IIS Log File Cleaning

The other day I noticed that my SCCM Site Server’s C drive was almost full.  After some searching, I found that the directory C:\Inetpub\Logs\Logfiles was consuming all of the drive space.

Now, I don’t recall ever being told to clean IIS Log Files, but all of my peers seem to know about it!!  Thus, that makes me…uh…..well….late to the game at the very least!!

Here is a great document on IIS Log File Cleaning.  Don’t be like Matthew.  Clean your log files!

https://docs.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/managing-iis-log-file-storage

ConfigMgr Training–Session 2

Supported configurations for SCCM – https://docs.microsoft.com/en-us/sccm/core/plan-design/configs/supported-configurations

SQL version comparison – https://www.microsoft.com/en-us/sql-server/sql-server-2016-editions

Remember, format your SQL Data, Log, and TempDB drives to 64kb. To see the NFTS block size:  fsutil fsinfo ntfsinfo [your drive]

SQL Server Mangaement Tools – https://docs.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms

SQL Server Data Tools – https://docs.microsoft.com/en-us/sql/ssdt/download-sql-server-data-tools-ssdt

Random note: Am I the only one who had their drive fill up with IIS logs? Yes? Wow!! Learn something every day. (Though, it seems I should have learned this years ago!!)

IIS Logs Maintenance – https://docs.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/managing-iis-log-file-storage

Use Managed Service Accounts (MSA) for SQL Services.

Example:

Add-KdsRootKey –EffectiveTime ((get-date).addhours(-10));

New-ADServiceAccount -name MSA_SQLServer -DNSHostName MSA_SQLServer.TEmptyGarden.btls -PrincipalsAllowedToRetrieveManagedPassword TTEE-CM1$

Enter-PSSession -ComputerName tTEE-CM1

Install-ADServiceAccount MSA_SQLServer

setspn -l tEmptyGarden\MSA_SQLServer$

setspn -s MSSQLSvc/ttee-cm1.tEmptyGarden.btls tEmptyGarden\MSA_SQLServer$

SCCM Sizing Guide:   http://blog.coretech.dk/kea/system-center-2012-configuration-manager-sql-recommendations/

OLA:  https://ola.hallengren.com/

Optimizing SQL:  https://stevethompsonmvp.wordpress.com/2016/11/29/optimizing-sccm-databases-revisited/

Windows ADK:  https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install

ADK fix:  https://blogs.technet.microsoft.com/configurationmgr/2017/04/14/known-issue-with-the-windows-adk-for-windows-10-version-1703/

SCCM Requirements step by step:  https://www.systemcenterdudes.com/sccm-2012-r2-installation-prerequisites/

Windows 10 Versions:  https://support.microsoft.com/en-us/help/4018124

Next class:  Go through the Administration node in the SCCM console, PKI, CloudDP, Cloud Management Point, SCCM certificate management point

Future meeting topics:

Endpoint Protection

Application deployment and the App Deployment Toolkit

MBAM

The Compliance Setting Node

SCCM Fast Ring–Good or Bad (hint….bad!)

Last week I noticed that a colleague of mine had upgraded their SCCM environment to 1706.  This person manages well over 100,000 endpoints, so I figured 1706 was good to go.  Nope!

First, a bit of information regarding fast ring and regular ring.  Fast Ring for ConfigMgr is technically beta.  This means that even though you can put it in your production environment, you might want to wait.  Just like Windows 10 servicing, the Fast Ring will go production four months after the release.  In between……well, therein lies the problem.  You will most definitely get hotfixes every now and then while on Fast Ring, but you may also run into this:

https://support.microsoft.com/en-us/help/4039380/update-for-system-center-configuration-manager-version-1706-first-wave

“This update is available in the Updates and Servicing node of the Configuration Manager console for environments that were installed by using first wave (Fast Ring) builds of version 1706 downloaded between August 8 and August 11, 2017.”  According to the product team, only about 50 SCCM infrastructures were affected.  Guess who was part of the 50!

I installed SCCM 1706 on Friday August 11th.  Thus, I fell into one of the 50 that needed the hotfix.  Until today we were not able to install applications from the Software Center or OSD.  That, as you can imaging, was bad!

