How to Create a Silent, Self-Extracting Installer for use with Windows Configuration Designer

How to Create a Self-Extracting Installer using 7Zip for Complex Applications for use with Windows Configuration Designer


A challenge that may arise when trying to use modern deployment techniques with Windows 10 is the need to deploy applications that have complex installation methods. These methods may use setup.exe’s that call .msi files or have multiple files or folders. When creating a provisioning package with Windows Configuration Designer (WCD) to join a device to Azure AD you can specify applications to install during the provisioning wizard, however these applications must be a single file. These could also be .bat, .cmd, etc. files, but again, can only be a single file.

7-Zip is a free, open source application that allows for creating self-extracting installers in an .exe format. It allows for repackaging without having to install the application on a reference machine and capture the differences into a MSI file like most repackaging solutions. These self-extracting .exe files can be deployed during the provisioning of a device.

Preparing to Repackage your Application

In this example, we’ll be repackaging Office 365 ProPlus Click To Run (CTR) since it has a small footprint consisting of a single setup.exe and configuration.xml which allows for silent installation. Know that this isn’t the most efficient way of installing Office 365 ProPlus CTR using provisioning since using the standard Office 365 ProPlus CTR bits will reach out to the internet to download ~1GB+ of files.

Note: If you’re looking for a more efficient way to include Office 365 ProPlus CTR into your provisioning package, use the Office Install Toolkit, which will give you the ability to customize your office install and download the bulk of the installation files to reduce the amount of bandwidth your devices will use during provisioning.

  1. Copy your application to some folder on your machine. For example C:\temp\Office 365 ProPlus
  2. In this folder, create a new folder called custom
  3. Download 7-zip from http://www.7-zip.org/ and select the appropriate architecture type for your machine (x86 or x64)
  4. Install 7zip
  5. Download the LZMA SDK – http://www.7-zip.org/a/lzma1604.7z
  6. Right Click the lzma1604.7z, select 7-zip -> Extract Files
  7. In the Extract to: field, select a location to extract to such as C:\temp\. When it’s finished extracting, you should have a folder called C:\temp\lzma1604
  8. If you are interested in how LZMA compresses the files into a self-extracting zip, you can reference the “C:\temp\lzma1604\DOC\installer.txt”

Repackaging the application

Now that 7Zip and LZMA are both installed, we need to repackage the application. In order to repackage, we need to do four things:

  1. Zip our source files
  2. Copy the 7zSD.sfx file from LZMA – this is what creates the self-extracting exe
  3. Create a config.txt file that includes the installation command and the silent switches
  4. Run a copy command to take the compressed zip file, the sfx file, and the config file and create a single self-extracting .exe

Let’s repackage Office 365

  1. Open File Explorer and go to C:\Temp\Office 365 ProPlus
  2. Select the setup.exe and configuration.xml files and select 7Zip -> Add to “Office 365 ProPlus.7z”
     You should have an Office 365 ProPlus.7z file in the C:\temp\Office 365 ProPlus folder
  3. In file explorer, copy
    “C:\temp\lzma1604\bin\7zSD.sfx” to C:\Temp\Office 365 ProPlus
  4. In file explorer, in the c:\temp\Office 365 ProPlus folder, right click in the white are and select New – Text Document and name the file config.txt
  5. Open the config.txt file
  6. The content of the config.txt file needs to be in a certain format. The below example is for Office 365, but for your installer you’ll need to get the execute file (this could be a setup.exe, or even a .cmd file or some other extension) and whatever the parameters are.

    Copy and paste the below example into your config.txt file

    ;!@Install@!UTF-8!
     Title="Office 365 PP"
     BeginPrompt="Do you want to install Office 365 PP?"
     ExecuteFile="setup.exe"
     ExecuteParameters="/configure configuration.xml"
     ;!@InstallEnd@!

    If you have a MSI file as the installer, but still have multiple files and/or folders that comprise the installation, you can use the following:

    ;!@Install@!UTF-8!
     Title="Title of Application"
     BeginPrompt="Do you want to install Application?"
     ExecuteFile="msiexec.exe"
     ExecuteParameters="/i NameOfMSI.msi /qn /norestart"
     ;!@InstallEnd@!

