Friday, October 28, 2011

New System Center 2012 Pre-Release Products available

On 27-10-2011 new System Center 2012 Pre-Release Products became available. Great news: System Center 2012 Configuration Manager and System Center 2012 Endpoint Protection are Release Candidate (RC) now!

Have a look on Microsoft TechNet for download information:
Download Microsoft System Center 2012 Pre-Release Products

The new individual System Center 2012 products available for download are:


System Center 2012 Endpoint Protection RC is the successor of Forefront Endpoint Protection 2010.
System Center App Controller 2012 Beta (for cloud purposes) is also available for download now.

Expect more news and posts about RC releases soon.

Wednesday, October 26, 2011

Windows Server Developer Preview installed (Windows Server 8)

On 14-9-2011 the first build of Windows Server Developer Preview was shown to the world. The Windows Server Developer Preview is a pre-beta version of Windows Server 8 for developers. Windows Server 8 is also built on Metro, the User Interface we know from Windows Phone 7. That way it's usable on servers and remotely manageable on tablets, with touch interface!

In this blog I show you the installation and the look and feel. I've created a virtual machine with 1 CPU, 2GB RAM and 20GB Disk. That's enough for a smoothly running virtual machine. The ISO can be mounted with a virtual CD/DVD-drive for installing Windows Server 8. I've used Oracle VirtualBox to install Windows Server 8 and capture screenshots.

The installation takes approximately 10 to 15 minutes. During installation the following screens are seen:
Choose between Full Installation, Server Core or Features on Demand

The differences between these versions are:
Server Core: Windows Core, Windows PowerShell, DotNet Framework 4
Features on Demand: Same as Server Core + Server Manager, MS Management Consoles, A subset of Control Panel applets
Full Installation: Same as Features on Demand + All Control Panel Applets, Windows Help, Windows Explorer, Internet Explorer

This is the default screen after installing..
Same as Windows 8 actually

At logon, Server Manager is started automatically (as usual)

The new Server Manager in Metro style, cool!
More about that in a next blogpost

Metro dashboard with tiles and menu options, nice!

Windows PowerShell will not be missed..

If needed, Windows PowerShell Getting Started Guide: http://msdn.microsoft.com/en-us/library/windows/desktop/aa973757(v=vs.85).aspx

New Task Manager in Windows Server 8

Have a look at this blogpost for more about that: http://henkhoogendoorn.blogspot.com/2011/09/new-task-manager-functionality-in.html

The Ribbon interface is available here also..

Known functionality such as Control Panel, Windows Explorer and Internet Explorer is still available. New installations add new tiles to the Metro UI as well. Next time I will have a look at more functionality in Server Manager. Stay tuned for more!

Watch the introduction from Windows Server 8 on Build 2011: http://channel9.msdn.com/Events/BUILD/BUILD2011/SAC-973F

Download Windows Server 8 from the MSDN website: http://msdn.microsoft.com/nl-nl/windowsserver/
(Unlike Windows 8 only available for early adopters interested in testing the Operating System)

Friday, October 21, 2011

How to assign a computername before OS deployment

During OS deployment in ConfigMgr there are many ways to assign a computername. This can be done automatically or filled in before deployment. How to assign a dynamic computername is described here: How to assign a dynamic computername during OSD. In that post I'm using a script to create a dynamic computername from default BIOS values (assettag, serialnumber).

But what to do when you're using your own format which is not known in BIOS values? Then other ways are available. First there are ConfigMgr/MDT Task Sequence Variables. An overview of these Task Sequence Variables can be found here: http://technet.microsoft.com/en-us/library/bb632442.aspx

There are also many scripts to be found for dynamic computername assignment. More about that in the following TechNet post: "SCCM R2 Unknown Computer Support and changing computer name during Task Sequence" http://social.technet.microsoft.com/Forums/en-US/configmgrosd/thread/5924e840-eb6e-48c1-858f-766a5be625a6/

The one I've used before is the ConfigMgr/MDT method, which asks for the computername before deployment (manually) and uses this name during OS deployment. I will describe the steps needed for that here. First create a Non-mandatory advertisement on an OSD collection (in my case created as "Operating System Deployment"). Rightclick that specific OSD collection and choose "Modify Collection Settings".

Under the "Collection Variables" tab create a new Variable called "OSDComputerName" and make sure it has no Value. Also untick "Do not display this value in the ConfigMgr console".

When you choose OK the value will be available beneath "Collection Variables". Now choose OK to finish this configuration setting. Now start the computer placed in this collection and make sure the advertisement is non-mandatory. Use F12 for PXE boot.

Once the task sequence is selected it prompts you to input the missing Task Sequence Variable. Watch out not to press Next here, but double click on "OSDComputerName" instead.

Fill in the computername of your choice (in my case HHO-01) and press OK. That way the computername will be saved and used during Operating System Deployment.

When the value is seen in the Task Sequence Wizard press Next. The selected Task Sequence will then run fine because the missing Task Sequence Variable is now known.

That's all to assign a computername before OS deployment. Again ConfigMgr uses multiple ways to make OS deployment flexible and usable. This great product continues to astonish me with many great opportunities out there.

Thursday, October 20, 2011

How to create or change new Windows collections in ConfigMgr

By default there are 17 collections in ConfigMgr. Most of them will never be used, so they can be moved into a subcollection for overview reasons. How to do that is described here: Move default collections in ConfigMgr 2007. That way collections for Windows 2000, Mobile devices and Windows XP (for example) will be out of sight in the collections overview.

Collections that can be moved (in my case) are:


Most of the time I create a "_Unused Microsoft Collections" collection to move old/unused collections to. That way the Collection ID and the query used will be retained. Now it's time to create new collections or change existing collection queries. This is for new Operating Systems like Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2 (for example). I will describe the steps needed for that here.

First create a new collection in ConfigMgr and choose Membership rules based on direct membership. Click the [blue computer icon] and choose the query explained below. In this case I'm using a Resource class based on System Resource and an Attribute name based on "Operating System Name and Version". Choose "Dynamically add new resources" when using ConfigMgr R3 to automatically add new devices.


Furthermore don't use Collection limiting and select resources needed when displayed. Otherwise the query will not be saved. Then choose Finish, Next (3x) and Finish to save the new collection with query created. To change an existing collection query, choose collection properties, go to Membership Rules, edit the query, choose "Edit Query statement" and Criteria. Then choose edit to change the existing query.

For new Windows releases use the following queries:
  • Windows Vista: Value = %Workstation 6.0%
  • Windows 7: Value = %Workstation 6.1%
  • Windows 8: Value = %Workstation 6.2%
  • Windows Server 2008: Value = %Server 6.0%
  • Windows Server 2008 R2: Value = %Server 6.1%
  • Windows Server 8: Value = %Server 6.2%
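The same filter values expressed as WQL against the SMS provider, to preview how many systems each collection would pick up. This is an added example, not part of the original post; the site code `ABC` and the function name are assumptions, and it is meant to be run on the site server.

```powershell
# Added example: preview the OS filters from the list above as WQL.
# Assumptions: $SiteCode is hypothetical; run where the SMS provider is installed.
$SiteCode = 'ABC'

# Name/value pairs taken from the list in the post.
$osFilters = @(
    @('Windows Vista',          '%Workstation 6.0%'),
    @('Windows 7',              '%Workstation 6.1%'),
    @('Windows 8',              '%Workstation 6.2%'),
    @('Windows Server 2008',    '%Server 6.0%'),
    @('Windows Server 2008 R2', '%Server 6.1%'),
    @('Windows Server 8',       '%Server 6.2%')
)

function Get-OsCollectionQuery {
    # Build the WQL statement for one "Operating System Name and Version" value.
    param([string]$Value)
    'select ResourceId, Name from SMS_R_System ' +
    'where OperatingSystemNameandVersion like "' + $Value + '"'
}

foreach ($filter in $osFilters) {
    $wql   = Get-OsCollectionQuery $filter[1]
    # @() forces an array so .Count is valid for zero or one result.
    $found = @(Get-WmiObject -Namespace "root\sms\site_$SiteCode" -Query $wql)
    New-Object PSObject -Property @{
        OperatingSystem = $filter[0]
        Systems         = $found.Count
        Query           = $wql
    }
}
```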

That way it's possible to create new collections with support for new Operating Systems. I will add support for new Operating Systems later when available.

Wednesday, October 12, 2011

Definition Update Automation with ConfigMgr working now

Yesterday I posted a blog because the "Definition Update Automation Tool for Forefront Endpoint Protection 2010" wasn't working in my environment. Have a look at Definition Update Automation with Configuration Manager for that one. Today I succeeded in automatically receiving new definitions and publishing them. In this blog I will post my results and a few good tips and tricks as well.

I configured a scheduled task with the following settings:

Run the task with the SYSTEM account and with highest privileges. Configure it for Windows 7 (when needed).

Run the task every hour of the day so updates will be downloaded and published almost immediately when released.

Start a program with the default settings described in "Definition Update Automation with Configuration Manager" http://technet.microsoft.com/en-us/library/hh297450.aspx

The task will run fine after that. Just make sure the tool is placed in the right folder and the user account chosen has enough rights.
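The scheduled task described above, created from the command line, as an added example that is not from the original post or from Microsoft's documentation. Because the task runs as SYSTEM, the script first checks that no non-administrative account can modify the tool folder or the wrapper it executes. The folder `C:\FEPTools`, the wrapper file and the task name are assumptions; the tool switches are the ones quoted in the earlier post on this page.

```powershell
# Added example. $ToolDir, $Wrapper and $TaskName are assumptions (not from the post);
# replace the <AssignmentName>/<PackageName> placeholders with your own values.
$ToolDir  = 'C:\FEPTools'   # assumed location of SoftwareUpdateAutomation.exe (no spaces)
$Wrapper  = Join-Path $ToolDir 'RunDefinitionUpdate.cmd'
$TaskName = 'FEP Definition Update Automation'

function Get-NonAdminWriteAce {
    # Return Allow ACEs that let anyone but SYSTEM/Administrators change the path.
    # Account names are the English ones; adjust them on localized systems.
    param([string]$Path)
    $trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
               'NT SERVICE\TrustedInstaller', 'CREATOR OWNER'
    $rights  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # Also catch ACEs stored as GENERIC_WRITE (0x40000000) or GENERIC_ALL (0x10000000).
    $mask    = [int]$rights -bor 0x40000000 -bor 0x10000000
    (Get-Acl -Path $Path).Access | Where-Object {
        ($_.AccessControlType -eq 'Allow') -and
        ($trusted -notcontains $_.IdentityReference.Value) -and
        ((([int]$_.FileSystemRights) -band $mask) -ne 0)
    }
}

# Keep the full command line in a wrapper so the quoted /UpdateFilter value
# stays together as one argument when the task starts it.
$exe    = Join-Path $ToolDir 'SoftwareUpdateAutomation.exe'
$filter = 'ArticleID=2461484 AND IsSuperseded=0 AND IsEnabled=1 AND IsExpired=0'
$line   = '"{0}" /AssignmentName "<AssignmentName>" /PackageName "<PackageName>" /RefreshDP /UpdateFilter "{1}"' -f $exe, $filter
Set-Content -Path $Wrapper -Value '@echo off', $line -Encoding ASCII

# Anything a standard user can overwrite here would run as SYSTEM every hour.
$risky = @(Get-NonAdminWriteAce $ToolDir) + @(Get-NonAdminWriteAce $Wrapper)
if ($risky.Count -gt 0) {
    $risky | Format-Table IdentityReference, FileSystemRights -AutoSize
    Write-Warning 'Task not created: tighten the ACLs listed above first.'
} else {
    # Hourly, as SYSTEM, with highest privileges, matching the settings in the post.
    schtasks.exe /Create /TN $TaskName /TR $Wrapper /SC HOURLY /MO 1 /RU SYSTEM /RL HIGHEST /F
}
```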

It's possible to consult reports for actual information. There are a few reports beneath the Forefront pane and more eventually beneath reporting services.

My personal favorite is report 389 "FEP information for a specific computer". That way it's possible to see Forefront install, policy and update information in one overview.

When adding the Forefront client in a task sequence this tick must be cleared. Otherwise it's not possible to select the program in a task sequence.

After that, the program is selectable but will not install during a task sequence. This is because the script cannot be used during a task sequence install.

Just create a new package and program for that with the following settings: "FEPinstall.exe /q /s /policy <path>\<policy-export>.xml". Be sure that the Network access account AND the client computers have access to the source folder. That way installing the Forefront client by task sequence is possible with the exported policy added.

A few sites with good information on Forefront deployment and troubleshooting issues:

Errors When Using the FEP 2010 Definition Update Automation Tool
http://blogs.technet.com/b/clientsecurity/archive/2011/07/18/errors-when-using-the-fep-2010-definition-update-automation-tool.aspx

Installing the Forefront Endpoint Protection 2010 client and OSD
http://ccmexec.com/2011/02/installing-the-forefront-endpoint-protection-2010-client-and-osd/

Invalid argument format (index 7) "AND", arguments are supposed to start with a / (SoftwareUpdateAutomation.exe)
http://social.technet.microsoft.com/Forums/en-US/FCSNext/thread/ca500b36-c667-4030-85f9-ebd0defbdaf7/ 

Definition update automation tool
http://social.technet.microsoft.com/Forums/en-US/FCSNext/thread/9105024f-3a61-4fe0-bc88-803b502881a8/

Monday, October 10, 2011

Definition Update Automation with Configuration Manager

With System Center Configuration Manager (ConfigMgr) it's possible to install and use Forefront Endpoint Protection (FEP) 2010 also. Both products can be integrated so ConfigMgr will also handle Forefront Antivirus and Definition updates. Microsoft released some Forefront Endpoint Protection (FEP) 2010 Update Rollup 1 Tools also. These free downloads make it easier for Forefront Endpoint Protection 2010 Update Rollup 1 customers to use Group Policy for centralized management, provide optimized settings for various server roles, and diagnose and troubleshoot support issues. It can be downloaded here: http://www.microsoft.com/download/en/details.aspx?id=26613

The one I'm using is "Definition Update Automation Tool for Forefront Endpoint Protection 2010". This tool enables you to automate downloading and publication of FEP definition updates using the Configuration Manager 2007 Software Update feature. This is a command line tool that uses the Configuration Manager API to download new definitions from Microsoft Update, distribute them to the software update point, and publish the definitions to the endpoints. To automate the tool, you must add a Windows task to run it automatically at a scheduled interval. More information about "Definition Update Automation with Configuration Manager" can be found here: http://technet.microsoft.com/en-us/library/hh297450.aspx

Point is, it isn't working in my environment. It's true that new definitions are downloaded automatically in Deployment Packages. But distributing them and publishing the definitions isn't working yet. This is because Distribution Points are not updated after running the tool and new definitions are not added to Deployment Management. The command I'm using is: SoftwareUpdateAutomation.exe
  • /AssignmentName <AssignmentName>
  • /PackageName <PackageName>
  • /RefreshDP
  • /UpdateFilter "ArticleID=2461484 AND IsSuperseded=0 AND IsEnabled=1 AND IsExpired=0"
Has anyone else seen the same behaviour? I will post the results when it's working properly in my environment. To be continued till then..

Friday, October 7, 2011

Failed to run task sequence error in ConfigMgr 2007

When using (multiple) driver packages in a ConfigMgr task sequence it's possible that the following error message is displayed: "Failed To Run Task Sequence". This error message will be displayed before the task sequence will actually run, because ConfigMgr checks all packages that are connected in a task sequence.


When looking in the SMSTS.log file the following error message is displayed: "Failed to find ccm_SoftwareDistribution object for AdvertID="<AdvertID>", PackageID="<PackageID>", ProgramID="*". The Package ID displayed here refers to the driver package which is not found by the ConfigMgr task sequence.

To resolve the error message, update at least the driver package listed in the SMSTS.log file at PackageID="<PackageID>". If no driver package has been updated before, do the same for all driver packages which are connected in the task sequence.

Just select Distribution Points > Update Distribution Points on all driver packages needed, and look in the Package status for a new source version displayed. When starting the task sequence again (after reboot) the error message should be resolved.
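To find every package the task sequence could not resolve, the log can be filtered for this message. The following is an added example, not part of the original post; the function name is hypothetical and the sample lines and IDs are constructed.

```powershell
# Added example: list the distinct AdvertID/PackageID pairs reported in smsts.log.
function Get-MissingTsPackage {
    param([string[]]$LogLine)
    # -match is case-insensitive, so "ccm_" and "CCM_" are both found.
    $pattern = 'Failed to find ccm_SoftwareDistribution object for ' +
               'AdvertID="(?<Advert>[^"]+)", PackageID="(?<Package>[^"]+)", ' +
               'ProgramID="(?<Program>[^"]+)"'
    $LogLine | ForEach-Object {
        if ($_ -match $pattern) {
            New-Object PSObject -Property @{
                AdvertID  = $Matches['Advert']
                PackageID = $Matches['Package']
                ProgramID = $Matches['Program']
            }
        }
    } | Sort-Object AdvertID, PackageID -Unique
}

# Constructed sample lines (IDs are made up, log metadata trimmed).
$sample = @(
    '<![LOG[Failed to find CCM_SoftwareDistribution object for AdvertID="XYZ20010", PackageID="XYZ00031", ProgramID="*"]LOG]!>',
    '<![LOG[Failed to find CCM_SoftwareDistribution object for AdvertID="XYZ20010", PackageID="XYZ00031", ProgramID="*"]LOG]!>',
    '<![LOG[Failed to find CCM_SoftwareDistribution object for AdvertID="XYZ20010", PackageID="XYZ00044", ProgramID="*"]LOG]!>',
    '<![LOG[Some unrelated line]LOG]!>'
)

# Two distinct packages remain after de-duplication: XYZ00031 and XYZ00044.
Get-MissingTsPackage -LogLine $sample | Format-Table AdvertID, PackageID, ProgramID -AutoSize

# Against a real log, pass its lines instead:
# Get-MissingTsPackage -LogLine (Get-Content '<path-to>\smsts.log')
```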

Thursday, October 6, 2011

Integrate Forefront Endpoint Protection (FEP) 2010 with ConfigMgr

With System Center Configuration Manager (ConfigMgr) it's possible to install and use Forefront Endpoint Protection (FEP) 2010 also. Both products can be integrated so ConfigMgr will also handle Forefront Antivirus and Definition updates. In this blog I will describe the installation of Forefront and configuring policies.

Before FEP 2010 can be installed some prerequisites are needed on the ConfigMgr server. These are:
When installing choose the following options:
  • Select "FEP 2010 Update Rollup 1"
  • Welcome to FEP 2010 Server Setup Wizard: Fill in name and organization
  • MS Software License Terms: "I accept the software license terms"
Based on type of installation there's the choice between Basic topology (with remote reporting database), Advanced topology & ConfigMgr console extension.

  • Installation Options: Advanced topology (Select All)
  • FEP 2010 Server Database Configuration: FEPDB_<sitecode>
  • Reporting Configuration: MS FEP 2010 Reporting Database settings: FEPDW_<sitecode>
  • Reporting Configuration: SQL Reporting Services execution account (domain user account)
  • Updates and Customer Experience Options (enable/disable)
  • Microsoft SpyNet Policy Configuration (enable/disable)
  • Specify Installation Location
  • Prerequisites Verification: All verifications passed
  • Setup Summary and Complete
After that a Forefront Endpoint Protection pane is visible in the ConfigMgr console.

The following functionality is added in the ConfigMgr console now: 
  • Collections > FEP Collections
    • Definition Status
    • Deployment Status
    • Operations
    • Policy Distribution Status
    • Protection Status
    • Security Status
  • Software Distribution > Packages
    • FEP – Deployment
    • FEP – Operations
    • FEP – Policies
  • Software Distribution > Advertisements
    • FEP Operations
    • FEP Policies
  • Software Updates > Update Repository
    • Definition Updates > Microsoft > FEP 2010
  • Reporting > Reports/Reporting Services
    • FEP: FEP information for a specific computer
    • FEP – Deployment: Computers with a specific deployment state
    • FEP – Deployment: Deployment for a specific collection
    • FEP – Deployment: Deployment Overview
    • FEP – Policy: Policy Distribution for a specific collection
    • FEP – Policy: Computers with a specific policy distribution state
    • FEP – Policy: Policy Distribution Overview
  • Desired Configuration Management
    • Configuration Baselines
    • Configuration Items
  • Forefront Endpoint Protection node
    • Policies > Default Server Policy
    • Policies > Default Desktop Policy
    • Alerts > Malware Detection Alerts
    • Alerts > Malware Outbreak Alert
    • Alerts > Repeated Malware Detection Alerts
    • Alerts > Multiple Malware Detection Alerts
    • Reports > Antimalware Activity Report
    • Reports > Antimalware Protection Summary Report
    • Reports > Computer List Reports

Microsoft Forefront Endpoint Protection 2010 Update Rollup 1 includes the Definition Update Automation tool. This tool enables you to use System Center Configuration Manager 2007 software update points to distribute FEP definition updates to your client computers.

To configure your environment to use the Definition Update Automation tool, you must first download the tool (fepsuasetup.cab) and copy it to the appropriate location on your Configuration Manager site server. It can be downloaded here: http://technet.microsoft.com/en-us/library/hh297450.aspx

There are also Microsoft Forefront Endpoint Protection (FEP) 2010 Update Rollup 1 Tools available. These free downloads make it easier for Forefront Endpoint Protection 2010 Update Rollup 1 customers to use Group Policy for centralized management, provide optimized settings for various server roles, and diagnose and troubleshoot support issues. They can be downloaded here: http://www.microsoft.com/download/en/details.aspx?id=26613

As you can see, a lot of new functionality becomes available in ConfigMgr. Now it's time to configure policies and create update packages. More about that in the next blogpost.

Tuesday, October 4, 2011

Error in ConfigMgr after Reporting Services Point installation

In ConfigMgr the default Reporting Point role is installed normally. Then reports will be generated and processed on the ConfigMgr server. There is however the choice to install a Reporting Services Point role on the SQL Server. Then reports will be generated and processed on the SQL Server. Much faster that way, industry standard formatting and the possibility to export reports to many formats!


Just add the Reporting Services Point role to the SQL Server and follow the steps in SQL "Reporting Services Configuration". Create a ReportServer database and virtual directory there. Then go back to the ConfigMgr server and choose "Copy Reports to Reporting Services". Just follow the wizard and specify the SQL Server with Reporting Services installed (and configured!).


After copying reports is done it's possible that an error message is displayed in the ConfigMgr system status. The Message ID displayed is 7403: SMS SRS web service is not running on SRS Reporting Point server "<SQL server>". Although Reporting Services is running fine and reports can be started, it's not quite nice.


The solution for this is not that hard, but maybe not easy to find. A SQL Server update is needed to resolve this issue. The Cumulative Update (CU) package 4 for SQL Server 2008 R2 fixes error 7403. It can be downloaded here: http://support.microsoft.com/kb/2345451/en-us

It's even better to install Service Pack (SP) 1 to include all Cumulative Updates released before. It can be downloaded here: http://www.microsoft.com/download/en/details.aspx?id=26727

Mandatory need for Reporting Services?
A Reporting Services Point is needed when Power Management (R3) and/or Forefront Endpoint Protection (FEP) integration is used in ConfigMgr. If that's not the case, you can choose between both Reporting solutions!

ConfigMgr and OpsMgr on the same SQL Server?
When multiple Reporting Services instances are needed (for example: ConfigMgr and OpsMgr on the same server), remember to place ConfigMgr in the "default instance". You need to install ConfigMgr first because it wants the default instance, whereas OpsMgr can be set to a different one. So you should be able to have them both use the same server, but not the same instance.