In the last few years SCCM has been introducing new features to the software update workflow to help with server update scenarios. Features such as Server Groups, maintenance windows, and Pre and Post deployment actions allow an unprecedented level of control over how and when servers are patched.
Top 10 Reasons to use SCCM for Server Updates
So what are some of the benefits of using SCCM to update servers compared to other tools like WSUS? Consider the following:
- Granular Deployment Control – Unlimited number of Collections based on Technology and Business requirements
- Automated Maintenance Windows – Patches will only deploy during scheduled maintenance windows
- Pre and Post Automation – Run Scripts before and after Updates (Example: Create a VM snapshot)
- Restart Management – Control over Server restart behaviour
- Automated Deployment Rules – Automate repetitive business logic based patching scenarios based on predetermined selection criteria such as platform, product, classification etc.
- Update Templates – Create scenario based templates to accelerate patching and minimize errors
- Rich reporting – Dozens of canned reports for updates management and status as well as the option for custom reports
- Bandwidth management and optimization – Use local repositories and peer caching to minimize the amount of network load and accelerate deployments. Schedule and throttle bandwidth usage based on time of day.
- Server Group Control – Logic based on number, percent and order of servers to be patched at any given time. Ideal for clusters and load balanced services.
- Query based targeting – richer targeting based on asset inventory data
That’s a lot of control and conceptually difficult to understand. I used to love the superflows in the old SMS documentation. I’ve created a miniflow of my own to help you understand how some of the new features can be used to take better control of the server update process.
Since the original release in July of 2015 there have been six versions of Windows 10 released in total:
- Version 1507 (Codenamed Threshold 1)
- Version 1511 (Codenamed Threshold 2 aka the November Update)
- Version 1607 (Codenamed Redstone aka the Anniversary Update)
- Version 1703 (Codenamed Redstone 2 aka the Creators Update)
- Version 1709 (Codenamed Redstone 3 aka the Fall Creators Update)
- Version 1803 (Codenamed Redstone 4 aka the Spring Creators Update)
Microsoft’s near term roadmap is to release two more feature updates every year. Version 1809 (Codenamed Redstone 5) is due later this year.
The number and frequency of releases coupled with new servicing models has led to a lot of confusion in the industry around managing servicing branches, quality updates vs. feature updates and the cadence of the release cycle of Windows as a Service (WaaS). In this post I’d like to focus on two simple things you can do to simplify your windows 10 updates if you are using System Center Configuration Manager (SCCM).
- Automatic Deployment Rules (ADRs)
ADRs let you automate how, when and what software updates are applied to your systems using repeatable, template, scheduled business rules. There are many good posts on ADRs and some very good videos by Jason Sandys (A fellow MVP) so I’m going to focus on Filters.
If you are using SCCM to update your Windows 10 systems you will notice that in the Software Updates there are a lot of Windows 10 updates. That is because as we know there are many different Windows 10 versions. Most organization will not be running all versions and do not need to be bothered with many of the available updates. For instance, if you search for all Windows 10 updates, you will see more than 150 updates. If you are only running Windows 10 1703 the majority of those updates will not apply to you. If you use a filter, you can reduce the number of irrelevant updates significantly. Consider this ADR filter:
It returns at all updates for Windows 10 limited in the following ways:
- The 64 bit Windows 10 1703
- Updates that haven’t been superseded
Updates that are classified as either Critical, Security, Update Rollups or Updates
This filter reduces the number of updates in the update group from over 150 to just 4 items. A little bit more manageable.
You may also notice that I have added the keyword “Malicious” to include the Malicious Software Removal Tool (MSRT) as I find it useful to include in my ADRs.
You can use the search criteria in a similar way if you are creating software update groups manually.
I use filters regularly to help organize my software update groups and create some order from the chaos that is Windows 10 updating.
Microsoft announced on February 1st that they will be adding another six months to the supprot of Windows 10 version 1607, 1703, and 1709.
|Release||Release Date||End of Support||End of Additional Servicing for Enterprise & Education|
|Windows 10 1511||November 10, 2015||October 10, 2017||April 10, 2018|
|Windows 10 1607||August 2, 2016||April 10, 2018||October 9, 2018|
|Windows 10 1703||April 5, 2017||October 9, 2018||April 9, 2019|
|Windows 10 1709||October 17, 2017||April 9, 2019||October 9, 2019|
Up to this point Microsoft has offered 18 months of support for each Windows 10 release. This extension seems a direct repsonse from enterprise customers struggling to keep pace with the rapid release cycle and short support windows associated with Windows as a Service.