Lesson learned:  Perhaps don’t install SCCM Fast Ring unless you really really really need it and even then, be prepared for some issues from time to time until the release is full production.

Reading Task Sequence Variables in WinPE

Now and then you may have a need to read a task sequence variable during the OSD process. Today was one of those days. I had just modified a step in my task sequence and used the variable %OSDisk%. Well, the task failed. So……I put a pause in the task sequence and used PowerShell to find the variable. Turns out, there isn’t an OSDisk variable once the OS is dropped.

To see the variables and their values:

· Your WinPE boot image needs to have PowerShell on it

· In WinPE hit F8 to open a command prompt

· Type PowerShell to….well, you know, open PowerShell!!

$tsenv = New-Object -COMObject Microsoft.SMS.TSEnvironment

Foreach ($i in $TSEnv.GetVariables()) {“$i” + ‘ = ‘ + $TSEnv.Value(“$i”) | Out-File FilePath X:\Windows\Temp\SMSTSlog\TSVar.log –append}

At this point you can use CMTrace to open and view the file.

If you just want to see the value of one TS Variable: $TSEnv.Value(“OSDTargetSystemDrive”) for example.

Notes: The log file created has a ton of duplicate variables and values. Not sure why, and really don’t care either!! All I wanted to do was find the value for where the Operating System is. I have no idea if I will ever need to query TS Variables again, but good to know that I can!

ConfigMgr Training–Session 1

ConfigMgr training has started!  It will happen from 5:00 Central to 7:00 Central every other Tuesday beginning August 1st.

How to build your own lab environment:

Option 1: Have someone else do it for you! This is a great option that many of my peers use. Big thanks to Johan for giving this to the community.

https://deploymentresearch.com/Research/Post/580/Hydration-Kit-For-Windows-Server-2016-and-ConfigMgr-Current-Technical-Preview-Branch

Option 2: Use Azure: https://www.verboon.info/2017/02/deploying-configmgr-current-branch-in-azure-dev-test-lab/

Option 3: Build it yourself. This is the option I like because everything is mine! I get to customize the environment a bit more than the hydration kit.

This training session will focus on Option 3:

General notes:

Create a Server 2016 gold image. Install all updates. Then run: sysprep.exe /oobe /generalize /shutdown /mode:vm

Copy the gold image and rename it to whatever you want

Create a DC using the copied file of your gold image

2048 GB RAM

Two network cards. One private internal. The other internet connected.

Create a CM / SQL server. Two NICs, dedicated IP, 4096GB

4096 GB RAM

Two network cards. One private internal. The other internet connected.

SCCM Prereq tool: https://gallery.technet.microsoft.com/ConfigMgr-2012-R2-e52919cd

SCCM sizing and capacity planning: https://docs.microsoft.com/en-us/sccm/core/plan-design/configs/size-and-scale-numbers

Next Training: Tuesday August 15th 5:00 – 7:00

Install and configure SQL and SCCM

SCCM Training starts August 1st

August 1st will be the start of many SCCM training sessions.

In the August 1st SCCM training session we will discuss how to build your own lab environment.

Here is a link to an FAQ regarding these sessions. https://www.mnscug.org/misc/articles/489-mnscug-configuration-manager-trainings-2

Book your calendar for every other Tuesday starting August 1st from 5-7.

Next training session is August 15 from 5-7. In that session we will discuss how to install SCCM (configure DB, disks, etc.)

………………………………………………………………………………………………………………………..

 Join Skype Meeting

Trouble Joining? Try Skype Web App

Help

Windows 10 Servicing

What is servicing

Windows as a service was introduced with the release of Windows 10. It seems that every time a product is released ‘as a service’ people get excited. Disaster Recovery as a service. Beer as a service. But what does it mean?

There are a few concepts that we need to learn regarding Windows as a service.

Feature Updates – These are released twice per year around March and September to coincide with Office and ConfigMgr releases. For example: Windows 10 1511, 1607, 1703. These add new features to the operating system. In the past we would have to wait for a service pack or an entirely new operating system to be delivered to meet the business needs.

