You are browsing the archive for ConfigMgr 2012.

When deploying Windows Server 2012R2 using an Configmgr OSD Task Sequence, additional disks will be offline when the Task Sequence completes

12:25 pm in 2012R2, CM12, CM12 R2, CM12 R2 SP1, CM12 SP1, CM12 SP2, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 R2 SP1, ConfigMgr 2012 SP1, OSD by Kenny Buntinx [MVP]

 

When using a Configuration Manager OSD Task Sequence to deploy Windows Server 2012 or Windows Server 2012 R2 to a server (VM) that contains disks that are not local (such as SAN Disk), when the Task Sequence completes, the additional disks may not come online and may show as offline. Specifically in the Disk Management, the additional disks will show offline with the message:

Disk is offline due to a policy set by an administrator

If you look at my VM, you will see I have 2 separate disks that I will need in a later phase to install the backup software to the D:\ partition, residing on the other vmdk.

clip_image002

To resolve the issue, for the WinPE phase, the steps from KB971436 need to be added to the Task Sequence. For deployments from Operating System Images, a registry key value will need to be updated with the correct SAN policy value as shown below:

Just after the step where you apply the image, create a “RunCommand line called :”load system hive” and execute :” reg load HKUtemp "%OSPART%\WindowsSystem32ConfigSystem"”

clip_image004

Just after the step where you apply the “RunCommand line called :”load system hive”, create a “RunCommand line called :”Change Default SAN policy” and execute :”reg add HKUtempControlSet001HKLMSystemCurrentControlSetServicespartmgrParameters /v SanPolicy /t REG_DWORD /d 1 /f”

clip_image006

Just after the step where you apply the “RunCommand line called :”Change Default SAN policy”, create a “RunCommand line called :”Unload system hive” and execute :”reg unload HKUTEMP”

clip_image008

Next phase is to make sure that no drives will remain offline and all drives will still have the right driveletters assigned . Run a command line with : diskpart /s diskpart.txt

clip_image010

The contents of the diskpart.txt can be determined by yourself . Here is an example

clip_image012

Hope it Helps ,

Kenny Buntinx

MVP enterprise Client Management

MMS 2015 unplugged: Unable to publish application globally if targeted user-based within Configmgr workaround

2:55 pm in App-V, App-V 5.0, Application Model, applications, AppV, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 R2 SP1, ConfigMgr 2012 SP1, ConfigMgr SP2, ConfigMgr V.next, sccm, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 R2 SP1, SCCM 2012 SP1, SCCM v.Next by Kenny Buntinx [MVP]

 

If you have been to our session called App-V standalone compared to CM12 Integrated: The Good, The Bad and The Ugly at MMS 2015 , we have showed you that some things by default cannot be done in Configmgr .

We showed a strong business case around the Application model in CM12 SP1 and using App-V 5.0 to do user-based software targeting. As most people are doing App-V integration in Configuration Manager and exploring the possibilities , they ran into some challenges I believe are critical and needs to be solved in a certain way . What the correct way is , I leave that up to the smart engineering guy’s in Redmond .

One of the great promises of application virtualization is dynamic delivery of software to end-users; however delivering plug-ins or add-ons to installed (i.e. not virtualized) software has thus far been a stumbling block. Internet Explorer has been particularly challenging due to the inability to separate the browser from the OS in a supported manner. So using App-V to deploy plug-ins like Flash or Java has meant changing the user experience with virtualization or falling back to standard install methods. Since App-V 5.0 SP2 this is very good news though, with the ability to seamlessly run an installed application inside a specified virtual environment. This means that the Flash plug-in can be delivered as a virtual package and made available to Internet Explorer without resorting to hacks or changing the user experience by providing a special shortcut.

The only requirement for specific Virtual Extensions (like the flash add-in) is that the package needs to be published Globally… only it doesn’t work great when deploying all your virtualized apps to users with System Center Configuration Manager and App-V 5.x. The table below will explain in what cases you will have to use Global publishing.

imageimage

We can overcome that hurdle with a sort of workaround that we are not going to explain in absolute detail as every customer has specific needs. See the steps below as a guide to think outside the box.

Workaround :

1. We are going to create a scheduled task which triggers on a eventID action 1003 from the eventlog “Microsoft-AppV-Client/Operational”

The script to create the scheduled task :

param( [Parameter(ParameterSetName='Register')] [switch]$Register, [Parameter(ParameterSetName='UnRegister')] [switch]$UnRegister ) switch($PsCmdlet.ParameterSetName){ "Register"{ $Xml = Get-Content (Join-Path $PSScriptRoot "ScheduledTaskTemplate_Publish.xml") $hReplace = @{ _Date_=(Get-Date -Format s) _Author_="Publish_User2Global_1.0_EN" _WorkingDirectory_=$PSScriptRoot } foreach($key in $hReplace.Keys) { $Xml = $Xml -creplace $key, $hReplace.$key } Register-ScheduledTask -Xml ($Xml | Out-String) -TaskName "1_user_Publish_User2Global" -TaskPath "Microsoft\AppV\Publishing" -Force | Out-Null $Xml = Get-Content (Join-Path $PSScriptRoot "ScheduledTaskTemplate_UnPublish.xml") $hReplace = @{ _Date_=(Get-Date -Format s) _Author_="UnPublish_User2Global_1.0_EN" _WorkingDirectory_=$PSScriptRoot } foreach($key in $hReplace.Keys) { $Xml = $Xml -creplace $key, $hReplace.$key } #Register-ScheduledTask -Xml ($Xml | Out-String) -TaskName "1_user_UnPublish_User2Global" -TaskPath "Microsoft\AppV\Publishing" -Force | Out-Null } "UnRegister"{ Get-ScheduledTask -TaskPath "\Microsoft\AppV\Publishing\" -TaskName "1_user_Publish_User2Global" | Unregister-ScheduledTask -Confirm:$False | Out-Null #Get-ScheduledTask -TaskPath "\Microsoft\AppV\Publishing\" -TaskName "1_user_UnPublish_User2Global" | Unregister-ScheduledTask -Confirm:$False | Out-Null } }

The script is based on the following templates :

