
Rename A Computer Using Dell Service Tag During A System Center Configuration Manager 2007 Task Sequence

As part of a Windows 7 deployment I wanted to automate the naming of computers using the Dell service tag, prefixed with “D” for desktop, “L” for laptop and “O” for other.

You can detect the computer type using WMI and the Win32_SystemEnclosure class:

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colChassis = objWMIService.ExecQuery _
    ("Select * from Win32_SystemEnclosure")

' Determine the computer type: D = desktop, L = laptop, O = other
For Each objChassis in colChassis
    For Each strChassisType in objChassis.ChassisTypes
        Select Case strChassisType
            Case 3,4,5,6,7,13,15,16,17,18,19,20,21,22,23,24
                strComputerType = "D"
            Case 8,9,10,11,12,14
                strComputerType = "L"
            Case Else
                strComputerType = "O"
        End Select
    Next
Next
Wscript.Echo strComputerType

Reading the Dell service tag is possible using WMI and the Win32_BIOS class:

' Read the Service Tag from the BIOS
Set colBIOS = objWMIService.ExecQuery _
    ("Select * from Win32_BIOS")
For Each objBIOS in colBIOS
    strComputerSerial = objBIOS.SerialNumber
Next
Wscript.Echo strComputerSerial

Renaming the computer proved to be the difficult part.  You can use WMI and the Win32_ComputerSystem class to rename a computer, but I didn’t have much success using this in the task sequence.  PowerShell and WMIC commands use the same underlying technique and also failed.  I believe the difficulty was caused by the computer being joined to the domain, rather than being a member of a workgroup.  I found a utility called WSNAME (http://mystuff.clarke.co.nz/MyStuff/wsname.asp), which is capable of renaming domain-joined computers using the Windows APIs.  Unfortunately, WSNAME is not native 64-bit compatible and I needed to deploy Windows 7 64-bit using WinPE 64-bit.

The final solution to rename the computer consists of a VBScript which detects the computer type and Dell service tag.  The new computer name is passed to WSNAME, which renames the computer using a domain account with a hashed password.  Finally, the script reboots the computer.  The trick to make it work is to add the script to the RunOnce registry key through the SCCM task sequence, followed by a reboot task, which completes the task sequence.  When Windows starts following the reboot task, the script runs and renames the computer.  As the script is run by Windows 7, rather than WinPE, wsname.exe will work, because Windows 7 64-bit has WOW64 support whereas WinPE 64-bit does not.

The complete VBScript is:

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colChassis = objWMIService.ExecQuery _
    ("Select * from Win32_SystemEnclosure")

' Is the computer a VM?
Set colComSys = objWMIService.ExecQuery _
    ("Select * from Win32_ComputerSystem")
For Each objComSys in colComSys
    If objComSys.Model = "Virtual Machine" Then
        bolVM = True
    Else
        bolVM = False
    End If
Next
'Wscript.Echo bolVM

' Determine the computer type: D = desktop, L = laptop, O = other
For Each objChassis in colChassis
    For Each strChassisType in objChassis.ChassisTypes
        Select Case strChassisType
            Case 3,4,5,6,7,13,15,16,17,18,19,20,21,22,23,24
                strComputerType = "D"
            Case 8,9,10,11,12,14
                strComputerType = "L"
            Case Else
                strComputerType = "O"
        End Select
    Next
Next
'Wscript.Echo strComputerType

' Read the Service Tag from the BIOS
Set colBIOS = objWMIService.ExecQuery _
    ("Select * from Win32_BIOS")
For Each objBIOS in colBIOS
    strComputerSerial = objBIOS.SerialNumber
Next
'Wscript.Echo strComputerSerial

' Only rename if not a VM
If bolVM = False Then
    'Wscript.Echo "Computer name will be: " & strComputerType & strComputerSerial
    Set objShell = CreateObject("Wscript.Shell")
    ' Replace the share path, account and hashed password placeholders with your own values
    objShell.Run("SHARE HOLDING WSNAME.EXE /n:" & strComputerType & strComputerSerial & " /rcid /user:DOMAIN\USERNAME /passm:HASHED PASSWORD")
    objShell.Run("shutdown.exe /r")
End If

To add the VBScript to the RunOnce registry key, add a Command Line step to the task sequence and enter the command as shown in the screenshot below.  Update the command to include the appropriate path to the VBScript.
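
The rename script in this post appends Win32_BIOS.SerialNumber to the WSNAME command line without checking it. The following is an added example, not code from the original post: a PowerShell sketch (the function name Get-DeploymentComputerName is hypothetical) that builds the same name and stops when the serial is empty, contains anything other than letters and digits, or would push the name past the 15-character NetBIOS limit.

```powershell
# Added example, not part of the original script. Names are hypothetical.
function Get-DeploymentComputerName {
    param(
        [int[]]  $ChassisTypes,  # from Win32_SystemEnclosure.ChassisTypes
        [string] $SerialNumber   # from Win32_BIOS.SerialNumber
    )

    # Same chassis-type mapping as the VBScript in the post.
    $desktop = 3,4,5,6,7,13,15,16,17,18,19,20,21,22,23,24
    $laptop  = 8,9,10,11,12,14
    $prefix  = 'O'
    foreach ($type in $ChassisTypes) {
        if     ($desktop -contains $type) { $prefix = 'D' }
        elseif ($laptop  -contains $type) { $prefix = 'L' }
        else                              { $prefix = 'O' }
    }

    # Firmware strings can carry padding, spaces or vendor filler text.
    # Accept only letters and digits so the value cannot split or add
    # arguments when it is concatenated into the WSNAME command line.
    $serial = $SerialNumber.Trim().ToUpper()
    if ($serial -cnotmatch '^[A-Z0-9]+$') {
        throw "Serial '$serial' is empty or has characters other than letters and digits."
    }

    # NetBIOS computer names are limited to 15 characters.
    $name = $prefix + $serial
    if ($name.Length -gt 15) {
        throw "Name '$name' is longer than 15 characters."
    }
    return $name
}

# Read the same two WMI classes the post uses and build the name.
$enclosure = Get-WmiObject -Class Win32_SystemEnclosure | Select-Object -First 1
$bios      = Get-WmiObject -Class Win32_BIOS
try {
    $newName = Get-DeploymentComputerName -ChassisTypes $enclosure.ChassisTypes `
                                          -SerialNumber $bios.SerialNumber
    Write-Output "Computer name will be: $newName"
}
catch {
    Write-Error "Not renaming this computer: $_"
    exit 1
}
```

The same checks can be ported into the VBScript before the objShell.Run call, so that a machine with an unusable serial keeps its existing name.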

Forefront Endpoint Protection 2010 Report. Error: Subreport Could Not Be Shown

When running the Antimalware Activity Report, the Malware Activity section of the report failed to run and showed the error “Subreport could not be shown”.

The environment is System Center Configuration Manager (SCCM) 2007 R2, Forefront Endpoint Protection 2010 and SQL Server 2005 SP4.

In order to fix the error I added the -g startup parameter to the SQL Server service.  The -g startup parameter specifies the amount of memory in MB that SQL Server will leave available for memory allocations within the SQL Server process.  I set the option to 384MB.  More information on the startup parameter is available here: http://msdn.microsoft.com/en-us/library/ms190737.aspx

To apply the startup parameter, open SQL Server Configuration Manager under Microsoft SQL Server 2005 -> Configuration Tools on the Start menu.

Right-click on the SQL Server service, choose properties and open the Advanced tab.

Add ;-g384 to the end of the existing startup parameters and restart the SQL Server service.

Enable Windows Server 2008 R2 Features During Installation Using A System Center Configuration Manager Task Sequence

As part of an operating system deployment task in System Center Configuration Manager 2007 R2 (SCCM), I needed to enable the .NET Framework 3.5.1 Feature on Windows Server 2008 R2.  I thought it would be easy to do this as part of the task sequence, but it proved trickier than I expected.

I added a “Run Command Line” step and entered the command “Dism.exe /online /Enable-Feature /FeatureName:NetFx3 /LogPath:c:\Dism.log”.  On its own this isn’t enough for the feature to be enabled.  You must also tick “Disable 64-bit file system redirection” on the step.

Create A Dynamic Collection Containing The Last PC Used By The Member Of An Active Directory Group

During a recent project to roll out Windows Updates using System Center Configuration Manager 2007 R2 (SCCM) I wanted to deploy updates to a user group.  Unfortunately, SCCM will only deploy Windows Updates to a collection that contains computers, not users.  I used the code below to create an SCCM collection that contains the computer that was last logged onto by a member of a given Active Directory group.

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup,
       SMS_R_SYSTEM.Client
from SMS_R_System
inner join SMS_G_System_COMPUTER_SYSTEM
    on SMS_G_System_COMPUTER_SYSTEM.ResourceId = SMS_R_System.ResourceId
where SMS_G_System_COMPUTER_SYSTEM.UserName in
    (select UniqueUserName from SMS_R_User
     where SMS_R_User.UserGroupName = "DOMAIN\\GROUPNAME")

To use the code, follow the steps below.

First, start the new collection wizard, enter a name and click Next.

Click on the button highlighted in yellow below.

Enter a name and click Edit Query Statement.

Paste in the code, replacing the domain and group name with your own.  Click OK and finish the wizard.

Find Collections With Maintenance Windows in System Center Configuration Manager 2007 R2

If you need a list of System Center Configuration Manager (SCCM) collections with maintenance windows, run this query against the SCCM site database using SQL Server Management Studio.

SELECT C.Name, C.Comment, SW.Description, SW.StartTime, SW.Duration
FROM v_ServiceWindow SW
JOIN v_Collection C ON C.CollectionID = SW.CollectionID
ORDER BY C.Name

Configure ForeFront Endpoint Protection 2010 with System Center Configuration Manager 2007 R2

These are brief notes on how to configure ForeFront Endpoint Protection (FEP) 2010 to work with System Center Configuration Manager (SCCM) 2007 R2 and set the FEP client to receive definition updates from the SCCM server.

Install the FEP 2010 prerequisites on the SCCM server: http://technet.microsoft.com/en-us/library/ff823830.aspx

Install FEP on the server.  I chose a Basic installation as I wanted all components to install on to the SCCM server.

I wanted the FEP updates to be controlled by SCCM, so installed this hotfix http://support.microsoft.com/kb/2597508

Next I downloaded the Definition Update Automation Tool for Forefront Endpoint Protection 2010 Update Rollup 1 http://blogs.technet.com/b/clientsecurity/archive/2011/11/03/how-to-use-the-definition-update-automation-tool-for-forefront-endpoint-protection-2010-update-rollup-1.aspx

Follow the instructions at the link above under the section “How to Configure Configuration Manager for Forefront Endpoint Protection Update and Create Deployment Package and Assignment”.  This creates a Deployment Package and Assignment to install the FEP definition updates.

To schedule the update of the FEP definition package with the latest definitions follow the instructions under the section “How to Use Definition Update Automation Tool with Task Scheduler”.

Open your FEP policy and, in the Updates tab, tick “Use Configuration Manager as the primary source of definition updates”.

As I configured the FEP updates to be controlled by SCCM, when the FEP client is first installed the icon turns red because the definitions are out of date.  If you leave the client, it will eventually have the latest definitions pushed to it by SCCM.  However, I wanted to have protection from installation.  In order to get this working I enabled automatic approval of the FEP updates within WSUS.  Using the FEP policy you’re able to tell FEP to go to WSUS for updates if the definitions are older than x days.

To configure WSUS, open the WSUS console from Administrative Tools and navigate to Options.  Open Automatic Approvals, click New Rule and configure it as below.  WSUS will now automatically download FEP updates and they’ll be available to FEP clients via the policy.

 

If you still have issues with the FEP client updating after installation, e.g. when deploying as part of an SCCM operating system task sequence, you can force a definition update from a file share.  Set up a script to download the definitions to a share and schedule it to run daily using Task Scheduler.  These two posts provide information on how to create the script: http://blogs.technet.com/b/clientsecurity/archive/2010/09/16/using-a-script-to-automate-unc-definition-updates.aspx and http://technet.microsoft.com/en-us/library/gg398041

In the SCCM task sequence, add a reboot task after FEP has been installed.  Configure the reboot step to reboot into the currently installed operating system.

 

Next, add a Command Line step.  Update the share path to match the location of the FEP definitions in your environment.  This will run a manual definition update from the file share.

 

Deploy Intel AMT/HECI/SOL Drivers Using System Center Configuration Manager

This post describes how I deployed the Intel AMT/HECI/SOL Drivers using System Center Configuration Manager (SCCM).

I was deploying the drivers to Dell OptiPlex desktops and Latitude laptops, so I downloaded the drivers from http://support.euro.dell.com/.  The drivers download as compressed files, so I extracted them using 7-zip (http://www.7-zip.org/).  This leaves you with a set of files like those below.

In the screenshot above you’ll see the setup.cmd batch file.  This is the secret to deploying the drivers using SCCM.  The Intel documentation states that you can run setup.exe -s to silently install the drivers.  However, when I created a software distribution package and set it to run setup.exe -s, the drivers never installed and the installer routine exited due to an invalid command option.  What you need to do is create a batch file which calls setup.exe -s and point the software package at the batch file, e.g.

\\SCCMSERVER\SoftwareDistribution\Packages\755_HECI_Driver\setup.exe -s