Holy Cow! Why on Earth Did You Do That?
Kent Agerlund, CT Global, Blog.Coretech.global
Jason Sandys, CT Global, home.configmgrftw.com

Kent Agerlund (@Agerlund): MVP & Regional Director, 20+ years, Never Walk Alone
Jason Sandys (@JasonSandys): MVP for 8 years, 20+ years, Glory Glory, Man United
Agenda

Client Agent Promotion

Tried to Promote the Client Agent Without Proper Permissions
- Requires the Full Administrator role, assigned to All Scopes
- If all else fails, use the site installation account
Deleted the Site Installation Account
Point the orphaned admin record at a new account's SID (SQL from the slide):

USE <CM DB Name>
GO
-- List the existing administrators with their SIDs
SELECT AdminID, AdminSID, LogonName, DisplayName FROM RBAC_Admins
GO
-- Point the orphaned record at the new account; supply the SID in the same form the SELECT above returns
UPDATE RBAC_Admins SET AdminSID = '<New Admin Account SID>' WHERE AdminID = <Old AdminID>
GO
WSUS Needs Love Too (demo)

Ignored WSUS
- The DB is your precious
  - Decline superseded and Itanium updates
  - Re-index the database and rebuild statistics
  - Database location, shared database, license type and compatibility level
- Configure the IIS app pool
  - Queue length
  - Private memory limit
- Shared database with multiple WSUS servers: https://blogs.technet.microsoft.com/configurationmgr/2016/10/12/how-to-implement-a-shared-susdb-for-configuration-manager-software-update-points/
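The cleanup the slide lists, as an added example (not from the deck): decline superseded and Itanium updates through the WSUS API and apply the two WsusPool settings. It assumes you run it on the WSUS server with the UpdateServices and WebAdministration modules; the server name, port and the numeric values 2000 and 0 are assumptions, not figures from the slide.

```powershell
# Added example: WSUS housekeeping from the "Ignored WSUS" slide.
# Assumptions: run elevated on the WSUS server itself; adjust server/port.
param(
    [string]$WsusServer = 'localhost',   # assumed: local WSUS server
    [int]$Port = 8530,                   # assumed: default non-SSL WSUS port
    [switch]$UseSsl,
    [switch]$WhatIfOnly                  # report only, decline nothing
)

Import-Module UpdateServices
Import-Module WebAdministration

$wsus = Get-WsusServer -Name $WsusServer -PortNumber $Port -UseSsl:$UseSsl

# The DB is your precious: every live update is one more row for clients to
# scan and for SUSDB to index, so decline what nobody can use any more.
$declined = 0
foreach ($u in $wsus.GetUpdates()) {
    if ($u.IsDeclined) { continue }
    $isItanium = $u.Title -match 'Itanium|ia64'
    if ($u.IsSuperseded -or $isItanium) {
        if ($WhatIfOnly) {
            Write-Output ("Would decline: {0}" -f $u.Title)
        } else {
            $u.Decline()
        }
        $declined++
    }
}
Write-Output ("Superseded/Itanium updates declined: {0}" -f $declined)

# IIS app pool: raise the queue length and lift the private memory limit so
# WsusPool stops recycling under scan load. 2000 and 0 (unlimited) are the
# commonly used values, assumed here.
if (-not $WhatIfOnly) {
    Set-ItemProperty 'IIS:\AppPools\WsusPool' -Name queueLength -Value 2000
    Set-ItemProperty 'IIS:\AppPools\WsusPool' -Name recycling.periodicRestart.privateMemory -Value 0
}
Get-ItemProperty 'IIS:\AppPools\WsusPool' |
    Select-Object queueLength, @{n='privateMemoryKB'; e={ $_.recycling.periodicRestart.privateMemory }}

# Re-index and rebuild statistics: run Microsoft's WsusDBMaintenance.sql
# against SUSDB with sqlcmd, e.g. on the Windows Internal Database:
#   sqlcmd -S np:\\.\pipe\MICROSOFT##WID\tsql\query -i WsusDBMaintenance.sql
```

Run it once with -WhatIfOnly to see what would be declined before letting it change the catalog.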
Windows 10 Feature Update Deferral

Deferred Windows 10 Feature Updates Prematurely
- Deploy feature updates instead: a configured feature update deferral policy enables Dual-Scan, which can (and does) break updates in ConfigMgr
- https://blogs.technet.microsoft.com/windowsserver/2017/01/09/why-wsus-and-sccm-managed-clients-are-reaching-out-to-microsoft-online/
- https://blogs.technet.microsoft.com/wsus/2017/05/05/demystifying-dual-scan/

Feature Update Deferral Policies
- Meant for Windows Update for Business
- Stored under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: DeferFeatureUpdate, DeferFeatureUpdatePeriodInDays, DeferQualityUpdate, DeferQualityUpdatePeriodInDays, PauseFeatureUpdate, PauseQualityUpdate, DeferUpgrade, ExcludeWUDriversInQualityUpdate

Dual-Scan
- What is it: the Windows Update Agent (WUA) automatically scans against both WSUS and Windows Update (WU). Anything on WSUS that resides in the "Windows" product family is ignored by the Dual-Scan client.
- When is it enabled: "Specify intranet Microsoft update service location" (i.e., WSUS) is configured, and either of the Windows Update for Business policies ("Select when Feature Updates are received" or "Select when Quality Updates are received") is set*.
- Why enable it: Windows updates come from the cloud; light and automated management.
* Whether the policy is set to Enabled or Disabled.

Reversing Dual-Scan
1. Set all Windows Update for Business policies to Not Configured. This ensures that you are not in Dual-Scan mode.
2. Verify that you have installed the November 2016 Cumulative Update for 1607, or any more recent Cumulative Update.
3. Enable the group policy System/Internet Communication Management/Internet Communication settings/Turn off access to all Windows Update features.
4. In an elevated command prompt, run "gpupdate /force", followed by "UsoClient.exe startscan".
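A read-only check for the Dual-Scan conditions described above and for the reversal steps, as an added example (not from the deck). It reads the policy key the slide names; the DisableWindowsUpdateAccess and DisableDualScan value names are from Windows, not from the slide, and the function name is the author's own.

```powershell
# Added example: is this client in Dual-Scan mode? Run elevated; read-only.
function Get-DualScanState {
    $wuPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auPol = Join-Path $wuPol 'AU'

    $wu = Get-ItemProperty -Path $wuPol -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auPol -ErrorAction SilentlyContinue

    # "Specify intranet Microsoft update service location" writes WUServer
    # plus AU\UseWUServer=1.
    $wsusConfigured = ($null -ne $wu -and -not [string]::IsNullOrEmpty($wu.WUServer)) -and
                      ($null -ne $au -and $au.UseWUServer -eq 1)

    # Deferral/pause values as listed on the slide. Windows writes some of
    # them in plural form (DeferFeatureUpdates, ...), and an Enabled or a
    # Disabled policy both leave a value behind, so match by name pattern.
    $pattern = '^(Defer|Pause)(Feature|Quality|Upgrade|Update)|^ExcludeWUDriversInQualityUpdate$|^BranchReadinessLevel$'
    $deferralValues = @()
    if ($null -ne $wu) {
        $deferralValues = @($wu.PSObject.Properties.Name | Where-Object { $_ -match $pattern })
    }

    # Step 3 of the reversal ("Turn off access to all Windows Update
    # features") sets DisableWindowsUpdateAccess=1. DisableDualScan=1 is a
    # later policy value (not on the slide) that also suppresses Dual-Scan.
    $wuAccessOff     = ($null -ne $wu -and $wu.DisableWindowsUpdateAccess -eq 1)
    $disableDualScan = ($null -ne $wu -and $wu.DisableDualScan -eq 1)

    [pscustomobject]@{
        WsusConfigured      = $wsusConfigured
        DeferralPolicies    = $deferralValues
        WUAccessTurnedOff   = $wuAccessOff
        DisableDualScan     = $disableDualScan
        DualScanActive      = $wsusConfigured -and ($deferralValues.Count -gt 0) -and -not $disableDualScan
    }
}

$state = Get-DualScanState
$state | Format-List
if ($state.DualScanActive) {
    Write-Warning 'Dual-Scan conditions met: set the WUfB policies to Not Configured and follow the reversal steps.'
}
```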
Site Role Location: MP and SUP

Placed MPs and SUPs at Remote Locations
- MPs and SUPs are not meant for remote locations
- Know your client traffic: inventory, state/status messages, policy, update scan/catalog, content
- Don't over-complicate your infrastructure
Best Way to Get Rid of Old Server OSes

Used a Migration to Get Off of Windows Server 2008 or 2008 R2
- Windows Server 2008 and 2008 R2 are not supported for ConfigMgr CB 1702+
- Options: migrate, in-place OS upgrade, site backup and restore

OS Change Pros and Cons (compared across Migrate / OS Upgrade / Site Restore)
- Fully supported
- Preserves all configurations
- Reinstallation of site roles: All / Some / None
- Redeployment or reconfiguration of clients
- Downtime required
- Easy fallback
- Requires new hardware or virtual machine
- Shared DPs or content re-distribution across WAN
- Involves "risky" OS in-place upgrade
CBB Is CB by Another Name

Looked for CBB and CB Updates
- Deferral policy != CBB or CB
- CBB = CB + latest CU
- Updates apply to the Windows 10 version, not the servicing branch
- Coming soon: "Semi-Annual Channel (Pilot)" and "Semi-Annual Channel (Broad)"
Internet Clients Are the Norm

Cloud Management Gateway
- Problem: remote, roaming user system management, with support for key features like software update management, machine policy and inventory
- ConfigMgr solution today: traditional Internet Based Client Management (DMZ; way too complex) or VPN (hmmmm, it's not the 00's anymore; wake up)
- 1606: we support machine policy, content, updates and client notification

What You Need to Know
- Azure subscription
- Certificates
- Firewall: port 443 outbound to Azure
- Scaling: a single VM by default, can be modified to 16; multiple CMG services per site
- https://docs.microsoft.com/en-us/sccm/core/clients/manage/setup-cloud-management-gateway
- https://github.com/Microsoft/SCCMdocs/blob/master/sccm/core/clients/manage/plan-cloud-management-gateway.md
Notes: We build the channel with HTTPS or TCP-SSL from the proxy connector to the proxy service. Once the channel is established, the proxy service can forward the client request and get the response from the proxy connector. It handles synchronous calls from clients. 4k per CMG VM instance is supported in 1610; a Standard_A2 VM is created.
What to Configure
1. PKI: play the certificate game
2. Configure CMG in the console; this provisions the service in Azure
3. Create the CMG connector on-prem, establishing the outbound connection from on-prem to Azure
4. Configure site systems (MP & SUP)
Demo: log into Azure and show the management certificate; log into ConfigMgr and show the management gateway properties; show site system properties for MP/SUP; show the software update deployment; switch to the client and show policyagent.log; show Software Center; install a software update and check the download URL; show the CMG interface, traffic and number of client connections.
What Can Go Wrong
- PKI environments with a sub-CA: broken CA chain; look for 403 (the intermediate cert must be uploaded)
- Software update scanning: defined data chunk not big enough; look for 413 (request entity too large) in the Azure host IIS log, e.g.
  2017-03-13 07:00:39 W3SVC1273337584 RD00155D563B24 POST /CCM_Proxy_ServerAuth/72057594037927953/ClientWebService/client.asmx - 443 - HTTP/1.1 Windows-Update-Agent/10.0.10011.16384+Client-Protocol/1.40 - - via001cmg.cloudapp.net 413 0 0 357 14260 187
- Troubleshooting: Azure host IIS log files; client log files (wuahandler.log, ccmmessaging.log, scanagent.log, policyagent.log)
- http://blog.coretech.dk/kea/cloud-management-gateway-with-sub-ca/
- http://blog.coretech.dk/kea/software-update-scan-error-using-cloud-management-gateway/
Demo (software update issue): client log file wuahandler.log; log into Azure, ProxyEndpointConfig; open SQL and execute the script below, make a change in the CMG configuration and monitor cloudmgr.log; then ccmmessaging.log on the client.
  update Proxy_EndpointDefinition set RequestLimitContentLength=1048576 where Name='ClientWebService'
  select * from Proxy_Settings
Demo (certificate issue): log into Azure, enable RDP, show the IIS log files, show the certificates; the chain is broken, so the intermediate cert must be uploaded.
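Triage of the two failure signatures above over W3C log lines from the CMG Azure host, as an added example (not from the deck or the product). The #Fields header, the 403 line and the 200 line are constructed to match the field order of the slide's 413 line, which is quoted as-is; the function name and hint texts are the author's own.

```powershell
# Added example: flag 403 (CA chain) and 413 (RequestLimitContentLength too
# small) on the CCM_Proxy paths in a CMG IIS log. Sample lines constructed
# except the 413 line, which is the one shown on the slide.
$sampleLog = @'
#Fields: date time s-sitename s-computername cs-method cs-uri-stem cs-uri-query s-port cs-username cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2017-03-13 07:00:39 W3SVC1273337584 RD00155D563B24 POST /CCM_Proxy_ServerAuth/72057594037927953/ClientWebService/client.asmx - 443 - HTTP/1.1 Windows-Update-Agent/10.0.10011.16384+Client-Protocol/1.40 - - via001cmg.cloudapp.net 413 0 0 357 14260 187
2017-03-13 07:01:02 W3SVC1273337584 RD00155D563B24 POST /CCM_Proxy_MutualAuth/72057594037927953/ccm_system/request - 443 - HTTP/1.1 ccmhttp - - via001cmg.cloudapp.net 403 16 2148204809 1245 812 31
2017-03-13 07:01:10 W3SVC1273337584 RD00155D563B24 GET /CCM_Proxy_MutualAuth/72057594037927953/SMS_MP/.sms_aut - 443 - HTTP/1.1 ccmhttp - - via001cmg.cloudapp.net 200 0 0 402 511 15
'@

function Find-CmgProxyErrors {
    param([string[]]$Lines)
    $fields = @()
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {             # column names come from the header
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($line -like '#*' -or $line.Trim() -eq '' -or $fields.Count -eq 0) { continue }
        $values = $line -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }   # skip malformed lines
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row['cs-uri-stem'] -notlike '/CCM_Proxy_*') { continue }

        $hint = $null
        if ($row['sc-status'] -eq '403') {
            $hint = 'Certificate/CA chain problem: verify the chain and upload the intermediate cert'
        } elseif ($row['sc-status'] -eq '413') {
            $hint = 'Request body of {0} bytes rejected: raise RequestLimitContentLength for ClientWebService' -f $row['cs-bytes']
        }
        if (-not $hint) { continue }

        [pscustomobject]@{
            Time      = "$($row['date']) $($row['time'])"
            Status    = "$($row['sc-status']).$($row['sc-substatus'])"
            Uri       = $row['cs-uri-stem']
            UserAgent = $row['cs(User-Agent)']
            Hint      = $hint
        }
    }
}

Find-CmgProxyErrors -Lines ($sampleLog -split "`r?`n") | Format-List
```

Against a real log, replace the here-string with Get-Content on the u_ex*.log file; the header-driven parsing copes with a different field order.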
Long Term Sounds Good

Used ConfigMgr LTSB
- Why use LTSB: your company thinks it's saving money by not buying Software Assurance
- Why not use LTSB: many features removed; not entitled to the latest Current Branch builds

Features Removed in LTSB
- In-console updates that add new features and improvements
- Support for newly released operating systems to use as site servers and clients
- Use of a Microsoft Intune subscription to support Intune in a hybrid mobile device management (MDM) configuration, and on-premises MDM
- The Windows 10 Servicing Dashboard and Servicing Plans, including support for recent Windows 10 Current Branch (CB) and Current Branch for Business (CBB) versions
- Support for future releases of Windows Server and Windows 10 LTSB
- Asset Intelligence
- Cloud-based distribution points
- Exchange Online as an Exchange Connector
The Pointy-Haired Guy Is Always Right

Believed Your Manager When She Told You to Reach 100% Compliance Before the End of the Day
- Know your enemies: health, activity, visualization

And Some Real Crazy Stuff
- Agent settings: enabling all hardware classes; running software inventory once per hour; running hardware inventory every 15 minutes
- Configuring BITS to an insanely low number
- Rebuilding WMI on a daily basis
- Never creating a new reference image
- Running SQL with default settings
- Using the same domain account for all ConfigMgr purposes
- Enabling F8 in the WinPE image
- Configuring everyone as Full Administrator in the console