Special Ed

I'm running SCCM 2012 sp1 with MDT integration. I'm using a UDI from MDT to set some basic machine informatoin for imaging (select the OU in the domain, etc). I also have some optional apps that a tech can select from the UDI to install during the TS. All is working great with network based installations. However, I have a need for some installations using stand alone media. Is there a way to create stand alone media that will include those optional apps in the MDT UDI so that those apps can install during the TS? I don't think there is, but there are more brilliant minds than mine out there so I thought I would ask. In case you aren't sure what I'm talking about, check out Niall's instructions on setting up the 'install programs' step in the UDI designer here: http://www.windows-noob.com/forums/index.php?/topic/5250-using-sccm-2012-rc-in-a-lab-part-18-deploying-a-udi-client-task-sequence-with-mdt-2012-rc1-integrated-in-configuration-manager-2012/ I want a stand alone USB drive to be able to install the Mozilla and Winzip apps that are selected during deployment in his example. Ed

I have a question on the Evaluation schedule and the Deployment Schedules and how they interact. When you set your custom schedule to have the ADR run on Patch tuesday, there are 2 dates. The START date, which is when the rule goes into effect, and the Recurrence pattern, which tells it to run on the 2nd tuesday every month going forward. The deployment Schedule, which is when the updates are to be available for install, might have a delay of 10 days. But that 10 days is based on the START date, not the run date. So I might create my rule on April 1, schedule it to run on April 7, and deploy after 10 days. But that means my deployment date is April 10. I had THOUGHT that the ADR runs again every month and pushes out a new deployment on that month. But if I'm understanding this right now, this means the ADR is really just updating an existing package/deployment and setting a 're-run' deployment flag on the clients to re-run that package again every month. So, the deployment schedule on ADR's is NOT a repeating schedule like the eval is. It's a one time only delay that applies only the first time the rule is run. This means that if I want to wait 1 week to deploy packages from Patch Tuesday, the ONLY way I can manage this is to set maintenance windows every month for 1 week after patch tuesday. If I do not have maintenance windows in place, patches will install on workstations immediately after the rule runs and the updates become available to workstations next month. Am I reading this right?

Hi all, I'm looking at integrating a PKI infrastructure, and setting up an environment so clients can be supported over the inter-web. Does anyone have a 'how-to' out there? how about a basic doc outlining what you can / can't do? I've never touched it with SCCM. I'd like to setup software updates for 'roaming' clients that aren't in the office, push out software apps/packages etc. I've also got a few machines in a DMZ I'll probably manage full time through that model. I'd also appreciate any guidance regarding PKI integration and how to get that working. I know enough to know I have no clue. thanks!

SCCM 2007 with an SMP. I want to do an inplace upgrade. Current machine is WinXP. The idea is to run a USMT Capture, replace the hard drive, then run an OSD on the new drive, and a restore. The problem is, because I'm swapping drives, I can't really create a computer association for the SMP, so I can't restore the data. The inplace association doesn't work because it's a new SCCM Client/Guid and a side by side association can't be created because the MAC address is already in use by the old Comp object. How can I do this? Anyone with any ideas? Thanks!

Do you have any guidance on how to customize the UDI options? For example, within the default UDI the state store options do not allow selecting the state migration point as an option. How could you modify the UDI so that it will use an SMP?

I'm running SCCM 2007 R3, USMT 4.0. I'm migrating User data from an XP machine to a new Win 7 install on a different machine. (side by side migration) And I've got my Stat MIgration Point configured, with a computer association configured. The user capture appeared to work just fine, as a data capture did happen. I'm running an UDI /MDT task sequence from MDT 2012 UP1 with almost no changes to the default settings that MDT would build when you create the TS to install the OS and restore the user data. When I run the task sequence to install the OS, and restore the user data, I get a "Failed to Run the action: Request State Store. Unknown Error (error: 00004005; source; unknown)" error. Can someone help me figure out what could be causing this for me? It's as if the system can't find the user data, or it doesn't know about the State Migration point. The UDI user state windows doesn't have an option for 'use the SCCM Migration point" so we leave it set to "No Data to Restore", but is there a way to tell the UDI to use the Migration point as the data source on the "User State Page" in a UDI.

