Wednesday, 28 May 2014

ConfigMgr 2012/1E Nomad - Downloading (0% complete)

Back to ConfigMgr main menu

This was tricky to solve. Everything looked correct. ConfigMgr 2007 and 1E Branch Nomad clients had been installed on several computers. The ConfigMgr clients were upgraded to 2012. Boundaries and boundary groups were correct. Yet, in Software Center, all content was stuck on Downloading (0% complete) (updates, packages etc.)

In normal ConfigMgr 2012 operation, content is downloaded directly to the cache (C:\Windows\ccmcache) and executed from there. In testing, I uninstalled the Nomad Branch client and the process worked perfectly. However, when the Nomad client was installed again the problem re-occurred. 

In a correctly operating "ConfigMgr + Nomad Branch" client the content should be downloaded to the ConfigMgr cache and transferred immediately to the Nomad Cache (ProgramData\1E\NomadBranch). At this point execution takes place. Strangely enough, the content was being transferred to the Nomad cache but never installed. Also, ConfigMgr did not know that the content had been downloaded and the Software Center did not report correctly.

Nomad uses CcmCTMNotification.dll to provide status updates to the ConfigMgr client. A review of the Nomad log files revealed that version 4.0.xx of this file was reporting on the effected clients. This is a 2007 file. The 2012 version should read 5.0.x.x. It seems that the file was locked by Nomad during the ConfigMgr client upgrade process and could not be deleted.

The issue was resolved by deleting the C:\Windows\System32\CCM folder and rebooting the computer (note that this is the 2007 location, the 2012 client uses C:\Windows\CCM). All content could then be downloaded and installed.

Note that this issue only occurred on 60 of 1000 computers.

Tuesday, 20 May 2014

MBAM Console - An error has occurred

MBAM 2.5 (Microsoft BitLocker Administration and Monitoring) was shipped with MDOP 2014, which was released on 13th May 2014. I installed it today and got this error when I opened the console.

"An error has occurred"

During the installation I had configured port 80 for the MBAM site.

However I needed to change that afterwards and did so using IIS Manager (changed to port 8080). 

I figured that my problem was in some way related to this. I was right.

I browsed to 

C:\inetpub\Malta BitLocker Management Solution\Help Desk Website

and opened the web.config file

My change was not reflected in this file. I changed it to 8080, saved the file and restarted IIS.

Problem solved.

Friday, 16 May 2014

MBAM 2.5 - FORCE a user to encrypt

Finally we can FORCE a user to start BitLocker Drive Encryption via MBAM (Microsoft BitLocker Administration and Monitoring). In previous versions you could configure Group Policy Objects that would prompt users to encrypt. However there was a "Postpone option", which users could use indefinitely. You could view compliance reports to identify culprits, but that wasn't very satisfactory.

Now MBAM 2.5 (shipped with MDOP 2014, released on 13th May 2014) has additional GPOs which greatly enhance the Microsoft encryption offering. 

My favourite is shown below. Simply enable Encryption Policy Enforcement to force encryption.

The policy also allows you to configure a grace period. You can define a number of days, after which encryption will be forced. My standard grace period is 0 days.


Monday, 12 May 2014

ConfigMgr 2012 - additional Management Points

Back to ConfigMgr 2012 menu 

In a large site, multiple Management Points assist in load-balancing traffic from multiple clients. They are also useful so that clients continue to receive their policy after Management Point failure. Howver this feature should be regarded as load-balancing rather than true High Availability.

This Technet Library article explains the limitations well: 

Planning for High Availability with Configuration Manager

You can also configure the additional Management Point to use a database replica (rather than the site database) and this further reduces the CPU processing on the site database server. This is described here:
Configure Database Replicas for Management Points

ConfigMgr 2012 Management Points are only supported on Windows Server 2008 and upwards (see Supported Configurations)


For Windows Server 2012

Prior to Windows Server 2012

Add the computer account of the Primary Site server to be Local Administrator of the new Management Point server.

Management Point Installation

Navigate to Administration > Site Configuration.

Right click "Servers and Site Systems" and choose "Create Site System Server".

 Enter the server name and choose your site code.

Select "Management Point".

Choose to use either the site database or a database replica (see above).

Click Next to install the Management Point.

Close the wizard.

The new site system appears in the console. 

Verify the installation using  the SITECOMP.log file.

See additions in Site Status.

See additional components.

Folder structure on new MP.

New objects published to Active Directory.