Office 365 Client Updates Not Showing Up in SCCM Summary as ‘Required’

Had a tag-team of problems with Office 365 Client updates and this one reared its ugly head just a I managed to successfully get the O365 updates syncing successfully.

The Problem

Under Software Library|Office 365 Client Management|Office 365 Updates none of the client updates were checking in as ‘required’. Given that the O365 client on 5000-odd machines was at version 16.0.8201.2207 (v1705) this seemed odd to say the least. Everything was set correctly in SCCM for O365 Client Deployment so the summary screen should theoretically be showing that the whole estate needed at least every version beyond this.

The Solution

After some considerable digging I discovered that for updates to work in SCCM, the CDNBaseUrl and the UpdateChannel settings in the registry MUST BE IDENTICAL. In my case, whoever had packaged the application had a bogus entry in the UpdateChannel setting that made no sense. I copied the CDNBaseURL setting (something along the lines of http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60) into the UpdateChannel setting, restarted the Microsoft Office Click-To-Run service and ran an update scan and update deployment policy refresh from the SCCM control panel applet. Immediately O365 client updates showed up as required. This can be checked under the following ConfigMgr report:

Compliance 8 – Computers in a specific compliance state for an update (secondary)

I then set up a GPO to push this URL out to the estate and watched the count increase.

OneDrive For Business out of space – plenty of room left!

I have recently been doing some work for a customer who has introduced OneDrive to their estate. For reasons known only to them, they have insisted that their users have their OneDrive storage restricted to only 1GB. Not much in today’s  money.

The issue that I have been seeing (on more than one occasion) is that OneDrive would run out of space (denoted by a red cross over the blue cloud icon) yet if you were to look at what the folder contained, clearly there should be space left. On one occasion there should have been as much as 700MB left so I was left scratching my head as to why it was complaining it was full.

SOLUTION

This is what has worked for me when I have come across the above scenario, and mainly involves removing the versioning feature, which by default will store 500 major versions.

  1. Completely clear out the local OneDrive folder. Cut and paste the data into a local temp folder somewhere, eg C:\Temp\OneDrive
  2. Right-click OneDrive icon and select View Online.
  3. Select Recycle Bin from the menu on the left. Click Empty Recycle Bin. This can take a little while sometimes, be patient and ensure it’s properly emptied.
  4. Once empty you should see a line at the bottom of the screen: Can’t find what you’re looking for? Check the Second-stage recycle bin. Click the Second stage recycle bin link.
  5. Delete everything in the second-stage recycle bin.
  6. Click the cog/gear icon in the top right of OneDrive. A setting menu should open. Select Site Settings.
  7. Under Site Settings | Site Administration click Site libraries and lists.
  8. Click Customise “Documents”
  9. Click Versioning Settings.
  10. Under Create a version each time you edit a file in this document library? select No versioning.
  11. Select OK at the bottom of the screen.
  12. Recommended: Remove OneDrive from the computer. Also ask user to save any profile related settings (favourites, desktop icons, etc) and remove user’s profile in System|Advanced Settings|User Profiles|Settings
  13. Get the user to log back on and restore the user’s desktop and favourites.
  14. Reinstall OneDrive. Once configured, copy user data back to the user’s local OneDrive directory and wait to sync.

The above steps were successful in releasing the ‘used’ space. Bare in mind, no version history will be kept in this scenario so please ensure that this is acceptable first. Without step 12, I did see the problem come back in one instance so if possible, I’d strongly recommend this step. You must bare in mind that when this procedure is carried out, it is like the user logging on for the first time and any customisations to their local profile WILL BE LOST.

Good luck.

Failed to download file- “http://officecdn.microsoft.com/xxx/xxx.cab” from internet. Using proxyserver – 0. Error = 12029

This one caught me out recently. Scenario:

All http://officecdn.microsoft.com is whitelisted and available, definitely no issue there.