<?xml version="1.0" encoding="UTF-16"?> <Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Date>_Date_</Date> <Author>_Author_</Author> <URI>\Microsoft\AppV\Publishing\1_user_Publish_User2Global</URI> </RegistrationInfo> <Triggers> <EventTrigger> <Enabled>true</Enabled> <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Microsoft-AppV-Client/Operational"&gt;&lt;Select Path="Microsoft-AppV-Client/Operational"&gt;*[System[Provider[@Name='Microsoft-AppV-Client'] and EventID=1003]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription> <ValueQueries> <Value name="ThePackageId">Event/EventData/Data[@Name='Package']</Value> <Value name="TheVersionId">Event/EventData/Data[@Name='Version']</Value> <Value name="UserSid">Event/System/Security/@UserID</Value> </ValueQueries> </EventTrigger> </Triggers> <Principals> <Principal id="Author"> <GroupId>S-1-5-18</GroupId> <RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>false</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>true</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>P3D</ExecutionTimeLimit> <Priority>7</Priority> <RestartOnFailure> <Interval>PT1M</Interval> <Count>3</Count> </RestartOnFailure> </Settings> <Actions Context="Author"> <Exec> <Command>powershell.exe</Command> <Arguments>-NonInteractive -ExecutionPolicy RemoteSigned -WindowStyle Hidden -File User2Global.ps1 -Publish -PackageId $(ThePackageId) -VersionId $(TheVersionId) -UserSid $(UserSid)</Arguments> <WorkingDirectory>_WorkingDirectory_</WorkingDirectory> </Exec> </Actions> </Task>

2. When the scheduled task is triggered by event-ID action 1003 from the eventlog “Microsoft-AppV-Client/Operational” , we kick-off the following Powershell script (see below). It will unpublished the  package from the user and will publish the package globally instead.

param( [Parameter(ParameterSetName='Publish')] [switch]$Publish, [Parameter(ParameterSetName='UnPublish')] [switch]$UnPublish, [guid]$PackageId, [guid]$VersionId, [string]$UserSid ) Function New-BurntToastNotification{ <# This function will show a BurnToastNotification #> [CmdletBinding(SupportsShouldProcess = $True)] Param ( [Parameter(Mandatory=$True)] $Text, [Parameter(Mandatory=$True)] $Title ) # create toast template TO xml [Windows.UI.Notifications.ToastNotificationManager, Windows.UI.Notifications, ContentType = WindowsRuntime] > $null $toastXml = ([Windows.UI.Notifications.ToastNotificationManager]::GetTemplateContent([Windows.UI.Notifications.ToastTemplateType]::ToastImageAndText02)).GetXml() # message to show on toast $stringElements = $toastXml.GetElementsByTagName("text") | select -First 1 $stringElements.AppendChild($toastXml.CreateTextNode($Title)) > $null $stringElements = $toastXml.GetElementsByTagName("text") | select -Last 1 $stringElements.AppendChild($toastXml.CreateTextNode($Text)) > $null # image $imageElements = $toastXml.GetElementsByTagName("image") $imageElements[0].src = "file:///" + "$PSScriptRoot\appv.png" # convert from System.Xml.XmlDocument to Windows.Data.Xml.Dom.XmlDocument $windowsXml = New-Object Windows.Data.Xml.Dom.XmlDocument $windowsXml.LoadXml($toastXml.OuterXml) # send toast notification $toast = New-Object Windows.UI.Notifications.ToastNotification ($windowsXml) [Windows.UI.Notifications.ToastNotificationManager]::CreateToastNotifier("App-V").Show($toast) } Import-Module "$env:ProgramFiles\Microsoft Application Virtualization\Client\AppvClient\AppvClient.psd1" $package = Get-AppVClientPackage -PackageId $PackageId -VersionId $VersionId -All switch($PsCmdlet.ParameterSetName) { "Publish" { try { Unpublish-AppvClientPackage $package -UserSID $UserSid if (! $package.IsPublishedGlobally) { Publish-AppVClientPackage $package -Global New-BurntToastNotification -Text "$($package.name)`nSuccesfully Published Globally." -Title "App-V User2Global" } } catch { New-BurntToastNotification -Text "Something went wrong while Publishing: `n$($package.name)." -Title "App-V User2Global" } } "UnPublish" { try { if (($package = Get-AppVClientPackage -PackageId $PackageId -VersionId $VersionId -All).IsPublishedGlobally) { $package | stop-AppVClientPackage -Global -ErrorAction SilentlyContinue | Unpublish-AppvClientPackage -Global New-BurntToastNotification -Text "$($package.name)`nSuccesfully UnPublished Globally." -Title "App-V User2Global" } } catch { New-BurntToastNotification -Text "Something went wrong while unpublishing: `n$($package.name)." -Title "App-V User2Global" } } }

You can choose how to deploy the script. You can create an App-V bubble or simply deploy this with Configmgr or GPO ….

Disclaimer : The script are delivered AS-IS and are not the complete solution to this story. It is an example on how to think outside the box and make a potential solution that will fit your specific company issue.

Hope it Helps ,

Kenny Buntinx & Roy Essers .

Configmgr 2012 : Broken Applications in your task sequences after an upgrade (error 615)

1:08 pm in 615, Application Model, applications, CM12, CM12 R2, CM12 R2 SP1, CM12 SP1, CM12 SP2, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 R2 SP1, ConfigMgr 2012 SP1, ConfigMgr SP2, coretech, err, error 615, OSD, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 R2 SP1, SCCM 2012 SP1, troubleshooting, xmasblogroll by Kenny Buntinx [MVP]

 

Scenario: Upgrading a Configmgr 2012 RTM/SP1/R2 environment to a new R2 SP1 environment will end up into broken applications in your Task sequences with error 615 in the status messages.

Issue: After the upgrade was successfully performed , suddenly all applications within my OSD task sequence start failing with the following error code :

The task sequence failed to install application Intel Management Engine 6.0.40.1215(ScopeId_67A221E3-64F0-47D4-AA5A-BB3729EC221F/Application_2071f753-7604-42a5-b6be-b1b45c3c1f0a) for action (Install HW Driver Applications for HP8540P) in the group () with exit code 615. The operating system reported error 615: The password provided is too short to meet the policy of your user account. Please choose a longer password.

clip_image002

To be honest with my blog readers, this particular message can be caused by multiple reasons. I will list all possible solutions / workarounds that I have come across to solve this issue.

Cause 1 – Applications have no ContentID associated:

I blogged about this beginning of 2013 at http://scug.be/sccm/2013/01/08/configmgr-2012-sp1-broken-applications-after-upgrading-from-rtm/

After some checks, I saw that it concerned only applications and I discovered that had no ContentID associated to each Deployment Type. In other words, all the applications created and that are embedded in a TS with no direct deployments attached to the Application. It appears that the upgrade process broke all applications.

You can confirm this with the Application Catalog downloads as well. You will see “+++ Did not detect app deployment type”… in the AppDiscovery.log file. Additionally, the Software Center will show the error message “Failed”. Clicking on the details will result in “The software change returned error code 0x87D00607(-2016410105).”

We found as workaround, you have simply to add a comment to each DT and it will update the content ID. Nevertheless, the change means that a redistribution of your application on all your DP’s.