    Note: Your MSI may have additional properties. Check with the vendor to determine any additional execute parameters that are needed.

  7. Open a command prompt by clicking the start menu and typing cmd and hitting enter
  8. Change directory to c:\temp\Office 365 ProPlus by typing cd c:\temp\Office 365 ProPlus
  9. Create the self-extracting exe by typing:
    copy /b 7zSD.sfx + config.txt + “Office 365 ProPlus.7z” O365PPInstaller.exeYou should end up with a temp folder that looks like the following:
  10. Congratulations, you now have a self-extracting exe that can be installed silently.

Testing the EXE

It’s recommended to test the exe prior to implementing in a provisioning package to validate that the exe installs successfully. There are two ways to do this:

  1. Copy the exe to a test machine (A VM is preferred) and run it via cmd prompt using O365PPInstaller.exe -y
  2. Copy the exe to a test machine (A VM is preferred) and install the exe in the system context

Option 1 is easy, however option 2 is a better test since the provisioning process uses the system context. Use option 1 first just to validate that the exe works. But use option two to make sure it works in the system context. If both tests work, then there’s a high likelihood it will work in the provisioning package.

Testing with option 1

  1. Copy the O365PPInstaller.exe file from C:\temp\Office 365 ProPlus and copy it somewhere on your test machine. In this example, we’ll use c:\temp
  2. Open an admin command prompt on the test machine by going to the start menu, typing in cmd, and pressing ctrl+Shift+Enter at the same time on the keyboard (alternatively, you can right-click on cmd and select Run as Administrator)
  3. Change directory to c:\temp by typing in cd c:\temp and hitting enter
  4. Run O365PPInstaller.exe -y

If your configuration file for O365 was configured correctly, O365 ProPlus should install silently (a black window might pop up, but no user intervention is required).

(Optional) Testing with option 2

Testing with option 2 requires the use of psexec to create a command prompt in the system context. This will allow for validation of the application as system, which is the context Intune and the provisioning process will use to install the application.

  1. Copy the O365PPInstaller.exe file from C:\temp\Office 365 ProPlus and copy it somewhere on your test machine. In this example, we’ll use c:\temp
  2. Download psexec from https://live.sysinternals.com/psexec.exe
    (Note: Sysinternals tools are Microsoft tools, psexec.exe is a safe download)
  3. Save the file to c:\temp\psexec.exe
  4. Open an admin command prompt on the test machine by going to the start menu, typing in cmd, and pressing ctrl+Shift+Enter at the same time on the keyboard (alternatively, you can right-click on cmd and select Run as Administrator)
  5. Type in c:\temp\psexec.exe -sid cmd -accepteula and hit enter
  6. A new cmd prompt will open up in the system context. Verify you are running as system by typing whoami and hitting enter
  7. Change directory to c:\temp by typing in cd c:\temp and hitting enter
  8. Run O365PPInstaller.exe -y

If your configuration file for O365 was configured correctly, O365 ProPlus should install silently (a black window might pop up, but no user intervention is required).

Integrating with a Provisioning Package

You can create provisioning packages (PPKG) with the Windows Configuration Designer (WCD) tool. This process will show how to download WCD and create a PPKG to provision a device.

  1. Download Windows Configuration Designer (WCD) from the Windows Store
    1. Go to the start menu and type store and hit enter
    2. In the search box type Windows Configuration Designer and hit enter
    3. Click the Install button
    4. When the app finishes installing, click Launch from the Windows Store application (alternatively you can find the app in your start menu)
  2. In Windows Configuration Designer, select Provision desktop devices
  3. In the New Project wizard, give your package a name and click Finish
  4. In the Set up device page, type in a name for the device such as Contoso-%RAND:5%
  5. Click Next
  6. In the Set up network page, enter your network SSID. If you are going to use a VM or a device without a wireless adapter, make sure to select Off for Connect devices to a Wi-Fi network and click Next
  7. In the Account Management page, select Enroll in Azure AD and select Get Bulk Token
  8. In the wizard that pops up, enter the Azure AD account that has rights to enroll devices (this would be a global administrator account, or an account that you have specified in Azure AD) and click Next
  9. Enter your password and click Sign In

