years, I know exactly what is going on, as they were using the naming and structure for all that time.

The script creates 17 folders and 36 collections. The collections are set to refresh on a 7 days schedule. If a collection already exists, the script will return an error but will continue.

Some of the collections come from Benoit script. (Thanks, Benoit !)

SCCM Powershell Script Collections Folders Download

The script can be downloaded from my Microsoft Gallery submission.

Be sure to rate the submission if you are using it.

Full list of folders

Collections under each sub-folder will keep the naming convention.

Full list of collections

• All Servers
• All Workstations
• All Workstations – Admin
• MC – CS – Workstation Prod
• MC – CS – Workstation Test
• MC – CS – Server Prod
• MC – CS – Server Test
• MC – EP – Workstation Prod
• MC – EP – Workstation Test
• MC – EP – Server Prod
• MC – EP – Server Test
• SRV – INV – Physical
• SRV – INV – Virtual
• SRV – INV – Windows 2008 and 2008 R2
• SRV – INV – Windows 2003 and 2003 R2
• SRV – INV – Windows 2016
• WKS – INV – Windows 7
• WKS – INV – Windows 8
• WKS – INV – Windows 8.1
• WKS – INV – Windows XP
• WKS – INV – SCCM Console
• WKS – INV – Clients Version | 1710
• WKS – INV – Laptops | Dell
• WKS – INV – Laptops | Lenovo
• WKS – INV – Laptops | HP
• WKS – INV – Microsoft Surface 4
• WKS – INV – Windows 10
• WKS – OSD – Windows 10 – PROD
• WKS – OSD – Windows 10 – TEST
• WKS – SU – Exclusion
• WKS – SU – Pilote
• WKS – SU – TEST
• WKS – SU – PROD
• WKS – SD – Office 365 – PROD
• WKS – SD – Office 365 – TEST

Role-based administration control

The All Servers, All Workstations and All Workstations – Admin collections are specifically made for RBAC. That’s why they are the Master Collections as they will probably be the limiting collection for 99% of the collections.

The concept is the following:

• Give the server team only access to All servers
• Give the technician team access to All Workstations
  • This would give access to technicians to see collections that would be considered production ready for OS and software deployment, on top of inventory collections
  • Collection with the limiting collection All Workstations – Admin would then be hidden for standard technician
• Give SCCM Admin or higher ranks tech access to All Workstations – Admin
  • This would make available collections like the one’s Software Update or test collection

Benefits

• Role-based administration control “ready” as explained earlier
• Loading time of each sub-folder will be faster because there will be fewer collections to load.
• Collection’s naming convention will be useful in other areas of the console:

Collection name under Package or Applications deployments tab

Collection name under all Deployments

Collection name under Software Update Groups

Hope this will help you keep SCCM clean 🙂

Jonathan Lefebvre

Contributor of System Center Dudes. Based in Montreal, Canada, Senior Microsoft SCCM consultant, working in the industry for more than 10 years. He developed a strong knowledge of SCCM and MDT to build automated OS deployment solution for clients, managed large and complexe environment, including Point of Sale (POS) related projects.

The post Powershell Script to Create Collections with Folder Structure appeared first on System Center Dudes.

With the release rhythm of SCCM and latest requirements on the OS and SQL side, sometimes, it’s inevitable to migrate to a newer operating system to remain under support and also gain new features as part of the latest SCCM Current Branch release.

Over the years, we’ve done many migrations of all kinds, depending on the environment and needs. We created this complete SCCM Migration to new operating system guide based on our knowledge and experience.

This guide is a refreshed version of our previous post about Side-by-Side Migration to new Hardware. It also includes answers and how-to to the most commonly asked questions on side-by-side migration. Also included: all the details to achieve the migration to a new operating system by using the Backup and Restore strategy.

This guide aims to help SCCM administrator evaluate, plan, understand and achieve a migration to a newer operating system for the SCCM site server.

The guide will help you achieve these tasks:

• Compare both migration scenarios in details
  • Backup and restore
  • Side-by-Side migration
• Achieve the migration by using the Backup and Restore strategy
• Achieve the migration by using the side-by-side strategy
• Follow up steps to get to the latest Current Branch build

This guide does not cover how to do In-place OS Upgrade for SCCM site server

This guide does not cover how to upgrade SQL

SCCM Migration to new operating system guide document screenshots

Jonathan Lefebvre

Contributor of System Center Dudes. Based in Montreal, Canada, Senior Microsoft SCCM consultant, working in the industry for more than 10 years. He developed a strong knowledge of SCCM and MDT to build automated OS deployment solution for clients, managed large and complexe environment, including Point of Sale (POS) related projects.

The post New Product – SCCM Migration to new operating system Guide appeared first on System Center Dudes.