Following the steps as further discussed in this blog post at http://scug.be/sccm/2013/01/27/configmgr-2012-sp1-powershell-script-to-repair-broken-applications-after-upgrading-them-from-rtm/, the application will successfully install afterwards.

Cause 2 – Corrupt task sequence:

In some cases the policy that is related to the task sequence gets corrupt. This can be easily solved by creating a brand new task sequence and copying the steps from the older one side-by-side. Delete the old task sequence & create a new deployment for the just newly created task sequence.

Cause 3 – SMSMP parameter set incorrect:

I had also had problems after upgrading to SCCM R2 SP1. I was not able to install any applications as part of a task sequence as they all failed with error 615 or error 0x80004005. Installing applications outside of a Task sequence did work normally. The status message reported was exactly the same as described above "615 Password too short".

After investigating the client side log files it turned out, that the SCCM client was trying to download the application package using https first and after a few retry’s would switch to http only.

Because my DP is configured to accept http and https as like default behavior. I fixed the Problem by changing the value of the SMSMP parameter in the Task sequence step "Setup Windows and Configuration Manager" from

SMSMP=myserver.mydomain.local

to this:

SMSMP=http://myserver.mydomain.local

After this change, application installation worked as expected again.

clip_image004

Cause 4 – FIPS has been enabled :

Enabling FIPS mode makes Windows and its subsystems use only FIPS-validated cryptographic algorithms. An example is Schannel, which is the system component that provides SSL and TLS to applications. When FIPS mode is enabled, Schannel disallows SSL 2.0 and 3.0, protocols that fall short of the FIPS standards. Applications such as web browsers that use Schannel then cannot connect to HTTPS web sites that don’t use at least TLS 1.0. (Note that the same results can be achieved without FIPS mode by configuring Schannel according to KB 245030 and this blog post.)

Enabling FIPS mode also causes the .NET Framework to disallow the use of non-validated algorithms.

Microsoft advises not to use FIPS anymore as shown in the screenshot below : http://blogs.technet.com/b/secguide/archive/2014/04/07/why-we-re-not-recommending-fips-mode-anymore.aspx

clip_image006

In our case this solved the issue with the error 615. Probably it was a combination of things , but this is certainly something to disable and try.

Cause 5 – Use the latest CU2 on CM12 R2 SP1 :

Always make sure to use the latest CU’s as they include important fixes . You can download CU2 over here : https://support.microsoft.com/en-us/kb/3100144#/en-us/kb/3100144

The two most important fixes that may help to avoid error 615 in CU2 for R2 SP1 are :

– Applications will not install when you use them with a dynamic variable list in a task sequence if no SMB package share was defined for the content. This affects only installations that use a dynamic variable list. Other installation methods are unaffected.

No Http location found
Failed to download content for SMS package PRI00080, hr=0x80004005
Install Dynamic software action failed to resolve content for packageID: ‘PRI00080′, programID: ‘TestApp’. Error Code 0x80004005

– In a Configuration Manager environment in which multiple certificates are deployed to client computers, the client may select the wrong certificate for use in management point communication. This occurs when one certificate is based on a version 2 template and one is based on version 3. The client will select the certificate that has the longest validity period. This may be the version 3 certificate, and this certificate may not be currently supported by Configuration Manager. Errors that resemble the following are recorded in the ClientIDManagerStartup.log file.

[RegTask] – Executing registration task synchronously.
RegTask: Failed to create registration request body. Error: 0x80090014

 

Hope it Helps ,

Kenny Buntinx

MVP Enterprise Mobility

Detect, Inventory and report about the encryption method used by Bitlocker thru ConfigMgr

6:54 pm in bitlocker, ConfigMgr 2007, ConfigMgr 2007 R2, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 R2 SP1, ConfigMgr 2012 SP1, ConfigMgr Dashboards, ConfigMgr SP2, Encryption, Inventory, sccm, SCCM 2007, SCCM 2007 R2, SCCM 2007 R3, SCCM 2007 SP2, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 R2 SP1, SCCM 2012 SP1, SCCM Dashboards, sccm RTM, SCCM v.Next, sccm2007 by Kenny Buntinx [MVP]

 

Recently at a client, we needed to provide a report that was listing what Bitlocker Encryption strength method was used. That information had to be fed into the CMDB to make sure we had ‘256AES with Diffuser’ enabled.

Unfortunately, Configmgr 2012 does deliver out-of-the-box a way to determine what Bitlocker Encryption strength method, and that means the information is not in the registry or WMI.

Dependencies :

Well I tried to find an easy way , and the customer required a solution that was :

– Flexible and dynamic as they where constantly migrating from Mcafee Disk Encryption to Bitlocker and the CMDB had to be dynamically updated.

– Centrally managed code , meaning that if we needed to change anything to the code , it had to be intelligent enough to update it auto magically to all clients.

– Had to be reliable .

The solution :

– was to use a kind of detection powershell script for the Bitlocker Encryption strength using the standard powershell commandlet ‘Manage-bde’ .

– The script was to be used with a “compliance Item” and deployed thru a “Baseline” as one of my colleagues Henrik Hoe explains here :  http://blog.coretech.dk/heh/configuration-items-and-baselines-using-scripts-powershell-example/ . By using a CI , you will meet the centrally managed code part , but also the automatically way of updating the detection logic to all clients.

Forget about the old package/program way and then a way to execute the script on regular basis ( That can all be done thru the Baseline deployment)

– The script will be executed and will write a registry value BitlockerEncryptionStrenght = “TheActualValue”  and the baseline will report complaint when it has the ‘256AES with Diffuser’ detected. When the machine is not bitlockered at all , we will write a value  BitlockerEncryptionStrenght = “None”

$ErrorActionPreference="silentlycontinue" $StrBEncryption = "" $objBEncryption = "" $objBEncryption=manage-bde.exe -status |Where-Object{$_ -like "*encryption method*"} $arrBEncryption=$objBEncryption.Split(":") $StrBEncryption=$arrBEncryption[1].Trim() If ($StrBEncryption.Contains("AES")) { New-ItemProperty -Path HKLM:\SYSTEM\ABPosdInstall -Name BitlockerEncryptionStrenght -Value $StrBEncryption -Property String -Force -ErrorAction SilentlyContinue | Out-Null if ($StrBEncryption -eq "AES 256 with Diffuser") { return 1 } } Else { New-ItemProperty -Path HKLM:\SYSTEM\ABPosdInstall -Name BitlockerEncryptionStrenght -Value "None" -Property String -Force -ErrorAction SilentlyContinue | Out-Null Return 0 }

– We will pick the value up later with a custom registry key hardware inventory extension and use that in our reporting later on. For more details on how to do it : https://technet.microsoft.com/en-us/library/gg712290.aspx

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

Detect if machine has an SSD and report on it thru custom HW inventory

7:18 am in ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 R2 SP1, ConfigMgr 2012 SP1, HW inventory, OSD, sccm, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 R2 SP1, SCCM 2012 SP1, SCCM v.Next, SSD, windows 10, Windows 7, Windows 7 SP1, windows 8, windows 8.1 by Kenny Buntinx [MVP]

 

Recently at a client, we needed to provide a report that was listing whether a workstation or laptop had an SSD or a spinning disk. That information had to be fed into the CMDB

Unfortunately, Windows or Configmgr 2012 does deliver out-of-the-box a way to determine a disk is spinning or solid state, and that means the information is not in the registry or WMI.