Quality Updates – These are released at least monthly and are cumulative. When people ask me if they need to apply last month’s cumulative update before this months I tell them to look up the word cumulative! As the name implies, these updates grow bigger each month. The updates include both security fixes and non-security fixes. (Note: If you have Windows 10 1607 CU April 2017 or Windows 1703 you can deliver what are called express updates. These are just the differentials from the last cumulative update.

https://docs.microsoft.com/en-us/sccm/sum/deploy-use/manage-express-installation-files-for-windows-10-updates

Insider Preview – These are builds that are not production ready. They give systems administrators a chance to preview and test in their environment. You should have a small subset of your computers in the preview ring, and if you can get a small group of users outside of IT to join the fun on a secondary PC, it would be helpful.

Service Branches – These allow organizations to choose when to deploy the newest features of the newest build. The newest build will be called CB or Current Branch. You might want to deploy this build to your testing area and your IT Department and a few candidates from other business units on secondary machines. Next is CBB or Current Branch for Business. A CB build will turn into CBB after four months. For example: Windows 1703 is the CB as of March 2017. Around July of 2017 Windows 1703 will be CBB. Basically CB + 4months = CBB. Then there is LTSB – Long Term Service Branch. This is used to provide support for critical machines that can’t upgrade to CB or CBB anytime soon.

Microsoft will support the CB builds for exactly 18 months after they are released

The release cadence is this:

Engineering Builds – 1,000’s of machines

Microsoft Internal Validation – 100,00’s of machines

Microsoft Insider Preview – 1,000,000’s of machines

The above process repeats for six months. At that time it is released as Current Branch

After four months of Current Branch it is then declared as CBB.

Rinse and repeat.

There will always be two builds that are CBB. Example:

· 1507 went through insider preview and entered CB in July 2015.

· 1511 CB was released a bit after 1507 entered CBB

· 1607 CB was ready for CBB in November 0f 2016. That starts the countdown for 1507 60 day grace period.

Jason Sandys MVP has a great post about what CB and CBB are:

http://home.configmgrftw.com/windows-10-servicing-configmgr-confusion/

clip_image002[8]

Still not getting it?

CB = Current Branch
CBB = Current Branch for Business
CBBJOVLTCVCBB = Current Branch for Business Just One Version Lower Than Current Version Current Branch for Business

NMPFTV = No More Patches For This Version
m = months
WWCBB = What Was Current Branch for Business
v = version

CB + 4m = CBB

CBB – 1v = CBBJOVLTCVCBB

CBB – 2v = WWCBB

WWCBB + 4m = NMPFTV

But wait…there’s more! Microsoft is changing the name from Current Branch to Semi-Annual Branch.

Monthly Channel = CB

Semi-Annual Channel = CBB

So, our new formulas look like this:

MC + 4m = SAC

SAC -1v = SACJOVLTCVSAC

SAC- 2v = WWSAC

WWSAC + 4m = NMPFTV

Why?

Did you enjoy troubleshooting Windows 7 patches and trying to figure out what patches to install and what patches to not install? Most organizations took a selective approach to software updates. This could result in newer updates not working since Microsoft tests all of their updates on a fully patched machine. Think of disk fragmentation. An optimized disk doesn’t have any fragmentation. That would be similar to a fully patched machine.

With Windows as a Service Microsoft is ensuring that you can stay up to date with the latest features and security updates while maintaining consistency and reliability.

More reading:

https://docs.microsoft.com/en-us/windows/deployment/update/waas-quick-start

Much more reading:

https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview

Don’t like reading?

https://channel9.msdn.com/events/speakers/Michael-Niehaus

http://aka.ms/W10-1703-resources

Initial Setup

Make sure you have checked ‘Upgrades’ in the Software Update Point Component Properties in SCCM. If you are running Server 2012 R2 you will need a hotfix. The hotfix is listed in a prompt when you select Upgrades. If you’re using Server 2016, you still get this prompt, but you can safely ignore it.

clip_image004[6]

You can check the success of the upgrades synchronization by looking in SCCM > Software Library > Windows 10 Servicing > All Windows 10 Updates

clip_image006[6]

If this node is empty you will want to start troubleshooting by looking at the Wsyncmgr.log file. Troubleshooting is beyond the scope of this document.

Create Target Collection(s)

In this document we will be upgrading to the latest Windows 10 branch which is 1703.

