Maik Koster at myITforum.com

Versioning / Monitoring SCCM Task Sequences – Update for SCCM 2012

maikkoster — Thu, 10 Nov 2011 17:23:53 GMT

Back in May this year I released a small tool that monitors and tracks all changes on Task Sequences on your SCCM Server and exports a copy for backup purposes each time a change happens.

Today I just published an updated version of this script, that enables the same functionality for System Center 2012 Configuration Manager.

Please have a look on the original Blog Post for some further reference about the usage etc.

Find the updated Download on CodePlex.

2011 Microsoft MVP Award - Setup & Deployment

maikkoster — Sun, 02 Oct 2011 18:06:06 GMT

Has been a great sunny weekend so far and now I also received the following mail from Microsoft

Dear Maik Koster,

Congratulations! We are pleased to present you with the 2011 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Setup & Deployment technical communities during the past year.

I’m very proud being re-awarded as a Microsoft MVP for Setup & Deployment.

And now before I start to rant, I’ll just finish with some almost famous words by Johan Arwidmark “Contributing is Everything”

Mouse without Borders

maikkoster — Fri, 16 Sep 2011 09:06:20 GMT

Today I would like to share one of the coolest Tools I’ve seen for a while.

As doing a lot of testing and developing, I typically have a bunch of computers and laptops flying around on my desk. And as you are reading my blog, it’s probably the same for you.

How often did it happen that you have to constantly switch between them. Grab the wrong mouse, or have to use the touchpad as the laptop doesn’t have a mouse connected. Trying to test something on a Laptop just to recognize that the file you need is stored on your other computer. Or you check a log file and the guid you are looking for is on the other and you wish you could just Copy&Paste it over instead of typing it down from the other screen?

Well, then be sure to have a look on “Mouse without Borders”. A project developed by Truong Do, that has just been released to the public from “The Garage”. The Garage is an initiative (and actually also a physical place) within Microsoft to let employees work on side projects. Which results in brilliant ideas from time to time.

It’s just a ~1MB download, installs within a few seconds and only requires .Net 2 to be installed. I’ve tested it on Windows 7, XP and even the Developer Preview of Windows 8 without any issues. It allowed me to seamlessly switch between those machines, all with different accounts logged on. This is really an app that makes my life a lot easier.

When you first start the application on the first computer, it will generate a security key and show to you.

This key is then used to connect to this computer if starting “Mouse without Borders” on a different computer for authentication purposes. It then connects those computers and immediately allows you to use your mouse and keyboard seamlessly between them. It even supports Copy&Paste and Drag&Drop of files and content between the computers, no matter if you are logged in with different accounts and if these computers are standalone machine or joined to different domains. Pretty kewl.

So immediately switching between computers either by moving the mouse to the different screen or using a shortcut, or moving some content from one to the other is a piece of cake now. It even allows you to take a screenshot from the connected computers

Quite handy if creating documentations (or Blog posts ). Here a combined screenshot from three currently connected Laptops while writing this post:

The developer has also added some more goodies like “personalizing” the logon screen with your own photos (or the current bing photo) etc.. So be sure to Download this software and give it a try. It’s really worth it and one of those tools that you use and immediately think about why this haven’t been available for years.

Amazing Tool Truong! I really like it!

WSUS Offline Update – Installing Windows updates without an Internet connection and WSUS

maikkoster — Fri, 09 Sep 2011 12:47:56 GMT

Today I would like to share one of the handiest tools for servicing Windows systems, if they can’t be updated via WSUS or online at Microsoft Update, or if you for any reason want to install the updates from a CD/DVD/USB or even a share.

It’s called WSUS Offline Update (formerly known as c’t offline Update), created and maintained by Torsten Wittrock. It’s main purpose is to download all critical and security related Updates to a local folder and execute the required ones on a system, without the necessity to be connected to the internet or a working WSUS Server.

It supports Updates for Windows XP, Windows Vista, Windows 7, Server 2003, Server 2003 R2, Server 2008 and Server 2008 R2 both in32 and 64 bit (where applicable), Office 2003, Office 2007 and Office 2010. One can select the required languages, in- or exclude ServicePacks, .Net Frameworks, C++ Runtime libraries, Windows Defenders definitions, Microsoft Security Essentials and so on. Updates can come either from Microsoft Update directly or also from your WSUS Server.

Once downloaded, one can create ISO images per product and language or per language only. Or copy a subset of selectable updates on a USB Stick. Then a second component can be called from each individual computer that shall be updated, either locally or over the network. This will then evaluate the current computer against the available updates and install all missing ones plus a bunch of additional items like Internet Explorer, PowerShell, Windows Defender, .Net Frameworks, etc.

OK, let’s have a quick look on how to do that

Getting the Updates

First, download the most recent version from WSUS Offline Update (http://download.wsusoffline.net/). Be sure to unblock the file and then extract the content to a folder. Can be locally or on a network share. If you place it on a share, be sure to map it with a Drive letter.

Now you want to get the updates and optionally create the Update medias. To do so, start the “UpdateGenerator.exe” from the just extracted folder.

As you can see, there are plenty of options what to download and to create. All downloads will be stored in some subfolders at the location, where you started the application from. So be sure to have some space available. We will go over some of the more important ones a bit later. Also be sure to start the download regularly to always have the latest updates available.

Now if you have selected all the products you would like to download updates for, click on “Start” and the download process will start. It will first get a list of all available updates and then just download the ones that haven’t been downloaded already. Depending on your selection and bandwidth, this can take quite some time.

It will also check for superseded Updates, mark and optionally remove them. It’s also maintaining a list of excluded Updates which can be tweaked to your own needs. See the FAQs in the “doc” folder for more information.

Updating a Client

After the Updates have been downloaded, you an use the created CD/DVD/USB media to update a computer. Optionally it’s also possible to call it over the network, even if that’s not the preferred method and contradicts a bit with the idea of an “Offline” Update . However to do so, just share the Client subfolder and make sure that you map this share with a drive letter on the computer, as the scripts don’t work with a UNC path. Now execute the “UpdateInstaller.exe”. Preferably with Administrative privileges.

The GUI will let you choose only available options. So it might differ depending what you downloaded or have made available on your media and the OS and installed components itself. Interesting to mention here is, that you can tell it to automatically reboot and recall itself as often as required by the Update process. As a side note, the automatic reboot doesn’t work, if you started the process over the network as the temporary account, created for the automatic logon, doesn’t have the appropriate drive mapped. Well, this is the out-of-the-box behavior and as most of the commands are just scripts, it is possible to tweak this to your needs if you really need to have this option available.

However, to start the process, simply click on the “Start” button again and let the magic happen. Just be aware, that it might take some time.

Automation

The whole project has been published under the GNU/GPL and most of its components are vb scripts, batch files or AutoIt scripts. It’s possible to exclude specific Updates, include additional ones, etc. Please see the FAQ (located in the “doc” folder) for some more information on this.

Interesting part here is, that you can also automate the process to keep your medias up to date. In the “cmd” folder you will find a bunch of command line scripts, that you can use for this purpose. E.g. to update your media after each Microsoft Patchday, just create a batch that calls the “DownloadUpdates.cmd” and "CreateISOImage.cmd” (or “CopyToTarget.cmd” for a USB Stick) with the appropriate parameters and schedule it to run on the required dates. Also the execution on the client can be automated as well by either calling the “Update.cmd” file from the root of your media or the “DoUpdate.cmd” from the “cmd” folder. Actually the first one just calls the latter one and as you can see in the screenshot above, also the GUI just calls them with selected parameters.

