Step by Step guide for provisioning Intel VPro clients in SCCM 2007 SP2 Part 4

1:05 pm in AMT, ConfigMgr, ConfigMgr 2007, ConfigMgr 2007 R2, ConfigMgr SP2, ConfigMgr2007 R3, Installation, Intel, OOB, out of band management, sccm, SCCM 2007, SCCM 2007 R2, SCCM 2007 R3, SCCM 2007 SP2, sccm2007, Vpro by Kenny Buntinx [MVP]

This is the last post in my step-by-step series on provisioning Intel vPro clients in SCCM 2007 SP2.

In my previous post I talked about importing the third-party Remote Configuration Certificate on the OOB Service Point (in this example we use a certificate from GoDaddy) to provision Intel vPro technology based systems in SCCM: http://scug.be/blogs/sccm/archive/2010/05/06/step-by-step-guide-for-provisioning-intel-vpro-clients-in-sccm-2007-sp2-part-3.aspx

In my earlier posts I talked about what OOB is, the OOB requirements and a little bit about the necessary certificates. In this post I will talk about the internal PKI infrastructure and how to configure the OOB management point within SCCM. ConfigMgr 2007 SP2 uses four types of certificates for Out Of Band Management. These four certificates are:

  • AMT Self Signed certificate – Intel AMT will generate a self-signed certificate during the PKI provisioning process to secure the connection with the ConfigMgr 2007 Server.
  • AMT provisioning certificate – This certificate is used by ConfigMgr 2007 to provision Intel AMT devices. The simplest and most automated method for provisioning is to purchase this certificate from a third-party provider (VeriSign, GoDaddy, Comodo, or Starfield). This certificate will need to be installed on each OOB Service Point in the environment.
  • Web server certificate – This certificate is generated by an internal Enterprise Certificate Authority during the provisioning process and installed on each AMT device within the firmware. This will allow for a TLS management session between the ConfigMgr 2007 OOB Management console and the AMT firmware.
  • 802.1x RADIUS Certificate – Optional certificate that allows the Intel AMT client to securely authenticate to an 802.1x network without the operating system being present.

 

In our case, you will need an internal Certificate Authority and create two certificates:

AMT provisioning certificate – In this case the GoDaddy certificate. Requesting, installing and preparing the AMT remote configuration certificate was already done in the previous blog post.

Web server certificate – This certificate is requested by the primary site server on behalf of AMT-based computers and then installed in the AMT firmware of those computers.

To prepare the Web server certificate, follow the steps below:

 

1. Open your issuing Certificate Authority (PKI) server and click Start > All Programs > Administrative Tools > Certification Authority

2. Right Click on Certificate Templates > Manage

3. In the Certificate Templates Console Window, right click on Web Server and select Duplicate Template

4. In the Duplicate Template Window, select the radio button for Windows 2003 Server, Enterprise Edition and Click OK


5. In the Properties of New Template window, enter ConfigMgr AMT Web Server Certificate

6. Check the Box to Publish certificate in Active Directory

7. Proceed to next step to set the security rights on this template.


8. Select the Security Tab and click Add

9. Select the ConfigMgr 2007 primary site server computer group and click OK

10. With the ConfigMgr Primary Site Servers group highlighted, check Read and Enroll, then click OK

11. Close the Certificate Templates Console


12. In the Certification Authority Window, right-click on Certificate Templates > New > Certificate Template to Issue

13. In the Enable Certificate Templates Window, select ConfigMgr AMT Web Server Certificate (this template was created in the previous step)

14. Click OK


15. In the Certification Authority Window, you will now see ConfigMgr AMT Web Server Certificate listed in the right hand Window and ready for use by the Out of Band Service Point

Note: This Web Server template will be used by ConfigMgr 2007 SP2 to generate a unique certificate for each Intel AMT system during the provisioning process, and is used for the TLS session during management of the Intel AMT client.

 

How to Configure OOB service in SCCM

 

After you have exported your *.pfx certificate, we will import it into the SCCM out of band management properties box. Now that you have configured all certificates and permissions and have a certificate private key, we are going to configure the OOB management point.

1. Open SCCM console -> Site Settings -> Component Configuration -> Out Of Band Service Point

 

 

2. Create an extra OU in Active Directory where SCCM creates AMT computer objects. Make sure the ConfigMgr Primary Site Server has permissions on that container to create those objects!

3. Configure the MEBx password that SCCM uses to connect to AMT-based computers. By default this password is admin, but you can change this later on.

4. You could select “Allow out of band provisioning” and “Register ProvisionServer as an alias in DNS”, but this is not necessary if you are only going to provision in-band (through the SCCM client).

5. Configure the provisioning certificate. Here you have to import that *.PFX file and enter the password you configured previously.

6. Configure your web certificate template. Here you have to select your internal PKI CA and select your ConfigMgr AMT Web Server Certificate.

You can configure all the other tabs to your own liking.

You will find a good document from Intel with all the steps at www.intel.com/en_US/Assets/PDF/…/cg_MicrosoftConfigMgr_vPro.pdf

Hope it Helps ,

 

Kenny Buntinx

Opalis 6.3 : Building a VMware/SCCM Opalis provisioning workflow

7:54 pm in ConfigMgr, ConfigMgr 2007, ConfigMgr 2007 R2, ConfigMgr SP2, configmgr2007, ConfigMgr2007 R3, Deployment, Installation, Opalis, Opalis 6.3, Operating System Deployment, powershell, sccm, SCCM 2007, SCCM 2007 R2, SCCM 2007 R3, SCCM 2007 SP2, sccm2007, Virtual machine, Vmware by Kenny Buntinx [MVP]

Recently we did a customer private cloud project where we used all the system center tooling ( http://www.microsoft.com/systemcenter/en/us/default.aspx) , except for the hypervisor layer , which was VMware .

One of the scenarios that the customer had in mind was to provision all their virtual servers with SCCM, and we had to use Opalis as the glue between VMware, BMC Remedy and System Center. In the first step of the project we didn’t use the change request mechanism from BMC Remedy yet. Special thanks to my colleague Gunther Dewit for helping me out on this one.

**** Disclaimer **** – This is a very basic workflow – we will post improvements as we go along – it is for helping people moving forward **** Disclaimer ****

The workflow itself

image

Delivering input

image

The first step in creating a workflow is doing a custom start where we could input some necessary variables . The Custom Start Activity is used to create a generic starting point for Workflows. By adding parameters to the Custom Start Activity it can consume external data which can be passed to downstream Workflow Activities.

image

These are the parameters the workflow needs in further steps. All the rest of the information resides in the data bus of Opalis.

This input is required, without it, the workflow won’t start. A popup will be presented when starting the workflow.

Now that we have all the necessary input required, we can continue with the creation of the virtual machine. In order to create a virtual machine, we need to provide some parameters, some of them will come from the Custom start step, others will have to be adapted per workflow.

 

Creating the virtual machine

image

image

These are the required parameters.

  • Name: This is the name that will be given to the virtual machine, we will get it from the Custom Start  where we filled in a name.
  • Datastore: This is the datastore that will host the virtual machine disk, we will get it from the Custom Start  where we filled in the datastore.
  • DiskMB: Since it was decided to have a fixed disk with a size of 100GB, we filled it in directly instead of asking it in the first step.
  • DiskStorageFormat: This is the thick or thin format, thin was decided as the default format.
  • MemoryMB: This is the amount of memory that will be given to the virtual machine, we will get it from the Custom Start where we filled in an amount of memory.
  • NumCPU: This is the number of CPU’s that will be given to the virtual machine, we will get it from the Custom Start where we filled in the number of CPU’s we need.
  • CD: It was decided that all VM’s will have a cd drive so we set this to true.
  • VMSwapFilePolicy: This sets the swapfile policy that states where the swapfile will be saved; it was decided to do this in the VM itself.
  • VMHost: This is the physical host where the VM will be hosted, this integration pack cannot provision on cluster yet so you need to choose a physical host.
  • GuestID: This is the OS version that will be installed on the VM.
  • Folder: This is the foldername where the VM will be installed as shown in the ESX console.

You can add more details through the “optional properties” button. If all goes well, the workflow has now created the virtual machine.

Now we need to change some things on the virtual machine.

 

Getting the network adapter settings from the created virtual machine

image

First we need to change the network settings. The VM name, we get from the Custom Start , since this is a read action, no further settings are needed.

Alternatively, you can specify some filters to narrow the data that you receive back.

image

Now we will delete all the network connections that VMware made by default because they are useless to us.

 

Removing the network adapters from the virtual machine

image

image

The Network Adapter name is data that we got back from the read action above and the VM name is still the name entered at the Custom Start .

This will remove all network adapters from the VM, alternatively, you can specify filters if you only want to delete a specific adapter.

 

Adding the production network adapter to the virtual machine

image

Now we need to add a network adapter to the VM. The VM name is still the name we entered at the Custom Start .

image

The NetworkName is the name of the network that you want your network adapter connecting to.

The StartConnected specifies if it will be connected to the network or only added without being connected.

The Type is e1000 as this is the only VMware adapter SCCM can work with.

Now we do another step to get the properties from the newly created adapter so we can use the information to input the computer into SCCM.

 

Getting the production network adapter settings from the virtual machine

image

image

Now that we collected the necessary information for SCCM, we can import the computer into SCCM.

This is done by a PowerShell script that needs two input parameters: the name and the MAC address.

 

Adding the computer to SCCM

image

Now that the computer is known in SCCM, we need to add it to the collection that has the OSD advertised to it.

image

This is done by the following step.

 

Adding the computer to an SCCM collection

image

In the collection field, you can enter 2 things, either the name of the collection or the ID of the collection. What you enter must match the collection value type. If you enter an ID as shown here, the value type must be ID as well. The same is true for the computer where we use the name from the Custom Start step so the value type is name in this case.

image

Now that the VM is created and provisioned in SCCM, we are ready to deploy the operating system on it.

So let’s power on the VM.

 

Powering on the virtual machine

image

The only thing you need to power on a VM is the name, and we still get that from the first step.

image

Now that the VM is booting up, SCCM can start the task sequence to deploy an operating system on the VM.

Meanwhile, we will check the progress in Opalis.

 

Getting the virtual machine deployment status

image

The advertisement ID is the ID as it is known in SCCM and the computer name is still the name as we specified in the first step.

image

Looping the task

Now since the OSD deployment takes some time to complete, we will let the step loop until it gets a result back from SCCM.

image

image

It will recheck every 300 seconds and will do this 8 times, or until SCCM reports that the deployment was successful, so that the loop does not keep running when the deployment finishes in fewer than 8 iterations.

 

Getting the deployment result

image

Now we need to output the result to any medium you want (logfile, mail, …), I do an output to a text file as an example.

Conditional progress

Now how does Opalis know when to write to which log file?

This can be regulated by double clicking on the arrows. This is the arrow toward the success file.

image

As you can see, it will only follow this arrow when SCCM outputs a succeeded message for the advertisement. If not, it will take the other path towards the failed log file.

 

So, it is not so easy to get it all together, but if I may give a great tip: “Write down all steps of your manual flow and then try to translate them into an Opalis workflow.”

 

Hope it Helps ,

Kenny Buntinx

Forefront Endpoint Protection 2010 : Update Rollup 1 available for download

7:29 pm in ConfigMgr, ConfigMgr 2007, ConfigMgr 2007 R2, ConfigMgr 2012, ConfigMgr SP2, configmgr2007, ConfigMgr2007 R3, embedded, FEP, FEP2010, Installation, SCCM 2007, SCCM 2007 R2, SCCM 2007 R3, SCCM 2007 SP2, SCCM 2012, WES2009 by Kenny Buntinx [MVP]

Update Rollup 1 for Microsoft Forefront Endpoint Protection 2010 introduces new features and updates. These new features and updates are summarized below.

The following list is a summary of the updates in FEP Update Rollup 1 for server functionality.

Finally the Forefront team came up with a solution that has really been missing since the release of the product. The following Microsoft website explains how to auto deploy Forefront Client Security definitions in a step-by-step guide: http://technet.microsoft.com/en-us/library/dd185652.aspx

In this step-by-step guide, they essentially go into the WSUS Console to create an Auto-Acceptance rule. First of all this should make any ConfigMgr admin shiver, as it should have been drilled into your head that you are supposed to do software updates management from the ConfigMgr administrator console. Now, I and many other SCCM admins have never understood why they didn’t solve that in a more elegant manner. The solution works, however has a couple of major drawbacks.

Additionally, in a multi distribution point environment, the actual definition updates will always come from the software update point, whereas normal software updates come from the distribution points. In other words, this impacts scale quite a bit, and Forefront definitions come out at a very frequent pace, meaning they are hitting your software update point harder than anything else.

The main problem is that in SCCM 2007 we have no "easy" way to create an Auto-Approval rule. This will be solved in CM12; until then, for CM07 they will fix that mistake with Update Rollup 1. Soon I will publish a blog post to see if this is a real workable solution. So with Update Rollup 1 you now have a tool that facilitates the use of the Configuration Manager software updates functionality to download FEP definition updates and make them available to client computers running the FEP client software.

In order to use the software updates feature for definition updates, you must perform the following high-level steps:

    • Download and install the Update Rollup 1 package.
    • Configure software updates to download definitions for FEP.
    • Configure the package by which the definition updates will be distributed, and configure the distribution settings for it.
    • Install and configure the FEP Software Update Automation tool.

 

  1. Addition of support for the FEP client software for Windows Embedded 7 and Windows Server 2008 Server Core. For more information on the added client support, see Prerequisites for Deploying Forefront Endpoint Protection on a Client
  2. The following list is a summary of the updates to FEP policies included with Update Rollup 1.
  • Update Rollup 1 for FEP 2010 adds a new FEP policy option to configure definition updates for FEP client computers. After installing Update Rollup 1 for FEP, you can configure FEP policies to update definitions from a Configuration Manager software update point.

    To configure FEP policies to update definitions from a Configuration Manager software update point

    • When you create a new FEP policy or edit an existing FEP policy, the new definition update options appear as follows:

      • When creating a new FEP policy, in the New Policy Wizard, on the Updates page, select the check box for Enable updates from Configuration Manager.
      • When editing an existing FEP policy in a Configuration Manager console on which you installed Update Rollup 1 for FEP, in the properties for a FEP policy, on the Updates tab, select the check box for Use Configuration Manager as primary source for definition updates.
  • Addition of two new preconfigured policy templates for the following server workloads:

    • Microsoft Forefront Threat Management Gateway
    • Microsoft Lync 2010

 

You will find the Forefront Endpoint Protection 2010 Update Rollup 1 download at the following location: http://www.microsoft.com/download/en/details.aspx?id=26583

 

Hope it Helps ,

 

Kenny Buntinx

Configmgr 2007 and how to automate Windows 7 Backup Activation thru a task sequence

11:43 am in ConfigMgr, ConfigMgr 2007, ConfigMgr 2007 R2, ConfigMgr SP2, ConfigMgr2007 R3, Deployment, Installation, Operating System Deployment, OSD, sccm, SCCM 2007, SCCM 2007 R2, SCCM 2007 R3, SCCM 2007 SP2, sccm2007, Task Sequence, Windows 7, Windows 7 SP1 by Kenny Buntinx [MVP]

One of my customers is using a GHOST principle on their laptops, to restore an original image from a restore partition. This partition is right now visible for the end user. Now that we are migrating towards SCCM we want to do the same thing thru Configmgr.

To accomplish this, we focus only on the integrated Windows 7 backup tools, as they have a native built-in wizard to restore as well.

Scenario to accomplish :

  1. We want to do a full backup at the end of the deployment task sequence , including the standard applications and save it locally. This one allows you to restore the machine as it was at the end of the task sequence.
  2. We want to let any user restore that image in an easy way with helpdesk support. This scenario is mainly for end users who are sitting somewhere in the “bush bush” with no direct connection to a nearby office.
  3. We want to schedule a backup for those kinds of users while they are working on their machine, based on VSS technology (impossible with Ghost).

Steps to accomplish the scenario :

First of all I want to thank Kim Oppalfens and George Simons ( both MVP ConfigMgr ) for helping me accomplish this scenario. We had some offline discussions to accomplish this scenario and it is not yet perfect .

The initial process we have in mind during the Operating system deployment phase when we stage an image to a machine for a user:

1. Creating the necessary partitions :

  • System partition (+/- 500 mb) that will hold the bootloader (think of Bitlocker ) and the WINRE environment. ( hidden )
  • C:\ OS partition
  • D:\ Data partition
  • E:\ IMAGE system image backup partition (drive letter will be removed in the process)

2. Create a local admin user, e.g. RECOVERY, and add it to the local Administrators group. We have tested this with a power user or backup operator; however, you need local admin rights to restore the image. For security purposes we will investigate later having a daily/weekly/monthly password changer based upon an algorithm.

3. Run the Windows 7 built-in WBADMIN tool with the following parameters: "wbadmin START BACKUP -BackupTarget:E: -include:c: -AllCritical -Quiet"

4. Remove the drive letter of the “Image” partition, in this case E:\

 

We don’t care about hiding the volume. Standard users have no permissions to reassign a drive letter, and hence won’t be able to see or use the partition. That is more than enough for us. Hiding the partition just complicates matters for us from an admin perspective.

The additional process we could have in mind is to send down a task sequence to back up his system when a user requests it. This could be performed with or without  any user interaction.

Task Sequence example :

</group>
      <group name="Backup" description="">
        <step type="SMS_TaskSequence_RunCommandLineAction" name="Create Admin Recovery User" description="" timeout="900" runIn="WinPEandFullOS" successCodeList="0 3010">
          <action>smsswd.exe /run: net user recovery Helpdesk123 /add</action>
          <defaultVarList>
            <variable name="CommandLine" property="CommandLine" hidden="true">net user recovery Helpdesk123 /add</variable>
            <variable name="SMSTSDisableWow64Redirection" property="DisableWow64Redirection">false</variable>
            <variable name="_SMSTSRunCommandLineAsUser" property="RunAsUser">false</variable>
            <variable name="SuccessCodes" property="SuccessCodes" hidden="true">0 3010</variable>
          </defaultVarList>
        </step>
        <step type="SMS_TaskSequence_RunCommandLineAction" name="Add Recovery User to Local Admin" description="" timeout="900" runIn="WinPEandFullOS" successCodeList="0 3010">
          <action>smsswd.exe /run: net localgroup "Administrators" recovery /add</action>
          <defaultVarList>
            <variable name="CommandLine" property="CommandLine" hidden="true">net localgroup "Administrators" recovery /add</variable>
            <variable name="SMSTSDisableWow64Redirection" property="DisableWow64Redirection">false</variable>
            <variable name="_SMSTSRunCommandLineAsUser" property="RunAsUser">false</variable>
            <variable name="SuccessCodes" property="SuccessCodes" hidden="true">0 3010</variable>
          </defaultVarList>
        </step>
        <step type="SMS_TaskSequence_RunCommandLineAction" name="Create Backup" description="" timeout="1200" runIn="WinPEandFullOS" successCodeList="0 3010">
          <action>smsswd.exe /run: wbadmin START BACKUP -BackupTarget:e: -include:c: -AllCritical -Quiet</action>
          <defaultVarList>
            <variable name="CommandLine" property="CommandLine" hidden="true">wbadmin START BACKUP -BackupTarget:e: -include:c: -AllCritical -Quiet</variable>
            <variable name="SMSTSDisableWow64Redirection" property="DisableWow64Redirection">false</variable>
            <variable name="_SMSTSRunCommandLineAsUser" property="RunAsUser">false</variable>
            <variable name="SuccessCodes" property="SuccessCodes" hidden="true">0 3010</variable>
          </defaultVarList>
        </step>
        <step type="SMS_TaskSequence_RunCommandLineAction" name="Hide Drive Letter" description="" timeout="900" runIn="WinPEandFullOS" successCodeList="0 3010">
          <action>smsswd.exe /run: Mountvol e: /D</action>
          <defaultVarList>
            <variable name="CommandLine" property="CommandLine" hidden="true">Mountvol e: /D</variable>
            <variable name="SMSTSDisableWow64Redirection" property="DisableWow64Redirection">false</variable>
            <variable name="_SMSTSRunCommandLineAsUser" property="RunAsUser">false</variable>
            <variable name="SuccessCodes" property="SuccessCodes" hidden="true">0 3010</variable>
          </defaultVarList>
        </step>
      </group>
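An added example, not part of the original post: a Python audit of an exported task sequence for the pattern used in the Backup group above, where `net user ... /add` places the account password in clear text in both the `<action>` element and the `CommandLine` variable. The sample XML is a constructed, trimmed copy of three of the steps; the function, rule and severity names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET
from collections import namedtuple

# Constructed sample: a trimmed copy of three steps from the Backup group above.
SAMPLE_TS = """\
<group name="Backup" description="">
  <step type="SMS_TaskSequence_RunCommandLineAction" name="Create Admin Recovery User">
    <action>smsswd.exe /run: net user recovery Helpdesk123 /add</action>
    <defaultVarList>
      <variable name="CommandLine" property="CommandLine" hidden="true">net user recovery Helpdesk123 /add</variable>
    </defaultVarList>
  </step>
  <step type="SMS_TaskSequence_RunCommandLineAction" name="Add Recovery User to Local Admin">
    <action>smsswd.exe /run: net localgroup "Administrators" recovery /add</action>
    <defaultVarList>
      <variable name="CommandLine" property="CommandLine" hidden="true">net localgroup "Administrators" recovery /add</variable>
    </defaultVarList>
  </step>
  <step type="SMS_TaskSequence_RunCommandLineAction" name="Create Backup">
    <action>smsswd.exe /run: wbadmin START BACKUP -BackupTarget:e: -include:c: -AllCritical -Quiet</action>
  </step>
</group>
"""

# Hypothetical finding record; the password itself is never copied into it.
Finding = namedtuple("Finding", "step rule account severity")

# "net user <account> <password> /add": a literal password on the command line.
# A second token of "*" (prompt) or a "/switch" is not a literal password.
NET_USER_ADD = re.compile(
    r'\bnet(?:\.exe)?\s+user\s+(?P<account>[^\s/*]\S*)\s+(?P<secret>[^\s/*]\S*)\s+/add\b',
    re.I)
# "net localgroup Administrators <account> /add": local admin membership.
ADMIN_ADD = re.compile(
    r'\bnet(?:\.exe)?\s+localgroup\s+"?administrators"?\s+(?P<account>\S+)\s+/add\b',
    re.I)


def step_command_lines(step):
    """Collect the command text from <action> and from the CommandLine variable."""
    lines = set()
    action = step.findtext("action")
    if action:
        # Strip the smsswd.exe launcher prefix so both copies compare equal.
        lines.add(re.sub(r'^\s*smsswd\.exe\s+/run:\s*', '', action, flags=re.I).strip())
    for var in step.iter("variable"):
        if var.get("name") == "CommandLine" and var.text:
            lines.add(var.text.strip())
    return lines


def audit_task_sequence(xml_text):
    """Return findings for run-command-line steps that embed a password."""
    # An excerpt may start with a stray closing tag from the previous group
    # (as the one on this page does); drop it, then wrap the fragment so that
    # several sibling groups still parse as one document.
    xml_text = re.sub(r'^\s*</\w+>\s*', '', xml_text)
    root = ET.fromstring("<root>" + xml_text + "</root>")
    created, admins, findings = {}, {}, []
    for step in root.iter("step"):
        if step.get("type") != "SMS_TaskSequence_RunCommandLineAction":
            continue
        name = step.get("name", "")
        for cmd in sorted(step_command_lines(step)):
            match = NET_USER_ADD.search(cmd)
            if match:
                created[match["account"].lower()] = name
                findings.append(Finding(name, "cleartext-password", match["account"], "medium"))
            match = ADMIN_ADD.search(cmd)
            if match:
                admins[match["account"].lower()] = name
    # An account that gets an embedded password and local admin rights is worse.
    for account, step_name in admins.items():
        if account in created:
            findings.append(Finding(step_name, "cleartext-password-local-admin", account, "high"))
    return findings


if __name__ == "__main__":
    for finding in audit_task_sequence(SAMPLE_TS):
        print(finding)
```

Anyone who can read the exported XML or the task sequence policy sees the same password on every machine built from it, which is the weakness the second remark at the end of this post acknowledges.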

End user experience :

1. When your Windows 7 machine gets broken it will automatically jump to the window shown below; otherwise press F8 during boot:

image

2. When you start “Repair your computer” , WinRe will start up .

image

3. Once “WinRe”is loaded it will ask for your keyboard layout :

image

4. Fill in your credentials

image

5. Select “System Image Recovery”

image

6. Select the image that you want to restore and wait until the process has been completed .

image

 

Remarks / Improvements to make :

  1. The complete process works only once with a hidden drive letter… until you do the restore. After the restore the drive letter is back and then a user could mess around and delete stuff. I have tried to remove the drive letter before running wbadmin, but I had no success using the GUID as my drive is MBR and not GPT. Anyway, the basic principle works.
  2. User security: We need an algorithm to change the custom local admin restore user on a daily/weekly/monthly basis, as a default password just isn’t secure enough.
  3. Now I am testing to get a function key on a Lenovo to do his magic ( Press F5 and it launches auto magically the recovery environment ) . More on that in a later blog post .

 

Hope it Helps ,

Kenny Buntinx

FEP 2010 with ConfigMgr Integration : Computers are no longer accessible remotely

1:25 pm in ConfigMgr, ConfigMgr 2007, ConfigMgr 2007 R2, ConfigMgr SP2, configmgr2007, ConfigMgr2007 R3, FE, FEP, FEP2010, Installation, R3, SCCM 2007, SCCM 2007 R2, SCCM 2007 R3, SCCM 2007 SP2 by Kenny Buntinx [MVP]

Hi ,

When migrating slowly at a customer from Symantec Endpoint protection to FEP 2010 we encountered the following issue :

After the FEP client has been installed, the computer is no longer remotely accessible , even with RC.exe from System Center Configuration Manager

Problem Description : In some cases, after the FEP client has been installed, the computer is no longer remotely accessible using any form of remote control utility or Computer Management tools, including but not limited to Windows Computer Management, ConfigMgr Remote Control utility, DameWare, VNC. The cause has been found to be the Windows Firewall/ICS service that cannot be started. When an attempt is made to start the service, the resulting error is: Error 0x80004015: The class is configured to run as a security id different from the caller.

Possible solutions ( I say possible because it was linked to our environment) :

  • This appears to be the same error as reported in MS Support Article ID 892199, applicable to Windows XP SP2. The FEP client, however, is only installed on XP SP3 machines. When we applied method 1 of the support article on the conflicting machine, the issue was resolved and the machine was remotely accessible again. However, we were not convinced and dug a bit deeper into it.

 

  • I went with the default descriptor D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)

The Authenticated Users group only gets read permissions, not start/stop permissions as I feared, so I’m fine with that. I just left out the Power Users group as it’s not used in our environment.

It is imperative that you test this on one or two systems before rolling it out, and make sure it works well in your environment. I used this KB to identify Local Service and Network Service: http://support.microsoft.com/kb/243330
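An added example, not part of the original post: a Python decoder for the service security descriptor quoted above, using the standard SDDL two-letter codes for service access rights, to check which trustees can start, stop or reconfigure the service before the descriptor is rolled out. The function names are hypothetical; `drop_trustee` builds the variant without the Power Users ACE described above.

```python
import re

# The descriptor exactly as quoted in the post.
PAGE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)")

# SDDL right codes as they are interpreted on a service object.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG",
    "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS",
    "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START",
    "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE",
    "RC": "READ_CONTROL",
    "WD": "WRITE_DAC",
    "WO": "WRITE_OWNER",
}

# Well-known SID aliases that appear in the descriptor above.
TRUSTEES = {
    "SY": "Local System",
    "BA": "Built-in Administrators",
    "AU": "Authenticated Users",
    "PU": "Power Users",
}

# Rights that change the service's state, configuration or permissions.
STATE_CHANGING = {
    "SERVICE_START", "SERVICE_STOP", "SERVICE_PAUSE_CONTINUE",
    "SERVICE_CHANGE_CONFIG", "DELETE", "WRITE_DAC", "WRITE_OWNER",
}

# One ACE: (type;flags;rights;object_guid;inherit_object_guid;sid)
ACE_RE = re.compile(
    r'\(([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*)\)')


def parse_service_dacl(sddl):
    """Return [(ace_type, sid_alias, [right names])] for the DACL part."""
    dacl = re.search(r'D:([A-Z]*)((?:\([^()]*\))+)', sddl)
    if not dacl:
        raise ValueError("no DACL found in descriptor")
    aces = []
    for ace_type, _flags, rights, _obj, _inherit, sid in ACE_RE.findall(dacl.group(2)):
        if len(rights) % 2:
            raise ValueError("rights string is not a run of two-letter codes: " + rights)
        codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        unknown = [code for code in codes if code not in SERVICE_RIGHTS]
        if unknown:
            raise ValueError("unknown right code(s): " + ", ".join(unknown))
        aces.append((ace_type, sid, [SERVICE_RIGHTS[code] for code in codes]))
    return aces


def state_changing_rights(sddl):
    """Map each allowed trustee to the rights that let it alter the service."""
    result = {}
    for ace_type, sid, rights in parse_service_dacl(sddl):
        if ace_type == "A":  # access-allowed ACE
            result.setdefault(sid, set()).update(STATE_CHANGING.intersection(rights))
    return result


def drop_trustee(sddl, sid):
    """Return the descriptor with every ACE for the given SID alias removed."""
    return ACE_RE.sub(lambda m: "" if m.group(6) == sid else m.group(0), sddl)


if __name__ == "__main__":
    for sid, rights in state_changing_rights(PAGE_SDDL).items():
        print(TRUSTEES.get(sid, sid), "->", sorted(rights) or "read-only")
    print(drop_trustee(PAGE_SDDL, "PU"))
```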

     

    Hope it Helps ,

    Kenny Buntinx

Configmgr 2007 OSD : Using Lenovo Update Retriever to install all your drivers without importing them in the ConfigMgr driver catalog

11:00 pm in ConfigMgr, ConfigMgr 2007, ConfigMgr 2007 R2, ConfigMgr SP2, configmgr2007, ConfigMgr2007 R3, Deployment, Drivers, Installation, Operating System Deployment, OSD, sccm, SCCM 2007, SCCM 2007 R2, SCCM 2007 R3, SCCM 2007 SP2, sccm2007, script, Task Sequence, Windows 7 by Kenny Buntinx [MVP]

Did you also think that driver management in OSD could be simplified? For example, when you have Lenovo devices, you also need to install a lot of “bad” drivers, and in a very specific way, or features such as “hotkeys” do not work. Let’s look at the process right now:

1. Search drivers from the internet manually

2. Unpack them in a correct folder structure

3. Import drivers and categorize

4. Handle duplicate drivers

Problems often seen :

1. Not all drivers work with the import (there are drivers that simply do not work with the export method; they need to run through setup.exe). HP is king in that area with the sound card and Quick Launch buttons. This means that the admin needs to create packages, programs and multiple steps in the TS to make it work.

2. To get some drivers you need to install the vendor MSI on your test laptop, go to the install folder and find the extracted drivers there. After that you can import them.

3. HP and Lenovo need certain additional software such as HP Quick Launch, HP Power Manager, Lenovo Hotkeys, Lenovo ThinkVantage, etc. A lot of those packages need to be installed in a very specific order or they just don’t work.

4. You test your deployment and, damn, it seems you forgot 2 drivers. Find them by HWguid, download and import again …

 

Lenovo Update Retriever – Thinstaller solution :

If you don’t want to spend hours searching for, downloading and importing drivers for your Lenovo computer when building a Win7 image, read on. I have found a better way to accomplish this, with thanks to Karel Serroels.

It normally takes an admin a lot of time, while with the HP / IBM solution it is a 5-minute job per HW model:

 

1. Install and run the Lenovo update retriever, select your model and software /drivers you want to install , download the drivers into a pre-defined file share . Nice , quick and easy .

2. Create a package with the Lenovo Thinstaller source files , copy the Lenovo Thinstaller files to the local disk & run it thru your TS

 

The advantage here is that I as an admin do not need to worry about the right install sequence, prerequisites, the number of needed drivers or even the OS type. The Thinstaller tool will do it for you.

Prerequisites :

Get the following software online from the Lenovo site, as you will need it:

  1. Link thininstaller: http://www-307.ibm.com/pc/support/site.wss/TVAN-ADMIN.html#ti
  2. Link update retriever: http://www-307.ibm.com/pc/support/site.wss/TVAN-ADMIN.html#ur

 

Step 1 : Install Lenovo Update Retriever on your server and follow instructions to create a share for the repository , etc .

image

Step 2 : Launch the Lenovo Update Retriever and select your model and operating system. Download all files to the repository.

image

Step 3 : Modify your Task Sequence and add Run Thinstaller Trustzone. It needs to work with .NET 2.0.

If you run Lenovo Thinstaller via a Configuration Manager task sequence, you cannot run the installation program, because it is a .NET executable and the default policy is to disallow running it from a network share or distribution point. You must therefore change the following IP address and share name to the ones from your environment!

image

Step 4 : Create the Lenovo thinstaller package in Configuration Manager.

image

Step 5 : Copy the Lenovo Thinstaller directory to C:\Windows\Thinstaller

image

Step 6 : Run Thinstaller with the following command line. You must change the following IP address and share name to the ones from your environment!

image

Step 7 : Remove the Thinstaller source files . Do a nice cleanup .

image

 

There you go. The only disadvantage of using this is the fact that your source files always need to be in one spot. You can solve this by using Sysvol, DFS or other technologies. However, most companies have a team that will build the initial image on site and then replicate the images across the company.

Hope it helps ,

Kenny Buntinx.

Softgrid 4.1 migration towards ConfigMgr with App-V 4.6 Integration : The story of automation , Part 4.

11:20 am in ConfigMgr, ConfigMgr 2007, ConfigMgr 2007 R2, ConfigMgr SP2, configmgr2007, ConfigMgr2007 R3, Deployment, Installation, migration, sccm, SCCM 2007, SCCM 2007 R2, SCCM 2007 R3, SCCM 2007 SP2, sccm2007, SQL by Kenny Buntinx [MVP]

Today, I will continue explaining my little migration project to migrate away from a standalone Softgrid 4.1 infrastructure towards a fully integrated SCCM2007 SP R2 App-V 4.6 infrastructure. You can read my previous posts right here :

 

Below I will discuss the migration scenario once more in a few bullet points to migrate away from the Softgrid 4.1 standalone environment :

1. Deploy the new App-V 4.6 clients on all workstations and check for inconsistencies (luckily all packages were sequenced with 4.2). DONE in Part 1.

2. Pull all existing Softgrid 4.2 sequenced packages through the new App-V 4.6 Sequencer to avoid any complications. DONE in Part 1.

3. Import all packages into ConfigMgr 2007 SP2 R2. DONE in Part 1.

4. Create all necessary collections and create a dynamic membership query with an AD group name. Partially explained in Part 2, DONE in Part 3.

5. Create all the necessary advertisements.

6. Switch over from Softgrid standalone to Configmgr 2007 R2 SP2. (Think about network impact !)

 

That leaves us with creating all the necessary advertisements (remember, 400 pieces) between the virtual packages and the necessary collections.

As explained in Part 3, we have created a CSV file with all the necessary information such as App-V package name, ResourceID and collection names. Now we need to add the PackageID, Advertisement Name and CollectionID to the CSV file (you can extract that kind of information out of your SQL DB (dbo.v_Package & dbo.v_collections)).

Figure 1: The modified CSV file added with PackageID, Advertisement Name, CollectionID

Once the CSV file is filled with the necessary data, we can start working on the script that creates those advertisements based on that CSV file, as we need the PackageID, CollectionID and Advertisement Name columns to make it work.

Below I will post the VBS code to read out the csv file and create all advertisements :
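An added PowerShell example of the step described above, not the author's VBS script: it checks every CSV row before anything is written (ID format, empty or duplicate advertisement names) and creates the advertisements through the SMS Provider class SMS_Advertisement only when -Create is given. The CSV column names, file name, provider host and site code are assumptions.

```powershell
# Added example, not the author's VBS script. The CSV column names (PackageID,
# CollectionID, AdvertisementName), server name and site code are assumptions.
param(
    [string]$CsvPath    = '.\advertisements.csv',  # hypothetical file name
    [string]$SiteServer = 'CMSRV',                 # placeholder: host running the SMS Provider
    [string]$SiteCode   = 'ABC',                   # placeholder site code
    [switch]$Create                                # omit for a dry run
)

# ConfigMgr IDs are a 3-character site code followed by 5 hex digits, e.g. ABC00014
$idPattern = '^[A-Z0-9]{3}[0-9A-F]{5}$'
$seenNames = @{}
$valid     = @()

foreach ($row in @(Import-Csv -Path $CsvPath)) {
    $problems = @()
    if ($row.PackageID    -notmatch $idPattern) { $problems += "bad PackageID '$($row.PackageID)'" }
    if ($row.CollectionID -notmatch $idPattern) { $problems += "bad CollectionID '$($row.CollectionID)'" }
    if ([string]::IsNullOrEmpty($row.AdvertisementName)) {
        $problems += 'empty AdvertisementName'
    } elseif ($seenNames.ContainsKey($row.AdvertisementName)) {
        $problems += "duplicate AdvertisementName '$($row.AdvertisementName)'"
    } else {
        $seenNames[$row.AdvertisementName] = $true
    }
    if ($problems.Count -gt 0) { Write-Warning ('Skipping row: ' + ($problems -join '; ')) }
    else { $valid += $row }
}

$now = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date))
foreach ($row in $valid) {
    if (-not $Create) {
        Write-Output "Would advertise $($row.PackageID) to $($row.CollectionID) as '$($row.AdvertisementName)'"
        continue
    }
    # ${SiteCode} needs braces: "$SiteCode:" would be parsed as a scoped variable name
    $adv = ([wmiclass]"\\$SiteServer\root\sms\site_${SiteCode}:SMS_Advertisement").CreateInstance()
    $adv.AdvertisementName  = $row.AdvertisementName
    $adv.PackageID          = $row.PackageID
    $adv.CollectionID       = $row.CollectionID
    $adv.ProgramName        = '[Virtual application]'  # program name used for App-V packages
    $adv.PresentTime        = $now
    $adv.PresentTimeEnabled = $true
    [void]$adv.Put()
}
```

Run it once without -Create and review the warnings; with around 400 rows, a mistyped CollectionID is far cheaper to catch in the dry run than after the advertisement has gone to the wrong collection.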


 

Stay tuned for Part 5 very soon, talking about the actual switch over from Softgrid standalone to Configmgr 2007 R2 SP2.

 

Hope it Helps ,

Kenny Buntinx

SCCM OSD issue with Win7 x64 bit deployment on HP 8740W

12:16 pm in ConfigMgr, ConfigMgr 2007, ConfigMgr 2007 R2, ConfigMgr SP2, configmgr2007, ConfigMgr2007 R3, Deployment, Drivers, Installation, Operating System Deployment, OSD, sccm, SCCM 2007, SCCM 2007 R2, SCCM 2007 R3, SCCM 2007 SP2, sccm2007, Windows 7 by Kenny Buntinx [MVP]

Hi,

I was deploying Windows 7 64-bit at a customer on an HP 8740W, which is a monster machine (Core i7, Nvidia Quadro 512 MB graphics, etc.), but during the step “Setup Windows and ConfigMgr” it fails with the following error :

Windows setup failed, code 31

Failed to run the action: Setup Windows and ConfigMgr.
Unspecified error (Error: 80004005; Source: Windows)

Looking further in the SMSTS.log it looks like :

——SMSTSLog—–

Command line for extension .EXE is "%1" %*    OSDSetupWindows    4/29/2010 7:45:19 PM    1576 (0x0628)
Set command line: "\\<yourSCCMServer>\SMSPKGE$\ABC00014\SOURCES\SETUP.EXE" "/unattend:C:\_SMSTaskSequence\unattend.xml" /noreboot    OSDSetupWindows    4/29/2010 7:45:19 PM    1576 (0x0628)
Executing command line: "\\<yourSCCMServer>\SMSPKGE$\ABC00014\SOURCES\SETUP.EXE" "/unattend:C:\_SMSTaskSequence\unattend.xml" /noreboot    OSDSetupWindows    4/29/2010 7:45:19 PM    1576 (0x0628)
Process completed with exit code 31    OSDSetupWindows    4/29/2010 7:45:34 PM    1576 (0x0628)
Windows Setup completed with exit code 31    OSDSetupWindows    4/29/2010 7:45:34 PM    1576 (0x0628)
Entering ReleaseSource() for \\<yourSCCMServer>\SMSPKGE$\ABC00014\    OSDSetupWindows    4/29/2010 7:45:34 PM    1576 (0x0628)
reference count 1 for the source \\<yourSCCMServer>\SMSPKGE$\ABC00014\ before releasing    OSDSetupWindows    4/29/2010 7:45:34 PM    1576 (0x0628)
Released the resolved source \\<yourSCCMServer>\SMSPKGE$\ABC00014\    OSDSetupWindows    4/29/2010 7:45:34 PM    1576 (0x0628)
exitCode == 0, HRESULT=80004005 (e:\nts_sms_fre\sms\client\osdeployment\setupwindows\setupwindows.cpp,440)    OSDSetupWindows    4/29/2010 7:45:34 PM    1576 (0x0628)
Windows setup failed, code 31    OSDSetupWindows    4/29/2010 7:45:34 PM    1576 (0x0628)
setup.run(), HRESULT=80004005 (e:\nts_sms_fre\sms\client\osdeployment\setupwindows\setupwindows.cpp,1707)    OSDSetupWindows    4/29/2010 7:45:34 PM    1576 (0x0628)
Exiting with code 0x80004005    OSDSetupWindows    4/29/2010 7:45:34 PM    1576 (0x0628)
Process completed with exit code 2147500037    TSManager    4/29/2010 7:45:34 PM    1384 (0x0568)

——SMSTSLog—–

 

This error (error 31) could have multiple causes in my environment. I will summarize them below :

  • As I was deploying from an OEM media kit (yes, I know, companies should have a volume license key), it could cause some issues, as on the OEM media there is no such thing as a Pid.txt where the product key is stored. OEM media uses the unique key that is stuck under your PC/laptop.
  • A badly written Unattend.xml, but as that XML has been used at other customers as well and posted on my blog, it seems unlikely.
  • The product key mentioned in the Task Sequence. Checked it, no product key mentioned. This error usually happens because you are using a MAK key when you should not be using any key during the TS; you can use the KMS client key (this is different from the KMS Server key you get from the MVLS site), but this is not required as your KMS client key is embedded in the OS source files in a file called pid.txt mentioned earlier.
  • Faulty drivers ….

 

I very soon eliminated 2 of the 4 options and was left with :

  • As I was deploying from an OEM media kit (yes, I know, companies should have a volume license key), it could cause some issues, as on the OEM media there is no such thing as a Pid.txt where the product key is stored. OEM media uses the unique key that is stuck under your PC/laptop.
  • Faulty drivers ….

 

As a next step I disabled the step “Auto apply drivers” and magically the setup continued …. That’s funny, so it has to be a driver….

Now that I know my root cause, let’s investigate. The fun part is that Configmgr makes it easy to disable drivers.

After some testing it became clear that the “IDT High Definition Audio Codec” was giving me error 31 because it has been written very crappy!

Solution :

  1. Remove the driver from the database
  2. Create a software Package and launch the setup via Setup.exe in your Task Sequence .

 

It now works like a charm .

 

Hope it Helps ,

Kenny Buntinx

ConfigMgr 2007 R3 : Installing Hotfix Prerequisite KB977384 on a Site Server with ICP Pack will fail.

6:26 am in ConfigMgr, ConfigMgr SP2, ConfigMgr2007 R3, Installation, R3, SCCM 2007 R3, SCCM 2007 SP2 by Kenny Buntinx [MVP]

When you install an ICP pack on your Site Server, the Site Server version number gets incremented. When you want to install the R3 prerequisite hotfix (977384), it checks to make sure it is not being installed on an ICP Site Server, as there is no support yet for any languages other than English. In Europe this happens more than in other parts of the world.

Basically, if you try to install this hotfix on a ConfigMgr 2007 SP2 Site Server running an ICP, the installation will fail with the following message :

"This hotfix is not valid for this version of Configuration Manager"

 

There is no supported way to uninstall an ICP pack from a site server, and that leaves you with only one or two options :

  • Wait for the hotfix KB977384 with ICP1 and/or ICP2 support to be released.
  • Install R3 on a Site Server that isn’t running an ICP.

 

Hope it Helps ,

 

Kenny Buntinx

Softgrid 4.1 migration towards ConfigMgr with App-V 4.6 Integration : The story of automation , Part 1.

8:05 pm in App-V, AppV, ConfigMgr, ConfigMgr 2007 R2, ConfigMgr SP2, configmgr2007, ConfigMgr2007 R3, Installation, migration, R3, sccm, SCCM 2007 R2, SCCM 2007 R3, SCCM 2007 SP2, sccm2007, script, SDK, Softgrid, Toolkit by Kenny Buntinx [MVP]

Today we have reached the second phase of migrating the existing Softgrid 4.1 stand-alone infrastructure towards the already upgraded and optimized System Center Configuration Manager 2007 SP2 R2 that we did in phase 1.

We all know that integrating a standalone Softgrid/App-V infrastructure into an integrated Configmgr 2007 SP2 R2 – App-V implementation can only be done with a big bang. It is either On or Off. We also know that Softgrid sequenced apps lower than version 4.5 can cause issues and, more importantly, they are lacking the manifest.xml file that is necessary to create virtual packages in ConfigMgr 2007 SP2 R2.

 


 

Below I will discuss the migration scenario in a few bullet points to migrate away from the Softgrid 4.1 standalone environment :

  1. Deploy the new App-V 4.6 clients on all workstations and check for inconsistencies (luckily all packages were sequenced with 4.2)
  2. Pull all existing Softgrid 4.2 sequenced packages through the new App-V 4.6 Sequencer to avoid any complications.
  3. Import all packages into ConfigMgr 2007 SP2 R2
  4. Create all necessary collections and create a dynamic membership query with an AD group name.
  5. Create all the necessary advertisements.
  6. Switch over from Softgrid standalone to Configmgr 2007 R2 SP2. (Think about network impact !)

 

Step 1 :

As the old Softgrid 4.1 stand-alone infrastructure has around 400 virtual packages, and they need to pass through the App-V 4.6 sequencer to avoid any inconsistencies or complications, the last thing you want to do is play the monkey and open up all packages in the sequencer and save them manually … For this part I had very good team players who are very skilled VBScript writers; again a big thank you to Ewald Lieuwes ( http://www.wchulseiee.net/) & Wouter Schrijvens …

Below I will post the VBS code written for :

 

  1. Going through the list of virtual packages stored at E:\Softgrid\<Package Name>….
  2. Open them one by one in the App-V 4.6 sequencer and save them to a new location called F:\App-V\<Package Name> to have a backup!
  3. As you see in this script, we use E:\, F:\ and U:\. The U:\ is the virtual drive partition (by default this is Q:\)
  4. Make sure the virtual drive partition is big enough for all of your packages. In this case, this was limited to 2 GB (standard, as Softgrid 4.1 has this limitation of 2 GB on the size of sequenced apps). We had to resize this to 50 GB.

 

 The code :


 

Step 2 :

As we need to import all 400 upgraded App-V 4.6 virtual packages into ConfigMgr, the last thing you want to do is play the monkey and create all packages in ConfigMgr 2007 R2 SP2 by hand … For this part I had very good team players who are very skilled VBScript writers; again a big thank you to Ewald Lieuwes ( http://www.wchulseiee.net/) & Wouter Schrijvens …

 

You could do it by using the ConfigMgr SDK, located at http://www.microsoft.com/downloads/en/details.aspx?familyid=064a995f-ef13-4200-81ad-e3af6218edcc&displaylang=en, or you could use a standard base script that is located under <Drive>\<PathWhereYouInstalledSCCM>\Tools\VirtualApp\ManageVappPackage.vbs and wrap another VB script around it to build in some other checks or functionalities.

I used the default script located under <Drive>\<PathWhereYouInstalledSCCM>\Tools\VirtualApp\ManageVappPackage.vbs and wrapped another VB script around it.

Below I will post the VBS code written for :

 

  1. Going through the list of upgraded 4.6 virtual packages stored at a DFS share \\<YourDomainName>\start\sccmsrc\[VIRTUALPACKAGESRC]\<Package Name>….
  2. Create a source directory App-V package folder for SCCM, in this case \\<ServerName>\VIRTUALPKG$\<Package Name>…, if it does not exist.
  3. Import the App-V package in ConfigMgr and add it to the distribution points, called \\CMSRV and \\CMDPMP
  4. Run this script on your SCCM box where your SCCM provider is installed !!

 

The code :


 

In Part 2, I will continue to blog, if I technically manage to succeed in the following days, about the following :

  • Create all necessary collections and create a dynamic membership query with an AD group name in an automated fashion.
  • Create all the necessary advertisements in an automated fashion.

Come back and check soon.

Hope it Helps ,

Kenny Buntinx