Monday, 20 July 2020

Management Insights Preview - Optimize for remote workers

Microsoft Endpoint Configuration Manager has a feature called Management Insights.  This feature is located in the Administration node and it allows you to gain some understanding of your site's configuration, or aspects of your site's configuration, that may need some attention.  It divides the management into groups which Microsoft considers useful for proactively auditing your site.  The 2007 preview evaluation installation of Microsoft Endpoint Configuration Manager contains the following Insight groups.

Group: Description
Applications: Insights for application management
Cloud Services: Insights to modernize Configuration Manager so that it integrates with cloud-based technologies
Collections: Insights into managing a healthy population of collections
Configuration Manager Assessment: Insights into settings that may need looking into, such as Active Directory discovery intervals
MacOS and Unix: Insights for MacOS and Unix clients
Operating System Deployment: Insights into provisioning, for instance determining task sequences that are too large
Optimize for remote workers: Insights into the configuration aspects that affect your mobile workforce
Proactive Maintenance: Insights into how to keep ahead of potential issues, for instance boundary groups with no members
Security: Insights into possible areas where your site is insecure
Simplified Management: Insights into common management concerns, such as clients running older versions of the Configuration Manager client
Software Center: Insights into managing Software Center
Software Updates: Insights for software update management

There does not appear to be any option to create your own groups or insights, nor to customize those that currently exist.  In short, Microsoft has presented a reporting and action facility that does what a consultant might be asked to do: conduct an audit and present the areas of action that need attention.

At the time of writing the world is struggling with the Covid-19 pandemic and many people are now working from home.  Managing those users properly has never been so crucial, and so in the 2006 preview version of Configuration Manager Microsoft has implemented the Optimize for remote workers Insight group.  In this article I run the Show Insights action to determine which actions I might need to take for my installation of Configuration Manager Technical Preview 2007.

In the 2005 CM preview edition Microsoft introduced the VPN boundary type.  Previously the administrator would have to enter a subnet-based boundary for their VPN users.  Using the VPN boundary simplifies administration of remote users because the IP address based boundary is no longer required.  In my lab I have configured a VPN boundary accepting all the defaults, as can be seen.





So let us begin and see how Management Insights might help us view and modify our CM site so that we can be sure it is configured to effectively manage our systems.

We open the CM Admin console and navigate to Administration\Overview\Management Insights.  You are presented with a dashboard with some interesting charts and statistics with respect to your groups and the actions that are recommended, optional, critical or completed.  You might like to tick or un-tick the boxes in the top ribbon to gain an insight into each category.




If we scroll down a bit we see a number of Actions Needed against each group.  In this case there are several actions needed, and specifically for this article there is an action for the Optimize for remote workers group.


We can see here that our recommended action is to define a VPN boundary group.  Let's look a bit closer at the needed action.

We now navigate to Administration\Overview\Management Insights\All Insights.  We right click on the Optimize for remote workers group and select Show Insights.




We can then see that we are required to put our VPN Boundary into a VPN Boundary Group.



We can then right click on the Action and select More Details.



The Rule Detail informs us we should create and configure a VPN boundary and associate it with a boundary group.  This makes sense because we cannot assign a site system, such as a management point, to a boundary.  We need to assign the required site systems to the boundary group and then add the boundary to that boundary group.

And conveniently if we click on the Review Actions button we are then taken to the Boundary Groups section in the Administration blade.


I then click on the Create Boundary Group option in the ribbon.



I enter in the VPN Boundary group name and add my VPN boundary.




I can then click on References and add my site system.


I click on OK and Apply.




Once the Boundary Group is created we can then right click on it and select properties.  If we then click on the Options tab we see that the Allow peer downloads in this boundary group option is deselected.  In addition the Prefer cloud based sources over on-premise sources option is selected.  These are the default options and they do make sense given this is a VPN based boundary group.


Now, having added the VPN boundary to a VPN boundary group, we can navigate back to Administration\Overview\Management Insights\All Insights\Optimize for remote workers.  If we right click on the Define VPN boundary group action and select Re-evaluate, the action should then change to Completed.

To monitor and troubleshoot this you can view the sms_dataengine.log file on the site server.



It did become apparent that the preview edition I am running is not 100 percent perfect, because it took a while for the action update to complete, even though the log stated no insight rules needed evaluating.  Well, this is a technical preview edition, so little glitches like this are surely to be expected.  Nevertheless we got there in the end, as can be seen.




I hope you enjoyed reading this article.
Saturday, 4 July 2020

Using the ProvisionTS CCMSetup parameter

Some time back I put a Windows 10 build together for a large company using the Ivanti LANDESK deployment product.  It was an interesting project in itself and I was grateful to have been given the opportunity to learn about a new systems management product.  My specialty has always been Microsoft Endpoint Configuration Manager (before that it was called SCCM, and before that SMS), and learning about a new product is always very interesting.

One of the features I liked about Ivanti was the ability to nest task sequences, so that a task sequence for a set of applications could be called from within a base task sequence.  Thankfully Microsoft also implemented nested task sequences, in build 1710.

In Microsoft Endpoint Configuration Manager (build 2002 and above) Microsoft has also implemented the ProvisionTS switch as an option for ccmsetup.exe, the Configuration Manager client installation file.  When the CM client is installed, the task sequence behind the deployment ID given to this switch is initiated as soon as the client has successfully registered with its Configuration Manager site.

There are a number of clear advantages to this feature as it stands, and a number of possibilities to build on the feature.

1) Tune-up task sequence.  If SCCM is being implemented for the first time in an organisation or department, discovery alongside client push installation, together with ProvisionTS, allows a true-up: all machines run the task sequence and are brought up to a company standard, and in quick time as well.

2) Client reinstall.  Uninstall clients and de-register them from SCCM.  Install once more and the tune-up task sequence applies a company standard of applications and configurations.

3) Delegation of responsibility.  Quite often a company will want to delegate part, but not all, of the build to an external IT management company.  Nested and independent task sequences are a convenient way of achieving this, and it is clear which entity is responsible for a build failure once you have investigated which of the task sequences failed.

4) Applications whose completion time is not really a completion time.  We have all seen this one, where the application reports an install complete status and the build then moves on to the next step in the task sequence, but the application is still doing something, and that something interferes with the build and causes a failure.  Putting this application in a separate task sequence to be called by ProvisionTS is a convenient way of working around this sort of application snag.

5) A bare metal build can be compartmentalized so that there is a core build, critical to getting a user up and running, and a less critical subsection of the business build.  For instance a core build might include Windows 10, all security updates, Office Pro Plus and the required .NET Frameworks; this in itself will allow the user to start working on documents, create and receive emails, access company portals and submit reports.  In addition a role specific task sequence of less critical applications can be deployed using the ProvisionTS switch or a nested task sequence: for instance, a technical engineer might have the Visio application as well as Microsoft's Sysinternals tools deployed via the less critical task sequence run through the ProvisionTS variable.  Thus:

  • Risk reduction requirements are implemented.
  • Change control is expedited with less risk.
  • Testing times are reduced because the core of the testing is done on the application task sequence.

6) Build time reduction.  In an existing scenario the base build is applied, and then the machine is left on the bench waiting for all the required applications, deployed via AD integrated collections and deployments, to install.  This can take hours or days depending on polling schedules.  If the collections are hardware inventory based then the total build time can even take weeks, again depending on the hardware inventory interval set in SCCM (default is seven days).  It needs to be tested, but an option here would be to use a Status Filter Rule to force a client reinstall after a base is installed.

7) Zero touch upgrades are facilitated.  In most cases today, if we are able to apply an OSD build to a device at the user's desk, we still require an engineer to plug the machine into the network, PXE boot the device and select the task sequence.  We cannot expect a user to perform this operation.  However, we can supply the user with a machine which has a superseded, but approved, corporate build already installed on the hard disk: the user is instructed to switch on the device and the upgrade task sequence commences as soon as the device's SCCM client registers with the SCCM site.  The task sequence that is commenced is termed a refresh task sequence; in this scenario, however, it is a refresh without user data migration, so in terms of definition there is little difference from a bare metal build.

8) The ProvisionTS variable provides a way of achieving, for the on-premise arsenal of deployment tools, what Autopilot achieves as an in-cloud deployment tool.  In essence an active build need not be modified as often as it currently is; instead all the configurations and applications are overlaid using a task sequence deployed to the All Provisioning Devices collection.  This can be achieved using the offline domain join process.

9) We shouldn't forget that the SCCM client installation is a standard installation and can be deployed via Intune with whatever task sequence is desired; thus this feature, through Intune, can enhance existing builds and also Autopilot builds in an on premise scenario.

Using ProvisionTS

In this example I have a simple application based task sequence that installs Notepad++ and copies the famous cmtrace.exe log file viewer to the Windows directory.



We will test the following.

1) Create a deployment for our application task sequence to the new All Provisioning Devices collection.

2) Install the SCCM client using the following command line: ccmsetup.exe /MP:SERVER2 SMSMP=SERVER2 PROVISIONTS=<deployment ID of the application task sequence>

3) Verify that the application task sequence runs after the client is registered in SCCM.


Note: If your task sequence is failing at the software distribution steps you may need to add a Run Command Line step to enable software distribution.  Execute the following command:

WMIC /namespace:\\root\ccm\policy\machine\requestedconfig path ccm_SoftwareDistributionClientConfig CREATE ComponentName="Enable SWDist", Enabled="true", LockSettings="TRUE", PolicySource="local", PolicyVersion="1.0", SiteSettingsKey="1" /NOINTERACTIVE


Creating the TS deployment

1) Open the CM console and navigate to Software Library\Operating Systems\Task Sequences.  Right click on the custom application task sequence and select Deploy.  The Specify general information for this deployment window appears.  In the collection section click on Browse and select the All Provisioning Devices collection.  Click on OK and then Next.


2) On the Specify settings to control how this software is deployed window ensure that Required is selected under Purpose and click on Next.


3) On the Scheduling window click on the New button and in the Assignment Schedule window click on Assign immediately after this event: and select As soon as possible.


4) Click on OK and then Next.  Accept the defaults for the User Experience window and click on Next.  Accept the defaults for the Alerts window and click on Next.  Accept or modify the Distribution Points window as required and click on Next.  Review the Summary and click on Next.  The deployment is created.  Click on Close.




5) In the lower section of the right pane, with your task sequence selected, ensure that the Deployments tab is selected and that the Deployment ID column is listed.  If it is not, right click on the ribbon and select Deployment ID.


6) Make a note of the Deployment ID.  This is required for the next set of instructions.  In this case it is S0120003.




Deploy the Client using ProvisionTS

Copy the ccmsetup.exe file to the c:\windows directory of your test client.  Open a command prompt and run the following command: ccmsetup.exe /MP:<name of CM management point server> SMSMP=<name of CM management point server> PROVISIONTS=<Deployment ID of the task sequence deployed to the All Provisioning Devices collection>.  In this example my command line is:

ccmsetup.exe /MP:SERVER2 SMSMP=SERVER2 PROVISIONTS=S0120007
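ProvisionTS only does anything if the deployment ID you pass belongs to a deployment that actually targets the All Provisioning Devices collection, and a typo in the ID fails silently. The following PowerShell, added here and not part of the original post, looks that deployment up with the ConfigurationManager console module and builds the ccmsetup command line from it; the site code, management point name and task sequence name are assumptions for the lab and must be changed for your site.

```powershell
# Added example (not from the original post). Assumes the ConfigurationManager
# module that ships with the CM console is installed on this machine.
param(
    [string]$SiteCode         = 'S01',                     # assumption: lab site code
    [string]$ManagementPoint  = 'SERVER2',                 # assumption: MP used in the post
    [string]$TaskSequenceName = 'Install Applications',    # assumption: name of the app TS
    [string]$CollectionName   = 'All Provisioning Devices' # built-in collection ProvisionTS uses
)

# The module lives next to the console binaries; SMS_ADMIN_UI_PATH is set by the console install.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1" -ErrorAction Stop
Push-Location "${SiteCode}:"
try {
    $collection = Get-CMCollection -Name $CollectionName
    if (-not $collection) { throw "Collection '$CollectionName' not found in site $SiteCode" }

    # All deployments of this task sequence, reduced to the ones aimed at the provisioning collection.
    $deployments = @(Get-CMTaskSequenceDeployment -Name $TaskSequenceName |
        Where-Object { $_.CollectionID -eq $collection.CollectionID })

    if ($deployments.Count -eq 0) {
        throw "No deployment of '$TaskSequenceName' targets '$CollectionName'; ProvisionTS would run nothing"
    }
    if ($deployments.Count -gt 1) {
        throw "Several deployments of '$TaskSequenceName' target '$CollectionName'; pick one Deployment ID by hand"
    }

    # AdvertisementID is the value the console shows in the Deployment ID column.
    $deploymentId = $deployments[0].AdvertisementID

    # Same shape as the command line used in the post.
    "ccmsetup.exe /MP:$ManagementPoint SMSMP=$ManagementPoint PROVISIONTS=$deploymentId"
}
finally {
    Pop-Location
}
```

The script does not check that the deployment was created as Required (step 2 above); an Available deployment to the collection will still be reported but will not auto-start.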



The progression of the installation can be monitored in the c:\windows\ccmsetup\logs\ccmsetup.log file.



The installation completes.



The task sequence fires up and completes.





Using ProvisionTS in an Operating System Deployment Task Sequence

In this test case scenario I run a standard Zero Touch MDT task sequence to install Windows 10 Enterprise build 2004.  I configure the ProvisionTS variable in the Setup Windows and ConfigMgr task sequence step.  I have created a new deployment and so the deployment ID is different from above.  In addition I have no other switches to feed into the step, as can be seen.

ProvisionTS=S0120009



I tested the OSD MDT build on a Hyper-V guest machine and it successfully completed on July 4 at 10:54:09.



Observing the status messages, and without touching the newly built virtual machine, I saw that the additional task sequence specified in the ProvisionTS switch started installing at 10:56:24.  So that is just a little over two minutes of wait time and from my point of view that is a good result indeed.


Twenty seconds later Notepad++ 7.8.7 has installed.


Twenty-seven seconds later the supplementary task sequence has completed.






