Task sequences best practices Configuration Manager 2012

Microsoft has recently released a document series which contain best practices for task sequences with Configuration Manager 2012 R2. This series goes trough a step-by-step in all the different steps in a task sequence.

For all IT-pros working with task sequences I suggest taking a look at the document series here –> http://www.microsoft.com/en-us/download/details.aspx?id=43412

In other related news, my fellow MVP Kent Agerlund has released a new book (updated) for Configuration Manager 2012 R2 master the fundamentals, which you also should take a look at if you want to learn more –> http://www.amazon.co.uk/System-Center-2012-Configuration-Manager/dp/9187445085/ref=sr_1_1?ie=UTF8&qid=1404503771&sr=8-1&keywords=kent+agerlund

#configuration-manager-2012, #sccm, #system-center

XenApp & XenDesktop 7.5 released!

Today as promised, Citrix released XenApp & XenDesktop 7.5!
Which can be downloaded from mycitrix here – – –> http://bit.ly/1gXdots

This new release contains alot of new interesting features such as integration with SCCM for WoL and integration with Amazon for cloud provisioning (Azure will come later)

It also contains a new release of Storefront 2.5 which allows for SSO to web (Finally!)

You can take a closer look at the admin guide to read more about the new changes here –> http://citrix.edocspdf.com/media/output/en.xenapp-xendesktop.cds-xenapp-xendesktop-75-landing.pdf

#amazon, #sccm, #xenapp-7-5, #xendesktop-7-5

Status update: Book and NIC2014

So been a few hetical weeks! (Or should I say months)

My book has been released to most of the major online book resellers, its called

Microsoft System Center Configuration Manager High-Availability and Performance tuning

You can see it from Amazon here –> http://amzn.to/19Uid4q

I am also in the process of writing another book regarding Citrix Netscaler which will most likely be finished in Q2 2014 so really exited about that since I see few Netscaler book out there and hopefully with the latest changes in Netscaler my book has a place in that major gap.

Also im speaking in January at NIC (Nordic Infrastructure Conference) which is one of the largest IT-conference in the nordics. It mostly focuses on Microsoft technology (System Center, Hyper-V, Collabaration etc)

I have a session on thursday regarding Cross-platform monitoring using System Center, which will mostly focus on how to monitor different platforms such as Citrix, Vmware, Azure, Amazon and what other possibilities we have with Operations Manager. So for those that are attending NIC please drop by! Smilefjes

#book, #netscaler, #nic2014, #sccm

My little System Center book project!

For sometime now I have been occupied with my little book project, it has taken a lot of time from my blogging since it has been completely new territory for my part. But! it has been a unique learning experience and I think that I’ve never been this good a using Word… Ever!

A while back a publisher contacted me and asked if I was interested in writing a book for them, at first I thought nah… don’t have the time and capasity to finish this in time.. But after thinking about it a couple of days I thought when am I going to get this opportunity again ? Therefore I said yes! and fast forward a couple of months ahead and here I am with the finished product.

So allow me to introduce my little book

Configuration Manager 2012 High-availability and Performance Tuning

Microsoft SCCM High Availability and Performance Tuning


FThis is the first time I’ve ever written anything that was over 10 pages (Yes including school as well) and it has been a unique experience and I wish to thanks the publisher Packt www.packtpub.com who has given me this opportunity.

I also wish to thank my reviewers
Marius Skovli and Dragos Madarasan for good feedback in the review process.

#configmgr, #configuration-manager, #sccm, #sysctr, #system-center

Excalibur and Configuration Manager

Now Citrix released a beta build of Excalibur a couple of months ago, which shows the next generation of XenDesktop and XenApp architecture. (Well actually just XenDestkop, since the XenApp architecture is disappearing)
In addition, with this release we have some fancy choices for how to manage the machines within XenDesktop.

Excalibur will add additional WMI classes to all its desktop.
Which are listed here à


This allows you to create collections based upon if it’s VDI or Session host based, and even if it is assigned to a user or not.
Now in order to make these attributes available in Configuration Manager we have to add some WMI classes.

Go into Client Settings -> and alter the clients policy -> Go into hardware inventory and choose add classes. And from the list choose Add Hardware inventory class. From there you can browse to a remote computer that is installed as a VDA and in the namespace you can type \root\citrix\desktopinformation

And choose «Citrix_VirtualDesktopInfo»
Then Press OK

This will give you some more attributes on that WMI class

Which you can again use to create collections based on the variables.

Since Excalibur does not have any direct integration with for instance App-V you can now create user-based assignments to delivery groups.
So the user has multiple options of application deliveries.

