CCMEXEC.COM – System Center blog

CCMEXEC.COM – by Jörgen Nilsson

Browsing Posts in System Center Configuration Manager

Techdays in Sweden is the biggest event of its kind in Sweden and I always enjoy it. Meeting old colleagues, customers, Microsoft employees, MVP’s and fellow community peers, it is always so much fun! This year I have the great honor to be hosting a pre-conf together with Peter Löfgren at TrueSec “Windows 10 – Client management now and in the future“, we will gather our combined experience around Windows 10 Configuration Manager, UE-V and so on and also try to look in a Crystal ball and look at the future and where we are going with Client Management. Really looking forward to it!!

I will also deliver two sessions:

What’s new on Configuration Manager 17xx and Beyond, Configuration Manager is the leading product when it comes to and on-prem application delivering continuous innovation with 15 releases every year!! 3 Current Branch releases and 12 Technical Preview releases!  I will cover the latest features in both Current branch and technical previews!

Windows 10+EMS = Helt fantastiskt!, together with my fellow colleague and MVP Anders Olsson. We will focus on the latest and greatest of features in a Combination of Windows 10 and EMS.

The session are held in Swedish and I hope to see many old and meet new friends at the event! http://tdswe.se/

MTD_Talarbanner_250x300

At MMS 2017 in Minneapolis me and Ryan Ephgrave @EphingPosh had the great honor of doing a session on some of the great Community tools out there for Configuration Manager. We did it last year as well with the help of Kent Agerlund and it is always great fun, just preparing it, researching looking for new tools, what has changed, what is updated is great!

We did some polls as well on Twitter this year on which tools people used for different purposes, the result of these polls is in this post as well together with the links to the tools we talked about and demoed.

WP_20170517_13_00_51_Pro

Infrastructure

Configuration Items

Applications

Software Updates Reports

Software Update PowerBI

Software Updates

OS Deployment

Frontends

Frontends

Right – click tools

Right click tools

Troubleshooting tools

Troubleshooting tools

In Windows 10 1703 – Creators Update there is a new Group Policy setting that actually allows us to control what is visible in “Settings” for our users. This is useful for computers with a specific purpose for instance or other business requirements. The policy is called “Settings Page Visibility” it can be used to either Hide a specific settings or Show only a specific setting or settings.

Example to hide the Bluetooth settings page we use the GPO with the settings hide:bluetooth as shown below.

HideOn the machine the Bluetooth settings is actually gone:

NoBluetoothWe can also use the Group Policy setting with the “ShowOnly” option as shown below.

ShowOnlyGPO

On the computer the Settings page will now only show, Colors, Start and Themes

ShowonlyThe syntax for the settings you want to hide/show is not that easy to find, this is where I found them, https://docs.microsoft.com/en-us/windows/uwp/launch-resume/launch-settings-app

Updated after comment on post, the Gaming can be hidden the following needs to be added to hide the group.

hide:gaming-gamebar;gaming-gamedvr;gaming-broadcasting;gaming-gamemode

Tip on how to test them, you can just launch run and type: MS-Settings:Colors for instance and it will launch the Colors settings node. We can also use this to create shortcuts to different settings.

Run

And Colors is launched.

Colors

That is basically it, great for some scenarios!

In previous versions of Windows 10, before 1703 built-in apps that couldn’t be uninstalled could still be blocked with Applocker so that they never got installed and it has worked great! With Windows 10 1703 there are two apps that I have identified as not being able to uninstall, it is not a Windows Capability which we can block that way. The result I am seeing when blocking for instance and Connect and Mixed reality portal using Applocker is this.

Applocker block

Me and Johan Schewelius wrote a small .cmd file that simply deletes the app after the image has been applied on the disk during OS deployment and then the app is simply never installed.

This is highly unsupported so use it at your own risk!

DisarmStuborn apps1

And from the Task Sequence we call it after the Operating System has been applied.

