Any SCCM Admins?

Hi,

I was wondering if anyone here shares my pain administering SCCM? It kind of fell onto me a couple of years ago and now I deal with most things SCCM related and we use it for pretty much all deployments including Windows Servicing and application deployment.

I do like working with SCCM, it takes up a lot of my time, it's challenging and rewarding when you get things to work, but my biggest frustration with it is Windows 10 Feature Pack Deployment and I was wondering if anyone else has ever managed to figure it out. This has been happening for every Windows 10 release and I am not alone. I have exhausted everything on Google and tried every possible suggestion, but the issue remains, which is as follows.

When deploying a Windows 10 Feature Update such as 1903 to an 1809 Collection of devices for example, about 75% of devices will update as expected, however 25% of them will show as Compliant but the update hasn't actually installed and the Windows version remains unchanged on the device. This is accompanied by a Success 0x00000 error code.

The same is true for the 1909 to 1903 Enablement Package, which is awesome when it works as it's so quick to install with little disruption to the user, but it has the same issue as described above on some devices.

The only way I've managed to address this is using a Task Sequence, which is majorly disruptive to the user compared to Servicing and comes with its own set of problems.

I've been asked to look at Intune as a potential replacement so would be interested to know if anyone has gone that route, from what I'm reading it might work well for replacing Windows 10 Servicing and App deployment which would be nice but Servers will still need SCCM.

Feel free to share your SCCM frustrations if you have any, I might be able to help, or if you have a suggestion for the above issue that avoids using Task Sequences for Feature Update deployment I would love to hear it.

Cheers
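
A check for the mismatch described in the post above, as an added example that is not part of the original thread: it cross-references a deployment status export with inventory build numbers and flags devices reported Compliant whose build is still below the target release. The CSV layout, column names and device names are constructed for illustration; the release-to-build mapping uses Microsoft's published Windows 10 build numbers.

```python
import csv
import io

# Windows 10 release -> OS build number (published by Microsoft).
BUILD_FOR_RELEASE = {"1809": 17763, "1903": 18362, "1909": 18363, "2004": 19041}

# Constructed sample: deployment status joined with hardware inventory.
# The column names are assumptions, not an SCCM report format.
SAMPLE_REPORT = """device,target_release,reported_state,error_code,inventory_build
LAP-001,1903,Compliant,0x00000000,18362
LAP-002,1903,Compliant,0x00000000,17763
LAP-003,1909,Compliant,0x00000000,18362
LAP-004,1909,Compliant,0x00000000,18363
LAP-005,1903,Non-compliant,0x80070070,17763
LAP-006,1903,Compliant,0x00000000,
"""


def audit(report_csv):
    """Return (device, finding) pairs for rows that need manual follow-up."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        target = BUILD_FOR_RELEASE.get(row["target_release"].strip())
        if target is None:
            findings.append((row["device"], "unknown-target"))
            continue
        if row["reported_state"].strip().lower() != "compliant":
            continue  # already visible as a failure in the console
        raw = (row["inventory_build"] or "").strip()
        if not raw.isdigit():
            # Compliant, but no inventory to confirm it: treat as unverified.
            findings.append((row["device"], "no-inventory"))
        elif int(raw) < target:
            # Reported success while the OS build never moved.
            findings.append((row["device"], "false-compliant"))
    return findings


if __name__ == "__main__":
    for device, finding in audit(SAMPLE_REPORT):
        print(f"{device}: {finding}")
```

Devices flagged `false-compliant` are the ones still running an older build despite the success status, so they are the ones to track for patch and support exposure.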
 
Don't use SCCM for this. It's a deprecated feature. Instead, set a GPO to delay feature updates through Windows Update (although I'm sure you're also going to tell me you're using WSUS, so you should stop using that too).

GPO to WMI target a pilot ring for immediate feature updates and a GPO to target all other devices with a 180-day delay.

Also, don't use first half (xx03 or h1) versions for all your devices. They are not Enterprise targeted OS and offer the shortest supportability period from MS. Devices to all users (not in the pilot) should be using xx09 or H2 versions.

Intune is not a replacement, yet. You want to set SCCM to co-management and leverage both to provide your builds, updates, patching and software.

Thanks for the info, we always stay a version behind on Windows 10 devices, not really my call, that's what I'm asked to do. Interesting you mention it's a deprecated feature via SCCM, do you have a source for this please? Just interested to read up as I had no idea that was the case.

We don't use WSUS, we use MDT for deployment and SCCM for management. I started reading about Intune yesterday to potentially replace MDT in full and co-management with SCCM to replace the Windows 10 servicing and application deployments, but it's a big project that I have a lot more to read up on.
 
Sure, I'll dig out the MS Doc. Essentially, they are removing it as a feature (albeit slowly) because the security model preference is to use Windows Update to provide aggressive patching and Feature Updates, but only in line with the second yearly releases from a supportability model. As an Enterprise, or even SME, you should push back on using first half releases. MS gear them to consumers to flesh out all the bugs (2004 one of the worst for a while) before tidying up all the relevant bug fixes into the H2 release.

Intune is still in its infancy, but there are now a lot of options for domain joining / hybrid domain joining and using OMA-URI mapping (not complete compared to GPOs but getting there). It's perfect for white glove (pre-provisioned) Autopilot and User-Driven deployments. Effectively you upload the Hardware ID in CSV format to Intune and the second that laptop appears on a network, or internet, it registers with your Org and deploys W10 and any other Intune policies/apps without user interaction.

As I mentioned earlier, get your SCCM org into co-management mode and that will allow you to leverage those Intune options, base everything you do now on pilots with devices (AD OUs and GPOs). You will find you are using pilot devices for SCCM and a separate pilot for Intune / hybrid domain join but can be done concurrently.

Awesome thanks for this, I've just come out of a meeting and been told to shift my focus on replacing MDT with Intune and SCCM will come later (other than Feature Updates SCCM is maintaining the clients fine at the moment) however the info you've given me will certainly come into use very soon.

One of the biggest challenges with all of this is I have one laptop for testing the home user experience and a VM for general testing so hopefully that's enough to get me started, I've got a lot of reading to do too!
 