
Configmgr 2012 RTM/SP1 Part 1: Not so basic Applications and their Detection Methods


Hi Guys,

I will start a series of blog posts that lists common applications, with the requirements and dependencies you need to build your general OSD task sequence.

Today I will start with two examples:

  1. Installing one or multiple certificate(s) for SCUP 2011, using a registry key as detection method
  2. An Internet Explorer 9 post-install hotfix, using a script as detection method

Scenario 1 : Certificate deployment

So let's start with the first example, deploying a certificate as an application in a task sequence.

Let's first ask ourselves this question: why would we use an application to deploy certificates during an OSD deployment if we have a Group Policy Object to do it for us? The answer is in this Microsoft document, http://technet.microsoft.com/en-us/library/bb693951.aspx, which states: "The Setup Windows and ConfigMgr task sequence action is responsible for running Group Policy on the newly installed computer. At which point during the task sequence action that Group Policy is applied depends on the operating system being deployed. On Windows XP and Windows Server 2003, Group Policy runs after the task sequence is finished, the task sequence GINA has been unloaded and then replaced with the GINA on Windows. On Windows Vista and Windows Server 2008, Group Policy runs after the Setup Windows and ConfigMgr task sequence action completes." In other words, a certificate pushed by Group Policy is not yet present while the remaining task sequence steps run, so anything in the task sequence that relies on it needs the certificate installed by an application first.

Let's build our application now:

1. Export your self-signed certificate and place it in a source folder. For Windows 7 you don't need any additional tooling; for XP you need certutilxp.exe and certadm.dll.

2. Create two batch files:

Install.cmd –> for Win7

Install_XP.cmd –> for XP

3. Create your application. In this example: "WSUS Self Signed Certificate".

4. Create two deployment types, one for XP and one for Win7.

5. On the "Detection Method" tab, specify a registry key.

In my case: HKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\6BFF5439A57586FEF61B8D8E2194A96DD459B511 and HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6BFF5439A57586FEF61B8D8E2194A96DD459B511

Where does the value "6BFF5439A57586FEF61B8D8E2194A96DD459B511" come from? It comes from the properties of your exported certificate: open the certificate's properties and look at the "Thumbprint" value. Windows names the registry key of an installed certificate after its SHA-1 thumbprint, so the key only exists once that exact certificate is in the store, which is what makes it a reliable detection method.

6. Define your requirement here directly or with a global condition.

7. You're done!
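As an added example (not the batch files from the post, which are only shown as screenshots), here is a Windows 7 install script that imports the exported certificate with certutil into the two stores named above and then performs the same check the registry detection method performs. It assumes the exported file is called WSUSPublisher.cer (a hypothetical name) and sits in the content folder the deployment type runs from; the thumbprint is computed from the file rather than hard-coded, so the script works for any certificate you export.

```powershell
# Added example, not code from the original post: install a self-signed
# SCUP/WSUS signing certificate into TrustedPublisher and AuthRoot, then
# verify the registry keys the ConfigMgr detection method looks at.
# Assumption: WSUSPublisher.cer (hypothetical name) is in the working
# directory, i.e. the deployment type's content folder; run elevated on Win7.
param(
    [string]$CerPath = (Join-Path (Get-Location) 'WSUSPublisher.cer')
)
$ErrorActionPreference = 'Stop'
$stores = 'TrustedPublisher', 'AuthRoot'

function Get-CertThumbprint {
    param([string]$Path)
    # The thumbprint is the SHA-1 hash of the DER-encoded certificate; Windows
    # uses it (upper-case hex, no spaces) as the key name under
    # HKLM\SOFTWARE\Microsoft\SystemCertificates\<Store>\Certificates.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    return $cert.Thumbprint.ToUpperInvariant()
}

function Test-CertInstalled {
    param([string]$Thumbprint)
    # Same test as the detection method: the key must exist in both stores.
    foreach ($store in $stores) {
        $key = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\$store\Certificates\$Thumbprint"
        if (-not (Test-Path -LiteralPath $key)) { return $false }
    }
    return $true
}

$thumb = Get-CertThumbprint -Path $CerPath
Write-Host "Certificate thumbprint: $thumb"

if (Test-CertInstalled -Thumbprint $thumb) {
    Write-Host 'Already installed, nothing to do.'
    exit 0
}

# certutil ships with Windows 7; -f overwrites an existing entry.
foreach ($store in $stores) {
    & certutil.exe -f -addstore $store $CerPath | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Error "certutil failed for store $store with exit code $LASTEXITCODE"
        exit $LASTEXITCODE
    }
}

# Fail loudly if the keys did not appear (for example when run without
# elevation), so the application reports an install failure instead of
# passing silently and then never detecting.
if (-not (Test-CertInstalled -Thumbprint $thumb)) {
    Write-Error 'certutil succeeded but the detection keys are missing.'
    exit 1
}
Write-Host 'Certificate installed; detection keys present in both stores.'
```

The thumbprint printed by the script is the value to paste into the registry detection rule, which saves copying it from the certificate properties dialog by hand.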

Scenario 2 : Internet Explorer 9 post-install hotfix

So let's start with the second example, deploying an Internet Explorer 9 fix as an application in a task sequence.

Why? I was looking at several Windows 7 machines in an environment where every new domain user who had never logged onto a machine before got the following error message:

The User Profile Service service failed the logon.

User profile cannot be loaded.

In this case there was an existing Microsoft KB article for this, located at http://support.microsoft.com/kb/947215

Let's build our application now:

1. Create a VBS with the following lines:

'Fix user profile issue with IE9 setup (KB947215): delete the stale SQM file
'from the Default profile so that new users can log on.
strFile = "c:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\SQM\iesqmdata_setup0.sqm"
Set objFSO = CreateObject("Scripting.FileSystemObject")
'DeleteFile raises an error when the file is missing, which would make the install fail; only delete when it exists.
If objFSO.FileExists(strFile) Then objFSO.DeleteFile strFile, True

2. Create your application. In this example: "Internet Explorer 9 Post Install Fix".

3. Create a deployment type.

4. Specify your program to run. In this case "IE9….vbs".

5. Now we will use a script as detection method. If the exit code is a non-zero value, then the script has failed and the application detection status is unknown. If the exit code is zero and STDOUT contains data, then the application detection state is installed. –> see http://technet.microsoft.com/en-us/library/b2483e0f-3b9b-4551-ba5e-19fe0f5be3be#BKMK_Step4

From my experience, if you use a VBScript detection method, any returned value from wscript.echo, anything at all, means that the detection passed. Even if you wscript.echo "FALSE", it doesn't matter; something was returned, so the script passed.

If you don't want it to pass detection, simply don't echo anything.

6. Specify VBScript as the language and paste a script that detects whether the file is there or not.

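The detection script itself is only shown as a screenshot in the post. The following is an added example of the same detection logic, written in PowerShell (which ConfigMgr 2012 accepts as a detection script language alongside VBScript, with the same exit code and STDOUT contract described in step 5). It is not the post's script; the file path is the one from the VBS above.

```powershell
# Added example, not the post's own detection script: script detection method
# for the "Internet Explorer 9 Post Install Fix" application.
# ConfigMgr rules (from the TechNet link in step 5):
#   exit 0 + anything on STDOUT  -> installed
#   exit 0 + empty STDOUT        -> not installed
#   non-zero exit code           -> unknown (script failure)
# The fix deletes the stale SQM file, so "installed" means the file is gone.

$sqmFile = 'C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\SQM\iesqmdata_setup0.sqm'

try {
    if (Test-Path -LiteralPath $sqmFile) {
        # File still present: write nothing, so ConfigMgr reports "not installed"
        # and the deployment type's install program gets to run.
        exit 0
    }
    # File gone: any output at all flips the state to "installed". The text is
    # irrelevant to ConfigMgr but shows up in AppDiscovery.log, which helps when
    # troubleshooting why an application was (not) detected.
    Write-Output 'Installed'
    exit 0
}
catch {
    # Unexpected failure (for example access denied to the Default profile):
    # a non-zero exit code makes ConfigMgr report "unknown" instead of silently
    # treating the fix as missing and re-running it on every evaluation.
    exit 1
}
```

The same three-way contract applies to a VBScript detection script: `wscript.echo` anything for "installed", echo nothing for "not installed", and `wscript.quit 1` for "unknown".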

 

Hope it Helps ,

Kenny Buntinx


Configmgr 2007 / 2012 : Using AfterBackup.bat to Daily Archive a Backup Snapshot


To ensure that a recent backup snapshot is always available, it is recommended that you archive the backup snapshot every time the SMS backup task completes a backup cycle. By default, the standard backup task overwrites the previously created backup.

To accomplish that, you can use the AfterBackup.bat file to run a third-party tool (7-Zip) that automatically archives the backup snapshot every time you back up your site. After successfully backing up the site, the SMS backup task runs the AfterBackup.bat batch file. The AfterBackup.bat file integrates the archive and backup operations, thus ensuring that every new backup snapshot is archived.

All this script does is move the backup folder to a folder named after the day of the week. If the destination already exists, it is deleted first, resulting in 7 days of backups or more.

To use the AfterBackup.bat file:

  1. Prepare an ASCII file with commands that archive your backup snapshot, or that perform any other post-backup tasks your site requires.
  2. Name the file "AfterBackup.bat" and save it in the SMS\inboxes\smsbkup.box folder. Now, every time the backup task runs successfully, it will run the AfterBackup.bat file.
  3. Every time the AfterBackup.bat file archives the site's backup snapshot, store that archive in a secure location.

Here is an AfterBackup.bat file that makes a daily archive of the ConfigMgr backup, so that you have a full week of backups.

Set BackupDir=\\xxx\sccm12_backup$\CM12_backup
Set ArchiveDir=\\xxx\sccm12_backup$\CM12_backup_archives
REM The archive name is built from %date% (day, month, year here). The offsets
REM depend on the server's short date format, so check "echo %date%" on your
REM site server first and adjust them if the format differs.
"%ArchiveDir%\7za.exe" a -r "%ArchiveDir%\%date:~0,2%%date:~3,2%%date:~-4%.7z" "%BackupDir%"

  4. Place the file in the SMS\inboxes\smsbkup.box folder (the inbox from step 2 above).
  5. Make sure you copy the 7-Zip command line executable (7za.exe) into the root of the archive directory. When the backup has run daily, you should see one archive per day in that directory.

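The batch file above names archives by date, so it grows without bound and depends on the server's %date% format. As an added example (not from the post), the script below implements the weekday rotation the text describes: the snapshot is archived into a folder named after the day of the week, the previous week's copy for that day is deleted first, and 7-Zip is used when it is present. The share paths and the 7za.exe location are the placeholders from the post; call the script from AfterBackup.bat as `powershell.exe -NoProfile -ExecutionPolicy Bypass -File "<full path>\Rotate-Backup.ps1"` (Rotate-Backup.ps1 is a hypothetical name).

```powershell
# Added example, not from the original post: rotate the ConfigMgr backup
# snapshot into a per-weekday folder so that seven backups are kept and the
# eighth overwrites the oldest. Meant to be launched from AfterBackup.bat.
# The paths are placeholders taken from the post's batch file.
param(
    [string]$BackupDir  = '\\xxx\sccm12_backup$\CM12_backup',
    [string]$ArchiveDir = '\\xxx\sccm12_backup$\CM12_backup_archives',
    [string]$SevenZip   = '\\xxx\sccm12_backup$\CM12_backup_archives\7za.exe'
)
$ErrorActionPreference = 'Stop'

function Get-RotationTarget {
    param([string]$Root, [datetime]$Date)
    # Monday ... Sunday: one slot per weekday, independent of the locale's
    # short date format that %date% in the batch file relies on.
    return Join-Path $Root $Date.DayOfWeek.ToString()
}

if (-not (Test-Path -LiteralPath $BackupDir)) {
    throw "Backup folder $BackupDir not found; did the smsbkup task complete?"
}

$dest = Get-RotationTarget -Root $ArchiveDir -Date (Get-Date)

# Last week's copy for this weekday is replaced, as the post describes.
if (Test-Path -LiteralPath $dest) {
    Remove-Item -LiteralPath $dest -Recurse -Force
}
New-Item -ItemType Directory -Path $dest | Out-Null

if (Test-Path -LiteralPath $SevenZip) {
    # Same "a -r" call as the batch file, but with an ISO-style name.
    $archive = Join-Path $dest ('CM12_backup_{0:yyyy-MM-dd}.7z' -f (Get-Date))
    & $SevenZip a -r $archive $BackupDir | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "7za.exe returned exit code $LASTEXITCODE" }
} else {
    # No 7-Zip on the share: keep an uncompressed copy rather than nothing.
    Copy-Item -LiteralPath $BackupDir -Destination $dest -Recurse
}
Write-Host "Backup snapshot archived to $dest"
```

Because the site backup task runs AfterBackup.bat only after a successful backup, a thrown error here never touches the snapshot itself; it just leaves that weekday's folder empty, which is easy to spot when checking the archive directory.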

 

Hope it Helps ,

Kenny Buntinx

How to Install Windows 7 Language packs online during OSD Task Sequence (or in your Hybrid base image)


The Windows 7 language pack setup, lpksetup, includes parameters to support a managed installation. I successfully tested the following from the command prompt:

lpksetup.exe /i nl-NL /p . /r /s

I created and advertised a program with this command line, but it quickly failed on Windows 7 x64.

The test system returned an error status message, ID 10003: "An error occurred while preparing to run the program for advertisement…. The operating system reported error 2147942402: The system cannot find the file specified."

Execmgr.log contained the following:

File C:\Windows\SysWOW64\CCM\Cache\…\lpksetup.exe is not a valid executable file
Invalid executable file lpksetup.exe

It turns out that lpksetup.exe on Windows 7 64-bit is a 64-bit-only process. The ConfigMgr client (installed under SysWOW64, as the log path shows) is a 32-bit process, and with WOW64 file redirection a 32-bit process that asks for C:\Windows\System32 is redirected to C:\Windows\SysWOW64, which does not contain lpksetup.exe. So I altered the ConfigMgr program command line to:

%WinDir%\SysNative\lpksetup.exe /i nl-NL /p . /r /s

Using the SysNative alias, which bypasses the WOW64 redirection, allowed the language pack to be installed successfully on Windows 7 64-bit from a ConfigMgr advertised program or task sequence.

The language packs are installed successfully, as I can choose the installed languages after the installation.

I have got this valuable information from Aaron Czechowski at http://blogs.technet.com/b/aaronczechowski/archive/2011/12/18/deploying-windows-7-language-packs-via-configmgr.aspx
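The SysNative trick applies to any 64-bit-only tool started from the 32-bit client. As an added example (not from the post or from Aaron's article), the wrapper below works out at run time whether it is running under WOW64 and picks Sysnative or System32 accordingly, so the same program works on both x86 and x64 clients. The language and pack folder are the values from the post's command line.

```powershell
# Added example, not from the original post: launch a 64-bit-only tool such
# as lpksetup.exe from a ConfigMgr program, which on 64-bit Windows runs as a
# 32-bit process. Rather than hard-coding SysNative, detect WOW64 redirection.
# Language and pack folder are example inputs taken from the post.
param(
    [string]$Language = 'nl-NL',
    [string]$PackPath = '.'    # folder holding the language pack, the post's "/p ."
)

function Get-NativeSystem32 {
    # In a 32-bit process on 64-bit Windows, PROCESSOR_ARCHITEW6432 is set and
    # System32 is redirected to SysWOW64; the Sysnative alias bypasses that
    # redirection. A native 64-bit process, or any process on a 32-bit OS,
    # can use System32 directly (Sysnative does not exist there).
    $isWow64 = ([IntPtr]::Size -eq 4) -and ($env:PROCESSOR_ARCHITEW6432 -ne $null)
    if ($isWow64) { return Join-Path $env:windir 'Sysnative' }
    return Join-Path $env:windir 'System32'
}

$lpksetup = Join-Path (Get-NativeSystem32) 'lpksetup.exe'
if (-not (Test-Path -LiteralPath $lpksetup)) {
    # This is the "system cannot find the file specified" case from execmgr.log.
    Write-Error "lpksetup.exe not found at $lpksetup"
    exit 2
}

# Same switches as the post's command line: /i <language> /p <folder> /r /s.
$lpkArgs = "/i $Language /p `"$PackPath`" /r /s"
$proc = Start-Process -FilePath $lpksetup -ArgumentList $lpkArgs -Wait -PassThru
Write-Host "lpksetup.exe exited with code $($proc.ExitCode)"

# Pass the installer's exit code back so ConfigMgr records success or failure.
exit $proc.ExitCode
```

Because the ConfigMgr client launches powershell.exe from the redirected System32, the script itself runs as a 32-bit process on x64 clients, which is exactly the case the `$isWow64` branch handles.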

Hope it Helps ,

Kenny Buntinx

Deploying a Windows 7 MUI machine based on a "Hybrid MUI image" within Configmgr 2012

This post and subsequent posts will be a step-by-step guide on how to build a hybrid base Windows 7 image (yes, I know that everyone should roll out the new fancy Windows 8) in Configmgr 2012 and use that image as a base to deploy in your company. I will outline the process without necessarily pointing out every click. Hopefully others will find this helpful. This assumes an understanding of Configmgr 2012 and uses what is referred to as a "Hybrid Image Strategy".

 

In this post I'm going to outline how to handle multiple languages in a Windows 7 Enterprise deployment. Windows 7 Enterprise comes natively as a Multilingual User Interface (MUI) type OS to which you can add Language Packs. A language pack allows users to change the interface display language of Windows' dialog boxes, menus and other text to the selected language. You can download/install them in a few different ways.

They take a long time to install, and in our scenario it's better to integrate them into your hybrid base .WIM image.

For this example, we're going to configure and capture an OS image with the Dutch language pack installed. The reasons why we use the Windows 7 base OS in English are:

  • Scripting in native English. This means creating one script for all workstations in the enterprise.
  • One worldwide image per platform (x64 or x86); otherwise we would deploy Windows 7 Professional English, Dutch and French as native OSes, meaning one image per language.
  • Windows security update patching can be limited to English, which reduces the time and effort to test/build everything.

The first step is to build the hybrid image and to get a copy of the language pack you need; these are a little hard to get hold of because of the licensing requirement. You can get a copy of the language pack:

  • Through your Microsoft support via MVLS.
  • Via Windows Update, where the Windows 7 language packs are available as an optional update.
  • Windows 7 SP1 MUI language packs are released as KB2483139. All Windows 7 SP1 language packs (MUI) are available in DVD ISO format from MSDN and TechNet Subscriber Downloads.
  • For people who want to download the MUI language packs for Windows 7 SP1 only from an official source, here are the direct download file names of most of the 32-bit (x86) and 64-bit (x64) Windows 7 SP1 MUI language packs from Microsoft's Windows Update server.

    Download Official 32-bit (x86) Windows 7 SP1 MUI Language Packs

    Arabic: windows6.1-kb2483139-x86-ar-sa_5add6e4a36127029d431ba98d99708c44ef9b53f.exe
    Bulgarian: windows6.1-kb2483139-x86-bg-bg_a8a5013e477366119cfdc5fbda43b904755db450.exe
    Chinese (Simplified): windows6.1-kb2483139-x86-zh-cn_ae61ea226215f96fc95be33201ffc96755ac7eb5.exe
    Chinese (Traditional): windows6.1-kb2483139-x86-zh-hk_411a6bb68728f12f5ced712d9a33fee9ebe0b0b3.exe
    Danish: windows6.1-kb2483139-x86-da-dk_67fecaab0a940e2e537bc8dcd8a9ebb8ab4ed102.exe
    Dutch: windows6.1-kb2483139-x86-nl-nl_b7e1c3046b218fb45a665ab5f5ed8a5ea8125760.exe
    English: windows6.1-kb2483139-x86-en-us_783d6dd59e2ec8fb0995a059c9c121795bde46c8.exe
    Finnish: windows6.1-kb2483139-x86-fi-fi_5259ca6a22a981dbdee352dde5b8e65c2fddd407.exe
    French: windows6.1-kb2483139-x86-fr-fr_f57427487dfc2f49da67cac22480ab1f48983d22.exe
    German: windows6.1-kb2483139-x86-de-de_acb9b88b96d432749ab63bd93423af054d23bf81.exe
    Italian: windows6.1-kb2483139-x86-it-it_1d54a8d0047674fc1b5b6f41292a0074d9fe3cc5.exe
    Japanese: windows6.1-kb2483139-x86-ja-jp_bc46078938ae9129c7ce86a9c176fa517e4c0a3d.exe
    Korean: windows6.1-kb2483139-x86-ko-kr_18f213428cc6fde96d8c76c6dd91446348e86ce6.exe
    Norwegian: windows6.1-kb2483139-x86-nb-no_5bd6fc76ad54b7a232d4ceb4a5f5c7c366bf90b6.exe
    Polish: windows6.1-kb2483139-x86-pl-pl_c460a8c1392d7f3d35d1c0b37e56017d3552d245.exe
    Portuguese (Brazil): windows6.1-kb2483139-x86-pt-br_6e1d337b2fd56669d461e82601aa51004fecbd24.exe
    Portuguese (Portugal): windows6.1-kb2483139-x86-pt-pt_5cc92ef98ed177b2f6bbae3a0420ee2f12764fab.exe
    Russian: windows6.1-kb2483139-x86-ru-ru_6532a8f36ad7d15277d5d60da92555f0fbee4daa.exe
    Spanish: windows6.1-kb2483139-x86-es-es_6aef75f7d83edaabc2a921a6b157cc7005628286.exe
    Swedish: windows6.1-kb2483139-x86-sv-se_bd65af75e8995bd865d93c8d8c8a35091499083f.exe

    Download Official 64-bit (x64) Windows 7 SP1 MUI Language Packs

    Arabic: windows6.1-kb2483139-x64-ar-sa_f07f2cc7b55b17076eebceea2c2c2826b08b8f63.exe
    Chinese (Simplified): windows6.1-kb2483139-x64-zh-cn_2c1884b4fdf6c8e91986369d88bbcaae01c6f187.exe
    Chinese (Traditional): windows6.1-kb2483139-x64-zh-hk_285282b1e2f750eeed91466918443b657968d977.exe
    Danish: windows6.1-kb2483139-x64-da-dk_d753d19cc1a0fe95aef21548193393c04a6a8024.exe
    Dutch: windows6.1-kb2483139-x64-nl-nl_12c90c70d408b08f51f500d6e974878a5d662398.exe
    English: windows6.1-kb2483139-x64-en-us_9b9c8a867baff2920507fbf1e1b4a158572b9b87.exe
    Finnish: windows6.1-kb2483139-x64-fi-fi_223465e1b382484d1d82f8f2ccfcd9ed2f902c76.exe
    French: windows6.1-kb2483139-x64-fr-fr_0f18e2a244dd9ff04664112a82776d2bd2177798.exe
    German: windows6.1-kb2483139-x64-de-de_4f4ce6bd38530b4a02199172863b21a0cba13773.exe
    Italian: windows6.1-kb2483139-x64-it-it_6d8223c065d6974d833d0eaa162f3ceb7680850f.exe
    Japanese: windows6.1-kb2483139-x64-ja-jp_aeaf7e9b0b6c2173bf757330017a7f655f1f8715.exe
    Korean: windows6.1-kb2483139-x64-ko-kr_0ea76f748e3d5309d568147ad1337b2664090944.exe
    Norwegian: windows6.1-kb2483139-x64-nb-no_78df68604970041a6337b4058a3e5339f79e50b4.exe
    Polish: windows6.1-kb2483139-x64-pl-pl_24d00a966a7a75132c3af5627634483d3e2d01e7.exe
    Portuguese (Brazil): windows6.1-kb2483139-x64-pt-br_f8035731c55d774c95c7c673aedfd42d52479294.exe
    Portuguese (Portugal): windows6.1-kb2483139-x64-pt-pt_78485491088298110a3e78b7a5f95e55ff7808df.exe
    Russian: windows6.1-kb2483139-x64-ru-ru_0587eb296a2f04e0d3699650d39b53ee18b97a79.exe
    Spanish: windows6.1-kb2483139-x64-es-es_fdbdf4061b960324efb9eedf7106df543ed8ce33.exe
    Swedish: windows6.1-kb2483139-x64-sv-se_81051fe3083afdb4f2d1d23752c587de9bb35025.exe

With those language packs downloaded, we are going to create a "Hybrid Base OS" task sequence which will build and capture a VM (VMware, Xen or Hyper-V –> HAL independent) from the setup.exe Windows 7 SP1 Enterprise setup files, and add the following components:

  • A good unattend.xml file to automate setup. –> See also http://scug.be/sccm/2010/02/02/sccm-windows-7-deployments-amp-unattended-xml/
  • A few task sequence variables to identify the machine and do some branding.
  • The MUI packs I want to integrate. I add my Dutch language pack install. That will produce a hybrid .WIM with the language pack integrated.
  • Latest .NET Framework 3.5 SP1 and 4.0. If you really want, .NET 4.5 should work as well.
  • Windows Management Framework 3.0 = KB2506146 or KB2506143 (Attention: there are a few code defects, but a toxic issue with ConfigMgr 2012 RTM – it is FIXED with ConfigMgr 2012 SP1 –> only install if you have SP1!)
  • All the various Visual C++ Runtime Libraries (2005 SP1, 2008 SP1, 2010 SP1)
  • All the various Visual C++ Report Viewers (2005 SP1, 2008 SP1, 2010 SP1)
  • Internet Explorer 9 (or 10 when it releases for Windows 7)
  • All current patches
  • Optional: Office 2007 / 2010 / 2013 MUI. My advice is only to incorporate Office if you have one version of Office throughout your enterprise, meaning Office ProPlus for everyone and no mix!

The task sequence itself will look like this:


  • 1) Import Windows 7 SP1 x64 Enterprise as an Operating System Install Package and add it to a distribution point.
  • 2) Create a Windows 7 SP1 x64 Unattend.xml package in Configmgr (yes, a package, as there is no way to handle it as an application) and add it to a distribution point. An example of a good unattend.xml file can be found here: http://scug.be/sccm/2010/02/02/sccm-windows-7-deployments-amp-unattended-xml/

Make sure you have the following lines adapted as shown below. It will help you later to build a machine that meets your language criteria: the %OSD…% placeholders are replaced by the task sequence with the variables of the same name, which we define on the collections in step 4.

<component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <InputLocale>%OSDInputLocale%</InputLocale>
    <SystemLocale>%OSDSystemLocale%</SystemLocale>
    <UILanguage>%OSDUILanguage%</UILanguage>
    <UILanguageFallback>%OSDUILanguageFallback%</UILanguageFallback>
    <UserLocale>%OSDUserLocale%</UserLocale>
</component>
  • 3) Create a package and program for your Windows 7 SP1 MUI language packs. Create one for x64 and one for x86 (if you need to support two HW platforms). An example of how to build the Windows 7 SP1 MUI language packs package can be found here:

     

  • 4) Create four (4) OSD collections and set your collection variables accordingly:

Define the following variables accordingly:

  • OSDInputLocale = EN-US
  • OSDSystemLocale = EN-US
  • OSDUILanguage = EN-US
  • OSDUILanguageFallback = EN-US
  • OSDUserLocale = EN-US
  • Capture = YES
  • OfficePreinstall = YES


  • 5) Create a "Build and capture" task sequence:

        • Name the task sequence something appropriate like "Build & Capture Windows 7 SP1 X64 Hybrid Image"
        • Select the x64 boot image
        • Create a "Disk Format and Partition" step, choose properties on the Default (Primary) partition and check the "Quick Format" option
        • Select the Operating System Package you created in step 1 and specify the unattend.xml file you created in step 2
        • Set the local admin password to blank (needed for sysprep to work)
        • Join a domain and use a domain join account for security reasons. An example of how to create a domain join account can be found here: http://scug.be/sccm/2008/10/20/configmanager-osd-joining-machines-to-a-domain-and-its-security/
        • Select the ConfigMgr 2012 client that is already available in Configmgr 2012
        • Create a few task sequence variables to identify the machine and do some branding. We will use them later to create our automatic naming when we are capturing the image.
          • Set OSDModel = "VMware" when the following WMI query is true: select * from Win32_ComputerSystem WHERE model like '%VMware%'
          • Set OSDARCHITECTURE = "X64"
          • Set OSDVERSION = "Windows 7"
          • Set OSDREVISION = "SP1"
        • Windows Management Framework 3.0 = KB2506146 or KB2506143 (Attention: there are a few code defects, but a toxic issue with ConfigMgr 2012 RTM – it is FIXED with ConfigMgr 2012 SP1 –> only install if you have SP1!)
        • All the various Visual C++ Runtime Libraries (2005 SP1, 2008 SP1, 2010 SP1)
        • Optional: Office 2007 / 2010 / 2013 MUI (remember the task sequence variable we have set at collection level!)
        • All current patches –> Install Software Updates (SU) step
        • Set your image properties and capture settings
        • Select a location to save the image and make sure you include the full path including the .wim extension

Capture without Office: (remember the task sequence variable we have set at collection level!)

Capture with Office: (remember the task sequence variable we have set at collection level!)

        • Enter an account with rights to write to the share
        • Finish up
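The four "Set Task Sequence Variable" steps above (OSDModel, OSDARCHITECTURE, OSDVERSION, OSDREVISION) can also be set from a single script step. As an added example (not from the post), the script below evaluates the same Win32_ComputerSystem model condition, derives the architecture from the installed OS rather than hard-coding it, and writes the variables through the Microsoft.SMS.TSEnvironment COM object. It assumes a Run PowerShell Script step (ConfigMgr 2012 SP1) or a Run Command Line step calling powershell.exe inside the running task sequence; the Hyper-V and Xen model strings are assumptions, since the post only gives the VMware condition.

```powershell
# Added example, not from the original post: set the identification and
# branding task sequence variables from one script step. The
# Microsoft.SMS.TSEnvironment COM object only exists while a task sequence
# is running, so this script must be a step of the task sequence itself.

function Get-OsdModel {
    param([string]$Model)
    # Same condition as the post's WMI query: model LIKE '%VMware%'.
    if ($Model -like '*VMware*') { return 'VMware' }
    # Assumed model strings for the other hypervisors named in the post.
    if ($Model -like '*Virtual Machine*') { return 'Hyper-V' }
    if ($Model -like '*HVM domU*')        { return 'Xen' }
    return $Model
}

function Get-OsdArchitecture {
    # Win32_OperatingSystem.OSArchitecture reports "64-bit" or "32-bit" on
    # Windows 7, regardless of whether this script runs as a 32-bit process.
    $osArch = (Get-WmiObject -Class Win32_OperatingSystem).OSArchitecture
    if ($osArch -like '64*') { return 'X64' } else { return 'X86' }
}

$tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
$model = (Get-WmiObject -Class Win32_ComputerSystem).Model

$values = @{
    'OSDModel'        = Get-OsdModel -Model $model
    'OSDARCHITECTURE' = Get-OsdArchitecture
    'OSDVERSION'      = 'Windows 7'   # values from the post
    'OSDREVISION'     = 'SP1'
}

foreach ($name in $values.Keys) {
    # Variables set this way are visible to every later step, including the
    # capture step that builds the image name from them.
    $tsenv.Value($name) = $values[$name]
    Write-Host ('{0} = {1}' -f $name, $values[$name])
}
```

Writing the values through `$tsenv.Value(...)` is equivalent to the built-in step; the gain is that the model, architecture and version logic lives in one place, which is easier to review than conditions spread over several task sequence steps.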

6) Deploy your "Build and capture" task sequence to a VMware, Xen or Hyper-V VM. Look here for how to do it for VMware: http://scug.be/sccm/2010/02/03/sccm-deploying-windows-7-on-a-vmware-esx-environment-howto/

Create your deployments (advertisements) accordingly.

Stay tuned for Part 2, where we will deploy the hybrid image (that we just created) for full deployment.

Hope it Helps

Kenny Buntinx

KB2688247: SQL Server cumulative updates must be manually installed on secondary System Center 2012 Configuration Manager sites that use SQL Server Express

System Center 2012 Configuration Manager: The original RTM version of Microsoft System Center 2012 Configuration Manager installs Microsoft SQL Server Express 2008 R2 Service Pack 1 (SP1) when you deploy a new secondary site. The minimum supported SQL Server version is Cumulative Update 4 for SQL Server 2008 R2 Service Pack 1 (SP1).

System Center 2012 Configuration Manager Service Pack 1: System Center 2012 Configuration Manager SP1 requires Cumulative Update 6 for SQL Server 2008 R2 Service Pack 1 (or SQL Server 2008 R2 SP2).

You must manually install the cumulative update for SQL Server 2008 R2 SP1 on the new secondary site after the site is installed. More information here: http://support.microsoft.com/kb/2688247

Hope it Helps,

Kenny Buntinx

Configmgr 2012 SP1 : Broken Applications after upgrading from RTM

Scenario: Upgrading a Configmgr 2012 RTM environment to a new SP1 environment. It was a standalone primary site RTM build without any CU (5.00.7711.0000).

Issue: After the upgrade was performed successfully, suddenly all applications within my OSD task sequence started failing with the following error:

The task sequence failed to install application Intel Management Engine 6.0.40.1215(ScopeId_67A221E3-64F0-47D4-AA5A-BB3729EC221F/Application_2071f753-7604-42a5-b6be-b1b45c3c1f0a) for action (Install HW Driver Applications for HP8540P) in the group () with exit code 615. The operating system reported error 615: The password provided is too short to meet the policy of your user account. Please choose a longer password.

Identifying the cause: After some checks, I saw that it concerned only applications, and I discovered that they had no ContentID associated with each deployment type. In other words, all the applications that were created and are embedded in a TS with no direct deployment attached to the application. It appears that the upgrade process broke all these applications.

Workaround:

We found a workaround: you simply have to add a comment to each DT and it will update the content ID. Nevertheless, the change means a redistribution of your application to all your DPs.

Hope it Helps,

Kenny Buntinx

How to sequence the Microsoft System Center 2012 Configuration Manager Admin Console with Microsoft App-V

Did you ever feel like sequencing your Configmgr 2012 console with App-V? Somaning Turwale, a Support Engineer from the Management and Security Division, has written these steps on how to do this:

1. Follow the best practices for the Microsoft Application Virtualization Sequencer:

http://technet.microsoft.com/en-us/library/dd351420.aspx

2. Build your clean sequencing system with the 64-bit version of Windows 7 Service Pack 1 and join it to the domain.

3. Install the .NET 4 full version on the Sequencer machine (http://www.microsoft.com/en-us/download/details.aspx?id=17851).

4. Copy the Tools folder from your ConfigMgr 2012 central site server to the sequencing machine and place it in the following path:

C:\Program files\Microsoft Configuration Manager\Tools

NOTE: This is used for sequencing ConfigMgr 2012 version 5.00.7711.0000, build 7711.

5. Install the App-V 4.6 SP1 Sequencer with Hotfix 8 (http://support.microsoft.com/kb/2761558).

6. Launch the Microsoft Application Virtualization Sequencer and select Create New Virtual Application Package.

7. Select the Create Package (Default) option and click Next. Note that Prepare the Computer for Creating a Virtual Package may give the warning "Windows Defender is active". If so, launch the Services.msc snap-in and stop the Windows Defender service. After doing so, click Refresh and then click Next.

8. Select the Standard Application (default) option and click Next.

9. On the Select Installer screen, browse to the Tools folder and select ConsoleSetup.exe, then click Next.

10. Name the package ConfigMgr2012Console, leave the other options at their defaults and click Next.

11. Once the ConfigMgr installation screen appears, click Install Configuration Manager 2012 and click Next.

12. Type the FQDN of the central site server name and click Next.

13. Leave the Destination Folder as the default (e.g. C:\Program Files(x86)\Microsoft Configuration Manager Console\) and click Next.

14. Click Install and wait for the installation to complete, then click Finish.

15. Now the ConfigMgr 2012 console will launch. Verify that everything functions properly and exit from the console.

16. Select the I am finished installing option and click Next.

17. Select the ConfigMgr console and run it. After launching the console, close it. Click Next to review the installation report and click Next when you're done.

18. Select the Customize option and click Next.

19. If you would like to remove the "Remote Control View", right-click it and remove it.

20. Click Next and then Run All. Once the console launches completely, verify the settings and exit the console.

21. Select the Target OS, click Next and then select Create the Package. The package will be saved as ConfigMgr2012Console.

22. Copy the package to the App-V management content share.

23. Follow the normal procedure to import the package into your App-V Management server.

24. Verify that the console is published to the App-V users.

25. Ensure that the .NET 4 full version is installed on the App-V clients, as it is a prerequisite for the console.

26. Make sure that the App-V clients have the latest hotfix installed (e.g. 4.6.1.30151).

27. Ensure that you have the required permissions and connectivity to the site server.

If all steps are followed correctly, the client should be able to launch the Configuration Manager console successfully.

For the full article on how to sequence the console, please visit http://blogs.technet.com/b/appv/archive/2013/01/08/how-to-sequence-the-microsoft-system-center-2012-configuration-manager-admin-console-with-microsoft-app-v.aspx

Hope it Helps,

Kenny Buntinx

CM2012 SP1 – No default boot images available / "Only finalized boot images are supported"

Issue: When you do a fresh install or an upgrade from Configmgr 2012 RTM to SP1, you will see your install/upgrade failing with "No default boot images available" or "Only finalized boot images are supported". The Configmgr setup log file will confirm that the migration/creation of boot images did not succeed.

Adding the boot images manually doesn't work either; the console shows an error message as well.

Reason: You have the following components running in your environment:

• McAfee VirusScan Enterprise (VSE) 8.8 Patch 2
• Microsoft Windows Assessment and Installation Kit (WAIK)
• ADK (Assessment and Deployment Kit)
• Microsoft Deployment Toolkit (MDT) 2012 / SP1
• Microsoft Configuration Manager 2012 RTM / SP1

Solution:

Issue during upgrade from RTM to SP1: If you find yourself in this situation where boot images didn't get updated during the site upgrade, you can manually update the boot images using the following instructions:

  1. Rename the boot.wim and the default boot wims in each architecture folder of the <smsinstall>OSD\boot\ folder – both i386 and x64 – to <wim>.bak
  2. Starting with the i386 folder first: find the install folder of the ADK, which should be here if you installed with the defaults: "C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\en-us\winpe.wim". You will need to copy the winpe.wim to the <smsinstall>OSD\boot\i386 folder. Rename it to boot.wim.
  3. You will also need to copy it again, but this time rename it so it matches the name of the default boot wim for the site – so it should look like boot.<packageid>.wim
  4. Update the default boot image through WMI (for example with wbemtest, connected to the root\SMS\site_<sitecode> namespace on the site server).
  5. Click "Execute Method" -> enter the object path SMS_BootImagePackage.PackageID="<Image ID you see in the console, e.g. POL00001>" -> UpdateDefaultImage
  6. You will need to do this for the x64 folder as well. Do not do this for any custom boot images – this is just to update the default boot wims installed during setup of the site.
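As an added example (not from the post), the script below performs steps 1 to 5 for one architecture folder, so the procedure can be repeated for i386 and x64 without hand-editing paths in between. The install path, site code and package ID are placeholders to replace with your own values; x86 and x64 default boot images have different package IDs, so run it once per architecture with the matching ID. It assumes ADK 8.0 in its default location and an elevated PowerShell session on the site server, with the AV exclusions listed below already in place.

```powershell
# Added example, not from the original post: script the manual default boot
# image repair for one architecture folder. Placeholders: ConfigMgr install
# path, site code and the default boot image package ID from the console.
param(
    [ValidateSet('i386', 'x64')]
    [string]$Arch       = 'i386',
    [string]$SmsInstall = 'C:\Program Files\Microsoft Configuration Manager',
    [string]$SiteCode   = 'XXX',
    [string]$PackageId  = 'XXX00001'
)
$ErrorActionPreference = 'Stop'

# The ADK uses x86/amd64 folder names where ConfigMgr uses i386/x64.
$adkFolders = @{ 'i386' = 'x86'; 'x64' = 'amd64' }
$winpe = 'C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\' +
         "Windows Preinstallation Environment\$($adkFolders[$Arch])\en-us\winpe.wim"
$bootDir = Join-Path $SmsInstall "OSD\boot\$Arch"

if (-not (Test-Path -LiteralPath $winpe))   { throw "ADK winpe.wim not found: $winpe" }
if (-not (Test-Path -LiteralPath $bootDir)) { throw "Boot folder not found: $bootDir" }

# Step 1: keep the broken default wims as .bak. Only the two default names
# are touched, so custom boot images are left alone as the post requires.
foreach ($name in 'boot.wim', "boot.$PackageId.wim") {
    $path = Join-Path $bootDir $name
    if (Test-Path -LiteralPath $path) {
        Rename-Item -LiteralPath $path -NewName "$name.bak"
    }
}

# Steps 2 and 3: a fresh winpe.wim copied in twice, as boot.wim and as
# boot.<packageid>.wim.
Copy-Item -LiteralPath $winpe -Destination (Join-Path $bootDir 'boot.wim')
Copy-Item -LiteralPath $winpe -Destination (Join-Path $bootDir "boot.$PackageId.wim")

# Steps 4 and 5: the same UpdateDefaultImage call the post makes by hand in
# wbemtest, against the SMS_BootImagePackage instance in the site's namespace.
$result = Invoke-WmiMethod -Namespace "root\SMS\site_$SiteCode" `
    -Path "SMS_BootImagePackage.PackageID='$PackageId'" -Name 'UpdateDefaultImage'
Write-Host "UpdateDefaultImage for $Arch returned $($result.ReturnValue)"
```

A return value of 0 from UpdateDefaultImage means the site accepted the new image; afterwards the boot image should show up as finalized in the console and the setup error no longer occurs.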

Before a full install or upgrade:

Folders to exclude from AV scanning:

· The temporary folder for these cases is C:\Windows\TEMP\BootImages\{GUID}. Exclude C:\Windows\TEMP\BootImages and subfolders.

· The temporary folder for offline servicing is <X:>\ConfigMgr_OfflineImageServicing and several subfolders used for different purposes – staging files, mounting the OS, etc. – where <X:> is the StagingDrive value from the Offline Servicing Manager section of the site control file. If this value is missing, the drive where the site is installed is used. Exclude <X:>\ConfigMgr_OfflineImageServicing and subfolders.

Information from McAfee KB: https://kc.mcafee.com/corporate/index?page=content&id=KB76867&actp=search&viewlocale=en_US&searchid=1357907921573

Product team blog:

http://blogs.technet.com/b/systemcenterpfe/archive/2013/01/11/updated-system-center-2012-configuration-manager-antivirus-exclusions-with-more-details.aspx

Hope it Helps,

Kenny Buntinx

MVP System Center Configuration Manager 2012


    ConfigMgr 2012 SP1 : The 8dot3name settings are disabled on the volumes upon partitioning and formatting of the local disk.

    $
    0
    0

     

    Ever since we’ve been capturing our images with ConfigMgr 2012 SP1 we’ve noticed that 8dot3name creation is disabled on all volumes on the hard drive on the volume level when installing a machine with the same installation source as before (Windows 7 Enterprise SP1 x64). In our environment, we need this to be enabled for certain applications to work properly. ( Almost all Legacy XP Apps that work on Win7) . Nowhere is this change documented .

    This wasn’t the case with ConfigMgr 2012 RTM , the difference there was that we where using WAIK instead of ADK.

    I’ve been in discussions with the System Center Configuration Manager product team and received a response from them late yesterday.  They did, in fact, change the default behavior of the formatting tools in Windows 8. (ADK) 

    They are working with them (ADK Team)  to figure out where/how this change was communicated, and to see how they can best communicate it more broadly.  In the meantime, They’ll continue working with them to figure out what our options are for resolving/working around this issue in Configmgr 2012 SP1.

    Workarounds :

    One option would be to create your own partitioning and formatting script and use that as a Run Command Line action instead of using there built-in Format and Partition Disk action.  I know that’s not elegant, but may be your best bet for now.

    Here’s what the Windows imaging team had to say (with some additions/clarifications from me)…

    Windows 8 does have 8.3 disabled on non-OS drives by default.  ImageX (and other Windows imaging tools) does preserve the same when capturing the image, and will apply as how the image was captured.  In the case where files with short file names are in a captured image, but the volume where the image will be applied has 8.3 disabled, WIMGAPI will enable 8.3 on the volume and set the short file names accordingly when the image is applied.

    If they formatted a data volume using a Windows 8 format utility, short names would be disabled by default on the volume.  This is the default way format behaves.

    How short names get enabled on the system volume is that setup explicitly turns them back on after formatting the system volume.  (i.e. if you’re applying an image and not running Setup, they won’t be turned back on automatically)

    You can override this on the format command line with the following switch: format x: /s:enable (where x: is the drive letter to format). Unfortunately, you can’t add your own command line switches when using the built-in Format and Partition Disk action.

    To manually enable 8.3 naming after formatting, you can use fsutil.exe from the command line:

    fsutil 8dot3name set x: 0 (where x: is the drive letter to enable 8.3 naming on)

    This will enable short names on the given volume and it takes effect immediately (and yes, 0 does enable short names). Unfortunately, fsutil.exe is not included in Windows PE, so you would have to copy it over to your boot media and run it with a Run Command Line action.
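    As an added example (not from the original post), a script for that Run Command Line step: it reads the 8dot3 state of each volume with fsutil, enables short names where they are off, and verifies the result so the step fails instead of silently continuing. It assumes fsutil.exe was copied to the boot media (path in -FsutilPath), that the PowerShell optional component is in the boot image, and that fsutil prints "The volume state is: N" and "The registry state is: N" lines.

```powershell
# Added example, not part of the original post. Meant for a "Run Command Line"
# step after "Format and Partition Disk": it turns 8.3 name creation back on for
# the given volumes and verifies the change, failing the step if it did not take.
# Assumptions: fsutil.exe was copied to the boot media (path in -FsutilPath) and
# the PowerShell optional component is present in the boot image.
param(
    [string[]]$Volumes    = @('C:'),
    [string]  $FsutilPath = 'fsutil.exe'
)

function Get-ShortNameState {
    param([string]$Volume)
    # Assumed output of "fsutil 8dot3name query X:" (Windows 8 / Server 2012 and later):
    #   The volume state is: 1 (8dot3 name creation is disabled).
    #   The registry state is: 2 (Per volume setting - default).
    $text = (& $FsutilPath 8dot3name query $Volume 2>&1 | Out-String)
    if ($text -match 'volume state is:\s*(\d)') { $volState = [int]$Matches[1] }
    else { throw "Cannot read volume state for $Volume`: $text" }
    $regState = if ($text -match 'registry state is:\s*(\d)') { [int]$Matches[1] } else { 2 }
    [pscustomobject]@{ Volume = $Volume; VolumeState = $volState; RegistryState = $regState }
}

$failed = $false
foreach ($vol in $Volumes) {
    $state = Get-ShortNameState -Volume $vol
    Write-Host ("{0}: volume state {1} (0 = enabled, 1 = disabled), registry state {2}" -f $vol, $state.VolumeState, $state.RegistryState)

    # Registry state 1 (NtfsDisable8dot3NameCreation = 1) disables 8.3 names on every
    # volume and overrides the per-volume flag, so a per-volume "set" cannot fix that case.
    if ($state.RegistryState -eq 1) {
        Write-Host "WARNING: 8dot3 name creation is disabled system-wide in the registry; the per-volume setting will not apply"
    }
    if ($state.VolumeState -ne 0) {
        # 0 enables short name creation on this volume; takes effect immediately
        & $FsutilPath 8dot3name set $vol 0 | Out-Null
    }

    # Re-query instead of trusting the exit code of "set"
    $after = Get-ShortNameState -Volume $vol
    if ($after.VolumeState -ne 0) {
        Write-Host "ERROR: 8dot3 name creation still disabled on $vol"
        $failed = $true
    } else {
        Write-Host "8dot3 name creation enabled on $vol"
    }
}
# A non-zero exit code makes the task sequence step fail instead of continuing silently
if ($failed) { exit 1 }
exit 0
```

    In the task sequence, call it with the volume letter the Format step assigned, for example powershell.exe -ExecutionPolicy Bypass -File Enable-8dot3.ps1 -Volumes %OSDisk%, so the check runs against the real OS volume rather than a hard-coded C:.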

    Hope it Helps,

    Kenny Buntinx

    MVP System Center Configuration Manager

    Configmgr 2012 SP1 : PowerShell Script to repair “Broken Applications after upgrading them from RTM”


    Upgrading a ConfigMgr 2012 RTM environment to a new SP1 environment: after the upgrade was performed successfully, suddenly all applications within my OSD task sequence started failing, as described in my previous blog post here: http://scug.be/sccm/2013/01/08/configmgr-2012-sp1-broken-applications-after-upgrading-from-rtm/

    Finally we found some other errors as well; they are listed here:

    • The task sequence failed to install application Intel Management Engine 6.0.40.1215(ScopeId_67A221E3-64F0-47D4-AA5A-BB3729EC221F/Application_2071f753-7604-42a5-b6be-b1b45c3c1f0a) for action (Install HW Driver Applications for HP8540P) in the group () with exit code 615. The operating system reported error 615: The password provided is too short to meet the policy of your user account. Please choose a longer password.
    • The task sequence failed to install application NVIDIA Quadro/NVS Mobile Drivers 305.93(ScopeId_67A221E3-64F0-47D4-AA5A-BB3729EC221F/Application_17e0153e-3d4f-467b-a2b3-68491516b0e1) for action (Install HW Driver Applications for HP8540P) in the group () with exit code 580. The operating system reported error 580: An event pair synchronization operation was performed using the thread specific client/server event pair object, but no event pair object was associated with the thread.
    • The task sequence failed to install application Synaptics Touch Pad Driver(ScopeId_67A221E3-64F0-47D4-AA5A-BB3729EC221F/Application_a0628bfc-3f06-4096-a001-c1a6c92675ea) for action (Install HW Driver Applications for HP8540P) in the group () with exit code 16389. The operating system reported error 2: The system cannot find the file specified.

    We found a workaround: you simply have to add a comment to each DT and it will update the content ID. Nevertheless, the change means a redistribution of your application to all your DPs.

    BUT that is all manual work, and we hate that, don’t we? Luckily we have an excellent PowerShell scripter in our team, and all credit for creating this script goes to Bart Serneels. He has written a PowerShell script to do all the work and was happy to share it with you guys.

    Here is the script (replace VVM with your site code):

    # Path to the ConfigMgr PowerShell module (installed with the admin console) and the site code
    $PSDFile  = "C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin\ConfigurationManager.psd1"
    $SiteCode = "VVM"

    Write-Host "Importing System Center Configuration Manager 2012 Module..."
    Import-Module $PSDFile
    Clear-Host
    # The ConfigMgr cmdlets only work from the site drive (e.g. VVM:)
    Set-Location "$($SiteCode):"

    Write-Host "Querying for Applications without deployments"
    $AffectedApps = Get-CMApplication | Where-Object NumberOfDeployments -eq 0
    Write-Host "Found these affected Applications:"
    $AffectedApps | Select-Object LocalizedDisplayName
    Write-Host ""
    Write-Host "Updating Deployment Types..."
    $AffectedApps | ForEach-Object {
        $AppName = $_.LocalizedDisplayName
        Write-Host "Looking up deployment types for $AppName"
        $DTypes = @(Get-CMDeploymentType -ApplicationName $AppName)

        $DTypes | ForEach-Object {
            $DtypeDescription = $_.LocalizedDescription
            $DtypeName        = $_.LocalizedDisplayName
            $DtypeNameNew     = $DtypeName + "_"

            Write-Host "Found: $DtypeName"
            # Changing the administrator comment is what forces a new content ID for the DT
            Write-Host "Updating the comment to `"$DtypeNameNew`""
            Set-CMDeploymentType -ApplicationName $AppName -DeploymentTypeName $DtypeName -AdministratorComment $DtypeNameNew
            if (!$DtypeDescription) {
                # No original comment: put a single space back so the comment is effectively empty again
                Write-Host "Clearing the comment again"
                Set-CMDeploymentType -ApplicationName $AppName -DeploymentTypeName $DtypeName -AdministratorComment " "
            }
            else {
                # Restore the comment that was there before the change
                Write-Host "Updating the comment back to `"$DtypeDescription`""
                Set-CMDeploymentType -ApplicationName $AppName -DeploymentTypeName $DtypeName -AdministratorComment $DtypeDescription
            }
            Write-Host ""
        }
        Write-Host "----------------------------------------------"
    }


    What the script does is:

    1. Look for any application that has no deployment attached to it.
    2. Open the application’s deployment type(s) and look for a description.
    3. If the description field is empty, update that field with the deployment type name.
    4. If the description field exists, make a backup, adapt it with the deployment type name, save it, then revert to the backed-up description and save it once more.

    Again, this is a workaround that helped us fix our issues; there is no guarantee it will work for you.

    Hope it Helps ,

    Kenny Buntinx

    MVP ConfigMgr

    ConfigMgr 2012 RB A through Z webinar


    Hi All,

    It’s been a while since I blogged anything, so for those of you wondering: yes, I am still alive. I’ve been pretty busy over the past year doing live presentations at several events, but blogging has suffered a bit. This is a quick blog post to announce that I’ll be doing another live webinar. I still love doing those, and this one is scheduled for next week already.

    The registration page can be found over here: http://bit.ly/17i2lrj

    Session title: ConfigMgr 2012: RBA through Z
    Session Abstract: System Center Configuration Manager comes with a completely revamped security model. The feature is named Role Based Administration, or RBA for short. In this session we’ll go beyond the basics of security scopes, roles and collections to give you a deeper understanding of the possibilities of this new security model. Kim Oppalfens, who has been an SMS/ConfigMgr/Enterprise Client Management MVP for the past 10 years, will walk you through some real-life example scenarios and explain how you work these into the new model.

    !!! Special Service Announcement for Mr. Brian Mason: Yes, Brian this session is called RB a through Z. No Brian this does NOT mean you’ll be served RBV’s during this webinar.

    – Enjoy. "The M in WMI stands for Magic"
    "Everyone is an expert at something" Kim Oppalfens – ConfigMgr Expert for lack of any other expertise
    System Center Configuration Manager MVP
    http://www.scug.be/blogs/sccm/default.aspx

    http://www.linkedin.com/in/kimoppalfens

    http://twitter.com/thewmiguy

    ConfigMgr 2012 SP1 R2 Intune: CloudUserSync – delta sync to cloud failed


    Hi,

    After configuring a trial Intune subscription I got a funny error in the CloudUserSync log:

    ERROR: SetLicensedUsers exception The Dmp Connector cannot connect to Windows Intune. Verify that you are connected to the Internet,….
    UserSync: Failed to perform delta sync. error = Unknown error 0x8013150C, 0x8013150C

    further down in the log file :

    ERROR: GetServiceAddresses – LSU cannot be reached: System.ServiceModel.ProtocolException: The content type text/html; charset=UTF-8 of the response message does not match the content type of the binding (application/soap+xml; charset=utf-8). If using a custom encoder, be sure that the IsContentTypeSupported method is implemented properly

     

    If you search for this error you can see it happening with other services as well (Azure); it occurs when the binding from your local server doesn’t match the endpoint (in this case Intune/Azure).

    It turned out that the customer had provided me with a demo lab environment and it was still sitting on System Center Configuration Manager R2 Preview.

    #Notetomyself: check that all components are on the correct version before you start. Never take it for granted.

    Hope it Helps ,

    Kenny Buntinx

    Enterprise Client Management MVP

    “Workplace Join” with ADFS 3.0 Device Registration Services and our ‘Workplace Join Hitman’ PowerShell App to the rescue !


    Domain Join is what we have had for a long time: tight admin control, group policy, managing the desktop in full glory and control. "Workplace Join is much lighter, and is about authenticating an unknown device like a Surface RT, iOS or Android device. We will put a certificate on the device, and can challenge the device for this as part of claims-based authentication to applications or other resources such as data; plus there is no admin control of the device, it remains under the control of the end user.

    When coupled with BYO device management with a solution like Windows Intune, you can apply policy, deploy apps and control access to resources on machines that you otherwise have no control over."

    Through the new Workplace Join feature in R2, AD FS becomes a focal point for mobile access in the enterprise and an integral component of the Microsoft Bring Your Own Device (BYOD) vision with Windows Intune. Workplace Join allows unmanaged or untrusted operating systems such as Windows RT / Windows 8.1 and iOS to be moved into a more controlled access context by allowing their registration and affiliation with Active Directory.

    Workplace Join is made possible by the Device Registration Service (DRS) that is included with the Active Directory Federation Services role in Windows Server 2012 R2. When a device is Workplace Joined, the DRS provisions a device object in Active Directory and sets a certificate on the consumer device that is used to represent the device identity. The DRS is meant to be both internal and external facing. Companies that deploy both DRS and the Web Application Proxy will be able to Workplace Join devices from any internet-connected location. To further secure this process, additional factors can also be used with Windows Azure Active Authentication (Phone Factor).

    Lost Device Protection

    As covered earlier, devices registered via ‘Workplace Join’ are registered within Active Directory in the following container:

    CN=<Device ID>,CN=RegisteredDevices,DC=mydomain,DC=com.

    Lost devices can be denied access by disabling or deleting the corresponding object within AD (I moved the device objects to another OU to test this). Access through AD FS is immediately revoked for the workplace-joined client.

    From testing thus far, devices joined, left and re-registered via Workplace Join are currently not cleaned up within the ‘RegisteredDevices’ container. Some PowerShell scripting is currently required to enforce this. Later in this blog post we will explain what we made available through PowerShell.

    This question comes up all the time: how do I map a user to the devices that they have registered?

    1. The first attempt from Microsoft can be found here, in a blog post provided by Adam Hall, together with a screenshot of the original script’s output.

    2. The second attempt, to optimize the readout, was done by a colleague, Stijn Callebaut, and it was already an improvement.

    The optimized code can be found below:

    # Usage: GetRegisteredDeviceForUser.ps1 <user name>; the user name is the only argument
    if ($args.Count -ne 1)
    {
        Write-Host "Usage: GetRegisteredDeviceForUser.ps1 <user name>"
        exit 1
    }

    # Get the user's SID: Workplace Join stores the owner on the device object as a SID
    Import-Module ActiveDirectory
    $domain   = Get-ADDomain
    $userName = $args[0]
    $userSid  = (New-Object System.Security.Principal.NTAccount($domain.NetBIOSName, $userName)).Translate([System.Security.Principal.SecurityIdentifier]).Value

    # Search the RegisteredDevices container for msDS-Device objects whose msDS-RegisteredOwner is this SID
    $objDefaultNC = New-Object System.DirectoryServices.DirectoryEntry   # binds to the default naming context

    $ldapPath           = "LDAP://CN=RegisteredDevices," + $objDefaultNC.distinguishedName
    $objDeviceContainer = New-Object System.DirectoryServices.DirectoryEntry($ldapPath)
    $strFilter          = "(&(objectClass=msDS-Device)(msDS-RegisteredOwner=$userSid))"

    $objSearcher             = New-Object System.DirectoryServices.DirectorySearcher
    $objSearcher.SearchRoot  = $objDeviceContainer
    $objSearcher.PageSize    = 100
    $objSearcher.Filter      = $strFilter
    $objSearcher.SearchScope = "OneLevel"
    $colResults = $objSearcher.FindAll()

    # Emit one object per registered device with the attributes we care about
    foreach ($objResult in $colResults) {
        $props = @{
            cn          = $objResult.Properties['cn']
            whencreated = $objResult.Properties['whencreated']
            whenchanged = $objResult.Properties['whenchanged']
            displayname = $objResult.Properties['displayname']
        }
        New-Object PSObject -Property $props
    }

    3. But we weren’t quite there yet. We wanted three things:

    • Easy browsing and easily find devices registered to a user
    • Easy selection of the devices needed
    • Delete the devices properly

    A colleague working with me on a project and good friend, Kurt Depre, learned to use PowerShell XAML through MVP Kaido Jarvemets for our customer project and said he would make a great interface for my issue. After some days of testing we can finally show you the result of our PowerShell tool.

    The tool is called Workplace Join Hitman and lets you easily search for devices that are workplace joined by a single user and revoke their access by deleting the object.

    You can download it, and please rate the tool if you like it. It’s downloadable on the TechNet Gallery here: http://gallery.technet.microsoft.com/WorkPlace-Join-Hitman-8c691238

    It is not perfect, but it is intended to give you some ideas to further automate the process when a device is stolen, lost or just discontinued. The next idea is to do that in a kind of Orchestrator workflow.
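    As an added example (not the Hitman tool’s code and not from the original post), here is the scripted version of the lost-device and cleanup steps described above: it lists a user’s registered devices, flags the older duplicates left behind by leave/re-join and entries unchanged for a while, and deletes them only when -Remove is given. It assumes the ActiveDirectory module, delete rights on CN=RegisteredDevices, and that whenChanged is an acceptable staleness signal (the -StaleDays default of 90 is an assumption).

```powershell
# Added example (not from the original post or the Hitman tool).
# Lists the msDS-Device objects registered to one user, flags stale ones
# (older duplicate of the same device name, or unchanged for -StaleDays),
# and deletes them only with -Remove. Deleting the object revokes the
# device's access through AD FS, as described in the post.
param(
    [Parameter(Mandatory = $true)][string]$UserName,
    [int]$StaleDays = 90,      # assumption: a device untouched this long is abandoned
    [switch]$Remove            # report only unless this switch is present
)
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$userSid    = (Get-ADUser -Identity $UserName).SID.Value
$searchBase = "CN=RegisteredDevices,$($domain.DistinguishedName)"
$cutoff     = (Get-Date).AddDays(-$StaleDays)

# Device objects keep the owner's SID in msDS-RegisteredOwner
$devices = Get-ADObject -SearchBase $searchBase -SearchScope OneLevel `
    -LDAPFilter "(&(objectClass=msDS-Device)(msDS-RegisteredOwner=$userSid))" `
    -Properties displayName, whenCreated, whenChanged

$report = foreach ($grp in ($devices | Group-Object displayName)) {
    # The newest registration of a device name is the live one; earlier ones
    # are leftovers of leave/re-join that DRS does not clean up by itself
    $sorted = @($grp.Group | Sort-Object whenChanged -Descending)
    for ($i = 0; $i -lt $sorted.Count; $i++) {
        $d = $sorted[$i]
        $reason = if ($i -gt 0) { 'older duplicate' }
                  elseif ($d.whenChanged -lt $cutoff) { "unchanged since $($d.whenChanged.ToShortDateString())" }
                  else { '' }
        [pscustomobject]@{
            Device      = $d.displayName
            DN          = $d.DistinguishedName
            Created     = $d.whenCreated
            LastChanged = $d.whenChanged
            Stale       = [bool]$reason
            Reason      = $reason
        }
    }
}

$report | Format-Table Device, Created, LastChanged, Stale, Reason -AutoSize

if ($Remove) {
    foreach ($entry in ($report | Where-Object Stale)) {
        Write-Host "Removing $($entry.Device) ($($entry.DN))"
        Remove-ADObject -Identity $entry.DN -Confirm:$false
    }
}
elseif ($report | Where-Object Stale) {
    Write-Host "Stale entries found; re-run with -Remove to delete them."
}
```

    Run it once without -Remove and review the Reason column before deleting anything, since a device that is simply used rarely will also show up as unchanged.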

    Hope it Helps , 

    Kenny Buntinx

    Enterprise Client Management MVP

    IOS 8 support now available for System Center 2012 R2 Configuration Manager thru an extension for Windows Intune


    A new version of the iOS 7 Security Settings extension is now available for System Center 2012 R2 Configuration Manager environments that are configured with the Windows Intune connector. This updated extension adds support for iOS 8 devices. New features include: iOS 8 added to the supported platform list, configuration settings to manage and assess the compliance on iOS 8 devices, company resource access on iOS 8 devices and the ability to define an applicability rule for applications, allowing you to deploy applications to iOS 8 devices.

    If you already have the iOS 7 Security Settings extension enabled, an updated extension called iOS 7 and iOS 8 Security Settings will appear as a new item in your Configuration Manager console in the Extensions for Windows Intune node. You will also be able to see other enabled extensions in this location.

    To install the updated version, select the iOS 7 and iOS 8 Security Settings extension from the list and then click Enable. You do not need to disable the older version of the extension before you enable this updated version. As the updated version is installed, the configurations you previously made for the extension are retained. Once the installation is complete, only the most recent version of the extension will display in the console.

    Read further at http://blogs.technet.com/b/configmgrteam/archive/2014/09/29/ios-8-support-now-available-for-sc-2012-r2-configmgr-via-extension-for-intune.aspx

    Hope it Helps ,

    Kenny Buntinx

    MVP Enterprise Client Management

    Hybrid scenarios with System Center Configuration Manager 2012 R2 – Windows Intune – ADFS – WAP – NDES – Workplace Join: Hotfixes you really need in your environment.


    To make the most out of your lab or production environment when implementing the several features that come together when using System Center Configuration Manager 2012 R2 and Intune for mobile workforce deployment, I advise you to install the following hotfixes:

    For your System Center Configuration Manager 2012 R2 environment and Windows Intune connector:

    1. Install CU3 (KB2994331). A lot of things are fixed in each CU, but not every fix is noted in the release notes. It is therefore very important that you install the latest cumulative updates in general!

    Why CUs matter (again!): pre-CU3 NDES templates need to be recreated, and re-targeting from device to user is not sufficient, as no proper migration happens when upgrading from CU1 or CU2!

    2. Install KB article 2990658. This hotfix greatly reduces the time that’s required to execute a successful retire or wipe of an MDM device by using a notification to "push" these tasks. Without this hotfix, retire and wipe operations could require 24 hours to run successfully, because they relied on a "pull" mechanism of that frequency. This hotfix will probably be included when the next Cumulative Update is released.

    3. Install KB article 3002291. This hotfix fixes the issue where, when a user becomes a cloud-managed user in Microsoft System Center 2012 R2 Configuration Manager, a settings policy may not target the assignment for the user.

    For your ADFS and WAP (Web Application Proxy) with Server 2012 R2 environment:

    1. To fix the "Profile Installation Failed" error when an iOS device is workplace-joined by using DRS on a Windows Server 2012 R2-based server, look at Knowledge Base article 2970746 and make sure you deploy KB2967917 on your WAP server, which is the July 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2.

    2. To fix the “Large URI request in Web Application Proxy fails in Windows Server 2012 R2” issue when deploying an NDES server through the Web Application Proxy (WAP), look at Knowledge Base article 3011135 (issue found and resolved by Pieter Wigleven) and make sure you deploy KB3013769 on your WAP server, which is the December 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2.

    For your CA (Certificate Authority) infrastructure when you want to use NDES:

    1. The issuing CA needs to be Windows Server 2008 R2 (with KB2483564) or, preferably, Windows Server 2012 R2.

    Hope it Helps ,

    Kenny Buntinx

    Enterprise Client Management MVP


    Enterprise Mobility Suite: Steps to get to Azure AD Premium when already using your hybrid Configmgr 2012 R2 and Windows Intune infrastructure.


    Enterprise Mobility Suite (EMS) is Microsoft’s new bundle that includes Azure Active Directory Premium, Windows Intune and Azure Rights Management. The Enterprise Mobility Suite is Microsoft’s answer to Mobile Device Management requirements.

    For people who already have Configuration Manager 2012 R2, you can connect your Windows Intune subscription to get a single pane of glass for management. In the so-called hybrid mode you can manage all your assets from one single console.

    While you can create a new WAAD (Windows Azure Active Directory) account directly from the Windows Azure Management Portal, the most common way WAAD directories were created before EMS existed was through the Windows Intune sign-up process.

    When setting up a Windows Intune subscription for the first time, you have to pick a tenant name (in our case demolabsbe.onmicrosoft.com). When you create the tenant name, a Windows Azure Active Directory (WAAD) account is created behind the scenes to store your users and groups, using the domain “demolabsbe.onmicrosoft.com” (you can add your own domain names to this WAAD account later, but you will always have the original .onmicrosoft.com domain associated with it).

    Windows Intune creates the WAAD account, but doesn’t let you manage it out of the box. You can only attach custom domains and configure users, groups and global administrators from the Windows Intune account management portal.

    Attention: the WAAD account is not the same as a Windows Azure subscription. A Windows Azure subscription does not get automatically created or associated with your Windows Intune or Office 365 subscription, or vice versa!

    When you log in with your Windows Intune tenant account into the Windows Azure Management Portal (https://manage.windowsazure.com) you will see a message that there are no associated Azure Subscriptions.

    Windows Azure, however, lets you manage all the advanced settings of WAAD accounts, including names, premium features, apps, SSO access, multi-factor authentication, etc. The Enterprise Mobility Suite (EMS) feature Windows Azure AD Premium can only be managed properly when you link your Windows Intune WAAD to your organizational Windows Azure subscription.

    Step 1: How to add your existing Windows Azure Active Directories to your Windows Azure subscription

    The process to add a WAAD account to your Windows Azure subscription used to be pretty painful, but now you can easily do this by adding an “Existing WAAD account”. The process is as follows:

    1. Login to Windows Azure Management Portal with your Microsoft Account.

    2. Click on the Active Directory category on the left, and then click the New button.


    3. Choose New > App Services > Active Directory > Directory > Custom Create.

    4. On the Add Directory dialog, click the Directory dropdown, and choose Use Existing Directory.


    5. The dialog will switch, and inform you that you will be signed out, and need to sign in with a Global Administrator for the existing WAAD account. Check the box and click Sign Out.


    6. Login with a Global Administrator for the WAAD account.

    7. Once you login, you’ll be asked to confirm the link. Linking will make the Microsoft Account a Global Administrator in the WAAD account. Proceed through this, and you will be asked to Sign Out.


    8. After signing out and signing back in with your Microsoft Account, you’ll now see the WAAD account in the list of Active Directory accounts in the Windows Azure Management Portal!

    Step 2: Activate Azure AD Premium and assign licenses to your users

    Now that the Windows Azure Active Directories previously created from Windows Intune are visible within our Azure subscription, we can add the Azure AD Premium features to them.

    In the first case, a WAAD called EMSExperts newly created from the Azure portal: by default Azure AD Premium can be found under the Licenses tab, and you can assign licenses to users right away.

    In the other case, the WAAD previously created from Windows Intune (and added to the Azure subscription later) called MSCloudExperts: by default only the Windows Intune licenses can be found under the Licenses tab, and Azure AD Premium is not listed.

    To add the “Azure AD Premium” licenses, go to the bottom of the page and hit “Activate Trial” or “Purchase”.

    Now you will see that there are two license plans added to your WAAD, one for Windows Intune and one for Azure AD Premium, and you can assign licenses to your users accordingly.


    Hope it Helps ,

    Kenny Buntinx

    Enterprise Client Management MVP

    The Enterprise Mobility Suite and the 10 reasons why your company needs it


    Together, Windows Server 2012 R2, System Center 2012 R2 Configuration Manager, Microsoft Azure AD Premium, Microsoft Azure RMS and Microsoft Intune, also called the Enterprise Mobility Suite (EMS), help organizations address the consumerization of IT. With Microsoft’s people-centric IT solution, organizations can empower their users, unify their environment, and protect their data, ultimately helping them embrace consumerization and a people-centric IT model while maintaining corporate compliance.

    What can the Microsoft Enterprise Mobility Suite (EMS) bring for you :

    · Enabling your end users to work on the device or devices they love and providing them with consistent and secure access to corporate resources from those devices. Part of the way we do that is by providing a hybrid identity solution, enabled by Azure Active Directory Premium.

    · Delivering comprehensive application and mobile device management from both your existing on-premises infrastructure, including Microsoft System Center Configuration Manager, Windows Server, and Active Directory, as well as cloud-based services, including Windows Intune and Windows Azure. This helps to unify your environment. EMS provides mobile device management, enabled by Windows Intune

    · Helping protect your data by protecting corporate information and managing risk. EMS provides data protection, enabled by Azure Rights Management service

    Here are the 10 reasons why to consider EMS:

    10. The ability to protect corporate information by selectively wiping apps and data. With System Center Configuration Manager 2012 and/or Microsoft Intune, IT can selectively and remotely wipe any device, including applications and sensitive company data, management policies and networking profiles.

    9. Identification of compromised mobile devices. Jailbreak and root detection enables IT to determine which devices accessing corporate resources are at-risk, so that IT can choose to take appropriate action on those devices, including removing them from the management system and selectively wiping the devices.

    8. Comprehensive settings management across platforms, including certificates, virtual private networks (VPNs), and wireless network and email profiles. With System Center Configuration Manager 2012 and/or Microsoft Intune, IT can provision certificates, VPNs, and Wi-Fi profiles on personal devices within a single administration console.

    7. Access on-premises and in-the-cloud resources with common identity. IT can better protect corporate information, manage and control resource access, and mitigate risk by being able to manage a single identity for each user across both on-premises and cloud-based applications. IT can better protect corporate information and mitigate risk by being able to restrict access to corporate resources based on user, device, and location.

    6. Simplified, user-centric application management across devices. IT gains efficiency with a single management console, where policies and applications can be applied across groups (user and device types).

    5. Enhance end-user productivity with self-service and Single-Sign-On (SSO) experiences. Help users be more productive by providing each with a single identity to use no matter what they access, whether they are working in the office, working remotely, or connecting to a cloud-based Software-as-a-Service (SaaS) application. Access company resources consistently across devices. Users can work from the device of their choice to access corporate resources regardless of location.

    4. Protect information anywhere with Microsoft Azure RMS. Protecting information at rest and in transit requires authentication and preventing alteration, both key requirements for protecting sensitive corporate information.

    The Microsoft Azure Rights Management Solution (RMS) can help enterprises transition from a device-centric to a people-centric, consumerized IT environment without compromising compliance on document protection.

    3. Single Pane of Glass Mobile device management of on-premises and cloud-based mobile devices. IT can manage mobile devices completely through the cloud with Microsoft Intune or extend its System Center Configuration Manager infrastructure with Microsoft Intune to manage their devices (PCs, Macs, or servers) and publish corporate apps and services, regardless of whether they’re corporate-connected or cloud-based.

    2. Simplified registration and enrollment for BYOD. Users can register their devices for access to corporate resources and enroll in the Microsoft Intune management service to manage their devices and install corporate apps through a consistent company portal.

    And… Number 1 if you ask me for the Microsoft Enterprise Mobility Suite…

    1. Enable users to work on the device of their choice and from where they want. Give your users access to applications, data and resources from any device from virtually everywhere, while ensuring documents are secured and your mobile devices are compliant.

    Hope it Helps ,

    Kenny Buntinx

    Deploying IE11 the right way with Enterprise mode & Site Discovery thru Configmgr 2012


    Deploy Internet Explorer 11 today: as from January 2016 only the latest version of IE will be supported on the currently supported OSs such as Windows 7, 8.1 and 10. You should really deploy IE11 today and start working on compatibility testing for your web applications.

    For deploying IE11 you will need a lot of prerequisites fulfilled and you will need to do a lot of work to get it deployed successfully. More or less you will need to do it in four deployment steps, each followed by a reboot:

    1. Deploy about 9 prerequisites! You must deploy KB2834140, KB2670838, KB2639308, KB2533623, KB2731771, KB2729094, KB2786081, KB2888049, KB2882822 to be able to install IE11 without any issues. Make sure you download the latest updates!

    2. Reboot

    3. Deploy IE11 itself. If you need the Google search provider, the only way is to repackage IE11 with the IEAK. To customize Internet Explorer 11, first things first: download the Internet Explorer Administration Kit 11 here.

    4. Force a reboot here

    5. If you want to use IE11 Enterprise Mode, make sure to deploy KB2929437 after the installation of IE11.

    6. Reboot

    7. Deploy all security updates thru CM12/WSUS

    8. Reboot

    Luckily for us we have ConfigMgr 2012 and the fantastic Application model to handle that.
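    As an added example (not from the original post), a script that checks the prerequisite updates listed above and the installed IE version on a client, written so that its output fits the Application model: the detection-method variant prints something only when IE11 is present, and the global-condition variant prints a value the requirement rule can compare with "OK". It assumes Get-HotFix (Win32_QuickFixEngineering) lists these updates, which holds for MSU-installed Windows updates; the svcVersion registry value is the one IE10 and later write under HKLM\SOFTWARE\Microsoft\Internet Explorer.

```powershell
# Added example, not from the original post. Checks the IE11 prerequisite
# updates listed in the post and the installed IE version on a Windows 7/8.1
# client, in the shape a ConfigMgr script detection method or global
# condition expects. Detection scripts take no parameters, so pick the mode here.
$Mode = 'Detect'   # 'Detect' (detection method) or 'Prerequisites' (global condition)

# KB numbers as listed in the post
$Prerequisites = @('KB2834140','KB2670838','KB2639308','KB2533623','KB2731771',
                   'KB2729094','KB2786081','KB2888049','KB2882822')
$EnterpriseModeUpdate = 'KB2929437'

function Get-MissingHotfix {
    param([string[]]$Required)
    # Assumption: Get-HotFix (Win32_QuickFixEngineering) lists these updates,
    # which is the case for MSU/CBS-installed Windows updates
    $installed = @(Get-HotFix | ForEach-Object { $_.HotFixID.ToUpper() })
    @($Required | Where-Object { $installed -notcontains $_.ToUpper() })
}

function Get-IEMajorVersion {
    $props = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    # From IE10 on the real build is in svcVersion; "Version" stays at 9.x for compatibility
    $ver = if ($props.svcVersion) { $props.svcVersion } else { $props.Version }
    if ($ver) { [int]$ver.Split('.')[0] } else { 0 }
}

$missing = Get-MissingHotfix -Required $Prerequisites
$ieMajor = Get-IEMajorVersion
$emReady = (Get-MissingHotfix -Required $EnterpriseModeUpdate).Count -eq 0

switch ($Mode) {
    'Prerequisites' {
        # Global condition: the requirement rule compares this string with "OK",
        # so the IE11 deployment type is only applicable once all updates are in
        if ($missing.Count -eq 0) { Write-Output 'OK' }
        else { Write-Output ("Missing: " + ($missing -join ',')) }
    }
    'Detect' {
        # Detection method: exit code 0 plus anything on STDOUT means "installed",
        # exit code 0 with no output means "not installed"
        if ($ieMajor -ge 11) {
            Write-Output "IE $ieMajor installed; Enterprise Mode update present: $emReady"
        }
    }
}
exit 0
```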

    IE11 Enterprise Mode?

    Enterprise Mode in IE11 is a compatibility mode that runs web apps in IE8 mode to make them work on IE11. Enterprise Mode is turned on by the IT pro using Group Policy settings for specific domains or pages. It’s much like the Compatibility View settings, but provides Internet Explorer 8 compatibility. Web pages that work in Internet Explorer 8 work seamlessly in Enterprise Mode.

    More on IE11 Enterprise Mode and Enterprise Mode Site List Manager.

    Using the Internet Explorer Site Discovery Tool?

    What do you say ??

    Not so long ago Microsoft released a little tool that will inventory all the web sites a user visits to provide means to get a grip on web app compatibility. The inventory can be used for all or only some specific clients. The data is collected via WMI and inventoried with System Center Configuration Manager. There are pre-made reports included that can be imported and used in ConfigMgr.

    You will find more information here on Enterprise Site Discovery Toolkit for Internet Explorer 11.


    Collect data using Internet Explorer Site Discovery

    Internet Explorer Site Discovery overview

    You can use Internet Explorer to collect data on computers running Internet Explorer 11 on either Windows 8.1 or Windows 7. This inventory information helps you build a list of websites used by your company so you can make more informed decisions about your Internet Explorer deployments, including figuring out which sites might be at risk or require overhauls during future upgrades.

    By default, Internet Explorer doesn’t collect data; you have to turn this feature on if you want to use it. You must make sure that using this feature complies with all applicable local laws and regulatory requirements.

    What data is collected?

    Data is collected on the configuration characteristics of Internet Explorer and the sites it browses, as shown here.

    Data point: Description

    URL: URL of the browsed site, including any parameters included in the URL.
    Domain: Top-level domain of the browsed site.
    ActiveX GUID: The GUIDs of the ActiveX controls loaded by the site.
    Document mode: Document mode used by Internet Explorer for a site, based on page characteristics.
    Document mode reason: The reason why a document mode was set by Internet Explorer.
    Browser state reason: Additional information about why the browser is in its current state. Also called browser mode.
    Hang count: Number of visits to the URL during which the browser hung.
    Crash count: Number of visits to the URL during which the browser crashed.
    Most recent navigation failure (and count): Description of the most recent navigation failure (for example, a 404 Not Found or a 500 Internal Server Error) and the number of times it happened.
    Number of visits: The number of times a site has been visited.
    Zone: Security zone used by Internet Explorer to browse the site, based on browser settings.
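    Note the first data point: the URL is stored including its parameters, and query strings are where session tokens, SAML artefacts and search terms end up. As an added example that is not part of the original post or of Microsoft's toolkit, the following PowerShell reads the collected IEURLInfo instances locally, strips query strings and fragments before anything is shown or exported, and rolls the data up per domain. The namespace, class and property names are those of the toolkit's MOF as reproduced later in this post; the redaction step and the triage columns are our own.

```powershell
# Added example, not from the original post or Microsoft's toolkit: read the Site Discovery
# inventory from root\cimv2\IETelemetry on the local machine, redact URLs and triage them.

$Namespace = 'root\cimv2\IETelemetry'

function ConvertTo-RedactedUrl {
    param([string]$Url)
    # Keep scheme, host and path; drop everything from the first '?' or '#' onwards,
    # because that is where tokens and other user data live in the "URL incl. parameters".
    $cut = $Url.IndexOfAny([char[]]('?', '#'))
    if ($cut -ge 0) { $Url.Substring(0, $cut) } else { $Url }
}

function Get-SiteDiscoveryRows {
    param([string]$Ns = $Namespace)
    # Property names follow the IEURLInfo class in the toolkit's MOF.
    Get-WmiObject -Namespace $Ns -Class IEURLInfo -ErrorAction Stop | ForEach-Object {
        $activeX = 0
        if ($_.ActiveXGUID) { $activeX = @($_.ActiveXGUID).Count }
        New-Object PSObject -Property @{
            Url          = ConvertTo-RedactedUrl $_.URL
            Domain       = $_.Domain
            DocMode      = $_.DocMode
            Zone         = $_.Zone
            Visits       = $_.NumberOfVisits
            Crashes      = $_.CrashCount
            Hangs        = $_.HangCount
            NavFailures  = $_.NavigationFailureCount
            ActiveXCount = $activeX
        }
    }
}

$rows = @(Get-SiteDiscoveryRows)

# Pages that crashed, hung or load ActiveX: the compatibility candidates, and the ones worth a
# second look from an attack-surface point of view before they land on an Enterprise Mode
# (IE8 document mode) site list.
$rows | Where-Object { $_.Crashes -gt 0 -or $_.Hangs -gt 0 -or $_.ActiveXCount -gt 0 } |
    Sort-Object Crashes, Hangs -Descending |
    Format-Table Url, DocMode, Zone, Visits, Crashes, Hangs, ActiveXCount -AutoSize

# Per-domain roll-up: the granularity a site list is usually written at.
$rows | Group-Object Domain | ForEach-Object {
    New-Object PSObject -Property @{
        Domain  = $_.Name
        Urls    = $_.Count
        Visits  = ($_.Group | Measure-Object -Property Visits -Sum).Sum
        ActiveX = @($_.Group | Where-Object { $_.ActiveXCount -gt 0 }).Count
    }
} | Sort-Object Visits -Descending | Format-Table Domain, Urls, Visits, ActiveX -AutoSize
```

    The redaction only protects local triage and anything you export from the client. The ConfigMgr hardware inventory described further down ships the URL column exactly as stored, so the legal and regulatory caveat above carries extra weight, and access to the site database and to the sample reports should be restricted accordingly.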

    Where is the data stored and how do I collect it?

    The data is stored locally in WMI, in classes defined by an industry-standard Managed Object Format (.MOF) file under the root\cimv2\IETelemetry namespace. It remains on the client computer until it's collected. To collect it from your client computers, we recommend using Microsoft System Center 2012 R2 Configuration Manager. However, if you don't use System Center, you can collect it using any agent that can read the contents of a WMI class on the computer.

    Requirements

    Before you start, you need to make sure you have the following:

    Setup and configuration package, including:

      • Configuration-related PowerShell scripts
      • IETelemetry.mof file
      • Sample System Center 2012 report templates

    Both the PowerShell script and .mof file need to be copied to the same location on the client computer, before you run the scripts.

    Setting up your client computers for data collection

    On your test computer, run the provided PowerShell script (IETelemetrySetUp.ps1) from an elevated PowerShell prompt to compile the .mof file, update security privileges for the new WMI classes, and set the registry key. "Update security privileges" means the script relaxes the ACL on the new WMI namespace so that Internet Explorer, running in the logged-on user's context, can write inventory data to it; read the script before you deploy it and make sure the grant stays scoped to that namespace.

    To set up your computers:

    1. Create a Package/Program in ConfigMgr 2012 that runs IETelemetrySetUp.ps1 with administrative rights. Check how the script enables the feature before you choose the run context: a Program runs under the local system account by default, and anything it writes under HKCU (the clean-up steps at the end of this post remove an HKCU key) then lands in SYSTEM's profile rather than the user's.
    2. Restart the computer to start collecting WMI data.
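    Before rolling the package out, it pays to look at what the setup script actually changed on the pilot machine. The following PowerShell is an added example, not part of Microsoft's toolkit or of the original post: it checks that the three classes named in this post exist in root\cimv2\IETelemetry, decodes the namespace DACL, and compares it with the parent root\cimv2 namespace. A broad write grant on the IETelemetry namespace is expected (the browser writes as the user); a broad write on root\cimv2, or an Edit Security grant anywhere, is wider than the feature needs. The right names and mask bits are the standard WMI namespace permissions shown in the WMI Control snap-in; the list of "broad" trustees is an assumption you may want to extend.

```powershell
# Added example, not from Microsoft's toolkit or the original post: audit the WMI namespace
# the Site Discovery setup script creates and the ACL it leaves behind.

$Namespace       = 'root\cimv2\IETelemetry'
$ExpectedClasses = 'IESystemInfo', 'IEURLInfo', 'IECountInfo'   # class names from the post

# WMI namespace permission bits (same names as the WMI Control snap-in), in display order.
$WmiRights = @(
    @{ Name = 'Enable Account';  Mask = 0x00001 },
    @{ Name = 'Execute Methods'; Mask = 0x00002 },
    @{ Name = 'Full Write';      Mask = 0x00004 },
    @{ Name = 'Partial Write';   Mask = 0x00008 },
    @{ Name = 'Provider Write';  Mask = 0x00010 },
    @{ Name = 'Remote Enable';   Mask = 0x00020 },
    @{ Name = 'Read Security';   Mask = 0x20000 },
    @{ Name = 'Edit Security';   Mask = 0x40000 }
)
# Trustees for whom a write grant is "everyone in practice" (assumption: extend for your domain groups).
$BroadTrustees = 'Everyone', 'Authenticated Users', 'Users', 'INTERACTIVE'

function Test-IETelemetryClasses {
    param([string]$Ns, [string[]]$Expected)
    $present = @(Get-WmiObject -Namespace $Ns -List -ErrorAction SilentlyContinue |
                 ForEach-Object { $_.Name })
    foreach ($class in $Expected) {
        New-Object PSObject -Property @{ Class = $class; Present = ($present -contains $class) }
    }
}

function Get-WmiNamespaceDacl {
    param([string]$Ns)
    # __SystemSecurity.GetSecurityDescriptor returns the namespace's Win32_SecurityDescriptor.
    $result = Invoke-WmiMethod -Namespace $Ns -Path '__systemsecurity=@' -Name GetSecurityDescriptor
    if ($result.ReturnValue -ne 0) { throw "GetSecurityDescriptor on $Ns failed: $($result.ReturnValue)" }
    foreach ($ace in $result.Descriptor.DACL) {
        $rights  = @($WmiRights | Where-Object { ($ace.AccessMask -band $_.Mask) -ne 0 } |
                     ForEach-Object { $_.Name })
        $trustee = $ace.Trustee.Name
        if ($ace.Trustee.Domain) { $trustee = "$($ace.Trustee.Domain)\$trustee" }
        $type = 'Deny'
        if ($ace.AceType -eq 0) { $type = 'Allow' }
        # Full Write (0x4), Partial Write (0x8) or Edit Security (0x40000) granted to a broad trustee.
        $broadWrite = ($type -eq 'Allow') -and
                      (($ace.AccessMask -band 0x4000C) -ne 0) -and
                      ($BroadTrustees -contains $ace.Trustee.Name)
        New-Object PSObject -Property @{
            Namespace  = $Ns
            Trustee    = $trustee
            Type       = $type
            Rights     = $rights
            Mask       = ('0x{0:X}' -f $ace.AccessMask)
            BroadWrite = $broadWrite
        }
    }
}

Test-IETelemetryClasses -Ns $Namespace -Expected $ExpectedClasses | Format-Table Class, Present -AutoSize

$acl = @(Get-WmiNamespaceDacl -Ns $Namespace) + @(Get-WmiNamespaceDacl -Ns 'root\cimv2')
$acl | Format-Table Namespace, Trustee, Type, Rights, Mask, BroadWrite -AutoSize

# Expected: a broad write on the IETelemetry namespace only. Anything else deserves a review.
$unexpected = @($acl | Where-Object {
    $_.BroadWrite -and ($_.Namespace -eq 'root\cimv2' -or $_.Rights -contains 'Edit Security')
})
if ($unexpected.Count -gt 0) {
    Write-Warning 'Broad write or Edit Security grant found beyond what Site Discovery needs; review these ACEs:'
    $unexpected | Format-Table Namespace, Trustee, Rights -AutoSize
}
```

    Run it from an elevated prompt on the test computer after the reboot in step 2. If the class check shows False for any of the three classes, the .mof did not compile and the hardware inventory extension described below will have nothing to connect to.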

    Using System Center 2012 R2 Configuration Manager to collect your data

    After you’ve collected all of the data, you’ll need to get the local files off of your computers. To do this, use the hardware inventory process in System Center Configuration Manager, in one of the following ways.

    Collect your hardware inventory using the MOF Editor while connecting to a computer

    You can collect your hardware inventory using the MOF Editor, while you’re connected to your client computers.

    To collect your inventory

    1. From the System Center Configuration Manager, click Administration, click Client Settings, double-click Default Client Settings, click Hardware Inventory, and then click Set Classes.


    2. Click Add, click Connect, and connect to a computer that has completed the setup process and already has the classes.

    3. Change the WMI Namespace to root\cimv2\IETelemetry, and click Connect


    4. Select the check boxes next to the following classes, and then click OK:

    · IESystemInfo

    · IEURLInfo

    · IECountInfo

    5. Click OK to close the default windows.

    Your environment is now ready to collect your hardware inventory and review the sample reports.

    Collect your hardware inventory using the MOF Editor with a MOF import file

    You can collect your hardware inventory using the MOF Editor and a MOF import file.

    To collect your inventory:

    1. From the System Center Configuration Manager, click Administration, click Client Settings, double-click Default Client Settings, click Hardware Inventory, and then click Set Classes.

    2. Click Import, choose the MOF file from the downloaded package we provided, and click Open.

    3. Pick the inventory items to install, and then click Import.

    4. Click OK to close the default windows.

    Your environment is now ready to collect your hardware inventory and review the sample reports.

    Collect your hardware inventory using the SMS_DEF.MOF file

    You can collect your hardware inventory using the Systems Management Server (SMS_DEF.MOF) file. Note that this is the ConfigMgr 2007 way of extending hardware inventory; in ConfigMgr 2012 the reporting classes are managed through Client Settings, so prefer one of the two MOF Editor methods above.

    To collect your inventory:

    1. Using a text editor like Notepad, open the SMS_DEF.MOF file, located in your <Config_Manager_install_location>\inboxes\clifiles.src\hinv directory.

    2. Add this text to the end of the file:

```
[SMS_Report (TRUE), SMS_Group_Name ("IESystemInfo"), SMS_Class_ID ("MICROSOFT|IESystemInfo|1.0"), Namespace ("root\\\\cimv2\\\\IETelemetry")]
Class IESystemInfo : SMS_Class_Template
{
    [SMS_Report (TRUE), Key] String SystemKey;
    [SMS_Report (TRUE)]      String IEVer;
};

[SMS_Report (TRUE), SMS_Group_Name ("IEURLInfo"), SMS_Class_ID ("MICROSOFT|IEURLInfo|1.0"), Namespace ("root\\\\cimv2\\\\IETelemetry")]
Class IEURLInfo : SMS_Class_Template
{
    [SMS_Report (TRUE), Key] String URL;
    [SMS_Report (TRUE)]      String Domain;
    [SMS_Report (TRUE)]      UInt32 DocMode;
    [SMS_Report (TRUE)]      UInt32 DocModeReason;
    [SMS_Report (TRUE)]      UInt32 Zone;
    [SMS_Report (TRUE)]      UInt32 BrowserStateReason;
    [SMS_Report (TRUE)]      String ActiveXGUID[];
    [SMS_Report (TRUE)]      UInt32 CrashCount;
    [SMS_Report (TRUE)]      UInt32 HangCount;
    [SMS_Report (TRUE)]      UInt32 NavigationFailureCount;
    [SMS_Report (TRUE)]      UInt32 NumberOfVisits;
    [SMS_Report (TRUE)]      UInt32 MostRecentNavigationFailure;
};

[SMS_Report (TRUE), SMS_Group_Name ("IECountInfo"), SMS_Class_ID ("MICROSOFT|IECountInfo|1.0"), Namespace ("root\\\\cimv2\\\\IETelemetry")]
Class IECountInfo : SMS_Class_Template
{
    [SMS_Report (TRUE), Key] String CountKey;
    [SMS_Report (TRUE)]      UInt32 CrashCount;
    [SMS_Report (TRUE)]      UInt32 HangCount;
    [SMS_Report (TRUE)]      UInt32 NavigationFailureCount;
};
```

    3. Save the file in the same location and close it.

    Your environment is now ready to collect your hardware inventory and review the sample reports.

    Viewing the sample reports

    The sample reports, SCCM Report Sample – ActiveX.rdl and SCCM Report Sample – Site Discovery.rdl, work with System Center 2012 Configuration Manager, so you can review your collected data.

    SCCM Report Sample – ActiveX.rdl

    Gives you a list of all of the ActiveX-related sites visited by the client computer.


    SCCM Report Sample – Site Discovery.rdl

    Gives you a list of all of the sites visited by the client computer.


    Turning off data collection on your client computers

    After you’ve collected all of your data, you’ll need to turn this functionality off.

    To stop collecting data:

    On your test computer, start PowerShell in elevated mode and run IETelemetrySetUp.ps1 with the feature switch turned off: powershell .\IETelemetrySetUp.ps1 -IEFeatureOff

    Turning off data collection only disables the Internet Explorer Site Discovery feature – all data already written to WMI stays on the client computer.

    Deleting already stored data from client computers

    You can completely remove the data stored on your client computers.

    To delete existing data:

    On the client computer, start PowerShell in elevated mode (using admin privileges) and run these commands:

```powershell
# Remove the three Site Discovery classes (and the instances they hold) from the namespace
Remove-WmiObject -Namespace root/cimv2/IETelemetry -Class IEURLInfo
Remove-WmiObject -Namespace root/cimv2/IETelemetry -Class IESystemInfo
Remove-WmiObject -Namespace root/cimv2/IETelemetry -Class IECountInfo

# Remove the registry key the setup script created
Remove-Item -Path 'HKCU:\Software\Microsoft\Internet Explorer\WMITelemetry'
```

    Hope it Helps ,

    Kenny Buntinx

    MVP Enterprise Client Management

    Ignite keynote summary from an ECM perspective



    For me this was the best keynote ever for all Microsoft’s events I’ve been at, virtually or physically. Wrapped up after three hours, I want to give you guys a heads up for what is happening in my area of expertise, Enterprise Client Management.

    The conference is being held in Chicago and has over 20K people in the house. If you want you can watch a replay of this morning’s keynote on demand at http://news.microsoft.com/ignite2015/

    Most Important Ignite Keynote Announcements from an enterprise Client Management perspective

    Windows Update for Business – This is an advanced version of what you already know today as WSUS. Together with Windows 10 it will allow you to control which machines get Windows updates or even feature updates, with integration into your existing tools like System Center and the Enterprise Mobility Suite, so that these tools can remain the "single pane of glass" for all of your systems management.

    Office 2016 Public Preview – Available for Office 365 subscribers and for those who want to run the full standalone install. This version will really push the #EMS offering forward on iOS, Android and Windows. Office will be the key in the whole mobility story.

    Windows Server 2016 – A second technical preview is now available for download and testing and unlocks additional hybrid functionality, such as updates for Hyper-V, ADFS, Work Folders, etc.

    System Center 2016 – Has new provisioning, monitoring and automation abilities for your data center. A new preview will be available online soon.

    · New technical preview for ConfigMgr 2016 for Windows10 available for a trial at http://www.microsoft.com/en-us/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection-technical-preview

    New features in today's Technical Preview include:

            • Support for Windows 10 upgrade with OS deployment task sequence
            • Support for installing Configuration Manager on Azure Virtual Machines
            • Ability to manage Windows 10 mobile devices via MDM with on-premises Configuration Manager infrastructure

    · New service packs for Configuration Manager 2012 and 2012 R2 (to be released sometime next week)

    These will deliver full compatibility with existing features for Windows 10 deployment and management as well as several other features, including:

            • App-V publishing performance
            • Scalability improvements
            • Content distribution improvements
            • Native support for SQL Server 2014
            • Hybrid Parity (Intune) and new features

    Microsoft Advanced Threat Analytics – Brings Azure AD-level security monitoring and threat detection on-premises. This software is the result of Microsoft's acquisition of Aorato last November and it's a great add-on for EMS and Azure AD Premium. The preview is available now.


    During Brad Anderson’s piece of the keynote, his team showed 11 different technologies on stage and here are links to all of those services and programs:

    I hope that you are as thrilled and excited as I am, that we can show you all these cool things in our own lab, and that we see you at one of our SCUG.be events.

    Hope it helps,

    Kenny Buntinx

    MVP Enterprise Client Management

    Upgrading from ConfigMgr 1702 to 1706 gives you “Microsoft SQL Server reported SQL message 2627, severity 14” in your status messages


    If you upgraded your ConfigMgr 1702 or earlier environment to ConfigMgr 1706 and after the upgrade you see this in the status messages:

    Microsoft SQL Server reported SQL message 2627, severity 14: [23000][2627][Microsoft][SQL Server Native Client 11.0][SQL Server]Violation of PRIMARY KEY constraint ‘SUM_DriverUpdates_PK’. Cannot insert duplicate key in object ‘dbo.SUM_DriverUpdates’. The duplicate key value is (d8483f4f-0390-49db-b251-faf884dd8eaf

    Be aware that the Product Group is aware of this issue and is working on a fix. The result of this problem is that admins cannot see new Surface driver updates.

    Other than that nothing else is impacted, so the message can be ignored.

    Hope it helps ,

    Kenny Buntinx

    MVP Enterprise Mobility