It is a real benefit to always have a USB Stick available, filled with the latest Updates and ready to execute on any machine whenever needed. Or how about automatically updating your Reference image(s) offline with the latest updates? I will show you how, in the next Blog post.

Deployment Web service 7.3 - SCCM Client Center support

maikkoster — Tue, 30 Aug 2011 16:28:37 GMT

With the release of version 7.3 of the Deployment Webservice (Download) a completely new part has been added, integrating some functions of Roger Zanders awesome SCCM Client Center Automation library for Deployment usage. This library enables you to execute certain SCCM Client related task directly on a client like forcing Software updates or refreshing the Machine Policy. The offered functions are mainly identical to the ones offered in the SCCM Client Center Integration Pack for Opalis. And as you can see, the available functions are not only interesting for plain deployments, they are also pretty useful in your day-to-day work and can e.g. be called from a minimized administrative FrontEnd for certain helpdesk Users, that shouldn’t deal with the complete SCCM Client Center.

The web service is currently offering the following functions:

Checks / Status information

CheckAdvertisementDownloading (Computername)
Check if an advertisement is currently downloading

CheckAdvertisementRunning (Computername)
Check if an advertisement is currently running

CheckAdvertisementRequiresReboot (Computername)
Check if an advertisement is pending a reboot

CheckMissingSecurityUpdates (Computername)
Check for missing authorized security patches

CheckWUARebootPending (Computername)
Check if a reboot is pending because of installed security patches

CheckFileRenamePending (ComputerName)
Check if file rename operations are pending

Execute actions

RunCertificateMaintenance (Computername)
Initiates a Certificate Maintenance task

RunCollectFiles (Computername)
Initiates a Software Inventory (Collect Files)

RunDCMScan (Computername)
Initiates a Desired Configuration Monitoring Scan

RunDeleteOrphanedCachedPackages (Computername)
Initiates a cleanup of all orphaned packages

RunDeleteAllCachedPackages (Computername)
Deletes all packages from cache

RunDeleteCachedUpdates (Computername)
Deletes all Updates from cache

RunHardwareInventory (Computername)
Initiates a Hardware Inventory (Delta Update)

RunFullHardwareInventory (Computername)
Initiates a Hardware Inventory (Full Update)

RunSoftwareInventory (Computername)
Initiates a Software Inventory (Delta Update)

RunFullSoftwareInventory (Computername)
Initiates a Software Inventory (Full Update)

RunHeartbeat (Computername)
Initiates a Data Discovery cycle

RunLocationRefresh (Computername)
Initiates a refresh of locations

RunMachinePolicy (Computername)
Initiates a Machine Policy and Evaluation cycle

RunUserPolicy (Computername)
Requests User Policy if a User is logged on

RunUserPolicyByName (Computername, Username)
Requests User Policy for the specified User

RunResetPolicy (Computername)
Initiates a cleanup of orphaned policies cycle

RunFullResetPolicy (Computername)
Initiates a Full reset of all SCCM Policies

RunMPRefresh (Computername)
Initiates a refresh of the Default Management Point

RunMSISourceUpdate (Computername)
Initiates a Windows Installer source update cycle

RunOOBDiscovery (Computername)
Initiates an Out of Band Discovery

RunResetPausedSoftwareDistributionFlag (Computername)
Resets the paused Software Distribution Flag

RunSoftwareMeteringReport (Computername)
Generates a Software Metering Report

RunTimeoutRequests (Computername)
Initiates Timeout Requests

RunUpdateScan (Computername)
Initiates a scan for missing software updates

RunUpdateDeployment (Computername)
Deploys authorized Software updates

RunCreateServiceWindow (Computername, StartDate, hourDuration)
Creates a new Service Window

RunDeleteServiceWindow (Computername, ServiceWindowGuid)
Deletes a Service Window

Get / Update Client information

GetAgentVersion (Computername)
Returns the Agent version of the Client

GetAssignedMP (Computername)
Returns the assigned MP of the Client

GetCachePath (Computername)
Returns the Cache Path of the Client

SetCachePath (Computername, CachePath)
Sets the cache Path for the Client

GetCacheSize (Computername)
Returns the Cache size of the Client

SetCacheSize (Computername, CacheSize)
Sets the cache size for the Client

GetClientID (Computername)
Returns the GUID of the Client

GetDNSSuffix (Computername)
Returns the DNS suffix of the Client

SetDNSSuffix (Computername, DNSSuffix)
Sets the DNS suffix of the client

GetHTTPPort (Computername)
Returns the HTTP port of the Client

SetHTTPPort (Computername, HTTPPort)
Sets the HTTP port of the Client

GetInternetMP (Computername)
Returns the Internet MP of the Client

SetInternetMP (Computername, InternetMP)
Sets the Internet MP of the Client

GetProxyMP (Computername)
Returns the proxy MP of the Client

GetMissingSecurityUpdates (Computername)
Returns a list of missing authorized security patches

GetSecurityUpdates (Computername)
Returns a list of authorized security patches including their current status

GetSiteCode (Computername)
Returns the SiteCode of the Client

SetSiteCode (Computername, SiteCode)
Sets the SiteCode of the Client

GetSLP (Computername)
Returns the SLP of the Client

SetSLP (Computername, SLP)
Sets the SLP of the Client

Thanks to Roger Zander for this awesome piece of work.

As described in a former Blog post, just download the newest version of the Deployment Web Service, configure it as described in the Installation Guide and open the page http://YourWebServer/Deployment/SMSCliCtrV2.asmx to see a complete list of functions including a short description and the possibility to test each individual function. The new security model described in the last blog post will also apply to the functions of this part.

As always, I really appreciate any feedback.

Deployment Web service 7.3 – Basic security

maikkoster — Tue, 30 Aug 2011 15:14:34 GMT

With the updated Version 7.3 (Download) just being published, the growing number of available functions, covering more and more demands in todays deployments, it’s not only an advantage of having such a huge toolset available. In its default implementation, the Web Service is configured to execute actions under certain user account. While this makes it pretty easy to troubleshoot and verify the functions are working, everyone with access to this web service will now be able to execute actions, he is not supposed to execute.

So you could restrict the access to the web service with the default methods available in IIS. So only authorized users are able to access the web service and by this execute all the actions. Now it could happen that you would like to let them access only a subset of these actions. For example you might want to restrict the functionality deleting computer objects in AD or the possibility to update any property of an Active Directory object. So far the only way to deal with this problem was using pass-through authentication. By enabling this option in the web service, it would take the credentials of the calling user and pass his credentials further to execute what ever he was tasked to do. By this you are able to offer the full bunch of functions to a lot more users. But you can ensure that only the ones with appropriate permission can actually execute them.

One drawback on this solution is a much higher complexity and it’s sometimes very hard to troubleshoot problems. As actually most of the problems you might experience with the web service are security related.

To create some kind of intermediate solution, I implemented a very simple security layer into the Deployment Web Service, that became active with Version 7.3. The basic idea is to still restrict the access to the web service as you did before. But optionally choose the functions you would like to have available. No fancy Role based security whatsoever. Just a plain list of functions that shall be either excluded (supposing everything else is included) or included (supposing everything else is excluded on default). Plus a combination of both.

This can be configured for either all web services at all. Or individually for each part of the web service (AD, MDT, SCCM, SMSCliCtrV2). If a function is excluded, it will neither show up on the page that shows a documentation of all available functions, nor will it be possible for anyone to call it, even if knows the name and correct properties.

