Quick tip: Troubleshooting device management failures on Windows 10

This is a short and quick blog post to point out where to start with troubleshooting Windows 10 device enrollment issues and Windows 10 device management issues. To start with troubleshooting, it’s important to know where to find the information about the device enrollment issues and the device management issues. This short and quick post will show the location of that information, starting with Windows 10 build 1511.

Event Viewer

To find the information about the device enrollment issues and device management issues, starting with Windows 10 build 1511, simply perform the following steps:

  • DM_EventViewerOpen the Event Viewer and navigate to Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider;
  • Select the Admin node to show the available events;
  • (Optional) Select View > Show Analytic and Debug Logs to enable the ability to generate debug logging;
  • (Optional) Right-click the Debug node and select Enable Log to enable detailed logging.

Note: When automatic device enrollment is configured with an Azure AD join, the User Device Registration node will provide helpful information for everything before the device enrollment.

More information

For more information about troubleshooting mobile device management failures on Windows 10 devices, please refer to Diagnose MDM failures in Windows 10.

Share

How the settings in ConfigMgr translate to the command line of the Windows 10 upgrade

DefaultSettingsThis week a short post about the settings in the Upgrade Operating System task sequence step and how these settings translate to the parameters used during the Windows 10 upgrade. I will go through the standard parameters, for the Windows 10 upgrade, used by the Upgrade Operating System task sequence step and I will go through the effect, of the configuration options in the Upgrade Operating System task sequence step, on the Windows 10 upgrade parameters.

Configuration options

Now let’s start by having a look at the standard parameters for the Windows Setup of the Windows 10 upgrade, used by the Upgrade Operating System task sequence step. To do this, let’s start with an Upgrade Operating System task sequence step with only Upgrade package selected. That setting will translate to a command line like this: “C:\_SMSTaskSequence\Packages\PCP0000F\SETUP.EXE” /ImageIndex 1 /auto Upgrade /quiet /noreboot /postoobe “C:\WINDOWS\SMSTSPostUpgrade\SetupComplete.cmd” /postrollback “C:\WINDOWS\SMSTSPostUpgrade\SetupRollback.cmd” /DynamicUpdate Disable

Based on that command line it’s possible to see the standard configurations of the Upgrade Operating System task sequence step. By default the Upgrade Operating System task sequence step performs an upgrade of Windows and saves apps and data (/auto Upgrade), suppresses any Setup end-user experience (/quiet), instructs Windows Setup not to restart the computer after the down-level phase of Windows Setup completes (/noreboot), runs a script after the Setup is complete (/postoobe), runs a script if the end-user rolls back Windows (/postrollback) and disables the dynamic update operations (/dynamicupdate Disable).

Now let’s have a look at the effect of the remaining configuration options option of the Upgrade Operating System task sequence step. The following table lists the configuration option, the parameter that it translates to, and a short description.

Option Command Description
Source path /InstallFrom Specifies a local, or network path, to the Windows 10 media, that is to be used.
Product key /PKey <ProductKey> Specifies the product key to apply to the upgrade process.
Provide the following driver content to Windows Setup during upgrade /Driver Specifies the drivers that need to be added to the destination computer during the upgrade process.
Time-out (minutes) N/A Specifies the number of minutes Setup has to run before ConfigMgr will fail the task sequence step.
Perform Windows Setup compatibility scan without starting upgrade /Compat ScanOnly Specifies to perform the Windows Setup compatibility scan without starting the upgrade process.
Ignore any dismissible compatibility messages /Compat IgnoreWarning Specifies that Setup completes the installation, ignoring any dismissible compatibility messages.
Dynamically update Windows Setup with Windows Update /DynamicUpdate Enable Specifies whether setup will perform dynamic update operations, such as search, download, and install updates.
Override policy and use default Microsoft Update N/A Specifies to temporarily override the local policy in realtime to run dynamic update operations and have the computer get updates from Windows Update.

Note: When dynamic update is enabled, ignore warnings is not allowed. That results in the task sequence ignoring the /compat switch.

More information

For more information about the Windows 10 upgrade and the different task sequence steps, please refer to:

Share

Managing the Configuration Manager console language

Let’s start this new year with a blog post about the Configuration Manager console language. I have to admit that it doesn’t really sound like an exiting subject, but it can be very useful with troubleshooting. Most issues can easily be found, on the Internet, when using the English language, while many other languages can be a lot more challenging. In this blog post I’ll go through an overview of the Configuration Manager console language behavior, the installation of the English-only Configuration Manager console and the possibility of disabling any additional Configuration Manager console languages.

