Configuring Windows 10 Devices to Wake and Update Outside of Class time

Problem

Today, many productivity hours are lost to software updates installing during class time, which leaves frustrated users. Customers using traditional management solutions such as System Center Configuration Manager (SCCM) or other third-party tools don’t have an easy way of updating these devices outside of class time. Solutions such as Wake on LAN have been around for years, but with the move to wireless devices, it’s not a viable solution. SCCM supports wake timers, but only for desktop devices.

Solution

In Windows 10, there are two solutions to this problem:

  1. Shared PC CSP
  2. Automatic Maintenance

Shared PC CSP is a Configuration Service Provider MDM policy that was introduced in Windows 10 1607. Shared PC does many things to improve shared device management such as cleaning up old user profiles, improving logon performance, and more.

Automatic Maintenance is a Windows feature, introduced in Windows 8, that runs scheduled tasks during a specified maintenance period; tasks flagged to wake the device can bring it out of sleep for that period.

In education environments with shared devices, it’s recommended to use Shared PC as that will be the easiest method to enable devices to wake during the automatic maintenance period. However, shared PC does enable several additional policies that you may not want on your devices.

For more information about Shared PC, see how to set up a shared or guest PC. It’s important to understand the local policies that are being set on the device to understand if setting Shared PC is acceptable within your environment. For example, Shared PC will prevent usage of OneDrive for file storage.

IMPORTANT: To wake a device using the methods described in this article, the devices must be non-connected-standby devices (devices that support the S3 sleep state). Connected Standby devices (such as Surface) will not wake via the RTCWake timer. This is something we’re actively investigating.

Configuring Shared PC via Windows Configuration Designer (WCD) for new devices

Windows Configuration Designer (WCD) is used to create provisioning packages. It can be installed from the Windows Store by searching for Windows Configuration Designer. Once installed, you can create a desktop provisioning package from the list of package types on the left. During the initial wizard, one of the options will be to Configure Devices for Shared Use.

If you continue through this wizard, you can enter a device name, product key, specify Wi-Fi, whether you want to join AD or Azure AD, etc. Once you’ve completed that, this package will be ready for use for new or existing devices. You can then take the .ppkg file, put it on a USB stick and insert the USB stick during OOBE of a newly unboxed Windows 10 1703+ device, and it will apply the settings in the package to that device. You can also run it by double-clicking it, using PowerShell, etc. However, keep in mind that if you do fill out the entire wizard, you would be renaming the device.

Configuring Shared PC via Windows Configuration Designer (WCD) for Existing Devices

For existing devices, you don’t need to go through all the steps in the wizard. If you have an existing 1703+ device, you can apply a .ppkg that just sets Shared PC.

Open Windows Configuration Designer and select Advanced Provisioning.

By looking in the advanced editor, we’ll see the different options we can configure for Shared PC (amongst a ton of other settings). We’ll need to enable the following settings to be able to wake the device:

  • EnableSharedPCMode = True
  • MaintenanceStartTime = 0 (this will wake the device between 12 AM and 2 AM. A 2-hour randomized start delay is applied to the value you specify here. Valid values are 0-23. If you specify 13, the device will wake between 1 PM and 3 PM, i.e. 13-15.)
  • RestrictLocalStorage = False (if set to either NOT CONFIGURED or TRUE, RestrictLocalStorage will prevent a user, even an admin, from being able to use File Explorer to access the file system. You still can use it via cmd or powershell. I’d suggest initial testing to have this set to False. If set to True, all users on the device will only have access to their c:\users\profile\downloads folder in File Explorer)
  • SetEDUPolicies = True (for more info, see Configure Windows for Education)
  • SetPowerPolicies = True (Prevents users from changing power settings; Turns off hibernate; Overrides all power state transitions to sleep (e.g. lid close))
  • SleepTimeout = 3600 (device will fall asleep after 1 hour – the default value the PPKG will set is 300 seconds (5 min) which is likely to be an issue)

Note that the above settings will NOT create the scheduled task necessary to wake the device.

To create the scheduled task to wake the device, we have two options:

  1. Enable account maintenance
  2. Enable SetEDURestart Windows Update policy

Enabling Account Maintenance

To enable account maintenance, we need to set the following policies:

  • AccountModel = Domain-joined (can also select domain-joined and guest if you wish to enable guest access. Guest access will create a button on the logon screen to allow for guest accounts to use the device. The guest account is a temporary local account that will be deleted on logoff. This can be useful for younger grade levels or those that have issues typing)
  • DeletionPolicy = Delete at disk space threshold and inactive threshold (this will enable the ability of Shared PC to delete profiles when disk space falls below 25% free and will delete the oldest profiles first until 50% free. It will also delete profiles when they are older than the inactive threshold which is 30 days by default.)
  • DiskLevelCaching = 50 (this is the amount of free disk space in percent that we wish the device to have after deleting profiles)
  • DisklevelDeletion = 25 (this is the amount of free disk space in percent threshold that we wish the device to start deleting the oldest profiles first)
  • EnableAccountManager = True (enables the ability for account maintenance to run)
  • InactiveThreshold = 30 (the number of days a profile has been inactive before it will be deleted. In 1:1 scenarios where students may come back to the device after a long break (summer or winter) you may wish to increase this value to 90 or 180 days to prevent a student’s profile from being deleted)

Once these settings have been applied, a scheduled task is enabled in Task Scheduler under Microsoft\Windows\Shared PC\Account Cleanup.

This scheduled task will be responsible for waking the device.

Enable SetEDURestart Windows Update policy

Some customers may opt to not enable account maintenance in Shared PC. They may have their own solutions or they may be in a 1:1 situation where it’s not necessary however they want some of the other benefits Shared PC offers.

Earlier I mentioned a Windows Update policy called SetEDURestart (in Group Policy this is referenced as Update Power Policy for Cart Restarts). This is a new policy that was introduced in Windows 10 1703 to skip checking the battery level, to ensure that the reboot will happen at the ScheduledInstallTime for updates (by default this value is 3 AM). This policy is a bit misleading because there’s also a scheduled task that this policy creates under UpdateOrchestrator\Combined Scan Download Install. This scheduled task is not created unless the SetEDURestart MDM policy, or the Update Power Policy for Cart Restarts local/group policy, is enabled.

So, what does all this mean?

Ultimately, all we need is a scheduled task to wake the device up. If using Shared PC via WCD, it will do account maintenance via a scheduled task called Account Cleanup under the Shared PC folder in Task Scheduler. If you also want to bypass power checks, you can do that too by setting SetEDURestart to 1 in Policies\Update\SetEDURestart in WCD. Having either of these set will create a scheduled task that will wake the device. Shared PC will also set the RTCWake value for the Balanced power scheme to 1.

NOTE: If you’re using Windows Update or WSUS (i.e. not SCCM or a third-party tool), you may also want to apply the AllowAutoUpdate policy as Auto-install and restart without end-user control (this sets AllowAutoUpdate to 4). This will help ensure that the updates install and the device reboots. If you are using SCCM or a third-party tool, you can ignore this setting.


Once you have your provisioning package set up the way you want, you can click the Export drop-down at the top and then apply it via USB at OOBE, or you can deploy it via SCCM, GP, or whatever management tool you use via PowerShell.

As of Windows 10 1703, provisioning packages can be applied silently without being signed using the following command.

Install-ProvisioningPackage -PackagePath C:\Foo\bar.ppkg -QuietInstall -ForceInstall

How to enable in Intune for Education

Intune for Education makes this super easy to configure. Just go to the groups node and for the group you want to configure, select Settings and expand Device sharing settings and select Optimize devices for shared use.

Note that this doesn’t give you the same granular settings that you had in WCD. If you want to granularly apply these settings, you would have to do them via custom OMA-URI settings in the full Intune portal. How to configure these settings is outside the scope of this post.

How to enable in Group Policy

For those environments that do not wish to enable Shared PC, Automatic Maintenance can be configured via group policy to wake devices. To do this, the following items will need to be configured:

  1. Configure Automatic Maintenance Activation Boundary
  2. Configure Automatic Maintenance WakeUp Policy
  3. Optional: Configure Automatic Maintenance Random Delay (Recommended)
  4. Configure Update Power Policy for Cart Restarts (Windows 10 1703 GPO)
  5. Set RTCWake Timer on power scheme (PowerShell)

In Group Policy, create a new Group Policy object and configure the following settings:

  1. Navigate to Computer Configuration – Administrative Templates – Windows Components – Maintenance Scheduler
  2. Enable and configure Automatic Maintenance Activation Boundary using the following format: 2000-01-01T13:00:00. In this example, the activation boundary is set to 1 PM using a 24-hour clock. Click OK.
  3. Enable Automatic Maintenance WakeUp Policy and click OK.
  4. Enable Automatic Maintenance Random Delay and set it using the following format: PT1H. In this example, the delay would be 1 hour. You can change this by modifying the 1 to a 2 for 2 hours, etc. It is recommended to set this so devices aren’t all waking at the exact same time.
  5. Navigate to Computer Configuration – Administrative Templates – Windows Components – Update Power Policy for Cart Restarts and Enable the policy
  6. Enable the RTCWake timer on your devices

    To enable RTCWake, we need to use Powercfg.exe to do this:

    Powercfg /SETACVALUEINDEX SCHEME_BALANCED SUB_SLEEP RTCWAKE 1

    And

    Powercfg /SETDCVALUEINDEX SCHEME_BALANCED SUB_SLEEP RTCWAKE 1

    The above commands enable wake timers for both plugged-in and battery states. They only affect the Balanced power scheme. If your devices use different power schemes, you can use the PowerShell script below to apply the setting to all power schemes.

     

    # Every power scheme on the device, from powercfg /LIST
    $PowerSchemes = (powercfg.exe /LIST) | Select-String "power scheme guid" -List
    # GUID of the "Allow wake timers" (RTCWAKE) setting, taken from the current scheme's query output
    $AllowWakeTimersGUID = ((powercfg.exe /q) | Select-String "(Allow wake timers)").ToString().Split(" ") | Where-Object { ($_.Length -eq 36) -and ([guid]$_) }

    foreach ($PowerScheme in $PowerSchemes) {
        $PowerSchemeGUID = $PowerScheme.ToString().Split(" ") | Where-Object { ($_.Length -eq 36) -and ([guid]$_) }
        # Enable wake timers for battery (DC) and plugged-in (AC) on this scheme
        foreach ($Argument in ("/SETDCVALUEINDEX $PowerSchemeGUID SUB_SLEEP $AllowWakeTimersGUID 1",
                               "/SETACVALUEINDEX $PowerSchemeGUID SUB_SLEEP $AllowWakeTimersGUID 1")) {
            Start-Process powercfg.exe -ArgumentList $Argument -Wait -Verb runas -WindowStyle Hidden
        }
    }

  7. You can apply either the direct powercfg commands above or the script in a variety of ways: as a Group Policy startup or shutdown script, through a Group Policy Preference that creates a scheduled task, or through SCCM or whatever management tool you are using.

To validate that this is working, open an admin command prompt or powershell prompt and type in powercfg /waketimers
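
The following is an added example, not part of the original post: a read-only PowerShell check of the pieces this article says must be in place for a device to wake (RTCWAKE on AC and DC, a wake-enabled maintenance task, and no connected standby). The task paths are the ones named in this post; the registry path for the Maintenance Scheduler policy values is an assumption to verify against your ADMX templates.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.

function Get-PowerSettingIndex {
    # Pulls the AC or DC index out of "powercfg /q" output for one setting
    param([string[]]$Lines, [ValidateSet('AC','DC')][string]$Side)
    $m = $Lines | Select-String -Pattern "Current $Side Power Setting Index:\s+0x([0-9A-Fa-f]+)" |
         Select-Object -First 1
    if ($m) { [convert]::ToInt32($m.Matches[0].Groups[1].Value, 16) } else { $null }
}

function Get-RtcWakeSetting {
    # RTCWAKE ("Allow wake timers") must be 1 on both AC and DC for a wake timer to fire
    param([string]$Scheme = 'SCHEME_CURRENT')
    $out = powercfg.exe /q $Scheme SUB_SLEEP RTCWAKE
    [pscustomobject]@{
        Scheme = $Scheme
        AC     = Get-PowerSettingIndex -Lines $out -Side 'AC'
        DC     = Get-PowerSettingIndex -Lines $out -Side 'DC'
    }
}

function Test-WakeTask {
    # A task only wakes the device if it exists, is not disabled and has WakeToRun set
    param([string]$TaskPath, [string]$TaskName)
    $t = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Task      = "$TaskPath$TaskName"
        Exists    = [bool]$t
        Enabled   = if ($t) { $t.State -ne 'Disabled' } else { $false }
        WakeToRun = if ($t) { [bool]$t.Settings.WakeToRun } else { $false }
    }
}

function Test-ConnectedStandby {
    # True when "Standby (S0 Low Power Idle)" is listed under the *available* sleep states.
    # powercfg /a also lists it under "not available" on S3 machines, so the section matters.
    $available = $true
    foreach ($line in (powercfg.exe /a)) {
        if ($line -match 'not available on this system') { $available = $false }
        if ($available -and $line -match 'S0 Low Power Idle') { return $true }
    }
    return $false
}

function Test-WakeConfiguration {
    $power = Get-RtcWakeSetting
    $tasks = @(
        Test-WakeTask -TaskPath '\Microsoft\Windows\Shared PC\' -TaskName 'Account Cleanup'
        Test-WakeTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -TaskName 'Combined Scan Download Install'
        Test-WakeTask -TaskPath '\' -TaskName 'InvokeMaintenance'   # the manually created task described later in this post
    )
    # Assumed location of the Maintenance Scheduler GPO values (verify against your ADMX templates)
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Task Scheduler\Maintenance' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RtcWakeAC          = $power.AC
        RtcWakeDC          = $power.DC
        ConnectedStandby   = Test-ConnectedStandby
        ActivationBoundary = $policy.'Activation Boundary'
        RandomDelay        = $policy.'Randomized'
        WakeUpPolicy       = $policy.'WakeUp'
        AnyWakeTask        = [bool]($tasks | Where-Object { $_.Exists -and $_.Enabled -and $_.WakeToRun })
        Tasks              = $tasks
    }
}

$result = Test-WakeConfiguration
$result | Format-List RtcWakeAC, RtcWakeDC, ConnectedStandby, ActivationBoundary, RandomDelay, WakeUpPolicy, AnyWakeTask
$result.Tasks | Format-Table -AutoSize
```

A device is only expected to wake when RtcWakeAC and RtcWakeDC are both 1, AnyWakeTask is True and ConnectedStandby is False.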

Miscellaneous items to think about:

  1. Just because the device wakes doesn’t necessarily mean it will install anything. Keep in mind what your current power policies are set to. If the device goes back to sleep five minutes after being awake, that won’t be enough time to get SCCM policies and install content. You may need to change your off-peak power settings to allow for the devices to stay awake longer to get policies from SCCM to install any updates/software that is being deployed.
  2. This process will work for machines managed by WSUS too or any third party management tool.
  3. If you are unsure if you have any devices that support connected standby, you can run Powercfg /a. If you see Standby (S0 Low Power Idle) this is a device that supports connected standby.
  4. If you’re on 1607 and can’t or won’t configure Shared PC, you also don’t have access to the SetEDURestart policy. You’ll need to create a scheduled task manually. You can do this via the following PowerShell script.
    $task = Get-ScheduledTask -TaskName InvokeMaintenance -ErrorAction SilentlyContinue
    If (-not $task)
    {
        # The action is a no-op (cmd /c with nothing to run); the task exists only so that a
        # maintenance task with WakeToRun is registered on the device
        $ST_A = New-ScheduledTaskAction -Execute "cmd" -Argument "/c"
        $ST_T = New-ScheduledTaskTrigger -AtStartup
        # MaintenancePeriod marks it as an Automatic Maintenance task; WakeToRun lets it wake the device
        $ST_S = New-ScheduledTaskSettingsSet -DisallowHardTerminate -RunOnlyIfIdle -MaintenancePeriod 24:00:00 -StartWhenAvailable -WakeToRun -ExecutionTimeLimit 00:30:00 -Priority 0
        $ST_P = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest
        Register-ScheduledTask -TaskName "InvokeMaintenance" -Action $ST_A -Trigger $ST_T -Settings $ST_S -Principal $ST_P
    }

Posted in Modern Management | Leave a comment

How to Create a Silent, Self-Extracting Installer for use with Windows Configuration Designer

How to Create a Self-Extracting Installer using 7Zip for Complex Applications for use with Windows Configuration Designer


A challenge that may arise when trying to use modern deployment techniques with Windows 10 is the need to deploy applications that have complex installation methods. These methods may use a setup.exe that calls .msi files, or have multiple files or folders. When creating a provisioning package with Windows Configuration Designer (WCD) to join a device to Azure AD, you can specify applications to install during the provisioning wizard; however, these applications must be a single file. They can also be .bat, .cmd, etc. files, but again, only a single file.

7-Zip is a free, open source application that allows for creating self-extracting installers in .exe format. It allows for repackaging without having to install the application on a reference machine and capture the differences into an MSI file like most repackaging solutions. These self-extracting .exe files can be deployed during the provisioning of a device.

Preparing to Repackage your Application

In this example, we’ll be repackaging Office 365 ProPlus Click To Run (CTR) since it has a small footprint consisting of a single setup.exe and configuration.xml which allows for silent installation. Know that this isn’t the most efficient way of installing Office 365 ProPlus CTR using provisioning since using the standard Office 365 ProPlus CTR bits will reach out to the internet to download ~1GB+ of files.

Note: If you’re looking for a more efficient way to include Office 365 ProPlus CTR into your provisioning package, use the Office Install Toolkit, which will give you the ability to customize your office install and download the bulk of the installation files to reduce the amount of bandwidth your devices will use during provisioning.

  1. Copy your application to some folder on your machine. For example C:\temp\Office 365 ProPlus
  2. In this folder, create a new folder called custom
  3. Download 7-zip from http://www.7-zip.org/ and select the appropriate architecture type for your machine (x86 or x64)
  4. Install 7zip
  5. Download the LZMA SDK – http://www.7-zip.org/a/lzma1604.7z
  6. Right Click the lzma1604.7z, select 7-zip -> Extract Files
  7. In the Extract to: field, select a location to extract to such as C:\temp\. When it’s finished extracting, you should have a folder called C:\temp\lzma1604
  8. If you are interested in how LZMA compresses the files into a self-extracting archive, you can reference “C:\temp\lzma1604\DOC\installer.txt”

Repackaging the application

Now that 7Zip and LZMA are both installed, we need to repackage the application. In order to repackage, we need to do four things:

  1. Zip our source files
  2. Copy the 7zSD.sfx file from LZMA – this is what creates the self-extracting exe
  3. Create a config.txt file that includes the installation command and the silent switches
  4. Run a copy command to take the compressed zip file, the sfx file, and the config file and create a single self-extracting .exe

Let’s repackage Office 365

  1. Open File Explorer and go to C:\Temp\Office 365 ProPlus
  2. Select the setup.exe and configuration.xml files and select 7Zip -> Add to “Office 365 ProPlus.7z”
     You should have an Office 365 ProPlus.7z file in the C:\temp\Office 365 ProPlus folder
  3. In File Explorer, copy “C:\temp\lzma1604\bin\7zSD.sfx” to C:\Temp\Office 365 ProPlus
  4. In File Explorer, in the c:\temp\Office 365 ProPlus folder, right-click in the white area and select New – Text Document and name the file config.txt
  5. Open the config.txt file
  6. The content of the config.txt file needs to be in a certain format. The below example is for Office 365, but for your installer you’ll need to get the execute file (this could be a setup.exe, or even a .cmd file or some other extension) and whatever the parameters are.

    Copy and paste the below example into your config.txt file

    ;!@Install@!UTF-8!
    Title="Office 365 PP"
    BeginPrompt="Do you want to install Office 365 PP?"
    ExecuteFile="setup.exe"
    ExecuteParameters="/configure configuration.xml"
    ;!@InstallEnd@!

    If you have a MSI file as the installer, but still have multiple files and/or folders that comprise the installation, you can use the following:

    ;!@Install@!UTF-8!
    Title="Title of Application"
    BeginPrompt="Do you want to install Application?"
    ExecuteFile="msiexec.exe"
    ExecuteParameters="/i NameOfMSI.msi /qn /norestart"
    ;!@InstallEnd@!

    Note: Your MSI may have additional properties. Check with the vendor to determine any additional execute parameters that are needed.

  7. Open a command prompt by clicking the start menu and typing cmd and hitting enter
  8. Change directory to c:\temp\Office 365 ProPlus by typing cd c:\temp\Office 365 ProPlus
  9. Create the self-extracting exe by typing:
    copy /b 7zSD.sfx + config.txt + "Office 365 ProPlus.7z" O365PPInstaller.exe
    You should end up with O365PPInstaller.exe in the C:\temp\Office 365 ProPlus folder alongside the source files.
  10. Congratulations, you now have a self-extracting exe that can be installed silently.
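
The same four repackaging steps as one PowerShell function, added here as an example (not the post's own script). It assumes 7-Zip at its default install path, the LZMA SDK extracted to C:\temp\lzma1604 as above, and names the intermediate archive payload.7z; it writes config.txt without a BOM (which would break the ;!@Install@! marker) and returns a SHA-256 so the .exe can be verified before it goes into a provisioning package.

```powershell
# Added example (not from the original post): build a 7-Zip SFX installer end to end.
function New-SfxInstaller {
    param(
        [Parameter(Mandatory)] [string]   $SourceDir,    # folder holding the installer files
        [Parameter(Mandatory)] [string[]] $Files,        # files to pack, relative to $SourceDir
        [Parameter(Mandatory)] [string]   $ExecuteFile,  # what the SFX runs after extracting
        [Parameter(Mandatory)] [string]   $OutFile,
        [string] $ExecuteParameters = '',
        [string] $Title       = 'Installer',
        [string] $BeginPrompt = '',                      # leave empty for a fully silent package
        [string] $SfxModule   = 'C:\temp\lzma1604\bin\7zSD.sfx',    # assumed path (see steps above)
        [string] $SevenZip    = "$env:ProgramFiles\7-Zip\7z.exe"    # assumed default install path
    )
    foreach ($p in @($SfxModule, $SevenZip, $SourceDir)) {
        if (-not (Test-Path $p)) { throw "Missing prerequisite: $p" }
    }
    $archive = Join-Path $SourceDir 'payload.7z'   # constructed name for the intermediate archive
    $config  = Join-Path $SourceDir 'config.txt'

    # 1. Compress the source files ("a" = add to archive; remove any stale archive first)
    Remove-Item $archive -ErrorAction SilentlyContinue
    Push-Location $SourceDir
    try {
        & $SevenZip a -t7z $archive @Files | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "7z.exe failed with exit code $LASTEXITCODE" }
    } finally { Pop-Location }

    # 2. Write config.txt. The ;!@Install@! marker must be the very first bytes of the file,
    #    so write UTF-8 without a BOM (Out-File -Encoding utf8 in Windows PowerShell adds one).
    $lines = @(';!@Install@!UTF-8!', "Title=`"$Title`"")
    if ($BeginPrompt) { $lines += "BeginPrompt=`"$BeginPrompt`"" }
    $lines += "ExecuteFile=`"$ExecuteFile`"", "ExecuteParameters=`"$ExecuteParameters`"", ';!@InstallEnd@!'
    [IO.File]::WriteAllText($config, ($lines -join "`r`n") + "`r`n", (New-Object Text.UTF8Encoding($false)))

    # 3. Concatenate module + config + archive, the equivalent of "copy /b", streamed so a
    #    large archive is not loaded into memory
    $out = [IO.File]::Create($OutFile)
    try {
        foreach ($part in @($SfxModule, $config, $archive)) {
            $in = [IO.File]::OpenRead($part)
            try { $in.CopyTo($out) } finally { $in.Dispose() }
        }
    } finally { $out.Dispose() }

    # 4. Return the hash so the file placed in the provisioning package can be verified later
    [pscustomobject]@{
        Installer = $OutFile
        Bytes     = (Get-Item $OutFile).Length
        SHA256    = (Get-FileHash -Path $OutFile -Algorithm SHA256).Hash
    }
}

# Matches the Office 365 ProPlus walkthrough above; -y at run time still skips any prompt
New-SfxInstaller -SourceDir 'C:\temp\Office 365 ProPlus' -Files 'setup.exe', 'configuration.xml' `
    -ExecuteFile 'setup.exe' -ExecuteParameters '/configure configuration.xml' `
    -Title 'Office 365 PP' -OutFile 'C:\temp\Office 365 ProPlus\O365PPInstaller.exe'
```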

Testing the EXE

It’s recommended to test the exe prior to implementing in a provisioning package to validate that the exe installs successfully. There are two ways to do this:

  1. Copy the exe to a test machine (A VM is preferred) and run it via cmd prompt using O365PPInstaller.exe -y
  2. Copy the exe to a test machine (A VM is preferred) and install the exe in the system context

Option 1 is easy, but option 2 is a better test since the provisioning process uses the system context. Use option 1 first just to validate that the exe works, then use option 2 to make sure it works in the system context. If both tests work, there’s a high likelihood it will work in the provisioning package.

Testing with option 1

  1. Copy the O365PPInstaller.exe file from C:\temp\Office 365 ProPlus and copy it somewhere on your test machine. In this example, we’ll use c:\temp
  2. Open an admin command prompt on the test machine by going to the start menu, typing in cmd, and pressing ctrl+Shift+Enter at the same time on the keyboard (alternatively, you can right-click on cmd and select Run as Administrator)
  3. Change directory to c:\temp by typing in cd c:\temp and hitting enter
  4. Run O365PPInstaller.exe -y

If your configuration file for O365 was configured correctly, O365 ProPlus should install silently (a black window might pop up, but no user intervention is required).

(Optional) Testing with option 2

Testing with option 2 requires the use of psexec to create a command prompt in the system context. This will allow for validation of the application as system, which is the context Intune and the provisioning process will use to install the application.

  1. Copy the O365PPInstaller.exe file from C:\temp\Office 365 ProPlus and copy it somewhere on your test machine. In this example, we’ll use c:\temp
  2. Download psexec from https://live.sysinternals.com/psexec.exe
    (Note: Sysinternals tools are Microsoft tools, psexec.exe is a safe download)
  3. Save the file to c:\temp\psexec.exe
  4. Open an admin command prompt on the test machine by going to the start menu, typing in cmd, and pressing ctrl+Shift+Enter at the same time on the keyboard (alternatively, you can right-click on cmd and select Run as Administrator)
  5. Type in c:\temp\psexec.exe -sid cmd -accepteula and hit enter
  6. A new cmd prompt will open up in the system context. Verify you are running as system by typing whoami and hitting enter
  7. Change directory to c:\temp by typing in cd c:\temp and hitting enter
  8. Run O365PPInstaller.exe -y

If your configuration file for O365 was configured correctly, O365 ProPlus should install silently (a black window might pop up, but no user intervention is required).

Integrating with a Provisioning Package

You can create provisioning packages (PPKG) with the Windows Configuration Designer (WCD) tool. This process will show how to download WCD and create a PPKG to provision a device.

  1. Download Windows Configuration Designer (WCD) from the Windows Store
    1. Go to the start menu and type store and hit enter
    2. In the search box type Windows Configuration Designer and hit enter
    3. Click the Install button
    4. When the app finishes installing, click Launch from the Windows Store application (alternatively you can find the app in your start menu)
  2. In Windows Configuration Designer, select Provision desktop devices
  3. In the New Project wizard, give your package a name and click Finish
  4. In the Set up device page, type in a name for the device such as Contoso-%RAND:5%
  5. Click Next
  6. In the Set up network page, enter your network SSID. If you are going to use a VM or a device without a wireless adapter, make sure to select Off for Connect devices to a Wi-Fi network and click Next
  7. In the Account Management page, select Enroll in Azure AD and select Get Bulk Token
  8. In the wizard that pops up, enter the Azure AD account that has rights to enroll devices (this would be a global administrator account, or an account that you have specified in Azure AD) and click Next
  9. Enter your password and click Sign In

    If you get an error, try again. Trying multiple times seems to help.
  10. Click Next once the bulk token has been fetched successfully
  11. In the Add applications page, click the + sign for Add an Application
  12. For Application Name, type in Office 365 Pro Plus
  13. Click Browse for the Installer path
  14. Select c:\temp\O365PPInstaller.exe
  15. For command line arguments enter cmd /c “o365ppinstaller.exe” -y
  16. Click Add
  17. Click Next
  18. In the Add certificates page, click Next
  19. In the Finish page, click Create
  20. After clicking Create, a link to the package will be listed in the app. The path to the PPKG will be similar to: C:\Users\<YourUserProfile>\Documents\Windows Imaging and Configuration Designer (WICD)\<Name You Gave The Package>. All you want is the .ppkg file out of this folder. Take the .ppkg file and copy it to a USB stick.

Provision a New Device

  1. Image a machine with stock Windows 10 1703 (aka Creators Update) installation media and let it sit at the first screen of the out of box experience (the screen that says “Let’s start with region. Is this right?“)
  2. Insert the USB stick that has the provisioning package (the file with the .ppkg extension).
  3. The PC will reboot and will be on the Installing provisioning packages… screen for a little while depending on the size or the application. With Office 365 ProPlus, the installer that we captured will reach out to the internet to download the latest bits of Office 365. This can be about 1GB+ of data.

Once the installation is complete, you should be at the lock screen. Dismiss the lock screen and login with an Azure Active Directory Account. If everything succeeded, you should see Office 365 ProPlus installed on the device.

Posted in Modern Management | 3 Comments

System Center 2012 Configuration Manager Beta 1 Unix and Linux Client Downloads Available

System Center 2012 Configuration Manager SP1 Beta 1 offers support for managing Unix and Linux clients (and Mac OS clients as well). When downloading the beta SP1 bits, the client bits aren’t included and need to be downloaded separately.

The following Unix and Linux versions are supported in Beta 1:

  • AIX Version 7.1 (Power)
  • AIX Version 6.1 (Power)
  • AIX Version 5.3 (Power)
  • HP-UX Version 11iv3 (IA64 & PA-RISC)
  • HP-UX Version 11iv2 (IA64 & PA-RISC)
  • RHEL Version 6 (x86 & x64)
  • RHEL Version 5 (x86 & x64)
  • RHEL Version 4 (x86 & x64)
  • Solaris Version 10 (x86 & SPARC)
  • Solaris Version 9 (SPARC)
  • SLES Version 11 (x86 & x64)
  • SLES Version 10 SP1 (x86 & x64)
  • SLES Version 9 (x86)

The following scenarios are supported by the UNIX and Linux clients:

  • Hardware Inventory – Hardware inventory can be viewed through Resource Explorer and can be used to create collections of UNIX and Linux computers.
  • Software Inventory – Through hardware inventory the list of natively installed software can be gathered from the UNIX and Linux computers – similar to add/remove programs for Windows systems.
  • Software Distribution – Deploy new software, update existing software and apply OS patches to collections of UNIX/Linux computers (using a package and program). Run arbitrary maintenance scripts on a collection of UNIX/Linux servers.
  • Secure and Authenticated Communications
  • Consolidated Reports

For more information and to download the client files, please visit http://www.microsoft.com/en-us/download/details.aspx?id=34609

Posted in ConfigMgr 2012, Unix and Linux | Leave a comment

List of RSS Feeds for KB Articles for Microsoft Products

Want to keep up with the latest KB articles for the Microsoft products that you have in your environment? The best solution I’ve found is to use an RSS Feed Reader and subscribe to the feeds.

Here’s a list of all of the RSS feeds for every KB article that comes out.

http://support.microsoft.com/select/?target=rss

Posted in Tips and Tricks | Leave a comment

SoftwareUpdateAutomation.exe Scheduled Task Fails with an 0x1 Error Message When Updating FEP 2010 Definition Package

Issue

When using the SoftwareUpdateAutomation.exe file as a scheduled task to update the Forefront Endpoint Protection definition files, the scheduled task may fail with an error code of 0x1. In the %programdata%\SoftwareUpdateAutomation.log file may see the following error:

SQLMessage = “[22018][245][Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the varchar value ‘APSB10-22’ to data type int.”;

Cause

This happens when SCUP is used to import third party updates. These updates sometimes include dashes as part of the articleID column in the database.

Solution

In the command line arguments for the SoftwareUpdateAutomation.exe scheduled task, use single quotes around the articleID. For example, use the following:

/AssignmentName <deployment name> /PackageName <deployment package> /RefreshDP /UpdateFilter "articleid='2461484' AND IsSuperseded=0 AND IsEnabled=1 AND IsExpired=0"

Posted in Forefront Endpoint Protection | 1 Comment

How to Turn Off Compression in Configuration Manager 2007 Software Distribution

This is a question I’ve been asked a few times. By default, SMS and ConfigMgr both compress package content into a PCK file to distribute the content to child sites. The problem you might run into with Operating System Deployment WIM files, which are already compressed, is that they take forever to move from one site to another, finally to your distribution point.

There is a way to handle the compression and exclude WIM files, as well as any other extension you want to exclude. This can save you a good amount of time. In my customer’s case this week, we noticed that distribution manager took 5 minutes to complete “compression” instead of 30 minutes that it previously took.

I mention “compression” (in quotes) because while distmgr.log will show the file being compressed, if you look at the file size, it’s actually slightly bigger (in some cases) than the original WIM file.

For example, look at this screen shot of my distmgr.log where I send an x86 boot WIM that distmgr compresses

Compressed Package

Notice the first line where it says the size of the package is 129544 KBytes and the compressed size at the bottom is 129068 KBytes. Not very much space gained here, but look at the amount of time it took to compress roughly 130MB. It took 2 minutes.

Let’s take a look at the same package with compression off for WIM files:

Notice here how the same package content is still “compressed”, but the content is actually BIGGER, yet the time taken is a minute less (a 50% reduction in the time to “compress”). It’s bigger, likely because some additional information gets added to the package as it is moved into a .pck file. The package will always convert from a .wim to a .pck; however, the compression engine simply isn’t involved.

In order to exclude WIM files from compression you need to edit the following location in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Compression\DontCompressExts on 32-bit servers

Or

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\SMS\Compression\DontCompressExts on 64-bit servers

In this list, you will see:

.cab;.zip;.arj;.rar;.jpg;.jpeg;.wma;.wmv;.mpg;.mpeg;.mov

Simply append .wim so that the value reads:

.cab;.zip;.arj;.rar;.jpg;.jpeg;.wma;.wmv;.mpg;.mpeg;.mov;.wim
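
The same registry change scripted in PowerShell, added here as an example (not from the original post). It picks whichever of the two keys above exists on the site server and only appends extensions that are not already in the list, so it is safe to run repeatedly or from a configuration baseline.

```powershell
# Added example (not from the original post): append extensions to DontCompressExts idempotently.
function Add-SmsDontCompressExt {
    param([string[]]$Extensions = @('.wim'))

    $candidates = @(
        'HKLM:\SOFTWARE\Microsoft\SMS\Compression'              # 32-bit site server
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\SMS\Compression'  # 64-bit site server
    )
    $key = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $key) { throw 'SMS\Compression key not found; run this on the ConfigMgr site server.' }

    $before = (Get-ItemProperty -Path $key -Name DontCompressExts).DontCompressExts
    # Split on ';' and drop empty entries (a trailing ';' would otherwise produce one)
    $list  = @($before -split ';' | Where-Object { $_ } | ForEach-Object { $_.Trim() })
    $added = @()
    foreach ($ext in $Extensions) {
        $e = $ext.Trim()
        if (-not $e.StartsWith('.')) { $e = ".$e" }
        # -notcontains is case-insensitive, so ".WIM" already present counts as a match
        if ($list -notcontains $e) { $list += $e; $added += $e }
    }
    if ($added.Count -gt 0) {
        Set-ItemProperty -Path $key -Name DontCompressExts -Value ($list -join ';')
    }
    [pscustomobject]@{ Key = $key; Before = $before; After = ($list -join ';'); Added = $added }
}

Add-SmsDontCompressExt -Extensions '.wim'
```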

Posted in sccm | 4 Comments

Verizon Wireless Samsung SCH-LC11 EF07 Update Now Available

Samsung has released a software upgrade EF07 for the SCH-LC11, which is recommended to be installed. I used to have CONSTANT disconnecting issues with my SCH-LC11, but those issues appear to have been resolved. Will know for sure after some more time with the update, but it’s working well so far.

  • PPTP and L2TP VPN support
  • CSRF improved web security
  • Change WEB UI 4G icon change
  • RSSI indicator change
  • Extended default IP range
  • Resolves Wi-Fi disconnect / interference issue
  • Device configuration script
Posted in Uncategorized | Leave a comment

Building Windows 8 – Improving Windows Explorer

If you haven’t been to the Building Windows 8 Blog yet, I highly recommend bookmarking it as the Windows 8 team has been updating it frequently.

Today’s post comes from Alex Simons and takes a brief look at the history of Windows Explorer (going back to MS-DOS Executive in Windows 1.0) and a very interesting look at the telemetry data (the data we use when we ask you to opt into the Customer Improvement Experience Program for many of our products) from our users to see how they are using the product and how we can make the products better.

Goals of the new Windows Explorer

We set out to accomplish three main goals with this new version of Explorer.

  1. Optimize Explorer for file management tasks. Return Explorer to its roots as an efficient file manager and expose some hidden gems, those file management commands already in Explorer that many customers might not even know exist.
  2. Create a streamlined command experience. Put the most used commands in the most prominent parts of the UI so they are easy to find, in places that make sense and are reliable. Organize the commands in predictable places and logical groupings according to context, and present relevant information right where you need it.
  3. Respect Explorer’s heritage. Maintain the power and richness of Explorer and bring back the most relevant and requested features from the Windows XP era when the current architecture and security model of Windows permits.

Read more at Improvements in Windows Explorer

Posted in Windows 8 | Leave a comment

Using Your Distribution Points for FEP Definitions with the Software Update Automation Tool – Forefront Endpoint Protection 2010 Update Rollup 1

In my previous post on using your distribution points for Forefront Endpoint Protection (FEP) 2010 definition files, we had to leverage a vbscript in order to automate the download of the definition files from Microsoft via a scheduled task and then create a package that updated automatically on schedule and have a recurring advertisement. We also had to create some additional DCM configuration items and collections. This whole thing became a pretty tedious process to setup, but in the end it worked and the clients could get the definitions from their local DPs instead of the Software Update Point, WSUS server, UNC Share, or Microsoft Update. FEP 2010 Update Rollup 1 makes the process of getting the defs from your DPs a whole lot easier!

Downloading FEP 2010 Update Rollup 1

When you download FEP 2010 Update Rollup 1, you will have the option of x86 and x64 versions, as well as a hotfix, KB2554364, which is a reporting fix that must be installed prior to installing Rollup 1. The reporting fix needs to be installed on your Reporting server. Once you have downloaded FEP 2010 Update Rollup 1 and KB2554364 for the architecture types in your environment (32 or 64 bit), you also need to download the FEP 2010 Update Rollup 1 Tools. It’s not required to download all of the tools, but for the purposes of this post, the tool that you want to download is fepsuasetup.cab, which is the Definition Update Automation Tool.

In summary, download the following:

  1. FEP 2010 Update Rollup 1 (KB2551095) for each architecture type in your environment
  2. The KB2554364 reporting hotfix for each architecture type in your environment
  3. fepsuasetup.cab from the FEP 2010 Update Rollup 1 Tools

Installing FEP 2010 Update Rollup 1 on Infrastructure Servers

Installing FEP 2010 Update Rollup 1 is simple, but can be slightly confusing at first.

  1. Install FEP2010-Update-KB2554364-xxx-yyy.exe on the server you installed FEP Reporting to (where xxx is the architecture type and yyy is the language; e.g. FEP2010-Update-KB2554364-x64-enu.exe )
  2. Run FEP2010-Update Rollup-KB2551095-xxx-yyy.exe (this will extract into three folders: FepExt, FepReport, FepUx)
    1. FepExt is the FEP Extension for Configuration Manager. This needs to be applied on your SCCM Site Server(s).
    2. FepReport is for FEP Reporting and needs to be installed on the server you installed FEP Reporting to.
    3. FepUx is the FEP Console Extension and will need to be installed on all SCCM Consoles that plan on managing FEP.

Once you have installed the three components, you have completed the server installation of FEP 2010.

Installing FEP 2010 Update Rollup 1 on Clients

FEP 2010 Update Rollup 1 has a client upgrade as well. By default it modifies the files in the FEP – Deployment package that it created with the initial install. Basically, there’s a new FEPInstall.exe file.

Using the “Old” Advertisement to Upgrade Your Clients

Prior to installing FEP 2010 Update Rollup 1, you likely made an advertisement to target machines to install the FEP client. If you would like to use that same advertisement, you will need to modify the program rerun behavior to Always Rerun Program.

Using a New Advertisement to Upgrade Your Clients

Chances are you will want to use a new advertisement to upgrade your clients. I will assume that you know how to create an advertisement for your environment; what I would like to point out is a potential collection you can target. FEP creates a collection called Out of Date, which is under FEP Collections – Deployment Status. This collection leverages a custom SQL query created by FEP that identifies machines that have an old version of the FEP client. You can target this collection with the new FEP 2010 Update Rollup 1 client package to upgrade your clients, but be forewarned that this collection doesn’t distinguish between workstations and servers, so you may want to create other collections that are limited to the Out of Date collection if you want to manage your FEP client rollout more carefully.

Configuring a Deployment Package and Deployment for FEP Definitions

In order for the software update automation tool to work, you will need a deployment and package to leverage. But before that, you’ll need to make sure you are syncing the FEP 2010 Definitions.

Syncing the FEP 2010 Definition Files

  1. On the site server that is the top-most Software Update Point (the one that syncs with Microsoft Update), expand Site Database – Site Management – <Site Code> – Site Settings – Component Configuration
  2. In the middle pane, double-click Software Update Point Component
  3. In the Classifications tab select Definition Updates
  4. In the Products tab select Forefront Endpoint Protection 2010 (note: if this is your first time syncing with Microsoft update, you may not see Forefront Endpoint Protection in this list. After the first sync you should see a lot of additional products in this list)
  5. In the Sync schedule tab select Custom schedule and click the Customize… button
  6. For the Recurrence Pattern select Custom interval and for Recur every select 1-8 hours (set this at an interval you are comfortable with. The definitions come out three times a day, so at most set this to 8 hours, but if you are comfortable doing it more frequently, then hourly is probably fine)
  7. Click OK
  8. Click OK at the Software Update Point Component Properties dialog window

If you had to do the above steps to get the FEP 2010 Definitions to sync, you probably don’t want to wait for the scheduled sync time, so to kick off a manual sync, do the following:

  1. Expand Site Database – Computer Management – Software Updates – Update Repository
  2. Right Click on Update Repository
  3. Select Run Synchronization
  4. Open <ConfigMgr Install Dir>\logs\wsyncmgr.log to watch the synchronization progress

After you have synced the catalog, you should be able to create a package.

Creating the Deployment Package

  1. In the ConfigMgr console expand Site Database – Computer Management – Software Updates – Update Repository – Definition Updates – Microsoft – Forefront Endpoint Protection 2010
  2. In the Forefront Endpoint Protection 2010 pane in the middle, select the latest definition file in the list (you may have more than one file in here)
  3. Right Click the update you have selected and click Download Software Updates
  4. Alternatively, you could also select Update List which will allow you to add the definition file to an update list AND download the definition to a package. It’s up to you, however in this example I will not be making an update list and will just download to a package.
  5. In the Download Updates Wizard select Create a new deployment package
  6. In the Name field, type an appropriate name
  7. In the Description field, type an appropriate description
  8. For the package source, create a shared location for the definition files to be downloaded to
  9. Click Next
  10. Click Browse in the Distribution Points wizard and select the DPs you would like to send the package to
  11. Click Next
  12. Click Next at the Data Access step
  13. Click Next at the Distribution Settings step
  14. Click Next at the Download Location step (unless you have downloaded the defs manually to a location on the local network)
  15. Select the languages you would like the updates in at the Language selection step and click Next
  16. Click Next at the Summary step
  17. The updates will download, click Close when finished

If all went well, you should now have a package flowing to the DPs you have selected. You can look at the package status node for the package, or you can watch the distmgr.log on each of the servers if you are so inclined. The next step is to create your deployment.

Creating the Deployment

So just like your package, the deployment will also just have “one” update in it (as you’ll find over time the package and deployment will grow to have many updates, but initially we will just select one update).

  1. In the ConfigMgr console expand Site Database – Computer Management – Software Updates – Update Repository – Definition Updates – Microsoft – Forefront Endpoint Protection 2010
  2. In the Forefront Endpoint Protection 2010 pane in the middle, select the latest definition file in the list (you may have more than one file in here)
  3. Right Click the update you have selected and click Download Software Updates
  4. In the name field, enter FEPDefs (you can name this something different, however I like to keep the package and deployment the same name, and with the Software Update Automation Tool, this will make things easier later, especially if the name of the package and deployment do not have spaces in the name)
  5. Click Next in the General step
  6. Click Next in the Deployment Template step
  7. In the Collection step, use a collection that makes sense for your environment. I would use a test collection here. Click Next
  8. In the Display/Time settings step, I prefer to select Suppress display notifications on clients, and Client Local Time. Leave the duration at the default of 2 weeks and click Next
  9. In the Restart Settings step, check the Servers and Workstations boxes to suppress restarts. Definitions should NEVER cause a reboot, but I do this just to be safe. Click Next
  10. Click Next in the Event Generation step
  11. In the Download Settings step, I prefer to have clients that are in slow boundaries to download software updates from a distribution point and install. I also prefer to keep the Download software updates from unprotected distribution point and install option selected. Click Next.
  12. In the Create Template step, if you would like to save the template, create a template name, otherwise uncheck the Save deployment properties as a template option and click Next.
  13. In the Deployment Schedule step, keep As soon as possible selected and set the deadline to something appropriate (I prefer to set my deadline a few minutes ahead of the current time so my clients start to install definitions right away). You can also opt to Enable Wake on LAN and Ignore maintenance windows and install immediately. I would select the latter, since definitions are constantly being sent out and most customers only open maintenance windows once a month; however, some have a nightly window, so treat this option as something that depends on your environment. Click Next.
  14. At the Summary step click Next
  15. Click Close when finished

If all went well, you should now have a deployment targeting a test collection. During this time, the package should have completed being copied to all the DPs as well. It’s a good idea to validate that the package is on all the DPs at this point. What we have basically done up to this point is created a package and a deployment for a single definition file. Over time, the definitions will obviously be out of date if we don’t update the package and deployment. This is where the Software Update Automation Tool will come into play. This will run a scheduled task which triggers an exe to run and update both the package and deployment for FEP AND it will cause the content to be updated on the DPs.

Configuring the Software Update Automation Tool

This step requires creating a scheduled task. I will do the steps from a Windows 2008 R2 standpoint; for 2003, the steps will be different.

  1. Extract the SoftwareUpdateAutomation.exe file from the fepsuasetup.cab to <ConfigMgr Installation Folder>\AdminUI\bin
  2. Open Task Scheduler (on Windows 2008 or 2008 R2 just go to Start and in the Search Field type in Task Scheduler)
  3. In the Task Scheduler window, right click Task Scheduler Library and select Create Task
  4. In the Create Task window, type in an appropriate name for the task
  5. Under Security options in the General tab, click Change User or Group…
  6. In the Select User or Group window, under Enter the object name to select type in System and click OK
  7. Click the Triggers tab
  8. Click New…
  9. Under Settings, select One time, and under Advanced settings select Repeat task every: 1 hour, for a duration of: Indefinitely, and click OK
  10. Click the Actions tab
  11. Click New
  12. For Action select Start a program
  13. Under Settings for the Program/script enter <ConfigMgr Install Dir>\AdminUI\bin\SoftwareUpdateAutomation.exe
  14. For Add arguments (optional) use /AssignmentName <deployment name> /PackageName <deployment package> /RefreshDP /UpdateFilter "articleid=2461484 AND IsSuperseded=0 AND IsEnabled=1 AND IsExpired=0" (replace <deployment name> and <deployment package> with the names of the deployment and package, for example: /AssignmentName FEPDefs /PackageName FEPDefs /RefreshDP /UpdateFilter "articleid=2461484 AND IsSuperseded=0 AND IsEnabled=1 AND IsExpired=0") and click OK.
  15. Click OK to close and save the Scheduled Task
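
The same task, registered through the Task Scheduler COM interface instead of by clicking through the GUI, as an added example that is not part of the original post. Setting the action’s program and arguments as separate properties avoids the nested-quote escaping problems you get when passing the /UpdateFilter string through schtasks.exe /TR. The ConfigMgr installation folder and the task name are assumptions; the deployment and package names and the /UpdateFilter string are the ones from step 14.

```powershell
# Added example, not from the original post: register the hourly SYSTEM task
# from steps 1-15 via the Schedule.Service COM API (available on Windows 2008 R2).
$cmInstallDir = 'C:\Program Files (x86)\Microsoft Configuration Manager'  # assumption: your <ConfigMgr Install Dir>
$taskName     = 'FEP Definition Update Automation'                         # assumption: any task name works
$exe          = Join-Path $cmInstallDir 'AdminUI\bin\SoftwareUpdateAutomation.exe'

# Values from step 14 of the post
$assignment = 'FEPDefs'
$package    = 'FEPDefs'
$filter     = 'articleid=2461484 AND IsSuperseded=0 AND IsEnabled=1 AND IsExpired=0'

if (-not (Test-Path -Path $exe)) {
    throw "$exe not found; extract SoftwareUpdateAutomation.exe from fepsuasetup.cab first (step 1)"
}

$service = New-Object -ComObject 'Schedule.Service'
$service.Connect()
$task = $service.NewTask(0)
$task.RegistrationInfo.Description = 'Updates the FEP definition package and deployment every hour'

# General tab: run as SYSTEM (steps 5-6)
$task.Principal.UserId    = 'SYSTEM'
$task.Principal.LogonType = 5                  # TASK_LOGON_SERVICE_ACCOUNT

# Triggers tab: One time, starting now, repeat every 1 hour (step 9).
# Repetition.Duration is left unset, which means "Indefinitely".
$trigger = $task.Triggers.Create(1)            # TASK_TRIGGER_TIME
$trigger.StartBoundary       = Get-Date -Format s   # sortable ISO 8601, e.g. 2011-09-01T12:00:00
$trigger.Repetition.Interval = 'PT1H'          # ISO 8601 duration: 1 hour

# Actions tab: Start a program (steps 12-14). Path and arguments are separate
# properties, so the quotes around the /UpdateFilter value need no escaping.
$action = $task.Actions.Create(0)              # TASK_ACTION_EXEC
$action.Path      = $exe
$action.Arguments = "/AssignmentName $assignment /PackageName $package /RefreshDP /UpdateFilter `"$filter`""

$task.Settings.StartWhenAvailable = $true      # catch up if the server was down at a scheduled run

# Create or update the task in the root folder (step 15)
$folder = $service.GetFolder('\')
$folder.RegisterTaskDefinition($taskName, $task, 6, 'SYSTEM', $null, 5) | Out-Null   # 6 = TASK_CREATE_OR_UPDATE, 5 = service account logon

# Show the registered command line, then start the first run so the package updates right away
$registered = $folder.GetTask($taskName)
Write-Host ("Registered: {0} {1}" -f $registered.Definition.Actions.Item(1).Path, $registered.Definition.Actions.Item(1).Arguments)
$registered.Run($null) | Out-Null
```

After the first run, check Task Scheduler’s History tab (or the task’s last run result) and the package’s status in the ConfigMgr console to confirm that SoftwareUpdateAutomation.exe updated the package and deployment and refreshed the DPs.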

Updating Your Policies for Clients to Download the Definitions from Configuration Manager

With update rollup 1 installed, you’ll notice in your policies that a slight change has been made to the updates tab.

With Update Rollup 1 we can specify Configuration Manager as the primary source for definition updates, and also choose to check alternative sources if the definitions on the client computer are older than a specific number of days. The options that we had with FEP 2010 RTM are now classified as alternative sources, so make sure that you update your policies to use Configuration Manager as the primary source for definition updates.

At this point you should have a scheduled task that runs every hour and updates your package and deployment. When your client computers download policy, they will start to install the latest FEP definition files silently from their distribution points. If you have any questions about the setup of this method, please submit a comment and I’ll try to answer when I can.

Posted in Forefront Endpoint Protection | 19 Comments

Have ConfigMgr Client Health Problems? Check out the ConfigMgr Client Health and Remediation Services Offering!

Normally I don’t try and sell things on my blog here, however there’s a new service offering that I think many that come across this blog will be highly interested in. I know when I worked as a customer before coming to Microsoft I had to deal with Client Health issues (Client health was actually my full time job for nearly a year) and I would have loved a service like this.

Sometime in September, the ConfigMgr Client Health and Remediation Service offered by the Premier Field Engineering (PFE) group (the group I am a part of at Microsoft) will be made available to all Premier customers. This offering will have an engineer come on site and install our client health solution and offer training on how to utilize it. We will then set up a separate engagement a couple of weeks later to work on remediation (this will allow time for the clients to report back their health state).

If you’ve ever had a CMRAP done on your environment, this is an excellent complement to that offering as the RAP will look at the risk and health of the server environment, however it won’t go into detail about the health of your clients. There’s no requirement that a RAP be done on your environment to leverage our Client Health and Remediation Service, however to get a good idea how things are going, doing both is highly recommended.

If you’re interested in having a Microsoft PFE come on site to look at the health of your SCCM clients, please leave a comment on this post, or send me an email at richbal a.t. Microsoft.com. You can also work with your Technical Account Manager (TAM), however since this offering is relatively new, they may or may not be aware of it.

For more information on the offering, please see Chris Sugdinis’ blog post.

Posted in sccm | Leave a comment