ConfigMgr 2012 R2 SP1: Rotating Assigned Management Point

This month I’m working on a new, complex infrastructure with a few untrusted forests. For managing servers and deploying workstations we implemented SCCM 2012 R2 SP1 in the new environment. Unfortunately SCCM is not ‘designed’ for forests without a trust relationship. This bug, or ‘by-design thing’, has existed since the beginning of SCCM 2012. It is still present in ConfigMgr 2012 R2 SP1, but Microsoft has released a workaround for the rotating assigned management point if your environment uses multiple management points.

Anoop has a nice explanation about this ‘bug\by design thing’. The link: http://anoopcnair.com/2014/03/07/configmgr-sccm-2012-mp-selection-forest-trust-related-bug/

In CU3 Microsoft released a workaround. To use it you had to add a multi-string value to the registry of your client(s). The value (AllowedMPs) lists the correct management point(s) for the client. In ConfigMgr 2012 R2 SP1 there is an option in the properties of Sites: you can force the assignment of management points from the console. Go to Administration -> Site Configuration -> right-click on Sites. In the submenu you have the option Hierarchy Settings. There you can turn on “Clients prefer to use management points specified in boundary groups”. This option replaces the AllowedMPs registry multi-string workaround.

There is another thing, a tip about boundaries. Don’t use IP Subnet boundaries; use IP Address Range boundaries instead. If you are using forest discovery, ConfigMgr will create the IP address range boundaries for you. IP Subnet boundaries do not work as they should: the created subnet IDs are not correct, and that’s why an IP Subnet boundary will not work. The boundary group must contain the correct management point so that clients are assigned to it. Jason wrote a blog about IP Subnet and IP Address Range boundaries: http://blog.configmgrftw.com/ip-subnet-boundaries-still-evil/

The client now uses the management point configured in the boundary group, and the assigned management point no longer rotates. The client still gets the information from Active Directory, so you will still see the management points in the log, but it is not rotating.
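To verify on a client that the assigned management point really has stopped rotating, the following PowerShell snippet (added here, not part of the original post) polls the client’s SMS_Authority WMI class a few times and also reports whether the older AllowedMPs registry workaround is still in place. The sample count and interval are arbitrary choices; run it in an elevated prompt on the client.

```powershell
# Added example: detect management point rotation on a ConfigMgr 2012 R2 SP1 client.
# SMS_Authority (root\ccm) exposes the MP the client is currently talking to.
param(
    [int]$Samples  = 6,    # number of reads (assumption, adjust as needed)
    [int]$Interval = 30    # seconds between reads (assumption)
)

# The CU3 workaround stored the allowed MP list as REG_MULTI_SZ under HKLM\SOFTWARE\Microsoft\CCM.
$allowed = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM' -Name AllowedMPs -ErrorAction SilentlyContinue).AllowedMPs
if ($allowed) {
    Write-Host "AllowedMPs registry workaround is still set: $($allowed -join ', ')"
} else {
    Write-Host 'AllowedMPs not set (expected when the Hierarchy Settings option is used instead)'
}

$seen = @()
for ($i = 1; $i -le $Samples; $i++) {
    $authority = Get-WmiObject -Namespace 'root\ccm' -Class SMS_Authority
    $mp = $authority.CurrentManagementPoint
    Write-Host ("{0:u}  sample {1}: current MP = {2}" -f (Get-Date), $i, $mp)
    $seen += $mp
    if ($i -lt $Samples) { Start-Sleep -Seconds $Interval }
}

# More than one distinct MP across the samples means the client is still rotating.
$distinct = @($seen | Sort-Object -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "Management point rotated between: $($distinct -join ', ')"
    Write-Warning 'Check LocationServices.log in C:\Windows\CCM\Logs for the MP selection.'
} else {
    Write-Host "Management point stable: $($distinct[0])"
}
```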


How to troubleshoot an OSD to a raw disk #OSD troubleshooting / workaround

I was implementing an SCCM 2012 R2 environment at a customer. The customer bought new Lenovo desktops with 128 GB SSD disks. The disks were not preconfigured; they were new and had not been used by the vendor, so they were raw. A raw disk can be a problem for OSD. I had a problem with WinPE not recognizing the SSD: it only saw the card reader and the DVD drive. This means that the card reader (removable disk) automatically gets the C letter and the DVD drive the D letter.

The workaround was to format, partition and assign a letter to the SSD before starting the deployment task sequence in WinPE. This means that the SSD has been written to, and is not raw anymore, before the task sequence starts. So, the solution/workaround for this problem is:

In the properties of the boot image you can set a prestart command. WinPE will run this command automatically at launch. In this command you can configure network settings, format the disk before the task sequence starts, etc. I made a txt file with the commands for Diskpart. The commands for Diskpart are:

select disk 0
create partition primary size=300
format quick fs=ntfs label="TEMP"
assign letter="C"

Diskpart Scripts and Examples: http://technet.microsoft.com/en-us/library/dn614984.aspx

The source directory (in the prestart command settings of the boot image) is the directory where SCCM can find the txt file for Diskpart.

Once you have updated your boot image, you can try this workaround for the OSD. You may have to change some settings, such as the correct disk number: maybe your disk has number 2. But this workaround should work as a prestart command in WinPE. After this command has run successfully, the task sequence in WinPE should recognize the SSD as the C: drive.
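As an added example (not the author’s script), here is a prestart script that avoids hard-coding the disk number: it uses WMI to find the first non-USB disk, writes the same Diskpart commands for that disk index and runs them, so the card reader is never formatted by mistake. It assumes the boot image includes the WinPE-WMI and WinPE-PowerShell components and that the prestart command line is something like `powershell.exe -ExecutionPolicy Bypass -File prestart.ps1` with this file in the source directory.

```powershell
# Added example: prestart.ps1 - prepare a raw SSD before the task sequence starts.
# Assumes WinPE-WMI and WinPE-PowerShell are in the boot image (not stated on the original page).

# Win32_DiskDrive.Index is the number Diskpart uses in "select disk N".
# Skip USB-attached devices (the card reader) so the wrong disk is never wiped.
$target = Get-WmiObject -Class Win32_DiskDrive |
    Where-Object { $_.InterfaceType -ne 'USB' } |
    Sort-Object Index |
    Select-Object -First 1

if (-not $target) {
    Write-Host 'No fixed disk found; leaving disks untouched.'
    exit 1
}

Write-Host ("Preparing disk {0} ({1}, {2} GB)" -f $target.Index, $target.Model, [math]::Round($target.Size / 1GB))

# Same commands as the txt file above, but with the detected disk index.
$script = @"
select disk $($target.Index)
create partition primary size=300
format quick fs=ntfs label="TEMP"
assign letter="C"
"@

$scriptPath = Join-Path $env:TEMP 'prepdisk.txt'
Set-Content -Path $scriptPath -Value $script -Encoding ASCII

# diskpart /s runs the commands from the file; a non-zero exit code aborts the prestart.
& diskpart.exe /s $scriptPath
exit $LASTEXITCODE
```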

Good luck!

System Center 2012 R2 Configuration Manager Toolkit

Finally, the toolkit for ConfigMgr 2012 R2 is available. Download it from Microsoft: http://tinyurl.com/l3qgf4v

This toolkit contains fifteen downloadable tools to help you manage and troubleshoot Microsoft System Center 2012 R2 Configuration Manager. The following list provides specific information about each tool in the toolkit.

Note: Items with an * are new in the R2 Toolkit and require Microsoft System Center 2012 R2 Configuration Manager for full functionality.

Server Based Tools

• * DP Job Manager – A tool that helps troubleshoot and manage ongoing content distribution jobs to Configuration Manager distribution points.
• * Collection Evaluation Viewer – A tool that assists in troubleshooting collection evaluation related issues by viewing collection evaluation details.
• * Content Library Explorer – A tool that assists in troubleshooting issues with and viewing the contents of the content library.
• Security Configuration Wizard Template for Microsoft System Center 2012 R2 Configuration Manager – The Security Configuration Wizard (SCW) is an attack-surface reduction tool for the Microsoft Windows Server 2008 R2 operating system. Security Configuration Wizard determines the minimum functionality required for a server’s role or roles, and disables functionality that is not required.
• Content Library Transfer – A tool that transfers content from one disk drive to another.
• Content Ownership Tool – A tool that changes ownership of orphaned packages (packages without an owner site server).
• Role-based Administration Modeling and Auditing Tool – This tool helps administrators to model and audit RBA configurations.
• Run Metering Summarization Tool – The purpose of this tool is to run the metering summarization task to analyze raw metering data.

Client Based Tools

• Client Spy – A tool that helps you troubleshoot issues related to software distribution, inventory, and software metering on System Center 2012 Configuration Manager clients.
• Configuration Manager Trace Log Viewer – A tool used to view log files created by Configuration Manager components and agents.
• Deployment Monitoring Tool – The Deployment Monitoring Tool is a graphical user interface designed to help troubleshoot Applications, Updates, and Baseline deployments on System Center 2012 Configuration Manager clients.
• Policy Spy – A policy viewer that helps you review and troubleshoot the policy system on System Center 2012 Configuration Manager clients.
• Power Viewer Tool – A tool to view the status of the power management feature on System Center 2012 Configuration Manager clients.
• Send Schedule Tool – A tool used to trigger a schedule on a client or trigger the evaluation of a specified DCM Baseline. You can trigger a schedule either locally or remotely.
• Wakeup Spy – A tool that provides a view of the power state of Configuration Manager client computers and which operate as managers or managees.

Configure Endpoint Protection 2012 in SCCM 2012 SP1

In this blog I’ll explain how to configure Endpoint Protection 2012. This scanner/protection is integrated in SCCM 2012 and will be installed automatically if the client has the ConfigMgr client installed.

So, this is a simple but quick how-to. (You must already have installed WSUS and installed and configured the Software Update Point (SUP) role.)

First, we have to make a new collection. This collection is for all Windows 7 clients or all Windows 8 clients. In my example I’m using Windows 8.

The Endpoint Protection updates only work with a device collection.

Step 1 Device Collection

Go to Assets and Compliance and right click on Device Collections. Click on Create Device Collection.

A new window will appear. Give the collection a name. I’ll choose All Windows 8 Computers.

The limiting collection is All Systems.

Click on Add Rule and click on Query Rule.

Give the query a name, in my example All Windows 8 Computers, and click on Edit Query Statement.

In the new window click on the button Show Query Language.

Ok, add this WQL query (note the table name is SMS_R_System, singular, on both sides):

select * from SMS_R_System where SMS_R_System.OperatingSystemNameAndVersion like "%Workstation 6.2%"

(For Windows 7 use Workstation 6.1.)

Click Ok.

Click Ok.

Change the schedule to 10 minutes (this is a lab).


Click Next

And close the wizard.

Right click on the new collection and go to properties.

Open the tab Alerts

Enable “View this collection in the Endpoint Protection dashboard”.

Click Ok to close the properties.
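Step 1 as an added PowerShell example (not the author’s steps): it creates the device collection with the ConfigMgr cmdlets, generalized to both OS versions mentioned in the text (Workstation 6.1 for Windows 7, 6.2 for Windows 8). It assumes the admin console with its PowerShell module is installed and uses the placeholder site code PS1; the Endpoint Protection dashboard checkbox from the Alerts tab still has to be set in the console.

```powershell
# Added example: create the "All Windows N Computers" device collections with query rules.
# Assumes the console PowerShell module is present; PS1 is a placeholder site code.
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
Set-Location 'PS1:'

# OperatingSystemNameAndVersion values from the post (6.1 = Windows 7, 6.2 = Windows 8).
$versions = @{
    'Windows 7' = 'Workstation 6.1'
    'Windows 8' = 'Workstation 6.2'
}

foreach ($os in $versions.Keys) {
    $name  = "All $os Computers"
    # WQL membership query; same shape as the one entered in the console's query editor.
    $query = 'select * from SMS_R_System where SMS_R_System.OperatingSystemNameAndVersion like "%{0}%"' -f $versions[$os]

    if (Get-CMDeviceCollection -Name $name) {
        Write-Host "$name already exists, skipping"
        continue
    }

    # 10-minute refresh matches the lab setting in the post; use a longer interval in production.
    $schedule = New-CMSchedule -RecurInterval Minutes -RecurCount 10
    New-CMDeviceCollection -Name $name `
        -LimitingCollectionName 'All Systems' `
        -RefreshType Periodic `
        -RefreshSchedule $schedule | Out-Null

    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $name `
        -RuleName $name `
        -QueryExpression $query

    Write-Host "Created $name with query rule: $query"
}
```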

Step 2 (Configure Software Update Point and Software updates)

Go to Administration -> Sites and select your site. Right-click on your site and go to Configure Site Components -> Software Update Point.

You have to select Forefront Endpoint Protection 2010 in the tab Products. Click Ok to close.

Go to Software Library in the menu. Right-click on All Software Updates and choose Synchronize Software Updates.

You will get a warning. Click Yes.

To check the status, open wsyncmgr.log. This log is located in C:\Program Files\Microsoft Configuration Manager\Logs.

Go back to the console and right click on Automatic Deployment Rules and click on Create Automatic Deployment Rule.

Give the rule a name. In my example that is Automatic Deployment Rule for Endpoint Protection Updates.

Collection is the new collection All Windows 8 Computers.

Click Next.

Check Date Released or Revised and choose Last 1 day.

Check Product and choose Forefront Endpoint Protection 2010.


Change the schedule to 1 day.

Change Time based to UTC and Software available time to 2 hours. Installation deadline is As soon as possible.

Click Next.

Enable Configuration Manager alerts.

Change deployment options to Download software updates from distribution point and install.

Select Create a new deployment package. Enter a name and the source path for the updates.

Add a distribution point.

Click Next.

Click Next.

Click Next.

Click Close.

Step 3 (configure custom antimalware policies)

You have to configure an antimalware policy. Do not modify the default policy; always create a new one. This is best practice for using the policies. Custom policies always take precedence over the default antimalware policy because they have a higher priority.

Go to Assets and Compliance and right click on Antimalware Policies. Click on Create antimalware policy.

Enter a name and select everything in the list.

Ok, now we have to configure the list items in the left pane. This is different for every environment, so I won’t go into the details. Don’t forget the source in Definition updates.

After that, right-click on the policy and choose Deploy.

Select the correct collection; in my example this is All Windows 8 Computers.

Step 4 (Custom Client Device Settings)

You have to tell the client that you want to use Endpoint Protection. This means we have to change the client device settings. Go to Administration and right-click on Client Settings. Click on Create Custom Client Device Settings. These custom settings also have a higher priority than the Default Client Settings.

Enter a name and select Endpoint Protection.

Go to Endpoint Protection in the left pane.

Change some settings if you want, but this is the default. Click Ok.

Right click on the custom client device settings and click on deploy.

Select the collection and click Ok.

Now we have to check if everything is working. Go to the client and open Endpoint Protection. Click on the arrow next to Help and click on About System Center Endpoint Protection.

In the list you have to find your custom policy; if it is not there, we have to force or wait for the sync with SCCM.

If you don’t find your custom policy, go to Control Panel and open Configuration Manager. Open the Actions tab, select Machine Policy Retrieval & Evaluation Cycle and click the Run Now button.

You will get a message. Click Ok and wait for a minute. After that the machine gets the custom antimalware policy.

You can also check the logs in C:\Windows\CCM\Logs\ for the Endpoint Protection status and for the updates.
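The client-side check described above, as an added PowerShell example (not from the original post): it triggers the Machine Policy Retrieval & Evaluation Cycle through the client’s WMI interface instead of the Control Panel applet, then reads the Endpoint Protection agent log and service state. The 60-second wait mirrors the “wait for a minute” in the text; the log and service names are the standard ConfigMgr/SCEP ones.

```powershell
# Added example: verify on a client that the Endpoint Protection policy and agent arrived.
# Run in an elevated PowerShell prompt on the client.

# Schedule ID of "Machine Policy Retrieval & Evaluation Cycle" (the action clicked in the post).
$machinePolicyCycle = '{00000000-0000-0000-0000-000000000021}'

Write-Host 'Triggering Machine Policy Retrieval & Evaluation Cycle...'
Invoke-WmiMethod -Namespace 'root\ccm' -Class SMS_Client -Name TriggerSchedule -ArgumentList $machinePolicyCycle | Out-Null

# Give the client a moment to download and apply the new policy.
Start-Sleep -Seconds 60

# EndpointProtectionAgent.log records policy application and the EP agent install.
$log = 'C:\Windows\CCM\Logs\EndpointProtectionAgent.log'
if (Test-Path $log) {
    Write-Host 'Last Endpoint Protection agent log entries:'
    Get-Content $log | Select-Object -Last 15 | ForEach-Object {
        # CMTrace lines look like <![LOG[message]LOG]!><time=...>; keep only the message.
        if ($_ -match '<!\[LOG\[(.*?)\]LOG\]!>') { $matches[1] }
    }
} else {
    Write-Warning "$log not found - is Endpoint Protection enabled in the deployed client settings?"
}

# The SCEP antimalware service (MsMpSvc) should be running once the agent is installed.
$svc = Get-Service -Name MsMpSvc -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -eq 'Running') {
    Write-Host 'Endpoint Protection service (MsMpSvc) is running.'
} else {
    Write-Warning 'Endpoint Protection service (MsMpSvc) is not running; check the log above.'
}
```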

#4 troubleshoot: CCMsetup error WOW64 Emulation Layer – Event ID 1109

I was deploying Windows 7 and Windows 8 images, but after installing the ConfigMgr client the deployment stops without any error or warning.

So, after checking the logs and Event Viewer I still had no clue about the stop/failure. The only thing I could do was run the setup manually from the distribution point.

I ran CCMsetup.exe from \\SCCM2012\C$\SMSPKGE$\CM200014\ and got this message:

This is, by the way, on a Windows 7 machine, but I got the same error on a Windows 8 machine.

Very odd, so the next step was to copy the Client folder to the local drive and run it from there, but I still got the same error. Checking Event Viewer I found this event ID.

Ok, now from the source directory. Running CCMsetup.exe from \\SCCM2012\SMS_CM2\Client gave no warnings or errors. So this must be corruption after updating the package on the distribution point.

I checked the settings of the package and found this option. It is disabled by default. It’s a simple option, and it also says that if you want to run this from the distribution point you have to enable it.

I enabled “Copy the content in this package to a package share on distribution points”.

I tried the installation from the share again, and it ran without any problems.

But this may not fix the deployment. If you still have the same problem, check this blog: https://albertneef.wordpress.com/2013/03/12/5-troubleshoot-couldnt-verify-cwindowsccmsetupmicrosoftpolicyplatformsetup-msi-authenticode-signature-return-code-0x800b0101-in-ccmsetup-log/

#5 troubleshoot: Couldn’t verify ‘C:\Windows\ccmsetup\MicrosoftPolicyPlatformSetup.msi’ authenticode signature. Return code 0x800b0101 in ccmsetup.log

I was deploying Windows 7 and 8 images, but after copying the setup files and installing the ConfigMgr client it stops. I didn’t get any warnings or information about the stop. So, I searched for the error in the logs.

In SMSTS.log (located in C:\Windows\Temp) you see a failure like this:

Hmm, ok? But the client setup has its own log file, which may be easier to understand. This log file is located in C:\Windows\ccmsetup\Logs\ccmsetup.log.

Now we see a better warning about why the setup stops. The failure is: Couldn’t verify ‘C:\Windows\ccmsetup\MicrosoftPolicyPlatformSetup.msi’ authenticode signature. Return code 0x800b0101

What I found on the Internet is that this is a bug in Service Pack 1. Microsoft has released a hotfix for Windows 7 and older OS versions. Windows 8 also has a hotfix for this problem.

There are 2 methods to solve this.

Method 1:

This hotfix is for all site servers. Install KB2801987 on all site servers in your hierarchy.

Method 2:

For Win7 and below, look at this link: KB2749655

For Win8 look at this link: KB2756872

This hotfix must be installed before installing the ConfigMgr client (duh). This means you have to update your images. There is an easy way to do that.

Open the command prompt (run as administrator) and go to the directory where the hotfix is located (on the SCCM server!).

In my example that is E:\Resource\hotfix\win7\Windows6.1-KB2749655-x64.msu

We have to extract the MSU file; we need the cab file inside the MSU. So type in:

Windows6.1-KB2749655-x64.msu /extract:E:\Resource\hotfix\win7\


Now we have some files in the win7 directory. Two of the files are .cab.

The next step is mounting the WIM file. Run this command to mount the image to a folder. First create a folder; in my example that is E:\mount.

Then run this command:

DISM /mount-wim /wimfile:E:\resource\images\win7.wim /index:1 /mountdir:E:\mount

This can take a few minutes.

Then add the hotfix to the mounted image (note the drive letter needs the colon):

DISM /image:E:\mount /Add-Package /PackagePath:E:\resource\hotfix\win7\Windows6.1-KB2749655-x64.cab


You are done. You have to unmount the WIM file with this command:

DISM /Unmount-WIM /Mountdir:E:\mount /Commit


And do this also with Windows 8 images.

Last step before testing/deploying it: update your distribution point by right-clicking on the Windows 7 image and choosing Update Distribution Points.
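The mount / Add-Package / unmount steps above, as an added PowerShell example (not the author’s commands): it wraps dism.exe so that the mount is discarded whenever adding the package fails, which means a half-patched image is never committed. It uses the Windows 7 paths from the post; the Windows 8 image and cab names are assumptions and need adjusting to your layout.

```powershell
# Added example: inject a hotfix cab into a WIM with dism.exe, committing only on success.
# Paths follow the post; the win8 entries are assumed names, adjust to your layout.
$mountDir = 'E:\mount'
$jobs = @(
    @{ Wim = 'E:\resource\images\win7.wim'; Cab = 'E:\resource\hotfix\win7\Windows6.1-KB2749655-x64.cab' },
    @{ Wim = 'E:\resource\images\win8.wim'; Cab = 'E:\resource\hotfix\win8\Windows8-RT-KB2756872-x64.cab' }  # assumed
)

function Add-HotfixToWim {
    param([string]$Wim, [string]$Cab, [string]$MountDir, [int]$Index = 1)

    if (-not (Test-Path $Wim)) { throw "WIM not found: $Wim" }
    if (-not (Test-Path $Cab)) { throw "CAB not found: $Cab" }
    if (-not (Test-Path $MountDir)) { New-Item -ItemType Directory -Path $MountDir | Out-Null }

    Write-Host "Mounting $Wim (index $Index) to $MountDir"
    & dism.exe /Mount-Wim "/WimFile:$Wim" "/Index:$Index" "/MountDir:$MountDir"
    if ($LASTEXITCODE -ne 0) { throw "Mount failed for $Wim (exit $LASTEXITCODE)" }

    try {
        Write-Host "Adding $Cab"
        & dism.exe "/Image:$MountDir" /Add-Package "/PackagePath:$Cab"
        if ($LASTEXITCODE -ne 0) { throw "Add-Package failed (exit $LASTEXITCODE)" }

        Write-Host 'Committing changes'
        & dism.exe /Unmount-Wim "/MountDir:$MountDir" /Commit
        if ($LASTEXITCODE -ne 0) { throw "Commit failed (exit $LASTEXITCODE)" }
    }
    catch {
        # Never leave a mount hanging: discard so the original WIM stays untouched.
        Write-Warning "$($_.Exception.Message) - discarding mount"
        & dism.exe /Unmount-Wim "/MountDir:$MountDir" /Discard | Out-Null
        throw
    }
}

foreach ($job in $jobs) {
    Add-HotfixToWim -Wim $job.Wim -Cab $job.Cab -MountDir $mountDir
}
```

After the script finishes, the Update Distribution Points step in the console is still required so the patched image reaches the distribution points.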

That’s all folks.

#3 troubleshoot: OSD – Content location request for IDXXXXXX:X failed (Code 0x80040102)

I was working on a new build-and-capture of a Windows 8 deployment, but at the beginning of the task sequence in WinPE I got this message:

Content location request for IDXXXXXXX failed (Code 0x80040102)

So, the only thing you have to do is go to Administration in the console and then to Boundary Groups. Right-click on the item and go to Properties. I have 1 item; maybe you have more.

This infrastructure was migrated from an SCCM 2007 infrastructure. That’s the reason for the name.


Go to the Reference tab.

And enable “Use this boundary group for site assignment” and choose the correct site.

Also add the content location: choose your distribution point.

You are done.