SCCM

Windows 10 Updates – The Rules they are a Changing

Posted on Updated on

Microsoft announced on February 1st that they will be adding another six months to the supprot of Windows 10 version 1607, 1703, and 1709.

Release Release Date End of Support End of Additional Servicing for Enterprise & Education
Windows 10 1511 November 10, 2015 October 10, 2017 April 10, 2018
Windows 10 1607 August 2, 2016 April 10, 2018 October 9, 2018
Windows 10 1703 April 5, 2017 October 9, 2018 April 9, 2019
Windows 10 1709 October 17, 2017 April 9, 2019 October 9, 2019

Up to this point Microsoft has offered 18 months of support for each Windows 10 release. This extension seems a direct repsonse from enterprise customers struggling to keep pace with the rapid release cycle and short support windows associated with Windows as a Service.

Windows as a Service isnto only new for customers. It’s new for Microsoft as well. As they figure out how fast customers can ingest all of the innovatiosn comign out of Redmond, we’ll see the release cycles stabailze and balance update frequency with upgrade readiness.

For organizations that are having trouble transitioning engineerg efforts traditional associated with operating system updates to a more operational model, tools like Intune and SCCM can help accelerate the transion. I’ll be writng a few pieces in the future on how to take advantage of these types of tools to simplify Windows 10 update management.

Advertisements

Windows 10 SCCM & Intune Co-Management

Posted on Updated on

Is SCCM right for you or is InTune a better fit? Why choose? Use Both!

Beginning with the Fall Creators Update for Windows 10 (aka 1709) Windows 10 devices will be able to join both on premise AD domains as well as the Azure AD service. This opens the door to have devices managed by both SCCM and Intune. While administrators can use co-management to split up specific servicing workflows such as using SCCM for application deployment and Intune for update management so that devices get updates wherever they are, the co-management bridge is intended to simplify the migration to cloud based modern management services and not a long term solution. It would be really nice to be able to mix and match servicing scenarios so that as a device moves between on premise and off premise they are serviced by the most appropriate tool however at first glance this functionality is not readily apparent.

Now that Autopilot is available for Operating System Deployments, Intune + Autopilot provides a credible solution for full device lifecycle management for many use case scenarios. I expect to see more organizations using the co-management bridge to begin their migration to modern management.

SCCM 1706 Feature Favourite – Managing Surface Drivers

Posted on Updated on

As many of you know, I am the cohost of the Universal Windows Podcast that started as the SurfaceSmiths Podcast – focussed on the Microsoft Surface.

I still use a Surface Pro 3 and many of my customers use SCCM to manage Surface devices. In fact, The Surface Pro is the tablet of choice in the Canadian federal government. So how is this related to SCCM 1706? While there are many new features in SCCM 1706 that you can read about here, there is a pre-release feature that is particularly interesting to anyone that has to manage Surface devices. The feature provides the ability to manage MS Surface driver updates with SCCM.

Prerequisites

  • All software update points must run Windows Server 2016.
  • This is a pre-release feature that you must turn on for it to be available. For more information, see Use pre-release features from updates.

To manage Surface driver updates

  1. Enable Synchronization for Microsoft Surface drivers. Use the procedure in Configure classification and products and select the Include Microsoft Surface drivers and firmware updates checkbox on the Classifications tab to enable Surface drivers.
  2. Synchronize the Microsoft Surface drivers.
  3. Deploy synchronized Microsoft Surface drivers

Managing Windows 8.1 and the MS Surface in the Enterprise – Part 2: Deployment with System Center Configuration Manager

Posted on Updated on

I’ve been selected to deliver a session next month as part of the Microsoft MVP Virtual Conference – You can register here. My session is focussed on the managing the MS Surface in the Enterprise and as part of my preparation I’ve been assembling lots of nuggets that will be scattered throughout the presentation. This blog post series is an attempt to aggregate some of the more significant pieces from the session that may have broader appeal.  This is the second installment in the series.  Here is a link to part 1 – Who’s Minding the Store.

As more and more organizations are deploying Surface devices there are some special considerations when deploying with Configuration Manager:

  1. Since the Surface doesn’t have a physical NIC, if you will probably need a USB NIC or docking station. If you are reusing the same dock or USB NIC, Configuration Manager will need to have the MAC address of the NIC cleaned out after each deployment. This blog provides more information on the issue and provides a script that can be used for the cleanup.
  2. The Surface Pro 3 Class 3 UEFI device. In order to support PXE bot for such a device Windows Deployment Services(WDS) must be at least Windows Server 2008R2 with Windows Server 2012 Boot image (Windows Server 2012R2 WDS with 2012R2 boot image is recommended)
  3. DHCP Scope Options 66/67 will not work with mix of BIOS and UEFI systems. Ip helpers must be used instead.