In this post we will describe how to customize your windows 10 image to personalize it to your company. There’s an infinite amount of customization that can be made but i’ll try to cover the more frequent one, those that are asked 95% of every Windows 10 projects I was involved in. You could also do all those modifications through group policies if you want to enforce those settings.

SCCM Windows 10 Customization Package

Before we begin any customization, we will create a Windows 10 Customization package that we will use in our task sequence. It will be empty to start but we will create the folders and scripts during this blog post.

• Open the SCCM Console
• Go to Software Library / Application Management / Packages
• Create a new package
• On the Package tab, enter a Name, Description, Manufacturer and Source folder (this is where all scripts will be stored)

• On the Program Type tab, select Do not create a program

• On the Summary tab, review your choices and complete the wizard

File Association

The first item we will be covering is file association. By default, Windows 10 uses Microsoft Edge to open every PDF files and HTTP links. For this post, we will redirect PDF files to Adobe Reader and HTTP/HTTPS to Internet Explorer. You can redirect any extension to any software. You just need to make sure that the application that you associate is installed during your Windows 10 deployment (or in your image).

The first step is to make the association manually, we will then export the configuration to a XML file and we will use DISM in our task sequence to import the configuration.

• Log on a Windows 10 machine
• Open Control Panel / Programs / Default Programs / Set Associations

• Navigate to .PDF and click on Change Program

• Select Adobe Reader and click OK

• Your .PDF files are now associated to Adobe Reader
• For Internet Explorer association, select HTTP Protocol, .HTM and .HTML files, change program to Internet Explorer

Now that our associations has been done, we need to export the associations to a XML file using DISM :

• Open an elevated command prompt
• Run the following command : Dism /Online /Export-DefaultAppAssociations:C:\Temp\SCDAppAssoc.xml
  • (Change the XML file name and path if desired but make sure that the directory exists or you’ll get an error code 3)

The XML file can be opened using any text editor. You can see our modifications has been made. It’s possible to change manually in this file but it’s a bit tricky to find ProdId and ApplicationName.

• Copy the XML file to your Windows 10 customization package in the FileAssociations Folder

• Open the SCCM Console and browse to Packages
• Right-click your Windows 10 Customization package and select Update Distribution Point

• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click and Edit your Windows 10 task sequence
• Select Add / General / Run Command Line
  • Name : Set File Association
  • Command line : Dism.exe /online /Import-DefaultAppAssociations:FileAssociations\SCDAppAssoc.xml
  • Check the Package box and specify your Windows 10 customization package
• Position this step after the Windows image has been deployed

Setting the Default Windows 10 Wallpaper

We will now change the default Windows 10 wallpaper to a corporate one.

• The default Windows 10 wallpapers are stored in the C:\Windows\Web\Wallpaper\Windows\ folder
• Windows 10 also support 4K wallpapers which are stored in C:\Windows\Web\4K\Wallpaper\Windows

For our post, we will delete the 4K wallpapers and overwrite the default img0.jpg file. If you need to support 4K wallpaper, just place them in the 4K folder before updating your distribution points and the script will copy it to the right location.

By default, you can’t modify those files, we will use a PowerShell script to change the security of the folder and overwrite the wallpaper file. We will grant access to the SYSTEM account since it’s the account used during the SCCM task sequence.

• Create a new WallPaper\DefaultRes and WallPaper\4K folder in your Windows 10 customization directory
• Rename your wallpaper to img0.jpg copy it in the WallPaper\DefaultRes directory
• If 4K support is needed, copy your files in the WallPaper\4K Directory

Create a new Powershell script in the root of the Wallpaper directory and copy this code into it :

You’ll end up with the following structure :

• Open the SCCM Console and browse to Packages
• Right-click your Windows 10 Customization package and select Update Distribution Point

• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click and Edit your Windows 10 task sequence
• Select Add / General / Run PowerShell Script
  • Name : Set Wallpaper
  • Script Name : Wallpaper\ChangeWallpaper.ps1
  • PowerShell execution policy : Bypass
• Position this step after the Windows image has been deployed

Change Lock Screen Image

The lock screen image is the image you see when the computer is locked. To change it, we must copy our image locally on the computer and then modify a registry key to read it.

• Create a new LockScreen folder in your Windows 10 customization directory
• Create a new LockScreen.cmd file and copy the following code

• Create a new LockScreen.reg file and copy the following code (watch out of the “” when copy/pasting)

• Copy the image you want to set as the lock screen. For this blog post we will call it LockScreen.jpg. If you rename this file, make sure to change the script to fit this name.

