MSEndpointMgr

Wake On Lan With ConfigMgr Compliance Baseline

Laptops

Please note: some people have commented that running this CI on laptops changed the WLAN adapter settings too, and that it can sometimes trigger BitLocker to ask for the recovery key. So for now, don't add laptops to your collection. I hope to update this post soon to restrict it to desktops only.

What is Wake On Lan and how does it work?

Wake On LAN is an industry-standard protocol for waking computers up from various sleep states (see below). In essence it's the ability to wake computers up when you need to; well, that's the theory. Getting all the machines to wake up is like finding the Holy Grail sometimes.

Last Friday the WannaCrypt ransomware started hitting machines around the world. I contacted my department head and asked for permission to update all workstations and ignore maintenance windows; he agreed and I got to work. To my horror, when I deployed the updates almost all of my 4000 workstations didn't wake up. It turned out to be an issue with the ACLs on the switches, but to me it shows how hard it is to get WOL to work consistently. You need many ducks in a row for this to work.

So today I wanted to talk about how you get this to work, or more likely how to give yourself the best chance of it working consistently. Wake on LAN uses what's called a magic packet, which is broadcast across your environment; it contains the subnet information, network address, and the MAC address of the target computer's network card. A magic packet consists of 6 bytes of all 255 (FF FF FF FF FF FF), followed by sixteen repetitions of the target computer's MAC address.

Going forward I am assuming your BIOS supports WOL and is configured for it.

If you want to add support for Surface devices, add this (WOL Surface).

Sleep States

Below are the different sleep states. In a previous post I spoke about how Windows fast startup can interfere with WOL. The machine should wake up from most of these states.

State: Description
S0: The computer is on and fully functional.
S1: The computer appears to be off with the CPU stopped. RAM is refreshed, and the computer is running in a low power mode.
S2: The computer appears to be off with the CPU stopped. RAM is refreshed, and the computer is running in a lower power mode than S1.
S3 (Standby): The computer appears to be off with no power to the CPU. RAM is in slow refresh.
S4 (Hibernate): The computer appears to be off with no power to the hardware. System memory has been saved as a temporary file on the hard disk.
S5 (Off): The computer is off with no power to the hardware, and the operating system has been shut down without saving system memory to disk.

Default Network Adapter settings for WOL

  1. This is an example of a network adapter that won't allow WOL.
  2. If we look in WMI we can see the settings for "Allow this device to wake the computer" and "Only allow a magic packet to wake the computer"; by default they are disabled.

Subnet-directed broadcast Versus Unicast

Whatever method you pick, it's worth consulting your network team first.

Subnet Directed Broadcast: This method retrieves the subnet address and MAC address from Hardware Inventory, and the magic packets are then targeted at the subnet. The magic packet is sent to all machines on that subnet but should only wake up its intended target. If ConfigMgr doesn't have the IP and MAC address this won't work, and subnet-directed broadcast is normally disabled on routers and switches.

Unicast: This method uses the IP address and MAC address stored in Hardware Inventory, and the magic packets are targeted directly at the machine. This will not work if the ARP cache on the switch has flushed out the MAC and IP of the computer. The ARP cache keeps a record of the MAC and IP address; normally an entry is only held for between 8 and 40 minutes, but that depends on your setup.
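To make the two ideas above concrete, here is a small PowerShell example I have added to this post (it is not ConfigMgr code): it builds a magic packet exactly as described, six 0xFF bytes followed by the MAC sixteen times, checks whether a captured UDP payload is a well-formed magic packet and for which MAC, and works out the subnet-directed broadcast address the broadcast method would send to. The MAC and IP values are constructed for the example, and it assumes PowerShell 5.1 or later.

```powershell
# Added example, not part of the original post or of ConfigMgr.
function ConvertTo-MacBytes {
    param([Parameter(Mandatory)][string]$Mac)
    # Accept 00-11-22-33-44-55, 00:11:22:33:44:55 or 001122334455
    $hex = $Mac -replace '[-:]', ''
    if ($hex -notmatch '^[0-9A-Fa-f]{12}$') { throw "Not a MAC address: $Mac" }
    [byte[]](0..5 | ForEach-Object { [Convert]::ToByte($hex.Substring($_ * 2, 2), 16) })
}

function New-MagicPacket {
    param([Parameter(Mandatory)][string]$Mac)
    $macBytes = ConvertTo-MacBytes $Mac
    # Six bytes of 0xFF, then the target MAC repeated sixteen times: 102 bytes in total
    $packet = [byte[]]::new(102)
    for ($i = 0; $i -lt 6; $i++) { $packet[$i] = 0xFF }
    for ($rep = 0; $rep -lt 16; $rep++) {
        [Array]::Copy($macBytes, 0, $packet, 6 + $rep * 6, 6)
    }
    return $packet
}

function Test-MagicPacket {
    # Returns the target MAC if $Payload is a valid magic packet, otherwise $null.
    # Useful when checking what a capture of UDP/9 traffic actually contains.
    param([Parameter(Mandatory)][byte[]]$Payload)
    if ($Payload.Length -lt 102) { return $null }
    for ($i = 0; $i -lt 6; $i++) { if ($Payload[$i] -ne 0xFF) { return $null } }
    $first = $Payload[6..11]
    for ($rep = 1; $rep -lt 16; $rep++) {
        $off = 6 + $rep * 6
        for ($j = 0; $j -lt 6; $j++) {
            if ($Payload[$off + $j] -ne $first[$j]) { return $null }
        }
    }
    return ($first | ForEach-Object { $_.ToString('X2') }) -join ':'
}

function Get-DirectedBroadcast {
    # Subnet-directed broadcast address for an IPv4 address and mask:
    # host bits all set to 1, which is where the broadcast method sends the packet
    param([Parameter(Mandatory)][string]$IPAddress, [Parameter(Mandatory)][string]$SubnetMask)
    $ip   = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    $mask = [System.Net.IPAddress]::Parse($SubnetMask).GetAddressBytes()
    $bcast = [byte[]](0..3 | ForEach-Object { $ip[$_] -bor ((-bnot $mask[$_]) -band 0xFF) })
    return [System.Net.IPAddress]::new($bcast).ToString()
}

# Constructed sample values, not taken from any real inventory
$packet = New-MagicPacket -Mac '00-11-22-33-44-55'
Test-MagicPacket -Payload $packet
Get-DirectedBroadcast -IPAddress '10.20.30.40' -SubnetMask '255.255.255.0'
```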

Configure System Center Configuration Manager for WOL

Go to the properties of the Site Server.

Go to the Wake On LAN tab. I use "Subnet-directed broadcasts".

Click on Advanced. I changed the retries from 3 to 5 and set the delay to 2 minutes. It works better for my environment.

Next go to the Ports tab. Currently it's set to UDP port 9; Microsoft suggests changing this.

Automating adapter configuration with ConfigMgr CB

A few years ago I used a VBScript to alter the settings on our network adapters, but this had a few flaws. The first was that if the network adapter was reset, the settings reset to the default; the second was that it tried to change the settings of all adapters (including virtual ones); and finally I didn't have a way to confirm that it had actually worked. Now Maurice and I are pretty big fanboys when it comes to Configuration Items and Configuration Baselines. If you have never used them before, my brother from another mother wrote a great article on this here (ConfigMgr Configuration Baselines – A Beginners Guide).

Configuration Item

  1. Open the SCCM Console and expand the Compliance Settings section.
  2. Right click on Configuration Items and select Create Configuration Item.
  3. Give your CI a name; it's always good to follow a naming pattern.
  4. I selected Windows 7, 8, 8.1, and 10.
  5. Under the Settings tab, click New.
    • Name: Allow this device to wake the computer
      Description: This allows the NIC to wake up the machine.
      Setting type: WQL query
      Data type: Boolean
      Namespace: root\wmi
      Class: MSPower_DeviceWakeEnable
      Property: Enable
      WQL query: InstanceName Like 'PCI%'

      Warning: when I copied this to the site it changed the quote characters. The query needs plain straight single quotes around PCI%, not the curly quotes a web page or word processor may substitute.

  6. Under Compliance rules
  7. Under the Settings tab, click New.
    • Name: Only allow a magic packet to wake the computer
      Description: Magic packets only.
      Setting type: WQL query
      Data type: Boolean
      Namespace: root\wmi
      Class: MSNdis_DeviceWakeOnMagicPacketOnly
      Property: EnableWakeOnMagicPacketOnly
      WQL query: InstanceName Like 'PCI%'

      Warning: as above, use straight single quotes around PCI%; the formatting changed when I copied it to the site.

  8. Under Compliance rules
  9. Review the settings.
  10. Review the Compliance Rules.
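Before deploying the baseline, it helps to see what those two WQL settings will evaluate on a client. The PowerShell below is an example I have added for that purpose; it is not the CI itself or the download at the bottom of the post. It runs the same two root\wmi queries with the same InstanceName filter, reports the state per adapter instance, and can remediate the way the baseline does. It assumes you run it elevated on a client and that the adapter driver accepts the write through Set-CimInstance (the same WDM write the CI remediation performs).

```powershell
# Added example, not the post's Configuration Item or its download.
# The two settings the CI checks, with the property each class exposes.
$Checks = @(
    @{ Class = 'MSPower_DeviceWakeEnable';           Property = 'Enable' }                      # Allow this device to wake the computer
    @{ Class = 'MSNdis_DeviceWakeOnMagicPacketOnly'; Property = 'EnableWakeOnMagicPacketOnly' } # Only allow a magic packet to wake the computer
)
# Same filter as the CI: only bus-enumerated (PCI) adapters, which leaves virtual adapters alone.
$Filter = "InstanceName LIKE 'PCI%'"

function Get-WolSettingState {
    # Discovery: one row per adapter instance and setting, with its current value.
    foreach ($c in $Checks) {
        Get-CimInstance -Namespace 'root\wmi' -ClassName $c.Class -Filter $Filter |
            ForEach-Object {
                [pscustomobject]@{
                    InstanceName = $_.InstanceName
                    Class        = $c.Class
                    Property     = $c.Property
                    Enabled      = [bool]$_.($c.Property)
                }
            }
    }
}

function Set-WolSettingEnabled {
    # Remediation: turn on every non-compliant instance discovery found. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($c in $Checks) {
        $pending = Get-CimInstance -Namespace 'root\wmi' -ClassName $c.Class -Filter $Filter |
            Where-Object { -not $_.($c.Property) }
        foreach ($inst in $pending) {
            if ($PSCmdlet.ShouldProcess($inst.InstanceName, "Enable $($c.Property)")) {
                $props = @{}
                $props[$c.Property] = $true
                Set-CimInstance -InputObject $inst -Property $props
            }
        }
    }
}

# The baseline is compliant only when every PCI adapter instance has both settings on.
$state = Get-WolSettingState
$state | Format-Table -AutoSize
if ($state | Where-Object { -not $_.Enabled }) { 'Non-compliant' } else { 'Compliant' }
```

Run `Set-WolSettingEnabled -WhatIf` first to list what would change, then without the switch to apply it, and re-run the discovery to confirm the adapters now report compliant.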

Configuration Baseline

With the Configuration Items created the next step is to create a Configuration Baseline and deploy it to your collection.

  1. Right click on Configuration Baseline and click Create Configuration Baseline.
  2. Give the baseline a name.
  3. The final step is to deploy the Configuration Baseline to the Collection, so right click on the Configuration Baseline and Deploy. Ensure that “Remediate noncompliant rules when supported” is ticked.

Compliant

On a client machine you should see this.

The network adapter now has the settings ticked.

Under WMI you can see the settings enabled and only for the physical adapters.

Monitoring

Under the monitoring node I can see compliant machines.

And there we go.

30/06/2017

As requested, here is the [download id="6795"]

Terence Beggs

An Irish man living in London, after completing a BSc in Computer Science in 2005 he started working in the IT Industry. Currently Senior Systems Officer at London Metropolitan University managing Azure and several thousand endpoints across several campuses in London. Technology focuses include SCCM, MDT, Azure, Office 365, Active Directory, Group Policy, Application Packaging, PowerShell, Virtualization and Automation.

56 comments

  • Hi Terence, I still love the way you show how to set the WoL options via SCCM. Just a few weeks ago we got new models that show the behavior you posted at the beginning: the WLAN also stays on and drains the battery because WoL is enabled.
    Any chance you have had time to look into this?
    Regards
    Mike

    • I only target desktops now for that reason, plus WOL over our wireless is useless. I did try testing some new settings with our Toshiba laptops but it was very inconsistent.

  • Just for information, I am using a dock-in station and the Ethernet card is not prefixed by PCI but USB:
    USB\VID_0BDA&PID_8153\000001000000_0

    So, I am wondering if I should delete the instance PCI from the query to make it work, and what will be the impact 🙂

  • Hello Terence,

    Can you please let us know if there are specific settings for Intel Latest Network Drivers Ver 23.4 which we can use to enable Wake on Magic packet using Compliance Manager Remediation?

    • I am looking at this at the moment for both x86 and x64. I have noticed the settings are a little different on some models, not sure why. So far it's working just fine but I will make sure to update the CI in the future to accommodate this.
      Thanks

  • In our experience, unless the "Allow the computer to turn off this device to save power" option is checked, the other two won't apply even if they are checked (they are grayed out). In your example, you obviously checked that box manually, so how can you also make sure the "Allow the computer to turn off this device to save power" option is checked?

    • In my example I did not tick the check box as it was already enabled by the default install of the drivers. If that is happening to you, I'm sure checking in WMI and turning the setting on and off will show you what entry to add. Hope this helps.

  • Hi Terence; We have this compliance baseline implemented in our SCCM environment and it has worked great. However some of our new Dell computers require some additional things checked in order to get them to do WOL. I was wondering if you could tell me how to change these. I’ve downloaded the WMI Explorer that you were using and it would be great if I could learn more about using this tool.

    Here is an excerpt from a website that helped me get WOL working on the DELL 3050 computer.

    To sum up, checking all options in the Power Management tab, and enabling the following three options within the Advanced Tab:
    •Shutdown Wake-On-Lan
    •Wake on Magic Packet
    •Wake on pattern match

    • Hi Dana, I don't have any Dells in my environment. I have started to look around the Dell forums, but without a machine to test on it's difficult. I will ask Maurice to have a look as he just got a new Dell laptop.

      • Thanks Terence; I’ll also try getting in touch with someone at Dell to see if they can help with this.

    • Interesting you say that, Dana. Our new Dells have been a crapshoot and I've actually seen the Power Management settings being impacted on our laptops, with them no longer going to sleep with these settings specified.

  • Maybe this will help avoid wireless NICs:

    'Query for all of the Win32_NetworkAdapters that are wired Ethernet (AdapterTypeId=0 corresponds to Ethernet 802.3)
    Set colNetworkAdapters = GetObject("WinMgmts:{impersonationLevel=impersonate}//./root/Cimv2") _
        .ExecQuery("SELECT * FROM Win32_NetworkAdapter WHERE AdapterTypeId=0 AND PhysicalAdapter = TRUE AND NOT Description LIKE '%Centrino%' AND NOT Description LIKE '%wireless%' AND NOT Description LIKE '%virtual%' AND NOT Description LIKE '%WiFi%' AND NOT Description LIKE '%Bluetooth%'")

  • A question:
    Is there a way to configure SCCM to use a specified address for broadcasting the subnet-directed magic packet, rather than it automatically referring to the last known subnet the client was attached to?
    I ask because in a secured network environment leveraging dynamic VLAN allocation, where the client is currently unauthenticated, the magic packet needs to be sent to the native VLAN configured on the switchport for the client to receive the packet. If the magic packet is sent to the client's dynamically allocated VLAN, the sleeping unauthenticated client will not receive it.
    This issue could be solved in the network with a destination NAT, but it would be easier if SCCM could be configured to override the client IP and send to a specified address.

    • That is a good question. As far as I know, a subnet-directed broadcast uses the last known subnet. You might need a third-party tool for something like that. I would tweet David James with your question; if anyone knows whether it's possible, he would.

      Thanks

  • As I read, using WMI may cause a problem. Why not use a PowerShell script, as there are many NIC manufacturers and some need more than just changing a value?

    • Hello Francois, in my environment I'm only using Intel NICs and setting the hardware using WMI makes sense. I suppose you could use PowerShell to make it more adaptable when dealing with different models. Thanks

  • Why not disable the packets on wireless? It is achievable; all you need is to ask your network team to have a separate VLAN for wireless and block the same on the wireless VLAN.

    • I could look into that. I’m assuming, at some point, we may want that enabled as things go more wireless. So far it seems model-specific. Not sure why some models/nics seem to wake up more frequently.

    • I could, but not sure if that's what is causing it. If I disable WoWLAN in the BIOS it still happens. Doesn't seem to be all models, either. If I run an Insomnia Report in ConfigMgr, many of these machines show 'MsMpEng' as the reason. Not sure why Endpoint Protection would be waking these machines up?

      • Think I need to look over this post again to adjust it for what you have found. Currently travelling so will look over it next week.

  • I ended up using the following because it wasn’t ticking all the boxes correctly for me on some machines:

    MSNdis_DeviceWakeOnMagicPacketOnly
    MSPower_DeviceEnable
    MSPower_DeviceWakeEnable

    I didn’t put the ‘PCI’ part in as I was testing that behavior. I see it has applied to the WLAN Cards on the machines and I’m seeing some of them wake up from sleep quite consistently. That may be because in the BIOS on these machines WOL is set to ‘LAN & WLAN.’ I’m testing that now but just curious if ‘PCI’ would have excluded the wireless cards?

    • Hello Adam

      Yes, I set it out to only change the Ethernet cards; adding PCI excluded wireless on my laptops. I'm going to be taking a second look at this post soon.
      Thanks

      • Ya, I may have put myself in an awkward position. I guess I would have to make two copies of these policies, one for LAN and one for WLAN. Is there an ‘instance’ filter I can use for WLAN?

      • I will have to look into this might be able to look tomorrow and get back to you.

      • Actually, the WLAN Card starts with ‘PCI’ as well, so it would apply there. Curious how I could separate that……….

      • What’s really odd is that I can disable ‘WoWLAN’ in the BIOS and it still wakes up. The only thing that fixes it is disabling all of these settings on the WLAN NIC in Device Manager. The setting specifies, however, to only wake on magic packet and I’m not sending any to these particular machines. If I do ‘powercfg -lastwake’ it just states the Wireless Card.

        Updated the BIOS and the NIC.

        Very odd……

      • Thanks for the update Adam, I'm going to put up a note on the blog advising people to be careful when using this on laptops. Another person commented that it was causing BitLocker to ask for the recovery key; although I wasn't able to replicate that, it's worth noting.
        I'm hopefully going to revisit this blog again. Thanks

  • Great post. Playing around with it and came across something.
    On at least some HP systems, the default boot order for Wake on LAN is PXE first and then the internal hard drive.
    If your normal boot order is internal hard drive first and you have BitLocker enabled, that change in boot order causes the system to prompt for the encryption key. I will have to change the WOL boot order in addition to the WMI changes to set this up in our environment.

    • That is a very interesting comment. I will need to look at this, as I have found my Toshiba laptops doing something similar.

  • I added that .CAB file and I get an error:

    Error Type | Error Code | Error Description | Error Source
    Setting Discovery Error | 0x80041010 | Invalid class | WMI
    Setting Discovery Error | 0x80041010 | Invalid class | WMI

    We have all HP Devices

  • Can you make this a .CAB file so I can import it? What mark should go around the PCI% quotes, or the tick mark below the ~ key?

    • Good idea, done.

      Check the bottom of the post. Will transfer this to TechNet when I get a chance.

    • Hi Terence Beggs,

      Is this only applicable to Intel-based NICs, and does it not matter who the maker of the laptop or desktop is?

      Bharat

      • Hello Bharat,

        I have mostly Intel in my environment but we do have about 100 Broadcom and it works for those too. Some NICs are just rebranded Intel too; it might need a bit of trial and error. It doesn't matter about the make and model.
        Hope that helps.

        Thanks.

  • Thanks for this post, was kinda waiting for it 😉

    But unfortunately, it doesn’t work for me. This is DcmWmiProvider.log:

    WQLRealizer::QueryValues- failed at Namespace.Query with Error=0x80041017 DcmWQLQueryProvider 23.05.2017 11:26:29 700 (0x02BC)
    Failed in discovering instance.
    Unknown error (Error: 80041017; Source: Unknown) DcmWQLQueryProvider 23.05.2017 11:26:29 700 (0x02BC)
    Failed to do HandleExecQueryAsync().
    Unknown error (Error: 80041017; Source: Unknown) DcmWQLQueryProvider 23.05.2017 11:26:29 700 (0x02BC)
    Failed to process CWqlQueryProvider::ExecQueryAsync.
    Unknown error (Error: 80041017; Source: Unknown) DcmWQLQueryProvider 23.05.2017 11:26:29 700 (0x02BC)
    WQLRealizer::QueryValues- failed at Namespace.Query with Error=0x80041017 DcmWQLQueryProvider 23.05.2017 11:26:29 700 (0x02BC)
    Failed in discovering instance.
    Unknown error (Error: 80041017; Source: Unknown) DcmWQLQueryProvider 23.05.2017 11:26:29 700 (0x02BC)
    Failed to do HandleExecQueryAsync().
    Unknown error (Error: 80041017; Source: Unknown) DcmWQLQueryProvider 23.05.2017 11:26:29 700 (0x02BC)
    Failed to process CWqlQueryProvider::ExecQueryAsync.
    Unknown error (Error: 80041017; Source: Unknown) DcmWQLQueryProvider 23.05.2017 11:26:29 700 (0x02BC)

    • ooohhhh that's evil!
      I figured it out:
      I copied your WQL query " InstanceName Like 'PCI%' " and the ’ you used on the site is not the ' you have to use in your query. Replaced your ’ by ' and now it works. 🙂

      • You know what, I have had that before from other sites. I will update the post to warn people.

      • OK, I have updated the post. For some reason it changes the formatting when I copy it to the post.

  • Hi, and thanks for this article, really appreciated!

    I get an error ID 0x80041010 "NON VALID CLASS" on the deployment status. Can you tell me what I'm doing wrong?

      • Look at the post again, as someone else pointed out that InstanceName Like 'PCI%' is changed to InstanceName Like ‘PCI%’ when I copy it to the blog.

  • Thanks for the reply mate. I’m gonna have to dip into this SCCM magic. We have machines waking on randomly and we can’t figure out why. I assume we can nominate a couple of PCs in each subnet to act as WOL/WOW agents.

    • Yes, you can test WOL within a subnet. As for randomly waking machines, check wake on alarm in the BIOS. We had machines randomly waking at 7am; the poor cleaner probably thought the room was haunted.

  • Awesome article, I’m wondering, do we need to change some bios settings in order to make this work, or we just need to follow your guide? Thks

    • Yes, you will need to a) confirm your motherboard supports this (most do, but I have been screwed over by this in the past) and b) turn this on; if you're lucky enough to have Dell or HP this should be pretty easy to do.

  • This is a great article! I really appreciate it!
    Geniuses like you make a ConfigMgr admin's life easier.

  • Great article! Great way to enable WOL. Do you use RCT to actually wake them up individually if needed or just rely on the deployment to wake them up? I have scenarios where I just need to switch a remote PC on without a deployment.

    • Hi Ben, yes I use RCT tools. If I’m in a hurry I use the RCT tools to wake machines up rather than wait on a deployment. As the site server is one of the only VMs allowed to wake up machines, the RCT tools must be run from there, but that is just my environment. Thanks.
