Intel vPro – Configuration – Part 10 – SCCM Integration

vPro Series of Posts


Now that we have a standalone vPro reference installation, let’s integrate it into SCCM!

Here, I’m going to turn things over to Brian Muller. His blog post on SCCM 2012 integration is excellent.

Integrating SCCM 2012 with SCS 8.1

Here is the general overview. Consider it a preview of what you’re in for (stolen from his post).

  1. Adding the Out of Band Role Management Role to your SCCM server
  2. Extending the Hardware Inventory for SCCM 2012
  3. Modifying the SCS profile for SCCM 2012
  4. Creating the collections required for the discovery and configuration of your clients
  5. Creating the Discovery and Configurations packages
  6. Creating the Task Sequences required for the discovery and configuration of your clients
  7. Creating the Deployments (SCCM 2007 – Advertisements)
  8. Creating the Status Filter rules to automatically update the Intel collections
  9. Queries to help you troubleshoot

Next up, some custom PowerShell scripting to make things a bit easier.

Advertisements

Intel vPro – The Basics of vPro

vPro Series of Posts


Hi. I’ve spent almost 6 months working on a vPro project at a college\department at OSU. Honestly, it’s been a tough technical road, but it’s relatively well-traveled.

So what is vPro? In short, it’s an embedded computer-on-a-chip built into the motherboard of many new enterprise-class systems. It provides management access to a system regardless of it’s Operating System or Power State. It’s also pretty awesome. Here are two links that provide a lot of good info.

Feature Overview

Here are the best features.

Most Commonly-Used Features

  1. KVM (Keyboard Video Mouse). With a vPro-enabled system (AMT version 6.0 and higher), you can actually use a specialized VNC client to connect to a computer. After connecting, you can mount ISO’s, Floppy images, reboot and change BIOS settings, PXE boot and image the computer with a new operating system, run system diagnostics, etc. This is independent of the Operating System.
  2. PC Alarm Clock. This lets you schedule a wake-up time for computers. This is useful for patch distribution.
  3. Asset Information. This reports some useful information like the type of RAM in each slot, disks, etc.
  4. Power Management. This lets you control the system power — power on, reboot, power off, etc.

Lesser-Known Features

There are several lesser-known features that are cool, but most people won’t use them directly.

  1. Serial-Over-LAN. This outputs the serial port over the vPro connection. It’s super-useful for Linux systems.
  2. Network Filters. This gives you limited firewall-like capability.
  3. Watchdog Policies. This lets you monitor Operating System processes.
  4. Heuristic Filters. This lets you configure an AMT service that rate-limits incoming\outgoing traffic when certain conditions are hit (virus found, etc).

Other General Info

vPro is primarily designed to be used as an underlying platform for vendor-specific implementations. Intel provides ‘reference’ designs and utilities which can be used stand-alone, but they don’t seem to outwardly or specifically support using their reference designs. The good news is that the reference designs are very stable.

For example, Microsoft SCCM has implemented Out-of-Band management support for vPro. Microsoft uses Intel API’s to do all the provisioning, security, and management of the vPro platform when used with SCCM. In this model, when you have a problem, you call up Microsoft (not Intel).

In subsequent blog posts, I’ll cover the installation and configuration of an Intel reference implementation of vPro. This will get you access to all of the vPro features. I’ll also cover vPro reference integration with SCCM, since SCCM’s native vPro support is somewhat dodgy.

vPro Tools

There are several vendor-neutral tools which can be used to connect to a vPro system. They have different purposes and strengths, and they’re all a tad buggy. Here’s a quick list that I’ve found.

  1. RealVNC+. This can be used to gain KVM and IDE Redirection (ISO and Floppy Mount) to a vPro-enabled system. It has problems waking up a PC from sleep, and it sometimes disconnects if you reboot a system. However, you can re-connect pretty quickly.
  2. Open Source Manageability Toolkit (AKA Manageability Commander). This can be used for everything except KVM, although it gives you a one-click KVM connect button as long as RealVNC+ is installed. This product is actively maintained by a very responsive and deeply knowledgeable person named Ylian Saint-Hilaire. The product currently has a bug when trying to use SOL or IDER to a Kerberos-enabled vPro system, but there is an easy workaround (more later).
  3. Intel Platform Solution Manager. This is Intel’s reference application. It gives you access to SOL, IDER, Power Management Features, and Asset Information. It’s the most stable, but doesn’t offer all of the features of the Manageability Toolkit.
  4. Intel Web-UI. This is a built-in web interface for all vPro enabled systems. It provides some basic asset information and power control.

