This is an excellent tool that I used extensively and I’m pleased that its been released so soon.
You can download it from:
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=29268
Information is available on TechNet:
Enjoy!
John Riseam
System Center Consultant
Risual
All the System Center 2012 code has hit MSDN and is available for download.
This includes
John Riseam
System Center Consultant
Risual
Came across this issue at two different customers whilst demoing the cool dashboard functionality. The health status graphics are not shown for any objects either inserted, reconciled, linked to new or exported Visio diagram.
Visio 2010 Add-in for System Center Operations Manager 2007 R2 can be downloaded from here if you haven’t already tried it http://www.microsoft.com/download/en/details.aspx?id=26228
It appears that Service Pack 1 for Office\Visio 2010 breaks the add-in for Operations Manager, the symptoms include;
Currently I’m not aware of a method to fix it with SP1 installed, instead run Visio as RTM. Most media comes SP1 integrated so to remove the updates simply delete the content from the update folder in the Visio installation media, this will install Visio as RTM.
Any pages created previously will still not work but newly created or exported will now show the health status correctly.
John Riseam
System Center Consultant
Risual Ltd
The first public beta of Operations Manager has been released to the internet, it can be downloaded from the following link.
http://www.microsoft.com/download/en/details.aspx?id=26804
System Center Operations Manager 2012 provides the monitoring component of cloud and datacenter solutions, to help you manage your datacenter and cloud environments by:
Feature Summary
Ran into this issue when launching Outlook 2010 after a USMT migration.
Cannot open your default e-mail folders. The attempt to logon to Microsoft Exchange has failed.
The scenario is a Windows XP SP3 with Office 2003, to Windows 7 SP1 with Office 2010 RTM migration.
User State Migration Toolkit (USMT) 4.0 was used to copy the profile, this included the USMT update to support Office 2010 which can be downloaded here http://support.microsoft.com/kb/2023591
The profile and user settings had migrated successfully, however it appeared that the Outlook profile didn’t migrate.
This is a known issue and an Outlook hotfix is available from Microsoft at the following location.
http://support.microsoft.com/kb/2405793
Once the hotfix is installed the profile opens fine, and all settings are migrated.
This hotfix can be added directly into the task sequence, or into the Office package.
To add into the Office package extract the fix into the updates folder using the following command.
outlook2010-kb2405793-fullfile-x86-glb.exe /extract:c:\<extractiondirectory>
Then copy the two files into the updates folder of the Office 2010 installation sources files
Once you deploy Office 2010 from the updated media, the update will be slipstreamed into the install.
John Riseam
System Center Consultant
Risual Ltd
I had the following scenario, Windows 7 Enterprise deployment enabling BitLocker with TPM and PIN and Dell Latitude laptop hardware.
The companies business requirement was to encrypt laptops, the cost of this could be reduced by implementing Windows 7 Enterprise edition.
The following is a high level list of the components that need to be in-place
The schema changes for BitLocker are part of the Windows 2008 R2 schema update so if a company is moving or has moved this can be rolled into a change. A Microsoft article that explains this in depth can be found at http://technet.microsoft.com/en-us/library/dd875533(WS.10).aspx
To verify or query that the schema changes exist in an environment, use ADSIEDIT, connect to the schema and check for the following entries.
Group policy needs to be set if you want recovery keys to be stored in Active Directory, this can also configure things such as minimum PIN length.
The BitLocker Recovery Password Viewer can be enabled as a feature in Windows 2008 R2, it has to be installed on a domain controller if you want to enable the feature in Windows 7 with RSAT installed.
Once this is in place, I would recommend testing the encryption manually and checking to see if the decryption keys are being written in AD. On the tested machine, export the registry from the following location. (This will be required later as part of the deployment process.)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE
With TPM ready laptops, the BIOS will show a TPM chip as disabled and its usually a two step process to enable this. First switch TPM on and reboot and secondly, activate. To automate this in the task sequence some manufacturers allow setting the BIOS via a script or executable. Dell are no different and after lots of trials using different methods (they have a few,) I followed the Dell best practice document listed in the following link.
Best Practices for Remote TPM Enablement for Dell Business Client Systems
Once you have downloaded the Dell Client Configuration Toolkit and created the task sequence using the .xml template supplied, you should be ready to copy this into an existing deployment task sequence. I had issues with the default task sequence conditions, I’m not sure if its the template but I changed the single quotes to double quotes in the WMI command and removed some of the model types to reduce complexity.
After the BIOS is set in either the WinPE or Windows Phase, we need to set the task sequence to create a boot partition. This can either be done prior if you want the boot volume at the beginning of the disk, or after, using the following command.
bdehdcfg.exe -target default –quiet
The preferred method is to set a task sequence to partition the disk in the PreInstall phase. I created two “Format and Partition” tasks. One Operating System partition and one 300mb BDE partition where the boot and system files would reside. Add the same conditioning to the task sequence as you would to the TPM BIOS and Activation parts. This could be a simple laptop query or model specific WMI.
Then in the Apply Operating System Image task, specify the partition using the variable that the WIM will be installed onto.
In the MDTIntegrated task sequence a Bitlocker task is present, however it is limited slightly in that it only has the following options.
The defaults are great once enabled, but we need another task to add a default PIN that users enter when the machine boots.
The following tasks were put together in a task sequence
The Enable Bitlocker encrypts the current Operating System drive and stores the recovery keys in AD. The BitLocker Config task adds the exported registry information from earlier which allow the pin to be added, the PIN was then added using the manage-bde task below.
%SYSTEMROOT%\system32\manage-bde.exe -protectors -add %systemdrive% -tp 123456789
John Riseam
System Center Consultant
Risual Ltd
My preferred method when creating images is to build the machine in a virtual environment using a fully automated build and capture task sequence in SCCM or MDT. This makes the images consistent, repeatable and reliable which are all good, things to consider if you think ahead are the settings which can be applied, these can include the following.
To make sure the image is created with full UK English (A common requirement for me) the following is added to the unattend.txt
[RegionalSettings]
InputLocale_DefaultUser=0809:00000809 ; Specifies the Inputlocal and keyboard setting for default user
UserLocale_DefaultUser=00000809 ; Locale ID for default User
InputLocale=0809:00000809 ; Locale\Keyboard combinations to be installed
Language=00000809 ; Lanugage locale to be installed
LanguageGroup=1 ; Language Group to be installed
SystemLocale=00000809 ; System Locale to be specified
UserLocale=00000809 ; User Locale setting
A good starting point for a corporate desktop that require no extra stuff such as games or windows media player a good starting point is this.
[Components]
AccessOpt = on ; accessibility wizard
Calc = on ; calculator
CertSrv = off ; certificate services compontents of the certificate server
CertSrv_Client = off ; web client components of the certificate server
CertSrv_Server = off ; server components of the certificate server
CharMap = off ; enables insertion of symbols and characters into documents
Chat = off ; chat client
Clipbook = on ; clipboard viewer
Complusnetwork = off ; COM+ network access
DeskPaper = off ; desktop wallpaper
Dialer = off ; phone dialer
Dtcnetwork = off ; DTC network access
Fax = off ; Fax components
fp_extensions = off ; Front Pager Extensions
fp_vdir_deploy = off ; Visual Interdev RAD remote deployment
freecell = off ; freecell game
hearts = off ; hearts game
hypertrm = on ; hyperterm
IEAccess = on ; installs visible entry points (shortcuts) for IE
IEHardenAdmin = off ; harden IE for administrators, power users
IEHardenUser = off ; harden IE for users
Iis_Common = off ; common set of files needed by internet information services
Iis_Ftp = off ; ftp service
Iis_Htmla = off ; html based administration tools for iis
Iis_Inetmgr = off ; microsoft management console based administration tools for iis
iis_nntp = off ; NNTP server.
iis_nntp_docs = off ; NNTP server docs.
iis_pwmgr = off ; personal web manager, valid only for w2k professional
iis_smtp = off ; SMTP server.
iis_smtp_docs = off ; SMTP server docs.
iis_www = off ; www service
iis_www_vdir_printers = off ; Web printing components
iis_www_vdir_terminalService = off ; Installs terminal Services Active X control into the virtual directory
IisDbg = on ; script debugger
indexsrv_system = off ; indexing services, requires iis_common, iis_inetmgr, iis_www and com = on
inetprint = off ; internet printing, requires iis_common, iis_inetmgr, and iis_www
LicenseServer = off ; Disable Terminal Services licensing.
