Sunday, March 25, 2018

2008R2/7 March 2018 Cumulative and vmxnet3 NIC

Hmm. I thought I posted this last week. Whoops!

VMware support notified us that there were issues with two Microsoft patches released this month. I'm sure others were notified as well. We would have found this out following our Patch Testing Group process, which I loosely cover here. These updates can cause Server 2008 R2 and Windows 7 Virtual Machines to lose their IP configuration. The two KBs in question are:
with this item specifically causing the problem
A new Ethernet virtual Network Interface Card (vNIC) may be created with default settings in place of the previously existing vNIC, causing network issues after applying this update. Any custom settings on the previous vNIC are still persisted in the registry but unused.
Both Twitter and Reddit are lighting up over this. My understanding is this issue requires 3 conditions to apply:
  • OS is Server 2008 R2 or Windows 7
  • NIC is vmxnet3 (therefore on VMware)
  • IP is statically assigned.
Microsoft has a workaround, which is basically to set up the new vNIC with the IP info of the old one. While most of our systems are newer versions of Windows, we have enough of these impacted systems that touching each one manually is not all that appealing. VMware suggests you not apply either of these. We chose this route to see if Microsoft addresses it more directly. As we have taken a 'Virtualize Only' strategy we have a lot of systems that would be affected, mostly on the server side. Per policy we have chosen to exclude these systems from the cumulatives for now until we decide on a more eloquent resolution. Since we use ConfigMgr to patch, I put together some collections to capture impacted systems.

First up, we have an 'All Virtual Systems' Collection that sources from 'All Systems' that we will pivot off.

 select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.IsVirtualMachine = "True"  

as well as an 'All Physical Systems' Collection to break these out. As I am always thinking of the future vs focusing on this one issue I then collected all the Virtual Systems with a VMWare vmxnet3 NIC that had a static IP called 'All Virtual Systems with VMXNet3 NIC and Static IP':

 select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_NETWORK_ADAPTER on SMS_G_System_NETWORK_ADAPTER.ResourceID = SMS_R_System.ResourceId inner join SMS_G_System_NETWORK_ADAPTER_CONFIGURATION on SMS_G_System_NETWORK_ADAPTER_CONFIGURATION.ResourceID = SMS_R_System.ResourceId where SMS_G_System_NETWORK_ADAPTER.DeviceID = SMS_G_System_NETWORK_ADAPTER_CONFIGURATION.Index and SMS_G_System_NETWORK_ADAPTER.Manufacturer like "VMWare%" and SMS_G_System_NETWORK_ADAPTER_CONFIGURATION.IPEnabled = 1 and SMS_G_System_NETWORK_ADAPTER.Name like "vmxnet3 Ethernet Adapter%" and SMS_G_System_NETWORK_ADAPTER_CONFIGURATION.DHCPEnabled = 0 and SMS_G_System_NETWORK_ADAPTER_CONFIGURATION.IPAddress is not NULL  

Additionally those with DHCP.

 select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_NETWORK_ADAPTER on SMS_G_System_NETWORK_ADAPTER.ResourceID = SMS_R_System.ResourceId inner join SMS_G_System_NETWORK_ADAPTER_CONFIGURATION on SMS_G_System_NETWORK_ADAPTER_CONFIGURATION.ResourceID = SMS_R_System.ResourceId where SMS_G_System_NETWORK_ADAPTER.DeviceID = SMS_G_System_NETWORK_ADAPTER_CONFIGURATION.Index and SMS_G_System_NETWORK_ADAPTER.Manufacturer like "VMWare%" and SMS_G_System_NETWORK_ADAPTER_CONFIGURATION.IPEnabled = 1 and SMS_G_System_NETWORK_ADAPTER.Name like "vmxnet3 Ethernet Adapter%"  

Counts didn't seem quite right, so we looked at some systems and learned that instead of doing an 'equal vmxnet3 Ethernet Adapter' in the query we needed to change it to 'like vmxnet3 Ethernet Adapter%', as some had multiple NICs, or "vmxnet3 Ethernet Adapter #8" (!!) in one case. I am assuming several did not get legacy devices cleaned up after a P2V operation. This put counts more in line with what vCenter showed but identified the vmxnet3 vs e1000 and other NICs in use.

We then took it further by narrowing on the impacted OS versions and created a collection that limits from the above 'All Virtual Systems with VMXNet3 NIC and Static IP' collection. We create collections for each OS version, and feature release for Windows 10, so we just had to include the Server 2008 R2 and Windows 7 collections and now we have the impacted systems to exclude. Called it 'All 2008R2 and 7 Virtual Systems with VMXNet3 NIC and Static IP'.

For further detail we created two more collections, one for each OS and sourced the above collection and included just the 2008R2 or 7 OS collection.

For the SUGs (Software Update Groups) we follow the monthly/yearly method. So we put these two KBs into their own SUG and targeted the 2008 R2 and 7 systems but excluded the above impacted systems. With how we structured Software Update collections and Maintenance Window collections, we then had to create a collection that included all systems but excluded the impacted systems.

Took me longer to write this post than to do the actual work! I would expect this to be resolved next month so the special SUG goes away; however, the initial collections seem pretty useful for the future.

-Kevin
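
Added example, not part of the original post: a per-machine PowerShell check for the three conditions listed above (OS 6.1, vmxnet3 NIC, static IP) that also saves the static IP settings, so the workaround of re-entering the old vNIC's IP info on the new one has something to work from. It uses Get-WmiObject so it runs on the PowerShell 2.0 that ships with 2008 R2 and 7; the function name and the output path are assumptions.

```powershell
# Added example: report whether this machine meets the three conditions and
# back up the static IP settings of each vmxnet3 adapter before patching.
function Get-Vmxnet3StaticConfig {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    # Windows 7 and Server 2008 R2 both report version 6.1.x
    $isAffectedOs = $os.Version -like '6.1.*'

    # Wildcard match, as in the post, so "vmxnet3 Ethernet Adapter #8" is caught too
    $nics = @(Get-WmiObject -Class Win32_NetworkAdapter |
        Where-Object { $_.Name -like 'vmxnet3 Ethernet Adapter*' })

    foreach ($nic in $nics) {
        # Win32_NetworkAdapter.DeviceID pairs with Win32_NetworkAdapterConfiguration.Index,
        # the same join the collection queries use
        $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
            -Filter "Index = $($nic.DeviceID)"
        if (-not $cfg.IPEnabled) { continue }   # skip leftover, unbound adapters

        New-Object PSObject -Property @{
            Computer   = $env:COMPUTERNAME
            OSVersion  = $os.Version
            Adapter    = $nic.Name
            MACAddress = $cfg.MACAddress
            StaticIP   = (-not $cfg.DHCPEnabled)
            Impacted   = ($isAffectedOs -and -not $cfg.DHCPEnabled)
            IPAddress  = ($cfg.IPAddress -join ',')
            IPSubnet   = ($cfg.IPSubnet -join ',')
            Gateway    = ($cfg.DefaultIPGateway -join ',')
            DnsServers = ($cfg.DNSServerSearchOrder -join ',')
        }
    }
}

$report = @(Get-Vmxnet3StaticConfig)
$report | Format-List

# Hypothetical output path: pick a location you can still reach from the VM
# console if the machine drops off the network after the update.
$report | Where-Object { $_.Impacted } |
    Export-Csv -Path "$env:SystemDrive\vmxnet3-static-ip-backup.csv" -NoTypeInformation
```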






Saturday, March 3, 2018

ConfigMgr Agent Self-Installer

We have a large percentage of remote workers and they work fine via ConfigMgr ibcm (not to be confused with icbm!). However, as with any system, sometimes the agent needs to be re-installed or installed to begin with, so to make life easier on both the end user and the techs working the ticket I created a self-installer for the agent. Users get the perception it's installing "something" and the tech can give them a download URL and instruct them to download and run it knowing it will take care of the issue.

For the user they see a familiar experience as this installer is used for many products, both free and commercial.






Behind the scenes this extracts the agent files to the user's %TEMP% and then runs the agent installer after extraction is completed.

First step is to put the agent install into a working directory. In my case I pulled it from GPO as a VBS does all sorts of checks and balances as well as manages other components such as 1E Nomad, WUA versions, or fixes WMI. Similar to Jason's startup script. If you don't have it wrapped you can just install CCMSETUP.EXE with your ibcm info as you would manually run.

To create this I am using HM NIS Edit and Nullsoft installer. HM NIS Edit has a nice wizard interface to generate the install text file and from habit I use Nullsoft installer to compile it into something usable. HM NIS Edit has a compiler but it doesn't support everything Nullsoft does directly. There are other tools that work with NSI but I've used these for years with great success.

Start HM Edit and choose File | New Script from Wizard to start its Wizard. On the app info dialog I leave the website blank but you can point to say a KB article URL or support desk.



On the Setup Options dialog you can point to an icon file for a company logo and point to the setup file. This is what you are going to generate. Additionally, if you want to add support for multiple languages you can do that. I just use English. The Modern GUI is the best looking one and I would suggest LZMA for compression as it packs the tightest. We'll make a minor tweak to this later.



For the Application directory and license dialog I just use '$TEMP\SCCMAgentInstall' for the App default directory. NSI is an installer that will put files into Program Files, the registry, add/remove etc.; however, in this case we are only extracting it and having it run the agent install silently. Since it's an internal app the license file is blank.



Now you get to tell it what to do. On the Application Files dialog you remove the two entries on the right.



Click the Directory icon


and point to the directory where you cached the agent install previously. Validate the Destination directory is set to $INSTDIR so it gets put into the temp dir you set a few steps above. If you use this to actually install software you can use different sections and actions. For this use case the defaults are fine.


It then populates all the files from your cache dir. Otherwise leave this dialog alone.


On the Application Icons dialog you want to remove the checkboxes and shortcuts so this is all blank.


Now you get to set your switches around your install. If you have a wrapper like me then you just enter the exe and move on, but if you do not and are calling CCMSETUP.EXE directly you can put your switches here as shown below. Additionally, there is an option for a readme if you have some sort of support KB. Note it is text and needs to be in the files you imported.


For the uninstaller dialog just uncheck the box as there is no uninstaller in this case.


Finally on the finish dialog select to save the script and convert relative paths. Do not compile as we will make some changes within the script file first.


Open the saved script file in your favorite text editor. First change is to not put this "install" into the registry. Just comment out (or delete) the PRODUCT_DIR_REGKEY line. Note NSI files use a semi-colon as the comment character.

 ;!define PRODUCT_DIR_REGKEY "Software\Microsoft\Windows\CurrentVersion\App Paths\CMSEtup.EXE"  

Modify the SetCompressor setting to add the /SOLID switch. This will cause it to treat the files as one big blob vs individual files so you get greater compression.

 SetCompressor /SOLID lzma  

Comment (or delete) the MUI_FINISHPAGE_RUN line. This puts a checkbox in the final dialog of the installer to run the program after closing, in this case CMSetup.exe. You silently run CMSetup.EXE (or CCMSETUP) later in the file, so there is no need to give the user an option to uncheck it since we are forcefully running it.

 ; By uncommenting the next line you can run CMScript after NSIS exits via the Run checkbox. If so then you need to  
 ; comment out the section CMScript below  
 ;!define MUI_FINISHPAGE_RUN "$INSTDIR\CMScript.exe"  

This is simply referencing this section. This will run CMScript.EXE silently without any user choice. Since we are installing the ConfigMgr agent this is the behavior we want.

 Section "CMScript"  
  File "SCCMAgentInstall\CMScript.exe"  
  Exec "$INSTDIR\CMScript.exe"  
 SectionEnd  

That should be all the changes you need to make; however, you can tweak as you test before making it available to end users. To compile I use NSIS but HM will do it as well. Just open NSIS, click Compile NSI scripts, then drag the script file to the new window it created and away it goes.


Once complete just close it out and go test your installer to make sure the behaviour is what you want and that the agent is actually installed. Note this compressed the install 77% so it's pretty small and self-contained in an EXE.
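
Added example, not part of the original post: a PowerShell check to run on the test machine after the self-installer finishes, to confirm the agent really installed. It assumes the '$TEMP\SCCMAgentInstall' extraction directory from the wizard step above and the standard ccmsetup log location; the function name is made up for illustration. Run it elevated, as the same user who ran the installer.

```powershell
# Added example: verify extraction, ccmsetup's exit code, the agent service and the client version.
function Test-CMAgentInstall {
    $result = New-Object PSObject -Property @{
        Extracted     = $false
        SetupExitLine = $null
        ServiceStatus = 'NotFound'
        ClientVersion = $null
    }

    # The installer extracts to %TEMP%\SCCMAgentInstall for the user who ran it
    $result.Extracted = Test-Path (Join-Path $env:TEMP 'SCCMAgentInstall')

    # ccmsetup.exe logs to %windir%\ccmsetup\Logs and records its exit code on completion.
    # The script launches the setup with Exec, which does not wait, so an empty
    # value here can simply mean setup is still running.
    $log = Join-Path $env:windir 'ccmsetup\Logs\ccmsetup.log'
    if (Test-Path $log) {
        $exit = Select-String -Path $log -Pattern 'CcmSetup is exiting with return code (\d+)' |
            Select-Object -Last 1
        if ($exit) { $result.SetupExitLine = $exit.Matches[0].Value }
    }

    # CcmExec is the agent's service (SMS Agent Host)
    $svc = Get-Service -Name CcmExec -ErrorAction SilentlyContinue
    if ($svc) { $result.ServiceStatus = $svc.Status.ToString() }

    # The root\ccm namespace only exists once the client is installed
    $client = Get-WmiObject -Namespace 'root\ccm' -Class SMS_Client -ErrorAction SilentlyContinue
    if ($client) { $result.ClientVersion = $client.ClientVersion }

    $result
}

Test-CMAgentInstall | Format-List
```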

So what do you do when you update the agent install due to the backend being upgraded? You can go through the entire process above or just edit your MSI file to update source files. I have not found an easy way to modify the text file so I actually go through the wizard and ignore all steps and stop on the Application Files dialog to import the updated files.


Then just copy the MainSection from the new file and replace in the original script file.

 Section "MainSection" SEC01  
  SetOutPath "$INSTDIR"  
  SetOverwrite try  
   ...  
 SectionEnd  

Be sure to update other sections of the file such as the version. Then compile again and test.

If you want to get real creative there is a huge community and documentation around Nullsoft Installer to get suggestions. In my case I just needed to create a simple way for remote users to install or re-install the latest agent under instruction from support staff. For example, I wanted to polish it a little and change the user's install dialog to hide the details so I changed this setting from show to hide:

 ShowInstDetails hide  



-Kevin