

Special Ed

Established Members
  • Posts

    24

Everything posted by Special Ed

  1. I'm running SCCM 2012 sp1 with MDT integration. I'm using a UDI from MDT to set some basic machine information for imaging (select the OU in the domain, etc). I also have some optional apps that a tech can select from the UDI to install during the TS. All is working great with network based installations. However, I have a need for some installations using stand alone media. Is there a way to create stand alone media that will include those optional apps in the MDT UDI so that those apps can install during the TS? I don't think there is, but there are more brilliant minds than mine out there so I thought I would ask. In case you aren't sure what I'm talking about, check out Niall's instructions on setting up the 'install programs' step in the UDI designer here: http://www.windows-noob.com/forums/index.php?/topic/5250-using-sccm-2012-rc-in-a-lab-part-18-deploying-a-udi-client-task-sequence-with-mdt-2012-rc1-integrated-in-configuration-manager-2012/ I want a stand alone USB drive to be able to install the Mozilla and Winzip apps that are selected during deployment in his example. Ed
  2. I have a question on the Evaluation schedule and the Deployment Schedules and how they interact. When you set your custom schedule to have the ADR run on Patch Tuesday, there are 2 dates. The START date, which is when the rule goes into effect, and the Recurrence pattern, which tells it to run on the 2nd Tuesday every month going forward. The deployment Schedule, which is when the updates are to be available for install, might have a delay of 10 days. But that 10 days is based on the START date, not the run date. So I might create my rule on April 1, schedule it to run on April 7, and deploy after 10 days. But that means my deployment date is April 10. I had THOUGHT that the ADR runs again every month and pushes out a new deployment on that month. But if I'm understanding this right now, this means the ADR is really just updating an existing package/deployment and setting a 're-run' deployment flag on the clients to re-run that package again every month. So, the deployment schedule on ADRs is NOT a repeating schedule like the eval is. It's a one time only delay that applies only the first time the rule is run. This means that if I want to wait 1 week to deploy packages from Patch Tuesday, the ONLY way I can manage this is to set maintenance windows every month for 1 week after Patch Tuesday. If I do not have maintenance windows in place, patches will install on workstations immediately after the rule runs and the updates become available to workstations next month. Am I reading this right?
  3. Hi all, I'm looking at integrating a PKI infrastructure, and setting up an environment so clients can be supported over the inter-web. Does anyone have a 'how-to' out there? How about a basic doc outlining what you can / can't do? I've never touched it with SCCM. I'd like to set up software updates for 'roaming' clients that aren't in the office, push out software apps/packages etc. I've also got a few machines in a DMZ I'll probably manage full time through that model. I'd also appreciate any guidance regarding PKI integration and how to get that working. I know enough to know I have no clue. Thanks!
  4. SCCM 2007 with an SMP. I want to do an inplace upgrade. Current machine is WinXP. The idea is to run a USMT Capture, replace the hard drive, then run an OSD on the new drive, and a restore. The problem is, because I'm swapping drives, I can't really create a computer association for the SMP, so I can't restore the data. The inplace association doesn't work because it's a new SCCM Client/Guid and a side by side association can't be created because the MAC address is already in use by the old Comp object. How can I do this? Anyone with any ideas? Thanks!
  5. Do you have any guidance on how to customize the UDI options? For example, within the default UDI the state store options do not allow selecting the state migration point as an option. How could you modify the UDI so that it will use an SMP?
  6. I'm running SCCM 2007 R3, USMT 4.0. I'm migrating User data from an XP machine to a new Win 7 install on a different machine. (side by side migration) And I've got my State Migration Point configured, with a computer association configured. The user capture appeared to work just fine, as a data capture did happen. I'm running a UDI/MDT task sequence from MDT 2012 UP1 with almost no changes to the default settings that MDT would build when you create the TS to install the OS and restore the user data. When I run the task sequence to install the OS, and restore the user data, I get a "Failed to Run the action: Request State Store. Unknown Error (error: 00004005; source; unknown)" error. Can someone help me figure out what could be causing this for me? It's as if the system can't find the user data, or it doesn't know about the State Migration point. The UDI user state window doesn't have an option for "use the SCCM Migration point" so we leave it set to "No Data to Restore", but is there a way to tell the UDI to use the Migration point as the data source on the "User State Page" in a UDI?