Dependencies :

Well I tried to find an easy way , and the customer required a solution that was :

– Flexible and dynamic as they where constantly upgrading physical disks to SSD and there CMDB had to be dynamically updated.

– Centrally managed code , meaning that if we needed to change anything to the code , it had to be intelligent enough to update it auto magically to all clients.

– Had to be reliable .

The solution :

– was to use a kind of detection powershell script for the SSD that we grabbed initially from here : “https://gist.github.com/grantcarthew/c74bbfd3eba167cd3a7a#file-test-ssd” but slightly altered it to fit our needs.

– The script was altered to be used with a “compliance Item” and deployed thru a “Baseline” as one of my colleagues Henrik Hoe explains here :  http://blog.coretech.dk/heh/configuration-items-and-baselines-using-scripts-powershell-example/ . By using a CI , you will meet the centrally managed code part , but also the automatically way of updating the detection logic to all clients.

Forget about the old package/program way and then a way to execute the script on regular basis ( That can all be done thru the Baseline deployment)

– The script will be executed and will write a registry value SSD_Detected = 1 or 0 and the baseline will report complaint when it has an SSD detected.

 

<# .SYNOPSIS Detects if the passed Physical Disk Id is a Solid State Disk (SSD) or a spindle disk. Returns true for an SSD and false for anything else. .DESCRIPTION The methods used for detecting are by reading the Nominal Media Rotation Rate and Seek Penalty. These values are measured through method calls into the Kernel32.dll. If either of the Win32 DLL calls return true then the script will return false. If an exception occurs in either of the Win32 DLL calls, the return value will be dependant on the remaining call. .PARAMETER PhysicalDiskId The LUN based physical disk id. #> $Code = @" using Microsoft.Win32.SafeHandles; using System; using System.Runtime.InteropServices; using System.Text; namespace Util { public class DetectSSD { // For CreateFile to get handle to drive private const uint GENERIC_READ = 0x80000000; private const uint GENERIC_WRITE = 0x40000000; private const uint FILE_SHARE_READ = 0x00000001; private const uint FILE_SHARE_WRITE = 0x00000002; private const uint OPEN_EXISTING = 3; private const uint FILE_ATTRIBUTE_NORMAL = 0x00000080; // CreateFile to get handle to drive [DllImport("kernel32.dll", SetLastError = true)] private static extern SafeFileHandle CreateFileW( [MarshalAs(UnmanagedType.LPWStr)] string lpFileName, uint dwDesiredAccess, uint dwShareMode, IntPtr lpSecurityAttributes, uint dwCreationDisposition, uint dwFlagsAndAttributes, IntPtr hTemplateFile); // For control codes private const uint FILE_DEVICE_MASS_STORAGE = 0x0000002d; private const uint IOCTL_STORAGE_BASE = FILE_DEVICE_MASS_STORAGE; private const uint FILE_DEVICE_CONTROLLER = 0x00000004; private const uint IOCTL_SCSI_BASE = FILE_DEVICE_CONTROLLER; private const uint METHOD_BUFFERED = 0; private const uint FILE_ANY_ACCESS = 0; private const uint FILE_READ_ACCESS = 0x00000001; private const uint FILE_WRITE_ACCESS = 0x00000002; private static uint CTL_CODE(uint DeviceType, uint Function, uint Method, uint Access) { return ((DeviceType << 16) | (Access << 14) | (Function << 2) | Method); } // For DeviceIoControl to check no seek penalty private const uint StorageDeviceSeekPenaltyProperty = 7; private const uint PropertyStandardQuery = 0; [StructLayout(LayoutKind.Sequential)] private struct STORAGE_PROPERTY_QUERY { public uint PropertyId; public uint QueryType; [MarshalAs(UnmanagedType.ByValArray, SizeConst = 1)] public byte[] AdditionalParameters; } [StructLayout(LayoutKind.Sequential)] private struct DEVICE_SEEK_PENALTY_DESCRIPTOR { public uint Version; public uint Size; [MarshalAs(UnmanagedType.U1)] public bool IncursSeekPenalty; } // DeviceIoControl to check no seek penalty [DllImport("kernel32.dll", EntryPoint = "DeviceIoControl", SetLastError = true)] [return: MarshalAs(UnmanagedType.Bool)] private static extern bool DeviceIoControl( SafeFileHandle hDevice, uint dwIoControlCode, ref STORAGE_PROPERTY_QUERY lpInBuffer, uint nInBufferSize, ref DEVICE_SEEK_PENALTY_DESCRIPTOR lpOutBuffer, uint nOutBufferSize, out uint lpBytesReturned, IntPtr lpOverlapped); // For DeviceIoControl to check nominal media rotation rate private const uint ATA_FLAGS_DATA_IN = 0x02; [StructLayout(LayoutKind.Sequential)] private struct ATA_PASS_THROUGH_EX { public ushort Length; public ushort AtaFlags; public byte PathId; public byte TargetId; public byte Lun; public byte ReservedAsUchar; public uint DataTransferLength; public uint TimeOutValue; public uint ReservedAsUlong; public IntPtr DataBufferOffset; [MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)] public byte[] PreviousTaskFile; [MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)] public byte[] CurrentTaskFile; } [StructLayout(LayoutKind.Sequential)] private struct ATAIdentifyDeviceQuery { public ATA_PASS_THROUGH_EX header; [MarshalAs(UnmanagedType.ByValArray, SizeConst = 256)] public ushort[] data; } // DeviceIoControl to check nominal media rotation rate [DllImport("kernel32.dll", EntryPoint = "DeviceIoControl", SetLastError = true)] [return: MarshalAs(UnmanagedType.Bool)] private static extern bool DeviceIoControl( SafeFileHandle hDevice, uint dwIoControlCode, ref ATAIdentifyDeviceQuery lpInBuffer, uint nInBufferSize, ref ATAIdentifyDeviceQuery lpOutBuffer, uint nOutBufferSize, out uint lpBytesReturned, IntPtr lpOverlapped); // For error message private const uint FORMAT_MESSAGE_FROM_SYSTEM = 0x00001000; [DllImport("kernel32.dll", SetLastError = true)] static extern uint FormatMessage( uint dwFlags, IntPtr lpSource, uint