Let’s start with an example. On default, the web service excludes the following Active Directory Functions that could be pretty dangerous if they can be used by anyone:

- DeleteComputer

- DeleteComputerForced

- SetComputerAttribute

- DeleteUser

- DeleteUserForced

- SetUserAttribute

To store this information, a couple new Application Settings have been added to the web.config. You can edit them either directly in the web.config. Or use your IIS Manager

As you can see. There are two generic include and exclude settings (IncludeFunctions, ExcludeFunctions), that will be used for all web service parts. On default all functions are included ( * ) on default. If all settings are empty, which will probably happen if you upgrade from a former version, everything will be available on default. This is to ensure backwards compatibility. So if you upgrade from a former version to 7.3 without updating the web.config, Functions like DeleteComputer might be exposed to the public.

The second setting with a value is called “ExcludeADFunctions” and is filled with a comma separated list of functions, available in the web service part covered in AD.asmx. All of these settings follow the same naming convention and are hopefully pretty self-explaining.

Excluding a function will always overrule everything else. So be sure to type in all the functions you would like to not be usable within your environment. If you would just like to just use some very few functions, excluding so many might not be the best option. In this case, just enter the ones you would like to use in the appropriate “include” setting and be sure to remove the “*”.

The combination of these settings should allow you to cover the most “basic” security demands between the former “Nothing or All” and the very individual “pass-through authentication” approach. However, it will not be able to cover more complex security demands.

If you experience any issues with this new security model or have some great suggestions for further extensions, just get back to me or start a new discussion on the MDT Customizations CodePlex project.

Deployment Web service – Version 7.3 published

maikkoster — Tue, 30 Aug 2011 07:56:00 GMT

Today I published version 7.3 of the Deployment web service. Beside some small bug fixes and minor additions, three new features have been added:

1. SCCM Client Center support

A completely new web service part has been added that’s exposing a couple of functions (55 to be accurate) from the SCCM Client Center automation library written by Roger Zander, giving the possibility to execute certain tasks on a client like pushing Software updates, refreshing the machine policy etc. A full list of functions with all information on how to call them will be published in a separate blog post coming soon. But most of them should be self explaining. Just download the new version and open the page http://YourWebServer/Deployment/SMSCliCtrV2.asmx to see a complete list including a short description and the possibility to test each individual function.

Update: Please see Deployment Web service 7.3 - SCCM Client Center support for more details

2. Active Directory support for multiple Domains

An often requested feature was enabling the possibility to use the same web service executing actions on different domains. Especially if there are separate domains for resources like computers but with security groups in a different domain. Starting with version 7.3, there will be two more or less identical versions of the Active Directory part of the web service. the AD.asmx file is offering the standard functions, that work on the configured Domain only. ADEx.asmx contains the same set of functions, but each with an additional parameter to supply the domain name. The domain can be supplied by either “DC=YourDomain,DC=com” or “YourDomain.com”. As a lot of things are going more User centric, I’ve also added a couple functions that enable all the functionality currently available for computers now for users. So you can add or remove Users automatically to Groups, move them to a different OU, get or set specific attributes, or get the parent path of a User if you e.g. would like to place the new computer object in the same OU as a specific User object (as RIS/WDS can do). It’s now also possible to list the groups the Computer or User is member of and check if a Computer/User is member of a specific group. Finally an enhanced version of the DeleteComputer/DeleteUser has been added called DeleteComputerForced/DeleteUserForced, that will now also delete a Computer/User object, if it contains child objects. That could e.g. happen if you have BitLocker configured in your Domain. As all those functions are pretty dangerous, they are disabled on default. Please have a look on the next Blog post on how to disable/enable specific functions.

3. Basic security

Another often asked question was how to restrict users from calling certain functions from the web service. Due to its former all or nothing approach, the ongoing amount of functions became a bit of a problem as it meant to either allow access to all or none of the functions. The only way so far to restrict the usage of individual functions was to pass through the credentials of the calling User and by this use the security settings of the called server. Starting with version 7.3 it’s now possible to allow or deny access to each individual function. It’s still not a complex role based security model. Rather a simple list of names that are either allowed or blocked. But should allow you to easily adjust the available functions without the necessity to built and manage “another” security model. As even this simple implementation has a lot of possibilities, I will post some detailed explanation in another blog post.

Update: Please read Deployment Web Service 7.3 - Basic security for more information.

Download and Upgrade

As always, you can download the most recent version directly from CodePlex. While the former updates have been simple copy&paste replacements, where you could just exclude the web.config, there have been now a lot of changes in the web.config this time and I highly recommend using the web.config supplied in the download and re-add the changes you made in your own (or the other way round ). Please check especially the “AppSettings” and the “webServices” sections as they contain a couple new elements that should be part of your web.config. The rest remains a copy&paste.

As mentioned I will publish more details in the next couple of blog posts and will also update the documentation on CodePlex. Might just take a moment

…

or two.

Thanks to all the Beta testers and their feedback and also for more than 6000 downloads so far. I’m still surprised how large this project went.

TechNet Radio Interview

maikkoster — Mon, 20 Jun 2011 10:01:42 GMT

I recently had an interview with John Baker for TechNet Radio which has just been published. Check it out at http://bit.ly/mMBOr8. Thanks to John Baker and Chris Caldwell for taking the time. At the end there is a demo of the new version 2 of the MDT Web FrontEnd and yes, I’m really late on the release ;-)

Note to myself: Remove the “So” from my vocabulary and replace it with some more useful words.

New Stuff in MDT 2012 – native VHD support

maikkoster — Mon, 13 Jun 2011 07:45:53 GMT

As probably most of you have seen already, the Beta 1 of the upcoming MDT 2012 has been published to connect (Download link) recently (Announcement by Michael Niehaus). Main intent for this update is enabling support for the upcoming ConfigMgr 2012. But the team also included a couple other updates into this release like a “prettier” wizard, Cross-Platform support, etc. However some of the bigger changes “under the hood” did happen on the part that handles all drive and disk related activities like UEFI Support, creating partitions, formatting, etc.

While the Cross-Platform support is really helpful if you need to deploy to different architectures and I’m for sure will have a look on the new wizard, actually my personal highlight in this version is the added support for VHD during deployments. So lets have a look on how that works.

Why VHD?

As you know, a VHD is a file, that acts as a virtual hard drive. So almost anything you can do with a physical hard drive can also be done with a VHD, except that it is still simply a file (or several ). At the beginning they have been used only for “pure” virtualization purposes in Virtual PC and Hyper-V as virtual hard drives for virtual machines. But Windows 7 and Server 2008 R2 added native VHD support. So both are able to not only create and mount a VHD file as an additional “hard drive”. They also support booting from a VHD. This means, you could now have a computer with a single file on your hard drive and it’s booting from (or into?) this file. After you booted, the content of the VHD is your “C:\” drive and the “real” hard drive is “D:\”, “E:\” or whatever (depends on your settings). Doesn’t that sound funny?

Well, funny is actually enough for me (and a couple others as well ) to start digging into it it. But there are a couple more benefits why you should have a look on it.

First it’s simply a file. Backup is now copying a file. Move your “computer” to a different hardware (yes, you need to take care about drivers) or into a virtual machine and back by a simple file transfer. Have multiple VHDs on the same hard drive, gives you multi-boot without fiddling around with partitions and changing driver letters etc. Or even more funny, create differencing disk(s) based on a parent VHD and boot from these differencing disk(s). Want to test a new Service Pack on your non-virtual computer? Create a differencing disk, boot into this differencing disk. Do some heavy testing. If it is good merge the differencing disk back into the parent VHD. If not, just boot back into the parent VHD and delete the differencing one. Due to this we are now able to move some of the features we appreciate from virtual machines into the world of physical computers.

MDT 2012 – Base support for VHD

Now lets have a look on the support, that the new version of MDT 2012 gives us for this. First, there are two new templates that can be used to create new Task Sequences with added VHD support.