DisarmStuborn apps

Then the app cannot be installed during setup.

Again this is unsupported use at your own risk!!

I posted a Configuration Manager Configuration Item and Baseline a while back that checks to see if Applocker is configured and running. Another important thing to check on Windows 10 is that Credential Guard is configured and running. Credential Guard is an extremely important security feature in Windows 10 and should be used and of course we need to make sure that is active and running.

Here is a Configuration Item and Baseline that will do those checks. We use a Powershell script to check that Credential Guard is configured and running.

$DevGuard = Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard

return $DevGuard.SecurityServicesConfigured -contains 1 -and $DevGuard.SecurityServicesRunning -contains 1

Same as the Applocker post I wrote we need to configure the Powershell policy in Client settings or sign the script.

Powershell Client agent setting

If we compare it to the Applocker CI we created credential Guard doesn’t exist on Operating Systems earlier than Windows 10 so we need to configure that as well, otherwise the steps are the same. Here they are:

We create a new Configuration Item, and select the option to apply to Windows Desktops and Servers (custom)

Credential Guard 1

Select the supported platforms:

Credential Guard 2

Select New in the Settings step

Credential Guard 3

Create a new Configuration Item with following settings:

-Settings Type: Script

-Data type: Boolean

And then click “Add script”

Credential Guard 4

Then we edit the discovery script and paste the script as shown below.

Credential Guard 5

Then we create a compliance rule.

Credential Guard 6

Then we create a compliance rule with the following settings.

Credential Guard 7

Then we can add it to a baseline and deploy it to our clients. And again for all of you that took the time to read the whole post you can download an exported .Cab file which contains both a CI and the baseline used from here:Credential Guard status

Configuration Manager 1704 Technical Preview was released yesterday, some really awesome stuff in there this time for all OSD fans for sure!

If you aren’t running Technical Preview in a test environment you really should! It is a great way of getting to know the new features and a great way of providing feedback to make the features even more valuable for your organisation. Technical Preview 1703 is the current baseline you can grab it here: https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection-technical-preview then you can upgrade that to 1704 TP.

You can make it easy for you and use Johan Arwidmarks excellent hydration kit to get a test environment up and running. http://deploymentresearch.com/Research/Post/580/Hydration-Kit-For-Windows-Server-2016-and-ConfigMgr-Current-Technical-Preview-Branch

Now let’s look at what is new in 1704 Technical Preview.

Nested Task Sequences

This is something that many of has dreamed about for years and wished for and now it is finally here, we can call a Task Sequence from a Task Sequence. We have a new Task Sequence Step called “Run Task Sequence” which will give use great possibilities to make our Task Sequences smarter. There are some limitations in this Technical Preview release that you should be aware of so check the documentation so you now what is possible or not.

RunTS

Android for Work app configuration

Android for work will be the way to manage Android devices in the future and now we got the ability to configure Android for Work apps in the same way we can do with iOS apps today. This is great news making the Android platform a real challenger for companies.

Android for Work configuration

Secure Boot Inventory

We got the possibility to inventory if UEFI is enabled or not before and now we can inventory if Secure Boot is enabled or not as well. It is inventoried per default.

secureboot

Reload the Boot images with the latest WinPE version

We need to update the ADK and WinPE version used twice a year as it looks now with the current release cadence of Windows 10 and supportability with Configuration Manager. We got a new way to do this which makes it much easier we can simply select to update the WinPe version when we distribute the boot images to our DP’s.

