CM: Deployment Requirements

I was recently asked about how to deploy a single application but with varying installation command line parameters, using Configuration Manager. Luckily we can do this fairly easily using the Requirements screen on your Application Deployment Type.

In this scenario we were installing a school classroom management program, and needed to provide a different string in the install command line depending upon what kind of PC it was going to – e.g. setup.exe /template=TEACHER or setup.exe /template=TECHNICIAN. The PCs were already organised by Organisational Unit in Active Directory so that was the obvious target. The other way we could have done this was to create multiple device collections in Config Manager, and then multiple applications, and deploy to each of them – but we wanted to keep all this within a single application.

The basic concept behind this is to create multiple deployment types within the single application, and optionally a fallback entry at the end if you want the software installing where none of the requirements have been met, perhaps with a generic template passed via command line.

In this example I’ve created a simple program which just drops a text file onto the C drive, with the content of the command line string, as proof of concept but this technique should work for most use cases – depending on device OU, registry setting values, or even CPU speed, RAM, Disk space. I’ve targeted device OU here, and split my VMs into two OUs – Azure and Garage (for Azure hosted VMs, and those running off a Hyper-V server in my garage).

Continue reading “CM: Deployment Requirements”

WUfB and Update Compliance

Windows Update for Business (WUfB) is a free service which allows you a level of control over Windows Update on certain SKU of Windows 10 – Pro/Enterprise/Education/Pro for Workstation – basically everything except Home edition. You can select which types of updates you would like – Feature updates, Quality (security) updates, Driver updates and Microsoft Product updates. Product updates are for other Microsoft products, but not Office if you used the Click-to-Run installer.

Whilst you don’t approve/deny each update as you’d have done in the past with WSUS, you can specify update deferral periods. For Quality updates this is 30 days or less, and for Feature updates it’s 365 days or less. You can create multiple policies, for example one targeting a pilot group with 0 day deferral, one with 5 day for a wider group, and a 10 day deferral for the rest of your devices. If you find an issue with an update installed by the pilot group, you can pause updates for up to 35 days on the other policies. The devices should then resume at the end of the 35 days and skip the missed update, moving on to the next cumulative update.

Device driver updates are enabled by default, but can be turned off, and Microsoft Product updates are disabled by default, but can be turned on. I tend to leave these at the default settings – as the trend with recent Microsoft products has been for them to look after the updating process themselves (e.g. Office 365 Click-to-Run, Edge etc) rather than using Windows Update.

You don’t need Intune or Config Manager for this, and you don’t need your devices to be Azure AD joined – it can even be a PC in a workgroup – although it’s a lot easier to manage if you have some central control over the client side settings.

Continue reading “WUfB and Update Compliance”

Endpoint Analytics

I’ve been looking at ways to get performance data for all our devices, currently 99% in Config Manager but in the future we’re expecting to have quite a large deployment which is only managed by Intune. I’ve already set up Desktop Analytics but this just covers things like Windows 10 feature updates, which is good but not really what I was after.

Introducing Endpoint Analytics.

This is part of Intune and, if you set up tenant attach or device co-management, you can pull data for ConfigMgr managed devices into the console. Endpoint Analytics will show you a score, based off various factors such as startup performance, recommended software and application reliability, and there’s various screens you can look at with more detailed information such as startup performance and application reliability. Most report lists can be exported for offline analysis in Excel. I think it’s a key tool for identifying devices which need attention – whether it’s a device that has missed its upgrade from HDD to SSD sitting at the top of the “slowest boot up time” list, or a device which frequently suffers from bugchecks/BSODs potentially being a hardware issue, it brings to light troublesome devices which the end user may not have ever reported.

I’ll cover setting it up and then look at each section in turn, with lots of screenshots.

Continue reading “Endpoint Analytics”

Deploying Apps from the Windows Store

There’s a lot of apps in the Windows Store, and one of the best bits about them is we don’t have to worry about managing their updates. Luckily we can deploy these through MEMCM and it is fairly easy to do.

You will need a subscription which creates an Azure tenancy (e.g. Office 365) to link MEMCM with the Microsoft Store for Business (or Microsoft Store for Education) – the Business and Education versions are pretty much the same just with different phrasing in places. Continue reading “Deploying Apps from the Windows Store”

Hybrid Azure AD Domain Join Without an SCP

The standard method to configure hybrid domain join is to open up Azure AD Connector and follow the wizard. However this isn’t suitable for every environment – for a start it needs to write forest-level configuration data, create a Service Connection Point (SCP), and if you want to link multiple tenancies to a single AD forest you’re in for a hard time.

Luckily we can hybrid join with some registry settings on the client devices, and don’t need to set up an SCP. Here’s how I’ve managed it on my network.

Continue reading “Hybrid Azure AD Domain Join Without an SCP”

Enabling BitLocker with MEMCM

Enable BitLocker to protect your data in case of device theft.

MEMCM comes with a Bitlocker Management section (under Endpoint Protection), however as far as I can tell this just allows you to set the Bitlocker policy but not force drives to be encrypted – at least I couldn’t get it to do anything on devices it claimed were compliant.

I’ve got an OS deployment task sequence which installs Windows, and has a few BitLocker steps – however I forgot to set a variable telling it to use the TPM chips without additional PIN/password/keys for Bitlocker – so my computers built without Bitlocker being enabled.

Not wanting to go through the build process again for all these devices, I decided to push it out to existing devices through MEMCM. Continue reading “Enabling BitLocker with MEMCM”

Delving into the “Last PXE Advertisement” flag

This post has actually come from having a look at the search queries coming up in my blog visit stats – “all active pxe flag deployements” – which seems like a good thing to look into.

If you’re trying to make a device collection you’ll find the LastPXEAdvertisement doesn’t appear to be available through the query builder UI. Here I’ll look into getting the data through PowerShell and then also putting it into a Device Collection within MEMCM. Continue reading “Delving into the “Last PXE Advertisement” flag”

Wake on LAN revisited

If only it were as simple as a BIOS setting any more!

A couple of years ago I wrote about the pain of getting Wake on LAN to work on HP switches. While this got some of my machines to work, there was still quite a large proportion (about 60%) that weren’t playing ball.

I’ve finally had a bit of time to look into this, so here’s everything I’ve gone through to get a lot more of the PCs powering up on command. Of course there will always be some PCs which just refuse to work (we have some Gigabyte H81M based machines where they just don’t Wake on LAN – whatever you do the LAN link drops when the power is turned off), and some older H61M based machines that are a bit hit and miss. Continue reading “Wake on LAN revisited”

MEMCM Support Centre

Tools installed as part of the Support Centre

I’m not sure how long it’s been around, but one of the neat things I discovered lately is the Support Centre. The installer for this can be found on your MEMCM server, in the installation directory\tools\SupportCenter.

The Support Centre contains a variety of tools to help troubleshoot all things MEMCM. I’m just going to do a very brief look at it here so the best thing to do is install it and have a look for yourself!

Continue reading “MEMCM Support Centre”

Deploying OS Task Sequences Without PXE

No onboard LAN? No problem.

If you’ve had to deploy any laptops recently you’ll have noticed that it’s very difficult to find smaller (lower budget) devices with onboard LAN any more. We recently replaced two trolleys of laptops and the only choice to keep within budget was sacrifice the network port. While this isn’t a problem for their day to day use (as we have full site wireless coverage), when it comes to deploying and updating them… not so great. Well it’s MEMCM to the rescue again with bootable media.

Continue reading “Deploying OS Task Sequences Without PXE”