  7. Is there a way to migrate a task sequence that runs in pure MDT 2012 (not mdt within SCCM) into SCCM 2012? Thanks!
  8. Hi all, I'm curious about a best practice question. Assume you have a CAS and a primary server. WSUS/SCEP replication with MS is set up on the CAS. Do you let your CAS manage your SUP and SCEP deployments? For example, build your collections on your primary, then configure an autodeployment for SCEP and one for SUP on your CAS? Or should you then set up WSUS/SUP/SCEP on your primary and deploy from there? It seems to me that you should do SUP/SCEP from the CAS, but I thought I would ask. Maybe there's a reason you shouldn't. Thanks
  9. When you have SCCM configured to handle WSUS, should a client machine be able to run Windows update? Or will they get this error? My clients are getting a Windows could not search for updates error when they try it manually.
  10. I'm still working on the details of this.. but this appears to be 'normal behavior' which bugs me as I think it's poorly implemented. It appears that if a machine fails during a TS, or is interrupted, SCCM leaves the unknown device in the system. Even if I re-image that machine, starting a new TS from scratch, it actually leaves the old object in place. Which was weird. If you watch a TS from start to finish, you can see the unknown device get created at start, which is normal, and then get renamed later at the end of the TS. This appears to be documented and there are discussions about if it's a 'bug' or a feature. Here are some posts on the process. But it appears that admins are going to have to keep an eye on cleaning up unknown devices for a while. Initial post http://verbalprocessor.com/2012/04/06/unknown-computer-bug-in-configuration-manager-2012/ Update http://verbalprocessor.com/2012/04/17/unknown-computer-bugupdate/ Final post http://verbalprocessor.com/2012/05/07/unknown-computer-bugfinal-update/
  11. We are trying to get the MDM running (light management through ActiveSync). But we are having problems connecting to our Exchange server. I'm NOT an exchange guy. I'm pretty sure we are just not hitting the hooks on the Exchange box. Here's relevant data from our log file. Anyone have any ideas on what we can try? Thanks!
      INFO: Start to process wipe/policy http://mail.Company.com/powershell. SMS_EXCHANGE_CONNECTOR 8/17/2012 10:51:54 AM 5752 (0x1678)
      INFO: [MANAGED] Initialize: ExchangeServer http://mail.Company.com/powershell, Account , VerboseLog 0 SMS_EXCHANGE_CONNECTOR 8/17/2012 10:51:54 AM 5752 (0x1678)
      ERROR: [MANAGED] Failed to open Runspace. Exception: System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found. ~~ Possible causes are:~~ -The user name or password specified are invalid.~~ -Kerberos is used when no authentication method and no user name are specified.~~ -Kerberos accepts domain user names, but not local user names.~~ -The Service Principal Name (SPN) for the remote computer name and port does not exist.~~ -The client and remote computers are in different domains and there is no trust between the two domains.~~ After checking for the above issues, try the following:~~ -Check the Event Viewer for events related to authentication.~~ -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.~~ Note that computers in the TrustedHosts list might not be authenticated.~~ -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.~~ at System.Management.Automation.Runspaces.AsyncResult.EndInvoke()~~ at System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.EndOpen(IAsyncResult asyncResult)~~ at System.Management.Automation.Runspaces.RunspacePool.Open()~~ at System.Management.Automation.RemoteRunspace.Open()~~ at Microsoft.ConfigurationManager.ExchangeConnector.ExchangeRunspace.InitRunspace() SMS_EXCHANGE_CONNECTOR 8/17/2012 10:51:54 AM 5752 (0x1678)
      ERROR: Failed to call Initialize of managed COM. error = Unknown error 0x80131501 SMS_EXCHANGE_CONNECTOR 8/17/2012 10:51:54 AM 5752 (0x1678)
      INFO: Raise Exchange Connector connection failure alert. SMS_EXCHANGE_CONNECTOR 8/17/2012 10:51:54 AM 5752 (0x1678)
      ERROR: Failed to initialize managed com instance. Error = Unknown error 0x80131501, -2146233087 SMS_EXCHANGE_CONNECTOR 8/17/2012 10:51:54 AM 5752 (0x1678)
      INFO: End to process wipe/policy http://mail.Company.com/powershell. SMS_EXCHANGE_CONNECTOR 8/17/2012 10:51:54 AM 5752 (0x1678)
  12. Well, that's good to know which is the right setting. I am curious... is there a way to change the settings after the SUP is configured in SCCM? Or must we remove the site role and reconfigure? We are set for port 80. As for our issues... I'll post the log here. As you'll see when you review it you'll see different errors over the last week 2 weeks. Initially, we had a conflict with the old WSUS server, then you can see we played around with various GPO settings until we got it 'working'. We tried 'disabled' but that clearly wasn't a good setting. At one point we modified the server information in the GPO by cutting and pasting the policy information that was set in the local policy (http://sccmserver.local:80) into the GPO, but that didn't seem to put an end to the "Group policy settings were overwritten by a higher authority" errors for several days. (though those errors are not in this log) But we could not figure out where our conflict was. Updates were not flowing to our machines. So we moved our machines to an OU with no GPO. We've been running in that OU for a week now. As you'll see, the errors are no longer there, but it's still not downloading updates as we expected. For a few days we modified the policy so that it would only pull down updates from our SCCM server, and we disabled the access to MS. Things seemed to be working ok, our compliance was at 100%. When we turned access to MS back on Wednesday, it would appear that our clients aren't pulling updates anymore. For example the machine this was pulled from had not pulled an update for a while. Our overall compliance dropped from 100% to 17% since Wednesday. Again, all our machines are now in a group with no GPO to create a conflict. What's weird is that while we were working on this, late last week, updates seemed to start flowing. This was after I posted my initial post. 
