
WaaS – Phase 1 [Qualifying]

We have passed scrutineering and are now ready for qualifying during this race weekend!

In part 1 I talked about the overall design of my WaaS implementation and some background on how I got there.

WaaS – Overview of WaaS the Wolverine Way

In part 2 I talked about structuring the scrutineering phase of my WaaS process.

WaaS – Phase 0 [Scrutineering]

During the prior phase we filtered out the devices on which we have no intention of ever attempting the In-Place Upgrade (IPU).  In this phase we will work on catching devices that have issues that are not deal breakers and can be remediated.

What is the Goal?

We are going to start with all of the devices that have passed scrutineering and look for those that have issues that can possibly be fixed and then allow them back into the process.  These issues are transient and can be addressed in a number of different ways.

What “Rules” are We Enforcing?

We are going to be looking for five issues.

  1. Devices with low free disk space (<30GB)
  2. Devices that are inactive in AD (>14 days)
  3. Devices with insufficient memory (<3GB)
  4. Devices missing Hardware Inventory in Configuration Manager
  5. Workstations with outdated Hardware Inventory (>14 days)
[Laptops get a “pass” on this one]

We will continue to use collections to organize the devices funneling through this phase.  These collections will help the desktop support teams when troubleshooting.

Devices with low free disk space (<25GB)

Currently in our 1809 WaaS rollouts we have been looking for devices with less than 25GB free on drive C.  With 1909 we will most likely increase that threshold to 30GB or more.

Devices that are inactive in AD

This group is intended to gather up devices that may have been retired or no longer exist for some reason.  Here we are looking for devices that have not logged into Active Directory within the last 14 days.  The intent is to locate devices that may no longer exist but have not yet aged out of Configuration Manager.

Devices with insufficient memory (<3GB)

Here we collect devices that have less than 3GB of memory.  Initially we were triggering at 4GB or less but that was pulling in devices that were reporting less than 4096MB as 4GB of memory.  These were primarily some older Surface tablets.  More recently this has been catching virtual machines that were created with 2GB of memory.

Devices missing Hardware Inventory in Configuration Manager

This collection is intended to identify devices that exist in Configuration Manager but have never submitted Hardware Inventory.  What usually happens is that a device was retired and, while the computer aged out of Configuration Manager, it was never removed from Active Directory.  AD Discovery finds the old computer object and pulls it back into Configuration Manager.

Workstations with outdated Hardware Inventory (>14 days)

This one will gather up desktops that have not reported Hardware Inventory within the last 14 days.  We are gathering HWInv every 7 days, so this should give us devices that have missed 2 consecutive HWInv cycles.

Laptops are excused from this test.  Often laptops are offline or at least off-network for extended periods of time.  Including them in this group was artificially inflating the collection’s population.

How are We Enforcing those Rules?

Phase Organization

Just like in the prior phase there are Start and Finish collections and the goal is to get from one to the other.  Failures are filtered out in between those two collections.

Collection Structure

There are 9 collections that play a part in this phase, 3 in the main line and 6 remediation collections.

Main Line Collections

  1. WaaS_DEV_1903_Phase1-PreAssessment_00_ReadyforPreAssessment
  2. WaaS_DEV_1903_Phase1-PreAssessment_50_FailedPreAssessment
  3. WaaS_DEV_1903_Phase1-PreAssessment_99_PassedPreAssessment

Remediation Collections

  1. WaaS_DEV_1903_Phase1-PreAssessment_Reference_Laptops
  2. WaaS_DEV_1903_Phase1-PreAssessment_Remediation_DiskSpace
  3. WaaS_DEV_1903_Phase1-PreAssessment_Remediation_InactiveInAD
  4. WaaS_DEV_1903_Phase1-PreAssessment_Remediation_Memory
  5. WaaS_DEV_1903_Phase1-PreAssessment_Remediation_MissingHWInventory
  6. WaaS_DEV_1903_Phase1-PreAssessment_Remediation_WorkstationOutdatedHWInventory

The three Main Line collections provide a general picture of devices as they progress through the phase.  All three collections are limited to the “WaaS_DEV_1903_Phase0-Reference_99_PassedScrutineering” collection.  This limits membership in the collections to only those devices that have successfully passed the prior phase (Phase 0 – Scrutineering).

The six Remediation Collections are all limited to the “WaaS_DEV_1903_Phase1-PreAssessment_00_ReadyforPreAssessment” collection.  In practice both of these limiting collections will contain the same devices the majority of the time, but depending on when you set up the collection refreshes you could have a situation where there are more/less machines that have passed Phase 0 until the Phase 1 starting collection has updated.

Main Line Collections

WaaS_DEV_1903_Phase1-PreAssessment_00_ReadyforPreAssessment

This is the starting point for this phase.  Essentially we are just going to take those that passed Phase 0 and funnel them directly into Phase 1.  You can do this any number of ways, for example you could use an Include Collection rule, or you could set up a query to pull in everything and allow the limiting collection to keep things in check.

We use a query to pull in the members of the “WaaS_DEV_1903_Phase0-Reference_99_PassedScrutineering” collection.  Some may find this redundant with it also being the limiting collection, but I would rather err on the side of caution.

Query:
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ResourceId in (select ResourceID from SMS_CM_RES_COLL_PS1000C7)

 

In this example, the collection ID PS1000C7 points to the “PassedScrutineering” collection.

WaaS_DEV_1903_Phase1-PreAssessment_50_FailedPreAssessment

This collection will gather up all of the various devices that have failed any of the Pre-Assessment tests.  This works as a consolidation collection and in reports the member count shows the overall number of devices that have failed this phase for any reason.

Query:
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ResourceId in (select ResourceID from SMS_CM_RES_COLL_PS1000CB) or SMS_R_System.ResourceId in (select ResourceID from SMS_CM_RES_COLL_PS1000CC) or SMS_R_System.ResourceId in (select ResourceID from SMS_CM_RES_COLL_PS1000CD) or SMS_R_System.ResourceId in (select ResourceID from SMS_CM_RES_COLL_PS1000CE) or SMS_R_System.ResourceId in (select ResourceID from SMS_CM_RES_COLL_PS1000CF)

 

In this example, the collection IDs point to the individual Remediation Collections detailed below.

PS1000CB = Insufficient Disk Space

PS1000CC = Inactive in Active Directory

PS1000CD = Insufficient Memory

PS1000CE = Missing Hardware Inventory

PS1000CF = Outdated Hardware Inventory (Desktops Only)

 

WaaS_DEV_1903_Phase1-PreAssessment_99_PassedPreAssessment

This is the ultimate goal for this phase, the collection of devices that have passed all of the tests in this phase.  The query pulls in all of the devices that are not in the collection that consolidates all of the Pre-Assessment failures.

Query:
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ResourceId not in (select ResourceID from SMS_CM_RES_COLL_PS1000CA)

 

In this example, the collection ID PS1000CA points to the “FailedPreAssessment” collection.

 

Remediation Collections

WaaS_DEV_1903_Phase1-PreAssessment_Reference_Laptops

This is simply a reference collection.  It pulls together devices whose chassis type would categorize them as mobile or laptop machines.  It is used as an exclusion to the “WorkstationOutdatedHWInventory” collection to provide a pass for laptop/tablet devices.

Query:
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_SYSTEM_ENCLOSURE on SMS_G_System_SYSTEM_ENCLOSURE.ResourceId = SMS_R_System.ResourceId where SMS_G_System_SYSTEM_ENCLOSURE.ChassisTypes = "8" OR SMS_G_System_SYSTEM_ENCLOSURE.ChassisTypes = "9" OR SMS_G_System_SYSTEM_ENCLOSURE.ChassisTypes = "10" OR SMS_G_System_SYSTEM_ENCLOSURE.ChassisTypes = "30" OR SMS_G_System_SYSTEM_ENCLOSURE.ChassisTypes = "31"

WaaS_DEV_1903_Phase1-PreAssessment_Remediation_DiskSpace

To help ensure that devices have enough free space to process the upgrade we only allow devices with at least 25GB free on their C drive to continue.  This collection will pull in all devices that have less than 25GB free.  In our next iteration for 1909 we will probably increase this to 30-35GB.

Query:
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_LOGICAL_DISK on SMS_G_System_LOGICAL_DISK.ResourceId = SMS_R_System.ResourceId where SMS_G_System_LOGICAL_DISK.DeviceID = 'C:' and SMS_G_System_LOGICAL_DISK.FreeSpace < 25600

The value (25600) is in MB.

WaaS_DEV_1903_Phase1-PreAssessment_Remediation_InactiveInAD

Here we are gathering devices that have not logged into Active Directory within the last 2 weeks.  If the device has been offline for 2 weeks or more, it will also fail for not having submitted Hardware Inventory within 2 weeks.  The intent of this collection is to separate devices that have been offline and not submitting Hardware Inventory from those that have been online and through a potential client health problem have not reported.

Query:
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_WORKSTATION_STATUS on SMS_G_System_WORKSTATION_STATUS.ResourceId = SMS_R_System.ResourceId where SMS_G_System_WORKSTATION_STATUS.LastHardwareScan < DateAdd(dd,-14,GetDate()) AND SMS_R_System.ResourceId not in (select SMS_R_System.ResourceID from  SMS_R_System inner join SMS_G_System_CH_ClientSummary on SMS_G_System_CH_ClientSummary.ResourceID = SMS_R_System.ResourceId where SMS_G_System_CH_ClientSummary.LastPolicyRequest > DateAdd(dd,-14,GetDate())) and SMS_R_System.ResourceId not in (select SMS_R_System.ResourceID from  SMS_R_System where SMS_R_System.LastLogonTimestamp > DateAdd(dd,-14,GetDate()))

 

WaaS_DEV_1903_Phase1-PreAssessment_Remediation_Memory

This collection is meant to pull in devices that have too little memory.  We have been purchasing hardware with 4GB of memory for over a decade and 8GB for at least the last 3-4 years.  What usually gets caught in this collection are virtual machines that were created with only 2GB and occasionally a device that while running on supported hardware, only has 2GB of memory.

We set the target at 3GB because we had devices (primarily older Surface tablets) that reported 4071MB or less of memory as their 4GB.

Query:
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_X86_PC_MEMORY on SMS_G_System_X86_PC_MEMORY.ResourceId = SMS_R_System.ResourceId where SMS_G_System_X86_PC_MEMORY.TotalPhysicalMemory < 3145728

 

WaaS_DEV_1903_Phase1-PreAssessment_Remediation_MissingHWInventory

Here we are pulling in devices that have a record in Configuration Manager but that record has no Hardware Inventory at all.

Query:
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ResourceID not in (select SMS_R_System.ResourceID from  SMS_R_System inner join SMS_G_System_WORKSTATION_STATUS on SMS_G_System_WORKSTATION_STATUS.ResourceID = SMS_R_System.ResourceId where SMS_G_System_WORKSTATION_STATUS.LastHardwareScan != "")

WaaS_DEV_1903_Phase1-PreAssessment_Remediation_WorkstationOutdatedHWInventory

This collection is intended to collect desktops only (no laptops/tablets) that have not reported Hardware Inventory within the last 14 days.  This is different than the “InactiveInAD” explained above.  While that collection is meant to collect devices that have been completely offline for 2 weeks or more, this one is meant to collect devices that are actively being used but failing to report Hardware Inventory.

Query:
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_WORKSTATION_STATUS on SMS_G_System_WORKSTATION_STATUS.ResourceId = SMS_R_System.ResourceId where SMS_G_System_WORKSTATION_STATUS.LastHardwareScan < DateAdd(dd,-14,GetDate()) AND (SMS_R_System.LastLogonTimestamp > DateAdd(dd,-14,GetDate()) OR SMS_R_System.ResourceID in (select SMS_R_System.ResourceID from  SMS_R_System inner join SMS_G_System_CH_ClientSummary on SMS_G_System_CH_ClientSummary.ResourceID = SMS_R_System.ResourceId where SMS_G_System_CH_ClientSummary.LastPolicyRequest > DateAdd(dd,-14,GetDate())))

 

This query pulls in devices that have not reported Hardware Inventory within the last 14 days.  Since this would pull in both desktops and laptops we add an “Exclude Collection” rule to exclude any devices that are members of the “PreAssessment_Reference_Laptops” collection.
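
The five remediation rules and the laptop exclusion can be dry-run outside Configuration Manager to see where a given device lands. The Python model below is an added example, not part of the original post; the thresholds and chassis types come from the queries above, while the device names, field names and sample values are constructed assumptions.

```python
from datetime import datetime, timedelta

NOW = datetime(2019, 10, 1)          # fixed "today" so the run is repeatable
CUTOFF = NOW - timedelta(days=14)    # DateAdd(dd,-14,GetDate()) in the queries
LAPTOP_CHASSIS = {8, 9, 10, 30, 31}  # chassis types in Reference_Laptops

def recent(ts):  # True when a timestamp exists and is newer than the cutoff
    return ts is not None and ts > CUTOFF

def remediation_collections(d):
    """Remediation collections one device record lands in. The queries use
    inner joins, so a value missing from inventory never matches a rule."""
    scan = d["last_hw_scan"]
    stale = scan is not None and scan < CUTOFF
    seen = recent(d["last_logon"]) or recent(d["last_policy"])
    hits = []
    if d["free_c_mb"] is not None and d["free_c_mb"] < 25600:  # MB free on C:
        hits.append("DiskSpace")
    if stale and not seen:                   # silent in AD and in ConfigMgr
        hits.append("InactiveInAD")
    if d["mem_kb"] is not None and d["mem_kb"] < 3145728:      # KB, under 3GB
        hits.append("Memory")
    if scan is None:                         # record exists, no inventory
        hits.append("MissingHWInventory")
    if stale and seen and d["chassis"] not in LAPTOP_CHASSIS:  # laptops excused
        hits.append("WorkstationOutdatedHWInventory")
    return hits

def run_phase1(devices):  # device name -> collections; [] means it passed
    return {d["name"]: remediation_collections(d) for d in devices}

def device(name, chassis=None, free=None, mem=None, scan=None, logon=None, policy=None):
    # Build a constructed record; scan/logon/policy are "days before NOW".
    ago = lambda n: None if n is None else NOW - timedelta(days=n)
    return {"name": name, "chassis": chassis, "free_c_mb": free, "mem_kb": mem,
            "last_hw_scan": ago(scan), "last_logon": ago(logon), "last_policy": ago(policy)}

# Constructed sample devices (hypothetical names, not real inventory data).
DEVICES = [
    device("SURFACE-4G", 30, 40000, 4071 * 1024, scan=5, logon=2, policy=2),
    device("VM-2GB", 1, 20000, 2097152, scan=2, logon=1, policy=1),
    device("DESK-SICK", 3, 90000, 8388608, scan=30, logon=1, policy=2),
    device("LAPTOP-ROAM", 10, 90000, 8388608, scan=30, logon=3, policy=20),
    device("DESK-GONE", 3, 90000, 8388608, scan=60, logon=60, policy=60),
    device("AD-GHOST", logon=200),
]

if __name__ == "__main__":
    for name, hits in run_phase1(DEVICES).items():
        print(f"{name:12} {'Passed' if not hits else 'Failed: ' + ', '.join(hits)}")
```

A device can land in more than one remediation collection, which is why the “FailedPreAssessment” member count is not the sum of the individual collections.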

The End Result

We have a series of collections that are used by our web report that show what correctable issues were found with our pack of potential IPU targets.

Main Line Collections

Remediation Collections

In the above example, I had 3 machines that passed Phase 0 and were funneled into Phase 1.  All three machines have outdated Hardware Inventory so they have dropped into the remediation collection for that condition.  This leaves no machines that have passed this phase.

What’s Next?

Devices that pass this phase are now set to move on to Phase 2 – Compatibility Scan.  It is at that point where we will begin running processes locally to fine tune our evaluation to see if they are ready to be upgraded.

We have passed scrutineering in Phase 0 and have qualified for the race in Phase 1.  Now we are moving on to the Practice Sessions of the race weekend.

 

Mike Marable

I am the OSD lead and a senior engineer for the Configuration Manager client group at Michigan Medicine (formerly the University of Michigan Health System). We manage 40,000 systems throughout the health system and medical school with Configuration Manager. I have been doing OS deployments for nearly 25 years, 14 of which have been with Michigan Medicine. I’ve led the engineering efforts of moving our OS Deployment from a custom solution to Configuration Manager, our Windows XP to Windows 7 and Windows 7 to Windows 10 efforts. My passion over the last 2+ years has been Windows as a Service.
