System Center Dudes https://www.systemcenterdudes.com SCCM Blog | Configuration Guides, Reports and Troubleshooting posts. Fri, 23 Feb 2018 14:28:28 +0000 en-US hourly 1 https://i2.wp.com/www.systemcenterdudes.com/wp-content/uploads/2015/06/logo.png?fit=32%2C29&ssl=1 System Center Dudes https://www.systemcenterdudes.com 32 32 67897261 Windows 10 Compatibility Check using SCCM and Report https://www.systemcenterdudes.com/sccm-windows-10-compatibility-check/ https://www.systemcenterdudes.com/sccm-windows-10-compatibility-check/#comments Thu, 22 Feb 2018 19:35:22 +0000 https://www.systemcenterdudes.com/?p=49898 When planning for a Windows 10 migration, understanding your environment is the key. Luckily, Windows 10 setup comes with command line options which one of them is an excellent compatibility check (/Compat ScanOnly). This command can be used on a Windows 7,8 or 10 devices before a migration in order to see if those devices are Windows 10 compatible. Using SCCM, we will run this Windows 10 compatibility check, return the results in the SCCM database and use this data to build a comprehensive report. This report can be used to detect and fix migration errors before the actual Windows 10 ... Read More

The post Windows 10 Compatibility Check using SCCM and Report appeared first on System Center Dudes.

]]>
When planning for a Windows 10 migration, understanding your environment is the key. Luckily, Windows 10 setup comes with command line options which one of them is an excellent compatibility check (/Compat ScanOnly). This command can be used on a Windows 7,8 or 10 devices before a migration in order to see if those devices are Windows 10 compatible. Using SCCM, we will run this Windows 10 compatibility check, return the results in the SCCM database and use this data to build a comprehensive report. This report can be used to detect and fix migration errors before the actual Windows 10 deployment.

SCCM Windows 10 Compatibility Check Package Creation

We will start by creating a package for Windows 10 compatibility check. The source of this package must be the Windows 10 installation media. The deployment option and command line is important here. If they are not set correctly you’ll end up sending the complete installation media (including Install.wim) to the computers only for a compatibility check which is not really effective. Using our proposed methods, you’ll be using about 250mb on the client drive instead of 5gb.

  • In the SCCM Console, go to Software Library / Application Management / Packages
  • Create a new package

SCCM Windows 10 Compatibility Check

  • Name your package and specify your Windows 10 installation media as the source file. Be aware that setup.exe is language specific. If you have EN-US machine, you must provide EN-US media

SCCM Windows 10 Compatibility Check

  • Create a Standard Program

SCCM Windows 10 Compatibility Check

  • Command Line : SETUP.EXE /Auto Upgrade /Quiet /NoReboot /DynamicUpdate Enable /Compat ScanOnly
    • /DynamicUpdate: Enabling it causes setup to download the latest compatibility information from Windows Update
    • /CopyLogs parameter can also be added at the end. Use it to copy setup logs to a shared network drive. The problem with that switch is that the logs are not classified using computer names, it will be a nightmare finding the right logs after hundreds of deployments. This is why I’m not using it for this blog post.

SCCM Windows 10 Compatibility Check

  • In the Requirements page, select your operating systems

SCCM Windows 10 Compatibility Check

  • Complete the wizard

SCCM Windows 10 Compatibility Check

  • Right-click your package and distribute it to your distribution points

SCCM Windows 10 Compatibility Check

Deploy Windows 10 compatibility check on a test computer

We will now deploy the Windows 10 compatibility check program on a computer that runs Windows 10 1607. In our test, we want to evaluate if this computer can upgrades from Windows 10 1607 to 1709. Create a test collection and deploy the newly created program to a test device.

  • Right-Click your package and select Deploy
  • On the General tab, select your collection

SCCM Windows 10 Compatibility Check

  • On the Content tab, ensure that your content is distributed to your distribution point

SCCM Windows 10 Compatibility Check

  • Select your deployment purpose – Available or Required

SCCM Windows 10 Compatibility Check

  • On the Scheduling pane, select your schedule

SCCM Windows 10 Compatibility Check

  • On the User Experience pane, select the desired options

SCCM Windows 10 Compatibility Check

  • On the Distribution Points pane, select Run program from distribution point

SCCM Windows 10 Compatibility Check

  • Review your choice and complete the wizard

SCCM Windows 10 Compatibility Check

Running the Compatibility Check

On a targeted computer, run the program manually in the Software Center (Available) or wait for the schedule to trigger your deployment (Required).

The installation will starts. It will take about 5 minutes to complete… and it will fail. This is normal as the error code returned by the compatibility check will always be an error. (No problem will be 0xC1900210 -1047526896).

SCCM Windows 10 Compatibility Check

If you need more information about the error, look at Setupacr.log or Setuperr.log generated by Setup.exe. They are located in C:\$WINDOWS.~BT\Sources\Panther folder. (Or in the specified path if you use the /CopyLogs parameter in your command line. We cover the topic on how to troubleshoot Windows 10 error in this blog post

Once we tested on a couple of test machine and are happy with results, we can expand our deployment to all computers.

From there, what’s the easy way to check your compatibility results? You could go in the Monitoring / Deployment section in the console… or you build a custom report.

Windows 10 Compatibility Check Report

Luckily for you, we created a report which will give you a quick overview of your compatibility success or failure. We also included basic hardware inventory information for you to refer if a computer is not compliant because of hardware limitation. The only thing you need to do is to select your Compatibility package and run the report !

SCCM Windows 10 Compatibility Check

You can download this free report by visiting our product page. The Asset – Compatibility Check report is available in the Report / Asset Section.

Good to know : How to import an RDL file

Let us know what you think of it.

Share this Post

The post Windows 10 Compatibility Check using SCCM and Report appeared first on System Center Dudes.

]]>
https://www.systemcenterdudes.com/sccm-windows-10-compatibility-check/feed/ 2 49898
How to setup an SCCM Cloud Management Gateway https://www.systemcenterdudes.com/how-to-setup-an-sccm-cloud-management-gateway/ https://www.systemcenterdudes.com/how-to-setup-an-sccm-cloud-management-gateway/#comments Tue, 06 Feb 2018 19:38:30 +0000 https://www.systemcenterdudes.com/?p=32186 Starting with SCCM version 1610, cloud management gateway introduces a new way to manage internet clients. This method is different than the “traditional” Internet-based client management (ICBM). Cloud Management Gateway uses a combination of a cloud service deployed in Microsoft Azure and a new site system role that communicates with that service. Clients then use the service to communicate with SCCM. The main advantage of a cloud management gateway is that it doesn’t expose your SCCM servers to the internet but the downside is that it requires an Azure subscription which brings recurring monthly costs. If you’re still unsure which method ... Read More

The post How to setup an SCCM Cloud Management Gateway appeared first on System Center Dudes.

]]>
Starting with SCCM version 1610, cloud management gateway introduces a new way to manage internet clients. This method is different than the “traditional” Internet-based client management (ICBM). Cloud Management Gateway uses a combination of a cloud service deployed in Microsoft Azure and a new site system role that communicates with that service. Clients then use the service to communicate with SCCM.

The main advantage of a cloud management gateway is that it doesn’t expose your SCCM servers to the internet but the downside is that it requires an Azure subscription which brings recurring monthly costs. If you’re still unsure which method to use, you can read the Microsoft documentation and see our blog post about internet client management. Make sure that you understand the limitation of using internet clients. We strongly encourage to use this new method if you’ll be managing client on the internet since this feature will evolve with time and the traditional way support should go away with time. You’ll also need a Cloud Management Gateway if you’re planning to use the new Windows 10 Co-Management features.

For clients to access Cloud Management Gateway, an SSL certificate is required to authenticate computers and encrypt communications. You will also need to create a custom SSL certificate on the Certificate Authority for the CMG. An Azure management certificate is also required to deploy the Cloud Management Gateway.

Important Information
For now, Cloud management gateway only supports the Management Point and Software Update point roles.

Cloud Distribution Point
If you already set up a Cloud Distribution Point before, the certificate requirements are quite similar

Here are the high-level steps for deploying Cloud Management Gateway:

  • Verify a unique Azure cloud service URL
  • Create and issue a custom SSL certificate for the Cloud Management Gateway
  • Request the Cloud Management Gateway certificate from the Certification Authority
  • Export the custom Web Certificate
  • Create a client authentication certificate
  • Create an Auto-Enroll Group Policy
  • Export the client certificate’s root
  • Upload the Cloud Management Gateway management certificate to Azure
  • Create the Cloud Management Gateway in the SCCM console
  • Add the Cloud Management Gateway Connector Point role
  • Configure the Primary Site for client certification authentication
  • Configure roles for cloud management gateway traffic
  • Verify Client Communication with the SCCM Cloud Management Gateway

Verify a unique Azure cloud service URL

We don’t need to create the cloud service in Azure, the Cloud Management Gateway setup will create the service. We just need to verify that the Azure cloud service URL is valid and unique.

  • Log in the Azure portal
  • In the Azure Portal, select Cloud Services on the left, click Add
  • Enter the desired DNS name
  • Validate that there’s a green check mark on the right. If your name is not valid, a red X will display, choose a different name if it’s the case
  • Once your name is valid, take note of the name as it will be needed later. We will use SCDCMG as for our example
  • Close the window, do not create the service now

SCCM Cloud Management Gateway

Create and Issue a Custom Web Server Certificate Template on your Certification Authority

This procedure creates a custom certificate template that is based on the web server certificate template. The certificate will be used for the installation of the SCCM cloud management gateway and the private key must be exportable as it will be asked during installation.

