ConfigMgrDogs

  • ConfigMgr 2012 R2 Certificate Requirements and HTTPS configuration

    We have had a number of recent requests from our customers on the certificate requirements and configuration steps required to configure HTTPS communication in a ConfigMgr 2012 environment.

    I would like to give a massive thank you to Ravi Kalwani, a member of the ANZ Microsoft ConfigMgr Premier Field Engineering (PFE) team who put this guide together.

    This post contains the step-by-step configuration needed to successfully implement HTTPS communication in your ConfigMgr 2012 R2 environment.

    Creating Templates for Site Systems and Clients Certificates

    Create a template for ConfigMgr Clients

    On the issuing Certification Authority, go to Administrative Tools and open the Certification Authority console.

    Right-click Certificate Templates and click Manage to open the Certificate Templates console.

    Now right-click Workstation Authentication and click Duplicate Template.

    When asked which version of Windows Server the template should be compatible with, make sure you select Windows Server 2003, not Windows Server 2008.

    We are first creating the certificate template for the ConfigMgr client authentication certificate, so give the template a name that reflects what it will issue certificates for. I have chosen the name “ConfigMgr Client Certificate”.

    Click the Security tab, select the Domain Computers group and add the Read and Autoenroll permissions; do not clear Enroll.

    Now click the Subject Name tab, select Build from this Active Directory information, choose DNS name as the subject name format, then click OK.

    Refresh the Certificate Templates console to see the new template listed.

    Create a template for Site Systems (MP, DP, SUP and/or WSUS)

    Still in the Certification Authority console, in the Certificate Templates list we’ll set up the next template. Right-click the Web Server template and click Duplicate Template. On the General tab, change the template display name to something more appropriate, such as ConfigMgr Web Server Certificate.

    Next, click the Security tab, add your SCCM server to the permissions list and grant it the Enroll permission.

    If you are running an SCCM configuration with multiple sites and servers, it is recommended that you create an Active Directory security group for the SCCM servers. I’ve created an AD security group called ConfigMgr_Servers and added it with the Enroll permission.

    Now click the Subject Name tab, select Build from this Active Directory information, choose DNS name, then click OK.

    Create a ConfigMgr Client template for WinPE Images

    This step is only needed if all of your MPs and DPs run HTTPS. Here we create a client authentication certificate template that will be used to generate the certificate for WinPE boot images, which later contact the MP and DP over HTTPS.

    If not all of your MPs and DPs are on HTTPS, you can continue to build images via a Task Sequence; the WinPE images will contact an HTTP MP rather than an HTTPS one.

    Right-click the Workstation Authentication template and click Duplicate Template. Rename the template to ConfigMgr WinPE images. I personally like to give this template a longer validity period, because WinPE images cannot renew their certificate and creating and importing a new certificate into the boot images before the old one expires is a manual process. In my lab I’ve given it a validity of 5 years.

    On the Request Handling tab, select Allow private key to be exported.

    On the Security tab, add your SCCM servers group and give it the Enroll permission. Click Apply, then OK.

    If you now look at the Certificate Templates console you will see our three new templates.

    We can now close the Certificate Templates console.

    Enable Certificates to be issued

    Open the Certification Authority console, right-click Certificate Templates and select New > Certificate Template to Issue.

    Select all three of the ConfigMgr templates we created, then click OK.

    They will then show up in the Certificate Templates listing. Once you have verified that, you can close the Certification Authority console.

    Create an Auto-Enrol GPO for the Client Certificate template  

    Now we need to create a Group Policy at the OU of our domain containing the clients that should receive ConfigMgr Client Certificates and communicate with the MP, DP and SUP only over HTTPS.

    Launch Group Policy Management on your domain (Start > Administrative Tools > Group Policy Management). Right-click Group Policy Objects and select New, as we are going to create a new GPO and link it to the OU later. Name your GPO appropriately; I have named mine “AutoEnroll ConfigMgr Client Cert”. Then click OK.

    Edit your newly created GPO. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies. Right-click Certificate Services Client – Auto-Enrollment and then click Properties. Change the Configuration Model to Enabled and check Update certificates that use certificate templates. Then click Apply and OK.

    If you recall, we configured the ConfigMgr Client Certificate template earlier and set the permissions for Domain Computers to Read, Enroll and Autoenroll. Now, when you run “gpupdate /force”, or within about 15 minutes when Group Policy is re-applied, any domain machine the GPO applies to that can contact a DC will automatically request and receive a client certificate, which is placed in the Local Computer Personal certificate store.

    Request Web Server Certificate on MP, DP and SUP

    Now we need to set up the appropriate certificates on our System Center Configuration Manager site systems, starting with the Management Point. The first thing you will need to do is reboot your SCCM server, so that it picks up the permissions change that allows it to enroll for the Web Server certificate.

    Once the reboot completes, click Start > Run, type mmc.exe and click OK. Click File > Add/Remove Snap-in, choose Certificates and click Add. Choose Computer account and click Next. Choose Local computer and click Finish. Click OK, then expand the Certificates tree to the Personal > Certificates folder.

    You may notice that your SCCM server has already auto-enrolled for and received the client authentication certificate we just set up.

    Right-click in a blank space and click All Tasks > Request New Certificate. You are presented with the Certificate Enrollment wizard; click Next.

    Leave the defaults on this page and click Next.

    Select the ConfigMgr Web Server Certificate template and click Enroll.

    Once you see Status: Succeeded, click Finish.

    You will now see all three certificates in the Certificates console on the site server.

    While we are still in the Certificates console, we need to export the certificate that will later be imported into the Distribution Point properties. Right-click the certificate whose template name is ConfigMgr WinPE images and choose All Tasks > Export.

    Click Next on the “Welcome to the Certificate Export Wizard” page.

    Select “Yes, export the private key”. If this option is greyed out, you probably have the wrong certificate selected.

    Select “Personal Information Exchange – PKCS #12 (.PFX)” and click Next.

    Set a password on this screen and click Next. You will need this password when importing the certificate in the Distribution Point properties.

    Select the destination where you would like to export the certificate and give the file a descriptive name.

    Click Finish.

    Importing Certificates in IIS

    After all the certificates have been requested, we now need to bind the Web Server certificate to the Default Web Site and the WSUS website in IIS.

    Launch IIS Manager (Start > Administrative Tools > Internet Information Services (IIS) Manager). Navigate to the Default Web Site, right-click it and select Edit Bindings.

    Select the https binding and click Edit. Then select the ConfigMgr Web Server Certificate and click OK. I highly recommend viewing your certificate afterwards, checking the Details tab, to ensure you selected the correct one.

    Now do the same on the WSUS website: select the appropriate certificate (not the SQL one) and click OK, then click Close.

    The last piece of configuration is to manually configure the five WSUS virtual directories to use SSL. The five virtual directories are APIRemoting30, ClientWebService, DSSAuthWebService, ServerSyncWebService and SimpleAuthWebService. They are also listed in the TechNet document at http://technet.microsoft.com/en-us/library/bb633246.aspx.

    Putting APIRemoting30 on SSL: check the box Require SSL and select Ignore under Client certificates.

    Now do the same for the remaining four virtual directories listed above.

    Configuring MP, DP and SUP to use SSL

    Now that all the certificate prerequisites are complete, we are ready to configure the ConfigMgr components to use SSL.

    Configuring the Management Point to use SSL

    Open the Management Point properties: in the ConfigMgr console, go to Administration workspace > Site Configuration > Servers and Site System Roles, select your server, right-click the Management Point role and click Properties.

    Select HTTPS under Client connections. This kicks off a reinstallation of the Management Point and reconfigures its virtual directories to use HTTPS communication only.

    You can see the MP reinstallation happening in MPSetup.log.

    Configuring the Distribution Point role to use SSL

    Open the Distribution Point properties: in the ConfigMgr console, go to Administration workspace > Site Configuration > Servers and Site System Roles, select your server, right-click the Distribution Point role and click Properties.

    Select HTTPS under Specify how client computers communicate with this distribution point.

    If you would like clients to communicate with the DP over HTTPS even during a Task Sequence, you need to select Import certificate under Create a self-signed certificate or import a PKI client certificate, and import the PFX file exported earlier.

    Click Apply. This reconfigures the Distribution Point virtual directory to use HTTPS communication only.

    Configure WSUS/SUP to use HTTPS

    Open a command prompt as an administrator on the WSUS server, change the working directory to the Tools directory under the WSUS installation path and run the following command:

    WSUSUtil.exe configuressl <Intranet FQDN of WSUS Server>

    Open the Software Update Point properties: in the ConfigMgr console, go to Administration workspace > Site Configuration > Servers and Site System Roles, select your server, right-click the Software Update Point role and click Properties.

    Check the box Require SSL communication to the WSUS server and click Apply.

    This too reinstalls the Software Update Point role with the new settings.

    Site Server Settings

    Change your ConfigMgr site settings so that clients communicate with the HTTPS-enabled MP whenever a client authentication certificate is present.

    Launch the ConfigMgr console, go to Administration workspace > Site Configuration > Sites, right-click your primary site, select Properties and go to the Client Computer Communication tab. Check the box “Use PKI client certificate (client authentication capability) when available”.

    Review the clients that have a client authentication certificate to make sure they are communicating with the MP over HTTPS.

    A client that has a ConfigMgr client certificate installed will see the changes made on the ConfigMgr server via the information published in Active Directory, and will switch to HTTPS if it detects a valid client certificate in the computer’s Personal store.
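    To verify the result end to end on a site system, here is an added PowerShell check (example code written for this post, not part of the original) that confirms three things: a client authentication certificate from the ConfigMgr Client Certificate template is in the computer's Personal store and chains to a trusted CA, the Default Web Site HTTPS binding uses a certificate with the Server Authentication EKU, and the five WSUS virtual directories require SSL while ignoring client certificates. It assumes the template names chosen above and the default WSUS site name "WSUS Administration".

```powershell
# Added verification script for the HTTPS configuration described above (not part of the original post).
# Assumptions: template names as chosen in the post; WSUS site name "WSUS Administration" (the default).
Import-Module WebAdministration

$ClientTemplateName = "ConfigMgr Client Certificate"
$WebSiteName        = "Default Web Site"
$WsusSiteName       = "WSUS Administration"   # assumed default name of the WSUS site
$WsusVirtualDirs    = "APIRemoting30", "ClientWebService", "DSSAuthWebService",
                      "ServerSyncWebService", "SimpleAuthWebService"

$ClientAuthEku = "1.3.6.1.5.5.7.3.2"    # Client Authentication
$ServerAuthEku = "1.3.6.1.5.5.7.3.1"    # Server Authentication
$TemplateOid   = "1.3.6.1.4.1.311.21.7" # Certificate Template Information (v2 templates)

Function Get-TemplateName ([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert) {
    # The formatted extension reads "Template=<name>(<oid>), Major Version Number=..., ..."
    $Ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateOid }
    If (-not $Ext) { return $null }
    If ($Ext.Format($false) -match 'Template=([^(,]+)') { return $Matches[1].Trim() }
    return $null
}

# 1. Client authentication certificate issued from the template, valid against the machine's trust store
$ClientCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthEku) -and
    ((Get-TemplateName $_) -eq $ClientTemplateName)
}
If (-not $ClientCerts) {
    Write-Warning "No certificate from template '$ClientTemplateName' in the computer's Personal store: check GPO auto-enrollment"
} Else {
    ForEach ($Cert in $ClientCerts) {
        # Verify() builds and validates the chain (including revocation), so an expired or untrusted cert fails here
        $Status = If ($Cert.Verify()) { "OK" } Else { "FAILED chain/revocation check" }
        "Client cert {0} (expires {1:yyyy-MM-dd}): {2}" -f $Cert.Thumbprint, $Cert.NotAfter, $Status
    }
}

# 2. The HTTPS binding on the Default Web Site points at a certificate carrying the Server Authentication EKU
$Bindings = Get-WebBinding -Name $WebSiteName -Protocol https
If (-not $Bindings) {
    Write-Warning "No https binding on '$WebSiteName'"
} Else {
    ForEach ($B in $Bindings) {
        $BoundCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $B.certificateHash }
        If (-not $BoundCert) {
            Write-Warning "Binding $($B.bindingInformation) references thumbprint $($B.certificateHash), which is not in the Personal store"
        } ElseIf ($BoundCert.EnhancedKeyUsageList.ObjectId -notcontains $ServerAuthEku) {
            Write-Warning "Binding $($B.bindingInformation) uses '$($BoundCert.Subject)', which lacks the Server Authentication EKU"
        } Else {
            "Binding {0}: {1} (template '{2}') OK" -f $B.bindingInformation, $BoundCert.Subject, (Get-TemplateName $BoundCert)
        }
    }
}

# 3. Each WSUS virtual directory requires SSL and ignores client certificates
#    (sslFlags contains Ssl and neither SslNegotiateCert nor SslRequireCert)
ForEach ($Dir in $WsusVirtualDirs) {
    $Path  = "IIS:\Sites\$WsusSiteName\$Dir"
    $Flags = (Get-WebConfiguration -Filter 'system.webServer/security/access' -PSPath $Path).sslFlags
    If ($Flags -notmatch '\bSsl\b') {
        Write-Warning "$Dir does not require SSL (sslFlags = '$Flags')"
    } ElseIf ($Flags -match 'SslNegotiateCert|SslRequireCert') {
        Write-Warning "$Dir negotiates or requires client certificates (sslFlags = '$Flags'); the post sets this to Ignore"
    } Else {
        "$Dir requires SSL, client certificates ignored: OK"
    }
}
```

    Run it in an elevated PowerShell session on the MP/WSUS server after the steps above; any warning points at the step that still needs attention.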

    References

    PKI Certificate Requirements for Configuration Manager
    http://technet.microsoft.com/en-us/library/gg699362.aspx

    System Center 2012 Configuration Manager: R.I.P. Native Mode

    http://blogs.technet.com/b/configmgrteam/archive/2012/05/25/system-center-2012-configuration-manager-r-i-p-native-mode.aspx

    Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority

    http://technet.microsoft.com/en-us/library/gg682023.aspx

  • PowerShell Script to Create and Link Schedules in Azure Automation

     

     

    Hi All,

    Lately I've been playing with Azure Automation and needed to create schedules to kick off runbooks at certain times of the day. Rather than doing this manually I decided to just write a simple PowerShell script to create these for me automatically, since I may need to do this task again in the future. To do this I need to ensure I have Azure PowerShell configured and connected. I won't go into how in this blog; please use the following blog as a reference: How to install and configure Azure PowerShell.

    I then used the following script I wrote to create and register each schedule.

     

    ################################################################################################################################

    $Days = ("Monday","Tuesday","Wednesday","Thursday","Friday")
    # Dates are written as dd/MM/yyyy and parsed with that explicit format below, so the script does not depend on the machine's regional settings
    $StartDate = ("26/01/2015 08:30","27/01/2015 08:30","28/01/2015 08:30","29/01/2015 08:30","30/01/2015 08:30")
    $EndDate = ("26/01/2015 20:30","27/01/2015 20:30","28/01/2015 20:30","29/01/2015 20:30","30/01/2015 20:30")
    $DateFormat = "dd/MM/yyyy HH:mm"
    $Culture = [System.Globalization.CultureInfo]::InvariantCulture
    $Accountname = "yourAutomationAccountname"
    $Count = 0

    ForEach ($Day in $Days)
    {
        $Start = [DateTime]::ParseExact($StartDate[$Count], $DateFormat, $Culture)
        $End = [DateTime]::ParseExact($EndDate[$Count], $DateFormat, $Culture)

        # A schedule that recurs every 7 days from the given start (weekly on this day), linked to the Start-AllAzureVM runbook
        New-AzureAutomationSchedule -AutomationAccountName $Accountname -Name "Start AzureVMs $($Day)" -StartTime $Start -DayInterval 7
        Register-AzureAutomationScheduledRunbook -AutomationAccountName $Accountname -Name Start-AllAzureVM -ScheduleName "Start AzureVMs $($Day)"
        # The matching evening schedule, linked to the Stop-AllAzureVM runbook
        New-AzureAutomationSchedule -AutomationAccountName $Accountname -Name "Stop AzureVMs $($Day)" -StartTime $End -DayInterval 7
        Register-AzureAutomationScheduledRunbook -AutomationAccountName $Accountname -Name Stop-AllAzureVM -ScheduleName "Stop AzureVMs $($Day)"

        $Count++
    }

    ##################################################################################################################################

     

    We can see that before I run my script I have no schedules attached to my Start-AllAzureVM and Stop-AzureVM runbooks.

    We then run the script, after which you should see output similar to the one below.

    We now can see that both of our runbooks have schedules created and assigned.

    As always if you improve or have similar scripts to share feel free to comment below.

  • PowerShell ISE Add-On to connect to ConfigMgr (Connect-ConfigMgr)

    Man, I’ve been on a PowerShell rampage lately!

    It always drove me crazy loading the PowerShell Module for ConfigMgr. First, you had to find the path of the AdminConsole\bin directory and then remember the name of the psd1 module file. Finally, you had to remember the site code of the site you normally work with.

    This post outlines a custom PowerShell ISE Add-On I’ve created to quickly load the ConfigMgr PowerShell module and connect to your console default SMS Provider location.


    The first thing you’ll need to do is create a custom PowerShell ISE profile (if you don’t already use one)

    Browse to %UserProfile%\Documents and look for a WindowsPowerShell directory. If it doesn’t exist, create it. Then, look for a file called Microsoft.PowerShellISE_profile.ps1 (again if it doesn’t exist, create it). This file is automatically loaded when the ISE starts up, and is really handy for auto-loading any common functions.


    Now edit the file in either the PowerShell ISE or Notepad.exe and paste in my script. If you’ve already created and customized your profile in the past, just add my script to the bottom of your profile file.

    ## ADDS A Connect-ConfigMgr ITEM TO THE ISE ADD-ONS MENU ##
    ## Created by Matt Shadbolt - http://blogs.technet.com/b/ConfigMgrDogs ##

    Function Connect-ConfigMgr {

        # The console records its install details under Wow6432Node on 64-bit Windows
        # and under the plain SOFTWARE key on 32-bit Windows; use whichever exists
        $RegRoots = "HKLM:\SOFTWARE\Wow6432Node\Microsoft\ConfigMgr10", "HKLM:\SOFTWARE\Microsoft\ConfigMgr10"
        $RegRoot = $RegRoots | Where-Object { Get-ItemProperty -Path "$_\Setup" -Name ProductCode -ErrorAction SilentlyContinue } | Select-Object -First 1

        If (-not $RegRoot) {
            Throw "Error: The required registry keys cannot be found. Please ensure the console has been installed on this computer"
        }

        # Console install directory and the site server the console last connected to
        $ModulePath = (Get-ItemProperty "$RegRoot\Setup" -Name "UI Installation Directory").'UI Installation Directory'
        $SiteServerName = (Get-ItemProperty "$RegRoot\AdminUI\Connection" -Name Server).Server

        # Ask the site server which machine hosts the SMS Provider and what the site code is
        $ProviderLocation = Get-CimInstance -ComputerName $SiteServerName -Namespace root\sms -ClassName SMS_ProviderLocation -Filter "ProviderForLocalSite='True'"
        $ProviderMachine = $ProviderLocation.Machine
        $SiteCode = $ProviderLocation.SiteCode

        # Load the ConfigMgr module (the default install path contains spaces, so build the path rather than splatting it bare)
        # and switch to the site drive
        Import-Module (Join-Path $ModulePath "bin\ConfigurationManager.psd1")
        Set-Location "$($SiteCode):\"
    }

    # Menu entry plus ALT+F1 shortcut in the ISE Add-ons menu
    $psISE.CurrentPowerShellTab.AddOnsMenu.Submenus.Add("Connect-ConfigMgr", { Connect-ConfigMgr }, "ALT+F1") | Out-Null

    Save the file and re-open the ISE. You’ll now have a Connect-ConfigMgr option in the Add-Ons menu. You can either select this option, or just press Alt+F1 from the ISE and your console will connect to your console configured SMS Provider.


    I've also added this script to the TechNet Gallery - https://gallery.technet.microsoft.com/PowerShell-ISE-Add-On-to-4790e37b 

    I hope this significantly speeds up your ConfigMgr work in the PowerShell ISE!

    Matt

  • DPUpgradeThreadLimit Modification

    I’ve recently spent some time with a customer deploying a large number of Distribution Points in their ConfigMgr 2012 R2 hierarchy. They were finding themselves running into bottlenecks during the deployment, and with the help of the ConfigMgr Product Group, a new Site Control File property modification is now being supported.

    Distribution point installations or upgrades may take longer than expected in System Center 2012 Configuration Manager

    http://support.microsoft.com/kb/3025353 

    The DPUpgradeThreadLimit property by default is set to five. The property should be carefully increased in environments where many Distribution Points are being installed/upgraded in parallel.

    As the property is not visible by default, we need to create and set the new property. This will add the property and set it to the $newValue value across all of your Sites.

     This script is provided as-is and provides no warranties. Please thoroughly test in a lab environment, and see the Configuration Manager SDK for more information.

    param(
        [string] $siteServerName = ".",
        [int] $newValue = 10
    )

    # Locate the SMS Provider and site code for the site server we were given
    $providerLocation = Get-CimInstance -ComputerName $siteServerName -Namespace root\sms -ClassName SMS_ProviderLocation -Filter "ProviderForLocalSite='True'"
    $providerMachine = $providerLocation.Machine
    $sitecode = $providerLocation.SiteCode
    $providerNamespace = "root\sms\site_" + $sitecode
    $siteFilter = "SiteCode='" + $sitecode + "'"

    # The distribution manager component exists once per site; the provider returns the entry for every site it knows about
    $distmgrConfig = Get-CimInstance -ComputerName $providerMachine -Namespace $providerNamespace -ClassName SMS_SCI_Component | Where-Object { $_.ComponentName -eq "SMS_DISTRIBUTION_MANAGER" }

    ForEach ($distMgrObject in $distmgrConfig) {

        $properties = $distMgrObject | Select-Object -ExpandProperty Props
        $threadLimitProperty = $properties | Where-Object { $_.PropertyName -eq "DPUpgradeThreadLimit" }

        if ($null -eq $threadLimitProperty) {

            Write-Host "Previous setting for $($distMgrObject.SiteCode) DPUpgradeThreadLimit was using default, updating to $newValue"
            # The property does not exist yet: build a new embedded property locally (-ClientOnly) and append it to the list
            $newProperty = New-CimInstance -Namespace $providerNamespace -ClassName SMS_EmbeddedProperty -ClientOnly -Property @{ PropertyName = "DPUpgradeThreadLimit"; Value = [uint32]$newValue }

            $newPropertyList = @()
            $properties | ForEach-Object { $newPropertyList += $_ }
            $newPropertyList += $newProperty

            $distMgrObject.Props = $newPropertyList
            Set-CimInstance -InputObject $distMgrObject
        }
        else {

            Write-Host "Previous setting for $($distMgrObject.SiteCode) DPUpgradeThreadLimit was $($threadLimitProperty.Value), updating to $newValue"
            # The property already exists: copy the list, replacing the value of the matching entry
            $newPropertyList = @()
            $properties | ForEach-Object {
                if ($_.PropertyName -eq "DPUpgradeThreadLimit") {
                    $_.Value = $newValue
                    $newPropertyList += $_
                }
                else {
                    $newPropertyList += $_
                }
            }

            $distMgrObject.Props = $newPropertyList
            Set-CimInstance -InputObject $distMgrObject
        }
    }

  • Script to remind Office 365 users to enrol their device to InTune

    When I have a little downtime (which isn’t often!), I like to sit around and think of cool things I can automate using PowerShell. I have a .txt file that I put all these ideas into and every now and then have a crack at solving one.

    Just recently I was playing around with Office 365 and Windows InTune and this idea struck me.

    With the licensing model of Office 365 being user based, people are syncing their mail to more and more devices. They’ll have Outlook on their work laptop, email syncing on their Windows Phone, and probably syncing on their Apple and/or Android tablet as well. The problem with having so many devices is IT tracking and managing their corporate data. Of course, InTune is the obvious tool to manage these devices.

    Getting your users to enrol their devices into InTune is one of the main challenges. As the registration has to happen from the end users side, I thought I’d write a script to help pester your users into registering their iPads, iPhones, Androids and WPs into your InTune MDM.

    The idea is for this script to be run as a scheduled task. It will connect to your o365 tenant subscription and discover all those users who have synced their device with o365 since the last scheduled task ran. It will then send that user an email reminding them to enrol their device to InTune.

    The email to your users can obviously be customized, but here’s a look at what I’ve given you by default


    I’ve also added a testing mode switch, so you don’t spam your o365 users while doing your dev and test.

    Here’s the script.

    $O365Username = "your@username.onmicrosoft.com" #Add your o365 admin username here
    $SendEmail = $true #Change this to $false during testing. Output will be returned to the console
    $DeviceRegistrationTimeFrame = -1000000 #Set this to the schedule of your scheduled task (a negative number of hours to look back)
    $InServiceMode = $true #Configure this to $true when running as a scheduled task. This stops the PSSession from unloading every time it's run

    # Functions are defined before they are called, because a script file runs top to bottom

    Function Connect-O365 {
        # Script-scoped so the same credential can be reused for SMTP authentication below
        $script:UserCredential = Get-Credential -UserName $O365Username -Message "Enter o365 password"
        $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $script:UserCredential -Authentication Basic -AllowRedirection
        Import-PSSession $Session
    }

    Function Disconnect-o365 ($SessionID) {
        Remove-PSSession $SessionID
    }

    # Ensure o365 session: connect only if no Exchange Online session is already open
    If (-not (Get-PSSession | Where-Object { $_.ConfigurationName -eq "Microsoft.Exchange" })) { Connect-O365 }
    # An earlier run may have left the session open; the credential is still needed to send mail
    If (-not $UserCredential) { $UserCredential = Get-Credential -UserName $O365Username -Message "Enter o365 password" }

    # Get o365 data: every mobile device partnership created since the last run
    Get-MobileDevice | Where-Object { $_.WhenCreated -gt (Get-Date).AddHours($DeviceRegistrationTimeFrame) } | ForEach-Object {

        $User = Get-User -Identity $_.UserDisplayName
        $AccountDisplayName = $User.DisplayName
        $AccountFirstName = $User.FirstName
        $AccountEmail = $User.WindowsEmailAddress
        $DeviceId = $_.DeviceId
        $DeviceOS = $_.DeviceOS
        $UserDisplayName = $_.UserDisplayName
        $ClientType = $_.ClientType
        $IsCompliant = $_.IsCompliant
        $IsDisabled = $_.IsDisabled
        $Name = $_.Name
        $WhenChanged = $_.WhenChanged
        $WhenCreated = $_.WhenCreated
        $Id = $_.Id
        $IsValid = $_.IsValid

        # Email authorization: decided per device, so a disabled or invalid device does not suppress the emails for the devices after it
        $SendThisEmail = $SendEmail
        If ($IsDisabled -eq $true) { $SendThisEmail = $false }
        If ($IsValid -eq $false) { $SendThisEmail = $false }

        # Mail info
        $SMTPServer = "smtp.office365.com"
        $SMTPPort = 587
        $SMTPCredential = $UserCredential
        $EmailRecipient = $AccountEmail
        $EmailSender = $O365Username
        $EmailSubject = "$AccountFirstName, don't forget to enroll your device to InTune!"
        $Body = `
    "<html>
    <head>
    <title>Enroll Your Device Today!</title>
    <style>
    body {
    font-family: Verdana;
    }
    #HeadingTitle {
    text-align: center;
    font-size: large;
    margin-top: 10px;
    color: blue;
    }
    #HeadingBox {
    width: 60%;
    height: 70px;
    background-color: yellow;
    position: absolute;
    top: 10px;
    left: 20%;
    right: 20%;
    vertical-align: middle;
    background-color: white;
    }
    #BodyText {
    width: 60%;
    height: 60%;
    position: absolute;
    top: 100px;
    left: 15%;
    right: 20%;
    vertical-align: middle;
    text-align: center;
    }

    table.center {
        margin-left: auto;
        margin-right: auto;
    font-size: x-small;
    position: relative;
    top: 30px;
    color: gray;
    }

    </style>
    <body>
    <div id=""BodyText"">
    <!-- Intune logo. Please add your company logo too. -->
    <img src=""https://secure.aadcdn.microsoftonline-p.com/aadbranding/1.0.1/aadlogin/Intune/logo.png""></img><p>
    <!-- First line ""Hello Name,"" -->
    Hello $AccountFirstName, <p>
    <!-- Second line ""Thank you for syncing your device with Office 365!"" -->
    Thank you for syncing your device with Office 365! <p>
    <!-- Third line ""To ensure your device is fully managed and supported by the internal IT team, please ensure you enroll your device to InTune via the URL below"" -->
    To ensure your device is fully managed and supported by the internal IT team, please now enrol your device into InTune via the link below <p>
    <!-- Fourth line: link to the manage portal -->
    <a href=""http://manage.microsoft.com"">Manage My Device!</a><p>
    <!-- Fifth line ""Thanks,"" -->
    Thanks,<p>
    <!-- Sixth line ""Your IT Team"". Please add your IT department -->
    <b>Your IT Team</b>
    <!-- Device Details -->
    <table class=""center"">
    <tr>
      <td><b>Username</b></td>
      <td>$UserDisplayName </td>
    </tr>
    <tr>
      <td><b>Enrolled</b></td>
      <td>$WhenCreated </td>
    </tr>
    <tr>
      <td><b>Device OS</b></td>
      <td>$DeviceOS </td>
    </tr>
    <tr>
      <td><b>Device ID</b></td>
      <td>$DeviceId </td>
    </tr>
    </table>
    </div>
    </body>
    </html>"

        # Send Email
        If ($SendThisEmail -eq $true) {
            Send-MailMessage -To $EmailRecipient -From $EmailSender -Subject $EmailSubject -UseSsl -Port $SMTPPort -SmtpServer $SMTPServer -Credential $SMTPCredential -BodyAsHtml -Body $Body
        }
        Else {
            Write-Host "----- Output to console for testing -----"
            Write-Host "----- To: $EmailRecipient -----"
            Write-Host "----- From: $EmailSender -----"
            Write-Host "----- Subject: $EmailSubject -----"
            Write-Host "----- Body: Not added to testing -----"
        }

    }

    # Close Session if not in service mode
    If ($InServiceMode -eq $false) {
        Get-PSSession | ForEach-Object { If ($_.ConfigurationName -eq "Microsoft.Exchange") { Disconnect-o365 $_.Id } }
    }

    Matt Shadbolt

  • PowerShell Script to check active package distributions

     

    Hi All,

    I had a need at a customer to write a script that would identify any active package distributions at a primary site via WMI. Although DPJobMgr will also give you more information and control, this script returns a quicker result, and in the case I was dealing with, where there was a large number of active package distributions, this came in handy. Hopefully you'll find it useful.

    The script is based on the SMS_DistributionJob Server WMI Class

     

    (UPDATE: Matt just provided me with the following code that will give you your Primary site code automatically from WMI. Thanks Matty. The updated script is below.)

    ##################################################

    # $siteServerName must be set first (placeholder value; replace with your primary site server)
    $siteServerName = 'PRIMARY01'

    $providerLocation = gcim -ComputerName $siteServerName -Namespace root\sms SMS_ProviderLocation -filter "ProviderForLocalSite='True'"

    $sitecode = $providerLocation.SiteCode

    $providerNamespace = "root\sms\site_" + $sitecode

    ###################################################

    ####################################################################################################################################

    ## Check the content distribution queue on a primary

    # Primary site server hosting the SMS Provider (placeholder value; replace with yours)
    $siteServerName = 'PRIMARY01'

    # Locate the local site's provider and build the provider namespace from its site code
    $providerLocation = gcim -ComputerName $siteServerName -Namespace root\sms SMS_ProviderLocation -filter "ProviderForLocalSite='True'"
    $sitecode = $providerLocation.SiteCode
    $providerNamespace = "root\sms\site_" + $sitecode

    # Every SMS_DistributionJob instance is a queued or running package distribution
    $jobs = @(Get-WmiObject -ComputerName $siteServerName -Namespace $providerNamespace -Class SMS_DistributionJob)
    $count = $jobs.Count

    # Jobs with a StartTime are the ones a distribution thread is actively working on
    $Activethreads = @($jobs | Where {$_.StartTime -ne $null})
    $Activethreadcount = $Activethreads.Count

    Write-Output "Total Current Active Distributions $($count)"

    Write-Output "Total Active Threads Count $($Activethreadcount)"

    Write-Output "Current Threads"
    $Activethreads | Format-List -Property StartTime, RemainingSize

    ####################################################################################################################################

    Feel free to post any updates or even scripts that you've written in the comments below.

    If you want to look at other classes that could provide you with more information just check out the following MSDN reference

    http://msdn.microsoft.com/en-us/library/hh948405.aspx

  • 20 Years Of SMS/Configuration Manager

    On the 7th of November 1994, a little product called Systems Management Server (SMS) 1.0 was released. Since that date, there have been four major revisions (SMS 2.0, SMS 2003, ConfigMgr 2007 and ConfigMgr 2012), three Service Packs (ConfigMgr 2007 SP1 & SP2, ConfigMgr 2012 SP1), three Rx releases (ConfigMgr 2007 R2 & R3, ConfigMgr 2012 R2) and countless Release Candidates/Betas, Cumulative Updates (CU’s) and Hotfixes!

    I thought it would be really cool to check out the Wayback Machine for the TechNet page for the day that SMS 1.0 was released, but back then TechNet.com wasn’t even around! (how did we ever find our supportability numbers!)

    The first mention of SMS on the Wayback Machine TechNet is in mid 2000 and talked about deploying SMS 2.0, administering Inventory and Software Metering, as well as the standard Server Sizing advice we all so heavily rely on. (in their Contoso sizing example, the Central Site with 14k clients required a server with a whopping 300-MHz processor and 256 MB of RAM!)

    image

    http://web.archive.org/web/20000817202621/http://www.microsoft.com/technet/sms/ 

    (I love that the comments and suggestions hyper-link is a mailto:technet@microsoft.com)

    I was fortunate enough to not have really dealt with SMS, starting my Systems Management journey with Configuration Manager 2007 but some of my colleagues remember those days well.


    Sebastian Baboolal, Senior PFE at Microsoft

    I started with SMS 2.0. SP5 back around 2004.

    I was working for Microsoft support back then. We had one week of training and we were put on the phones. Classic trial by fire. My first call was a critsit for a customer. They had a large environment at the time > 100K clients being managed. They had a top-level SMS site. Then sites under that with lots of other primary sites under those. One of the 2nd tier primaries went belly up. Had to do a DR on that site. We didn’t cover DR at all in the training (just my luck). Back then you had to go thru like 20 pages of stuff to get the site back up. I was on that call for 14 hrs. Did not leave my desk. We got it fixed but then I was thinking what in the world did I get myself into.
    Glad we’ve moved on from CAPs and smsclitoken accounts but did like die_evil_bug_die and dial_me_in_baby


    George Smpyrakis, Senior PFE at Microsoft

    I started with SMS 1.2 back in 1997. I had just started in IT straight out of Uni and helped setup these Site Servers that seemed to take an entire day to complete. I took these boxes out to a couple of remote sites and got them up and running then started the long and arduous procedure of attempting to install the client on the workstations. At the time we used it as a Remote control tool for the workstations and in the end it only lasted a couple of months before we removed it, and that was a monumental effort in itself as the client seemed to never go away. A few years later a lovely virus called Nimda came along and brought the company I was working for to a halt. We literally had to go around the State of Victoria with floppy disks (Look it up for those under 30.) to patch each workstation so we could bring Internet access back. That’s when my Manager came up to me and said I want you to run with SMS so we never have to do that again. So I then implemented and started using SMS 2.0 and have never looked back…


    Anthony Watherston, PFE at Microsoft

    I started with SCCM 2007 implementing it because I had nothing better to do and looking to expand my horizons – some of my favourite memories.

    • Reading through log files in Notepad until my eyes hurt – then discovering trace32
    • The satisfaction of being able to remotely rebuild machines – we used to have people ship the box to us so it could be rebuilt
    • Finally patching an enterprise – then fighting with people because they wouldn’t reboot their machines when patches were installed
    • Releasing a hotfix to 180 secondary servers then watching as all the high impact tickets rolled in because all the site systems were reinstalling.
    • Learning patience when installing new sites – sometimes things just take time to appear in the console
    • Working all day on an issue – then doing a site reset and fixing it instantly

    Through all this though it is one of the most complex systems management products and only limited by your imagination as to what you can do!


    Russell Stevens, Senior PFE at Microsoft

    I started with SMS (slow moving software) version 2.0 RTM in a distributed environment at a UK government department that may have had something to with mail in 2000…

    Highlights include:

    • SMSServer and SMSClient connection accounts for hundreds of Primary and Secondary sites.
    • Software Metering ‘mark one’
    • Switching from NT 4.0 domains to Active Directory domains (see point one).
    • Restoring SMS 2.0 without a wizard, hours and hours and then monitoring for weeks and weeks.
    • Preinst.exe became a useful companion from 2.0 -> 2003 -> 2007 –> 2012
    • Seeing the feature packs become part of the Configuration Manager OSD\BDD, Software Updates (remember ITMU……..)
    • Gigantic DDR backlogs.

    It has been a great ride with some ups and downs, and has delivered some outstanding results over the 20 years, loved it.


    So here’s to ConfigMgr! May our next 20 years be full of smooth CU upgrades, clear of inbox backlogs and void of all accidental deployments!

    Matt Shadbolt

  • Managing APP-V Deployments in ConfigMgr 2012

    Many customers are still configuring collection structures similar to 2007 and using collections to control the validity of who should receive which applications.

    Where possible we should be changing how we now manage application deployments and move the validity processing of the application back to the client by using our Global Conditions (state based) to manage Requirement Rules. This works well for many Off The Shelf (OTS) applications that do not have specific procurement constraints, as we can safely deploy this category of applications to ALL USERS and, if needed, implement an Application Approval workflow. Where I am increasingly seeing customers still reverting back to specific targeting of applications, normally based off an AD Security Group, is for APP-V application deployments.

    I continue to see a large uptake of APP-V in many customer sites as we move towards a user-centric mobile environment, which is great, however I am seeing a lot of customers experiencing poor publishing times of virtual applications which is often a result of poor administrative processes.

    In SCCM 2007 we had the option to instruct the virtual application advertisement to auto remove the virtual application when the advertisement was no longer available to a client. Unfortunately this option is no longer available in 2012 and as a result many customers have gone searching for a solution by looking to the ConfigMgr Community forums. Unfortunately a lot of members of the community are simply recommending relying on the general deployment rule that an INSTALL deployment takes precedence over an UNINSTALL deployment. As a result many of the community forums have been instructing customers to simply create an UNINSTALL deployment for each virtual application and target it to the ALL USERS or ALL SYSTEMS collections. Please DO NOT DO THIS as you will continue to experience slow publishing times for APP-V applications.

    If you are already doing this approach, I strongly recommend you read this blog to understand why this is a BAD idea and be VERY CAUTIOUS in your approach to undo this setup. DO NOT do a BIG BANG approach and remove all of the current UNINSTALL deployments in one hit and create the new recommended workflow as this will cause a huge amount of deployment policy objects potentially causing significant issues in your environment. It would be very advisable that you slowly stage the changes in your environment over a few days to prevent a mass number of policy changes in one hit.

    When to use explicit collections for Tier 2 applications?

    Only when you have specific LOB applications that require a REQUIRED Deployment.

    • Valid Reason: APP-V Deployments where an automatic unpublish workflow is required

    AGAIN DO NOT Target APP-V Uninstall deployments to the ALL USERS / ALL SYSTEMS collection as mentioned in many other forums. This will only delay your application publishing times and add unnecessary load on your ConfigMgr environment.

    Understanding WHY this is BAD practice

    When a client polls for new policy changes, a stored procedure (SPROC) is run by the Management Point, consuming SQL resources.

    The more records in ResPolicyMap and DepPolicyAssignment, the more CPU time is required to process the “GET” SPROCs, such as:

    MP_GetMachinePolicyAssignments – Machine Targeted Deployments

    MP_GetUserAndUserGroupPolicyAssignments – User Targeted Deployments

    ResPolicyMap maps the resource ID to the PADBID (the unique identifier for the policy). You can query the count of ResPolicyMap rows to determine the number of policies targeted to each user / system that must be processed on every policy request.

    DepPolicyAssignment links a policy object with its dependency policies, which are provided to users and/or machines when a policy request is initiated.

    Examples:

    • Application Requirement Rules defined
    • Multiple Deployment Types per application

    How you should manage APP-V Deployments in your environment

    • Minimise the number of Required Deployments to the ALL USERS / ALL SYSTEMS Collections.
    • Prevent making any large policy changes that target the ALL USERS / ALL SYSTEMS collections, or any large number of objects in one hit.
    • Create an explicit UNINSTALL Collection for each REQUIRED Install Deployment.
    • Base the Collection membership on the compliance state of the application = true and exclude the INSTALL collection.

    Below are examples of the Collection Queries you can use to manage an auto un-publish workflow for App-V deployments based off an AD Security Group.

    USER Centric Deployments.

    1. Create an AD Security group for the application you are deploying.

    2. Create an INSTALL Collection for each Virtual Application with a dynamic query linked to the AD Security Group. Target the INSTALL Deployment for each APP-V Application to this Collection.

    3. Create a specific UNINSTALL Collection for each Virtual Application with a dynamic query using the syntax below. Also add an explicit EXCLUDE Collection membership rule that excludes the INSTALL Collection for that application. Ensure the application name matches that listed in the ConfigMgr database.

    select SMS_R_USER.ResourceID,SMS_R_USER.ResourceType,SMS_R_USER.Name,SMS_R_USER.UniqueUserName,SMS_R_USER.WindowsNTDomain
    from SMS_R_User inner join SMS_G_System_AppClientState on SMS_R_USER.UniqueUserName = SMS_G_System_AppClientState.UserName
    where SMS_G_System_AppClientState.AppName = "APPLICATIONNAME"
    and SMS_G_System_AppClientState.ComplianceState = 1

    Example

    image

    image

    image

    image

    Create and Target the UNINSTALL deployment policy to the UNINSTALL Collection.

    The result will be…. When a User is added to the AD Security Group the virtual application will be made available to the end user and install silently. When the user is removed from the AD Security group that has previously successfully published the APP-V application, they will be added to the UNINSTALL collection resulting in the virtual application being automatically removed from the client only then. This approach will minimise the ongoing policy objects that every user in the organisation will have to process.

    Disclaimer: The queries and examples provided in this post are offered “AS IS” and should be used at your own discretion. Please ensure extensive testing be done before implementing this solution into any production environment. While this solution has been tested and confirmed, the ConfigMgrDogs team takes no responsibility for any unexpected results this may have in your ConfigMgr 2012 environment.…

  • Monitoring ConfigMgr Clients Using System Center Operations Manager

    Microsoft MVP and my Premier customer from last week, Tao Yang was telling me about his custom SCOM Management Pack used to monitor the health of your ConfigMgr clients.

    Monitors include:

    • DCM Compliance
    • Missing hardware and software inventory
    • Failed application deployments
    • Pending software updates
    • CCMExec monitoring
    • Pending reboot detection
    • Many more…

    http://blog.tyang.org/2014/10/04/updated-configmgr-2012-r2-client-management-pack-version-1-2-0-0/

    This is an invaluable resource, and such a good example of the very smart MVP’s doing great work that benefits all of the System Center community.

    Nice work Tao!

    Matt

  • R2 CU3 Management point communications update


    Hi All,

    With the release of R2 CU3 we now have the ability to restrict which Management Points a client can talk to. This can be particularly useful if you have a remote MP, or only certain MPs that a client is allowed to access.

    All we need to do is:

    • Install the Client Hotfix KB2994331 which comes with the CU3 update above. The Client version will be 5.00.7958.1401

    image

    • Add a new REG_MULTI_SZ (multi-string) value called AllowedMPs under HKEY_LOCAL_MACHINE\Software\Microsoft\CCM on each client, and add the FQDN of each Management Point we want to allow the client to use. (We can control this with Compliance Settings.)

    image

    image

    After restarting the SMS Agent Host we can see that our MP is being forced in the Locationservices.log

    image

    and we can confirm that we are talking to the correct MP in ClientLocation.log

    image

    Keep in mind the following note from the CU3 update:

    Note After this value is defined, there is no fallback or other method for clients to communicate with other MPs. This new entry is only intended for permanently located workstation and server clients and is not portable to devices such as mobile PCs or tablets.
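    The registry change above, written as the kind of discovery/remediation script pair you would put in a Compliance Settings configuration item. This is an added example, not code from the original post: the MP FQDN is a placeholder and the function names are our own. Because of the note above, only list MPs the client can genuinely reach.

```powershell
# Added example (not from the original post): set and verify the AllowedMPs value described
# above, in the shape a Compliance Settings discovery/remediation script pair takes.
# Assumptions: the FQDN below is a placeholder, and the function names are our own. List only
# MPs the client can genuinely reach, since the CU3 note says there is no fallback afterwards.

$CcmKey     = 'HKLM:\SOFTWARE\Microsoft\CCM'
$AllowedMPs = @('mp01.contoso.local')   # placeholder FQDN(s); one array element per allowed MP

function Get-AllowedMPs {
    # Returns the current AllowedMPs entries, or an empty array when the value does not exist yet
    $item = Get-ItemProperty -Path $CcmKey -Name 'AllowedMPs' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    return @($item.AllowedMPs)
}

function Test-AllowedMPs {
    # Discovery: compliant only when the stored list matches the desired list exactly (order ignored)
    $desired = ($AllowedMPs | Sort-Object) -join ';'
    $actual  = (Get-AllowedMPs | Sort-Object) -join ';'
    if ($desired -eq $actual) { 'Compliant' } else { 'NonCompliant' }
}

function Set-AllowedMPs {
    # Remediation: write the REG_MULTI_SZ value, then restart the SMS Agent Host so
    # LocationServices re-reads it (the LocationServices.log screenshot above shows the result)
    if (-not (Test-Path $CcmKey)) {
        throw "Registry key $CcmKey not found; is the ConfigMgr client installed on this machine?"
    }
    New-ItemProperty -Path $CcmKey -Name 'AllowedMPs' -PropertyType MultiString -Value $AllowedMPs -Force | Out-Null
    Restart-Service -Name CcmExec
}

# Usage: remediate only when discovery reports non-compliance, then report the final state
if ((Test-AllowedMPs) -ne 'Compliant') { Set-AllowedMPs }
Test-AllowedMPs
```

    In a configuration item the discovery script is just `Test-AllowedMPs` (compare the output to "Compliant") and the remediation script is `Set-AllowedMPs`; the exact-match comparison means a stale extra FQDN in the list is reported as non-compliant rather than silently left in place.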

  • First 100 at TechEd Melbourne

    Morning Gang,

    Well, TechEd Australia 2014 is less than two weeks away, and Ian, George and I are furiously fine tuning our demos in time for our Wednesday session.

    As a special treat for the first 100 people into our session, we’re giving away some very cool looking ConfigMgrDogs badges!

    image

    We’ll also have a t-shirt give-away for one lucky person who tweets a picture of themselves wearing their badge, hash tagging #ConfigMgrDogs.

    Looking forward to seeing you all in Melbourne!

    Matt

  • TechEd 2014 Australia: ConfigMgrDogs Troubleshoot ConfigMgr 2012 (Melbourne)

    Hey ConfigMgrDogers!

    The TechEd 2014 Australia schedule has been announced, and confirmed ConfigMgrDogs will be presenting at Melbourne only. Unfortunately, George, Ian and myself won’t make it to the Sydney TechEd, however our session will be recorded and posted on the ConfigMgrDogs blog. Please add the session to your schedule (we want the big room) and retweet to those you know attending.

    See you all there!

    Matt, Ian & George.


    ConfigMgrDogs Troubleshoot ConfigMgr 2012

    Date: Wednesday, 8 October
    Time: 3:00 PM - 4:00 PM
    Room: Datacenter and Infrastructure Management
    Session Type: Breakout
    Session Code: DCIM.004
    Session Levels: 400


    For those attending, here are all the relevant links:

    Public Information : http://techedmelbourne.azurewebsites.net/SessionDetail.aspx?id=19005 

    Add to My Schedule : http://techedmelbourne.hubb.me/Sessions/Details/19005

    Tweet about our session: https://twitter.com/intent/tweet?&hashtags=ConfigMgrDogs,ConfigMgrDogsAtTechEd,DCIM.004 


  • Wake On LAN Proxy “Have You’s?”

    If you’re trying to get the Wake On LAN Proxy feature of ConfigMgr 2012 SP1+ working, there’s a lot of steps required. Here’s a simple list of “have you’s?” to make sure you haven’t missed any requirements. For a more detailed guide, check out Muhammad Adil’s blog post.

    1. Have you enabled Wake On LAN on the Site?

    image

    For traditional Wake On LAN (broadcast based), select the Subnet-directed broadcasts option. If you want to use the Wake On LAN Proxy feature, you must select the Unicast method.

    2. Have you enabled the Wake On LAN features in your clients Power Management policy settings?

    image

    3. Have you ensured that Wake On LAN ports are being allowed through firewalls? Both hardware and software?

    image

    4. Have you got Hardware Inventory enabled?

    image

    5. Have you ensured the Hardware Inventory information is correct?

    The WOL features use the IP Address provided by the Hardware Inventory scan as the target address. If you’re running Hardware Inventory every 7 days, these addresses may be stale and therefore unusable.

    6. Have you confirmed your switches forward UDP packets?

    Confirm with your networking team that UDP packet forwarding has been configured across every network switch between your ConfigMgr servers and the target clients. Don’t forget those $99 switches under someone's desk!

    7. Have you ensured your hardware’s BIOS supports wake-up packets? Is the feature turned on in the BIOS? Is it enabled on the NIC?

    image

    image

    (Note: this is a screen cap of my wireless network adapter as my laptop doesn’t have a physical NIC. We do not support Wake On LAN via the Wireless network adapter)

    8. Have you checked that your network settings are not affecting supportability?

    802.1X port authentication, MAC address binding on switches and MAC flapping being blocked will all cause unicast Wake On LAN to fail.

    Matt
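    A quick check for the NIC-level items in the list above (item 7: wake on magic packet enabled on the adapter; the note on item 7: wireless adapters are not supported). This is an added example and not the post’s own script; it assumes the NetAdapter cmdlets that ship with Windows 8 / Server 2012 and later, WinRM for the remote case, and the function name is our own.

```powershell
# Added example (not part of the original post): reports, per physical adapter, whether the
# NIC is configured to wake on a magic packet and whether it is a media type Wake On LAN
# supports at all. Assumes the NetAdapter module (Windows 8 / Server 2012 and later) and,
# for a remote computer, that WinRM is reachable. The function name is our own.

function Get-WolReadiness {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $session = New-CimSession -ComputerName $ComputerName
    try {
        # -Physical skips virtual and tunnel adapters, which can never be woken
        $adapters = Get-NetAdapter -Physical -CimSession $session
        foreach ($nic in $adapters) {
            $pm = Get-NetAdapterPowerManagement -Name $nic.Name -CimSession $session
            # Wake On LAN over a wireless adapter is not supported (see the note on item 7)
            $isWireless = $nic.PhysicalMediaType -like '*802.11*'
            [pscustomobject]@{
                Computer          = $ComputerName
                Adapter           = $nic.Name
                MediaType         = $nic.PhysicalMediaType
                LinkUp            = ($nic.Status -eq 'Up')
                WakeOnMagicPacket = $pm.WakeOnMagicPacket   # Enabled / Disabled / Unsupported
                Supported         = (-not $isWireless)
                Ready             = (-not $isWireless) -and ($pm.WakeOnMagicPacket -eq 'Enabled')
            }
        }
    }
    finally {
        Remove-CimSession $session
    }
}

# Usage: run locally, or pass -ComputerName for a remote client; Ready = $false needs attention
Get-WolReadiness | Format-Table -AutoSize
```

    BIOS and switch settings (items 6 and 7) cannot be read this way, so a `Ready` of `$true` here only clears the adapter side of the checklist.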

  • WMI / Powershell and the Configuration Manager Client

    A bit about me first :- my name is Anthony Watherston and I’m a Premier Field Engineer in Melbourne. Currently working with Configuration Manager and Orchestrator – plus I try to do everything I can with Powershell!

    Last week I had a need for accessing the Configuration Manager client on a remote system. As this was developing an automated solution I didn’t have the option to use the Control Panel applet or the Configuration Manager console to trigger actions on the client. What I needed to find was a way to trigger actions remotely using Powershell – the answer lies in the methods associated with WMI classes.

    As WMI is a class based system, each object has associated properties and many of these have methods as well. Below are some examples of how to call some of the built in WMI methods which are part of the Configuration Manager Client namespace. A detailed description of the client and its classes can be found at http://msdn.microsoft.com/en-us/library/jj874139.aspx

    Determine if a system has a reboot pending

    The Configuration Manager client has a class called CCM_ClientUtilities – in Wbemtest I can access it by connecting to root\ccm\clientsdk. In the diagram below we can see the methods associated with this class.

    image

    So how do I trigger these methods using Powershell – the Invoke-WMIMethod cmdlet.

    To get a list of associated methods I can use the command below:

    Get-WmiObject -Namespace root\ccm\clientsdk -Class CCM_ClientUtilities -List | select -ExpandProperty Methods

    This gives me the list of methods below:

    image

    Now if I want to trigger one of these methods I can use my Invoke-WMIMethod cmdlet and supply the method name.

    Invoke-WmiMethod -Namespace root\ccm\clientsdk -Class CCM_ClientUtilities -Name DetermineIfRebootPending

    image

    There is a lot of information in these results, I only want to know the value of the RebootPending flag. I can wrap my command in parentheses and specify the property name after a dot to only return that value.

    (Invoke-WmiMethod -Namespace root\ccm\clientsdk -Class CCM_ClientUtilities -Name DetermineIfRebootPending).RebootPending

    image

    Now that I have this information I could force the machine to reboot if the result is true using one of the other methods in this class – RestartComputer.

    $rebootPending = (Invoke-WmiMethod -Namespace root\ccm\clientsdk -Class CCM_ClientUtilities -Name DetermineIfRebootPending).RebootPending

    if ($rebootPending)
        {
        Invoke-WmiMethod -Namespace root\ccm\clientsdk -Class CCM_ClientUtilities -Name RestartComputer
        }

    Of course, if I wanted to perform this on a remote machine I can use the -ComputerName parameter of Invoke-WmiMethod and specify a remote machine.

    $remoteMachine = "AW-SVR01"

    $rebootPending = (Invoke-WmiMethod -ComputerName $remoteMachine -Namespace root\ccm\clientsdk -Class CCM_ClientUtilities -Name DetermineIfRebootPending).RebootPending

    if ($rebootPending)
        {
        Invoke-WmiMethod -ComputerName $remoteMachine -Namespace root\ccm\clientsdk -Class CCM_ClientUtilities -Name RestartComputer
        }

    Trigger a client action

    I can use the same theory in order to trigger policy retrieval on a machine. Each action is specified by a schedule value, supplying these to the TriggerSchedule method will force the client to perform an action. For instance the script below will trigger a Machine Policy Retrieval & Evaluation cycle on a client.

    $trigger = "{00000000-0000-0000-0000-000000000021}"

    Invoke-WmiMethod -Namespace root\ccm -Class sms_client -Name TriggerSchedule -ArgumentList $trigger

    As with the other script I can supply a computer name parameter to the command to have it execute on a remote machine.

    Determine assigned site

    The last method is one which will allow you to determine a client’s assigned site. I can use the GetAssignedSite method to retrieve the site code.

    (Invoke-WMIMethod -Namespace root\ccm -Class SMS_Client -Name GetAssignedSite).sSiteCode

    image

    There are many more methods available to use within WMI – stay tuned for more.
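    The three methods above, wrapped so that client actions can be requested by name and a client’s reboot and site state can be read in one call. This is an added example and not the post’s own code; the schedule-ID table lists the standard ConfigMgr client action GUIDs (the one from the post, {…21}, is machine policy retrieval), the function names are our own and the computer name is a placeholder taken from the post.

```powershell
# Added example (not from the original post): a small wrapper around the SMS_Client and
# CCM_ClientUtilities methods shown above, plus a lookup table of the standard client action
# schedule IDs so an action can be requested by name. Function names are our own and the
# remote computer name is a placeholder.

$CcmActions = @{
    HardwareInventory       = '{00000000-0000-0000-0000-000000000001}'
    SoftwareInventory       = '{00000000-0000-0000-0000-000000000002}'
    DiscoveryDataRecord     = '{00000000-0000-0000-0000-000000000003}'
    MachinePolicyRetrieval  = '{00000000-0000-0000-0000-000000000021}'   # the ID used in the post
    MachinePolicyEvaluation = '{00000000-0000-0000-0000-000000000022}'
    UpdateDeploymentEval    = '{00000000-0000-0000-0000-000000000108}'
    SoftwareUpdateScan      = '{00000000-0000-0000-0000-000000000113}'
    AppDeploymentEvaluation = '{00000000-0000-0000-0000-000000000121}'
}

function Invoke-CcmClientAction {
    param(
        [Parameter(Mandatory)][string]$Action,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    if (-not $CcmActions.ContainsKey($Action)) {
        throw "Unknown action '$Action'. Valid actions: $($CcmActions.Keys -join ', ')"
    }
    # TriggerSchedule takes the schedule ID as its single string argument
    Invoke-WmiMethod -ComputerName $ComputerName -Namespace root\ccm -Class SMS_Client `
        -Name TriggerSchedule -ArgumentList $CcmActions[$Action] | Out-Null
    "$Action ($($CcmActions[$Action])) triggered on $ComputerName"
}

function Get-CcmClientState {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # GetAssignedSite returns the site code in sSiteCode; DetermineIfRebootPending returns RebootPending
    $site   = Invoke-WmiMethod -ComputerName $ComputerName -Namespace root\ccm -Class SMS_Client -Name GetAssignedSite
    $reboot = Invoke-WmiMethod -ComputerName $ComputerName -Namespace root\ccm\clientsdk -Class CCM_ClientUtilities -Name DetermineIfRebootPending
    [pscustomobject]@{
        ComputerName  = $ComputerName
        AssignedSite  = $site.sSiteCode
        RebootPending = [bool]$reboot.RebootPending
    }
}

# Usage: refresh machine policy on a remote client, then report its state
$remoteMachine = 'AW-SVR01'   # placeholder name from the post
Invoke-CcmClientAction -Action MachinePolicyRetrieval -ComputerName $remoteMachine
Get-CcmClientState -ComputerName $remoteMachine
```

    Validating the action name against the table keeps an arbitrary string from being passed straight into TriggerSchedule, and the state object can be piped to Where-Object to pick out just the clients that still need a restart.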

  • BREAKING: ConfigMgrDogs Together for Teched 2014!

    The ConfigMgrDogs boys will be getting together to deliver at TechEd Australia 2014!

    George, Ian and I will be delivering the ConfigMgrDogs Troubleshoot ConfigMgr 2012 (Level 400) session at both Melbourne and Sydney. We’ve got some exciting demos planned, and a surprise or two to be announced via the blog and Twitter. Subscribe to the blog’s RSS here, or follow us on Twitter.

    Details haven’t formally been released, so stay tuned for more information!

    To whet your appetite, check out our previous TechEd sessions.

    Microsoft Application Virtualization 5.0: Introduction (TechEd 2012)

    http://channel9.msdn.com/Events/TechEd/Australia/2012/WCL312

    Implementing Security Compliance Manager for Compliance in SCCM 2012 (TechEd 2012)

    http://channel9.msdn.com/Events/TechEd/Australia/2012/SIM424

    PowerShell for ConfigMgr 2012 SP1 (TechEd 2013)

    http://channel9.msdn.com/Events/TechEd/Australia/2013/WCL416

  • Modern Style ConfigMgr Visio Stencil

    I went searching for some nice looking ConfigMgr Visio Stencils this morning and found the most amazing set created by Ryan Boud.

    You can download the stencils here (http://gallery.technet.microsoft.com/Modern-Style-Visio-da5a7470) and visit his blog (http://hmmconfused.wordpress.com/)

    Generic

    image

    Servers

    image

    Specialised

    image

    Thanks Ryan for such great work!

    Matt

  • Test your Collection WQL queries using WBEMTEST and PowerShell


    Hi All,

    One of the most useful tips I've learnt on the job is to use WBEMTEST on your Primary Site Server to test your Collection WQL queries. This is useful for doing things like testing the time it takes to run that query. This is especially useful when you get collections that take a very long time to run, potentially causing backlogs and delays in collections updating. Using these tools can help you quickly test the queries for timing outside of Configuration Manager.

    WBEMTEST

    Log onto your Site Server, or connect remotely from your tools machine. I'll show you both methods.

    Start up WBEMTEST from a command line

    image

    Click Connect

    image

    In Namespace type in the following

    root\SMS\SITE_XXX

    replace XXX with your SiteCode

    If you're connecting remotely, use

    \\Computername\root\SMS\SITE_XXX

    then click Connect

    image

    Click the Query button

    image

    Enter your WQL query and click Apply

    image

    If you have a valid query you should see a result

    image

    PowerShell

    You could also run a similar query using PowerShell (thanks to my fellow PFEs Ryan Hall and Anthony Watherston for this).

    Just replace the value in the $WQL variable quotes with your query and, of course, PRI with your SiteCode.

    $WQL = 'select * from SMS_R_SYSTEM'

    $WMI = Get-WmiObject -Namespace Root\SMS\Site_PRI -Query $WQL

    $WMI

    image

    and if I want to measure that command for approximate timing

    Measure-Command -Expression {Get-WmiObject -Namespace Root\SMS\Site_PRI -Query 'select * from SMS_R_SYSTEM' }

    image
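    The Get-WmiObject / Measure-Command pattern above, wrapped in a function that returns the row count and elapsed time, and used to time the App-V UNINSTALL collection query from the “Managing APP-V Deployments in ConfigMgr 2012” post with an application name substituted. This is an added example and not the post’s own code; the site server, site code and application name are placeholders and the function names are our own.

```powershell
# Added example (not the post's own code): times a collection WQL query against the SMS
# Provider and returns the row count, then applies it to the App-V UNINSTALL collection
# query from the earlier post. Site server, site code and application name are placeholders;
# the function names are our own.

function Test-CMCollectionQuery {
    param(
        [Parameter(Mandatory)][string]$Wql,
        [Parameter(Mandatory)][string]$SiteCode,
        [string]$SiteServer = $env:COMPUTERNAME
    )
    $namespace = "root\SMS\Site_$SiteCode"
    # A Stopwatch is used instead of Measure-Command so the rows stay available after timing
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $rows = @(Get-WmiObject -ComputerName $SiteServer -Namespace $namespace -Query $Wql)
    $sw.Stop()
    [pscustomobject]@{
        Rows      = $rows.Count
        ElapsedMs = $sw.Elapsed.TotalMilliseconds
        Wql       = $Wql
    }
}

function New-AppVUninstallWql {
    # Builds the user-centric UNINSTALL collection query for one App-V application.
    # The name must match the application name as stored in the site database.
    param([Parameter(Mandatory)][string]$ApplicationName)
    if ($ApplicationName -match '"') {
        throw 'Application names containing a double quote cannot be embedded in this WQL literal'
    }
@"
select SMS_R_USER.ResourceID, SMS_R_USER.ResourceType, SMS_R_USER.Name, SMS_R_USER.UniqueUserName, SMS_R_USER.WindowsNTDomain
from SMS_R_User inner join SMS_G_System_AppClientState on SMS_R_USER.UniqueUserName = SMS_G_System_AppClientState.UserName
where SMS_G_System_AppClientState.AppName = "$ApplicationName"
and SMS_G_System_AppClientState.ComplianceState = 1
"@
}

# Usage: placeholder application name, site code and site server
$wql = New-AppVUninstallWql -ApplicationName 'Contoso Virtual App 1.0'
Test-CMCollectionQuery -Wql $wql -SiteCode 'PRI' -SiteServer 'PRIMARY01' | Format-List
```

    Run the same query a few times and compare ElapsedMs; a query that takes seconds here will take at least that long on every collection evaluation, which is exactly the backlog the post warns about.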

  • PowerShell Script to list Software Updates in a Software Update Group


    Hi everybody,

    In a recent Workshop that I was teaching I got asked how to list all of the security updates in a software update group. So I wrote a quick PowerShell script to do exactly that.

    Here is the code I used while on R2 CU1

    ############################################################################################

    $modulelocation = 'F:\Program Files\Microsoft Configuration Manager\AdminConsole\bin\configurationmanager.psd1'
    $SUG = 'Security Updates'

    Import-Module $modulelocation
    CD PRI:

    $SoftwareUpdates = (get-cmsoftwareupdategroup | Where {$_.LocalizedDisplayName -eq $SUG}).Updates
    Foreach ($SoftwareUpdate in $SoftwareUpdates){
    (Get-CMSoftwareUpdate -Id $SoftwareUpdate).LocalizedDisplayName

    }

    ############################################################################################

    image

    UPDATE

    After going to R2 CU2 The cmdlets changed slightly.

    Found a simpler command below

    ############################################################################################

    $modulelocation = 'F:\Program Files\Microsoft Configuration Manager\AdminConsole\bin\configurationmanager.psd1'
    $SUG = 'Security Updates'

    Import-Module $modulelocation
    CD PRI:

    (Get-CMSoftwareUpdate -UpdateGroupName $SUG).LocalizedDisplayName

    ############################################################################################

    image

    You will just need to change the two initial variables

    $Modulelocation to where your psd1 sits. See Matt’s blog for details on this.

    $SUG to the name of your Software Update Group.

    This will simply list all of the updates so you can paste it into any Change Request you need to create for Software Updates.

    Hopefully you find this useful, but more than that hopefully this gets you started with some PowerShell. A fantastic free course that I always recommend to my students if you’re not sure where to begin is this MVA course run by Jeffrey Snover and Jason Helmick.

    Getting Started with PowerShell 3.0 Jump Start

    Feel free to comment with your own useful PowerShell script or even a new improved version of mine below…

  • ConfigMgrDogs on Twitter

    We’ve finally got an official ConfigMgrDogs Twitter account!

    https://twitter.com/ConfigMgrDogs

    Please follow us for all blog posts and news from the ConfigMgrDogs team!

  • Creating Custom RBAC Enabled Reports in ConfigMgr 2012 R2

    This post will step you through the process of creating custom reports in ConfigMgr 2012 R2 that will enforce your Role Based Access Control (RBAC) policies. Configuration Manager reports are now fully enabled for role-based administration. The data for all reports included with Configuration Manager is filtered based on the permissions of the administrative user who runs the report. Administrative users with specific roles can only view information defined for their roles. TechNet reference

    Step 1: Determine the data you wish to report on

    Using SQL Management Studio, confirm your SQL query against the RBAC-aware fn_rbac_<table> table-valued functions, passing the ('disabled') parameter to bypass the requirement of passing through a user SID.

    NOTE: all fn_rbac_<table> functions can be found under "Table-valued Functions".

    If you query the v_<table> views instead, RBAC is ignored.

    clip_image001
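    The same Step 1 check run from PowerShell, so that the result an administrative user would see (their SID passed through) can be compared with the unfiltered result ('disabled') before the report is built. This is an added example and not part of the post; the SQL server, site database and SID are placeholders, and it assumes fn_rbac_R_System is the RBAC function that pairs with the v_R_System view.

```powershell
# Added example (not part of the original post): runs the Step 1 query from PowerShell and
# compares the unfiltered result ('disabled') with the RBAC-filtered result for one user SID.
# Assumptions: server, database and SID are placeholders; fn_rbac_R_System is the RBAC function
# matching v_R_System, and its single parameter is the user SID list (or 'disabled').

$SqlServer = 'SQL01'                    # placeholder
$Database  = 'CM_PRI'                   # placeholder site database name
$UserSid   = 'S-1-5-21-0-0-0-1001'      # placeholder SID of the administrative user to test

function Get-RbacSystemNames {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$Database,
        [string]$UserSids = 'disabled'   # 'disabled' bypasses RBAC; a SID returns only what that admin may see
    )
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$Server;Database=$Database;Integrated Security=True"
    $cmd = $conn.CreateCommand()
    # Pass the SID list as a SQL parameter rather than concatenating it into the statement
    $cmd.CommandText = 'SELECT ResourceID, Name0 FROM fn_rbac_R_System(@UserSIDs) ORDER BY Name0'
    $cmd.Parameters.AddWithValue('@UserSIDs', $UserSids) | Out-Null
    $conn.Open()
    try {
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            [pscustomobject]@{ ResourceID = $reader['ResourceID']; Name = $reader['Name0'] }
        }
        $reader.Close()
    }
    finally {
        $conn.Close()
    }
}

# Usage: everything the site knows about, versus what the tested admin is allowed to see
$all      = @(Get-RbacSystemNames -Server $SqlServer -Database $Database)
$filtered = @(Get-RbacSystemNames -Server $SqlServer -Database $Database -UserSids $UserSid)
"{0} systems unfiltered, {1} visible to {2}" -f $all.Count, $filtered.Count, $UserSid
$filtered
```

    If the two counts are equal for an admin who is scoped to a single collection, the query is not actually going through the RBAC function (for example, a v_ view slipped in), which is the mistake the note above warns about.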

    Step 2: Create a new custom report in ConfigMgr Management Console UI

    clip_image002

    clip_image003

    clip_image004

    Step 3: Editing your custom report will launch SQL Report Builder

    clip_image005

    clip_image006

    clip_image007

    clip_image008

    clip_image009

    Step 4: Design Your Report

    Confirm you can see Dataset values and select the type of Report you want to create

    clip_image010

    clip_image011

    clip_image012

    Step 5: Design and format your report as required

    clip_image013

    Step 7: Configure the Dependencies for RBAC

    Create a New Dataset

    clip_image014

    clip_image015

    clip_image016

    clip_image017

    clip_image018

    clip_image019

    clip_image020

    clip_image021

    clip_image022

    clip_image023

    clip_image024

    clip_image025

    clip_image026

    clip_image027

    clip_image028

    clip_image029

    NOTE: If you do not see the REFERENCES option, try and run your report, it will fail however will present the References parameters

    clip_image030

    clip_image031

    ALL DONE..

    Step 8: Test your custom report

    To test I have granted an admin account "sccm2012r2\Ian" that is limited only to the collection called "Ian's Collection"

    clip_image032

    Launch the ConfigMgr console using SCCM2012R2\Ian
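    The following is an added example, not code from the post: it runs the same fn_rbac dataset query twice, once with 'disabled' (the unfiltered SSMS check from Step 1) and once with the token SIDs of the account you are testing as (the Step 8 check), so you can see the RBAC filtering take effect. The server, database and collection ID are placeholders, and the comma-separated SID list is assumed to match the format the ConfigMgr reporting extension passes into @UserSIDs.

```powershell
# Added example (not the post's code). Placeholders: $Server, $Database,
# $CollectionId. Assumes @UserSIDs accepts a comma-separated token SID list.
param(
    [string]$Server       = 'CMPRI-SQL01',   # placeholder site database server
    [string]$Database     = 'CM_P01',        # placeholder site database name
    [string]$CollectionId = 'P0100012'       # placeholder collection to report on
)

# The dataset query. In the report, map its @UserSIDs query parameter to the
# hidden UserTokenSIDs report parameter, as the built-in reports do; querying
# v_R_System instead of fn_rbac_R_System would ignore RBAC entirely.
$query = @'
SELECT s.Name0, s.Operating_System_Name_and0, fcm.CollectionID
FROM   fn_rbac_R_System(@UserSIDs) AS s
JOIN   fn_rbac_FullCollectionMembership(@UserSIDs) AS fcm
       ON fcm.ResourceID = s.ResourceID
WHERE  fcm.CollectionID = @CollectionID
'@

function Invoke-RbacQuery {
    param([Parameter(Mandatory)][string]$UserSIDs)
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$Server;Database=$Database;Integrated Security=SSPI")
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    [void]$cmd.Parameters.AddWithValue('@UserSIDs', $UserSIDs)
    [void]$cmd.Parameters.AddWithValue('@CollectionID', $CollectionId)
    $table = New-Object System.Data.DataTable
    $conn.Open()
    try     { $table.Load($cmd.ExecuteReader()) }
    finally { $conn.Close() }
    return ,$table   # leading comma keeps the DataTable from unrolling into rows
}

# Token SIDs of the account running the script: its user SID plus group SIDs.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

$unfiltered = Invoke-RbacQuery -UserSIDs 'disabled'
$filtered   = Invoke-RbacQuery -UserSIDs ($tokenSids -join ',')

"Rows with RBAC disabled : $($unfiltered.Rows.Count)"
"Rows visible to $($identity.Name): $($filtered.Rows.Count)"
# A limited admin such as the test account in Step 8 should see rows only for
# collections in scope; zero rows means this collection is outside its scope.
```

Run it as the limited account (or from a session opened with that account's credentials) against the site database; the account needs read access to the database just as it does in SQL Management Studio.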


  • Application Catalog Failed – “Application installation not started”


    The application could not be installed. The most common reason is that software does not support the version of Windows currently installed on your computer. You can try starting the application installation from the Application Catalog again. If the problem continues, contact your network administrator

    clip_image002

    In the ConfigMgrSoftwareCatalog.log Silverlight log file (found at "C:\Users\mattsha\AppData\LocalLow\Microsoft\Silverlight\is\j2mecbot.hwg\v2uabsdl.022\1\s\s5i52ebhc445n0s2jyvmx5askg5zbspajpmi3e4bvujwll1luiaaaeda\f\ConfigMgrLogs\ConfigMgrSoftwareCatalog.log"), the following three lines were found.

    [1][06/23/2014 17:46:43] :ApplicationDetailViewModel.RequestPolicyAssingmentForInstallCallback-Error:The policy information is empty or an error ocurred!

    [1][06/23/2014 17:46:43] :ApplicationDetailViewModel.UpdatePageView:PageViewMode changed to:FastInstallError

    [1][06/23/2014 17:46:43] :FastInstallPageView:Create Page View FastInstallError

    Also in the ServicePortalWebSite.log (found at "F:\Program Files\SMS_CCM\CMApplicationCatalog\Logs\ServicePortalWebSite.log") were the following two errors:

    [28, PID:6060][06/23/2014 17:59:54] :The web method threw a fault exception - System.ServiceModel.FaultException`1[Microsoft.ConfigurationManager.SoftwareCatalog.Service.Faults5000.ServiceError]: Invalid parameter

    [28, PID:6060][06/23/2014 17:59:54] :System.ServiceModel.FaultException`1[[Microsoft.ConfigurationManager.SoftwareCatalog.Service.Faults5000.ServiceError, Microsoft.ConfigurationManager.SoftwareCatalog.Website.PortalClasses, Version=5.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]: Invalid parameter

    I spent ages trying to troubleshoot this issue without success, and gave up for a short time while I did other things.

    A week later I was testing the Collection Evaluator Viewer program that comes with the R2 toolset and found that it was unable to connect directly to the database, with a very similar error:

    A connection was successfully established with the server, then an error occurred during the login process. (provider: SSL Provider, error:0 – The certificate chain was issued by an authority that is not trusted)

    So now I could tell that the issue was actually on the SQL database side, not necessarily with ConfigMgr or the Application Catalog site server roles.

    Next, I checked to make sure SQL is not forcing an encrypted connection using SQL Service Manager.

    clip_image003

    clip_image004

    All good there; however, under the Certificate tab I noticed we had a self-signed certificate.

    clip_image005

    And lo and behold, the certificate is having problems.

    clip_image006

    I opened the IIS console to view the self-signed certificate.

    clip_image007

    I exported the certificate.

    clip_image009

    Then I imported it into the Trusted Root Certification Authorities store.

    clip_image010

    After the import, I attempted again to connect using the Collection Evaluation Viewer. This time it was successful, as the SQL Server certificate is now trusted.

    clip_image011

    Back to the Application Catalog, and everything is now working nicely!

    clip_image012

    clip_image014

  • ConfigMgr 2012 Windows Update Client Process

    Hi Gang!

    So I provided this information to one of my customers recently, and Georgy said it would be quite helpful for you dedicated ConfigMgrDogs readers too, so here it is.

    This is a high-level view of the Windows Update process from a ConfigMgr client's point of view, using a SUP (Software Update Point).

    The Software Update process from the ConfigMgr client

    image

    Following the flow

    After refreshing machine policy, kick off the Software Update Scan. We can then see the Software Update Scan Cycle has started via the WUAHandler.log (C:\Windows\CCM\Logs\WUAHandler.log)

    image

    The Windows Update Handler initiates the Windows Update service against the ConfigMgr SUP. (C:\Windows\WindowsUpdate.log)

    image

    After the scan is completed, we then run the Software Update Deployment Evaluation Cycle. Use the UpdatesDeployment.log to view this process (C:\Windows\CCM\Logs\UpdatesDeployment.log)

    image

    The Content Access Service finds the content on the CMPRI-MATTSLABS Distribution Point and downloads it

    image

    Updates Deployment attempts to install the updates, but the Service Window Manager blocks the installation (C:\Windows\CCM\Logs\UpdatesDeployment.log)

    image

    Service Window Manager blocking the installation (C:\Windows\CCM\Logs\ServiceWindowManager.log)

    clip_image002

    And when the window opens, the updates should install. Check the UpdatesDeployment.log

    image

    Also, the WindowsUpdate.log success

    image

    And reboot if required (and scheduled)

    image

    image

    Update: An ex-colleague reached out to me to add some extra info around the process for the SCEP update trigger. As my SCEP knowledge isn't the greatest, it's something I'll be sure to remember, and it is very helpful for the community.

    The key difference that I can see is that the SCEP definition update initiates from the AntiMalware Policy configuration, not from the EndPoint client settings where I expected to see it, or from the Software Updates Schedule client setting. As opposed of course to Software Update scanning and installation as per your post. Also, triggering a manual SCEP definition update is only done from the SCEP client and not the SCCM client actions, from what I've seen so far.


    Thanks David!

  • ConfigMgr 2012 Version Numbers

    Hi all,

    As requested, I've listed all the ConfigMgr 2012 released versions in the table below. We will do our best to keep this up to date as new updates are released. Note that the Client and Console versions will be exactly the same as the Release/Update version.

    To see how to view the version see Matt’s earlier blog here. If you want to confirm a CU update see Neil’s blog here.

    Release/Update           Version          Build
    ConfigMgr 2012 RTM       5.00.7711.0000   7711
    ConfigMgr 2012 SP1       5.00.7804.1000   7804
    ConfigMgr 2012 SP1 CU1   5.00.7804.1202   7804
    ConfigMgr 2012 SP1 CU2   5.00.7804.1300   7804
    ConfigMgr 2012 SP1 CU3   5.00.7804.1400   7804
    ConfigMgr 2012 SP1 CU4   5.00.7804.1500   7804
    ConfigMgr 2012 SP1 CU5   5.00.7804.1600   7804
    ConfigMgr 2012 R2        5.00.7958.1000   7958
    ConfigMgr 2012 R2 CU1    5.00.7958.1203   7958
    ConfigMgr 2012 R2 CU2    5.00.7958.1303   7958
    ConfigMgr 2012 R2 CU3    5.00.7958.1401   7958
    ConfigMgr 2012 R2 CU4    5.00.7958.1501   7958

  • Orchestrator 2012 Logging and Debug Logging


    Hi All,

    If you've started playing with Orchestrator, I have detailed below the areas where you can look for issues with your Runbooks and other components.

    Runbook Designer

    Log Tab

    Firstly, you can look at the Log tab while your Runbook is executing.

    image

    Log History Tab

    Or, after it is complete, you can check the Log History tab.

    image

    Double-click on the entry you want to review and then check the status of each Activity.

    image

    To control the level of detail available, go to the properties of each individual Runbook and select Store Activity-specific Published Data and/or Store Common Published Data. NOTE: This is only recommended in Dev and Test, not production, as these options may significantly increase the size of your database (see the TechNet reference Database Sizing and Performance for details).

    Do not have these turned on in Production unless you are troubleshooting.

    image

    Events

    We can also get some useful information from the Events tab

    image

    Log Files

    Another area is the component logs for Debug Logging.

    Thank you to Jeffrey Fanjoy, a senior support escalation engineer based in the US, for this information.

    If you go to the following Registry key

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\SystemCenter2012\Orchestrator\TraceLogger

    on a box with the Runbook Designer or Runbook Server, you will see that for each component there is a LogFolder and a LogLevel value. LogFolder shows you where the actual log sits, and LogLevel is the verbosity level. (NOTE: You may need to restart the services or the server before a change takes effect.)

    Log Level   Detail
    1           Errors
    3           Errors and warnings
    7           Errors, warnings and Information

    image

    Just keep in mind that the higher the verbosity, the more information will be written to the log, so it should only be used for troubleshooting purposes and should not be left on by default.
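    As an added example (not from the post or the Orchestrator product), the script below reads the TraceLogger key named above, lists every component with its LogFolder and LogLevel and the meaning from the table, warns about anything left above level 1, and offers a function to set a component's level for troubleshooting. The component subkey names are assumed to be whatever exists on your Runbook Server or Designer; LogLevel is assumed to be a numeric value.

```powershell
# Added example (not the post's code). The key path is the one the post
# gives; component subkey names and the numeric type of LogLevel are assumed.
$traceRoot = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\SystemCenter2012\Orchestrator\TraceLogger'

function Get-OrchestratorTraceLevel {
    # One object per component subkey, with the verbosity decoded per the post's table.
    Get-ChildItem -Path $traceRoot | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        $meaning = switch ([int]$props.LogLevel) {
            1       { 'Errors' }
            3       { 'Errors and warnings' }
            7       { 'Errors, warnings and Information' }
            default { 'not a documented level' }
        }
        [pscustomobject]@{
            Component = $_.PSChildName
            LogFolder = $props.LogFolder
            LogLevel  = $props.LogLevel
            Meaning   = $meaning
        }
    }
}

function Set-OrchestratorTraceLevel {
    # Only the three documented levels are accepted.
    param(
        [Parameter(Mandatory)][string]$Component,
        [Parameter(Mandatory)][ValidateSet(1, 3, 7)][int]$Level
    )
    $key = Join-Path -Path $traceRoot -ChildPath $Component
    Set-ItemProperty -Path $key -Name LogLevel -Value $Level
    # As the post notes, the services (or the server) may need a restart
    # before the new level takes effect.
}

# Show the current state, then flag anything already left above the default.
$levels = Get-OrchestratorTraceLevel
$levels | Format-Table -AutoSize
$levels | Where-Object { $_.LogLevel -gt 1 } | ForEach-Object {
    Write-Warning "$($_.Component) is at LogLevel $($_.LogLevel); reset it to 1 when troubleshooting is finished."
}

# Usage: Set-OrchestratorTraceLevel -Component '<ComponentSubkeyName>' -Level 7
```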

  • I Wrote An App

    Hi Gang.

    Over the long weekend last week, I thought I’d have a crack at writing, submitting and publishing a Windows 8 app. It’s a very simple countdown to Windows XP’s End Of Life on April 8th (we are all very excited to see the end of XP).

    http://apps.microsoft.com/windows/en-au/app/windows-xp-end-of-life-countdown/08bd1136-13f0-47bb-a574-c8f3626a9227

    As I said, it’s very simple but functional, with a countdown screen and live tile that updates daily.

    Please download and rate it in the store.

    image

    Matt