media_clips = off ; Sample Sounds
Media_Utopia = off ; utopia sound scheme
minesweeper = off ; game
mousepoint = off ; mouse pointers
Mplay = off ; Windows media player
msmq_ADIntegrated = off ; Integrates MSMQ into AD
msmq_Core = off ; MSMQ core components
msmq_HTTPSupport = off ; Enables MSMQ to use HTTP
msmq_LocalStorage = off ; Allows messages to be stored locally
msmq_MQDSService = off ; Provides AD and site recognition
msmq_RoutingSupport = off ; Provides MSMQ routing
msmq_TriggerService = off ; associates message arrival with com objects
msnexplr = off ; Installs MSN Explorer
MsWordPad = on ; Word Pad
NetCis = off ; microsoft com internet services, requires iis_common, iis_inetmgr, iis_www and com = on
NetOc = on ; additional optional networking components, requires [NetOptionalComponents] section
ObjectPkg = off ; object packager
OEAccess = off ; hide Outlook Express icons
Paint = on ; MS Paint
pinball = off ; game
rec = on ; sound recorder
reminst = off ; remote installation services
rootautoupdate = on ; OCM update root certificates
RStorage = off ; remote storage services enable the use of tape libraries as extensions of ntfs volumes
solitaire = off ; Solitaire game
spider = off ; spider game
Templates = on ; document templates
TerminalServer = off ; Installs Terminal Services on SERVERs only
TsClients = off ; if TsEnable = On then tsClient files for creating client disks, appx 10MB
TsWebClient = off ; Installs the ActiveX component for terminal services. requires IIS
vol = on ; volume control
wmaccess = off ; show Windows Messenger shortcuts
wmPOCM = off ; show Windows Media Player shortcuts
Wms = off ; windows media technologies components
Wms_Admin_asp = off ; windows media technologies server administration tools web components
wms_admin_mmc=off ; Windows Media MMC snap in
Wms_Server = off ; windows media technologies server, requires Wms_Admin
zonegames = off ; Installs MS Game Zone internet games
When the default theme is out of favour some like the Classic Theme, however other themes can be created and copied in the task sequence. Make sure that any spaces are wrapped in quotes (speaking from experience here) as this will make the unattend.txt corrupt/unusable.
[Shell]
DefaultStartPanelOff = yes ; No = use XP start panel, Yes= Use classic windows with icons on desktop
DefaultThemesOff = yes ; No means use XP Themes Yes means us Windows Classic themes
CustomDefaultThemeFile="c:\windows\Resources\Themes\Windows Classic.theme"
Although I would never advocate turning of the Windows Firewall if you wish to do this then it can also be added to the unattend.txt
[WindowsFirewall]
Profiles = WindowsFirewall.TurnOffFirewall
[WindowsFirewall.TurnOffFirewall]
Mode = 0
John Riseam
System Center Consultant
Risual Ltd
To create a collection like this we need to setup a collection based on a query, the attributes that we will use will be..
Attribute Class: System Resource
Attribute: System OU Name
The Operator can be set to : is equal to
Values should be available when you click the value button.
If the values are not populated chances are is that the Active Directory System Group Discovery has either not been set or the OU you require has not been specified.
Enable the group discovery and add a Custom LDAP query to the OU/OUs in question, initiate a scan by selecting “Run discovery as soon as possible” in the polling schedule tab, you can monitor the progress of this in the adsysgrp.log
After this complete you should see the SMS table System_System_OU_Name_ARR table in the SCCM database will populate with data in the System_OU_Name0 column of the database.
The OU’s will now populate for the containers or domain you specified in the AD System Group Discovery LDAP queries.
Select the OU from the list, alternatively you can specify using the following query;
select * from SMS_R_System where SMS_R_System.SystemOUName = "<FQDNDomain>/<OUName>"
John Riseam
System Center Consultant
Risual Ltd
To activate Office at installation time can be the preferred method when installing operating system via SCCM in a production environment. You would expect this to be an option in the Office Customisation Tool but after much searching you may find that it doesn’t appear as a listed item.
You need to add the following entry into the Modify Setup properties giving the Property Name AUTO_ACTIVATE and a Value of 1 this will make sure that you copy of office gets registered and negates the requirement of a manual step after installation.
John Riseam
System Center Consultant
Risual Ltd
With R3 being the latest feature pack to be released and the first to be labelled R3 in Microsoft’s history, along with functional improvements it brings its own challenges. You can roll out the hotfix to existing agents via the standard software distribution method, however I like to deploy my SCCM Clients in my task sequences fully patched. Also if you want to distribute the SCCM console into your build it become a bit of an issue as the R3 components require the hotfix to complete the installer.
If you add the hotfix to the SCCM task sequence as a software install or install it via a script it will break the Task Sequence as it stops the Winmgmt service which has to be running.
To add the patch we need to edit the “Setup Windows and ConfigMgr” step in the task sequence and add the following line to the Installation properties field.
PATCH=”C:\_SMSTaskSequence\OSD\<PackageID>\i386\hotfix\KB977384\sccm2007ac-sp2-kb977384-x86-enu.msp”
The package ID must be the ID of the Config Manager Client that is been used in the deployment and not the hotfix package ID, also make sure that the package has been updated to reflect the hotfix folder in <SCCMInstallDir>\Client\i386\hotfix. This is created during the initial R3 update when run on the site server if the option was selected to create the KB977384 – Advanced Client Patch Install.
You can confirm this during a test installation once the SCCM client is installed hit F8 if enabled in WinPE and run C:\Windows\System32\CCM\SMSCFGRC.CPL and check the ConfigMgr Client Version it should be 4.00.6487.2157
John Riseam
System Center Consultant
Risual Ltd
