Today I’ve been playing with my System Center Configuration Manager SP1 lab and came across a very painful little bug. A little searching and I came across this thread on the TechNet forums. Essentially the problem I suddenly started having today, after it was working fine last week, was that my Config Manager client wasn’t installing through Windows Update.
It started by giving me a Code 1 message, as below:
That 1 update is the Config Man client being deployed through WSUS. So the next thing I did was run the ccmsetup.exe install from my Primary Site Server. Nothing. So I checked out the ccmsetup.log file that’s in c:\windows\ccmsetup\logs and lo and behold spotted the following:
That line that says Couldn’t verify ‘c:\windows\ccmsetup\MicrosoftPolicyPlatformSetup.msi’ authenticode signature is a bit of a problem. It turns out that there’s a bit of a bug. Luckily there is already a hotfix for it, and there are some updates on Windows Update already to solve the issue…that said, there is still work to do…
In order to now install the Config Manager client on a new device we first need a patch in place on that client machine:
KB2749655 for anything other than Windows 8 or Server 2012 and KB2756827 for Windows 8 or Server 2012. I tested this on my Windows 8 client by manually running the MSU, then installing the update and the Config Manager client installed like a champ!
Now however I need to be able to do OSD on a regular basis, so I just offline serviced my Windows 8 image with DISM to get the job done quickly…here’s what you need to do:
Then I updated my distribution points and jobs a good-un. I did the same to my Windows 7 OS image too.
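The offline servicing step described above, sketched with the DISM PowerShell cmdlets as an added example (not the commands from the original post). The image, mount and .msu paths and the image index are placeholder assumptions; run it from an elevated prompt.

```powershell
# Added example: inject the hotfix into an offline OS image before redistributing it.
# KB2756827 is the Windows 8 / Server 2012 update named in the post; every path is a placeholder.
$ErrorActionPreference = 'Stop'
$WimPath  = 'D:\Images\install.wim'        # placeholder: OS image used for OSD
$Index    = 1                              # placeholder: index of the edition to service
$MountDir = 'D:\Mount'                     # placeholder: empty folder for the mounted image
$MsuPath  = 'D:\Hotfix\KB2756827.msu'      # placeholder: path to the downloaded update
$Kb       = 'KB2756827'

# Check the update's own Authenticode signature before putting it into the image.
$sig = Get-AuthenticodeSignature -FilePath $MsuPath
if ($sig.Status -ne 'Valid') {
    throw "Signature on $MsuPath is '$($sig.Status)'; not servicing the image."
}

New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $WimPath -Index $Index -Path $MountDir | Out-Null

$save = $false
try {
    Add-WindowsPackage -Path $MountDir -PackagePath $MsuPath | Out-Null

    # Confirm the package is actually registered in the offline image.
    $pkg = Get-WindowsPackage -Path $MountDir |
        Where-Object { $_.PackageName -like "*$Kb*" }
    if (-not $pkg) { throw "$Kb is not listed in the image after Add-WindowsPackage." }
    $pkg | Format-Table PackageName, PackageState -AutoSize

    $save = $true
}
finally {
    # Commit only if every step succeeded; otherwise throw the changes away
    # so a half-serviced image never reaches the distribution points.
    if ($save) { Dismount-WindowsImage -Path $MountDir -Save | Out-Null }
    else       { Dismount-WindowsImage -Path $MountDir -Discard | Out-Null }
}
```

For the other operating systems named in the post, swap in KB2749655 and the matching image.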
I have to say this one caught me out. I’m just setting up a task sequence to deploy Windows 8 and pre-provision BitLocker (which is wicked fast by the way!) and got caught with enabling and activating the TPM from WinPE. The solution I came up with works for me, on a Samsung Series 7 Slate but might not work for all hardware vendors (TPM is a little tricky like that).
The process turned out to be pretty simple.
The final effect takes advantage of Windows 8’s used space only encryption and starts encryption before the OS is even deployed, encrypting as the OS deploys – the net result is a fully encrypted machine within minutes!
Don’t forget to download Windows Server 2012, System Center and Windows 8 Enterprise to try this out and take a look at my other posts on System Center.
If you’re looking to make sure that your enterprise desktops are secure and all to the same level, then you’ll want to check out the recently updated Security Compliance Manager tool, and with Windows 7 in your environment you’ll be wanting the Windows 7 settings pack. Full details of the pack are available in the TechNet library. Why is this tool useful? Well, the solution accelerator team have the best answer:
Since the release of the Security Compliance Manager tool, one of the most frequent requests has been to add all of the available Group Policy settings to the Microsoft-recommended baselines so that they can be accessed through the tool. While our baselines include hundreds of settings, there are hundreds of additional settings available in Group Policy. In response to this request, the team has created setting packs. The setting packs include the basic information required by the Security Compliance Manager tool to define custom baselines that you can use to create GPO backups, DCM configuration packs, and SCAP content. This is a temporary solution to address this request. A future version of the tool will provide the capability to add the settings customers need to their baseline without using a setting pack.
To learn more about Windows Deployment check out Springboard
Springboard is the place to find great resources for Windows 7 and Office 2010 deployment (as well as my blog, obviously!). The Springboard team will be hitting the campus in Reading in the UK on November 1st to talk about:
All wrapped up with a panel Q&A. There will be lunch and coffee, obviously, as well as the rare opportunity to talk to the gang. You’ll need to register for the event here.
I’m really excited about this event, so the first three people to register and tweet me @simonster will get a copy of Windows 7 Pocket Consultant when I see you at the event!
I started life as an IT Pro so long ago that I can’t even remember when I started. It was all different back then: when I needed to know something I got out the first CD and searched TechNet for some nugget using specific keywords (ntstop, and all that jazz). I loved it. TechNet had a deep impact on me professionally, and starting a blog on TechNet with my own name is monumental for me.
Hi, I’m Simon May, I’m a new part of the IT Pro team in the UK – I’m an IT Pro Evangelist – to give me my full title. It’s our job to help UK IT Pros understand Microsoft’s plethora of technology and make the most of it. So what does that mean for you? Well it means that we’re here to help by introducing you to new tools and techniques and to get you testing, deploying, managing Microsoft technologies and getting the types of results you need.
Previously I’ve worked in banking, healthcare and energy, written about Windows, helped seed and inspire communities and, I hope, fixed hundreds of people’s PCs and worked with a few people who are reading this – drop me a line please. I’ve fixed virus outbreaks, rewired data centers, made it possible for people to shop quickly (sorry, can’t tell you how) and helped doctors and nurses get the latest info on their patients before caring for them. Mostly I’ve had fun.
Okay, okay, let’s talk about the job title, Evangelist. Lots of people have asked me about it and all I can say is it’s the coolest title and job in the world (to me). Basically it means I explain the world of Microsoft to IT Pros.
I’ll be here and there, mainly here, sometimes there introducing new stuff and explaining current stuff and helping you get off the old stuff…cough…IE6…cough…XP…. But it’s not all about work.
Almost as much as I love being part of the IT Pro community, I love our (I can say OUR now) consumer-focused technology, so I’ll probably be talking about that too, although I only get to see what everyone else gets to see; there’s no inside track here.
Follow me on twitter and say hi and you might as well subscribe to my main RSS feed (it’s not just tech stuff).