How to control the bandwidth of the package movements in ConfigMgr 2007

In this post I will give some information about how to control the package movement of ConfigMgr 2007. The table in this post shows the Bandwidth Control options for the different Package Movements in ConfigMgr 2007. Besides the Bandwidth Control, it also shows whether the movement uses Binary Differential Replication (BDR). BDR is used by ConfigMgr 2007 to update package source files with a minimum of additional network traffic. It sends only the parts of the package that have changed since the last time the package was sent. This minimizes the network traffic between sites. A file is considered to be changed if it has been renamed, moved, or its contents have changed.

| Package Movement | Bandwidth Control | BDR |
| --- | --- | --- |
| From package source directory to site server | None | No |
| From site server to standard distribution point | None | Yes |
| From parent site server to child site server | Bandwidth controlled by Address settings on the sender between sites | Yes |
| From child site server to child standard distribution point | None | Yes |
| From standard distribution point to branch distribution point | BITS or manually pre-staged on the branch distribution point | Yes |
| From standard distribution point to client | BITS, if BITS-enabled distribution point is available and advertisement is configured to download and run locally. | No |
| From branch distribution point to client | None | No |

More information about Distribution Points:
http://technet.microsoft.com/en-us/library/bb680614.aspx
More information about Binary Differential Replication:
http://technet.microsoft.com/en-us/library/bb680614.aspx

Installing Software Updates via a Task Sequence in ConfigMgr 2007

I noticed that when your Site is running in Native Mode you can run into problems with installing Software Updates via a Task Sequence. The first time that you are installing your computer with your Task Sequence there are no problems, but every time after that the Task Sequence will finish successfully but doesn’t install any Software Updates. It looks like it will use existing scan results of the client from the previous scan. So when there are already scan results of your client it will not rescan during your Task Sequence.

To work around this I use the following scripts (that I run before the step Install Software Updates in the Task Sequence):

  1. Initiate Software Updates Scan: http://msdn.microsoft.com/en-us/library/cc144313.aspx
    ' Name of the client action to trigger.
    Dim actionNameToRun
    actionNameToRun = "Software Updates Assignments Evaluation Cycle"

    Dim oCPAppletMgr
    Set oCPAppletMgr = CreateObject("CPApplet.CPAppletMgr")

    Dim oClientActions
    Set oClientActions = oCPAppletMgr.GetClientActions()

    ' Loop through the available client actions. Run the matching client action when it is found.
    Dim oClientAction
    For Each oClientAction In oClientActions
       If oClientAction.Name = actionNameToRun Then
          oClientAction.PerformAction
       End If
    Next

  2. Refresh Compliance State: http://msdn.microsoft.com/en-us/library/cc146437.aspx
    Dim newCCMUpdatesStore
    Set newCCMUpdatesStore = CreateObject("Microsoft.CCM.UpdatesStore")

    ' Refresh the server compliance state by running the RefreshServerComplianceState method.
    newCCMUpdatesStore.RefreshServerComplianceState

The first script Initiate Software Updates Scan is to let the client check if it needs new updates and the second script Refresh Compliance State is to let the client report back to the server that it needs updates.

Note: It can also happen when you are trying to avoid obsolete clients by starting the Task Sequence via Run Advertised Program.

How to install the App-V Client with ConfigMgr 2007

In some of my previous posts I mentioned that you still need the App-V Client to run the Virtual Applications. In this post I will describe the easiest way to install the App-V Client with ConfigMgr 2007. A prerequisite for this is that ConfigMgr 2007 SP1 R2 is installed and that the source files of the App-V Client (version 4.5 (CU1)) are available on a network share.

For installing the App-V Client with ConfigMgr there is a Package Definition file added by the R2 installation. I would recommend using this file for installing the App-V Client with ConfigMgr. To do this, follow the next steps:

  1. Open the Configuration Manager Console and browse to System Center Configuration Manager > Site Database > Computer Management > Software Distribution.
  2. Select Packages and, in the Actions pane, click New > Package From Definition to open the Create Package from Definition Wizard.
  3. On the Welcome page, click Next.
  4. On the Package Definition page Browse to the AppVirtMgmtClient.sms file (the default location for the AppVirtMgmtClient.sms file is <Installation directory>\SMS\Tools\VirtualApp\AppVirtMgmtClient.sms) and click Next.
  5. On the Source Files page select Always obtain files from a source directory and click Next.
  6. On the Source Directory page Browse to the directory that contains the source files for the App-V Client and click Next.
  7. On the Summary page review the Details and click Finish.
  8. To access the new package select the Packages node and the package will show in the Results pane.

Note: Do not forget to create a Distribution Point for the new package before advertising it.

How to make a Virtual Application stream from a Distribution Point in ConfigMgr 2007

As a follow up on my previous post I will put another short version of a new "guide" that I created for Windowsnoob. This time it is about the settings that are needed to make a Virtual Application stream from a Distribution Point.  A prerequisite for being able to make these settings is that ConfigMgr 2007 SP1 R2 is installed. Keep in mind that even when you are streaming a Virtual Application with ConfigMgr you will still need the App-V Client to run the applications.

To stream a Virtual Application from a Distribution Point with ConfigMgr follow the next steps:

  1. Open the Configuration Manager Console and browse to System Center Configuration Manager > Site Database > Computer Management > Software Distribution > Advertisements
  2. Select an Advertisement of a Virtual Application and click in the Actions panel on Properties.
  3. Select the Distribution tab (see picture). This is where to select whether or not this Virtual Application should be streamed from the Distribution Point.

Keep in mind that when you select this it will work for all the clients that get the Advertisement. So before you do this you should really think about the load it creates and the mobility of your users.

See for an extended version with screenshots: http://www.windows-noob.com/forums/index.php?showtopic=1131
See for creating a Virtual Application Package in ConfigMgr: http://www.windows-noob.com/forums/index.php?showtopic=1129

How to make ConfigMgr 2007 ready to advertise and stream Virtual Applications

In this post I will put a short version of the “guide” that I made for Windows-Noob about the settings that are needed to be able to advertise and stream Virtual Applications. A prerequisite for being able to make these settings is that ConfigMgr 2007 SP1 R2 is installed. Keep in mind that even when you have ConfigMgr configured for Virtual Applications you will still need the App-V Client to run the applications.

To be able to advertise Virtual Applications, the Advertised Programs Client Agent has to be enabled for running virtual application packages. To do this, follow the next steps:

  1. Open the Configuration Manager console and navigate to System Center Configuration Manager > Site Database > Site Management > <your_sitename> > Site Settings > Client Agents
  2. Right-click the Advertised Programs Client Agent and select Properties
  3. On the General tab click Allow virtual application package advertisement to enable the client for running Virtual Applications. 
  4. Click OK to close the properties.

Note: This enables the Advertised Programs Client Agent to run Virtual Application packages on ALL Configuration Manager 2007 client computers in the site.

To be able to stream Virtual Applications the Distribution Point has to be enabled for streaming virtual application packages. To do this, follow the next steps:

  1. Open the Configuration Manager console and navigate to System Center Configuration Manager > Site Database > Site Management > <your_sitename> > Site Settings > Site Systems, and select the name of the Server or the Server Share. 
  2. In the results pane, right-click the ConfigMgr distribution point and select Properties.
  3. On the Virtual Applications tab select Enable virtual application streaming.
  4. Click OK to close the properties.

Note: To be able to select Enable virtual application streaming make sure Allow clients to transfer content from this distribution point using BITS, HTTP, and HTTPS (required for device clients and Internet-based clients). is selected on the General tab.

See for an extended version with screenshots: http://www.windows-noob.com/forums/index.php?showtopic=1123

ConfigMgr 2007, USMT 4.0 and moving collected files to <systemDrive>:\Data

This weekend I’ve been playing with USMT 4.0 in combination with ConfigMgr R2 SP2 Beta. I have to say that it is a very powerful combination and I feel a bit stupid that I didn’t do much with it before. I always install it, with every installation that I do, but I never really did something with it. When I was diving into it I found a special part of MigUser.xml.

<!-- Uncomment the following if you want all the files collected from the above rules to move to <systemDrive>:\data -->
<!--                <locationModify script="MigXmlHelper.Move('%SYSTEMDRIVE%\Data')">
                    <objectSet>
                    <objectSet>
                        <script>MigXmlHelper.GenerateDrivePatterns ("* [*.qdf]", "Fixed")</script>
                        <script>MigXmlHelper.GenerateDrivePatterns ("* [*.qsd]", "Fixed")</script>
                        […]
                        <script>MigXmlHelper.GenerateDrivePatterns ("* [*.mdb]", "Fixed")</script>
                        <script>MigXmlHelper.GenerateDrivePatterns ("* [*.pub]", "Fixed")</script>
                    </objectSet>
                </locationModify>
-->

This part is about moving the collected files to <systemDrive>:\Data when you uncomment it. Of course I had to try this out, but when I did that my Task Sequence errored all the time with the error code: 0x00004005. So I took a good look at the MigUser.xml and saw that there was a little mistake in it. It has one <objectSet> too many. So whenever you uncomment it, don’t forget to delete one <objectSet>.

Update: This is the same with MigUser.xml from USMT 3.0.1
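
A pre-flight well-formedness check for an edited MigUser.xml, added here as an example and not part of the original post or of USMT. The fragment is a shortened, constructed copy of the block above with a single pattern line, and `find_unclosed` is a hypothetical helper name.

```python
import xml.parsers.expat

# Constructed sample: the uncommented block with the duplicated <objectSet>.
SHIPPED_FRAGMENT = r"""<locationModify script="MigXmlHelper.Move('%SYSTEMDRIVE%\Data')">
  <objectSet>
  <objectSet>
    <script>MigXmlHelper.GenerateDrivePatterns ("* [*.mdb]", "Fixed")</script>
  </objectSet>
</locationModify>"""

# Same fragment with one <objectSet> removed, as the post recommends.
FIXED_FRAGMENT = SHIPPED_FRAGMENT.replace("  <objectSet>\n", "", 1)


def find_unclosed(xml_text):
    """Return None when xml_text is well-formed; otherwise describe the
    parse error and list the elements still open, with their line numbers."""
    parser = xml.parsers.expat.ParserCreate()
    open_elements = []  # stack of (element name, line where it was opened)

    def on_start(name, attrs):
        open_elements.append((name, parser.CurrentLineNumber))

    def on_end(name):
        open_elements.pop()

    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(xml_text, True)
    except xml.parsers.expat.ExpatError as exc:
        return {"error": str(exc), "line": exc.lineno, "open": list(open_elements)}
    return None


if __name__ == "__main__":
    for label, text in (("shipped", SHIPPED_FRAGMENT), ("fixed", FIXED_FRAGMENT)):
        problem = find_unclosed(text)
        if problem is None:
            print(label, "is well-formed")
        else:
            name, line = problem["open"][-1]
            print(label, "fails:", problem["error"],
                  "- <%s> opened on line %d is never closed" % (name, line))
```

Running it against the real file after uncommenting the block points at the line of the extra <objectSet> before the Task Sequence ever loads the XML.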

Prepare ConfigMgr Client for Capture doesn’t remove the AllowedRootCAHashCode value

In most situations it doesn’t matter that the AllowedRootCAHashCode value doesn’t get removed during a Capture of the client, but there is one situation where it does matter. This one situation is when there has to be one image for multiple domains and every domain has its own issuing CAs. This situation is a problem because the client stores a copy of the Root Certificate in the AllowedRootCAHashCode key. Because it contains the wrong value for the Root Certificate the client isn’t able to get a new Site Signing Certificate (which is also stored in the registry), so the client isn’t able to check the policies.

As a workaround for this I created a Task Sequence step (in the install Task Sequence) to delete the HKLM\SOFTWARE\Microsoft\CCM\Security\AllowedRootCAHashCode.

Another workaround (which is probably a bit easier) can be found at the ConfigMgr Technet forum (http://social.technet.microsoft.com/Forums/en-US/configmgribcm/thread/3ac574ca-c562-4a44-92da-5c640a71c3c6) where I posted this situation. The workaround posted here is to create a Task Sequence step (in the Build and Capture Task Sequence) to delete the whole HKLM\SOFTWARE\Microsoft\CCM\Security\ key.

More information about the Task Sequence Step Prepare ConfigMgr Client for Capture: http://technet.microsoft.com/en-us/library/bb633049.aspx
More information about Renewing or Changing the Site Signing Certificate: http://technet.microsoft.com/en-us/library/bb633098.aspx

Active Directory Site Boundaries are “static”

Active Directory sites are the easiest way of defining ConfigMgr site boundaries, because they are based on physical segments. BUT besides that, you have to keep in mind that they are also static in two different ways:

  1. All the different subnets have to be manually included and configured in the Active Directory sites.
  2. Once an Active Directory Site Name is selected as a ConfigMgr Site Boundary, ConfigMgr will check on the selected Site Name. Even when you rename the Active Directory site!

For more information about site boundaries: http://technet.microsoft.com/en-us/library/bb633084.aspx

How a client chooses a Distribution Point

Lately I get and see a lot of situations like this…

Question: I created an extra Distribution Point (DP) on a remote location, but the clients on the remote location are still connecting to the standard DP. Why are these clients not connecting to their local DP?
Answer:
When there are more DP’s in the same site and/or boundary, by default, the client will first connect to the DP with BITS enabled and not the closest one. If you want the clients to connect to their local DP, you have to make the DP protected.

…So I thought it might be handy to write in a few short steps how this process works.

| Step | From | Action |
| --- | --- | --- |
| 1 | Client | Sends a content location request to its Management Point (MP). |
| 2 | MP | The search for Distribution Points (DP’s), with the content, starts in the client’s current site. This can be the client’s assigned site, secondary site attached to it, or a site to which the client is roamed. When the content is not available here the search goes to the assigned site. |
| 3 | MP | The list of found DP’s will be sorted. When a protected DP is found, where the client’s boundary is included, only this will be returned. If there is not a protected DP found it will return a list of non-protected DP’s that host the content. |
| 4 | MP | The remaining DP’s on the list will be marked as local, or remote depending on the boundary that you have connected to it. |
| 5 | MP | The list with available DP’s is sent back to the client. |
| 6 | Client | Tries to connect to the DP’s (of the list) in the following order, first for the local DP’s and then for the remote DP’s: Same IP subnet, Same AD site, remaining. In every category the client prefers DP’s with BITS enabled. |

Then where does it go wrong?? Well, often the assumption is that the client searches for the DP’s by itself. But instead you have to tell your MP which boundaries you have and connect them to your DP’s by protecting them.
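
The lookup steps in the table above, modelled as an added example (not code from ConfigMgr or from the original post). The DP names, subnets, AD site name and boundary name are constructed, the local/remote marking from step 4 is taken as an input flag, and ties inside a category keep their input order, which is an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class DP:
    name: str
    subnet: str                # IP subnet the DP sits in (CIDR)
    ad_site: str
    bits: bool                 # BITS-enabled distribution point
    local: bool = True         # step 4: the MP's local/remote marking
    protected_for: tuple = ()  # boundaries it is protected for; empty = unprotected


def mp_candidates(dps, client_boundary):
    """Step 3: a protected DP that includes the client's boundary is the only
    one returned; otherwise every non-protected DP with the content is."""
    protected = [d for d in dps if client_boundary in d.protected_for]
    if protected:
        return protected
    return [d for d in dps if not d.protected_for]


def client_order(dps, client_ip, client_site):
    """Step 6: local before remote; then same subnet, same AD site, remaining;
    inside each category BITS-enabled DPs come first."""
    def key(dp):
        if ip_address(client_ip) in ip_network(dp.subnet):
            proximity = 0
        elif dp.ad_site == client_site:
            proximity = 1
        else:
            proximity = 2
        return (not dp.local, proximity, not dp.bits)
    return [dp.name for dp in sorted(dps, key=key)]


def locate(dps, client_ip, client_site, client_boundary):
    """MP filtering followed by the client's connection order."""
    return client_order(mp_candidates(dps, client_boundary), client_ip, client_site)


# Constructed scenario: a branch client in the same AD site as both DPs,
# but on a different IP subnet than either of them.
CENTRAL = DP("DP-CENTRAL", "10.1.0.0/24", "HQ", bits=True)
BRANCH = DP("DP-BRANCH", "10.2.0.0/24", "HQ", bits=False)
BRANCH_PROTECTED = DP("DP-BRANCH", "10.2.0.0/24", "HQ", bits=False,
                      protected_for=("BRANCH-BOUNDARY",))

if __name__ == "__main__":
    print(locate([CENTRAL, BRANCH], "10.2.1.15", "HQ", "BRANCH-BOUNDARY"))
    print(locate([CENTRAL, BRANCH_PROTECTED], "10.2.1.15", "HQ", "BRANCH-BOUNDARY"))
```

With both DPs unprotected the BITS-enabled central DP is tried first; once the branch DP is protected for the client's boundary it is the only DP the client receives.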

For extra information: http://technet.microsoft.com/en-us/library/bb632366.aspx

Certificates needed for Native Mode

The biggest problem, for me, with Native Mode were all the certificates that were needed. That’s why I created a table for myself with the basic certificates that are needed for Native Mode and where to add them. The “Where to add” column is based on Windows Server 2008.

| ConfigMgr Component | Use | Where to add |
| --- | --- | --- |
| Primary Site Server | Document Signing | ConfigMgr > Site Management > Site Database > Properties Primary Site > Tab Site Mode |
| Management Point, Proxy Management Point, Distribution Point, Software Update Point and (State Migration Point) | Server Authentication (Web Server Template) | IIS > -Right-click- Sites > Edit Bindings > HTTPS -Edit- |
| Client computers | Client Authentication (Computer Template) | GPO > Policies > Computer Configuration > Windows Settings > Security Settings > Public Key Policies > -Right-click- Certificate Services Client – Auto-enrollment |
| Operating System Deployment/PXE | Client Authentication (Workstation Template). Don’t forget the option: Allow Private Key to be exported | ConfigMgr > Site Management > Site Database > Primary Site > Site Settings > Site Systems > Properties ConfigMgr PXE Service Point > Tab Database |
| Root CA for OSD | Root | ConfigMgr > Site Management > Site Database > Properties Primary Site > Tab Site Mode > Specify Root CA Certificates… |

 

For more detailed information: http://technet.microsoft.com/en-us/library/bb680733.aspx