  • In Active Directory, create a security group named SCCM Site Servers that contain your SCCM Primary Site server computer account
  • On the server running the Certification Authority, open the Certification Authority console (certsrv.mmc), right-click Certificate Templates and select Manage

SCCM Cloud Management Gateway

  • The Certificate Templates management console opens
  • Right-click the Web Server template and then select Duplicate Template

SCCM Cloud Management Gateway

  • In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected in Certification Authority

SCCM Cloud Management Gateway

  • In the General tab, enter a template name, like SCD SCCM Cloud Management Gateway. Change the validity period if needed. As a best-practice, the longer the validity period, the less secure is your certificate

SCCM Cloud Management Gateway

  • In the Request Handling tab, select Allow private key to be exported

SCCM Cloud Management Gateway

  • In the Security tab, remove the Enroll permission from the Enterprise Admins security group

SCCM Cloud Management Gateway

  • Choose Add, enter SCCM Site Servers in the text box, and then choose OK
  • Select the Enroll and Read permission for this group

SCCM Cloud Management Gateway

  • Choose OK, close Certificate Templates Console
  • Back in the Certification Authority (certsrv.mmc) console, right-click Certificate Templates, select New / Certificate Template to Issue

SCCM Cloud Management Gateway

  • In the Enable Certificate Templates dialog box, select the new template that you just created, SCD SCCM Cloud Management Gateway, click OK

SCCM Cloud Management Gateway

Request the custom web server certificate on the Primary Site Server

This procedure requests and then installs the newly created custom web server certificate on the Primary Site prior to the SCCM cloud management gateway installation

  • On the SCCM Server, run MMC
  • On the File Menu, choose Add/Remove Snap-in…  select Certificates, and click Add

SCCM Cloud Management Gateway

  • When prompted for what you want to manage certificates for, select Computer Account, click Next

SCCM Cloud Management Gateway

  • Select Local Computer and then click Finish

SCCM Cloud Management Gateway

  • Click OK to close the Add/Remove Snap-ins

SCCM Cloud Management Gateway

  • In the Add or Remove Snap-ins dialog box, choose OK.
  • In the console, expand Certificates (Local Computer) / Personal / Certificates
  • Right-click Certificates, select All Tasks / Request New Certificate
  • On the Before You Begin page, click Next

SCCM Cloud Distribution Point

  • If you see the Select Certificate Enrollment Policy page, choose Next

  • On the Request Certificates page, identify the SCD SCCM Cloud Management Gateway from the list of available certificates, and then select More information is required to enroll for this certificate. choose here to configure settings

SCCM Cloud Management Gateway

  • In the Certificate Properties dialog box, in the Subject tab
    • Subject name: in Type choose Common name
    • Value:  Specify your service name and your domain name by using an FQDN format. (For example: scdcmg.cloudapp.net) and select Add
    • Alternative name: in Type choose DNS
    • Value: Specify your service name and your domain name by using an FQDN format. (For example: scdcmg.cloudapp.net) and select Add

SCCM Cloud Management Gateway

  • Click OK to close the Certificate Properties dialog box
  • On the Request Certificates page, select SCD SCCM Cloud Management Gateway from the list of available certificates, click Enroll
  • On the Certificates Installation Results page, wait until the certificate is installed, click Finish

SCCM Cloud Management Gateway

Export Web Server Certificate

This procedure exports the custom web server certificate to file. We will export it as a .CER file for the Azure Management Certificate and in a .PFX format for the cloud management gateway creation.

.CER EXPORT

  • In the Certificates (Local Computer) console, right-click the SCD Cloud Management Gateway certificate that you just created, select All Tasks / Export

SCCM Cloud Management Gateway

  • In the Certificates Export Wizard, choose Next

SCCM Cloud Management Gateway

  • On the Export Private Key page, select No do not export the private key and click Next

SCCM Cloud Management Gateway

  • On the Export file format, select CER and click Next

SCCM Cloud Management Gateway

  • Save your certificate in a folder and close the wizard

SCCM Cloud Management Gateway

  • To close the wizard, click Finish in the Certificate Export Wizard page

SCCM Cloud Management Gateway

.PFX EXPORT

  • Redo the export task a second time
  • On the Export Private Key page, choose Yes, export the private key, click Next

SCCM Cloud Management Gateway

  • On the Export File Format page, ensure that the Personal Information Exchange – PKCS #12 (.PFX) option is selected

SCCM Cloud Management Gateway

  • On the Password page, specify a strong password to protect the exported certificate with its private key, and then click Next

SCCM Cloud Management Gateway

  • On the File to Export page, specify the name of the file that you want to export

SCCM Cloud Management Gateway

  • To close the wizard, click Finish in the Certificate Export Wizard page

SCCM Cloud Management Gateway

  • Close Certificates (Local Computer).

The certificate is now ready to be imported to create an SCCM Cloud Management Point Gateway

Create the Client Certificate

A client certificate is required on any computer which will be managed via the Cloud Management Gateway. It is also required on the server that will host the Cloud Management Gateway connection point. The fastest way to deploy the client certificate to all your machines is through an autoenrollment GPO. If you do not already have a client certificate template, follow these steps:

  • RDP to an Intermediate Certification Authority
  • Open Certification Authority console, right-click Certificate Templates and click Manage
  • Right-click Workstation Authentication and click Duplicate Template

SCCM Cloud Management Gateway

  • Make sure to use Server 2003, not 2008
  • In the General, name this SCCM Client Certificate

SCCM Cloud Management Gateway

  • Set the Validity Period to 5 years
  • Click on the Security tab, select the Domain Computers group and add the permissions of Read and Autoenroll, do not clear Enroll. Then click OK

SCCM Cloud Management Gateway

  • When you refresh your console, you will see that the new template is there

Create an Auto-Enroll Group Policy

A client certificate is required on any computer which will be managed via the Cloud Management Gateway. It is also required on the server that will host the Cloud Management Gateway connection point.

The fastest way to deploy the client certificate to all your machines is through an autoenrollment GPO :

  1. Launch Group Policy Management on your Domain (Start / Administrative Tools / Group Policy Management)
  2. Right-click the desired OU and select Create a GPO in this domain, and Link it here… as we are going to create a new GPO
  3. Name your GPO AutoEnroll ConfigMgr Client Cert, then click OK
  4. Right-click and Edit your newly created GPO
  5. Navigate to: Computer Configuration / Policies / Windows Settings / Security Settings / Public Key Policies

SCCM Cloud Management Gateway

  • Right-click on Certificate Services Client – Auto-Enrollment and then click Properties
  • Change the Configuration Model: to Enabled
  • Check the Update certificates that use certificate templates and Renew expired certificates, update pending certificates, and remove revoked certificates

SCCM Cloud Management Gateway

  • Click Apply and OK
  • Reboot a workstation and when you run a gpupdate /force or in 15 minutes when GP is re-applied, any machine on the domain communicating with the DC will request and receive a client certificate automatically that will be placed in theLocal Computer Personal Certificate Store

The easiest way to export the root of the client certificates used on the network is to get it on one of the domain-joined machines that receive it through your auto-enrollment GPO

Requirements
Client certificates are required on any computer you want to manage with cloud management gateway and on the site system server hosting the cloud management gateway connector point
  • Run MMC
  • From the File menu, choose Add/Remove Snap-in…
  • In the Add or Remove Snap-ins dialog box, choose Certificates / Add / Computer account / Local computer
  • Go to Certificates / Personal / Certificates
  • Double-click the certificate for client authentication on the computer, choose the Certification Path tab, and double-click the root authority (at the top of the path).
  • On the Details tab, choose Copy to File…
  • Complete the Certificate Export Wizard using the default certificate format.You’ll need it to configure cloud management gateway later

Upload the certificate to your Azure Subscription

If your company is already using Windows Azure, there is a very good chance that a management certificate is already created and uploaded. In that case, you will only need to get the .pfx file and its password. If not, follow these instructions to upload the management certificate (.Cer file) into the Azure portal.

  • Open Azure Portal
  • Go to Subscription / [Your Subscription] / Management Certificate / Upload
  • Select the .cer file that you exported earlier

SCCM Cloud Management Gateway

  • The management certificate is now created and ready to use
  • Copy the value of Subscription ID for your certificate. It will be needed to create the SCCM cloud management gateway.

SCCM Cloud Management Gateway

Create the SCCM Cloud Management Gateway

We will now create the Cloud Management Gateway in the SCCM console.

Pre-release
In SCCM 1710, the Cloud Management Gateway is still a pre-release feature. Be sure to turn it on before going further.
  • Open the SCCM Console
  • Click Administration \ Cloud Services \ Cloud Management Gateway
  • Right-Click Cloud Management Gateway and click on Create Cloud Management Gateway

SCCM Cloud Management Gateway

  • In the General pane, paste your Subscription ID and select your Management certificate (.PFX)

SCCM Cloud Management Gateway

  • On the Settings page
    • Service name: Enter the cloud service name which was verified in the first step of the post (Ex: Scdcmg)
    • Description: Enter a description for the Cloud Management Gateway
    • Region: Enter your Geographical region based on your organization
    • Instance number: Specify the number of VM instance
    • Certificate file: Select the PFX certificate created for the Cloud Management Gateway
    • Service FQDN: Will be populated by your FQDN
  • At the bottom, click the certificate button and select your certificate
  • Uncheck the box to Verify Client Certificate Revocation

SCCM Cloud Management Gateway

  • In the Alerts pane, configure the desired settings

SCCM Cloud Management Gateway

  • Review your setting and complete the wizard

SCCM Cloud Management Gateway

Once the wizard completed, it will take between 5 to 15 minutes to provision the service in Azure. Check the Status column for the new cloud management gateway to determine when the service is ready. You can also follow the progress in the CloudMgr.log

In progress :

SCCM Cloud Management Gateway

When completed :

SCCM Cloud Management Gateway

The cloud management gateway connector point is a new site system role for communicating with cloud management gateway. Let’s add this role to our management point machine.

  • In the SCCM console, go to Administration / Site Configuration / Servers and Site System Roles
  • Select your server which will serve as your cloud management gateway connection point and select Add Site System Role
  • On the System Role Selection pane, select Cloud management gateway connection point

SCCM Cloud Management Gateway

  • Your Cloud Management Gateway name and region will be auto-populated

SCCM Cloud Management Gateway

  • Review your settings and complete the wizard

SCCM Cloud Management Gateway

SCCM Cloud Management Gateway

You can follow the installation progress in SMS_Cloud_ProxyConnector.log

We will now specify settings for clients computers when they communicate with our Management Point

  • In the SCCM console, go to Administration / Site Configuration / Sites
  • Select your primary site for the clients you want to manage through cloud management gateway, select Properties
  • On the Client Computer Communications tab, check Use PKI client certificate (client authentication) when available
  • Clear Clients check the certificate revocation list (CRL) for site systems
  • Click OK

SCCM Cloud Management Gateway

The final step in setting up cloud management gateway is to configure the site system roles to accept cloud management gateway traffic. Only the management point and software update point roles are supported by cloud management gateway. We recommend having a separate machine acting as the management point for your internet clients as it gives you the option to put this management point in HTTPS mode while having an HTTP MP for all your internal clients.

  • In the SCCM console, go to Administration / Site Configuration / Servers and Site System Roles.
  • Right-click the site system server for the role you want to configure for cloud management gateway traffic. In our case, we will configure a management point
  • Select the Management Point role and select Properties
  • In the General tab, check the box next to Allow Configuration Manager cloud management gateway traffic, and then click OK.
  • If you require HTTPS communication, select HTTPS here and follow the next steps

SCCM Cloud Management Gateway

Management Point HTTPS only

If you require having your management point in HTTPS communication, you must ensure that the server has requested the Server Authentification Certificate (SCD SCCM Cloud Management Gateway) and that IIS is configured with this certificate. If you are going with HTTP communication, you can skip this step.

  • Once again, option the Certificate MMC console
  • Choose Computer Account, click Next, Choose Local Computer, click Finish
  • Click OK, and then expand the Certificates tree to the Personal / Certificates folder
  • Click All Tasks / Request New Certificate
  • At the Request Certificates part of the wizard, check your certificate (ex: SCD SCCM Cloud Management Gateway)
  • You will notice that under the Web cert, a prompt that says, More information is required to enroll for this certificate. Click here to configure settings

SCCM Cloud Management Gateway

  • Click the link and set up your Certificate Properties
  • Under Alternative Name / DNS, enter the FQDN of the management point server
  • In General tab, name your certificate as it will be easier to find in IIS later
  • Then the warning field will disappear from the Request Certificates screen of the Certificate Enrollment wizard
  • Click Enroll and then finish once the enrollment is successful

SCCM Cloud Management Gateway

Assign the Web (IIS) Certificate to IIS

This shall be done only on an HTTPS Management point that will handle cmg client requests.

  1. LaunchIIS Manager
  2. Navigate to the Default Website
  3. Right-click it and select Edit Bindings
  4. Add https binding and click Edit
  5. Select the certificate with your server name, and then click OK

SCCM Cloud Management Gateway

Configure clients for cloud management gateway

We will now verify if clients are able to succesfuly communicate with our server via the SCCM Cloud Management Gateway.

  • On a client that is connected to the internet, run a Machine Policy Retrieval & Evaluation cycle from the Configuration Manager app
  • Under the Networking tab, you should see the name of the Cloud Management Gateway service listed as the Internet-based management point (FQDN)

SCCM Cloud Management Gateway

Check the ClientLocation.log file. It will indicate that the machine is using the internet management point

Rotating internet management point, new management point [1] is: SCDCMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/XXXXXXX (0) with capabilities: <Capabilities SchemaVersion =”1.0″><PropertyName=”SSL” Version=”1″ /></Capabilities> ClientLocation 02/02/2018 7:21:15 PM 4168 (0x1048)

If your clients are not already installed, you must use one of the proposed installation methods on Technet or use Intune if you are configured to use the Co-Management features.

 

Share this Post

The post How to setup an SCCM Cloud Management Gateway appeared first on System Center Dudes.

]]>
https://www.systemcenterdudes.com/how-to-setup-an-sccm-cloud-management-gateway/feed/ 3 32186
How to Change SCCM MDM Authority to Intune Standalone https://www.systemcenterdudes.com/sccm-mdm-authority-intune-standalone/ https://www.systemcenterdudes.com/sccm-mdm-authority-intune-standalone/#respond Thu, 01 Feb 2018 16:19:16 +0000 https://www.systemcenterdudes.com/?p=46028 With the release of SCCM 1710, one of the key new features is the Co-Management possibility with Intune. Going in the direction of the Co-Management would eventually allow to offload some management task to Intune and be more aligned with the concept of Modern Management for Windows 10. One of the main requirement to enable Co-Management is to have Intune as the MDM Authority. This goes against what many SCCM admins have done over the past few years, by enabling the Intune Connector in SCCM to manage mobile devices from the SCCM console. This is called Intune in Hybrid mode. ... Read More

The post How to Change SCCM MDM Authority to Intune Standalone appeared first on System Center Dudes.

]]>
With the release of SCCM 1710, one of the key new features is the Co-Management possibility with Intune. Going in the direction of the Co-Management would eventually allow to offload some management task to Intune and be more aligned with the concept of Modern Management for Windows 10.

One of the main requirement to enable Co-Management is to have Intune as the MDM Authority. This goes against what many SCCM admins have done over the past few years, by enabling the Intune Connector in SCCM to manage mobile devices from the SCCM console. This is called Intune in Hybrid mode.

Microsoft has come up with a solution to bring back Intune as the MDM authority, which is the Standalone mode. All this without impacting the end-user with his enrolled devices.

In this post, we will detail how to move Intune from Hybrid mode to Standalone.

Note
In the event that you configured the Intune connector in SCCM, but actually never used any of those features, changing the MDM authority to Intune, by removing the Intune Subscription from SCCM  can do just fine.

Prerequisites to Change SCCM MDM Authority Intune Standalone

  • Account with Global Administrator role in Azure portal for the first run of the Import tool
  • Account with Global Administrator role in Intune portal to import data
  • SCCM 1610 or higher
  • Intune configured as Hybrid mode with SCCM
  • Intune License for users

Import SCCM data to Intune

The first step, which is not mandatory, is to bring policy, apps and deployment from SCCM to Intune. This is optional because it could be all recreated manually.

The idea here is the publish the exact same configuration as in SCCM. This will lead to a smooth transition without impacting the end-user.

First run of the Microsoft Intune Data Importer

The first run must  be done by an account member of the Global Administrator role in Azure to allow import of content into Intune

Change SCCM MDM authority Intune standalone

  • Extract the content

Change SCCM MDM authority Intune standalone

  • Open a Command Prompt as administrator and run the following command:
    • Command line : intunedataimporter.exe -GlobalConsent

Change SCCM MDM authority Intune standalone

  • This prompt for credentials. Enter the Global Administrator credentials

Change SCCM MDM authority Intune standalone

  • Confirmation

Change SCCM MDM authority Intune standalone

Note

When you click Accept, you give the tool permission to do the following:

  • Read all groups
  • Sign in and read the user profile
  • Read and write Intune device configuration and policies
  • Read and write Intune apps
  • Read and write Intune role-based administration control policies
  • Read and write Intune devices
  • Read and write Intune configuration

Import data

This can be achieved by an Intune Admin or Global Admin.

  • Start the intunedataimporter.exe by double-clicking on it

Change SCCM MDM authority Intune standalone

  • Click Next

Change SCCM MDM authority Intune standalone

  • Specify the SCCM server FQDN and Site code. Select which data should be imported
    • You can always come back to that screen if you choose not to import discovered data.

Change SCCM MDM authority Intune standalone

  • Discovery will take a couple minutes to complete

Change SCCM MDM authority Intune standalone

  • Next, the tool will list all of the selected components it found, by categories of the item

Change SCCM MDM authority Intune standalone

  • Note that some items will not be importable

Change SCCM MDM authority Intune standalone

  • This happens for many different reasons. Scrolling to the right will give the reason

Change SCCM MDM authority Intune standalone

  • One likely error would be that the value in ConfigMgr for setting … is not supported in Intune
  • Another common error you might get is related to having a collection with a query or manual membership that are not supported for Intune. The only collection that can be converted to Intune is the ones with a simple query for AD group membership. This would allow having the SCCM deployment transferred automatically to Intune, and targeted to the right user group

Change SCCM MDM authority Intune standalone

  • Once items are selected, click next on the Summary

Change SCCM MDM authority Intune standalone

  • Sign in with Intune Admin or Global Admin rights

Change SCCM MDM authority Intune standalone

  • Sign-in

Change SCCM MDM authority Intune standalone

Note

Microsoft does recommend to import content to a Trial Tenant before going into production. If the tool is run multiple time for the same tenant, you might end up with duplicate items.

  • Once logged in, the import process starts automatically.

Change SCCM MDM authority Intune standalone

  • Click Next

Change SCCM MDM authority Intune standalone

  • Review errors as those will need to be addressed before moving user/devices to Intune

Change SCCM MDM authority Intune standalone

  • Go to Portal.azure.com, under Intune / Device Configuration / Profiles, the policies are imported

Change SCCM MDM authority Intune standalone

Warning
We had issue with the migration of the deployments. The target group, that is a member of our collection in SCCM, was not found in Intune, so the tool was not able to target assignment correctly.

The group was well synced to AAD and was available to be assigned manually. The group name had spaces in it. That might have been the issue.

The end result is that we had to manually do the assignment for each policy and applications.

Note that rerunning the import data tool could lead to duplicate items in Intune, and importing only Deployment is not possible without selecting the desired item at the same time.

More information about the Import data is available on Microsoft Documentation

Prepare Intune for User Migration

Before going forward with users and devices migration, here are some validation that should be done.

  • Assignment of apps and policies must be done to groups like they were done to collections in SCCM
  • Ensure users that have enrolled devices have Intune license assigned to them

Change SCCM MDM authority Intune standalone

Depending on your setup, additional validation could include  :

Migrate Users’ Devices

Once the data is imported and all validation is done, it’s time to migrate a group of test users to their devices to see how it goes.

