You are browsing the archive for WES2009.

ConfigMgr 2012 SP1 Beta : Skipping Client prerequisites in the OSD “Setup windows and install Configmgr client” step.

6:22 pm in CM12, ConfigMgr 2012, ConfigMgr 2012 SP1, Operating System Deployment, OSD, SCCM 2012, SCCM 2012 SP1, System Center, WES, WES 2009, WES2009 by Kenny Buntinx [MVP]

 

Hi guys ,

Working for a customer on managing WES 2009 Clients with Configmgr 2012 sp1 in TAP. On of the requirements by the customer was not to install Silverlight 5.0 or .net 4.0 onto the WES2009 Device as they did not manage or support their core image.

The client prerequisites documentation can be found here on technet http://technet.microsoft.com/en-us/library/gg682042.aspx .

Silverlight is not required, Software Center and Software Catalog are the only things that need it.  You can specify a commandline switch on ccmsetup to not install Silverlight.  Example: CCMSetup.exe /skipprereq: silverlight.exe but that only works to client push or manual install in RTM

If my base image has .net 2.x installed and I don’t want install .net 3.0/3.5/4.0 because of lack of disk space – (image being build by another company and no possibility to adjust ) and app compatibility on the embedded, how can I use the */skipprereq* on the OSD “Setup windows and install Configmgr client” step ?

GOOD NEWS ! They fixed that in SP1 . Now you are able to pass that “/SKIPPREREQ” parameter in your  OSD “Setup windows and install Configmgr client” step .

Hope it Helps ,

Kenny Buntinx

Forefront Endpoint Protection 2010 : Update Rollup 1 available for download

7:29 pm in ConfigMgr, ConfigMgr 2007, ConfigMgr 2007 R2, ConfigMgr 2012, ConfigMgr SP2, configmgr2007, ConfigMgr2007 R3, embedded, FEP, FEP2010, Installation, SCCM 2007, SCCM 2007 R2, SCCM 2007 R3, SCCM 2007 SP2, SCCM 2012, WES2009 by Kenny Buntinx [MVP]

Update Rollup 1 for Microsoft Forefront Endpoint Protection 2010 introduces new features and updates. These new features and updates are summarized below.

The following list is a summary of the updates in FEP Update Rollup 1 for server functionality.

Finally the Forefront team came up with a solution that since the release of the product they really missed .The following Microsoft website explains how to auto deploy forefront client security definition in a step-by-step guide. aka http://technet.microsoft.com/en-us/library/dd185652.aspx

In this step-by-step guide, they essentially go into the WSUS Console to create an Auto-Acceptance rule. First of all this should make any ConfigMgr admin shiver, as it should have been drilled into your head that you are supposed to do software updates management from the ConfigMgr administrator console. Now, I and many other SCCM admins have never understood why they didn’t solve that in a more elegant manner. The solution works, however has a couple of major drawbacks.

Additionally in a multi distribution point environment, the actual definition updates will always come from the Software update point, whereas normal software updates come from the distribution points. In other words, this impacts scale quite a bit, and forefront definitions come out at a very frequent pace meaning they are hitting you software update point harder than anything else.

The main problem, is that in SCCM 2007 we have no "easy" way to create an Auto-Approval rule. This will be solved in CM12 , until then , for the CM07 they will fix that mistake by update rollup 1. Soon I will launch a blog post to see if this is a real workable solution. So now you will have with Update Rollup 1 a tool that facilitates the use of the Configuration Manager software updates functionality to download FEP definition updates and make them available to client computers running the FEP client software.

In order to use the software updates feature for definition updates, you must perform the following high-level steps:

    • Download and install the Update Rollup 1 package.
    • Configure software updates to download definitions for FEP.
    • Configure the package by which the definition updates will be distributed, and configure the distribution settings for it.
    • Install and configure the FEP Software Update Automation tool.

 

  1. Addition of support for the FEP client software for Windows Embedded 7 and Windows Server 2008 Server Core. For more information on the added client support, see Prerequisites for Deploying Forefront Endpoint Protection on a Client
  2. The following list is a summary of the updates to FEP policies included with Update Rollup 1.
  • Update Rollup 1 for FEP 2010 adds a new FEP policy option to configure definition updates for FEP client computers. After installing Update Rollup 1 for FEP, you can configure FEP policies to update definitions from a Configuration Manager software update point.

    To configure FEP policies to update definitions from a Configuration Manager software update point

    • When you create a new FEP policy or edit an existing FEP policy, the new definition update options appears as follows:

      • When creating a new FEP policy, in the New Policy Wizard, on the Updates page, select the check box for Enable updates from Configuration Manager.
      • When editing an existing FEP policy in a Configuration Manager console that on which you installed the Update Rollup 1 for FEP, in the properties for a FEP policy, on the Updates tab, select the check box for Use Configuration Manager as primary source for definition updates.
  • Addition of two new preconfigured policy templates for the following server workloads:

    • Microsoft Forefront Threat Management Gateway
    • Microsoft Lync 2010

 

You will find the Forefront Endpoint Protection 2010  Update Rollup 1to download at the following location : http://www.microsoft.com/download/en/details.aspx?id=26583

 

Hope it Helps ,

 

Kenny Buntinx

SCCM OSD Deployment : The IIS Admin service is not starting anymore on a deployed sysprepped Windows Embedded 2009 with IIS 6.0 installed

12:44 pm in ConfigMgr, ConfigMgr 2007, ConfigMgr 2007 R2, ConfigMgr SP2, configmgr2007, IIS, Installation, Known Issue, OSD, sccm, SCCM 2007, SCCM 2007 R2, SCCM 2007 SP2, sccm2007, script, WES, WES 2009, WES2009, XPe by Kenny Buntinx [MVP]

Lately I have been busy with testing & deploying for a big project some Windows Embedded 2009 devices , called the Advantech ARK –1388 .One requirement from the customer was to have IIS 6.0 installed.We decided to include the IIS 6.0 component into the WES 2009 image with Target builder  ( witch is a tool for building the WES image ), but every time we deployed an image after it had been sysprepped with SCCM, the IIS Admin service would fail to start .

