The Realm of the Verbal Processor

Jarvis's Ramblings

Silent App Install Help Page

Anyone who works in enterprise IT (and with products such as Configuration Manager) needs to know how to install applications silently…without requiring user intervention. Recently I came across a web page that gives really good info on the various installation types (MSI / InstallShield / Wise / etc) and how to make them silent. It goes beyond the basics and gives background on how each of them work. The page hasn’t been updated in a while, but there is still some very good information there. This could be a good one to bookmark.

http://unattended.sourceforge.net/installers.php

May 24, 2012 Posted by | ConfigMgr, ConfigMgr 2012, Packaging | Leave a Comment

Unknown Computer Bug–Final Update

Over the weekend I got a final update on the Unknown Computer “bug” in Configuration Manager 2012 that I wrote about recently. This time the update came from John Vintzel who for those who don’t already know him is a Senior Program Manager on the Configuration Manager product team. Basic gist of the update is that they will evaluate a change in this behavior for a future release.

In my opinion (which based on conversations I’ve had I know is shared by many others), this is a necessary change. There should not be a requirement to delete an object when a system doesn’t even begin the task sequence…or when it fails early in the process. A few options for how this could be changed:

  1. Don’t create the Unknown object at all. (I’m guessing there is a reason behind why it exists though.)
  2. Create the object after the system becomes a manageable object. (probably the same as #1 though)
  3. Have logic built into the task sequence process that automatically removes the “unknown” object from the database if the Task Sequence fails before the system becomes a manageable object.

May 7, 2012 Posted by | ConfigMgr 2012 | Leave a Comment

Remote SQL Security Concern

I have had a few discussions over the years about whether a Configuration Manager installation should include SQL “on box” or “remote”. The answer is generally “it depends”. This blog post is not going to dig into all of the reasons why you would choose either local or remote SQL…it is designed to highlight one particular security concern with the remote SQL option. Let’s think through several of the underlying components that are necessary for remote SQL to take place along with a few very common scenarios when this is the case.

  1. Generally a company will choose remote SQL because they want to have a beefy SQL box that is managed by their DBA team. This SQL box will commonly house several SQL databases…not just the Configuration Manager DB. Which means that any disruption on that SQL server has an impact on much more than just Configuration Manager.
  2. A requirement for remote SQL with Configuration Manager is that the Configuration Manager server’s computer account must be in the local admin group on the SQL server.
  3. Commonly there will be a number of Configuration Manager administrators that have admin rights on the Configuration Manager server.
  4. Commonly there will be a number of those same Configuration Manager administrators that do NOT have admin rights on the remote SQL server.

THAT is where the problem rears its head. Let’s connect all of the dots…

  1. Joe Admin is an admin on the Configuration Manager server…but is not an admin on the SQL server.
  2. The Configuration Manager server’s computer account is an admin on the SQL server.
  3. Joe Admin has read my article on how to run a command prompt as local system. Uh oh.
  4. Joe Admin uses psexec to run a command prompt (or SQL Management Studio…or regedit…or services.msc…or disk management…or whatever else) as local system on the Configuration Manager server.
  5. Joe Admin then connects that app (running in the “user” context of the Configuration Manager server’s computer account) to the SQL server.
  6. Joe Admin is now able to do anything that the Configuration Manager server’s computer account has rights to do…which is full Administrator rights…ON THE SQL SERVER!!!
  7. That security you thought you had…well it didn’t work so well.

Is there anything to keep Joe Admin from (either accidentally or maliciously):

  • Stopping services?
  • Deleting files?
  • Rebooting the server?
  • Jacking with the registry?
  • Installing (either good or bad) software?
  • Copying data off of the SQL server?
  • etc (I think you get the picture.)

Now…for some people that doesn’t matter. In many smaller installations the same team is managing Configuration Manager and SQL. However…if you are that small…why take on the extra complexity of the remote SQL scenario?

For others it matters big time! I’ve had conversations with customers who cringe at the very idea that some random Configuration Manager admin could possibly gain full rights to the SQL server that other business critical databases are stored on.
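An audit check for the condition described above, added here as an example and not part of the original post: it lists the members of the local Administrators group on a remote SQL host and flags domain computer accounts (names ending in `$`), which is exactly the kind of membership the ConfigMgr server’s machine account needs for remote SQL. It assumes you already hold admin rights on the SQL host, that the WinNT ADSI provider is reachable over RPC/SMB, and the hostname `SQL01` is a placeholder.

```powershell
# Added audit script (not from the original post). Enumerates local
# Administrators on a remote SQL host and flags computer accounts, because
# anyone who can run code as SYSTEM on such a computer inherits its rights here.
param(
    [string]$SqlHost = 'SQL01'   # placeholder: name of the remote SQL server
)

function Get-LocalAdminMembers {
    param([string]$ComputerName)
    # WinNT provider works against the local SAM of the remote host without WinRM.
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $cls  = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        # ADsPath looks like WinNT://DOMAIN/CM01$ ; reduce it to DOMAIN\CM01$
        $name = ($path -replace '^WinNT://', '') -replace '/', '\'
        [pscustomobject]@{
            Member            = $name
            Class             = $cls                 # User, Group or Computer
            IsComputerAccount = $name.EndsWith('$')  # machine accounts end in '$'
        }
    }
}

$members = Get-LocalAdminMembers -ComputerName $SqlHost
$members | Format-Table -AutoSize

# Report every computer account with local admin: each one is an indirect
# admin path for whoever is local admin on that computer.
$machineAccounts = @($members | Where-Object { $_.IsComputerAccount })
if ($machineAccounts.Count -gt 0) {
    Write-Warning ("{0} computer account(s) hold local admin on {1}:" -f $machineAccounts.Count, $SqlHost)
    $machineAccounts | ForEach-Object { Write-Warning "  $($_.Member)" }
}
```

Nested domain groups are reported by group name only; expand them separately if a computer account could be a member that way.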

April 27, 2012 Posted by | ConfigMgr, ConfigMgr 2012, Security, SQL | 4 Comments

Unknown Computer Bug–Update

Just a quick update on the potential bug that I reported a couple of weeks ago. I’ve had a few back and forth exchanges via Connect about this issue, and it is being called “by design”. They asked me how I would like for this to work and at what point I would like for the machine to become “known”. Here is my response:

Thinking through the whole scenario…it would be best if the computer is seen as "known" AFTER it becomes a manageable system (i.e. after the Configuration Manager client is installed). Until that time, it is not a system that can be managed…it doesn’t even have an operating system until just before the client install step in the task sequence.

At minimum, I would not expect the computer to be "known" until after the task sequence successfully started. In the scenario I provided (task sequence erroring out at dependency check…which is VERY common), the task sequence has not begun…it is failing during the dependency check. The computer object that is created (named "Unknown") is not a manageable object. It is however an object that will block the computer from being able to run a task sequence that would allow it to become manageable unless action is taken to remove it from the console.

The final response back from Microsoft via Connect was that this would be submitted to the Product Group as a Design Change Request.

This will be a very welcome change if it is implemented. Until then, be aware of the issue and what you need to do to fix this issue when you run into it in your environment.

April 17, 2012 Posted by | ConfigMgr 2012 | Leave a Comment

Unknown Computer Bug in Configuration Manager 2012

I just posted an update to this issue. It has been submitted as a Design Change Request to the System Center Product Group.

Today I ran into what I believe to be a bug in the RTM of Configuration Manager 2012. (I have replicated the issue below multiple times in both the RC and RTM.) I’m submitting it on Connect and will update this post if I hear anything back from the product team. BTW…I have mixed feelings writing this post. On one hand it’s exciting to find a bug in a released product (Geek Nirvana). On the other hand, Configuration Manager 2012 is a very solid product that I’m very excited about…I don’t want to make it look bad. Anyway…

I was testing an OSD proof of concept at a client this morning. This is a Configuration Manager 2012 POC and we were deploying Windows 7 32bit over PXE to an HP desktop. I had the following in place:

  • OSD has been working fine.
  • PXE booting is working without problems.
  • I have previously deployed the Win7 image to a different hardware model without issues.
  • The Task Sequence is deployed to a Collection that has “All Unknown Computers” as members via an “Include Rule”

In this instance we needed to deploy to a new model. I imported the drivers into Configuration Manager and added a new “Apply Driver Package” step into the Task Sequence. I forgot to add the new driver package to a Distribution Point…so when I kicked off the new bare metal deployment to this unknown computer, it naturally failed at the “resolving selected task sequence dependencies” check. I quickly realized what I had overlooked and added the driver package to the DP (and ensured it was source version 2…I was surprised to see that this is STILL an issue.). When I attempted to PXE boot the computer again (the unknown computer that had JUST run the task sequence as an unknown) it failed with the “abortpxe.com” error message that typically means that there is no Task Sequence deployment applicable to this computer.

[Screenshot: abortpxe.com error]

After doing some troubleshooting, I found the following issue…

When the task sequence starts for an unknown computer, it creates a new computer object named “Unknown” in the “All Systems” collection.

[Screenshot: All Systems membership]

This computer object has the MAC address and BIOS ID of the previously unknown computer…except that it is now a Known computer…not an Unknown computer…although the System Resource “Unknown Computer” property is set to “1”.

[Screenshots: “Unknown” computer object properties]

So…my deployment to “All Unknown” computers now fails. This is easy to resolve…simply delete the computer object named “Unknown” and restart the PXE process. But…at best this is an unexpected and undesirable result.

I was able to easily replicate this issue. Here are the steps to replicate the issue:

  1. Add a package to your Task Sequence that has not been distributed to a Distribution Point
  2. Deploy the Task sequence to a collection that includes “All Unknown Computers”
  3. PXE boot a computer that is unknown to Configuration Manager.
  4. Start the task sequence
  5. The Task Sequence fails at the “resolving selected task sequence dependencies” check because of the package in step #1
  6. Find the package that isn’t on a DP and distribute content to the DP (or simply remove it from the Task Sequence).
  7. Attempt to PXE boot the client again and you will get the “abortpxe.com” message. “TFTP Download: smsboot\x64\abortpxe.com. PXE Boot aborted. Booting to next device…”
  8. In “All Systems” is a computer object named “Unknown” that has the MAC address of the system that was previously unknown. Because it is in the database, it is now a “known” computer…so deployments to “Unknown Computers” won’t pick up this computer any more.

Options to resolve:

  1. Delete the computer object(s) named “Unknown” from All Systems
  2. Add a query rule to the Collection that grabs new computers where the System Resource “Unknown Computer” property = “1”

Note for Option 2: if the TS continues to fail, it will create a second/third/etc object with different resource IDs.
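A script for the two resolution options above, added here as an example and not part of the original post: it queries the SMS Provider for resource records named “Unknown” whose Unknown Computer property is 1 (the same WQL condition a query rule for Option 2 would use), lists them with the MAC addresses they hold, and deletes them only when `-Remove` is given, honouring `-WhatIf`. It assumes the SMS_R_System class exposes that console property as `Unknown` (my assumption from the SDK class, not stated on the page), and `CM01` / `ABC` are placeholders for the provider host and site code.

```powershell
# Added cleanup script (not from the original post). Finds stale "Unknown"
# resource records left behind by a failed task sequence and optionally
# removes them so the machine is treated as unknown again.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SiteServer = 'CM01',   # placeholder: host running the SMS Provider
    [string]$SiteCode   = 'ABC',    # placeholder: three-letter site code
    [switch]$Remove                 # without this the script only reports
)

$ns = "root\SMS\site_$SiteCode"

function Get-StaleUnknownRecords {
    param([string]$ComputerName, [string]$Namespace)
    # Assumption: the console's "Unknown Computer" property is the WMI
    # property 'Unknown' on SMS_R_System. Same WHERE clause as a query rule.
    Get-WmiObject -ComputerName $ComputerName -Namespace $Namespace -Class SMS_R_System `
        -Filter "Name = 'Unknown' AND Unknown = 1" |
        ForEach-Object {
            [pscustomobject]@{
                ResourceId   = $_.ResourceId
                Name         = $_.Name
                MacAddresses = ($_.MACAddresses -join ', ')
                Unknown      = $_.Unknown
            }
        }
}

$records = @(Get-StaleUnknownRecords -ComputerName $SiteServer -Namespace $ns)
if ($records.Count -eq 0) { Write-Host "No 'Unknown' resource records found."; return }
$records | Format-Table -AutoSize

if ($Remove) {
    foreach ($r in $records) {
        $target = "ResourceId $($r.ResourceId) [$($r.MacAddresses)]"
        if ($PSCmdlet.ShouldProcess($target, 'Delete resource record')) {
            # Re-fetch the live WMI object and delete it through the provider.
            Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Class SMS_R_System `
                -Filter "ResourceId = $($r.ResourceId)" | Remove-WmiObject
        }
    }
}
```

Run it once without `-Remove` to see what would go; with repeated failures you will see several records with different resource IDs, as the note above describes.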

April 6, 2012 Posted by | ConfigMgr 2012 | 3 Comments

Windows 7 Customizations

Over the last few years as a consultant I’ve had numerous engagements where clients wanted to customize the look/feel/settings in Windows 7. Different clients had different requirements around which customizations, whether it was permanent or a preference, etc. Below is a list of several customizations that I have helped clients perform. Many of these are found at various locations in forums, blog posts and Microsoft documentation. My goal is to gather these into one location so that it is easier for some of the more common (and for that matter some of the more obscure) customizations to be found. These are in no particular order. I will update this list from time to time. If you have any favorite customizations that you’d like to pass on, email me on my contact form and I’ll add them in. This post is REALLY long, so click the “Read More” link if you want to see the customizations.


April 1, 2012 Posted by | ConfigMgr, ConfigMgr 2012, MDT 2010, Windows 7 | 1 Comment

Visio Stencil for Configuration Manager 2012

Over the years I have used the Visio stencil for Configuration Manager 2007 that is on myITforum.com (Thanks Rod!). It’s been great for creating diagrams of a Configuration Manager hierarchy for various clients. With Configuration Manager 2012 on the horizon, I’ve already done a design for a reasonably large client, and I’m prepping my session for MMS which is about hierarchy simplification…having a Visio Stencil for CM2012 would be really handy. I’ve looked multiple times…have not been able to locate a Visio stencil for 2012 anywhere. Had searched every search term I could think of…had called Brian Mason (Configuration Manager MVP) and he didn’t know where to find one. Basically I had completely struck out.

Last night I was emailing Stefan Schorling (another Configuration Manager MVP) about something unrelated and at the last second thought to ask if he knew where I could get one. SCORE!!! This morning Stefan had emailed back with a link to Jean-Sébastien DUCHÊNE’s blog (yet another Configuration Manager MVP) where he has posted a Visio stencil for Configuration Manager 2012! A huge thanks to Stefan for sending the link and to Jean-Sébastien for creating and posting the stencil!

The reason it never turned up in my searches was I kept searching on “visio stencil” (with the quotes). Because Jean-Sébastien’s site is in French, those words are reversed…a search for “stencil visio” would have found the link.

March 2, 2012 Posted by | ConfigMgr 2012, MMS 2012 | Leave a Comment

Speaking at MMS 2012

I just got the alert that one of my session proposals for MMS 2012 was approved! My session will be titled “Case Study: Hierarchy Simplification With ConfigMgr 2012”.

Session Abstract:

One company, 15000 systems, 70 locations…and 23 Primary Sites in ConfigMgr 2007. This may be the poster child for hierarchy simplification with ConfigMgr 2012. Working with ConfigMgr 2012 RC1, we were able to plan the architecture redesign to simplify this down to a single primary site while expanding the ability to safely delegate management across multiple business units. This case study digs into the decision process that took place through the architecture and management redesign process.

I’m super excited! See you in Vegas!

January 18, 2012 Posted by | ConfigMgr 2012, MMS | 5 Comments

System Center Roadmap 2011

This was one of the slides from the second keynote at MMS last week. This is a slide they show every year to highlight what is coming in the System Center arena over the coming year. What is really exciting about this one is that a new version is coming for everything in the System Center family this calendar year. This is a lot of very exciting changes coming. This does come with a caution though…there’s a lot of work to be done ahead of time to be prepared for the launches!


March 29, 2011 Posted by | ConfigMgr, ConfigMgr 2012, Microsoft, MMS 2011 | Leave a Comment

Anti Malware–the landscape just changed

HUGE announcement at MMS just now. Forefront Endpoint Protection 2010 is now part of the Microsoft Core CAL. This means that all the customers who have a Core CAL already…which many who own ConfigMgr have it licensed via the Core CAL…ALREADY have the licensing in place for FEP…they already own it. If you have a Core CAL…it eliminates the need to purchase a separate AV license. You can just use FEP…which is managed via the ConfigMgr console…which eliminates a separate management infrastructure for malware…you simply manage it all via ConfigMgr.

This will likely have a big impact on AV vendors. I can hear clients asking the question now…”I already have FEP licensed via the Core CAL…and I can manage it with ConfigMgr which I already have deployed. Why should I renew my AV licensing with ______________?”

This is huge. It should be very interesting to see the full impact of this announcement over the next year or so.

March 23, 2011 Posted by | ConfigMgr, ConfigMgr 2012, MMS 2011 | Leave a Comment

ConfigMgr 2012 Beta 2–OSD Findings

I was poking around in one of the ConfigMgr 2012 Hands on Labs at MMS today to see what is new/different. I came across some pretty interesting things when looking at task sequences.

[Thanks to Torsten for pointing out an oversight on my part…that one of the “new things” I mentioned is already in ConfigMgr 2007. I’ve done plenty of OSD…I’ve never noticed the “Apply Data Image” task sequence step. Heck…I even pointed it out to two other people yesterday and they had never noticed it either.]

First, there is a new option for “Apply Data Image”. Not apply an OS Image…take a WIM file that does not include an OS…and apply that to a disk/partition. Definitely some cool options with that.

Second, I was looking at the “Options” tab on a task sequence item and found some new (and VERY cool) options there. The new options with their key components that were available as criteria on the Options tab are:

  • File Properties
    • Path
    • Version
    • timestamp
  • Folder Properties
    • Path
    • timestamp
  • Registry Setting
    • Exists
    • Not exists
    • Equals
    • Not equals
    • Greater than
    • Greater than or equals
    • Less than
    • Less than or equals
  • Installed software
    • Choose filename which fills out
      • Name
      • Version
      • Product code
      • Upgrade code
    • Options for
      • Match specific product (Product code and upgrade code)
      • Match any version of this product (Upgrade code only)

Over time I have written vbscripts to pull file properties, registry settings and installed software to then set a TS variable…which I could then use later as criteria in a “TS variable equals xyz” condition on a task. It is very cool that this will be part of the core functionality in ConfigMgr 2012.

March 23, 2011 Posted by | ConfigMgr 2012, MMS 2011 | 1 Comment