The process is quite simple for users devices. Devices enrolled by users that are no longer allowed to enroll devices into SCCM, are automatically redirected to Intune.

This means, that users must be excluded from the collection defined in SCCM Intune Subscription, to allow users to enroll devices.

  • To find the collection that is used to allow users to enroll devices, go to Administration / Cloud Services / Microsoft Intune Subscriptions and select Properties on your Microsoft Intune Subscription

Change SCCM MDM authority Intune standalone

  • Create a user collection that will be used for migration
  • Add this new collection as an Exclude Collection Rule on the collection used to allow users to enroll devices

Change SCCM MDM authority Intune standalone

WARNING
From this point, users’ devices will be redirected to Intune. Make sure policies, apps and deployments are assigned.

If the configuration is identical from SCCM, this change will be 100% transparent for the user.

  • Add test user to Migration collection
  • Go to Portal.azure.com, under Intune / Devices / All Devices, migrated devices should show up about 15 minutes later

Change SCCM MDM authority Intune standalone

  • At this point, the device is managed only by Intune, even if the device is still visible in SCCM

Change SCCM MDM authority Intune standalone

  • Remaining devices in SCCM are still managed by SCCM only. This is called Mixed MDM Authority, as both Intune and SCCM are managing devices
  • The Terms and Condition policy configured in SCCM, is automatically migrated to Intune when the Mixed Mode is enabled

Change SCCM MDM authority Intune standalone

  • The Terms and Condition are not automatically assigned. Go to Intune / Device Enrollment / Terms And Condition

Change SCCM MDM authority Intune standalone

  • Select the policy and set the Assignments  to the user group of your choice

Change SCCM MDM authority Intune standalone

Before moving all users, testing should be done to ensure that your mobile devices are correctly managed.

Once tests are completed, we can move on using the same method to migrate all other users and devices.

Important Note
If you have devices enrolled by Apple DEP program, devices can’t be migrated by their assigned owner. Those devices are considered user-less in Intune.

To migrate those, there is a PowerShell cmdlet available in the Intune data importer.

More details on how to migrate device without user affinity are available on Microsoft Documentation.

Change MDM authority to Intune standalone

After all users devices are migrated, it’s time to set Intune to standalone.

  • In SCCM, go to Administration / Cloud Services Microsoft Intune Subscription, and delete your existing Intune Subscription

Change SCCM MDM authority Intune standalone

  • Select Change MDM Authority to Microsoft Intune, click Next

Change SCCM MDM authority Intune standalone

  • Select Yes

Change SCCM MDM authority Intune standalone

  • Sign in to Intune
Note
The account provided to Sign-in Intune, must have a license for Intune assigned to the account.

Change SCCM MDM authority Intune standalone

  • Provide credentials

Change SCCM MDM authority Intune standalone

  • Click Next

Change SCCM MDM authority Intune standalone

  • Summary, click Next

Change SCCM MDM authority Intune standalone

  • Successful!

Change SCCM MDM authority Intune standalone

  • MDM Authority is now set to Intune

Change SCCM MDM authority Intune standalone

Post change after MDM authority tasks

Change SCCM MDM authority Intune standalone

More information on how to change the MDM authority on Microsoft Documentation

 

Hope this post helped! 🙂

Share this Post

The post How to Change SCCM MDM Authority to Intune Standalone appeared first on System Center Dudes.

]]>
https://www.systemcenterdudes.com/sccm-mdm-authority-intune-standalone/feed/ 0 46028
How to install SCCM 1710 Hotfix Rollup (KB4057517) https://www.systemcenterdudes.com/how-to-install-sccm-1710-hotfix-rollup-kb4057517/ https://www.systemcenterdudes.com/how-to-install-sccm-1710-hotfix-rollup-kb4057517/#comments Fri, 19 Jan 2018 15:30:50 +0000 https://www.systemcenterdudes.com/?p=45296 The first Hotfix Rollup for SCCM Current Branch (1710) is now available. This post is a complete SCCM 1710 Hotfix Rollup (KB4057517) installation guide. If you’re looking for a complete SCCM Current Branch installation guide, see our blog series which covers it all. You can’t install this upgrade if you are running SCCM 2012. You need to be running SCCM 1710 to apply this update. Installing SCCM upgrades is important for your infrastructure. It fixes a lot of issues from SCCM 1710, which some of them are important. New Update and Servicing Model If you’re not familiar with the new SCCM servicing model, ... Read More

The post How to install SCCM 1710 Hotfix Rollup (KB4057517) appeared first on System Center Dudes.

]]>
Need help to upgrade your site ? Consult our fixed price consulting plans to see our rates !

The first Hotfix Rollup for SCCM Current Branch (1710) is now available. This post is a complete SCCM 1710 Hotfix Rollup (KB4057517) installation guide. If you’re looking for a complete SCCM Current Branch installation guide, see our blog series which covers it all. You can’t install this upgrade if you are running SCCM 2012. You need to be running SCCM 1710 to apply this update.

Installing SCCM upgrades is important for your infrastructure. It fixes a lot of issues from SCCM 1710, which some of them are important.

New Update and Servicing Model

If you’re not familiar with the new SCCM servicing model, read our New Update and Servicing section of the 1602 upgrade post which explain it all.

You may wonder what’s the difference between a Cumulative Update (CU) and an Update Rollup (UR)/Hotfix RollUp (HR) :

A CU is a new servicing baseline. A post-CU1 hotfix requires CU1 first, whereas a post-UR1 hotfix doesn’t require UR1. Like CU, UR is cumulative which means that UR2 will include previous hotfixes.

*If you are running SCCM 1511, 1602, 1606,1610, 1702 and 1706 you first need to upgrade to 1710 prior to applying this Hotfix Rollup, see our blog which covers the upgrade process. Once completed, the Hotfix Rollup will be available under Update and Servicing node.

List of SCCM 1710 Hotfix Rollup Fixes

Consult this support page for a full list of issues fixed.

Before you begin

Downloading and installing this update is done entirely from the console. There’s no download link, the update will appear on your console once synchronized.

When you install an in-console update: (New Versions,CU,UR,KB)

  • It automatically runs a prerequisite check. You can also run this check prior to starting the installation
  • It installs at the central administration site (if you have one), and at primary sites automatically. You can control when each primary site server is allowed to update its infrastructure by using Service Windows for site servers
  • After a site server updates, all affected site system roles (including instances of the SMS Provider) automatically update. Configuration Manager consoles also prompt the console user to update the console, after the site installs the update
  • If an update includes the Configuration Manager client, you are offered the option to test the update in pre-production, or to apply the update to all clients immediately
  • After a primary site is updated, secondary sites do not automatically update. Instead, you must initiate the secondary site update

In this post, we’ll be updating a standalone Primary Site Server, console and clients.

Reminder
It’s a best practice to have some exclusions for your antivirus/anti-malware software on the SCCM server. Here a list for exclusions from SCCM 2012, which is still valid for CB as far as we know.You could also consider disabling the AV prior to installing the update and re-enable it once completed.
Before installing, check if your site is ready for the update :
  • Open the SCCM console
  • Go to Administration \ Cloud Services \ Updates and Servicing
  • In the State column, ensure that the update is Available

SCCM 1710 Hotfix Rollup

  • If not already downloaded, hit Download
  • If it’s not available, right-click Updates and Servicing and select Check for Updates

SCCM 1706 Update Rollup 1

  • The update state will change to Downloading
  • You can follow the download in Dmpdownloader.log

SCCM 1710 Hotfix Rollup

The update files are stored in the EasyPayload folder in your SCCM Installation directory

SCCM 1710 Hotfix Rollup

SCCM 1710 Hotfix Rollup Installation Guide

Step 1 | SCCM 1710 Hotfix Rollup Prerequisite Check

Before launching the update, we recommend to launch the prerequisite check:

  • Open the SCCM console
  • Go to Administration \ Cloud Services \ Updates and Servicing
  • Right-click the Configuration Manager 1710 Hotfix (KB4057517) update and select Run prerequisite check

SCCM 1710 Hotfix Rollup

  • Nothing will happen, the prerequisite check runs in the background. All menu options will be grayed out during the check

SCCM 1710 Hotfix Rollup

  • You can  monitor prerequisite check by going to Monitoring / Site Servicing Status, right-click your Update Name and select Show Status

Note
The prerequisite check was the fastest we witness yet!

  • When completed the State column will show Prerequisite check passed

SCCM 1710 Hotfix Rollup

Step 2 | Launching the SCCM 1710 Hotfix Rollup

We are now ready to launch the SCCM 1710 Hotfix Rollup. At this point, plan about 30 minutes for the update installation.

  • Right click the Configuration Manager 1710 update and select Install Update Pack

SCCM 1710 Hotfix Rollup

  • On the General tab, click Next

SCCM 1710 Hotfix Rollup

  • In the Client Update Options, select the desired option for your client update
    • This new feature allows updating only clients member of a specific collection. Refer to our post here

SCCM 1706 Update Rollup 1

  • On the License Terms tab, accept the license terms and click Next

SCCM 1706 Update Rollup 1

  • On the Summary tab, review your choices and click Next

SCCM 1710 Hotfix Rollup

  • On the Completion tab, close the wizard. The whole process took a minute but the installation is not over, it has been initiated

SCCM 1710 Hotfix Rollup

  • During installation, the State column changes to Installing
  • You can  monitor installation by going to Monitoring / Site Servicing Status, right-click your Update Name and select Show Status

SCCM 1710 Hotfix Rollup

  • … or you can follow detailed installation progress in SCCM Installation Directory\Logs\CMUpdate.log

SCCM 1710 Hotfix Rollup

Warning
We’ve done numerous SCCM  installation/upgrade. Some installation start a couple of minutes after you complete the wizard but we’ve seen some installation starts after a 10 minutes delay. Do not reboot or restart any services during this period or your update could be stuck in “Prerequisite check passed” status and all other options grayed out. There’s actually no officially documented methods by Microsoft to fix that. Patience is the key!
  • When completed, you’ll notice the message There are no pending update package to be processed in the log file
  • Refresh the Updates and Servicing node, the State column will be Installed

Updating the consoles

Since 1602, the console has an auto-update feature. At console opening, if you are not running the latest version, you will receive a warning and the update will start automatically.

