CCMEXEC.COM – System Center blog

CCMEXEC.COM – by Jörgen Nilsson

A quick tip: remember to inform the end user, in the enrollment instructions or other Intune related instructions, that they need to add the Intune Company Portal widget to their home screen to see the web apps published to them through Intune. Otherwise they won’t see any of the web links you publish to Android devices, which is something I see way too often.


One very common request when implementing Intune is to distribute a Wi-Fi profile with WPA2 and a pre-shared key. This is currently not possible through the UI, either with Intune standalone or with Intune integrated with Configuration Manager 2012. I have already written a post on how to create a custom iOS profile using Apple Configurator and deploy it using Intune standalone here: http://ccmexec.com/2015/03/creating-and-deploying-a-custom-ios-policy-using-intune/

In this post I will use the same custom profile as in the post above, but distribute it using Configuration Manager 2012 R2 SP1 instead, since deploying a custom iOS profile is a new feature in that release.

In the Configuration Manager 2012 R2 SP1 console, do the following:

1. Create a new Configuration Item and specify that you want to create a Mobile Device configuration item.

2. Select iOS Custom Profile as the settings group.


3. Enter a name for the profile (note that it will be visible to the end users), then import the .xml file created as described in my earlier blog post. Note that the SSID name in that .xml file is “Office1”.

4. Select which platforms the setting should be applied to. As it is only applicable to iOS devices, there is no point in selecting anything else.


5. The Configuration Item itself is then finished and ready to be added to a Configuration Baseline.


6. The next step is to create a Configuration Baseline so we can deploy the Wi-Fi policy to our devices. Select Create a new Configuration Baseline, give it a name, and add the Configuration Item we created earlier by clicking the Add button and selecting Configuration Item. Note that you can add more than one Configuration Item; if you are deploying multiple settings to a group of devices it could be a smart move to add them to the same baseline.


7. The next step is to deploy the Configuration Baseline. Here we can select to generate an alert if a certain percentage of devices fail to apply the policy, and it is also here we select which collection the Configuration Baseline should be deployed to.


Then we are done and ready to test it. We can verify it easily on the iOS device by looking in the management profile for the Wi-Fi network we deployed.

There are many examples out there on how to remove a computer from a collection after OS deployment is finished. I have used different scripts in different scenarios, but at a customer lately we had a requirement to open as few ports as possible in the firewall. If you run a script from the Task Sequence on the client side that removes the device from a collection, you will need to open, for example, the RPC high ports, which could be avoided.

That is why I wrote this little PowerShell script, which uses Maik Koster’s excellent web service to remove the computer from a collection and clear the PXE flag as well. Maik Koster’s web service can be downloaded here: http://mdtcustomizations.codeplex.com/releases. Don’t forget to secure it using request filtering in IIS.

The PowerShell script

The following script is used to call the web service. In this example we use Maik Koster’s web service and call it using the UUID as the identifier on the command line. The following lines need to be configured in the script below:

[string]$UsrName = "Contoso\wbssvc"
[string]$UsrPW = "Pa@ssw0rd"
[string]$SiteCode = "123"
[string]$URI = "http://sccm02/webservice/sccm.asmx?WSDL"

Copy the script and place it in a folder that can be used as the package source for a package, so we can call the script from that package in the Task Sequence.

The script:

Param(
    [string]$computerName,
    [string]$UUID,
    [String]$CollectionID
)

# Web service account, site code and web service URL; edit these to match your environment
[string]$UsrName = "Contoso\wbssvc"
[string]$UsrPW = "Pa@ssw0rd"
[string]$SiteCode = "123"
[string]$Macaddress = ""
[string]$URI = "http://sccm02/webservice/sccm.asmx?WSDL"

# Build the credential and the proxy object for the web service
$secpasswd = ConvertTo-SecureString "$UsrPW" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ("$UsrName", $secpasswd)
$zip = New-WebServiceProxy -uri $URI -Credential $mycreds

# Invoke Web Service: clear the PXE flag, then remove the computer from the collection
$method = "ClearLastPXEAdvertisementForComputer"
$zip."$method".Invoke("$Macaddress","$UUID","$SiteCode")

try
{
    $method = "RemoveComputerFromCollection"
    $zip."$method".Invoke("$Macaddress","$UUID","$CollectionID","$ComputerName")
}
catch
{
    # $(...) is needed for the property path to expand inside the string
    Write-Output "$($_.Exception.Message)"
    exit 1
}

exit 0

The Task Sequence step

Before we create a package we need to edit the information in the script above. Then create a package from which we can call the script.

I prefer to use a Run Command Line step to run the PowerShell script and call the web service. Use the package we created before to run the command from.

The following command line can be used, where the last part is the ID of the collection the device should be removed from; you need to change that to reflect your environment: "Powershell.exe -NoProfile -ExecutionPolicy ByPass -File RemoveFromOSDCollection1.ps1 %OSDcomputername% %UUID% 06000062"


That should do it, deploy the task sequence and test it out.

Note:

  • The script will return an error if the computer cannot be removed from the collection; you can handle that with the Continue on error option on the step.
  • If you imported the computer with a MAC address, you need to change the script to use the MAC address instead of the UUID to remove it.
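As an added example (not the script from the post), here is a variant of the script above that covers the second note: it accepts either the UUID or the MAC address as the identifier, normalises the MAC address to the colon separated form, and makes both web service calls inside the try block. It assumes the same web service methods and parameter order as the script above, and that sending an empty UUID together with a MAC address is accepted the same way the original sends an empty MAC address together with a UUID.

```powershell
[CmdletBinding(DefaultParameterSetName = 'ByUUID')]
Param(
    [Parameter(Mandatory = $true)][string]$ComputerName,
    [Parameter(Mandatory = $true)][string]$CollectionID,
    [Parameter(Mandatory = $true, ParameterSetName = 'ByUUID')][string]$UUID,
    [Parameter(Mandatory = $true, ParameterSetName = 'ByMAC')][string]$MacAddress
)

# Same settings as the script in the post; edit to match your environment.
[string]$UsrName  = "Contoso\wbssvc"
[string]$UsrPW    = "Pa@ssw0rd"
[string]$SiteCode = "123"
[string]$URI      = "http://sccm02/webservice/sccm.asmx?WSDL"

# The web service gets one identifier; the other one is sent as an empty string.
# (Assumption: an empty UUID with a MAC address works like the empty MAC address
# with a UUID that the original script sends.)
if ($PSCmdlet.ParameterSetName -eq 'ByMAC') {
    # Accept 00-11-22-33-44-55, 0011.2233.4455 or 001122334455 and normalise
    # to the upper-case colon separated form ConfigMgr shows: 00:11:22:33:44:55
    $hex = ($MacAddress -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($hex.Length -ne 12) { Write-Output "Invalid MAC address: $MacAddress"; exit 2 }
    $MacAddress = $hex -replace '(..)(?!$)', '$1:'
    $UUID = ""
} else {
    $MacAddress = ""
}

$secpasswd = ConvertTo-SecureString $UsrPW -AsPlainText -Force
$mycreds   = New-Object System.Management.Automation.PSCredential ($UsrName, $secpasswd)
$ws        = New-WebServiceProxy -Uri $URI -Credential $mycreds

try {
    # Clear the PXE flag first, then remove the device from the collection
    $ws.ClearLastPXEAdvertisementForComputer($MacAddress, $UUID, $SiteCode) | Out-Null
    $ws.RemoveComputerFromCollection($MacAddress, $UUID, $CollectionID, $ComputerName) | Out-Null
}
catch {
    # $(...) is required to expand the property path inside the string
    Write-Output "Web service call failed: $($_.Exception.Message)"
    exit 1
}
exit 0
```

Call it from the Run Command Line step with -UUID %UUID% as in the command line above, or with -MacAddress and the device's MAC address when the computer was imported that way.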

Techdays 2015 in Sweden, 21-22 October, is THE event of the year in Sweden! It always has great content, great speakers, and it is a great time meeting the IT community.

This year I have the great honor of presenting a session, “Windows 10 + EMS =TRUE”, together with my colleague Anders Olsson (http://itsakerhetsguiden.se/) (in Swedish). We will focus on the latest and coolest features in Windows 10 and how we can utilize the Enterprise Mobility Suite (EMS) together with Windows 10 to achieve greatness! EMS and Windows 10 will change how we manage our devices and users in the future!

Really looking forward to it! Hope to meet you all there!


I have many customers who have experienced the same issue deploying 64-bit Windows 7 using a 32-bit boot image. The error has not been consistent: either the Apply Driver Package step fails and the DISM log file indicates that it cannot read the Software hive from the registry, or the machine blue-screens on first boot.

Rebuilding the master image has solved the problem. I have one customer who logged a case with Microsoft Support and got this solution that works great!

Thanks Ola Ahrens for sharing!!

The issue

WinPE tries to compact the offline registry and fails to commit the registry hives back to disk.

This problem only happens when you deploy Windows 7 and use WinPE 5.0 or 5.1, 32-bit, to deploy the image.

Note: SCCM 2012 R2 and higher uses WinPE 5.0 or higher to deploy OS images.

Resolution

Create a value in WinPE under the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager

Name: RegistryReorganizationLimitDays
Datatype: DWORD
Value: 365

This value has the effect that the registry hives are not compacted as long as the modified date of the hives is not older than a year.

If you intend to use the deployment for longer than a year, a higher value must be chosen.
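One way to create the value from the Task Sequence, as an added example rather than anything from the post: a script for a Run PowerShell Script step placed in WinPE before the Apply Operating System step. The -LimitDays parameter defaults to the 365 given above and can be raised for deployments used longer than a year; the check on the system drive being X: is an assumption used to make sure the value is only written to WinPE's own SYSTEM hive.

```powershell
# Added example: create RegistryReorganizationLimitDays in the running WinPE
# so its offline registry compaction is skipped for hives newer than the limit.
Param(
    [ValidateRange(1, 36500)][int]$LimitDays = 365
)

# Only meaningful inside WinPE (system drive X:); refuse to touch a full OS.
if ($env:SystemDrive -ne 'X:') {
    Write-Output "Not running in WinPE (SystemDrive is $env:SystemDrive); nothing changed."
    exit 1
}

# Note: this "Configuration Manager" key belongs to Windows itself, not to SCCM.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager'
$name    = 'RegistryReorganizationLimitDays'

# Create the key if it is missing; the value itself is a REG_DWORD.
if (-not (Test-Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}
New-ItemProperty -Path $keyPath -Name $name -PropertyType DWord `
    -Value $LimitDays -Force | Out-Null

# Read the value back so smsts.log shows what was actually set.
$applied = (Get-ItemProperty -Path $keyPath -Name $name).$name
Write-Output "$name = $applied (hives newer than $applied days are not compacted)"
exit 0
```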

I am writing this post as I had two customers who wanted to use Alternate Login ID in Azure AD together with Intune and SCCM 2012 in a hybrid deployment, using SCCM as the MDM authority. I found several blogs and a wiki stating that this wasn’t supported and suggesting unsupported scripting directly against the SCCM 2012 database.

The background to this is that when using SCCM in a hybrid deployment as the MDM authority, you must use a collection in SCCM containing the users that are allowed to enroll their devices. If you are using different UPNs in your on-premises AD and Azure AD, SCCM would not be able to match the user in Azure AD and therefore you could not enroll any devices.

One workaround was changing the UPN directly in the SCCM database so it matched the UPN used in Azure AD, for example the e-mail address if that was used as the UPN in Azure AD.

After some investigation, those issues are now resolved by Microsoft and no changes are required on the SCCM side: Intune tries to match the user using the UPN, and if that doesn’t work it tries the e-mail address, which basically solves it.

I have successfully delivered two proofs of concept where the e-mail address was used as the UPN in Azure AD instead of the UPN from the on-premises AD, and it has worked just great!

Thanks to Kerim and Saud at Microsoft for verifying and support! :D

One of the wikis that mentioned this, http://social.technet.microsoft.com/wiki/contents/articles/24096.dirsync-using-alternate-login-ids-with-azure-active-directory.aspx, has been updated by Saud as well, so that the information that there are issues with SCCM+Intune in hybrid using Alternate Login IDs has been removed.

Note:

  • There are still some limitations with Office 365 and Alternate Login ID.
  • When using ADFS together with Alternate Login ID in Azure, you need to configure ADFS to allow login using the e-mail address as well, as described here: https://technet.microsoft.com/en-us/library/dn659436.aspx (it will also be updated to remove the information that Intune and SCCM have issues).

One very appreciated feature in Configuration Manager 2012 when you integrate it with MDT is the background pictures showing the OS deployment step, IP address, MAC address and so on to the end user or technician deploying the computer.

The first two steps are shown in WinPE only, and under Computer Name in the background the generated WinPE name (Minint-3242 here) is displayed as the computer name. I wrote a little PowerShell script which simply writes the OSDComputerName variable to the registry in WinPE, so we can read it from there with BGInfo and show both the WinPE name and the OSDComputerName. It will look something like this:

I like the flexibility of running scripts in the Task Sequence instead of modifying the boot image, so I run the script as a Run PowerShell Script step in the Task Sequence. Start by doing the following:

  1. Make sure you have the PowerShell component included in the boot image for the script to be able to run.
  2. Save a PowerShell script with the following content:
    Param(
        [string]$OSDcomputerName
    )
    # Create the OSD key (-Force so the step can be re-run) and write the name for BGInfo to read
    New-Item -Path HKLM:\SOFTWARE -Name OSD -Force
    New-ItemProperty -Path HKLM:\SOFTWARE\OSD -Name OSDComputerName -PropertyType String -Value $OSDcomputerName -Force
  3. Save this script in a folder and create a package in SCCM with the folder as the source path, so we can use it later in the Task Sequence.
  4. In the Task Sequence, before the step you are displaying in WinPE, add the following step: select the package to run the script from and enter %OSDComputerName% in the Parameters field to pass the OSDComputerName variable to the script.
  5. After that, edit the STEP_02.BGI file by launching Bginfo.exe from \Tools\x86 in your MDT 2013 Toolkit package source directory.
  6. In BGInfo select File, Open, and open the STEP_02.BGI file; then you will see the information displayed in the background.
  7. Select Custom and add the following value, where the path should be HKEY_LOCAL_MACHINE\SOFTWARE\OSD\OSDComputerName.
  8. You will see a warning that the registry value doesn’t exist; accept that, and then go on and edit the information displayed.
  9. Edit the background to look something like this.
  10. Then save the STEP_02.BGI file. If you are using the State Capture step, do the same with that step, or save this one with the STEP_01.BGI filename instead.
  11. Update the MDT 2013 Toolkit package so that the new .BGI files are updated on the DPs, and then you are good to go!

I haven’t tested it with MDT 2012, but I cannot see why it shouldn’t work.
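As an added example that goes a step beyond the script in the post (it is not the post's own code): instead of passing %OSDComputerName% as a parameter, the script reads the variables straight from the running Task Sequence through the Microsoft.SMS.TSEnvironment COM object and writes them under HKLM\SOFTWARE\OSD for BGInfo to pick up. OSDComputerName is the variable the post uses; _SMSTSPackageName is the built-in variable holding the Task Sequence name and is included here as an illustration of adding more fields.

```powershell
# Added example: export Task Sequence variables to the registry for BGInfo.
try {
    # Only exists while a Task Sequence is running; outside one this throws.
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
} catch {
    Write-Output "Not running inside a Task Sequence: $($_.Exception.Message)"
    exit 1
}

$keyPath = 'HKLM:\SOFTWARE\OSD'
# -Force makes the step safe to re-run, e.g. once per WinPE phase.
New-Item -Path $keyPath -Force | Out-Null

# Variables to expose; the list is an assumption, extend it with what your
# background should show. BGInfo reads them as Custom registry fields.
foreach ($name in 'OSDComputerName', '_SMSTSPackageName') {
    $value = $tsenv.Value($name)
    if ([string]::IsNullOrEmpty($value)) { $value = '<not set>' }
    New-ItemProperty -Path $keyPath -Name $name -PropertyType String `
        -Value $value -Force | Out-Null
}
exit 0
```

With this variant the Run PowerShell Script step needs no Parameters value; the Custom fields in BGInfo point at HKEY_LOCAL_MACHINE\SOFTWARE\OSD\<variable name> exactly as in step 7 above.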

When testing the latest build of Windows 10 I got an error installing the Configuration Manager 2012 R2 client: it fails installing the Windows Update Agent, with the following error in the CCMSetup.log file.

“File ‘C:\WINDOWS\ccmsetup\WindowsUpdateAgent30-x64.exe’ returned failure exit code 775. Fail the installation.”

I assume a solution to this error will be presented soon, but I cannot wait to get started with my testing of build 10049, so installing the SCCM client with the following command line at least solves the installation error of the Configuration Manager client.

"ccmsetup.exe /skipprereq:windowsupdateagent30-x64.exe"

Then ccmsetup.exe will skip the installation of the Windows Update Agent and continue the installation anyway. Normally I use the /skipprereq: switch to skip the installation of Silverlight on servers, as I don’t want Silverlight installed on my servers, but the switch works great in this case as well.

You will then see this in the ccmsetup.log file on the client which shows that the installation of the Windows Update agent was skipped and that the installation continues.

“Item ‘x64/WindowsUpdateAgent30-x64.exe’ is excluded by the ‘/skipprereq:’ switch. Ignore it.”

Good luck with the testing of Windows 10!

Update: SCCM 2012 SP2 and SCCM 2012 R2 SP1 solve the problem, so to fix the issue and get OSD working an upgrade is needed. If you just want the client to work and cannot upgrade right now, the workaround is valid for newer releases of Windows 10 as well.