This put up will information you thru a method of configuring the completely different settings for System Replace and Skinny Installer utilizing Configuration Gadgets and Baselines.
STEP 1
We’ll begin out by making a CI to detect if the present model of System Replace is put in on shoppers.
Launch the Create Configuration Merchandise wizard, set a reputation, and tick the field This configuration merchandise accommodates utility settings
Tick the Detect a particular utility and deployment kind radio button and choose the present model of System Replace from the appliance listing
Click on Subsequent by way of the wizard to finish the creation of the CI.
Begin the Create Configuration Baseline wizard, specify a reputation, and add the newly created CI
Deploy the Baseline to a Gadget Assortment. Ideally, the gathering ought to comprise Suppose branded gadgets solely. Proper click on on the deployment, Create New Assortment, select Non-compliant
On a shopper the place System Replace is just not put in, open the ConfigMgr applet, click on on the Configurations, choose the Baseline and click on Consider. The Compliance State ought to return Non-compliant, which can be famous within the report:
As soon as a full replace on the Non-compliant Gadget Assortment runs, the shopper can be populated right here.
To make sure System Replace is put in on this shopper, deploy the System Replace Software as a required Software. Trying on the Deployment Standing, I see a rely of two programs that do not have the present model of System Replace put in
Again on the shopper, for those who open the ConfigMgr applet, set off a Machine Coverage Retrieval & Eval Cycle and App Deployment Eval Cycle, System Replace can be pushed down. You may then test the standing of the Baseline and confirm the Compliance State ought to now present as Compliant
This technique will now drop out of the Non-compliant Gadget Assortment as soon as the scheduled membership eval hits.
STEP 2
Now that System Replace is put in, there is a handful of settings I need to configure. To do that, I will create one other Configuration Merchandise. On the Specify settings for this working system display screen, add the next setting/compliance guidelines:
____________________
Normal
Identify: Set AdminCommandLine
Setting Sort: Registry worth
Information Sort: String
Hive Identify: HKLM
Key Identify: SOFTWAREPoliciesLenovoSystem UpdateUserSettingsGeneral
Worth Identify: AdminCommandLine
Compliance Guidelines
Identify: Set AdminCommandLine
Description: This directs System Replace to a particular repository
The setting should adjust to the next rule:
Set AdminCommandLine Equals /CM -search A -action INSTALL -repository dp01.cdrt.comUR-CLOUDREPO -includerebootpackages 1,3,5 -noicon -noreboot -nolicense -exporttowmi
Remediate noncompliant guidelines when supported
____________________
____________________
Normal
Identify: Set AskBeforeClosing
Setting Sort: Registry worth
Information Sort: String
Hive Identify: HKLM
Key Identify: SOFTWAREPoliciesLenovoSystem UpdateUserSettingsGeneral
Worth Identify: AskBeforeClosing
Compliance Guidelines
Identify: Set AskBeforeClosing
Description: Removes the immediate to shut System Replace
The setting should adjust to the next rule:
Set AskBeforeClosing Equals NO
Remediate noncompliant guidelines when supported
____________________
____________________
Normal
Identify: Set DebugEnable
Setting Sort: Registry worth
Information Sort: String
Hive Identify: HKLM
Key Identify: SOFTWAREPoliciesLenovoSystem UpdateUserSettingsGeneral
Worth Identify: DebugEnable
Compliance Guidelines
Identify: Set DebugEnable
Description: Lets you log course of outcomes to the file named ApplicabilityRulesTrace.txt.
The setting should adjust to the next rule:
Set AskBeforeClosing Equals YES
Remediate noncompliant guidelines when supported
____________________
____________________
Normal
Identify: Set DisplayLicenseNotice
Setting Sort: Registry worth
Information Sort: String
Hive Identify: HKLM
Key Identify: SOFTWAREPoliciesLenovoSystem UpdateUserSettingsGeneral
Worth Identify: DisplayLicenseNotice
Compliance Guidelines
Identify: Set DisplayLicenseNotice
Description: Lets you skip the license settlement that can be displayed earlier than the replace packages decide listing is populated.
