Friday, December 30, 2016

Step by Step Installation of SCCM CB1606

Step-by-step guide to installing SCCM CB 1606 on Windows Server 2012 R2.
I have already installed SQL Server on the same box and completed all the configuration.
Now you are ready to install CB 1606.
Go to the ISO image and extract it. Follow the steps in the given file and your SCCM installation will be completed.
You can download the complete guide from the following link.

Step by Step Installation of SCCM CB1606

Tuesday, December 13, 2016

Windows 10 Servicing Model and plan

I was searching for information about the Windows 10 servicing model and plan but did not find much on the internet, so I thought I should share my knowledge with you. Go through the complete blog post and let me know what you think, and whether the provided solution meets your expectations.

I have gone through Naill's blog, which is our master database for any new feature in SCCM or MS Intune.
Windows 10 servicing

However, I thought I would also give some more details and have blogged about it.
In System Center Configuration Manager, you can view the state of Windows as a Service in your environment, create servicing plans to form deployment rings and ensure that Windows 10 current branch systems are kept up to date when new builds are released, and view alerts when Windows 10 clients are near end of support for their build of Current Branch (CB) or Current Branch for Business (CBB).
The following Windows 10 branch and build information is discovered and stored in the following attributes:
o    Operating System Readiness Branch: Specifies the operating system branch. For example, 0 = CB (do not defer upgrades), 1 = CBB (defer upgrades), 2 = Long Term Servicing Branch (LTSB)
o    Operating System Build: Specifies the operating system build. For example, 10.0.10240 (RTM) or 10.0.10586 (version 1511)
·         The service connection point must be installed and configured for Online, persistent connection mode to see data on the Windows 10 servicing dashboard. When you are in offline mode, you will not see data updates in the dashboard until you get Configuration Manager servicing updates.

Specify the group policy setting, Defer Upgrades and Updates, to determine whether a computer is CB or CBB.

Servicing plan workflow
Windows 10 servicing plans in Configuration Manager are much like automatic deployment rules for software updates. You create a servicing plan with the following criteria that Configuration Manager evaluates:
·         Upgrades classification: Only updates that are in the Upgrades classification are evaluated.
·         Readiness state: The readiness state defined in the servicing plan is compared with the readiness state for the upgrade. The metadata for the upgrade is retrieved when the service connection point checks for updates.
·         Time deferral: The number of days that you specify for How many days after Microsoft has published a new upgrade would you like to wait before deploying in your environment in the servicing plan. Configuration Manager evaluates whether to include an upgrade in the deployment if the current date is after the release date plus the configured number of days.
When an upgrade meets the criteria, the servicing plan adds the upgrade to the deployment package, distributes the package to distribution points, and deploys the upgrade to the collection based on the settings that you configure in the servicing plan. You can monitor the deployments in the Service Plan Monitoring tile on the Windows 10 Servicing Dashboard.
There are three Windows 10 servicing options we need to consider:
·         Current Branch
·         Current Branch for Business
·         Long Term Servicing Branch
Each branch has its own properties. If you are using Current Branch, then updates and upgrades are made available as soon as they are released from Microsoft, and the key benefit is that it makes new features available to users as soon as possible. Current Branch for Business allows more time (4 to 8 months depending on your Defer Updates and Upgrades preferences) to 'wait and see' how those updates (and upgrades) can impact your environment. The key benefit here is that it provides additional time to test new feature upgrades before deployment, which is useful in a business scenario. Long Term Servicing Branch is aimed at low-change configurations (Operational Technology for example) where changing functionality can impact production.

In the ConfigMgr console select Software Library and expand Windows 10 Servicing. The below screenshot should appear. 


The following table clarifies the servicing plan:
·         Release Ready : Current Branch
·         Business Ready : Current Branch for Business
·         Long Term Servicing Branch : Long Term Servicing Branch

Create a Windows 10 servicing plan

Step 1: Sync the SUP with WSUS.
Then create the servicing plan.
Servicing plans are akin to Automatic Deployment Rules (ADR) in Software Updates in that they can automatically download and deploy updates to a collection based on the settings you define in the rule. Servicing plans, however, allow you to define what Windows 10 branches are in use in your environment and then monitor them in the servicing dashboard. From version 1602 onward, servicing plans are also tied so that you can manage the behavior for high-risk deployments.

Note: Servicing plans are designed to upgrade Windows 10 versions from one build to another build only.

You will create a servicing plan for Windows 10 Current Branch. In the ConfigMgr console, select Software Library and expand Windows 10 Servicing. Select Servicing Plans and, in the ribbon, click on Create Servicing Plan.

  
When the wizard appears, give the Servicing Plan a suitable name like SUM: Servicing Plan for Windows 10 (The SUM prefix allows you to clearly see that the deployment is for software updates in the monitoring console later.)

Next, point it to your target collection. This collection should contain Windows 10 computers that are suitable for this servicing plan (i.e. Current Branch as defined by not setting the Defer Upgrades setting).


Next you get to choose which Deployment Ring you'd like to use. The Deployment Ring refers to the Windows readiness state that applies to this servicing plan, and once again you get to choose between Release Ready (Current Branch) or Business Ready (Current Branch for Business). Depending on which state you choose, you will see different results in the console, so it's a good idea to use the Preview button on the Upgrades screen particularly when moving the days (to wait) slider.
This servicing plan is aimed at Current Branch computers, so select the first option.
On the Upgrades screen, select the three checkboxes and set the search criteria to:
·         Language = English
·         Required = >=1
·         Title = Upgrade to Windows 10 Enterprise

Note: Make sure to select the right version (SKU) of Windows 10 for your deployment. If your clients are running Windows 10 Enterprise, then you should select the Enterprise version of the upgrade.

Next, click on the Preview button. This will show which updates the wizard found that match your criteria.

For the Deployment Schedule screen, set the Software Available Time to be at least 4 hours after the rule has run so that the actual software update deployment packages can reach the destination distribution points. On a slow WAN, increase that time. For Installation Deadline, the deadline is the displayed deadline time plus a random amount of time up to 2 hours; this is to reduce the load generated by all computers in the collection downloading the updates at the same time.



On the User Experience screen, for User Notifications select Display in Software Center and show all notifications. For Deadline behavior, place a checkmark in Software Update Installation and System Restarts.
On the Deployment Package screen, choose Create a new deployment package and fill in the details as appropriate.

Add the DP

Then download from the internet
Review additional servicing plan properties


Select the Evaluation Schedule tab, as you can see by default it's set to run after every SUP sync, if you want to change that behavior modify it here.

Then run the servicing plan.
That’s it. Review all the steps and check that the update arrives on Windows 10.



Set up cloud management gateway for Configuration Manager

Today we will talk about how to set up the cloud management gateway in our SCCM environment, which is available with SCCM CB 1610.

Step 1: Create SSL certificate

You can create a custom SSL certificate for cloud management gateway in the same way you would do it for a cloud-based distribution point. Follow the instructions for Deploying the Service Certificate for Cloud-Based Distribution Points but do the following things differently:

When setting up the new certificate template, give Read and Enroll permissions to the security group that you set up for Configuration Manager servers.

When requesting the custom web server certificate, provide an FQDN for the certificate's common name that ends in cloudapp.net for using cloud management gateway on Azure public cloud or usgovcloudapp.net for the Azure government cloud.

Step 2: Export the client certificate's root

The easiest way to export the root of the client certificates used on the network is to open a client certificate on one of the domain-joined machines that has one and copy it.

In the Run window, type mmc and press Return.

On the File menu in the management console, click Add/Remove Snap-in....

In the Add or Remove Snap-ins dialog box, click Certificates, click Add >, click Computer account, click Next, click Local computer, and then click Finish. Click OK to close the dialog box.

Go to Certificates > Personal > Certificates.

Double-click the certificate for client authentication on the computer, click the Certification Path tab, and double-click the root authority (at the top of the path).

Click the Details tab, and click Copy to File....

Complete the Certificate Export Wizard using the default certificate format. Make note of the name and location of the root certificate you create. You will need it to configure cloud management gateway in a later step.

Step 3: Upload the management certificate to Azure

An Azure management certificate is required for Configuration Manager to access the Azure API and configure cloud management gateway.

Upload an Azure Management API Management Certificate

Make sure to copy the subscription ID associated with the management certificate. You will need it for configuring cloud management gateway in the Configuration Manager console in the next step.

Step 4: Set up cloud management gateway

In the Configuration Manager console, go to Administration > Cloud Services > Cloud Management Gateway.

Click Create Cloud Management Gateway.

In Create Cloud Management Gateway Wizard, enter your Azure subscription ID (copied from the Azure management portal), click Browse, and select the certificate file you used to upload as an Azure management certificate. Click Next. Wait a few moments for the console to connect to Azure.

Fill out the additional details in the wizard:

Specify the name for the service which will run in Azure. Service name must be alphanumeric characters only and 3-24 characters in length.

Choose the Azure region you want the service to run in.

Specify the number of virtual machines you want to use for the service. The default is 1, but you can run up to 16 virtual machines for the service.

If you use an internet proxy for the cloud management gateway connection point, you need to increase the number of ports on the proxy by the number of virtual machines you use, starting at port 10124.

Specify the private key (.pfx file) that you exported from the custom SSL certificate.

Specify the root certificate exported from the client certificate.

Specify the same service name FQDN that you used when you created the new certificate template. You must specify one of the following suffixes for the FQDN service name based on the Azure cloud you are using:

Azure cloud | FQDN suffix
Public (commercial) cloud | .cloudapp.net
Government cloud | .usgovcloudapp.net

Clear the box next to Verify Client Certificate Revocation (unless you're publicly publishing your CRL information).

Click Next when you're done.

If you want to monitor cloud management gateway traffic with a 14-day threshold, select the check box to turn on the threshold alert. Then, specify the threshold (in GB) and the percentage at which to raise the different alert levels. Click Next when you're done.

Review the settings, and click Next. Configuration Manager starts setting up the service. When the wizard completes, you can click Close; however, it will take between 5 and 15 minutes to provision the service completely in Azure. Check the Status column for the newly set up cloud management gateway to determine when the service is ready.

Step 5: Configure primary site for client certification authentication

In the Configuration Manager console, go to Administration > Site Configuration > Sites.

Select the primary site for the clients you want to manage through cloud management gateway, and click Properties.

On the Client Computer Communications tab of the primary site property sheet, check the box next to Use PKI client certificate (client authentication) when available.

Make sure to clear the box next to Clients check the certificate revocation list (CRL) for site systems. This option would only be required if you were publicly publishing your CRL.

Click OK.

Step 6: Add the cloud management gateway connector point

The cloud management gateway connector point is a new site system role for communicating with cloud management gateway. To add the cloud management gateway connector point, follow the instructions in Add site system roles for System Center Configuration Manager.

Step 7: Configure roles for cloud management gateway traffic

The final step in setting up cloud management gateway is to configure the site system roles to accept cloud management gateway traffic. For Tech Preview 1606, only the management point, distribution point, and software update point roles are supported for cloud management gateway. You must configure each role separately.

In the Configuration Manager console, go to Administration > Site Configuration > Servers and Site System Roles.

Click the site system server for the role you want to configure for cloud management gateway traffic.

Click the role, and then click Properties.

In the role Properties sheet, under Client Connections, choose HTTPS, check the box next to Allow Configuration Manager cloud management gateway traffic, and then click OK. Repeat these steps for the remaining roles.

Step 8: Configure clients for cloud management gateway

After the cloud management gateway and site system roles are completely configured and running, clients will get the location of the cloud management gateway service automatically on the next location request. Clients must be on the corporate network to receive the location of the cloud management gateway service. The polling cycle for location requests is every 24 hours. If you don't want to wait for the normally scheduled location request, you can force the request by restarting the SMS Agent Host service (ccmexec.exe) on the computer.

With the location of the cloud management gateway service configured on the client, it can automatically determine whether it’s on the intranet or the Internet. If the client can contact the domain controller or the on-premises management point, it will use it for communicating with Configuration Manager. Otherwise, it will consider itself to be on the Internet and use the location of the cloud management gateway service to communicate.

You can force the client to always use cloud management gateway regardless of whether it’s on the intranet or Internet. To do that, you set the following registry key on the client computer:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\Security, ClientAlwaysOnInternet = 1

To verify that clients can contact Configuration Manager, you can run the following PowerShell command on the client computer:

gwmi -namespace root\ccm\locationservices -class SMS_ActiveMPCandidate

This command displays the management points the client can contact including the cloud management gateway service.
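The wizard values from Steps 1, 2 and 4 can be checked before the gateway is created. The following is an added example, not part of the original guide or of Configuration Manager: the function name, parameter names and sample values are hypothetical, and the proxy port list assumes one port per virtual machine starting at 10124.

```powershell
# Added example: pre-flight checks for the values entered in the Create Cloud
# Management Gateway Wizard. Function and parameter names are hypothetical.
function Test-CmgWizardInput {
    param(
        [Parameter(Mandatory = $true)][string]$ServiceName,
        [Parameter(Mandatory = $true)][string]$ServiceFqdn,
        [ValidateSet('Public', 'Government')][string]$Cloud = 'Public',
        [int]$VmCount = 1,
        [string]$RootCertPath   # optional: the .cer file exported in Step 2
    )
    $suffix = @{ Public = '.cloudapp.net'; Government = '.usgovcloudapp.net' }[$Cloud]
    $problems = New-Object 'System.Collections.Generic.List[string]'

    # Step 4: service name is alphanumeric only, 3-24 characters.
    if ($ServiceName -notmatch '^[A-Za-z0-9]{3,24}$') {
        $problems.Add("Service name '$ServiceName' must be 3-24 alphanumeric characters.")
    }
    # Steps 1 and 4: the FQDN must end in the suffix of the chosen Azure cloud.
    if (-not $ServiceFqdn.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
        $problems.Add("FQDN '$ServiceFqdn' must end in '$suffix'.")
    }
    # Step 4: 1 (default) to 16 virtual machines.
    $ports = @()
    if ($VmCount -lt 1 -or $VmCount -gt 16) {
        $problems.Add("VM count $VmCount is outside the supported range 1-16.")
    } else {
        # Assumed reading of the proxy note: one port per VM, starting at 10124.
        $ports = @(10124..(10124 + $VmCount - 1))
    }

    if ($RootCertPath) {
        $x509 = 'System.Security.Cryptography.X509Certificates'
        $root = New-Object "$x509.X509Certificate2" -ArgumentList $RootCertPath
        # A root certificate is self-signed, so subject and issuer are identical.
        if ($root.Subject -ne $root.Issuer) {
            $problems.Add("'$RootCertPath' is not a root certificate (issuer: $($root.Issuer)).")
        }
        # Every client authentication certificate in the computer store should
        # chain up to the exported root, because that root is given to the wizard.
        $clientAuthOid = '1.3.6.1.5.5.7.3.2'
        foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
            $ekus = $cert.Extensions |
                Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                ForEach-Object { $_.Value }
            if ($ekus -notcontains $clientAuthOid) { continue }
            $chain = New-Object "$x509.X509Chain"
            [void]$chain.Build($cert)
            $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
            if ($top.Thumbprint -ne $root.Thumbprint) {
                $problems.Add("Client certificate $($cert.Thumbprint) chains to '$($top.Subject)', not the exported root.")
            }
        }
    }

    [pscustomobject]@{
        Valid      = ($problems.Count -eq 0)
        ProxyPorts = $ports
        Problems   = $problems
    }
}

# Constructed sample values, not taken from a real deployment.
Test-CmgWizardInput -ServiceName 'ContosoCMG01' -ServiceFqdn 'ContosoCMG01.cloudapp.net' -VmCount 2
```

Run it with -RootCertPath on a domain-joined machine that holds a client authentication certificate, since the chain check reads the local computer certificate store.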

Thursday, October 13, 2016

Changes to Software Updates on Down Level Operating Systems for ConfigMgr Admins

I wanted to share information with you about the much-awaited Patch Tuesday, which is live now. Microsoft is now releasing only Quality updates (Monthly Quality rollup and Monthly Quality).
Gone are the days of having multiple KBs and updates for each operating system and component; we will have only one quality update, which is really great.

An important point: the Quality update will not be available on Windows Update, so users can’t install it directly on their machines.

From Patch Tuesday in October 2016, there will be 3 update types released for each Windows version and architecture. The updates are described in the table below:

Update Type | Description | Release Time | Classification | Windows Update | WSUS | Windows Update Catalog
Monthly Rollup | Includes security fixes, reliability fixes, bug fixes, etc. Supersedes and includes all updates provided previously. | 2nd Tuesday | Security | Yes | Yes | Yes
Security only | Security fixes released this month | 2nd Tuesday | Security | No | Yes | Yes
Monthly Rollup Preview | Includes all previous security updates, and new reliability fixes, bug fixes, etc. Does not include new security fixes on top of the Monthly Rollup. | 3rd Tuesday | Updates | No | Yes | Yes


The updates will have names of the format:

Update Type | Name Format | Example
Monthly Rollup | [Month, Year] Security Monthly Quality Rollup for [OS] [architecture] (KB #) | October, 2016 Security Monthly Quality Rollup for Windows Server 2012 R2 (KB3185331)
Security Only | [Month, Year] Security Only Quality Update for [OS] [architecture] (KB #) | October, 2016 Security Only Quality Update for Windows Server 2012 R2 (KB3192392)
Monthly Rollup Preview | [Month, Year] Preview of Monthly Quality Rollup for [OS] [architecture] (KB #) |
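The name formats above are regular enough to classify update titles automatically, for example when reviewing what a deployment rule picked up. This is an added example, not from the original post or from Microsoft: the function name and output property names are hypothetical, and the last two sample titles are constructed with a placeholder KB number.

```powershell
# Added example: classify update titles by the naming formats described above.
# The function name and output property names are hypothetical.
function ConvertFrom-QualityUpdateTitle {
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)][string]$Title)
    begin {
        # Title phrase -> attributes taken from the update type table in this post.
        $kinds = @{
            'Security Monthly Quality Rollup'   = @{ Type = 'Monthly Rollup'; Class = 'Security'; OnWU = $true; NewSec = $true }
            'Security Only Quality Update'      = @{ Type = 'Security Only'; Class = 'Security'; OnWU = $false; NewSec = $true }
            'Preview of Monthly Quality Rollup' = @{ Type = 'Monthly Rollup Preview'; Class = 'Updates'; OnWU = $false; NewSec = $false }
        }
        # [Month, Year] <phrase> for [OS] [architecture] (KB #)
        $pattern = '^(?<Month>[A-Za-z]+),\s*(?<Year>\d{4})\s+(?<Kind>' +
                   (($kinds.Keys | ForEach-Object { [regex]::Escape($_) }) -join '|') +
                   ')\s+for\s+(?<Target>.+?)\s+\((?<KB>KB\d+)\)\s*$'
    }
    process {
        $matched = $Title -match $pattern
        $k = if ($matched) { $kinds[$Matches['Kind']] } else { @{ Type = 'Unrecognized' } }
        # Same property set for every title so the results line up in one table.
        [pscustomobject]@{
            KB               = if ($matched) { $Matches['KB'] }
            UpdateType       = $k.Type
            Released         = if ($matched) { "$($Matches['Month']) $($Matches['Year'])" }
            Target           = if ($matched) { $Matches['Target'] }   # OS and architecture
            Classification   = $k.Class
            OnWindowsUpdate  = $k.OnWU
            NewSecurityFixes = $k.NewSec
            Title            = $Title
        }
    }
}

$titles = @(
    # The two example titles given in the table above.
    'October, 2016 Security Monthly Quality Rollup for Windows Server 2012 R2 (KB3185331)'
    'October, 2016 Security Only Quality Update for Windows Server 2012 R2 (KB3192392)'
    # Constructed titles with a placeholder KB number.
    'October, 2016 Preview of Monthly Quality Rollup for Windows Server 2012 R2 (KB0000000)'
    'Security Update for Windows Server 2012 R2 (KB0000000)'
)

# Titles that carry this month's security fixes, per the update type table.
$titles | ConvertFrom-QualityUpdateTitle |
    Where-Object { $_.NewSecurityFixes } |
    Select-Object KB, UpdateType, Target, OnWindowsUpdate
```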




So here you can see that for Windows 8.1 x64 we have only one Quality update and one monthly rollup, and the same goes for the other operating systems.
I tested this: all updates installed very fast and compliance increased from the previous month, because there are no longer multiple updates. Nothing is going to change in ConfigMgr; you just need to update the patching document :P

One more thing: the next current branch of #SCCM (CB1610) will support the Express updates format, for delta updates of Windows.

For more detail about the Patch Tuesday… see the following link.



Wednesday, September 28, 2016

Update 1609 for System Center Configuration Manager Technical Preview

Today Microsoft has released update 1609 for System Center Configuration Manager Technical Preview. Technical Preview releases give an opportunity to try out new Configuration Manager features in a test environment before they are made generally available. This month’s new preview features include:
  • Windows 10 Upgrade Analytics – Assess and analyze device readiness and compatibility with Windows 10 to allow smoother upgrades.  This is done through integration with Windows Upgrade Analytics.
  • Office 365 Client Management Dashboard – Use the Office 365 client management dashboard to track Office 365 updates and deployments.
  • Deploy Office 365 apps to clients – We have added a new Office 365 Servicing node in the Software Library where you can deploy Office 365 apps to clients.
  • Improvements for BIOS to UEFI conversion – An OS deployment task sequence can now be customized with a new variable, TSUEFIDrive, so that the Restart Computer step will prepare the drive for transition to UEFI. See the documentation for additional details on the necessary customizations.
  • Improvement to Endpoint Protection antimalware policy settings – You can now specify the level at which the Endpoint Protection Cloud Protection Service will block suspicious files.
  • Boundary Group Improvements – Improvements have been made to boundary groups to allow more granular control of fallback behavior, and greater clarity of what distribution points are used.
This release also includes the following new features for customers using System Center Configuration Manager connected with Microsoft Intune to manage mobile devices:
  • TouchID, ApplePay and Zoom DEP Settings – DEP provides the ability for admins to create enrollment profiles to skip initial setup screens for new iOS devices. TouchID, ApplePay and Zoom have now been added as options to configure in the iOS enrollment profiles.
  • Windows Store for Business – Windows Store for Business allows customers to obtain applications (purchased or free) and deploy them to users in their organization.
  • Android, iOS, and Windows Additional Settings – New settings have been added for Android, iOS, and Windows.
  • Native Connection Types for Windows 10 VPN Profiles– You can now create Windows 10 VPN profiles with Microsoft Automatic, IKEv2, and PPTP connection types in the Configuration Manager console without using OMA-URI.
  • Intune Compliance Charts – Admins can get a quick view of overall device compliance, and top reasons for non-compliance using new charts under the Monitoring.
Update 1609 for Technical Preview is available in the Configuration Manager console. To install Configuration Manager Technical Preview for the first time, the installation bits (currently based on Technical Preview 1603) are available on TechNet Evaluation Center.

Source: Enterprise Mobility and Security Blog
Detailed overview of new features: Microsoft TechNet

PXE Issue after SCCM CB 1806 upgrade

Recently I had upgraded my SCCM environment 1806 and after upgrade suddenly all PXE servers stopped working. While initiating the PXE ...