ConfigMgrDogs

  • Windows 8 and Windows 8.1 New Group Policy Settings

    Windows 8 RTM

    For full details, download the following file

     Policy Setting Name 
     
     Allow all trusted apps to install 
     Allow deployment operations in special profiles 
     Block launching desktop apps associated with a file. 
     Block launching desktop apps associated with a protocol 
     Block launching desktop apps associated with a file. 
     Block launching desktop apps associated with a protocol 
     Do not display the lock screen 
     Prevent changing lock screen image 
     Prevent changing start menu background 
     Turn on PIN sign-in 
     Turn off picture password sign-in 
     Do not display the password reveal button 
     Do not display the password reveal button 
     Device compatibility settings 
     Driver compatibility settings 
     Specify the search server for device driver updates 
     Turn off smart multi-homed name resolution 
     Turn off smart protocol reordering 
     Allow NetBT queries for fully qualified domain names 
     Prefer link local responses over DNS when received over a network with higher precedence 
     Turn off IDN encoding 
     IDN mapping 
     Use solid color for Start background 
     Turn on misconversion logging for misconversion report 
     Turn off saving auto-tuning data to file 
     Turn off history-based predictive input 
     Turn off Open Extended Dictionary 
     Turn off Internet search integration 
     Turn off custom dictionary 
     Restrict character code range of conversion 
     Do not include Non-Publishing Standard Glyph in the candidate list 
     Boot-Start Driver Initialization Policy 
     Turn off switching between recent apps 
     Turn off tracking of app usage 
     Do not allow Windows to activate Enhanced Storage devices 
     Do not throttle additional data 
     Send additional data when on battery power 
     Send data when on connected to a restricted/costed network 
     Do not throttle additional data 
     Send additional data when on battery power 
     Send data when on connected to a restricted/costed network 
     Windows To Go Default Startup Options 
     Allow hibernate (S4) when starting from a Windows To Go workspace 
     Disallow standby sleep states (S1-S3) when starting from a Windows to Go workspace 
     Turn off File History 
     Configure maximum age of file server shadow copies 
     Allow or Disallow use of encryption to protect the RPC protocol messages between File Share Shadow Copy Provider running on application server and File Share Shadow Copy Agent running on the file servers. 
     Enable / disable TXF deprecated features 
     Enable optimized move of contents in Offline Files cache on Folder Redirection server path change 
     Redirect folders on primary computers only 
     Redirect folders on primary computers only 
     Turn off offer text predictions as I type 
     Turn off insert a space after selecting a text prediction 
     Turn off autocorrect misspelled words 
     Turn off highlight misspelled words 
     Disallow copying of user input methods to the system account for sign-in 
     Block clean-up of unused language packs 
     Enable AD/DFS domain controller synchronization during policy refresh 
     Turn off Group Policy Client Service AOAC optimization 
     Configure Direct Access connections as a fast network connection 
     Change Group Policy processing to run asynchronously when a slow network connection is detected. 
     Configure Group Policy slow link detection 
     Specify workplace connectivity wait time for policy processing 
     Enable Hotspot Authentication 
     Turn off access to the Store 
     Turn off access to the Store 
     Turn off flip ahead feature 
     Turn on Enhanced Protected Mode 
     Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled 
     Always send Do Not Track header 
     Turn off encryption support 
     Show Content Advisor on Internet Options 
     Go to an intranet site for a one-word entry in the Address bar 
     Install binaries signed by MD2 and MD4 signing technologies 
     Prevent managing SmartScreen Filter 
     Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet 
     Turn off browser geolocation 
     Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects 
     Automatically activate newly installed add-ons 
     Turn off add-on performance notifications 
     Turn on ActiveX Filtering 
     Prevent deleting download history 
     Prevent deleting ActiveX Filtering and Tracking Protection data 
     Allow Internet Explorer 8 shutdown behavior 
     Specify default behavior for a new tab 
     Notify users if Internet Explorer is not the default web browser 
     Turn off URL Suggestions 
     Render legacy filters 
     Enable dragging of content from different domains within a window 
     Enable dragging of content from different domains across windows 
     Allow Internet Explorer to play media files that use alternative codecs 
     Prevent configuration of top-result search on Address bar 
     Do not display the reveal password button 
     Turn off the WebSocket Object 
     Set the maximum number of WebSocket connections per server 
     Display tabs on a separate row 
     Establish InPrivate Filtering threshold 
     Establish Tracking Protection threshold 
     Turn off Tracking Protection 
     Use Policy List of Quirks Mode sites 
     Turn off ability to pin sites in Internet Explorer on the desktop 
     Set default storage limits for websites 
     Allow websites to store indexed databases on client computers 
     Set indexed database storage limits for individual domains 
     Set maximum indexed database storage limit for all domains 
     Allow websites to store application caches on client computers 
     Set application cache storage limits for individual domains 
     Set maximum application caches storage limit for all domains 
     Set application caches expiration time limit for individual domains 
     Set maximum application cache resource list size 
     Set maximum application cache individual resource size 
     Start Internet Explorer with tabs from last browsing session 
     Open Internet Explorer tiles on the desktop 
     Set how links are opened in Internet Explorer 
     Turn off flip ahead feature 
     Turn on Enhanced Protected Mode 
     Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled 
     Always send Do Not Track header 
     Show Content Advisor on Internet Options 
     Go to an intranet site for a one-word entry in the Address bar 
     Install binaries signed by MD2 and MD4 signing technologies 
     Prevent managing SmartScreen Filter 
     Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet 
     Disable Import/Export Settings wizard 
     Turn off browser geolocation 
     Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects 
     Automatically activate newly installed add-ons 
     Turn off add-on performance notifications 
     Turn on ActiveX Filtering 
     Prevent deleting download history 
     Prevent deleting ActiveX Filtering and Tracking Protection data 
     Allow Internet Explorer 8 shutdown behavior 
     Specify default behavior for a new tab 
     Disable changing secondary home page settings 
     Turn off URL Suggestions 
     Render legacy filters 
     Enable dragging of content from different domains within a window 
     Enable dragging of content from different domains across windows 
     Turn off Print Menu 
     Allow Internet Explorer to play media files that use alternative codecs 
     Prevent configuration of search on Address bar 
     Prevent configuration of top-result search on Address bar 
     Do not display the reveal password button 
     Turn off the WebSocket Object 
     Set the maximum number of WebSocket connections per server 
     Display tabs on a separate row 
     Turn on Suggested Sites 
     Establish InPrivate Filtering threshold 
     Establish Tracking Protection threshold 
     Turn off Tracking Protection 
     Use Policy List of Quirks Mode sites 
     Turn off ability to pin sites in Internet Explorer on the desktop 
     Set default storage limits for websites 
     Allow websites to store indexed databases on client computers 
     Set indexed database storage limits for individual domains 
     Set maximum indexed database storage limit for all domains 
     Allow websites to store application caches on client computers 
     Set application cache storage limits for individual domains 
     Set maximum application caches storage limit for all domains 
     Set application caches expiration time limit for individual domains 
     Set maximum application cache resource list size 
     Set maximum application cache individual resource size 
     Start Internet Explorer with tabs from last browsing session 
     Open Internet Explorer tiles on the desktop 
     Set how links are opened in Internet Explorer 
     Install new versions of Internet Explorer automatically 
     KDC support for claims, compound authentication and Kerberos armoring 
     Warning for large Kerberos tickets 
     Specify KDC proxy servers for Kerberos clients 
     Disable revocation checking for the SSL certificate of KDC proxy servers 
     Fail authentication requests when Kerberos armoring is not available 
     Support compound authentication 
     Set maximum Kerberos SSPI context token buffer size 
     Kerberos client support for claims, compound authentication and Kerberos armoring 
     Hash Version support for BranchCache 
     Turn off Windows Location Provider 
     Show first sign-in animation 
     Do not enumerate connected users on domain-joined computers 
     Enumerate local users on domain-joined computers 
     Turn off app notifications on the lock screen 
     Automatic Maintenance Activation Boundary 
     Automatic Maintenance Random Delay 
     Automatic Maintenance WakeUp Policy 
     Turn off shared components 
     Prevent embedded UI 
     Support Email Address 
     Friendly Name 
     User Interface 
     Prefer Local Names Allowed 
     DirectAccess Passive Mode 
     Corporate Resources 
     IPsec Tunnel Endpoints 
     Custom Commands 
     Specify passive polling 
     Do not use NetBIOS-based discovery for domain controller location when DNS-based discovery fails 
     Specify address lookup behavior for DC locator ping 
     Use urgent mode when pinging domain controllers 
     Internet proxy servers for apps 
     Intranet proxy servers for apps 
     Private network ranges for apps 
     Proxy definitions are authoritative 
     Subnet definitions are authoritative 
     Remove "Work offline" command 
     Remove "Work offline" command 
     Enable file synchronization on costed networks 
     Detect compatibility issues for applications and drivers 
     Enable Automatic Hosted Cache Discovery by Service Connection Point 
     Configure Client BranchCache Version Support 
     Configure Hosted Cache Servers 
     Set age for segments in the data cache 
     Turn on Module Logging 
     Set the default source path for Update-Help 
     Turn on Module Logging 
     Set the default source path for Update-Help 
     Isolate print drivers from applications 
     Always rasterize content to be printed using a software rasterizer 
     Do not allow v4 printer drivers to show printer extensions 
     Change Microsoft XPS Document Writer (MXDW) default output format to the legacy Microsoft XPS format (*.xps) 
     Turn off storage and display of search history 
     Always use automatic language detection when indexing content and properties 
     Do not sync 
     Do not sync app settings 
     Do not sync passwords 
     Do not sync personalize 
     Do not sync other Windows settings 
     Do not sync desktop personalization 
     Do not sync browser settings 
     Do not sync on metered connections 
     File Classification Infrastructure: Display Classification tab in File Explorer 
     File Classification Infrastructure: Specify classification properties list 
     Enable access-denied assistance on client for all file types 
     Clear history of tile notifications on exit 
     Prevent users from uninstalling applications from Start 
     Show "Run as different user" command on Start 
     Do not allow taskbars on more than one display 
     Set IP Stateless Autoconfiguration Limits State 
     Specify default connection URL 
     Limit maximum display resolution 
     Suspend user sign-in to complete app registration 
     Configure image quality for RemoteFX Adaptive Graphics 
     Configure RemoteFX Adaptive Graphics 
     Allow RDP redirection of other supported RemoteFX USB devices from this computer 
     Configure RemoteFX 
     Optimize visual experience when using RemoteFX 
     Enable RemoteFX encoding for RemoteFX clients designed for Windows Server 2008 R2 SP1 
     Select network detection on the server 
     Select RDP transport protocols 
     Turn Off UDP On Client 
     Turn off Fair Share CPU Scheduling 
     Use the hardware default graphics adapter for all Remote Desktop Services sessions 
     Configure image quality for RemoteFX Adaptive Graphics 
     Configure RemoteFX Adaptive Graphics 
     Enable Remote Desktop Protocol 8.0 
     Select network detection on the server 
     Select RDP transport protocols 
     Turn Off UDP On Client 
     Turn on TPM backup to Active Directory Domain Services 
     Configure the level of TPM owner authorization information available to the operating system 
     Standard User Lockout Duration 
     Standard User Individual Lockout Threshold 
     Standard User Total Lockout Threshold 
     User management of sharing user name, account picture, and domain information with apps (not desktop apps) 
     Download roaming profiles on primary computers only 
     Set user home folder 
     Choose drive encryption method and cipher strength 
     Configure use of passwords for operating system drives 
     Reset platform validation data after BitLocker recovery 
     Disallow standard users from changing the PIN or password 
     Use enhanced Boot Configuration Data validation profile 
     Enforce drive encryption type on operating system drives 
     Allow network unlock at startup 
     Enable use of BitLocker authentication requiring preboot keyboard input on slates 
     Allow Secure Boot for integrity validation 
     Enforce drive encryption type on fixed data drives 
     Enforce drive encryption type on removable data drives 
     Prohibit connection to non-domain networks when connected to domain authenticated network 
     Minimize the number of simultaneous connections to the Internet or a Windows Domain 
     Prohibit connection to roaming Mobile Broadband networks 
     Disable power management in connected standby mode 
     Location where all default Library definition files for users/machines reside. 
     Start File Explorer with ribbon minimized 
     Location where all default Library definition files for users/machines reside. 
     Configure Windows SmartScreen 
     Show lock in the user tile menu 
     Show sleep in the power options menu 
     Show hibernate in the power options menu 
     Do not show the 'new application installed' notification 
     Start File Explorer with ribbon minimized 
     Set a default associations configuration file 
     Allow the use of remote paths in file shortcut icons 
     Disallow WinRM from storing RunAs credentials 
     Require use of fast startup 
     Turn off the Store application 
     Turn off the Store application 
     Allow Store to install apps on Windows To Go workspaces 
     Turn off Automatic Download of updates 
     Set Cost 
     Turn off tile notifications 
     Turn off toast notifications 
     Turn off toast notifications on the lock screen 
     Turn off notifications network usage 
     Set 3G Cost 
     Set 4G Cost 

    Windows 8.1

    For full details, download the following file

     Policy Setting Name 
     
     Allow development of Windows Store apps without installing a developer license 
     Prevent enabling lock screen slide show 
     Prevent enabling lock screen camera 
     Force a specific background and accent color 
     Force a specific Start background 
     Force a specific default lock screen image 
     Allow users to select when a password is required when resuming from connected standby 
     Restrict delegation of credentials to remote servers 
     Prevent adding
     App switching 
     Charms 
     WinX 
     Automatically send memory dumps for OS-generated error reports 
     Automatically send memory dumps for OS-generated error reports 
     Configure Group Policy Caching 
     Configure Logon Script Delay 
     Turn off loading websites and content in the background to optimize performance 
     Turn on the swiping motion on Internet Explorer for the desktop 
     Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows 
     Allow Internet Explorer to use the SPDY/3 network protocol 
     Turn off phone number detection 
     Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar 
     Don't run antimalware programs against ActiveX controls 
     Turn off loading websites and content in the background to optimize performance 
     Turn on the swiping motion on Internet Explorer for the desktop 
     Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows 
     Allow Internet Explorer to use the SPDY/3 network protocol 
     Turn off phone number detection 
     Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar 
     Don't run antimalware programs against ActiveX controls 
     Prevent deleting ActiveX Filtering
     Prevent deleting ActiveX Filtering
     Allow cut
     KDC support for claims
     Kerberos client support for claims
     Automatic Maintenance Random Delay 
     Use DNS name resolution when a single-label domain name is used
     At logoff
     Run Windows PowerShell scripts first at computer startup
     Run Windows PowerShell scripts first at user logon
     Run Windows PowerShell scripts first at user logon
     Disable indexing of removable drives 
     Don't search the web or display web results in Search 
     Don't search the web or display web results in Search over metered connections 
     Set what information is shared in Search 
     Set the SafeSearch setting for Search 
     Do not sync Apps 
     Do not sync start settings 
     Pin Apps to Start when installed 
     Start Screen Layout 
     Default 
     Default app 
     Default search 
     Sort 
     Multimon 
     Pin Apps to Start when installed 
     Start Screen Layout 
     Remove and prevent access to the Shut Down
     For tablet pen input
     For tablet pen input
     For touch input
     For touch input
     Include rarely used Chinese
     Include rarely used Chinese
     Set remote control session UAC desktop 
     Use advanced RemoteFX graphics for RemoteApp 
     Set remote control session UAC desktop 
     Set remote control permission request timeout 
     Enable Remote Desktop Protocol 8.0 
     User management of sharing user name
     Choose drive encryption method and cipher strength (Windows Vista
     Configure TPM platform validation profile (Windows Vista
     Allow antimalware service to startup with normal priority 
     Turn on virus definitions 
     Configure local administrator merge behavior for lists 
     Define addresses to bypass proxy server 
     Define proxy server for connecting to the network 
     Randomize scheduled task times 
     Allow antimalware service to remain running always 
     Extension Exclusions 
     Path Exclusions 
     Process Exclusions 
     Turn on protocol recognition 
     Turn on definition retirement 
     Define the rate of detection events for logging 
     IP address range Exclusions 
     Port number Exclusions 
     Process Exclusions for outbound traffic 
     Threat ID Exclusions 
     Specify additional definition sets for network traffic inspection 
     Configure local setting override for the removal of items from Quarantine folder 
     Configure removal of items from Quarantine folder 
     Turn on behavior monitoring 
     Turn on Information Protection Control 
     Turn on network protection against exploits of known vulnerabilities 
     Scan all downloaded files and attachments 
     Monitor file and program activity on your computer 
     Turn on raw volume write notifications 
     Turn on process scanning whenever real-time protection is enabled 
     Define the maximum size of downloaded files and attachments to be scanned 
     Configure local setting override for turn on behavior monitoring 
     Configure local setting override for monitoring file and program activity on your computer 
     Configure local setting override to turn off Intrusion Prevention System 
     Configure local setting override for scanning all downloaded files and attachments 
     Configure local setting override to turn on real-time protection 
     Configure local setting override for monitoring for incoming and outgoing file activity 
     Configure monitoring for incoming and outgoing file and program activity 
     Configure local setting override for the time of day to run a scheduled full scan to complete remediation 
     Specify the day of the week to run a scheduled full scan to complete remediation 
     Specify the time of day to run a scheduled full scan to complete remediation 
     Configure time out for detections requiring additional action 
     Configure time out for detections in critically failed state 
     Configure Watson events 
     Configure time out for detections in non-critical failed state 
     Configure time out for detections in recently remediated state 
     Configure Windows software trace preprocessor components 
     Configure WPP tracing level 
     Allow users to pause scan 
     Specify the maximum depth to scan archive files 
     Specify the maximum size of archive files to be scanned 
     Specify the maximum percentage of CPU utilization during a scan 
     Scan archive files 
     Turn on catch-up full scan 
     Turn on catch-up quick scan 
     Turn on e-mail scanning 
     Turn on heuristics 
     Scan packed executables 
     Scan removable drives 
     Turn on reparse point scanning 
     Create a system restore point 
     Run full scan on mapped network drives 
     Scan network files 
     Configure local setting override for maximum percentage of CPU utilization 
     Configure local setting override for the scan type to use for a scheduled scan 
     Configure local setting override for schedule scan day 
     Configure local setting override for scheduled quick scan time 
     Configure local setting override for scheduled scan time 
     Turn on removal of items from scan history folder 
     Specify the interval to run quick scans per day 
     Start the scheduled scan only when computer is on but not in use 
     Specify the scan type to use for a scheduled scan 
     Specify the day of the week to run a scheduled scan 
     Specify the time for a daily quick scan 
     Specify the time of day to run a scheduled scan 
     Define the number of days before spyware definitions are considered out of date 
     Define the number of days before virus definitions are considered out of date 
     Define file shares for downloading definition updates 
     Turn on scan after signature update 
     Allow definition updates when running on battery power 
     Initiate definition update on startup 
     Define the order of sources for downloading definition updates 
     Allow definition updates from Microsoft Update 
     Allow real-time definition updates based on reports to Microsoft MAPS 
     Specify the day of the week to check for definition updates 
     Specify the time to check for definition updates 
     Allow notifications to disable definitions based reports to Microsoft MAPS 
     Define the number of days after which a catch-up definition update is required 
     Specify the interval to check for definition updates 
     Check for the latest virus and spyware definitions on startup 
     Configure local setting override for reporting to Microsoft MAPS 
     Specify threats upon which default action should not be taken when detected 
     Specify threat alert levels at which default action should not be taken when detected 
     Display notifications to clients when they need to perform actions 
     Display additional text to clients when they need to perform an action 
     Always automatically restart at the scheduled time 
     Specify Work Folders settings 
     Turn off tile notifications 
     Turn off toast notifications 
     Turn off toast notifications on the lock screen 
     Turn off notifications network usage 
     Turn off Quiet Hours 
     Set the time Quiet Hours begins each day 
     Set the time Quiet Hours ends each day 
     Turn off calls during Quiet Hours 
     Set 3G Cost 
     Set 4G Cost 
  • ConfigMgr 2012 Version Numbers

    Hi all,

    As requested, I've just listed all the ConfigMgr 2012 released versions in a table below. We will do our best to keep this up to date as new updates are released. Note that the Client and Console versions will be exactly the same as the Release/Update version.

    To see how to view the version see Matt’s earlier blog here. If you want to confirm a CU update see Neil’s blog here.

    Release/Update          Version         Build
    ----------------------  --------------  -----
    ConfigMgr 2012 RTM      5.00.7711.0000  7711
    ConfigMgr 2012 SP1      5.00.7804.1000  7804
    ConfigMgr 2012 SP1 CU1  5.00.7804.1202  7804
    ConfigMgr 2012 SP1 CU2  5.00.7804.1300  7804
    ConfigMgr 2012 SP1 CU3  5.00.7804.1400  7804
    ConfigMgr 2012 SP1 CU4  5.00.7804.1500  7804
    ConfigMgr 2012 SP1 CU5  5.00.7804.1600  7804
    ConfigMgr 2012 SP2      5.00.8239.1000  8239
    ConfigMgr 2012 R2       5.00.7958.1000  7958
    ConfigMgr 2012 R2 CU1   5.00.7958.1203  7958
    ConfigMgr 2012 R2 CU2   5.00.7958.1303  7958
    ConfigMgr 2012 R2 CU3   5.00.7958.1401  7958
    ConfigMgr 2012 R2 CU4   5.00.7958.1501  7958
    ConfigMgr 2012 R2 CU5   5.00.7958.1604  7958
    ConfigMgr 2012 R2 SP1   5.00.8239.1000  8239
  • ConfigMgr 2012 Windows Update Client Process

    Hi Gang!

    So I provided this information to one of my customers recently, and Georgy said it would be quite helpful for you dedicated ConfigMgrDogs readers too, so here it is.

    This is a high-level view of the Windows Update process from the ConfigMgr client's point of view, using a Software Update Point (SUP).

    The Software Update process from the ConfigMgr client

    Following the flow

    After refreshing machine policy, kick off the Software Update Scan Cycle. WUAHandler.log (C:\Windows\CCM\Logs\WUAHandler.log) then shows that the scan cycle has started.

    The Windows Update Handler then triggers the Windows Update service to scan against the ConfigMgr SUP (C:\Windows\WindowsUpdate.log).

    image

    After the scan is completed, we then run the Software Update Deployment Evaluation Cycle. Use the UpdatesDeployment.log to view this process (C:\Windows\CCM\Logs\UpdatesDeployment.log)

    image

    The Content Access Service finds the content on the CMPRI-MATTSLABS Distribution Point and downloads it

    image

    Update Deployment attempts to install updates, Service Window Manager blocks the installation (C:\Windows\CCM\Logs\UpdatesDeployment.log)

    SNAGHTMLad0f073

    Service Window Manager blocking the installation (C:\Windows\CCM\Logs\ServiceWindowManager.log)

    clip_image002

    And when the window opens, the updates should install. Check the UpdatesDeployment.log

    image

    Also, the WindowsUpdate.log success

    image

    And reboot if required (and scheduled)

    image

    image
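    The same flow driven from PowerShell on the client, added here as an example and not part of the post: it fires the three client cycles through SMS_Client.TriggerSchedule (the schedule IDs are the client's documented ones), reads each update's EvaluationState back from CCM_SoftwareUpdate (the decoding table is an assumption taken from that class's documentation), and tails the log the post names at each step.

```powershell
# Added example (not the post's code). Requires PowerShell 3.0+ and a ConfigMgr
# client; run elevated. ComputerName defaults to the local machine.
$Schedules = [ordered]@{
    'Machine Policy Retrieval & Evaluation Cycle'  = '{00000000-0000-0000-0000-000000000021}'
    'Software Updates Scan Cycle'                  = '{00000000-0000-0000-0000-000000000113}'
    'Software Updates Deployment Evaluation Cycle' = '{00000000-0000-0000-0000-000000000108}'
}
# Assumption: EvaluationState meanings as documented for CCM_SoftwareUpdate
$EvaluationState = @{
     0 = 'None';              1 = 'Available';         2 = 'Submitted';   3 = 'Detecting'
     4 = 'PreDownload';       5 = 'Downloading';       6 = 'WaitInstall'; 7 = 'Installing'
     8 = 'PendingSoftReboot'; 9 = 'PendingHardReboot'; 10 = 'WaitReboot'; 11 = 'Verifying'
    12 = 'InstallComplete';  13 = 'Error';            14 = 'WaitServiceWindow'
}

function Start-CcmUpdateCycles {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$PauseSeconds = 60)
    foreach ($name in $Schedules.Keys) {
        Write-Verbose "Triggering $name on $ComputerName"
        Invoke-WmiMethod -ComputerName $ComputerName -Namespace root\ccm -Class SMS_Client `
            -Name TriggerSchedule -ArgumentList $Schedules[$name] | Out-Null
        # The scan has to finish before deployment evaluation means anything; the pause
        # is a simple stand-in for watching WUAHandler.log for the scan to complete.
        Start-Sleep -Seconds $PauseSeconds
    }
}

function Get-CcmUpdateStatus {
    # One row per update the client knows about, with the state decoded
    param([string]$ComputerName = $env:COMPUTERNAME)
    Get-WmiObject -ComputerName $ComputerName -Namespace root\ccm\ClientSDK -Class CCM_SoftwareUpdate |
        ForEach-Object {
            $code = [int]$_.EvaluationState
            $meaning = if ($EvaluationState.ContainsKey($code)) { $EvaluationState[$code] } else { "Other ($code)" }
            [pscustomobject]@{
                ArticleID       = $_.ArticleID
                Name            = $_.Name
                EvaluationState = $code
                Meaning         = $meaning        # WaitServiceWindow matches the blocked step above
                PercentComplete = $_.PercentComplete
            }
        }
}

function Get-CcmLogTail {
    # Tail one of the client logs the flow above points at
    param([ValidateSet('WUAHandler', 'UpdatesDeployment', 'ServiceWindowManager')]
          [string]$Log = 'WUAHandler',
          [int]$Lines = 20)
    Get-Content -Path (Join-Path $env:windir "CCM\Logs\$Log.log") -Tail $Lines
}

Start-CcmUpdateCycles -Verbose
Get-CcmUpdateStatus | Format-Table -AutoSize
Get-CcmLogTail -Log UpdatesDeployment
```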

    Update: An ex-colleague reached out to me to add some extra info around the process for the SCEP update trigger. As my SCEP knowledge isn't the greatest, it's something I'll be sure to remember and very helpful for the community.

    The key difference that I can see is that the SCEP definition update initiates from the AntiMalware Policy configuration, not from the Endpoint client settings where I expected to see it, or from the Software Updates Schedule client setting. As opposed of course to Software Update scanning and installation as per your post. Also, triggering a manual SCEP definition update is only done from the SCEP client and not the SCCM client actions, from what I've seen so far.


    Thanks David!

  • Applying Windows Updates to a base WIM using DISM and Powershell

    Manual installation

    Firstly, locate your most up to date image and make a copy of it. This is so we can
    stream the newest Windows Updates into the mounted WIM without risk of damaging
    a working WIM. I suggest copying the WIM to a temp location. Also, put the
    Windows Update that you want to apply into an Updates folder.

    Next, mount your image in the temp location.

    DISM /Mount-Wim /WimFile:C:\TempMount\install.wim /index:1 /Mountdir:C:\TempMount\Mount

    Now inject the Windows Update you need to apply

    DISM /image:C:\TempMount\Mount /Add-Package /Packagepath:C:\Updates\

    Finally, save and unmount the image.

    DISM /Unmount-Wim /Mountdir:C:\TempMount\Mount /commit
    DISM /Cleanup-Wim

    Automating the installation

    While running updates manually like this is an easy way to apply a few updates, hundreds of updates require more work. Here’s how you would apply the updates using PowerShell.

    # Folder of updates to inject, the mount directory and the copied WIM
    $UpdatesPath = "C:\Updates\*"
    $MountPath = "C:\TempMount\Mount"
    $WimFile = "C:\TempMount\install.wim"
    # Mount index 1 of the WIM read/write
    DISM /Mount-Wim /WimFile:$WimFile /index:1 /Mountdir:$MountPath
    # Get-Item with the wildcard returns one item per file in the Updates folder
    $UpdateArray = Get-Item $UpdatesPath
    ForEach ($Update in $UpdateArray)
    {
        # Inject each update into the mounted image, pausing briefly between packages
        DISM /image:$MountPath /Add-Package "/Packagepath:$($Update.FullName)"
        Start-Sleep -Seconds 10
    }
    Write-Host "Updates Applied to WIM"
    # Commit the changes, unmount, and release the mount resources
    DISM /Unmount-Wim /Mountdir:$MountPath /commit
    DISM /Cleanup-Wim

    Using SCCM 2007 Deployment Packages makes getting these updates really simple. Package up the updates like you would normally, then set the $UpdatesPath variable above to the SMS package location.
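    A hardened version of the same script, added here as an example and not the post's own code: every update is checked for a valid Authenticode signature from Microsoft before DISM injects it, each DISM exit code is checked, and a failure discards the mount instead of committing a half-patched image. Paths are the post's; the signer filter and the .msu/.cab file types are assumptions.

```powershell
# Added example (not the post's script). PowerShell 3.0+, run elevated.
$UpdatesPath = 'C:\Updates'
$MountPath   = 'C:\TempMount\Mount'
$WimFile     = 'C:\TempMount\install.wim'

function Test-UpdateSignature {
    # True only if the file carries a valid Authenticode chain and a Microsoft signer
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid' -and
            $sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')
}

function Invoke-Dism {
    # Run dism.exe and turn a non-zero exit code into a terminating error
    param([Parameter(Mandatory)][string[]]$Arguments)
    & dism.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "DISM $($Arguments[0]) failed with exit code $LASTEXITCODE" }
}

$updates = Get-ChildItem -Path $UpdatesPath -Recurse -File -Include *.msu, *.cab
if (-not $updates) { throw "No .msu/.cab updates found under $UpdatesPath" }

# Reject the whole batch if any file is unsigned, tampered with, or signed by someone else
$rejected = $updates | Where-Object { -not (Test-UpdateSignature -Path $_.FullName) }
if ($rejected) {
    $rejected | ForEach-Object { Write-Warning "Rejected (bad or missing signature): $($_.FullName)" }
    throw 'Refusing to inject unsigned or untrusted updates'
}

Invoke-Dism @('/Mount-Wim', "/WimFile:$WimFile", '/Index:1', "/MountDir:$MountPath")
try {
    foreach ($update in $updates) {
        Invoke-Dism @("/Image:$MountPath", '/Add-Package', "/PackagePath:$($update.FullName)")
    }
    Invoke-Dism @('/Unmount-Wim', "/MountDir:$MountPath", '/Commit')
    Write-Host "Applied $($updates.Count) signed updates to $WimFile"
}
catch {
    # Never commit a partially patched image: throw the mount away, then re-raise
    & dism.exe /Unmount-Wim "/MountDir:$MountPath" /Discard | Out-Null
    throw
}
finally {
    & dism.exe /Cleanup-Wim | Out-Null
}
```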

    Happy patching!

    Matt Shadbolt

  • ConfigMgr 2012 Automatic Deployment Rules

     

    In CM12 we have a number of changes in Software Updates. One of the most anticipated ones is Automatic Deployment Rules.

    Yes, finally, I hear you say….

    Well, let's run through creating an Auto Deployment Rule and one little gotcha to keep your eye on.

    In the Console we select

     Software Library > Software Updates > Automatic Deployment Rules

    Choose Create Automatic Deployment Rule from the Ribbon or Right click on the mouse.

    In the first screen we can choose a Template.

    (Templates are no longer a node in the console; they are now created when creating an Auto Deployment Rule or manually deploying updates, and are saved at the Summary screen. I'll point this out later in the post.)

    You can Select to Add to an Existing Software Update Group or Create a new Software Update Group.

    If you select Add to an Existing Software Update Group, a brand new group will be created the first time the Auto Deployment Rule is run, and every time the rule runs after that the new updates are added to that group.

    (NOTE: You cannot create a Software Update Group manually and then create an Auto Deployment Rule to add new updates to that group. Even if you give it the same name and description, the Auto Deployment Rule will still create a new group. The group created at 6:02 pm was created manually. I then ran the Auto Deployment Rule at 6:07 pm and it created a group with a duplicate name and description.)

    If you select Create a new Software Update Group, every time the rule is run a new Software Update Group is created.

    You can also choose to Enable the deployment after the rule is run.

    Here you can choose to use Wake On LAN, and also decide whether to automatically deploy all updates and approve any license agreements, or deploy only updates that do not include license agreements.

    This is where you select the requirements to select the updates to auto approve.

     


    Here you can set a Schedule for the Rule to run. Potentially every Patch Tuesday or Daily for Forefront updates.

    Or you can run the rule manually.

    Similar to CM07 we can set the deployment schedule and whether the Deployment will be Mandatory.

    Set the User Experience, deadline behaviour and reboot suppression.

    We can now generate alerts if compliance falls below a certain threshold after a certain period of time. As before, we can select to disable alerts for Operations Manager.

    Set your Deployment options


    Either select an existing package or create a new one for the new updates


    Select a DP or DP Group


    Where to download the updates from


     

    Choose a language


    On the Summary screen you can Choose to Save your settings as a Template for future use


    We now see the new Rule in the console and we can choose to Run Now from the ribbon.


    The log file for troubleshooting is Ruleengine.log

    We can see the Auto Deployment Rule is kicked off

    We can see the Auto Deployment Rule is kicked off.

    Evaluating and downloading updates.

    Here we see it looking for an existing update group and not finding one, therefore creating a new Software Update Group and then adding the updates to that group.

    Back to the console. If we select Software Update Groups we now see the newly created Windows 7 Automatic Deployment group and the Deployment (yet to be enabled) on the tab below.

    When we select Show Members we can see the updates applied.

    And there you have it.

  • New logs in ConfigMgr 2012 – Client Logs

    With the new version of Configuration Manager, comes a bunch of new juicy logs. I’ll separate the posts into Client and Server. In this first instalment, I’ll cover off on the new logs found on your clients.

    The first thing you need to know, is the log location has changed slightly.

    Client logs can now be found at C:\Windows\CCM\Logs – rather than in the System32 or SysWoW64 directory

    AppDiscovery.log

    With the new ConfigMgr 2012 App Model, we now scan each machine at a regular period (default is every 7 days) and make sure that applications that should be installed on a machine are indeed installed. The AppDiscovery.log will show you the discovery engine (based on DCM) checking to make sure the app is installed.

    Performing detection of app deployment type MS_Silverlight(ScopeId_73F3BB5E-5EDC-4928-87BD-4E75EB4BBC34/DeploymentType_246b2460-f182-4916-959c-0a2c41c55ca0, revision 2) for system. AppDiscovery 3/05/2012 9:27:30 AM 7988 (0x1F34)

    +++ Application not discovered. [AppDT Id: ScopeId_73F3BB5E-5EDC-4928-87BD-4E75EB4BBC34/DeploymentType_246b2460-f182-4916-959c-0a2c41c55ca0, Revision: 2] AppDiscovery 3/05/2012 9:27:31 AM 7988 (0x1F34)

    Here we can see the WMI query for the Microsoft Silverlight application and it not being found. The AppDiscovery.log will then flag Silverlight for installation

    ActionType - Install will use Content Id: Content_b0e86929-a5f2-4154-b876-ed83965ce25d + Content Version: 1 for AppDT "MS_Silverlight" [ScopeId_73F3BB5E-5EDC-4928-87BD-4E75EB4BBC34/DeploymentType_246b2460-f182-4916-959c-0a2c41c55ca0], Revision - 2 AppDiscovery 3/05/2012 9:27:34 AM 12156 (0x2F7C)

    AppEnforce.log

    If an application should be installed, and the AppDiscovery doesn’t find it, the AppEnforce log should kick in with the installation routine

    +++ Starting Install enforcement for App DT "MS_Silverlight" ApplicationDeliveryType - ScopeId_73F3BB5E-5EDC-4928-87BD-4E75EB4BBC34/DeploymentType_246b2460-f182-4916-959c-0a2c41c55ca0, Revision - 2, ContentPath - C:\Windows\ccmcache\1a, Execution Context - SystemAppEnforce 3/05/2012 9:28:29 AM 7988 (0x1F34)

    A user is logged on to the system. AppEnforce 3/05/2012 9:28:29 AM 7988 (0x1F34)

    Performing detection of app deployment type MS_Silverlight(ScopeId_73F3BB5E-5EDC-4928-87BD-4E75EB4BBC34/DeploymentType_246b2460-f182-4916-959c-0a2c41c55ca0, revision 2) for system. AppEnforce 3/05/2012 9:28:29 AM 7988 (0x1F34)

    +++ Application not discovered. [AppDT Id: ScopeId_73F3BB5E-5EDC-4928-87BD-4E75EB4BBC34/DeploymentType_246b2460-f182-4916-959c-0a2c41c55ca0, Revision: 2] AppEnforce 3/05/2012 9:28:29 AM 7988 (0x1F34)

    App enforcement environment:

    Context: Machine

    Command line: "Silverlight.exe" /q

    Allow user interaction: No

    UI mode: 1

    User token: null

    Session Id: 4294967295

    Content path: C:\Windows\ccmcache\1a

    Working directory: AppEnforce 3/05/2012 9:28:29 AM 7988 (0x1F34)

    Prepared working directory: C:\Windows\ccmcache\1a AppEnforce 3/05/2012 9:28:29 AM 7988 (0x1F34)

    Prepared command line: "C:\Windows\ccmcache\1a\Silverlight.exe" /q AppEnforce 3/05/2012 9:28:33 AM 7988 (0x1F34)

    Executing Command line: "C:\Windows\ccmcache\1a\Silverlight.exe" /q with system context AppEnforce 3/05/2012 9:28:33 AM 7988 (0x1F34)

    Once the application has installed, it will rerun the application detection and this time succeed.

    +++ Discovered application [AppDT Id: ScopeId_73F3BB5E-5EDC-4928-87BD-4E75EB4BBC34/DeploymentType_246b2460-f182-4916-959c-0a2c41c55ca0, Revision: 2] AppEnforce 3/05/2012 9:29:41 AM 7988 (0x1F34)

    AppIntentEval.log

    AppIntentEval.log works with the two previous logs and should tell you which applications are required. You should see something like:

    ScopeId_73F3BB5E-5EDC-4928-87BD-4E75EB4BBC34/DeploymentType_246b2460-f182-4916-959c-0a2c41c55ca0/2 :- Current State = Installed, Applicability = Applicable, ResolvedState = Installed, Title = MS_Silverlight

    CCMVDIProvider.log

    The CCMVDIProvider.log will show you if the machine is a virtual or a physical machine

    EndpointProtectionAgent.log

    The EndpointProtectionAgent.log will only show you that the SCEP agent is/isn’t installed. It will not show you any information about definition updates. For SCEP definition updates and SCEP functionality, you’ll find a bunch of logs in C:\ProgramData\Microsoft\Microsoft Antimalware\Support

    ExpressionSolver.log

    ExpressionSolver.log is a log that records MSI discovery. This log is only available when verbose logging is enabled

    ExternalEventAgent.log

    The ExternalEventAgent shows all of the state messages sent from SCEP, into the CCM client. The CCM client will then process this state message as it would any internal state message.

    FileSystemFile.log

    This log file records all Software Inventory file system scans. You can see in the log file below, that we’re looking for qmgr.dll, scrnsave.exe, scrnsave.scr and msiexec in the System32 directory.

    Query = SELECT __class, __path, __relpath, name, path, lastwritedate, size, companyname, productname, productversion, productlanguage, fileversion, filedescription FROM FileSystemFile WHERE name = 'qmgr.dll|scrnsave.exe|scrnsave.scr|msiexec.exe' and path = '%windir%\\system32\\*' and iscompressed = false and isencrypted = false; Timeout = 14400 secs; ScanInterval = 2 msecs; SkipFile = skpswi.dat

    SCNotify.log

    You’ll see a bunch of SCNotify logs in your logs directory. This log describes the user notification for new applications. In the log you’ll see a bunch of WMI calls, and whether or not applications should notify the user of their availability

    This software should not display a user notification balloon, removing it from the available notification list.

    SoftwareCatalogUpdateEndpoint.log

    The SoftwareCatalogUpdateEndpoint log will show any changes to the Software Catalog URL and will show the URL being added to the Trusted Sites list in Internet Explorer

    CSoftwareCatalogUpdateHandler::StartUpdateTrustedSitesProcess: Started UpdateTrustedSites process
    CSoftwareCatalogUpdateHandler::SetCatalogSecurity: Updating the registry for Software Catalog.

    SoftwareCenterSystemTasks.log

    This log will show you the Software Center notifications and whether or not the Software Center is installed and healthy.

    UpdateTrustedSites.log

    The UpdateTrustedSites logs the actual updates after the SoftwareCatalogUpdateEndpoint reports that the URL needs to be added to the Trusted Sites

    CSoftwareCatalogUpdateHandler::AddDefaultPortalToTrustedSites: Catalog Url should be added to the trusted sites zone. UpdateTrustedSites 18/05/2012 1:13:32 PM 14172 (0x375C)

    AddDefaultPortalToTrustedSites: url = http://applicationcatalog.yourdomain.com:80, zone = 258 UpdateTrustedSites 18/05/2012 1:13:32 PM 14172 (0x375C)

    UserAffinity.log

    With the new 2012 App Model, we need to determine which users are primary users of a device. The UserAffinity log will show which users have been added as primary users, and the method for determining the primary user

    Auto affinity threshold settings Days = '21', User Minutes = '2880', AutoApproveAffinity = '1'. UserAffinity 18/05/2012 1:12:33 PM 14332 (0x37FC)

    No WMI instance. Setting an affinity. UserAffinity 18/05/2012 1:12:45 PM 14332 (0x37FC)

    Setting auto affinity for user 'yourdomain\mattshadbolt'. UserAffinity 18/05/2012 1:12:45 PM 14332 (0x37FC)

    Successfully sent user affinity state message for user ‘yourdomain\mattshadbolt'. UserAffinity 18/05/2012 1:12:45 PM 14332 (0x37FC)

    Successfully saved user affinity data for user ‘yourdomain\mattshadbolt' into WMI. UserAffinity 18/05/2012 1:12:45 PM 14332 (0x37FC)

    We can see that AutoApproveAffinity is enabled, so any user who has used the machine for 2880 minutes or more within the 21-day window is automatically set as a primary user.
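    Parsing and triaging lines in the rendered format quoted throughout this post, added here as an example that is not part of the post. It assumes the d/MM/yyyy date order seen in those lines; the sample set is four lines copied from the post plus one constructed line with an unexpected catalog host, and the allowed host is an assumption.

```powershell
# Added example (not the post's code). PowerShell 3.0+.
# Rendered line shape: <message> <Component> <d/MM/yyyy> <h:mm:ss AM|PM> <thread> (0xhex)
$LineRegex = '^(?<msg>.+?)\s+(?<comp>[A-Za-z]+)\s+(?<date>\d{1,2}/\d{2}/\d{4})\s+' +
             '(?<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+(?<tid>\d+)\s+\((?<hex>0x[0-9A-Fa-f]+)\)\s*$'

function ConvertFrom-CcmLogLine {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        if ($Line -match $LineRegex) {
            [pscustomobject]@{
                Time      = [datetime]::ParseExact("$($Matches.date) $($Matches.time)",
                                'd/MM/yyyy h:mm:ss tt', [Globalization.CultureInfo]::InvariantCulture)
                Component = $Matches.comp
                ThreadId  = [int]$Matches.tid
                Message   = $Matches.msg
            }
        }
    }
}

function Find-UnexpectedTrustedSite {
    # UpdateTrustedSites entries whose catalog URL host is not one we expect to see
    param([Parameter(Mandatory)][object[]]$Entries,
          [Parameter(Mandatory)][string[]]$AllowedHosts)
    foreach ($e in $Entries) {
        if ($e.Component -ne 'UpdateTrustedSites') { continue }
        if ($e.Message -match 'url = (?<url>\S+), zone = (?<zone>\d+)') {
            $url = $Matches.url
            $uri = [uri]$url
            if ($AllowedHosts -notcontains $uri.Host) {
                [pscustomobject]@{ Time = $e.Time; Url = $url; Zone = [int]$Matches.zone }
            }
        }
    }
}

function Get-UndiscoveredAppDT {
    # AppDT ids reported "Application not discovered" and never later "Discovered application"
    param([Parameter(Mandatory)][object[]]$Entries)
    $missing = @{}
    $found   = @{}
    foreach ($e in $Entries) {
        if ($e.Message -match '\[AppDT Id: (?<id>[^,\]]+)') {
            if     ($e.Message -like '*Application not discovered*') { $missing[$Matches.id] = $e.Time }
            elseif ($e.Message -like '*Discovered application*')     { $found[$Matches.id]   = $e.Time }
        }
    }
    $missing.Keys | Where-Object { -not $found.ContainsKey($_) }
}

# Four lines copied from the post, plus one constructed line (catalog.example.net)
$SampleLines = @(
    'Performing detection of app deployment type MS_Silverlight(ScopeId_73F3BB5E-5EDC-4928-87BD-4E75EB4BBC34/DeploymentType_246b2460-f182-4916-959c-0a2c41c55ca0, revision 2) for system. AppDiscovery 3/05/2012 9:27:30 AM 7988 (0x1F34)'
    '+++ Application not discovered. [AppDT Id: ScopeId_73F3BB5E-5EDC-4928-87BD-4E75EB4BBC34/DeploymentType_246b2460-f182-4916-959c-0a2c41c55ca0, Revision: 2] AppDiscovery 3/05/2012 9:27:31 AM 7988 (0x1F34)'
    '+++ Discovered application [AppDT Id: ScopeId_73F3BB5E-5EDC-4928-87BD-4E75EB4BBC34/DeploymentType_246b2460-f182-4916-959c-0a2c41c55ca0, Revision: 2] AppEnforce 3/05/2012 9:29:41 AM 7988 (0x1F34)'
    'AddDefaultPortalToTrustedSites: url = http://applicationcatalog.yourdomain.com:80, zone = 258 UpdateTrustedSites 18/05/2012 1:13:32 PM 14172 (0x375C)'
    'AddDefaultPortalToTrustedSites: url = http://catalog.example.net:80, zone = 258 UpdateTrustedSites 18/05/2012 1:14:05 PM 14172 (0x375C)'
)

$entries = $SampleLines | ConvertFrom-CcmLogLine
$entries | Group-Object Component | Select-Object Name, Count
Find-UnexpectedTrustedSite -Entries $entries -AllowedHosts 'applicationcatalog.yourdomain.com'
Get-UndiscoveredAppDT -Entries $entries    # empty here: Silverlight was discovered after enforcement
```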

    So that's it! If you find any other logs that weren’t around in 2007, please let me know and I’ll do my best to cover them!

    Matt Shadbolt

     

  • Software Update Compliance Reports – Detection State Unknown

    I have been working with a number of customers recently that have had issues running their monthly Software Update compliance reports due to a high number of “DETECTION STATE UNKNOWN” results reporting back long after the update deployment has successfully run.

    As usual the first thing we want to identify is whether it is on the client side or server side.

    State Message IDs define the specific state messages for each topic type. For our issue, a Software Updates state message has TopicType=500 and a State Message ID of 0, 1, 2 or 3, which gives the actual state of the given update on a client machine, as below:

    Topic Type   State Message ID   State Message Description
    500          0                  Detection state unknown
    500          1                  Update is not required
    500          2                  Update is required
    500          3                  Update is installed

    To determine what information your clients are sending back to your Management Point we can use WMI queries to see what is happening on the client.

    1. Open wbemtest with elevated permissions


    2. Connect to the WMI Namespace: root\CCM\StateMsg


    3. Select Query and run the query  SELECT * FROM CCM_StateMsg


    Find any software update deployment (look for “TopicType=500”) and check the values MessageSent, StateID and TopicType, annotated in the example below. These determine whether the client has actually sent a message back to the MP and, if so, what it sent. If we see it sent back a “0” and we confirm that the KBs are installed, then we know it is something on the client side; we would expect to see 1, 2 or 3 depending on the state listed above.


    Example below (the comments after the values are the author's annotations):

    instance of CCM_StateMsg
    {
        Criticality = 0;
        MessageSent = TRUE;                                // Message is sent
        MessageTime = "20101027211908.749000+000";         // UTC time
        ParamCount = 1;
        StateDetails = "";
        StateDetailsType = 0;
        StateID = 2;                                       // Update is required
        TopicID = "9d4681d5-46fa-4250-bedc-480ac7bce3aa";
        TopicIDType = 3;
        TopicType = 500;                                   // Update Detection
        UserFlags = 0;
        UserParameters = {"102"};
    };
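    The same CCM_StateMsg query run from PowerShell instead of wbemtest, added here as an example that is not the post's code. The StateID decoding is the table above, and the verdict logic follows the post's client-side versus server-side reasoning; ComputerName defaults to the local machine.

```powershell
# Added example (not the post's code). PowerShell 3.0+, run elevated.
$UpdateState = @{
    0 = 'Detection state unknown'
    1 = 'Update is not required'
    2 = 'Update is required'
    3 = 'Update is installed'
}

function Get-CcmUpdateStateMessage {
    # One object per TopicType 500 state message, with StateID decoded and the
    # DMTF MessageTime (e.g. 20101027211908.749000+000, UTC) converted to local time
    param([string]$ComputerName = $env:COMPUTERNAME)
    Get-WmiObject -ComputerName $ComputerName -Namespace 'root\ccm\StateMsg' `
                  -Query 'SELECT * FROM CCM_StateMsg WHERE TopicType = 500' |
    ForEach-Object {
        $id = [int]$_.StateID
        $state = if ($UpdateState.ContainsKey($id)) { $UpdateState[$id] } else { "Unexpected ($id)" }
        $when = $null
        if ($_.MessageTime) {
            $when = [Management.ManagementDateTimeConverter]::ToDateTime($_.MessageTime)
        }
        [pscustomobject]@{
            TopicID     = $_.TopicID
            StateID     = $id
            State       = $state
            MessageSent = [bool]$_.MessageSent
            MessageTime = $when
        }
    }
}

function Get-CcmUpdateStateSummary {
    # A client that itself sent StateID 0 points at the client; states that were
    # evaluated but never sent point at delivery; otherwise look at the server side.
    param([Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Messages)
    $unknown = @($Messages | Where-Object { $_.StateID -eq 0 -and $_.MessageSent })
    $unsent  = @($Messages | Where-Object { -not $_.MessageSent })
    if ($unknown.Count -gt 0) {
        $verdict = 'Client sent StateID 0: confirm the KBs are installed, then troubleshoot the client'
    } elseif ($unsent.Count -gt 0) {
        $verdict = 'States evaluated but not sent: check state message delivery to the MP'
    } else {
        $verdict = 'Client reported 1/2/3 for everything: look at server-side processing'
    }
    [pscustomobject]@{
        Total   = $Messages.Count
        ByState = ($Messages | Group-Object State | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
        Unknown = $unknown.Count
        Unsent  = $unsent.Count
        Verdict = $verdict
    }
}

$messages = @(Get-CcmUpdateStateMessage)
$messages | Sort-Object MessageTime -Descending | Format-Table -AutoSize
Get-CcmUpdateStateSummary -Messages $messages
```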

    Hope this helps..

  • Orchestrator 2012 Logging and Debug Logging

     

    Hi All,

    If you’ve started playing with Orchestrator I have detailed the areas where you can look for issues with your Runbooks and other components.

     

    Runbook Designer

    Log Tab

    Firstly, you can look at the Log tab while your Runbook is executing.

     


    Log History Tab

    Or after it is complete you can check the Log History tab

     


    Double Click on the entry you want to review and then check the status for each Activity.


    To control the level of detail available you need to go to the properties of each individual Runbook and select Store Activity-specific Published Data and/or Store Common Published Data. NOTE: this is only recommended in Dev and Test, not Production, as these may significantly increase the size of your database (see the TechNet reference Database Sizing and Performance for details).

    Do not have these turned on in Production unless you are troubleshooting.


    Events

    We can also get some useful information from the Events tab


    Log Files

    Another area is the component logs for Debug Logging.

    Thank you to Jeffrey Fanjoy, a senior support escalation engineer based in the US, for this information.

    If you go to the following registry key

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\SystemCenter2012\Orchestrator\TraceLogger

    on a box with the Runbook Designer or Runbook Server, you will see that for each component there is a LogFolder and a LogLevel value. LogFolder shows you where the actual log sits and LogLevel is the verbosity level. (NOTE: you may need to restart the services or the server before this takes effect.)

    Log Level   Detail
    1           Errors
    3           Errors and warnings
    7           Errors, warnings and information


    Just keep in mind that the higher the verbosity the more information that will get put into the log so it should only be used for troubleshooting purposes and should not be left on by default.
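    Reading and adjusting those TraceLogger settings from PowerShell, added here as an example that is not the post's code. The key path and the 1/3/7 table are the post's; that each component is a subkey holding LogFolder and LogLevel, and that the level is a bitmask (1 errors, 2 warnings, 4 information), are assumptions inferred from the post.

```powershell
# Added example (not the post's code). PowerShell 3.0+, run elevated on the
# Runbook Designer or Runbook Server box.
$TraceLoggerKey = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\SystemCenter2012\Orchestrator\TraceLogger'

function ConvertTo-TraceLevelName {
    # Assumption: bitmask decoding consistent with the post's 1 / 3 / 7 table
    param([int]$Level)
    $parts = @()
    if ($Level -band 1) { $parts += 'Errors' }
    if ($Level -band 2) { $parts += 'Warnings' }
    if ($Level -band 4) { $parts += 'Information' }
    if ($parts.Count -eq 0) { return 'Off' }
    return ($parts -join ', ')
}

function Get-OrchestratorTraceConfig {
    # One row per component subkey: where its log goes and how verbose it is
    param([string]$Key = $TraceLoggerKey)
    Get-ChildItem -Path $Key | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        $level = [int]$props.LogLevel
        [pscustomobject]@{
            Component = $_.PSChildName
            LogFolder = $props.LogFolder
            LogLevel  = $level
            Detail    = ConvertTo-TraceLevelName -Level $level
        }
    }
}

function Set-OrchestratorTraceLevel {
    # Change one component's LogLevel and return the previous level so a
    # troubleshooting session can put it back. Services must be restarted
    # for the change to take effect, as the post notes.
    param([Parameter(Mandatory)][string]$Component,
          [Parameter(Mandatory)][ValidateSet(1, 3, 7)][int]$Level,
          [string]$Key = $TraceLoggerKey)
    $path = Join-Path -Path $Key -ChildPath $Component
    if (-not (Test-Path -Path $path)) { throw "No TraceLogger component named '$Component'" }
    $previous = [int](Get-ItemProperty -Path $path -Name LogLevel).LogLevel
    if ($Level -eq 7) {
        Write-Warning "Level 7 on $Component grows the log quickly; reset it to $previous when done"
    }
    # No -Type given, so the existing registry value type is preserved
    Set-ItemProperty -Path $path -Name LogLevel -Value $Level
    return $previous
}

Get-OrchestratorTraceConfig | Format-Table -AutoSize
```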

  • WMI / Powershell and the Configuration Manager Client

    A bit about me first :- my name is Anthony Watherston and I’m a Premier Field Engineer in Melbourne. Currently working with Configuration Manager and Orchestrator – plus I try to do everything I can with Powershell!

    Last week I had a need for accessing the Configuration Manager client on a remote system. As this was developing an automated solution I didn’t have the option to use the Control Panel applet or the Configuration Manager console to trigger actions on the client. What I needed to find was a way to trigger actions remotely using Powershell – the answer lies in the methods associated with WMI classes.

    As WMI is a class based system, each object has associated properties and many of these have methods as well. Below are some examples of how to call some of the built in WMI methods which are part of the Configuration Manager Client namespace. A detailed description of the client and its classes can be found at http://msdn.microsoft.com/en-us/library/jj874139.aspx

    Determine if a system has a reboot pending

    The Configuration Manager client has a class called CCM_ClientUtilities – in Wbemtest I can access it by connecting to root\ccm\clientsdk. In the diagram below we can see the methods associated with this class.


    So how do I trigger these methods using Powershell – the Invoke-WMIMethod cmdlet.

    To get a list of the associated methods I can use the command below:

    Get-WmiObject -Namespace root\ccm\clientsdk -Class CCM_ClientUtilities -List | select -ExpandProperty Methods

    This gives me the list of methods below:-


    Now if I want to trigger one of these methods I can use my Invoke-WMIMethod cmdlet and supply the method name.

    Invoke-WmiMethod -Namespace root\ccm\clientsdk -Class CCM_ClientUtilities -Name DetermineIfRebootPending


    There is a lot of information in these results, but I only want to know the value of the RebootPending flag. I can wrap my command in parentheses and specify the property name after a dot to return only that value.

    (Invoke-WmiMethod -Namespace root\ccm\clientsdk -Class CCM_ClientUtilities -Name DetermineIfRebootPending).RebootPending


    Now that I have this information I could force the machine to reboot if the result is true using one of the other methods in this class – RestartComputer.

    $rebootPending = (Invoke-WmiMethod -Namespace root\ccm\clientsdk -Class CCM_ClientUtilities -Name DetermineIfRebootPending).RebootPending

    if ($rebootPending)
        {
        Invoke-WmiMethod -Namespace root\ccm\clientsdk -Class CCM_ClientUtilities -Name RestartComputer
        }

    Of course if I wanted to perform this on a remote machine I can use the WMIObject computername parameter and specify a remote machine.

    $remoteMachine = "AW-SVR01"

    $rebootPending = (Invoke-WmiMethod -ComputerName $remoteMachine -Namespace root\ccm\clientsdk -Class CCM_ClientUtilities -Name DetermineIfRebootPending).RebootPending

    if ($rebootPending)
        {
        Invoke-WmiMethod -ComputerName $remoteMachine -Namespace root\ccm\clientsdk -Class CCM_ClientUtilities -Name RestartComputer
        }

    Trigger a client action

    I can use the same theory to trigger policy retrieval on a machine. Each action is specified by a schedule value; supplying one of these to the TriggerSchedule method will force the client to perform that action. For instance, the script below will trigger a Machine Policy Retrieval & Evaluation Cycle on a client.

    $trigger = "{00000000-0000-0000-0000-000000000021}"

    Invoke-WmiMethod -Namespace root\ccm -Class sms_client -Name TriggerSchedule $trigger

    As with the other script I can supply a computer name parameter to the command to have it execute on a remote machine.

    Determine assigned site

    The last method is one which will allow you to determine a client’s assigned site. I can use the GetAssignedSite method to retrieve the site code.

    (Invoke-WmiMethod -Namespace root\ccm -Class SMS_Client -Name GetAssignedSite).sSiteCode


    There are many more methods available to use within WMI – stay tuned for more.

  • Application Catalog Failed – “Application installation not started”


    The application could not be installed. The most common reason is that software does not support the version of Windows currently installed on your computer. You can try starting the application installation from the Application Catalog again. If the problem continues, contact your network administrator


    In the ConfigMgrSoftwareCatalog.log Silverlight log file (found at "C:\Users\mattsha\AppData\LocalLow\Microsoft\Silverlight\is\j2mecbot.hwg\v2uabsdl.022\1\s\s5i52ebhc445n0s2jyvmx5askg5zbspajpmi3e4bvujwll1luiaaaeda\f\ConfigMgrLogs\ConfigMgrSoftwareCatalog.log"), the following three lines were found.

    [1][06/23/2014 17:46:43] :ApplicationDetailViewModel.RequestPolicyAssingmentForInstallCallback-Error:The policy information is empty or an error ocurred!

    [1][06/23/2014 17:46:43] :ApplicationDetailViewModel.UpdatePageView:PageViewMode changed to:FastInstallError

    [1][06/23/2014 17:46:43] :FastInstallPageView:Create Page View FastInstallError

    Also, in the ServicePortalWebSite.log (found at "F:\Program Files\SMS_CCM\CMApplicationCatalog\Logs\ServicePortalWebSite.log") the following two errors were found.

    [28, PID:6060][06/23/2014 17:59:54] :The web method threw a fault exception - System.ServiceModel.FaultException`1[Microsoft.ConfigurationManager.SoftwareCatalog.Service.Faults5000.ServiceError]: Invalid parameter

    [28, PID:6060][06/23/2014 17:59:54] :System.ServiceModel.FaultException`1[[Microsoft.ConfigurationManager.SoftwareCatalog.Service.Faults5000.ServiceError, Microsoft.ConfigurationManager.SoftwareCatalog.Website.PortalClasses, Version=5.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]: Invalid parameter

    I spent ages trying to troubleshoot this issue without success, and gave up for a short time while I did other things.

    A week later I was testing the Collection Evaluator Viewer program that comes with the R2 toolset and found that it was unable to connect directly to the database with a very similar error

    A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 – The certificate chain was issued by an authority that is not trusted)

    So now I can kind of tell that the issue is actually on the SQL database side, not necessarily ConfigMgr or the App Catalog site server roles.

    Next, I checked to make sure SQL is not forcing an encrypted connection using SQL Service Manager.


    All good there; however, under the Certificate tab I noticed we’ve got a self-signed certificate.


    And lo and behold, the certificate is having problems.


    I opened the IIS console to view the self-signed certificate


    Exported the certificate


    Imported it into the Trusted Root Authorities store.


    After the import, I attempted again to connect using the Collection Evaluation Viewer, and this time it was successful as the SQL certificate is now trusted.


    Back to the Application Catalog, and everything is now working nicely!


  • I Wrote An App

    Hi Gang.

    Over the long weekend last week, I thought I’d have a crack at writing, submitting and publishing a Windows 8 app. It’s a very simple countdown to Windows XP’s End Of Life on April 8th (we are all very excited to see the end of XP).

    http://apps.microsoft.com/windows/en-au/app/windows-xp-end-of-life-countdown/08bd1136-13f0-47bb-a574-c8f3626a9227

    As I said, it’s very simple but functional, with a countdown screen and live tile that updates daily.

    Please download and rate it in the store.


    Matt

  • Version and Build numbers for ConfigMgr 2012 RTM and SP1

    If you need to distinguish whether or not a site has been upgraded to ConfigMgr 2012 SP1, here is the process and version numbers.

     

    1. Open the ConfigMgr console

    2. Browse to Administration > Site Configuration > Sites

    3. Right-click on the site you need information for, and select Properties

    4. You’ll find the site version and build number here

    ConfigMgr 2012 RTM

    Version:  5.00.7711.0000
    Build number: 7711


    ConfigMgr 2012 SP1

    Version:  5.00.7804.1000
    Build number:  7804


    Matt Shadbolt

  • Understanding ConfigMgr 2012 APP-V Virtual Environments

    ConfigMgr 2012 SP1 introduced APP-V Virtual Environments (VEs). APP-V VEs work differently from APP-V 5.0 Connection Groups in a “Full Infrastructure Model” (i.e. Publishing Server), so we need to do some application mapping before implementing APP-V Virtual Environments. You can think of ConfigMgr VEs as a “Rule Set” that the ConfigMgr client evaluates when doing an application evaluation cycle. Once a client evaluates true against a VE “Policy”, the connection group is created. The difference in ConfigMgr is that an APP-V application can only be a member of one VE at any one time. This blog aims to explain why this is the case and why application mapping is vital if your virtual application catalogue has a large number of applications that are highly dependent on other applications.

    Let’s say I have three applications I need to configure in Connection Groups. In Full Infra I could easily create three separate connection groups and use the Priority to determine which VFS wins in a conflict.

    Full Infra Example (Firefox , Flash & Reader)

    Connection Group 1 = Firefox and Flash, priority = 1

    Connection Group 2 = Firefox and Reader, priority = 2

    Connection Group 3 = Firefox and Flash and Reader, priority = 3

    If I do not set my priorities correctly then, as you know, we get the following error:


    However, in ConfigMgr we need to use a single Virtual Environment Rule Set per application that we need to manage a Connection Group for, and set logical operators to determine the priorities. By default the Connection Group priority in a ConfigMgr integrated environment is always set to “4294967294” (i.e. the priority in traditional terms is not used in ConfigMgr). This is the underlying reason why a ConfigMgr virtual application can only ever be a member of one VE at any one time. ConfigMgr manages the creation of the Connection Group XML that is created and processed by the client when the client meets the rules defined in the Virtual Environment.

    If I tried to set up the ConfigMgr Virtual Environment in the same way as I do in Full Infra (illustrated below), it WILL NOT WORK, and we will end up with the same error as above.

    Misconfigured Example below


    As the client evaluates to True for both Virtual Environment Rule Sets, both Connection Groups are configured and of course we get the same ERROR.


    To configure this in ConfigMgr I need to use my Logical operators inside the VE to achieve the same result I would get if doing it in a Full Infrastructure environment


    Examples:

    Client 1: Has Firefox and Reader installed, i.e. no Flash. This meets the Virtual Environment rule configured, so the “Firefox” Connection Group is created for Firefox and Reader.


    Client 2: Has Firefox, Flash and Reader installed. This also meets the Virtual Environment; however, as all three applications are present, the Flash VFS will take precedence over the Reader VFS because we have given Flash a higher “Order” in the Virtual Environment.


    Hope this helps clear up some misunderstandings on how App-V VEs work in ConfigMgr 2012 SP1+.

  • Creating Custom RBAC Enabled Reports in ConfigMgr 2012 R2

    This post will step you through the process of creating custom reports in ConfigMgr 2012 R2 that enforce your Role Based Access Control (RBAC) policies. Configuration Manager reports are now fully enabled for role-based administration. The data for all reports included with Configuration Manager is filtered based on the permissions of the administrative user who runs the report. Administrative users with specific roles can only view information defined for their roles. (TechNet reference)

    Step 1: Determine the data you wish to report on

    Using SQL Server Management Studio, confirm your SQL query against the new fn_rbac table-valued functions, passing the ('disabled') parameter to bypass the requirement to pass a user SID.

    NOTE: all fn_rbac_<table> functions can be found under "Table-valued Functions".

    If you query the v_<table> views instead, RBAC is ignored.


    Step 2: Create a new custom report in ConfigMgr Management Console UI


    Step 3: Editing your custom report will launch SQL Report Builder


    Step 4: Design Your Report

    Confirm you can see the Dataset values and select the type of report you want to create.


    Step 5: Design and format your report as required


    Step 7: Configure the Dependencies for RBAC

    Create a New Dataset


    NOTE: If you do not see the REFERENCES option, try running your report: it will fail, but it will then present the References parameters.

    All done.

    Step 8: Test your custom report

    To test, I created an admin account "sccm2012r2\Ian" whose scope is limited to the collection called "Ian's Collection".


    Launch the ConfigMgr console as SCCM2012R2\Ian and run the report: only data from "Ian's Collection" should be returned.

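    A pre-publish check for the report definition, as an added example that is not part of the original post. Step 1 tests the query with fn_rbac_<table>('disabled') and Step 7 wires in the @UserSIDs parameter; if the 'disabled' literal survives into the published .rdl, RBAC is bypassed for everyone who can run the report. The RDL document below is constructed for the demo, and the report column name is a placeholder.

    ```powershell
    # Added example, not from the post: scan an RDL's datasets for fn_rbac_ calls
    # that still pass the Step 1 test value instead of the @UserSIDs parameter.
    function Test-RbacReportDefinition {
        param([Parameter(Mandatory)][xml]$Rdl)
        $findings = @()
        # local-name() keeps the XPath independent of the RDL schema version namespace.
        foreach ($ds in $Rdl.SelectNodes("//*[local-name()='DataSet']")) {
            $name = $ds.GetAttribute('Name')
            $sql  = $ds.SelectSingleNode("*[local-name()='Query']/*[local-name()='CommandText']").InnerText
            if (-not $sql) { continue }
            if ($sql -notmatch '(?i)\bfn_rbac_\w+\s*\(') {
                $findings += "DataSet '$name': no fn_rbac_ function used, so RBAC is not applied"
                continue
            }
            if ($sql -match "(?i)fn_rbac_\w+\s*\(\s*'disabled'\s*\)") {
                $findings += "DataSet '$name': fn_rbac_ called with 'disabled'; RBAC is bypassed"
            }
            # The dataset must declare the @UserSIDs query parameter that Step 7 adds.
            $declared = @($ds.SelectNodes("*[local-name()='Query']//*[local-name()='QueryParameter']") |
                          ForEach-Object { $_.GetAttribute('Name') })
            if ($sql -match '@UserSIDs' -and $declared -notcontains '@UserSIDs') {
                $findings += "DataSet '$name': uses @UserSIDs but declares no QueryParameter for it"
            }
        }
        return $findings
    }

    # Constructed sample: DataSet1 still carries the Step 1 test value,
    # DataSet2 is wired the way Step 7 leaves it.
    $sample = [xml]@"
    <Report xmlns="http://schemas.microsoft.com/sqlserver/reporting/2010/01/reportdefinition">
      <DataSets>
        <DataSet Name="DataSet1">
          <Query>
            <CommandText>select Name0 from fn_rbac_R_System('disabled')</CommandText>
          </Query>
        </DataSet>
        <DataSet Name="DataSet2">
          <Query>
            <QueryParameters>
              <QueryParameter Name="@UserSIDs"><Value>=Parameters!UserSIDs.Value</Value></QueryParameter>
            </QueryParameters>
            <CommandText>select Name0 from fn_rbac_R_System(@UserSIDs)</CommandText>
          </Query>
        </DataSet>
      </DataSets>
    </Report>
    "@

    Test-RbacReportDefinition -Rdl $sample   # one finding, for DataSet1 only
    ```

    Run it against the .rdl exported from Report Builder before uploading the report to the site's reporting point.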

  • System Center 2012 R2 Configuration Manager Toolkit

    Hi Everyone,

    Just a very quick note to let you know that the Configuration Manager 2012 R2 Toolkit is available and is definitely worth a look.

    Some of the new tools include:

    • CEViewer.exe, for viewing collection update stats
    • DPJobManager, a tool to help you monitor, suspend and cancel package distributions to Distribution Points

    Download link below:

    System Center 2012 R2 Configuration Manager Toolkit

  • Test your Collection WQL queries using WBEMTEST and PowerShell

     

    Hi All,

    One of the most useful tips I've learnt on the job is to use WBEMTEST on your Primary Site Server to test your Collection WQL queries. This is useful for things like measuring the time it takes to run a query, which matters when you have collections that take a very long time to evaluate, potentially causing backlogs and delays in collection updates. Using these tools lets you quickly test the queries for timing outside of Configuration Manager.

    WBEMTEST

    Log onto your Site Server, or connect remotely from your tools machine. I'll show you both methods.

    Start up WBEMTEST from a command line


    Click Connect


    In Namespace, type in the following:

    root\SMS\SITE_XXX

    replacing XXX with your site code. If you're connecting remotely, use:

    \\Computername\root\SMS\SITE_XXX

    then click Connect.

    Click the Query button


    Enter your WQL query and click Apply


    If you have a valid query you should see a result.

    PowerShell

    You could also run a similar query using PowerShell (thanks to my fellow PFEs Ryan Hall and Anthony Watherston for this).

    Just replace the value in the $WQL variable quotes with your query and, of course, PRI with your site code.

    $WQL = 'select * from SMS_R_SYSTEM'

    $WMI = Get-WmiObject -Namespace Root\SMS\Site_PRI -Query $WQL

    $WMI

    And if I want to measure that command for approximate timing:

    Measure-Command -Expression {Get-WmiObject -Namespace Root\SMS\Site_PRI -Query 'select * from SMS_R_SYSTEM' }

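    Going one step further than a single hand-typed query, as an added example that is not part of the original post: this times every query-based membership rule on the site and lists the slowest ones. It assumes the site code PRI and that it is run on the site server (or pointed at it with -ComputerName).

    ```powershell
    # Added example, not from the post: time every SMS_CollectionRuleQuery on the
    # site, the same Measure-Command approach applied across all collections.
    function Measure-CollectionQueryRules {
        param(
            [string]$SiteCode = 'PRI',        # assumption: replace with your site code
            [string]$ComputerName = '.',      # site server, '.' when run locally
            [int]$Top = 10
        )
        $ns = "Root\SMS\Site_$SiteCode"
        $timings = foreach ($coll in Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class SMS_Collection) {
            # CollectionRules is a lazy property: Get-WmiObject leaves it empty, so
            # re-read the full instance by its path before walking the rules.
            $full = [wmi]$coll.__PATH
            foreach ($rule in $full.CollectionRules) {
                # Only WQL rules are timed; direct, include and exclude rules are skipped.
                if ($rule.__CLASS -ne 'SMS_CollectionRuleQuery') { continue }
                $elapsed = Measure-Command {
                    Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Query $rule.QueryExpression | Out-Null
                }
                [pscustomobject]@{
                    CollectionID = $coll.CollectionID
                    Collection   = $coll.Name
                    Rule         = $rule.RuleName
                    Seconds      = [math]::Round($elapsed.TotalSeconds, 2)
                    Query        = $rule.QueryExpression
                }
            }
        }
        # This measures the raw query only: the collection evaluator also applies the
        # limiting collection, so real evaluation can take longer than shown here.
        $timings | Sort-Object Seconds -Descending | Select-Object -First $Top
    }

    Measure-CollectionQueryRules -SiteCode 'PRI' |
        Format-Table CollectionID, Collection, Rule, Seconds -AutoSize
    ```

    The Query column is kept on each result object so the slow WQL can be pasted straight into WBEMTEST for a closer look.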

  • PowerShell Script to list Software Updates in a Software Update Group

     

    Hi everybody,

    In a recent Workshop that I was teaching I got asked how to list all of the security updates in a software update group. So I wrote a quick PowerShell script to do exactly that.

    Here is the code I used while on R2 CU1:

    ############################################################################################

    # Path to the console's PowerShell module and the name of the Software Update Group to list
    $modulelocation = 'F:\Program Files\Microsoft Configuration Manager\AdminConsole\bin\configurationmanager.psd1'
    $SUG = 'Security Updates'

    Import-Module $modulelocation
    CD PRI:

    # The Updates property of the group holds the CI_IDs of its member updates
    $SoftwareUpdates = (Get-CMSoftwareUpdateGroup | Where {$_.LocalizedDisplayName -eq $SUG}).Updates
    Foreach ($SoftwareUpdate in $SoftwareUpdates){
        # Resolve each CI_ID to the update and print its display name
        (Get-CMSoftwareUpdate -Id $SoftwareUpdate).LocalizedDisplayName
    }

    ############################################################################################

    UPDATE

    After going to R2 CU2 the cmdlets changed slightly, and I found a simpler command:

    ############################################################################################

    $modulelocation = 'F:\Program Files\Microsoft Configuration Manager\AdminConsole\bin\configurationmanager.psd1'
    $SUG = 'Security Updates'

    Import-Module $modulelocation
    CD PRI:

    (Get-CMSoftwareUpdate -UpdateGroupName $SUG).LocalizedDisplayName

    ############################################################################################

    You will just need to change the two initial variables:

    $modulelocation to where your psd1 sits. See Matt's blog for details on this.

    $SUG to the name of your Software Update Group.

    This will simply list all of the updates so you can paste it into any Change Request you need to create for Software Updates.

    Hopefully you find this useful, but more than that, hopefully it gets you started with some PowerShell. A fantastic free course that I always recommend to my students, if you're not sure where to begin, is this MVA course run by Jeffrey Snover and Jason Helmick:

    Getting Started with PowerShell 3.0 Jump Start

    Feel free to comment with your own useful PowerShell script or even a new improved version of mine below…

  • TechEd 2014 Australia: ConfigMgrDogs Troubleshoot ConfigMgr 2012 (Melbourne)

    Hey ConfigMgrDogers!

    The TechEd 2014 Australia schedule has been announced, and confirmed ConfigMgrDogs will be presenting at Melbourne only. Unfortunately, George, Ian and myself won’t make it to the Sydney TechEd, however our session will be recorded and posted on the ConfigMgrDogs blog. Please add the session to your schedule (we want the big room) and retweet to those you know attending.

    See you all there!

    Matt, Ian & George.


    ConfigMgrDogs Troubleshoot ConfigMgr 2012

    Date: Wednesday, 8 October
    Time: 3:00 PM - 4:00 PM
    Room: Datacenter and Infrastructure Management
    Session Type: Breakout
    Session Code: DCIM.004
    Session Levels: 400


    For those attending, here are all the relevant links:

    Public Information : http://techedmelbourne.azurewebsites.net/SessionDetail.aspx?id=19005 

    Add to My Schedule : http://techedmelbourne.hubb.me/Sessions/Details/19005

    Tweet about our session: https://twitter.com/intent/tweet?&hashtags=ConfigMgrDogs,ConfigMgrDogsAtTechEd,DCIM.004 


  • Wake On LAN Proxy “Have You’s?”

    If you’re trying to get the Wake On LAN Proxy feature of ConfigMgr 2012 SP1+ working, there’s a lot of steps required. Here’s a simple list of “have you’s?” to make sure you haven’t missed any requirements. For a more detailed guide, check out Muhammad Adil’s blog post.

    1. Have you enabled Wake On LAN on the Site?


    For traditional Wake On LAN (broadcast based), select the Subnet-directed broadcasts option. If you want to use the Wake On LAN Proxy feature, you must select the Unicast method.

    2. Have you enabled the Wake On LAN features in your clients' Power Management policy settings?

    3. Have you ensured that Wake On LAN ports are being allowed through firewalls? Both hardware and software?


    4. Have you got Hardware Inventory enabled?

    5. Have you ensured the Hardware Inventory information is correct?

    The WOL features use the IP address provided by the Hardware Inventory scan as the target address. If you're running Hardware Inventory every 7 days, these addresses may be stale and obviously unusable.

    6. Have you confirmed your switches forward UDP packets?

    Confirm with your networking team that UDP packet forwarding has been configured across every network switch between your ConfigMgr servers and the target clients. Don’t forget those $99 switches under someone's desk!

    7. Have you ensured your hardware supports wake-up packets? Is the feature turned on in the BIOS? Is it enabled on the NIC?

    (Note: this is a screen cap of my wireless network adapter as my laptop doesn’t have a physical NIC. We do not support Wake On LAN via the Wireless network adapter)

    8. Have you checked that your network settings are not affecting supportability?

    802.1X port authentication, MAC address binding on switches and MAC flapping being blocked will all cause unicast Wake On LAN to fail.

    Matt

  • Supported AV clients for SCEP to automatically remove

    I’ve just spent a frustrating 10 minutes searching bing/google for the list of the supported anti-virus programs that SCEP (System Center Endpoint Protection) can automatically uninstall. So to save my scalp for a future hair pulling, I thought I’d blog the list so I can find it quickly next time. Hopefully bing/google will index this post and save us all some time!

    http://technet.microsoft.com/en-us/library/gg682067.aspx#BKMK_EndpointProtectionDeviceSettings

    Automatically remove previously installed antimalware software before Endpoint Protection is installed

    Endpoint Protection uninstalls the following antimalware software only:

    • Symantec AntiVirus Corporate Edition version 10
    • Symantec Endpoint Protection version 11
    • Symantec Endpoint Protection Small Business Edition version 12
    • McAfee VirusScan Enterprise version 8
    • Trend Micro OfficeScan
    • Microsoft Forefront Codename Stirling Beta 2
    • Microsoft Forefront Codename Stirling Beta 3
    • Microsoft Forefront Client Security v1
    • Microsoft Security Essentials v1
    • Microsoft Security Essentials 2010
    • Microsoft Forefront Endpoint Protection 2010
    • Microsoft Security Center Online v1

  • 20 Years Of SMS/Configuration Manager

    On the 7th of November 1994, a little product called Systems Management Server (SMS) 1.0 was released. Since that date, there have been four major revisions (SMS 2.0, SMS 2003, ConfigMgr 2007 and ConfigMgr 2012), three Service Packs (ConfigMgr 2007 SP1 & SP2, ConfigMgr 2012 SP1), three Rx releases (ConfigMgr 2007 R2 & R3, ConfigMgr 2012 R2) and countless Release Candidates/Betas, Cumulative Updates (CU’s) and Hotfixes!

    I thought it would be really cool to check out the Wayback Machine for the TechNet page for the day that SMS 1.0 was released, but back then TechNet.com wasn’t even around! (how did we ever find our supportability numbers!)

    The first mention of SMS on the Wayback Machine TechNet is in mid 2000 and talked about deploying SMS 2.0, administering Inventory and Software Metering, as well as the standard Server Sizing advice we all so heavily rely on. (in their Contoso sizing example, the Central Site with 14k clients required a server with a whopping 300-MHz processor and 256 MB of RAM!)


    http://web.archive.org/web/20000817202621/http://www.microsoft.com/technet/sms/ 

    (I love that the comments and suggestions hyper-link is a mailto:technet@microsoft.com)

    I was fortunate enough to not have really dealt with SMS, starting my Systems Management journey with Configuration Manager 2007 but some of my colleagues remember those days well.


    Sebastian Baboolal, Senior PFE at Microsoft

    I started with SMS 2.0. SP5 back around 2004.

    I was working for Microsoft support back then. We had one week of training and we were put on the phones. Classic trial by fire. My first call was a critsit for a customer. They had a large environment at the time > 100K clients being managed. They had a top-level SMS site. Then sites under that with lots of other primary sites under those. One of the 2nd tier primaries went belly up. Had to do a DR on that site. We didn’t cover DR at all in the training (just my luck). Back then you had to go thru like 20 pages of stuff to get the site back up. I was on that call for 14 hrs. Did not leave my desk. We got it fixed but then I was thinking what in the world did I get myself into. Smile
    Glad we’ve moved on from CAPs and smsclitoken accounts but did like die_evil_bug_die and dial_me_in_baby


    George Smpyrakis, Senior PFE at Microsoft

    I started with SMS 1.2 back in 1997. I had just started in IT straight out of Uni and helped setup these Site Servers that seemed to take an entire day to complete. I took these boxes out to a couple of remote sites and got them up and running then started the long and arduous procedure of attempting to install the client on the workstations. At the time we used it as a Remote control tool for the workstations and in the end it only lasted a couple of months before we removed it and that was a monumental effort in itself as the client seemed to never go away. A few years later a lovely virus called Nimda came along and brought the company I was working for to a halt. We literally had to go around the State of Victoria with floppy disks (Look it up for those under 30.) to patch each workstation so we could bring Internet access back. That’s when my Manager came up to me and said I want you to run with SMS so we never have to do that again. So I then Implemented and started using SMS 2.0 and have never looked back…


    Anthony Watherston, PFE at Microsoft

    I started with SCCM 2007 implementing it because I had nothing better to do and looking to expand my horizons – some of my favourite memories.

    • Reading through log files in Notepad until my eyes hurt – then discovering trace32
    • The satisfaction of being able to remotely rebuild machines – we used to have people ship the box to us so it could be rebuilt
    • Finally patching an enterprise – then fighting with people because they wouldn’t reboot their machines when patches were installed
    • Releasing a hotfix to 180 secondary servers then watching as all the high impact tickets rolled in because all the site systems were reinstalling.
    • Learning patience when installing new sites – sometimes things just take time to appear in the console
    • Working all day on an issue – then doing a site reset and fixing it instantly

    Through all this though it is one of the most complex systems management products and only limited by your imagination as to what you can do!


    Russell Stevens, Senior PFE at Microsoft

    I started with SMS (slow moving software) version 2.0 RTM in a distributed environment at a UK government department that may have had something to do with mail in 2000…

    Highlights include:

    • SMSServer and SMSClient connection accounts for hundreds of Primary and Secondary sites.
    • Software Metering ‘mark one’
    • Switching from NT 4.0 domains to Active Directory domains (see point one).
    • Restoring SMS 2.0 without a wizard, hours and hours and then monitoring for weeks and weeks.
    • Preinst.exe became a useful companion from 2.0 -> 2003 -> 2007 –> 2012
    • Seeing the feature packs become part of the Configuration Manager OSD\BDD, Software Updates (remember ITMU……..)
    • Gigantic DDR backlogs.

    It has been a great ride with some ups and downs, and has delivered some outstanding results over the 20 years, loved it.


    So here’s to ConfigMgr! May our next 20 years be full of smooth CU upgrades, clear of inbox backlogs and void of all accidental deployments!

    Matt Shadbolt

  • R2 CU3 Management point communications update

     

    Hi All,

    With the release of R2 CU3 we now have the ability to restrict which Management Points a client can talk to. This can be particularly useful when you have a remote MP, or only certain MPs that a client is allowed to access.

    All we need to do is:

    • Install the client hotfix KB2994331, which comes with the CU3 update above. The client version will be 5.00.7958.1401.

    • Add a new REG_MULTI_SZ (multi-string) entry named AllowedMPs under HKEY_LOCAL_MACHINE\Software\Microsoft\CCM on each client, and add the FQDN of the Management Point we want to allow the client to access. (We can control this with Compliance Settings.)

    After restarting the SMS Agent Host we can see that our MP is being forced in LocationServices.log, and we can confirm that we are talking to the correct MP in ClientLocation.log.

    Keep in mind the following note from the CU3 update:

    Note After this value is defined, there is no fallback or other method for clients to communicate with other MPs. This new entry is only intended for permanently located workstation and server clients and is not portable to devices such as mobile PCs or tablets.
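    The Compliance Settings approach mentioned above, as an added example that is not part of the original post: a discovery script and a remediation script for a configuration item that enforces the AllowedMPs entry, with guards for the "no fallback" note. The MP FQDN is a placeholder.

    ```powershell
    # Added example, not from the post: discovery/remediation pair for a
    # Compliance Settings CI that keeps AllowedMPs set to the approved MP list.
    $ExpectedMPs = @('mp01.contoso.local')     # placeholder: your MP FQDN(s)
    $CcmRegPath  = 'HKLM:\SOFTWARE\Microsoft\CCM'
    $MinClient   = [version]'5.00.7958.1401'   # first client build that honours AllowedMPs (KB2994331)

    # Discovery script: returns 'Compliant' or 'Non-Compliant' for the CI rule.
    function Get-AllowedMPsCompliance {
        param([string[]]$Expected)
        $current = (Get-ItemProperty -Path $CcmRegPath -Name AllowedMPs -ErrorAction SilentlyContinue).AllowedMPs
        if ($null -eq $current) { return 'Non-Compliant' }
        # Order does not matter; -contains compares strings case-insensitively.
        $missing = $Expected | Where-Object { $current -notcontains $_ }
        $extra   = $current  | Where-Object { $Expected -notcontains $_ }
        if ($missing -or $extra) { 'Non-Compliant' } else { 'Compliant' }
    }

    # Remediation script: writes the REG_MULTI_SZ entry, with guards. Once the
    # entry exists there is no fallback, so a bad list strands the client.
    function Set-AllowedMPs {
        param([string[]]$Expected)
        $fqdn = '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$'
        if (-not $Expected -or ($Expected | Where-Object { $_ -notmatch $fqdn })) {
            throw 'AllowedMPs must be a non-empty list of MP FQDNs'
        }
        # Clients older than the CU3 hotfix ignore the entry; do not pretend they are restricted.
        $clientVer = [version](Get-WmiObject -Namespace root\ccm -Class SMS_Client).ClientVersion
        if ($clientVer -lt $MinClient) {
            throw "Client $clientVer predates KB2994331 and would ignore AllowedMPs"
        }
        Set-ItemProperty -Path $CcmRegPath -Name AllowedMPs -Value ([string[]]$Expected) -Type MultiString
        # Do not restart CcmExec from inside the remediation: the agent is what is
        # running this script. Restart the SMS Agent Host separately, as the post does.
    }

    Get-AllowedMPsCompliance -Expected $ExpectedMPs   # discovery output for the CI
    ```

    Paste the first function with its call into the CI's discovery script and the second into its remediation script, each with the same $ExpectedMPs list.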

  • First 100 at TechEd Melbourne

    Morning Gang,

    Well, TechEd Australia 2014 is less than two weeks away, and Ian, George and I are furiously fine tuning our demos in time for our Wednesday session.

    As a special treat for the first 100 people into our session, we’re giving away some very cool looking ConfigMgrDogs badges!


    We’ll also have a t-shirt give-away for one lucky person who tweets a picture of themselves wearing their badge, hash tagging #ConfigMgrDogs.

    Looking forward to seeing you all in Melbourne!

    Matt

  • Modern Style ConfigMgr Visio Stencil

    I went searching for some nice looking ConfigMgr Visio Stencils this morning and found the most amazing set created by Ryan Boud.

    You can download the stencils here (http://gallery.technet.microsoft.com/Modern-Style-Visio-da5a7470) and visit his blog (http://hmmconfused.wordpress.com/)

    The set covers three groups of shapes:

    • Generic
    • Servers
    • Specialised

    Thanks Ryan for such great work!

    Matt

  • Managing APP-V Deployments in ConfigMgr 2012

    Many customers are still configuring collection structures similar to 2007 and using collections to control the validity of who should receive which applications.

    Where possible we should be changing how we manage application deployments and move the validity processing of the application back to the client, using Global Conditions (state based) to manage Requirement Rules. This works well for many Off The Shelf (OTS) applications that do not have specific procurement constraints, as we can safely deploy this category of applications to ALL USERS and, if needed, implement an Application Approval workflow. Where I am increasingly seeing customers still reverting to specific targeting of applications, normally based on an AD Security Group, is for App-V application deployments.

    I continue to see a large uptake of APP-V in many customer sites as we move towards a user-centric mobile environment, which is great, however I am seeing a lot of customers experiencing poor publishing times of virtual applications which is often a result of poor administrative processes.

    In SCCM 2007 we had the option to instruct the virtual application advertisement to automatically remove the virtual application when the advertisement was no longer available to a client. Unfortunately this option is no longer available in 2012, and as a result many customers have gone searching for a solution in the ConfigMgr community forums. Unfortunately a lot of members of the community simply recommend relying on the general deployment rule that an INSTALL deployment takes precedence over an UNINSTALL deployment. As a result many forum threads instruct customers to simply create an UNINSTALL deployment for each virtual application and target it to the ALL USERS or ALL SYSTEMS collections. Please DO NOT DO THIS, as you will continue to experience slow publishing times for App-V applications.

    If you are already using this approach, I strongly recommend you read this post to understand why it is a BAD idea, and be VERY CAUTIOUS in undoing this setup. DO NOT take a BIG BANG approach and remove all of the current UNINSTALL deployments in one hit while creating the new recommended workflow, as this will generate a huge number of deployment policy objects and potentially cause significant issues in your environment. It is very advisable to stage the changes over a few days to prevent a mass of policy changes in one hit.

    When to use explicit collections for Tier 2 applications?

    Only when you have specific LOB applications that require a REQUIRED Deployment.

    • Valid Reason: APP-V Deployments where an automatic unpublished workflow is required

    AGAIN, DO NOT target App-V UNINSTALL deployments to the ALL USERS / ALL SYSTEMS collections as recommended in many other forums. This will only delay your application publishing times and add unnecessary load on your ConfigMgr environment.

    Understanding WHY this is BAD practice

    When a client polls for new policy changes, a SPROC is run by the Management Point consuming SQL resources.

    The more records there are in ResPolicyMap and DepPolicyAssignment, the more CPU time is required to process the “GET” SPROCs, such as:

    MP_GetMachinePolicyAssignments – Machine Targeted Deployments

    MP_GetUserAndUserGroupPolicyAssignments – User Targeted Deployments

    ResPolicyMap maps the resource ID to the PADBID (the unique identifier of the policy). You can query the count of ResPolicyMap rows to determine the number of policies targeted to each user or system that must be processed.

    DepPolicyAssignment links a policy object with its dependency policies, which are provided to users and/or machines when a policy request is initiated.

    Examples:

    • Application Requirement Rules defined
    • Multiple Deployment Types per application

    How you should manage App-V deployments in your environment

    • Minimise the number of Required Deployments to the ALL USERS / ALL SYSTEMS Collections.
    • Prevent making any large policy changes that target the ALL USERS / ALL SYSTEMS collections, or any large number of objects in one hit.
    • Create an explicit UNINSTALL Collection for each REQUIRED Install Deployment.
    • Base the Collection membership on the compliance state of the application = true and exclude the INSTALL collection.

    Below are examples of the collection queries you can use to manage an auto un-publish workflow for App-V deployments based on an AD Security Group.

    USER Centric Deployments.

    1. Create an AD Security group for the application you are deploying.

    2. Create an INSTALL Collection for each Virtual Application with a dynamic query linked to the AD Security Group. Target the INSTALL Deployment for each APP-V Application to this Collection.

    3. Create a specific UNINSTALL Collection for each Virtual Application with a dynamic query using the syntax below. Also add an explicit EXCLUDE collection membership rule that excludes the INSTALL Collection for that application. Ensure the application name matches that listed in the ConfigMgr database.

    select SMS_R_User.ResourceID, SMS_R_User.ResourceType, SMS_R_User.Name, SMS_R_User.UniqueUserName, SMS_R_User.WindowsNTDomain
    from SMS_R_User inner join SMS_G_System_AppClientState on SMS_R_User.UniqueUserName = SMS_G_System_AppClientState.UserName
    where SMS_G_System_AppClientState.AppName = "APPLICATIONNAME"
    and SMS_G_System_AppClientState.ComplianceState = 1

    Example


    Create and Target the UNINSTALL deployment policy to the UNINSTALL Collection.

    The result: when a user is added to the AD Security Group, the virtual application is made available to the end user and installs silently. When a user who has previously published the App-V application is removed from the AD Security Group, they are added to the UNINSTALL collection, and only then is the virtual application automatically removed from the client. This approach minimises the ongoing policy objects that every user in the organisation has to process.
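    The three steps above scripted with the ConfigMgr console cmdlets, as an added example that is not part of the original post. The application name, AD group, module path and site code are placeholders; the uninstall query is the one shown above.

    ```powershell
    # Added example, not from the post: builds the INSTALL and UNINSTALL user
    # collections for one virtual application, including the EXCLUDE rule.
    $modulelocation = 'F:\Program Files\Microsoft Configuration Manager\AdminConsole\bin\configurationmanager.psd1'
    $SiteCode = 'PRI'                           # placeholder site code
    $AppName  = 'Adobe Reader XI (App-V)'       # placeholder: must match the application name in ConfigMgr
    $AdGroup  = 'CONTOSO\APPV-Reader-Users'     # placeholder AD security group

    Import-Module $modulelocation
    Set-Location "$($SiteCode):"

    $installColl   = "APPV - $AppName - INSTALL"
    $uninstallColl = "APPV - $AppName - UNINSTALL"

    # WQL string literals escape backslashes, so the domain separator is doubled.
    $installQuery = @"
    select SMS_R_User.ResourceID, SMS_R_User.ResourceType, SMS_R_User.Name, SMS_R_User.UniqueUserName, SMS_R_User.WindowsNTDomain
    from SMS_R_User
    where SMS_R_User.UserGroupName = "$($AdGroup.Replace('\', '\\'))"
    "@

    # Members = users whose App-V publish is reported compliant (installed).
    $uninstallQuery = @"
    select SMS_R_User.ResourceID, SMS_R_User.ResourceType, SMS_R_User.Name, SMS_R_User.UniqueUserName, SMS_R_User.WindowsNTDomain
    from SMS_R_User
    inner join SMS_G_System_AppClientState on SMS_R_User.UniqueUserName = SMS_G_System_AppClientState.UserName
    where SMS_G_System_AppClientState.AppName = "$AppName"
    and SMS_G_System_AppClientState.ComplianceState = 1
    "@

    # A daily evaluation keeps policy churn low; tune it to your environment.
    $daily = New-CMSchedule -RecurInterval Days -RecurCount 1

    New-CMUserCollection -Name $installColl -LimitingCollectionName 'All Users' `
        -RefreshType Periodic -RefreshSchedule $daily | Out-Null
    Add-CMUserCollectionQueryMembershipRule -CollectionName $installColl `
        -RuleName "Members of $AdGroup" -QueryExpression $installQuery

    New-CMUserCollection -Name $uninstallColl -LimitingCollectionName 'All Users' `
        -RefreshType Periodic -RefreshSchedule $daily | Out-Null
    Add-CMUserCollectionQueryMembershipRule -CollectionName $uninstallColl `
        -RuleName "$AppName published" -QueryExpression $uninstallQuery
    # The exclude rule is what makes the pair safe: a user who is still in the AD
    # group can never fall into UNINSTALL, whatever AppClientState reports.
    Add-CMUserCollectionExcludeMembershipRule -CollectionName $uninstallColl `
        -ExcludeCollectionName $installColl

    # Then target the Required INSTALL deployment at $installColl and a Required
    # UNINSTALL deployment at $uninstallColl, one application at a time.
    ```

    Stage this per application rather than in a single run, for the policy-churn reasons given above.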

    Disclaimer: The queries and examples provided in this post are offered “AS IS” and should be used at your own discretion. Please ensure extensive testing is done before implementing this solution in any production environment. While this solution has been tested and confirmed, the ConfigMgrDogs team takes no responsibility for any unexpected results this may have in your ConfigMgr 2012 environment.