
SCCM 2012 Remote Assistance Not Working

How to fix SCCM 2012 Remote Assistance Not Working.

After a brand new, successful roll-out of SCCM 2012 (System Center Configuration Manager) into a live environment, I got a call from a client claiming their Windows Remote Assistance was not working, and that it had worked under their old system, SCCM 2007. They sent me the error below.


After some research and a little digging I found the following. You need to set the Manage solicited Remote Assistance settings option to True. Otherwise Remote Assistance will only work when your customer is sending you a Remote Assistance offer. So I went into their SCCM 2012 client settings under Administration and Client Settings and changed these two settings as seen below.


System Center Configuration Manager 2012 Install Guides

I have been doing a System Center Configuration Manager 2012 (SCCM 2012) install and these guides have been a big help; so far the system is working great. I posted the link at the bottom. There are a lot of different configuration setups depending on your environment. I know this setup works because I did these step by step and it worked great.

Using Configuration Manager 2012 RC in a lab – Part 1. Installation.
Part 1, Installation [October 27th 2011]

Using Configuration Manager 2012 RC in a lab – Part 2, Adding SUP and WDS.
Part 2. Adding Sup and WDS [October 28th 2011]

Using Configuration Manager 2012 RC in a lab – Part 3, Configuring Discovery and Boundaries.
Part 3. Configuring Discovery and Boundaries [October 29th 2011]

Using Configuration Manager 2012 RC in a lab – Part 4, Configuring Client Settings and adding roles.
Part 4. Configuring Client Settings and adding roles [October 29th 2011]

Using Configuration Manager 2012 RC in a lab – Part 5, Enable the Endpoint Protection Role and configure Endpoint Protection settings.
Part 5. Enable the Endpoint Protection Role and configure Endpoint Protection settings[November 5th 2011]

Using Configuration Manager 2012 RC in a lab – Part 6, Deploying Software Updates.
Part 6. Deploying Software Updates [November 5th 2011]

using Configuration Manager 2012 RC in a LAB – Part 7. Build and Capture Windows 7 X64
Part 7. Build and Capture Windows 7 X64[November 6th 2011]

How can I import computers into Configuration Manager 2012 using a file ?
Importing Computers using a file in Configuration Manager 2012 [November 11th, 2011]

using Configuration Manager 2012 RC in a LAB – Part 8.Deploying Windows 7 X64
Part 8.Deploying Windows 7 X64 [November 12th, 2011]

using Configuration Manager 2012 RC in a LAB – Part 9. Adding an Application, editing a Deployment Type, Copying the Deploy Task
Part 9. Adding an Application, editing a Deployment Type, Copying the Deploy Task[November 13th, 2011]

using Configuration Manager 2012 RC in a LAB – Part 10. Using Prestart and Extrafiles to get more out of UDA
Part 10. Using Prestart and Extrafiles to get more out of UDA [November 14th, 2011]

using Configuration Manager 2012 RC in a LAB – Part 11. Adding the Reporting Services Point role
Part 11. Adding the Reporting Services Point role [November 18th, 2011]

using Configuration Manager 2012 RC in a LAB – Part 12. Updating an Operating System image using Offline Servicing.
Part 12. Updating an Operating System image using Offline Servicing. [December 11th, 2011]

using Configuration Manager 2012 RC in a LAB – Part 13. using Role Based Administration to define permissions in the ConfigMgr Console
Part 13. using Role Based Administration to define permissions in the ConfigMgr Console[January 27th, 2012]

using Configuration Manager 2012 RC in a LAB – Part 14. Performing a side-by-side Migration from Configuration Manager 2007
Part 14. Performing a side-by-side Migration from Configuration Manager 2007. [January 27th, 2012]

using Configuration Manager 2012 RC in a LAB – Part 15. Deploying Windows 8 Customer Preview
Part 15. Deploying Windows 8 Consumer Preview using Configuration Manager 2012 RC2[February 29th, 2012]

using Configuration Manager 2012 RC in a LAB – Part 16. Integrating MDT 2012 RC1 with Configuration Manager 2012
Part 16. Integrating MDT 2012 RC1 with Configuration Manager 2012 [March 1st, 2012]

using Configuration Manager 2012 RC in a LAB – Part 17. Using MDT 2012 RC1 with Configuration Manager 2012
Part 17.Using MDT 2012 RC1 within Configuration Manager 2012 [March 18th, 2012]

using Configuration Manager 2012 RC in a LAB – Part 18. Deploying a UDI Client Task Sequence
Part 18. with MDT 2012 RC1 integrated in Configuration Manager 2012 [March 22nd, 2012]

How can I setup a Distribution Point on a Windows 7 computer in Configuration Manager 2012 ?
Setting up a DP on a Windows 7 box.[February 18th, 2012]

How can I capture an image using Capture Media in Configuration Manager 2012 ?
Capturing an image using capture media [February 21st, 2012]

Link to all Guides

http://www.windows-noob.com/forums/index.php?/topic/4045-system-center-2012-configuration-manager-guides/

SCCM 2012 WSUS sync fails with unknown SQL error

After moving the System Center 2012 Configuration Manager (SCCM 2012) SQL site database to another drive, creating a new software update package or a new application fails.

Symptoms

After moving the System Center 2012 Configuration Manager SQL Site Database to another drive, creating a new Software Update group, Software Update package, or creating a new application fails and errors similar to the following are logged in the SMSProv.log file:

*** *** Unknown SQL Error! SMS Provider 14-03-2012 07:56:47 2016 (0x07E0)
*~*~*** Unknown SQL Error! ThreadID : 2016 , DbError: 50000 , Sev: 16~*~* SMS Provider 14-03-2012 07:56:47 2016 (0x07E0)
*** [24000][0][Microsoft][SQL Server Native Client 10.0]Invalid cursor state SMS Provider 14-03-2012 07:56:48 2016 (0x07E0)
*~*~[24000][0][Microsoft][SQL Server Native Client 10.0]Invalid cursor state *** Unknown SQL Error! ThreadID : 2016 , DbError: 0 , Sev: 0~*~* SMS Provider 14-03-2012 07:56:48 2016 (0x07E0)
 
SQL Profiler provides the following additional details:

An error occurred in the Microsoft .NET Framework while trying to load assembly id 65539. The server may be running out of resources, or the assembly may not be trusted with PERMISSION_SET = EXTERNAL_ACCESS or UNSAFE. Run the query again, or check documentation to see how to solve the assembly trust issues. For more information about this error:

System.IO.FileLoadException: Could not load file or assembly ‘cryptoutility, Version=5.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35’ or one of its dependencies. An error relating to security occurred. (Exception from HRESULT: 0x8013150A)

System.IO.FileLoadException:

   at System.Reflection.Assembly._nLoad(AssemblyName fileName, String codeBase, Evidence assemblySecurity, Assembly locationHint, StackCrawlMark& stackMark, Boolean throwOnFileNotFound, Boolean forIntrospection)

   at System.Reflection.Assembly.InternalLoad(AssemblyName assemblyRef, Evidence assemblySecurity, StackCrawlMark& stackMark, Boolean forIntrospection)

   at System.Reflection.Assembly.InternalLoad(String assemblyString, Evidence assemblySecurity, StackCrawlMark& stackMark, Boolean forIntrospection)

   at System.Reflection.Assembly.Load(String assemblyString)

Cause

This can occur if the SQL Site Database MDF and LDF files are moved to a different drive. For example, if originally the Configuration Manager Site Database was created on C:\Program files\MSSQL server\data but then later the MDF and LDF files were moved to different drive to save space (e.g. D:\CM2012DB), you may see the issue above.

Note that this is a supported SQL operation. For more information see the following:

How to move SQL Server databases to a new location by using Detach and Attach functions in SQL Server – http://support.microsoft.com/kb/224071

How to Move SQL Server Data File(s) (.mdf) and Log File(s) (.ldf) Files From One Location to Another – http://support.microsoft.com/kb/965095

This occurs with System Center 2012 Configuration Manager because, by default, the SQL site database has the SQL TRUSTWORTHY property set to ON; however, when you detach and reattach the database it gets set to OFF. When the database is not configured with this setting ON, <ConfigMgr_Install>\bin\x64\CryptoUtility.dll fails to load into SQL and you get an ‘invalid cursor state’ message.

Resolution

To resolve this issue complete the following steps:

1. Manually set the property back to ON by running the following command against your CM database:

ALTER DATABASE CM_SAG SET TRUSTWORTHY ON

2. Ensure that the database that was moved is owned by SA.
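The two resolution steps above can be verified and applied from PowerShell rather than typed by hand in Management Studio. The script below is an added example, not part of the article; it assumes the site database is named CM_SAG as in the article, that SQL Server is the default instance on SERVER01, and that the caller holds sysadmin rights (needed for ALTER DATABASE and ALTER AUTHORIZATION).

```powershell
# Added example: check the ConfigMgr site database's TRUSTWORTHY flag and owner after a
# detach/attach move, and optionally repair both. Assumed: database CM_SAG, instance SERVER01,
# caller is sysadmin. Uses System.Data.SqlClient so no SQL PowerShell module is required.
Add-Type -AssemblyName System.Data

function Invoke-CmSql {
    param([string]$Instance, [string]$Query)
    $conn = New-Object System.Data.SqlClient.SqlConnection "Server=$Instance;Database=master;Integrated Security=SSPI"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        $adapter = New-Object System.Data.SqlClient.SqlDataAdapter $cmd
        $table = New-Object System.Data.DataTable
        [void]$adapter.Fill($table)   # returns an empty table for ALTER statements
        return ,$table
    } finally { $conn.Close() }
}

function Test-CmDatabaseTrust {
    param(
        [string]$Instance = 'SERVER01',                           # assumed
        [ValidatePattern('^[A-Za-z0-9_]+$')][string]$Database = 'CM_SAG',   # from the article
        [switch]$Repair
    )
    # sys.databases exposes is_trustworthy_on; SUSER_SNAME() resolves owner_sid to a login name.
    $table = Invoke-CmSql $Instance @"
SELECT name, is_trustworthy_on, SUSER_SNAME(owner_sid) AS owner_name
FROM sys.databases WHERE name = '$Database'
"@
    if ($table.Rows.Count -eq 0) { throw "Database $Database not found on $Instance" }
    $row = $table.Rows[0]
    $result = [pscustomobject]@{
        Database    = $row.name
        Trustworthy = [bool]$row.is_trustworthy_on
        Owner       = $row.owner_name
        OwnerIsSa   = ($row.owner_name -eq 'sa')
    }
    if ($Repair) {
        if (-not $result.Trustworthy) {
            # Step 1 of the resolution: the property is lost on attach, so turn it back on.
            Invoke-CmSql $Instance "ALTER DATABASE [$Database] SET TRUSTWORTHY ON" | Out-Null
        }
        if (-not $result.OwnerIsSa) {
            # Step 2 of the resolution: the attaching login becomes owner; hand it back to sa.
            Invoke-CmSql $Instance "ALTER AUTHORIZATION ON DATABASE::[$Database] TO sa" | Out-Null
        }
        return Test-CmDatabaseTrust -Instance $Instance -Database $Database
    }
    return $result
}

Test-CmDatabaseTrust            # report only
# Test-CmDatabaseTrust -Repair  # apply both fixes and re-check
```

TRUSTWORTHY ON is what lets the SQLCLR assembly (CryptoUtility.dll) run with EXTERNAL_ACCESS, and ownership by sa is what makes that trust effective, so the check is worth running as a report before repairing: only the ConfigMgr site database should need this combination, and any other database showing Trustworthy = True deserves a second look.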

Installing Forefront 2010 Extensions on SCCM

When setting up Microsoft Forefront, the first thing to do is to run Serversetup.exe.

Of course you’ll want to run the file so click Run. Fill in your Name and Organization then click Next. You’re going to have to put a check in I accept the software license terms. When you do, Next will be available so click Next. Now this is where you’ll be choosing your topology. For this example we’ll go ahead and choose a Basic topology. This will install Microsoft Forefront Endpoint Protection 2010 Database, Site Server Extension, Console Extension, Reporting components, and Reporting database based on your current Configuration Manager deployment. Maybe in future blogs I’ll go through other deployment options. Don’t forget to click Next.

Here is where you will set up the Reporting server account information. Mostly it will be filled out by the user running setup but you can change the domain\username. Click Next.

If the password you typed doesn’t match the domain\username you’ll get the error below.

Microsoft Forefront Endpoint Protection 2010
Error: The password is incorrect, or this account is not valid. Account: domain\username

After I corrected my intentional typo FEP is now warning me that I shouldn’t use my domain admin account.
Microsoft Forefront Endpoint Protection 2010
For security reasons, it is not recommended to use a domain administrator account ‘domain\username’ as the reporting account.

I’m going to OK this because it’s just a test lab.
By default FEP will want to Join the Customer Experience Improvement Program. I recommend keeping this checked. I also checked Use Microsoft Update to keep my products up to date.

Join Microsoft SpyNet Basic is checked by default. I changed mine to Advanced SpyNet.

Location and disk space requirements blah blah blah.

Oh no! It looks like my Verifying SQL Server prerequisite failed with an error.

When I click the More link I see the error below:
Forefront Endpoint Protection 2010 requires that the SQL Server Agent service is running. Set the service to start automatically, and then start the service.
Service Name: SQLSERVERAGENT
SQL Server: SERVER01
Warning: Forefront Endpoint Protection 2010 requires the following services to be set to start automatically.
Service Name: SQLSERVERAGENT
Server Name: SERVER01
Forefront Endpoint Protection 2010 requires that the SQL Server Agent service is running. Set the service to start automatically, and then start the service.
Service Name: SQLSERVERAGENT
SQL Server: SERVER01
Warning: Forefront Endpoint Protection 2010 requires the following services to be set to start automatically.
Service Name: SQLSERVERAGENT
Server Name: SERVER01
Warning: Setup has detected that the connection to the SQL Server is not encrypted. If the SQL Server and Forefront Endpoint Protection 2010 are not located on a shared secure subnet, transmitted data can be viewed by third parties. We recommend that you secure the connection to the SQL Server. For more information, see Securing SQL Server in the SQL Server documentation.

Fixing the error was simple. I set the SQL Server Agent to Automatic and started it.

When I ran the Prerequisites Verification again (by clicking Back then Next) I got a warning.

Clicking More gave me the message below.
Warning: Setup has detected that the connection to the SQL Server is not encrypted. If the SQL Server and Forefront Endpoint Protection 2010 are not located on a shared secure subnet, transmitted data can be viewed by third parties. We recommend that you secure the connection to the SQL Server. For more information, see Securing SQL Server in the SQL Server documentation.

I like the fact that it’s encouraging you to enable SQL Server encryption but since this is for testing and on the same box this isn’t required. I’m going to ignore this warning.
The final screen is where you’ll get a summary of what the setup application will do.
Microsoft Forefront Endpoint Protection 2010
General Settings
Local Computer Name: server01.fep.local
Location of Setup media files: C:\Users\Administrator.SERVER01\Desktop\evalcdmedia_en_amd64
Installation Directory: C:\Program Files\Microsoft Forefront
Configuration Manager Console Directory: C:\Program Files (x86)\Microsoft Configuration Manager\AdminUI\bin

Updates, Spy Net and Customer Experience Options
Windows Update: Enabled
Participation in Customer Experience Improvement Program: Enabled
Participation Microsoft SpyNet: Join with an advanced membership

FEP 2010 Site Extension for Configuration Manager
Configuration Manager Site Server: server01.fep.local

FEP 2010 Reporting and Monitoring components
Configuration Manager Site Server: server01.fep.local
Configuration Manager Database Server: SERVER01
Configuration Manager Database Instance Name: MSSQLSERVER
Configuration Manager Database Name: SMS_AAA
FEP 2010 Database Name: FEPDB_AAA
FEP 2010 Reporting Database Server: SERVER01
FEP 2010 Reporting Database Instance Name: MSSQLSERVER
FEP 2010 Reporting Database Name: FEPDW_AAA
Liveness checking URL for SQL Reporting Service: http://server01.fep.local/ReportServer/ReportService2005.asmx
User account used for accessing of FEP 2010 Reports: FEPAdministrator

Configuration Manager Console Extensions for Forefront Endpoint Protection 2010
No additional properties for this component

Clicking Next will start the install so sit back and take a break. I know I did.

Hello. Why are you popping up?

It appears a hotfix got installed and is asking for a reboot. I’m not sure if it’s because of the FEP install or not.
http://support.microsoft.com/kb/981889
A Windows Filtering Platform (WFP) driver hotfix rollup package is available for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2

The install was successful.
I’m going to view the log.
[7/26/2010 1:55:43 PM] Setup Started
[7/26/2010 1:55:44 PM] Product ID validation succeeded (Product ID: 03116-270-0001260-04309)
[7/26/2010 1:56:28 PM] For security reasons, it is not recommended to use a domain administrator account ‘FEPAdministrator’ as the reporting account.
[7/26/2010 1:56:33 PM] Error: The password is incorrect, or this account is not valid. Account: FEPAdministrator
[7/26/2010 1:56:45 PM] For security reasons, it is not recommended to use a domain administrator account ‘FEPAdministrator’ as the reporting account.
[7/26/2010 1:57:19 PM] Setup Log has been relocated from ‘C:\Users\Administrator.SERVER01\AppData\Local\Temp\1\ServerSetup_26072010_135543.log’
[7/26/2010 1:57:21 PM] [7/26/2010 1:57:21 PM] Verifications started:

[7/26/2010 1:57:21 PM]
[7/26/2010 1:57:21 PM] Verification(Verifying hardware requirements) passed
[7/26/2010 1:57:21 PM]
[7/26/2010 1:57:21 PM] Verification(Verifying .NET Framework 3.5 SP1 prerequisite) passed
[7/26/2010 1:57:41 PM]
[7/26/2010 1:57:41 PM] Verification(Verifying SQL Server prerequisite) failed
Forefront Endpoint Protection 2010 requires that the SQL Server Agent service is running. Set the service to start automatically, and then start the service.
Service Name: SQLSERVERAGENT
SQL Server: SERVER01
Warning: Forefront Endpoint Protection 2010 requires the following services to be set to start automatically.
Service Name: SQLSERVERAGENT
Server Name: SERVER01
Forefront Endpoint Protection 2010 requires that the SQL Server Agent service is running. Set the service to start automatically, and then start the service.
Service Name: SQLSERVERAGENT
SQL Server: SERVER01
Warning: Forefront Endpoint Protection 2010 requires the following services to be set to start automatically.
Service Name: SQLSERVERAGENT
Server Name: SERVER01
Warning: Setup has detected that the connection to the SQL Server is not encrypted. If the SQL Server and Forefront Endpoint Protection 2010 are not located on a shared secure subnet, transmitted data can be viewed by third parties. We recommend that you secure the connection to the SQL Server. For more information, see Securing SQL Server in the SQL Server documentation.
[7/26/2010 1:58:05 PM]
[7/26/2010 1:58:05 PM] Verification(Verifying SQL Reporting Services prerequisite) passed
[7/26/2010 1:58:06 PM]
[7/26/2010 1:58:06 PM] Verification(Verifying Configuration Manager version) passed
About to compare required version ‘4.0.6487.2000’ to installed version ‘4.0.6487.2000’
[7/26/2010 1:58:06 PM]
[7/26/2010 1:58:06 PM] Verification(Verifying Configuration Manager Site Server permissions) passed
About to verify Configuration Manager Site Server permissions
[7/26/2010 1:58:08 PM]
[7/26/2010 1:58:08 PM] Verification(Verifying Configuration Manager client components) passed
About to verify client component ‘Configuration Management Agent’ is enabled
About to verify client component ‘Hardware Inventory Agent’ is enabled
About to verify client component ‘Software Distribution’ is enabled
[7/26/2010 1:58:08 PM]
[7/26/2010 1:58:08 PM] Finished running verifications.
[7/26/2010 1:59:52 PM] [7/26/2010 1:59:52 PM] Verifications started:

[7/26/2010 1:59:52 PM]
[7/26/2010 1:59:52 PM] Verification(Verifying hardware requirements) passed
[7/26/2010 1:59:52 PM]
[7/26/2010 1:59:52 PM] Verification(Verifying .NET Framework 3.5 SP1 prerequisite) passed
[7/26/2010 2:00:08 PM]
[7/26/2010 2:00:08 PM] Verification(Verifying SQL Server prerequisite) failed
Forefront Endpoint Protection 2010 requires that the SQL Server Agent service is running. Set the service to start automatically, and then start the service.
Service Name: SQLSERVERAGENT
SQL Server: SERVER01
Forefront Endpoint Protection 2010 requires that the SQL Server Agent service is running. Set the service to start automatically, and then start the service.
Service Name: SQLSERVERAGENT
SQL Server: SERVER01
Warning: Setup has detected that the connection to the SQL Server is not encrypted. If the SQL Server and Forefront Endpoint Protection 2010 are not located on a shared secure subnet, transmitted data can be viewed by third parties. We recommend that you secure the connection to the SQL Server. For more information, see Securing SQL Server in the SQL Server documentation.
[7/26/2010 2:00:09 PM]
[7/26/2010 2:00:09 PM] Verification(Verifying SQL Reporting Services prerequisite) passed
[7/26/2010 2:00:09 PM]
[7/26/2010 2:00:09 PM] Verification(Verifying Configuration Manager version) passed
About to compare required version ‘4.0.6487.2000’ to installed version ‘4.0.6487.2000’
[7/26/2010 2:00:10 PM]
[7/26/2010 2:00:10 PM] Verification(Verifying Configuration Manager Site Server permissions) passed
About to verify Configuration Manager Site Server permissions
[7/26/2010 2:00:11 PM]
[7/26/2010 2:00:11 PM] Verification(Verifying Configuration Manager client components) passed
About to verify client component ‘Configuration Management Agent’ is enabled
About to verify client component ‘Hardware Inventory Agent’ is enabled
About to verify client component ‘Software Distribution’ is enabled
[7/26/2010 2:00:11 PM]
[7/26/2010 2:00:11 PM] Finished running verifications.
[7/26/2010 2:00:52 PM] [7/26/2010 2:00:52 PM] Verifications started:

[7/26/2010 2:00:52 PM]
[7/26/2010 2:00:52 PM] Verification(Verifying hardware requirements) passed
[7/26/2010 2:00:53 PM]
[7/26/2010 2:00:53 PM] Verification(Verifying .NET Framework 3.5 SP1 prerequisite) passed
[7/26/2010 2:01:08 PM]
[7/26/2010 2:01:08 PM] Verification(Verifying SQL Server prerequisite) warning
Warning: Setup has detected that the connection to the SQL Server is not encrypted. If the SQL Server and Forefront Endpoint Protection 2010 are not located on a shared secure subnet, transmitted data can be viewed by third parties. We recommend that you secure the connection to the SQL Server. For more information, see Securing SQL Server in the SQL Server documentation.
[7/26/2010 2:01:09 PM]
[7/26/2010 2:01:09 PM] Verification(Verifying SQL Reporting Services prerequisite) passed
[7/26/2010 2:01:09 PM]
[7/26/2010 2:01:09 PM] Verification(Verifying Configuration Manager version) passed
About to compare required version ‘4.0.6487.2000’ to installed version ‘4.0.6487.2000’
[7/26/2010 2:01:10 PM]
[7/26/2010 2:01:10 PM] Verification(Verifying Configuration Manager Site Server permissions) passed
About to verify Configuration Manager Site Server permissions
[7/26/2010 2:01:11 PM]
[7/26/2010 2:01:11 PM] Verification(Verifying Configuration Manager client components) passed
About to verify client component ‘Configuration Management Agent’ is enabled
About to verify client component ‘Hardware Inventory Agent’ is enabled
About to verify client component ‘Software Distribution’ is enabled
[7/26/2010 2:01:11 PM]
[7/26/2010 2:01:11 PM] Finished running verifications.
[7/26/2010 2:23:20 PM]
[7/26/2010 2:23:20 PM] Installation tasks started:
Root Folder: C:\Users\Administrator.SERVER01\Desktop\evalcdmedia_en_amd64
Current Folder: C:\Users\Administrator.SERVER01\Desktop\evalcdmedia_en_amd64
[7/26/2010 2:25:04 PM]
[7/26/2010 2:25:04 PM] Installation(Installing the Microsoft Forefront Endpoint Protection 2010 Security Client) completed
Installing FepInstall.exe.
completed
[7/26/2010 2:25:42 PM]
[7/26/2010 2:25:42 PM] Installation(Installing Microsoft Forefront Endpoint Protection 2010 Console Extensions for Configuration Manager) completed
Installing FEPUX.msi.
completed
[7/26/2010 2:29:45 PM]
[7/26/2010 2:29:45 PM] Installation(Installing Microsoft Forefront Endpoint Protection 2010 Site Server Extension for Configuration Manager) completed
Installing FEPExt.msi.
completed
[7/26/2010 2:40:03 PM]
[7/26/2010 2:40:03 PM] Installation(Installing Microsoft Forefront Endpoint Protection 2010 Reporting) completed
Installing FepReport.msi.
completed
[7/26/2010 2:40:04 PM]
[7/26/2010 2:40:04 PM] Finished running installation tasks.

[7/26/2010 2:40:05 PM] Setup has completed successfully.

Here’s the final screen in the setup program. I really want to see the Console and check for updates so I’ll leave them both checked and click Finish.

As I’m waiting for SCCM to open I’ll look and see what databases FEP created.
It appears it created a FEPDB_AAA and FEPDW_AAA database, AAA being my SCCM site code.

Well there it is. FEP installed and in SCCM. FEP looks like it’s going to be completely different than FCS so in my upcoming blogs I’ll talk about the differences.

 http://blogs.catapultsystems.com/arafels/archive/2010/07/25/installing-microsoft-forefront-endpoint-protection-2010-beta.aspx
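The prerequisite verifier in the post above failed on one item (SQL Server Agent not running or not set to Automatic) and warned on another (the SQL connection is not encrypted). The script below is an added example, not from the post or from the FEP setup program; it reproduces both checks locally and can apply the Agent fix. It assumes the default instance (service name SQLSERVERAGENT, registry instance id MSSQL10.MSSQLSERVER for SQL Server 2008) and an elevated PowerShell session on the SQL host.

```powershell
# Added example: check the two SQL prerequisites FEP 2010 setup reports on, and fix the
# SQL Server Agent one. Assumed: default instance, elevated session, SQL Server 2008
# registry layout (MSSQL10.MSSQLSERVER); adjust -InstanceId for other versions/instances.

function Test-FepSqlPrerequisites {
    param(
        [string]$AgentService = 'SQLSERVERAGENT',
        [string]$InstanceId   = 'MSSQL10.MSSQLSERVER',   # assumed registry instance id
        [switch]$Fix
    )
    $svc = Get-Service -Name $AgentService -ErrorAction Stop
    # Get-Service in PowerShell 2.0 does not expose the start mode, so read it from Win32_Service.
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$AgentService'"

    if ($Fix) {
        # This is the fix the post applied by hand: Automatic start mode, then start it.
        if ($wmi.StartMode -ne 'Auto') { Set-Service -Name $AgentService -StartupType Automatic }
        if ($svc.Status -ne 'Running') {
            Start-Service -Name $AgentService
            $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
        }
        $svc.Refresh()
        $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$AgentService'"
    }

    # ForceEncryption = 1 under SuperSocketNetLib makes the instance require encrypted client
    # connections, which is what the "connection is not encrypted" warning points at.
    $netLib = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$InstanceId\MSSQLServer\SuperSocketNetLib"
    $force  = (Get-ItemProperty -Path $netLib -Name ForceEncryption -ErrorAction SilentlyContinue).ForceEncryption

    [pscustomobject]@{
        AgentStartMode  = $wmi.StartMode
        AgentStatus     = $svc.Status.ToString()
        AgentReady      = ($wmi.StartMode -eq 'Auto' -and $svc.Status -eq 'Running')
        ForceEncryption = [bool]$force
    }
}

Test-FepSqlPrerequisites        # report only
# Test-FepSqlPrerequisites -Fix # set the Agent service to Automatic and start it
```

The script deliberately does not flip ForceEncryption: turning it on requires a server certificate the instance can use and affects every client of that instance, so it is reported rather than changed. On a single-box lab the post's decision to ignore the warning is defensible; on a site server talking to a remote SQL host it is the warning that matters most.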

SCCM Query Script To Find Broken Clients

Log into SCCM and click on query and create this query to find broken SMS clients

(
System Resource.Client is equal to 0
or
System Resource.Client is Null
or
System Resource.Agent site is not equal to “D80”
)
and
System Resource.Operating System Name and Version is like “microsoft%”
and
System Resources.SMS Assigned Sites is not Null

Upgrading MDT 2008 to 2010 for SCCM

MDT (Microsoft Deployment Toolkit) provides the ability to do Lite Touch Deployments of computers. MDT has enhanced task sequence steps over those that are included in SCCM by default.

Luckily you can integrate MDT with SCCM to get the best of both worlds (and achieve Zero Touch Deployments!). This guide runs through the steps required to upgrade your version of MDT to 2010 and maintain the SCCM integration…

This morning MDT 2010 RTM was released to the public (you can download it here).

To see a list of the changes and new features you can expect to find take a look here.

MDT 2008 integrated with SCCM task sequences
To play safe, before upgrading MDT first remove the integration with SCCM:
• Run the “Configure ConfigMgr Integration” shortcut provided by MDT 2008 and select “Remove components”.
• Enter your SCCM site details and click Finish.
• After confirming the MDT options have disappeared from the SCCM task sequence menus, run the MDT 2010 setup.
Next perform the install of MDT:
• Step through the wizard selecting the components you want and the install location.
• The MDT setup will now take care of removing MDT 2008 and installing itself over the top.
After the wizard completes you can then re-run the integration wizard to add the MDT hooks back into SCCM:
• Enter the site details that you used in the first step.
When the wizard completes the MDT options should now be back under the task sequence options:

Note: If you had used MDT 2008 to provide unknown computer support to SCCM (if you can’t upgrade to R2 to get it natively) then you might want to consider not upgrading. MDT 2010 does not support the PXE filter driver but it does still allow you to remove it if you didn’t uninstall it before upgrading.

Setup SCCM PXE Point

There have been many posts out there trying to address the issue behind Native Mode and PXE and/or Boot Media problems. This posting publishes information I found in the following article and additions which I have made to clarify some certificate configurations.

Step 1
In the site properties, check that you have imported your Root CA certificates. If you have subordinate CA servers, import them as well, as I have seen issues arising when they are not imported. The picture below will give you the idea:

Step 2
Create your OSD PXE service point certificate and export it. Go to your certification authority and duplicate the Computer certificate template, name it ConfigMgr OSD certificate and make sure that the private key can be exported!

My Comments:
MAKE SURE THE SUBJECT NAME TAB CONTAINS: SUPPLY IN REQUEST. When the request is made, give the certificate the following attributes:
• Common Name: (i.e. OSDpxeBootCert..Com)
• Alternate name: OSDpxeBootCert..com
• Friendly name: Any descriptive name.
Note: Because certificates are required throughout the native mode deployment, FQDNs are also required for the certificate Subject Name and Subject Alternative Names.
When you have created the certificate template, request the certificate by going to MMC – Certificates – Personal – Request new certificate. Select the ConfigMgr OSD certificate and install it on your machine. When done, right-click on the certificate and select Export. Export the certificate with the private key (the post calls this the DER export) and, when exported, delete the certificate you have requested.

Step 3
Import your certificate in the PXE role configuration pane.
Now go to the SCCM console, go to Site Systems – PXE Role, and import the certificate you just exported. The picture below explains it:
You will get the following warning if you exported the certificate on the site server itself. This is no problem and you should select “Yes” to continue.
Check the PXE certificate in the SCCM console. Verify that the Root CA is trusted.
Try opening the Certificates | PXE node in SCCM. Find the certificate that is not “blocked” and right-click to open it. Check the status of the CA certificate. I found that it was “Not Trusted” in my environment.

When I clicked the Install button and selected the Trusted Root CA Authorities, the certificate was then “valid” when I reopened the certificate. My SMSPXE.log no longer reflected that the certificate was not set.

Step 4
Check that the following things are set correctly.
Network Access Account Not Set
Go into the Client Policy in SCCM and set a Network Access Account. It sometimes “disappears” even after everything has been working fine, and then the OSD task sequence cannot access the content on the distribution point!
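Steps 2 and 3 above hinge on three properties of the PXE certificate: an exportable private key, an FQDN in the Subject and Subject Alternative Name, and a chain that ends in a root the site server trusts. The function below is an added example, not part of the post, that reads those properties from the certificate in the local machine Personal store before you export it. It assumes the Subject CN is osdpxe.contoso.com; substitute the FQDN you put in the request.

```powershell
# Added example: inspect the OSD PXE service point certificate for the properties the post
# calls out. Assumed: certificate is in Cert:\LocalMachine\My with CN=osdpxe.contoso.com.

function Test-OsdPxeCertificate {
    param(
        [string]$ExpectedFqdn  = 'osdpxe.contoso.com',    # assumed FQDN from the request
        [string]$StoreLocation = 'Cert:\LocalMachine\My'
    )
    $cert = Get-ChildItem $StoreLocation |
        Where-Object { $_.Subject -match ('CN=' + [regex]::Escape($ExpectedFqdn)) } |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate with CN=$ExpectedFqdn in $StoreLocation" }

    # The PFX import on the PXE role needs the private key, so it must be marked exportable.
    # $cert.PrivateKey is only populated for CSP (RSACryptoServiceProvider) keys, which is what
    # a duplicated Computer template on a 2003/2008 CA issues.
    $exportable = $false
    if ($cert.HasPrivateKey -and $cert.PrivateKey) {
        $exportable = $cert.PrivateKey.CspKeyContainerInfo.Exportable
    }

    # Subject Alternative Name extension (OID 2.5.29.17), rendered as text for matching.
    $san     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }

    # Build the chain against this machine's trusted roots. Build() returns $false and
    # ChainStatus names the reason (e.g. UntrustedRoot) when the CA is not trusted, which is
    # the "Not Trusted" state the post saw in the console.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; the CRL may not be reachable yet
    $chainOk     = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ','

    [pscustomobject]@{
        Thumbprint           = $cert.Thumbprint
        Subject              = $cert.Subject
        SanContainsFqdn      = ($sanText -match [regex]::Escape($ExpectedFqdn))
        PrivateKeyExportable = $exportable
        NotAfter             = $cert.NotAfter
        ChainTrusted         = $chainOk
        ChainStatus          = $chainStatus
    }
}

Test-OsdPxeCertificate
```

If ChainTrusted comes back False with UntrustedRoot in ChainStatus, the missing piece is the root (or subordinate) CA certificate in the machine's Trusted Root Certification Authorities store, which is what the post's Install button fixed; importing the PFX into the PXE role before that is fixed just moves the same failure into SMSPXE.log.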

Creating and Issuing the Site Server Signing Certificate Template on the Certification Authority

To create and issue the site server signing certificate template

1. On the domain controller running the Windows Server 2003 console, click Start, Programs, Administrative Tools, Certification Authority.

2. Expand the name of your certification authority (CA), and then click Certificate Templates.

3. Right-click Certificate Templates, and click Manage to load the Certificate Templates management console.

4. In the results pane, right-click the entry that displays Computer in the Template Display Name column, and then click Duplicate Template.

5. In the Properties of New Template dialog box, on the General tab, enter a template name for the site server signing certificate template, such as ConfigMgr Site Server Signing Certificate.

6. Click the Subject Name tab, and then click Supply in the request.

7. Click the Extensions tab, make sure Application Policies is selected, and then click Edit.

8. In the Edit Application Policies Extension dialog box, select Client Authentication, press Shift and select Server Authentication, and then click Remove.

9. In the Edit Application Policies Extension dialog box, click Add.

10. In the Add Application Policy dialog box, select Document Signing as the only application policy, and then click OK.

11. In the Properties of New Template dialog box, you should now see listed as the description of Application Policies: Document Signing.

12. Click the Issuance Requirements tab, and select CA certificate manager approval.

13. Click OK and close the Certificate Templates administrator console, certtmpl – [Certificate Templates].

14. In Certification Authority, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

15. In the Enable Certificate Templates dialog box, select the new template you have just created, ConfigMgr Site Server Signing Certificate, and then click OK.
Note: If you cannot complete steps 14 or 15, check that you are using the Enterprise Edition of Windows Server 2003. Although you can configure templates with Windows Server Standard Edition and Certificate Services, you cannot deploy certificates using modified certificate templates unless you are using the Enterprise Edition of Windows Server 2003.

16. Do not close Certification Authority.

Requesting the Site Server Signing Certificate for the Server That Will Run the Configuration Manager 2007 Site Server

To request the site server signing certificate

1. On the member server, load Internet Explorer and connect to the Web enrollment service with the address http:///certsrv where is the name or IP address of the Enterprise CA.

2. On the Welcome page, select Request a certificate.

3. On the Request a Certificate page, select Advanced certificate request.

4. On the Advanced Certificate Request page, select Create and submit a request to this CA.

5. On the Advanced Certificate Request page, specify the following:
o Under the Certificate Template section, select ConfigMgr Site Server Signing Certificate for the Certificate Template.
Note: If you cannot see this certificate template displayed, check that you restarted the member server (if it was running) after you configured the security group in the earlier procedure.

o Under the section Identifying Information for Offline Template, in the Name text box enter the following: The site code of this site server is , where is the site code of the site. This exact text string in English must be used, in the same case, without a trailing comma or period, and the site code must be specified at the end of the string in the same case as it appears in the Configuration Manager console. It is very important that this exact wording is used, because this forms the certificate Subject name, which is used to identify the site server signing certificate.
o Under the section Key Options, enable Store certificate in the local computer certificate store.

Note: If you do not see this option displayed, it is likely that you have installed the hotfix for KB 922706 to support Web enrollment for Windows Vista and Windows Server 2008. This hotfix removes the option to store an advanced certificate request in the computer store, so if this option is not available on your Web enrollment pages, you must use an alternative certificate deployment method for the site server signing certificate. For example, you can install the certificate into the user store and then export it and import it into the computer store, or you can use the command-line utility Certreq.exe to request the certificate. The Certreq.exe method is used in the following topic: Step-by-Step Example Deployment of the PKI Certificates Required for Configuration Manager Native Mode: Windows Server 2008 Certification Authority.
o Under the section Additional Options, enter your choice for Friendly Name, such as ConfigMgr site server certificate.

6. Click Submit.

7. On the Certificate Pending page, you will see that your certificate request has been
received but requires an administrator to issue the certificate. Make a note of the
displayed Request ID.

8. Do not exit Internet Explorer.

Approving the Site Server Signing Certificate on the Certification Authority
To approve the site server signing certificate
1. On the domain controller, in Certification Authority, click Pending Requests.

2. In the results pane, you will see the requested certificate with the Request ID that was displayed on the Web enrollment page.

3. Right-click the requested certificate, click All Tasks, and then click Issue. Do not close Certification Authority.

Installing the Site Server Signing Certificate on the Server That Will Run the Configuration Manager 2007 Site Server

To install the site server signing certificate
1. On the member server, on the Microsoft Certificate Services Web page, click Home on the top right side to return to the Welcome page.

2. On the Welcome page, click View the status of a pending certificate request.

3. On the View the Status of a Pending Certificate Request page, click the hyperlink that displays the friendly name you supplied for the site server signing certificate, and the date and time in parentheses it was requested.

4. On the Certificate Issued Web page, click Install this certificate.

5. If you are prompted with a Potential Scripting Violation warning message, click Yes.

6. The final page should display that your new certificate has been successfully installed.

7. Close Internet Explorer.

The member server is now provisioned with a Configuration Manager 2007 site server signing certificate.

Deploying the Web Server Certificate
This step has four procedures:
• Creating a Windows Security Group for the Site System Servers
• Creating and Issuing the Web Server Certificate Template on the Certification Authority
• Requesting the Web Server Certificate
• Configuring IIS to Use the Web Server Certificate

Creating a Windows Security Group for the Site System Servers (Management Point, Distribution Point, Software Update Point, State Migration Point)
To create a Windows security group for the site system server
1. On the domain controller, click Start, Programs, Administrative Tools, Active
Directory Users and Computers.

2. Right-click the domain, click New, and then click Group.

3. In the New Object – Group dialog box, enter ConfigMgr IIS Servers as the Group
name and then click OK.

4. In Directory Users and Computers, right-click the group you have just created and then click Properties.

5. Click the Members tab, and then click Add to select the member server.

Note
In our test environment, there is only one server to add. However, in a production
environment, it is likely that various servers will host the Configuration Manager 2007
site systems that require certificates, such as the site’s management point and distribution points. It is therefore good practice to assign permissions to a group and add the site systems that require the same type of certificate. Creating a security group for these servers enables you to assign permissions so that only these servers can use these certificates.

6. Click OK, and then click OK again to close the group properties dialog box.

7. Restart your member server (if running) so that it can pick up the new group membership.

Creating and Issuing the Web Server Certificate Template on the Certification Authority
To create and issue the Web server certificate template on the certification authority
1. On the domain controller, while still running the Certification Authority management
console, right-click Certificate Templates, and then click Manage to load the Certificate Templates management console.

2. In the results pane, right-click the entry that displays Web Server in the column
Template Display Name, and then click Duplicate Template.

3. In the Properties of New Template dialog box, on the General tab, enter a template
name to generate the Web certificates that will be used on Configuration Manager site
systems, such as ConfigMgr Web Server Certificate.

4. Click the Subject Name tab, select Build from this Active Directory information, and
then select one of the following for the Subject name format:
o Common name: Select this option if you will use fully qualified domain names
for site systems in Configuration Manager (required for Internet-based client
management, and recommended for clients on the intranet).
o Fully distinguished name: Select this option if you will not use fully qualified
domain names in Configuration Manager.

5. Click the Security tab, and remove the Enroll permission from the security groups
Domain Admins and Enterprise Admins.

6. Click Add, enter ConfigMgr IIS Servers in the text box, and then click OK.

7. Select the following Allow permissions for this group: Read, Enroll, and Autoenroll.

8. Click OK and close the Certificate Templates management console, certtmpl – [Certificate Templates].

9. In the Certification Authority management console, right-click Certificate Templates,
click New, and then click Certificate Template to Issue.

10. In the Enable Certificate Templates dialog box, select the new template you have just created, ConfigMgr Web Server Certificate, and then click OK.

11. Close Certification Authority.

Requesting the Web Server Certificate
To request the Web server certificate
1. Restart the member server to ensure it can access the certificate template with the
configured permission.

2. Click Start, click Run, and type mmc.exe. In the empty console, click File and then
click Add/Remove Snap-in.

3. In the Add/Remove Snap-in dialog box, click Add, click Certificates, and then click
Add.

4. In the Certificate snap-in dialog box, select Computer account and then click Next.

5. In the Select Computer dialog box, ensure Local computer: (the computer this
console is running on) is selected, and then click Finish.

6. In the Add Standalone Snap-in dialog box, click Close.

7. In the Add/Remove Snap-in dialog box, click OK.

8. In the console that now displays Certificates (Local Computer), expand Certificates
(Local Computer), and then expand Personal.

9. Right-click Certificates, click All Tasks, and then click Request New Certificate.

10. On the Welcome to the Certificate Request Wizard page, click Next.

11. On the Certificate Types page, select ConfigMgr Web Server Certificate from the list of displayed certificates, and then click Next.

12. On the Certificate Friendly Name and Description page, optionally enter a friendly
name and description to help you identify this certificate, and then click Next.

13. On the Completing the Certificate Request Wizard page, click Finish.

14. You should see the Certificate Request Wizard dialog box informing you that the
certificate request was successful.

15. Close Certificates (Local Computer).

Configuring IIS to Use the Web Server Certificate
To configure IIS to use the Web server certificate
1. On the member server, click Start, click Programs, click Administrative Tools, and
then click Internet Information Services (IIS) Manager.

2. Expand Web Sites, right-click Default Web Site, and then select Properties.

3. Click the Directory Security tab, and then click Server Certificate.

4. On the Welcome to the Web Server Certificate Wizard page, click Next.

5. On the Server Certificate page, click Assign an existing certificate and then click Next.

6. On the Available Certificates page, select the Web server certificate you have just
requested, identifying it by the Intended Purpose field that has a value of Server
Authentication and the Friendly Name you supplied, and then click Next.

7. On the SSL Port page, accept the default port number of 443 and then click Next.

8. On the Certificate Summary page, click Next.

9. On the Completing the Web Server Certificate Wizard page, click Finish.

10. Click OK to close the Default Web Site Properties.

11. Close Internet Information Services (IIS) Manager.

The member server is now provisioned with a Configuration Manager 2007 Web server
certificate.
Note
If this server will be configured for software updates, there is additional IIS configuration that must be performed after WSUS is installed. For more information, see How to Configure the WSUS Web Site to Use SSL.

Deploying the Client Certificate
This step has two procedures:
• Configuring Autoenrollment of the Computer Template Using Group Policy
• Automatically Enrolling the Computer Certificate and Verifying Its Installation on Computers

Configuring Autoenrollment of the Computer Template Using Group Policy
To configure autoenrollment of the computer template using Group Policy
1. On the domain controller, click Start, click Administrative Tools, and then click Group Policy Management.

2. Right-click the domain, and then select Create and Link a GPO Here.

Note
This step uses the best practice of creating a new Group Policy for custom settings rather than editing the Default Domain Policy that is installed with Active Directory Domain Services. By assigning this Group Policy at the domain level, you will apply it to all computers in the domain. However, in a production environment you can restrict the autoenrollment so that it enrolls on only selected computers by either assigning the Group Policy at an organizational unit (OU) level, or you can filter the domain Group Policy with a security group so that it applies only to the computers in the group. If you restrict autoenrollment, remember to include the server that is configured as the management point.

3. In the New GPO dialog box, enter a name for the new Group Policy, such as Autoenroll Certificates, and then click OK.

4. In the results pane, on the Linked Group Policy Objects tab, right-click the new Group Policy, and then click Edit.

5. In the Group Policy Object Editor, navigate to Computer Configuration / Windows
Settings / Security Settings / Public Key Policies.

6. Right-click Automatic Certificate Request Settings, click New, and then click
Automatic Certificate Request.

7. In the Welcome to the Automatic Certificate Request Setup Wizard, click Next.

8. On the Certificate Template page, select Computer from the list of available certificate templates, and then click Next.

9. On the Completing the Automatic Certificate Request Setup Wizard page, click
Finish.

10. Close Group Policy Management.

Automatically Enrolling the Computer Certificate and Verifying Its Installation
on Computers
To automatically enroll the computer certificate and verify its installation on the client
computer
1. Restart the workstation computer, and wait a few minutes before logging on.

Note
Restarting a computer is the most reliable method of ensuring success with certificate
autoenrollment.

2. Log on with an account that has administrative privileges.

3. Click Start, click Run, and then type mmc.exe.

4. In the empty management console, click File, and then click Add/Remove Snap-in.

5. In the Add/Remove Snap-in dialog box, click Add, click Certificates, and then click
Add.

6. In the Certificate snap-in dialog box, select Computer account and then click Next.

7. In the Select Computer dialog box, ensure Local computer: (the computer this
console is running on) is selected and then click Finish.

8. In the Add Standalone Snap-in dialog box, click Close.

9. In the Add/Remove Snap-in dialog box, click OK.

10. In the console that now displays Certificates (Local Computer), expand Certificates
(Local Computer) and then click Personal.

11. In the results pane, confirm a certificate is displayed that has Client Authentication displayed in the Intended Purpose field and Computer displayed in the Certificate Template field.

12. Close Certificates (Local Computer).

13. Repeat steps 1 through 12 for the member server to verify that the server that will be configured as the management point also has a client certificate.

The workstation and member server are now provisioned with a Configuration Manager 2007 client certificate.
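As an added example (not from the page), the verification in steps 10 and 11 scripted so it can be run on every computer rather than in the MMC: it looks for a valid Client Authentication certificate issued from the built-in Computer template (whose internal template name is Machine) and refreshes Group Policy if none is present.

```powershell
# Added example, not code from the page: check that autoenrollment delivered a
# Computer-template client certificate to the local computer store.
function Get-V1TemplateName([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Version 1 templates such as Computer carry their name in extension 1.3.6.1.4.1.311.20.2
    # as a DER BMPString: tag 0x1E, one length byte (names under 128 bytes), UTF-16BE text.
    $Ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' }
    if (-not $Ext) { return $null }
    return [Text.Encoding]::BigEndianUnicode.GetString($Ext.RawData, 2, $Ext.RawData[1])
}

function Test-ComputerClientCert {
    # The MMC shows the display name "Computer"; the template's internal name is "Machine".
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.FriendlyName -contains 'Client Authentication') -and
        ((Get-V1TemplateName $_) -eq 'Machine')
    }
}

$Found = Test-ComputerClientCert
if ($Found) {
    $Found | Format-Table Subject, NotAfter, Thumbprint -AutoSize
} else {
    # A Group Policy refresh re-applies the Automatic Certificate Request Settings;
    # as the Note above says, a restart remains the most reliable way to trigger enrollment.
    Write-Warning 'No Computer-template client certificate found; refreshing Group Policy.'
    gpupdate /force | Out-Host
}
```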

Installing New SCCM CA on IIS 7

1. Open the IIS Manager console

2. Click on the server name

3. Click Server Certificates

4. Right-click and select Create Domain Certificate

5. Complete all the needed information and select your certificate store server. Make sure you use the FQDN for the server in the Common Name section.

6. Right-click Default Web Site

7. Click Edit Bindings

8. Click Edit for https, then select your newly issued certificate

9. You do not need to reboot the server or restart IIS.

How to Renew SCCM Site Server Signing Certificate

Have you tried to renew the existing SCCM site server signing certificate for a native mode site, and wondered how to do this without creating a new certificate? This post provides a procedure to do this that is suitable for when the site server is on either Windows Server 2003 or Windows Server 2008, and your PKI uses Microsoft Certificate Services.

Disclaimer: This procedure is external to Configuration Manager, so you will not find this information in the Configuration Manager product documentation. However, we realize that PKI is often new to Configuration Manager admins, and aim to share our knowledge and experience to help you be more successful with the product.
You can use the same procedure to renew any certificate that’s deployed through Certificate Services, but Group Policy auto-enrollment usually takes care of client certificate renewal automatically.

And the IIS site system certificates for server authentication can be easily renewed from the Certificates MMC, by right-clicking on the certificate and selecting All Tasks, and then either Renew Certificate with New Key (recommended), or Renew Certificate with Same Key.

However, there are 2 challenges for renewing the site server signing certificate:

1. The Certificates MMC on Windows Server 2003 does not let you specify the Subject value, so you cannot renew the certificate with a new site code.

2. The Certificates MMC is not designed for certificate templates that are configured for manual approval.

A note here about manual approval and why changing this to automatic approval in order to workaround the Certificates MMC design is not recommended. Manual approval is recommended for the site server signing certificate because it is a “high value” certificate. It’s high value because it represents the key to the kingdom – your Configuration Manager hierarchy.

In comparison with the other certificates, if this certificate is compromised (requested by a compromised or rogue site server), the whole integrity of the hierarchy is in jeopardy. One of the main differences between mixed mode and native mode (in addition to using PKI certificates instead of self-signed certificates) is that policy is
signed by both the site server and the management point. Even if the management point is compromised, clients are protected by checking this extra signature on their policies. Policy that is fabricated on a compromised management point, even if the management point has a valid certificate, will be rejected by clients because the policy won’t be signed by the site server signing certificate.


How to Use CertReq to Renew the Site Server Signing Certificate

To adhere to the security best practice of manual approval for this particular certificate, renew the certificate by using the CertReq command line tool, and the certificate serial number. To find the certificate serial number, double-click the certificate from the Certificates MMC, click the Details tab, and then note the value for Serial number. When you specify the serial number with the command-line tools, you must remove the spaces in the string. You will need to specify this number in the .inf file that you use with CertReq.exe, in the [NewRequest] section and with the option RenewalCert. You will also need to specify MachineKeySet = True, or the renewal will actually create a new certificate in the User store rather than renewing the existing certificate in the Computer store.

This means that your .inf text file will look similar to this:
[NewRequest]
RenewalCert=237f66a4000000000011
MachineKeySet = True

It’s as simple as that. Then run through the standard CertReq commands for requesting, retrieving, and installing the certificate. If you need step-by-step instructions because you’re not familiar with CertReq, use the Windows Server 2008 CA step-by-step, section Deploying the Site Server Signing Certificate - only use the .inf file contents above instead of the .inf contents in the step-by-step. However, if you need only a quick reminder (and I often do!):

Certreq -new sitesigning.inf sitesigning.req
Certreq -submit sitesigning.req sitesigning.cer (select CA when prompted and note the request ID number).

Check and issue the pending certificate request from the CA.

Certreq -retrieve RequestID sitesigning.cer (where RequestID is the number you noted; select CA when prompted)
Certreq -accept sitesigning.cer

In the Certificates MMC, view the certificate details again and the Valid from and Valid to values should now be updated.

Want to renew the certificate but with a new site code? Add the Subject option to the .inf file, so that it looks similar to this before requesting the certificate:
[NewRequest]
Subject="CN = The site code of this site server is BCD"
RenewalCert=237f66a4000000000011
MachineKeySet = True

Want to renew the certificate with an existing key set? Use my previous post to find the long string of numbers for the certificate’s key container, using the Certutil command. Then specify this string in the .inf file with the KeyContainer option, along with UseExistingKeySet = True so that it looks similar to this before requesting the certificate:
[NewRequest]
RenewalCert = 237f66a4000000000011
KeyContainer= b759e34928886fea1ec1bc7beacc5e80_016106cf-c351-4ab3-a3f1-7e56916dae0b
UseExistingKeySet = True
MachineKeySet = True

Want to renew the certificate when it’s expired? You’re out of luck. The CA will reject the request to renew an expired certificate and you will see a message similar to “Error Verifying Request Signature or Signing Certificate. A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495).” This message is
also displayed in the Failed Requests node of the issuing CA. When the certificate has already expired, you must request a new certificate instead of renewing the existing certificate.
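As an added example (not code from the page, from Microsoft, or from the blog author), the Certreq.exe route that the Note in the site server signing certificate procedure points to, and the renewal described in this section, in one PowerShell script that applies the checks above before submitting. It assumes a hypothetical CA config string (CAHost\CAName) and that the template's Template name is ConfigMgrSiteServerSigningCertificate (the display name without spaces); change both for your environment.

```powershell
# Added example (not from the page): request or renew the ConfigMgr site server signing
# certificate with Certreq.exe. $CaConfig and the template name below are assumptions.
$CaConfig = 'DC01.contoso.local\Contoso Enterprise CA'   # hypothetical; use your own CA
$Prefix   = 'CN=The site code of this site server is '   # exact wording, no trailing period

function Submit-SiteSigningRequest {
    param([string[]]$InfLines, [string]$Name)
    $Inf = Join-Path $env:TEMP "$Name.inf"
    $Req = Join-Path $env:TEMP "$Name.req"
    $Cer = Join-Path $env:TEMP "$Name.cer"
    Set-Content -Path $Inf -Value $InfLines -Encoding ASCII
    & certreq.exe -new $Inf $Req | Out-Host            # key pair + PKCS#10 request
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }
    # The template requires manual approval, so the CA answers 'Taken Under Submission'
    # and prints a Request ID; an administrator issues it in the Certification Authority console.
    $Out = & certreq.exe -submit -config $CaConfig $Req $Cer 2>&1
    if (-not (($Out | Out-String) -match 'RequestId:\s*"?(\d+)')) {
        throw "certreq -submit returned no Request ID:`n$($Out | Out-String)"
    }
    $Id = $Matches[1]
    Write-Host "Request $Id is pending. After it is issued, retrieve and install it with:"
    Write-Host "  certreq -retrieve -config `"$CaConfig`" $Id $Cer"
    Write-Host "  certreq -accept $Cer"
    return $Id
}

# Initial request. The Subject is what Configuration Manager uses to identify the
# site server signing certificate, so it must carry the exact wording and site code case.
function New-SiteSigningRequest {
    param([Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9]{3}$')][string]$SiteCode)
    Submit-SiteSigningRequest -Name 'sitesigning' -InfLines @(
        '[NewRequest]',
        "Subject = `"$Prefix$SiteCode`"",
        'MachineKeySet = True',        # computer store, not the user store
        'Exportable = False',
        'KeyLength = 2048',
        'RequestType = PKCS10',
        'FriendlyName = "ConfigMgr site server certificate"',
        '[RequestAttributes]',
        'CertificateTemplate = ConfigMgrSiteServerSigningCertificate'   # assumed Template name
    )
}

# Renewal, with the checks the post describes: the certificate must still be valid (the CA
# rejects expired ones with 0x800b0101) and RenewalCert takes the serial number without spaces.
function Renew-SiteSigningCert {
    param([string]$NewSiteCode, [string]$KeyContainer)   # both optional
    $Cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "$Prefix*" } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $Cert) { throw 'No site server signing certificate found in the computer store.' }
    if ($Cert.NotAfter -lt (Get-Date)) {
        throw "Certificate expired on $($Cert.NotAfter); request a new certificate instead."
    }
    # X509Certificate2.SerialNumber is already the hex string with the spaces removed.
    $Lines = @('[NewRequest]', "RenewalCert = $($Cert.SerialNumber)", 'MachineKeySet = True')
    if ($NewSiteCode)  { $Lines += "Subject = `"$Prefix$NewSiteCode`"" }
    # KeyContainer is the key container string found with Certutil, as the post describes.
    if ($KeyContainer) { $Lines += "KeyContainer = $KeyContainer", 'UseExistingKeySet = True' }
    Submit-SiteSigningRequest -Name 'siterenew' -InfLines $Lines
}

# Usage: New-SiteSigningRequest -SiteCode 'ABC'   or   Renew-SiteSigningCert -NewSiteCode 'BCD'
```

After certreq -accept, the renewed certificate still has to be selected on the site's Site Mode tab, as the next section explains.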

Using the Renewed Certificate with Configuration Manager
Even though you’ve renewed the existing certificate rather than replaced it, it still has a new serial number and a new certificate thumbprint. This means that you must still specify the renewed site server signing certificate in the site properties, Site Mode tab. When you’ve done the hard work of renewing the certificate, don’t forget this last piece of the renewal process! Remember to do it at a quiet time when it’s OK that all the policies will be resigned. Only if the certificate chains to a root CA
certificate with a different key pair will you have to take additional configuration steps for the clients. Otherwise, you’re good to go.
