Chris Nackers Blog

ConfigMgr and MDT Deployment Solutions

April 2011 - Posts

Using ZTIWindowsUpdate.wsf To Install Updates In A System Center Configuration Manager Task Sequence

There are instances where you may want to install updates during a ConfigMgr Task Sequence without using Software Updates in ConfigMgr.  Maybe you don’t have it implemented yet, or maybe you are still using WSUS for updates.  I’ve seen it asked many times if there is a way to pull updates from WSUS during a ConfigMgr TS, so I just wanted to show you a few ways to handle this situation.

Using ZTIWindowsUpdate.wsf in a ConfigMgr Task Sequence

You can use ZTIWindowsUpdate.wsf in a non-MDT integrated task sequence without very much configuration at all.  It basically consists of using the ZTIWindowsUpdate.wsf script and setting a WSUSServer variable.

In order to use the ZTIWindowsUpdate.wsf script, we also need to have ZTIUtility.vbs available to the script. So first, let's create a package called “ZTIWindowsUpdate” that contains the ZTIWindowsUpdate.wsf and ZTIUtility.vbs scripts.

Next, we’ll need to add a few steps to our task sequence. First we need to set a value for the variable “WSUSServer”, which tells the script which WSUS server to contact for the updates. This is a Set Task Sequence Variable step.

Next we need to add a step to call the ZTIWindowsUpdate.wsf script. This is a Run Command Line step.

We need to make sure that we reference the package we created earlier containing the ZTIWindowsUpdate.wsf and ZTIUtility.vbs scripts.

Using ZTIWindowsUpdate.wsf in an MDT-Integrated Task Sequence

You can also use the script in an MDT-integrated Task Sequence.  In order to do this, we need to set the variable for WSUSServer and add a Run Command Line step to call the script.

First, you can set the variable in the Task Sequence, OR you can set the variable in your settings package that contains customsettings.ini.

Setting the value using customsettings.ini

OR

Setting the value using a Set Task Sequence Variable step

Next we need to add a Run Command Line step to call the script. We don’t have to specify a package for this because the script already exists in the Toolkit Package \scripts directory.  (The Use Toolkit Package task sequence step specifies the package that contains the MDT scripts)

Modifying the LiteTouch Wizard in MDT 2010 – Sample 1

Our friend The Deployment Bunny has a fantastic post up over on his blog about modifying the default MDT wizard.  He’s got some great examples of how to modify the wizard using the Wizard Editor.

Be sure to read his entire post here.

When I was working for a customer a while ago, they asked me if it was possible to modify the Wizard in MDT and of course I answered yes, since that is possible. They wanted many things and in this post I will cover the easy stuff, and that is reading from the existing environment and presenting it on screen during the deployment…

The requirements were pretty easy, something like…

-Could you help us to create an extra page in the wizard that will help the local tech to be able to see and verify that everything is correct when he is deploying the machine?

-You mean something like this?

-Yes, that would be ok, thank you.

Building A Windows XP Reference Image, Typical Customizations Examples

Nick Moseley has a nice post on some typical XP customizations that are done to your reference XP Image.  He has some examples of system settings, user settings, and some unattend.txt settings as well. 

Read his full post here.

USMT 4.0, Hardlink and Bitlocker in SCCM OSD

Michael Petersen has a really nice post on USMT 4, Hardlink and Bitlocker over on his blog. 

Read his full post here.

I’m often asked if it’s possible to use the USMT 4.0 hardlinking (keep backup file on the OS Disk), in combination with bitlocker.

I guess the reason for the question is that one might think:

  • How can I do a backup of a machine, and keep the files on the encrypted drive, and then be able to reinstall that same drive with a new OS, gaining access to the backup that was on the encrypted drive?
  • How do I stage WinPE on the Bitlocked disk, and then gain access to that same disk for the OS installation part when inside WinPE. Or at least something like that?

The thing is, that not only is it possible, it will also save you the time it takes to encrypt the drive again, because, even though a new OS is applied to the disk, the encryption is still in effect…

Remote Desktop Services - RemoteFX Guides

The RemoteFX documentation team has been hard at work creating topics that you can use to evaluate and deploy Microsoft RemoteFX within your environment. Following is a list of all the RemoteFX documents that were published to coincide with the Windows Server 2008 R2 with Service Pack 1 release.

The following documents were created for Microsoft RemoteFX:

  • Deploying Microsoft RemoteFX on a Single Remote Desktop Virtualization Host Server Step-by-Step Guide
  • Deploying Microsoft RemoteFX for Personal Virtual Desktops Step-by-Step Guide
  • Deploying Microsoft RemoteFX for Virtual Desktop Pools Step-by-Step Guide
  • Configuring USB Device Redirection with Microsoft RemoteFX Step-by-Step Guide
  • Deploying Microsoft RemoteFX on a Remote Desktop Session Host Server Step-by-Step Guide
  • What’s New in RemoteFX
  • Hardware Considerations for RemoteFX
  • Microsoft RemoteFX for Session Virtualization: Architectural Overview
  • Microsoft RemoteFX for Virtual Desktop Infrastructure: Architectural Overview

The following existing Remote Desktop Services documents were updated to include Microsoft RemoteFX:

  • Deploying Remote Desktop Licensing Step-by-Step Guide
  • Remote Desktop Services Deployment Guide for Windows Server 2008 R2
  • RDP Settings for Windows Server 2008 R2
  • Group Policy Settings for Windows Server 2008 R2

For information about the RemoteFX WMI provider documentation, see MSDN.

If you are interested in seeing more Remote Desktop Services documentation, see the Remote Desktop Services TechCenter.

Why Hyper-V for VDI whitepaper

Download the whitepaper here.

Brief Description

This whitepaper demonstrates why organizations should choose Microsoft® Hyper-V™ as their hypervisor when designing and implementing a Virtual Desktop Infrastructure (VDI) solution.

Overview

Choosing a hypervisor for deploying a VDI solution involves a number of important considerations, each of which can be fulfilled by using Microsoft's Hyper-V 2008 R2 SP1 hypervisor-based virtualization technology. When implemented together with the Microsoft System Center family of products and desktop virtualization technologies from partners like Citrix, organizations can build integrated VDI solutions that can meet the needs of your business while keeping costs under control. Based on the results obtained from internal testing and because VM density has a significant influence on datacenter cost structures; an integrated Citrix/Microsoft VDI solution that includes Microsoft Hyper-V 2008 R2 SP1 and System Center delivers unique end-to-end business value for organizations planning on implementing VDI.

An update is available that lets you add Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1 as supported platforms for Configuration Manager 2007 Service Pack 2

http://support.microsoft.com/kb/2489044

SYMPTOMS

On a computer that is running Microsoft System Center Configuration Manager 2007 Service Pack 2 (SP2), you have the following features:

  • Software distribution
  • Software update management
  • Desired configuration management

However, the following products are not listed as supported platforms for these features:

  • Windows 7 Service Pack 1 (SP1)
  • Windows Server 2008 R2 Service Pack 1 (SP1)

A System Center Configuration Manager 2007 SP2 client cannot register to its management point after an OSD task sequence reinstalls its operating system

http://support.microsoft.com/kb/2504229

SYMPTOMS

Consider the following scenario:

  • You configure native site mode on a Microsoft System Center Configuration Manager 2007 Service Pack 2 (SP2) site server.
  • You reinstall the operating system of a System Center Configuration Manager 2007 SP2 client by using an operating system deployment (OSD) task sequence.
  • You specify a different computer name in the OSD task sequence. This new computer name is registered by another client.

In this scenario, the new System Center Configuration Manager 2007 SP2 client of the reinstalled operating system cannot register to its management point.

For example, consider the following scenario:

  • You configure native mode as the site mode on a System Center Configuration Manager 2007 site server.
  • You install the System Center Configuration Manager 2007 SP2 client on two computers that are named "PC1" and "PC2."
  • You reinstall the "PC2" client by using an OSD task sequence.
  • You specify the name "PC1" for the client in the operating system deployment task sequence.

In this scenario, the "PC2" client cannot register itself to its management point.

RESOLUTION

The following hotfix package resolves an issue on the site server on which the management point role is installed.
To resolve this issue, install the following hotfix package on the primary and secondary System Center Configuration Manager 2007 SP2 site servers.
For more information about the steps to deploy a hotfix package to the System Center Configuration Manager 2007 SP2 site server, click the following article number to view the article in the Microsoft Knowledge Base:

2477182 (http://support.microsoft.com/kb/2477182/) System Center Configuration Manager 2007 Hotfix Installation Guidance

Note: The following hotfix package can be installed on a System Center Configuration Manager 2007 SP2 site server that is running an x86-based or x64-based version of Windows:

SCCM2007-SP2-2504229-X86-ENU.msi

Fix: Unable to delete the OSDStateStorePath folder in an OSD Task Sequence using USMT 4.0 with Hard Links in ConfigMgr 2007

Read the original post here, contributed by:

Clifton Hughes | Senior System Center Support Engineer

When using Hard Links for User State Migration, attempting to remove the OSDStateStorePath folder after restoring the user's data in a Task Sequence may fail or appear to hang.

Note: This is in reference to the steps listed in this article: http://technet.microsoft.com/en-us/library/ee344267.aspx

The command .\%PROCESSOR_ARCHITECTURE%\usmtutils.exe /rd %OSDStateStorePath% may appear to hang unless you configure a timeout value on the Run Command Line step, and/or it may fail with one of the following errors or warnings depending on how the Task Sequence Advertisement is configured:

SMSTS.log may show one of the following errors or warnings.

Warning: This command is going to delete the following list of path(s).
Please review before continuing...
C:\UserState
Are you sure you want to proceed (Y/N)?

If you do not configure a timeout value, it will hang at this point; however, since you cannot see the prompt for user input, you cannot continue.

Or, if you configure a timeout value on the Run Command Line step, you may see this error in the SMSTS.log

This operation returned because the timeout period expired. (Error: 800705B4; Source: Windows)

The amount of detail you see in the log will also depend on how you have configured the Advertisement for the Task Sequence. If the Advertisement is configured to Download content locally when needed by running the task sequence (commonly referred to as Download and run locally) then you will not see as much detail on the command line being run. However, if you select Access content directly from a distribution point when needed by the running task sequence (commonly referred to as Run from DP), then you will get more details on the command line being run, and it may show the prompt "Are you sure you want to proceed (Y/N)?" in the SMSTS.log. If you tried adding the cmd.exe /c echo Y | in front of the command and still try to use the Run from DP option, the command will fail with a Path not found error.

Cause

There are two things we are trying to overcome with this issue when running the USMTUTILS.EXE command from a ConfigMgr 2007 OS Deployment Task Sequence:

1. This command requires user input in order to delete the OSDStateStorePath folder and does not seem to support any command line switches to bypass this prompt.

2. Although we are able to use the echo command to pass the Y for yes to the command line step using cmd.exe /c echo Y | "command", this will only work if the Advertisement is configured to Download content locally when needed by running the task sequence (commonly referred to as Download and run locally). If you select Access content directly from a distribution point when needed by the running task sequence (commonly referred to as Run from DP) this step will fail. This is because the echo command we need to pass is a built-in command in the command interpreter, cmd.exe, so we must specify the cmd.exe /c in the beginning of the command line, as this is not present in the package on the DP.

Resolution

Note: This will only work if the Advertisement is configured to Download content locally when needed by the running task sequence (commonly referred to as Download and run locally). If you select Access content directly from a distribution point when needed by the running task sequence (commonly referred to as Run from DP) this step will fail.  This is because the echo command we need to pass is a built-in command in the command interpreter, cmd.exe. We must specify the cmd.exe /c in the beginning of the command line since this is not present in the package on the DP.

NOTE: Data Loss Warning, do not select Continue on error on the Restore User Files and Settings!  It is also important to not select “Continue on error” on the Options tab, or “Continue if some files cannot be restored” on the “Properties” tab of the “Restore User Files and Settings” task sequence step. Selecting these options will allow the next task sequence step to delete the User Files and Settings even if they are not successfully restored.

This resolution assumes you have already successfully configured and tested an OS Deployment with ConfigMgr 2007 SP2 using Hard Links with USMT 4.0 . If not, follow the steps to configure the OSDStateStorePath, OSDMigrateAdditionalCaptureOptions, and OSDMigrateAdditionalRestoreOptions variables for using Hard Links with USMT 4.0 in ConfigMgr 2007 SP2:

http://technet.microsoft.com/en-us/library/ee344267.aspx

To add a step that should successfully remove the User State folder after the User Files and Settings are restored, follow these steps:

1. In the Task Sequence Editor, after the Restore User State step, click Add, navigate to General, and then click Run Command Line action. Type the following in the Run Command Line action:

2. Type the following in the Command line field:

cmd.exe /c echo Y | ".\%PROCESSOR_ARCHITECTURE%\usmtutils.exe" /rd "%OSDStateStorePath%"

3. Select the Package check box.

4. In the Select a Package dialog box, browse to the USMT 4.0 package, and then click OK.

Although we are able to use the echo command to pass the Y for yes to the command line step using the command line step:

cmd.exe /c echo Y | ".\%PROCESSOR_ARCHITECTURE%\usmtutils.exe" /rd "%OSDStateStorePath%"

New Hotfix: Advertisement is not scheduled to run on a ConfigMgr 2007 SP2 client if the client computer starts or awakens within the maintenance window–KB2392488

Read the original post here.

Consider the following scenario:

  • You configure a maintenance window for a Microsoft System Center Configuration Manager 2007 Service Pack 2 (SP2) client.
  • You configure an advertisement to run on the client computer within the maintenance window.
  • The client computer starts or awakens from hibernation within the maintenance window.

In this scenario, the advertisement does not run within the maintenance window as scheduled.

The issue is caused by a timing issue between the service window manager and the execution manager. Both the service window manager and the execution manager start when the client computer wakes up within the maintenance window. In this situation, the service window manager posts a service window start event. Because of the timing issue, the execution manager is in its initialization process and misses the service window manager event. Therefore, the advertisement is not scheduled to run within the maintenance window.

For a downloadable hotfix and a workaround to this issue please see the following Knowledge Base article:

KB2392488 - FIX: Advertisement is not scheduled to run on a System Center Configuration Manager 2007 SP2 client if the client computer starts or awakens within the maintenance window

ConfigMgr 2007 Quick Fix: Remote Tools fail with Access Denied

Read the original post here.

This post was contributed by:

Nuno Oliveira | Senior System Center Support Engineer

Here’s an issue I ran into the other day and since I didn’t see a lot documented about it I thought I’d go ahead and post the fix here.  If you’re getting an Access Denied error when trying to connect to a client using the Remote Tools then here are some permissions you should check.

Symptoms

When launching a System Center Configuration Manager 2007 Remote Tools session against a Windows 7 x64 (64-bit) client, the session will fail with one of the two messages below:

- If launching the RC.EXE > File > Connect > IP of the Windows 7 x64 client > you get error Unable to contact host

- If instead we use the command prompt and execute RC.EXE 1 <IP address> you get Access Denied

In the RemoteControl.log you will see entries similar to the following:

Remote Control Server started. RemoteControl 01.02.2010 16:32:29 2856 (0x0B28)
Failed to activate launcher object (0x80070005) RemoteControl 01.02.2010 16:32:29 2856 (0x0B28)
Server is no longer in use. Shutting down. RemoteControl 01.02.2010 16:32:29 2856 (0x0B28)
Remote Control Server terminated normally. RemoteControl 01.02.2010 16:32:29 2856 (0x0B28)

If ProcMon is executed on the Windows 7 64-bit client you see an "Access Denied" for the following directories:

C:\Windows\SysWOW64\CCM\clicomp\RemCtrl\RCLaunch.exe
C:\Windows\SysWOW64\CCM\Logs\RemoteControl.log

Cause

This issue can occur due to a lack of permissions for the Windows 7 x64 client file \Windows\SysWOW64\CCM\clicomp\RemCtrl\RCLaunch.exe.

Resolution

To resolve this issue, give Read and Execute rights to the "ConfigMgr Remote Control Users" group for the Windows 7 x64 client file \Windows\SysWOW64\CCM\clicomp\RemCtrl\RCLaunch.exe. 
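
One way to check and apply the permission described above, as an added example that is not part of the original post: it reads the ACL on RCLaunch.exe, reports what the "ConfigMgr Remote Control Users" group currently holds, and adds Read and Execute only if it is missing. The path and group name are the ones quoted in the post; running it elevated on the affected client is an assumption.

```powershell
# Added example (not from the original post). Run elevated on the Windows 7 x64 client.
# The path and group name are the ones quoted in the post above.
$path  = Join-Path $env:windir 'SysWOW64\CCM\clicomp\RemCtrl\RCLaunch.exe'
$group = 'ConfigMgr Remote Control Users'
$rx    = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$need  = [int]$rx

if (-not (Test-Path -Path $path)) { throw "File not found: $path" }

# Resolve the group to a SID so ACEs are matched by identity, not by display name.
$sidType = [System.Security.Principal.SecurityIdentifier]
$sid = (New-Object System.Security.Principal.NTAccount -ArgumentList $group).Translate($sidType)

# Only ACEs that name the group directly are considered; access that the
# group gets through other principals is not evaluated here.
$acl  = Get-Acl -Path $path
$aces = @($acl.GetAccessRules($true, $true, $sidType) |
    Where-Object { $_.IdentityReference.Value -eq $sid.Value })

# Show what the group holds today, including inherited entries.
$aces | Format-Table AccessControlType, FileSystemRights, IsInherited -AutoSize

$allowed = $false
$denied  = $false
foreach ($ace in $aces) {
    $rights = [int]$ace.FileSystemRights
    if (($ace.AccessControlType -eq 'Allow') -and (($rights -band $need) -eq $need)) { $allowed = $true }
    if (($ace.AccessControlType -eq 'Deny')  -and (($rights -band $need) -ne 0))     { $denied  = $true }
}

if ($denied) {
    # A Deny entry wins over any Allow, so adding a rule would not help.
    Write-Warning "A Deny entry for '$group' covers Read/Execute on $path; review it manually."
} elseif ($allowed) {
    Write-Output "'$group' already has Read and Execute on $path"
} else {
    # Grant exactly Read and Execute, nothing broader.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $sid, $rx, $allow
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
    Write-Output "Granted Read and Execute to '$group' on $path"
}
```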

New Hotfix: Program does not run in a task sequence on a System Center Configuration Manager 2007 SP2 client if the program name contains extended ASCII characters

Read the original post here.

Consider the following scenario:

  • You create a deployment package on a Microsoft System Center Configuration Manager 2007 Service Pack 2 (SP2) site server.
  • You create a program in the package. The name of the program contains extended ASCII characters.
  • You create a task sequence, and you add an Install Software step to the task sequence.
  • You select the Install multiple applications option, and you configure the Base variable name setting to include the program that contains extended ASCII characters in the Install Software step.
  • You deploy the task sequence to a client computer.

This issue occurs because an incorrect data type is used to handle the program name that contains extended ASCII characters.

For more details and a downloadable hotfix for this issue see the following:

KB2507187 - Program does not run in a task sequence on a System Center Configuration Manager 2007 SP2 client if the program name contains extended ASCII characters

Got orphaned collections in ConfigMgr?

Michael Niehaus posted a nice script over on his blog for identifying orphaned collections in ConfigMgr. 

Read his original post here.

This one goes back several years to when I was routinely writing code that used the ConfigMgr SDK (although in an odd coincidence, I was writing such code again yesterday).  It was pretty easy to run some buggy code that didn’t quite do what was intended, and as a result ConfigMgr might be left in an odd state.

One example of this: orphaned collections.  These exist in ConfigMgr, and if you look via WMI you can see them.  But they don’t exist in the console anywhere – they are invisible.  This would happen because those collections were not “rooted” to the top-level collection called “COLLROOT” (or any other collection, if you build collection hierarchies).

Other than “buggy code”, how else could these orphaned collections happen?  Good question, hard to say.

So how do you fix these?  Well, simple:  You “re-root” them by creating a new SMS_CollectToSubCollect WMI instance that says “this collection is a subcollection of COLLROOT”.  A long time ago, I wrote a script to do this.  After enough digging around, I found it again, so I’ll provide it here…..
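
The re-rooting described above, as an added PowerShell example; it is not Michael Niehaus's script, which is not reproduced on this page. The site code P01 is a placeholder, and the script only reports unless -Fix is passed.

```powershell
# Added example (not Michael Niehaus's script). 'P01' is a placeholder site code.
param(
    [string]$SiteCode   = 'P01',
    [string]$SiteServer = '.',
    [switch]$Fix            # without -Fix the script only reports
)

$ns = "root\sms\site_$SiteCode"

# Every SMS_CollectToSubCollect instance links one subcollection to its parent.
$rooted = @{}
Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Class SMS_CollectToSubCollect |
    ForEach-Object { $rooted[$_.subCollectionID] = $true }

# A collection that never appears as a subCollectionID has no parent, so the
# console cannot show it. COLLROOT itself is the root and is skipped.
$orphans = @(Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Class SMS_Collection |
    Where-Object { ($_.CollectionID -ne 'COLLROOT') -and (-not $rooted.ContainsKey($_.CollectionID)) })

foreach ($c in $orphans) {
    Write-Output ("Orphaned: {0}  {1}" -f $c.CollectionID, $c.Name)
    if ($Fix) {
        # Re-root: create a link saying "this collection is a subcollection of COLLROOT".
        $class = [wmiclass]"\\$SiteServer\${ns}:SMS_CollectToSubCollect"
        $link  = $class.CreateInstance()
        $link.parentCollectionID = 'COLLROOT'
        $link.subCollectionID    = $c.CollectionID
        [void]$link.Put()
        Write-Output ("  re-rooted {0} under COLLROOT" -f $c.CollectionID)
    }
}

Write-Output ("{0} orphaned collection(s) found" -f $orphans.Count)
```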

Core Configurator 2.0 for Server 2008 R2

Another colleague sent a link for this awhile back and I’ve been meaning to blog about it for quite some time.

Download the tool and read the original post here.

We are pleased to announce the latest version of Core Configurator built and designed for Windows Server 2008 R2 x64 Core edition!


It is completely open source so it can be amended and changed to fit your requirements. This version has been a year in the making and has been written in PowerShell with a reference to WinForms so that a GUI format is displayed.

The primary focus of this project is to try and get feedback and contributions back from the community to make this the best free tool everyone will want in their toolkit, so if you have some code or features that you might want included then please leave a comment and we will get in touch.

Core Configuration tasks include:

  • Product Licensing
  • Networking Features
  • DCPromo Tool
  • ISCSI Settings
  • Server Roles and Features
  • User and Group Permissions
  • Share Creation and Deletion
  • Dynamic Firewall settings
  • Display | Screensaver Settings
  • Add & Remove Drivers
  • Proxy settings
  • Windows Updates (Including WSUS)
  • Multipath I/O
  • Hyper-V including virtual machine thumbnails
  • JoinDomain and Computer rename
  • Add/remove programs
  • Services
  • WinRM
  • Complete logging of all commands executed

Step by Step Guide for Extending Active Directory Schema for System Center Configuration Manager

Account Permissions

The account that will be used to run the extadsch.exe needs to have appropriate access and be in the “Schema Admins” group. You cannot run the extadsch.exe with alternate credentials using Run As.

Locating ExtADSch.exe

The exe used to extend the AD Schema can be located in the default installation directory under the bin\i386 folder.

If you have installed ConfigMgr to an alternate location, then it will be located in that installation path (installation path\bin\i386).

Running ExtADSch.exe

You can run the file by either opening a command prompt and running the extadsch.exe, or by double-clicking the file.

Once it has run, you are looking for the “Successfully extended the Active Directory schema” output. You can also view the results by viewing the ExtADSch.log that is created on the C: drive.

This log file will detail the changes made to the schema and also show the success of the schema extensions.

Creating the System Management Container

After the schema is extended successfully, the System Management container needs to be created in Active Directory.

Open ADSI Edit and expand to the “System” container.

Right-click on the System container and select “new” then “object”.

Select “container” from the object list, and then select “Next”.

Next, enter in “System Management” and then click “Next”.

Click “Finish”.

Once you click Finish, you should see the new container listed.

Setting Security on the System Management container

Once the System Management container has been successfully created in Active Directory, the appropriate permissions need to be set on the object.

With ADSI Edit still open, right-click on the System Management container object and select properties.

Go to the Security tab of the Properties dialog box and then select “Add”. Once the next dialog box opens, add the computer account of the primary site server(s) or the Active Directory group containing the servers. It’s recommended to use an Active Directory group so that you are not required to make this change again. Once you have entered in the required information, select “Ok”.

Select “Full Control” for the site server or group you just added.

Next select Advanced, and then configure the server or AD group permissions to apply to “this object and all descendant objects”.

Click “OK” 3 times to save your changes.
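
The ADSI Edit steps above can also be scripted; this is an added example, not part of the original guide. It creates the System Management container if it is missing, grants Full Control on "this object and all descendant objects", and then lists every principal that holds Full Control on the container for review. The group name CONTOSO\ConfigMgr Site Servers is a placeholder, and the script assumes a domain-joined session with rights to write under CN=System.

```powershell
# Added example (not from the original guide).
# Placeholder: AD group that contains the primary site server computer accounts.
$siteServers = 'CONTOSO\ConfigMgr Site Servers'

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = [string]$rootDse.defaultNamingContext
$path     = "LDAP://CN=System Management,CN=System,$domainDn"

# Create the container under CN=System only if it does not exist yet.
if (-not [ADSI]::Exists($path)) {
    $system = [ADSI]"LDAP://CN=System,$domainDn"
    $new    = $system.Create('container', 'CN=System Management')
    $new.SetInfo()
}
$container = [ADSI]$path

# Resolve the group to a SID; this fails early if the name is wrong.
$sidType = [System.Security.Principal.SecurityIdentifier]
$sid = (New-Object System.Security.Principal.NTAccount -ArgumentList $siteServers).Translate($sidType)

# Full Control (GenericAll), applied to this object and all descendant objects.
$full  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$scope = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$rule  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, $full, $allow, $scope

$container.psbase.ObjectSecurity.AddAccessRule($rule)
$container.psbase.CommitChanges()

# Review step: list every principal that holds Full Control on the container,
# so unexpected entries are visible right after the change.
$ga = [int]$full
$container.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object { ($_.AccessControlType -eq 'Allow') -and (([int]$_.ActiveDirectoryRights -band $ga) -eq $ga) } |
    Select-Object IdentityReference, InheritanceType, IsInherited
```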