Demo

Let’s see it in action! These systems and domains are all on test\dev boxes, so don’t get too excited by seeing the FQDN. 🙂

RealVNC+

vncplus-1

vncplus-2

vncplus-3

Open Source Manageability Commander

mcmdr1 mcmdr2

Intel vPro Solutions Platform

intel-solutionmgr1

Intel Web-UI

webui1 webui2

I’m sure you’re thinking, “OK, let’s go! Show me how to set this up!”. I’ll be going over the architecture and configuration in subsequent blog posts ASAP. Thanks!

SCCM 2012 SP1 Upgrade Checklist

Alright, everyone else has a checklist — time for mine :). Here’s how we’re installing SCCM 2012 SP1. Once again, this is based off of my internal documentation, so it’s not as polished as it really should be for the open web. I’ve been putting off blogging for so long — it’s time to just get something out there and see if it helps anyone.

Overview

  1. Configure Site Backups
  2. Spin Up a SQL Server Test VM
  3. Test the Database Upgrade
  4. Disable Site Maintenance Task
  5. Backup Boot Image Customizations
  6. Upgrade from WAIK to ADK
  7. Install WSUS Hotfix
  8. Run the Prereq Checker
  9. Run the SP1 Install

You can download an actual excel checklist from the John Puskar Github Repo.

This is going to be a long post…

Step-By-Step

Configure Site Backups

  1. Administration -> Site Configuration -> Sites -> CAS -> Settings -> Site Maintenance
  2. Backup Site Server -> Edit
  3. Enable this task
  4. Set paths -> Local Drive -> F:\Backups
  5. Start time — 5mins from now. Latest start time -> 1hr after start time.
  6. OK to save.
  7. Wait and get the backup.

Spin Up a SQL Server Test VM

  • 80GB Free space
  • Install MS SQL — same version as the one which produced the database backup.
  • Install MS SQL Server 2012 Native Client. Download from here. You have to click ‘download’, then ignore the text file that gets downloaded and scroll to the middle of the download confirmation page. Microsoft® SQL Server® 2012 Feature Pack

Test the Database Upgrade

  1. Login to the test server using a domain account that has local administrator and SQL sysadmin privileges.
  2. Copy the SCCM Site Backup folder from SCCM server to test server.
  3. Open SQL Server Management Studio.
  4. Right-click the SQL Server and choose ‘attach’.
  5. Navigate to the backup folder and select the MDF file found in the site server backup folder.
  6. Click OK to attach the db.
  7. In SQL Server Management Studio, navigate to Security -> Logins.
  8. Right-click the account or group which represents your current login and choose ‘properties’.
  9. Choose ‘User Mapping’ from the left-pane, then select your attached site server database.
  10. Check the box next to the site database backup in the ‘map’ column.
  11. Check the ‘db_owner’ box in the bottom pane.
  12. Click OK to save changes.
  13. Open a command prompt as administrator and navigate to .\sccm2012sp1\smssetup\bin\x64.
  14. Run setup.exe /testdbupgrade <dbname> (ex: cm_cas)
  15. Prerequisite checker should pass.
  16. Click ‘next’ to attempt the upgrade.
  17. Watch task manager for the sqlservr.exe process’ CPU usage. It will spike for 20mins or more.
  18. When the sqlservr.exe process seems to be idle, open the file C:\configMgrSetup.log. It should read ‘Successfully upgraded the SCCM database’.

Disable Site Maintenance Task

  1. Open SCCM Console on the CAS and navigate to Administration -> Site Configuration > Sites.
  2. Right-click the CAS site and choose ‘Site Maintenance’.
  3. Select the task ‘Delete Aged Client Operations’.
  4. Click the ‘disable’ button and confirm that the column labeled ‘Enabled’ reads ‘No’ next to the task.
  5. Click ‘OK’ to save changes.

Backup Boot Image Customizations

Run the following commands and confirm that the files are actually copied.

MKDIR C:\backups
MKDIR C:\backups\bootimages
MKDIR C:\backups\bootimages\Extra
IF EXIST "C:\Program Files\Microsoft Configuration Manager\OSD\Extra" XCOPY /e /y "C:\Program Files\Microsoft Configuration Manager\OSD\Extra" C:\backups\bootimages\extra\
XCOPY /y "C:\Program Files\Microsoft Configuration Manager\bin\x64\osdinjection.xml" C:\backups\bootimages\

Upgrade from WAIK to ADK

  1. Obtain the ADK Downloader, and download the full ADK installer. The downloader is available here: Windows Assessment and Deployment Kit (ADK) for Windows 8
  2. Uninstall WAIK from control panel.
  3. Run the ADK installer.
  4. Choose to install the following features
    • Deployment Tools
    • Windows Preinstallation Environment (Windows PE)
    • User State Migration Tool (USMT)

Install WSUS Hotfix

Download the following hotfix and install.