Note: This activities and theories in this blog post are successfully tested on ConfigMgr 2012 and ConfigMgr 1511.

Configuration Manager console language behavior

Now let’s start with an overview of the behavior of the Configuration Manager console language. During the site server installation, the Configuration Manager console installation files, and configured language packs, are copied to the <ConfigMgrInstallationPath>\Tools\ConsoleSetup subfolder on the site server.

When the installation of the Configuration Manager console is started from that folder, on the site server, the Configuration Manager console, and configured language pack files, are copied to the device. That will make sure that when a language pack is available for the currently configured language on the device, the Configuration Manager console opens in that language. If the associated language pack is not available, the Configuration Manager console will open in English.

Each time the Configuration Manager console opens, it determines the currently configured language on the device, verifies whether an associated language pack is available for the Configuration Manager console, and then opens the console by using the appropriate language pack.

Install English-only Configuration Manager console

After going through the standard behavior of the Configuration Manager console language. it is time to look at some minor adjustments. In case multiple languages were configured during the site server installation, it might be useful to know that it’s still fairly easy to only install the Configuration Manager console with the English language, regardless of the configured language on the device. To do this, simply perform the following steps and install the Configuration Manager console, on any device, in English-only.

  • DisableLanguageCentralOn the site server, navigate to <ConfigMgrInstallationPath>\ Tools\ConsoleSetup\LanguagePack;
  • Rename the .msp and .mst files of the languages that should not be installed. In this example, I configured the Dutch language during the site server installation, which means that I should rename the following files.
    • ALP1043.msp to ALP1043.msp.disabled;
    • ALP1043.mst to ALP1043.mst.disabled.

Note: Keep in mind that when a new language is configured on the site server, the .msp and .mst files are recopied to the LanguagePack folder.

Disable Configuration Manager console language

After going through the installation of the Configuration Manager console in English-only, it might be good to know that it’s also possible to temporarily switch a Configuration Manager console to English. That can be very useful when the Configuration Manager console is installed with the currently configured language on the device and it must be opened in English for easier troubleshooting. To do this, simply perform the following steps and open the Configuration Manager console in English.

  • DisableLanguageLocalOn the device that is running the Configuration Manager console, navigate to <ConsoleInstallationPath>\Bin\;
  • Rename the language folder of the language that is currently configured on the device. In this example, I installed en configured the Dutch language on the device, which means that I should rename the nl folder to nl.disabled.

Note: Keep in mind that when a repair is performed of the Configuration Manager console, the language folder is recopied to the Bin folder.

More information

For more information about managing the Configuration Manager console language, please refer to the following article: https://technet.microsoft.com/en-US/library/mt605315.aspx#BKMK_ManageConsoleLanguages

Share

Download package content during a task sequence

This week a blog post about one of the smaller new features of ConfigMgr 1511 and later. I want to devote this post to the new ability to easily download the content of a package during a task sequence. This ability is mainly introduced to work with the Windows 10 upgrade scenarios and the WinPE peer cache functionality. However, it can also be used to replace all the Run Command Line task sequence steps that were used to copy the content of normal Packages during a task sequence. In this post I’ll go through the different configuration options of that new ability, the Download Package Content task sequence step. I will also show an example in a task sequence and I will end with a look at the results in the smsts.log.

Configuration options

The Download Package Content task sequence step can download the content of Boot Images, Operating System Images, Operating System Upgrade Packages, Driver Packages and Packages. It also has the very nice option of Save path as variable, which can be used to easily store the location of the downloaded package content. When a variable is configured it has to be referred to in subsequence steps with a numerical suffix. That means that when ContentPath is used, as variable, it has to be referred to like ContentPath01. The order in the list determines the numerical suffix that’s used as reference.

Task Sequence working directory

The download location Task sequence working directory can be used at any moment after the Format and Partition Disk task sequence step. After that step the content will be kept and moved during the running time of the task sequence. The variable configured with Save path as variable will be updated when the location of the downloaded content has changed.

Configuration Manager client cache

The download location Configuration Manager client cache can be used at any moment after the Setup Windows and ConfigMgr task sequence step. When the ConfigMgr client is up-and-running, the content can be downloaded to its cache. The content will be available even after the task sequence is finished. This allows the client to act as a peer cache source for other peer cache clients. The variable configured with Save path as variable will be updated when the location of the downloaded content has changed.

