Wednesday 30 March 2011

MMS 2011 Day 3

The dodgy wifi at the Mandalay Bay finally conspired against me and I didn't get a chance to post this entry until today - a full week later. I'll probably type up the other notes as separate blog postings.

Keynote 2 - You! Empowered to Embrace Consumerization

This keynote is available to watch here.

As suspected, SCCM 2012 will be able to do lightweight management of iPad, iPhone, Android and Symbian devices through ActiveSync.

A new feature of SCCM 2012 is Intelligent Application Delivery. This can automatically determine whether the user is on a corporate machine, an untrusted machine, their primary work machine and so on. Rules can be based on hardware or software features, and the same Application is then deployed in different ways depending on which rule matches.

Forefront Endpoint Protection 2010 is now part of the core CAL not just the Enterprise CAL. SCCM 2012 integration now reports on the top users that get viruses, not just the top workstations.

As reported elsewhere, client settings can now be set at the collection level, so you don't need a new site just to have different Software Update settings for different machines. You can, however, set default client settings for the entire site and let other admins override them at the collection level. Editing the sms_def.mof file shouldn't be necessary, as you'll be able to enable custom hardware inventory through the client settings.

Windows Intune, a cloud-based management service, was launched at the keynote. This looks like a potentially revolutionary way to manage desktop PCs in small to medium businesses.

Thursday 24 March 2011

MMS 2011 Day 2


Day 2 - the first real day of the conference, and the day of the myitforum party!

Keynote 1 - You. Empowered by the Cloud

Surprisingly early start to day 2 with a Keynote at 8.30am. There were two keynotes at MMS 2011, the first focusing on cloud computing, the second on the consumerisation of IT.

First up was the announcement that Opalis has been renamed as System Center Orchestrator. Another new addition to the System Center family is System Center Advisor. This product, formerly codenamed Atlanta, allows you to track config changes on your systems, and compare them with best practices.  The beta is available today.

A key theme in the keynote was separating the apps, data, and OS on servers to provide increased manageability and reliability. Server App-V is a key component here, which can also help reduce the number of OS images you have for your servers. To help with building and managing these private clouds, Microsoft released the beta of Virtual Machine Manager 2012 this morning.

We were given a quick demo of Avicode for client experience monitoring. The most impressive part of the demo was drilling down into exactly what part of a stored procedure is causing slowdowns. 

Tomorrow's keynote - the consumerisation of IT. On the slide deck they had a picture of an iPhone - does this mean we'll be managing iDevices through SCCM soon?

You can watch the first keynote here.

BA01 Configuration Manager State of the Union

After the keynote comes the 'real' keynote for SCCM. The biggest announcement came at the end!

As usual, lots of top ten lists. Interestingly, the user state migration hotfix is the second most applied, behind the R3 power management hotfix. I'll be blogging about this particular patch at a later date; it's a pain to apply and affects OSD builds even when you're not using USMT.

As mentioned in the keynote, Opalis is now Orchestrator. It's out in fall 2011 with built-in support for SCCM 2012. Built-in actions like 'add computer to collection' are supported.

Adobe Reader X has had support for ConfigMgr since November 2010 for updates through SCUP. 

SCCM 2012 Beta 2 will be RTW any day now. There are new exclude/include rules for collections!

They provided a great demo of role based administration. Thankfully you can now scope users to collections, and hide features and collections a user doesn't have access to. And at last you can run two instances of the console at once with different credentials.

2012 has integrated global search across the entire product. They gave the example of searching for Flash. This search returned applications, deployments and software updates. You can drill down and see the context (e.g. the properties of a package) directly in the search dialog.

Supersedence is another new feature in SCCM 2012. This allows you to set rules based on versions of a product so that if you install version 9.2 of a product it will first detect and uninstall version 9.1. This also provides a graphical view of the supersedence of your apps.

SCCM 2012 also provides a graphical view of your site hierarchy. You can enter geographical locations and view a Bing map with the location of all your sites.

An important point for those thinking of evaluating SCCM 2012 who are deploying/have deployed FEP - you'll need to wait for a compatible version of FEP.

They announced PCM (Package Conversion Manager) to ease the transition to the new application model. This tool analyzes and checks whether classic software packages can be converted to the new app model, and if so, can convert them for you. It has a cool dashboard which gives pie and bar charts for readiness and conversion status.

One potential point of confusion with the new application model that they cleared up - legacy software distribution is still there. You can continue to use the classic way of deploying apps if you want to.

The SCCM 2012 SDK has been updated with PowerShell cmdlets such as New-Collection and Get-Package.

Server Configuration Packs look interesting. These are packs of DCM settings built and converted from the Microsoft Best Practices Analyzers. DCM is becoming much more important in SCCM, and has been rebranded as Settings Management for the 2012 release of the product. This now includes settings enforcement to remediate configuration drift. 

They quickly mentioned the P2V Migration Toolkit, which will assist with virtualizing SCCM site systems. Yesterday's BA17 Virtualizing Configuration Manager went into much more depth about this tool.

The last announcement was the headline grabber. SCCM 2012 will support Linux/UNIX servers. They are planning to offer support for various versions of Red Hat, SuSE, Solaris, HP-UX and AIX. These appear to be the same supported platforms as OpsMgr. The client will offer a subset of current Windows ConfigMgr functionality, and will be available some months after SCCM 2012 RTMs. They revealed a previously hidden talk on Wednesday - BA16 Configuration Manager 2012: Cross Platform Management.

Finally, they will be uploading how-to videos for SCCM 2012 on Connect.

BA03 Configuration Manager 2012: Technical Overview

The main change in SCCM 2012 seems to be the Application model. In SCCM 2012 you will be managing applications, not scripts. By managing the Application you get a host of nice new features - automatic revision management and supersedence. As mentioned above, supersedence can enforce the uninstall of a previous version before installing the new version. The Application model also allows a choice of deployment options based on the device the user is sitting at - so, for example, a full install on their primary PC, but a streamed app on any other PC.

The PXE Service Point role has been bundled into the Distribution Point role.

Client health has been greatly improved in SCCM 2012 - a new program ccmeval.exe runs on the client itself and can check and remediate problems with the client.

There's lightweight device management based on Exchange ActiveSync - this will provide limited inventory and tasks that can be run on mobile devices that connect to your Exchange server via ActiveSync.

They've improved the Settings Management (DCM) interface, and you can now browse for Registry keys to check/remediate!

MMS 2011

Day 1 of MMS


According to Brad Anderson Wednesday was day 2 of the conference, so I'm guessing this was day 0.

I went to a couple of nice talks-

BA17 Virtualizing Configuration Manager - What you need to know and how to get there

This was a pretty technical talk which went into a lot of detail about the hardware considerations when looking at virtualizing SCCM 2007.
After covering the hardware, the speaker went into detail about the different ways you could virtualize SCCM. Firstly, you could create a new site in a VM and migrate your existing site to the VM instance of SCCM. Or, you could just run a P2V tool (this is what we did). Looking at my notes, the only thing of importance I've written down is 'don't cluster your MP'.

BA37 Buried Inventory Treasure

A Sherry Kissinger talk, this was full of nuggets of information. I believe Sherry is putting a number of the reports from the demos on her blog. Some of the coolest bits involved DCM. It was a revelation to see SCCM 2007 DCM not just read values, but also set them via scripts.

Another cool demo was Mark Cochrane's RegKeyToMof - a nice tool to autogenerate the code to insert into SMS_def.mof for custom inventory. She's blogged about the new version here.

Hands on lab - Microsoft BitLocker Administration and Monitoring

Nice solution to the BitLocker key recovery issue if you're licensed for MDOP. This tool backs up enterprise BitLocker keys to a SQL database. A web-based portal then allows helpdesk agents to recover keys without the need for a domain admin to go near Active Directory Users and Computers.

I'm about 2 days behind in my MMS updates, but I'll just blame that on the awful in-room wifi at the Mandalay Bay.

Tuesday 8 March 2011

Migrating from Sophos to Forefront Endpoint Protection

One of the great things about deploying FEP 2010 is that it eases the pain of migrating away from your existing antimalware solution. According to the documentation it can detect and remove the following products:

  • Symantec Endpoint Protection version 11
  • Symantec Corporate Edition version 10
  • McAfee VirusScan Enterprise version 8.5 and version 8.7
  • Trend Micro OfficeScan version 8.0 and version 10.0
  • Forefront Client Security version 1 including the Operations Manager agent

But what if you use Sophos Endpoint Protection?

Sadly, if you're like me you'll have to work it out yourself. Sophos used to provide a script that could uninstall old versions of the client software; however, I seem to recall it wasn't officially supported.

The problem with Sophos is that you have two components to remove - the update agent and the antimalware engine.

Both components are installed by MSI packages which are cached in the AutoUpdate folder. So, to perform the uninstall of Sophos you can create a cmd file in your FEP deployment folder with the following lines:

msiexec /x "%programfiles%\Sophos\AutoUpdate\Cache\savxp\Sophos Anti-Virus.msi" /qn /quiet /norestart

msiexec /x "%programfiles%\Sophos\AutoUpdate\Cache\sau\Sophos AutoUpdate.msi" /qn /quiet /norestart

FEPInstall.exe /s /q

If you're planning an enterprise deployment you'll probably want to add more error checking in your script, but this should help you get started.
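Here is an added example of what that error checking can look like - a PowerShell version of the cmd file above, not the post's own script. It assumes (these are not from the post) that the script sits next to FEPInstall.exe in the deployment folder, that the Sophos cache may be under either Program Files root, and that a log in %SystemRoot%\Temp is acceptable; the exit codes it checks are the documented Windows Installer values.

```powershell
# Added example, not the post's own cmd file: the same Sophos uninstall / FEP install sequence in
# PowerShell with error checking. Assumptions (not from the post): the script sits next to
# FEPInstall.exe, the Sophos cache may be under either Program Files root, and a log is written to
# %SystemRoot%\Temp. Exit codes are the documented Windows Installer values
# (0 ok, 1605 product not installed, 3010 reboot required).

$ErrorActionPreference = 'Stop'
$scriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
$logPath   = Join-Path $env:SystemRoot 'Temp\SophosToFep.log'

function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $Message" | Out-File -FilePath $logPath -Append
}

function Invoke-Msiexec {
    # Runs msiexec synchronously and returns its exit code; /qn and /norestart as in the post.
    param([string]$Action, [string]$MsiPath)
    $argLine = "/$Action `"$MsiPath`" /qn /norestart"
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $argLine -Wait -PassThru
    return $proc.ExitCode
}

# The cached MSIs live under Sophos\AutoUpdate\Cache. A 64-bit PowerShell host sees
# $env:ProgramFiles as the 64-bit root, so check Program Files (x86) as well (assumption).
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$cache = $roots |
    ForEach-Object { Join-Path $_ 'Sophos\AutoUpdate\Cache' } |
    Where-Object { Test-Path $_ } |
    Select-Object -First 1

$rebootNeeded = $false
if ($cache) {
    # Same order as the post: the antimalware engine first, then the update agent.
    foreach ($msi in 'savxp\Sophos Anti-Virus.msi', 'sau\Sophos AutoUpdate.msi') {
        $fullPath = Join-Path $cache $msi
        if (-not (Test-Path $fullPath)) { Write-Log "Skipping $msi - not found in cache"; continue }
        $code = Invoke-Msiexec -Action 'x' -MsiPath $fullPath
        switch ($code) {
            0       { Write-Log "Removed $msi" }
            1605    { Write-Log "$msi was not installed (ERROR_UNKNOWN_PRODUCT)" }
            3010    { Write-Log "Removed $msi, reboot required"; $rebootNeeded = $true }
            default { Write-Log "msiexec /x failed for $msi with exit code $code"; exit $code }
        }
    }
} else {
    Write-Log 'Sophos AutoUpdate cache not found; assuming Sophos is not installed'
}

# Install FEP from the deployment folder; fail loudly if the installer is missing.
$fepInstall = Join-Path $scriptDir 'FEPInstall.exe'
if (-not (Test-Path $fepInstall)) { Write-Log "FEPInstall.exe not found in $scriptDir"; exit 2 }
$fep = Start-Process -FilePath $fepInstall -ArgumentList '/s /q' -Wait -PassThru
Write-Log "FEPInstall.exe exited with $($fep.ExitCode)"
switch ($fep.ExitCode) {
    0       { }
    3010    { $rebootNeeded = $true }
    default { exit $fep.ExitCode }
}

# ConfigMgr treats 3010 as success with a pending reboot, so pass it through rather than masking it.
if ($rebootNeeded) { exit 3010 }
exit 0
```

Because every failure path exits with the underlying exit code, the ConfigMgr program status reflects what actually went wrong instead of reporting success after a silent uninstall failure, and the log in %SystemRoot%\Temp tells you which of the two components was the problem.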

The cache folder can be useful if you still need to deploy Sophos as part of your transition. Create a new package that contains the sau folder from the Cache folder. Create a program with the following command line.

msiexec /i "sophos autoupdate.msi" BOOTSTRAP=NOUPDATE RMSACTION=0 REBOOT=ReallySuppress /qb

This will install the AutoUpdate agent on its own. Once installed, the agent will install the latest version of the antimalware agent from the Central Install Directory.

A final point that applies to both Sophos and Forefront endpoint protection - don't put your antimalware software in your image. Install it as a post-deployment step in your task sequence. This gives you the option to migrate between antimalware packages without the need to recreate your images.

Monday 7 March 2011

Troubleshooting PXE in SCCM OSD Part 3

Troubleshooting PXE in SCCM OSD Part 1
Troubleshooting PXE in SCCM OSD Part 2
Troubleshooting the TFTP Service
Now that the PXE process is working correctly, we can look at troubleshooting errors surrounding abortpxe.com. If you get this error message then you at least have a working PXE environment, even if SCCM doesn't think it should offer a Task Sequence to the machine. Here are some reasons you'll get this error.

  • The machine has not been registered in a build collection

    The simplest of all reasons why you get this error. Does the machine have a Task Sequence advertised to it? If not, create a collection, advertise a Task Sequence to that collection and add your machine to the collection. Check smspxe.log, you should see an error such as

    ProcessDatabaseReply: No Advertisement found in Db for device 05/03/2011 08:51:36 10368 (0x2880)

  • The machine has been recently registered in a build collection, but the server takes some time (up to an hour) to process this information

    This is commonly seen when a technician PXE boots the machine to write down the MAC address. If you then create a new computer object based on the MAC address, you need to wait an hour before the WDS service will look up the database again. You can see this happening in smspxe.log with an entry such as

    MAC=FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF SMBIOS GUID=00000000-0000-0000-0000-000000000000 > Device not found in the database. 07/03/2011 15:18:46 8552 (0x2168)

    This is fixed by this hotfix or SP2 for SCCM. The patch alone won't fix this behavior, you also need to configure a registry setting. If it doesn't already exist, create a REG_DWORD value at
    HKLM\SOFTWARE\Microsoft\SMS\PXE\CacheExpire

    ...or on a 64-bit server at...

    HKLM\SOFTWARE\Wow6432Node\Microsoft\SMS\PXE\CacheExpire

    Set the value of CacheExpire to the value you want in seconds - a value of 600 would be a timeout of 10 minutes. On a SP2 SCCM site, setting the value to be 0 will actually set the timeout to 3600 seconds (back to the 1 hour timeout).

    If you are unable to apply the hotfix or SP2, stopping and restarting the WDS service can flush out the cache.

  • The SMBIOS GUID of the machine is not unique

    This can be seen if you have older hardware, or if you've had an engineer swap out some motherboards and not flashed the BIOS correctly.

    If you want to find out which machines have duplicate SMBIOS GUIDs then you can run this report:

    SELECT SMBIOS_GUID0, COUNT(SMBIOS_GUID0) AS Count
    FROM v_R_System
    GROUP BY SMBIOS_GUID0, Active0, Client0, Obsolete0
    HAVING (Active0 = 1) AND (Client0 = 1) AND (Obsolete0 = 0) AND (COUNT(SMBIOS_GUID0) > 1)

    You can then use the following report to pull out the names of the machines with duplicate SMBIOS GUIDs:

    SELECT SMBIOS_GUID0, Name0
    FROM v_R_System
    WHERE SMBIOS_GUID0= '00000000-0000-0000-0000-000000000000'

    where 00000000-0000-0000-0000-000000000000 is the GUID that you identified in the previous report.

    The only way to solve this problem is to flash the BIOS on the affected workstation to set a unique SMBIOS GUID. Contact the PC vendor for the tool to do this.

  • The machine is linked to an obsolete object on the server

    This can happen if you have "Automatically create new client records for duplicate hardware IDs" set in the Advanced tab of your site properties. The solution to this one is to manually delete those obsolete objects.

  • The machine was imaged using a technology such as Ghost, but the SID and/or SCCM client GUID were not reset

    This can be a bit of a pain to troubleshoot on the server - I once saw a machine that according to the SCCM reports had 30 separate users logging into it. Since this machine was kept in a locked office, this appeared to be a bit odd. It turned out the support team had used Ghost to image one of their machines and then deployed this image to all the machines in their department.

    This highlights a wider point in deploying SCCM in your environment - the process and procedures that worked in the past may need revising. In this case, they'd never had a problem before because their authentication was handled by Netware.

    The easiest way to fix this problem is to power off the machine, delete the computer object in SCCM, recreate the record manually then PXE build the machine.
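Two of the fixes in the list above, as an added PowerShell example rather than anything from the original post: setting the CacheExpire value (including the 64-bit Wow6432Node path) and finding duplicate SMBIOS GUIDs together with the machine names in a single query instead of the two-step report. It assumes an SCCM 2007 site server where you run elevated, read access to the site database for the second function, and placeholder server and database names.

```powershell
# Added example, not code from the original post. Two PowerShell helpers for the abortpxe.com
# causes above, written for an SCCM 2007 site server. Assumptions: you run this elevated on the
# PXE Service Point, and (for the second function) have read access to the site database.
# Server and database names in the usage lines are placeholders.

function Set-PxeCacheExpire {
    param(
        [Parameter(Mandatory = $true)][ValidateRange(0, 86400)][int]$Seconds,
        [switch]$RestartWds
    )
    # SCCM 2007 is a 32-bit application, so on a 64-bit server its keys live under Wow6432Node.
    # Prefer that location when it exists, otherwise fall back to the native path from the post.
    $smsKey = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\SMS'
    if (-not (Test-Path $smsKey)) { $smsKey = 'HKLM:\SOFTWARE\Microsoft\SMS' }
    $pxeKey = "$smsKey\PXE"
    if (-not (Test-Path $pxeKey)) { New-Item -Path $pxeKey -Force | Out-Null }

    # CacheExpire is a REG_DWORD in seconds; on an SP2 site 0 means the default 3600 seconds.
    New-ItemProperty -Path $pxeKey -Name 'CacheExpire' -Value $Seconds -PropertyType DWord -Force | Out-Null

    # Restarting WDS also flushes the current cache, which is the post's workaround when the
    # hotfix/SP2 cannot be applied.
    if ($RestartWds) { Restart-Service -Name 'WDSServer' -Force }

    Get-ItemProperty -Path $pxeKey -Name 'CacheExpire' | Select-Object PSPath, CacheExpire
}

function Get-DuplicateSmbiosGuid {
    param(
        [Parameter(Mandatory = $true)][string]$SqlServer,
        [Parameter(Mandatory = $true)][string]$Database
    )
    # The post's two reports folded into one query: find SMBIOS GUIDs shared by more than one
    # active, non-obsolete client record, then return the name of every machine carrying one.
    # NULL GUIDs are excluded so records without inventory do not show up as one big duplicate set.
    $query = @"
SELECT s.SMBIOS_GUID0, s.Name0, s.ResourceID
FROM v_R_System AS s
JOIN (
    SELECT SMBIOS_GUID0
    FROM v_R_System
    WHERE Active0 = 1 AND Client0 = 1 AND Obsolete0 = 0 AND SMBIOS_GUID0 IS NOT NULL
    GROUP BY SMBIOS_GUID0
    HAVING COUNT(*) > 1
) AS d ON d.SMBIOS_GUID0 = s.SMBIOS_GUID0
WHERE s.Active0 = 1 AND s.Client0 = 1 AND s.Obsolete0 = 0
ORDER BY s.SMBIOS_GUID0, s.Name0
"@
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$SqlServer;Database=$Database;Integrated Security=SSPI"
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    $table = New-Object System.Data.DataTable
    $conn.Open()
    try {
        $table.Load($cmd.ExecuteReader())
    } finally {
        $conn.Close()
    }

    # Report each duplicate set on one line so the affected machines are easy to hand to the
    # engineer who has to reflash them.
    $table | Group-Object -Property SMBIOS_GUID0 | ForEach-Object {
        New-Object PSObject -Property @{
            SmbiosGuid = $_.Name
            Records    = $_.Count
            Machines   = (($_.Group | ForEach-Object { $_.Name0 }) -join ', ')
        }
    }
}

# Usage (placeholder names):
# Set-PxeCacheExpire -Seconds 600 -RestartWds
# Get-DuplicateSmbiosGuid -SqlServer 'SITESQL01' -Database 'SMS_ABC'
```

Set-PxeCacheExpire returns the value it just wrote so you can confirm it landed under the key WDS actually reads; if it shows up under the native path on a 64-bit server, the Wow6432Node key was missing and you should check the SCCM install before relying on the setting.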

Other pre-Windows PE errors

  • \Boot\BCD error

    Assuming you can get past abortpxe.com, there is another error you can see at this stage. After pressing the F12 key to PXE boot you can sometimes see



    Windows Boot Manager (Server IP: x.y.z.a)

    Windows failed to start. A recent hardware or software change might be the cause.

    File: \Boot\BCD
    Status: 0xc000000f
    Info: An error occurred while attempting to read the boot configuration data.


    The simple solution is to delete the computer object and recreate it, which should fix this problem. I've only ever seen this problem with SCCM 2007 SP2 when deploying Windows 7.

    This does look like a BCD error, but in the SCCM implementation of WDS there is no single boot.bcd file; the boot.bcd file is created on the fly in the RemoteInstall\SMSTemp folder with a name of the form year.month.day.hour.minute.number.number.guid.boot.bcd.

    If anyone knows the actual fix for this (without having to delete the computer object) please post in the comments!

  • Only using 32-bit boot images when you have 64-bit machines in your environment

    Again, this one seems a bit odd. If your workstation is 64-bit (and you'd be hard pressed to find a non-64-bit machine these days), then you need the 64-bit boot files available - even if you are only deploying 32-bit Windows, and are using a 32-bit boot image. The 64-bit boot files are extracted from the boot image and used during the initial PXE process, so if they're missing, you won't be able to PXE boot a 64-bit machine.

    If you're getting this error, you'll see something like this in smspxe.log

    The SMS PXE Service Point does not have a boot image matching the processor architetcure of the PXE booting device.

Troubleshooting PXE in SCCM OSD Part 2

Troubleshooting PXE in SCCM OSD Part 1
Troubleshooting PXE in SCCM OSD Part 3
Troubleshooting the TFTP Service
PXE-E32: TFTP Open Timeout

Assuming your client gets an IP address, there are still a large number of ways for it to fail before you even get an abortpxe.com message. PXE-E32 TFTP open timeout can be a frustrating message - but it does at least give you a clue where to look.

This error means that your client machine can't access the TFTP daemon running on your PXE Service Point. Assuming your PXE Service Point is set up correctly (check the WDS service is running), the most common reason for this message is network filters/firewall settings. Fortunately, Microsoft provide a document which lists what ports need to be open for the TFTP daemon to work. Read this document carefully; you need to open more than just ports 69 and 4011 to get this to work. The daemon listens on port 69 but responds from a randomly chosen high port. You'll need to configure the network filter rules to allow this behavior before TFTP will work.

You might also see this error if DHCP is misconfigured. If you have DHCP and the PXE Service point on different servers then you'll need to set option 66, the Boot Server Host Name. A small tip here - use the IP address of the PXE Service Point when troubleshooting this setting - this removes the possibility that it's a DNS resolution issue. You can always set it back once you're happy everything is back working.

PXE-E53: No boot filename received

Check option 67 on the DHCP server. It should be something like

smsboot\x86\wdsnbp.com

PXE-E55: ProxyDHCP service did not reply to request on port 4011

Related to the TFTP timeout problem, this suggests a firewall or routing issue. Check the firewall settings allow 4011 UDP through.

If the client and the PXE Service Point are on different subnets, check that the traffic is being forwarded from the client subnet to the PXE Service Point.

PXE-E3B: TFTP error file not found

At this point we know the client is getting service from DHCP and has managed to find the TFTP server and request the boot file. Two things to check here are

  1. Option 67 is configured correctly and pointing to a file that exists on the server
  2. The files are actually on the TFTP server

Check the SMSBoot folder in the REMINST share on the PXE Service Point. There should be 3 folders in the SMSBoot folder - ia64, x64 and x86. Each folder should contain some boot files. If not, you have problems!

The missing boot files can be fixed in a number of ways. The easiest way is to just copy the correct files over from a working PXE Service Point. I would not recommend this though - the files are missing for a reason, and you should really fix the underlying cause.

This error can be caused by a number of things- updating drivers in the default OSD Boot Images, restarting the server hosting the PXE Service Point or just a botched PXE Service Point install. The first thing you should try is clearing out temp files used by PXE.

  • Stop the WDS Service
  • Delete (or move) the folder %temp%\PXEBootFiles
  • Start the WDS Service

If this doesn't work it might be a more fundamental problem with the PXE Service Point. Remove the role from the server, restart the server hosting the PXE Service Point and Add the role back.
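The PXE-E3B checks and the temp-file reset above, as an added PowerShell example that is not part of the original post. Test-PxeServicePoint reports whether WDS is running, how many boot files sit in each SMSBoot architecture folder (resolving the REMINST share to its local path rather than assuming a drive letter), and whether UDP 69 and 4011 are actually listening; Reset-PxeBootFiles performs the stop / move aside / start sequence. Assumptions not from the post: it runs elevated on the PXE Service Point, netstat has the standard Windows output layout, and the PXEBootFiles folder is also checked under %SystemRoot%\Temp because the WDS service does not share an interactive user's %temp%.

```powershell
# Added example, not code from the original post: health check and temp-file reset for a
# SCCM 2007 PXE Service Point. Assumptions: run elevated on the PXE Service Point; netstat
# prints the standard Windows layout; the WDS service's temp folder is %SystemRoot%\Temp.

function Test-PxeServicePoint {
    $svc = Get-Service -Name 'WDSServer' -ErrorAction SilentlyContinue
    $wdsRunning = ($svc -ne $null) -and ($svc.Status -eq 'Running')

    # Resolve the REMINST share to its local folder instead of assuming a drive letter.
    $share = Get-WmiObject -Class Win32_Share -Filter "Name='REMINST'"
    $bootFolders = @{}
    if ($share) {
        foreach ($arch in 'ia64', 'x64', 'x86') {
            $dir = Join-Path $share.Path "SMSBoot\$arch"
            if (Test-Path $dir) {
                # 0 here means the folder exists but is empty, which is the PXE-E3B case.
                $bootFolders[$arch] = @(Get-ChildItem -Path $dir | Where-Object { -not $_.PSIsContainer }).Count
            } else {
                $bootFolders[$arch] = -1   # folder missing entirely
            }
        }
    }

    # UDP 69 (TFTP) and 4011 (ProxyDHCP) must be listening locally before any firewall work makes sense.
    $listeners = @(netstat -an -p UDP | ForEach-Object {
        if ($_ -match '^\s*UDP\s+(\S+:(69|4011))\s') { $matches[1] }
    })
    $hasTftp  = @($listeners | Where-Object { $_ -match ':69$' }).Count -gt 0
    $hasProxy = @($listeners | Where-Object { $_ -match ':4011$' }).Count -gt 0

    $healthy = $wdsRunning -and ($share -ne $null) -and $hasTftp -and $hasProxy -and
               (@($bootFolders.Values | Where-Object { $_ -le 0 }).Count -eq 0)

    New-Object PSObject -Property @{
        WdsRunning    = $wdsRunning
        RemoteInstall = if ($share) { $share.Path } else { $null }
        BootFileCount = $bootFolders        # -1 = folder missing, 0 = present but empty
        UdpListeners  = $listeners
        Healthy       = $healthy
    }
}

function Reset-PxeBootFiles {
    # The post's three steps: stop WDS, move the temp boot files aside, start WDS. Moving rather
    # than deleting keeps the old files if you need to compare them afterwards.
    Stop-Service -Name 'WDSServer' -Force
    foreach ($root in @($env:TEMP, (Join-Path $env:SystemRoot 'Temp'))) {
        $dir = Join-Path $root 'PXEBootFiles'
        if (Test-Path $dir) {
            $backup = "$dir.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
            Move-Item -Path $dir -Destination $backup
            Write-Output "Moved $dir to $backup"
        }
    }
    Start-Service -Name 'WDSServer'
}

# Usage:
# Test-PxeServicePoint
# Reset-PxeBootFiles; Test-PxeServicePoint
```

Run the check before and after the reset: if the boot folders are still empty or missing after WDS comes back up, the problem is with the PXE Service Point role itself rather than the temp files, and you are in the remove-and-re-add territory the post describes.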