MNSCUG OSD Day 2018 Meeting Notes
Notes taken by Andre Dupre
Modern Driver and BIOS Management
Modern Driver Management (MDM)
- Dynamic driver detection
- Dell, Lenovo, HP and Microsoft
- Fujitsu coming soon
- Operation modes
- Bare metal, OS Upgrade, Driver Update
- Bare metal is default, there's a switch in the script to use for update of existing or during IPU.
- Single Task Sequence Step
- Rather than one step per model
- Detect, download and apply (dism.exe)
- Update uses pnputil.exe
- Driver automation tool
- Download and create driver packages
- ConfigMgr WebService
- Used for secure retrieval of driver package during deployment
- Script - Invoke-CMApplyDriverPackage.ps1
- Detect, download and inject drivers
- Logging to ApplyDriverPackage.log
- Support for multiple Apply OS steps
- Use OSImageTSVariableName parameter
- Install each driver separately or recursively
- Use DriverInstallMode
- In rare cases recursive can miss drivers. If you find this happening you can switch to Single install (old way, instead of recursive).
- Update detection logic with fallback from SystemSKU to computer model
- Try to use the baseboard or SystemSKU to match. If that doesn't work use computer model, to match.
- Panasonic and Viglen added for manufacturer support
- Only in Invoke-CMApplyDriverPackage.ps1 script
- XML model list creation for MDM via third party products
MDM Logic - Matching Packages
- Detect the models
- Detect the OS
- Apply the drivers
They do watch the github repo comments, can't reply to all but they do watch.
They do this for free.
Using the tool
- When you run it the xml with all your settings is saved
- Connect to your site and it will auto discover models
- It creates packages (legacy) of drivers for you
- Can be normal driver packages, or legacy packages.
- For Modern/Dynamic driver install it needs the legacy package type, not driver package.
- It creates folders for drivers per manufacturer, as needed.
- It can clean up unused drivers!
- Remove superseded, etc.
- Can use this to clean up driver store?
Web Service Needed
You do need a web service stood up which has rights to read Package/Model info from SCCM. During the TS, the script queries this web service to match the model and select the correct driver package. There isn't really any security on this, so be sure to lock down the rights of the identity the web service's application pool runs as (read only, and limited to driver packages only?)
You can generate an XML file that does the work of the web service, stick that on a file server, and have the script reference the UNC path.
Web service also used to determine what OS is being installed (must hook into TS monitoring?)
Custom Driver Package
If there are models without custom driver package the tool can create it by downloading all applicable drivers.
You can run the tool on the machine, it will grab the drivers from the local client. This generates an XML which can then be used to import drivers into legacy package in CM.
Tip: update that clients drivers before grabbing them (use vendor driver update tool). Machines don't always ship with latest drivers.
Driver Management Task Sequence Steps
Need one step to run the script in TS
- URI - url/uri for the web service
- Secret key - generated when setting up web service
- HTTPS works!
- Still do create RBAC role for identity of the web service so that it can only read data.
- Filter - drivers, BIOS
- Deployment Type - only required for anything other than BareMetal (IPU, live OS).
- BIOS Version
- There's an additional step. It's got to do version checking to determine if a new BIOS version is available and needs to be updated.
Modern BIOS Management (MBM)
- Very similar process.
- Creates packages
- During TS
- Matches model
- First script attempts to detect if BIOS update is available
- Second script downloads and extracts and runs
- Use TS variable condition "NewBIOSAvailable equals True"
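An added example (not the MBM project's own script) of the detection half: compare the installed BIOS version against a target and set the NewBIOSAvailable variable the step condition checks. The per-model target table is constructed for this example; in MBM the target comes from the package metadata and the web service.

```powershell
# Added example, not code from the presentation or the MBM project.
function Compare-BiosVersion {
    param([string]$Installed, [string]$Target)
    # Dell letter releases ('A12') and dotted versions ('1.5.3') do not
    # compare sensibly as strings, so normalise both to [version] first.
    $toVersion = {
        param($v)
        $v = "$v".Trim()
        if ($v -match '^[A-Za-z](\d+)$') { return [version]"0.$($Matches[1])" }  # A12 -> 0.12
        if ($v -match '^\d+(\.\d+)+$')   { return [version]$v }                # 1.5.3
        if ($v -match '^\d+$')           { return [version]"$v.0" }            # 15 -> 15.0
        return $null
    }
    $i = & $toVersion $Installed
    $t = & $toVersion $Target
    # Unknown format on either side: never flash on a guess, report "not newer".
    if ($null -eq $i -or $null -eq $t) { return $false }
    return ($t -gt $i)
}

# Constructed mapping for this example; replace with the real lookup.
$targetByModel = @{
    'Latitude 7490' = '1.15.0'
    'ThinkPad T480' = 'N24ET55W'   # Lenovo-style string: unknown format, so no flash
}

$bios   = Get-CimInstance -ClassName Win32_BIOS
$model  = (Get-CimInstance -ClassName Win32_ComputerSystem).Model
$target = $targetByModel[$model]
$newer  = if ($target) { Compare-BiosVersion -Installed $bios.SMBIOSBIOSVersion -Target $target } else { $false }

# Hand the answer to the task sequence; the COM object only exists inside a TS.
try {
    $ts = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $ts.Value('NewBIOSAvailable') = "$newer"   # step condition: NewBIOSAvailable equals True
} catch {
    Write-Output "Installed $($bios.SMBIOSBIOSVersion), target '$target', newer available: $newer"
}
```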
They might post their 4 slides later…
ConfigMgr OSD FrontEnd and Monitor
Open to feature requests for front end.
There are lots of great front ends out there (UI++ for example).
Whole idea of front end is to take config of device and make someone else decide/do it, rather than pre-stage it. You do this by setting variables in the front end.
- Device config at deployment
- Baremetal and refresh scenarios
- The whole idea of this front-end is aimed at Unknown computer support for SCCM bare metal deployment
- But can also be used with refresh
- Integrated with
- Config mgr and mdt
- Active Directory
- Enable / Disable sections
- You don't need to use every feature. Features can be disabled.
- All except computer and deployment
- Customizable branding and more
Not everyone needs MDT. It can be great, but it can add complexity. If you don't use MDT for anything other than bare-metal then you could just use custom front end instead of MDT + UDI for config.
In the front-end you will configure the entire TS and then start the deployment.
Uses same Config Mgr web service used in Modern Driver Management!
You can have the PC join groups during the OSD.
- Support for auth of users allowed for deploying devices
- Help stop accidental PXE boot and start of TS.
- Restrict to AD group so only specific people can run TS. (does support multiple sub-domains, not untrusted forests.)
- Can even restrict which task sequences are available to user based on AD group. This can be kind of tricky to setup as web service needs to be able to read membership properties of all groups and users
- There's a DLL (System.DirectoryServices.AccountManagement) to securely eval creds in WinPE. Means that creds are encrypted
Front End Sections
- Welcome Message
- Customizable - probably good to warn your users that you are going to reformat your drive.
- If you click cancel it won't format, if you enabled the section to format.
- Built-in Pre-flight checks
- Garytown has good blog post on pre-flight checks
- Want to make sure power, network, web service is available, check supported model.
- Supported computer model check. Simple text file on web service, read by front end when querying web service. Can be useful if you haven't certified new models for deployment.
- Built in rules to use Serial Number or some other standard naming conventions.
- Can run external powershell script to determine computer name
- Can validate the name against AD (useful for if you need to remove bitlocker keys or certs or whatever is your process).
- Computername lock - prevent anyone from editing computer name.
- Can get around it by launching powershell and changing variable, but unlikely for normal person to do that.
- Also displays additional info about PC.
- Select the TS
- Front End runs as application from Pre-Start command, before task sequence starts. The Front end starts the TS selected.
- If TS fails, when you re-run you won't see TS's because machine isn't Unknown but isn't quite known. There's a tick box to remove it from unknown device list and refresh.
- You get UI with your OU structure, can browse and pick where it goes.
- Shows everything that the web service can see
- This section is for managing MDT database. Reads/adds/removes PC from MDT database.
- Not many people at the meeting using the Roles feature. Could be useful for having MDT automatically install packages/applications associated with the roles you decide.
- This section doesn't get a lot of love…
- XML file predefining (running locally in boot image or web server, web server lets you update without updating boot image), predefines OSD variables (locale, language, timezone, etc.).
- Can set custom variables as well. So if you have a variable that needs to be set for all swedish computers, then you can set it there.
- Application selector.
- This does not show all apps in environment. Predefined XML file to put apps into specific folders (tags).
- This lets you create folders for categorizing apps.
- Can select all or only some folders or specific apps.
- Can specify mandatory apps
- New feature coming soon - allowing pre-selected but not mandatory apps.
- Can set any variables manually. Name it anything, give it any value, etc.
- This is maybe not the best way but it is a way for now.
- Can allow you to check if they exist or not
- Checks if PC has existing association
- Can add new associations
- Can clear existing associations
- Note: task sequence needs to be deployed as HIDDEN to PXE/media, etc.
- Detect task sequence deployments for known and unknown systems
- Supports task sequence restrictions based on user
Web service can use HTTPS.
What is pre-start command in this context?
- It is not the normal pre-start you know that is added to collections
- There's a prestartcommand.ps1 script that starts DaRT?
In the XML file you can customize the button names, section names, color, etc.
- IsAuthenticationEnabled True/False - will show or hide the Auth section.
- You must config 2 parameters (web service address and secret key), everything else is optional
Logging is enabled in a separate file and also shows in event viewer, lets you see all the TS variables that are set.
For Apps XML you do need to add categories to your apps. The front end reads all the apps with that category and then displays them. When you need to update to the next version (Adobe Reader for example) you can just apply the category to the new version of the app and remove the category from the old app.
Can't release source code for this app but if there's some blocker to introducing this tool to your org please let them know.
If there's a feature you need ask. If it only takes half a day and the wife is ok with it he can do it. But if it takes a week of time he needs to get paid.
Can run the front end with debug switch to run in windows - lets you test. It doesn't actually run the task sequence, so don't worry you won't actually format your PC. This lets you see all the variables that get set at the end.
You can download, there's plenty of documentation. Free to use.
Adaptiva - Sponsor Presentation
Many products, looking to hire talented people.
Goal of products:
- Aim to reduce complexity in environments (minimize DPs, distribute content, etc).
- Automate common tasks
Windows 10 enterprise survey - not everyone has completed it even though end of life is approaching.
Biggest blockers to moving
- Time of IT staff
Windows 10 Accelerator program
They have a number of free resources available. OneSite combines all the pieces and more.
Peer to Peer memory, PXE. Reduce impact on network by anticipating busy/free times of network traffic flow. Better control of timing. Maintain it well with client health.
Adaptiva quiz show
Peer to Peer Memory - Adaptiva does everything by RAM, rather than downloading to disk. Uses daisy chaining so that each peer only talks to one other peer. Before the first client writes to disk it already sends the content to the next peer's memory. Fault tolerance - if one recipient goes down, the chain heals (skips missing clients) and keeps going.
Peer to Peer PXE - dynamically assigns a PXE point within each subnet based on an election of the best-suited machine. So if there is a single Adaptiva client in the subnet, it can be the PXE point. PXE everywhere! The machines in the subnet use broadcast to hold an election to determine which one of them will serve as the PXE point. Then they point at the ADK so they can grab the files to build the boot image from a server.
The boot content can round robin - so that different machines can pull the content from different neighbors. This way no one gets overwhelmed.
Content Cache. Uses a proprietary filter driver that allows them to write to unallocated clusters, so to the OS it doesn't appear to use up any disk space. Uses all free space from your clients across a subnet to create a virtual SAN. Duplicates content across the peers.
OneSite network impact - don't need to worry about bandwidth, time of day, network saturation, etc. Uses predictive bandwidth harvesting (custom net driver, ndis). Uses UDP to transfer content, easy to spot. No overhead of TCP error correction. Gathers data about the network - if it is busy or saturated then back off on content distribution. If it is not busy then start pushing content again. It does prioritize non-Adaptiva traffic.
LEDBAT? It is a P2P protocol that is coming in Windows Server 1809 and CM 1806
When distributing content from Adaptiva you can view/change protocol/reprioritize/pause/stop content distribution without having to kill job and re-create job. There's a big red button to Pause WAN traffic - this is helpful if the network team thinks your content distribution is the problem.
Client Health - there is a workflow designer so you don't need to write code. For example, was able to check to see if machine was infected or vulnerable to WannaCry, and then remediate. 160+ health checks built in (secure boot, etc).
- This is not just an SCCM client health tool, this is full client including SCCM client, health check.
Adaptiva Academy - collection of resources, tools, knowledge (including videos from MMS).
- How does P2P help with VPN?
- You don't get P2P benefits but you do get bandwidth harvesting (so user doesn't get destroyed as soon as they join VPN with new content). Also, it doesn't need to go back up to the primary site, just up to whatever parent site it is connected to.
- 96 of the 160 client health checks have remediations.
Spacesniffer - freeware tool to see free space on disk.
Can do virtual state migration point - so your clients can serve as SMPs for each other's data when doing USMT. Can be encrypted
- How does Virtual Cache work with SCCM Cache?
- Alternate content provider still needs to wait for all checks (boundary, etc) to go through. Adaptiva holds the content compressed in its cache then passes it into CM cache when needed…
Presentation will be provided.
Compliance and Reporting
Conformity in fulfilling official requirements.
Official Requirement = documented, discussed and agreed upon standards. Not just what you want.
- A standard states what we do
- Doesn't have to be complicated. Doesn't (always) require change control.
- We should have a standard written down. Makes sure that it doesn't become a wild west.
- We will get X number of test devices, we test the drivers, then deploy drivers with Modern driver management tool, etc.
- We will have X% of computers upgraded to new version of windows every [year/quarter/etc]
- You have to simplify this stuff so that it can be changed or is flexible. For example, Microsoft changed names and update cadence with Win10, so be sure to write your standards with flexibility.
- A process states all of the procedures we must do to uphold and maintain a standard
- This is a list of things we will do every month, or quarter or year.
- Establishes details of what we want to do.
- Step by step guides that can be executed by anyone or anything (if automated) who meets the requirements to complete the procedure (i.e. a tech to do tech work).
- These can be screen shots, blog posts, the full guides on how to do it.
- A step by step guide on what to do in the event that something goes wrong in a procedure or process causing a device to become non-standard.
OSD and Inventory control are two foundational components to determining compliance. You need to know what you have in order to manage it.
Example: you can't enforce patch compliance for devices not managed by CM.
- Define how often you will update your reference image
- You can cut down on updates in storage (WSUS) if you are keeping your reference images up to date.
- Define how you will update your reference image
- What about 3rd party patching?
- 1806 3rd party Software Update integration - can you apply 3rd party updates during OSD?
- Ensure that all apps in your reference image are updated
- Are you really putting apps in your reference image??
- What questions do we want to answer?
- How long does it take to image a machine?
- What is the success/failure rate?
- What is the error code when it fails?
- Note: use a hex calculator to convert those large negative error codes (-23879056875…). You'll get something like fffxf00f4535. Then grab the last 4 hex digits and use NET HELPMSG ####
- Average life of image? How long before it is re-imaged?
- Last TS step before failure?
- What about nested Task Sequences?
- What are the most common errors and can we fix them?
- What is the most common Task Sequence? Which ones take the longest?
- How do we track if we changed a TS and how big the impact was?
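The error-code conversion from the note above, as an added example (not from the presentation): it turns the signed decimal code a task sequence logs into HRESULT hex form and, when the HRESULT wraps a Win32 error, prints the same message NET HELPMSG would. The sample codes at the bottom are constructed for the example.

```powershell
# Added example, not code from the notes or from ConfigMgr.
function ConvertFrom-TsReturnCode {
    param([Parameter(Mandatory)][long]$Code)
    # Reinterpret the signed 32-bit value as unsigned (4294967295 = 0xFFFFFFFF).
    $hresult  = [uint32]($Code -band 4294967295)      # -2147024894 -> 0x80070002
    $hex      = '0x{0:X8}' -f $hresult
    $facility = ($hresult -shr 16) -band 0x7FF
    $low      = $hresult -band 0xFFFF                 # the "last 4 hex digits"
    # Only FACILITY_WIN32 (7) HRESULTs, or plain Win32 codes, carry a Win32
    # error in the low word; for other facilities NET HELPMSG would mislead.
    if ($facility -eq 7 -or $hresult -lt 0x10000) {
        $msg = ([System.ComponentModel.Win32Exception]$low).Message
    } else {
        $msg = "facility $facility, low word is not a Win32 error code"
    }
    [pscustomobject]@{ Decimal = $Code; Hex = $hex; Win32Code = $low; Message = $msg }
}

# Constructed sample codes:
ConvertFrom-TsReturnCode -Code -2147024894   # 0x80070002, Win32 2: file not found
ConvertFrom-TsReturnCode -Code -2147467259   # 0x80004005, E_FAIL: no Win32 mapping
ConvertFrom-TsReturnCode -Code 1326          # plain Win32 code: bad user name or password
```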
Important SQL Views and Tables
- System table, holds info about system such as client version, and is client installed.
- V_R_SystemValid - this has info about active clients, doesn't show invalid/inactive clients.
- Info about TS execution
- When did it start, when did end, error codes.
- Info about anything that has been advertised.
- Info about packages including task sequences.
PowerBI Dashboard for Patch Compliance
We want tasty donuts not sad donuts.
BI dashboard demo.
Has an option to show run time by Machine type - this can help you identify if certain models are taking way too long (maybe a driver issue with bitlocker deployment).
- Timeline graph for how many errors occurred in a given day
- Timeline graph for how long OSD takes on average per day
- Data validation
- Community suggestions
- DM on twitter
- Email, etc.
Notifications to Teams with OSD
- Could be too many notifications
- Can be broken up by channel or other ways
- Or you can mute that channel
- Terrance made it.
- Uses incoming webhook to the URI/URL
- Makes a json file and sends it
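An added example (not Terrance's script) of that webhook post from inside a task sequence: it builds the JSON from the standard _SMSTS* variables and colours the card by the last action's return code. The webhook URL is a placeholder passed in as a parameter.

```powershell
# Added example, not the script shown at the meeting.
param([Parameter(Mandatory)][string]$WebhookUrl)   # placeholder: the channel's incoming-webhook URL

# Read a TS variable; outside a task sequence return a marker so the script
# can still be exercised from a normal PowerShell window.
function Get-TsValue {
    param([object]$Ts, [string]$Name)
    if ($Ts) { return $Ts.Value($Name) }
    return "(no TS: $Name)"
}

$ts = $null
try { $ts = New-Object -ComObject Microsoft.SMS.TSEnvironment } catch { }

$lastRc = Get-TsValue $ts '_SMSTSLastActionRetCode'
$failed = ($lastRc -match '^-?\d+$') -and ([long]$lastRc -ne 0)
$status = if ($failed) { 'FAILED' } else { 'completed' }
$color  = if ($failed) { 'CC0000' } else { '00AA00' }

# Legacy MessageCard payload accepted by Teams incoming webhooks.
$payload = @{
    '@type'    = 'MessageCard'
    '@context' = 'https://schema.org/extensions'
    themeColor = $color
    summary    = "OSD $status"
    title      = "OSD $status on $(Get-TsValue $ts '_SMSTSMachineName')"
    sections   = @(@{ facts = @(
        @{ name = 'Task sequence'; value = (Get-TsValue $ts '_SMSTSPackageName') }
        @{ name = 'Last action';   value = (Get-TsValue $ts '_SMSTSLastActionName') }
        @{ name = 'Return code';   value = "$lastRc" }
        @{ name = 'Finished';      value = (Get-Date).ToString('s') }
    ) })
}

# Keep the webhook URL in a TS variable or package rather than hard-coded:
# anyone holding it can post into the channel.
Invoke-RestMethod -Uri $WebhookUrl -Method Post -ContentType 'application/json' `
    -Body ($payload | ConvertTo-Json -Depth 5)
```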
Implement PowerBI Patching Template
- Reports on patch compliance with dashboard.
- How far back in the past do you care about patches that have been released (-90 is 90 days ago)
- In setting it up you have to go to query editor and change it to your server and server db.
- This can be parameterized now.
- You can pick by collection or by patch release date.
MDT - what if there are two features I like but don't want to implement all of MDT?
- Monitoring service
Using Config manager web service, what if I can get real time info from OSD Task Sequence? Beta of OSDMonitor is coming - inject into boot image, it runs every 5 seconds (customizable) agent to send data back to CM SQL db, real time about task sequence progress.
Needs DaRT? But doesn't require MDT. You do need a SQL DB (not the same as the ConfigMgr one? Because of licensing?). Currently only works on bare metal deployments. May work on IPU…
Plan to use this data from agent to pull it into OSD report PowerBI Dashboard.
This gives more info than status messages, and status messages are kind of hard to pull into PowerBI.
Lessons Learned - From the Field (Tips and Tricks)
- Anyone use the Command and Configure app to create an exe to deploy - very few
- CCTK is great but…
- Lots of new versions, small updates. It works great on new models but has problems on older models.
- Can use the old version but some new models need the new version to do UEFI conversion.
- There are also some new commands
- There's also a problem clearing the TPM without a prompt; that only works on certain models with certain firmware versions.
- So far, there's no option for fixing this problem.
- How to fix?
- Package both Newest and Old working version
- Run CCTK and check exit code (141 or 140)
- Then use that exit code to run either Legacy or new versions of CCTK.
- Why do we need to clear the TPM chip?
- If doing firmware update for example, you usually need to
- Disable bitlocker
- Update FW
- Requires physical presence F12 to clear (except HP)
- Re-enable bitlocker
- Physical presence - the painful side of updating
- The option to disable physical presence required doesn't always work on all models.
- User or tech needs to press F12 to clear. The screen is kind of scary so maybe not good for users.
- Clearing TPM via PS
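The CCTK fallback described under "How to fix?" above, as an added example (not Dell's tool or the presenters' script): run the newest CCTK first, and only when it returns 140 or 141 retry with the older known-good build. The package layout is an assumption, and the switches you pass are your own existing ones.

```powershell
# Added example, not code from the presentation.
param(
    [string]$NewCctk    = "$PSScriptRoot\new\cctk.exe",      # assumed package layout
    [string]$LegacyCctk = "$PSScriptRoot\legacy\cctk.exe",
    [string[]]$Arguments                                      # the CCTK switches you already use
)

function Invoke-Cctk {
    param([string]$Exe, [string[]]$Arguments)
    if (-not (Test-Path -LiteralPath $Exe)) { throw "CCTK not found: $Exe" }
    $params = @{ FilePath = $Exe; Wait = $true; PassThru = $true; NoNewWindow = $true }
    if ($Arguments) { $params.ArgumentList = $Arguments }
    return (Start-Process @params).ExitCode
}

$code = Invoke-Cctk -Exe $NewCctk -Arguments $Arguments
# 140 and 141 are the codes the presenters saw when the newest CCTK cannot
# handle an older model; any other non-zero code is a real failure to surface.
if ($code -in 140, 141) {
    Write-Output "New CCTK returned $code on this model, retrying with the legacy build"
    $code = Invoke-Cctk -Exe $LegacyCctk -Arguments $Arguments
}
if ($code -ne 0) {
    Write-Error "CCTK failed with exit code $code"
}
exit $code   # non-zero fails the task sequence step so the error is logged
```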
Windows as a Service
- Language packs during servicing.
- If on 1709, the language packs are specific to that version, how do you get language packs into 1803 during InPlaceUpgrade?
- Blog post - retain installed language packs during win10 servicing
- Use the web service! Similar method to Modern Driver Management
- Ask the web service to give you language packs dynamically.
- Script to help create all the packages (language packs into folder)
- Can we do it with CMG? No not now. But maybe changing it to XML feed so people can run it while they are at home. But it should work while they're on VPN.
Including DaRT - Boot Image
- What is DaRT?
- Remote deployment troubleshooting tool.
- How can you start DaRT earlier?
- There'll be a blog later. Or Johan may have one ready now
- You can use a powershell command to launch DaRT right away, even before entering in password. This way you only need someone to PXE boot for you and you can take it from there.
- Moving Machine OU - OSD
- OU Staging?
- There's nothing in Config Man that stops GPO from processing - it’s a timing thing. Even though documentation says processing is disabled.
- Can use web service to stage it. This uses web method.
- Could maybe also create step to remove all membership if you are re-deploying.
- Security of this vs storing credentials in TS
- Depends… could arguably be worse if credentials are leaked. For example you have a domain join user and creds get compromised and then could those creds be used elsewhere?
- You could segregate web services - one that has read only permissions and another that has rights to modify objects in AD…
- The permissions are the most important thing. Give it minimum necessary.
- Status query filters
- MDT integration…
- Web service integration
- Computer Naming
- Best way - Serial Number
- Unless you have really good reason to name it differently.
- For example: on the manufacturing floor you have one PC called ROBOT1 and WELDER2 so you really know what that machine is for.
- Old School - OSDComputerName prompt
- WMI Based - computer name based on serial number, machine type, etc.
- Numeric - Computer name with sequence numbering
- AD query via powershell?
- Web service
- Sequential naming
- Can use web service to do this
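The serial-number naming rule from this list and from the front end's "external PowerShell script to determine computer name" section, as an added example (not the front end's own code): it sanitises the BIOS serial to the NetBIOS character set and length, refuses placeholder serials rather than guessing, and sets OSDComputerName. The prefix is an assumption.

```powershell
# Added example, not code from the front end or the presentation.
param(
    [string]$Prefix = 'PC-',     # assumed site convention
    [int]$MaxLength = 15         # NetBIOS limit for computer names
)

function ConvertTo-SafeComputerName {
    param([string]$Prefix, [string]$Serial, [int]$MaxLength)
    # Keep only characters valid in a NetBIOS name; some vendors put spaces,
    # slashes or dots in serial numbers.
    $clean = ($Serial -replace '[^A-Za-z0-9-]', '').ToUpper()
    if ($clean.Length -eq 0) { throw 'Serial number is empty after sanitising' }
    $room = $MaxLength - $Prefix.Length
    if ($room -le 0) { throw 'Prefix leaves no room for the serial' }
    # Long serials: keep the tail, the part most likely to be unique.
    if ($clean.Length -gt $room) { $clean = $clean.Substring($clean.Length - $room) }
    $name = "$Prefix$clean"
    if ($name -match '^[0-9]+$') { throw 'Computer name cannot be all digits' }
    return $name
}

$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
# VMs and some OEM boards report placeholder serials; refuse to derive a name.
if ([string]::IsNullOrWhiteSpace($serial) -or
    $serial -match 'To be filled|Default string|System Serial') {
    throw "Unusable serial number '$serial'; fall back to a prompt or an AD lookup"
}

$name = ConvertTo-SafeComputerName -Prefix $Prefix -Serial $serial -MaxLength $MaxLength

# Hand the result to the running task sequence; the COM object only exists
# inside a TS, so outside one just show what would have been set.
try {
    $ts = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $ts.Value('OSDComputerName') = $name
} catch {
    Write-Output "Computed name: $name (no task sequence environment found)"
}
```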