Is there a way to migrate a task sequence that runs in pure MDT 2012 (not mdt within SCCM) into SCCM 2012? Thanks!

Hi all, I'm curious about a best practice question. Assume you have a CAS and a primary server. WSUS/SCEP replication with MS is setup on the CAS. Do you let your CAS manage your SUP and SCEP deployments? For example, build your collections on your primary, then configure an autodeployment for SCEP and one for SUP on your CAS? Or should you then setup WSUS/SUP/SCEP on your primary and deploy from there? It seems to be that you should do SUP/SCEP from the CAS, but I thought I would ask. Maybe there's a reason you shouldnt. Thanks

When you have SCCM configured to handle WSUS, should a client machine be able to run Windows update? Or will they get this error? My clients are getting a Windows could not search for updates error when they try it manually.

I'm still working on the details of this.. but this appears to be 'normal behavior' which bugs me as I think it's poorly implemented. It appears that if a machine fails during a TS, or is interupted, SCCM leaves the unknown device in the system. Even if I re-image that machine, starting a new TS from scratch, it actually leaves the old object in place. Which was weird. If you watch a TS from start to finish, you can see the unknown device get created at start, which is normal, and then get renamed later at the end of the TS. This appears to be documented and there are discussions about if it's a 'bug' or a feature. Here's some posts on the process. But it appears that admins are going to have to keep an eye on cleaning up unknown devices for a while. Initial post http://verbalprocessor.com/2012/04/06/unknown-computer-bug-in-configuration-manager-2012/ Update http://verbalprocessor.com/2012/04/17/unknown-computer-bugupdate/ Final post http://verbalprocessor.com/2012/05/07/unknown-computer-bugfinal-update/

Nope.

We are trying to get the MDM running (light management through ActiveSync). But we are having problems connecting to our Exchange server. I'm NOT an exchange guy. I'm pretty sure we are just not hitting the hooks on the Exchange box. Here's relevent data from our log file. Anyone have any ideas on what we can try? Thanks! INFO: Start to process wipe/policy http://mail.Company.com/powershell. SMS_EXCHANGE_CONNECTOR 8/17/2012 10:51:54 AM 5752 (0x1678) INFO: [MANAGED] Initialize: ExchangeServer http://mail.Company.com/powershell, Account , VerboseLog 0 SMS_EXCHANGE_CONNECTOR 8/17/2012 10:51:54 AM 5752 (0x1678) ERROR: [MANAGED] Failed to open Runspace. Exception: System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found. ~~ Possible causes are:~~ -The user name or password specified are invalid.~~ -Kerberos is used when no authentication method and no user name are specified.~~ -Kerberos accepts domain user names, but not local user names.~~ -The Service Principal Name (SPN) for the remote computer name and port does not exist.~~ -The client and remote computers are in different domains and there is no trust between the two domains.~~ After checking for the above issues, try the following:~~ -Check the Event Viewer for events related to authentication.~~ -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.~~ Note that computers in the TrustedHosts list might not be authenticated.~~ -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.~~ at System.Management.Automation.Runspaces.AsyncResult.EndInvoke()~~ at System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.EndOpen(IAsyncResult asyncResult)~~ at System.Management.Automation.Runspaces.RunspacePool.Open()~~ at System.Management.Automation.RemoteRunspace.Open()~~ at Microsoft.ConfigurationManager.ExchangeConnector.ExchangeRunspace.InitRunspace() SMS_EXCHANGE_CONNECTOR 8/17/2012 10:51:54 AM 5752 (0x1678) ERROR: Failed to call Initialize of managed COM. error = Unknown error 0x80131501 SMS_EXCHANGE_CONNECTOR 8/17/2012 10:51:54 AM 5752 (0x1678) INFO: Raise Exchange Connector connection failure alert. SMS_EXCHANGE_CONNECTOR 8/17/2012 10:51:54 AM 5752 (0x1678) ERROR: Failed to initialize managed com instance. Error = Unknown error 0x80131501, -2146233087 SMS_EXCHANGE_CONNECTOR 8/17/2012 10:51:54 AM 5752 (0x1678) INFO: End to process wipe/policy http://mail.Company.com/powershell. SMS_EXCHANGE_CONNECTOR 8/17/2012 10:51:54 AM 5752 (0x1678)

