How-To

Resources for Windows Analytics


I’m often asked for a set of resources to get started with or to understand the Windows Analytics toolset.  Below is a collection of my favorite resources, which I may update from time to time.

  1. Windows Analytics accelerates enterprise Windows 10 migration. With Update Compliance and Device Health services now generally available, Windows Analytics provides an end-to-end upgrade solution with actionable insights into device performance, reliability, and health, so enterprises can broadly migrate their devices from Windows 7 or Windows 8 to Windows 10 or update Windows 10 devices to the latest feature update (Windows 10, version 1709) quickly and with confidence.
    http://blogs.windows.com/business/2017/12/12/accelerate-windows-10-migration-windows-analytics
  2. Register today for exclusive access to a one-hour, demo-rich webcast showcasing solutions that can help you monitor and proactively improve your experience with Windows 10 upgrades, update deployment, and device management.
    https://blogs.technet.microsoft.com/windowsitpro/2017/10/12/webcast-qa-proactive-insights-with-windows-analytics
  3. Have you heard of the new Upgrade Analytics service to help in your application compatibility planning and readiness?  If not, a Microsoft Mechanics video (6 minutes) was created to highlight and showcase the technology. Read more and watch at:
    https://technet.microsoft.com/en-us/windows/mt743627
  4. Videos and setup guides for Upgrade Readiness in the Windows Analytics suite.  Includes jump points to technical documentation on prerequisites, etc.
    https://blogs.technet.microsoft.com/windowsitpro/2017/06/07/setup-guides-for-windows-analytics-upgrade-readiness
  5. A demo from Microsoft Mechanics walks you through common usage scenarios for Windows Analytics Update Compliance, a cloud-based solution that provides you with an inventory of the devices in your organization, the version of Windows installed on each device, the update status of each device, and antimalware assessment for Windows Defender Antivirus-enabled devices.
    https://blogs.technet.microsoft.com/windowsitpro/2017/08/10/new-demo-windows-analytics-update-compliance
  6. In January an “Ask Microsoft Anything” (AMA) about Windows Analytics was held. Members of the engineering and product teams answered questions and listened to feedback about Upgrade Readiness, Update Compliance, Device Health, and the future roadmap for Windows Analytics. Those conversations were recorded and can be found at the Tech Community link below.
    https://techcommunity.microsoft.com/t5/Windows-Analytics-AMA/bd-p/WindowsAnalyticsAMA
  7. Discussion about pricing of OMS for Windows Analytics.
    https://techcommunity.microsoft.com/t5/Windows-10/What-are-our-pricing-options-for-OMS-to-for-Windows-10-upgrade/m-p/107869/highlight/true
  8. Announcing Delivery Optimization Insights for Windows Analytics: Update Compliance
    https://blogs.technet.microsoft.com/upgradeanalytics/2017/12/17/announcing-post-upgrade-insights-in-upgrade-readiness
  9. Windows Analytics utilizes Operations Management Suite (OMS) workspaces with Log Analytics.  OMS requires an Azure subscription (which can be free).  The following guide covers how to create the OMS=>Azure association for two scenarios: (1) your organization is new to Microsoft Azure and you just want to use Upgrade Analytics, and (2) your company is already using an Azure subscription and you want to create an OMS workspace for Upgrade Analytics under your Azure subscription.
    https://blogs.technet.microsoft.com/upgradeanalytics/2016/11/08/linking-operations-management-suite-workspaces-to-microsoft-azure
  10. Detailed information on how Upgrade Readiness collects application inventory for your OMS workspace.  Includes info about data collection, appraiser updates, best practices, and troubleshooting!
    https://techcommunity.microsoft.com/t5/Windows-Analytics-Blog/How-Upgrade-Readiness-collects-application-inventory-for-your/ba-p/213586

Last updated: 7/10/2018

Evaluating Windows Defender Antivirus with ConfigMgr


A standard in today’s threat landscape is to not rely on antivirus alone; other mechanisms of endpoint security should be in place to mitigate threats.  However, having a solid AV is still beneficial. In the past year, Windows Defender Antivirus (WDAV) in Windows 10 and Server 2016 has made great strides to provide next-generation antivirus protection.  More and more organizations are beginning to realize this and consider using it to displace their age-old, costly platforms.

If you’re in the same position and are wondering how you might approach an evaluation of WDAV, consider the following high-level steps as I envision them.  First and foremost, however, Microsoft has also published prescriptive guidance for evaluating WDAV outside of ConfigMgr, including a downloadable PDF.  I recommend reviewing that information in its entirety before taking action. It is also highly advised that you watch the recent session from Ignite 2017 – Next-Gen AV: Windows Defender Antivirus unleashed – BRK3063.

  1. Upgrade ConfigMgr to the current branch model to support the latest Windows 10 releases (note: please first ensure that you’re licensed for ConfigMgr current branch!!)
  2. Review and pre-determine the desired WDAV settings, such as:
    • Network bandwidth to override any BITS restrictions – note that any BITS settings defined in these client settings will override other client settings only if given a higher priority, and will impact the rest of the BITS configurations
    • Auto-uninstall other AV products
    • Real-time protection exclusions (ConfigMgr has templates available as well)
    • WDAV specific capabilities available in Win10 1703, such as:
      • Cloud protection options
      • Potentially unwanted programs
      • WDAV offline scanning
      • End-user interactions with the WDAV interface
      • End-user notifications
  3. Follow the 5 steps outlined for setup of ConfigMgr for WDAV management, which includes instructions for both server and clients, but does not include common instructions such as using collections, reporting, or setup of RBAC
    https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection-configure
  4. Additional ConfigMgr server/client setup considerations:
  5. Optional: Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment
    https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus

To test the WDAV deployment and functionality:

  1. Assign the WDAV ConfigMgr client policy to the collection
  2. Ensure policy is delivered and has the appropriate priority to take effect
  3. Verify prior AV is uninstalled and WDAV becomes active
  4. Monitor the user experience as well; one potential risk is that the uninstall of the prior AV may need a restart of Windows to ‘unload’ executions in memory
  5. Perform AV protection tests as desired using the WDAV testground (hosted by Microsoft) as well as other standard testing by your security personnel
  6. Review alerts in the ConfigMgr console and reports
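
A client-side check for steps 3 and 4 above, added here as an example and not part of the original post: it evaluates the output of Get-MpComputerStatus and the AV products registered in the root/SecurityCenter2 WMI namespace (available on client editions of Windows). The function name Test-WdavActive and the signature-age threshold are assumptions.

```powershell
# Added example: decide whether WDAV is the active, healthy AV on a test client.
# Test-WdavActive and $MaxSignatureAgeDays are hypothetical, not ConfigMgr features.
function Test-WdavActive {
    param(
        [Parameter(Mandatory)] $Status,     # object shaped like Get-MpComputerStatus output
        [object[]] $RegisteredAv = @(),     # objects shaped like SecurityCenter2 AntiVirusProduct
        [int] $MaxSignatureAgeDays = 3      # assumed threshold for "current" definitions
    )
    $findings = New-Object System.Collections.Generic.List[string]

    if (-not $Status.AMServiceEnabled)          { $findings.Add('Antimalware service is not enabled') }
    if (-not $Status.AntivirusEnabled)          { $findings.Add('Antivirus engine is not enabled') }
    if (-not $Status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off') }
    if ($Status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings.Add("Signatures are $($Status.AntivirusSignatureAge) days old")
    }

    # Any product other than Defender still registered means the prior AV
    # was not fully removed (or is waiting on the restart noted in step 4).
    foreach ($av in $RegisteredAv) {
        if ($av.displayName -notmatch 'Defender') {
            $findings.Add("Other AV still registered: $($av.displayName)")
        }
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

# Constructed sample: real-time protection off and a leftover third-party product.
$sampleStatus = [pscustomobject]@{
    AMServiceEnabled          = $true
    AntivirusEnabled          = $true
    RealTimeProtectionEnabled = $false
    AntivirusSignatureAge     = 0
}
$sampleAv = @(
    [pscustomobject]@{ displayName = 'Windows Defender' },
    [pscustomobject]@{ displayName = 'Contoso AV (constructed)' }
)
Test-WdavActive -Status $sampleStatus -RegisteredAv $sampleAv | Format-List

# Live check on a Windows 10 test client in the pilot collection.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct `
                          -ErrorAction SilentlyContinue
    Test-WdavActive -Status (Get-MpComputerStatus) -RegisteredAv @($av) | Format-List
}
```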

Note: to learn more about security defense in depth, see some of these recent sessions.

ConfigMgr Report for Antimalware Policies


Let’s say for a moment that your organization uses SCCM for management of Windows Defender Antivirus (WDAV in Windows 10, Server 2016) or System Center Endpoint Protection (SCEP for legacy platforms).  Currently in SCCM (1706 or older) the only out-of-box mechanism to identify and report upon the antimalware policies being applied to a computer is through the SCCM console, such as in the image below.

ConsoleAntimalwarePolicies

What if the organization has a separate team or individual that needs that data – but you don’t want to provide them with the SCCM console?  You give them a report of course!  This quick guide will show you key things to do to obtain that info. The key steps are:

  1. Identify the SQL views being referenced by the SCCM console.
  2. Grant read permission of the SQL view to the SSRS reporting service account.
  3. Create the SSRS report.

Step 1: Identify the SQL views being referenced by the SCCM console.

  1. In the SCCM console, open the Antimalware Policies tab on the computer record
  2. Open the site server log SMSProv.log (and scroll to the end)
  3. Find the correlating “Execute SQL=” query to identify the SQL view(s) being used

    FindSQLqueryView
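
One way to script step 3 above, added here as an example and not part of the original post: it pulls the most recent “Execute SQL” entries from SMSProv.log and lists the views named after FROM/JOIN, so you know exactly which objects need a SELECT grant and nothing more. The helper name Get-SmsProvSqlView is hypothetical and the sample log lines are constructed.

```powershell
# Added example: list the SQL views referenced by recent SMS Provider queries.
# Get-SmsProvSqlView is a hypothetical helper name.
function Get-SmsProvSqlView {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string[]] $Line,  # raw log lines
        [int] $Last = 5                                              # newest N queries to report
    )
    $Line |
        Where-Object { $_ -match 'Execute SQL\s*=' } |
        Select-Object -Last $Last |
        ForEach-Object {
            # Keep only the statement text after "Execute SQL ="
            $sql = ($_ -split 'Execute SQL\s*=', 2)[1]
            # Drop trailing "$$<component><timestamp>..." log metadata if present
            $sql = ($sql -split '\$\$<', 2)[0].Trim()

            # ConfigMgr view names start with "v" (v_R_System, vSMS_G_SYSTEM_...)
            $views = [regex]::Matches($sql, '(?i)\b(?:from|join)\s+(?:\[?dbo\]?\.)?\[?(v\w+)\]?') |
                ForEach-Object { $_.Groups[1].Value } |
                Sort-Object -Unique

            [pscustomobject]@{
                Views = @($views) -join ', '
                Sql   = $sql
            }
        }
}

# Constructed sample lines in the general shape of SMSProv.log entries.
$sampleLog = @(
    'Context: SMSAppName=Configuration Manager Administrator console~  $$<SMS Provider><constructed>',
    'Execute SQL =select all APS.Name,APS.Priority from vSMS_G_SYSTEM_AmPolicyStatus AS APS where APS.MachineID = 16777220~  $$<SMS Provider><constructed>',
    ''
)
Get-SmsProvSqlView -Line $sampleLog | Format-List

# Against the real log on the site server (replace the placeholder path):
# Get-SmsProvSqlView -Line (Get-Content '<ConfigMgr install dir>\Logs\SMSProv.log')
```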

Step 2: Grant read permission of the SQL view to the SSRS reporting service account.

  1. Identify the service account being used by SCCM for SSRS reporting
    Tip: navigate to Administration > Security > Accounts, then locate the account being used for “ConfigMgr Reporting Services Point”
  2. Open SQL Management Studio (with a user account that has permissions to modify SQL permissions) and select the SCCM database
  3. Run the following GRANT command against the SCCM database
    GRANT SELECT ON [dbo].[vSMS_G_SYSTEM_AmPolicyStatus] TO [DOMAIN\user];

GrantSQLview

Step 3: Create the SSRS report.

First off, there are many different ways that you can design the report.  To mimic what the SCCM console does, I used an existing report with a selection box for the Computer Name, then just modified the executing query.

    1. Used report “Computer information for a specific computer” as an example baseline for selecting the computer name for a variable.
    2. Create a new report (using SQL Report Builder) to mimic the above report with the appropriate Data Source, Data Set(s), and Parameters

      AntimalwareReportBuilder

    3. Modified the SQL query to use the following code
SELECT APS.Name, APS.Priority, APS.LastMessageTime, @variable AS 'Computer Name'
FROM vSMS_G_SYSTEM_AmPolicyStatus as APS
JOIN v_R_System as SYS on APS.MachineID = SYS.ResourceID
WHERE SYS.Name0 = @variable
    4. Test execute the report to confirm the results
      Tip: in Report Builder, click the Run button on the Home tab
    5. Save, finish, and report!

AntimalwareReportResults

Creating Your Own Custom ConfigMgr 2012 Compliance Packs


This demonstration will show you how to create your own custom compliance packs to import into ConfigMgr 2012/R2.

  1. First, download and install the Microsoft Security Compliance Manager (SCM) solution accelerator.  Note that this can easily be installed on your workstation computer; it does not need to be on a Windows Server.  Also, a version of SQL (including the Express edition) needs to be installed locally as a prerequisite.
    http://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx
    scm01
    scm02
  2. When SCM has been launched for the first time, it will check for, download, and import baselines.
    scm03
  3. However, newer baselines will still be missing.  Select the option to download baselines automatically.
    scm04
    scm05
  4. From the available products and baseline options, multi-select the desired configuration items, then export to SCCM DCM 2007 (.cab) – even for ConfigMgr 2012/R2!
    scm06
  5. Next, store/save a copy of the .cab file where it can be easily imported into ConfigMgr.  If you’ve made a “complex” DCM, then I recommend ensuring that you’ve either created instructions on how to rebuild the cab, or retain/backup the original file.
  6. In the ConfigMgr console for Compliance Settings > Configuration Items, select to Import Configuration Data.
    scm07
  7. In the wizard, click the Add button to include the baseline(s) that have been created and are ready for import.  Then complete the remainder of the wizard.
    scm06b
  8. Note that with the imported configuration data, the baseline(s) are automatically created as well.
    scm09
  9. Finally, deploy the baseline(s) to the desired collection of systems.
    scm10

And that’s all there is to quickly using SCM for creating your own compliance packs for ConfigMgr 2012/R2!

App-V 5.0 Standalone – How to Activate Deployment Scripts


This is the walk-through in preparation for demonstrations from my Microsoft Master webcast on App-V 5.0 scripting.  For the full webcast information, visit https://t3chn1ck.wordpress.com/2014/02/03/playback-of-microsoft-master-app-v-5-0/.

This demo will show how to “activate” a deployment script (which may contain either user or global/PC scripts) that you may have added to the DeploymentConfig.xml of an App-V package.

  1. In your App-V web console, locate the package and click Edit
    appv-dep-scripts01
  2. For the deployed user or computer group, click Edit Default Config
    Note: do not select the drop-down option for “Custom” as this is only for activating UserScripts
    appv-dep-scripts02
  3. On the Default Configuration pane, select Advanced from the left-side menu, then click Import and Overwrite this Configuration
    appv-dep-scripts03
  4. Locate and open the DeploymentConfig.xml
    Important: due to some irregularities with Silverlight, after opening the XML, the console may revert back to the main package administration pane.  You’ll need to navigate back to the Advanced configuration (e.g. repeat steps 1-3 above).
    appv-dep-scripts04
  5. In the window, select to Overwrite the configuration
    appv-userscripts05

App-V 5.0 Standalone – How to Activate User Scripts


This is the walk-through in preparation for demonstrations from my Microsoft Master webcast on App-V 5.0 scripting.  For the full webcast information, visit https://t3chn1ck.wordpress.com/2014/02/03/playback-of-microsoft-master-app-v-5-0/.

This demo will show how to “activate” a user script that you may have added to the UserConfig.xml of an App-V package.

  1. In your App-V web console, locate the package and click Edit

    appv-userscripts01

  2. For the deployed user group, select the drop-down option for “Custom” and click Edit

    appv-userscripts02

  3. On the Custom Configuration pane, select Advanced from the left-side menu, then click Import and Overwrite this Configuration

    appv-userscripts03

  4. Locate and open the UserConfig.xml
    Important: due to some irregularities with Silverlight, after opening the XML, the console may revert back to the main package administration pane.  You’ll need to navigate back to the Advanced configuration (e.g. repeat steps 1-3 above).

    appv-userscripts04

  5. In the window, select to Overwrite the configuration

    appv-userscripts05

App-V 5.0 Demo – Application Shims


This is the walk-through for demo #2 in my Microsoft Master webcast on App-V 5.0 scripting.  For the full webcast information, visit https://t3chn1ck.wordpress.com/2014/02/03/playback-of-microsoft-master-app-v-5-0/.

This demo is on scripting the install of an application shim (for app compatibility) when an App-V package is published to a system.  For this example, I used an all-time favorite software of mine … SMS Installer.

1) SMS Installer requires elevated rights in order to execute.  So if the user is a non-admin such as for my demos, they cannot use the software.  Below is the screen shot of how this gets blocked.  Even if your end users have elevated rights themselves, you may be able to use a shim to correct any UAC elevation prompts.  Additionally, you can see the “shield” on the shortcut.

smsinst-demo01

2)  Create shim with the Application Compatibility Toolkit – for more info on this process of creating a shim, visit http://spablog.ontrex.ch/2013/04/23/shims-and-app-v-5-0/

  • SMSINS32.exe
  • Run As Invoker
  • ForceAdminAccess

smsinst-demo02

3)  Add the shim into the package scripts

smsinst-demo03

4)  Update the DeploymentConfig.xml file from the package to install the shim


<MachineScripts>
  <PublishPackage>
    <Path>sdbinst.exe</Path>
    <Arguments>/q "[{AppVPackageRoot}]\..\Scripts\shim.sdb"</Arguments>
    <Wait RollbackOnError="true" Timeout="30"/>
  </PublishPackage>
</MachineScripts>

5)  Add the new application into ConfigMgr and publish to user.  For more info on doing this process, see an example from https://t3chn1ck.wordpress.com/2014/02/05/app-v-5-0-demo-uninstall-a-native-application/

6)  Voila!  You can now see that the “shield” is no longer on the shortcut and that the application runs successfully!

smsinst-demo04

App-V 5.0 Demo – Uninstall a Native Application


This is the walkthrough for demo #1 in my Microsoft Master webcast on App-V 5.0 scripting.  For the full webcast information, visit https://t3chn1ck.wordpress.com/2014/02/03/playback-of-microsoft-master-app-v-5-0/.

This demo is on uninstalling native (local) applications when an App-V package is added to a system.  For this example, I used 7-zip.

1)  First, sequence your application (7-zip).  Nothing special to do, just make sure it’s been done ;-)

2)  Create a .bat file to perform the uninstall of the software.  In this case, I just looked up the GUID of the package to have msiexec perform the uninstall and added an extra step to then echo “Removed 7zip” into a text file for evidence that the script executed.  So my batch file looks like below.

Note that you don’t necessarily have to do this uninstall as simply as I have, or even use a .bat script.  It could be VBScript.  Or PowerShell.  And/or include any custom checks to make sure it gets removed.  And the options go on.


MsiExec.exe /x {23170F69-40C1-2702-0920-000001000000} /qb

echo Removed 7zip >> C:\uninst_7zip.txt

3)  Save your .bat file onto a server share.  This share needs to have read, list, execute rights for all users and all computers of the domain.  In my examples, I essentially just had the share as \\server\AppV_Scripts\ which I can use for other scripts and whatnot.

4)  Edit the DeploymentConfig.xml file of the AppV package.  What we want to do is

  1. Locate the <MachineScripts> section – uncomment the blocked text so it can be used
  2. Locate the <AddPackage> element and delete the rest of the elements
  3. Set the <Path> to execute cmd.exe on the system
  4. Set the <Arguments> to run the .bat file on the server; if you’re unaware, /c tells cmd.exe to “run this command”, which would then be your \\server\share\script.bat

<!-- Machine Scripts Example - customize and uncomment to use machine scripts -->
<MachineScripts>
<AddPackage>
<Path>cmd.exe</Path>
<Arguments>/c \\alderaan2\appv_scripts\uninst_7zip.bat</Arguments>
<Wait RollbackOnError="true" Timeout="30"/>
</AddPackage>
</MachineScripts>

5)  Now we’ll add the package into ConfigMgr as an Application.  Note that ConfigMgr will choose the most recently modified Config.xml file to use for the Deployment Type.

  1. Add a new Application
    7zip-demo-01
  2. Select to add an App-V 5.0 package and select the .appv file
    7zip-demo-02
  3. Complete the wizard
  4. Using standard ConfigMgr procedures, deploy the application to the desired user collection (or computer)
  5. Run the application from the targeted user’s Application Catalog
    7zip-demo-03
  6. Watch the local system as the natively installed application is removed and replaced by the AppV package!
  7. Then check C:\ for the presence of the uninst_7zip.txt file, giving further proof that the script executed!
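
Machine scripts such as <AddPackage> run under the Local System account, so the .bat on the share from step 3 should be readable by everyone but writable only by administrators. The following check is an added example, not part of the original post; the function name Get-UntrustedWriteAce and the trusted-identity list are assumptions, and the demo file is constructed.

```powershell
# Added example: report NTFS ACEs that let non-trusted identities modify a
# deployment script or the folder it lives in.
# Get-UntrustedWriteAce and the $Trusted default are hypothetical.
function Get-UntrustedWriteAce {
    param(
        [Parameter(Mandatory)][string] $Path,   # e.g. \\server\AppV_Scripts\uninst_7zip.bat
        [string[]] $Trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )
    # Rights that allow changing or replacing the script (read/execute bits excluded)
    $writeBits = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # Also catch raw GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) ACEs
    $mask = [int]$writeBits -bor 0x40000000 -bor 0x10000000

    # Check the file and its parent folder: write access on the folder is
    # enough to replace the file.
    foreach ($target in @($Path, (Split-Path -Path $Path -Parent))) {
        foreach ($ace in (Get-Acl -LiteralPath $target).Access) {
            if ($ace.AccessControlType -ne 'Allow')             { continue }
            if ($Trusted -contains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $mask) -ne 0) {
                [pscustomobject]@{
                    Target   = $target
                    Identity = $ace.IdentityReference.Value
                    Rights   = $ace.FileSystemRights
                }
            }
        }
    }
}

# Constructed demo: a file under %TEMP% normally inherits FullControl for the
# current user, so it is reported as a finding.
$demoDir = Join-Path $env:TEMP 'appv_scripts_demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$demoBat = Join-Path $demoDir 'uninst_7zip.bat'
Set-Content -LiteralPath $demoBat -Value 'echo constructed sample'
Get-UntrustedWriteAce -Path $demoBat | Format-Table -AutoSize

# On the real share, no rows should come back:
# Get-UntrustedWriteAce -Path '\\server\AppV_Scripts\uninst_7zip.bat'
# Share-level permissions are separate; review them on the file server with
# Get-SmbShareAccess -Name 'AppV_Scripts'
```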

App-V 5.0: Sequencing Visual Studio 2012


The sequencing of Visual Studio 2012 does NOT seem to have been successfully accomplished by many people (at least not online that I can find!).  This recipe is a conglomeration of tips, tricks, fixes, and other recipes found on the web.  Hopefully it works for you too!

Notice: Visual Studio takes a long time to sequence.  At times, it will appear that the sequencer is ‘hung’.  In reality, this is normal so DO NOT terminate the window or otherwise start over.  Just allow for time (even up to 15 minutes) for the processing to complete.  An additional reference for virtualization can be found at http://social.technet.microsoft.com/Forums/en-US/7e93e525-31ed-43fc-8415-88a12766d2c2/how-to-sequence-visual-studio-2012-in-microsoft-application-virtualization-46-sp2

Prerequisites

  1. Pre-download the most recent Visual Studio 2012 Update
    1. Save into the source files
    2. Extract files to a folder in the AppV source files
    3. Update the CustomSetup.bat to call this
  2. Ensure VM has at least 45 GB disk
  3. Download the MVLS edition of VS then copy the installer and all subdirectories to a local folder
  4. Create an AdminDeployment.xml that sets SharePoint tools and SQL to not install (such as the code snippets below)
         <SelectableItemCustomization Id="SharepointTools" Hidden="no" Selected="no"/>
         <SelectableItemCustomization Id="SQL" Hidden="no" Selected="no" />
  5. Install Microsoft .NET Framework 4.5 on the Sequencer machine. Using Microsoft Update, install all updates for .NET Framework 4.5
  6. Install IIS Express 8 (from iisexpress_8_0_RTM_x64_en-US.exe)
  7. Open an Administrator Command Prompt and run:
    1. C:\Windows\microsoft.net\framework\v4.0.30319\ngen.exe executeQueuedItems
    2. C:\Windows\microsoft.net\framework64\v4.0.30319\ngen.exe executeQueuedItems
  8. On Windows 7, disable the services:
    1. “Microsoft .NET Framework NGEN v4.0.30319_32”
    2. “Microsoft .NET Framework NGEN v4.0.30319_64”
  9. Open Regedit.exe, change the Permissions of the two following registry keys, granting Full Access to the Administrators group
    1. HKLM\System\CurrentControlSet\Services\DcomLaunch
    2. HKLM\System\CurrentControlSet\Services\RpcSS
  10. Restart Windows
  11. Now is a good time to make a snapshot/checkpoint :-)

Sequencing

vs12-01

CustomSetup.bat will do the following:

  1. Unattended install of the MVLS copy of Visual Studio 2012 Pro
  2. Disable prompt to download/install local help files on software first run
  3. Install help files

"%~dp0vs_professional.exe" /passive /adminfile "%~dp0AdminDeployment.xml"

:: Disable prompt to download/install local help files on first run
reg add HKLM\SOFTWARE\Wow6432Node\Microsoft\VisualStudio\11.0\Help /v DisableFirstRunHelpSelection /t reg_dword /d 1 /f

:: Install help files
:: Note this is disabled due to space constraints but could potentially be enabled
:: "C:\Program Files (x86)\Microsoft Help Viewer\v2.0\hlpctntmgr.exe" /operation install /catalogname VisualStudio11 /locale en-us /sourceuri \\ServerShareWhatever\VS2012Documentation\helpcontentsetup.msha

:: Fix for IEXPlorer
:: The key path contains a space, so it is quoted.
:: Assumes the standard App Paths layout: (Default) = full path to the executable, Path = its folder
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE" /ve /t REG_SZ /d "c:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" /f
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE" /v Path /t REG_SZ /d "c:\Program Files (x86)\Internet Explorer" /f

vs12-02

Visual Studio 2012 Professional

C:\Program Files (x86)\Microsoft Visual Studio 11.0

vs12-03

After the install completes, do not close the sequencer, but just restart Windows and login.  The sequencer will resume.

Run the latest update that was downloaded as part of the prerequisite steps

vs12-04

After the install completes, do not close the sequencer, but just restart Windows and login.  The sequencer will resume.

Locate the Developer Command Prompt and do a Run as Admin

vs12-05

Run regedit.exe

vs12-06

Delete the value of SetupCommandLine in HKLM\SOFTWARE\Wow6432Node\Microsoft\VisualStudio\11.0

vs12-07

Done installing

vs12-08

Do not run anything

vs12-09

vs12-10

Stop Now

vs12-11

vs12-12

Locate and delete the following in the VFS

  1. [{AppVPackageRoot}]\Common7\IDE\Extensions\random.folder\package\services\digital-signature\_rels
  2. [{AppVPackageRoot}]\Common7\IDE\Extensions\random.folder\_rels

vs12-13

vs12-15

(Optional step, but advisable for Standalone App-V 5.0 Infrastructure)

Add the .NET Framework 4.5, IIS Express 8.0 installers, and custom install.bat script (which just installs both items) into the scripts folder

vs12-14

Now save your package because it’s ready for deployment!!

If you did the optional step above, then edit the saved Deployment.xml file to run a user script for installing IIS Express 8.0 and .NET 4.5 locally

<UserScripts>
   <PublishPackage>
      <Path>cmd.exe</Path>
      <Arguments>/c [{AppVPackageRoot}]\..\Scripts\install.bat</Arguments>
      <Wait RollbackOnError="true" Timeout="600"/>
   </PublishPackage>
</UserScripts>

Additional Notes

When starting the software for the first time, select to use General Development Settings and to not install local help.

vs12-16

Create ConfigMgr Package for Office 365 Pro Plus


Quick guide to create an O365 Pro Plus (e.g. Click-To-Run) deployment with ConfigMgr

  1. Obtain the source files
    1. Download the Office Deployment Tool for Click-To-Run
    2. Run the wizard (or use a tool such as 7-zip) to extract Setup.exe
    3. Run setup.exe /download <path of Configuration.xml file>
  2. Create a configuration file based upon your desired configurations (or use the example below)
    http://community.office365.com/en-us/blogs/office_365_community_blog/archive/2013/03/06/office-365-proplus-administrator-series-client-deployment-options.aspx
  3. Create a ConfigMgr package with the setup.exe, configuration.xml file(s), and the downloaded Office folder
  4. Create a program for the package to run command line setup.exe /configure <path of Configuration.xml file>
    (setup will locate the source files within the Office folder)

Example configuration.xml file for deployment

<Configuration>
  <Add OfficeClientEdition="32" >
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
    </Product>
  </Add>
  <Updates Enabled="TRUE" />
  <Display Level="None" AcceptEULA="TRUE" />
  <Logging Name="O365ProPlusRetail.log" Path="%temp%" />
  <Property Name="AUTOACTIVATE" Value="1" />
</Configuration>

Below are some additional resources provided to me by a colleague which were of additional help.

  1. How to customize the xml: us/download/details.aspx?id=36778
  2. TechNet article on how to deploy it:  http://technet.microsoft.com/en-us/library/jj839718(v=office.15).aspx
  3. TechNet article on the /download and /configure commands:  http://technet.microsoft.com/en-us/library/jj219422(v=office.15).aspx