You may want to download the Deployment and Administration Guide for Surface Pro 3.

Managing Windows 8.1 and the MS Surface in the Enterprise – Part 1: Who’s Minding the Store?

Posted on Updated on

Love it or hate it, but Windows 8.1 was intended to be both a desktop and “device” operating system. There have been many articles written about how well it succeeds or fails at one or both of those objectives. Regardless of how you feel about Windows 8.1, if you are tasked with managing it in you enterprise, you don’t need another rant / rave post. You need some guidance on how to manage some of the intricacies that Windows 8.1 and some device form factors like the Surface bring into play. That’s what this series of posts aims to do.

I’ve been selected to deliver a session next month as part of the Microsoft MVP Virtual Conference – You can register here. My session is focussed on the managing the MS Surface in the Enterprise and as part of my preparation I’ve been assembling lots of nuggets that will be scattered throughout the presentation. This blog post series is an attempt to aggregate some of the more significant pieces from the session that may have broader appeal.

As part of Microsoft’s attempt to create an OS that is appealing to tablet device users, Microsoft introduced the Windows Store. The Windows Store is Microsoft’s version of Google Play, Apples iTunes App Store, the Amazon Appstore for Android and many other sources for device based apps. The current incarnation of the Windows Store showcases Modern UI (formerly known as Metro) applications.

Like the other AppStores, the Windows store is designed for consumers to purchase applications to run on their devices. Unlike the other AppStores, the Windows Store model needs to coexist with legacy software delivery methods in use by enterprise IT departments such as SCCM.  While inconvenient, this is not a knock against the Windows Store.  Other platforms don’t have this issue because they don’t have any legacy applications or enterprise software delivery models.

What can we do Today?

For now there are really two methods for managing Modern Apps in an enterprise setting:

1. Sideload the application

  • Requires Certificate to sign the app since it will bypass the store validation
  • Requires .Appx Bundle from the application developer / vendor
  • Applications can be inserted into image with DISM
  • Applications can be distributed with System Center Configuration Manager

2. Deep Link the application

  • Requires Windows Store account for each user (does not need to be linked to domain account)
  • Associates application with user
  • Applications cannot be included in image
  • Still requires some user input (not truly silent)

Access to the Windows store can be controlled through group policy.

If you choose to permit users to access the store there is still the ability to restrict or allow specific applications with AppLocker.

Coming with Windows 10

Microsoft has announced that this will get easier with Windows 10. Organizations will be able to setup a private “boutique” within the Windows Store and curate which applications their users will be able to browse and install. Organizations will also be able to use a single store account to make volume purchases and download the installation files and distribute them in ways that make sense for their use cases (machines without internet access, reassigning applications, etc.).

Managing Surface Pro Drivers and Firmware in the Enterprise

Posted on Updated on

Cut to the chaseSurface Pro 3 January Cumulative Driver & Firmware Update Avaialble as MSI


Microsoft’s Surface Tablet/hybrid has been steadily gaining traction in as both a consumer device and a business tool. I use mine for both personal and business use. I haven’t turned on my iPad in over 5 months and I’m only using my laptop as a test bed for pre-release versions of Windows 10. My Surface Pro 3 has become my go to device. My mobile phone and Surface meet 95% of my requirements without any compromise.

Microsoft has been rolling out Surface drivers and firmware updates through the Windows Update service. This works great for personal devices but IT departments have struggled to keep the devices updated using their traditional tools.

Problem Statement

Enterprises need the ability to roll out Surface Updates with procedures that adhere to best practices and integrate into the processes that are already in place for other domain joined devices such as Windows Intune and System Center Configuration Manager (SCCM).

The Homebrew Solution

What does a smart Sysadmin do to solve the problem? He (or she) builds their own cumulative update payload that includes all updates including (patches, firmware, and drivers). Make it easy to manage and install in unattended mode with a smart wrapper like PowerShell or Windows Installer / MSI.

The Microsoft Solution

Microsoft has released a solution that meets all of the requirements of the homebrew solution but you don’t have to build it yourself.  Here’s a link to the January payload. There are multiple files that can be downloaded from the link. Select the Surface Pro 3 January 2015 MSI.zip

It will install all drivers and firmware that have been released through January 2015. As new updates are released new MSI files will be available for download.

