“Notes from the Field” of Configuration Manager 2012 Sp1 Implementation and UpgradesKenny BuntinxMVP – Principal Consultant - Inovativ

Microsoft NDA Confidential

About me

Kenny Buntinx

Principal ConsultantKenny.Buntinx@Inovativ.b

ehttp://www.inovativ.be

@KennyBuntinx

http://be.linkedin.com/pub/kenny-buntinx/3/639/107

http://scug.be/blogs/sccm

Microsoft NDA Confidential

Key Takeaways1. We are not discussing architectural changes in

depth

2. Knowledge of Configuration Manager 2012 must be at the right level

3. Don’t think all is applicable in your environment

4. I’ll try to avoid the CAS as much as possible

1. Awareness

Notice on Upgrade to SP1

ConfigMgr 2012 SP1 is a massive upgrade that includes many new features and subtle changes

Support for Windows Server 2012 , Windows 8 and SQL Server 2012 SP1.

Clients are now supported on Mac computers, and on Linux and UNIX servers.

Windows PowerShell cmdlets are available to automate Configuration Manager operations)

Notice on Upgrade to SP1

Expand a stand-alone primary site into a hierarchy that includes a new central administration site, and the migration of a Configuration Manager SP1 hierarchy to another Configuration Manager SP1 hierarchy.

Support for multiple software update points for a site to provide automatic redundancy for clients in the same way as you can configure multiple management points.

Client notification to initiate some client operations from the Configuration Manager console.

Notice on Upgrade to SP1

Support for virtual environments that allow multiple virtual applications to share file system and registry information instead of running in an isolated space.

Email alert subscriptions are now supported for all features, not just Endpoint Protection.

First, make sure you review the official KB and the documents linked there: 2801416.

1. Preparation

Prerequisites Here’s a list of things to download:

• The ADK is pretty big – 2.5GB big – so it may take a while to download.• Latest supported SQL Server SP• Latest supported SQL Server CU for the latest SP• WMF 3.0 • Latest WSUS 3.0 SP2 hotfix 2734608 - Note that this hotfix includes 2720211.• ConfigMgr SP1 installation files from the media (

make sure you downloaded the media after January 25, 2013)

Download the ConfigMgr 2012 SP1 pre-requisite files using setupdl.exe from the install media and replicate these to all site servers also for use during setup.

2. Pre-Upgrade

Upgrade Steps

1. Backup your SUSDB 2. Backup your System Center Configuration Manager DB

Note that with 2012, a normal SQL Server DB backup is sufficient for restoring a ConfigMgr site. The only major difference between a SQL Backup and the site maintenance task is the use of the afterbackup.bat process to initiate additional backup processing. Note that inboxes are discarded for both methods.

3. Upgrade SQL Server to the latest supported SP and Cumulative Update.

4. Resolve any major issues identified in the site status or component status.

Upgrade Steps

5. Install the latest Windows stability and security updates.

6. Backup ---> Again ?

In addition to your normal backup location, make an extra copy particularly if you are using the built-in task where it overwrites the backup every time. If you don’t and you have an issue, the backup task may overwrite the known good DB and you’ll be toast.

7. Restore a copy of the DB to a test server and test the DB upgrade process using the /TESTDBUPGRADE option.

Upgrade Steps

8. Uninstall WAIK and install the ADK.9. Install WMF 3.0

WMF 3.0 will break your RTM Management Point (MP), so plan on doing this shortly before the actual upgrade. Installing WMF 3.0 usually requires a reboot also.

10. Disable your anti-virus product.

11. Disable the “Delete Aged Client Operations site maintenance task” on all sites.

12.Uninstall PCM

Upgrade Steps (Wsus)

• Ensure hotfix KB2734608 is installed on your WSUS 3.0 SP2 SUP (Note: Windows Server 2012 includes WSUS 4.0 so this hotfix is not required).  

• SUP on a remote server ? Install the hotfix on the site server as well since it has the WSUS admin console installed.  This will only present a warning if it’s not installed (it actually states KB2720211, but KB2734608 includes KB2720211)

• However, if you upgrade to SP1 without this WSUS hotfix, your SUP will not function properly after the upgrade!  Therefore it is highly recommended you install the WSUS hotfix(es) before continuing.

