Monday, May 30, 2016

Defer Windows 10 upgrades in Group Policy and ConfigMgr Current Branch

With Windows 10 in enterprises, it's recommended to divide systems between Current Branch (CB) and Current Branch for Business (CBB). A few systems will be in CB for testing new functionality, while most systems will probably be in CBB. The difference is a 4-month delay for new Windows 10 builds, which can be extended by another 8 months for a total delay of 12 months. After 1 year you're out of support, and no security updates will be offered anymore.
 
To divide systems between CB and CBB, Group Policy and/or ConfigMgr can be used. Within the new Group Policy templates, the following setting is available: Defer Upgrades and Updates.
When this policy is enabled and linked, the result is a 4-month delay. This can be extended by another 8 months for upgrades and 4 weeks for updates. You can pause upgrades and updates too. Nothing wrong with that.
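
As an added example (not from the original post), the PowerShell below reads the values that the Defer Upgrades and Updates policy writes under the Windows Update policy key and reports the resulting ring and delay for the local machine. The registry value names (DeferUpgrade, DeferUpgradePeriod, DeferUpdatePeriod, PauseDeferrals) are those used by Windows 10 version 1511; the function name Get-DeferralPolicy is made up for this example.

```powershell
# Policy key written by "Defer Upgrades and Updates" (Windows 10 version 1511).
$WuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Hypothetical helper: summarise the deferral policy on this machine.
function Get-DeferralPolicy {
    param([string]$Path = $WuPolicyKey)

    # No key or DeferUpgrade <> 1 means the policy is not applied: plain CB.
    $p = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $deferred = ($null -ne $p) -and ($p.DeferUpgrade -eq 1)

    $extraMonths = 0; $updateWeeks = 0; $paused = $false
    if ($deferred) {
        if ($null -ne $p.DeferUpgradePeriod) { $extraMonths = [int]$p.DeferUpgradePeriod }
        if ($null -ne $p.DeferUpdatePeriod)  { $updateWeeks = [int]$p.DeferUpdatePeriod }
        $paused = ($p.PauseDeferrals -eq 1)
    }
    # CBB itself is a 4-month delay; the policy can add up to 8 more months.
    $totalMonths = if ($deferred) { 4 + $extraMonths } else { 0 }

    $notes = @()
    if ($extraMonths -gt 8)  { $notes += 'DeferUpgradePeriod above the 8-month maximum' }
    if ($updateWeeks -gt 4)  { $notes += 'DeferUpdatePeriod above the 4-week maximum' }
    if ($totalMonths -ge 12) { $notes += 'Upgrade delay reaches 12 months (support limit)' }
    if ($paused)             { $notes += 'Upgrades and updates are paused' }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        Ring               = if ($deferred) { 'CBB' } else { 'CB' }
        UpgradeDelayMonths = $totalMonths
        UpdateDelayWeeks   = $updateWeeks
        Paused             = $paused
        Notes              = $notes -join '; '
    }
}

Get-DeferralPolicy | Format-List
```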

When using ConfigMgr Current Branch, things get a bit different. Now you have a Windows 10 Servicing dashboard, where CB is called Release Ready (RR) and CBB is called Business Ready (BR). Using different terms here is not handy and not logical to me. It's also not easy to move systems from RR to BR. For that, lots of prerequisites must be in place.
 
When looking at: Manage Windows as a service using System Center Configuration Manager, you will see the prerequisites:
- Windows 10 computers must use ConfigMgr software updates with WSUS for software update management
- WSUS 4.0 with KB3095113 must be installed on your software update points and site servers
- Enable Heartbeat Discovery (7 days by default)
- The service connection point must be installed and configured for Online, persistent connection mode to see data on the Windows 10 servicing dashboard
- Specify the group policy setting, Defer Upgrades and Updates, to determine whether a computer is CB or CBB
- IE9 or later must be installed on the computer that runs the Configuration Manager console
- Software updates must be configured and synchronized

 
The strange thing, however, is that you need to configure Group Policy and a servicing plan too. Here you can choose between CB and CBB, and a delay of 120 days is possible. This is around 4 months, and not the same as the 8 months which can be configured in Group Policy. Why the difference here, in days instead of months?

On Manage Windows as a service using System Center Configuration Manager you will see the following on that: "How many days after Microsoft has published a new upgrade would you like to wait before deploying in your environment". Maybe I want to wait 12 months, how to configure that? Hope that someone or Microsoft can clarify something on that.

For now I see most environments with systems in CB/RR without the possibility to move them to CBB/BR easily.

Request: Besides that, I want to be able to click on the dashboard to see which systems have which build installed and which ring is configured. That would be of more benefit than just the value displayed.

Will be continued..

Thursday, May 26, 2016

Windows 7 SP1 stuck for hours on checking for updates

During a new Windows 7 SP1 installation, it got stuck on checking for updates. I have seen a lot of Windows Update issues on Windows 7 SP1 in recent years. This one is really nasty, because it stays on "Checking for updates" for hours. Not that cool if you ask me.

The solution is really easy. Just download KB3102810 (Installing and searching for updates is slow and high CPU usage occurs in Windows 7) here and install it on the client. It's better to stop the Windows Update service first, to speed up the installation process.

Another solution is to download both KB3138612 (Windows Update Client for Windows 7: March 2016) and KB947821 (System Update Readiness Tool) and install them on the client. Again, it's better to stop the Windows Update service first, as mentioned before.

If you are still having issues, you can also try Microsoft Easy Fix! Hope it helps you too :)

Source: superuser
 
In the meantime the following solution is available too:
Simplifying updates for Windows 7 and 8.1

It mentions: We’re happy to announce that we’re making available a new convenience rollup for Windows 7 SP1 that will help. This convenience rollup package, available to download from HERE, contains all the security and non-security fixes released since the release of Windows 7 SP1 that are suitable for general distribution, up through April 2016.  Install this one update, and then you only need new updates released after April 2016.

Other blogposts on Windows update:
Some clients not updating, reporting 8007000E error
Software Update Error 0x80004005 on client systems

Tuesday, May 24, 2016

Difference between Intune Standalone and ConfigMgr hybrid mode (part 4)

Recently I did some blogposts about the difference using Intune Standalone or ConfigMgr hybrid mode.
You can find them here: part 1 / part 2 / part 3

For ConfigMgr hybrid mode I mentioned the following:
As for ConfigMgr hybrid mode, this must be done in Configuration items and baselines, where not sure when they arrive. Monitoring - deployments is not the right place also, given a 'Unknown' status most of times. Did a lot of compliance checks and reboots on mobile devices, but nothing seems to happen..

The trick is that you need to do some additional configuration. While policies in Intune work immediately, in ConfigMgr they do not.
When creating configuration items in ConfigMgr, "Remediate noncompliant settings" is turned on by default.
When creating and deploying configuration baselines, this is not the case: "Remediate noncompliant rules when supported" is not turned on by default. You need to enable this to make them active.

In the baseline deployment properties, "Remediate noncompliant rules when supported" must be selected. I also changed the schedule from 7 days to 5 minutes. After that, configuration started on mobile devices right away.

The question is why this isn't configured by default. Without this setting you can wait forever for policies to come through.

Friday, May 20, 2016

Deploy printer drivers during ConfigMgr task sequence (part 2)

Almost 3 years ago I did a blogpost on deploying printer drivers during a task sequence. That one is based on PnPutil.exe, which is fine, but probably not the best solution. Using a CMD file with multiple commands for different printer models may be better. Let's have a look at that.

When you want to deploy a single print driver or multiple printer drivers, use the following command instead:
RUNDLL32 PRINTUI.DLL,PrintUIEntry /ia /m "<Printer model>" /f "<INF path>\<INF filename>"
RUNDLL32 PRINTUI.DLL,PrintUIEntry /ia /m "<Printer model>" /f "<INF path>\<INF filename>"
RUNDLL32 PRINTUI.DLL,PrintUIEntry /ia /m "<Printer model>" /f "<INF path>\<INF filename>"

This command can be placed multiple times in a CMD file (for example), so just create folders for different models and drivers, and have a CMD file in the root, which is pointing to the different locations. That way printer drivers can be installed easily.
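
An added example, not part of the original post: the same PrintUIEntry command driven from a PowerShell script instead of a CMD file, with a check that each driver package's catalog is validly signed before it is installed. The model names and INF paths in the table are constructed placeholders, Test-DriverPackage is a hypothetical helper, and PowerShell 3.0 or later is assumed.

```powershell
# Constructed sample table: one row per printer model, INF path relative to this script.
$Drivers = @(
    [pscustomobject]@{ Model = 'Example Printer A PCL6'; Inf = 'ModelA\examplea.inf' }
    [pscustomobject]@{ Model = 'Example Printer B PS';   Inf = 'ModelB\exampleb.inf' }
)

# Hypothetical helper: returns $null when the package looks installable,
# otherwise a short reason for skipping it.
function Test-DriverPackage {
    param([string]$InfPath)

    if (-not (Test-Path -LiteralPath $InfPath)) { return 'INF not found' }

    # The [Version] section of an INF names its catalog: CatalogFile=xyz.cat
    $hit = Select-String -LiteralPath $InfPath -Pattern '^\s*CatalogFile[^=]*=\s*"?([^";\s]+)' |
        Select-Object -First 1
    if (-not $hit) { return 'INF names no catalog file' }

    $cat = Join-Path (Split-Path -Parent $InfPath) $hit.Matches[0].Groups[1].Value
    if (-not (Test-Path -LiteralPath $cat)) { return "catalog $cat missing" }

    # Verify the Authenticode signature on the catalog before trusting the package.
    $sig = Get-AuthenticodeSignature -LiteralPath $cat
    if ($sig.Status -ne 'Valid') { return "catalog signature is $($sig.Status)" }
    return $null
}

foreach ($d in $Drivers) {
    $inf = Join-Path $PSScriptRoot $d.Inf
    $problem = Test-DriverPackage -InfPath $inf
    if ($problem) {
        Write-Warning "Skipping $($d.Model): $problem"
        continue
    }
    # Same command as in the post, one call per model.
    $printUiArgs = "PRINTUI.DLL,PrintUIEntry /ia /m `"$($d.Model)`" /f `"$inf`""
    Start-Process -FilePath rundll32.exe -ArgumentList $printUiArgs -Wait
}
```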

Hope it helps!

Wednesday, May 18, 2016

Using the new Windows Store for Business for apps on Windows devices

Within the post: Windows 10: A Store That’s Ready for Business, Microsoft is mentioning the following: 'with Windows 10 we will deliver one Windows Store for all Windows devices'. For that, however, the new web-based Store portal must be used. Apps will become visible in the Windows Store at a later time.

First you need to create a new Business portal on businessstore.microsoft.com and sign in with a work or school account, or Azure account if you prefer. In the Windows Store on Windows 10 devices this account is used, next to your Microsoft Live ID. In that case a new tab will be present (next to Home, Apps, Games, Music, Movies & TV). This is based on the company name used when creating the Business portal.

When adding apps you can choose between: 'Add to your private store where all people in your organization can find and install it', or 'Assign to people' only. That way they won't be present in the private store, but only for specific people. Last one is 'Distribute later', which isn't a deployment at all, but can be done later.

In this case I added apps to the private store, where all people in your organization can find and install it. Unfortunately the app is not ready for deployment yet, but 'Add in progress' is shown.

When adding apps to the Business portal, it can take up to 24 hours for the app to appear in the Private store. When looking at the Windows Store on Windows 10 (full edition) or Windows 10 Mobile, the same apps are there.

 
As mentioned earlier, when signing in with your Azure account (or adding it next to your Live ID), a new tab will be present in the Windows Store. This is how it looks on my Surface (5 apps, but 6 deployed).

And this is how it looks on my Phone (4 apps, where 6 were deployed). It seems LinkedIn and Translator are Phone only, while Sway and Buienradar are Windows (full OS) only.

So unfortunately the same story as before (using the Company portal). Where does this fit in the One unified app store across devices, One great experience model, when apps differ between Windows 10 and Windows 10 Mobile devices? Because Microsoft is saying it's one platform, I hope this will become clearer in the future.

Hope things will get more clear this way!

Update: It's possible to use 'My Library' too, and see which apps work and which apps don't work on your device.

Friday, May 13, 2016

Difference between MAK, KMS and ADBA activation

In recent years I did multiple blogposts about activation based on MAK and KMS. Recently I mentioned the ADBA license Pack too. This time some pros and cons between these activation tools.

Multiple Activation Key (MAK) usage:
- For workgroup-joined systems (when no domain is used)
- Systems which are used outside the domain, and not connected in 180 days or more. Otherwise activation will be expired.

Key Management Service (KMS) usage:
- CMD-line based & domain wide, therefore a KMS host is needed for every (child) domain.
- A minimum of 25 devices and/or 5 servers for activation
- Valid for 180 days, where every 7 days a check is done
- Windows 7 & Server 2008 support or later

AD-Based Activation (ADBA) usage:
- GUI based & forest wide, so no need to have a KMS host for every (child) domain
- No minimum on devices and/or servers (!)
- Activated during domain-join immediately, and removed when domain-join is undone or 180 days have passed.
- Windows 8 & Server 2012 support or later
- No TCP 1688 (KMS) is used, but default LDAP instead

Hope it's clear that ADBA is the way to go. Fewer servers needed and easier in communication and activation. Hope you like it too :-)

A setup guide can be found here: Installing Volume Activation Services Role in Windows Server 2012 to Configure ADBA

More blogposts about activation tools:
Update KMS hosts for Windows 10 activation
Usage of Microsoft Office 2016 KMS Host or ADBA License Pack
And many, many more...

Wednesday, May 11, 2016

Difference between Intune Standalone and ConfigMgr hybrid mode (part 3)

In an earlier blogpost I wrote about pros and cons between Intune standalone and ConfigMgr hybrid mode, and the difference in speed between both solutions. This is because Intune standalone (SaaS) is very fast (a few seconds, sometimes a few minutes) on enrollment of applications and/or policies. With ConfigMgr hybrid mode this is way slower, and can take up to multiple hours (or more) to happen. This time I want to share something on the difference between Windows and Windows Phone devices.

With Windows 10, Microsoft is saying that there is One universal app platform, One security model, One management system, One deployment approach, and One familiar experience. Unfortunately that's not true when using a Windows 10 Mobile, managed by Intune standalone or ConfigMgr hybrid mode.

When deploying applications from either solution, you will see that sometimes you need to choose Windows, and other times Windows Phone. Some apps are available for Windows, but not for Windows Phone (or the other way around). Very confusing if you ask me! So you must choose between a Windows app package or Windows Phone app package. That's hard to explain to customers.

When choosing a Windows app package (like I did), applications will not be offered on Windows 10 Mobile. In my perception this is not a Windows Phone anymore, with a different Windows Phone store. So yes, you must still use Windows Phone app package to make them available on Windows 10 Mobile. Very confusing if you ask me. Where does this fit in the One unified app store across devices, One great experience model? But wait there's more..

Within the post: Windows 10: A Store That’s Ready for Business, Microsoft is mentioning the following: 'with Windows 10 we will deliver one Windows Store for all Windows devices'. For that, however, the new web-based Store portal must be used. So open Windows Store for Business and start adding apps to your inventory. When signing in with your Azure account (or adding it next to your Live ID), a new tab will be present in the default Store.

After that a new tab is present in Windows Store, with the company name used, with apps added in Windows Store for Business. Because it can take up to 24 hours for the app to appear in the Private store, you must be patient on this :-)

More on that in a next blogpost. Thanks for reading.
Read more on part 1 and part 2

Tuesday, May 10, 2016

ConfigMgr issues and improvements posted on Microsoft Connect

Recently I did some blogposts about ConfigMgr issues and improvements, which I posted on Microsoft Connect.

More about that here:
Issue in ConfigMgr Current Branch (1602) with Intune subscription
Some small bugs found in ConfigMgr Current Branch (1602)

The current status after one month looks good to me:
- Issue in ConfigMgr Current Branch (1602) with Intune subscription (when changing tenant) = Fixed
- To enable use the Add Site System Roles wizard to add the Intune Connector role = Fixed
- This device might have Activation Lock enabled and might require the user's Apple id and password to be entered to be reactivated = Won't fix
- Default layout for deployment status of task sequences (Monitoring part) = Active
- To identify the Windows Store link for this application, browse to a computer that has the application installed = Active


Very good to see that Microsoft is making progress here, with one issue and one improvement fixed! Way to go :-)

Wednesday, May 4, 2016

HP Client Integration Kit for ConfigMgr 2012 R2 or Current Branch (update)

Recently I did a ConfigMgr Current Branch upgrade. To import driver packages easily I like to use additional Dell and/or HP tools to import driver packages. This time however the HP tool has some new functionality. Let's have a look at this first.

The HP Client Integration Kit for ConfigMgr has an update on 03/31/2016 with the following changes:
- Provides the Client Integration plug-in for ConfigMgr 1511 or 2012 R2 SP1 CU1 or later or 2012 SP2 CU1 or later.
- Adds the ability to create and import custom driver pack or import drivers only.
- Adds the ability to enter the keyword to search for HP product name when creating and importing driver pack.
- Adds the ability to sort the category such as driver name, version, SoftPaq number when selecting driver to import
- Adds the ability to choose the type of download file such as FTP or HTTP. By default, CIK uses HTTP.
- Adds BitLocker to CIK task sequence examples
- Revises the pop up messages when the server does not meet the requirement.
- Updates the CIK installer to fix the copyright string.
- Updates the CIK User Guide and ConfigMgr & CIK support matrix.


Let's have a look in the ConfigMgr console now:
There are 3 buttons in the ribbon now, one for 'Create and Import Driver Pack' one for 'Download and Import Driver Packs' and one for 'Import Downloaded Driver Pack'.

When choosing 'Create and Import Driver Pack' you can search on types/models and select which driver(s) must be part of it. This is the latest add-on available! That way you can create driver packages yourself, and decide which driver must be part of it. Therefore searching on the HP website yourself isn't needed anymore. Just great that a new feature is part of this ConfigMgr integration.

When choosing 'Download and Import Driver Pack' you can search on types/models and download/import driver packs, but no selection on drivers is possible. When choosing 'Import downloaded driver packs' you must download them manually and import them afterwards (as usual).

Download HP CIK right away!

More blogposts about importing driver packs:
HP Client Integration Kit for ConfigMgr 2012 R2 (update)
HP Client Integration Kit for ConfigMgr 2012 R2
Download Driver packages for Dell, HP and Lenovo systems