After upgrading to ConfigMgr 2007 R2 SP2 (RC) all OS Deployment Task Sequences are failing

After the upgrade of my test lab (which is running in Native Mode) to ConfigMgr 2007 R2 SP2 (RC) all my Task Sequences suddenly fail with the error: An error occurred while retrieving policy for this computer (0x80004005).

Taking a look at my SMSTS.LOG it showed me the error: No cert available for policy decoding.

This made me wonder what happened to my PXE Certificate that I applied to my PXE Service Point. So I took a look at my certificates (System Center Configuration Manager > Site Database > Site Management > <MySiteName> > Site Settings > Certificates > PXE). Here I noticed that my PXE Certificate was just suddenly missing…

So after re-adding my PXE Certificate to my PXE Service Point it all worked fine again. To add a PXE Certificate to the PXE Service Point follow the next steps:

  1. Open the Configuration Manager console and browse to System Center Configuration Manager > Site Database > Site Management > <YourSiteName> > Site Settings > Site Systems.
  2. Select the PXE Service Point and click in the Actions pane Properties to open the ConfigMgr PXE Service Point Properties.
  3. Select the Database tab and select Import Certificate.
  4. Browse to the needed certificate, fill in the Password and click Ok.
Share

Configuration Manager 2007 SP2 RC has been released

Today a little newsflash from the System Center Configuration Manager team.

The System Center Configuration Manager team would like to announce that the following has been released and available for download: Configuration Manager 2007 Service Pack 2 Release Candidate.

This is the official Release Candidate build for Configuration Manager 2007 SP2.

New features:

  • Refer to the SP2 Overview article posted on the primary Configuration Manager MSConnect site for all the new features and new supported configurations.
  • Hotfixes included in SP2 article can be found on the primary Configuration Manager MSConnect page.
  • Deployment guides for BranchCache and the new AMT features are available in the download section.
  • The new OpsMgr07 R2 ConfigMgr07 Management Pack can also be downloaded, this supports 64bit OpsMgr client agents.
  • Please review the Release Notes before performing any installation and upgrade.

Feedback and Support:

  • All registered Sp2 Open Beta users can submit bugs, design change requests (DCR’s), and other feedback. See the help link on the ConfigMgr MSConnect homepage for more instructions.
  • Newsgroups are a great way to post questions and receive general support question answers.

If you experience any issues with the download or the MSConnect site please contact, sccmtap@microsoft.com

Regards,
The Configuration Manager Customer Team

Share

How to control the bandwidth of the package movements in ConfigMgr 2007

In this post I will give some information about how to control the package movement of ConfigMgr 2007. The table in this post shows the Bandwidth Control options with the different Package Movements in ConfigMgr 2007. Besides the Bandwidth Control it also show if it uses Binary Differential Replication (BDR). BDR is used by ConfigMgr 2007 to update package source files with a minimum of additional network traffic. It sends the parts of the package that have changed since the last time the package was sent. This minimizes the network traffic between sites. A file is considered to be changed if it has been renamed, moved, or its contents have changed.

Package Movement Bandwidth Control BDR
From package source directory to site server None No
From site server to standard distribution point None Yes
From parent site server to child site server Bandwidth controlled by Address settings on the sender between sites Yes
From child site server to child standard distribution point None Yes
From standard distribution point to branch distribution point BITS or manually pre-staged on the branch distribution point Yes
From standard distribution point to client BITS, if BITS-enabled distribution point is available and advertisement is configured to download and run locally. No
From branch distribution point to client None No

More information about Distribution Points:
http://technet.microsoft.com/en-us/library/bb680614.aspx
More information about Binary Differential Replication:
http://technet.microsoft.com/en-us/library/bb680614.aspx

Share

Installing Software Updates via a Task Sequence in ConfigMgr 2007

I noticed that when your Site is running in Native Mode you can run into problems with installing Software Updates via a Task Sequence. The first time that your are installing your computer with your Task Sequence there are no problems, but every time after that the Task Sequence will finish successful but doesn’t install any Software Updates. It looks like that it will use existing scan results of the client from the previous scan. So when there are already scan results of your client it will not rescan during your Task Sequence.