Either via Software Portal and Configuration or Storefront with Citrix.

#citrix, #configmgr, #configuration-manager, #excalibur, #sccm, #system-center

Configuration Manager and hierarchy planning

With 2012 release of System Center Configuration Manager, planning and designing a hierarchy became a bit more difficult.
Not because of the limitations, but because of the huge mix of different possibilities you have.
For instance with the introduction of CAS role (Which sits on the top of the hierarchy and is used for management purposes of many primary sites) you have even more options of how to manage your infrastructure.

In addition, with SP1 you have even more options, for instance you can now have more than one SUP for a primary site. (Which you could not have before SP1) and that the CAS SUP now doesn’t need to sync directly with Windows Update as well) so this post is what factors you need to think of in terms of planning and how to manage the devices. In addition, for many which have multiple domains, trusted and untrusted, and in different forests and depending on how you want the flow of traffic to go it takes a lot of planning!

This post is meant as a guideline and might not always present the best options but just to show some possible examples of how you deploy Configuration Manager 2012 SP1.

Now first I am going to define how the hierarchy in Configuration Manager looks like.
In the first picture we have a stand-alone site (Primary Site) in the secondary picture we have a Primary site with two secondary sites.
In addition, in the last picture we have the CAS with three primary sites and with their secondary sites.

Source: http://i.technet.microsoft.com/dynimg/IC638818.gif

First I’m going to specify the limits of each hierarchy role:

CAS: (Does not process client data, and does not support clients assignments.
400.000 clients (If you use SQL Enterprise) 50,000 if you use standard.
25 Child Primary Sites
Asset Intelligence synchronization point (Can only be one in the hierarchy)
Endpoint Protection point (Can only be one in the hierarchy)
Reporting services point
Software update point
System Health Validator point
Windows Intune connector

Primary Site:
250 secondary sites
100,000 clients (50,000 clients if the SQL is installed on the same computer as the site server)
10,000 WES clients
50,000 Mac
Application Catalog web service point
Application Catalog website point
Asset Intelligence synchronization point (not if it’s a child primary site)
Distribution point
Fallback status point
Management point
Endpoint Protection point (not if it’s a child primary site)
Enrollment point
Enrollment proxy point
Out of band service point
Reporting services point
Software update point
State migration point
System Health Validator point
Windows Intune connector (not if it’s a child primary site)

Secondary Site: (Must be linked to a primary site, MP and DP are installed automatically, installs SQL Express if nothing else is available)
5,000 clients.
Distribution point
Management point
Software update point
State migration point

Software Update Point:
25,000 clients (That is installed on the same server as the site server 100,000 else)
After SP1 (Supports multiple SUP per Site)

Distribution Point:
4,000 clients
250 DP per Primary Site
250 DP per secondary site
10,000 packages and applications

Management Point:
25,000 clients
10,000 Mac computers
10 MP per primary site

Now there are some roles that cannot be deployed in a untrusted domain:
These are out of band service point and the Application Catalog web service point.

But always think simplicity, so if it is possible avoid the CAS role where it seems logical.

(1 domain) ( 1 location ) 1 Primary Site

Depending on how many clients you have in your infrastructure, but with one location and one domain this is only and easiest way to go ahead, for high-availability purposes you should have 2 of each system role and a clustered SQL server for the site server.

( 1 domain ) ( 2 locations) 1 Primary Site 1 Secondary Site (Slow link)
Lets for the purpose of this post say that you have 1 location where you have most of your infrastructure, you have one remote site with 200 clients which has a limited connection to the primary site, one secondary site on the remote location would be the best approach. Clients there would talk directly to the management point and the distribution point of the secondary site.

(1 domain) ( 2 locations) 1 Primary Site and 1 Distribution Point (Fast link for secondary site)
In this case we have also a remote location but we have a fast wan link so we don’t need a secondary site which has the agents and the applications and packages. Therefore, we have a distribution point at the remote location and clients communicate with a MP in the central location.

(1 domain) (2 locations) ( one small branch office )
I would recommend using branch cache on a distribution point and for the clients, when the first client requests content from the DP it will download it and cache it for other clients on the same subnet. This requires a DP installed with Branch cache.

NOTE: Remember that for a remote domain installation to work properly you would need to install the management point with an account that has access to the Configuration Manager database. You configure this during the installation of the Management Point.

( 2 domains untrusted forest ) ( 1 locations) 1 Primary Site in Primary (1 Management Point 1 Distribution Point)

Now we cannot install a primary or secondary site in a untrusted domain, we can only install user facing system roles in a untrusted domain. So therefore, we install a management point and a distribution point in the untrusted domain.
And we can also publish the site in AD for the untrusted domain as well.

