Deploying BIOS updates during SCCM Task Sequence or Advertised Program

A desktop deployment project is always a good time to bring all workstations to a consistent BIOS revision level, so that any problems that come up are not related to BIOS inconsistencies between workstations.

First you need to download the required BIOS update from your hardware vendor and create a normal SCCM Package and Program for it.  For most recent Dell hardware the typical command line to deploy the BIOS update silently and without rebooting looks like this for a Dell Latitude E6420 laptop:

"E6420A02.exe" -NOPAUSE -NOREBOOT

Then once the Package and Program are built you can create a new step in your Task Sequence that installs the Package (just like any other software Package).  First, make a folder that limits the new BIOS software to only run on the correct model type using a WMI query (this process is not covered in this post).  With the folder limited to a particular model type, each installation step only needs to be limited to the particular BIOS version, not to the model type.  The folder and package steps should look like this in the Task Sequence:

Task Sequence Folder

Once the installation package has been created in the task sequence and named appropriately, click on the Options tab and click the “Add Condition” button and choose “Query WMI”.

Make sure your WMI Namespace is:

root\cimv2

Then paste the following in your WQL Query:

select * from WIN32_BIOS where SMBIOSBIOSVersion < "A02"

SCCM WMI BIOS Query

This will run this Task Sequence step on all Dell Latitude E6420 laptops (based on the WMI query set at the folder level) that have a BIOS version less than A02, and will skip this step for all computers that have already been upgraded to version A02 or above.

Remember to also add a “Restart Computer” step afterwards to apply the new BIOS to the workstation.

While the above steps will cover any computers that are being reimaged, computers on the floor may still be running older versions of the BIOS.  To update the computer BIOS after initial deployment you need to create a new SCCM Collection.  Again, I already have Collections created in SCCM that limit by Model type (not covered by this post), so this new Collection is built on the parent collection using the “Limit to collection” setting:

SCCM Collection Limited to Parent

Then under the “Edit Query Statement” click the “Show Query Language” and paste in the following WQL query:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_PC_BIOS on SMS_G_System_PC_BIOS.ResourceID = SMS_R_System.ResourceId where SMS_G_System_PC_BIOS.SMBIOSBIOSVersion < "A02"

Click OK to get back to the Configuration Manager Console and then advertise the BIOS program you previously created to this new Collection.  Only users on a Dell Latitude E6420 without the A02 BIOS installed on their workstation will be able to run this update, helping to keep all your workstations up to date.

Note: This article also posted to my work blog here.

“Error applying transforms” during Citrix XenApp HotFix Installation

During a recent troubleshooting session with a Citrix XenApp 5 server, I wanted to make sure that the server included the recommended hotfixes.  But when trying to run the downloaded .MSP file the following error was displayed:

 

Windows Installer Error applying transforms. Verify that the specified transform paths are valid.

This happened over and over with every hotfix downloaded.  This server had originally been deployed via System Center Configuration Manager 2007 (SCCM 2007) and I was wondering if the installation cache files had been removed and needed to be downloaded from the distribution point again.  The files were correctly in place, but the hotfix wouldn’t run.

Eventually I bypassed the transform file completely by temporarily renaming the “Transforms” value under the following key to “Transforms.old”:

HKEY_CLASSES_ROOT\Installer\Products\AD9C782BBE7D2D54AB21D40174D9444F

After that was renamed I was able to successfully install the hotfix, restart and rename the registry key back to the original value.

Note: This article also posted to my work blog here.

Resolve Error 012 when synchronizing Active Directory to Microsoft BPOS

I recently started implementing Microsoft BPOS (Business Productivity Online Suite) to take advantage of the Office Live Meeting accounts for internal use.  One of the first steps in the process was to set up the Directory Sync to synchronize our on-premises Active Directory domain with the Microsoft Online Services directory.  The instructions for that process are very straightforward and easy to follow using the online web pages.

Shortly after the synchronization process started we started to receive the following error messages:

Error 012: Unable to update this object in Microsoft Online Services because the proxy address associated with this object in the local Active Directory is already associated with another object. Fix this in your local Active Directory.

This was happening with a number of the distribution groups associated with our Cisco Unity implementation like unaddressedmessages@kkl.com and unaddressedmessages@kraftkennedy.com.   After searching through our domain for identical ProxyAddresses (there weren’t any), it was time to bring Microsoft Online Service Tech Support in to troubleshoot the problem.

A knowledgeable support engineer answered the phone and we started looking into the normal solutions to this problem which have already been covered elsewhere.    We eventually narrowed down the problem to the length of the SMTP email addresses.  It appears that something in the Directory Sync process only looks at the first 20 characters of an email address (at least for the distribution groups that we were synchronizing).   For example, the email addresses were unaddressedmessages@kkl.com and unaddressedmessages@kraftkennedy.com, so both of these email addresses appeared to be identical in the first 20 characters “unaddressedmessages@” as far as Directory Sync is concerned.  Not until we turned off the RUS for these email addresses and removed the duplicates in the first 20 characters of the email addresses did the Error 012 error messages go away.

Also during our testing we were seeing some issues with similar duplication in the Display Name as well, so if you are continuing to get Error 012 messages you may also want to make sure the Display Name is unique in the first 20 characters.

Unfortunately the Microsoft Support Engineer wasn’t able to confirm that Directory Sync and BPOS actually worked this way, but hopefully this will help you resolve your own Error 012 messages going forward.
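The check described above, as an added example that is not part of the original post: a PowerShell function that flags proxy addresses and display names whose first 20 characters match. The function name Get-PrefixCollision and the sample objects are constructed for illustration, and the 20-character window is the behaviour observed in this post, not a documented Directory Sync limit.

```powershell
# Added example (hypothetical helper, not from the original post).
# Flags values that differ overall but are identical in their first N characters.
function Get-PrefixCollision {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Directory,  # objects with Name, DisplayName, ProxyAddresses
        [int] $PrefixLength = 20                               # window observed in the post (assumption)
    )

    # Flatten every proxy address and display name into one row per value.
    $rows = foreach ($obj in $Directory) {
        $pairs = @()
        foreach ($addr in @($obj.ProxyAddresses)) {
            if ($addr) {
                # Drop the address type ("SMTP:", "smtp:") so only the address itself is compared.
                $pairs += [pscustomobject]@{ Attribute = 'proxyAddresses'; Value = ([string]$addr -replace '^[^:]+:', '') }
            }
        }
        if ($obj.DisplayName) {
            $pairs += [pscustomobject]@{ Attribute = 'displayName'; Value = [string]$obj.DisplayName }
        }
        foreach ($p in $pairs) {
            $key = $p.Value.ToLowerInvariant()
            [pscustomobject]@{
                Attribute = $p.Attribute
                Owner     = $obj.Name
                Value     = $p.Value
                Prefix    = $key.Substring(0, [Math]::Min($PrefixLength, $key.Length))
            }
        }
    }

    # A collision is a prefix shared by more than one distinct value of the same attribute.
    $rows | Group-Object -Property Attribute, Prefix |
        Where-Object { @($_.Group.Value | Sort-Object -Unique).Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Attribute = $_.Group[0].Attribute
                Prefix    = $_.Group[0].Prefix
                Values    = @($_.Group.Value | Sort-Object -Unique)
                Owners    = @($_.Group.Owner | Sort-Object -Unique)
            }
        }
}

# Constructed sample data: the two addresses come from the post, everything else is made up.
$sample = @(
    [pscustomobject]@{ Name = 'Unity-UAM-1'; DisplayName = 'Unaddressed Messages';    ProxyAddresses = @('SMTP:unaddressedmessages@kkl.com') }
    [pscustomobject]@{ Name = 'Unity-UAM-2'; DisplayName = 'Unaddressed Messages KK'; ProxyAddresses = @('smtp:unaddressedmessages@kraftkennedy.com') }
    [pscustomobject]@{ Name = 'HelpDesk';    DisplayName = 'Help Desk';               ProxyAddresses = @('SMTP:helpdesk@kkl.com') }
)

# Reports two collisions: one on proxyAddresses, one on displayName.
Get-PrefixCollision -Directory $sample | Format-List

# Against a real domain (assumes the ActiveDirectory module is installed):
# Get-PrefixCollision -Directory (Get-ADObject -LDAPFilter '(proxyAddresses=*)' -Properties proxyAddresses, displayName)
```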

Note: This blog article also posted on my work blog here.

Problem adding NIC to Broadcom Team after installation of Symantec Endpoint Protection

We had a Dell Server with a Broadcom team of NICs running Microsoft Windows Server 2008 R2.  The motherboard died and was replaced with a new one and got new NICs that we needed to add to the team.  Every time we tried to add the NIC to the existing team we got the following error message:

[0006] Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client)
#2 does not support teaming.
Please select an adapter with NDIS 6 driver.

In Device Manager, go to the View menu and choose “Show Hidden Devices” and you’ll see two entries for each of the network adapters:

Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client) #5
Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client) #5 Teefer2 Miniport

The second Teefer2 Miniport driver is added when Symantec Endpoint Protection (SEP) is installed on the server.  This driver is used for the firewall features in Symantec Endpoint Protection.

In order to get the teaming working again, we uninstalled Symantec Endpoint Protection, then set up the team, then rebooted the server and reinstalled Symantec Endpoint Protection.

Problems with Silent Installation / Upgrade of Dell ControlPoint System Manager A16 Update

I was trying to update the Dell ControlPoint System Manager update from A15 to A16 on my Dell Latitude E6410 laptop today via a package created in SCCM.  However, in trying to use the silent installation command:

msiexec.exe /i dellsysmgr.msi REBOOT=ReallySuppress /qn /l*v %TEMP%\DellSysMgr.log

The installation continued to fail.  When running it non-silently I’m getting the following prompt:

---------------------------
Question
---------------------------
This will update the System Manager software present on your system. Note: This version will no longer integrate into the Dell ControlPoint launcher. Continue?
---------------------------
Yes   No
---------------------------

So far I’ve tried the following command line Properties without success based on an .MST capture to compare the MST to the original MSI file:

ISCHECKFORPRODUCTUPDATES=0

UPGRADE_REMOVE_DCPFRMWRK=1

ISACTIONPROP1={4DEF2722-7EB8-4C5F-8F0A-0295A310002A}

SYSCAP.LLP=1 or 0

SYSCAP.PORTABLE=1 or 0

LAUNCHREADME=1 or 0

InstalledSysMgrVersion=1.4.00001

Eventually I just gave up and used the old standby approach of uninstalling the old version before installing the new version with the following command line:

MsiExec.exe /X{4DEF2722-7EB8-4C5F-8F0A-0295A310002A} /QN REBOOT=ReallySuppress

Anyone else have a more elegant solution to this problem?

Windows Task Scheduler: The directory name is invalid. (0x8007010B)

Ran into an interesting little problem this morning with getting a job to run in the Task Scheduler of a Windows Server 2008 server with Service Pack 2 installed.

Every time I tried to run the job I would get the error message “The directory name is invalid. (0x8007010B)”.

In looking at the Actions for this Task the “Start in (optional)” field was filled in with the correct path name:

"C:\Program Files (x86)\BLAH\"

I thought it might be the trailing backslash problem, so I removed it.  Same error message.

Turns out it is the quotes that are causing the problem here as the “Start in (optional)” field just doesn’t support them.  Take out the quotes and your task should run just fine.  You can set this directory with or without the trailing backslash and it will still work.

Here’s what my corrected Action looks like in the Task Scheduler.

Corrected Task Scheduler Job

You’ve Got to be Nuts to Eat a Cashew Nut Shell

Last November we joined our next door neighbors on a lovely trip to Brazil.  We saw lots of interesting places, met lots of interesting people, ate lots of interesting foods.  One food in particular fascinated me, the cashew.  For most Americans the cashew is just a nut (like a walnut or almond) and we don’t think too much about where they come from or what they look like.  My grandparents used to always have a bowl of shelled nuts and a nutcracker that you had to use to break the shells, so I had a pretty good idea of what a walnut and almond looked like in their natural habitat.  Not so with cashews.  In Brazil cashews are primarily a fruit (usually consumed as a juice) and only sold as an afterthought to tourists on the beach as the roasted nut that we know in the States.

The fruits themselves are very unusual, so it was great to see them in the local market and understand how they grow.  First the nut part appears on the tree (see the cashew nut shaped object on each fruit below), then the fruit grows after it.  Very different than your regular apple, pear, or peach.

Fresh Cashews at the Market

Our host family usually had cashew juice for breakfast every day which I enjoyed.  The flavor is a little difficult to describe, but think of combining a lime and orange and a mango together and you are getting close.  They even brought a cashew home from the market so I could try the fruit directly.  We brought it back to our apartment and it sat in the refrigerator for several days.

On the day before we were to leave Brazil, I decided to try and eat the fruit.  It tasted pretty much like the juice, with a slightly mushy pulp.  The juice of the cashew squeezes out of the pulp so you are just left with a flavorless glob of pulp that you spit out.  Not too bad.  Now I had this nice little cashew nut shaped shell in my hand, I wondered if there might be a nut inside.  There is only one way to find out.  First I tried using a knife from the kitchen, but as I worked at the leathery slippery skin I was worried that the knife would slip and I might cut myself.  So why not just bite it open?  Okay.

I stuck the nut in the corner of my mouth to get a good grip on it and bit down.  Hmmmm, that tastes very odd.  Wow that tastes really bad!  A bitter taste spreads through the side of my mouth.  My teeth and inside of my cheek become sticky.  The corner of my lips start burning.  I ran to get some water to try and stop the burning and it didn’t work.  Next stop, the Internet!

Thanks to Wikipedia I found out:

The seed is surrounded by a double shell containing an allergenic phenolic resin, anacardic acid, a potent skin irritant chemically related to the more well known allergenic oil urushiol which is also a toxin found in the related poison ivy. Some people are allergic to cashew nuts, but cashews are a less frequent allergen than nuts or peanuts.

GREAT!  So basically I’ve just been chewing on the equivalent of poison ivy or poison oak.   Time to break out the big guns and start treating this like a poison ivy infection.  First I brushed my teeth with toothpaste.  Sort of helped.  Next I literally washed my mouth out with soap.  Bar soap didn’t work so well, dishwashing soap was better.  More water and more spitting later seemed to resolve most of the pain.

Then back to the Internet to find out what you are supposed to do if this happens.  Interestingly, they don’t say very much about this.  Do I go to the hospital?  Am I going to have a major allergic reaction on our flight back from Brazil?  We called up our host family and they just laughed and said you aren’t supposed to do that, and started to tell all their friends about what the silly American did with the cashew fruit.

That night the corner of my mouth just stung, but it was bearable, the flight back to the U.S. was okay, but things went downhill from there.  First my belly started itching, then my butt, then my arms, legs and under my neck.  I never really broke out in the usual poison ivy type sores, but everything was itchy.  Seven days after the incident I woke up and couldn’t see out of my right eye.  Nothing itchy, but just all completely puffed up.  This went on for a few more days before things started getting back to normal and most of the itchiness was gone in about a month.

Day 7 After Biting Cashew Nut Shell

So it turns out the one reason you never see raw cashew nuts (in or out of the shell) anywhere is that the nuts are surrounded by a nice little poison.  The pickers of cashew fruit are often affected by this oil, but that’s usually about it.  All cashew nuts that are sold are actually roasted to deactivate the toxin in the shells which is why you never see true “raw” cashew nuts for sale.

So next time you are eating unusual fruits that you know the fruit is edible and the nut is edible, stop for a second and check the Internet to see if some other part of the fruit might be poisonous.  You have been warned.

Free Art From Costco

My three year old son loves to take the receipt from Costco to the “receipt checker” as you leave the store.  Usually the nice person there will check the receipt and draw a little smiley face on the back of the receipt.  Recently my son has been asking for particular art requests and the Costco employee usually tries to comply.  Some of the results have been very humorous and I thought should be shared at a domain name like CostcoArt.com (domain doesn’t exist….yet), but someone else has already been collecting Costco receipt art on their blog here.  I’ll be posting our pictures there, but will also include ours on this blog as well.

2010-07-01 - Costco Art - Mouse - Everett, MA $9.92

Personally I think this one looks more like a bug than a mouse, but he tried to make big Mickey Mouse style round ears.

 

2010-07-27 - Costco Art - Rhinoceros - Everett, MA $337.32

This rhino is only missing a couple legs, but it has a nice friendly look about it.

UPDATE: 4/27/2011

We’ve had a couple new additions to add as well.  We normally get these pretty generic smiley faces from the checkers who feel they can’t draw.  Sometimes they are pretty interesting.

2011-03-31 - Smiley Face - Everett, MA $268.96

And the mouse is an always popular option, but in this case it is sort of a cross between a mouse and a lion:

2011-04-21 - Mouse - Everett, MA $192.62

Expand Your Vocabulary: Mantrip

While on the phone today with a client (they are involved with coal mining in Kentucky) she mentioned they almost got run over by a mantrip today.  Since a mantrip sounded like something that it isn’t, I asked for more information and they were nice enough to take a couple of photos.

From Wikipedia:

A mantrip is a shuttle for transporting miners down into an underground mine at the start of their shift, and out again at the end. Mantrips usually take the form of a train, running on rails and operating like a cable car, but mantrips may also be self-powered, for example by a diesel engine. Other types of mantrips do not require a track and take the form of a pickup truck running on rubber tires.

Because many mines have low ceilings, mantrips tend to have a reduced height.

So, basically it is like a low riding golf cart where you can really lean back to avoid hitting your head on the ceiling of the mine.

Here’s the stealthy electric version that almost ran them over:

Electric Mantrip
Look at the lean back on that seat!

And the larger diesel powered mantrip that is used at the beginning and end of the shifts:

Diesel Mantrip
Larger mantrip used in the mines

So while you are having your next “man trip” to the local hardware store, you can now add the word mantrip to your vocabulary and impress your friends.


Disable Client Popup Message for SCCM Task Sequences

By default an advertised Task Sequence in SCCM (Microsoft System Center Configuration Manager) will pop up a message on the client workstation indicating that a new application is available to be run. This is sometimes not desirable. For a regular Software Distribution Program in SCCM you can turn off the notification in the GUI by checking the “Suppress Program Notifications” box on the Program. This GUI option is not available for a Task Sequence, but the flag can be set manually via VBScript.

The value that we are adding to the ProgramFlags setting is 0x00000400 (which in decimal is 1024). You can find more details about the ProgramFlags from here.

Here’s the basic process:

1. Copy the following script to your SCCM server and save as “DisableTaskSequencePopupMessage.vbs”

'Disable the popup message on a client workstation for a Task Sequence
'Run this VBScript on your SCCM server
strSMSServer = "."
'Set COUNTDOWN value to 0x00000400 in HEX
COUNTDOWN = &H00000400

'Connect to the local SMS provider, then to the site namespace it reports
Set objLocator = CreateObject("WbemScripting.SWbemLocator")
Set objSCCM = objLocator.ConnectServer(strSMSServer, "root\sms")
Set Providers = objSCCM.ExecQuery("SELECT * From SMS_ProviderLocation WHERE ProviderForLocalSite = true")
For Each Provider in Providers
    If Provider.ProviderForLocalSite = True Then
        Set objSCCM = objLocator.ConnectServer(Provider.Machine, "root\sms\site_" & Provider.SiteCode)
    End If
Next

'Build the list of Task Sequence package IDs and names shown in the prompt
Set TaskSequencePackage = objSCCM.ExecQuery("SELECT * FROM SMS_TaskSequencePackage",,48)
For Each PackageID in TaskSequencePackage
    PackageIDS = PackageIDS & vbCrLf & PackageID.PackageID & " - " & PackageID.Name
Next
Do
    strTSID = InputBox("Please enter the packageID that corresponds to your Task Sequence:" & vbCrLf & PackageIDS)
    If strTSID = "" Then WScript.Quit 'Detect Cancel
    If strTSID <> "" Then Exit Do 'Detect value strTSID.
    'MsgBox "You must enter a numeric value.", 48, "Invalid Entry"
Loop
Set objProgram = objSCCM.Get("SMS_TaskSequencePackage.PackageID='" & strTSID & "'")

'OR the flag in so that running the script again leaves the value unchanged
OldProgramFlags = objProgram.ProgramFlags
ProgramFlags = objProgram.ProgramFlags
ProgramFlags = ProgramFlags OR COUNTDOWN
' see ConfigMgr SDK for details ("SMS_Program Server WMI Class")
objProgram.ProgramFlags = ProgramFlags
objProgram.Put_
'Report only after Put_ has written the new value
MsgBox "Flag for " & strTSID & " currently set to " & OldProgramFlags & " (HEX: 0x" & HEX(OldProgramFlags) & ")" & vbCrLf & vbCrLf & "Adding 0x00000400 (COUNTDOWN. The countdown dialog is not displayed)" & vbCrLf & vbCrLf & "Set flag to: " & ProgramFlags & " (HEX: 0x" & HEX(ProgramFlags) & ")",,"SUCCESS!"

2. Run the VBScript. You’ll be prompted with a list of the Task Sequences. Type in the package ID of the task sequence you want to change (e.g. NYC00279) and hit OK.

3. You should see a response like the following:

---------------------------
SUCCESS!
---------------------------
Flag for NYC00279 currently set to 152084496 (HEX: 0x910A010)

Adding 0x00000400 (COUNTDOWN. The countdown dialog is not displayed)

Set flag to: 152085520 (HEX: 0x910A410)
---------------------------
OK
---------------------------

4. Then advertise the Task Sequence and the Task Sequence will not pop up any messages on the client workstation.

5. NOTE: This version is improved in that it prompts you for the task sequence ID and also now “OR’s” the value together rather than just blindly adding 1024 to the value every time the script runs, so you can safely run this script multiple times without any issues on the same Task Sequence.
