Tuesday, July 16, 2013

SCCM 2012: Maintenance Windows and Business Hours

We all know by now that System Center 2012 Configuration Manager is a client-centric product.  Meaning that, while it gives us admins some power over the system to perform certain tasks, the user is ultimately in control of their device.  One way this is achieved is by the inclusion of "Business Hours" on the client.

I'm not going to go into too much detail on how Business Hours works along with Maintenance Windows, instead please see this wonderful blog post from the MS Server and Cloud Platform Team:

http://blogs.technet.com/b/server-cloud/archive/2012/03/28/business-hours-vs-maintenance-windows-with-system-center-2012-configuration-manager.aspx

Basically, regardless of the Maintenance Window, the power is truly in the hands of the end-user for mandatory deployments.  Let's say, for example, that you have an OOB patch that must be pushed out immediately ... so immediate that you bypass your maintenance windows in order to do it.  If the time is within the Business Hours of the machine (by default it's 5AM - 10PM) then the user gets to decide if the installation happens immediately, or if it is postponed.

Depending on your patch deployment framework, this can have some serious ramifications if your maintenance windows don't jive properly with Business Hours.  What's worse is that since Business Hours is a client-side ONLY setting, you can't set this via the ConfigMgr console.


- BUT -

You CAN set this via VBScript or via PowerShell.  Rather than rinse/repeat, here are links to two blogs that outline how to do this:

VBScript (Piped through Google Translate)
http://translate.google.ca/translate?sl=auto&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fwww.mssccmfaq.de%2F2012%2F03%2F26%2Fsoftware-center-business-hours-auslesen-setzen%2F&act=url

PowerShell:
http://powersheller.wordpress.com/2012/11/20/sccm-2012-setting-software-center-business-hours-with-a-compliance-configuration-item/

Given the nature of this I would suggest applying this script at logon to ensure that all systems get updated with an appropriate time.  It should also be added to your Task Sequence so that reimaged systems start with the adjusted Business Hours.
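
As an added example (not taken from this post or from either linked blog), here is one way a logon or Task Sequence step could read the client's current Business Hours and correct them only when they have drifted.  It uses the `CCM_ClientUXSettings` class in the `root\ccm\ClientSDK` WMI namespace with its `GetBusinessHours` and `SetBusinessHours` methods; the target days and hours are constructed values for illustration.

```powershell
# Added example: audit and correct Software Center Business Hours on one client.
# Requires PowerShell 3.0+ and the ConfigMgr 2012 client; run elevated.
# The $desired values are constructed for illustration, not a recommendation.
$desired = @{
    WorkingDays = [uint32]62   # bitmask: Sun=1 Mon=2 Tue=4 Wed=8 Thu=16 Fri=32 Sat=64
    StartTime   = [uint32]8    # hour of day (0-23)
    EndTime     = [uint32]17
}
$cim = @{ Namespace = 'root\ccm\ClientSDK'; ClassName = 'CCM_ClientUXSettings' }

function Format-WorkingDays([uint32]$Mask) {
    # Bit 0 is Sunday, which matches the order of [System.DayOfWeek].
    $names = [enum]::GetNames([System.DayOfWeek])
    (0..6 | Where-Object { $Mask -band (1 -shl $_) } | ForEach-Object { $names[$_] }) -join ','
}

# Read what the client currently has (the out-parameters come back as properties).
$current = Invoke-CimMethod @cim -MethodName GetBusinessHours
'Current: {0} {1}:00-{2}:00' -f (Format-WorkingDays $current.WorkingDays), $current.StartTime, $current.EndTime

# Only write when at least one of the three values differs from the target.
$drift = $desired.Keys | Where-Object { $current.$_ -ne $desired[$_] }
if ($drift) {
    # Named arguments avoid the positional-order pitfalls of Invoke-WmiMethod.
    $result = Invoke-CimMethod @cim -MethodName SetBusinessHours -Arguments $desired
    if ($result.ReturnValue -ne 0) {
        Write-Warning "SetBusinessHours returned $($result.ReturnValue)"
    } else {
        'Updated: {0} {1}:00-{2}:00' -f (Format-WorkingDays $desired.WorkingDays), $desired.StartTime, $desired.EndTime
    }
} else {
    'Business Hours already match the desired values.'
}
```

Because the setting lives on the client, the user can change it again in Software Center, which is why re-running the check at logon is useful.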

Have Fun!

Friday, July 12, 2013

How to Configure TimeZones dynamically during Imaging (Take Two!)

A few years ago I had posted what I "THOUGHT" was a method to resolve the TimeZone issue that many of us struggle with but it turned out that not only was I completely wrong, but I was actually barking up the wrong tree!

TimeZone configuration can be a major headache when your enterprise spans multiple timezones, or multiple countries, if you are trying to keep your imaging strategy basic and easy to maintain.  I'm not a huge fan of splitting imaging into numerous collections with each collection given their own Task Sequence Variable to identify TimeZone since that just takes too much work, and I'm lazy!  Up until now I have been just dealing with imaging in one TimeZone then manually adjusting based on the region, totally not efficient!

I came across this excellent blog post which explains it quite well:

http://blogs.technet.com/b/eugenev/archive/2012/12/28/task-sequence-time-zone-fun.aspx

Basically, rather than rely on a TS Variable, instead use a VB Script at the end of your Task Sequence that will automatically adjust the timezone based on the DHCP server it is connecting to.  As the blog states, the account used to run this script needs to have read rights to the registry on the DHCP server, but it works quite beautifully.

Check it out!

Friday, June 28, 2013

Fix: Unable to update User GPO via gpupdate

Group Policy issues are always a pain in the butt, I've found.  This one was particularly annoying because of the impact that it had on the user.  The user was unable to access his personal drive on our server (G:\ Drive) as it would not map it during login.  Also, what he didn't mention, the system takes up to 5 minutes to log in.

At first I was strictly working on the drive map issue ... out of 3 network drives that he should get he was only getting one.  Manually running the login script seemed to clear that up temporarily but not permanently.  I then decided to do a GPO update (gpupdate /force /wait:-1) but it threw up an error.  In the System Event Log, I saw this:

The processing of Group Policy failed. Windows attempted to read the file \\domain.local\sysvol\domain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:

a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

Since this was the only system on the network having this particular problem, I wasn't convinced that the issue was limited to that computer and ... since it was late in the day ... was just going to reimage the box and be done with it.  I decided to check the Details tab for this particular event and noticed something rather peculiar:

+ System

- Provider
[ Name] Microsoft-Windows-GroupPolicy
[ Guid] {AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}
EventID 1058
Version 0
Level 2
Task 0
Opcode 1
Keywords 0x8000000000000000
- TimeCreated
[ SystemTime] 2013-06-27T23:33:35.377468900Z
EventRecordID 65946
- Correlation
[ ActivityID] {E6ACB131-AEEC-45A4-98D7-118272AA0081}
- Execution
[ ProcessID] 428
[ ThreadID] 3744
Channel System
Computer VAND105.mh.local
- Security
[ UserID] S-1-5-21-2823908405-3494369649-3172151183-3327

- EventData

SupportInfo1 4
SupportInfo2 816
ProcessingMode 1
ProcessingTimeInMilliseconds 16864
ErrorCode 1317
ErrorDescription The specified account does not exist.
DCName ServerName.domain.local
GPOCNName CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=local
FilePath \\domain.local\sysvol\domain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini
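
The general event text only lists network, replication and DFS causes; the useful fields are in EventData.  As an added example (not part of the original post), this pulls the same fields shown above out of recent 1058 events so the ErrorCode and the affected account can be read without opening the Details tab.  The Scope column rests on one assumption, marked in the code: an event logged under the SYSTEM SID is computer policy processing and anything else is user policy processing.

```powershell
# Added example: summarize recent Group Policy 1058 failures from the System log.
# Requires PowerShell 3.0+; run elevated on the affected machine.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-GroupPolicy'
    Id           = 1058
}

Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue |
ForEach-Object {
    # Flatten <EventData><Data Name="...">value</Data> into a lookup table.
    $fields = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }

    # Resolve the SID from the Security node; a SID that no longer resolves is itself a clue.
    $sid = $_.UserId
    $account = '(no SID recorded)'
    if ($sid) {
        try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = "(unresolved) $sid" }
    }

    [pscustomobject]@{
        TimeCreated      = $_.TimeCreated
        # Assumption: SYSTEM (S-1-5-18) means computer policy, otherwise user policy.
        Scope            = if ("$sid" -eq 'S-1-5-18') { 'Computer' } else { 'User' }
        Account          = $account
        ErrorCode        = $fields['ErrorCode']
        ErrorDescription = $fields['ErrorDescription']
        DCName           = $fields['DCName']
        FilePath         = $fields['FilePath']
    }
} | Format-List
```

An ErrorCode such as the 1317 above, recorded only for one user's events while the same machine's computer-scope processing succeeds, points at the account or its local profile and away from the network-side causes listed in the message.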

Since I knew what stage the GPO was failing at (applying User Settings) and I knew what was able to complete successfully (applying Computer Settings) I think I figured it out ... and it was a nice easy fix:

Re-create the User Profile on the local machine!

To test I logged the other user out and logged in as myself and noticed that there were no GPO issues under that account.  Then I did the following:

  1. Restarted the PC and logged in as local administrator (you can use any account with admin rights as long as it's not the affected account)
  2. Go to C:\Users\ and back up the user's content.
  3. Right-Click Computer and select Properties
  4. Click Advanced System Settings
  5. On the Advanced Tab, click Settings under the User Profiles heading
  6. Click the Profile you wish to delete, then click delete
I should point out that at this step I received an error regarding the deletion of the Profile.  I had to hit Delete a 2nd time to remove it from the list, but it didn't actually delete anything ... solidifying the determination that the local user profile is at fault.  I continued on and did the following:

Deleted the profile store manually (C:\Users\
Launched Regedit
Went to HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList

**Take care when editing the registry, as you can cause major system damage if it is edited incorrectly, resulting in a reinstallation of Windows.  Only proceed with working in the registry if you are comfortable.

Within this key I deleted any sub-keys related to the damaged user profile.  You can discover this by clicking on each sub-key and looking at ProfileImagePath to see if it matches the username.  Also, delete any keys that reference TEMP.  After that, restarted the computer and allowed the user to log in locally ... GPO issue resolved!
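
To find the sub-keys without clicking through each one, the following added example (not from the original post) lists every ProfileList entry with its ProfileImagePath and marks the ones the steps above care about.  It changes nothing in the registry; it only writes a `.reg` backup of the key first.  The username `jdoe` and the backup file name are hypothetical placeholders.

```powershell
# Added example: read-only review of ProfileList before deleting anything by hand.
$targetUser = 'jdoe'    # hypothetical username of the damaged profile
$regKey     = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$backup     = Join-Path $env:TEMP 'ProfileList-backup.reg'   # hypothetical file name

# Export the whole key so a wrong deletion can be undone by importing the file.
& reg.exe export $regKey $backup /y | Out-Null
"Backup written to $backup"

Get-ChildItem "Registry::HKEY_LOCAL_MACHINE\$($regKey.Substring(5))" | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    $path  = $props.ProfileImagePath
    if (-not $path) { return }          # skip entries without a profile path

    $leaf  = Split-Path $path -Leaf
    $notes = @()
    # Folder name equals the user, or the user plus a suffix such as jdoe.DOMAIN.
    if ($leaf -eq $targetUser -or $leaf -like "$targetUser.*") { $notes += 'matches user' }
    # Temporary profiles load from a folder named TEMP or TEMP.<suffix>.
    if ($leaf -match '^TEMP(\.|$)')                            { $notes += 'references TEMP' }
    # The folder was already removed but the registry entry is still there.
    if (-not (Test-Path -LiteralPath $path))                   { $notes += 'folder missing' }

    [pscustomobject]@{
        SubKey           = $_.PSChildName
        ProfileImagePath = $path
        Review           = $notes -join '; '
    }
} | Sort-Object Review -Descending | Format-Table -AutoSize -Wrap
```

Entries with an empty Review column, including the built-in service profiles, are the ones to leave alone.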

Friday, April 19, 2013

Fix: Unable to make a bootable USB stick via the USB/DVD Tool or Manually

NCIX had a great sale on a while ago for some inexpensive 32GB USB 3.0 flash drives so I just had to pick up 3.  After all, I try to travel around with a full set of device drivers, various software tools for troubleshooting, and a bootable WinRE stick just in case.  Imagine my surprise when I went to create a bootable USB stick with Server 2012 when I came across this error:

"We are unable to copy your files.  Please check your USB device and the selected ISO file and try again"

I thought that I had a bad USB stick, so I moved on to the next one ... same thing ... the THIRD one ... same thing!

I left it on the side-burner for a while but today really needed to do some manual server installs.  Came across this excellent post by Devin which outlines the fix (THANKS DEVIN!)

http://www.devinonearth.com/2012/08/cant-make-a-bootable-usb-stick-for-windows-8-join-the-club/

If you don't feel like clicking through to Devin's site (it's excellent btw), here are the nitty gritty steps you need to do:

  1. Connect the affected USB stick
  2. Open either CMD or PowerShell (I really need to work more in PS)
  3. Run Diskpart
  4. Type List Disk to bring up the list of current disks on your system
  5. Type Select Disk x where x = the disk number for your USB stick
  6. Type Clean to clear the configuration of that USB stick (Caution, make sure you don't have any files on there that you need as this will erase everything)
  7. Type Create Partition Primary to create a new partition
  8. Type List Disk to verify that the new partition is made.  If you see an offset of 1024KB then the fix worked
  9. Type Exit to close diskpart, then disconnect the USB stick from the system
  10. Plug it back in, it will ask if you wish to format the USB stick, say Yes or Format
You should now be able to make a bootable USB stick!

From what I can tell, this has something to do with how the USB stick was partitioned at the factory.  Maybe it was created without Windows in mind ?

Enjoy!
Terry

Friday, March 15, 2013

Fix: Scrolling in the Application Catalog

For the longest time I've been trying to figure out why, on some of my workstations, users have to scroll horizontally in order to see the Install button when they select a program.  Even when they fullscreen the browser, same issue.

At first I thought it was a problem with page scaling; when someone zooms in on their browser.  In actuality I wasn't that far off!

The solution?

DPI Settings!!!

If your DPI settings are anything other than 100% then the Application Catalog will have scrollbars all around.  To change this, do the following:

Windows 7/Windows 8

  1. Right-click anywhere on the Desktop and select Screen Resolution
  2. Click Make text and other items larger or smaller
  3. Click the 100% radio button, then click Apply

You will need to log out/log in for the DPI setting change to take effect.  But, after that .. NO MORE SCROLL BARS!!  Some laptop screens will actually use 125% DPI as the default setting.

How I came across this solution has to do with an in-house application that was developed some time ago (and retired now, thank goodness).  If your DPI was set to anything over 100%, you would only see part of the input screen.

Enjoy!

Tuesday, February 26, 2013

Fix: You need permission to perform this action ...

So this is frustrating.  In an earlier post I detailed how to repair WDS/PXE when it is no longer talking properly to SCCM.  Today I had to apply that fix on another of my Secondary Site Servers however I then ended up with a new problem.

I couldn't delete the RemoteInstall folder

Interestingly enough, it was asking me for permission to delete the folder.  I thought, no worries, I'll just take ownership of the folder and sub-folders then try again.  No dice, though this time it was rather amusing since it was now saying that it needed permission from me to delete the folder!

It turns out I was on the right track for resolving this, but just didn't go far enough.

So, if you get "You need permission to perform this action ..." when trying to delete a folder tree, you can try the following:

1) Open an Elevated Command Prompt (Right-click Command -> Run As Administrator)
2) Run: takeown /f path/foldername  /R /D Y
3) Run: icacls path/foldername  /grant accountName:F /t

After running these commands against the RemoteInstall I was able to delete it and continue on to rebuilding WDS/PXE for my Distribution Point.

Enjoy!

Monday, February 11, 2013

Opinion - Are Tablets truly ready for the Enterprise ?

#Mobility #windows8 #tablets

So I've decided to take a break from my usual Technical Blog to air some of my opinions on tablet computing in the Enterprise.  I'll start with a bit of a disclaimer:

This post is my opinion about the future of tablet computing in the Enterprise, and is only an opinion.  Everything posted here is completely open for discussion and I may be COMPLETELY wrong on some of this.  All told, I welcome your comments and discussion on this exciting topic.

Tablets have been around for a very long time, longer than a lot of people realize.  Back in November of 2001, Bill Gates introduced Comdex to the concept of tablet computing (Link) but unfortunately the available technology at that time was just not 'there' yet so it got off to a rocky start at best.  Then Apple came along and introduced the iPad and the tablet/slate device was popularized.  Since the iPad's launch in April of 2010, tablets have exploded to the point where they are starting to outpace laptop and desktop sales ... but is this just another fad like the netbook?

Since the iPad launched a number of competing devices using various OS's have worked their way into the market with varying success.  Microsoft's partners tried to counter the iPad with tablets based on Windows 7 but that OS was just not ready to be used in a full-touch environment, even though it had touch functionality built in.  Android has been ported to run on tablet hardware, with Google even releasing versions of Android designed to run on tablets.  Blackberry launched its ill-fated PlayBook, HP tried and failed with WebOS.  Now that Windows 8 is out, which is a Windows OS designed from the ground up to run on tablets ... what now?

Let's be clear, most of the tablet offerings that have been made available to date are NOT enterprise devices.  Sure, you can invest in apps to bring some enterprise functionality to the tablet, but they are mostly of the "Remote Desktop" variety so really shouldn't count.  How many tablets have BUILT-IN enterprise functionality?  What actually constitutes enterprise functionality?  Is this even a fair question to ask?

Personally, I think that Microsoft and their hardware partners have an opportunity here to really win over the enterprise market by providing basically a replacement for a laptop.  Think about it for a sec, what can a tablet on Windows 8 Enterprise bring you?

  1. Connectivity into your corporate network via DirectAccess
  2. Device-level security by the use of BitLocker
  3. Device Management and Application Deployment via System Center Configuration Manager 2012 SP1
  4. Ability to use your standard application catalog as well as any Line-Of-Business apps that you already have in place, without having to invest in new specialized applications designed specifically for tablets
  5. Provide users the flexibility of having a tablet AND a laptop in one small package, great for road warriors and users who may do some form of field review
There are many more reasons, but I don't want this post to be TOO long in case you get tired of reading.

So what do Microsoft and their hardware partners need to do?

RELEASE COMPELLING HARDWARE!

I'm typing this blog entry from my Dell Latitude 10, which is connected to a docking station and to a 24" monitor.  Forgive me for being blunt, but this tablet sucks in many ways.  It's using an Atom-based CPU which is incredibly slow.  The video card is not capable of displaying the native resolution of my monitor (1900x1200) even though it uses the HDMI 1.3a spec which allows for much higher resolutions.  Microsoft Office is incredibly slow, it hangs on most operations.  I don't use this tablet for any heavy tasks, just word processing, email, internet, and connecting to remote desktops.  It isn't all bad though, I've had to do some remote troubleshooting while away from the office, using my Mobile Hotspot on my Blackberry and DirectAccess to get into the network ... that functionality alone is making me not want to give up on tablets.

Now, this isn't strictly a Microsoft problem.  Indeed, Microsoft did something quite smart by essentially releasing reference hardware in the form of the Microsoft Surface and the Surface Pro.  Their hardware partners need to see those devices for what they are, the lowest common denominator from a performance and functionality standpoint.  Atom-based Win 8 tablets are, as far as I'm concerned, dead in the water.  I wish Dell would have released a tablet in their Latitude line-up based on the i5 CPU like they did with the XPS 12 (though that is a convertible tablet, not a slate device).

At BEST, tablets are a niche device that will never really take over the desktop and laptop market.  Without a doubt, it will slow the market down since people will spend more and more time on tablets for their day to day needs, but will fall back to their desktop or laptop PCs when they need to do anything heavy.

Am I off base here?  Is there something I'm missing?

For the record, I have a desktop, 2 laptops and 3 tablet computers at my disposal that I use on almost a daily basis.  The Desktop, Laptops and one of the tablets run Windows 8, then I have a Windows RT tablet and a Blackberry PlayBook.  I have colleagues who have iPads who don't really use them that often for work use, with the exception of using iTap to remote into servers when needed.  I'm not new to tablets, I've pushed many initiatives with my employer to try to increase the adoption of tablets within the company, but even they are starting to push back to say that it's just not a viable platform.

What do you think ?  How are YOU adopting tablets for the Enterprise ?