You are browsing the archive for 2009 November.

Step by Step guide for provisioning Intel VPro clients in SCCM 2007 SP2 Part 2

4:45 pm in ConfigMgr, ConfigMgr 2007, ConfigMgr 2007 R2, ConfigMgr SP2, configmgr2007, sccm, SCCM 2007, SCCM 2007 R2, SCCM 2007 SP2, sccm2007, Vpro by Kenny Buntinx [MVP]

In my previous post I have talked about  the summary of Prerequisites required for OOB Management in SCCM at .

Now we will talk about the 3rd Party Remote Configuration Certificate that is needed on each OOB Service Point to Provision Intel vPro technology based systems (e.g. VeriSign, GoDaddy, Comodo, and Starfield).

Optionally you can generate your own certificate Provisioning Certificate from your Enterprise CA but that will require you to enter the certificate hash on each machine that you have in you’re environment. We do not want this , so we will selected in our case our third party vendor , nl

You normally only need one OOB Service point in your organisation per forest , unless you go for a multidomain certificate. Those are way more expensive than a single domain certificate.

To acquire a certificate from you will need to perform the following steps :

  1. You must purchase ‘Deluxe SSL’ or ‘Premium SSL’ from GoDaddy. ‘Standard SSL’ will not work !
  2. Key items that are detailed in the steps below that were required to get my certificate:
  3. ○ Certificate type must be a Deluxe Assurance SSL certificate

    ○ Certificate request is for an Organization

    ○ OU = Intel(R) Client Setup Certificate

    ○ CN = (this must be the FQDN of the Provisioning Server for Remote Configuration generating the CSR)

    ○ Organization = The legal name of your organization that can approve your certificate request

    ○ Required Documentation to be submitted (Your Passport, Bank Statement, and Approval Letter on Company Letterhead)

  4. To generate the CSR you need to perdorm the following steps :
    • In Windows 2008 with IIS 7 :
      • Go to Internet Information Manager as shown below and select “Server Certificates”


      • In the “Server Certificates”window  , select “Create certificate request”


      • In the “Request Certificate”window  , Fill in all the necessary fields


      • Select a minimum of 2046 bits encryption


      • Save the request to a file you specify . You will need this file when your perform your request by the third party  certificate provider.


      • When finished , it should look like this :


How to purchase a godaddy intel Vpro certificate is explained here :

In part 3 we will explain how to import the Vpro certificate and to export the certificate again for the use of the OOB role in system Center config manager.


Hope it Helps ,


Kenny Buntinx

Step by Step guide for provisioning Intel VPro clients in SCCM 2007 SP2 Part 1

7:35 pm in Uncategorized by Kenny Buntinx [MVP]

Today I finally finalized my Intel VPro configuration on a SCCM 2007 SP2 box.In this blog post I try to explain all the details on how to provision clients with Vpro and what infrastructure steps are needed to make it work.

My fellow MVP Kim Oppalfens has already presented a great session on this topic at one of our SCUG events …You could find his session online here :

Assumptions :

  1. Everything has been executed on a SCCM 2007 Primary site server with Service Pack 2 installed on a Windows 2003 x86 SP2 box.
  2. We will work with one of the five trusted certificate vendors.
  3. You have a Intel Vpro capable machine


First the important stuff  : Summary of Prerequisites required for OOB Management !

The list below describes the necessary client, server, and infrastructure elements required in order to
manage your Intel vPro technology based systems Out-of-Band using Microsoft Configuration Manager

You will need :

• An Enterprise Certificate Authority to issue Web Server certificates to each Intel vPro technology based system for encrypted communications with ConfigMgr 2007 SP1 Management Console (Standalone CA is insufficient).
• Active Directory OU to store Intel AMT objects for each Intel vPro technology based system that will be managed by OOB.
• ConfigMgr 2007 SP2 Out of Band Service point installed and configured to support Intel vPro technology based systems.
• OOB Service Point installed on Windows 2003 Server requires Windows 2003 SP2 with hotfix 942841.
• Windows Remote Management (WinRM) installed on each ConfigMgr 2007 server that the OOB Service Point installed with hotfix:
• 3rd Party Remote Configuration Certificate on each OOB Service Point to Provision Intel vPro technology based systems (e.g. VeriSign, GoDaddy, Comodo, and Starfield) – Optionally you can generate your own certificate Provisioning Certificate from your Enterprise CA but that will require you to enter the certificate hash on each machine that you have in you’re environment. We do not want this , so we will use a third party vendor from

• Enable OOB network discovery of Intel vPro technology based systems
• Intel vPro technology and firmware of 3.2.1 or higher are required for native support from ConfigMgr 2007 SP2
• Intel HECI Driver installed on the OS (see OEM for latest driver)
• Configuration Manager Client agent installed on each Intel vPro system to initiate the provisioning process (there are alternative methods available in the help file but this is the most effective and easiest method)
• Intel vPro technology based systems joined to the same domain as the OOB Service point provisioning and managing these devices
• Open Intel vPro technology related network ports on routers and firewalls: 9971 – Provisioning Port; and 16992 through 16995 – OOB Management Ports


Lets keep the rest for Part 2 …


Hope it Helps ,

Kenny Buntinx

SCCM : ESX VMWare Vsphere 4 Tools Silent Install/Upgrade in an Windows 2008 R2 OSD Task Sequence ANSWER !

