Tuesday, July 16, 2013

SCCM 2012: Maintenance Windows and Business Hours

We all know by now that System Center 2012 Configuration Manager is a client-centric product.  Meaning that, while it gives us admins some power over the system to perform certain tasks, the user is ultimately in control of their device.  One way this is acheived is by the inclusion of "Business Hours" on the client.

I'm not going to go into too much detail on how Business Hours works along with Maintenance Windows, instead please see this wonderful blog post from the MS Server and Cloud Platform Team:

http://blogs.technet.com/b/server-cloud/archive/2012/03/28/business-hours-vs-maintenance-windows-with-system-center-2012-configuration-manager.aspx

Basically, regardless of the Maintenance Window the power is truely in the hands of the end-user for mandatory deployments.  Lets say, for example, that you have an OOB patch that must be pushed out immediately ... soo immediate that you bypass your maintenance windows in order to do it.  If the time is within the Business Hours of the machine (by default its 5AM - 10PM) then the user gets to decide if the installation happens immediately, or if it posponed.

Depending on your patch deployment framework, this can have some serious rammifications if your maintanence windows don't jive properly with Business Hours.  Whats worse is that since Business Hours is a client-side ONLY setting, you can't set this via the ConfigMgr console.


- BUT -

You CAN set this via VBScript or via PowerShell.  Rather than rinse/repeat, here are links to two blogs that outline how to do this:

VBScript (Piped through Google Translate)
http://translate.google.ca/translate?sl=auto&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fwww.mssccmfaq.de%2F2012%2F03%2F26%2Fsoftware-center-business-hours-auslesen-setzen%2F&act=url

PowerShell:
http://powersheller.wordpress.com/2012/11/20/sccm-2012-setting-software-center-business-hours-with-a-compliance-configuration-item/

Given the nature of this I would suggest applying this script at logon to ensure that all systems get updated with an appropriate time.  It should also be added to your Task Sequence so that reimaged systems start with the adjusted Business Hours.

Have Fun!

Friday, July 12, 2013

How to Configure TimeZones dynamically during Imaging (Take Two!)

A few years ago I had posted what I "THOUGHT" was a method to resolve the TimeZone issue that many of us struggle with but it turned out that not only was I completly wrong, but I was actually barking up the wrong tree!

TimeZone configuration can be a major headache when your enterprise spans multiple timezones, or multiple countries, if you are trying to keep your imaging strategy basic and easy to maintain.  I'm not a huge fan of splitting imaging into numerous collections with each collection given their own Task Sequence Variable to identify TimeZone since that just takes too much work, and I'm lazy!  Up until now I have been just dealing with imaging in one TimeZone then manually adjusting based on the region, totally not efficient!

I came across this excellent blog post which explains it quite well:

http://blogs.technet.com/b/eugenev/archive/2012/12/28/task-sequence-time-zone-fun.aspx

Basically, rather than rely on a TS Variable, instead use a VB Script at the end of your Task Sequence that will automatically adjust the timezone based on the DHCP server it is connecting too.  As the blog states, the account used to run this script needs to have read rights to the registry on the DHCP server, but it works qutie beautifully.

Check it out!

Friday, June 28, 2013

Fix: Unable to update User GPO via gpupdate

Group Policy issues are always a pain in the but, I've found.  This one was particularly annoying because of the impact that it had on the user.  The user was unable to access his personal drive on our server (G:\ Drive) as it would not map it during login.  Also, what he didn't mention, the system takes up to 5 minutes to log in.

At first I was strictly working on the drive map issue ... out of 3 network drives that he should get he was only getting one.  Manually running the login script seemed to clear that up temporarily but not permanently.  I then decided to do a GPO update (gpupdate /force /wait:-1) but it threw up an error.  In the System Event Log, I saw this:

The processing of Group Policy failed. Windows attempted to read the file \\domain.local\sysvol\domain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F\}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:

a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

Since this was the only system on the network having this particular problem, I wasn't convinced that the issue was limited that computer and ... since it was late in the day ... was just going to reimage the box and be done with it.  I decided to check the Details tab for this particular event and noticed something rather peculular:

