How to make a Virtual Application stream from a Distribution Point in ConfigMgr 2007

As a follow-up to my previous post, here is another short version of a new "guide" that I created for Windowsnoob. This time it is about the settings that are needed to make a Virtual Application stream from a Distribution Point. A prerequisite for being able to make these settings is that ConfigMgr 2007 SP1 R2 is installed. Keep in mind that even when you are streaming a Virtual Application with ConfigMgr you will still need the App-V Client to run the applications.

To stream a Virtual Application from a Distribution Point with ConfigMgr, follow the next steps:

  1. Open the Configuration Manager Console and browse to System Center Configuration Manager > Site Database > Computer Management > Software Distribution > Advertisements
  2. Select an Advertisement of a Virtual Application and click in the Actions panel on Properties.
  3. Select the Distribution tab (see picture). This is where to select whether or not this Virtual Application should be streamed from the Distribution Point.

Keep in mind that when you select this it will work for all the clients that get the Advertisement. So before you do this you should really think about the load it creates and the mobility of your users.

See for an extended version with screenshots: http://www.windows-noob.com/forums/index.php?showtopic=1131
See for creating a Virtual Application Package in ConfigMgr: http://www.windows-noob.com/forums/index.php?showtopic=1129

How to make ConfigMgr 2007 ready to advertise and stream Virtual Applications

In this post I will put a short version of the “guide” that I made for Windows-Noob about the settings that are needed to be able to advertise and stream Virtual Applications. A prerequisite for being able to make these settings is that ConfigMgr 2007 SP1 R2 is installed. Keep in mind that even when you have ConfigMgr configured for Virtual Applications you will still need the App-V Client to run the applications.

To be able to advertise Virtual Applications, the Advertised Programs Client Agent has to be enabled for running virtual application packages. To do this, follow the next steps:

  1. Open the Configuration Manager console and navigate to System Center Configuration Manager > Site Database > Site Management > <your_sitename> > Site Settings > Client Agents
  2. Right-click the Advertised Programs Client Agent and select Properties
  3. On the General tab click Allow virtual application package advertisement to enable the client for running Virtual Applications. 
  4. Click OK to close the properties.

Note: This enables the Advertised Programs Client Agent to run Virtual Application packages on ALL Configuration Manager 2007 client computers in the site.

To be able to stream Virtual Applications the Distribution Point has to be enabled for streaming virtual application packages. To do this, follow the next steps:

  1. Open the Configuration Manager console and navigate to System Center Configuration Manager > Site Database > Site Management > <your_sitename> > Site Settings > Site Systems, and select the name of the Server or the Server Share. 
  2. Right-click the ConfigMgr distribution point, in the results pane, and select Properties
  3. On the Virtual Applications tab select Enable virtual application streaming
  4. Click Ok to close the properties.

Note: To be able to select Enable virtual application streaming, make sure that Allow clients to transfer content from this distribution point using BITS, HTTP, and HTTPS (required for device clients and Internet-based clients) is selected on the General tab.

See for an extended version with screenshots: http://www.windows-noob.com/forums/index.php?showtopic=1123

ConfigMgr 2007, USMT 4.0 and moving collected files to :\Data

This weekend I’ve been playing with USMT 4.0 in combination with ConfigMgr R2 SP2 Beta. I have to say that it is a very powerful combination and I feel a bit stupid that I didn’t do much with it before. I always install it, with every installation that I do, but I never really did something with it. When I was diving into it I found a special part of MigUser.xml.

<!-- Uncomment the following if you want all the files collected from the above rules to move to <systemDrive>:\data -->
<!--                <locationModify script="MigXmlHelper.Move('%SYSTEMDRIVE%\Data')">
                    <objectSet>
                    <objectSet>
                        <script>MigXmlHelper.GenerateDrivePatterns ("* [*.qdf]", "Fixed")</script>
                        <script>MigXmlHelper.GenerateDrivePatterns ("* [*.qsd]", "Fixed")</script>
                        […]
                        <script>MigXmlHelper.GenerateDrivePatterns ("* [*.mdb]", "Fixed")</script>
                        <script>MigXmlHelper.GenerateDrivePatterns ("* [*.pub]", "Fixed")</script>
                    </objectSet>
                </locationModify>
-->

This part is about moving the collected files to <systemDrive>:\Data when you uncomment it. Of course I had to try this out, but when I did that my Task Sequence errored all the time with the error code 0x00004005. So I took a good look at the MigUser.xml and saw that there was a little mistake in it. It has one <objectSet> too many. So whenever you uncomment it, don’t forget to delete one <objectSet>.

Update: This is the same with MigUser.xml from USMT 3.0.1
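An added check, not from the original post, that reproduces the problem with Python's XML parser: a constructed, shortened copy of the MigUser.xml block quoted above (the elided scripts left out) fails to parse once uncommented because of the surplus <objectSet>, while the corrected copy is well-formed. check_file() does the same for a complete MigUser.xml on disk.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the locationModify block as it ships in MigUser.xml
# (elided drive-pattern scripts left out): two <objectSet> opening tags but
# only one closing tag, which is what breaks the XML once it is uncommented.
BROKEN_FRAGMENT = """
<locationModify script="MigXmlHelper.Move('%SYSTEMDRIVE%\\Data')">
    <objectSet>
    <objectSet>
        <script>MigXmlHelper.GenerateDrivePatterns ("* [*.qdf]", "Fixed")</script>
        <script>MigXmlHelper.GenerateDrivePatterns ("* [*.pub]", "Fixed")</script>
    </objectSet>
</locationModify>
"""

# The same block with the surplus <objectSet> removed.
FIXED_FRAGMENT = BROKEN_FRAGMENT.replace("<objectSet>\n    <objectSet>", "<objectSet>", 1)


def check_fragment(fragment):
    """Wrap the fragment in a dummy root and parse it.
    Returns (ok, detail); ok is False when the XML is not well-formed."""
    try:
        ET.fromstring("<root>" + fragment + "</root>")
        return True, "well-formed"
    except ET.ParseError as err:
        return False, str(err)


def tag_imbalance(fragment, tag="objectSet"):
    """Opening minus closing occurrences of <tag>; 0 means balanced."""
    return fragment.count("<%s>" % tag) - fragment.count("</%s>" % tag)


def check_file(path):
    """Parse a complete MigUser.xml, e.g. after uncommenting the block."""
    try:
        ET.parse(path)
        return True, "well-formed"
    except ET.ParseError as err:
        return False, str(err)


if __name__ == "__main__":
    for label, frag in (("as shipped", BROKEN_FRAGMENT), ("fixed", FIXED_FRAGMENT)):
        print(label, check_fragment(frag), "objectSet imbalance:", tag_imbalance(frag))
```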

Prepare ConfigMgr Client for Capture doesn’t remove the AllowedRootCAHashCode value

In most situations it doesn’t matter that the AllowedRootCAHashCode value doesn’t get removed during a Capture of the client, but there is one situation where it does matter: when there has to be one image for multiple domains and every domain has its own issuing CAs. This situation is a problem because the client stores a copy of the Root Certificate in the AllowedRootCAHashCode key. Because it contains the wrong value for the Root Certificate, the client isn’t able to get a new Site Signing Certificate (which is also stored in the registry), so the client isn’t able to check the policies.

As a workaround for this I created a Task Sequence step (in the install Task Sequence) to delete the HKLM\SOFTWARE\Microsoft\CCM\Security\AllowedRootCAHashCode value.

Another workaround (which is probably a bit easier) can be found at the ConfigMgr Technet forum (http://social.technet.microsoft.com/Forums/en-US/configmgribcm/thread/3ac574ca-c562-4a44-92da-5c640a71c3c6) where I posted this situation. The workaround posted here is to create a Task Sequence step (in the Build and Capture Task Sequence) to delete the whole HKLM\SOFTWARE\Microsoft\CCM\Security\ key.

More information about the Task Sequence Step Prepare ConfigMgr Client for Capture: http://technet.microsoft.com/en-us/library/bb633049.aspx
More information about Renewing or Changing the Site Signing Certificate: http://technet.microsoft.com/en-us/library/bb633098.aspx

Active Directory Site Boundaries are “static”

Active Directory sites are the easiest way of defining ConfigMgr site boundaries, because they are based on physical segments. BUT besides that, you have to keep in mind that they are also static in two different ways:

  1. All the different subnets have to be manually included and configured in the Active Directory sites.
  2. Once an Active Directory Site Name is selected as a ConfigMgr Site Boundary, ConfigMgr will keep checking against the selected Site Name. Even when you rename the Active Directory site!

For more information about site boundaries: http://technet.microsoft.com/en-us/library/bb633084.aspx

How a client chooses a Distribution Point

Lately I get and see a lot of situations like this…

Question: I created an extra Distribution Point (DP) on a remote location, but the clients on the remote location are still connecting to the standard DP. Why are these clients not connecting to their local DP?
Answer:
When there are more DPs in the same site and/or boundary, by default, the client will first connect to the DP with BITS enabled and not the closest one. If you want the clients to connect to their local DP, you have to make the DP protected.

…So I thought it might be handy to write in a few short steps how this process works.

Step 1 (Client): Sends a content location request to its Management Point (MP).
Step 2 (MP): The search for Distribution Points (DPs) with the content starts in the client’s current site. This can be the client’s assigned site, a secondary site attached to it, or a site to which the client has roamed. When the content is not available there, the search continues in the assigned site.
Step 3 (MP): The list of found DPs is sorted. When a protected DP is found whose boundaries include the client’s boundary, only that DP is returned. If no protected DP is found, a list of non-protected DPs that host the content is returned.
Step 4 (MP): The remaining DPs on the list are marked as local or remote, depending on the boundary that you have connected to them.
Step 5 (MP): The list of available DPs is sent back to the client.
Step 6 (Client): Tries to connect to the DPs on the list in the following order, first for the local DPs and then for the remote DPs: same IP subnet, same AD site, remaining. In every category the client prefers DPs with BITS enabled.

Then where does it go wrong?? Well, often the assumption is that the client searches for the DPs by itself. But instead you have to tell your MP which boundaries you have and connect them to your DPs by protecting them.
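To make the six steps concrete, here is an added Python model (not part of the original post, nor ConfigMgr code) of the MP’s filtering and the client’s ordering. DP names, subnets, boundaries and the package ID are constructed; demo() replays the question above, where the branch DP is ignored until it is protected with the branch boundary attached.

```python
from dataclasses import dataclass, replace

# Constructed model of the MP/client content-location steps described above.
@dataclass(frozen=True)
class DP:
    name: str
    bits: bool                                     # BITS enabled on this DP
    subnet: str
    ad_site: str
    protected: bool = False
    boundaries: frozenset = frozenset()            # boundaries connected to this DP
    content: frozenset = frozenset({"PKG00001"})   # package IDs it hosts (constructed)

@dataclass(frozen=True)
class Client:
    boundary: str
    subnet: str
    ad_site: str

def mp_content_locations(dps, client, package_id):
    """Steps 2-5: what the MP returns. A protected DP whose boundaries include the
    client's boundary wins outright; otherwise every non-protected DP hosting the
    content is returned, each marked local (True) or remote (False)."""
    hosting = [dp for dp in dps if package_id in dp.content]
    protected = [dp for dp in hosting if dp.protected and client.boundary in dp.boundaries]
    candidates = protected or [dp for dp in hosting if not dp.protected]
    return [(dp, client.boundary in dp.boundaries) for dp in candidates]

def client_order(locations, client):
    """Step 6: local before remote; within each, same subnet, then same AD site,
    then the rest; within each category BITS-enabled DPs first."""
    def rank(item):
        dp, local = item
        category = 0 if dp.subnet == client.subnet else 1 if dp.ad_site == client.ad_site else 2
        return (0 if local else 1, category, 0 if dp.bits else 1)
    return [dp.name for dp, _ in sorted(locations, key=rank)]

def demo():
    """The situation from the question: a branch DP (no BITS, other subnet than the
    client, same AD site as HQ) loses to the BITS-enabled HQ DP until it is protected."""
    hq = DP("HQ-DP", bits=True, subnet="10.1.0.0/24", ad_site="Default-First-Site-Name")
    branch = DP("BRANCH-DP", bits=False, subnet="10.2.1.0/24", ad_site="Default-First-Site-Name")
    client = Client(boundary="Branch", subnet="10.2.2.0/24", ad_site="Default-First-Site-Name")
    before = client_order(mp_content_locations([hq, branch], client, "PKG00001"), client)
    branch_protected = replace(branch, protected=True, boundaries=frozenset({"Branch"}))
    after = client_order(mp_content_locations([hq, branch_protected], client, "PKG00001"), client)
    return before, after

if __name__ == "__main__":
    print(demo())
```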

For extra information: http://technet.microsoft.com/en-us/library/bb632366.aspx

Certificates needed for Native Mode

The biggest problem, for me, with Native Mode were all the certificates that were needed. That’s why I created a table for myself with the basic certificates that are needed for Native Mode and where to add them. The “Where to add” column is based on Windows Server 2008.

Component: Primary Site Server
Use: Document Signing
Where to add: ConfigMgr > Site Management > Site Database > Properties Primary Site > Tab Site Mode

Component: Management Point, Proxy Management Point, Distribution Point, Software Update Point and (State Migration Point)
Use: Server Authentication (Web Server Template)
Where to add: IIS > -Right-click- Sites > Edit Bindings > HTTPS -Edit-

Component: Client computers
Use: Client Authentication (Computer Template)
Where to add: GPO > Policies > Computer Configuration > Windows Settings > Security Settings > Public Key Policies > -Right-click- Certificate Services Client - Auto-enrollment

Component: Operating System Deployment/PXE
Use: Client Authentication (Workstation Template). Don’t forget the option: Allow Private Key to be exported
Where to add: ConfigMgr > Site Management > Site Database > Primary Site > Site Settings > Site Systems > Properties ConfigMgr PXE Service Point > Tab Database

Component: Root CA for OSD
Use: Root
Where to add: ConfigMgr > Site Management > Site Database > Properties Primary Site > Tab Site Mode > Specify Root CA Certificates…
For more detailed information: http://technet.microsoft.com/en-us/library/bb680733.aspx

Rename your ConfigMgr Primary Site

Once you have installed your ConfigMgr Primary Site it is not possible to change the name of your Primary Site. At least not through the console… But what if you made a mistake or your company changes its naming conventions?? Well, there is one way to change it. First of all, stop the SMS_EXECUTIVE service. After that open the site control file (<Installation directory>\Microsoft Configuration Manager\inboxes\sitectrl.box\Sitectrl.ct0) and search for BEGIN_SITE_DEFINITION. Close to that you will find your Primary Site name, which you can change (do not change anything else!!). After this save the file and start the SMS_EXECUTIVE service again. Then, after a few site refreshes, your Primary Site name will be changed.

In some cases it could be possible that you also have to change the value of the registry key HKLM\Software\Microsoft\SMS\Identification.

Update: Keep in mind that editing the sitectrl.ct0 is not supported by Microsoft!

ConfigMgr Backup in combination with WSUS

I noticed that the scheduled backup of ConfigMgr can conflict with the installation of WSUS. When you have WSUS 3.0 SP1 installed on the same machine as your ConfigMgr Site you can, on random occasions, get problems with your WSUS installation. This is what happens: during the execution of the ConfigMgr Backup it does some kind of a health check. When it then notices that the SUP/WSUS is not responding well, it will try to do a repair action of WSUS. At this point the problem starts, because the installer of WSUS 3.0 SP1 doesn’t have a repair function, so WSUS will get uninstalled… After this has happened you can get errors like “Sync failed: WSUS server not configured. Source: CWSyncMgr::DoSync SMS_WSUS_SYNC_MANAGER” in the ConfigMgr Site Status.

There are two ways to work around this:

  • Disable the backup of ConfigMgr (not really an option).
  • Make sure that the ConfigMgr Backup can’t find the WSUS 3.0 SP1 installer. You can do this by editing (just change the name or the location of the MSI) the following registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\<Random number>\InstallProperties] “LocalPackage”=”C:\\WINDOWS\\Installer\\<Random number>.msi” “DisplayName”=”Microsoft Windows Server Update Services 3.0”

They say it is getting solved in WSUS 3.0 SP2. When you’re interested in that you can join the RC Program on: https://connect.microsoft.com/site/sitehome.aspx?SiteID=110.

App-V future ready???

Let’s start my first post about App-V being future ready (or not). When I was trying to deploy an App-V Sequence on a Windows 7 Client (with App-V Client 4.5 CU1) the application didn’t seem to work… At first I thought it was just me, so I recreated everything from scratch, but still no luck. The next step was to search on Google and here I found a very helpful link: http://www.softgridblog.com/?p=126.

The solution is this: during the process of making a sequence with the App-V Sequencer you get to the Deployment tab. On this tab you can specify the Operating System (OS) on which this sequence can run. Before the App-V 4.5 CU1 version you didn’t have the option to select Windows 7. This means that the sequence will not be able to run on Windows 7. The sequence can only run on the OS that is selected on the Deployment tab (it is possible to change the OS directly in the OSD file; for this you have to add an extra line like: <OS VALUE="Win7">).

After all this you can say that App-V is future ready, because by adding Windows 7 to the Deployment tab it was possible to deploy the sequence on Windows 7. Just a shame that you have to make changes to already existing sequences…