ConfigMgr 2012 : Application Catalog Login Popup Cross-Domain

So, you can probably see from the spate of recent articles on here that I’m working on a Configuration Manager deployment..! The deployment spans multiple domains, with the Application Catalog role residing in a different domain from some user accounts – all within the same forest, mind. This will cause a login prompt if a user tries to open the Application Catalog Web Site, even if the site is in the Trusted Sites zone.

First things first, you need to modify the ACL of the folder containing the website itself on the Application Catalog server – <Install Path>\SMS_CCM\CMApplicationCatalog. Add each domain’s Domain Users group with Read and Execute, Read and List Folder Contents.

Next you need to add the site URLs to the Local Intranet zone in order for credentials to be sent. Unfortunately this cannot be achieved using the Configuration Manager Device Policies; you’ll have to use either a Group Policy or a script.

Scripted Method (preferred)

The following VBScript will work. Change the FQDN to that of your Internet Management Point and then distribute it as a package in ConfigMgr 2012. Create a program within your package that has the following command line setup: cscript.exe /nologo <script file>.vbs

Note that this will not work on machines that have Internet Explorer Enhanced Security Configuration (IE ESC) enabled.

```vbscript
On Error Resume Next
Const HKEY_CURRENT_USER = &H80000001

strComputer = "."

' Connect to the WMI registry provider on the local machine
Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}\\" & strComputer & "\root\default:StdRegProv")
' Replace <internet MP FQDN> with the FQDN of your Internet Management Point
strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\<internet MP FQDN>"

' Per-user setting: the key is created under HKEY_CURRENT_USER
objReg.CreateKey HKEY_CURRENT_USER,strKeyPath

' The value name is the URL scheme; 1 = Local Intranet zone
strValueName = "https"
dwValue = 1

objReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName,dwValue
```

Group Policy Method

Create a new/edit an existing GPO in each domain with the settings defined below.

Browse to: Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page

Then look for the Site to Zone Assignment List, enable and add the following (the value ‘1’ is used to define the Local Intranet zone)

    • Value Name: https://<intranet fqdn>/  Value: 1
    • Value Name: https://<internet fqdn>/  Value: 1
    • Value Name: http://<intranet fqdn>/  Value: 1
    • Value Name: http://<internet fqdn>/  Value: 1

Don’t use the built-in Configuration Manager Device Policy method to add this to Trusted Sites as this will not pass NTLM credentials.

There is a downside to this: all zones become ‘Managed’ – i.e. users will be unable to modify the membership of any zone.
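Sites in the Local Intranet zone receive the user's credentials automatically, so it is worth checking exactly which sites ended up there after either method. The following PowerShell audit is an added example, not part of the original post; the function name `Get-ZoneMappedSite` is hypothetical, and it reads both the per-site keys the script writes and the Site to Zone Assignment List policy key.

```powershell
# Added example: list every site mapped to an IE security zone (default 1 = Local Intranet).
$ZoneMap   = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$PolicyMap = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

function Get-ZoneMappedSite {
    param([int]$Zone = 1)

    foreach ($hive in 'HKCU:', 'HKLM:') {
        # Per-site keys: Domains is what the script above writes; EscDomains is used
        # instead when IE Enhanced Security Configuration is enabled.
        foreach ($sub in 'Domains', 'EscDomains') {
            $root = "$hive\$ZoneMap\$sub"
            if (-not (Test-Path $root)) { continue }
            $rootName = (Get-Item $root).Name
            foreach ($key in Get-ChildItem $root -Recurse) {
                # Keys may be stored parent-first (contoso.com\server); rebuild the host name.
                $parts = $key.Name.Substring($rootName.Length + 1).Split('\')
                [array]::Reverse($parts)
                foreach ($scheme in $key.GetValueNames()) {
                    if ($key.GetValue($scheme) -eq $Zone) {
                        [pscustomobject]@{
                            Source = "$hive $sub"; Site = ($parts -join '.')
                            Scheme = $scheme; Cleartext = ($scheme -eq 'http')
                        }
                    }
                }
            }
        }
        # Site to Zone Assignment List (Group Policy): value name = URL, value = zone as a string.
        $policy = "$hive\$PolicyMap"
        if (Test-Path $policy) {
            $key = Get-Item $policy
            foreach ($url in $key.GetValueNames()) {
                if ("$($key.GetValue($url))" -eq "$Zone") {
                    [pscustomobject]@{
                        Source = "$hive policy"; Site = $url
                        Scheme = if ($url -match '^(\w+)://') { $Matches[1] } else { '*' }
                        Cleartext = ($url -like 'http://*')
                    }
                }
            }
        }
    }
}

Get-ZoneMappedSite | Sort-Object Source, Site | Format-Table -AutoSize
```

Run it as the logged-on user so the HKCU entries are that user's. Rows with `Cleartext` set to True are intranet-zone sites reached over plain HTTP.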

ConfigMgr 2012 : Creating a Multi-Regional / Multi-Lingual Windows Image

You can use this language pack deployment method to integrate many languages at once into a Windows Image during Build and Capture, or even Image Deployment, the primary display and input language are set by the Unattend file.

ConfigMgr 2012 : Deploy VMWare Tools During OSD

Adding an ‘intelligent’ VMWare Tools installation ensures that all of your VMs get the necessary drivers and tools automatically during Operating System Deployment. Using WMI we can ensure that the tools are only deployed to VMWare machines.

1. Create a VMWare Tools Package

  1. Copy the contents of the VMWare Tools CD to a Source Folder
  2. Create a New Package with Source Files
  3. Within the Package create a Program with the following configuration:
    1. General
      1. Command Line: msiexec /i "VMware Tools64.msi" ADDLOCAL=ALL REMOVE="Hgfs,WYSE,GuestSDK,vmdesched" /qn /norestart
      2. After Running: Configuration Manager Restart Computer
    2. Requirements
      1. Select Required Platform: Windows 2003 64-bit or newer – note 64-bit ONLY
    3. Environment
      1. Program can run: Whether user is logged in or not
    4. Advanced
      1. Tick ‘Allow this program to be installed from the Install Package task sequence without being deployed’

2. Prepare the Task Sequence

  1. Create a new group with the following ‘Query WMI’ condition:
    1. WMI Namespace: root\cimv2
    2. WQL Query: select Model from Win32_ComputerSystem where Model = "VMware Virtual Platform"
  2. Add an Install Package Task underneath this group that deploys the VMWare Tools Program you have just created

ConfigMgr 2012 : SMS_SITE_BACKUP Error 5060

When using the SMS_SITE_BACKUP component to perform a Configuration Manager 2012 backup you may receive the following errors:

SMS SQL Backup service on the SQL Server \\<SQL Server Name> failed to backup the site database CM_<Site Code>. The error reported by the service is Error: SQL Writer not found.. Backup operation is not completed.

Site Backup failed. The error reported by the service is Error: Sql Server could not prepare for the Backup.. Backup operation is not completed. Please see smsbkup.log for more information.

To resolve this, simply configure the NT AUTHORITY\SYSTEM account to have SYSADMIN permissions on the System Center 2012 Configuration Manager SQL Instance. This is required for the VSS writer to back up the SQL database.
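Before granting the role, you can confirm that this is the cause by checking whether the SQL VSS writer is visible and whether NT AUTHORITY\SYSTEM already holds sysadmin. The PowerShell below is an added example, not part of the original post; the function name `Test-SiteBackupPrereq` and the default instance name are assumptions, and it expects English `vssadmin` output, an elevated prompt on the site database server, and a login that can connect to the instance.

```powershell
# Added example: check the two conditions behind SMS_SITE_BACKUP error 5060.
function Test-SiteBackupPrereq {
    param(
        [string]$SqlInstance = 'localhost'   # assumption: replace with the ConfigMgr SQL instance
    )

    # 1. Is the SQL VSS writer registered, and what state does it report?
    $lines = @(& vssadmin.exe list writers)
    $state = $null
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match "Writer name: 'SqlServerWriter'") {
            # The State line follows within the next few lines of the writer block.
            $block = $lines[$i..([Math]::Min($i + 5, $lines.Count - 1))]
            $line  = $block | Where-Object { $_ -match 'State:' } | Select-Object -First 1
            $state = if ($line) { $line -replace '^\s*State:\s*', '' } else { 'unknown' }
            break
        }
    }

    # 2. Is NT AUTHORITY\SYSTEM a member of the sysadmin server role?
    $conn = New-Object System.Data.SqlClient.SqlConnection `
        "Server=$SqlInstance;Database=master;Integrated Security=SSPI"
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT IS_SRVROLEMEMBER('sysadmin', 'NT AUTHORITY\SYSTEM')"
        $isSysadmin = $cmd.ExecuteScalar()   # 1 = member, 0 = not a member, NULL = login not found
    }
    finally {
        $conn.Dispose()
    }

    [pscustomobject]@{
        SqlWriterFound   = [bool]$state
        SqlWriterState   = $state
        SystemIsSysadmin = ($isSysadmin -eq 1)
    }
}

Test-SiteBackupPrereq
```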