Run the Prereq Checker

  • Navigate to .\smssetup\bin\x64 and double-click ‘prereqchk.exe’.
  • You will probable see a SQL Server process memory allocation error, but that should be the only issue.

Run the SP1 Install

  1. WOOOOOOOO!
  2. Run the following command:
    cmd /c mkdir C:\SCCMDownloads-SP1
  3. Navigate to .\smssetup\bin\x64 and double-click ‘setup.exe’.
  4. On the ‘Getting Started’ screen, choose to ‘Upgrade this Configuration Manager site’
  5. On the ‘Product Key’ screen, enter the licensing information and click ‘next’.
  6. On the ‘Microsoft Software License Terms’ screen, choose ‘I accept’ and click ‘next’.
  7. On the ‘Prerequisite Licenses’ screen, accept all the license terms and click ‘next’.
  8. On the ‘Prerequisite Downloads’ screen, choose the download required files to C:\SCCMDownloads-SP1 and click ‘next’.
  9. On the ‘Server Language Selection’ screen, click ‘Next’.
  10. On the ‘Client Language Selection’ screen, click ‘Next’.
  11. On the ‘Settings Summary’ screen, confirm that the box reads ‘Setup Type – Upgrade’, then click ‘Next’.
  12. On the ‘Prerequisite Check’ screen, click ‘Begin Install’.
  13. Complete the wizard.

One thing I noticed is that database replication doesn’t work well until all the site servers are upgraded. Good luck!

SCCM 2012 OSD Driver Management – Advanced Tips

I’ve got a few tips for working with OSD drivers in SCCM. Here we go:

Finding the Model Name in WinPE

In task sequence actions, I use a WMI filter to target my ‘Apply Driver Package’ actions. Sometimes the target device is new and doesn’t have an OS yet. Since WinPE doesn’t run powershell, I can’t use my regular command to find the model.

Instead, try this. It’ll return the model.

wmic computersystem get model

Testing the Driver Package for Completion

Sure, you can wait until the OS is fully deployed, then run control panel -> system -> device manager, etc. You can also do this _during_ the task sequence :).

Anytime after the step named ‘Setup Windows and ConfigMgr’, press F8 to launch the command prompt, and then run the following command.

mmc devmgmt.msc

Driver Source Folder Organization

When importing new drivers, there’s a couple things to keep in mind.

  1. Keep your drivers organized. Create subfolders for the driver classes (model\net, model\sata, model\audio, model\graphics, etc.).
  2. Don’t put .exe files or .zip files in the driver source folders.
  3. If you extract an .exe or .zip file into the driver source folder, and the extracted contents don’t contain .inf files (autorun.inf doesn’t count), then delete that driver and try to work without it. Only drivers with .inf files are imported. If your driver doesn’t have any .inf files, you’ll need to treat it like you would an application or package.

SCCM Vendor Plugins

Look into the Dell DCIP and Lenovo Thin Installer. They can automate a lot of the driver\bios work.

SCCM 2012 Dev Installation – Scripted

I have SCCM 2012, but I wanted to be able to quickly spin up development versions of our environment to test new features. I’ve put together some files and scripts to be able to do this quickly, and would love to share ’em with you. There may be a few steps missing, because the post is based off of my internal documentation. However, the script will get you 90% of the way there.

Overview

  1. Gather the Required Files
  2. Create a Slipstreamed SQL Install
  3. Install a Dev Domain
  4. Install the Offline Root CA
  5. Run the SCCM script for the CAS
  6. Run the SCCM script for the Site Server

Download the Required Files

Install the Dev Domain

Follow the instructions on my previous blog post: Installing a Server 2008 Dev Domain – Scripted.

Create SQL 2008 R2 SP2 Slipstreamed Media

Follow the instructions on my previous blog post: Optimizing SQL 2008 R2 Install.

Install ADCS on AD1 – Enterprise Root

Many domains have a pre-existing single-tier PKI installed despite the fact that this is, in general, not the best practice. We will replicate this condition on our domain controller so that we have to work-around it.

