
Detect, Inventory and report about the encryption method used by Bitlocker thru ConfigMgr

6:54 pm in bitlocker, ConfigMgr 2007, ConfigMgr 2007 R2, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 R2 SP1, ConfigMgr 2012 SP1, ConfigMgr Dashboards, ConfigMgr SP2, Encryption, Inventory, sccm, SCCM 2007, SCCM 2007 R2, SCCM 2007 R3, SCCM 2007 SP2, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 R2 SP1, SCCM 2012 SP1, SCCM Dashboards, sccm RTM, SCCM v.Next, sccm2007 by Kenny Buntinx [MVP]

 

Recently at a client, we needed to provide a report listing which BitLocker encryption strength method was used. That information had to be fed into the CMDB to make sure we had ‘256AES with Diffuser’ enabled.

Unfortunately, ConfigMgr 2012 does not deliver an out-of-the-box way to determine the BitLocker encryption strength method, and that means the information is not in the registry or WMI.

Dependencies :

Well, I tried to find an easy way, and the customer required a solution that was :

– Flexible and dynamic, as they were constantly migrating from McAfee Disk Encryption to BitLocker and the CMDB had to be dynamically updated.

– Centrally managed: if we needed to change anything in the code, it had to be intelligent enough to update itself automagically on all clients.

– Reliable.

The solution :

– Use a PowerShell detection script for the BitLocker encryption strength, built on the standard ‘manage-bde’ command.

– The script is used in a “Configuration Item” and deployed through a “Baseline”, as one of my colleagues Henrik Hoe explains here : http://blog.coretech.dk/heh/configuration-items-and-baselines-using-scripts-powershell-example/ . By using a CI you meet the centrally managed code requirement, and the detection logic is also updated automatically on all clients.

Forget about the old package/program way and then finding a way to execute the script on a regular basis (that can all be done through the Baseline deployment).

– The script is executed and writes a registry value BitlockerEncryptionStrenght = “TheActualValue”, and the baseline reports compliant when it has detected ‘256AES with Diffuser’. When the machine is not BitLocker-encrypted at all, we write the value BitlockerEncryptionStrenght = “None”.

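    $ErrorActionPreference = "SilentlyContinue"
    $RegPath = "HKLM:\SYSTEM\ABPosdInstall"
    $StrBEncryption = ""

    # Take the first "Encryption Method" line that manage-bde reports
    $objBEncryption = manage-bde.exe -status | Where-Object { $_ -like "*encryption method*" } | Select-Object -First 1
    If ($objBEncryption) {
        $arrBEncryption = $objBEncryption.Split(":")
        $StrBEncryption = $arrBEncryption[1].Trim()
    }

    # New-ItemProperty fails when the key is missing, so create it first
    If (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }

    If ($StrBEncryption.Contains("AES")) {
        # Encrypted: record the actual method for hardware inventory
        New-ItemProperty -Path $RegPath -Name BitlockerEncryptionStrenght -Value $StrBEncryption -PropertyType String -Force -ErrorAction SilentlyContinue | Out-Null
        If ($StrBEncryption -eq "AES 256 with Diffuser") { Return 1 }
        # Encrypted, but with a weaker method: not compliant
        Return 0
    }
    Else {
        # Not encrypted at all
        New-ItemProperty -Path $RegPath -Name BitlockerEncryptionStrenght -Value "None" -PropertyType String -Force -ErrorAction SilentlyContinue | Out-Null
        Return 0
    }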

– We will pick the value up later with a custom registry key hardware inventory extension and use that in our reporting later on. For more details on how to do it : https://technet.microsoft.com/en-us/library/gg712290.aspx
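The detection script above reads only one ‘Encryption Method’ line, while manage-bde prints one block per volume. The following is an added example, not part of the original post: it parses the status text into one result per volume. The function name Get-BdeEncryptionMethod is hypothetical, English manage-bde output is assumed, and the sample text is constructed.

```powershell
# Added example, not the author's script. Parses 'manage-bde -status' text
# (English output assumed) into one object per volume.
function Get-BdeEncryptionMethod {
    param([string[]]$StatusLines)

    $volume = $null
    foreach ($line in $StatusLines) {
        if ($line -match '^Volume\s+(\S+:)') {
            # Start of a new volume block, e.g. "Volume C: [OSDisk]"
            $volume = $Matches[1]
        }
        elseif ($volume -and $line -match '^\s*Encryption Method:\s*(.+?)\s*$') {
            $method = $Matches[1]
            New-Object PSObject -Property @{
                Volume    = $volume
                Method    = $method
                # Same compliance string the detection script compares against
                Compliant = ($method -eq 'AES 256 with Diffuser')
            }
            $volume = $null   # wait for the next volume header
        }
    }
}

# Constructed sample output: an encrypted OS volume and an unencrypted data volume
$sample = @'
Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [OSDisk]
[OS Volume]

    Size:                 237.37 GB
    BitLocker Version:    Windows 7
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100%
    Encryption Method:    AES 256 with Diffuser
    Protection Status:    Protection On

Volume D: [Data]
[Data Volume]

    Size:                 100.00 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0%
    Encryption Method:    None
    Protection Status:    Protection Off
'@ -split "`r?`n"

$results = Get-BdeEncryptionMethod -StatusLines $sample
$results | Format-Table Volume, Method, Compliant -AutoSize

# On a live client, feed it the real output instead of the sample:
#   Get-BdeEncryptionMethod -StatusLines (manage-bde.exe -status)
```

With the sample above, C: is reported as compliant and D: as not compliant with method None.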

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

Configuration Manager 2012 OSD : Only import the Intel chipset drivers you really need for your brand/model !

6:31 pm in ConfigMgr 2007 R2, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 SP1, ConfigMgr SP2, configmgr2007, Deployment, Drivers, Operating System Deployment, OSD, sccm, SCCM 2007, SCCM 2007 R2, SCCM 2007 R3, SCCM 2007 SP2, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, sccm RTM, sccm2007 by Kenny Buntinx [MVP]

 

Yesterday I wrote a blogpost about the reason to keep your “Driver DB” and “driver packages” as clean as possible and that you do not need to import all the junk they provide in those so called “enterprise driver packages” for multiple models.

As a first tip for helping you accomplish that , we show you in this blog post how we can limit the number of *.inf files we need to import from Intel(R) Chipset Device Software . When downloading and extracting that Intel(R) Chipset Device Software package you will see that originally there are about  98 inf files present :


Now reduce the number of INF files :

There are two override command switches for setup.exe from the Intel(R) Chipset Device Software that help us reduce the *.inf files we need to import into our “Driver Package” :

-AONLY Extracts the needed INF files to install on the current system. If the install has been run once successfully, ‘-AONLY’ will not return any INFs. When used in conjunction with the ‘-OVERALL’ switch, all the needed INFs for the system will be extracted.

-P <Installation Path> Specifies the hard disk location to which the INF program files are copied. If this flag is not specified at the command line, the <Installation Path> directory is as follows: C:\Program Files\Intel\INFInst .

If this flag is used without the ‘-A’ option, only the Readme will be copied to <Installation Path>. The directory name can include spaces, but then a pair of double quotes (") must enclose the directory name. There should not be any space between the switch ‘-p’ and the directory name. This flag works in either Silent Mode or Interactive Mode.

Let's execute it on the local brand/model that contains an Intel chipset :

The result of running the setup with those parameters:

After running the tool on your local brand/model, you will see that the number of *.inf files is reduced to five (5) items! Isn't that great? Now copy those drivers into your regular driver import process and you have reduced the bloat in your ConfigMgr driver database by 80% at least!

 


 

Hope it Helps ,

Kenny Buntinx

MVP enterprise Client Management

How to Install Windows 7 Language packs online during OSD Task Sequence (or in your Hybrid base image)

7:27 am in ConfigMgr, ConfigMgr 2007, ConfigMgr 2007 R2, ConfigMgr 2012, ConfigMgr 2012 SP1, ConfigMgr SP2, configmgr2007, ConfigMgr2007 R3, language Packs, MUI, OSD, sccm, SCCM 2007, SCCM 2007 R2, SCCM 2007 R3, SCCM 2007 SP2, SCCM 2012, SCCM 2012 SP1, sccm2007, Task Sequence, Windows 7, Windows 7 SP1, Windows7 by Kenny Buntinx [MVP]

 

Windows 7 language pack setup, lpksetup, includes parameters to support a managed installation.  I successfully tested the following from the command prompt:

lpksetup.exe /i nl-NL /p . /r /s

I created and advertised a program with this command line, but it quickly failed on a windows7 x64. 


The test system returned an error status message, ID 10003: “An error occurred while preparing to run the program for advertisement….  The operating system reported error 2147942402: The system cannot find the file specified.”

Execmgr.log contained the following:

File C:\Windows\SysWOW64\CCM\Cache\…\lpksetup.exe is not a valid executable file
Invalid executable file lpksetup.exe

It turns out that lpksetup.exe on Windows 7 64-bit is a 64-bit-only process so with WOW file redirection in a 32-bit process C:\Windows\System32 redirects to C:\Windows\SysWOW64, which does not contain lpksetup.exe.  So I altered the ConfigMgr program command line to:

%WinDir%\SysNative\lpksetup.exe /i nl-NL /p . /r /s


Using the SysNative alias allowed the language pack to be successfully installed on Windows 7 64-bit from a ConfigMgr advertised program or Task Sequence.

The language packs are installed successfully, as I can choose the installed languages after the installation.

I got this valuable information from Aaron Czechowski at http://blogs.technet.com/b/aaronczechowski/archive/2011/12/18/deploying-windows-7-language-packs-via-configmgr.aspx

Hope it Helps ,

Kenny Buntinx

Configmgr 2007 / 2012 : Using AfterBackup.bat to Daily Archive a Backup Snapshot

8:23 am in backup, ConfigMgr, ConfigMgr 2007, ConfigMgr 2007 R2, ConfigMgr 2012, ConfigMgr 2012 SP1, ConfigMgr SP2, configmgr2007, ConfigMgr2007 R3, sccm, SCCM 2007, SCCM 2007 R2, SCCM 2007 R3, SCCM 2007 SP2, SCCM 2012, SCCM 2012 SP1, sccm2007 by Kenny Buntinx [MVP]

 

To ensure that a recent backup snapshot is always available, it is recommended that you archive the backup snapshot every time the SMS backup task completes a backup cycle. By default, the standard backup task overwrites the previously created backup.

To accomplish that, you can use the AfterBackup.bat file to run a third-party tool (7Zip) that automatically archives the backup snapshot every time you back up your site. After successfully backing up the site, the SMS backup task runs the AfterBackup.bat batch file. The AfterBackup.bat file integrates the archive and the backup operations, thus ensuring that every new backup snapshot is archived.

All this script does is move the backup folder to a folder named after the day of the week. If the destination already exists, it is deleted first. The result is 7 days of backups or more.

To use the AfterBackup.bat file

  1. Prepare an ASCII file with commands that archive your backup snapshot, or that perform any other post-backup tasks your site requires.
  2. Name the file "AfterBackup.bat" and save it in the SMS\inboxes\smsbkup.box folder. Now, every time the backup task runs successfully, it will run the AfterBackup.bat file.
  3. Every time after the AfterBackup.bat file archives the site’s backup snapshot, store that archive in a secure location.

Here is an Afterbackup.bat file that will make a daily backup of ConfigMgr Backup, so that you have a full week of backups.

  1. Place the file in the following location :

  2. Make sure you copy the 7zip command-line executable into the root of that directory. When the backup has run daily, you should see this :

 

Hope it Helps ,

Kenny Buntinx

Configmgr 2012 : How to create custom boot images that will support #VMware’s native VMXnet3 NIC

8:46 pm in ConfigMgr, ConfigMgr 2007, ConfigMgr 2012, ConfigMgr 2012 SP1, ConfigMgr SP2, configmgr2007, ConfigMgr2007 R3, sccm, SCCM 2007, SCCM 2007 R2, SCCM 2007 R3, SCCM 2007 SP2, SCCM 2012, SCCM 2012 SP1, sccm2007, Vmware by Kenny Buntinx [MVP]

 

Though VMware Tools does not support the WAIK or ADK’s WINPE 3.1 environment, you can take advantage of specific VMware Tools drivers, such as vmxnet3, and pvscsi by creating a customized Configmgr 2007/2012 Boot Image .

To create a customized Configmgr 2007/2012 Boot Image :

  • On your Primary site server Click Start > All Programs > Microsoft Windows AIK > Windows PE Tools Command Prompt to open the Windows PE Tools command prompt.
  • Run this command to create a Windows PE build environment in the WinPE folder.
      • for a 32bit boot wim – copype x86 C:\winpe-x86
      • for a 64bit boot wim – copype amd64 C:\winpe-amd64
  • Install VMware Tools on Windows 2008 and copy the entire contents of the C:\Program Files\VMWare\VMWare Tools\Drivers\pvscsi and vmxnet3 folders to a C:\VMDrivers folder on the virtual machine.
  • From the Windows PE command prompt (<Drive>:\winpe-x86), run this command to mount winpe.wim to the mount folder:
    dism /mount-Wim /wimfile:<drive>:\winpe.wim /index:1 /mountdir:<drive>:\WinPE_tmp
  • Run this command at the Windows PE Tools command prompt to copy the vmxnet, vmxnet3 (enhanced), and pvscsi drivers to winpe.wim:
    dism /image:<drive>:\WinPE_tmp /Add-Driver /driver:c:\VMDrivers /recurse
  • Run this command to save the changes to winpe.wim:
    dism /unmount-Wim /Mountdir:<drive>:\WinPE_tmp /commit

Import your custom boot images in Configmgr 2007/2012 and distribute them to your DP. You're done!

Hope it Helps ,

Kenny Buntinx

New CM07 KB 2783466: Software updates are displayed as invalid unexpectedly in the Administrator Console in System Center Configuration Manager 2007

10:41 am in ConfigMgr, ConfigMgr 2007, ConfigMgr 2007 R2, sccm, SCCM 2007, SCCM 2007 R2, SCCM 2007 R3, SCCM 2007 SP2, sccm2007, wsus by Kenny Buntinx [MVP]

 

After a Software Update Point (SUP) synchronization with Windows Software Update Services (WSUS) is complete, software updates that were previously successfully deployed are displayed unexpectedly as invalid in the Administrator Console in Microsoft System Center Configuration Manager 2007. Specifically, the invalid updates icon (a red arrow) appears alongside the updates when you view the updates in the Deployment Management node of the Administrator Console. Additionally, these updates are no longer listed under the Deployment Packages node.

This issue may occur because of changes that were made to the Microsoft Update service in October 2012. These improvements contain metadata updates that affect all WSUS servers. These changes caused some updates to be marked as having a content change, even though the update binaries were not changed. For some administrators, the metadata changes may have been applied automatically when WSUS synchronized with the Microsoft Update servers in October. Other administrators received the changes by applying update 2734608 to their WSUS servers.

More info here :

KB 2783466: Software updates are displayed as invalid unexpectedly in the Administrator Console in System Center Configuration Manager 2007

Hope it helps ,

Kenny Buntinx

SCCM Out of Band Management Troubleshooting (Part1)

1:47 pm in AMT, ConfigMgr 2007, ConfigMgr 2007 R2, ConfigMgr SP2, ConfigMgr2007 R3, OOB, out of band management, sccm, SCCM 2007, SCCM 2007 R2, SCCM 2007 R3, SCCM 2007 SP2, sccm2007, System Center Service Manager, Tokensize, Vpro by Kenny Buntinx [MVP]

It’s no secret for most people that KVM Remote Control is one of my favorite vPro features within System Center Configuration Manager  (System Center Configuration Manager 2007 R3 / System Center Configuration Manager 2012 Beta 2) or System Center Service Manager (System Center Service Manager 2010).

Why go to an end user to fix his PC when you can use KVM Remote Control to do it from your own desk? With a feature this awesome, it’s challenging to make improvements. With the next generation Intel Core vPro Processors, KVM Remote Control now supports resolutions up to 1920×1200 at 16 bits per pixel color depth.

In my previous blog posts I already explained where to download the Intel vPro KVM add-on for System Center Configuration Manager. You can read the article here at “SCCM 2007 : Intel AMT–VPRO KVM add-on for SCCM 2007”.

If you want to go and download the tools directly from the Intel site , please go to the following links  :

However, to use any of the above plugins, your systems must be made ready to use vPro. There are a lot of requirements to make that happen, which I am not going to explain here in detail. Here are all my System Center Configuration Manager 2007: Out Of Band Management blog posts. I am just going to list them :

After you have performed the installation by the book, it will probably not work directly out of the box, and this can have multiple reasons. I will explain the necessary steps to debug your potential issues in different blog posts:

1. Kerberos Ticket Size issue !

If the Out Of Band Management console won't connect to a client computer, it might be that the Kerberos ticket size is too big. That means your user account belongs to too many groups.

You can find more information here:

 

If you have problems connecting to a client computer with the OOB console, check OOBConsole.log at <ConfigMgrInstallationPath>\AdminUI\AdminUILog .

I found the error messages below when I tried to connect with the OOB console using a user account whose Kerberos ticket size was too big, after I had modified the OOBConsole.exe.config file and set the error logging value in the file to verbose.

[22.07.2011 13:54:32] :System.Management.ManagementException\r\nInvalid parameter \r\n at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)
[22.07.2011 13:56:25] :RefreshAmtThirdPartyStorage fail with result:0x80338126
[22.07.2011 14:00:26] :GetAMTPowerState fail with result:0x800703E3

or

[22.07.2011 14:54:32] :System.Management.ManagementException\r\nInvalid parameter \r\n at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)
[22.07.2011 14:56:25] :RefreshAmtThirdPartyStorage fail with result:0x80070005
[22.07.2011 15:00:26] :GetAMTPowerState fail with result:0x80070005

To interpret the value of the token size, you need the following background information. Each AMT version has a different maximum token size, as shown below in the table :

 

 

Below I have 2 accounts :

  • My account
  • SCCMAMT – An account created especially to be a member of only the AMT SCCM group, with the rights to execute AMT actions within SCCM

In the screenshot below, you will clearly see that my account's token size is way too big (9418) :

While the SCCMAMT account's token size is (2577) :

 

After logging in with the SCCMAMT account, check OOBConsole.log at <ConfigMgrInstallationPath>\AdminUI\AdminUILog . You will see that it at least succeeds in connecting to the AMT/vPro device :

[9/08/2011 9:39:43] :GetAMTPowerState success with 2.
[9/08/2011 9:39:53] :GetAMTPowerState success with 2.
[9/08/2011 9:39:58] :Open SOL connection…
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession2 with user = VVM\sccmamt fail with result:0x20, description:Failed to Establish TLS Connection
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession fail with result:0x00000020.
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession2 with user = VVM\sccmamt fail with result:0x20, description:Failed to Establish TLS Connection
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession fail with result:0x00000020.
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession2 with user = VVM\sccmamt fail with result:0x20, description:Failed to Establish TLS Connection
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession fail with result:0x00000020.
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession2 with user = VVM\sccmamt fail with result:0x20, description:Failed to Establish TLS Connection
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession fail with result:0x00000020.
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession2 with user = VVM\sccmamt fail with result:0x20, description:Failed to Establish TLS Connection
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession fail with result:0x00000020.
[9/08/2011 9:39:59] :status message Type:Audit, ID:0x00000000C000766A, User:VVM\sccmamt, Machine: xxxx, Target: xxxxx add to queue, waiting for report.
[9/08/2011 9:40:01] :Closing SOL terminal…
[9/08/2011 9:40:01] :SOL terminal closed
[9/08/2011 9:40:02] :GetAMTPowerState success with 2.
[9/08/2011 9:40:12] :GetAMTPowerState success with 2.
[9/08/2011 9:40:21] :GetAMTPowerState success with 2.
[9/08/2011 9:40:31] :GetAMTPowerState success with 2.
[9/08/2011 9:40:40] :GetAMTPowerState success with 2.
[9/08/2011 9:40:50] :GetAMTPowerState success with 2.
[9/08/2011 9:40:59] :GetAMTPowerState success with 2.
[9/08/2011 9:41:08] :GetAMTPowerState success with 2.

You will see that you can connect to the AMT/vPro chipset, but you still aren't able to connect to the BIOS with a SOL / IDE connection, which fails with the message “IMR_SOLOpenTCPSession fail with result:0x00000020”.

I will explain the fix for this error in SCCM Out of Band Management Troubleshooting (Part2), which is under construction.

Hope it Helps ,

Kenny Buntinx

Step by Step guide for provisioning Intel VPro clients in SCCM 2007 SP2 Part 4

1:05 pm in AMT, ConfigMgr, ConfigMgr 2007, ConfigMgr 2007 R2, ConfigMgr SP2, ConfigMgr2007 R3, Installation, Intel, OOB, out of band management, sccm, SCCM 2007, SCCM 2007 R2, SCCM 2007 R3, SCCM 2007 SP2, sccm2007, Vpro by Kenny Buntinx [MVP]

This is my last post in the series “Step by Step guide for provisioning Intel VPro clients in SCCM 2007 SP2”.

In my previous post I have talked about importing the 3rd Party Remote Configuration Certificate on the OOB Service Point (In this example we will use a certificate from GoDaddy ) to provision Intel vPro technology based systems in SCCM at http://scug.be/blogs/sccm/archive/2010/05/06/step-by-step-guide-for-provisioning-intel-vpro-clients-in-sccm-2007-sp2-part-3.aspx

In my previous posts I talked about what is OOB, OOB requirements and little bit about the necessary certificates. In this post I will talk about internal PKI infrastructure and how to configure OOB management point within SCCM. ConfigMgr 2007 SP2 uses four types of certificates for Out Of Band Management. These four different certificates are:

  • AMT Self Signed certificate – IntelAMT will generate a self-signed certificate during the PKI provisioning process to secure the connection with the ConfigMgr 2007 Server.
  • AMT provisioning certificate – This certificate is used by ConfigMgr 2007 to provision Intel AMT devices. The most simple and automated method for provisioning is the process of purchasing this certificate from a third-party provider (VeriSign, GoDaddy, Comodo, or Starfield). This certificate will need to be installed on each OOB Service Point in the environment.
  • Web server certificate -This certificate is generated by an internal Enterprise Certificate Authority during the provisioning process and installed on each AMT device within the firmware. This will allow for a TLS management session between the ConfigMgr 2007 OOB Management console and the AMT firmware.
  • 802.1x RADIUS Certificate – Optional certificate that allows the Intel AMT client to securely authenticate to an 802.1x network without the operating system being present.

 

In our case, you will need an internal Certificate Authority and two certificates :

AMT provisioning certificate – in this case the GoDaddy certificate: request, install and prepare the AMT remote configuration certificate (already done in the previous blog post)

Web server certificate – this certificate is requested by the primary site server on behalf of AMT-based computers and then installed in the AMT firmware in the computers

 

To prepare the Web server certificate, see the steps below :

 

1. Open your issuing PKI Certificate Authority server –> Click Start > All Programs > Administrative Tools > Certification Authority

2. Right Click on Certificate Templates > Manage

3. In the Certificate Templates Console Window, right click on Web Server and select Duplicate Template

4. In the Duplicate Template Window, select the radio button for Windows 2003 Server, Enterprise Edition and Click OK


 

5. In the Properties of New Template window, enter ConfigMgr AMT Web Server Certificate

6. Check the Box to Publish certificate in Active Directory

7. Proceed to next step to set the security rights on this template.


8. Select the Security Tab and click Add

9. Select the ConfigMgr 2007 primary site servers computer group and Click OK

10. With the ConfigMgr Primary Site Servers group highlighted, check Read and Enroll , Click OK

11. Close the Certificate Templates Console


 

12. In the Certification Authority Window, right-click on Certificate Templates > New > Certificate Template to Issue

13. In the Enable Certificate Templates Window, select ConfigMgr AMT Web Server Certificate (this template was created in the previous step)

14. Click OK


 

15. In the Certification Authority Window, you will now see ConfigMgr AMT Web Server Certificate listed in the right hand Window and ready for use by the Out of Band Service Point

Note: This Web Server Template will be used by ConfigMgr 2007 SP2 to generate a unique certificate for each Intel AMT system during the provisioning process, and that certificate is used for the TLS session during management of the Intel AMT client.

 

How to Configure OOB service in SCCM

 

Once you have your exported *.pfx certificate, we will import it into the SCCM out of band management properties box. Now that you have configured all certificates and permissions and have a certificate private key, we are going to configure the OOB management point.

1. Open SCCM console -> Site Settings -> Component Configuration -> Out Of Band Service Point

 

 

2. Create an extra OU in Active Directory where SCCM creates the AMT computer objects. Make sure the ConfigMgr Primary Site Server has permissions on that container to create those objects!

3. Configure the MEBx password that SCCM uses to connect to AMT-based computers. By default this password is admin but you can change this later on.

4. You could select “Allow out of band provisioning” and “Register ProvisionServer as an alias in DNS”, but this is not necessary if you are only going to provision in-band (through the SCCM client).

5. Configure the provisioning certificate. Here you have to import that *.PFX file and enter your previously configured password.

6. Configure your web certificate template. Here you have to select your internal PKI CA and select your ConfigMgr AMT Web Server Certificate.

You can configure all the other tabs to your own taste.

You will find a good document from Intel with all the steps at www.intel.com/en_US/Assets/PDF/…/cg_MicrosoftConfigMgr_vPro.pdf

Hope it Helps ,

 

Kenny Buntinx

Intel AMT Vpro KVM Configmgr plugin doesn’t work out of the box

12:49 pm in AMT, ConfigMgr, ConfigMgr 2007, ConfigMgr 2007 R2, ConfigMgr SP2, ConfigMgr2007 R3, Intel, out of band management, sccm, sccm2007, Vpro by Kenny Buntinx [MVP]

In my previous blog post “SCCM 2007 : Intel AMT–VPRO KVM add-on for SCCM 2007”, I wrote that Intel had released a KVM (version 6 or higher) plugin for Configmgr 2007.

I was experiencing issues with the Intel vPro KVM Configmgr plugin. It seems that the extensions are not installed correctly by Intel. After installing the plugin, I opened up the console and it didn't show me any Intel vPro options as shown in the picture below.

 

If you launch the KVM tool manually , it works perfectly. However in the console I don’t see any right click action as shown in the above screenshot.

When I looked a little closer, I saw that the default SCCM admin console is installed in the default path “C:\Program files\Microsoft Configuration Manager Console\”, while Intel's setup seems to create the path “C:\Program files\Microsoft Configuration Manager\” (missing the “Console” part), which contains the extensions XML file called “IntelVproExt.XML”.

Also, if you didn't stick to the default install paths, you will have the same issue.

 

Solution:

Copy the folder structure from “C:\Program files\Microsoft Configuration Manager\” to “C:\Program files\Microsoft Configuration Manager Console\” . Now you will have the option in the console .

 

Hope it helps

Kenny Buntinx

Windows 7 OSD deployment (SCCM or MDT ) and starting with a patched media = More secure & Saves time !

9:03 am in ConfigMgr, ConfigMgr 2007, ConfigMgr 2007 R2, ConfigMgr 2012, ConfigMgr SP2, ConfigMgr V.next, configmgr2007, ConfigMgr2007 R3, Deployment, DISM, OSD, sccm, SCCM 2007, SCCM 2007 R2, SCCM 2007 R3, SCCM 2007 SP2, SCCM 2012, SCCM v.Next, sccm2007, WAIK, Windows 7, Windows 7 SP1, Windows7 by Kenny Buntinx [MVP]

1. Download your patches to a folder

You could always download the patches from the following link http://catalog.update.microsoft.com/v7/site/Install.aspx?referringpage=Home.aspx and save them to a local folder or automate it by the following process :

  • First step will be to install a clean Windows 7 machine without any application . After that process we will run wuauclt /detectnow and install all available updates . You will need to reboot a few times and rerun the wuauclt /detectnow to allow all patches to be installed properly

  • Then run the procedure below for WSUS patch extraction :

Go to C:\windows and open windowsupdate.log in excel. Delimit the file by Tab and space

Run the auto-filter and filter on “Downloading” in column “G”

Select all rows in column “I” and copy the table. Go to new sheet and paste in this in column “B”

We select column “B” and select Data -> Text to Columns and delimit by ‘/’. Now we remove columns “B, C, D and E”

Go back to the sheet where you imported the “Windowsupdate.log”, select all rows in column “K” and copy the column. Go to the new sheet and paste in column “D”

We select column “K” and select Data -> Text to Columns and delimit by ‘\’. Now we remove columns “D, E, F, G and H”

Paste the following formula in column “A” “="Copy H:\" & B2 & "\" & C2 & " c:\Patches\" & D2”

Drag the formula to below , select column A , select all and copy it

Open notepad , paste the text and save as “getpatch.cmd”

Map your drive H: to \\yourwsusserver\WsusContent and run “getpatch.cmd”

Copy your downloaded patches to the location you need them
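The spreadsheet steps above can also be scripted. The following is an added example, not part of the original post: it builds the same copy commands straight from the log lines. The function name Get-WsusCopyCommand is hypothetical, the shape of the “Downloading from … to …” line is an assumption, and the sample lines (server name, hashes, KB numbers) are constructed.

```powershell
# Added example, not the author's procedure. Produces the lines that the
# Excel formula builds for getpatch.cmd.
function Get-WsusCopyCommand {
    param(
        [string[]]$LogLines,
        [string]$WsusDrive = 'H:',        # mapped to \\yourwsusserver\WsusContent
        [string]$Target    = 'C:\Patches'
    )

    $seen = @{}
    foreach ($line in $LogLines) {
        # Assumed shape: "... Downloading from <url> to <local path> (full file)."
        if ($line -notmatch 'Downloading from\s+(\S+)\s+to\s+(\S+)') { continue }
        $url   = $Matches[1]
        $local = $Matches[2].TrimEnd('.')

        # Accept only WSUS content URLs: .../Content/<2 hex chars>/<file>
        if ($url -notmatch '^https?://[^/]+/Content/([0-9A-Fa-f]{2})/([\w.\-]+)$') { continue }
        $folder = $Matches[1]
        $file   = $Matches[2]

        # The log text ends up in a .cmd file that gets executed, so allow
        # only plain file-name characters in the target name.
        $name = Split-Path -Path $local -Leaf
        if ($name -notmatch '^[\w.\-]+$') { continue }

        # Emit each source file once
        $source = "$WsusDrive\$folder\$file"
        if ($seen.ContainsKey($source)) { continue }
        $seen[$source] = $true

        'copy "{0}" "{1}\{2}"' -f $source, $Target, $name
    }
}

# Constructed sample lines: two WSUS downloads (one logged twice), one
# download that did not come from WSUS, and one unrelated line.
$sample = @(
    '2011-06-01 09:14:02:311  904 1a4c DnldMgr   * Downloading from http://wsus01:8530/Content/3F/0123456789ABCDEF0123456789ABCDEF0123453F.cab to C:\Windows\SoftwareDistribution\Download\8a1b\windows6.1-kb0000001-x64.cab (full file).'
    '2011-06-01 09:14:05:120  904 1a4c DnldMgr   * Downloading from http://wsus01:8530/Content/3F/0123456789ABCDEF0123456789ABCDEF0123453F.cab to C:\Windows\SoftwareDistribution\Download\8a1b\windows6.1-kb0000001-x64.cab (full file).'
    '2011-06-01 09:15:40:002  904 1a4c DnldMgr   * Downloading from http://wsus01:8530/Content/A7/FEDCBA9876543210FEDCBA9876543210FEDCBAA7.cab to C:\Windows\SoftwareDistribution\Download\77c2\windows6.1-kb0000002-x64.cab (full file).'
    '2011-06-01 09:16:11:450  904 1a4c DnldMgr   * Downloading from http://download.example.com/msdownload/update/some.cab to C:\Windows\SoftwareDistribution\Download\91d0\other.cab (full file).'
    '2011-06-01 09:16:12:000  904 1a4c Agent     * Found 2 updates and 60 categories in search'
)

$commands = Get-WsusCopyCommand -LogLines $sample
$commands

# On the reference machine, read the real log and write the command file:
#   Get-WsusCopyCommand -LogLines (Get-Content C:\Windows\WindowsUpdate.log) |
#       Set-Content -Path .\getpatch.cmd -Encoding ASCII
```

With the sample lines this prints two copy commands, one for each distinct WSUS content file.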

 

2. Applying the offline patches to the windows 7 media

 

Open up a WINPE command prompt via the WAIK.

Run the following commands in the following sequence .

Dism /Mount-Wim /Wimfile:"F:\DISM\Windows 7 Enterprise SP1 Eng X64 Source\sources\install.wim" /index:1 /Mountdir:F:\DISM\temp


Dism /image:F:\DISM\temp /add-package /packagepath:F:\DISM\Patches

(where the Patches folder contains your downloaded CBS Windows patches)


dism /commit-WIM /Mountdir:F:\DISM\temp


dism /unmount-WIM /commit /Mountdir:F:\DISM\temp


 

3. What if you get an error applying the offline patches?

 

It can happen that there are patches that cannot be applied offline. When that happens, you will get the following error as shown below in the screenshot. In this case KB2533552. Do not worry, the process does not need to run again.

However, please note all patches that couldn’t be applied, so you could keep track of them for later deployment .


To see what is really going on and to verify this is a patch that cannot be applied offline , you should open the DISM.log file and search for the specific update as shown below in the screenshot.


When you look closer at the screenshot, you will see the message “Cannot perform offline servicing with an online-only package “, meaning this patch is not a CBS update and needs to be applied online.

You could always check the update on the following link http://catalog.update.microsoft.com/v7/site/Install.aspx?referringpage=Home.aspx

 

4. Import the image in SCCM or MDT

 

After this process you need to import the source content in SCCM. When done start adding it to the distribution points and wait until it is replicated, preferably with a good naming convention.

After importing the image in SCCM, add it to the DP’s and check if the image is replicated correctly on all selected DP’s.

When it’s done, change the media in the task sequence to use the new patched media. This will allow you to minimize staging downtime.

 

Now you are running from the start with a patched offline media , meaning less deployment time and being more secure when deploying your machines !

 

Hope it Helps ,

 

Kenny Buntinx