    If you get an error, try again. Trying multiple times seems to help.
  10. Click Next once the bulk token has been fetched successfully
  11. In the Add applications page, click the + sign for Add an Application
  12. For Application Name, type in Office 365 Pro Plus
  13. Click Browse for the Installer path
  14. Select c:\temp\O365PPInstaller.exe
  15. For command line arguments enter cmd /c “o365ppinstaller.exe” -y
  16. Click Add
  17. Click Next
  18. In the Add certificates page, click Next
  19. In the Finish page, click Create
  20. After clicking Create, a link to the package will be listed in the app. The path to the PPKG will be similar to: C:\Users\<YourUserProfile>\Documents\Windows Imaging and Configuration Designer (WICD)\<Name You Gave The Package>The package will be in a folder that looks like the following. All you want is the .ppkg file out of this folder. Take the .ppkg file and copy this to a USB stick.

Provision a New Device

  1. Image a machine with stock Windows 10 1703 (aka Creators Update) installation media and let it sit at the first screen of the out of box experience (the screen that says “Let’s start with region. Is this right?“)
  2. Insert the USB stick that has the provisioning package (the file with the .ppkg extension)You should see a screen that looks like the following:
  3. The PC will reboot and will be on the Installing provisioning packages… screen for a little while depending on the size or the application. With Office 365 ProPlus, the installer that we captured will reach out to the internet to download the latest bits of Office 365. This can be about 1GB+ of data.

Once the installation is complete, you should be at the lock screen. Dismiss the lock screen and login with an Azure Active Directory Account. If everything succeeded, you should see Office 365 ProPlus installed on the device.

Posted in Modern Management | Tagged , | Leave a comment

System Center 2012 Configuration Manager Beta 1 Unix and Linux Client Downloads Available

System Center 2012 Configuration Manager SP1 Beta 1 offers support for managing Unix and Linux clients (and Mac OS clients as well). When download loading the beta SP1 bits, the client bits aren’t available and need to be downloaded separately.

The following Unix and Linux versions are supported in Beta 1:

  • AIX Version 7.1 (Power)
  • AIX Version 6.1 (Power)
  • AIX Version 5.3 (Power)
  • HP-UX Version 11iv3 (IA64 & PA-RISC)
  • HP-UX Version 11iv2 (IA64 & PA-RISC)
  • RHEL Version 6 (x86 & x64)
  • RHEL Version 5 (x86 & x64)
  • RHEL Version 4 (x86 & x64)
  • Solaris Version 10 (x86 & SPARC)
  • Solaris Version 9 (SPARC)
  • SLES Version 11 (x86 & x64)
  • SLES Version 10 SP1 (x86 & x64)
  • SLES Version 9 (x86)

The following scenarios are supported by the UNIX and Linux clients:

  • Hardware Inventory – Hardware inventory can be viewed through Resource Explorer and can be used to create collections of UNIX and Linux computers.
  • Software Inventory – Through hardware inventory the list of natively installed software can be gathered from the UNIX and Linux computers – similar to add/remove programs for Windows systems.
  • Software Distribution – Deploy new software, update existing software and apply OS patches to collections of UNIX/Linux computers (using a package and program). Run arbitrary maintenance scripts on a collection of UNIX/Linux servers.
  • Secure and Authenticated Communications
  • Consolidated Reports

For more information and to download the client files, please visit http://www.microsoft.com/en-us/download/details.aspx?id=34609

Posted in ConfigMgr 2012, Unix and Linux | Leave a comment

List of RSS Feeds for KB Articles for Microsoft Products

Want to keep up with the latest KB articles for the Microsoft products that you have in your environment? The best solution I’ve found is to use an RSS Feed Reader and subscribe to the feeds.

