MNSCUG April 2017 Notes

Notes from our April 2017 meeting are below.




Fred - Windows Upgrade Readiness


Upgrade Readiness for in-place upgrades

Win7 & 8.1 > 10

Win10 Servicing (i.e. 1511 to 1607)


ADK 1703 will not install with Secure Boot enabled



Thoroughly testing and improving with telemetry data


Drivers for disconnected devices do not persist

Use the latest Win10 CU - ConfigMgr Offline Servicing is helpful here

Identify upgrade blockers - hardware, business units, applications

Use a ConfigMgr upgrade task sequence where possible

Update BIOS and Drivers during


Setup in OMS - do not need to buy OMS license for Upgrade Readiness!

Tests application compatibility

Need an Azure subscription with admin rights (can use a free Azure subscription; do not have to use AzureAD unless you want to use PowerShell to query/access the workspace)

Log Analytics / Operational Insights

Whitelist telemetry endpoints on firewall

No on-prem infrastructure needed

Specify which branch to prepare for (build number)

Agentless - Gather Commercial ID and Enable Telemetry


Prepare Client

Make sure devices are patched, various KBs required

Download the Upgrade Readiness script and update it with your info

Deploy script to run on a scheduled task or recurring package or something



What is actually gathered? Registered installs - Add/Remove Programs

Very accurate: comparing ConfigMgr installed apps against Upgrade Readiness showed shocking accuracy

Many suites show up as one item (Office, etc)

Upgrade Readiness may find items ConfigMgr does not

Security Updates not included, irrelevant to this

Shows issue status breakdown by issue type

Has list of apps

Install count

Devices with app installed

Detailed version info

Detailed Info on App

Readiness breakdown (e.g. Highly adopted on build 1607)

Breakdown by version of app for each build number

Separate from this, look at

Still unsure if app will work?

Contact vendor

Ready for Windows

Application Compatibility Factory

Ask app owner to validate

Ask your peers

Retire, replace, rationalize



Hardware-specific apps are likely to be identified as blockers (DisplayLink, Bluetooth)

Identify devices with legacy installs and upgrade them before doing the in-place upgrade - should be doing this anyway

You can do this in task sequence as well

Incompatible Drivers Strategy

Use Windows Update

Identify devices with only drivers resolved using WU

Create device collection with a collection variable

Have upgrade step in TS allow dynamic updates

Upgrade OS TS Step has checkbox to update with Windows Update

Checkbox to provide staged content path for driver updates

Disconnected Peripheral Devices

Using DISM and WinPE

Reboot TS into PE

Run Command Line step that installs the drivers using DISM

Will inject the driver whether or not the device is present

Be mindful of BitLocker or 3rd party encryption

Dism /image:C:\ /Add-Driver /Driver:.\ /Recurse
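
The WinPE driver-injection step above, written out as an added example (not from the presentation or from Microsoft): it checks the offline volume's BitLocker lock state before running the DISM command from the notes. The parameter names, default paths, log location and English manage-bde output are assumptions; manage-bde and PowerShell must be present in the boot image (WinPE-SecureStartup and WinPE-PowerShell components).

```powershell
# Added example (not from the session). Assumes WinPE with the WinPE-PowerShell and
# WinPE-SecureStartup components and English manage-bde output.
param(
    [string]$OsVolume   = 'C:',           # offline OS volume as seen from WinPE (assumption)
    [string]$DriverPath = $PSScriptRoot,  # folder with the staged .inf drivers (assumption)
    [string]$LogPath    = 'X:\Windows\Temp\dism-add-driver.log'  # WinPE RAM disk (assumption)
)

function Get-BitLockerLockState {
    param([string]$Volume)
    # manage-bde prints "Lock Status: Locked|Unlocked" for the volume
    $out = & manage-bde.exe -status $Volume 2>&1 | Out-String
    if ($out -match 'Lock Status:\s+(\w+)') { return $Matches[1] }
    return 'Unknown'
}

# 1. Refuse to touch a volume that is still locked by BitLocker (fails closed on 'Unknown').
$state = Get-BitLockerLockState -Volume $OsVolume
if ($state -ne 'Unlocked') {
    Write-Error "$OsVolume lock state is '$state'. Suspend or unlock BitLocker before servicing offline."
    exit 1
}

# 2. Third-party encryption or a wrong drive letter shows up as no readable Windows folder.
if (-not (Test-Path -LiteralPath "$OsVolume\Windows\System32\config")) {
    Write-Error "No readable Windows installation at $OsVolume\ (encrypted or wrong drive letter?)."
    exit 2
}

# 3. Fail early if the staged content has no drivers in it.
if (-not (Get-ChildItem -LiteralPath $DriverPath -Filter *.inf -Recurse -ErrorAction SilentlyContinue)) {
    Write-Error "No .inf files found under $DriverPath."
    exit 3
}

# 4. Same DISM call as in the notes, plus a log file; 3010 means success, reboot required.
$dismArgs = @("/Image:$OsVolume\", '/Add-Driver', "/Driver:$DriverPath", '/Recurse', "/LogPath:$LogPath")
& dism.exe @dismArgs
if ($LASTEXITCODE -notin 0, 3010) {
    Write-Error "DISM /Add-Driver failed with exit code $LASTEXITCODE; see $LogPath."
    exit $LASTEXITCODE
}
Write-Output "Drivers from $DriverPath injected into $OsVolume\."
```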


ConfigMgr Integration

Can create collections based on Upgrade Analytics Status (Ready to Upgrade, Already Upgraded, Cannot Upgrade)


OMS Queries have a language of their own, slight learning curve, but auto-complete helps

Can use UI to create query as well



Run against OMS

Account needs access to Resource Group in Azure

OMS Search API PowerShell Module

Organizational account (AzureAD)

All the work is just Operational Insights queries, nothing Upgrade Readiness specific

5000 item limits, even in PowerShell




Ryan - Automating Intune with Microsoft Graph API


Graph is an API for automating actions

PowerShell Module available

Establish session to tenant environment and authenticate

Can get Metadata and browse with Graph PS Explorer

Helps show what is available to automate

Properties, navigation properties, raw data(xml)

Can execute actions as well

Graph is still in beta, so be careful

Follows ODATA query format

Well-documented API reference site


Copyright © 2018 - The Minnesota System Center User Group