Enjoy Sharing

Pass-through Authentication Agent Duplicate–Status Inactive

If you’re one of the early adopters of Azure AD Pass-through Authentication, you may find a duplicate authentication agent in the Azure portal whose Status shows as ‘Inactive’. This happens when you upgrade the Authentication Agent or reinstall it to recover from a fault: the fresh installation registers as a new agent and the old registration is left behind. You may ask, how do I remove this duplicate/inactive agent?

The answer is trivial: you don’t have to. This is normal behaviour and the Inactive entry is automatically removed from the portal after several days, so leave it alone and it will go away on its own. The one thing worth checking before you walk away is that the agent you just installed shows as Active, and that you still have more than one Active agent so that sign-ins don’t depend on a single server.

Enjoy!!!


Setting Up Microsoft Intune with Android for Work

In my previous post I’ve covered Microsoft Intune and Android for Work at a high level to give you an understanding of what it is from Intune standpoint. In this post I will cover the initial setup of Intune to get Android for Work started.

One thing to note is that, at the time of writing, Android for Work support is only available in Intune standalone. I expect this capability to come to hybrid MDM with Configuration Manager, but it is not there yet. If you’ve already got Microsoft Intune running, or you’ve just set your Mobile Device Management Authority, you will notice you can manage Android devices almost right away. This is the traditional/conventional method of Android management. To set up Android for Work, you will find the Android for Work node in the left pane of the console.

Another thing to remember is that Microsoft Intune only supports Android for Work on devices running Android 6.0 and above. Google officially supports version 5.0 and above, but based on its internal testing Microsoft only supports 6.0 and above.


Once you click on that you will see that Android for Work is not configured. So you need to click the Configure button to start with the binding with Android for Work.


As soon as you click the Configure button you will be brought to the Android for Work page in a new tab. There, click SIGN IN.


Here you will be asked to either sign in with a Google account or create one. This is similar to the Apple ID your organisation uses when managing iOS devices. Preferably this account will be accessible to a team in IT and not just a single individual, in case that employee leaves the organisation; treat it like any other shared admin credential and protect it with 2-Step Verification. Click Create account if you choose to create a new one.
On this page, fill in all the details to create a new account, then click Next Step. Remember not to use a personal email address; use an email address accessible by a team in IT, e.g. IT@company.com.


Agree to the terms and conditions.


And you’re done. Click Continue to Google Play.


You will be brought to the Android for Work page already signed in to the user you just created. Click GET STARTED.


Here, configure your organisation’s details and then click CONFIRM.


Once setup is complete click COMPLETE REGISTRATION.


This is how it looks after the binding with Android for Work is completed.


You’ve got the option to manage your Android devices through the conventional method, through Android for Work, or a combination of the two. You basically need to target Android for Work at a user group whose members have a supported device, that is Android 6.0 and above. To target Android for Work at a group of users, create a security group and sync it with Azure AD if you don’t already have one. Choose the third option, then click the Modify button.


Select the group that you want to target Android for Work to, click the Add button then click OK.


Now that you’ve added a group, click Save. Time to rock and roll with enrolling a device using a user account that is a member of the group you just added.

Enjoy!!!


Microsoft Intune and Android for Work

You may or may not have come across Android for Work. What is it and what does it do? Android for Work is Google’s enterprise device management initiative that allows IT to manage and secure corporate information (apps and data) in a separate ‘work profile’. Warning: marketing fluff ahead. Android for Work separates business apps from personal apps so you can use your favourite Android device for both work and play: a dedicated profile for business content that never mixes with your personal stuff, so that IT can’t see or erase your photos, emails or other personal data. Read more about it here.

The Problem Child

You will have noticed the pain of managing Android devices if you’re the administrator responsible for managing devices in your organisation. This comes down to the level of fragmentation in the Android ecosystem, and to the fact that the Android operating system is open source. What this means is that OEMs take the operating system and modify it for their devices, adding extensions on top to provide extra features to users. This is great for the everyday user because there are so many choices out there, but for the systems admin it is a huge nightmare to manage and secure, because each OEM flavour brings its own management hooks and patch cadence. This is one of the goals Android for Work sets out to achieve: a more unified management experience for IT as well as for the end user, much like managing iOS devices.

What You Need to Know

Here are several things you may want to know about Android for Work.

Work Profiles – Android for Work uses a separate profile, similar to a logical container, to separate work from personal. Enabling a work profile allows organizations to manage the business data and applications they care about, but leaves everything else on the device under the user’s control. Administrators control the work profile, which is kept separate from personal accounts, apps and data. This gives a clear boundary of what IT can and cannot do. In this model IT can no longer perform a full device wipe or factory reset; it is limited to wiping the data in the work profile. It also means that most device information remains invisible to IT other than what is exposed within the work profile.

Applications – Contrary to how apps are deployed to Android devices today (side-loaded .apk files or the public Google Play store), in Android for Work apps are delivered from only one source: the Google Play Store. The immediate question will be “what about my LOB apps?”. Google is moving everyone to deploy business apps through its enterprise multi-tenant version of the Play Store called, you guessed it, Google Play for Work. This is an isolated section of the store accessible only to the organisation that owns it; nobody else can see it. This improves security and removes the need to enable the ‘allow installation from unknown sources’ option in the operating system, which is one of the main ways malware gets onto Android devices today. It also means required applications can now be pushed silently to devices, rather than sending the user to a link in the Play Store as the conventional MDM does.

Encryption – is no longer optional when managing devices with Android for Work. Even if the device is not currently encrypted, it will be encrypted at the point the device is enrolled and the work profile is created.

Permissions – Remember those annoying prompts to allow or deny access to parts of the device like contacts, camera and storage? Within the work profile those are gone, because the administrator decides the runtime permissions for an app when it is pushed out, so the end user doesn’t have to. On the personal side of the device nothing changes and the prompts continue to work as before.

Mode of Management – Microsoft Intune can concurrently support both methods of Android management: the conventional MDM method and Android for Work. Intune treats Android for Work as an entirely different device platform, so in the Intune console you will see Android for Work devices alongside managed iOS devices and conventionally managed Android devices. Both modes are available so the administrator can target different groups of users on supported devices, mainly because Android for Work is only available for Android 6.0 and above.

In my following posts I will cover various topics in getting Android for Work running in your Microsoft Intune tenant, so stay tuned.

Enjoy!!!


Upgrading Configuration Manager to 1610

Okay, Configuration Manager 1610 has been released for some weeks now and only recently have I had the chance to upgrade my lab environment. Microsoft is rolling out the update progressively, so you may not yet see it available in your console. If you don’t see it in your console and want to upgrade your ConfigMgr environment to 1610, you can force the upgrade to become available by enabling the fast update ring for 1610. How do you do it? Download the zip file from the link below, extract it and run the PowerShell script it contains. As with any script you download, read it before you run it on a site server. https://gallery.technet.microsoft.com/ConfigMgr-1610-Enable-046cc0e9


You may be asked to change your execution policy if you haven’t already. Enter Y for Yes to proceed.


Next you will be asked to enter your site server. I won’t tell you what it is because you should already know, but if you don’t, you can easily find out.


Next, you would want to force ConfigMgr to check for updates by right-clicking on Updates and Servicing, then selecting Check for updates.


Give it some time and then the 1610 update should appear in your console shortly.


To install ConfigMgr 1610, right-click on the update and then select Install Update Pack.


In the General screen, accept the defaults and then click Next. Optionally you can select the checkbox to ignore any prerequisite check warnings and install this update regardless of missing requirements; that is fine for a lab, but in production you want to read those warnings first.


In the Features screen, you can leave the defaults and click Next, or if you want to test out some pre-release features that come with the 1610 update you can go ahead and select them. You will be able to turn them on after the update is complete too.


In the Client Update Options screen, choose whether you want to first go through your validation process of the new version of the client or just go ahead and roll the new version out to your organization. You would normally want to validate it first on your pre-production computers. Click Next after that.


In the License Terms screen, you know what to do, then click Next.


In the Summary screen, click Next.


And in the Completion screen, click Close.


You’ll see that it is now installing. Give it some time to complete.


Reminders:

Treat this update like any other upgrade: run Setup with /testdbupgrade against a restored copy of your site database (never the live one) before you upgrade your production environment. Other precautions still apply, such as verifying your backups beforehand. You know the drill.

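The test database upgrade mentioned above, scripted end to end as an added example (this is not from the original post or from Microsoft). It restores the backup under a new name, runs Setup.exe /testdbupgrade against that copy and reads the log. Every name in it is a placeholder: the SQL instance SQLLAB, the backup D:\Backups\CM_LAB.bak, the data folder D:\SQL and the setup folder D:\CM1610\SMSSETUP\BIN\X64. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd) is installed.

```powershell
# Added example, not from the post. Run it on a server that is NOT a site system, against a
# RESTORED COPY of the site database; /testdbupgrade must never touch the live database.
# All names below are placeholder assumptions.
$sqlInstance = 'SQLLAB'
$backup      = 'D:\Backups\CM_LAB.bak'
$dataDir     = 'D:\SQL'
$testDb      = 'CM_LAB_TEST'
# For an in-console update the matching setup files live under
# <SiteServer>\EasySetupPayload\<GUID>\SMSSETUP\BIN\X64; copy them here first.
$setupBin    = 'D:\CM1610\SMSSETUP\BIN\X64'

# 1. Read the logical file names out of the backup so the restore works for any site database,
#    and MOVE every file to a new path so nothing collides with a production database.
$files = Invoke-Sqlcmd -ServerInstance $sqlInstance -Query "RESTORE FILELISTONLY FROM DISK = N'$backup'"
$moves = ($files | ForEach-Object {
    $ext = if ($_.Type -eq 'L') { 'ldf' } else { 'mdf' }
    "MOVE N'$($_.LogicalName)' TO N'$dataDir\${testDb}_$($_.LogicalName).$ext'"
}) -join ', '
$restore = "RESTORE DATABASE [$testDb] FROM DISK = N'$backup' WITH $moves, RECOVERY, REPLACE"
Invoke-Sqlcmd -ServerInstance $sqlInstance -Query $restore -QueryTimeout 3600

# 2. Run the test upgrade against the copy and wait for Setup to finish.
$setup = Start-Process -FilePath (Join-Path $setupBin 'setup.exe') `
                       -ArgumentList "/testdbupgrade $testDb" -Wait -PassThru
"setup.exe exit code: $($setup.ExitCode)"

# 3. Setup writes ConfigMgrSetup.log to the root of the system drive; the log, not the exit
#    code, is what you read to decide whether the real upgrade is safe.
$log = Join-Path $env:SystemDrive 'ConfigMgrSetup.log'
Get-Content -Path $log -Tail 20
$errors = Select-String -Path $log -Pattern 'ERROR' -CaseSensitive
if (-not $errors) {
    'Test database upgrade completed without errors; proceed with the production upgrade.'
} else {
    'Test database upgrade reported problems; fix them before touching production.'
    $errors | Select-Object -Last 10
}

# 4. Drop the copy so it is never mistaken for a real site database.
Invoke-Sqlcmd -ServerInstance $sqlInstance -Query "DROP DATABASE [$testDb]"
```

Run it against a SQL Server of the same version and collation as production, otherwise the result tells you nothing about your real site database.
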
Enjoy!!!


Setting Up An EMS Lab in ARM (Azure Resource Manager) Step-By-Step – Part 7

What is an EMS lab without an EMS subscription, right? So now we’re gonna add an EMS subscription. We do this from the Office 365 portal https://portal.office.com. Once logged in, go to Billing > Subscriptions. There you will see that you can add subscriptions at the top right corner of the screen. Click + Add subscriptions.


Here you’ll see heaps of different subscriptions you can add to your tenant. Scroll through the page and look for Enterprise Mobility Suite Direct and hover over it then click Start free trial.


You’ll be asked to confirm your order then click Try now.


In the order receipt page, click Continue.


Now, this trial subscription will give you up to 100 users for up to 30 days. Now most of you do not want your lab to last only for 30 days, right? The good news is, from my experience you will be able to extend your EMS trial to 180 days. That’s 6 months…not too bad at all.

To do this, call Microsoft Online Services Support. I know it can be very difficult to find the right number to call, so I’m gonna save you some misery. For Australia the number is 1800 197 503. For other countries, look up the link below for your respective number. Look under the “Microsoft Dynamics CRM Online, Microsoft Dynamics Marketing, Microsoft Social Engagement and Parature, from Microsoft” section. Honestly I am not sure why it is under that section. On some other pages this number is called the “Global Office 365 support phone numbers for admins”.

https://mbs.microsoft.com/customersource/Global/CRM/support/support-news/Support_Telephone


After the trial extension, you’ll see it reflected in the portal page.


It is also a good idea to assign a license to the Global Administrator account now, which Microsoft has required since November 2015. Basically, go to Active users, highlight your admin user, then click the Edit link beside Product license.


Click on the flip switch for Enterprise Mobility Suite, and then click Save.


Click Close.


If you don’t already know, EMS is a licensing construct that bundles four products: Azure Active Directory Premium, Intune, Azure Rights Management and Advanced Threat Analytics. So once you’ve got the EMS subscription added you should be able to log on to the Intune portal at https://manage.microsoft.com. Remember to use a browser other than Microsoft Edge for this, as currently the portal is still built on Silverlight. HTML5 is to come soon.


Once you’ve confirmed that you’ve got an Intune tenant, it is time to set up hybrid connection with Configuration Manager that we’ve installed for this lab. Back in the Configuration Manager console, navigate to Overview > Microsoft Intune Subscriptions. Right-click on it and the select Add Microsoft Intune Subscriptions.


In the Introduction page, click Next.


In the Subscription page, click Sign In.


Select the checkbox for I understand that after I complete the sign-in process, the mobile device management authority is permanently set to Configuration Manager and cannot be changed. Read that twice: for the tenant this is a one-way door, which is exactly why we are doing it in a lab. Then click OK.


Log in with an administrator account to the Intune tenant, then click Sign in.

Note: If you do get an error after signing in, make sure you have Silverlight installed.


Back to the Subscription page, click Next.


In the General page, click the Browse button for the collection.


Here you have the option of choosing a user collection whose members will be allowed to enroll devices in Intune. You can create a custom collection to control which users are allowed to enroll their phones, or, as I’ve done in my lab, select the default All Users and User Groups collection, which allows basically every user in the domain to enroll phones in Intune. Outside a lab, a scoped collection is the safer choice.


Back in the General page, fill in the Company name, URL and the Configuration Manager site that you want Intune to be connected to. Typically this will be your CAS if you have one; if not, your Primary Site. Click Next.


Fill in the information as needed then click Next.


In the Company Logo page, you can browse for a company logo image or leave it for now and you can configure it later. Click Next.


In the Device Enrollment Manager page, leave the default if you want to configure this later or add users as Device Enrollment Managers. Click Next.


You can select to enable multi-factor authentication if you want an MFA prompt when a user enrolls a device. I’m gonna leave it for now as I can enable it later if I want to. Click Next.


In the Summary page, click Next.


In the Completion page, click Close.

Enjoy!!!


Cannot Turn On Features in Configuration Manager Current Branch

If this is your first time seeing a bunch of features that are turned on or off in the Administration > Cloud Services > Updates and Servicing > Features node of the console, you may be wondering why the option to Turn On a particular feature is greyed out. This is because consent to use pre-release features has to be given first in the Hierarchy Settings.


The exact place to do it in the console is to browse to Overview > Site Configuration > Sites. Once there, click the Hierarchy Settings button at the ribbon.


At the General tab of the Hierarchy Settings, select the checkbox for Consent to use Pre-Release features, then click OK.


Back in the Features node of the console, the option to Turn On a feature is now enabled.

Enjoy!!!


Automating Start/Stop Azure VMs (Resource Manager)

This is part of what I was doing when setting up my lab environment entirely in Azure. To save some credits in my subscription I want to make sure my VMs shut down every day, because we all know a running VM consumes credits. I’m gonna show you one really easy way of doing it without writing any code.

Once you have logged into your subscription, browse to Automation Accounts and then add a new Automation Account. Here you will be asked for a name, subscription and resource group. Note: I should have named it with something to identify it as an Automation Account, perhaps with a “AA-“ prefix? Click Create.


Once the Automation Account has been created, click on it and then click Runbooks.


At the Runbooks blade, click Browse gallery. Then on the new blade, click Stop Azure V2 VMs. This runbook is created by the SC Automation Product Team.


Click Import.


Pretty simple here. Give it a name then click OK.


Here, click the Edit button.


All you need to do here is click Publish.


At this point you’re almost done except that now you should tell it to run. Without it you would have to kick the runbook off manually. On the runbook, click Schedules, then click Add a schedule.


Here, click Schedule – Link a schedule to your runbook, click Create a new schedule, give it a name, a time and date, click Recurring, set how frequent to run, then click Create.


These settings are totally optional. They let you specify a particular Resource Group, a particular VM, and the Connection Asset to use. Click OK twice.


Now that you’ve created and configured an automated task to stop all VMs at a specific time of day, you can do the same to start all VMs at a specific time of day. I normally do this to keep my AD Connect server in sync with Azure AD. So what I normally do as a daily task is start my VMs at, say, 1am every day and stop all my VMs at 3am every day, to get everything in sync at the same time while saving precious credits when not in use.
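The same start-at-1am / stop-at-3am setup done in code, as an added example rather than the gallery runbook used in the post. It is not from the original post or from the SC Automation Product Team. Instead of the Connection Asset the gallery runbook relies on (the Run As account has since been retired) it authenticates with the Automation Account’s system-assigned managed identity, which you give the Virtual Machine Contributor role on the lab resource group only. The resource group RG-Lab02, the account name AA-Lab02 and the time zone are assumptions; it also assumes the Az modules are present in the Automation Account.

```powershell
# Added example, not from the post. Assumes an Automation Account 'AA-Lab02' with a system-assigned
# managed identity holding 'Virtual Machine Contributor' on resource group 'RG-Lab02' (placeholders),
# and the Az modules available both locally and in the Automation Account.
$rg     = 'RG-Lab02'
$aaName = 'AA-Lab02'
$tz     = 'Australia/Sydney'   # schedules take an IANA time zone name

# 1. The runbook body: one parameterised script that starts or stops every VM in a resource group.
$runbook = @'
param(
    [Parameter(Mandatory)][string]$ResourceGroupName,
    [Parameter(Mandatory)][ValidateSet('Start','Stop')][string]$Action
)
# Sign in as the Automation Account's managed identity instead of a stored credential or Run As connection.
$null = Connect-AzAccount -Identity

# -Status populates PowerState ('VM running', 'VM deallocated', ...) so we only touch VMs that need it.
foreach ($vm in Get-AzVM -ResourceGroupName $ResourceGroupName -Status) {
    switch ($Action) {
        'Stop' {
            if ($vm.PowerState -eq 'VM running') {
                Write-Output "Deallocating $($vm.Name)"
                # Without -StayProvisioned the VM is deallocated, which is what stops compute billing.
                Stop-AzVM -ResourceGroupName $ResourceGroupName -Name $vm.Name -Force -NoWait | Out-Null
            }
        }
        'Start' {
            if ($vm.PowerState -ne 'VM running') {
                Write-Output "Starting $($vm.Name)"
                Start-AzVM -ResourceGroupName $ResourceGroupName -Name $vm.Name -NoWait | Out-Null
            }
        }
    }
}
'@
$path = Join-Path $env:TEMP 'Set-LabVmState.ps1'
Set-Content -Path $path -Value $runbook -Encoding UTF8

# 2. Import and publish it in one step.
Import-AzAutomationRunbook -ResourceGroupName $rg -AutomationAccountName $aaName `
    -Name 'Set-LabVmState' -Path $path -Type PowerShell -Published -Force

# 3. Two daily schedules: start at 01:00 so AD Connect can sync, stop at 03:00.
$start = (Get-Date -Hour 1 -Minute 0 -Second 0).AddDays(1)
$stop  = (Get-Date -Hour 3 -Minute 0 -Second 0).AddDays(1)
New-AzAutomationSchedule -ResourceGroupName $rg -AutomationAccountName $aaName `
    -Name 'Daily-Start-0100' -StartTime $start -DayInterval 1 -TimeZone $tz
New-AzAutomationSchedule -ResourceGroupName $rg -AutomationAccountName $aaName `
    -Name 'Daily-Stop-0300' -StartTime $stop -DayInterval 1 -TimeZone $tz

# 4. Link both schedules to the runbook with the matching parameters.
Register-AzAutomationScheduledRunbook -ResourceGroupName $rg -AutomationAccountName $aaName `
    -RunbookName 'Set-LabVmState' -ScheduleName 'Daily-Start-0100' `
    -Parameters @{ ResourceGroupName = $rg; Action = 'Start' }
Register-AzAutomationScheduledRunbook -ResourceGroupName $rg -AutomationAccountName $aaName `
    -RunbookName 'Set-LabVmState' -ScheduleName 'Daily-Stop-0300' `
    -Parameters @{ ResourceGroupName = $rg; Action = 'Stop' }
```

Scoping the identity to the one resource group is the point of doing it this way: a runbook that can deallocate every VM in the subscription is a handy target if the Automation Account is ever compromised.
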


You may find that your runbooks stop running in the middle of the billing cycle. That’s basically because each Automation Account is configured to use the free tier, which gives you 500 job minutes for free. If you do run out of those free minutes, go to the Automation Account > Pricing tier and usage, then click Pricing tier and change it. This way your credits will be consumed to run your runbooks. Don’t worry, from experience it doesn’t cost very much.

Enjoy!!!


Setting Up An EMS Lab in ARM (Azure Resource Manager) Step-By-Step – Part 6

Now that we’ve come this far, it is time to setup synchronization with the on-premises Active Directory. Before that, back to the classic portal. We need to first turn on directory sync on the newly created directory.

Go to the directory and click on the Directory Synchronization tab. Then on the Directory Sync, click on ACTIVATED. Click Save.


At the prompt, click Yes.


Directory Sync is now activated. Now we can begin installing the AD Connect tool. The easiest way to get the latest version of the Azure AD Connect tool is from the classic portal. Alternatively, you can go here to download it. For details about all the previous versions of the tool, go here.


Once downloaded, double-click on the installer to begin installation. At the Welcome page, select I agree to the license terms and privacy notice. Then click Continue.


At the Express Settings page, click Customize.


These settings are really up to you. I have specified a custom installation location and an existing service account. Then click Install.


In this post I am not going to cover setting up single sign-on with ADFS, so we will just install a single AD Connect server. At the User Sign-In page, select Password Synchronization, then click Next.


Enter an Azure AD Global Admin account user name and password, then click Next. These credentials are only used during setup; AD Connect creates its own dedicated account in Azure AD for the ongoing synchronization, so the Global Admin password is not stored on the server.


At the Connect Directories page, enter a user account to connect to your on-premises Active Directory, then click Add Directory.


The directory is added, click Next.


At the Azure AD sign-in page, click Next.


At the Domain/OU Filtering page, keep the defaults if you want to sync all objects in your on-premises AD, then click Next.


At the Identifying users page, keep the defaults and then click Next.


At the Filtering page, keep the defaults and then click Next.


At the Optional Features page, select Password synchronization and Password writeback, then click Next. Password writeback needs an Azure AD Premium licence (included in EMS) and it gives the AD Connect service account the right to reset passwords in your on-premises AD, so protect that account like any other privileged one.


The default is to start synchronization right after the install completes. There is a second option to enable staging mode. A staging-mode server imports from both directories and runs the sync rules, but never exports anything to Azure AD or to on-premises AD; you use it as a warm standby, or to preview what a new configuration would change, and you switch it to active if the primary AD Connect server is lost. Click Next.
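A quick check to run on the AD Connect server once the wizard finishes, as an added example that is not part of the original post: it reports whether this server is in staging mode (and so exporting nothing) and, if it is the active server, triggers a delta sync immediately instead of waiting for the next cycle. It assumes only the ADSync module that the AD Connect installer puts on the server.

```powershell
# Added example, not from the post. Run in an elevated PowerShell session on the AD Connect server;
# the ADSync module is installed by AD Connect setup.
Import-Module ADSync

function Get-AadConnectRole {
    $s = Get-ADSyncScheduler
    [pscustomobject]@{
        Server       = $env:COMPUTERNAME
        StagingMode  = $s.StagingModeEnabled            # $true: imports and syncs, never exports
        SyncEnabled  = $s.SyncCycleEnabled
        Interval     = $s.CurrentlyEffectiveSyncCycleInterval
        NextCycleUtc = $s.NextSyncCycleStartTimeInUTC
    }
}

$role = Get-AadConnectRole
$role | Format-List

if ($role.StagingMode) {
    'This server is in staging mode: nothing it computes reaches Azure AD. Only one server per tenant should be active.'
} else {
    # Kick off a delta sync now rather than waiting for the next scheduled cycle (30 minutes by default).
    Start-ADSyncSyncCycle -PolicyType Delta
}
```

If you later build a second server as a standby, run the same check on both: two servers both reporting StagingMode = False means two servers exporting to the same tenant, which is exactly the state to avoid.
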


Once the configuration is complete, you can click Exit.

Enjoy!!!


Setting Up An EMS Lab in ARM (Azure Resource Manager) Step-By-Step – Part 5

Now that we have purchased a domain name, it is time to add that as a custom domain. Back to the Office 365 portal https://portal.office.com > Settings > Domains. Click + Add Domains.


Enter your newly purchased domain name then click Next.


Note the TXT value. You’ll need it for the next steps.


Back to your domain hosting site. https://1and1.com. Once you’re logged in click on Domains on the left side of the page.


Click on the down-arrow to expand the newly purchased domain name.


Click Edit DNS Settings.


Scroll down the page to the TXT and SRV Records section. Click Add Record.


Enter the TXT value from the Office 365 portal as the value in the TXT record, then click Add.


The TXT record is created. Click the Save button and then we wait for the record to propagate across the Internet.


Back in the Office 365 portal, depending on how long the record takes to propagate, you can periodically click the Verify button to verify ownership of the domain.
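Rather than clicking Verify repeatedly, you can check from your own machine whether the public resolvers already see the TXT record. This is an added example, not from the original post; the domain lab02.xyz and the value MS=ms12345678 are placeholders, so substitute your own domain and the exact value the Office 365 portal gave you. It uses Resolve-DnsName, which ships with Windows.

```powershell
# Added example, not from the post. 'lab02.xyz' and 'MS=ms12345678' are placeholders.
function Test-DomainVerificationRecord {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$Expected,
        [string[]]$Resolvers = @('8.8.8.8', '1.1.1.1')   # public resolvers, i.e. what Office 365 will see
    )
    $results = foreach ($r in $Resolvers) {
        try {
            # -DnsOnly bypasses the local cache and hosts file so each query really goes to $r.
            $txt = (Resolve-DnsName -Name $Domain -Type TXT -Server $r -DnsOnly -ErrorAction Stop).Strings
        } catch {
            $txt = @()   # NXDOMAIN or an unreachable resolver counts as "not found"
        }
        [pscustomobject]@{
            Resolver = $r
            Found    = [bool]($txt -contains $Expected)
            Records  = ($txt -join '; ')
        }
    }
    $results | Format-Table -AutoSize | Out-Host
    # Only report success when every resolver has the record, otherwise Verify may still fail.
    return ($results.Found -notcontains $false)
}

if (Test-DomainVerificationRecord -Domain 'lab02.xyz' -Expected 'MS=ms12345678') {
    'Record visible on all resolvers; click Verify in the Office 365 portal.'
} else {
    'Not propagated everywhere yet; wait and run this again before clicking Verify.'
}
```

The Records column also shows you every other TXT record on the zone, which is a cheap way to notice a stale verification or SPF entry left behind by a previous owner of a cheap domain.
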


Select I’ll manage my own DNS records, then click Next.


Scroll down to the bottom of the page, click to select Skip this step, then click Skip.


Click Finish.

Enjoy!!!


Setting Up An EMS Lab in ARM (Azure Resource Manager) Step-By-Step – Part 4

Now that we’re ready to add a custom domain, let’s go and purchase a domain name. We’re basically using this domain name for a test lab, so unless you want to spend a lot of money on a domain name, I’ve found a registrar where you can get one for as low as $0.99. Bear in mind I am in no way affiliated with, or receive any payment from, this company. To date I have already bought several domains from 1 and 1. Yes, that’s the name. This step-by-step guide is based on purchasing and configuring a custom domain from 1 and 1.

So, first things first, go to https://www.1and1.com/ on your browser. If you’re a first time customer, register for an account. I won’t go through the steps for that. But if you already have an account, go ahead and login at the top right of the page.


I shouldn’t have to tell you how to log in. Tip: If you’ve got an existing domain name with them, you can log in using that as the username too.


Once logged in, click on Domains, on the left hand side of the page.


This is where you will have to spend some time searching for domain names that are available and picking the one you want. If you want to browse a list of prices for each different domain names, then click Domain Price List. I’ve found the cheapest ones are .space and .xyz which are $0.99 for the first year. Of course if you want to spend a little more for the one you love, go ahead.


After some time, I finally decided on my domain name so I’m just going to add that to cart.


Once you’re ready, go ahead and click Checkout.


Click Continue.


Confirm your details, then click continue to checkout.


Check the box to say that you’ve read the terms and conditions, then click Order now.


Congratulations, the domain name is yours.

Enjoy!!!


Setting Up An EMS Lab in ARM (Azure Resource Manager) Step-By-Step – Part 3

Now that we have prepared our Azure IaaS environment, created virtual machines, and setup our domain environment, it is time to create our directory in the cloud, Azure Active Directory. So, first log on to https://manage.windowsazure.com. Yes, we still have to do this part of work in the classic portal. Browse and click on Active Directory on the left pane. There you’ll see all the other directories you may already have existing, or you might have none. Click on the +NEW button on the bottom left of the screen to add a new directory.


Here, go to App Services > Active Directory > Directory > Custom Create.


Select Create new directory and then enter the other necessary details: Name, Domain Name, Country/Region. Remember the Domain Name here must be globally unique; the portal checks whether the name is still available, and if not, you just have to pick another. Then click the check mark at the bottom right.


And now, you have your new Azure Active Directory. Let’s click into it and see what we have.


Click the Users tab. We want to create a dedicated administrator user in the directory instead of using the Microsoft account as the administrator.


At the Users tab, click the Add User button at the bottom of the screen.


Select New user in your organization and then enter a user name for this new admin account. I just called it “admin”. Then click the Right-Arrow at the bottom right.


Populate all the fields; First Name, Last Name, Display Name and Alternate Email Address. For the Role, select Global Admin. Then click the Right-Arrow at the bottom right.


This new account will be assigned a temporary password. Click Create.


A temporary password is created. Note it down somewhere; you’ll need it to log in for the first time, after which it is replaced, so don’t keep it lying around. Click the check mark at the bottom right.


You now have a new Admin account.


Now let’s try to log in using that account. Browse to https://portal.office.com and sign in with the newly created account and the temporary password. The reason I’m introducing the Office 365 portal is that more of the work will be done from this portal, e.g. EMS.

You will be asked to enter the current temporary password and a new password. Click Update password and sign in.


You’re logged in! To go to the Admin console, click on the Admin tile.


Now that you’ve got a directory set up, we’ll want to add a custom domain so that your users don’t have to log on with a user name ending in onmicrosoft.com. On the Office 365 portal, under Settings, click Domains.


This is where you can add a new custom domain for your directory. To do that, you’ll have to first purchase a domain name. That’s the next step to our setup.

Enjoy!!!


Setting Up An EMS Lab in ARM (Azure Resource Manager) Step-By-Step – Part 2

Now that we’ve got the fundamentals out of the way it is time to create some virtual machines. At the very least, we need a domain controller, a server for AD Connect and a server for SCCM.

Click on Virtual machines and then click Add.


Select Windows Server > Windows Server 2012 R2 Datacenter, then click Create.


Enter the details for the virtual machine as below. Change as required. Because I have multiple lab environments, I like to label my VMs with a prefix of “Labxx-“ where xx can be an incremental number to mark the set of VMs in the same environment.

  • Name: Lab02-DC01
  • Username: <username>
  • Password: <password>
  • Subscription: <subscription>
  • Resource group: <The resource group that was created in Part 1>
  • Location: <Location>


Choose a size of the virtual machine, then click Select. I would suggest a F1S Standard VM for a domain controller. If you don’t see it, click View All at the top right corner of the blade to display all VM sizes.


Configure the settings of the virtual machine as below:-

  • Disk type: Standard
  • Storage account: stwklab02
  • Virtual network: VNET-Lab02
  • Subnet: Subnet-01 (10.1.0.0/24)
  • Public IP address: (new) Lab02-DC01
  • Network security group: NSG-Lab02
  • Extensions: None
  • Diagnostics: Enabled
  • Diagnostics storage account: stwklab02
  • Availability set: None


Click OK.


Wait a few minutes for the virtual machine to be provisioned. Once the virtual machine has been created, it is time to add a data disk. I normally use my data disks for program files and databases. If you want, you can add more than one data disk, especially for the SCCM server. The number of data disks you can attach depends on the virtual machine size you picked.


Repeat the process for the remaining virtual machines with the details below:-

  • Lab02-DC01 – Size: F1S; Virtual Network: VNET-Lab02; Subnet: Subnet-01; Public IP: <New>; Network Security Group: NSG-Lab02
  • Lab02-ADC01 – Size: F1S; Virtual Network: VNET-Lab02; Subnet: Subnet-01; Public IP: <New>; Network Security Group: NSG-Lab02
  • Lab02-CM01 – Size: DS2_V2; Virtual Network: VNET-Lab02; Subnet: Subnet-01; Public IP: <New>; Network Security Group: NSG-Lab02

Now that my virtual machines are all created, it is time to set up my domain environment. I will not walk through that step by step here as it is not what this post is about. What I do want to mention is that all virtual machines in Azure IaaS have a dynamic private IP address by default. However, a static IP address is always recommended for a domain controller. Also remember that each of these VMs was given a public IP address, so make sure NSG-Lab02 only allows RDP from your own address rather than from the whole Internet.

To set static IP address for your domain controller, click on Lab02-DC01 virtual machine which will be your domain controller, then click Network interfaces.


You should only have one network interface on that virtual machine. Click IP addresses, change the Assignment to Static and then click Save. A reboot of the virtual machine may be required. As a best practice, always restart a virtual machine from the Azure portal (the ARM console) rather than from inside the guest.

image_thumb3

 

Another thing you want to do for a domain controller is to set its DNS to point to its own IP address. Click DNS servers, click Custom DNS then enter the private IP address of the domain controller virtual machine. Click Save.

In fact do this for all the virtual machines in this lab to point to the domain controller IP address for DNS.

image_thumb[3]
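The same two changes (static private address on the DC's network interface, then custom DNS on every lab VM) done with the Az PowerShell module, as an added example that is not part of the original post. It assumes Connect-AzAccount has already been run, that the resource group is RG-Lab02 (the "RG-" convention from Part 1) and that the DC's address is 10.1.0.4, the first usable host in Subnet-01; change both to match your lab.

```powershell
# Added example, not from the original post. Requires the Az.Compute and
# Az.Network modules and an existing Connect-AzAccount session.
param(
    [string]$ResourceGroup = 'RG-Lab02',     # assumed, follows the post's "RG-" prefix
    [string]$DcVmName      = 'Lab02-DC01',   # from the post
    [string]$DcPrivateIp   = '10.1.0.4',     # assumed: first usable host in Subnet-01 (10.1.0.0/24)
    [string[]]$LabVmNames  = @('Lab02-DC01', 'Lab02-ADC01', 'Lab02-CM01')
)

# Returns the primary network interface object of a VM in the lab resource group.
function Get-LabVmNic {
    param([string]$VmName)
    $vm = Get-AzVM -Name $VmName -ResourceGroupName $ResourceGroup
    Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
}

# 1. Pin the domain controller's private address (portal: Network interfaces >
#    IP addresses > Assignment: Static). Azure may restart the VM to apply it.
$dcNic = Get-LabVmNic -VmName $DcVmName
$ipCfg = $dcNic.IpConfigurations[0]
if ($ipCfg.PrivateIpAllocationMethod -ne 'Static' -or $ipCfg.PrivateIpAddress -ne $DcPrivateIp) {
    $ipCfg.PrivateIpAllocationMethod = 'Static'
    $ipCfg.PrivateIpAddress          = $DcPrivateIp
    $dcNic | Set-AzNetworkInterface | Out-Null
    Write-Host "$DcVmName now has static private IP $DcPrivateIp"
}

# 2. Point every lab VM (the DC included) at the DC for DNS (portal: DNS servers >
#    Custom DNS). This replaces Azure-provided DNS, so the DC must resolve internet
#    names itself through forwarders or root hints.
foreach ($vmName in $LabVmNames) {
    $nic = Get-LabVmNic -VmName $vmName
    $nic.DnsSettings.DnsServers.Clear()
    $nic.DnsSettings.DnsServers.Add($DcPrivateIp)
    $nic | Set-AzNetworkInterface | Out-Null
    Write-Host "$vmName DNS -> $DcPrivateIp"
}

# 3. Verify: re-read each NIC and report the allocation method and DNS servers.
$report = foreach ($vmName in $LabVmNames) {
    $nic   = Get-LabVmNic -VmName $vmName
    $ipCfg = $nic.IpConfigurations[0]
    [pscustomobject]@{
        VM         = $vmName
        PrivateIp  = $ipCfg.PrivateIpAddress
        Allocation = $ipCfg.PrivateIpAllocationMethod
        DnsServers = ($nic.DnsSettings.DnsServers -join ',')
    }
}
$report | Format-Table -AutoSize
```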

In the next part, we will be looking at setting up the integration between the on-premises AD with Azure AD, domain purchase and verification.

 

 

 

Enjoy!!!


Setting Up An EMS Lab in ARM (Azure Resource Manager) Step-By-Step – Part 1

Quick links to the other parts of the post:-

 

I’ve always wanted to do this and the thought of not needing any hardware to run my virtual machines to achieve what I want is such a cool idea. Now is the time I have the chance to do it and here’s the sharing of my experience performing it in the new Azure portal (vs the classic portal) known as the Azure Resource Manager (ARM). Hope you enjoy it.

First we would need a Resource Group. A Resource Group is defined as a container that holds related resources for an application. The resource group could include all of the resources for an application, or only those resources that are logically grouped together. You can decide how you want to allocate resources to resource groups based on what makes the most sense for your organization. Read more about Resource Groups here.

So, go ahead and create a new Resource Group. Click on Resource groups to open up the blade, then click Add.

image

 

Give your Resource Group a name. I like to have a naming convention for resource groups with the prefix “RG-“. Choose the subscription you want it created in and the location where you want the Resource Group to be created.

image

 

The Resource Group is created. Click on the newly created resource group to open up the blade where you can see information about it.

image

 

Secondly, we need a new Storage Account. An Azure storage account provides a unique namespace to store and access your Azure Storage data objects. All objects in a storage account are billed together as a group. By default, the data in your account is available only to you, the account owner.

Click on Storage Accounts, then click Add.

image

 

Storage Account names must be unique and only support lowercase letters and numbers, so choose wisely :). I like to use a naming convention with the prefix “st”. Use locally-redundant storage (LRS) with Standard performance to save on cost/credits. Make sure you select the Resource Group that you created in the previous step. Click Create to begin creating the Storage Account. Read more about Azure Storage Accounts here.

  • Name: stxxx
  • Deployment model: Resource manager
  • Account kind: General purpose
  • Performance: Standard
  • Replication: Locally-redundant storage (LRS)
  • Subscription: <choose one>
  • Resource group: <choose>
  • Location: <choose one>

image

 

The Storage Account is created. Click on the newly created Storage Account to view the information about the Storage Account.

image

 

Next we need a new Virtual Network. An Azure virtual network (VNet) is a representation of your own network in the cloud. It is a logical isolation of the Azure cloud dedicated to your subscription. You can fully control the IP address blocks, DNS settings, security policies, and route tables within this network. You can also further segment your VNet into subnets and launch Azure IaaS virtual machines (VMs) and/or Cloud services (PaaS role instances). Additionally, you can connect the virtual network to your on-premises network using one of the connectivity options available in Azure. In essence, you can expand your network to Azure, with complete control on IP address blocks with the benefit of enterprise scale Azure provides. Read more on Virtual Networks here.

Click on Virtual networks, then click Add.

image

 

Enter all the details to create a new Virtual Network then click Create. I like to use the prefix of “VNET-” to indicate a virtual network object. Remember to select the Resource Group that you just created.

image

 

The Virtual Network is created. Click on the newly created Virtual Network to view the information about the Virtual Network.

image

 

Now we need a new Network Security Group. A network security group (NSG) contains a list of Access Control List (ACL) rules that allow or deny network traffic to your VM instances in a Virtual Network. NSGs can be associated with either subnets or individual VM instances within that subnet. When an NSG is associated with a subnet, the ACL rules apply to all the VM instances in that subnet. In addition, traffic to an individual VM can be restricted further by associating an NSG directly to that VM. Read more about Network Security Groups here.

Click on Network Security Groups, then click Add.

image

 

Enter all the details to create a new Network Security Group then click Create. I like to use the prefix of “NSG-” to indicate a Network Security Group object. Remember to select the Resource Group that you just created.

image

 

The Network Security Group is now created. Click on the newly created Network Security Group to view the information about the Network Security Group.

image

 

Now that you’ve got a new Network Security Group created, we need to configure it so that it will allow Remote Desktop to get to and from our virtual machines. Click on Inbound security rules on the Settings blade, then click Add.

image

 

Here’s what you would want to configure in your inbound rule to allow Remote Desktop into this Network Security Group. Feel free to change the name and priority to suit your situation and obviously port 3389 is the RDP port number.

  • Name: AllowRDPInbound
  • Priority: 100
  • Source: Any
  • Protocol: Any
  • Source port range: *
  • Destination: Any
  • Destination port range: 3389
  • Action: Allow

image

 

Now for the outbound rule. Similarly, now click on Outbound security rules and then click Add.

image

 

 

image

 

Now that we’ve got the Network Security Group created and configured to allow at least RDP traffic to go through it, we now need to associate it. A Network Security Group can either be associated to a network interface or to a subnet. In our case to keep it really simple we’re associating it to a subnet.

Click on Subnets and then click Associate.

image

 

Click on Virtual network then choose the Virtual Network we’ve just created for this lab.

image

 

Click Subnet then choose the subnet that is associated to the Virtual Network of your lab. When you’re done, click OK.

image
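The inbound RDP rule and the subnet association above as an Az PowerShell script, added here and not part of the original post. It keeps the post's rule name, priority and port but replaces Source: Any with a single admin prefix (203.0.113.10/32 is a placeholder; the post's "*" also works but leaves 3389 reachable from the whole internet), and it finishes with a check that lists any inbound rule that still allows RDP from every source. RG-Lab02 and the location are assumptions.

```powershell
# Added example, not from the original post. Requires Az.Network and a
# Connect-AzAccount session. NSG, VNet and subnet names are the post's.
param(
    [string]$ResourceGroup = 'RG-Lab02',        # assumed
    [string]$Location      = 'australiaeast',   # assumed
    [string]$NsgName       = 'NSG-Lab02',
    [string]$VnetName      = 'VNET-Lab02',
    [string]$SubnetName    = 'Subnet-01',
    [string]$SubnetPrefix  = '10.1.0.0/24',
    # The post uses Source: Any ('*'). One admin prefix keeps the RDP listener
    # off the public internet. Placeholder from the 203.0.113.0/24 documentation range.
    [string]$RdpSource     = '203.0.113.10/32'
)

# Creates the NSG if it does not exist and adds (or replaces) the AllowRDPInbound rule.
function Set-LabRdpRule {
    $nsg = Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroup -ErrorAction SilentlyContinue
    if (-not $nsg) {
        $nsg = New-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroup -Location $Location
    }
    if ($nsg.SecurityRules | Where-Object Name -eq 'AllowRDPInbound') {
        $nsg = Remove-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name 'AllowRDPInbound'
    }
    $nsg = Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name 'AllowRDPInbound' `
        -Priority 100 -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $RdpSource -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 3389
    Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg
}

# Associates the NSG with the lab subnet (portal: Subnets > Associate).
function Set-LabSubnetNsg {
    param($Nsg)
    $vnet = Get-AzVirtualNetwork -Name $VnetName -ResourceGroupName $ResourceGroup
    Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName `
        -AddressPrefix $SubnetPrefix -NetworkSecurityGroup $Nsg | Out-Null
    $vnet | Set-AzVirtualNetwork | Out-Null
}

# Lists inbound Allow rules that expose 3389 (or every port) to any source.
# Exact-match check only: a range such as 3000-4000 would not be flagged.
function Get-OpenRdpRules {
    $nsg = Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroup
    $nsg.SecurityRules | Where-Object {
        $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
        ($_.SourceAddressPrefix -contains '*' -or $_.SourceAddressPrefix -contains 'Internet') -and
        ($_.DestinationPortRange -contains '3389' -or $_.DestinationPortRange -contains '*')
    } | Select-Object Name, Priority,
        @{ n = 'Source'; e = { $_.SourceAddressPrefix -join ',' } },
        @{ n = 'Ports';  e = { $_.DestinationPortRange -join ',' } }
}

$nsg = Set-LabRdpRule
Set-LabSubnetNsg -Nsg $nsg
$open = Get-OpenRdpRules
if ($open) {
    Write-Warning "Inbound RDP on $NsgName is still open to any source:"
    $open | Format-Table -AutoSize
} else {
    Write-Host "RDP on $NsgName is limited to $RdpSource"
}
```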

 

We’ll continue the rest of the lab setup in Part 2 of this posting.

 

 

 

Enjoy!!!


Automatically or Manually Update your Configuration Manager Agent/Client

So here’s an interesting finding. You know how Cumulative Update 1 of ConfigMgr 2012 SP2 or ConfigMgr 2012 R2 SP1 has the ability to push out clients with the latest version, including the cumulative update hotfix? Well, there is one catch that most people might have missed, including myself. For a person like me who does so many of these upgrades (either in the lab or at a customer’s environment), you may have realised that the setup page is slightly different depending on which environment you run it in, but not quite been able to put your finger on exactly what the difference is. I’m going to relieve you of trying to remember and tell you that it is exactly what I just mentioned above, the ability to install the latest version of the client during either a client push or an auto-upgrade, and it looks exactly like the screenshots below.

 

Right after you choose to upgrade the Site database, you click Next and you get this. Here you can choose whether you want it to behave just like it has been behaving (Manually apply) or to go to the latest version (Automatically apply).

 

Once you come to the progress page you’ll also realise the additional Action of Configuring automatic client update.

image

 

At the end of the installation, you’ll notice an additional sub-folder in the path where you client is, called ClientUpdate.

image

 

And that’s where you’ll find the .msp file that you would normally execute.

image

 

So what triggers these different setup pages I was talking about? It is the Automatic Client Upgrade tab of the Hierarchy Settings of your site.

Checked = You get the option to choose Automatically apply or Manually apply

Unchecked = You do not get that additional option to choose.

image

 

 

 

Enjoy!!!


Creating a Collection of Computers with Old Configuration Manager Console Version

You might have upgraded your Configuration Manager environment to the latest service pack 1 of 2012 R2 and suddenly realise your console installed on your local computer (not the Site Server) has stopped working and couldn’t connect to your Site Server. You could manually upgrade all your consoles by running the install or you could get ConfigMgr to do that for you. To do that you need a collection of computers that have the older version of the console. Just go ahead and use the collection query statement below to do that. The below queries for the 2012 R2 (non-SP1) version of the console.

Note that if you are trying to query the 2012 SP1 version, it is called “Microsoft System Center 2012 Configuration Manager Console” (without the quotes) instead of what’s used below. The names differ slightly from one version to another.

 

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = 'System Center 2012 R2 Configuration Manager Console'

 

 

 

Enjoy!!!


Creating a Collection of Computers with Old Client Agent Version

So you might want to do this when you want to upgrade older versions of the ConfigMgr agent to a later version. This scenario is common in a Service Pack upgrade or even a Cumulative Update. In my case, I’m trying to upgrade all my clients to ConfigMgr 2012 R2 Service Pack 1 and therefore in my query I’m looking for all client versions that are not equal to the version I’m planning to deploy. You might want to do this just to keep track of your client upgrades.

So if you’re looking at gathering clients of another version, go ahead and change the ClientVersion. You can find out the client version number from the Configuration Manager icon in the Control Panel. So to create that collection, use my exported collection query statement below.

image

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ClientVersion != '5.00.8239.1000'
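Both collection queries (the old-console one from the previous post and the old-client one above) created as query-based device collections with the ConfigurationManager module that ships with the console, as an added example that is not part of the original posts. The site code P01 and the site server name are placeholders; the client query additionally keeps discovered records with no client at all out of the collection, which the post's query on its own does not.

```powershell
# Added example, not from the original posts. Run on a machine with the
# ConfigMgr console installed. Site code and site server are placeholders.
param(
    [string]$SiteCode        = 'P01',             # placeholder
    [string]$SiteServer      = 'cm01.lab.local',  # placeholder
    [string]$TargetClientVer = '5.00.8239.1000',  # 2012 R2 SP1 client, from the post
    [string]$OldConsoleName  = 'System Center 2012 R2 Configuration Manager Console'
)

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
if (-not (Get-PSDrive -Name $SiteCode -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $SiteServer | Out-Null
}
Set-Location "$($SiteCode):\"

$selectCols = 'SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, ' +
              'SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client'

# Console query from the post. The console is a 32-bit application, so the
# 32-bit Add/Remove Programs inventory class is the right one to join.
$oldConsoleQuery = "select $selectCols from SMS_R_System " +
    'inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId ' +
    "where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = '$OldConsoleName'"

# Client query from the post, plus Client = 1 so that discovered records without
# a client (ClientVersion is null, which also != the target) are not targeted.
$oldClientQuery = "select $selectCols from SMS_R_System " +
    "where SMS_R_System.Client = 1 and SMS_R_System.ClientVersion != '$TargetClientVer'"

# Creates (or reuses) a daily-refreshing device collection and attaches the query rule.
function New-QueryCollection {
    param([string]$Name, [string]$Query, [string]$RuleName)
    $col = Get-CMDeviceCollection -Name $Name
    if (-not $col) {
        $daily = New-CMSchedule -RecurInterval Days -RecurCount 1
        $col = New-CMDeviceCollection -Name $Name -LimitingCollectionName 'All Systems' `
                   -RefreshType Periodic -RefreshSchedule $daily
    }
    if (-not (Get-CMDeviceCollectionQueryMembershipRule -CollectionName $Name -RuleName $RuleName)) {
        Add-CMDeviceCollectionQueryMembershipRule -CollectionName $Name -RuleName $RuleName -QueryExpression $Query
    }
    # Membership is evaluated asynchronously; request an update now rather than waiting for the schedule.
    Invoke-CMCollectionUpdate -Name $Name
    $col
}

New-QueryCollection -Name 'Old ConfigMgr Console' -Query $oldConsoleQuery -RuleName 'Console not 2012 R2 SP1'
New-QueryCollection -Name "ConfigMgr Client not $TargetClientVer" -Query $oldClientQuery -RuleName 'Client version mismatch'
```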

 

 

 

 

Enjoy!!!


Deploying or Upgrading System Center Configuration Manager Administrator Console

This is a fairly simple one to do. You may have to do this either because you’ve got a group of users that require access to the Configuration Manager Console where you do not want them to RDP to the Site Server or you’re upgrading the console as part of a service pack upgrade.

First off, get the installer files. And this is typically located at your ConfigMgr installation path C:\Program Files\Microsoft Configuration Manager\tools\ConsoleSetup. I’d recommend that you make a copy of these files to a location where you normally put all your package source.

Next, create an Application. Use the Windows Installer type, but we’re not actually going to kick off the .MSI. You’ll see what I mean later. Then click Next.

image

 

Click Next here.

image

 

Leave the defaults or change the name if you like, then click Next.

image

 

Click Next at the Summary page.

image

 

Click Close. You’re almost there.

image

 

Now, go back to your application Deployment Types tab and right-click on it. Select Properties.

image

 

Go to the Programs tab and change the Installation Program to execute ConsoleSetup.exe instead of the .MSI file. The reason is that the .EXE bootstraps the .MSI and does a number of other things, like prerequisite checks, before it runs, which is why it is better to use the executable. It also lets you specify a couple of other things, like the Site Server you want the console to connect to (instead of prompting the user the first time he/she launches the console), installing missing prerequisites like ReportViewer, or the install location.

Uninstallation is also supported using the /uninstall switch. Replace the Site Server FQDN with your own Site Server Name. You can change the EnableSQM option to either 0 (disable) or 1 (enable) to toggle the experience feedback. Obviously you can also specify a different path where you want it to be installed as TargetDir.

Installation program:

ConsoleSetup.exe /q DefaultSiteServerName=<Site Server FQDN> EnableSQM=0 TargetDir="C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole"

 

Uninstall program:

ConsoleSetup.exe /uninstall /q

image

 

Now, in a console upgrade scenario, you would want ConfigMgr to deploy this out to computers that have the previous version of the console.

To create a collection for targeting this deployment go to: https://weikingteh.wordpress.com/2015/08/14/creating-a-collection-of-computers-with-old-configuration-manager-console-version/

 

 

 

Enjoy!!!


Installing/Applying ConfigMgr 2012 R2 SP1 (SP2)

Now before I go on, you should know there are two files available for download, but I’m still getting the same question about them. https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-2012-configuration-manager-and-endpoint-protection

  • System Center 2012 Configuration Manager and Endpoint Protection SP2
  • System Center 2012 R2 Configuration Manager and Endpoint Protection SP1

Just looking at it you’ll see that one is the first service pack for ConfigMgr 2012 R2 and the other is the second service pack for ConfigMgr 2012, and this is where the confusion lies. Even though that statement is true, deciding which file to use for the installation is where most people get caught by surprise. Even though you’ve read some FAQs about it, some of you might still be unclear. So let me share an easy way of understanding how it all works. Microsoft has brought the two versions of ConfigMgr (2012 and 2012 R2) up to the same level of functionality, so it makes sense to release only one file that applies to both versions of ConfigMgr. They did…except that there is a second file. And trust me, the names used here are not obvious, and that’s probably why you’re reading this now.

 

Think of it this way: Microsoft has released SP2 for ConfigMgr 2012, but the same file will also upgrade a ConfigMgr 2012 R2 site to SP1 level. Remember, they are now essentially the same. It is full media, which allows you to install a complete ConfigMgr environment from nothing. So if you used that file to install ConfigMgr from scratch, you will end up with a ConfigMgr 2012 SP2 installation.

Here’s where the second file comes in. After you’re already on ConfigMgr 2012 SP2 and want to bring it to ConfigMgr 2012 R2 SP1 is when you use the second file. It is a mere 5MB file after extraction. If you are on ConfigMgr 2012 R2, this file will NOT install SP1 for you. Remember, you should be using the first file, which is about 1.1GB.

I hope that short explanation clears things up before I proceed to show you how to back up, restore, test and then upgrade your ConfigMgr environment to SP2, or to SP1 if you were on ConfigMgr 2012 R2.

On to actually performing the upgrade. First, you want to be safe, so you should make a backup of your ConfigMgr database. The best way to protect your ConfigMgr environment is to schedule your backups. This is simple to do using SQL Management Studio.

You should remember that executing the setup.exe /TESTDBUPGRADE not only runs a simulation or a pre-req test, it actually upgrades the database. That is why you should always make a backup of your ConfigMgr database, restore it to another SQL server and then run the /TESTDBUPGRADE on it. So don’t run setup.exe /TESTDBUPGRADE by mistake!

 

Backup

Go to Management > Maintenance Plan. Right-click on it and select Maintenance Plan Wizard.

image

 

Click Next on the SQL Server Maintenance Plan Wizard page.

image

 

Enter a name for your maintenance plan. Click the Change button on the bottom right.

image

 

Configure the schedule you want the backups to run then click OK. Then back at the Select Plan Properties page, click Next.

image

 

Click to select the three checkboxes as below, then click Next.

  • Clean Up History
  • Back Up Database (Full)
  • Maintenance Cleanup Task

image

 

In the Select Maintenance Task Order page, accept the defaults or change the order then click Next.

image

 

Most of the time you do not need to keep more than a week so change to remove historical data older than one week.

image

 

In the Define Back Up Database (Full) Task page, click on the Database drop-down box and select the database you want to backup. Configure the Folder location you want to store the backup file and select the backup compression to Compress backup. Click Next.

image

 

In the Define Maintenance Cleanup Task page, configure the location where you store the backup file and enter bak as the file extension. Change to delete files more than 1 week of age. Click Next.

image

 

In the Select Report Options page, accept the defaults or change to e-mail report if desired, then click Next.

image

 

In the Complete the Wizard page, click Finish.

image

 

In the Maintenance Plan Wizard Progress, click Close once the process is complete.

image

 

Back to the SQL Management Studio console, right-click on the Maintenance Plan you just created and click Execute to run the backup task out of schedule.

image

 

Click Close once the task is completed.

image

 

This is what you’ll end up with after the backup task is complete. Note the file size after compression from an original size of 5GB! Impressive.

image

 

Restore

Now to restore the database so that you can test the upgrade. You have to remember that you cannot restore the ConfigMgr DB to another SQL server that has a ConfigMgr DB. That means you would need another SQL server that is not another ConfigMgr server.

In my case I’ve got another SQL server in my environment and using the SQL Management Studio, right-click on Databases and select Restore Database.

image

 

In the General node of the Restore Database screen, select Device and then browse to locate the .bak file that was generated from the backup process.

image

 

In the Select backup devices dialog, click Add.

image

 

Browse to the location of the .bak file then click OK three times.

image

 

Test DB Upgrade

Now that you’ve got the database restored to another SQL server, we can begin to test the DB upgrade. Remember, setup.exe /TESTDBUPGRADE runs an actual database upgrade.

Using a command prompt or PowerShell window, navigate to the location of the ConfigMgr 2012 SP2 media. Then simply execute “setup.exe /TESTDBUPGRADE <database name>”.

image

 

You can check the progress and status of the upgrade from the ConfigMgrSetup.log file which is normally located in your C:\ root. Now that you’ve successfully upgraded your ConfigMgr database in a separate server, you can now be more confident of it also succeeding in your production ConfigMgr environment.

image
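The same backup, restore-to-another-server and /TESTDBUPGRADE sequence scripted with Invoke-Sqlcmd, added here and not part of the original post. It is meant to run on the test SQL server (setup connects to the local instance), every name and path in it is a placeholder, and it refuses to restore onto an instance that already holds a CM_ database, which is the restriction noted above.

```powershell
# Added example, not from the original post. Run on the test SQL server with the
# SqlServer PowerShell module installed. Every name and path below is a placeholder.
param(
    [string]$ProdInstance = 'CM01',                        # site database server
    [string]$TestInstance = 'SQLTEST01',                   # must not hold any site DB
    [string]$Database     = 'CM_P01',                      # site database name
    [string]$BackupShare  = '\\CM01\Backups',              # readable by both SQL service accounts
    [string]$TestDataDir  = 'D:\SQLData',
    [string]$TestLogDir   = 'D:\SQLLogs',
    [string]$Sp2Media     = 'D:\SC2012_SP2_Configmgr_SCEP' # extracted SP2 (1.1GB) media
)
Import-Module SqlServer
$backupFile = Join-Path $BackupShare ('{0}_{1:yyyyMMdd_HHmm}.bak' -f $Database, (Get-Date))

# 1. Full backup with compression (what the wizard's Back Up Database (Full) task
#    does) plus CHECKSUM, so a damaged page is caught now rather than during the restore.
Invoke-Sqlcmd -ServerInstance $ProdInstance -Database master -QueryTimeout 0 -Query @"
BACKUP DATABASE [$Database] TO DISK = N'$backupFile' WITH COMPRESSION, CHECKSUM, INIT, STATS = 10;
RESTORE VERIFYONLY FROM DISK = N'$backupFile' WITH CHECKSUM;
"@

# 2. Guard: a ConfigMgr database cannot be restored next to another site database.
$siteDbs = Invoke-Sqlcmd -ServerInstance $TestInstance -Database master `
    -Query "SELECT name FROM sys.databases WHERE name LIKE 'CM[_]%'"
if ($siteDbs) {
    throw "$TestInstance already hosts $($siteDbs.name -join ', '); use a SQL server with no site database."
}

# 3. Restore the copy, moving every data and log file into the test instance's own folders.
$files = Invoke-Sqlcmd -ServerInstance $TestInstance -Database master `
    -Query "RESTORE FILELISTONLY FROM DISK = N'$backupFile'"
$moves = foreach ($f in $files) {
    $dir = if ($f.Type -eq 'L') { $TestLogDir } else { $TestDataDir }
    "MOVE N'$($f.LogicalName)' TO N'$(Join-Path $dir ([IO.Path]::GetFileName($f.PhysicalName)))'"
}
Invoke-Sqlcmd -ServerInstance $TestInstance -Database master -QueryTimeout 0 -Query @"
RESTORE DATABASE [$Database] FROM DISK = N'$backupFile' WITH $($moves -join ', '), RECOVERY, STATS = 10;
"@

# 4. /TESTDBUPGRADE really upgrades the database it is given, so it is only ever
#    pointed at the copy on this test instance. Use INSTANCE\DBNAME for a named instance.
$setup = Join-Path $Sp2Media 'SMSSETUP\BIN\X64\setup.exe'
$proc  = Start-Process -FilePath $setup -ArgumentList "/TESTDBUPGRADE $Database" -Wait -PassThru
Write-Host "setup.exe exited with code $($proc.ExitCode); details are in $env:SystemDrive\ConfigMgrSetup.log"
Get-Content "$env:SystemDrive\ConfigMgrSetup.log" -Tail 20
```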

 

Installing SP2

The rest of it is easy. Go ahead and install SP2 into your production environment.

Click Install.

image_thumb1

 

In the Before You Begin page, click Next.

image_thumb3

 

In the Getting Started page, make sure Upgrade this Configuration Manager site is selected then click Next.

image_thumb5

 

In the Microsoft Software License Terms page, select the checkbox to accept the license terms then click Next.

image_thumb8

 

In the Prerequisite Licenses page, select all the checkboxes to accept the license terms and then click Next.

image_thumb9

 

In the Prerequisite Downloads page, choose either to Download required files or Use previously downloaded files then click Next.

image_thumb10

 

In the Server Language Selection page, leave the defaults and click Next.

image_thumb11

 

In the Client Language Selection page, leave the defaults and then click Next.

image_thumb12

 

In the Settings Summary page, click Next.

image_thumb13

 

In the Prerequisite Check page, click Begin Install.

image_thumb14

 

Click Close when the process is complete.

image_thumb15

 

 

Installing ConfigMgr 2012 R2 SP1

Now to get it up to ConfigMgr 2012 R2 SP1. Just so that you know you are using the correct file, it is the smaller of the two, only about 5MB, so this will be a really quick one. Click Upgrade to proceed.

image

 

Click Next.

image

 

In the Software License Terms page, select the I accept the license agreement checkbox and then click Next.

image

 

In the Ready to Install page, click Install.

image

 

In the Setup Complete page, click Finish.

image

 

The Experience

Before ConfigMgr 2012 Service Pack 2 Installation

image

After ConfigMgr 2012 Service Pack 2 Installation

image

After ConfigMgr 2012 R2 Service Pack 1 Installation

image

 

 

 

Enjoy!!!


Setting the SMSCacheSize During OSD Task Sequence (PowerShell)

So you just want to configure the cache size of the Configuration Manager agent to something else other than the default size of 5120MB for whatever reason. Easy right? Since the cache size is set during the installation of the ConfigMgr client you go to the “Setup Windows and ConfigMgr” task and just add the SMSCACHESIZE parameter as the installation properties and it’ll work right? Not so fast.

The installation properties will only work if you’re installing the ConfigMgr client and will not work if you’re re-installing the client. So why might this not work in your task sequence? It is because, if you’ve got the ConfigMgr client installed in your reference image (which is pretty common when creating a sysprep’ed reference image to get things like core apps or software updates installed), running the “Setup Windows and ConfigMgr” task in your task sequence is actually re-installing the ConfigMgr client, and that’s why this method wouldn’t work.

Untitled

 

So how do you work around it? Run a PowerShell script. Below is the contents of the script. Copy and paste it into Notepad and save it as a .ps1 file. Change the $Cache.size to whatever you want in MB.

# Read the ConfigMgr client cache settings from the client's WMI namespace
$Cache = Get-WmiObject -Namespace root\ccm\SoftMgmtAgent -Class CacheConfig
# New cache size in MB (the default is 5120); change this to suit
$Cache.Size = 20480
$Cache.InUse = $true
# Write the change back to WMI
$Cache.Put() | Out-Null
# Restart the SMS Agent Host service so the new size takes effect
Restart-Service -Name ccmexec

After you create a package for your PowerShell script, it is time to add it as a task in your deployment task sequence. So I use the Run PowerShell Script task and reference the package I’ve just created for it. Obviously the Script name is the file name I saved the above content as. Set the PowerShell execution policy to “Bypass”. You would want to run this script after the “Setup Windows and ConfigMgr” task but anything lower will work as well like how I’ve done it. And that should be it!

ts

 

 

 

Enjoy!!!


PowerShell Script to Insert Branding, OEM and Custom Wallpaper

As part of a Windows deployment whether or not using SCCM, MDT or other methods, one thing you probably want to do is customise Windows in such a way that incorporates a corporate image. This script includes customised Lock Screen image, custom wallpaper image and OEM information like logo, support contact, support URL etc.

One requirement is to set a default corporate wallpaper but still allow the user to change it. Although we can set the wallpaper using Group Policy, that would prevent users from changing it, which is why Group Policy is not used here for the wallpaper even though that is how it is most commonly done. Also, preferably we do not want to replace the img01.jpg file which comes with Windows (which may be another way of assigning a custom default wallpaper), so that users still have the ability to change back to it if they wish.

An important thing to note: make sure your BMP and JPG files are saved in the same location as this script. Create all these files as a package and then call the .PS1 file using the Run PowerShell Command task in your SCCM/MDT task sequence.

The script first copies the images BMP and JPG to their respective locations then starts to set the OEM information using the Set-ItemProperty cmdlet, followed by making changes to the registry for the default lock screen and default wallpaper.

 

===Start Script===

$Wallpaper = "backgroundDefault.jpg"
# OSDISK is expected from the task sequence; fall back to the running system drive
$OSDISK = $env:OSDISK
If (-not $OSDISK) { $OSDISK = $env:SystemDrive }

# create the OEM background folder if it is missing
If (-not (Test-Path "$OSDISK\windows\system32\oobe\info\backgrounds")) {
    New-Item "$OSDISK\windows\system32\oobe\info\backgrounds" -ItemType Directory | Out-Null
}

# copy the OEM bitmap, default account picture, lock screen image and wallpaper
Copy-Item "$PSScriptRoot\OEMlogo.bmp" "$OSDISK\windows\system32"
Copy-Item "$PSScriptRoot\user.bmp" "$OSDISK\ProgramData\Microsoft\User Account Pictures"
Copy-Item "$PSScriptRoot\OEMLogo.BMP" "$OSDISK\windows\system32\oobe\info\"
Copy-Item "$PSScriptRoot\$Wallpaper" "$OSDISK\windows\system32\oobe\info\backgrounds\"
Copy-Item "$PSScriptRoot\$Wallpaper" "$OSDISK\Windows\Web\Screen\$Wallpaper"
Copy-Item "$PSScriptRoot\$Wallpaper" "$OSDISK\Windows\Web\Wallpaper\Windows\$Wallpaper"

# make required registry changes (the paths stored below are as the deployed OS sees them at logon)
$strPath  = "HKLM:\Software\Microsoft\Windows\CurrentVersion\OEMInformation"
$strPath2 = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background"
$strPath3 = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization"
$strPath4 = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# OEM information shown in System properties; these keys may not exist on a clean install
If (-not (Test-Path $strPath))  { New-Item -Path $strPath  -Force | Out-Null }
If (-not (Test-Path $strPath2)) { New-Item -Path $strPath2 -Force | Out-Null }
Set-ItemProperty -Path $strPath -Name Logo -Value "C:\Windows\System32\OEMlogo.bmp"
Set-ItemProperty -Path $strPath -Name Manufacturer -Value "My IT Services"
Set-ItemProperty -Path $strPath -Name SupportPhone -Value "(02)9876-1234"
Set-ItemProperty -Path $strPath -Name SupportHours -Value "7:00am to 7:00pm"
Set-ItemProperty -Path $strPath -Name SupportURL -Value "http://example.intranet.myitservices.com/internal_services/IT_services"
Set-ItemProperty -Path $strPath2 -Name OEMBackground -Value 1

# default lock screen image
New-Item -Path HKLM:\Software\Policies\Microsoft\Windows -Name Personalization -Force | Out-Null
Set-ItemProperty -Path $strPath3 -Name LockScreenImage -Value "C:\Windows\Web\Screen\$Wallpaper"

# default wallpaper; WallpaperStyle 2 is the "Stretch" style
New-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies -Name System -Force | Out-Null
Set-ItemProperty -Path $strPath4 -Name Wallpaper -Value "C:\Windows\Web\Wallpaper\Windows\$Wallpaper"
Set-ItemProperty -Path $strPath4 -Name WallpaperStyle -Value "2"

Write-Host "End of Script"

===End Script===

 

 

 

Enjoy!!!


Script to Assign Computer Name from Asset Tag with Validation to be used by SCCM Task Sequence

I’m not usually a script writer (especially when it comes to VBS) but I’m surprised how I got from a small script to basically prompt the user to enter a computer name to something as big as this.

I have been asked to automatically assign the computer name during a Windows deployment. Not just the common task to prompt the user to enter a computer name which you can do pretty easily just by configuring a task sequence variable to the target collection you’re deploying the task sequence to but to assign the computer name with the Asset Tag value found in the BIOS.

In my situation all computers have been assigned with a customised Asset Tag value (either from the manufacturer’s factory or using a separate tool) so what needs to be done is to read that value from the Asset Tag and assign it as the computer name in a Task Sequence. There’s no way I can do it straight out of a task sequence so a script has to be written for it.

So what I’ve done with the script is:-

  • Read the value of the Asset Tag in the BIOS through the SMBIOSAssetTag from Win32_SystemEnclosure class
  • Validate the value first to see if it contains only valid characters and no symbols
  • Read the value of the chassis type through the ChassisType also from the Win32_SystemEnclosure class
  • Depending on the chassis type number read from the BIOS, assign it as either Desktop, Laptop or Unknown
  • Based on whether it is a Desktop or Laptop, run another validation to see if it conforms with the correct naming convention which in my case has a prefix of either “PC-“ or “LT-“ respectively
  • The last 5 characters are validated to contain only numbers. So a full computer name will look something like e.g. “PC-12345” or “LT-98765”.
  • If the value doesn’t conform to the naming convention, then prompt for the user to enter the correct computer name
  • Run the check after to validate the values entered by the user that it conforms to naming conventions and prompt again until a valid value is entered
  • Only if it passes all of the above, then proceed to assign the value to the OSDComputerName

Phew…that was quite a lengthy one. And quite a lengthy one it is. Attached below is the script that makes all this work.

 

===Start Script===

Dim objOSD, objRegEx
Dim Matches, Match
Dim strPattern, strInputBox, strReason
Dim boolLength, boolValid, StrType

Set objOSD = CreateObject("Microsoft.SMS.TSEnvironment")
Set objRegEx = New RegExp
Set SWBemlocator = CreateObject("WbemScripting.SWbemLocator")
Set objWMIService = SWBemlocator.ConnectServer(strComputer,"root\CIMV2",UserName,Password)
Set colItems = objWMIService.ExecQuery("Select * from Win32_SystemEnclosure",,48)
For Each objItem in colItems
OSDComputername = objItem.SMBIOSAssetTag
OSDComputername = Left(OSDComputerName,8)
Next

‘ Define valid patterns as and character not in (A-Z, 0-9, or -)
strPattern = "[^a-zA-Z0-9-]"
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colChassis = objWMIService.ExecQuery _
    ("Select * from Win32_SystemEnclosure")
For Each objChassis in colChassis
    For  Each strChassisType in objChassis.ChassisTypes
        Select Case strChassisType

            Case 3
                  StrType = "Desktop"
            Case 4
                   StrType = "Desktop"
            Case 6
                   StrType = "Desktop"
            Case 7
                  StrType = "Desktop"
            Case 8
                StrType = "Laptop"
            Case 9
                 StrType = "Laptop"
            Case 10
                  StrType = "Laptop"
            Case 11
                  StrType = "Laptop"
            Case 12
                   StrType = "Laptop"
            Case 14
                  StrType = "Laptop"
            Case 15
                  StrType = "Laptop"
            Case Else
        StrType = "unknown"
            End Select
    Next
Next
If StrType = "Desktop" then

  Do
   ' Check ComputerName - must comply with the naming standard
   If Len(OSDComputerName) <> 8 Then
    boolLength = False
   ElseIf Left(OSDComputerName, 3) <> "PC-" AND Left(OSDComputerName, 3) <> "EV-" Then
    boolLength = False
   ElseIf IsNumeric(Right(OSDComputerName, 5)) = False Then
    boolLength = False
   Else
    boolLength = True
   End If

   ' Check character validity against the current name (not an empty variable):
   ' any match on strPattern is an invalid character
   boolValid = True
   objRegEx.Global = True
   objRegEx.Pattern = strPattern
   Set Matches = objRegEx.Execute(OSDComputerName)
   If Matches.Count > 0 Then boolValid = False

   ' Prompt only when the name fails either check. The flags are Booleans,
   ' so test them directly rather than comparing with the string "False"
   If Not (boolLength And boolValid) Then
    strInputBoxA = InputBox("Enter desired machine name:" & VbCrLf & VbCrLf & "Names must start with PC- and only numbers in the last 5 characters " & VbCrLf & "Current PC number is :- (" & OSDComputerName & ")","Machine Name",,60,60)
    If strInputBoxA = "" Then TemplateQuit(0)
    ' Convert string to upper case
    OSDComputerName = UCase(strInputBoxA)
   End If
  ' Exit only after a pass through both checks succeeds without prompting
  Loop While Not (boolLength And boolValid)
End If
If StrType = "Laptop" then

  Do
   ' Check ComputerName - must comply with the naming standard
   If Len(OSDComputerName) <> 8 Then
    boolLength = False
   ElseIf Left(OSDComputerName, 3) <> "LT-" AND Left(OSDComputerName, 3) <> "EV-" Then
    boolLength = False
   ElseIf IsNumeric(Right(OSDComputerName, 5)) = False Then
    boolLength = False
   Else
    boolLength = True
   End If

   ' Check character validity against the current name
   boolValid = True
   objRegEx.Global = True
   objRegEx.Pattern = strPattern
   Set Matches = objRegEx.Execute(OSDComputerName)
   If Matches.Count > 0 Then boolValid = False

   If Not (boolLength And boolValid) Then
    strInputBoxA = InputBox("Enter desired machine name:" & VbCrLf & VbCrLf & "Names must start with LT- and only numbers in the last 5 characters " & VbCrLf & "Current PC number is :- (" & OSDComputerName & ")","Machine Name",,60,60)
    If strInputBoxA = "" Then TemplateQuit(0)
    ' Convert string to upper case
    OSDComputerName = UCase(strInputBoxA)
   End If
  Loop While Not (boolLength And boolValid)
End If
If StrType = "Unknown" then

  Do
   ' Check ComputerName - must comply with the naming standard
   If Len(OSDComputerName) <> 8 Then
    boolLength = False
   ElseIf Left(OSDComputerName, 3) <> "LT-" AND Left(OSDComputerName, 3) <> "PC-" AND Left(OSDComputerName, 3) <> "EV-" AND Left(OSDComputerName, 1) <> "V" Then
    boolLength = False
   ElseIf IsNumeric(Right(OSDComputerName, 5)) = False Then
    boolLength = False
   Else
    boolLength = True
   End If

   ' Check character validity against the current name
   boolValid = True
   objRegEx.Global = True
   objRegEx.Pattern = strPattern
   Set Matches = objRegEx.Execute(OSDComputerName)
   If Matches.Count > 0 Then boolValid = False

   If Not (boolLength And boolValid) Then
    strInputBoxA = InputBox("Enter desired machine name:" & VbCrLf & VbCrLf & "Names must start with PC- or LT- and only numbers in the last 5 characters " & VbCrLf & "Current PC number is :- (" & OSDComputerName & ")","Machine Name",,60,60)
    If strInputBoxA = "" Then TemplateQuit(0)
    ' Convert string to upper case
    OSDComputerName = UCase(strInputBoxA)
   End If
  Loop While Not (boolLength And boolValid)
End If

objOSD("OSDComputerName") = OSDComputerName

===End Script===

Enjoy!!!


Hello Windows 10. Have you seen 9?

Good morning! Today is the day Microsoft is set to release the preview of its next operating system after Windows 8.x. As you would expect, Windows 9 is just around the corner… not. To the surprise of many, Microsoft is releasing its latest operating system as… Windows 10!

Yes, doesn’t that make you wonder where 9 went? In the blog post announcing the release, Microsoft says the next release of Windows is so big that it deserves a perfect 10. From my view this release is set not only to incrementally fix the shortcomings of Windows 8 but to rethink the way an OS should run across the slew of different devices in use today.

So some things that we can expect from Windows 10:-

(images courtesy from Microsoft blog release)

1. Welcome back, Start Menu.

If you’ve been using Windows 8 and 8.1 (that includes Windows Server 2012 and 2012 R2) you will not have seen the Start Menu (it was replaced with a Start screen) for some time now. It is back, better and bigger… literally. Live tiles are not entirely gone though: you can still pin your favourite tiles to the Start Menu.


2. Windows, windows windows

The thing that made Windows 8 confusing for some users is the fact that there are two types of apps: a desktop app, and a ‘metro’ app (or, as I should call it, a modern UI app) that always runs full screen and is optimized for touch on tablets and touch devices. Now the modern UI app runs in a window too, complete with a top toolbar and the familiar three buttons to minimize, restore and close it. The ability to pin it to the taskbar is still there, so that’s good.


3. Snapping a window is a snap

This is probably going to be my favourite. With higher resolution screens (mine is 3200 x 1800) we’ve got so much more screen real estate to use. We used to be able to snap an open window to the left or right so that it resizes to take that half of the screen. Now we can snap four app windows, one in each quadrant. Not only that, when an app is snapped, Windows suggests other open apps to fill the remaining desktop space.


4. New button for task view

We’re all familiar with Alt-Tab to switch between windows. Now there’s a new task view button; hit it and it displays all the open apps, which you can select to bring to the foreground, or use it to switch between desktops.


5. Hold on. Did I say switch desktops?

Yes I did. You can now have multiple desktops, each perhaps for a different purpose: one for your personal things and one where you keep the work documents you’re currently working on.


For further reading follow the link below; there’s also a short video running through those features. Now if you’re like me and wondering how to get your hands on this Technical Preview copy of Windows 10, there is a Windows Insider Program about to open where you can sign up to be one of the first to test drive Windows 10 and hopefully provide feedback.

Where? Just go to http://preview.windows.com/. If you don’t see anywhere to sign up yet, wait a little longer, as we’re all expecting it to open really soon. Microsoft has been clear that this is a pre-release version, so expect it to be less refined while they iron out the rough edges.

Enjoy!!!


Configuration Manager Client Package source version keeps incrementing/increasing causing disk space to fill up in schedule.box

I first realized there was a problem when replication between my CAS and primary site stopped going well. I soon found out that the partition ConfigMgr was installed on had run out of disk space. That would explain the replication problem, but what was filling the disk? Checking folder by folder I found the offending folder: Program Files\Microsoft Configuration Manager\inboxes\schedule.box, specifically its ‘tosend’ subfolder.

I also realized that my server was busy transferring files, which can be seen in sender.log. I soon noticed it was the ConfigMgr client package, and the Monitoring workspace showed it in the midst of updating all the DPs. Shockingly, the source version of the Configuration Manager Client Package had climbed to close to 200; notice version 180 in the distmgr.log excerpt below. Every version bump takes a fresh snapshot of the package and queues it for every DP, and that is what was piling up in schedule.box\tosend.

Found notification for package ‘CL100003’    SMS_DISTRIBUTION_MANAGER    9/11/2014 3:37:53 AM    7140 (0x1BE4)
Used 0 out of 3 allowed processing threads.    SMS_DISTRIBUTION_MANAGER    9/11/2014 3:37:53 AM    7140 (0x1BE4)
Sleep 30 minutes…    SMS_DISTRIBUTION_MANAGER    9/11/2014 3:37:53 AM    6628 (0x19E4)
Starting package processing thread, thread ID = 0x2304 (8964)    SMS_DISTRIBUTION_MANAGER    9/11/2014 3:37:53 AM    7140 (0x1BE4)
Starting package processing thread, thread ID = 0x1A60 (6752)    SMS_DISTRIBUTION_MANAGER    9/11/2014 3:37:54 AM    7140 (0x1BE4)
Sleep 3600 seconds…    SMS_DISTRIBUTION_MANAGER    9/11/2014 3:37:54 AM    7140 (0x1BE4)
STATMSG: ID=2300 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=<FQDN> SITE=CAS PID=2644 TID=8964 GMTDATE=Wed Sep 10 17:37:54.312 2014 ISTR0="Configuration Manager Client Package" ISTR1="CL100002" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="CL100002"    SMS_DISTRIBUTION_MANAGER    9/11/2014 3:37:54 AM    8964 (0x2304)
Start updating the package CL100002…    SMS_DISTRIBUTION_MANAGER    9/11/2014 3:37:54 AM    8964 (0x2304)
CDistributionSrcSQL::UpdateAvailableVersion PackageID=CL100002, Version=180, Status=2300    SMS_DISTRIBUTION_MANAGER    9/11/2014 3:37:54 AM    8964 (0x2304)
STATMSG: ID=2300 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=<FQDN> SITE=CAS PID=2644 TID=6752 GMTDATE=Wed Sep 10 17:37:54.344 2014 ISTR0="Configuration Manager Client Upgrade Package" ISTR1="CL100003" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="CL100003"    SMS_DISTRIBUTION_MANAGER    9/11/2014 3:37:54 AM    6752 (0x1A60)
Start updating the package CL100003…    SMS_DISTRIBUTION_MANAGER    9/11/2014 3:37:54 AM    6752 (0x1A60)
Taking package snapshot for package CL100002 from source \\<FQDN>\SMS_CAS\Client    SMS_DISTRIBUTION_MANAGER    9/11/2014 3:37:54 AM    8964 (0x2304)
CDistributionSrcSQL::UpdateAvailableVersion PackageID=CL100003, Version=180, Status=2300    SMS_DISTRIBUTION_MANAGER    9/11/2014 3:37:54 AM    6752 (0x1A60)
Taking package snapshot for package CL100003 from source \\<FQDN>\SMS_CAS\ClientUpgrade    SMS_DISTRIBUTION_MANAGER    9/11/2014 3:37:54 AM    6752 (0x1A60)
The size of package CL100003, version 180 is 1576 KBytes    SMS_DISTRIBUTION_MANAGER    9/11/2014 3:37:54 AM    6752 (0x1A60)
Successfully created RDC signatures for package CL100003 version 180    SMS_DISTRIBUTION_MANAGER    9/11/2014 3:37:54 AM    6752 (0x1A60)
Creating hash for algorithm 32780    SMS_DISTRIBUTION_MANAGER    9/11/2014 3:37:54 AM    6752 (0x1A60)
The hash for algorithm 32780 is D6279C75363ECFBE0F4A64447E472F512261393FFBE6246AB153ACEF41C53094    SMS_DISTRIBUTION_MANAGER    9/11/2014 3:37:54 AM    6752 (0x1A60)
The RDC signature hash for algorithm 32780 is 9CEFAE33CC2B4475D5B67C8C6046A48834B03C292B59C16222070B6161168017    SMS_DISTRIBUTION_MANAGER    9/11/2014 3:37:54 AM    6752 (0x1A60)
STATMSG: ID=2376 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=<FQDN> SITE=CAS PID=2644 TID=6752 GMTDATE=Wed Sep 10 17:37:54.600 2014 ISTR0="CL100003" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="CL100003"    SMS_DISTRIBUTION_MANAGER    9/11/2014 3:37:54 AM    6752 (0x1A60)
CDistributionSrcSQL::UpdateAvailableVersion PackageID=CL100003, Version=180, Status=2376    SMS_DISTRIBUTION_MANAGER    9/11/2014 3:37:54 AM    6752 (0x1A60)
The source for package CL100003 has changed or the package source needs to be refreshed    SMS_DISTRIBUTION_MANAGER    9/11/2014 3:37:54 AM    6752 (0x1A60)
Adding these contents to the package CL100003 version 180.    SMS_DISTRIBUTION_MANAGER    9/11/2014 3:37:54 AM    6752 (0x1A60)
The Package Action is 1, the Update Mask is 32 and UpdateMaskEx is 0.    SMS_DISTRIBUTION_MANAGER    9/11/2014 3:37:54 AM    6752 (0x1A60)
Use drive E for storing the compressed package.    SMS_DISTRIBUTION_MANAGER    9/11/2014 3:37:54 AM    6752 (0x1A60)
Successfully created/updated the package CL100003    SMS_DISTRIBUTION_MANAGER    9/11/2014 3:37:54 AM    6752 (0x1A60)

 

This happened during my hierarchy expansion from a standalone primary to a CAS with multiple primaries. The Configuration Manager Client Package kept the same package ID but had its source path changed to the CAS server’s UNC path, and that may have triggered a package update. Trying to stop the DP transfer by deleting the package or removing its content didn’t work, because those options are grayed out for the built-in client packages.


To be able to do that you need to go into SQL. One caveat first: editing the site database directly is not supported by Microsoft, so take a backup of the site database before you touch it. Then create two new packages, one for the Configuration Manager Client Package and one for the Configuration Manager Client Upgrade Package. They will get new package IDs. Note them down!

Then, in a new query window in SQL Server Management Studio, look up your existing ClientDeploymentSettings row. CM_CAS is the site database for site code CAS; substitute CM_<YourSiteCode> for your own site.

select * from CM_CAS.dbo.ClientDeploymentSettings

 

This will return your current FullPackageID and UpgradePackageID. Next, update them to the package IDs of the two new packages you’ve just created, using the statements below.

update CM_CAS.dbo.ClientDeploymentSettings set FullPackageID = '<new package ID>' where FullPackageID = '<old package ID>'

 

Now do the same for the UpgradePackageID

update CM_CAS.dbo.ClientDeploymentSettings set UpgradePackageID = '<new upgrade package ID>' where UpgradePackageID = '<old upgrade package ID>'

 

After this you can go ahead and remove the old package from the DPs. The option will not be grayed out anymore.

If this still does not solve your problem, especially after a reboot (the problem may re-occur after a reboot), investigate further and you will find this in your hman.log.

HandleRBACPermissions : Check if there is request.    SMS_HIERARCHY_MANAGER    9/11/2014 2:12:02 PM    5160 (0x1428)
End sync rbac permissions.    SMS_HIERARCHY_MANAGER    9/11/2014 2:12:02 PM    5160 (0x1428)
Update site server active directory informtion into DB    SMS_HIERARCHY_MANAGER    9/11/2014 2:12:02 PM    5160 (0x1428)
Handle auto-upgrade client configuration changes    SMS_HIERARCHY_MANAGER    9/11/2014 2:12:02 PM    5160 (0x1428)
Update auto-upgrade client configurations    SMS_HIERARCHY_MANAGER    9/11/2014 2:12:02 PM    5160 (0x1428)
INFO: client.acu file was found. client upgrade packages need to be updated.    SMS_HIERARCHY_MANAGER    9/11/2014 2:12:02 PM    5160 (0x1428)
INFO: Current client upgrade settings are: FullClientPackageID=CL100002, ClientUpgradePackageID=CL100003, ClientUpgradeProgramName=Configuration Manager Client Upgrade Program, ClientUpgradeAdvertisementID=CL120000, ClientUpgradeVersion=5.00.7958.1000.    SMS_HIERARCHY_MANAGER    9/11/2014 2:12:02 PM    5160 (0x1428)
INFO: Successfully requested package CL100002 to be updated from its source.    SMS_HIERARCHY_MANAGER    9/11/2014 2:12:02 PM    5160 (0x1428)
INFO: Successfully requested package CL100003 to be updated from its source.    SMS_HIERARCHY_MANAGER    9/11/2014 2:12:02 PM    5160 (0x1428)
INFO: Successfully updated packages CL100002 and CL100003    SMS_HIERARCHY_MANAGER    9/11/2014 2:12:02 PM    5160 (0x1428)
INFO: Client upgrade command line will be modified to ccmsetup.exe /AutoUpgrade /UpgradePackageVersion:240    SMS_HIERARCHY_MANAGER    9/11/2014 2:12:02 PM    5160 (0x1428)
Updating supported platforms for auto-upgrade client program.    SMS_HIERARCHY_MANAGER    9/11/2014 2:12:02 PM    5160 (0x1428)
INFO: Successfully updated program Configuration Manager Client Upgrade Program of package CL100003 with new command line: ccmsetup.exe /AutoUpgrade /UpgradePackageVersion:240    SMS_HIERARCHY_MANAGER    9/11/2014 2:12:02 PM    5160 (0x1428)
INFO: Successfully modified the command line for client upgrade program Configuration Manager Client Upgrade Program in package CL100003.    SMS_HIERARCHY_MANAGER    9/11/2014 2:12:02 PM    5160 (0x1428)

 

Notice that the client.acu file is found in the Program Files\Microsoft Configuration Manager\inboxes\hman.box path, and that is what instructs Hierarchy Manager to update the two packages. It is a 0 KB file. Go ahead and delete that file from your server and that should stop your Configuration Manager Client Package from wrongly updating itself. If the file comes back, check whether the automatic client upgrade configuration on the Client Upgrade tab of Hierarchy Settings was changed, since that is the change Hierarchy Manager is reacting to (“Handle auto-upgrade client configuration changes” in the log above).
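The procedure above is a manual one. As an added example (not code from the original post), the PowerShell below gives you a read-only health check for the same symptom before you go near SQL: it parses distmgr.log lines of the form UpdateAvailableVersion PackageID=…, Version=… and reports how far each package’s source version has climbed, measures what is queued in schedule.box\tosend, and tells you whether hman.box\client.acu is present. The ConfigMgr install folder, the log path and the sample log lines are assumptions constructed to match the excerpt in this post; run it on the site server and point it at the real paths.

```powershell
# Added example, not from the original post. Read-only check for a runaway
# client package version, the tosend backlog and the client.acu trigger file.
# Assumed paths; adjust to your site server.

function Get-PackageVersionHistory {
    # Returns a hashtable: PackageID -> sorted, de-duplicated list of source versions seen in the log
    param([Parameter(Mandatory)][string[]]$LogLines)

    $pattern = 'UpdateAvailableVersion PackageID=(?<Pkg>[A-Z0-9]{8}), Version=(?<Ver>\d+)'
    $history = @{}
    foreach ($line in $LogLines) {
        if ($line -match $pattern) {
            $pkg = $Matches['Pkg']
            if (-not $history.ContainsKey($pkg)) { $history[$pkg] = @() }
            $history[$pkg] += [int]$Matches['Ver']
        }
    }
    foreach ($pkg in @($history.Keys)) {
        $history[$pkg] = @($history[$pkg] | Sort-Object -Unique)
    }
    return $history
}

function Find-RunawayPackage {
    # Flags packages whose version has climbed past $Threshold. The post saw 180+
    # for CL100002/CL100003; a healthy client package only bumps on real updates.
    param(
        [Parameter(Mandatory)][hashtable]$History,
        [int]$Threshold = 50
    )
    foreach ($pkg in $History.Keys) {
        $versions = $History[$pkg]
        $max = ($versions | Measure-Object -Maximum).Maximum
        if ($max -gt $Threshold) {
            [pscustomobject]@{
                PackageID  = $pkg
                MaxVersion = $max
                BumpsInLog = $versions.Count
            }
        }
    }
}

function Get-ToSendSizeMB {
    # Size of everything queued in schedule.box\tosend (what was filling the disk)
    param([Parameter(Mandatory)][string]$SiteInstallDir)
    $toSend = Join-Path $SiteInstallDir 'inboxes\schedule.box\tosend'
    if (-not (Test-Path $toSend)) { return 0 }
    $sum = (Get-ChildItem -Path $toSend -Recurse -File -ErrorAction SilentlyContinue |
            Measure-Object -Property Length -Sum).Sum
    return [math]::Round(($sum / 1MB), 1)
}

function Test-ClientAcuPresent {
    # The 0 KB trigger file Hierarchy Manager acts on ("client.acu file was found")
    param([Parameter(Mandatory)][string]$SiteInstallDir)
    return Test-Path (Join-Path $SiteInstallDir 'inboxes\hman.box\client.acu')
}

# --- Constructed sample input modelled on the distmgr.log excerpt in the post ---
$sampleLog = @(
    'CDistributionSrcSQL::UpdateAvailableVersion PackageID=CL100002, Version=178, Status=2300    SMS_DISTRIBUTION_MANAGER    9/11/2014 1:37:54 AM    8964 (0x2304)',
    'CDistributionSrcSQL::UpdateAvailableVersion PackageID=CL100003, Version=178, Status=2300    SMS_DISTRIBUTION_MANAGER    9/11/2014 1:37:54 AM    6752 (0x1A60)',
    'CDistributionSrcSQL::UpdateAvailableVersion PackageID=CL100002, Version=179, Status=2300    SMS_DISTRIBUTION_MANAGER    9/11/2014 2:37:54 AM    8964 (0x2304)',
    'CDistributionSrcSQL::UpdateAvailableVersion PackageID=CL100002, Version=180, Status=2300    SMS_DISTRIBUTION_MANAGER    9/11/2014 3:37:54 AM    8964 (0x2304)',
    'CDistributionSrcSQL::UpdateAvailableVersion PackageID=CL100003, Version=180, Status=2376    SMS_DISTRIBUTION_MANAGER    9/11/2014 3:37:54 AM    6752 (0x1A60)',
    'CDistributionSrcSQL::UpdateAvailableVersion PackageID=CAS00012, Version=3, Status=2300    SMS_DISTRIBUTION_MANAGER    9/11/2014 3:40:10 AM    8964 (0x2304)'
)

# Assumed install folder. On a real server read the live log instead of $sampleLog:
#   $lines = Get-Content (Join-Path $siteDir 'Logs\distmgr.log')
$siteDir = 'C:\Program Files\Microsoft Configuration Manager'

$history = Get-PackageVersionHistory -LogLines $sampleLog
Find-RunawayPackage -History $history -Threshold 50 | Format-Table -AutoSize
"tosend size: {0} MB" -f (Get-ToSendSizeMB -SiteInstallDir $siteDir)
"client.acu present: {0}" -f (Test-ClientAcuPresent -SiteInstallDir $siteDir)
```

With the constructed sample, only CL100002 and CL100003 are flagged; the low-version package is ignored. Pair the output with the read-only select from ClientDeploymentSettings shown earlier to confirm which package IDs the hierarchy is actually acting on before you decide whether the SQL update and the client.acu deletion are needed.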

 

 

 

Enjoy!!!


ConfigMgr 2012 Pre-requisites Installation Tool

Have you been trying to remember the long list of pre-requisite components needed for each ConfigMgr server role? Take a look at this. I used to document the steps to make it easier, then moved to PowerShell, and nowadays I actively use this tool for most of my ConfigMgr installations. This new version by Nickolaj Andersen supports ConfigMgr 2012 R2 and has tabs for each ConfigMgr server you’re preparing: CAS, Primary, Secondary etc. So no more trying to remember the list of pre-reqs? Maybe. Download version 1.3.0 here. There is also an older version still available for ConfigMgr 2012 SP1 here.

Enjoy!!!