1E Blog

Empowering Efficient IT

July 2009 - Posts

  • MOF Object queries for Wired and Wireless Network Adapters

    I am planning to deploy a script which will enable Wake-on-LAN for all target computers.  Before doing so, I wanted to get a list of models for each.  Creating a query for something like this is applicable to just about any ConfigMgr environment, and admins would find it valuable.

    Queries like this should be created once and then additional models can be added as needed.  Thanks to Garth Jones the "Query Master", I've also provided an associated report which shows the total count of each inventoried network adapter.  And last, there's a spreadsheet of the output from the report.

    Well, here they are...I hope you find them useful!!

    PS - If you have additional models that are NOT listed in the query, just shoot me an email and I will keep the MOF's updated.

    All Network Adapters (Wired).MOF (3.21 kb)

    All Network Adapters (Wireless).MOF (5.29 kb)

    Network Adapter model count (Report).MOF (2.37 kb)

    Network Adapter Model count report.xls (38.50 kb)

    Posted Jul 29 2009, 12:10 PM by 1E Blogs
  • MPControl.log and error code 12030

    I just ran across this in my Native Mode ConfigMgr site hierarchy, where the MP at the Central Site had a number of these entries in the MPControl.log.  The problem turned out to be that the Web Server certificate was not binding to the website on the server (NMCM01.contoso.com).  It was “bound” before, so I’m not sure why it was lost.  This is not the first time I’ve seen this behavior on Windows Server 2008 servers hosting secure IIS websites.

    Once the Web Server certificate binding to the website was re-established, the error code 12030 entries in MPControl.log ceased.

    The RED section below shows when the web server certificate was NOT binding to the web site.

    The GREEN section shows the new entries in MPControl.log after fixing the binding issue on the website.

    Posted Jul 24 2009, 02:08 PM by 1E Blogs
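
    One way to check for the lost binding described in this post, as an added example that is not part of the original post: it parses `netsh http show sslcert` and verifies that each bound certificate is still usable. It assumes English-language netsh output and that the site listens on port 443; the function names and the sample input are constructed for illustration.

    ```powershell
    # Added example, not from the original post.
    # Reports every HTTP.SYS SSL binding and whether the certificate it points to
    # is usable: present in LocalMachine\My, has a private key, within its validity dates.
    function Get-SslBindingStatus {
        param(
            # Text of 'netsh http show sslcert'; by default, queried from the local server.
            [string[]]$NetshOutput = (netsh http show sslcert)
        )
        $endpoint = $null
        foreach ($line in $NetshOutput) {
            if ($line -match '^\s*(?:IP:port|Hostname:port)\s*:\s*(\S+)') {
                $endpoint = $Matches[1]
            } elseif ($endpoint -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
                $thumb = $Matches[1].ToUpper()
                $cert  = Get-ChildItem Cert:\LocalMachine\My |
                         Where-Object { $_.Thumbprint -eq $thumb }
                $now = Get-Date
                if (-not $cert)                   { $status = 'Certificate missing from LocalMachine\My' }
                elseif (-not $cert.HasPrivateKey) { $status = 'No private key' }
                elseif ($cert.NotAfter -lt $now)  { $status = 'Expired' }
                elseif ($cert.NotBefore -gt $now) { $status = 'Not yet valid' }
                else                              { $status = 'OK' }
                New-Object PSObject -Property @{
                    Endpoint = $endpoint; Thumbprint = $thumb; Status = $status
                }
                $endpoint = $null
            }
        }
    }

    # Warns when nothing is bound to port 443, then returns the binding list.
    function Test-Port443Binding {
        param([string[]]$NetshOutput = (netsh http show sslcert))
        $bindings = @(Get-SslBindingStatus -NetshOutput $NetshOutput)
        $on443 = @($bindings | Where-Object { $_.Endpoint -match ':443$' })
        if ($on443.Count -eq 0) {
            Write-Warning 'No certificate is bound to port 443 on this server.'
        }
        $bindings
    }

    # Dry run against constructed netsh output (placeholder thumbprint).
    $sample = @(
        'SSL Certificate bindings:',
        '    IP:port                 : 0.0.0.0:443',
        '    Certificate Hash        : 0000000000000000000000000000000000000000'
    )
    Test-Port443Binding -NetshOutput $sample | Format-Table -AutoSize

    # On the management point itself, run it without arguments:
    # Test-Port443Binding | Format-Table -AutoSize
    ```

    Running the check on a schedule and alerting on any status other than OK catches a dropped or expired binding before it shows up in MPControl.log.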
  • Podcast: Episode 2 of the 1E Podcast Now Available

    In this episode, I chat with Mike Terrill (SCCM Practice Lead), Neil Kimberley (Solutions Engineer) and Michelle Hazelton (Product Manager) about how an organization’s carbon footprint is calculated and how to minimise it and reduce costs. The discussion is centered around Ashby's Incorporated (our fictitious company) and their need to reduce their carbon footprint and actively monitor PC state.

    You can get the podcast from 1e.com here

    We at 1E are dedicated to bringing you real world scenarios to help solve some of the most challenging problems faced by IT professionals. If you are wrestling with an issue, would like some advice or have a topic you would like to see covered, please feel free to send me an email outlining your issue or idea. If selected for inclusion in the 1E Podcast, we'll make sure to get you involved and have you contribute to the podcast.

  • Shopping User and Computer categories explained

    I have been asked many times about the difference between User and Computer categories in Shopping and for what scenarios they are most useful. Well, here goes...

    User Categories - These allow you to do two things: 1) group your applications into logical groups and 2) restrict the user's ability to see these applications and therefore shop for them. So, an organization can bundle their applications into user categories, as follows. All applications would be grouped within each category, and the categories are shown down the left-hand side of the Shopping web browser. This makes them easier to find. You would want all users to be able to see the free utilities, so no restrictions would need to be added here. However, if you have Windows Security groups for development, sales and marketing users, then you can restrict the User Categories as well so that only people from each group can see the whole category.

    Free Utilities 
    Developer Software
    Sales Software
    Marketing Software

    Computer Categories - These allow you to restrict access to Shopping Applications based upon the machine from which the request is being made. This is done on an application level. For example, Joe works in marketing. His user permissions allow him to shop for 8 applications which have been added to the Marketing Software User Category, however his PC is located in UK. Unfortunately UK PCs are not licensed for 3 of the applications in the Marketing Software User Category. Joe will therefore only be able to shop for (and see) 5 out of the 8 applications. i.e. He will only be able to shop for applications for which both his user and his machine permissions allow him.

    There will be changes to Computer Categories coming soon, which increase the capabilities of branch administrators to manage applications at a branch/computer level. More info to follow as we approach release (Q4 2009).

    Posted Jul 20 2009, 03:03 PM by 1E Blogs
  • Podcast: 1E System Center Episode 1 Released

    We are pleased to announce the release of Episode 1 of the 1E System Center Podcast.

    In this episode, Andy Dominey (OpsMgr Practice Lead and MVP) and I chat with Kevin Muldoon and Barry Shilmover from the OpsMgr Product team about 2 key new features of OpsMgr R2. Kevin discusses the new Interop Connector, how it works and the software it supports (Tivoli, OVO etc.). Whilst Barry gives us a background on the new Cross Platform capabilities within OpsMgr R2 and how you can now extend your monitoring into the Linux/Unix world.

    You can download the podcast here (under Systems Management at the bottom of the page), or alternatively, you can subscribe to the podcast on iTunes by clicking here.

    We at 1E are dedicated to bringing you real world scenarios to help solve some of the most challenging problems faced by IT professionals. If you are wrestling with an issue or would like some advice, please feel free to send me an email outlining your issue or idea. If selected for inclusion in the 1E Podcast, we'll make sure to get you involved and have you contribute to the podcast.

  • Don't like Tuesdays?

     

    Try creeping up on your nearest IT Manager and yelling 'It's Patch Tuesday'! If he doesn't faint, shake uncontrollably and/or cry then he's probably a 1E customer.. 

    Once a month ('Patch Tuesday') we are asked to rollout the latest Microsoft updates to all PCs, and here's a nice little piece by Dan Raywood that was pinged over to me today as it seems that this month's Patch Tuesday is one of those 'tricky' ones.

    Patch Tuesday for July is set to be challenging for security departments

    So, in essence there are a whole heap of updates that need to be rolled out, some requiring reboots (which is always tricky). To quote from the article: "IT leaders and their organisations should be prepared for the disruption that can accompany the process of rebooting all Microsoft systems."

    However, if you are a 1E customer, Tuesdays can be just another day..

    One of the most important ways that 1E software can assist in the smooth running of IT departments is in helping to manage this very process. Our NightWatchman software gracefully manages reboots by ensuring that user documentation and programs can be safely closed and any work saved. Obviously keeping users happy during these patch rollouts is of primary importance.

    Secondly, our 1E WakeUp software will ensure that the entire desktop population can be powered on at the correct time in order to install the updates. Having this capability is extremely powerful, giving you the ability to 'batch rollout' patches at staged times throughout the evening, department by department.

    Overall this makes for a more controlled (and controllable) approach to the headache of multiple patches and reboots.

    By combining the flexibility of Microsoft System Center and 1E software, this Patch Tuesday (and indeed ALL Tuesdays) need not be the source of sleepless nights for IT managers.

     

  • Team Green Britain Supporter Switches off PCs at Night

      London, July 7th 2009 - With over one million visitors annually, the award-winning Eden Project is one of the UK’s leading visitor attractions and an environmental education charity. It is also a supporter of the up-coming Team Green Britain event taking place on 10th July 2009 throughout the UK.

    The event is designed to encourage us to make life better for ourselves and better for our world through team work, making simple steps to coming together to fight climate change. With this in mind, it is worth considering that, according to a recent survey by 1E and the Alliance to Save Energy, in the UK alone, nearly 50% of PC users don’t turn off their machines at night. If the 17 million workers in the UK who regularly use a computer turned it off at night, it would reduce carbon dioxide emissions by 1,329,182 metric tons, the equivalent of removing 243,440 cars from the road, approximately 1% of all UK vehicles or 77% of all traffic entering the congestion zone in London.

    1E is supplying the Eden Project in Cornwall with its PC power management software, specifically designed to intelligently shut down PCs at the end of the working day. The organisation is currently deploying NightWatchman and 1E WakeUp across its PC estate as well as the retail point-of-sale till sites, ensuring substantial savings throughout the organisation and a significant reduction in the carbon footprint of the project. Members of 1E will be attending the Team Green Britain event in Leicester Square, London on Friday. Feel free to contact 1E if you would like to find out more about the carbon emissions you can save simply by switching off your machines at work.

  • PRODUCT OVERVIEW: NightWatchman

    This is the first in a short series of videos giving a brief overview of some of 1E's flagship software offerings. NightWatchman offers companies the chance to control the power management of all desktop systems, reducing energy use and increasing overall IT efficiency. If you like this introduction you can find out more about NightWatchman here.

    Enjoy

     

  • Activating a Nomad package

    If you manually copy some files into the Nomad cache from a CD or other media, you will need to activate the package so that Nomad is able to respond to election requests. To do this without restarting the service, run the activate command for each package.

    NomadBranch.exe -activate=PKG0001E

    This is only supported on Nomad 3.x and requires a valid Nomad index file (LSZ or LST) to also be copied across. Nomad will check the contents of the package against the index file and then populate its own registry keys with useful package information. As the index file is checked, the package is considered valid so Nomad can now participate in election requests for this package.

    If no Nomad LST or LSZ file exists for this package, then the package will not be activated. The next time the service restarts, the package will be deleted as its contents cannot be trusted.

    This is also commonly used during OS deployment. As part of the ConfigMgr task sequence, the Nomad cache can be saved and then recopied to the new OS. Providing Nomad is re-installed, then the packages can be made active again by running the activate command line as part of the task sequence.

    Posted Jul 10 2009, 02:41 PM by 1E Blogs
  • Windows 7 - Problem Step Recorder

    Capturing the Symptoms

    For an IT support or help-desk administrator, being able to see what’s happening on screen and have an interactive conversation with the end-user, can be vital to diagnosing and solving problems as they occur.

    This is why applications such as Remote Desktop, VNC or Remote Assistance (or even low-tech approaches like walking to see the problem, if practical) are really helpful, if not vital to understanding the exact issues and providing speedy resolution.

    However, there are some scenarios where different time-zones and/or network and security restrictions would prevent using remote tools and this is where a nifty new feature in all Windows 7 versions called Problem Step Recorder (PSR.exe) could come in very handy.

    The process that the end-user has to follow is very simple and intuitive:

    1. Run PSR from the Windows 7 Start Menu
    2. Click Start Record at the beginning of the problem and continue to work normally, going through all the required steps to bring up the issue.
    3. Optionally, click Add Comment to type and insert other explanatory information with specific steps.
    4. Click Stop Record to finish. The various screens and steps that create the problem will be captured in compiled HTML format (mht) as a zipped folder, stored where selected.

    The single .mht can then be e-mailed or stored in a shared location, and the IT Administrator opening it will have a blow-by-blow account of what clicks/menu selections produced the problem and all messages and screen details that the user saw. (In short, everything needed to reproduce the problem.)

    An example of the typical output is illustrated in the screen-shots below: in short, all steps, screens and error messages recorded by the sequence in one place.

     

      

     

  • Windows 7 Application Compatibility – Part 2

    In the first part of this series, I covered the internals of Windows in-built application compatibility.  Version checks and folder location differences are the most common types of problem you are likely to encounter, but the full list of major changes in Windows 7 (or Vista for that matter) compared to Windows XP are the five things covered below:

    Operating System and Browser Version Checks

    Many applications check the version of the OS and behave differently or fail to run when an unexpected version number is detected. This issue can be resolved by setting appropriate compatibility modes or applying version lie shims.

    Folder Redirection

    User folders, “My Documents” folders and folders with localization have changed with the move to Windows Vista, and again with File Libraries in Windows 7. Applications with hard-coded paths may fail. This can be mitigated using directory junctions or by replacing hard-coded paths with appropriate API calls to get folder locations.

    Session 0 Isolation

    Running services and user applications together in Session 0 poses a security risk because services run at elevated privilege and therefore are targets for malicious agents looking for a means to elevate their own privilege level. In earlier versions of the Windows OS, services and applications run in the same session as the first user who logs on to the console (Session 0). To help protect against malicious agents, in Windows 7, Session 0 has been isolated from other sessions. This could impact services which communicate with applications using standard in-built message services.

    Windows Resource Protection

    WRP is designed to protect the system in a read-only state to increase system stability, predictability and reliability. This will affect specific files, folders, and registry keys. Updates to protected resources are restricted to the OS trusted installers, (e.g. Windows Servicing). This helps to protect components and apps that ship with the OS from any impact of other apps and administrators. This can be an issue for custom installations not detected as setup by Windows 7 when they try to replace WRP files/registry and check for specific versions/values.

    Internet Explorer Protected Mode (IEPM)

    In Windows 7 and Windows Vista, Microsoft IE8 processes run in IEPM with greatly restricted privileges to help protect users from attack. IEPM significantly reduces the ability of an attack to write, alter, or destroy data on the user's machine, or to install malicious code. This could impact ActiveX controls and other script code which try to modify higher integrity level objects.

    User Account Control (UAC)

    In Windows 7 and Windows Vista, all interactive users, including members of the administrators group, run as standard users. UAC is the mechanism through which users can elevate applications to full administrator privileges. Because of UAC, applications that require administrator rights or check for administrator privileges behave differently in Windows 7 and Windows Vista, even when run by a user who is an administrator.

    Testing for Application Problems

    The Setup Analysis Tool (SAT) automates the running of application installations while monitoring the actions taken by each application’s installer. The standalone version of SAT can monitor any Windows installers and third-party installers. The SAT detects the following potential issues:

    • Installation of kernel mode drivers
    • Installation of 16-bit components
    • Installation of Graphical Identification and Authentication (GINA) DLLs
    • Modification of files or registry keys that exist under Windows® Resource Protection

    Standalone SAT (also known as SAT Guest) is the version of the SAT that runs locally for analyzing application installation issues. This version is recommended for monitoring a single application setup using a test, standard Windows XP computer (it has to be XP as the application installation may not work on Windows 7 full stop, so it needs to be tested down-level). The user interface is shown in the screen-shots below:

    SAT runs as a wrapper to the installation or setup program (.exe or .msi) and records and logs everything that happens during the installation to report on where the installation would “break the rules” if it was installed under Windows 7.

    The SAT tool is that straightforward. The application issues it detects can usually be fixed through updated versions, standard “shims” or occasional re-packaging. The “real biggie” is UAC and that’s why I’ve left that to last to cover in the next posting in this series.

    Posted Jul 10 2009, 06:54 AM by 1E Blogs
  • Zombie Nomad cache folders

    With Nomad 3.x, we introduced the concept of a 'zombie' cache. If you see these, do not be alarmed. These are almost considered live, but not quite. A Nomad agent will still respond to an election request; however, as it has an unverified cache, it will only win the election if no other agents have 100% of the package.

    A zombie cache is defined when the Nomad service starts up. If it sees an index file (either an lsz or an lst file) and has a cache folder, but it does not have the Nomad registry information for that cache, then it will verify the cache contents against the index file. If it matches, then the cache is defined as a zombie cache. If it does not match, then the cache is not valid and is deleted.

    This can occur if cache files are copied between machines without using Nomad functionality, for example by an OS deployment step that restores the Nomad cache. It can also occur if you uninstall Nomad and then re-install it. The registry entries are deleted during the uninstall; however, the cache folders remain. Once Nomad is re-installed, zombie cache folders will be created.

    A zombie cache is not entirely trusted. Its contents have been validated against the index file, so it will respond to elections; however, it is not as trusted as a Nomad agent which actively remembers downloading the cache. To resurrect this cache, run the following command line. This is often incorporated as part of an OSD task sequence.

    NomadBranch.exe -activate=PKG0001E 

     

    Posted Jul 09 2009, 12:03 PM by 1E Blogs
  • Problem encountered creating MDT 2008 Boot Image when SMS Provider is not installed on site server

    Let me first state that this is not necessarily a problem with MDT 2008 or ConfigMgr, but has to do with setting share-level permissions.  So who should be responsible for doing that?  The product (automated), or the admin (manually)?

    So let’s walk through creating the problem and how to resolve it…

    1. Create an MDT boot image.
    2. Provide the package source location. Note: This is key, so remember this for later!!
    3. Give the boot image package a name in the General Settings dialog box.
    4. Set the image options. Note: These are just the options I selected; you can choose your own.
    5. After selecting the image options and clicking Next, the wizard proceeds with creating the boot image WIM in the package source location and making it into a package…
    6. …however, the wizard eventually fails, stating that there is an error importing the MDT Task Sequence into the WIM.

    So what is happening here?

    The wizard goes through the process of creating the WIM and the last step is to import the MDT Task Sequence into the WIM.  This “importing” step is actually not handled by the site server, but by the SMS Provider.  So whichever site system server has the SMS Provider installed is the one responsible for importing the MDT Task Sequence.

    “So what’s the problem?” you ask…

    PROBLEM: In my environment, the SMS Provider is NOT installed on the site server, but on the remote SQL Server. In order for the MDT Boot Image wizard to execute successfully importing the MDT Task Sequence into the WIM-file, the configuration requires that the remote SQL Server in my environment (or whatever site system server has the SMS Provider installed) has permissions to access the UNC path for the package source and modify permissions to the actual WIM-file itself.

    “So what does this actually mean?” you ask…

    WORKAROUND:  This requires modifying the “share/folder/file”-level permissions of the UNC path for the package source.  If you remember earlier, I said to remember or note the UNC path used for the package source folder. 

    Here’s what I did to implement the workaround…

    View the share-level permissions of the package source folder (e.g. \\NMCM02\IMAGES)
    Change the ACLs on the share, granting the computer account of the site system server where the SMS Provider is installed change (e.g. RWXD or Co-owner since this is W2K8) permission to the share.  In my environment, this is NMSQL02$.

    Since I’m using Windows Server 2008, the share-permissions dialog box looks different from W2K3.

    As seen here, after modifying the share-level permissions and re-running the wizard Create Boot Image using Microsoft Deployment, the MDT boot images will be created.

     

    Take a look at some other blog entries I’ve made that provide solutions for issues where the SMS Provider is not installed locally on the ConfigMgr site server.

    • MDT 2008: Error occurred integrating with ConfigMgr
    • Installing Shopping Central when SMS Provider is NOT hosted on ConfigMgr site server

    Troy L. Martin | Senior Consultant | 1E |

    troy.martin@1e.com | www.1e.com

  • MDT 2008: Error occurred integrating with ConfigMgr

    After installing MDT 2008, you can then integrate it with ConfigMgr by running the Configure ConfigMgr Integration wizard.

    In doing this, I uncovered an issue where if the ConfigMgr SMS Provider is NOT installed on the site server, the wizard will error-out.  A hint to the root cause of the problem has a RED rectangle around it in the screen-capture below:

    The problem is that the wizard is searching the site server’s WMI repository for the SMS Provider namespace (e.g. root\sms\site_<sitecode>).  The screen-capture below gives some examples of the SMS Provider namespace.

     

    In my ConfigMgr site, the SMS Provider is located/installed on the remote SQL Server.  There are a few apps I’ve worked with that “integrate” with ConfigMgr (and SMS), but assume that the SMS Provider is also installed locally on the site server.  There may be valid reasons why this practice is done, but as we saw in the first screen-capture, it doesn’t work all the time.

    By default when you start the Configure ConfigMgr  Integration wizard (if MDT was installed on the site server as most do), the wizard will automatically detect the Site server name and Site code.  If you installed MDT somewhere other than the site server, the Site server name and Site code textboxes will be blank and you would have to type them in.

    We saw above what happens when the site server name is typed in the textbox and the SMS Provider is not installed on the site server.

    So how do you get around this issue?

    WORKAROUND: So in my situation with the SMS Provider NOT being installed on the site server, but on the remote SQL Server, I would type the remote SQL Server’s name (e.g. NMSQL02).  If you installed the SMS Provider on a site system server other than the remote SQL Server, then type in that server’s name.  The site code would be the site code for the site where MDT is being installed.

    Most admins install the SMS Provider locally on the site server, and would not encounter this issue.  However in large site installations where you often see the site database hosted on a remote SQL Server, you are more likely to encounter this issue.

    Troy L. Martin | Senior Consultant | 1E |

    troy.martin@1e.com | www.1e.com
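
    Both this workaround and the boot image workaround in the previous post depend on knowing which server hosts the SMS Provider. As an added example (not code from the original posts), this PowerShell looks the provider up in the `SMS_ProviderLocation` WMI class on the site server and then checks whether that server's computer account has an explicit Allow entry with Change or Full Control on the package source share. `<SiteServer>` is a placeholder and the function names are made up for this example; NMCM02 and IMAGES are the share host and share name used in the post.

    ```powershell
    # Added example, not from the original posts.
    function Get-SmsProviderHost {
        param([Parameter(Mandatory = $true)][string]$SiteServer)
        # root\sms on the site server records which machine hosts the SMS Provider.
        Get-WmiObject -ComputerName $SiteServer -Namespace 'root\sms' -Class SMS_ProviderLocation |
            Select-Object SiteCode, Machine, NamespacePath
    }

    function Get-ShareAce {
        param(
            [Parameter(Mandatory = $true)][string]$Server,
            [Parameter(Mandatory = $true)][string]$Share
        )
        $filter  = "Name='$Share'"
        $setting = Get-WmiObject -ComputerName $Server -Class Win32_LogicalShareSecuritySetting -Filter $filter
        if (-not $setting) { throw "No share security setting for '$Share' on $Server." }
        $sd = $setting.GetSecurityDescriptor()
        if ($sd.ReturnValue -ne 0) { throw "GetSecurityDescriptor returned $($sd.ReturnValue)." }
        foreach ($ace in $sd.Descriptor.DACL) {
            # Access masks used by the standard share permission levels.
            $rights = switch ($ace.AccessMask) {
                1179817 { 'Read' }
                1245631 { 'Change' }
                2032127 { 'Full Control' }
                default { '0x{0:X}' -f $_ }
            }
            $type = 'Deny'
            if ($ace.AceType -eq 0) { $type = 'Allow' }
            New-Object PSObject -Property @{
                Trustee = $ace.Trustee.Name; Domain = $ace.Trustee.Domain
                Type = $type; Rights = $rights
            }
        }
    }

    function Test-ProviderShareAccess {
        param(
            [Parameter(Mandatory = $true)][string]$SiteServer,
            [Parameter(Mandatory = $true)][string]$ShareServer,
            [Parameter(Mandatory = $true)][string]$Share
        )
        $aces = @(Get-ShareAce -Server $ShareServer -Share $Share)
        foreach ($provider in Get-SmsProviderHost -SiteServer $SiteServer) {
            # Computer accounts end in '$' (the post's example is NMSQL02$).
            $account = ($provider.Machine -split '\.')[0] + '$'
            $grants = @($aces | Where-Object {
                $_.Trustee -eq $account -and $_.Type -eq 'Allow' -and
                @('Change', 'Full Control') -contains $_.Rights
            })
            New-Object PSObject -Property @{
                SiteCode     = $provider.SiteCode
                ProviderHost = $provider.Machine
                Account      = $account
                CanModify    = ($grants.Count -gt 0)
            }
        }
    }

    # Share host and share name as in the post; replace the placeholder site server name.
    Test-ProviderShareAccess -SiteServer '<SiteServer>' -ShareServer 'NMCM02' -Share 'IMAGES'
    ```

    The check only sees entries that name the computer account directly, so access granted through a group does not show up, and the folder and file (NTFS) permissions mentioned in the workaround have to be checked separately.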

  • Uninstalling a Management Pack using Powershell

    I recently had the need to uninstall a ManagementPack from OpsMgr without using the Operators Console (kept getting an exception error every time I opened the console after importing the eXcSoftware Management Pack). Here’s how I did it:

       
    • On the RMS, open Command Shell.

    • You’ll need to know the name of the MP, so at the powershell prompt type Get-ManagementPack. If [like me] you have a large number of MP’s installed, you’ll probably want to pipe this into a text file, or expand the Screen Buffer Size to something like 3000, run the command and then [right click and select find to] search.

    • Once you have the name we can now uninstall the MP. Start by typing the following:

      $MP = Get-ManagementPack | Where-Object {$_.Name -eq 'eXcSoftware.nonWindows'}

      We’ve now set the variable $MP to contain the values for the MP. Now type in:

      Uninstall-ManagementPack -ManagementPack $MP

    • Sadly, there is no confirmation that the MP has been uninstalled. You’ll have to go into the console to confirm.

    Powershell (and the Command Shell) adds a whole new set of functionality to OpsMgr and allows for data mining and scripting that is otherwise unavailable. You can install the OpsMgr command shell on your desktop by running setup.exe from the install media.

Copyright - www.myITforum.com, Inc. - 2010 All Rights reserved.