  • Since all updates operations were initiated from the console, we didn’t close it during the process. We received a warning message when clicking certain objects. You will have the same message when opening a new console

SCCM 1710 Hotfix Rollup

  • Click OK,  console update will start automatically

SCCM 1706 Update Rollup 1

SCCM 1706 Update Rollup 1

SCCM 1706 Update Rollup 1

  • Wait for the process to complete. You can follow the progress in C:\ConfigMgrAdminUISetup.log and C:\ConfigMgrAdminUISetupVerbose.log. Once completed, the console will open and you’ll be running the latest version

Verification

Consoles

After setup is completed, verify the build number of the console. If the console upgrade was successful, the build number will be 5.0.8577.1108. Note that the Site Version is not changed to the Hotfix Rollup version. This is normal.

SCCM 1710 Hotfix Rollup

Clients

The client version will be updated to 5.00.8577.1108 (after updating, see section below)

SCCM 1710 Hotfix Rollup

SCCM 1710 Hotfix Rollup Client Package distribution

You’ll see that the 2 client packages are updated:

  • Navigate to Software Library \ Application Management \ Packages

SCCM 1706 Update Rollup 1

  • Check if both packages were updated, if not, select both packages and initiate a Distribute Content to your distribution points

Updating the Clients

Our preferred way to update our clients is by using the Client Upgrade feature:

  • Open the SCCM Console
  • Go to Administration / Site Configuration / Sites
  • Click the Hierarchy Settings in the top ribbon
  • Select Client Upgrade tab
  • The Upgrade client automatically when the new client update are available checkbox has been enabled
  • Review your time frame and adjust it to your needs

SCCM 1710 Hotfix Rollup

 

Monitor SCCM Client Version Number

You can see our SCCM Client version reports to give detailed information about every client’s versions in your environment. It’s the easiest way to track your client updates.Collections

You can also create a collection that targets clients without the latest client version. I use it to monitor which client haven’t been updated yet.

SCCM 2012 - System Health Configuration Manager SS

Collections

Here’s the query to achieve this: (You can also refer to our Set of Operational Collection Powershell Script which contains this collection)

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ClientVersion != '5.00.8577.1108'

Share this Post

The post How to install SCCM 1710 Hotfix Rollup (KB4057517) appeared first on System Center Dudes.

]]>
https://www.systemcenterdudes.com/how-to-install-sccm-1710-hotfix-rollup-kb4057517/feed/ 6 45296
Powershell Script to Create Collections with Folder Structure https://www.systemcenterdudes.com/sccm-powershell-script-collections-folders/ https://www.systemcenterdudes.com/sccm-powershell-script-collections-folders/#comments Tue, 16 Jan 2018 15:45:19 +0000 https://www.systemcenterdudes.com/?p=43927 Following the excellent PowerShell script that Benoit wrote to create operationals collection, I decided to rethink it a bit to help classify collections and ease Role-based administration control implementation when a different group of users accesses SCCM. On top of that, the way folders for collections are designed, it helps implement a naming convention to keep things clear all across the SCCM console. The overall idea is to keep collections on a per needs basis. Having a collection that receives client settings, 1-2 applications, OSD and Windows Updates can lead to unplanned/accidental deployment or misconfiguration. With one collection per need, ... Read More

The post Powershell Script to Create Collections with Folder Structure appeared first on System Center Dudes.

]]>
Following the excellent PowerShell script that Benoit wrote to create operationals collection, I decided to rethink it a bit to help classify collections and ease Role-based administration control implementation when a different group of users accesses SCCM. On top of that, the way folders for collections are designed, it helps implement a naming convention to keep things clear all across the SCCM console.

The overall idea is to keep collections on a per needs basis. Having a collection that receives client settings, 1-2 applications, OSD and Windows Updates can lead to unplanned/accidental deployment or misconfiguration. With one collection per need, everything is well targeted.

I also prefer to have collection for inventory to feed my deployment collections, instead of always recreating the queries.

I’ve been using the same methodology for years at multiple clients site. When I go back after a few years, I know exactly what is going on, as they were using the naming and structure for all that time.

The script creates 17 folders and 36 collections. The collections are set to refresh on a 7 days schedule. If a collection already exists, the script will return an error but will continue.

Some of the collections come from Benoit script. (Thanks, Benoit !)

SCCM Powershell Script Collections Folders Download

The script can be downloaded from my Microsoft Gallery submission.

Be sure to rate the submission if you are using it.

Full list of folders

SCCM Powershell Script Collections Folders

Collections under each sub-folder will keep the naming convention.

Full list of collections

  • All Servers
  • All Workstations
  • All Workstations – Admin
  • MC – CS – Workstation Prod
  • MC – CS – Workstation Test
  • MC – CS – Server Prod
  • MC – CS – Server Test
  • MC – EP – Workstation Prod
  • MC – EP – Workstation Test
  • MC – EP – Server Prod
  • MC – EP – Server Test
  • SRV – INV – Physical
  • SRV – INV – Virtual
  • SRV – INV – Windows 2008 and 2008 R2
  • SRV – INV – Windows 2003 and 2003 R2
  • SRV – INV – Windows 2016
  • WKS – INV – Windows 7
  • WKS – INV – Windows 8
  • WKS – INV – Windows 8.1
  • WKS – INV – Windows XP
  • WKS – INV – SCCM Console
  • WKS – INV – Clients Version | 1710
  • WKS – INV – Laptops | Dell
  • WKS – INV – Laptops | Lenovo
  • WKS – INV – Laptops | HP
  • WKS – INV – Microsoft Surface 4
  • WKS – INV – Windows 10
  • WKS – OSD – Windows 10 – PROD
  • WKS – OSD – Windows 10 – TEST
  • WKS – SU – Exclusion
  • WKS – SU – Pilote
  • WKS – SU – TEST
  • WKS – SU – PROD
  • WKS – SD – Office 365 – PROD
  • WKS – SD – Office 365 – TEST

Some details

Inventory collections have defined queries.

Production collections contain all workstation or all servers based with the Include feature of collection membership.

OS Deployment, Software Distribution and Test collections are meant to have manual membership defined.

The collection WKS – SU – Exclusion is excluded from all Software Update collections to prevent patch specific system.

Role-based administration control

The All Servers, All Workstations and All Workstations – Admin collections are specifically made for RBAC. That’s why they are the Master Collections as they will probably be the limiting collection for 99% of the collections.

The concept is the following:

  • Give the server team only access to All servers
  • Give the technician team access to All Workstations
    • This would give access to technicians to see collections that would be considered production ready for OS and software deployment, on top of inventory collections
    • Collection with the limiting collection All Workstations – Admin would then be hidden for standard technician
  • Give SCCM Admin or higher ranks tech access to All Workstations – Admin
    • This would make available collections like the one’s Software Update or test collection

SCCM Powershell Script Collections Folders

Benefits

  • Role-based administration control “ready” as explained earlier
  • Loading time of each sub-folder will be faster because there will be fewer collections to load.
  • Collection’s naming convention will be useful in other areas of the console:

Collection name under Package or Applications deployments tab

SCCM Powershell Script Collections Folders

Collection name under all Deployments

SCCM Powershell Script Collections Folders

Collection name under Software Update Groups

SCCM Powershell Script Collections Folders

Hope this will help you keep SCCM clean 🙂

Share this Post

The post Powershell Script to Create Collections with Folder Structure appeared first on System Center Dudes.

]]>
https://www.systemcenterdudes.com/sccm-powershell-script-collections-folders/feed/ 1 43927
Install Specific Office 365 Version using SCCM https://www.systemcenterdudes.com/sccm-office-specific-version-installation/ https://www.systemcenterdudes.com/sccm-office-specific-version-installation/#comments Tue, 16 Jan 2018 15:32:04 +0000 https://www.systemcenterdudes.com/?p=38443 Managing Office 365 with SCCM is becoming a popular task among SCCM administrators. Depending of your company policy and Office 365 Channel, you may have to manage/install/uninstall specific version on client computers no matter the available version in your assigned channel. For example, you may want to downgrade an up-to-date Monthly version (v1711) to a Deferred version(v1705). This procedure also works to upgrade a Deferred version to an up-to-date version. Please note that this procedure is not meant to change Office Channel on a client, use this to install a specific version no matter the Channel. Package Creation The first thing to understand ... Read More

The post Install Specific Office 365 Version using SCCM appeared first on System Center Dudes.

]]>
Managing Office 365 with SCCM is becoming a popular task among SCCM administrators. Depending of your company policy and Office 365 Channel, you may have to manage/install/uninstall specific version on client computers no matter the available version in your assigned channel.

For example, you may want to downgrade an up-to-date Monthly version (v1711) to a Deferred version(v1705). This procedure also works to upgrade a Deferred version to an up-to-date version.

Please note that this procedure is not meant to change Office Channel on a client, use this to install a specific version no matter the Channel.

Warning
The installation will stream the file from Microsoft CDN (from internet), not from a distribution point

Package Creation

The first thing to understand is that to update an Office installation, you need to use the OfficeC2RClient.exe program that resides on the client. This command support various command line and switches. In our example, we will use Updatetoversion to specify the version 7766.2119 (1701) and forceappshutdown to force Office applications to close.

The tricky part is that OfficeC2RClient.exe is specific to the system architecture (x86 or x64). In order to make a command line that works on both architectures, you need to use the %CommonProgramW6432% system variable that works on both x86 and x64 systems.

  • In the SCCM Console, go to Software Library / Application Management / Packages
  • Create a new package, name it and do not specify source file. This is because the .exe needed for Office installation is on the client computer.

