
Settings Management FKA DCM

6:48 am in Uncategorized by nsienaert


Hi there!

Desired Configuration Management as we know it from CM2007 is now called Settings Management.

In the field I encounter quite a few environments where DCM is not used. I expect that Settings Management within CM2012 will be more popular because of the simplified user experience, user targeting and, last but not least, auto remediation.

Technically with CM2007 you could auto remediate as well, but you had to be creative: populate collections based on the results of the DCM evaluation and link those collections to your remediation program to solve the non-compliant situation.

With CM2012 it will be less complicated, let’s have a look…

Under the “Assets and Compliance” wunderbar you can find the Compliance Settings node with Configuration items and Baselines underneath like in CM 2007.

For the sake of the demo I have created two baselines, each with one CI linked. Of course you can add multiple CIs per baseline.

In the first Baseline (Windows 7 Labo) I will make sure that my machines have Remote Desktop enabled.

I’ll do this by checking the corresponding registry key.

In this example I use the registry but you can also use AD queries, SQL queries, scripts (see below),… to check your compliance state.


Pay attention to the browse button, besides browsing the server you can also browse to a reference machine!

In the Compliance Rule tab you can specify the required value of that particular registry value, AND there is a checkbox available to remediate the registry setting if it does not meet the required value.

Further you can define which type of alerts you want regarding this CI.


I will add this CI now into a Baseline and target it to a machine OR user collection.

In the second baseline I will add a CI that checks whether a certain folder exists and, if not, creates it. I’ll do this by combining two simple VBScripts.

In the General tab I select that I want to use a script.

I need to specify a script that checks the compliance state (does the folder exist?) and another script that remediates (creates the folder).

The first script echoes a value (This Folder Does Not Exist); when ConfigMgr receives that echo, the second script is started.


In the “Compliance Rules” tab I create a new rule. Here I specify that if ConfigMgr receives the echo of the first script and it equals “This Folder Does Not Exist”, the second script is run to create the folder (checkbox).

!! Without quotes it will not work!!
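As an added example (these are not the scripts from the original post), here is what such a discovery/remediation pair can look like; the folder path C:\Labo is an assumption. Each script goes into its own script box of the CI, and the compliance rule compares the discovery output with the quoted string "This Folder Does Not Exist" to trigger the remediation script.

```vbscript
' ----- Script 1: discovery (goes in the CI's discovery script box) -----
' Echoes exactly one string; the Compliance Rule compares it with the
' quoted value "This Folder Does Not Exist" to decide on remediation.
Option Explicit
Const FOLDER_PATH = "C:\Labo"   ' assumed path, adapt to your environment

Dim fso
Set fso = CreateObject("Scripting.FileSystemObject")

If fso.FolderExists(FOLDER_PATH) Then
    WScript.Echo "This Folder Exists"
Else
    WScript.Echo "This Folder Does Not Exist"
End If
WScript.Quit 0

' ----- Script 2: remediation (separate script, goes in the remediation box) -----
' Only runs when the discovery output matched the non-compliant value.
' Re-checks before creating so a folder created in the meantime is not an error.
Option Explicit
Const FOLDER_PATH = "C:\Labo"   ' same assumed path as in script 1

Dim fso
Set fso = CreateObject("Scripting.FileSystemObject")

On Error Resume Next
If Not fso.FolderExists(FOLDER_PATH) Then
    fso.CreateFolder FOLDER_PATH
End If

If Err.Number <> 0 Then
    ' Surface the failure so it shows up in the CI evaluation details
    WScript.Echo "Remediation failed: " & Err.Description
    WScript.Quit 1
End If
WScript.Echo "Folder present"
WScript.Quit 0
```

The client runs these with cscript, so WScript.Echo output is what the rule evaluates; a non-zero exit code from the remediation script marks the remediation as failed.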


This CI too is added to a baseline, called Folder.

If we go to a client and open the ConfigMgr client, we see the two baselines.

If we evaluate them, we will see that the particular folder is created and Remote Desktop is enabled.

If you change the settings again or remove the folder, this will be fixed when you hit the Evaluate button again, or you can wait for the re-evaluation cycle.


To conclude, I also point to the revision and audit tracking that is possible with CM2012.

So no more “I didn’t change anything!”


Till next time,

Nico (twitter: @nsienaert)

Security Updates & Update Deployment Rules

7:12 pm in Uncategorized by nsienaert

Hi all,

Software Updates Management changed slightly compared with ConfigMgr 07. Update Lists and Deployments do not exist anymore and are replaced by Update Groups.

New features like automatically deleting expired updates from the DP and “Automatic Deployment Rules” are very cool. Let’s talk about these Automatic Deployment Rules…

View of new Software Updates node:


With these rules it is possible to approve and deploy patches automatically. Once a rule has been created, an appropriate Update Group and Update Package will be created.
Let’s elaborate a little bit deeper…

I create an Update Deployment Rule. The wizard is quite straightforward; I show some screenshots of the most important windows.

I select which criteria an update must meet to be approved. I choose that the custom severity needs to be “Important” for the x64 architecture.


On the Deployment Schedule tab two time intervals can be set.

“Time between rule run and Deployment available” => period to give SCCM time to distribute the package to the DPs, or to give you time to cancel the deployment of a patch [:)]

“Time between update available and deadline” => obvious setting which determines the time before the installation becomes mandatory.

Next, I go to the “All Software Updates” node, select a few patches and change the custom severity to “Important”.

With the excellent new search capabilities I list the updates for the sake of the demo.

By default the rule is evaluated every 7 days. This can be customized, or you can run it immediately by right-clicking the rule and selecting “Run Now”.

You can follow the status of the download, creation of the packages & groups in ruleengine.log located under SCCM Server Logs.

Beta 2 Gotcha:

It may be that you can download updates “manually” by right-clicking an update\Download, while when using the rules you are facing issues downloading the updates and the following error is listed in the log file.

By default, to connect to the Internet and download software updates when automatic deployment rules run Local System will be used to configure automatic deployment rules. When this account does not have access to the Internet, software updates fail to download, and the following entry is logged in ruleengine.log: Failed to download the update from internet. Error = 12007.

WORKAROUND: Use the UpdDwnldCfg.exe tool to specify a different account to download the software updates from the Internet. The tool is located in <ConfigMgr Source Path>\SMSSETUP\BIN\x640000409 and has the following syntax:

UpdDwnldCfg.exe /s:<proxyserver:port> /u:<accountname> /allusers

Prior to using this tool you need to install a required hotfix (2538394), which is available for download on the Connect site.

Other posts will follow, so stay tuned!

Till next time,

Nico


SCCM 2012 Gotcha’s

9:44 am in Uncategorized by nsienaert


Hi There!

For a few months now I’ve been working with SCCM 2012, and during my LAB experience I encountered some odd issues which may sound stupid but are quite blocking. :-)

As I’m quite sure I will not be the only one on this planet that will bump into these I’ll post a small overview. [:)]


Gotcha 1: Application content could not be located


In the CIAgent.log I could see that my content could not be located.

How was that possible?

My Applications were stored correctly on the Distribution Point, and I had no issues with my environment (MP for instance) or whatsoever.


Well the reason was Boundary Groups.


Boundary Groups are a new concept within SCCM 2012.


They are designed to simplify boundary management: to keep boundaries organized in logical containers and to avoid overlapping boundaries in migration scenarios.


BUT ALSO, these groups are now the primary object for content location, no longer the boundary itself.


Boundary Groups are added on the Distribution Point and on the State Migration Point.


Gotcha 2: User Device Affinity did not work


When starting to play with UDA I deployed a common scenario.
I had an application with 2 deployment types:

  • One installing the MSI if the user is working on their primary device
  • Another one installing the App-V version when NOT working on their primary device.


So what happened? I was 100% sure that my requirements were set correctly.

In AppIntentEval.log I could see that the MSI deployment type was always applicable, even on a machine where a certain user was not the primary user…


The root cause was that the application was deployed to a Machine collection.

If you target machines, “primary device” will always be true. BUMP.

Sounds logical of course, but it is a mistake that is easy to make.

If you want to use UDA, you had better target User Collections. [:)]


Gotcha 3: Add tools to Windows PE


I like to add Trace32 to Windows PE for troubleshooting. If you open the properties of a boot image you will see that you are obliged to enable a prestart command hook; even if you don’t need one, you have to, otherwise you cannot include files…


So what I did was specify a do-nothing prestart script containing only… WScript.Quit(0)


Gotcha 4: Where do you import a machine?


With Beta 1, if you wanted to import machines into SCCM you had to navigate to the “User State Migration” node and select “Import Computer Information”.

Since Beta 2, you can only create a computer association on the “User State Migration” node.


So where is it now??


After digging for a while in the console I discovered it!

Right-click the Devices node and YES, there you have it.


And yeah, if I had looked at the tabs in more detail I would probably have discovered it a lot faster.
So lesson learned: use the new tabs!


Gotcha 5: How do I troubleshoot the new App Model?


In this post I already mentioned some log files. With the new Application model there are quite a few new log files. Here is an overview of the most important ones and what they can tell you:


PolicyAgent.log: Check to ensure policy has been received by client

DCMAgent.log: Check log for Assignment ID (app + collection)

CIAgent.log: Evaluates CIs for App, DCM and SUM jobs

AppIntentEval.log: Contains highlevel information on applicability of each Application/Deployment Type.

AppProvider.log: Check Detection methods and install/uninstall specific failures


For infrastructure issues, also check these logs: CIStore.log, CIStateStore.log, DCMReporting.log and CIDownloader.log.


All these tests were done with SCCM 2012 Beta 2.


Till next time,


Nico Sienaert