- Deploy to VHD Client Task Sequence

- Deploy to VHD Server Task Sequence

The difference to the standard Client and Server templates is minimal. The new templates just contain three additional steps in the Preinstall phase:

- Create VHD Disk –> Creates a new VHD Disk on the local hard drive and mounts it

- Format and Partition VHD –> Formats and partitions the new mounted VHD Disk

- Clear OSDDiskIndex Variable –> Clears the global variable “OSDDiskIndex” that got set by the “Create VHD Disk” step.

The rest of the Task Sequence is identical to the Standard Task Sequences. So if you would like to use this feature, it’s actually a piece of cake as you just do the same that you did to create your “normal” Task Sequences. And you end up with your Computer booting into Windows 7 / Windows Server 2008 R2 from a VHD. You will find this VHD on the local hard drive in the VHD Subfolder. Named with the TaskSequenceID and some random characters.

A bit more curious on how that works under the hood or how to tweak it? Then read on:

Some MDT 2012 VHD Deep Dive

As we have just seen, it’s pretty easy to get MDT creating and using a VHD instead of the hard drive itself. What is really great already (Big thank you to Michael and Keith ;-)).

However as with everything in MDT, it works fine and easy out of the box, but can also be tweaked to whatever (well almost) what you want. So let’s have a deeper look into this new functionality. For the beginning, we check how the script is being called in the step that creates the VHD Disk. For easier reading, I just copied the command line to the Description:

We see it’s being called with two parameters:

The first is called VHDOutPutVariable and gets a value of OSDDiskIndex. Using this parameter, we can define into what property the disk index of the VHD file will be stored. And as OSDDiskIndex is used, this is actually the reason why we need to clear that value after the disk has been portioned and formatted (Step 3 for the three new steps).

The second parameter is VHDCreateFileName which is set to RANDOM here. What that does is creating a name starting with the Task SequenceID and some random characters. But we could supply our own name here.

Beside the naming, that doesn’t give us much options. But the script itself offers us some additional parameters as well:

VHDCreateSource –> Name (and path) of a source VHD Disk. The script will make a copy of the specified source disk and use this copy as the new VHD Disk. Interesting if you have a central repository of prepared VHD disk with syspreped base images. If using a custom source, make sure that you tweak the rest of your Task Sequence accordingly. E.g. the whole content of it would get formatted in the next step .

VHDCreateDiffVHD –> If a value is set, it will create a Differencing disk based on the new VHD that has just been created and use this differencing disk to continue the installation. You can use RANDOM to create a random file name as for the VHD disk or supply a custom name. This option will come into play if you are using an already prepared VHD as source for your new VHD (e.g. a syspreped base image). Again, it requires some custom changes. Well, actually this option will work with the default task sequence, but it doesn’t really make sense.

VHDCreateSizeMax –> Specify the maximum size in MB of the VHD file. That might be an interesting parameter, if you want to store something else on the hard drive as well. On default, MDT will size the VHD to 80% of your current free space on the partition it will place the VHD on. Now you need to be aware, that even if the VHD disk type is set to expandable, meaning the VHD disk size will only be as large as the used space within the VHD, it will blow up to the configured size as soon as you boot. So if your VHD has been configured to a size of 100GB, but uses only 15GB of space after everything has been installed, it normally has a size of 15GB as long as the computer hasn’t booted yet into this VHD. If it now boots the VHD, the size of the VHD will increase to 100GB(!) immediately. So if you plan to use several VHDs for Multiboot on the same computer, be sure to configure them for a smaller size. Otherwise you will experience a Bluescreen as soon as the computer boots and there isn’t enough space on the hard drive for the VHD to expand to its configured size. A pretty nasty thing thing if you are starting your experiments with VHDs and don’t take care about it. If the configured max size is actually larger then the mentioned 80% of the free space, it will always use the smallest value.

VHDCreateType –> sets the type of the VHD disk. Can be either FIXED or EXPANDABLE. Default is EXPANDABLE. Pretty self explaining.

There is another parameter (well actually a MDT property) that will be used by the script which is DestinationLogicalDrive. That property normally holds the partition MDT shall deploy the OS to. It should get discovered automatically but if you want to deploy the VHDs to a different hard drive/partition, you might want to adjust this property.

And finally after the script has been executed, it will write a new property called “VHDDisks” that contains the Partition Index of the new VHDDisk.

Now as we know that MDT treats all parameters as properties, we can define those properties in our Rules (customsettings.ini) as well. But we need to define them as custom properties, as they haven’t been added (yet) as standard MDT properties.

Tip: In case you are interested, see ZTIGather.xml for a list of all standard MDT properties that well be evaluated on default by the Gather step.

Test the script locally

As this script is just creating one (or two) new VHDs and mounts it to the computer, we can even run this script locally to test the behavior. Just two things to notice:

First, you need to run it elevated as it is calling Diskpart.exe internally.

Second, the script will run only if the DeploymentType is “NewComputer”. So we need to pass this properly into the script call.

Now to run this script we could call the following from an elevated command prompt:

cscript.exe ZTIVHDCreate.wsf /DeploymentType:NEWCOMPUTER /VHDOutPutVariable:OSDDiskIndex /VHDCreateFileName:RANDOM /Debug:True

Now looking at the ZTIVHDCreate.log from C:\MININT\SMSOSD\OSDLOGS we see how it parsed the properties, prepared the name, path and size and after some more details that I skipped in the screenshot, that everything went well:

And we will see the new VHD created in the VHD folder

and mounted to our Computer:

Now as we know how to call it, we can test more fancy stuff like using a differencing disk and giving it proper names

cscript.exe ZTIVHDCreate.wsf /DeploymentType:NEWCOMPUTER /VHDOutPutVariable:OSDDiskIndex /VHDCreateFileName:MyParent.vhd /VHDCreateDiffVHD:MyDiffDisk.vhd /Debug:True

etc.

So lets download the new MDT 2012 Beta 1 and start some testing.

Be aware that this information is based on the current Beta 1 so that might change until the final release. But I will update this post if anything changes, so be sure to get back to it.

Step-by-Step: Handling WMI Events permanently using VBScript

maikkoster — Mon, 30 May 2011 11:58:00 GMT

This could be called part 4 of WMI magician Kim Oppalfens 3 part series about WMI eventing in SCCM. In his series he first covered the basics of WMI eventing using wbemtest to create the event query and dig a bit through the returning objects. Then he guided us through a simple VBScript that monitored folders in SCCM to implement “securable” Configuration Manager folders. A pretty neat solution as folders aren’t securable objects within SCCM. However one drawback of his initial script is, that it needs to be running to be able to monitor events and do its magic. So as soon as the script stops due to user logging off, reboot of the server, etc. it will no longer handle any event. Pretty ugly for a solution that shall enhance SCCM usage all the time. I had the same requirement for the script I’ve published in my last post about Monitoring SCCM Task Sequences and other event scripts as well.

So lets fill this gap and get it working all the time.

What do we need ?

To let Kim's magic happen all the time, we need three things:

1. The event query

It’s provided in the original script already:

SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'SMS_ObjectContainerItem'

This queries WMI every 5 seconds for all “SMS_ObjectContainerItem” objects being created.

