
How to replace expired certificates on ADFS 3.0 the right way

1:44 pm in 2012R2, ADFS, ADFS 3.0, BYOD, certificates, Cloud, Enterprise Mobility Suite, Global Managed Service Account, IIS, Known Issue, Lab, Power Management, WAP, Web Application Proxy by Kenny Buntinx [MVP]

 

As with all IT equipment that uses certificates for enhanced security, there will come a time when the certificates expire and need to be replaced. Below you will find the procedure for ADFS 3.0 and the Web Application Proxy:

The first step is to create a new CSR on one of your servers and request a renewal of the existing certificate (in our case *.demolabs.be). After the request has been processed, download your certificate and import it on the server where you created the CSR earlier. For ADFS / WAP it is very important that the private key is exported with the certificate. You can only export the certificate with a private key on the server where you previously created the CSR. Export with private keys to *.pfx and import on WAP + ADFS.

If you do not export the private keys as described above, you will face issues even if you follow the procedure below exactly, as shown in the screenshot below:

image

 

Follow the procedure below, starting with the ADFS server:

  1. Log onto the ADFS server.
  2. Import the new (exported with private key) certificate to the server. Make sure this is added to the personal certificate store for the computer account.
  3. Find the thumbprint of the new certificate. Either use the GUI through the MMC to see the details of the certificate, or use PowerShell and run Get-AdfsSslCertificate. Take a copy of the thumbprint and ensure that the spaces are removed.
  4. Make sure that the service account that is running the ‘Active Directory Federation Services’ service is granted read access to the private key.
  5. Launch AD FS Management, expand ‘Service’ within the left pane and click ‘Certificates’, then click ‘Set Service Communications Certificate’.

image

 

  6. Restart the ADFS services. However, this is not enough. Changes made in the GUI do not change the configuration held by HTTP.sys. To complete the configuration change, run the following PowerShell command: Set-AdfsSslCertificate -Thumbprint <Thumbprintofyourcertificate>
  7. Make sure to restart the server.

Now you need to log onto the WAP server.

  1. Import the new (exported with private key) certificate to the server as in step 1. 
  2. Run the PowerShell command for changing the certificate: Set-WebApplicationProxySslCertificate -Thumbprint <Thumbprintofyourcertificate>
  3. All of your publishing rules defined in the WAP need to be updated with the thumbprint of the new certificate. Use PowerShell to update them with the new thumbprint. Run: Get-WebApplicationProxyApplication -Name "WebAppPublishingRuleName" | Set-WebApplicationProxyApplication -ExternalCertificateThumbprint "<Thumbprintofyourcertificate>"
  4. Restart the Web Application Proxy services to complete the configuration
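
A check to run before and after the two procedures above, as an added example that is not part of the original post: it cleans up the copied thumbprint, confirms the certificate is in the computer account's Personal store with its private key, and lists any ADFS bindings or WAP publishing rules that are still on another certificate. The function name Test-RenewedCertificate is hypothetical, and the thumbprint is the page's placeholder, which must be replaced with your own value.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session.
function Test-RenewedCertificate {
    param([Parameter(Mandatory)][string]$RawThumbprint)

    # Thumbprints copied from the MMC carry spaces and sometimes an invisible
    # leading character; keep only the hex digits.
    $thumb = ($RawThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($thumb.Length -ne 40) {
        throw "Expected 40 hex characters (SHA-1 thumbprint), got $($thumb.Length)."
    }

    # The certificate must be in the Personal store of the computer account.
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$thumb" -ErrorAction Stop

    # A certificate imported without its private key (not from the .pfx)
    # is the situation the post warns about.
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $thumb has no private key on this server."
    }
    if ($cert.NotAfter -le (Get-Date)) {
        throw "Certificate $thumb expired on $($cert.NotAfter)."
    }
    $cert | Select-Object Subject, NotAfter, HasPrivateKey, Thumbprint
}

# Placeholder from the page: replace with the thumbprint of your new certificate.
$new = Test-RenewedCertificate -RawThumbprint '<Thumbprintofyourcertificate>'

# On the ADFS server: HTTP.sys bindings that still use another certificate.
if (Get-Command Get-AdfsSslCertificate -ErrorAction SilentlyContinue) {
    Get-AdfsSslCertificate |
        Where-Object { $_.CertificateHash -ne $new.Thumbprint }
}

# On the WAP server: publishing rules that still use another certificate.
if (Get-Command Get-WebApplicationProxyApplication -ErrorAction SilentlyContinue) {
    Get-WebApplicationProxyApplication |
        Where-Object { $_.ExternalCertificateThumbprint -ne $new.Thumbprint } |
        Select-Object Name, ExternalUrl, ExternalCertificateThumbprint
}
```

Empty output from the last two commands after the change means every binding and publishing rule is on the new certificate.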

Now you are done and you are a happy admin once more. Took me some time to figure it out.

Hope it Helps,

Kenny Buntinx

MVP Enterprise Client Management

MMS 2011 is only 5 weeks away and Birds of a Feather session on ConfigMgr R3 Power management : Lessons learned from the field

8:50 pm in BOF, configmgr2007, ConfigMgr2007 R3, mms, MMS-2011, Power Management, R3, SCCM 2007, SCCM 2007 R3 by Kenny Buntinx [MVP]

Hi All,

I have recently deployed Configuration Manager 2007 R3 RTM in production at my TAP customer. Those who attended my presentation at the Belgian System Center Day “http://scug.be/blogs/sccm/archive/2010/09/30/announcement-system-center-day-in-belgium.aspx” have already seen the best practices & lessons learned on implementing R3 Power Management.

I just proposed a birds of a feather session on ConfigMgr R3 Power management : Lessons learned from the field together with our Finnish ConfigMgr MVP Panu Saukko (who also did a large R3 TAP implementation).

We are hoping to get enough votes to put on an ultra-slick, seriously hardcore ConfigMgr 2007 R3 Power management : Lessons learned from the field BOF session at MMS 2011.

I am still trying to get enough votes to raise this up so that it can take place.

 

A short clip from his blog posting to whet your appetite:

  • R3 Power Management Overview
  • R3 Installation flow
  • R3 In-Depth Power Management Implementation notes
  • R3 Power Management Caveats
  • R3 Power management Tips & Tricks
  • R3 Power management Advanced Reporting

 

If you want to see this session go through, then vote for this session thru the roof by performing the following procedure:

  • Log into CommNet (http://www.mms-2011.com)
  • Click on “BOF Survey” in the left Nav
  • In the “Commonly Requested Topics” dropdown select “ConfigMgr R3 Power management : Lessons learned from the field”
  • Press “Submit”

 

Hope it Helps,

Kenny Buntinx and Panu Saukko

SCCM R3 : Power Management In Practice (Lessons Learned)

6:56 am in ConfigMgr, ConfigMgr 2007, ConfigMgr SP2, configmgr2007, ConfigMgr2007 R3, Deployment, Power Management, R3, sccm, SCCM 2007 R3, sccm2007, Windows 7 by Kenny Buntinx [MVP]

Hi there,

I have recently deployed Configuration Manager 2007 RTM in production at my TAP customer. Those who attended my presentation yesterday at the Belgian System Center Day “http://scug.be/blogs/sccm/archive/2010/09/30/announcement-system-center-day-in-belgium.aspx” have already seen the best practices & lessons learned.

I want to thank everyone who attended our event, as it was a great success. The presentations and the links to the recordings will be uploaded very soon, but for those who cannot wait, I’ll post a few teasers below:

 

  • Communication and User Preparation:

We created a communication plan that supported two main objectives:

    • Drive awareness: Client power management can reduce client computer power consumption, which in turn reduces both the carbon footprint and operational expenses.
    • Allow users adequate time to decline participation in the program, prior to enforcement:
      – Established a four-week period between initial communications and the enforcement of the power management settings.
      – Clear communication about the program, the extent of impact, and a link to a process to decline participation were critical to the success of the program. Even though the majority of users would perceive little or no impact, it was key that they reach the few that might.

  • Operational remarks:

 

    • You must reboot the computer after installing the power mgmt. hotfix.
    • If you create your own Package/Program to install the hotfix, you must select the “The program restarts the computer” setting, even though the hotfix DOES NOT reboot the computer.
    • If you want to install the power mgmt hotfix during a task sequence for new computers, select “Continue on error”. Put it as the last step of the task sequence.
    • A computer requires an active keyboard/mouse, otherwise it might not go to sleep at all. Mostly this affects KVMs, but we had a few examples where a computer is only used remotely (no KVM or mouse/keyboard) and it doesn’t fall asleep.
    • The basic principle: get rid of all your XP machines!
    • Windows XP machines could be switched on for too long. There are multiple processes that can block sleeping!
    • Use correct drivers, especially display drivers. Fortunately, on Vista and higher, the R3 report nicely shows those problem machines.
    • It can be very difficult to pinpoint the culprit on machines that will not sleep. It could be a client/server app or a RemoteApp (TS connection, Citrix, etc.). Regular rebooting helps the situation!
    • Change the currency symbol in your reports from $ to €.
    • The following (non-exhaustive list) could cause sleeping issues on Windows XP or other machines:
      • Anti-virus scanner
      • Video card drivers
      • Report on “Standard VGA Graphics Adapter”
      • Report on “Video Controller”
      • Report on “Video Controller (VGA Compatible)”
      • Check with the vendor whether the video card supports the S3/S4 principle (white-brand desktop)
      • Capable hardware with power management features disabled in BIOS (S3/S4)
      • HW BIOS version (put them on the same level)

 

These lessons-learned sections have been built up by sharing our own experiences at our TAP customers. Thanks to Panu Saukko (MVP) for also sharing his experiences during his TAP assignment with me.

 

Hope it Helps,

Kenny Buntinx

Configuration Manager 2007 R3 RC Update now available

5:48 pm in ConfigMgr, ConfigMgr 2007, ConfigMgr SP2, configmgr2007, ConfigMgr2007 R3, Power Management, R3, sccm, SCCM 2007, SCCM 2007 R3, SCCM 2007 SP2, sccm2007 by Kenny Buntinx [MVP]

Hi SCCM guys & Girls,

I just wanted to let you know that the Release Candidate for ConfigMgr 2007 R3 has been signed off.

The update is now available through the Connect Beta Program on https://connect.microsoft.com

RTM is getting closer!

What’s changed/added in the R3 Release Candidate?

  • Changes in Power Computer Activity Report flow which helps admin to better understand trends between computer and user activity and associated drilldowns
  • New report Power Insomnia Report which reports most common insomnia reasons based on number of machines impacted for Vista/Win7 machines not sleeping
  • New report Power Computer Details Report to view all power data for a specific machine (plans applied, capability, inventory..)
  • Admin console improvements

Soon I will write a small blog post on how to go from Beta1 to RC, so have a look in a few days.

 

Hope it Helps,

Kenny Buntinx

SCCM R3 : Power Management In Practice (how-to) Part 1

9:33 am in ConfigMgr, ConfigMgr 2007, ConfigMgr SP2, configmgr2007, ConfigMgr2007 R3, Power Management, R3, Reporting, sccm, SCCM 2007, SCCM 2007 R3, SCCM 2007 SP2, sccm2007 by Kenny Buntinx [MVP]

Hi there,

I have recently deployed Configuration Manager 2007 R3 beta (refresh) in production at my TAP customer. In my previous blog post I highlighted the R3 beta installation on your SCCM 2007 SP2 lab environment.

See “http://scug.be/blogs/sccm/archive/2010/05/14/sccm-2007-r3-beta-refresh-installation-howto.aspx”

Disclaimer: You are not allowed to install any beta products in your production environment!!! This is only allowed for selected TAP Customers!!! Always install beta products in lab environments!!!

This blog post highlights the R3 Powermgmt feature: how to use it in your environment and how to start reporting on your power consumption.

 

Prerequisites :

First you need to start rolling out the R3 Client mgmt hotfix to your clients. When done, the SCCM client will show up with a newer build version. The current version is 4.00.6487.2125.

image 

Enable your Power management client under “Client Agents”:

image

Configuration Manager 2007 R3 beta Client upgrade Validation Report

After you have deployed the R3 beta Client hotfix, you can use the query below to create a web or SQL SRS report for tracking the R3 beta Client upgrade status:

SELECT  CASE sis.Client_Version0
             WHEN '4.00.6487.2000' THEN 'ConfigMgr SP2 RTM'
             WHEN '4.00.6487.2125' THEN 'ConfigMgr SP2 R3 beta'
        END AS [ClientVersion]
       ,COUNT(1) AS [Total]
  FROM v_R_System sis
 WHERE sis.Client0 = 1
         AND sis.Obsolete0 = 0
         AND sis.Client_Version0 IN ('4.00.6487.2000','4.00.6487.2125')
GROUP BY CASE sis.Client_Version0
               WHEN '4.00.6487.2000' THEN 'ConfigMgr SP2 RTM'
               WHEN '4.00.6487.2125' THEN 'ConfigMgr SP2 R3 beta'
          END

Collections :

You basically need 3 collections:

    • A Baseline collection: This collection contains the members that will be in scope for Powermgmt.
    • An Enforcement collection: The members of this collection are going to have a Powermgmt plan applied.
    • An Opt-Out collection: The members of this collection will never have a Powermgmt plan applied.

Different people have different requirements for implementing a power plan: some people will have longer work hours (e.g. from 6 am to 11 pm), some branch offices may have different working hours, etc. To define different power policies, people need to communicate with different teams and make different power settings for different requirements. So you will define different PowerMgmt collections to meet different needs.
In this blog post example, we will only enforce power policy for one set of regular working hours.

This is what my collection structure looks like:

image 

As you can see here, I have made a distinction between laptops and desktops. This has been done to monitor more closely what the consumption/savings would be, but also with a view to later enabling different power plans for desktops and laptops.

[PC-DESKTOP-POWERMGMT-SITE] PowerPlan Baseline Collection query :

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_POWER_MANAGEMENT_CAPABILITIES on SMS_G_System_POWER_MANAGEMENT_CAPABILITIES.ResourceId = SMS_R_System.ResourceId where SMS_R_System.OperatingSystemNameandVersion like "Microsoft Windows NT Workstation %" and SMS_R_System.Name not like "OCHP%" and SMS_R_System.Client is not null  and SMS_R_System.ADSiteName = "CDM-Hoofdzetel" and SMS_G_System_POWER_MANAGEMENT_CAPABILITIES.PreferredPMProfile = 1

It looks like this:

image 

As you can see, I use the “Power Capabilities.PreferedPMProfile”.

This value is returned by your HW inventory, which reads it out of the BIOS on machines that implement the ACPI v2.0 specification. The set of values is currently:

    • 0–Unspecified
    • 1–Desktop
    • 2–Mobile
    • 3–Workstation
    • 4–Enterprise Server
    • 5–SOHO Server
    • and more

 

[PC-DESKTOP-POWERMGMT-SITE] PowerPlan Disabled Collection query :

This is right now a static collection membership as I want to add different computers quickly

[PC-DESKTOP-POWERMGMT-SITE] PowerPlan Enabled Collection query :

I had the need to make a collection that took all the members from my baseline “[PC-DESKTOP-POWERMGMT-SITE] PowerPlan Baseline Collection” collection and excluded members from my “[PC-DESKTOP-POWERMGMT-SITE] PowerPlan Disabled” collection. I needed to separate several custom machines that I don’t want to be treated by my powermgt plan. I had a really hard time trying to find and/or build a query that actually worked.

The query to use:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.Client = 1
and SMS_R_System.ClientType = 1
and SMS_R_System.ResourceId in (select ResourceID from SMS_CM_RES_COLL_xxxxxxx)
and SMS_R_System.ResourceId not in (select ResourceID from SMS_CM_RES_COLL_yyyyyyy)

Replace the item in red (xxxxxxx) with the Collection ID of the baseline collection “[PC-DESKTOP-POWERMGMT-SITE] PowerPlan Baseline Collection”, and replace the item in blue (yyyyyyy) with the Collection ID of the collection you are trying to exclude, “[PC-DESKTOP-POWERMGMT-SITE] PowerPlan Disabled”. The Collection ID is located under the General tab of the collection's properties window.

It looks like this:

image

Power Plans :

Before enabling power plans on your collections, you need to know which clients are capable of applying your power plan settings, so that you can take corrective measures at that moment if needed.

To do that we will use SRS reporting, and I will explain that in my other blog post next week. So stay tuned to see my next blog post on how to identify machines that will need different power plans and the actions taken to resolve some of the issues found.

 

Hope it Helps,

Kenny Buntinx .