To work around this I use the following scripts (that I run before the step Install Software Updates in the Task Sequence):

  1. Initiate Software Updates Scan: http://msdn.microsoft.com/en-us/library/cc144313.aspx
    actionNameToRun = “Software Updates Assignments Evaluation Cycle”

    Dim oCPAppletMgr
    Set oCPAppletMgr = CreateObject(“CPApplet.CPAppletMgr”)

    Dim oClientActions
    Set oClientActions = oCPAppletMgr.GetClientActions()

    ‘Loop through the available client actions. Run the matching client action when it is found.
    Dim oClientAction
    For Each oClientAction In oClientActions
       If oClientAction.Name = actionNameToRun Then
          oClientAction.PerformAction 
       End If
    Next

  2. Refresh Compliance State: http://msdn.microsoft.com/en-us/library/cc146437.aspx
    dim newCCMUpdatesStore
    set newCCMUpdatesStore = CreateObject (“Microsoft.CCM.UpdatesStore”)

    ‘Refresh the server compliance state by running the RefreshServerComplianceState method.
    newCCMUpdatesStore.RefreshServerComplianceState

The first script Initiate Software Updates Scan is to let the client check if it needs new updates and the second script Refresh Compliance State is to let the client report back to the server that it needs updates.

Note: It can also happen when you are trying to avoid obsolete clients by starting the Task Sequence via Run Advertised Program.

Share

How to install the App-V Client with ConfigMgr 2007

In some of my previous posts I mentioned that you still need the App-V Client to run the Virtual Applications. In this post I will tell the easiest way to install the App-V Client with ConfigMgr 2007. A prerequisite for this is that ConfigMgr 2007 SP1 R2 is installed and that the source files of the App-V Client (version 4.5 (CU1)) are available on a network share.

For installing the App-V Client with ConfigMgr there is a Package Definition file added by the R2 installation. I would recommend to use this file for installing the App-V Client with ConfigMgr. To do this follow the next steps:

  1. Open the Configuration Manager Console and browse to System Center Configuration Manager > Site Database > Computer Management > Software Distribution.
  2. Select Packages and click in the Actions pane New > Package From Definition to open the Create Package from Definition Wizard
  3. On the Welcome page, click Next.
  4. On the Package Definition page Browse to the AppVirtMgmtClient.sms file (the default location for the AppVirtMgmtClient.sms file is <Installation directory>\SMS\Tools\VirtualApp\AppVirtMgmtClient.sms) and click Next.
  5. On the Source Files page select Always obtain files from a source directory and click Next.
  6. On the Source Directory page Browse to the directory that contains the source files for the App-V Client and click Next
  7. On the Summary page review the Details and click Finish.
  8. To access the new package select the Packages node and the package will show in the Results pane.

Note: Do not forget to create a Distribution Point for the new package before advertising it.

Share

How to make a Virtual Application stream from a Distribution Point in ConfigMgr 2007

As a follow up on my previous post I will put another short version of a new "guide" that I created for Windowsnoob. This time it is about the settings that are needed to make a Virtual Application stream from a Distribution Point.  A prerequisite for being able to make these settings is that ConfigMgr 2007 SP1 R2 is installed. Keep in mind that even when you are streaming a Virtual Application with ConfigMgr you will still need the App-V Client to run the applications.

To stream a Virtual Application from a Distribution Point with ConfigMgr follow the next steps:VirtAppAdvDPProp

  1. Open the Configuration Manager Console and browse to System Center Configuration Manager > Site Database > Computer Management > Software Distribution > Advertisements
  2. Select an Advertisement of a Virtual Application and click in the Actions panel on Properties.
  3. Select the Distribution tab (see picture). This is where to select whether or not this Virtual Application should be streamed from the Distribution Point.

Keep in mind that when you select this it will work for all the clients that get the Advertisement. So before you do this you should really think about the load it creates and the mobility of your users.

See for an extended version with screenshots: http://www.windows-noob.com/forums/index.php?showtopic=1131
See for creating a Virtual Application Package in ConfigMgr: http://www.windows-noob.com/forums/index.php?showtopic=1129

Share

How to make ConfigMgr 2007 ready to advertise and stream Virtual Applications

In this post I will put a short version of the “guide” that I made for Windows-Noob about the settings that are needed to be able to advertise and stream Virtual Applications. A prerequisite for being able to make these settings is that ConfigMgr 2007 SP1 R2 is installed. Keep in mind that even when you have ConfigMgr configured for Virtual Applications you will still need the App-V Client to run the applications.

To be able advertise Virtual Applications the Advertised Programs Client Agent has to be enabled for running virtual application packages. To do this, follow the next steps:

  1. Open the Configuration Manager console and navigate to System Center Configuration Manager > Site Database > Site Management > <your_sitename> > Site Settings > Client Agents
  2. Right-click the Advertised Programs Client Agent and select Properties
  3. On the General tab click Allow virtual application package advertisement to enable the client for running Virtual Applications. 
  4. Click OK to close the properties.

