This blog is owned and operated by the ANZ ConfigMgr Premier Field Engineer team.
Contributors: Ian Bartlett, Matt Shadbolt, George Smpyrakis
Hi all,
As requested, I’ve just listed all the ConfigMgr 2012 released versions in a table below. We will do our best to keep this up to date as new updates are released. Note that the Client and Console versions will be exactly the same as the Release/Update version.
To see how to view the version see Matt’s earlier blog here. If you want to confirm a CU update see Neil’s blog here.
Release/Update
Version
Build
I have been working with a number of customers recently that have had issues running their monthly Software Update compliance reports due to a high number of “DETECTION STATE UNKNOWN” results reporting back long after the update deployment has successfully run.
As usual the first thing we want to identify is whether it is on the client side or server side.
State Message IDs are used to define specific state messages for each topic type. For our issue, a state message for Software Updates has TopicType=500, with a State Message ID of 0, 1, 2 or 3 that gives the actual state of the given update on a client machine, as below:
Topic Type | State Message ID | State Message Description
500 | 0 | Detection state unknown
500 | 1 | Update is not required
500 | 2 | Update is required
500 | 3 | Update is installed
To determine what information your clients are sending back to your Management Point we can use WMI queries to see what is happening on the client.
1. Open wbemtest with elevated permissions
2. Connect to the WMI Namespace: root\CCM\StateMsg
3. Select Query and run the query SELECT * FROM CCM_StateMsg
Find any software update deployment, which can be identified by TopicType=500. What we want to check are the annotated values in the example below, as these determine whether the client has indeed sent a message back to the MP and, if so, what it sent. If we see it sent back a “0” and confirm that the KBs are installed, then we know it is something on the client side; we would expect to see 1, 2 or 3 depending on the state listed above.
Example below:
instance of CCM_StateMsg
{
Criticality = 0;
MessageSent = TRUE; // Message is sent
MessageTime = "20101027211908.749000+000"; // UTC Time
ParamCount = 1;
StateDetails = "";
StateDetailsType = 0;
StateID = 2; // Update is required
TopicID = "9d4681d5-46fa-4250-bedc-480ac7bce3aa";
TopicIDType = 3;
TopicType = 500; // Update Detection
UserFlags = 0;
UserParameters = {"102"};
};
Hope this helps..
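The wbemtest check described above can be scripted. The following is an added example, not code from the original post: the function names and the sample objects are constructed for illustration, and the "look at the server" hint is an inference from the post's client-side/server-side split.

```powershell
# Added example: classify software-update state messages (TopicType 500)
# using the State Message ID table from this post.
$StateText = @{
    0 = 'Detection state unknown'
    1 = 'Update is not required'
    2 = 'Update is required'
    3 = 'Update is installed'
}

function Convert-StateMsgTime {
    param($Value)
    # CIM may hand back a [datetime]; wbemtest shows the DMTF string form.
    if ($Value -is [datetime]) { return $Value.ToUniversalTime() }
    $text = [string]$Value
    if ($text.Length -lt 14) { return $null }
    $parsed = [datetime]::ParseExact($text.Substring(0, 14), 'yyyyMMddHHmmss', [Globalization.CultureInfo]::InvariantCulture)
    [datetime]::SpecifyKind($parsed, [DateTimeKind]::Utc)   # the post notes MessageTime is UTC
}

function Get-UpdateStateSummary {
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)] $StateMessage)
    process {
        if ([int]$StateMessage.TopicType -ne 500) { return }   # not a software-update message
        $id = [int]$StateMessage.StateID
        $next = if (-not $StateMessage.MessageSent) {
            'Not sent to the MP yet: troubleshoot the client'
        } elseif ($id -eq 0) {
            'Client sent 0: confirm the KB is installed, then troubleshoot the client'
        } else {
            'Client sent a definite state: if reports still show unknown, look at the server'
        }
        [pscustomobject]@{
            TopicID     = $StateMessage.TopicID
            StateID     = $id
            State       = $StateText[$id]
            MessageSent = [bool]$StateMessage.MessageSent
            SentUtc     = Convert-StateMsgTime $StateMessage.MessageTime
            NextStep    = $next
        }
    }
}

# Constructed sample: the first object mirrors the instance shown in the post,
# the others are made up to exercise each branch.
$sample = @(
    [pscustomobject]@{ TopicType = 500; TopicID = '9d4681d5-46fa-4250-bedc-480ac7bce3aa'; StateID = 2; MessageSent = $true;  MessageTime = '20101027211908.749000+000' }
    [pscustomobject]@{ TopicType = 500; TopicID = '00000000-0000-0000-0000-000000000001'; StateID = 0; MessageSent = $true;  MessageTime = '20101027211910.000000+000' }
    [pscustomobject]@{ TopicType = 500; TopicID = '00000000-0000-0000-0000-000000000002'; StateID = 3; MessageSent = $false; MessageTime = '20101027211915.000000+000' }
    [pscustomobject]@{ TopicType = 300; TopicID = 'not-an-update-message';                StateID = 1; MessageSent = $true;  MessageTime = '20101027211920.000000+000' }
)
$sample | Get-UpdateStateSummary | Format-Table -AutoSize

# On a ConfigMgr client, from an elevated prompt, use the live instances instead:
# Get-CimInstance -Namespace 'root\CCM\StateMsg' -ClassName CCM_StateMsg -Filter 'TopicType = 500' |
#     Get-UpdateStateSummary
```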
In CM12 we have a number of changes in Software Updates. One of the most anticipated ones is Auto Deployment Rules.
Yes, finally, I hear you say….
Well, let's run through creating an Auto Deployment and one little gotcha to keep your eye on.
Software Library > Software Updates > Automatic Deployment Rules
Choose Create Automatic Deployment Rule from the Ribbon or Right click on the mouse.
In the first screen we can choose a Template
(Templates are no longer a node in the console; they are now created when creating an Auto Deployment Rule or manually deploying updates, and are saved at the Summary screen. I'll point this out later in the post.)
You can Select to Add to an Existing Software Update Group or Create a new Software Update Group.
If you select Add to an Existing Software Update Group a brand new group will be created the first time the Auto Deployment Rule is run and every time the rule runs after that the new updates are added to that group.
(NOTE: You cannot create a Software Update Group manually and then create an Auto Deployment Rule to add new updates to that group. Even if you give it the same name and description, the Auto Deployment Rule will still create a new group. See Figure below. The group created at 6:02 pm was done manually. I then ran the Auto Deployment Rule at 6:07 pm and you can see that it creates a group with a duplicate name and description.)
If you select Create a new Software Update Group every time the rule is run a new Software Update Group is created.
You can also choose to Enable the deployment after the rule is run.
Here you can choose to use Wake on lan and also decide whether to automatically deploy all updates and approve any license agreements or deploy only updates that do not include license agreements.
This is where you select the requirements to select the updates to auto approve.
Here you can set a Schedule for the Rule to run. Potentially every Patch Tuesday or Daily for Forefront updates.
Or you can run the rule manually.
Similar to CM07 we can set the deployment schedule and whether the Deployment will be Mandatory.
Set the User Experience, deadline behaviour and reboot suppression.
We can now generate alerts if the compliance falls below a certain threshold after a certain period of time. As before, we can select to disable alerts for Operations Manager.
Set your Deployment options
Either select an existing package or create a new one for the new updates
Select a DP or DP Group
Where to download the updates from
Choose a language
On the Summary screen you can Choose to Save your settings as a Template for future use
We now see the new Rule in the console and we can choose to Run Now from the ribbon.
The log file for troubleshooting is Ruleengine.log
We can see the Auto Deployment Rule is kicked off
Evaluating and downloading updates
Here we see it looking for an existing update group and not finding one therefore creating a new Software Update Group then adding the updates to that Group.
Back to the console. If we select Software Update Groups we now see the newly created Windows 7 Automatic Deployment and the Deployment (yet to be enabled) on the tab below.
When we select Show Members we can see the updates applied.
and there you have it.
Firstly, locate your most up to date image and make a copy of it. This is so we can stream the newest Windows Updates into the mounted WIM without risk of damaging a working WIM. I suggest copying the WIM to a temp location. Also, put the Windows Update that you want to apply into an Updates folder.
Next, mount your image in the temp location.
DISM /Mount-Wim /WimFile:C:\TempMount\install.wim /index:1 /Mountdir:C:\TempMount\Mount
Now inject the Windows Update you need to apply
DISM /image:C:\TempMount\Mount /Add-Package /Packagepath:C:\Updates\
Finally, save and unmount the image
DISM /Unmount-Wim /Mountdir:C:\TempMount\Mount /commit
DISM /Cleanup-Wim
While running updates manually like this is an easy way to apply a few updates, hundreds of updates require more work. Here’s how you would apply the updates using PowerShell.
$UpdatesPath = "C:\Updates\*"
$MountPath = "C:\TempMount\Mount"
$WimFile = "C:\TempMount\install.wim"
# Mount the copied image
DISM /Mount-Wim /WimFile:$WimFile /index:1 /Mountdir:$MountPath
# Inject every update found in the Updates folder
$UpdateArray = Get-Item $UpdatesPath
ForEach ($Updates in $UpdateArray)
{
    DISM /image:$MountPath /Add-Package /Packagepath:$Updates
    Start-Sleep -s 10
}
Write-Host "Updates Applied to WIM"
# Save the changes and unmount
DISM /Unmount-Wim /Mountdir:$MountPath /commit
DISM /Cleanup-Wim
Using SCCM 2007 Deployment Packages makes getting these updates really simple. Package up the updates like you would normally, then set the $UpdatesPath variable above to the SMS package location.
Happy patching!
Matt Shadbolt
With the new version of Configuration Manager, comes a bunch of new juicy logs. I’ll separate the posts into Client and Server. In this first instalment, I’ll cover off on the new logs found on your clients.
The first thing you need to know, is the log location has changed slightly.
Client logs can now be found at C:\Windows\CCM\Logs – rather than in the System32 or SysWoW64 directory
With the new ConfigMgr 2012 App Model, we now scan each machine at a regular period (default is every 7 days) and make sure that applications that should be installed on a machine are indeed installed. The AppDiscovery.log will show you the discovery engine (based on DCM) checking to make sure the app is installed.
Performing detection of app deployment type MS_Silverlight(ScopeId_73F3BB5E-5EDC-4928-87BD-4E75EB4BBC34/DeploymentType_246b2460-f182-4916-959c-0a2c41c55ca0, revision 2) for system. AppDiscovery 3/05/2012 9:27:30 AM 7988 (0x1F34)
+++ Application not discovered. [AppDT Id: ScopeId_73F3BB5E-5EDC-4928-87BD-4E75EB4BBC34/DeploymentType_246b2460-f182-4916-959c-0a2c41c55ca0, Revision: 2] AppDiscovery 3/05/2012 9:27:31 AM 7988 (0x1F34)
Here we can see the WMI query for the Microsoft Silverlight application and it not being found. The AppDiscovery.log will then flag Silverlight for installation
ActionType - Install will use Content Id: Content_b0e86929-a5f2-4154-b876-ed83965ce25d + Content Version: 1 for AppDT "MS_Silverlight" [ScopeId_73F3BB5E-5EDC-4928-87BD-4E75EB4BBC34/DeploymentType_246b2460-f182-4916-959c-0a2c41c55ca0], Revision - 2 AppDiscovery 3/05/2012 9:27:34 AM 12156 (0x2F7C)
If an application should be installed, and the AppDiscovery doesn’t find it, the AppEnforce log should kick in with the installation routine
+++ Starting Install enforcement for App DT "MS_Silverlight" ApplicationDeliveryType - ScopeId_73F3BB5E-5EDC-4928-87BD-4E75EB4BBC34/DeploymentType_246b2460-f182-4916-959c-0a2c41c55ca0, Revision - 2, ContentPath - C:\Windows\ccmcache\1a, Execution Context - System AppEnforce 3/05/2012 9:28:29 AM 7988 (0x1F34)
A user is logged on to the system. AppEnforce 3/05/2012 9:28:29 AM 7988 (0x1F34)
Performing detection of app deployment type MS_Silverlight(ScopeId_73F3BB5E-5EDC-4928-87BD-4E75EB4BBC34/DeploymentType_246b2460-f182-4916-959c-0a2c41c55ca0, revision 2) for system. AppEnforce 3/05/2012 9:28:29 AM 7988 (0x1F34)
+++ Application not discovered. [AppDT Id: ScopeId_73F3BB5E-5EDC-4928-87BD-4E75EB4BBC34/DeploymentType_246b2460-f182-4916-959c-0a2c41c55ca0, Revision: 2] AppEnforce 3/05/2012 9:28:29 AM 7988 (0x1F34)
App enforcement environment:
Context: Machine
Command line: "Silverlight.exe" /q
Allow user interaction: No
UI mode: 1
User token: null
Session Id: 4294967295
Content path: C:\Windows\ccmcache\1a
Working directory: AppEnforce 3/05/2012 9:28:29 AM 7988 (0x1F34)
Prepared working directory: C:\Windows\ccmcache\1a AppEnforce 3/05/2012 9:28:29 AM 7988 (0x1F34)
Prepared command line: "C:\Windows\ccmcache\1a\Silverlight.exe" /q AppEnforce 3/05/2012 9:28:33 AM 7988 (0x1F34)
Executing Command line: "C:\Windows\ccmcache\1a\Silverlight.exe" /q with system context AppEnforce 3/05/2012 9:28:33 AM 7988 (0x1F34)
Once the application has installed, it will rerun the application detection and this time succeed.
+++ Discovered application [AppDT Id: ScopeId_73F3BB5E-5EDC-4928-87BD-4E75EB4BBC34/DeploymentType_246b2460-f182-4916-959c-0a2c41c55ca0, Revision: 2] AppEnforce 3/05/2012 9:29:41 AM 7988 (0x1F34)
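The AppEnforce sequence above (start of enforcement, command line run in system context, re-detection) can be pulled out of a log excerpt to audit what was executed and whether detection succeeded afterwards. This is an added example, not part of the original post: it parses the column layout shown on this page (message, component, date, time, thread), which is an assumption about how the lines were copied; the function name and the content-path check are illustrative.

```powershell
# Constructed input: AppEnforce lines taken from the excerpt in this post.
$sampleLog = @'
+++ Starting Install enforcement for App DT "MS_Silverlight" ApplicationDeliveryType - ScopeId_73F3BB5E-5EDC-4928-87BD-4E75EB4BBC34/DeploymentType_246b2460-f182-4916-959c-0a2c41c55ca0, Revision - 2, ContentPath - C:\Windows\ccmcache\1a, Execution Context - System AppEnforce 3/05/2012 9:28:29 AM 7988 (0x1F34)
+++ Application not discovered. [AppDT Id: ScopeId_73F3BB5E-5EDC-4928-87BD-4E75EB4BBC34/DeploymentType_246b2460-f182-4916-959c-0a2c41c55ca0, Revision: 2] AppEnforce 3/05/2012 9:28:29 AM 7988 (0x1F34)
Executing Command line: "C:\Windows\ccmcache\1a\Silverlight.exe" /q with system context AppEnforce 3/05/2012 9:28:33 AM 7988 (0x1F34)
+++ Discovered application [AppDT Id: ScopeId_73F3BB5E-5EDC-4928-87BD-4E75EB4BBC34/DeploymentType_246b2460-f182-4916-959c-0a2c41c55ca0, Revision: 2] AppEnforce 3/05/2012 9:29:41 AM 7988 (0x1F34)
'@ -split "`r?`n"

# message, component, day-first date, 12-hour time, thread id (hex thread id ignored)
$lineRx = '^(?<Message>.*?)\s+(?<Component>[\w.]+)\s+(?<Date>\d{1,2}/\d{1,2}/\d{4})\s+(?<Time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+(?<Thread>\d+) \(0x[0-9A-Fa-f]+\)\s*$'

function Get-AppEnforceRun {
    param([string[]]$Line)
    $open = @{}   # thread id -> enforcement run still in progress
    foreach ($text in $Line) {
        if ($text -notmatch $lineRx) { continue }   # continuation lines carry no trailer
        # Copy the captures now: the switch below overwrites $Matches.
        $msg, $component, $thread = $Matches.Message, $Matches.Component, $Matches.Thread
        $when = [datetime]::ParseExact("$($Matches.Date) $($Matches.Time)", 'd/M/yyyy h:mm:ss tt', [Globalization.CultureInfo]::InvariantCulture)
        if ($component -ne 'AppEnforce') { continue }

        switch -Regex ($msg) {
            '^\+\+\+ Starting Install enforcement for App DT "(?<Name>[^"]+)".*(?<Id>ScopeId_[^,\s]+).*ContentPath - (?<Content>[^,]+),' {
                $open[$thread] = [pscustomobject]@{
                    Application          = $Matches.Name
                    DeploymentType       = $Matches.Id
                    ContentPath          = $Matches.Content.Trim()
                    CommandLine          = $null
                    Context              = $null
                    RunsFromContentPath  = $null
                    Started              = $when
                    Seconds              = $null
                    DetectedAfterInstall = $false
                }
            }
            '^Executing Command line: (?<Cmd>.+) with (?<Ctx>\w+) context$' {
                if ($open.ContainsKey($thread)) {
                    $run = $open[$thread]
                    $run.CommandLine = $Matches.Cmd
                    $run.Context     = $Matches.Ctx
                    # Added sanity check: the binary should sit under the stated content path.
                    $run.RunsFromContentPath = $Matches.Cmd.StartsWith('"' + $run.ContentPath + '\', [StringComparison]::OrdinalIgnoreCase)
                }
            }
            '^\+\+\+ Discovered application' {
                if ($open.ContainsKey($thread)) {
                    $run = $open[$thread]
                    $run.DetectedAfterInstall = $true
                    $run.Seconds = ($when - $run.Started).TotalSeconds
                    $run                      # emit the completed run
                    $open.Remove($thread)
                }
            }
        }
    }
    $open.Values   # runs that never reached a successful re-detection
}

Get-AppEnforceRun -Line $sampleLog | Format-List
```

For the sample lines this reports one run of MS_Silverlight in system context, 72 seconds from start to successful detection.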
The AppInterval.log works with the two previous logs, and should tell you which applications are required. You should see something like
ScopeId_73F3BB5E-5EDC-4928-87BD-4E75EB4BBC34/DeploymentType_246b2460-f182-4916-959c-0a2c41c55ca0/2 :- Current State = Installed, Applicability = Applicable, ResolvedState = Installed, Title = MS_Silverlight
The CCMVDIProvider.log will show you if the machine is a virtual or a physical machine
The EndpointProtectionAgent.log will only show you that the SCEP agent is/isn’t installed. It will not show you any information about definition updates. For SCEP definition updates and SCEP functionality, you’ll find a bunch of logs in C:\ProgramData\Microsoft\Microsoft Antimalware\Support
ExpressionSolver.log is a log that records MSI discovery. This log is only available when verbose logging is enabled
The ExternalEventAgent shows all of the state messages sent from SCEP, into the CCM client. The CCM client will then process this state message as it would any internal state message.
This log file records all Software Inventory file system scans. You can see in the log file below, that we’re looking for qmgr.dll, scrnsave.exe, scrnsave.scr and msiexec in the System32 directory.
Query = SELECT __class, __path, __relpath, name, path, lastwritedate, size, companyname, productname, productversion, productlanguage, fileversion, filedescription FROM FileSystemFile WHERE name = 'qmgr.dll|scrnsave.exe|scrnsave.scr|msiexec.exe' and path = '%windir%\\system32\\*' and iscompressed = false and isencrypted = false; Timeout = 14400 secs; ScanInterval = 2 msecs; SkipFile = skpswi.dat
You’ll see a bunch of SCNotify logs in your logs directory. This log describes the user notification for new applications. In the log you’ll see a bunch of WMI calls, and whether or not applications should notify the user of their availability
This software should not display a user notification balloon, removing it from the available notification list.
The SoftwareCatalogUpdateEndpoint log will show any changes to the Software Catalog URL and will show the URL being added to the Trusted Sites list in Internet Explorer
CSoftwareCatalogUpdateHandler::StartUpdateTrustedSitesProcess: Started UpdateTrustedSites process
CSoftwareCatalogUpdateHandler::SetCatalogSecurity: Updating the registry for Software Catalog.
This log will show you the Software Center notifications and whether or not the Software Center is installed and healthy.
The UpdateTrustedSites logs the actual updates after the SoftwareCatalogUpdateEndpoint reports that the URL needs to be added to the Trusted Sites
CSoftwareCatalogUpdateHandler::AddDefaultPortalToTrustedSites: Catalog Url should be added to the trusted sites zone. UpdateTrustedSites 18/05/2012 1:13:32 PM 14172 (0x375C)
AddDefaultPortalToTrustedSites: url = http://applicationcatalog.yourdomain.com:80, zone = 258 UpdateTrustedSites 18/05/2012 1:13:32 PM 14172 (0x375C)
With the new 2012 App Model, we need to determine which users are primary users of a device. The UserAffinity log will show which users have been added as primary users, and the method for determining the primary user
Auto affinity threshold settings Days = '21', User Minutes = '2880', AutoApproveAffinity = '1'. UserAffinity 18/05/2012 1:12:33 PM 14332 (0x37FC)
No WMI instance. Setting an affinity. UserAffinity 18/05/2012 1:12:45 PM 14332 (0x37FC)
Setting auto affinity for user 'yourdomain\mattshadbolt'. UserAffinity 18/05/2012 1:12:45 PM 14332 (0x37FC)
Successfully sent user affinity state message for user ‘yourdomain\mattshadbolt'. UserAffinity 18/05/2012 1:12:45 PM 14332 (0x37FC)
Successfully saved user affinity data for user ‘yourdomain\mattshadbolt' into WMI. UserAffinity 18/05/2012 1:12:45 PM 14332 (0x37FC)
We can see that AutoApproveAffinity is enabled for any user who has used the machine for 2880 minutes or more within 21 days.
So that's it! If you find any other logs that weren’t around in 2007, please let me know and I’ll do my best to cover them!
ConfigMgr 2012 SP1 introduced APP-V Virtual Environments (VE). APP-V VEs work differently to APP-V 5.0 Connection Groups in a “Full Infrastructure Model” (i.e. Publishing Server), so we need to do some application mapping before implementing APP-V Virtual Environments. You can think of ConfigMgr VEs as a “Rule Set” that the ConfigMgr client evaluates when doing an application evaluation cycle. Once a client evaluates true to a VE “Policy”, the connection group is then created. The difference in ConfigMgr is that an APP-V application can only be a member of one VE at any one time. This blog aims to explain the reasons why this is the case and why application mapping is vital if your virtual application catalogue has a large number of applications that are highly dependent on other applications.
Let’s say I have three Applications I need to configure in Connection Groups. In Full Infra I could easily create three separate connection groups and use the Priority to determine which VFS wins in a conflict.
Full Infra Example (Firefox , Flash & Reader)
Connection Group 1 = Firefox and Flash, priority = 1
Connection Group 2 = Firefox and Reader, priority = 2
Connection Group 3 = Firefox and Flash and Reader, priority = 3
If I do not set my priorities correctly then, as you know, we get the following error
However, in ConfigMgr we need to use a single Virtual Environment Rule Set per application that we need to manage a Connection Group for, and set logical operators to determine the priorities. By default the Connection Group priority in a ConfigMgr integrated environment is always set to “4294967294” (i.e. the priority in traditional terms is not used in ConfigMgr). This is the underlying reason why a ConfigMgr virtual application can only ever be a member of one VE at any one time. ConfigMgr manages the creation of the Connection Group XML that gets created and processed by the client when the client meets the rule set defined in the Virtual Environment.
If I tried to set up the ConfigMgr Virtual Environment in the same way as I do in Full Infra (illustration below), this WILL NOT WORK! We will end up with the same error as above.
Misconfigured example below
As I evaluate to True for both Virtual Environment Rule Sets, both Connection Groups are configured, but of course I get the same ERROR.
To configure this in ConfigMgr I need to use my logical operators inside the VE to achieve the same result I would get in a Full Infrastructure environment.
Examples:
Client 1: Has Firefox and Reader installed, i.e. no Flash. This meets the Virtual Environment rule configured, so the “Firefox” Connection Group is created for Firefox and Reader.
Client 2: Has Firefox, Flash and Reader installed. This also meets the Virtual Environment; however, as I have all three applications, the Flash VFS will take precedence over the Reader VFS as we have set Flash with a high “Order” in the Virtual Environment.
Hope this helps clear up some misunderstandings on how APP-V VEs work in ConfigMgr 2012 SP1+.
If you need to distinguish whether or not a site has been upgraded to ConfigMgr 2012 SP1, here is the process and version numbers.
1. Open the ConfigMgr console
2. Browse to Administration > Site Configuration > Sites
3. Right-click on the site you need information for, and select Properties
4. You’ll find the site version and build number here
ConfigMgr 2012 RTM
Version: 5.00.7711.0000 Build number: 7711
ConfigMgr 2012 SP1
Version: 5.00.7804.1000 Build number: 7804
Hi Everyone,
Just a very quick note to let you know that the Configuration Manager 2012 R2 Toolkit is available and is definitely worth a look.
Some of the new tools include
CEViewer.exe for viewing collection update stats
and
DPJobManager, a tool to help you monitor, suspend, cancel package distributions to Distribution Points
Download link below
System Center 2012 R2 Configuration Manager Toolkit
Hi Gang!
So I provided this information to one of my customers recently, and Georgy said it would be quite helpful for you dedicated ConfigMgrDogs readers too, so here it is.
This is a high-level view of the Windows Update process from a ConfigMgr client's view utilizing a SUP (Software Update Point).
The Software Update process from the ConfigMgr client
Following the flow
After refreshing machine policy, kick off the Software Update Scan. We can then see the Software Update Scan Cycle has started via the WUAHandler.log (C:\Windows\CCM\Logs\WUAHandler.log)
The Windows Update Handler initiates the Windows Update service against the ConfigMgr SUP. (C:\Windows\WindowsUpdate.log)
After the scan is completed, we then run the Software Update Deployment Evaluation Cycle. Use the UpdatesDeployment.log to view this process (C:\Windows\CCM\Logs\UpdatesDeployment.log)
The Content Access Service finds the content on the CMPRI-MATTSLABS Distribution Point and downloads it
Update Deployment attempts to install updates, Service Window Manager blocks the installation (C:\Windows\CCM\Logs\UpdatesDeployment.log)
Service Window Manager blocking the installation (C:\Windows\CCM\Logs\ServiceWindowManager.log)
And when the window opens, the updates should install. Check the UpdatesDeployment.log
Also, the WindowsUpdate.log success
And reboot if required (and scheduled)
Update: An ex-colleague reached out to me to add some extra info around the process for the SCEP update trigger. As my SCEP knowledge isn't the greatest, it's something I'll be sure to remember and very helpful for the community.
The key difference that I can see is that the SCEP definition update initiates from the AntiMalware Policy configuration, not from the EndPoint client settings where I expected to see it, or from the Software Updates Schedule client setting. As opposed of course to Software Update scanning and installation as per your post. Also triggering a manual SCEP definition update is only done from the SCEP client and not the SCCM client actions from what I've seen so far.
Thanks David!
Hi All,
If you’ve started playing with Orchestrator I have detailed the areas where you can look for issues with your Runbooks and other components.
Firstly, you can look at the Log tab while your Runbook is executing
Or after it is complete you can check the Log History tab
Double Click on the entry you want to review and then check the status for each Activity.
To control the level of detail available you need to go to the properties of each individual Runbook and select Store Activity-specific Published Data and/or Store Common Published Data. NOTE: This is only recommended in Dev and Test, not Production, as these may significantly increase the size of your database (see the following TechNet reference for details: Database Sizing and Performance).
Do not have these turned on in Production unless you are troubleshooting.
We can also get some useful information from the Events tab
Another area is the component logs for Debug Logging.
Thank you to Jeffrey Fanjoy, who is a senior support escalation engineer based out of the US, for this information.
If you go to the following registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\SystemCenter2012\Orchestrator\TraceLogger
on a box with the Runbook Designer or Runbook Server you will see that for each component there is a LogFolder and LogLevel key. The LogFolder shows you where the actual log sits and the LogLevel is the actual verbosity level. (NOTE: You may need to restart services/the server before this will take effect.)
Log Level
Just keep in mind that the higher the verbosity the more information that will get put into the log so it should only be used for troubleshooting purposes and should not be left on by default.
I’ve just spent a frustrating 10 minutes searching bing/google for the list of the supported anti-virus programs that SCEP (System Center Endpoint Protection) can automatically uninstall. So to save my scalp for a future hair pulling, I thought I’d blog the list so I can find it quickly next time. Hopefully bing/google will index this post and save us all some time!
http://technet.microsoft.com/en-us/library/gg682067.aspx#BKMK_EndpointProtectionDeviceSettings
Automatically remove previously installed antimalware software before Endpoint Protection is installed
Endpoint Protection uninstalls the following antimalware software only:
Hi Gang.
Over the long weekend last week, I thought I’d have a crack at writing, submitting and publishing a Windows 8 app. It’s a very simple countdown to Windows XP’s End Of Life on April 8th (we are all very excited to see the end of XP).
http://apps.microsoft.com/windows/en-au/app/windows-xp-end-of-life-countdown/08bd1136-13f0-47bb-a574-c8f3626a9227
As I said, it’s very simple but functional, with a countdown screen and live tile that updates daily.
Please download and rate it in the store.
Matt
Ran into an interesting issue while trying to migrate some App-V Applications from ConfigMgr 2007 to 2012 SP1. Most of the App-V packages migrated fine, however a few of them reported an error
“OSD file defines incompatible OS requirements”
After taking a look at the OSD file, according to this list all of the OS versions listed were fine. After some troubleshooting I found that all the failing Applications had multiple OSD files associated. This led me to the solution.
If you have multiple OSD files as part of an App-V Application, you must have the same OS requirements listed in all of the OSD files. Once we fixed the compatible OS list, the Application migrated successfully.
One pain point with Configuration Manager 2007, was that when a package failed to distribute content to a distribution point after the retry count was exceeded, it was permanently stuck in a distributing state. There was no easy supported method to redistribute that package to a specific Distribution Point.
Now in 2012 we have the new option to Redistribute a package.
Open the properties of any application or package and click on the Content Locations tab.
From there you can either select a specific Distribution Point or a Distribution Point Group. See Figures below
Application Properties
Package Properties
Then click on Redistribute
Click OK on the Warning and the package will then redistribute the content to that DP or DP Group.
I promised in my last post to provide you all with my scripts for modifying all your package and application source paths… well that was over two months ago now!
http://blogs.technet.com/b/configmgrdogs/archive/2013/02/18/moving-your-package-source-after-migration.aspx
Note: These scripts are provided “as-is” and no guarantees are provided. Please TEST these in a non-production environment beforehand.
First is my script that will modify the source paths for all of your Deployment Types within all Applications that are Script or MSI installers (you can modify this to do your App-V Deployment Types too)
Write-Host "#######################################################################" -f Green
Write-Host "## Matts ConfigMgr 2012 SP1 Application Source Modifier ##" -f Green
Write-Host "## blogs.technet.com/b/ConfigMgrDogs ##" -f Green
Write-Host "## ##" -f Green
Write-Host "## ##" -f Green
Write-Host "## Please ensure your package source content has been moved to the ##" -f Green
Write-Host "## new location *prior* to running this script ##" -f Green
Write-Host "## ##" -f Green
Write-Host "#######################################################################" -f Green
Start-Sleep -s 2
Write-Host ""
Write-Host ""

## Import ConfigMgr PS Module
Import-Module 'C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin\ConfigurationManager.psd1'

## Connect to ConfigMgr Site
$SiteCode = Read-Host "Enter your ConfigMgr Site code (XXX)"
$SiteCode = $SiteCode + ":"
Set-Location $SiteCode
Write-Host ""

## Set old Source share
Write-Host "NOTE: This is the location your 2007 packages are stored. It must be correct"
$OriginalSource = Read-Host "Enter your source ConfigMgr share (\\2007Server\Source$)"

## Set new Source share
Write-Host ""
Write-Host "NOTE: This is the location your Applications are stored. It must be correct"
$DestinationSource = Read-Host "Enter your destination ConfigMgr Source share (\\2012SERVER\Source$)"
Write-Host ""
Write-Host "Working.."
Write-Host ""

## Get your Application Deployment Types
$ApplicationName = Get-CMApplication
$ApplicationName = $ApplicationName.LocalizedDisplayName

ForEach($x in $ApplicationName)
{
    $DeploymentTypeName = Get-CMDeploymentType -ApplicationName $x
    #$DeploymentTypeName = $DeploymentTypeName.LocalizedDisplayName

    ForEach($DT in $DeploymentTypeName)
    {
        ## Change the directory path to the new location
        $DTSDMPackageXLM = $DT.SDMPackageXML
        $DTSDMPackageXLM = [XML]$DTSDMPackageXLM

        ## Get Path for Apps with multiple DTs
        $DTCleanPath = $DTSDMPackageXLM.AppMgmtDigest.DeploymentType.Installer.Contents.Content.Location[0]

        ## Get Path for Apps with single DT
        ## (indexing a single string returns its first character, "\")
        IF($DTCleanPath -eq "\")
        {
            $DTCleanPath = $DTSDMPackageXLM.AppMgmtDigest.DeploymentType.Installer.Contents.Content.Location
        }
        $DirectoryPath = $DTCleanPath -replace [regex]::Escape($OriginalSource), "$DestinationSource"

        ## Modify DT path
        Set-CMDeploymentType -ApplicationName "$x" -DeploymentTypeName $DT.LocalizedDisplayName -MsiOrScriptInstaller -ContentLocation "$DirectoryPath"

        ## Write Output
        Write-Host "Application " -f White -NoNewline;
        Write-Host $x -F Red -NoNewline;
        Write-Host " with Deployment Type " -f White -NoNewline;
        Write-Host $DT.LocalizedDisplayName -f Yellow -NoNewline;
        Write-Host " has been modified to " -f White -NoNewline;
        Write-Host $DirectoryPath -f DarkYellow
    }
}
My second script is much simpler, as we are changing only the Package source location, with no need to cycle through each Deployment Type
Write-Host "#######################################################################" -f Green
Write-Host "## Matts ConfigMgr 2012 SP1 Package Source Modifier ##" -f Green
Write-Host "## blogs.technet.com/b/ConfigMgrDogs ##" -f Green
Write-Host "## ##" -f Green
Write-Host "## ##" -f Green
Write-Host "## Please ensure your package source content has been moved to the ##" -f Green
Write-Host "## new location *prior* to running this script ##" -f Green
Write-Host "## ##" -f Green
Write-Host "#######################################################################" -f Green
Start-Sleep -s 2

## Import ConfigMgr PS Module (needed before the site drive can be used)
Import-Module 'C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin\ConfigurationManager.psd1'

## Connect to ConfigMgr Site
$SiteCode = Read-Host "Enter your ConfigMgr Site code (XXX)"
$SiteCode = $SiteCode + ":"
Set-Location $SiteCode

## Replace the old share with the new one in every package source path
$PackageArray = Get-CMPackage
$OldPath = "\\2007SERVER\source$"
$NewPath = "\\2012SERVER\cmsource$"
ForEach ($Package in $PackageArray)
{
    $ChangePath = $Package.PkgSourcePath.Replace($OldPath, $NewPath)
    Set-CMPackage -Name $Package.Name -Path $ChangePath
    Write-Host $Package.Name " has been changed to " $ChangePath
}
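Before letting either script write to the site, it helps to preview exactly which source paths would change. The dry-run below is an added example and not the author's code: the function name Get-SourcePathChange and the sample paths are constructed for illustration. It also shows two edge cases of the rewrite: `.Replace()` is case-sensitive, and an unanchored replace also rewrites a different share whose name merely starts with the old one.

```powershell
function Get-SourcePathChange {
    param(
        [Parameter(Mandatory = $true)][string[]]$Path,
        [Parameter(Mandatory = $true)][string]$OldRoot,
        [Parameter(Mandatory = $true)][string]$NewRoot
    )
    $old = $OldRoot.TrimEnd('\')
    $new = $NewRoot.TrimEnd('\')

    # Match the old share only at the start of the path and only when it is
    # followed by "\" or the end of the string (a path boundary).
    $rx = '^' + [regex]::Escape($old) + '(?=\\|$)'

    # "$" is special in a regex replacement string; "$$" yields a literal "$",
    # which matters for hidden shares such as Source$.
    $replacement = $new.Replace('$', '$$')

    foreach ($p in $Path) {
        $hit = $p -match $rx          # -match ignores case, like Windows paths do
        [pscustomobject]@{
            Current           = $p
            Proposed          = if ($hit) { $p -replace $rx, $replacement } else { $p }
            WillChange        = $hit
            # True when String.Replace() (case-sensitive) would have left this path alone
            CaseSensitiveMiss = $hit -and -not $p.Contains($old)
        }
    }
}

# Constructed sample paths covering the edge cases
$paths = @(
    '\\2007SERVER\source$\Apps\Adobe Reader'   # plain match
    '\\2007server\Source$\Apps\7-Zip'          # same share, different case
    '\\2007SERVER\source$old\Legacy'           # different share, must stay untouched
    'D:\LocalSource\Tool'                      # local path, must stay untouched
)

Get-SourcePathChange -Path $paths -OldRoot '\\2007SERVER\source$' -NewRoot '\\2012SERVER\cmsource$' |
    Format-Table -AutoSize

# Against a real site (after Import-Module and Set-Location as in the scripts above):
# Get-SourcePathChange -Path (Get-CMPackage).PkgSourcePath -OldRoot '\\2007SERVER\source$' -NewRoot '\\2012SERVER\cmsource$'
```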
Microsoft have recently released a Windows 8 and Server 2012 cumulative update KB2770917.
http://support.microsoft.com/kb/2770917
One of the important features of this update is the ability to customize the Windows 8 lock screen with corporate branding and set this across your domain joined computers using Group Policy.
From the KB:
This cumulative update includes the following performance and reliability improvements:
After installing the update, you get four new Group Policy settings
Force a specific default lock screen image: Provide a UNC or local path to your corporate lock screen logo, and all of your users will receive that as their lock screen.
Prevent changing lock screen image: After setting the corporate lock image, enable this option if you don’t want your users to have the ability to personalize the lock screen image.
Prevent changing start menu background: Use this option to stop your users from changing the Start Menu background colour. This means whatever the colour of the Start Menu background was when the machine was deployed will not be changed.
Do not display the lock screen: Enabling this setting will remove the lock screen for any user who isn’t required to press CTRL+ALT+DEL to login.
After configuring all the settings and applying the GPO, my corporate machine's lock screen now looks like this, and my users are stuck with it!
UPDATE: I’ve posted my Package and Application scripts (http://blogs.technet.com/b/configmgrdogs/archive/2013/05/09/package-amp-application-source-modification-scripts.aspx)
If you haven’t checked out the Package Conversion Manager for ConfigMgr 2012 RTM/SP1 yet, you’re missing out.
http://www.microsoft.com/en-au/download/details.aspx?id=34605
The PCM is provided by Microsoft to help you convert those migrated ConfigMgr 2007 Packages, into the newer (and better) ConfigMgr 2012 App Model Applications.
While PCM is really cool, this article is not going to show you how to use it, because frankly, it’s way too easy to use!
One of the limitations of PCM, is while it’ll do a great job converting your Packages to Apps, it does not do anything with your package/application source. This can be a major problem if your migrated package source was hosted locally on your old ConfigMgr 2007 server. Of course you should all be using UNC paths for your source, however even if you’re doing the right thing, if you want to decommission the old 2007 server, somehow you’ll need to move that package source.
I’m here to help!
Let’s use our favourite test application – Adobe Reader – and we’ll quickly convert the package, and then move the package source to the new ConfigMgr server.
In my demo, I’m using two package source shares to imitate a common environment
\\SP1RTM\OldSource$ This would be our old 2007 package source share
\\SP1RTM\Source$ This will be our new 2012 package source share
I’ve converted my old package to a shiny new 2012 Application
And if we open the single Deployment Type, we’ll see that the source is still on the old package source share
Now, this will actually work quite nicely. Having an external package source is not only supported, but recommended in larger environments. BUT, in small to medium environments you’ll want to decommission the old 2007 to save on licensing and management.
In 2007 there were two supported ways to move this package source. You either raised a Microsoft PSS case and they supplied you with a VB Script, or you manually went through each package source and changed the share path.
In 2012 SP1, we now have Powershell to do the work!
We’ve now got a myriad of Powershell cmdlets available for ConfigMgr 2012 SP1. (NOTE: Powershell support was added at SP1 so none of the following is applicable to RTM)
Anoop C Nair has a great write up of all the cmdlets available
http://gallery.technet.microsoft.com/CM-2012-SP1-List-of-Cmdlets-a7bce79d
First, we need to import the ConfigMgr Powershell Module (NOTE: the module will only run in the x86 Powershell console)
Import-Module 'C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin\ConfigurationManager.psd1'
Next, connect to the Central/Primary site where you’ll be targeting your commands
Set-Location PRI:
Now that we’re connected, we can take a look at that Adobe Reader Deployment Type (DT)
Get-CMDeploymentType -ApplicationName "Adobe Reader" -DeploymentTypeName "Install Reader"
Whoa, lots of info! But the relevant part for this tutorial is the <Location></Location> tags
Luckily, we don’t have to modify the SDMPackageXML because the product group have given us a cmdlet to modify it without touching it directly.
Set-CMDeploymentType -ApplicationName "Adobe Reader" -DeploymentTypeName "Install Reader" -MsiOrScriptInstaller -ContentLocation "\\SP1RTM\Source$\Applications\Adobe Reader"
If we now open up the DT, we can see the source location has changed to our new share.
Voila! With Powershell integration, doing these manual admin tasks is a whole lot easier, especially if you start using programming logic and piping information from one cmdlet to another.
In my next post, I’ll be posting a script to move *every* package source of applications that you’ve migrated.
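Added example (not the author's script, which is deferred to a later post): one way to apply the Set-CMDeploymentType call above to every deployment type whose source still sits under the old share, with a dry run and an existence check on the new path. The function names and the trimmed sample XML are constructed for illustration; it assumes the SP1 cmdlets used on this page, MSI or script installer deployment types, and that the content has already been copied to the new share.

```powershell
# Added example. Get-NewContentLocation and Move-CMApplicationSource are hypothetical names.
function Get-NewContentLocation {
    param(
        [Parameter(Mandatory = $true)][string]$SdmPackageXml,
        [Parameter(Mandatory = $true)][string]$OldRoot,
        [Parameter(Mandatory = $true)][string]$NewRoot
    )
    $doc = [xml]$SdmPackageXml
    # local-name() lets the query ignore whatever XML namespace the digest declares.
    $node = $doc.SelectSingleNode("//*[local-name()='Location']")
    if ($null -eq $node) { return $null }
    $current = $node.InnerText
    # Literal, case-insensitive prefix test: -replace would read '\' and '$' as regex syntax.
    if (-not $current.StartsWith($OldRoot, [StringComparison]::OrdinalIgnoreCase)) { return $null }
    return $NewRoot + $current.Substring($OldRoot.Length)
}

function Move-CMApplicationSource {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$OldRoot,
        [Parameter(Mandatory = $true)][string]$NewRoot
    )
    foreach ($app in Get-CMApplication) {
        $appName = $app.LocalizedDisplayName
        foreach ($dt in Get-CMDeploymentType -ApplicationName $appName) {
            $new = Get-NewContentLocation -SdmPackageXml $dt.SDMPackageXML -OldRoot $OldRoot -NewRoot $NewRoot
            if (-not $new) { continue }   # no content, or source is not under the old share
            # The FileSystem:: prefix is required because the current drive is the site drive.
            if (-not (Test-Path -LiteralPath "FileSystem::$new")) {
                Write-Warning "Skipping '$appName': $new does not exist"
                continue
            }
            $target = "$appName / $($dt.LocalizedDisplayName)"
            if ($PSCmdlet.ShouldProcess($target, "Set content location to $new")) {
                Set-CMDeploymentType -ApplicationName $appName -DeploymentTypeName $dt.LocalizedDisplayName -MsiOrScriptInstaller -ContentLocation $new
            }
        }
    }
}

# Constructed, heavily trimmed stand-in for a deployment type's SDMPackageXML.
$sampleXml = @'
<AppMgmtDigest><DeploymentType><Installer><Contents><Content>
<Location>\\SP1RTM\OldSource$\Applications\Adobe Reader\</Location>
</Content></Contents></Installer></DeploymentType></AppMgmtDigest>
'@
Get-NewContentLocation -SdmPackageXml $sampleXml -OldRoot '\\SP1RTM\OldSource$' -NewRoot '\\SP1RTM\Source$'

# From the site drive (Set-Location PRI:), preview first, then run without -WhatIf:
# Move-CMApplicationSource -OldRoot '\\SP1RTM\OldSource$' -NewRoot '\\SP1RTM\Source$' -WhatIf
```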
Demo 4: Packages
Automatically create Package from source directory, create Deployment Type, create Collection and Deployment
$ErrorActionPreference = "Stop"
Set-Location C:\

# Drop share for new packages and the corporate package source share
$NewPackageLocation = "\\TECHED13\NewPackages\*"
$CorpSourcelocation = "\\TECHED13\Source$\Packages"

# Move the new package folder into the corporate source share
# (the script assumes a single folder is waiting in the drop share)
$NewPackageLocation = Get-Item $NewPackageLocation
Copy-Item $NewPackageLocation -Destination $CorpSourcelocation -Recurse
Remove-Item $NewPackageLocation -Recurse
$PackageSourcePath = $CorpSourcelocation + '\' + $NewPackageLocation.Name

# The folder name is split on "-" into Manufacturer-Name-Version-Language
$SplitValues = $NewPackageLocation.Name.Split("-")
$PackageManufacturer = $SplitValues[0]
$PackageName = $SplitValues[1]
$PackageVersion = $SplitValues[2]
$PackageLanguage = $SplitValues[3]

Import-Module 'C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin\ConfigurationManager.psd1'
Set-Location PRI:\

# Create the package and program, distribute the content, then create the collection and deployment
New-CMPackage -Path $PackageSourcePath -Name $PackageName -Manufacturer $PackageManufacturer -Version $PackageVersion -Language $PackageLanguage -Description "Created Using PowerShell"
New-CMProgram -PackageName $PackageName -StandardProgramName "Setup $PackageName" -CommandLine "msiexec /i setup.msi /q"
Start-CMContentDistribution -PackageName $PackageName -DistributionPointGroupName "All DPs"
New-CMDeviceCollection -Name "Install - $PackageManufacturer$PackageName$PackageLanguage$PackageVersion" -LimitingCollectionName "All Systems"
Start-CMPackageDeployment -PackageName $PackageName -StandardProgramName "Setup $PackageName" -CollectionName "Install - $PackageManufacturer$PackageName$PackageLanguage$PackageVersion" -DeployPurpose Available
Demo 2: Connecting via PowerShell
Importing the ConfigMgr module
Connect to Primary Site (where PRI is the site code)
Set-Location PRI:\
Display all Configuration Manager cmdlets
Get-Command -Module ConfigurationManager
Display a count of all the Configuration Manager cmdlets
(Get-Command -Module ConfigurationManager).Count
So I’m getting my preparation done for TechEd 2013 on the Gold Coast and needed to fill my ConfigMgr hierarchy with some dummy computer objects. My session being PowerShell for ConfigMgr 2012 SP1, of course I went straight to PowerShell to do the work for me.
I’m not looking for anything too special; 1000 laptops, 1000 desktops and 500 servers for my demo domain contoso.com.
ConfigMgr can be a little picky when it comes to AD System Discovery, such as requiring a matching DNS record and a valid Operating System value. All of the options below are required otherwise you get errors in the ADSysDis.log.
Here’s my script (note: you must have the Active Directory PowerShell module installed on the local machine)
Import-Module ActiveDirectory

$Count = 1
$LaptopCount = 1001
$DesktopCount = 1001
$ServerCount = 501

# Create Laptops
While ($Count -lt $LaptopCount)
{
    New-ADComputer -Name "CON-LAP-$Count" -DNSHostName "CON-LAP-$Count.contoso.com" -OperatingSystem "Windows 7 Enterprise" -OperatingSystemVersion "6.1 (7600)"
    Add-DnsServerResourceRecord -ZoneName contoso.com -Name "CON-LAP-$Count" -IPv4Address "192.168.169.123" -A
    $Count = $Count + 1
}

$Count = 1

# Create Desktops
While ($Count -lt $DesktopCount)
{
    New-ADComputer -Name "CON-DSK-$Count" -DNSHostName "CON-DSK-$Count.contoso.com" -OperatingSystem "Windows 7 Enterprise" -OperatingSystemVersion "6.1 (7600)"
    Add-DnsServerResourceRecord -ZoneName contoso.com -Name "CON-DSK-$Count" -IPv4Address "192.168.169.123" -A
    $Count = $Count + 1
}

$Count = 1

# Create Servers
While ($Count -lt $ServerCount)
{
    New-ADComputer -Name "CON-SVR-$Count" -DNSHostName "CON-SVR-$Count.contoso.com" -OperatingSystem "Windows Server 2012 Enterprise" -OperatingSystemVersion "6.2 (9200)"
    Add-DnsServerResourceRecord -ZoneName contoso.com -Name "CON-SVR-$Count" -IPv4Address "192.168.169.123" -A
    $Count = $Count + 1
}
Active Directory Computer accounts
DNS A Records
I have been doing a number of customer engagements recently around Windows 8 deployments through ConfigMgr 2012 SP1 and one question I often ask our customers during the planning phase is “Will you be integrating MDT 2012 Update 1 into your ConfigMgr 2012 SP1 environment?” The general response I get is “What are the benefits…?” Well the short answer is A LOT!!, but one of the cool new reasons is MDT 2012 Monitoring and the ability to use this to monitor your ConfigMgr 2012 SP1 OSD deployments.
There are a few prerequisites to get the FULL functionality of MDT 2012 monitoring, in particular the option to use DaRT Remote Control to connect to your client machine during the build, even while in PXE. This requires a custom boot image with the DaRT 8 utility embedded. As DaRT is part of the Microsoft Desktop Optimization Pack (MDOP), you will need an MDOP subscription.
However if you do not have MDOP subscription you can still utilise the MDT 2012 Monitoring feature for your ConfigMgr 2012 SP1 deployments.
In this session I will step through both configuring MDT 2012 Update 1 Monitoring for ConfigMgr 2012 SP1 OSD deployments as well as how to create a DaRT 8 embedded boot image to get the full power of MDT 2012 Monitoring.
- Open the MDT management MMC
- Right Click Deployment Share \ New Deployment Share
- Complete the Wizard
- Right Click your Deployment Share and select Properties
- Select the Monitoring Tab
- Enable Monitoring for this Deployment Share
- Navigate to the source directory that you set for your MDT Settings Package
- If you are not sure where it is check your ConfigMgr Package
- Open your CustomSettings.ini file using notepad
- Add the following text to the end of the file: EventService=http://<server>:9800
- Update your Distribution Point to ensure the Settings Package is updated.
NOTE: If you want to confirm your DP has been updated you can follow the steps outlined in one of my previous blogs – ConfigMgr 2012 Content Library Overview
- Open the MDT 2012 Update 1 Management Console
- Expand your MDT Deployment Share
- Select the Monitoring Node
- Select the build you want to monitor and select Properties
Note: You will not see your deployment appear until after the first “GATHER” has run during the Task Sequence.
In the next section I will show you how to take monitoring further by using DaRT 8…
You will need to have integrated MDT 2012 Update 1 with your ConfigMgr 2012 SP1 environment and have a MDT 2012 Deployment Share configured before proceeding.
Note: After Integrating MDT 2012 Update 1 with your ConfigMgr 2012 SP1 environment you will have the option to create a new MDT Boot Image directly out of the ConfigMgr UI Management console. However you will not have the option to select DaRT 8. The following steps will be required to make this option available.
The image above is what options you have out of the box when creating a custom MDT Boot Image in ConfigMgr 2012 SP1.
NOTE that DaRT 8 is not an available option.. YET!!
This is only available for DaRT 8
- Complete the DaRT 8 Installation wizard
- Using File Explorer, navigate to the C:\Program Files\Microsoft DaRT 8\v8 folder.
- Copy the Toolsx86.cab file to C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x86
- Copy the Toolsx64.cab file to C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64
- Open the ConfigMgr 2012 Management Console
- Select Software Library \ Operating Systems \ Boot Images
- Right Click Boot Images and select “New MDT Boot Image”
- Complete the wizard
- You will now notice we have a DaRT 8 option..
- As we have deployed with a DaRT 8 embedded Boot Image we now have the option to connect to your client machine using DaRT Remote Control
You can now view your deployment status for any machine from start to finish even while it is in WinPE..
I hope you have found this information useful and will consider the benefits of integrating MDT 2012 Update 1 into your ConfigMgr 2012 SP1 environment, even if it is just for the monitoring components.
Until next time…
Update: here is the video of my session (link below for full resolution video)
http://channel9.msdn.com/Events/TechEd/Australia/2013/WCL416
Hello ConfigMgrDogs community.
I’ve just completed my TechEd 2013 presentation – PowerShell for ConfigMgr 2012 SP1. For those who weren’t attending the event, I’ve provided all scripts and cmdlets from the session.
In the coming weeks there will also be the video posted.
Demo 1 – PowerShell Basics
http://aka.ms/Bf7b7c
Demo 2 – Connecting to ConfigMgr
http://aka.ms/Pb6sbx
Demo 3 – Collections
http://aka.ms/Xq09ps
Demo 4 – Apps and Packages
http://aka.ms/Khmrnv
Demo 5 – Application Approval
http://aka.ms/Sr6m82
Demo 6 – Five Demos in Five Minutes
http://aka.ms/Esmluw
The application could not be installed. The most common reason is that software does not support the version of Windows currently installed on your computer. You can try starting the application installation from the Application Catalog again. If the problem continues, contact your network administrator
In the ConfigMgrSoftwareCatalog.log Silverlight log file (found at "C:\Users\mattsha\AppData\LocalLow\Microsoft\Silverlight\is\j2mecbot.hwg\v2uabsdl.022\1\s\s5i52ebhc445n0s2jyvmx5askg5zbspajpmi3e4bvujwll1luiaaaeda\f\ConfigMgrLogs\ConfigMgrSoftwareCatalog.log"), the following three lines were found.
[1][06/23/2014 17:46:43] :ApplicationDetailViewModel.RequestPolicyAssingmentForInstallCallback-Error:The policy information is empty or an error ocurred!
[1][06/23/2014 17:46:43] :ApplicationDetailViewModel.UpdatePageView:PageViewMode changed to:FastInstallError
[1][06/23/2014 17:46:43] :FastInstallPageView:Create Page View FastInstallError
Also in the ServicePortalWebSite.log (found "F:\Program Files\SMS_CCM\CMApplicationCatalog\Logs\ServicePortalWebSite.log") the following two errors
[28, PID:6060][06/23/2014 17:59:54] :The web method threw a fault exception - System.ServiceModel.FaultException`1[Microsoft.ConfigurationManager.SoftwareCatalog.Service.Faults5000.ServiceError]: Invalid parameter
[28, PID:6060][06/23/2014 17:59:54] :System.ServiceModel.FaultException`1[[Microsoft.ConfigurationManager.SoftwareCatalog.Service.Faults5000.ServiceError, Microsoft.ConfigurationManager.SoftwareCatalog.Website.PortalClasses, Version=5.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]: Invalid parameter
I spent ages trying to troubleshoot this issue without success, and gave up for a short time while I did other things.
A week later I was testing the Collection Evaluator Viewer program that comes with the R2 toolset and found that it was unable to connect directly to the database with a very similar error
A connection was successfully established with the server, then then an error occurred during the login process. (provider: SSL Provider, error:0 – The certificate chain was issued by an authority that is not trusted)
So now I can kind of tell that the issue is actually with the SQL db side, not necessarily ConfigMgr or the App Catalog site server roles.
Next, I checked to make sure SQL is not forcing an encrypted connection using SQL Service Manager.
All good there, however under the certificate tab I noticed we’ve got a self-signed certificate
And lo and behold, the certificate is having problems
I opened the IIS console to view the self-signed certificate
Exported the certificate
Imported it into the Trusted Root Authorities
After the import, I attempted again to connect using the Collection Evaluation Viewer, this time it was successful as SQL now trusts the certificate
Back to the Application Catalog, and everything is now working nicely!
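Added example (not from the original post): a check to run on the exported SQL certificate before it goes into the Trusted Root store, reporting its thumbprint, whether it is self-signed, whether it matches the server name, and why the chain fails to build. The helper name and host name are hypothetical, and the demo input is a throwaway certificate created with New-SelfSignedCertificate, assuming the PowerShell that ships with Windows 10 / Server 2016 or later.

```powershell
# Added example. Get-CertificateTrustReport is a hypothetical helper name.
function Get-CertificateTrustReport {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory = $true)]
        [string]$ExpectedHost
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # A self-signed certificate publishes no CRL or OCSP endpoint, so skip revocation checks.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainTrusted = $chain.Build($Certificate)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    # DNS name from the subject alternative name, falling back to the subject CN.
    $dnsName = $Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

    [pscustomobject]@{
        Subject      = $Certificate.Subject
        Thumbprint   = $Certificate.Thumbprint
        SelfSigned   = ($Certificate.Subject -eq $Certificate.Issuer)
        HostMatches  = ($dnsName -eq $ExpectedHost)
        Expired      = ($Certificate.NotAfter -lt (Get-Date))
        ChainTrusted = $chainTrusted
        ChainStatus  = $status
    }
}

# Constructed demo input: a throwaway self-signed certificate for a made-up host name.
$demo = New-SelfSignedCertificate -DnsName 'sql01.contoso.example' -CertStoreLocation 'Cert:\CurrentUser\My'
try {
    Get-CertificateTrustReport -Certificate $demo -ExpectedHost 'sql01.contoso.example' | Format-List
}
finally {
    # Remove the demo certificate again so nothing is left in the store.
    Remove-Item -Path "Cert:\CurrentUser\My\$($demo.Thumbprint)"
}

# For the certificate exported in the post, load the file instead (hypothetical path):
# $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\Temp\sql-selfsigned.cer'
# Get-CertificateTrustReport -Certificate $cert -ExpectedHost '<sql server fqdn>'
```

Compare the reported Thumbprint with the one shown on the SQL server's certificate tab before importing the file; once the certificate is in Trusted Root Certification Authorities on a machine, ChainTrusted reports True there.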
Demo 5: App Approvals
Script for System Tray notification, pop-up form and Approve/Deny an Application Approval Request
Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing
Import-Module 'C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin\ConfigurationManager.psd1'
Set-Location PRI:\

# Only requests in state 1 (requested, not yet approved or denied)
$ApprovalRequests = Get-CMApprovalRequest | Where{$_.CurrentState -eq 1}

ForEach ($Approval in $ApprovalRequests)
{
    function Popup-Form
    {
        param ($form)
        $form.ShowDialog()
    }

    # Strip the domain prefix. TrimStart("CONTOSO\") would remove any leading
    # C, O, N, T, S or \ characters and could eat the start of the user name.
    $RequestUser = $Approval.User -replace '^CONTOSO\\', ''
    $RequestApp = $Approval.Application

    # System tray icon and balloon tip
    $container = New-Object System.ComponentModel.Container
    $notifyIcon = New-Object System.Windows.Forms.NotifyIcon($container)
    $notifyIcon.Icon = New-Object System.Drawing.Icon("C:\Scripts\Demo 5\tick.ico")
    $notifyIcon.Text = "New App Approval Request Available"
    $notifyIcon.Visible = $true
    $notifyIcon.BalloonTipText = "New App Approval Request Available"

    # Pop-up form, positioned in the bottom-right corner of the working area
    $formImage = [System.Drawing.Image]::FromFile("C:\Scripts\Demo 5\background.jpg")
    $form = New-Object System.Windows.Forms.Form
    $form.Add_Shown({$form.Activate()})
    $form.Size = New-Object System.Drawing.Size(325,200)
    $form.StartPosition = "Manual"
    $form.Text = "New App Approval Request"
    $form.BackgroundImage = $formImage
    $screenBounds = [system.Windows.Forms.Screen]::Getworkingarea(0)
    $form.Location = New-Object System.Drawing.Point( (($screenBounds.right) - ($form.Width)),(($screenBounds.Bottom) - ($form.height)) )
    $form.FormBorderStyle = "fixedDialog"

    $label = New-Object System.Windows.Forms.Label
    $label.Text = "$RequestUser has requested the $RequestApp application"
    $label.Location = New-Object System.Drawing.Point(10,20)
    $label.MaximumSize = New-Object System.Drawing.Size(300,100)
    $label.Font = New-Object System.Drawing.Font("Segoe UI",11,[system.drawing.fontstyle]::regular)
    $label.Autosize = $true
    $label.BackColor = "Transparent"
    $form.Controls.Add($label)

    $buttonApprove = New-Object System.Windows.Forms.Button
    $buttonApprove.Text = "Approve"
    $buttonApprove.Size = New-Object System.Drawing.Size(120,50)
    $buttonApprove.Location = New-Object System.Drawing.Point(35,110)
    $buttonApprove.Add_Click(
    {
        # Approve Request
        Set-Location PRI:\
        Approve-CMApprovalRequest -Id $Approval.CI_UniqueID -Comment "Approved via PowerShell Form"
        $form.close()
        $notifyIcon.Visible = $false
        New-Event ClickComplete
    })
    $form.Controls.Add($buttonApprove)

    $buttonDeny = New-Object System.Windows.Forms.Button
    $buttonDeny.Text = "Deny"
    $buttonDeny.Size = New-Object System.Drawing.Size(120,50)
    $buttonDeny.Location = New-Object System.Drawing.Point(165,110)
    $buttonDeny.Add_Click(
    {
        # Deny Request
        Set-Location PRI:\
        Deny-CMApprovalRequest -Id $Approval.CI_UniqueID -Comment "Denied via PowerShell Form"
        $form.close()
        $notifyIcon.Visible = $false
        New-Event ClickComplete
    })
    $form.Controls.Add($buttonDeny)

    # Show the balloon tip, open the form on click, and wait for Approve or Deny
    $notifyIcon.ShowBalloonTip(3)
    Register-ObjectEvent -InputObject $notifyIcon -EventName BalloontipClicked -Action {Popup-Form -form $form} | Out-Null
    Register-ObjectEvent -InputObject $notifyIcon -EventName MouseClick -Action {Popup-Form -form $form} | Out-Null
    Wait-Event -SourceIdentifier ClickComplete | Out-Null
    Remove-Event -SourceIdentifier ClickComplete | Out-Null
}
VBScript to launch the PowerShell script silently
command = "%SystemRoot%\syswow64\WindowsPowerShell\v1.0\powershell.exe -NoLogo -WindowStyle Hidden -File C:\Scripts\Sched\Demo5_Complete.ps1"
set shell = CreateObject("WScript.Shell")
shell.Run command,2
Files required to run the script
background.jpg (rename to background.jpg)
tick.ico (rename to tick.ico)