ConfigMgrDogs

  • Windows 8 and Windows 8.1 New Group Policy Settings

    Windows 8 RTM

    For full details, download the following file

     Policy Setting Name 
     
     Allow all trusted apps to install 
     Allow deployment operations in special profiles 
     Block launching desktop apps associated with a file. 
     Block launching desktop apps associated with a protocol 
     Block launching desktop apps associated with a file. 
     Block launching desktop apps associated with a protocol 
     Do not display the lock screen 
     Prevent changing lock screen image 
     Prevent changing start menu background 
     Turn on PIN sign-in 
     Turn off picture password sign-in 
     Do not display the password reveal button 
     Do not display the password reveal button 
     Device compatibility settings 
     Driver compatibility settings 
     Specify the search server for device driver updates 
     Turn off smart multi-homed name resolution 
     Turn off smart protocol reordering 
     Allow NetBT queries for fully qualified domain names 
     Prefer link local responses over DNS when received over a network with higher precedence 
     Turn off IDN encoding 
     IDN mapping 
     Use solid color for Start background 
     Turn on misconversion logging for misconversion report 
     Turn off saving auto-tuning data to file 
     Turn off history-based predictive input 
     Turn off Open Extended Dictionary 
     Turn off Internet search integration 
     Turn off custom dictionary 
     Restrict character code range of conversion 
     Do not include Non-Publishing Standard Glyph in the candidate list 
     Boot-Start Driver Initialization Policy 
     Turn off switching between recent apps 
     Turn off tracking of app usage 
     Do not allow Windows to activate Enhanced Storage devices 
     Do not throttle additional data 
     Send additional data when on battery power 
     Send data when on connected to a restricted/costed network 
     Do not throttle additional data 
     Send additional data when on battery power 
     Send data when on connected to a restricted/costed network 
     Windows To Go Default Startup Options 
     Allow hibernate (S4) when starting from a Windows To Go workspace 
     Disallow standby sleep states (S1-S3) when starting from a Windows to Go workspace 
     Turn off File History 
     Configure maximum age of file server shadow copies 
     Allow or Disallow use of encryption to protect the RPC protocol messages between File Share Shadow Copy Provider running on application server and File Share Shadow Copy Agent running on the file servers. 
     Enable / disable TXF deprecated features 
     Enable optimized move of contents in Offline Files cache on Folder Redirection server path change 
     Redirect folders on primary computers only 
     Redirect folders on primary computers only 
     Turn off offer text predictions as I type 
     Turn off insert a space after selecting a text prediction 
     Turn off autocorrect misspelled words 
     Turn off highlight misspelled words 
     Disallow copying of user input methods to the system account for sign-in 
     Block clean-up of unused language packs 
     Enable AD/DFS domain controller synchronization during policy refresh 
     Turn off Group Policy Client Service AOAC optimization 
     Configure Direct Access connections as a fast network connection 
     Change Group Policy processing to run asynchronously when a slow network connection is detected. 
     Configure Group Policy slow link detection 
     Specify workplace connectivity wait time for policy processing 
     Enable Hotspot Authentication 
     Turn off access to the Store 
     Turn off access to the Store 
     Turn off flip ahead feature 
     Turn on Enhanced Protected Mode 
     Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled 
     Always send Do Not Track header 
     Turn off encryption support 
     Show Content Advisor on Internet Options 
     Go to an intranet site for a one-word entry in the Address bar 
     Install binaries signed by MD2 and MD4 signing technologies 
     Prevent managing SmartScreen Filter 
     Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet 
     Turn off browser geolocation 
     Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects 
     Automatically activate newly installed add-ons 
     Turn off add-on performance notifications 
     Turn on ActiveX Filtering 
     Prevent deleting download history 
     Prevent deleting ActiveX Filtering and Tracking Protection data 
     Allow Internet Explorer 8 shutdown behavior 
     Specify default behavior for a new tab 
     Notify users if Internet Explorer is not the default web browser 
     Turn off URL Suggestions 
     Render legacy filters 
     Enable dragging of content from different domains within a window 
     Enable dragging of content from different domains across windows 
     Render legacy filters 
     Enable dragging of content from different domains within a window 
     Enable dragging of content from different domains across windows 
     Render legacy filters 
     Enable dragging of content from different domains within a window 
     Enable dragging of content from different domains across windows 
     Render legacy filters 
     Enable dragging of content from different domains within a window 
     Enable dragging of content from different domains across windows 
     Render legacy filters 
     Enable dragging of content from different domains within a window 
     Enable dragging of content from different domains across windows 
     Render legacy filters 
     Enable dragging of content from different domains within a window 
     Enable dragging of content from different domains across windows 
     Render legacy filters 
     Enable dragging of content from different domains within a window 
     Enable dragging of content from different domains across windows 
     Render legacy filters 
     Enable dragging of content from different domains within a window 
     Enable dragging of content from different domains across windows 
     Render legacy filters 
     Enable dragging of content from different domains within a window 
     Enable dragging of content from different domains across windows 
     Render legacy filters 
     Enable dragging of content from different domains within a window 
     Enable dragging of content from different domains across windows 
     Allow Internet Explorer to play media files that use alternative codecs 
     Prevent configuration of top-result search on Address bar 
     Do not display the reveal password button 
     Turn off the WebSocket Object 
     Set the maximum number of WebSocket connections per server 
     Display tabs on a separate row 
     Establish InPrivate Filtering threshold 
     Establish Tracking Protection threshold 
     Turn off Tracking Protection 
     Use Policy List of Quirks Mode sites 
     Turn off ability to pin sites in Internet Explorer on the desktop 
     Set default storage limits for websites 
     Allow websites to store indexed databases on client computers 
     Set indexed database storage limits for individual domains 
     Set maximum indexed database storage limit for all domains 
     Allow websites to store application caches on client computers 
     Set application cache storage limits for individual domains 
     Set maximum application caches storage limit for all domains 
     Set application caches expiration time limit for individual domains 
     Set maximum application cache resource list size 
     Set maximum application cache individual resource size 
     Start Internet Explorer with tabs from last browsing session 
     Open Internet Explorer tiles on the desktop 
     Set how links are opened in Internet Explorer 
     Turn off flip ahead feature 
     Turn on Enhanced Protected Mode 
     Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled 
     Always send Do Not Track header 
     Show Content Advisor on Internet Options 
     Go to an intranet site for a one-word entry in the Address bar 
     Install binaries signed by MD2 and MD4 signing technologies 
     Prevent managing SmartScreen Filter 
     Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet 
     Disable Import/Export Settings wizard 
     Turn off browser geolocation 
     Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects 
     Automatically activate newly installed add-ons 
     Turn off add-on performance notifications 
     Turn on ActiveX Filtering 
     Prevent deleting download history 
     Prevent deleting ActiveX Filtering and Tracking Protection data 
     Allow Internet Explorer 8 shutdown behavior 
     Specify default behavior for a new tab 
     Disable changing secondary home page settings 
     Turn off URL Suggestions 
     Render legacy filters 
     Enable dragging of content from different domains within a window 
     Enable dragging of content from different domains across windows 
     Render legacy filters 
     Enable dragging of content from different domains within a window 
     Enable dragging of content from different domains across windows 
     Render legacy filters 
     Enable dragging of content from different domains within a window 
     Enable dragging of content from different domains across windows 
     Render legacy filters 
     Enable dragging of content from different domains within a window 
     Enable dragging of content from different domains across windows 
     Render legacy filters 
     Enable dragging of content from different domains within a window 
     Enable dragging of content from different domains across windows 
     Render legacy filters 
     Enable dragging of content from different domains within a window 
     Enable dragging of content from different domains across windows 
     Render legacy filters 
     Enable dragging of content from different domains within a window 
     Enable dragging of content from different domains across windows 
     Render legacy filters 
     Enable dragging of content from different domains within a window 
     Enable dragging of content from different domains across windows 
     Render legacy filters 
     Enable dragging of content from different domains within a window 
     Enable dragging of content from different domains across windows 
     Render legacy filters 
     Enable dragging of content from different domains within a window 
     Enable dragging of content from different domains across windows 
     Turn off Print Menu 
     Allow Internet Explorer to play media files that use alternative codecs 
     Prevent configuration of search on Address bar 
     Prevent configuration of top-result search on Address bar 
     Do not display the reveal password button 
     Turn off the WebSocket Object 
     Set the maximum number of WebSocket connections per server 
     Display tabs on a separate row 
     Turn on Suggested Sites 
     Establish InPrivate Filtering threshold 
     Establish Tracking Protection threshold 
     Turn off Tracking Protection 
     Use Policy List of Quirks Mode sites 
     Turn off ability to pin sites in Internet Explorer on the desktop 
     Set default storage limits for websites 
     Allow websites to store indexed databases on client computers 
     Set indexed database storage limits for individual domains 
     Set maximum indexed database storage limit for all domains 
     Allow websites to store application caches on client computers 
     Set application cache storage limits for individual domains 
     Set maximum application caches storage limit for all domains 
     Set application caches expiration time limit for individual domains 
     Set maximum application cache resource list size 
     Set maximum application cache individual resource size 
     Start Internet Explorer with tabs from last browsing session 
     Open Internet Explorer tiles on the desktop 
     Set how links are opened in Internet Explorer 
     Install new versions of Internet Explorer automatically 
     KDC support for claims, compound authentication and Kerberos armoring 
     Warning for large Kerberos tickets 
     Specify KDC proxy servers for Kerberos clients 
     Disable revocation checking for the SSL certificate of KDC proxy servers 
     Fail authentication requests when Kerberos armoring is not available 
     Support compound authentication 
     Set maximum Kerberos SSPI context token buffer size 
     Kerberos client support for claims, compound authentication and Kerberos armoring 
     Hash Version support for BranchCache 
     Turn off Windows Location Provider 
     Show first sign-in animation 
     Do not enumerate connected users on domain-joined computers 
     Enumerate local users on domain-joined computers 
     Turn off app notifications on the lock screen 
     Automatic Maintenance Activation Boundary 
     Automatic Maintenance Random Delay 
     Automatic Maintenance WakeUp Policy 
     Turn off shared components 
     Prevent embedded UI 
     Support Email Address 
     Friendly Name 
     User Interface 
     Prefer Local Names Allowed 
     DirectAccess Passive Mode 
     Corporate Resources 
     IPsec Tunnel Endpoints 
     Custom Commands 
     Specify passive polling 
     Do not use NetBIOS-based discovery for domain controller location when DNS-based discovery fails 
     Specify address lookup behavior for DC locator ping 
     Use urgent mode when pinging domain controllers 
     Internet proxy servers for apps 
     Intranet proxy servers for  apps 
     Private network ranges for  apps 
     Proxy definitions are authoritative 
     Subnet definitions are authoritative 
     Remove "Work offline" command 
     Remove "Work offline" command 
     Enable file synchronization on costed networks 
     Detect compatibility issues for applications and drivers 
     Enable Automatic Hosted Cache Discovery by Service Connection Point 
     Configure Client BranchCache Version Support 
     Configure Hosted Cache Servers 
     Set age for segments in the data cache 
     Turn on Module Logging 
     Set the default source path for Update-Help 
     Turn on Module Logging 
     Set the default source path for Update-Help 
     Isolate print drivers from applications 
     Always rasterize content to be printed using a software rasterizer 
     Do not allow v4 printer drivers to show printer extensions 
     Change Microsoft XPS Document Writer (MXDW) default output format to the legacy Microsoft XPS format (*.xps) 
     Turn off storage and display of search history 
     Always use automatic language detection when indexing content and properties 
     Do not sync 
     Do not sync app settings 
     Do not sync passwords 
     Do not sync personalize 
     Do not sync other Windows settings 
     Do not sync desktop personalization 
     Do not sync browser settings 
     Do not sync on metered connections 
     File Classification Infrastructure: Display Classification tab in File Explorer 
     File Classification Infrastructure: Specify classification properties list 
     Enable access-denied assistance on client for all file types 
     Clear history of tile notifications on exit 
     Prevent users from uninstalling applications from Start 
     Show "Run as different user" command on Start 
     Do not allow taskbars on more than one display 
     Set IP Stateless Autoconfiguration Limits State 
     Specify default connection URL 
     Limit maximum display resolution 
     Suspend user sign-in to complete app registration 
     Configure image quality for RemoteFX Adaptive Graphics 
     Configure RemoteFX Adaptive Graphics 
     Allow RDP redirection of other supported RemoteFX USB devices from this computer 
     Configure RemoteFX 
     Optimize visual experience when using RemoteFX 
     Enable RemoteFX encoding for RemoteFX clients designed for Windows Server 2008 R2 SP1 
     Select network detection on the server 
     Select RDP transport protocols 
     Turn Off UDP On Client 
     Turn off Fair Share CPU Scheduling 
     Use the hardware default graphics adapter for all Remote Desktop Services sessions 
     Configure image quality for RemoteFX Adaptive Graphics 
     Configure RemoteFX Adaptive Graphics 
     Enable Remote Desktop Protocol 8.0 
     Select network detection on the server 
     Select RDP transport protocols 
     Turn Off UDP On Client 
     Turn on TPM backup to Active Directory Domain Services 
     Configure the level of TPM owner authorization information available to the operating system 
     Standard User Lockout Duration 
     Standard User Individual Lockout Threshold 
     Standard User Total Lockout Threshold 
     User management of sharing user name, account picture, and domain information with apps (not desktop apps) 
     Download roaming profiles on primary computers only 
     Set user home folder 
     Choose drive encryption method and cipher strength 
     Configure use of passwords for operating system drives 
     Reset platform validation data after BitLocker recovery 
     Disallow standard users from changing the PIN or password 
     Use enhanced Boot Configuration Data validation profile 
     Enforce drive encryption type on operating system drives 
     Allow network unlock at startup 
     Enable use of BitLocker authentication requiring preboot keyboard input on slates 
     Allow Secure Boot for integrity validation 
     Enforce drive encryption type on fixed data drives 
     Enforce drive encryption type on removable data drives 
     Prohibit connection to non-domain networks when connected to domain authenticated network 
     Minimize the number of simultaneous connections to the Internet or a Windows Domain 
     Prohibit connection to roaming Mobile Broadband networks 
     Disable power management in connected standby mode 
     Location where all default Library definition files for users/machines reside. 
     Start File Explorer with ribbon minimized 
     Location where all default Library definition files for users/machines reside. 
     Configure Windows SmartScreen 
     Show lock in the user tile menu 
     Show sleep in the power options menu 
     Show hibernate in the power options menu 
     Do not show the 'new application installed' notification 
     Start File Explorer with ribbon minimized 
     Set a default associations configuration file 
     Allow the use of remote paths in file shortcut icons 
     Disallow WinRM from storing RunAs credentials 
     Require use of fast startup 
     Turn off the Store application 
     Turn off the Store application 
     Allow Store to install apps on Windows To Go workspaces 
     Turn off Automatic Download of updates 
     Set Cost 
     Turn off tile notifications 
     Turn off toast notifications 
     Turn off toast notifications on the lock screen 
     Turn off notifications network usage 
     Set 3G Cost 
     Set 4G Cost 

    Windows 8.1

    For full details, download the following file

     Policy Setting Name 
     
     Allow development of Windows Store apps without installing a developer license 
     Prevent enabling lock screen slide show 
     Prevent enabling lock screen camera 
     Force a specific background and accent color 
     Force a specific Start background 
     Force a specific default lock screen image 
     Allow users to select when a password is required when resuming from connected standby 
     Restrict delegation of credentials to remote servers 
     Prevent adding
     App switching 
     Charms 
     WinX 
     Automatically send memory dumps for OS-generated error reports 
     Automatically send memory dumps for OS-generated error reports 
     Configure Group Policy Caching 
     Configure Logon Script Delay 
     Turn off loading websites and content in the background to optimize performance 
     Turn on the swiping motion on Internet Explorer for the desktop 
     Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows 
     Allow Internet Explorer to use the SPDY/3 network protocol 
     Turn off phone number detection 
     Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar 
     Don't run antimalware programs against ActiveX controls 
     Don't run antimalware programs against ActiveX controls 
     Don't run antimalware programs against ActiveX controls 
     Don't run antimalware programs against ActiveX controls 
     Don't run antimalware programs against ActiveX controls 
     Don't run antimalware programs against ActiveX controls 
     Don't run antimalware programs against ActiveX controls 
     Don't run antimalware programs against ActiveX controls 
     Don't run antimalware programs against ActiveX controls 
     Don't run antimalware programs against ActiveX controls 
     Turn off loading websites and content in the background to optimize performance 
     Turn on the swiping motion on Internet Explorer for the desktop 
     Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows 
     Allow Internet Explorer to use the SPDY/3 network protocol 
     Turn off phone number detection 
     Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar 
     Don't run antimalware programs against ActiveX controls 
     Don't run antimalware programs against ActiveX controls 
     Don't run antimalware programs against ActiveX controls 
     Don't run antimalware programs against ActiveX controls 
     Don't run antimalware programs against ActiveX controls 
     Don't run antimalware programs against ActiveX controls 
     Don't run antimalware programs against ActiveX controls 
     Don't run antimalware programs against ActiveX controls 
     Don't run antimalware programs against ActiveX controls 
     Don't run antimalware programs against ActiveX controls 
     Prevent deleting ActiveX Filtering
     Prevent deleting ActiveX Filtering
     Allow cut
     Allow cut
     Allow cut
     Allow cut
     Allow cut
     Allow cut
     Allow cut
     Allow cut
     Allow cut
     Allow cut
     Allow cut
     Allow cut
     Allow cut
     Allow cut
     Allow cut
     Allow cut
     Allow cut
     Allow cut
     Allow cut
     Allow cut
     KDC support for claims
     Kerberos client support for claims
     Automatic Maintenance Random Delay 
     Use DNS name resolution when a single-label domain name is used
     At logoff
     Run Windows PowerShell scripts first at computer startup
     Run Windows PowerShell scripts first at user logon
     Run Windows PowerShell scripts first at user logon
     Disable indexing of removable drives 
     Don't search the web or display web results in Search 
     Don't search the web or display web results in Search over metered connections 
     Set what information is shared in Search 
     Set the SafeSearch setting for Search 
     Do not sync Apps 
     Do not sync start settings 
     
     
     
     Pin Apps to Start when installed 
     Start Screen Layout 
     Default 
     Default app 
     Default search 
     Sort 
     Multimon 
     Pin Apps to Start when installed 
     Start Screen Layout 
     Remove and prevent access to the Shut Down
     For tablet pen input
     For tablet pen input
     For touch input
     For touch input
     Include rarely used Chinese
     Include rarely used Chinese
     Set remote control session UAC desktop 
     Use advanced RemoteFX graphics for RemoteApp 
     Set remote control session UAC desktop 
     Set remote control permission request timeout 
     Enable Remote Desktop Protocol 8.0 
     User management of sharing user name
     Choose drive encryption method and cipher strength (Windows Vista
     Configure TPM platform validation profile (Windows Vista
     Allow antimalware service to startup with normal priority 
     Turn on virus definitions 
     Configure local administrator merge behavior for lists 
     Define addresses to bypass proxy server 
     Define proxy server for connecting to the network 
     Randomize scheduled task times 
     Allow antimalware service to remain running always 
     Extension Exclusions 
     Path Exclusions 
     Process Exclusions 
     Turn on protocol recognition 
     Turn on definition retirement 
     Define the rate of detection events for logging 
     IP address range Exclusions 
     Port number  Exclusions 
     Process Exclusions for outbound traffic 
     Threat ID Exclusions 
     Specify additional definition sets for network traffic inspection 
     Configure local setting override for the removal of items from Quarantine folder 
     Configure removal of items from Quarantine folder 
     Turn on behavior monitoring 
     Turn on Information Protection Control 
     Turn on network protection against exploits of known vulnerabilities 
     Scan all downloaded files and attachments 
     Monitor file and program activity on your computer 
     Turn on raw volume write notifications 
     Turn on process scanning whenever real-time protection is enabled 
     Define the maximum size of downloaded files and attachments to be scanned 
     Configure local setting override for turn on behavior monitoring 
     Configure local setting override for monitoring file and program activity on your computer 
     Configure local setting override to turn off Intrusion Prevention System 
     Configure local setting override for scanning all downloaded files and attachments 
     Configure local setting override to turn on real-time protection 
     Configure local setting override for monitoring for incoming and outgoing file activity 
     Configure monitoring for incoming and outgoing file and program activity 
     Configure local setting override for the time of day to run a scheduled full scan to complete remediation 
     Specify the day of the week to run a scheduled full scan to complete remediation 
     Specify the time of day to run a scheduled full scan to complete remediation 
     Configure time out for detections requiring additional action 
     Configure time out for detections in critically failed state 
     Configure Watson events 
     Configure time out for detections in non-critical failed state 
     Configure time out for detections in recently remediated state 
     Configure Windows software trace preprocessor components 
     Configure WPP tracing level 
     Allow users to pause scan 
     Specify the maximum depth to scan archive files 
     Specify the maximum size of archive files to be scanned 
     Specify the maximum percentage of CPU utilization during a scan 
     Scan archive files 
     Turn on catch-up full scan 
     Turn on catch-up quick scan 
     Turn on e-mail scanning 
     Turn on heuristics 
     Scan packed executables 
     Scan removable drives 
     Turn on reparse point scanning 
     Create a system restore point 
     Run full scan on mapped network drives 
     Scan network files 
     Configure local setting override for maximum percentage of CPU utilization 
     Configure local setting override for the scan type to use for a scheduled scan 
     Configure local setting override for schedule scan day 
     Configure local setting override for scheduled quick scan time 
     Configure local setting override for scheduled scan time 
     Turn on removal of items from scan history folder 
     Specify the interval to run quick scans per day 
     Start the scheduled scan only when computer is on but not in use 
     Specify the scan type to use for a scheduled scan 
     Specify the day of the week to run a scheduled scan 
     Specify the time for a daily quick scan 
     Specify the time of day to run a scheduled scan 
     Define the number of days before spyware definitions are considered out of date 
     Define the number of days before virus definitions are considered out of date 
     Define file shares for downloading definition updates 
     Turn on scan after signature update 
     Allow definition updates when running on battery power 
     Initiate definition update on startup 
     Define the order of sources for downloading definition updates 
     Allow definition updates from Microsoft Update 
     Allow real-time definition updates based on reports to Microsoft MAPS 
     Specify the day of the week to check for definition updates 
     Specify the time to check for definition updates 
     Allow notifications to disable definitions based reports to Microsoft MAPS 
     Define the number of days after which a catch-up definition update is required 
     Specify the interval to check for definition updates 
     Check for the latest virus and spyware definitions on startup 
     Configure local setting override for reporting to Microsoft MAPS 
     Specify threats upon which default action should not be taken when detected 
     Specify threat alert levels at which default action should not be taken when detected 
     Display notifications to clients when they need to perform actions 
     Display additional text to clients when they need to perform an action 
     Always automatically restart at the scheduled time 
     Specify Work Folders settings 
     Turn off tile notifications 
     Turn off toast notifications 
     Turn off toast notifications on the lock screen 
     Turn off notifications network usage 
     Turn off Quiet Hours 
     Set the time Quiet Hours begins each day 
     Set the time Quiet Hours ends each day 
     Turn off calls during Quiet Hours 
     Set 3G Cost 
     Set 4G Cost 
  • ConfigMgr 2012 Version Numbers

    Hi all,

    as requested I’ve just listed all the ConfigMgr 2012 released versions in a table below. We will do our best to keep this up to date as new updates are released. Note that the Client and Console versions will be exactly the same as the Release/Update version.

    To see how to view the version see Matt’s earlier blog here. If you want to confirm a CU update see Neil’s blog here.

    Release/Update            Version           Build
    ConfigMgr 2012 RTM        5.00.7711.0000    7711
    ConfigMgr 2012 SP1        5.00.7804.1000    7804
    ConfigMgr 2012 SP1 CU1    5.00.7804.1202    7804
    ConfigMgr 2012 SP1 CU2    5.00.7804.1300    7804
    ConfigMgr 2012 SP1 CU3    5.00.7804.1400    7804
    ConfigMgr 2012 SP1 CU4    5.00.7804.1500    7804
    ConfigMgr 2012 SP1 CU5    5.00.7804.1600    7804
    ConfigMgr 2012 R2         5.00.7958.1000    7958
    ConfigMgr 2012 R2 CU1     5.00.7958.1203    7958
    ConfigMgr 2012 R2 CU2     5.00.7958.1303    7958
  • Version and Build numbers for ConfigMgr 2012 RTM and SP1

    If you need to distinguish whether or not a site has been upgraded to ConfigMgr 2012 SP1, here is the process and version numbers.

     

    1. Open the ConfigMgr console

    2. Browse to Administration > Site Configuration > Sites

    3. Right-click on the site you need information for, and select Properties

    4. You’ll find the site version and build number here

    ConfigMgr 2012 RTM

    Version:  5.00.7711.0000
    Build number: 7711

    ConfigMgr 2012 SP1

    Version:  5.00.7804.1000
    Build number:  7804

    Matt Shadbolt

  • Software Update Compliance Reports – Detection State Unknown

    I have been working with a number of customers recently that have had issues running their monthly Software Update compliance reports due to a high number of “DETECTION STATE UNKNOWN” results reporting back long after the update deployment has successfully run.

    As usual the first thing we want to identify is whether it is on the client side or server side.

    State Message IDs define the specific state messages for each topic type. For our issue, a Software Updates state message has TopicType=500 and a State Message ID of 0, 1, 2 or 3, which gives the actual state of the given update on a client machine, as below:

    Topic Type   State Message ID   State Message Description
    500          0                  Detection state unknown
    500          1                  Update is not required
    500          2                  Update is required
    500          3                  Update is installed

    To determine what information your clients are sending back to your Management Point we can use WMI queries to see what is happening on the client.

    1. Open wbemtest with elevated permissions

    image

    2. Connect to the WMI Namespace: root\CCM\StateMsg

    image

    3. Select Query and run the query  SELECT * FROM CCM_StateMsg

    image

    image

    Find any software update deployment by looking for “TopicType=500”. The values to check are the ones highlighted in yellow below: they show whether the client has sent a message back to the MP and, if so, what it sent. If it sent back a “0” and we confirm that the KBs are installed, then we know the problem is on the client side; otherwise we would expect to see 1, 2 or 3, depending on the state listed above.

    image

    image

    image

    image

    Example below:

    instance of CCM_StateMsg
    {
        Criticality = 0;
        MessageSent = TRUE;                                  // Message is sent
        MessageTime = "20101027211908.749000+000";           // UTC Time
        ParamCount = 1;
        StateDetails = "";
        StateDetailsType = 0;
        StateID = 2;                                         // Update is required
        TopicID = "9d4681d5-46fa-4250-bedc-480ac7bce3aa";
        TopicIDType = 3;
        TopicType = 500;                                     // Update Detection
        UserFlags = 0;
        UserParameters = {"102"};
    };
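    The same check can be scripted instead of clicked through in wbemtest. The PowerShell below is an added example, not part of the original post: it reads the namespace, class and properties shown above and summarises the software update state messages on the local client. The function name and output columns are assumptions made for the example.

```powershell
# Added example: summarise TopicType=500 state messages on the local ConfigMgr client.
# Run from an elevated PowerShell session, as with wbemtest.

# State Message IDs for TopicType 500, as listed in the table above.
$stateNames = @{
    0 = 'Detection state unknown'
    1 = 'Update is not required'
    2 = 'Update is required'
    3 = 'Update is installed'
}

function Get-UpdateStateMessage {
    # Hypothetical helper name; returns one object per software update state message.
    $raw = @(Get-WmiObject -Namespace 'root\CCM\StateMsg' -Class 'CCM_StateMsg' `
                           -Filter 'TopicType = 500' -ErrorAction Stop)

    foreach ($m in $raw) {
        # MessageTime is a DMTF timestamp such as 20101027211908.749000+000.
        $time = $null
        if ($m.MessageTime) {
            $time = [System.Management.ManagementDateTimeConverter]::ToDateTime($m.MessageTime)
        }

        # StateID is unsigned in WMI; cast to int so the hashtable lookup matches.
        $id = [int]$m.StateID

        [pscustomobject]@{
            TopicID     = $m.TopicID
            StateID     = $id
            State       = $stateNames[$id]
            MessageSent = [bool]$m.MessageSent
            MessageTime = $time
        }
    }
}

$report = @(Get-UpdateStateMessage)

# Count of updates per state.
$report |
    Group-Object -Property StateID |
    Sort-Object -Property Name |
    Select-Object @{ n = 'StateID'; e = { $_.Name } },
                  @{ n = 'State';   e = { $stateNames[[int]$_.Name] } },
                  Count |
    Format-Table -AutoSize

# Updates the client reported as "Detection state unknown" and has sent to the MP.
# If the matching KBs are installed, the problem is on the client side.
$unknown = @($report | Where-Object { $_.StateID -eq 0 -and $_.MessageSent })
if ($unknown.Count -gt 0) {
    Write-Warning "$($unknown.Count) update(s) reported as 'Detection state unknown':"
    $unknown | Sort-Object -Property MessageTime | Format-Table TopicID, MessageSent, MessageTime -AutoSize
}
else {
    Write-Host 'No software update state messages with StateID 0 have been sent by this client.'
}
```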

    Hope this helps..

  • ConfigMgr 2012 Automatic Deployment Rules

     

    In CM12 we have a number of changes in Software Updates. One of the most anticipated ones is Auto Deployment Rules.

    Yes, finally, I hear you say….

    Well, let’s run through creating an Auto Deployment Rule and one little gotcha to keep your eye on.

    In the Console we select

     Software Library > Software Updates > Automatic Deployment Rules

    Choose Create Automatic Deployment Rule from the Ribbon or Right click on the mouse.

          image

     

    In the first screen we can choose a Template

    (Templates are no longer a node in the console. They are now created when creating an Auto Deployment Rule or manually deploying updates, and are saved at the Summary screen. I’ll point this out later in the post.)

    image

     

     

     

    You can Select to Add to an Existing Software Update Group or Create a new Software Update Group.

    image

    If you select Add to an Existing Software Update Group, a brand new group will be created the first time the Auto Deployment Rule is run, and every time the rule runs after that the new updates are added to that group.

    (NOTE: You cannot create a Software Update Group manually and then create an Auto Deployment Rule to add new updates to that group. Even if you give it the same name and description, the Auto Deployment Rule will still create a new group. See figure below. The group created at 6:02 pm was done manually. I then ran the Auto Deployment Rule at 6:07 pm and you can see that it creates a group with a duplicate name and description.)

    image

     

    If you select Create a new Software Update Group every time the rule is run a new Software Update Group is created.

     

    You can also choose to Enable the deployment after the rule is run.

     

    Here you can choose to use Wake on lan and also decide whether to automatically deploy all updates and approve any license agreements or deploy only updates that do not include license agreements.

    image

    This is where you select the requirements to select the updates to auto approve.

     

    image

    Here you can set a Schedule for the Rule to run. Potentially every Patch Tuesday or Daily for Forefront updates.

    Or you can run the rule manually.

    image

    Similar to CM07 we can set the deployment schedule and whether the Deployment will be Mandatory.

    image

    Set the User Experience, deadline behaviour and reboot suppression.

    image

    We can now generate alerts if the compliance falls below a certain level after a certain period of time. As before, we can select to disable alerts for Operations Manager.

    image

    Set your Deployment options

    image

    Either select an existing package or create a new one for the new updates

    image

    Select a DP or DP Group

    image

    Where to download the updates from

    image

     

    Choose a language

    image

    On the Summary screen you can Choose to Save your settings as a Template for future use

    image

    image

    We now see the new Rule in the console and we can choose to Run Now from the ribbon.

    image

    image

    The log file for troubleshooting is Ruleengine.log

    We can see the Auto Deployment Rule is kicked off

    image

    Evaluating and downloading updates

    image

    Here we see it looking for an existing update group and not finding one therefore creating a new Software Update Group then adding the updates to that Group.

    image

    Back to the console. If we select Software Update Groups we now see the newly created Windows 7 Automatic Deployment and the Deployment (yet to be enabled) on the tab below.

    image

    When we select Show Members we can see the updates applied.

    image

    and there you have it.

  • New logs in ConfigMgr 2012 – Client Logs

    With the new version of Configuration Manager, comes a bunch of new juicy logs. I’ll separate the posts into Client and Server. In this first instalment, I’ll cover off on the new logs found on your clients.

    The first thing you need to know, is the log location has changed slightly.

    Client logs can now be found at C:\Windows\CCM\Logs – rather than in the System32 or SysWoW64 directory

    AppDiscovery.log

    With the new ConfigMgr 2012 App Model, we now scan each machine at a regular period (default is every 7 days) and make sure that applications that should be installed on a machine are indeed installed. The AppDiscovery.log will show you the discovery engine (based on DCM) checking to make sure the app is installed.

    Performing detection of app deployment type MS_Silverlight(ScopeId_73F3BB5E-5EDC-4928-87BD-4E75EB4BBC34/DeploymentType_246b2460-f182-4916-959c-0a2c41c55ca0, revision 2) for system. AppDiscovery 3/05/2012 9:27:30 AM 7988 (0x1F34)

    +++ Application not discovered. [AppDT Id: ScopeId_73F3BB5E-5EDC-4928-87BD-4E75EB4BBC34/DeploymentType_246b2460-f182-4916-959c-0a2c41c55ca0, Revision: 2] AppDiscovery 3/05/2012 9:27:31 AM 7988 (0x1F34)

    Here we can see the WMI query for the Microsoft Silverlight application and it not being found. The AppDiscovery.log will then flag Silverlight for installation

    ActionType - Install will use Content Id: Content_b0e86929-a5f2-4154-b876-ed83965ce25d + Content Version: 1 for AppDT "MS_Silverlight" [ScopeId_73F3BB5E-5EDC-4928-87BD-4E75EB4BBC34/DeploymentType_246b2460-f182-4916-959c-0a2c41c55ca0], Revision - 2 AppDiscovery 3/05/2012 9:27:34 AM 12156 (0x2F7C)

    AppEnforce.log

    If an application should be installed, and the AppDiscovery doesn’t find it, the AppEnforce log should kick in with the installation routine

    +++ Starting Install enforcement for App DT "MS_Silverlight" ApplicationDeliveryType - ScopeId_73F3BB5E-5EDC-4928-87BD-4E75EB4BBC34/DeploymentType_246b2460-f182-4916-959c-0a2c41c55ca0, Revision - 2, ContentPath - C:\Windows\ccmcache\1a, Execution Context - System AppEnforce 3/05/2012 9:28:29 AM 7988 (0x1F34)

    A user is logged on to the system. AppEnforce 3/05/2012 9:28:29 AM 7988 (0x1F34)

    Performing detection of app deployment type MS_Silverlight(ScopeId_73F3BB5E-5EDC-4928-87BD-4E75EB4BBC34/DeploymentType_246b2460-f182-4916-959c-0a2c41c55ca0, revision 2) for system. AppEnforce 3/05/2012 9:28:29 AM 7988 (0x1F34)

    +++ Application not discovered. [AppDT Id: ScopeId_73F3BB5E-5EDC-4928-87BD-4E75EB4BBC34/DeploymentType_246b2460-f182-4916-959c-0a2c41c55ca0, Revision: 2] AppEnforce 3/05/2012 9:28:29 AM 7988 (0x1F34)

    App enforcement environment:

    Context: Machine

    Command line: "Silverlight.exe" /q

    Allow user interaction: No

    UI mode: 1

    User token: null

    Session Id: 4294967295

    Content path: C:\Windows\ccmcache\1a

    Working directory: AppEnforce 3/05/2012 9:28:29 AM 7988 (0x1F34)

    Prepared working directory: C:\Windows\ccmcache\1a AppEnforce 3/05/2012 9:28:29 AM 7988 (0x1F34)

    Prepared command line: "C:\Windows\ccmcache\1a\Silverlight.exe" /q AppEnforce 3/05/2012 9:28:33 AM 7988 (0x1F34)

    Executing Command line: "C:\Windows\ccmcache\1a\Silverlight.exe" /q with system context AppEnforce 3/05/2012 9:28:33 AM 7988 (0x1F34)

    Once the application has installed, it will rerun the application detection and this time succeed.

    +++ Discovered application [AppDT Id: ScopeId_73F3BB5E-5EDC-4928-87BD-4E75EB4BBC34/DeploymentType_246b2460-f182-4916-959c-0a2c41c55ca0, Revision: 2] AppEnforce 3/05/2012 9:29:41 AM 7988 (0x1F34)

    AppIntentEval.log

    The AppIntentEval.log works with the two previous logs, and should tell you which applications are required. You should see something like

    ScopeId_73F3BB5E-5EDC-4928-87BD-4E75EB4BBC34/DeploymentType_246b2460-f182-4916-959c-0a2c41c55ca0/2 :- Current State = Installed, Applicability = Applicable, ResolvedState = Installed, Title = MS_Silverlight

    CCMVDIProvider.log

    The CCMVDIProvider.log will show you if the machine is a virtual or a physical machine

    EndpointProtectionAgent.log

    The EndpointProtectionAgent.log will only show you that the SCEP agent is/isn’t installed. It will not show you any information about definition updates. For SCEP definition updates and SCEP functionality, you’ll find a bunch of logs in C:\ProgramData\Microsoft\Microsoft Antimalware\Support

    ExpressionSolver.log

    ExpressionSolver.log is a log that records MSI discovery. This log is only available when verbose logging is enabled

    ExternalEventAgent.log

    The ExternalEventAgent shows all of the state messages sent from SCEP, into the CCM client. The CCM client will then process this state message as it would any internal state message.

    FileSystemFile.log

    This log file records all Software Inventory file system scans. You can see in the log file below, that we’re looking for qmgr.dll, scrnsave.exe, scrnsave.scr and msiexec in the System32 directory.

    Query = SELECT __class, __path, __relpath, name, path, lastwritedate, size, companyname, productname, productversion, productlanguage, fileversion, filedescription FROM FileSystemFile WHERE name = 'qmgr.dll|scrnsave.exe|scrnsave.scr|msiexec.exe' and path = '%windir%\\system32\\*' and iscompressed = false and isencrypted = false; Timeout = 14400 secs; ScanInterval = 2 msecs; SkipFile = skpswi.dat

    SCNotify.log

    You’ll see a bunch of SCNotify logs in your logs directory. This log describes the user notification for new applications. In the log you’ll see a bunch of WMI calls, and whether or not applications should notify the user of their availability

    This software should not display a user notification balloon, removing it from the available notification list.

    SoftwareCatalogUpdateEndpoint.log

    The SoftwareCatalogUpdateEndpoint log will show any changes to the Software Catalog URL and will show the URL being added to the Trusted Sites list in Internet Explorer

    CSoftwareCatalogUpdateHandler::StartUpdateTrustedSitesProcess: Started UpdateTrustedSites process
    CSoftwareCatalogUpdateHandler::SetCatalogSecurity: Updating the registry for Software Catalog.

    SoftwareCenterSystemTasks.log

    This log will show you the Software Center notifications and whether or not the Software Center is installed and healthy.

    UpdateTrustedSites.log

    The UpdateTrustedSites logs the actual updates after the SoftwareCatalogUpdateEndpoint reports that the URL needs to be added to the Trusted Sites

    CSoftwareCatalogUpdateHandler::AddDefaultPortalToTrustedSites: Catalog Url should be added to the trusted sites zone. UpdateTrustedSites 18/05/2012 1:13:32 PM 14172 (0x375C)

    AddDefaultPortalToTrustedSites: url = http://applicationcatalog.yourdomain.com:80, zone = 258 UpdateTrustedSites 18/05/2012 1:13:32 PM 14172 (0x375C)

    UserAffinity.log

    With the new 2012 App Model, we need to determine which users are primary users of a device. The UserAffinity log will show which users have been added as primary users, and the method for determining the primary user

    Auto affinity threshold settings Days = '21', User Minutes = '2880', AutoApproveAffinity = '1'. UserAffinity 18/05/2012 1:12:33 PM 14332 (0x37FC)

    No WMI instance. Setting an affinity. UserAffinity 18/05/2012 1:12:45 PM 14332 (0x37FC)

    Setting auto affinity for user 'yourdomain\mattshadbolt'. UserAffinity 18/05/2012 1:12:45 PM 14332 (0x37FC)

    Successfully sent user affinity state message for user 'yourdomain\mattshadbolt'. UserAffinity 18/05/2012 1:12:45 PM 14332 (0x37FC)

    Successfully saved user affinity data for user 'yourdomain\mattshadbolt' into WMI. UserAffinity 18/05/2012 1:12:45 PM 14332 (0x37FC)

    We can see that AutoApproveAffinity is enabled for any user who has used the machine within 21 days, and for 2880 minutes or more.

    So that's it! If you find any other logs that weren’t around in 2007, please let me know and I’ll do my best to cover them!

    Matt Shadbolt

     

  • Applying Windows Updates to a base WIM using DISM and Powershell

    Manual installation

    Firstly, locate your most up to date image and make a copy of it. This is so we can
    stream the newest Windows Updates into the mounted WIM without risk of damaging
    a working WIM. I suggest copying the WIM to a temp location. Also, put the
    Windows Update that you want to apply into an Updates folder.

    Next, mount your image in the temp location.

    DISM /Mount-Wim /WimFile:C:\TempMount\install.wim /index:1 /Mountdir:C:\TempMount\Mount

    Now inject the Windows Update you need to apply

    DISM /image:C:\TempMount\Mount /Add-Package /Packagepath:C:\Updates\

    Finally, save and unmount the image

    DISM /Unmount-Wim /Mountdir:C:\TempMount\Mount /commit
    DISM /Cleanup-Wim

    Automating the installation

    While running updates manually like this is an easy way to apply a few updates, hundreds of updates require more work. Here’s how you would apply the updates using PowerShell.

    # Paths used throughout the script
    $UpdatesPath = "C:\Updates\*"
    $MountPath = "C:\TempMount\Mount"
    $WimFile = "C:\TempMount\install.wim"
    # Mount the first image in the WIM
    DISM /Mount-Wim /WimFile:$WimFile /index:1 /Mountdir:$MountPath
    # Inject each update in turn
    $UpdateArray = Get-Item $UpdatesPath
    ForEach ($Updates in $UpdateArray)
    {
    DISM /image:$MountPath /Add-Package /Packagepath:$Updates
    Start-Sleep -s 10
    }
    Write-Host "Updates Applied to WIM"
    # Commit the changes and clean up stale mount points
    DISM /Unmount-Wim /Mountdir:$MountPath /commit
    DISM /Cleanup-Wim

    Using SCCM 2007 Deployment Packages makes getting these updates really simple. Package up the updates like you would normally, then set the $UpdatesPath variable above to the SMS package location.
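    Because the serviced WIM becomes the base for every machine built from it, it is worth checking what goes in and whether each DISM step succeeded. The PowerShell below is an added example, not the author's script: it uses the same paths as above, refuses to mount the image if any package fails Authenticode verification, and discards the mount if DISM returns an error. The function names and the requirement that the signer's organisation is Microsoft Corporation are assumptions made for the example.

```powershell
# Added example: verify update packages and DISM exit codes when servicing an offline WIM.
# Requires PowerShell 4.0 (Get-FileHash) and an elevated session.
$UpdatesPath = 'C:\Updates'
$MountPath   = 'C:\TempMount\Mount'
$WimFile     = 'C:\TempMount\install.wim'

function Test-UpdateSignature {
    # Hypothetical helper: true only if the file carries a valid signature from Microsoft.
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' means the file hash matches and the chain builds to a trusted root.
    if ($sig.Status -ne 'Valid') { return $false }
    # Assumption for this example: accept only certificates issued to Microsoft Corporation.
    return ($sig.SignerCertificate.Subject -match '(^|,\s*)O=Microsoft Corporation(,|$)')
}

function Invoke-Dism {
    # Hypothetical wrapper: run DISM and turn a non-zero exit code into a terminating error.
    param([Parameter(Mandatory)][string[]]$Arguments)

    & dism.exe @Arguments | Out-Host
    if ($LASTEXITCODE -ne 0) {
        throw "DISM $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. Collect the packages and reject the whole run if any of them is unsigned or tampered with.
$packages = @(Get-ChildItem -Path $UpdatesPath -File |
              Where-Object { $_.Extension -in '.msu', '.cab' })
if ($packages.Count -eq 0) { throw "No .msu or .cab packages found in $UpdatesPath" }

$rejected = @($packages | Where-Object { -not (Test-UpdateSignature -Path $_.FullName) })
if ($rejected.Count -gt 0) {
    $rejected | ForEach-Object { Write-Warning "Signature check failed: $($_.FullName)" }
    throw 'Refusing to service the image: one or more packages failed signature verification.'
}

# 2. Mount, inject, commit. Any failure discards the mount so a half-patched image is never saved.
Invoke-Dism @('/Mount-Wim', "/WimFile:$WimFile", '/Index:1', "/MountDir:$MountPath")
try {
    foreach ($pkg in $packages) {
        Invoke-Dism @("/Image:$MountPath", '/Add-Package', "/PackagePath:$($pkg.FullName)")
    }
    Invoke-Dism @('/Unmount-Wim', "/MountDir:$MountPath", '/Commit')
}
catch {
    Write-Warning "Servicing failed, discarding changes: $($_.Exception.Message)"
    & dism.exe /Unmount-Wim "/MountDir:$MountPath" /Discard | Out-Host
    throw
}

# 3. Record the hash of the serviced image so later copies can be compared against it.
Get-FileHash -Path $WimFile -Algorithm SHA256 | Format-List Path, Hash
Write-Host "Applied $($packages.Count) update(s) to $WimFile"
```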

    Happy patching!

    Matt Shadbolt

  • Package & Application Source Modification Scripts

    I promised in my last post to provide you all with my scripts for modifying all your package and application source paths… well that was over two months ago now!

    http://blogs.technet.com/b/configmgrdogs/archive/2013/02/18/moving-your-package-source-after-migration.aspx

    Note: These scripts are provided “as-is” and no guarantees are provided. Please TEST these in a non-production environment beforehand.

     

    ApplicationSourceModification.ps1 (Version 1.0)

    My first script modifies the source paths for all of the Deployment Types within all Applications that are Script or MSI installers (you can modify this to do your App-V Deployment Types too)

    Write-Host "#######################################################################" -f Green
    Write-Host "##        Matts ConfigMgr 2012 SP1 Application Source Modifier       ##" -f Green
    Write-Host "##                blogs.technet.com/b/ConfigMgrDogs                  ##" -f Green
    Write-Host "##                                                                   ##" -f Green
    Write-Host "##                                                                   ##" -f Green
    Write-Host "##  Please ensure your package source content has been moved to the  ##" -f Green
    Write-Host "##          new location *prior* to running this script              ##" -f Green
    Write-Host "##                                                                   ##" -f Green
    Write-Host "#######################################################################" -f Green
    Start-Sleep -s 2

    Write-Host ""
    Write-Host ""
    ## Import ConfigMgr PS Module
    Import-Module 'C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin\ConfigurationManager.psd1'

    ## Connect to ConfigMgr Site
    $SiteCode = Read-Host "Enter your ConfigMgr Site code (XXX)"
    $SiteCode = $SiteCode + ":"
    Set-Location $SiteCode
    Write-Host ""

    ## Set old Source share
    Write-Host "NOTE: This is the location your 2007 packages are stored. It must be correct"
    $OriginalSource = Read-Host "Enter your source ConfigMgr share (\\2007Server\Source$)"

    ## Set new Source share
    Write-Host ""
    Write-Host "NOTE: This is the location your Applications are stored. It must be correct"
    $DestinationSource = Read-Host "Enter your destination ConfigMgr Source share (\\2012SERVER\Source$)"
    Write-Host ""
    Write-Host "Working.."
    Write-Host ""
    ## Get your Application Deployment Types

    $ApplicationName = Get-CMApplication
    $ApplicationName = $ApplicationName.LocalizedDisplayName

    ForEach($x in $ApplicationName)
    {
    $DeploymentTypeName = Get-CMDeploymentType -ApplicationName $x
    #$DeploymentTypeName = $DeploymentTypeName.LocalizedDisplayName

        ForEach($DT in $DeploymentTypeName)
        {
        ## Change the directory path to the new location
        $DTSDMPackageXLM = $DT.SDMPackageXML
        $DTSDMPackageXLM = [XML]$DTSDMPackageXLM
       
        ## Get Path for Apps with multiple DTs
        $DTCleanPath = $DTSDMPackageXLM.AppMgmtDigest.DeploymentType.Installer.Contents.Content.Location[0]
       
        ## Get Path for Apps with single DT
        IF($DTCleanPath -eq "\")
        {
            $DTCleanPath = $DTSDMPackageXLM.AppMgmtDigest.DeploymentType.Installer.Contents.Content.Location
        }
       
        $DirectoryPath = $DTCleanPath -replace [regex]::Escape($OriginalSource), "$DestinationSource"

        ## Modify DT path
        Set-CMDeploymentType -ApplicationName "$x" -DeploymentTypeName $DT.LocalizedDisplayName -MsiOrScriptInstaller -ContentLocation "$DirectoryPath"
       
        ## Write Output
        Write-Host "Application " -f White -NoNewline;
        Write-Host $x -F Red -NoNewline;
        Write-Host " with Deployment Type " -f White -NoNewline;
        Write-Host $DT.LocalizedDisplayName -f Yellow -NoNewline;
        Write-Host " has been modified to " -f White -NoNewline;
        Write-Host $DirectoryPath -f DarkYellow
        }
    }

    PackageSourceModification.ps1 (Version 1.0)

    My second script is much simpler, as we are changing only the Package source location, with no need to cycle through each Deployment Type

    Write-Host "#######################################################################" -f Green
    Write-Host "##        Matts ConfigMgr 2012 SP1 Package Source Modifier           ##" -f Green
    Write-Host "##                blogs.technet.com/b/ConfigMgrDogs                  ##" -f Green
    Write-Host "##                                                                   ##" -f Green
    Write-Host "##                                                                   ##" -f Green
    Write-Host "##  Please ensure your package source content has been moved to the  ##" -f Green
    Write-Host "##          new location *prior* to running this script              ##" -f Green
    Write-Host "##                                                                   ##" -f Green
    Write-Host "#######################################################################" -f Green
    Start-Sleep -s 2

    $SiteCode = Read-Host "Enter your ConfigMgr Site code (XXX)"
    $SiteCode = $SiteCode + ":"
    Set-Location $SiteCode

    $PackageArray = Get-CMPackage
    $OldPath = "\\2007SERVER\source$"
    $NewPath = "\\2012SERVER\cmsource$"
    ForEach ($Package in $PackageArray)
    {
    $ChangePath = $Package.PkgSourcePath.Replace($OldPath, $NewPath)
    Set-CMPackage -Name $Package.Name -Path $ChangePath
    Write-Host $Package.Name " has been changed to " $ChangePath
    }

    Matt Shadbolt

  • Redistribute Package in Configuration Manager 2012

    One pain point with Configuration Manager 2007, was that when a package failed to distribute content to a distribution point after the retry count was exceeded, it was permanently stuck in a distributing state. There was no easy supported method to redistribute that package to a specific Distribution Point.

    Now in 2012 we have the new option to Redistribute a package.

    Open the properties of any application or package and click on the Content Locations tab.

    From there you can select either a specific Distribution Point or a Distribution Point Group. See figures below.

    Application Properties

    image

    Package Properties

    image

    Then click on Redistribute

    image

    Click OK on the Warning and the package will then redistribute the content to that DP or DP Group.

  • System Center 2012 R2 Configuration Manager Toolkit

    Hi Everyone,

    Just a very quick note to let you know that the Configuration Manager 2012 R2 Toolkit is available and is definitely worth a look.

    Some of the new tools include

    CEViewer.exe for viewing collection update stats

    and

    DPJobManager, a tool to help you monitor, suspend or cancel package distributions to Distribution Points

    Download link below

    System Center 2012 R2 Configuration Manager Toolkit

  • Understanding ConfigMgr 2012 APP-V Virtual Environments

    ConfigMgr 2012 SP1 introduced APP-V Virtual Environments (VE). APP-V VEs work differently to APP-V 5.0 Connection Groups in a “Full Infrastructure Model” (i.e. Publishing Server), so we need to do some application mapping before implementing APP-V Virtual Environments. You can think of ConfigMgr VEs as a “Rule Set” that the ConfigMgr client evaluates when doing an application evaluation cycle. Once a client evaluates true to a VE “Policy”, the connection group is then created. The difference in ConfigMgr is that an APP-V application can only be a member of one VE at any one time. This blog aims to explain why this is the case and why application mapping is vital if your virtual application catalogue has a large number of applications that are highly dependent on other applications.

    Let’s say I have three applications I need to configure in Connection Groups. In Full Infra I could easily create three separate connection groups and use the Priority to determine which VFS wins in a conflict.

    Full Infra Example (Firefox , Flash & Reader)

    Connection Group 1 = Firefox and Flash, priority = 1

    Connection Group 2 = Firefox and Reader, priority = 2

    Connection Group 3 = Firefox and Flash and Reader, priority = 3

    If I do not set my priorities correctly then, as you know, we get the following error

    clip_image001

    clip_image002

    However, in ConfigMgr we need to use a single Virtual Environment Rule Set per application that we need to manage a Connection Group for, and set logical operators to determine the priorities. By default the Connection Group priority in a ConfigMgr integrated environment is always set to “4294967294” (i.e. the priority in traditional terms is not used in ConfigMgr). This is the underlying reason why a ConfigMgr virtual application can only ever be a member of one VE at any one time. ConfigMgr manages the creation of the Connection Group XML that gets created and processed by the client when the client meets the rule set defined in the Virtual Environment.

    If I tried to set up the ConfigMgr Virtual Environment in the same way as I do in Full Infra (illustration below), this WILL NOT WORK, and we will end up with the same error as above.

    Misconfigured Example below

    clip_image003

    clip_image004clip_image006clip_image005

    As I evaluate to True for both Virtual Environment Rule Sets, both Connection Groups are configured, but of course I get the same ERROR

    clip_image007clip_image008

    To configure this in ConfigMgr I need to use my logical operators inside the VE to achieve the same result I would get in a Full Infrastructure environment

    clip_image009clip_image010

    clip_image011

    Examples:

    Client 1: Has Firefox and Reader installed, i.e. no Flash. This meets the Virtual Environment rule configured, so the “Firefox” Connection Group is created for Firefox and Reader.

    clip_image012clip_image013

    Client 2: Has Firefox, Flash and Reader installed. This also meets the Virtual Environment rule; however, as I have all three applications, the Flash VFS will take precedence over the Reader VFS because we have set Flash with a high “Order” in the Virtual Environment.

    clip_image014clip_image015

    clip_image016

    Hope this helps clear up some misunderstandings on how APP-V VEs work in ConfigMgr 2012 SP1+.

  • Creating Lab Computer Objects

    So I’m getting my preparation done for TechEd 2013 on the Gold Coast and needed to fill my ConfigMgr hierarchy with some dummy computer objects. My session being PowerShell for ConfigMgr 2012 SP1, of course I went straight to PowerShell to do the work for me. 

    I’m not looking for anything too special; 1000 laptops, 1000 desktops and 500 servers for my demo domain contoso.com.

    ConfigMgr can be a little picky when it comes to AD System Discovery, such as requiring a matching DNS record and a valid Operating System value. All of the options below are required otherwise you get errors in the ADSysDis.log.

     

    Here’s my script (note: you must have the Active Directory PowerShell module installed on the local machine)

     

    Import-Module ActiveDirectory
    $Count=1
    $LaptopCount = 1001
    $DesktopCount = 1001
    $ServerCount = 501
    # Create Laptops
    While ($Count -lt $LaptopCount)
    {
    New-ADComputer -Name "CON-LAP-$Count" -DNSHostName "CON-LAP-$Count.contoso.com" -OperatingSystem "Windows 7 Enterprise" -OperatingSystemVersion "6.1 (7600)"
    Add-DnsServerResourceRecord -ZoneName contoso.com -Name "CON-LAP-$Count" -IPv4Address "192.168.169.123" -A
    $Count = $Count + 1
    }
    $Count = 1
    # Create Desktops
    While ($Count -lt $DesktopCount)
    {
    New-ADComputer -Name "CON-DSK-$Count" -DNSHostName "CON-DSK-$Count.contoso.com" -OperatingSystem "Windows 7 Enterprise" -OperatingSystemVersion "6.1 (7600)"
    Add-DnsServerResourceRecord -ZoneName contoso.com -Name "CON-DSK-$Count" -IPv4Address "192.168.169.123" -A
    $Count = $Count + 1
    }
    $Count = 1
    # Create Servers
    While ($Count -lt $ServerCount)
    {
    New-ADComputer -Name "CON-SVR-$Count" -DNSHostName "CON-SVR-$Count.contoso.com" -OperatingSystem "Windows Server 2012 Enterprise" -OperatingSystemVersion "6.2 (9200)"
    Add-DnsServerResourceRecord -ZoneName contoso.com -Name "CON-SVR-$Count" -IPv4Address "192.168.169.123" -A
    $Count = $Count + 1
    }

    Active Directory Computer accounts

    image

    DNS A Records

    image

    Matt Shadbolt

  • Orchestrator 2012 Logging and Debug Logging

     

    Hi All,

    If you’ve started playing with Orchestrator I have detailed the areas where you can look for issues with your Runbooks and other components.

     

    Runbook Designer

    Log Tab

    Firstly you can look at the Log tab while your Runbook is executing

     

    image

    Log History Tab

    Or after it is complete you can check the Log History tab

     

    image

    Double Click on the entry you want to review and then check the status for each Activity.

    image

    To control the level of detail available, go to the properties of each individual Runbook and select Store Activity-specific Published Data and/or Store Common Published Data. NOTE: This is only recommended in Dev and Test, not Production, as these may significantly increase the size of your database (see the TechNet reference Database Sizing and Performance for details).

    Do not have these turned on in Production unless you are troubleshooting.

    image

    Events

    We can also get some useful information from the Events tab

    image

    Log Files

    Another area is the component logs for Debug Logging.

    Thank you to Jeffrey Fanjoy, a senior support escalation engineer based out of the US, for this information.

    If you go to the following Registry key

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\SystemCenter2012\Orchestrator\TraceLogger

    on a box with the Runbook Designer or Runbook Server, you will see that for each component there is a LogFolder and LogLevel key. The LogFolder shows you where the actual log sits and the LogLevel is the verbosity level. (NOTE: You may need to restart services or the server before this will take effect.)

    Log Level   Detail
    1           Errors
    3           Errors and warnings
    7           Errors, warnings and Information

    image

    Just keep in mind that the higher the verbosity the more information that will get put into the log so it should only be used for troubleshooting purposes and should not be left on by default.
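    To find components where verbose logging was left on after troubleshooting, the registry key above can be read with PowerShell. This is an added example, not part of the original post. It assumes each component is a subkey of TraceLogger holding the LogFolder and LogLevel entries described above; the function name and output columns are made up for the example.

```powershell
# Added example: report the Orchestrator trace level and log size for each component.
# Run on a machine with the Runbook Designer or Runbook Server installed.
$traceRoot = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\SystemCenter2012\Orchestrator\TraceLogger'

# Log levels as listed in the table above.
$levelNames = @{
    1 = 'Errors'
    3 = 'Errors and warnings'
    7 = 'Errors, warnings and Information'
}

function Get-OrchestratorTraceLevel {
    # Hypothetical helper name; returns one object per component subkey.
    param([string]$Root = $traceRoot)

    if (-not (Test-Path -Path $Root)) {
        throw "Registry key not found: $Root"
    }

    foreach ($key in Get-ChildItem -Path $Root) {
        $props = Get-ItemProperty -Path $key.PSPath
        if ($null -eq $props.LogLevel) { continue }   # subkey without a LogLevel entry

        $level  = [int]$props.LogLevel
        $folder = [Environment]::ExpandEnvironmentVariables([string]$props.LogFolder)

        # Size of the component's log folder, to show what the verbosity is costing on disk.
        $sizeMB = 0
        if ($folder -and (Test-Path -Path $folder)) {
            $bytes  = (Get-ChildItem -Path $folder -Recurse -File -ErrorAction SilentlyContinue |
                       Measure-Object -Property Length -Sum).Sum
            $sizeMB = [math]::Round($bytes / 1MB, 1)
        }

        [pscustomobject]@{
            Component = $key.PSChildName
            LogLevel  = $level
            Detail    = $levelNames[$level]
            Verbose   = ($level -ge 7)
            LogFolder = $folder
            LogSizeMB = $sizeMB
        }
    }
}

$levels = @(Get-OrchestratorTraceLevel)
$levels | Sort-Object -Property Component |
    Format-Table Component, LogLevel, Detail, LogSizeMB, LogFolder -AutoSize

# Components still at level 7 should be set back once troubleshooting is finished.
$verbose = @($levels | Where-Object { $_.Verbose })
if ($verbose.Count -gt 0) {
    Write-Warning ("Verbose logging (level 7) is enabled for: " +
                   (($verbose | ForEach-Object { $_.Component }) -join ', '))
}
```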

  • Supported AV clients for SCEP to automatically remove

    I’ve just spent a frustrating 10 minutes searching bing/google for the list of the supported anti-virus programs that SCEP (System Center Endpoint Protection) can automatically uninstall. So to save my scalp for a future hair pulling, I thought I’d blog the list so I can find it quickly next time. Hopefully bing/google will index this post and save us all some time!

    http://technet.microsoft.com/en-us/library/gg682067.aspx#BKMK_EndpointProtectionDeviceSettings

    Automatically remove previously installed antimalware software before Endpoint Protection is installed

    Endpoint Protection uninstalls the following antimalware software only:

    • Symantec AntiVirus Corporate Edition version 10
    • Symantec Endpoint Protection version 11
    • Symantec Endpoint Protection Small Business Edition version 12
    • McAfee VirusScan Enterprise version 8
    • Trend Micro OfficeScan
    • Microsoft Forefront Codename Stirling Beta 2
    • Microsoft Forefront Codename Stirling Beta 3
    • Microsoft Forefront Client Security v1
    • Microsoft Security Essentials v1
    • Microsoft Security Essentials 2010
    • Microsoft Forefront Endpoint Protection 2010
    • Microsoft Security Center Online v1
  • Moving your package source after migration

    UPDATE: I’ve posted my Package and Application scripts (http://blogs.technet.com/b/configmgrdogs/archive/2013/05/09/package-amp-application-source-modification-scripts.aspx)

     

    If you haven’t checked out the Package Conversion Manager for ConfigMgr 2012 RTM/SP1 yet, you’re missing out.

    http://www.microsoft.com/en-au/download/details.aspx?id=34605

    The PCM is provided by Microsoft to help you convert those migrated ConfigMgr 2007 Packages, into the newer (and better) ConfigMgr 2012 App Model Applications.

    While PCM is really cool, this article is not going to show you how to use it, because frankly, it’s way too easy to use!

     

    One of the limitations of PCM is that, while it’ll do a great job converting your Packages to Apps, it does not do anything with your package/application source. This can be a major problem if your migrated package source was hosted locally on your old ConfigMgr 2007 server. Of course you should all be using UNC paths for your source. However, even if you’re doing the right thing, if you want to decommission the old 2007 server, somehow you’ll need to move that package source.

    I’m here to help!

    Let’s use our favourite test application – Adobe Reader – and we’ll quickly convert the package, and then move the package source to the new ConfigMgr server.

    In my demo, I’m using two package source shares to imitate a common environment

    \\SP1RTM\OldSource$ This would be our old 2007 package source share

    \\SP1RTM\Source$ This will be our new 2012 package source share

    I’ve converted my old package to a shiny new 2012 Application

    image

    And if we open the single Deployment Type, we’ll see that the source is still on the old package source share

    image

    Now, this will actually work quite nicely. Having an external package source is not only supported, but recommended in larger environments. BUT, in small to medium environments you’ll want to decommission the old 2007 server to save on licensing and management.

    In 2007 there were two supported ways to move this package source. You either raised a Microsoft PSS case and they supplied you with a VB Script, or you manually went through each package source and changed the share path.

    In 2012 SP1, we now have Powershell to do the work!

    We’ve now got a myriad of Powershell cmdlets available for ConfigMgr 2012 SP1. (NOTE: Powershell support was added at SP1 so none of the following is applicable to RTM)

    Anoop C Nair has a great write up of all the cmdlets available

    http://gallery.technet.microsoft.com/CM-2012-SP1-List-of-Cmdlets-a7bce79d

     

    First, we need to import the ConfigMgr Powershell Module (NOTE: the module will only run in the x86 Powershell console)

    Import-Module 'C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin\ConfigurationManager.psd1'

    image

    Next, connect to the Central/Primary site where you’ll be targeting your commands

    Set-Location PRI:

    image

    Now that we’re connected, we can take a look at that Adobe Reader Deployment Type (DT)

    Get-CMDeploymentType -ApplicationName "Adobe Reader" -DeploymentTypeName "Install Reader"

    image

    image

    Whoa, lots of info! But the relevant part for this tutorial is the <Location></Location> tags

    image

    Luckily, we don’t have to modify the SDMPackageXML because the product group have given us a cmdlet to modify it without touching it directly.

    Set-CMDeploymentType -ApplicationName "Adobe Reader" -DeploymentTypeName "Install Reader" -MsiOrScriptInstaller -ContentLocation "\\SP1RTM\Source$\Applications\Adobe Reader"

    image

    If we now open up the DT, we can see the source location has changed to our new share.

    image

    Voila! With Powershell integration, doing these manual admin tasks is a whole lot easier, especially if you start using programming logic and piping information from one cmdlet to another.

    In my next post, I’ll be posting a script to move *every* package source of applications that you’ve migrated.

     

    Matt Shadbolt
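
    The post above changes one deployment type by hand. As an added example (not the author's script), the sketch below reads the <Location> values out of SDMPackageXML, re-roots only paths that really sit under the old share, and calls Set-CMDeploymentType only when -Apply is given. The function names and the sample XML are constructed; that Get-CMDeploymentType returns the XML in an SDMPackageXML property is assumed from the output described in the post.

    ```powershell
    # Added example (not the author's script). Share names come from the post;
    # the sample digest XML and all function names are constructed for illustration.

    function Convert-SourcePath {
        # Returns $Path re-rooted from $OldRoot to $NewRoot, or $null if it is not under $OldRoot.
        param(
            [Parameter(Mandatory = $true)][string]$Path,
            [Parameter(Mandatory = $true)][string]$OldRoot,
            [Parameter(Mandatory = $true)][string]$NewRoot
        )
        $old = $OldRoot.TrimEnd('\')
        $cmp = [System.StringComparison]::OrdinalIgnoreCase
        # Compare as plain strings: -replace would treat the backslashes and '$' in a
        # share path as regex syntax. Require a whole-segment prefix so that a
        # look-alike share such as \\SP1RTM\OldSource$2 is not rewritten by mistake.
        if ($Path.Equals($old, $cmp) -or $Path.StartsWith("$old\", $cmp)) {
            return $NewRoot.TrimEnd('\') + $Path.Substring($old.Length)
        }
        return $null
    }

    function Get-ContentLocation {
        # Pulls every <Location> value out of a deployment type's SDMPackageXML.
        param([Parameter(Mandatory = $true)][string]$SdmPackageXml)
        $doc = [xml]$SdmPackageXml
        # local-name() keeps the query independent of the digest's XML namespace
        foreach ($node in $doc.SelectNodes("//*[local-name()='Location']")) { $node.InnerText }
    }

    function Move-DeploymentTypeSource {
        # Dry run by default; pass -Apply to call Set-CMDeploymentType as the post does.
        param(
            [Parameter(Mandatory = $true)][string]$ApplicationName,
            [Parameter(Mandatory = $true)][string]$DeploymentTypeName,
            [Parameter(Mandatory = $true)][string]$OldRoot,
            [Parameter(Mandatory = $true)][string]$NewRoot,
            [switch]$Apply
        )
        $dt = Get-CMDeploymentType -ApplicationName $ApplicationName -DeploymentTypeName $DeploymentTypeName
        foreach ($location in Get-ContentLocation -SdmPackageXml $dt.SDMPackageXML) {
            $target = Convert-SourcePath -Path $location -OldRoot $OldRoot -NewRoot $NewRoot
            if (-not $target) { Write-Verbose "Skipping $location (not under $OldRoot)"; continue }

            # On the site drive (PRI:) a bare UNC path is resolved by the ConfigMgr provider,
            # so name the FileSystem provider explicitly.
            if (-not (Test-Path -LiteralPath "FileSystem::$target")) {
                Write-Warning "Content not copied yet, leaving source unchanged: $target"
                continue
            }
            Write-Output "$location -> $target"
            if ($Apply) {
                Set-CMDeploymentType -ApplicationName $ApplicationName -DeploymentTypeName $DeploymentTypeName -MsiOrScriptInstaller -ContentLocation $target
            }
        }
    }

    # Offline demonstration on a constructed, heavily trimmed digest (placeholder namespace)
    $SampleXml = '<AppMgmtDigest xmlns="urn:example:constructed"><DeploymentType><Installer><Contents><Content>' +
                 '<Location>\\SP1RTM\OldSource$\Applications\Adobe Reader\</Location>' +
                 '</Content></Contents></Installer></DeploymentType></AppMgmtDigest>'

    foreach ($location in Get-ContentLocation -SdmPackageXml $SampleXml) {
        Convert-SourcePath -Path $location -OldRoot '\\SP1RTM\OldSource$' -NewRoot '\\SP1RTM\Source$'
    }
    # A look-alike share is left alone:
    Convert-SourcePath -Path '\\SP1RTM\OldSource$2\Tools' -OldRoot '\\SP1RTM\OldSource$' -NewRoot '\\SP1RTM\Source$'
    ```

    Move-DeploymentTypeSource needs the ConfigMgr module imported and the site drive selected, as shown earlier in the post; the last lines run without ConfigMgr.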

  • MDT Monitoring: Another Reason to Implement MDT 2012 Update 1 into your ConfigMgr 2012 SP1 Environment

    I have been doing a number of customer engagements recently around Windows 8 deployments through ConfigMgr 2012 SP1 and one question I often ask our customers during the planning phase is “Will you be integrating MDT 2012 Update 1 into your ConfigMgr 2012 SP1 environment?” The general response I get is “What are the benefits…?” Well the short answer is A LOT!!, but one of the cool new reasons is MDT 2012 Monitoring and the ability to use this to monitor your ConfigMgr 2012 SP1 OSD deployments.

    A few prerequisites are required to get the FULL functionality of what is offered in MDT 2012 monitoring, in particular the option to use DaRT Remote Control to connect to your client machine during the build, even while in PXE. This will require a custom boot image to be created that includes the DaRT 8 utility embedded. As DaRT is part of the Microsoft Desktop Optimization Pack (MDOP), you will need an MDOP subscription.

    However, if you do not have an MDOP subscription you can still utilise the MDT 2012 Monitoring feature for your ConfigMgr 2012 SP1 deployments.

    In this session I will step through both configuring MDT 2012 Update 1 Monitoring for ConfigMgr 2012 SP1 OSD deployments as well as how to create a DaRT 8 embedded boot image to get the full power of MDT 2012 Monitoring.

    Section 1 – Configuring MDT 2012 Update 1 Monitoring

    Step 1: Install MDT 2012 Update 1 & Integrate it into your ConfigMgr 2012 SP1 Site

    clip_image002

    Step 2: Configure a MDT 2012 Update 1 Deployment Share

    - Open the MDT management MMC

    - Right Click Deployment Share \ New Deployment Share

    clip_image004

    - Complete the Wizard

    clip_image006

    clip_image008

    Step 5: Enable MDT Monitoring

    - Right Click your Deployment Share and select Properties

    - Select the Monitoring Tab

    - Enable Monitoring for this Deployment Share

    clip_image010

    Step 6: Modify your CustomSettings.ini file to use MDT Monitoring

    - Navigate to the source directory that you set for your MDT Settings Package

    - If you are not sure where it is check your ConfigMgr Package

    clip_image011

    - Open your CustomSettings.ini file using notepad

    - Add the following text to the end of the file: EventService=http://<server>:9800

    clip_image013

    - Update your Distribution Point to ensure the Settings Package is updated.

    NOTE: If you want to confirm your DP has been updated you can follow the steps outlined in one of my previous blogs – ConfigMgr 2012 Content Library Overview

    Step 7 – Deploy your MDT Client OSD Task Sequence

    clip_image015

    Step 8: Monitor your ConfigMgr 2012 SP1 OSD deployment through MDT 2012 Monitoring.

    - Open the MDT 2012 Update 1 Management Console

    - Expand your MDT Deployment Share

    - Select the Monitoring Node

    - Select the build you want to monitor and select Properties

    Note: You will not see your deployment appear until after the first “GATHER” has run during the Task Sequence.

    clip_image017

    clip_image019

    That’s all that needs to be done to start monitoring your ConfigMgr 2012 SP1 OSD Deployments using MDT 2012 Update 1 Monitoring.

    In the next section I will show you how to take monitoring further by using DaRT 8…

    Section 2 – Creating a DaRT8 Embedded Boot Image

    You will need to have integrated MDT 2012 Update 1 with your ConfigMgr 2012 SP1 environment and have a MDT 2012 Deployment Share configured before proceeding.

    Note: After Integrating MDT 2012 Update 1 with your ConfigMgr 2012 SP1 environment you will have the option to create a new MDT Boot Image directly out of the ConfigMgr UI Management console. However you will not have the option to select DaRT 8. The following steps will be required to make this option available.

    clip_image021

    The image above shows the options you have out of the box when creating a custom MDT Boot Image in ConfigMgr 2012 SP1.

    NOTE that DaRT 8 is not an available option.. YET!!

    Step 1: Install DaRT 8 on your Server

    clip_image023

    This is only available for DaRT 8

    clip_image025

    - Complete the DaRT 8 Installation wizard

    Step 2: Prepare MDT 2012 Update 1 for DaRT 8

    - Using File Explorer, navigate to the C:\Program Files\Microsoft DaRT 8\v8 folder.

    - Copy the Toolsx86.cab file to C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x86

    - Copy the Toolsx64.cab file to C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64

    clip_image027

    Step 3: Create a New ConfigMgr 2012 MDT Boot Image

    - Open the ConfigMgr 2012 Management Console

    - Select Software Library \ Operating Systems \ Boot Images

    - Right Click Boot Images and select “New MDT Boot Image”

    clip_image029

    - Complete the wizard

    - You will now notice we have a DaRT 8 option..

    clip_image031

    clip_image033

    Step 5: Configure your MDT Client Task Sequence to use your DaRT Boot Image

    clip_image034

    Step 7: Deploy your MDT Client Task Sequence using your DaRT 8 Boot Image

    clip_image036

    Step 8: Open MDT Monitoring and connect to your machine using DaRT Remote Connect

    - As we have deployed with a DaRT 8 embedded Boot Image we now have the option to connect to your client machine using DaRT Remote Control

    clip_image038

    You can now view your deployment status for any machine from start to finish even while it is in WinPE..

    clip_image040

    I hope you have found this information useful and will consider the benefits of integrating MDT 2012 Update 1 into your ConfigMgr 2012 SP1 environment, even if it is just for the monitoring components.

    Until next time…

  • Teched Australia 2013: Powershell for ConfigMgr 2012 SP1

     

    For the second year running, I’ll be speaking at the Teched Australia 2013 conference on the Gold Coast, Australia.

    The session will cover the Powershell integration into ConfigMgr 2012 SP1.

    I’ll be posting all the scripts, video and transcript after the event.

    Hope to see you there!

    Powershell for ConfigMgr 2012 SP1
    Wednesday, September 4
    5:00 PM – 6:15 PM
    Meeting Room 7&8
    http://techedsessions.cloudapp.net/SessionDetail.aspx?id=2287

  • Migrating App-V Packages – “OSD file defines incompatible OS requirements”

    Ran into an interesting issue while trying to migrate some App-V Applications from ConfigMgr 2007 to 2012 SP1. Most of the App-V packages migrated fine, however a few of them reported an error

    “OSD file defines incompatible OS requirements”

    After taking a look at the OSD file, according to this list all of the OS versions listed were fine. After some troubleshooting I found that all the failing Applications had multiple OSD files associated. This led me to the solution.

    If you have multiple OSD files as part of an App-V Application, you must have the same OS requirements listed in all of the OSD files. Once we fixed the compatible OS list, the Application migrated successfully. 

  • I Wrote An App

    Hi Gang.

    Over the long weekend last week, I thought I’d have a crack at writing, submitting and publishing a Windows 8 app. It’s a very simple countdown to Windows XP’s End Of Life on April 8th (we are all very excited to see the end of XP).

    http://apps.microsoft.com/windows/en-au/app/windows-xp-end-of-life-countdown/08bd1136-13f0-47bb-a574-c8f3626a9227

    As I said, it’s very simple but functional, with a countdown screen and live tile that updates daily.

    Please download and rate it in the store.

    image

    Matt

  • TechEd Australia 2013 - PowerShell for ConfigMgr 2012 SP1 Content

    image

    Update: here is the video of my session (link below for full resolution video)

    http://channel9.msdn.com/Events/TechEd/Australia/2013/WCL416 


    Hello ConfigMgrDogs community.

    I’ve just completed my TechEd 2013 presentation – PowerShell for ConfigMgr 2012 SP1. For those who weren’t attending the event, I’ve provided all scripts and cmdlets from the session.

    In the coming weeks there will also be the video posted.

    Demo 1 – PowerShell Basics

    http://aka.ms/Bf7b7c

    Demo 2 – Connecting to ConfigMgr

    http://aka.ms/Pb6sbx

    Demo 3 – Collections

    http://aka.ms/Xq09ps

    Demo 4 – Apps and Packages

    http://aka.ms/Khmrnv

    Demo 5 – Application Approval

    http://aka.ms/Sr6m82

    Demo 6 – Five Demos in Five Minutes

    http://aka.ms/Esmluw

  • TechEd Australia 2013 - PowerShell for ConfigMgr 2012 SP1 - Demo 5

     Demo 5: App Approvals

    Script for System Tray notification, pop-up form and Approve/Deny an Application Approval Request

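    Add-Type -AssemblyName System.Windows.Forms
    Add-Type -AssemblyName System.Drawing
    Import-Module 'C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin\ConfigurationManager.psd1'
    Set-Location PRI:\
    # Only requests in CurrentState 1 (requested, no decision yet)
    $ApprovalRequests = Get-CMApprovalRequest | Where-Object {$_.CurrentState -eq 1}
    ForEach ($Approval in $ApprovalRequests)
    {
    # Shows the approval form; called from the tray icon event handlers below
    function Popup-Form
    {
        param ($form)

        $form.ShowDialog()
    }
    # Strip the domain prefix. TrimStart("CONTOSO\") trims a set of characters, not the
    # prefix, and would also eat leading letters of the user name.
    $RequestUser = $Approval.User -replace '^CONTOSO\\', ''
    $RequestApp = $Approval.Application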

    $container = New-Object System.ComponentModel.Container
    $notifyIcon = New-Object System.Windows.Forms.NotifyIcon($container)
    $notifyIcon.Icon = New-Object System.Drawing.Icon("C:\Scripts\Demo 5\tick.ico")
    $notifyIcon.Text = "New App Approval Request Available"
    $notifyIcon.Visible = $true
    $notifyIcon.BalloonTipText = "New App Approval Request Available"

    $formImage = [System.Drawing.Image]::FromFile("C:\Scripts\Demo 5\background.jpg")
    $form = New-Object System.Windows.Forms.Form
    $form.Add_Shown({$form.Activate()})
    $form.Size = New-Object System.Drawing.Point(325,200)
    $form.StartPosition = "Manual"
    $form.Text = "New App Approval Request"
    $form.BackgroundImage = $formImage
    $screenBounds = [system.Windows.Forms.Screen]::Getworkingarea(0)
    $form.Location = New-Object System.Drawing.Point( (($screenBounds.right) - ($form.Width)),(($screenBounds.Bottom) - ($form.height)) )
    $form.FormBorderStyle = "fixedDialog"

    $label = New-Object System.Windows.Forms.Label
    $label.Text = "$RequestUser has requested the $RequestApp application"
    $label.Location = New-Object System.Drawing.Point(10,20)
    $label.MaximumSize = New-Object System.Drawing.Size(300,100)
    $label.Font = New-Object System.Drawing.Font("Segoe UI",11,[system.drawing.fontstyle]::regular)
    $label.Autosize = $true
    $label.BackColor = "Transparent"
    $form.Controls.Add($label)

    $buttonApprove = New-Object System.Windows.Forms.Button
    $buttonApprove.Text = "Approve"
    $buttonApprove.Size = New-Object System.Drawing.Size(120,50)
    $buttonApprove.Location = New-Object System.Drawing.Point(35,110)

    $buttonApprove.Add_Click(
    {
    # Approve Request
    Set-Location PRI:\
    Approve-CMApprovalRequest -Id $Approval.CI_UniqueID -Comment "Approved via PowerShell Form"
    $form.close()
    $notifyIcon.Visible = $false
    New-Event ClickComplete
    })
    $form.Controls.Add($buttonApprove)

    $buttonDeny = New-Object System.Windows.Forms.Button
    $buttonDeny.Text = "Deny"
    $buttonDeny.Size = New-Object System.Drawing.Size(120,50)
    $buttonDeny.Location = New-Object System.Drawing.Point(165,110)

    $buttonDeny.Add_Click(
    {
    # Deny Request
    Set-Location PRI:\
    Deny-CMApprovalRequest -Id $Approval.CI_UniqueID -Comment "Denied via PowerShell Form"
    $form.close()
    $notifyIcon.Visible = $false
    New-Event ClickComplete
    })
    $form.Controls.Add($buttonDeny)

    $notifyIcon.ShowBalloonTip(3)
    Register-ObjectEvent -InputObject $notifyIcon -EventName BalloontipClicked -Action {Popup-Form -form $form} | Out-Null
    Register-ObjectEvent -InputObject $notifyIcon -EventName MouseClick -Action {Popup-Form -form $form} | Out-Null
    Wait-Event -SourceIdentifier ClickComplete | Out-Null
    Remove-Event -SourceIdentifier ClickComplete | Out-Null
    }

    VBScript to launch the PowerShell script silently

    command = "%SystemRoot%\syswow64\WindowsPowerShell\v1.0\powershell.exe -NoLogo -WindowStyle Hidden -File C:\Scripts\Sched\Demo5_Complete.ps1"
    set shell = CreateObject("WScript.Shell")
    shell.Run command,2

     

    Files required to run the script

    background.jpg (rename to background.jpg)

    tick.ico (rename to tick.ico)

  • ConfigMgr & Intune: Creating An Apple APN Certificate Request

     

    With the introduction of Configuration Manager 2012 SP1, we now have rich management capabilities for iOS devices. One of Apple's requirements for managing iOS devices is that you request an Apple Push Notification Certificate.

    We can request and apply this certificate right from the ConfigMgr console.

    In the ConfigMgr console, select Administration > Hierarchy Configuration

    Right-Click the Windows Intune Subscriptions and select Create APNs certificate request 

    image

     

    Select a location to save the APN request file, and select Download

    image

     

    A small file is downloaded.

    image

     

    Now browse to the Apple APN Certificates portal (http://go.microsoft.com/fwlink/p/?LinkId=264215) and log on with your Apple ID

    image

     

    After signing in, select the Create a Certificate button

    image

     

    Upload the certificate request file we created from within the ConfigMgr console

    image

     

    The certificate will be created and available to download

    image

     

    You’ll get a MDM_Microsoft Corporation_Certificate.pem file. This is the file you’ll use when you set up your Intune connection in ConfigMgr

    image

     

    Matt Shadbolt

  • TechEd Australia 2013 - PowerShell for ConfigMgr 2012 SP1 - Demo 4

     Demo 4: Packages

    Automatically create Package from source directory, create Deployment Type, create Collection and Deployment

    $ErrorActionPreference = "Stop"
    Set-Location C:\
    $NewPackageLocation = "\\TECHED13\NewPackages\*"
    $CorpSourcelocation = "\\TECHED13\Source$\Packages"
    $NewPackageLocation = Get-Item $NewPackageLocation
    Copy-Item $NewPackageLocation -Destination $CorpSourcelocation -Recurse
    Remove-Item $NewPackageLocation -Recurse
    $PackageSourcePath = $CorpSourcelocation + '\' + $NewPackageLocation.Name
    $SplitValues = $NewPackageLocation.Name.Split("-")
    $PackageManufacturer = $SplitValues[0]
    $PackageName = $SplitValues[1]
    $PackageVersion = $SplitValues[2]
    $PackageLanguage = $SplitValues[3]
    Import-Module 'C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin\ConfigurationManager.psd1'
    Set-Location PRI:\
    New-CMPackage -Path $PackageSourcePath -Name $PackageName -Manufacturer $PackageManufacturer -Version $PackageVersion -Language $PackageLanguage -Description "Created Using PowerShell"
    New-CMProgram -PackageName $PackageName -StandardProgramName "Setup $PackageName" -CommandLine "msiexec /i setup.msi /q"
    Start-CMContentDistribution -PackageName $PackageName -DistributionPointGroupName "All DPs"
    New-CMDeviceCollection -Name "Install -  $PackageManufacturer$PackageName$PackageLanguage$PackageVersion" -LimitingCollectionName "All Systems"
    Start-CMPackageDeployment -PackageName $PackageName -StandardProgramName "Setup $PackageName" -CollectionName "Install -  $PackageManufacturer$PackageName$PackageLanguage$PackageVersion" -DeployPurpose Available
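
    The demo script turns whatever folder lands in the NewPackages share into a deployed package, with the folder name supplying the package metadata. As an added example (not from the TechEd demo), the functions below check a folder before it reaches New-CMPackage; the allowed character set and the function names are assumptions of this example.

    ```powershell
    # Added example (not from the TechEd demo): validate a dropped folder before it
    # becomes a package. The Manufacturer-Name-Version-Language convention and the
    # setup.msi command line are from the script above; the allowed character set
    # and function names are assumptions of this example.

    function ConvertFrom-PackageFolderName {
        param([Parameter(Mandatory = $true)][string]$FolderName)

        $fields = 'Manufacturer', 'Name', 'Version', 'Language'
        $parts  = $FolderName.Split('-')
        if ($parts.Length -ne $fields.Length) {
            throw "Expected $($fields.Length) hyphen-separated fields, got $($parts.Length): '$FolderName'"
        }

        $result = @{}
        for ($i = 0; $i -lt $fields.Length; $i++) {
            $value = $parts[$i].Trim()
            # Letters, digits, spaces, dots, underscores and parentheses only
            if ($value -notmatch '^[A-Za-z0-9][A-Za-z0-9 ._()]*$') {
                throw "Field $($fields[$i]) is empty or has unexpected characters: '$FolderName'"
            }
            $result[$fields[$i]] = $value
        }
        New-Object -TypeName psobject -Property $result
    }

    function Test-PackageFolder {
        # $true only if the name parses and the MSI the program will run is present.
        param([Parameter(Mandatory = $true)][System.IO.DirectoryInfo]$Folder)
        try {
            $null = ConvertFrom-PackageFolderName -FolderName $Folder.Name
        } catch {
            Write-Warning $_.Exception.Message
            return $false
        }
        $msi = Join-Path -Path $Folder.FullName -ChildPath 'setup.msi'
        if (-not (Test-Path -LiteralPath $msi -PathType Leaf)) {
            Write-Warning "No setup.msi in $($Folder.FullName)"
            return $false
        }
        return $true
    }

    # Constructed folder names: one valid, one with extra hyphens, one with an empty field
    foreach ($name in 'Contoso-Viewer-1.2.0-EN', 'Contoso-Line-Of-Business-2.0-EN', 'Contoso--1.0-EN') {
        try   { ConvertFrom-PackageFolderName -FolderName $name }
        catch { Write-Warning $_.Exception.Message }
    }
    ```

    In the demo script, Test-PackageFolder would be called on the result of Get-Item before the Copy-Item step, while the current location is still C:\.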

  • My Experience Upgrading to CM12 SP1

     

    Hi All, it’s been a while since my last post, and the hit count on one of Matt’s posts just passed my article on Auto Deployment Rules (unashamed plug of my old blog post to try and get the numbers up). So I decided, okay, it’s time to get another one done.

    NOTE: This is not meant to be a step by step guide, merely some general advice and a run through. I always recommend doing any upgrade process in your test lab environment before even considering upgrading in production. If you don't have one, create one.

    The environment I'm working with is a lab that was setup when ConfigMgr 2012 RTM came out. It sits on Server 2008 R2 SP1 and SQL 2008 R2 SP1 CU4. Probably not too dissimilar to most 2012 RTM environments.
    I have one CAS, one Child Primary and one Secondary Site.

    The first thing I want to do is run the prerequisite checker.
    On the ISO I have, Prereqchk.exe sits in the folder SC2012SP1_RTM_SCCM_SCEP\SMSSETUP\BIN\X64.

    clip_image001[1]

    The advantage of running this, instead of running through the setup GUI and then seeing what prerequisites are required, is that you avoid having to exit the setup and run through the entire setup process again. To get the command line switches, simply run prereqchk /?

    Let's run it on each server separately to see what is needed.
    CAS Server (CM12CAS.Contoso.com)
    Open an administrative command prompt and run the following command

    prereqchk /CAS /SQL <FQDN of the SQL Server>  /SDK <FQDN of the SDK Server>

    Feel free to add any other switches that you would like to, but this will serve our current purpose.

    clip_image002[1]

    clip_image003[1]

    clip_image004[1]

    OK, so we can see a couple of Warnings, which I expected in our lab environment, and a number of things we need to fix.
    Anything that is a warning is usually just a best practice alert such as the WSUS on site server warning, or for you to be aware of a potential issue such as verifying site server permissions to publish to AD.
    Let's go through the errors.

    1) We can ignore the two errors Existing Configuration Manager server components on site server and Dedicated SQL Server Instance because the prereqchk is assuming we are trying to do a fresh install on this site server, not an upgrade.
    2) User State Migration Tool (USMT) installed, Windows Deployment Tools installed and Windows PreInstallation Environment installed are all part of the latest Windows Assessment and Deployment Toolkit, which you can download from here: http://www.microsoft.com/en-us/download/details.aspx?id=30652
    3) SQL Server version: I need to upgrade SQL from 2008 R2 SP1 CU4 to either CU6 or SP2. (See Supported Configurations for Configuration Manager.)

    NOTE: If you are going to upgrade from 2008 RTM/R2 to SQL 2012 post upgrading to ConfigMgr 2012 SP1, you need to upgrade in the following order.
    1st - CAS
    2nd - Secondary Site
    3rd - Child Primary of that secondary site.

    From Technet - http://technet.microsoft.com/en-us/library/gg682077#BKMK_SupConfigUpgradeDBSrv

    For Configuration Manager SP1 only: Configuration Manager with SP1 supports the in-place upgrade of SQL Server 2008 or SQL Server 2008 R2 to SQL Server 2012 with the following limitations:

    • Each Configuration Manager site must run service pack 1 before you can upgrade the version of SQL Server to SQL Server 2012 at any site.

    • When you upgrade the version of SQL Server that hosts the site database at each site to SQL Server 2012, you must upgrade the SQL Server version that is used at sites in the following order:

      o Upgrade SQL Server at the central administration site first.

      o Upgrade secondary sites before you upgrade a secondary site's parent primary site.

      o Upgrade parent primary sites last. This includes both child primary sites that report to a central administration site, and stand-alone primary sites that are the top-level site of a hierarchy.

    Important

    Although you upgrade the service pack version of a Configuration Manager site by upgrading the top-tier site first and then upgrading down the hierarchy, when you upgrade SQL Server to SQL Server 2012, you must use the previous sequence, upgrading the primary sites last. This does not apply to upgrades of SQL Server 2008 to SQL Server 2008 R2.

    4) If you haven't already done so, the following WSUS Updates may also need to be applied.
    An update for Windows Server Update Services 3.0 Service Pack 2 is available (KB2734608)
    An update for Windows Server Update Services 3.0 Service Pack 2 is available (KB2720211)
    PLEASE read and understand what may occur in your environment before applying these hotfixes, and of course test in your lab environment first.

     

    Install WADK


    Ok so let's install the WADK components to my CAS
    Download it from the link above
    Run adksetup
    Download the Kit to a network location so it is available for installation. (Note this may take a while)

    clip_image005

    From that location on your server share
    Run adksetup.exe
    Specify your installation directory and click Next

    clip_image006

    Select Yes or No depending on your preference and click Next

    clip_image007

    Accept the license agreement

    clip_image008

    All you should need is the Deployment Tools, Windows Preinstallation Environment (Windows PE) and User State Migration Tool (USMT). Select these and click Install

    clip_image009

    Again, this may take a while to install.

    NOTE: Check your build via PXE after this is done as you may potentially need to remove and redistribute your x64 Boot Image. Ensure you refer to the SMSPXE.log file for any errors.

     

    SQL Upgrade
    I'm going to upgrade to SQL 2008 R2 SP2.
    (If you wish to do the same you can get SP2 from here How to obtain the latest service pack for SQL Server 2008 R2)

    Run the SP2 executable

    clip_image010

    Click Next

    clip_image011

    Accept the license agreement

    clip_image012

    Click Next

    clip_image013

    After the file check click Next

    clip_image014

    Click Update

    clip_image015

    Click Close

    clip_image016

    Click OK and restart the server
    I'd suggest checking the SQL Logs after the reboot to ensure there are no errors that you may need to look into.

    Upgrade ConfigMgr to SP1

    Now we can start the SP1 Upgrade

    Double click on splash.hta to bring up the splash screen

    clip_image017

    You'll see a familiar screen. Click Install

    clip_image018

    Click Next

    clip_image019

    Select Upgrade this Configuration Manager Site and Click Next

    clip_image020

    Enter your product key and click Next

    clip_image021

    Accept the license agreement and click Next

    clip_image022

    Accept the license agreement and click Next

    clip_image023

    You can either download the latest prerequisite files from the internet and save them on a network location, or use an already downloaded copy. In this case they are available on my copy of the ISO so I'll just grab them from there. Obviously over time I'd suggest you download the latest version from the internet.

    Click OK and Next

    clip_image024

    Select your Server Language and click Next

    clip_image025

    Select your client language and click Next.

    clip_image026

    Click Next again at the Summary screen

    clip_image027

    Finally we reach the prerequisite check screen (You can now see the value in using prereqchk.exe)
    For more detail you can look at the ConfigmgrPrereq.log file in the root of C.

    Click Begin Install

    clip_image028

    You should now see a log file called C:\ConfigmgrSetup.log. Open this up to watch how the upgrade process is going.

    clip_image029

    We can see that after a successful connection to the database we are about to Upgrade the CAS Server

    clip_image030

    After about 40 minutes in my lab the upgrade process is complete. See the entry in the setup log file above

    clip_image031

    We can now click Close on the splash screen

    clip_image032

    Now let's check and see if the Site has upgraded successfully.
    Open the ConfigMgr console and select Administration > Site Configuration > Sites > CAS right click and select Properties

    clip_image033

    As per Matt’s previous blog we can now see that our CAS is at Version 5.00.7804.1000 and Build number 7804

    clip_image034

    I'm also going to check my database replication and ensure everything is functioning correctly.
    One other thing that is interesting to note is the change in the Client Installation Settings under Administration > Sites, in the ribbon under Hierarchy Settings

    RTM

    clip_image035

    SP1

    clip_image036

    We now no longer have a choice to select the latest version for the Automatic Client Upgrade option.


    Child Primary

    OK, so let's now move onto the Child primary

    Open an administrative command prompt and run the following command

    prereqchk /PRI /SQL <FQDN of the SQL Server>  /SDK <FQDN of the SDK Server>

    clip_image037

    So we can see the exact same prereqs as the CAS, so I will run through the same process as per the CAS of installing the latest WADK and upgrading SQL.

    Upgrade to SP1

    The screen shots are exactly the same for the child primary so I won't bore you with those

    clip_image038

    Once we start again, we can see in the Setup log file after the SQL connections are successful the upgrade will begin

    clip_image039

    Then after about 30 minutes we can see that the setup is now complete

    clip_image040

    We can also see a few extra tasks have been done on the Child Primary.

    Let’s check some of the logs and the console to ensure it has upgraded successfully.

    clip_image041

    To see if the components have reinstalled without issue, we can check the sitecomp.log under <SCCMInstallFolder>\Logs
    We can see where the bootstrapper starts successfully after SP1 finishes installing. You can also see as it successfully reinstalls each component.

    See the figure below for all of the entries filtered in the log file.

    clip_image042

    clip_image043

    You may also notice a few new components being installed.

    clip_image044

    Mpcontrol.log shows us that the management point is communicating successfully.

    Now jump into the console and check the site version and database replication. We also essentially check that the provider is functioning since we need it to be to get into the console.

    clip_image045

    All looks good. Also the picture of the Cloud is a bit of a giveaway.

    clip_image046

    DB Replication also looks nice and healthy.


    Secondary Site

    OK, so now let's look at our Secondary site

    Open an administrative command prompt and run the following command

    prereqchk.exe /SECUPGRADE

    clip_image047

    We can see that there are 2 points I need to fix before attempting an upgrade.

    1) The upgrade process will not automatically install a supported version of SQL so we need to do it manually first
    2) SQL Express does not have a static port set so we will need to go into SQL to set a static port of 1433.

    The upgrade of SQL we have already run through so I will just go through setting the static port
    On the secondary server open up SQL Server Configuration Manager

    clip_image048

    Ensure the local Secondary server is selected (Or remote server name if you've started it from another server)

    clip_image049

    Expand SQL Server Network Configuration and select Protocols for CONFIGMGRSEC
    Then double click on TCP/IP under protocol name

    clip_image050

    You will notice that SQL has both Dynamic and a static port set for IPAll

    clip_image051

    Let's delete the Dynamic entry and click Apply

    clip_image052

    Click OK and restart the appropriate services.
    After I have upgraded SQL and changed the port I run my prereq check again.

    We can now see that the errors are gone and we should be able to upgrade our secondary site successfully. You also may have noticed that I have warnings on all of the servers for SQL Server process memory allocation. That is because SQL requires a minimum of 8 GB of RAM for a CAS and Primary, and 4 GB for a secondary. It will still run with less, as in my lab VMs, but you will get a performance hit.
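
    The static-port change made above can also be confirmed from PowerShell instead of the SQL Server Configuration Manager GUI. The script below is an added example, not part of the original post; it assumes the standard SQL Server registry layout and a 64-bit instance, and the function names are illustrative.

```powershell
# Added example: read a SQL Server instance's TCP port settings from the registry.
# Assumes a 64-bit SQL Server instance and an elevated session on the SQL host.
function Get-SqlTcpPortConfig {
    param([Parameter(Mandatory = $true)][string]$InstanceName)
    $sqlRoot = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'

    # Resolve the instance name to its instance ID, which names the instance's registry key.
    $names = Get-ItemProperty -Path "$sqlRoot\Instance Names\SQL" -ErrorAction Stop
    $instanceId = $names.$InstanceName
    if (-not $instanceId) { throw "SQL instance '$InstanceName' was not found on this server." }

    # One subkey per listener entry (IP1, IP2, ... and IPAll).
    $tcpRoot = "$sqlRoot\$instanceId\MSSQLServer\SuperSocketNetLib\Tcp"
    foreach ($key in (Get-ChildItem -Path $tcpRoot)) {
        $values = Get-ItemProperty -Path $key.PSPath
        New-Object PSObject -Property @{
            Entry           = $key.PSChildName
            TcpPort         = "$($values.TcpPort)".Trim()
            TcpDynamicPorts = "$($values.TcpDynamicPorts)".Trim()
        }
    }
}

function Test-SqlStaticPort {
    param(
        [Parameter(Mandatory = $true)][string]$InstanceName,
        [int]$ExpectedPort = 1433
    )
    $ipAll = Get-SqlTcpPortConfig -InstanceName $InstanceName |
        Where-Object { $_.Entry -eq 'IPAll' }
    if (-not $ipAll) { throw "No IPAll entry found for instance '$InstanceName'." }

    $problems = @()
    if ($ipAll.TcpPort -ne "$ExpectedPort") {
        $problems += "IPAll TcpPort is '$($ipAll.TcpPort)', expected '$ExpectedPort'."
    }
    if ($ipAll.TcpDynamicPorts -ne '') {
        $problems += "IPAll TcpDynamicPorts is '$($ipAll.TcpDynamicPorts)', expected blank."
    }
    foreach ($p in $problems) { Write-Warning $p }
    return ($problems.Count -eq 0)
}

# Instance name and port are the ones used in this walkthrough.
Test-SqlStaticPort -InstanceName 'CONFIGMGRSEC' -ExpectedPort 1433
```

    The registry holds the configured value only; the instance starts listening on it after the service restart mentioned above.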

    Upgrade to SP1

    As most of you will know by now, we install and upgrade the Secondary site via the ConfigMgr console and not directly on the box itself.
    So we can open the console on either our CAS or our Child Primary. I'll do it from the Child Primary just to speed things up.

    Go to Administration > Sites and select the secondary site. You will now see an Upgrade option available on the ribbon.
    When you're upgrading, you have two choices to monitor what is happening.
    1) Click on Show Install Status

    This brings up a step-by-step guide showing what stage the installation is at. Here we can see that the prereqs have already run and the Bootstrap service has already been installed, ready for the upgrade.

    2) Look at the local log files sitting in the root of C:\

    As with the CAS and the Child Primary, we have the exact same prereq wizard and setup log files, which go into much more depth should there be any issues with the installation. We will, however, need to watch the logs on the Child Primary initially, before the setup and bootstrap begin on the secondary site.

    I will click on Upgrade, acknowledge the warning that appears, then click Yes.

    This log file is from the Child Primary.

    With each action we can see the corresponding action in the appropriate log file if we wish.
    Once the prereqs are finished, we can see that the bootstrapper begins its process.

    And on the secondary site we can see the upgrade process begin.

    And we can see that the installation is now complete.

    I'm going to check the SMSEXEC.log to see if my components have started.

    I'm also going to check MPControl.log to see if my management point is functioning as expected.

    Now I'll check the version and database replication status from the console.

    We can see that we are on build 7804.

    And we can also see that database replication is working as expected.

    I would suggest checking that all of your components on each server are functioning correctly. Keep your eye on the status messages and alerts in case any of them fail and need further attention. You can do this from Monitoring > Site Status and Component Status. Below we can see an example of an issue with my Software Update Point after the SP1 update that needs attention.

    Looking at WCM.log, you can see that I haven't applied the WSUS updates I mentioned earlier in this blog.

    An update for Windows Server Update Services 3.0 Service Pack 2 is available (KB2734608)
    An update for Windows Server Update Services 3.0 Service Pack 2 is available (KB2720211)

    I will download and apply these updates.

    After a restart of the WSUS Configuration Manager component (this isn't necessary, as it would do this anyway the next time it polls), you can see that it now has a supported version and is now running through setting up the updated component.
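
    The log checks used throughout this walkthrough (sitecomp.log, MPControl.log, SMSEXEC.log, WCM.log) can be scripted so that only warnings and errors are listed. The script below is an added example, not part of the original post; it assumes the standard ConfigMgr log entry layout, and the sample entries are constructed for illustration.

```powershell
# Added example: list warning/error entries from ConfigMgr log text.
function ConvertFrom-CmLog {
    param([Parameter(Mandatory = $true)][string]$Text)
    # One entry: <![LOG[message]LOG]!><time=".." date=".." component=".." context=".." type="N" ...>
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)" date="(?<date>[^"]*)" ' +
               'component="(?<comp>[^"]*)" context="[^"]*" type="(?<type>\d)"'
    $severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }
    # Singleline lets ".*?" span line breaks, because one message can cover several lines.
    $options = [System.Text.RegularExpressions.RegexOptions]::Singleline
    foreach ($m in [regex]::Matches($Text, $pattern, $options)) {
        $type = $m.Groups['type'].Value
        $level = $severity[$type]
        if (-not $level) { $level = "Type$type" }
        New-Object PSObject -Property @{
            Date      = $m.Groups['date'].Value
            Time      = $m.Groups['time'].Value
            Component = $m.Groups['comp'].Value
            Severity  = $level
            Message   = $m.Groups['msg'].Value.Trim()
        }
    }
}

# Constructed sample entries (not copied from a real site); the second spans two lines.
$sampleLog = @(
    '<![LOG[Sample: component installed successfully.]LOG]!><time="10:15:02.123-660" date="01-20-2013" component="SMS_SITE_COMPONENT_MANAGER" context="" type="1" thread="2044" file="sample.cpp:10">',
    '<![LOG[Sample: installation attempt failed,',
    'will retry later.]LOG]!><time="10:16:40.501-660" date="01-20-2013" component="SMS_WSUS_CONFIGURATION_MANAGER" context="" type="3" thread="3120" file="sample.cpp:22">',
    '<![LOG[Sample: retrying in 60 minutes.]LOG]!><time="10:16:40.520-660" date="01-20-2013" component="SMS_WSUS_CONFIGURATION_MANAGER" context="" type="2" thread="3120" file="sample.cpp:30">'
) -join "`n"

ConvertFrom-CmLog -Text $sampleLog |
    Where-Object { $_.Severity -ne 'Info' } |
    Select-Object Date, Time, Component, Severity, Message |
    Format-Table -AutoSize -Wrap

# For a real log, pass the file content instead (path placeholder as written in the post):
# ConvertFrom-CmLog -Text ((Get-Content '<SCCMInstallFolder>\Logs\sitecomp.log') -join "`n")
```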

    Conclusion and next steps.

    So what we have seen here are various methods to run through the upgrade process and various log files and GUI settings in the console that we can use to follow the process. If you plan and get the prerequisites set up correctly before you begin, you should have a fairly smooth SP1 upgrade.

    Next steps.
    1) Update your ConfigMgr Client package to all of your Distribution points and plan out the client upgrade.
    2) Think about and potentially plan an upgrade to SQL 2012.

    George Smpyrakis

  • Set Windows 8 Lock Screen Image (KB2770917)

    Microsoft have recently released a Windows 8 and Server 2012 cumulative update KB2770917.

    http://support.microsoft.com/kb/2770917

    One of the important features of this update is the ability to customize the Windows 8 lock screen with corporate branding and set this across your domain joined computers using Group Policy.

    From the KB:

    This cumulative update includes the following performance and reliability improvements:

    • Enable enterprise customers to customize the default lock screen.
    • Improves the performance when you wake the computer and when the computer is asleep, in order to improve battery life
    • Resolves an issue that may prevent Windows Store Apps from being installed fully
    • Other software updates and performance improvements

    After installing the update, you get four new Group Policy settings

    Force a specific default lock screen image
    Provide a UNC or local path to your corporate lock screen logo, and all of your users will receive that as their lock screen.

    Prevent changing lock screen image
    After setting the corporate lock image, enable this option if you don’t want your users to have the ability to personalize the lock screen image.

    Prevent changing start menu background
    Use this option to stop your users from changing the Start Menu background colour. This means whatever the colour of the Start Menu background was when the machine was deployed will not be changed.

    Do not display the lock screen
    Enabling this setting will remove the lock screen for any user who isn’t required to press CTRL+ALT+DEL to log in.
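
    The four policies above are registry-backed, so whether the GPO has actually reached a client can be checked on that machine. The script below is an added example, not part of the original post; it assumes the policies write to the Personalization policy key under the value names shown, and the function name is illustrative.

```powershell
# Added example: report the four policies above as applied to this machine.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization'

# Policy name as shown in the Group Policy editor, and the registry value it writes.
$policies = @(
    @{ Policy = 'Force a specific default lock screen image'; RegValue = 'LockScreenImage' },
    @{ Policy = 'Prevent changing lock screen image';         RegValue = 'NoChangingLockScreen' },
    @{ Policy = 'Prevent changing start menu background';     RegValue = 'NoChangingStartMenuBackground' },
    @{ Policy = 'Do not display the lock screen';             RegValue = 'NoLockScreen' }
)

function Get-LockScreenPolicyState {
    # The key is absent when none of the four policies has been applied.
    $applied = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    foreach ($p in $policies) {
        $data = $null
        if ($applied) { $data = $applied.($p.RegValue) }
        $state = 'Not configured'
        $detail = ''
        if ($null -ne $data) {
            if ($p.RegValue -eq 'LockScreenImage') {
                $state = 'Enabled'
                $detail = "$data"
                # Test-Path runs as the current user, so this is only a reachability hint.
                if (-not (Test-Path -LiteralPath $data)) { $detail = "Image not reachable: $data" }
            } elseif ($data -eq 1) {
                $state = 'Enabled'
            } else {
                $state = "Value $data"
            }
        }
        New-Object PSObject -Property @{
            Policy = $p.Policy
            State  = $state
            Detail = $detail
        }
    }
}

Get-LockScreenPolicyState | Select-Object Policy, State, Detail | Format-Table -AutoSize -Wrap
```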

     


     

    After configuring all the settings and applying the GPO, my corporate machines' lock screen now looks like this, and my users are stuck with it!

     

    Matt Shadbolt