Deploying the new chromium based edge via SCCM

New Edge, Credge, Edgium or Credgium – no matter what you call it, the Edge browser based on chromium was released on Jan 15th 2020.

To deploy the new versions using SCCM 1910 (or above):

  • Add “Microsoft Edge” as a product to be synced in your software update point component properties
    • Somewhat confusingly, the product is under the sub-category of “Windows”

  • Then navigate to Software Library > Microsoft Edge Management | All Microsoft Edge Updates

  • Right click and select “Synchronise software updates”
  • You can follow the progress of this process by checking wsyncmgr.log – the same log you use to follow all software update syncs
  • At this stage you can wait for anywhere from 5 minutes (for an environment that has synced relatively recently) to hours (if this is your first sync)
  • Once completed, you can refresh by hitting F5 – and you should see some content updates for Edge in the right-hand pane
  • Now right-click on the top node “Microsoft Edge Management” (yes, this is not intuitive) and select “Create Microsoft Edge application”
    • Select a name and a source directory to be used
    • Select a channel, or the specific version that you wish to deploy. If you’re not sure here, use “stable” and “latest”
    • Deploy to a collection, select your DPs etc – all pretty standard stuff here
  • You’ll notice that an application is created for you under the “Applications” node – this is different to other software updates, which are created as Software Update Groups (SUGs)
  • Personally, I’d prefer to see it all managed under the one node. However, it’s still a good feature overall, as it simplifies deployment of Edge greatly but still lets the admin go and edit the properties of the deployment for the inevitable situation where the Microsoft pre-defined install doesn’t meet your org’s needs


Once completed, as per any deployment – monitor your deployment via the “deployments” area in the monitoring tab.

SCEP updates fail on Windows 7 and 2008R2 clients where they are not patched

Ok, so, before the flood of hate comes my way:

  1. Yes, it’s 2020, you should not be running Server 2008 R2 or Windows 7…… but the (unfortunate) reality is that many places still are
  2. Even if you are running them, they should be fully patched! “Patches break applications”…. mostly bullshit…. it does happen… but it happens much much much less than some admins claim.

Anyway, for those of you out there that have Windows 7 or 2008R2 SCCM clients that are, for whatever reason, unpatched, you may have also noticed that SCEP updates stopped working on them around October 21st 2019.

That’s because of this – https://www.microsoft.com/en-us/wdsi/defenderupdates

specifically the lines

Note: Starting on Monday October 21, 2019, the Security intelligence update packages will be SHA2 signed.
Please make sure you have the necessary update installed to support SHA2 signing, see 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.

If you try to install SCEP updates, you will get an entry in the System event log similar to this:

Microsoft Antimalware has encountered an error trying to update signatures.
New Signature Version: 1.307.1945.0
Previous Signature Version:
Update Source: User
Update Stage: Install
Source Path:
Signature Type: AntiSpyware
Update Type: Full
User: Domain\User
Current Engine Version: 1.1.16600.7
Previous Engine Version:
Error code: 0x800b0109
Error description: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.


As this link – https://support.microsoft.com/en-us/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus – specifies, you must install

  1. KB4474419
  2. KB4490628

Once these updates are installed (and rebooted, of course), SCEP updates will then install.
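As an added example (not from the original post), the following PowerShell checks a Windows 7 / Server 2008 R2 SCCM client for the two SHA-2 prerequisites and pulls any 0x800b0109 signature-update failures out of the System log so you can confirm this is the cause before chasing anything else. It assumes PowerShell 3.0 or later on the client and that the SCEP events are written under the provider name “Microsoft Antimalware” (the source of the event text quoted above).

```powershell
# Added example, not from the original post: check SHA-2 prerequisites and look for the
# SCEP signature-update failure (0x800b0109) on a Windows 7 / Server 2008 R2 client.
# Requires PowerShell 3.0+ ([pscustomobject] syntax).

function Test-Sha2Prerequisites {
    # The two updates the post (and Microsoft KB4472027) say must be installed.
    $required  = 'KB4474419', 'KB4490628'
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $required) {
        [pscustomobject]@{ KB = $kb; Installed = ($installed -contains $kb) }
    }
}

function Get-ScepSha2Failures {
    param([int] $MaxEvents = 500)
    # Provider name 'Microsoft Antimalware' is an assumption based on the event text in the post.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft Antimalware' } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '0x800b0109' } |
        ForEach-Object {
            # Pull the signature version that failed to install out of the message body.
            $sig = if ($_.Message -match 'New Signature Version:\s*(\S+)') { $Matches[1] } else { $null }
            [pscustomobject]@{ Time = $_.TimeCreated; EventId = $_.Id; NewSignature = $sig }
        }
}

$prereqs = Test-Sha2Prerequisites
$prereqs | Format-Table -AutoSize
if ($prereqs.Installed -contains $false) {
    Write-Warning 'SHA-2 support is missing: SCEP definition updates will keep failing until both KBs are installed and the client is rebooted.'
}
Get-ScepSha2Failures | Format-Table -AutoSize
```

Run it on the affected client; an empty failure list together with both KBs installed means the SHA-2 requirement is satisfied and any remaining SCEP update problem lies elsewhere.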

Finding the right SQL view for your SCCM report

One of the banes of many SCCM admins’ existence is reporting. Some SCCM people are SQL guns; others, like me, know what they need to get by, but a strong SQL understanding – that just isn’t me (and I know I’m not alone!).

One of the key things with SCCM reports, and something that some consultancies we deal with ignore, is the requirement to use views for your reports rather than querying the tables directly.

The official SCCM doco dances around this and doesn’t explicitly state it (even though it references views constantly, it does not specifically state that using tables is unsupported – and it should):

https://docs.microsoft.com/en-us/sccm/core/servers/manage/creating-custom-report-models-in-sql-server-reporting-services

https://docs.microsoft.com/en-us/sccm/develop/core/understand/sqlviews/sql-server-views-configuration-manager


These Enhansoft posts lay it out far better:

https://www.enhansoft.com/what-are-the-supported-sql-server-views-to-use-with-sccm-reporting/

https://www.enhansoft.com/why-is-it-important-to-use-supported-sql-server-views-with-sccm-reporting/


The TL;DR version of the Enhansoft articles is:

  • The SCCM reporting services account is specified during setup and is granted access to all the views – but not the tables etc
  • The 2nd Enhansoft article lays out why views are utilised instead of tables – and the associated benefits
  • You can grant datareader access to accounts over the SCCM database to get around this – but it’s officially (MS) unsupported, and can cause a range of issues (again, laid out in the 2nd article)
    • There are people out on the web that recommend just allocating permissions – even some MVPs – which doesn’t help
  • My recommendation is to remain in “supported” territory and update the report to use views rather than tables directly (knowing full well that we have all referenced tables directly at some point in our careers!)


A couple of things I have found handy with this are:

When you know the table you wish to reference, but aren’t sure which views you can use (and you want to do the right thing and use a view), search the view definitions for the table name (repeat the OR clause for each additional table you want to check):

SELECT * FROM INFORMATION_SCHEMA.VIEWS WHERE VIEW_DEFINITION LIKE '%tablename%' OR VIEW_DEFINITION LIKE '%othertable%'
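An added example (not from the original post or the Enhansoft articles) that does the same lookup from PowerShell, which is where most SCCM admins end up anyway: it asks the site database which views reference a given table, using sys.sql_expression_dependencies instead of INFORMATION_SCHEMA.VIEWS because VIEW_DEFINITION there is truncated at 4000 characters and can miss references in long views. It assumes the SqlServer module (Invoke-Sqlcmd) is installed, that the account running it has read access to the site database, and that the server and database names below are placeholders you replace.

```powershell
# Added example, not from the original post: list the views that reference a given SCCM table,
# so a report can be rewritten against supported views rather than the table itself.
# Assumes the SqlServer module (Invoke-Sqlcmd); server and database names are placeholders.

function Find-CMViewsForTable {
    param(
        [Parameter(Mandatory)] [string] $TableName,
        [string] $ServerInstance = 'SCCMSQL01',   # placeholder: your site database server
        [string] $Database       = 'CM_P01'       # placeholder: your site database
    )

    # The table name is spliced into the query as a sqlcmd variable, so only allow
    # plain object-name characters rather than trusting arbitrary input.
    if ($TableName -notmatch '^[A-Za-z0-9_]+$') {
        throw "Table name '$TableName' contains characters that are not allowed."
    }

    # sys.sql_expression_dependencies records every object a view's definition references,
    # and is not subject to the 4000-character truncation of INFORMATION_SCHEMA.VIEWS.VIEW_DEFINITION.
    # The WHERE clause can be extended with "AND v.name LIKE 'v[_]%'" to keep only the v_* reporting views.
    $query = @"
SELECT DISTINCT OBJECT_SCHEMA_NAME(v.object_id) AS SchemaName, v.name AS ViewName
FROM sys.views AS v
JOIN sys.sql_expression_dependencies AS d ON d.referencing_id = v.object_id
WHERE d.referenced_entity_name = N'$(TableName)'
ORDER BY v.name;
"@

    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database `
                  -Query $query -Variable "TableName=$TableName"
}

# Usage: replace 'tablename' with the table your report currently queries directly.
Find-CMViewsForTable -TableName 'tablename' | Format-Table -AutoSize
```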


When you can’t find what you’re looking for in the database:

https://www.apexsql.com/sql-tools-search.aspx


SCCM 1906 release

SCCM 1906 released! – https://docs.microsoft.com/en-us/sccm/core/plan-design/changes/whats-new-in-version-1906

If you want it right now – you can opt-in via the fast ring script – https://go.microsoft.com/fwlink/?linkid=2099733

Another belting release from the SCCM team – while some releases have different focuses over time – generally releases have tended to have something which makes day-to-day admin life a bit easier for someone…. and sometimes, big things, such as passive site servers, that just structurally make the product substantially better.

Anyway – out of this release come a couple of items that I think are particularly of note to me (others may be interested in different parts, depending on your setup):

  • Site maintenance UI is friendlier
  • Use your distribution point as an in-network cache server for Delivery Optimization
  • Support for Windows Virtual Desktop
  • OneTrace – a preview of a tool which could be dubbed the next-gen of CMTrace…
  • Improvements to co-management auto-enrollment
  • Retry the install of pre-approved applications
  • Task sequence debugger – not there yet – but great that it’s being thought about – I can see this being exceedingly handy as it matures
  • The Disable BitLocker task sequence step has a new restart counter
  • Additional options for WSUS maintenance – these are brilliant. Hopefully this release will also fix bug id 4808740 – I haven’t been able to test this as yet.
  • New Windows 10, version 1903 and later product category – this enables admins everywhere to further reduce the number of updates stored by WSUS – which leads to improvements with server and client performance
  • Role-based access for folders – finally!
  • Administration service support for security nodes – this is potentially a big change – keen to test this out in a bigger environment
  • Collections tab in devices node – gradually chipping away at right click tools functionality
  • Multiselect and delete packages – finally!


Importing AD powershell module into Windows PE and then using encrypted creds

PowerShell makes life much easier than VBScript…. however it does have its downsides… the signing policy can sometimes be a bit of a pain, and the modules you need have to be available…. which is an issue in particular for Windows PE.

Mick (good Aussie name there) was nice enough to write a blog on how to import the Active Directory PowerShell module into PE without having to add it statically to the boot WIM – http://mickitblog.blogspot.com.au/2016/04/import-active-directory-module-into.html

I was a little lazy here and copied both the x86 and x64 required directories via robocopy rather than determining the architecture via PowerShell like Mick did.

The next step, however, is the more important one…. a task sequence doesn’t allow us to run a PowerShell command in PE with credentials, so we need a secure way of supplying them to the command. In my case, I want to delete a computer object….

Step 1 – Generate a key file (perform on any full OS)

# Where to store the key file (the same share the TS package is built from)
$KeyFile = '\\sccm\PSource$\OSD.DeleteComputer\DeleteComputer.key'

# 16 random bytes = a 128-bit AES key for ConvertFrom-SecureString
$Key = New-Object Byte[] 16
[Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($Key)

# Out-File writes one decimal byte value per line; Get-Content reads them back in Step 2 and 3
$Key | Out-File $KeyFile


Step 2 – Encrypt a password using the key

$PasswordFile = '\\sccm\PSource$\OSD.DeleteComputer\DeleteComputer.txt'
$KeyFile = '\\sccm\PSource$\OSD.DeleteComputer\DeleteComputer.key'

# Read the key generated in Step 1
$Key = Get-Content $KeyFile

# Encrypt the password with that key (rather than DPAPI, so it can be decrypted on another machine)
$Password = 'Your password here' | ConvertTo-SecureString -AsPlainText -Force
$Password | ConvertFrom-SecureString -Key $Key | Out-File $PasswordFile


Step 3 – Create your script utilising the creds – (Below is the one I use to delete a computer object)

Import-Module ActiveDirectory

# SCCM task sequence environment object
$tsenv = New-Object -COMObject Microsoft.SMS.TSEnvironment

# SCCM task sequence variables
$CompName = $tsenv.Value('_SMSTSMachineName')

# Get the script's own folder in order to find the key and encrypted password files
$MyDir = [System.IO.Path]::GetDirectoryName($MyInvocation.MyCommand.Definition)
$User = 'Domain\Account'
$PasswordFile = "$MyDir\DeleteComputer.txt"
$KeyFile = "$MyDir\DeleteComputer.key"
$Key = Get-Content $KeyFile

# Decrypt the password with the key from Step 1 and build the credential object
$SecurePassword = Get-Content $PasswordFile | ConvertTo-SecureString -Key $Key
$MyCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, $SecurePassword

# Remove the computer from AD (specify a domain controller reachable from WinPE)
Remove-ADComputer -Identity $CompName -Server <DC name required> -Credential $MyCredential -Confirm:$false

Now before you say it…. yes, this is not very secure. Because the key file sits right next to the encrypted password, it will stop a random snooper type person from seeing a plain text password…. but it will not stop someone who has half an idea about pressing F8 to get into the running TS (if you have command support enabled) and then grabbing the key and txt files, which together give them the password…. so use (or don’t use) appropriately for your environment.

UEV now included in Windows 10 1607 (and above)

User Experience Virtualization (UEV) used to be part of the MDOP packs…. however MDOP’s last update was in 2015…. leaving some of us wondering what was happening to the awesome tools contained within.

Given Microsoft’s recent desire to destroy anything and everything that isn’t cloud – regardless of its ability to fill gaps that cloud services don’t currently serve well, or its ability to facilitate migration to cloud – it seemed likely that these tools were dead.

Fortunately for UEV, it’s now included in Windows 10 Enterprise as a default service, for versions 1607 and 1703 (and we may be able to assume future releases as well). Some details on the release are here – https://docs.microsoft.com/en-us/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows

Unfortunately, in standard Microsoft fashion, the documentation is not good.

The UEV documentation is located here – https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/uev-v2/deploy-required-features-for-ue-v-2x-new-uevv2

However, there are a few quite important things that anyone deploying this should be aware of:

  • Even though it isn’t stated anywhere in the doco, and seems quite counter-intuitive based on what’s presented in the GPO settings, the default Microsoft-included templates do not automatically register on clients. These can be copied to your custom templates path, or you can register them with PowerShell on each machine as per http://ccmexec.com/2017/02/synchronizing-ie-favorites-with-ue-v-in-windows-1607/
  • The UEV template generator is part of the ADK (1607 or 1703) – however, it does not show up if you try and run the ADK installer on Windows 8.1 or Server 2012 R2. I haven’t tried on Windows 10 versions below 1607 or 1703 – but it will show/be installable on those versions.
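As an added example (not from the original post or the ccmexec.com article), this PowerShell registers the Microsoft inbox UE-V templates on a client, since they are not registered automatically. It assumes the UEV PowerShell module that ships with Windows 10 Enterprise 1607+ and assumes the inbox templates live in C:\ProgramData\Microsoft\UEV\InboxTemplates; the $Wanted list is a placeholder you fill from that folder if you only want a subset.

```powershell
# Added example, not from the original post: register the inbox UE-V templates that Windows 10
# Enterprise 1607+ ships but does not register by itself. Run elevated on each client
# (for example as an SCCM package/program or a compliance remediation script).

$InboxPath = 'C:\ProgramData\Microsoft\UEV\InboxTemplates'   # assumed default inbox template location

if (-not (Test-Path -LiteralPath $InboxPath)) {
    throw "Inbox template folder not found: $InboxPath (is this Windows 10 Enterprise 1607 or later with UE-V enabled?)"
}

# Leave empty to register every inbox template, or list the template file names you actually want
# (check the folder for the real names; nothing is assumed here).
$Wanted = @()

$results = foreach ($xml in Get-ChildItem -LiteralPath $InboxPath -Filter '*.xml' -File) {
    if ($Wanted.Count -gt 0 -and $Wanted -notcontains $xml.Name) { continue }
    try {
        # Register-UevTemplate is idempotent enough to re-run; an already-registered template
        # is simply re-registered from the same file.
        Register-UevTemplate -Path $xml.FullName -ErrorAction Stop
        [pscustomobject]@{ Template = $xml.Name; Status = 'Registered' }
    }
    catch {
        [pscustomobject]@{ Template = $xml.Name; Status = "Failed: $($_.Exception.Message)" }
    }
}

$results | Format-Table -AutoSize

# Confirm what is now registered on this machine
Get-UevTemplate | Format-Table -AutoSize
```

Any template that reports Failed here is the one to look at in the UE-V event log before rolling the script out more widely.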

Upgrading Hyper-V integration components via SCCM

Keeping Hyper-V integration components up to date on all your Hyper-V guests has a few options, PowerShell and SCO being the common ones…. but I’m one of those whacky people that likes to keep deployment tasks within my deployment tool – SCCM.

Unfortunately, the integration services version doesn’t seem to be exposed via the properties SCCM collects by default, such as hardware inventory (which includes add/remove programs).

Due to this, we have to use software inventory.

To this end, I enable software inventory for C:\Windows\System32\drivers\vmbus.sys

The version of this, once reported, isn’t quite clean. Instead of 6.3.9600.18398, we get “6.3.9600.18398 (winblue_ltsb.160625-0600)”, so this is what needs to be used in your collection queries in order to have anything show up in your collections.

The resulting query ends up like this:

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
inner join SMS_G_System_SoftwareFile on SMS_G_System_SoftwareFile.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_SoftwareFile.FileName = "vmbus.sys"
and SMS_G_System_SoftwareFile.FileVersion = "6.3.9600.18398 (winblue_ltsb.160625-0600)"

SCCM 2012+ – Bug when building query using values selector for Software files – File modified date

This is a fairly uncommon thing…. but, it’s still there.

When using SCCM, sometimes it’s necessary to use software inventory and the “Software Files” class to determine the versions of software in your environment.

Normally, we would use Software Files – File Name and Software Files – File Version, and that would be enough.

We have one client who has some software developed by a particularly shitty vendor, who releases different software versions with the same version number, so we needed to look for the exe and the version, but also the Software Files – File Modified Date.

When selecting the file modified date, like most reasonable people, you would select the “Values” button and select the correct entry – or base your entry on that format… unfortunately, in this case, the entry values shown in the values dialogue box are not the same as the ones in the database.

[Screenshot: the values box in SCCM]

[Screenshot: the view data in SQL]

Notice the different values.

If I select a value, or use the format from the values box, I get a collection with 0 members, as nothing matches that criteria.

[Screenshot: collection query using the values-box format, 0 members]

If, however, I enter the value in the correct format from the database, we are all good.

[Screenshot: collection query using the database format, members returned]


Anyhoo – I realise this is an unusual situation…. most developers realise that incrementing version numbers is a good thing. Still, there’s a small chance this might help someone out there.