You’ll end up with the following structure :

• Open the SCCM Console and browse to Packages
• Right-click your Windows 10 Customization package and select Update Distribution Point

• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click and Edit your Windows 10 task sequence
• Select Add / General / Run Command Line
  • Name : Set File Association
  • Command line : cmd.exe /c LockScreen\LockScreen.cmd
  • Check the Package box and specify your Windows 10 customization package
• Position this step after the Windows image has been deployed

Disable Microsoft Consumer Experiences

The latest Windows 10 feature upgrade includes a new feature that automatically installs a few apps from the Windows Store. Some apps like Candy Crush and Minecraft gets installed, we don’t think that belong to a work environment so we’ll delete it.

The good news is that it’s quite simple to disable. You need to disable a function called Microsoft Consumer Experiences. We will do this using a registry modification :

• Create a new ConsumerExperience folder in your Windows 10 customization directory
• Create a new DisableConsumerExperience.reg file and copy the following code :

You’ll end up with the following structure :

• Open the SCCM Console and browse to Packages
• Right-click your Windows 10 Customization package and select Update Distribution Point

• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click and Edit your Windows 10 task sequence
• Select Add / General / Run Command Line
  • Name : Disable Consumer Experience
  • Command line : Regedit.exe /s ConsumerExperience\DisableConsumerExperience.reg
  • Check the Package box and specify your Windows 10 customization package
• Position this step after the Windows image has been deployed

Create Custom Start Menu

We will now create a default Windows 10 start menu that will be used on every Windows 10 machine by default. If you add shortcuts to applications, make sure that you’ve include them in your task sequence or you’ll end up with a start menu looking like swiss cheese. (empty spots)

• Log on a Windows 10 machine
• Manually configure the Start Menu
• Create a new StartMenu folder in your Windows 10 customization package
• Start an elevated PowerShell and run the following command : Export-StartLayout -Path “C:\Temp\StartMenu.bin”
• Copy the StartMenu.bin file to your Windows 10 customization package in the StartMenu folder

• Open the SCCM Console and browse to Packages
• Right-click your Windows 10 Customization package and select Update Distribution Point

• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click and Edit your Windows 10 task sequence
• Select Add / General / Run Command Line
  • Name : Set Start Menu Layout
  • Command line : Powershell.exe Import-StartLayout -LayoutPath StartMenu\StartMenu.bin -MountPath C:\
  • Check the Package box and specify your Windows 10 customization package
• Position this step after the Windows image has been deployed

Set Windows 10 Pinned Taskbar items

Windows 10 permits to “pin” program on the task bar for easy access. Here’s how to create a standard task-bar for your Windows 10 users.

• Create a new PinTaskBar folder in your Windows 10 customization directory
• Log on a Windows 10 computer
• Manually pin all the desired program using the Pin to taskbar option

• Copy the links from %AppData%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar to your Windows 10 customization package in the PinTaskBar directory. This directory is hidden, so be sure to show Hidden Items

• Open Registry Editor
• Export the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband key to Win10Taskbar.reg

• Copy the Win10Taskbar.reg file to your Windows 10 customization package in the PinTaskBar directory
• Edit the Win10Taskbar.reg file using a text editor and replace the beginning of the first line
  • Replace HKEY_Current_User to HKEY_LOCAL_MACHINE\defuser

• The final string will be : HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Taskband
• Create a new Win10Taskbar.cmd file in your Windows 10 customization package in the PinTaskBar directory and copy the following code :

You’ll end up with the following structure :

• Open the SCCM Console and browse to Packages
• Right-click your Windows 10 Customization package and select Update Distribution Point

• Go to Software Library \ Operating Systems \ Task Sequences
• Right-click and Edit your Windows 10 task sequence
• Select Add / General / Run Command Line
  • Name : Set Taskbar Pins
  • Command line : cmd.exe /c PinTaskBar\Win10Taskbar.cmd
  • Check the Package box and specify your Windows 10 customization package
• Position this step after the Windows image has been deployed

Conclusion

If you correctly follow this post, you’ll end up with this structure in your Windows 10 Customization package :

And you’ll have 6 new steps in your Windows 10 task sequence :

You can now deploy your Windows 10 task sequence to a test machine and all customization should be there. See our post on how to monitor your task sequence if something goes wrong or simply if you want to track the progress.

We hope this post will help you out for your Windows 10 customization. Feel free to post your customization using the comment section. We will update this post on a regular basis when we have more to share.

Benoit Lecours

Founder of System Center Dudes. Based in Montreal, Canada, Senior Microsoft SCCM Consultant, 5 times Enterprise Mobility MVP. Working in the industry since 1999. His specialization is designing, deploying and configuring SCCM, mass deployment of Windows operating systems, Office 365 and Intunes deployments.

The post SCCM Windows 10 Customization using Task Sequences appeared first on System Center Dudes.