software updates

Deploying Office 2019 VL

Office 2019 now uses click-to-run technology instead of 'setup /admin' there are a few changes, probably for the best in the long run.

Create Config Files

First you need to download to Office Deployment tool

This is a self extracting file that spits out setup.exe and 2 sample config files - one for 32-bit and one for 64-bit.
Edit the edition you want to download. If you want the Volume License version change the Product ID to 'ProPlus2019Volume'

You don't need to add Visio or Project as they are also downloaded.

Save the file and run 'setup.exe /download configuration-Office365-x64.xml'.
This will run in the background and download into a subfolder - Office.

Now you have the files you can make configurations using these resources
https://config.office.com/ - Spits out config files for Office 365 - At time of writing it isn't made for 2019 yet but should work ok.
https://docs.microsoft.com/en-gb/DeployOffice/office2019/deploy - Documentation on customising the confiuration files.

If you want a head start I've made config files for Office, Project and Visio - Download 

Example - Office 32-Bit, exclude OneDrive and Skype, accept EULA, Silent install, some customisations from Config.office.com

Test

To test your config files run setup.exe with the configure switch

setup.exe /configure configuration-OfficeProPlus-x86.xml

 

Deploy

Create an application in SCCM - with your files.
Deployment type - Script Installer

For Detection Methods:

Office - 32-Bit: %ProgramFiles(x86)%\Microsoft Office\root\Office16\Winword.exe
Office - 64-Bit: %ProgramFiles%\Microsoft Office\root\Office16\WINWORD.EXE

Project - 32-Bit: %programfiles(x86)%\Microsoft Office\root\Office16\WINPROJ.EXE
Project - 64-Bit: %ProgramFiles%\Microsoft Office\root\Office16\WINPROJ.EXE

Visio -  - 32-Bit: %programfiles(x86)%\Microsoft Office\root\Office16\VISIO.EXE
Project - 64-Bit: %ProgramFiles%\Microsoft Office\root\Office16\VISIO.EXE

KMS

Download the Volume license app http://www.microsoft.com/downloads/details.aspx?FamilyID=878fef7e-3f4d-4d22-a423-f447c0f5bfdd
On the KMS server run the exe.

Follow the Wizard Prompts

Get your Office 2019 KMS Key from your Key Holder

Don't Click Commit! Click Cancel as you already have this configured

 

 

 

 

 

 

Build and Capture fails if KB3160005 IE sec cumulative update is installed


Update: Adding more scratch space to the boot wim seems to have resolved the problem on Windows 10, Windows 7 seems to still have issues.

Update: This update is also in Windows 10 CU 3163018, causing the same error. No workaround yet 

If your build and capture is failing at the capture step make sure you don't have the cumulative Security Update for IE11 KB3160005. It's somehow stopping the registry load part of the step.

 

Creating Collections to deploy ConfigMgr client updates (the easy way)

main

Get the Servicing Exstension from Microsoft NOW as it does all the work!!! http://blogs.technet.com/b/configmgrteam/archive/2014/12/09/now-available-microsoft-system-center-2012-configuration-manager-servicing-extension.aspx

Once you have this, in the Admin node, there's a site servicing section -> client targeting. You click 'Create Query' and it makes a nice query for your collections.

CreateColls

Then you go about creating your collection.

Screenshot 2015-02-05 09.39.11

click next. Select Add Rule -> Query Rule

 

Click Import Query Statement and choose the nice query microsoft made for you.

Screenshot 2015-02-05 09.44.29

Deploy the cumulative update to the clients.

 

 

How To: Create Automatic Deployment Rules for Patch Tuesday Software Updates

automate

Automatic deployment of updates is one of the best features of SCCM. Automation in general is awesome.

The best way to use Automatic deployment rules (ADR) is to have them run on Patch Tuesday which is the second Tuesday of the month when Microsoft releases their updates generally before 11:00 PST/PDT (I am Australian based so I set ADRs to run Wednesday Morning).

In this example I am deploying Windows 8.1 x64 critical, security and 'updates' updates.

1. Under the Software Library Node Software Updates click Automatic Deployment Rules then select 'Create Automatic Deployment Rule' from the Ribbon

adr1

2. In the Wizard name your ADR 'ADR: Windows 8.1 x64 Updates'

ADR2

3. Click Browse and select your target collection

4. Change the Option to 'Create a new Software Update Group'. The other Option should really be called 'Wipe previous updates from Software Update Group' as that's what it does.

