SQL Server 2012 SP1 – MsiInstaller Application Log Entries

If you are on SQL Server 2012 SP1 (11.0.3000) and you notice the Windows Application log filling up with MSI Installer events:

  • Information / Event ID 10000 / RestartManager / Starting session 0 – YYYY-MM-DDTHH:mm:sss.xxxxxxxxxxxxxxxxxx.
  • Information / Event ID 11724 / MsiInstaller / Product: SQL Server 2012 Management Studio — Install started.
  • Information / Event ID 11728 / MsiInstaller / Product: SQL Server 2012 Management Studio — Configuration completed successfully.
  • Information / Event ID 1035 / MsiInstaller / Windows Installer reconfigured the product. Product Name: SQL Server 2012 Management Studio. Product Version: 11.1.3000.0. Product Language: 1033. Manufacturer: Microsoft Corporation. Reconfiguration success or error status: 0.
  • Information / Event ID 1040 / MsiInstaller / Beginning a Windows Installer transaction: {A7037EB2-F953-4B12-B843-195F4D988DA1}. Client Process Id: XXXX.
  • Information / Event ID 1042 / MsiInstaller / Ending a Windows Installer transaction: {A7037EB2-F953-4B12-B843-195F4D988DA1}. Client Process Id: XXXXX.
  • Information / Event ID 10001 / RestartManager / Ending session 0 started YYYY-MM-DDTHH:mm:sss.xxxxxxxxxxxxxxxxxx.
  • Warning / Event ID 1004 / MsiInstaller / Detection of product ‘{A7037EB2-F953-4B12-B843-195F4D988DA1}’, feature ‘SQL_Tools_ANS’, component ‘{0CECE655-2A0F-4593-AF4B-EFC31D622982}’ failed. The resource ‘’ does not exist.
  • Warning / Event ID 1001 / MsiInstaller / Detection of product ‘{A7037EB2-F953-4B12-B843-195F4D988DA1}’, feature ‘SQL_Tools_ANS’ failed during request for component ‘{6E985C15-8B6D-413D-B456-4F624D9C11C2}’.

If you have the above symptoms, please look at this non-security hotfix KB download: http://www.microsoft.com/en-us/download/details.aspx?id=36215.

Do not install if you have already applied any post SP1 hotfixes, such as SP1 CU1.

Installing that fix will bring your SQL version to 11.0.3128, fix the problem with the MSI installer, and it should drop your CPU consumption a bit as well.
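As an added example (not code from the original post), the following script counts the MsiInstaller and RestartManager events quoted above over a time window and then checks whether the instance is still at build 11.0.3000, the only build the hotfix is meant for. The instance name, the window and the Windows-authenticated connection are assumptions.

```powershell
# Added example, not from the original post: triage the MSI event flood described above
# and gate the hotfix on the SQL Server build. Instance name and window are assumptions.
param(
    [string]$SqlInstance = 'localhost',
    [int]$Hours = 24
)

# Event IDs quoted in the post, keyed by provider.
$eventIds = @{
    'MsiInstaller'   = @(1001, 1004, 1035, 1040, 1042, 11724, 11728)
    'RestartManager' = @(10000, 10001)
}
# Product code of SQL Server 2012 Management Studio, as it appears in the log entries above.
$ssmsProduct = '{A7037EB2-F953-4B12-B843-195F4D988DA1}'
$since = (Get-Date).AddHours(-$Hours)

$hits = @(foreach ($provider in $eventIds.Keys) {
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = $provider
        Id           = $eventIds[$provider]
        StartTime    = $since
    } -ErrorAction SilentlyContinue
})

# Per provider/ID counts; a steady stream of 1004/1001 warnings against the SSMS
# product code is the pattern the post describes.
$hits |
    Group-Object ProviderName, Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

$ssmsWarnings = @($hits | Where-Object { ($_.Id -in 1001, 1004) -and ($_.Message -like "*$ssmsProduct*") })
"{0} component-detection warnings for product {1} in the last {2} h" -f $ssmsWarnings.Count, $ssmsProduct, $Hours

# Build check: the hotfix takes 11.0.3000 to 11.0.3128 and must not be applied on top of SP1 CU1 or later.
$conn = New-Object System.Data.SqlClient.SqlConnection "Server=$SqlInstance;Integrated Security=True"
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = "SELECT CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(32))"
    $build = [version]$cmd.ExecuteScalar()
} finally { $conn.Close() }

if ($build -eq [version]'11.0.3000') {
    "Build $build is SP1 RTM: the hotfix from the post applies."
} elseif ($build -gt [version]'11.0.3000') {
    "Build $build already has a post-SP1 update: do not install the hotfix."
} else {
    "Build $build is not SP1 (11.0.3000): the hotfix does not apply."
}
```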

Components in WinPE Boot Image – SCCM 2012 SP1

I was going through the Optional Components you can select to inject into your SCCM 2012 SP1 boot image. Then I found this reference on the excellent Microsoft site:

http://technet.microsoft.com/en-us/library/hh824926.aspx

Here is an overview of the components: first the standard ones, then the optional ones.

Standard Components

Area – Optional component name – Description

Scripting – WinPE-Scripting

WinPE-Scripting contains a multiple-language scripting environment that is ideal for automating system administration tasks, such as batch file processing. Scripts that run in the Windows Script Host (WSH) environment can call WSH objects and other COM-based technologies that support Automation, such as WMI, to manage the Windows subsystems that are central to many system administration tasks.

Dependencies: Install WinPE-Scripting to make sure that full scripting functionality is available when you are using WinPE-NetFX4 and WinPE-HTA. The installation order is irrelevant.

Scripting – WinPE-WMI

WinPE-WMI contains a subset of the Windows Management Instrumentation (WMI) providers that enable minimal system diagnostics. WMI is the infrastructure for management data and operations on Windows-based operating systems. You can write WMI scripts or applications to automate administrative tasks on remote computers. Additionally, WMI supplies management data to other parts of the operating system and products.

Startup – WinPE-SecureStartup

New for Windows 8. WinPE-SecureStartup enables provisioning and management of BitLocker and the Trusted Platform Module (TPM). It includes BitLocker command-line tools, BitLocker WMI management libraries, a TPM driver, TPM Base Services (TBS), the Win32_TPM class, the BitLocker Unlock Wizard, and BitLocker UI libraries. The TPM driver provides better support for both BitLocker and the TPM in this preboot environment.

Dependencies: Install WinPE-WMI before you install WinPE-SecureStartup.

Network – WinPE-WDS-Tools

WinPE-WDS-Tools includes APIs to enable the Image Capture tool and a multicast scenario that involves a custom Windows Deployment Services client. It must be installed if you intend to run the Windows Deployment Services client on a custom Windows PE image.

Optional Components

Area – Optional component name – Description

Database – WinPE-MDAC

WinPE-MDAC supports Microsoft® Open Database Connectivity (ODBC), OLE DB, and Microsoft ActiveX® Data Objects (ADO). This set of technologies provides access to various data sources, such as Microsoft SQL Server®. For example, this access enables queries to Microsoft SQL Server installations that contain ADO objects. You can build a dynamic answer file from unique system information. Similarly, you can build data-driven client or server applications that integrate information from a variety of data sources, both relational (SQL Server) and non-relational.

File management – WinPE-FMAPI

WinPE-FMAPI provides access to the Windows PE File Management API (FMAPI) for discovering and restoring deleted files from unencrypted volumes. The FMAPI also provides the ability to use a password or recovery key file for the discovery and recovery of deleted files from Windows BitLocker Drive Encryption encrypted volumes.

Fonts – WinPE-FontSupport-JA-JP

WinPE-FontSupport-JA-JP contains two Japanese font families that are packaged as TrueType Collection (TTC) files. MS Gothic is the Windows Japanese user interface font in versions of Windows before Windows Vista®. MS Gothic contains a large character set and embedded bitmaps to ensure legible rendering at small sizes. Meiryo, a font that was introduced in Windows Vista, is designed specifically for use in a Microsoft ClearType® rendering environment. Meiryo does not include embedded bitmaps. Instead, Meiryo relies on hinting instructions to produce legible characters at small sizes. In addition, the module contains two Japanese bitmap fonts, App932.fon and Vga932.fon. The module also contains a bitmap-only TrueType font, Jpn_font.ttf. This font is used on boot screens.

Fonts – WinPE-FontSupport-KO-KR

WinPE-FontSupport-KO-KR contains three core Korean font families: Gulim, Batang and Malgun Gothic. Gulim is the legacy UI font and, as a TTC file, contains Gulim, GulimChe, Dotum and DotumChe. Batang is the legacy text font and is also a TTC file, containing Batang, BatangChe, GungSuh and GungSuhChe. Malgun Gothic, a font that was introduced in Windows Vista, is designed specifically for use in a ClearType rendering environment. Malgun Gothic does not include embedded bitmaps and instead relies on hinting instructions to produce legible characters at small sizes.

Fonts – WinPE-FontSupport-ZH-CN

WinPE-FontSupport-ZH-CN contains two Chinese font families that are packaged as TTC files. Simsun is the Simplified Chinese user interface font in Windows versions before Windows Vista. Simsun contains embedded bitmaps to ensure legible rendering at small sizes. The other TTC font is MingLiu. MingLiu has embedded bitmaps and provides support for the Hong Kong Supplementary Character Set (HKSCS). YaHei, a font that was introduced in Windows Vista, is designed specifically for use in a ClearType rendering environment. YaHei does not include embedded bitmaps. YaHei relies on hinting instructions to produce legible characters at small sizes. In addition, the module contains one bitmap-only TrueType font, Chs_boot.ttf. This font is used on boot screens.

Fonts – WinPE-FontSupport-ZH-HK and WinPE-FontSupport-ZH-TW

The Hong Kong and Taiwan optional components contain two Chinese font families that are packaged as TTC files. Simsun is the Simplified Chinese user interface font in Windows versions before Windows Vista. Simsun contains embedded bitmaps to ensure legible rendering at small sizes. MingLiu has embedded bitmaps and provides support for the HKSCS. JhengHei, a font that was introduced in Windows Vista, is designed specifically for use in a ClearType rendering environment. JhengHei does not include embedded bitmaps. JhengHei relies on hinting instructions to produce legible characters at small sizes. In addition, the module contains one bitmap-only TrueType font, Cht_boot.ttf. This font is used on boot screens.

HTML – WinPE-HTA

WinPE-HTA provides HTML Application (HTA) support to create GUI applications through the Windows Internet Explorer® script engine and HTML services. These applications are trusted and display only the menus, icons, toolbars, and title information that you create.

Microsoft .NET – WinPE-NetFX4

WinPE-NetFX4 contains a subset of the .NET Framework 4.5 that is designed for client applications.

Not all Windows binaries are present in Windows PE, and therefore not all Windows APIs are present or usable. Due to the limited API set, the following .NET Framework features have no or reduced functionality in Windows PE:

  • Windows Runtime
  • .NET Framework Fusion APIs
  • Windows Control Library event logging
  • .NET Framework COM Interoperability
  • .NET Framework Cryptography Model

Dependencies: Install WinPE-WMI before you install WinPE-NetFX4.

Network – WinPE-PPPoE

WinPE-PPPoE enables you to use Point-to-Point Protocol over Ethernet (PPPoE) to create, connect, disconnect, and delete PPPoE connections from Windows PE. PPPoE is a network protocol for encapsulating Point-to-Point Protocol (PPP) frames inside Ethernet frames. PPPoE enables Windows users to remotely connect their computers to the web. By using PPPoE, users can virtually dial from one computer to another over an Ethernet network, to establish a point-to-point connection between the computers. The computers can use this point-to-point connection to transport data packets.

Network – WinPE-RNDIS

WinPE-RNDIS contains Remote Network Driver Interface Specification (Remote NDIS) support. WinPE-RNDIS enables network support for devices that implement the Remote NDIS specification over USB. Remote NDIS defines a bus-independent message set and a description of how this message set operates over various I/O buses. Therefore, hardware vendors do not have to write an NDIS miniport device driver. Because this Remote NDIS interface is standardized, one set of host drivers can support any number of bus-attached networking devices.

Windows PowerShell – WinPE-PowerShell3

WinPE-PowerShell3 contains Windows PowerShell–based diagnostics that simplify using Windows Management Instrumentation (WMI) to query the hardware during manufacturing. You can create Windows PowerShell–based deployment and administrative Windows PE–based tools. In addition to deployment, you can use Windows PowerShell for recovery scenarios. Customers can boot in Windows RE and then use Windows PowerShell scripts to resolve issues. Customers are not limited to the toolsets that run in Windows PE. Similarly, you can build scripted offline solutions to recover some computers from no-boot scenarios.

WinPE-PowerShell3 has the following known limitations:

  • Windows PowerShell remoting is not supported. Any cmdlets that have remoting functionality will return an error.
  • The Windows PowerShell Integrated Scripting Environment (ISE) is not supported.
  • Windows PowerShell 2.0 is not supported.

Dependencies: Install WinPE-WMI > WinPE-NetFX4 > WinPE-Scripting before you install WinPE-PowerShell3.

Windows PowerShell – WinPE-DismCmdlets

WinPE-DismCmdlets contains the DISM PowerShell module, which includes cmdlets used for managing and servicing Windows images.

For more info, see Deployment Imaging Servicing Management (DISM) Cmdlets in Windows PowerShell.

Dependencies: Install WinPE-WMI > WinPE-NetFX4 > WinPE-Scripting > WinPE-PowerShell3 before you install WinPE-DismCmdlets.

Windows PowerShell – WinPE-StorageWMI

WinPE-StorageWMI contains PowerShell cmdlets for storage management. These cmdlets use the Windows Storage Management API (SMAPI) to manage local storage, such as disk, partition, and volume objects. Or, these cmdlets use the Windows SMAPI together with array storage management by using a storage management provider. WinPE-StorageWMI also contains Internet SCSI (iSCSI) Initiator cmdlets for connecting a host computer or server to virtual disks on external iSCSI-based storage arrays through an Ethernet network adapter or iSCSI Host Bus Adapter (HBA).

Dependencies: Install WinPE-WMI > WinPE-NetFX4 > WinPE-Scripting > WinPE-PowerShell3 before you install WinPE-StorageWMI.

Recovery – WinPE-WinReCfg

WinPE-WinReCfg contains the Winrecfg.exe tool, and it enables the following scenarios:

  • Boot from x86-based Windows PE to configure Windows RE settings on an offline x64-based operating system image.
  • Boot from x64-based Windows PE to configure Windows RE settings on an offline x86-based operating system image.

Before Windows 8, the Winrecfg.exe tool was included in the Windows 7 OEM Preinstallation Kit (Windows OPK).

Setup – WinPE-LegacySetup

WinPE-LegacySetup contains all Setup files from the \Sources folder on the Windows media. Add this optional component when you service Setup or the \Sources folder on the Windows media. You must add this optional component together with the optional component for the Setup feature. To add a new Boot.wim file to the media, add the parent WinPE-Setup, either of the children (WinPE-Setup-Client or WinPE-Setup-Server), and Media optional components. Media Setup is required to support Windows Server® 2008 R2 installation.

Setup – WinPE-Setup

WinPE-Setup is the parent of WinPE-Setup-Client and WinPE-Setup-Server. It contains all Setup files from the \Sources folder that are common to the client and the server.

Setup – WinPE-Setup-Client

WinPE-Setup-Client contains the client branding files for the parent WinPE-Setup optional component.

Dependencies: Install WinPE-Setup before you install WinPE-Setup-Client.

Setup – WinPE-Setup-Server

WinPE-Setup-Server includes the server branding files for the parent WinPE-Setup optional component.

Dependencies: Install WinPE-Setup before you install WinPE-Setup-Server.

Storage – WinPE-EnhancedStorage

New for Windows 8. WinPE-EnhancedStorage enables Windows to discover additional functionality for storage devices, such as encrypted drives, and implementations that combine Trusted Computing Group (TCG) and IEEE 1667 (“Standard Protocol for Authentication in Host Attachments of Transient Storage Devices”) specifications. This optional component enables Windows to manage these storage devices natively by using BitLocker.
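As an added example (not code from the post or from Microsoft), the script below takes a requested set of optional components, orders them according to the "Dependencies:" lines in the table above (depth-first, prerequisites first) and emits the DISM commands to add each component and its language pack to a mounted boot image. The mount path and the ADK 8.0 WinPE_OCs path are assumptions; adjust them for your environment.

```powershell
# Added example, not from the original post: resolve WinPE optional component install order
# from the dependency lines in the table and emit/run the matching DISM commands.
param(
    [string[]]$Components = @('WinPE-DismCmdlets', 'WinPE-StorageWMI', 'WinPE-SecureStartup', 'WinPE-HTA'),
    [string]$MountPath = 'C:\WinPE_amd64\mount',                      # assumption: where boot.wim is mounted
    [string]$OcPath    = 'C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs',
    [string]$Lang      = 'en-us',
    [switch]$Run                                                      # without -Run the commands are only printed
)

# Prerequisites exactly as stated in the "Dependencies:" lines of the table. WinPE-HTA is
# not listed because the table says its order relative to WinPE-Scripting is irrelevant.
$deps = @{
    'WinPE-SecureStartup' = @('WinPE-WMI')
    'WinPE-NetFX4'        = @('WinPE-WMI')
    'WinPE-PowerShell3'   = @('WinPE-WMI', 'WinPE-NetFX4', 'WinPE-Scripting')
    'WinPE-DismCmdlets'   = @('WinPE-WMI', 'WinPE-NetFX4', 'WinPE-Scripting', 'WinPE-PowerShell3')
    'WinPE-StorageWMI'    = @('WinPE-WMI', 'WinPE-NetFX4', 'WinPE-Scripting', 'WinPE-PowerShell3')
    'WinPE-Setup-Client'  = @('WinPE-Setup')
    'WinPE-Setup-Server'  = @('WinPE-Setup')
}

function Resolve-InstallOrder {
    param([string[]]$Requested, [hashtable]$Dependencies)
    $ordered  = New-Object System.Collections.Generic.List[string]
    $visiting = @{}
    # Post-order walk: a component is appended only after everything it depends on.
    function Visit([string]$name) {
        if ($ordered.Contains($name)) { return }
        if ($visiting[$name]) { throw "Circular dependency at $name" }
        $visiting[$name] = $true
        foreach ($d in @($Dependencies[$name])) { if ($d) { Visit $d } }
        $visiting.Remove($name)
        $ordered.Add($name)
    }
    foreach ($r in $Requested) { Visit $r }
    return $ordered
}

$order = Resolve-InstallOrder -Requested $Components -Dependencies $deps
"Install order: " + ($order -join ' > ')

foreach ($name in $order) {
    # Each component ships as <name>.cab plus a language pack <lang>\<name>_<lang>.cab.
    $cabs = @("$OcPath\$name.cab", "$OcPath\$Lang\${name}_$Lang.cab")
    foreach ($cab in $cabs) {
        if (-not (Test-Path -LiteralPath $cab)) { Write-Warning "Missing package: $cab"; continue }
        "Dism /Image:`"$MountPath`" /Add-Package /PackagePath:`"$cab`""
        if ($Run) { & dism.exe /Image:$MountPath /Add-Package /PackagePath:$cab }
    }
}
```

For the default request the printed order is WinPE-WMI > WinPE-NetFX4 > WinPE-Scripting > WinPE-PowerShell3 > WinPE-DismCmdlets > WinPE-StorageWMI > WinPE-SecureStartup > WinPE-HTA, which matches the chains given in the table.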

Cumulative Update (CU1) Pack for System Center 2012 Configuration Manager Service Pack 1 (SP1)

Microsoft has released the first Cumulative Update (CU1) Pack for System Center 2012 Configuration Manager Service Pack 1 (SP1).

This CU1 is available here!

An overview:

Issues that are fixed

Administrator Console

  • A Discovery Data Record (DDR) that contains organizational unit (OU) paths longer than 220 characters is not processed. The DDM.log file on the site server contains event messages that resemble the following:

    CDiscoverySource::ValidateSchema – array property User OU Name cannot expand size so rejecting.
    CDiscoverDataManager::ProcessDDRs – Unable to update data source.

  • The Allow clients to use a fallback source location for content option is missing from the Distribution Points tab of the package properties.

Site systems

  • Replication Configuration Manager incorrectly reports the link status as Degraded and then reports the status as Active one minute later.
  • Site replication fails after a site database is restored to a new server. Additionally, the Rcmctrl.log file contains the following error message:

    ERROR: Received unhandled SQL exception, printing info and throwing it again. This will be retried in next cycle.
    SqlException number: [8115]
    ERROR: Exception message: [Arithmetic overflow error converting expression to data type int.~~The ‘spGetChangeTrackingMinValidVersion’ procedure attempted to return a status of NULL, which is not allowed. A status of 0 will be returned instead.]

Device management

  • The Configuration Manager client cannot be installed on devices that contain newer ARM processors. Additionally, the following error message is logged in the DmClientSetup log file:

    Fail to get the CAB file name because of unsupported processor type: 0

Software updates

  • The Allow clients to share content with other clients on the same subnet option in the properties of a Software Update Group Deployment is ignored. Additionally, the DataTransferService.log file contains the following message:

    Not using branch cache option.

  • When a custom port is configured for software updates, an Internet only client may append the custom port to the URL for the Windows Update service. Additionally, when the custom port is set to 880, log entries that resemble the following may be logged in the DataTransferService.log file:

    UpdateURLWithTransportSettings(): OLD URL – http://download.windowsupdate.com/msdownload/update.cab

    UpdateURLWithTransportSettings(): NEW URL – http://download.windowsupdate.com:880/msdownload/update.cab

  • The Schedule Updates Wizard does not list content for Windows Server 2012. For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:

    2793237 FIX: The Schedule Updates Wizard does not list content for Windows Server 2012 in System Center 2012 Configuration Manager Service Pack 1

Client

  • The MicrosoftPolicyPlatformSetup.msi file is now correctly signed.
  • The selection of multiple targeted applications in Software Center will fail if the calendar region is set to Arabic (Saudi Arabia). Additionally, Software Center displays the following error message:

    Software Center cannot be loaded. There is a problem loading the required components for Software Center. You can try launching Software Center at a later time. If the problem continues, you can contact your helpdesk.

  • The hardware inventory on a computer that is running a 32-bit version of Windows Server 2003 R2 may cause the Wmiprvse.exe process to exit unexpectedly. Additionally, when you view the results of the fault, the details of the fault resemble the following:

    Faulting application wmiprvse.exe, version 5.2.3790.4455, faulting module msvcr90.dll, version 9.0.30729.6161, fault address 0x00056b1d

  • PXE support is added for IA-32 EFI computers.

PowerShell

  • When the Clear-CMPxeDeployment cmdlet is run, you receive the following error message:

    The method or operation is not implemented.

  • When the Update-CMDistributionPoint -DeploymentTypeName cmdlet is run, you receive the following error message:

    Key not Found Exception.

  • When the New-CMDeviceCollection cmdlet is run, the refreshschedule parameter is not defined in the NewByLimitName parameter set.
  • When the New-CMDeviceCollection cmdlet is run together with the LimitingCollectionName option, the cmdlet is unsuccessful. Additionally, you receive the following error message:

    Unable to cast object of type ‘Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlArrayItems’ to type ‘System.Management.ManagementBaseObject’.

  • When the .GetType method is used for the object that is returned by the New-CMSchedule cmdlet, the method is unsuccessful. Additionally, you receive the following error message:

    The adapter cannot get property “GetType” for instance of SMS_ST_RecurInterval.

  • When the Import-CMComputerInformation -CollectionName “All Systems” -ComputerName “Computer01” -MacAddress “xx:xx:xx:xx:xx:xx” command is run, the command is unsuccessful. Additionally, you receive the following error message:

    WARNING: The collection All Systems does not exist or is not suitable for adding the new device.

Functionality that is updated

PowerShell

Help for PowerShell is updated for the cmdlets that are included in Configuration Manager Service Pack 1 and in this cumulative update. In a PowerShell environment, use the Update-Help -Module ConfigurationManager cmdlet to retrieve the latest Help information from Microsoft.

The following cmdlets are added to the PowerShell module:

  • Add-CMDistributionPoint
  • Import-CMAntiMalwarePolicy
  • Import-CMDriver
  • New-CMAppVVirtualEnvironment
  • New-CMMigrationJob
  • New-CMPackage
  • New-CMSoftwareUpdateAutoDeploymentRule
  • New-CMTaskSequence
  • New-CMTaskSequenceInstallUpdateAction
  • New-CMTaskSequenceMedia
  • New-CMUserDataAndProfileConfigurationItem
  • Remove-CMTaskSequenceInstallUpdateAction
  • Set-CMTaskSequenceGroup
  • New-CMTaskSequenceGroup
  • Remove-CMTaskSequenceGroup
  • Set-CMApplicationCatalogWebsitePoint
  • Set-CMAppVVirtualEnvironment
  • Set-CMClientPushInstallation
  • Set-CMClientSetting
  • Set-CMDistributionPoint
  • Set-CMDriver
  • Set-CMEndpointProtectionPoint
  • Set-CMEnrollmentPoint
  • Set-CMEnrollmentProxyPoint
  • Set-CMHierarchySetting
  • Set-CMManagementPointComponent
  • Set-CMOperatingSystemImageUpdateSchedule
  • Set-CMOutOfBandManagementComponent
  • Set-CMReportingServicePoint
  • Set-CMSite
  • Set-CMSoftwareUpdateAutoDeploymentRule
  • Set-CMSoftwareUpdatePointComponent
  • Set-CMStateMigrationPoint
  • Set-CMStatusSummarizer
  • Set-CMSystemHealthValidatorPointComponent
  • Set-CMTaskSequence
  • Set-CMTaskSequenceInstallUpdateAction
  • Set-CMUserDataAndProfileConfigurationItem
  • Start-CMDistributionPointUpgrade

Security Compliance Manager 3.0

The Microsoft Security Compliance Manager (SCM) helps you create and maintain security baselines using Group Policy Objects or System Center Configuration Manager 2012.

With SCM, you can obtain baseline policies based on security best practices, customize them to the particular needs of your organization and export them to a number of formats for use in different scenarios.

From the Microsoft site:

New! Version 3.0 of the Security Compliance Manager (SCM) tool is now available for download! In addition to key features from the previous version, SCM 3.0 offers new baselines for Internet Explorer 10, Windows 8, and Windows Server 2012! SCM enables you to quickly configure and manage computers and your private cloud using Group Policy and Microsoft System Center Configuration Manager.

SCM 3.0 provides ready-to-deploy policies and DCM configuration packs based on Microsoft Security Guide recommendations and industry best practices, allowing you to easily manage configuration drift, and address compliance requirements for Windows operating systems and Microsoft applications.

And

Overview

The Microsoft Security Compliance Manager takes our extensive guidance and documentation—including the previously stand-alone product-specific security guides—and incorporates it into one tool, enabling you to access and automate all of your organization’s security baselines in a centralized location.

To access the security guidance for Windows client and server operating systems and Microsoft applications, simply download the tool, and select the “Attachments \ Guides” node within each product baseline tree.

Take advantage of the experience of Microsoft security professionals, and reduce the time and money required to harden your environment. This end-to-end Solution Accelerator will help you plan, deploy, operate, and manage your security baselines for Windows client and server operating systems, and Microsoft applications. Access the complete database of Microsoft recommended security settings, customize your baselines, and then choose from multiple formats—including XLS, Group Policy objects (GPOs), Desired Configuration Management (DCM) packs, or Security Content Automation Protocol (SCAP)—to export the baselines to your environment to automate the security baseline deployment and compliance verification process. Use the Security Compliance Manager to achieve a secure, reliable, and centralized IT environment that will help you better balance your organization’s needs for security and functionality.

Key Features & Benefits

  • Integration with the System Center 2012 Process Pack for IT GRC: Product configurations are integrated into the Process Pack for IT GRC to provide oversight and reporting of your compliance activities.
  • Gold master support: Import and take advantage of your existing Group Policy or create a snapshot of a reference machine to kick-start your project.
  • Configure stand-alone machines: Deploy your configurations to non-domain joined computers using the new GPO Pack feature.
  • Updated security guidance: Take advantage of the deep security expertise and best practices in the updated security guides and the attack surface reference workbooks to help reduce the security risks that you consider to be the most important.
  • Centralized Management of Your Baseline Portfolio: The centralized management console of the Security Compliance Manager provides you with a unified, end-to-end user experience to plan, customize, and export security baselines. The tool gives you full access to a complete portfolio of recommended baselines for Windows client and server operating systems, and Microsoft applications. The Security Compliance Manager also enables you to quickly update the latest Microsoft baseline releases and take advantage of baseline version control.
  • Security Baseline Customization: Customizing, comparing, merging, and reviewing your baselines policy configurations just got easier. Use the customization capabilities of the Security Compliance Manager to duplicate any of the recommended baselines from Microsoft and quickly modify security settings to meet the standards of your organization’s environment.
  • Multiple Export Capabilities: Export baselines in formats like XLS, Group Policy objects (GPOs), Desired Configuration Management (DCM) packs, or Security Content Automation Protocol (SCAP) to enable automation of deployment and monitoring baseline compliance.
  • Available policy configuration baselines include Windows Server 2012, Windows Server 2008 R2 SP1, Windows Server 2008 SP2, Windows Server 2003 SP2, Hyper-V, Windows 8, Windows 7 SP1, Windows Vista SP2, Windows XP SP3, BitLocker Drive Encryption, Windows Internet Explorer 10, Windows Internet Explorer 9, Windows Internet Explorer 8, Microsoft Office 2010 SP1, Microsoft Office 2007 SP2, Exchange Server 2010 SP2 and Exchange Server 2007 SP3.

So how does this work?

First you have to download SCM. This can be done HERE.

Installation

Kick off the Security_Compliance_Manager_Setup.exe

Prerequisite installation

SQL Express 2008 is required. If no instance is found, you can install one from here.

And off we go!

After you select ‘Finish’, SCM will start automatically and import the first baselines.

And then the console opens.

One of the features I like is the export to an ‘SCCM DCM 2007 (.cab)’ file, which you can import into ConfigMgr. Yes, this is the old name, but the files are also usable in ConfigMgr 2012 SP1!

So fire up your SCCM 2012 SP1 console, go to Assets and Compliance – Overview – Compliance Settings – Configuration Baselines and ‘Import’. Click ‘Add’.

You will get a warning that the publisher could not be verified (too bad, because it is from Microsoft...).

But it will succeed.

Browse through the settings and find out the best practices Microsoft has in mind.

Now all you have to do is ‘Deploy’ the baseline to a Collection and see if your environment is healthy according to Microsoft’s best practices!

HTTPS Communication SCCM 2012 SP1 (Part 3)

If you do a default installation of ConfigMgr 2012 the clients will communicate over HTTP with the Management Point. Also all traffic from the Distribution Point will be over HTTP. And if you use the Application Catalog, well that’s HTTP also.

In this 3-post series I will explain the steps to go from HTTP to HTTPS communication.
In the first post (HERE) I explained the certificates needed; the second (HERE) and third one (this one) do the actual work of transforming ConfigMgr from HTTP to HTTPS.

What is going to happen:

  • Have HTTPS traffic from and to the Distribution Point

 

So I have got my clients communicating over HTTPS, with my PKI Infrastructure, to the Management Point. Nice!
But now I want the traffic from and to the Distribution Point also over HTTPS.

 

ConfigMgr Configuration

Under Administration – Overview – Site Configuration – Servers and Site System Roles select the server with the Distribution Point Role. Select Properties.

Import Certificate.
You need the ConfigMgr Client Distribution Point certificate (the .PFX); supply the password and click OK.

 

And now the data is flowing securely from and to your DP.

 

Part 1 Here.

Part 2 Here.

HTTPS Communication SCCM 2012 SP1 (Part 2)

If you do a default installation of ConfigMgr 2012 the clients will communicate over HTTP with the Management Point. Also all traffic from the Distribution Point will be over HTTP. And if you use the Application Catalog, well that’s HTTP also.

In this 3-post series I will explain the steps to go from HTTP to HTTPS communication.
In the first post (HERE) I explained the certificates needed; the second (this one) and third one (HERE) do the actual work of transforming ConfigMgr from HTTP to HTTPS.

What is going to happen in this post:

  • Have the Clients talk over HTTPS to the site server (Management Point)

 

With all the certificates in place let’s see if I can change the Client to communicate over PKI and HTTPS instead of HTTP and a self-signed certificate.

 

Site Server Communication

Export the Root CA Certificate as a DER encoded binary X.509 (.CER) certificate.

In the ConfigMgr console go to Administration – Overview – Site Configuration – Sites and select your Site.

Right-click and select Properties.

Go to the tab Client Computer Communication and change the setting to HTTPS Only. If you still have clients with HTTP then you can select HTTP or HTTPS.

Under Trusted Root Certification Authorities select your Root CA Certificate.

 

For a client that has already been deployed, just wait: the client certificate will change to PKI.

And I am communicating over HTTPS with my PKI:

As I can also see in my ClientLocation.log

 

In the ccmsetup.log it is visible that all communication is secure.
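Besides reading ClientLocation.log and ccmsetup.log, you can verify the switch from the wire. The script below is an added example (not from these posts): from a client it connects to each site system on 443, pulls the certificate IIS presents (the Web Server certificate on the Management Point and on the Distribution Point from Part 3) and checks that it chains to your own root CA, carries the Server Authentication EKU and has a DNS SAN for the name clients use. The host names and the root CA thumbprint are placeholders.

```powershell
# Added example, not from the original posts: check the HTTPS certificate each ConfigMgr
# site system presents. Host names and the root CA thumbprint are placeholders.
param(
    [string[]]$SiteSystems = @('cm01.corp.example', 'dp01.corp.example'),
    [string]$RootCaThumbprint = '0000000000000000000000000000000000000000'   # placeholder: your Root CA
)

function Get-RemoteCertificate([string]$HostName) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, 443)
        # Accept everything in the callback; the chain is evaluated explicitly below.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

function Test-SiteSystemTls([string]$HostName, [string]$ExpectedRoot) {
    $cert  = Get-RemoteCertificate $HostName
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # CRL reachability deserves its own check
    $chainOk = $chain.Build($cert)
    $root    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Enhanced Key Usage
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
    $ekuOids = if ($eku) { @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }
    $sanText = if ($san) { $san.Format($false) } else { '' }

    [pscustomobject]@{
        Host        = $HostName
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer          # a self-signed ConfigMgr certificate shows up here
        NotAfter    = $cert.NotAfter
        ChainValid  = $chainOk
        RootIsOurCA = ($root.Thumbprint -eq $ExpectedRoot)
        ServerAuth  = ($ekuOids -contains '1.3.6.1.5.5.7.3.1')   # Server Authentication EKU
        SanHasHost  = ($sanText -like "*DNS Name=$HostName*")
    }
}

foreach ($h in $SiteSystems) {
    try   { Test-SiteSystemTls -HostName $h -ExpectedRoot $RootCaThumbprint }
    catch { Write-Warning ("{0}: {1}" -f $h, $_.Exception.Message) }
}
```

Every row should show ChainValid, RootIsOurCA, ServerAuth and SanHasHost as True; an Issuer that is not your CA means that site system is still using the self-signed certificate.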

 

Part 1 Here.

Part 3 Here.

HTTPS Communication SCCM 2012 SP1 (Part 1)

If you do a default installation of ConfigMgr 2012 the clients will communicate over HTTP with the Management Point. Also all traffic from the Distribution Point will be over HTTP. And if you use the Application Catalog, well that’s HTTP also.

In this 3-post series I will explain the steps to go from HTTP to HTTPS communication.
In the first post (this one) I explain the certificates needed; the second (HERE) and third one (HERE) do the actual work of transforming ConfigMgr from HTTP to HTTPS.

As you could read in a previous post, my PKI infrastructure is already in place.
Time to put it to its full use!

For full background details look here: http://technet.microsoft.com/en-us/library/gg682023.aspx#BKMK_clientdistributionpoint2008_cm2012

 

ConfigMgr 2012 SP1 needs 3 certificates to fully function:

  1. Client Certificate
  2. Web Server Certificate
  3. Client certificate for Distribution Points

 

The Client Certificate will be deployed through Active Directory with an auto-enrollment GPO. The other 2 will be imported on the SCCM 2012 SP1 server.

The Web Server Certificate will be configured in Internet Information Server (IIS), and the Client certificate for Distribution Points will be used to authenticate the Distribution Point over HTTPS and for PXE support to clients. This will be configured in SCCM 2012 SP1.

 

Client Certificate

On the Certificate Authority (CA) server open up your CA and Duplicate Template.
The template you need for this is the Workstation Authentication.
Make sure to select ‘Windows Server 2003 Enterprise’ as ‘Windows Server 2008 Enterprise’ is NOT supported by ConfigMgr 2012 SP1!

On the security tab select ‘Read’ and ‘Autoenroll’ for Domain Computers, do not clear ‘Enroll’.

Back in the CA console, right-click Certificate Templates, New and Certificate Template to Issue. Choose your Client Certificate.


 

Auto-enrollment of the Client Certificate

For auto-enrollment use a Group Policy Object (GPO).

Best practice is to use a separate GPO for the auto-enrollment.
In the Group Policy Management console, Create a GPO in this domain, and Link it here.
(be sure to point to the right Organizational Unit (OU)).

Now go to Computer Configuration – Policies – Windows Settings – Security Settings – Public Key Policies.

 

Right-click and Enable auto-enrollment:
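Once the GPO has applied, the quickest way to see whether a client actually received a usable certificate from the duplicated template is to check its machine store. The script below is an added example, not part of the original post; the template name 'ConfigMgr Client Certificate' is a placeholder for whatever you named the duplicated Workstation Authentication template, and it should be run elevated on a domain-joined client.

```powershell
param(
    [string]$TemplateName = 'ConfigMgr Client Certificate'   # placeholder: name of the duplicated template
)

$clientAuthEku  = '1.3.6.1.5.5.7.3.2'     # Client Authentication EKU the ConfigMgr client requires
$templateExtOid = '1.3.6.1.4.1.311.21.7'  # Certificate Template Information extension (v2 templates)

# Trigger autoenrollment now instead of waiting for the next policy refresh (needs elevation).
certutil.exe -pulse | Out-Null
Start-Sleep -Seconds 10

# Find certificates issued from the template. Format() resolves the template OID to its
# display name on a domain-joined machine; otherwise only the OID is shown.
$certs = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq $templateExtOid }
    $ext -and ($ext.Format($false) -like "Template=${TemplateName}*")
}

if (-not $certs) {
    Write-Warning "No certificate from template '$TemplateName' in the machine store."
    Write-Warning "Check the GPO link (OU), the template permissions (Read + Autoenroll for Domain Computers) and run gpupdate /force."
    return
}

foreach ($c in $certs) {
    $hasEku = $c.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthEku }
    [pscustomobject]@{
        Subject       = $c.Subject
        Issuer        = $c.Issuer
        Thumbprint    = $c.Thumbprint
        NotAfter      = $c.NotAfter
        HasPrivateKey = $c.HasPrivateKey   # without the private key the client cannot authenticate
        ClientAuthEKU = [bool]$hasEku      # must be present for the ConfigMgr client to select it
        ChainValid    = $c.Verify()        # builds the chain to the root CA and checks revocation
    }
}
```

A healthy client shows one certificate with HasPrivateKey, ClientAuthEKU and ChainValid all True; a False in ChainValid usually means the root CA certificate has not reached the client's Trusted Root store yet.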


 

Web Server Certificate

On the Certificate Authority (CA) server open up your CA and Duplicate Template.
The template you need for this is the Web Server.
Make sure to select ‘Windows Server 2003 Enterprise’ as ‘Windows Server 2008 Enterprise’ is NOT supported by ConfigMgr 2012 SP1!

On the security tab select ‘Read’ and ‘Enroll’ for your SCCM Site (IIS) Server(s), clear ‘Enroll’ for Enterprise Admins.

On the Subject Name tab be sure that Supply in the request is selected.

Back in the CA console, right-click Certificate Templates, New and Certificate Template to Issue. Choose your ConfigMgr Web Server Certificate.

 

Enrollment of the ConfigMgr Web Server Certificate

Open a MMC and add the Certificate snapin for Local Computer.

Right-click Certificates and Request New Certificate. Select the ConfigMgr Web Server Certificate you created.

Select More information is required to enroll for this certificate. Click here to configure settings.

In the Certificate Properties dialog box, in the Subject tab, do not make any changes to the Subject name. This means that the Value box for the Subject name section remains blank. Instead, from the Alternative name section, click the Type drop-down list, and then select DNS.

In the Value box, specify the FQDN values that you will specify in the Configuration Manager site system properties, and then click OK to close the Certificate Properties dialog box.

Examples:

  • If the site system will only accept client connections from the intranet, and the intranet FQDN of the site system server is sccm2012.lab.local: Type sccm2012.lab.local, and then click Add.
  • If the site system will accept client connections from the intranet and the Internet, and the intranet FQDN of the site system server is sccm2012.lab.local and the Internet FQDN of the site system server is sccm2012.wibier.me:
    • Type sccm2012.lab.local, and then click Add.
    • Type sccm2012.wibier.me, and then click Add.

 

Configure IIS to use the ConfigMgr Web Server Certificate

On the SCCM Web Server open Internet Information Services (IIS) Manager.

Expand Sites, right-click your site (usually ‘Default Web Site’) and select Edit Bindings.

Select the https entry, click Edit and choose the ConfigMgr Web Server Certificate as the SSL certificate.

OK and Close.

(You can check the site by opening Internet Explorer and browse to your site with https://. There should not be a warning about a certificate.)
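The browser check above can be scripted so it is repeatable for every site system (and for both the intranet and Internet FQDN). This is an added example, not part of the original post; it opens a TLS connection to the binding, records the validation result instead of throwing, and reports whether the certificate carries the Server Authentication EKU and the FQDN in its Subject Alternative Name. The host name sccm2012.lab.local is taken from the post and is a placeholder for your own.

```powershell
param(
    [string]$Fqdn = 'sccm2012.lab.local',   # FQDN entered in the site system properties
    [int]$Port = 443
)

# Record the validation outcome instead of throwing, so the certificate can still be inspected.
$script:policyErrors = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $script:policyErrors = $sslPolicyErrors
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($Fqdn)   # the host name a client would type after https://
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally {
    $tcp.Close()
}

# The SAN (OID 2.5.29.17) must list every FQDN entered in the site system properties.
$sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText  = if ($sanExt) { $sanExt.Format($true) } else { '' }
$dnsNames = [regex]::Matches($sanText, 'DNS Name=([^\s,]+)') | ForEach-Object { $_.Groups[1].Value }

# Server Authentication EKU (1.3.6.1.5.5.7.3.1) is what the Web Server template provides.
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$hasServerAuth = $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })

[pscustomobject]@{
    Host          = $Fqdn
    Subject       = $cert.Subject
    Issuer        = $cert.Issuer
    SanDnsNames   = ($dnsNames -join ', ')
    FqdnInSan     = ($dnsNames -contains $Fqdn)
    ServerAuthEKU = [bool]$hasServerAuth
    NotAfter      = $cert.NotAfter
    PolicyErrors  = $script:policyErrors   # 'None' is the scripted equivalent of no browser warning
}
```

Run it from a client, not from the site server itself, so that the chain is validated against the trust store the ConfigMgr clients will actually use.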

 

Client certificate for Distribution Points

On the Certificate Authority (CA) server open up your CA and Duplicate Template.
The template you need for this is the Workstation Authentication.
Make sure to select ‘Windows Server 2003 Enterprise’ as ‘Windows Server 2008 Enterprise’ is NOT supported by ConfigMgr 2012 SP1!

On the security tab select ‘Read’ and ‘Enroll’ for your SCCM Site Server(s), clear ‘Enroll’ for Enterprise Admins.

On the Request Handling tab select Allow private key to be exported.

Back in the CA console, right-click Certificate Templates, New and Certificate Template to Issue. Choose your ConfigMgr Client Certificate for Distribution Points.

 

Enrollment of the Client certificate for Distribution Points

Open a MMC and add the Certificate snapin for Local Computer.

Right-click Certificates and Request New Certificate. Select the Client certificate for Distribution Points you created.

After that Export the certificate WITH the private key.

Part 2 HERE!

Part 3 HERE!

Create Cloud Distribution Point on Windows Azure with SCCM 2012 SP1 (Part 2)

Cloud, everybody is talking about that.
And with the new ConfigMgr 2012 SP1 fully integrating with Windows Azure it’s time to see how this works.

You need to have some things in place first, so here we go:

  • A Windows Azure subscription (duh)
  • A working PKI Infrastructure
  • 2 (a .cer and a .pfx) certificates to talk to the Management service of Windows Azure
  • A certificate (the .cer) added to the Management service of Windows Azure
  • Your Windows Azure Subscription ID. This can be found on the Management Portal of Windows Azure.
  • And well, uh SCCM 2012 SP1 😉

 

In Part 1 I set up the necessary PKI infrastructure and took care of the certificate part.
In Part 2 I will configure SCCM 2012 SP1 for talking to that big Cloud called Windows Azure.

 

So we took care of the certificate; now we have to upload it to Windows Azure.

 

Upload Certificate

Log on to the Windows Azure Management Portal.
Under Settings you can upload your Certificate (this will be the .CER one)

And the result is visible:

Create the Windows Azure Cloud Distribution Point:

Now it’s time to create the Distribution Point in the Cloud!

Launch your ConfigMgr Console and let’s start.

Under Administration – Overview – Hierarchy Configuration – Cloud you will find Create Cloud Distribution Point.

 

And here you need your Subscription ID and Certificate (the .PFX one)

 

Select your Region, and Certificate:

 

Specify the alerts:

 

And off we go

 

Looks good:

 

You can follow the process by looking in the CloudMgr.log.

 

This can take a while! So be patient, it will come eventually.

Still working:

And there we are!

 

And also in the Windows Azure Management Portal:

 

Distribute content to the Windows Azure Cloud Distribution Point:

There are no extra steps needed to distribute content to a Windows Azure DP.
You take an application and distribute it to the Cloud.

Logging under DistrMgr.log.

 

And in the console:

 

Cloud rules!

 

Read Part 1 Here!

Create Cloud Distribution Point on Windows Azure with SCCM 2012 SP1 (Part 1)

Cloud, everybody is talking about that.
And with the new ConfigMgr 2012 SP1 fully integrating with Windows Azure it’s time to see how this works.

You need to have some things in place first, so here we go:

  • A Windows Azure subscription (duh)
  • A working PKI Infrastructure
  • 2 (a .cer and a .pfx) certificates to talk to the Management service of Windows Azure
  • A certificate (the .cer) added to the Management service of Windows Azure
  • Your Windows Azure Subscription ID. This can be found on the Management Portal of Windows Azure.
  • And well, uh SCCM 2012 SP1 😉

 

The subscription isn’t much of a hassle. Takes about 10 min!

In Part 1 I will setup the necessary PKI Infrastructure and take care of the Certificate part..
In Part 2 I will configure SCCM 2012 SP1 for talking to that big Cloud called Windows Azure.

 

PKI Infrastructure

Nothing fancy here as this is a lab environment. Just setup the PKI infrastructure.

Add Server Role > Active Directory Certificate Services

 

Certificate Authority:

 

Enterprise:

 

Root CA:

 

New private key:

 

Select 2048 for Key character length:

 

CA Name:

 

Validity period (I don’t think my lab will last this long ;-))

 

Now Install the CA.

 

Deploy the Certificate

 

So that’s up and running, now for the fun part.

Microsoft has some good info on what certificates you need.

 

Source:

  • Deployment of the PKI Certificates for Configuration Manager: http://technet.microsoft.com/en-us/library/230dfec0-bddb-4429-a5db-30020e881f1e#BKMK_clouddpcreating2008
  • PKI Certificate Requirements for Configuration Manager: http://technet.microsoft.com/en-us/library/gg699362.aspx

We will go from there.

  • Create a Security Group that contains the member servers to install System Center 2012 Configuration Manager SP1 primary site servers that will manage cloud-based distribution points.
  • On your Certificate Authority (CA) server go to the console and right-click Certificate Templates, choose Manage.
  • Right-click the entry that displays Web Server in the column Template Display Name, and then click Duplicate Template.
  • Select Windows Server 2003, Enterprise Edition
  • On the General tab enter a name (ConfigMgr Cloud-Based Distribution Point Certificate)
  • On the Request Handling tab – Allow private key to be exported.
  • Security tab – Remove Enroll for Enterprise Admins and Add your Security Group.
  • Click OK and close the Template console.
  • Right-click Certificate Templates, New – Certificate Template to Issue.
  • Select your Template and select OK.

Request the Certificate

Now we have to request the certificate.

  • Go to your site server.
  • Open up a MMC and add Certificates – Local computer as snap-in.
  • Go to Personal and in All Tasks select Request New Certificate.

Now you have to enter some information:

The info you need for Windows Azure is:

  • the name of your Windows Azure Cloud Distribution Point

 

  • Select and Enroll.
  • Enrollment successful.
  • The Certificate will be visible in the CA console under Issued Certificates.

 

Export the Certificate

You will have to export the Certificate twice, once with and once without the private key!

  • Without the Private Key:

 

  • And with the Private Key:

 

The certificate is now ready to be imported when you create a cloud-based distribution point.

In Part 2 I will continue!

SCCM 2012 SP1 Site Backup and Afterbackup.bat

It is always better, as a preventive measure, to back up your daily SCCM 2012 backup (keeping a daily copy on the server and copying the backups to an alternate location). If your SCCM server goes down you still have a backup!

In the process of SCCM’s daily backup (visible in smsbkup.log), there is an ‘AfterBackup.bat’ file used to perform post-backup actions automatically after the Backup Site Server maintenance task runs successfully. By default the AfterBackup.bat batch file does not exist; you have to create it and place it manually.


As we all know there was a bug in the SCCM 2012 RTM Backup Site procedure. There was a workaround by creating a sub-folder underneath the Backup folder when using UNC paths.

This is described by Microsoft in: http://blogs.technet.com/b/configurationmgr/archive/2012/08/01/support-tip-a-backup-site-server-maintenance-task-may-fail-to-run-in-configmgr-2012.aspx

 

Microsoft stated this would be addressed in SP1 of SCCM 2012, well let’s take a look and check-out the use of the ‘AfterBackup.bat’ procedure!

Activating site backup

ConfigMgr console > Administration tab > Site settings > Site maintenance > Backup site server


Edit and fill out the needed values.


You can set a local or remote UNC backup path and the scheduling options. Whatever you decide you can use the AfterBackup.bat to move or archive it afterwards.

The computer account of the ConfigMgr server has to have been granted full control permissions on the remote backup location.

Creating the AfterBackup.bat file

Here is a simple script for ‘AfterBackup.bat’ written by ‘Garth Jones’, which keeps 7 days of backups in folders named after the first 3 letters of the day of the week, deleting and overwriting the older ones.

***********************************************************************************

REM @echo off
setlocal enabledelayedexpansion

REM Target folder is named after the first three characters of %date%, e.g. "Mon".
REM This only yields the weekday when the system short date format starts with the day name.
set target=\\Destination_Server\E$\AfterBackup\%date:~0,3%

REM If last week's folder for this weekday exists, remove it so the copy starts clean.
If not exist "%target%" goto datacopy
RD "%target%" /s /q

:datacopy
REM Copy the whole backup tree. /-Y would prompt before overwriting, but the target was just removed.
xcopy "\\Source_Server\*" "%target%\" /E /-Y

***********************************************************************************

where, “Source_Server” is the Primary Server from which the backup has to be copied,

and “Destination_Server” is the Remote Server where you want to copy the Site Backup.

 

Source_Server (This is the UNC path specified in ConfigMgr)

\\SCCM2012\sccm$\_Backup

Destination_Server (This is where we store the backup)

\\FILE01\SCCM$\SCCM_Backup

 

Although the intended use of AfterBackup.bat is to archive SCCM backup snapshots, you can use that file for other tasks that you need to perform at the end of every back up operation, such as:

 

  • Run a SQL Server DBCC test to verify that there are no integrity problems with the SCCM Site database.
  • Run a site health tool, or other health tools.

 

Putting the AfterBackup.bat to work

ConfigMgr has the ability to run an after backup batch file which you can use to perform archiving and other administrative functions.

Start by creating the AfterBackup.bat and copy it to the location below.

{ConfigMgrInstallPath}\inboxes\smsbkup.box\AfterBackup.bat

Once it’s in place ConfigMgr will automatically execute its contents at the end of each SMS_SITE_BACKUP run. It runs as the local system account of the site server.

ConfigMgr overwrites each backup when it runs the site backup task. You must use the AfterBackup.bat or manual copy to archive more than one backup.
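Because AfterBackup.bat is only a hand-off point, it can consist of a single line that starts a PowerShell script, which is easier to extend with the extra tasks listed above. The script below is an added example, not part of the original post or of Garth Jones’s batch file: it keeps the same weekday rotation but takes the weekday from Get-Date (the batch file’s %date:~0,3% depends on the regional date format), checks that the copy succeeded, and then runs DBCC CHECKDB against the site database. The UNC paths come from the post; the SQL instance, database name and script location are placeholders.

```powershell
# AfterBackup.bat contains only:
#   powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Scripts\AfterBackup.ps1"
param(
    [string]$BackupSource = '\\SCCM2012\sccm$\_Backup',   # UNC path set in the Backup Site Server task
    [string]$ArchiveRoot  = '\\FILE01\SCCM$\SCCM_Backup',
    [string]$SqlInstance  = 'SCCM2012',                    # placeholder: site database server
    [string]$SiteDatabase = 'CM_P01',                      # placeholder: site database name
    [string]$LogFile      = 'C:\Scripts\AfterBackup.log'
)

function Write-Log([string]$Message) {
    "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message | Tee-Object -FilePath $LogFile -Append
}

# Weekday folder (Mon, Tue, ...) regardless of the system's short date format.
$target = Join-Path $ArchiveRoot (Get-Date).DayOfWeek.ToString().Substring(0, 3)
Write-Log "Archiving $BackupSource to $target"

# /MIR replaces last week's copy for the same weekday; robocopy exit codes 0-7 mean success.
robocopy.exe $BackupSource $target /MIR /R:2 /W:5 /NP /LOG+:$LogFile | Out-Null
if ($LASTEXITCODE -ge 8) {
    Write-Log "ERROR: robocopy failed with exit code $LASTEXITCODE"
    exit 1
}

# Integrity check of the site database. The script runs as the site server's
# computer account, which needs permission to run DBCC CHECKDB (db_owner or sysadmin).
$dbcc = sqlcmd.exe -S $SqlInstance -E -b -Q "DBCC CHECKDB ('$SiteDatabase') WITH NO_INFOMSGS" 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Log "ERROR: DBCC CHECKDB reported problems: $($dbcc -join ' ')"
    exit 2
}
Write-Log "Archive and DBCC CHECKDB on $SiteDatabase completed successfully"
exit 0
```

The log file gives you a second place, besides smsbkup.log, to confirm each night that the copy to the alternate location actually happened.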

Starting a backup outside of the schedule

You can start a backup at any time by going into the service manager which can be launched through the console.

Monitoring tab > System Status > Component State > Ribbon > Start > Configuration Manager Service Manager

Once in service manager, locate the SMS_SITE_BACKUP service and right click start. A backup will now start.


Another option is to open Windows Services (services.msc) and start the SMS_SITE_BACKUP service.


 

After a successful backup you will see this in your logs:

And the backup is copied over to your alternate backup location!