Archive: May 2011

Integrate FEP 2012 with SCCM 2012

11:54 am in Uncategorized by nsienaert


Hi There!

Recently FEP 2012 Beta 2 was released. As announced at MMS, FEP is moving from the Enterprise CAL to the Core CAL; in other words, if you have SCCM, you have FEP.

Knowing this, customers will probably be more interested in using FEP and integrating it with SCCM.

Also, one of the odd issues with FEP 2010 and SCCM is that there is no auto-approval process for definition updates. There are some workarounds, but with SCCM 2012 auto-approval is an out-of-the-box feature (see the Automatic Deployment Rules post further down this page).

Let’s have a look.

Make sure you have the following prerequisites in place on the site database server (in my case the SQL Database Engine was already installed):

  • Install SQL Server Analysis Services
  • Install SQL Server Integration Services
  • Re-apply SQL Server 2008 SP1 or later (if SQL was already installed before the service pack)
  • Make sure the SQL Server Agent service is set to Automatic and is started
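Before running setup it pays to verify the list above in one go rather than by clicking through services.msc. The script below is an added example, not part of the original post: it checks that the three SQL services exist, sets the Agent to Automatic, starts anything that is stopped, and warns if the SQL 2008 instance is still at RTM level. It assumes a local default instance (for a named instance the service names become SQLAgent$Instance and MSOLAP$Instance; MsDtsServer100 is instance-independent) and that you run it elevated on the SQL server.

```powershell
# Added example, not from the original post: verify the FEP 2012 SQL prerequisites.
# Assumes a local default SQL Server 2008 instance and an elevated PowerShell session.
$required = @{
    'SQLSERVERAGENT'         = 'SQL Server Agent'
    'MSSQLServerOLAPService' = 'SQL Server Analysis Services'
    'MsDtsServer100'         = 'SQL Server Integration Services 10.0'
}
$ok = $true

foreach ($name in @($required.Keys)) {
    # Win32_Service exposes StartMode (Auto/Manual/Disabled), which Get-Service in PS 2.0 does not
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($svc -eq $null) {
        Write-Warning ("{0} ({1}) is not installed" -f $required[$name], $name)
        $ok = $false
        continue
    }
    if ($name -eq 'SQLSERVERAGENT' -and $svc.StartMode -ne 'Auto') {
        Set-Service -Name $name -StartupType Automatic
        Write-Host "Set $name start mode to Automatic"
    }
    if ($svc.State -ne 'Running') {
        Start-Service -Name $name
        Write-Host "Started $name"
    }
}

# SQL 2008 must be at SP1 or later: ProductLevel reads 'RTM' when no service pack is applied
$conn = New-Object System.Data.SqlClient.SqlConnection 'Server=.;Database=master;Integrated Security=SSPI'
$conn.Open()
$cmd = $conn.CreateCommand()
$cmd.CommandText = "SELECT CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(32)), CAST(SERVERPROPERTY('ProductLevel') AS nvarchar(32))"
$reader = $cmd.ExecuteReader()
[void]$reader.Read()
$version = $reader.GetString(0)
$level   = $reader.GetString(1)
$conn.Close()
if ($version -like '10.0.*' -and $level -eq 'RTM') {
    Write-Warning "SQL Server 2008 build $version is RTM; apply SP1 or later before installing FEP"
    $ok = $false
}

if ($ok) { Write-Host "All FEP SQL prerequisites are in place ($version $level)" }
```

The version check matters after you add Analysis or Integration Services to an existing instance: the newly added features are installed at RTM level, which is why the list says to re-apply the service pack.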

Start the Installation:


If we open the SCCM Console for the first time what is changed?

1. There are FEP Security Roles


2. The 3 FEP packages are there…
Note: Microsoft is pushing the use of Applications with SCCM 2012, yet for FEP it auto-creates Packages…


3. The FEP Collections


4. Two FEP Policies which you can use as base for custom ones.


5. In-console monitoring


Now that we have seen what changed in the SCCM console, let’s make the environment secure…

First, I deploy the Forefront clients to all my client machines.

Second, I will make sure WSUS is downloading my Forefront Definition updates.


Third, I create an auto-approval rule (for more info check one of my previous posts).


Fourth, I create a custom FEP policy which I assign to my client machines.

Note: You can also import pre-created FEP policies for several server roles. You can find these templates under the installation directory.


Fifth, the status of:

  • the deployment of the Forefront agent
  • installed Definition updates
  • policy deployment

can be monitored in the SCCM console.


Till next time!

Nico (twitter: nsienaert)

Pre-Deploy Applications

10:35 am in Uncategorized by nsienaert

Hi There!

In this post I will talk about pre-deployment of applications.

Quite a few customers ask me to make sure that all user-dependent applications get installed during an OSD scenario, before the user logs on.

With CM2012 this becomes easier because we can link a user to a device. In one of my previous posts (SCCM 2012: OSD & UDA, further down this page) I explained how you can link a user during a task sequence.

Once that is done, you should take care of the following.

In my scenario I want Firefox to get installed on each primary device. I deployed it to a collection that is linked to an AD user group.

I make sure there is a requirement rule so that the app is only installed when Primary Device = True.


I make sure the app can be installed whether or not a user is logged on.


When I deploy, I make the deployment Required. Once I do that, a new checkbox becomes available: "Deploy automatically according to schedule with or without user login".

I select this check box…


So in my OSD scenario the application installs after the client is registered and has received the policy for the application.

The client typically receives policy right after successful registration. Once the policy is received it is evaluated, and if the install deadline has been reached the application is installed. With the default settings on the Scheduling page of the Deploy Software wizard that is "as soon as possible"; otherwise it is the time you specify.

TIP: Use Client Local Time for the deadline, so it is not shifted by the time zone of the site server.


Till next Time!

Nico (twitter: @nsienaert)

Settings Management (formerly known as DCM)

6:48 am in Uncategorized by nsienaert


Hi there!

Desired Configuration Management as we know it from CM2007 is called now Settings Management.

In the field I encounter quite a few environments where DCM is not used… I expect Settings Management in CM2012 to be more popular because of the simplified user experience, user targeting and, last but not least, auto-remediation.

Technically you could auto-remediate with CM2007 as well, but you had to be creative: populate collections based on the results of the DCM evaluation and advertise a remediation program to those collections to fix the non-compliant state.

With CM2012 it is less complicated, let’s have a look…

Under the “Assets and Compliance” wunderbar you find the Compliance Settings node, with Configuration Items and Configuration Baselines underneath, as in CM2007.

For the sake of the demo I have created 2 baselines, each with one CI linked to it. Of course you can add multiple CIs per baseline.


In the first Baseline (Windows 7 Labo) I will make sure that my machines have Remote Desktop enabled.

I’ll do this by checking the corresponding registry value (fDenyTSConnections under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server, where 0 means Remote Desktop is enabled).

In this example I use the registry, but you can also use AD queries, SQL queries, scripts (see below) and so on to check the compliance state.



Pay attention to the browse button: besides browsing the server, you can also browse a reference machine!

In the Compliance Rule tab you specify the required value of that registry value, AND there is a checkbox to remediate the setting if it does not meet the required value.

Further you can define which type of alerts you want regarding this CI.



I now add this CI to a baseline and target it at a machine OR user collection.

In the second baseline I add a CI that checks whether a certain folder exists and creates it if it does not. I do this by combining 2 simple VB scripts.

In the General tab I select that I want to use a script.

I need to specify a script to check the compliant state (does the folder exist)

and another script that will remediate (create the folder).

Based on the echo (This Folder Does Not Exist) that the first script generates, the second script will start.



In the “Compliance Rules” tab I create a new rule. I specify that if ConfigMgr receives the output of the first script and it equals “This Folder Does Not Exist”, it starts the second script to create the folder (checkbox).

!! Without the quotes it will not work !!



This CI is also added to a baseline, called Folder.
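The same folder CI can be built with two PowerShell scripts instead of the two VBScripts used above. The block below is an added example, not the post's own scripts: the first part goes into the discovery script box, the second into the remediation script box, and the compliance rule for it reads "the value returned by the script must equal Folder Exists", with remediation enabled. The folder path C:\Apps\Data is an assumed value.

```powershell
# Added example, not the post's own VBScript. Two scripts for one script-based CI;
# the folder path is an assumed example. Configuration Manager compares the
# discovery script's standard output with the compliance rule, so print exactly
# one value and nothing else (no progress text, no extra Write-Output).

# ----- Discovery script -----
$Path = 'C:\Apps\Data'
# -PathType Container so that a *file* with the same name is not mistaken for the folder
if (Test-Path -Path $Path -PathType Container) {
    Write-Output 'Folder Exists'
} else {
    Write-Output 'This Folder Does Not Exist'
}

# ----- Remediation script (runs only when the rule above is non-compliant) -----
$Path = 'C:\Apps\Data'
if (-not (Test-Path -Path $Path -PathType Container)) {
    # -Force also creates missing parent folders; Out-Null keeps the output clean
    New-Item -Path $Path -ItemType Directory -Force | Out-Null
}
# Report the new state; the next evaluation cycle confirms compliance
if (Test-Path -Path $Path -PathType Container) {
    Write-Output 'Folder Exists'
} else {
    Write-Output 'This Folder Does Not Exist'
}
```

Two caveats a practitioner should keep in mind. A script that throws an exception is reported as an error, not as non-compliant, so remediation is not triggered; keep the discovery script free of anything that can fail on a healthy machine. And unless you tick the option to run scripts with the logged-on user's credentials, both scripts run as Local System, so whatever the remediation creates is created with SYSTEM rights and the default inherited ACL of the parent folder; choose the location accordingly.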

If we go to a client and open the Configuration Manager control panel applet, we see the 2 baselines.

If we evaluate them we will see that the particular folder is created and Remote Desktop is enabled.

If you change the setting or remove the folder again, it is fixed when you hit the Evaluate button once more, or you can wait for the re-evaluation cycle.



To conclude, I also point to the revision and audit tracking that is possible with CM2012.

So no more “I didn’t change anything!”



Till next time,

Nico (twitter: @nsienaert)

SCCM 2012: OSD & UDA

7:56 am in Uncategorized by nsienaert

Hi There!

As you probably all know, one of the new features in SCCM 2012 is the user-centric approach.

With this you can assign a User to a Primary device or vice versa.

This relationship is many-to-many, so you can assign different users to different devices and the other way around.

During an OS deployment you can already set the primary users for the device you are installing. You do this via 2 new task sequence variables introduced with SCCM 2012.

First, the UDA mode needs to be defined with SMSTSAssignUsersMode:


Possible values: Auto (the affinity is created immediately), Pending (an affinity request is created and waits for administrator approval) and Disabled.

This setting can also be configured on the PXE or Bootable media:


Second, we specify the user(s) via SMSTSUDAUsers, in the form domain\user; multiple users are separated by commas.


After the OS Deployment is done you can see on the machine record that the particular user is set as primary user via OSD.


Beta 2 Gotcha: I didn’t get this to work by specifying the mode on PXE or media. So far it only worked by adding the variable directly in the task sequence or on the machine record itself.
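Setting the two variables from inside the task sequence is also the easiest place to compute them per machine. The script below is an added example, not from the original post: run it from a "Run Command Line" step (powershell.exe -ExecutionPolicy Bypass -File Set-UDA.ps1, from a package) before the "Setup Windows and ConfigMgr" step, and it writes SMSTSAssignUsersMode and SMSTSUDAUsers through the task sequence environment COM object. The computer-to-user mapping is constructed sample data; the file name and the CONTOSO accounts are assumptions, and in practice you would load the mapping from a CSV on a package share or from a collection variable.

```powershell
# Added example, not from the original post: set the UDA variables for the
# machine being deployed, from a Run Command Line step inside the task sequence.
# Only works inside a running task sequence (Microsoft.SMS.TSEnvironment exists there).
# The mapping below is constructed sample data; CONTOSO\... accounts are assumptions.
$mapping = @{
    'PC001' = 'CONTOSO\alice'
    'PC002' = 'CONTOSO\bob,CONTOSO\carol'   # several primary users, comma separated
}

$tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment

# Prefer the name the deployment will give the machine, fall back to the current one
$computer = $tsenv.Value('OSDComputerName')
if (-not $computer) { $computer = $tsenv.Value('_SMSTSMachineName') }

if ($mapping.ContainsKey($computer)) {
    # Auto creates the affinity without approval; use 'Pending' when the mapping
    # comes from something a technician typed in rather than an admin-controlled source
    $tsenv.Value('SMSTSAssignUsersMode') = 'Auto'
    $tsenv.Value('SMSTSUDAUsers')        = $mapping[$computer]
    Write-Host ("UDA: {0} -> {1}" -f $computer, $mapping[$computer])
} else {
    # No mapping: make sure a stale value does not create an affinity for the wrong user
    $tsenv.Value('SMSTSAssignUsersMode') = 'Disabled'
    $tsenv.Value('SMSTSUDAUsers')        = ''
    Write-Host "UDA: no mapping for $computer, affinity disabled"
}
```

The mode choice is the security-relevant part: a primary-user affinity drives which applications get installed on the device and which devices a user may target, so Auto should only be used when the user list comes from a source an administrator controls. If the users are prompted for at deployment time, Pending keeps an approval step in the console.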

In one of my next blogs I’ll talk about pre-deployment of applications via OSD where we can re-use this process to define UDA during OSD.

Till next time!

Nico (twitter: @nsienaert)

Security Updates & Update Deployment Rules

7:12 pm in Uncategorized by nsienaert

Hi all,

Software Updates Management has changed slightly compared with ConfigMgr 07. Update Lists and Deployments no longer exist and are replaced with Update Groups.

New features like automatically deleting expired updates from the DP and “Automatic Deployment Rules” are very cool. Let’s talk about these Automatic Deployment Rules…

View of new Software Updates node:


With these rules it is possible to approve and deploy patches automatically. Once a rule has been created, an appropriate Update Group and Update Package are created for it.
Let’s elaborate a little…

I create an Automatic Deployment Rule. The wizard is quite straightforward, so I only show screenshots of the most important windows.

I select which criteria an update must meet before it can be approved. I choose that the custom severity needs to be “Important” for the x64 architecture.


On the Deployment Schedule tab, 2 time intervals can be set.

“Time between rule run and deployment available” => the period that gives SCCM time to distribute the package to the DPs, or gives you time to cancel the deployment of a patch :)

“Time between update available and deadline” => obvious setting that determines how long before the installation becomes mandatory.

Next, I go to the “All Software Updates” node and I select a few patches and change the custom severity into “Important”

With the excellent new search capabilities I list the updates, for the sake of the demo.

By default the rule is evaluated every 7 days. This can be customized, or you can run it manually by right-clicking the rule and selecting “Run Now”.

You can follow the status of the download and the creation of the packages and groups in ruleengine.log, located in the SCCM server Logs folder.

Beta 2 Gotcha:

You may find that you can download updates “manually” by right-clicking an update and choosing Download, while the rules fail to download the same updates and the following error is listed in the log file.

By default, Local System is the account used to connect to the Internet and download software updates when automatic deployment rules run. When this account does not have access to the Internet, software updates fail to download and the following entry is logged in ruleengine.log: Failed to download the update from internet. Error = 12007.

WORKAROUND: Use the UpdDwnldCfg.exe tool to specify a different account for downloading the software updates from the Internet. The tool is located in <ConfigMgr Source Path>\SMSSETUP\BIN\x640000409 and has the following syntax:

UpdDwnldCfg.exe /s:<proxyserver:port> /u:<accountname> /allusers

Before using this tool you need to install a required hotfix (2538394), which is available for download on the Connect site.
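Rather than scrolling ruleengine.log in CMTrace every time a rule runs, it is handy to pull out just the failed downloads with their error codes. The script below is an added example, not from the original post: it parses lines in the standard ConfigMgr log format and returns one object per "Failed to download the update from internet" entry. The sample log lines are constructed; the log path in the usage note is an assumption. Error 12007 is the WinHTTP code ERROR_WINHTTP_NAME_NOT_RESOLVED, i.e. the account running the rule could not even resolve the download host, which is what you get when Local System has no proxy configured.

```powershell
# Added example, not from the original post: find failed ADR downloads in ruleengine.log.
# The log lines below are constructed samples in the ConfigMgr (CMTrace) format.
$SampleLog = @'
<![LOG[Starting download of updates for rule 'Important x64']LOG]!><time="19:05:10.101+000" date="05-20-2011" component="SMS_RULE_ENGINE" context="" type="1" thread="4524" file="ruleengine.cpp:321">
<![LOG[Failed to download the update from internet. Error = 12007]LOG]!><time="19:05:12.345+000" date="05-20-2011" component="SMS_RULE_ENGINE" context="" type="3" thread="4524" file="ruleengine.cpp:456">
<![LOG[Rule run completed with errors]LOG]!><time="19:05:13.000+000" date="05-20-2011" component="SMS_RULE_ENGINE" context="" type="2" thread="4524" file="ruleengine.cpp:500">
'@

function Get-UpdateDownloadFailure {
    param([string[]]$Lines)
    # One regex for the CMTrace envelope, one for the message text we care about
    $entryPattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)" component="(?<comp>[^"]+)"[^>]*type="(?<type>\d)"'
    $failPattern  = 'Failed to download the update from internet\. Error = (?<code>\d+)'
    foreach ($line in $Lines) {
        if ($line -notmatch $entryPattern) { continue }
        $entry = $Matches          # keep the envelope captures before the next -match
        if ($entry.msg -match $failPattern) {
            New-Object PSObject -Property @{
                Date      = $entry.date
                Time      = $entry.time.Substring(0, 8)   # drop milliseconds and UTC offset
                Component = $entry.comp
                ErrorCode = [int]$Matches.code
                Message   = $entry.msg
            }
        }
    }
}

# Run against the constructed sample; expect one failure with ErrorCode 12007
$failures = Get-UpdateDownloadFailure -Lines ($SampleLog -split '\r?\n')
$failures | Format-Table Date, Time, ErrorCode, Message -AutoSize
```

Against the real file, replace the sample with Get-Content on the site server log (for example D:\Program Files\Microsoft Configuration Manager\Logs\ruleengine.log; the path is an assumption, use your own install location). When 12007 shows up only for the rule engine and not for manual downloads, that is the proxy symptom described above: the console download runs in your user context, the rule runs as Local System. The account you hand to UpdDwnldCfg.exe only needs to authenticate to the proxy; it does not need to be an administrator, so use a dedicated low-privilege account rather than a site admin.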

Other posts will follow, so stay tuned!

Till next time,