Upgrade Steps (Migration Connector)

• Additionally, if you have your 2012 hierarchy connected to your 2007 hierarchy for migration purposes, you will temporarily need to click the “Stop Gathering Data” button in the Migration folder in order to install SP1. 

• When the upgrade is completed, in order to be able to restart the data gathering, you will need to go back into the Source Hierarchy section of the Migration folder, select the hierarchy, and click “Configure”. 

3. Upgrade

Upgrade itself 1. Restart the site servers.

2. Run setup! Follow the wizard.

3. Review the log.

4. Take a break.

Wait up to 30 minutes or so for the site components to re-install (watch the sitecomp.log) before proceeding any further with any post-install steps. Sometimes there may be component installation failures or sometimes the re-install of the management point completes but states that a reboot is required (3010 exit code.)

4. Post-Upgrade

Post-Upgrade 1. Perform your standard health checks like reviewing replication,

site status, and component status.

2. Perform a backup.

Make sure you don’t overwrite any of the previous backups made during the course of upgrading the sites – you may still need them.

3. Perform a functionality check.

4. Re-enable the “Delete Aged Client Operations site maintenance task” on all sites.

Post-Upgrade 5. Simply redeploy the default boot images to your PXE enabled

DPs and look if they were successfully updated.

In general, you should be injecting fewer drivers into your boot images though because they will hopefully already be built in. Also note of course that older systems (6+ years or so) are not Win8 (and thus not WinPE 4.0) compatible and neither are some ATOM processors because of the lack of some processor options. This goes for some versions of VMWare also. There is currently no supported fix or work-around for this – you have been warned.

6. Deploy the updated client agent.

Use the auto-upgrade process was completely re-designed in 2012 SP1 to handle this for any size organization (in fact, they used this at Microsoft to upgrade all 250,000+ clients to SP1).

Post-Upgrade

7. Review, test, and update Task Sequences

Native task sequences have changed a bit in SP1 but you shouldn’t haven’t any issues with them after the upgrade; however, if you have anything non-native, like MDT in your task sequence, then you will have some work ahead of you. Generally, MDT based task sequences need lots of TLC after the upgrade and many folks just end up recreating them. Also note that MDT 2012 Update 1 had a minor update also to support SP1 so make sure you have the latest version.

That is another reason why I stay away from MDT

Post-Upgrade 8. Track ConfigMgr client and WUA upgrade process.

Using reporting or console queries (not collections).

9. Re-enable your Anti-virus product.

Make sure you have all of the recommended exclusions in place before doing this. If you are using SCEP, there are templates built-in.

Post-Upgrade defaults• Software Center

After upgrade to Configuration Manager SP1, the following Software Center items will be reset to their default values:

• Work information is reset to business hours from 5.00am to 10.00pm Monday to Friday.

• Computer maintenance is reset to Suspend Software Center activities when my computer is in presentation mode.

• Remote control is set to the value configured by the client settings assigned to the computer.

• Software update summarization schedules

Custom summarization schedules for SU or SU groups are reset to the default value of 1 hour. After the upgrade completes, reset custom summarization values to the desired frequency.

Post SP1 Hotfixes

• Post SP1 Hotfixes to install  

Cumulative Update 1 for SP1http://support.microsoft.com/kb/2817245/en-us

Post CU1 Hotfix - packages getting stuck in “In progress – Waiting for Content” after updating a package to a distribution pointhttp://support.microsoft.com/kb/2828900

 

5. Gotcha’s and Potential Issues

Gotcha 1 – Built-in collections

• The built-in collections are overwritten in the site database. If you have customized a built-in collection, create a copy of that collection before you upgrade.

• This issue occurs because built-in collections are read-only and cannot be changed in System Center 2012 Configuration Manager SP1. 

More details in http://support.microsoft.com/kb/2739984.

Gotcha 2 – Admin Console backwards compatibility• When you use a Configuration Manager console that is of a lower

service pack version than the site you connect to, the console cannot display or create some objects and information that are available in the new service pack version.

• When you use a Configuration Manager console that is of a higher service pack version than the site you connect to, the connection is blocked. 