SCCM Office specific version installation

  • Create a Standard Program

SCCM Office specific version installation

  • For the command line, find the desired Office version build number (In our case 1701 – 16.0.7766.2119). You need to add 16.0 to the build version in your command line.

SCCM Office specific version installation

  • Command Line : %CommonProgramW6432%\microsoft shared\ClickToRun\OfficeC2RClient.exe” /update user updatetoversion=16.0.7766.2119 forceappshutdown=True

SCCM Office specific version installation

  • In the Requirements page, click Next

SCCM Office specific version installation

  • Complete the wizard

SCCM Office specific version installation

Deploy Specific Office version on a test computer

We will now deploy the 1701 version on a computer that actually has version 1705 installed. Create a test collection and send the newly created program to a test device.

The installation will start on the client computer. It will take about 10-15 minutes to complete.

SCCM Office specific version installation

Office version before installation :

SCCM Office specific version installation

Office version after installation :

SCCM Office specific version installation

Make sure to use our free Office 365 report to track your Office version.

Share this Post

The post Install Specific Office 365 Version using SCCM appeared first on System Center Dudes.

]]>
https://www.systemcenterdudes.com/sccm-office-specific-version-installation/feed/ 1 38443
How to Monitor Spectre / Meltdown Workstation Vulnerability using SCCM https://www.systemcenterdudes.com/sccm-spectre-meltdown-configuration-baseline/ https://www.systemcenterdudes.com/sccm-spectre-meltdown-configuration-baseline/#comments Wed, 10 Jan 2018 16:01:34 +0000 https://www.systemcenterdudes.com/?p=41771 This new year brings a new challenge for us SCCM administrator. The Speculation Control vulnerability (aka Spectre and Meltdown) affects many modern processors and operating systems and is considered critical to patch. The first challenge is to monitor who is vulnerable in your organization. The second one is to understand this beast and to remediates it. The important thing to know here is that a machine needs more than only a Windows OS patch to be compliant. There’s also a hardware level firmware updates to apply. This blog post will focus on the monitoring part to be able to show your management ... Read More

The post How to Monitor Spectre / Meltdown Workstation Vulnerability using SCCM appeared first on System Center Dudes.

]]>
This new year brings a new challenge for us SCCM administrator. The Speculation Control vulnerability (aka Spectre and Meltdown) affects many modern processors and operating systems and is considered critical to patch. The first challenge is to monitor who is vulnerable in your organization. The second one is to understand this beast and to remediates it. The important thing to know here is that a machine needs more than only a Windows OS patch to be compliant. There’s also a hardware level firmware updates to apply. This blog post will focus on the monitoring part to be able to show your management if you’re compliant or not.

We also included a free report to download in order to track your Spectre and Meltdown compliance level. You can jump at the end of this post if you want to download it and skip the reading.

SCCM Spectre Meltdown Configuration Baseline Creation

Luckily for us, Microsoft PFEs, Ken Wygant make the dirty work for us and has created an incredible job in turning a detection Powershell script into a ready-to-import SCCM Configuration Item and Baseline. They did a pretty good blog post explaining their work and we’ll use their CAB file in order to show you the step-by-step process in order to use it in your organization.

  • The first step is to download the CAB file. 
  • [Edit  01/15] Microsoft has released a new Configuration Baseline available on Technet Gallery. The new cab file will create only 2 CIs instead of 8 but the blog post is still relevant.

  • In the SCCM Console, go to Assets and Compliance / Compliance Settings / Configuration Items
  • Right-Click Import Configuration Data

SCCM Spectre Meltdown Configuration Baseline

  • In the Import Configuration Data Wizard, click on Add

SCCM Spectre Meltdown Configuration Baseline

  • On the security warning, click Yes

SCCM Spectre Meltdown Configuration Baseline

  • The Configuration Baseline appears in the file window, click Next

SCCM Spectre Meltdown Configuration Baseline

  • Review the Summary, click Next and complete the wizard

SCCM Spectre Meltdown Configuration Baseline SCCM Spectre Meltdown Configuration Baseline

  • Back in the Configuration Item pane, the 8 CI are created

SCCM Spectre Meltdown Configuration Baseline

  • In the Configuration Baseline pane, the Baseline is created. This baseline contains the 8 CI and is ready to be deployed

SCCM Spectre Meltdown Configuration Baseline

SCCM Spectre Meltdown Configuration Baseline Deployment

We will now deploy the Configuration Baseline to a test collection in order to validate it.

  • In the SCCM Console, go to Assets and Compliance / Compliance Settings / Configuration Baseline
  • Right-Click the ADV180002 – Speculative Execution Side-channel Vulnerabilities Baseline and select Deploy

SCCM Spectre Meltdown Configuration Baseline

  • Select the collection which contains your test machines by clicking Browse, select your compliance evaluation schedule and click Ok

SCCM Spectre Meltdown Configuration Baseline

SCCM Spectre Meltdown Workstation Validation

On a machine that receives the configuration baseline :

  • In Control Panel, open the Configuration Manager Properties application
  • Initiate a Machine Policy Retrieval & Evaluation Cycle to receive the baseline

SCCM Spectre Meltdown Configuration Baseline

  • In the Configuration tab, click Refresh until the baseline appears

SCCM Spectre Meltdown Configuration Baseline

  • Once the baseline is available, select the ADV18002 Baseline, click Evaluate and wait a couple of minutes

SCCM Spectre Meltdown Configuration Baseline

  • Once the Last Evaluation Date get populated, click View Report
  • Your browser will open the report showing the compliance state of this machine. In our screenshot, my machine has a compliant state in 4 out 8 CIs. This is because I’ve applied the Windows 10 OS patches but the hardware level has not been patched

SCCM Spectre Meltdown Configuration Baseline

  • In the SCCM console, the compliance statistics will begin to populate. This will confirm that your work has been well made.

SCCM Spectre Meltdown Configuration Baseline

SCCM Spectre Meltdown Configuration Baseline Report

The console statistics are basic and doesn’t permit to know which machines are compliant or not. We’ve created a simple report to let you know the list of machines and their compliance state. This report will ask which Baseline to show, just select the baseline we just created in this blog post to see you Spectre / Meltdown statistics.

 

You can download this free report by visiting our product page. The Asset – Compliance State report is available in the Report / Asset Section.

Share this Post

The post How to Monitor Spectre / Meltdown Workstation Vulnerability using SCCM appeared first on System Center Dudes.

]]>
https://www.systemcenterdudes.com/sccm-spectre-meltdown-configuration-baseline/feed/ 28 41771
How to setup Telemetry Dashboard for Office 2016 https://www.systemcenterdudes.com/how-to-setup-telemetry-dashboard-for-office-2016/ https://www.systemcenterdudes.com/how-to-setup-telemetry-dashboard-for-office-2016/#comments Thu, 30 Nov 2017 18:44:33 +0000 https://www.systemcenterdudes.com/?p=34915 An area that is hard for IT admins to get feedback is how Office is doing in their environment. Unless users call in for support, there is not much more information easily available. A less known Office feature is available for free as part of the Office suite. The Office Telemetry Dashboard can help assess all kind of compatibility issues that could happen as part of a major upgrade and help to identify the potential risk ahead of an upgrade. The Office Telemetry dashboard was first introduced with Office 2013. It was released to replace the previous solution Office Migration ... Read More

The post How to setup Telemetry Dashboard for Office 2016 appeared first on System Center Dudes.

]]>
An area that is hard for IT admins to get feedback is how Office is doing in their environment. Unless users call in for support, there is not much more information easily available. A less known Office feature is available for free as part of the Office suite. The Office Telemetry Dashboard can help assess all kind of compatibility issues that could happen as part of a major upgrade and help to identify the potential risk ahead of an upgrade.

The Office Telemetry dashboard was first introduced with Office 2013. It was released to replace the previous solution Office Migration Planning Manager (OMPM).

The Office telemetry could be used in the following scenarios :

  • Planning a major upgrade to Office 2016 from older versions
  • Monitor your Semi-Annual Channel (Targeted)  installations as they received newer major build ahead of the Semi-annual Channel
Office 365 updates/upgrade

If you are looking for how to manage Update for Office 365 you can see our previous posts and report in the following links :

In this post, we will describe how to plan, install and use Office Telemetry dashboard for Office 2016.

Planning topology and hardware for Telemetry dashboard Office 2016

Before going into installation and configuration details, the data flow must be understood and the planning of the topology of the Telemetry servers defined.

Office Telemetry consist of the followings 5 components :

  • A simple network shared folder
  • Telemetry Processor
  • Telemetry database
  • Telemetry Dashboard
  • Telemetry Agent

The first 4 components are considered Server-side, while the Telemetry Agent is the client-side

Here’s the data flow process of Office Telemetry

Telemetry dashboard Office 2016

Now that the data flow is known, planning of the topology of the server side is important to prevent impact on the network as well on the Office Telemetry server.

Key points for topology design:

  • A Telemetry Dashboard can support up to 100 000 clients
  • A Telemetry Processor can support up to 50 000 clients
  • Client send approximately 64Kb of data to the network share
  • Client sends data every 8 hours by default.

This screen from TechNet gives a good overview of what a topology can look like.

Telemetry dashboard Office 2016

Most scenarios will simply require a single server that can host both the Telemetry Processor and the database.

If you have already an SQL server, it can be used for the Telemetry Database.

Note

The user that will run the installation wizard will need SysAdmin rights to the remote SQL server.

As for the performance needed, the following tables describes it best:

For Telemetry Database

Telemetry dashboard Office 2016

For Telemetry Processor

Telemetry dashboard Office 2016

Please review Microsoft Technet page for sizing, data flow or how Telemetry data is collected.

Prerequisites for Telemetry dashboard Office 2016

Client side :

  • Windows 7 SP1 and up
  • Windows Server 2008 and up
  • Office MSI or Click-to-run 2013 or 2016
Note
For Office 2003 to 2010, it is possible to monitor them, but an agent will be required on those computers.