5. Click Next.

6. Ensure 'Automatically deploy all software updates found by this rule, and approve any license agreements. Also optionally enable the Wake-on-LAN tickbox.

adr3

7. Click Next

8.  Choose Date Released or Revised, set it to Last 3 weeks.

adr4

9. Choose Product, set it to 'Windows 8.1'

10. Choose Update Classification, set it to “Critical Updates” OR “Security Updates” OR
“Updates”

11. Choose Title, set it to 'x64'. This is to filter out x86 updates.

12. Click Preview, if you are doing this on Patch Tuesday you will see all the applicable updates that will be deployed. Otherwise you can change the date range for the example.

adr5

13. Click Next

14. Choose 'Run the rule on a schedule.

adr6

15. Click Customize and choose to run the rule every second Tuesday at the appropriate time depending what time zone you are in. Click OK (Not to important for the demo as you can run it manually)

adr7

16. Click Next

17. Customize the Deadline to 'As soon as possible'.

adr8

18. Click Next

19. Change the User Experience to 'Display in Software Center and show all notifications'

adr9

20. Tick 'Software Installation'.

21. Click Next.

22. Click Next.

23. Click Next

24. Choose Create a new deployment package.

adr12

25. Name it 'ADR: Windows 8.1 x64 Updates' and select a UNC share for storage of the software updates.

26. Add Distribution Points.

adr13

27. Click Next.

28. Click Next

29. Select desired languages, click Next

adr15

30. Click Next, then Close.

31. Right click on your newly created ADR and click 'Run Now'. You can monitor progress on the site server checking Program FilesMicrosoft Configuration ManagerLogsruleengine.log

adr18

32. Give it some time to download updates and distribute them then on the client machine run a machine policy update and verify updates install using Software Center

adr19

 

33. After having a play check out this post for some best practices to setting up all your Automatic Deployment Rules including Piloting your updates to a pilot group for 7 days.

34. Also check out this post to automate sending a report out on what updates are being deployed.

 

 

 

Create a compliance baseline to remove a folder

compliant

In this example we are killing the Silverlight start menu folder enabling us to use the Windows Updates while keeping the start menu clean.

Create the Configuration Item

1. In the console click Create Configuration Item

2. Name your configuration item, click 'This configuration item contains application settings' and click Next

Screenshot 2014-11-14 10.03.58

3. Select 'Always assume application is installed' and click Next

Screenshot 2014-11-14 10.05.15

4. Click New, Change the Setting type to 'Script'. Change the Data type to 'String'. Also name your Setting.

Screenshot 2014-11-14 10.29.17

5. Under Discovery Script click 'Add Script'

6. Ensure Script language is 'Windows Powershell' and paste the following

$false -eq (Test-Path "C:ProgramDataMicrosoftWindowsStart MenuProgramsMicrosoft Silverlight")

Screenshot 2014-11-14 10.32.38

7. Under Remediation Script click 'Add Script'

8. Ensure Script language is 'Windows Powershell' and paste the following

remove-item "C:ProgramDataMicrosoftWindowsStart MenuProgramsMicrosoft Silverlight" -recurse

Screenshot 2014-11-14 10.42.37

9. Click 'Ok',  then click the 'Compliance Rules' tab

10. Click 'New'

Screenshot 2014-11-14 10.47.35

11. Configure the Compliance rule: Set 'Rule type' to Value. Set the Value returned to equal 0. Click 'Run the specified remediation script when this setting is non complaint'.

Screenshot 2014-11-14 10.52.10

12. Click 'OK' then 'Next', 'Next' on the Wizard Screen.

13. Choose the OS Environments for compliance

Screenshot 2014-11-14 10.54.33

14. Click 'Next' until you finish the Wizard.

15. Under Configuration Baselines click 'Create Configuration Baseline' and add the configuration item we just created, then click 'OK'

Screenshot 2014-11-14 10.57.31

 

16. The Baseline is now ready to be deployed to your test collection!

Right click and select Deploy, Enable the remediation options and change the Schedule if needed.

Screenshot 2014-11-14 11.00.15

 

 

17. On your test machine, request a new machine policy, then click on the Components tab. Clicking Refresh should show the new baseline which you can then evaluate.

baselines

18. Within a minute the remediation runs and the folder disappears!

baselinesComp

How I automate patching desktops

update automation

It takes a long time to setup but worth it, computers should
not get policies they don’t need, at some point things will start stuffing up. I
have split desktops into 3 categories that suit our environment. Pilot get updates straight away and will reboot at night. Prod and PUC get updates 7 days later and have different reboot requirements.

