
Wednesday, October 2, 2013

Deploy SCCM 2012 SP1 CU3 Client Update via Application Method


In this post I will discuss and show how to deploy the CU3 Client Update using the Application Method instead of the auto-created Packages.  When you go to install CU3 on your server you are given the option for it to create the packages necessary to patch secondary servers, clients, and consoles.  Packages do not offer the flexibility for targeting, requirements, dependencies, automatic re-deployments, and so on.

The inspiration for this post comes from Michael Leach in which he provided instructions on how to do this for the CU2 update.  I borrow some of the items from his post but end up using a different detection method and create a custom query for a collection including all SP1, CU1, and CU2 clients.  His post can be found here.  Thanks, Michael!


  1. Obtain the CU3 bits and read on the updates and changes it provides.
  2. Apply the update to your Primary Server and follow pertinent steps, including creating the necessary update packages.
  3. Locate the packages that you will use as your Content paths in the Application in the following location: "\\(Server)\SMS_(Site Code)\hotfix\KB2882125\Client"

  4. We are now ready to create the Application for the update.  These are the steps and settings that I set up.
    1. Manually specify the application install.
    2. Create two deployment types, one that will apply to your x64 clients and one that will apply to your x86 clients.  Specify the pertinent requirements using the Operating System level options.
    3. Choose the proper Content locations from step 3 for each of your deployment types.
    4. The command-line for the installs will be the following:
      1. msiexec.exe /p "configmgr2012ac-sp1-kb2882125-i386.msp" /L*v "%TEMP%\configmgr2012ac-sp1-kb2882125-i386.msp.LOG" /q REINSTALL=ALL REINSTALLMODE=mous
      2. msiexec.exe /p "configmgr2012ac-sp1-kb2882125-x64.msp" /L*v "%TEMP%\configmgr2012ac-sp1-kb2882125-x64.msp.LOG" /q REINSTALL=ALL REINSTALLMODE=mous
    5. For the Detection Method I used the version of CcmExec.exe:


    6. Distribute your content.
    7. Test on a group of clients, both x64 and x86, to ensure everything is working as planned.
    8. For Collection targeting, I created my own which included the SP1 RTM Clients, CU1, and CU2.  Remember that 2012 RTM Clients will automatically upgrade when you install SP1, so long as you have the client automatic updates configured correctly.  After that, you are responsible for deploying relevant CUs.
    9. For my query I used the 'System Resource.Client Version' criteria specifying clients that were at 5.00.7804.100 (SP1) or greater and less than 5.00.7804.1400 (SP1+CU3).
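As an added example (my own code, not part of the original post), here is one script that covers step 5 and step 9 of the procedure above: a PowerShell script detection method that checks the file version of CcmExec.exe, and the WQL membership rule for a collection of SP1, CU1 and CU2 clients. It assumes the client is installed under %WINDIR%\CCM (the default path) and that 5.00.7804.1000 is the full SP1 RTM client version string.

```powershell
# Added example, not from the original post. Assumptions: the ConfigMgr client
# lives under %WINDIR%\CCM; 5.00.7804.1000 is the SP1 RTM client version.

# (1) Collection membership rule for the targeting step, to paste into the
# query rule editor. ClientVersion is a string in SMS_R_System, so the compare
# is lexical; that is safe here only because every version in play has the
# same 5.00.7804.nnnn shape.
$collectionWql = @"
select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name,
       SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup,
       SMS_R_System.Client
from   SMS_R_System
where  SMS_R_System.ClientVersion >= "5.00.7804.1000"
  and  SMS_R_System.ClientVersion <  "5.00.7804.1400"
"@

# (2) Script detection method for both deployment types.
$ccmExe = Join-Path $env:WINDIR 'CCM\CcmExec.exe'
$cu3    = New-Object -TypeName System.Version -ArgumentList @(5, 0, 7804, 1400)  # SP1 + CU3, from the post

function Get-CcmExecVersion {
    param([string]$Path = $ccmExe)
    if (-not (Test-Path $Path)) { return $null }
    # Build the version from the numeric parts so a decorated FileVersion
    # string can never break the comparison.
    $vi = (Get-Item $Path).VersionInfo
    New-Object -TypeName System.Version -ArgumentList @($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Test-Cu3Installed {
    param([System.Version]$Installed = (Get-CcmExecVersion))
    # System.Version compares field by field numerically, unlike the string
    # compare in the WQL above.
    return ($Installed -ne $null -and $Installed -ge $cu3)
}

# ConfigMgr script detection: any text on STDOUT with exit code 0 means
# 'installed'; no output with exit code 0 means 'not installed'.
if (Test-Cu3Installed) { Write-Output "CU3 present: CcmExec.exe $(Get-CcmExecVersion)" }
exit 0
```

Paste the WQL part into the collection's query rule and the rest into the deployment type's script detection method; the same script serves both the x86 and x64 deployment types because it reads the installed file rather than the patch name.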



Tuesday, July 9, 2013

Machine will not join domain after OSD Task Sequence in SCCM 2012 SP1

I was fighting with an interesting issue the past few days.  I had a single Operating System Deployment (OSD) Task Sequence (TS) that I deployed to three different models of laptops for testing.  I 'Auto Apply Drivers' based on the category of the machine and use a WMI Query to determine the model of the machine and apply the task appropriately.





The problem I had was with one particular model that did not join the domain.  I logged into the machine locally and saw that it installed all the needed drivers, the TS had no failures, and I was able to join the machine manually.  It wasn't a credential issue or an issue with the image because this same TS was completely successful on other models.

What I oddly had to do to fix it is that instead of 'Auto Applying Drivers' based on Category, I had to apply the entire driver package.  This completely fixed the issue so the NIC driver must not have initialized correctly through the TS and failed the domain join.  Remember that the domain join step in your TS only appends the unattend file with the proper information and then Windows Setup does the actual joining to the domain.  The success of that single task is separate from the actual success of joining the domain.



When I have some extra time I'll try to determine if it is a model issue, or driver variation for that particular flavor of NIC.  In case you were curious, this was on an HP Probook 6560b with 32-bit Windows 7 and an Intel 82579V NIC.
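As an added example (my own code, not from the original post), the checks below confirm from inside the deployed Windows 7 machine whether the domain join actually happened, list the NICs that came up, and show the same Win32_ComputerSystem data that a task sequence WMI-query condition uses to pick a driver package. It assumes it runs locally with administrative rights and that Windows Setup wrote its join log to %WINDIR%\debug\NetSetup.LOG.

```powershell
# Added example, not from the original post. Assumptions: run locally on the
# deployed machine as an administrator; NetSetup.LOG is under %WINDIR%\debug.

function Get-ComputerModel {
    # Same value a TS WMI-query condition tests, e.g.
    #   SELECT * FROM Win32_ComputerSystem WHERE Model LIKE "%6560b%"
    (Get-WmiObject -Class Win32_ComputerSystem).Model
}

function Test-DomainJoined {
    # PartOfDomain is $false when Setup silently failed the join and the box
    # came up in a workgroup, even though the TS step itself reported success.
    [bool](Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain
}

function Get-EnabledNics {
    # A NIC that did not bind a driver during Setup is the usual cause of a
    # silent join failure; list the adapters that were actually enabled.
    Get-WmiObject -Class Win32_NetworkAdapter -Filter "NetEnabled = TRUE" |
        Select-Object Name, MACAddress
}

function Get-NetSetupTail {
    param([int]$Lines = 40)
    $log = Join-Path $env:WINDIR 'debug\NetSetup.LOG'
    if (Test-Path $log) {
        Get-Content $log | Select-Object -Last $Lines
    } else {
        "No $log found; Setup never attempted the join"
    }
}

"Model: $(Get-ComputerModel)"
"Joined to domain: $(Test-DomainJoined)"
Get-EnabledNics | Format-Table -AutoSize
Get-NetSetupTail
```

If Test-DomainJoined returns False and Get-EnabledNics is empty, the NIC driver was the problem; if the adapter is present but NetSetup.LOG shows the join attempt failing, look at the credentials or the OU path in the unattend file instead.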

Thursday, May 30, 2013

Re-purposing low-end PCs using VMWare View, Windows ThinPC, SCCM 2012, and Microsoft Security Compliance Manager

In this post I will go over how to re-purpose low-end PCs as "Thin Clients" for VMWare View.  Essentially we need to replace the Windows shell so that users are only prompted to log in through the VMWare Horizon View Client and nothing else.  With this comes additional challenges and caveats.

List of assumptions for this post:

  1. Understanding of Group Policy and Active Directory
  2. Understanding of SCCM 2012, specifically creating and deploying Packages and Images through Task Sequences.
  3. Basic understanding of scripting, mostly simple batches.
  4. Understanding of Horizon View, creating Pools based on snapshots and general syntax for installing and customizing the Client
  5. Basic understanding of the underlying functionality of Windows 7, registry, core components, and variants.


To get started, you will need the following:

  1. Microsoft Windows ThinPC (aka Windows 7 Embedded).  This will be available through the Microsoft Volume Licensing Site if you have Software Assurance with your Microsoft Agreement.
  2. Microsoft Security Compliance Manager
  3. Microsoft System Center Configuration Manager 2012 (SCCM 2012).  You can figure out how to deploy your image utilizing another tool but for this post I will only be providing instructions for SCCM 2012.
  4. VMWare Horizon View setup with a Pool in place.  This post assumes you know how to provision your pool for end-users.
  5. VMWare Horizon View Client.  You will need the latest x86 version as ThinPC is only 32-Bit.
  6. The JCOS Installation Files for replacing the Windows Shell.
  7. A reference machine for creating your image.  I recommend firing up a Virtual Machine in Virtual PC, VMWare Workstation, or VirtualBox.

Prepare your reference machine:
  1. Create a Virtual Machine to boot from the ThinPC ISO.  Complete the install.
  2. Install the SCCM Client.
  3. Install the View Client.  I recommend doing this with a custom batch file that contains your server address and other information, otherwise you can customize this later via Group Policy.
  4. Copy the latest View Client Administrative Template for Group Policy to a network location.  You will find it here: "C:\Program Files\VMware\VMware View\Client\extras\vdm_client.adm"
  5. Follow the steps on the JCOS site, run their script and then let it reboot the few times that it needs.
  6. At the end you should be looking at a black background with the Horizon View Client ready to login.
  7. Now capture your reference machine into an image using a Required client-based Capture Task Sequence.
  8. Import the image into SCCM and distribute the content as usual.

Group Policy and Client Customizations:
  1. Since the machines will be joined to the domain you can control much of the settings from a Computer-Based Group Policy Object (GPO).
  2. These are the general settings you'll want to apply to your Thin Clients.  Create a new GPO and import the 'vdm_client.adm' we talked about earlier.  Use these settings as guidance:
    1. VMware View Client Configuration/Scripting definitions
      1. Connect USB devices to the desktop when they are plugged in (Enabled)
      2. Desktop Layout (Enabled - Full Screen)
      3. DesktopName to select (Enabled, enter in the name of the Pool you want the users to automatically log into)
      4. Logon DomainName (Enabled - NetBIOS of your Domain)
      5. Server URL (Enabled, View Client URL used to connect to Pools)
    2. VMware View Client Configuration/Security Settings
      1. Certificate verification mode (Enabled - No Security)
      2. Default value of the 'Log in as current user' checkbox (Disabled)
      3. Display option to Log in as current user (Disabled)
      4. Enable SSL encrypted framework channel (Enabled)
      5. Ignore certificate revocation problems (Enabled)
  3. You'll also want to disable the 'Shade' on the View Client Window that is enabled by default.  This is a registry setting which can be applied during our Deploy Task Sequence as a Package.
    1. HKLM\SOFTWARE\VMware, Inc.\VMware VDM\Client
      1. REG_SZ value: EnabledShade
        1. Data: 0

Microsoft Security Compliance Manager and LocalGPO Tool
  1. You'll notice that the machine is logging in by default using a local account which you cannot remotely manage using Group Policy.  The problem arises in that some of the settings you want to manage are only available via a User-Based GPO and that will not work for a local account.  You can either manage the local Group Policy settings on your reference machine prior to capturing it, or you can utilize the LocalGPO Tool within the Microsoft Security Compliance Manager and capture these local Group Policy settings and then apply them to your machines as a Task in your Deploy Task Sequence.
  2. Install Microsoft Security Compliance Manager (MSCM) on a reference machine.
  3. Navigate to where you installed MSCM and find the LGPO folder.  Copy this to a network location, you'll need it and want to use it in the future.
  4. Fire up another ThinPC Virtual Machine and install the LocalGPO.msi found within the LGPO folder.
  5. Create a folder called 'GPBackups' at the root of C:
  6. After LocalGPO is installed, navigate to where it is installed.  Here you will find a 'command-line here.cmd' file.  Copy and paste this in the same folder and rename it 'ExportLocalGPO.bat.'
  7. Edit that file and modify it so it looks like the following:
    @Echo off
    ECHO.
    ECHO LocalGPO Tool
    ECHO ____________________
    ECHO.

    REM Switch to the drive and folder this batch file lives in (the LocalGPO install folder)
    %~d0
    CD %~dp0

    REM Make CScript the default script host so LocalGPO.wsf runs without WScript pop-ups
    cscript //H:CScript //B //NoLogo
    REM Export the local Group Policy to C:\GPBackups as a GPOPack
    cscript LocalGPO.wsf /path:C:\GPBackups /export /GPOPack
  8. Now we need to modify the local Group Policy before we capture the settings.
  9. At the 'run command' type in 'gpedit.msc'
  10. Much of what you'll want to configure will be found under:
    1. User Config - Administrative Templates - System - Ctrl+Alt+Del Options
      1. Remove Change Password (Enabled)
      2. Remove Lock Computer (Enabled)
      3. Remove Task Manager (Enabled)
      4. Remove Logoff (Enabled)
    2. Feel free to configure any other User Configurations.  Remember, the computer ones we can do over the network via a standard GPO applied to the targeted Organizational Unit.
  11. Now go back and run 'ExportLocalGPO.bat' (Run as Administrator).
  12. If everything completes successfully, go to C:\GPBackups and you should see a folder with a long GUID name.  Copy GPBackups to a network share in its own folder.
  13. Within GPBackups on the network share, create a batch file called 'ImportGPOPack.bat'
  14. Here is the syntax on what to put into that batch file:
    1. cscript "%~dp0{GUID}\GPOPack.wsf" /Path:"%~dp0{GUID}" /silent
    2. This will apply those local GPO settings to a remote machine.
  15. Create a Package within SCCM.  The Source Files should point to 'Network Share\GPBackups' and the command to run will be 'ImportGPOPack.bat'
  16. Test Deploying this Package to a machine prior to adding it to your Deploy Task Sequence.




Final Deploy Task Sequence
  1. Within the JCOS folder you downloaded, copy the 'sysprep.reg' file to a lone folder on a network share.
  2. Create another SCCM Package with the above folder as the source files and for the command line specify 'regedit /s sysprep.reg'
  3. Look at the settings within 'sysprep.reg' and then deploy the package and ensure it does what it is supposed to.
  4. Create a Deploy Task Sequence
  5. Specify the image as the one you originally captured
  6. Go through the standard list of tasks, including any Driver Packages you have set to apply to your specific machines.
  7. At the end of the Task Sequence, create another Task Sequence Group called 'Post ThinPC Settings'
    1. Add a Package and choose your 'ThinPC Sysprep Package'
    2. Add another Package and choose your 'ThinPC ImportGPOPack Package'
    3. Add another Package and choose your 'ThinPC Disable View Shade'
    4. Follow it all up with a 'Restart Computer' and specify booting to local OS, NOT WinPE as to avoid Client Provisioning issues.
    5. Deploy
    6. Test
    7. Test some more..
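As an added example (my own code, not part of the original post or of the JCOS files), the script below does the work of the three 'Post ThinPC Settings' packages in the order listed above: it imports sysprep.reg with 'regedit /s', applies the exported local GPO with GPOPack.wsf using the same /Path and /silent switches as ImportGPOPack.bat, and writes the EnabledShade value from the registry step. It assumes it runs as one package whose source folder holds sysprep.reg and the GPBackups folder copied from the LocalGPO export, and that the task sequence runs it as SYSTEM.

```powershell
# Added example, not from the original post. Assumptions: this script sits in
# the package source folder next to sysprep.reg and GPBackups\{GUID}\GPOPack.wsf;
# the registry path and value name are the ones given in the post.
$ErrorActionPreference = 'Stop'
$root = Split-Path -Parent $MyInvocation.MyCommand.Path   # works on PowerShell 2.0

function Import-SysprepReg {
    param([string]$RegFile = (Join-Path $root 'sysprep.reg'))
    # Equivalent of the package command line 'regedit /s sysprep.reg'.
    $p = Start-Process -FilePath regedit.exe -ArgumentList "/s `"$RegFile`"" -Wait -PassThru
    return $p.ExitCode
}

function Import-GpoPack {
    param([string]$BackupRoot = (Join-Path $root 'GPBackups'))
    # Locate the GUID-named export folder at run time instead of hard-coding
    # it in the batch file, so a re-export does not break the package.
    $pack = Get-ChildItem -Path $BackupRoot -Recurse -Filter GPOPack.wsf | Select-Object -First 1
    if (-not $pack) { throw "No GPOPack.wsf found under $BackupRoot" }
    $dir = $pack.DirectoryName
    $args = "//NoLogo `"$($pack.FullName)`" /Path:`"$dir`" /silent"
    $p = Start-Process -FilePath cscript.exe -ArgumentList $args -Wait -PassThru
    return $p.ExitCode
}

function Disable-ViewShade {
    # HKLM\SOFTWARE\VMware, Inc.\VMware VDM\Client  REG_SZ EnabledShade = 0
    $key = 'HKLM:\SOFTWARE\VMware, Inc.\VMware VDM\Client'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name EnabledShade -Value '0' -Type String
    return (Get-ItemProperty -Path $key -Name EnabledShade).EnabledShade
}

$rcSysprep = Import-SysprepReg
$rcGpoPack = Import-GpoPack
$shade     = Disable-ViewShade
"sysprep.reg exit=$rcSysprep  GPOPack exit=$rcGpoPack  EnabledShade=$shade"

# A non-zero exit code makes the task sequence step fail instead of silently
# continuing with a half-configured thin client.
if ($rcSysprep -ne 0 -or $rcGpoPack -ne 0) { exit 1 }
exit 0
```

Because the task sequence runs this before the 'Restart Computer' step, the shade setting and the local GPO are already in place the first time the local account logs on.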

Reference Links:
  1. Backing up and restoring the Local GPO (There are some syntax errors in this link)
  2. Backup and restore the Local GPO (There are some syntax errors in this link)
  3. VMWare Horizon View 5.3 Client Install (See page 20 for details)
  4. How to Build a Thin Client on Existing Hardware


Friday, February 25, 2011

Google & Group Policy

Google has increasingly been getting involved in the Enterprise with its push of Google Apps for Education and Business.  Along with this they have finally offered their applications with an MSI and Administrative Templates (ADM or ADMX) to manage them through Group Policy.  The problem with this, however, is that they're not very good at letting us know when they have added MSIs and Administrative Templates, or when they have been updated.  I am going to offer links to everything I have discovered here:

MSI:

Google Chrome

Google Cloud Connect

Google Chat Plug-In (My previous post explains how to get the MSI out of it)

Google Earth (Download the EXE via the 'Advanced Setup' option.  Extract its contents using 7Zip and you will then have the MSI)

Group Policy Administrative Templates:

Google Update ADM (Allows you to manage Google Update and the update/installation options for many of their other pieces of software)

Google Chrome ADM & ADMX (Zip file includes ADM and ADMX, as well as documentation)

Misc. Settings:

Google Chrome - Customizations and Preferences


I get in the habit of downloading the Administrative Templates every month since they seem to be updated quite frequently without notice.  The Chrome template basically gets updated with every new stable release which tends to be at least once a month.

Wednesday, February 2, 2011

Deploying Google Talk Plug-in through Group Policy

If your organization is going to Google Apps and Gmail, you'll want to deploy the Google Chat Plug-in in order to do video chats.  The problem is that Google doesn't have a way of distributing this plug-in, nor do they offer an MSI... seemingly.  Follow these steps in order to get the Google Chat Plug-in MSI and deploy it via Group Policy.


  1. Go to this link and click on 'click here' in order to download the GoogleVoiceAndVideoSetup.exe
  2. Navigate to the following location:
    • C:\Users\%username%\AppData\Local\Google\Update\Download\%guid% (Windows Vista/7)
    • C:\Documents and Settings\%username%\Local Settings\Application Data\Google\Update\Download (Windows XP)
    • You may have to change your Folder Options to display Operating System Files
  3. You now need to run the 'GoogleVoiceAndVideoSetup.exe.'  Once you execute it, at some point the 'googletalkpluginaccel.msi' will show in the above locations, depending on which OS you are running.  You'll want to copy and paste that MSI very quickly, as it'll be erased after the application finishes executing and installing.
  4. This is the MSI that you'll want to deploy via Group Policy.  Be sure to edit it using the Orca tool and look at the Property table in order to determine the version of the plug-in.  It seems like this plug-in is updated every few weeks so you'll want to keep up-to-date with it.
  5. Add it to a Software-Installation GPO and apply!
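As an added example (my own code, not from the original post), the script below automates steps 2 through 4: it polls the Google Update download folder while GoogleVoiceAndVideoSetup.exe runs, copies any MSI the moment it appears (before the installer deletes it), and then reads ProductName and ProductVersion from the MSI's Property table through the Windows Installer COM API, which is the same table Orca displays. It uses the Vista/7 and XP folder paths given in the post and assumes a destination folder of your choosing.

```powershell
# Added example, not from the original post. Assumptions: the download folders
# are the ones listed in the post; $Destination is any folder you pick.
param(
    [string]$Destination = 'C:\Deploy\GoogleTalkPlugin',
    [int]$TimeoutSeconds = 120
)

# Vista/7 keep it under %LOCALAPPDATA%; XP has no such variable, so fall back
# to the 'Local Settings\Application Data' path from the post.
if ($env:LOCALAPPDATA) {
    $watchRoot = Join-Path $env:LOCALAPPDATA 'Google\Update\Download'
} else {
    $watchRoot = Join-Path $env:USERPROFILE 'Local Settings\Application Data\Google\Update\Download'
}

function Get-MsiProperty {
    param([string]$MsiPath, [string]$Property)
    # Open the database read-only (mode 0) and query the Property table.
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($MsiPath, 0))
    $sql = "SELECT Value FROM Property WHERE Property = '$Property'"
    $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @($sql))
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null) | Out-Null
    $record = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
    if ($record -eq $null) { return $null }
    return $record.GetType().InvokeMember('StringData', 'GetProperty', $null, $record, @(1))
}

function Copy-MsiWhenItAppears {
    param([string]$Root, [string]$Dest, [int]$Timeout)
    if (-not (Test-Path $Dest)) { New-Item -ItemType Directory -Path $Dest | Out-Null }
    $deadline = (Get-Date).AddSeconds($Timeout)
    $seen = @{}
    while ((Get-Date) -lt $deadline) {
        # The MSI lands in a GUID-named subfolder for a few seconds only,
        # so poll quickly and copy each new file once.
        Get-ChildItem -Path $Root -Recurse -Filter *.msi -ErrorAction SilentlyContinue |
            Where-Object { -not $seen.ContainsKey($_.FullName) } |
            ForEach-Object {
                $seen[$_.FullName] = $true
                Copy-Item -Path $_.FullName -Destination $Dest -Force
                $_.Name
            }
        Start-Sleep -Milliseconds 250
    }
}

$copied = @(Copy-MsiWhenItAppears -Root $watchRoot -Dest $Destination -Timeout $TimeoutSeconds)
if ($copied.Count -eq 0) { "No MSI appeared under $watchRoot within $TimeoutSeconds seconds" }
foreach ($name in $copied) {
    $msi = Join-Path $Destination $name
    "$name  ProductName=$(Get-MsiProperty $msi 'ProductName')  ProductVersion=$(Get-MsiProperty $msi 'ProductVersion')"
}
```

Start this script first, then run GoogleVoiceAndVideoSetup.exe in another window; the ProductVersion it prints is what you compare against your current GPO software installation package to decide whether a new version needs to be published.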




Friday, November 5, 2010

Saving Energy by using Group Policy Preferences

With School District budgets being constantly constrained, we have been looking at different methods of saving money. Having roughly 1800 machines in production, we wanted to be able to shutdown machines at the end of the day and also change their Power Options. We looked at solutions like Faronics PowerSave but that would cost about $12,000. We tried running scripts through our Deployment Solution but that was unpredictable, unreliable, and caused unneeded stress on our server and network. With Group Policy Preferences we were able to accomplish everything we needed quickly for no cost.

Requirements:
1. Active Directory 2003 Environment or better
2. Windows XP SP2 or better clients
3. A Windows 2008, 7, or Vista Machine to run the Group Policy Management Console and create GPOs
4. Client-Side Extensions (CSE) installed on clients - this can be done using WSUS
5. XMLlite installed on clients (Is included on XP SP3, and XP SP2 if you have IE7 or greater installed)
6. Download PsShutdown from SysInternals (http://technet.microsoft.com/en-us/sysinternals/bb897541.aspx)


Steps:
1. Install the CSEs on all clients using WSUS. It is under the 'Updates' classification on the WSUS console. It is referenced as KB943729.

2. Install XMLlite on all clients. If you have SP3 for XP, then you're already covered. If you have SP2 and IE7 or greater, then you're already covered as well. If you have neither of those, update your clients already! You can push IE7 through WSUS if you want to stay on SP2, or you can push SP3 through WSUS.

3. Install the GPMC for your policy-creating machine. Using Windows 7 as an example, you'll have to install the RSAT Tools for Windows 7, then add the GPMC under 'Programs and Features - Turn Windows Features on or off.'

4. While you're at it, you might as well create the Central Store for your Group Policy Templates. You will need to copy the ADMX and ADML files you downloaded above. See this article for creating the Central Store: http://support.microsoft.com/kb/929841.

5. Copy PsShutdown.exe to "\\FQDN\SYSVOL\FQDN\"

6. Open up the GPMC on your Windows 7 machine. Create a new GPO and name it "Shutdown." Right-Click and Edit the Policy Object.

7. Under Computer Configuration > Preferences > Windows Settings > Files go to New - File.
a. For Action choose 'Update.'
b. Under source files, choose the location of PsShutdown.exe from Step 5.
c. For destination file choose 'C:\WINDOWS\psshutdown.exe.'
d. Check 'Suppress errors on individual file actions.'

8. Under Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks go to New - Scheduled Task.
a. Action: Replace
b. Name: PsShutdown
c. Run: C:\Windows\psshutdown.exe
d. Arguments: -c -t 600 /accepteula (600 refers to number of seconds the user has to cancel shutdown)

9. Schedule Tab
Choose your schedule. Mine is:
a. Scheduled Task: Daily
b. Start Time: 4:45 PM
c. Schedule Task Daily every 1 day(s)
d. Advanced: Repeat Task every 30 Minutes until 2 hours. Check 'If the task is still running, stop it at this time.' (This means the task will run at 4:45, then every 30 minutes if it is cancelled)

10. Common Tab
a. Check 'Stop processing items in this extension if an error occurs'
b. Check 'Remove this item when it is no longer applied'
c. Check 'Item-level targeting' if you'd like to specify different tasks, at different times. I use this to set up different times for each of our buildings, since they each have different times for releasing children at the end of the day. Each building has its own subnet so I make that task run in only that IP range.

11. Apply the GPO to target OU (Test first!).

12. Within GPMC, create a new GPO called 'Power Management.' Right-Click and choose 'edit.'

13. If your clients are Windows XP, you'll want to make this a User Configuration as XP uses the Power Management settings of the current logged-on user. That user's settings also apply after they log-off. I believe Vista and newer can correctly apply these settings via a Computer Configuration.

14. Under User Configuration > Preferences > Control Panel Settings > Power Options. Right-click and choose New > Power Options (Windows XP). Choose the settings you'd like on your clients. Make note of the green lines. Anything that has a green line under it will be pushed to your clients, and anything with a red line will be ignored. You can use the F5, F6, F7, and F8 buttons to ignore a single setting, ignore all settings, apply a single setting, apply all settings. Play around with it until you know it!

15. Under User Configuration > Preferences > Control Panel Settings > Power Options. Right-click and choose New > Power Scheme (Windows XP)
a. Action: Update
b. Power Schemes - Minimal Power Management. Check 'Make this the active Power Scheme.' This will ensure that, on all CPUs that support it, your processors will "underclock" themselves when the power isn't needed. This is a power saver and will produce less heat.
c. The rest of the settings are up to you! I highly recommend at least instituting Standby if you can but make note that it may or may not affect your ability to wake up your client machines. There is a VBScript I have that'll apply the correct setting to your NICs allowing you to wake them up during Standby/Hibernate states.

16. Apply the GPO to target OU (Test first!).

17. Sit back, watch the results, and bask in the glory that is Group Policy Preferences.
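As an added example (my own code, not from the original post), the checks below verify on a client that both GPOs landed as configured in steps 7, 8 and 15: that psshutdown.exe was copied to C:\WINDOWS, that the PsShutdown scheduled task exists with the '-c -t 600 /accepteula' arguments, and which power scheme is active. It assumes the file path, task name, arguments and the 'Minimal Power Management' scheme name from the steps above, and that the task is queried with schtasks, whose '/fo LIST /v' output includes a 'Task To Run:' line on both XP and Windows 7.

```powershell
# Added example, not from the original post. Assumptions: paths, task name,
# arguments and scheme name are the ones configured in the steps above.

function Test-PsShutdownFile {
    Test-Path 'C:\WINDOWS\psshutdown.exe'
}

function Get-PsShutdownTaskCommand {
    # Returns the command the scheduled task runs, or $null if no such task.
    $out = schtasks.exe /query /tn PsShutdown /fo LIST /v 2>$null
    if ($LASTEXITCODE -ne 0) { return $null }
    foreach ($line in $out) {
        if ($line -match '^Task To Run:\s+(.+)$') { return $Matches[1].Trim() }
    }
    return $null
}

function Test-PsShutdownArgs {
    param([string]$TaskCommand, [int]$ExpectedSeconds = 600)
    # The -t value is the grace period users get to cancel the shutdown; make
    # sure nobody dropped it or the /accepteula switch when editing the GPO.
    return [bool]($TaskCommand -match "psshutdown\.exe\s+-c\s+-t\s+$ExpectedSeconds\s+/accepteula")
}

function Get-ActivePowerScheme {
    $os = [version](Get-WmiObject -Class Win32_OperatingSystem).Version
    if ($os.Major -lt 6) {
        # Windows XP: 'powercfg /query' with no scheme name reports the active
        # scheme as a 'Name  <scheme>' line.
        foreach ($line in (powercfg.exe /query)) {
            if ($line -match '^\s*Name\s+(.+)$') { return $Matches[1].Trim() }
        }
    } else {
        # Vista and later print 'Power Scheme GUID: ...  (<scheme>)'.
        $line = (powercfg.exe /getactivescheme) -join ' '
        if ($line -match '\(([^)]+)\)\s*$') { return $Matches[1] }
    }
    return $null
}

$task = Get-PsShutdownTaskCommand
$result = @{
    PsShutdownPresent = Test-PsShutdownFile
    TaskPresent       = ($task -ne $null)
    TaskArgsCorrect   = ($task -ne $null -and (Test-PsShutdownArgs $task))
    ActiveScheme      = Get-ActivePowerScheme
}
$result
```

Run it on one machine in the test OU after a 'gpupdate /force'; on XP, remember that the power scheme reported is the one for the user who is logged on, which is why the Update below matters.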

Update:

See this link to learn more on how Power Management settings are applied to Windows XP Workstations.  In essence, your Power Management GPO will need to have 'Loopback Processing with Replace' enabled on the Computer Configuration portion, and then you'll have your Power Settings under your User Configuration portion.  You then apply that GPO to your machines.  It basically enforces those User Settings on the machines and then all users get that setting.  Otherwise, when the computer is restarted it would apply the Power Management settings that were in the .DEFAULT Registry Hive.