To implement this query in WMI we need to create a new “__EventFilter” object. We use the following VBScript snippet:

Set oEventFilterClass = oWbemService.Get("__EventFilter")
Set oEventFilter = oEventFilterClass.SpawnInstance_()

oEventFilter.Name = "SCCMFolderMonitorEvent"
oEventFilter.QueryLanguage = "WQL"
sQuery = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'SMS_ObjectContainerItem'"
oEventFilter.Query = sQuery
oEventFilter.EventNamespace = "root\sms\site_XXX"

oEventFilter.Put_()

We first get the class for “__EventFilter” and create a new instance of it. Then we supply some necessary properties like the query language, the query itself and the namespace for the event. I also gave the Filter a name, so that we are able to reference it later if we e.g. would like to remove the event filter again. If no name is specified, it will be set to a GUID, making it a bit more complicated to find.

2. The event consumer

Now as we have our Event Filter, we need an Event Consumer. The event consumer should call our script that is handling the events we get from our event query. We are not going to cover what the script is actually doing with this event objects or what is required to get it working (the “dummy” object that holds the permission etc.). Please see Create "securable" Configuration Manager folders using WMI eventing of course for more details or see the script as its pretty well commented.

As mentioned by Kim in his series, there are a couple built-in event consumers available in WMI already. One of them is called “ActiveScriptEventConsumer” that “runs a predefined script in an arbitrary scripting language”. Sounds like what we need. So we use the following VBScript snippet to create the ActiveScriptEventConsumer:

Set oConsumerClass = oWbemService.Get("ActiveScriptEventConsumer")
Set oConsumer = oConsumerClass.SpawnInstance_()

ScriptPath = Replace(WScript.ScriptFullName, WScript.ScriptName, "") 
oConsumer.Name = "SCCMFolderMonitorConsumer"
oConsumer.ScriptFileName = WScript.ScriptFullName 
oConsumer.ScriptingEngine = "VBScript"

oConsumer.Put_

Again, we first get the class “ActiveScriptEventConsumer” and create a new instance of it. We define the scripting engine, which is VBScript in our case and can supply either the script itself as a string, or the path to the script. In this example I simply reference the script itself. This way we can create a script that registers and unregisters itself or executes the event handling, depending on the caller and keep everything at one place. As a sidenote, the WScript object is only available if the script is called by a user. On the event it’s not running in Windows Script Host (WSH) so no WScript object during execution!

You: Sounds nice, but how can we detect if the user or the event consumer called the script?

Me: Well, if the script is called by the event consumer, it supplies an object “TargetEvent” that contains the event object. Or nothing if called by the user. I leave this up to you to implement (You could actually cheat and look into the script I’ve published to CodePlex )

3. Binding the Event Query to the Event Consumer

And now the last part is gluing those two things together. We do this by a WMI object called “__FilterToConsumerBinding”. Let’s have a look on another VBScript snippet:

oEventFilter.Refresh_()
oConsumer.Refresh_()

Set oBindingClass = oWbemService.Get("__FilterToConsumerBinding")
Set oBinding = oBindingClass.SpawnInstance_()

oBinding.Filter = oEventFilter.Path_
oBinding.Consumer = oConsumer.Path_

oBinding.Put_()

Important thing to note here is, that we need to refresh our newly created Event Filter and Event Consumer objects first to update their “Path” property. Now as before, we get the class “__FiltertoConsumerBinding” and create a new instance, set the Filter and consumer to the appropriate entries and are done!

If everything went well, it will now query every 5 seconds for new SMS_ObjectContainerItem objects and if found, call the supplied script that should handle the event object appropriately.

A couple things to highlight:

a Script called from ActiveScriptEventConsumer runs as local System on default !!!

There aren’t many limits on what local System can do to your “local System”. So be sure you have tested your script thoroughly, especially if it “does” something (like the sample script).

Make sure you have tight permission set on the script so it can’t be exchanged by someone else, gaining permission he isn’t supposed to have.

As mentioned already, the ActiveScriptEventConsumer does not use WSH to run the script. By this, you don’t have the WScript object available and can’t use its methods in the code executed by the Event handler.

As running in system context, the script can’t interact with the user. Avoid any message or input boxes and be sure to have at least some error handling.

As it can’t interact with the user, troubleshooting/debugging the script if something fails is pretty tough. Please see my last post on some more information about this. I recommend adding extensive logging to your script that can be enabled or disabled if required.

Based on my script from the last post, I’ve rewritten the sample that Kim provided for this permanent event consuming and, with his permission, posted it to CodePlex. Be sure to properly test the script before using it in a production environment, as it will make changes to SCCM. It is provided AS IS and neither I nor Kim will be liable for any damage or problem this script might cause. The actually processing of the event object is more or less the same, I’ve just rewritten the parts for permanent event consuming, added some logging capabilities and refactored it to my preferred naming conventions.

DOWNLOAD HERE

If you have other kewl ideas on what you could do with WMI eventing, just drop me a note and I will happily reference what you did (or publish it for you, if you don’t want to publish it yourself).

Also be sure to check out a new CodePlex project called “PowerEvents for Windows PowerShell” published by Trevor Sullivan. It’s an awesome way of doing the same I’ve shown here with PowerShell. Which reminds me on spending much more time on PowerShell

Versioning / Monitoring SCCM Task Sequences

maikkoster — Thu, 12 May 2011 09:12:46 GMT

One thing I’m really missing in SCCM is some kind of versioning or history especially for those quite complex Task Sequences, sometimes consisting of hundreds of steps, each with a bunch of properties. And how often did it happen that you came back to the office and one of your Task Sequences suddenly behaved differently, just to figure out that “someone” changed “something” without telling anybody, especially not you? Or have you ever been working on a Task Sequence, just to recognize that you missed something important and this single time haven’t duplicated or exported this Task Sequence before? And now you are stuck, trying to remember what you just changed to get it working again.

Well, if you now start thinking, this post is for You!

I just published a script to CodePlex that runs on a Primary/Central and monitors all or specific Task Sequences for changes. If a change happened it will export either the previous or the current version of the Task Sequence into a XML file that could then be used to see what has been changed or to restore an older state by importing this xml back into SCCM. It has a bunch of properties that can be used to tweak this process to your specific needs and after it has been started once, runs in the background, not matter if you log off or even reboot the server. So using this script gives you a real history of your Task Sequences that you can use for backup purposes, Versioning and change tracking.

First Steps – The “Installation”

First - get the script from CodePlex and save it to a local folder on the server that you would like to monitor. As Task Sequences can only be edited on the server they have been created on, it might make sense to manage them on one or just a few servers to keep the managing and also the monitoring easy. Be sure to remove the security flag from the script as you downloaded it from the internet (Unblock).

Second - execute the script with administrative privileges. On W2K8 and above it needs to run elevated. If everything works, you should see a message box stating that the event filter and consumer have been created.

That’s actually all you need to do to get it working !!!

From now on, WMI will monitor all changes on any Task Sequence and if a change happened, it will call this script again (Don’t move the script after you executed it the first time). The script will then get some additional information from SCCM like the person that changed it and finally export the Task Sequence into an XML file. This XML file is already prepared in a way that you can import it back again into SCCM. Additionally you can now compare different versions to see the changes. I will write an additional blog post outlining this in more detail.

Making some adjustments

As you have seen, the script works right out of the box. But depending on your environment and your needs, it might be necessary to adjust the behavior a bit. You might want to have it export the Task Sequences to a different path. Add a date-time identifier instead of a version, use it just for OSD Task Sequences or would like to include or exclude specific Task Sequences. Well, the script is flexible enough to cover those demands. It has a couple variables defined at the beginning, that you can use to tweak it to your needs. And as the script gets called every time a change happens, this updated behavior will actually take place on the next execution already.

You will find the following variables at the top of the script:

- ExportPath : Specifies the location the Task Sequences will be exported to. Default is “C:\SCCMTSMonitor\”

- UsePrevious : If set to “True” it will export the previous version of the Task Sequence. Default is “False” so it exports the current version.