( 2 domains trusted forest ) ( 1 location )

This depends on the number of clients but again a solution with a distribution point and a management point in the other domain could be a solution. In case there are too many clients, you would need to expand the hierarchy with a CAS and a primary site in each forest.

(Multiple domains untrusted) (Multiple domains)

Primary site or depending on how many clients. Use Primary Site in one domain (Pref the largest one) and deploy a distribution point and a management point in the other domains.

Here I will also link to some example hierarchy scenarios from Microsoft

Identify requirements to plan for a hierarchy

I would also recommend that you read Microsoft’s own hierarchy for their internal Configuration Manager solution

#configuration-manager, #sccm, #sccm-2012

Trouble with Application Catalog

Had some trouble with a case today that the application catalog would not start. When we opened the catalog they could not connect to the catalog service and got this error message. According to the error message it could not connect to the application service.


If we checked the service with ConfigMgr console we can see that Application Catalog Web Point has status Critical


So when we checked the latest events for that components.


As we can see here WCF is not activated, so make sure that WCF is installed,


So after the component in installed try to reinstall the Application Portal Catalog point and it should work Smile

#configmgr, #sccm

Configuration Manager 2012 Client Communication & Hardware Planning

Now Configuration Manager is a complex beast, when designing a ConfigMgr site you have to plan carefully your network because there is going to be a lot of traffic going back and forth from your servers to your clients, and from your servers to your other servers. So you have to take some considerations on how many clients and how many distribution points you are going to have for your site, also depending on what kind of features you are going to use.

Now before we start with the networking part, let’s review the supported configuration and hardware requirements.

25 child primary sites.
400.000 clients

Primary Site:
250 secondary sites.
100,000 clients
10,000 devices running windows embedded
10 Management Points
250 Distribution Point
1 Fallback Status Point
Multiple Application Catalog Website Point

Secondary Site:
5,000 clients
1 Management Point

Management Point:
25,000 clients

Fallback Status Point:
100,000 clients

Distribution Point:
4,000 clients

Software Update Point:
25,000 clients

Application Catalog Website Point:
400,000 clients

Application Catalog Web Service Point:
400,000 clients

And as you can see this can lead up to a VERY complex setup if you have a large setup. Microsoft has also deployed Configuration Manager on their own computers

And Microsoft also have made a good Hardware Requirement for list.

You can read more about it here –> http://bit.ly/S3fRJB

Clients searches for a management point by using the following options in the order specified:

  1. Management point (If specified by agent installation)
  2. Active Directory Domain Services
  3. DNS

Now when an agent connects to a MP it makes a list of all the Management Point which is within the Boundary and if the client has PKI certificate installed it makes a priority list over all
MP’s that has HTTPS enabled.
Now let’s start with the client communication to the servers. There are 3 ports that are the common used
Port 443 HTTPS = Used to communicate with a management point over HTTPS
Port 445 SMB = Used to communicate
Port 80 = Used to contact the Fallback status point
New with SP1! Port 10123 = Client Notification, to start or initiate an malware or policy update/scan
Port 9 UDP = Wake on Lan
You can see more about the port requirements for ConfigMgr here –> http://technet.microsoft.com/en-us/library/hh427328.aspx
Now clients connect to a distribution point either via HTTP or HTTPS using BITS. Now in order to limit the usage of network you have to specify a client setting for BITS.
Here we can define the bandwidth usage and throttling time.


You can also specify BITS settings in Group Policy. You need to remember that you have to plan on what features that you are going to use.
If you are using Software Metering, Software Inventory, Baselines & Compliance, Hardware Inventory etc. So there is a lot of feature that can generate a lot of traffic.

#configmgr, #configuration-manager-2012, #sccm, #system-center

SCCM and Windows Embedded

Configuration Manager SP1 will come with support for managing Windows Embedded. This will open a new world for managing thin clients.
Dell Wyse has also announced that they will come with a integration possibility with their own device manager to allow for more management possibilities outside Windows on the thin clients.
This will include support for the following Windows Embedded editions.

  • Embedded Operating Systems based on Windows XP (32-bit) includes the following:
    • Windows XP Embedded
    • Windows Embedded for Point of Service
    • Windows Embedded Standard 2009
    • Windows Embedded POSReady 2009
  • Embedded operating systems based on Windows 7 (32-bit) includes the following:
    • Windows Embedded Standard 7 (32-bit)
    • Windows Embedded POSReady 7 (32-bit)
    • Windows ThinPC
  • Embedded operating systems based on Windows 7 (64-bit) includes the following:
    • Windows Embedded Standard 7 (64-bit)
    • Windows Embedded POSReady 7 (64-bit)

And for Wyse’s part there are a lot of different clients to choose from. http://www.wyse.com/products/cloud-clients/firmware/WES
But in a Citrix environment, I’m guessing most are going for thinOS.