Windows as a Service isnto only new for customers. It’s new for Microsoft as well. As they figure out how fast customers can ingest all of the innovatiosn comign out of Redmond, we’ll see the release cycles stabailze and balance update frequency with upgrade readiness.
For organizations that are having trouble transitioning engineerg efforts traditional associated with operating system updates to a more operational model, tools like Intune and SCCM can help accelerate the transion. I’ll be writng a few pieces in the future on how to take advantage of these types of tools to simplify Windows 10 update management.
As System Center Configuration Manager (SCCM) matures into an “as a Service” model, the ability to rapidly upgrade an infrastructure has come a long way. It used to be complex and time consuming to upgrade SCCM as you would have to download all the prerequisite media test everything in your lab and then schedule the downtime in your production environment. With the advent of SCCM Current Branch (CB) the ability to upgrade directly from the console has made this much less complex and in theory less error prone. This doesn’t mean you shouldn’t take precautions and test before rolling to production. Here’s some advice on how to manage the risk associated with the upgrade:
- Backup your environment and test the restore in case you need to rollback. You do this regularly anyways right? There are several supported backup options for you select from based on your particular requirements. Here is some backup and recovery guidance just in case
- Check your site and component status to make sure you don’t have any unresolved issues that might impact the upgrade. Check them again post upgrade.
- Perform the prerequisite check
- Test everything in your lab, sandbox, or test environment before upgrading in production. You don’t have a test environment. Well you do you just like to call it “production”. You can setup a really simple and inexpensive virtual lab in Azure that you can spin down when not in use.
- Use Pre-pilot collections to test client agents. This is a great way to minimize the impact of client agent defects.
- Check that all of your site systems have been upgraded
- Test basic functionality such as HW and SW inventory and Software Updates. This puts the basic components such as MPs, DPs, SUPs and client agents through a smoke test.
- Test task sequences especially if there was an ADK upgrade involved
- Check if there is a newer version of MDT available / required in order to work with particular ADK you are using and to support any required servicing branches
- Test the console update and any extensions such as Report Builder
- Test any pre-release features that you were previously using. Are they now released? Do you need to reenable the functionality as pre-release?
- Is this version available as a baseline build? Do you want to keep an ISO handy?
- Check for any post upgrade hotfixes.
As organizations move to modern management to be more agile in the way they manage multiple types of devices and cloud based services, the legacy management models associated with traditional PC management can lead to multiple consoles for managing different types of devices and services. At Microsoft Ignite this year, a hybrid approach called “Co-management” was announced. to bring organizations closer to modern management while still maintaining traditional management methods. In the past it has been difficult to use more than one management platform for the same device. Windows 10 1709 opens the doo this co-management by allowing devices to be managed simultaneously with SCCM 1710 and with Intune. What are the benefits of co-management? Here’s a few that come to mind.
- Manage devices where they live. Use SCCM to manage devices that are primarily on premise and use Intune to manage the same device when it is roaming.
- Transition workloads to Intune as you are ready
- Add modern management functionality to traditionally managed devices. Consider device compliance policies, resource access policies, Conditional access, selective wipe, factory reset etc.
- Single pane of glass for consolidated views of all devices such as mobile phones, tablets, Macs, PCs.
- Transition Windows 10 devices to Intune while managing legacy (Windows 7) devices with SCCM until they are upgraded or lifecycled.
- Self-provisioning of devices by end users
- Simplified BYOD scenarios
- Enhanced mobile workforce management
So, is this the best of both worlds? Nto really. Microsoft views this as a transitional step on the journey to modern management. Nonetheless I’m excited about the new opportunities for organizations to deliver a better user experience.
As organizations upgrade to Windows 10 there are many opportunities for security and performance improvements. Many of these enhancements rely of functionality that is only available with UEFI firmware as it is required for secure boot which is often a prerequisite for enhanced security features such as Device Guard and Credential Guard. Since Windows 7 did/does not support UEFI, most organizations will need to convert device firmware to UEFI as part of the Windows 10 upgrade. As upgrading to Windows 10 can be a long process, organizations have looked to tools like SCCM and MDT to automate and accelerate the process. Often time performing zero touch installations of hours or through self-service. Converting Bios to UEFI as part of the process ahs been problematic as each device may have different methods for converting and it typically requires visiting the device since the change happens in the before the operating system loads.
