Archive for February, 2014

Hi, every once in a while I need a site server to test or demo some functions. Each time, however, I need to spend a day to deploy a server and download/install SCCM, SQL, ADK, server roles, prereqs and more by hand. To avoid having to wait for each step to finish, I wrote a basic PowerShell script to automate this. It doesn’t use variables or fancy loops; it just batches it all up in one script.

Step 1: Download source files
On a freshly installed Windows Server 2012 that is a domain member, copy all required files to a folder named C:\Sources. You will need to (pre-)download all files and place them in the following folders:

  • ADK 8.1: C:\Sources\ADK8.1
  • SCCM 2012 R2 setup: C:\Sources\SCCM2012R2
  • SCCM 2012 prereqs: C:\Sources\SCCM2012R2\Downloads
  • SQL 2012 SP1: C:\Sources\SQL2012SP1
  • SQL 2012 SP1 Cumulative Update 2: C:\Sources\SQL2012CU2
  • Windows Server 2012 Feature file store: C:\Sources\SxS

Note that for ADK as well as SCCM 2012 prereq files you will need to pre-download the sources by running the setup wizard.

Step 2: Create unattended setup ini for ConfigMgr
The setup executable for ConfigMgr supports an input file. The following example is a minimal set of required input parameters for the setup to install unattended:

[Identification]
Action=InstallPrimarySite
[Options]
ProductID=XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
PrerequisiteComp=0
PrerequisitePath=C:\Sources\SCCM2012R2\Downloads
SiteCode=HQ1
SiteName="DvdRuit HQ"
SMSInstallDir="c:\program files\ConfigMgr"
ManagementPoint=S01.DVDRUIT.LOCAL
ManagementPointProtocol=HTTP
SDKServer=S01.DVDRUIT.LOCAL
RoleCommunicationProtocol=HTTPorHTTPS
ClientsUsePKICertificate=0
DistributionPoint=S01.DVDRUIT.LOCAL
DistributionPointProtocol=HTTP
DistributionPointInstallIIS=0
MobileDeviceLanguage=0
[SQLConfigOptions]
SQLServerName=S01.DVDRUIT.LOCAL
DatabaseName=SMS_HQ1
SQLSSBPort=4022

You might need to modify some of these parameters to match your environment. You will need a valid product key. The evaluation version does not support unattended installation (unfortunately). Save this file to C:\Sources\Site-setup.ini.
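
A pre-flight check for Steps 1 and 2, as an added example that is not part of the original script: it confirms that the folders listed above exist and that Site-setup.ini carries usable values before any installer runs. The function name Test-SiteSetupInput and the choice of required keys (taken from the sample ini above) are assumptions of this example.

```powershell
# Added example, not the author's script: check C:\Sources and Site-setup.ini before installing.
function Test-SiteSetupInput {
    param([string]$SourceRoot = 'C:\Sources',
          [string]$IniPath    = 'C:\Sources\Site-setup.ini')
    $problems = @()
    # Folders from Step 1, relative to the source root.
    foreach ($f in 'ADK8.1','SCCM2012R2','SCCM2012R2\Downloads','SQL2012SP1','SQL2012CU2','SxS') {
        $p = Join-Path $SourceRoot $f
        if (-not (Test-Path -LiteralPath $p -PathType Container)) { $problems += "Missing folder: $p" }
    }
    if (-not (Test-Path -LiteralPath $IniPath -PathType Leaf)) {
        return $problems + "Missing ini file: $IniPath"
    }
    # Parse the ini into a 'Section\Key' -> value table (hashtable keys are case-insensitive).
    $ini = @{}; $section = ''
    foreach ($line in Get-Content -LiteralPath $IniPath) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1] }
        elseif ($line -match '^([^=;]+)=(.*)$') {
            $key = '{0}\{1}' -f $section, $Matches[1].Trim()
            $ini[$key] = $Matches[2].Trim().Trim('"')
        }
    }
    # Keys taken from the sample ini above (assumed here to be the minimum worth checking).
    $required = 'Identification\Action','Options\ProductID','Options\SiteCode','Options\SiteName',
                'Options\PrerequisitePath','Options\SDKServer',
                'SQLConfigOptions\SQLServerName','SQLConfigOptions\DatabaseName'
    foreach ($k in $required) {
        if ([string]::IsNullOrEmpty($ini[$k])) { $problems += "Missing ini value: $k" }
    }
    if ($ini['Options\ProductID'] -match '^X{5}(-X{5}){4}$') {
        $problems += 'ProductID is still the XXXXX placeholder'
    }
    if ($ini['Options\SiteCode'] -and $ini['Options\SiteCode'] -notmatch '^[A-Za-z0-9]{3}$') {
        $problems += 'SiteCode must be three alphanumeric characters'
    }
    $pre = $ini['Options\PrerequisitePath']
    if ($pre -and -not (Test-Path -LiteralPath $pre -PathType Container)) {
        $problems += "PrerequisitePath does not exist: $pre"
    }
    return $problems
}

$problems = @(Test-SiteSetupInput)
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Fix the items above before running the install script.'
}
```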

Step 3: Create a PowerShell (batch) script to install all prerequisites one by one
To install all prereqs you will have to start off by extending the AD schema with some attributes that are used by ConfigMgr. I’ve put this at the top to make sure that replication to other domain controllers is done by the time the SCCM setup command is called. A summary of what is installed:

  • Extend AD
  • Install Windows Features
  • Install ADK 8.1
  • Create SQL service account
  • Install SQL 2012 SP1 with CU2
  • Install ConfigMgr R2

Behold the powershell script:

echo '======================================================================='
echo '======== INSTALL SITE SERVER AND PREREQS SCRIPT ========='
echo '======== By: Douwe van de Ruit ========='
echo '======================================================================='
echo 'Before proceeding make sure to copy sources from ADK, SQL 2012 SP1,'
echo 'SQL 2012 CU2, Windows 2012 sxs and ConfigMgr R2 to'
echo 'C:\Sources\ADK8.1, C:\Sources\SCCM2012R2, C:\Sources\SQL2012SP1,'
echo 'C:\Sources\SQL2012CU2 and C:\Sources\sxs. Pre-download all prereq'
echo 'files for ConfigMgr to C:\Sources\SCCM2012R2\Downloads. Tested on Hyper-V.'
echo 'No reboots required. Hit enter, get some coffee, sit back and enjoy the ride.'
pause
#schema extension
C:\Sources\SCCM2012R2\SMSSETUP\BIN\X64\extadsch.exe
#server prereqs
Import-Module servermanager
Install-WindowsFeature Web-Windows-Auth
Install-WindowsFeature Web-ISAPI-Ext
Install-WindowsFeature Web-Metabase
Install-WindowsFeature Web-WMI
Install-WindowsFeature BITS
Install-WindowsFeature RDC
Install-WindowsFeature NET-Framework-Features
Install-WindowsFeature Web-Asp-Net
Install-WindowsFeature Web-Asp-Net45
Install-WindowsFeature NET-HTTP-Activation
Install-WindowsFeature NET-Non-HTTP-Activ
Install-WindowsFeature WDS
dism /online /enable-feature /featurename:NetFX3 /all /Source:c:\sources\sxs /LimitAccess
#install adk components
cmd /c C:\Sources\ADK8.1\adksetup.exe /quiet /installpath 'C:\Program Files (x86)\Windows Kits\8.1' /features OptionId.DeploymentTools OptionId.WindowsPreinstallationEnvironment OptionId.UserStateMigrationTool
#install sql db
#New-ADUser needs the ActiveDirectory module (RSAT-AD-PowerShell feature) on this server
#the svcSQL password is in clear text here and on the Setup.exe line below; both must match
New-ADUser -SamAccountName svcSQL -AccountPassword (ConvertTo-SecureString -AsPlainText "P@ssw0rd" -Force) -name "svcSQL" -enabled $true -PasswordNeverExpires $true -ChangePasswordAtLogon $false
Enable-ADAccount svcSQL
#the feature list is quoted so PowerShell passes the commas through unchanged
C:\Sources\SQL2012SP1\Setup.exe /qs /ACTION=Install /UpdateEnabled=TRUE /UpdateSource="C:\Sources\SQL2012CU2\" "/FEATURES=SQL,RS,Tools" /INSTANCENAME=MSSQLSERVER /SQLSVCACCOUNT="DVDRUIT\svcSQL" /SQLSVCPASSWORD="P@ssw0rd" /SQLSYSADMINACCOUNTS="DVDRUIT\Domain Admins" /AGTSVCACCOUNT="NT AUTHORITY\Network Service" /IACCEPTSQLSERVERLICENSETERMS /SQLCOLLATION=SQL_Latin1_General_CP1_CI_AS
#install configMgr
C:\Sources\SCCM2012R2\SMSSETUP\BIN\X64\setup.exe /script C:\Sources\Site-setup.ini /nouserinput
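
The script above carries the svcSQL password in clear text in two places. A variant of its "#install sql db" step, added here as an example and not part of the original script, prompts for the password once (the script already pauses for the operator at the start) so it never sits in the .ps1 file. The variable names are assumptions of this example; the accounts, paths and setup switches are the ones from the script above.

```powershell
# Added example, not the author's script: the SQL step without a hard-coded password.
Import-Module ActiveDirectory   # needs the RSAT-AD-PowerShell feature on this server

# Ask once, up front, while the operator is still at the console.
$sqlSvcPassword = Read-Host -AsSecureString -Prompt 'Password for DVDRUIT\svcSQL'

# Create the service account only if it does not exist yet.
if (-not (Get-ADUser -Filter "SamAccountName -eq 'svcSQL'")) {
    New-ADUser -Name 'svcSQL' -SamAccountName 'svcSQL' -AccountPassword $sqlSvcPassword `
        -Enabled $true -PasswordNeverExpires $true -ChangePasswordAtLogon $false
}

# Setup.exe takes the password as text, so decode it only for the duration of the call.
# It is still visible in the Setup.exe command line while setup runs, and a password
# containing double quotes will not survive argument passing.
$plain = (New-Object System.Net.NetworkCredential('svcSQL', $sqlSvcPassword)).Password
try {
    $setupArgs = @(
        '/qs', '/ACTION=Install', '/UpdateEnabled=TRUE', '/UpdateSource=C:\Sources\SQL2012CU2\',
        '/FEATURES=SQL,RS,Tools', '/INSTANCENAME=MSSQLSERVER',
        '/SQLSVCACCOUNT=DVDRUIT\svcSQL', "/SQLSVCPASSWORD=$plain",
        '/SQLSYSADMINACCOUNTS=DVDRUIT\Domain Admins',
        '/AGTSVCACCOUNT=NT AUTHORITY\Network Service',
        '/IACCEPTSQLSERVERLICENSETERMS', '/SQLCOLLATION=SQL_Latin1_General_CP1_CI_AS'
    )
    & 'C:\Sources\SQL2012SP1\Setup.exe' @setupArgs
    if ($LASTEXITCODE -ne 0) { Write-Warning "SQL setup exited with code $LASTEXITCODE" }
}
finally {
    # Drop the clear-text copies as soon as setup returns.
    $plain = $null
    $setupArgs = $null
}
```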

There you go! A simple but handy script to automate the installation of a SCCM Site server. Copy this to “C:\Sources\Install-Site server.ps1”. You might need to change some parameters. Run the script with administrative permissions. When you open the taskmgr and see this you’ll be good:

[Screenshot: task mgr]

I hope this may be of some assistance! After a while SCCM is installed. 🙂

[Screenshot: SCCM installed]


The world of device or client management is changing rapidly and will keep changing. Mobile devices are transitioning to fully capable workspace machines, whereas laptops are becoming more mobile and mainly internet-based. Traditional desktop numbers are dropping. Users will take more responsibility in getting the appropriate apps and keeping their devices up to date and protected. On the other hand, organizations need to control and maintain device compliance in scenarios where highly classified information is disclosed through apps. The number of usage scenarios is growing, and with that, management scenarios become more granular as well.

Happily enough, technology is also changing. In SCCM and its predecessors, mobile device management capabilities are not new and covered some mobile scenarios. Starting with the Systems Management Server (SMS) 2003 Device Management Feature Pack, administrators were able to do some level of management on Windows-based smartphones. In later versions more “mobile” features and platform support were added. When Windows Intune came into play, Mobile Device Management became more mature and capable of supporting all sorts of business scenarios. Also, the Microsoft Windows client platform is developed with a mobile-first strategy, enabling relevant functionality anywhere, anyplace, anytime while still supporting all sorts of legacy scenarios (such as managed desktops). All form factors will be supported in all scenarios. However, it raises some questions when designing such a solution:

  • Should I choose SCCM or Windows Intune? Both?
  • Is Windows 8.1 a mobile BYO platform or more a desktop client platform? Or both?
  • Do I (the noble admin) need to provide updates and anti-malware services, or is that done by the user him/herself?
  • Should and can I install a management client? Is the client domain joined or workplace joined?
  • Is the device private or corporate owned?
  • What kind of apps will be deployed? ARM vs x86 or x64 based?

For each scenario IT admins have to think in terms of capabilities. With SCCM you will be able to manage corporate and LAN/VPN-connected Windows devices well enough. A way of managing devices that are mainly connected to foreign networks such as the internet is to extend SCCM with a Windows Intune subscription that will serve the internet-connected clients. If you don’t have the luxury of having SCCM, you can use Windows Intune separately (only for small environments). To start with the client management capabilities: there are some client mechanisms that can be used by SCCM and Windows Intune to configure the client:

  • OMA-DM API (Open Mobile Alliance Device Management): Many organizations want to manage certain classes of devices, like tablets and BYOD devices, as mobile devices and do only light management. With Windows 8.1, you can use the OMA-DM API to allow management of Windows 8.1 devices with mobile device management products such as XenMobile, MobileIron, etc. No agent needs to be installed to use this feature.
  • Windows Intune agent: A software agent similar to the Configuration Manager client which is installed on the device and provides support for deployment of updates and endpoint protection in addition to the OMA-DM functions. The Windows Intune client should only be used in scenarios without SCCM, on the Windows x86 or x64 platform, where there is a requirement to centrally manage updates/antimalware. There is no Windows Intune client for Windows RT or other platforms such as iOS, Android, OS X and Linux.
  • Configuration Manager agent: The most capable management agent for managing Windows-based platforms. When a Windows Intune subscription is connected to SCCM, only clients without the ConfigMgr agent, using OMA-DM instead, can use Windows Intune cloud servers to find content or policies that are configured in SCCM. You only need the SCCM console to manage it all. It might be a bit confusing that a ConfigMgr agent cannot use Intune cloud servers (yet??).

Microsoft made an overview on platform support for enterprises:
[Image: Microsoft platform support overview table]

As you can see, the Windows Intune agent is not listed in this table. This is because Microsoft positioned Windows Intune as an extension to SCCM for larger enterprises. For smaller organizations Windows Intune could suffice, and then you might need the Windows Intune client capabilities to centrally manage and control updates and endpoint protection.

When looking at Windows-based devices/clients only, mainly two scenarios are left:

  1. ConfigMgr Agent based management: updates, endpoint protection, inventory for Windows PCs such as Windows XP, Windows 7, Windows 8 and Windows 8.1. x86 and x64 architecture only.
  2. Agentless management: for Windows RT, Windows Phone and Windows 8.1 devices/clients in a BYO scenario!!!

Windows 8.1 PC management
Note that Windows 8.1 can be positioned in two scenarios: the Windows PC and the Windows BYO device. This is important because when you need to manage a Windows 8.1 client as a Windows PC you should install the ConfigMgr client. Also, the client should be domain joined. You can deploy and manage all settings and software configurations on the client. You will have complete control of the client configuration.

Windows 8.1 BYO management
However, when you need to manage a Windows 8.1 client as a mobile device, the ConfigMgr client should not be installed. Just enable device management through charms bar > PC Settings > Network > Workplace. Enter credentials that match a synchronized Windows Intune user account. Optionally, Workplace Join the device to the corporate Active Directory to support additional services such as Single Sign-On and Work Folders. You only have management control over some security features that are available to the OMA-DM API. No complete control, only light management is possible.

[Screenshot: workfolders]

Conclusion
To summarize this post, here is a quick list of which deployment scenario should be used for each management scenario for Windows 8.1 clients/devices:

  1. Intune client: used only for small number of clients. SCCM not used.
  2. ConfigMgr client: used for enterprise PC management. With or without Intune subscription.
  3. Agentless: used for BYO management of Windows 8.1 devices.

I hope this clears things up a bit. In other posts I will discuss the Company Portal and BYO management of other platforms such as iOS, Android, etc.