- CreateSubfolders : If set to “True”, which is the default, it will create a subfolder per Task Sequence at the location specified by ExportPath.

- UseName : If set to “True”, it will use the Task Sequence name instead of the Package ID as name for the XML File. Default is “False”, so it will use the Package ID.

- UseVersion : If set to “True”, which is the default, it will add a version identifier to the name of the XML file.

- VersionLength : Defines the length of the version identifier. Default is 3 digits.

- AddDate : If set to “True”, it will add the current Date to the name of the XML File. Default it “False”.

- AddTime : If set to “True”, it will add the current time to the name of the XML File. Default is “False”.

- UseOSDTSOnly : If set to “True”, it will limit the export to OSD Task Sequences only. No custom Task Sequence will be exported then. Default is “False” to cover all Task Sequences.

- IncludePackages : comma separated list of PackageIDs that shall be included in the export. Default is “*” which will export all Task Sequences except the ones specified by ExcludePackages.

- ExcludePackages : comma separated list of PackageIDs that shall be excluded from the export.

So on default it will export the current version of every changed Task Sequence, create a subfolder per Task Sequence, use the PackageID as name and add a three-digit version identifier. Which I think should be OK for most common scenarios.

“Uninstall” the script

As mentioned, the script registers within the WMI namespace and with this survives reboots. To unregister it, simply execute the script again with administrative privileges/elevated. If successful it should show a message box stating that it removed the event filter and consumer. Next execution will register it again. If you e.g. want to move the script to a different folder, just run it once to unregister it, move it to the new location and execute it again to create the filter an consumer again. Pretty simple.

Logging / Troubleshooting

As the script runs in system context, it’s quite difficult to figure out what’s going on if it doesn’t do what it is expected to do. To give some “feedback” the script is writing to a log file that is located at the same location where the Task Sequences will be exported to. On default it will show only informational and error messages. But as mentioned in the “Making some adjustments” part, it’s possible to change the behavior of the script during runtime. One of the additional variables not listed there is called “Debug”, which is set to “False” on default. Just set it to “True” and the script will be a bit more verbose on what it is doing . The logging routine has been taken from MDT and only slightly adjusted. So preferred Log Viewer is Trace32 from the ConfigMgr Toolkit.

Additionally WMI also writes some log information itself. On Servers and Clients before Vista/W2K8 it was a lot easier. WMI wrote text based log filed that could be found at “%SystemRoot%\System32\wbem\Logs\”. On Vista/W2K8 and above it’s using the default Event tracing for Windows (ETW), so you need to enable it in the Event Viewer and it’s writing to a binary file. See Tracing WMI activity for more information.

I hope you find this script useful. Even if I still consider it a Beta version at the moment, it has been tested on 32 and 64 Bit Systems and is in use in some larger environments already. And as it is mainly reading/gathering information, it shouldn’t have any negative side-effects. But again, this script is provided AS-IS. Be sure to properly test it before using it in your production environment and be sure to regularly check the CodePlex page for an updated version. If you like what it does, you can also review it on CodePlex and be sure to spread the word so others can benefit from it as well.

As always, I really appreciate any feedback. If you find a bug or would like to suggest an additional feature just get back to me.

I you are interested in some additional information about WMI eventing, especially if it comes to SCCM be sure to check out the following sources:

- Blog from the “quiet shy” WMI guy aka Kim Oppalfens (WMI Event basics). Please be sure to bug him about his still missing Part 3 of his series of WMI eventing Blog posts he started after last years MMS.

- CodePlex Project PowerEvents for Windows PowerShell by Trevor Sullivan. Really nice way on managing WMI Events with PowerShell instead of VBScript.

Easily access information from any database and publish it via a web service – Part 2 – The Web Service

maikkoster — Thu, 07 Apr 2011 10:55:19 GMT

After we have configured the connection to our Database and created our model (see the last post for more details), we will jump now to the creation of our new Web Service.

Create a Web Service

Lets save our changes and add a new item. As mentioned already in my last post, I personally prefer the “older” asmx style web services most of the time. So we choose “Web Service” template for now (if you can’t find it easily, simply search for it) and give it a name. I’ll use MDT.asmx for this demo.

Now we see the source code of that newly created web service (Yes, it’s VB.Net, see my last post for more information about that) and it contains only one function called “HelloWorld”.

Lets simply rename it to “GetRoles”, as we want it to return a list of Roles, and specify what it returns exactly. In our case it’s a List of RoleIdentity.

Now we need to connect to the database. We create a simple object for that and call it “context”.

Finally we just use the context to get a all the Roles and convert them into the list that we want to return.

Now we can debug/run the web service, call this new function and voila, have a list of Roles with just two lines of code.

OK, the XML result is not really great to look at and probably doesn’t cause a wave of excitement, but as we know, it’s quite easy consumable by our scripts. More importantly, we are now able to create web service functions for all information that we would like to publish like let’s say the Roles of a computer based on it’s Mac Address

or call the Stored procedure and return a list of Packages

And a lot more. The nice thing about this way is, that you have a lot of control about what happens exactly. You can filter out unwanted stuff, do some manipulation/calculation on the items etc. This kind of web service is also a lot easier to use from a scripted environment like MDT. The “bad” thing about it is, that it’s a lot of typing. So lets see how to use a more automatic way for this.

Create a WCF Web Service

Michael Niehaus posted a quite similar example some time ago in his post using the MDT Database from a web service without writing code. Have a look in his post for some more background information and to see how we can make more use of it.

First we add a new item to our project. This time we need to choose the “WCF Data Service” template with a nice name. Let’s use MDTWCF.svc

What we see in the source now are two “TODOs”.

The first one is to specify which model to use. Well, we want to use the one we created in our last post. The next one is to specify what we would like to publish and what access we want to give via this web service. For now let’s give Read-Only access to all entities from the model. That can be achieved with a one-liner

Running this example now and pointing it to the list of Roles again, gives a slightly different look, but still the same content

The beauty of this way is, that it also supports things like filtering, paging etc. out of the box. Let’s just get the first 5 computers with “MMS” in the name and order it by MacAddress. The URL for this looks like: http://YourWebServer/MDTWCF.svc/ComputerIdentities?$filter=startswith(Description, 'MMS')&$top=5&$orderby=MacAddress

and the result

Again, it looks a bit strange, but as said already, it’s not meant to be consumed by a human. It’s human readable to ease troubleshooting but is typically consumed by a script, application, etc. For a working example, that makes use of such a web service have a look at another post from Michael Niehaus about MDT 2010 wizard example role selection. You might also check out OData URI Conventions - Query String Options or Accessing Data Service Resources to get a list of the possible query strings you can use querying this WCF based Data Services.

I personally like those WCF based web services mainly for giving fast access to a data source and have all those nice features like filtering, sorting, etc. included. However if I have some restrictions on what to show or want to manipulate the data, I still prefer the “old style” asmx web services as they give me more possibilities with less code.

Rather long post and there is probably a ton more to say about this. But that should be enough to give you an idea. Again, find the full source code on CodePlex with some sample functions. Feel free to add and change whatever you like, just make sure you adjust the connection (point to the right SQL Server/Database in the connection String of the web.config as show in the post Implementing a very simple Maintenance Mode for MDT LiteTouch). If you created something really fancy/useful with it, please share it again with the community.

It’s all about contributing and giving something back.

As always, feel free to contact me with any problem or feedback you have.

Easily access information from any database and publish it via a web service – Part 1 – The Database

maikkoster — Thu, 07 Apr 2011 08:34:00 GMT

OK, (probably) my two last post regarding my MMS 2011 sessions, if I haven’t missed something important .

