One of the biggest issues with automated migrations has always been that many companies run Windows 7 x64 but, because of problems with UEFI deployments in the past, still stick with legacy BIOS settings instead of the modern and much more secure UEFI boot settings. UEFI also needs GPT partitioning rather than MBR partitioning.
To remove this hurdle, Microsoft introduced in SCCM 1610 a nice feature that allows you to migrate to UEFI during a task sequence.
In addition to the task sequence you may need a vendor-specific tool that allows you to migrate your BIOS settings to UEFI.
More you can find here:
https://docs.microsoft.com/en-us/sccm/osd/deploy-use/task-sequence-steps-to-manage-bios-to-uefi-conversion
Example with Dell CCTK:
The original blog post still refers to an older alternate way, but the rest of the article refers to the Dell CCTK tool to modify the BIOS, and that part is still valid.
http://www.scconfigmgr.com/2016/06/14/switch-from-bios-to-uefi-on-dell-systems-during-windows-10-deployment-with-configmgr/
Enjoy the show!
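As an added example (not from the original post, and not Microsoft's task sequence step), here is a PowerShell pre-flight check that reports whether a client still boots in legacy BIOS mode with an MBR system disk, so you can target the conversion task sequence only at machines that need it. It assumes Windows 8 or later, an elevated session, and the built-in Storage, SecureBoot and TrustedPlatformModule modules.

```powershell
# Added example: pre-flight readiness report for the BIOS-to-UEFI conversion.
# Run elevated on the client (Windows 8 or later). Nothing here changes any setting.
function Get-UefiMigrationReadiness {
    # Windows sets firmware_type to 'Legacy' or 'UEFI' for the current boot.
    $firmware = $env:firmware_type

    # Locate the disk that holds the Windows partition and read its partition style.
    $driveLetter = $env:SystemDrive.TrimEnd(':')
    $osPartition = Get-Partition -DriveLetter $driveLetter
    $osDisk      = Get-Disk -Number $osPartition.DiskNumber

    # Confirm-SecureBootUEFI throws on a legacy BIOS boot, which also answers the question.
    try   { $secureBoot = Confirm-SecureBootUEFI }
    catch { $secureBoot = $false }

    # TPM state matters because Device Guard / Credential Guard and BitLocker expect one.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        FirmwareType    = $firmware
        PartitionStyle  = $osDisk.PartitionStyle        # 'MBR' or 'GPT'
        SecureBoot      = $secureBoot
        TpmPresent      = [bool]($tpm -and $tpm.TpmPresent)
        TpmReady        = [bool]($tpm -and $tpm.TpmReady)
        NeedsConversion = ($firmware -eq 'Legacy') -or ($osDisk.PartitionStyle -eq 'MBR')
    }
}

Get-UefiMigrationReadiness | Format-List
```

After a successful conversion the same report should show FirmwareType UEFI, PartitionStyle GPT and SecureBoot True; NeedsConversion can serve as the condition on the conversion steps.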
Tuesday, December 20, 2016
Thursday, December 15, 2016
2 new categories available
Hey all!
To better maintain things and have a single one-stop shop for specific information, I added two new pages to the sidebar on the right-hand side.
Surface Pro tips and tricks (starting with diagnostic, maintenance and deployment stuff)
http://www.ms-labrats.de/p/surface-d.html
Powershell Playbook (where I store my own useful scriptlets for my projects)
http://www.ms-labrats.de/p/powershell-playbook.html
Just check out the right middle section of this website.
Enjoy your day!
Friday, October 21, 2016
Windows Server 2016 goes live - Check out this primer site (updated from time to time)
Hi all, it has been a while since my last post. A lot has happened in between: I went to Ignite and many other MS events and workshops. A lot has changed with the new products, and we are really facing a big wave of new techniques and possibilities.
Windows Server 2016 is no exception. It is really a new platform where you can do so much more, especially in saving money on storage!
So this post should be a starting point to many other sites helping you and me to find our way around.
What's new in Windows Server 2016
https://technet.microsoft.com/windows-server-docs/get-started/What-s-New-in-Windows-Server-2016
Support and Upgrade
Server Upgrade Role Matrix
https://technet.microsoft.com/en-us/windows-server-docs/get-started/server-role-upgradeability-table
Server Compatibility Matrix
https://technet.microsoft.com/en-us/windows-server-docs/get-started/server-application-compatibility
NANO Server
Nano Server Builder
https://blogs.technet.microsoft.com/nanoserver/2016/10/15/introducing-the-nano-server-image-builder/
Nano Server Update/Upgrade
https://blogs.technet.microsoft.com/nanoserver/2016/10/07/updating-nano-server/
Windows Server Management
(The GUI is gone if you pick the wrong installation option)
To enable management you will need this here
(RSAT tools for Windows 10 to manage Server 2016):
https://www.microsoft.com/en-US/download/details.aspx?id=45520
Wednesday, September 7, 2016
Updates needed to serve Windows 10 updates and upgrades with WSUS
I created a demo environment and thought it would be nice to use the latest SCCM on the latest Windows, and guess what? (SCCM Current Branch on Windows Server 2016 TP5)
You WILL FAIL!
The reason is that you need to install a patch to WSUS to enable the Windows 10 catalog.
But this patch is only available for Windows Server 2012 R2.
It is not yet available for Windows Server 2016 TP5 (curious, but that's the way it is).
So I installed another stand-alone WSUS server on Windows Server 2012 R2 with the latest patches. Then I enabled the WSUS role.
But before you start configuring it, you must install at least these patches for
Windows Server 2012 R2:
This update enables the Windows 10 classification in the WSUS catalog:
KB3095113
https://support.microsoft.com/en-us/kb/3095113
(also check out the note from the WSUS team:
https://blogs.technet.microsoft.com/wsus/2015/12/03/important-update-for-wsus-4-0-kb-3095113/)
If you have already synced the catalog and missed the fix in the first place, you need to read this to fix it:
https://blogs.technet.microsoft.com/wsus/2016/01/29/how-to-delete-upgrades-in-wsus/
This update enables the ESD function. Without it you cannot deploy 1607 or newer!
BE CAREFUL AND READ THE MANUAL STEPS NECESSARY!!!
https://support.microsoft.com/en-us/kb/3159706
This update also replaces the problematic fix KB3148812. If that one is installed, you can install KB3159706 on top of it! But don't miss the manual steps!
HINT:
You can also get all the updates through the Microsoft Update Catalog (you need to know the KB article number):
http://catalog.update.microsoft.com
Microsoft has promised these steps are not necessary for WSUS on Windows Server 2016 RTM.
HAPPY UPDATING!
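As an added example (not from the original post), here is a small PowerShell check for a Windows Server 2012 R2 WSUS host that confirms the two prerequisite updates named above are installed and warns if the superseded KB3148812 is still present. The KB numbers come from the post; the optional remote computer name parameter is an assumption.

```powershell
# Added example: checks a Windows Server 2012 R2 WSUS host for the two
# prerequisite updates named in this post and flags the superseded KB3148812.
# It only reads the hotfix list; nothing is installed or changed.
function Test-WsusWin10Prerequisites {
    param([string]$ComputerName = $env:COMPUTERNAME)   # remote name is optional

    # KB numbers and purposes as given in the post.
    $required = [ordered]@{
        'KB3095113' = 'Windows 10 Upgrades classification in the WSUS catalog'
        'KB3159706' = 'ESD support for 1607 and newer (manual post-install steps required)'
    }

    $installed = Get-HotFix -ComputerName $ComputerName |
                 Select-Object -ExpandProperty HotFixID

    foreach ($kb in $required.Keys) {
        [pscustomobject]@{
            ComputerName = $ComputerName
            Update       = $kb
            Purpose      = $required[$kb]
            Installed    = ($installed -contains $kb)
        }
    }

    if ($installed -contains 'KB3148812') {
        Write-Warning 'KB3148812 is installed: it is replaced by KB3159706. Install KB3159706 on top of it and do not skip its manual steps.'
    }
}

Test-WsusWin10Prerequisites | Format-Table -AutoSize
```

A row with Installed False for either KB means the WSUS catalog should not be synced yet; the check says nothing about whether the manual post-install steps for KB3159706 were completed, so verify those against the KB article.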
Wednesday, August 24, 2016
Virtualization based security (Device Guard, Credential Guard) vs. VMware Workstation
Recently a customer asked me about the coexistence of the new Microsoft security features like Credential Guard and Device Guard with VMware Workstation, which they need for some locally used VMs for application compatibility: those VMs run older OSes and need specific interface types like COM ports or USB for their machine diagnostic software.
So the basic question is: can virtualization based security in Windows 10, which uses Client Hyper-V underneath, coexist with VMware Workstation?
If you need to know more about Credential Guard, check this here: https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard
I took the question to MS, and the clear answer currently is:
This is CURRENTLY not supported! (as of the Redstone 1 build release in 08/2016)
They are aware of this issue and are looking to solve it at some point in time.
The main reason for this is that Client Hyper-V and VMware Workstation each occupy the hardware virtualization extensions (like IOMMU or VT-x) exclusively.
In this case nested virtualization does not work. You can find more info on nested virtualization here:
https://msdn.microsoft.com/en-us/virtualization/hyperv_on_windows/user_guide/nesting
Also running other virtualization solutions like VirtualBox in a Hyper-V VM that supports nested virtualization is currently not supported! Some VMware Workstation users tried that recently, as reported in forums, and ended up with bluescreens. Check out this here: https://communities.vmware.com/thread/528385?start=0&tstart=0
When you need VMs with older OSes for app compat, you currently have these options:
- Use Client Hyper-V for virtualization and explore the improved interface mappings like COM port or USB port redirection. To check out the new possibilities read this here: https://technet.microsoft.com/en-us/windows-server-docs/compute/hyper-v/learn-more/use-local-resources-on-hyper-v-virtual-machine-with-vmconnect
  For COM ports this may also help: https://blogs.technet.microsoft.com/jeff_stokes/2013/05/06/how-to-redirect-serial-ports-in-windows-server-2012-rdsvdi/
  Or make use of terminal server devices with physical COM port redirection via TCP/IP like these here: http://www.fabulatech.com/serial-port-redirector.html There are a couple of different vendors available.
- A few other virtualization applications have an "emulator" mode. This mode doesn't require hardware virtualization extensions, but their performance is mostly really bad.
- Disable Credential Guard and Device Guard, and run a different virtualization technology.
So my recommendation is: give Client Hyper-V another try :-)
Hyper-V has been developed further over the last years and is now really on par with VMware virtualization. In some points it's even better :-)
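As an added example (not from the original post, nor from Microsoft or VMware), here is a read-only PowerShell report that shows whether virtualization based security, Credential Guard and HVCI are actually running on a Windows 10 machine and whether a hypervisor already owns the hardware virtualization extensions. That is the state you want to know before deciding between the options above. It assumes Windows 10 1607 (Redstone 1) or later, where the Win32_DeviceGuard class exists.

```powershell
# Added example: reports whether virtualization based security, Credential Guard
# and HVCI are running, and whether a hypervisor already owns VT-x / AMD-V.
# Read-only; requires Windows 10 1607 (RS1) or later.
function Get-VbsCoexistenceStatus {
    # Win32_DeviceGuard exposes the VBS state.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction Stop

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'Not enabled' }
        1       { 'Enabled, not running' }
        2       { 'Running' }
        default { 'Unknown' }
    }

    # SecurityServicesRunning lists the running services: 1 = Credential Guard, 2 = HVCI
    $running = @($dg.SecurityServicesRunning)

    # HypervisorPresent is true when Hyper-V (the VBS hypervisor) has claimed the
    # hardware virtualization extensions, which is exactly what VMware Workstation also needs.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    [pscustomobject]@{
        ComputerName               = $cs.Name
        VbsStatus                  = $vbs
        CredentialGuardRunning     = ($running -contains 1)
        HvciRunning                = ($running -contains 2)
        HypervisorPresent          = $cs.HypervisorPresent
        ThirdPartyHypervisorUsable = -not $cs.HypervisorPresent
    }
}

Get-VbsCoexistenceStatus | Format-List
```

If VbsStatus is Running and HypervisorPresent is True, the conflict described above applies and Client Hyper-V is the virtualization option that keeps Credential Guard in place.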
Wednesday, August 17, 2016
Mobile Device Management - simplified joining options
With 1607 the options to join MDM while joining Active Directory or Azure AD were simplified a lot, so you no longer need to check two different options.
So it is best to prepare your Azure AD with the right options first and enable automatic MDM enrollment there.
See here:
https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/
From a user perspective you now have four major options, described further here:
https://msdn.microsoft.com/en-us/library/windows/hardware/dn925028(v=vs.85).aspx
The options so far are:
Corporate owned - Active Directory
Corporate owned - Azure Active Directory
Private owned - Azure Active Directory
Independent - MDM using a deeplink
Thursday, July 14, 2016
Azure AD Connect: Synced attributes
I am asked from time to time which attributes are synced to Azure AD through the Azure Active Directory Connect tool.
In general it's just selected user, group and contact information.
Here you find a list of synced attributes:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnectsync-attributes-synchronized
Depending on Windows 10 features, a few machine attributes are also synced to Azure AD. This is necessary for specific scenarios like Passport for Work and requires current Windows 10 builds (build 10551 or newer) on the devices:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-devices-group-policy/
Be careful, and don't think you know what you are doing by partially not syncing them. Depending on the services, they are really necessary. E.g. Exchange on-premises stores a lot of information in AD, and so does Exchange Online. Therefore these attributes are necessary for proper function.
Unless you are the developer of the cloud application, like Exchange Online, you are not the one to judge whether an attribute is necessary for correct function or not.
So either you feel comfortable with the attributes, or just don't use Azure AD at all. Everything else will just mess up the AAD information, and the cloud applications will not work properly.
Azure AD also stores BitLocker keys, but only for Azure AD joined machines.
https://blogs.technet.microsoft.com/home_is_where_i_lay_my_head/2016/03/14/automatic-bitlocker-on-windows-10-during-azure-ad-join/