Custom path

The download location Custom path can be used at any moment in the task sequence. However, keep in mind that the content will not be moved during the running time of the task sequence. Only the changes to the driver letter, due to reboots, will be updated in the variable configured with the Save path as variable. The content itself will be left untouched. When this option is used after the Setup Windows and ConfigMgr task sequence step, the content will be available after the task sequence is finished.

Task Sequence example

Now that the configuration options are clear, let’s go through a configuration example. That example will mainly show how to use the configured variable.

1 DownloadPackageContentThe first action is to download the content and to configure the download-to location. This can be achieved by selecting a number of packages, of the previously mentioned types, and by specifying the download-to location. To make accessing the content easier, select Sava path as a variable and use ContentPath as variable.
2 DownloadPackageUsageThe second action is to use the content after it is downloaded. This can be achieved by using a Run Command Line step and using the ContentPath02 variable. That will refer to the downloaded content of the Set Image Version Package. Now simply refer to anything available within that Package.

Important: After saving the task sequence by clicking OK or Apply the list with packages will be rearranged by the letters of the alphabet. This will impact the numerical suffix that is needed to point to the right location. My advise is to save the task sequence before referring to the content.

Result

After going through all the configuration options and the task sequence example, it’s time to look at some results. Let’s have a look at how the first Package is handled by the OSDDownloadContent component, in the smsts.log, for the three different download locations.

Task sequence working directory

The download location Task sequence working directory is the easiest to handle for the task sequence. The task sequence will download the content to the C:\_SMSTaskSequence\Packages directory and set the ContentPath01 variable to the location of the first Package. After that it will add the ContentPath01 variable to the list of paths that need to be remapped on reboot.

petervanderwoude.nl

Configuration Manager client cache

The download location Configuration Manager client cache requires a few additional actions. The task sequence will download the content to the C:\_SMSTaskSequence\Packages directory. After that it will stage the downloaded content to the client cache directory and set the ContentPath01 variable to the location of the first Package in the client cache. After that it will add the ContentPath01 variable to the list of paths that need to be remapped on reboot.

SMSTS_CCMCache

Custom path

The download location Custom path requires similar additional actions. The task sequence will download the content to the C:\_SMSTaskSequence\Packages directory. After that it will stage the downloaded content to, in this case, the C:\Temp folder and set the ContentPath01 variable to the location of the first Package in that folder. After that it will add the ContentPath01 variable to the list of paths that need to be remapped on reboot.

SMSTS_CTemp

More information

For more information about this new task sequence step, please refer to the following article: https://technet.microsoft.com/en-us/library/mt629396.aspx#BKMK_DownloadPackageContent

Share

Company logo in the new Software Center

SoftwareCenter_TwThis time a short blog post as an answer to one of my tweets of yesterday. I’m afraid this post will take away all the flair of that tweet. The picture in that tweet looked so cool, but is actually also so simple to configure. The new Software Center will actually just take the Company Logo as configured in the Microsoft Intune Subscription Properties.

Configuration

Now let’s quickly go through the configuration. Assuming a Microsoft Intune Subscription is added, simply perform the following steps:

  • MISPIn the Configuration Manager administration console navigate to Administration > Overview > Cloud Services > Microsoft Intune Subscriptions;
  • Select Microsoft Intune Subscription and click Properties;
  • Navigate to the tab Company Logo, select Include company logo, Browse to the JPEG or PNG that should be used and click OK.

End-user experience

Let’s end this post with showing the end-user experience again. The end-user will see the newly configured Company Logo in the top-left corner of the new Software Center. That makes sure that the end-user will experience a similar look-and-feel on all its devices. Here is an example of the new Software Center next to the Company Portal app on iOS.

New Software Center Company Portal app
SoftwareCenter_LF IMG_0004
Share

Reset passcode via the Company Portal website

This week a blog post about the new ability in the Company Portal website to reset the passcode of a mobile device. Before only the administrator could reset the end-users’ passcode, but this has changed. Starting with the November update, of Microsoft Intune, a new option Reset Passcode is added to the Company Portal website. This option is available when the end-user is looking at the information of a specific mobile device.

In this blog post I will go through the complete end-user experience. Starting with the end-user experience in the Company Portal website, followed by the end-user experience on the mobile device. I will end this post with a summarization per platform that will show the behavior of the (new) passcode.

Also, a bit of topic, but this blog post was a good reason to verify my Remote Mobile Device Manager with the latest version of ConfigMgr and I can say that my Remote Mobile Device Manager fully works with ConfigMgr 1511!

End-user experience in the portal

Now, lets start with the end-user experience in the Company Portal website. The end-user can logon to any device and use a web browser to navigate to the Company Portal website. After that the end-user can select the device of which the password must be reset and simply following the step.

