Automating SCCM patching process using ADRs

Let me start with a term that SCCM users & admins have referred to for a long time: ‘Best Practice’. Personally, I feel there is no single Best Practice for doing one thing in a certain way to achieve the end goal. With or without SCCM/MECM, one can attack the problem and navigate issues in so many different combinations.

For the purpose of writing this article on ADR, I am documenting a method that has worked for me in multiple enterprise design solutions.

As I work for a Healthcare system, the ADR solution is a little bit different from traditional design to ensure critical systems are not impacted by automated deployment & restart scenarios. It goes without saying that the process is not a representation of my organization’s policies but a general guideline on how to do things.

Let’s talk about deployment packages in SCCM. I would create four deployment packages to control them more granularly:

  1. Windows 10 Microsoft office updates
  2. Windows 10 windows update
  3. Adobe Reader updates
  4. Dell updates or any other supported third-party updates (For unsupported updates, I highly recommend PatchMyPC)

Each deployment package uses distribution settings with medium distribution priority, and its content locations select all distribution points. You can choose the right configuration based on your SCCM layout. Also, one thing to keep in mind is to keep the Adobe Reader ADR separate from the other ADRs. One reason to do so is that it helps prevent scheduling & content overlap with Microsoft’s Patch Tuesday.

ADR Planning

There are two schools of thought when it comes to ADR planning:

  1. Create New SUG every time an ADR runs
  2. Add to existing SUG

The importance of the SUG comes into play because a SUG is used for grouping the software updates into one batch. Many organizations and SCCM architects have created a SUG on a monthly basis, which is a good practice but leads to a lot of overhead in terms of managing individual SUGs. The result is that you will end up with 12 months of SUGs times two: one for Office & the other for Windows patches. Total: 24 SUGs, not forgetting that Adobe Reader, Dell updates etc. also need to be taken into account. I am in no way saying this is not good, but it did not work for me while managing so much other stuff in SCCM. In a typical environment, you may want to spread the ADRs as Dev-QA-PROD or Lab-QA-PROD environments. This makes the total count of SUGs 24×3 = 72 on an annual basis! Too much work in my opinion. If you are able to track them, good for you!

However, adding to an existing SUG is a much simpler option if you are mindful of not going beyond 2000 software updates per SUG. If you do go beyond 2000 software updates for a SUG, you will need to clean it up. In my experience, for just Windows patches in a Windows 10 environment, a once-a-year cleanup is a must. This is a good practice to ensure that obsolete software updates are purged, and it also helps keep the inventory clean. The total count of SUGs here is just 2×3 = 6, which is a reasonable number of SUGs to manage. I also use scripts to clean up the obsolete updates in SCCM’s SQL server every 6 months, so that helps keep things in check.
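As an added example (not part of the original post), here is a PowerShell check for the "add to existing SUG" approach: it counts the updates in each long-lived SUG, warns when a SUG approaches the 2000-update ceiling mentioned above, and, only with -Remove, drops expired and superseded updates from it. It assumes the Configuration Manager console and its PowerShell module are installed, that the site code, site server and SUG names are placeholders you replace, and that Get-CMSoftwareUpdate and Remove-CMSoftwareUpdateFromGroup behave as documented.

```powershell
# Added example, not from the original post. Assumes the ConfigMgr console is
# installed on this machine; site code, site server and SUG names are placeholders.
$SiteCode   = 'PS1'                                   # placeholder site code
$SiteServer = 'SITESERVER.example.local'              # placeholder site server FQDN
$SugNames   = @('Windows 10 Windows Updates - QA',    # placeholder SUG names
                'Windows 10 Office Updates - QA')
$MaxUpdatesPerSug = 2000                              # ceiling used in the post
$WarnAtPercent    = 90                                # warn when a SUG is this full

# Load the ConfigurationManager module that ships with the console and map the
# site drive (what the console's "Connect via Windows PowerShell" does for you).
$consoleBin = Split-Path $env:SMS_ADMIN_UI_PATH -Parent
Import-Module (Join-Path $consoleBin 'ConfigurationManager.psd1') -ErrorAction Stop
if (-not (Get-PSDrive -Name $SiteCode -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $SiteServer | Out-Null
}
Set-Location "$($SiteCode):"

function Test-SugHygiene {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SugName,
        [switch] $Remove        # without -Remove the function only reports
    )
    # -Fast skips lazy properties, which matters on a SUG with hundreds of updates.
    $updates = @(Get-CMSoftwareUpdate -UpdateGroupName $SugName -Fast)
    $stale   = @($updates | Where-Object { $_.IsExpired -or $_.IsSuperseded })
    $pct     = [math]::Round(100 * $updates.Count / $MaxUpdatesPerSug)

    $report = [pscustomobject]@{
        SUG          = $SugName
        Updates      = $updates.Count
        Expired      = @($updates | Where-Object IsExpired).Count
        Superseded   = @($updates | Where-Object IsSuperseded).Count
        PercentOfCap = $pct
        Action       = 'OK'
    }
    if ($pct -ge $WarnAtPercent) { $report.Action = "CLEANUP NEEDED ($pct% of $MaxUpdatesPerSug)" }

    if ($Remove -and $stale.Count) {
        foreach ($u in $stale) {
            # ShouldProcess gives -WhatIf / -Confirm on the destructive step.
            if ($PSCmdlet.ShouldProcess($SugName, "Remove '$($u.LocalizedDisplayName)'")) {
                Remove-CMSoftwareUpdateFromGroup -SoftwareUpdateGroupName $SugName `
                    -SoftwareUpdateId $u.CI_ID -Force
            }
        }
        $report.Action = "Removed $($stale.Count) expired/superseded update(s)"
    }
    $report
}

# Report only; add -Remove (try -WhatIf first) for the yearly cleanup.
$SugNames | ForEach-Object { Test-SugHygiene -SugName $_ } | Format-Table -AutoSize
```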

Software Update Search criteria for Windows 10 & later versions:

ADR: Automatic Dancing Routine

This is where things get interesting. Reddit is filled with examples of how easy it is to time the ADR run to match up with Microsoft’s Patch Tuesday. There are also accounts of how hard it is to match up with a Patch-for-Patch Tuesday that Microsoft often releases on a Friday! As mentioned earlier, there is no right or wrong approach. In fact, I have seen my management & security teams demand changes to a policy that was set in stone a couple of years ago. The art of getting this right is to find a balance between what Microsoft suggests & how your end-user experience gets impacted. I am strictly speaking in terms of a Windows 10 managed PC environment & not servers here. The server side of the story is way more complex.

I call the ADR scheduling a dance routine due to the following three factors:

  1. Microsoft’s recommendation to stay approx. 1 month behind for general patching.
  2. Enterprise User experience aka business
  3. Enterprise security compliance & directive

If one of the stakeholders demands an explanation, SCCM admins & architects alike are dancing LOL.

Assumptions

  1. Change process approvals accounted for Monday, Tuesday, or Wednesday of each week *
  2. Patch-for-Patch is a security update re-released with modifications, mostly occurring on the Friday after Patch Tuesday. It could happen any time later, but the general trend I have observed is Fridays.

ADR Schedules & Target audience

The following three schedules have worked for me in various companies where I worked as an SCCM engineer:

  1. DEV-Lab:
    • Schedule: Runs every day. When Patch Tuesday occurs, the updates are automatically deployed and systems rebooted per client settings.
    • Audience: Keep a good set of VDIs, laptops, Hyper-V VMs and PCs in this group to monitor impact.
  2. QA:
    • Schedule: Runs every third Wednesday at around 3 pm.
      • WHY the third Wednesday: It helps me put a method to the madness. Generally, it comes one week after Patch Tuesday (which is the second Tuesday of the month). If a patch for a patch is released on Patch Friday (if that’s a term you want to call it), then I would not like to update systems over the weekend, to prevent potential outages. Sometimes we run into cycles where Patch Tuesday comes after the second Wednesday, so it helps me overcome that problem too.
      • Example: For the May 2024 calendar, I don’t need to tweak my design, as Patch Tuesday occurs on the 14th & the third Wednesday occurs on the 15th. In this unique situation, the third Wednesday falls just one day after Patch Tuesday. Had the rule been set for the second Wednesday, there would be no patching activity. A Patch-for-Patch release can be individually monitored in this scenario without disrupting the ADR ruleset.
    • Audience: These are technology-savvy folks, i.e. IT teams etc., who are well aware of the patching schedule & what needs to be done. This group also consists of critical app users with their systems in QA to report any potential issue.
  3. PROD:
    • Schedule: 2-3 weeks after Patch Tuesday. Manually move patches from the QA SUG to the PROD SUG by using the “Edit Membership” option. This goes in line with the change management process. I suggest always using a manual process for patch movement to PROD, as it gives a lot of control & fallback in case approvals are not granted for reasons including, but not limited to, outages, application issues, network problems or simply lack of approvals.
    • Audience: The whole village + distant hamlets.

DEV/LAB to QA movement of patches for the regular patch cycle

Unique scenario: DEV/LAB to QA movement accounts for the third Wednesday falling just one day after Patch Tuesday. Had the rule been set for the second Wednesday, there would be no patching activity. A Patch-for-Patch release can be individually monitored in this scenario without disrupting the ADR ruleset. This is a once- or twice-per-year scenario.
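As an added example (not from the original post), the following PowerShell works out the dates behind the dance routine for a whole year rather than just May 2024: Patch Tuesday (second Tuesday), the QA ADR run (third Wednesday, 3 pm), the Friday on which a Patch-for-Patch would typically land, and the PROD candidates 2-3 weeks after Patch Tuesday on change-approval days (Mon/Tue/Wed per the assumptions above), flagging the once- or twice-a-year months where the QA run is only one day after Patch Tuesday. It is plain date arithmetic with no SCCM dependency.

```powershell
# Added example, not from the original post: no SCCM dependency, plain date math.
function Get-NthWeekdayOfMonth {
    param(
        [Parameter(Mandatory)] [int] $Year,
        [Parameter(Mandatory)] [int] $Month,
        [Parameter(Mandatory)] [System.DayOfWeek] $DayOfWeek,
        [Parameter(Mandatory)] [int] $N
    )
    $first  = [datetime]::new($Year, $Month, 1)
    # Days from the 1st to the first occurrence of the wanted weekday.
    $offset = ([int]$DayOfWeek - [int]$first.DayOfWeek + 7) % 7
    return $first.AddDays($offset + 7 * ($N - 1))
}

function Get-AdrDanceCard {
    param([Parameter(Mandatory)] [int] $Year)
    foreach ($m in 1..12) {
        $patchTuesday = Get-NthWeekdayOfMonth -Year $Year -Month $m -DayOfWeek Tuesday -N 2
        $qaRun        = (Get-NthWeekdayOfMonth -Year $Year -Month $m -DayOfWeek Wednesday -N 3).AddHours(15)
        $patchFriday  = $patchTuesday.AddDays(3)                 # first Friday after Patch Tuesday
        $gapDays      = ($qaRun.Date - $patchTuesday).Days        # always 1 or 8
        # PROD: 2-3 weeks after Patch Tuesday, restricted to the change-approval days.
        $prodDays = 14..21 | ForEach-Object { $patchTuesday.AddDays($_) } |
                    Where-Object { $_.DayOfWeek -in 'Monday', 'Tuesday', 'Wednesday' } |
                    ForEach-Object { $_.ToString('ddd dd MMM') }
        [pscustomobject]@{
            Month          = $patchTuesday.ToString('MMM yyyy')
            PatchTuesday   = $patchTuesday.ToString('ddd dd')
            PatchFriday    = $patchFriday.ToString('ddd dd')
            QaAdrRun       = $qaRun.ToString('ddd dd HH:mm')
            GapDays        = $gapDays
            ProdCandidates = $prodDays -join ', '
            Note           = if ($gapDays -eq 1) { 'UNIQUE: QA runs the day after Patch Tuesday; watch Patch-for-Patch manually' }
                             else { 'regular cycle' }
        }
    }
}

# May 2024 comes out as Patch Tuesday 14th, QA run Wed 15th 15:00, GapDays 1 (the case in the post).
Get-AdrDanceCard -Year 2024 | Format-Table -AutoSize
```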

Classic CMG failed during conversion to VSS: recovery steps

Recently I attempted to convert a classic CMG to a Virtual Scale Set using the native SCCM conversion option. The conversion failed and I had to reach out to Microsoft for help and support.

Per Microsoft, I was not the only one facing this challenge. I am sharing the actions undertaken to recover from the failed conversion:

Problem: CMG went down after trying to upgrade from the classic cloud service to VSS to support the 2203 upgrade.

Resolution:

1. CMG showed an error state and the CMG connection point was disconnected in the SCCM console.

2. An attempt was made to remove the role from the site server and reconfigure the CMG, but it still failed.

3. It was observed that the classic cloud service had been upgraded to VSS on the SCCM side but had failed to provision the resources in Azure, as there were only the classic cloud service and storage in the resource group.

4. To recover the CMG, we reverted SCCM to the classic cloud deployment using the following query against the site database:

Update azure_service set Fqdn = '<CMG Service Name>', DeploymentModel = '1'

Note that the query as posted has no WHERE clause, so it touches every row in azure_service; back up the site database before running it and check the affected row count afterwards.

5. The CMG role was reinstalled on the server to take the changes into effect, and it worked after 5 minutes.

AutoPilot Script

I use this custom script to register Intune-enrolled devices for Autopilot. The hardware hash gets stored in a CSV file together with the GroupTag/OrderID needed.

# How to ignore the TPM and Secure Boot requirements in a Hyper-V lab VM
REG ADD HKLM\SYSTEM\Setup\LabConfig /v BypassTPMCheck /t REG_DWORD /d 1
REG ADD HKLM\SYSTEM\Setup\LabConfig /v BypassSecureBootCheck /t REG_DWORD /d 1

# Manually register a device for Autopilot: collect the hardware hash into a CSV with the group tag
New-Item -Type Directory -Path "C:\HWID"
Set-Location -Path "C:\HWID"
$env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
Install-Script -Name Get-WindowsAutoPilotInfo
Get-WindowsAutoPilotInfo -OutputFile AutoPilotHWID.csv -GroupTag DeskEng

# While OOBE is running, you can upload the hash directly from a command prompt
PowerShell.exe -ExecutionPolicy Bypass
Install-Script -Name Get-WindowsAutoPilotInfo -Force
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
Get-WindowsAutoPilotInfo -Online

# Troubleshooting & exporting logs
mdmdiagnosticstool.exe -area DeviceProvisioning -cab C:\Log.CAB
net use Z: \\ServerName\SharedLocation$
copy C:\Log.Cab Z:
# Copy that file from Z: to your local PC

# To view the log files:
Install-Script -Name Get-AutopilotDiagnostics -Force
Get-AutopilotDiagnostics -CABFile C:\temp\Log.Cab

Rename file from .odt to .ps1

Bypass 8 digit PIN lock requirement for Microsoft Exchange using Samsung Galaxy S6 Fingerprint scanner

In my previous blogs I have written about issues with the fingerprint scanner on the Samsung Galaxy S5 with Microsoft Exchange email. More and more people are asking for resolutions for the fingerprint scanner and the Microsoft Exchange 8-digit PIN requirement.

I will review two new apps to deal with the situation for the newer Samsung Galaxy S6 & Note 4 (tested) and also for other Android devices that have fingerprint scanners.

The issues have been persistent and common across the fingerprint scanners on Samsung Galaxy phones. This is one of the biggest challenges for new users who purchase Samsung phones and want to sync their professional emails. However, they are asked to set an 8-digit PIN for Microsoft Exchange instead of being allowed to use the fingerprint scanner to identify the phone user at the lock screen. This is one of the biggest letdowns for Android users and needs to be addressed by OEMs and Android dev teams. iPhone users do not face this problem, as the fingerprint recognition technology takes the 8-digit PIN requirement and maps it to the user’s fingerprint, thereby letting them log in and use MS Exchange.

The two apps are TypeMail and OWA WebMail. They work in a similar fashion to bypass the 8-digit PIN requirement but have their pros and cons at the security level, which I will discuss:

TypeMail (formerly BlueMail)

TypeMail is a beautiful app which gets the job done quickly. You can also configure Gmail, Yahoo Mail, Outlook, AOL, and Exchange accounts. The best part is, it is free!
The app looks very similar to the Gmail Android app, and you can do all the basic functions, including tasks. The email configuration is very simple and does not ask for the 8-digit PIN on the phone’s lock screen. It lets you use your fingerprint scanner to log in to the phone and never prompts for the 8-digit PIN. The app also integrates well with Android watches, so you can also see your Exchange emails on your watch. I would say the design and layout are impressively beautiful.

TypeMailFeatures

Mark your emails as read, archive them or even delete them from the app. You can also view all your folders, which can be synced along with tasks. Features like mobile printing and signatures are available too. One of the features I personally like is snoozing emails to view later.

The calendar feature is not available; that is addressed in the next app review.

TypeMail

From a security point of view, TypeMail is designed to help you manage all your email accounts. Whenever you link an email account, for example Gmail or Microsoft Exchange, TypeMail takes the information and securely accesses the account but keeps it temporarily on their server. Unfortunately, this credential data is stored on TypeMail’s servers, which leads to the security concern.

If you have very strict email confidentiality requirements at your office, I would NOT recommend using the app. If you are fine using a third-party server to securely access your personal & professional emails, then read the disclaimer on the TypeMail website. Some professional organizations have a high degree of security restrictions and might not allow you to use TypeMail. It’s like sharing your user ID and password with a third party.

OWA WebMail (Secured & supports calendar)

This snazzy little app does wonders from a security point of view & I highly recommend it. This app is not aesthetically beautiful but gets the job done most efficiently. The bonus is that you can sync your calendars too, which is not possible in any other app that I have seen so far. Most of the apps available on Google Play do not work with the Microsoft Exchange calendar. However, there is a way to bypass the calendar issue, which can be found in my previous blog.

Tasks & folders views are available too. It is free, but you will see small advertisements at the bottom, which is OK for me.

OWA Webmail

How does it work?

Outlook Web App is an extension of Microsoft Exchange Server that gives access over the internet through a web interface. Many organizations use this feature so users can connect without the Microsoft Outlook software when they are remote or when they don’t have office laptops.

OWA WebMail uses this web interface to access your email and parses it into a different layout that looks like your regular phone email app. The data and all secured information are not stored on their server, reducing the security concerns faced by organizations and by you. It helps in accessing information exactly the same way Outlook Web App would. It’s similar to using web email in Internet Explorer on a laptop. The IT security policies and protocols are not affected while using this app. The information synced from your phone to the Outlook server is secured.
The downside is some minor bugs that make you log in again sometimes, as it intermittently loses the connection. Your email ID & settings are stored locally on the phone within the application, and it might require an extra click to log in. This extra click on the login button is not a big task and is a good trade-off if you really want your professional emails to be secured.

Get it here on Google Play: OWA Webmail

The above two apps bypass the 8-digit PIN requirement for Microsoft Exchange on Android lock screens. I am not sure how soon Samsung or Android will address this concern. Their development teams need to imitate the security protocol used by the iPhone fingerprint scanner. So far, the four applications found and highlighted in my previous blogs have got a lot of traffic on the Internet and on my blog. The reviews have helped thousands of users across many countries to access their professional emails with ease and without worrying about security teams restricting usage.

Please feel free to leave comment or like my blog.

How to install Windows 10 preview version on VirtualBox

Installing Windows 10 on a Surface Pro 2 is easy and fast. I used VirtualBox to create a virtual machine for Windows 10. The entire process took no more than 10 minutes on my Surface Pro 2. Considering this is only a preview version, I would say the more modified and updated Windows 10 will take a little more time once it’s available. One would not want to install this preview version on top of your current machine, and it is not recommended. Going the virtual machine route is the safest way to save your data in case something crashes.

You can download the Technical Preview from here

http://windows.microsoft.com/en-us/windows/preview


To start, install VirtualBox and create a ‘New’ virtual machine.

Name it whatever you feel like. I selected Windows 8.1 (64-bit) as the version for testing purposes.


Select how much RAM you want to give the virtual machine. I arbitrarily selected 3132 MB.


Create a virtual hard disk:


My preferred disk format for running VMs is VDI.


The following were the final settings of the VirtualBox VM and VDI:


Now, click Start and you will be prompted to select a virtual disk file or a Windows 10 Preview CD.


RESOLVED: Galaxy S5 , NOTE 4 finger print scanner issue with MS Exchange Calendar

***Please see my latest review for OWA WebMail app that bypasses Calendar issue***

We are all excited about our new Samsung Galaxy S5 & Note 4 and how awesome its fingerprint scanner is. I got my S5 on day 1 of deliveries and was very disappointed that my corporate Exchange email restricts me to typing an 8-digit PIN.

I am not a big fan of the Apple iPhone and really wanted Samsung to come up with fingerprint recognition. The 8-digit PIN for unlocking your phone is a pain in the you-know-where, and I pray to Microsoft & Samsung developers to make things simple and uncomplicated. Please read my previous article for more details.

I used the CloudMagic app to fix this problem, but CloudMagic does not support syncing calendars. To solve this, I wrote a PowerShell script to get the job done, but the bigger problem was letting it run in the background every 30 minutes. This would eat up my RAM (I use a Surface Pro 2 and have to think about saving memory/juice). After more searching I found this solution on YouTube, and it is exactly the thing I was looking for.

Google Calendar Sync is the utility, and it’s a life saver!! Download it here


I am grateful to Mike Senn for putting this amazing video together explaining how to install and configure the software. A big thanks!

The utility stays open in the notification area and keeps syncing the calendar every 30 minutes (or whatever interval you set).


Although Google already had some good suggestions available, Mike’s answer is the easiest for all those new Galaxy S5 & Microsoft Exchange corporate users. Now I can sync my Google calendar to Microsoft Outlook and vice versa. So, I have CloudMagic to help sync email & Google Calendar Sync to synchronize the calendar.

Alternatively, one can also try another method:

1. Use CloudMagic to read & write your email.

2. As CloudMagic does not support the calendar, use TouchDown HD to track calendar entries as a widget + check emails.


Let the two apps sync emails/calendar/tasks and optimize them together to decrease bandwidth usage.

It enables you to view the calendar without putting in an 8- or 4-digit PIN using TouchDown HD, and on the other hand you can check emails using CloudMagic.

Looks like a win-win argument?!

Let me know how this turns out with your organizational/exchange challenges.

RESOLVED: GALAXY S5, NOTE 4 fingerprint scanner does not work with Microsoft Exchange

UPDATE 06/11/2015:

Please see my reviews of two better apps which resolve the fingerprint scanner issue for Exchange.



I have been going through a lot of articles about how awesome the new Galaxy S5 is, and being a techie I am not completely happy with my new Galaxy S5. Samsung has worked hard and spent a good amount of time creating its fingerprint recognition, and I must say, they have FAILED in copying it from Apple’s Touch ID. The fingerprint scanner Samsung refers to is the new fingerprint sensor made to fit close to the Home button. This technology previously existed on the Motorola Atrix, iPhone 5S and phones from some other makers. However, there were issues with fingerprint recognition on them. Unfortunately Samsung has disappointed me, as I heavily depend on my corporate emails. The corporate email forces a phone to have an 8-DIGIT (YES, 8 digit!!!) PIN to maintain security. Punching in 8 DIGITS after every 14 minutes just doesn’t make sense. The iPhone 5S did have a solution to this, where the fingerprint is mapped to the 8 digits in the background. To my disappointment, the Samsung Galaxy S5 and NOTE 4 do it in a different way and hence defeat the purpose of having fingerprint recognition in a phone.


Overall, the idea of having fingerprint recognition is not new, but it solves a lot of problems for end users if implemented well. Going by Samsung’s legacy of great innovations, the problem should have been addressed. This issue can easily be addressed with a patch, and fingerprint recognition can have a logical mapping to digit-based PINs.

The problem with Microsoft Exchange

My organization and a lot of major organizations around the world rely on Microsoft Exchange for email communications. The most common prerequisite for Microsoft Exchange in such organizations worldwide is a 4-digit or 8-digit PIN or passcode requirement.


I have been using Nokia’s Symbian devices, the Samsung Galaxy S2 and the Apple iPad for a good number of years. Microsoft has not addressed this problem till now, and no matter how many online searches I have done so far, I have not found a solution to skip this requirement. I am afraid that, as an avid user of Microsoft Exchange for my email requirements on a minute-to-minute basis, I will have to use the numeric PIN code instead of fingerprint recognition. This was the case with my Samsung Galaxy S2 phone as well, where I could never use the pattern lock and was still jealous of my other friends who did not have Exchange configured on their phones. I would love to see Microsoft address the problem, and I do not blame Samsung for the mess. But, for me, the purpose of an upgrade has been defeated. For now, Samsung, please fix this problem!

Solution, as an update on 04/11/2014: I installed a free app called CloudMagic from the Google Play Store, and it is able to ignore the 8-digit PIN requirement altogether. You can find the app here on the Play Store.

Update1: The calendar sync problem has a solution from Google. Please read my next article on Google Calendar Sync.

Update2: **Check my latest review of two more apps which resolve this issue for all Android fingerprint scanners**

Windows 8.1 Update

Microsoft has started the download of the Windows 8.1 Update today (04-08-2014) using its Windows Update method. The much anticipated update will bring some very nice changes to the UI for mouse and touch users. I currently use a Microsoft Surface Pro 2 and have downloaded the update from the Windows Store.

How to get the free update

You can download the free update from the Windows Store.

  1. Go to the Start screen, and tap or click the Store tile.
  2. In the Store, tap or click the Windows 8.1 or Windows RT 8.1 update. If you don’t see the update on the Store home screen, see Why can’t I find the update in the Store?
  3. Tap or click Download.
  4. The download will start automatically.


Based on the Microsoft website, there are lots of new features that show distinct improvements over the previous version. Some of them are life savers:

1. Power & Search buttons on the Start screen

2. A better looking Taskbar for Open & Pinned apps with START button

3. Much awaited minimize & Close button

4. A more intuitive tile with right-click functionality like previous Windows operating systems.

5. Better Security

The good thing is that this update is free of cost. The other good thing I observed is that Microsoft has started listening to its customer base. Be it Windows 8.1 phones or the Windows 8.1 Update for laptops, Microsoft is trying its best to cater to users’ demands. The introduction of Cortana & other great features in Windows 8.1 only makes Microsoft stronger against Apple & Samsung in the phone segment. The shift in strategy is a clear indication of product improvement, and that too in time.