Hint: If you have many administrators connecting to your hierarchy, the ConfigMgr 2012 admin console is a prime candidate for virtualization using App-V v5 – which by the way has no more Q: drive!!!

Gotcha 3 – Dynamic SQL Ports

• Using dynamic ports in SQL?  You must change them back to static in order to successfully install SP1 on your SQL instance (this includes secondary sites). Configuration Manager does not support dynamic ports. 

For more information refer to http://technet.microsoft.com/en-us/library/gg682077.aspx#BKMK_SupConfigSQLDBconfig

If you aren’t sure how to configure SQL to listen on a specific TCP/IP port, visit http://technet.microsoft.com/library/ms177440.aspx.

Gotcha 4 – Upgrading Secondary sites

• Have Secondary sites to upgrade?  SQL Server cumulative updates must be manually installed on secondary sites that use SQL Express. 

See http://support.microsoft.com/kb/2688247 for more information.  You must update to SQL 2008 R2 SP1 CU6 or SP2 at minimum.

Gotcha 5 – Got McAfee or Trend?• Visit :

https://kc.mcafee.com/corporate/index?page=content&id=KB76867&actp=search&viewlocale=en_US&searchid=1357907921573

http://blogs.technet.com/b/systemcenterpfe/archive/2013/01/11/updated-system-center-2012-configuration-manager-antivirus-exclusions-with-more-details.aspx

or prepare to suffer from corrupted boot images or setup failure. There are some additional A/V exclusions that are important to add to insure this doesn’t happen.

Gotcha 6 – Using a service account for your “Site System Installation Account”

• Using a service account for your “Site System Installation Account” (rather than the site server’s computer account)? 

There is a known issue if you are using an AD account.  The evidence that you are experiencing this issue is your console will have errors on the DP Monitoring stating “Distribution Manager failed to find or create the defined share or volume on distribution…”  Your distmgr.log will say things like “Failed to set share security on share \\server\SMSSIG$.  Error = 5” (which is access denied and “Failed to set access security on share SMSSIG$ on server xxx”. 

• To resolve this issue, change your site server settings back to use the “site server’s computer account” to install the site system, and your DP will successfully install. 

Gotcha 7 – OS Deployments on older hardware may become an issue

• OS Deployments on older hardware may become an issue due to the fact that SP1 changes from utilizing WAIK (WinPE v3.x) to using ADK (WinPE v4.0 – Win8/Server 2012). 

If a BIOS update does not resolve it, make sure your PC is Windows 8 compatible or the new WinPE 4 in the ADK will not boot properly.  Freezing or blue screens with errors such as “HAL_INITIALIZATION_FAILED”, and “UNSUPPORTED_PROCESSOR” along with a 0x0000005D are the more common symptoms of this. 

More importantly, see this blog posting on how to collect NX, PAE, and SSE2 supportability information from your [PowerShell execution capable] clients at http://blogs.technet.com/b/configmgr_geek_speak/archive/2013/03/03/winpe-4-0-boot-images-not-working-with-cpu-s-that-do-not-support-nx-pae-sse2.aspx.

CONTENT SLIDE

Gotcha 8 – VMware’s vSphere 4 is not supported

• VMware’s vSphere 4 doesn’t and will not support running Windows 8 and Windows Server 2012

• Solution : Upgrade your vSphere environment to version 5.1 Hyper-V

Gotcha 9 – The 8dot3name settings• Capturing images with ConfigMgr 2012 SP1, 8dot3name creation

is disabled on all volumes. They changed the default behavior of the formatting tools in Windows 8. (ADK).

• In some environments, certain applications do not work properly. (Almost all Legacy XP Apps that work on Win7).

To manually enable 8.3 naming after formatting, you can use fsutil.exe from the command line: fsutil 8dot3name set x: 0 (where x: is the drive letter to enable 8.3 naming on)

More info at : http://scug.be/sccm/2013/01/15/configmgr-2012-sp1-the-8dot3name-settings-are-disabled-on-the-volumes-upon-partitioning-and-formatting-of-the-local-disk/

Gotcha 10 – “Broken Applications after upgrading them from RTM”• After the upgrade was successfully performed , suddenly all applications within my

OSD task sequence start failing :

The task sequence failed to install application Intel Management Engine 6.0.40.1215(ScopeId_67A221E3-64F0-47D4-AA5A-BB3729EC221F/Application_2071f753-7604-42a5-b6be-b1b45c3c1f0a) for action (Install HW Driver Applications for HP8540P) in the group () with exit code 615. The operating system reported error 615: The password provided is too short to meet the policy of your user account. Please choose a longer password.

