

  • 0
Mike S

Configure User/Device Affinity During Image Deployment

Question

I am doing some recon on the possibility of determining user/device affinity during image deployment via a task sequence.

 

I would like to know if it is even possible to establish affinity during the imaging process? This could be automatic or manual (through the use of input field prompts during the TS). Provided this is possible, this could simplify the installation of existing applications that are already installed based on user enrollment in certain security groups. It will also eliminate the need to create additional packages and task sequences since applications do not run (at least I haven't figured out how to do this) during a task sequence.

 

We are running a single SCCM 2012 primary site with WSUS and SCOM. Nothing else is configured/needed at the moment.

 

Basically, I want to do the following:

 

  1. Start TS deployment
  2. Input/establish user affinity
  3. Finish image deployment (base image, user profile, etc.)
  4. Finished machine is added to correct user group based on affinity set in step 2 above.
  5. Required software for user group is installed.
  6. Machine deployed to user.
  7. Voilà...finished.

It seems simple enough, but with the many "features" Microsoft has included with their products, I have my reservations.

 

I don't want to spin my wheels trying to figure this out on my own, so I thought I would ask here first to see if this is even feasible.

 

Thanks in advance,

Mike


  • 0

You're doing something wrong with your input variables and I just noticed it based on the log file, while you already posted them before. It should be something like below. The resource name will be added as input variable.

 

param (
    [string]$ResourceName,
    [string]$SiteCode="YourSiteCode",
    [string]$SiteServer="YourSiteServer",
    [string]$Container="YourContainer"
)


  • 0

I see clearer now. Scripting is not my strong suit. So my parameters should look like this:

 

param (
    [string]$ResourceName,
    [string]$SiteCode="DOR",
    [string]$SiteServer="SCCM2012DOR",
    [string]$Container="Applications"
)

The $ResourceName is defined in the TS step "GetApplications"...correct?


  • 0

Almost there. The TS "Install Applications" started to run this time. Unfortunately, it failed. I think it is due to incorrect permissions...

 

Get-WmiObject : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESS RunPowerShellScript 6/3/2014 9:00:08 AM 1908 (0x0774)
DENIED)) RunPowerShellScript 6/3/2014 9:00:08 AM 1908 (0x0774)
At C:\_SMSTaskSequence\Packages\DOR0008C\GetTargetedApplications_v0_9.ps1:21 ch RunPowerShellScript 6/2/2014 2:44:19 PM 2188 (0x088C)
ar:34 RunPowerShellScript 6/2/2014 2:44:19 PM 2188 (0x088C)
+ $PrimaryUser = (Get-WmiObject <<<< -ComputerName $SiteServer -Class SMS_ RunPowerShellScript 6/2/2014 2:44:19 PM 2188 (0x088C)
UserMachineRelationship -Namespace root\SMS\Site_$SiteCode -Filter "ResourceNam RunPowerShellScript 6/2/2014 2:44:19 PM 2188 (0x088C)
e='$ResourceName'").UniqueUserName RunPowerShellScript 6/2/2014 2:44:19 PM 2188 (0x088C)
+ CategoryInfo : NotSpecified: ( :) [Get-WmiObject], UnauthorizedA RunPowerShellScript 6/2/2014 2:44:19 PM 2188 (0x088C)
ccessException RunPowerShellScript 6/2/2014 2:44:19 PM 2188 (0x088C)
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.Pow RunPowerShellScript 6/2/2014 2:44:19 PM 2188 (0x088C)
erShell.Commands.GetWmiObjectCommand RunPowerShellScript 6/2/2014 2:44:19 PM 2188 (0x088C)
RunPowerShellScript 6/2/2014 2:44:19 PM 2188 (0x088C)

This appeared as well: No Env variable with specified basename APPId and suffix '01' is found. No applications installed. InstallApplication 6/2/2014 2:44:20 PM 2280 (0x08E8)

Are there special permissions required for scripts like this to work? Again, excuse my ignorance, but I am flying blind when it comes to scripting and powershell stuff.
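
The lookup that fails at line 21 in the log above, written out with input validation and access-denied handling; this is an added example, not part of the original thread or of the GetTargetedApplications script. The function name `Get-PrimaryUser` and the name patterns it accepts are assumptions; a task sequence step runs as Local System, which on a domain-joined client reaches the site server as the computer account.

```powershell
# Added example: not the thread's GetTargetedApplications_v0_9.ps1.
# Get-PrimaryUser is a hypothetical name; parameters follow the thread's param() block.
function Get-PrimaryUser {
    param (
        [Parameter(Mandatory=$true)][string]$ResourceName,
        [Parameter(Mandatory=$true)][string]$SiteCode,
        [Parameter(Mandatory=$true)][string]$SiteServer
    )

    # Both values are interpolated into the WMI namespace and the WQL filter, so
    # accept only NetBIOS-style computer names and three-character site codes
    # (assumed patterns; adjust to the naming standard in use).
    if ($ResourceName -notmatch '^[A-Za-z0-9-]{1,15}$') {
        throw "Refusing resource name '$ResourceName': unexpected characters."
    }
    if ($SiteCode -notmatch '^[A-Za-z0-9]{3}$') {
        throw "Refusing site code '$SiteCode': expected three alphanumerics."
    }

    # Identity the query runs as, recorded so an access failure names the
    # account that needs (or should not have) rights on the SMS Provider.
    $runningAs = [Security.Principal.WindowsIdentity]::GetCurrent().Name

    try {
        $relations = @(Get-WmiObject -ComputerName $SiteServer `
            -Namespace "root\SMS\Site_$SiteCode" `
            -Class SMS_UserMachineRelationship `
            -Filter "ResourceName='$ResourceName'" -ErrorAction Stop)
    }
    catch {
        if ($_.Exception -is [System.UnauthorizedAccessException]) {
            # 0x80070005 (E_ACCESSDENIED), the error shown in the log above.
            Write-Warning "Access denied for $runningAs on $SiteServer (root\SMS\Site_$SiteCode)."
        }
        throw   # rethrow so the task sequence step fails visibly
    }

    # A device can have several affinity records; (...).UniqueUserName on an
    # array yields $null before PowerShell 3.0, so enumerate explicitly.
    $users = @($relations | ForEach-Object { $_.UniqueUserName } |
        Where-Object { $_ } | Sort-Object -Unique)
    if ($users.Count -eq 0) {
        Write-Warning "No user affinity recorded for $ResourceName."
    }
    return $users
}
```

Because the query runs as the computer account, the role assignment reported later in the thread (Domain Computers in the Read-only Analyst role) gives every computer account in that group read access to the site through the SMS Provider, which is broader than this one query needs.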


  • 0

You were correct, once I added the domain computers to the read-only analyst role, things ran smoother. However, the TS failed during the Install Applications TS.

Do I need to ensure that the box is ticked under Deployment settings to enable "Pre-deploy software to the user's primary device"?

 

Here is a snippet from the logfile:

 

Retrieving Policy Assignments: InstallApplication 6/3/2014 3:39:11 PM 1548 (0x060C)
assignmentList.size() > 0, HRESULT=80004005 (e:\nts_sccm_release\sms\client\osdeployment\installapplication\dautils.cpp,452) InstallApplication 6/3/2014 3:39:11 PM 1548 (0x060C)
No matching policy assignments received. InstallApplication 6/3/2014 3:39:11 PM 1548 (0x060C)
Policy download failed, hr=0x80004005 InstallApplication 6/3/2014 3:39:11 PM 1548 (0x060C)
daUtil.DownloadPolicies(), HRESULT=80004005 (e:\nts_sccm_release\sms\client\osdeployment\installapplication\dainstaller.cpp,295) InstallApplication 6/3/2014 3:39:11 PM 1548 (0x060C)
Successfully cleared App model names from TS env. InstallApplication 6/3/2014 3:39:11 PM 1548 (0x060C)
daInstaller.Execute(), HRESULT=80004005 (e:\nts_sccm_release\sms\client\osdeployment\installapplication\main.cpp,260) InstallApplication 6/3/2014 3:39:11 PM 1548 (0x060C)
Process completed with exit code 2147500037 TSManager 6/3/2014 3:39:11 PM 1912 (0x0778)
!--------------------------------------------------------------------------------------------! TSManager 6/3/2014 3:39:11 PM 1912 (0x0778)
Failed to run the action: Install Applications.
Unspecified error (Error: 80004005; Source: Windows) TSManager 6/3/2014 3:39:11 PM 1912 (0x0778)
MP server http://xx.xxx.xx.xx. Ports 80,443. CRL=false. TSManager 6/3/2014 3:39:11 PM 1912 (0x0778)
Setting authenticator TSManager 6/3/2014 3:39:11 PM 1912 (0x0778)
Set authenticator in transport TSManager 6/3/2014 3:39:11 PM 1912 (0x0778)
Sending StatusMessage TSManager 6/3/2014 3:39:11 PM 1912 (0x0778)
Setting message signatures. TSManager 6/3/2014 3:39:11 PM 1912 (0x0778)
Setting the authenticator. TSManager 6/3/2014 3:39:11 PM 1912 (0x0778)
CLibSMSMessageWinHttpTransport::Send: URL: xx.xxx.xx.xx:80 CCM_POST /ccm_system/request TSManager 6/3/2014 3:39:11 PM 1912 (0x0778)
Request was successful. TSManager 6/3/2014 3:39:11 PM 1912 (0x0778)
Set a global environment variable _SMSTSLastActionRetCode=-2147467259 TSManager 6/3/2014 3:39:11 PM 1912 (0x0778)
Set a global environment variable _SMSTSLastActionSucceeded=false TSManager 6/3/2014 3:39:11 PM 1912 (0x0778)
Clear local default environment TSManager 6/3/2014 3:39:11 PM 1912 (0x0778)
Let the parent group (Install User Applications) decides whether to continue execution TSManager 6/3/2014 3:39:11 PM 1912 (0x0778)
The execution of the group (Install User Applications) has failed and the execution has been aborted. An action failed.
Operation aborted (Error: 80004004; Source: Windows) TSManager 6/3/2014 3:39:11 PM 1912 (0x0778)
Failed to run the last action: Install Applications. Execution of task sequence failed.
Unspecified error (Error: 80004005; Source: Windows) TSManager 6/3/2014 3:39:11 PM 1912 (0x0778)


  • 0

I have fixed the above "problem". It seems that I forgot to check the little box in the application properties under the "General Information" tab that allows the application to be installed from the Install Application task sequence action without being deployed.

 

I tested everything again and it worked like a charm (after about 40 attempts). I have got to learn more about powershell.

 

Quick question, is there a limit to the number of applications that can be installed using this method? I know that if a manual list is used, only 8 applications can be installed per step. Wondering if it is different for dynamic lists?

 

Thank you Peter for all of your assistance.

 

As time permits, I will try to piece together a detailed guide on how to do this. This is an excellent way to deploy user-specific software during the OSD.


  • 0

After testing this a couple of times, I decided to attempt using a collection based on a security group instead of individual users assigned to the group. The user set during the OSD deployment was a member of the security group assigned to the user collection. When I executed the OSD, it failed as soon as the get/install applications TS started.

 

Can the automated process you developed be implemented with security groups, or will I need to ensure that each user be added to the correct application collection? My guess is that since the affinity is looking for a specific user to belong to a group, when a security group is used to define multiple members, the affinity does not see the user as being a member. It only sees the security group as the member and therefore fails.

 

I hope I explained that correctly.

 

**EDIT**

I think I have it figured out, I added a query rule to add users individually based on the AD group membership.

 

Thanks again :)
