Monitoring your fleet's event logs - Part 2
Install Splunk - It's free! https://www.splunk.com/en_us/download/splunk-enterprise.html (the free licence indexes up to 500 MB a day, which is plenty for one operational log from a fleet)
Modify Program Files\Splunk\etc\system\local\inputs.conf (create it if it does not exist yet) and add the lines:
[WinEventLog]
evt_resolve_ad_obj = 1
This tells Splunk to resolve the SIDs and GUIDs in Windows events to account and computer names via Active Directory, so you get usernames in your results rather than S-1-5-21-... strings.
Then restart Splunk: in Splunk click Settings, then Server controls, and click Restart Splunk.
Next add the data source: click Add Data from the launch screen, then Monitor.
Choose Local Event Logs, then ForwardedEvents, and click Next.
Click Create a new index, call it ForwardedEvents, click Save, change the Index to ForwardedEvents, then click Review and Submit.
Give it some time to collect a few logons, then go to Search & Reporting and run:
index="forwardedevents" LogName="Microsoft-Windows-User Profile Service/Operational" (EventCode=1 OR EventCode=2 OR EventCode=6 OR EventCode=7) | transaction ComputerName startswith=eval(EventCode=1) endswith=eval(EventCode=2) | table ComputerName, duration
So I'm using the selected data, filtering for four event codes, then getting the time between event code 1 and 2 and putting it into a table.
Edit: This search can be a bit funny; the delay ended up being in syncing the roaming profile, so I've also run:
index="forwardedevents" LogName="Microsoft-Windows-User Profile Service/Operational" (EventCode=1 OR EventCode=2 OR EventCode=6 OR EventCode=7) | transaction ComputerName startswith=eval(EventCode=6) endswith=eval(EventCode=7) | table ComputerName, duration
Then click on the Visualization tab
This also lets you dive into each logon by clicking one and see the underlying events.
You can save this as a report or dashboard and share it with people.
There is so much more you can do with this software, and it takes some time to learn it. Will post more as I do.
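The Splunk transaction searches above pair a start event with an end event per computer. The same calculation in PowerShell, run on the collector against the Forwarded Events log, is a handy way to sanity-check the Splunk numbers, and it also reports logons that started but never finished, which transaction silently drops. This is an added example, not from the original post: the provider name Microsoft-Windows-User Profiles Service is what these events carry in their XML (confirm it on your collector with Get-WinEvent -ListProvider '*Profile*'), and the sample events at the bottom are constructed, not real telemetry.

```powershell
# Added example (not part of the original post). Pairs User Profile Service
# events per computer the way the Splunk transaction command does and returns
# the elapsed time between them.

function Get-LogonDurations {
    param(
        # Objects with MachineName, Id and TimeCreated (what Get-WinEvent returns).
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $StartId = 1,   # 1 = received user logon notification
        [int] $EndId   = 2    # 2 = finished processing user logon notification
    )
    $pending = @{}   # MachineName -> TimeCreated of the open start event
    foreach ($e in ($Events | Sort-Object TimeCreated)) {
        if ($e.Id -eq $StartId) {
            # A second start before an end (user logged on twice) replaces the first,
            # matching how transaction restarts on a new startswith event.
            $pending[$e.MachineName] = $e.TimeCreated
        }
        elseif ($e.Id -eq $EndId -and $pending.ContainsKey($e.MachineName)) {
            [pscustomobject]@{
                ComputerName = $e.MachineName
                LogonStart   = $pending[$e.MachineName]
                Duration     = $e.TimeCreated - $pending[$e.MachineName]
            }
            $pending.Remove($e.MachineName)
        }
    }
    # Starts with no matching end: these are the machines worth looking at first.
    foreach ($name in @($pending.Keys)) {
        [pscustomobject]@{ ComputerName = $name; LogonStart = $pending[$name]; Duration = $null }
    }
}

# Live query against the collector's Forwarded Events log. Assumption: the
# events keep their original provider name; verify with Get-WinEvent -ListProvider.
function Get-ForwardedProfileEvents {
    param([int] $Hours = 24, [int[]] $Ids = @(1, 2, 6, 7))
    Get-WinEvent -FilterHashtable @{
        LogName      = 'ForwardedEvents'
        ProviderName = 'Microsoft-Windows-User Profiles Service'
        Id           = $Ids
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction Stop
}

# Constructed sample data (not real telemetry) so the pairing logic runs offline.
$sample = @(
    [pscustomobject]@{ MachineName = 'PC01'; Id = 1; TimeCreated = [datetime]'2016-05-02 08:00:00' }
    [pscustomobject]@{ MachineName = 'PC02'; Id = 1; TimeCreated = [datetime]'2016-05-02 08:00:05' }
    [pscustomobject]@{ MachineName = 'PC02'; Id = 6; TimeCreated = [datetime]'2016-05-02 08:00:10' }
    [pscustomobject]@{ MachineName = 'PC01'; Id = 2; TimeCreated = [datetime]'2016-05-02 08:00:42' }
    [pscustomobject]@{ MachineName = 'PC02'; Id = 7; TimeCreated = [datetime]'2016-05-02 08:02:30' }
    [pscustomobject]@{ MachineName = 'PC02'; Id = 2; TimeCreated = [datetime]'2016-05-02 08:02:35' }
    [pscustomobject]@{ MachineName = 'PC03'; Id = 1; TimeCreated = [datetime]'2016-05-02 08:05:00' }  # never finished
)

# Whole logon (1 -> 2), slowest first:
Get-LogonDurations -Events $sample | Sort-Object Duration -Descending | Format-Table -AutoSize
# Roaming profile sync window (6 -> 7), the second Splunk search:
Get-LogonDurations -Events $sample -StartId 6 -EndId 7 | Format-Table -AutoSize

# Against the real collector:
#   Get-LogonDurations -Events (Get-ForwardedProfileEvents -Hours 24) | Sort-Object Duration -Descending
```

With the sample data PC01 takes 42 seconds, PC02 takes 2 minutes 30 seconds (of which 2 minutes 20 seconds is the 6 -> 7 sync), and PC03 is reported with an empty Duration because its event 2 never arrived.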
Monitoring your fleet's event logs - Part 1
Windows has a great built-in feature that lets you collect logs from remote computers: Windows Event Forwarding (WEF). It is easy to set up, and once the events are on one machine you can use free tools such as Splunk or Graylog to analyse them, find patterns and fix things. The same pipeline is what you would use to centralise Security log events for detection, so it is worth getting right.
Below is how to get started collecting the User Profile Service logs to analyse things such as logon performance with roaming profiles, something we are dealing with right now. Note that the WinRM service must be running on your computers (winrm quickconfig, or the equivalent Group Policy) for forwarding to work.
First you need a machine that will be the data collector.
1. On that machine open Event Viewer and right-click Subscriptions. If the Windows Event Collector service is not yet running you will be asked whether to start it and configure it to start automatically; answer Yes.
2. Choose Create Subscription. Only collect data you will actually use: in this example we are collecting the Microsoft-Windows-User Profile Service/Operational events, so call the subscription Microsoft-Windows-User Profile Service - Operational.
3. Change the type to Source computer initiated and click Select Computer Groups
4. Add the group of machines to the Computer list and click OK
5. Click Select Events
6. We now select the Applications and Services Logs\Microsoft\Windows\User Profile Service
7. You can configure advanced settings to control how the computers forward the events.
8. Click OK
9. The subscription defaults to RenderedText, which ships the full message text with every event. Switch it to Events (raw XML only) so the data is smaller and parses cleanly:
wecutil ss "Microsoft-Windows-User Profile Service - Operational" /cf:Events
10. Next, deploy a Group Policy that tells your computers which collector to report to.
Create a GPO and go to Computer Configuration\Policies\Administrative Templates\Windows Components\Event Forwarding
11. Select Configure target Subscription Manager
12. Set to Enabled
13. Click Show
14. Insert the line
Server=http://SERVER.FQDN:5985/wsman/SubscriptionManager/WEC,Refresh=60
15. Replace SERVER.FQDN with your data collector's name. Refresh is the interval in seconds at which clients re-read their subscriptions. The http:// address is fine between domain members: WinRM authenticates with Kerberos and encrypts the message body on port 5985, so this is not plaintext. An https:// listener on 5986 (which needs a server certificate on the collector) is only required when collecting from machines outside the domain.
16. To test, run GPUPDATE /FORCE on a remote machine.
17. If successful, on the collector you will see the number of source computers change under Subscriptions, and events will start appearing in the Forwarded Events log.
Visit https://blogs.technet.microsoft.com/jepayne/2015/11/23/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem/ for more information.
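When the source-computer count does not move after GPUPDATE, the following checks look at both ends of the pipeline: the registry value the GPO writes on a client, the subscription definition on the collector as wecutil returns it (content format, delivery mode, query and the SDDL deciding which computers may forward), and which machines are actually delivering into Forwarded Events. This is an added example, not part of the original post; the subscription name defaults to the one used in step 2, so change it if yours differs.

```powershell
# Added example (not part of the original post): verification for a WEF setup.

# --- Run on a forwarding client ------------------------------------------------
# "Configure target Subscription Manager" writes each target as a numbered REG_SZ
# value holding the Server=...,Refresh=... string from step 14.
function Test-WefClientConfig {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    $targets = @()
    if (Test-Path $key) {
        $targets = (Get-ItemProperty $key).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { $_.Value }
    }
    [pscustomobject]@{
        PolicyApplied = [bool]$targets
        Targets       = $targets
        # http on 5985 is still Kerberos-authenticated and encrypted at the WS-Man
        # layer between domain members; https only matters for non-domain sources.
        UsesHttps     = [bool]($targets | Where-Object { $_ -match '^Server=https://' })
        WinRMStatus   = (Get-Service WinRM).Status
    }
}

# --- Run on the collector -------------------------------------------------------
function Get-WefSubscriptionSummary {
    param([string] $Name = 'Microsoft-Windows-User Profile Service - Operational')
    [xml]$cfg = wecutil gs "$Name" /f:xml
    $s = $cfg.Subscription
    [pscustomobject]@{
        Name             = $s.SubscriptionId
        Enabled          = $s.Enabled
        Type             = $s.SubscriptionType             # expect SourceInitiated
        ContentFormat    = $s.ContentFormat                # expect Events after step 9
        DeliveryMode     = $s.Delivery.Mode
        Query            = $s.Query.InnerText
        AllowedDomainSD  = $s.AllowedSourceDomainComputers # SDDL: who is allowed to forward
    }
}

# Who is actually delivering? Group the Forwarded Events log by source machine.
function Get-WefSourceSummary {
    param([int] $Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; StartTime = (Get-Date).AddHours(-$Hours) } `
        -ErrorAction SilentlyContinue |
        Group-Object MachineName |
        ForEach-Object {
            [pscustomobject]@{
                ComputerName = $_.Name
                Events       = $_.Count
                LastSeen     = ($_.Group | Measure-Object TimeCreated -Maximum).Maximum
            }
        } | Sort-Object LastSeen -Descending
}

# Usage:
#   Test-WefClientConfig                        # on a client, after GPUPDATE /FORCE
#   Get-WefSubscriptionSummary | Format-List    # on the collector
#   Get-WefSourceSummary -Hours 2 | Format-Table -AutoSize
```

If PolicyApplied is false on the client the GPO has not reached it; if ContentFormat still says RenderedText the wecutil ss command in step 9 did not take; and a machine missing from Get-WefSourceSummary but present in the computer group usually has WinRM stopped or cannot resolve SERVER.FQDN.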
Disabling Windows File Explorer banner advertising
Microsoft has so much advertising power with Windows 10 that it can now put banners up in File Explorer via updates. You may see one such as:
'Save your documents and photos to OneDrive' or 'Get the best deal on your cloud storage with OneDrive'
The setting behind these is Show sync provider notifications; Microsoft has also used it for other purposes, such as after a feature update.
To prevent this, push out a Group Policy Preferences registry item under User Configuration with the following value:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Value: ShowSyncProviderNotifications
Value Type: REG_DWORD
Value Data: 00000000
Base: Hex
Set the computer name using the BIOS Asset Tag
If you set the Asset Tag to the same name as the computer, it makes sense to only have to input it once. I created a PowerShell script that does the following:
If VM or Mac: Exit 0
If computer exists in SCCM: Exit 0
If AssetTag exists/is not empty: Set OSDComputerName to AssetTag, Exit 0
If AssetTag doesn't exist: Bring up an error message, Exit 1
Tested with HP and Dell machines.
Update: Added optional script that uses the HP Ownership Tag
How to use:
Create a package for the script.
Copy ServiceUI.exe (from the MDT Toolkit) into the same folder. ServiceUI attaches to TSProgressUI.exe so that anything the script displays reaches the interactive desktop in WinPE.
In the task sequence, after the initial format of the drive, create a Run Command Line step using the package you created, with the command:
ServiceUI.exe -process:TSProgressUI.exe %SYSTEMROOT%\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File AssetTag.ps1
Thanks Nickolaj and Dave Green for the initial form
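The decision list above, written out as a PowerShell script of the kind that step would run. This is an added example, not the author's AssetTag.ps1: the VM/Mac detection strings, matching the ConfigMgr record on the SMBIOS GUID, and the -SiteServer/-SiteCode parameters are my assumptions; the OSDComputerName variable and the exit codes are from the post. One thing worth adding to any version of this script: the asset tag is free text typed into the BIOS, so it is validated as a legal NetBIOS name before it is allowed to become the computer name.

```powershell
# Added example (not the author's script): sets OSDComputerName from the BIOS asset tag.
# Run via ServiceUI from a Run Command Line step after the disk is formatted.
param(
    [string] $SiteServer,   # assumption: SMS provider host reachable from WinPE; omit to skip the ConfigMgr check
    [string] $SiteCode      # e.g. 'PS1'
)

function Get-AssetTagDecision {
    param([string] $SiteServer, [string] $SiteCode)
    $cs   = Get-WmiObject Win32_ComputerSystem
    $prod = Get-WmiObject Win32_ComputerSystemProduct
    $tag  = ([string](Get-WmiObject Win32_SystemEnclosure).SMBIOSAssetTag).Trim()

    # 1. VM or Mac: exit 0 and leave naming to the rest of the task sequence.
    if ($cs.Manufacturer -match 'Apple|QEMU|Xen|innotek|Parallels' -or
        $cs.Model -match 'Virtual|VMware|HVM|KVM') {
        return [pscustomobject]@{ Action = 'Skip'; Reason = "VM or Mac: $($cs.Manufacturer) $($cs.Model)"; Name = $null }
    }
    # 2. Already known to ConfigMgr (matched on SMBIOS GUID, not on name): exit 0.
    if ($SiteServer) {
        $uuid = $prod.UUID -replace '[^0-9A-Fa-f-]', ''    # keep the WQL literal clean
        $rec  = Get-WmiObject -ComputerName $SiteServer -Namespace "root\sms\site_$SiteCode" `
                    -Query "SELECT ResourceId, Name FROM SMS_R_System WHERE SMBIOSGUID = '$uuid'"
        if ($rec) {
            return [pscustomobject]@{ Action = 'Skip'; Reason = "Already in ConfigMgr as $($rec.Name)"; Name = $rec.Name }
        }
    }
    # 3. Asset tag present: it is untrusted input, so require a legal NetBIOS name
    #    (1-15 chars, letters/digits/hyphen, not all digits) before using it.
    if (-not $tag -or $tag -match '^(No Asset Tag|None|N/A)$') {   # common placeholder strings
        return [pscustomobject]@{ Action = 'Error'; Reason = 'No asset tag set in the BIOS'; Name = $null }
    }
    if ($tag -notmatch '^(?!\d+$)[A-Za-z0-9-]{1,15}$') {
        return [pscustomobject]@{ Action = 'Error'; Reason = "Asset tag '$tag' is not a valid computer name"; Name = $null }
    }
    [pscustomobject]@{ Action = 'Set'; Reason = 'Asset tag accepted'; Name = $tag.ToUpper() }
}

$decision = Get-AssetTagDecision -SiteServer $SiteServer -SiteCode $SiteCode
switch ($decision.Action) {
    'Set' {
        $ts = New-Object -ComObject Microsoft.SMS.TSEnvironment
        $ts.Value('OSDComputerName') = $decision.Name
        exit 0
    }
    'Skip' { exit 0 }
    default {
        # Reaches the technician through ServiceUI. WScript.Shell needs the
        # WinPE-Scripting component in the boot image (assumption about your boot WIM).
        (New-Object -ComObject WScript.Shell).Popup($decision.Reason, 0, 'Asset Tag', 16) | Out-Null
        exit 1
    }
}
```

Querying SMS_R_System from WinPE means the step runs as SYSTEM on a machine that is not yet domain-joined, so the WMI call needs either the Run Command Line step's "Run this step as the following account" option or a web service in front of the site server; without -SiteServer the script simply skips that check.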
MDT Toolkit files fail to download - could not resolve source
If this happens during OSD, it is most likely due to two BIOS settings. I recommend:
Windows 7:
Boot mode: Legacy
SATA mode: AHCI
Windows 10:
Boot mode: UEFI
SATA mode: AHCI
From the log (0x800700A1 is ERROR_BAD_PATHNAME, "The specified path is invalid"):
The task sequence execution engine failed executing the action (Use Toolkit Package) in the group (Initialization) with the error code 2147942561
Action output: ... ursiveCreatePath(sPath.substr(0, nPos), psa), HRESULT=800700a1 (e:\nts_sccm_release\sms\framework\core\ccmcore\path.cpp,104)
RecursiveCreatePath(sPath.substr(0, nPos), psa), HRESULT=800700a1 (e:\nts_sccm_release\sms\framework\core\ccmcore\path.cpp,104)
RecursiveCreatePath( sNormalizedPath, psa ), HRESULT=800700a1 (e:\nts_sccm_release\sms\framework\core\ccmcore\path.cpp,159)
DownloadContentLocally (pszSource, sSourceDirectory, dwFlags, hUserToken, mapNetworkAccess), HRESULT=800700a1 (e:\nts_sccm_release\sms\framework\tscore\resolvesource.cpp,3582)
TS::Utility::ResolveSource (pszPkgID, sPath, 0, hUserToken, mapNetworkAccess), HRESULT=800700a1 (e:\nts_sccm_release\sms\client\osdeployment\installsoftware\runcommandline.cpp,399)
cmd.Execute(pszPkgID,sProgramName, dwCmdLineExitCode), HRESULT=800700a1 (e:\nts_sccm_release\sms\client\osdeployment\installsoftware\main.cpp,372)
Failed to resolve the source for SMS PKGID=PS10098B, hr=0x800700a1
Install Software failed to run command line, hr=0x800700a1. The operating system reported error 2147942561: The specified path is invalid.
Build and Capture fails if KB3160005 (IE cumulative security update) is installed
Update: Adding more scratch space to the boot wim seems to have resolved the problem on Windows 10, Windows 7 seems to still have issues.
Update: This update is also in Windows 10 CU 3163018, causing the same error. No workaround yet
If your build and capture is failing at the capture step, make sure the cumulative Security Update for IE11, KB3160005, is not installed. It somehow stops the registry load part of the step: 0x800705AA is ERROR_NO_SYSTEM_RESOURCES, which fits the scratch-space finding in the update above.
The task sequence execution engine failed executing the action (Capture the Reference Machine) in the group (Capture the Reference Machine) with the error code 2147943850
Action output: ... software" into HKLM\OfflineRegistry1
RegLoadKey( oRegKeyHKLM, sRegKey, sRegHivPath), HRESULT=800705aa (e:\qfe\nts\sms\framework\osdcore\offlineregistry.cpp,68)
LoadHive( szPathBuffer, m_sRegKeySoftware, m_oRegKeySoftware ), HRESULT=800705aa (e:\qfe\nts\sms\framework\osdcore\offlineregistry.cpp,190)
m_oOfflineRegistry.Init(pszSystemRoot), HRESULT=800705aa (e:\qfe\nts\sms\framework\osdcore\offlineos.cpp,737)
rDefaultOs.initialize(sTargetSystemRoot), HRESULT=800705aa (e:\nts_sccm_release\sms\client\osdeployment\capturesystemimage\capturesystemimage.cpp,613)
VerifySystemForCapture(DefaultOs), HRESULT=800705aa (e:\nts_sccm_release\sms\client\osdeployment\capturesystemimage\capturesystemimage.cpp,859)
Finished with error code 0x800705AA
Failed to load "C:\WINDOWS\system32\config\software" (0x800705aa).
Failed to load the offline SOFTWARE registry (0x800705aa).
Failed to validate for capture. Insufficient system resources exist to complete the requested service. (Error: 800705AA; Source: Windows).
The operating system reported error 2147943850: Insufficient system resources exist to complete the requested service.
Hey Cortana! How do I add additional speeches during OSD so you work?
For Cortana to work with your language you need the appropriate speech pack installed; however, if your machines get their updates from an enterprise WSUS, the additional language downloads are not offered to them.
To work around this, get the language CAB files from the 'Windows 10 Features on Demand' ISO (available via volume licensing and MSDN downloads), then use DISM to add the desired packages. Currently the available speech packages are:
- German - Germany (Microsoft-Windows-LanguageFeatures-Speech-de-de-Package.cab)
- English - Australia (Microsoft-Windows-LanguageFeatures-Speech-en-au-Package.cab)
- English - Canada (Microsoft-Windows-LanguageFeatures-Speech-en-ca-Package.cab)
- English - United Kingdom (Microsoft-Windows-LanguageFeatures-Speech-en-gb-Package.cab)
- English - India (Microsoft-Windows-LanguageFeatures-Speech-en-in-Package.cab)
- English - United States (Microsoft-Windows-LanguageFeatures-Speech-en-us-Package.cab)
- Spanish - Spain (Microsoft-Windows-LanguageFeatures-Speech-es-es-Package.cab)
- French - France (Microsoft-Windows-LanguageFeatures-Speech-fr-fr-Package.cab)
- Italian - Italy (Microsoft-Windows-LanguageFeatures-Speech-it-it-Package.cab)
- Japanese - Japan (Microsoft-Windows-LanguageFeatures-Speech-ja-jp-Package.cab)
- Chinese - China (Microsoft-Windows-LanguageFeatures-Speech-zh-cn-Package.cab)
- Chinese - Hong Kong (Microsoft-Windows-LanguageFeatures-Speech-zh-hk-Package.cab)
- Chinese - Taiwan (Microsoft-Windows-LanguageFeatures-Speech-zh-tw-Package.cab)
Note: Cortana is currently only available in the United States, Japan, Australia, Canada and India (in English); however, having the speech packs installed will help your deployment if other markets open up.
You can also install the text-to-speech pack alongside. For example,
Microsoft-Windows-LanguageFeatures-TextToSpeech-en-au-Package.cab adds the Australian voice Catherine and the British voice James, although Cortana doesn't use them.
To deploy during OSD, create a package with the desired speech packs and an install.bat file. The following install.bat sets up English (Australia) and also adds the text-to-speech voices; add more packages by adding lines with other PackagePath values:
DISM /Online /Add-Package /PackagePath:Microsoft-Windows-LanguageFeatures-TextToSpeech-en-au-Package.cab
DISM /Online /Add-Package /PackagePath:Microsoft-Windows-LanguageFeatures-Speech-en-au-Package.cab
Then create a Run Command Line step in the task sequence that references the package, tick 'Disable 64-bit file system redirection', and use the command line:
install.bat
To set the default speech language you need to modify the Default User registry hive. This can be done with three commands during the task sequence:
Load Default User Registry
reg load HKU\DefaultTemp "C:\Users\Default\NTUSER.DAT"
Set Default SpeechRecognizer
reg add "HKU\DefaultTemp\Software\Microsoft\Speech_OneCore\Settings\SpeechRecognizer" /v RecognizedLanguage /t REG_SZ /d en-AU /F
Unload Default User Registry
reg unload HKU\DefaultTemp
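The install.bat and the three reg commands above, combined into one PowerShell script with exit-code handling so a missing CAB or a failed package fails the task sequence step instead of continuing silently. This is an added example, not the author's package script; the -PackageDir and -Language parameters and the handling of DISM's 3010 exit code are mine.

```powershell
# Added example (not the author's install.bat): adds the speech packages with DISM
# and sets the default recognizer language for new profiles, failing loudly.
param(
    [string] $PackageDir = $PSScriptRoot,   # folder the ConfigMgr package is downloaded to
    [string] $Language   = 'en-AU'          # BCP-47 tag; the CAB names use the lower-case form
)
$ErrorActionPreference = 'Stop'
$ll   = $Language.ToLower()
$cabs = "Microsoft-Windows-LanguageFeatures-Speech-${ll}-Package.cab",
        "Microsoft-Windows-LanguageFeatures-TextToSpeech-${ll}-Package.cab"

$rebootNeeded = $false
foreach ($cab in $cabs) {
    $path = Join-Path $PackageDir $cab
    if (-not (Test-Path $path)) { throw "Missing package file: $path" }
    # DISM verifies the package signature itself; we only have to honour its exit code.
    & "$env:SystemRoot\System32\dism.exe" /Online /Add-Package /PackagePath:"$path" /NoRestart /Quiet
    switch ($LASTEXITCODE) {
        0       { }
        3010    { $rebootNeeded = $true }   # ERROR_SUCCESS_REBOOT_REQUIRED
        default { throw "DISM failed for $cab with exit code $LASTEXITCODE" }
    }
}

# Default User hive: use reg.exe for all three steps. Loading the hive through the
# PowerShell registry provider leaves handles open and 'reg unload' then fails.
$hive = "$env:SystemDrive\Users\Default\NTUSER.DAT"
reg.exe load HKU\DefaultTemp "$hive" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed ($LASTEXITCODE)" }
try {
    reg.exe add 'HKU\DefaultTemp\Software\Microsoft\Speech_OneCore\Settings\SpeechRecognizer' `
        /v RecognizedLanguage /t REG_SZ /d $Language /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg add failed ($LASTEXITCODE)" }
}
finally {
    reg.exe unload HKU\DefaultTemp | Out-Null
}

# 3010 tells the task sequence a restart is pending; 0 means done.
exit $(if ($rebootNeeded) { 3010 } else { 0 })
```

Run it from the same Run Command Line step as install.bat would be, for example powershell.exe -NoProfile -ExecutionPolicy Bypass -File Install-SpeechPacks.ps1 -Language en-AU, with 'Disable 64-bit file system redirection' ticked so the 64-bit dism.exe is used.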
Ensure the operating system applies to the C: drive, not D:
This problem will become more common as everyone starts to use captured WIMs instead of the OS media in SCCM: a captured image carries the reference machine's MountedDevices entries in its SYSTEM hive, and Windows honours them on first boot, so the new OS can come up as D:.
There are a few workarounds for this problem, but the best method is to force the new OS to re-evaluate drive letters with three easy steps after applying the OS.
Create a Run Command Line step for each of the three commands:
Reg.exe load HKLM\Temp %OSDTargetSystemDrive%\Windows\system32\config\system
Reg.exe delete HKLM\Temp\MountedDevices /va /f
Reg.exe unload HKLM\Temp
Removing the stored mappings forces Windows back to its default behaviour of assigning the drive letters itself, so the boot volume becomes C:.
For more information and other workarounds see http://blogs.technet.com/b/configurationmgr/archive/2014/04/28/how-to-ensure-that-windows-installs-on-c-during-a-system-center-2012-configuration-manager-osd-task-sequence.aspx
Creating collections to deploy ConfigMgr client updates (the easy way)
Get the Servicing Extension from Microsoft now, as it does all the work: http://blogs.technet.com/b/configmgrteam/archive/2014/12/09/now-available-microsoft-system-center-2012-configuration-manager-servicing-extension.aspx
Once you have this, in the Administration node there is a Site Servicing section -> Client Targeting. Click 'Create Query' and it builds a nice query for your collections.
Then go about creating your collection:
Click Next. Select Add Rule -> Query Rule.
Click Import Query Statement and choose the query Microsoft made for you.
Deploy the cumulative update to the clients.
Format failed (0x80070057) during task sequence.
Update:
If this is happening to you I recommend importing the boot WIM again, creating a new one and only adding the network drivers (in the Surface Pro 3 case), and testing with that boot WIM on a copy of your task sequence. Then add the existing SATA/network drivers you need for other devices, using the latest versions.
I received an email from someone who has the same issue; he noticed that Microsoft ships with either a Hynix SSD or a Samsung SSD. The Samsung SSD has never had any issues. From my SCCM data we have 20% Hynix drives, possibly due to a change of hard drive supply or a shortage, I'm not sure. This explains why you may be going crazy not understanding why you are encountering imaging issues after having had success.
In this scenario the formatting of the disk fails and then the disk just disappears, even in diskpart, until the next reboot.
The solution is to get the correct SATA driver for the device. This happened on one of the Surface Pro 3s, yet all the others imaged fine. Using the driver provided by the driver pack in the boot WIM, the task sequence was able to format the disk successfully.
Text from the smsts.log:
Format failed (0x80070057) OSDDiskPart 15/12/2014 4:33:23 PM 864 (0x0360)
CVolume::Format( sDrive.c_str(), (*iter)->getFilesystem(), (*iter)->getVolumeName().c_str(), 0, (*iter)->getIsQuickFormat() ? CVolume::foptQuick : 0, FormatProgressCallback, NULL), HRESULT=80070057 (e:\nts_sccm_release\sms\client\osdeployment\osddiskpart\main.cpp,1003) OSDDiskPart 15/12/2014 4:33:23 PM 864 (0x0360)
Failed to format drive C: (0x80070057) OSDDiskPart 15/12/2014 4:33:23 PM 864 (0x0360)
FormatPartitions(oDisk), HRESULT=80070057 (e:\nts_sccm_release\sms\client\osdeployment\osddiskpart\main.cpp,1279) OSDDiskPart 15/12/2014 4:33:23 PM 864 (0x0360)
Failed to format partition(s) for disk 0 (0x80070057) OSDDiskPart 15/12/2014 4:33:23 PM 864 (0x0360)
OSDDiskPart.exe failed: 0x80070057 OSDDiskPart 15/12/2014 4:33:23 PM 864 (0x0360)
Process completed with exit code 2147942487 TSManager 15/12/2014 4:33:23 PM 1088 (0x0440)
!--------------------------------------------------------------------------------------------! TSManager 15/12/2014 4:33:23 PM 1088 (0x0440)
Failed to run the action: Format and Partition Disk (UEFI). This is usually caused by a problem with the program. Please check the Microsoft Knowledge Base to determine if this is a known issue or contact Microsoft Support Services for further assistance.
The parameter is incorrect. (Error: 80070057; Source: Windows) TSManager 15/12/2014 4:33:23 PM 1088 (0x0440)