Thursday, 20 September 2012

Sophos detecting itself as a virus

Ouch. Last night Sophos released a definition update that categorised its own updater as malware. Depending on the policy set by the administrator, Sophos then quarantined or, in some cases, deleted its own updating mechanism.

Sophos have a support article at http://www.sophos.com/en-us/support/knowledgebase/118311.aspx. The bad IDE file causing the Shh/Updater-B false positives is agen-xuv.ide.

Assuming you had set your Sophos installation up to quarantine the files and not delete them, you can get Sophos working again by running the following commands on each affected machine -

net stop "Sophos Anti-Virus"
Alupdate.exe -manualupdate

(you may need to specify the full path to Alupdate.exe, which may change depending on your OS)

This is not a great solution because it disables your on-access protection while the fixed IDE file is deployed!

Sophos have not specified this as a solution. The reason I post this is that some people cannot use any of their current solutions. If you are in this situation I would check with them before deploying this. However, from the limited testing I have done, this seems to work. Again, test, test and test again before deploying any fix like this, and try all the Sophos recommended options before this one.

An alternative, non-ConfigMgr solution, is to use group policy to delete the bad IDE file.

It also appears that only Windows machines are affected. MacOS seems to be fine with the bad definition file.

Friday, 15 June 2012

New platform support in SCCM 2012 SP1

Microsoft announced this week that Service Pack 1 for SCCM 2012 would be released in Q3. In addition to the expected support for Windows 8, they've added support for Mac OS X and Linux. Yes, really.

The announcement was at TechEd America 2012, but I found out about it at the Best of MMS event in Edinburgh being run by Charteris. The Microsoft guy I spoke to confirmed that Endpoint Protection is part of this support. Yes, that's a Microsoft antimalware solution for your Mac and Linux machines!

Wednesday, 30 May 2012

Troubleshooting the TFTP Service

This is a companion post to the Troubleshooting PXE in SCCM OSD series.

Troubleshooting PXE in SCCM OSD Part 1
Troubleshooting PXE in SCCM OSD Part 2
Troubleshooting PXE in SCCM OSD Part 3

As seen in the previous blog posts, a key part of the PXE process is the TFTP download of boot files to the client machine. If things aren't working it's always worth checking the tftp service is behaving as you'd expect. Microsoft provide a basic TFTP client with Windows. It's installed by default on Windows XP, but you'll need to do a wee bit of work to get this program working on Windows 7.

Installing and configuring the TFTP client on Windows 7

Firstly, to install the tftp client
  1. In Control Panel, choose Programs and Features.
  2. On the left hand pane, click "Turn Windows features on or off"
  3. Find the entry for TFTP Client and tick the box. This will probably require a restart.


Secondly, you need to allow the tftp client through the Windows Firewall
  1. Go to the Windows Firewall Control Panel.
  2. On the left hand pane, click Allow a program or feature through Windows Firewall.
  3. Click Allow another program.
  4. Click Browse. Browse to C:\Windows\system32, choose tftp.exe then click Open.
  5. On the Add a Program dialog, ensure "Trivial File Transfer Protocol App" is selected. Click Add.
  6. Check that on the "Allow programs to communicate through Windows Firewall" page "Trivial File Transfer Protocol App" is selected and allowed.



A quick test to see whether TFTP is working

Once you have a working tftp client, run up a command prompt. Run the following command-
C:\Users\Administrator>tftp -i servername get smsboot\x86\pxeboot.n12
-where servername is your PXE server. You should get an almost instantaneous response-
Transfer successful: 25772 bytes in 1 second(s), 25772 bytes/s
If this works, then your TFTP service looks healthy. If not, read on...

Some common TFTP errors

  • Error on server : The specified file was not found.

    If you get the following response-
    Error on server : The specified file was not found. Connect request failed
    You are probably missing files in the RemoteInstall directory. Browse to this directory, or map a drive to the folder (it's shared out as \\servername\reminst) and check that you have the relevant file structure.



    If the folders are missing, or the folders are empty, then something is wrong with the PXE service point. The most common solution to this is to remove the role and reinstate it.
  • Error on server : Access violation.

    This suggests a permission problem in the RemoteInstall directory. Check the NTFS permissions.


If you are getting a response from the server, but are seeing a timeout error, this could be due to an overaggressive network filter. To check this create a small file in the SMSBoot folder. In the following example I created a text file called test.txt which contained the word "test".
C:\Users\Administrator>tftp -i servername get smsboot\test.txt
Transfer successful: 8 bytes in 1 second(s), 8 bytes/s
If this command is successful, but larger files cannot be transferred, then check with your networking people. I have seen this happen when port 69 is opened but other ports are blocked. From our observations, the first 512 bytes can be transferred over port 69, but anything above 512 bytes will be transferred on a randomly assigned ephemeral port. If you've asked the networking people to allow tftp traffic, there is a chance they've only opened up port 69 and not factored in the ephemeral ports.
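
The small-file versus boot-file comparison above can be scripted so it is repeatable from any client subnet. This is an added example, not part of the original post: it assumes the tftp.exe client is installed as described, that you have created smsboot\test.txt yourself, and the function names are made up for illustration.

```powershell
# Added example. "servername" and the two remote paths are the placeholders
# used in the post; Get-TftpFile and Test-TftpPath are hypothetical names.
function Get-TftpFile {
    param([string]$Server, [string]$RemotePath)
    # Use a fresh local name so tftp.exe creates the file itself.
    $local  = Join-Path $env:TEMP ([guid]::NewGuid().ToString() + '.tftp')
    $output = (& tftp.exe -i $Server get $RemotePath $local 2>&1 | Out-String).Trim()
    # The success line has the form shown in the post:
    # "Transfer successful: 25772 bytes in 1 second(s), 25772 bytes/s"
    $ok    = $output -match 'Transfer successful: (\d+) bytes'
    $bytes = if ($ok) { [int]$Matches[1] } else { 0 }
    if (Test-Path $local) { Remove-Item $local -Force }
    New-Object PSObject -Property @{
        RemotePath = $RemotePath; Success = $ok; Bytes = $bytes; Output = $output
    }
}

function Test-TftpPath {
    param(
        [string]$Server,
        [string]$SmallFile = 'smsboot\test.txt',
        [string]$BootFile  = 'smsboot\x86\pxeboot.n12'
    )
    $small = Get-TftpFile -Server $Server -RemotePath $SmallFile
    $boot  = Get-TftpFile -Server $Server -RemotePath $BootFile

    $verdict = if ($small.Success -and $boot.Success) {
        'Both transfers succeeded: the TFTP service looks healthy from this client.'
    } elseif ($small.Success) {
        'Only the small file transferred: ask networking whether UDP ports other than 69 are filtered.'
    } elseif ($boot.Output -match 'not found|Access violation') {
        'The server answered with an error: check the RemoteInstall contents and NTFS permissions.'
    } else {
        'Nothing transferred: check the client firewall rule for tftp.exe and that the server is reachable.'
    }

    New-Object PSObject -Property @{ Small = $small; Boot = $boot; Verdict = $verdict }
}

# Replace "servername" with your PXE server.
$result = Test-TftpPath -Server 'servername'
$result.Small, $result.Boot | Format-Table RemotePath, Success, Bytes -AutoSize
$result.Verdict
```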

Monday, 30 April 2012

Create a Windows 8 bootable USB drive

For those that can't find a blank DVD, the Windows 8 Consumer Preview ISOs can be put on a USB drive and made bootable using the Windows 7 USB/DVD download tool. Instructions are on the Windows 8 ISO download page.

Windows 8 Consumer preview - http://windows.microsoft.com/en-US/windows-8/iso
Windows 7 USB/DVD Download tool - http://www.microsoftstore.com/store/msstore/html/pbPage.Help_Win7_usbdvd_dwnTool

You might need to enter the product key to install the preview - from the FAQ page it's DNJXJ-7XBW8-2378T-X22TX-BKG7J.

Wednesday, 18 April 2012

MMS 2013 - New Orleans in June

Another surprise at the second keynote was the announcement that MMS 2013 will not be in Las Vegas in Spring, but New Orleans in June. A good move in my opinion - it's difficult to get approval to go to a conference at the best of times, but when your boss sees that it's in Vegas he's probably imagining gambling and showgirls. New Orleans is probably easier to get approval for as it's not Mardi Gras time, and your boss is probably thinking of Jazz, Roger Moore in a 70s suit or Van Damme in Hard Target.

MMS 2012 - Deploying apps to iOS devices

Of all the stuff presented in the second MMS 2012 keynote, I was most impressed by something the camera didn't catch. If you watch the on demand version the bit near the end is pretty special. It was an app deployment to an iPhone using Microsoft management tools. The tech details were thin on the ground, but this could be massive for those of us who have to manage iDevices in the enterprise.

Tuesday, 17 April 2012

Windows Server 8 official name revealed at MMS 2012

Brad Anderson has just announced that Windows Server 8 will now be known as Windows Server 2012. Apart from the name change, the user interface has had a subtle Metro ribbon upgrade. If you want to watch some demos then have a look at the MMS 2012 keynote at http://www.microsoft.com/en-us/server-cloud/new.aspx.

Microsoft Management Summit 2012

Rod Trent has put up some pictures from this year's MMS at myitforum. I didn't manage to get to go this year, but there are some great online resources available for those of us who can't make it.

The first keynote can be streamed from here. System Center 2012 has been officially released today, but some of us have been using it for a few weeks!

The MMS website claims that you can watch individual sessions at http://www.mms-2012.com/digitalmms, but the links aren't active yet. If you've never been to MMS before, or viewed MMS sessions, I highly recommend you use the digital MMS resource.

Thursday, 12 April 2012

Managing iTunes with Group Policy

iTunes is one of those apps that is becoming a bit difficult to avoid in the workplace. With the growth of iPads in the enterprise, employees are starting to ask for iTunes on their workstations. Getting the software on a workstation is easy enough, but how do you manage it?

Luckily Apple have a support document at http://support.apple.com/kb/HT2102 which details what registry settings to change. You'll probably want to skip to the "Preconfiguring Parental Controls" section, as the top half suggests you should create a unique entry in HKLM for every user that will ever log in to that machine. Thankfully it's a lot more straightforward than that.

By default iTunes will have created the following key on install (on a 32-bit machine remove the Wow6432Node part)-

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apple Computer, Inc.\iTunes

Create keys named Parental Controls and Default so you get this path-

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apple Computer, Inc.\iTunes\Parental Controls\Default

In the Default key create a DWORD value (choose 32-bit if you're on a 64-bit machine) named AdminFlags. To test it works, let's try and disable Ping and the iTunes Store. From the table at the article above we can see the flags we want are-

kParentalFlags_DisableMusicStore 0x00000004
kParentalFlags_DisablePing 0x00800000

The AdminFlags value is a bitmask of these flags, so we just add these values together. This gives us a value of 0x00800004. But if you set AdminFlags to that value nothing will happen. Apple state that "these flags are only respected in AdminFlags when kParentalFlags_Locked is set." From the table at Apple-

kParentalFlags_Locked 0x00000001

So, for any of these values to take effect we need to add 1. This gives us 0x00800005 or the decimal value 8388613. Set this value and let's see what happens.



So here is iTunes before setting the value...



...and here is iTunes after we set the value...



For people working in education this is a useful flag - 0x01940005 or 26476549 in decimal. This prevents the welcome screen from loading and allows access to iTunes-U while blocking access to the rest of the iTunes store.
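
The steps above can be scripted so the Locked bit is never forgotten and the value lands under whichever iTunes key exists on the machine. This is an added example, not Apple's or the original post's code: the function names are hypothetical, and the only flags it knows are the three quoted above from Apple's table.

```powershell
# Added example. Flag names and values are the three quoted in this post;
# add further entries from Apple's table as you need them.
$ITunesFlags = @{
    kParentalFlags_Locked            = 0x00000001
    kParentalFlags_DisableMusicStore = 0x00000004
    kParentalFlags_DisablePing       = 0x00800000
}

function Get-AdminFlagsValue {
    param([Parameter(Mandatory = $true)][string[]]$Name)
    $value = 0
    foreach ($n in $Name) {
        if (-not $ITunesFlags.ContainsKey($n)) { throw "Unknown flag: $n" }
        $value = $value -bor $ITunesFlags[$n]
    }
    # The other bits are only respected when kParentalFlags_Locked is set,
    # so always OR it in rather than relying on the caller to remember.
    $value -bor $ITunesFlags['kParentalFlags_Locked']
}

function Get-ITunesKey {
    # Use whichever key the iTunes installer actually created, instead of
    # guessing from the OS bitness.
    $candidates = 'HKLM:\SOFTWARE\Wow6432Node\Apple Computer, Inc.\iTunes',
                  'HKLM:\SOFTWARE\Apple Computer, Inc.\iTunes'
    foreach ($c in $candidates) { if (Test-Path $c) { return $c } }
    throw 'No iTunes key found under HKLM. Is iTunes installed?'
}

function Set-ITunesAdminFlags {
    param([Parameter(Mandatory = $true)][string[]]$Name)
    $value = Get-AdminFlagsValue -Name $Name
    $key   = Join-Path (Get-ITunesKey) 'Parental Controls\Default'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name AdminFlags -Value $value `
        -PropertyType DWord -Force | Out-Null
    # Read the value back so the caller sees what was really stored.
    $stored = (Get-ItemProperty -Path $key -Name AdminFlags).AdminFlags
    'AdminFlags = 0x{0:X8} ({0}) under {1}' -f $stored, $key
}

# Run from an elevated prompt: disables the iTunes Store and Ping.
Set-ITunesAdminFlags -Name kParentalFlags_DisableMusicStore, kParentalFlags_DisablePing
```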

Wednesday, 11 April 2012

Using Orca to fix "the operating system is not adequate" MSI failures

Packaging up an MSI install for Windows 7 x64 I got this message-



"The operating system is not adequate for running [app]". Obviously Windows 7 x64 is adequate, but how do we get round this problem?

The simplest of all options is to right click the MSI and on the Compatibility tab tick the box "Run this program in compatibility mode for: Previous version of Windows". However, knowing that this is probably just a spurious error, I wanted to patch the MSI so that I don't need to worry about this condition in the future.

Launching Orca I can see straight away there is a LaunchCondition set that will probably be causing the issue-



(Version9X = 400) OR (Version9X = 410 And Not WindowsBuild = 2222) OR (Version9X = 410 And WindowsBuild = 2222) OR (Version9X = 490) OR (VersionNT = 400) OR (VersionNT = 500) OR (VersionNT = 501)

I could just remove the condition and save the modified MSI, but I always prefer to leave the MSI intact and create a transform file. So, from the Transform menu choose New Transform. The title bar will change to say "[app].msi (transformed by Untitled)".



Right click the row we want to delete and choose "Drop Row"



A green line should now appear through the row. From the Transform menu choose Generate Transform and save the mst file in the same folder as your MSI. I called mine platformfix.mst.



Now try installing the app. To check the transform is working, run the MSI without the transform, then with the transform. This command should return the original error-

msiexec /i Plastics.msi

Whereas this should bypass the version check-

msiexec /i Plastics.msi TRANSFORMS=platformfix.mst

Tuesday, 3 April 2012

Configuration Manager 2012 released

Microsoft quietly RTM'd SCCM 2012 over the weekend. At the moment it only looks like it's available for Volume Licensing customers. Presumably the official release date will be April 17th 2012, the morning Brad Anderson does the Keynote at MMS 2012.



If you're having trouble finding it in the download center, that's probably because it is not listed under Configuration Manager. Searching for Configuration manager will only find SCCM 2007. SCCM 2012 can be found listed under the System Center 2012 Standard and System Center 2012 Datacenter suites.

Thankfully the suites are logically split into collections of ISO files. The Standard Configuration Manager and Endpoint protection ISO is 1.67GB in size.



If you've installed Configuration Manager before you'll recognise the installer. Let the migration begin!

Wednesday, 29 February 2012

Configuration Manager 2012 Licensing

I went to the System Center 2012 Preview Roadshow in Edinburgh yesterday. Sadly, this wasn't one of Microsoft's best events (it was pretty awful), but there was one bit of information they presented that I hadn't noticed before.

There are some big changes with the way the System Center products are licensed with the 2012 release. Gone are the days when you could licence Operations Manager or Configuration Manager separately. All the products are bundled together and there are only two options for licensing now-
  • System Center 2012 Datacenter Edition
  • System Center 2012 Standard Edition
Both products give you the entire System Center suite - Operations Manager, Config Manager, DPM, VMM, Service Manager, Forefront Endpoint Protection and the two new guys Orchestrator (formerly Opalis) and App Controller (formerly project Concero). The only difference (apart from price) is that the Datacenter edition allows you to install as many virtual machines as you want on a two core server - the Standard edition is stuck at two VMs.

On the client side, the Core CAL will still give you ConfigMgr and Forefront Endpoint Protection. The Enterprise CAL adds DPM, OpsMgr, Orchestrator and Service Manager.

Monday, 20 February 2012

SQL Server 2008 R2 in a task sequence

When packaging up software for SCCM I like to find a silent install switch that shows some kind of progress bar. This has the obvious benefit of providing feedback during testing, but can cause unexpected problems. Like when installing SQL Server 2008 R2 Express.

There are 2 silent install parameters for SQL Server 2008 R2-
  • /Q - quiet install with no user interface
  • /QS - quiet install but with progress dialog

I'd normally prefer to use /QS so I can see what is going on during testing. However, this is the result of my testing with SCCM-
  • /Q - works fine in a Task Sequence
  • /QS - doesn't work at all

So, if you're having an issue with installing SQL Server 2008 R2 (and 2008 R2 Express), try using /Q instead of /QS.

The other issue that I saw with the install is that the command line can be longer than 255 characters and this is a hard limit in the Program Command Line box in SCCM. The solution to this is to copy the command line into an install.cmd file and run that instead. This allows you to have command lines like this-

SQLEXPR_x86_ENU.exe /ACTION=INSTALL /FEATURES=SQLEngine /INSTANCENAME=MyInstance /SQLCOLLATION=Latin1_General_BIN /SQLSVCSTARTUPTYPE=Automatic /SQLSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE" /SQLSYSADMINACCOUNTS="BUILTIN\ADMINISTRATORS" /IAcceptSQLServerLicenseTerms="True" /Q

Thursday, 2 February 2012

Automatically delete roaming profiles on workstations

If you're running a pre-Vista OS and have roaming profiles enabled you have probably noticed that Windows will cache those profiles on workstations. This is great if it's your primary machine as you don't need to download the entire profile every time you log in, but can be a real pain for lab style machines. If you have enough different logins your workstations can run out of disk space!
One of the solutions to this is to run Delprof. This is a Microsoft utility that will delete inactive profiles. A sample command line is

delprof.exe /I /Q /D:30

The above command will remove inactive profiles that are over 30 days old. Depending on the traffic on your machines you may wish to increase this value. But what is the best way of running this command?

I'd recommend deploying this using schtasks. This allows you to run delprof when the machine is idle - I've seen corruptions occur when delprof runs at logon or logoff, so this is probably a safer way. I run the following batch file on each workstation -

copy delprof.exe c:\windows\system32

schtasks /create /tn "Delete Inactive Profiles" /tr "delprof.exe /I /Q /D:5" /sc ONIDLE /i 5 /ru "SYSTEM"

Delprof is available from the Microsoft download center (www.microsoft.com/download/en/details.aspx?id=5405).

Wednesday, 1 February 2012

Fixing broken SMSSLP settings

MadLuka has a great post here about some issues related to the R3 upgrade for the SCCM client. Basically, deploying this hotfix without respecifying the correct parameters can knock out your SMSSLP settings on your clients. This is not an issue if your clients can find the management point using WINS, DNS or Active Directory, but is a massive issue if you have workgroup clients that don't use these technologies.

Our fix was to roll out the registry key HKLM\SOFTWARE\Microsoft\CCM\SMSSLP to all affected machines and this fixed the issue.

Monday, 30 January 2012

SCCM 2012 RC2 released

Microsoft have released the open beta of Configuration Manager 2012 Release Candidate 2. It can be found at http://www.microsoft.com/en-us/server-cloud/system-center/configuration-manager-2012.aspx.

Tuesday, 24 January 2012

Uninstalling the SCCM Client

The only supported method of uninstalling the client is ccmsetup /uninstall (See Technet).

On most systems this executable is found at C:\WINDOWS\system32\ccmsetup

But since Operating System Deployment relies on the SCCM client, how do you uninstall it as part of a task sequence? The answer is simple - schtasks.

The following command should work as the last step in a task sequence-

schtasks /create /tn "Remove SCCM Client" /tr "C:\WINDOWS\system32\ccmsetup /uninstall" /sc ONSTART /Z /ru "SYSTEM"

It should work, but I've not tested it. It's one of those things that was a requirement, but was quickly dropped, so never even got into testing.