CCMEXEC.COM – System Center blog

CCMEXEC.COM – by Jörgen Nilsson

Browsing Posts in System Center Configuration Manager

In the middle of the vacation period, at least in Sweden, a new update has been released that requires multiple reboots and therefore will fail an OS deployment task sequence in Configuration Manager, as we have seen a couple of times before. This issue is addressed in System Center 2012 Configuration Manager SP2 and R2 SP1, but if you haven't upgraded yet it will still cause a problem.

The update is: KB3073094

And the article that lists all the updates that requires multiple reboots is updated as well: https://support.microsoft.com/en-us/kb/2894518

Thanks for the heads-up Tim: https://twitter.com/t1mnl well spotted!

In September the Windows 10 Tour in Sweden takes place, presented by Addskills, Cornerstone and Microsoft.

We will be turning Windows 10 inside and out from every angle you can imagine. Join me and fellow MVPs Sami Laiho and Paula Januszkiewicz when we deep dive into Windows 10 in four cities in Sweden. I am really looking forward to it!

I have the great pleasure of presenting two sessions:

- "Deploying Windows 10 using Configuration Manager", where we will cover SCCM vNext as well.

- "Windows 10, Azure AD and EMS"

Umeå – 21 September

Stockholm – 22 September

Malmö – 23 September

Göteborg – 24 September

I hope to see you all there!


A quick tip: remember to tell end-users, in the enrollment instructions or other Intune-related instructions, that they need to add the Intune Company Portal widget to their home screen to see the web apps published to them through Intune. Otherwise they won't see any of the web links you publish to Android devices, which is something I see far too often.


One very common request when implementing Intune is to distribute a Wi-Fi profile with WPA2 and a pre-shared key. This is currently not possible from the UI, either with Intune standalone or with Intune integrated with Configuration Manager 2012. I have already written a post on how to create a custom iOS profile using Apple Configurator and deploy it using Intune standalone here: http://ccmexec.com/2015/03/creating-and-deploying-a-custom-ios-policy-using-intune/

In this post I will use the same custom profile as in the post above but distribute it using Configuration Manager 2012 R2 SP1 instead, since deploying a custom iOS profile is a new feature in that release.

In the Configuration Manager 2012 R2 SP1 console, do the following:

1. Create a new Configuration Item and specify that you want to create a Mobile Device configuration item.

2. Select iOS Custom Profile as the settings group.


3. Enter a name for the profile (note that it will be visible to the end-users) and then import the .xml file created as described in my earlier blog post. Note that the SSID in that .xml file is "Office1".

4. Select which platforms the setting should apply to; as it is only applicable to iOS devices there is no point in selecting anything else.


5. The Configuration Item itself is then finished and ready to be added to a Configuration Baseline.


6. Next, create a Configuration Baseline so we can deploy the Wi-Fi policy to our devices. Select Create Configuration Baseline, give it a name, and add the Configuration Item we created earlier by clicking Add and selecting Configuration Item. You can add more than one Configuration Item; if you are deploying multiple settings to the same group of devices it is a smart move to add them all to the same baseline.


7. Deploy the Configuration Baseline. Here we can choose to generate an alert if a certain percentage of devices fail to apply the policy, and this is also where we select which collection to deploy the Configuration Baseline to.


Then we are done and ready to test. We can easily verify it on the iOS device by looking in the Management Profile under Settings for the Wi-Fi network we deployed.
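Before importing the .xml in step 3 it is worth checking what is actually in it: the SSID, that the payload really is WPA/WPA2 with a key, and that it parses without the XML parser going out to fetch Apple's DTD. The PowerShell below is an added example (my code, not from the post or from Apple Configurator) that parses the profile as a plist and reports on the Wi-Fi payload. The sample profile inside it is constructed for the example, using the SSID "Office1" from the post; the payload keys are Apple's standard Wi-Fi payload keys.

```powershell
# Added example, not code from the original post: check the custom iOS profile .xml
# (an Apple configuration profile, i.e. an XML plist) before importing it in step 3.
# The sample profile at the bottom is constructed here; the keys PayloadContent,
# PayloadType, SSID_STR, EncryptionType, Password and AutoJoin are Apple's Wi-Fi
# payload keys, the SSID "Office1" follows the post.

function ConvertFrom-PlistNode {
    # Recursively turn a plist value element into a hashtable, array or scalar.
    param([Parameter(Mandatory)][System.Xml.XmlNode]$Node)
    $elements = @($Node.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })
    switch ($Node.LocalName) {
        'dict' {
            $table = @{}
            for ($i = 0; $i -lt $elements.Count; $i += 2) {
                # inside <dict> every <key> is followed by exactly one value element
                $table[$elements[$i].InnerText] = ConvertFrom-PlistNode -Node $elements[$i + 1]
            }
            return $table
        }
        'array'   { return ,@($elements | ForEach-Object { ConvertFrom-PlistNode -Node $_ }) }
        'integer' { return [int]$Node.InnerText }
        'true'    { return $true }
        'false'   { return $false }
        default   { return $Node.InnerText }   # string, date, data kept as text
    }
}

function Import-ConfigurationProfile {
    # Load the profile with DTD processing off: profiles carry an Apple DOCTYPE and the
    # parser must never fetch it or resolve external entities from a file you did not write.
    param([Parameter(Mandatory)][string]$Path)
    $settings = New-Object System.Xml.XmlReaderSettings
    $settings.DtdProcessing = [System.Xml.DtdProcessing]::Ignore
    $settings.XmlResolver   = $null
    $reader = [System.Xml.XmlReader]::Create((Resolve-Path $Path).Path, $settings)
    try {
        $doc = New-Object System.Xml.XmlDocument
        $doc.Load($reader)
    } finally { $reader.Close() }
    return ConvertFrom-PlistNode -Node $doc.DocumentElement.SelectSingleNode('dict')
}

function Test-WifiProfile {
    # Report SSID / encryption / PSK state of the Wi-Fi payload and anything that looks wrong.
    param([Parameter(Mandatory)][string]$Path, [string]$ExpectedSsid)
    $plist    = Import-ConfigurationProfile -Path $Path
    $wifi     = @(@($plist['PayloadContent']) | Where-Object { $_['PayloadType'] -eq 'com.apple.wifi.managed' })
    $findings = New-Object System.Collections.Generic.List[string]
    if ($wifi.Count -ne 1) {
        $findings.Add("expected exactly one Wi-Fi payload, found $($wifi.Count)")
        return [pscustomobject]@{ Path = $Path; Findings = $findings }
    }
    $w = $wifi[0]
    if ($ExpectedSsid -and $w['SSID_STR'] -ne $ExpectedSsid) {
        $findings.Add("SSID is '$($w['SSID_STR'])', expected '$ExpectedSsid'")
    }
    if ($w['EncryptionType'] -notin 'WPA', 'WPA2') {
        $findings.Add("EncryptionType is '$($w['EncryptionType'])', not WPA/WPA2")
    }
    if ([string]::IsNullOrEmpty($w['Password'])) {
        $findings.Add('no pre-shared key (Password) in the payload')
    } else {
        $findings.Add('the pre-shared key is in clear text in this file: restrict who can read it')
    }
    [pscustomobject]@{
        Path = $Path; DisplayName = $plist['PayloadDisplayName']; SSID = $w['SSID_STR']
        EncryptionType = $w['EncryptionType']; AutoJoin = $w['AutoJoin']; Findings = $findings
    }
}

# Constructed sample profile, same SSID as in the post; the PSK here is obviously fake.
$sample = @'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadDisplayName</key><string>Office Wi-Fi</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>SSID_STR</key><string>Office1</string>
      <key>EncryptionType</key><string>WPA2</string>
      <key>Password</key><string>NotTheRealKey</string>
      <key>AutoJoin</key><true/>
    </dict>
  </array>
</dict>
</plist>
'@
$file = Join-Path $env:TEMP 'Office1-wifi.xml'
Set-Content -Path $file -Value $sample -Encoding UTF8
Test-WifiProfile -Path $file -ExpectedSsid 'Office1' | Format-List
```

Run it against the real file with Test-WifiProfile -Path .\profile.xml -ExpectedSsid Office1 before you import it. Keep in mind that the pre-shared key is in clear text in that file, so treat the .xml like a password file and limit who can read it and the Configuration Item that contains it.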

There are many examples out there on how to remove a computer from a collection after OS deployment has finished. I have used different scripts in different scenarios, but at a customer lately we had a requirement to open as few ports as possible in the firewall. If you run a script from the task sequence on the client side that removes the device from a collection, you will for example need to open the RPC high ports, which could be avoided.

That is why I wrote this little PowerShell script that removes the computer from a collection and clears the PXE flag as well, using Maik Koster's excellent web service instead. Maik Koster's web service can be downloaded here: http://mdtcustomizations.codeplex.com/releases . Don't forget to secure it using request filtering in IIS.

The PowerShell script

The following script is used to call the web service; in this example we use Maik Koster's web service and identify the computer by its UUID, passed on the command line. The following lines need to be configured for your environment in the script below:

[string]$UsrName = "Contoso\wbssvc"
[string]$UsrPW = "Pa@ssw0rd"
[string]$SiteCode = "123"
[string]$URI = "http://sccm02/webservice/sccm.asmx?WSDL"

Copy the script and place it in a folder that can be used as the package source for a package, so we can call the script from that package in the Task Sequence.

The script:

Param(
    [string]$computerName,
    [string]$UUID,
    [string]$CollectionID
)

# Settings to edit for your environment. Note that the account password is
# stored in clear text here, and therefore in the package content on the DPs.
[string]$UsrName    = "Contoso\wbssvc"
[string]$UsrPW      = "Pa@ssw0rd"
[string]$SiteCode   = "123"
[string]$Macaddress = ""   # left empty, the UUID is used to identify the computer
[string]$URI        = "http://sccm02/webservice/sccm.asmx?WSDL"

$secpasswd = ConvertTo-SecureString "$UsrPW" -AsPlainText -Force
$mycreds   = New-Object System.Management.Automation.PSCredential ("$UsrName", $secpasswd)

# Create a proxy for the web service from its WSDL, authenticating as the service account
$zip = New-WebServiceProxy -Uri $URI -Credential $mycreds

# Invoke Web Service: first clear the PXE flag so the machine is not re-imaged on the next PXE boot
$method = "ClearLastPXEAdvertisementForComputer"
$zip."$method".Invoke("$Macaddress","$UUID","$SiteCode")

# Then remove the computer from the collection; a failure here fails the task sequence step
try
{
    $method = "RemoveComputerFromCollection"
    $zip."$method".Invoke("$Macaddress","$UUID","$CollectionID","$ComputerName")
}
catch
{
    # "$_.Exception.Message" would print the whole ErrorRecord, so use a subexpression
    Write-Output "$($_.Exception.Message)"
    exit 1
}
exit 0

The Task Sequence step

Before we create a package we need to edit the information in the script above. Then create a package from which we can call the script.

I prefer to use a Run Command Line step to run the PowerShell script and call the web service. Use the package we created before as the package to run the command from.

The following command line can be used, where the last argument is the collection the device should be removed from; change that to reflect your environment: "Powershell.exe -NoProfile -ExecutionPolicy ByPass -File RemoveFromOSDCollection1.ps1 %OSDcomputername% %UUID% 06000062"


That should do it, deploy the task sequence and test it out.

Note:

  • The script returns an error (exit code 1) if the computer cannot be removed from the collection, which fails the task sequence step; enable "Continue on error" on the step if that should not stop the deployment.
  • If you imported the computer with a MAC address you need to change the script to pass the MAC address instead of the UUID when removing it.
  • The web-service account name and password are in clear text in the script, and therefore in the package content on every distribution point; use a dedicated account with no more rights than the web service needs, and keep the web service itself locked down with request filtering as mentioned above.
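The script above hard-codes the web-service account and its password, so they end up in clear text in the package content on every distribution point. The following is an added example (my code, not the script from the post) that does the same two web-service calls but reads the account from task-sequence variables instead, and accepts either the UUID or the MAC address as identifier. Assumed names: WebSvcUser and WebSvcPassword, set as collection or task-sequence variables with "Do not display this value" ticked for the password; the method names and argument order are the ones used in the post, and the URI and site code are the post's placeholders.

```powershell
# Added example, not the script from the post. Same job (clear the PXE flag and remove the
# computer from the OSD collection through Maik Koster's web service), but the service
# account is read from task-sequence variables rather than hard-coded in the package.
# Assumed variable names: WebSvcUser, WebSvcPassword (hidden), OSDComputerName, UUID.
Param(
    [Parameter(Mandatory)][string]$CollectionID,
    [string]$Uri      = 'http://sccm02/webservice/sccm.asmx?WSDL',   # placeholder from the post
    [string]$SiteCode = '123'                                        # placeholder from the post
)

function Get-TSVariable {
    # Read a task-sequence variable; outside a running task sequence (manual testing)
    # fall back to a process environment variable of the same name.
    param([Parameter(Mandatory)][string]$Name, [switch]$Required)
    try {
        $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment   # only exists inside a TS
        $value = $tsenv.Value($Name)
    } catch {
        $value = [Environment]::GetEnvironmentVariable($Name)
    }
    if ($Required -and [string]::IsNullOrEmpty($value)) {
        throw "Required task sequence variable '$Name' is not set"
    }
    return $value
}

function Get-WebServiceCredential {
    # Build the credential from the two assumed variables; the password never touches disk.
    $user   = Get-TSVariable -Name 'WebSvcUser' -Required
    $pass   = Get-TSVariable -Name 'WebSvcPassword' -Required
    $secure = ConvertTo-SecureString -String $pass -AsPlainText -Force
    return New-Object System.Management.Automation.PSCredential ($user, $secure)
}

function Remove-ComputerFromOsdCollection {
    param(
        [Parameter(Mandatory)][string]$Uri,
        [Parameter(Mandatory)][string]$SiteCode,
        [Parameter(Mandatory)][string]$CollectionID,
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$ComputerName,
        [string]$UUID,
        [string]$MacAddress
    )
    # The web service identifies the record by MAC or by UUID: pass the one the computer
    # was imported with and leave the other empty (the post's Note about MAC imports).
    if ([string]::IsNullOrEmpty($UUID) -and [string]::IsNullOrEmpty($MacAddress)) {
        throw 'Either -UUID or -MacAddress must be supplied'
    }
    $proxy = New-WebServiceProxy -Uri $Uri -Credential $Credential
    # An exception from either call propagates to the caller's try/catch and fails the step.
    $proxy.ClearLastPXEAdvertisementForComputer($MacAddress, $UUID, $SiteCode)
    $proxy.RemoveComputerFromCollection($MacAddress, $UUID, $CollectionID, $ComputerName)
}

try {
    Remove-ComputerFromOsdCollection -Uri $Uri -SiteCode $SiteCode -CollectionID $CollectionID `
        -Credential   (Get-WebServiceCredential) `
        -ComputerName (Get-TSVariable -Name 'OSDComputerName') `
        -UUID         (Get-TSVariable -Name 'UUID') | Out-Null
    exit 0
} catch {
    Write-Output $_.Exception.Message
    exit 1
}
```

Call it from the same Run Command Line step with only the collection ID as argument. A hidden variable is masked in smsts.log and is not part of the package, but anything running inside the task sequence can still read it through the TSEnvironment object, so the account should still have no more rights than the two web-service methods need.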

Techdays 2015 in Sweden, 21-22 October, is THE event of the year in Sweden! It always has great content and great speakers, and it is a great time meeting the IT community.

This year I have the great honor of presenting a session, "Windows 10 + EMS = TRUE", together with my colleague Anders Olsson (http://itsakerhetsguiden.se/) (in Swedish). We will focus on the latest and coolest features in Windows 10 and how we can utilize Enterprise Mobility Suite (EMS) together with Windows 10 to achieve greatness! EMS and Windows 10 will change how we manage our devices and users in the future!

Really looking forward to it! Hope to meet you all there!


I have many customers who have experienced the same issue when deploying 64-bit Windows 7 using a 32-bit boot image. The error has not been consistent either: the Apply Driver Package step fails and the DISM log indicates that it cannot read the SOFTWARE hive from the registry, or the machine blue-screens on first boot.

Rebuilding the master image has solved the problem. I have one customer who logged a case with Microsoft Support and got this solution that works great!

Thanks Ola Ahrens for sharing!!

The issue

WinPE tries to compact the offline registry and fails to commit the registry hives back to disk.

This problem only happens when you deploy Windows 7 using 32-bit WinPE 5.0 or 5.1 to apply the image.

Note: SCCM 2012 R2 and higher uses WinPE 5.0 or higher to deploy OS images.

Resolution

Create a Value in WinPE

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager

Name:  RegistryReorganizationLimitDays

Datatype: DWORD

Value:  365

This value has the effect that the registry hives are not compacted as long as the modified date of the hives is not older than 365 days.

If you intend to use the deployment for longer than a year, choose a higher value.
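"Create a value in WinPE" in practice means getting it into the SYSTEM hive of the boot image so it is there when WinPE boots. The following is an added example (my code, not from the post or from Microsoft Support) that mounts a boot.wim, loads its offline SYSTEM hive, writes RegistryReorganizationLimitDays and saves the image only after reading the value back. One thing that trips people up is that an offline hive has no CurrentControlSet; the example resolves the real control set from Select\Current. The boot.wim path in the usage line is an assumption.

```powershell
# Added example, not code from the original post. Adds RegistryReorganizationLimitDays
# to the SYSTEM hive of an offline boot image (boot.wim) so the value is already there
# when WinPE boots. Run elevated on a machine with the DISM PowerShell module (Windows
# ADK / Windows 8 or later); the boot.wim path in the usage line is an assumption.

function Set-WinPERegistryReorganizationLimit {
    param(
        [Parameter(Mandatory)][string]$BootWim,
        [int]$Days = 365,                                        # the value from the post
        [string]$MountPath = (Join-Path $env:TEMP 'WinPEMount'),
        [string]$HiveName  = 'WinPE_SYS'                         # temporary name under HKLM
    )
    if (-not (Test-Path $MountPath)) { New-Item -ItemType Directory -Path $MountPath | Out-Null }
    Mount-WindowsImage -ImagePath $BootWim -Index 1 -Path $MountPath | Out-Null
    $saveImage = $false
    try {
        $hive = Join-Path $MountPath 'Windows\System32\config\SYSTEM'
        & reg.exe load "HKLM\$HiveName" $hive | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }
        try {
            # An offline hive has no CurrentControlSet link; Select\Current says which
            # ControlSet00n the running WinPE will use, so the value is written there.
            $select = (& reg.exe query "HKLM\$HiveName\Select" /v Current) -join "`n"
            if ($select -match 'Current\s+REG_DWORD\s+0x([0-9A-Fa-f]+)') {
                $controlSet = 'ControlSet{0:D3}' -f [Convert]::ToInt32($Matches[1], 16)
            } else {
                throw 'could not read Select\Current from the offline hive'
            }
            $key = "HKLM\$HiveName\$controlSet\Control\Session Manager\Configuration Manager"
            & reg.exe add $key /v RegistryReorganizationLimitDays /t REG_DWORD /d $Days /f | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "reg add failed with exit code $LASTEXITCODE" }
            # Read it back; the image is only saved if the hive really holds the value.
            $verify = (& reg.exe query $key /v RegistryReorganizationLimitDays) -join "`n"
            if ($verify -match 'RegistryReorganizationLimitDays\s+REG_DWORD\s+0x([0-9A-Fa-f]+)') {
                $written   = [Convert]::ToInt32($Matches[1], 16)
                $saveImage = ($written -eq $Days)
            }
        } finally {
            & reg.exe unload "HKLM\$HiveName" | Out-Null
        }
    } finally {
        if ($saveImage) { Dismount-WindowsImage -Path $MountPath -Save    | Out-Null }
        else            { Dismount-WindowsImage -Path $MountPath -Discard | Out-Null }
    }
    if (-not $saveImage) { throw 'value was not written; image changes were discarded' }
    [pscustomobject]@{ BootWim = $BootWim; ControlSet = $controlSet; RegistryReorganizationLimitDays = $written }
}

# Usage; the path is an assumption, point it at the source of your 32-bit boot image.
Set-WinPERegistryReorganizationLimit -BootWim 'D:\Sources\OSD\Boot\boot_x86.wim' -Days 365
```

After the image is saved, update the boot image on the distribution points so the task sequence actually boots the modified WinPE; reloading the boot image from the ADK would recreate it from winpe.wim and drop the change.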

I am writing this post because I had two customers who wanted to use Alternate Login ID in Azure AD together with Intune and SCCM 2012 in a hybrid deployment with SCCM as the MDM authority. I found several blogs and a wiki stating that this wasn't supported and describing unsupported scripting directly against the SCCM 2012 database.

The background is that when using SCCM in a hybrid deployment as the MDM authority you must use a collection in SCCM containing the users that are allowed to enroll their devices. If you are using different UPNs in your on-premises AD and Azure AD, SCCM would not be able to match the user in Azure AD and therefore you could not enroll any devices.

One workaround was changing the UPN directly in the SCCM database so that it matched the UPN used in Azure AD, for example the e-mail address if that was used as UPN in Azure AD.

After some investigation: those issues have now been resolved by Microsoft and no changes are required on the SCCM side, as Intune tries to match the user using the UPN and, if that doesn't work, tries the e-mail address, which basically solves it.

I have successfully delivered two proof-of-concepts where the e-mail address was used as UPN in Azure AD instead of the UPN from the on-premises AD, and it has worked just great!

Thanks to Kerim and Saud at Microsoft for verifying and support! :D

One of the wikis that mentioned this, http://social.technet.microsoft.com/wiki/contents/articles/24096.dirsync-using-alternate-login-ids-with-azure-active-directory.aspx , has been updated by Saud as well, so the information that there are issues with SCCM + Intune in hybrid using Alternate Login IDs has been removed.

Note:

  • There are still some limitations with Office 365 and Alternate Login ID.
  • When using ADFS together with Alternate Login ID in Azure you need to configure ADFS to allow login using the e-mail address as well, as described here: https://technet.microsoft.com/en-us/library/dn659436.aspx (that article will also be updated to remove the information that Intune and SCCM have issues).