We thought all was happy with no GPO, and thought that was our solution, so then we turned back on access to MS on Wednesday and it's stopped again. It's really weird. I would think that the access to MS would simply give us a redundant access to updates should our server go down. Am I misunderstanding how it should work? So, this morning in an attempt to duplicate our original issues for your entertainment pleasure, and show you what we see, we moved this machine back into the OU with the GPO. You should see the logs changed after 9am Aug 17. The machine pulled its policy like we want, and updated nicely. No errors in the log. We then modified the policy so it should only pull from our server, and not be able to pull updates from MS. We forced a synch with MS so that it has updated policies since then, and ran our auto deployment rules so we should have nice fresh policies in place. And of course, now it would seem that things are working. But I'm still not trusting it. It feels like things work for a few days, then stop, and I can't figure out why. I've also posted an export view of the GPO we are trying to use initially (and for the above test). It's very likely our GPO is/was our problem. Note that I've pulled any corporate/Domain names from the logs and GPO and tried to replace them with generic names. Many thanks! WUAHandler.log WSUS - Use SCCM 01.htm
  13. Is this Software Update Group that we created updated automatically? Or must we re-create a group like this on a monthly basis to deploy updates to the clients?
  14. Anyweb, I would like some clarification... perhaps you can help me out here. In this step: http://www.windows-noob.com/forums/index.php?/topic/5683-using-system-center-2012-configuration-manager-part-5-adding-wsus-adding-the-sup-role-deploying-the-configuration-manager-client-agent/ you suggest that the SUP role should use the CUSTOM web site in Step 2. However, in other SUP configuration walkthroughs you have published (look here: http://www.windows-noob.com/forums/index.php?/topic/4427-using-sccm-2012-rc-in-a-lab-part-2-add-sup-and-wds/ ) you built the server using the default websites. What are the pros/cons of those choices and how will they impact how the systems work? Thanks!
  15. Very interesting. We did NOT use a netbios name in the GPO. We used a FQDN. THAT I am sure of as that was my first troubleshooting step, and we verified that several times. However, looking over your instructions again... I'm wondering if when the site role was configured, they did not select "WSUS is configured to use a custom web..." option for WSUS but instead used the default port options. I noticed in your GPOs, you specified the ports. I was not present when they configured the WSUS component, but the team did follow your instructions. Could this be a cause of our problems? And if so, is there a way to change this setting without removing the SUP role and reconfiguring from scratch? Thanks!
  16. I'm running a simple OSD of Win7 through SCCM 2012. I'll boot from a CD/PXE and when my WinPE connects and I select my TS to run, it creates an "Unknown" device in SCCM with the MAC address of my target machine in its properties. After the TS completes, I have another device created with my proper machine name in SCCM, client installed, etc. The original 'unknown' device is still there. Did I miss a setting someplace that would cause this behavior? I would have expected my completed TS would then update the original "unknown" device so that it has the updated machine name etc. I don't want to have to delete a bogus 'unknown' every time I run an OSD.
  17. Just following up on myself. I just saw this posting on technet. Can anyone confirm this is actually the case? Ended up contacting MS Support and got it fixed. The problem was with a Group Policy setting that was being applied to the machines - specifically the "Computer Configuration - Policies - Administrative Templates - Windows Components - Windows Update - Specify intranet Microsoft update service location" policy. In this policy, I had my SCCM Software Update Point machine specified as the update server, as instructed in part 3 of the installation walkthrough I had followed here. Apparently, having this policy applied to a workstation overrides any Software Update configurations that you try to apply using SCCM 2012. So, when SCCM tried to apply my definition updates, it saw that this particular group policy was applied to the machine and aborted the update. The definition updates downloaded successfully once this group policy was removed. If this is true... then if you have previous WSUS installations, and are moving to an SCCM managed SUP & SCEP model, you actually need to remove the GPOs; you can't just define the SCCM server as the source in the GPOs. This kind of makes sense as the SCCM client is actually setting LOCAL policies on the client to manage updates, and any GPO would over-ride that. I'm just surprised that WUA would get cranky about not working if the GPO defines the same server that the SCCM local policy would provide. The entire discussion the above quote is from is here: http://social.technet.microsoft.com/Forums/en-US/configmanagersecurity/thread/a05601a2-7843-471b-8ce4-5cdcdc616a92
  18. Also, is there a log for the SCEP product which tells you where it's pulling updates? When I manually run an update, the WUAHandler log doesn't track where it's getting its definitions. By default, the clients could go to SCCM, WSUS, and Microsoft. So it's possible that a client could be pulling definitions from MS if my server isn't running right. How can I tell where my clients are getting the SCEP definitions?