Reload Boot Images

Powershell support to create advanced detection methods

A long awaited addition, we can now create advanced detection methods for applications using Powershell.

https://blogs.msdn.microsoft.com/ameltzer/2017/04/20/powershell-how-to-add-enhanced-detection-methods-to-deployment-types-1704-tp/

Eliminate Duplicate Records when converting BIOS-UEFI

This is an issue that has been raised and seen when convertin BIOS-UEFI we get a dupliate record as the under-laying hardware ID could change, these duplicate records are now elimated in the TP 17+04 release. We actully could use that as a hotfix to the 1702 release as well…

High DPI support in the admin console

Now that we have cool devices with high resolution this has been an issue that the SCCM Admin Console didn’t support High-DPI very well. now that is solved as well. Long awaited!! :D

OS version Column in the System Images node

We can now see what OS version an OS Image is based on in one of the Columns in the System Images Node, makes life a little easier.

OS version

More efficient logging in SMSTS.log

Improvements have been made to the SMSTS.log file and logging which will make it easier to read the logs. Will test that and see how much difference it makes when time allows.

Installing the 1704 TP update

Another thing to note as well is the new behavior that updates aren’t automatically downloaded any more bin the Updates and Servicing node, we need to decide which updates to download. The reason behind this is that you don’t have to download updates/hotfixes that you perhaps skip and don’t install.

Download Update

For a full list of features check out the documentation here: https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1704

In Configuration Manager 1702 there is a new feature /site system role(pre-release) called Data Warehouse. This is a great addition as I cannot count the time I have setup and configured another database and then on a schedule moved data to that Database instead to be used both for historical data and by other systems that shouldn’t query our precious Configuration Manager database during production hours.

Many times, performance issues in Configuration Manager has been caused by developers querying the Configuration Manager database with really bad queries causing the overall performance being degraded.

In Configuration Manager 1702 the Data Warehouse feature holds all the answers to those issues. With the Data Warehouse Service Point role we can transfer SQL data to a another SQL database. That server doesn’t need to have the same high-spec as the Configuration Manager Database.

When we configure the Data Warehouse Service Point role we set a Schedule on when the data should be transferred to the Data Ware house and how often. Adding the Data Warehouse service connection point.  At is it still a pre-release feature you need to opt-in to using pre-release features, that is done in the Hierarchy Settings.

Pre-release features

To add the Data Warehouse service point we do add the Data Warehouse Service Point role to the server that should host the role.

DataWareHouse Service Point

We add the SQL Database Server Name, database name and Port to be used.

DataWareHouse Service Point 2

We can then configure how often it should synchronize the data.

DataWareHouse Service Point 3

We also get a couple of new reports that will show historical data from the Data Ware house database which are cool and useful as well if we have compliance rules applied to our business. No more exporting data at the end of each year to .CSV files for historical compliance reporting and Endpoint protection and software update compliance.

DataWareHouse reports

When configuring the Data Ware house don’t forget to grant the Reporting Service User account used in Configuration Manager “Data Reader” role permissions to the Data Warehouse Database, otherwise this message will show up when running the reports.

Error Displaying Reports

We grant the SQl Reporting Service user account the data reader role.

Reporting user permissions

After granting the Reporting Services user account permissions to the database the reports now run as they should.

Reporting user permissions_2

The Data Warehouse role is a great feature so you should try it out!

Windows 10 1703 is here! And is has some great new features as always, we are still waiting for the official .ADMX files and the documentation on what GPO’s are new and have changed. Some are changed like the Credential Guard setting where we have more options. I did a quick comparision so there are more I am sure, some are renamed some are moved so it is hard to put together. The components with most new settings are Microsoft Edge, Delivery Optimization and Windows Update.

Microsoft Edge have taken huge steps and is working great. The feature that will please out customers the most are the fact that we can synchronize Microsoft Edge and Internet Explorer favorites! Simple, small feature that will increase the adoption of Microsoft Edge. Setting a custom Start page that the users an change is great news as well.
Edge IE Sync

Here are the list on new GPO settings that my little investigation found, I am sure I missed some of them. Didn’t include changed ones like credential Guard improvements for instance. But it could be useful until we get the official documentation.
Windows 1703 New GPOs
And here it is in Excel which could make sense. Windows 10 1703 new GPOs