CCMEXEC.COM – System Center blog

CCMEXEC.COM – by Jörgen Nilsson


I ran into this a while ago and did it again now, so I thought I would share it here. There is a hotfix for Windows Installer which solves a problem when, for instance, a Windows 7 computer needs to self-repair a Windows Installer based installation and the source files are located on the Configuration Manager 2012 distribution point and are accessible via HTTP.

Title: “HTTP Error 401.1” error message when Msiexec.exe updates an MSI file in Windows Vista, in Windows 7, in Windows Server 2008, or in Windows Server 2008 R2

Symptoms:
Assume that you deploy an application to a client computer that is running one of the following operating systems by using System Center Configuration Manager 2012:
  • Windows Vista
  • Windows 7
  • Windows Server 2008
  • Windows Server 2008 R2
When the deployment of the application is finished, the Microsoft Installer Package (MSI) file is removed from the local drive. Then, the ConfigMgr client updates the MSI source list by accessing the content server. This behavior is controlled by the self-healing functionality. When the self-healing functionality is triggered, Msiexec.exe tries to access the content path anonymously instead of by using the credentials of the user who currently logs on the client computer. However, the Secure Windows Initiative (SWI) guidelines do not allow anonymous access to content servers. Therefore, you receive the following error message:

The full article can be found here:
http://support.microsoft.com/kb/2619572

Sometimes you want to deploy more than one Windows 7 hotfix with Configuration Manager. The hotfixes for Windows 7 are .MSU files and are installed using Wusa.exe.
If you want to make the hotfix installation silent, you simply add /quiet /norestart to the command line as well.

Example command line: Wusa.exe c:\temp\Windows6.1-KB982018-v3-x64.msu /quiet /norestart

To simplify the installation I have made a small script that will parse all the files in the same directory as the script and automatically install all files which end with .MSU. It can be used both to distribute the hotfixes using software distribution and in a Task Sequence, so you can install the updates during OSD.

multiple_msu
To use it, simply save the script in the same folder as the Windows 7 hotfixes you want to deploy, and then create a package and program with the folder as package source and the command line configured as below.

multiple_msu1

I strongly recommend that you allow Configuration Manager to restart the computer; otherwise the user can be prompted by the Windows Update agent to restart within 10 minutes.

If you need to troubleshoot it, run it with allow user to interact; then you will see the updates being displayed in a command prompt.

Installmsu.vbs script:

Dim objfso, objShell
Dim folder, files, sFolder, folderIdx, iRetVal, sCmd

Set objfso = CreateObject("Scripting.FileSystemObject")
Set objShell = CreateObject("Wscript.Shell")

' Folder the script runs from, including the trailing backslash
sFolder = Left(WScript.ScriptFullName, Len(WScript.ScriptFullName) - Len(WScript.ScriptName))
Set folder = objfso.GetFolder(sFolder)
Set files = folder.Files

For Each folderIdx In files
    ' Only files with the .msu extension
    If UCase(objfso.GetExtensionName(folderIdx.Name)) = "MSU" Then
        ' Quote the path so that folders containing spaces work
        sCmd = "wusa.exe """ & sFolder & folderIdx.Name & """ /quiet /norestart"
        WScript.Echo sCmd
        iRetVal = objShell.Run(sCmd, 1, True)
        ' 0 = success, 3010 = success with a restart required
        If (iRetVal = 0) Or (iRetVal = 3010) Then
            WScript.Echo folderIdx.Name & " Success"
        Else
            WScript.Echo folderIdx.Name & " Failed"
            WScript.Quit(1)
        End If
    End If
Next
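
A PowerShell take on the same batch install, added here as an example and not part of the original post: it refuses any .msu that lacks a valid Authenticode signature before handing it to wusa.exe, and it does not abort the batch when a hotfix is already installed or not applicable. The publisher match and the two extra Windows Update Agent exit codes are assumptions of this example, not something the script above checks.

```powershell
# Added example, not the blog's Installmsu.vbs. Save beside the .msu files.
$scriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path

# wusa.exe exit codes that are not failures. 0 and 3010 are the two the original
# script accepts; the Windows Update Agent codes are an addition of this example.
$outcomes = @{}
$outcomes[0]          = 'installed'
$outcomes[3010]       = 'installed, restart required'
$outcomes[0x00240006] = 'already installed (WU_S_ALREADY_INSTALLED)'
$outcomes[0x80240017] = 'not applicable (WU_E_NOT_APPLICABLE)'

$needRestart = $false
foreach ($msu in Get-ChildItem -Path $scriptDir -Filter *.msu) {
    # Refuse anything without a valid signature from the expected publisher.
    # The publisher match is an assumption: adjust it to your own trust policy.
    $sig = Get-AuthenticodeSignature -FilePath $msu.FullName
    if ($sig.Status -ne 'Valid' -or
        $sig.SignerCertificate.Subject -notlike '*O=Microsoft Corporation*') {
        Write-Output "$($msu.Name): signature $($sig.Status), not installed"
        exit 1
    }

    # Quote the path so a package folder containing spaces still works.
    $wusaArgs = '"{0}" /quiet /norestart' -f $msu.FullName
    $proc = Start-Process -FilePath wusa.exe -ArgumentList $wusaArgs -Wait -PassThru

    if (-not $outcomes.ContainsKey($proc.ExitCode)) {
        Write-Output "$($msu.Name): failed with exit code $($proc.ExitCode)"
        exit 1
    }
    Write-Output "$($msu.Name): $($outcomes[$proc.ExitCode])"
    if ($proc.ExitCode -eq 3010) { $needRestart = $true }
}

# Pass 3010 back so the calling program can see that a restart is pending.
if ($needRestart) { exit 3010 }
exit 0
```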

There is a great source of Configuration Manager 2012 information in the System Center 2012 Configuration Manager Survival Guide on TechNet. Make sure to check it out; there are links to blog posts, videos, articles and blogs on System Center 2012 Configuration Manager.

It is truly a great place to start looking for information about Configuration Manager 2012.

You can find it here: http://social.technet.microsoft.com/wiki/contents/articles/7075.system-center-2012-configuration-manager-survival-guide.aspx

As we all know FEP doesn’t have tamper protection or the possibility to password protect the uninstallation of the FEP client. I normally use the collection query I posted before on my blog to automate the re-installation of the FEP client if it is uninstalled. http://ccmexec.com/2011/11/forefront-endpoint-protection-and-locally-removed/

But in the case where we have users that are local admins (I know it is a pain, but it is the real world), I try to do one of these tricks as well to at least make it harder for them to uninstall the FEP client.

1. Remove the UninstallString registry value for the FEP client; then the FEP client is no longer visible under "Uninstall a program" in the Control Panel. I use this really simple script to achieve it:

Const HKEY_LOCAL_MACHINE = &H80000002

' Connect to the WMI registry provider on the local computer
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Security Client"
strStringValueName = "UninstallString"

' Delete the UninstallString value from the FEP client's uninstall key
oReg.DeleteValue HKEY_LOCAL_MACHINE, strKeyPath, strStringValueName

2. The second option is to replace the uninstall string with a script that tells the user that uninstalling the FEP client is not allowed, giving the result below.

FEP_Uninstall

I simply copy a vbscript with the below content to the C:\windows directory and then run it from there, sample script for the promptscript:

MsgBox "FEP is not allowed to be uninstalled", 0, "FEP Uninstaller"

Sample script for replacing the FEP uninstall string:

Const HKEY_LOCAL_MACHINE = &H80000002
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Security Client"
strStringValueName = "UninstallString"
strValue = "wscript.exe c:\windows\fepuninst.vbs"
oReg.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strStringValueName, strValue

I hope this can be helpful; it isn’t pretty but it does its job.

There was a question on the TechNet forum a couple of weeks ago, so I thought I would post it here as well. In some scenarios it can be useful to set the computer's AD description during SCCM OS deployment. I use a script for this which can set the AD description from a variable, for instance a Computer or Collection variable that can be filled in during the deployment, or a value from MDT variables if you like.

This is the script I use:


Dim strComputerDN, strDesc
Dim objADSysInfo, objComputer

'---- Get computer DN ----
Set objADSysInfo = CreateObject("ADSystemInfo")
strComputerDN = "LDAP://" & objADSysInfo.ComputerName
Set objADSysInfo = Nothing

'---- Read command line ----
If WScript.Arguments.Count < 1 Then
    WScript.Echo "Usage: cscript " & WScript.ScriptName & " <description>"
    WScript.Quit 1
End If
strDesc = WScript.Arguments(0)

AddCompDesc strDesc

' Bind to the computer object in AD and write its Description attribute
Sub AddCompDesc(strPCDescription)
    Set objComputer = GetObject(strComputerDN)
    objComputer.Put "Description", strPCDescription
    objComputer.SetInfo
End Sub

Then I run it from a package in the task sequence. It must be run after the “Setup Windows & ConfigMgr” step, so that the computer has been restarted after it was joined to the domain.
The account which executes the script must have permissions in AD to set the AD description. Just replace %desc% with the variable you want to use, or with a static value if you prefer that.

ADDesc1

If you want to be prompted for an AD description when the Task Sequence starts, create a Collection variable for the OSD Collection with an empty value like this:

ADDesc2

When you have a task sequence in SCCM with many steps, the monitor goes into power save mode before the installation is complete. In some cases the end user can believe that the computer installation is finished, close the lid on the laptop and go home, and the OS installation fails. It is also really annoying when waiting for an installation to complete.

I use the following two simple steps in my Windows 7 deployment task sequence to prevent the computer monitor from entering power save.

The first step simply configures the current power scheme to not turn off the monitor when power is connected. This command must run after the “Setup Windows and ConfigMgr” step, so that the computer has restarted with the locally installed OS:

sccmpower1

When the installation of the OS is complete, I simply restore the power scheme back to default by running the following command. When the OS deployment is complete, I simply configure the power options either by using Group Policy Preferences or Configuration Manager.
sccmpower2

Last week on the 17-18 of January the SCCM Summit 2012 event arranged by Cornerstone took place in Stockholm Sweden. A great event focusing on System Center 2012: Configuration Manager for 1 1/2 days. The event hosted speakers like Johan Arwidmark, Anders Ahl, Niall Brady and Peter Frodin.
I had the great opportunity to deliver three sessions myself:

  • System Center 2012: Endpoint Protection
  • CM 2012 Application Management part 1
  • CM 2012 Application Management part 2

It was great fun and a really great event! Thanks Cornerstone for a great event and thanks to everyone who attended, looking forward to next year!

SCCM_Summit

I wrote a post a year or more ago about how to install the SCCM 2007 Admin Console including R2. This is something I use a lot in my projects, as there is more and more to install when installing the Admin Console.
In the example below I install the Admin Console, the required hotfix (KB977384) and R3. If you are using Forefront Endpoint Protection, you also need to install the FEP Admin UI extensions on the client machines that have the SCCM console locally installed. I will post an example of a script with the FEP integration later on.

SCCM 2007 R3 requires a hotfix (KB977384) which restarts a lot of services on the computer during installation, for instance ccmexec and WMI. If a Task Sequence or application installation is running, it will stop and return an error.
So I wrote a little VBScript which uses a .MIF file to report the installation status back to the SCCM server. It will report any errors back to the SCCM server so that it is easy to troubleshoot.

The script can be downloaded here: Install

To implement the script do the following:

  1. Copy the needed installation media to a folder with the following sub-folders.
    sccm_adminui_r33
    Note: To save space I deleted files in the WAIK directory from the Configuration Manager SP2 installation source, as these files are not needed to install the admin console.
  2. Save the downloaded vbscript to the folder you just created and rename it to install.vbs.
  3. Create a Unattend.ini file in the ConfigMgr_sp2 folder with the following content, you need to change the server name to your SCCM Primary Site server.

    [Identification]
    Action=InstallAdminUI
    [Options]
    SMSInstallDir=c:\program files\Configuration Manager 2007
    ParentSiteServer=SCCM1
    SDKServer=SCCM1
  4. In SCCM, create a Package with the source folder being the folder structure just created.
  5. In the package properties configure the following under the reporting tab: (this is used to match the .mif file generated by the script with the package)
    sccm_adminui_r31
  6. Create a program with the following settings:
    sccm_adminui_r32
  7. If you want to display the installation progress in a cmd window to the users, configure the program to “Allow users to interact with this program”.
  8. Add the package to your Distribution Points
  9. Advertise the program to a test collection and start testing.

I hope this can be useful for more than me.