Hello! In this blog I will walk through the steps of upgrading your Configuration Manager environment to the latest update, Configuration Manager 1602. Please note that in order to upgrade to 1602, you must first be on 1511. Upgrading directly to 1602 from any other release is not supported.
To see if your environment is showing the update for 1602, click on the Administration tab, then Cloud Services. Click on Updates and Servicing. In my case I did not see the update.
To force check the update, you can download the script from this blog post.
Once you run the script, restart the SMS_Exec service.
Within a few minutes you will see the latest update appear and start to download.
I looked at the EasySetupPayload folder, where the update is downloaded. This update is quite large (1.72 GB) so it will take some time.
The update will now say that it is available. Click on Install Update Pack. Note: you may choose to run update prerequisite check first, however the install does this anyway.
A wizard will appear. Click Next.
Click I accept the license terms and privacy statement. Click Next.
Review the summary. Click Next.
Go back to Updates and Servicing.
You will now see that it is installing. You can refer to the CMUpdate.log for status.
After several minutes you will see that the status has changed to Installed.
Click on the Features node under Updates and Servicing. You will now see several features. There is one that is turned off. Select Pre-release – Conditional access for managed PCs. Click Turn on from the ribbon on top.
When you click Turn on, the following message will appear. Click Cancel, close out of the console, and reboot your server before attempting the update. I ran into an issue trying to update the console before a reboot and it would never complete. After the reboot, when you attempt to open the console, the same message will reappear. Click OK.
You may be prompted to restart your server. If not, it is a good idea to do so anyway as a lot of changes were just made to your Configuration Manager environment. After the reboot, open your console to confirm the console has been updated.
Also be sure to update the software update-based client installation, as this will have a new version.
As of late I have started to see more and more organizations take advantage of providing an image to the organization's hardware vendor to save time in deploying the image out to their systems. The goal is to have the image already on the systems so that when the systems arrive on site at the organization, they will just continue with the task sequence.
This post will walk through the steps to create a .wim file that can be applied to a bare-metal system either on site or from your hardware vendor. The post will then show the continuation of the process once the system is on site.
Create the prestaged media
Browse to the Software Library and expand Operating Systems. Right click Task Sequences and select Create Task Sequence Media.
The Create Task Sequence Media Wizard window will open.
Select Prestaged media and click Next.
Select how media finds a management point. In this example I chose Dynamic media. Click Next.
Specify the information for the media file. Click Next.
Select the security settings for the media. In this example my lab is running with certificates.
Browse for the task sequence. The selected task sequence will reference content.
Select the boot image to be used.
Note: This must be the same boot image as referenced in the task sequence above.
Select the image package that will be applied as part of the prestage wim.
If any applications are needed, select those.
Select content packages to add.
If you are using driver packages, select those.
Specify the distribution point(s) for the media.
Customize the task sequence media.
Confirm the settings.
Importing the prestaged image into Configuration Manager
Browse to Software Library expand Operating Systems and right click Operating system Images. Select Add Operating System image.
Browse to the path of the .wim file created in the previous steps. Click Next.
Provide the details and click Next.
Review the summary and click Next.
Deploy this image to your distribution points.
Creating a Task Sequence to deploy the prestaged image to a computer
Since I do not have a hardware vendor for my lab, and everything is virtualized, in this section I am providing the steps I used to apply the wim image, similar to how it would be applied to a bare-metal system.
I have created three tasks. First we need to format and partition the disk.
Next we need to apply the prestage wim file.
Lastly, we want to shut down WinPE.
Staging a system with the prestage image
Now that we have the task sequence ready, boot up the virtual machine and select the Prestage task sequence.
The Task Sequence will begin to apply the wim. When the Task Sequence has completed, the system will power off.
Continuing the image post prestage
Now that we have the prestage image applied to our system, we can power up the system. The system will load into the boot environment. Select the Task sequence for continuing the imaging process.
Note: My Windows 7 x64 Enterprise Task Sequence was created using the MDT 2013 integration.
The process will continue to finish applying the needed settings.
Once it is completed, you should be at the CTRL + ALT + DELETE screen.
Welcome to part 2 of 4 in PKI Certificates for ConfigMgr 2012 and converting the environment from HTTP to HTTPS. In this post I will continue to show the step-by-step process (found here) for configuring and requesting the certificates that will be used with the Configuration Manager 2012 R2 environment and the clients.
For the links to all the parts of this series, see below:
Part 1 – Web Server Certificate
Part 2 – Client Certificate for Windows Computers
Part 3 – Distribution Points (You are here)
Part 4 – Converting Roles
Creating and Issuing a Custom Workstation Authentication Certificate Template on the Certification Authority
1. On the member server that is running the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates management console.
2. In the results pane, right-click the entry that displays Workstation Authentication in the column Template Display Name, and then click Duplicate Template.
3. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK.
4. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the client authentication certificate for distribution points, such as ConfigMgr Client Distribution Point Certificate.
5. Click the Request Handling tab, and select Allow private key to be exported.
6. Click the Security tab, and remove the Enroll permission from the Enterprise Admins security group.
7. Click Add, enter ConfigMgr IIS Servers in the text box, and then click OK.
8. Select the Enroll permission for this group, and do not clear the Read permission. Click OK and close Certificate Templates Console.
9. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
10. In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr Client Distribution Point Certificate, and then click OK.
11. If you do not have to create and issue any more certificates, close Certification Authority.
This procedure requests and then installs the custom client certificate on to the member server that runs IIS and that will be configured as a distribution point.
1. Click Start, click Run, and type mmc.exe. In the empty console, click File, and then click Add/Remove Snap-in.
2. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add.
3. In the Certificate snap-in dialog box, select Computer account, and then click Next.
4. In the Select Computer dialog box, ensure Local computer: (the computer this console is running on) is selected, and then click Finish.
5. In the Add or Remove Snap-ins dialog box, click OK.
6. In the console, expand Certificates (Local Computer), and then click Personal. Right-click Certificates, click All Tasks, and then click Request New Certificate.
7. On the Before You Begin page, click Next.
8. If you see the Select Certificate Enrollment Policy page, click Next.
9. On the Request Certificates page, select the ConfigMgr Client Distribution Point Certificate from the list of displayed certificates, and then click Enroll.
10. On the Certificates Installation Results page, wait until the certificate is installed, and then click Finish.
11. In the results pane, confirm that a certificate is displayed that has Client Authentication displayed in the Intended Purpose column, and that ConfigMgr Client Distribution Point Certificate is displayed in the Certificate Template column.
12. Do not close Certificates (Local Computer).
1. In the Certificates (Local Computer) console, right-click the certificate that you have just installed, select All Tasks, and then click Export.
2. In the Certificates Export Wizard, click Next.
3. On the Export Private Key page, select Yes, export the private key, and then click Next.
4. On the Export File Format page, ensure that the option Personal Information Exchange – PKCS #12 (.PFX) is selected. Click Next.
5. On the Password page, specify a strong password to protect the exported certificate with its private key, and then click Next.
6. On the File to Export page, specify the name of the file that you want to export, and then click Next.
7. To close the wizard, click Finish in the Certificate Export Wizard page, and click OK in the confirmation dialog box.
8. Close Certificates (Local Computer).
9. Store the file securely and ensure that you can access it from the Configuration Manager console. The certificate is now ready to be imported when you configure the distribution point.
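A check that could follow the export, as an added example that is not part of the original post: it confirms the enrolled certificate carries the Client Authentication EKU and a private key, that the PFX holds the same certificate, and which accounts can reach the PFX file. The path in $PfxPath is a hypothetical placeholder, and matching on the template display name assumes the server can resolve the template OID to its name, as a domain-joined server normally can.

```powershell
# Added example, not from the original post. $PfxPath is a hypothetical placeholder.
$TemplateName   = 'ConfigMgr Client Distribution Point Certificate'  # display name used in the post
$PfxPath        = 'C:\Secure\ConfigMgrDP.pfx'                        # hypothetical export path
$ClientAuthOid  = '1.3.6.1.5.5.7.3.2'      # Client Authentication EKU
$TemplateExtOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information extension

function Get-CertTemplateText {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Formats the template extension as text, e.g. "Template=<name>(<oid>), ..."
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateExtOid }
    if ($ext) { $ext.Format($false) } else { '' }
}

function Test-ClientAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid }))
}

# 1. The enrolled certificate in the local computer's Personal store (newest if several).
$storeCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { (Get-CertTemplateText $_) -like "*$TemplateName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $storeCert) { throw "No certificate from template '$TemplateName' in LocalMachine\My." }

# 2. The exported PFX: prompt for the export password instead of hard-coding it.
$password = Read-Host -AsSecureString -Prompt 'PFX password'
$pfxCert  = (Get-PfxData -FilePath $PfxPath -Password $password).EndEntityCertificates |
    Select-Object -First 1

# 3. Allow entries on the PFX file for anyone other than Administrators and SYSTEM.
$otherAccess = (Get-Acl -Path $PfxPath).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.IdentityReference.Value -notmatch 'Administrators$|\\SYSTEM$' }

[pscustomobject]@{
    Thumbprint          = $storeCert.Thumbprint
    ClientAuthEku       = Test-ClientAuthEku $storeCert
    HasPrivateKey       = $storeCert.HasPrivateKey
    DaysUntilExpiry     = [int]($storeCert.NotAfter - (Get-Date)).TotalDays
    PfxMatchesStoreCert = ($pfxCert.Thumbprint -eq $storeCert.Thumbprint)
    PfxOtherAccess      = @($otherAccess.IdentityReference.Value) -join '; '
}
```

Run it in an elevated session on the IIS member server; an empty PfxOtherAccess value means only Administrators and SYSTEM have Allow entries on the file.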