Thursday, 20 December 2012

[Windows Intune] Useful links

Intune is a great tool for small companies that can't afford SCCM 2012, or for companies that don't need the features available only in SCCM 2012 and that choose the cloud.

Microsoft just released the latest version, called "Wave D".

In this article, I would like to share with you my list of the most important resources for Windows Intune.

Windows Intune website: General presentation, video...


Jump Start:

What's New in Windows Intune:
Getting Started Guide:

Microsoft Virtual Academy:

Mobile management with SCCM 2012 SP1 and Intune :
 - Part 1: Configure Windows Intune connector in SCCM 2012 SP1:

Intune for partners:

See you soon !


[Windows 8] Useful links

You have certainly heard of Windows 8.
You have probably even installed that OS on a PC to test it.

Surprised by the lack of a Start Menu? Have you ever tested that OS on a touch device?

In this article, I would like to share with you my list of the most important resources for Windows 8.

To start, I recommend watching a global presentation of some features in Windows 8 Enterprise:
If you've got time, you can watch the rest of the series (except perhaps the first episode).

Plan for and deploy Windows 8:

Windows 8 Library:
What's New:
Deployment with the Windows ADK:

Introducing Windows 8: An Overview for IT Professionals (Final Edition):
Windows 8 and Windows RT Product Guide:
Windows 8 Product Guide for Business:

Download Windows 8 Enterprise Evaluation:
Windows Assessment and Deployment Kit (ADK) for Windows® 8:
Microsoft Deployment Toolkit (MDT) 2012 Update 1:
Microsoft Assessment and Planning Toolkit (MAP):


Windows 8 Deployment:

Technical Training:
Microsoft Virtual Academy:
Partner Readiness Kit:

Windows 8 for partners:
Jump Start: 
Download Campaign (Presentation Deck, Battle card...):

Licensing and Volume Activation

See you soon !

Thursday, 13 December 2012

[SCCM 2007] [SCCM 2012] Computer Accounts behavior in Collections

You have probably noticed some changes between SCCM 2007 and SCCM 2012 in how computer accounts behave in collections, mainly when computers are reinstalled or accounts are deleted.

In this article, I'll give you some results from my own experience.

Before starting, I would like to explain how SCCM 2007 and SCCM 2012 handle computer accounts in a collection. You probably know the "GUID" or "SMS Unique Identifier", called "Configuration Manager Unique Identifier" in SCCM 2012. This ID is used to identify the client. For internal management, however, SCCM uses another field called "Resource ID".

Properties for a SCCM 2007 client

Let's look at the Collection_Rules table, to understand how rules are stored in SCCM. In this case, I created a direct rule :

However "Resource ID" can be changed even if the client GUID is the same.

Computer Refresh
In this scenario, Windows XP, 7 or 8 is running on the client computer and an OSD task sequence is launched. Data and configuration are saved during the first steps.

With SCCM 2007, Resource ID is the same before and after the task sequence. Computer account remains in the same collections and advertisements are applied again.

With SCCM 2012, Resource ID is regenerated. If you created direct rules, collection attachments are lost !

There is a problem with direct rules in SCCM 2012 without SP :
If you check the collection properties, you can confirm that the computer account is still registered. However, the computer account never appears in the collection.

...look what happens with the other scenarios.

New Installation
In this scenario, the computer boots directly on WinPe (PXE, CD, USB key...).

In SCCM 2007 in native mode and in SCCM 2012, Resource ID is the same before and after the task sequence. Computer account remains in the same collections and advertisements are applied again.

In SCCM 2007 in mixed mode, a new computer account is created with a new Resource ID. The previous computer is marked as obsolete. In the console, depending on your settings, you can manually merge the two accounts to attach the new account to the collections of the previous account.

Account deleted and recreated (thanks to Heartbeat Discovery):
In this scenario, you just remove the computer account. The computer account is recreated a short time later during heartbeat discovery.

Both in SCCM 2007 and SCCM 2012, the new computer account is recreated with a new Resource ID.

In SCCM 2007, direct rules are removed.
In SCCM 2012 without SP, direct rules are not correctly handled. As for "computer Refresh", you still see your direct rules, but the computer account never appears in the collection.

So What's wrong with direct rules in SCCM 2012 without SP ?
 Let's look at the database again : The Resource ID has been incremented to 16777219...

..., however the direct rules always point to the old Resource ID (16777218).

There is no obsolete account function... To solve that situation, you need to:
 - Remove your old direct rules
 - Click on Apply. Otherwise, your new direct rule will still point to the previous Resource ID...
 - Recreate your direct rules
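
A read-only check for the situation described above, added here as an example and not taken from the original post: it lists direct membership rules whose Resource ID no longer matches a live system record, so you know which rules to remove and recreate. The server and database names are placeholders, and it assumes a direct rule's RuleName is the computer name (the console default); v_CollectionRuleDirect and v_R_System are the site database views queried.

```powershell
# Placeholders (assumptions): replace with your site database server and database.
$SqlServer = 'SQLSERVER01'
$Database  = 'CM_P01'        # usually CM_<SiteCode> in SCCM 2012

# Read-only query: direct rules on System resources (ResourceType 5) whose
# ResourceID is missing from v_R_System or belongs to an obsolete record.
# CurrentResourceID is looked up by name, assuming RuleName = computer name.
$query = @'
SELECT d.CollectionID,
       d.RuleName,
       d.ResourceID   AS RuleResourceID,
       cur.ResourceID AS CurrentResourceID
FROM   v_CollectionRuleDirect AS d
LEFT JOIN v_R_System AS old
       ON old.ResourceID = d.ResourceID
LEFT JOIN v_R_System AS cur
       ON cur.Name0 = d.RuleName
      AND ISNULL(cur.Obsolete0, 0) = 0
WHERE  d.ResourceType = 5
  AND (old.ResourceID IS NULL OR old.Obsolete0 = 1)
ORDER BY d.CollectionID, d.RuleName;
'@

# Windows authentication; the account only needs read access to the views.
$connString = "Server=$SqlServer;Database=$Database;Integrated Security=SSPI"
$conn    = New-Object System.Data.SqlClient.SqlConnection($connString)
$adapter = New-Object System.Data.SqlClient.SqlDataAdapter($query, $conn)
$table   = New-Object System.Data.DataTable
[void]$adapter.Fill($table)   # Fill opens and closes the connection itself

if ($table.Rows.Count -eq 0) {
    Write-Output 'No direct rule points to a missing or obsolete Resource ID.'
} else {
    # Each row is a rule to remove, apply, and recreate in the console.
    $table.Rows |
        Select-Object CollectionID, RuleName, RuleResourceID, CurrentResourceID |
        Format-Table -AutoSize
}
```

A row where RuleResourceID and CurrentResourceID differ is a machine that silently stopped receiving whatever was deployed to that collection, including software updates.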

We hope that this mistake will be solved in SP1:

That's certainly a good reason to test "User Affinity" and to start to deploy applications on users :-)

See you soon !

Monday, 3 December 2012

[SCCM 2007] Task Sequence fails because boot image is inaccessible on SMSPXEIMAGES$

Take a really common OSD task sequence (for example the default Deployment task sequence) where you need to restart in WinPE.
You deploy the boot image to the PXE point as usual (shares like \\MyServer\SMSPXEIMAGES$) and everything works fine: you press F12, the computer starts with PXE, loads the boot image...
and you get the following error message!?!

Obviously, someone will tell me that a SMSPXEIMAGES$ share is not a "real" Distribution Point. It's only made to boot on PXE.
To avoid that problem, people deploy images everywhere : on PXE shares (SMSPXEIMAGES$ share) and "Real" Distribution Points.

Wrong and Really Wrong! And I'll prove it:

Let's look at the smsts.log file when the client checks whether all packages used in the task sequence are available. We can clearly see that the client tries to access the boot image on the SMSPXEIMAGES$ share, but something is wrong because it retries several times.

If we check access rights, we can notice that the default access rights set on the SMSPXEIMAGES$ share are too restrictive. Indeed, only the local administrators group and the system account can access it.

To solve that problem, I recommend granting at least the Read access right on the SMSPXEIMAGES$ share to the Network Access Account.
The default NTFS rights are OK.
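
One way to apply and verify this share permission, added here as an example and not taken from the original post. It assumes a PXE server where the SmbShare module is available (Windows Server 2012 or later) and uses a hypothetical Network Access Account name; the grant is limited to Read so the fix does not widen access beyond what the task sequence needs.

```powershell
# Run elevated on the PXE service point. Requires the SmbShare module.
$ShareName = 'SMSPXEIMAGES$'
$Naa       = 'CONTOSO\svc-sccm-naa'   # hypothetical Network Access Account

# 1. Show the current share-level ACL (this is separate from the NTFS ACL).
$acl = Get-SmbShareAccess -Name $ShareName
$acl | Format-Table AccountName, AccessControlType, AccessRight -AutoSize

# 2. Flag broad principals: the fix is a single Read entry for the NAA,
#    not opening the boot image share to every account.
$broadPattern = '^(Everyone|NT AUTHORITY\\Authenticated Users|BUILTIN\\Users)$'
$broad = $acl | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.AccountName -match $broadPattern
}
foreach ($entry in $broad) {
    Write-Warning "$($entry.AccountName) has $($entry.AccessRight) on $ShareName"
}

# 3. Grant Read to the NAA only if it has no Allow entry yet; warn if an
#    existing entry gives it more than Read.
$existing = $acl | Where-Object {
    $_.AccountName -eq $Naa -and $_.AccessControlType -eq 'Allow'
}
if (-not $existing) {
    Grant-SmbShareAccess -Name $ShareName -AccountName $Naa `
        -AccessRight Read -Force | Out-Null
    Write-Output "Granted Read on $ShareName to $Naa"
} elseif ($existing.AccessRight -ne 'Read') {
    Write-Warning "$Naa already has $($existing.AccessRight); Read is sufficient"
} else {
    Write-Output "$Naa already has Read on $ShareName"
}

# 4. Verify the resulting entry.
Get-SmbShareAccess -Name $ShareName |
    Where-Object { $_.AccountName -eq $Naa } |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize
```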


For more :
You are probably not totally satisfied with my explanation. Indeed, how can a client boot from a boot image and be unable to access the same image a few seconds later?!

When a client boots with PXE, the boot image is not downloaded from the SMSPXEIMAGES$ share but through the WDS service and the TFTP protocol. The WDS service runs under the system account and has no problem accessing the boot images.
Later, on the contrary, when the SCCM client tries to access the boot image, it uses the SMSPXEIMAGES$ Windows share.

Moreover :
In certain circumstances, you can get that error randomly with a Task sequence !
Imagine a task sequence where no step restarts in WinPE except for the initial PXE boot (for example, the default "Build and Capture" task sequence).

If several task sequences (with several boot images) are advertised to a client, do you know which boot image will be distributed by PXE?
The client will load the boot image of the latest task sequence advertised on the computer account!
I'll let you imagine scenarios where, depending on the collection assignments and the advertisements, 2 computers can have exactly the same task sequences but start on different boot images.

If the boot image loaded on the client corresponds to the task sequence that you select, the task sequence simply starts.

But what happens if you choose a task sequence that requires another boot image than the one loaded ?
The client downloads the right boot image, configures the hard disk boot parameters to start on that boot image, requests the user to eject the CD and restarts the computer. Task sequence starts as soon as the boot image is loaded on the computer.

If the client can't download the boot image, task sequence fails !
That will happen if the boot image is deployed only on the SMSPXEIMAGES$ shares and if you don't modify the access rights as recommended.

If you provide the read access right to the network access account on the SMSPXEIMAGES$, everything will work fine.

Tricky to understand ? Let's take an example :
On one hand, an OSD task sequence called "TS1" that uses the boot image "Boot1". That task sequence is advertised (not mandatory) on the collection "Coll1".
On the other hand, another OSD task sequence called "TS2", that uses the boot image "Boot2" and that is advertised (not mandatory) on the collection "Coll2".

You have 2 computers called CompA and CompB.
You add CompA to Coll1 and CompB to Coll2. You wait a few minutes and you add CompA to Coll2 and CompB to Coll1.
The task sequences TS1 and TS2 are advertised on both computers. However, with PXE, CompA will boot the "Boot2" image and CompB will boot the "Boot1" image. Ok? Fun :o)

Both computers are started and on the SCCM OSD client wizard, you select the task sequence TS1.
No problem for CompB because "Boot1" is already loaded. Task sequence TS1 starts.
For CompA, the client must download "Boot1". However, that operation is not done through the PXE service but through the Windows share. If the client can't download the boot image, the task sequence fails.

See you soon !