The task sequence failed to install application NVIDIA Quadro/NVS Mobile Drivers 305.93(ScopeId_67A221E3-64F0-47D4-AA5A-BB3729EC221F/Application_17e0153e-3d4f-467b-a2b3-68491516b0e1) for action (Install HW Driver Applications for HP8540P) in the group () with exit code 580. The operating system reported error 580: An event pair synchronization operation was performed using the thread specific client/server event pair object, but no event pair object was associated with the thread.

The task sequence failed to install application Synaptics Touch Pad Driver(ScopeId_67A221E3-64F0-47D4-AA5A-BB3729EC221F/Application_a0628bfc-3f06-4096-a001-c1a6c92675ea) for action (Install HW Driver Applications for HP8540P) in the group () with exit code 16389. The operating system reported error 2: The system cannot find the file specified.

Gotcha 10 – “Broken Applications after upgrading them from RTM”

• We found a workaround, you have simply to add a comment to each DT and it will update the content ID. Nevertheless, the change means that a redistribution of your application on all your DP’s.

• Confirmed with Application Catalog downloads as well. You will see “+++ Did not detect app deployment type”… in the AppDiscovery.log file. Additionally, the Software Center will show the error message “Failed”. Clicking on the details will result in “The software change returned error code 0x87D00607(-2016410105).”

Following the steps above and further discussed at http://scug.be/sccm/2013/01/27/configmgr-2012-sp1-powershell-script-to-repair-broken-applications-after-upgrading-them-from-rtm/, the application will successfully install.

This is also resolved with an upgrade from SCCM 2012 SP1 RTM to SCCM 2012 SP1 CU1

Gotcha 11 – “Applications won’t install during a Win7 task sequence”

• You get an access denied (hresult of 0×80070005) when downloading the application content and is clearly denoted in either smsts.log (if the application install is during a task sequence) or CAS.log.

• This only happens on client systems in untrusted domains (note that workgroups are essentially untrusted domains); for task sequences, this is of course the case during a build and capture.

Create a deployment tasksequence that install’s the following hotfix : http://support.microsoft.com/kb/2522623/en-us

For a build and capture task sequence, simply put the hotfix msu into a “classic” package and use a Software Install task followed by a reboot task before you try to deploy any applications.

Gotcha 12 – “Specify your MP during Build & Capture Win7 task sequence”

• For build and capture task sequences, you should also be specifying the SMSMP public property in the Setup Windows and ConfigMgr task so that the MP can be found.

• During a build and capture, the client is in a workgroup and thus has no way to locate the MP which is needed for Application installs as well as Software Updates during the task sequence.

Gotcha 13 – "Only finalized boot images are supported"

Reason :  You have the following components running in your environment :

• McAfee Virus Scan Enterprise (VSE) 8.8 Patch 2 • TrendMicro enterprise scan

http://scug.be/sccm/2013/01/14/cm2012-sp1-no-default-boot-images-available-only-finalized-boot-images-are-supported/

Gotcha 14 – “Windows 7 does not support setup.exe"• Windows 7 Setup.exe install is not supported (but also VISTA ,

Windows Server 2008 / 2008 R2) on ConfigMgr 2012 SP1.  With SP1, you need to use a WIM installation unless you’re installing Windows 8. 

http://technet.microsoft.com/en-us/library/jj591552.aspx#BKMK_WhatsNewSP1_Software

• You must add a Set Task Sequence Variable step before the Apply Operating System step that sets OSDPreserveDriveLetter=False if you want to have the WIM file on the c:\ drive

http://scug.be/sccm/2013/01/13/configmgr-sp1-windows-7-deployment-is-not-supported-anymore-from-the-setup-exe/

Thank You to our SPONSORS

Q and A

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.