  • All other updates seem to come down fine.
  • There are no ADR rules at all in place.
  • Running a full sync produces the error below:

My client downloads updates through a proxy server and naturally the correct details for the proxy were in place on the Site System Settings under Site System Roles. Also the checkbox for Use a proxy server when synchronizing software updates was checked under the Proxy And Account Settings tab under the Software Update Point Properties role.

SOLUTION:

Despite the fact that ADRs were NOT created or used in any way, it transpired that the checkbox Use a proxy server when downloading content by using automatic deployment rules also had to be checked. Once this was selected, O365 updates started syncing.

 

PXE only works for X number of clients; DHCP works fine

Difficult to pick a snappy title for this so suggestions welcome!

Anyway, I had an issue recently where we needed to load test 100+ machines, all booted from PXE. All machines were fresh out the box and all ethernet adaptors were fully registered in SCCM in the ignore list. In short, there was no reason for any machine not to PXE boot as expected. All went well until the 29th machine and then every machine thereafter refused to PXE boot. However, they did still receive an IP address. Additionally, the message Server response timeout E-18 flashed up very quickly before booting from the SSD.

Digging a little further, the machines that were able to PXE boot fine had to receive an IP address between .2 and .31 to work. Any IP after just refused to work.  Having accepted that all was well from a firewall perspective, I was forced to concede that the problem was somehow local.

Solution:

To cut a long and boring story short, the problem turned out to be a mis-configured subnet mask on the PXE server, in this case 255.255.255.224 instead of the 255.255.255.0 that it was supposed to be. The PXE server itself was allocated an IP within the range of PXE bootable clients and anything outside the range didn’t work. So easy when you know but one expects the basics to be correct so it took a while to track down. Hopefully this will provide some more ideas for anyone else who finds themselves with a similar issues.

Disable WiFi Group Policy

I recently had a request by a customer to disable WiFi on their laptops. I know, crazy, right? They had their reasons though and it was a temporary solution to a problem.  The issue with disabling Wifi is that there isn’t actually a group policy which directly allows ‘disable wifi’ but the workaround is pretty easy. Essentially we need to disable the WlanSvc service.

What we need is to harness group policy preferences, so without further ado here goes:

  1. Create a new GPO. Browse to Preferences | Control Panel Settings | Services. Right click in the right-hand pane and select New | Service. Call it WlanSvc.
  2. In the properties, change Startup to Disabled
  3. Ensure the service name is WlanSvc. Note, you’ll probably not be able to find this service if you browse via the ellipses unless the machine you’re using for administering group policy is a laptop. This is why it’s important you name the service correctly.
  4. Under Service Action change to Stop Service.

 

5. Apply the group policy. Note, you will probably need to reboot the machine for everything to take effect properly. You may notice a short pause before full (wired) network connectivity kicks in, maybe about 20 seconds. After this you should see that wireless is disabled.

Error Code 1 – Using Invoke-MbamClientDeployment.ps1 in SCCM OSD

I know I’m not alone in the misery of getting this less-than-perfect script to work during OSD and after a good couple of weeks of on-off testing I can finally say I got my desired result and it most certainly deserved a post. Please note, you may need to click on the pictures to see them fully.

GOAL:

Encrypt used space only with XTSAES256 encryption and escrow keys in MBAM database during SCCM OSD task sequence. I also need a PIN to be requested automatically at first logon.

I’m not going to detail the ins and outs of what I tried because this post will be far longer than necessary so I’ll concentrate on the steps that finally got it working for me. Don’t get me wrong, this is a buggy script that should really have been updated by Microsoft by now.  Error code 1 is an extremely common problem and can result for any number of reasons.

I would suggest you create an MBAM section in the task sequence, filtering on laptops or whatever criteria you require and add the steps below to this section.