To be able to make our Deployments more dynamic and as unattended as possible, we need to have all the information available, that we need to take decisions automatically . We typically use information from the local hardware, the customsettings.ini and maybe the MDT Database. If we are really advanced, we also make use of some web services like the Deployment Web Service to drive our deployment.

But what if the necessary information is somewhere else? Maybe you have already an Asset Management System or other Databases? Well, MDT can, as we all know, query almost any database. You just need to tell it how and what. But what if you can’t really access this database as your security guys simply won’t open Named pipes for that? Or you would just like to publish a subset of the available information or need to do some processing on the data first, before handing it out to the client?

Here again, web services might be an interesting choice. And in this post I’m showing you how you can easily access almost any relational database and publish this information via a web service. I will use Microsoft Visual Web Developer 2010 Express for this demo (download it for free at Microsoft) and as with the last couple posts, I will publish the complete source code to CodePlex. As Database, I simply use the MDT Database, but it could be any database, so see it just as a sample. Also this post shall just give ideas and cheer you on implementing your own stuff.

All right, lets start!

Create the project

Again, we first open Visual Studio and create a new Project. I chose the “ASP.Net Empty Web application” template to create one. This way we have nice, clean web based project to start from and don’t have any pre-configured junk in there. Just give it a useful name and a few seconds later, we are ready to start.

Connect to a Database

In a former Post I wrote already about using LINQ and the Entity Framework to query SMS/SCCM. And I will make again use of the Entity Framework to establish our connection to the database. Why would I want to do this? Well, the Entity Framework is an Object-Relational-Mapper. It will take a table/view/Stored Procedure from the database, create a new class based on it and automatically map them. So instead of having to deal with DataTables and columns and such stuff, we have “real” objects and properties, that (mostly)simply map to a column of a table with the same or different name. Yes, that’s very simplified but I’m not a developer and this post is also not targeted to developers

OK, lets add a new item to our almost empty project (Right-click on the project –> Add Item). We choose the “ADO.Net Entity Data Model” for this. Give it a useful name and click on Add.

It will open a wizard, that asks us to either automatically generate a model for us or if we want to create our own. Well, as we are lazy, we will let it generate one.

To enable the wizard to generate something, we need to tell it the database to connect to. To do so we need to specify the connection by either choose an existing one, or adding a new one by clicking on “New Connection” to connect to a new database.

The Note about storing sensitive information pops up only as I specified a SQL user with password to connect. It won’t show up if you use integrated security. Just configure it the way it’s appropriate for your environment. I simply prefer SQL accounts for such tasks.

The wizard now connects to the database and returns a list of all Tables, Views and Stored Procedures. Select whatever you need from your database. I’d also suggest to check the “pluralize” option. The option for including the foreign key should be checked by default. You can also select just a few tables for now and come back later at any time to add more or even update existing tables, that e.g. got a new column.

Clicking on Finish will now generate a Model based on the selected items. Next we will see a graphical representation of that model. Let’s have a quick look on a part of it.

We will immediately see that the wizard took the table name and created a class (Entity) with the same name. And all the columns became properties of this entity.

It even converted existing relationships between tables, as we can see between the LocationIdentity and LocationIdentity_Gateways entities. The connection is implemented with something called Navigation properties. The Location entity contains a list of Gateways and each Gateway entity contains a reference to exactly one location entity. They are called Navigation properties, as we can use them to easily navigate between them, as they work both ways.

We could now implement some changes that are independent of the Database. For example we could give some properties a different name that seems more appropriate for our project, and they would still map to the correct column. But we can also right click somewhere on the background and click on “Update from Database” and this will open up the wizard again, we have seen before, giving us the chance to add more tables/views or update existing ones.

The last thing I would like to mention is how we can use Stored Procedures, as that could become a bit tricky sometimes. We have selected one Stored procedure already during the wizard, but sadly, that isn’t enough to be able to use it. We need to create a new function in our model and map it to that particular stored procedure. Often its enough to simply double-click on the Stored procedure (You can find it in the Model Explorer in the “Store” node) or right-click somewhere on the background of the model and choose Add –> Function Import …

This opens a new wizard where we can specify a name for the function, the stored procedure it shall map to and (here comes the troubling part) what to do with the result of the Stored Procedure. Often the result maps quite easily to some scalar types (String, Integer, etc.) or an already existing Entity. If not, the Wizard gives us the possibility to get the column information and create a new complex type that we can use for this. However this doesn’t work all the time and as we expected already doesn’t do in our case. It says the store procedure doesn’t return any columns which isn’t really true but lets don’t argue with the wizard.

Now we need to create a complex type ourselves. Luckily this isn’t complicated at all. We simply right-click again somewhere on the background of the model and choose Add –> Complex Type

After giving it a name, we add a couple Properties by right-clicking on our new complex type and choose Add –> Scalar Property –> String

to add two new properties. “ARPName“ and “Packages“ as these are the names of the columns the stored procedure returns.

Now we can double-click again on the Stored Procedure “RetrievePackages” and now map the result to this new complex type

OK, we know now how to connect to a database and create a model from it that fits our needs. In the next post, we will jump right into the creation of our new Web Service to publish our new model.

The full source is published to CodePlex. If you download either the source or pre-compiled binaries, just make sure you adjust the connection string to Your MDT Database (see my last post Implementing a (very) simple Maintenance Mode in MDT LiteTouch for more information on how to adjust the Connection String.

Implementing a (very) simple Maintenance mode in MDT Litetouch

maikkoster — Tue, 05 Apr 2011 08:48:06 GMT

While preparing for a session about MDT enhancements at the MMS 2011 (find the video at DeploymentResearch), Mikael Nyström had a very interesting idea for a web service demo. The idea was to implement something simple that allows to set a single or all locations into some kind of “Maintenance Mode”. Meaning if you have some server maintenance to do or maybe some global issues and you don’t want to have any new deployments starting, just go to a webpage and “switch off” the deployment for that particular location or even globally. So some kind of baby version of the ConfigMgr Maintenance Windows.

Having just two hours preparation allowed only a pretty simple implementation, but I think this idea has potential for further extensions as it might become handy. I especially dislike the current fact that I had to change an existing table. But more on this later.

To implement this “initial” simple version, I just added a column to the “LocationIdentity” table to store the Maintenance Information. And this “Maintenance information” is a pretty simple “YES” or “NO”. Well, as with most of those kind of configurations in MDT, anything else than a “YES” implicitly results to a “NO”.

Now all we need are four things to get it working:

1. Add a new column called “Maintenance” to the LocationIdentity table of the MDT Database

2. A Webpage that allows us to configure these values

3. A Webservice that interprets and returns the result to the Client Computer

4. A script that calls the webservice, interprets the result and stops the deployment if necessary

The Database

To add the new column to the MDT database, you can simply use the SQL Management Studio. Even the free Express version will do it (Express Editions at Microsoft).

- Open SQL Management Studio (Express)

- connect to the MDT database

- expand the MDT Database node

- expand the “Tables” node

- right click on LocationIdentity –> Design

- Create new columns with the name “Maintenance” and type of “nvarchar(50)” simply because it’s the default . Optionally set the Default Value to “NO”.

- Save your changes

The Webpage

The download on CodePlex contains a webpage that allows you to easily switch the maintenance mode for either each location individually or even globally. It has been written against .Net 4 so make sure you have it installed on your web server. It is based on the ASP.Net MVC 2 templates (see http://www.asp.net/mvc for more details about ASP.Net MVC). As it is available in source feel free to change whatever you need. There is just one thing you need to adjust to your local environment and that is to update the connection string and point it to the correct MDT database. You can do this by either using the “Connection Strings” item from the IIS Manager

or just open the web.config file from the root of this web page with your favorite XML editor.

The connection string itself seems a bit long. Just make sure you only edit the “real” connection string that you will see in the screenshots above. You can use any valid connection string format like “Data Source=SQ01;Initial Catalog=MDT2010;Integrated Security=SSPI;” to use the account of the Application pool or to connect with the credentials of a specific SQL user account as shown in the example. I personally prefer the latter. Find more information about connections strings at www.connectionstrings.com. Just make sure that the account used has read and write access to that table.

Now we can open the web page at http://YourWebServer/YourWebPage/ and it should look like this (well, with your locations)

You remember that blue background, don’t you?

The Web Service

The Web Service is now pretty easy. If you have the web page running the web service should work out of the box as it re-uses the same connection. To verify just open the page http://YourWebServer/YourWebPage/Maintenance.asmx and you should be able to see the function “GetMaintenanceStatus”.

Now you can also test the function from that page if you like. It takes just one parameter “LocationIdentifier”. In our example this is only the default Gateway. But it’s easy to use something like Active Directory sites for this (the upcoming Version 2 of the MDT Web FrontEnd adds support for using ADSites to identify the MDT location).

and we get a result as XML

The Script

In the download you will also find a script called Z_Maintenance.vbs. It has been written as a UserExit script so it’s meant to be called directly from the Gather step of MDT as this one is called as first in your Deployment process and so yields to a good point to decide if the process should continue. To get it working, just copy this script to your MDT Scripts folder and adjust your Rules file according to the sample CustomSettings.ini provided in the download as well. You actually just need to add a new section and have it called at the very beginning of your Task Sequence.

After this, make sure you update your DeploymentShare!

Now if the Gather step is called at the beginning of your deployment, it will query this Web Service function and call the UserExit script to evaluate the result. If maintenance mode is set, it will return an error to the gather step and by this stop all further processing. And just to be sure it also sets the MDT property “OSInstall” to “NO” that would also stop all MDT TaskSequences if executed anyhow.

As you can see above, the Gather step just freaks out now and no further deployments are possible. It will, however not stop already running deployments.

Final thoughts

As mentioned already, I really dislike modifying existing tables in the MDT database, as this could have side effects that I try to avoid if possible. To make something more useful out of this it should have some more possibilities:

- It should be stored in a separate table(s), that just links to the location.

- It would be nice to be able to configure Time periods to define the maintenance windows.

- Time periods should be either one-time or recurring on different periods.

- Have it link/sync/re-use existing maintenance information as available in other tools like ConfigMgr, OpsMgr, Nagios, …

- Integrate into the MDT Web FrontEnd and the Deployment Web service

- …

If you like the idea, I encourage you to share your thoughts about the design and implementation. Feel free to take the source and do whatever you want.

Michael Niehaus RIS style naming web service - Step by Step

maikkoster — Mon, 04 Apr 2011 10:36:00 GMT

One of the interestingly often asked question is how to properly name a computer. And it’s sometimes incredible to see how much time people can spend on that rather boring and actually not really helpful topic. Anyway, one solution a couple people really like is to have some kind of prefix and then just add a sequential number to it. In RIS deployments you have the option to do exactly that but with MDT this doesn’t work on default, forcing you to add your own bits to make this work. A couple people took this challenge already and published some working solutions:

Johan Arwidmark created a solution that is based on a simple Stored Procedure. Find the download and explanation at Generate Computernames in MDT 2010. You might also want to have a look on Rune Bakkens slightly extended version at http://runebelune.blogspot.com/2011/03/generate-computer-names-in-mdt-2010sccm.html. The beauty of this implementation is, that it works with what you have available already and it’s quite easy to extend and customize to your needs. Especially the post by Rune shows some interesting ideas. All it takes is somebody with some basic TSQL knowledge. The “bad” thing about it is, that the naming happens completely within MDT or better to say the database. So no verification if that name exists already in Active Directory etc.

And here the “Godfather of MDT” Michael Niehaus stepped in and wrote a “simple” web service that does the same, but is storing this information in Active Directory instead. Actually quite identical to what RIS/WDS is doing. It also creates the computer account and stores the UUID as a property. This way computers get the same name back if they were created already. On his blog he posted the complete source code on how to do that, but he actually didn’t supply a compiled version. He left it to the readers to do that. As a lot of people asked on how to do that exactly, I did a demo on this during the web service session I had together with Kenneth at MMS 2011. And I promised to publish this to CodePlex as well, so here you are . I’ll also go through what we did step-by-step, just to demonstrate, that taking such examples from the web, adjusting and getting them to work in your environment doesn’t need to be difficult.

Compiling the example code – Step by Step

1. Get the source code from Michaels Blog Post (Link)

1b. The example is written in C#. If you prefer VB.Net (as I do) over C# then just have it converted to VB.net first, using one of the freely available online converters. I normally use developerFusions converter for this. The following steps will cover C# and VB.Net if they differ at some aspect.

2. Open Visual Studio. You actually don’t need a full version for this. I used Visual Studio 2010 Web Developer Express in this demo, that can be downloaded for free at Microsoft. (Express Downloads).

3. Create a new ASP.Net Web Service Project. If you can’t find it in the list of project templates, just search for “web service”. Microsoft sometimes likes to “hide” the “older” stuff from us. Especially if they would like us to use some “newer” things like WCF in this case .

4. Delete the default Service1.asmx (Optional).

5. Add a new item “Web service” to the project (Right click on project –> Add Item –> Web Service) and give it the name “NameService.asmx”. Again, if you have problems finding it, just utilize the search.

6. Mark all existing code and simply replace it with the code we got from Michaels Blog.

Tadaaa!!! We are done! …. Well, not really

Some required changes

Now we need to tweak some minor things to get it working:

1. We will see some issues with the System.DirectoryServices namespace. To solve this, we need to add a reference to Systems.DirectoryServices.

- On C# right-click on “References” –> Add Reference –> .NET –> System.DirectoryServices)

- On VB.Net you need to right-click the project –> Add Reference –> .NET –> System.DirectoryServices

C#	VB.Net

2. As our project has probably a different name as the one Michael used in his example, we need to adjust the namespace of our web service.

- On C# we just need to rename the Namespace to the name of our Project.

- On VB.Net we need to remove the namespace, as it uses the Project name as default namespace already.

C#	VB.Net

If you miss this or have a typo in the name, you will most probably see something like the following error, if you try to run the web service:

To verify the name used by the web service, right-click on the NameService.asmx –> View Markup and verify that the names match

Now it is already possible to execute and use the web service. However it has a minor “bug” as all computer accounts will be created as disabled. Not really that usable out-of-the-box. To solve this, we add another Active Directory property called “userAccountControl” to the new computer account and set the value to 4128.

C#	VB.Net

If we know click on “Start Debugging” (just press F5) we can test the web service using the built-in Development web server and generate new computer names.

For further information on how to integrate it into your Deployments, please have a look on Michaels Post as it covers that already in more detail.

Now we could add some additional logic like getting the default computer container if no OU has been specified (Tip: There are well known GUIDs for those containers), or move the computer to the specified OU if it is currently somewhere else, etc. But as this is just a demo I leave this to You. Feel free to implement your changes and if you would like to share them, I’ll happily post them to CodePlex so others can benefit from it as well.

Find the complete source for C# and VB.Net on CodePlex at this Download link. As a sidenote, the next version of the Deployment Webservice will have this function integrated already. With some more features for sure

As always, feel free to contact me with any ideas or comments you have. I really appreciate feedback, and try to respond as quick as possible.