System Update Suite and MEM: Part 2 Configuring and Deploying the Apps

In Part 1 of the System Update Suite and MEM guide, we walked through creating an Application for System Update and Thin Installer.

This post walks through one way of configuring the various settings for System Update and Thin Installer using Configuration Items and Baselines.

STEP 1
We'll start out by creating a CI to detect if the current version of System Update is installed on clients.

Launch the Create Configuration Item wizard, set a name, and tick the box This configuration item contains application settings




Tick the Detect a specific application and deployment type radio button and select the current version of System Update from the application list


Click Next through the wizard to complete the creation of the CI.

Start the Create Configuration Baseline wizard, specify a name, and add the newly created CI



Deploy the Baseline to a Device Collection.  Ideally, the collection should contain Think-branded devices only.  Right-click the deployment, choose Create New Collection, and select Non-compliant.


On a client where System Update is not installed, open the ConfigMgr applet, click the Configurations tab, select the Baseline and click Evaluate.  The Compliance State should return Non-compliant, which is also reflected in the report:


Once a full membership update on the Non-compliant Device Collection runs, the client will appear in it.
To ensure System Update is installed on this client, deploy the System Update Application to that collection as a Required deployment.  Looking at the Deployment Status, I see a count of 2 systems that don't have the current version of System Update installed.


Back on the client, open the ConfigMgr applet and trigger a Machine Policy Retrieval & Evaluation Cycle followed by an Application Deployment Evaluation Cycle; System Update will then be pushed down.  You can then check the status of the Baseline and verify that the Compliance State now shows Compliant.


This system will drop out of the Non-compliant Device Collection once the scheduled membership evaluation runs.
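The client-side steps above (trigger the two client cycles, evaluate the Baseline, read its Compliance State) can also be driven from an elevated PowerShell session on the client rather than the ConfigMgr applet. The script below is an added example and is not part of the original post. It assumes the ConfigMgr client is installed, that the two schedule IDs are the well-known Machine Policy Retrieval & Evaluation and Application Deployment Evaluation triggers, and that the static TriggerEvaluation method of SMS_DesiredConfiguration accepts Name and Version arguments; the baseline display name and the LastComplianceStatus mapping are assumptions to verify in your environment.

```powershell
# Added example, not from the original post. Runs on a ConfigMgr client, elevated.
$BaselineName = 'Lenovo System Update - Installed'   # placeholder: your Baseline's display name

# Well-known ConfigMgr client schedule IDs for the two cycles named above
$Cycles = @{
    'Machine Policy Retrieval & Evaluation' = '{00000000-0000-0000-0000-000000000021}'
    'Application Deployment Evaluation'     = '{00000000-0000-0000-0000-000000000121}'
}

foreach ($cycle in $Cycles.GetEnumerator()) {
    Invoke-CimMethod -Namespace 'root\ccm' -ClassName 'SMS_Client' -MethodName 'TriggerSchedule' `
        -Arguments @{ sScheduleID = $cycle.Value } | Out-Null
    "Triggered: $($cycle.Key)"
}

function Get-Baseline {
    # Looks up the Baseline as the client received it; throws if policy has not arrived yet.
    param([string]$DisplayName)
    $b = Get-CimInstance -Namespace 'root\ccm\dcm' -ClassName 'SMS_DesiredConfiguration' |
         Where-Object { $_.DisplayName -eq $DisplayName }
    if (-not $b) { throw "Baseline '$DisplayName' has not reached this client yet" }
    $b
}

function Get-ComplianceStateName {
    # Assumed mapping of LastComplianceStatus; confirm against your client's WMI if in doubt.
    param([int]$Code)
    $states = @{ 0 = 'Non-compliant'; 1 = 'Compliant'; 2 = 'Submitted'; 3 = 'Unknown'; 4 = 'Detecting'; 5 = 'Not evaluated' }
    if ($states.ContainsKey($Code)) { $states[$Code] } else { "Unrecognised ($Code)" }
}

# Evaluate the Baseline (equivalent to clicking Evaluate in the applet), then read the result.
$b = Get-Baseline -DisplayName $BaselineName
Invoke-CimMethod -Namespace 'root\ccm\dcm' -ClassName 'SMS_DesiredConfiguration' -MethodName 'TriggerEvaluation' `
    -Arguments @{ Name = $b.Name; Version = $b.Version } | Out-Null

Start-Sleep -Seconds 30   # evaluation is asynchronous; adjust the wait for your environment
$b = Get-Baseline -DisplayName $BaselineName
'{0}: {1}' -f $b.DisplayName, (Get-ComplianceStateName -Code $b.LastComplianceStatus)
```

Run it once before the Application deployment to confirm the client reports Non-compliant, and again after the cycles have delivered System Update to confirm it flips to Compliant.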

STEP 2
Now that System Update is installed, there's a handful of settings I want to configure.  To do this, I'll create another Configuration Item.  On the Specify settings for this operating system screen, add the following setting/compliance rules:

____________________
General
Name: Set AdminCommandLine
Setting Type: Registry value
Data Type: String
Hive Name: HKLM
Key Name: SOFTWARE\Policies\Lenovo\System Update\UserSettings\General
Value Name: AdminCommandLine

Compliance Rules
Name: Set AdminCommandLine
Description: This directs System Update to a specific repository
The setting must comply with the following rule:
Set AdminCommandLine Equals /CM -search A -action INSTALL -repository \\dp01.cdrt.com\UR-CLOUDREPO -includerebootpackages 1,3,5 -noicon -noreboot -nolicense -exporttowmi
Remediate noncompliant rules when supported
____________________

____________________
General
Name: Set AskBeforeClosing
Setting Type: Registry value
Data Type: String
Hive Name: HKLM
Key Name: SOFTWARE\Policies\Lenovo\System Update\UserSettings\General
Value Name: AskBeforeClosing

Compliance Rules
Name: Set AskBeforeClosing
Description: Removes the prompt to close System Update
The setting must comply with the following rule:
Set AskBeforeClosing Equals NO
Remediate noncompliant rules when supported
____________________

____________________
General
Name: Set DebugEnable
Setting Type: Registry value
Data Type: String
Hive Name: HKLM
Key Name: SOFTWARE\Policies\Lenovo\System Update\UserSettings\General
Value Name: DebugEnable

Compliance Rules
Name: Set DebugEnable
Description: Enables you to log process results to the file named ApplicabilityRulesTrace.txt.
The setting must comply with the following rule:
Set DebugEnable Equals YES
Remediate noncompliant rules when supported
____________________

____________________
General
Name: Set DisplayLicenseNotice
Setting Type: Registry value
Data Type: String
Hive Name: HKLM
Key Name: SOFTWARE\Policies\Lenovo\System Update\UserSettings\General
Value Name: DisplayLicenseNotice

Compliance Rules
Name: Set DisplayLicenseNotice
Description: Enables you to skip the license agreement that will be displayed before the update packages pick list is populated. 
The setting must comply with the following rule:
Set DisplayLicenseNotice Equals NO
Remediate noncompliant rules when supported
____________________

____________________
General
Name: Set MetricsEnabled
Setting Type: Registry value
Data Type: String
Hive Name: HKLM
Key Name: SOFTWARE\Policies\Lenovo\System Update\UserSettings\General
Value Name: MetricsEnabled

Compliance Rules
Name: Set MetricsEnabled
Description: Disables metrics collection
The setting must comply with the following rule:
Set MetricsEnabled Equals NO
Remediate noncompliant rules when supported
____________________

____________________
General
Name: Set SchedulerAbility
Setting Type: Registry value
Data Type: String
Hive Name: HKLM
Key Name: SOFTWARE\Policies\Lenovo\System Update\Preferences\UserSettings\Scheduler
Value Name: SchedulerAbility

Compliance Rules
Name: Set SchedulerAbility
The setting must comply with the following rule:
Set SchedulerAbility Equals NO
Remediate noncompliant rules when supported
____________________

____________________
General
Name: Set SchedulerLock
Setting Type: Registry value
Data Type: String
Hive Name: HKLM
Key Name: SOFTWARE\Policies\Lenovo\System Update\Preferences\UserSettings\Scheduler
Value Name: SchedulerLock

Compliance Rules
Name: Set SchedulerLock
Description: Hides the schedule updates option to end user
The setting must comply with the following rule:
Set SchedulerLock Equals HIDE
Remediate noncompliant rules when supported
____________________
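The seven registry settings above can be checked in one pass on a test machine before (or as a cross-check after) building the individual CI settings. The script below is an added example, not code from the original post. It uses the hive, key and value names listed above and the expected values given in the compliance rules; the repository UNC is the post's example value and stands in for your own. Get-NonCompliantSetting is the discovery half and Set-ExpectedSetting the remediation half, both hypothetical helper names.

```powershell
# Added example, not from the original post: discovery and remediation for the seven
# registry values above, using the paths and expected values listed in the CI settings.
$General   = 'HKLM:\SOFTWARE\Policies\Lenovo\System Update\UserSettings\General'
$Scheduler = 'HKLM:\SOFTWARE\Policies\Lenovo\System Update\Preferences\UserSettings\Scheduler'

$Expected = @(
    @{ Path = $General;   Name = 'AdminCommandLine';     Value = '/CM -search A -action INSTALL -repository \\dp01.cdrt.com\UR-CLOUDREPO -includerebootpackages 1,3,5 -noicon -noreboot -nolicense -exporttowmi' }  # placeholder repository
    @{ Path = $General;   Name = 'AskBeforeClosing';     Value = 'NO' }
    @{ Path = $General;   Name = 'DebugEnable';          Value = 'YES' }
    @{ Path = $General;   Name = 'DisplayLicenseNotice'; Value = 'NO' }
    @{ Path = $General;   Name = 'MetricsEnabled';       Value = 'NO' }
    @{ Path = $Scheduler; Name = 'SchedulerAbility';     Value = 'NO' }
    @{ Path = $Scheduler; Name = 'SchedulerLock';        Value = 'HIDE' }
)

function Get-NonCompliantSetting {
    # Discovery: returns one object per value whose current data differs from the expected
    # string (a missing key or value also counts as drift).
    foreach ($e in $Expected) {
        $current = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        if ($current -ne $e.Value) {
            [pscustomobject]@{ Path = $e.Path; Name = $e.Name; Expected = $e.Value; Current = $current }
        }
    }
}

function Set-ExpectedSetting {
    # Remediation: create any missing key and write each value as REG_SZ (Data Type: String above).
    foreach ($e in $Expected) {
        if (-not (Test-Path -Path $e.Path)) { New-Item -Path $e.Path -Force | Out-Null }
        New-ItemProperty -Path $e.Path -Name $e.Name -Value $e.Value -PropertyType String -Force | Out-Null
    }
}

# Discovery output in the form a script-based CI compliance rule expects
$drift = @(Get-NonCompliantSetting)
$drift | Format-Table -AutoSize | Out-String | Write-Verbose
if ($drift.Count -eq 0) { Write-Output 'Compliant' } else { Write-Output 'Non-compliant' }
```

To use this as a single script setting instead of seven registry settings, paste everything down to the discovery output as the Discovery script and a copy that ends with a call to Set-ExpectedSetting as the Remediation script. Because every client will install whatever the share named in AdminCommandLine offers, keep write access on that repository share limited to the account that maintains it.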

One more configuration to make on the client is to disable System Update's default scheduled task to check for updates.  Since I want to control this behavior, a Discovery and Remediation script will be used.  Add one last setting to the CI:

General
Name: Create Scheduled Task
Description: Checks if the custom scheduled task is present.  If not, creates it and disables System Update's default scheduled tasks.
Setting Type: Script
Data type: String
Discovery script: 


# Look for the custom task by name; any task whose name contains "CloudRepository" counts
$cloudrepocheck = Get-ScheduledTask | Where-Object {$_.TaskName -match "CloudRepository"}
if (!($cloudrepocheck)) {
    Write-Output "Non-compliant"
} else {
    Write-Output "Compliant"
}

Remediation script:


# Create the scheduled task for System Update to connect to Lenovo's servers to install whitelisted updates
# tvsu.exe lives under Program Files (x86); the SpecialFolder name must be passed as a string
$su = Join-Path ([System.Environment]::GetFolderPath('ProgramFilesX86')) "Lenovo\System Update\tvsu.exe"
$taskAction = New-ScheduledTaskAction -Execute $su -Argument '/CM'
$taskTrigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At 9am
$taskUserPrincipal = New-ScheduledTaskPrincipal -UserId 'SYSTEM'
$taskSettings = New-ScheduledTaskSettingsSet -Compatibility Win8
$task = New-ScheduledTask -Action $taskAction -Principal $taskUserPrincipal -Trigger $taskTrigger -Settings $taskSettings
# -Force overwrites an existing task of the same name, so re-running remediation is safe
Register-ScheduledTask -TaskName 'TVSU-CloudRepository' -InputObject $task -Force

# Disable the default System Update scheduled tasks
Get-ScheduledTask -TaskPath "\TVT\" | Disable-ScheduledTask

Compliance Rules
Name: Create Scheduled Task
The setting must comply with the following rule:
The value returned by the specified script: Equals Compliant
Run the specified remediation script when this setting is noncompliant
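The discovery script above only tests that the custom task exists. If the default tasks under \TVT\ are re-enabled later (a System Update upgrade is one likely cause), the setting still reports Compliant and the remediation script never runs again, so the client silently goes back to Lenovo's default schedule. The stricter discovery script below is an added example, not code from the original post; it checks both conditions using the task name and path from the remediation script above, and pairs with that remediation script unchanged. Get-TaskComplianceReport is a hypothetical helper name.

```powershell
# Added example, not from the original post: discovery that checks the custom task exists
# and is enabled AND that every default task under \TVT\ is disabled.
$CustomTaskName  = 'TVSU-CloudRepository'
$DefaultTaskPath = '\TVT\'

function Get-TaskComplianceReport {
    # Returns an object describing each condition; Compliant is $true only when all hold.
    $custom   = Get-ScheduledTask -TaskName $CustomTaskName -ErrorAction SilentlyContinue
    $defaults = @(Get-ScheduledTask -TaskPath $DefaultTaskPath -ErrorAction SilentlyContinue)

    # State is an enumeration (Disabled, Ready, Running, ...); anything other than Disabled
    # means the task can still fire on its own trigger.
    $stillEnabled = @($defaults | Where-Object { $_.State -ne 'Disabled' })

    $customEnabled = [bool]$custom -and ($custom.State -ne 'Disabled')

    [pscustomobject]@{
        CustomTaskPresent   = [bool]$custom
        CustomTaskEnabled   = $customEnabled
        DefaultTasksFound   = $defaults.Count
        DefaultTasksEnabled = @($stillEnabled | ForEach-Object { $_.TaskName })
        Compliant           = [bool]$custom -and $customEnabled -and ($stillEnabled.Count -eq 0)
    }
}

$report = Get-TaskComplianceReport
# Detail is useful when testing interactively; only the last line matters to the CI rule
$report | Format-List | Out-String | Write-Verbose
if ($report.Compliant) { Write-Output 'Compliant' } else { Write-Output 'Non-compliant' }
```

With this discovery script in place the existing compliance rule (value returned Equals Compliant) is unchanged, and the remediation script above is already idempotent because it registers the custom task with -Force and disables whatever it finds under \TVT\.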

After all Setting Types have been added to the CI, the Settings and Compliance Rules tabs should look like this:





Create a new Baseline, enter a name, click Add and select Configuration Items from the drop down.  Choose the new CI from the list.



STEP 3
Now we are ready for deployment.  Choose Deploy from the ribbon and select a Device Collection.  Tick the boxes Remediate noncompliant rules when supported and Allow remediation outside the maintenance window, then set the schedule.





Verify the status of the Baseline on a client to determine compliance.  Once it is in a compliant state, you can see in the Registry that the values configured in the CI have been set.



Task Scheduler also shows the new custom task.



Depending on which updates are applicable, and on which reboot-type packages were specified to install in the command line, System Update may prompt the user and show which updates will be installed.




Further Reading

Managing System Update With Intune - https://thinkdeploy.blogspot.com/2019/07/manage-lenovo-system-update-with-intune.html