High Level:

    1. DISABLE ALL BITLOCKER PRE-PROVISION STEPS
    2. DISABLE ROOT CERTIFICATE UPDATE
    3. STOP THE MBAM SERVICE
    4. ADD ENCRYPTIONMETHOD
    5.  ADD OSENCRYPTIONTYPE
    6. ADD  ENCRYPTIONMETHODWITHXTSOS
    7. ADD  ENACTONFIRSTLOGINREQUIRED
    8. REMOVE STARTUP DELAY
    9. START MBAM SERVICE
    10. FORCE USER TO SELECT A NEW PIN ON FIRST LOGIN
    11. RUN INVOKE-MBAMCLIENTDEPLOYMENT.PS1 SCRIPT
    12. RE-ENABLE ROOT CERTIFICATE UPDATE

1. DISABLE ALL BITLOCKER PRE-PROVISION STEPS

Contrary to what I have read elsewhere, the pre-provision step in the task sequence isn’t necessary. In fact, it’ inclusion will cause the error code 1. These steps should be disabled.

2. DISABLE ROOT CERTIFICATE UPDATE

This is a strange one but I have had trouble getting the Invoke-MbamClientDeployment.ps1 to run properly without first disabling the certificate update mechanism in Windows. Trust me, just do it, reboot, run the rest of the steps and make sure you remember to re-enable afterwards.

REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot /v DisableRootAutoUpdate /t REG_DWORD /d 1 /f

3. STOP THE MBAM SERVICE
The assumption is that you have installed the MBAM 2.5 SP1 client with the August 2017 hotfix by this stage so there will be an MBAM Agent service running on the machine.

Net stop mbamagent

4.  ENCRYPTIONMETHOD

Now I am recreating what worked for me here and despite my requirement for XTSAES256 the below setting seems to work fine for this in my task sequence. However evidence elsewhere suggests the DWORD value should be 7. Feel free to test in your own environment though and let me know how you get on.

REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d 2 /f

5.  ADD OSENCRYPTIONTYPE
We want used space only as this is quickest. See here for other values. Be careful though – if you want the PIN prompt to appear at first logon the disk has to be ‘fully encrypted’, ie with used space only OR full disk. If the disk is still encrypting when the user logs on, they won’t be prompted for the PIN.

REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE /v OSEncryptionType /t REG_DWORD /d 2 /f

6. ADD ENCRYPTIONMETHODWITHXTSOS

This is where * I believe * stage 3 gets overwritten (tbc). Essentially this will set the OS encryption to XTSAES256.

REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethodWithXtsOs /t REG_DWORD /d 7 /f


7. ADD  ENACTONFIRSTLOGINREQUIRED

Call the MBAMClientUI on first login. Technically this shouldn't be needed as I have a step further down which will call this anyway but no harm in adding.
REG ADD HKLM\Software\Microsoft\MBAM /v EnactOnFirstLoginRequired /t REG_DWORD /d 1 /f

8. REMOVE STARTUP DELAY
Force MBAM client to wake up within a minute.

REG ADD HKLM\Software\Microsoft\MBAM /v NoStartupDelay /t REG_DWORD /d 1 /f

9. RE-START MBAM SERVICE

Net start mbamagent


10. FORCE USER TO SELECT A NEW PIN ON FIRST LOGIN
This adds a setting to the default user so that every NEW user that logs onto the machine gets prompted for a new MBAM PIN for startup. Note, this will only fire if the disk is fully encrypted to type, ie used space only or full disk. Since we’re aiming for used space only here, disk encryption is pretty quick but it still needs to complete before the prompt will appear. If you log on before encryption is complete then the automatic prompt won’t appear and you will instead need to rely on GPO.

powershell.exe -ExecutionPolicy Bypass -command "reg load HKLM\DefaultUser C:\Users\Default\NTUSER.DAT; New-ItemProperty -Path 'HKLM:\Defaultuser\Software\Microsoft\Windows\CurrentVersion\RunOnce' -Name PromptForPIN -Value '""C:\Program Files\Microsoft\MDOP MBAM\MBAMClientUI.exe"""' -Type String; reg unload HKLM\DefaultUser"