Now there are some things you need to remember when deploying an SCCM agent and with Endpoint Protection to an Windows Embedded.
And that is Write filters. These write filters take all writes and redirects it from the disk to ram to a space called «overlay” this way, all changes made to the system will be wiped when rebooted.
So in this case if we installed the agent and the system does a reboot the agent is gone!

With SP1, Configuration Manager can automatically temporarily disable these write filters before installing the agent and then activating them again.

So when you are creating custom policies for a Windows Embedded Computer Collection.
Endpoint Protection:

  • Install Endpoint Protection client on client computers
  • For Windows Embedded devices with write filters, commit Endpoint Protection client installation (requires restart)
  • Allow Endpoint Protection client installation and restart to be performed outside maintenance windows

Microsoft has also created an scenario for deploying ConfigMgr SP1 to Windows Embedded.

So what else can be done with this ? users typically use a thin clients and a Citrix connection, use the XenApp connector on ConfigMgr and get full control of the applications that are published out to the users! Smile

#dell-wyse, #sccm, #windows-embedded

Configuration Manager 2012 silent install

To run the Setup Downloader from command promt

setupdl \\MyServer\MyShare\ConfigMgrUpdates

  • /VERIFY: Use this option to verify the files in the download folder, which include language files. Review the ConfigMgrSetup.log file in the root of the C drive for a list of files that are outdated. No files are downloaded when you use this option.
  • /VERIFYLANG: Use this option to verify the language files in the download folder. Review the ConfigMgrSetup.log file in the root of the C drive for a list of language files that are outdated.
  • /LANG: Use this option to download only the language files to the download folder.
  • /NOUI: Use this option to start Setup Downloader without displaying the user interface. When you use this option, you must specify the download path as part of the command-line.

Setup Downloader starts, verifies the files in the \\MyServer\MyShare\ConfigMgrUpdates folder, and downloads only the files that are missing or newer than the existing files.

To run the prerequisites downloader from command prompt 

  1. Open a command prompt and browse to <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64 or <ConfigMgrInstallationPath>\SMSSETUP\BIN\X64.

  2. Type prereqchk.exe /LOCAL to open Prerequisite Checker and run all prerequisite checks on the server.


To install the ConfigMgr 2012 console unattended from command prompt.

consolesetup.exe /q TargetDir=»D:\Program Files\ConfigMgr» EnableSQM=0 DefaultSiteServerName=MyServer.Contoso.com

To install a ConfigMgr 2012 Primary Site

First of you need to create a setup.ini file where you need to define a lot of variables. For a Primary site these are the ones you need.
After you have created this file you need to start the setup with the following command. setup.exe /script scriptpathandname

Content of the setup.ini file



SiteCode=<Site Code>
SiteName=<Site Name>
SMSInstallDir=<ConfigMgr install folder path>
SDKServer=<FQDN for SDKServer>
PrerequisitePath=<Prereqs folder path>
ManagementPoint=<FQDN MP server>
DistributionPoint=<FQDN DP server>
AdminConsole=1 (0 is you don’t want to install the console)

SQLServerName=<FQDN SQL server machine>
DatabaseName=<SQLServerName\InstanceName> (leave blank for the default instance)


Now last but not least, unattended install of SQL server 2012.

/SQLSVCACCOUNT=»<DomainName\UserName>» /SQLSVCPASSWORD=»xxxxxxxxxxx»

So next time I will start with PowerShell automation with ConfigMgr

Updated with ADK install since you need this for SP1

Install Windows ADK silent

 Feature     Identifier
Application Compatibility Toolkit (ACT)     OptionId.ApplicationCompatibilityToolkit
Deployment Tools                                               OptionId.DeploymentTools
Windows (Windows PE)                                    optionId.WindowsPreinstallationEnvironment
User State Migration Tool                                 OptionId.UserStateMigrationTool

adksetup /quiet /installpath <path> /features <featureID1><featureID2>

adksetup /quick/ installpath C:\programfiles\adk /features OptionId.ApplicationCompatibilityToolkit OptionId.DeploymentTools optionId.WindowsPreinstallationEnvironment OptionId.UserStateMigrationTool

#configmgr-2012, #sccm, #system-center