Create a collection called “Windows 10 – Upgrade to CB” with the following WQL statement:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,
SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,
SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client
from SMS_R_System
where SMS_R_System.OperatingSystemNameandVersion
     like “Microsoft Windows NT Workstation 10.0%” and SMS_R_System.Build < “10.0.15063”

You may want to create another collection for the current branch machines called “Windows 10 – CB” with the following WQL statement

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,
SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,
SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client
from SMS_R_System
where SMS_R_System.OperatingSystemNameandVersion
     like “Microsoft Windows NT Workstation 10.0%” and SMS_R_System.Build = “10.0.15063”

As you can see, these collections can be adjusted for the next Windows 10 branch release quite easily.

Here is a link to the Windows 10 build numbers:

https://technet.microsoft.com/en-us/windows/release-info.aspx

Upgrading to Current Branch

SCCM provides us with two different ways to deploy the latest Windows 10 branch. One is through the Servicing Plans type deployment. The other is deployment via Task Sequence. We will look at both ways below.

Windows 10 Servicing

In the SCCM console go to Software Library and expand Windows 10 Servicing.

Right click Servicing Plans and select Create Servicing Plan

Provide a name for the Servicing Plan

clip_image008[6]

Provide a target collection.

clip_image010[6]

Select the deployment ring that applies to you.

clip_image012[6]

Select the property filters for the deployment.

clip_image014[6]

Configure a schedule for the deployment

In this example the deployment is made available right away and will become mandatory in six months.

clip_image016[6]

Configure the end user experience

clip_image018[6]

Create or select a deployment package

clip_image020[6]

Finish creating the plan. During this time the updates will be downloaded.

In this example we will upgrade a Windows 10 1511 machine to 1607 using SCCM Servicing. Deploying the update via servicing puts the deployment in the Updates node in the Software Center

clip_image022[6]

Here used to be the maddening thing about Windows 10 Servicing via ConfigMgr prior to ConfigMgr 1702. Let’s see what happens if we just select the Feature Update to Windows 10 Pro, version 1607, en-us. When we do this, we are brought to a different screen.

clip_image024[6]

Now, let’s select Install…and….oh sweet Jesus….look at that message! “When you install a new operating system, all the existing data on your computer will be removed.” This is not a very good message for your end users!! Those who read it will panic and hit the cancel button and perhaps call the service desk. The message is incorrect. All we are doing is upgrading the operating system and that is all that will happen when “install operating system” is clicked.

clip_image026[6]

Now would be a good time to introduce you to ConfigMgr UserVoice. https://configurationmanager.uservoice.com You can vote or submit requests for chagnes in ConfigMgr. As a result, we now have a MUCH better dialog box (see below) due to this: https://configurationmanager.uservoice.com/forums/300492-ideas/suggestions/8469997-make-all-dialogs-shown-to-the-end-user-customizabl

In ConfigMgr 1702 the message is so much nice. Perhaps, it is even shinny:

clip_image028[6]

Task Sequence

The other way to deploy the latest Windows 10 branch is to use a task sequence. The big benefit of this method is that you can add other items to the sequence, such as a cumulative updates, pre-flight checks, drivers, and custom messages

Copy your Windows 10 media to a folder. In SCCM go to Software Library > Operating Systems. Right click on Operating System Upgrade Package and point to the directory where you copied the Windows 10 media. Distribute to your DP’s

We will also want to create a package for the latest Cumulative Update. Go to this link and find the latest CU. https://support.microsoft.com/en-us/help/4000825/windows-10-update-history

For Windows 10 1607:

As of this writing the latest CU is KB4015217. But, for Windows 10 1607 there is a Service Stack update released that needs to be applied first. Be sure to read the requirements for the KB articles! If you look at KB3206632 you will see that there is a prerequisite of KB3199986.

Start with the Servicing stack KB3199986

I like to put the link to the CU’s into the package comments. Also, I put the KB article under version. You will need to update this package if another Servicing Stack update comes out.

clip_image030[6]

The program will look like this: wusa.exe windows10.0-kb3199986-x64_5d4678c30de2de2bd7475073b061d0b3b2e5c3be.msu /quiet /norestart

Note: You will need to update the program with the latest CU each time you update the package.