Some notes:

  1. It doesn’t contain all Surface Pro 3 drivers, just the driver updates
  2. Touch firmware updates are not included
  3. It will create an entry into add/remove programs
  4. There is an option that allows the installation operations to be logged verbosely for troubleshooting

Here’s a good post with a step-by-step that explains how to use the MSI with System Center Configuration Manager (SCCM) and System Center Updates Publisher (SCUP).

 

My Top 10 System Center Configuration Manager Resources

Posted on Updated on

I often get asked the following two questions:

  1. I know you blog but why don’t you blog about Configuration Manager as much as other topics?
  2. What are some good resources for learning about Configuration Manager?

The answers to these questions are definitely interrelated. Let me start with the first question:

First of all, although as an MVP I have an NDA with Microsoft that permits me to get some “inside information” from time to time. That same NDA forbids me from blogging about MS products until they are GA. Other bloggers don’t have the same restriction so they can write about new features and releases before the MVP community can. Secondly, and more importantly, there are already many very good blogs on Configuration Manger written by some very knowledgeable people (fellow MVPs in many cases) that know far more about specific parts of Configuration Manager than I do. With all of these fine writers already producing high quality content, it is difficult to add new, unique, and valuable posts.

In order to answer the second question I will act contrary to my answer to the first question and provide you with a list of t some of the resources that I use on a regular basis. I have limited the list to 10 by convention (otherwise it wouldn’t be a top 10 list would it?) – It was very difficult to choose. I apologize in advance to anybody that I may have omitted from the list. In an attempt to avoid any serious comparison algorithms and because I don’t have any hermetically sealed envelopes I have arranged the list in alphabetical order.

1. Configuration Manager Team Blog This is a great place to get news and information about the product. Things like announcements, latest cumulative updates, new features and capabilities can be found here as well as common scenarios and troubleshooting tips. All of this of course courtesy of Microsoft
2. CoreTech Coretech has a lot of high profile bloggers including Kent Agerlund, and Kaido Järvemets. They do a lot of training and consulting and have seen a lot of real world use cases. As such their Configuration Manager Blog is a great resource.
3. Deployment Research MVP Johan Arwidmark has done some extreme deployments. If you want deep dive and troubleshooting information about deployments including some unsupported workarounds (for your lab of course).
4. Enhansoft Enhansoft is a company that focusses on asset management based on Configuration Manager. They have some free tools to help document Configuration Manager implementations. They also give out a free SSRS report every month. MVP Garth Jones, the founder of Enansoft also writes a blog for SMSUG.ca that has lots of sample reports and queries. I borrow from them often.

If you want detailed information about the inner workings of Configuration Manager, Jason Sandys (another MVP) is a fantastic resource. Not only does he understand the detail level, he can explain it in terms that are consumable by non-experts and help them understand the implications and applications. Many of his posts are linked from the Catapult Systems blog site. Not coincidentally Jason is one of the moderators of the Configuration Manager TechNet forums another great resource.
6. MyITForum MyItForum is really a small community (with only 145,000 unique visitors per day). The resources are provided by the members of the community. There are tons of guides and some very good forums. MyItForum is famous for the running of the bulls at MMS to get passes to their famous party. Click here a link to a video about Community and MyITForum from MMS 2012 featuring Rod Trent is the President of MyITForum (and the Community Manager at WindowsItPro)
7. System Center User Group Belgium Lots of good info here including blogs by MVPs Kenny Buntnix and Kim Oppalfens.
8. TechNet TechNet has a lot of good resources including the official Microsoft Document Library for Configuration Manager, Release Notes, and Technical Publications.Configuration Manager TechNet forums is a great place for moderated support. There are other good resources as well such as ConfigMgrDogs.
9. WindowsItPro WindowsItPro is a great resource for IT Pros in general but I like the independent view of the Microsoft world (including System Center) that they provide. As I’m writing this post and looking at their website, I see the System Center section their site framed by no less than six Amazon AWS ads. You won’t see that on the Configuration Manager Team Blog.
10. Windows-Noob.com This is MVP Niall Brady’s blog. IT is a great place to get walkthroughs of every major feature of Configuration Manager. A good starting point for novices and a reference for veterans trying something new or troubleshooting. Although last on this list alphabetically, it should be the noob’s first place to go to check out the SCCM 2012 Guides.

There are many other good blogs, blog aggregators, and knowledge bases out there. You could do pretty well with a good Google or Bing query for a specific topic. For better results, try some of Kim Oppalfens search providers to make it easier. These are just some that I use regularly and the first ten that came to mind.   The selection process was by no means scientific and I was the only member of the selection committee. Full Disclosure – Yes, I do know most of the bloggers but that’s life.

If you have a good source you’d like to share, let me know. Maybe I’ll make a Top 40 list. Again apologies to any good resources that I failed to mention.