SCCM (English)

Update Rollup for Configuration Manager Current Branch 1710 is now available

The Official Configuration Manager Support Team Blog -

An update rollup for System Center Configuration Manager current branch, version 1710, is now available. This update is available for installation in the Updates and Servicing node of the Configuration Manager console. Please note that if the Service Connection Point is in offline mode, you must re-import the update so that it is listed in the Configuration Manager console. Refer to the Install in-console Updates for System Center Configuration Manager topic for details.

For complete details regarding the update rollup for ConfigMgr current branch v1710, including the list of issues that are fixed, please see the following:

KB 4057517: Update rollup for System Center Configuration Manager current branch, version 1710 (https://support.microsoft.com/help/4057517)

ConfigMgr Current Branch – Software Update Delivery Video Tutorial

The Official Configuration Manager Support Team Blog -

The release of Windows 10 brought with it a change in the way updates are released – updates are now cumulative.  Since the release of Windows 10 this same cumulative update approach has been adopted for the remainder of supported operating systems.  While this approach has significant advantages there still remains some confusion about what it all means. 

The video linked below was prepared by Steven Rachui, a Principal Premier Field Engineer focused on manageability technologies.  In this session, Steven talks through the changes, why the decision was made to move to a cumulative approach to updating, how this new model affects software updating, how the cumulative approach is applied similarly and differently between versions of supported operating systems and more.

Next in the series, Steven will discuss Windows Update for Business and its integration with Configuration Manager.

Posts in this Series

Software Update Video Tutorial Series

The Official Configuration Manager Support Team Blog -

I’m pleased to announce that over the next few days, Steven Rachui, a Principal Premier Field Engineer focused on manageability technologies, will be sharing a video tutorial series here about software updates. His topics will be:

  • ConfigMgr Current Branch – Software Update Delivery
  • ConfigMgr Current Branch – Windows Update for Business
  • ConfigMgr Current Branch – Express Updates

We invite you to tune in and enjoy.  Leave us your comments if you would like to see more of these in the future.

Additional guidance to mitigate speculative execution side-channel vulnerabilities

The Official Configuration Manager Support Team Blog -

We are aware of a new publicly disclosed class of vulnerabilities that are referred to as speculative execution side-channel attacks as detailed in Microsoft Security advisory ADV180002. These vulnerabilities affect many modern processors and operating systems, including chipsets from Intel, AMD, and ARM.

This post is intended to centralize and share current guidance to help Enterprise Mobility + Security customers ensure their environments are protected against these vulnerabilities. We will continue to update as more information becomes available.

The post includes sections for the three main customer scenarios:

  • Configuration Manager – just the first section applies
  • Configuration Manager with Microsoft Intune (hybrid) – all three sections may apply
  • Microsoft Intune – just the third section applies

Configuration Manager Windows Update

If you have Windows 10 devices receiving Windows Update for Business policy, or are using co-management and the Windows Update workload is switched to Microsoft Intune, these devices will automatically get the January cumulative update on the ring definition you define.

For traditional management of Windows 10 and other affected operating systems, use the software updates management feature of Configuration Manager to deploy the January cumulative update. For example, 2018-01 Cumulative Update for Windows 10 Version 1709 for x64-based Systems (KB4056892). For more information, see Windows client support article KB 4073119. (For more information about additional actions specifically for Windows Server, see “Configuration Manager infrastructure” section below.)

Compatibility issues may exist with a small number of antivirus software products. As a result, Microsoft is only offering the Windows security updates released on January 3, 2018, to devices running antivirus software from partners who have confirmed that their software is compatible with the January 2018 Windows security update. If your devices are not detecting the security update as applicable, you may be running incompatible antivirus software, and you should consult the antivirus software vendor. For more information, see Microsoft Support article KB 4072699.

Firmware update

Check for available firmware updates from your hardware vendor. For more information about an update for Microsoft Surface, see support article KB 4073065. Download the Windows Installer package for Microsoft Surface, and deploy using a Configuration Manager application. We recommend an application versus a package for the enhanced compliance reporting capabilities.

Customers running Configuration Manager current branch version 1706 or later can manage Microsoft Surface driver updates through the software update channel.

Some customers may experience devices prompting for BitLocker key entry after updating firmware, even if not normally required. If you are using BitLocker, we recommend testing this behavior, and then consider whether to suspend BitLocker during this process. If needed, you can use a custom task sequence to order these events. For example,

  • Disable BitLocker step
  • Install Application step: reference the application for the firmware update
  • Restart Computer step

When using the Disable BitLocker step in a task sequence, protection resumes after restart.

Updates for other managed devices

For information about Apple macOS devices, see Apple support article HT208394.

Install the latest updates for Linux and UNIX. For more information, check with your specific Linux distro vendor and UNIX operating system vendor.

Verify protection on Windows devices

To verify protection against these vulnerabilities, both the software updates management and application management features have compliance reporting capabilities. Use these capabilities to determine device compliance for the January Windows update and the firmware update application.

Additionally, there is a new Windows PowerShell module, SpeculationControl, which you can use to verify protections are enabled. For more information, see the “Verifying protections are enabled” section of Microsoft Support article KB 4073119. We recommend downloading the version from the TechNet ScriptCenter as it works offline without further prerequisites. (Using the Install-Module process requires Internet access, trusting the PSGallery repository, and installing a NuGet package.)

Customers running Configuration Manager current branch version 1706 or later can use the Run Scripts feature to deploy a script and receive near real-time response from active clients. The following PowerShell code snippet is an example of what you can use to automate running the Get-SpeculationControlSettings cmdlet at scale:

# The SpeculationControl module is signed; the default 'Restricted' policy won't run it
Set-ExecutionPolicy AllSigned -Scope Process -Force

# Pull the Authenticode signature (and its signer certificate) from the module manifest
$cert = Get-AuthenticodeSignature .\SpeculationControl.psd1

# Add the signer certificate to the Trusted Publishers store so AllSigned does not prompt
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store "TrustedPublisher","LocalMachine"
$store.Open("ReadWrite")
$store.Add($cert.SignerCertificate)
$store.Close()

# Import the module and run the cmdlet
Import-Module .\SpeculationControl.psd1
Get-SpeculationControlSettings

The final cmdlet returns a list of settings and their states. While the Run Scripts feature will report this output, a script to wrap and return a single value makes for easier reporting across many devices.

For example, save the Get-SpeculationControlSettings output into a variable, then access each setting as a property:

$SpecSettings = Get-SpeculationControlSettings
If ($SpecSettings.BTIHardwarePresent) { Write-Host "BTI hardware present" }
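As an added example (not code from the original post), the following script wraps Get-SpeculationControlSettings into the kind of single-value result described above, so the Run Scripts feature gets one short string per device. It assumes SpeculationControl.psd1 is in the working directory (the offline ScriptCenter download) and uses the BTI and KVAShadow property names of the January 2018 release of the module; only BTIHardwarePresent appears in the post, the others are an assumption.

```powershell
# Added example (not from the original post): wrap Get-SpeculationControlSettings so
# the Run Scripts feature receives one short string per device instead of a settings dump.
# Assumptions: SpeculationControl.psd1 is in the working directory (offline ScriptCenter
# download), and the property names below are those of the January 2018 module release.
param([string]$ModulePath = '.\SpeculationControl.psd1')

function Get-SpeculationComplianceState {
    param([Parameter(Mandatory)] $Settings)

    # Branch Target Injection mitigation needs microcode (firmware), the Windows update,
    # and the OS support actually enabled (on Windows Server it is off until enabled).
    $btiOk = [bool]$Settings.BTIHardwarePresent -and
             [bool]$Settings.BTIWindowsSupportPresent -and
             [bool]$Settings.BTIWindowsSupportEnabled

    # Kernel VA shadowing is only required on affected CPUs; where it is not required,
    # treat it as satisfied rather than flagging the device.
    $kvaOk = (-not [bool]$Settings.KVAShadowRequired) -or
             ([bool]$Settings.KVAShadowWindowsSupportPresent -and
              [bool]$Settings.KVAShadowWindowsSupportEnabled)

    if ($btiOk -and $kvaOk) { return 'Compliant' }

    # Tell the operator which remediation is missing: the firmware update, the Windows
    # update, or the enablement step (registry keys on Windows Server).
    $reasons = @()
    if (-not $Settings.BTIHardwarePresent)           { $reasons += 'BTI-NoFirmware' }
    if (-not $Settings.BTIWindowsSupportPresent)     { $reasons += 'BTI-NoOSUpdate' }
    elseif (-not $Settings.BTIWindowsSupportEnabled) { $reasons += 'BTI-NotEnabled' }
    if ($Settings.KVAShadowRequired) {
        if (-not $Settings.KVAShadowWindowsSupportPresent)     { $reasons += 'KVA-NoOSUpdate' }
        elseif (-not $Settings.KVAShadowWindowsSupportEnabled) { $reasons += 'KVA-NotEnabled' }
    }
    return 'NonCompliant:' + ($reasons -join ',')
}

try {
    # Same trust bootstrap as the post's snippet: AllSigned, then trust the module signer
    # so the import does not prompt in a non-interactive Run Scripts session.
    Set-ExecutionPolicy AllSigned -Scope Process -Force
    $sig = Get-AuthenticodeSignature $ModulePath
    if ($sig.Status -ne 'Valid') { throw "Module signature status is $($sig.Status)" }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'TrustedPublisher','LocalMachine'
    $store.Open('ReadWrite'); $store.Add($sig.SignerCertificate); $store.Close()

    Import-Module $ModulePath -ErrorAction Stop
    $settings = Get-SpeculationControlSettings
    Write-Output (Get-SpeculationComplianceState -Settings $settings)
} catch {
    # Surface failures as a value too, so they land in the same report column.
    Write-Output ('Error:' + $_.Exception.Message)
}
```

The cmdlet still writes its own explanatory text to the host stream; the single compliance string is the script's pipeline output, which is what the Run Scripts report collects.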

We are working on providing alternative solutions for verifying protection.

Configuration Manager infrastructure

As well as deploying the Windows and firmware updates to servers, also review Microsoft Support articles KB 4072698 for Windows Server and KB 4073225 for SQL Server.

For Windows Server, there are additional actions necessary to enable protections. (For Windows clients, the protections are enabled by default. For Windows Server, the protections need to be enabled.) Based on feedback from Microsoft IT, we recommend the following order of operations to optimize the number of restarts:

  • Enable protections (see the “Enabling protections on server” section of KB 4072698)
  • Install Windows update
  • Restart
  • Install firmware update
  • Restart

(And remember to possibly disable BitLocker if in use on servers. When using the Disable BitLocker step in a task sequence, protection resumes after restart.)

KB 4073225 outlines customer guidance for SQL Server, which is a critical part of any Configuration Manager system. Currently, we recommend following the SQL guidance for Configuration Manager site database servers, except the following suggested steps which may impact Configuration Manager functionality and performance. Do not perform the steps for these two categories at this time:

  • Running SQL Server with CLR enabled (sp_configure 'clr enabled', 1)
  • Using Linked Servers (sp_addlinkedserver)

For customers that run their Configuration Manager environment in Microsoft Azure, or are using connected Azure services like the Cloud Management Gateway, see this blog post for information. 

Configuration Manager with Microsoft Intune (hybrid)

For more information about Apple iOS and macOS devices, see Apple support article HT208394.

For more information about Android devices, see Google’s blog post and support FAQ.

Microsoft Intune

Windows 10 devices will automatically get the January cumulative update on the ring definitions you define. For example, 2018-01 Cumulative Update for Windows 10 Version 1709 for x64-based Systems (KB4056892). For more information, see Windows client support article KB 4073119.

For information on classic Intune PC management, see the software update documentation.

Compatibility issues may exist with a small number of antivirus software products. As a result, Microsoft is only offering the Windows security updates released on January 3, 2018, to devices running antivirus software from partners who have confirmed that their software is compatible with the January 2018 Windows security update. If your devices are not detecting the security update as applicable, you may be running incompatible antivirus software, and you should consult the antivirus software vendor.  For more information, see Microsoft Support article KB 4072699.

For more information about Apple iOS and macOS devices, see Apple support article HT208394.

For more information about Android devices, see Google’s blog post and support FAQ.


We will continue to update this post as more information becomes available.

If you have any feedback, please use the Windows 10 Feedback Hub.


The System Center Configuration Manager Team

How to upgrade ConfigMgr to the latest version along with upgrading OS and SQL

The Official Configuration Manager Support Team Blog -

Here is a step-by-step upgrade path from System Center Configuration Manager 2012 SP2 hosted on Windows Server 2012 R2 to System Center Configuration Manager 1702 or later hosted on Windows Server 2016.

These steps can be used if you want to upgrade Configuration Manager 2012 R2, R2 SP1 or SP2 to Configuration Manager 1702, or upgrade your environment to the latest operating system and SQL Server.

I strongly recommend you read Upgrade to System Center Configuration Manager before following the upgrade path.

Important points to remember:

  • You can directly upgrade Configuration Manager 2012 R2, R2 SP1 or SP2 to 1702; no intermediate update installation is required.
  • You will need to run TestDBUpgrade before upgrading the Configuration Manager 2012 SP1 environment to Configuration Manager 1702 (if using the standalone 1702 media).
  • You will need to download Configuration Manager 1702 setup files from your volume licensing website. When you have version 1702 baseline media, you can upgrade the following to a fully licensed version of System Center Configuration Manager version 1702:
    • An evaluation install of System Center Configuration Manager version 1702
    • System Center 2012 Configuration Manager with Service Pack 1
    • System Center 2012 Configuration Manager with Service Pack 2
    • System Center 2012 R2 Configuration Manager
    • System Center 2012 R2 Configuration Manager with Service Pack 1

Let's get to it!

In this example we are running a primary site (Configuration Manager 2012 SP2) on Windows Server 2012 R2 with SQL Server 2014 hosting the Configuration Manager database on the same box. In the steps below we are:

  • Upgrading the base OS from Windows Server 2012 R2 to Windows Server 2016
  • Upgrading SQL Server 2014 R2 to SQL Server 2016
  • Upgrading Configuration Manager 2012 SP2 to Configuration Manager 1702

Base OS Upgrade

If you plan to upgrade the base OS of the Configuration Manager primary site server and upgrade SQL, then follow these steps:

Take a backup of your existing primary site database, SMS backup, source directory and SCCMContentLib (all the folders under SCCMContentLib). See https://technet.microsoft.com/en-in/library/gg712697.aspx#BKMK_SupplementalBackup

  1. Rename your current Configuration Manager primary site server and create a new machine with Windows Server 2016 installed.
  2. It should have the same name, drive letters and drive structure as your earlier site server.
  3. Install all the prerequisites for Configuration Manager. See Site and site system prerequisites for System Center Configuration Manager.

SQL upgrade

Please refer to this article for SQL upgrade:

https://docs.microsoft.com/en-us/sccm/core/plan-design/configs/support-for-sql-server-versions#upgrade-options-for-sql-server

As we are running SQL on primary site server locally, we need to install the upgraded version of SQL on this newly created server.

  1. On our previous server we were running SQL Server 2014 (Microsoft SQL Server 2014 (SP2-CU2) - 12.0.5522.0 (X64)).
  2. On the new primary site server, we installed Microsoft SQL Server 2016 Enterprise edition (Microsoft SQL Server 2016 SP1 - 13.0.4001.0 (X64)).
  3. Copied the smsbackup locally to the new server.
  4. Copy the CM_<SiteCode>.mdf and CM_<SiteCode>_log.ldf files from the smsbackup location to exactly the location on the new server where they were stored on your old primary (SQL) server. For example, if the .mdf and .ldf files on your old server are stored in <G:\MSSQL\11\Data>, they have to be stored in the same location on the new server.

SMSBackup location:

Copy to the location below (as per the previous server's database file location):

  5. Now attach the database on the new server (SQL) and then run site recovery.

Click Add, provide the location of the .mdf and .ldf files copied from the backup, and click OK.

With this we should see the Primary Site Database visible under Databases in SQL Server Management Studio.

Now we can start the site recovery process.

Primary Site Recovery

  6. Run Configuration Manager setup and recover the site using the “Manually recovered DB” option: https://technet.microsoft.com/en-us/library/gg712697.aspx#Recover

  • Please follow the link below for the recovery process.
  • General: System Center 2012 Configuration Manager R2 – Disaster Recovery for Entire Hierarchy and Standalone Primary Site recovery scenarios: http://www.microsoft.com/en-us/download/details.aspx?id=44295
  • After waiting a couple of hours, we can start the upgrade process for Configuration Manager 1702.
  • Copy the Configuration Manager 1702 media locally to the primary site server.
  • Also take a current SMSbackup of the primary site.
  • The following is a checklist of required and recommended actions to perform prior to upgrading to System Center Configuration Manager: https://docs.microsoft.com/en-us/sccm/core/servers/deploy/install/upgrade-to-configuration-manager#bkmk_checklist
  • Make sure that all the tasks are verified before we go for the upgrade.
  • Also make sure that TestDbUpgrade is successful before we go for the upgrade.

Note: We need to take a backup of the current database, restore it to a separate SQL server (non-production SQL) and run TestDbUpgrade there. The test upgrade should not be run on the production database.

  • Now we can run the Configuration Manager 1702 media to start the upgrade process: https://docs.microsoft.com/en-us/sccm/core/servers/deploy/install/upgrade-to-configuration-manager#bkmk_upgrade

NOTE: All of the above steps also apply when we have multiple sites; to upgrade multiple sites, perform the above steps from top to bottom (first upgrade the CAS, then the primary sites).

–Rajat Choubey

Support Engineer, Microsoft

Update 1710 for Configuration Manager Technical Preview released

The Official Configuration Manager Support Team Blog -

We are happy to let you know that update 1710 for the Technical Preview Branch of System Center Configuration Manager has been released. Technical Preview Branch releases give you an opportunity to try out new Configuration Manager features in a test environment before they are made generally available. For information about this month’s new preview features, please see the following two posts.

Using ConfigMgr With Windows 10 WUfB Deferral Policies

The Official Configuration Manager Support Team Blog -

Important: Configuration Manager current branch version 1706 is needed for any ConfigMgr environment using WUfB deferral policies. ConfigMgr client version 1702 will periodically delete all WUfB deferral policies, if configured. This could lead to unintended results. 

As you are probably aware, Windows 10 version 1607 introduced new Dual Scan behavior for enterprises that wanted Windows Update (WU) to be their primary update source while Windows Server Update Services (WSUS) provided all other content.  In this scenario, the WU client automatically scans against both WSUS and WU, but it only accepts scan results for Windows content from WU. Stated another way, the Dual Scan enabled client ignores anything on WSUS from the “Windows” product family. If you configure a combination of Windows Update group policies (or their MDM equivalents, or the underlying registry keys corresponding to either set of policies), then Dual Scan will be automatically enabled. These policies are:

  • Specify intranet Microsoft update service location (i.e. WSUS)

and

  • Either of the “deferral” policies belonging to Windows Update for Business
    • Select when Feature Updates are received
    • Select when Quality Updates are received

To defer updates, many enterprise customers used the configuration above prior to 1607. For them, the new Dual Scan behavior was an unwelcome change as it broke ConfigMgr software update deployments for any updates within the “Windows” product family. Demystifying “Dual Scan” provides details about Dual Scan as well as settings that enterprises can use to work around the new behavior.

The October cumulative update for 1703 includes new functionality and a new policy that allows Dual Scan to be disabled. The new policy, “Do not allow update deferral policies to cause scans against Windows Update”, when enabled, will disable Dual Scan. This allows enterprises that wish to configure deferral policies, the ability to do so without being concerned that Dual Scan will override administrator intent.

NOTE: You can only configure the new policy, “Do not allow update deferral policies to cause scans against Windows Update”, via local group policy for now. Updated administrator template files will be available later this fall that will allow you to configure this policy at a domain level.

It is important to understand the expected behavior as it relates to ConfigMgr.

  • Windows Update for Business deferral policy configured and deployed via ConfigMgr (Windows 10 version 1703 and higher) – If you configure and deploy WUfB deferral policy via ConfigMgr, Dual Scan will be automatically enabled*. That is, “Do not allow update deferral policies to cause scans against Windows Update” will be set to disabled on any ConfigMgr client where the WUfB deferral policy is deployed. Even if you enable “Do not allow update deferral policies to cause scans against Windows Update” at the domain level, that setting will be periodically overwritten by the ConfigMgr client. *Assumes that the “Specify intranet Microsoft update service location” policy is set to Enabled.
  • Windows Update for Business deferral policy and Dual Scan disable policy configured and deployed via GPO – If you configure WUfB deferral policy as well as disable Dual Scan (e.g. enable the new policy) via GPO, those settings will be preserved by the ConfigMgr client.

To summarize:

  1. To use WUfB deferral policies while disabling Dual Scan, use GPO to configure all required settings.
  2. To use Dual Scan with WUfB deferral policies, configure and deploy WUfB policy via ConfigMgr.
  3. And if you’re still managing some Windows 10 version 1607 clients, the August cumulative update for 1607 also includes the new Dual Scan policy. You can use GPO to set deferral policies and disable Dual Scan when running ConfigMgr version 1706.
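As an added example (not from the original post) of the rule described above, this PowerShell function evaluates a client's effective Windows Update policy values and reports whether Dual Scan will be in effect: WSUS location plus either WUfB deferral policy enables it, unless the “Do not allow update deferral policies to cause scans against Windows Update” policy is enabled. The registry value names (WUServer, DeferFeatureUpdates, DeferQualityUpdates and DisableDualScan under the WindowsUpdate policy key) are assumed from the Windows Update policy templates, not taken from the post.

```powershell
# Added example (not from the original post): decide whether Dual Scan will be in effect
# from the policy values the post describes. Value names under the WindowsUpdate policy
# key are an assumption based on the Windows Update ADMX templates.
$WuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-DualScanState {
    param(
        [string]$WUServer,                 # "Specify intranet Microsoft update service location"
        [int]$DeferFeatureUpdates = 0,     # "Select when Feature Updates are received"
        [int]$DeferQualityUpdates = 0,     # "Select when Quality Updates are received"
        [int]$DisableDualScan = 0          # "Do not allow update deferral policies to cause scans against Windows Update"
    )
    $wsusConfigured  = -not [string]::IsNullOrEmpty($WUServer)
    $deferralPresent = ($DeferFeatureUpdates -eq 1) -or ($DeferQualityUpdates -eq 1)

    if (-not $wsusConfigured) {
        # No intranet update service: every scan already goes to Windows Update,
        # so Dual Scan in the sense the post describes does not apply.
        return 'NotApplicable-NoWSUS'
    }
    if (-not $deferralPresent) {
        return 'Disabled-NoDeferralPolicy'
    }
    if ($DisableDualScan -eq 1) {
        # Deferrals stay in effect, but "Windows" product family content still comes
        # from WSUS, which is what keeps ConfigMgr deployments working.
        return 'Disabled-ByPolicy'
    }
    # WSUS + a deferral policy and nothing blocking it: the client will ignore
    # "Windows" product family content offered by WSUS.
    return 'Enabled'
}

function Get-LocalDualScanState {
    # Read the effective policy values from the local machine and evaluate them.
    # Note from the post: a WUfB policy deployed via ConfigMgr periodically rewrites
    # DisableDualScan to 0, so also check where the deferral policy comes from.
    $p = Get-ItemProperty -Path $WuPolicyKey -ErrorAction SilentlyContinue
    $splat = @{}
    foreach ($name in 'WUServer','DeferFeatureUpdates','DeferQualityUpdates','DisableDualScan') {
        if ($null -ne $p -and $null -ne $p.$name) { $splat[$name] = $p.$name }
    }
    Get-DualScanState @splat
}

# Constructed scenarios (not read from a real machine) covering each outcome,
# followed by the evaluation of the machine the script runs on.
Get-DualScanState -WUServer 'http://wsus.corp.example:8530' -DeferQualityUpdates 1
Get-DualScanState -WUServer 'http://wsus.corp.example:8530' -DeferQualityUpdates 1 -DisableDualScan 1
Get-DualScanState -WUServer 'http://wsus.corp.example:8530'
Get-DualScanState -DeferFeatureUpdates 1
Get-LocalDualScanState
```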