Now it’s time to create the package for the latest Windows 10 1607 CU KB4015217

clip_image032[6]

The program will look like this: wusa.exe windows10.0-kb4015217-x64_60bfcc7b365f9ab40608e2fb96bc2be8229bc319.msu /quiet /norestart

Note: You will need to update the program with the latest CU each time you update the package.

In SCCM navigate to Software Library > Operating Systems

Right click Task Sequences and select ‘Upgrade an Operating System from an Upgrade Package’

clip_image034[6]

Provide a name. I called mine “Upgrade to Windows 10 1607”

Select the Upgrade Package and Windows Edition if applicable

For the ‘Include Updates’ screen I select ‘Required for installation – mandatory updates’

Select any applications you want to install and finish the Task Sequence

Now, right click the Task Sequence and select Edit

Add the Windows 10 Servicing Stack and Cu packages before the Install updates task.

Your Task Sequence should look something like this:

clip_image036[6]

The next thing is to deploy the Task Sequence to a collection

Your end users will be prompted that there is new software to install.

In the Software Center they will select Operating Systems and then select the Task Sequence you just deployed.

clip_image038[6]

clip_image040[6]

Prior to ConfigMgr 1702 your users will see the following message once they click on install.

clip_image042[6]

Again, this wording is completely wrong. The existing data on the machine will remain intact.

Once you are at ConfigMgr 1702 your users will see this:

clip_image044[6]

But, wait….there is more!!! In ConfigMgr 1702 you can customize the message your end users receive during task sequences.

Open the properties of a task sequence and select the User Notification tab

clip_image046[6]

This is how it will look for your end users:

clip_image048[6]

Task Sequence Options

As you can see, Task Sequences offer a lot more flexibility than servicing. There is much more that can be done.

Compatibility Scan

clip_image050[6]

Pre Flight Check

There are several things to check for before upgrading the Operating System. Below are a few, however, in every environment is different. If the task sequence fails, investigate the failure and add a new check in the ‘pre flight’ check group to address the failure.

Troy Martin @TroyMartinNet has a great post on creating OSD Preflight checks.  https://www.1e.com/blogs/2014/10/07/including-pre-flight-checks-in-your-ultimate-task-sequence-2/

Here I will simplify (hopefully) some of the highlights of his post:

  • Restart Computer – Is User Logged-Off
    • Add a Restart Computer task with the following options
      • If NONE of the conditions are true – WQL select __relpath from win32_process where caption = ‘explorer.exe’

  • Restart Computer – Is User Logged-On
    • Add a Restart Computer task with the following options
      • WQL select __relpath from win32_process where caption = ‘explorer.exe’

  • Set Pre-Flight Check Variable
    • Add a Set Task Sequence Variable step
      • Task Sequence Variable: PreFlightCheck
      • Value: PASSED

  • Check to see if the machine is connected to a wired network
    • Create a new folder called ‘Check if connected to wired network’
      • Options: Task Sequence Variable PreFlightCheck equals PASSED
    • Add a Set Task Sequence variable with the following properties and options.

clip_image052[6]

    • WMI Query
      • Namespace: Root\CIMV2
      • WQL: Select * from Win32_NetworkAdapter WHERE NetConnectionId like ‘%Ethernet%’ AND AdapterType LIKE ‘%ethernet%’ AND NetConnectionStatus=2 and NOT Name like ‘%virtual%’
    • Add a Set Task Sequence variable with the following
      • Properties
        • Task Sequence Variable Name: PreFlightCheckIsOnWired
        • Value: FAILED
      • Options
        • Variable IsOnWired exists
        • Variable IsOnWired not equals TRUE
      • Add a Set Task Sequence variable with the following
        • Properties
          • Task Sequence Variable Name: PreFlightCheck
          • Value: FAILED

Checks to see if USB drives are connected

  • Create a new folder called ‘Check if USB drive is connected to computer’
    • Options: Task Sequence Variable PreFlightCheck equals PASSED
    • Add a Set Task Sequence variable with the following properties and options.

clip_image054[6]

      • WMI Query
        • Namespace: Root\CIMV2
        • WQL: Select * from Win32_DiskDrive WHERE MediaType=’External Hard Disk Media’
      • Add a Set Task Sequence variable with the following
        • Properties
          • Task Sequence Variable Name: PreFlightCheckIsUSBDriveAttached
          • Value: FAILED
        • Options
          • Variable IsUSBDriveAttached exists
          • Variable IsUSBDriveAttached equals TRUE
      • Add a Set Task Sequence variable with the following
        • Properties
          • Task Sequence Variable Name: PreFlightCheck
          • Value: FAILED