  1. Open AD1, the ADDS\DNS\DHCP VM.
  2. Open Server Manager -> Roles -> “Add Roles”.
  3. Under “Select Server Roles”, check the box next to “Active Directory Certificate Services” and click “Next”.
  4. Under “Select Role Services”, check the box next to “Certificate Authority” and click “Next”.
  5. For “Specify Setup type”, choose “Enterprise” and hit next.
  6. For “Specify CA Type”, choose “Root CA”.
  7. For the “Set Up Private Key” step, choose “Create a new private Key”, and click “Next”.
  8. For “Configure Cryptography for CA”, leave everything to default (RSA) and click next.
  9. For “CA name”, leave defaults and click next.
  10. For “Set Validity Period”, keep it at 5 years and click next.
  11. Keep the default database and log locations, and finish the wizard.

Build the Offline Root VM

Settings:

  • Name: DEV-CA0
  • HD: 40 Thin
  • Nics: 1 nic, vmxnet3, on the private VLAN.
  • IP Address: 192.168.0.20 (Private VLAN)

Install ADCS on CA0 – Standalone Root

  1. Make two folders on your C: drive named “certdb” and “certlog”
  2. Download the following scripts from the John Puskar Github Repo and place them in C:\Install_Files
    • SetupCA-RootCA.ps1
    • Install-StandAlone.cmd
  3. Modify the last line of SetupCA-RootCA.ps1 and replace the CADNSuffix parameter.
  4. Modify the DN, CDP, and AIA lines of the install-standalone.cmd script to fit your dev environment.
  5. Open a command prompt as administrator and run the script named ‘Install-standalone.cmd’.

Build the CAS VM

Settings:

  • Name: DEV-SCCM-CAS
  • HD’s (all thin)
    • C: – 40GB
    • D: – 40GB
    • E: – 22GB
    • F: – 100GB
  • Nics: 1 nic, vmxnet3, on the private VLAN.
  • IP Address: 192.168.0.30 (Private VLAN)

Prep and Install the CAS

  1. Login to the John Puskar Github Repo and download the following files. Place them in C:\workingtemp.
    • AD-Functions.ps1
    • Install-Dev-CAS.PS1
  2. Copy the downloaded prereq files from the first step to C:\Install_Files
  3. Modify the variables at the top of the Install-Dev-CAS.ps1 script as necessary for your site.
  4. Open a powershell window as administrator and run the install-dev-cas.ps1 script.

Build the Primary Site Server VM

Settings:

  • Name: DEV-SCCM-TES
  • HD’s (all thin)
    • C: – 40GB
    • D: – 40GB
    • E: – 22GB
    • F: – 100GB
  • Nics: 1 nic, vmxnet3, on the private VLAN.
  • IP Address: 192.168.0.40 (Private VLAN)

Prep and Install the Site Server

  1. Login to the John Puskar Github Repo and download the following files. Place them in C:\workingtemp.
    • AD-Functions.ps1
    • Install-Dev-Site-Server.PS1
  2. Copy the downloaded prereq files from the first step to C:\Install_Files
  3. Modify the variables at the top of the Install-Dev-Site-Server.ps1 script as necessary for your site.
  4. Open a powershell window as administrator and run the install-dev-cas.ps1 script.

Alright! Your site should be up and running in HTTP mode at this point. You can streamline this process quite a bit after the first couple runs.

SCCM 2012 – Enabling the Endpoint Protection Role

Endpoint protection is pretty sweet, and the integration with SCCM Console is very well done. Nice work MS guys!

This is basically a dump from my internal documentation. It might be a little unpolished, but sometimes it’s better to ship a product then continue fretting about perfection…

Install EPP Role on the CAS

  1. Navigate to Administration -> Sites -> Site Server and System Roles
  2. Right-click the CAS and choose “Add site server role.”
  3. On the System Role Selection screen choose ‘Endpoint Protection Point’ and click Next.
  4. On the Endpoint Protection screen accept the license terms.
  5. On the Microsoft Active Protection screen review the information and make a choice.

Create EPP Collectons

  1. Download the script named prep-site-server-wsus.ps1 from my Github page.
  2. Modify the variables at the top of the script to match your Org’s name and site code.
  3. Run the script ON THE SITE SERVER, using your admin account.