Microsoft has just made this problem a little easier to manage. SCCM 1702 introduces the ability to include UEFI conversion as part of a Task Sequence if the device supports it. I’m looking forward to accelerating many Windows 10 migrations with this functionality.
Managing Windows 8.1 and the MS Surface in the Enterprise – Part 2: Deployment with System Center Configuration Manager
I’ve been selected to deliver a session next month as part of the Microsoft MVP Virtual Conference – You can register here. My session is focussed on the managing the MS Surface in the Enterprise and as part of my preparation I’ve been assembling lots of nuggets that will be scattered throughout the presentation. This blog post series is an attempt to aggregate some of the more significant pieces from the session that may have broader appeal. This is the second installment in the series. Here is a link to part 1 – Who’s Minding the Store.
As more and more organizations are deploying Surface devices there are some special considerations when deploying with Configuration Manager:
- Since the Surface doesn’t have a physical NIC, if you will probably need a USB NIC or docking station. If you are reusing the same dock or USB NIC, Configuration Manager will need to have the MAC address of the NIC cleaned out after each deployment. This blog provides more information on the issue and provides a script that can be used for the cleanup.
- The Surface Pro 3 Class 3 UEFI device. In order to support PXE bot for such a device Windows Deployment Services(WDS) must be at least Windows Server 2008R2 with Windows Server 2012 Boot image (Windows Server 2012R2 WDS with 2012R2 boot image is recommended)
- DHCP Scope Options 66/67 will not work with mix of BIOS and UEFI systems. Ip helpers must be used instead.
You may want to download the Deployment and Administration Guide for Surface Pro 3.
Love it or hate it, but Windows 8.1 was intended to be both a desktop and “device” operating system. There have been many articles written about how well it succeeds or fails at one or both of those objectives. Regardless of how you feel about Windows 8.1, if you are tasked with managing it in you enterprise, you don’t need another rant / rave post. You need some guidance on how to manage some of the intricacies that Windows 8.1 and some device form factors like the Surface bring into play. That’s what this series of posts aims to do.
I’ve been selected to deliver a session next month as part of the Microsoft MVP Virtual Conference – You can register here. My session is focussed on the managing the MS Surface in the Enterprise and as part of my preparation I’ve been assembling lots of nuggets that will be scattered throughout the presentation. This blog post series is an attempt to aggregate some of the more significant pieces from the session that may have broader appeal.
As part of Microsoft’s attempt to create an OS that is appealing to tablet device users, Microsoft introduced the Windows Store. The Windows Store is Microsoft’s version of Google Play, Apples iTunes App Store, the Amazon Appstore for Android and many other sources for device based apps. The current incarnation of the Windows Store showcases Modern UI (formerly known as Metro) applications.
Like the other AppStores, the Windows store is designed for consumers to purchase applications to run on their devices. Unlike the other AppStores, the Windows Store model needs to coexist with legacy software delivery methods in use by enterprise IT departments such as SCCM. While inconvenient, this is not a knock against the Windows Store. Other platforms don’t have this issue because they don’t have any legacy applications or enterprise software delivery models.
What can we do Today?
For now there are really two methods for managing Modern Apps in an enterprise setting:
- Requires Certificate to sign the app since it will bypass the store validation
- Requires .Appx Bundle from the application developer / vendor
- Applications can be inserted into image with DISM
- Applications can be distributed with System Center Configuration Manager
- Requires Windows Store account for each user (does not need to be linked to domain account)
- Associates application with user
- Applications cannot be included in image
- Still requires some user input (not truly silent)
Access to the Windows store can be controlled through group policy.
If you choose to permit users to access the store there is still the ability to restrict or allow specific applications with AppLocker.
Coming with Windows 10
Microsoft has announced that this will get easier with Windows 10. Organizations will be able to setup a private “boutique” within the Windows Store and curate which applications their users will be able to browse and install. Organizations will also be able to use a single store account to make volume purchases and download the installation files and distribute them in ways that make sense for their use cases (machines without internet access, reassigning applications, etc.).