dwMessageId, uint dwLanguageId, StringBuilder lpBuffer, uint nSize, IntPtr Arguments); // Method for no seek penalty public static bool HasSeekPenalty(string sDrive) { SafeFileHandle hDrive = CreateFileW( sDrive, 0, // No access to drive FILE_SHARE_READ | FILE_SHARE_WRITE, IntPtr.Zero, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, IntPtr.Zero); if (hDrive == null || hDrive.IsInvalid) { string message = GetErrorMessage(Marshal.GetLastWin32Error()); throw new System.Exception(message); } uint IOCTL_STORAGE_QUERY_PROPERTY = CTL_CODE( IOCTL_STORAGE_BASE, 0x500, METHOD_BUFFERED, FILE_ANY_ACCESS); // From winioctl.h STORAGE_PROPERTY_QUERY query_seek_penalty = new STORAGE_PROPERTY_QUERY(); query_seek_penalty.PropertyId = StorageDeviceSeekPenaltyProperty; query_seek_penalty.QueryType = PropertyStandardQuery; DEVICE_SEEK_PENALTY_DESCRIPTOR query_seek_penalty_desc = new DEVICE_SEEK_PENALTY_DESCRIPTOR(); uint returned_query_seek_penalty_size; bool query_seek_penalty_result = DeviceIoControl( hDrive, IOCTL_STORAGE_QUERY_PROPERTY, ref query_seek_penalty, (uint)Marshal.SizeOf(query_seek_penalty), ref query_seek_penalty_desc, (uint)Marshal.SizeOf(query_seek_penalty_desc), out returned_query_seek_penalty_size, IntPtr.Zero); hDrive.Close(); if (query_seek_penalty_result == false) { string message = GetErrorMessage(Marshal.GetLastWin32Error()); throw new System.Exception(message); } else { return query_seek_penalty_desc.IncursSeekPenalty; } } // Method for nominal media rotation rate // (Administrative privilege is required) public static bool HasNominalMediaRotationRate(string sDrive) { SafeFileHandle hDrive = CreateFileW( sDrive, GENERIC_READ | GENERIC_WRITE, // Administrative privilege is required FILE_SHARE_READ | FILE_SHARE_WRITE, IntPtr.Zero, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, IntPtr.Zero); if (hDrive == null || hDrive.IsInvalid) { string message = GetErrorMessage(Marshal.GetLastWin32Error()); throw new System.Exception(message); } uint IOCTL_ATA_PASS_THROUGH = CTL_CODE( IOCTL_SCSI_BASE, 0x040b, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS); // From ntddscsi.h ATAIdentifyDeviceQuery id_query = new ATAIdentifyDeviceQuery(); id_query.data = new ushort[256]; id_query.header.Length = (ushort)Marshal.SizeOf(id_query.header); id_query.header.AtaFlags = (ushort)ATA_FLAGS_DATA_IN; id_query.header.DataTransferLength = (uint)(id_query.data.Length * 2); // Size of "data" in bytes id_query.header.TimeOutValue = 3; // Sec id_query.header.DataBufferOffset = (IntPtr)Marshal.OffsetOf( typeof(ATAIdentifyDeviceQuery), "data"); id_query.header.PreviousTaskFile = new byte[8]; id_query.header.CurrentTaskFile = new byte[8]; id_query.header.CurrentTaskFile[6] = 0xec; // ATA IDENTIFY DEVICE uint retval_size; bool result = DeviceIoControl( hDrive, IOCTL_ATA_PASS_THROUGH, ref id_query, (uint)Marshal.SizeOf(id_query), ref id_query, (uint)Marshal.SizeOf(id_query), out retval_size, IntPtr.Zero); hDrive.Close(); if (result == false) { string message = GetErrorMessage(Marshal.GetLastWin32Error()); throw new System.Exception(message); } else { // Word index of nominal media rotation rate // (1 means non-rotate device) const int kNominalMediaRotRateWordIndex = 217; if (id_query.data[kNominalMediaRotRateWordIndex] == 1) { return false; } else { return true; } } } // Method for error message private static string GetErrorMessage(int code) { StringBuilder message = new StringBuilder(255); FormatMessage( FORMAT_MESSAGE_FROM_SYSTEM, IntPtr.Zero, (uint)code, 0, message, (uint)message.Capacity, IntPtr.Zero); return message.ToString(); } } } "@ # Function CheckSSD($PhysicalDiskId) { #initialize Add-Type -TypeDefinition $Code $hasRotationRate = $true $hasSeekPenalty = $true $driveString = "\\.\PhysicalDrive" + $PhysicalDiskId #Check RotationRate try { $hasRotationRate = [Util.DetectSSD]::HasNominalMediaRotationRate([string]$driveString) } catch { #"HasNominalMediaRotationRate detection failed with the following error;" # $Error[0].Exception.Message $hasRotationRate = $true } #Check SeekPenalty try { $hasSeekPenalty = [Util.DetectSSD]::HasSeekPenalty([string]$driveString) } catch { #"HasSeekPenalty detection failed with the following error;" #$Error[0].Exception.Message $hasSeekPenalty = $true } # Only return true if the disk has no rotation rate or no seek penalty. If ($hasRotationRate -eq 0 -and $hasSeekPenalty -eq 0) { #SSD detected New-ItemProperty -Path HKLM:\SYSTEM\ABPosdInstall -Name SSD_Detected -Value 1 -PropertyType DWORD -Force -ErrorAction SilentlyContinue | Out-Null Return 1 } Else { #No SSD detected New-ItemProperty -Path HKLM:\SYSTEM\ABPosdInstall -Name SSD_Detected -Value 0 -PropertyType DWORD -Force -ErrorAction SilentlyContinue | Out-Null Return 0 } } #initialize #Default No SSD detected $ResultCheckSSD=0 #check disk 0 Try { $ResultCheckSSD=CheckSSD(0) return $ResultCheckSSD } Catch { #error then no SSD detected $ResultCheckSSD=0 }

– We will pick the value up later with a custom registry key hardware inventory extension and use that in our reporting later on. For more details on how to do it : https://technet.microsoft.com/en-us/library/gg712290.aspx

 

Hope it Helps,

Kenny Buntinx

MVP Enterprise Client Management

Ignite keynote summary from an ECM perspective

7:27 pm in ConfigMgr, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr V.next, EMS, Enterprise Mobility Suite, hybrid, Ignite, intune, Intune Standalone, SCCM 2012, sccm 2012 R2, SCCM v.Next, System Center, System Center 2016 by Kenny Buntinx [MVP]

 

For me this was the best keynote ever for all Microsoft’s events I’ve been at, virtually or physically. Wrapped up after three hours, I want to give you guys a heads up for what is happening in my area of expertise, Enterprise Client Management.

