Advanced adventures with the sccm 2012 security model and how to get by them…

wow, I think this is probably the longest title I ever used over here, but I wanted to draw attention to it anyway…

I will try to explain here (since I went for the public forum without much useful info) some issues I had when implementing the security model in a very strict environment

let’s start by describing the environment first:

the environment (all in the same AD dom & forest) consists of a central branch and about 15 other branches. most of the content and the overall structure and management of the environment will be done centrally, but in each branch you will have people that can also add new content, create collections and so on

we will stick with 1 Primary site with only DPs for the branches

we have a good naming convention where the branch name is put first in every collection and content, so eg: CET package 1 would be a package that must be available for everyone, whereas 100 package 1 would be a package that will be only available to the people of branch 100 (i’m trying to explain as basic as I can) – so this is useful to define scopes in cm12!

the content they get to see can thus be: centralized content accessible for everyone and their own content (so if I am the IT guy in branch 100, I cannot see (or worse: delete) content that was made in branch 200)

so basically security wise in cm12 this comes to creating 2 new custom roles : 1 for helpdesk people of the branch and 1 for the IT guys of the branch

then I created a scope for the central branch and one for each branch.

issue 1: how to use collection limiting in this environment?

remember: the branch guys must see the central collections AND their own collections.

I cannot give them access to the all systems collection, that would break things

solution: I created a new empty collection, lets say GLOBAL with limiting collection set to all systems.

then for every collection I want everyone to see/manage, I set the GLOBAL collection as limiting and not the all systems (this can be done with powershell)

(so the administrative user will get access to the global collection and his own decentral systems collection, thats all)
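As an added example (not code from the original post), this is the PowerShell step the author alludes to: every device collection that follows the central naming convention and is still limited directly to All Systems gets repointed to the GLOBAL collection. It talks to the SMS Provider through WMI; the site server name, site code and collection names are placeholders to adapt, and it runs in report-only mode until you drop -WhatIf.

```powershell
# Added example: repoint "central" collections from All Systems to the GLOBAL collection.
# Assumptions (placeholders): provider host, site code, the GLOBAL collection name and the
# "CET " prefix of the naming convention described in the post.
param(
    [string]$SiteServer    = 'sccm.network.int',   # host of the SMS Provider (placeholder)
    [string]$SiteCode      = 'P01',                # site code (placeholder)
    [string]$GlobalName    = 'GLOBAL',             # the empty "everyone" collection from the post
    [string]$CentralPrefix = 'CET ',               # naming-convention prefix of central content
    [switch]$WhatIf                                # report only, change nothing
)

$ns           = "root\sms\site_$SiteCode"
$allSystemsId = 'SMS00001'   # well-known CollectionID of the built-in All Systems collection

# Resolve the GLOBAL collection (device collections have CollectionType=2) and load all of its properties.
$global = Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Class SMS_Collection `
          -Filter "Name='$GlobalName' AND CollectionType=2"
if (-not $global) { throw "Collection '$GlobalName' not found in $ns on $SiteServer" }
$global.Get()
if ($global.LimitToCollectionID -ne $allSystemsId) {
    Write-Warning "'$GlobalName' is limited to $($global.LimitToCollectionID); the post expects it to be limited to All Systems ($allSystemsId)"
}

# Candidate collections: device collections whose name starts with the central prefix.
$candidates = Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Class SMS_Collection `
              -Filter "Name LIKE '$CentralPrefix%' AND CollectionType=2"

foreach ($col in $candidates) {
    if ($col.CollectionID -eq $global.CollectionID) { continue }   # never repoint GLOBAL itself
    $col.Get()                                                      # make sure LimitToCollectionID is populated
    if ($col.LimitToCollectionID -ne $allSystemsId) { continue }    # already limited to something else
    Write-Host ("{0} ({1}): limiting collection {2} -> {3}" -f $col.Name, $col.CollectionID, $col.LimitToCollectionID, $global.CollectionID)
    if (-not $WhatIf) {
        $col.LimitToCollectionID = $global.CollectionID
        [void]$col.Put()   # commit the change through the provider
    }
}
```

Run it once with -WhatIf and compare the list with what the branch administrators should be able to see: a branch user whose role only grants the GLOBAL collection and the branch's own collection will not see anything that is still limited to All Systems.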

issue 2: how to use scoping in this environment?

remember: the branch guys must see the central content AND their own content.

solution: each branch scope must be set on ALL content you want them to see (do not give someone two security scopes)

by doing it this way, if the decentral guy creates new content, the proper security for his location will be added directly
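An added example (not from the original post) of applying that scoping rule in bulk with the ConfigMgr 2012 R2 cmdlets: central objects receive the central scope plus every branch scope, branch objects receive only their own scope, so a user who holds a single branch scope sees central content and branch content and nothing else. Site code, prefixes and scope names are placeholders; it assumes the scopes already exist and that Add-CMObjectSecurityScope is available in your console's module.

```powershell
# Added example: assign security scopes to packages, applications and device collections
# by naming-convention prefix. Assumptions (placeholders): site code, branch list, scope names.
param(
    [string]$SiteCode         = 'P01',
    [string]$CentralPrefix    = 'CET',            # content every branch must see
    [string[]]$Branches       = @('100', '200'),  # one scope per branch, named after the branch
    [string]$CentralScopeName = 'CET'             # scope the central administrators work with
)

# The ConfigurationManager module ships next to the console binaries.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Push-Location "$($SiteCode):"
try {
    # Scope plan: central objects carry the central scope AND all branch scopes; branch objects
    # carry only their branch scope. Users get exactly one scope each, as the post recommends.
    $plan = @{ $CentralPrefix = @($CentralScopeName) + $Branches }
    foreach ($b in $Branches) { $plan[$b] = @($b) }

    # Fetch everything once and filter client-side on the naming convention.
    $all = @(Get-CMPackage) + @(Get-CMApplication) + @(Get-CMDeviceCollection)

    foreach ($prefix in $plan.Keys) {
        $objects = $all | Where-Object {
            ($_.Name -like "$prefix *") -or ($_.LocalizedDisplayName -like "$prefix *")
        }
        foreach ($obj in $objects) {
            $label = if ($obj.LocalizedDisplayName) { $obj.LocalizedDisplayName } else { $obj.Name }
            foreach ($scope in $plan[$prefix]) {
                # The scope may already be present on the object; that case is not an error we care about.
                Add-CMObjectSecurityScope -InputObject $obj -Name $scope -ErrorAction SilentlyContinue
                Write-Host ("{0,-45} <- scope {1}" -f $label, $scope)
            }
        }
    }
}
finally { Pop-Location }
```

Objects that carry no prefix from the plan keep whatever scope they have (normally Default), which is exactly what keeps them invisible to the branch roles; re-run the script after branch people create new content to confirm their objects picked up the branch scope.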

issue 3: how to import a computer if one doesn’t have the default scope?

security wise in cm12 for this to happen the user must have the collection: read, modify and modify resource permissions and also the site: read and import computer information permissions (those were set in one of the new security roles)

BUT: since the decentral guys will not have the default scope, they CANNOT import a device!

solution: you need to give on the administration/site node also access to the non standard security scopes

issue 4: decentral IT guys cannot distribute content to a dp

the users security role already has the necessary permissions DP: copy to distribution point, DP Group: copy to distribution point group, but they do not see ANY DP

(also because they don’t have the default security scope)

solution: you must go to administration/distribution point and add the non standard scope (next to the default one which was already there) to one or more DPs.

issue 5: delegating the create collection privilege

the users security role already has the necessary permissions collection: CREATE but still he/she could not create a new collection?

solution: it seems you also need the permission MANAGE Folder

nice but this one creates a new hurdle to overcome: the user will be able to create new folders but also delete existing ones (so I cannot use this)

workaround: we created a device collection folder “_template collections” with one empty collection for each branch (where the limiting collection is already set). So all they have to do is copy their own template collection (they will probably only see one because of the collection limiting), rename it and move it to the appropriate folder, done!


Conclusion: if you are trying to accomplish some advanced security privileges in CM12, don’t give up too soon!


Ps: this is also a subject in one of my advanced SCCM 2012 trainings that should go on schedule later this year

July 10, 2014

Revision history vs dependencies vs APP-V 5 client

discovered an odd thing today…

in an SCCM 2012 SP1 environment we had the client installation of APP-V 5 SP2 + update 2 already running for quite a while

recently the installation always failed initially, but on the second attempt it worked.

as the deployment was made available this is quite annoying.

there are many ways already described on the WWW how you can install the APP-V 5 client with its dependencies, so I’m not going to say which is best.

initially what we did is create an application for .NET Framework 4, one for WMF 3, one for KB2533623 and one for KB2758857 (which is the replacement of KB2533623). Then we created another application for APP-V 5 SP2 and another for hotfix 2.

dependencies were set up this way: WMF3 dependent on .NET Framework 4, KB2533623 and KB2758857 dependent on WMF3, APPV5 hotfix 2 dependent on APPV 5 SP2, this to make sure that the dependencies would be installed in the proper order

as only one of the hotfixes needs to be present (2533623 OR 2758857) they are placed in the same dependency group:

(screenshot: the dependency group containing KB2533623 and KB2758857)

create separate deployment types for X86 and x64 for the applications WMF, 2533623, 2758857, appv5 SP2 and appv 5 SP2 hf2

so if you check the dependency relationship on APPv5 SP2 HF 2 you will get something like:

(screenshot: the dependency relationship of APP-V 5 SP2 HF2)

OK, now back to the problem of the day…

the installation chain of the APP-V sequence was always failing on the first attempt, why?

upon looking through the appintenteval.log I saw that somehow the chain was trying to detect .net framework 4, while in the dependencies the .net framework 4.5.1 was set

last week the customer decided that .net framework 4.5.1 was the new standard, so created a new application for it and superseded .net framework 4 by .net framework 4.5.1

ok, sounds reasonable to me, but why is the installation of APP-V streams still trying to do something with .net framework 4 ?

the key is revision history -> upon displaying the references column in the console, we could see that there were still 9 references that depended upon .net framework 4, but those references were still pointing to an old revision of the dependent applications.

after cleaning up old revisions, the installation of the APP-V stream from software center worked again as designed!
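An added example (not from the original post) of the clean-up that fixed this: for every application it lists the revisions that are no longer current and, when run with -Remove, deletes them. A revision that another application's dependency still points at cannot be deleted, and the script reports those instead of hiding them, which is the list of references you would otherwise have to find through the console's references column. Cmdlet names and the -Revision/-Force parameters are those of the ConfigMgr 2012 R2 module; the site code is a placeholder.

```powershell
# Added example: list (and optionally delete) non-current application revisions.
# Assumptions: ConfigMgr 2012 R2 cmdlets; site code and name filter are placeholders.
param(
    [string]$SiteCode   = 'P01',
    [string]$NameFilter = '*',      # e.g. '*.NET*' to look at the framework applications only
    [switch]$Remove                 # without it the script only reports
)

Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Push-Location "$($SiteCode):"
try {
    $apps = Get-CMApplication | Where-Object { $_.LocalizedDisplayName -like $NameFilter }

    $report = foreach ($app in $apps) {
        $name    = $app.LocalizedDisplayName
        $history = @(Get-CMApplicationRevisionHistory -Name $name)
        # IsLatest marks the current revision; everything else is history.
        $old = $history | Where-Object { -not $_.IsLatest }

        foreach ($rev in $old) {
            $status = 'old revision (kept)'
            if ($Remove) {
                try {
                    Remove-CMApplicationRevisionHistory -Name $name -Revision $rev.CIVersion -Force -ErrorAction Stop
                    $status = 'removed'
                }
                catch {
                    # Typically: another application's dependency or supersedence rule still
                    # references this revision, the situation described in the post above.
                    $status = "NOT removed: $($_.Exception.Message)"
                }
            }
            [pscustomobject]@{
                Application = $name
                Revision    = $rev.CIVersion
                Current     = $app.CIVersion
                Status      = $status
            }
        }
    }

    $report | Sort-Object Application, Revision | Format-Table -AutoSize
}
finally { Pop-Location }
```

Run it without -Remove first; the "NOT removed" lines after a second run with -Remove are the dependencies you have to re-point to the current revision (edit and save the dependency in the dependent application's deployment type) before the old revision can go.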

May 13, 2014

App-V 5 and Office 2013 import: Database error when importing into the AppV Mgmt Server

After creating an Office 2013 package, generated with the current Office Deployment Tool for Click-to-Run (ODT) version (24/02/2014), the import in the App-V Management Server fails.

App-V 5 package import error (Office 2013)

There were problems interacting with the database on the server.  The error was: String or binary data would be truncated.
The statement has been terminated.

Applying the latest hotfix for the management server didn’t fix this issue.

I created and imported several Office 2013 packages before, but never had this issue. The only difference between them is that this package contains not only Office 2013 ProPlus, but also Project & Visio and four languages. This results in a huge file name and package name.

After opening the package for Update Edit with the AppV Sequencer, and shorten the Package Name the import went fine!
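To spot this before the import fails, here is an added example (not from the original post) that reads the package name and display name out of each .appv file and sorts the result by length. It assumes, as is the case for App-V 5 packages, that an .appv file is a zip container with AppxManifest.xml at its root using the appx 2010 manifest namespace; the folder path is a placeholder. No maximum length is hard-coded because the post does not name the column limit; the longest names are simply listed first.

```powershell
# Added example: report name lengths of App-V 5 packages (.appv) in a folder.
# Assumptions: .appv = zip with AppxManifest.xml at the root; folder path is a placeholder.
param([string]$Folder = 'C:\AppV\Packages')

Add-Type -AssemblyName System.IO.Compression.FileSystem   # .NET 4.5+ ZipFile class

function Get-AppvNameLength {
    param([string]$Path)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $entry = $zip.GetEntry('AppxManifest.xml')
        if (-not $entry) { throw "No AppxManifest.xml found in $Path" }

        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { [xml]$manifest = $reader.ReadToEnd() } finally { $reader.Dispose() }

        # The manifest uses a default namespace, so register it for XPath.
        $ns = New-Object System.Xml.XmlNamespaceManager($manifest.NameTable)
        $ns.AddNamespace('a', 'http://schemas.microsoft.com/appx/2010/manifest')
        $name    = $manifest.SelectSingleNode('/a:Package/a:Identity/@Name', $ns).Value
        $display = $manifest.SelectSingleNode('/a:Package/a:Properties/a:DisplayName', $ns).InnerText

        $file = Split-Path $Path -Leaf
        [pscustomobject]@{
            File              = $file
            FileNameLength    = $file.Length
            NameLength        = $name.Length
            DisplayNameLength = $display.Length
            DisplayName       = $display
        }
    }
    finally { $zip.Dispose() }
}

Get-ChildItem -Path $Folder -Filter *.appv -Recurse |
    ForEach-Object { Get-AppvNameLength -Path $_.FullName } |
    Sort-Object DisplayNameLength -Descending |
    Format-Table File, FileNameLength, NameLength, DisplayNameLength, DisplayName -AutoSize
```

The packages at the top of the list (an Office 2013 ProPlus + Project + Visio package with four languages will be there) are the ones to shorten with "Update Edit" in the Sequencer before importing.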

Conclusion

This issue reminds me of an old Softgrid issue : http://blogs.technet.com/b/appv/archive/2011/02/03/error-code-0000c800-when-trying-to-import-a-package-on-the-app-v-management-server.aspx

The Office Deployment Tool should make our life easier. But in the real world it generates packages with names that are too long to import into the Management Server.

/Ben

April 11, 2014

SCCM 2012 R2: Deploy Console Hotfix kb2905002 as an application

If you are not able, or don’t want to use SCUP as a solution to install the console hotfix, you could make an application of the hotfix instead. With this solution, you only need to deploy the hotfix application, and the console will be fully installed. Below, I will explain all the necessary steps.

1. You need to create an application for .NET Framework 4. (this is necessary for the console)
Create a DeploymentType with commandline: dotNetFx40_Full_x86_x64.exe /q /norestart /ChainingPackage ADMINDEPLOYMENT
For detection method, use the following:
(screenshot: detection method for .NET Framework 4)

No requirements or dependencies needed.

2. You need to make an application of the SCCM 2012 R2 console. Use adminconsole.msi & consolesetup.exe as sourcefiles.
The sourcefiles for the Adminconsole are located on the Primary Site Server in the Configuration Manager installation folder under Tools\ConsoleSetup.
Create a new application.

(screenshot: Create Application wizard)
Enter general info for the app. Press next until you need to configure Deployment Types. Click Add.
Select Script Installer.
(screenshot: selecting the Script Installer deployment type)
Select a content location for the sourcefiles and specify the install cmd: consolesetup.exe /q TargetDir=C:\ConfigMgrConsole EnableSQM=0 DefaultSiteServerName=sccm.network.int
Uninstall cmd: Consolesetup /uninstall /q

For the detection method, use windows installer with the adminconsole.msi
(screenshot: Windows Installer detection method using adminconsole.msi)
Create a dependency with the dotnet 4 application.
(screenshot: dependency on the .NET Framework 4 application)

3. Create an application of the Console hotfix.

Use Configmgr2012adminui-r2-kb2905002-i386.msp as sourcefile.

Installation program: msiexec.exe /p configmgr2012adminui-r2-kb2905002-i386.msp /L*v %TEMP%\configmgr2012adminui-r2-kb2905002-i386.msp.LOG /q REINSTALL=ALL REINSTALLMODE=mous

uninstall cmd: Consolesetup.exe /uninstall /q

For detection method, use the following:
(screenshot: detection method for the console hotfix)

Create a dependency for the SCCM 2012 R2 console app, made in the previous step. This one needs to be installed before the hotfix is applied.
(screenshot: dependency on the SCCM 2012 R2 console application)

Make sure you distribute all the content to your Distribution Points. Now you can deploy the Console application hotfix, made in step 3. The system will check if the R2 console has been installed along with Netfx4. After that, it will apply the hotfix.

You can easily check the version of CreateTsMediaAdm.dll on the destination pc, to make sure the hotfix has been applied. Browse to the installation folder of the console: .\Bin\I386\CreateTsMediaAdm.dll
(screenshot: file version of CreateTsMediaAdm.dll)
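The same version check, as an added example that is not part of the original post, in a form you can run against a workstation or use as a script detection method for the hotfix application. The console path defaults to the TargetDir used in the install command above; the minimum version is a placeholder you fill in with the file version the patched DLL shows on a known-good machine.

```powershell
# Added example: verify the console hotfix by the file version of CreateTsMediaAdm.dll.
# Assumptions: console path matches the TargetDir from the post; MinimumVersion is a placeholder.
param(
    [string]$ConsolePath     = 'C:\ConfigMgrConsole',
    [version]$MinimumVersion = '0.0.0.0'   # placeholder: file version of the DLL after the hotfix
)

function Get-DllFileVersion {
    param([string]$Path)
    # Build the version from the numeric parts; FileVersion as a string may contain extra text.
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Test-ConsoleHotfix {
    param([string]$Path, [version]$Minimum)
    $dll = Join-Path $Path 'Bin\I386\CreateTsMediaAdm.dll'
    if (-not (Test-Path -LiteralPath $dll)) {
        return [pscustomobject]@{ Dll = $dll; Installed = $false; Version = $null; Compliant = $false }
    }
    $v = Get-DllFileVersion -Path $dll
    [pscustomobject]@{ Dll = $dll; Installed = $true; Version = $v; Compliant = ($v -ge $Minimum) }
}

$result = Test-ConsoleHotfix -Path $ConsolePath -Minimum $MinimumVersion

# As an application detection method, write something to stdout only when compliant:
# output + exit code 0 means "installed", no output means "not installed".
if ($result.Compliant) {
    Write-Output "Console hotfix present: $($result.Dll) is version $($result.Version)"
}
exit 0
```

Run interactively, $result also tells you whether the console is missing altogether (Installed = $false), which is the case the dependency on the console application in step 3 is meant to handle.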


March 27, 2014

App-V 5 Error publish connection groups

While synchronizing packages from the App-V 5.0 server, I encountered some issues with connection groups.

Sync-AppvPublishingServer : There were errors encountered when trying to publish connection groups from the server.
Operation attempted: RefreshPublishingServer.
AppV Error Code: 070000000F.
Please consult AppV Client Event Log for more details.

(screenshot: the Sync-AppvPublishingServer error)

The errors above don’t say much, but here is an entry from the Event Log:

The connection group {xxx} version {xxx} could not be published because the virtual COM settings of the individual packages conflict. 
Verify that the virtual COM settings are the same for all member packages and try again.
Error code: 0x8E90070A – 0x3000F

OK, now we are getting somewhere!

After verifying the User and Deployment XML’s, there was a clear difference in the virtual COM settings of both packages.

XML files package #1:

<COM Mode="Isolated">
  <IntegratedCOMAttributes OutOfProcessEnabled="true" InProcessEnabled="false" />
</COM>

XML files package #2:

<COM Mode="Integrated">
  <IntegratedCOMAttributes OutOfProcessEnabled="true" InProcessEnabled="true" />
</COM>

Aha!

By editing both XML files to reflect the settings in package #2 it should be resolved .. In my dreams, the error remains.

After changing the following line in both Deployment and User XML files:

<Objects Enabled="false" />

(was set to "true" in package #1).

After setting the virtual COM settings in both packages the connection group was loaded from the App-V 5.0 server as it should!
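Checking this by eye across several DeploymentConfig and UserConfig files is error-prone, so here is an added example (not from the original post) that extracts the COM mode, the IntegratedCOMAttributes and the Objects setting from each package's XML and reports every setting on which the member packages disagree. The two XML fragments inside it are constructed samples modelled on packages #1 and #2 above; for real packages load the files with [xml](Get-Content path) instead. Elements are matched by local name so that the different default namespaces of DeploymentConfig and UserConfig files do not matter.

```powershell
# Added example: compare virtual COM / Objects settings across App-V connection-group members.
# The sample XML below is constructed for illustration, not taken from real package files.

function Get-AttrOrNull {
    param([System.Xml.XmlNode]$Node, [string]$Attribute)
    if ($Node) { $Node.GetAttribute($Attribute) } else { $null }
}

function Get-AppvComSettings {
    param([xml]$Config, [string]$Label)
    # local-name() ignores the namespace, so DeploymentConfig and UserConfig parse the same way.
    $com  = $Config.SelectSingleNode("//*[local-name()='COM']")
    $attr = $Config.SelectSingleNode("//*[local-name()='IntegratedCOMAttributes']")
    $obj  = $Config.SelectSingleNode("//*[local-name()='Objects']")
    [pscustomobject]@{
        Package             = $Label
        ComMode             = Get-AttrOrNull $com  'Mode'
        OutOfProcessEnabled = Get-AttrOrNull $attr 'OutOfProcessEnabled'
        InProcessEnabled    = Get-AttrOrNull $attr 'InProcessEnabled'
        ObjectsEnabled      = Get-AttrOrNull $obj  'Enabled'
    }
}

function Compare-AppvComSettings {
    param([object[]]$Settings)
    foreach ($p in 'ComMode', 'OutOfProcessEnabled', 'InProcessEnabled', 'ObjectsEnabled') {
        $distinct = @($Settings | ForEach-Object { "$($_.$p)" } | Sort-Object -Unique)
        if ($distinct.Count -gt 1) {
            [pscustomobject]@{
                Setting = $p
                Values  = ($Settings | ForEach-Object { "$($_.Package)=$($_.$p)" }) -join ', '
            }
        }
    }
}

# Constructed sample: package #1 (Isolated COM, Objects enabled)
$pkg1 = [xml]@'
<DeploymentConfiguration xmlns="http://schemas.microsoft.com/appv/2010/deploymentconfiguration">
  <UserConfiguration><Subsystems>
    <COM Mode="Isolated"><IntegratedCOMAttributes OutOfProcessEnabled="true" InProcessEnabled="false" /></COM>
    <Objects Enabled="true" />
  </Subsystems></UserConfiguration>
</DeploymentConfiguration>
'@

# Constructed sample: package #2 (Integrated COM, Objects disabled)
$pkg2 = [xml]@'
<DeploymentConfiguration xmlns="http://schemas.microsoft.com/appv/2010/deploymentconfiguration">
  <UserConfiguration><Subsystems>
    <COM Mode="Integrated"><IntegratedCOMAttributes OutOfProcessEnabled="true" InProcessEnabled="true" /></COM>
    <Objects Enabled="false" />
  </Subsystems></UserConfiguration>
</DeploymentConfiguration>
'@

$settings  = @((Get-AppvComSettings -Config $pkg1 -Label 'package #1'),
               (Get-AppvComSettings -Config $pkg2 -Label 'package #2'))
$settings | Format-Table -AutoSize

$conflicts = @(Compare-AppvComSettings -Settings $settings)
if ($conflicts.Count -gt 0) { $conflicts | Format-Table -AutoSize }
else { 'No virtual COM / Objects differences between the member packages.' }
```

With the samples as written the report lists ComMode, InProcessEnabled and ObjectsEnabled as conflicting; after aligning both packages' XML (as done above) it prints the "no differences" line, and only then is the connection group worth publishing again.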

/Ben

Good read about this issue:

Roel Beijnes: http://ictworkspace.wordpress.com/2013/03/14/microsoft-app-v-5-connectiongroups-and-errors/

January 14, 2014

App-V 5.0 SP2 Client and the pain to upgrade

Microsoft released the long awaited SP2 for the App-V 5.0 client. With new features like better integration with the local OS (shell extensions!), the possibility to sequence some dependencies like MsXML and Visual C++ run times. A welcome change with this release is that the volume license editions of Office 2013 Standard and Professional, Visio 2013 Std & Pro and Project 2013 Std & Pro are supported! Many customers will look at App-V 5.0 again!

It’s time to deploy the new App-V client to workstations!

As I’m always trying to get my hands on the MSI’s to deploy software, the first thing I did was getting and extracting the sources. Once I had played around with the MSI’s I decided to take a walk to consider things, throw the MSI’s gently in the bin and install the EXE wrapper instead!! The next step was to find the required configuration parameters and finally deploy to workstations.

Prepare the sources

Get the App-V Client 5.0 SP2 binaries from the MDP ISO and extract the contents from it.

APPV_CLIENT_SETUP.EXE /Layout /LayoutDir=c:\temp

This will extract all the MSI’s from the EXE. The result is the App-V Client MSI and the all language pack(s) available.

(screenshot: the extracted App-V 5.0 SP2 client MSI’s)

I’m only interested in the English version, I will install only one language pack.

(screenshot: the language pack MSI’s)

Install the App-V client (MSI) and language packs

Command-line to install the App-V client:

msiexec /i appv_client_MSI_x64.msi /qn /NORESTART AcceptEULA=1 /L*v "LogPath\appv5SP2_client_MSI_x64.log"

English Language Pack:

msiexec /i "appv_client_LP_enus_x64.msi" /qn /NORESTART AcceptEULA=1 /L*v "LogPath\appv5SP2_appv_client_LP_enus_x64.log"

So far so good!

Issues with upgrading SP1 to SP2

A clean SP2 client installation works fine by using the MSI’s, but upgrading a previous version gave nothing but errors.

(screenshot: error loading an application after the App-V 5.0 SP2 upgrade)

Sync-AppvPublishingServer : CoCreateInstance() failed

 Get-AppvClientPackage : CoCreateInstance() failed. The Microsoft Application Virtualization Service may not have been started. Please verify that the service is running.

It’s clear that the AppV service wasn’t running, but I wasn’t able to get it up and running again.

Reinstalling the AppV Client with the EXE wrapper solved this issue! … So I decided to use the default EXE wrapper instead.

Install the App-V client (EXE)

I’m using these setup parameters against the AppV client installer.

APPV_CLIENT_SETUP.EXE /q /ACCEPTEULA /CEIPOPTIN=0 /MIGRATIONMODE=1

/ENABLEPACKAGESCRIPTS=1 /S1PUBLISHINGSERVERNAME=AppV5PubServer

/S1PUBLISHINGSERVERURL=http://myServer:someport

/S1GLOBALREFRESHENABLED=1 /S1GLOBALREFRESHONLOGON=1 /S1USERREFRESHENABLED=1

/S1USERREFRESHENABLED=1 /S1USERREFRESHONLOGON=1

/Log "<myLogPath>\appv5SP2_client_EXE_x64.log"

Don’t forget the /AcceptEULA parameter: apart from the line "Initializing string variable 'ACCEPTEULA' to value '0'" in the log file, all you will get is a meaningless error:

Exit code: 0x68e

But this silent install gave the same error when upgrading an SP1 App-V Client!

All things considered, I gave up and ended up with a manual installation of APPV_CLIENT_SETUP.EXE :-S

Luckily I had only some POC workstations with AppV client 5.0 SP1 installed! For new installations the MSI’s did the job.
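An added example (not from the original post) that wraps the EXE install above and then verifies the client is really usable, so that the CoCreateInstance() failure is caught by the deployment rather than by the first user. It treats exit code 0x68e as the missing-EULA case from the log, checks the App-V client service, and runs a publishing sync. The setup path, server name/URL and log path are placeholders; the service name AppVClient is assumed for the App-V 5 client service.

```powershell
# Added example: install the App-V 5.0 SP2 client with the EXE wrapper and verify the result.
# Assumptions (placeholders): Setup path, publishing server name/URL, log path; service name assumed.
param(
    [string]$Setup         = 'C:\Source\APPV_CLIENT_SETUP.EXE',
    [string]$PubServerName = 'AppV5PubServer',
    [string]$PubServerUrl  = 'http://myServer:someport',
    [string]$LogPath       = "$env:TEMP\appv5SP2_client_EXE_x64.log",
    [string]$ServiceName   = 'AppVClient'      # assumed service name of the App-V 5 client
)

# Same switches as the post; ACCEPTEULA is the one that must never be left out.
$switches = @(
    '/q', '/ACCEPTEULA', '/CEIPOPTIN=0', '/MIGRATIONMODE=1', '/ENABLEPACKAGESCRIPTS=1',
    "/S1PUBLISHINGSERVERNAME=$PubServerName", "/S1PUBLISHINGSERVERURL=$PubServerUrl",
    '/S1GLOBALREFRESHENABLED=1', '/S1GLOBALREFRESHONLOGON=1',
    '/S1USERREFRESHENABLED=1', '/S1USERREFRESHONLOGON=1',
    "/Log `"$LogPath`""
)

$proc = Start-Process -FilePath $Setup -ArgumentList $switches -Wait -PassThru
switch ($proc.ExitCode) {
    0     { Write-Host 'Setup finished with exit code 0.' }
    0x68e { throw "Setup returned 0x68e: check $LogPath for 'ACCEPTEULA' (the EULA was most likely not accepted)." }
    default {
        throw ('Setup failed with exit code 0x{0:x} ({0}); see {1}' -f $proc.ExitCode, $LogPath)
    }
}

# Verification 1: the client service must exist and run; this is what was broken after the SP1 -> SP2 upgrade.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) { throw "Service '$ServiceName' not found: the client is not installed." }
if ($svc.Status -ne 'Running') {
    Start-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $svc.Refresh()
    if ($svc.Status -ne 'Running') {
        throw "Service '$ServiceName' is not running: same state as the failed upgrade in the post (CoCreateInstance() failed)."
    }
}

# Verification 2: the client cmdlets must be able to talk to the service and sync the publishing server.
Import-Module AppvClient -ErrorAction Stop
$null = Get-AppvClientPackage -ErrorAction Stop
Get-AppvPublishingServer | Sync-AppvPublishingServer -ErrorAction Stop
Write-Host 'App-V client installed, service running, publishing sync OK.'
```

Deploy it as the install program of the application and use the exit code (a throw gives a non-zero exit) to make a broken upgrade show up as a failed deployment instead of a "successful" install with a dead service.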

Configuration

With the deployment of the SP1 client, I used a PowerShell script to configure the client. There are also ADMX templates available to deploy with GPO’s and the MSI/EXE installers accept switches to configure the client.

Conclusion

My intention was to blog about the deployment of the App-V Client 5.0 SP2 using the MSI installer. But it became a total failure, I’m publishing this post just to start a discussion and maybe to find a solution over time.

/Ben


December 6, 2013

HELP – I have the infamous error 80091007 during a task sequence!

In my previous post on the error 2148077575, I already mentioned that my top 1 most feared error in SCCM is the 80091007.

I decided to list all causes that I have either personally experienced or found on other sources

In most cases you will not get the error all the time -> god help you !

First thing to do is to update the package that is reported by the error.  If this still fails you can recreate the package.  If this still fails, it may not be a package problem…

It happens only on physical machines? In an environment where the sccm server is running on ESX 5.1 it seems you can have problems because of the E1000 NIC on ESX 5.1 – you should change it to VMXNET3 and the problem will go away.

It happens only behind some switches? Check if portfast is enabled and jumbo frame is enabled.

It happens on only one machine ? you might have bad RAM!

Is there anything special in the IIS logs? Maybe the problem is a blocked file extension or filtering rule !

Try disabling the antivirus on the SCCM server (or at least have the appropriate exclusions for SCCM in place)

If multicast fails, try with unicast

It only happens if your OS image size is bigger than 10 GB?


quite a long list of causes, isn’t it? feel free to comment if you have gotten this error but caused by something else!

October 12, 2013

Error during Task Sequence: 2148077575

It’s been a while since my last post, not that I have been sitting in a quiet corner…

I want to share an experience I got last week with the error 2148077575 during testing with an MDT integrated Task Sequence in SCCM 2012 SP1.

as I found using the logfiles (thank god we have them – I know many of you hate having so much logfiles…) this error in my case was caused by three different things:

- during the Task Sequence the sccm client cache became too small to be able to download an application (so I increased the cache to solve this one)

- detection method problem when installing oracle. the detection method was set on the presence of the folder c:\oracle. the thing is that I saw a timing problem. the folder c:\oracle only appeared when the next application started to install. (I created a package of oracle instead)

- return code 1 during an application installation, although the installation AND detection both were ok (still figuring out how to solve this, but I set return code 1 for that app as success temporarily)

So this error code 2148077575 is now in my top 3 of most hated and headache-causing sccm problems, right after the feared 80091007 !

October 12, 2013

Sms writer service does not exist or is not running

Last week I noticed that the SMS_Site_backup component was marked with the red error icon, so I examined what could be wrong.

the description of the component (message id: 5045): site backup could not find the SMS writer in the list of writers provided by the VSS. followed by another error (message id: 5060): site backup failed. error: gatherwritermetadata failed. please see smsbkup.log

ok, so what does the smsbkup.log tell us?

(screenshot: smsbkup.log)

at the same time the event 4354 is logged in the application event log:

(screenshot: event 4354 in the application event log)

the first check would be to verify if the service SMS_Site_VSS_writer is running? Yes, it was!

second check would be to verify if the SMS writer is still listed in VSS (use the commandline vssadmin list writers) ?

Hey, it’s not there!

apparently if you restart the service SMS_Site_VSS_writer it will list itself again and the backup will also start again…

but that solution is not something we want to do every day, do we?

so I decided to create a status filter rule with the following configuration:

(screenshot: status filter rule, general settings)

(screenshot: status filter rule, actions running startbackup.cmd)

the startbackup.cmd script contains this:

net.exe stop "SMS_SITE_VSS_WRITER" && net.exe start "SMS_SITE_VSS_WRITER"
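As an added example (not from the original post), here is the same repair in PowerShell, but conditional: it only restarts the service when the SMS writer is really absent from the VSS writer list, and it confirms the writer came back afterwards. It assumes the writer appears in the output of vssadmin list writers as 'SMS Writer'; the service name is the one from the post. vssadmin needs an elevated prompt.

```powershell
# Added example: restart SMS_SITE_VSS_WRITER only when the SMS writer is missing from VSS.
# Assumption: the writer is listed by vssadmin as 'SMS Writer'. Run elevated.

function Get-VssWriterNames {
    # Parse the "Writer name: 'X'" lines of 'vssadmin list writers'.
    $output = & vssadmin.exe list writers 2>&1
    foreach ($line in $output) {
        if ("$line" -match "Writer name:\s*'(.+)'") { $Matches[1] }
    }
}

function Repair-SmsWriter {
    param(
        [string]$WriterName  = 'SMS Writer',            # assumed display name of the writer
        [string]$ServiceName = 'SMS_SITE_VSS_WRITER',   # service name from the post
        [int]$WaitSeconds    = 10                       # time for the writer to re-register
    )
    $before = @(Get-VssWriterNames)
    if ($before -contains $WriterName) {
        return "'$WriterName' is listed by VSS; nothing to do."
    }

    Restart-Service -Name $ServiceName -Force -ErrorAction Stop
    Start-Sleep -Seconds $WaitSeconds

    $after = @(Get-VssWriterNames)
    if ($after -contains $WriterName) {
        return "'$WriterName' re-registered after restarting $ServiceName."
    }
    throw "'$WriterName' still missing after restarting $ServiceName; check the application event log (event 4354) and smsbkup.log."
}

Repair-SmsWriter
```

Used as the status filter rule's program instead of startbackup.cmd, the throw gives a non-zero exit code, so a restart that did not bring the writer back is visible rather than silently followed by another failed backup.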


June 3, 2013

Service Pack 1 released for App-V 5.0

April 10, 2013