I often get asked the following two questions:
- I know you blog but why don’t you blog about Configuration Manager as much as other topics?
- What are some good resources for learning about Configuration Manager?
The answers to these questions are definitely interrelated. Let me start with the first question:
First of all, although as an MVP I have an NDA with Microsoft that permits me to get some “inside information” from time to time. That same NDA forbids me from blogging about MS products until they are GA. Other bloggers don’t have the same restriction so they can write about new features and releases before the MVP community can. Secondly, and more importantly, there are already many very good blogs on Configuration Manger written by some very knowledgeable people (fellow MVPs in many cases) that know far more about specific parts of Configuration Manager than I do. With all of these fine writers already producing high quality content, it is difficult to add new, unique, and valuable posts.
In order to answer the second question I will act contrary to my answer to the first question and provide you with a list of t some of the resources that I use on a regular basis. I have limited the list to 10 by convention (otherwise it wouldn’t be a top 10 list would it?) – It was very difficult to choose. I apologize in advance to anybody that I may have omitted from the list. In an attempt to avoid any serious comparison algorithms and because I don’t have any hermetically sealed envelopes I have arranged the list in alphabetical order.
|1. Configuration Manager Team Blog||This is a great place to get news and information about the product. Things like announcements, latest cumulative updates, new features and capabilities can be found here as well as common scenarios and troubleshooting tips. All of this of course courtesy of Microsoft|
|2. CoreTech||Coretech has a lot of high profile bloggers including Kent Agerlund, and Kaido Järvemets. They do a lot of training and consulting and have seen a lot of real world use cases. As such their Configuration Manager Blog is a great resource.|
|3. Deployment Research||MVP Johan Arwidmark has done some extreme deployments. If you want deep dive and troubleshooting information about deployments including some unsupported workarounds (for your lab of course).|
|4. Enhansoft||Enhansoft is a company that focusses on asset management based on Configuration Manager. They have some free tools to help document Configuration Manager implementations. They also give out a free SSRS report every month. MVP Garth Jones, the founder of Enansoft also writes a blog for SMSUG.ca that has lots of sample reports and queries. I borrow from them often.|
|If you want detailed information about the inner workings of Configuration Manager, Jason Sandys (another MVP) is a fantastic resource. Not only does he understand the detail level, he can explain it in terms that are consumable by non-experts and help them understand the implications and applications. Many of his posts are linked from the Catapult Systems blog site. Not coincidentally Jason is one of the moderators of the Configuration Manager TechNet forums another great resource.|
|6. MyITForum||MyItForum is really a small community (with only 145,000 unique visitors per day). The resources are provided by the members of the community. There are tons of guides and some very good forums. MyItForum is famous for the running of the bulls at MMS to get passes to their famous party. Click here a link to a video about Community and MyITForum from MMS 2012 featuring Rod Trent is the President of MyITForum (and the Community Manager at WindowsItPro)|
|7. System Center User Group Belgium||Lots of good info here including blogs by MVPs Kenny Buntnix and Kim Oppalfens.|
|8. TechNet||TechNet has a lot of good resources including the official Microsoft Document Library for Configuration Manager, Release Notes, and Technical Publications.Configuration Manager TechNet forums is a great place for moderated support. There are other good resources as well such as ConfigMgrDogs.|
|9. WindowsItPro||WindowsItPro is a great resource for IT Pros in general but I like the independent view of the Microsoft world (including System Center) that they provide. As I’m writing this post and looking at their website, I see the System Center section their site framed by no less than six Amazon AWS ads. You won’t see that on the Configuration Manager Team Blog.|
|10. Windows-Noob.com||This is MVP Niall Brady’s blog. IT is a great place to get walkthroughs of every major feature of Configuration Manager. A good starting point for novices and a reference for veterans trying something new or troubleshooting. Although last on this list alphabetically, it should be the noob’s first place to go to check out the SCCM 2012 Guides.|
There are many other good blogs, blog aggregators, and knowledge bases out there. You could do pretty well with a good Google or Bing query for a specific topic. For better results, try some of Kim Oppalfens search providers to make it easier. These are just some that I use regularly and the first ten that came to mind. The selection process was by no means scientific and I was the only member of the selection committee. Full Disclosure – Yes, I do know most of the bloggers but that’s life.
