Archive for the ‘SCCM 2012’ Category

Can we use Windows Azure SQL Databases for ConfigMgr 2012?

January 20, 2014

Demo

This question popped up when I was setting up a demo ConfigMgr environment, running completely in Windows Azure.

Simple setup: all ConfigMgr roles on a single server, including a local SQL DB.

For this, I used an “A5” VM instance, which has 2 vCPU cores and 14 GB of RAM.

For storing the data, I attached a “persistent disk”, as that is storage that is guaranteed to remain persistent after a reboot (don’t use the temp disk!).

Costs

Now this is a costly machine, as running an A5 VM costs about 220 euros per month. (pricing)

And this is only the running of the VM, not taking into account the storage costs, download traffic costs, etc.

Now storage and download bandwidth are pretty cheap in Azure, compared to the computing costs.  But still, can we save money somewhere?

Cutting costs

So, can we cut the costs somehow? Do we need 2 cores and 14 GB of RAM?

The major reason for this amount of RAM is running the SQL server locally. If we could move that somewhere else, a “medium VM” with 2 cores and 3,5 GB would be sufficient.

This type of VM only costs about €100 per month. Quick saving, right?

Azure SQL

So, Azure also offers SQL Database services, and a lot cheaper (a default 5 GB CM database would cost about €20 per month). But are they suitable for running a ConfigMgr 2012 database?

Let’s compare the ConfigMgr Database Requirements, and the specifications for Azure SQL Databases.

Requirements

-1:  “At each site both the instance of SQL Server that is used for the site database and the site database must use the following collation: SQL_Latin1_General_CP1_CI_AS.”

Well, that doesn’t seem to be a problem. Although the site database cannot be configured in Azure (because it uses a shared SQL server of course), the default collation for new databases is SQL_Latin1_General_CP1_CI_AS. This suggests that the instance is also using that collation, but we cannot be sure at this point.

-2: “Configuration Manager requires Windows authentication to validate connections to the database.”

Whoops. That is a problem, since Azure does not support this. (Windows Authentication is not supported)

The Verdict

For those wondering if we can use Azure SQL DB services for hosting a ConfigMgr database:

– No, you cannot.


Tip: Do not change the default installation location for ConfigMgr 2012

December 11, 2013

When you specify a different installation location for ConfigMgr 2012 when installing your site server or a server with the MP role, you might get into some trouble.
It seems that some components are very attached to the default “C:\Program Files\Microsoft Configuration Manager” folder.

Error 1: when installing smsmp, the installation is unable to create the SMS_CCM folder underneath the “Microsoft Configuration Manager” folder, and thus the smsmp.msi install fails with the vague error 1603:
“mp.msi exited with return code: 1603”
“Fatal MSI error – mp.msi could not be installed”
The BGBsetup.msi also fails, with the same errors.
After manually creating this folder, the install of the MP role and the BGB succeeds.

Error 2: after installing the bgb role, its registration with .Net 4 fails.
The Error in BgbSetup.Log says:
“Fatal MSI Error – bgbisapi.msi could not be installed”
And a little bit above that:
“CTool::RegisterComPlusSErvice: Failed to register E:\Program Files\Microsoft Configuration Manager\bin\x64\microsoft.configurationmanager.bgbserverchannel.dll with .Net FX 4.0”

This is also due to the files being installed in a different location, which the Regsvc.exe of .Net FW doesn’t like.
In order to fix this, you have to modify 2 files in your .Net FW folder (probably C:\Windows\Microsoft.NET\Framework64\v4.0.30319): InstallUtil.exe.config and Regsvc.exe.config.
Add the following text to these files, just below the “configuration” bit (remove the <code> tags; I included them to keep WordPress from removing my code):

<code>

<runtime>
<loadFromRemoteSources enabled="true"/>
</runtime>

</code>

After saving these files, retry the configuration of bgb by stopping and starting the SMS_SITE_COMPONENT_MANAGER.
This will re-trigger the configuration of the Client Notification Service, and this time, the registration with .Net FW 4.0 will succeed.

If you have problems editing these files, check this post
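The same edit scripted in PowerShell, as an added example that is not part of the original post. It assumes an elevated session with write access to the two config files, reuses an existing runtime element instead of adding a second one, and keeps a timestamped backup of each file.

```powershell
# Added example (not from the original post): apply the loadFromRemoteSources edit
# to both config files, then restart the component manager as described above.
$fxDir   = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319'  # folder named in the post
$targets = 'InstallUtil.exe.config', 'Regsvc.exe.config'
$stamp   = Get-Date -Format 'yyyyMMddHHmmss'

foreach ($name in $targets) {
    $path = Join-Path $fxDir $name
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "$path not found, skipping"
        continue
    }

    # Keep the original so the change can be reverted later.
    Copy-Item -LiteralPath $path -Destination "$path.bak-$stamp"

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($path)

    $config = $xml.SelectSingleNode('/configuration')
    if ($null -eq $config) {
        Write-Warning "$path has no <configuration> root, skipping"
        continue
    }

    # Reuse <runtime> when the file already has one; a second element would be wrong.
    $runtime = $config.SelectSingleNode('runtime')
    if ($null -eq $runtime) {
        $runtime  = $xml.CreateElement('runtime')
        $sections = $config.SelectSingleNode('configSections')
        if ($null -ne $sections) {
            # <configSections>, when present, has to remain the first child.
            [void]$config.InsertAfter($runtime, $sections)
        } else {
            [void]$config.PrependChild($runtime)
        }
    }

    $flag = $runtime.SelectSingleNode('loadFromRemoteSources')
    if ($null -eq $flag) {
        $flag = $xml.CreateElement('loadFromRemoteSources')
        [void]$runtime.AppendChild($flag)
    }
    $flag.SetAttribute('enabled', 'true')

    $xml.Save($path)
    Write-Output "Updated $path"
}

# Stopping and starting the service re-triggers the Client Notification (bgb) setup.
Restart-Service -Name 'SMS_SITE_COMPONENT_MANAGER'
```

The .bak copies make it easy to restore the original files once the registration has succeeded, since loadFromRemoteSources grants full trust to assemblies these two tools load from remote sources.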

Windows 8.1 Hyper-V – Simplified VM Import, and Generation 2 VMs

October 16, 2013

After upgrading my Windows 8 workstation to Windows 8.1, I was eager to try out all the new functionality within Hyper-V in 8.1.

Simplified VM Import

The first thing I noticed was that I could easily re-import my VMs, which I had stored on another disk during the migration. While in previous versions you had to properly export a VM before you could import it again, this has gotten a lot easier. Now, you can just import any VM from disk, without it having been exported first.

This is called Simplified Import.

After getting my lab VMs back in the Hyper-V Management Console, I created a new VM.

Second Generation VM

In this wizard I got the option to create a Generation 1 or a Generation 2 VM:

HYPER-V GEN 2 vm

Here I chose 2nd generation of course. 2nd generation virtual machines provide features like:

* UEFI and Secure Boot
* boot from virtual SCSI hard disk or DVD instead of IDE
* PXE boot by using a standard (synthetic) NIC instead of an old legacy NIC

So the new VM looked like this:

GEN 2 - UEFI BOOT

Notice the Synthetic NIC for PXE Boot, the SCSI bootdisk, and the UEFI BIOS.

This asked for a test installation using SCCM 2012 SP1, using all these features of course 🙂

Booting this machine in UEFI mode caused the PXE boot to look and behave differently too.

Also, no more “Press F12”, but “Press Enter for network boot service”.

Also, a slightly different WDS – PXE screen where the client is contacting the Siteserver to determine applicable client policy.

Finally we’re in the Task Sequence.

No keyboard during OSD

What I noticed here is that I could not use the keyboard.

Keyboard commands were simply not passed on into the VM.

So I could only select the desired Task Sequence using the mouse. This seems to be a bug (link).

I tried disabling the Enhanced Session Mode but that didn’t solve it unfortunately.

Update – This turned out to be a bug indeed: click.
Something with keyboard drivers in WinPE and WinRE. The workaround is to use Windows 8.1-based WinPE.

FAST

After selecting the proper OS to install (Generation 2 VMs are only supported when using 64-bit Windows 8 or 8.1, or Server 2012 / 2012 R2) the install started.

And it went FAST!

Where starting ConfigMgr OSD by booting from PXE tended to be quite slow using Hyper-V before, this was as quick as when using bootable media (iso).

Very fast indeed. Downloading the WIM file and applying the OS took no more than 3 minutes…

Installing the ConfigMgr client took 5 minutes, and within a total of 12 minutes the thing was up and running. Nice.

ConfigMgr Clients not receiving any advertisements – unapproved / blocked?

August 17, 2013

On a freshly upgraded ConfigMgr 2012 SP1 environment, a customer noticed that machines did not get any advertisements anymore. I was called in to investigate what happened.

I noticed the following:

– The machines were listed as members of the All Systems Collection.

– An OSD Task Sequence had been deployed to the All Systems Collection, making it available only to Media and PXE (not to ConfigMgr clients).

Still, the machines they mentioned did not pick up any advertisements when booted through PXE.

However, other machines that were part of the All Systems collection, DID get the advertisement.

It turned out that the systems that did not get the advertisements, had not been added to the domain properly. Therefore, they had not automatically been approved in ConfigMgr, and were not allowed to access the ConfigMgr Site.

The analysis

I have reconstructed this in my lab environment, to show you what this looks like.

First, I installed a Windows 7 machine, adding it to a workgroup instead of to the domain. Then I installed the ConfigMgr client, using the parameters /SMSMP=<my MP name> and /SMSSITECODE=<name of my ConfigMgr site>.

After this, the machine showed up in ConfigMgr in the All Systems Collection as Windowsclient-3.

Now when you would just look at this, you would think it is a member of the All Systems collection, and therefore would get all the advertisements (or deployments) that are targeted to this collection, right?

Well, no.

Let’s add some more columns to this view; right-click the title bar, and you get a list of columns you can add to the view.

Let’s add the Approved and Domain columns.

Now we can clearly see that windowsclient-3 is not a member of the domain, and therefore also not approved.

Well, not automatically anyway. This is something we configure in the Site Hierarchy Settings.

As you can see, by default only computers that are members of the same domain, or a trusted domain, are automatically approved.

Since the windowsclient-3 machine is not in any domain, but in a workgroup, it is not approved.

With it being “Not approved”, it is also denied access to Site content, like policy and Files.

So, although the system is listed in the All Systems collection, it will not get any Deployments advertised.

If I PXE boot the client:

Sorry, no OSD for you 🙂

On the machine itself, we see the following in the ConfigMgr Client:

On the “Actions”, we can see by the limited number of cycles available, that only the core client is installed, and no policy has been retrieved yet.

If we look through the client log files we see that it can contact the MP (since we specified this during client installation), but it will get no policy from it.

Also, it cannot find information about available MPs from Active Directory, since it is not a domain member.

So, the only thing it can do now, is to keep contacting its MP, and hope for Approval 🙂

Now, let’s Approve the client in the ConfigMgr Console, and see what happens.

Right-click the machine and select “Approve”.

Are we sure? :p

Now, a reboot of the client to speed things up, and a Machine Policy Retrieval later, the client starts working, and then:

Well this looks better 🙂

And there we get the policy assigned to the collections:

See the “Software changes are required” balloon pop up in the corner?

Yes, this is one happy client now 🙂
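The Approved and Domain columns from the analysis above can also be pulled straight from the SMS Provider, as in this added PowerShell example, which is not part of the original post. The site code and provider server are placeholders, and the script only reports, so approval stays a reviewed decision in the console.

```powershell
# Added example (not from the original post): list clients that are installed
# but not approved, with the domain/workgroup they report.
$siteCode = 'XXX'        # placeholder: your three-character site code
$provider = 'localhost'  # placeholder: server that hosts the SMS Provider

# SMS_CombinedDeviceResources backs the device view in the console, including
# the Approved and Domain columns added in the walkthrough above.
$query = 'SELECT Name, Domain, IsApproved, IsBlocked ' +
         'FROM SMS_CombinedDeviceResources WHERE IsClient = 1'

$clients = @(Get-WmiObject -ComputerName $provider `
                           -Namespace "root\sms\site_$siteCode" `
                           -Query $query)

# IsApproved is 1 for approved clients; treat everything else as needing review.
$pending = @($clients | Where-Object { $_.IsApproved -ne 1 })

"{0} of {1} clients are not approved" -f $pending.Count, $clients.Count

$pending |
    Sort-Object Domain, Name |
    Format-Table Name, Domain, IsApproved, IsBlocked -AutoSize

# A workgroup name or an untrusted domain here explains why automatic approval
# did not happen for these machines.
$pending |
    Group-Object Domain |
    Sort-Object Count -Descending |
    Format-Table @{ Label = 'Domain / workgroup'; Expression = { $_.Name } }, Count -AutoSize
```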

 

Powershell for ConfigMgr 2012 – part 1 (introduction)

August 9, 2013

ConfigMgr 2012 comes with a lot of powershell cmdlets to make your life easier.

Since SP1, a whopping 471 of them even!

But how do we access them? There is no shortcut called “PowerShell for ConfigMgr” placed on your desktop after installation of ConfigMgr, we have to do some work for that ourselves.

How to:

First, start the x86 version of PowerShell (run as admin).

Since the ConfigMgr Console is still 32-bit, and the PowerShell cmdlets come with the console, they are also 32-bit.

Then in PowerShell type: cd "C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin" to get to the proper folder where the ConfigMgr PowerShell module is located.

Then we type Import-Module .\ConfigurationManager.psd1 to load the PowerShell module for Configuration Manager, making all the cmdlets available to us.

Now we can start running the cmdlets. But which are they, and what can we do with them?

For that, let’s first update the help files. Make sure your machine has internet connectivity, so the updated help files can be downloaded from Microsoft;

Type Update-Help

After the help-updates have been downloaded, let’s see which cmdlets we have now for Configuration Manager.

Type Get-Command -Module ConfigurationManager | Out-GridView

This will show a nice list of all available ConfigMgr cmdlets.

For a complete list of all the CmdLets, including a brief description of their function click here

You can get more info for each CmdLet by typing get-help <cmdlet>

For instance: get-help Add-CmDeploymentType
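The steps above combined into one script, as an added example that is not part of the original post. It assumes the default console folder quoted above, and stops early when it is started from a 64-bit session or when the module file is missing.

```powershell
# Added example (not from the original post): load the ConfigMgr 2012 SP1 module
# with the checks implied by the steps above.

# The cmdlets ship with the 32-bit console, so a 64-bit session cannot load them.
if ([IntPtr]::Size -ne 4) {
    throw 'This is a 64-bit session. Start the x86 version of PowerShell (as admin) and try again.'
}

# Folder as given in the post; adjust when the console is installed elsewhere.
$binDir   = 'C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin'
$manifest = Join-Path $binDir 'ConfigurationManager.psd1'

if (-not (Test-Path -LiteralPath $manifest)) {
    throw "ConfigurationManager.psd1 not found in $binDir. Is the admin console installed here?"
}

Import-Module $manifest

# Count what was loaded.
$cmdlets = @(Get-Command -Module ConfigurationManager -CommandType Cmdlet)
"{0} ConfigMgr cmdlets loaded" -f $cmdlets.Count

# Break the list down by verb to see what kind of operations are covered.
$cmdlets |
    Group-Object Verb |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# Narrow the list to one area, for example everything that deals with collections.
Get-Command -Module ConfigurationManager -Noun '*Collection*' |
    Sort-Object Noun, Verb |
    Format-Table Name -AutoSize
```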

Now, we can also launch the PowerShell CmdLets from the ConfigMgr Admin Console!

However, it is very well hidden in my opinion. Ever seen the little blue arrow on the top-left of the console?

Whoomp, there it is. An x86 PowerShell session, started as admin.

Type Y to allow the execution of the script, and off you go.

In the next post, I will discuss some common useful cmdlets, to create collections and such.

 

Deploying Windows 8? Not with ConfigMgr 2007…

September 21, 2012

Windows 8 and SCCM 2007 / 2012
I just read this post from the ConfigMgr team about support for Windows 8 and Server 2012 in ConfigMgr versions.
Although Windows 8 and Server 2012 will be fully supported as ConfigMgr clients for ConfigMgr 2012 SP1 and ConfigMgr 2007 Sp2, the deployment of Windows 8 or Server 2012 through the ConfigMgr Operating System Deployment (OSD) feature will NOT be supported with ConfigMgr 2007 SP2.
So, if you want to do a large-scale deployment of Windows 8 and/or Server 2012 in your environment, you will have to upgrade your ConfigMgr 2007 environment to ConfigMgr 2012 SP1.
Oh, and with “upgrade”, I mean “replace”.

That’s right, there is no option to in-place-upgrade your ConfigMgr 2007 environment to ConfigMgr 2012.
You can do a side-by-side migration, meaning you install ConfigMgr 2012, migrate all your packages to the new environment, and then migrate your clients.

This is not a problem however,  because ConfigMgr 2012 simply ROCKS!

So, let’s all get those ConfigMgr 2007 environments upgraded to 2012!

SMS Component Manager failed to install component SMS_PORTALWEB_CONTROL_MANAGER on server . The IIS ASP.NET is not registered correctly

May 10, 2012

When installing ConfigMgr 2012 on a site, I was looking at the Site Status node to check if all components were doing well.
This is located in the ConfigMgr Console under \Monitoring\Overview\System Status\Site Status
One component had a red X, specifically the Application Catalog Website Point Role.

Specific error messages were:

Site Component Manager failed to install component SMS_PORTALWEB_CONTROL_MANAGER on server .

The IIS ASP.NET is not registered correctly.
Solution: Review Microsoft Technet article located at: http://support.microsoft.com/kb/306005 to resolve the issue.

Wow, now that’s a pretty clear error message, even including a link to how to fix it.
Let’s see some more info about this though.
There is a specific logfile for this component, called SMSPORTALWEBsetup.log, which in a default installation is located under C:\Program Files\Microsoft Configuration Manager\Logs.

In this file, the following was shown

So, ASP.NET isn’t properly registered in IIS. And we know how to fix it.
Just run

"%windir%\Microsoft.NET\Framework\version\aspnet_regiis.exe" -i

Ehm, but what about the \version\ bit then?
There are no less than SIX versions of .NET present on this system:

Now which one to register?
It would make sense if it was the 4.0 version, since that is a new requirement in ConfigMgr 2012.
So, let’s do that one:

Hey waddayaknow? It worked.
The installation of the role finished nicely:

Thanks to Markus Baker, whose blog posting confirmed my findings. Was hard to find though, in German 🙂

Mobile Device Management in SCCM 2012 – Hands on (Part 2)

April 29, 2012

So, after connecting the SCCM 2012 server to Exchange and getting some info about devices through EAS, now it’s time to really get busy with Mobile Device Management.

In this posting I will show you how I set up the Mobile Device Enrollment, and actually got my old Windows Mobile 6.5 phone enrolled. W00t!

Starting point in this is this 10-step program to get your mobile devices managed in SCCM 2012.

The basic steps are:

  • Set up a working Microsoft PKI infrastructure
  • Install and configure certificates to SCCM servers
  • Install Enrollment Point Roles
  • Publish the Enrollment point so devices can contact it
  • Allow users to enroll their device

The first step is a tricky one already. Setting up a single issuing Root CA in a test environment is no big deal. But setting up a PROPER PKI Infrastructure is a whole different ballgame.

Since this is way out of scope for this post, I’ll just assume you’ve got a working PKI Infrastructure already. (hehe)

So, onto configuring the required certificates then.

I created a couple of new certificate templates:

Important note when creating these certificate templates and enabling them, is to use the “Windows Server 2003, Enterprise Edition” version.  That is the only supported version in ConfigMgr.

Oh, and don’t forget to configure a GPO for auto-enrollment of workstation certificates.

Well, after you get all the certificates created, enabled and installed, it’s time to configure them in ConfigMgr.

Yes, that’s step 5 of the 10 step program already 🙂

This involves first configuring the MP and DP to manage Mobile Devices, which basically means enabling https, allowing internet-based client access, and selecting certificates. And don’t forget to first configure the Site System on which these roles run, with an external FQDN.

Then the Distribution Point:

and finally the MP:

Then, onto step 6, installing the Enrollment Point Role, and the Enrollment Proxy Point Roles.

When adding these roles it is important to keep in mind that you must use the external FQDN that you will use for Device Enrollment.

After this, you can already access the website containing the Device Enrollment Agents:

This very basic page (what, not even a nice System Center logo??)  contains two links, to the Client Agent installers for Windows Mobile (.cab format) and for Nokia Symbian Belle (.sisx format)

Now, we fly to step 9, to configure the device settings for Mobile Devices

Here you can set things like which usergroup you want to allow to enroll their devices.

This is done in the Mobile Device Enrollment Policy:

Now, that’s it. Now to get the old Windows Mobile device charged up, and see what we can do with it.

In the next posting that is.

Mobile Device Management in SCCM 2012 – Hands on (part 1)

April 28, 2012

In SCCM 2012 there is a completely revised version of the Mobile Device Management part.

Sure, this was already there in SCCM 2007, but hey, would YOU want to “manage” ancient Windows CE or Windows Mobile 5.0 devices? I didn’t think so either. Also, in the SCCM 2007 era, Bring Your Own Device (BYOD) wasn’t as hot as it is today, with everyone wanting to bring in and use their own tablets, smartphones and laptops.

Now with SCCM 2012, there is proper support for BYOD. Yeah! For a nice overview of this, see this video of Principal Program manager Jeffrey Sutherland, talking about Mobile Device Management in SCCM 2012.

 

Light and Depth Management

We can define two types of device management in SCCM 2012:

-> Light Management <-

Working through Exchange ActiveSync, we leverage on the existing Exchange Device Policies, to do light management of the device (remote wipe, lockdown etc)

Why do we want this? It’s already in Exchange right?

Well, the Exchange admins might not be very concerned with specific end-users devices as they are with handling the mailflow, so this task may better fit with the desktop/enduser/device management team in your organization. They are the ones working with SCCM 2012, and they are the ones most interested in gathering information about, and managing the devices. Also, SCCM provides some very nice Reporting on these devices.

->In-Depth Management <-

The other type is the In-Depth Management of Mobile Devices

This does not work through EAS, but through two new SCCM Roles that have been introduced in SCCM 2012; the Enrollment Point and the Enrollment Proxy point.

In-depth management can be done in two ways;

– Enroll the mobile devices into SCCM by installing the Mobile Device Client on them. Only on supported mobile OS’s (currently WinMobile 6.1, 6.5 and Nokia Symbian Belle). Offers most features.

– Enroll the mobile devices into SCCM by installing the Legacy Mobile Device Client on them. Only on supported mobile OS’s, which currently are ancient WinCE 5, 6 and 7, and WinMo 6.0. Fewer features, but still way more options than with EAS.

For a good comparison of all features in all three scenarios (EAS, Mobile Device Client on device, and Legacy Mobile Device Client), see this page on Technet.

Note that both in-depth solutions require a PKI Infrastructure, because of the Certificates that are used on the devices!

So, more on the In-Depth part later, let’s first get the EAS connected. (Yes, you can also choose hybrid solutions, ie. managing with both EAS and through the Enrollment)

 

Configuration of Mobile Device Management through Exchange

So, how do we set this up?

First the prereqs: an Exchange 2010 SP1 server (or Exchange Online (Office 365)), a working SCCM 2012 server (duh), and a network connection between them.

Then we have to establish a connection between the SCCM server and the Exchange (CAS) server.

We click Add exchange server and get the wizard:

Specify the name of the Exchange CAS server…

Hey, look at this screen. A precise listing of the Exchange permissions that the connector account requires. I’d say this calls for a new RBAC Role in Exchange!

So, let’s first create a service account for this connection and assign the proper Exchange permissions to it.

Now I am going to be assigning Read-Only rights to this service account, ’cause I just want to get data from EAS about the devices, and not do any remote wiping. Which is by the way also how Microsoft IT did this (read here).

 

Then continue through the wizard:

I just set this to Weekly Full discovery, and Delta discovery twice a day.

So, after this wizard, the connection has been established with the CAS server.

 

As you can see, the path /powershell has been added to the targetpath of the Exchange server. Which makes sense, because all it really does is fire up PowerShell cmdlets against the CAS, to get information from it.

So, do we see any devices now?

First lets kick off a discovery cycle:

And behold:

 

Well that device has my name written all over it (tee-hee)

So, what can we do with it then?

Well, not an awful lot:

Wipe, Block, and.. hmm. well.

Let’s have a look at those Reports then:

Wow. That’s a lot of Reports Built-in. Very cool!

 

So far for this then.

Time to get really busy, and fire up an old Windows Mobile 6.5 phone, and start doing some real managing.

In the Next post that is.

 

SCCM 2012 – Boundary groups are REQUIRED in order for clients to locate DPs

April 13, 2012

If you have set up your new SCCM 2012 (test) environment, you might run into issues with clients not being able to locate required content on Distribution Points, for instance during an OSD TS.
When going into the smstslog logfile on the client, you will then see that no local DPs can be found (0x80040103, Could not access package content in the DP).
This happens when you have defined boundaries, but have not yet created a Boundary Group and added the boundaries to it.
Yes, this is a new feature compared to SCCM 2007, where defining boundaries was enough for clients in a site to locate content.
“Each boundary must be a member of a boundary group before a device on that boundary can identify an assigned site, or a content server such as a distribution point.”
See more information about Boundary Groups here