Configure and Deploy Custom Anti-Malware Policies

  1. Navigate to Assets and Compliance -> Endpoint Protection -> Antimalware Policies.
  2. Right-click -> Import.
  3. In the import dialog, navigate to “C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\XmlStorage\EPTemplates”.
  4. For each Endpoint Collection that was created, there should be a custom anti-malware setting found in the folder that can be imported. Choose to import an .xml template that matches a collection you’re interested in working on.
  5. Right-click the imported EPP Policy and choose ‘Deploy’.
  6. Deploy the policy to the collection that matches the policy name best.
  7. Repeat this process for all of your EPP collections.

Configure Client Settings

  1. Navigate to Administration -> Client Settings.
  2. Right-click and choose to create a new client settings package.
  3. On the ‘General’ screen, name the new package and check the box labeled ‘Endpoint Protection’.
  4. On the Endpoint Protection screen, set the following settings
    Manage Endpoint Protection client on client computers: True
    Install Endpoint Portection client on client computers: True
    Automatically remove previously installed antimalware software: True
    Suppress any required computer restarts: True
    Disable alternate sources for the initial update: False
  5. Click OK to save changes.
  6. Right-click the new client settings package and choose ‘deploy’.
  7. Deploy the client settings to a collection of your computers.

Endpoint should now be uninstalling your previous virus scanner, and installing the EPP. Wooo!

SCCM 2012 – Installing the SUP Role

I posted previously about configuring software updates in SCCM. This post is about installing the SUP role on the CAS and site servers. A little backwards, I know.

This post is a slightly modified version of my internal documentation on the process. Sorry if it’s a little un-treated. These instructions assume that you’re not using a proxy server, and that you’re installing the SUP role on the same server as your CAS and site server management points.

Install WSUS and Hotfix on CAS

  • WSUS 3 SP1 Download
  • WSUS Install cmd line. The F:\WSUS line is where you want WSUS to store the license agreements for updates which require them.
    WSUS30-KB972455-x64.exe /q CONTENT_LOCAL=1 CONTENT_DIR=F:\WSUS SQLINSTANCE_NAME=%COMPUTERNAME% MU_ROLLUP=1 DEFAULT_WEBSITE=0 CREATE_DATABASE=1 CONSOLE_INSTALL=0
  • WSUS Hotfix Download
  • WSUS Hotfix Install cmd line:
    WSUS-KB2734608-x64.exe /q

Install SUP Role on CAS

  • Administration -> Site Configuration -> Servers and Site System Roles -> CAS Server.
  • Right-click -> Add Site System Role
  • Specify the server’s FQDN.
  • Check ‘Software Update Point’.
  • Do not use a proxy sever unless actually needed.
  • Active Settings: Check ‘Use this server as the active software update point’, and ‘WSUS is configured to use a custom website’.
  • Synchronization Source: ‘Synchronize from Microsoft Update’ and ‘Do not create WSUS reporting events’
  • Synchronization Schedule: Check ‘Enable synchronization on a schedule’. Run every 1 days. Alert when synchronization fails on any site in the hierarchy.
  • Supersedence Rules: Choose ‘Immediately expire a superseded software update’.
  • Classifications: All
  • Products: DO NOT CHOOSE EVERYTHING, only what you need right now. You can always add more later. Choosing everything makes the console really slow.
  • Languages: Only select languages for which you actually install that specific language’s OS version of Windows. This is not about keyboard layouts, it’s about the whole OS language scheme.
  • Next, wait, close.

Run a Full WSUS Synchronization

  • Software Library -> Software Updates -> Right-click -> Run Synchronization

Enable SUP Internet Mode on CAS

  • Admin -> Sites -> Right-click Site -> Configure Site Components -> Software Update Point
  • Choose ‘Allow both intranet and internet clients’.

Install WSUS and Hotfix on Site Server

  • See the previous section regarding the WSUS and Hotfix install. It’s the same process for both the CAS and Site Server.

Install SUP Role on Site Server

  • Admin -> Site Config -> Servers and Site System Roles -> CAS Serevr.
  • Right-click -> Add Site System Role
  • Specify FQDN
  • Check Software Update Point
  • Do not use a proxy sever
  • Active Settings: Check Use this server as the active software update point, and WSUS is configured to use a custom website.
  • Synchronization Source: Do not create WSUS reporting events.
  • Languages: Only select languages for which you actually install that specific language’s OS version of Windows. This is not about keyboard layouts, it’s about the whole OS language scheme.
  • Next, wait, close.

Run a Full WSUS Synchronization

  • Software Library -> Software Updates -> Right-click -> Run Synchronization

Now, you should be ready to actually configure the SUP to push out updates. Good luck!