CU4 for ConfigMgr 2012 R2 has been released

An update (CU4) was released yesterday, Feb 2, 2015, for System Center Configuration Manager 2012 R2 that replaces Cumulative Update 3 (CU3).

This update addresses many distribution related issues, some minor OSD issues, a few critical site issues, some minor client bugs, some MDM fixes, and some SUP fixes.

Also, there have been some additions to the PowerShell cmdlets: fixes to existing ones as well as 34 new ones, such as:

  • Add-CMDeploymentTypeDependency which adds a deployment type as a dependency to a dependency group.
  • Add-CMDeploymentTypeSupersedence which sets one deployment type to supersede another.
  • Get-CMDeploymentTypeDependency which gets existing dependent deployment types from a dependency group.
  • Get-CMQuery which gets a query.

Some optimizations have been made to reduce latency and optimize the data replication in large hierarchies.

Lastly, the Endpoint Protection client has been updated to match the version currently being distributed.

You can find more information here:

Jason Condo
Principal Consultant

Microsoft to start blocking out of date ActiveX controls in Internet Explorer

As we all know, some of the most obvious paths into a system through the browser are out-of-date ActiveX controls like old versions of Java and Flash, among others. While many enterprises may still need to run old versions of Java for a line-of-business app that they just can’t get upgraded, this leaves their users and systems vulnerable to malware written to take advantage of those old, unpatched versions. I had a customer not too long ago that had to have the older Java 1.6 for a time keeping system. Every time I would go in and review their SCEP logs I would see Java vulnerabilities at the top of the list and many systems infected to the point that they had to be reimaged.

Microsoft has recognized this and is implementing a patch to Internet Explorer 8 and newer that identifies known out-of-date ActiveX controls (from a definition file hosted at Microsoft) and, if the site is not in the Local Intranet or Trusted Sites zone, displays a notification bar telling the user that the ActiveX control has been blocked and that they should upgrade it to the latest version. IT Pros will be able to manage this experience, as well as make sure their line-of-business applications are in the correct zones. To aid in this, there are new ADM templates available so that GPOs can be created to configure it.

While Microsoft was looking to implement the blocking functionality this week, we have some reprieve: based on feedback heard from the community, Microsoft provided an update yesterday that it will initially just warn on old ActiveX controls for 30 days before the blocking goes into effect. This gives IT Pros like you about 30 days to address this. While you can read more in Microsoft’s announcement, I see a few options available to you:

Upgrade or replace your application to work with the latest ActiveX control

I am pretty sure this will not be the immediate option, since this most likely requires budget, time, and resources to implement before the deadline, and I have seen approvals for projects take longer than that. This is the best option though, since it only takes one system infected through a vulnerability to bring an enterprise down.

Look to moving your applications into the proper security zones in IE

I have worked with many customers who did not know how to manage security zones in IE (or even why it was important) and opened their Internet zone up to enable their line-of-business apps/websites to run. I feel this is worse than any outdated ActiveX issue, since every bit of code on the web gets the same open access the LOB app did. I recommend that if you aren’t familiar with zones, make an effort to learn them and use them. Then look to moving your outdated application to a zone that allows it to run.
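Before moving an application between zones it helps to know where IE currently puts it. The script below is an added example (not from the original post) that reads the explicit site-to-zone mappings from the registry and checks that a given line-of-business site is in Local Intranet or Trusted Sites; it assumes the standard ZoneMap\Domains layout under HKCU and HKLM, does not read IP-range mappings, and uses 'timekeeping.example.com' as a constructed placeholder.

```powershell
# Added example, not from the original post: lists which IE security zone each
# explicitly mapped site falls into, so line-of-business sites can be confirmed
# to sit in Local Intranet (1) or Trusted Sites (2) before blocking begins.
# Assumptions: the standard ZoneMap\Domains registry layout under HKCU (per user)
# and HKLM (used when zones are locked to machine settings); IP-range mappings
# under ZoneMap\Ranges are not read. 'timekeeping.example.com' is a constructed
# placeholder for a line-of-business site.

$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

function Get-IEZoneAssignment {
    [CmdletBinding()]
    param(
        # Also read the machine-wide map, not only the current user's
        [switch]$IncludeMachine
    )
    $roots = @{ User = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains' }
    if ($IncludeMachine) {
        $roots['Machine'] = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    }
    foreach ($scope in $roots.Keys) {
        $root = $roots[$scope]
        if (-not (Test-Path -Path $root)) { continue }
        # Each key under Domains is a domain, an optional subkey is a host label
        # inside it, the value name is the scheme (http, https, ftp or *) and the
        # DWORD data is the zone id.
        foreach ($key in (Get-ChildItem -Path $root -Recurse)) {
            $parts  = @($key.Name -split '\\')
            $start  = [Array]::IndexOf($parts, 'Domains') + 1
            $labels = @($parts[$start..($parts.Count - 1)])
            [Array]::Reverse($labels)            # registry stores the domain first, the host label below it
            $site = $labels -join '.'            # domain-level entries appear without a host label
            foreach ($scheme in $key.GetValueNames()) {
                $zoneId = [int]$key.GetValue($scheme)
                [pscustomobject]@{
                    Scope  = $scope
                    Site   = "${scheme}://$site"
                    ZoneId = $zoneId
                    Zone   = $ZoneNames[$zoneId]
                }
            }
        }
    }
}

function Test-LobSiteZone {
    # $true only when every mapping recorded for this exact host is Local Intranet or Trusted Sites
    param(
        [Parameter(Mandatory = $true)][string]$Site,
        [switch]$IncludeMachine
    )
    $hits = @(Get-IEZoneAssignment -IncludeMachine:$IncludeMachine | Where-Object { $_.Site -like "*://$Site" })
    if ($hits.Count -eq 0) {
        Write-Warning "$Site has no explicit zone mapping for this host; IE will zone it by its automatic rules."
        return $false
    }
    $outside = @($hits | Where-Object { $_.ZoneId -ne 1 -and $_.ZoneId -ne 2 })
    foreach ($h in $outside) { Write-Warning "$($h.Site) is in $($h.Zone) ($($h.Scope) scope)" }
    return ($outside.Count -eq 0)
}

Get-IEZoneAssignment -IncludeMachine | Sort-Object Scope, Site | Format-Table -AutoSize
Test-LobSiteZone -Site 'timekeeping.example.com' -IncludeMachine
```

Run it as the user whose IE settings matter; with "Security Zones: Use only machine settings" enforced, the Machine scope is the one that counts.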

Temporarily block the IE update

If you already manage your IE settings and manage updates to your systems, you may have the ability to prevent the update from installing. While this is definitely a short-term workaround, it would at least prevent the blocking aspect of the patch from taking effect until you have had time to implement a zones workaround or an application upgrade. This is technically feasible, but I have not tried it to verify.

Use a different browser

While I see this happening more and more because of other compatibility issues with IE, this is an option if you are dead set on keeping that old application and cannot move it to an appropriate security zone or manage it. This still may not be an option because many of those older apps were written to work with older versions of IE as well.

Whatever you choose, I wish you well in keeping your line-of-business apps working and hopefully this is a step from Microsoft towards a safer surfing experience for your users.

System Center 2012 R2 Preview released (with Server 2012 R2 also!)

If you are eager to get your hands on the latest release from the System Center suite, Microsoft has released System Center 2012 R2 for preview today. That is more commonly referred to by its components: Configuration Manager (SCCM, ConfigMgr), Operations Manager (SCOM, OpsMgr), Virtual Machine Manager (SCVMM), Service Manager (SCSM), Data Protection Manager (SCDPM), and Orchestrator (SCORCH). With it you can choose to get your hands on Server 2012 R2 as well. I will be blogging more on this later as I get the bits installed and start playing with the many new features, but I wanted to get you the information for downloading the preview now.

Here is an excerpt from the System Center team blog on the announcement:

Windows Server 2012 R2 and System Center 2012 R2 provide a wealth of new advancements to help IT organizations build and deliver private and hybrid cloud infrastructure for their businesses.  Some of the highlights include:

  • Enabling hybrid cloud – Windows Server Hyper-V and System Center enable virtual machine portability across customer, service provider and Windows Azure clouds, while a new System Center Management Pack for Windows Azure enhances cross-cloud management of virtual machine and storage resources.  Windows Azure Backup and Hyper-V Recovery Manager provide offsite backup and disaster recovery options.
  • Windows Azure Pack provides Windows Azure technology that enterprises and services providers can run on their Windows Server infrastructure for multi-tenant web and virtual machine cloud services. 
  • Built-in software-defined networking – Site-to-Site VPN Gateway helps customers seamlessly bridge physical and virtual networks and extend them from their datacenter to service provider datacenters. 
  • High performance, cost effective storage – Features such as Storage Spaces Tiering, VHDX resizing and de-duplication for virtual desktop infrastructure provide high performance for critical on-premises workloads (like SQL and Hyper-V) using lower-cost, industry-standard hardware.
  • Empowering employee productivity – Windows Server Work Folders, Web App Proxy, improvements to Active Directory Federation Services and other technologies will help companies give their employees consistent access to company resources on the device of their choice.

Jason Condo
Principal Consultant

Cumulative Update 2 (CU2) for System Center Configuration Manager (ConfigMgr) 2012 SP1 is available


For those of you running ConfigMgr 2012 SP1 and still having some minor issues (or major, depending on the business criticality of the function), Microsoft has released a hotfix (CU2) to help address them. I do not believe this requires you to have installed CU1 first.

This update just bundles a number of fixes discovered by MS in support of SP1. Some of the things addressed in this update are:

  • Administrator Console – issues adding site servers and screen reader software enhancement
  • APP-V – errors with 2007 migrations and cert errors
  • OSD – app installs in task sequences, custom ports issues, limited functionality with WinPE 3.1 images, multicast functionality
  • Asset Intelligence – fixed a report for more accurate data
  • MDM – fixed mobile 6.5 client issue
  • Software distribution – fixed the waiting for content forever issue, content status issues during upgrades, and status routing for DPs
  • Non-Windows support – added more OSs supported
  • Site Systems – fixed some status messages and filtering, site server installs, fixed AD discovery with deltas
  • ConfigMgr SDK – object error on 64 bit systems for CPapplet.CPAppletMgr Automation object
  • Client – fixed automatic client updates error
  • CU Setup wrapper – now can update all in one instead of separately, better logging


More information on the above items and the hotfix can be found here:

Jason Condo
Principal Consultant

Importing ConfigMgr 2007 task sequences XML to ConfigMgr 2012 ZIP

With the new 2012 import/export functionality, the new file format is a “.zip” file. This compressed file contains not only the task sequence XML but can also include any dependencies of the task sequence, like a boot image. While this is awesome for migrating between a test and a production ConfigMgr 2012 environment, it does not help if you are trying to import task sequences from a disconnected 2007 environment.

In my consulting practice, we do a lot of OSD implementations using a base set of task sequences that we already have pre-configured. Once at a customer, we customize our base templates for the specific project and then export the XML or ZIP to the project documentation. Well, today I was at a client that we had previously done work for; they had already performed a 2012 upgrade and removed their old 2007 environment. However, they had not migrated any of the OSD and were looking for us to re-implement OSD in their new environment. Instead of importing our canned OSD for 2012 and then customizing it for their needs, we wanted to use the customized 2007 task sequences we had implemented for their old environment. The first problem, however, was that the only copy of those was the archived XML from the project files we had left them. The second is that you can’t import that XML through the 2012 console. Not to worry though, we can still make it work.

The 2012 exports are just compressed files full of the resources, some configuration files, and then the task sequence XML. This 2012 task sequence XML is not the same as the old 2007 format, but we are able to insert the 2007 XML into the appropriate spot to make it useful. This saved us a lot of time recreating the old TS logic. The following is a quick example of how this works.

Start with a 2012 exported task sequence. This is in .ZIP format.

Export a Configuration manager 2012 task sequence

task sequence exported to .zip

Once exported, open the zip file, navigate to the task sequence folder and copy out the object.xml.

open the object.xml file

Open the object.xml file and you will see a lot of new XML; however, scrolling almost to the end of the file you will find a section with embedded task sequence XML.

look for the embedded task sequence xml

This XML is the same task sequence XML as you have in a normal exported task sequence from 2007; however, you need to be sure to grab only the appropriate XML nodes and not the whole exported task sequence. To do so, in the old 2007 XML, copy the nodes and data from the sequence XML node:

<sequence version="3.00">
copy the 2007 task sequence xml

and paste it into the object.xml in the CDATA section in the 2012 XML replacing the existing embedded sequence node:

paste the xml into the 2012 task sequence

You don’t have to worry about the text/line formatting. Save the file and then copy it back into the .ZIP file. You can then import the ZIP file into your 2012 environment and adjust your referenced objects accordingly. This is great when you have a master task sequence of custom tasks and you would just like the ability to copy/paste them into your new 2012 task sequences. One thing to remember is that your old task sequences were built on the package/program model for software installs. If you are leveraging the new application model (which you should be), you will have to recreate those specific tasks anyway.
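The same splice can be scripted so the edit is repeatable and refuses to run when the layout is not what the post describes. This is an added example, not the author’s own tooling: it works on the raw text of object.xml (all that is known is that the embedded node sits in a CDATA section), assumes one object.xml and one embedded <sequence> node in the .zip, and the paths in the usage line are constructed placeholders.

```powershell
# Added example, not from the original post: automates the edit above by
# swapping the <sequence> node from a 2007 export into the CDATA-embedded
# sequence in the 2012 export's object.xml and writing it back into the .zip.
# It works on the raw text, since all the post tells us is that the node sits
# in a CDATA section near the end of the file, and it assumes one object.xml
# and one embedded <sequence> node (an export of a single task sequence).
# Paths in the usage line are constructed placeholders.

function Get-SequenceNode {
    param([Parameter(Mandatory = $true)][string]$XmlText)
    # Outermost <sequence ...> ... </sequence> span; (?s) lets '.' span line breaks
    $match = [regex]::Match($XmlText, '(?s)<sequence\b.*</sequence>')
    if (-not $match.Success) { throw 'No <sequence> node found in the supplied XML.' }
    return $match
}

function Merge-TaskSequenceXml {
    param(
        [Parameter(Mandatory = $true)][string]$ObjectXml2012,   # text of object.xml from the 2012 export
        [Parameter(Mandatory = $true)][string]$Export2007Xml    # text of the 2007 task sequence export
    )
    $newSequence = (Get-SequenceNode -XmlText $Export2007Xml).Value
    $old         = Get-SequenceNode -XmlText $ObjectXml2012
    $before      = $ObjectXml2012.Substring(0, $old.Index)
    # Refuse to edit unless the embedded node really is inside an open CDATA section
    $cdataOpen = $before.LastIndexOf('<![CDATA[')
    if ($cdataOpen -lt 0 -or $cdataOpen -lt $before.LastIndexOf(']]>')) {
        throw 'The <sequence> node in object.xml is not inside a CDATA section.'
    }
    # Splice: everything before the old node, the 2007 node, everything after it
    return $before + $newSequence + $ObjectXml2012.Substring($old.Index + $old.Length)
}

function Update-ExportZip {
    param(
        [Parameter(Mandatory = $true)][string]$ZipPath,          # the 2012 exported .zip (modified in place)
        [Parameter(Mandatory = $true)][string]$Export2007Path    # the archived 2007 task sequence XML
    )
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $xml2007 = Get-Content -Path $Export2007Path -Raw
    $zip = [System.IO.Compression.ZipFile]::Open($ZipPath, [System.IO.Compression.ZipArchiveMode]::Update)
    try {
        $entry = $zip.Entries | Where-Object { $_.Name -eq 'object.xml' } | Select-Object -First 1
        if (-not $entry) { throw "No object.xml found in $ZipPath" }
        $stream = $entry.Open()
        $reader = New-Object System.IO.StreamReader($stream)
        $merged = Merge-TaskSequenceXml -ObjectXml2012 $reader.ReadToEnd() -Export2007Xml $xml2007
        # Rewrite the entry in place, keeping whatever encoding the file was read with
        $stream.SetLength(0)
        $writer = New-Object System.IO.StreamWriter($stream, $reader.CurrentEncoding)
        $writer.Write($merged)
        $writer.Dispose()
        Write-Output "Replaced embedded <sequence> in $($entry.FullName)"
    }
    finally {
        $zip.Dispose()
    }
}

Update-ExportZip -ZipPath 'C:\Exports\Win7-Deploy.zip' -Export2007Path 'C:\Exports\Win7-Deploy-2007.xml'
```

Work on a copy of the export, since the archive is modified in place; the import and the reference fix-up in the console still follow as described above.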

Jason Condo
Principal Consultant


June 26th
Additional Notes:

It seems that some people are having problems importing. While I’m not sure what they are seeing specifically, I found that the best option that worked for me was to create a blank default task sequence (not an MDT task sequence) to use as the export template from 2012. I grabbed the sequence node from the old and inserted it into the new, replacing the embedded sequence XML node. I don’t see why you couldn’t grab below the sequence node as well (after <sequence version="3.00">). I think that may address some users’ experiences of having 3.10 as a sequence version. Hope that helps, and keep sharing your experiences.

Notes from the Microsoft Management Summit 2013

This was another great year at the Microsoft Management Summit (MMS) in Las Vegas. While there were no major product launches, much focus was given to the enhancements in SP1 for System Center. This news isn’t new, since SP1 has officially been out since January, but while there has been a lot of discussion about the features, seeing how Microsoft sees them in action and their alignment with the cloud mindset was beneficial. In the ConfigMgr space, there were numerous enhancements made with SP1, but my favorites are the hierarchical changes and the expansion of non-Windows and non-PC device support.

Down to one

One great feature of the SP1 enhancements for ConfigMgr was the change made to the architecture permitting a much flatter hierarchy. A very compelling argument was made as to why a CAS is not needed and that a single Primary site is all you need (unless you have over 100K clients or a solid reason to have multiples). Again and again it was stated by the MS product team as well as MVPs managing huge deployments that you don’t need the CAS in the design and that a single Primary site server should be good for almost all but the largest deployments. This is backed up by the fact that the design changes in SP1 enable you to add a CAS server at any time later (thank goodness) and that the total number of clients supported at a single primary is 100,000. This is a huge shift for many of us who, based on the RTM specs, had installed CAS servers in solutions just in case a customer would want to expand their hierarchy later.

What was also discussed was the impact of having a CAS that doesn’t do anything, as in the solutions described above. This impact was defined as the “replication tax”: since all primary servers in a hierarchy are equal, any change made at one server has to replicate to all the other servers and then up the hierarchy. When all your clients are reporting to a single primary with a CAS, that means that to see changes made at the Primary at the CAS, you have to wait for them to replicate, for no real benefit. Since Primaries can’t be used to separate rights or access, the argument for having multiple primaries and a CAS becomes really difficult to support.

To illustrate this effect, the product team performed some “bathtub” testing against a design managing 400,000 clients during a normal Patch Tuesday rollout. With the minimal 4 Primary Site Servers, they found it took around 14 hours to process all the backlogs. You would think throwing more servers at the solution would speed things up; however, increasing the number of Primaries to 10 increased the backlog to 26 hours! In both scenarios the CAS was running at 100% utilization trying to keep up with the replication needs. This is huge, so make sure you understand this when you are designing your solution. If you have multiple Primary Servers now and have under 100,000 clients, I would strongly suggest you review your design and adjust accordingly.

Intune and ConfigMgr – Better together

Another great feature in ConfigMgr SP1 is the expanded support for deploying applications across numerous platforms and devices. Native support for IOS 10.6+, Linux, and Android means that you can have an agent, manage devices, and deploy software all from the same console. The user experience across all devices is similar and can even deep-link into the platform’s store to a specific public software install (App Store, Microsoft Store, Google Play). You can even use SCEP 2012 on your Apple systems.

While using ConfigMgr natively is great for managing on-prem devices, Microsoft expects you to manage cloud devices (mobile devices, disconnected PCs, Windows RT) from the cloud. Sounds obvious, and why not, since that is the easiest way to ensure an internet-connected device can be managed without the work of making your management solution public facing. Microsoft has been working hard on its unified device management initiative, and the latest version of Intune creates a connection between your ConfigMgr SP1 solution and your Intune subscription service. Now there are ways you can empower users to enroll their own devices and allow you to inventory, manage, deploy applications to, and wipe those devices, all while having a single toolset to manage and a consistent experience for the end user for application delivery. Let’s face it, keeping things simple and having a happy user makes a productive user and a happy you. There is so much to tell about this that I just can’t write it all, but if you want more details feel free to reach out to me and I can help you dig in deeper.

As always, the sessions were great, the food was plentiful, the vendor parties were fun, and the socializing with other IT folks that wrestle with the same things I do was priceless. If you didn’t get a chance to go, or were able to but missed some sessions in lieu of other ones, Microsoft has the recorded sessions along with slide decks available for download at

Now the only question (beside the obvious one about upgrading to SP1) is whether I will see you at next year’s MMS. However, the decision as to whether Microsoft will have another is still up in the air. We can leave that for another post though 🙂

Jason Condo
Principal Consultant

System Center 2012 – Service Manager with Orchestrator RunBooks

Want users to make their own Service Requests to kick off advanced system tasks without IT administrator assistance? Service Requests through the Service Manager Portal can help alleviate IT administrative overhead. Below are some quick steps to create your own Service Request that kicks off a Runbook to do an IT administrative task.

The administrative task we are creating allows a Windows user to add designated Windows users to the local Administrators group on a Windows computer.

Overview of the scenario:

  1. Create an Orchestrator Runbook
  2. Connect Service Manager to Orchestrator
  3. Import the Runbook
  4. Add the Runbook to a Service Request
  5. Publish the Service Request

The first step we will cover in this scenario is creating an Orchestrator Runbook.

  1. Create an Orchestrator Runbook

For this scenario, please make sure you have the AD Integration Pack installed in the Deployment Manager (see below). The AD Integration Pack can be downloaded from Microsoft.

Open Runbook Designer and create an Initialize Data control:

Make sure to create the details below:

Add the user control from Active Directory

Add the computer control from Active Directory

Add the Run Program control from System:

Make sure to add this to the command:
net localgroup Administrators {Sam Account Name} /{Type}

Final Runbook layout:
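Both values the Run Program activity places on the command line come from the Service Request, so they should be constrained before they reach net.exe, and the change should be verified and recorded. The script below is an added example (not part of the original walkthrough) of a wrapper the activity could call instead of the bare net command; the character set it allows for the account name is a deliberately conservative assumption, not an AD rule.

```powershell
# Added example, not from the original post: a validated wrapper around the
# "net localgroup" command the Run Program activity issues. Both values come
# from the Service Request, so they are constrained before reaching a command
# line: Type may only be add or delete, and the account name must be a plain
# sAMAccountName. A membership check afterwards confirms the change took effect
# and one record per change is returned for the job log. The character set
# allowed for the account name is a conservative assumption, not an AD rule.

function Get-LocalAdministrators {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # WinNT provider enumeration of the local Administrators group (names without domain prefix)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Set-LocalAdminMembership {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[A-Za-z0-9._-]{1,20}$')]   # no spaces, slashes, quotes or domain prefix
        [string]$SamAccountName,

        [Parameter(Mandatory = $true)]
        [ValidateSet('add', 'delete')]                # the only two verbs this request may issue
        [string]$Type,

        [string]$Domain = $env:USERDOMAIN,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $account = "$Domain\$SamAccountName"
    # Each token is a separate argument; nothing from the request is spliced into a command string
    $netArgs = @('localgroup', 'Administrators', $account, "/$Type")

    if (-not $PSCmdlet.ShouldProcess($ComputerName, "net $($netArgs -join ' ')")) { return }

    $output = & net.exe @netArgs 2>&1
    $exit   = $LASTEXITCODE

    # Verify against the group itself rather than trusting the exit code alone
    $isMember = @(Get-LocalAdministrators -ComputerName $ComputerName) -contains $SamAccountName
    $expected = ($Type -eq 'add')

    [pscustomobject]@{
        Timestamp = Get-Date
        Computer  = $ComputerName
        Account   = $account
        Action    = $Type
        ExitCode  = $exit
        Verified  = ($isMember -eq $expected)
        NetOutput = ($output | Out-String).Trim()
    }
}

# Orchestrator would supply these two values from Initialize Data; -WhatIf only shows the command
Set-LocalAdminMembership -SamAccountName 'jdoe' -Type 'add' -WhatIf
```

Publishing the returned object back to the runbook gives Service Manager an audit record of who was added to or removed from the group on which computer.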


Follow the series for Step 2.

Nathan Mertz
| Bennett Adelson | Columbus
Active Directory and Identity and Access Management Principal Engineer
User Experience | Mobility Solutions | Information Worker | Architecture & Development | Advanced Infrastructure

System Center Roadshow – May 2012

Consumerization of IT and how it affects User Centric Management.

This May, Bennett Adelson went out on a multi-city roadshow across the Microsoft Heartland District (of which we are the 2011 Partner of the Year) speaking about how the trends in consumerization force IT to shift from managing assets (hardware and software) to managing users and empowering them to make decisions. This shift is from asset-centric management to user-centric management (UCM).

Jason Condo opened the roadshow with a presentation on IT trends with some eye-opening results from recent surveys conducted by industry leaders. This showed how the trend toward savvier users in devices, technology and solutions is inevitable and will only grow in the years to come. Using the User Experience Equation, he showed the five areas that IT must always think about when managing assets, users, or data.

Keith Mayer, IT Evangelist from Microsoft, spoke on the benefits of the whole System Center 2012 suite of products and how they can be leveraged to provide UCM and manage the whole enterprise.

David Norling-Christensen provided the first technical session, demonstrating how the new application model in System Center Configuration Manager 2012 aids in driving the move towards UCM. Using the application model, the IT administrator can make different installation types of a piece of software available to the user and allow specific attributes of the user’s experience to dictate how the software is installed or used. He also demonstrated the new self-service model that empowers users to get what they want or need while freeing up administrators to provide services instead of installing software.

Jason provided the second technical session, around Microsoft’s Virtual Desktop Infrastructure (VDI) implementation and how it can be leveraged for UCM. By leveraging VDI as a tool, IT can empower the user while freeing themselves from trying to manage unmanaged devices. Using System Center Virtual Machine Manager 2012, Jason showed how it can be leveraged to manage VDI implementations and how it can also manage an organization’s hypervisors throughout the enterprise, whether they are VMware, Xen, or Hyper-V.

Lastly, David wrapped up our discussion on UCM by showing the previous technologies in action with MDOP’s User Environment Virtualization (UE-V) that allows users’ personalized application settings to be saved and migrated from machine to machine as they need it. David presented on how this works and how to implement it. He then demonstrated it leveraging the System Center Configuration Manager 2012 applications used in his first session along with Personal and Pooled virtual machines from Jason’s session. This was an excellent demo showing a seamless user experience across physical workstations, virtual machines and even Remote Desktop Services (RDS, formerly Terminal Services).

This was a great roadshow and the System Center team is looking forward to the next ones. Please find the PowerPoint decks used in the roadshow available for download from this post.

System Center Roadshow, May 2012 – Introduction – Keith Mayer, Microsoft

System Center Roadshow, May 2012 – 1 – Consumerization of IT and UCM – Jason Condo, BA

System Center Roadshow, May 2012 – 2 – ConfigMgr 2012 UCM – David Norling-Christensen, BA

System Center Roadshow, May 2012 – 3 – VDI and UCM – Jason Condo, BA

System Center Roadshow, May 2012 – 4 – UE-V UCM – David Norling-Christensen, BA

System Center Roadshow


System Center 2012 – Embracing User Centric Management

User Centric Management (UCM) is the delivery of necessary resources for corporate end-users anywhere, on any device, in a safe and compliant manner.  Bennett Adelson will explore how System Center 2012 and UCM is creating a paradigm shift in how enterprises go from supporting devices to supporting their end-users.

Come learn how you can leverage UCM to support your users’ business needs and personal expectations with System Center 2012.



Recognizing IT Trends – User Centric Management (UCM)

Part 1:  System Center Configuration Manager 2012 and UCM

By: David Norling-Christensen

    • Technical Overview
    • The new application model
    • Self-Service Portal

Part 2:  System Center Virtual Machine Manager 2012 and UCM

By: Jason Condo

    • Technical Overview
    • VDI and RDS
    • Personal and Pooled VMs

Part 3:  User Experience Virtualization (UE-V)

By: David Norling-Christensen

    • Technical Overview



Columbus (May 21st)

Time: 8:30am – 12:00pm
8800 Lyra Dr. Suite 400
Columbus Ohio, 42340

Cleveland (May 23rd)

Time: 8:30am – 12:00pm
6050 Oak Tree Blvd, Suite 300
Independence Ohio, 44131

Detroit (May 24th)

Time: 8:30am – 12:00pm
1000 Town Center, Suite 1930
Southfield Michigan, 48075

DPM 2012 RTM: LAB in Place Upgrade from DPM 2010 and SQL 2008

In this post, I am going to upgrade a LAB DPM 2010 server to DPM 2012 RTM. This process will require several hours and take your backup environment offline during the entire process. Be sure to do this during a time period when no backups need to be created or restored. Additionally, all backups will have to have a consistency check run against them, which is a very intensive process for both the network and the protected machines.

Lab Environment – Requirements

  1. A server (or virtual machine) running Server 2008 R2 SP1.
  2. DPM 2010 installation. DPM 2010 must have the latest QFE rollup installed along with the hotfix required by DPM 2012. Additionally, you must push the client update to all protected sources. This server will be named BACLEVDPM01.
  3. SQL 2008 R2 Standard or Enterprise (as required by DPM 2012) media (or already installed with DPM 2010)
  4. System Center DPM RTM media

Setup – SQL 2008 to 2008 R2 Upgrade

Since my lab environment was running SQL 2008 and not the required 2008 R2, the following steps are required to upgrade SQL.  If your environment is using SQL 2008 R2, you can skip these SQL based steps.

Setup – SQL Upgrade

  1. Launch setup.exe from the SQL 2008 R2 media
  2. Select Installation on the left side
  3. Select Upgrade from SQL Server 2000, SQL Server 2005 or SQL Server 2008
  4. Select OK to continue
  5. A new Setup Support Rules screen will appear. Continue
  6. Enter your product key (or evaluation)
  7. If you accept the license terms, continue
  8. Ensure your instance is selected in the drop-down field and continue
  9. Feel free to look at the features that will be upgraded and continue
  10. Validate the Instance Configuration and continue
  11. Verify the Disk Space Requirements and continue
  12. Verify Authentication Mode and continue
  13. Decide if you want to send error reports and continue
  14. Ensure the Upgrade Rules pass and continue
  15. Verify the settings and continue
  16. The upgrade will run for a long time. If you get an error stating a *ReportServer-rsctr.dll is stuck in use, kill “WmiPrvSE.exe” and continue the upgrade.
  17. A reboot is required after the upgrade
  18. Verify the upgrade was successful and continue
  19. Reboot the machine as requested

Verify – DPM 2010 Works with SQL 2008 R2 Upgrade

  1. Launch the DPM 2010 console and verify DPM 2010 continues to function as it did previously. If all goes well, you are ready to upgrade to DPM 2012! You may also want to apply SP1 for SQL 2008 R2; however, it is not required for DPM to install or function.

Setup – DPM 2010 to 2012 Upgrade

Since SQL 2008 R2 is now running (because of the upgrade or because you started with 2008 R2), we can now upgrade to DPM 2012.

Setup – DPM Upgrade

  1. Launch setup.exe from the SCDPM folder
  2. Choose to install Data Protection Manager
  3. If you accept the license terms, continue
  4. Acknowledge the Setup wizard information and continue
  5. Choose to Use the dedicated instance of SQL Server and click Check and Install
  6. Assuming the prerequisites are met, you will get a message stating The required hardware and software prerequisites are met on this computer (don’t be silly and assume it states they are not met like I first assumed…). Then continue
  7. Enter your product key
  8. Verify the Installation settings and continue
  9. Enter the password for your existing account and continue (it will not re-create the account)
  10. Feel free to choose your update method and continue
  11. Select your Customer Experience Improvement Program option and continue with the upgrade
  12. After a long time, it will finish. If you want to have fun, follow the link to the latest DPM updates (it goes to DPM 2010 information).

Setup – DPM Agent Upgrade

  1. Launch Microsoft System Center 2012 Data Protection Manager. You will likely notice a lot of Critical Alerts. We will work towards resolving the Replica is inconsistent error
  2. Click on Management (so you can see all your Agent Status showing Needs updating)
  3. Mass select all computers with the protection agent and click on Update (on the top ribbon)
  4. Acknowledge the warning and continue
  5. If all goes well, your agents will have a status of OK

Setup – DPM Protection Group Consistency Check

  1. Launch Microsoft System Center 2012 Data Protection Manager.
  2. Navigate to Protection
  3. Select a protection group and click Consistency check
  4. Accept the warning message and allow the consistency check to run
  5. You will need to repeat steps 3 and 4 for each protection group.
  6. You can monitor the status of the consistency check by going to Monitoring, All jobs in progress
  7. Once the consistency check is done, normal backups should continue as scheduled.

Setup – DPM Email Notifications

The upgrade apparently removes previously setup email notifications (it’s a feature ;).  To enable email notifications you will need to do the following:

  1. Launch Microsoft System Center 2012 Data Protection Manager.
  2. Navigate to Management
  3. Select Options from the top ribbon
  4. Select the SMTP Server tab
  5. Enter the appropriate SMTP information for your environment
  6. Select Send Test Email and enter your email address to send a test email to
  7. You should get an email within a few minutes if you have set up SMTP successfully
  8. Navigate to the Notifications tab
  9. Select the appropriate alerts and enter the recipients before selecting OK