PowerShell Template–Because we all want some sort of consistency!

Does your company have a lot of PowerShell scripts? Do they all follow the same template? No? You are not alone.

In my experience, troubleshooting scripts is much easier if all the scripts have the same look.

This script not only logs errors to a file, but can also be run in verbose mode so that the errors display in the PowerShell session.

SCCM Training part 4

Topic:  SCCM HTTPS, IBCM, CloudDP, and Cloud Management Gateway

https://docs.microsoft.com/en-us/sccm/core/plan-design/network/example-deployment-of-pki-certificates

https://docs.microsoft.com/en-us/sccm/core/plan-design/network/pki-certificate-requirements

https://docs.microsoft.com/en-us/sccm/core/clients/manage/setup-cloud-management-gateway

https://blogs.technet.microsoft.com/arnabm/2016/12/19/step-by-step-cloud-management-gateway/

https://docs.microsoft.com/en-us/sccm/core/servers/deploy/configure/install-cloud-based-distribution-points-in-microsoft-azure

Question: do you have to reinstall the client after IBCM? Answer: Yes.

SCCM Training–Part 3

Followed this guide and built an Azure Dev Test Lab – https://www.verboon.info/2017/02/deploying-configmgr-current-branch-in-azure-dev-test-lab/

Another great link for lab environments: https://technet.microsoft.com/en-us/windows/mt604890.aspx

Good link from Brian Mason on OCSP! Do it!!

https://arstechnica.com/information-technology/2017/07/https-certificate-revocation-is-broken-and-its-time-for-some-new-tools/

Save this link for the rest of your life!!! Perfect step by step on setting up a two tier PKI environment and OCSP.

I would provide more notes, but honestly the link has it all.

https://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx

The one thing I would change is the CAPolicy.inf files the guide references.

The Offline RootCA CAPolicy.inf should look like this (the Signature line belongs under a [Version] header, as in the subordinate file below):

[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
AlternateSignatureAlgorithm=0

The other stuff they have in the guide is meant more for internet based PKI, which you are not doing.

I would install the Offline RootCA as follows:

On the offline root machine install ADCS – Certificate Authority

Standalone CA

Root CA

Configure new Private Key

RSA@Microsoft Software Key Storage Provider

SHA2

Key length 4096

Name of CA: azEmptyGardenRootCA

Validity period- 20 Years

Database location- default

RootCA Post Installation

Certutil -setreg CA\DSConfigDN "CN=Configuration,DC=azEmptyGarden,DC=BTLS"
Certutil -setreg CA\CRLPeriodUnits 6
Certutil -setreg CA\CRLPeriod "Months"
Certutil -setreg CA\CRLDeltaPeriodUnits 0
Certutil -setreg CA\CRLOverlapPeriodUnits 12
Certutil -setreg CA\CRLOverlapPeriod "Hours"
Certutil -setreg CA\ValidityPeriodUnits 20
Certutil -setreg CA\ValidityPeriod "Years"

NOTE: The CRLPeriod of 6 months means that the Offline RootCA needs to be booted up once every six months to sign a new CRL and copy it to the Subordinate CA, otherwise the root CRL expires and revocation checking of the subordinate CA certificate fails.

Subordinate CA – CAPolicy.inf file

[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=0


Subordinate CA install

Install ADCS – This will be the Subordinate CA

Certification Authority only

Configure the Certification Authority

Enterprise CA

Subordinate CA

Create a new private key

Key length: 4096

Name of CA: azEmptyGardenIssuingCA

IIS Log File Cleaning

The other day I noticed that my SCCM Site Server’s C drive was almost full.  After some searching, I found that the directory C:\Inetpub\Logs\Logfiles was consuming all of the drive space.

Now, I don’t recall ever being told to clean IIS Log Files, but all of my peers seem to know about it!!  Thus, that makes me…uh…..well….late to the game at the very least!!

Here is a great document on IIS Log File Cleaning.  Don’t be like Matthew.  Clean your log files!

https://docs.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/managing-iis-log-file-storage

ConfigMgr Training–Session 2

Supported configurations for SCCM – https://docs.microsoft.com/en-us/sccm/core/plan-design/configs/supported-configurations

SQL version comparison – https://www.microsoft.com/en-us/sql-server/sql-server-2016-editions

Remember, format your SQL Data, Log, and TempDB drives with a 64 KB allocation unit size. To see the current NTFS block size: fsutil fsinfo ntfsinfo [your drive]

SQL Server Management Tools – https://docs.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms

SQL Server Data Tools – https://docs.microsoft.com/en-us/sql/ssdt/download-sql-server-data-tools-ssdt

Random note: Am I the only one who had their drive fill up with IIS logs? Yes? Wow!! Learn something every day. (Though, it seems I should have learned this years ago!!)

IIS Logs Maintenance – https://docs.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/managing-iis-log-file-storage

Use Managed Service Accounts (MSA) for SQL Services.

Example:

Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
New-ADServiceAccount -Name MSA_SQLServer -DNSHostName MSA_SQLServer.tEmptyGarden.btls -PrincipalsAllowedToRetrieveManagedPassword TTEE-CM1$
Enter-PSSession -ComputerName TTEE-CM1
Install-ADServiceAccount MSA_SQLServer
setspn -L tEmptyGarden\MSA_SQLServer$
setspn -S MSSQLSvc/ttee-cm1.tEmptyGarden.btls tEmptyGarden\MSA_SQLServer$
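A check script for the MSA steps above, added here as an example and not part of the original post. It assumes the names used on this page (account MSA_SQLServer, SQL host TTEE-CM1, domain tEmptyGarden.btls) and that the ActiveDirectory module is available on the SQL host:

```powershell
# Added example: verify the gMSA setup before pointing the SQL services at it.
# Assumed names (from the page): account MSA_SQLServer, host TTEE-CM1, domain tEmptyGarden.btls.
Import-Module ActiveDirectory

$account = 'MSA_SQLServer'
$sqlHost = 'TTEE-CM1'
$expectedSpn = 'MSSQLSvc/ttee-cm1.tEmptyGarden.btls'
$problems = @()

# 1. A KDS root key must be effective now, or the managed password cannot be generated.
#    (The -10 hours trick above only makes sense in a lab; in production wait the full 10 hours.)
$effectiveKey = Get-KdsRootKey | Where-Object { $_.EffectiveTime -le (Get-Date) }
if (-not $effectiveKey) { $problems += 'No KDS root key is effective yet.' }

# 2. Only the SQL host should be allowed to retrieve the managed password.
$msa = Get-ADServiceAccount -Identity $account `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames
$allowed = @($msa.PrincipalsAllowedToRetrieveManagedPassword |
    ForEach-Object { (Get-ADObject -Identity $_).Name })
if ($allowed -notcontains $sqlHost) { $problems += "$sqlHost cannot retrieve the password." }
$extra = $allowed | Where-Object { $_ -ne $sqlHost }
if ($extra) { $problems += "Extra principals can retrieve the password: $($extra -join ', ')" }

# 3. The account must be installed on this host (Install-ADServiceAccount ran here).
if (-not (Test-ADServiceAccount -Identity $account)) {
    $problems += "$account is not usable on $env:COMPUTERNAME."
}

# 4. The SQL SPN must be on the gMSA, otherwise clients fall back to NTLM or fail Kerberos auth.
if ($msa.ServicePrincipalNames -notcontains $expectedSpn) {
    $problems += "SPN $expectedSpn is not registered on $account."
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host "gMSA $account looks good on $sqlHost." }
```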

SCCM Sizing Guide:   http://blog.coretech.dk/kea/system-center-2012-configuration-manager-sql-recommendations/

OLA:  https://ola.hallengren.com/

Optimizing SQL:  https://stevethompsonmvp.wordpress.com/2016/11/29/optimizing-sccm-databases-revisited/

Windows ADK:  https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install

ADK fix:  https://blogs.technet.microsoft.com/configurationmgr/2017/04/14/known-issue-with-the-windows-adk-for-windows-10-version-1703/

SCCM Requirements step by step:  https://www.systemcenterdudes.com/sccm-2012-r2-installation-prerequisites/

Windows 10 Versions:  https://support.microsoft.com/en-us/help/4018124

Next class:  Go through the Administration node in the SCCM console, PKI, CloudDP, Cloud Management Point, SCCM certificate management point

Future meeting topics:

Endpoint Protection

Application deployment and the App Deployment Toolkit

MBAM

The Compliance Setting Node

SCCM Fast Ring–Good or Bad (hint….bad!)

Last week I noticed that a colleague of mine had upgraded their SCCM environment to 1706.  This person manages well over 100,000 endpoints, so I figured 1706 was good to go.  Nope!

First, a bit of information regarding fast ring and regular ring.  Fast Ring for ConfigMgr is technically beta.  This means that even though you can put it in your production environment, you might want to wait.  Just like Windows 10 servicing, the Fast Ring will go production four months after the release.  In between……well, therein lies the problem.  You will most definitely get hotfixes every now and then while on Fast Ring, but you may also run into this:

https://support.microsoft.com/en-us/help/4039380/update-for-system-center-configuration-manager-version-1706-first-wave

“This update is available in the Updates and Servicing node of the Configuration Manager console for environments that were installed by using first wave (Fast Ring) builds of version 1706 downloaded between August 8 and August 11, 2017.”  According to the product team, only about 50 SCCM infrastructures were affected.  Guess who was part of the 50!

I installed SCCM 1706 on Friday August 11th.  Thus, I fell into one of the 50 that needed the hotfix.  Until today we were not able to install applications from the Software Center or OSD.  That, as you can imagine, was bad!

Lesson learned:  Perhaps don’t install SCCM Fast Ring unless you really really really need it and even then, be prepared for some issues from time to time until the release is full production.

Reading Task Sequence Variables in WinPE

Now and then you may have a need to read a task sequence variable during the OSD process. Today was one of those days. I had just modified a step in my task sequence and used the variable %OSDisk%. Well, the task failed. So……I put a pause in the task sequence and used PowerShell to find the variable. Turns out, there isn’t an OSDisk variable once the OS is dropped.

To see the variables and their values:

· Your WinPE boot image needs to have PowerShell on it

· In WinPE hit F8 to open a command prompt

· Type PowerShell to….well, you know, open PowerShell!!

$tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment

foreach ($i in $tsenv.GetVariables()) { "$i = " + $tsenv.Value($i) | Out-File -FilePath X:\Windows\Temp\SMSTSLog\TSVar.log -Append }

At this point you can use CMTrace to open and view the file.

If you just want to see the value of one TS Variable: $tsenv.Value("OSDTargetSystemDrive") for example.

Notes: The log file created has a ton of duplicate variables and values. Not sure why, and really don’t care either!! All I wanted to do was find the value for where the Operating System is. I have no idea if I will ever need to query TS Variables again, but good to know that I can!
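A variant of the dump above that drops the duplicate lines and masks credential-bearing variables before they land in a plain-text file on the WinPE RAM disk, added here as an example and not part of the original post. The list of name patterns to redact is an assumption to adjust for your environment:

```powershell
# Added example: dump task sequence variables from WinPE, deduplicated, with secrets masked.
# TS variables can carry join passwords and network access account credentials, and
# X:\Windows\Temp\SMSTSLog is readable by anyone at the F8 prompt, so do not log them in clear.
$tsenv   = New-Object -ComObject Microsoft.SMS.TSEnvironment
$outFile = 'X:\Windows\Temp\SMSTSLog\TSVar.log'

# Assumed patterns for variables that hold credentials or tokens; extend as needed.
$redactPatterns = @('*Password*', '*Secret*', '*Token*', '_SMSTSReserved*')

# GetVariables() can return the same name many times; Sort-Object -Unique keeps one copy.
$lines = foreach ($name in ($tsenv.GetVariables() | Sort-Object -Unique)) {
    $value = $tsenv.Value($name)
    foreach ($pattern in $redactPatterns) {
        if ($name -like $pattern) { $value = '<redacted>'; break }
    }
    "$name = $value"
}

$lines | Out-File -FilePath $outFile -Encoding ascii   # overwrite, no -Append, so reruns stay clean

# Still handy for a single lookup, e.g. where the OS was laid down:
$tsenv.Value('OSDTargetSystemDrive')
```

Open the file with CMTrace as before; lines marked <redacted> tell you the variable exists without exposing its value.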

ConfigMgr Training–Session 1

ConfigMgr training has started!  It will happen from 5:00 Central to 7:00 Central every other Tuesday beginning August 1st.

How to build your own lab environment:

Option 1: Have someone else do it for you! This is a great option that many of my peers use. Big thanks to Johan for giving this to the community.

https://deploymentresearch.com/Research/Post/580/Hydration-Kit-For-Windows-Server-2016-and-ConfigMgr-Current-Technical-Preview-Branch

Option 2: Use Azure: https://www.verboon.info/2017/02/deploying-configmgr-current-branch-in-azure-dev-test-lab/

Option 3: Build it yourself. This is the option I like because everything is mine! I get to customize the environment a bit more than the hydration kit.

This training session will focus on Option 3:

General notes:

Create a Server 2016 gold image. Install all updates. Then run: sysprep.exe /oobe /generalize /shutdown /mode:vm

Copy the gold image and rename it to whatever you want

Create a DC using the copied file of your gold image

2048 GB RAM

Two network cards. One private internal. The other internet connected.

Create a CM / SQL server. Two NICs, dedicated IP, 4096GB

4096 GB RAM

Two network cards. One private internal. The other internet connected.

SCCM Prereq tool: https://gallery.technet.microsoft.com/ConfigMgr-2012-R2-e52919cd

SCCM sizing and capacity planning: https://docs.microsoft.com/en-us/sccm/core/plan-design/configs/size-and-scale-numbers

Next Training: Tuesday August 15th 5:00 – 7:00

Install and configure SQL and SCCM

SCCM Training starts August 1st

August 1st will be the start of many SCCM training sessions.

In the August 1st SCCM training session we will discuss how to build your own lab environment.

Here is a link to an FAQ regarding these sessions. https://www.mnscug.org/misc/articles/489-mnscug-configuration-manager-trainings-2

Book your calendar for every other Tuesday starting August 1st from 5-7.

Next training session is August 15 from 5-7. In that session we will discuss how to install SCCM (configure DB, disks, etc.)