Group

Deadline

User notifications

Deadline behaviour outside maintenance window

Device restart behaviour

Pilot

Asap

All

SW Updates Install

Yes

Prod

7 days

None

SW Updates Install

Suppressed

PUC (Public Use computers such as Labs)

7 days

None

SW Updates Install

Yes

I then split these groups into collections based on OS or
Office version requirements, so we have Office 2007, Office 2010, Office 2013,
Windows XP, Windows 7 x86, Windows 7 x64, Windows 8 x64.

A Pilot, PUC and PROD collection should be made so you can
limit the collections with it. These collections will vary in your environment.

Based on that you should have 21 collections - see ‘rules
and queries’ at the end for the messy queries

SUM-WORKSTATIONS-PROD–Office 2007

SUM-WORKSTATIONS-PROD–Office 2010

SUM-WORKSTATIONS-PROD–Office 2013

SUM-WORKSTATIONS-PROD–Windows XP

SUM-WORKSTATIONS-PROD–Windows 7 x86

SUM-WORKSTATIONS-PROD–Windows 7 x64

SUM-WORKSTATIONS-PROD–Windows 8 x64

SUM-WORKSTATIONS-PILOT–Office 2007

SUM-WORKSTATIONS- PILOT–Office 2010

SUM-WORKSTATIONS- PILOT–Office 2013

SUM-WORKSTATIONS- PILOT–Windows XP

SUM-WORKSTATIONS- PILOT–Windows 7 x86

SUM-WORKSTATIONS- PILOT–Windows 7 x64

SUM-WORKSTATIONS- PILOT–Windows 8 x64

SUM-WORKSTATIONS-PUC–Office 2007

SUM-WORKSTATIONS- PUC–Office 2010

SUM-WORKSTATIONS- PUC–Office 2013

SUM-WORKSTATIONS- PUC–Windows XP

SUM-WORKSTATIONS- PUC –Windows 7 x86

SUM-WORKSTATIONS- PUC–Windows 7 x64

SUM-WORKSTATIONS- PUC–Windows 8 x64

Update: 

Limit your pilot collections to a group of user's primary computers using this collection query

 

[code language="sql"]
Select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client FROM SMS_R_System JOIN SMS_UserMachineRelationship ON SMS_R_System.Name=SMS_UserMachineRelationship.ResourceName JOIN SMS_R_User ON SMS_UserMachineRelationship.UniqueUserName=SMS_R_User.UniqueUserName WHERE SMS_UserMachineRelationship.Types=1 AND SMS_R_User.UserGroupName="DOMAIN\SCCM Software Updates Pilot User Group"
[/code]

 

Thanks Powersheller

Next you create a Software Update Group (the current
baseline of approved updates) for each Office/OS Version and a deployments for
each based on the rules from the first table.

Then you create Automatic Deployment rules for each
collection based (to run on Patch Tuesday/Wednesday Australia time) on the
rules from above and what type updates you want released in the last 3 weeks.  They should be set to create a new software update group each time. See ‘rules and queries’ for what I have used.

You can also create an EndPoint Protection definitions ADR, however that should be set to use the existing software update group as the updates always superseed each time.

Rules and Queries:

Query Name

Query

Office 2007

See attachment

Office 2010

See attachment

Office 2013

See attachment

Windows XP

See attachment

Windows 7 x86

See attachment

Windows 7 x64

See attachment

Windows 8 x64

See attachment

Attachment - Download

Rule Name

Rules

Office 2007

Date Released or revised: Last 3 weeks

Product: “Office 2007”

Title: 32-Bit

Update Classification: “Critical Updates” OR “Security Updates” OR
“Updates” OR “Definition Updates”

Office 2010

Date Released or revised: Last 3 weeks

Product: “Office 2010”

Title: 32-Bit

Update Classification: “Critical Updates” OR “Security Updates” OR
“Updates” OR “Definition Updates”

Office 2013

Date Released or revised: Last 3 weeks

Product: “Office 2013”

Title: 32-Bit

Update Classification: “Critical Updates” OR “Security Updates” OR
“Updates” OR “Definition Updates”

Windows 7 x86

Date Released or revised: Last 3 weeks

Product: “Windows 7”

Title: -x64

Update Classification: “Critical Updates” OR “Security Updates” OR
“Updates”

Windows 7 x64

Date Released or revised: Last 3 weeks

Product: “Windows 7”

Title: x64

Update Classification: “Critical Updates” OR “Security Updates” OR
“Updates”

Windows 8 x64

Date Released or revised: Last 3 weeks

Product: “Windows 8” OR “Windows 8.1”

Title: x64

Update Classification: “Critical Updates” OR “Security Updates” OR
“Updates”