Step Action
1 Step1_ResetPasscodeIn the Company Portal website the end-user must select the mobile device and select Reset Passcode.
2 Step2_SignOutAfter selecting Reset Passcode, the end-user will be prompted to sign out and sign in again. Select Sign out.
3 Step3_ResetPasscodeAfter signing out and signing in again, within 5 minutes, the end-user will be prompted to reset the passcode. Select Reset Passcode.
4 Step4_PendingAfter selecting Reset Passcode, the end-user will be notified that a Passcode reset is pending.
5a Step5_Success_iOS_HSOn an iOS device, managed by Microsoft Intune standalone or Microsoft Intune hybrid, the end-user will be prompted within a few minutes with Passcode successfully reset.
5b Step5_Success_WP_SOn a Windows Phone 8.1 device, managed by Microsoft Intune standalone, the end-user will be prompted within a few minutes with Passcode successfully reset and New Passcode: <Passcode>.
5c

Step5_Success_WP_HOn a Windows Phone 8.1 device, managed by Microsoft Intune hybrid, the end-user will be prompted within a few minutes with Passcode successfully reset.

5d Step5_Success_Android_HSOn an Android device, managed by Microsoft Intune standalone or Microsoft Intune hybrid, the end-user will be prompted within a few minutes with Passcode successfully reset and New Passcode: <Passcode>.

End-user experience on the mobile device

After looking at the end-user experience in the Company Portal website its interesting to look at the end-user experience on the mobile device. Like with almost everything, the end-user experience is completely different on every platform. Below is the behavior shown, per platform, after the end-user has performed the reset passcode procedure.

iOS Windows Phone 8.1 Android
20151210_201907000_iOS wp_ss_20151210_0001 IMG-20151212-WA0001
On an iOS device, the end-user will receive a message to change the passcode within 60 minutes. On a Windows Phone 8.1 device, the end-user will receive a message that the password was reset. On an Android device, the end-user will receive a notification that a new temporary passcode was set.

End-user experience summarization

The last thing that I want to provide is an overview, per platform and per scenario, about the passcode behavior. In the table below I will show what happens to the passcode and where the new passcode can be found. The scenario refers to Microsft Intune standalone and Microsoft Intune hybrid.

Platform Scenario Behavior
iOS Standalone and hybrid Removes the passcode from the device and gives the end-user 60 minutes to see a new passcode.
Windows Phone 8.1 Standalone Creates a new numeric passcode that is shown to the end-user in the Company Portal website.
Windows Phone 8.1 Hybrid Creates a new numeric passcode that is currently only available through the ConfigMgr console.*
Android Standalone and hybrid Creates a new alphanumeric passcode, which is shown to the end-user in the Company Portal website.

*At this moment the end-user experience on a Windows Phone 8.1 device, in a Microsoft Intune hybrid environment, is not working how it should be. The end-user has to contact the administrator to get the new passcode. Also, the administrator will only see the new passcode when a passcode reset has been performed before. If this is not the case, the administrator will have to perform another passcode reset to get the required new passcode for the end-user.

More information

For more information about the latest additions to Microsoft Intune, about the Company Portal website, or about my Remote Mobile Device Manager, please refer to:

Share

Many reasons to look at ConfigMgr 1511

ConfigMgr1511At this moment Microsoft has just released System Center Configuration Manager (version 1511). This build was released to MSDN subscribers last week and is now general available and publically announced by Microsoft. During this blog post I will refer to this release as ConfigMgr 1511.

In this blog post I will post my five main reasons to start looking at ConfigMgr 1511 as soon as possible. This will be followed by a list with great improvements that could also be good reasons to start looking. Before I start with all those reasons it might be worth mentioning that it’s possible to do an in-place upgrade of ConfigMgr 2012 to ConfigMgr 1511. This process will feel similar to a service pack upgrade.

Main reasons

Lets start with my main reasons to start looking at ConfigMgr 1511 as soon as possible. Of course everybody can have their own main reasons, but I really do think that the following five reasons can be very beneficial to every company.

Reason 1: Full support of Windows 10

R1_Windows10My first reason is, probably for many companies the main driver for upgrading or migrating to ConfigMgr 1511, the Windows 10 servicing support. A great blog post about the Windows 10 support in the different version of ConfigMgr can be found here. A brief summary would be that ConfigMgr 2012 supports servecing Windows 10 LTSB 2015 and Windows 10 CB(B) through February 2016. Everything else would require ConfigMgr 1511 and later. Including support for newly introduced features in Windows 10.