Note: This enables the Advertised Programs Client Agent to run Virtual Application packages on ALL Configuration Manager 2007 client computers in the site.

To be able to stream Virtual Applications the Distribution Point has to be enabled for streaming virtual application packages. To do this, follow the next steps:

  1. Open the Configuration Manager console and navigate to System Center Configuration Manager > Site Database > Site Management > <your_sitename> > Site Settings > Site Systems, and select the name of the Server or the Server Share. 
  2. Right-click the ConfigMgr distribution point, in the results pane, and select Properties
  3. On the Virtual Applications tab select Enable virtual application streaming
  4. Click Ok to close the properties.

Note: To be able to select Enable virtual application streaming make sure Allow clients to transfer content from this distribution point using BITS, HTTP, and HTTPS (required for device clients and Internet-based clients). is selected on the General tab.

See for an extended version with screenshots: http://www.windows-noob.com/forums/index.php?showtopic=1123

Share

ConfigMgr 2007, USMT 4.0 and moving collected files to :\Data

This weekend I’ve been playing with USMT 4.0 in combination with ConfigMgr R2 SP2 Beta. I have to say that it is a very powerful combination and I feel a bit stupid that I didn’t do much with it before. I always install it, with every installation that I do, but I never really did something with it. When I was diving in to it I found a special part of MigUser.xml.

<!– Uncomment the following if you want all the files collected from the above rules to move to <systemDrive>:\data –>
<!–                <locationModify script=”MigXmlHelper.Move(‘%SYSTEMDRIVE%\Data’)”>
                    <objectSet>
                    <objectSet>
                        <script>MigXmlHelper.GenerateDrivePatterns (“* [*.qdf]”, “Fixed”)</script>
                        <script>MigXmlHelper.GenerateDrivePatterns (“* [*.qsd]”, “Fixed”)</script>
                        […]
                        <script>MigXmlHelper.GenerateDrivePatterns (“* [*.mdb]”, “Fixed”)</script>
                        <script>MigXmlHelper.GenerateDrivePatterns (“* [*.pub]”, “Fixed”)</script>
                    </objectSet>
                </locationModify>
–>

This part is about moving the collected files to <systemDrive>:\Data when you uncomment it. Of course I had to try this out, but when I did that my Task Sequence errored all the time with the errorcode: 0x00004005. So I took a good look at the MigUser.xml and saw that there was a little mistake in it. It says one time <objectSet> to many. So whenever you uncomment it, don’t forget to delete one time <objectSet>. 

Update: This is the same with MigUser.xml from USMT 3.0.1

Share

Prepare ConfigMgr Client for Capture doesn’t remove the AllowedRootCAHashCode value

In the most situations it doesn’t matter that the AllowedRootCAHashCode value doesn’t get removed during a Capture of the client, but there is one situation where it does matter. This one situation is when there has to be one image for multiple domains and every domain has its own issuing CA’s. This situation is a problem because the client stores a copy of the Root Certificate in the AllowedRootCAHashCode key. Because it contains the wrong value for the Root Certificate the client isn’t able to get a new Site Signing Certificate (which is also stored in the registry), so the client isn’t able to check the policies.

As workaround for this I created a Task Sequence step (in the install Task Sequence) to delete the HKLM\SOFTWARE\Microsoft\CCM\Security\AllowedRootCAHashCode.

Another workaround (which is probably a bit easier) can be found at the ConfigMgr Technet forum (http://social.technet.microsoft.com/Forums/en-US/configmgribcm/thread/3ac574ca-c562-4a44-92da-5c640a71c3c6) where I posted this situation. The workaround posted here is to create a Task Sequence step (in the Build and Capture Task Sequence) to delete the whole HKLM\SOFTWARE\Microsoft\CCM\Security\ key.

More information about the Task Sequence Step Prepare ConfigMgr Client for Capture: http://technet.microsoft.com/en-us/library/bb633049.aspx
More information about Renewing or Changing the Site Signing Certificate: http://technet.microsoft.com/en-us/library/bb633098.aspx

Share

Active Directory Site Boundaries are “static”

Active Directory sites are the easiest way of defining ConfigMgr site boundaries, because they are based on physical segments. BUT besides that, you have to keep in mind that they are also static in two different ways:

  1. All the different subnets have to be manually included and configured in the Active Directory sites.
  2. Once an Active Directory Site Name is selected as an ConfigMgr Site Boundary, ConfigMgr will check on the selected Site Name. Even when you rename the Active Directory site!

For more information about site boundaries: http://technet.microsoft.com/en-us/library/bb633084.aspx

Share