Here’s a list of all of the RSS feeds for every KB article that comes out.

http://support.microsoft.com/select/?target=rss

Posted in Tips and Tricks | Leave a comment

SoftwareUpdateAutomation.exe Scheduled Task Fails with an 0x1 Error Message When Updating FEP 2010 Definition Package

Issue

When using the SoftwareUpdateAutomation.exe file as a scheduled task to update the Forefront Endpoint Protection definition files, the scheduled task may fail with an error code of 0x1. In the %programdata%\SoftwareUpdateAutomation.log file may see the following error:

SQLMessage = “[22018][245][Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the varchar value ‘APSB10-22’ to data type int.”;

Cause

This happens when SCUP is used to import third party updates. These updates sometimes include dashes as part of the articleID column in the database.

Solution

In the command line arguments for the SoftwareUpdateAutomation.exe scheduled task, use single quotes around the articleID. For example, use the following:

/AssignmentName <deployment name> /PackageName <deployment package> /RefreshDP /UpdateFilter “articleid=’2461484′ AND IsSuperseded=0 AND IsEnabled=1 AND IsExpired=0”

Posted in Forefront Endpoint Protection | 1 Comment

How to Turn Off Compression in Configuration Manager 2007 Software Distribution

This is a question I’ve been asked a few times. By default, SMS and ConfigMgr both compress package content into a PCK file to distribute the content to child sites. The problem you might run into with Operating System Deployment WIM files, which are already compressed, is that they take forever to move from one site to another, finally to your distribution point.

There is a way to handle the compression and exclude WIM files, as well as any other extension you want to exclude. This can save you a good amount of time. In my customer’s case this week, we noticed that distribution manager took 5 minutes to complete “compression” instead of 30 minutes that it previously took.

I mention “compression” (in quotes) because while distmgr.log will show the file being compressed, if you look at the file size, it’s actually slightly bigger (in some cases) than the original WIM file.

For example, look at this screen shot of my distmgr.log where I send an x86 boot WIM that distmgr compresses

Compressed Package

Notice the first line where it says the size of the package is 129544 KBytes and the compressed size at the bottom is 129068 KBytes. Not very much space gained here, but look at the amount of time it took to compress roughly 130MB. It took 2 minutes.

Let’s take a look at the same package with compression off for WIM files:

Notice here how the same package content is still “compressed”, but the content is actually BIGGER, yet the amount of time is a minute less (or 50% in reduction of time to “compress”). It’s bigger, likely because there is some additional information that gets added to the package as it is getting moved to a .pck file. The package will always convert from a .wim to .pck, however the compression engine simply isn’t involved.

In order to exclude WIM files from compression you need to edit the following location in the registry:

HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ SMS\ Compression\ DontCompressExts on 32 bit servers

Or

HKEY_LOCAL_MACHINE\ SOFTWARE\ Wow6432Node\ Microsoft\ SMS\ Compression\ DontCompressExts on 64 bit servers

In this list, you will see:

.cab;.zip;.arj;.rar;.jpg;.jpeg;.wma;.wmv;.mpg;.mpeg;.mov

Simply add

.cab;.zip;.arj;.rar;.jpg;.jpeg;.wma;.wmv;.mpg;.mpeg;.mov;.wim

Posted in sccm | 4 Comments

Verizon Wireless Samsung SCH-LC11 EF07 Update Now Available

Samsung has released a software upgrade EF07 for the SCH-LC11, which is recommended to be installed. I used to have CONSTANT disconnecting issues with my SCH-LC11, but those issues appear to have been resolved. Will know for sure after some more time with the update, but it’s working well so far.

  • PPTP and L2TP VPN support
  • CSFR improved web security
  • Change WEB UI 4G icon change
  • RSSI indicator change
  • Extended default IP range
  • Resolves Wi-Fi disconnect / interference issue
  • Device configuration script
Posted in Uncategorized | Leave a comment

Building Windows 8 – Improving Windows Explorer

If you haven’t been to the Building Windows 8 Blog yet, I highly recommend bookmarking it as the Windows 8 team has been updating it frequently.

Today’s post comes from Alex Simons and takes a brief look at the history of Windows Explorer (going back to MS-DOS Executive in Windows 1.0) and a very interesting look at the telemetry data (the data we use when we ask you to opt into the Customer Improvement Experience Program for many of our products) from our users to see how they are using the product and how we can make the products better.

Goals of the new Windows Explorer

We set out to accomplish three main goals with this new version of Explorer.

  1. Optimize Explorer for file management tasks. Return Explorer to its roots as an efficient file manager and expose some hidden gems, those file management commands already in Explorer that many customers might not even know exist.
  2. Create a streamlined command experience. Put the most used commands in the most prominent parts of the UI so they are easy to find, in places that make sense and are reliable. Organize the commands in predictable places and logical groupings according to context, and present relevant information right where you need it.
  3. Respect Explorer’s heritage. Maintain the power and richness of Explorer and bring back the most relevant and requested features from the Windows XP era when the current architecture and security model of Windows permits.

Read more at Improvements in Windows Explorer

Posted in Windows 8 | Leave a comment

Using Your Distribution Points for FEP Definitions with the Software Update Automation Tool – Forefront Endpoint Protection 2010 Update Rollup 1

In my previous post on using your distribution points for Forefront Endpoint Protection (FEP) 2010 definition files, we had to leverage a vbscript in order to automate the download of the definition files from Microsoft via a scheduled task and then create a package that updated automatically on schedule and have a recurring advertisement. We also had to create some additional DCM configuration items and collections. This whole thing became a pretty tedious process to setup, but in the end it worked and the clients could get the definitions from their local DPs instead of the Software Update Point, WSUS server, UNC Share, or Microsoft Update. FEP 2010 Update Rollup 1 makes the process of getting the defs from your DPs a whole lot easier!

Downloading FEP 2010 Update Rollup 1

When you download FEP 2010 Update Rollup 1, you will have the option for x86 and x64 versions as well as a hotfix KB2554364 which is reporting fix that must be installed prior to installing Rollup 1. The reporting fix needs to be installed on your Reporting server. Once you have downloaded FEP 2010 Update Rollup 1 and KB2554364 for the architecture types in your environment (32 or 64 bit) you also need to download the FEP 2010 Update Rollup 1 Tools. It’s not required to download all of the tools, but for the purposes of this post, the tool that you want to download is the fepsuasetup.cab which is the Definition Update Automation Tool.

In summary download the following:

Installing FEP 2010 Update Rollup 1 on Infrastructure Servers

Installing FEP 2010 is simple, but can be slightly confusing at first.

  1. Install FEP2010-Update-KB2554364-xxx-yyy.exe on the server you installed FEP Reporting to (where xxx is the architecture type and yyy is the language; e.g. FEP2010-Update-KB2554364-x64-enu.exe )
  2. Run FEP2010-Update Rollup-KB2551095-xxx-yyy.exe (this will extract into three folders: FepExt, FepReport, FepUx)
    1. FepExt is the FEP Extension for Configuration Manager. This needs to be applied on your SCCM Site Server(s).
    2. FepReport is for FEP Reporting and needs to be installed on the server you installed FEP Reporting to.
    3. FepUx is the FEP Console Extension and will need to be installed on all SCCM Consoles that plan on managing FEP.

Once you have installed the three components, you have completed the server installation of FEP 2010.

Installing FEP 2010 Update Rollup 1 on Clients

FEP 2010 Update Rollup 1 has a client upgrade as well. By default it modifies the files in the FEP – Deployment package that it created with the initial install. Basically, there’s a new FEPInstall.exe file.

Using the “Old” Advertisement to Upgrade Your Clients

Prior to installing FEP 2010 Update Rollup 1, you likely made an advertisement to target machines to install the FEP client. If you would like to use that same advertisement, you will need to modify the program rerun behavior to Always Rerun Program.

Using a New Advertisement to Upgrade Your Clients

Chances are you likely want to use a new advertisement to upgrade your clients. I will assume that you know how to create an advertisement for your environment, however what I would like to point out is a potential collection you can target. FEP creates a collection called Out of Date which is under FEP Collections – Deployment Status. This collection leverages a custom SQL query created by FEP that identifies machines that have an old version of the FEP client. You can target this collection with the new FEP 2010 Update Rollup 1 client package to upgrade your clients, but be forewarned that this collection doesn’t limit workstations or servers, so you may want to create other collections that limit to the Out of Date collection if you want to manage your FEP client rollout better.

Configuring a Deployment Package and Deployment for FEP Definitions

In order for the software update automation tool to work, you will need a deployment and package to leverage. But before that, you’ll need to make sure you are syncing the FEP 2010 Definitions.

Syncing the FEP 2010 Definition Files

  1. From the site server that is top most Software Update Point (the one that syncs with Microsoft Update) – Expand Site Database – Site Management – Site Code – Site Settings – Component Configuration
  2. In the middle pane double click select Software Update Point Component
  3. In the Classifications tab select Definition Updates
  4. In the Products tab select Forefront Endpoint Protection 2010 (note: if this is your first time syncing with Microsoft update, you may not see Forefront Endpoint Protection in this list. After the first sync you should see a lot of additional products in this list)
  5. In the Sync schedule tab select Custom schedule and click the Customize… button
  6. For the Recurrence Pattern select Custom interval and for Recur every select 1-8 hours (set this at an interval you are comfortable with. The definitions come out three times a day, so at most set this to 8 hours, but if you are comfortable doing it more frequently, then hourly is probably fine)
  7. Click OK
  8. Click OK at the Software Update Point Component Properties dialog window

If you had to do the above steps to get the FEP 2010 Definitions to sync, you probably don’t want to wait for the sync time to start, so to kick off a manual sync, do the following:

  1. Expand Site Database – Computer Management – Software Updates – Update Repository
  2. Right Click on Update Repository
  3. Select Run Synchronization
  4. Open <ConfigMgr Install Dir>\logs\wsyncmgr.log to watch the synchronization progress

After you have sync’d the catalog, you should now be able to create a package.

Creating the Deployment Package

  1. In the ConfigMgr console expand Site Database – Computer Management – Software Updates – Update Repository – Definition Updates – Microsoft – Forefront Endpoint Protection 2010
  2. In the Forefront Endpoint Protection 2010 pane in the middle, select the latest definition file in the list (you may have more than one file in here)
  3. Right Click the update you have selected and click Download Software Updates
  4. Alternatively, you could also select Update List which will allow you to add the definition file to an update list AND download the definition to a package. It’s up to you, however in this example I will not be making an update list and will just download to a package.
  5. In the Download Updates Wizard select Create a new deployment package
  6. In the Name field, type an appropriate name
  7. In the Description field, type an appropriate description
  8. For the package source, create a shared location for the definition files to be downloaded to
  9. Click Next
  10. Click Browse in the Distribution Points wizard and select the DPs you would like to send the package to
  11. Click Next
  12. Click Next at the Data Access step
  13. Click Next at the Distribution Settings step
  14. Click Next at the Download Location step (unless you have downloaded the defs manually to a location on the local network)
  15. Select the languages you would like the updates in at the Language selection step and click Next
  16. Click Next at the Summary step
  17. The updates will download, click Close when finished

If all went well, you should now have a package flowing to the DPs you have selected. You can look at the package status node for the package, or you can watch the distmgr.log on each of the servers if you are so inclined. The next step is to create your deployment.

Creating the Deployment

So just like your package, the deployment will also just have “one” update in it (as you’ll find over time the package and deployment will grow to have many updates, but initially we will just select one update).

  1. In the ConfigMgr console expand Site Database – Computer Management – Software Updates – Update Repository – Definition Updates – Microsoft – Forefront Endpoint Protection 2010
  2. In the Forefront Endpoint Protection 2010 pane in the middle, select the latest definition file in the list (you may have more than one file in here)
  3. Right Click the update you have selected and click Download Software Updates
  4. In the name field, enter FEPDefs (you can name this something different, however I like to keep the package and deployment the same name, and with the Software Update Automation Tool, this will make things easier later, especially if the name of the package and deployment do not have spaces in the name)
  5. Click Next in the General step
  6. Click Next in the Deployment Template step
  7. In the Collection step, use a collection that makes sense for your environment. I would use a test collection here. Click Next
  8. In the Display/Time settings step, I prefer to select Suppress display notifications on clients, and Client Local Time. Leave the duration at the default of 2 weeks and click Next
  9. In the Restart Settings step, check the Servers and Workstations boxes to suppress restarts. Definitions should NEVER cause a reboot, but I do this just to be safe. Click Next
  10. Click Next in the Event Generation step
  11. In the Download Settings step, I prefer to have clients that are in slow boundaries to download software updates from a distribution point and install. I also prefer to keep the Download software updates from unprotected distribution point and install option selected. Click Next.
  12. In the Create Template step, if you would like to save the template, create a template name, otherwise uncheck the Save deployment properties as a template option and click Next.
  13. In the Deployment Schedule step, keep As soon as possible selected and set a deadline to something appropriate (I prefer to set my deadline to a few minutes ahead of the current time so my clients start to install definitions right away). You can also opt to Enable Wake on LAN and Ignore maintenance Windows and install immediately (which I would do since definitions are constantly being sent out and most maintenance windows are open once a month for most customers, however some may have a nightly window, so treat this option as something that will depend on your environment) and click Next.
  14. At the Summary step click Next
  15. Click Close when finished

If all went well, you should now have a deployment targeting a test collection. During this time, the package should have completed being copied to all the DPs as well. It’s a good idea to validate that the package is on all the DPs at this point. What we have basically done up to this point is created a package and a deployment for a single definition file. Over time, the definitions will obviously be out of date if we don’t update the package and deployment. This is where the Software Update Automation Tool will come into play. This will run a scheduled task which triggers an exe to run and update both the package and deployment for FEP AND it will cause the content to be updated on the DPs.

Configuring the Software Update Automation Tool

This step will require creating a scheduled task. I will do the steps from a Windows 2008 R2 stand point. For 2003, the steps will be different

  1. Extract the SoftwareUpdateAutomation.exe file from the fepsuasetup.cab to <ConfigMgr Installation Folder>\AdminUI\bin
  2. Open Task Scheduler (on Windows 2008 or 2008 R2 just go to Start and in the Search Field type in Task Scheduler)
  3. In the Task Scheduler window, right click
    Task Scheduler Library and select Create Task
  4. In the Create Task window, type in an appropriate name for the task
  5. Under security options in the General tab, click the Change User or Group
  6. In the Select User or Group window, under Enter the object name to select type in System and click OK
  7. Click the Triggers tab
  8. Click New…
  9. Under settings, select One Time and under Advanced Settings select Repeat task every 1 hour for duration of Indefinitely and click OK
  10. Click the Actions tab
  11. Click New
  12. For Action select Start a program
  13. Under Settings for the Program/script enter <ConfigMgr Install Dir>\AdminUI\bin\SoftwareUpdateAutomation.exe
  14. For Add arguments (optional) use /AssignmentName <deployment name> /PackageName <deployment package> /RefreshDP /UpdateFilter “articleid=2461484 AND IsSuperseded=0 AND IsEnabled=1 AND IsExpired=0” (replace <deployment name> and <deployment package> with the names of the deployment and package, for example: /AssignmentName FEPDefs /PackageName FEPDefs /RefreshDP /UpdateFilter “articleid=2461484 AND IsSuperseded=0 AND IsEnabled=1 AND IsExpired=0”) and click OK.
  15. Click OK to close and save the Scheduled Task

Updating Your Policies for Clients to Download the Definitions from Configuration Manager

With update rollup 1 installed, you’ll notice in your policies that a slight change has been made to the updates tab.

With update rollup 1 we can leverage the ability to specify Configuration Manager as the primary source for definition updates and also select the ability to check alternative sources if definitions on the client computer are older than a specific number of days. The previous options that we had with FEP 2010 RTM are now classified as alternative sources. So make sure that in your Policies that you update them to leverage Configuration Manager as the primary source for definition updates.