Server side:

  • Operating system
    • For Telemetry Processor(server)
      • Windows server 2008/R2, 2012/R2
  • SQL server for Telemetry Processor
    • SQL Server 2005
    • SQL Server 2005 Express Edition
    • SQL Server 2008
    • SQL Server 2008 Express Edition
    • SQL Server 2008 R2
    • SQL Server 2008 R2 Express Edition
    • SQL Server 2012
    • SQL Server 2012 Express
  • Office 2013 or 2016 (Click-to-run or MSI) must be installed on the Telemetry Processor(server)
    • Default installation will do just fine

Other:

  • Office 2013 ADMX must be available
    • click here to download
  • Office 2016 ADMX must be available
    • click here to download

See detailed prerequisites on TechNet page

Configure Telemetry Processor and Share

Once we get the prerequisites done, we can begin the configuration of the first component, which is the Telemetry Processor along with the required network share

  • Create a new folder and share
    • Permission: No need to specify permission, as the setup will take care of it.

Telemetry dashboard Office 2016

  • On the server, start Telemetry Dashboard for Office 2016, from the start menu

Telemetry dashboard Office 2016

  • Click on Let’s Get Started

Telemetry dashboard Office 2016

  • Under 2. Install Telemetry Processor, select Install Telemetry Processor on this computer

Telemetry dashboard Office 2016

  • Check Run the Office Telemetry Processor settings wizard now

Telemetry dashboard Office 2016

  • Click Next

Telemetry dashboard Office 2016

  • Click Next

Telemetry dashboard Office 2016

  • Specify the SQL server and click Connect 

Telemetry dashboard Office 2016

  • Enter the desired database Name, click Create

Telemetry dashboard Office 2016

  • Select Yes to configure permissions and the database role

Telemetry dashboard Office 2016

  • Enter the Shared folder  path created before

Telemetry dashboard Office 2016

  • Select Yes to set the permissions automatically

Telemetry dashboard Office 2016

  • Select if you want to participate in Microsoft Custom Experience improvement or not

Telemetry dashboard Office 2016

  • Click Finish

Telemetry dashboard Office 2016

More details can be found on TechNet

Configure Telemetry Database

  • In the Telemetry Dashboard, select Connect to Database

Telemetry dashboard Office 2016

  • Provide the SQL server and database names

Telemetry dashboard Office 2016

  • Once connected, the dashboard will display, but will be empty at this point.
  • Telemetry dashboard Office 2016
From TechNet

To grant other administrators permission to access the telemetry database

  • You can download and use the Telemetry Dashboard Administration Tool (Tdadm) on the computer that is running SQL Server to allow other administrators to view data in Telemetry Dashboard. You don’t have to run this for your own account if you created a database when you installed the telemetry processor. Update the values for dbserver, dbname, and domain\user as needed.

Telemetry dashboard Office 2016

Run the following on an elevated command line :

  • tdadm.exe -o permission -databaseserver dbserver -databasename dbname -add domain\user
Telemetry dashboard Office 2016
Wiki for Telemetry Dashboard Administration Tool

Enable Telemetry on Office 2016 clients

Once the server side is configured, it’s time to enable and direct the Telemetry toward our Telemetry Processors. We need to configure a GPO for Office 2013 or Office 2016 in order to do so.

Note
For older versions of Office (2003, 2007or 2010), an agent must be deployed on Windows client to use the Telemetry.

See the following post for instruction to deploy the agent with SCCM

  • Edit a GPO and browse to User Configuration/Administrative Templates/Microsoft Office 2016/Telemetry Dashboard

Telemetry dashboard Office 2016

  • Edit Specify the UNC path to store Office Telemetry data
    • Provide the path to the share created earlier

Telemetry dashboard Office 2016

  • Edit Turn on telemetry data collection
    • Set to Enabled

Telemetry dashboard Office 2016

  • Edit Turn on data uploading for Office Telemetry Agent
    • Set to Enabled

Telemetry dashboard Office 2016

  • This should look like this.

Telemetry dashboard Office 2016

  • After a couple hours, the number of Computer under the tab Telemetry Processor will go up

Telemetry dashboard Office 2016

For testing only
It is possible to enable the Telemetry for Office 2013 and 2016, by using registry keys. This should only be used for testing.

For details, see section Use the registry to enable and configure the Office telemetry agent

Previous versions of Office require an agent to be deployed in order to use the Telemetry. Check out the section Telemetry Agent  for more details.

Results

Telemetry dashboard Office 2016

There are great videos and very detailed ways to used the Telemetry dashboard on TechNet site

Share this Post

The post How to setup Telemetry Dashboard for Office 2016 appeared first on System Center Dudes.

]]>
https://www.systemcenterdudes.com/how-to-setup-telemetry-dashboard-for-office-2016/feed/ 2 34915
Step-by-Step SCCM 1710 Upgrade Guide https://www.systemcenterdudes.com/step-by-step-sccm-1710-upgrade-guide/ https://www.systemcenterdudes.com/step-by-step-sccm-1710-upgrade-guide/#comments Tue, 21 Nov 2017 00:09:22 +0000 https://www.systemcenterdudes.com/?p=39592 Microsoft has released a new version of SCCM Current Branch. It’s now time to upgrade your environment! This post is a complete step-by-step SCCM 1710 upgrade guide. If you’re looking for a complete SCCM installation guide, see our blog series which covers it all. You won’t be able to install this upgrade if you are running SCCM 2012, the minimum required version is at least SCCM 1702. This version is the latest baseline version. It’s very important to keep your infrastructure up to date. You can benefit from the new features and fixes lots of issues, which some of them are important. ... Read More

The post Step-by-Step SCCM 1710 Upgrade Guide appeared first on System Center Dudes.

]]>
Need help to upgrade your site ? Consult our fixed price consulting plans to see our rates !

Microsoft has released a new version of SCCM Current Branch. It’s now time to upgrade your environment! This post is a complete step-by-step SCCM 1710 upgrade guide. If you’re looking for a complete SCCM installation guide, see our blog series which covers it all. You won’t be able to install this upgrade if you are running SCCM 2012, the minimum required version is at least SCCM 1702. This version is the latest baseline version.

It’s very important to keep your infrastructure up to date. You can benefit from the new features and fixes lots of issues, which some of them are important. It’s also easier to upgrade to the new version since Microsoft has implemented the new model of update servicing.

SCCM 1710 New Features and Fixes

SCCM 1710 includes lots of new features and enhancements in the adoption of Windows 10 and Office 365 as well in modern management, mobile device management, site infrastructure, compliance settings, application management, software updates, reporting and device protection.

You can consult the What’s new in version 1710 of System Center Configuration Manager Technet article for a full list of changes.

Here’s our list of favorite features:

  • Co-management for Windows 10 devices
  • Restart computers form the Configuration Manager console
  • Add child task sequences to a task sequence (Woot ! My Last year MVP hackathon project)
  • Improvements for Run Scripts

Support for SCCM Current Branch Versions

Ensure to apply this update before you fall into an unsupported SCCM version. Read about the support end date of the prior version of the following Technet article.

SCCM 1706 Upgrade Guide

Before you Begin

Downloading and installing this update is done entirely from the console. There’s no download link, the update will appear on your console once the Service Connection Point is synchronized.

If you’re running a multi-tier hierarchy, start at the top-level site in the hierarchy. After the CAS upgrade, you can begin the upgrade of each child site. Complete the upgrade of each site before you begin to upgrade the next site. Until all sites in your hierarchy are upgraded, your hierarchy operates in a mixed version mode.

Before applying this update, we strongly recommend that you go through the upgrade checklist provided on Technet. Most importantly, initiate a site backup before your upgrade.

In this post, we will update a stand-alone primary site server, consoles, and clients. Before installing, check if your site is ready for the update:

  • Open the SCCM console
  • Go to Administration \ Updates and Servicing
  • In the State column, ensure that the update Configuration Manager 1710 is Available

SCCM 1710 Upgrade Guide

  • If it’s not available, right-click Updates and Servicing and select Check for Updates
Warning

The SCCM 1710 update is not yet available for everyone. If you need it right away you can run the Fast-Ring script and the update will show up.

  • If the update is not downloading, click on the button Download on the upper node. The update state will change to Downloading

SCCM 1710 Upgrade Guide

  • You can follow the download in Dmpdownloader.log or by going to Monitoring / Updates and Servicing Status, right-click your Update Name and select Show Status

SCCM 1710 Upgrade Guide

  • The process will first download the .CAB file and will then extract the file in the EasyPayload folder in your SCCM installation directory.
    • GUID : b56c84cf-f5a1-48d2-b89a-5bac6b2c983b
  • It can take up to 15 minutes to extract all files.

SCCM 1710 Upgrade Guide

You may experience problems if the downloading status remains for a long time. You can find solutions on the net like the MVP Anoop post. Even though updates are becoming easier to do, this is the most common problem. Please note that starting with SCCM 1706, a reset tool has been included to help you in these situations. MVP Kent Agerlund did a great post about the tool.

SCCM 1710 Upgrade Guide

Step 1 | SCCM 1710 Prerequisite Check

Before launching the update, we recommend to launch the prerequisite check first:

  • Open the SCCM console
  • Go to Administration \ Updates and Servicing
  • Right-click the Configuration Manager 1710 update and select Run prerequisite check

SCCM 1710 Upgrade Guide

  • Nothing will happen, the prerequisite check runs in the background and all menu are unavailable during the check
  • One way to see progress is by viewing C:\ConfigMgrPrereq.log

SCCM 1710 Upgrade Guide

  • You can also monitor prerequisite check by going to Monitoring / Update and Servicing Status, right-click your Update Name and select Show Status

SCCM 1710 Upgrade Guide

  • When completed the State column will show Prerequisite check passed

SCCM 1710 Upgrade Guide

Step 2 | Launching the SCCM 1710 update

We are now ready to launch the SCCM 1710 update. At this point, plan about 45 minutes to install the update.