11. RUN INVOKE-MBAMCLIENTDEPLOYMENT.PS1 SCRIPT
The script itself. Note the encryption method, Unspecified. Because we have specified the encryption method earlier, the XTSAES256 encryption is automatically derived from that. Strangely, I couldn’t get this script to work unless I used this parameter and manually set the reg entry. Also note, I am running the script from the local installation of the MBAM client. This ensures that I am running the script that is aligned to that version of the client, ie it should contain any updates provided by any client upgrades you’ve applied, eg August 2017 update.

powershell.exe -ExecutionPolicy Bypass -File "C:\Program Files\Microsoft\MDOP MBAM\Invoke-MbamClientDeployment.ps1" https://MBAMSERVER.local/MBAMRecoveryAndHardwareService/CoreService.svc -EncryptionMethod UNSPECIFIED


12. RE-ENABLE ROOT CERTIFICATE UPDATE
Don’t forget to re-enable this otherwise you’ll end up with all sorts of certificate errors when trying to reach HTTPS sites.

 

That’s it. One would assume much of this legwork should automatically be taken care of by the script itself but unfortunately that doesn’t appear to be the case. Don’t forget, you will also need to make sure that no MBAM policies are in place when the script runs. This isn’t a problem with SCCM as GPOs will be suppressed but if you’re using native MDT this can be an issue.

Hopefully this will save some of you a few hours (more likely days) of frustration!

Simon

 

0x8007000f Task Sequence Error

Really quick post on issue experienced recently.

We were trying to build some Lenovo T470Ps and one was exhibiting this error just before the task sequence was to start and failed as a result before we even got off the ground. The error translates to The system cannot find the drive specified. However I knew for a fact that the drivers were OK as other T470Ps were building fine.

Transpires that somewhere along the way, something had indeed got mixed up on the disk and it was having problems with the config. I initially tried a DISKPART then CLEAN but this wasn’t enough and it was continuing to fail.

In the end I resorted to doing the task sequence’s job manually and recreating the partitions as follows:

Open CMD prompt (F8):

1. Diskpart
2. Select disk 0 (0 being the disk to setup)
3. Clean
4. Convert gpt
5. Create partition efi size=300
6. Format quick fs=FAT32
7. Create partition msr size=128
8. Create partition primary
9. Assign letter=c
10.Format quick fs=NTFS

Exit DISKPART and try again – this time the task sequence continued as expected.

Adding a Software Update Point to a Secondary Site (for those who already know how to add it to the primary site!)

This is something I’ve meant to get round to writing about for months as the first time I did this I couldn’t find any direct answers in the multitude of blogs I read about it.

On the face of things, installing WSUS/SUP on a secondary site sounds pretty straightforward if you’re used to adding them to a primary site but when you start it soon becomes clear there are a few unanswered questions which start to materialise. It’s important to first consider whether a SUP is even required for the secondary site: remember, the update packages will be present anyway. The secondary site SUP is really only there for scanning purposes and to relieve associated traffic which is really quite minimal. Assuming you are over this and need it anyway then here are a few other things to consider, some of which have changed since CM2007.

  1.  Since CM2012, there is now a DB on the secondary site so should we be installing to that?
  2.  WSUS Content?
  3. How does it interact with the Primary SUP?

This blog is only intended to answer one or two questions you might have as regards specifics of installing on a secondary site and there are plenty of answers out there for general installation. In short, the SUP on the secondary site is a secondary SUP and when you install it ConfigMgr will actually take care of marrying it up to the Primary SUP.

