Deep dive setting up a Lenovo cloud repository in an Azure file share



In a previous post, I walked through a few steps on how to host an Update Retriever repository in an Azure blob storage.  This involved downloading the updates to a local machine, copying them to the blob, and configuring Thin Installer on the client to pull these updates down.

Another option is the Lenovo cloud repository feature in Update Retriever.  By choosing this option, only the package XMLs will be downloaded to the repository while the full content will be hosted by Lenovo.  If you're moving your on-prem repository to the cloud, this option will most definitely cut down storage costs as these XMLs are only a couple of kilobytes in size.

A few things to note before exploring this route:
  • System Update (version 5.07.0046 and later) is supported
  • Commercial Vantage is supported
  • Thin Installer is NOT supported

Azure Storage Account
You'll need to create a new storage account first.  During the creation, make sure you set the account kind to StorageV2 since we're going to be using this as an Azure file share.

After creation, go to the new storage account and scroll down to the File service section and click File shares.  Click +File share, give it a name and click Create.

The URL of the share can be found in Properties.




You'll need to take note of one of the Access keys for the storage account, which will be used later on.  These can be found under Settings > Access keys.



Being that this is in a test tenant, I set the Storage account to be accessed from All networks.  You can lock the access down to specific vNets and/or IP ranges under Settings > Firewalls and virtual networks.

Update Retriever
Install the latest version of Update Retriever on a technician system.  We're going to use cmdkey to store the Azure storage account credentials.  Launch PowerShell and enter the following command (replacing the storage account name and access key):

Invoke-Expression -Command "cmdkey /add:<storageaccountname>.file.core.windows.net /user:Azure\<storageaccountname> /pass:<accesskey>"

You should see cmdkey return a Credential added successfully message.  You can verify by opening Credential Manager and looking under Windows Credentials.

Now, launch Update Retriever and select Lenovo Cloud repository.  Instead of entering the URL of the file share, enter it as a UNC path:

Set any other options and click Continue.  You may see a spinning wheel for a bit, but it will eventually proceed to the Get new updates screen.  Here you can add your MTMs and check for updates.  You should see Update Retriever connect to your Azure file share and download content.

If you look in Event Viewer under Applications and Services Logs > Lenovo > ThinkVantage > UpdateRetriever and open the log named "This is the operational log of ThinkVantage UpdateRetriever", you'll see events like this:


Back in the Azure portal, navigate to your file share and you should now see all of the package ID directories with their corresponding .xml files, as well as the database.xml.


Client-side Config
I'm going to build off the previous post, Managing System Update with Intune, and add one more requirement here.  We need to upload and deploy a PowerShell script to add the Azure storage account credentials on the client.  Unfortunately, SAS tokens aren't supported with SMB access so you'll have to use the Storage Account Access Key.

Copy the same command that was used earlier into a .ps1 file and add it by navigating to Intune > Device Configuration > Scripts in the Azure portal.  

Set the Script settings to:

Run this script using the logged on credentials - Yes
Run script in 64 bit PowerShell host - Yes

Assign to a group.
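
A fuller version of that client script, as an added example that is not from the original post: it checks that the file share endpoint is reachable, stores the credential without Invoke-Expression, and confirms database.xml can be read.  The share name and all three placeholder values are assumptions to replace, and it assumes the script runs in the logged-on user's context as set above.

```powershell
# Added example: the three values below are placeholders, replace them before use.
$StorageAccount = '<storageaccountname>'
$ShareName      = '<sharename>'    # hypothetical share name
$AccessKey      = '<accesskey>'    # grants full access to the storage account

$Target = "$StorageAccount.file.core.windows.net"
$Unc    = "\\$Target\$ShareName"

# Azure Files over SMB uses TCP 445; fail early if the client cannot reach it.
$probe = Test-NetConnection -ComputerName $Target -Port 445 -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    Write-Error "TCP 445 to $Target is not reachable; credential not stored."
    exit 1
}

# Call cmdkey directly and discard its output so the key is never echoed back.
& cmdkey.exe "/add:$Target" "/user:Azure\$StorageAccount" "/pass:$AccessKey" | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Error "cmdkey failed with exit code $LASTEXITCODE."
    exit 1
}

# Confirm the repository index is readable with the stored credential.
if (-not (Test-Path -LiteralPath "$Unc\database.xml")) {
    Write-Error "Credential stored, but database.xml could not be read under $Unc."
    exit 1
}

Write-Output "Repository $Unc is reachable with the stored credential."
exit 0
```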

I've already set my System Update scheduled task, as described in the System Update Suite and MEM post.

To confirm everything works, I manually start the scheduled task and monitor the tvsu_<timestamp>.log, which can be found under %ProgramData%\Lenovo\SystemUpdate\logs.

I can see the client connects to the repository and finds the database.xml


And further down the log, once the client parses through the database.xml for applicable updates, the packages are downloaded from Lenovo


I've set my AdminCommandLine to list the updates so I can select which ones to install.

/CM -search A -action LIST -includerebootpackages 3,5 -noreboot -noicon -exporttowmi

And here's a screenshot of updates that are applicable to download and install



If you're using Commercial Vantage, ensure you've configured the Local Repository GPO to point to the UNC of your Azure File Share.