Besides the servicing support, also the upgrade paths are a lot easier via ConfigMgr 1511. This version will also support deploying the upgrades via the software update management flow, it even introduced something new for that named Servicing Plans, while ConfigMgr 2012 can only do an in-place upgrade and of course a fresh installation.

Reason 2: Updates and servicing

R2_ServicingMy second reason is the updates and servicing model of ConfigMgr 1511. It even introduced a new role for that named Service connection point. This role creates a persistent connection with the Configuration Manager cloud services and proactively notifies about updates. When a new update is released, which can be done a lot faster now, it will be made available through this channel. This will be the road to keep as close as possible to the releases of Microsoft Intune and Windows 10.

Also, good to know is that this Service connection point role does more than just that. It also functions as what was previously known as the Microsoft Intune connector role. Besides that another important function is to upload usage data. For more information about this role, please refer to this article.

Reason 3: Latest mobile device management features

R3_LatestMDMMy third reason is the availability of the latest mobile device management features in ConfigMgr 1511. That includes many new settings that are available as a Configuration Item, but also some completely new features like Terms and Conditions, Device Enrollment Manager and Multi-Factor Authentication. These last options are already available in Microsoft Intune for a while and now finally came to ConfigMgr.

As I mentioned before, the Service connection point will allow the environment to stay in par with Microsoft Intune, where possible.

Reason 4: New software center

R4_SoftwareCenterMy fourth reason is the new Software Center in ConfigMgr 1511. This new Software Center is great for two big reasons, 1) it does not require Silverlight anymore and 2) it includes available user-targeted applications. Yes, really, it includes available user-targeted applications!

Good to know is that it does still require the Application Catalog web service point and the Application Catalog website point and, at this moment, it has to be enabled via the Client Settings.

Reason 5: On-premises mobile device management

R5_OnPremMDMMy fifth reason is the introduction of on-premises mobile device management in ConfigMgr 1511. This allows the enrollment of on-premises Windows 10 devices as a mobile device. At this moment only Windows 10 is supported and it’s not possible yet to publish this service externally. In my opinion this is bigger than we might think, as it could be the very first step to agentless management. It simply uses the buildin OMA-DM agent capabilities. The more management capabilities that agent can do the more ConfigMgr can do without it’s own agent.

An important configuration checkbox can be found in the Microsoft Intune Subscription configuration. That checkbox will make sure that no device information is send to the cloud. Keep in mind that the complete configuration also requires certificates, the Enrollment point and the Enrollment proxy point.

Good reasons

That was a great list with reasons to migrate or upgrade to ConfigMgr 1511 as soon as possible. Now lets continue with a list, in no particular order, of great improvements that also could be very good reasons to start thinking about ConfigMgr 1511.

  • Support for 175.000 clients per primary site – ConfigMgr 1511 introduces support in a primary site for up to 175.000 clients;
  • Multiple deployments for an Automatic Deployment Rule – ConfigMgr 1511 introduces the ability to add multiple deployments for each Automatic Deployment Rule
  • Phased client upgrade process – ConfigMgr 1511 introduces client piloting to easily deploy and test updates to the Windows client using a pre-production collection while leaving the current client version in use by the remainder of the hierarchy;
  • Software update management for Office 365 updates – ConfigMgr 1511 introduces the ability to manage Office 365 desktop client updates using the software update management workflow. 
  • WinPE Peer Cache – ConfigMgr 1511 introduces the ability to deploy a new operating system and computers that run the task sequence can use this ability to obtain content from a local peer instead of downloading content from a distribution point.
  • Bulk enrollment for Windows 10 devices – ConfigMgr 1511 introduces bulk enrollment to enable administrators to easily enroll devices for on-premises, or cloud, management without requiring end-users to work through the device enrollment process.
  • Integration with Windows Update for Business – ConfigMgr 1511 introduces the ability to differentiate a Windows 10 computer that is directly connected via Windows Update for Business (WUfB) versus the ones connected to WSUS for getting Windows 10 updates and upgrades.

It could very well be that I even forgot a few new additions to the product, little improvements, like the ability to add the Download Package Content step to a task sequence, or the ability to enable Run WSUS cleanup wizard. I tried to be as complete as possible. For the official list with new features, please refer to this article.

Removed and deprecated features

As with many new releases, it’s also often a moment to remove specific features and to stop supporting specific versions of operating systems and SQL. This article list the removed and deprecated features for ConfigMgr. Make sure to check this list before planning the upgrade or migration to ConfigMgr 1511. A key item in that article is the removal of the Out of Band Management feature.

Share