  • Checks to see if computer is running on battery
    • Create a new folder called ‘Check if computer is running on battery’
      • Options: Task Sequence Variable PreFlightCheck equals PASSED
      • Options: WMI Query: Select * from Win32_Battery where Batterystatus > 0
    • Add a Set Task Sequence variable with the following properties and options.

clip_image056[6]

    • WMI Query
      • Namespace: Root\WMI
      • WQL: Select * from BatteryStatus where PowerOnline = ‘False’
    • Add a Set Task Sequence variable with the following
      • Properties
        • Task Sequence Variable Name: PreFlightCheckIsOnBattery
        • Value: FAILED
      • Options
        • Variable IsOnBattery exists
        • Variable IsOnBattery equals TRUE
    • Add a Set Task Sequence variable with the following
      • Properties
        • Task Sequence Variable Name: PreFlightCheck
        • Value: FAILED

In the Check Readiness or Upgrade the Operating System steps make sure to put a condition that the PreFlightCheck = Passed.

clip_image058[6]

Troubleshooting

Your best bet for success in troubleshooting is understanding both how the process works, and where to look when things go wrong.

Windows Servicing Troubleshooting

Here’s an example of the Scan process and logs to check

Client SW Update Scan Process/Issues

1. The client sends a WSUS Location Request to the management point

2. Scan agent requests the scan and WUAHandler initiates the scan

3. Windows Update Agent (WUA) starts the scan against the WSUS computer

4. WUAHandler receives results from Windows Update Agent and marks the scan as complete

5. WUAHandler parses the scan results

6. Update Store records the status and raises a state message for each update in WMI

7. State messages are sent to the management point

Logs for this step:

Scanagent.log

LocationServices.log

CCMMessaging.log

MP_Location.log

WUAHandler.log

WindowsUpdate.log

UpdateStore.log

StateMessage.log

Logs to check

Server Side

SUPSetup.log

WCM.log

WUSSyncXML.log

objreplmgr.log

ruleengine.log

WSUSCtrl.log

PatchDownloader.log

wsyncmgr.log

WUSSyncXML.log

MP_Location.log

Client Side

ScanAgent.log

LocationServices.log

CCMMessaging.log

WindowsUpdate.log

WUAHandler.log

UpdatesStore.log

StateMessage.log

PolicyEvaluator.log

RebootCoordinator.log

UpdatesHandler.log

ServiceWindowManager.log

UpdatesDeployment.log

SmsWusHandler.log

ccmperf.log

Questions about these log files can be answered by going to this link:

https://docs.microsoft.com/en-us/sccm/core/plan-design/hierarchy/log-files

Here’s a troubleshooter that you can walk through if you’re using the Servicing (non-task sequence) approach. It’s the same as troubleshooting software updates.

https://support.microsoft.com/en-us/help/10680/software-update-management-troubleshooting-in-configuration-manager

As you can see, the troubleshooting for Servicing is pretty much the same as for Software Updates.

Task Sequence Troubleshooting

If you’re doing Task Sequence model, you’ll check your task sequence log files the same way that you would for OS Deployment, however you can get information about what went wrong during setup by checking the following directories on the client:

$Windows.~BT\Sources\Panther\setupact.log

$Windows.~BT\Sources\Rollback\setupact.log

Windows\Panther\Unattend\GC

Windows\Panther

Why setup logs to these locations, details about each step, and reading the logs/error codes are beyond the scope of this session. Just know that what you get from task sequence logs may not be enough to determine what went wrong and how to fix it.

SCCM with SSL….this can sometimes be a bit tricky!

If you follow the guide for creating and deploying certificates you may run into an issue with the SCCM Reporting Point piece of the picture.

https://technet.microsoft.com/en-us/library/gg682023.aspx

When creating the ConfigMgr Web Server Certificate make sure you create a Common Name using the site servers FQDN.  If you do not do this, you will be able to see the cert in IIS, but not when you configure SSRS for SSL.