A bit more than a year ago I posted about my wife and I both reaching our weight loss goals. I also stated that the goal was to be within five pounds of our target weight a year later. I never got around to posting the update when a year rolled around, so this is the year + three months update. Julie and I are both hovering right at our target weight…within a pound or two on a given day. Weight lost and maintained for more than a year! I recently had to renew my driver’s license…very cool to see the difference there…the pic below shows a twenty pound difference…but doesn’t show the extra fifteen that I had gained between those two pictures!
Got more really good news this morning. My employer had a health screening at the office. Last year I got a good cholesterol report…down from the 220 range to 179. This morning I was at 132 for my total…with my good cholesterol at 65…VERY good news!
I am off the charts proud of my 13 year old daughter Laurel! The two of us have been running together for the last six months or so. One of our goals was to run the Autumn Woods Classic 5K this October. The AWC route is a pretty tough course with a lot of hills…not a fast/flat course. Not a course that you would ordinarily choose if you are gunning for a personal record (PR). The race was this morning.
Laurel’s goal was to run in the 28 minute range. Her previous official PR was around 29:30, but she had run this route on a training run with me in about 28:30, so she knew it was possible. She crushed her previous PR. Her time was 26:10…which was fourth place in her age category (93rd finisher out of 547 total)! As her Dad and her “coach” I simply could not be more proud of her. I can’t stop smiling. I was expecting in the 28 minute range…and was completely shocked when she came across so much faster. I watched her “kick” at the end of the race…she dug deep to sprint out the end…it was very impressive.
My goal heading into the race was to finish in under an 8:00/mile pace (24:49). I met my goal by finishing in 24:25 (55th overall). As far as I can remember, that is a PR for me as well. VERY cool that we both hit personal records on the same day! This time next year, I’ll probably be fighting to keep up with her!
BTW…a big thanks to Tim Benjamin for coming out this morning and taking pictures of us before, during and after the race! Tim actually ran out on the course to take shots of us with about 3/4 mile left in the race. Then he kept running ahead of Laurel and taking shots of her over the last leg of the race. We got some awesome shots out of that.
The company I work for is in the TAP program for Lync 2013. As a result, a bunch of us have Lync 2013 and Office 2013 installed on our production computers. There are a lot of features I like…here is a very cool one. I opened up a doc that I was working on yesterday…it opens to the first page of the doc like you would expect, then a pop out balloon opens from the bottom right side of the program asking if I’d like to go back to the last page I was working on when I closed the doc. Very nice!
For a while now I have been being annoyed by Java pestering me to update. Each time I went to the app in the system tray and unchecked the “Check for Updates Automatically” box. However, if you immediately went back into the app, the checkbox was still checked. Highly annoying.
I came across a forum post that answers the issue. Basically it is poor programming from Sun. In order for the setting to actually be set, the Java Control Panel has to run with Admin rights. Instead of the app prompting to elevate, it just fails to set the setting. Come on Sun…figure out how to work with a modern operating system. This has been part of the security model since Vista…and you still don’t have it figured out with Windows 8 being deployed? Get with the program!
To fix this, you will need to open the Java Control Panel with admin rights. First, locate javacpl.exe at one of the following locations:
- c:\Program Files\Java\jre<versionnumber>\bin\javacpl.exe
- c:\Program Files (x86)\Java\jre<versionnumber>\bin\javacpl.exe
Right click javacpl.exe and choose “Run as administrator”:
Go to the “Update” tab, and clear the “Check for Updates Automatically” checkbox.
The setting will actually take effect this time!
This one has annoyed me for years…need to get on my soapbox for a minute.
Let’s talk about the difference between Hardware and Software Inventory in Configuration Manager. Hardware inventory collects data from WMI and the registry. Software inventory looks at file properties. Hardware inventory runs relatively quickly and isn’t very resource intensive. Software inventory can be very resource intensive if not configured correctly. At a high level, here is what is covered by the two:
Hardware Inventory:
- Obviously info on system information – Proc, RAM, actual hardware
- Add/Remove Programs information
Software Inventory:
- File information
- Can be configured to actually collect a copy of a file. (be VERY careful!)
I have talked to numerous clients who are looking at Software Inventory to try to gather data about what software is installed…which it does not gather at all. My pet peeve is not with the way that the system is designed…I think it is a very good design. My issue is with the name. Software inventory is NOT an inventory of software. It is an inventory of FILES. A much better name would be to call it what it actually is…File Inventory.
I have seen very few companies with a real need for information on specific files. Most are simply wanting to know what software is installed on which machines…which Hardware Inventory provides. Some valid uses that I have seen include:
- Locating PST files in an effort to get rid of them.
- Locating password dump files. (Company had experienced internal espionage issues.)
The key to the valid uses of Software inventory is that they had absolutely nothing to do with installed software. They were looking for files.
I have run across this issue when installing both the Cisco AnyConnect VPN client and the “regular” Cisco VPN client. Once the client is installed and you attempt to establish the VPN connection you might get one of the following messages: “Unable to establish VPN” or “The VPN client driver encountered an error.”
The fix is really simple…you simply need to change the Display Name in the registry. Open the following registry key and take out the INF garbage at the front of the Display Name. Note that only one of these may exist depending on which VPN client you have installed…for that matter…I can’t remember the exact key for the regular VPN client…but I’m 99% sure that it is one of the second two…if the DisplayName has INF garbage in the value…that is the one.
Had a situation this week where I needed to configure IP address, IP Gateway, DNS, Subnet Mask, and DNS Suffix from the command line. Not hard once you have the commands. Putting it here as a reference for myself and others. Here are the three commands for doing this…be careful of line wrapping.
netsh interface ipv4 set address name="local area connection" source=static address=10.10.0.100 mask=255.255.0.0 gateway=10.10.0.254
netsh interface ipv4 add dnsserver name="local area connection" address=10.10.1.1 index=1
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v "SearchList" /d "domain.com" /f
I came across this while helping a client yesterday. Good post by Steve Rachui with links to TONS of info to get you up to speed on Configuration Manager 2012.
Update: This bug has been fixed with the version of MDT 2012 Update 1 that is currently available for download. Update was released on 9/19/2012.
I came across a bug in MDT 2012 Update 1 today. This has been previously reported to the MDT team. They are able to reproduce it and are working on a solution. Here are the details:
- Configuration Manager 2012 installed.
- Configuration Manager 2012 Cumulative Update 1 applied.
- MDT 2012 Update 1 installed.
- MDT/Configuration Manager integration performed.
- Attempted to create an MDT Task Sequence which failed with the following error:
Microsoft.ConfigurationManagement.ManagementProvider.SmsConnectionException: Failed to validate property
The recommendation from the forums is to roll back to MDT 2012. I have confirmed that this does in fact allow you to create an MDT integrated task sequence.
TechNet Posts on this issue:
For a long time I have been a proponent of backing up your personal data to an online location. I know many people will back up data to external hard drives…but that has always caused me concern because of the possibility of losing both the original and the backup in a fire/theft/natural disaster. Over the years I have gone through a number of different backup options and have switched for various reasons. I am in the process of switching again (the initial upload is currently taking place). For a while I was using Mozy.com because it was simple and reasonably cheap ($6/month). About a year or so ago I switched to CrashPlan from Code42.com…mainly because they were significantly cheaper. Both of these products are very easy to use and easily configurable.
My problem with them…and especially with CrashPlan is that it is a memory hog. Mozy is arguably not terrible…but it was still using approximately 70MB of RAM on my wife’s computer…while it was sitting idle. CrashPlan was a LOT worse…it was using between 250-300MB of RAM while doing absolutely nothing. That is simply unacceptable…which got me re-evaluating options again.
Earlier this year, Microsoft did an update to SkyDrive that allows a couple of new features that make it a viable personal backup solution. The key features are:
- A decent amount of free space (existing SkyDrive users could have 25GB for free…new users get 7GB free)
- The ability to purchase up to 100GB of additional space for a very reasonable price
- 20GB added to your free space is $10/year
- 50GB added to your free space is $25/year
- 100GB added to your free space is $50/year
- A desktop app to make copying to/from SkyDrive very very easy
Here is how I implemented it on my computer and my wife’s computer. (Note…do this at your own risk…if you do something wrong…or if I don’t explain it clearly…or whatever else…you take the risk on yourself. If you lose data, don’t blame me…I warned you!)
First…sign up for a Microsoft account at Outlook.com. This will get you both an email address (that you can choose to either use or not) as well as access to your free space. From there you can “Manage Storage” to add additional space. From the SkyDrive site, look in the bottom left corner and click “Get SkyDrive apps” which will take you to a page to install the Windows Desktop app. (Note that they also have apps for Windows Phone, iPhone/iPad and Android.) When installing the app, it will ask for the location to save SkyDrive files into (the default is c:\users\username\SkyDrive). Instead of accepting the default option, I chose to have it use D:\SkyDrive. I then changed all of my “special folders” (My Docs, My Pics, My Music, Favorites) to point to D:\SkyDrive\Documents, D:\SkyDrive\Favorites, etc. Now…I just save as normal to Docs/Pics/Favorites…and they are automatically uploaded to SkyDrive. Nothing to think about…nothing to configure.
To change the location of the special folders, open up the c:\users\username folder, then right click one of the special folders (like “My Music”). Flip to the “Location” tab and select “Move…”. Choose the “d:\SkyDrive\Music” folder (change to reflect where you put the SkyDrive folder). Allow Windows to move the data to the new folder. This could take a while, so be patient and let it continue.
Another way of doing this would be to use the Junction Point feature of Windows. This is basically a pointer to another folder…so you would still create the d:\SkyDrive (or wherever you wanted to put it), then create Junction Points that map “d:\SkyDrive\Music” to “C:\users\username\music”. Then anything you put into “My Music” (which is really in the C:\users\username\music) would also appear to be in D:\SkyDrive\Music…which means it would get backed up by SkyDrive.
There are advantages and disadvantages to this backup method. Some of them are:
Disadvantages:
- Limited storage if you have more than 100GB of data to back up. I would expect them to expand this later, but right now…you have a max of 107GB (125 if you signed up in time).
- You have to choose one “root” folder to back up…you can’t pick various folders around the drive…although you CAN create “Junction” points to back up other folders…so this isn’t
Advantages:
- Very low footprint…even in the height of backing up 50+GB of data, the RAM used by SkyDrive on my wife’s computer was at most 34MB…it was commonly below 30MB.
- You have full access to the data from your computer as well as your mobile device (Windows Phone, iPhone/iPad, Android).
- You can also configure the SkyDrive app to allow you access to the rest of your computer.
BTW…I did take a screenshot of the RAM usage while both CrashPlan and SkyDrive were running. Any wonder why I didn’t want to continue using CrashPlan?
Would love to know what goes through my son’s mind sometimes…
Yesterday I went upstairs to grab lunch and found my wife and oldest daughter on their hands and knees in the living room with baby wipes in their hands. My younger daughter was making sure that my son stayed IN the bathtub. Turns out that he had gone into the pantry, grabbed the jar of peanut butter, carried it to the living room, stuck his whole hand inside, then ran through the house shaking the peanut butter covered hand.
To say that there was peanut butter on every square foot of the path he ran is not an exaggeration. It took three of us almost an hour to just clean up the worst of the mess. Then Julie went to pick up a carpet cleaner. Many many hours of work caused by a less than thirty second mad dash of a peanut butter spraying three year old.
And I wish I had some hope that he wouldn’t do it again…but unfortunately I don’t.
I saw Jason’s post on this, and had to agree…IP Subnet Boundaries in Configuration Manager are indeed evil. Use IP Range boundaries instead!
Definitely check out Jason’s post for full info.
Very cool to see this today! Microsoft has released the initial offline help file for System Center 2012 Configuration Manager. But…better than that…it comes in three formats.
- a 13MB, 2000+ page PDF
- a 2MB, 2000+ page DOCX
- a CHM file…with an update utility!!!
If you install the ConfigMgr2012HelpUpdate.msi app, you will see the following on your Start Menu.
The first link is the help file…note that it is dated May 2012. The second is the update wizard…which presumably will keep the local copy up to date with the online version when a new offline copy is published. Very nice!
Anyone who works in enterprise IT (and with products such as Configuration Manager) needs to know how to install applications silently…without requiring user intervention. Recently I came across a web page that gives really good info on the various installation types (MSI / InstallShield / Wise / etc) and how to make them silent. It goes beyond the basics and gives background on how each of them works. The page hasn’t been updated in a while, but there is still some very good information there. This could be a good one to bookmark.
Over the weekend I got a final update on the Unknown Computer “bug” in Configuration Manager 2012 that I wrote about recently. This time the update came from John Vintzel who for those who don’t already know him is a Senior Program Manager on the Configuration Manager product team. Basic gist of the update is that they will evaluate a change in this behavior for a future release.
In my opinion (which based on conversations I’ve had I know is shared by many others), this is a necessary change. There should not be a requirement to delete an object when a system doesn’t even begin the task sequence…or when it fails early in the process. A few options for how this could be changed:
- Don’t create the Unknown object at all. (I’m guessing there is a reason behind why it exists though.)
- Create the object after the system becomes a manageable object. (probably the same as #1 though)
- Have logic built into the task sequence process that automatically removes the “unknown” object from the database if the Task Sequence fails before the system becomes a manageable object.
I have had a few discussions over the years about whether a Configuration Manager installation should include SQL “on box” or “remote”. The answer is generally “it depends”. This blog post is not going to dig into all of the reasons why you would choose either local or remote SQL…it is designed to highlight one particular security concern with the remote SQL option. Let’s think through several of the underlying components that are necessary for remote SQL to take place along with a few very common scenarios when this is the case.
- Generally a company will choose remote SQL because they want to have a beefy SQL box that is managed by their DBA team. This SQL box will commonly house several SQL databases…not just the Configuration Manager DB. Which means that any disruption on that SQL server has an impact on much more than just Configuration Manager.
- A requirement for remote SQL with Configuration Manager is that the Configuration Manager server’s computer account must be in the local admin group on the SQL server.
- Commonly there will be a number of Configuration Manager administrators that have admin rights on the Configuration Manager server.
- Commonly there will be a number of those same Configuration Manager administrators that do NOT have admin rights on the remote SQL server.
THAT is where the problem rears its head. Let’s connect all of the dots…
- Joe Admin is an admin on the Configuration Manager server…but is not an admin on the SQL server.
- The Configuration Manager server’s computer account is an admin on the SQL server.
- Joe Admin has read my article on how to run a command prompt as local system. Uh oh.
- Joe Admin uses psexec to run a command prompt (or SQL Management Studio…or regedit…or services.msc…or disk management…or whatever else) as local system on the Configuration Manager server.
- Joe Admin then connects that app (running in the “user” context of the Configuration Manager server’s computer account) to the SQL server.
- Joe Admin is now able to do anything that the Configuration Manager server’s computer account has rights to do…which is full Administrator rights…ON THE SQL SERVER!!!
- That security you thought you had…well it didn’t work so well.
Is there anything to keep Joe Admin from (either accidentally or maliciously):
- Stopping services?
- Deleting files?
- Rebooting the server?
- Jacking with the registry?
- Installing (either good or bad) software?
- Copying data off of the SQL server?
- etc (I think you get the picture.)
Now…for some people that doesn’t matter. In many smaller installations the same team is managing Configuration Manager and SQL. However…if you are that small…why take on the extra complexity of the remote SQL scenario?
For others it matters big time! I’ve had conversations with customers who cringe at the very idea that some random Configuration Manager admin could possibly gain full rights to the SQL server that other business critical databases are stored on.
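The exposure described above can be audited by comparing local Administrators memberships: anyone who is an admin on a machine whose computer account is an admin on the SQL server is effectively an admin on the SQL server. The following is an added example, not part of the original post; the domain, server names, groups and accounts are constructed sample data, and on live systems the membership lists could be gathered with Get-LocalGroupMember.

```powershell
# Added example: all names below are constructed sample data.
# Local Administrators membership per server (hypothetical hosts SQL01 and CM01).
$localAdmins = @{
    'SQL01' = @('CONTOSO\SQL-DBAs', 'CONTOSO\CM01$')
    'CM01'  = @('CONTOSO\CM-Admins', 'CONTOSO\Joe.Admin')
}

# Domain group membership (hypothetical groups), used to expand nested groups.
$groupMembers = @{
    'CONTOSO\SQL-DBAs'  = @('CONTOSO\Dana.Dba')
    'CONTOSO\CM-Admins' = @('CONTOSO\Joe.Admin', 'CONTOSO\Pat.Ops')
}

function Get-DirectAdmin {
    # Returns the users and computer accounts that are local admins on $Server,
    # with group membership expanded. The visited set also guards against group cycles.
    param([string]$Server, [hashtable]$LocalAdmins, [hashtable]$Groups)

    $seen  = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    $queue = [System.Collections.Generic.Queue[string]]::new()
    foreach ($p in $LocalAdmins[$Server]) { $queue.Enqueue($p) }

    while ($queue.Count -gt 0) {
        $p = $queue.Dequeue()
        if (-not $seen.Add($p)) { continue }          # already processed
        if ($Groups.ContainsKey($p)) {
            foreach ($m in $Groups[$p]) { $queue.Enqueue($m) }
        }
    }
    # Keep leaf principals only, not the groups themselves.
    $seen | Where-Object { -not $Groups.ContainsKey($_) }
}

function Get-IndirectAdmin {
    # Reports users who are NOT direct admins on $Target but are admins on a
    # machine whose computer account (name ending in $) is an admin on $Target.
    param([string]$Target, [hashtable]$LocalAdmins, [hashtable]$Groups)

    $direct = @(Get-DirectAdmin -Server $Target -LocalAdmins $LocalAdmins -Groups $Groups)
    $computerAccounts = @($direct | Where-Object { $_ -match '\$$' })

    foreach ($acct in $computerAccounts) {
        # CONTOSO\CM01$ -> CM01
        $hostName = ($acct -split '\\')[-1].TrimEnd('$')
        if (-not $LocalAdmins.ContainsKey($hostName)) {
            Write-Warning "No membership data for $hostName; cannot evaluate $acct"
            continue
        }
        $hopAdmins = @(Get-DirectAdmin -Server $hostName -LocalAdmins $LocalAdmins -Groups $Groups)
        foreach ($user in $hopAdmins) {
            if ($user -match '\$$') { continue }       # one hop only in this example
            if ($direct -notcontains $user) {
                [pscustomobject]@{ User = $user; Via = $acct; Target = $Target }
            }
        }
    }
}

Get-IndirectAdmin -Target 'SQL01' -LocalAdmins $localAdmins -Groups $groupMembers |
    Sort-Object User | Format-Table -AutoSize
```

Every row in the output is an account that the SQL server's own Administrators group does not list but that can reach the same rights through the listed computer account.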
Just a quick update on the potential bug that I reported a couple of weeks ago. I’ve had a few back and forth exchanges via Connect about this issue, and it is being called “by design”. They asked me how I would like for this to work and at what point I would like for the machine to become “known”. Here is my response:
Thinking through the whole scenario…it would be best if the computer is seen as "known" AFTER it becomes a manageable system (i.e. after the Configuration Manager client is installed). Until that time, it is not a system that can be managed…it doesn’t even have an operating system until just before the client install step in the task sequence.
At minimum, I would not expect the computer to be "known" until after the task sequence successfully started. In the scenario I provided (task sequence erroring out at dependency check…which is VERY common), the task sequence has not begun…it is failing during the dependency check. The computer object that is created (named "Unknown") is not a manageable object. It is however an object that will block the computer from being able to run a task sequence that would allow it to become manageable unless action is taken to remove it from the console.
The final response back from Microsoft via Connect was that this would be submitted to the Product Group as a Design Change Request.
This will be a very welcome change if it is implemented. Until then, be aware of the issue and what you need to do to fix this issue when you run into it in your environment.
Just a quick note for those interested in the morning Bible Study we are having at MMS 2012. We decided to meet at a slightly different time for the rest of the week to allow for time to get to breakfast each morning. We will be meeting from 7:15-7:45am each morning of MMS in Marco Polo 702 which is basement level of the Venetian convention center.
See you in the morning!
I finally broke down and joined Twitter. A good friend (Dennis Brockman) tried to get me to do it a few years ago and I thought the whole concept was absurd. I still don’t know how much I will use it, but I do have an active account. Funny thing is that the account has been active since mid-February and I have a grand total of one follower. Dennis…it may have taken a while, but I finally did open a Twitter account…but don’t get your hopes up…you aren’t going to win the Mac argument with me anytime soon!
If anyone cares, I am @VerbalProcessor.
Who cares? That is the thought that went through my mind last night a few hours after I posted the last of my five part series on Dynamic Operating System Deployment and application replacement. Even if you don’t now, you SHOULD care. Let’s see if I can convince you…
Let me give one example of the difference that the concepts in that series made at a company. I had a client recently who was performing a company-wide Windows 7 rollout…migrating from Windows XP. This coincided with a PC replacement cycle, so this rollout was predominantly a “Computer Replace” scenario…so replacing the old XP box with a new Win7 box. After replacement, users obviously needed to be able to do their jobs on the new Win7 system…which meant that they needed some key applications that had previously been installed on their Windows XP system…but these apps had been installed on a case by case basis previously. The company has not implemented role-based application deployment at this time.
And THAT is where the problem arose. MANY of these applications are not in the core Windows 7 image for obvious reasons. (Visio, Project, Creative Suite, Oracle apps, numerous internal apps) For that matter, many of the apps that were installed in Windows XP were being replaced with a newer version in Windows 7 for application compatibility reasons. For this company it meant that when they performed the Windows 7 refresh on a location, they flew two employees to the refresh location to perform the upgrade. The PRIMARY reason that they needed to do this was so that the two employees could re-install applications on the user’s Windows 7 computer post-install on a case by case basis. This resulted in significant business problems including:
- User downtime because necessary applications weren’t installed on their new Windows 7 system.
- IT staff were pulled away from their day-to-day job for a week at a time to drive the migrations…mainly because of the need to install additional applications.
- The Windows 7 migration for the company was taking SIGNIFICANTLY longer than desired because of these limitations (both app installs and a limited number of employees to travel to numerous locations).
- Significant additional costs were associated with all of this (travel, time, delays, loss of user productivity)
Quite simply it was an unacceptable situation. Way too much wasted time and effort. That’s when they called us to see if we could help them streamline this process. I implemented the steps I outlined in posts 1, 2, 3, 4, and 5. The client saw some very significant improvements from a business value perspective…including…
- A VERY significant reduction in the number of special post-image application installations.
- Automated re-installation of required applications without the need for IT staff intervention.
- Significant reduction in user downtime as a result of the migration process.
- Consistency from an end user perspective. (i.e. My computer used to have Program X and it still does.)
- Smoother Windows 7 migrations.
- The company expects that significantly less travel will be required to perform the Windows 7 migrations.
- Cost savings…both travel related and time related.
So…should you care about making your operating system deployments dynamic and adding the application replacement functionality to the process? If cost and time savings mean anything to you, then yes you should. Don’t know about you, but I’ve got better things to do with my life than to babysit an OS deployment! :-)