
Solving the What’s new puzzles in ConfigMgr tech preview

11:40 am in ConfigMgr, Console Extension, Intune, RBA, SCCM by The WMI guy

Howdy y'all,

First of all, for people that don't follow my @thewmiguy twitter handle yet, shame on you. For those that do, you might have noticed that Jorgen (@ccmexec) and I fought a fierce battle last week over who could finish the most of the different What's new scenarios in the latest ConfigMgr tech preview.

****** Spoiler alert *******

I beat him to it, but it was a photo finish kind of thing.

******End of spoiler alert *****

Now, both Jorgen and 2 other people that'll remain unnamed specifically inquired about how I finished the VPP scenario, or the app configuration scenario for that matter, as they couldn't figure out how to do that. The reason they couldn't, and my competitive advantage over Jorgen, was that the tech preview lacked certain security roles that come along with these objects to allow you to access them.

Given my knowledge of AdminUI extensions I found this out by looking through the XMLs that define the AdminUI, as well as through adminui.consolebuilder.exe. Both showed me that the UI nodes for these features were protected by security roles that didn't exist. So the first thing I did was remove the permission requirement using adminui.consolebuilder.exe. Now, that's not the cleanest way to handle things, as it means everybody gets to see these nodes, even people that have no business with them whatsoever. But hey, I was in a race against the clock, so the gloves were off. After finishing the scenarios and posting the results, I figured out a cleaner way of getting the items lit up. In essence, all you have to do is create the security role operations, and below you'll find the SQL code to do just that.

Warning: modifying the SQL database is still a big no-no in production. As this issue only exists in Tech Preview 1601, you should be fine. You still might want to take a backup of your lab, as this only comes with the guarantee that there is absolutely no guarantee. Proceed at your own risk, refrigerators in close proximity to your site server might blow up, etc…


INSERT INTO [dbo].[RBAC_RoleOperations]
VALUES (N'SMS0001R', 73, 810550295),
       (N'SMS0002R', 73, 268435457),
       (N'SMS0007R', 73, 809500689),
       (N'SMS0008R', 73, 1048577),
       (N'SMS0009R', 73, 810550295),
       (N'SMS000ER', 73, 810550295),
       (N'SMS0001R', 74, 1049623),
       (N'SMS000ER', 74, 1049623);

After executing the SQL insert statement above you should be greeted by the following additional entries in your Software Library workspace.
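The insert above is not idempotent: running it twice, or running it on a lab where some of the rows already exist, fails or duplicates rows. As an added example (my own code, not the author's), here is the same change wrapped in a check-first, apply-only-what-is-missing script. It assumes Invoke-Sqlcmd from the SqlServer (or older SQLPS) module, placeholder server and database names, and that RBAC_RoleOperations has exactly the three columns the post's INSERT targets, in that order. The EXCEPT comparison is positional, so no real column names are assumed; if the table turns out to have a different shape the batch fails loudly instead of inserting anything.

```powershell
# Added example, not from the original post. Reports which of the tech-preview role
# operations are missing from the site database and, with -Apply, inserts only those.
param(
    [string]$ServerInstance = 'CM-SQL01',   # placeholder: your site database server
    [string]$Database       = 'CM_TP1',     # placeholder: your site database name
    [switch]$Apply                           # without -Apply nothing is written
)

# The rows from the post as (RoleID, ObjectTypeID, Operation) tuples.
$rows = @(
    @('SMS0001R', 73, 810550295), @('SMS0002R', 73, 268435457),
    @('SMS0007R', 73, 809500689), @('SMS0008R', 73, 1048577),
    @('SMS0009R', 73, 810550295), @('SMS000ER', 73, 810550295),
    @('SMS0001R', 74, 1049623),   @('SMS000ER', 74, 1049623)
)
$valueList = ($rows | ForEach-Object { "(N'$($_[0])', $($_[1]), $($_[2]))" }) -join ",`n    "

# Stage the wanted rows in a table variable (column names here are mine, not the
# site database's) and diff them positionally against the real table.
$stage = @"
DECLARE @wanted TABLE (RoleID nvarchar(8), ObjectTypeID int, Operation int);
INSERT INTO @wanted VALUES
    $valueList;
"@

$checkQuery = $stage + @"
SELECT * FROM @wanted
EXCEPT
SELECT * FROM [dbo].[RBAC_RoleOperations];
"@

$missing = @(Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $checkQuery)
if ($missing.Count -eq 0) {
    Write-Output 'All role operations are already present; nothing to do.'
    return
}
Write-Output "Missing role operations ($($missing.Count)):"
$missing | Format-Table RoleID, ObjectTypeID, Operation -AutoSize | Out-String | Write-Output

if (-not $Apply) {
    Write-Output 'Dry run. Re-run with -Apply to insert the rows above.'
    return
}

# Apply inside a transaction; XACT_ABORT rolls everything back on any error.
$applyQuery = "SET XACT_ABORT ON;`nBEGIN TRANSACTION;`n" + $stage + @"
INSERT INTO [dbo].[RBAC_RoleOperations]
SELECT * FROM @wanted
EXCEPT
SELECT * FROM [dbo].[RBAC_RoleOperations];
COMMIT TRANSACTION;
"@
Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $applyQuery
Write-Output "Inserted $($missing.Count) role operation row(s)."
```

Run it once without -Apply to see what would change, take the lab backup the post recommends, then run it with -Apply. Because only role operations are added, and nothing in the console definition is loosened, the nodes become visible only to members of the listed roles, which is the least-privilege outcome the post is after.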


Enjoy.
"The M in WMI stands for Magic"
"Everyone is an expert at something" Kim Oppalfens - ConfigMgr Expert for lack of any other expertise
System Center Configuration Manager MVP
http://www.scug.be/thewmiguy/default.aspx

http://www.linkedin.com/in/kimoppalfens

http://twitter.com/thewmiguy

Serious Windows 7 32bit software update problem

3:17 pm in ConfigMgr, SCCM by The WMI guy

Hi All,

A growing number of customers is contacting us about the issue described below on their Windows 7 32-bit machines. I don't often ask people to distribute my blog information further, but quite a few customers should probably be warned about this issue.

Problem description

An issue exists at present where Windows 7 32-bit machines will reply compliant/installed on any software update they scan for, even the ones that aren't installed.

I have customers reporting updates failing to install because of this, and one where Cumulative Updates for ConfigMgr started reporting compliant without them creating a deployment for the updated client.

The problem can be seen at the client side in WindowsUpdate.log. When your log contains the following text:

GetWARNING: ISusInternal::GetUpdateMetadata2 failed, hr=8007000E

You're probably another victim of this terrible issue. The concern here is that a lot of environments might be unaware they have this issue, as nothing will point it out when looking at things centrally from the Admin UI. Clients will just report compliant on all their software update deployments.

Identifying the problem in your environment

The easiest way I could come up with to identify this problem in your environment is to create a configuration item to detect it. To do this:

  1. Create a script configuration item.

  2. Select All Windows 7 32-bit as the supported platform.

  3. Use String as the data type.

  4. Choose PowerShell as your script language of choice.

  5. Paste the following text in the discovery script:

     Select-String -Pattern 'GetWARNING: ISusInternal::GetUpdateMetadata2 failed, hr=8007000E' -Path "$env:windir\windowsupdate.log"

  6. Add the configuration item to a configuration baseline.

  7. Deploy the configuration baseline to All Windows 7 32-bit machines.

  8. The report "List of assets by compliance state for a given baseline" is a good report to check the results.

  9. !!!! Any machines reporting compliant to this baseline have a serious issue, as they won't install any software updates yet report compliant on all of them !!!!
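The one-liner in step 5 returns raw Select-String output, which is why step 9 has to warn that "compliant" means "broken". As an added example (my own code, not the post's), the discovery script below returns an explicit state instead, and treats a missing log as its own finding rather than as a clean client. It assumes only the Windows 7 default log location under $env:windir; the marker text is the one from the post.

```powershell
# Added example, not from the original post: CI discovery script returning a single
# string so the compliance rule can be "Value equals NotAffected".
$pattern = 'ISusInternal::GetUpdateMetadata2 failed, hr=8007000E'   # marker from the post
$logPath = Join-Path $env:windir 'WindowsUpdate.log'                # Windows 7 default location

function Get-WuMetadataFailureState {
    param([string]$Path, [string]$Pattern)

    # A client without a WindowsUpdate.log has not scanned at all; report that
    # separately instead of letting it pass as healthy.
    if (-not (Test-Path -LiteralPath $Path)) { return 'LogMissing' }

    # -SimpleMatch treats '::' and '=' literally (no regex), -Quiet yields $true/$false
    # instead of MatchInfo objects, so the script's output is exactly one value.
    $hit = Select-String -Path $Path -Pattern $Pattern -SimpleMatch -Quiet
    if ($hit) { return 'Affected' }
    return 'NotAffected'
}

Get-WuMetadataFailureState -Path $logPath -Pattern $pattern
```

With the compliance rule set to "Value equals NotAffected", the affected machines show up as non-compliant, and the LogMissing clients show up as non-compliant too, so the baseline report reads the way an operator expects. Clients that have been broken for a while still carry the marker in the log, so the result is sticky until the workaround below has been applied and the log has rolled over.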

Possible workarounds

  1. Decline unneeded updates within the WSUS server (declined updates do not get offered to clients during scans).

      1. Unneeded updates include superseded updates, updates for products and/or classifications that are not present in the client environment, and expired updates.

      2. You can manually decline the updates within the WSUS console or use a script method. NOTE: always back up the WSUS database (SUSDB) prior to performing any changes like this.

      3. After declining unneeded updates, re-index the SUSDB and run the WSUS Server Cleanup Wizard:
         https://gallery.technet.microsoft.com/ScriptCenter/6f8cde49-5c52-4abd-9820-f1d270ddea61/
         https://technet.microsoft.com/en-us/library/dd939856(v=ws.10).aspx

  2. Set user VA to 3072 MB: bcdedit /set IncreaseUserVA 3072

      1. This will free up another GB of memory in user space.

      2. This does require a restart of the machine.

      3. It's possible some machines or applications may have problems when this setting is enabled.

  3. Move wuauserv to its own svchost instance by running the following commands in an elevated command prompt:

      1. net stop wuauserv

      2. sc config wuauserv type= own

      3. net start wuauserv

More details:

You can find the nitty-gritty details and soulmates in this forum post.

https://social.technet.microsoft.com/Forums/en-US/cf8fbe28-714d-49d3-b2ce-5cc5f6f79c63/some-clients-not-updating-reporting-compliant-hr8007000e-error-in-windowsupdatelog?forum=configmanagersecurity


Enjoy.
"The M in WMI stands for Magic"
"Everyone is an expert at something" Kim Oppalfens - ConfigMgr Expert for lack of any other expertise
System Center Configuration Manager MVP
http://www.scug.be/blogs/sccm/default.aspx

http://www.linkedin.com/in/kimoppalfens

http://twitter.com/thewmiguy

The future of Configuration Manager / Microsoft Intune – my personal view

7:17 pm in ConfigMgr, Intune, SCCM by The WMI guy

Hi All,

This is a blog post that is long overdue on my part, as I've been wanting to write this for a long time. I will however start off with a "disclaimer" on this one. These are my personal views, and although I've been awarded the Enterprise Client Management MVP for 10 years, or a decade if you will, none of this is based on inside information I've received from the product group.

Current State of affairs


Intune Standalone


Intune standalone tends to receive new features first; Microsoft has a Cloud First and Mobile First strategy. Microsoft Intune, which as I'll attest in this post is largely a mobile device management solution, seems a natural fit for that. A couple of important things are happening for Intune: significant changes are going on around protecting the data with EMS, including Rights Management, and multi-factor authentication being added. Combined with an alignment of the device management enrollment experience across the different mobile platforms, these are important steps for the future of Microsoft Intune. I still feel steps need to be taken to make managing the online identities easier; granted, the newly released Azure Active Directory sync services seem to be a good step in the right direction at that.

Hybrid Intune


Hybrid Intune, integrated into System Center Configuration Manager 2012 R2 usually receives features released for Intune Standalone some time after the standalone release. Some features follow quickly, some take a little more time.

Heavy Investments in Microsoft Intune explained


Clarification: the heavy investments go into extending its mobile capabilities


To be clear, a lot of the ConfigMgr administrators aren't particularly happy with how much investment goes to the "cloud", and what seems to be a fraction going to the "on-premise" stuff. Quite a couple of them seem to conclude that Microsoft is aiming at replacing Configuration Manager. When you look at the investments though, most if not all of these investments are being done in features related to mobile device management. In fact, quite a few companies that were on board with Windows Intune in the days it was still named that, and was originally geared as a systems management solution for SMB, are disappointed by the lack of progression made in that field in the last 3 years or so. Nothing new has been done for that market in a long, long time, yet this might add to the confusion, as the original Intune was seen as a replacement for System Center Essentials, whose development was stopped not so long before Windows Intune surfaced. In my view, Microsoft completely repurposed the Windows Intune infrastructure / architecture for mobile device management. They didn't go as far as to eliminate the workstation management features already in it, but other than sustaining the code I've yet to see huge improvements in that particular field. If they did happen, I definitely have missed them. So, yes, Microsoft has a cloud focus; however, as has been stated by Microsoft plenty of times, it's not Cloud Only, it's Cloud First. Which, to my point, was recently changed to Cloud First, Mobile First.

Mobile device market booming like crazy


The level of investment in the mobile device management market is largely because the mobile device market itself is booming like crazy. Again, some people seem to draw the conclusion that this means the end of the regular Windows market. Again, when you look at today's numbers, the regular Windows market is nothing shy of steady for the next 3 years according to the same predictions used by Brad Anderson in his post here: http://blogs.technet.com/b/in_the_cloud/archive/2014/06/17/success-with-enterprise-mobility-empowering-sccm-admins.aspx There's no huge increase in sales numbers, yet there's no significant decrease or collapse either. When looking at IDC's latest forecasts, which is the same source Microsoft used, the numbers are actually still increasing: http://www.idc.com/getdoc.jsp?containerId=prUS24314413. Fewer desktops, largely compensated by higher laptop sales, given that some of those tablets. With the success of the Surface Pro 3, part of that tablet market is in the category of regular Windows as well. The mobile device market on the other hand has a projected potential of becoming anywhere between 3 to 5 times the size of the regular Windows market. On top of that number-of-devices game, there is still a challenge in convincing quite a few businesses, or finding an offer that convinces them, that mobile device management is needed. I guess I am kicking in an open door when I say that systems management of mobile devices requires a vastly different feature set than that of managing non-mobile devices.

Systems management in mobile device market undergoing rapid changes as well


The other reason Intune is drawing in so many investments / is costing so much money is that the systems management field is offering management of multiple platforms, which increases the effort that has to be put in. And every new mobile OS comes with increased abilities for management that need to be supported. This, combined with the rapid pace at which new versions of mobile platforms are released, means you need a big team to keep up. In the past couple of years though, keeping up was far from enough for Microsoft. They were new in the market and had to play catch-up feature-wise big time. With the investments done in the past 2 to 3 years, and the release of EMS, Microsoft is finally closing the gap somewhat.

Requirements for Intune to take over the world


You’ll notice a theme in this section on things I consider a requirement before Microsoft Intune can become the Systems Management tool to rule them all. I believe you need at least 4 features for a systems management solution that Microsoft Intune standalone at present doesn’t offer, or where it needs extensive work to provide something competitive.

  1. OS Deployment

  2. Software distribution

  3. Server Management

  4. License management


NOTE: These 4 features are needed, in my perspective, for what a colleague of mine and I have started to name "Open devices". To explain systems management in today's world we've chosen to categorize devices as open versus closed, instead of using mobile devices, hybrids, laptops, desktops, etc.

Open devices to us are devices that have alternate means of installing software outside of a controlled store, whereas closed devices are devices that can only install software from the corresponding store.

OS Deployment


OS Deployment should be an integral part of a decent systems management solution. However, the technical field of OS Deployment is changing at a rapid pace. With Microsoft increasing the cadence of new versions of their client/workstation/mobile, whatever you want to call it, this field might become either more important, or lose its importance overall. It's no secret that Microsoft is aiming for an upgrade experience for consumers much like iOS upgrades go. In-place upgrades that keep your data and applications are where the future lies for OS Deployment, at least for consumer devices. Whether this same approach is a good fit for businesses and enterprises remains to be seen.

It definitely poses challenges to deliver the OS Deployment service we tend to offer nowadays. Delivering the user a device that fully works (is domain joined, has access to all the necessary company resources and has all applications installed the user needs) is a major challenge without going through OS Deployment. I recently had a customer asking me whether he needed to wipe and load his Surface Pro 3s with the company image or whether we could use these out of the box. As with many of our customers, their need for the image roughly comes down to "Make sure all the drivers are installed so there are no unknown devices in Device Manager, and eliminate all the vendor-installed junk". Well, the Surface Pro 3 image completely fits that need, so a wipe and load shouldn't be necessary. From a process perspective though, that would mean the IT department would have to:

  1. take a machine and login with a local admin account

  2. Join it to the domain and change the local admin password to meet with the company’s needs.

  3. Install the Configuration Manager client onto it

  4. Wait for policies to come down

  5. Verify whether all applications and software updates are installed


In the end, the overhead of not wiping-and-loading seemed larger than just following the standard process, as is.

So, in short, OS Deployment needs to be added to Microsoft Intune or businesses must decide that the need for OS Deployment is eliminated.

For this last bit to hold true, Microsoft needs to deliver on their failsafe OS Upgrade scenario well-enough to win the hearts of IT Departments, businesses will most likely have to adopt workplace join as opposed to domain join, and users will have to be self-sufficient to get their software themselves.

At present, and it's not because of lack of requests, Intune seems to expect that the need for OS deployment will disappear somewhere in the future, as no announcements, commitments or whatsoever seem to indicate OS Deployment is on the roadmap anytime soon.

Software distribution


I don't think I am exaggerating when I say that in today's day and age, without software distribution to deliver additional software, you don't have a systems management solution. People need additional software, and without local admin privileges for end users, IT departments need a way to deliver it. Yes, I am aware Microsoft Intune delivers software distribution as a feature. However, what they're offering out of the box isn't anything you would want to fully rely on as your main means of software distribution, as it barely offers more than group policy based software distribution, and lacks flexibility and versatility.

Again, in short, Software distribution needs to be strongly enhanced or business must decide on the elimination of the need for Extended Software distribution.

For this last bit to hold true, either users need to become self-sufficient and get all their software from the store, or all applications have to become web apps, most likely HTML5, or a mix of both.

Again when looking at the investments made into the Store, and the lack of investments in this field for Microsoft Intune my conclusion is Intune expects the need for Software Distribution to become less needed over time.

Server Management


Much like the OS Deployment bit, and not because of lack of requests, Microsoft Intune offers no server management worth the name.

So, either Server management needs to be added to Microsoft Intune, or businesses need to decide on the elimination of the need for server management. (Caught the theme yet?)

Again, that last bit might hold true in the future, assuming you believe in the idea that businesses are no longer going to have their own servers, and everything is hosted by a limited number of datacenter providers that'll maintain and patch/test your servers for you. When looking at the current Azure RemoteApp offering, when you want to include custom apps, that last bit seems to be something we might see in a distant future.

License Management


The License Management feature discussion is similar to the one on extended software distribution.

Some form of license management or elimination of the need for license management needs to occur.

Again, the latter could happen when all apps come from the store, or are HTML5 subscription-based apps.

Where is the Systems Management market heading?


Data protection


Data protection is key. The recent Sony hack emphasizes this point once more: data protection is critically important. In fact one might argue that this might actually be the answer to managing BYOD type devices, where we could decide to no longer manage these devices, but start managing and protecting the data. In a world where users can self-service most of their tasks themselves, the largest need for systems management is to

  1. Keep the device operational

  2. Protect the data on the device


When the data is protected by, let's say, rights management and multi-factor authentication, the largest need for systems management comes down to item 1, which could be solved by allowing factory-reset-like functionality.

New version of Configuration Manager coming


A new version of Configuration Manager is coming, and it’ll have a 10-year support lifecycle as all Microsoft enterprise products, so ConfigMgr Administrators are still good for a while.

Summary


Is Intune going to replace System Center Configuration Manager? It might, but it won't happen overnight. My current point of view is that Microsoft is focusing on Microsoft Intune for mobile device management, yet has no desire to kill off a billion dollar market in managing non-mobile devices. Even if the amount of growth feasible in non-mobile device management is minimal, investments are still made, some of them in fields where growth can be achieved (Mac & Linux management, anyone?). When a popular train of thought sees the light of day, and we all stop working on "Open Devices" and make the switch to "Closed aka mobile devices", that's when Microsoft is ready to pull the plug on System Center Configuration Manager. As long as that is not the case, they'll happily cash in on that billion dollar business and try to grow a multi-billion dollar cloud service right alongside it.

How I reached that point of view, is what I tried to explain in this article.

-- Enjoy. "The M in WMI stands for Magic"
"Everyone is an expert at something"

Kim Oppalfens - ConfigMgr Expert for lack of any other expertise
System Center Configuration Manager MVP – Belgium MEET member

mail: Kim.oppalfens@oscc.be
http://www.scug.be/thewmiguy

http://www.linkedin.com/in/kimoppalfens

http://twitter.com/thewmiguy

Client Notification status custom admin UI Node (Part 1)

1:23 pm in CMCE, ConfigMgr, Console Extension, SCCM, SDK by The WMI guy

Summary

Hi All,

This blog post is a follow-up to my tweet around figuring out how-to create custom nodes in the Configuration Manager admin UI. The sample at hand will be based on displaying Client Notification status for clients based on the new Client Notification functionality added in ConfigMgr SP1. I’ll split this post up in 2 sections, one for those of you that are interested in adding the Client Notification Status Node, and one for those that are interested in building their own node(s).

The client notification status node explained

The client notification status is based on the feature added to System Center Configuration Manager 2012 SP1. The feature is also known as fast channel internally at Microsoft or the Big Green Button. You can’t talk about this feature without mentioning the thoroughly detailed blog on the topic by Randy Xu. You can read up on that here: http://blogs.technet.com/b/configmgrteam/archive/2012/09/27/fast-channel-for-system-management.aspx

In the Q&A one of the questions is: Can I see the online status of clients from the Configuration Manager console? The answer to that has been: Not currently.

So that’s what I wanted to solve as I was looking for a sample node I could create. The client notification status returns results from the SMS_CN_Clientstatus as mentioned in the blog post. (Funny side note, if you ask me, is that I actually found the blog post based on searching for this class, as I had discovered the class while casually browsing WMI. And yes, I am aware I have a problem :-))

The node has 5 columns: client computer name, Online Status, Channel Type, LastStatusTime, ServerID.

NetBIOS Name

The Client computer name is self-explanatory.

Online Status

Online status is the info I really cared about, as that tells you whether a client is "Online". Now what does Online actually mean in the context of Client Notification Status? Does that mean the machine is turned on and on the network? Well, the answer to that is "It depends". When we thoroughly read the aforementioned blog post there are a couple of caveats.

  1. There's a random sleep timer of up to 10 minutes when starting a machine before it contacts the Client Notification Server (so the machine could be online although it is reported as offline, because it hasn't reported in just yet).
  2. The Client Notification Server is expecting some form of communication every 20 minutes, which means that worst-case a client could be reported as Online whereas it actually went offline 19 minutes ago.

So, to summarize this information isn’t really real-time, although it does give you a pretty good indication.

Channel Type

The Client Notification Status feature can work over TCP (port 10123 by default) or HTTP. There are some interesting things to note here as well. Most importantly, the thing that sets Client Notification Status apart from the different right-click actions is the direction of the network traffic. The Fast Channel communication channel is opened from the client towards the "Notification Server or BGB Server". Now, the Notification Server isn't a separate role you get to install; every management point post SP1 automagically becomes a BGB server as well. The interesting bit here is the direction: from a firewall perspective, opening up communications in one direction or another can be a big deal. A lot of security folks will prefer not opening up any ports towards your clients.

The other important note in the Q&A section is that fast channel communication happens with the MP in the assigned site. So, when you have clients in a secondary site, they'll contact the BGB Server in the primary. This might make client notification non-workable in these types of environments unless you are prepared to let that firewall traffic pass.

Finally, there’s the potential question on, why would I enable TCP when this can pass over https just as well? A question I won’t answer here, a) because it’s a why question :-) and b) because it is thoroughly answered in the product team’s blog.

Last Status Time

Not entirely sure on this one, but my guess is this is updated whenever a client contacts its BGB server, so that would be on establishing the fast channel. My preliminary tests show this happens on client restart, yet not on successfully executing a client notification action.

Server ID

The Server ID is the actual BGB Server you are having a fast channel with. I am not positive on how interesting this info is, and neither whether this can be different from the management point you are connected to. I’d like for this to display the server name, however, haven’t found a way to get the ID through WMI. I can get it from SQL but that would require special permissions and I am not really in favor of adding ui elements that bypass WMI.

So this is what it all looks like in the end (the NetBIOS Name column entries have been masked to hide my lack of creativity in choosing computer names for my lab):


Installing the Client Notification Status Node

Installing the custom console node is easy enough, especially for those that have installed extensions before. In essence it means placing some executable/dll in the adminconsole\bin folder, plus adding the right xml to the AdminConsole\XmlStorage\Extensions\Nodes folder. The XML itself needs to be placed in a subfolder of this nodes folder. The subfolder needs the format of a guid, and the location in the admin ui depends on the guid used.

A lot has been written in the past on how to figure out what guid to use. For this particular task, I just relied on adminui.consolebuilder.exe, one of those nifty hidden tools in the Configuration Manager installation directory.

Step by Step

  1. Download the ClientNotificationStatus.zip from here: http://1drv.ms/1zfvwIO
  2. Extract the zip file to a location of your choice.
  3. Copy the client notification status .dll to the adminconsole\bin folder of your admin UI console installation
  4. Create the Nodes  subfolder in AdminConsole\XmlStorage\Extensions\ if it doesn’t exist already
  5. Copy the guid folder (ec1eb040-7957-45c3-aad0-a0ef9afba98a) to AdminConsole\XmlStorage\Extensions\Nodes
  6. Restart the System Center Configuration Manager Admin UI
  7. The client status node in the Monitoring workspace should now contain a new sub view


Known issues / potential future enhancements

These have been pointed out to me by a grumpy old man already (not naming names here):
  1. The node isn't limited to only display 1,000 entries by default
  2. The node doesn't have a search box like most other nodes

Other items:
  • Show the BGB server name you're connected to.
  • See whether I can choose which columns to show by default
  • Include some form of RBA?

-- Enjoy. "The M in WMI stands for Magic"
"Everyone is an expert at something"
Kim Oppalfens - ConfigMgr Expert for lack of any other expertise
System Center Configuration Manager MVP – Belgium MEET member
mail: Kim.oppalfens@oscc.be


http://www.scug.be/thewmiguy
http://www.linkedin.com/in/kimoppalfens
http://twitter.com/thewmiguy

ConfigMgr 2012 RB A through Z webinar

8:08 am in ConfigMgr, RBA, SCCM by The WMI guy

Hi All,

It's been a while since I blogged anything, so for those of you wondering yes, I am still alive. Been pretty busy over the past year doing live presentations at several events, but blogging has suffered a bit. This is a quick blog post to announce that I'll be doing another live webinar. I still love doing those, and this one is scheduled for next week already.

The registration page can be found over here: http://bit.ly/17i2lrj

Session title: ConfigMgr 2012: RBA through Z
Session Abstract: System Center Configuration Manager comes with a completely revamped security model. The feature was named Role Based Administration, or RBA for short. In this session we'll go beyond the basics of security scopes, roles and collections to give you a deeper understanding of the possibilities of this new security model. Kim Oppalfens, who's been an SMS/ConfigMgr/Enterprise Client Management MVP for the past 10 years, will walk you through some real-life example scenarios and will explain how you work these into the new model.

-- Enjoy. "The M in WMI stands for Magic"
"Everyone is an expert at something" Kim Oppalfens - ConfigMgr Expert for lack of any other expertise
System Center Configuration Manager MVP
http://www.scug.be/blogs/sccm/default.aspx

http://www.linkedin.com/in/kimoppalfens

http://twitter.com/thewmiguy