So the high level tasks are as follows:

  1. Install the pre-req’s for a Software Update Point. I thoroughly recommend Nickalaj A’s PreRequisite Tool  for this job, see https://gallery.technet.microsoft.com/ConfigMgr-2012-R2-e52919cd. I must confess this has made me lazy and I barely remember what the pre-reqs are these days but to be honest I don’t need to with this.
  2. Install the database on the secondary site SQL instance. Best practice is to have separate instances but I’ll leave that to you. Personally I don’t find there is any real performance issues using the same instance. Also, as an aside, if you have full SQL on the primary, (and you will) then I don’t really see why you wouldn’t use it on the secondary. Why use SQL Express when the licence is free for the full version? Just my opinion though.
  3. WSUS Content should always be local. It’s a requirement to specify this during installation but it’s not really used when part of a SUP in ConfigMgr.
  4. Finally, after WSUS installation, add the SUP role to the site. ConfigMgr will take care of the rest. Click on the secondary site under  the Sites node, and click the SUP under the site component properties to check the sync status. It should be greyed out because SCCM has recognised it as a child of the primary SUP.
  5. A good, detailed explanation of the whole process can be found here

Happy Deployments…

Change login screen language in MDT / SCCM (Server Core)

I came across an interesting (if very frustrating) issue recently when a client provided me with an updated version of Windows Server 2012 R2. Prior to being handed the new media, I was using my own copy of Server 2012 R2 which is Build 6.3.9600.16384. I set up my MDT build which had a task sequence for each version of Server 2012 R2, Standard, Standard Core, Datacenter and Datacenter Core.  Everything was fine and the UI language was configured correctly throughout.

I received the new media which was Build 6.3.9600.17415 and replaced my original copy of Server with this new version. All appeared to be fine until I tried to log in to the two Server Core versions where my password wasn’t being accepted. It transpires that these have some kind of bug / difference whereby the Input Locale doesn’t change to the configured language. In my case, I had an American (en-us) keyboard and I wanted to use an English (en-gb) keyboard. Weirdly, this was only the case for the core versions; the GUI versions were fine.

I spent a good deal of time scouring the internet for a fix to this and it appears quite a few people had the same issue, eg:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/d82dd905-e346-4a94-87e6-a78d59f4941c/keyboard-layout-wrong-on-logon-screen-but-fine-on-desktop?forum=windowsserver2008r2general
or
http://windowsitpro.com/systems-management/how-do-i-configure-default-keyboard-layout-during-login

This one was also interesting but the application of the fix wasn’t explained clearly and I gave up on it.

Mostly, the ‘fix’ was to change the HKEY_CURRENT_USER\Keyboard Layout\Preload setting to the proper value and this does seem to work if you log on and change this manually in the registry. However I could not get this setting to stick when I applied it through any scripting mechanism.

I eventually found a solution though through group policy which I applied during the build. The steps below are for MDT but the same can easily be applied for SCCM.

Create a new GPO and browse to Computer Configuration\Policies\Admin Templates\System\Locale Services
Change Disallow copying of user input methods to the system account for sign in to Enabled.
Create a backup of the policy and copy it to your deployment share. Rename it from {GUID} to LogonKB. I created a custom directory to store this in called Custom2012R2. Under this I had a directory called GPOBackup which contain any GPOs I need to apply.
Download a copy of lgpo.exe and stick it in your tools\%architecture% directory (in practice you want the x64 version)
Create a TS step just before the Tattoo step called Copy GPOs Locally as below
Command line: xcopy “%DEPLOYROOT%\Custom_2012R2\GPOBackup” C:\Windows\Temp /e /i

6. Next, create another step to apply the GPO, directly after the copy step and call this Apply GPO logon keyboard.
Command line:

“%DEPLOYROOT%\Tools\%ARCHITECTURE%\lgpo.exe” /g “C:\Windows\Temp\LogonKB”

It is important these two steps are early in the task sequence as the ‘damage’ is already done if you apply them too late. What is actually happening is that the GPO you have applied is preventing the Input Locale from being copied over to the login screen keyboard locale. You can see this before and after by running up the systeminfo command from a command prompt. On a machine without the application of the GPO the Input Locale will show up as:

Input Locale: en-us;English (united States)

and this will get copied over to the login screen language during build time. The GPO prevents this from happening and keeps the setting at en-gb.

I hope this will save others many hours of frustration.

Headaches of an SCCM Admin