  19. I'm setting up a new server. Never had any SCCM environment in this network. I've enabled Software inventory on the client policies, and told it to search for *.exe as well. However, I'm not getting any software inventory. On the client the inventory agent log says "it will do a full report" but it's never updating the report. I can see it doing the WMI queries, from hardware inventory, which is reporting. But I'm never getting my software inventory on the servers. It looks like it's not completing. Even when I manually tell my client to run the Software inventory, it says "already in queue." which is great, but SI shouldn't take hours to run I wouldn't think. Is it just really slow and painful to run in 2012?
  20. We are implementing a new SCCM 2012 install which is going to handle all Endpoint (SCEP) and software updates. The network has an existing WSUS server, but it will go away once the migration is complete. There is no preexisting FEP infrastructure. Existing systems have GPOs assigned to configure WSUS on the clients. I've created a new OU for SCCM pilot systems as we get this running. Unfortunately, the OU inherits all the existing GPOs in the company. I can't filter the OU at this time. But I need to build a NEW GPO for this OU, so that it will supersede the current WSUS GPO and free up SCCM to handle the SUP and SCEP processes. When we are done, and the environment is to be totally managed by SCCM, I don't think we need ANY GPOs as SCCM handles this all via client local policy assignments. However, I need to know what to set in my pilot GPO so that machines in my Pilot OU won't be getting conflicting GPO settings. Can someone tell me what to set in my GPOs for my pilots so SCCM can manage the environment? Since SCEP is now in the mix, I'm not sure what I need to have on and off, and based on conversations I'm seeing online, it's not exactly clear. Most of the docs I've seen are with a FEP infrastructure external to SCCM (SCCM07, with FEP, etc), or are written assuming you have no preexisting infrastructure to migrate from. Now I've got one integrated system managing all 3 processes, so I'm not sure what GPO to set to get the old stuff out and let the new stuff play. Thanks!
  21. I need to make some basic changes to my Win 2008 R2 install. One specific that I want to change is my UAC settings in 2008. I know that I can do this in my unattended file. For this setting for example, I know that I can make changes to the UAC settings which are in the EnableLUA section Microsoft-Windows-LUA-Settings. But I can't seem to figure out how to do that in the WAIK. Everything I've seen gives me stuff I can cut and paste into the XML, or just references the component I need to reference, but I don't have a clue how to create that reference in WAIK/WSIM. Can anyone post me a quick and simple "here's the steps to make component mods via the answer file editing process in MDT/WAIK?" I'd appreciate it. What I really need to know is how to create a new section for data that's not in the default answer file, such as creating a UAC setting. I can get the stuff opened, but I can't seem to figure out the context to actually create a new setting and have it reference the changes that I want within WSIM.
  22. Well, sort of. I think I'm starting to understand the basics of the process, but DCM seems to want to focus on the existence of a specific file, registry key etc. It's much easier to look to see if c:\windows\system32\notepad.exe exists for example. But I'm trying to look for files and flag machines that have these files AND have the right text within that file. So my script needs to locate files, read them, and flag a positive/negative if they have the string I need. Then I can say, "here are the machines with the file, and with the string in the file." I'm wondering if I'm doing this the wrong way. It might be easier for me to run a script via a standard deployment that does my searching, and if it finds something it creates a file, then just build a DCM that identifies machines with the file. That might be better and easier to manage.
  23. I want to identify machines that have specific files and/or strings in those files. I've written scripts that will search for the files in question, and I'd like to use DCM to identify those machines that come back as a positive that the files have been found. Then I can build collections based on the DCM to do other things to those machines as needed. My problem is that I have no idea how to set up DCM so that it will run the scripts and determine their 'compliance'. (If they have the stuff the script looks for, they should be 'compliant' then I can isolate those machines) Has anyone ever set up a DCM to run a script to determine compliance? If so, can you give me some guidance on HOW to do this? I'm clueless with DCM, but know SCCM well in other areas. My OSD works great. Thanks!