CCMEXEC.COM – System Center blog

CCMEXEC.COM – by Jörgen Nilsson

Browsing Posts published in February, 2012

In February, Stefan Schörling, Anders Ahl and I did a Configuration Manager 2012 deep-dive livemeeting as part of the System Center 2012 livemeeting series at TechNet Sweden. The recording of that livemeeting is now available on YouTube; it is in Swedish, though.

http://www.youtube.com/watch?v=iYakHwlQqfA&feature=youtu.be


Don't miss it!

I started this blog post when the Unified Installer was released, then I decided not to write it and to wait for the released version. A couple of days ago I got a question regarding Service Manager 2012 and integration with Configuration Manager 2012, and then I used the Unified Installer to get a test environment up and running, and it saved me a lot of time.

Before starting, there are a couple of things to note:

  • Orchestrator must be installed, as the System Center Unified Installer uses it to deploy the rest of the products.
  • System Center products must be installed on the C:\ drive.
  • App Controller and Virtual Machine Manager cannot be installed on the server.

Here is how I used the Unified Installer.

  1. Start by downloading the System Center 2012 Release Candidates here: http://technet.microsoft.com/en-us/evalcenter/hh505660
  2. When you are done downloading it, start downloading all the different required components; they are listed here in the user guide: http://technet.microsoft.com/en-us/library/hh751268.aspx
  3. Each required software must be in a separate folder, I created the following folder structure:
  4. The WAIK download, which is an ISO, needs to be extracted for the installation to work.
  5. Each of the System Center 2012 products needs to be unpacked from the format they are downloaded in into a separate folder for each product.
  6. I then created two OUs in my lab environment and configured one group policy containing the settings needed by the Unified Installer for the System Center Unified Installer computer.
    In both these GPOs I also turned off the Windows Firewall (as it is only for testing).
    The policy settings required are listed in the user guide: http://technet.microsoft.com/en-us/library/hh751268.aspx
  7. And one GPO for the System Center Unified Installer target computers.
  8. For the target computers, Windows 2008 R2 SP1 is required to be installed, so I deployed them using Configuration Manager ;-)
  9. Then you are ready to start. Here are some screenshots from the rest of the installation; I hope they can be of some use.


I ran into this a while ago and did it again now, so I thought I would share it here. There is a hotfix for Windows Installer which solves a problem when, for instance, a Windows 7 computer needs to self-repair a Windows Installer based installation and the source files are located at the Configuration Manager 2012 distribution point and are accessible via HTTP.

Title: “"HTTP Error 401.1" error message when Msiexec.exe updates an MSI file in Windows Vista, in Windows 7, in Windows Server 2008, or in Windows Server 2008 R2”

Symptoms:
Assume that you deploy an application to a client computer that is running one of the following operating systems by using System Center Configuration Manager 2012:
  • Windows Vista
  • Windows 7
  • Windows Server 2008
  • Windows Server 2008 R2
When the deployment of the application is finished, the Microsoft Installer Package (MSI) file is removed from the local drive. Then, the ConfigMgr client updates the MSI source list by accessing the content server. This behavior is controlled by the self-healing functionality. When the self-healing functionality is triggered, Msiexec.exe tries to access the content path anonymously instead of by using the credentials of the user who currently logs on the client computer. However, the Secure Windows Initiative (SWI) guidelines do not allow anonymous access to content servers. Therefore, you receive the following error message:

The full article can be found here:
http://support.microsoft.com/kb/2619572

Sometimes you want to deploy more than one Windows 7 hotfix with Configuration Manager. The hotfixes for Windows 7 are .MSU files and are installed using Wusa.exe.
If you want to make the hotfix installation silent, you simply add /quiet /norestart on the command line as well.

Example command line: Wusa.exe c:\temp\Windows6.1-KB982018-v3-x64.msu /quiet /norestart

To simplify the installation I have made a small script that will parse all the files in the same directory as the script and install all files which end with .MSU automatically. It can be used both to distribute the hotfixes using software distribution and in a Task Sequence, so you can install the updates during OSD.

To use it, simply save the script in the same folder as the Windows 7 hotfixes you want to deploy and then create a package and program with the folder as package source and the command line configured as below.

I strongly recommend that you allow Configuration Manager to restart the computer, otherwise the user can be prompted by the Windows Update agent to restart within 10 minutes.

If you need to troubleshoot it, run it with allow user to interact; then you will see the updates being displayed in a command prompt.

Installmsu.vbs script:

Option Explicit
Dim objfso, objShell
Dim folder, files, sFolder, folderidx, iRetVal, cmd

Set objfso = CreateObject("Scripting.FileSystemObject")
Set objShell = CreateObject("Wscript.Shell")
' Folder the script runs from (keeps the trailing backslash)
sFolder = Left(WScript.ScriptFullName, Len(WScript.ScriptFullName) - Len(WScript.ScriptName))
Set folder = objfso.GetFolder(sFolder)
Set files = folder.Files
For Each folderidx In files
    ' Install every .msu file found next to the script
    If UCase(Right(folderidx.Name, 4)) = ".MSU" Then
        ' Quote the path so package folders containing spaces still work
        cmd = "wusa.exe " & Chr(34) & sFolder & folderidx.Name & Chr(34) & " /quiet /norestart"
        WScript.Echo cmd
        iRetVal = objShell.Run(cmd, 1, True)
        ' 0 = installed, 3010 = installed but a restart is required
        If (iRetVal = 0) Or (iRetVal = 3010) Then
            WScript.Echo folderidx.Name & " Success"
        Else
            ' Any other code stops the run and reports failure to ConfigMgr
            WScript.Echo folderidx.Name & " Failed"
            WScript.Quit(1)
        End If
    End If
Next

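The script above treats every exit code other than 0 and 3010 as a failure and stops, so a hotfix that is already installed ends the run before the remaining hotfixes are tried. The following is an added example, not the author's script: a PowerShell variant that classifies the wusa.exe exit codes and keeps going. It assumes PowerShell 3.0 or later; the function names are hypothetical.

```powershell
# Added example: install every .msu next to this script and classify the
# wusa.exe exit code of each one instead of stopping at the first non-zero code.
# Assumes PowerShell 3.0+ ($PSScriptRoot, [pscustomobject]).

function Get-WusaOutcome {
    param([int]$ExitCode)
    if     ($ExitCode -eq 0)           { 'Installed' }
    elseif ($ExitCode -eq 3010)        { 'InstalledRebootRequired' }
    elseif ($ExitCode -eq 2359302)     { 'AlreadyInstalled' }   # 0x00240006
    elseif ($ExitCode -eq -2145124329) { 'NotApplicable' }      # 0x80240017
    else                               { 'Failed' }
}

function Install-MsuFolder {
    param([string]$Path = $PSScriptRoot)
    $files = Get-ChildItem -Path $Path -Filter *.msu |
             Where-Object { $_.Extension -eq '.msu' } | Sort-Object Name
    foreach ($msu in $files) {
        # Quote the full path so folders containing spaces are passed intact.
        $argList = '"{0}" /quiet /norestart' -f $msu.FullName
        $proc = Start-Process -FilePath wusa.exe -ArgumentList $argList -Wait -PassThru
        [pscustomobject]@{
            File     = $msu.Name
            ExitCode = $proc.ExitCode
            Outcome  = Get-WusaOutcome $proc.ExitCode
        }
    }
}

$results = @(Install-MsuFolder)
$results | Format-Table -AutoSize

# Report one exit code to Configuration Manager: failure wins, then restart.
# AlreadyInstalled and NotApplicable are listed in the table but not fatal.
if ($results.Outcome -contains 'Failed')                  { exit 1 }
if ($results.Outcome -contains 'InstalledRebootRequired') { exit 3010 }
exit 0
```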

There is a great source of Configuration Manager 2012 information in the System Center 2012 Configuration Manager Survival Guide on TechNet. Make sure to check it out; there are links to blog posts, videos, articles and blogs on System Center 2012 Configuration Manager.

It is truly a great place to start looking for information about Configuration Manager 2012.

You find it here: http://social.technet.microsoft.com/wiki/contents/articles/7075.system-center-2012-configuration-manager-survival-guide.aspx

As we all know FEP doesn’t have tamper protection or the possibility to password protect the uninstallation of the FEP client. I normally use the collection query I posted before on my blog to automate the re-installation of the FEP client if it is uninstalled. http://ccmexec.com/2011/11/forefront-endpoint-protection-and-locally-removed/

But in the case where we have users that are local admins (I know it is a pain, but it is the real world), I try to do one of these tricks as well to at least make it harder for them to uninstall the FEP client.

1. Remove the UninstallString registry value for the FEP client; the FEP client is then no longer visible under "Uninstall a program" in the Control Panel. I use this really simple script to achieve it:

Const HKEY_LOCAL_MACHINE = &H80000002
' Connect to the WMI registry provider on the local computer
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Security Client"
strStringValueName = "UninstallString"
' Delete only the UninstallString value; the rest of the key is left in place
oReg.DeleteValue HKEY_LOCAL_MACHINE, strKeyPath, strStringValueName


2. The second option is to replace the uninstall key with a script prompting the user that it is not allowed to uninstall the FEP client, getting the below result.


I simply copy a VBScript with the content below to the C:\windows directory and then run it from there. Sample script for the prompt script:


MsgBox "FEP is not allowed to be uninstalled", 0, "FEP Uninstaller"


Sample script for replacing the FEP uninstall string:


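Const HKEY_LOCAL_MACHINE = &H80000002
' Connect to the WMI registry provider on the local computer
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Security Client"
strStringValueName = "UninstallString"
' Command that Control Panel runs instead of the real uninstaller
strValue = "wscript.exe c:\windows\fepuninst.vbs"
' Overwrite UninstallString so that "Uninstall" only shows the message box
oReg.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strStringValueName, strValue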

I hope this can be helpful; it isn’t pretty, but it does its job.
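Since a local admin can put the value back, it is worth checking which state each client is actually in. The following is an added example, not the author's code: a PowerShell check that classifies the uninstall entry using the key path and replacement command from the scripts above. It assumes PowerShell 3.0 or later on .NET 4; the function name and state names are hypothetical.

```powershell
# Added example: report the state of the FEP uninstall entry on this computer.
# Key path, value name and replacement command are taken from the scripts above.
# Assumes PowerShell 3.0+ on .NET 4 (RegistryKey.OpenBaseKey).
$FepKey       = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Security Client'
$BlockerCmd   = 'wscript.exe c:\windows\fepuninst.vbs'
$BlockerFile  = 'c:\windows\fepuninst.vbs'

function Get-FepUninstallState {
    param(
        [string]$KeyPath  = $FepKey,
        [string]$Expected = $BlockerCmd,
        [string]$Script   = $BlockerFile
    )
    # Open the 64-bit registry view explicitly so a 32-bit host process on
    # 64-bit Windows is not redirected to Wow6432Node. On 32-bit Windows this
    # request returns the normal view.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine,
        [Microsoft.Win32.RegistryView]::Registry64)
    try {
        $key = $hklm.OpenSubKey($KeyPath)
        if ($null -eq $key) { return 'KeyMissing' }   # client not installed, or removed
        try     { $value = $key.GetValue('UninstallString') }
        finally { $key.Close() }

        if ($null -eq $value) { return 'Hidden' }     # option 1 is in place
        if ([string]$value -ieq $Expected) {
            # Option 2 is in place; confirm the prompt script is still on disk.
            if (Test-Path -LiteralPath $Script) { return 'Redirected' }
            return 'RedirectedScriptMissing'
        }
        return 'Original'   # neither change is in place (not deployed, or reverted)
    }
    finally { $hklm.Close() }
}

# Emit a single string so the result can be collected per computer.
Get-FepUninstallState
```

A result of `Original` or `KeyMissing` on a computer that received one of the scripts means the change was reverted or the client was removed.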