Friday, August 28, 2015

System Center Universe Europe 2015

System Center Universe Europe is a community conference with a strong focus on systems management and virtualization topics such as cloud, datacenter and modern workplace management. In this post I do a small recap of the sessions I attended and my personal experience.

Day 1:

After arriving on Sunday I met up with people I met last year and had a beer and dinner with them. Good start of the event.
Monday 24th of August at 8:45 Marcel Zehner @marcelzehner kicked off with his keynote, as enthusiastic as always. Even more people than last year from over 15 different countries. The buzz of this year, or hype if you like, is IoT, the Internet of Things. It's the network of physical objects or "things" embedded with electronics, software, sensors, and connectivity to enable objects to exchange data with the production (source: Wikipedia).
Cool, so how does this work in real life? Sascha Corti @TechPreacher takes us along the way with some real-life examples of how this integrates in our processes. E.g. by sending information in real time from the Microsoft Band to Azure-based services and dynamically creating charts out of it, or sending alerts when certain limits are met. Of course this is a funny example, but the same can be done for CCTV camera information, detection ports at a train station; actually everything that registers data and can connect to an external source can be used as input. The sky is the limit and we will see more of these developments in the near future. Business Intelligence and Analytics are key.




I closed off the day at an Irish pub with some other people and watched Arsenal - Liverpool on a big screen, while enjoying dinner and a Guinness. Although watching soccer isn't my main way of relaxing, I had a good time and good company.

Day 2:

  • Starting with an early morning discussion about Windows 10, which turned out more like a Q&A session. Johan Arwidmark and Jason Sandys got the technical answers to in-place migration and difficulties experienced during upgrade scenarios. Seems like Windows 10 does a really good job at restoring to Windows 7 or 8 when something seems to be wrong after migration. You can decide to go back for 30 days. After that the old information is removed completely.
  • Nico Sienaert presented about Microsoft Enterprise Mobility Suite. Two hours of Cloud/Hybrid Identity, Intune and Azure RMS. That's a lot to cover and even more to store in my head. He also had some news about Microsoft ATA (Advanced Threat Analytics), a new product for fast detection of abnormal behavior, malicious attack detection and alerting inside the (hybrid) network.
  • Wally Mead showed the new stuff that is to come in ConfigMgr vNext, no official release name yet. The current version is in Technical Preview 3. OSD Windows 10 enhancements, Software Updates ADR enhancements, cluster-aware patching and support for SQL Always On Clusters are in there. The product is not really multi-tenant, however it can be tailored that way to make it work as desired.
  • Thomas Maurer and Carsten Rachfahl talked about what's new in Hyper-V 2016. While this is not my daily work some nice new features were introduced. Thomas wrote his own blog post on this, which covers it all. http://www.thomasmaurer.ch/2015/05/whats-new-in-windows-server-2016-hyper-v/
  • Kent Agerlund and Mirko Colemberg about Visualizing ConfigMgr Data
    They showed different ways to enrich the reporting possibilities in ConfigMgr. Power queries, dashboards and scripting to get just the information you want, presented in a way that fits your needs. Besides the default 400+ reports already in ConfigMgr, this can be very useful if you're just looking for a specific tailored report.
  • Networking party
    This was nice again, a DJ playing some funky music and a beatboxer who showed off his skills. While drinking a beer and a good glass of wine the conversations came loose and as far as I could tell people had a great time.

Day 3:

  • Early morning discussion
    Pete Zerger and Jakob Gottlieb Svendsen led a discussion about Automation. On-boarding and off-boarding of users and devices and Azure automation as a central point for managing these resources. What about government, securing/encrypting credentials that are synced to and used in Azure. Many people are suspicious, but a lot of them already use e.g. Office 365, where credentials are already managed and stored with Microsoft, or other SaaS applications.
  • IT Pro to IT Scientist
    Lee Berg and Samuel Erskine showed how a simple breadboard with sensors can instantly make collected data like temperature and humidity available and presented online in Azure tables and graphs. Cool stuff, also because Sam runs his mobile datacenter off a couple of Intel NUCs. Nice duo presentation with a lot of laughing, Sam could go for standup comedian.
  • Samuel Zürcher showed real life solutions of Hybrid computing. Exchange, O365, Sharepoint, Identity Management, AD sync to Azure. What needs to be in place to really go hybrid? Technical session with lots of deep dive information and scenarios.
  • Johan Arwidmark showed troubleshooting tips with the tools provided in Windows 10 ADK. Which deployment log shows what information, loading drivers in WinPE, creating custom ISOs and unattended files to make a deployment act the way you need it. No deployment is standard and every organization has its own challenges and wishes. With these tools in hand the sky is the limit in deployment world. You can make it all possible.
  • In this last official time slot session Jason Sandys showed us some Advanced Data collection with ConfigMgr. How to include AD property information in ConfigMgr using WMI and PowerShell. Or use your own set of variables to assign custom information to assets in the database. Also pretty deep dive, but luckily more than enough information available.

Closing note
Marcel Zehner and his colleague Michael Rüefli did a nice presentation by managing their Tesla Model S vehicles using PowerShell and Operations Manager. Very cool to see what can be done connecting IoT devices to cloud management. Afterwards all sponsors had some raffles and gave away presents to the winners.
SCU has been a great event this year and ITNetx did a great job organizing it for the third time. I've spoken to a lot of interesting and nice people and I'm looking forward to next year in Berlin.


Tuesday, April 14, 2015

Installing .NET Framework 3.5 during Task Sequence

Have you ever tried enabling .NET Framework during OS deployment in a Task Sequence? When installing Windows 8.1 this should be enabled easily by running the following command line:
DISM /Online /Enable-Feature /FeatureName:NetFx3 /All

However, it's not as easy as it looks. This task often fails with error 0x800f081f during TS deployment. Also if you try to install .NET Framework offline by mounting the image it fails with the same error, see below.



Searching around I found out that 2 packages are preventing the .NET Framework action from succeeding. Packages KB2966826 and KB2966828 are both integrated in the default Windows 8.1 installation.

Solution:
To enable .NET Framework in the first place both packages should be removed. These actions can be run as Command Line action in the Task Sequence.

Uninstall KB2966826
  • DISM /Online /Remove-Package /PackageName:Package_for_KB2966826~31bf3856ad364e35~amd64~~6.3.1.7 /quiet /norestart

Uninstall KB2966828
  • DISM /Online /Remove-Package /PackageName:Package_for_KB2966828~31bf3856ad364e35~amd64~~6.3.1.4 /quiet /norestart

After removing the packages, the .NET Framework feature can be installed successfully using the command line below.
  • DISM /Online /Enable-Feature /FeatureName:NetFx3 /All

The KB updates can be installed afterwards using the Software Updates step. These actions can be run in the Build and Capture phase, so .NET is available in every deployment.
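
The same sequence as a single PowerShell step, as an added example that is not part of the original post: it removes the two packages only when they are actually present, records what it removed so the later Software Updates step can be checked against that list, and fails the step if NetFx3 does not end up enabled. The log path is an assumption; the package names are the two quoted above.

```powershell
# Added example (not from the original post). Intended to run in the full OS
# during Build and Capture, as a PowerShell or command-line step.
# Package names are the two quoted in the post; the log path is hypothetical.
$blocking = @(
    'Package_for_KB2966826~31bf3856ad364e35~amd64~~6.3.1.7',
    'Package_for_KB2966828~31bf3856ad364e35~amd64~~6.3.1.4'
)
$log = Join-Path $env:windir 'Temp\NetFx3-RemovedPackages.log'

try {
    # Only remove what is really installed, so the step is safe to re-run.
    $installed = @(Get-WindowsPackage -Online | Select-Object -ExpandProperty PackageName)
    foreach ($name in $blocking) {
        if ($installed -contains $name) {
            Remove-WindowsPackage -Online -PackageName $name -NoRestart -ErrorAction Stop | Out-Null
            # Keep a record of every removed update so that its reinstallation
            # by the Software Updates step can be verified afterwards.
            Add-Content -Path $log -Value ("{0} removed {1}" -f (Get-Date -Format s), $name)
        }
    }

    Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All -NoRestart -ErrorAction Stop | Out-Null

    # Confirm the result instead of trusting the absence of an error.
    $state = [string](Get-WindowsOptionalFeature -Online -FeatureName NetFx3).State
    if ($state -ne 'Enabled' -and $state -ne 'EnablePending') {
        throw "NetFx3 is in state '$state' after Enable-WindowsOptionalFeature"
    }
}
catch {
    Write-Error $_
    exit 1    # a non-zero exit code makes the task sequence step fail visibly
}
exit 0
```

Comparing the log with the installed updates after the Software Updates step shows whether the removed KBs made it back into the captured image.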
 

Tuesday, October 14, 2014

SCCM PXE OSD for tablets using external USB NIC adapter

At the client I'm working for at the moment one wants to deploy multiple Dell Venue Pro tablets. The problem, or challenge if you like :), with these devices is the lack of an onboard NIC. Luckily there are multiple suppliers who deliver USB to RJ45 adapters or dockings to overcome this problem. For Dell Venue Pro tablets you have to have a specific build type of this adapter which they write about here.

So once we have a valid USB to RJ45 adapter we are good to go for a PXE deployment. At this moment we only have 1 USB - RJ45 adapter and multiple tablets to deploy, so what to do?
Mark Morowczynski and Neil Potter wrote this very nice article How to Use The Same External Ethernet Adapter For Multiple SCCM OSD which is the basis of this blogpost. The article includes a script for managing deployment on multiple tablets with this single USB - RJ45 adapter.

Bottom line is that the MAC address which is assigned to the connector is unique, but if you deploy multiple devices with it, there will be some mess in your SCCM database. So we need to ensure the tablet we deployed is registered in the SCCM database, but with another MAC address. This is where the Wifi NIC comes in.
Basically we have to register the MAC address of the Wifi NIC in the SCCM database and overwrite the USB-RJ45 connector MAC address. That is exactly what the script does. But for the script to work we also need an active connection to the wireless network. This is where I had some trouble.

The steps that got me a working Wifi connection during OSD are as follows:





Import Wifi profiles:
netsh wlan add profile filename="<sourcelocation>\profilename.xml" (e.g. filename="c:\Wifi\Wifi_Profile.xml")

Restart computer: speaks for itself

Connect to Wireless network:
cmd.exe /c netsh wlan connect name=Wireless-Network-Name

NB, the steps to create a Wifi profile are explained in Mark Morowczynski's article.

So the import profile step went well, I had to restart the computer (maybe a net stop wlansvc & net start wlansvc would suffice also) and then I had to specifically connect to the Wireless network. Only then did I get my wireless network config and an IP address. I then could run the PowerShell script at the end of the Task Sequence and succeed.

Before you deploy the next tablet, don't forget to clear the PXE deployment from the device if you used a deployment type of required, otherwise you won't be able to deploy other devices from the same USB-RJ45 connector.



Tuesday, September 23, 2014

ConfigMgr Cumulative Updates

Every now and then Microsoft releases Cumulative Updates. Twitter explodes on the new release, like everyone is going to deploy the update without a doubt.

However: when I read the Microsoft support article I come across the following lines:

A supported update is available from Microsoft Support. However, this update is intended to correct only the problems that are described in this article. Apply this update only to systems that are experiencing the problems described in this article. This update might receive additional testing. Therefore, if you are not severely affected by these problems, we recommend that you wait for the next service pack that contains this update.

So, I found that none of these apply to my customer(s). Should I apply the update anyway, or wait for the Service Pack to come?

The only things I see here are the additional testing and administrative burden that are involved applying the CU.

So what is your advice or way to go? Please leave your comments, just a line will do, I'm curious.

Thx!

Wednesday, September 3, 2014

WIM error deploying captured OEM image

Recently I have been struggling to capture a Thin Client (Windows Embedded Standard 8) image from a Dell Wyse device, specifically the D90D8 model.

These were some of the errors in the SMSTS.log:

Installation of image 1 in package P01000xx failed to complete. Permissions on the requested may  be configured incorrectly. Access is denied. (Error: 80070005; Source: Windows)

Failed to run the action: Apply Operating System Image. Permissions on the requested may be configured incorrectly. Access is denied. (Error: 800070005; Source: Windows)

WIM error:C:\_SMSTaskSequence\TSEnv.dat. Permissions on the requested may be configured incorrectly. Access is denied. (Error: 800070005; Source: Windows) Unable to apply (0x80070005)

Dell delivered the device preinstalled using an OEM license. Because of that we chose to capture the image to be able to deploy through ConfigMgr. Installing a non OEM licensed Windows Embedded version would raise the costs, and also extra effort by finding the right drivers.
Dell secures its images thoroughly using certificates and secure boot. So when I prepared the image for capture using USB media and the Thin Client rebooted, it was unable to find the boot device. Apparently the capture preparation changed some settings which interfere with Dell's security policies. So eventually I prepared a PXE boot and did the capture manually using imagex, very easy and successful.

However, since the preparation didn't finish some leftovers stayed behind on the Thin Client and were captured in the image. This caused issues when deploying the WIM image. For example the folders C:\_SMSTaskSequence, C:\SMSTS still existed. Once I removed these from the image

  • dism /mount-wim /wimfile:"D:\Captured Image.wim" /index:1 /mountdir:D:\Mount
  • Removed leftover folders
  • dism /unmount-wim /mountdir:D:\Mount /commit
  • Updated DP's
Now I am good to go and the errors went away. Deploying like crazy!!





Friday, May 16, 2014

Symbolic Links to the rescue

Lately I needed a solution to redirect System Center Endpoint Protection 2012 R2 definition updates to an alternative location. The situation was it was installed on a VDI machine which means the C-drive is non-persistent.
So I created a brand new vDisk with the latest definition updates and brought it online. The first day the definition updates are all current, but after a restart of the VDI, it gets back to the initial state. It's not recommended nor desirable to create a new vDisk every day, but I wanted to stay current with the updates. So every day the VDI needs to download more definitions and is not current at startup.

I came up with a solution to use a Symbolic Link to redirect the definition updates to a persistent writecache or overflow disk.
So before the Endpoint Protection solution is installed I created a folder on the D-drive to store the updates.
Then I created the SymLink on C:\ProgramData\Microsoft

Mklink /d /j "Microsoft Antimalware" D:\SCEP

So what this does is create a Symbolic Link named "Microsoft Antimalware" and connect it to the actual location D:\SCEP. For the OS the Symbolic Link looks like any ordinary folder and is treated that way. Also, when you browse through the folders it looks like you're in the folder, while you're actually browsing D:\SCEP. So easy to set up and yet so powerful!

So when the Endpoint Protection client is installed and downloads the definition updates, the updates are placed in the "Microsoft Antimalware" location which is.... right the D:\SCEP location. So now you have an up-to-date AV solution in your VDI deployment.
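
The redirect as a repeatable PowerShell step, as an added example that is not part of the original post: it creates D:\SCEP, restricts the folder's ACL before anything is written to it, creates the link as a directory junction (mklink /J) and verifies the result. That only SYSTEM and Administrators need access to the definitions folder is an assumption of this example.

```powershell
# Added example (not from the original post). Run elevated, before the
# Endpoint Protection client is installed, as the post describes.
$target = 'D:\SCEP'
$link   = Join-Path $env:ProgramData 'Microsoft\Microsoft Antimalware'

if (Test-Path -LiteralPath $link) {
    throw "'$link' already exists; create the link before the client is installed."
}

New-Item -ItemType Directory -Path $target -Force | Out-Null

# Assumption: only SYSTEM (S-1-5-18) and Administrators (S-1-5-32-544) need access.
# /inheritance:r drops the permissions inherited from the root of D:, which
# may allow ordinary users to create or modify files on a data volume.
# SIDs are used instead of names so the step also works on localized Windows.
& icacls.exe $target /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# mklink is a cmd.exe built-in; /J creates a directory junction.
& cmd.exe /c mklink /J "$link" "$target" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "mklink failed with exit code $LASTEXITCODE" }

# Verify that the link really is a reparse point and show the resulting ACL.
$item = Get-Item -LiteralPath $link -Force
if (-not ($item.Attributes -band [IO.FileAttributes]::ReparsePoint)) {
    throw "'$link' was created but is not a reparse point."
}
& icacls.exe $target
```

Without the ACL step the antimalware definitions would live in a folder with whatever permissions the D: volume hands out by default, rather than under the protected ProgramData tree.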

Wednesday, April 23, 2014

System Center Endpoint Protection 2012 R2 policy issue

Recently I came across this issue about SCEP update definitions not being applied on (in my case) Citrix VDI computers.

Errors in the C:\Windows\CCM\Logs\EndpointProtectionAgent.log
Failed to apply the policy C:\WINDOWS\CCM\EPAMPolicy.xml with error (0x80004005).
Failed to apply policy with error 0x80004005, retry number : 1 after 60 second.

But mainly visible in the Management Console.


Luckily there are some community colleagues who dealt with this issue before. I did not solve my issue, maybe because we use streamed vDisk, or because this issue already existed for a long time. Anyway, many people benefit from the solution.

See Henk's blog for a solution.

Edit: Another solution could be to remove the gpt.ini (C:\Windows\System32\grouppolicy) because it became corrupt.