The conference is being held in Chicago and has over 20K people in the house. If you want you can watch a replay of this morning’s keynote on demand at http://news.microsoft.com/ignite2015/

Most Important Ignite Keynote Announcements from an enterprise Client Management perspective

Windows Update for Business – This is an advanced version of what you already know today and it’s called WSUS. Together with Windows 10 it will allow you to control which machines get Windows Updates or even feature updates. Integration with your existing tools like System Center and the Enterprise Mobility Suite – so that these tools can continue to be that ‘single pane of glass’ for all of your systems management.

Office 2016 Public Preview – Available for Office 365 subscribers and those who want to run the full standalone install.  This version will really kick down the #EMS offering on IOS , Android or Windows. Office will be the key in the whole mobility story.

Windows Server 2016 – A second technical preview is now available for download and testing and will allow you to unlock some additional Hybrid functionallity , such as updates for Hyper-V ,ADFS , Workfolders , etc .

System Center 2016 – Has new provisioning, monitoring and automation abilities for your data center. A new preview will be available soon online

· New technical preview for ConfigMgr 2016 for Windows10 available for a trial at http://www.microsoft.com/en-us/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection-technical-preview

New features in today’s Technical Preview includes:

          • Support for Windows 10 upgrade with OS deployment task sequence
          • Support for installing Configuration Manager on Azure Virtual Machines
          • Ability to manage Windows 10 mobile devices via MDM with on-premises Configuration Manager infrastructure

· New service packs for Configuration Manager 2012 and 2012 R2 (They will be released somewhere next week)

These will deliver full compatibility with existing features for Windows 10 deployment and management as well as several other features, including:

          • App-V publishing performance
          • Scalability improvements
          • Content distribution improvements
          • Native support for SQL Server 2014
          • Hybrid Parity (Intune) and new features

Microsoft Advanced Threat Analytics – Brings on premise Azure AD level security monitoring and threat detection.  This software/service is the result of Microsoft’s acquisition last November of Aorato and it’s a great add-on for EMS and AD premium. The preview is available now from here.

 

During Brad Anderson’s piece of the keynote, his team showed 11 different technologies on stage and here are links to all of those services and programs:

I hope that you are as thrilled and exited as myself and that we can show you all these cool things in our own lab and we hope that we can see you at one of our SCUG.be events.

Hope it helps,

Kenny Buntinx

MVP Enterprise Client Management MVP

CM12 R2 TS after upgrade: Failed to resume task sequence (0x800700EA) error

2:15 pm in 2012R2, bootimages, capture, CM12, CM12 R2, CM12 SP1, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 SP1, Cumulative Update, Deployment, OSD, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, Task Sequence by Kenny Buntinx [MVP]

 

I upgraded one of my customers site from SP1 to R2 on a Monday morning and have hit a number of hurdles. I have discovered that my customers OSD Task sequences were not functioning correctly. Everything seems to go fine, until it reaches the Setup Windows and ConfigMgr, and then once that step is complete, it reboots and I’m left on the ctrl+alt+del screen, with the computer joined to domain but no additional steps performed.

The TS does end with an error “Failed to resume task sequence (0x800700EA) error” , as if the new client gets installed and it just ends the TS!

**** Remember **** –> Support for Windows PE 3.1 boot images above of Windows ADK 8.1 is there as feature when upgraded to R2 !! **** Remember ****

I looked at my boot images and it looked good, but frankly the x64 boot image didn’t upgrade well and stayed to version 6.2.x instead of 6.3.x. I had a script to manually update it , but it didn’t like it so it failed again.

Created a new bootimage (x64) from scratch , updated my TaskSequence  to use the new bootimage and *BAM* , it worked again

Hope it Helps ,

Kenny Buntinx

MVP enterprise Client Management  

Deploying IE11 the right way with Enterprise mode & Site Discovery thru Configmgr 2012

10:37 am in CM12, CM12 R2, CM12 SP1, ConfigMgr, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 SP1, enterprise mode, IE11, internet explorer, sccm, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1 by Kenny Buntinx [MVP]

Deploy Internet Explorer 11 today as from January 2016 only the latest version of IE will be supported on the currently supported OS’s such as Windows 7 – 8.1 – 10. You should really deploy IE11 today and start working with compatibility testing for your web applications.

 

For deploying IE11 you will need a lot of prerequisites fulfilled and you will need to do a lot of work to get it deployed successfully. More or less you will need to do it in four steps:

1. Deploy about 9 prerequisites! You must deploy KB2834140, KB2670838, KB2639308, KB2533623, KB2731771, KB2729094, KB2786081, KB2888049, KB2882822 to be able to install IE11 without any issues. Make sure you download the latest updates!

2. Reboot

3. Deploy IE11 itself. If you need the Google search provider, the only way is to repackage IE11 with IEAK.To customize Internet Explorer 11, first things first: download the Internet Explorer Administration Kit 11 here.

4. Force a reboot here

5. Make sure if you want to use IE11 Enterprise mode, you will need to deploy KB 2929437 after the installation of IE11.

6. Reboot

7. Deploy all security updates thru CM12/WSUS

8. Reboot

Luckily for us we have ConfigMgr 2012 and the fantastic Application model to handle that.

IE11 Enterprise Mode?

Enterprise Mode in IE11 is a compatibility mode that runs web apps in IE8 mode to make them work on IE11. Enterprise Mode is turned on by IT Pro using Group Policy settings for specific domains or pages. It’s much like the compatibility view settings, but provides Internet Explorer 8 compatibility. WebPages that work in Internet Explorer 8 work seamlessly in Enterprise Mode.

More on IE11 Enterprise Mode and Enterprise Mode Site List Manager.

Using the Internet Explorer Site Discovery Tool?

What do you say ??

Not so long ago Microsoft released a little tool that will inventory all the web sites a user visits to provide means to get a grip on web app compatibility. The inventory can be used for all or only some specific clients. The data is collected via WMI and inventoried with System Center Configuration Manager. There are pre-made reports included that can be imported and used in ConfigMgr.

You will find more information here on Enterprise Site Discovery Toolkit for Internet Explorer 11.

 

Collect data using Internet Explorer Site Discovery

Internet Explorer Site Discovery overview

You can use Internet Explorer to collect data on computers running Internet Explorer 11 on either Windows 8.1 or Windows 7. This inventory information helps you build a list of websites used by your company so you can make more informed decisions about your Internet Explorer deployments, including figuring out which sites might be at risk or require overhauls during future upgrades.

