Wednesday, February 19, 2020

Windows as a Service: Forcing machine forward

Do you have a Windows as a Service strategy lined out? 
How do you are going to push the upgrades. 
Are you going to allow everyone to upgrade to any version or control it? 
What are you doing about special machines you cannot force due to software or process control, are they moving at the end of cycle? 
Are you tracking which machines are out of compliance?

I bet that last question made you think.  Many companies have not tracked their end of life for Windows 10 which can be found here:
https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet

Now you can create a CI and pull machines into a collection that will soon be end of life, use this to force a popup, Toast Notification, force the upgrade, etc...


Powershell:

CI Discovery script
Data type:String
------------------------------------------
 $Win10_Life = @(
                 ("1607","1703","1709", "1803","1809","1903","1909"),
                  ("4/9/2019","10/8/2019","4/14/2020","11/10/2020","5/11/2021","12/8/2020","5/10/2022") )

$CurentWindowsVer = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ReleaseID -ErrorAction Stop).ReleaseID

$index= 0..20 | Where { $Win10_Life[0][$_] -eq $CurentWindowsVer }
if ($index -ge 0)
{
  # grab the end of life date for the OS version
  $EndofLifeDate= $Win10_Life[1][$index]

  #determine number of days left in life
  $EndofLifeDays = (New-TimeSpan -Start (Get-Date) -End $EndofLifeDate).Days

   #$EndofLifeDate
   #$EndofLifeDays

    If ($EndofLifeDays -lt 60) {"Upgrade"}
}

-------------------------------------------------------------
You can see there is a 2 Dimension array with the build numbers and the end of life date.  If you are running Pro then you will need to change these dates, these are for Enterprise/Education. 

 In the Compliance setting I use 
"The value returned by the specified script:"
Not Equal to
Upgrade

This can be run once a month or every 3 weeks on a machine.  It will pull the machine into the collection if it has less than 60 days. 

How do I create the collection?
In the baseline right click on the deployment
Select the Non-Compliant. 

This will create a collection of machines that are not running a supported version of Windows 10. 

Monday, January 27, 2020

Query Desktop Analytics data

Currently, there is not a rich report system for Desktop Analytics. Until that day comes you can use Azure Monitor or even Power BI to pull your data. First using query tools such as Azure Monitor You can reach this via the Azure Portal Monitor - > logs or Log Analytics Workspace -> Select Workspace -> Logs You will have a box where you can query your data

 



to the left you will have the listing of tables:

Notice the "eye" to the right.  This is similar to the right click in SQL where you can select the top 1,000 records only this will normally only pull the top 50 records for you understand the data.


Now that you are ready to query, let's query to find all our Deployment plans and then grab all the machines that are set to be in the pilot group, either via the global pilot that was recommended and you added them:


(MADeploymentPlan)
Should you have too many then use the following query
MADeploymentPlan
| limit 50


Find the machines in there pilot.  But only show the columns for the Device name, Family, Source and Pilot Status







MAProposedPilotDevices 
| where DeploymentPlanId  == "881ba*******************56c"
| project  DeviceName , DeviceFamily, Source, PilotStatus  



Source = Was it part of the Global Pilot or was it added via Desktop Analytics
Pilot Status.  = Is in the the pilot, recall you can exclude or replace with other machines.

Source is interesting because if necessary you can now export this list and add it to the Collection in ConfigMgr and your pilot for upgrades or any other pilot would be more efficient.

Since there is no export function in DA we are here with this list.

At the top of your query



You can now export this to a CSV...but WAIT THERE'S MORE!!!

Notice that is gives you the Power BI query too! So you can pull in and manipulate it also!!!








Tuesday, December 31, 2019

Changing Client Side Software Update Deadlines via WMI


I have been trying to think of a way to improve the Win10 feature updates for a complex company where some machines could be critical or performing long term operations such as simulations or remote operations that is unmanned. 


Scenario:
Company of over 100,000 workstation has a worldwide operation and you are not able to know what is happening in every segment of the company.  Causing an unknown or unwanted reboot on a machine could break a simulation or business process.  Reboot the MRI machine when someone is 1 minute from completing the scan.  All your data is gone, reset the machine pay the techs for more work, the patients have to wait for the person to complete.  The goal is to complete the task without doing harm to the company or business process.  How do we complete the upgrades on machines that we have no visibility and we don't know exactly when it can be touched.  Currently, patching can take 15 mins to reboot but a feature update is still 30 mins or more depending on the age of the machine, process used, what was the previous version of Win10.


Solution:
Set the deadline in the future, possibly the month before the OS expires or company deadline
Then give the user to select the exact date/time for the feature updates to install.  This could also be extended for all updates if you grant the operation the ability to select the date/time. 


If you have 1E Shopping or similar product then you choose the date/time of the deployment but this doesn't exist in ConfigMgr in the native product.

So I broke down the Software Update policy.  Understand that this is simply a proof of concept and I don't have a product wrapped around it.  This is all POC and not meant to replace any current procedures.


You can look at the policies for the various Software Deployments on a machine via many methods.  But I found that if you modify them they will be overwritten on the next policy cycle or software update deployment cycle.  But the policy found in the "ActualConfig" doesn't overwrite and you can modify it.  I couldn't find a blog with this process, that is not to say it isn't out there but I created this so I could see if it was possible.


For Test purposes, in my lab, I made a deployment with the default name "Microsoft Software Updates - 2019-12-30 07:14:46 PM";


Next I listed all the Software Deployments but I needed to pull just the one I wanted.  This could be named "Windows 10 Deployment" or something else unique so that your UX that is created will know what to look for on the machine.  



I deployed the update several years in the future so I could prove that I could then modify the deadline.





For our purpose here we pull in "Software" since this is unique to my deployments.


Here is the code to find and change the deadline for this software update group.  Understand that you would need to deploy the Win10 in a single software update group.  I have not yet looked at modifying the individual update.  This test failed as the date reverted after a Deployment Eval Cycle.




#AssignmentName = "Microsoft Software Updates - 2019-12-30 07:14:46 PM";
get-wmiObject -Namespace "ROOT\ccm\Policy\Machine\ActualConfig" -Class CCM_UpdateCIAssignment -filter "AssignmentName like '%Software%'"


$PatchPath = (get-wmiObject -Namespace "ROOT\ccm\Policy\Machine\ActualConfig" -Class CCM_UpdateCIAssignment).__Path


$newRebootDeadline = @{EnforcementDeadline="20210402161400.000000+000"}
Set-WmiInstance -Path $PatchPath -Arguments $newRebootDeadline




Let's break down the date/time


20210402161400


2021/04/02/16/14/00


2021 - year
04 - 4th Month
02 - 2nd Day
16 - 4pm, 24 hour clock
14 - Minutes
00 - Seconds.


Understand that this is client local time, not UTC.


 Should you change the date to a later date, nothing will change to the user.  Should you make the date earlier than the previous date then Windows will show a standard Toast Notification.





If you click on the box it will ask if you wish to install now or wait till the deadline. 





How do we operationalize this?  You can build an HTA allow the user to select a date/time anywhere from the original deadline or a preset date, you don't want the user changing it to 10 years in the future. 

I would love to be able to have the change made in the Software Center.  The problem is how to make a client setting to allow for custom deadlines and then check a check box on a software update or update group for "Allow Custom Deadlines"


If I could make a website that would read the machine information on the update and deadline, allow the user to select a new deadline and then send the script to the machine and run/change the date/time of the deployment on the machine. 


Understand that this is all done in a lab and not in a production environment because I don't know what, if any, harm I could be doing to the CM client or the machine.  But this is an interesting question and problem to solve.