Because this needed to be deployed onto three thousand (3000) WES devices , we contacted Microsoft PSS support for some help. Below you will find our findings and workaround for the issue .

Our problem :

We installed a Windows Embedded 2009 image with IIS 6.0 on a Advantech ARK-1388 and it is running fine.The OS is prepared for system cloning using the sysprep.exe tool ( supported since WES 2009 ).

When we reapplied the master image  with SCCM R2 SP2 and mini-setup was completed, the OS seems to run fine, however the "IIS Admin" service does not start and returns the following error:
"Windows could not start the IIS Admin on Local Computer. For more information, review the System Event Log. If this is a non-Microsoft service, contact the service vendor, and refer to service-specific error code -2146893818."

There are no related errors in the Event Logs. IIS cannot be repair-installed using the Add/Remove Programs component of the Control panel.( this was done to see if we could automate a self –repair )

We would like to deploy the WES image using the OSD feature of SCCM 2007 R2 ,but the problem also occurs when customer calls sysprep.exe manually without the usage of SCCM. ( that’s what we thought , SCCM always works great !! :-) )

 

Our environment :

We have a Windows Embedded 2009 image with IIS 6.0
We have a SCCM 2007 R2 SP2 environment

 

The summary of our troubleshooting :

1. Microsoft CSS discussed with the WES and SCCM teams if WES2009 is supported on SCCM 2007 R2. After a discussion they have modified there statement on the web , see http://blogs.technet.com/configmgrteam/archive/2010/01/25/things-you-need-to-know-when-using-windows-embedded-standard-2009.aspx

2. the proposed workarounds from Microsoft (re-installing MSDTC and IIS) from the " WES Resource Kit" didn’t solve the problem.

3. We checked the FBWF status on the sysprepped image. It was still disabled as it should .

4. Microsoft spoke with the IIS team about the issue. Discussion results:
  a) It’s a known problem that IIS doesn’t work after sysprepping the image because of the changes made by sysprep.
  b) Using sysprep on XP Pro is not supported, see KB326779 "Supported IIS configurations for use with Sysprep"
  c) The only supported solution is to install IIS after the sysprep phase. On XP Pro PCs you can run an unattended IIS installation
     using the Sysocmgr command (which can add or remove Windows Components). E.g. as described in
     KB309506 "How To Perform an Unattended Installation of IIS 6.0"
     Here is the catch !! : Unfortunately Sysocmgr.exe is not shipped with the XPe database ===> meaning that it is impossible to install IIS 6.0 after we have deployed our WES 2009 client !

5. As discussed with Microsoft and the IIS team I tried to "repair" the IIS Admin service after the final sysprep boot by using SysOCmgr.We have copied the missing sysocmgr.exe from an XP Pro SP3 PC and I’ve had to insert an XP Pro SP3 CD into the CD drive for the missing files.We don’t believe this workaround can be used by my customer (legal and technical issues).

6. For a test we have used fbreseal instead of sysprep. The IIS Admin service was running after fbreseal.But as I know deployment via SCCM 2007 OSD requires the usage of sysprep and fbreseal cannot be used in this scenario.

 

Our Solution :

Together with the WES product team & Microsoft PSS support we found an easy workaround to get the "IIS Admin" service running again on the sysprepped WES 2009 image.
The workaround switched off the IIS components in the registry and called the FBAOC.exe tool to re-install IIS.It solved the problem on our test devices.

Here’re the details about this workaround:

1. It doesn’t need the XP Pro SP3 CD.
2. It doesn’t need any file from an XP Pro SP3 PC (like sysocmgr.exe).
3. It doesn’t need to collect any IIS files into a special installation location.

The workaround is just:

1. Uses your original SLX file and WES 2009 image which uses the FBOCMgr phase 5550 for the IIS components.
   It means you can run the workaround on your original sysprep-ed images.
2. Changes some IIS registry settings used by the OS to install IIS.
3. Uses a WES-specific command (FBAOC.exe) which is part of your original SLX file and image.
4. Step 2-3 can be executed by the attached files:

  a) MyIIS-Off.reg      for changing the registry

*********************************CODE BEGIN**********************************

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents]
"iis_common"=dword:00000000
"iis_inetmgr"=dword:00000000
"iis_www"=dword:00000000
"iis_www_vdir_scripts"=dword:00000000
"iis_www_vdir_printers"=dword:00000000
"iis_doc"=dword:00000000
"iis_ftp"=dword:00000000

*********************************CODE ENDS**********************************


  b) MyIISinstall.bat   runs the workaround (by using MyIIS-Off.reg)

*********************************CODE BEGIN**********************************

@echo off

echo Changing registry settings…
regedt32 /s \MyIIS-Off.reg

echo Enabling IIS features…
\windows\FBA\FBAoc.exe

echo Done.

*********************************CODE ENDS**********************************

Pls. put the files in the C:\ root folder on your sysprep-ed WES 2009 image and call the MyIISinstall.bat file from a command line.

When running properly the batch file will run for 1-2 minutes and it’ll display 3 output lines:
        Changing registry settings…
        Enabling IIS features…
        Done.

Afterwards the "IIS Admin" service should be running.

So this scenario is not supported on XP Pro. But this workaround is supported.
This is a known problem/limitation on XP Pro. The same problem occurs on WES installations because WES uses exact the same XP Pro binaries.

 

Hope it Helps ,

 

Kenny Buntinx