Sunday, December 19, 2010

ConfigMgr 2007 with App-V integration

With ConfigMgr 2007 Release 2 (R2) it is possible to add App-V packages to the ConfigMgr console and advertise them to ConfigMgr clients. With that functionality no additional App-V Management Server or Streaming Server is needed anymore: there is one solution for managing and publishing both MSI-based and virtual applications! In this post I will explain what to configure in the ConfigMgr console and how the App-V packages are published to the ConfigMgr clients.

How does it work?

ConfigMgr 2007 supports running sequenced applications created with the App-V platform. App-V packages run on ConfigMgr 2007 clients without the applications having to be installed on the computer. Target computers must be running Windows XP or later to run virtual application packages. After you create a sequenced application with the App-V Sequencer, you import the package into ConfigMgr 2007 and deploy it to the ConfigMgr 2007 clients.


First make sure you are running ConfigMgr 2007 SP2 together with R2 (or R3). Release 2 (R2) is what adds the App-V functionality; Service Pack 2 (SP2) is what makes App-V package delivery fast. With ConfigMgr SP1 it could take 10 - 15 minutes before an App-V package became available on the client, while with SP2 there is almost no delivery delay. With ConfigMgr SP2, delivery can be as fast as with an App-V Streaming Server, which is a great feature!

Client setup

The computer needs both a ConfigMgr client and an App-V client. No additional configuration of the App-V client is needed: you enable virtual application deployment in ConfigMgr, and ConfigMgr configures the App-V client for you. Any existing App-V client policies are overridden. Best practice is to install both the ConfigMgr client and the App-V client in the task sequence that is used for deployment; without both agents, App-V delivery is not possible.

ConfigMgr 2007 setup

Below is the configuration needed in the ConfigMgr console. All of it is required to get App-V functionality in ConfigMgr 2007.

Warning: this approach affects every App-V client that has a ConfigMgr client connected to the site, because App-V management in ConfigMgr overrides the existing App-V client configuration.


In the ConfigMgr Distribution Point properties (General tab) select "Allow clients to transfer content from this Distribution point using BITS, HTTP, and HTTPS".


In the ConfigMgr Distribution Point properties (Virtual Applications tab) select "Enable virtual application streaming".


Finally, in the Advertised Programs Client Agent properties (General tab) enable "Allow virtual application package advertisement".

ConfigMgr supports two types of App-V delivery, streaming and local delivery, and the settings above cover both. Streaming delivery is similar to an App-V Streaming Server and uses HTTP(S): the client fetches the package from the distribution point when the application is started, so the distribution point has to be reachable at that moment. Local delivery does "download and execute": the App-V package is downloaded with BITS (the same way as MSI-based packages), saved on the computer and is then always available, just like an installed MSI-based application. Streaming is recommended on (VDI) desktops or fat clients.

App-V packages

In the ConfigMgr console you can add both MSI-based and virtual applications. The steps for adding App-V packages are described here.


Right-click Software Distribution - Packages and choose New > Virtual Application Package. Browse to the XML manifest file of the sequenced package and add the App-V package.


Create a (sub)collection for every application you want to advertise. Create an Active Directory group for every application and add it as a membership rule of that collection.


Create an advertisement for every application you want to distribute and assign it to the collection with the same name. Choose the following settings:
  • Schedule: Mandatory assignments (occurs on current date/time)
  • Distributing points: Stream virtual applications from Distribution point
  • Interaction: Allow users to run the program independently of assignments
While sequencing, choose to leave icons in the Start menu and/or on the Desktop. Because no App-V Publishing Server is available, users would otherwise see no icons to start the application with.

Results on the computer

When all of the above has been configured, App-V delivery is available. The ConfigMgr client refreshes its policy at every logon, and at that point the App-V package becomes available after 5 - 30 seconds, depending on the sizing and configuration of the ConfigMgr server.

Again more functionality becomes available in the ConfigMgr console!

Saturday, December 11, 2010

MDT integration in ConfigMgr 2007

Last month I read on Twitter that someone didn't know that MDT could be integrated with ConfigMgr 2007. For me that was the reason to write this post about MDT and ConfigMgr. Yes, it's true that the integration exists, and I will explain all its possibilities and benefits! When you are new to MDT or ConfigMgr, you can combine them to have the best of both worlds. And with the knowledge you already have (of MDT and/or ConfigMgr) it will be a lot easier to use.
 
When you use Microsoft products for deployment, you can choose between:
- Windows Deployment Services (WDS)
- Microsoft Deployment Toolkit (MDT), formerly known as Business Desktop Deployment (BDD)
- System Center Configuration Manager (ConfigMgr)
 
While WDS and MDT are free to use, with ConfigMgr you must pay for every system you want to manage (client and/or server). In the projects I do, the choice is most of the time made for ConfigMgr, because ConfigMgr can do a lot more than MDT, and MDT is mostly implemented for deployment only. Because MDT is customizable with built-in scripts, you actually want the same functionality in ConfigMgr. For this reason Microsoft created the integration between both products.
 
To get this functionality, install ConfigMgr and MDT (2010) on the same system. Then look in the Start Menu for Microsoft Deployment Toolkit and start "Configure ConfigMgr Integration". Click Next, Finish, and start the ConfigMgr console again. You now have the following added features.
 
New Task sequences added:
The new task sequences offer very useful deployment templates that are constructed with a new MDT wizard.
 
  • Client Task Sequence: Creates a complete task sequence complete with additional task sequence elements.
  • Client Replace Task Sequence: Creates a task sequence specifically for use when replacing hardware (capture user state).
  • OEM Task Sequences (Pre- and Post-OEM): Creates task sequences specifically designed for use with the hardware OEM.
  • Microsoft Deployment Custom Task Sequence: Creates a task sequence that is essentially empty.
  • Server Task Sequence: The server version of the Client Task Sequence with additional task sequence elements.
  • User Driven Installation Task Sequence: UDI means that there is now an easy way to get users “involved” in an OS Deployment.
 
New options in existing Task sequences:
The new options offer additional environmental checks and data. This provides prerequisite and safety checks before the image is applied, and additional environment variables for use in customization.
 
  • Use Toolkit Package: Takes care of getting the needed files to the computer (needed to use any other actions)
  • Install Language Packs Online: Specify that package should be installed online (after the OS is running)
  • Gather: Sets variables that can be used elsewhere in the task sequence (needed for dynamic deployments)
  • Validate: Perform hardware checks to make sure the machine is capable, and prevent accidental deployment of client operating systems to server hardware
  • Install Roles and Features: Install any available Windows Server 2008 (R2) role, role service, or feature
  • Configure ADDS: Automates the DCPROMO process, and supports creating new forests, new domains, and new domain controllers
  • Configure DNS: Define the zones that need to be created (Primary, secondary, stub, Integrated or standard)
  • Configure DHCP: Define the scopes that need to be created (Address ranges, scope settings)
  • Install Updates Offline: Apply patches to Windows before the OS boots for the first time (uses an existing software update package)
  • Install Language Packs Offline: Specify that package should be installed offline (before the OS boots for the first time, similar to patching)
 
Create new Boot images:
This provides the ability to build customized Windows PE boot images, through a wizard added to the boot images menu item.
 
  • Add extra folders and files to the boot image (example: Trace32 utility)
  • Add support for additional databases in the boot image

Finally, you can use the built-in scripts that come with MDT in ConfigMgr 2007 task sequences. With MDT integration in ConfigMgr 2007 you have the best of both worlds, and with the new functionality in MDT 2010 Update 1 there is even more available (User Driven Installation)!
 
MDT 2010 can be used for Lite Touch Installation (LTI):
- Aligns with ConfigMgr
- Evolutionary refinements
- Adds server support
- Upgrade from BDD 2007 and MDT 2008
 
ConfigMgr 2007 (with MDT) is needed for Zero Touch Installation (ZTI):
- Fully integrated experience
- Single console
- Adds server support
- Extends and enhances ConfigMgr 2007

You can even have a dynamic computer name filled in, and have the computer account placed in the right OU in Active Directory. In the customsettings.ini file (MDT) or in the task sequence (Set Task Sequence Variable step) there must be an entry like this:
- OSDComputerName=%SERIALNUMBER% to use the BIOS serial number as computer name
- OSDComputerName=%ASSETTAG% to use the asset tag as computer name

It is also possible to use a script for it. With all of this you can have a dynamic deployment without any manual actions! Keep in mind that a computer name can be at most 15 characters, and that some OEMs ship a placeholder instead of a real serial number or asset tag, so check the value before you use it as a name.
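The script variant, as an added example that is not part of the original post: it builds OSDComputerName from the BIOS serial number (falling back to the asset tag) and hands the name and the target OU to the running task sequence, with the length and placeholder checks that a bare %SERIALNUMBER% rule does not do. The "WS-" prefix and the OU are placeholders. It assumes the task sequence can run PowerShell at that point, which in practice means a refresh deployment started from the full OS, or a boot image that includes PowerShell (the WinPE 3.0 boot images of this era do not; for bare metal, put the same logic in a VBScript or a customsettings.ini rule).

```powershell
# Added example, not from the original post. Sets OSDComputerName and
# OSDDomainOUName for a running ConfigMgr/MDT task sequence.
# Assumptions: the "WS-" prefix and the OU below are placeholders, and the
# step runs before "Apply Network Settings" (which reads OSDDomainOUName).

$Prefix   = 'WS-'                                         # assumed naming prefix
$TargetOU = 'OU=Workstations,DC=contoso,DC=com'           # assumed OU

function Get-SafeComputerName {
    param([string]$Raw, [string]$Prefix = '')
    # A NetBIOS computer name is at most 15 characters. Keep only letters,
    # digits and hyphens, so spaces, dots and quotes from an OEM string can
    # never end up in the name or in the later domain-join step.
    $clean = ($Raw -replace '[^A-Za-z0-9-]', '').ToUpper()
    if ($clean.Length -eq 0 -or
        $clean -match '^(TOBEFILLEDBYOEM|DEFAULTSTRING|SYSTEMSERIALNUMBER|NONE|0+)$') {
        return $null                                      # placeholder, not usable
    }
    $max = 15 - $Prefix.Length
    if ($clean.Length -gt $max) {
        $clean = $clean.Substring($clean.Length - $max)   # keep the unique tail
    }
    return ($Prefix + $clean)
}

# Try the serial number first (%SERIALNUMBER%), then the asset tag (%ASSETTAG%)
$serial   = (Get-WmiObject -Class Win32_BIOS).SerialNumber
$assetTag = (Get-WmiObject -Class Win32_SystemEnclosure | Select-Object -First 1).SMBIOSAssetTag
$name = Get-SafeComputerName -Raw $serial -Prefix $Prefix
if (-not $name) { $name = Get-SafeComputerName -Raw $assetTag -Prefix $Prefix }
if (-not $name) {
    # Stop the task sequence here instead of joining the domain with a junk name
    Write-Error "No usable serial number ('$serial') or asset tag ('$assetTag')"
    exit 1
}

# Hand the values to the task sequence environment; they survive the reboot into WinPE
$tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
$tsenv.Value('OSDComputerName') = $name
$tsenv.Value('OSDDomainOUName') = $TargetOU
Write-Host "OSDComputerName=$name OSDDomainOUName=$TargetOU"
exit 0
```

Run it from a "Run Command Line" step as powershell.exe -ExecutionPolicy Bypass -File SetComputerName.ps1. A non-zero exit code fails the step, so a machine with an unusable serial number stops early and visibly instead of being built with a wrong name.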

Tuesday, November 30, 2010

Best Practice in Group Policy Management

What is the best practice for using Group Policy Objects (GPOs)? I often arrive at customers with a lot of policies, and most of the time people don't know what to do with them. New settings are needed, and every time a new policy is created. When this process goes on for years, nobody knows the reason for all these policies anymore. So what is the best practice? I will explain that, and also talk about other products for managing policies!

Group policies have existed for a long time now. First there were local policies, then group policies became available. It became even better when the Group Policy Management Console (GPMC) arrived: now there was true management of all the policies. Today there is also an extension available: with Group Policy Preferences (GPP) many new Windows and Control Panel settings can be managed as well, so a logon script isn't necessary anymore. And the good news is that it's free to use!

Best practices for group policies are:

- Don't create a new policy for every new setting you want to use (only for testing purposes)
- Minimize the number of policies, for faster logons (fewer files to process) and easier management
- Create a user policy and disable the computer part of it (screenshot)
- Create a computer policy and disable the user part of it (screenshot)
- For policies with an extra ADM file (imported under Administrative Templates), create a separate policy for easier management (screenshot)
- When applying user settings to computer objects, use loopback processing mode with the merge or replace option (screenshot)

How to disable user or computer policy settings (2 ways):
  1. Right-click the name of the GPO, and click Properties. Click Disable Computer Configuration settings or Disable User Configuration settings.
  2. Right-click the name of the GPO, and click GPO Status. Click Disable Computer Configuration settings or Disable User Configuration settings. 
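The "disable the unused half" practice, scripted, as an added example that is not part of the original post. It uses the GroupPolicy module that comes with GPMC on Windows Server 2008 R2 (or RSAT on Windows 7), reports every GPO whose Computer or User half is enabled but has never been edited, and with -Fix backs the GPO up and disables that half. The backup path is a placeholder.

```powershell
# Added example, not from the original post. Audits GPOs for an enabled but
# never-edited Computer or User half and optionally disables it.
# Assumptions: GroupPolicy module available; C:\GPO-Backups is a placeholder.
param(
    [switch]$Fix,
    [string]$BackupPath = 'C:\GPO-Backups'
)
Import-Module GroupPolicy

function Get-DesiredGpoStatus {
    param($Gpo)
    # DSVersion 0 means that half of the GPO has never been written to AD:
    # it contains nothing, so processing it at boot/logon is wasted time.
    $compOff = (-not $Gpo.Computer.Enabled) -or ($Gpo.Computer.DSVersion -eq 0)
    $userOff = (-not $Gpo.User.Enabled)     -or ($Gpo.User.DSVersion -eq 0)
    if ($compOff -and $userOff) { return 'AllSettingsDisabled' }
    if ($compOff)               { return 'ComputerSettingsDisabled' }
    if ($userOff)               { return 'UserSettingsDisabled' }
    return 'AllSettingsEnabled'
}

$findings = foreach ($gpo in Get-GPO -All) {
    $desired = Get-DesiredGpoStatus -Gpo $gpo
    if ($desired -eq [string]$gpo.GpoStatus) { continue }      # already right
    New-Object PSObject -Property @{
        Name    = $gpo.DisplayName
        Id      = $gpo.Id
        Current = [string]$gpo.GpoStatus
        Desired = $desired
    }
}

$findings | Format-Table Name, Current, Desired -AutoSize

if ($Fix) {
    if (-not (Test-Path $BackupPath)) { New-Item -ItemType Directory -Path $BackupPath | Out-Null }
    foreach ($f in $findings) {
        # Back up first: Restore-GPO brings back the settings and the GPO's
        # permissions, so a wrong change (or a later deletion) can be undone.
        Backup-GPO -Guid $f.Id -Path $BackupPath | Out-Null
        if ($f.Desired -eq 'AllSettingsDisabled') {
            # Nothing was ever configured in either half: a deletion candidate,
            # left for a human to check its links and remove by hand.
            Write-Warning "$($f.Name): both halves empty, review and delete manually"
            continue
        }
        $gpo = Get-GPO -Guid $f.Id
        $gpo.GpoStatus = $f.Desired        # assignment writes the flag back to AD
        Write-Host "$($f.Name): $($f.Current) -> $($f.Desired)"
    }
}
```

Without -Fix the script only reports, which is the safe way to run it first: a half that someone is about to start editing also shows DSVersion 0, so look at the list before disabling anything.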

Import an ADM file into Administrative Templates:
  1. Right-click on Administrative Templates in the GPO, and choose for Add/Remove Templates.
  2. Click Add and browse to the ADM file to import. (The file is then copied to the SYSVOL folder.)

Usage of User Group Policy loopback processing mode:

This setting directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a computer affected by this setting. By default, the user's Group Policy objects determine which user settings apply. If this setting is enabled, then, when a user logs on to this computer, the computer's Group Policy objects determine which set of Group Policy objects applies.

To use this setting, select one of the following modes from the Mode box:
  • "Replace" indicates that the user settings defined in the computer's Group Policy objects replace the user settings normally applied to the user.
  • "Merge" indicates that the user settings defined in the computer's Group Policy objects and the user settings normally applied to the user are combined. If the settings conflict, the user settings in the computer's Group Policy objects take precedence over the user's normal settings.
If you disable this setting or do not configure it, the user's Group Policy objects determine which user settings apply.


Download Group Policy Management Console (GPMC):

The Group Policy Management Console is the easiest way to manage group policies. Depending on the platform, you get it in one of the following ways:

  1. For Windows Server 2003 (and Windows XP) you must download and install it from the following URL: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en
  2. For Windows Server 2008 you add it with Server Manager: Add Features. After that GPMC is installed and you find it as usual under Administrative Tools.
  3. For Windows 7 you must download and install the Remote Server Administration Tools (RSAT) from the following URL: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d&displayLang=en
     After that GPMC is installed and you find it as usual under Administrative Tools.

Managing Group Policy Preferences (GPP) settings:

This extension of Group Policy makes a logon script much less necessary. Settings like drive mappings, printers, Start Menu items and shortcuts can now be assigned with Preferences, which makes the whole setup easier to oversee. Configuring Group Policy Preferences goes as follows. When you open the Group Policy Management Console on a Windows Server 2008 server, not only the policies are shown, but also the preferences.


Here you have the choice of configuring all the new Windows and Control Panel settings available. With the Targeting Editor you can even control under which conditions a preference item becomes active. Many types of targeting are possible, for example: computer name, IP address range, organizational unit, security group or WMI query.

Best practice is to create new GPOs and put the Preferences settings in those. All you need is Windows Server 2008 (R2), Windows 7 or Vista for managing the preferences; you don't need a Windows Server 2008 domain functional level for Preferences! One caveat: do not use the preference items that take a password (local user accounts, drive maps, services or scheduled tasks with stored credentials). That password is written to SYSVOL in a form every domain user can read and decrypt, and Microsoft later removed the option altogether (MS14-025).

For more information about Preferences, download the following white paper: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=42E30E3F-6F01-4610-9D6E-F6E0FB7A0790

Managing GPO's with Advanced Group Policy Management:

Microsoft Advanced Group Policy Management (AGPM) is a component of the Microsoft Desktop Optimization Pack (MDOP). AGPM increases the capabilities of the Group Policy Management Console (GPMC), providing:

- Standard roles for delegating permissions to manage GPO's to multiple Group Policy administrators.
- An archive to enable Group Policy administrators to create and modify GPO's offline before deploying them to a production environment.
- The ability to roll back to any previous version of a GPO.
- Check-in/check-out capability for GPO's to ensure that Group Policy administrators do not overwrite each other's work.

Some features include:
  • Offline editing of GPO's
  • Difference reporting and audit logging
  • Recovery of a deleted GPO (Recycle Bin) <- Nice feature!
  • Repair of live GPO's
  • Creation of GPO template libraries
  • Subscription to policy change e-mail notifications
  • Version tracking, history capture, and quick rollback of deployed changes
  • Role-based administration (Editor, Reviewer, Approver)
  • Change request approval

I hope you have enough information about Group Policy management by now! Check my blog regularly for more information about GPOs.

And remember: always create a backup before deleting GPOs! When you restore a backup, the settings and permissions of the GPO are restored again. Links to sites, domains and OUs are not part of the backup, so re-link the GPO after restoring it.

Wednesday, November 17, 2010

Useful Information from TechEd 2010 Berlin

Last week I was at TechEd 2010 in Berlin. With 6,000 delegates the event was sold out! It was a nice week with lots of useful information about Management and Windows Client (my favourite tracks). There were many companies with further additions for ConfigMgr (software catalog, mobile devices, self-service portal, etc.). The sessions I attended were about the following products:
  • Deployment (best practices, issues, etc.)
  • ConfigMgr 2007 and v.Next (2012)
  • MDOP (Advanced Group Policy Management 4.0)
  • Migrate Windows XP to Windows 7
  • Windows Embedded (WES2009 and WES7)
  • MS Deployment Toolkit (MDT) 2010
  • Forefront Endpoint Protection (FEP) 2010
  • Group Policy Objects (and Preferences) 
  • MS Enterprise Desktop Virtualization (Med-V) v2
 

Useful information about Configuration Manager:
  • The name of the next release of ConfigMgr will be System Center Configuration Manager 2012. The 2012 release will be user centric instead of device centric. The product is currently in Beta 1; Beta 2 is expected around H1 2011.
  • New for the user in ConfigMgr 2012 is the Software Catalog portal on the workplace. With the Software Catalog portal you can easily search for new software and install (or request) it on your computer.
  • There will be more support for mobile devices in ConfigMgr 2012. Not only support for Windows Mobile 6.x, but also for Android 2.2.2, iOS 4.0, Symbian 3.3.3 and Windows Phone 7. Maybe more to come!?
  • You can deploy WES2009 and WES7 on embedded devices with WDS, MDT 2010 and ConfigMgr 2007. With ConfigMgr 2007 there is also support for using task sequences.
  • Forefront Endpoint Protection (FEP) 2010 will be fully integrated with ConfigMgr 2012. You only need one console to manage your clients!
  • In ConfigMgr 2012 you can choose which installation type you want on different kinds of devices (e.g. MSI-based on fat clients and App-V packages on tablet devices; works great!).
  • In ConfigMgr 2012 there is delegation of control by default: no need to select functionalities yourself. Also, the ConfigMgr console only shows the information you are allowed to see, so it is customized by default!
  • There is a hotfix available for solving the duplicate drivers issue in ConfigMgr 2007 (no more troubleshooting of driver packages)! http://support.microsoft.com/kb/2213600
  • There is an Exchange Server connector built into ConfigMgr 2012 for managing Windows Phone 7 devices! Maybe more to come!?
  • With collection membership rules you can include subcollections in other collections for managing deployments and distributions.
  • You can set overall ConfigMgr client settings to push new settings to all clients at once (handle with care)!
  • With Med-V v2 there will be ConfigMgr integration. It will be fully manageable with ConfigMgr, which simplifies overhead and management for IT professionals.

Useful information about Group Policy (Preferences):
  • With Advanced Group Policy Management 4.0 you can compare settings between GPOs. Delegation of control is also possible (decide which GPOs someone may see or change). And there is a history function, so you can go back to older versions of a GPO.
  • Another nice thing in Advanced Group Policy Management 4.0 is the Recycle Bin, where deleted GPOs are kept for some time. Because everything is tracked in the program, it's easy to see which administrator made which change.
  • New in version 4.0 are the search option (for searching GPOs, not searching in GPOs) and multi-forest support. There is also support for Preferences and AppLocker!
  • When troubleshooting group policies, look in userenv.log (for errors) on Windows XP, or in the Group Policy operational log in the Event Viewer on Windows 7.
  • There is a nice tool for troubleshooting Windows Vista & 7, called Group Policy Log View: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=BCFB1955-CA1D-4F00-9CFF-6F541BAD4563&displaylang=en
  • Look at Jeremy Moskowitz's site for more info:

Useful information about other deployment tools:

Handy URLs for best practices in deployments are:

Next year at TechEd 2011 and MMS 2011/2012 there will be more information about ConfigMgr 2012 and all the new functionality in it!

Wednesday, November 3, 2010

Using Multicast functionality in ConfigMgr

By default ConfigMgr 2007 Operating System Deployment (OSD) deploys in unicast: every deployment or software distribution is transferred bit by bit to each device separately. With ConfigMgr 2007 R2 and specific configuration, multicast is also possible. Then you can deploy 50 or 100 devices at a time without the data being transferred to every device individually. It's good to know that you have a few multicast options, and that it only works in the WinPE stage. So what is the advantage of it for software distribution in task sequences?

When you talk about multicast in ConfigMgr R2, there are two types: Autocast and Scheduled Multicast. I will describe them both and explain the differences.

Autocast: with Autocast the deployment starts on the first device. When you deploy another device (or more than one), the stream is also sent to the other device(s). When the first one has finished, the other device(s) only need to pick up the remaining bits to complete. The only thing you have to do for Autocast functionality is enable multicast. (screenshot)

Scheduled Multicast: with Scheduled Multicast the deployment waits for a number of minutes or a number of clients, and starts when one of the two conditions is met. The idea behind this is that you have more time to prepare your devices. With this type of deployment the bit stream goes over the network once, to all your machines that are ready! (screenshot)

To get multicast working, a distribution point and the Transport Server role of Windows Deployment Services (WDS) are needed. When both are installed and enabled on a Windows Server 2008 server, the configuration in ConfigMgr 2007 can take place.

Distribution point: in the ConfigMgr Distribution Point properties you must enable the setting "Allow clients to transfer content from the distribution point using BITS, HTTP and HTTPS". On the Multicast tab you must also enable the "Enable multicast" setting. Have a look at the transfer rate option as well; ideally this is set to 100 Mbps or 1 Gbps for a good transfer speed.


When you also want to use Scheduled Multicast, enable the setting "Enable scheduled multicast" and set the session start delay (# minutes) and the minimum session size (# clients). When one of the two is met, the deployment starts (one bit stream).


Image deployment: for a successful multicast deployment, the WIM image itself must also be multicast enabled. Open the properties of the WIM image (for example Windows XP SP2) and enable the setting "Allow this package to be transferred via multicast". You can also see here that multicast is only possible in WinPE (so during the first part of the deployment).


When you don't want any unicast deployment, also enable the setting "Transfer this package only via multicast". Then you are sure that multicast is used! Because this only works in WinPE, there is no need to enable this setting on your software packages. Now only an advertisement is needed to get it working.

Advertisement: in the advertisement enable the setting "Download content locally when needed by running task sequence". When it is set to "Access content directly from a distribution point when needed by the running task sequence", multicast deployment will not work.


Deployment: these are some pictures captured during deployment. The first one was captured during a deployment with Autocast; the second one during Scheduled Multicast.



Because multicast only works in WinPE, you have the option of putting your applications in the WIM image: not installed, just the installation sources. Then you are still flexible and make use of full multicast functionality! Otherwise one part of the installation (the image) goes over multicast and the other part (the applications) does not.

In the task sequence don't add your packages with "Install Software", but use "Run Command Line". Put in there the command that is normally placed under Programs - Command Line for an unattended installation. To get it working, put the location (e.g. C:\Apps) in front of the command, and the application is installed from the local source.

That's all about Multicast for now!

Thursday, October 28, 2010

Troubleshooting Task Sequences

In my last post I explained some troubleshooting issues in ConfigMgr 2007, especially focused on Windows Deployment Services (WDS). But what to do when the task sequence is running and you get an error during deployment? This post will help you troubleshoot that part!

While your task sequence is running, where do you find the log files when it goes wrong? First of all, enable command support ("Enable command support (testing only)") on both boot images. This lets you press F8 during deployment in the WinPE stage to open a command prompt, which is very useful when troubleshooting: you can open the various log files, access network shares, or try to ping or reach your distribution point(s). Keep in mind that this prompt runs as SYSTEM in WinPE and gives whoever is at the keyboard everything in the task sequence environment, including any account passwords the task sequence uses, so enable it for troubleshooting and switch it off again on production boot images.


During installation the smsts.log file is located in different places. Every time the device reboots while the task sequence is still running, the current smsts.log is copied to a timestamped smsts-<date>-<time>.log file and a new smsts.log is started.

1. System booted in WinPE and the local hard disk not yet modified: smsts.log in "x:\windows\temp\smstslog"
2. System booted in WinPE and the local hard disk partitioned and formatted: smsts.log in "x:\smstslog", and after that in "c:\_SMSTaskSequence\Logs\Smstslog"
3. System booted in Windows before the ConfigMgr client is installed: smsts.log in "c:\_SMSTaskSequence\Logs\Smstslog"
4. System booted in Windows after the ConfigMgr client is installed: smsts.log in "c:\windows\system32\ccm\logs\Smstslog" (on an x64 device: "c:\windows\SysWOW64\ccm\logs\Smstslog", because the ConfigMgr 2007 client is a 32-bit application)



From here you can examine smsts.log to find out what went wrong. The messages usually give you a good idea of where to start looking.

Trace32 is the recommended way to view these log files. Notepad does not update the view while the file grows, while Trace32 does; warnings are shown in yellow and errors in red, so you get a quick view of what went wrong during deployment. Remember that Trace32 is a 32-bit application and x64 WinPE has no WOW64, so in the x64 boot image it will not run. In that case copy the log files to a file share and open them from another machine with Trace32 installed.
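When Trace32 is not at hand (x64 WinPE, or a pile of logs copied off several machines), the same triage can be scripted. The following is an added example, not part of the original post: it collects every smsts*.log from the folders listed above, parses the Trace32 line format, and prints only the warnings and errors (the lines Trace32 would colour yellow and red). The three sample lines at the bottom are constructed, in the real format but with made-up messages, so the script can be tried without a failed deployment.

```powershell
# Added example, not from the original post. Parses smsts.log (Trace32 format)
# and lists warnings and errors. The sample log lines below are constructed.

$LogFolders = @(
    'X:\windows\temp\smstslog',                 # WinPE, disk untouched
    'X:\smstslog',                              # WinPE, disk formatted
    'C:\_SMSTaskSequence\Logs\Smstslog',        # Windows, client not yet installed
    'C:\windows\system32\ccm\logs\Smstslog',    # Windows, client installed (x86)
    'C:\windows\SysWOW64\ccm\logs\Smstslog'     # Windows, client installed (x64)
)

function Get-SmstsLogFiles {
    # smsts.log is the active file; smsts-<date>-<time>.log are rolled-over copies
    foreach ($folder in $LogFolders) {
        if (Test-Path $folder) {
            Get-ChildItem -Path $folder -Filter 'smsts*.log' | Sort-Object LastWriteTime
        }
    }
}

function ConvertFrom-Trace32Line {
    param([string]$Line)
    # <![LOG[message]LOG]!><time="..." date="..." component="..." context="" type="N" thread="..." file="...">
    # type 1 = information, 2 = warning, 3 = error
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)"\s+date="(?<date>[^"]*)"\s+component="(?<comp>[^"]*)"[^>]*\btype="(?<type>\d)"'
    if ($Line -notmatch $pattern) { return $null }        # not a log line (or a continuation)
    $severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }[$Matches['type']]
    New-Object PSObject -Property @{
        Date      = $Matches['date']
        Time      = $Matches['time']
        Component = $Matches['comp']
        Severity  = $severity
        Message   = $Matches['msg']
    }
}

function Get-TaskSequenceProblems {
    param([string[]]$Lines)
    foreach ($l in $Lines) {
        $entry = ConvertFrom-Trace32Line -Line $l
        if ($entry -and $entry.Severity -ne 'Info') { $entry }
    }
}

# Constructed sample in the real line format (the messages are made up)
$Sample = @'
<![LOG[Executing command line: Install Software]LOG]!><time="10:01:02.100+000" date="10-28-2010" component="TSManager" context="" type="1" thread="1234" file="instruction.cxx:3024">
<![LOG[Content location request for P0100013 returned no distribution point]LOG]!><time="10:01:05.200+000" date="10-28-2010" component="TSManager" context="" type="2" thread="1234" file="resolvesource.cpp:445">
<![LOG[Failed to run the action: Install Software. The package is not available on any distribution point (Error: 80070002)]LOG]!><time="10:01:06.300+000" date="10-28-2010" component="TSManager" context="" type="3" thread="1234" file="instruction.cxx:3100">
'@ -split "`r?`n"

Get-TaskSequenceProblems -Lines $Sample | Format-Table Time, Severity, Component, Message -AutoSize

# On a failed machine, run it over the real files instead of the sample:
# Get-SmstsLogFiles | ForEach-Object { Get-TaskSequenceProblems -Lines (Get-Content $_.FullName) }
```

The WinPE 3.0 boot images of ConfigMgr 2007 do not contain PowerShell, so on a machine that is still in WinPE the practical route is the one from the text: copy the log folder to a share from the F8 prompt and run this on a full Windows machine. Treat those copies with some care; smsts.log records the steps and variables of the task sequence, including the names of the accounts it used.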


For resolving errors there is an additional option to look up error codes: Trace32 - Tools - Error Lookup. Now you are ready for real troubleshooting of task sequences! Trace32 is part of the "System Center Configuration Manager 2007 Toolkit V2" and can be found here: http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=5a47b972-95d2-46b1-ab14-5d0cbce54eb8

----------------------------------------------------------------------
The following list provides specific information about each tool in the toolkit.
  • Client Spy - A tool that helps you troubleshoot issues related to software distribution, inventory, and software metering on Configuration Manager 2007 clients.
  • Delete Group Class Tool - A tool used to remove inventory group definitions along with history data, tables, views and stored procedures for the group.
  • Desired Configuration Management Migration Tool - A tool used to migrate from the DCM Solution for SMS 2003 to DCM in ConfigMgr 2007.
  • Desired Configuration Management Model Verification Tool - A tool used by desired configuration management content administrators for the validation and testing of configuration items and baselines authored externally from the Configuration Manager console.
  • Desired Configuration Management Substitution Variable Tool - A tool used by desired configuration management content administrators for authoring desired configuration management configuration items that use chained setting and object discovery.
  • Management Point Troubleshooter Tool - A tool that checks a computer system before and after a management point installation to ensure that the installation meets the requirements for management points.
  • Policy Spy - A policy viewer that helps you review and troubleshoot the policy system on Configuration Manager 2007 clients.
  • Preload Package Tool - A tool used to manually install compressed copies of package source files on Configuration Manager 2007 sites.
  • Security Configuration Wizard Template for Configuration Manager 2007 - The Security Configuration Wizard (SCW) is an attack-surface reduction tool for the Microsoft Windows Server 2008 R2 operating system. Security Configuration Wizard determines the minimum functionality required for a server's role or roles, and disables functionality that is not required. The Configuration Manager 2007 Service Pack 2 Security Configuration Wizard template supports new site system definitions and enables the required services and ports.
  • Send Schedule Tool - A tool used to trigger a schedule on a Client or trigger the evaluation of a specified DCM Baseline. You can trigger a schedule either locally or remotely.
  • Trace32 - A log viewer that provides a way to easily view and monitor log files created and updated by Configuration Manager 2007 clients and servers.

Tuesday, October 26, 2010

ConfigMgr 2007 Troubleshooting issues

Everybody knows there are some challenges when installing, configuring and managing ConfigMgr 2007. With SMS 2003 that was the same: a great product when it works, but a lot of frustration when it doesn't. I personally think ConfigMgr 2007 works a lot better than SMS 2003, but there are still some challenges. In this post I will describe some of those challenges and how I resolve them. I will also put in some handy URLs for troubleshooting, so your ConfigMgr environment will function a lot better! In my other posts I explain what to do with driver management and migrating collections. Now I go further and treat the rest. These are all real-life situations, so take advantage of them!

First of all you must put your network drivers in the boot images, because otherwise deployment will not work at all. These must be the newest drivers, with support for the WinPE OS. Best practice is to use the x64 boot image for capturing images and the x86 boot image for deploying images. Trace32 (available since SMS 2003) is also a nice utility to put in the boot images: reading log files goes much better in Trace32 than in Notepad. Have a look for yourself and you know what I mean. There is no Trace64 utility at the moment, so you have to make do with the 32-bit one, and in WinPE it only runs in the x86 boot image. For x64 troubleshooting, put the log file on a share and open it on an x86 device with Trace32 installed. More about log files in my next post!


Also check that the packages listed in the Task Sequence are available on the Distribution Point; otherwise deployment will fail as well. When using Multicast, ConfigMgr 2007 R2 and some specific configuration are needed. Because Multicast only works in WinPE mode, you have the choice to put your applications in the default WIM image: not installing them, but only putting the sources in it. That way you stay flexible and make use of full Multicast functionality! Otherwise one part of the installation will be in Multicast, and the other part (the applications) will not. I will write a blog about Multicast later, so stay tuned for that one!

Now some other troubleshooting issues! When deploying an image on the same device many times (for testing) the deployment will fail with abortpxe.com. This is because Windows Deployment Services (WDS) cannot handle that and must be reset. The best thing you can do is restarting the WDS service on the ConfigMgr server. When that is not the solution, you must stop the WDS service, delete the PXEBootFiles folder and all other PXE folders and files in C:\Windows\Temp, and start the service again. When it is still not working, your object in the collection is obsolete. To solve that, add a "Membership rule" on the specific collection (blue computer icon) and choose the following:


(Where Value is your computer name.) On the next setup page "Collection Limiting" choose No collections and continue. On the next setup page "Select Resources" choose all devices you see (mostly two, I think). When back in the collection, delete the object that is obsolete. Then deployment will finally work again! When advertising a Task Sequence (or something else) you can choose between a mandatory deployment or not. For testing it is better to choose no mandatory deployment; otherwise you must remove the PXE Advertisement (screenshot) after each try. The above steps are needed because WDS cannot handle re-imaging of devices within one hour. There is a way to shorten the delay, but by default it will be one hour.


The way to do that is installing a Microsoft hotfix and modifying a registry key. The hotfix can be found at: http://support.microsoft.com/kb/969113
(Operating system deployment fails in a System Center Configuration Manager 2007 SP1 environment if you deploy a different operating system to a client within one hour of a previous deployment).

This hotfix is no longer needed once you have installed ConfigMgr SP2 in your environment.

The registry key which must be changed can be found at [HKLM\Software\Microsoft\SMS\PXE\CacheExpire], or on an x64 device at [HKLM\Software\Wow6432Node\Microsoft\SMS\PXE\CacheExpire].
Change the value from 0 to 180 decimal (0x000000b4); this changes the default 60 minutes to 3 minutes (another value is also possible; the value is in seconds).
Microsoft explanation: http://support.microsoft.com/kb/2019640
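As an added example (not part of the original post), the registry change above as a PowerShell function for the site system that holds the PXE service point. It assumes, as KB 2019640 describes, that CacheExpire is a REG_DWORD value (in seconds) under the SMS\PXE key, and that on an x64 host the 32-bit ConfigMgr 2007 keys live under Wow6432Node; it returns the old and new value so the change can be audited.

```powershell
# Added example, not code from the blog post. Run elevated on the PXE service point.
# Assumption: CacheExpire is a DWORD value (seconds) under the SMS\PXE key (KB 2019640).
function Set-PxeCacheExpire {
    param(
        [int]$Seconds = 180   # 180 s = 3 minutes, the value used in the post
    )
    # 32-bit ConfigMgr 2007 on an x64 host keeps its keys under Wow6432Node
    $candidates = @(
        'HKLM:\SOFTWARE\Microsoft\SMS\PXE',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\SMS\PXE'
    )
    $key = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $key) {
        throw 'SMS\PXE key not found: is the PXE service point installed on this host?'
    }

    # Read the current value first; 0 (or a missing value) means the default 60-minute cache
    $old = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).CacheExpire
    if ($old -eq $null) {
        New-ItemProperty -Path $key -Name CacheExpire -PropertyType DWord -Value $Seconds | Out-Null
    } else {
        Set-ItemProperty -Path $key -Name CacheExpire -Value $Seconds
    }

    # Return before/after so the change is visible in the change record
    New-Object PSObject -Property @{ Key = $key; OldValue = $old; NewValue = $Seconds }
}

# Usage: Set-PxeCacheExpire -Seconds 180
# Then restart WDS so the PXE service point reads the new value:
# Restart-Service WDSServer
```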

For questions or improvements please put some comments on this blog!

Tuesday, October 19, 2010

New functionality in ConfigMgr 2012 (vNext)

Now that ConfigMgr R3 is released, we must wait for ConfigMgr v.Next to get new functionality. Here is a (small) list of changes between ConfigMgr 2007 and v.Next:
  • While ConfigMgr 2007 is 32-bit, v.Next is 64-bit Native only! (some may require W2k8 R2)
  • Mobile Device Manager is built-in (so the product itself doesn't exist anymore)
  • SQL Server 2008 64-bit is required for the ConfigMgr database!
  • SQL Reporting Services is the only reporting platform, instead of standard reporting
  • Distribution groups are added for administrative purpose
  • The default "All" collections are reduced to All Systems only!
  • Advertisements are renamed into Deployments (and positioned better, because they were beneath Software Distribution in 2007)
  • Improvements to OS Deployment and Remote Control (now possible with the usage of CTRL-ALT-DEL)
  • There are some new System roles in it: Software Catalog Web Service Point, Software Catalog Web Site Point, Mobile device enrollment proxy point, Mobile device enrollment point (because of Mobile Device Manager functionality)
  • A migration from ConfigMgr 2007 will be a clean install, not an in-place installation!
  • Desired Configuration Management and Asset Intelligence roles are integrated into an “Assets and Compliance” tab
  • Software Updates auto-deployment (including Forefront definitions)!
  • The product is more user-based instead of computer-based! (e.g. software distribution to users)
  • And last but not least: v.Next looks like a real System Center product, and not like SMS 2003 ;o)

The product itself will be available at the end of 2011, so that takes another year! In the meantime we can play with the Beta version, so more information is on its way!

Monday, October 18, 2010

Creating dynamic collections in ConfigMgr

When designing a new ConfigMgr environment, not only a total design is needed but also a plan for the collections. I mostly base my decision on what functionality is needed, and on whether Active Directory is leading or not. This is because you can create collections in many different ways, and advertisements can only be set on collections. So when you advertise an operating system, application or software update, it will be bound to a collection. For OS deployment you can create additional collections, but what to do with the other ones? The most used way is to bind the collections to Active Directory OUs. That way Active Directory is leading, and it will synchronize objects to ConfigMgr collections. I will explain here what to do, and how to bind them to Active Directory.

After installation of ConfigMgr there are a lot of default collections, but they are not always handy and useful. You can move these default collections to a new folder, so they are not in sight all the time. Now it is better to create your own collections, so you can decide which devices to put in them. A query is needed to bind collections to OUs, but first you must create these collections. You can do this manually, or there is also a way of importing them from Active Directory. The tool needed for that is named "SCCM OU Collection creator". This tool can be downloaded here:


With this tool you can create many collections at once, and the good news is they will automatically be bound to Active Directory OUs. Because you will want to move these collections afterwards to another location, another tool is needed: "CollTree for SCCM". This tool can be downloaded here:



This tool is even compatible with SMS 2003 collections, and it will become very handy. Okay, now the collections are imported and moved, and there is a query on them. But how do you set a query on a collection manually? The procedure is not that difficult. First create a new collection and open its properties. On the tab “Membership rules” create a new query, choose System Resource and Edit Query Statement, then select the Criteria tab. Choose New and fill in the following properties:



Choose OK after that. Now you must decide how fast collections will be synchronized. By default the collection will be synchronized within 1 day. Because it can be too slow to have the objects in Active Directory synchronized with the collections, you can shorten the schedule to 1 hour, or even 15 minutes. Better still is to choose the new R3 update, because collections will synchronize much faster than before. I will post about that new functionality later. This is all you have to do to have dynamic collections in ConfigMgr.
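As an added example (not part of the original post, and not the code of either tool mentioned above), the same two steps scripted against the ConfigMgr 2007 SMS Provider: a query membership rule that binds an existing collection to one Active Directory OU, and a shorter refresh schedule. The site server, site code, collection ID and OU path are placeholders; the WQL uses the SMS_R_System.SystemOUName attribute, and the schedule follows the SDK pattern of an SMS_ST_RecurInterval with RefreshType 2 (periodic).

```powershell
# Added example, not from the blog post. Placeholders must be replaced before use.
function Add-OuMembershipRule {
    param(
        [string]$SiteServer   = 'CMSERVER01',                      # placeholder site server
        [string]$SiteCode     = 'P01',                             # placeholder site code
        [string]$CollectionId = 'P0100012',                        # placeholder collection ID
        [string]$OuPath       = 'CONTOSO.COM/WORKSTATIONS/FINANCE', # placeholder OU, ConfigMgr form
        [int]$RefreshMinutes  = 15                                 # instead of the daily default
    )
    $ns   = "root\sms\site_$SiteCode"
    $coll = Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Class SMS_Collection `
                -Filter "CollectionID='$CollectionId'"
    if (-not $coll) { throw "Collection $CollectionId not found in $ns on $SiteServer" }

    # SystemOUName is multi-valued and lists every ancestor OU of a system, so an
    # equality match on a parent OU also returns the systems in its sub-OUs.
    $wql = "select SMS_R_System.ResourceID, SMS_R_System.ResourceType, SMS_R_System.Name, " +
           "SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, " +
           "SMS_R_System.Client from SMS_R_System " +
           "where SMS_R_System.SystemOUName = `"$OuPath`""

    # Query rule: the same thing the "Membership rules" tab creates through the GUI
    $rule = ([wmiclass]"\\$SiteServer\${ns}:SMS_CollectionRuleQuery").CreateInstance()
    $rule.RuleName        = "OU $OuPath"
    $rule.QueryExpression = $wql
    [void]$coll.AddMembershipRule($rule)

    # Periodic refresh every $RefreshMinutes minutes (RefreshType 2 = periodic)
    $sched = ([wmiclass]"\\$SiteServer\${ns}:SMS_ST_RecurInterval").CreateInstance()
    $sched.StartTime  = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date))
    $sched.MinuteSpan = $RefreshMinutes
    $coll.RefreshSchedule = @($sched)
    $coll.RefreshType     = 2
    [void]$coll.Put()

    # Evaluate the new rule right away instead of waiting for the first interval
    [void]$coll.RequestRefresh()
    $coll.Get()
    $coll
}

# Usage: Add-OuMembershipRule -SiteServer CMSERVER01 -SiteCode P01 -CollectionId P0100012 `
#            -OuPath 'CONTOSO.COM/WORKSTATIONS/FINANCE' -RefreshMinutes 15
```

The account running this needs the SMS Provider rights to modify the collection; a 15-minute interval on many collections adds load on the site server, which is why the post points at the faster R3 mechanism instead.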

Friday, October 15, 2010

ConfigMgr 2007 R3 is here!

Sooner than expected, though still after a long wait: ConfigMgr 2007 R3 is here! This will probably be the last release for ConfigMgr 2007, because the next release is now available in beta. Which improvements does R3 bring us, and is it worth installing the update? The answer is yes, because there are some cool things in this release. Below is a quick summary of what’s new with R3:

Centralized Power Management
Configuration Manager R3 lets IT organizations centrally manage the power settings of Windows 7, Vista and XP computers, helping reduce energy consumption and costs. You can plan and apply a power management policy for high and low PC usage periods, monitor user activity to avoid any productivity interruptions and correct non-compliance. Detailed reports of trends and settings help you make smart power management choices, and also validate Green IT projects with summaries of power, money and CO2 savings.

Mobile Device Management
Configuration Manager R3 includes licenses for the popular System Center Mobile Device Manager, so you can run comprehensive asset inventories, deploy software, manage settings and enforce password policies for Windows phones.

Enhanced Scalability and Performance
Configuration Manager R3 is more scalable than ever, increasing the number of supported clients to 300,000 per site. R3 is also more efficient in the way it communicates with Active Directory, helping you discover user or machine changes more quickly and allowing custom queries to define user, system or group attributes.

Finally, it is worth noting that, just like Configuration Manager R2, R3 will be the foundation for the upcoming Forefront Endpoint Protection 2010. By bringing endpoint security into overall endpoint management, you can reduce costs and inefficiencies, and also improve security and compliance.


Especially the Power Management integration and the communication with Active Directory (which will be much faster) are useful functionality. Also the right-click tools are no longer necessary for putting clients in a collection, because R3 has this functionality built in now. Right-click on a collection you want to manage and there is a new option available, "Add Resource". It is also possible to right-click a resource like a computer and use “Manage Collection Membership” to add it to a collection. Really useful!

Thursday, October 14, 2010

Driver management in ConfigMgr 2007

One of the difficult things in deployment is getting all drivers to work. Best practice here is to remove "auto-apply drivers" from the Task Sequence and put "add driver package" in instead. Most of the time when I import drivers, I give them a tag name for the model. That way you can easily update or remove a model later. There is also an option for creating folders. The bad thing is you can't import a driver multiple times, so that's not a good idea after all. A search folder, however, is a good idea: those folders are query based, so you can separate the drivers into different folders.


To get the right driver package on a system, you must put a condition on the driver packages. The most implemented way is by model name of the system. The command to get that name, from CMD.exe, is wmic csproduct get name (add /node:<computer> for a remote system). The result of that command must be placed in the condition of the driver package. The rule for that is SELECT * FROM Win32_ComputerSystem WHERE Model LIKE '%<MODEL>%', where <MODEL> must be replaced with the actual model name. Now you are ready to deploy many types of systems with different driver packages.
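As an added example (not part of the original post), a check to run on a reference machine before building the driver package condition above. It reads both Win32_ComputerSystem.Model, which the task sequence condition evaluates, and Win32_ComputerSystemProduct.Name, which is what wmic csproduct get name prints, because vendors do not always fill the two identically, and then evaluates the exact WQL the condition would use. The model fragment in the usage line is a constructed sample.

```powershell
# Added example, not from the blog post. Works against the local machine or a remote one.
function Test-DriverPackageCondition {
    param(
        [string]$ModelFragment,          # what you would put in place of <MODEL>
        [string]$ComputerName = '.'      # local machine by default
    )
    $cs = Get-WmiObject -ComputerName $ComputerName -Class Win32_ComputerSystem
    $cp = Get-WmiObject -ComputerName $ComputerName -Class Win32_ComputerSystemProduct

    # Exactly the WQL the task sequence step evaluates; '%' is the WQL wildcard.
    # A short fragment (e.g. a model family) can match several models, so check the
    # Model string below and make the fragment as specific as the package needs.
    $wql   = "SELECT * FROM Win32_ComputerSystem WHERE Model LIKE '%$ModelFragment%'"
    $match = @(Get-WmiObject -ComputerName $ComputerName -Query $wql).Count -gt 0

    New-Object PSObject -Property @{
        ComputerName = $ComputerName
        Model        = $cs.Model      # value the condition is compared against
        ProductName  = $cp.Name       # value "wmic csproduct get name" shows
        Condition    = $wql
        WouldApply   = $match         # $true if the driver package step would run
    }
}

# Usage (constructed sample model): Test-DriverPackageCondition -ModelFragment 'Latitude E6410'
```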


But what to do with drivers that are not installed after deployment? There are drivers that won't be installed on the system, whatever you do. To solve that, look at the option of creating a software package: if there is a setup file in that specific driver folder, you can do an unattended install and put it in your Task Sequence. Now you will see that every single driver gets installed. For boot images it is best to work with the newest NIC drivers to get them to work. Now you can truly enjoy the "one image" functionality!