Well, that's good to know which is the right setting. I am curious... is there a way to change the settings after the SUP is configured in SCCM? Or must we remove the site role and reconfigure? We are set for port 80. As for our issues... I'll post the log here. As you'll see when you review it you'll see different errors over the last week 2 weeks. Initially, we had a conflict with the old WSUS server, then you can see we played around with various GPO settings until we got it 'working'. We tried 'disabled' but that clearly wasn't a good setting. At one point we modified the server information in the GPO by cutting and pasting the policy information that was set in the local policy (http://sccmserver.local:80) into the GPO, but that didn't seem to put an end to the "Group policy settings were overwritten by a higher authority" errors for several days. (though those errors are not in this log) But we could not figure out where our conflict was. Updates were not flowing to our machines. So we moved our machines to an OU with no GPO. We've been running in that OU for a week now. As you'll see, the errors are no longer there, but it still not downloading updates as we expected. For a few days we modified the policy so that it would only pull down updates from our SCCM server, and we disabled the access to MS. Things seemed to be working ok, our compliance was at 100%. When we turned access to MS back on Wednesday, it would appear that our clients aren't pulling updates anymore. For example the machine this was pulled from had not pulled an update for a while. Our overall compliance dropped from 100% to 17% since Wednesday. Again, all our machines are now in a group with no GPO to create a conflict. What's weird is that while we were working on this, late last week, updates seemed to start flowing. This was after I posted my initial post. We thought all was happy with no GPO, and thought that was our solution, so then we turned back on access to MS on Wednesday and it's stopped again. It's really weird. I would think that the access to MS would simply give us a redundant access to updates should our server go down. Am I misunderstanding how it should work? So,this morning in an attempt to duplicate our original issues for your entertainment pleasure, and show you what we see, we moved this machine back into the OU with the GPO. You should see the logs changed after 9am Aug 17. The machine pulled it's policy like we want, and updated nicely. No errors in the log. We then modified the policy so it should only pull from our server, and not be able to pull updates from MS. We forced a synch with MS so that it has updated policies since then, and ran our auto deployment rules so we should have nice fresh policies in place. And of course, now it would seem that things are working. But I'm still not trusting it. It feels like things work for a few days, then stop, and I can't figure out why. I've also posted an export view of the GPO we are trying to use initially (and for the above test). It's very likely our GPO is/was our problem. Note that I've pulled any corporate/Domain names from the logs and GPO and tried to replace them with generic names. Many thanks! WUAHandler.log WSUS - Use SCCM 01.htm

Is this Software Update Group that we created updated automatically? Or must we re-create a group like this on a monthly basis to deploy updates to the clients?

Anyweb, I would like some clarification... perhaps you can help me out here. In this step: http://www.windows-noob.com/forums/index.php?/topic/5683-using-system-center-2012-configuration-manager-part-5-adding-wsus-adding-the-sup-role-deploying-the-configuration-manager-client-agent/ you suggest that the SUP role should use the CUSTOM web site in Step 2. However, in other SUP configurations walkthroughs you have published (look here: http://www.windows-noob.com/forums/index.php?/topic/4427-using-sccm-2012-rc-in-a-lab-part-2-add-sup-and-wds/ ) you built the server using the default websites. What are the pros/Cons of those choice and how will them impact how the systems work? Thanks!