Channel: The Official Configuration Manager Support Team Blog

Windows PowerShell Examples for Content Management

Overview This article covers some basic content management usage scenarios using Windows PowerShell for System Center 2012 R2 Configuration Manager. Included are examples on how to create a site system and configure it as a distribution point (including...(read more)

Support Announcements for November 2013

System Center 2012 Configuration Manager SP1 supports Windows Server 2012 R2 and Windows 8.1: System Center Configuration Manager 2012 SP1 supports site system roles for the following operating system SKUs: Windows Server 2012 R2 Standard. ...(read more)

Announcement: New Quiz for System Center 2012 R2 Configuration Manager

We are pleased to announce that we’ve just published a new quiz in our popular series of quizzes for System Center 2012 Configuration Manager. This new quiz tests your knowledge of many of the new features and functionality in System Center 2012...(read more)

HOTFIX: Asset Intelligence sync point doesn’t sync with the System Center Online service after you install hotfix 2733615 on a Windows Server 2003-based Configuration Manager 2007 SP2 site server


Consider the following scenario:

- You have a Microsoft System Center Configuration Manager 2007 Service Pack 2 (SP2) site server that is running on Windows Server 2003.

- You install an Asset Intelligence synchronization point on the site server.

- You install the hotfix that is described in Microsoft Knowledge Base (KB) article 2733615 on the site server.

- The Asset Intelligence synchronization point tries to synchronize with the System Center Online service.

In this scenario, synchronization fails. Additionally, the following error message is logged in the Aiupdatesvc.log file:

Asset Intelligence Catalog Sync Service Error: 0 : date and time:CryptoException trying to get certificate - The specified network password is not correct.

This issue occurs because the certificate that was released in hotfix 2733615 cannot resolve some password-related issues in Windows Server 2003.

For additional details and a link to a ConfigMgr 2007 hotfix that resolves this issue please see the following:

KB2783924 - Asset Intelligence sync point doesn’t sync with the System Center Online service after you install hotfix 2733615 on a Windows Server 2003-based Configuration Manager 2007 SP2 site server (http://support.microsoft.com/kb/2783924)

J.C. Hornbeck | Solution Asset PM | Microsoft GBS Management and Security Division

Get the latest System Center news on Facebook and Twitter:

System Center All Up: http://blogs.technet.com/b/systemcenter/
System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/
System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/
System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The AD RMS blog: http://blogs.technet.com/b/rmssupp/

App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

HOTFIX: "Error 25150. Setup was unable to register the CCM_Service_HostingConfiguration endpoint" when you try to install the client agent in Configuration Manager


When you try to install the client agent on a Microsoft System Center 2012 Configuration Manager management point that has Cumulative Update 3 for System Center 2012 Configuration Manager Service Pack 1 (CU3) installed, the installation may fail. Additionally, you may see the following error in the Client.msi log when verbose logging is enabled:

[15:02:26] Registering Hosting Configuration.
MSI (s) (6C!A8) [15:02:26:782]: Closing MSIHANDLE (22022) of type 790531 for thread 936
[15:02:26] @@ERR:25150
MSI (s) (6C!A8) [15:02:26:783]: Product: Configuration Manager Client -- Error 25150. Setup was unable to register the CCM_Service_HostingConfiguration endpoint
The error code is 80041002
MSI (s) (6C!A8) [15:02:26:784]: Closing MSIHANDLE (22020) of type 790531 for thread 936
Error 25150. Setup was unable to register the CCM_Service_HostingConfiguration endpoint
The error code is 80041002
MSI (s) (6C:7C) [15:02:26:784]: Closing MSIHANDLE (22018) of type 790536 for thread 1252
CustomAction CcmRegisterHostingConfiguration returned actual error code 1603

For additional details on this problem and a link to a ConfigMgr 2012 hotfix that resolves this issue please see the following:

KB2905359 - "Error 25150. Setup was unable to register the CCM_Service_HostingConfiguration endpoint" when you try to install the client agent in Configuration Manager (http://support.microsoft.com/kb/2905359)

J.C. Hornbeck | Solution Asset PM | Microsoft GBS Management and Security Division


Replication errors in System Center 2012 R2 Configuration Manager

Issue Several customers reported that child primary sites were entering maintenance mode after upgrading the central administration site from System Center 2012 Configuration Manager Service Pack 1 (SP1) with CU2 or CU3 to System Center 2012 R2 Configuration...(read more)

HOTFIX: Per-computer variables for imported computers are not read in System Center 2012 R2 Configuration Manager


You may notice that per-computer task sequence variables that are defined for imported computers are filtered out of client policies. This prevents the variables from being read during task sequence execution. This problem does not affect per-computer variables that are defined for existing clients.

For additional details and a link to a ConfigMgr 2012 R2 hotfix that resolves this issue please see the following:

KB2907591 - Per-computer variables for imported computers are not read in System Center 2012 R2 Configuration Manager (http://support.microsoft.com/kb/2907591)

J.C. Hornbeck | Solution Asset PM | Microsoft GBS Management and Security Division


HOTFIX: An update is available for the "Operating System Deployment" feature of System Center 2012 R2 Configuration Manager


This update resolves the following issues in Microsoft System Center 2012 R2 Configuration Manager.

Issue 1

After you enable the PXE Service Point role on an instance of a specific distribution point, or you select the Deploy this boot image from the PXE-enabled distribution point property of a boot image, the Windows Deployment Service (WDS) stops running. Additionally, entries that resemble the following are logged in the Windows Application log:
Faulting application name: svchost.exe_WDSServer, version: 6.3.9600.16384, time stamp: 0x5215dfe3
Faulting module name: MSVCR100.dll, version: 10.0.40219.1, time stamp: 0x4d5f034a
Exception code: 0xc0000005
Fault offset: 0x000000000005f61a
Faulting process id: 0xae4
Faulting application start time: 0x01cec5d767184634
Faulting application path: C:\Windows\system32\svchost.exe
Faulting module path: C:\Program Files\Microsoft Configuration Manager\bin\x64\MSVCR100.dll

Note This problem affects only distribution points that are installed on site servers.

Issue 2

When operating system image files are downloaded to Configuration Manager 2012 R2 clients, you may find that the download takes longer than it did in previous versions of Configuration Manager 2012 clients. You may see this behavior when the target client is running Windows PE or a full Windows operating system.

For additional details and a link to a ConfigMgr 2012 R2 hotfix that resolves these issues please see the following:

KB2905002 - An update is available for the "Operating System Deployment" feature of System Center 2012 R2 Configuration Manager (http://support.microsoft.com/kb/2905002)

J.C. Hornbeck | Solution Asset PM | Microsoft GBS Management and Security Division



Now available for download: The System Center 2012 R2 Configuration Manager Toolkit


The Microsoft System Center 2012 R2 Configuration Manager Toolkit contains fifteen downloadable tools to help you manage and troubleshoot Microsoft System Center 2012 R2 Configuration Manager. The following list provides specific information about each tool in the toolkit.

Note: Items with an * are new in the R2 Toolkit and require Microsoft System Center 2012 R2 Configuration Manager for full functionality.

Server Based Tools

  • * DP Job Manager - A tool that helps troubleshoot and manage ongoing content distribution jobs to Configuration Manager distribution points.
  • * Collection Evaluation Viewer - A tool that assists in troubleshooting collection evaluation related issues by viewing collection evaluation details.
  • * Content Library Explorer - A tool that assists in troubleshooting issues with and viewing the contents of the content library.
  • Security Configuration Wizard Template for Microsoft System Center 2012 R2 Configuration Manager - The Security Configuration Wizard (SCW) is an attack-surface reduction tool for the Microsoft Windows Server 2008 R2 operating system. Security Configuration Wizard determines the minimum functionality required for a server's role or roles, and disables functionality that is not required.
  • Content Library Transfer – A tool that transfers content from one disk drive to another.
  • Content Ownership Tool – A tool that changes ownership of orphaned packages (packages without an owner site server).
  • Role-based Administration Modeling and Auditing Tool – This tool helps administrators to model and audit RBA configurations.
  • Run Metering Summarization Tool - The purpose of this tool is to run the metering summarization task to analyze raw metering data.


Client Based Tools

  • Client Spy - A tool that helps you troubleshoot issues related to software distribution, inventory, and software metering on System Center 2012 Configuration Manager clients.
  • Configuration Manager Trace Log Viewer – A tool used to view log files created by Configuration Manager components and agents.
  • Deployment Monitoring Tool - The Deployment Monitoring Tool is a graphical user interface designed to help troubleshoot Applications, Updates, and Baseline deployments on System Center 2012 Configuration Manager clients.
  • Policy Spy - A policy viewer that helps you review and troubleshoot the policy system on System Center 2012 Configuration Manager clients.
  • Power Viewer Tool – A tool to view the status of power management feature on System Center 2012 Configuration Manager clients.
  • Send Schedule Tool - A tool used to trigger a schedule on a client or trigger the evaluation of a specified DCM Baseline. You can trigger a schedule either locally or remotely.
  • Wakeup Spy – A tool that provides a view of the power state of Configuration Manager client computers and which operate as managers or manages.

For all the details and a download link, please see the following:

System Center 2012 R2 Configuration Manager Toolkit

J.C. Hornbeck | Solution Asset PM | Microsoft GBS Management and Security Division


List of the role-based administration permissions and permission groups in System Center 2012 Configuration Manager

If you’ve tinkered with security roles for role-based administration in System Center 2012 Configuration Manager, you might have noticed that there are a ton of permissions and permission groups involved. This is most evident when you copy a built...(read more)

System Center Updates Publisher 2011 Support Statement Update

System Center Updates Publisher 2011 and Windows Server 2012 R2 System Center Updates Publisher 2011 (SCUP) is supported for use on computers with Windows Server 2012 R2 with the following known limitations: 1. Windows Server 2012 R2 includes Windows...(read more)

Why wait? Get a jumpstart on mobile device management with Configuration Manager and Windows Intune today!

MDM… BYOD… acronyms for some of the hottest buzzwords in IT these days. As I’ve had a chance to talk with various customers over the last several months, it’s clear that organizations are embracing the bring-your-own-device philosophy...(read more)

A closer look at Internet Based Client Management in ConfigMgr 2012


~ Prabhat Joshi

Hello Everyone, Prabhat Joshi here with another Configuration Manager support tip for you, this time for Internet Based Client Management (IBCM) in System Center 2012 Configuration Manager (ConfigMgr 2012).

Internet Based Client Management allows you to manage Configuration Manager clients when they are not connected to your company network but still have a standard Internet connection. This arrangement has a number of advantages, including the reduced costs of not having to run virtual private networks (VPNs) and being able to deploy software updates in a timely manner.

Because of the higher security requirements of managing client computers on a public network, Internet Based Client Management requires that the site is using certificates. This ensures that connections to the management point, software update point and distribution points are authenticated by an independent authority, and that data to and from these site systems is encrypted using Secure Sockets Layer (SSL).

New supported scenarios

1. User policies are supported when the Internet based MP can authenticate the user by using Windows authentication.

2. Task Sequences are supported for simple scripts, however just like ConfigMgr 2007, deploying an OS over the Internet is still not supported.

3. Using Microsoft Update to download required software updates rather than from an Internet based DP in their assigned site is supported.

Unsupported scenarios

Not all client management functionality is appropriate for the Internet; therefore some features are not supported when clients are managed on the Internet. The features that are not supported for Internet management typically rely on Active Directory Domain Services or are not appropriate for a public network, such as network discovery and Wake-on-LAN (WOL).

The following features are not supported when clients are managed on the Internet:

- Client deployment over the Internet, such as client push and software update-based client deployment. Instead, use manual client installation.

- Automatic site assignment.

- Network Access Protection (NAP).

- Wake-on-LAN.

- Operating system deployment. However, you can deploy task sequences that do not deploy an operating system; for example, task sequences that run scripts and maintenance tasks on clients.

- Remote control.

- Out of band management.

- Software deployment to users, unless the Internet-based management point can authenticate the user in Active Directory Domain Services by using Windows authentication (Kerberos or NTLM). This is possible when the Internet-based management point trusts the forest where the user account resides.

Additionally, Internet-based client management does not support roaming. Roaming enables clients to always find the closest distribution points to download content. Clients that are managed on the Internet communicate with site systems from their assigned site when these site systems are configured to use an Internet FQDN and the site system roles allow client connections from the Internet. Clients non-deterministically select one of the Internet-based site systems, regardless of bandwidth or physical location.

Prerequisites for IBCM

- Clients and Site Systems supporting IBCM should have Internet Connectivity.

- Site systems that will support Internet-based client management must be in an Active Directory domain, but can be in a different Active Directory forest from the forest that contains the site server.

- You must have a supporting public key infrastructure (PKI) that can deploy and manage the certificates required by the clients that are managed on the Internet and by the Internet-based site system servers.

For more information see Planning for Communications in Configuration Manager at http://technet.microsoft.com/en-us/library/gg712701.aspx#BKMK_PrerequisitsForInternetClientMgmt.

The links below can help you in planning & configuring IBCM in your environment:

- Planning for IBCM: http://technet.microsoft.com/en-us/library/gg712701.aspx#Support_Internet_Clients

- Planning for Communications in Configuration Manager: http://technet.microsoft.com/en-us/library/gg712701.aspx

- Planning for Certificates: http://technet.microsoft.com/en-us/library/gg712284.aspx#BKMK_PlanningForCertificates

- PKI Certificate Requirements for Configuration Manager: http://technet.microsoft.com/en-us/library/gg699362.aspx

- Step by step deployment of certificates: http://technet.microsoft.com/en-us/library/gg682023.aspx

ConfigMgr client install scenarios for IBCM

Internet-only management: Such clients will always contact the FQDN of the Internet Management Point (MP). Below is an example command line used to install a client in this manner.

Ccmsetup.exe /usepkicert ccmhostname="FQDN of Internet MP" smssitecode="Site code" CCMALWAYSINF=1

Internet or Intranet management: Clients configured for this scenario will be able to contact the FQDN of either the Internet or the Intranet MP, depending on the network they are on (e.g. LAN or Internet). Note that workgroup clients do not support this scenario. Here’s a command line for this type of install:

Ccmsetup.exe /usepkicert smsmp="FQDN of Intranet MP" ccmhostname="FQDN of Internet MP" smssitecode="Site code"

See the article below to understand the purpose of switches used in both cases. You may add more of them depending upon your requirements.

How to Install Clients on Windows-Based Computers in Configuration Manager : http://technet.microsoft.com/en-us/library/gg712298.aspx

Basic things to check when troubleshooting IBCM client install & registration scenarios

- There should be a site system that will be used as an Internet Management Point. It should be published via public DNS. If there is only one site system that is a site server itself then you can still use it as an Internet MP.

- Under site properties, verify “Client computer communication -> client computer settings” and make sure that “Use PKI client certificate when available” is checked.

- For the site system that will act as an Internet MP, please make sure that correct URL has been specified under the Site System property “Specify an FQDN for this site system for use on the Internet”.

- In the Internet MP properties, make sure that HTTPS is enabled (checked), and depending upon your requirement, that either “Allow Internet-only connections” or “Allow Internet and Intranet connections” is checked.

- After the above is done, make sure that the web server certificate has the name of the Internet MP in the Subject Alternative Name. After you have done this, then bind this certificate in IIS and check MPcontrol.log to confirm the health of the MP.

Some common client registration issues

Symptoms: After installing a ConfigMgr 2012 agent on an IBCM client, the machine is unable to register with the Internet facing Management Point. The following errors can be seen:

Client machine log:

ClientIDmanagerstartup.log - Server rejected request 3

Server Side log:

MP_Registration.log - Registration hint is expired.
CCMValidateAuthHeaders failed (0x87d0029b) to validate headers for client 'GUID:xxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
MP Reg: Certificate is not valid, HR = 0x80092012, In-band Cert SubjectName = xxxxxxx.COM (NAME OF THE CLIENT MACHINE)

Cause: Error 0x80092012 reads “The revocation function was unable to check revocation for the certificate.” In this case:

- The CRL was neither published nor accessible from the client machine.
- Port 10123 was blocked on the hardware firewall in the internal network from the outside network.

Resolution:

First publish the CRL and verify that it can be accessed from the client. You can verify whether the CRL is accessible by running the following command:

Certutil -verify -urlfetch <cert name>.cer

If this shows that the CRL is not accessible, check the ports. You may notice that port 10123 is blocked.

Port 10123 is used by the Management Point to notify client computers about an action that it must take when an administrative user selects a client action in the Configuration Manager console, such as download computer policy or initiate a malware scan. If this is blocked, add the following as an exception to the Windows Firewall:

Outbound: TCP Port 10123

If this communication does not succeed, Configuration Manager automatically falls back to using the existing client-to-Management Point communication port of HTTP or HTTPS:

Outbound: TCP Port 80 (for HTTP communication)
Outbound: TCP Port 443 (for HTTPS communication)

======

Symptoms: After installing a ConfigMgr 2012 agent on an IBCM client, the machine is unable to register with the Internet facing Management Point. The following errors can be seen:

Locationservices.log

LSRefreshTrustedKeyInfo failed with error '0x87d00306'
Failed to refresh trusted key info with error '0x87d00306'
Failed to validate the certificate
'308205E8308204D0A00302010202….0D99AAFC70BB0999B548CD07' from management point 'abc.test.com'

Raising event:
instance of CCM_LocationServices_ManagementPointCertificate_CrossVerificationFailure

{
DateTime = "20130819094515.860000+000";
ManagementPoint = "abc.test.com";
ProcessID = 1608;
ThreadID = 2192;
};

Refreshed Certificate Information over HTTP
Failed to verify message. Could not retrieve certificate from MPCERT.
MPCERT requests are throttled for 00:04:59
Failed to send site information Location Request Message to abc.test.com
LSIsSiteCompatible : Client is Always on Internet. Unable to check compatibiliy of Site <SITE CODE>
LSRefreshSiteCode failed with error (0x8000ffff)

Cause: This can occur if the trusted root key on the client is incorrect or non-existent. Follow the steps below to verify whether the trusted root key exists:

1. On the Start menu, click Run, and then type Wbemtest.

2. In the Windows Management Instrumentation Tester dialog box, click Connect.

3. In the Connect dialog box, in the Namespace box, type root\ccm\locationservices and then click Connect.

4. In the Windows Management Instrumentation Tester dialog box, in the IWbemServices section click Enum Classes.

5. In the Superclass Info dialog box, select Recursive and then click OK.

6. In the Query Result window, scroll to the end of the list and then double-click TrustedRootKey ().

7. In the Object editor for TrustedRootKey dialog box, click Instances.

8. In the new Query Result window that displays the instances of TrustedRootKey, double-click TrustedRootKey=@

9. In the Object editor for TrustedRootKey=@ dialog box, in the Properties section, scroll down to TrustedRootKey CIM_STRING. The string in the right column is the trusted root key. Verify that it matches the SMSPublicRootKey value in the file <Configuration Manager directory>\bin\mobileclient.tcf.

If the key is not there, complete the resolution steps below.
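The same check as steps 1-9, scripted so it can be repeated across clients. This is an added example, not part of the original post: the function names are hypothetical, the key comparison is assumed to be case-insensitive, and the sample values are constructed rather than real keys.

```powershell
# Added example (not from the original post). Requires Windows PowerShell 3.0 or later.
# Reads the client's TrustedRootKey from WMI and compares it with the SMSPublicRootKey
# value in a copy of mobileclient.tcf taken from the site server.

function Get-TcfRootKey {
    # Return the SMSPublicRootKey value found in the lines of mobileclient.tcf, or $null.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\s*SMSPublicRootKey\s*=\s*(\S+)') { return $Matches[1] }
    }
    return $null
}

function Get-ClientTrustedRootKey {
    # The instance that the Wbemtest steps reach: class TrustedRootKey in
    # root\ccm\locationservices. Returns $null when the class has no instance.
    $inst = Get-CimInstance -Namespace 'root\ccm\locationservices' `
                            -ClassName 'TrustedRootKey' -ErrorAction SilentlyContinue
    if ($inst) { return ($inst | Select-Object -First 1).TrustedRootKey }
    return $null
}

function Compare-RootKey {
    # Classify the pair of keys. Assumption: hex strings compare case-insensitively.
    param([string]$ClientKey, [string]$SiteKey)
    if ([string]::IsNullOrWhiteSpace($SiteKey))   { return 'SiteKeyNotFound' }
    if ([string]::IsNullOrWhiteSpace($ClientKey)) { return 'ClientKeyMissing' }
    if ($ClientKey.Trim() -ieq $SiteKey.Trim())   { return 'Match' }
    return 'Mismatch'
}

function Test-ClientRootKey {
    # $TcfPath: a copy of <Configuration Manager directory>\bin\mobileclient.tcf.
    # Run this on the client whose registration is failing.
    param([Parameter(Mandatory)][string]$TcfPath)
    $siteKey   = Get-TcfRootKey -Lines (Get-Content -LiteralPath $TcfPath)
    $clientKey = Get-ClientTrustedRootKey
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Result   = Compare-RootKey -ClientKey $clientKey -SiteKey $siteKey
    }
}

# Offline demonstration on constructed values (these are not real keys and the
# file content is not a real mobileclient.tcf).
$sampleTcf = @(
    'SomeOtherSetting=1',
    '',
    'SMSPublicRootKey=0602000000A40000AABBCCDDEEFF00112233'
)
$siteKey = Get-TcfRootKey -Lines $sampleTcf

# Key present on the client, differing only in letter case.
Compare-RootKey -ClientKey $siteKey.ToLower() -SiteKey $siteKey
# No TrustedRootKey instance on the client: the case the article resolves by reinstalling.
Compare-RootKey -ClientKey $null -SiteKey $siteKey
# Client holds a key from a different site or hierarchy.
Compare-RootKey -ClientKey '0602000000A40000FFFFFFFFFFFFFFFFFFFF' -SiteKey $siteKey
```

On a live client, call `Test-ClientRootKey -TcfPath <path to the copied mobileclient.tcf>` from an elevated session.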

Resolution:

Uninstall the client using the ccmclean utility, then reinstall it, specifying the trusted root key, using the following command line:

ccmsetup.exe /usePKICert /NOCRLCheck CCMHOSTNAME=abc.test.com CCMALWAYSINF=1 SMSMP=https://abc.test.com SMSSITECODE=001

======

When multiple CAs are used to issue the Internet MP certificate and the client authentication certificates

CA1: Issuer of web server certificate for Internet MP.

CA2: Issuer of client certificate on IBCM clients.

After installing the client with the above mentioned command line, you may see this error on a client machine:

ClientIDManagerStartup.log:

Failed in GetCertificate(…): 0x87d00281

Error code 87d00281 means “No certificate matching criteria specified”

In order to resolve this, navigate to Client Computer Communication under Site Properties, go to Trusted Root Certification Authorities and click Set. After doing that, specify the self-signed cert of CA2 without its private key and click OK.

Then, restart ccmexec on the client machine and now it should be able to register.
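A triage helper for the three registration failures described above, as an added example that is not part of the original post: it scans log lines for the error codes the article names and reports the article's cause and next step for each. The function names are hypothetical and the sample log lines are constructed from the excerpts shown in the article.

```powershell
# Added example (not from the original post). Requires Windows PowerShell 3.0 or later.
# Only the three error codes discussed in the article are recognised; causes and
# next steps are the article's own.
$IbcmSignatures = @{
    '80092012' = @{
        Cause    = 'Revocation could not be checked for the certificate (CRL not published or not reachable).'
        NextStep = 'Publish the CRL, run "certutil -verify -urlfetch <cert name>.cer" on the client, then check TCP 10123.'
    }
    '87d00306' = @{
        Cause    = 'Trusted root key on the client is incorrect or missing.'
        NextStep = 'Compare TrustedRootKey in root\ccm\locationservices with SMSPublicRootKey in mobileclient.tcf; reinstall the client if it is absent.'
    }
    '87d00281' = @{
        Cause    = 'No certificate matching criteria specified (client certificates issued by a second CA).'
        NextStep = 'Add the CA2 certificate under Trusted Root Certification Authorities in the site properties, then restart ccmexec on the client.'
    }
}

function Find-IbcmRegistrationError {
    # Emit one object per recognised error code occurrence in $Lines.
    # Codes are matched with or without the 0x prefix, in either letter case.
    param([string[]]$Lines, [string]$Source = 'inline')
    $lineNo = 0
    foreach ($line in $Lines) {
        $lineNo++
        foreach ($m in [regex]::Matches($line, '(?i)\b(?:0x)?([0-9a-f]{8})\b')) {
            $code = $m.Groups[1].Value.ToLowerInvariant()
            if ($IbcmSignatures.ContainsKey($code)) {
                $sig = $IbcmSignatures[$code]
                [pscustomobject]@{
                    Source   = $Source
                    Line     = $lineNo
                    Code     = "0x$code"
                    Cause    = $sig.Cause
                    NextStep = $sig.NextStep
                }
            }
        }
    }
}

function Find-IbcmRegistrationErrorInFolder {
    # Scan every *.log file in a folder of collected client or MP logs.
    # $Path is supplied by the caller; no log location is assumed here.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Filter '*.log' | ForEach-Object {
        Find-IbcmRegistrationError -Lines (Get-Content -LiteralPath $_.FullName) -Source $_.Name
    }
}

# Offline demonstration on constructed lines modelled on the article's excerpts.
$sampleLines = @(
    'MP Reg: Certificate is not valid, HR = 0x80092012',
    "LSRefreshTrustedKeyInfo failed with error '0x87d00306'",
    "Failed to refresh trusted key info with error '0x87d00306'",
    'Failed in GetCertificate(...): 0x87d00281',
    'LSRefreshSiteCode failed with error (0x8000ffff)'   # not in the table, so ignored
)

# One entry per distinct code, even when a code repeats in the log.
Find-IbcmRegistrationError -Lines $sampleLines -Source 'constructed sample' |
    Sort-Object -Property Code -Unique |
    Format-List Code, Cause, NextStep
```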

Prabhat Joshi | Technical Lead | Microsoft


Karan Daftary’s Bio

Hi I am a Program Manager on the Mac team for System Center Configuration Manager. I graduated from Georgia Institute of Technology and joined Microsoft in 2013. Upon joining Microsoft I’ve had the opportunity to ship the VPN feature for System...(read more)

Mac OS X 10.9 Support for System Center 2012 R2 Configuration Manager Clients

Mac OS X 10.9 Support for the System Center 2012 R2 Configuration Manager Mac Client Mac OS X 10.9 is supported on System Center 2012 R2 Configuration Manager with the following known exception: USB devices on Mac computers cannot be inventoried...(read more)

Announcement: Configuration Manager Documentation Library Update for December 2013

The Documentation Library for System Center 2012 Configuration Manager has been updated on the web and the latest content has Updated: December 1, 2013 at the top of the topic. Downloadable versions will be available soon and announced on this blog...(read more)

HOTFIX: Applications that use dynamic variable lists are not installed in System Center 2012 R2 Configuration Manager


Consider the following scenario:

- You have an application that does not have the Allow this application to be installed from the Install Application task sequence action without being deployed option selected.

- You deploy a task sequence that uses the Install Application step and that has the Install the following applications option selected and referencing the application that is mentioned in step 1.

- Later, you make a change to the application and then click to select the Allow this application to be installed from the Install Application task sequence action without being deployed check box.

- You create a new task sequence or change the existing task sequence and then deploy the task sequence while the Install applications according to dynamic variable list option is selected.

In this scenario, the Install Application step of the new or changed task sequence does not run in Microsoft System Center 2012 R2 Configuration Manager, and applications that use dynamic variable lists are not installed.

For additional details and a link to a ConfigMgr 2012 R2 hotfix that resolves this issue, please see the following:

KB2913703 - Applications that use dynamic variable lists are not installed in System Center 2012 R2 Configuration Manager (http://support.microsoft.com/kb/2913703)

J.C. Hornbeck | Solution Asset PM | Microsoft GBS Management and Security Division


Support Tip: Cannot add or remove alerts on a collection after upgrading to ConfigMgr 2012 SP1 or R2


After upgrading to System Center 2012 Configuration Manager Service Pack 1 or System Center 2012 R2 Configuration Manager, you may discover that the 'Add' and 'Remove' buttons for the Conditions in the Alerts tab of a device collection are grayed out, thus no new conditions can be created or existing conditions removed or modified.

This can occur if the CAS, the primary site and any secondary sites are not yet upgraded as well. Until the CAS, the primary site and any secondary sites are all upgraded, the setting in the Alert tab cannot be changed. This is by design.

NOTE When the Mode value of the WMI class SMS_Site is non-zero, editing of the Alerts tab of Device Collections will be disabled. This class is located in the WMI namespace root\sms\site_<sitecode>. Possible values in this field range from 0-7, with 0 being a site that is in the status of 'Normal'.

SiteStatus = 1 is the CAS or the site is in maintenance mode.

SiteStatus = 2 means the site is in recovery.

SiteStatus = 3 means the site is upgrading.

SiteStatus = 4 means the site is running an Evaluation license that has expired.

SiteStatus = 5 means the site is in expansion mode (attaching the primary to a new CAS).

SiteStatus = 6 or 7 means not all of the sites (CAS, primaries or secondaries) have been upgraded.

Larry Mosley | Senior Escalation Engineer | Microsoft GBS Management and Security Division


HOTFIX: Automatic Deployment Rules do not work when you use specific proxy authentication on a site server that is running Microsoft System Center 2012 R2 Configuration Manager


Consider the following scenario:

- You have a primary site server that is running Microsoft System Center 2012 R2 Configuration Manager.

- You configure the software update point and the Windows Server Update Services (WSUS) role on the site server.

- You set up a proxy server that requires a user account for authentication.

- You set up a user account in site system properties for proxy authentication.

- You create and run Automatic Deployment Rules (ADR).

In this scenario, the update cannot be downloaded successfully. Additionally, an error message that resembles the following is logged in the PatchDownloader.log file:

Downloading content for ContentID = number, FileName = filename.cab. Software Updates Patch Downloader datetime 3872 (0x0F20)
Try username domain\username Software Updates Patch Downloader datetime 3204 (0x0C84)
Proxy enabled proxy server IPaddress:port Software Updates Patch Downloader datetime 3204 (0x0C84)
HttpSendRequest failed HTTP_STATUS_PROXY_AUTH_REQ Software Updates Patch Downloader datetime 3204 (0x0C84)
Download http://wsus.ds.download.windowsupdate.com/d/msdownload/update/software/crup/2013/09/filename.cab to C:\windows\TEMP\filename.tmp returns 407 Software Updates Patch Downloader datetime 3204 (0x0C84)
ERROR: DownloadContentFiles() failed with hr=0x80070197 Software Updates Patch Downloader datetime 3872 (0x0F20)

For additional details and a link to a ConfigMgr 2012 R2 hotfix that resolves this issue, please see the following:

KB2916611 - Automatic Deployment Rules do not work when you use specific proxy authentication on a site server that is running Microsoft System Center 2012 R2 Configuration Manager (http://support.microsoft.com/kb/2916611)
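To confirm that a failed ADR download matches this proxy-authentication signature rather than some other error, the log excerpt above can be triaged with a script. The following is an added example, not code from the original post or from Microsoft: it assumes log lines in the layout shown above (message, component name, date and time, thread ID), and the sample account, proxy address, file names and timestamps are constructed.

```python
import re

# Constructed sample in the layout of the excerpt above. The account, proxy
# address, file names and timestamps are made up for this example.
SAMPLE_LOG = r"""
Downloading content for ContentID = 1001, FileName = example.cab. Software Updates Patch Downloader 12/10/2013 10:15:01 3872 (0x0F20)
Try username CONTOSO\svc-proxy Software Updates Patch Downloader 12/10/2013 10:15:02 3204 (0x0C84)
Proxy enabled proxy server 192.0.2.10:8080 Software Updates Patch Downloader 12/10/2013 10:15:02 3204 (0x0C84)
HttpSendRequest failed HTTP_STATUS_PROXY_AUTH_REQ Software Updates Patch Downloader 12/10/2013 10:15:03 3204 (0x0C84)
Download http://example.invalid/example.cab to C:\windows\TEMP\example.tmp returns 407 Software Updates Patch Downloader 12/10/2013 10:15:03 3204 (0x0C84)
ERROR: DownloadContentFiles() failed with hr=0x80070197 Software Updates Patch Downloader 12/10/2013 10:15:03 3872 (0x0F20)
"""

# message, fixed component name, timestamp, decimal thread ID, hex thread ID
LINE = re.compile(
    r"^(?P<msg>.*?)\s+Software Updates Patch Downloader"
    r"\s+(?P<when>.+?)\s+(?P<tid>\d+) \(0x[0-9A-Fa-f]+\)$"
)

def decode_hresult(value):
    """Split an HRESULT into (failure bit, facility, code)."""
    return bool(value >> 31), (value >> 16) & 0x7FF, value & 0xFFFF

def find_proxy_auth_failures(text):
    """Return one record per download that failed with proxy status 407."""
    findings, ctx = [], {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m["msg"]
        if msg.startswith("Downloading content for ContentID"):
            ctx = {"content": msg, "account": None, "proxy": None, "http_407": False}
        elif msg.startswith("Try username "):
            ctx["account"] = msg[len("Try username "):]
        elif msg.startswith("Proxy enabled proxy server "):
            ctx["proxy"] = msg[len("Proxy enabled proxy server "):]
        elif "HTTP_STATUS_PROXY_AUTH_REQ" in msg or msg.endswith("returns 407"):
            ctx["http_407"] = True
        elif (hr := re.search(r"failed with hr=(0x[0-9A-Fa-f]{8})", msg)):
            failed, facility, code = decode_hresult(int(hr[1], 16))
            # 0x80070197: facility 7, low word 0x197 = 407, the same status
            # the preceding "returns 407" line reports.
            if failed and facility == 7 and code == 407 and ctx.get("http_407"):
                findings.append({**ctx, "hresult": hr[1], "when": m["when"]})
            ctx = {}
    return findings
```

Each finding names the account and proxy that were in use when the 407 was returned, which are the two settings to check in the site system properties before and after applying the hotfix.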

J.C. Hornbeck | Solution Asset PM | Microsoft GBS Management and Security Division


Announcement: Creating Custom Reports by Using SQL Server Views in System Center 2012 Configuration Manager Documentation

We are pleased to announce, in response to many customer requests, that the SQL Server Views documentation for System Center 2012 Configuration Manager is now available. This documentation is split into three sections: SQL Server Views in System...(read more)