Archive for the ‘SCCM’ Category

Can we use Windows Azure SQL Databases for ConfigMgr 2012?

January 20, 2014


This question popped up when i was doing a demo ConfigMgr environment, running completely in Windows Azure.

Simple setup, All ConfigMgr roles on a single server, including local SQL DB.

For this, i used an  “A5” VM instance, which has 2 vCpu cores and 14 GB of RAM.

For storing the data, i attached a “persistent disk” , as that is storage that is guaranteed to remain persistent after reboot (don’t use the temp-disk!)


Now this is a costly machine, as running an A5 VM costs about 220 euros per month. (pricing)

And this is only the running of the VM, not taking into account the storage costs, download traffic costs, etc.

Now storage and download bandwidth are pretty cheap in Azure, compared to the computing costs.  But still, can we save money somewhere?

Cutting costs

So, can we cut the costs somehow? Do we need 2 cores and 14 GB of RAM?

The major reason for this amount of RAM is running the SQL server locally. If we could move that somewhere else, a “medium VM” with 2 cores and 3,5 GB would be sufficient.

This type of VM only costs about €100 per month. Quick saving, right?

Azure SQL

So, Azure also offers SQL Database services. And a lot cheaper (a default 5 GB CM database would cost about €20 per month)But are they suitable for running a ConfigMgr 2012 database?

Let’s compare the ConfigMgr Database Requirements, and the specifications for Azure SQL Databases.


-1:  “At each site both the instance of SQL Server that is used for the site database and the site database must use the following collation: SQL_Latin1_General_CP1_CI_AS.”

Well, that doesn’t seem to be a problem. Although the site database cannot be configured in Azure (because it uses a shared sql server of course), the default collation for new databases is SQL_Latin1_General_CP1_CI_AS. Which suggests that the Instance is also using that collation, but we cannot be sure at this point.

-2: “Configuration Manager requires Windows authentication to validate connections to the database.”

Whoops. That is a problem, since Azure does not support this. (Windows Authentication is not supported)

The Verdict

For those wondering if we can use Azure SQL DB services for hosting a ConfigMgr database:

– No, you cannot.


Tip: Do not change the default installation location for ConfigMgr 2012

December 11, 2013

When you specify a different installation location for ConfigMgr 2012 when installing your siteserver or server with MP role, you might get into some trouble.
It seems that some components are very attached to the default “C:\Program Files\Microsoft Configuration Manager” folder.

Error 1: when installing smsmmp, the installation is unable to create the SMS_CCM folder underneath the “Microsoft Configuration Manager” folder, and thus fails the smsmp.msi install with vague error 1603.
“mp.msi exited with return code: 1603″
Fatal MSI error – mp.msi could not be installed”
Also the BGBsetup.msi fails, with the same errors.
After manually creating this folder, the install of the MP role and the BGB succeeds.

Error 2: after installing the bgb role, its registration with .Net 4 fails.
The Error in BgbSetup.Log says:
“Fatal MSI Error – bgbisapi.msi could not be installed”
And a little bit above that:
“CTool::RegisterComPlusSErvice: Failed to register E:\Program Files\Microsoft Configuration Manager\bin\x64\microsoft.configurationmanager.bgbserverchannel.dll with .Net FX 4.0”

This is also due to the files being installed in a different location, which the Regsvc.exe of .Net FW doesn’t like.
In order to fix this, you have to modify 2 files in your .Net FW folder (probably C:\Windows\Microsoft.NET\Framework64\v4.0.30319)
Modify InstallUtil.exe.config and Regsvc.exe.config
Add the following text to these files, just below the “configuration” bit: (remove the <Code> tags, i included them to keep WordPress from removing my code)


<loadFromRemoteSources enabled=”true”/>


After saving these file, retry the configuration of bgb by stopping and starting the SMS_SITE_COMPONENT_MANAGER.
This will re-trigger the configuration of the Client Notification Service, and this time, the registration with .Net FW 4.0 will succeed.

If you have problems editing these files, check this post

ConfigMgr Clients not receiving any advertisements – unapproved / blocked?

August 17, 2013

On a freshly upgraded ConfigMGr 2012 SP1 environment, a customer noticed that machines did not get any advertisements anymore.  I was called in to investigate what happened.

I noticed the following:

– The machines were listed as members of the All Systems Collection.

– An OSD Task Sequence had been deployed to the All Systems Collections, making it available to only Media and PXE (not to configmgr clients).

Still, the machines they mentioned did not pick up any advertisements when booted through PXE.

However, other machines that were part of the All Systems collection, DID get the advertisement.

It turned out that the systems that did not get the advertisements, had not been added to the domain properly. Therefore, they had not automatically been approved in ConfigMgr, and were not allowed to access the ConfigMgr Site.

The analysis

I have reconstructed this in my lab environment, to show you what this looks like.

First, i installed a Windows 7 machine, adding it to a workgroup instead of to the domain. Then installed the ConfigMgr client, using the parameters /SMSMP=<my MP name> and /SMSSITECODE=<name of my ConfigMgr site>.

After this, the machine showed up in ConfigMGr in the All Systems Collection as Windowsclient-3:


Now when you would just look at this, you would think it is a member of the All Systems collection, and therefore would get all the advertisements (or deployments) that are targeted to this collection, right?

Well, no.

Let’s add some more columns to this view; rightclick the title bar, and you get a list of columns you can add to the view:


Let’s add the Approved and Domain columns;

unapproved-3Now we can clearly see that windowsclient-3 is not a member of the domain, and therefore also not approved.

Well, not automatically anyway. This is something we configure in the Site Hierarchie Settings:

unapproved-4As you can see, by default only computers that are member of the same domain, or a trusted domain are automatically approved.

Since the windowsclient-3 machine is not in any domain, but in a workgroup, it is not approved.

With it being “Not approved”, it is also denied access to Site content, like policy and Files.

So, although the system is listed in the All Systems collection, it will not get any Deployments advertised.

If i PXE boot the client:

unapproved-5Sorry, no OSD for you 🙂

On the machine itself, we see the following in the ConfigMgr Client:



On the “Actions”, we can see by the limited number of cycles available, that only the core client is installed, and no policy has been retrieved yet.

If we look through the client log files we see that it can contact the MP (since we specified this during client installation), but it will get no policy from it.

Also, it cannot contact find information about available MPs from Active Directory, since it is not a domain member.

So, the only thing it can do now, is to keep contacting its MP, and hope for Approval 🙂

Now, let’s Approve the client in the ConfigMgr Console, and see what happens.

Rightclick the machine and select “Approve”


Are we sure? :p


Now, a reboot of the client to speed things up, and a Machine Policy Retrieval later, the clients starts working, and then:

unapproved-10Well this looks better 🙂

And there we get the policy assigned to the collections:

unapproved-11See the “Software changes are required” balloon pop up in the corner?

Yes, this is one happy client now 🙂


SMS Component Manager failed to install component SMS_PORTALWEB_CONTROL_MANAGER on server . The IIS ASP.NET is not registered correctly

May 10, 2012

When installing ConfigMgr 2012 on a site, i was looking at the Site Status node to check if all components were doing good.
This is located in the ConfigMgr Console under \Monitoring\Overview\System Status\Site Status
One component had a red X, specifically the Application Catalog Website Point Role.

Specific error messages were:

Site Component Manager failed to install component SMS_PORTALWEB_CONTROL_MANAGER on server .

The IIS ASP.NET is not registered correctly.
Solution: Review Microsoft Technet article located at: to resolve the issue.

Wow, now that’s a pretty clear errormessage, even including a link how to fix it.
Lets see some more info about this though.
There is a specific logfile for this component, called SMSPORTALWEBsetup.log, which in a default installation is located under C:\Program Files\Microsoft Configuration Manager\Logs.

In this file, the following was shown

So, ASP.NET isn’t properly registered in IIS. And we know how to fix it.
Just run

%windir%\Microsoft.NET\Framework\version\aspnet_regiis.exe” -i

Ehm, but what about the \version\ bit then?
There are no less then SIX versions of .NET present on this system:

Now which one to register?
It would make sense it it was the 4.0 version, since that is a new requirement in ConfigMgr 2012.
So, lets do that one:

Hey waddayaknow? It worked.
The installation of the role finished nicely:

Thanks to Markus Baker, whose blog posting confirmed my findings. Was hard to find though, in German 🙂

SCCM 2012 RTM PXE not working… Warning: Matching Processor Architecture Boot Image (0) not found

April 8, 2012

So, i am working on setting up a System Center 2012 RTM test environment, all in VMware Workstation, on a 16 GB Dell Precision M4600 laptop.
After setting up a 2008 R2 SP1 DC and a 2008 R2 SP1 CU4 SQL Server, i started with my favourite product, Configuration Manager.
After the initial installation and some basic configuration of Boundaries, Service accounts, and Server Roles, i was ready for my first OSD TS.

However, when booting my test client (vmware workstation) for PXE boot, i didn’t receive any boot file name.

Into the logs then! The smspxe.log logfile on the SCCM 2012 server showed the following error:

Okay, that’s weird. After checking that the 2 default boot images (x86 and x64) were properly distributed to the DP, i opened the boot images themselves.
Clicking around on them i found this setting:
So, that’s a new one. Appearantly you have to explicitly enable a boot image to be used on a PXE service point.

Lets see the documentation on Technet about this new feature:Click here and then expand the item “To Modify the Properties of a Boot image”.
Here we see the option mentioned.
And some more information here, in the section “Distributing Boot Images to the Distribution Point
Basically when you make the Boot Images availiable to a DP, they are only copied to the DP folders, and not to the Reminst share, which is used for PXE deployment.

Black screen on HP ProBook 4730s

December 22, 2011

Just rolled out Windows 7 SP1 image to HP ProBook 4730s.
Downloaded drivers from hp site
This laptop contains not one, but two videoadapters.
One is an Ati Radeon HD 6490M, the other an Intel HD 3000 IGP.
This dual video technology is what AMD calls Switchable Graphics Technology
Looks nice, whith automatic switching between video-adapters when needed. But during OSD with SCCM, this poses a problem.
After the drivers have loaded, the screen stays black.
You can however, connect to the pc using RDP, and when opening devicemanager, both display-adapters show perfectly installed, with the correct drivers. But still, only a black screen.
Tried the previous version of the driver, (8.840.7.0 instead of the newer 8.840.7.1000) but still no dice.
I imagine there is some problem with sccm/windows figuring out which display adapter to send the information to…
So finally i disabled all display drivers for this model in SCCM, so i would get only the native windows 7 drivers.
After that i got some display on screen, although in default vga, but hey, better that than nothing.

I then found out that when you disable the adapter switching in the BIOS, the OSD imaging goes smooth.
Basically what you’re doing then is disabling the Ati video adapter.
It then finds the Intel HD IGP, installs the driver, and voila.
How to disable this adapter switching?
Reboot laptop, press F10 to enter the BIOS, choose the tab called System Configuration, choose Device Configurations, and scroll all the way down to “Switchable Graphics”.
Put this on “No”, save, and reboot.

SCCM OSD fails failed to set administrator password

November 17, 2011

Problem: a reference computer used for taking image captures starts failing when re-imaging it with a OSD task sequence, it hangs on the “set local admin password” step.
But when i acknowledge the error (click ok) it continues the TS and finishes properly. I don’t even have to type the new password manually or anything, just clicking OK on the error is enough.

So after the TS was done, checked out the c:\windows\setuperr.log file and it contained the following:

Setup was unable to change the password for user account Administrator using the encrypted password apecified because of the following error:
SetLocalUserEncryptedPassword(Administrator) returned error 1325 (52d).

Looked up the error here and it reads

Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.

Since the computer is not domain joined at the time of capturing, it must be a local password policy thing. I think it has been set so restrictive while being a member of the domain, and this settings is maintained after disjoining from the domain.
And since the machine has been sysprepped before, the might be a problem.

So i fired up gpedit.msc locally BEFORE the next image capture task and set the password policies to 0 characters, no restrictions whatsover, not on length, complexity, or password history.

and another problem was solved :p

By the way, i never set the local admin password to before running the OSD Capture Sequence, because that step is done by the “Prepare Windows for Capture” TS step, as can be read here

SCCM: Unattended installation of program using Run with Administrative Rights not working…

October 11, 2011

I tried to deploy a program using SCCM, during an OSD Task Sequence.
The program was actually a batch file which called upon an installer with a couple of parameters like /silent and such.

The installation of this program failed, even when i created a seperate Advertisement for Software Distribution for this program and ran it within windows.
But, when i browsed to c:\windows\system32\ccm\cache\ and manually fired up the installation, it did run.
So the syntax of the program installation was correct, but the program just did not want to run/install under the system account.
It probably needed some sort of user feedback or such.

So in the properties of the Program, on the Environment tab i checked the box on “Allow users to interact with this program” .
And now the installation of the program worked just fine.
But when you select that option, you can no longer select the program to be used in a Task Sequence.
After all, everything in a TS has to be run automatically, silent and without user intervention.
Then i found this post, which basically deals with the same issue of having a program that only runs when you allow users to interact, but you want to use it in a Task Sequence.

So i added a “Run Command Line” step to the TS, included the program package in it, and voila.
The command line simply contained the content of the batch file.

Problem joining computer to domain in SCCM OSD TS

October 11, 2011

In an SCCM OSD Task Sequence i had put in the step to join the computer to a domain, using a low-priviliged account.
This special serviceaccount had been granted the right to join computers to the domain, by using the Delation of Control wizard in ADUC. (Active Directory Users and Computers)
This worked fine the first time the computer was imaged.

The second time during imaging however, the domainjoining step failed.

When i tried to manually join the system to the domain afterwards, using the credentials of the serviceaccount, i got an “Access is denied” error.

So a little googling turned up with this KB arcticle, which mentioned exactly this problem.

It turns out that when you use the standard Delegation of Control wizard to grant someone the right to join computers to the domain, this does not include the resetting of the computer password, which is exactly what is done when you re-install a computer that was already joined to a domain.
By following the steps in the KB article and granting additional rights to the account, everything worked fine.

Quickly removing all packages from distribution point

October 11, 2011

How to quickly remove all sccm packages from one or more DPs? Either by clicking each package and going through the Manage Distribution Point Wizard to remove it from a DP, but that takes too long when we’re talking about 100+ packages.
Fortunately, someone ( Cory Becht) built a nice little tool for this : get it here