+ System

- Provider
[ Name] Microsoft-Windows-GroupPolicy
[ Guid] {AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}
EventID 1058
Version 0
Level 2
Task 0
Opcode 1
Keywords 0x8000000000000000
- TimeCreated
[ SystemTime] 2013-06-27T23:33:35.377468900Z
EventRecordID 65946
- Correlation
[ ActivityID] {E6ACB131-AEEC-45A4-98D7-118272AA0081}
- Execution
[ ProcessID] 428
[ ThreadID] 3744
Channel System
Computer VAND105.mh.local
- Security
[ UserID] S-1-5-21-2823908405-3494369649-3172151183-3327

- EventData

SupportInfo1 4
SupportInfo2 816
ProcessingMode 1
ProcessingTimeInMilliseconds 16864
ErrorCode 1317
ErrorDescription The specified account does not exist.
DCName ServerName.domain.local
GPOCNName CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=local
FilePath \\domain.local\sysvol\domain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini

Since I knew what stage the GPO was failing at (applying User Settings) and I knew what was able to complete successfully (applying Computer Settings) I think I figured it out ... and it was a nice easy fix:

Re-create the User Profile on the local machine!

To test I logged the other user out and logged in as myself and noticed that there were no GPO issues under that account.  Then I did the following:

  1. Restarted the PC and logged in as local administrator (you can use any account with admin rights as long as its not the affected account)
  2. Go to C:\Users\ and back up the users content.
  3. Right-Click Computer and select Properties
  4. Click Advanced System Settings
  5. On the Advanced Tab, click Settings under the User Profiles heading
  6. Click the Profile you wish to delete, then click delete
I should point out that at this step I received an error regarding the deletion of the Profile.  I had to hit Delete a 2nd time to remove it from the list, but it didn't actually delete anything ... solidifying the determination that the local user profile is at fault.  I continued on and did the following:

Deleted the profile store manaully (C:\Users\
Launched Regedit
Went to HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList

**Take care when editing the registry as you can cause major system damage if edited incorrectly, resulting in a reinstalltion of Windows.  Only proceed with working in the registry if you are comfortable

Within this key I deleted any sub-keys related to the damaged user profile.  You can discover this by clicking on each sub-key and looking at ProfileImagePath to see if it matches the username.  Also, delete any keys that reference TEMP.  After that, restarted the computer and allowed the user to log in locally ... GPO issue resolved!

Friday, April 19, 2013

Fix: Unable to make a bootable USB stick via the USB/DVD Tool or Manually

NCIX had a great sale on a while ago for some inexpensive 32GB USB 3.0 flash drives so I just had to pick up 3.  After all, I try to travel around with a full set of device drivers, various software tools for troubleshooting, and a bootable WinRE stick just in case.  Imagine my surprise when I went to create a bootable USB stick with Server 2012 when I came across this error:

"We are unable to copy your files.  Please check your USB device and the selected ISO file and try again"

I thought that I had a bad USB stick, so I moved on to the next one ... same thing ... the THIRD one ... same thing!

I left it on the side-burner for a while but today really needed to do some manual server installs.  Came across this excellent post by Devin which outlines the fix (THANKS DEVIN!)

http://www.devinonearth.com/2012/08/cant-make-a-bootable-usb-stick-for-windows-8-join-the-club/

If you don't feel like clicking through to Devin's site (its excellent btw), here are the nitty gritty steps you need to do:

  1. Connect the affected USB stick
  2. Open either CMD or PowerShell (I really need to work more in PS)
  3. Run Diskpart
  4. Type List Disk to bring up the list of current disks on your system
  5. Type Select Disk x where x = the disk number for your USB stick
  6. Type Clean to clear the configuration of that USB stick (Caution, make sure you don't have any files on there that you need as this will erase everything)
  7. Type Create Partition Primary to create a new partition
  8. Type List Disk to verify that the new partition is made.  If you see an offset of 1024KB then the fix worked
  9. Type Exit to close diskpart, then disconnect the USB stick from the system
  10. Plug it back in, it will ask if you wish to format the USB stick, say Yes or Format
You should now be able to make a bootable USB stick!

From what I can tell, this has something to do with how the USB stick was partitioned at the factory.  Maybe it was created without Windows in mind ?

Enjoy!
Terry

Friday, March 15, 2013

Fix: Scrolling in the Application Catalog

For the longest time I've been trying to figure out why, on some of my workstations, users have to scroll horizontally in order to see the Install button when they select a program.  Even when they fullscreen the browser, same issue.

At first I though it was a problem with page scaling; when someone zooms in on their browser.  In actuality I wasn't that far off!

The solution?

DPI Settings!!!

If your DPI settings are anything other than 100% then the Application Catalog will have scrollbars all around.  To change this, do the following:

Windows 7/Windows 8

  1. Right-click anywhere on the Desktop and select Screen Resolution
  2. Click Make text and other items larger or smaller
  3. Click the 100% radio button, then click Apply

You will need to log out/log in for the DPI setting change to take affect.  But, after that .. NO MORE SCROLL BARS!!  Some laptop screens will actually use 125% DPI as the default setting.

How I came across this solution has to do with an in-house application that was developed some time ago (and retired now, thank goodness).  If your DPI was set anything over 100%, you would only see part of the input screen.

Enjoy!

Tuesday, February 26, 2013

Fix: You need permission to perform this action ...

So this is frustrating.  In an earlier post I detailed how to repair WDS/PXE when it is no longer talking properly to SCCM.  Today I had to apply that fix on another of my Secondary Site Servers however I then ended up with a new problem.

I couldn't delete the RemoteInstall folder

Interestingly enough, It was asking me for permission to delete the folder.  I thought, no worries, I'll just take ownership of the folder and sub-folders then try again.  No dice, though this time it was rather amusing since it was now saying that it needed permission from me to delete the folder!

It turns out I was on the right track for resolving this, but just didn't go far enough.

So, if you get "You need permission to perform this action ..." when trying to delete a folder tree, you can try the following:

1) Open an Elevated Command Prompt (Right-click Command -> Run As Administrator)
2) Run: takeown /f path/foldername  /R /D Y
3) Run: icacls path/foldername  /grant accountName:F /t

After running these commands against the RemoteInstall I was able to delete it and continue on to rebuilding WDS/PXE for my Distribution Point.

Enjoy!

Monday, February 11, 2013

Opinion - Are Tablets truly ready for the Enterprise ?

#Mobility #windows8 #tablets

So I've decided to take a break from my usual Technical Blog to air some of my opinions on tablet computing in the Enterprise.  I'll start with a bit of a disclaimer:

This post is my opinion about the future of tablet computing in the Enterprise, and is only an opinion.  Everything posted here is completely open for discussion and I may be COMPLETLY wrong on some of this.  All told, I welcome your comments and discussion on this exciting topic.

Tablets have been around for a very long time, longer than a lot of people realize.  Back in November of 2001, Bill Gates introduced Comdex to the concept of tablet computing (Link) but unfortunately the available technology at that time was just not 'there' yet so it got off to a rocky start at best.  Then Apple came along and introduced the iPad and the tablet/slate device was popularized.  Since the iPad's launch in April of 2010, tablets have exploded to the point where they are starting to outpace laptop and desktop sales ... but is this just another fad like the netbook?

Since the iPad launched a number of competing devices using various OS's have worked their way into the market with varying success.  Microsoft's partners tried to counter the iPad with tablets based on Windows 7 but that OS was just not ready to be used in a full-touch environment, even though it had touch functionality built in.  Android has been ported to run on tablet hardware, with Google even releasing versions of Android designed to run on tablets.  Blackberry launched its ill-fated PlayBook, HP tried and failed with WebOS.  Now that Windows 8 is out, which is a Windows OS designed from the ground up to run on tablets ... what now?

Lets be clear, most of the tablet offerings that have been made available to date are NOT enterprise devices.  Sure, you can invest in apps to bring some enterprise functionality to the tablet, but they are mostly of the "Remote Desktop" variety so really shouldn't count.  How many tablets have BUILT-IN enterprise functionality?  What actually constitutes enterprise functionality?  Is this even a fair question to ask?

Personally, I think that Microsoft and their hardware partners have an opportunity here to really win over the enterprise market by providing basically a replacement for a laptop.  Think about it for a sec, what can a tablet on Windows 8 Enterprise bring you?

  1. Connectivity into your corporate network via DirectAccess
  2. Device-level security by the use of BitLocker
  3. Device Management and Application Deployment via System Center Configuration Manager 2012 SP1
  4. Ability to use your standard application catalog as well as any Line-Of-Business apps that you already have in place, without having to invest in new specialized applications designed specifically for tablets
  5. Provide users the flexibility of having a tablet AND a laptop in one small package, great for road warriors and users who may do some form of field review
There are many more reasons, but I don't want this post to be TOO long in case you get tired of reading.

So what does Microsoft and their hardware partners need to do?

RELEASE COMPELLING HARDWARE!

I'm typing this blog entry from my Dell Latitude 10, which is connected to a docking station and to a 24" monitor.  Forgive me for being blunt, but this tablet sucks in many ways.  Its using an Atom-based CPU which is incredibly slow.  The video card is not capable of displaying the native resolution of my monitor (1900x1200) even though it uses the HDMI 1.3a spec which allows for much higher resolutions.  Microsoft Office is incredibly slow, it hangs on most operations.  I don't use this tablet for any heavy tasks, just word processing, email, internet, and connecting to remote desktops.  It isn't all bad though, I've had to do some remote troubleshooting while away from the office, using my Mobile Hotspot on my Blackberry and DirectAccess to get into the network ... that functionality alone is making me not want to give up on tablets.

Now, this isn't strictly a Microsoft problem.  Indeed, Microsoft did something quite smart by essentially releasing reference hardware in the form of the Microsoft Surface and the Surface Pro.  Their hardware partners need to see those devices for what they are, the lowest common denominator from a performance and functionality standpoint.  Atom-based Win 8 tablets are, as far as I'm concerned, dead in the water.  I wish Dell would have released a tablet in their latitude line-up based on the i5 CPU like they did with the XPS 12 (though that is a convertible tablet, not a slate device).

At BEST, tablets are a niche device that will never really take over the desktop and laptop market.  Without a doubt, it will slow the market down since people will spend more and more time on tablets for their day to day needs, but will fall back to their desktop or laptop PCs when they need to do anything heavy.

Am I off base here?  Is there something I'm missing?

For the record, I have a desktop, 2 laptops and 3 tablet computers at my disposal that I use on almost a daily basis.  The Desktop, Laptops and one of the tablets run Windows 8, then I have a Windows RT tablet and a Blackberry PlayBook.  I have colleagues who have iPads who don't really use them that often for work use, with the exception of using iTap to remote into servers when needed.  I'm not new to tablets, I've pushed many initiatives with my employer to try to increase the adoption of tablets within the company, but even they are starting to push back to say that its just not a viable platform.

What do you think ?  How are YOU adopting tablets for the Enterprise ?

Thursday, January 31, 2013

SCCM 2012: Not able to boot clients from PXE

Talk about Murphy's Law ...

One of my Secondary Site servers stopped processing PXE requests.  In fact, I actually have 2 Secondary Site servers doing this, but haven't had much time to troubleshoot the other one.

I noticed the following things were happening:

  1. In \Program Files\SMS_CCM\Logs ... the SMSPXE.log file does not exist
  2. The Windows Deployment Service will not start.  When checking the Event logs there are two errors that pop up:
    1.  An error occurred while trying to initialize provider WDSDDPS from C:\Windows\system32\wdsddps.dll. Windows Deployment Services server will be shutdown. Error Information: 0x906
    1.  An error occurred while trying to start the Windows Deployment Services server.  Error Information: 0x906
So searching for that error code: 0x906 returned some excellent articles for troubleshooting WDS on its on, however nothing specific for SCCM.  Typically they would get you to run the following two commands:

wdsutil /uninitialize-server
wdsutil /initialize-server /reminst:

This doesn't jive very well for SCCM though since it prefers to configure WDS on its own.  Here is how I fixed it:

1) ConfigMgr Console: Administration -> Site Configuration -> Servers and Site System Roles.  Select your site server, then right-click Distribution Point and select Properties
2) Go to the PXE tab and uncheck to disable, do the same for Multicast if you have it enabled.  When asked if you want SCCM to remove WDS, say No.
3) On the Secondary Server, uninstall the Windows Deployment Services Role then restart.
4) If exists, manually delete the RemoteInstall folder which is on your largest partition by default
5) Reinstall the Windows Deployment Services role and restart
6) Go back into the ConfigMgr Console and re-check the PXE box in the Distribution Point Properties and configure your PXE settings
7) Watch the distmgr.log to monitor the progress of the PXE installation and setup

SCCM will re-create the RemoteInstall folder and populate it with your boot images.  This can take a while depending on  the configuration of your Secondary Site server so be patient.  Once it is done go ahead and give it a shot!

Terry


 

Wednesday, January 30, 2013

Happy Launch Day Blackberry!

#BB10, #Blackberry.

A break from my usual missives about SQL and SCCM.  RIM has announced that they have not only released their new flagship phone, the Z10, but they also decided to re-name the company!

Us Canadians will be able to get the new Blackberry Z10 starting Feb 5th, with the US starting sometime in March.  I've long been a fan of the Blackberry platform so I'm pretty optimistic about it!


Good Luck Blackberry!  I really can't wait to get my hands on one ! :D

Monday, January 28, 2013

Report Building Part 5: Parameters

So we have this lovely SQL Query, but how do we tell it where to look?

The answer ?

Simple, we give it Parameters!

There are built-in Parameters that come with Report Builder but unfortunately they aren't styled specifically for SCCM (mostly of the time/date variety), so we would have to create our own.  The type of Parameters I'm going to focus on is a Dataset Parameter since that allows us the kind of granular control that we are looking for.  The Dataset Parameter has two parts:

The Dataset

This is basically a SQL query to identify a specific section of your database that relates to what you want to find.  In this example, I'm trying to limit my query to only run against specific collections, and I want that option to be available as a dropdown so I can easily choose collections at will.  In the last post I'll take you through the complete creation process in Report Builder, but for the time being this is the query that I'm going to use:

SELECT Name, CollectionID
FROM v_Collection
ORDER BY Name

This query will basically report back all the Collections you have in your environment and order them by name.  So now that we have the dataset figured out, now we need to create:

The Parameter

A Parameter is usually identified with an @ symbol at the beginning of the name.  Within the Parameter would specify which dataset you are using in the Parameter as well as the value and label fields.  This is important as this is how the dropdown is populated.  Looking back at the dataset query above,  you can gleen this info out of it:

Dataset: Dataset1 (this is the name assigned automatically by Report Builder, you can change this if you wish)
Value field: CollectionID
Label field: Name

This will give you a list of collections that are sorted by the collection name.  In the background its linking the name to the CollectionID so you don't have to try to do this by Collection ID specifically.

Once the Parameter is built, you have to add it to your primary SQL Query so the two essentially talk to each other.  This is done using a WHERE statement, like this:

SELECT Manufacturer0, Model0, COUNT(model0) AS 'Count'
FROM v_GS_COMPUTER_SYSTEM
INNER JOIN v_FullCollectionMembership ON v_GS_COMPUTER_SYSTEM.ResourceID = v_FullCollectionMembership.ResourceID
INNER JOIN v_Collection ON v_FullCollectionMembership.CollectionID = v_Collection.CollectionID
WHERE v_Collection.CollectionID = @CollectionID
GROUP BY Manufacturer0, Model0
ORDER BY Model0

Note that in this, I've named the Parameter CollectionID.  Because it is a parameter, you will need to enter it as @CollectionID.

So how does this all fit into Report Builder?  So far we've talked about some general/basic SQL Query building concepts but haven't really touched Report Builder yet.  In the next segment we will go through the Report Building process from end-to-end using the queries that we've built.

Everyone is different when it comes to building SQL Queries, as to how they wish to go about it.  Personally, I've gotten the hang of manually typing out a Query in Notepad first, then slowly cleaning it up with the actual report building as a final step.  If you wanted to check your progress along the way you can use Report Builder or SQL Server Management Studio to test your SQL Query to ensure that you are using the correct syntax.

