Remember this?: Software Distribution is currently paused on this computer with ConfigMgr 2007

This is more of a ‘remember this’ for myself than something for general use, as this is a problem that we don’t run into that much. For me it was already the second time, but I couldn’t directly remember what the problem was. So this post will be more of a reminder for the eventual next time…

Also this will be a short post as it will just describe the problem we ran into with my current customer and what the solution was. The problem we ran into was that after we deployed a new machine we could advertise software to it, but the installation would never start. Looking into the execmgr.log we could see the following message: “This program cannot run because a reboot is in progress or software distribution is paused.”.

Well, the solution for this was actually quite simple; just the searching for it took a while… Looking into the registry we could see that the Software Distribution-State-Paused-key was set to 1 and changing this back to 0 resolved the problem. This key can be found in the following location:

  • x86 – HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Mobile Client\Software Distribution\State\
  • x64 – HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\SMS\Mobile Client\Software Distribution\State\ (see picture)

We’re still not quite sure what caused this problem, but it seems to be something with ending a Task Sequence with a restart. After resolving the issue we found some other people with the same issue here and they are also guessing and linking it to the last step of the Task Sequence.
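The check described above can be scripted. This is an added example, not code from the original post; it assumes the registry value is named Paused (as the post’s “State-Paused” wording suggests) and takes the path to execmgr.log as a parameter because the post does not give its location.

```powershell
function Get-SoftwareDistributionPaused {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Optional path to execmgr.log (assumption: supplied by the caller).
        [string]$ExecMgrLog,
        # Write 0 back when the value is 1.
        [switch]$Reset
    )

    # The x86 and x64 locations named in the post.
    $stateKeys = @(
        'HKLM:\SOFTWARE\Microsoft\SMS\Mobile Client\Software Distribution\State',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\SMS\Mobile Client\Software Distribution\State'
    )

    # Count how often the client logged the symptom quoted in the post.
    $logHits = $null
    if ($ExecMgrLog -and (Test-Path -LiteralPath $ExecMgrLog)) {
        $logHits = @(Select-String -Path $ExecMgrLog -SimpleMatch `
            -Pattern 'software distribution is paused').Count
    }

    foreach ($key in $stateKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }

        $props = Get-ItemProperty -LiteralPath $key -ErrorAction Stop
        $value = $props.Paused          # $null when the value does not exist

        $wasReset = $false
        if ($Reset -and $value -eq 1 -and
            $PSCmdlet.ShouldProcess($key, 'Set Paused to 0')) {
            Set-ItemProperty -LiteralPath $key -Name 'Paused' -Value 0
            $wasReset = $true
        }

        # One result object per key that exists on this machine.
        New-Object PSObject -Property @{
            Key     = $key
            Paused  = $value
            Reset   = $wasReset
            LogHits = $logHits
        }
    }
}

# Report only; add -Reset (optionally with -WhatIf) to change the value.
Get-SoftwareDistributionPaused
```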

Remember this?: Re-run Advertisement for one (or more) specific client(s) with ConfigMgr 2007

I’m not sure if this is going to be a ‘remember this’ series, but at least in this case it fits really well. We all know it, but sometimes we need a refresher.

We all know those scenarios where we send an Advertisement to a Collection of clients and for some reason we want to rerun the Advertisement for only one (or more) specific client(s). In this case we can use the general rerun options of an Advertisement (like always rerun), but they will affect all clients in the collection and won’t work for user-targeted Advertisements. So what’s left in this case? Well, the option I like the most is a registry change that tricks the Advertisement into running again. When we look at a client’s registry, we will see the following registry key (depending on the architecture).

  • x86 – HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Mobile Client\Software Distribution\Execution History\System\
  • x64 – HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\SMS\Mobile Client\Software Distribution\Execution History\System\ (see picture)

As this key is located in HKEY_LOCAL_MACHINE, it can also be reached by opening regedit and making a connection to a remote client. Under System we will find the PackageID of each Package that has previously run. When we now delete the PackageID of the Program that we want to rerun, it will trigger the Program to run again (during the next evaluation) even though it already completed successfully.

To find the PackageID that we need, we can open the Configuration Manager Console and select the Packages node (under Site Database > Computer Management > Software Distribution). In the overview there will be a list of all the packages with the corresponding PackageID.
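The registry change described above, as an added example that is not part of the original post: it exports the PackageID key to a .reg file before deleting it, so the execution history can be restored. The function name, the backup directory, the eight-character PackageID pattern and the sample ID XYZ00012 are assumptions made for this example.

```powershell
function Reset-ExecutionHistory {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[A-Za-z0-9]{8}$')]   # assumed PackageID shape
        [string]$PackageID,

        [string]$BackupDirectory = $env:TEMP
    )

    # The x86 and x64 locations named in the post.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\SMS\Mobile Client\Software Distribution\Execution History\System',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\SMS\Mobile Client\Software Distribution\Execution History\System'
    )

    foreach ($root in $roots) {
        $key = "$root\$PackageID"
        if (-not (Test-Path -LiteralPath $key)) { continue }

        # List what is recorded under the PackageID before anything is removed.
        Get-ChildItem -LiteralPath $key | ForEach-Object {
            Write-Verbose ("Recorded entry: {0}" -f $_.Name)
        }

        if (-not $PSCmdlet.ShouldProcess($key, 'Export to .reg file and delete')) {
            continue
        }

        # reg.exe expects HKLM\..., not the PowerShell drive form HKLM:\...
        $nativeKey = $key -replace '^HKLM:\\', 'HKLM\'
        $stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
        $backup    = Join-Path $BackupDirectory "ExecHistory_${PackageID}_$stamp.reg"

        & reg.exe export $nativeKey $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "Export of $nativeKey failed; nothing was deleted."
        }

        # Removing the PackageID key makes the Program eligible to run again.
        Remove-Item -LiteralPath $key -Recurse
        New-Object PSObject -Property @{ Key = $key; Backup = $backup }
    }
}

# Dry run with a constructed PackageID; drop -WhatIf to make the change.
Reset-ExecutionHistory -PackageID 'XYZ00012' -WhatIf -Verbose
```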

Using USMT 4.0 and ConfigMgr 2007 while migrating from local profiles to partially redirected profiles

This time I want to devote a post to a situation I haven’t been in that often. The customer was migrating from Windows XP to Windows 7, well.. nothing special here, but also migrating from local profiles to (partially) redirected profiles, well.. that’s a challenge. So to capture the userdata AND -settings we had to come up with something special. Of course we could do some things with scripting, but the biggest challenge was the fact that the new (partially redirected) profile location was only available after the first logon to Windows 7.

With this information I started thinking about USMT 4.0 again. Most often you use this to migrate on a computer basis, but we made an exception on this. We came up with the following five steps that should do the trick:

  1. (On Windows XP) A batch file that kicks off Scanstate. Nothing special here, just used /uel:1 or /uel:0 to get the user profile we need (0=Logged on user, 1=Modified accounts last 24 hours).
  2. (On Windows XP) A batch file that copies the captured data and settings to the users share on the network.
  3. (On Windows 7) A batch file that copies the captured data and settings back to a local drive.
  4. (On Windows 7) A batch file that kicks off Loadstate. Nothing special here, just used /ue to exclude some possible captured local/ admin account.
  5. (On Windows 7) A batch file that copies the last bits of data straight in to the redirected profile.

The important part is something I didn’t mention yet. In the migration XML files there is the possibility to copy data to an alternative location and that’s what we used for the parts of the profile that would get redirected. The reason for that is simple: the SYSTEM account has no rights to write there, as it is a network location. Here is a sample of the part we added to the migration XML files:

<locationModify script="MigXmlHelper.RelativeMove('%CSIDL_DESKTOP%\', 'C:\Temp\Desktop')">
   <objectSet>
      <pattern type="File">%CSIDL_DESKTOP%\* [*]</pattern>
   </objectSet>    
</locationModify>

This specific part would copy the desktop items to C:\Temp\Desktop instead of the desktop location in the (redirected) profile. Also important to note is that, in this case, all the copy actions have to run with user rights, as it’s all copied to the user’s directory.

Auto Deployment of FEP Definition Updates with ConfigMgr 2007

This week Microsoft released Forefront Endpoint Protection (FEP) 2010 Update Rollup 1 (including some extra tools). The tools update included some extra policies and also a Definition Update Automation Tool. Together with this, there was also an article published about Definition Update Automation with Configuration Manager.

Personally I don’t like the idea of creating a new Task with the Windows Task Scheduler, while we’ve got Status Filter Rules within ConfigMgr. With these rules we can make a “connection” between the scheduled synchronization of the Software Update Point (SUP) and the start of the Definition Update Automation Tool. Otherwise the tool might run while there hasn’t been a new synchronization of the SUP. To prevent this, I will show in this post how to create the Status Filter Rule.

The prerequisites for this post are the same as mentioned in Definition Update Automation with Configuration Manager.

Open the fepsuasetup.cab file and copy SoftwareUpdateAutomation.exe to <Installationdirectory>\AdminUI\bin

In the ConfigMgr Console browse to Site Database > Site Management > <Sitename> > Site Settings > Status Filter Rules and select New Status Filter Rule in the Actions pane.


On the General page, fill in a Name, select as Source ConfigMgr Server, select as Component SMS_WSUS_SYNC_MANAGER, fill in as Message ID 6702 and click Next.

This makes sure that every time the SMS_WSUS_SYNC_MANAGER is DONE this action (which we configure in the next step) will start.


On the Actions page, select Run a Program, fill in as command line "<Installationdirectory>\AdminUI\bin\SoftwareUpdateAutomation.exe" /AssignmentName <DeploymentName> /PackageName <PackageName> and click Next.


On the Summary page, click Next.


On the Summary page, click Finish.


Download Microsoft Forefront Endpoint Protection (FEP) 2010 Update Rollup 1 Tools: http://www.microsoft.com/download/en/details.aspx?id=26613

Update 18-07: There are some issues discovered with the new tool, take a look here for more information and solutions: http://blogs.technet.com/b/clientsecurity/archive/2011/07/18/errors-when-using-the-fep-2010-definition-update-automation-tool.aspx

Update 01-11: A new version of the Definition Update Automation Tool has been released. This version refreshes the Distribution Point by default and has a new option to disable that behavior (/DisableRefreshDP): http://blogs.technet.com/b/configmgrteam/archive/2011/11/01/how-to-use-definition-update-automation-tool-for-forefront-endpoint-protection-2010-update-rollup-1.aspx

The best informational links about FEP 2010 (and its integration with ConfigMgr 2007)

This time I want to devote a post to some of the best informational links about Forefront Endpoint Protection (FEP) 2010 (and its integration with ConfigMgr 2007). These links can make it a lot easier to plan, scale, install, manage and troubleshoot your ConfigMgr 2007 environment with FEP 2010 integrated.

Microsoft Deployment Toolkit 2012 Beta is available!

For those who didn’t read it on Twitter, Facebook or mail yet, MDT 2012 B1 is available for download! Some of the best things mentioned in the release notes are that it supports ConfigMgr 2012 B2 and also still supports ConfigMgr 2007 SP2! Besides that, it also supports the deployment of ALL operating systems from Windows XP and Windows Server 2003 until now. So it only delivers extras! For more information, read the mail from Microsoft Connect here:

Thanks for your ongoing interest and participation in the MDT beta review program. We hope you’ll take the time to preview and provide feedback on MDT 2012 Beta 1.

Download the beta materials on Connect: https://connect.microsoft.com/site14/Downloads/DownloadDetails.aspx?DownloadID=8689

Microsoft Deployment Toolkit (MDT) 2012 Beta 1 rides the next wave of System Center releases with support for System Center Configuration Manager 2012. For Lite Touch installations, MDT 2012 improves the overall client-side user experience, while also providing behind-the-scenes enhancements for partitioning, UEFI, and user state migration. These features, combined with many small enhancements, bug fixes, and a smooth and simple upgrade process, make MDT 2012 Beta 1 more reliable and flexible than ever.

Key Benefits:

  • Fully leverages the capabilities provided by System Center Configuration Manager 2012 for OS deployment.
  • Improved Lite Touch user experience and functionality.
  • A smooth and simple upgrade process for all existing MDT users.

Tell us what you think!
We value your input. Download the beta on Connect and tell us what you think! Please submit your feedback through Connect and direct any support questions you may have to satfdbk@microsoft.com.

Availability
This program is now open. The beta review period will run through August 2011.

Tell your friends
To join the beta review program for Microsoft Deployment Toolkit (MDT) 2012, visit Microsoft Connect:
https://connect.microsoft.com/site14

Learn more
Visit the MDT home page: http://www.microsoft.com/MDT

Get the latest news straight from the MDT team: http://blogs.technet.com/mniehaus/

MDT works with the Microsoft Assessment and Planning Toolkit and Security Compliance Manager to help you plan, securely deploy, and manage new Microsoft technologies—easier, faster, and at less cost. Learn more at http://www.microsoft.com/solutionaccelerators.

Thank you for your interest in the development of MDT. We look forward to receiving your feedback!

Sincerely,
Solution Accelerators MDT Team
Microsoft Corporation

Asset Intelligence Reports are not showing correct data since the upgrade to ConfigMgr 2007 SP2

This blog post is going to be a short explanation about why the Asset Intelligence (AI) Reports are not showing the correct data after an upgrade to ConfigMgr 2007 SP2. The cause of not showing data was actually more logical than I first thought. One of the items on the checklist for an upgrade (http://technet.microsoft.com/en-us/library/ee344152.aspx) is the following:

If you have customized the default SMS_def.mof hardware inventory reporting file, you must create a backup of this file before upgrading the site. When upgrading a site, customizations made to the existing SMS_def.mof file will be overwritten.

Maybe this still doesn’t make sense, but it will after the following piece of history about enabling AI in ConfigMgr 2007. In the ConfigMgr 2007 RTM version AI had to be enabled by manually editing the SMS_def.mof. This got renewed in ConfigMgr 2007 SP1 by adding the Asset Intelligence Reporting Class Settings dialog box, BUT these settings are still written in the SMS_def.mof.

So the combination of these two points means that after the upgrade to ConfigMgr 2007 SP2, the AI settings have to be re-enabled. This can be done through the Asset Intelligence Reporting Class Settings dialog box by reselecting the needed items, or by manually editing the SMS_def.mof.

ConfigMgr 2007 and clearing a Computers’ Last PXE Advertisement by script

In a previous post I showed a script to remove a computer from a collection. This post will be an add-on to that previous post. As we are removing the computer from the collection anyway, we can just as well perform a Clear Last PXE Advertisement action. By doing this, it’s not necessary to perform a manual action the next time the computer needs to be re-imaged.

An easy way to do this is to run a script at the end of a Task Sequence that will clear the last PXE Advertisement. This makes sure that a computer can get re-imaged as soon as it gets added to the correct collection. For this you can use the script from this post.

The usage of this script is cscript <ScriptName>.vbs /ComputerName:[ComputerName]. Keep in mind that it needs to be run with an account that has enough rights in ConfigMgr. See also this picture for an example.

Option Explicit

Dim objSWbemLocator, objSWbemServices, ProviderLocation, Location, Connection
Dim colResourceID, objResourceID, iResourceID, aResources, InParams
Dim sComputerName, sSiteServerName, objArguments, oRegEx

sSiteServerName = "<SiteServerName>"

'====================================
' Check arguments
'====================================
Set objArguments = WScript.Arguments
If WScript.Arguments.Count = 1 Then
   sComputerName = objArguments.Named.Item("ComputerName")
Else
   WScript.Echo "Usage: ClearPxeAdvertisement.vbs /ComputerName:[ComputerName]"
   WScript.Quit
End If

' The name is concatenated into a WQL query further down, so only accept
' characters that can appear in a computer name (no quotes or wildcards).
Set oRegEx = New RegExp
oRegEx.Pattern = "^[A-Za-z0-9_-]{1,15}$"
If Not oRegEx.Test(sComputerName) Then
   WScript.Echo "Invalid computer name: " & sComputerName
   WScript.Quit(1)
End If

'====================================
' MAIN Script
'====================================
Set Connection = ConnectToSMSProvider(sSiteServerName)
iResourceID = GetResourceID(Connection, sComputerName)

' Stop when the query returned no resource for this name.
If IsEmpty(iResourceID) Then
   WScript.Echo "No resource found with name: " & sComputerName
   WScript.Quit(1)
End If

' The method expects an array of ResourceIDs; this one holds a single entry.
aResources = Array(1)
aResources(0) = iResourceID

Set InParams = Connection.Get("SMS_Collection").Methods_("ClearLastNBSAdvForMachines").InParameters.SpawnInstance_
InParams.ResourceIDs = aResources

Connection.ExecMethod "SMS_Collection", "ClearLastNBSAdvForMachines", InParams
WScript.Echo "Cleared PXE advertisement for resource: " & iResourceID

WScript.Quit(0)

'====================================
' Function to RETURN a Connection to the SMS Provider
'====================================
Function ConnectToSMSProvider(ServerName)
   Set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")
   Set objSWbemServices = objSWbemLocator.ConnectServer(ServerName, "root\sms")
   Set ProviderLocation = objSWbemServices.InstancesOf("SMS_ProviderLocation")
   For Each Location In ProviderLocation
      If Location.ProviderForLocalSite = True Then
         ' Reconnect to the site namespace on the provider machine
         Set objSWbemServices = objSWbemLocator.ConnectServer(Location.Machine, "root\sms\site_" + Location.SiteCode)
         Set ConnectToSMSProvider = objSWbemServices
      End If
   Next
End Function

'====================================
' Function to RETURN a ResourceID by a ComputerName
'====================================
Function GetResourceID(Connection, ComputerName)
   Set colResourceID = Connection.ExecQuery("Select ResourceID from SMS_R_System where Name = '" & ComputerName & "'")
   For Each objResourceID In colResourceID
      GetResourceID = objResourceID.ResourceID
   Next
End Function

There also exists a (basic) example on MSDN about How to Clear a PXE Advertisement for a Configuration Manager Resource, here: http://msdn.microsoft.com/en-us/library/cc143002.aspx

ConfigMgr 2007 and Forefront Endpoint Protection 2010

Let’s start this post with a simple question. What’s the reason why the new version of Microsoft’s Forefront Endpoint Protection (FEP) 2010 is so kewl? Well, it’s the same reason why I’m blogging about it, it’s because it fully integrates with ConfigMgr 2007! In this post I will go through the installation and the integration of FEP 2010 with ConfigMgr 2007 in three parts.

(PART 1) Integration with ConfigMgr 2007 – How to install

For the installation I will go through a Basic topology installation and its prerequisites (the installation has to be performed on a Central/ Primary Site server).

  1. (Optional) Install Windows Installer 3.1.
  2. (Optional) Install .NET Framework 3.5 SP1.
  3. (Optional) Install ConfigMgr Hotfix KB2271736.
  4. Run the serversetup.exe of the DVD and the Microsoft Forefront Endpoint Protection 2010 Server Setup wizard opens.
  5. On the Welcome page, type your name, the name of your organization, and click Next.
  6. On the Microsoft Software License Terms page, select the I accept the software license terms check box, and click Next.
  7. On the Installation Options page, select Basic topology, and click Next.
  8. On the Reporting Configuration page, verify the URL of your reporting server and the name of a user account that is used, type the password for the specified user account, and click Next.
  9. On the Updates and Customer Experience Options page, only select Join the Customer Experience Improvement Program, and click Next.
  10. On the Microsoft SpyNet Policy Configuration page, select Join Microsoft SpyNet, click Advanced SpyNet membership, and click Next.
  11. On the Installation Location page, specify the folder for installation, and click Next.
  12. On the Prerequisites Verification page, click Next.
  13. On the Setup Summary page, click Install.
  14. On the Installation page, click Next.
  15. On the Installation Complete page, click Finish.

(PART 2) Integration with ConfigMgr 2007 – How does it look

After the successful installation of FEP 2010, it’s time to take a closer look at how it’s integrated with ConfigMgr 2007. For this I will create a list with all the changes/ add-ons to the ConfigMgr Console that are created during the installation of FEP.

  • FEP Operations are added to right-click menu, and Actions pane for computer objects
  • FEP Collections are added to Site Database > Computer Management > Collections
    • Definitions Status
      • Older Than 1 Week
      • Up to 3 Days
      • Up to 7 Days
      • Up to Date
    • Deployment Status
      • Deployment Failed
      • Deployment Succeeded
        • Deployed Desktops
        • Deployed Servers
      • Locally Removed
      • Not Targeted
      • Out of Date
    • Operations
    • Policy Distribution Status
      • Distribution Failed
      • Distribution Pending
      • Policy Distributed
    • Protection Status
      • Healthy
      • Not Reporting
      • Protection Service Off
    • Security Status
      • Full Scan Required
      • Infected
      • Recent Malware Activity
      • Restart Required
  • FEP Packages are added to Site Database > Computer Management > Software Distribution > Packages
    • Microsoft Corporation FEP – Deployment 1.0
    • Microsoft Corporation FEP – Operations 1.0
    • Microsoft Corporation FEP – Policies 1.0
  • FEP Advertisements are added to Site Database > Computer Management > Software Distribution > Advertisements
    • FEP Operations
    • FEP Policies
      • Assign FEP policy Default Desktop Policy
      • Assign FEP policy Default Server Policy
  • FEP Configuration Baselines are added to Site Database > Computer Management > Desired Configuration Management > Configuration Baselines
    • FEP – High-Security Desktop
    • FEP – Laptop
    • FEP – Performance-Optimized Desktop
    • FEP – Standard Desktop
    • FEP Monitoring – Antimalware Status
    • FEP Monitoring – Definitions and Health Status
    • FEP Monitoring – Malware Activity
    • FEP Monitoring – Malware Detections
  • FEP Console extensions are added to Site Database > Computer Management > Forefront Endpoint Protection
    • Policies
    • Alerts
      • Malware Detection Alerts
      • Malware Outbreak Alert
      • Repeated Malware Detection Alerts
      • Multiple Malware Detection Alerts
    • Reports

(PART 3) Integration with ConfigMgr 2007 – How does it work

Now we know how FEP is installed and what it all creates during the installation, let’s take a look at how it all works together. This part is not about all the possibly different settings, but about how/ when it gets called in ConfigMgr 2007.

Client Deployment
For the deployment of the FEP client, the Microsoft Corporation FEP – Deployment 1.0 package can be used. This package contains a script that will also make sure that any of the following previously installed antimalware clients will be uninstalled:

  • Symantec Endpoint Protection version 11
  • Symantec Corporate Edition version 10
  • McAfee VirusScan Enterprise version 8.5 and version 8.7 and its agent
  • Forefront Client Security version 1 and the Operations Manager agent
  • TrendMicro OfficeScan version 8 and version 10

Client Policies
For the policy deployment to the FEP client, the Microsoft Corporation FEP – Policies 1.0 package will be used. By default the already existing advertisements Assign FEP policy Default Desktop Policy and Assign FEP policy Default Server Policy are used for this. This package contains a script that will make sure that policy changes that are made through the console (and saved in XML) get updated on the clients. For this the Deployed Desktops and Deployed Servers collections are used.

Client Operations
For the execution of the FEP client actions, the Microsoft Corporation FEP – Operations 1.0 package will be used. This action can be performed via the right-click menu and the Actions pane for computer objects. After this the computer object gets populated in the Operations collection and the script (of this package) gets assigned to the collection.

Client Health
For the client health the FEP Dashboard (see picture) can be used. This dashboard shows an overview of Deployment Status, Policy Distribution Status, Definition Status, Protection Status, Security Status and Forefront Endpoint Protection Baselines. The statuses are based on the memberships of the FEP * Status collections. So indirectly, the membership queries of these collections determine what the dashboard shows.

Client Updates
For the client updates it’s still possible to use an Auto-Approval rule for Definitions Updates in WSUS.

More information about FEP 2010: http://technet.microsoft.com/en-us/library/gg412482.aspx

ConfigMgr 2007 and removing a Computer from a Collection by script

I have to admit that it’s just really easy/ handy to create scripts to make life a bit easier. This also counts for this scenario… A customer wants to prevent, at all costs, that a computer gets re-imaged “by accident”. It already happened a few times that somebody by accident did a Clear Last PXE Advertisement on a Computer, or even on a Collection.

An easy solution for this scenario is to run a script at the end of a Task Sequence that will remove the Computer directly from the Collection. This makes sure that a computer can’t get re-imaged, as it’s not a member of the collection anymore. For this you can use the script from this post.

The usage of this script is cscript <ScriptName>.vbs /CollectionID:[CollectionID] /ComputerName:[ComputerName]. Keep in mind that it needs to be run with an account that has enough rights in ConfigMgr. See also this picture for an example.

Option Explicit

Dim objSWbemLocator, objSWbemServices, ProviderLocation, Location, sSiteServerName
Dim sComputerName, sCollectionID, objCollection, colRuleSet, Rule, objArguments

'=============================
' Check arguments
'=============================
Set objArguments = WScript.Arguments
If WScript.Arguments.Count = 2 Then
   sCollectionID = objArguments.Named.Item("CollectionID")
   sComputerName = objArguments.Named.Item("ComputerName")
Else
   WScript.Echo "Usage: RemoveComputerFromCollection.vbs /CollectionID:[CollectionID] /ComputerName:[ComputerName]"
   WScript.Quit(0)
End If

'=============================
' MAIN Script
'=============================
sSiteServerName = "<SiteServerName>"
ConnectToSMSProvider sSiteServerName

Set objCollection = objSWbemServices.Get("SMS_Collection='" & sCollectionID & "'")
colRuleSet = objCollection.CollectionRules

' CollectionRules is Null when the collection has no membership rules
If Not IsNull(colRuleSet) Then
   For Each Rule In colRuleSet
      ' Only direct membership rules carry the computer name as rule name
      If Rule.Path_.Class = "SMS_CollectionRuleDirect" Then
         If LCase(Trim(Rule.RuleName)) = LCase(Trim(sComputerName)) Then
            objCollection.DeleteMembershipRule Rule
            WScript.Echo "Successfully removed " & sComputerName & " from collection: " & sCollectionID
         End If
      End If
   Next
End If

WScript.Quit(0)

'=============================
' Sub Routine to Connect to the SMS Provider
'=============================
Sub ConnectToSMSProvider(SiteServerName)
   Set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")
   Set objSWbemServices = objSWbemLocator.ConnectServer(SiteServerName, "root\sms")
   Set ProviderLocation = objSWbemServices.InstancesOf("SMS_ProviderLocation")
   For Each Location In ProviderLocation
      If Location.ProviderForLocalSite = True Then
         ' Reconnect to the site namespace on the provider machine
         Set objSWbemServices = objSWbemLocator.ConnectServer(Location.Machine, "root\sms\site_" + Location.SiteCode)
      End If
   Next
End Sub