Thursday, July 30, 2009

Part 112: Filter software update within sccm

This guide assumes you have completed adding the software update point role and installed WSUS.

Let's start filtering the thousands of updates/patches from Microsoft.

1. Go to Computer Management, expand Software Updates, then Update Repository, and right-click Search Folder. Select New Folder.










2. Name the folder "Enterprise Search".






3. Right-click the Enterprise Search folder and select New Search Folder. We are going to create all the filters inside this Enterprise Search folder.













4. In step 1 of the search folder criteria, select BulletinID, Expired and Superseded.












5. In step 2, define the following settings:
Bulletin: MS09 (the last two digits refer to the year: 2009)
Expired: No
Superseded: No













In step 3, tick "Search all folders under this feature" and enter the name "2009 software update".

Click OK. You have now completed the filter for 2009 patches.

Let's create more filters. This time, let's create one for the current month's updates.


6. In the Enterprise Search folder, right-click and create a new search folder.
Add the following criteria as displayed:












Click OK when done.

7. Now create a filter based on product, e.g. Windows Server 2008 patches. In the Enterprise Search folder, right-click and create a new search folder.
Add the following criteria as displayed:












Click OK when done.

8. You have now created 3 filters. Let's run a test.

9. Go to Software Updates > Update Repository and, in the Actions pane, select Run Synchronization. The SCCM server will connect to Microsoft Update to get the update catalog.











The system will prompt for confirmation to initiate a site-wide software update synchronization. Click Yes. You can check the synchronization status under System Status > SMS_WSUS_SYNC_MANAGER.








10. Leave the system for a few hours. The synchronization will take a few hours if this is your first synchronization.

11. After several hours, these are the results:

a) 2009 software update
- only 2009 patches are listed -











b) Monthly search
- only the current month's results are shown -










c) Windows Server 2008 patches
- updates for the Windows Server 2008 product are displayed -



















Now you can start creating multiple search folders for different criteria. Before I end, please create the following search folder for use in the next guide:

Objective: Filter all critical updates for Windows Server 2008.

Stay tuned for the next guide.
Cheers, ericlaiys

Wednesday, July 29, 2009

Part 111:- Adding Software Update Point roles (SCCM)

Let's start adding the new software update point role to the site system.

1. Go to Site Management > Site Code - LAB > Site Settings > SCCM01 > right-click > New Roles.







2. The New Site Role wizard will open. Leave the default for your intranet FQDN and click Next.








3. On the system role selection page, select Software update point and click Next.








4. Enter the proxy details if your environment needs a proxy to access the Internet. This allows SCCM to get updates from Microsoft. In my case, I will leave the default empty value and click Next.









5. Tick "Use this server as the active software update point". Leave the port number as default. The active software update point is the server that communicates with the WSUS server.









6. For the synchronization source, leave the default value. The software update point will synchronize from Microsoft Update. Click Next.









7. Tick Enable synchronization schedule and set it to 1 day. Click Next.









8. Check the updates that you want the SCCM server to sync. Click Next.










9. Then check the products whose updates will be synchronized. Click Next.









10. For Languages, select English (do not leave the default value). We do not want to get updates in languages other than English. Click Next.









11. Review the summary and click Next to confirm.









12. The wizard will install the software update point role and report completion. Click Close to close the wizard.









You've completed adding the software update point role. After adding the role, you can enable Software Update Point Client Installation to allow WSUS to push the client agent.
Go to Client Installation Method > double-click Software Update Point Client Installation and tick Enable.

Tuesday, July 28, 2009

Part 110: Verifying sccm client

Let's start the SCCM client installation.

Step 1: Execute Install Client


Select Computer Management > Collections > All systems > Right Click > Install Client





The system will open the Client Push Installation Wizard. Click Next.







For the installation options, tick all options.








Then the system will initiate Client Push Installation to deploy the SCCM client.







Step 2: Verifying the SCCM agent installation via Control Panel

Wait a few minutes for the SCCM client installation to finish.

Here are the new components listed in the client's Control Panel:



-Configuration Manager
-Program download
-Remote Control
-Run Advertisement




This is the Configuration Manager General tab.










This is the Components tab, which lists all the components installed on the client computer.









This is the Action tab.










This is the Advanced tab, which shows the LAB site code and the cache size set to 8000.









Step 3: Verifying from the log files

If any problem arises, you can always go to C:\Windows\System32\ccmsetup and check the log files:
-CCMSetup.log -Records setup tasks performed by CCMSetup.
-Client.msi.LOG -Records setup tasks performed by client.msi.





Step 4: Verifying from collections.

Go to Collections > All Systems. Computers that already have the SCCM client installed will show:

Client - Yes
Site Code - LAB
Approved - Approved



You've now successfully installed the SCCM client on the workstation.

Monday, July 27, 2009

Intel Processor which support virtualization

The server on which the Hyper-V role is installed must be a 64-bit environment, support hardware-assisted virtualization (Intel VT or AMD-V) and have hardware Data Execution Prevention (DEP) enabled (Intel XD bit or AMD NX bit).

Please refer to the Intel website to check which processors support virtualization:
http://ark.intel.com/VTList.aspx

To test, you can download the SecurAble tool from http://www.grc.com/securable.htm



It is recommended to have a minimum of 2 NICs installed.

Part 109: Firewall Setting for SCCM client

In order to deploy the SCCM client, you need to open Windows Firewall ports. Rather than configuring the ports on each workstation, I will use Group Policy to configure Windows Firewall.

Below are the recommended ports to open, as suggested by Microsoft:

a)Client Push Installation:-
-File and Printer Sharing
-Windows Management Instrumentation (WMI) -TCP & UDP 1024 -5000

b)Client request:-
-Port 80 - for http communication
-Port 443 -for https communication

c)NAP:-
-UDP 67 and UDP 68 for DHCP
-TCP 80/443 for IPSEC

d)Remote Control:-
-TCP 2701
-TCP 2702
-TCP 135

e)Remote Assistance and Remote Desktop
-exception program helpsvc.exe and TCP 135
-Remote Assistance and Remote Desktop (TCP 3389)

f)Windows Event Viewer, Windows Performance Monitor and Windows Diagnostics
-Exception File and Printer sharing.

Based on the above ports, here is the configuration that I performed in Group Policy.

a) Go to the Group Policy Management snap-in.
b) Expand Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile

c) Configure Windows Firewall:Allow inbound file and printer sharing exception

-Set Enabled
-IP: 192.168.10.47 ( SCCM Server IP Address)









d) Configure Windows Firewall: Define inbound port exceptions

-Enabled
-Click Show
-Add below configuration









Format for defining inbound port exceptions:
Port:Transport(TCP/UDP):Scope:Status(enabled/disabled):Name

135:TCP:192.168.10.47:enabled:TCP135
80:TCP:192.168.10.47:enabled:Port80
443:TCP:192.168.10.47:enabled:Port443
67:UDP:192.168.10.47:enabled:NAPDHCP
68:UDP:192.168.10.47:enabled:NAPDHCP
2701:TCP:192.168.10.47:enabled:RemoteControl
2702:TCP:192.168.10.47:enabled:RemoteControl








Invalid configuration:-
1024-5000:TCP:192.168.10.47:enabled:WMI
1024-5000:UDP:192.168.10.47:enabled:WMI
*.TCP:192.168.10.47:enabled:All

WMI uses random ports from 1024 to 5000.

Note:
You cannot open a range of Windows Firewall ports in a single entry. Each port needs to be defined individually.

If you still insist on opening a range of ports, you can write a script to run the following command (inside a batch file, write %%i instead of %i):
for /L %i in (1024,1,5000) do netsh firewall add portopening TCP %i "Port-range %i"

The script will create a rule for each port from 1024 to 5000.
For the WMI ports, let's ignore them for now.

e) Configure Windows Firewall: Allow inbound remote administration exception

-Set Enabled
-Ip: 192.168.10.47









f) Configure Windows Firewall: Allow inbound Remote Desktop exceptions

-Set Enabled
-IP:192.168.10.47









g) Configure Windows Firewall: Define inbound program exceptions

-Set Enabled
-Click Show and add the below settings










Format for defining inbound program exceptions:
Path:Scope:Status:Name
%systemroot%\system32\sessmgr.exe:*:enabled:sessmgr.exe

%systemroot%\PCHEALTH\HELPCTR\Binaries\helpsvc.exe:*:enabled:helpsvc.exe







The above configuration was tested on workstations running Windows Vista and Windows XP.
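A small linter for the two exception formats above (inbound port exceptions and inbound program exceptions), added here as an example and not part of the original post. It rejects the range and wildcard forms listed as invalid and reports entries whose scope is `*`. The function names and the `C:\Tools\agent.exe` entry are hypothetical, and scope values other than a single IPv4 address or `*` are handled on the assumption that the policy accepts comma-separated addresses, subnets and `localsubnet`.

```python
import ipaddress

# Entries taken from the policy lists above, plus one hypothetical
# drive-letter path (not from the post) to exercise the right-hand split.
PORT_ENTRIES = [
    "135:TCP:192.168.10.47:enabled:TCP135",
    "2701:TCP:192.168.10.47:enabled:RemoteControl",
    "1024-5000:TCP:192.168.10.47:enabled:WMI",
    "*.TCP:192.168.10.47:enabled:All",
]
PROGRAM_ENTRIES = [
    r"%systemroot%\system32\sessmgr.exe:*:enabled:sessmgr.exe",
    r"C:\Tools\agent.exe:192.168.10.47:enabled:agent",  # hypothetical
]

def check_tail(scope, status):
    """Findings for the Scope and Status fields shared by both formats."""
    findings = []
    if status.lower() not in ("enabled", "disabled"):
        findings.append(f"status {status!r} is not enabled/disabled")
    if scope == "*":
        return findings + ["scope * accepts traffic from any address"]
    for item in scope.split(","):
        if item.strip().lower() == "localsubnet":
            continue
        try:  # single address, a.b.c.d/nn or a.b.c.d/mask (IPv4 assumed)
            ipaddress.ip_network(item.strip(), strict=False)
        except ValueError:
            findings.append(f"unrecognised scope item {item!r}")
    return findings

def lint_port(entry):
    parts = entry.split(":")
    if len(parts) != 5:
        return ["expected Port:Transport:Scope:Status:Name"]
    port, transport, scope, status, _name = parts
    findings = []
    if not (port.isascii() and port.isdigit() and 1 <= int(port) <= 65535):
        findings.append(f"port {port!r} is not a single port number")
    if transport.upper() not in ("TCP", "UDP"):
        findings.append(f"transport {transport!r} is not TCP or UDP")
    return findings + check_tail(scope, status)

def lint_program(entry):
    # Split from the right so a drive-letter colon stays inside the path.
    parts = entry.rsplit(":", 3)
    if len(parts) != 4:
        return ["expected Path:Scope:Status:Name"]
    _path, scope, status, _name = parts
    return check_tail(scope, status)

if __name__ == "__main__":
    for entry in PORT_ENTRIES:
        print(entry, "->", lint_port(entry) or "ok")
    for entry in PROGRAM_ENTRIES:
        print(entry, "->", lint_program(entry) or "ok")
```

The port entries in this post are all scoped to the SCCM server address, while both program exceptions use `*`. The netsh loop shown earlier passes no scope either, so the ports it opens are not limited to the SCCM server the way the policy entries are.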

As I've mentioned previously, you need to install BITS version 2.5 on Windows XP and Windows Server 2003.

Stay tuned for Part 110: Verifying sccm client installation.

Sunday, July 26, 2009

Part 108: SCCM Client Installation Method

Configuration Manager clients can be installed and automatically assigned to sites when the computer resource is within the boundaries defined for a configuration manager site.

For any client installed outside the boundaries, you need to manually define the site code of the required site.

Clients that are not successfully assigned to a site remain unmanaged. This means that these clients cannot receive policy and will be unable to use software distribution, software updates, etc. Please refer to Part 103: SCCM 2007 Post-configuration on how to reconfigure the site boundary.

Let's look at the prerequisites for installing the CM client.

For the client:
The prerequisites for client deployment depend on your site mode.
Mixed mode - at least Windows 2000 Professional SP4
Native mode - at least Windows XP SP2

Besides that, all computers are required to have Microsoft Background Intelligent Transfer Service (BITS) version 2.5 or higher.

For the server:
The SCCM server must have the following roles installed:
a) Management Point
b) Server Locator Point
c) Fallback Status Point

After defining the prerequisites, let's look at the client installation methods that are available.

a) Client Push Installation (Common client installation)



In the Configuration Manager console, navigate to the Client Installation Methods node under Site Hierarchy.
-Right Click Client Push Installation and select Properties.





-Tick Enable Client Push Installation to assigned resources and set the system types to Servers, Workstations and Domain controllers.
-Tick Enable Client Push Installation to site systems.










For Accounts, set the account to SMSadmin.

To successfully install the Configuration Manager 2007 client, the Windows user account used must have administrative rights on the destination computer. If the install fails with all accounts in the list then the installation will be attempted using the computer account from the Configuration Manager 2007 site server.

Next, click the Advanced client tab and set your Installation Properties string to something like this:
SMSSITECODE=LAB SMSCACHESIZE=8000


















b) Software Update point based installation
This installation method leverages the WSUS software update infrastructure to install the client software. To use software update point based installation, you must use the same WSUS server for both client installation and software updates. This server must be the active software update point in a primary site. You must configure and assign an Active Directory Group Policy object to specify the software update point server name from which the computer will obtain software updates.

It is not possible to add command line properties to a software update point based client installation. If you have extended the Active Directory schema for Configuration Manager 2007, client computers will automatically query Active Directory Domain Services for installation properties when they install.

To use this method, you must:

a) Configure Active Directory Group Policy
In the Group Policy editor, navigate to Computer Configuration / Administrative Templates / Windows Components / Windows Update, and then open the properties of the setting Specify intranet Microsoft update service location. Click Enabled.



In the "Set the intranet update service for detecting updates:" field, specify the name of the software update point server you want to use, and the port. These must exactly match the server name format and the port being used by the software update point:

If the Configuration Manager site system is configured to use a fully qualified domain name (FQDN), specify the server name using FQDN format.

If the Configuration Manager site system is not configured to use a fully qualified domain name (FQDN), specify the server name using a short name format.

If the site is in mixed mode and software updates is using the default Web site, the port number is likely to be 80 unless it has been changed.

If the site is in mixed mode and software updates is using a custom Web site, the port number is likely to be 8530 unless it has been changed.
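One way to check a policy value against the software update point before linking the GPO, as an added example that is not from the original post. The function name and the `lab.example` domain suffix are constructed; the server name SCCM01 and the ports 80 and 8530 are the ones mentioned above.

```python
from urllib.parse import urlsplit

def check_wsus_policy(policy_url, sup_name, sup_port):
    """Compare the GPO intranet update service URL with the software
    update point's configured server name and port; return findings."""
    url = urlsplit(policy_url.strip())
    if url.scheme not in ("http", "https") or not url.hostname:
        return [f"{policy_url!r} is not an http(s) URL"]
    try:
        # No explicit port in the URL means the scheme default applies.
        port = url.port or (443 if url.scheme == "https" else 80)
    except ValueError:
        return [f"{policy_url!r} has an invalid port"]
    findings = []
    host, want = url.hostname.lower(), sup_name.lower()
    if host != want:
        if host.split(".")[0] == want.split(".")[0]:
            # Same machine, but short name on one side and FQDN on the other.
            kind = "FQDN" if "." in want else "short name"
            findings.append(f"name format differs: site system uses the {kind} {want}")
        else:
            findings.append(f"server {host} is not the software update point {want}")
    if port != sup_port:
        findings.append(f"port {port} does not match software update point port {sup_port}")
    return findings

if __name__ == "__main__":
    # Constructed cases: (policy value, site system name, software update point port)
    cases = [
        ("http://SCCM01:80", "sccm01", 80),
        ("http://sccm01", "sccm01.lab.example", 8530),
        ("sccm01:80", "sccm01", 80),
    ]
    for policy_url, name, port in cases:
        print(policy_url, "->", check_wsus_policy(policy_url, name, port) or "ok")
```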

b) To publish the Configuration Manager 2007 client to the software update point

1. In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management / / Site Settings / Client Installation Methods.
2. Right-click Software Update Point Client Installation, and click Properties.
3. To enable client installation, select the Enable Software Update Point Client Installation check box.
4. If the client software on the Configuration Manager 2007 site server is a later version than the client version stored on the software update point, the Upgrade Client Package Version dialog box will open. Click Yes to publish the most recent version of the client software to the software update point.

Note
If the client software has not been previously published to the software update point, this field will be blank.

5. To finish configuring the software update point client installation, click OK.

c) Group Policy installation
You can publish or assign Ccmsetup.msi using Group Policy. This file can be found in the folder SMS\bin\i386 on the Configuration Manager 2007 site server. It is not possible to add properties to this file to modify installation behavior.




If the Active Directory schema is extended for Configuration Manager 2007 and "Publish this site in Active Directory Domain Services" is selected in the Advanced tab of the Site Properties dialog box, then client computers will automatically search Active Directory for installation properties.





d) Manual installation
To install manually, run CCMSetup.exe (located in the network share \\<Site Server Name>\SMS_<Site Code>\Client) with administrative rights on the target computer.

Manual installation is used if you're installing clients that are in a workgroup, on the Internet or in a different Active Directory forest.

The format of the CCMSetup.exe command line is as follows:

CCMSetup.exe [ccmsetup properties] [client.msi setup properties]

For example, CCMSetup.exe /mp:SCCM01 /logon SMSSITECODE=LAB FSP=SCCM01 performs the following actions:

Specifies to download installation files from the management point named SCCM01.
Specifies that installation should stop if a version of the Configuration Manager 2007 or SMS 2003 client already exists on the computer.
Instructs client.msi to assign the client to the site code LAB.
Instructs client.msi to use the fallback status point named SCCM01.

If you have extended the Active Directory schema for Configuration Manager 2007, many client installation properties are published in Active Directory and read automatically by the Configuration Manager 2007 client.

For more detail about the properties, please refer to
http://technet.microsoft.com/en-us/library/bb680980.aspx

e) Logon Script installation
Use the same method as manual installation. If no installation source is specified using the /Source switch and no management point from which to obtain the installation files is specified using the /MP switch, CCMSetup.exe can locate the management point by searching Active Directory if the schema has been extended for Configuration Manager 2007. If the schema has not been extended, CCMSetup will search WINS for a server locator point to query for a management point from which to install the client.

f) Installation using computer imaging
On the master image computer, you must pre-install the SCCM client. Follow the process below.

Process:
1. You must not specify a site code to assign the client to. When computers are imaged from this master image, they will contain the Configuration Manager 2007 client, but this will not be assigned to any site code.
2. Type net stop ccmexec from a command prompt to ensure that the SMS Agent Host service (Ccmexec.exe) is not running on the master image computer.
3. Remove any certificates stored in the local computer store on the master image computer. Additionally, remove any native-mode client certificates if applicable. For more information, refer to your public key infrastructure (PKI) documentation.
4. If the clients will be installed in different Configuration Manager 2007 hierarchies than the master image computer, remove the Trusted Root Key from the master image computer.
5. Use your imaging software to capture the image of the master computer.
6. Deploy the image to destination computers.

That concludes the SCCM client installation methods. Stay tuned for Part 109: Firewall Setting for SCCM client.