SCEP 2012 client in captured WIM image

I screwed up. I forgot to uninstall SCEP 2012 from my image as I normally do and then install it during the task sequence with updated definition install tasks, as described here:
http://blogs.technet.com/b/configmgrteam/archive/2012/04/12/operating-system-deployment-and-endpoint-protection-client-installation.aspx
The image I captured is 20 GB with some hefty software and I don't want to capture it again. At the bottom of that article it mentions some registry keys and that I should delete them if it is embedded, but it says during SYSPREP. I don't know how to do that. Has anyone done this? Can I just add a command line step to the task sequence and import a REG to delete the entries?
HELP!
Find this post helpful? Does this post answer your question? Be sure to mark it appropriately to help others find answers to their searches.

I tried manually deleting the InstallTime entry and it said Access Denied. Are these protected? Will an import actually work since I can't delete them? I am afraid there may be something to the article saying "during SYSPREP", but I don't know if/how to do that.

Similar Messages

  • SCEP 2012 Client in Windows 8 / 2012 - in Windows 2008 Domain - Not Syncing / Not Compatible

    Dear All,
    With lots of hardship I had installed SCEP 2012 in a Windows 2012 virtual machine in a Windows 2008 domain.
    The SCCM 2012 server on Windows 2008 Server with SQL 2008 was performing well and there were no issues until our company planned to convert the Windows 2008 Server to Windows 2012 Server (AD is 2008).
    WSUS is not fully syncing with SCCM 2012 (previously it was).
    Software updates are not pushing properly and, to top it all, the SCEP client is not compatible with Win 8.1 Pro or Win 2012 Server.
    Error: Failed to download content id 16787046. Error: Access is denied.
    Package:
      Success: The software updates were placed in the existing package:
    •     Deployment Package(JUN2014)
    Software updates that will be downloaded from the internet
      Error: Update for Forefront Endpoint Protection 2010 Client - 4.1.522.0 (KB2780435)
    Errors
        Failed to download content id 16787046. Error: Access is denied.
    Language Selection:
     English
    But the service account has full access: administrative rights, and it is the administrator of the system.
    Please advise on this.

    Hi,
    Did all of the software update downloads fail?
    Are there any errors in PatchDownloader.log? If you use Automatic deployment rule, please also check ruleengine.log.
    Please add the account with Full rights to the source share (both NTFS and Share permissions) where the Deployment Package is located.
    Best Regards,
    Joyce
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

  • SCCM 2012 client in capture but deploy has default step "Setup Windows and ConfigMgr"

    Hi,
    We have our SCCM 2012 client in the capture but the deploy has a single step "Setup Windows and ConfigMgr" in which there is no option to NOT install the sccm 2012 client.
    So what happens then, the client is installed a second time?
    Please advise.
    J.
    Jan Hoedt

    Hello!
    This is a mandatory step in order to configure Windows for a first use. In your case, the SCCM client will just be serialized, it's not a problem. The SCCM client has generally been prepared during the design capture.
    Hope this helps.
    Note: This posting is provided 'AS IS' with no warranties or guarantees, and confers no rights. Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable. This helps the community, keeps the forums tidy, and recognises useful contributions.

  • SCEP 2012 clients kicking off random scans

    We have an SCCM 2012 environment with SCEP 2012 recently deployed. We have a policy in place that does weekly full scans on Tuesdays at 12AM. The client machines are 64 bit Windows 7. We are seeing some random computers kicking off Full scans at various points in the day. We thought that initially there were viruses on these machines and that was causing the scans, but according to the EP console, they do not have any type of virus or malware.
    Any ideas?

    Here is the way MS does such things. (Update works this way too.) It is STUPID, of course, but then "SMART" is not a word that fits Microsoft very well. Just look at Windows 8 for an example, or at the fact you can't even find a simple link to the SCEP client for whatever happens to be the latest greatest version.
    As for the auto scanning, it will occur REGARDLESS of the time set, shortly after you start your PC, if it was not able to do it at the appointed time. So if it is set for 12am, and if the system, for whatever reason, was not on, it will kick off shortly after it is booted, REGARDLESS of the current time. (It is supposed to wait until the system is idle, but MS uses lack of keyboard or mouse action to decide if a system is active instead of actually looking to see if it is. For example, watching a movie: MS would say after five minutes it is inactive, then run the scan, screen saver, update, or whatever. Maybe you were just reading a long email, letter, or article online; doesn't matter, MS will kick off the scheduled event. Of course this will cause problems for the movie etc., but MS won't care.) Bottom line is if the MS AV is doing its job, or anyone's AV for that matter, and was installed on a 100% clean PC, then one should NEVER need to do a blind system scan. Common sense really. Of course MS AV is not very good at preventing the more destructive of the evils out there such as the ransomware and things like the ASK or the Google toolbar or the many fake "fix your PC" popups that are out there etc. etc.
    Best just to keep it disabled.
    Ralph

  • Windows XP PCs installed SCEP 2012 R2 Client hanging

    All of a sudden, since this morning we keep getting calls about Windows XP PCs hanging with issues related to the SCEP 2012 client. I am not sure if any recent definition update is causing this problem.
    Is it a known issue or is there any fix for it? I have tried many options and googling, but none were of any help.
    Thanks
    Regards,
    Mohammad Anwar
    InfoSeeker

    There is already a thread that deals with this issue:
    http://social.technet.microsoft.com/Forums/en-US/043515cb-2746-43dc-94e0-441f70fd50b8/system-center-endpoint-protection-error-0x80004005?forum=configmanagergeneral
    Locking this one.
    Torsten Meringer | http://www.mssccmfaq.de

  • FEP 2010 Admin Template Breaks GPResult /H on SCCM 2012 clients

    We have both FEP 2010 clients, which are being managed by a GPO created from the FEP2010 Admin Template in our Central store, and SCCM 2012/SCEP clients which are being managed by SCCM but we have noticed when running GPResult /h on the SCCM clients, you get an error in the Administrative Template section:
    An error has occurred while collecting data for Administrative Templates.
    The following errors were   encountered:
    Registry   value "%windir%\SoftwareDistribution\Datastore\Logs\Edb.chk" is of   unexpected type.
    We have discovered the SCCM/SCEP client local policy creates the exclusion paths in the registry as a DWORD but the FEP2010 Admin Template creates the exclusion paths as a REG_SZ on the FEP 2010 clients. When you run GPResult /h, the templates from the Central Store are used and since the value types are different on the SCCM/SCEP 2012 client, GPResult /H fails.
    The current work-around is to create a GPO using the FEP 2010 Admin Template with the exclusion paths that are the same as your SCCM 2012 settings and apply that GPO to the SCCM Clients. That changes the registry keys from DWORD to REG_SZ and GPResult starts working again!!
    Running GPResult /Z also works!!
    Anyone else experience this behavior?

    Hi,
    I tried and found that the value type is different too. The DWORD value for Forefront Client also works, so the workaround you are currently using is applicable. Anyway, I will record the situation that the ADMX template has a different value type from the SCEP policy value.
    Juke Chou
    TechNet Community Support

  • WSUS + SCEP 2012 Definition Updates

    Hi,
    I'm using WSUS to manage pattern file updates for my SCEP 2012 clients, and my problem is that most pattern files do get applied to my machines, but like today my computers had pattern file (1.185.908.0), but when I check on the Microsoft website they say the latest pattern file is (1.185.926.0), so I synced my WSUS to see if there were any new files available and it returned with nothing new... so I manually ran "mpam-feX64" and my client got updated to (1.185.933.0), so it seems that my WSUS server is missing every other update.
    Can it be that MS is slow to update their WSUS store, or is something wrong with my WSUS? It is configured to check for updates every hour. I also tested letting my workstation check online for updates and the result was the same: "no new pattern files".
    Best Regards 
    Jon G
    Jón G Sævarsson

    "Can it be that MS is slow to update their WSUS store, or is something wrong with my WSUS? It is configured to check for updates every hour."
    Configured for "every hour" is probably a bit excessive, but much more likely is that you've not properly configured your WSUS server and your WSUS clients to be able to get Definition Updates in a timely manner.
    In addition to synchronizing WSUS at least 3x daily (every 8 hours), you also need to do the following:
    Create an Automatic Approval rule for the Definition Updates update classification for the "All Computers" target group.
    Enable the policy setting "Allow Automatic Updates immediate installation".
    Set the CLIENT Detection Interval to 6 hours.
    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

  • SCEP 2012 and GP Update

    SCEP 2012 Client settings currently have "Install Endpoint Protection client on computers" set to Yes. This is deployed to quite a few machines. The client installs just fine, everything updates, and we are set. The Endpoint Protection Agent log shows periodic checks for whether SCEP needs to be installed. This technically isn't an issue, and eventually I'll flip this setting to No and leave it Manage only.
    However, around the times it checks the client I notice a GP Update kicking off. Does anyone know if installing SCEP or having the client check to see if it is installed kicks off a GP Update?

    Interesting. I didn't think to check that specific log. I do see activity in there for other GP objects besides SCEP. Perhaps it runs the equivalent of gpupdate /target:computer
    I don't think I see any user items in there.
    This reminds me of an issue I ran into before. Take the scenario of a domain joined machine that is currently connecting via the Internet. You have an IBCM server set up, so Internet connected machines are able to receive policy and software. You would think that would include changes to SCEP policy too. However, if you make a change to SCEP policy and then try to update policy on the client, it won't actually apply the SCEP policy changes until it's back on the domain. I guess that's because whatever ConfigSecurityPolicy.exe is doing requires a connection to be made to a domain controller and even though the SCEP content is stored locally in an XML file, it can't finish the process of getting it into Registry.pol and then into the Registry itself until it can connect to the DC again.
    Seems like it would make more sense to just import it directly into the Registry and bypass the GP client entirely. Anyway, I don't mean to hijack the thread but it would be nice to see Microsoft clarify exactly what's going on in both cases :-)

  • Replacing FCS with SCEP 2012

    I'm in the pilot phase of replacing FCS on our workstations and servers with SCEP 2012.
    The FCS client was uninstalled as soon as the SCEP 2012 client appeared, SCEP Definitions are updated, but I'm getting prompted in the Software Center for http://support.microsoft.com/kb/2508824.
    Why would I even need (be offered) this if FCS is not on the machine? If I try to install it, it fails.
    EDIT: am I right in assuming Client Update for Microsoft Forefront Client Security (1.0.1736.0) is not needed if SCEP is being used and I can just remove it from my Software Updates Group?

    Yes, I know this is an old post, but I’m trying to clean them up. Did you solve this problem, if so what was the solution?
    Garth Jones | My blogs: Enhansoft and Old Blog site | Twitter: @GarthMJ

  • Creating Windows 8.1 master image with MDT 2013, cannot capture .WIM

    I am having an issue with creating a master image with Windows 8.1 and MDT 2013.
    I have followed extensive tutorials on how to create a master image using Microsoft Deployment Toolkit. My goal is to have a fully configured Windows 8.1 image which I can deploy through Windows Deployment Services. I have been relatively successful thus far, except for one issue I have run into, which is successfully capturing this image as a .WIM.
    I have successfully created a task sequence and the task sequence is able to run all the way through until the final step. Essentially the task sequence is supposed to install Windows and Office, then suspend the task sequence to allow me to make customisations to the start screen and desktop background, and I simply click resume task sequence, and the task sequence should sysprep, reboot and capture the machine image as a .WIM file.
    The task sequence is able to sysprep the machine, but upon rebooting it boots into the out of box experience, and does not create a WIM file. I receive an error saying: "cannot find script file C:\ltibootstrap.Vbs" after the machine completes OOBE.
    I am using Windows Server 2012 R2, creating my master machine image using Hyper-V, and my master image is running Windows 8.1.
    Any help would be greatly appreciated.

    I'm not sure about the sequence of steps here. Try taking your captured.wim file and deploying it using MDT again, or at least to another machine. MDT sometimes leaves extra files around on the captured machine, so simply rebooting it may not get accurate test results.
    If you are getting the ltibootstrap.vbs it is most likely because there is a stray unattend.xml file somewhere in your image that is looking for this file. Crack open your WIM file and search for any unattend.xml files.
    Keith Garner - Principal Consultant [owner] - http://DeploymentLive.com

  • WDS 2012 Image Capture - Stuck at 50% "Capturing Windows image metadata..."

    I have tried capturing a few images after running sysprep, and they are getting stuck at 50% completion, never moving past after hours of waiting. "Capturing Windows image metadata...". If I look on the WDS server I see that the file hasn't been modified since it was actually capturing and moving the progress bar.
    Has anyone ever experienced this, or have any ideas of how to troubleshoot?
    Thank you!

    Hi motenoob,
    What system edition and MDT edition are you capturing? If it is Windows 8 or 8.1, it seems to be a known issue; you can refer to the following KB:
    Sysprep and Capture task sequence fails when it tries to capture Windows 8 or Windows 8.1 images
    https://social.technet.microsoft.com/Forums/en-US/4e28cac0-29e4-4f24-a8f0-30d34d543a76/wds-2012-image-capture-stuck-at-50-capturing-windows-image-metadata?forum=winserversetup
    Regards,

  • SCEP 2012 definitions not updating on a few clients

    Hi!
    The SCEP 2012 definitions are not updating on a few clients. It works for all other machines.
    In MPLog I can only see that Signature update on date but not a line saying Signature updated via ...
    It's not telling me where it got the updates in the past and why it's not updating now.
    The definitions are pushed via SCCM, WSUS and MS, not UNC shares.
    Which log file should I look at to get some answers about why it's not updating?
    Thanks

    Hi,
    You can check C:\Windows\WindowsUpdate.log file to find the related error information.
    In addition, did you configure an automatic deployment rule to deliver definition updates? If yes, I recommend you to make sure that all the clients are in the collection.
    Best regards,
    Susie

  • SCEP 2012 and VDI offline servicing

    I've seen this question being asked before in another thread (Best practice to run Microsoft Endpoint Protection client in VDI environment) however the answer doesn't provide enough information (for me at least)
    We are planning to use a Citrix XenDesktop environment with Provisioning services providing VDI clients. As far as I know the SCCM client will be installed in the VDI golden image and after some adjustments SCCM client registration will go well. We will also use SCCM 2012 and deploy SCEP 2012 for anti-malware scanning.
    SCCM 2012 provides offline servicing for Software Updates in WIM images, but what is a best practice in keeping the VDI's up-to-date? I can't find any good information about this, so maybe the answer is very simple?... Is there a way to offline service the VDI image so Software Updates and Anti-Malware updates are injected in the image?
    Or do the VDI's get updated as physical systems, at the time they are logged in to the network, discarding all changes when logging off. This doesn't seem the right way to go.
    Any help would be appreciated.
    thx. Niels

    I struggled with this same problem for a while, and likewise didn't find a great answer anywhere. In our case, this is for an RDS VDI environment, but the solution I ended up employing should work anywhere.
    First, set up SCCM/WSUS to download the updates to a UNC share (if you haven't already; here's a helpful guide: http://blog.thesysadmins.co.uk/sccm-2012-scep-unc-definition-updates-automation-powershell.html). Also, create an antimalware policy for the VDI machines with the definition updates source set to UNC only, and set the UNC Path section accordingly.
    Here's the key part: create a scheduled task in your master image to run based on boot or resume (RDS puts the VDI VMs in a Saved state rather than Off). Here are the settings I used for the task:
    General tab: I set it to run as the SCCM Network Access Account; Run whether user is logged on or not
    Triggers tab: Begin the task On an event; Basic; Log: System; Source: Kernel-General; Event ID: 1 (this pops up on a startup or resume event); Delay task for: 5 minutes (during VM creation, it boots the machine for just a couple minutes, and I didn't want this task to be interrupted by a shutdown halfway through); Enabled
    Actions tab: Action: Start a program; Program/script: "C:\Program Files\Microsoft Security Client\MpCmdRun.exe"; Add arguments: -SignatureUpdate
    I left the other tabs with their defaults
    In RDS, the VMs on creation are spun up briefly and then put into a Saved state. It then spins up just a few, waiting for users to connect. By the time a user logs in, the machine should have the latest updates, but even if it doesn't, it should be no more than ~5 minutes before it does.
    Hope this helps!
    Ryan
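
The scheduled task described in the reply above, written out as a script to run in the master image. This is an added example, not part of the original post: the task name, the run-as account placeholder and the temp file name are assumptions, and the event source that the Task Scheduler GUI shows as "Kernel-General" is given by its full provider name, Microsoft-Windows-Kernel-General.

```powershell
# Added example: registers the boot/resume definition-update task from the post.
# Assumptions (not from the post): task name, run-as account placeholder, temp file name.
param(
    [string]$TaskName = 'SCEP Definition Update on Boot or Resume',  # hypothetical name
    [string]$RunAs    = 'EXAMPLE\svc-network-access',                # placeholder account
    [string]$MpCmdRun = 'C:\Program Files\Microsoft Security Client\MpCmdRun.exe'
)

$ErrorActionPreference = 'Stop'

# Fail early if the SCEP client is missing from this image; otherwise the task
# registers cleanly and then fails quietly on every boot.
if (-not (Test-Path -LiteralPath $MpCmdRun)) {
    throw "MpCmdRun.exe not found at '$MpCmdRun'"
}

$escape = { param($s) [System.Security.SecurityElement]::Escape($s) }

# Task Scheduler XML: event trigger on System log, Kernel-General event ID 1,
# delayed 5 minutes, running MpCmdRun.exe -SignatureUpdate. Everything not set
# here keeps the Task Scheduler defaults, as in the post.
$taskXml = @"
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Description>Update SCEP definitions after boot or resume</Description>
  </RegistrationInfo>
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="System"&gt;&lt;Select Path="System"&gt;*[System[Provider[@Name='Microsoft-Windows-Kernel-General'] and EventID=1]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
      <Delay>PT5M</Delay>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>$(& $escape $RunAs)</UserId>
      <LogonType>Password</LogonType>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <Enabled>true</Enabled>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>$(& $escape "`"$MpCmdRun`"")</Command>
      <Arguments>-SignatureUpdate</Arguments>
    </Exec>
  </Actions>
</Task>
"@

$xmlPath = Join-Path $env:TEMP 'scep-sigupdate-task.xml'
$taskXml | Out-File -FilePath $xmlPath -Encoding Unicode   # UTF-16, as declared in the XML

try {
    # "/RP *" makes schtasks prompt for the password, so it never appears in the
    # script, in console history or on the process command line.
    & schtasks.exe /Create /TN $TaskName /XML $xmlPath /RU $RunAs /RP '*' /F
    if ($LASTEXITCODE -ne 0) { throw "schtasks /Create failed with exit code $LASTEXITCODE" }

    # Read the registered task back and report what will actually run.
    [xml]$registered = (& schtasks.exe /Query /TN $TaskName /XML) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "schtasks /Query failed with exit code $LASTEXITCODE" }

    [pscustomobject]@{
        TaskName  = $TaskName
        Delay     = $registered.Task.Triggers.EventTrigger.Delay
        Command   = $registered.Task.Actions.Exec.Command
        Arguments = $registered.Task.Actions.Exec.Arguments
    }
}
finally {
    # The definition file is only needed for registration.
    Remove-Item -LiteralPath $xmlPath -ErrorAction SilentlyContinue
}
```

Run it from an elevated prompt in the master image before sealing it; the run-as account needs read access to the UNC definition share and the "Log on as a batch job" right.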

  • Deploying the SCCM 2012 Client to WES 7 devices that are locked down with the FBWF using 2007 task sequence via WEDM.

    I'm wondering how people are migrating their embedded devices that are using the FBWF. I've done some googling and it seems like most people are just re-imaging the devices, and after migrating a single device I see why. It's not a pretty process. This will be a long description, but ultimately my question stems more from trying to find a better way to execute the device migration from 2007 to 2012.
    Some background on my situation might be in order here. I'm in the process of wrapping up our 2007 to 2012 migration. We have a 2007 infrastructure that was a central server with 2 primaries and 286 secondary site servers. I've consolidated that to a single 2012 primary site server that hosts all the main roles. There are 2 more servers in the data centers, both operating solely as push distribution points; I'll refer to them as 2012 01, 02 and 03. I'm over halfway through the migration and so far haven't needed to offload any site roles. There are almost 10,000 clients now reporting to the 2012 site server and almost 100 field servers pulling content from 2012 02 as their source DP, as pull DP is the only way forward for this many devices. I've read the horror stories of trying to spin up 200 plus push DPs. We are running PKI. I'm at the point now where I need to start migrating the Windows Embedded Seven Standard clients that have the 2007 SCCM client on them with WEDM for write filter handling.
    What I'm wondering is if anyone has any pointers for me regarding migrating the WES 7 devices. The plan that I've come up with is to somehow script the process using a 2007 WEDM Task Sequence to try and migrate them over to 2012. Things are complicated as I need to somehow script the install, the policy check-in, hardware inventory, software inventory, and validate the SCEP client installs before I reboot the device one last time to enable the FBWF. How I handled the SCCM 2007 client install on these devices when they were provisioned was to just create a batch file that would sleep for ten minutes then check to see if the inventoryagent.log file had been created yet. I realize now that is inefficient as I can kick off the inventory using a WMI method once the client has installed. Also I need to make sure the machine gets its first policy, as that is how it creates the communication using PKI through that first policy transfer, and that also finalizes the client install. The biggest piece I'm uncertain about in this regard is the SCEP client.
    I had to change the SCEP client install from yes to no in the default client settings as we have some McAfee servers that can't have the SCEP client on them. I have incremental updates enabled on the collection that has the policy that installs the SCEP client, but this will take an unknown amount of time unless I force the environment to update as the device starts the 2012 install, or if I could kick off the SCEP install... IDK. I'm also wondering if I should keep the device in the migration process until I validate it has its proper SCEP policy applied, which I believe can be validated by a registry key somewhere.
    Once the 2012 client gets installed, will that cause it to lose its place within the 2007 Task Sequence? Considering it's going to take a minimum of 2 reboots, I'd normally use the task sequence to handle its progression through the process.
    I'm also considering trying to use an Orchestrator runbook, as that would be a good way to keep track of the migration process as each device migrates, especially since this might take several separate scripts.
    I'm going to take a stab at scripting the migration process, but if anyone has any pointers that might make this less complicated I'd really appreciate it, as I've got about 3000 of these devices that need to be migrated over. The other thing I've learned the hard way is that any time you have something this complicated over the course of 3000 devices you will run into unknowns and the failure rate increases. I'm in the precarious position of having to not only build this process out but in some situations have it complete in the shortest amount of time possible, as we have sites running 24x7. I know the end users' behavior all too well and they will just keep hitting the power button, sometimes even though they're not supposed to, so they can get their device functional again. In those situations I'd end up, if I'm lucky, with a device that no longer has a healthy SCCM client in either environment and the write filter disabled.
    So like I said, any pointers anyone could throw my way I'd really appreciate. I manually went through the migration process on a single device for proof of concept and ended up with almost 2 pages of pseudo code for my migration script/scripts.
    Thanks,
    -K.R.

    Hi,
    In R2 there are some new variables you can use to solve this,
    http://ccmexec.com/2014/12/smstsmplistrequesttimeout-value-in-milliseconds/
    In SP1, though, adding a step to sleep for 2-5 minutes after reboot and before the application install step is a common workaround. A PowerShell command with "Start-Sleep -s 120" should do it.
    /Jörgen
    -- My System Center blog ccmexec.com -- Twitter @ccmexec

  • Capturing an image to use for PXE boot

    I'm using Windows Deployment Services in conjunction with Windows Deployment Terminal (Windows Server 2008) to capture an image from one of our workstations to use as a PXE boot image for future computers. I've created the capture image and PXE booted to that image, which brings up the "Image Capture" wizard. After capturing the image, I created an install image in WDS using the same .wim file. After trying to PXE boot, the workstation yet again brings up the "Image Capture" wizard. I then right clicked the image under Boot Images (in WDS) and selected "Create Discover Boot Image." A loading window pops up, but always ends with an error saying something to the extent of the image doesn't have WDSClient Binaries. Does anyone know what this is or how to fix this? Or even if I'm going about it the right way? If anyone has any advice, I'd appreciate it.

    Hi,
    Yes, you can.
    Here are the rough steps:
    1. Install and configure the WDS Server.
    2. Add the Windows 7 boot image to WDS.
    3. Create a Capture Boot Image and add it to Boot Image.
    4. Create a reference Windows 7 computer (install Windows 7, Office and other applications as you like)
    5. Sysprep the Windows 7 computer.
    6. PXE boot the reference Windows 7 computer into capture image on the boot screen and then capture the image.
    7. Upload the captured image to WDS server.
    8. PXE boot clients, choose the captured image to install the system.
    Please refer to this link
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/be3af7db-b71b-4b14-b166-fef83cde0ac6/deploy-windows-7-from-waik-with-some-application-added?forum=winserversetup
    I had a similar problem a couple of years back
    UMESH DEUJA MCP,MCTS,MCSA,CCNA
