How-To

Resources for Windows Analytics

I’m often asked for a set of resources to get started with or to understand the Windows Analytics toolset. Below is a collection of my favorite resources, which I may update from time to time.

  1. Windows Analytics accelerates enterprise Windows 10 migration. With Update Compliance and Device Health services now generally available, Windows Analytics provides an end-to-end upgrade solution with actionable insights into device performance, reliability, and health, so enterprises can broadly migrate their devices from Windows 7 or Windows 8 to Windows 10 or update Windows 10 devices to the latest feature update (Windows 10, version 1709) quickly and with confidence.
    http://blogs.windows.com/business/2017/12/12/accelerate-windows-10-migration-windows-analytics
  2. Register today for exclusive access to a one-hour, demo-rich webcast showcasing solutions that can help you monitor and proactively improve your experience with Windows 10 upgrades, update deployment, and device management.
    https://blogs.technet.microsoft.com/windowsitpro/2017/10/12/webcast-qa-proactive-insights-with-windows-analytics
  3. Have you heard of the new Upgrade Analytics service to help in your application compatibility planning and readiness?  If not, a Microsoft Mechanics video (6 minutes) was created to highlight and showcase the technology. Read more and watch at:
    https://technet.microsoft.com/en-us/windows/mt743627
  4. Videos and setup guides for Upgrade Readiness in the Windows Analytics suite.  Includes jump points to technical documentation on prerequisites, etc.
    https://blogs.technet.microsoft.com/windowsitpro/2017/06/07/setup-guides-for-windows-analytics-upgrade-readiness
  5. A demo from Microsoft Mechanics walks you through common usage scenarios for Windows Analytics Update Compliance, a cloud-based solution that provides you with an inventory of the devices in your organization, the version of Windows installed on each device, the update status of each device, and antimalware assessment for Windows Defender Antivirus-enabled devices.
    https://blogs.technet.microsoft.com/windowsitpro/2017/08/10/new-demo-windows-analytics-update-compliance
  6. In January an “Ask Microsoft Anything” (AMA) about Windows Analytics was held. Members of the engineering and product teams answered questions and listened to feedback about Upgrade Readiness, Update Compliance, Device Health, and the future roadmap for Windows Analytics. Those conversations were recorded and can be found at the Tech Community link below.
    https://techcommunity.microsoft.com/t5/Windows-Analytics-AMA/bd-p/WindowsAnalyticsAMA
  7. Discussion about pricing of OMS for Windows Analytics.
    https://techcommunity.microsoft.com/t5/Windows-10/What-are-our-pricing-options-for-OMS-to-for-Windows-10-upgrade/m-p/107869/highlight/true
  8. Announcing Delivery Optimization Insights for Windows Analytics: Update Compliance
    https://blogs.technet.microsoft.com/upgradeanalytics/2017/12/17/announcing-post-upgrade-insights-in-upgrade-readiness
  9. Windows Analytics utilizes Operations Management Suite (OMS) workspaces with Log Analytics. OMS requires an Azure subscription (which can be free). The following guide covers how to create the OMS=>Azure association for two scenarios: (1) your organization is new to Microsoft Azure and you just want to use Upgrade Analytics, and (2) your company is already using an Azure subscription and you want to create an OMS workspace for Upgrade Analytics under your Azure subscription.
    https://blogs.technet.microsoft.com/upgradeanalytics/2016/11/08/linking-operations-management-suite-workspaces-to-microsoft-azure
  10. Detailed information on how Upgrade Readiness collects application inventory for your OMS workspace.  Includes info about data collection, appraiser updates, best practices, and troubleshooting!
    https://techcommunity.microsoft.com/t5/Windows-Analytics-Blog/How-Upgrade-Readiness-collects-application-inventory-for-your/ba-p/213586

Last updated: 7/10/2018

Evaluating Windows Defender Antivirus with ConfigMgr

A standard in today’s threat landscape is to not rely on antivirus alone; other mechanisms of endpoint security should be in place to mitigate threats. However, having a solid AV is still beneficial. In the past year, Windows Defender Antivirus (WDAV) in Windows 10 and Server 2016 has made great strides to provide next-generation antivirus protection. More and more organizations are beginning to realize this and are considering using it to displace their age-old, costly platforms.

If you’re in the same position and are wondering how you might approach an evaluation of WDAV, consider the following high-level steps as I envision them. First and foremost, however, Microsoft has also published prescriptive guidance for evaluating WDAV outside of ConfigMgr, including a downloadable PDF. I recommend reviewing that information in its entirety before taking action. It is also highly advised that you watch the recent session from Ignite 2017 – Next-Gen AV: Windows Defender Antivirus unleashed – BRK3063.

  1. Upgrade ConfigMgr to the current branch model to support the latest Windows 10 releases (note: please first ensure that you’re licensed for ConfigMgr current branch!!)
  2. Review and pre-determine the desired WDAV settings, such as:
    • Network bandwidth to override any BITS restrictions – note that any BITS settings defined in these client settings will override other client settings only if given a higher priority, and will impact the rest of the BITS configuration
    • Auto-uninstall other AV products
    • Real-time protection exclusions (ConfigMgr has templates available as well)
    • WDAV-specific capabilities available in Win10 1703, such as:
      • Cloud protection options
      • Potentially unwanted programs
      • WDAV offline scanning
      • End-user interactions with the WDAV interface
      • End-user notifications
  3. Follow the 5 steps outlined for setup of ConfigMgr for WDAV management, which includes instructions for both server and clients, but does not include common instructions such as using collections, reporting, or setup of RBAC
    https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection-configure
  4. Additional ConfigMgr server/client setup considerations:
  5. Optional: Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment
    https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus

To test the WDAV deployment and functionality:

  1. Assign the WDAV ConfigMgr client policy to the collection
  2. Ensure policy is delivered and has the appropriate priority to take effect
  3. Verify prior AV is uninstalled and WDAV becomes active
  4. Monitor the user experience; one potential risk is that the uninstall of the prior AV may require a restart of Windows to ‘unload’ its executables from memory
  5. Perform AV protection tests as desired using the WDAV testground (hosted by Microsoft) as well as other standard testing by your security personnel
  6. Review alerts in the ConfigMgr console and reports
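As an added example (not from the original post), the following PowerShell script checks steps 3 and 4 above on a client in the test collection: that the Defender engine and real-time protection are active, that no other AV product is still registered, whether a restart is pending, and what the cloud/PUA/exclusion settings resolved to. It assumes the Defender module (Get-MpComputerStatus / Get-MpPreference) is present, i.e. Windows 10 or Server 2016 with WDAV installed, and is run elevated.

```powershell
# Added example, not part of the original post: post-deployment WDAV check.
# Assumes Windows 10 / Server 2016 with the Defender PowerShell module available.
function Test-WdavDeployment {
    [CmdletBinding()]
    param()

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # Third-party AV products register in the Security Center namespace (workstation
    # SKUs only); after the uninstall step only Windows Defender should remain.
    # The query is wrapped because the namespace does not exist on Server SKUs.
    $registeredAv = @()
    try {
        $registeredAv = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' -ErrorAction Stop |
            Select-Object -ExpandProperty displayName
    } catch {
        Write-Verbose 'SecurityCenter2 namespace not available (expected on Server SKUs).'
    }
    $otherAv = @($registeredAv | Where-Object { $_ -notmatch 'Windows Defender' })

    # A pending reboot is the usual reason the old AV is "uninstalled" but still resident.
    $rebootPending = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'

    [PSCustomObject]@{
        ComputerName           = $env:COMPUTERNAME
        AMServiceEnabled       = $status.AMServiceEnabled
        AntivirusEnabled       = $status.AntivirusEnabled
        RealTimeProtection     = $status.RealTimeProtectionEnabled
        SignatureAgeDays       = $status.AntivirusSignatureAge
        CloudProtection        = $pref.MAPSReporting   # 0 = off, 1 = basic, 2 = advanced
        PUAProtection          = $pref.PUAProtection   # 0 = off, 1 = block, 2 = audit
        ExclusionPathCount     = @($pref.ExclusionPath).Count
        OtherAvStillRegistered = $otherAv
        RestartPending         = $rebootPending
        Healthy                = ($status.AMServiceEnabled -and $status.AntivirusEnabled -and
                                  $status.RealTimeProtectionEnabled -and $otherAv.Count -eq 0)
    }
}

Test-WdavDeployment | Format-List
```

Run it before and after the client policy lands; a device with Healthy = False and OtherAvStillRegistered populated, but RestartPending = True, is the restart case described in step 4 rather than a policy failure.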

Note: to learn more about security defense in depth, see some of these recent sessions.

ConfigMgr Report for Antimalware Policies

Let’s say for a moment that your organization uses SCCM for management of Windows Defender Antivirus (WDAV in Windows 10, Server 2016) or System Center Endpoint Protection (SCEP for legacy platforms).  Currently in SCCM (1706 or older) the only out-of-box mechanism to identify and report upon the antimalware policies being applied to a computer is through the SCCM console, such as in the image below.

[Screenshot: ConsoleAntimalwarePolicies]

What if the organization has a separate team or individual that needs that data – but you don’t want to provide them with the SCCM console?  You give them a report of course!  This quick guide will show you key things to do to obtain that info. The key steps are:

  1. Identify the SQL views being referenced by the SCCM console.
  2. Grant read permission on the SQL view to the SSRS reporting service account.
  3. Create the SSRS report.

Step 1: Identify the SQL views being referenced by the SCCM console.

  1. In the SCCM console, open the Antimalware Policies tab on the computer record
  2. Open the site server log SMSProv.log (and scroll to the end)
  3. Find the correlating “Execute SQL=” query to identify the SQL view(s) being used

    [Screenshot: FindSQLqueryView]

Step 2: Grant read permission on the SQL view to the SSRS reporting service account.

  1. Identify the service account being used by SCCM for SSRS reporting
    Tip: navigate to Administration > Security > Accounts, then locate the account being used for “ConfigMgr Reporting Services Point”
  2. Open SQL Management Studio (with a user account that has permissions to modify SQL permissions) and select the SCCM database
  3. Run the following GRANT command against the SCCM database
GRANT SELECT ON [dbo].[vSMS_G_SYSTEM_AmPolicyStatus] TO "DOMAIN\user"

[Screenshot: GrantSQLview]
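Before building the report, it is worth confirming that the GRANT above actually took effect for the reporting account rather than finding out from a failed report. The following PowerShell snippet is an added example (not from the original post): it impersonates the reporting login inside SQL Server and asks whether that login may SELECT on the view (and on v_R_System, which the report query joins). It assumes the SqlServer or SQLPS module for Invoke-Sqlcmd and a login with IMPERSONATE rights on the reporting account (a sysadmin has this); $SiteServer, $SiteDatabase and $ReportingAccount are placeholders.

```powershell
# Added example, not part of the original post: verify the SSRS account's SELECT right.
param(
    [string]$SiteServer       = 'SQLSERVER\INSTANCE',  # placeholder: site database server
    [string]$SiteDatabase     = 'CM_P01',              # placeholder: site database name
    [string]$ReportingAccount = 'DOMAIN\user'          # account from Administration > Security > Accounts
)

# EXECUTE AS LOGIN switches to the reporting login's security context; HAS_PERMS_BY_NAME
# then answers 1 (granted) or 0 (denied); REVERT restores the caller's context.
$query = @"
EXECUTE AS LOGIN = '$ReportingAccount';
SELECT HAS_PERMS_BY_NAME('dbo.vSMS_G_SYSTEM_AmPolicyStatus', 'OBJECT', 'SELECT') AS CanSelectView,
       HAS_PERMS_BY_NAME('dbo.v_R_System', 'OBJECT', 'SELECT') AS CanSelectSystem;
REVERT;
"@

$result = Invoke-Sqlcmd -ServerInstance $SiteServer -Database $SiteDatabase -Query $query

if ($result.CanSelectView -eq 1 -and $result.CanSelectSystem -eq 1) {
    Write-Host "$ReportingAccount can read both views; the report query will run."
} else {
    Write-Warning "Missing SELECT for $ReportingAccount - AmPolicyStatus=$($result.CanSelectView), v_R_System=$($result.CanSelectSystem)"
}
```

Granting SELECT on just this one view, as the post does, keeps the reporting account at the minimum it needs; this check also catches the case where the GRANT was run against the wrong database.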

Step 3: Create the SSRS report. First off, there are many different ways that you can design the report. To mimic what the SCCM console does, I used an existing report with a selection box for the Computer Name, then just modified the executing query.

    1. Use the report “Computer information for a specific computer” as an example baseline for selecting the computer name as a variable.
    2. Create a new report (using SQL Report Builder) to mimic the above report with the appropriate Data Source, Data Set(s), and Parameters

      [Screenshot: AntimalwareReportBuilder]

    3. Modify the SQL query to use the following code
SELECT APS.Name, APS.Priority, APS.LastMessageTime, @variable AS 'Computer Name'
FROM vSMS_G_SYSTEM_AmPolicyStatus as APS
JOIN v_R_System as SYS on APS.MachineID = SYS.ResourceID
WHERE SYS.Name0 = @variable
    4. Test execute the report to confirm the results
      Tip: in Report Builder, click the Run button on the Home tab
    5. Save, finish, and report!

[Screenshot: AntimalwareReportResults]

Creating Your Own Custom ConfigMgr 2012 Compliance Packs

This demonstration will show you how to create your own custom compliance packs to import into ConfigMgr 2012/R2.

  1. First, download and install the Microsoft Security Compliance Manager (SCM) solution accelerator. Note that this can easily be done from your workstation computer; it does not need to be on a Windows Server. Also, a version of SQL (including the Express edition) needs to be installed locally as a prerequisite.
    http://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx
    [Screenshot: scm01]
    [Screenshot: scm02]
  2. When SCM has been launched for the first time, it will check for, download, and import baselines.
    [Screenshot: scm03]
  3. However, newer baselines will still be missing.  Select the option to download baselines automatically.
    [Screenshot: scm04]
    [Screenshot: scm05]
  4. From the available products and baseline options, multi-select the desired configuration items, then export to SCCM DCM 2007 (.cab) – even for ConfigMgr 2012/R2!
    [Screenshot: scm06]
  5. Next, store/save a copy of the .cab file where it can be easily imported into ConfigMgr.  If you’ve made a “complex” DCM, then I recommend ensuring that you’ve either created instructions on how to rebuild the cab, or retain/backup the original file.
  6. In the ConfigMgr console for Compliance Settings > Configuration Items, select to Import Configuration Data.
    [Screenshot: scm07]
  7. In the wizard, click the Add button to include the baseline(s) that have been created and are ready for import.  Then complete the remainder of the wizard.
    [Screenshot: scm06b]
  8. Note that with the imported configuration data, the baseline(s) are automatically created as well.
    [Screenshot: scm09]
  9. Finally, deploy the baseline(s) to the desired collection of systems.
    [Screenshot: scm10]

And that’s all there is to quickly using SCM for creating your own compliance packs for ConfigMgr 2012/R2!

App-V 5.0 Standalone – How to Activate Deployment Scripts

This is the walk-through in preparation for demonstrations from my Microsoft Master webcast on App-V 5.0 scripting.  For the full webcast information, visit https://t3chn1ck.wordpress.com/2014/02/03/playback-of-microsoft-master-app-v-5-0/.

This demo will show how to “activate” a deployment script (which may contain either user or global/PC scripts) that you may have added to the DeploymentConfig.xml of an App-V package.

  1. In the App-V web console, locate the package and click Edit
    [Screenshot: appv-dep-scripts01]
  2. For the deployed user or computer group, click Edit Default Config
    Note: do not select the drop-down option for “Custom”, as this is only for activating User Scripts
    [Screenshot: appv-dep-scripts02]
  3. On the Default Configuration pane, select Advanced from the left-side menu, then click Import and Overwrite this Configuration
    [Screenshot: appv-dep-scripts03]
  4. Locate and open the DeploymentConfig.xml
    Important: due to some irregularities with Silverlight, after opening the XML the console may revert back to the main package administration pane. You’ll need to navigate back to the Advanced configuration (i.e. repeat steps 1-3 above).
    [Screenshot: appv-dep-scripts04]
  5. In the window, select to Overwrite the configuration
    [Screenshot: appv-userscripts05]

App-V 5.0 Standalone – How to Activate User Scripts

This is the walk-through in preparation for demonstrations from my Microsoft Master webcast on App-V 5.0 scripting.  For the full webcast information, visit https://t3chn1ck.wordpress.com/2014/02/03/playback-of-microsoft-master-app-v-5-0/.

This demo will show how to “activate” a user script that you may have added to the UserConfig.xml of an App-V package.

  1. In the App-V web console, locate the package and click Edit

    [Screenshot: appv-userscripts01]

  2. For the deployed user group, select the drop-down option for “Custom” and click Edit

    [Screenshot: appv-userscripts02]

  3. On the Custom Configuration pane, select Advanced from the left-side menu, then click Import and Overwrite this Configuration

    [Screenshot: appv-userscripts03]

  4. Locate and open the UserConfig.xml
    Important: due to some irregularities with Silverlight, after opening the XML the console may revert back to the main package administration pane. You’ll need to navigate back to the Advanced configuration (i.e. repeat steps 1-3 above).

    [Screenshot: appv-userscripts04]

  5. In the window, select to Overwrite the configuration

    [Screenshot: appv-userscripts05]

App-V 5.0 Demo – Application Shims

This is the walk-through for demo #2 in my Microsoft Master webcast on App-V 5.0 scripting.  For the full webcast information, visit https://t3chn1ck.wordpress.com/2014/02/03/playback-of-microsoft-master-app-v-5-0/.

This demo is on scripting the install of an application shim (for app compatibility) when an App-V package is published to a system. For this example, I used an all-time favorite piece of software of mine … SMS Installer.

1) SMS Installer requires elevated rights in order to execute. So if the user is a non-admin, as in my demos, they cannot use the software. Below is the screenshot of how this gets blocked. Even if your end users have elevated rights themselves, you may be able to use a shim to correct any UAC elevation prompts. Additionally, you can see the “shield” on the shortcut.

[Screenshot: smsinst-demo01]

2)  Create the shim with the Application Compatibility Toolkit – for more info on this process of creating a shim, visit http://spablog.ontrex.ch/2013/04/23/shims-and-app-v-5-0/

  • SMSINS32.exe
  • Run As Invoker
  • ForceAdminAccess

[Screenshot: smsinst-demo02]

3)  Add the shim into the package scripts

[Screenshot: smsinst-demo03]

4)  Update the DeploymentConfig.xml file from the package to install the shim (the sdbinst arguments belong in an Arguments element alongside Path; RollbackOnError="true" makes the publish fail cleanly if the shim install does not complete within the 30-second timeout)

<MachineScripts>
  <PublishPackage>
    <Path>sdbinst.exe</Path>
    <Arguments>/q "[{AppVPackageRoot}]\..\Scripts\shim.sdb"</Arguments>
    <Wait RollbackOnError="true" Timeout="30"/>
  </PublishPackage>
</MachineScripts>

5)  Add the new application into ConfigMgr and publish to user.  For more info on doing this process, see an example from https://t3chn1ck.wordpress.com/2014/02/05/app-v-5-0-demo-uninstall-a-native-application/

6)  Voila!  You can now see that the “shield” is no longer on the shortcut and that the application runs successfully!

[Screenshot: smsinst-demo04]
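To confirm on a test client that the shim script above actually ran, the following PowerShell script is an added example (not from the original post or the webcast). It checks the one prerequisite that silently breaks this demo (package scripts are disabled on the App-V client by default), reads the PublishPackage script back out of the DeploymentConfig.xml, shows how the package is published on the client, and looks for the shim database that sdbinst registers under InstalledSDB. It assumes the App-V 5.0 client (AppvClient module) and the XML from step 4; $PackageName and $ConfigPath are placeholders.

```powershell
# Added example, not part of the original post: verify the App-V shim deployment on a client.
param(
    [string]$PackageName = 'SMS Installer',                                # placeholder: App-V package name
    [string]$ConfigPath  = 'C:\Packages\SMSInstaller_DeploymentConfig.xml' # placeholder: path to the edited XML
)

# 1. Package scripts are off by default; without this setting the PublishPackage
#    script never executes and no shim is installed, with no error in the console.
$scriptsEnabled = (Get-AppvClientConfiguration -Name EnablePackageScripts).Value
if ($scriptsEnabled -ne 1) {
    Write-Warning "EnablePackageScripts is '$scriptsEnabled'; run 'Set-AppvClientConfiguration -EnablePackageScripts 1' and re-publish."
}

# 2. Read the PublishPackage machine script back out of the XML. local-name() is used
#    so the App-V namespace does not have to be declared for the XPath queries.
[xml]$config = Get-Content -Path $ConfigPath -Raw
$publishScripts = $config.SelectNodes("//*[local-name()='MachineScripts']/*[local-name()='PublishPackage']")
foreach ($node in $publishScripts) {
    $path = $node.SelectSingleNode("*[local-name()='Path']").InnerText
    $args = $node.SelectSingleNode("*[local-name()='Arguments']").InnerText
    $wait = $node.SelectSingleNode("*[local-name()='Wait']")
    $rollback = if ($wait) { $wait.GetAttribute('RollbackOnError') } else { 'not set' }
    "PublishPackage script: $path $args (RollbackOnError=$rollback)"
}

# 3. Show how the package is currently published on this client.
Get-AppvClientPackage -Name $PackageName -All |
    Select-Object Name, Version, IsPublishedGlobally, IsPublishedToUser

# 4. sdbinst records every installed compatibility database under InstalledSDB;
#    the demo's shim file name is shim.sdb.
$installed = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
    Where-Object { $_.DatabasePath -like '*shim.sdb' }

if ($installed) {
    $installed | Select-Object DatabaseDescription, DatabasePath, DatabaseInstallTimeStamp
} else {
    Write-Warning 'No shim.sdb registered in InstalledSDB; check the Microsoft-Windows-AppV-Client/Admin event log for the script result.'
}
```

The InstalledSDB check is also the place to look when removing the package later: a shim installed by a PublishPackage script is not removed with the package unless a matching UnpublishPackage script runs sdbinst with its uninstall switch, so orphaned entries here show up as leftover compatibility fixes on the machine.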