By default, Internet Explorer doesn’t collect data; you have to turn this feature on if you want to use it. You must make sure that using this feature complies with all applicable local laws and regulatory requirements.

What data is collected?

Data is collected on the configuration characteristics of Internet Explorer and the sites it browses, as shown here.

Data point

Description

URL

URL of the browsed site, including any parameters included in the URL.

Domain

Top-level domain of the browsed site.

ActiveX GUID

The GUID of the ActiveX controls loaded by the site.

Document mode

Document mode used by Internet Explorer for a site, based on page characteristics.

Document mode reason

The reason why a document mode was set by Internet Explorer.

Browser state reason

Additional information about why the browser is in its current state. Also called, browser mode.

Hang count

Number of visits to the URL when the browser hung.

Crash count

Number of visits to the URL when the browser crashed.

Most recent navigation failure (and count)

Description of the most recent navigation failure (like, a 404 bad request or 500 internal server error) and the number of times it happened.

Number of visits

The number of times a site has been visited.

Zone

Zone used by Internet Explorer to browse sites, based on browser settings.

Where is the data stored and how do I collect it?

The data is stored locally, in an industry-standard WMI class, Managed Object Format (.MOF) file. This file remains on the client computer until it’s collected. To collect the file from your client computers, we recommend using Microsoft System Center 2012 R2 Configuration Manager. However, if you don’t use System Center, you can collect the file using any agent that can read the contents of a WMI class on your computer.

Requirements

Before you start, you need to make sure you have the following:

Setup and configuration package, including:

    • Configuration-related PowerShell scripts
    • IETelemetry.mof file
    • Sample System Center 2012 report templates

Both the PowerShell script and .mof file need to be copied to the same location on the client computer, before you run the scripts.

Setting up your client computers for data collection

On your test computer, run the provided PowerShell script (IETelemetrySetUp.ps1) to compile the .mof file, update security privileges for the new WMI classes, and to set the registry key.

To set up your computers:

  1. Create a Package/Program in Configmgr 2012 that runs the IETElemetrySetUp.ps1
  2. Restart your computer to start collecting your WMI data.

Using System Center 2012 R2 Configuration Manager to collect your data

After you’ve collected all of the data, you’ll need to get the local files off of your computers. To do this, use the hardware inventory process in System Center Configuration Manager, in one of the following ways.

Collect your hardware inventory using the MOF Editor while connecting to a computer

You can collect your hardware inventory using the MOF Editor, while you’re connected to your client computers.

To collect your inventory

1. From the System Center Configuration Manager, click Administration, click Client Settings, double-click Default Client Settings, click Hardware Inventory, and then click Set Classes.

clip_image002

2. Click Add, click Connect, and connect to a computer that has completed the setup process and has already existing classes.

3. Change the WMI Namespace to root\cimv2\IETelemetry, and click Connect

clip_image004

4. Select the check boxes next to the following classes, and then click OK:

· IESystemInfo

· IEURLInfo

· IECountInfo

5. Click OK to close the default windows.

Your environment is now ready to collect your hardware inventory and review the sample reports.

Collect your hardware inventory using the MOF Editor with a MOF import file

You can collect your hardware inventory using the MOF Editor and a MOF import file.

To collect your inventory:

1. From the System Center Configuration Manager, click Administration, click Client Settings, double-click Default Client Settings, click Hardware Inventory, and then click Set Classes.

2. Click Import, choose the MOF file from the downloaded package we provided, and click Open.

3. Pick the inventory items to install, and then click Import.

4. Click OK to close the default windows.

Your environment is now ready to collect your hardware inventory and review the sample reports.

Collect your hardware inventory using the SMS_DEF.MOF file

You can collect your hardware inventory using the using the Systems Management Server (SMS_DEF.MOF) file.

To collect your inventory:

1. Using a text editor like Notepad, open the SMS_DEF.MOF file, located in your <Config_Manager_install_location>\inboxes\clifiles.src\hinv directory.

2. Add this text to the end of the file:

[SMS_Report (TRUE), SMS_Group_Name ("IESystemInfo"), SMS_Class_ID ("MICROSOFT|IESystemInfo|1.0"), Namespace ("root\\\\cimv2\\\\IETelemetry") ] Class IESystemInfo: SMS_Class_Template { [SMS_Report (TRUE), Key ] String SystemKey; [SMS_Report (TRUE) ] String IEVer; }; [SMS_Report (TRUE), SMS_Group_Name ("IEURLInfo"), SMS_Class_ID ("MICROSOFT|IEURLInfo|1.0"), Namespace ("root\\\\cimv2\\\\IETelemetry") ] Class IEURLInfo: SMS_Class_Template { [SMS_Report (TRUE), Key ] String URL; [SMS_Report (TRUE) ] String Domain; [SMS_Report (TRUE) ] UInt32 DocMode; [SMS_Report (TRUE) ] UInt32 DocModeReason; [SMS_Report (TRUE) ] UInt32 Zone; [SMS_Report (TRUE) ] UInt32 BrowserStateReason; [SMS_Report (TRUE) ] String ActiveXGUID[]; [SMS_Report (TRUE) ] UInt32 CrashCount; [SMS_Report (TRUE) ] UInt32 HangCount; [SMS_Report (TRUE) ] UInt32 NavigationFailureCount; [SMS_Report (TRUE) ] UInt32 NumberOfVisits; [SMS_Report (TRUE) ] UInt32 MostRecentNavigationFailure; }; [SMS_Report (TRUE), SMS_Group_Name ("IECountInfo"), SMS_Class_ID ("MICROSOFT|IECountInfo|1.0"), Namespace ("root\\\\cimv2\\\\IETelemetry") ] Class IECountInfo: SMS_Class_Template { [SMS_Report (TRUE), Key ] String CountKey; [SMS_Report (TRUE) ] UInt32 CrashCount; [SMS_Report (TRUE) ] UInt32 HangCount; [SMS_Report (TRUE) ] UInt32 NavigationFailureCount; };

3. Save the file and close it to the same location.

Your environment is now ready to collect your hardware inventory and review the sample reports.

Viewing the sample reports

The sample reports, SCCM Report Sample – ActiveX.rdll and SCCM Report Sample – Site Discovery.rdl, work with System Center 2012, so you can review your collected data.

SCCM Report Sample – ActiveX.rdl

Gives you a list of all of the ActiveX-related sites visited by the client computer.

clip_image006

SCCM Report Sample – Site Discovery.rdl

Gives you a list of all of the sites visited by the client computer.

clip_image008

Turning off data collection on your client computers

After you’ve collected all of your data, you’ll need to turn this functionality off.

