SCCM diet

Online notes for reference

Tag Archives: SCCM 2012

Replicating SCCM DB and adding replicated DB to SCCM Reporting – Part 5

In Part 1 I backed up the SCCM database and copied the backed-up database files to a different SQL server. I also attached the database files and created the database.

In Part 2 I created a SQL job to run daily. This job copies the backed-up files from the SCCM database server and then attaches the copied database files.

In Part 3 I exported the certificate from the SQL server and imported it on the machine where reports will be authored.

In Part 4 I created a data source from the SQL Reporting Services server to the SQL01 server and verified that the connection works.

Part 5

In Part 5 I am going to create SCCM reports using the data source created in Part 4 and then publish the reports to the SQL reporting website.

Open Report Builder, go to the system center icon and click on Options.

DBRepl48

Configure the report server as http://<sql reporting services server name>/reportserver and click ok

DBRepl49

Now on the bottom of report builder console click on connect

DBRepl50

As seen below, Report Builder is now connected to the reporting server and can use the data sources from the servers.

DBRepl51

Click on new – Data source

 

 

DBRepl52

Provide the name of data source ( LocalSQL01DataSource in this case) and click on browse

 

DBRepl53

Browse to folder on reporting server , SCCM Reports from SQL01 and select the SQL01 data source

 

DBRepl54

Now click on test connection

 

DBRepl55

Now you are able to connect to the SQL01 database using a data source stored on the reporting server from a Windows 7 client machine on the network. Click OK.

 

 

DBRepl56

As seen the data source appears under Data sources on the left side menu in report builder window

 

DBRepl57

Up until now I am able to connect to the database server. The next step is to add some data from the database to create a report.

A subset of data from the database is called a dataset. A dataset can contain tables, views and at times joins between two tables or between two or more SQL views.

 

 

DBRepl58

Provide the name of Dataset

select data source from drop down and click on query designer

 

DBRepl59

When you click on Query Designer, it will take you inside the CM_R01 database on server SQL01.

Of all the data that is available in this database, I am going to select a small amount of data to create a dataset.

 

 

DBRepl60

Expand views and select v_R_System and click OK

 

 

DBRepl61

You can review this query and what columns are listed and click OK

 

 

DBRepl62

Now in the Report Builder console, the dataset is displayed under Datasets. This is from the view v_R_System.

 

 

DBRepl63

Finally, it's time to create a report 🙂

On the ribbon click on insert and select insert table

 

 

 

 

DBRepl64

This by default will add a blank table

 

 

DBRepl65

Drag and drop the fields you want from the dataset to the table (I added Name0, Obsolete0 and client0) and click on Run.

 

 

DBRepl66

You can view what the report looks like now

 

 

DBRepl67

Click on Save and browse to the folder created for storing SCCM reports from SQL01.

Provide the name of report and click save

 

 

DBRepl68

The report is generated from the alternate SQL01 server and published to the SQL Reporting Services server too.

 

 

DBRepl69

 

 

Additional notes – There are multiple ways to author SQL reports; I am using Report Builder.

You can store the data source locally too. You can also store reports locally and publish them later.

 

This concludes Part 5


Replicating SCCM DB and adding replicated DB to SCCM Reporting – Part 4

In Part 1 I backed up the SCCM database and copied the backed-up database files to a different SQL server. I also attached the database files and created the database.

In Part 2 I created a SQL job to run daily. This job copies the backed-up files from the SCCM database server and then attaches the copied database files.

In Part 3 I exported the certificate from the SQL server and imported it on the machine where reports will be authored.

Part 4

In Part 4 I am going to install Report Builder 3.0 on the client machine Win7 and configure a data source for creating SQL reports. SQL Reporting Services is running on the SCCM primary server. See the network diagram in Part 1.

At this time you should have Report Builder 3.0 for SQL 2012 installed on a Windows 7 machine. If you do not have it installed, download it from here and install it on the workstation.

DBRepl41a

Once Report Builder is installed, open SQL Reporting Services. In my case it is http://cm01/reports.

Click on New folder ( Only for keeping reports separate)

 

 

DBRepl42

Provide the name of the folder and click ok.

 

 

DBRepl43 DBRepl44

After the new folder is created , Go to folder SCCM reports from SQL01

Click on New Data Source

Data Source contains the connection information for a particular database.

 

 

DBRepl45

Provide the name to the data source , SQL01 DataSource

Check – Enable this data source

Data Source type – Microsoft SQL server

In the connection string type in the following

(Change the value of Initial Catalog to your database name and the value of Data Source to your SQL server name)

Persist Security Info=False;Initial Catalog=CM_R01;
Data Source=sql01.labserv.net;
Encrypt=True;TrustServerCertificate=True

As mentioned in Part 1, the user labserv\cmreports has read rights to the CM_R01 database. Once this database is replicated, the same rights are assigned to the replicated database.

Check box – Use as Windows credentials when connecting to the data source

 

DBRepl46

 

Click on Test connection

and ensure that data source is able to connect successfully.
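The connection string above sets Encrypt=True together with TrustServerCertificate=True, which encrypts the session but accepts the server certificate without validating it. The following is an added example, not part of the original post: it parses a connection string, reports that combination, and produces the validating variant. It assumes Windows PowerShell 5.1, and the validating variant assumes the SQL01 certificate is trusted on the machine that opens the connection and matches the name in Data Source; the function names are hypothetical.

```powershell
# Added example (not from the original post). Target: Windows PowerShell 5.1.
Add-Type -AssemblyName System.Data   # System.Data.SqlClient lives here on .NET Framework

function Test-SqlConnectionStringTls {
    param([Parameter(Mandatory = $true)][string]$ConnectionString)

    # The builder parses the key=value pairs and exposes them as typed properties.
    $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder -ArgumentList $ConnectionString
    $findings = @()

    if (-not $b.Encrypt) {
        $findings += 'Encrypt is off: the client does not request TLS for this connection.'
    }
    elseif ($b.TrustServerCertificate) {
        $findings += 'TrustServerCertificate=True: traffic is encrypted, but the server certificate is accepted without validation.'
    }
    if ($b.PersistSecurityInfo) {
        $findings += 'Persist Security Info=True: credentials stay readable on the connection object after it opens.'
    }

    [pscustomobject]@{
        DataSource             = $b.DataSource
        InitialCatalog         = $b.InitialCatalog
        Encrypt                = $b.Encrypt
        TrustServerCertificate = $b.TrustServerCertificate
        Findings               = $findings
    }
}

function Get-ValidatingConnectionString {
    param([Parameter(Mandatory = $true)][string]$ConnectionString)

    # Same server and database, but the certificate chain and host name are checked.
    $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder -ArgumentList $ConnectionString
    $b.Encrypt = $true
    $b.TrustServerCertificate = $false
    $b.ConnectionString
}

# The connection string from this post, joined onto one line.
$fromPost = 'Persist Security Info=False;Initial Catalog=CM_R01;Data Source=sql01.labserv.net;Encrypt=True;TrustServerCertificate=True'

$report = Test-SqlConnectionStringTls -ConnectionString $fromPost
$report | Format-List DataSource, InitialCatalog, Encrypt, TrustServerCertificate
$report.Findings

# Variant to paste into the data source once the certificate is trusted.
Get-ValidatingConnectionString -ConnectionString $fromPost
```

If Test Connection fails with the validating variant, the certificate is either not trusted on that machine or its subject does not match the Data Source name.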

 

DBRepl47

 

 

 

 

This concludes Part 4

 

Replicating SCCM DB and adding replicated DB to SCCM Reporting – Part 2

In Part 1 I backed up the SCCM database and copied the backed-up database files to a different SQL server. I also attached the database files and created the database.

Part 2

In Part 2 I am going to create a SQL job which will automate this task to run daily. This job is scheduled at a time later than the SCCM backup time so that the latest backup files are present when the job runs.

Open SQL Management Studio on the replicated DB server (SQL01 in this case).

Go to SQL Server Agent, right click and select New Job

DBRepl11

On the general menu provide the name of SQL job

 

DBRepl12

Click on Steps and then click on New

DBRepl13

The first step is to close the connections to SQL server.

Add the following command to put the database in single user mode and click OK

ALTER DATABASE CM_R01 SET SINGLE_USER WITH ROLLBACK IMMEDIATE

DBRepl14

The next step is to detach the DB. This step is needed because we need to copy the DB files from the SCCM server and overwrite them. If you do not detach the database, the files will not be overwritten.

EXEC sp_detach_db 'CM_R01', 'true'

(Change the name of the database in the above command)

DBRepl15

The next step is to copy the files from the SCCM primary server to the database server using the script described in Part 1.

"c:\dbcopy\dbcopy.ps1"

DBRepl16

Once the database files are copied, the next step is to attach the database to SQL server

CREATE DATABASE CM_R01
ON (FILENAME = 'C:\DBCopy\CM_R01.mdf'),
(FILENAME = 'C:\DBCopy\CM_R01_log.ldf')
FOR ATTACH;
GO

Click OK

DBRepl17

Once all the steps in the job are complete, the next step is to schedule this job to occur daily sometime after the SCCM backups finish.

Since SCCM backups in my lab are scheduled to run at 1:00 AM every day, I have scheduled the job to run every day at 4:00 AM to give enough time for the backup to finish.

DBRepl18

Your job will appear under SQL Server agent – Jobs

DBRepl19

If you want to manually run the job to test whether it runs correctly, right click the job and select start the job at step 1

DBRepl20

You can always check the job history for troubleshooting purposes by right clicking the job and clicking on view history

DBRepl21

By expanding the step, each step is detailed. If there are any failures, they will be recorded here.

DBRepl22

 

This concludes part 2

Replicating SCCM DB and adding replicated DB to SCCM Reporting – Part 1

The benefits of SCCM reporting are obvious. Some organisations depend more on SCCM reporting than others. The dataset used for SCCM reporting is the SCCM database. If multiple reports are being run, written and tested while there is a lot of client activity, database performance can degrade.

Some organisations prefer that SCCM reports be designed, coded and tested on a separate DB server and that only the final report be imported to the live SQL reporting server that connects to the SCCM production database.

In order to achieve this you need a separate SQL server in the domain, preferably running the same version of SQL.

Lab Setup

CM01 – SCCM Primary server , SCCM Database , SQL reporting Services, SCCM reporting services point

SQL01 – SQL Database server

WIN7 – Workstation running windows 7 , Report builder 3.0 for SQL 2012

domain\cmreports – This is a user account in AD and has read permissions on SCCM database on server CM01.

Diagram below describes the systems in use for this lab setup.

DBRepl00

Enable shared folders and SCCM Backup

On SCCM Server (CM01 in this case) , Create a folder to store backups and share it.

DBRepl01

Go to SCCM 2012 console , Administration and sites . Go to site Maintenance

 

DBRepl02

As highlighted below, backup is not enabled on the site. Enable the backups.

DBRepl03

Then schedule the backups to occur daily or every weekday, according to your organisation’s standards and procedures.

DBRepl04

Now on the other SQL server (SQL01 in this case)

Create a shared folder and provide permissions.

DBRepl05

 

I am using a PowerShell script to copy database files from server CM01 to server SQL01. I am also storing the files in the shared folder that I just created on server SQL01.

You can download the DBcopy script and robocopy from here

Extract the files and copy them to the shared folder.

DBRepl06

Open and edit the PowerShell script using either ISE or any other PowerShell editor of your choice.

Change the path of $source = \\your sccm server\SCCMBACKUP\<sitecode>Backup\SiteDBserver

Change the path of $destination = \\your sql server\DBcopy

Change the path of $log = \\your sql server\DBCopy\DBCopy.log

Here are the switches for the robocopy command

/S – copy subdirectories, but not empty ones

/E – copy subdirectories, including empty ones

/COPY:DAT – what to copy for each file (D: data, A: attributes, T: timestamps)

/R – number of retries after a failed attempt; default is 1 million

/LOG – name of the log file to be created

DBRepl07

Save the script and run it .

Important – Run this script only after making sure that SCCM backup has run on SCCM primary server (CM01) and the backup files are present in backup folder c:\SCCMBackup on SCCM server.
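The copy step described here, and reused as a job step in Part 2, depends on two things the switch list does not show: the backup files must already be present, and robocopy's exit code is a bitmask in which values below 8 mean success. The following is an added example, not the DBcopy script linked above; the function names are hypothetical, the retry and wait values are illustrative, and the exit-code mapping at the end assumes the Part 2 job runs the script as a CmdExec step (the post does not show the step type).

```powershell
# Added example (not the downloadable DBcopy script). Function names are hypothetical.

function Test-BackupFilesPresent {
    param([Parameter(Mandatory = $true)][string]$Path)
    # The SCCM backup must have produced both a data file and a log file.
    $mdf = @(Get-ChildItem -Path $Path -Filter *.mdf -ErrorAction SilentlyContinue)
    $ldf = @(Get-ChildItem -Path $Path -Filter *.ldf -ErrorAction SilentlyContinue)
    ($mdf.Count -gt 0) -and ($ldf.Count -gt 0)
}

function ConvertFrom-RobocopyExitCode {
    param([Parameter(Mandatory = $true)][int]$Code)
    # Bitmask: 1 = files copied, 2 = extra files at destination, 4 = mismatches,
    # 8 = some files could not be copied, 16 = fatal error. Below 8 is not a failure.
    [pscustomobject]@{
        Code         = $Code
        Succeeded    = ($Code -lt 8)
        FilesCopied  = [bool]($Code -band 1)
        CopyFailures = [bool]($Code -band 8)
        FatalError   = [bool]($Code -band 16)
    }
}

function Copy-SccmBackup {
    param(
        [Parameter(Mandatory = $true)][string]$Source,
        [Parameter(Mandatory = $true)][string]$Destination,
        [Parameter(Mandatory = $true)][string]$Log,
        [int]$Retries = 3,        # illustrative; the robocopy default is 1 million
        [int]$WaitSeconds = 30    # illustrative wait between retries
    )
    if (-not (Test-BackupFilesPresent -Path $Source)) {
        throw "No .mdf/.ldf files found in $Source. Has the SCCM backup run?"
    }
    & robocopy.exe $Source $Destination /E /COPY:DAT "/R:$Retries" "/W:$WaitSeconds" "/LOG:$Log" | Out-Null
    $result = ConvertFrom-RobocopyExitCode -Code $LASTEXITCODE
    if (-not $result.Succeeded) {
        throw "robocopy failed with exit code $($result.Code); see $Log"
    }
    $result
}

# Decoding constructed exit codes: 1 (files copied) is success, 8 and 16 are failures.
0, 1, 3, 8, 16 | ForEach-Object { ConvertFrom-RobocopyExitCode -Code $_ } | Format-Table

# How a scheduled run would call it, mapping the result to 0/1 so that a CmdExec
# job step does not treat robocopy's "1 = files copied" as a failure:
#   try   { Copy-SccmBackup -Source $source -Destination $destination -Log $log | Out-Null; exit 0 }
#   catch { Write-Error $_; exit 1 }
```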

DBRepl08

Once the script finishes running, the database file and log file of the SCCM database have been copied to SQL server SQL01.

DBRepl09

Review the CopyDB.log to verify the size of database and log files.

DBRepl10

Now log on with an account that is a SQL admin and has rights to add a database on the SQL server, and run the following commands to create a database. (Change the path if needed.)

CREATE DATABASE CM_R01
ON (FILENAME = 'C:\DBCopy\CM_R01.mdf'),
(FILENAME = 'C:\DBCopy\CM_R01_log.ldf')
FOR ATTACH;
GO

DBRepl10a

Once the command has run successfully, refresh the console. Replicated copy of the SCCM database will show up in SCCM Console.

DBRepl10b

Now we have a copy of SCCM database running on a separate SQL server.

 

This concludes Part 1

Deploying Office 2013 application with SCCM 2012

This post describes creating an SCCM Office 2013 application and installing it from a client computer using the application catalog.

Office 2013 is available from Microsoft to download for evaluation for 60 days. There are two versions of Office 2013 install that are available.

Volume Licence

Retail

You can download the retail version from the evaluation site. However, the retail version does not include the customization binaries. The customization binaries are needed to customize the Office 2013 install.

Download them from here

Extract the downloaded files and copy the admin folder to office2013 source files folder

Office2013-01

 

To start the customization, open an admin command prompt, go to the office2013 source folder and type in

setup.exe /admin

Office2013-02

Setup.exe /admin opens a prompt to create a setup customization file. Select create new file and click OK

Here is the technet link to Microsoft Customization Tool.

 

Office2013-03

The welcome screen tells you that you are about to create an MSP file that will store all the customization

 

 

Office2013-04

Provide the install location and Organization Name

 

Office2013-05

Enter the product Key

Accept the licence agreement.

Set display level to none. For enterprise use, display level none is recommended because the install then does not wait for any user input. However, if display level none is selected, it is also recommended that users be told to close all open Office files.

When display level none is selected, Completion notice and No cancel do not apply, so it does not matter whether they are checked or not.

With Suppress modal, no warnings are shown if any files are open, and any errors won't pop up on the screen.

 

 

Office2013-06

 

Next is Modify setup properties

Here is link to all the setup properties for office 2013.

Office2013-07

Add a setup property HIDEUPDATEUI and add value True . This will hide the update prompt at the start

 

 

Office2013-08

Click on add again and add another property SETUP_REBOOT and set the value to AutoIfNeeded.

If the Office install needs a reboot, the system will reboot after installation.

 

 

 

Office2013-09

Next go to Modify user settings -> office 2013 -> Privacy -> Trust Center and disable Opt-in Wizard on first run.

 

 

Office2013-10

 

Next is set feature installation states – and remove Microsoft access , Microsoft Publisher, Microsoft infopath, Microsoft Lync. (Later in the post I will verify if these components are actually not installed)

 

Office2013-11

Click on File and save as , Save this to updates folder in office 2013 source files folder

 

 

 

Office2013-12

I named the file Office2012setup.msp. This completes the MSP creation process

 

Office2013-13

I am now ready to create the application. Go to SCCM console -> Software Library -> Overview -> Application Management, right click and select create new application

 

 

 

Office2013-14

Provide the msi file path (if it is the Volume Licence version the folder name is proplus, and if it is the retail version the folder name is proplusr)

\\cm01\Sources\applications\office2013\proplusr.ww\proplusrww.msi

 

 

Office2013-15

SCCM will automatically import all the information from the msi

 

 

Office2013-16

Provide the name of application , Fill in any other fields as necessary

 

 

 

 

Office2013-17

Review the summary and click Next

 

 

Office2013-18

This finishes adding application with basic settings to SCCM

 

 

 

 

Office2013-19

Now select the application from console and from the bottom screen select deployment types

right click and properties and click on content tab

Content location will be \\cm01\sources\application\office2013\proplusr.ww

Change it to \\cm01\sources\application\office2013

 

 

Office2013-20

 

Click on programs tab and change the installation program to setup.exe

Change the uninstall program to setup.exe /uninstall proplusr

Click on apply OK to finish.

 

Office2013-21

At this point the application is ready to be distributed to distribution points.

Once the application is distributed to all distribution points, create a collection of users to whom this application will be deployed.

Create a deployment to deploy this application to users.

Browse to provide the application

Browse again point to the collection you created previously and click next

 

 

Office2013-22

Content will show on which distribution points this application resides

 

 

Office2013-23

Click next

In deployment settings , Choose action install and purpose as available .

Click next

 

 

Office2013-24

I want the application to be available immediately. Click next

 

 

Office2013-25

click next leaving defaults

 

 

Office2013-26

Review the summary. If changes are needed at this point, go back and fix them.

If everything is OK, click next

 

 

Office2013-27

Review the completion notice and click close

 

 

Office2013-28

After the deployment is complete, go to the user's machine and log in with a user account that is a member of the collection where the application is advertised (errr… or deployed, I meant)

Go to software center and click on application catalog website and you will see Office application if the policy is updated

 

 

Office2013-29

Select the application and click on Install

 

 

 

Office2013-30

click Yes

 

 

Office2013-31

 

 

 

Office2013-32

The application will prepare to download and then it will download

 

Office2013-33

At this point application install status can be checked from software center.

 

 

Office2013-34

Once the install is finished, Software Center displays a message that the application install was successful

 

 

 

Office2013-35

Now go to start and expand office 2013 and review

As seen – Microsoft Access, Microsoft InfoPath, Microsoft Lync and Microsoft Publisher are not installed, as configured in the MSP

 

 

Office2013-36

In order to uninstall office , Close any open office files and go to software center .

Under installed software , Select office and click on uninstall

 

 

 

Office2013-37

Click Yes to uninstall

 

 

 

Office2013-38

Progress bar displays office is being uninstalled

 

 

 

Office2013-39

 

Finally confirmation that office is uninstalled from the computer.

 

 

 

Office2013-40

 

 

This concludes the post !

SCCM 2012 Configuration Items, Configuration Baselines , Compliance Settings – Part 11

In Part 1 I discussed the basics of Compliance settings.

In part 2 I discussed the Active Directory Query Compliance item

In part 3 I discussed the Assembly Compliance item

In part 4 I discussed the file system compliance item

In part 5 I discussed the IIS metabase compliance item

In Part 6 I discussed the registry key compliance item

In Part 7 I discussed the registry key value compliance item

In Part 8 I discussed the script compliance item

In Part 9 I discussed SQL compliance item

In Part 10 I discussed WQL query compliance item

Part 11 – X path Query Compliance item

XML documents are written in the form of a tree with nodes. An XPath query provides a way to query the data in XML files. Data is structured in nodes, and XPath syntax makes it easy to obtain the data from an XML document.

I created a sample XML document to use for this post . You can download it or use it or create your own.

Here is the link to download a sample XML file that I am using in the post . For testing purposes the test machines have a folder in c drive ( c:\scratch)  and XML file is copied to c:\scratch on all the machines .

Go to Assets and Compliance, Compliance Settings, Configuration Items, right click and select new configuration item

CIXpath01

Provide the name CI – Xpath Query , leave the configuration item as Windows and click next

 

 

CIXpath02

Select the operating systems where this setting will apply and click next

 

CIXpath03

click on new to create the configuration item

 

CIXpath04

Type in the name of XpathQuery , From setting type select X path query and data type as string.

Path – c:\scratch

File Name CI-Xpath.xml ( This file can be downloaded from link provided above)

in Xpath Query type in

/Library/Address/City

 

CIXpath05

 

Click Apply OK ,

Click next to go to compliance rules

CIXpath06

Click on new to create a compliance rule

CIXpath07

Provide the name of compliance rule and click on browse

CIXpath08

Select the configuration item just created in previous step and click on select

CIXpath10

In rule type select value

and type in equals “Hidden Valley”

CIXpath11

 

 

Click Next

CIXpath12

Review all the settings , If changes are needed go back to previous screen

CIXpath13

SCCM is working its magic 🙂

CIXpath14

Once configuration item is created , Next step is to create configuration baseline

Go to configuration baseline , right click and select create a new configuration baseline

Provide the name  CB – Xpath Query

Click on add and select configuration items

CIXpath15

select the configuration item CI – Xpath Query if not already selected and click OK

CIXpath16

Click OK to finish configuring the configuration baseline

CIXpath17

The next step is to create a deployment. Right click the configuration baseline and select deploy

CIXpath18

Select the configuration baseline

Select generate an alert and set the percentage you want.

Point it to collection where compliance needs to be evaluated

and change the evaluation to run every 3 hours and click OK

CIXpath19

Go to the client and from the configuration tab select CB – Xpath Query and click on evaluate .

CIXpath20

Click on view report . Machine below shows compliant

CIXpath21

Go to a machine where this file is not present. For this test, I have not copied the file to c:\scratch.

Click on evaluate and it shows an error

CIXpath22

If you click on view report, it shows Error and not Non-Compliant, because the file is missing.

CIXpath23

You can also review DcmWmiProvider for more information for troubleshooting.
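To try the XPath query and the "equals" rule outside SCCM before deploying the baseline, the following added example (not part of the original post) evaluates /Library/Address/City against a file and reproduces the three outcomes seen above: compliant, non-compliant, and an error when the file is missing. The XML content is constructed for the example because the post's sample file is not shown; the function name is hypothetical, and treating "no matching node" as non-compliant is this example's choice, not documented SCCM behaviour.

```powershell
# Added example (not from the original post). The XML below is constructed.

function Test-XPathCompliance {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$XPath,
        [Parameter(Mandatory = $true)][string]$Expected
    )
    # A missing file cannot be evaluated at all, so it is an error, not a rule failure.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ State = 'Error'; Values = @(); Detail = "File not found: $Path" }
    }
    try {
        $nodes = @(Select-Xml -LiteralPath $Path -XPath $XPath -ErrorAction Stop)
    }
    catch {
        return [pscustomobject]@{ State = 'Error'; Values = @(); Detail = "Cannot query XML: $($_.Exception.Message)" }
    }
    $values = @($nodes | ForEach-Object { $_.Node.InnerText })
    if ($values.Count -eq 0) {
        # Example's choice: a query that matches nothing fails the rule.
        return [pscustomobject]@{ State = 'NonCompliant'; Values = $values; Detail = 'XPath matched no nodes' }
    }
    # Every returned value has to equal the expected string (-eq is case-insensitive).
    $mismatch = @($values | Where-Object { $_ -ne $Expected })
    $state = if ($mismatch.Count -eq 0) { 'Compliant' } else { 'NonCompliant' }
    [pscustomobject]@{ State = $state; Values = $values; Detail = "Expected '$Expected'" }
}

# Constructed test files in a temporary folder standing in for c:\scratch.
$dir = Join-Path ([System.IO.Path]::GetTempPath()) 'ci-xpath-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

$good = '<Library><Name>Constructed sample</Name><Address><Street>1 Example Road</Street><City>Hidden Valley</City></Address></Library>'
$bad  = $good -replace 'Hidden Valley', 'Elsewhere'
Set-Content -LiteralPath (Join-Path $dir 'match.xml')    -Value $good
Set-Content -LiteralPath (Join-Path $dir 'mismatch.xml') -Value $bad

'match.xml', 'mismatch.xml', 'missing.xml' | ForEach-Object {
    $r = Test-XPathCompliance -Path (Join-Path $dir $_) -XPath '/Library/Address/City' -Expected 'Hidden Valley'
    [pscustomobject]@{ File = $_; State = $r.State; Detail = $r.Detail }
} | Format-Table -AutoSize

Remove-Item -LiteralPath $dir -Recurse -Force
```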

 

CIXpath24

This concludes Part 11

SCCM 2012 Configuration Items, Configuration Baselines , Compliance Settings – Part 10

In Part 1 I discussed the basics of Compliance settings.

In part 2 I discussed the Active Directory Query Compliance item

In part 3 I discussed the Assembly Compliance item

In part 4 I discussed the file system compliance item

In part 5 I discussed the IIS metabase compliance item

In Part 6 I discussed the registry key compliance item

In Part 7 I discussed the registry key value compliance item

In Part 8 I discussed the script compliance item

In Part 9 I discussed SQL compliance item

 Part 10 – WQL compliance item

A WQL query is a way to query WMI on a computer; a compliance item and compliance rules can then be created around that query.

I am going to query WMI for a service start mode status . Service that I am querying is Windows update service.

Open an admin command prompt and type in wbemtest , This will launch wmi tester

CIWQL001

Leave the name space as root\cimv2 and click on connect  .

Click on query in the WMI tester window

In query window type in

Select startmode from win32_service where name='wuauserv'

CIWQL002

Now it will return Win32_service=<no key> , Double click on that line

CIWQL003

Under properties scroll down to StartMode. As seen, for Windows 8 the start mode of the Windows Update service is manual,

and for Windows 7 this start mode will be auto. So I am going to create a compliance item based on the start mode, and if the start mode is auto a machine will be compliant.

Now since that is over, let's go to SCCM

CIWQL004

Go to Assets and Compliance , compliance settings , configuration items

Right click  and select create configuration item

CIWQL02

Type in the name of configuration item CI – WQL Query  , Leave the configuration item type as Windows and click next

 

CIWQL03

Select the Operating systems where this configuration item will apply and click next

 

 

CIWQL04

Click on New

 

 

CIWQL05

Type the name of settings CI – WQL Query , From settings select WQL Query and data type as string

Namespace root\cimv2 ( as discussed in the beginning of the post )

Class – Win32_Service ( as discussed in the WQL query above)

Property – Name ( as discussed in the WQL query above)

and in the where clause type in startmode='auto'

Click Apply OK

 

CIWQL06

Click next to go compliance rules

 

 

CIWQL07

Click on New to create a compliance rule

 

 

CIWQL08

Provide the name of the rule

 

 

CIWQL09

Click on browse and select the configuration item created just above and click on select

 

 

CIWQL10

in the rule type select value

in the rule type in

CI – WQL Query equals wuauserv , Click on OK

 

 

CIWQL11

Click next

 

 

 

CIWQL12

This screen provides the summary of settings , if any changes are needed you can go back and change

 

 

CIWQL13

SCCM is working its magic now 🙂

 

 

CIWQL14

This completes the creation of the configuration item.

 

 

 

CIWQL15

In order to deploy this configuration item to the machines , I need to create a configuration baseline .

Go to Configuration baseline and right click and select create configuration baseline

 

 

CIWQL16

Provide the name of Configuration baseline CB – WQL Query , Click on Add and from drop down select configuration item

 

 

CIWQL17

Select the configuration item and click OK

 

 

CIWQL18

Click OK to  finish creating the configuration baseline

 

 

CIWQL19

Next step is to create deployment for this configuration baseline

Select the configuration baseline , right click and select deploy

 

 

 

CIWQL20

Select the configuration baseline as CB – WQL Query

Select generate an alert and set the threshold at which you would like to see the alert

Provide the collection name

Set the evaluation schedule to every 3 hours for the lab. For production this should be once or twice a week, as compliance evaluation is a CPU-intensive task. Click on OK to finish creating the deployment

 

 

CIWQL21

Go to the client ( Windows 8.1 ) in this case

Click on configuration tab and select the configuration baseline and click on evaluate .

 

 

CIWQL22

Click on view report and as expected this machine is non compliant as start mode is manual and configuration item is looking for startmode = auto

 

 

CIWQL23

 

This concludes part 10

SCCM 2012 Configuration Items, Configuration Baselines , Compliance Settings – Part 9

In Part 1 I discussed the basics of Compliance settings.

In part 2 I discussed the Active Directory Query Compliance item

In part 3 I discussed the Assembly Compliance item

In part 4 I discussed the file system compliance item

In part 5 I discussed the IIS metabase compliance item

In Part 6 I discussed the registry key compliance item

In Part 7 I discussed the registry key value compliance item

In Part 8 I discussed the script compliance item

 Part 9 – SQL compliance item 

SQL compliance items can be used to query different elements of SQL servers in the environment. This compliance setting is particularly useful if there are a lot of SQL servers in production and those servers need to adhere to certain organisational standards.

Needless to say that this compliance setting is designed to be run only on SQL servers. I am going to do a basic checking for SQL version in this post .

You will also need a collection with SQL servers or a server to test the settings .

To create configuration item , Go to SCCM console , Configuration items and right click and new configuration item .

 

CISQL01

Assign a name to configuration item CI – SQL Version

 

CISQL02

 

Select the operating system where this setting will apply and click next

 

CISQL03

 

Click on New to create the configuration item

 

CISQL04

Provide the name to the setting , From settings type select SQL query and type string

Now to form an SQL query that is going to run on the computers  select the database as master and for column select version

type in

Select @@VERSION as version;

and apply OK

 

CISQL05

Click next to go to compliance rule

 

CISQL06

Click on new to create a compliance rule for SQL version

 

CISQL07

Type in the compliance rule name and click on browse

 

 

CISQL08

Select the SQLquery compliance item created in previous step and click on select

 

 

 

CISQL09

From rule type select value if not already selected

The next step is where the query will be evaluated. Set the rule to check whether the version of SQL begins with Microsoft SQL server 2012 SP1 and click OK

 

CISQL10

 

Click next to finish creating the compliance rules

CISQL11

This page provides the summary for the compliance item and rules. If changes need to be made, you can go back and make them.

Click next

 

CISQL12

SCCM is working its magic.

 

CISQL13

The screen provides the summary of configuration item

 

CISQL14

 

Next step is to create configuration baseline before the setting is applied to the SQL servers

Right click on configuration baseline and select create configuration  baseline

 

 

CISQL15

Provide the name of the configuration baseline CB – SQL Query – version  , Click on add and select configuration  items from  drop down.

 

CISQL16

select the configuration item and click OK

 

CISQL17

Click OK to complete the creation of configuration baseline

 

 

CISQL18

Now I am ready to deploy this configuration baseline to a collection . select the configuration baseline and select deploy

 

 

CISQL19

Select the configuration baselines

Select generate alert if compliance is below a certain threshold

select the SQL collection name and for schedule change it to run every 3 hours for lab or test setup and click OK

 

 

CISQL20

To verify the settings , Go to a SQL server where this configuration baseline is applied

Open SCCM client properties , Configuration tab and select CB – SQL – Check SQL Version and click on evaluate

 

 

CISQL21

Click on view report to check whether the version is as defined in the compliance rule or not.

This server is running SQL 2012 SP1 and is therefore compliant

 

 

 

CISQL22

 

 

This concludes part 9

SCCM 2012 Configuration Items, Configuration Baselines , Compliance Settings – Part 8

In Part 1 I discussed the basics of Compliance settings.

In part 2 I discussed the Active Directory Query Compliance item

In part 3 I discussed the Assembly Compliance item

In part 4 I discussed the file system compliance item

In part 5 I discussed the IIS metabase compliance item

In Part 6 I discussed the registry key compliance item

In Part 7 I discussed the registry key value compliance item

Part 8 Script compliance item 

In Part 8 I am going to use a script for evaluating compliance on computers. I am going to keep the focus on the compliance item only, therefore I am using a basic PowerShell script. It is also possible to use one script to evaluate the compliance of a machine and a second script to remediate non-compliant machines.

In this post I am going to discuss how to use a script to evaluate compliance on a machine

Script first. The script that I am using is a basic script that checks the state of the Windows Update service. It is a one-line PowerShell script.

Script running on a Windows 8 machine

get-service -Name wuauserv | select-object -ExpandProperty "Status"

When this script is run, the result is Stopped.

Script01

When this script is run on a Windows 7 machine

get-service -Name wuauserv | select-object -ExpandProperty "Status"

When this script is run, the result is Running.

 

 

 

 

Script02

Based on this I know the outcome of the script would differ depending on which OS the script is run on. (By default the Windows Update service is not running on Windows 8 and is running on Windows 7)
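The script check here (Status equals Running) and the WQL check in Part 10 (StartMode is Auto) look at two different properties of the same service, so they can disagree on one machine. The following added example, not part of the original post, reads both values with a fallback string when the service is absent and shows the verdict each rule would give over constructed states. It assumes PowerShell 3.0 or later; the function names and the 'NotFound' fallback are hypothetical.

```powershell
# Added example (not from the original post). Requires PowerShell 3.0 or later.

function Get-ServiceVerdict {
    param(
        [Parameter(Mandatory = $true)][string]$Status,     # what the Part 8 script returns
        [Parameter(Mandatory = $true)][string]$StartMode   # what the Part 10 WQL query returns
    )
    $byStatus    = ($Status -eq 'Running')    # Part 8 rule: value equals Running
    $byStartMode = ($StartMode -eq 'Auto')    # Part 10 intent: compliant when start mode is Auto
    [pscustomobject]@{
        Status             = $Status
        StartMode          = $StartMode
        ScriptRule         = if ($byStatus)    { 'Compliant' } else { 'NonCompliant' }
        StartModeRule      = if ($byStartMode) { 'Compliant' } else { 'NonCompliant' }
        RulesAgree         = ($byStatus -eq $byStartMode)
    }
}

function Get-WindowsUpdateServiceState {
    # Always return a string for each value so a rule has something to compare,
    # even on a machine where the service does not exist.
    $name = 'wuauserv'
    $svc  = Get-Service -Name $name -ErrorAction SilentlyContinue
    $wmi  = Get-CimInstance -Namespace 'root\cimv2' `
                -Query "SELECT StartMode FROM Win32_Service WHERE Name='$name'" `
                -ErrorAction SilentlyContinue
    $status    = if ($svc) { [string]$svc.Status }    else { 'NotFound' }
    $startMode = if ($wmi) { [string]$wmi.StartMode } else { 'NotFound' }
    Get-ServiceVerdict -Status $status -StartMode $startMode
}

# Constructed states: the last two rows are where the two rules disagree.
$constructed = @(
    @{ Status = 'Running'; StartMode = 'Auto'   },
    @{ Status = 'Stopped'; StartMode = 'Manual' },
    @{ Status = 'Running'; StartMode = 'Manual' },
    @{ Status = 'Stopped'; StartMode = 'Auto'   }
)
$constructed | ForEach-Object { Get-ServiceVerdict @_ } | Format-Table -AutoSize

# On a Windows machine, the live values for this computer:
#   Get-WindowsUpdateServiceState
```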

Now since that is out of the way , Lets get back to compliance items in SCCM

Go to Assets and Compliance , Compliance settings configuration items , right click and select Create a new configuration item

 

 

 

 

 

Script03

 

 

Provide the name CI – Script – Windows update service check , Leave the configuration item type as windows and press next

 

Script04

 

Select the OS where this configuration item will be applied and click next

 

Script05

 

To create configuration item click new

Script06

Type in the name CI – Script. From the setting type drop-down select Script, and set the data type to String.

There are two places where a script can be specified:

Discovery Script

Remediation Script

I am going to place my script under Discovery Script since I am only evaluating compliance. Click on Add Script

 

Script07

Select Windows PowerShell as the script language, type in the script shown at the beginning of the post and click OK

 

Script08

Click next

 

Script09

Now a compliance rule needs to be created. This rule determines how compliance is reported once the script has run on a computer (based on how I define compliance, a machine will be either compliant or non-compliant).

Click on new

 

Script10

 

Type in the compliance rule name and click on browse

Script11

Select the name of the configuration setting that I just created , If not already selected and then click on select

 

Script12

In Rule Type select Value, and then specify that the value returned is Running.

As discussed in the beginning, on Windows 7 the value will be Running and on Windows 8 the value will be Stopped (by default). So if this setting is applied to a collection of Windows 8 and Windows 7 machines, the Windows 7 machines will be compliant and the Windows 8 machines won't.

Click OK

 

Script13

Click next

 

Script14

This screen presents the summary of the settings , If any changes are needed then you can go back and make changes here . Click next

 

Script15

 

SCCM is working its magic here 🙂

Script16

And configuration item is ready .

 

Script17

Next step is to create configuration baseline . Right click Configuration baseline and create configuration baseline.

 

 

Script18

 

Type the name of configuration baseline CB – Script – Window update service . Click on add and select configuration item from drop down

 

 

Script19

Select the configuration item  just created and click ok . This would finish creating configuration baseline

 

 

Script20

 

Now it is time to deploy this base line to machines

Go to configuration baseline and right click and select deploy .

Script21

Select the configuration baseline CB – Script – Windows update service

Browse and point it to the collection

In lab scenario change the evaluation schedule to every three hours . In production running this probably once or twice a week is recommended based upon network size

click OK

 

Script22

Go to Windows 8 client , Click on configurations and click on evaluate.

 

Script23

By this time we know that on Windows 8 this is going to be non-compliant, because the value returned by the script is Stopped.

Script24

 

 

Now go to a windows 7 client and click on configurations tab and click on evaluate

 

Script25

The Windows 7 machine reports this setting as compliant because the value returned by the script is Running.

Script26
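A discovery and remediation pair for the same Windows Update service check, as an added example that is not part of the original post. The function names and the extra NotInstalled and Disabled return values are assumptions added here; it goes beyond the one-liner by always returning a single string, so the rule's comparison with Running has a value to evaluate on every machine.

```powershell
# Added example, not from the original post. Function names are hypothetical.
# In the console, the body of Get-WuauservState goes into "Discovery Script"
# and the body of Repair-Wuauserv into "Remediation Script".

function Get-WuauservState {
    # A String-typed setting needs exactly one string on the output stream;
    # the compliance rule from the post compares it with "Running".
    $svc = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        return 'NotInstalled'       # always emit a value the rule can compare
    }
    # Win32_Service is available to the PowerShell 2.0 that ships with Windows 7.
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='wuauserv'"
    if ($wmi.StartMode -eq 'Disabled') {
        return 'Disabled'           # tells "switched off" apart from "idle"
    }
    return $svc.Status.ToString()   # Running, Stopped, StartPending, ...
}

function Repair-Wuauserv {
    param([int]$TimeoutSeconds = 30)

    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='wuauserv'"
    if ($null -eq $wmi) {
        throw 'wuauserv is not installed; nothing to remediate.'
    }
    if ($wmi.StartMode -eq 'Disabled') {
        # A disabled service cannot be started; re-enable it first.
        Set-Service -Name wuauserv -StartupType Manual
    }
    $svc = Get-Service -Name wuauserv
    if ($svc.Status -ne 'Running') {
        Start-Service -Name wuauserv
        # Throws a TimeoutException if the service does not come up in time.
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds($TimeoutSeconds))
    }
}

# Local dry run from an elevated prompt before pasting the bodies into the CI.
# Set $Remediate to $true only on a test machine.
$Remediate = $false
$before = Get-WuauservState
"Discovery value: $before (compliant: $($before -eq 'Running'))"
if ($Remediate -and $before -ne 'Running' -and $before -ne 'NotInstalled') {
    Repair-Wuauserv
    "Discovery value after remediation: $(Get-WuauservState)"
}
```

Remediation runs only when it is enabled on both the compliance rule and the baseline deployment.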

 

 

This concludes Part 8

SCCM 2012 Configuration Items, Configuration Baselines , Compliance Settings – Part 7

In Part 1 I discussed the basic of Compliance settings .

In part 2 I discussed the Active Directory Query Compliance item

In part 3 I discussed the Assembly Compliance item

In part 4 I discussed the file system compliance item

In part 5 I discussed the IIS metabase compliance item

In Part 6 I discussed the registry key compliance item

Part 7 – Registry key value compliance item

This post is very similar to Part 6, where a registry key was involved. In this post, the compliance item is created for a registry key value.

To start , Go to Assets and Compliance and configuration items and right click Configuration item and select Create Configuration Item.

RegKeyValue01

Type in the name CI – Registry Key Value and leave the configuration item type as Windows

RegKeyValue02

Select for which operating systems this compliance item will apply and click next

RegKeyValue03

Click on new

RegKeyValue04

Type the name of the setting, CI – RegistryKey, and click on Browse

RegKeyValue05

On the left hand pane navigate to the key in this example to HKLM\Software\Vmware, Inc\Vmware Tools\InstallPath

(note that install path is c:\program files\Vmware\Vmware Tools)

Click OK

RegKeyValue06

So far I have defined the setting , Click OK here

RegKeyValue07

Click next to go to compliance options

RegKeyValue08

On the next screen click on new and provide the name of the compliance rule . Compliance rule will determine how this setting will be evaluated

Click on browse

RegKeyValue09

Select the name of the compliance item that I just created and click select

RegKeyValue10

From the drop-down select the rule type Existential, make sure "Registry value must exist on client devices" is selected, and click OK

RegKeyValue11

Click next

RegKeyValue12

This screen provides the summary of the compliance item and compliance setting. If anything needs to be changed I can go back and change it

Click next

RegKeyValue13

SCCM is working its magic now 🙂

RegKeyValue14

This will complete the creation of compliance item .  Next step is to create Configuration Baseline.

Go to Configuration baseline right click and select

RegKeyValue15

 

Provide the name of Configuration Baseline , In this case CB – Registry Key Value

Click on Add and select Configuration Item from dropdown

RegKeyValue16

Select the compliance item just created and click OK

 

RegKeyValue17

Click OK again

RegKeyValue18

After configuration baseline is created next step is to advertise it .

Select the configuration baseline right click and select deploy

RegKeyValue19

On the deployment screen select the configuration baseline just created

Point it to the collection

and select schedule to run  every 3 hours and click OK

RegKeyValue20

On the client go to control panel and configuration manager client and click on configurations tab . There is a new configuration item .

Click on evaluate and click on view report

RegKeyValue21

Well this machine is compliant.

RegKeyValue22

 

 

This concludes part 7

SCCM 2012 Configuration Items, Configuration Baselines , Compliance Settings – Part 6

In Part 1 I discussed the basic of Compliance settings .

In part 2 I discussed the Active Directory Query Compliance item

In part 3 I discussed the Assembly Compliance item

In part 4 I discussed the file system compliance item

In part 5 I discussed the IIS metabase compliance item

Part 6 – Registry Key Compliance Item

With the registry key compliance item we can check whether a certain registry key exists on devices. Based on what I specify in the compliance rule I can then determine whether the device is compliant.

To configure a registry key compliance item, go to Assets and Compliance, Compliance Settings – Configuration Items. Right click and select new configuration item

P-Registry01

 

Provide the name of configuration item .  Click next

 

P-Registry02

Select all the operating system version to which this setting will apply .

P-Registry03

Now click on new to configure the configuration item

P-Registry04

 

Specify the name for setting CI-RegistryKey .

From setting type drop down select registry key

For hive name select HKEY_LOCAL_MACHINE from the drop-down and then click on Browse to go to the actual registry key

P-Registry05

 

If the registry key exists on the server where you are configuring the setting, browse to the key and select it. Otherwise, type \\Computer_name in the computer name field and browse to the registry key. Also ensure the Remote Registry service is running.

Now ensure the radio button "This key must exist on client devices" is selected. Click OK

P-Registry06

Ensure that key name is selected and click ok

 

 

P-Registry07

Next step is to define the compliance rule, Compliance rule will determine how this setting is evaluated . Click on new

 

P-Registry08

Provide the name for Compliance rule and click on browse to select the compliance settings

 

 

P-Registry09

 

Select CI-RegistryKey and click on Select

P-Registry10

 

Now select the rule type Existential from the drop-down

Ensure "Registry key must exist on the client devices" is selected and click OK

P-Registry11

Review the compliance settings and compliance rule, if everything looks ok click next

 

 

P-Registry12

SCCM is working its magic now

 

 

P-Registry13

This completes the creation of the compliance setting

P-Registry14

 

The next step is to create a configuration baseline

Right click Configuration Baseline and select Create Configuration Baseline

P-Registry15

 

Provide the name CB-RegistryKey . Click on add and select configuration item  . This will complete creation of configuration baseline.

 

 

P-Registry16

Select the configuration item  CI-RegistryPath  and click OK

 

 

P-Registry17

Next step is to deploy the configuration baseline to collection . Right click configuration baseline CB-RegistryKey and select deploy

 

 

 

P-Registry18

 

 

On the deployment configuration window, ensure CB-RegistryKey is selected for baselines

Select Generate alert

Click on Browse to point it to a device collection

For the schedule, select every 3 hours for the lab. In production it should be every few days to distribute the load on client computers

P-Registry19

Now, on the client computer, go to Control Panel, Configuration Manager, click on the Configurations tab and select the configuration baseline CB-RegistryKey

Click on Evaluate. This will check whether the registry key exists on this computer

P-Registry20

 

After that, click on View Report to view the local web-style report

P-Registry21

 

This concludes part 6

SCCM 2012 Configuration Items, Configuration Baselines , Compliance Settings – Part 5

In Part 1 I discussed the basic of Compliance settings .

In part 2 I discussed the Active Directory Query Compliance items

In part 3 I discussed the Assembly Compliance items

In part 4 I discussed the file system compliance items

Part 5 – IIS Metabase Compliance item

The IIS Metabase compliance item can look through the IIS server metabase and report compliance based on conditions defined in compliance rules.

The IIS metabase changed after IIS 6.0, and some of the functionality moved to XML-based configuration files.

When working with Windows Server 2008 and higher (which have versions of IIS greater than 6.0), certain prerequisites need to be completed.

On IIS servers running a version greater than IIS 6.0, install IIS 6 Metabase Compatibility from Server Manager / Programs and Features

IISMetabase01

Download the IIS 6.0 Resource Kit from here and install it on the IIS servers to navigate and explore the IIS metabase.

Double click on resource kit installer

IISMetabase02

Click Next

 

 

IISMetabase03

 

Accept license agreement

 

IISMetabase04

Provide user name and company name and click next

 

 

IISMetabase05

 

Select custom and click next

 

IISMetabase06

Select the location or choose default location of install

IISMetabase07

Select Metabase explorer 1.6

IISMetabase08

Click Next

IISMetabase09

Click on finish

 

 

IISMetabase10

 

Open IIS Metabase Explorer as highlighted in the picture below. I am going to check compliance using property ID (PID) 3001, which holds the path of the website on a web server. If the path is c:\inetpub\wwwroot, the web server is compliant

IISMetabase11

 

 

OK, with all that out of the way, let's start with SCCM now

Go to Assets and Compliance -> Compliance Settings -> Configuration Items -> right click and select Create Configuration Item

IISMetabase12

 

Provide a name (CI – IIS Metabase in this case)

IISMetabase13

Select the operating systems where this compliance item will apply. For IIS Metabase settings you may want to choose only the operating systems where IIS is installed in the environment. Click Next

IISMetabase14

 

To create a configuration item for IIS , Click on new

IISMetabase15

 

Provide the name of the setting, select IIS Metabase as the setting type and String as the data type

The metabase path, as explained at the beginning of this post, is LM (for the local server), and the property ID is 3001 for the path.

Click OK

IISMetabase16

 

Click on New to create a compliance rule on how this configuration setting will be evaluated by SCCM

 

 

IISMetabase17

Provide the name for Compliance rule and click on browse to select the compliance setting

IISMetabase18

Select IIS metabase compliance setting if not already selected  and click select .

 

 

IISMetabase19

For rule type select Value

In the rule specify c:\inetpub\wwwroot (if the PID 3001 value for W3SVC\1\ROOT is c:\inetpub\wwwroot, the machine will be in a compliant state)

IISMetabase20

 

Click OK and review the settings in this step. If anything needs to be changed, you can change it by going back to the previous steps

IISMetabase21

 

SCCM is working its magic 🙂

 

 

IISMetabase22

 

The next step is to create the configuration baseline. To create it, right click Configuration Baseline and select Create Configuration Baseline

IISMetabase23

 

 

Provide a name for the configuration baseline (CB – IIS Metabase Settings)

IISMetabase24

Click on Add -> Configuration Items , Select CI -IIS Metabase created earlier and click OK

 

 

IISMetabase25

 

 

Once the configuration baseline is created, I am ready to deploy it to the web servers collection. If you have not created a collection yet, first create a collection containing the web servers on which to evaluate IIS metabase compliance.

Right click the configuration baseline and select Deploy

IISMetabase26

 

Make sure CB -IIS Metabase Settings is selected .

Select generate alert

Click on Browse and point it to web servers collections

Set evaluation schedule to run every three hours and click ok

IISMetabase27

 

 

Go to a web server where compliance is evaluated, open the Configuration Manager client properties in Control Panel and select the Configurations tab. Click on Evaluate to check whether the machine is compliant

IISMetabase28

 

Click on View Report to see the detailed status.

IISMetabase29

 

This means that on server LABSERV1 default website has path c:\inetpub\wwwroot .

This concludes part 5

SCCM 2012 Configuration Items, Configuration Baselines , Compliance Settings – Part 4

In Part 1 I discussed the basic of Compliance settings .

In part 2 I discussed the Active Directory Query Compliance items

In part 3 I discussed the Assembly Compliance items

Part 4 – File system Compliance items 

The file system compliance item can be used to search for a file or folder, including subfolders. Compliance can be reported either on a value or on whether the file or folder exists on the device.

I am going to check for the existence of a file on the drive (C:\Scratch\file\Filecompliance.txt). If this text file exists the system is compliant, otherwise the system is non-compliant.

The machine below has the text file in the c:\scratch folder. Machine name is WIN8

P-File01

 

 

Machine below has c:\scratch folder but there is no file , So this machine will be non-compliant . Machine name is WIN7

P-file02

 

Well, since that is out of the way, let's go to SCCM

Go to Compliance settings -> Configuration Items-> right click -> Create a new configuration item

P-File03

 

 

Provide Name – CI – FileSystem , Leave type as Windows and click next

 

P-File04

 

 

Select the operating system to which this configuration will apply . By default all operating systems are selected. Click Next

P-File05

 

This is where File System setting will be defined.  Click on New

P-File06

 

 

Specify the Name – It could be anything  . Here it is FileSystem .

From the drop down select the setting type as file system

Specify the path (c:\scratch) in this case

and name of the file  (FileCompliance.txt) in this case and Click OK.

 

P-File07

 

Next step is to create compliance rule  . Compliance rule will determine what to do when compliance setting is evaluated

 

P-File08

 

Type the name of compliance rule . Click to browse to select the configuration settings that I just created above

P-File09

 

Select FileSystem compliance settings , If not already selected and click select

P-File10

 

Specify the rule type as Existential . I want to check if the file exist in location c:\scratch on the computers . Click OK.

P-File11

 

Click next

P-File12

This screen presents the summary , if changes are needed you can go back and change it from here

 

P-File13

 

 

SCCM is working its magic now 🙂

 

P-File14

 

Configuration item is created and summary is presented

P-File15

 

Next step is to create configuration baseline based upon configuration item that we just created

To create the configuration baseline, go to Configuration Baseline under Compliance Settings, right click and select new configuration baseline

P-File17

Provide the name of new configuration baseline

Click on add and select Configuration items

P-File18

Select the configuration item created earlier CI- FileSystem . Click on OK . This will create the configuration baseline.

P-File19

 

Next step is to deploy the configuration baseline to computers . Select the configuration item , right click  and select deploy.

P-File20

 

 

Make sure the configuration baseline CB-FileSystem is selected on the right

Select Generate an alert to generate an alert. I set it to 90%

Point the deployment to the compliance collection

Set the deployment schedule to run every 3 hours.

P-File21

 

Go to the machine which has the file present in the c:\scratch folder. In my example this computer is WIN8

P-File22

 

Click on evaluate and then scroll to right to see the compliance status or click on view report

P-File23

 

Now go to the system which does not have the file in c:\scratch. In my case the computer name is WIN7

P-File24

Click on Evaluate and scroll to the right. As seen, this machine is non-compliant. Click on View Report to check the detailed status

P-File25

 

This concludes part 4

 

 

SCCM 2012 Configuration Items, Configuration Baselines , Compliance Settings – Part 3

In Part 1 I discussed the basic of Compliance settings .

In part 2 I discussed the Active Directory Query Compliance items

Part 3 – Assembly Compliance settings

An assembly is code that applications can share. The global assembly cache is located under %systemroot%\Assembly.

P-Assembly01

In this post, I am going to verify whether the Microsoft.VisualC assembly exists on computers or not. If it exists, the machine is compliant.

OK, since that is out of the way, let's get back to SCCM.

Under Assets and Compliance , Go to compliance settings -> Configuration items .

Right click configuration items and select new configuration item

 

P-Assembly02

 

Type in the name and description and click next

P-Assembly03

Select operating systems to which this setting will apply

P-Assembly04

 

On Specify settings for Operating System , Click on new

P-Assembly05

 

Type name Microsoft.VisualC , Setting type Assembly and then name of assembly for which compliance needs to be evaluated

P-Assembly06

 

Now specify the compliance rules , Compliance rules would determine how this compliance item is evaluated.

P-Assembly07

Specify the name and click on browse to select the compliance setting

 

P-Assembly08

Select Microsoft.VisualC from the list and click OK

P-Assembly09

 

Change the rule type to Existential . Select radio button setting must exist on client devices. Click OK

P-Assembly10

Review the summary. If changes need to be made you can go back and make them. If everything looks OK, click Next

P-Assembly11

SCCM is working its magic now 🙂

P-Assembly12

Compliance item created successfully .

P-Assembly13

Next step is to create Compliance baseline .

Go to Configuration Baseline , Right click Configuration baseline and select Create configuration baseline.

P-Assembly14

Provide name of the Configuration Baseline.

Click on add , select Configuration item from the list

P-Assembly15

 

Select the configuration item CI – Assembly – Microsoft.VisualC if not already added and click on add. Click OK

P-Assembly16

 

Next step is to deploy the base line to a device collection .

Right click CB – Assembly – Microsoft.VisualC and select Deploy.

P-Assembly17

Make sure CB – Assembly – Microsoft.VisualC is selected.

Select Generate alert.

Browse to the device collection to evaluate compliance for. Change the schedule to occur every 2 hours. For a large production network you may want to set this to once a week or once every few days. Click OK.

P-Assembly18

 

Go to a client computer to check that the compliance setting is applied to the device, by going to Control Panel, clicking on the Configuration Manager client and selecting the Configurations tab.

P-Assembly19

 

Click on view report to see expanded results .

 

P-Assembly20

 

This machine has Microsoft.visualC assembly and is therefore compliant .

This concludes Part 3

 

SCCM 2012 Configuration Items, Configuration Baselines , Compliance Settings – Part 2

In Part 1 I discussed the basic of Compliance settings .

Before proceeding to Part 2 create a device collection which will be used for deploying configuration baselines.

Part 2 – Active Directory query  Compliance settings.

I am going to create an Active Directory configuration item. This configuration item will evaluate an Active Directory property value to determine compliance.

Open the ADSI Edit tool and navigate to an object property. I am going to use the attribute "isCriticalSystemObject" in the Active Directory compliance setting.

P-ADConfig01

OK , Since that is out of the way , Lets get back to SCCM.

Under Assets and Compliance , Go to compliance settings -> Configuration items .

Right click configuration items and select new configuration item

P-ADConfig02

 

Give name to Configuration item . Notice the type of configuration item is windows and click next

P-ADConfig03

Select the applicable operating system , Choosing all OS that you want to evaluate the compliance for

P-ADConfig04

 

This is where Configuration setting is defined . Click on new to start configuring the configuration item.

P-ADConfig05

Assign a name to the configuration setting

Select Active Directory query from the setting type drop-down, and data type String

LDAP prefix – LDAP://

Distinguished Name – OU=MBAM Testing OU,OU=MBAM,DC=labserv,DC=net (I am only evaluating compliance for the OU named MBAM testing)

Search filter – (objectclass=*) means all types of objects (users, computers, printers etc.)

Scope – select Subtree if you need to evaluate the OU given in Distinguished Name and all of its sub-OUs

Property – I am using the property isCriticalSystemObject as explained above.

Once all this is done, click Apply and OK.

P-ADConfig06

 

This is where the compliance rule is configured. The compliance rule determines how the compliance item is reported after being evaluated.

Click on new

 

P-ADConfig07

Assign the name , click on browse to select the configuration item I just created.

 

P-ADConfig08

select the CI-Active Directory – IsCriticalSystemObject  configuration item and click select

P-ADConfig09

Select

Rule Type – Value (because I am going to evaluate the value of the AD attribute isCriticalSystemObject)

Select value equals FALSE

So our compliance setting is: if an AD object has the attribute isCriticalSystemObject with value FALSE, it is a compliant object.

Click OK

P-ADConfig10

This is finalized screen with all the settings , If changes are needed there is still time and hope , You can go back 🙂

If everything looks good , click next

P-ADConfig11

SCCM is working its magic right now 🙂

P-ADConfig12

Final confirmation screen for Configuration item creation wizard.

P-ADConfig13

 

Once Configuration item is created , Next step is to create Configuration baseline.

Right click configuration baseline -> Create Configuration Baseline

P-ADConfig14

 

Provide a name for Configuration Baseline .

Under configuration data , Click on Add and select Configuration item

P-ADConfig15

Select the configuration item  CI – Active Directory – IsCriticalSystemObject and click on OK

P-ADConfig16

Now that the Configuration baseline is created , It is time to deploy it to collection

Right click the Configuration item and select deploy

P-ADConfig17

 

Select the configuration baseline CB – Active Directory – IsCriticalSystemObject

Also select Generate an alert when compliance is below 95%, and the date and time when the deployment should start.

Select the collection

For the lab I changed the evaluation to every 2 hours. For production environments you want to keep it at once every few days.

P-ADConfig18

 

Go to a client machine which has this compliance baseline applied. Go to Control Panel and open the Configuration Manager client

Select the Configurations tab

Select CB – Active Directory – IsCriticalSystemObject and click on Evaluate. Then click on Refresh

P-ADConfig191

Click on view report

It shows this compliance setting as green and compliant

P-ADConfig20
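The Active Directory query from this post reproduced with .NET's DirectorySearcher, as an added example that is not part of the original post, so the values the setting will see can be listed before the baseline is deployed. Helper names, the sample rows and the NotSet state (objects on which the attribute has no value) are assumptions added here.

```powershell
# Added example, not from the original post. Helper names are hypothetical.
# Query parameters are the ones entered in the configuration setting above.
$Prefix   = 'LDAP://'
$BaseDn   = 'OU=MBAM Testing OU,OU=MBAM,DC=labserv,DC=net'
$Filter   = '(objectclass=*)'
$Property = 'isCriticalSystemObject'
$Expected = 'FALSE'          # compliance rule from the post: value equals FALSE

function Get-AdQueryValue {
    # Live query; needs a domain-joined machine that can reach a domain controller.
    param([string]$Prefix, [string]$BaseDn, [string]$Filter, [string]$Property)

    $root     = New-Object System.DirectoryServices.DirectoryEntry("$Prefix$BaseDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $searcher.PageSize    = 500          # page through large OUs
    [void]$searcher.PropertiesToLoad.Add($Property)
    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            # Result property names are stored in lower case.
            $vals  = $r.Properties[$Property.ToLower()]
            $value = $null
            if ($null -ne $vals -and $vals.Count -gt 0) { $value = $vals[0].ToString() }
            New-Object PSObject -Property @{ Path = $r.Path; Value = $value }
        }
    }
    finally {
        $results.Dispose()
        $searcher.Dispose()
    }
}

function Test-ValueRule {
    # Compares each returned value with the expected value, ignoring case.
    # Objects without the attribute are reported as NotSet, not as a mismatch.
    param($Rows, [string]$Expected)
    foreach ($row in $Rows) {
        if ($null -eq $row.Value)         { $state = 'NotSet' }
        elseif ($row.Value -eq $Expected) { $state = 'Match' }
        else                              { $state = 'Mismatch' }
        New-Object PSObject -Property @{ State = $state; Value = $row.Value; Path = $row.Path }
    }
}

# Constructed sample rows (not real directory data) so the logic runs anywhere.
$sample = @(
    New-Object PSObject -Property @{ Path = "LDAP://CN=PC01,$BaseDn"; Value = 'False' }
    New-Object PSObject -Property @{ Path = "LDAP://CN=PC02,$BaseDn"; Value = 'True' }
    New-Object PSObject -Property @{ Path = "LDAP://$BaseDn";         Value = $null }
)

# Set to $true on a domain-joined machine to run the real query instead.
$UseLiveDirectory = $false
if ($UseLiveDirectory) {
    $rows = Get-AdQueryValue -Prefix $Prefix -BaseDn $BaseDn -Filter $Filter -Property $Property
} else {
    $rows = $sample
}
Test-ValueRule -Rows $rows -Expected $Expected |
    Sort-Object State | Format-Table State, Value, Path -AutoSize
```

With the (objectclass=*) filter and Subtree scope the OU objects themselves are part of the result set, which is why the container appears among the rows.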

 

 

This concludes Part 2

SCCM 2012 Configuration Items, Configuration Baselines , Compliance Settings – Part 1

Compliance Settings in SCCM 2012 can be used to evaluate settings on device and/or user objects present in SCCM by targeting device or user collections.

To evaluate compliance, configuration baselines are deployed to collections. Configuration baselines are made up of configuration items and/or software updates. Configuration items are in turn made up of configuration settings.

SCCM 2012 offers 3 different categories of configuration items

1. Windows

2. Mobile Device

3. Mac OS X

P-Configuration01

In these posts I am going to cover Windows ( Operating system) Category since I don’t have Mobile OS and Mac OS in my lab.

Configuration settings structure 

Chart below explains how Configuration items and Configuration baselines works together to form Compliance settings

P-ConfigurationItems-1

Configuration Settings for Windows – Section 1 

There are 10 configuration settings in total available in Windows configuration items, as outlined by the red line in the picture above, but the scope of what can be achieved with them is great. Understanding these configuration settings is very important for using compliance settings effectively.

I am going to explain each of these settings with an example .

One or more of these configuration settings form a Configuration item.

Picture below show these windows settings available to use as seen in SCCM

P-Configuration02

Configuration Items – Section 2 

There are 3 types of configuration items, as shown in section 2, plus software updates

In the post following this one I am going to cover the Windows configuration item from section 2.

Note – Though a software update is a configuration setting, it cannot be configured from level 1; it can only be added from level 2 up, directly to a configuration baseline.

Configuration Baseline – Section 3

A configuration baseline is a group which could consist of

one configuration item

one or more configuration items

configuration items and software updates

software updates only

SCCM Collections – Section 4

Configuration baselines are applied to SCCM collections and that is where compliance is evaluated . One collection can have multiple configuration baselines applied at one point in time.

Compliance can be evaluated for device collections or user collections.

From next post I am going to start configuring these settings .

Enable Compliance from Device policies

P-Configuration03

Ensure Compliance evaluation on the client is set to Yes. I changed the compliance evaluation schedule to every 3 hours. However, based on an organization's requirements it could be either the default, once a week, or higher.

Compliance evaluation has some implications for client activity, so very frequent compliance evaluations can slow down clients.

This concludes Part 1

 

Adding SCCM PreStart media hook to MDT boot media

SCCM gives the option to add a prestart media hook to SCCM boot media. A prestart media hook means that after a client has booted from the boot media and before a task sequence starts, the hook can execute a script, batch file, program etc.

In this post I am using SCCM 2012 R2 SP1 with MDT 2013 integrated with SCCM. The prestart command by default will execute the script ztimediahook.wsf.

You can, however, execute any script before the task sequence begins using the same method.

These are the steps, from the very beginning, to create boot media with prestart media hooks.

 

I usually create 3 folders to store following

Folder to store MDT boot files
Folder to store prestart files
Folder to store wall paper

1. In SCCM console go to Operating system- boot images , Right click and select create a boot image using MDT

P-PreStart01

2. Specify the location of MDT folder you created to store MDT boot files and click next

P-PreStart02

3. Assign a name and comment which easily identifies a boot image

P-PreStart03

4.  Choose platform and scratch space. For most cases x86 boot images will be fine and a scratch space of 128 MB is probably enough to hold files

P-Prestart04

5.  Leave it at default components and click next

P-Prestart05

6. This is THE step where prestart options are set.

Select Add prestart command file. This will automatically populate the ZTIMediahook.wsf line.

Provide the path of the folder you created to store prestart files

If you use a custom background, like I do, provide the path where the bmp file is stored.

Enable command prompt is enabled by default; leave it as is, it helps with troubleshooting.

P-Prestart06

7.  Summary is provided , review it and if needed go back and change it

P-Prestart07

8. Boot image creation in progress

P-PreStart08

9. Confirmation on steps performed click finish

P-PreStart09

10. Distribute the image to distribution points

P-PreStart10

11. Specify distribution point or distribution point group and click next

P-PreStart11

12. Click on close and image will be distributed

P-PreStart12

And that's it, you are done!! You have enabled an MDT boot image with a prestart media hook. Technically you are done at this point.

But wait, if you want to know what just happened, stick around …

13. Now let's inspect the contents of the folder prestartv5 (this folder was used to store prestart files)

At the top of this folder is the TSConfig.ini file. This file will be executed during the prestart phase.

P-PreStart13

14. Let's take a look at the TSConfig.ini file to find out what it is going to execute

OK, so I can tell ZTIMediahook.wsf is going to be executed in the prestart phase

P-PreStart14

15. Now what about the deploy folder

If you go into the deploy folder and then into the scripts folder, here is what you see

These files come from two locations: the MDT toolkit scripts folder, and the SCCM folder under your MDT install folder

typically c:\Program files\Microsoft deployment toolkit\SCCM

This folder also contains ZTIMediahook.wsf. This is the main script that is called during prestart

P-PreStart15

16. So now we have the boot image ready. We now need to create boot media so we can boot a PC and see what happens

Go to Task Sequences, select Create Task Sequence Media and select Bootable media

P-PreStart16

17.  Provide a name for the media

P-PreStart17

18. Enable unknown computer support. I did not provide a password, but in production it is a good idea to set one, as this provides one layer of security

P-PreStart18

19.  Select the boot image we just create , Provide distribution point and click next

P-PreStart19

20. OK, I admit this can be confusing. After doing the whole prestart exercise I am presented with prestart options again. Leave this blank, as we configured everything while creating the boot image and don't need to do it again.

P-PreStart20

21. And we are done

P-PreStart21

22.  Review and click close

P-PreStart22

23. Technically we are done, the ISO is ready to boot.

But wait, if you want to see exactly where all the prestart stuff went, hang in there

Let's mount the ISO we just created. Nothing much here

P-PreStart23

24. Go to sources folder and copy boot.wim to a temp folder

P-PreStart24

25. Boot.wim in a temp folder (maybe this was an unnecessary screenshot 🙂)

P-PreStart25

26. Mount this boot.wim to a folder (if you don't have an empty folder to mount to, create one first). This step uses dism, which comes with the ADK.

I am mounting the boot.wim stored in c:\scratch\temp\boot.wim to the c:\scratch\mount folder.

P-PreStart26

27. Now open the mount folder in Windows Explorer.

Aha … now review the TSConfig.ini file. This file says to start executing ZTIMediahook.wsf using source SMS10000.

P-PreStart27

28. So where are SMS10000 and ZTIMediahook.wsf?

It is located under SMS\PKG\ and the scripts folder contains ZTIMediahook.wsf.

P-PreStart28

29. OK, moment of truth. Let's put this boot media to work and see what happens.

Boot a machine with this ISO. When you pick a task sequence, this happens. Notice the path from which the scripts are executed. ZTIMediahook.wsf is the main routine which calls the other scripts, and here you can see it calling ZTIGather etc…

Notice the custom background we set while creating the boot image.

P-PreStart29

30. Wizard.hta launches now

P-PreStart30

Give a computer name and you are good to go.

Notes – Wizard.hta is the starting point. As you can see this is a basic HTA, but there is no end to how it can be customized to fit your needs.

You can leverage the SCCM_BootStrap.ini, Deploy_SCCM_Scripts.vbs and Deploy_SCCM_Definition_ENU.xml files to construct an HTA with more functions.
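
Steps 26 to 28 can also be scripted, which is handy when you want to confirm what a boot image will run at prestart before you hand the media out. This is an added example, not part of the original walkthrough: it reuses the paths from step 26 and the SMS\PKG location from step 28, while image index 1, the CSV output path and PowerShell 4.0 or later (for Get-FileHash) are assumptions.

```powershell
# Added example: read-only inspection of the prestart hook inside boot.wim.
# Paths come from steps 26-28; image index 1 and the CSV path are assumptions.
$wim    = 'C:\scratch\temp\boot.wim'
$mount  = 'C:\scratch\mount'
$report = 'C:\scratch\prestart-hashes.csv'

if (-not (Test-Path $wim))   { throw "boot.wim not found at $wim" }
if (-not (Test-Path $mount)) { New-Item -ItemType Directory -Path $mount | Out-Null }
if (Get-ChildItem $mount -Force) { throw "$mount is not empty; DISM needs an empty folder" }

# Mount read-only so the image cannot be changed by accident
dism.exe /Mount-Wim "/WimFile:$wim" /Index:1 "/MountDir:$mount" /ReadOnly
if ($LASTEXITCODE -ne 0) { throw "DISM mount failed with exit code $LASTEXITCODE" }

try {
    # TSConfig.ini in the mount folder names the prestart command (step 27)
    $ini = Join-Path $mount 'TSConfig.ini'
    if (Test-Path $ini) {
        Get-Content $ini
    } else {
        Write-Warning 'No TSConfig.ini found: this image has no prestart command'
    }

    # The prestart package sits under SMS\PKG\<package id> (step 28).
    # Hash every file so the scripts can be compared with the source folder.
    $pkgRoot = Join-Path $mount 'SMS\PKG'
    if (Test-Path $pkgRoot) {
        Get-ChildItem $pkgRoot -Recurse -File |
            Get-FileHash -Algorithm SHA256 |
            Select-Object Hash, Path |
            Export-Csv -NoTypeInformation -Path $report
        Write-Host "File hashes written to $report"
    }
}
finally {
    # Always release the mount, discarding any changes
    dism.exe /Unmount-Wim "/MountDir:$mount" /Discard
}
```

Run it from an elevated PowerShell prompt, since DISM needs administrator rights to mount an image.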

 

OSD fails with error 80070490

I came across this issue after adding a new wim file to SCCM and then editing the task sequence to add the wim file. Well, it was all fine until then.

After I started OSD again I got an error. Looking at the smsts log shows the following

Image

I checked that the package was available on the distribution points; no errors were reported on the package.

After some searching over the internet I found out that the image index might not be correctly selected on the new wim file. When I looked at the OS image package properties, there were certain details missing.

Image

After selecting image 2-2, I could see it showing all the fields correctly. This is the image that I should have applied in the task sequence instead of 1-1.

Image

After finding this out, this change needs to be incorporated in the OSD task sequence.

Image

After making these changes, OSD worked fine.

OSD Fails with error 801901F4

I had this issue with OSD failing to download a package. There were errors for a package missing, unable to download.

Task sequence will usually fail with error 80070002

Image

While checking smsts.log, I found this in the logs: error 801901f4

Image

Some research on this pointed to installing hotfix 2801987, but this only applied to SCCM 2012 SP1 and I was running SCCM 2012 SP1 R2.

I tried removing the Network Access Account and re-adding it; that did not work.

I checked that the management point was available and IIS was functional, to eliminate HTTP 500 errors.

The only way I was able to resolve this error was by checking allow anonymous access on the distribution point.

Image

This fixed the issue for me.

Though while researching this error I could not find the real reason for it, nor was there one single solution for it.

I am yet to find out what caused this error. But OSD seems to be working again for now.
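
Since the workaround in the post above is the anonymous access setting on the distribution point, it is useful to be able to see which distribution points in a site have it switched on. This is an added example, not from the original post: the site code ABC and the provider name are placeholders, and it assumes the setting is stored as the IsAnonymousEnabled embedded property of the distribution point role in the SMS_SCI_SysResUse class.

```powershell
# Added example: report which distribution points allow anonymous connections.
# $SiteCode and $Provider are placeholders; set them for your own site.
$SiteCode = 'ABC'
$Provider = 'localhost'          # server that hosts the SMS Provider
$ns       = "root\sms\site_$SiteCode"

# One SMS_SCI_SysResUse instance exists per site system role
$dps = Get-WmiObject -ComputerName $Provider -Namespace $ns `
           -Class SMS_SCI_SysResUse `
           -Filter "RoleName='SMS Distribution Point'" -ErrorAction Stop

$report = foreach ($dp in $dps) {
    $dp.Get()    # refresh the instance so the embedded Props array is loaded

    # Assumption: the anonymous setting is the IsAnonymousEnabled property
    $anon = $dp.Props | Where-Object { $_.PropertyName -eq 'IsAnonymousEnabled' }

    [pscustomobject]@{
        Server           = $dp.NetworkOSPath.TrimStart('\')
        SiteCode         = $dp.SiteCode
        AnonymousEnabled = [bool]($anon -and $anon.Value -eq 1)
    }
}

# Distribution points with anonymous access enabled are listed first
$report | Sort-Object AnonymousEnabled -Descending | Format-Table -AutoSize
```

Running it before and after a change like the one above gives a record of which distribution points were opened up, so the setting can be turned back off once the cause of the download error is found.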

 

OSD Fails with error HRESULT=80040102

If OSD fails while resolving task sequence dependencies and the package ID it cannot locate is that of the SCCM client, check the SMSTS logs to see whether they show the following:

Content location request failed error 80040102

Failed to resolve package ID

Failed to resolve Task sequence dependencies

Image

Check the following –

Make sure the package is available on the distribution point.

Make sure a boundary group is configured. If a boundary group is configured but no site servers are added to it, the error will still persist.

Image

Add the site server to the boundary group.

To add the site server, click on the references tab and add the site server. This should fix the error.

Image

Click apply, then OK, and try OSD again.

Capture Task sequence media SCCM 2012

A WIM file for OSD deployment of Windows 7 or Windows 8 can be generated using the capture media feature in SCCM 2012. This is a two-part process. The first part is to create the capture media. The second part is to run the capture media on a pre-installed Windows 7 or 8 machine.

Steps on SCCM Server

Image

Image

Provide the path for iso file.

Image

Provide boot image and distribution point where boot image is distributed.

Image

Image

Image

This will finish the capture media step.

Steps to be done in workstation

Insert the ISO generated from the steps above on either a Windows 7 or Windows 8 machine.

Setup will start (make sure the workstation is not a member of an AD domain).

Image

Provide the path where wim file will be stored. Provide user name and password to connect to share.

Image

Provide information as needed

Image

Click finish. Once complete, it will place the wim file in the folder specified.

Image

This WIM can be used to create an OSD deploy task sequence for Windows 7 or Windows 8.

CMTrace to user desktop

CMTrace is handy for looking up logs in SCCM. This is how to package it and send it to the desktop of any user who logs on to the computer.

Copy CMTrace to the package source folder and create the package. Run the program with install.bat

Image

Now to the install.bat file

Image

Once this package is run on a machine, it will copy CMTrace to the desktop of every user who logs in to the computer.

Installing SP1 in SCCM 2012 hierarchy

SP1 should be installed from the top of the hierarchy.

This install setup is for Windows Server 2008 R2 SP1 and SCCM 2012. Based on the OS version and SCCM version, the steps may change.

CAS first, then primary, then secondary and DPs if any. After all the site servers are installed, clients should be upgraded.

Three software packages are needed to install SP1

Download the software needed to install SP1.

Download ADK setup

Download Windows management framework 3.0

Download KB2734608 for windows 8 and windows 2012 support

START THE INSTALL OF SP1

Step 1

Uninstall WAIK on CAS

P-UninstallWaik

Step 2

Install Windows Assessment and Deployment Kit (ADKsetup.exe)

P-InstallADK

Choose at least the following three components

Deployment tools

Windows Preinstallation Environment

User state migration tool

P-InstallADKComps

Finish the ADK install by clicking on install.

Step 3

Install the hotfix for WSUS 3.0 SP2. The hotfix is KB2734608

P-InstallWSUSHotFix

Restart the server.

Step 4

Install Windows Management Framework 3.0. This is needed for PowerShell 3.0. Windows 2008 servers need it.

P-ManagementFrameWork3

Restart server once done.

Step 5

Start SP1 install and choose upgrade

P-InstallSP1

Enter the product key in the next step, then click on download updates and provide the download folder path.

P-DownloadingCabfiles

Select the language and then select the setup type. Since I am installing SP1, upgrade is already selected.

P-SetupType

If there is a migration job set up between the 2012 and 2007 hierarchies, it needs to be stopped before running SP1 setup, else the install won’t continue.

P-MigrationJobError

If there are no more errors, the upgrade will go through.

P-SP1UpgradeInstall

This will complete the SP1 install.

P-SP1InstallFinish

These steps need to be repeated on the primary and secondary servers in the hierarchy.

Running Powershell scripts from SCCM

To use the PowerShell library for SCCM, a few steps need to be done before the cmdlets can be used.

Do the following on the SCCM server from ISE

Import-Module '<SCCM Install Drive>\AdminConsole\Bin\ConfigurationManager.psd1'

Run Get-PSDrive after that

Get-PSDrive will list the drive for SCCM

Run CD ABC: (if ABC is the drive for SCCM)

All cmdlets for SCCM 2012 should run now.
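
The same steps as a script, as an added example that is not from the original notes. It assumes the SCCM console is installed on the machine, so that the SMS_ADMIN_UI_PATH environment variable points at the console's bin\i386 folder, and it finds the site drive by its provider name instead of reading the Get-PSDrive output by eye.

```powershell
# Added example: load the SCCM 2012 PowerShell module and move to the site drive.
# Assumption: the console is installed, so SMS_ADMIN_UI_PATH is set
# (it points at <install dir>\AdminConsole\bin\i386).
if (-not $env:SMS_ADMIN_UI_PATH) {
    throw 'SMS_ADMIN_UI_PATH is not set. Install the SCCM console first.'
}

# The module manifest lives one level up, in ...\AdminConsole\bin
$binFolder  = Split-Path -Path $env:SMS_ADMIN_UI_PATH -Parent
$modulePath = Join-Path -Path $binFolder -ChildPath 'ConfigurationManager.psd1'
if (-not (Test-Path $modulePath)) { throw "Module not found at $modulePath" }

Import-Module $modulePath -ErrorAction Stop

# The module registers one PSDrive per site, served by the CMSite provider
$siteDrives = @(Get-PSDrive -PSProvider CMSite -ErrorAction Stop)
if ($siteDrives.Count -eq 0) {
    throw 'No site drive found. Open the console once as this user, then retry.'
}
if ($siteDrives.Count -gt 1) {
    Write-Warning "Several site drives found; using $($siteDrives[0].Name)"
}

# Same as "CD ABC:" when ABC is the site drive
Set-Location "$($siteDrives[0].Name):"

# Quick check that the cmdlets can reach the site
Get-CMSite | Select-Object SiteCode, SiteName, Version
```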

 

Distribute content to pre stage distribution point SCCM 2012

A pre stage distribution point is just a distribution point which has the check box for pre stage content enabled. If this setting is enabled, then when a package is distributed to the distribution point it does not go over the network.

The package waits to be pre staged on the remote distribution point.

There are three broad steps to distribute a pre stage package to a remote distribution point. If you don’t want to validate the content, then it is basically two steps.

Step One

Create the pre stage file and export it

Copy the file to the remote distribution point

Step two

Distribute the content to the distribution point.

— Checks – If you go to the Monitoring workspace and go to "Distribution point configuration status", you will notice that the distribution point is waiting for content to be pre staged on the remote distribution point.

Step three

Import the content on the remote distribution point using the "extractcontent.exe" command

Syntax of the command is

extractcontent.exe /P:<PATH OF THE PACKAGE>\filename.pkgx /S

After running this command, go to the CAS again, open the Monitoring workspace and go to "Distribution point configuration status".

The status of the package on the remote DP should change to processing content.

Once the processing of the content is complete, the DP status returns to a green check mark from a downloading arrow mark. The green downloading arrow mark is also a sign that package replication is in progress.

SCCM 2012 Install notes

The SQL Server service cannot run under an NT Service\ account; SCCM setup will not allow this.

ADK needs to be installed before SCCM setup can continue (at least USMT, the preinstallation environment and the deployment tools are needed).

The default ports for WSUS have changed to 8530 & 8531. When configuring the SUP, use those ports.

WSUS installation broke after installing SCCM 2012 R2. I had to uninstall the SUP, uninstall WSUS, reinstall WSUS and reinstall the SUP.

Reporting services

When configuring reporting services, the DB option was blank and the wizard was not seeing the database. I had to open port 1433 inbound on the DB server for the reporting services wizard to work.

In 2012 there is now an option to capture the wim file for OS deployment using capture media. After the capture media is created, insert the media in the virtual machine's CD-ROM and run the setup. I found that setup syspreps the machine, captures the image and copies it to a network share.

The capture media option was not there in SCCM 2007.

Software packages cannot be validated to install during OSD if boundary groups are not configured. The WinPE install cannot find a software package if the package is not associated with a boundary group.