CCMEXEC.COM – System Center blog

CCMEXEC.COM – by Jörgen Nilsson


After playing around a while with Configuration Manager 1701 Technical Preview build I thought it was time to share some info and some nice screenshots.

The biggest new feature, without competition, is that SCCM clients will now select a Software Update Point using Boundary Groups, just like they already do with an MP or DP. This is awesome news as it replaces the random selection a client does today! Right now there are some limitations to it in the Technical Preview; all information about what is included in 1701 Technical Preview can be found here: https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1701

Software update points and Boundary Groups improvements

A look at the new setting for SUP fallback in the Boundary Groups. It is not fully implemented yet in the Technical Preview, but it looks nice! New clients will use the SUP assigned in the Boundary Group, but existing clients will keep using the one that was selected randomly until they fail to contact it. Something to keep in mind when implementing it, if that is how it will work when it is released.

Boundary Group SUP

Hardware inventory now inventories UEFI information

UEFI is extremely important for all new security features in Windows 10 and going forward. In 1701, Hardware Inventory now inventories UEFI information as well. A dashboard that shows Credential Guard and Device Guard state would be great as well. A Configuration Item for it works just fine, but if I could wish.

UEFI Inventory

UEFI Inventory_1

Improvements in Operating System deployment

There are many small but great updates to the Task Sequence as well, updates to Standalone Media, expiration dates, additional content.

In the Task Sequence editor we can now multi-select applications, and instead of a maximum of 9 applications per step it is now possible to add 99.

TaskSequenceApps

All steps in a Task Sequence that reference a package, driver package, application and so on will have their PackageID/ApplicationID shown as well, making it much easier to find and troubleshoot them; an example would be the Setup Windows and Configuration Manager step.

PackageID

Validate device health attestation data via management points

We can now configure our Management Points with a list of On-Premise Device Health attestation points it should use to report device health. Device health attestation is not the most used feature as far as I know but it will be when we get rid of all the “old” hardware that doesn’t support TPM 2.0 for instance.

MP device health

Host software updates on cloud-based distribution points

A feature that has been requested but is debated as well: for Microsoft updates the clients can already download the content from Microsoft Update, and hosting the updates on the Cloud DP will introduce an additional cost. Something to think about.

The features I wrote about here are far from a complete list; check out the documentation for a complete list. It is great to follow the development of the product that is being done now, impressive!

In WinPE 1607 Dot3svc fails to load, as I and many others have noted before: http://ccmexec.com/2016/09/dot3svc-does-not-load-using-winpeadk-1607/ Today, in the comments on my post, "Robert" posted the following workaround, which seems to be working just fine!

Dot3svc

Copy the following files from a windows 10 1607 installation to winpe:

%windir%\l2schemas\OneX_v1.xsd %winpewindir%\l2schemas\OneX_v1.xsd

%windir%\system32\l2gpstore.dll %winpewindir%\system32\l2gpstore.dll

%windir%\system32\onex.dll %winpewindir%\system32\onex.dll

%windir%\system32\en-US\onex.dll.mui %winpewindir%\system32\en-US\onex.dll.mui

%windir%\system32\wbem\en-US\l2gpstore.mfl %winpewindir%\system32\wbem\en-US\l2gpstore.mfl

Thanks Robert for sharing this! All credit to your work!

Configuration Manager 1612 Technical Preview was released a couple of days ago and I have been playing around with it all the time I could spare since! Many new features that make us long for 1701 TP already, to see how the new features have improved.

I cannot help seeing a picture before me where David James is Santa Claus and the rest of the ConfigMgr team are his helpers :-) , the work and innovation put into Configuration Manager the last year is truly amazing! Fantastic work!

I have played around with a couple of the new features so I will cover them here, for a complete list of new features check out the documentation: https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1612

Task Sequence Retry option:

We have a new retry option when a Task Sequence fails because there is no content available or a deployment could not be found for the computer in WinPE. A great addition; there are more steps that could benefit from a "retry" option, but I am sure that will come.

It looks like this when content is missing on the DP, we now have a “Previous” button in the dialog, so we can retry the previous step.

TSretry

Checking for running applications when an application is about to install.

This is a very big deal as well, we can now add .exe files that shouldn’t be running when our application is trying to install. We add the .exe files in a new tab for the deployment type.

Check running

I tested with an available deployment to a user and then this dialog is shown. A friendly name would be a great addition so the user knows what to close, a retry option like in the TS would also be good.

Software Center dialog

Android for Work

Android for work is in the console but not yet operational. Also high on our list to Santa.

Android for work

Data Warehouse

We got a new Site System role, "Data Warehouse Service Point", which is just that, a Data Warehouse. It makes it possible to copy data to another SQL database for long-term storage. This is great as it can replace all the custom solutions out there today. I love the

DataWarehouse

We can then choose which custom tables to include/exclude in our Data Warehouse and when to synchronize data.

DataWarehouse1

There are a couple of built-in reports as well that use the Data Warehouse as data source. The one I am sure I will use the most is the "Endpoint Protection and Software Update Compliance" report. Great stuff, no more custom solutions to solve that for customers.

DWReports

OData endpoint data access

We have a new option under Site Properties to enable a REST endpoint for querying Configuration Manager data from the tool of our choosing, Power BI or Excel for instance.

RESTful OData

Express files support for Windows 10 (RS2 or update to RS1 in early 2017 required)

We can now enable support for Express updates both on our Software Update Point and in the client settings as well to allow the client to use the Express files. This feature requires either Windows 10 RS2 or an update coming to Windows 10 1607 in early 2017 to work. Express updates are a big deal, because they bring down the amount of data that the clients will download when applying Windows 10 Cumulative Updates.

Express updates SUP

Express updates client

Enhancement for online-licensed apps from the Windows Store for Business (RS2 required)

This feature will make it possible to deploy Online licensed apps using Configuration Manager, the next step towards the future of application management.

Azure AD onboarding

We can now add our Azure AD to Configuration Manager which can in turn be used by the Cloud Management Gateway to provide user policies to our clients when they use the Cloud Management Gateway.

AzureAD

In-console improvements

There are some console improvements, where my favorite is that it actually remembers if you selected to search sub-nodes.

Search

So many new features to try out! There are more, like the command line tool to cleanup content in the content library and I am sure much more as well. I will play around with it some more and see what I can find.

Data Warehouse for historical reporting
Azure Active Directory Onboarding
Windows Hello for Business toast notification
Enhancement for online-licensed apps from the Windows Store for Business
Express files support for Windows 10 cumulative update

I promised last week I would write a blog post on how I use OSDbackground in case of a Task sequence failure, so here it is. OSDbackground gives us the possibility to show an error in case a Task Sequence fails and when doing so it also provides us with the option to read all TS variables and open a command Prompt or CMtrace without having F8 Support enabled.

Well, to handle errors in a Task Sequence I use a couple of small scripts that I will describe here and that can be downloaded further down in the blog post. Basically, the functionality is the same as in an MDT integrated Task Sequence.

We start by using a group called "Execute Task Sequence" with the "Continue on error" option selected.

TS error handling

Then we run our whole Task Sequence within that group, in that way we can catch any error in a group later in the Task Sequence.

I also set the variable shown above “SMSTSErrorDialogTimeOut” to “28800” which equals 8 hours. If the task sequence fails, the countdown timer will count down from 8 hours before restarting.

SMSTSErrorDialogTimeOut

In the end of the Task Sequence we have two groups, “OSD Completion” and “OSD Error”.

The OSD Completion group is run as the name indicates when the Task Sequence is successful, using the Task Sequence variable “_SMSTSLastActionSucceeded” = “True”. We remove the computer from the OSD Collection using the Onevinn WebService in this group as well.

OSDCompletionGroup

I also added a little step to stop the OSDBackground process, if we don’t restart the computer after we started OSDBackground the last time it will still show as desktop background when the user logs on.

The Powershell script used looks like this.

# Stop the OSDBackground process so it does not remain as the desktop background after the user logs on
Stop-Process -Name "OSDBackground" -Force -ErrorAction SilentlyContinue

What if the Task Sequence fails?

In the OSD Error group we have a couple of interesting steps as well. The OSD Error group has the following condition, using the same Task Sequence variable as before, but now for the case when there is an error in the Task Sequence: "_SMSTSLastActionSucceeded" = "False".

OSDErrorGroup

The next step saves the error code from the Task Sequence step that actually failed in a Task Sequence variable called "ErrorReturnCode". We use that later to actually fail the Task Sequence using a script, but with the original error code.

SaveErrorCode

The next step uses OSDBackground to change the background image and enables us to open a password-protected debug mode with command prompt support without having F8 enabled.

OSDBackgroundError

The next three steps are from the sample scripts in the Onevinn OSD WebService, and the first one sets a couple of variables we need to be able to remove it from the Collection used to target the OS deployment.

SetTSVariable

The next step removes the computer from the OSD Collection.

RemoveFromOSDCollection

We can then disable the computer account using the Web Service in the domain to make sure no one uses a computer with a failed OS deployment potentially missing anti-virus and much more.

Disable Computer account

Then we use a small script that will fail the Task Sequence with the original error code that we saved in the variable before.

SetErrorCode

The script used looks like this:

# Connect to the running Task Sequence environment
$tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment

# Exit with the error code saved earlier from the failed step, so the Task Sequence fails with the original code
exit $tsenv.Value("ErrorReturnCode")

The result is a Task Sequence that will end up with this dialog when it fails.

TaskSequenceError

Now we can right-click in the upper left corner and supply the configured password to open the debug options in OSDBackground and troubleshoot our Task Sequence error without having F8 enabled in our boot image.

TSError2

OSDBackground was updated on Technet yesterday as well, so if you don’t have CMtrace in your image, you can just copy Cmtrace.exe to the OSDBackground package and it will copy CMtrace to the local drive so it can be used to read the log files. A great addition by Johan!
The two scripts used can be downloaded here and I would add them to the OSDBackground package so we can run them from the same package in our Task Sequence.

OSDBackground Addon

Thanks Johan Schrewelius for creating OSDBackground!!

I wrote a blog post a while ago on a tool my colleague Johan Schrewelius has published which sets the OSD background during OSD and gives us the possibility to troubleshoot without F8 support enabled, which should be avoided. An update of OSDBackground is now published with some bug fixes like:

1. Added Management Point to Wallpaper.

2. Made "ComputerNameVariable" case-insensitive.

3. Masked sensitive TS Variables in Debug mode.

4. Added support for Error background.

5. Moved background pictures to sub folder

The error background is a great addition. Using this we use OSDBackground with a specific background when a Task Sequence fails, and then we can access a Command Prompt or CMTrace without F8 support enabled. We need to have a section in our Task Sequence with steps that are executed when a TS fails; I will write a post on that later this week. Configuring the "SMSTSErrorDialogTimeOut" variable to, for example, 28800 = 8 hours is a good idea so we have time to catch the computer with the error still present.

SMSTSErrordialogTimeOut

Adding a step to our TS failed section like this:

OSDBackground Error

Then we get the following dialog when the Task Sequence fails.

TaskSequenceError

OSDBackground can be downloaded on Technet Gallery: https://gallery.technet.microsoft.com/Replacement-for-BGInfo-0095cff3

I have used Michael Niehaus' excellent script for dumping all task sequence variables during OSD, which is great for troubleshooting: https://blogs.technet.microsoft.com/mniehaus/2010/04/26/dumping-task-sequence-variables/

However it dumps all TS variables including:

  • _SMSTSReserved variables, which for instance contain the Network Access Account username and password in clear text. The same goes for the Domain Join account used in the Task Sequence.
  • _OSDOAF, which contains the TPM Password Hash for the computer if the Pre-Provision BitLocker step is used and it takes ownership of the TPM.

So my colleague Johan Schrewelius posted a nice little PowerShell script that can be used instead, which excludes the "sensitive" variables and only writes the public ones to the log file.
It can be downloaded here: https://gallery.technet.microsoft.com/Task-Sequence-Variables-de05b064

In many environments, scripts used for troubleshooting like this are left in the production Task Sequences, and that is not a really good idea if the output includes usernames/passwords in clear text or the TPM password hash.

The script simply filters out the “sensitive” variables:

Filter

So if you need to use a script to list the TS variables, be careful where that log file is stored, or use this one.
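As an added illustration of the filtering described above (this is not Johan's published script), the following PowerShell dumps the Task Sequence variables to a log in the current smsts.log folder while masking the values of the _SMSTSReserved* and _OSDOAF variables called out in the post. It assumes it runs inside a Task Sequence, where the Microsoft.SMS.TSEnvironment COM object and the _SMSTSLogPath variable are available; the extra "Password" name pattern is an assumption added to catch custom variables that carry credentials.

```powershell
# Added example, not the script published on the TechNet Gallery.
# Assumes it is run as a "Run PowerShell Script" step inside a Task Sequence.
$tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment

# Variable-name patterns whose values must never reach a log file:
#   _SMSTSReserved*  - network access / domain join account credentials
#   _OSDOAF          - TPM owner auth (hash) from Pre-Provision BitLocker
#   *Password*       - assumption: custom variables carrying passwords
$sensitivePatterns = @('^_SMSTSReserved', '^_OSDOAF$', 'Password')

function Test-SensitiveTSVariable {
    param([string]$Name)
    foreach ($pattern in $sensitivePatterns) {
        if ($Name -match $pattern) { return $true }
    }
    return $false
}

# Write the dump next to smsts.log so it is collected with the other TS logs
$logPath = Join-Path -Path $tsenv.Value('_SMSTSLogPath') -ChildPath 'TSVariables.log'

$lines = foreach ($name in ($tsenv.GetVariables() | Sort-Object)) {
    if (Test-SensitiveTSVariable -Name $name) {
        # Keep the name so you can see the variable exists, but never its value
        "$name = ***MASKED***"
    } else {
        "$name = $($tsenv.Value($name))"
    }
}

$lines | Out-File -FilePath $logPath -Encoding UTF8
Write-Output "Wrote $($lines.Count) variables to $logPath"
```

Even with the masking in place, remove or disable the dump step before the Task Sequence goes to production, since the remaining variables still describe the deployment in detail.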

Great to wake up to a new release of Configuration Manager Technical Preview 1611! The Configuration Manager team must have been really busy, first shipping 1610 and then a week after 1611 technical Preview.

Truly impressed by the work they are putting in the product!

Not that many new features in 1611 Technical Preview though but a really useful one, the possibility to pre-cache the content for an available Task Sequence deployment.

Cm1611TP New

Pre-Cache

In previous releases there have been more features than were listed in the What's New section. I wonder if there are any this time.

In Windows 10 1607 the TPM Password Hash is no longer accessible from within Windows. This is a design change to increase the security in Windows 10, which you can read more about here: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/change-the-tpm-owner-password

Quote: “Starting with Windows 10, version 1607, Windows will not retain the TPM owner password when provisioning the TPM. The password will be set to a random high entropy value and then discarded.”

The ability to turn on TPM Backup to AD using Group Policy is also removed in the Windows 10 1607 .ADMX files as documented here: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/trusted-platform-module-services-group-policy-settings

The behaviour is controlled by the registry value "HKLM\Software\Policies\Microsoft\TPM\OSManagedAuthLevel". By default it is set to "2", which means Windows will discard the TPM Password Hash; if we set it to "4" the hash is retained.

When we upgrade ADK to 1607 we get the same behavior in WinPE so the script used before to capture the TPM Password Hash when we use Pre-provision Bitlocker and write it to registry doesn’t work anymore.

When my colleague Johan Schrewelius and I tested this, we found a Task Sequence variable called "_OSDOAF" that contains the TPM password hash if the Pre-Provision BitLocker step is used in the Configuration Manager Task Sequence.

Johan posted two PowerShell scripts here on the TechNet Gallery: one that reads the TS variable, writes it to the registry and sets "OSManagedAuthLevel" to "4", since otherwise it will be removed by Windows again. https://gallery.technet.microsoft.com/for-handling-TPM-Password-be7ee062

And one that simply sets the "OSManagedAuthLevel" value back to default.

Here are the steps that are involved, I disabled the SaveWinPETPMOwnerAuth.wsf that we used before to achieve the same thing.

TPM Pass the Hash

The "MBAM TPMPassTheHash" step, as we call it, runs the following script. A computer restart must be run before the Invoke-MbamClientDeployment step is run.

TPM Pass the Hash Step1

And the "Reset tpm policy" step will reset the value of "OSManagedAuthLevel" back to default.

TPM Pass the Hash Step2

Then we have the TPM password Hash in our MBAM database once again.

Note that it is recommended that the TPM Password Hash isn’t saved anymore as stated in one of the links above. “Microsoft strongly recommends that you do not change the default value of this registry key in order to retain the owner password.”

But in some scenarios we still want to be able to do it.