Friday 21 December 2012

Recommended WMI Hotfixes

Just a reminder post for myself more than anything...

TechNet Wiki page containing a list of Pre and Post SP1 Windows 7 and Windows 2008 R2 recommended WMI Hotfixes.

Thursday 20 December 2012

System Center 2012 Service Pack 1 RTM & Download

There have been bits of information floating around the internet over the last few days that System Center 2012 SP1 had gone RTM.

Like everything, people were sceptical as there was no official announcement, only a blog post on the DPM forums.

However, it had gone RTM internally and today saw it released to those with TechNet and MSDN subscriptions.


For those without TechNet or MSDN, chances are you will still have to wait another week or so until about the 3rd of January (rumoured).

Time to go update the lab!

Friday 14 December 2012

Installing the SCVMM (Non SP1) console on Windows 8

If you find yourself running the new swanky Windows 8 OS on your desktop that you use for administration, you might run into a problem with trying to install the System Center 2012 Virtual Machine Manager console for remote admin purposes.

When Service Pack 1 is released (very soon) this isn't too much of an issue, except when you may want to administer a non-SP1 SCVMM setup.

So, there's a "hack" to install the SCVMM console, without SP1, on a Windows 8 machine.

** Firstly - disclaimer - This is in no way shape or form supported and you are to run this at your own risk, it's not my responsibility if it kills your infrastructure!!! **

  1. Grab the SP1 Beta install folder for SCVMM and copy it locally to a folder called VMMSP1
  2. Copy the Non-SP1 install files locally too, to a folder called VMMNONSP1
  3. Rename the setup folder in either i386 or amd64 depending on your OS in the SP1 media to setupOrig.  In the screen shot below I've done this for the i386 folder.

  4. Copy the setup folder for the relevant OS (x86/x64) from the non-SP1 folder to the SP1 folder

  5. Edit the PrerequisiteInputFile1033.xml in the setup folder copied across to the SP1 folder and look for the Win7 section below:

    <LogicDelegate LogicType="or" DelegateId="OSVersion-win7-Fail"

  6. Add this new section underneath the Win7 section:

    <LogicDelegate LogicType="or" DelegateId="OSVersion-win8-Fail"

  7. Go back to the root level for the OS "bitness" you're doing this for and run SetupVMM.exe

  8. Don't worry when you see the splash screen as this will still say SP1, just click "Install"

  9. This will then launch the Non-SP1 install and allow you to step through the options as normal to install the admin console.

As I said before, use this at your own risk and test fully in a lab environment first.  I will not be held responsible for what may go wrong, there's probably a reason Microsoft blocks the install, but I've always hated to be told no so had to try this.

Thanks to Dirk Flakowski for getting me side-tracked on this one today!

System Center 2012 Endpoint Protection Cookbook Review

The publisher of the Service Manager Cookbook that I was a co-author on have a variety of different cookbooks also on the topic of System Center 2012. 
One of these is the cookbook for Endpoint Protection which is a component of the System Center 2012 suite and delivered and managed by System Center 2012 Configuration Manager.

I've never been the fastest of readers and I mentioned a while back I'd post a review on this.

If you’ve had experience in the past with either Forefront Endpoint Protection, Microsoft Security Essentials or the new built in Windows Defender in Windows 8 then you may recognise the interface for SCEP, but instead of it being a standalone product like previous versions, this release is heavily integrated into ConfigMgr.  This provides you a single pane of glass approach to both settings and compliance management and AV/Malware security.


The Book
Author: Andrew Plue
Reviewers: Nicolai Henriksen (SCCM MVP), Matthew Hudson (SCCM MVP) and Stephan Wibier

The book is broken down into the following chapters:
  • Chapter 1 - Getting Started with Client-Side Endpoint Protection Tasks
    Provides a number of recipes for performing tasks at the local client level, such as forcing a definition update or modifying the SCEP client policy.
  • Chapter 2 - Planning and Rolling Installation
    This will walk you through some of the considerations you will need to make before deploying SCEP, as well as showing you how to enable the SCEP role on your SCCM server.
  • Chapter 3 - SCEP Configuration
    This will show you recipes for performing essential tasks, such as configuring SCEP policies and alerts, as well as walking you through the process of setting up SCEP's reporting features.
  • Chapter 4 - Client Deployment Preparation and Deployment
    This includes a number of recipes to assist you with every step of client deployment from preparation to actually deploying the clients.
  • Chapter 5 - Common Tasks
    This covers a number of day-to-day tasks that every SCEP administrator will need to know how to do correctly in order to keep SCEP healthy and your Endpoints protected from malware.
  • Chapter 6 - Management Tasks
    This covers important high level tasks, such as using policy templates, merging policies, and responding to SCEP alerts.
  • Chapter 7 - Reporting
    This takes a deep dive into the reporting capabilities offered with SCEP. You will be shown how to execute reports, as well as provide access to reports. You will also be shown how to create your own custom reports.
  • Chapter 8 - Troubleshooting
    This provides you with some tools to assist you with the time-consuming effort of troubleshooting an anti-malware product. The recipes in this chapter will help you deal with Definition Update issues, as well as how to approach false positives.
  • Chapter 9 - Building an SCCM 2012 Lab
    This is a great chapter for anyone who has not yet taken the plunge on SCCM 2012. There is just a single recipe in the chapter that will show you the quickest down-and-dirty method for standing up an SCCM 2012 server in a lab environment. This is vital to anyone considering deploying SCEP, because with the total integration of SCEP with SCCM 2012, you can't experience SCEP without an SCCM environment.
Also the Appendix includes some really good info around integrating SCEP with Operations Manager (SCOM) for monitoring, some information around the version of Endpoint Protection used with Intune (Microsoft’s cloud based device management solution) and some deployment checklists which are useful.

While I’ve been using Configuration Manager for years, SCEP has always been something that I’ve only lightly touched on as it’s been something that I would do the initial planning and setup for and then hand over to the customer's security teams to manage longer term.

Being able to have a complete reference guide to hand that not only validates and refreshes my installation approach but then expands on the longer term configuration and management is great.

For those attempting to put this in from scratch it’s ideal as it can accelerate your deployment and hopefully avoid you making some common mistakes that could be costly in the long run.

Little nuggets throughout such as the MpCmdRun.exe usage for remote/local admin tasks are so cool and open up avenues such as creating ConfigMgr packages to restore files from quarantine quickly in case of mistakenly captured files.

As always, you can order the book in 'dead tree' format from Amazon here or in Kindle format from here.

There’s also the option of purchasing from Packt directly and I’d recommend signing up for their library (free signup) where you can manage/download your purchases in various formats and while you’re there, why not purchase the Service Manager Cookbook too!

Monday 10 December 2012

Print Server Management Pack - Finally Updated!

Microsoft released the other day an update for the Print Server management pack, finally!

I've moaned about Microsoft's attitude towards this management pack for some time.

The quick fix MP for 2008 R2 that myself and Rob Ryan (he did most of the work...) created is no longer available as his blog is currently down.  However, Kevin Holman created a better one that was preferable to use anyway.

But back to the here and now... MS have an updated MP available for Microsoft Print Servers.

From the MP Documentation it appears that not only is Server 2012 now supported, but finally 2008 R2 is as well.

Going through the Import MP Wizard and searching the catalogue will at present not get you access to the new Print MP as it doesn't yet seem to be updated.

That's not always a bad thing however as I would always recommend downloading the MP manually otherwise you may miss the associated MP Guide document.  As always with SCOM MPs, RTFM first before import!!

*Update 11/12/12 - Apparently the catalogue has now been updated, thanks for the heads up Daniel Savage*

*Update #2 11/12/12 - Confirmed, the catalogue has now been updated*

The MP can also be downloaded from here:

Surprisingly, this MP is only listed as an Operations Manager 2007 R2 MP.

This is slightly strange with them adding Print Server monitoring on Server 2012 since monitoring Server 2012 with SCOM 2007 R2 isn't supported natively, well not without running 2012 Agents reporting back to your 2007 R2 Management Servers.

I've downloaded it anyway to test with SCOM 2012 and on first try of importing, I'm presented with an error that a dependent MP for the Print Server 2003 MP is missing.

This is fine though, it's only because I've not got any of the Windows 2003 MP's in my environment, after all who still uses Server 2003?  (I am joking before anyone comments!)

Import works fine on SCOM 2012.


After import there's plenty of Discoveries, Monitors and Rules...

Notice there's no reference to 2008 R2?

Well in the 2008 Print Server MP the discovery ran this WMI query:

    SELECT Name FROM Win32_ServerFeature WHERE Name = "Print Services"

Kevin Holman's addendum MP changed this to the following query, which then discovered 2008 R2 print services roles:

    SELECT Name FROM Win32_ServerFeature WHERE Name = "Print Services" OR Name = "Print and Document Services"

Well the discovery for 2008 R2 is contained within the 2008 MP and now looks like this:

    SELECT Name FROM Win32_ServerFeature WHERE ID = 7

Easy little change and simpler than listing specific names as it covers both 2008 & 2008 R2 regardless of the specific name.

This link shows all Win32_ServerFeature ID's:

The same WMI query is also used in the 2012 MP which should mean if any name changes are made in an R2 release of 2012 the MP should carry on working.
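To see which of the three discovery queries above would actually pick up a given server, they can be run side by side. This is an added example, not code from the management pack or the original post; the function name Test-PrintServerDiscovery and the labels in the table are made up for illustration.

```powershell
# Added example: run the three discovery queries quoted in this post against one or more servers.
$discoveryQueries = @(
    @{ Source = '2008 MP (original)';    Wql = 'SELECT Name FROM Win32_ServerFeature WHERE Name = "Print Services"' },
    @{ Source = 'Kevin Holman addendum'; Wql = 'SELECT Name FROM Win32_ServerFeature WHERE Name = "Print Services" OR Name = "Print and Document Services"' },
    @{ Source = 'Updated MP';            Wql = 'SELECT Name FROM Win32_ServerFeature WHERE ID = 7' }
)

function Test-PrintServerDiscovery {
    # Hypothetical helper: returns one row per computer and query.
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($computer in $ComputerName) {
        foreach ($q in $discoveryQueries) {
            try {
                # @() forces an array so .Count works for zero, one or many results.
                $hit = @(Get-WmiObject -ComputerName $computer -Query $q.Wql -ErrorAction Stop)
                $result = if ($hit.Count -gt 0) { "Discovered ($($hit[0].Name))" } else { 'Not discovered' }
            }
            catch {
                # Win32_ServerFeature only exists on server operating systems;
                # client OSes and unreachable hosts end up here instead of silently reporting "not discovered".
                $result = "Query failed: $($_.Exception.Message)"
            }
            New-Object PSObject -Property @{ Computer = $computer; Source = $q.Source; Result = $result }
        }
    }
}

Test-PrintServerDiscovery | Format-Table Computer, Source, Result -AutoSize
```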

I was going to run a difference compare against the old and the new MP, but I seem to have misplaced my old copy of the MP.  As soon as I can get my hands on one I'll run one and update the post.

*Update 11/12/12*
I'll also retract my previous comment (below) as it was rather harsh and actually untrue.  Now that I've done more than skim the MP guide, it does contain numerous references to 2008 R2 /facepalm.
So much for taking my own RTFM advice...

As mentioned by Daniel Savage in the comments, the MP Guide includes all rules etc stored within the MP for reference.

In short, it appears at first glance to run ok on SCOM 2012, but requires more testing.  I think it's probably just laziness on Microsoft's part that they couldn't be bothered to re-write the MP guide completely and just chose to add references to Server 2012 only rather than go back and add 2008 R2, which to be honest wouldn't add much value as it's 99.9% the same monitoring as plain 2008.

Saturday 1 December 2012

Configuration Manager and 1E

This is an old post (July 2012) that I never got round to finishing and posting as I was typing it up during the session.  It's readable (just about) and would be a shame just to bin so I thought I'd just post it RAW anyway...

I'm in Reading today for a ConfigMgr day with Wally Mead which is sponsored by 1E.

So 1E kick off the event with a session on who they are and beating records on deploying Win 7.
A quick poll of the room shows lots of people migrating to Windows 7 but few are finding it a quick or easy job.
Application packaging and compatibility seems to be the biggest problem for people and then the scope/number of devices to upgrade.

1E tend to see some of these challenges:
  • Data Transfer - Terabytes daily - Business app impact?
  • Many locations - Many servers/site visits
  • Many Applications - Rationalisation exercise?
  • Migration Schedules - End user disruption
  • Complex Project - People, time, resources and associated costs.

Where 1E can add value are:
  • User driven processes - increase satisfaction
  • Remove legacy software
  • Minimise infrastructure requirements
  • Tame complex projects and scenarios

1E feel that Windows 7 migration projects shouldn't be treated as "special projects" but should be considered as a business as usual project which is perfectly in line with how myself and Trustmarque approach Desktop Migration projects.
This is with the view of keeping skills in house, building processes and skill sets so that next time round for example Windows 8 can be smoothly rolled out with the infrastructure, methods and skills already in-place.

1E used Verizon as an example where they helped migrate around 90,000 devices.

1E Solution Set:
Shopping + AppClarity + Nomad

Example Nomad implementation - reduced 76 Sites, 1 Cent, 12 Primary, 63 Sec, 98 Dist

Nomad Features were demoed:
  • USMT utilising peer to peer for storage
  • PXE anywhere - No server requirement, use local client peers to auto elect one and use that as a PXE deployment point.  Keep OSD imaging within the local subnet and reduce network traffic.
1E can help with record breaking deployments:
Speed - Terabytes of data with zero business impact
Flexibility -

Bypass Corporate WSUS for update check

I've had an issue a couple of times now when testing/running Windows 8 in an environment where group policy enforces WSUS settings causing a problem as the WSUS server hasn't been updated to support Windows 8 clients or hasn't had the required updates published.

Sometimes this can easily be got around by simply clicking the "Check online for updates from Windows Update" link, however this was removed by GPO in these cases.

In these cases I've had to fall back to using this simple batch file script:

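    REM Tell the Windows Update client to ignore the WSUS server set by policy
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v UseWUServer /t REG_DWORD /d 0 /f
    REM Restart the Windows Update service so it picks up the change
    net stop "Windows Update"
    net start "Windows Update"
    REM Open the Windows Update control panel
    control /name Microsoft.WindowsUpdate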

After running this batch file, you can run Windows Update as normal and it will go directly to Windows Updates to check.

This is obviously not something a normal "user" should use, but then they shouldn't have the access rights to run this anyway!  Neither is it a permanent workaround, just a quick fix while the WSUS server is updated to provide Windows 8 updates.
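To confirm afterwards whether a machine is still bypassing WSUS, and to put the setting back once the WSUS server is ready, something like the following can be used. This is an added example, not part of the original post; the function names Get-WsusBypassState and Restore-WsusPolicy are made up for illustration, and it assumes the policy-set WUServer value lives in the parent WindowsUpdate key and that the restore is run elevated.

```powershell
# Added example: audit and undo the temporary WSUS bypass made by the batch file above.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Get-WsusBypassState {
    # WUServer names the corporate WSUS server; UseWUServer says whether the client uses it.
    $wuServer = (Get-ItemProperty -Path $wuKey -Name WUServer -ErrorAction SilentlyContinue).WUServer
    $useWu    = (Get-ItemProperty -Path $auKey -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer

    if (-not $wuServer) { return 'NoWsusPolicy' }   # no WSUS server configured, nothing to bypass
    if ($useWu -eq 1)   { return 'UsingWsus' }      # policy is in effect
    return 'Bypassed'                               # WSUS configured but UseWUServer is 0 or missing
}

function Restore-WsusPolicy {
    # Reverse the REG ADD from the batch file (the AU key already exists because the batch file wrote to it).
    Set-ItemProperty -Path $auKey -Name UseWUServer -Value 1 -Type DWord
    # wuauserv is the service name behind the "Windows Update" display name.
    Restart-Service -Name wuauserv
    # Ask Group Policy to reapply computer settings as well.
    gpupdate /target:computer /force | Out-Null
    Get-WsusBypassState
}

$state = Get-WsusBypassState
Write-Output "WSUS state on $env:COMPUTERNAME : $state"
```

Run `Restore-WsusPolicy` from an elevated prompt when the state comes back as `Bypassed` and the WSUS server has been updated.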

Previous blog post on preparing WSUS for Windows 8/Server 2012:

Error when creating MDT Packages for ConfigMgr 2012

Recently I ran into an error while creating the MDT 2012 packages for use with ConfigMgr, unfortunately the error message was not the most useful one to be seen...

Ok, so access to the path is denied... but what's the path that it's trying to access???

This occurs when stepping through creating a new MDT task sequence and selecting to create new packages for the first time and unfortunately you have to re-step through all of the wizard options from scratch each time while trying to troubleshoot.

Anyway, long story short, running Process Monitor while trying to create the packages showed it failing while trying to create an autorun.inf as part of the MDT Package.

While the screen shot above shows a successfully built package, the folder we were seeing contained a temp file only.
A bit more digging narrowed it down to McAfee Anti-Virus running on the server that was blocking the creation of Autorun.inf files.  Strangely enough though it didn't block the MDT installer or the creating of the deployment share.
After messing with disabling the AV and stopping services to prevent the ePO restarting the AV we ran through the MDT Task Sequence wizard again and it installed successfully.

I suppose I should have paid more attention to the note by Michael Niehaus on this old blog post for MDT 2010 Update 1