Cumulative Update (CU1) Pack for System Center 2012 Configuration Manager Service Pack 1 (SP1)

Microsoft has released the first Cumulative Update (CU1) Pack for System Center 2012 Configuration Manager Service Pack 1 (SP1).

This CU1 is available here!

An overview:

Issues that are fixed

Administrator Console

  • A Discovery Data Record (DDR) that contains organizational unit (OU) paths longer than 220 characters is not processed. The DDM.log file on the site server contains messages that resemble the following:

    CDiscoverySource::ValidateSchema – array property User OU Name cannot expand size so rejecting.
    CDiscoverDataManager::ProcessDDRs – Unable to update data source.

  • The Allow clients to use a fallback source location for content option is missing from the Distribution Points tab of the package properties.

Site systems

  • Replication Configuration Manager incorrectly reports the link status as Degraded and then reports the status as Active one minute later.
  • Site replication fails after a site database is restored to a new server. Additionally, the Rcmctrl.log file contains the following error message:

ERROR: Received unhandled SQL exception, printing info and throwing it again. This will be retried in next cycle.
SqlException number: [8115]
ERROR: Exception message: [Arithmetic overflow error converting expression to data type int.~~The ‘spGetChangeTrackingMinValidVersion’ procedure attempted to return a status of NULL, which is not allowed. A status of 0 will be returned instead.]


Device management

  • The Configuration Manager client cannot be installed on devices that contain newer ARM processors. Additionally, the following error message is logged in the DmClientSetup log file:

    Fail to get the CAB file name because of unsupported processor type: 0

Software updates

  • The Allow clients to share content with other clients on the same subnet option in the properties of a Software Update Group Deployment is ignored. Additionally, the DataTransferService.log file contains the following message:

    Not using branch cache option.

  • When a custom port is configured for software updates, an Internet-only client may append the custom port to the URL for the Windows Update service. Additionally, when the custom port is set to 880, log entries that resemble the following may be logged in the DataTransferService.log file:

    UpdateURLWithTransportSettings(): OLD URL – http://download.windowsupdate.com/msdownload/update.cab

    UpdateURLWithTransportSettings(): NEW URL – http://download.windowsupdate.com:880/msdownload/update.cab

  • The Schedule Updates Wizard does not list content for Windows Server 2012. For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:

    2793237 FIX: The Schedule Updates Wizard does not list content for Windows Server 2012 in System Center 2012 Configuration Manager Service Pack 1

Client

  • The MicrosoftPolicyPlatformSetup.msi file is now correctly signed.
  • The selection of multiple targeted applications in Software Center will fail if the calendar region is set to Arabic (Saudi Arabia). Additionally, Software Center displays the following error message:

    Software Center cannot be loaded. There is a problem loading the required components for Software Center. You can try launching Software Center at a later time. If the problem continues, you can contact your helpdesk.

  • The hardware inventory on a computer that is running a 32-bit version of Windows Server 2003 R2 may cause the Wmiprvse.exe process to exit unexpectedly. Additionally, when you view the results of the fault, the details of the fault resemble the following:

    Faulting application wmiprvse.exe, version 5.2.3790.4455, faulting module msvcr90.dll, version 9.0.30729.6161, fault address 0x00056b1d

  • PXE support is added for IA-32 EFI computers.

PowerShell

  • When the Clear-CMPxeDeployment cmdlet is run, you receive the following error message:

    The method or operation is not implemented.

  • When the Update-CMDistributionPoint -DeploymentTypeName cmdlet is run, you receive the following error message:

    Key not Found Exception.

  • When the New-CMDeviceCollection cmdlet is run, the refreshschedule parameter is not defined in the NewByLimitName parameter set.
  • When the New-CMDeviceCollection cmdlet is run together with the LimitingCollectionName option, the cmdlet is unsuccessful. Additionally, you receive the following error message:

    Unable to cast object of type 'Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlArrayItems' to type 'System.Management.ManagementBaseObject'.

  • When the .GetType method is used for the object that is returned by the New-CMSchedule cmdlet, the method is unsuccessful. Additionally, you receive the following error message:

    The adapter cannot get property “GetType” for instance of SMS_ST_RecurInterval.

  • When the Import-CMComputerInformation -CollectionName "All Systems" -ComputerName "Computer01" -MacAddress "xx:xx:xx:xx:xx:xx" command is run, the command is unsuccessful. Additionally, you receive the following error message:

    WARNING: The collection All Systems does not exist or is not suitable for adding the new device.

Functionality that is updated

PowerShell

Help for PowerShell is updated for the cmdlets that are included in Configuration Manager Service Pack 1 and in this cumulative update. In a PowerShell environment, use the Update-Help -Module ConfigurationManager cmdlet to retrieve the latest Help information from Microsoft.

The following cmdlets are added to the PowerShell module:

  • Add-CMDistributionPoint
  • Import-CMAntiMalwarePolicy
  • Import-CMDriver
  • New-CMAppVVirtualEnvironment
  • New-CMMigrationJob
  • New-CMPackage
  • New-CMSoftwareUpdateAutoDeploymentRule
  • New-CMTaskSequence
  • New-CMTaskSequenceInstallUpdateAction
  • New-CMTaskSequenceMedia
  • New-CMUserDataAndProfileConfigurationItem
  • Remove-CMTaskSequenceInstallUpdateAction
  • Set-CMTaskSequenceGroup
  • New-CMTaskSequenceGroup
  • Remove-CMTaskSequenceGroup
  • Set-CMApplicationCatalogWebsitePoint
  • Set-CMAppVVirtualEnvironment
  • Set-CMClientPushInstallation
  • Set-CMClientSetting
  • Set-CMDistributionPoint
  • Set-CMDriver
  • Set-CMEndpointProtectionPoint
  • Set-CMEnrollmentPoint
  • Set-CMEnrollmentProxyPoint
  • Set-CMHierarchySetting
  • Set-CMManagementPointComponent
  • Set-CMOperatingSystemImageUpdateSchedule
  • Set-CMOutOfBandManagementComponent
  • Set-CMReportingServicePoint
  • Set-CMSite
  • Set-CMSoftwareUpdateAutoDeploymentRule
  • Set-CMSoftwareUpdatePointComponent
  • Set-CMStateMigrationPoint
  • Set-CMStatusSummarizer
  • Set-CMSystemHealthValidatorPointComponent
  • Set-CMTaskSequence
  • Set-CMTaskSequenceInstallUpdateAction
  • Set-CMUserDataAndProfileConfigurationItem
  • Start-CMDistributionPointUpgrade

Logon Process Citrix XenApp

While working with the ComTrade Management Pack (XenApp) for OpsMgr 2012 there was an alert about the User Logon Process.

The alert:

Well, okay, that takes a while!

But what are the phases they talk about?

PHASE 1: USER PROFILE LOADING

The phase starts just after the user credentials are validated and lasts until the profile is downloaded from the profile storage (network share).
Reasons for slow logon phase can be:

  • issues with network and profile storage availability;
  • high network load;
  • big profile size;
  • first time use of this profile on the server (the cached version of the roaming profile does not exist);
  • corrupted profile.

It is also worth monitoring Windows user profiles for the presence and amount of specific file categories: executable files, media files, and custom files.
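Here is a quick way to get those numbers. This is an added example, not part of the original post or of the ComTrade management pack; which extensions count as executable or media, the 50 MB threshold and the C:\Users path are my assumptions.

```powershell
# Added example (not from the original post or the ComTrade management pack): inventory
# a profile by file category, as the phase-1 advice suggests, so profile bloat and stray
# executables are visible before they show up as slow logons.
function Get-ProfileInventory {
    param(
        [Parameter(Mandatory = $true)] [string] $ProfilePath,
        # Which extensions count as "executable" and "media" is an assumption; adjust to taste.
        [string[]] $ExecutableExtensions = @('.exe', '.dll', '.com', '.scr', '.msi', '.bat', '.cmd', '.ps1', '.vbs', '.js', '.hta'),
        [string[]] $MediaExtensions      = @('.mp3', '.mp4', '.avi', '.wmv', '.mov', '.mkv', '.wav', '.flac', '.iso'),
        [int] $WarnSizeMB = 50          # assumed threshold above which a roaming profile is "big"
    )
    # -Force picks up hidden/system files (AppData, ntuser.dat); PSIsContainer filter keeps this PS 2.0 compatible
    $files = Get-ChildItem -Path $ProfilePath -Recurse -Force -ErrorAction SilentlyContinue |
             Where-Object { -not $_.PSIsContainer }

    $bytes = @{ Executable = [long]0; Media = [long]0; Custom = [long]0 }
    $count = @{ Executable = 0; Media = 0; Custom = 0 }
    $executables = @()
    foreach ($f in $files) {
        $ext = $f.Extension
        if     ($ExecutableExtensions -contains $ext) { $cat = 'Executable' }   # -contains is case-insensitive
        elseif ($MediaExtensions -contains $ext)      { $cat = 'Media' }
        else                                          { $cat = 'Custom' }
        $bytes[$cat] += $f.Length
        $count[$cat] += 1
        if ($cat -eq 'Executable') { $executables += $f.FullName }
    }
    $total = $bytes.Executable + $bytes.Media + $bytes.Custom

    New-Object PSObject -Property @{
        ProfilePath     = $ProfilePath
        FileCount       = @($files).Count
        TotalMB         = [math]::Round($total / 1MB, 1)
        ExecutableCount = $count.Executable
        ExecutableMB    = [math]::Round($bytes.Executable / 1MB, 1)
        MediaCount      = $count.Media
        MediaMB         = [math]::Round($bytes.Media / 1MB, 1)
        CustomCount     = $count.Custom
        CustomMB        = [math]::Round($bytes.Custom / 1MB, 1)
        TooBig          = ($total -gt ($WarnSizeMB * 1MB))
        # anything in here roams with the user: a logon cost and a persistence risk in one
        Executables     = $executables
    }
}

# Run it against every profile on a XenApp server (path assumed)
Get-ChildItem -Path 'C:\Users' | Where-Object { $_.PSIsContainer } |
    ForEach-Object { Get-ProfileInventory -ProfilePath $_.FullName } |
    Sort-Object TotalMB -Descending |
    Format-Table ProfilePath, TotalMB, FileCount, ExecutableCount, MediaMB, TooBig -AutoSize
```

Point it at the profile store share rather than the local cache if you want to see what is actually pulled over the network during phase 1. The Executables list deserves a look on its own: whatever sits there follows the user to every server they log on to.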

PHASE 2: APPLYING GROUP POLICY OBJECTS (GPOs)

During this phase, the server applies user settings defined on the Domain Controller.
Reasons for the slow logon phase can be:

  • issues with network and domain controller availability;
  • issues with required infrastructure (required services and components are either not running or not configured as expected);
  • system time is not configured correctly;
  • high network load;
  • high amount of policy settings.

PHASE 3: USER ENVIRONMENT INITIALIZATION

During this phase, network connections are restored and profile settings, such as fonts and screen colors, are loaded. Also, if this is the first time this profile is being used, some extra initialization is applied. The default profile is created, first time use settings are applied for the shell (Explorer), Internet Explorer, Office (particularly Outlook), and any other application that uses Active Setup.
Reasons for the slow logon phase can be:

  • corrupted profile;
  • issues with restoring the network connection(s);
  • first time use of profile on the server.

 

PHASE 4: LOGON SCRIPT EXECUTION

This phase is measured by how long the USRLOGON.CMD script (located in %SystemRoot%\system32) takes to execute. The script's original function is to address issues with legacy applications that were not written with a multi-user environment such as Terminal Server in mind. It uses application compatibility scripts (located in %SystemRoot%\Application Compatibility Scripts) in conjunction with the %ROOTDRIVE% variable to address these issues. USRLOGON.CMD is also used as a starting point for custom profiles.
Reasons for the slow logon phase can be:

  • issues with application compatibility scripts;
  • legacy applications;
  • custom profile initialization.

You should differentiate between Terminal Server (RDP client) and Citrix (ICA client) logon. If the user used the RDP connection to log on to the server, this will be the last phase of the logon process.

PHASE 5: CITRIX APPLICATION INITIALIZATION

This phase covers Citrix specific activity before it launches the requested application: launching seamless windows engine shell, auto creation of client printers, and ICA client update process.
Reasons for the slow logon phase can be:

  • issues with the client printer (usually third party printer drivers);
  • issues with retrieving ICA client version and the rest of the update process.

 

 

Original source: here.

NetApp Data ONTAP 8.1.1 – SMB2.1 oplocks

With a NetApp FAS2240-2 filer with CIFS enabled, I encountered a performance problem with Windows file share clients and Citrix XenApp servers on Windows Server 2008 R2 SP1.

Investigation narrowed the problem down to user data, but only for random users. Hmm, okay, not good. Further investigation led to the real error: oplocks on the NetApp filer. Oplocks are used for performance and should not be a problem!

So what was happening?

The NetApp was running Data ONTAP 8.1.1, which should be able to talk SMB2. And it does! But Windows Server 2008 R2 SP1 talks SMB2.1, and Data ONTAP 8.1.1 does not!

Aha, so that's where my oplock errors and unrecognized commands are coming from.

Solution:

Upgrade the NetApp filer to Data ONTAP 8.1.2 (which has SMB2.1 disabled by default), and all my errors and problems went away. Whatever you do, don't work around this from the Windows side by disabling SMB2 on the clients: that drops them back to SMB1, which is a security regression, not a fix.

 

This is also discussed on the NetApp forum under: https://forums.netapp.com/thread/35860

 

More Info on Oplocks:

Opportunistic locking (oplocks) is a Windows-specific mechanism for client/server data access that allows multiple processes to lock the same file while allowing local (client) data caching to improve performance over Windows networks.

Microsoft’s documentation states “An opportunistic lock (also called an oplock) is a lock placed by a client on a file residing on a server. In most cases, a client requests an oplock so it can cache data locally, thus reducing network traffic and improving apparent response time. Oplocks are used by network redirectors on clients with remote servers, as well as by client applications on local servers” and “Oplocks are requests from the client to the server. From the point of view of the client, they are opportunistic. In other words, the server grants such locks whenever other factors make the locks possible.”.

You can read more about oplocks in Microsoft's documentation.

 

 

NetApp Performance Monitoring

 

NetApp sysstat reports filer performance statistics such as CPU utilization, the amount of disk traffic, and cache utilization. When run without options, sysstat prints a new line of basic information every 15 seconds and keeps running until you stop it with Control-C (^C) or limit it with an iteration count (-c count). For more detailed information, use the -u option; for information specific to one protocol, use the other options.

 

More info: http://www.wafl.co.uk/sysstat/

 

Synopsis:

sysstat [ interval ]

sysstat [ -c count ] [ -s ] [ -u | -x | -m | -f | -i | -b ] [ interval ]

  • -c count

    Terminate the output after count iterations. The count is a positive, nonzero integer; values larger than LONG_MAX are truncated to LONG_MAX.

  • -s

    Display a summary of the output columns upon termination; descriptive columns such as 'CP ty' will not have summaries printed. Note that, with the exception of 'Cache hit', the 'Avg' summary for percentage values is an average of percentages, not a true mean of the underlying data. The 'Avg' is only intended as a gross indicator of performance. For more detailed information use tools such as nfsstat, netstat, or statit.

  • -f

    For the default format display FCP statistics.

  • -i

    For the default format display iSCSI statistics.

  • -b

    Display the SAN extended statistics instead of the default display.

  • -u

    Display the extended utilization statistics instead of the default display.

  • -x

    Displays the extended output format instead of the default display. This includes all available output fields. Be aware that this produces output that is longer than 80 columns and is generally intended for “offline” types of analysis and not for “realtime” viewing.

  • -m

    Displays multi-processor CPU utilization statistics. In addition to the percentage of the time that one or more CPUs were busy (ANY), the average (AVG) is displayed, as well as the individual utilization of each processor.

  • interval

    A positive, non-zero integer that represents the reporting interval in seconds. If not provided, the default is 15 seconds.

     

Here are some explanations of the columns in the NetApp sysstat output.

 

Cache age : The age of the oldest read-only blocks in the buffer cache, in minutes or, with a trailing s, in seconds. This column indicates how fast read operations are cycling through system memory; when the filer is reading very large files, the buffer cache age will be very low. If reads are random, the cache age will also be low. If you have a performance problem where read performance is poor, this number may indicate that you need a system with more memory, or that you should analyze the application to reduce the randomness of the workload.

 

Cache hit : The WAFL cache hit rate percentage: the percentage of times WAFL tried to read a data block from disk and found the data already cached in memory. A dash in this column indicates that WAFL did not attempt to load any blocks during the measurement interval.

 

CP Ty : Consistency Point (CP) type is the reason that a CP started in that interval. The CP types are:

  • -  No CP started during sampling interval
  • number  Number of CPs started during sampling interval, if greater than one
  • B  Back to back CPs (CP generated CP)
  • b  Deferred back to back CPs (CP generated CP)
  • F  CP caused by full NVLog
  • H  CP from high watermark in modified buffers: if a CP is not in progress, and the number of buffers holding data that has been modified but not yet written to disk exceeds a threshold, then a CP from high watermark is triggered
  • L  CP from low watermark in available buffers: if a CP is not in progress, and the number of buffers available goes below a threshold, then a CP from low watermark is triggered
  • S  CP caused by snapshot operation
  • T  CP caused by timer
  • U  CP caused by flush
  • Z  CP caused by internal sync
  • V  CP caused by low virtual buffers
  • M  CP caused by low mbufs
  • D  CP caused by low datavecs
  • :  continuation of CP from previous interval
  • #  continuation of CP from previous interval, and the NVLog for the next CP is now full, so that the next CP will be of type B

 

The type character is followed by a second character that indicates the phase of the CP at the end of the sampling interval. If the CP completed during the sampling interval, this second character is blank. The phases are:

  • 0  Initializing
  • n  Processing normal files
  • s  Processing special files
  • q  Processing quota files
  • f  Flushing modified data to disk
  • v  Flushing modified superblock to disk

     

CP util : The Consistency Point (CP) utilization, the percentage of time spent in a CP. By this description, 100% time in CP is a good thing: of the time the filer set aside for writing data, all of it was used, whereas 75% means a quarter of that time was wasted, so a good CP percentage is at or near 100%. Read it together with the CP ty column, though: a high CP time made up of type B (back-to-back) CPs means the filer cannot finish one CP before the next one is forced, which is a write bottleneck rather than efficiency.

 

Examples:

 

sysstat
    Display the default output every 15 seconds; requires Control-C to terminate.

sysstat 1
    Display the default output every second; requires Control-C to terminate.

sysstat -s 1
    Display the default output every second; on Control-C termination print the summary statistics.

sysstat -c 10
    Display the default output every 15 seconds, stopping after the 10th iteration.

sysstat -c 10 -s -u 2
sysstat -u -c 10 -s 2
    Display the utilization output format every 2 seconds, stopping after the 10th iteration; on completion print the summary statistics.

sysstat -x -s 5
    Display the extended (full) output every 5 seconds; on Control-C termination print the summary statistics.
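If you capture sysstat -u output to a file (for instance over SSH from a monitoring host), the columns described above can be checked automatically. The following is an added example, not from the original post, the wafl.co.uk page or NetApp; the 13-column 7-Mode sysstat -u layout, the sample data and the thresholds are my assumptions, so check the header of your own output before trusting the column positions.

```powershell
# Added example (not from the original post, wafl.co.uk or NetApp): parse saved "sysstat -u"
# output and flag the conditions the column descriptions above warn about.
# ASSUMPTION: 13-column 7-Mode "sysstat -u" layout:
#   CPU, Total ops/s, Net in, Net out, Disk read, Disk write, Tape read, Tape write,
#   Cache age, Cache hit, CP time, CP ty, Disk util

function ConvertTo-CacheAgeSeconds {
    param([Parameter(Mandatory = $true)] [string] $Value)
    # "9s" is seconds, a bare number is minutes, ">60" is treated as 60 minutes
    $v = $Value.TrimStart('>')
    if ($v.EndsWith('s')) { return [int]($v.TrimEnd('s')) }
    return ([int]$v) * 60
}

function ConvertFrom-SysstatU {
    param([Parameter(Mandatory = $true)] [string[]] $Lines)
    foreach ($line in $Lines) {
        $t = $line.Trim() -split '\s+'
        # data rows start with a CPU percentage; header rows and blank lines do not
        if ($t.Count -ne 13 -or $t[0] -notmatch '^\d+%$') { continue }
        $hit = $null                                   # '-' means WAFL attempted no reads
        if ($t[9] -ne '-') { $hit = [int]($t[9].TrimEnd('%')) }
        New-Object PSObject -Property @{
            CpuPct       = [int]($t[0].TrimEnd('%'))
            OpsPerSec    = [int]$t[1]
            NetInKBs     = [int]$t[2]
            NetOutKBs    = [int]$t[3]
            DiskReadKBs  = [int]$t[4]
            DiskWriteKBs = [int]$t[5]
            CacheAgeSec  = ConvertTo-CacheAgeSeconds -Value $t[8]
            CacheHitPct  = $hit
            CpTimePct    = [int]($t[10].TrimEnd('%'))
            CpType       = $t[11].Substring(0, 1)      # type letter from the CP Ty table
            CpPhase      = $t[11].Substring(1)         # phase letter, empty when the CP completed
            DiskUtilPct  = [int]($t[12].TrimEnd('%'))
        }
    }
}

function Test-SysstatHealth {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Samples,
        [int] $MinCacheAgeSec = 60,     # thresholds are assumptions; tune them per workload
        [int] $MinCacheHitPct = 90,
        [int] $MaxDiskUtilPct = 80
    )
    $n       = $Samples.Count
    $b2b     = @($Samples | Where-Object { $_.CpType -eq 'B' }).Count   # -eq is case-insensitive: catches deferred 'b' too
    $coldAge = @($Samples | Where-Object { $_.CacheAgeSec -lt $MinCacheAgeSec }).Count
    $lowHit  = @($Samples | Where-Object { $_.CacheHitPct -ne $null -and $_.CacheHitPct -lt $MinCacheHitPct }).Count
    $busy    = @($Samples | Where-Object { $_.DiskUtilPct -gt $MaxDiskUtilPct }).Count

    $findings = @()
    if ($b2b)     { $findings += "back-to-back CPs (type B/b) in $b2b of $n intervals: writes arrive faster than the disks flush them" }
    if ($coldAge) { $findings += "cache age under ${MinCacheAgeSec}s in $coldAge of $n intervals: large or random reads are cycling the buffer cache" }
    if ($lowHit)  { $findings += "cache hit below $MinCacheHitPct% in $lowHit of $n intervals" }
    if ($busy)    { $findings += "disk utilization above $MaxDiskUtilPct% in $busy of $n intervals" }

    New-Object PSObject -Property @{
        Intervals    = $n
        AvgCpuPct    = [math]::Round(($Samples | Measure-Object -Property CpuPct -Average).Average, 1)
        AvgCpTimePct = [math]::Round(($Samples | Measure-Object -Property CpTimePct -Average).Average, 1)
        Findings     = $findings
    }
}

# Constructed sample modelled on "sysstat -u 1" (not real filer output)
$raw = @'
 CPU    Total     Net   kB/s    Disk   kB/s    Tape   kB/s  Cache  Cache    CP  CP  Disk
         ops/s     in     out    read  write    read  write    age    hit  time  ty  util
 14%      812    2310    1980    8770   12050       0       0     18     98%   62%  T    44%
 37%     1490    5220    3100   22410   30880       0       0     4s     71%  100%  B    91%
 41%     1610    5010    3350   19980   33120       0       0     2s     66%  100%  Bf   95%
  9%      420    1100     880    3110    2200       0       0     26     99%   28%  -    21%
'@
$samples = @(ConvertFrom-SysstatU -Lines ($raw -split "`r?`n"))
Test-SysstatHealth -Samples $samples | Format-List
```

On the constructed sample this reports back-to-back CPs, cold cache age, low cache hit and busy disks in two of the four intervals each, which is exactly the write-bound pattern the CP Ty and CP util descriptions above describe.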

Microsoft App-V 4.x versions

On a quest for App-V versions I came across a nice overview which could come in handy.

The original overview is found HERE. (and an updated version by Aaron Parker: HERE.)

Here is the full list:

Release                | Type  | Release date (d-m-yyyy) | Desktop Client | RDS Client   | Sequencer    | Management Server | Streaming Server | Link
-----------------------|-------|-------------------------|----------------|--------------|--------------|-------------------|------------------|-----
4.5 RTM                | Full  | 10-1-2008  | 4.5.0.1485   | 4.5.0.1485   | 4.5.0.1485   | 4.5.0.1485   | 4.5.0.1485   | http://technet.microsoft.com/en-us/library/ee958108.aspx
4.5 Hotfix 2           | Patch | 12-4-2008  | 4.5.0.15131  | 4.5.0.15131  | N/A          | N/A          | N/A          | http://support.microsoft.com/kb/959834
4.5 Hotfix 1           | Patch | 31-10-2008 | 4.5.0.15051  | 4.5.0.15051  | N/A          | N/A          | N/A          | http://support.microsoft.com/kb/959083
4.5 CU1 Hotfix 1       | Patch | 1-3-2009   | 4.5.1.15631  | 4.5.1.15631  | N/A          | N/A          | N/A          | http://support.microsoft.com/kb/969564
4.5 CU1 Hotfix 2       | Patch | 1-5-2009   | 4.5.1.15681  | 4.5.1.15681  | N/A          | N/A          | N/A          | http://support.microsoft.com/kb/969774
4.5 CU1 Hotfix 3       | Patch | 1-6-2009   | 4.5.1.15981  | 4.5.1.15981  | N/A          | N/A          | N/A          | http://support.microsoft.com/kb/971917
4.5 CU1 Hotfix 4       | Patch | 1-7-2009   | 4.5.1.16371  | 4.5.1.16371  | N/A          | N/A          | N/A          | http://support.microsoft.com/kb/973205
4.5 CU1 Hotfix 5       | Patch | 1-8-2009   | 4.5.1.16791  | 4.5.1.16791  | N/A          | 4.5.1.16791  | N/A          | http://support.microsoft.com/kb/973873
4.5 CU1 Hotfix 6       | Patch | 1-9-2009   | 4.5.1.16811  | 4.5.1.16811  | N/A          | N/A          | N/A          | http://support.microsoft.com/kb/974278
4.5 Hotfix 3           | Patch | 1-9-2009   | 4.5.0.15341  | 4.5.0.15341  | N/A          | N/A          | N/A          | http://support.microsoft.com/kb/961473
4.5 SP1                | Full  | 1-11-2009  | 4.5.2.17140  | 4.5.2.17140  | 4.5.2.17140  | 4.5.2.17140  | 4.5.2.17140  | http://support.microsoft.com/kb/976338
4.5 SP1 Hotfix 1       | Patch | 1-1-2010   | 4.5.2.18131  | 4.5.2.18131  | N/A          | N/A          | N/A          | http://support.microsoft.com/kb/978480
4.6 RTM English        | Full  | 1-2-2010   | 4.6.0.1523   | 4.6.0.1523   | 4.6.0.1523   | N/A          | N/A          | http://technet.microsoft.com/en-us/library/ee958101.aspx
4.6 RTM All Languages  | Full  | 1-3-2010   | 4.6.0.20200  | 4.6.0.20200  | 4.6.0.20200  | N/A          | N/A          | http://technet.microsoft.com/en-us/library/ee958101.aspx
4.5 CU1                | Full  | 4-3-2010   | 4.5.1.15580  | 4.5.1.15580  | 4.5.1.15580  | 4.5.1.15580  | 4.5.1.15580  | http://support.microsoft.com/kb/963693
4.5 SP1 Hotfix 2       | Patch | 1-4-2010   | N/A          | N/A          | N/A          | 4.5.2.18541  | N/A          | http://support.microsoft.com/kb/980850
4.5 SP2                | Patch | 1-5-2010   | 4.5.3.19480  | 4.5.3.19480  | 4.5.3.19480  | 4.5.3.19480  | 4.5.3.19480  | http://support.microsoft.com/kb/980847
4.6 RTM Hotfix 1       | Patch | 1-5-2010   | 4.6.0.10181  | 4.6.0.10181  | N/A          | N/A          | N/A          | http://support.microsoft.com/kb/981787
4.6 RTM Hotfix 2       | Patch | 1-5-2010   | 4.6.0.10241  | 4.6.0.10241  | N/A          | N/A          | N/A          | http://support.microsoft.com/kb/983173
4.5 SP1 Hotfix 4       | Patch | 30-6-2010  | 4.5.2.19631  | 4.5.2.19631  | N/A          | N/A          | N/A          | http://support.microsoft.com/kb/2267046
4.6 RTM All Lang HF 1  | Patch | 9-8-2010   | 4.6.0.30051  | 4.6.0.30051  | 4.6.0.30051  | N/A          | N/A          | http://support.microsoft.com/kb/2252568
4.6 RTM Hotfix 3       | Patch | 27-8-2010  | 4.6.0.10271  | 4.6.0.10271  | N/A          | N/A          | N/A          | http://support.microsoft.com/kb/2307495
4.6 RTM Hotfix 4       | Patch | 5-10-2010  | 4.6.0.10291  | 4.6.0.10291  | N/A          | N/A          | N/A          | http://support.microsoft.com/kb/2432513
4.6 RTM Hotfix 5       | Patch | 22-11-2010 | 4.6.0.10311  | 4.6.0.10311  | N/A          | N/A          | N/A          | http://support.microsoft.com/kb/2471081
4.5 SP2 Hotfix 1       | Patch | 30-11-2010 | 4.5.3.19901  | 4.5.3.19901  | N/A          | N/A          | N/A          | http://support.microsoft.com/kb/2432506
4.5 SP1 Hotfix 5       | Patch | 16-12-2010 | 4.5.2.19911  | 4.5.2.19911  | N/A          | N/A          | N/A          | http://support.microsoft.com/kb/2471145
4.6 RTM All Lang HF 2  | Patch | 2-2-2011   | 4.6.0.30091  | 4.6.0.30091  | N/A          | N/A          | N/A          | http://support.microsoft.com/kb/2497486
4.6 RTM SP1            | Full  | 10-3-2011  | 4.6.1.20870  | 4.6.1.20870  | 4.6.1.20870  | N/A          | N/A          | http://support.microsoft.com/kb/2445990
4.5 SP2 Hotfix 2       | Patch | 28-3-2011  | 4.5.3.20031  | 4.5.3.20031  | N/A          | 4.5.3.20031  | N/A          | http://support.microsoft.com/kb/2507096
4.6 RTM All Lang HF 6  | Patch | 13-4-2011  | 4.6.0.30101  | 4.6.0.30101  | N/A          | N/A          | N/A          | http://support.microsoft.com/kb/2517188
4.6 RTM Hotfix 6       | Patch | 13-4-2011  | 4.6.0.10331  | 4.6.0.10331  | N/A          | N/A          | N/A          | http://support.microsoft.com/kb/2517187
4.6 SP1 Hotfix 1       | Patch | 29-4-2011  | 4.6.1.30051  | 4.6.1.30051  | N/A          | N/A          | N/A          | http://support.microsoft.com/kb/2532192
4.6 SP1 Hotfix 2       | Patch | 23-6-2011  | 4.6.1.30081  | 4.6.1.30081  | N/A          | N/A          | N/A          | http://support.microsoft.com/kb/2549352
4.6 RTM Hotfix 7       | Patch | 28-6-2011  | 4.6.0.10351  | 4.6.0.10351  | N/A          | N/A          | N/A          | http://support.microsoft.com/kb/2555574
4.6 RTM All Lang HF 7  | Patch | 28-6-2011  | 4.6.0.30121  | 4.6.0.30121  | N/A          | N/A          | N/A          | http://support.microsoft.com/kb/2555575
4.6 SP1 Hotfix 3       | Patch | 26-7-2011  | 4.6.1.30091  | 4.6.1.30091  | 4.6.1.30091  | N/A          | N/A          | http://support.microsoft.com/kb/2571168
4.6 SP1 Hotfix 4       | Patch | 14-9-2011  | 4.6.1.30101  | 4.6.1.30101  | N/A          | N/A          | N/A          | http://support.microsoft.com/kb/2586968
4.6 SP1 Hotfix 5       | Patch | 2-2-2012   | 4.6.1.30111  | 4.6.1.30111  | N/A          | N/A          | N/A          | http://support.microsoft.com/kb/2645225
4.6 SP1 Hotfix 6       | Patch | 16-5-2012  | 4.6.1.30121  | 4.6.1.30121  | N/A          | N/A          | N/A          | http://support.microsoft.com/kb/2693779
4.6 SP1 Hotfix 7       | Patch | 28-9-2012  | 4.6.1.30131  | 4.6.1.30131  | N/A          | N/A          | N/A          | http://support.microsoft.com/kb/2744141
4.6 SP1 Hotfix 8       | Patch | 4-10-2012  | 4.6.1.30151  | 4.6.1.30151  | 4.6.1.30151  | N/A          | N/A          | http://support.microsoft.com/kb/2761558
4.6 SP2                | Patch | 1-11-2012  | 4.6.2.24020  | 4.6.2.24020  | 4.6.2.24020  | N/A          | N/A          | http://support.microsoft.com/kb/2738315

 

Security Compliance Manager 3.0

The Microsoft Security Compliance Manager (SCM) helps you create and maintain security baselines using Group Policy Objects or System Center 2012 Configuration Manager.

With SCM you can obtain baseline policies based on security best practices, customize them to the particular needs of your organization, and export them to a number of formats for use in different scenarios.

From the Microsoft site:

New! Version 3.0 of the Security Compliance Manager (SCM) tool is now available for download! In addition to key features from the previous version, SCM 3.0 offers new baselines for Internet Explorer 10, Windows 8, and Windows Server 2012! SCM enables you to quickly configure and manage computers and your private cloud using Group Policy and Microsoft System Center Configuration Manager.

SCM 3.0 provides ready-to-deploy policies and DCM configuration packs based on Microsoft Security Guide recommendations and industry best practices, allowing you to easily manage configuration drift, and address compliance requirements for Windows operating systems and Microsoft applications.

And

Overview

The Microsoft Security Compliance Manager takes our extensive guidance and documentation—including the previously stand-alone product-specific security guides—and incorporates it into one tool, enabling you to access and automate all of your organization’s security baselines in a centralized location.

To access the security guidance for Windows client and server operating systems and Microsoft applications, simply download the tool, and select the “Attachments \ Guides” node within each product baseline tree.

Take advantage of the experience of Microsoft security professionals, and reduce the time and money required to harden your environment. This end-to-end Solution Accelerator will help you plan, deploy, operate, and manage your security baselines for Windows client and server operating systems, and Microsoft applications. Access the complete database of Microsoft recommended security settings, customize your baselines, and then choose from multiple formats—including XLS, Group Policy objects (GPOs), Desired Configuration Management (DCM) packs, or Security Content Automation Protocol (SCAP)—to export the baselines to your environment to automate the security baseline deployment and compliance verification process. Use the Security Compliance Manager to achieve a secure, reliable, and centralized IT environment that will help you better balance your organization’s needs for security and functionality.

Key Features & Benefits

  • Integration with the System Center 2012 Process Pack for IT GRC: Product configurations are integrated into the Process Pack for IT GRC to provide oversight and reporting of your compliance activities.
  • Gold master support: Import and take advantage of your existing Group Policy or create a snapshot of a reference machine to kick-start your project.
  • Configure stand-alone machines: Deploy your configurations to non-domain joined computers using the new GPO Pack feature.
  • Updated security guidance: Take advantage of the deep security expertise and best practices in the updated security guides and the attack surface reference workbooks to help reduce the security risks that you consider to be the most important.
  • Centralized Management of Your Baseline Portfolio: The centralized management console of the Security Compliance Manager provides you with a unified, end-to-end user experience to plan, customize, and export security baselines. The tool gives you full access to a complete portfolio of recommended baselines for Windows client and server operating systems, and Microsoft applications. The Security Compliance Manager also enables you to quickly update the latest Microsoft baseline releases and take advantage of baseline version control.
  • Security Baseline Customization: Customizing, comparing, merging, and reviewing your baselines policy configurations just got easier. Use the customization capabilities of the Security Compliance Manager to duplicate any of the recommended baselines from Microsoft and quickly modify security settings to meet the standards of your organization’s environment.
  • Multiple Export Capabilities: Export baselines in formats like XLS, Group Policy objects (GPOs), Desired Configuration Management (DCM) packs, or Security Content Automation Protocol (SCAP) to enable automation of deployment and monitoring baseline compliance.
  • Available policy configuration baselines include Windows Server 2012, Windows Server 2008 R2 SP1, Windows Server 2008 SP2, Windows Server 2003 SP2, Hyper-V, Windows 8, Windows 7 SP1, Windows Vista SP2, Windows XP SP3, BitLocker Drive Encryption, Windows Internet Explorer 10, Windows Internet Explorer 9, Windows Internet Explorer 8, Microsoft Office 2010 SP1, Microsoft Office 2007 SP2, Exchange Server 2010 SP2 and Exchange Server 2007 SP3.

So how does this work?

First you have to download SCM. This can be done HERE.

Installation

Kick off the Security_Compliance_Manager_Setup.exe

Prerequisite installation

SQL Express 2008 is required. If there is no instance found you can install a version here.

And off we go!

After you select 'Finish', SCM starts automatically and imports the first baselines.

And then the console opens

One of the features I like is the export to an 'SCCM DCM 2007 (.cab)' file, which you can import in ConfigMgr. Yes, this is the old name, but the files are also usable in ConfigMgr 2012 SP1!

So fire up your SCCM 2012 SP1 console, go to Assets and Compliance – Overview – Compliance Settings – Configuration Baselines and choose 'Import'. Click 'Add' and select the .cab file.

You will get a warning that the publisher could not be verified (too bad, because it is from Microsoft..). What the warning actually means is that ConfigMgr could not validate a signature on the .cab, so the file is only as trustworthy as the path it took to reach the console: import only exports you made yourself or copied straight from a location you control, and keep a hash of the export if it has to travel between machines.

But it will succeed.

Browse through the settings and find out the best practices Microsoft has in mind.

Now all you have to do is ‘Deploy‘ the baseline to a Collection and see if your environment is healthy according to Microsoft’s Best practices!

System Center 2012 Configuration Manager Configuration Pack

Compliance Settings for ConfigMgr 2012: Microsoft has provided a Configuration Pack for ConfigMgr 2012. It contains Configuration Items and a Configuration Baseline for your ConfigMgr 2012 environment.

This Configuration Pack monitors the following:

  • Management Point(s);
  • Site Server(s);
  • Software Update Point(s).

You can download the Configuration Pack HERE.

From the Microsoft site:

Overview

Software installation errors and misconfigurations compromise security and stability, resulting in escalated support costs. The System Center 2012 Configuration Manager Configuration Pack can help prevent errors, increasing your organizational uptime and helping you build a more secure and reliable Configuration Manager 2012 infrastructure. This Configuration Pack contains Configuration Items intended to manage your Configuration Manager 2012 site system roles using the desired configuration management component in Configuration Manager 2012. This configuration pack monitors the following site system roles: management points, site server, and software update points. The Configuration Pack can also monitor Windows Server Update Services (WSUS) components on software update points or upstream WSUS servers. To manage your site system roles with this Configuration Pack, import and assign the Microsoft System Center 2012 Configuration Manager Server Roles configuration baseline to a collection which contains your Configuration Manager 2012 site systems. While there is one configuration baseline for all site systems, it evaluates compliance only for roles configured on the site system. For example, if a computer has only the management point role, it will not be evaluated for software update point configurations. To understand in detail what each configuration item will be evaluating, review the properties of that configuration item in the context of the Configuration Manager 2012 Server Role being addressed.

Installation

After downloading it (HERE), install the MSI package.

That was easy!

In the installation directory you will find several files. Note that ConfigMgr2012ConfigPackReview.doc contains all the info about the Configuration Pack. Nice info!

I will put the content of the doc at the end of this post (HERE).

Import the Configuration Pack

Now you have to import the Configuration Pack.

Go to: Assets and Compliance – Overview – Compliance Settings and right-click on ‘Configuration Baselines‘, choose ‘Import Configuration Data‘.

Click Add, browse to your installation directory and select CM2012ServerRolesConfigpack.cab.

Click Next twice.

And there you are: you now have 1 Configuration Baseline and 4 Configuration Items.

You can browse through the configuration items by selecting 'Properties'. One thing you will notice is that all the 'Remediate' options are set to 'No' by default. This is actually a good thing: you don't want anything automatically remediated in your ConfigMgr environment without knowing about it. But it is possible, if you want it.


Deploy the Configuration Baseline

Make a collection containing your SCCM 2012 site server(s) and deploy the Configuration Baseline to it.

Pick the collection and select OK.


Now you have to wait until the baseline has been evaluated on the SCCM 2012 server(s). You can speed this up by triggering the evaluation yourself from the Configurations tab of the Configuration Manager applet in Control Panel on the server.

Here you can choose 'View Report'. This is the report from my SQL server:

Not much to do here, but at least it is nice and Green 😉

And this is the one from my ConfigMgr site server.

Hm, Non-Compliant, let’s check this out.

And the details:

Under Non-Compliant rules we see that the BGB firewall port for the Management Point should be open. As per the script, a warning is generated if the BGB port is found closed on the MP. The rest of the configuration items report that our server is Compliant.

OK, let's check this script. It is found under Configuration Items – Microsoft System Center 2012 Configuration Manager Management Point – Properties – BGB firewall port.

Edit – Compliance Rules – Edit

So what this tells us is that the script generates a Warning when it finds that the port used for BGB is closed. But my firewall is disabled, so it should not generate this warning, should it?

Check the underlying script:

Edit Script:

Option Explicit

' Reads the BGB (client notification) listener port that the management point
' registered under HKLM\Software\Microsoft\SMS\NotificationServer.
' Returns Empty when the key or the DWORD value does not exist.
Function GetBGBPort()
    Const HKEY_LOCAL_MACHINE = &H80000002
    Dim strComputer, strKeyPath, oReg, arrSubKeys, dwValue, strValueName, WshShell
    strComputer = "."
    strKeyPath = "Software\Microsoft\SMS\NotificationServer"
    strValueName = "TCP Listener Port"
    Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
    Set WshShell = WScript.CreateObject("WScript.Shell")   ' created by the pack's script but never used
    ' EnumKey returns 0 only when the key exists, so the value is read only on a management point
    If oReg.EnumKey(HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys) = 0 Then
        oReg.GetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, dwValue
    End If
    If Not IsNull(dwValue) Then
        If Not IsEmpty(dwValue) Then
            GetBGBPort = dwValue
        End If
    End If
End Function

' Walks the globally open ports of the *current* profile through the legacy
' Windows Firewall COM API (HNetCfg.FwMgr). Note what it does not do: it never
' reads objPolicy.FirewallEnabled, so a disabled firewall without an explicit
' exception for the port still comes back as "closed".
Function FirewallPortIsOpen(iBGBPort)
    FirewallPortIsOpen = False
    Dim objFirewall, objPolicy, colPorts, objPort
    Set objFirewall = CreateObject("HNetCfg.FwMgr")
    Set objPolicy = objFirewall.LocalPolicy.CurrentProfile
    Set colPorts = objPolicy.GloballyOpenPorts
    For Each objPort In colPorts
        If objPort.Port = iBGBPort Then
            FirewallPortIsOpen = True
        End If
    Next
End Function

' The CI's compliance rule raises a warning when the script reports "Port Closed".
Dim iBGBPort
iBGBPort = GetBGBPort()
If FirewallPortIsOpen(iBGBPort) Then
    WScript.Echo "Port Open"
Else
    WScript.Echo "Port Closed"
End If


And here you have the culprit. The script only enumerates the globally open ports of the current firewall profile (GloballyOpenPorts); it never checks whether that profile is actually enabled (the FirewallEnabled property of the same policy object). So although my firewall is disabled, there is no exception for the port, and the script reports 'Port Closed'.

So I opened up the port (by default TCP 10123) in the firewall policy as an Inbound Rule, et voilà, all green! Keep in mind that this check only looks at the local host firewall; a network firewall between your clients and the MP is outside its scope, so a green result here does not prove that clients can actually reach the BGB port.
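The same discovery logic as a PowerShell script, written here as an added example (it is not part of the Configuration Pack or of the original post) that fixes the gap found above: it reports 'Port Open' when no active firewall profile is enabled, and otherwise looks for an enabled inbound allow rule for the port. It assumes Windows Server 2012 or later (the NetSecurity and NetConnection modules), that it runs on the management point as SYSTEM, and the registry location used by the VBScript; the function and variable names are mine.

```powershell
# Added example: BGB port discovery that honours the firewall's enabled state.
# Assumptions: Windows Server 2012+ (Get-Net* cmdlets), runs locally on the MP,
# registry key/value as in the Configuration Pack's VBScript. Output values
# match what the CI's compliance rule expects ('Port Open' / 'Port Closed').

$RegPath   = 'HKLM:\SOFTWARE\Microsoft\SMS\NotificationServer'
$ValueName = 'TCP Listener Port'

function Get-BgbPort {
    # Returns the configured BGB listener port, or $null when this server is not an MP.
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($item) { return [int]$item.$ValueName }
    return $null
}

function Get-ActiveFirewallProfileName {
    # Map the network category of each connected NIC to its firewall profile name.
    $map = @{ DomainAuthenticated = 'Domain'; Private = 'Private'; Public = 'Public' }
    Get-NetConnectionProfile | ForEach-Object { $map[[string]$_.NetworkCategory] } | Sort-Object -Unique
}

function Test-LocalPortMatch([string[]]$LocalPorts, [int]$Port) {
    # LocalPort on a port filter is 'Any', a single port, or a range such as '10000-10200'.
    foreach ($p in $LocalPorts) {
        if ($p -eq 'Any' -or $p -eq "$Port") { return $true }
        if ($p -match '^(\d+)-(\d+)$' -and [int]$Matches[1] -le $Port -and $Port -le [int]$Matches[2]) {
            return $true
        }
    }
    return $false
}

function Test-BgbPort {
    $port = Get-BgbPort
    if ($null -eq $port) { return 'Not a management point' }

    $active = @(Get-ActiveFirewallProfileName)
    if ($active.Count -eq 0) { $active = 'Domain', 'Private', 'Public' }   # no NIC category known: check all
    $enabled = @(Get-NetFirewallProfile -Name $active | Where-Object { $_.Enabled -eq 'True' })
    if ($enabled.Count -eq 0) {
        # Nothing filters inbound traffic on this host, so the port is reachable.
        return 'Port Open'
    }

    # Enabled inbound allow rules for TCP <port>, then see whether one applies to an enabled profile.
    $rules = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { Test-LocalPortMatch -LocalPorts $_.LocalPort -Port $port } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }

    foreach ($r in $rules) {
        $ruleProfiles = [string]$r.Profile          # 'Any' or e.g. 'Domain, Private'
        if ($ruleProfiles -eq 'Any') { return 'Port Open' }
        foreach ($e in $enabled) {
            if ($ruleProfiles -like "*$($e.Name)*") { return 'Port Open' }
        }
    }
    return 'Port Closed'
}

Test-BgbPort
```

Paste it into a new configuration item with a PowerShell discovery script, keep the compliance rule on the string value, and remember that the ConfigMgr client runs discovery scripts as SYSTEM, so an execution policy that blocks unsigned scripts must be relaxed in the client settings (or the script signed) before it evaluates.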

 

 

System Center 2012 Configuration Manager Configuration Pack

Detailed Summary

Configuration Manager 2012 Configuration Pack

Configuration Baseline: Microsoft System Center 2012 Configuration Manager Server Roles

  • Included Configuration Items (If these optional application configuration items are detected, they must be properly configured)
    • Microsoft System Center 2012 Configuration Manager Site Server
    • Microsoft System Center 2012 Configuration Manager Management Point
    • Microsoft System Center 2012 Configuration Manager Software Update Point
    • Windows Server Update Services configuration for Microsoft System Center 2012 Configuration Manager Software Update Point

Configuration Item: Microsoft System Center 2012 Configuration Manager Site Server

Type – Application

Detection Method – ScriptDiscovery (VBScript)

Settings:

  • ConfigMgr Distribution Manager Startup Type
    • Title– ConfigMgr Distribution Manager Startup Type
    • Description – Verifies the Distribution Manager component startup type is configured correctly. This setting applies to all primary sites, secondary sites, and Central Administration Server.
    • Type of provider – Registry value.
  • ConfigMgr Offer Manager Startup Type
    • Title– ConfigMgr Offer Manager Startup Type
    • Description – Verifies the Offer Manager component startup type is configured correctly. This setting applies only to primary site servers.
    • Type of provider – Registry value.
  • SMS_EXECUTIVE
    • Title– SMS_EXECUTIVE
    • Description – SMS_EXECUTIVE registry key should be present on site server.
    • Type of provider – Registry key.
  • Sync Done
    • Title– Sync Done
    • Description – Script checks status message system for presence of sync done message.
    • Type of provider – Script.
  • Sync in Progress: WSUS Server
    • Title– Sync in Progress: WSUS Server
    • Description – Script checks status message system for presence of sync in progress: WSUS server message.
    • Type of provider – Script.
  • Sync Started
    • Title– Sync Started
    • Description – Script checks status message system for presence of sync started message.
    • Type of provider – Script.
  • WSUS Configuration Manager Startup Type
    • Title– WSUS Configuration Manager Startup Type
    • Description – Verifies the WSUS Configuration Manager Component startup type is configured correctly.
    • Type of provider – Registry value.
  • WSUS Sync Manager Startup Type
    • Title– WSUS Sync Manager Startup Type
    • Description – Verifies the WSUS Sync Manager Component startup type is configured correctly.
    • Type of provider – Registry value.

Configuration Item: Microsoft System Center 2012 Configuration Manager Management Point

Type – Application

Detection Method – ScriptDiscovery (VBScript)

Settings:

  • Background Intelligent Transfer Service (BITS) Server Extensions
    • Title– Background Intelligent Transfer Service (BITS) Server Extensions
    • Description – Verify that BITS is installed on this IIS server.
    • Type of provider – Script.
  • BGB firewall port is opened
    • Title– BGB firewall port is opened
    • Description – Verifies that the ‘Big Green Button’ (BGB) firewall port for this Management Point is open.
    • Type of provider – Script.
  • BITS Upload Enabled
    • Title– BITS Upload Enabled
    • Description – Verify that BITS Upload is enabled in IIS.
    • Type of provider – WQL query.
  • IIS Admin Service Start Mode
    • Title– IIS Admin Service Start Mode
    • Description – Verifies the IIS Admin Service is properly configured to auto start.
    • Type of provider – WQL query.
  • IIS Admin Service State
    • Title– IIS Admin Service State
    • Description – Verifies the IIS Admin Service is running.
    • Type of provider – WQL query.
  • IIS Windows Authentication
    • Title– IIS Windows Authentication
    • Description – Verifies that IIS has Windows Authentication enabled.
    • Type of provider – Script.
  • Microsoft Distributed Transaction Coordinator Service State
    • Title– Microsoft Distributed Transaction Coordinator Service State
    • Description – Distributed Transaction Coordinator Service should be running on Management Point.
    • Type of provider – WQL query.
  • Microsoft Distributed Transaction Coordinator Start Mode
    • Title– Microsoft Distributed Transaction Coordinator Start Mode
    • Description – Verifies the MSDTC service is properly configured to auto start.
    • Type of provider – WQL query.
  • Minimum Physical Memory Requirement
    • Title– Minimum Physical Memory Requirement
    • Description – Management Point meets minimum physical memory (RAM) requirements.
    • Type of provider – WQL query.
  • Windows Task Scheduler Service State
    • Title– Windows Task Scheduler Service State
    • Description – Task Scheduler Service should be running on Management Point.
    • Type of provider – WQL query.
  • Windows Task Scheduler Start Mode
    • Title– Windows Task Scheduler Start Mode
    • Description – Verifies the Windows Task Scheduler is properly configured to auto start.
    • Type of provider – WQL query.
  • World Wide Web Publishing Service Start Mode
    • Title– World Wide Web Publishing Service Start Mode
    • Description – Verifies the World Wide Web Publishing Service is properly configured to auto start.
    • Type of provider – WQL query.
  • World Wide Web Publishing Service State
    • Title– World Wide Web Publishing Service State
    • Description – World Wide Web Publishing Service should be running on Management Point.
    • Type of provider – WQL query.
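The management point settings above are mostly 'WQL query' provider checks against Win32_Service, plus a script check for IIS Windows Authentication, a feature check for the BITS server extensions and a memory check. This added example (my code, not the Configuration Pack's) runs the equivalent queries locally on an MP so you can see what the baseline will evaluate before deploying it. It assumes Windows Server 2012 (ServerManager and WebAdministration modules), that the MP lives on 'Default Web Site', and a memory threshold that is my placeholder; the pack's real threshold is in the CI's properties.

```powershell
# Added example: local pre-check of the management point CI settings using the
# same WQL the 'WQL query' provider would run. Assumptions: Windows Server 2012,
# MP on 'Default Web Site', $MinimumRamGB is a placeholder (read the CI for the real value).

Import-Module ServerManager
Import-Module WebAdministration

$MinimumRamGB = 8                  # assumption, not the pack's value
$SiteName     = 'Default Web Site'

function Test-ServiceSetting {
    param([string]$Name, [string]$Title)
    # Identical to what a CI with the WQL query provider evaluates (namespace root\cimv2).
    $svc = Get-WmiObject -Namespace root\cimv2 `
        -Query "SELECT StartMode, State FROM Win32_Service WHERE Name = '$Name'"
    [pscustomobject]@{
        Setting   = $Title
        Value     = if ($null -ne $svc) { "$($svc.StartMode) / $($svc.State)" } else { 'not installed' }
        Compliant = ($null -ne $svc -and $svc.StartMode -eq 'Auto' -and $svc.State -eq 'Running')
    }
}

function Test-ManagementPointSettings {
    $results = @(
        Test-ServiceSetting -Name 'IISADMIN' -Title 'IIS Admin Service'
        Test-ServiceSetting -Name 'MSDTC'    -Title 'Microsoft Distributed Transaction Coordinator'
        Test-ServiceSetting -Name 'Schedule' -Title 'Windows Task Scheduler'
        Test-ServiceSetting -Name 'W3SVC'    -Title 'World Wide Web Publishing Service'
    )

    # BITS Server Extensions, the IIS feature the MP needs for BITS uploads.
    $bits = Get-WindowsFeature -Name BITS-IIS-Ext
    $results += [pscustomobject]@{
        Setting   = 'BITS Server Extensions'
        Value     = [string]$bits.InstallState
        Compliant = [bool]$bits.Installed
    }

    # IIS Windows Authentication on the site hosting the MP (the CI does this with a script).
    $winAuth = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
        -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name enabled
    $results += [pscustomobject]@{
        Setting   = 'IIS Windows Authentication'
        Value     = [string]$winAuth.Value
        Compliant = [bool]$winAuth.Value
    }

    # Physical memory, read from Win32_ComputerSystem as a WQL CI would.
    $ramGB = [math]::Round((Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
    $results += [pscustomobject]@{
        Setting   = 'Minimum Physical Memory'
        Value     = "$ramGB GB"
        Compliant = ($ramGB -ge $MinimumRamGB)
    }

    $results
}

Test-ManagementPointSettings | Format-Table -AutoSize
```

Run it elevated on the MP; every row with Compliant = False is a rule the baseline will flag, so you can fix the server before the first evaluation cycle instead of waiting for the report.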

Configuration Item: Microsoft System Center 2012 Configuration Manager Software Update Point

Type – Application

Detection Method – ScriptDiscovery (VBScript)

Settings:

  • WSUS Control Manager Current State
    • Title– WSUS Control Manager Current State
    • Description – Verifies the WSUS Control Manager Component is running.
    • Type of provider – Registry value.
  • WSUS Control Manager Startup Type
    • Title– WSUS Control Manager Startup Type
    • Description – Verifies the WSUS Control Manager Component startup type is configured correctly.
    • Type of provider – Registry value.

Configuration Item: Windows Server Update Services configuration for Microsoft System Center 2012 Configuration Manager Software Update Point

Type – Application

Detection Method – ScriptDiscovery (VBScript)

Settings:

  • microsoft.updateservices.admindataaccessproxy.dll
    • Title– microsoft.updateservices.admindataaccessproxy.dll
    • Description – Verify all instances of microsoft.updateservices.admindataaccessproxy.dll.
    • Type of provider – File system.
  • microsoft.updateservices.administration.dll
    • Title– microsoft.updateservices.administration.dll
    • Description – Check for the existence of microsoft.updateservices.administration.dll.
    • Type of provider – File system.
  • microsoft.updateservices.baseapi.dll
    • Title– microsoft.updateservices.baseapi.dll
    • Description – Verify all instances of microsoft.updateservices.baseapi.dll.
    • Type of provider – File system.
  • Setup
    • Title– Setup
    • Description – Setup Registry key should be present.
    • Type of provider – Registry key.
  • SMS_EXECUTIVE
    • Title– SMS_EXECUTIVE
    • Description – SMS_EXECUTIVE Registry key should be present.
    • Type of provider – Registry key.
  • Windows Server Update Services Start Mode
    • Title– Windows Server Update Services Start Mode
    • Description – Verifies the WSUS Service start mode is configured correctly.
    • Type of provider – WQL query.
  • WSUS
    • Title– WSUS
    • Description – WSUS Registry key should be present.
    • Type of provider – Registry key.
  • WSUS Control Manager Startup Type
    • Title– WSUS Control Manager Startup Type
    • Description – Verifies the WSUS Control Manager Component startup type is configured correctly.
    • Type of provider – Registry value.

ConfigMgr 2012 Compliance Settings


Compliance Settings in SCCM 2012 SP1. This was called 'Desired Configuration Management' in SCCM 2007. Compliance Settings consist of 'Configuration Items' and 'Configuration Baselines'. There is another node here: 'User Data and Profiles'. This one is not a Compliance Setting but Folder Redirection from within the ConfigMgr Console... (hmm, well, that's what GPOs are for, aren't they?)

Compliance Settings help you assess the compliance of users and/or devices for all kinds of configurations in your organization, for instance: the right OS version, updates, hotfixes, applications, application settings, prohibited applications, etc.

The Configuration Items do all the magic. They can be of various kinds:

  • Windows;
  • Mobile Device;
  • Mac OS X.

They can query settings through various providers (registry, file system, WQL query, script, and more). Configuration Items can also remediate non-compliant settings if you like!

Compliance is evaluated by defining a configuration baseline that contains the configuration items you want to evaluate, together with the settings and rules that describe the level of compliance you must have or would like to have. You can import this configuration data into ConfigMgr from Microsoft System Center Configuration Manager Configuration Packs, which contain best practices defined by Microsoft and other vendors, and you can create new configuration items and configuration baselines yourself for your own applications.

After a configuration baseline is defined, you can deploy it to users and devices through collections and evaluate its settings for compliance on a schedule. Client devices can have multiple configuration baselines deployed to them.

Configuration items: A collection of settings, values, and criteria that defines what is compared, checked, or evaluated on a target system.

Configuration baselines: Contain one or more configuration items. Configuration items must be part of a configuration baseline to be assigned for evaluation on a collection of systems.


To use Compliance Settings in your environment there are a few steps you have to take:

  • Enable Compliance Settings on your clients;
  • A Reporting services point must be installed as a site system role.


Enable Compliance Settings on your clients.

Go to: Administration – Client Settings

Edit or create 'Client Device Settings'

Select 'Compliance Settings'

And set 'Enable compliance evaluation on clients' to Yes

Then deploy the Client Device Settings to a collection.


A Reporting services point must be installed as a site system role.

The Reporting services point is installed.


Now you can Add Configuration Items and Define Configuration Baselines!

That’s next time!

WSUS and ConfigMgr 2012 HTTPS communication

When you have your ConfigMgr 2012 site fully communicating over HTTPS, you may also want your Software Updates delivered over a secure channel.

Well, that's possible!

More info: http://technet.microsoft.com/en-us/library/bb633246.aspx

When you have the WSUS component installed on the SCCM 2012 SP1 server, the same certificate that was used to secure the 'Default Web Site' can be used to secure the WSUS Administration site from within IIS.

TIP

Not all the virtual directories within the WSUS Administration site need to be enabled for SSL.
Only enable SSL for:

  • APIRemoting30
  • ClientWebService
  • DSSAuthWebService
  • ServerSyncWebService
  • SimpleAuthWebService

Web Server Configuration


To configure WSUS for SSL communication:

  1. Open Internet Information Services (IIS) Manager.
  2. Expand Sites, and select the WSUS administration site (which is often the ‘Default Web Site’).
  3. Click the Bindings action.
  4. Click Add, select HTTPS, and click Edit.
  5. Choose the certificate from the list.
    (Click View to verify the correct certificate was selected, click OK, and then click Close).
  6. Select the APIRemoting30 virtual directory.
  7. Double-click the SSL Settings option.
  8. Enable the Require SSL option and click Apply.
  9. Repeat for the ClientWebService, DSSAuthWebService, ServerSyncWebService, and SimpleAuthWebService virtual directories.

With the WSUS virtual directories correctly configured, run the following command on the WSUS server to finalize the configuration needed to support SSL. The FQDN you pass must match the subject name of the certificate bound to the site: WSUS stores it as its server certificate name, and clients validate the certificate against it:

WSUSUtil.exe configuressl {FQDN.siteservername}

This utility is located in the Tools folder within the WSUS installation folder.
(By default, this folder is C:\Program Files\Update Services\Tools.)

 

ConfigMgr Configuration

Under Administration – Overview – Site Configuration – Servers and Site System Roles, choose your Software Update Point and select Properties.

Now select 'Require SSL communication to the WSUS server'.


And as visible in the WCM.log we have SSL communication: