
Monthly Archives: May 2013

ConfigMgr 2012 SP1: are your machines able to handle WinPE 4.0?

ConfigMgr 2012 SP1 has been out for a while now. It should be pretty well known that ConfigMgr 2012 SP1 uses WinPE 4.0 boot images; MDT 2012 U1 integration is irrelevant for this. However, MDT 2012 U1 integration allows you to build very feature-rich boot images, so it is strongly recommended to integrate MDT 2012 U1 into ConfigMgr 2012 SP1.

WinPE 4.0 is the Windows PE release that ships with the Windows 8 / Windows Server 2012 ADK, so it carries the same hardware requirements as those operating systems.

One requirement that kind of escaped my attention is that Windows 8 and Windows Server 2012 will only install on a CPU that supports PAE, NX and SSE2. The same requirement applies to WinPE 4.0.

More information regarding this requirement is available here: http://msdn.microsoft.com/en-us/library/windows/hardware/hh975398.aspx

Thanks to Russ Rimmerman’s blog I became aware of this requirement. His article is available here: http://blogs.technet.com/b/configmgr_geek_speak/archive/2013/03/03/winpe-4-0-boot-images-not-working-with-cpu-s-that-do-not-support-nx-pae-sse2.aspx

The most important of the three is the presence of the NX bit. NX lets the CPU mark a memory page as non-executable, which is what Hardware DEP in Windows relies on to stop code from running out of data pages such as the stack or the heap. Hardware DEP support was introduced in Windows XP Service Pack 2 (and Windows Server 2003 Service Pack 1). Note that on 32-bit Windows the NX bit is only usable when PAE paging is enabled, which is why the two requirements go together.

Even if you are not deploying Windows 8 to client machines, ConfigMgr 2012 SP1 still uses WinPE 4.0 boot images to deploy the other operating systems, so the requirement applies to every machine you want to image.

The absence of NX is most likely the case on very old machines, machines which are most likely not used anymore, but some environments are still running these ancient machines for various reasons. A CPU may also support NX while the feature (often called Execute Disable) is switched off in the BIOS, so check the firmware settings before writing off a machine.

A couple of years ago, I studied for the Windows Server 2008 R2, Server Virtualization (70-659) exam. For this training I used the CBT Nuggets course. The instructor, Greg Shields, demonstrated in that video how to check if your CPU has the hardware support for server virtualization using Hyper-V. Hyper-V requires Hardware DEP to be supported. He used the tool SecurAble, which is freely available at the following website:

https://www.grc.com/securable.htm

SecurAble is a good ol’ tool which allows you to check if your environment will actually be able to run WinPE 4.0. This is not limited to physical machines. Some hypervisors might not pass Hardware DEP through to virtual machines either, which will cause booting from WinPE 4.0 to fail. Well, fail… it will start, but it hangs while loading the boot image…

Running SecurAble on my machine gave me quite a funny result:

[Screenshot: 052313_2133_ConfigMgr201.png]

 

Yeeeeh, I can run WinPE 4.0 and Windows 8/Windows Server 2012 on my laptop :)

Funny detail is that I have no support for Hardware Virtualization, even though my laptop allows me to install the Hyper-V role and run 64-bit virtual machines.

However, the focus is on Hardware DEP this time…

Try it out yourself before getting started with ConfigMgr 2012 SP1…
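As an added example (this is not the post’s code and not part of SecurAble), here is a PowerShell check that reports the same three CPU features from the operating system that is already installed on a machine. It calls kernel32!IsProcessorFeaturePresent with the documented PF_PAE_ENABLED, PF_XMMI64_INSTRUCTIONS_AVAILABLE (SSE2) and PF_NX_ENABLED constants from winnt.h and reads the DEP settings from Win32_OperatingSystem; the function name and the WinPE4Ready property are my own. Run it on each existing Windows XP SP2 or later client, for instance as a ConfigMgr package that writes the result to a log, before trying to boot that hardware into a WinPE 4.0 boot image.

```powershell
# Added example, not from the original post: report PAE / SSE2 / NX as the
# running OS sees them, plus the DEP policy, to predict whether the machine
# can boot a WinPE 4.0 boot image. Works on Windows XP SP2 and later with
# PowerShell 2.0 or newer (Add-Type is needed for the P/Invoke).

Add-Type -Namespace Win32 -Name Cpu -MemberDefinition @'
[DllImport("kernel32.dll")]
public static extern bool IsProcessorFeaturePresent(uint feature);
'@

function Test-WinPE4Support {
    # Constants from winnt.h
    $PF_PAE_ENABLED                   = 9
    $PF_XMMI64_INSTRUCTIONS_AVAILABLE = 10   # SSE2
    $PF_NX_ENABLED                    = 12   # NX present AND enabled by the OS

    $os = Get-WmiObject -Class Win32_OperatingSystem

    $result = New-Object PSObject -Property @{
        ComputerName = $env:COMPUTERNAME
        PAE          = [Win32.Cpu]::IsProcessorFeaturePresent($PF_PAE_ENABLED)
        SSE2         = [Win32.Cpu]::IsProcessorFeaturePresent($PF_XMMI64_INSTRUCTIONS_AVAILABLE)
        NX           = [Win32.Cpu]::IsProcessorFeaturePresent($PF_NX_ENABLED)
        # DEP as configured in the OS: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn, 3 OptOut
        DepAvailable = $os.DataExecutionPrevention_Available
        DepPolicy    = $os.DataExecutionPrevention_SupportPolicy
    }

    # WinPE4Ready is my own summary flag: all three features must be usable.
    $result | Add-Member -MemberType NoteProperty -Name WinPE4Ready `
        -Value ($result.PAE -and $result.SSE2 -and $result.NX) -PassThru
}

# Usage: run locally, or wrap in a package/script that appends the object to a
# central log so you can find the machines that will hang in WinPE 4.0 beforehand.
Test-WinPE4Support | Format-List ComputerName, PAE, SSE2, NX, DepAvailable, DepPolicy, WinPE4Ready
```

PF_NX_ENABLED is false not only when the CPU lacks NX, but also when Execute Disable is switched off in the BIOS, when a hypervisor hides it from the VM, or when DEP has been forced off with bcdedit /set nx AlwaysOff; the DepPolicy value helps you tell the last case apart from the others. On 64-bit Windows PAE is always reported as enabled, because long mode implies it, so on those machines only the NX column tells you something.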

 

ConfigMgr 2012: Managing security for content, is it something you need?

As many people may already know, ConfigMgr 2012 distributes content over HTTP/HTTPS from IIS instead of over SMB. However, the legacy SMB method is still available for package content, which is a necessity if you migrate from ConfigMgr 2007 to ConfigMgr 2012 and want to migrate your packages…

Distribution using SMB results in the creation of SMSPKGX$ folders and shares (where X is your drive letter), which users can browse to directly. Personally, I believe that more skilled end users would probably bother to browse to these folders (if they are aware which server is a distribution point) and see if they can find something they like.

Hardening access is possible by using the Manage Access Accounts option on content. This matters because whatever an administrator leaves in a package source (installation media, scripts, and sometimes license keys or embedded credentials) is readable by everyone who can reach the share with the default permissions.

[Screenshot: 051913_0935_ConfigMgr201.png]

The default permissions are:

[Screenshot: 051913_0935_ConfigMgr202.png]

You can add users or groups and assign them the permissions they need. The default generic access accounts give Users read access and Administrators full control, and that Users entry is what makes the share browsable by any domain account; restricting it to the groups that actually need the package is the whole point of the feature.
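Before deciding whether you need access accounts, it helps to see what the shares on a distribution point actually grant today. The following PowerShell function is an added example (not code from the post or from ConfigMgr): it lists the content shares on a DP and prints every Allow entry in the NTFS ACL of the share root that belongs to a broad group. The function name, the list of “broad” principals and the share-name patterns (the default SMSPKG<drive>$ and SCCMContentLib$ names) are my assumptions; adjust them to your environment.

```powershell
# Added example, not from the original post: find ConfigMgr content shares on a
# distribution point whose NTFS ACL grants access to broad groups.
# Assumption: the caller can enumerate shares over WMI and read ACLs over SMB.

function Get-DPContentShareExposure {
    param(
        [Parameter(Mandatory=$true)] [string] $DistributionPoint,
        # Principals that effectively mean "everyone in the domain" (assumed list)
        [string[]] $BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                                        'NT AUTHORITY\Authenticated Users', 'Domain Users')
    )

    # Default share names: SMSPKG<drive>$ for legacy package shares, SCCMContentLib$ for the content library
    $shares = Get-WmiObject -Class Win32_Share -ComputerName $DistributionPoint |
        Where-Object { $_.Name -match '^SMSPKG[A-Z]\$$' -or $_.Name -eq 'SCCMContentLib$' }

    foreach ($share in $shares) {
        $unc = "\\$DistributionPoint\$($share.Name)"
        try {
            $acl = Get-Acl -Path $unc
        } catch {
            Write-Warning "Cannot read ACL of ${unc}: $($_.Exception.Message)"
            continue
        }
        foreach ($ace in $acl.Access) {
            $id = $ace.IdentityReference.Value
            # Match on the trailing part so 'CONTOSO\Domain Users' hits 'Domain Users'
            $isBroad = $BroadPrincipals | Where-Object { $id -like "*$_" }
            if ($ace.AccessControlType -eq 'Allow' -and $isBroad) {
                New-Object PSObject -Property @{
                    Share     = $unc
                    LocalPath = $share.Path
                    Identity  = $id
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Usage:
# Get-DPContentShareExposure -DistributionPoint DP01 | Format-Table Share, Identity, Rights, Inherited -AutoSize
```

This looks at the NTFS ACL only; the share-level permission is a second layer (Win32_LogicalShareSecuritySetting, or Get-SmbShareAccess on Windows Server 2012) and the effective access is the more restrictive of the two. An inherited entry usually means the broad access comes from the volume root rather than from anything ConfigMgr did, which changes where you fix it.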

Even in the days of SMS 2003 and ConfigMgr 2007, I never used this feature at all, and I haven’t done so in ConfigMgr 2012. The reason is that for almost all customers, I configured the distribution to be completely hidden from end users. Experience tells me that end users just want the applications to do their job and they don’t want to be bothered with deployments (or even starting the installation themselves)…

However, being a consultant, it happens all the time that a customer is using a feature I never use myself, but that’s OK. It keeps my job challenging, which is a good thing since I don’t like routine that much…

This feature is also available for Applications in ConfigMgr 2012. As the title of this blog says: do we really need it?

ConfigMgr 2012 allows administrators to fully use the benefits of distributing content from IIS over either HTTP or HTTPS; all content is stored in the SCCMContentLib folder on a distribution point. Browsing this folder and looking for the content is still possible, but digging through the folder and finding the content end users would intentionally look for becomes much harder and especially time consuming, because the content library stores the actual files under their hash in FileLib rather than under the package name. Not to mention that end users need to locate the share first…

I wonder if most end users want to put the effort in this.

Of course I’m aware that security through obscurity is a faulty mechanism, and securing the content share is no exception. Most administrators don’t make any announcements where to locate content. Windows file share auditing (the Object Access > File Share and Detailed File Share subcategories, which produce events 5140 and 5145 in the Security log) lets you monitor who accessed the content share and take appropriate action if someone accessed something he or she shouldn’t.
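To make that auditing concrete, here is an added example (my own script, not from the post or from ConfigMgr) that enables the two file share audit subcategories on a distribution point and then reports accesses to the content shares from the resulting Security log events, leaving out the accounts you expect to see. The function name, the share-name pattern and the default list of expected accounts are assumptions; run it elevated on the DP or against it with a remote-eventlog-capable account.

```powershell
# Added example, not from the original post: enable file share auditing on a DP
# and list who touched the ConfigMgr content shares (events 5140 / 5145).

# 1. Machine-wide audit policy. 5145 ("Detailed File Share") logs every object
#    access on every share and is noisy on a busy DP; start with "File Share" only
#    if volume is a concern.
auditpol /set /subcategory:"File Share" /success:enable /failure:enable
auditpol /set /subcategory:"Detailed File Share" /success:enable /failure:enable

function Get-ContentShareAccess {
    param(
        [string]   $ComputerName = $env:COMPUTERNAME,
        [datetime] $Since = (Get-Date).AddDays(-1),
        # Accounts that legitimately touch the shares (assumed; extend with your
        # packaging admins and the site server's computer account).
        [string[]] $ExpectedAccounts = @('SYSTEM', 'NETWORK SERVICE')
    )

    $filter = @{ LogName = 'Security'; Id = 5140, 5145; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

            # ShareName looks like \\*\SMSPKGD$ or \\*\SCCMContentLib$
            if ($d.ShareName -match 'SMSPKG|SCCMContentLib') {
                New-Object PSObject -Property @{
                    Time    = $_.TimeCreated
                    EventId = $_.Id
                    User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                    Share   = $d.ShareName
                    Object  = $d.RelativeTargetName   # only populated in 5145
                    Client  = $d.IpAddress
                    Access  = $d.AccessMask
                }
            }
        } |
        Where-Object { $ExpectedAccounts -notcontains $_.User.Split('\')[-1] }
}

# Usage:
# Get-ContentShareAccess -ComputerName DP01 -Since (Get-Date).AddHours(-8) |
#     Sort-Object Time | Format-Table Time, EventId, User, Share, Object, Client -AutoSize
```

Computer accounts show up as DOMAIN\NAME$, which is normal for site-system traffic; an interactive user account reading through a package folder, or a failure event from an account that has no business there, is what you are looking for. The 5140 event tells you a share was opened, the 5145 event tells you which file, so keep both if you need to prove what was actually read.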

My default recommendation is not to use this feature since it might result in additional administrative effort and it adds customization to your ConfigMgr environment. If possible, then stick with the defaults.

However, this feature should be used where high levels of security matter. Examples are applications that handle patients’ medical data (which is considered very private).

If you want to familiarize yourself with this feature, then use a test environment for it.

 

ConfigMgr 2012 SP1: Updating your clients to CU1, a ‘lazy’ approach…

Cumulative Update 1 for Configuration Manager 2012 SP1 has been out for a while now.

I haven’t detected any re-releases recently. I had some time to work out a strategy to create an updating mechanism that is as easy as possible, and my goal is to create a ‘fire and forget’ mechanism. If you visit my blog regularly, you will notice that my approach is to use as little customization as possible and to automate as much as possible.

First things first: download and install CU1 on your site server so it updates your site and creates the required CU1 update packages for your clients (and for your console as well)…

You can download it here:

http://support.microsoft.com/kb/2817245

After installing the update, you will see a few new packages:

[Screenshot: 051813_1645_ConfigMgr201.png]

You quickly notice that two client packages are created: one for x86 clients and one for x64 clients.

First, distribute the content to all distribution points. I’m not going to show that since this is basic ConfigMgr knowledge…

Second, I recommend enabling the Suppress program notifications option on the programs, since you don’t really want to bother end users with this kind of maintenance work…

[Screenshot: 051813_1645_ConfigMgr202.png]

Third, create two device collections which check whether the ConfigMgr client version is still SP1, which has version number 5.00.7804.1000. The client version of CU1 is 5.00.7804.1202.

The screenshot below displays the criteria for the query rule:

[Screenshot: 051813_1645_ConfigMgr203.png]

NOTE: for x64 clients, the System Type is x64-based PC. Everything else is the same.

Both collections are limited to All Desktop and Server Clients. We don’t need All Systems because we only want to upgrade systems that already have a client.

After a while you should see these collections being populated with clients.

Finally, deploy the packages to the collections using a required deployment. If everything is configured correctly, clients are updated quietly. They will ‘leave’ the collection since they no longer meet the query membership rule; this happens once the next heartbeat discovery reports the new ClientVersion and the collection membership is re-evaluated, so expect some lag between the install and the collection shrinking.
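The collection part of the steps above, as an added example written with the ConfigMgr 2012 SP1 PowerShell cmdlets (this is my own script, not the post’s or Microsoft’s): it creates the two collections with their query rules and adds a small function that counts clients per version so you can watch the collections drain after the required deployment. It assumes the ConfigurationManager module is loaded with the site PSDrive as the current location, a site code of PS1 (placeholder), and the default limiting collection name; the collection names and function name are mine.

```powershell
# Added example, not from the original post: collections for "client still on
# SP1" per architecture, plus a per-version client count from the SMS Provider.
# Assumes: Import-Module ConfigurationManager has been done and the site drive
# is current (e.g. cd PS1:). Replace PS1 with your site code.

$versionSP1 = '5.00.7804.1000'   # client version before CU1
$versionCU1 = '5.00.7804.1202'   # client version after CU1 (KB2817245), for reference

$targets = @(
    @{ Name = 'ConfigMgr client SP1 - needs CU1 (x86)'; SystemType = 'X86-based PC' },
    @{ Name = 'ConfigMgr client SP1 - needs CU1 (x64)'; SystemType = 'x64-based PC' }
)

foreach ($t in $targets) {
    # Same criteria as the console query rule: ClientVersion still SP1, matching
    # System Type. WQL string comparison is case-insensitive.
    $wql = @"
select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name,
       SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client
from   SMS_R_System
where  SMS_R_System.ClientVersion = '$versionSP1'
  and  SMS_R_System.SystemType = '$($t.SystemType)'
"@

    New-CMDeviceCollection -Name $t.Name -LimitingCollectionName 'All Desktop and Server Clients' | Out-Null
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $t.Name -RuleName 'Client version is SP1' -QueryExpression $wql
}

function Get-CMClientVersionSummary {
    # Counts clients per ClientVersion and SystemType straight from the SMS
    # Provider; the $versionCU1 rows should grow and the $versionSP1 rows shrink
    # as the required deployment runs and heartbeat discovery reports back.
    param([string] $SiteCode = 'PS1', [string] $SiteServer = $env:COMPUTERNAME)

    Get-WmiObject -ComputerName $SiteServer -Namespace "root\sms\site_$SiteCode" `
        -Query 'select ClientVersion, SystemType from SMS_R_System where Client = 1' |
        Group-Object ClientVersion, SystemType |
        Select-Object Count, Name |
        Sort-Object Name
}

# Usage: Get-CMClientVersionSummary -SiteCode PS1 -SiteServer CM01
```

The deployment itself (required, with notifications suppressed) is still created in the console as described above. Because the membership query keys on the exact SP1 version string, a machine that was never at 5.00.7804.1000 (for example a client still on RTM) will not be picked up; widen the query or add a collection if you have those.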

It is possible to install the patch during OSD by adding the PATCH property (pointing at the CU1 .msp) to the installation properties of the Setup Windows and ConfigMgr step in your Task Sequence. However, I wouldn’t really bother doing so, since freshly deployed machines will become a member of one of the collections temporarily and get updated by the deployment created for the CU1 packages. After all, this is a lazy approach and I’m not really interested in editing a bunch of Task Sequences because it adds an element of customization. Customizations add complexity, which is against my belief in delivering manageable ConfigMgr environments…

I’m aware that other update scenarios exist. This one works the best for me…

As usual, please test this functionality in a test environment before implementing this in a production environment…

 

Windows Intune: first impressions…

At MMS 2013 I had a very interesting evening (birds of a feather) session regarding Windows Intune. There were only 3 of us (including the host, Chris Nackers); after a while three representatives of Microsoft’s Windows Intune product team joined the session, which made me more and more curious about this technology. Even before MMS 2013, I had already played around a bit with Windows Intune.

One of my customers is interested in using Windows Intune because he’s looking for a way to manage his mobile devices (Apple and Surface tablets). We agreed to start a Proof of Concept using the free 30-day trial that Microsoft offers for Windows Intune. Windows Intune will be configured in stand-alone mode, so no connection with a Configuration Manager 2012 SP1 primary site.

This blog describes my first impressions while preparing the Proof of Concept and documenting my findings and configurations before going to the customer and starting with the PoC.

NOTE: my colleague Robin Verbeek wrote some nice blog articles regarding Windows Intune and Configuration Manager 2012 SP1. You can find his blog on http://focusonsystemcenter.nl

Setting up a Windows Intune trial is a straightforward process and doesn’t require much administrative effort.

After opening the portal and checking out some settings, I got the feeling that some things look quite similar to Configuration Manager 2012 SP1. This flattens the learning curve, and I expect the same for you ConfigMgr guys and girls out there…

For now I configured some basic things, such as update management for just three operating systems: Windows 7, Windows 8 and Windows RT.

Part of the test was enrolling three machines: two desktops and one Surface tablet. This is pretty straightforward as well…

The portal has a feature that I really like: hyperlinks to the TechNet page which displays the instructions.

It saves me a lot of time and it allows me to redirect the administrator to use these pages.

I need to explore Windows Intune more intensively to use more of its features; expect a few blogs about those features as well.

Windows Intune makes sense if I can provide added value for customers using this technology. Many organizations have started exploring cloud services; others are not really ready for that. Finally, there are organizations that are not allowed to use cloud services because the law forbids it (this is the case for some government organizations here in The Netherlands).

Here are some reasons why Windows Intune can be added value for customers:

  • One tool to manage multiple platforms (traditional Windows Operating Systems, Windows RT, Apple iOS and Android (a bit limited though))
  • New features are added every 3 months
  • No investment required to build an infrastructure in your environment, it’s all in the cloud…
  • Great for smaller organizations who are looking for an inexpensive way to manage their devices, even if you don’t have mobile devices in your environment
  • A good alternative for organizations where Configuration Manager 2012 SP1 is pure overkill

Calculations must be made to justify the monthly subscription compared to all the costs of managing the same functionality on-premises. Costs such as energy usage, daily administration and depreciation should be included in these calculations.

To continue comparing Windows Intune with Configuration Manager 2012 SP1: they have similar functionality but are not necessarily able to replace each other. One feature Windows Intune doesn’t have is Operating System Deployment (OSD). If your organization doesn’t require ZTI, then MDT 2012 U1 is a good tool to facilitate OSD…

NOTE: experience tells me that since Windows 7 the frequency of redeploying client machines has been significantly reduced…

MDT 2012 U1 is free, which is really nice too…

 

Posted by on 04/05/2013 in Uncategorized

 
 