To stop collecting data:

On your test computer, start PowerShell in elevated mode and run IETElemetrySetUp.ps1 using this command: powershell .\IETElemetrySetUp.ps1 -IEFeatureOff. clip_image009

Turning off data collection only disables the Internet Explorer Site Discovery feature – all data already written to WMI stays on the client computer.

Deleting already stored data from client computers

You can completely remove the data stored on your client computers.

To delete existing data:

On the client computer, start PowerShell in elevated mode (using admin privileges) and run these commands:

    1. Remove-WmiObject -Namespace root/cimv2/IETelemetry IEURLInfo
    2. Remove-WmiObject -Namespace root/cimv2/IETelemetry IESystemInfo
    3. Remove-WmiObject -Namespace root/cimv2/IETelemetry IECountInfo
    4. Remove-Item -Path 'HKCU:\Software\Microsoft\Internet Explorer\WMITelemetry'

Hope it Helps ,

Kenny Buntinx

MVP Enterprise Client Management

Windows 7 Configmgr 2012 Balloon tips : Setting it more then 5 sec to display.

7:06 am in CM12, CM12 R2, CM12 SP1, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 SP1, Portal, sccm, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, Software Center by Kenny Buntinx [MVP]

 

The balloon tip when System Center configuration manager 2012 SP1 / R2 wants to install  your software is only shown for a few seconds. Often users complain that they can’t read the balloon tip that fast. So we have to increase the display time of the balloon.

image

Right click and choose New, Registry Item

Key Path: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TrayNotify
Value name: Balloontip
Value type: REG_DWORD
Value Data (dec): 00000020

Click OK and you’re all set!

This changes the display time to 20 seconds.

You can handle this with creating a Configuration Item and deploying it thru a Configuration Baseline . Below you will find the steps :

1. Create a configuration Item called “ RegSetting BalloonTip “

image 

image

2. In the settings , create the regkey to check as specified above in the first section of this blog post .

image

3. Create the compliance Rule and enter the value you want . In this case it will be 20 seconds.

image

4. Save your configuration Item. Create a Configuration baseline that contains you Configuration Item and deploy it to your workstations. Make sure to select “Remediate non complaint rules when supported” in your deployment.

image

Hope it Helps ,

Kenny Buntinx

MVP enterprise Client Management

Enterprise Mobility Suite: Steps to get to Azure AD Premium when already using your hybrid Configmgr 2012 R2 and Windows Intune infrastructure.

9:32 am in azure, CM12, CM12 R2, ConfigMgr, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 SP1, EMS, Enterprise Mobility Suite, intune, Intune Standalone, Mobility, sccm, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, WAAD, Windws Intune by Kenny Buntinx [MVP]

 

Enterprise Mobility Suite (EMS) is Microsoft’s new bundle that includes Azure Active Directory Premium, Windows Intune and Azure Rights Management.The Enterprise Mobility Suite is Microsoft’s answer for Mobile Device Management requirements.

For people that have already Configuration Manager 2012 R2 , you can connect your Windows Intune subscription to get a single pane of glass for management. In the so called hybrid mode you can manage all your assets, from one single console.

While you can create a new WAAD (Windows Azure Active Directory) account directly from the Windows Azure Management Portal, but the most common way that WAAD directories where created before EMS existed was through the Windows Intune Sign Up process.

When setting up an Windows Intune subscription for the first time, you have to pick a tenant name (In our case demolabsbe.onmicrosoft.com). When you create the tenant name, a Windows Azure Active Directory (WAAD) account is created behind-the-scenes to store your users and groups, using the domain “demolabsbe.onmicrosoft.com” (you can add your domain names to this WAAD account later, but you will always have the original .onmicrosoft.com domain associated with it).

Windows Intune creates the WAAD accounts, but doesn’t let you manage it out of the box . You only can attach custom domains, configure users, groups & global administrators from the Windows Intune account management portal.

Attention: The WAAD account is not the same as a Windows Azure Subscription. A Windows Azure Subscription does not get automatically created or associated to your Windows Intune or Office 365 subscription or visa versa !

When you log in with your Windows Intune tenant account into the Windows Azure Management Portal (https://manage.windowsazure.com) you will see a message that there are no associated Azure Subscriptions.

Windows Azure however lets you manage all the advanced settings of WAAD accounts, including names, premium features, Apps, SSO access, multi-factor authentication, etc. The Enterprise Mobility Suite (EMS) feature , Windows Azure AD Premium can only be managed properly when you link your Windows Intune WAAD to your organizational Windows Azure Subscription.

 
Step 1: How to add your  Existing Windows Azure Active Directories to your Windows Azure Subscription ?

 

The process to add a WAAD account to your Windows Azure subscription used to be pretty painful , but now you can easily do this by adding an “Existing WAAD account”. The process is as follows:

1. Login to Windows Azure Management Portal with your Microsoft Account.

2. Click on the Active Directory category on the left, and then click the New button.

clip_image002

3. Choose New > App Services > Active Directory > Directory > Custom Create.

4. On the Add Directory dialog, click the Directory dropdown, and choose Use Existing Directory.

clip_image004

5. The dialog will switch, and inform you that you will be signed out, and need to sign in with a Global Administrator for the existing WAAD account. Check the box and click Sign Out.

clip_image006

6. Login with a Global Administrator for the WAAD account.

7. Once you login, you’ll be asked to confirm the link. Linking will make the Microsoft Account a Global Administrator in the WAAD account. Proceed through this, and you will be asked to Sign Out.

image

image

8. After Signing Out, and signing back in with your Microsoft Account, you’ll now see the WAAD account in the list of Active Directory accounts in the Windows Azure Management Portal!

image

 

Step 2 : Activate Azure AD Premium  and assign licenses to your users

 

Now that your previous created Windows Azure Active Directories from Windows Intune are visible within our Azure subscription , we can add the Azure AD Premium features to it .

In the picture below , you will see a newly created WAAD called EMSExperts from the Azure portal . By default the Azure AD Premium  can be found under the licenses tab. Now you can assign licenses to users.

image

In the other picture below , you will see the previously created WAAD from Windows intune ( added to the azure subscription later ) called MSCloudExperts. By default only the Windows Intune licenses can be found but the Azure AD Premium cannot be found under the licenses tab.

image

To add the “Azure AD Premium” licenses , you must go to the bottom of the page and hit the “Activate Trial” or “Purchase”  .

image

Now you will see that there are 2 license plans added to your WAAD . One for Windows Intune and one for Azure AD Premium. Now you can assign licenses to your users accordingly

image

 

 

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP