System Center 2012 Configuration Manager Beta 1 Unix and Linux Client Downloads Available

System Center 2012 Configuration Manager SP1 Beta 1 offers support for managing Unix and Linux clients (and Mac OS clients as well). When download loading the beta SP1 bits, the client bits aren't available and need to be downloaded separately.

The following Unix and Linux versions are supported in Beta 1:

  • AIX Version 7.1 (Power)
  • AIX Version 6.1 (Power)
  • AIX Version 5.3 (Power)
  • HP-UX Version 11iv3 (IA64 & PA-RISC)
  • HP-UX Version 11iv2 (IA64 & PA-RISC)
  • RHEL Version 6 (x86 & x64)
  • RHEL Version 5 (x86 & x64)
  • RHEL Version 4 (x86 & x64)
  • Solaris Version 10 (x86 & SPARC)
  • Solaris Version 9 (SPARC)
  • SLES Version 11 (x86 & x64)
  • SLES Version 10 SP1 (x86 & x64)
  • SLES Version 9 (x86)

The following scenarios are supported by the UNIX and Linux clients:

  • Hardware Inventory - Hardware inventory can be viewed through Resource Explorer and can be used to create collections of UNIX and Linux computers.
  • Software Inventory - Through hardware inventory the list of natively installed software can be gathered from the UNIX and Linux computers - similar to add/remove programs for Windows systems.
  • Software Distribution - Deploy new software, update existing software and apply OS patches to collections of UNIX/Linux computers (using a package and program). Run arbitrary maintenance scripts on a collection of UNIX/Linux servers.
  • Secure and Authenticated Communications
  • Consolidated Reports

For more information and to download the client files, please visit http://www.microsoft.com/en-us/download/details.aspx?id=34609

List of RSS Feeds for KB Articles for Microsoft Products

Want to keep up with the latest KB articles for the Microsoft products that you have in your environment? The best solution I've found is to use an RSS Feed Reader and subscribe to the feeds.

Here's a list of all of the RSS feeds for every KB article that comes out.

http://support.microsoft.com/select/?target=rss

SoftwareUpdateAutomation.exe Scheduled Task Fails with an 0×1 Error Message When Updating FEP 2010 Definition Package

Issue

When using the SoftwareUpdateAutomation.exe file as a scheduled task to update the Forefront Endpoint Protection definition files, the scheduled task may fail with an error code of 0x1. In the %programdata%\SoftwareUpdateAutomation.log file may see the following error:

SQLMessage = "[22018][245][Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the varchar value 'APSB10-22' to data type int.";

Cause

This happens when SCUP is used to import third party updates. These updates sometimes include dashes as part of the articleID column in the database.

Solution

In the command line arguments for the SoftwareUpdateAutomation.exe scheduled task, use single quotes around the articleID. For example, use the following:

/AssignmentName <deployment name> /PackageName <deployment package> /RefreshDP /UpdateFilter "articleid='2461484' AND IsSuperseded=0 AND IsEnabled=1 AND IsExpired=0"

How to Turn Off Compression in Configuration Manager 2007 Software Distribution

This is a question I've been asked a few times. By default, SMS and ConfigMgr both compress package content into a PCK file to distribute the content to child sites. The problem you might run into with Operating System Deployment WIM files, which are already compressed, is that they take forever to move from one site to another, finally to your distribution point.

There is a way to handle the compression and exclude WIM files, as well as any other extension you want to exclude. This can save you a good amount of time. In my customer's case this week, we noticed that distribution manager took 5 minutes to complete "compression" instead of 30 minutes that it previously took.

I mention "compression" (in quotes) because while distmgr.log will show the file being compressed, if you look at the file size, it's actually slightly bigger (in some cases) than the original WIM file.

For example, look at this screen shot of my distmgr.log where I send an x86 boot WIM that distmgr compresses

Compressed Package

Notice the first line where it says the size of the package is 129544 KBytes and the compressed size at the bottom is 129068 KBytes. Not very much space gained here, but look at the amount of time it took to compress roughly 130MB. It took 2 minutes.

Let's take a look at the same package with compression off for WIM files:

Notice here how the same package content is still "compressed", but the content is actually BIGGER, yet the amount of time is a minute less (or 50% in reduction of time to "compress"). It's bigger, likely because there is some additional information that gets added to the package as it is getting moved to a .pck file. The package will always convert from a .wim to .pck, however the compression engine simply isn't involved.

In order to exclude WIM files from compression you need to edit the following location in the registry:

HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ SMS\ Compression\ DontCompressExts on 32 bit servers

Or

HKEY_LOCAL_MACHINE\ SOFTWARE\ Wow6432Node\ Microsoft\ SMS\ Compression\ DontCompressExts on 64 bit servers

In this list, you will see:

.cab;.zip;.arj;.rar;.jpg;.jpeg;.wma;.wmv;.mpg;.mpeg;.mov

Simply add

.cab;.zip;.arj;.rar;.jpg;.jpeg;.wma;.wmv;.mpg;.mpeg;.mov;.wim

Verizon Wireless Samsung SCH-LC11 EF07 Update Now Available

Samsung has released a software upgrade EF07 for the SCH-LC11, which is recommended to be installed. I used to have CONSTANT disconnecting issues with my SCH-LC11, but those issues appear to have been resolved. Will know for sure after some more time with the update, but it's working well so far.

  • PPTP and L2TP VPN support
  • CSFR improved web security
  • Change WEB UI 4G icon change
  • RSSI indicator change
  • Extended default IP range
  • Resolves Wi-Fi disconnect / interference issue
  • Device configuration script

Building Windows 8 – Improving Windows Explorer

If you haven't been to the Building Windows 8 Blog yet, I highly recommend bookmarking it as the Windows 8 team has been updating it frequently.

Today's post comes from Alex Simons and takes a brief look at the history of Windows Explorer (going back to MS-DOS Executive in Windows 1.0) and a very interesting look at the telemetry data (the data we use when we ask you to opt into the Customer Improvement Experience Program for many of our products) from our users to see how they are using the product and how we can make the products better.

Goals of the new Windows Explorer

We set out to accomplish three main goals with this new version of Explorer.

  1. Optimize Explorer for file management tasks. Return Explorer to its roots as an efficient file manager and expose some hidden gems, those file management commands already in Explorer that many customers might not even know exist.
  2. Create a streamlined command experience. Put the most used commands in the most prominent parts of the UI so they are easy to find, in places that make sense and are reliable. Organize the commands in predictable places and logical groupings according to context, and present relevant information right where you need it.
  3. Respect Explorer's heritage. Maintain the power and richness of Explorer and bring back the most relevant and requested features from the Windows XP era when the current architecture and security model of Windows permits.

Read more at Improvements in Windows Explorer

Using Your Distribution Points for FEP Definitions with the Software Update Automation Tool – Forefront Endpoint Protection 2010 Update Rollup 1

In my previous post on using your distribution points for Forefront Endpoint Protection (FEP) 2010 definition files, we had to leverage a vbscript in order to automate the download of the definition files from Microsoft via a scheduled task and then create a package that updated automatically on schedule and have a recurring advertisement. We also had to create some additional DCM configuration items and collections. This whole thing became a pretty tedious process to setup, but in the end it worked and the clients could get the definitions from their local DPs instead of the Software Update Point, WSUS server, UNC Share, or Microsoft Update. FEP 2010 Update Rollup 1 makes the process of getting the defs from your DPs a whole lot easier!

Downloading FEP 2010 Update Rollup 1

When you download FEP 2010 Update Rollup 1, you will have the option for x86 and x64 versions as well as a hotfix KB2554364 which is reporting fix that must be installed prior to installing Rollup 1. The reporting fix needs to be installed on your Reporting server. Once you have downloaded FEP 2010 Update Rollup 1 and KB2554364 for the architecture types in your environment (32 or 64 bit) you also need to download the FEP 2010 Update Rollup 1 Tools. It's not required to download all of the tools, but for the purposes of this post, the tool that you want to download is the fepsuasetup.cab which is the Definition Update Automation Tool.

In summary download the following:

Installing FEP 2010 Update Rollup 1 on Infrastructure Servers

Installing FEP 2010 is simple, but can be slightly confusing at first.

  1. Install FEP2010-Update-KB2554364-xxx-yyy.exe on the server you installed FEP Reporting to (where xxx is the architecture type and yyy is the language; e.g. FEP2010-Update-KB2554364-x64-enu.exe )
  2. Run FEP2010-Update Rollup-KB2551095-xxx-yyy.exe (this will extract into three folders: FepExt, FepReport, FepUx)
    1. FepExt is the FEP Extension for Configuration Manager. This needs to be applied on your SCCM Site Server(s).
    2. FepReport is for FEP Reporting and needs to be installed on the server you installed FEP Reporting to.
    3. FepUx is the FEP Console Extension and will need to be installed on all SCCM Consoles that plan on managing FEP.

Once you have installed the three components, you have completed the server installation of FEP 2010.

Installing FEP 2010 Update Rollup 1 on Clients

FEP 2010 Update Rollup 1 has a client upgrade as well. By default it modifies the files in the FEP - Deployment package that it created with the initial install. Basically, there's a new FEPInstall.exe file.

Using the "Old" Advertisement to Upgrade Your Clients

Prior to installing FEP 2010 Update Rollup 1, you likely made an advertisement to target machines to install the FEP client. If you would like to use that same advertisement, you will need to modify the program rerun behavior to Always Rerun Program.

Using a New Advertisement to Upgrade Your Clients

Chances are you likely want to use a new advertisement to upgrade your clients. I will assume that you know how to create an advertisement for your environment, however what I would like to point out is a potential collection you can target. FEP creates a collection called Out of Date which is under FEP Collections – Deployment Status. This collection leverages a custom SQL query created by FEP that identifies machines that have an old version of the FEP client. You can target this collection with the new FEP 2010 Update Rollup 1 client package to upgrade your clients, but be forewarned that this collection doesn't limit workstations or servers, so you may want to create other collections that limit to the Out of Date collection if you want to manage your FEP client rollout better.

Configuring a Deployment Package and Deployment for FEP Definitions

In order for the software update automation tool to work, you will need a deployment and package to leverage. But before that, you'll need to make sure you are syncing the FEP 2010 Definitions.

Syncing the FEP 2010 Definition Files

  1. From the site server that is top most Software Update Point (the one that syncs with Microsoft Update) – Expand Site Database – Site Management – Site Code – Site Settings – Component Configuration
  2. In the middle pane double click select Software Update Point Component
  3. In the Classifications tab select Definition Updates
  4. In the Products tab select Forefront Endpoint Protection 2010 (note: if this is your first time syncing with Microsoft update, you may not see Forefront Endpoint Protection in this list. After the first sync you should see a lot of additional products in this list)
  5. In the Sync schedule tab select Custom schedule and click the Customize… button
  6. For the Recurrence Pattern select Custom interval and for Recur every select 1-8 hours (set this at an interval you are comfortable with. The definitions come out three times a day, so at most set this to 8 hours, but if you are comfortable doing it more frequently, then hourly is probably fine)
  7. Click OK
  8. Click OK at the Software Update Point Component Properties dialog window

If you had to do the above steps to get the FEP 2010 Definitions to sync, you probably don't want to wait for the sync time to start, so to kick off a manual sync, do the following:

  1. Expand Site Database – Computer Management – Software Updates – Update Repository
  2. Right Click on Update Repository
  3. Select Run Synchronization
  4. Open <ConfigMgr Install Dir>\logs\wsyncmgr.log to watch the synchronization progress

After you have sync'd the catalog, you should now be able to create a package.

Creating the Deployment Package

  1. In the ConfigMgr console expand Site Database – Computer Management – Software Updates – Update Repository – Definition Updates – Microsoft – Forefront Endpoint Protection 2010
  2. In the Forefront Endpoint Protection 2010 pane in the middle, select the latest definition file in the list (you may have more than one file in here)
  3. Right Click the update you have selected and click Download Software Updates
  4. Alternatively, you could also select Update List which will allow you to add the definition file to an update list AND download the definition to a package. It's up to you, however in this example I will not be making an update list and will just download to a package.
  5. In the Download Updates Wizard select Create a new deployment package
  6. In the Name field, type an appropriate name
  7. In the Description field, type an appropriate description
  8. For the package source, create a shared location for the definition files to be downloaded to
  9. Click Next
  10. Click Browse in the Distribution Points wizard and select the DPs you would like to send the package to
  11. Click Next
  12. Click Next at the Data Access step
  13. Click Next at the Distribution Settings step
  14. Click Next at the Download Location step (unless you have downloaded the defs manually to a location on the local network)
  15. Select the languages you would like the updates in at the Language selection step and click Next
  16. Click Next at the Summary step
  17. The updates will download, click Close when finished

If all went well, you should now have a package flowing to the DPs you have selected. You can look at the package status node for the package, or you can watch the distmgr.log on each of the servers if you are so inclined. The next step is to create your deployment.

Creating the Deployment

So just like your package, the deployment will also just have "one" update in it (as you'll find over time the package and deployment will grow to have many updates, but initially we will just select one update).

  1. In the ConfigMgr console expand Site Database – Computer Management – Software Updates – Update Repository – Definition Updates – Microsoft – Forefront Endpoint Protection 2010
  2. In the Forefront Endpoint Protection 2010 pane in the middle, select the latest definition file in the list (you may have more than one file in here)
  3. Right Click the update you have selected and click Download Software Updates
  4. In the name field, enter FEPDefs (you can name this something different, however I like to keep the package and deployment the same name, and with the Software Update Automation Tool, this will make things easier later, especially if the name of the package and deployment do not have spaces in the name)
  5. Click Next in the General step
  6. Click Next in the Deployment Template step
  7. In the Collection step, use a collection that makes sense for your environment. I would use a test collection here. Click Next
  8. In the Display/Time settings step, I prefer to select Suppress display notifications on clients, and Client Local Time. Leave the duration at the default of 2 weeks and click Next
  9. In the Restart Settings step, check the Servers and Workstations boxes to suppress restarts. Definitions should NEVER cause a reboot, but I do this just to be safe. Click Next
  10. Click Next in the Event Generation step
  11. In the Download Settings step, I prefer to have clients that are in slow boundaries to download software updates from a distribution point and install. I also prefer to keep the Download software updates from unprotected distribution point and install option selected. Click Next.
  12. In the Create Template step, if you would like to save the template, create a template name, otherwise uncheck the Save deployment properties as a template option and click Next.
  13. In the Deployment Schedule step, keep As soon as possible selected and set a deadline to something appropriate (I prefer to set my deadline to a few minutes ahead of the current time so my clients start to install definitions right away). You can also opt to Enable Wake on LAN and Ignore maintenance Windows and install immediately (which I would do since definitions are constantly being sent out and most maintenance windows are open once a month for most customers, however some may have a nightly window, so treat this option as something that will depend on your environment) and click Next.
  14. At the Summary step click Next
  15. Click Close when finished

If all went well, you should now have a deployment targeting a test collection. During this time, the package should have completed being copied to all the DPs as well. It's a good idea to validate that the package is on all the DPs at this point. What we have basically done up to this point is created a package and a deployment for a single definition file. Over time, the definitions will obviously be out of date if we don't update the package and deployment. This is where the Software Update Automation Tool will come into play. This will run a scheduled task which triggers an exe to run and update both the package and deployment for FEP AND it will cause the content to be updated on the DPs.

Configuring the Software Update Automation Tool

This step will require creating a scheduled task. I will do the steps from a Windows 2008 R2 stand point. For 2003, the steps will be different

  1. Extract the SoftwareUpdateAutomation.exe file from the fepsuasetup.cab to <ConfigMgr Installation Folder>\AdminUI\bin
  2. Open Task Scheduler (on Windows 2008 or 2008 R2 just go to Start and in the Search Field type in Task Scheduler)
  3. In the Task Scheduler window, right click
    Task Scheduler Library and select Create Task
  4. In the Create Task window, type in an appropriate name for the task
  5. Under security options in the General tab, click the Change User or Group
  6. In the Select User or Group window, under Enter the object name to select type in System and click OK
  7. Click the Triggers tab
  8. Click New…
  9. Under settings, select One Time and under Advanced Settings select Repeat task every 1 hour for duration of Indefinitely and click OK
  10. Click the Actions tab
  11. Click New
  12. For Action select Start a program
  13. Under Settings for the Program/script enter <ConfigMgr Install Dir>\AdminUI\bin\SoftwareUpdateAutomation.exe
  14. For Add arguments (optional) use /AssignmentName <deployment name> /PackageName <deployment package> /RefreshDP /UpdateFilter "articleid=2461484 AND IsSuperseded=0 AND IsEnabled=1 AND IsExpired=0" (replace <deployment name> and <deployment package> with the names of the deployment and package, for example: /AssignmentName FEPDefs /PackageName FEPDefs /RefreshDP /UpdateFilter "articleid=2461484 AND IsSuperseded=0 AND IsEnabled=1 AND IsExpired=0") and click OK.
  15. Click OK to close and save the Scheduled Task

Updating Your Policies for Clients to Download the Definitions from Configuration Manager

With update rollup 1 installed, you'll notice in your policies that a slight change has been made to the updates tab.