  • Right-click the Configuration Manager 1710 update and select Install Update Pack

SCCM 1710 Upgrade Guide

  • On the General tab, click Next

SCCM 1710 Upgrade Guide

  • On the Features tab, checkboxes on the features you want to enable during the update

SCCM 1710 Upgrade Guide

  • Don’t worry, if you don’t select one of the features now and want to enable it later, you’ll be able to so by using the console in Administration \ Updates and Servicing \ Features

SCCM 1710 Upgrade Guide

  • In the Client Update Options, select the desired option for your client update

SCCM 1710 Upgrade Guide

  • On the License Terms tab, accept the license terms and click Next

SCCM 1710 Upgrade Guide

  • On the Summary tab, review your choices, click Next and close the wizard on the Completion tab

SCCM 1710 Upgrade Guide

The whole process took a minute but the installation begins on the back end.

  • During installation, the State column changes to Installing

SCCM 1710 Upgrade Guide

  • We suggest you monitor the progress, by navigating to Monitoring / Updates and Servicing Status, right-click your Update Name and select Show Status

SCCM 1710 Upgrade Guide

Unfortunately, the status is not updated in real time. Use the Refresh button to update.

  • Open the SCCM log SCCM Installation Directory\Logs\CMUpdate.log with CMTrace

SCCM 1710 Upgrade Guide

We’ve done numerous SCCM upgrades. Some installation start a couple of minutes after you complete the wizard but we’ve seen some installation starts after a 10 minutes delay. Do not reboot or restart any services during this period or your update can be stuck in “Prerequisite check passed” status. There’s actually no officially documented methods by Microsoft to fix that. Patience is the key!
  • When completed, you’ll notice the message There are no pending update package to be processed in the log file
  • Monitoring / Updates and Servicing Status, right-click your Update Name and select Show Status, the last step will be Installation Succeeded

SCCM 1710 Upgrade Guide

  • Refresh the Updates and Servicing node in Administration, the State column will be Installed

SCCM 1710 Upgrade Guide

Updating the Outdated Consoles

As a previous Cumulative update, the console has an auto-update feature. At console opening, if you are not running the latest version, you will receive a warning and the update will start automatically.

  • Since all updates operations were initiated from the console, we didn’t close it during the process. We received a warning message when clicking certain objects. You will have the same message when opening a new console

SCCM 1710 Upgrade Guide

  • Click OK,  console update will start automatically

SCCM 1710 Upgrade Guide

SCCM 1710 Upgrade Guide

  • Wait for the process to complete. You can follow the progress in C:\ConfigMgrAdminUISetup.log and C:\ConfigMgrAdminUISetupVerbose.log. Once completed, the console will open and you’ll be running the latest version

Verification

Consoles

After setup is completed, verify the build number of the console. If the console upgrade was successful, the build number will be 5.0.8577.1000 and the version is now Version 1710 .

SCCM 1710 Upgrade Guide

Servers

  • Go to Administration \ Site Configuration \ Sites
  • Right-click your site and select Properties
  • Verify the Version and Build number

SCCM 1710 Upgrade Guide

Clients

The client version will be updated to 5.00.8577.1003 (after updating, see section below)

 

SCCM 1710 Client Package distribution

You’ll see that the 2 client packages are updated:

  • Navigate to Software Library \ Application Management \ Packages

SCCM 1710 Upgrade Guide

  • Check if the update is successful, otherwise, select both packages and initiate a Distribute Content to your distribution points

Boot Images

Boot images will automatically update during setup. See our post on upgrade consideration in a large environment to avoid this if you have multiple distribution points.

  • Go to Software Library / Operating Systems / Boot Images
  • Select your boot image and check the last Content Status date. It should match your setup date

Updating the Clients

Our preferred way to update our clients is by using the Client Upgrade feature: (You can refer to our complete post documenting this feature)

  • Open the SCCM Console
  • Go to Administration / Site Configuration / Sites
  • Click the Hierarchy Settings in the top ribbon
  • Select Client Upgrade tab
  • The Upgrade client automatically when the new client update is available check box is enable
  • Review your time frame and adjust it to your needs

SCCM 1710 Upgrade Guide

Monitor SCCM Client Version Number

SCCM Reports Client Version

You can see our SCCM Client version reports to give detailed information about every client version in your environment. It’s the easiest way to track your client updates.

SCCM 2012 - System Health Configuration Manager SS

Collections

In conclusion, you can create a collection that targets clients without the latest client version because is very useful when it comes to monitoring non-compliant client.

Here’s the query to achieve this: (You can also refer to our Set of Operational Collection Powershell Script which contains this collection)

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ClientVersion != '5.00.8577.1003'

Happy updating!!

The post Step-by-Step SCCM 1710 Upgrade Guide appeared first on System Center Dudes.

]]>
https://www.systemcenterdudes.com/step-by-step-sccm-1710-upgrade-guide/feed/ 24 39592
SCCM Error 0xC1900208 deploying Windows 10 1709 https://www.systemcenterdudes.com/sccm-windows-10-feature-update-error-0xc1900208/ https://www.systemcenterdudes.com/sccm-windows-10-feature-update-error-0xc1900208/#comments Thu, 09 Nov 2017 15:37:34 +0000 https://www.systemcenterdudes.com/?p=39217 When deploying Windows 10 1709 Feature Update using SCCM, you may encounter errors when running the installation in Software Center. These errors are sent by the Windows setup itself, they are not related to SCCM. In this post, we’ll show you how to troubleshoot these error and how to resolve the error 0xC1900208 – 1047526904. This post assumes that you’ve done the preparation steps to deploy features upgrades with SCCM. Windows 10 1709 Troubleshooting Here are some basic troubleshooting tips that you need to understand before proceeding. This blog post is not about troubleshooting any errors, we’ll focus on the ... Read More

The post SCCM Error 0xC1900208 deploying Windows 10 1709 appeared first on System Center Dudes.

]]>
When deploying Windows 10 1709 Feature Update using SCCM, you may encounter errors when running the installation in Software Center. These errors are sent by the Windows setup itself, they are not related to SCCM. In this post, we’ll show you how to troubleshoot these error and how to resolve the error 0xC1900208 – 1047526904. This post assumes that you’ve done the preparation steps to deploy features upgrades with SCCM.

Windows 10 1709 Troubleshooting

Here are some basic troubleshooting tips that you need to understand before proceeding. This blog post is not about troubleshooting any errors, we’ll focus on the frequent 0xC1900208 error but we think that you need basic understanding before proceeding. If you’re already familiar with this process, skip to the next section.

When launching a Windows 10 feature update from SCCM :

  • Upgrade files (ESD and WindowsUpdateBox.exe) are downloaded in SCCM cache (C:\Windows\ccmcache)
  • Relevant content is also stored in C:\WINDOWS\SoftwareDistribution\Download
  • ESD file is unpacked in the C:\$WINDOWS.~BT folder (hidden)
  • Windows setup is launched from that last location
  • Relevant Log files are located in C:\$WINDOWS.~BT\Sources\Panther
  • To read log file in the Panther directory, ensure to start CMtrace using Administrative privileges

Theses 3 location will get referred in this post. Here’s the relevant Microsoft documentation that will help you troubleshoot any Windows installation errors:

Resolution for Error 0xC1900208 – 1047526904

So let’s get back to our main topic which is resolving Error 0xC19002081047526904. This post has been made on Windows 10 computers using build 1607 and 1703.

  • When running the Windows 10 feature update from the Software Center you receive the error 0xC1900208 :

SCCM Windows 10 Feature Update Error 0xC1900208

  • When retrying a second time the error 0x80240020 is returned. Don’t use this error for troubleshooting, use the first one.

SCCM Windows 10 Feature Update Error 0xC1900208

  • Same error is shown in C:\Windows\CCM\Logs\WUAHandler.log

SCCM Windows 10 Feature Update Error 0xC1900208

Error 0xC1900208 - 1047526904
Following Microsoft documentation our error is due to  :  This could indicate that an incompatible app installed on your PC is blocking the upgrade process from completing. Check to make sure that any incompatible apps are uninstalled and then try upgrading again.

The first easy troubleshooting step you can do at this point is to launch setup.exe from the C:\$WINDOWS.~BT directory.

  • After going through the first screens, the setup will warn you about those incompatible apps. Here are 2 examples we encountered.

SCCM Windows 10 Feature Update Error 0xC1900208 SCCM Windows 10 Feature Update Error 0xC1900208

  • If you don’t want to run the setup.exe, you can refer to the C:\$WINDOWS.~BT\Sources\Panther\CompatData[date-time].xml. You’ll have a couple of Compatdata.xml files, usually, the most recent one will contain the information you need. In this example, Mcafee is the faulty application and give setup the instruction to stop

SCCM Windows 10 Feature Update Error 0xC1900208

  • Our next action was to check the Mcafee website to check if Windows 10 1709 is supported. Unfortunately, it’s not yet supported at the time of this writing. The only option we had was to completely uninstall the Mcafee suite from the computer
  • Once uninstalled, a couple of steps must be performed to restart the upgrade process. If you simply hit Retry in Software Center, it won’t work.
    • Empty the SCCM Cache
    • Delete the content of C:\WINDOWS\SoftwareDistribution\Download folder
    • Delete the C:\$WINDOWS.~BT folder (hidden)
    • Initiate a Software Update Deployment Evaluation Cycle and Software Update Scan Cycle
  • Wait a couple of minute for the scan to complete and retry the deployment
  • The deployment will now work, no more 0xC1900208 errors! You can follow the process in the C:\$WINDOWS.~BT\Sources\Panther\Setupact.log file

SCCM Windows 10 Feature Update Error 0xC1900208

You’ve now mastered the 0xC1900208 error and can continue your Windows 1709 migration !

Share this Post

The post SCCM Error 0xC1900208 deploying Windows 10 1709 appeared first on System Center Dudes.

]]>
https://www.systemcenterdudes.com/sccm-windows-10-feature-update-error-0xc1900208/feed/ 7 39217