Friday, December 20, 2013

The operating system reported error 615: The password provided is too short to meet the policy of your user account. Please choose a longer password.

Recently i've upgraded a customer's site from SCCM 2012 SP1 to SCCM 2012 R2 and everything seemed to go well, even the console was upgraded without any issues... until we started deploying OS to the clients...

there are a couple of known issues described here and here, so read carefully before upgrading or even installing a brand new SCCM R2 site.

the first issue - slow .wim file download - was predictable and quite well known. It is already fixed in KB2905002 and as soon as it was installed, the download speed went back to normal. According to Microsoft you should apply this CU during the TS as well. Applying a cumulative update during TS is described here.

the second issue, however, is far less known and there is neither a hotfix nor a CU available from Microsoft for it right now.

installation of an application or applications fails during the Task Sequence and you get the following error message in the log:
"The operating system reported error 615: The password provided is too short to meet the policy of your user account. Please choose a longer password."

Fortunately the guys from scug.be have already run into this problem and were so kind to document the solution on their blog. And i really like those guys, because they've even shared the script to fix it site wide.

Please note: they had this issue after upgrading from SCCM 2012 RTM to SCCM 2012 SP1. however, this solution also works if an upgrade to SCCM R2 screwed up your applications.

Tuesday, December 3, 2013

MDOP 2013 R2 is released

MDOP 2013 R2 has been made available for download

It contains:
  • App-V 5.0 SP2
  • App-V 4.6 SP3
  • UE-V 2.0
  • MBAM 2.0 SP1
  • and more ...
Both App-V 4.6 and 5.0 service packs contain only client updates, there are no server side service packs.
the latest server version for App-V 4.x is App-V 4.5 SP2
the latest server version for App-V 5.0 is App-V 5.0 SP1

unfortunately App-V 5.0 SP2 still has security descriptors enforced by default without possibility to change it. Workaround is discussed here.
as far as i know App-V dev team is still thinking what they are going to do with security descriptors in App-V 5.0

Sunday, December 1, 2013

Task Sequence stops randomly

imagine:
you've installed an SCCM 2012 site, configured roles, features, client settings, set up updates management, created and tested software deployment based on the still new and still cool application model...
... created your build and capture task sequence, and it even ran without failures, or you were so mighty you could resolve them in no time...
and then you are ready to deploy :)...
... well, that's what you are thinking, BUT SCCM 2012 seems to think differently. and your ubercool deployment task sequence, that was supposed to roll out the freshly built image, just stops at some point and doesn't want to go any further :(... like the #@$%@ thing is telling you - "nope, you haven't learned enough to be that cool"

the symptoms are:
you've just captured the image using a build and capture TS.
you've added the fresh image to SCCM 2012 and want to deploy it right away.
you've even (maybe) applied some remaining updates off-line...

when this task sequence runs, it'll apply image, drivers etc, install and configure the clients and then - it'll hang up while trying to install the first application or package. the very misleading thing in this case is that if you run a script (using "run command line" TS step ;)) and specify a package, it'll work, but the very next (and first) install program or install application step will just hang up. and it'll do it like forever.
and your SMSts.log will contain entries like this:
<![LOG[Waiting for installation job to complete..]LOG]!>
<![LOG[Waiting for job status notification...]LOG]!>
<![LOG[Waiting for job status notification...]LOG]!>
...

please don't worry!
do not try to remove, rearrange or simply adjust that app or package, cause it will not help!

this discussion on TechNet contains the solution!
so don't be a hero, just execute the script below before capturing the image :D

' Delete every SMS_MaintenanceTaskRequests instance in the client's root\ccm WMI namespace
strComputer = "."
Set objSWbemServices = GetObject("winmgmts:\\" & strComputer & "\root\ccm")
Set colSWbemObjectSet = objSWbemServices.InstancesOf("SMS_MaintenanceTaskRequests")
For Each objSWbemObject In colSWbemObjectSet
    ' Build the WMI object path of this instance and delete it
    strInstance = "SMS_MaintenanceTaskRequests.TaskID='" & objSWbemObject.TaskID & "'"
    objSWbemServices.Delete strInstance
Next

that's what the corresponding TS step could look like...











Wednesday, November 20, 2013

do not mess with WSUS or how to get crazy with software updates.

when you are configuring SCCM 2007 or SCCM 2012 it is stated on the TechNet and all blogs:

DO NOT MODIFY WSUS CONFIG MANUALLY!

Just install WSUS role and then SUP role. SCCM will configure everything it needs on its own.

it is also known by advanced users that yes, you can fine tune some things through WSUS console, but only when you've got enough experience and you know exactly what you are doing.

why am i telling this?

a colleague of mine has been involved with a customer for almost a year now. the IT guys there managed to set up SCCM 2012 on their own and it even works now, after we've spent a few months (re)configuring and fine-tuning it for all their needs. unfortunately they still don't know how SCCM 2012 works and if something happens they just blame SCCM for it and start nagging.
The last issue they've had was really weird - they are using Forefront as well and everything was fine until approximately a month ago the clients started receiving a Forefront engine update that was causing a system reboot. It is a health care organization and they can't afford unexpected or unannounced desktop reboots. The strange thing was that this update wasn't approved on the SCCM site. It wasn't even downloaded to a package. so... it was a big mess :O... the local IT disabled the ADR, they've even deleted and recreated it, and disabled it again... configured update source location settings and so on... but nothing could help.
The local IT guys were going to make some dramatic decisions like completely wiping the SCCM 2012 site server and reinstalling it from scratch or calling Microsoft Premium support, or maybe even both of those steps (in the right sequence ;) )

Just before that happened, my colleague decided to get involved and just take a look at the complete chain of servers, clients and applications involved. After some deep digging in an affected client's logs, site server logs, lots of other logs, all the relevant SCCM 2012 console parts... he went to the WSUS console, to look if he could find something "unusual"...
AND HE HAS FOUND IT!!!

WSUS has got "Default Automatic Approval Rule" and it was enabled!!!


well what can i say...
Back in SCCM 2007, when you wanted to automatically update Forefront clients from SCCM, you, indeed, needed to configure certain settings on WSUS server to make it work. but it is no longer the case with SCCM 2012, so do not do that!!!
unfortunately some wise guy had itch on his fingertips and didn't have proper understanding of what he was doing...

so, once again - DO NOT MESS WITH WSUS!
and of course - make sure you've got proper understanding of what you are doing and how it all works.
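
The check my colleague did by hand in the WSUS console can also be scripted. The following is an added example, not part of the original post: it lists the automatic approval rules on a WSUS server through the WSUS administration API and flags any that are enabled. Server name, port and SSL setting are assumptions, and the `-DisableEnabledRules` switch is a hypothetical option of this script.

```powershell
# Added example: audit the WSUS server behind an SCCM software update point
# for enabled automatic approval rules (e.g. "Default Automatic Approval Rule").
# Server name, port and SSL setting are assumptions; adjust to your environment.
param(
    [string]$WsusServer = 'localhost',
    [int]$Port = 8530,
    [switch]$UseSsl,
    [switch]$DisableEnabledRules   # hypothetical switch; default is report only
)

$ErrorActionPreference = 'Stop'

# WSUS administration API, installed together with the WSUS role or console.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($WsusServer, $UseSsl.IsPresent, $Port)

# One report row per rule; the row records the state found before any change.
$report = foreach ($rule in $wsus.GetInstallApprovalRules()) {
    [pscustomobject]@{
        Name            = $rule.Name
        Enabled         = $rule.Enabled
        Classifications = ($rule.GetUpdateClassifications() | ForEach-Object { $_.Title }) -join '; '
        Products        = ($rule.GetCategories() | ForEach-Object { $_.Title }) -join '; '
        TargetGroups    = ($rule.GetComputerTargetGroups() | ForEach-Object { $_.Name }) -join '; '
    }
    if ($rule.Enabled -and $DisableEnabledRules) {
        $rule.Enabled = $false
        $rule.Save()
    }
}

$report | Format-List

# With SCCM 2012 in charge of approvals, no WSUS rule should be enabled.
$enabled = @($report | Where-Object { $_.Enabled })
if ($enabled.Count -gt 0) {
    Write-Warning ("{0} automatic approval rule(s) were enabled on {1}: {2}" -f
        $enabled.Count, $WsusServer, (($enabled | ForEach-Object { $_.Name }) -join ', '))
    exit 1
}
exit 0
```

The non-zero exit code makes it easy to run this as a scheduled check and alert when somebody switches a rule back on.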

Tuesday, November 19, 2013

upgrade to 2012 R2 or how to kill your (LAB) SCCM 2012 environment

every once in a while we do some things in System Center environment
... sometimes those things are cool and we are proud to share it with everybody around
... sometimes those things are quite crazy, and not always worth sharing ... or are they? ;)

recently I've killed my System Center 2012 LAB while upgrading to 2012 R2 release :D

don't worry, the actual upgrade from System Center 2012 to System Center 2012 R2 went perfectly well and this process is already covered to a certain extent on different blogs. I personally like Anoop's coverage of the upgrade to SCCM 2012 R2, for example.

Any way the simple story of how i destroyed my LAB:

one day, soon after the System Center 2012 R2 and Windows Server 2012 R2 bits were released for GA, i was enjoying a brain killing Change Advisory Board meeting at a customer. it had a huge agenda and i had no excuse to escape. After the first 5 minutes i realized that i was already brain dead and it would take just a few more minutes at most to switch into a coma sleep. I had to do something to prevent insulting the customer's management...
And I found it!!! I decided to upgrade my System Center 2012 LAB to the R2 release.
unfortunately i've got a very fast notebook with lots of RAM and SSDs, and even updating both SCCM 2012 and SCOM 2012 servers simultaneously went pretty fast and without issues...
So i was back where i'd begun, fighting the fight i could never win against the coma-sleep...
Apparently my brain was severely damaged at that time and i decided to upgrade my LAB's OS to Windows Server 2012 R2 from the Windows Server 2008 R2 i was happily using for a while...
AND I DID IT :D
it was quite straightforward, and upgrading the DC and two management servers went reasonably fast.
well... usually i do create VM snapshots before i want to test even a small change, but this time i thought - it's just my own LAB, what can happen?
DC worked perfectly after upgrade...
SCOM 2012 R2 also worked perfectly after upgrade...
SCCM 2012 R2 also worked perfectly after upgrade... well, actually it seemed to work, but i discovered quite soon that it was quite messed up:
  • Software Update Point - wasn't working because the WSUS service wasn't running. When i checked, i discovered that WSUS was just messed up after the upgrade. Removing SUP and WSUS and reinstalling them didn't resolve those issues.
  • PXE - wasn't working because WDS was messed up. After removing all DP roles and the DP itself and reinstalling WDS, the PXE errors in the event log appeared to be resolved.
  • Management Point - MP was acting weird. After some investigation it appeared that some IIS components and settings were messed up during the server OS upgrade.
After i noticed the IIS issues, i didn't even try to resolve them... maybe because the meeting was over :D...
... instead i deleted the VM and created a new clean W2K12_R2 build with SCCM 2012 R2 and SCSM 2012_R2 on it.

somebody may ask me - why did you do this in the first place?
the answer is as simple as it can be - my other customer had actually asked me if they could perform an inplace OS upgrade of their servers because they are moving all of their servers to W2K12_R2 asap.

the short answer (at least for SCCM 2012 site servers) is don't.

if you want to upgrade OS of your site server from W2K8_R2 to Win12, then perhaps you should consider using old fashioned backup and restore instead of inplace upgrade.
HOW TO UPGRADE your server OS?
just back-up your whole source site server.
get a new VM with the same disk layout and identical name and restore the ConfigMgr site to the new server.
have fun :)

By the way, do you want (or need/must) to upgrade your site server's OS from 32-bit to 64-bit?
Then this back-up and recovery is the only possible way to achieve the result.

Monday, November 4, 2013

Using SCCM 2012 Compliance Settings to update license files

when you are using licensed applications, some of them require locally present license files and these files need to be updated once in a while. one way to do it is just to push the new license file to all clients and go drink some coffee...
... but there is a more intelligent way to achieve this goal through utilizing Compliance Settings in SCCM 2012...

... So, let's take a look at how to update the Immidio Flex+ license from SCCM 2012 utilizing the Compliance Settings feature.

if you are wondering what the Configuration Settings feature is, take a look at this TechNet article.
BTW in SCCM 2007 it was called Desired Configuration Management ;)
i'm not going to explain Configuration Settings in detail, because there are already a lot of people who spent enough time doing it, for example the guys from Windows Noob. The important thing for this article is what Compliance Settings can and can't remediate.
Compliance Settings can only remediate Registry, Script and WMI.
REMEMBER - remediation is only supported for the "Equal" operator. If you set an operator other than "Equal", the remediation option will disappear.
This TechNet forum post contains a good explanation of what it can and can't do.

Because we cannot remediate a file, we'll have to create a collection, based on compliance status, and deploy the new license file to that collection.


The approach is simple:
- create Configuration Items and Configuration Baseline.
- deploy that baseline to a device collection.
- create query based collection that includes all non-compliant devices.
- deploy new license file to the collection containing non-compliant clients.

Disclaimer - this post assumes the reader has got basic knowledge of SCCM 2012 and has access to a properly configured and working SCCM 2012 site with software distribution and (custom) client settings etc.

Create Compliance Settings:

Create Configuration Item
in Configuration Manager Admin Console go to "Assets and Compliance"->"Compliance Settings"
click on "Configuration Items" and select "Create Configuration Item" on the ribbon.



On the General page of the New CI Wizard name the Configuration Item "[CI] Flex+ license" and click on "Summary" and "Next"





Now we've got the new Configuration Item in console


double click on the newly created Configuration Item, go to "Settings" tab and click on "New"


configure the settings on the General tab as shown on the screenshot below and click on OK





NOTE - The path is target dir where the license file is located on the clients. In this case it is the installation folder for Immidio Flex+.

now, switch to the Compliance Rules tab and create two compliance rules.





1-st rule will check if the license file exists
NOTE - this rule might not seem to be really necessary, but sometimes you want to verify if the clients have got the license file at all.



and the second rule will check the creation date of the license file



NOTE - for this sample i'm using two Flex+ demo license files, one of them was created on 2013.10.25 and another one a few days before. For this example the new file has to replace the old one somehow.

Create Configuration Baseline
in Configuration Manager Admin Console go to "Assets and Compliance"->"Compliance Settings"
click on "Configuration Baseline" and select "Create Configuration Baseline" on the ribbon.



provide the name of the Configuration Baseline
click the "Add" button and select "Configuration Item" from drop-down menu




in the Add Configuration Items wizard select the "[CI] Flex+ license" Configuration Item we've previously created, click "Add" and then "OK".

After the "Configuration Baseline" has been created, deploy it to your target collection. The deployment process is the same as for anything else in SCCM 2012 - just right click on the thing you want to deploy and choose the "Deploy" option ;)

before we proceed, add the "CI ID" field to the view in the Configuration Baselines section. we'll need it later to create the collection query




Create Collection:

now that we've got the Configuration Baseline created and deployed, and assuming that enough time has passed for the clients to get the baseline, evaluate it and report back to the SCCM site...
we'll create device collection based on evaluation results which will contain all the clients

create device collection
in this case i've named it  "[software] Immidio Flex+ 8.1 license update", but feel free to use any other name :D



the most important part of this collection is the query-based membership rule
in the Membership Rules  step of the wizard click on "Add Rule" and select "Query Rule" from the drop-down menu


give your query a name and click on "Edit Query Statement"



 switch to the "Criteria" tab and add two query criteria

1-st criteria will be our Configuration Baseline's "CI ID"

in the "Criterion Properties" click on "Select" button 



and set "Configuration Item Compliance State" as "Attribute Class" and "CIID" as value.



after clicking on the "OK" we are back in "Criterion Properties"
remember that we've added "CI ID" field to the "Configuration Baseline" window view? this is the place where we need those 8 digits.
NOTE - do not forget to replace CI_ID value with the correct CIID from your environment!




2-nd criteria will be our Configuration Baseline's "Compliance State"





Optionally, you can just click on "Show Query Language" button



and paste the query below into it.

select *  from  SMS_R_System inner join SMS_G_System_CI_ComplianceState on SMS_G_System_CI_ComplianceState.ResourceId = SMS_R_System.ResourceId where SMS_G_System_CI_ComplianceState.CI_ID = 16811141 and SMS_G_System_CI_ComplianceState.ComplianceStateName = "Non-Compliant"

NOTE - do not forget to replace SMS_G_System_CI_ComplianceState.CI_ID value with the correct CIID from your environment!

Deploy license file:

This part doesn't differ from any other software deployment activity.
just create a software package, containing the license  file you want to deploy or update, and script to do the job and you are done.

after some time, depending on collection evaluation time, client policy settings etc, we'll see the license file being updated where necessary.
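
One possible "script to do the job" for that package, as an added example that is not part of the original post. The file name, the target folder and the date are placeholders (the date is the 2013.10.25 from the sample above); use the values from your own package and compliance rule. Because the second rule checks the creation date, the script sets that date explicitly instead of relying on whatever the copy leaves behind.

```powershell
# Added example, not from the original post. File name, target folder and date
# are placeholders; take them from your package and your compliance rule.
param(
    [string]$LicenseFile = 'flexplus.lic',                    # hypothetical file name in the package
    [string]$TargetDir   = 'C:\Program Files\Immidio\Flex+',  # placeholder install folder
    [datetime]$Created   = '2013-10-25'                       # date the compliance rule checks
)
$ErrorActionPreference = 'Stop'

function Get-Sha256 ([string]$Path) {
    # .NET hashing, so the script also runs where Get-FileHash is not available
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { [System.BitConverter]::ToString($sha.ComputeHash($stream)) }
    finally { $stream.Close() }
}

try {
    # The new license file sits next to this script in the package source.
    $source = Join-Path (Split-Path -Parent $MyInvocation.MyCommand.Path) $LicenseFile
    $target = Join-Path $TargetDir $LicenseFile

    if (-not (Test-Path -LiteralPath $TargetDir -PathType Container)) {
        throw "Target folder '$TargetDir' not found, is the application installed?"
    }

    # Copy only when the file is missing or its content differs.
    $copy = -not (Test-Path -LiteralPath $target) -or
            (Get-Sha256 $target) -ne (Get-Sha256 $source)
    if ($copy) { Copy-Item -LiteralPath $source -Destination $target -Force }

    # Overwriting an existing file keeps its old creation time and a fresh copy
    # gets the time of the copy, so stamp the date the compliance rule expects.
    $item = Get-Item -LiteralPath $target
    if ($item.CreationTime -ne $Created) { $item.CreationTime = $Created }

    Write-Output "License file OK (copied: $copy, created: $($item.CreationTime))"
    exit 0
}
catch {
    Write-Error $_ -ErrorAction Continue
    exit 1   # non-zero exit code so SCCM reports the program as failed
}
```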