Once this series is complete I do plan on revisiting a lot of this as I'm still developing my skills as a blogger .. there is a lot that I have to clean up.

Monday, January 21, 2013

System Center 2012 - SP1 RELEASED!!!

Looks like Microsoft dropped SP1 for the System Center 2012 Suite!!

Pierre Roman over at the IT Pro Connection blog posted about it today, outlining the features of the entire System Center 2012 SP1 Suite as well as some info on licensing.  You can check it out here:

http://blogs.technet.com/b/canitpro/archive/2013/01/21/system-center-2012-sp1-overview.aspx

Happy Updating!

Sunday, January 20, 2013

Installing Windows 8 Enterprise on a Dell Latitude 10 via USB

While SCCM 2012 SP1 is on the horizon, this still may be useful information for anyone who has a Dell shop like mine.

The Dell Latitude 10 Tablet ships with Windows 8 or Windows 8 Pro.  In order to get advanced networking features like DirectAccess, you need to run Windows 8 Enterprise.  Since the Latitude 10 has a UEFI BIOS, the process is slightly different if you wanted to install Windows 8 Enterprise via USB stick.  Here is what you need to do; you will need a USB stick that is at least 4GB in size with nothing on it:

  1. Download and install the Windows 7 USB/DVD Download Tool
  2. Download your Windows 8 Enterprise 32-bit ISO from Microsoft
    1. The Latitude 10 runs a 32-bit Atom CPU, it is not 64-bit capable
  3. Do these steps to create the bootable USB Stick
    1. First, choose your ISO file, then click Next
    2. Select USB Device
    3. From the dropdown, choose your USB device and select Begin Copying
    4. Once the Tool has finished building the bootable USB stick, click Finish
    5. LEAVE THE USB STICK CONNECTED TO YOUR PC
  4. Open Windows Explorer and then open the USB stick
  5. Copy the contents of the USB stick to your Desktop
  6. Once the content has been copied, format the USB stick using FAT32
  7. Copy the contents back to the USB stick
You now have a USB Stick that is bootable for systems running a UEFI BIOS.  UEFI is unable to boot from an NTFS-formatted USB stick, only FAT32.  Now on to the Latitude 10:

*Note: You will need the included Dock for this or a USB hub to connect into the USB port.  The Win 8 Enterprise ISO does not contain any drivers for the Dell touch interface so a keyboard and mouse is a MUST.

  1. Connect the USB key, a Keyboard, and a Mouse.
  2. Turn the Latitude 10 on, start tapping F12 as soon as you see the Dell Logo
    1. FYI if you do not have a keyboard, you can bring up the boot menu by pressing and holding Vol + when you see the Dell Logo
  3. Select the USB key as your boot device
  4. Install Win 8 Enterprise
    1. I don't yet fully know the school of thought around the built-in partitioning.  For sake of testing I deleted all of the partitions on the SSD and let Win 8 create a partition, the tablet runs fine.  Do this with caution though if you did not receive media with the Tablet and want to maintain a copy of the original software.
Now you will need to go to the Dell Support Site to download drivers.  I recommend downloading the Driver CAB, which contains all the drivers for this device, along with a copy of 7-zip or your favorite unpacking tool to extract the CAB file info.  Some of the drivers include an installer, others will have to be installed using the Update Driver method via Device Manager.

So there you have it, here is one great way to install Windows 8 Enterprise on your Latitude 10 tablet.  I suspect these instructions would work for other tablets as well with a few modifications but I haven't tested that.  If there are other ways to do this please share them below in the comments!

*UPDATE*
An observation that I've found on my Latitude 10.  I decided to immerse myself in the platform by ditching my laptop and only using the Lat 10 for everything.  While attempting to build another bootable USB key for 2008 R2, I came across a frustrating little quirk regarding the Windows 7 USB/DVD Download Tool.  When you attempt to create a USB key with a device that uses an EFI-based BIOS, bootsect.exe doesn't work which results in having a USB key that is not bootable.

The problem ?

bootsect.exe cannot be used with EFI-based systems.

DOH!