With update rollup 1 we can leverage the ability to specify Configuration Manager as the primary source for definition updates and also select the ability to check alternative sources if definitions on the client computer are older than a specific number of days. The previous options that we had with FEP 2010 RTM are now classified as alternative sources. So make sure that in your Policies that you update them to leverage Configuration Manager as the primary source for definition updates.

At this point you should now have a scheduled task that will run every hour. This will run hourly and update your package and deployment. When your client computers download policy, they will start to install the latest FEP definition files silently from their distribution points. If you have any questions about the setup of this method, please submit a comment and I'll try to answer when I can.

Have ConfigMgr Client Health Problems? Check out the ConfigMgr Client Health and Remediation Services Offering!

Normally I don't try and sell things on my blog here, however there's a new service offering that I think many that come across this blog will be highly interested in. I know when I worked as a customer before coming to Microsoft I had to deal with Client Health issues (Client health was actually my full time job for nearly a year) and I would have loved a service like this.

Sometime in September, the ConfigMgr Client Health and Remediation Service offered by the Premier Field Engineering (PFE) group (the group I am apart of at Microsoft) will be made available to all Premier customers. This offering will have an engineer come on site and install our client health solution and offer training on how to utilize it. We will then setup a separate engagement a couple of weeks later to work on remediation (this will allow time for the clients to report back their health state).

If you've ever had a CMRAP done on your environment, this is an excellent complement to that offering as the RAP will look at the risk and health of the server environment, however it won't go into detail about the health of your clients. There's no requirement that a RAP be done on your environment to leverage our Client Health and Remediation Service, however to get a good idea how things are going, doing both is highly recommended.

If you're interested in having a Microsoft PFE come on site to look at the health of your SCCM clients, please leave a comment on this post, or send me an email at richbal a.t. Microsoft.com. You can also work with your Technical Account Manager (TAM), however since this offering is relatively new, they may or may not be aware of it.

For more information on the offering, please see Chris Sugdinis' blog post.

Fix for Accessing Windows Vista and Windows 7 Administrative Shares (C$, Admin$, etc) – Client Push

This post isn't exactly just a Configuration Manager fix for Client Push, however it will help anyone who is trying to connect to an administrative share on a Windows Vista or Windows 7 machine that is having problems with "Access Denied" messages even though you know 100% for a fact that the account you're using is the right one.

User Account Control Remote Restrictions

Starting with Vista, User Account Control introduced some remote restrictions of administrative accounts. You can click the previous link if you want to read up on it. Suffice it to say, to disable these remote UAC restrictions of accounts that are in the local administrators group, do the following:

  1. Click Start, click Run, type regedit, and then press ENTER.
  2. Locate and then click the following registry subkey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion
    \Policies\System
  3. If the LocalAccountTokenFilterPolicy registry entry does not exist, follow these steps:
    1. On the Edit menu, point to New, and then click DWORD Value.
    2. Type LocalAccountTokenFilterPolicy, and then press ENTER.
  4. Right-click LocalAccountTokenFilterPolicy, and then click Modify.
  5. In the Value data box, type 1, and then click OK.
  6. Exit Registry Editor.
HomeGroup
If the machine you're trying to manage happens to be apart of a HomeGroup (introduced in Windows 7) then you may run into some issues. To leave a HomeGroup:
  1. Click Start, Click Control Panel
  2. Click View by Small Icons
  3. Click HomeGroup
  4. Click Leave HomeGroup
Turn on File and Printer Sharing in the Windows Firewall
If you happen to have the Windows Firewall enabled, you'll need to make sure File nd Printer Sharing is enabled in the firewall settings:
  1. Click Start 
  2. Click Control Panel
  3. Click Category and select Small Icons
  4. Click Windows Firewall
  5. Click Allow a Program or feature through Windows Firewall
  6. Find File and Printer Sharing and enable Home/Work and Public network

By following the above tips, you should now be able to access any administrative shares that you have proper credentials for, and should also get client push working for some machines in which you are getting access denied or invalid network path messages and/or Failed to get token for current process (5) messages in the ccm.log.

Primary Site Installation Greyed Out in SCCM 2007 SP2 installation?

Had an annoying issue today where the customer and I tried to install a primary server but kept getting stuck with the option to install a primary server greyed out. Turns out we were using the SP2 upgrade media that was used when they were upgrading the SCCM sites in their environment awhile back.

So in short, make sure you have the slipstreamed SCCM 2007 w/SP2 media instead of upgrade media to prevent this bone-headed move :)