
Monthly Archives: October 2013

ConfigMgr 2012: issue injecting IE10 for Windows 7 SP1 x64…

Recently, a customer faced issues injecting Internet Explorer 10 into his Windows 7 image, which was built by ConfigMgr 2012 SP1.

We discovered that injecting IE10 using Offline Servicing prevented us from successfully injecting IE10.

Attempting to inject IE10 using dism.exe failed with error 0x800f081e. During the investigation I discovered that IE10 requires the following hotfixes as prerequisite in order to install:

  • KB2533623
  • KB2670838
  • KB2729094
  • KB2731771
  • KB2786081

I found the list of prerequisites on the following forum thread:

http://social.technet.microsoft.com/Forums/windows/en-US/2b31162f-c16e-4928-a9ca-fcfab7bb6d34/error-0x800f081e-when-adding-ie10-to-windows-7-enterprise-installwim?forum=w7itproinstall

In order to be sure the hotfixes are injected before IE10 itself, I created 2 folders. One folder, called ‘ie10prereqs’, had all the hotfix .msu files listed above. The other folder, called ‘ie10’, contained the extracted files from the IE10 installer. The image file was copied to my local disk. I created a folder named ‘mount’ to use as a mounting directory.

Injecting hotfixes requires using dism.exe. I used the following steps to successfully inject the hotfixes and IE10:

  • dism.exe /mount-wim /wimfile:<filename.wim> /index:1 /mountdir:c:\mount
  • dism.exe /image:c:\mount /add-package /packagepath:<ie10prereqs path>
  • dism.exe /image:c:\mount /add-package /packagepath:<ie10 path>
  • dism.exe /unmount-wim /mountdir:c:\mount /commit
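The same four steps as a script, added here as an example and not taken from the original post: it checks that every prerequisite .msu is present before mounting, stops on the first failing dism.exe call, and unmounts with /discard instead of /commit when something goes wrong. The default paths are placeholders.

```powershell
# Added example. All default paths are assumptions; adjust them to your layout.
param(
    [string]$WimFile   = 'C:\images\install.wim',   # hypothetical image path
    [int]   $Index     = 1,
    [string]$MountDir  = 'C:\mount',
    [string]$PrereqDir = 'C:\ie10prereqs',
    [string]$Ie10Dir   = 'C:\ie10'
)

# Prerequisite hotfixes for IE10 as listed in the post
$requiredKBs = 'KB2533623', 'KB2670838', 'KB2729094', 'KB2731771', 'KB2786081'

function Invoke-Dism {
    param([string[]]$Arguments)
    & dism.exe @Arguments | Out-Host
    if ($LASTEXITCODE -ne 0) {
        # Report the exit code in the same hex form dism uses (e.g. 0x800f081e)
        throw ("dism.exe {0} failed with exit code 0x{1:X8}" -f ($Arguments -join ' '), $LASTEXITCODE)
    }
}

# Stop before touching the image if a prerequisite .msu is missing
$missing = $requiredKBs | Where-Object {
    -not (Get-ChildItem -Path $PrereqDir -Filter "*$($_)*.msu" -ErrorAction SilentlyContinue)
}
if ($missing) { throw "Missing prerequisite packages: $($missing -join ', ')" }

Invoke-Dism "/Mount-Wim", "/WimFile:$WimFile", "/Index:$Index", "/MountDir:$MountDir"
try {
    # Prerequisites first, then IE10 itself
    Invoke-Dism "/Image:$MountDir", '/Add-Package', "/PackagePath:$PrereqDir"
    Invoke-Dism "/Image:$MountDir", '/Add-Package', "/PackagePath:$Ie10Dir"
    # List the packages in the image so the result can be reviewed in the output
    Invoke-Dism "/Image:$MountDir", '/Get-Packages'
    Invoke-Dism '/Unmount-Wim', "/MountDir:$MountDir", '/Commit'
}
catch {
    Write-Warning $_.Exception.Message
    # Leave the original image untouched when any step failed
    & dism.exe /Unmount-Wim "/MountDir:$MountDir" /Discard | Out-Host
    throw
}
```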

The modified image was added to ConfigMgr and I was able to successfully deploy Windows 7 with IE10.

Hope this helps…

 

ConfigMgr 2012 RTM/SP1/R2: unattended setup, useful when not meeting prerequisites initially…

When deploying Configuration Manager 2012, you might encounter the situation that a prerequisite is not met to allow installation of ConfigMgr 2012. In some scenarios you need to cancel setup completely before proceeding. If that happens, then it can be pretty frustrating that all steps prior to the Prerequisite Checker need to be run again. In my lab, I unintentionally forgot to check USMT during ADK setup, which is a typical case of ‘oops’…

In a recent blog post, I investigated unattended deployments of ConfigMgr 2012. Microsoft has the following information available about an unattended setup for ConfigMgr:

http://technet.microsoft.com/en-us/library/gg712320.aspx#BKMK_UnattendedSetup

When setup is canceled, the %TEMP%\ConfigMgrAutoSave.ini file is still there. This is pretty nice.

Copying the file to a different location might be helpful to allow you to run the installation again.

After meeting all prerequisites, you can run an unattended setup of ConfigMgr 2012 using the setup.exe /script <path + .ini file> command again for a successful deployment…

Hope this helps…

 

An attempt to automate ConfigMgr 2012 SP1 deployment using Microsoft Deployment Toolkit: some findings…

I guess some people would say that my attempt is rather silly but I was just curious in finding out the possibilities.

Recently I was investigating the possibility to use MDT to provide some sort of automation for deploying certain server workloads. My main focus is System Center so I decided to attempt to have an LTI of ConfigMgr 2012 SP1.

I am aware of the PowerShell Deployment Toolkit (PDT), which is developed by Microsoft.

More info about PDT is available at the following website:

http://gallery.technet.microsoft.com/PowerShell-Deployment-822d44c7

However, Microsoft claims that PDT can only be used for lab and test purposes so I decided to try to use MDT instead.

For the sake of my investigation, my deployment scenario has the following properties:

  • OS: Windows Server 2012
  • SQL: A local installation of SQL 2012 SP1 using a default instance
  • ConfigMgr: one primary site using a single Primary Site Server

When using manual deployments, I take the following steps to install the site server:

  • I use a Powershell cmdlet to install the required Roles & Features (available at my blog)
  • I install SQL 2012 SP1
  • I install Windows ADK 8
  • I download the ConfigMgr updates
  • I configure SQL for memory requirements
  • I configure WSUS
  • I install ConfigMgr 2012 SP1 site server

Investigating the LTI deployment gave me quite some challenges. I needed to investigate if each step could run using an unattended command.

Installing the Roles & Features was pretty easy, I added a sources path because .NET Framework 3.5 is included (something .NET Framework 3.5 needs).

For SQL 2012 SP1, I created a ConfigurationFile.ini file using a standard setup procedure, modified it and added it to my setup using the following command: setup.exe /ConfigurationFile=ConfigurationFile.INI /IACCEPTSQLSERVERLICENSETERMS /Q

For ADK, I used a previously downloaded setup which allows me to run the installation unattended: adksetup.exe /q /features OptionId.DeploymentTools OptionId.WindowsPreinstallationEnvironment OptionId.UserStateMigrationTool

ConfigMgr, however, requires an .ini file which must be created and added to the installation binaries. I used the instructions to create the .ini file available at TechNet:

http://technet.microsoft.com/en-us/library/gg712320.aspx#BKMK_UnattendedSetup

My SQL skills are too limited to generate a command which will set the SQL memory requirements for ConfigMgr (feel free to inform me how to do this). I ignored the WSUS config for the LTI. The .ini for ConfigMgr is very static and contains a lot of hard-coded input. It would take a lot of time to investigate how to generate an .ini file during deployment which would dynamically populate the lines in the file.

Result is a successful, but rather ‘crude’ ConfigMgr 2012 SP1 deployment.

I have to admit that I wasn’t really satisfied accomplishing my goals, it was pretty time consuming as well. I might have an attempt to investigate if I can achieve something similar with the other System Center products but for now I consider it pretty time wasting.

However, I learned much from doing unattended installations of ADK and SQL 2012 SP1. This is something I can use in the future…

I’d rather prepare some VM templates with a sysprepped SQL install and a sysprepped OS and work from there…

For now, I suppose I should investigate more deeply into PDT…

 

Thoughts on optimizing Application Deployment in Configuration Manager 2012 SP1/R2…

In many organizations where I introduce Configuration Manager 2012 SP1 (and/or R2 soon) customers ask me how to deploy applications as efficiently as possible. Configuration Manager 2012 provides administrators a ton of options on how to achieve this. Unfortunately, I’m not able to explain what would be THE solution but after thinking this over I believe I can provide a recommendation that comes close.

For the sake of this blog, I limit my thoughts on deploying applications on the following environments:

  • Fat clients (I consider a tablet with Windows 8/8.1 Enterprise a fat client)
  • Server Based Computing (SBC)
  • Virtual Desktop Infrastructure (VDI)

The first goal organizations should achieve, is to virtualize as many applications as possible using App-V 5.

Application Virtualization allows administrators to deploy applications to end users; the application can be started on the desired location but it doesn’t require an installation (.msi does). This is particularly convenient in SBC and VDI environments. SBC environments require an installation which would disconnect user sessions (change user /install and change user /execute); with application virtualization this is no longer required.

For a while I was struggling to figure out how to deploy these applications as efficiently as possible, but then it hit me: Shared Content Store Mode. It took a while for me to understand how it works because I couldn’t find out where the content is actually shared. You can enable Shared Content Store Mode but you’re unable to configure its location. I figured out that the distribution mechanism tells the App-V client where the content is available. The Configuration Manager client is responsible for retrieving the required information using a Distribution Point, this makes the DP the Shared Content Store location effectively. All you need is to configure the deployment to stream all the content from the DP, a very small set of files (just a few KB) will be downloaded to the client machine to allow the application to be started (shortcuts etc.).

The Shared Content Store Mode is extremely useful for SBC and VDI environments, I can imagine you would consider using it on desktop machines as well. Laptop and tablet devices are less likely candidates to use Shared Content Store Mode since they will most likely leave the building which might prevent access to a DP using a fast LAN. For those environments I would actually recommend downloading the virtual application locally and run it from the local disk.

SBC and VDI environments are often configured by a provisioning mechanism such as Citrix Provisioning Services (for SBC), for VDI the most likely configuration is pooled VMs.

If you use OSD to deploy Operating Systems, then you don’t need to install these applications when the Task Sequence is running (just leave them out of the TS). This can make your Windows image very thin and will significantly speed up OSD deployments. Keep in mind though that laptop and tablet devices need time to download the virtual applications locally…

Finally, using application supersedence allows administrators to quickly replace virtual applications with newer versions (even revisions of the same virtual application), replacing a few KB of data is something that end users would barely notice.

Keep in mind though, this blog is aimed at App-V 5. The scenarios here can’t be used for App-V 4.6; you can do something with a read-only cache but this is pretty complex. You should consider converting 4.6 sequences to 5 using the instructions displayed at the following location:

http://technet.microsoft.com/en-us/library/jj713472.aspx

I can conclude that so many options are available; the rich features App-V 5 offers with Configuration Manager 2012 are quite powerful in my opinion…

 

Deploying Servers using MDT: Prevent starting Server Manager automatically

At the moment I’m currently researching the possibility to automate server deployments with applications using MDT 2012 U1. In order to have a good understanding of automating the required steps, a lot of trial and error is used to see if everything works correctly.

As we all know, MDT logs on with the local administrator account to finish installing the steps configured in the Task Sequence.

When the account logs on it automatically starts Server Manager to allow administrators to configure the server. While this may work well for manual deployments, for automated deployments I personally find it somewhat frustrating to have Server Manager started automatically. This is the default setting for Windows Server 2008 and newer. I believe Windows Server 2003 has some similar behavior but I don’t remember my last Windows Server 2003 deployment (the solution doesn’t apply to Windows Server 2003). It eats resources as well.

After looking around a bit on the Internet I learned that you can configure this behavior by GPO.

You need to enable the following GPO settings:

  • Computer Configuration\Policies\Administrative Templates\System\Server Manager\Do not display Initial Configuration Tasks window automatically at logon
  • Computer Configuration\Policies\Administrative Templates\System\Server Manager\Do not display Server Manager automatically at logon

After enabling these GPO settings my frustrations went away…

 

ConfigMgr 2012 with MDT: use ZTIGather.log as a Task Sequence Variable reference

As many of us already know, integrating MDT into ConfigMgr allows administrators to create holistic Task Sequences. ConfigMgr allows administrators to create a few Task Sequences with a lot of options built in. Examples are:

  • You can have multiple steps to deploy images, and create conditions to determine which image must be applied
  • You can have multiple steps to add machines to a domain with different Organizational Units, and create conditions to determine which OU a machine should be joined to
  • You can deploy applications for laptops only, even though the Task Sequence is used for desktops and laptops. You use conditions to determine if the machine is a laptop or not

I would be able to create just two Task Sequences, one for Client machines and one for Servers.

Even though ConfigMgr without MDT integration has quite some Task Sequence Variables available, I find them somewhat difficult to understand. I need to do quite a lot of WMI querying to figure out what I need.

Fortunately, MDT creates a lot of properties during the ‘Gather’ step. During this step, the script ZTIGather.wsf is executed. The results of this script are logged in the file ZTIGather.log.

The default location for this log is %WINDIR%\CCM\Logs. If ccmsetup.exe is instructed to use a different location, then the log is placed on the alternate location specified.

An example of using these properties is displayed in the screenshot below:

[Screenshot not available: 100713_1040_ConfigMgr201.png]

The application used is a 32 bit version of Cisco VPN client. This application will install if the following conditions are met:

  • Machine must be a laptop
  • The architecture of the Windows OS must be X86
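To see which property values a condition like this would be tested against, the log can be parsed directly. The following is an added example, not part of the original post: the sample lines are constructed, and the "Property <name> is now = <value>" line format and the property names IsLaptop and Architecture are assumptions about what the Gather step writes.

```powershell
# Added example. The sample lines below are constructed for illustration.
$sample = @'
<![LOG[Property Architecture is now = X86]LOG]!><time="10:40:01.000+000" date="10-07-2013" component="ZTIGather" context="" type="1" thread="" file="ZTIGather">
<![LOG[Property IsDesktop is now = False]LOG]!><time="10:40:02.000+000" date="10-07-2013" component="ZTIGather" context="" type="1" thread="" file="ZTIGather">
<![LOG[Property IsLaptop is now = True]LOG]!><time="10:40:02.000+000" date="10-07-2013" component="ZTIGather" context="" type="1" thread="" file="ZTIGather">
<![LOG[Finished getting asset info]LOG]!><time="10:40:03.000+000" date="10-07-2013" component="ZTIGather" context="" type="1" thread="" file="ZTIGather">
'@

function Get-GatherProperty {
    param([string[]]$Lines)
    $props = [ordered]@{}
    foreach ($line in $Lines) {
        # Only lines that record a property assignment are of interest
        if ($line -match '<!\[LOG\[Property (\S+) is now = (.*?)\]LOG\]!>') {
            # A later assignment overwrites an earlier one, like in the Task Sequence
            $props[$Matches[1]] = $Matches[2]
        }
    }
    $props
}

# For a real machine, replace the sample with:
#   Get-Content "$env:WINDIR\CCM\Logs\ZTIGather.log"
$props = Get-GatherProperty -Lines ($sample -split "`r?`n")
$props.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize

# The two conditions from the post: laptop AND 32-bit Windows
$installVpn = ($props['IsLaptop'] -eq 'True') -and ($props['Architecture'] -eq 'X86')
"Cisco VPN client (32 bit) step would run: $installVpn"
```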

Feel free to play around with these settings. Make sure to use a test environment in order to verify the results that are required…

 

ConfigMgr 2012: Application Deployment and User Account Control (UAC)

Imagine yourself in the following situation:

You need to deploy applications using ConfigMgr 2012. You need to provision applications to end users; these end users need to use the Application Catalog website to install applications on demand. However, User Account Control (UAC) is enabled with the default settings. Company policy requires UAC to be enabled. Users have no admin rights; company policy forbids this privilege. End users are not allowed to install their own software. Software published in the Application Catalog is allowed to be used.

The situation described here creates a rather problematic challenge:

Default users receive a prompt every time they want to start installing an application from the Application Catalog. Users need to provide credentials of a user who has these administrative privileges. Since they don’t have one, all installations fail.

This behavior is by design, this is how UAC works.

I was faced with this challenge at one of my customers.

ConfigMgr 2012 allows using the local SYSTEM account to install applications (Run with administrative rights). The local SYSTEM account has administrative privileges which will install applications successfully. The Application Catalog provides separation between publishing applications to users, and the account used to install them.

I know the separation exists so I must find a way to allow the installation of applications provided by ConfigMgr 2012 to run successfully without UAC kicking in, but UAC should not be disabled.

I found the following TechNet location, which explains which GPO settings I have to use to configure UAC:

http://technet.microsoft.com/nl-nl/library/dd835564(v=ws.10).aspx

The following GPO setting allowed me to beat this challenge:

User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

After setting it to Elevate without prompting I was able to successfully deploy applications provided by the Application Catalog. After all, SYSTEM is an administrator…

To make sure that UAC is maintained and still forbids users from installing their own applications, I tried to install an application setup manually. In this scenario, a standard user who is not an admin is trying to install something. After a short while, I got a prompt…

Mission accomplished :)

I’ve seen quite a lot of forum articles explaining to completely disable UAC. Disabling UAC is something that I don’t recommend. Using Windows 8, turning off UAC will break quite some functionality which is explained in the following KB article:

http://support.microsoft.com/kb/2736601/en-us
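To confirm on a client that the GPO has applied and that UAC itself is still on, the effective policy values can be read from the registry. This is an added example, not part of the original post; the function name is hypothetical, and it relies on the documented registry values behind the UAC policy settings (EnableLUA, ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser).

```powershell
# Added example. Get-UacPolicyReport is a hypothetical helper name.
$adminModes = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}
$userModes = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}

function Get-UacPolicyReport {
    param(
        [string]$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    )
    $p = Get-ItemProperty -Path $Key
    $admin = [int]$p.ConsentPromptBehaviorAdmin
    $user  = [int]$p.ConsentPromptBehaviorUser
    [pscustomobject]@{
        # EnableLUA = 0 means UAC is switched off entirely, which the post advises against
        UacEnabled            = ($p.EnableLUA -eq 1)
        AdminPromptBehavior   = $adminModes[$admin]
        UserPromptBehavior    = $userModes[$user]
        # The setting chosen in the post: administrators elevate without a prompt
        AdminElevatesSilently = ($admin -eq 0)
        # Standard users must still be prompted or denied, never elevated
        StandardUserGated     = $userModes.ContainsKey($user)
    }
}

$report = Get-UacPolicyReport
$report | Format-List
if (-not $report.UacEnabled) {
    Write-Warning 'UAC is disabled (EnableLUA is not 1); this does not match the company policy described above.'
}
```

With the setting from the post applied, AdminElevatesSilently is True for every account in Admin Approval Mode on that machine, so membership of the local Administrators group is worth reviewing alongside this report.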

 
 