If you have a good source you’d like to share, let me know. Maybe I’ll make a Top 40 list. Again apologies to any good resources that I failed to mention.
I recently had to rebuild my Windows 8.1 laptop. In fact, this is the first real piece of work that I am doing on it while I reinstall apps in the background. As part of the process I had to re-install Microsoft Office. As long as I have been using a 64bit OS as my standard desktop (Windows 7 was the first OS that I only ran as x64)) as I have always used the 64bit version of Office. When downloading the ISO for Office 2013 SP1 from the MS Partner site, I noticed that Microsoft has posted the following message:
Important: Microsoft strongly recommends the use of 32-bit (x86) versions of Office 2013, Project 2013, and Visio 2013 applications as the default option for all platforms. Learn more about the deployment considerations for x64 and x86 at TechNet.
I consider myself somewhat of a technically savvy user (maybe a poor assumption?) and I have always assumed that all things being equal 64bit is better than 32bit. Just like 32bit is better than 16bit (and 16bit is better than 8bit etc.)
So Off I went to TechNet to find out why this strong recommendation from Microsoft. Considering how hard it has been to get users and enterprises to give up Windows XP, you’d think that they want everyone to upgrade to the latest generation of tools right?
Here is the key reason for the strong recommendation directly from TechNet:
32-bit Office is recommended for most users
We recommend the 32-bit version of Office, because it is more compatible with most other applications, especially third-party add-ins. This is why the 32-bit version of Office 2013 is installed by default, even on 64-bit Windows operating systems. On these systems, the 32-bit Office client is supported as a Windows-32-on-Windows-64 (WOW64) installation. WOW64 is the x86 emulator that enables 32-bit Windows-based applications to run seamlessly on 64-bit Windows systems. This lets users continue to use existing Microsoft ActiveX Controls and COM add-ins with 32-bit Office.
So what about my assumption that all things being equal x64 is better than x86? Well, I wasn’t wrong but it turns out that all things aren’t equal. Third party vendors don’t pay equal attention to 32bit office and 64bit office. There are other good reasons to consider Office x86 such as:
- The 64-bit version of Microsoft Office isn’t compatible with any other 32-bit version of Office programs. So you must first uninstall all 32-bit versions of Office programs before you install the 64-bit version of Office.
- Any add-ins you want to run for Office must also be 64-bit editions.
- Third-party ActiveX controls and add-ins. None of these work with the 64-bit version of Office.
- There is no 64-bit version of Visual Basic 6, so many of these objects need to be ported and rewritten.
- Microsoft Visual Basic for Applications (VBA) won’t work unless you manually update the “Declare” statements.
- Compiled Access databases The .MDE and .ACCDE files, a common way for Access application developers to distribute solutions and protect their intellectually property, don’t work in the 64-bit version of Office. You must contact the application developer to recompile, retest, and redistribute the solution in the 64-bit version.
With all of the reasons not to use 64bit Office, why on earth would anyone chose to use it? It still makes sense for some users such as the following examples from TechNet:
- Excel expert users who work with complex Excel worksheets can benefit from using 64-bit Office 2013. This is because 64-bit Office doesn’t impose hard limits on file size. Instead, workbook size is limited only by available memory and system resources. On the other hand, 32-bit Office is limited to 2 gigabytes (GB) of virtual address space, shared by Excel, the workbook, and add-ins that run in the same process. (Worksheets smaller than 2 GB on disk might still contain enough data to occupy 2 GB or more of addressable memory.) You can learn more in Excel specifications and limits and Data Model specifications and limits.
- Users who use Project 2013 also benefit when they use Project files over 2 GB, especially when they are dealing with many subprojects to a large project.
- In-house Office solution developers should have access to the 64-bit Office 2013 for testing and updating these solutions.
- Office 2013 offers enhanced default security protections through Hardware Data Execution Prevention (DEP). (DEP) is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. For 64-bit installs, DEP will always be enforced for Office applications. On 32-bit installs, you can configure DEP by using Group Policy settings.
If you need to deploy both versions of Office with Configuration Manager, you can use the same application with different deployment types as I’ve explained in my previous post Managing 32 bit and 64 bit versions of applications using Global Conditions, Requirement Rules and Deployment Types.
BTW – I’m running 32bit Office now.