Updates, Servicing and Telemetry in Configuration Manager current branch
Aaron Czechowski
Senior Program Manager
Microsoft
Kerim Hanif
Senior Program Manager
Microsoft
Aaron Czechowski
@AaronCzechowski
Senior Program Manager,
Configuration Manager product team
4 years on product team, 9 years at Microsoft.
18 years working with Configuration Manager
Anything coconut
Kerim Hanif
@KerimHanif
Senior Program Manager,
Configuration Manager product team
4 years on product team, 13 years at Microsoft.
16 years working with Configuration Manager
Cooking, Scuba, Bass guitar
Updates and Servicing
Configuration Manager
Servicing Strategy
Supports the faster pace of updates for Windows 10 and
Microsoft Intune
• New Updates and Servicing node
• Delivers periodic updates for new features, bug fixes, and
extensions for hybrid deployments using Microsoft Intune
Simplifies the upgrade experience
• In-place upgrade from Configuration Manager 2012 to latest
Listens to and more quickly responds to customer feedback
• Foundational improvements allow us to respond to customer
feedback more quickly
Configuration Manager Current Branch
• Product version: Configuration Manager
• Release vehicle: Current Branch
• Availability: Generally available December 2015 with updates released periodically throughout the year
• Windows 10 features supported: New features, security updates, and bug fixes
• Support: Can defer updates for up to 12 months before you must deploy updates to maintain support
• Windows Servicing Model supported: Windows 10 Current Branch, Current Branch for Business, and Long Term Servicing Branch
Configuration Manager
Current branch (version 1511)
Current branch (version 1602)
Current branch (version yymm)
Technical Preview (version yymm)
WINTER
SPRING
SUMMER
Consolidating All ConfigMgr Updates
Updates and Servicing node in the console
No more searching for the updates, gets updates
automatically from the cloud
No more Cumulative Updates
No more Service Packs
No more Microsoft Intune Extensions
Hotfixes will also be integrated
GOAL: Reduce this list as much as possible
Types of Releases
Baseline
• E.g. Configuration Manager 1511
• Full setup (CD)
• Will be upgradeable from 2012
R2 SP1/SP2
• Supported for 1 year
In-Console Update
• E.g. Configuration Manager
1602
• Not a full setup, cumulative
• Requires a baseline release
• Supported for 1 year
Out-of-Band (OOB) Update
• Will be released if needed
• Mostly will contain only features
Hotfixes
• Will be released if needed
• GDR (General Distribution
Release)
• LDR (Limited Distribution
Release)
• Traditional
History of Releases
Production Release (every 3-4 months)
Technical Preview Release (every month)
Date
Baseline (CD)
TP
May 2015
Baseline (CD)
TP2 (8271)
July 2015
Baseline (CD)
TP3 (8287)
August 2015
In-console Update (1st)
1509 (8299)
September 2015
In-console Update
1510 (8321)
October 2015
TP4 (8325)
December 2015
In-console Update
1512 (8336)
December 2016
In-console Update
1601 (8347)
January 2016
Baseline (CD)
In-console Update
1511 (8325)
1602 (8355)
February 2016
In-console Update
1602 (8360)
March 2016
In-console Update
1603 (8372)
March 2016
Baseline (CD)
TP5 (8385)
April 2016
In-console Update
1604 (8385)
April 2016
In-console Update
1605 (8396)
May 2016
https://technet.microsoft.com/en-us/library/mt607046.aspx
History of Releases
Updates (OOB)
Production Release (every 3-4 months)
Technical Preview Release (every month)
None yet
None
1511 Traditional:
None
(will be released if needed)
Hotfix
KB3125905, KB3118485, KB3124274,
KB3128090, KB3127032, KB3101706,
KB3122677, KB3139572, KB3140781,
KB3142341, KB3145401
1511 GDR:
KB3122637 (Exchange Connector)
1602:
None yet
(most cases we will not be releasing an
update for preview builds)
(most cases we will not be releasing an
hotfix for preview builds)
Recommended Customer Infrastructure
Technical Preview
• ConfigMgr Preview Build
• Standalone Primary
• No hierarchy support
• 10 Clients
• Update monthly
• Test new features
Pre-Production
• ConfigMgr Production Build
• Replica of production site (on the server side)
• Appropriate number of clients for testing purposes
• Install updates here first
Production
• ConfigMgr Production Build
• Live environment
Service Connection Point
Can be Online or Offline or Skipped (not recommended)
During Setup
After Setup
Requirements
Service Connection Point (SCP) role needs to be
installed
• Either in Online or Offline mode
SCP role == Intune Connector role (doesn’t exist anymore)
• ConfigMgr 2012 R2 SP1/SP2 Hybrid (Intune+ConfigMgr) customers upgrading to 1511 will not need to install SCP since it is already there
TIP: If using a third party backup, “cd.latest” folder
needs to be added to backup
Service Connection Point
Nags will show if not installed
• Nag will only show at the top level site, during console start, to the
admins with “SMS_Site modify” right
Offline Servicing
Created for customers that can’t connect to a cloud
service (must be offline)
• STILL needs to install Service Connection Point (SCP) role to “a” server
(doesn’t have to be connected to the internet)
• Set the SCP to Offline mode
• Use “Service Connection Tool” on a computer connected to the internet to download the content from the cloud service
TIP: When ServiceConnectionTool.exe needs to be copied and run in another location, copy it together with all the other files in its directory
• Recommended to have 2GB on media (if USB)
Service Connection Tool
1. On the server with the Service Connection Point (no internet connection):
ServiceConnectionTool.exe -Prepare -usagedatadest D:\USB\usagedata.cab
2. On any machine with an internet connection (this step talks to the cloud service, shown offering 1602):
ServiceConnectionTool.exe -Connect -usagedatasrc D:\USB\usagedata.cab -updatepackdest D:\USB\UpdatePacks
3. Back on the server with the Service Connection Point (no internet connection):
ServiceConnectionTool.exe -import -updatepacksrc D:\USB\UpdatePacks
Updating Site Systems
CAS/Standalone Primary
• Download automatic in Online mode
• Download and import manually in Offline mode (using the Service
Connection Tool)
• For both modes, initiate install manually using the console
Primary Sites
• Download and install are automatic but can be controlled by specifying “Service Windows”
Secondary Sites
• Download and install is manual
Distribution Points and all other site system roles
• Download and install is automatic
Configuration Manager Consoles
During initialization, the console detects the server version and, if it is greater, auto-upgrades
• Can be ignored, but not recommended
• If ignored, it continues nagging when using the console
Clients
Allow admins to select a pre-production collection to
test new client
After testing, admins can choose to promote the new
client bits to production
TIP: Client upgrade won’t start until the whole hierarchy
is updated (including MPs, DPs, all server roles)
Known Issues
1. Full administrator with default scope can NOT see the 1602 update. Admins need to have permission for “All instances of the object” under “Security Scopes”
2. Redistributables can fail to download for various reasons; check dmpdownloader.log and configmgrsetup.log to see exactly which files fail to download
3. If the update is being downloaded, CM admin console [monitoring]->[Overview]->[Site Servicing Status] does not show status for each site
4. If the update content is being replicated, CM admin console [monitoring]->[Overview]->[Site Servicing Status] does not show status for each site
Known Issues
5. 1602 shown in Admin console as Not Applicable, this is because the environment has a
LONG CM installation path that 1602 cannot handle correctly.
6. <CM InstallDir>\Inboxes\clifiles.src\Configuration.mof will be overwritten. Please find the
backup from <CM InstallDir>\data\hinvarchive\ and add your custom extension back.
7. Using 1602 CD.Latest to add a new peer primary site to a CAS, you will get a prereq
failure (setup file build number does not match parent site build number), after verifying
this is the only prereq rule failure, use /noprereq option
Improvements Coming Soon
More granular status monitoring
• Update download and replication progress percentage
• Revised installation status window interface
• References to applicable log files in user interface
SQL upgrade performance improvements
Pre-release Consent
Feature node improvements
Previous updates moved to new History node
Limiting SQL access during database upgrade (1602+)
• Stop all current SQL connections to CM DB
• Deny remote MP “execute” permissions to CM DB
• 1602+ MPs will return "no new policy" to clients when update is in
progress
Folders used by Updates and Servicing Feature
On the “Service Connection Point” server
1. EasySetupPayload\<PackageGuid>
• Consider this as the package source in a software distribution scenario
On each “Site Server”
1. <drive:>\SCCMContentLib\
• Just like how regular software packages store their content
• CMUpdate uses the content library to distribute content to all primary sites and the CAS in a hierarchy; it doesn’t use DPs, though.
2. <CMInstallDir>\CMUStaging\<PackageGuid>
• Temporary folder used by the CMUpdate service to extract, validate and apply the content
3. <CMInstallDir>\CD.Latest (more here: https://technet.microsoft.com/en-us/library/mt703293.aspx)
• Used for site recovery once the update is applied
• Can also be used for site expansion, or to add a new primary site to the hierarchy
4. <CMInstallDir>\StagingClient
• For storing client binaries for piloting clients
5. <CMInstallDir>\CMUClient
• Contains new client binaries. For environments where client and MP are co-located.
Log Files
If Download not showing
• Dmpdownloader.log
• Hman.log
During Download
• Dmpdownloader.log
• Hman.log
• ConfigMgrSetup.log
Replication
• Distmgr.log
• Sender.log (CAS)
• Despool.log (Primary)
Prerequisites
• ConfigMgrPrereq.log
Install
• Hman.log
• CmUpdate.log
THINGS YOU MUST ABSOLUTELY AVOID DOING!
1. Do NOT manually clean up the EasySetupPayload folder for a CM update that is being downloaded/processed.
2. Do NOT manually clean up CMUStaging folder.
3. Do NOT restore the CM database/CM site server if the CM update hits an error (fix the issue and “retry installation”)
4. Do NOT reinstall “Service Connection Point” if an update is in progress.
5. Do NOT use 1602 bits in CD.Latest folder to install a standalone primary site.
6. Do NOT use 1602 bits in CD.Latest folder to upgrade a 1511 site or R2 SP1 (or earlier)
sites.
7. Do NOT manually clean up any Cm_Update* tables.
8. Do NOT restart CMUpdate service during installation.
9. Do NOT keep the CMUStaging\<Guid> folder open during installation.
10. Do NOT copy files in CMUStaging folder.
11. Do NOT restart smsexec during payload download (dmpdownloader.log shows if the package content is downloading); notifications can get lost in this scenario.
Demo
Configuration Manager Servicing
Diagnostics and Usage Data
Configuration Manager
Strategy
SaaSifying Configuration Manager
Running the product “as a service” requires visibility
• Product versions
• Scale and performance
• Default vs custom configurations
Benefits and Value
Customer
• Improved setup/upgrade
• Improved quality
Future potential
• Environment insights
• Peer comparisons
• Better support
Microsoft
• Accurate test matrix
• Product insights
• Prioritization decisions
How the data is used
Site server versions of Windows Server for supported
configurations
Installed language packs for scope of localization
Delta of SQL schema against default
Prerequisite checks
How it is NOT used
Individual customer identification
Licensing audits, such as comparing customer usage
against license agreements
Auditing of products that are out of support
Advertising based on available data such as feature
usage or geolocation (timezone)
Configuration Manager does not collect site codes or site names, IP addresses, user or computer names, physical
addresses, or email addresses on the Basic or Enhanced levels. Any collection of this information on the Full level is
not purposeful (potentially included in advanced diagnostic information like log files or memory snapshots) and will
not be used by Microsoft to identify you, contact you, or for advertising purposes.
Engineering Commitment Example: TS Step Names
Started collecting statistics on task sequence steps
During tests, data returned:
• SMS_...(get from 462905)
• BDD_...
If MDT can create steps via SDK, so can customers
• Extending OS Deployment: https://msdn.microsoft.com/en-us/library/jj218106.aspx
• Contoso_SuperSecretProductStep
Solution:
• Hash the names on both ends and compare
• Known hash = built-in step
• Unknown hash = custom step
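The hash-and-compare approach above, as an added T-SQL example (not code from Configuration Manager or from the presenters). Table, column and step names are hypothetical or constructed, except Contoso_SuperSecretProductStep, which is the slide's own example. Collapsing every unknown hash into a single CUSTOM bucket is an assumption of this example.

```sql
-- Added example: hypothetical tables and constructed step names.
-- Needs SQL Server 2012 or later for SHA2_256 in HASHBYTES.

-- Product side: allow-list of built-in step types, kept as hashes only.
DECLARE @KnownStepHash TABLE (StepHash varbinary(32) PRIMARY KEY);
INSERT INTO @KnownStepHash (StepHash)
SELECT HASHBYTES('SHA2_256', UPPER(v.StepType))
FROM (VALUES (N'SMS_ExampleBuiltInStepA'),
             (N'SMS_ExampleBuiltInStepB'),
             (N'BDD_ExampleBuiltInStep')) AS v(StepType);

-- Site side: step types found in task sequences (constructed rows).
DECLARE @SiteStep TABLE (TaskSequenceID int, StepType nvarchar(256));
INSERT INTO @SiteStep (TaskSequenceID, StepType) VALUES
    (1, N'SMS_ExampleBuiltInStepA'),
    (1, N'sms_examplebuiltinstepb'),         -- same step, different case
    (1, N'Contoso_SuperSecretProductStep'),  -- custom step named on the slide
    (2, N'BDD_ExampleBuiltInStep'),
    (2, N'SMS_ExampleBuiltInStepA'),
    (2, N'Contoso_AnotherCustomStep');

-- Both ends must hash identical bytes: same type (nvarchar), same case
-- folding, same algorithm. Otherwise built-in steps are counted as custom.
SELECT r.StepKey, COUNT(*) AS StepCount
FROM (
    SELECT CASE
               WHEN k.StepHash IS NULL THEN 'CUSTOM'   -- name and hash stay on site
               ELSE CONVERT(char(64), h.StepHash, 2)   -- hex of a known hash
           END AS StepKey
    FROM (SELECT HASHBYTES('SHA2_256', UPPER(s.StepType)) AS StepHash
          FROM @SiteStep AS s) AS h
    LEFT JOIN @KnownStepHash AS k ON k.StepHash = h.StepHash
) AS r
GROUP BY r.StepKey
ORDER BY StepCount DESC;
```

The unknown hashes are dropped rather than reported because an unsalted hash of a guessable step name can be recovered with a dictionary of candidate names.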
Engineering Commitment Example: State Msg Perf
What state messages generate the most
processing costs?
Get test data from Dogfood environment:
Now, what else can be derived?
• https://technet.microsoft.com/en-us/library/bb932203.aspx
• 500 = SUM_UPDATE_DETECTION
• 7012 updates detected
• Could this highlight potential vulnerabilities?
Engineering Commitment Example: State Msg Perf
Solution:
• Business question is regarding performance
• We don’t need the raw data
• Calculate the magnitude and average cost, stack rank
• Telemetry captures the resultant summary:
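One way to reduce raw state-message timings to that kind of summary, as an added T-SQL example (not Microsoft's telemetry query). The table, the timings, the message counts and topic types 9001 and 9002 are constructed; 500 is the topic type named on the slide, and "magnitude" is taken here to mean the power of ten of the message count.

```sql
-- Added example: hypothetical table, constructed timings and counts.
DECLARE @StateMsg TABLE (TopicType int, ProcessingMs int);

-- Build constructed raw rows from (TopicType, base cost in ms, message count).
INSERT INTO @StateMsg (TopicType, ProcessingMs)
SELECT t.TopicType, t.BaseMs + (n.N % 5)
FROM (VALUES (500, 12, 6400),    -- 500 = SUM_UPDATE_DETECTION (from the slide)
             (9001, 3, 950),     -- 9001 and 9002 are placeholders,
             (9002, 40, 85)      -- not real topic types
     ) AS t(TopicType, BaseMs, Msgs)
JOIN (SELECT TOP (10000) ROW_NUMBER() OVER (ORDER BY (SELECT NULL)) AS N
      FROM sys.all_objects AS a CROSS JOIN sys.all_objects AS b) AS n
  ON n.N <= t.Msgs;

-- Only this summary is kept. Exact per-topic counts are coarsened to a
-- power of ten, so the output answers the performance question without
-- exposing how many updates a site detected.
SELECT RANK() OVER (ORDER BY SUM(ProcessingMs) DESC) AS CostRank,
       TopicType,
       POWER(10, CAST(FLOOR(LOG10(COUNT(*))) AS int)) AS CountMagnitude,
       CAST(AVG(1.0 * ProcessingMs) AS decimal(9, 1)) AS AvgCostMs
FROM @StateMsg
GROUP BY TopicType
ORDER BY CostRank;
```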
Configuration
Collected per site, sent per hierarchy once per week
• Only via SQL queries
Service Connection Point
• Online
• Offline via service connection tool
Levels: Basic, Enhanced, Full
Site setup
• On by default
• Enhanced level
Data Flow
SQL queries per site, insert
to TEL_TelemetryResults
Primaries replicate to CAS
Once a week, SCP sends
data up to service
No data direct from clients
Demo
Viewing telemetry data
References
Updates and Servicing
• https://technet.microsoft.com/en-US/library/mt607046.aspx
• Install in-console updates
• Flowchart - Download updates
• Use the Service Connection Tool
• Use the Update Registration Tool to import hotfixes
• Use the Hotfix Installer to install updates
• Checklist for updating from Configuration Manager version 1511 to 1602
Diagnostics and Usage Data
• https://technet.microsoft.com/en-us/library/mt613113.aspx
• How diagnostics and usage data is used
• Levels of diagnostic usage data collection
• How diagnostics and usage data is collected
• How to view diagnostics and usage data
• Customer Experience Improvement Program (CEIP)
• Frequently asked questions about diagnostics and usage data
And Then …
Appendix
Process Flows and Troubleshooting
Common Issues and Possible Reasons
Update stuck in downloading state
1. Check internet connectivity, and check dmpdownloader.log to see if it is able to get the CM update manifest
• Make sure system context is allowed for internet connection, and check whether it requires a proxy to access the internet
2. Redist download (check configmgrsetup.log)
• Check which file it failed to download; if possible, check whether a proxy server setting is blocking the download
• Some customers’ proxies only allow HTTPS connections
• Some customers’ proxies have a white list of servers from which files can be downloaded
3. Make sure antimalware/antivirus excludes <CM install dir> and sub-directories
• If this is HybridMDM, first make sure the connector role certificate issued by Microsoft Intune is consistent. Check hman.log to see if there are errors rejecting messages from “Service connection point”
4. Make sure all the following places have the SAME cert.
• My store on CM “Service connection point” machine
• CertificateData table on CM database (Where CertType = 1)
• Active DMPConnector certificate that Microsoft Intune Service trusts (thinks the tenant has)
5. If you are deleting an Intune subscription, make sure to delete the “Service connection point” role as well.
Common Issues and Possible Reasons
Update stuck in content replicating state
1. Make sure there is enough space on site server
• If there is no disk space on site server, distmgr.log will show error it cannot get
the files into content library on site server.
2. Make sure hman.log has correctly created/updated the software
distribution package used for CM update
3. Make sure distmgr has processed update package successfully
4. If this is hierarchy, check file replication channel to make sure the
content has been replicated successfully to the primary sites.
5. Check if the site server machine account can access the \\<Service
Connection Point>\EasySetupPayloader
Process Flow – Downloading (CAS/Standalone Primary)
https://technet.microsoft.com/en-us/library/mt711512.aspx
Process Flows – Replication (CAS)
Process Flows – Replication (CAS ..continued)
Process Flow – Replication (Primaries)
Process Flow – Replication (CAS/Standalone Primary)
Installation Process (flow coming soon)
CMUpdate:
1. Checks if prereq has passed
2. Checks if the site server is OK to install update
3. Checks if CMUpdate itself is up to date
4. Checks if the site server is in service window
5. Extracts the package from content library into CMUStaging folder
6. Validates the content
7. Installs the package
8. Marks the site as having finished installing the update
Hman:
1. Checks if prereq has passed
2. If this is top level site, marks current site OK to install update (peer primary site not OK to install) (CM_UpdateReadiness)
3. If this is top level site, and CAS has finished installing the update, marks peer primary site OK to install update (only after this does the peer primary site proceed to install)
4. Aggregates overall update state from all site servers (excluding secondary sites)
5. Extracts the package from content library into CMUStaging folder
6. Validates the content
7. Updates and restarts CMUpdate service
8. Marks CMUpdate service as up to date (CM_UpdateReadinessSite)
9. If overall state is update installed, updates the client bits.
CM Update Database Schemas
-- Overall state for CM Update
-- Only created/updated by HMan on the TOP level site
-- The OverallState is checked by hman/cmupdate to decide what further action they should take
select * from CM_UpdatePackages
-- Per-site CM update state
-- Hman updates it for heartbeat, no state change
-- CMUpdate updates it for state changes
-- Trigger ObjectDistributionState_ins_upd updates the state with regard to content
-- Trigger EasySetupSettings_iu (1602) updates the state with regard to content (for handling certain timing conditions)
select * from CM_UpdatePackageSiteStatus
-- Detailed installation status
select * from CM_UpdatePackageInstallationStatus order by MessageTime desc
-- Detailed prereq status
select * from CM_UpdatePackagePrereqStatus
CM Update Database Schemas
-- Only created/updated by HMan on top level site
-- HMan will mark the top level site as ready once CMUpdate service has passed prereq, waiting to install, CM_UpdatePackages
-- Once the top level site has finished installation, it will add/update all peer primary sites into the table to tell them to go ahead
select * from CM_UpdateReadiness
-- Created/updated by Hman on each site
-- Once the site is ready to install
-- HMan checks if the cmupdate (CONFIGURATION_MANAGER_UPDATE) service is up to date; if not, it patches the cmupdate service first
-- Hman marks the site's cmupdate service as ready
-- Read by CMUpdate service to see if it can continue to apply the update
select * from CM_UpdateReadinessSite
-- Service window for the site server
select * from SC_SysResUse_ServiceWindow
CM Update Database Schemas
-- Saves the current EasySetup software dist package ID, version and hash of the content directory
select * from EasySetupSettings
select SourceVersion, StoredPkgVersion from SMSPackages where PkgID in (select packageid from EasySetupSettings)
-- Client piloting settings
select * from ClientPilotingConfigs
-- HISTORY tables
-- Only maintained on top level site to track history of overall state
-- For troubleshooting purposes, hman/cmupdate do not care about the history
select * from CM_UpdatePackages_Hist order by RecordTime desc
select * from CM_UpdatePackageSiteStatus_HIST order by RecordTime desc