At this point you should now have a scheduled task that will run every hour. This will run hourly and update your package and deployment. When your client computers download policy, they will start to install the latest FEP definition files silently from their distribution points. If you have any questions about the setup of this method, please submit a comment and I’ll try to answer when I can.

Posted in Forefront Endpoint Protection | 19 Comments

Have ConfigMgr Client Health Problems? Check out the ConfigMgr Client Health and Remediation Services Offering!

Normally I don’t try and sell things on my blog here, however there’s a new service offering that I think many that come across this blog will be highly interested in. I know when I worked as a customer before coming to Microsoft I had to deal with Client Health issues (Client health was actually my full time job for nearly a year) and I would have loved a service like this.

Sometime in September, the ConfigMgr Client Health and Remediation Service offered by the Premier Field Engineering (PFE) group (the group I am apart of at Microsoft) will be made available to all Premier customers. This offering will have an engineer come on site and install our client health solution and offer training on how to utilize it. We will then setup a separate engagement a couple of weeks later to work on remediation (this will allow time for the clients to report back their health state).

If you’ve ever had a CMRAP done on your environment, this is an excellent complement to that offering as the RAP will look at the risk and health of the server environment, however it won’t go into detail about the health of your clients. There’s no requirement that a RAP be done on your environment to leverage our Client Health and Remediation Service, however to get a good idea how things are going, doing both is highly recommended.

If you’re interested in having a Microsoft PFE come on site to look at the health of your SCCM clients, please leave a comment on this post, or send me an email at richbal a.t. Microsoft.com. You can also work with your Technical Account Manager (TAM), however since this offering is relatively new, they may or may not be aware of it.

For more information on the offering, please see Chris Sugdinis’ blog post.

Posted in sccm | Leave a comment

Fix for Accessing Windows Vista and Windows 7 Administrative Shares (C$, Admin$, etc) – Client Push

This post isn’t exactly just a Configuration Manager fix for Client Push, however it will help anyone who is trying to connect to an administrative share on a Windows Vista or Windows 7 machine that is having problems with “Access Denied” messages even though you know 100% for a fact that the account you’re using is the right one.

User Account Control Remote Restrictions

Starting with Vista, User Account Control introduced some remote restrictions of administrative accounts. You can click the previous link if you want to read up on it. Suffice it to say, to disable these remote UAC restrictions of accounts that are in the local administrators group, do the following:

  1. Click Start, click Run, type regedit, and then press ENTER.
  2. Locate and then click the following registry subkey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion
    \Policies\System
  3. If the LocalAccountTokenFilterPolicy registry entry does not exist, follow these steps:
    1. On the Edit menu, point to New, and then click DWORD Value.
    2. Type LocalAccountTokenFilterPolicy, and then press ENTER.
  4. Right-click LocalAccountTokenFilterPolicy, and then click Modify.
  5. In the Value data box, type 1, and then click OK.
  6. Exit Registry Editor.
HomeGroup
If the machine you’re trying to manage happens to be apart of a HomeGroup (introduced in Windows 7) then you may run into some issues. To leave a HomeGroup:
  1. Click Start, Click Control Panel
  2. Click View by Small Icons
  3. Click HomeGroup
  4. Click Leave HomeGroup
Turn on File and Printer Sharing in the Windows Firewall
If you happen to have the Windows Firewall enabled, you’ll need to make sure File nd Printer Sharing is enabled in the firewall settings:
  1. Click Start 
  2. Click Control Panel
  3. Click Category and select Small Icons
  4. Click Windows Firewall
  5. Click Allow a Program or feature through Windows Firewall
  6. Find File and Printer Sharing and enable Home/Work and Public network

By following the above tips, you should now be able to access any administrative shares that you have proper credentials for, and should also get client push working for some machines in which you are getting access denied or invalid network path messages and/or Failed to get token for current process (5) messages in the ccm.log.

Posted in sccm, Tips and Tricks, Windows | Tagged , | Leave a comment