The setting should adjust to the next rule:
Set DisplayLicenseNotice Equals NO
Remediate noncompliant guidelines when supported
____________________
____________________
Normal
Identify: Set MetricsEnabled
Setting Sort: Registry worth
Information Sort: String
Hive Identify: HKLM
Key Identify: SOFTWAREPoliciesLenovoSystem UpdateUserSettingsGeneral
Worth Identify: MetricsEnabled
Compliance Guidelines
Identify: Set MetricsEnabled
Description: Disables metrics assortment
The setting should adjust to the next rule:
Set MetricsEnabled Equals NO
Remediate noncompliant guidelines when supported
____________________
____________________
Normal
Identify: Set SchedulerAbility
Setting Sort: Registry worth
Information Sort: String
Hive Identify: HKLM
Key Identify: SOFTWAREPoliciesLenovoSystem UpdatePreferencesUserSettingsScheduler
Worth Identify: SchedulerAbility
Compliance Guidelines
Identify: Set SchedulerAbility
The setting should adjust to the next rule:
Set SchedulerAbility Equals NO
Remediate noncompliant guidelines when supported
____________________
____________________
Normal
Identify: Set SchedulerLock
Setting Sort: Registry worth
Information Sort: String
Hive Identify: HKLM
Key Identify: SOFTWAREPoliciesLenovoSystem UpdatePreferencesUserSettingsScheduler
Worth Identify: SchedulerLock
Compliance Guidelines
Identify: Set SchedulerLock
Description: Hides the schedule updates possibility to finish person
The setting should adjust to the next rule:
Set SchedulerLock Equals HIDE
Remediate noncompliant guidelines when supported
____________________
Yet another configuration to make on the shopper is to disable System Replace’s default scheduled process to test for updates. Since I need to management this conduct, a Discovery and Remediation script can be used. Add one final setting to the CI:
Normal
Identify: Create Scheduled Activity
Description: Checks if customized scheduled process is current. If not, create it and disable System Replace’s default scheduled process.
Setting Sort: Script
Information kind: String
Discovery script:
$cloudrepocheck = Get-ScheduledTask | The place-Object {$_.TaskName -match "CloudRepository"} if (!($cloudrepocheck)) { Write-Output "Non-compliant" } else { Write-Output "Compliant" } |
Remediation script:
# Create the scheduled process for System Replace to hook up with Lenovo's servers to put in whitelisted updates $su = Be a part of-Path ([System.Environment]::GetFolderPath(“ProgramFilesX86”)) "LenovoSystem Updatetvsu.exe" $taskAction = New-ScheduledTaskAction –Execute $su -Argument '/CM' $taskTrigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At 9am $taskUserPrincipal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' $taskSettings = New-ScheduledTaskSettingsSet -Compatibility Win8 $process = New-ScheduledTask -Motion $taskAction -Principal $taskUserPrincipal -Set off $taskTrigger -Settings $taskSettings Register-ScheduledTask -TaskName 'TVSU-CloudRepository' -InputObject $process -Drive # Disable the default System Replace scheduled duties Get-ScheduledTask -TaskPath "TVT" | Disable-ScheduledTask |
Compliance Guidelines
Identify: Create Scheduled Activity
The setting should adjust to the next rule:
The worth entered by the required script: Equals Compliant
Run the required remediation script when this setting is noncompliant
In any case Setting Varieties have been added to the CI, the Settings and Compliance Guidelines tabs ought to appear like this:
Create a brand new Baseline, enter a reputation, click on Add and choose Configuration Gadgets from the drop down. Select the brand new CI from the listing.
STEP 3
Now we’re prepared for deployment. Select Deploy from the ribbon bar and select a Gadget Assortment. Tick the bins to Remediate noncompliant guidelines when assist and Permit remediation exterior the upkeep window and set the schedule
Confirm the standing of the Baseline on a shopper to find out compliance. As soon as in a compliant state, now you can see within the Registry that the keys configured within the CI have been set.
Activity Scheduler additionally has the brand new customized process
Relying on the relevant updates primarily based on which reboot kind packages had been specified to put in within the command line, System Replace might immediate the person to point out which updates can be put in.
Additional Studying
Managing System Replace With Intune – https://thinkdeploy.blogspot.com/2019/07/manage-lenovo-system-update-with-intune.html