3:29 pm in ConfigMgr, ConfigMgr 2007, ConfigMgr 2007 R2, ConfigMgr SP2, configmgr2007, sccm, SCCM 2007, SCCM 2007 R2, SCCM 2007 SP2, sccm2007, Vmware by Kenny Buntinx [MVP]

We struggled with this for a long time, but we finally found a way to make it work. We could deploy the tools manually with no issue, but trying to automate it was a complete nightmare.

Basically, the problem turned out to be that trying to use setup.exe from VMware to do an automated Install is effectively impossible.

The supported solution from Wmware  that we initially found was to use setup.exe. The command was: setup.exe /s /v"/qn"

The only caveat to be aware of is that if you’re scripting the process in a task sequence for example , that the command will execute, spawn the install/upgrade process, and then immediately terminate. Hence, your task sequence or whatever will think that the command has finished even though the upgrade has just started to run in the background. We normally suppress all reboots in our packages and then decide when to boot via the Task sequence, but in this case that was not possible. Even with the reboot=Suppress option to the install the VMware tools would finish executing with instantly rebooting and failing your Task Sequence.

When we’re installing the tools, we use msiexec because it doesn’t have the "terminates instantly" problem that you get with setup.exe and is therefore easier to deal with in your task sequence.

That command is : msiexec.exe /i VMwareToolsx64.msi /QN ADDLOCAL=ALL REBOOT=ReallySuppress ( make sure to rename your msi file and remove the space in between !)

Using that method, we successfully Installed the VMware tools in out  Windows 2008 R2 x64 task sequence .


Hope it helps

Kenny Buntinx.

SCCM : Microsoft Updates suddenly stops at 50% of downloading.

6:19 am in Uncategorized by Kenny Buntinx [MVP]


Last week at a customer of us had problem to get some patches been delivered to the end users computer. This months updates worked fine too, no problem distributing them as usual with CM , BUT,  we have now gotten several cases where all the updates except one has been downloaded to the client.

The last update will not pass 50% of downloading no matter how long we wait.

So, what we see in the Software Updates Installation progress window is now several updates with status "Preparing for installation" and one with status "Downloading 50%".

I have of course done some checking to solve the problem like checking logs, connectivity, errorreports etc .. ..
Usually when there is some kind of errors i find the answers in the logs but this time they are clean as far as i can see.

The strange thing was that all updates except one were downloaded smoothly as always and that on approx 3000 clients. The update that won´t be downloaded is Kb968389.


SOLUTION : Well the answer to this issue is to download the latest Windows Update Agent 7.4.2600.xx and get this installed on all clients .


Hope it helps ,


Kenny Buntinx

Video New Efficiency: Deploying Windows 7 with SCCM – Dutch

10:01 am in chopsticks, Conficker, ConfigMgr 2007, ConfigMgr 2007 R2, configmgr2007, events, Windows 7 by Kenny Buntinx [MVP]

This session introduces tool enhancements new to Windows 7 and System Center Configuration manager for every stage of a Windows 7 desktop deployment project. During this talk you will learn more on how to test your application against possible compatibility issues and different technologies you can use to help you against these issues.

Furthermore we will discuss other deployment mechanisms based on the free Microsoft Deployment toolkit.


Recovering your Applications with ConfigMgr in a refresh or side-by-side migration

4:07 pm in ConfigMgr 2007, sccm, SCCM 2007 by Kenny Buntinx [MVP]

Hi All,


In this post I will introduce a couple of ways of getting your Applications redeployed in a side-by-side or refresh scenario. After all, USMT makes migrating your data and settings a breeze, so it is about time we look at getting those applications redelivered so that the impact of a migration on our beloved end-users is minimized. (To avoid them hassling us about their missing apps).

In short there are 4 ways of making sure apps get redeployed, each with their own unique pro’s & con’s.

  1. Advertise to End users. This is obviously one of the easiest ways. If you advertise to end users, once the user logs in, all advertisements targeted at the user will re-run and eventually the user will get all his applications back. Drawbacks of this method are rather obvious. For one, it can take quite a while for all these apps to get installed, and secondly if that user logs in to another machine to “quickly lookup something on the internet” than all those apps would end up on that machine as well. A nice way to alleviate much of this drawbacks is using Microsoft App-V and virtual applications.
  2. Use dynamic collections. By using dynamic collections, the machines will eventually (how long this takes depends on what your collection uses as criteria) end up back in the necessary collections, and will get his original applications redeployed. Drawbacks of this method is that “eventually” might take a pretty long time, depending on which criteria you use, and what schedules you have running on hardware inventory or the different active directory discovery methods.
  3. Use direct membership collections and migrate the SMSID. By migrating the SMSID from the old machine, so that the machine does remains its guid, and hence keeps it direct memberships, and by consequence receives all his original advertisements back. Kenny posted a way to have your id’s migrated using tranguid here:
  4. Use a script in your OSD tasksequence to analyze the original installed software from inventory in the database. By analyzing your inventory, you now, what applications were installed originally. If your script can tie that information to a package & programname pair, than you can set tasksequence variables and use the “install multiple applications” task sequence step to redeploy originally installed applications.



"Everyone is an expert at something"
Kim Oppalfens – Sms Expert for lack of any other expertise
Windows Server System MVP – SMS