CCMEXEC.COM – System Center blog

CCMEXEC.COM – by Jörgen Nilsson

In Windows 10, by default, a reminder is displayed to the end-user in the Notification area if there are three apps or more that launch automatically when you log in. At least I think this is very annoying, and it causes end-users to call the service desk and ask how they can disable the applications to improve performance. This is not a wanted scenario!


This notification is triggered by a Scheduled Task called “StartupAppTask” that resides under Microsoft, Windows and Application Experience in the Task Scheduler. So to stop it we simply disable that Task and then the reminders go away! :D

How do we do this during OSD you might ask?

Well, we run a simple PowerShell script once we are in the full Operating System in the Task Sequence, as the example below shows; the task is then disabled and never runs at all for the end-users.

PowerShell command:

powershell.exe -NoProfile -ExecutionPolicy ByPass -Command "&{ Disable-ScheduledTask -TaskName '\Microsoft\Windows\Application Experience\StartupAppTask'}"


You can disable this task in many ways; I prefer to do it this way because then I know that it is always disabled.

I hope this is useful to more than me!

I get a lot of questions about whether there is any difference in functionality between Intune Standalone and Hybrid with Configuration Manager. There are a lot of differences. In this post I will show how to set up the Apple Volume Purchase Program (VPP) integration in Configuration Manager 1602 with Intune and cover the differences in functionality between Intune Standalone and Configuration Manager/Intune Hybrid.

The Apple Volume Purchase Program comes in two different versions, one for Business and one for Education. Both programs work in the same way, making it possible to volume purchase applications and deploy them with an MDM solution of your choice. When you sign up you download your Apple VPP token, which is then imported into the MDM solution that you want to use. This token is valid for one year. More information can be found here: http://www.apple.com/business/vpp/

There are some things to keep in mind when it comes to the Apple VPP Program in Configuration Manager; for more information see the following link, where these limitations are taken from: https://msdn.microsoft.com/en-us/library/mt627954.aspx

  • Only one VPP account and token is supported
  • Only the Apple Volume Purchase Program for Business is supported.
  • Once you associate an Apple VPP account to Intune, you cannot subsequently associate a different account. For this reason, it’s very important that more than one person has the details of the account you use.
  • If you have previously used a VPP token with a different MDM product in your existing Apple VPP account, you must generate a new one to use with Configuration Manager.
  • Each token is valid for one year.
  • By default, Configuration Manager syncs with the Apple VPP service twice a day to ensure that your licenses are synchronized with Configuration Manager.
  • Only changes to your licenses are synchronized. However, once every 7 days, a full synchronization will be performed.
  • When you click Sync to perform a manual sync, this will always perform a full synchronization.
  • If you need to recover, or restore your Configuration Manager database, we recommend that you perform a manual sync afterwards to ensure that your synchronized license data is up to date.
  • While you can deploy iOS volume-purchased apps to user or device collections, VPP apps you deploy to a device without a user (for instance, a device you enrolled without user affinity using the Device Enrollment Program (DEP) or Apple Configurator) will not be installed.

The differences between Intune Standalone and Intune/ConfigMgr Hybrid are actually bigger than you think. The table below illustrates the different deployment types and targets and if it works in Standalone/Hybrid.

| Deployment Type | Intune/ConfigMgr Hybrid | Intune Standalone |
|---|---|---|
| User Required | X | X |
| User Available | X | |
| Device Required | X | |
| Device Available | | |

So how do we configure Apple VPP in Configuration Manager? To start with you need the following:

  • Apple VPP Token that is to be used.
  • An account that is Global Administrator in your Intune Subscription used for Configuration Manager.

In the Configuration Manager Admin Console the Apple VPP Program is configured under Software Library.


We select “Create Apple Volume Purchase Program Token”, which actually doesn’t create a token for you; you must have your token available.


In the next dialog you must log on to Intune with an account with Global Administrator permissions. Note that if you log on with an account without the required permissions the wizard will fail with a cryptic error message so make sure you have the correct permissions for your account.


Then the token is uploaded.


When the token is uploaded a synchronization is started. The full synchronization downloads the information about which apps you have bought with your Apple VPP account and the license information for them: how many you bought and how many are in use. After that, Configuration Manager will synchronize twice a day to ensure that the license information is updated, and it does a full synchronization once a week.


Under the licensed apps we now have our applications and all information about them available in the console.


We can now deploy the iOS application that we downloaded the information for through the Apple VPP program.


We select the “App Package for iOS from App Store” option and then Browse.


In the next dialog we now have two tabs, one for the App Store and one for Apple Volume Purchase Program and under the “Apple Volume Purchase Program” we can now choose the apps that are bought through the Apple VPP program and deploy them.


We can then import the application based on the information from the Apple VPP Program.


Now we have an application with a link to the application in the Apple VPP Business Store which we can deploy as normal in Configuration Manager. We can deploy it both to Users and to Devices and that is the big difference between Intune Standalone and Intune/Configuration Manager in Hybrid as I mentioned above. When we deploy it to devices the device must have a user affinity which means that it doesn’t work for iOS devices enrolled via DEP without user affinity.

In Intune standalone we can only deploy Apple VPP apps to Users and only as required as shown here as well.


We select the user group, only user groups are shown.


And then we select deployment action and only Required Install is allowed.


Support for Apple VPP program in Intune has been one of the most frequent feature requests for Intune and it is great that it is available!
It is also cool that Hybrid actually delivers!! Hybrid Rules!


In Configuration Manager CB 1511 the Windows 10 Servicing feature was introduced which gives us a great view of the Windows 10 versions used in our environment and a tool to schedule the updates of Windows 10 versions.


What is happening when we create Service Plans is basically an ADR which deploys the Windows Upgrade packages according to the Service Plan. In 1511 there was an issue that all Windows 10 versions were downloaded when the ADR ran; there are some workarounds, like blocking the unwanted versions of Windows 10 using the WSUS Console. This is now fixed in 1602: there is a new option to filter out which versions of Windows 10 we want to deploy.

The new step in 1602 is Upgrades; it didn’t exist in 1511. In my case I select “Swedish” and “Enterprise,” using the “,” to filter out the Enterprise N version, which I don’t want to download or deploy.


The preview feature is great! Using it we can make sure only the Windows 10 versions we want to deploy will be downloaded and used.
If you haven’t tried the new Windows 10 servicing feature before, it is time to start now.
The new update model of Configuration Manager is great, fixing issues and adding features faster than ever before!!

One of the new features in the newly released version of Configuration Manager CB 1602 is that in-place upgrade of the Server OS from 2008 R2 -> 2012 R2 is now supported. This will save a lot of time and money for many customers out there, great that it is finally supported!

I upgraded my old Server 2008 R2 test environment, which has been with me since Configuration Manager 2012 RTM was released, to Configuration Manager CB 1511. The upgrade of the OS was pretty straightforward. IMPORTANT!! WSUS MUST be uninstalled before the upgrade; failure to do this will have serious results according to the documentation. More information can be found here: https://technet.microsoft.com/library/hh852345.aspx

My setup looks like this. I actually cheated and configured a new server running Server 2012 R2 with WSUS and the Windows 10 hotfix and changed to that as the active WSUS server before the upgrade, and yes, I know it is not supported ;-) I will see if I can document the steps for a setup with a local SQL and SUP as well.

Primary Site Server:
-Server 2008 R2
-MP, DP and so on… no SUP

Site System:
-Server 2012 R2
-SUP

SQL Server:
-Server 2012 R2
-SQL Server 2012

Here is how I did it. If the SUP/WSUS and SQL are installed on the same server there are a few additional steps which are not included here.

1. Backup, Backup, Backup.. make sure you have a WORKING backup in case anything goes wrong.

2. Uninstall antivirus from the server, unless System Center Endpoint Protection is used, in which case there is no need; this is just to be on the safe side for the upgrade itself.

3. Restart Server

4. Uninstall WSUS, in my case the admin console only, otherwise the full product. Important: you must uninstall WSUS! Read the article above.

5. Disable the Configuration Manager services that are set to start automatically, to be able to sort out any issues with drivers etc. after the upgrade before ConfigMgr is started.


6. Restart Server

7. Upgrade Server OS using in-place upgrade, make sure to use the updated Server 2012 R2 media and make sure to review any warnings that you are prompted with.

8. Verify that the upgrade was successful, review event logs and start IIS Manager and review the IIS settings, my IIS was disabled, see note below.

9. Install WSUS Admin console (or full WSUS depending on local or remote SUP)

10. Install Hotfix KB 3095113, that adds Windows 10 Upgrade support https://support.microsoft.com/en-us/kb/3095113

11. Start Configuration Manager Services and change startup to Automatic for the services that we changed above.

12. Verify that everything is working, System Status, Component status…

13. Install Anti-virus

14. Install all Software Updates for Server 2012 R2. I was struggling with when to do this, but I decided to do it after I verified that Configuration Manager was working, to make potential troubleshooting easier.
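One way to script steps 5 and 11, as an added example that is not part of the original post: it records which Configuration Manager services were set to Automatic before disabling them, so that exactly those services are restored after the upgrade. The `SMS_*` name filter and the state-file path are assumptions; compare the saved list with the services on your own site server.

```powershell
# Added example, not from the original post.
# Assumptions: the site server services match 'SMS_*'; the state file path is hypothetical.
$StateFile  = 'C:\Temp\cm-services-before-upgrade.csv'
$NameFilter = 'SMS_*'

# Step 5: record the services that start automatically, then disable them.
function Disable-CmAutoService {
    param([string]$Filter = $NameFilter, [string]$Path = $StateFile)

    # Get-WmiObject is used because it works in the PowerShell
    # version that ships with Server 2008 R2.
    $services = @(Get-WmiObject -Class Win32_Service |
        Where-Object { $_.Name -like $Filter -and $_.StartMode -eq 'Auto' })

    if ($services.Count -eq 0) {
        Write-Warning "No automatic services match '$Filter'; nothing changed."
        return
    }

    # Save the list first so a failure below still leaves a record.
    $services | Select-Object Name, DisplayName, StartMode |
        Export-Csv -Path $Path -NoTypeInformation

    foreach ($s in $services) {
        Set-Service -Name $s.Name -StartupType Disabled
        Write-Output "Disabled $($s.Name)"
    }
}

# Step 11: set the recorded services back to Automatic and start them.
function Restore-CmAutoService {
    param([string]$Path = $StateFile)

    foreach ($row in Import-Csv -Path $Path) {
        Set-Service -Name $row.Name -StartupType Automatic
        Start-Service -Name $row.Name
        Write-Output "Restored $($row.Name)"
    }
}

# Before the OS upgrade (step 5):  Disable-CmAutoService
# After the OS upgrade (step 11):  Restore-CmAutoService
```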

That is how I did it and it seems to be working just fine. I ran into a couple of things with the OS upgrade itself, no big deal at all.

1. IIS and WAS were disabled during the upgrade due to “incompatibility with the current setup”. I have a lot of test websites, web services and stuff, so I assume that was why; I cleaned up the IIS from old websites. I had to change the startup type of the services to automatic and then start them, then everything worked fine.

2. .NET Optimization ran for about 15 minutes consuming a lot of CPU, check that before you freak out that the system is slower ;-)

3. CCMRepair was also launched automatically which also consumed some CPU.

That is how I did it.

When managing Windows Defender on Windows 10 with Configuration Manager you will see an error when you use the Group Policy Management Console to view the Group Policy Result on a computer, looking something like this.

The reason for this is that Configuration Manager writes the values that you set in a policy as DWORD, whereas Group Policy writes the values as String. That is the reason for the error “Registry Value…… is of unexpected type”. Both will work, so this is more of a cosmetic error and basically only visible under Group Policy Result in GPMC.

It can be illustrated easily by creating a Group Policy that applies an exclusion for .wim, while in the Configuration Manager Antimalware policy we create an exclusion for .iso. When looking at the registry key on a client under the Policies key we can see that the values are of different types.


Is this a big problem? No, as the Windows Defender client reads and uses both values in the example above, so basically the only thing that is impacted is the Group Policy result view in GPMC. Note that I used the example above and applied different exclusions using GPO and Configuration Manager; this is not recommended in a production environment from a troubleshooting perspective.
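To see on a client which exclusions each management tool has written, the following added example (not part of the original post) lists every Defender policy exclusion with its registry value type and warns when one category contains both types. The registry path is the standard Windows Defender policy location and is an assumption here, since the post only refers to "the Policies key"; the type-to-writer mapping follows the post's description.

```powershell
# Added example, not from the original post. Run from an elevated prompt on a client.
# Assumption: the standard Windows Defender policy location in the registry.
$ExclusionRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions'

function Get-DefenderPolicyExclusion {
    param([string]$Root = $ExclusionRoot)

    if (-not (Test-Path -Path $Root)) { return }

    # Each subkey (for example Extensions) holds one value per exclusion.
    foreach ($key in Get-ChildItem -Path $Root) {
        foreach ($name in $key.GetValueNames()) {
            $kind = $key.GetValueKind($name).ToString()
            # Type-to-writer mapping as described in the post.
            $writer = switch ($kind) {
                'String' { 'Group Policy' }
                'DWord'  { 'Configuration Manager' }
                default  { 'Unknown' }
            }
            [pscustomobject]@{
                Category     = $key.PSChildName
                Exclusion    = $name
                ValueKind    = $kind
                LikelyWriter = $writer
            }
        }
    }
}

$exclusions = @(Get-DefenderPolicyExclusion)
$exclusions | Sort-Object Category, Exclusion | Format-Table -AutoSize

# Flag categories where exclusions of both types are present, which is the
# mixed GPO/ConfigMgr setup the post advises against in production.
foreach ($group in ($exclusions | Group-Object Category)) {
    $kinds = @($group.Group | Select-Object -ExpandProperty ValueKind -Unique)
    if ($kinds.Count -gt 1) {
        Write-Warning ("{0}: mixed value types ({1}); exclusions come from more than one source." -f
            $group.Name, ($kinds -join ', '))
    }
}
```

Because exclusions reduce what the antimalware engine scans, reviewing this list for entries nobody can account for is worthwhile regardless of the GPMC display error.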

The refresh scenario that doesn’t work with ADK 10586, which I blogged about a while ago and which has been a pain for many of us, got a fix last week: https://support.microsoft.com/sv-se/kb/3143760 Really great! :D :D

I realized that I have many environments to create new boot images and apply the hotfix in, so I wrote two simple .cmd files to create them for me, and I thought I would share them here as well. The .cmd files are a combination of the instructions for how to apply the hotfix and the great blog post by Brandon, which can be found here: http://blogs.technet.com/b/brandonlinton/archive/2015/07/30/windows-10-adk-boot-image-updates-for-configuration-manager.aspx

Both of the .cmd files can be downloaded here: Download

A short how to create new boot images using WinPE 10.0.15086

1. If you are using an older ADK uninstall it on the Primary Site Server.

2. Download and install the new version of the ADK

3. Reboot the Site Server

4. Download the .cmd files from the link above

5. Download the ADK hotfix from the link: https://support.microsoft.com/sv-se/kb/3143760

6. Create a folder, example D:\Temp\ADKHotfix

7. Extract the Hotfix and the .CMD files to that directory.

8. Check the two .dat files for any alternate stream according to the KB article.

9. Edit the .cmd files so that they have the correct paths for your environment; change the path to the ADK and the Mount folder to be used by DISM.


10. Open the “Deployment and Imaging Tools Environment” command prompt

11. Execute the .cmd file for the architecture that you want to create a boot image for and you are done!

Then you go and grab a “Configuration Manager cup of coffee” as a customer once called it.. and when you return you have a new fixed Boot Image that can be imported in Configuration Manager.
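The alternate stream check in step 8 can be done from PowerShell. This is an added example, not part of the original post or the KB article: it lists every NTFS stream other than the main data stream on the .dat files in the folder from step 6, shows the contents of any `Zone.Identifier` stream (the mark a browser adds to downloaded files) and removes only that stream. The function name is hypothetical.

```powershell
# Added example, not from the original post.
# Folder from step 6; adjust to your environment.
$HotfixDir = 'D:\Temp\ADKHotfix'

# List every stream other than the file's main data stream (:$DATA).
function Get-AlternateStream {
    param([string]$Path = $HotfixDir, [string]$Filter = '*.dat')

    foreach ($file in Get-ChildItem -Path $Path -Filter $Filter -File) {
        Get-Item -LiteralPath $file.FullName -Stream * |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    File   = $file.FullName
                    Stream = $_.Stream
                    Length = $_.Length
                }
            }
    }
}

$streams = @(Get-AlternateStream)
if ($streams.Count -eq 0) {
    Write-Output 'No alternate streams found on the .dat files.'
} else {
    $streams | Format-Table -AutoSize
    foreach ($s in ($streams | Where-Object { $_.Stream -eq 'Zone.Identifier' })) {
        # Show the zone information so the download origin can be confirmed.
        Get-Content -LiteralPath $s.File -Stream Zone.Identifier
        # Unblock-File removes only the Zone.Identifier stream.
        Unblock-File -LiteralPath $s.File
    }
    # A stream with any other name is left in place for manual review.
}
```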

Hope it is helpful!

One of the big new features in Configuration Manager CB – 1511 is the “Updates and Servicing” feature, where new versions of Configuration Manager and updates will be published, making it really easy to install a new build of Configuration Manager. Yesterday the hotfix KB3122637 – “FIX: Mobile devices aren’t listed in System Center Configuration Manager” was published, and it is the first one to use the new “Updates and Servicing” feature in Configuration Manager 1511. It will only be advertised if the hotfix is applicable, in this case if you have the Exchange Connector deployed.

When you launch the Admin Console you are greeted by this message:


When we go to the Updates and Servicing node we see the new update as available.

We have two options available either “Install Update Pack” or “Run Prerequisite check” when we select the update.
In production, always run the prerequisite check before installing to make sure there are no issues. When the prerequisite check has completed we can select “Show Status” and we can see this view.

If we then select “Show Status” once again we can see some more detailed information.


We can then go back and select to install the update package.


We are then prompted with the following dialogs


We can then track the installation using the CMUpdate.log file, as we will lose connection with the console, so the status viewer there will not be usable until the Site is up and running again.


As this update didn’t contain any client update we are now finished. The procedure is the same as for a new version of Configuration Manager CB; if you check the CMUpdate.log file you can see that it skipped updating the database, as there were no database upgrades to perform.

This is a great step moving to Configuration Manager as a Service! Easy to update and a really nice experience as well!!

Yesterday Configuration Manager Technical Preview – 1602 was released, and the installation worked great!! One of the most useful features so far is that we now have a “Sync Policy” button in the new Software Center UI. I am extra excited about this as I filed a Uservoice item for it a while back, and finally seeing it in the product is really cool and proves that Uservoice is important and that Microsoft delivers on the suggestions you place there and vote for.

I cannot remember how many times I have written scripts to be placed in the Start Menu for the end users that triggers a Machine/user policy refresh. Great that it is now in the product.

So how does it look then? Where is it?
It is under Options, Computer Maintenance in Software center.


So the user can easily be instructed to find it by the Service Desk, for instance. Remember that it triggers both a Machine policy evaluation cycle and a User policy evaluation cycle.
I think these kinds of enhancements are great!
We need to focus more on the end-user experience, which is the most important thing we have; the end-user experience is king!