System Center 2012 R2 Update Rollup 2

I’ve created a tool for downloading the bits for Update Rollup 2, as well as extracting the .cab files. This keeps it a bit more organized and is quicker than navigating through Windows Update. Enjoy!


<#
.SYNOPSIS
Downloads all of UR2 (english only)   
.DESCRIPTION   
All prereqs are downloaded and unpacked   
.INPUTS  
 -DestinationFolder      
used to define the location where everything is stored.  Default is C:\SysCen2012R2UR2  
 -Cleanup     
true/false used to delete cab files after expanding.  Default is $true   
.OUTPUTS   
None    
.NOTES   
Author:         Daniel Kucinski   
Date:           June 2014   
Purpose/Change: Initial creation    
.EXAMPLE   
.\SCUR2downloader.ps1 -DestinationFolder c:\UpdateRollup2 -CleanUp $true -Verbose 
.EXAMPLE   
...just right-click and run   enjoy! 
#>

    [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='High')]
    param(
    [Parameter(position=0)]
    [string]$DestinationFolder = "C:\SysCen2012R2UR2",

    [Parameter(position=1)] #Mandatory=$true
    [bool]$CleanUp = $true
    )

$erroractionpreference = "SilentlyContinue"
$error.clear()
$download = New-Object System.Net.WebClient

function Expand-ZIPFile($file, $destination) {
    $shell = New-Object -ComObject shell.application
    $zip = $shell.NameSpace($file)
        ForEach ($item in $zip.items())
        {
            $shell.NameSpace($destination).CopyHere($item,0x14)
        } #foreach
    } #function

# create dir and download prereqs from MS
[array]$components = @("VMM","SCSM","SCO","SCOM","SPF","SMA","DPM")
    New-Item -Type directory -path $DestinationFolder | Out-Null
        ForEach ($item in $components) {
            New-Item -Type directory -Path $DestinationFolder\$item | Out-Null
        } #foreach
    Write-Verbose "created  directories - continuing..."

# SCSM
IF (Test-Path "$DestinationFolder\SCSM\SCSM2012R2_CU_KB2904710_AMD64_7.5.3079.61.exe") {
    Write-Verbose "SCSM Update Rollup 2 located"
    }
    ELSE {
        Write-Verbose "Downloading SCSM components"
        $source = "http://download.microsoft.com/download/1/6/A/16A55195-AA6A-4210-A780-0403D7F7D6EE/SCSM2012R2_CU_KB2904710_AMD64_7.5.3079.61.exe"
        $destination = "$DestinationFolder\SCSM\SCSM2012R2_CU_KB2904710_AMD64_7.5.3079.61.exe"
        Invoke-WebRequest -Uri $source -OutFile $destination
        Write-Verbose "Downloaded $destination"
    } #else

# SCOM
#management server
IF (Test-Path "$DestinationFolder\SCOM\kb2929891-amd64-server_efa0a2029f892ab08b3b5c869fe57f8c267dc6e6.cab") {
    Write-Verbose "SCOM Update Rollup 2 located"
    }
    ELSE {
        Write-Verbose "Downloading SCOM components"
        $source = "http://download.windowsupdate.com/d/msdownload/update/software/uprl/2014/04/kb2929891-amd64-server_efa0a2029f892ab08b3b5c869fe57f8c267dc6e6.cab"
        $destination = "$DestinationFolder\SCOM\kb2929891-amd64-server_efa0a2029f892ab08b3b5c869fe57f8c267dc6e6.cab"
        Invoke-WebRequest -Uri $source -OutFile $destination
        Write-Verbose "Downloaded $destination"
    } #else

#gateway
IF (Test-Path "$DestinationFolder\SCOM\kb2929891-amd64-gateway_6c78f8fcacf5e679d6ef63398fb6538322c92e98.cab") {
    Write-Verbose "SCOM Update Rollup 2 located"
    }
    ELSE {
        Write-Verbose "Downloading SCOM components"
        $source = "http://download.windowsupdate.com/d/msdownload/update/software/uprl/2014/04/kb2929891-amd64-gateway_6c78f8fcacf5e679d6ef63398fb6538322c92e98.cab"
        $destination = "$DestinationFolder\SCOM\kb2929891-amd64-gateway_6c78f8fcacf5e679d6ef63398fb6538322c92e98.cab"
        Invoke-WebRequest -Uri $source -OutFile $destination
        Write-Verbose "Downloaded $destination"
    } #else

#webconsole
IF (Test-Path "$DestinationFolder\SCOM\kb2929891-amd64-enu-webconsole_f459a18aa85e98d6270fe6bbbeb26ed29ebab466.cab") {
    Write-Verbose "SCOM Update Rollup 2 located"
    }
    ELSE {
        Write-Verbose "Downloading SCOM components"
        $source = "http://download.windowsupdate.com/d/msdownload/update/software/uprl/2014/04/kb2929891-amd64-enu-webconsole_f459a18aa85e98d6270fe6bbbeb26ed29ebab466.cab"
        $destination = "$DestinationFolder\SCOM\kb2929891-amd64-enu-webconsole_f459a18aa85e98d6270fe6bbbeb26ed29ebab466.cab"
        Invoke-WebRequest -Uri $source -OutFile $destination
        Write-Verbose "Downloaded $destination"
    } #else

# SMA
IF (Test-Path "$DestinationFolder\SMA\kb2904689_powershellmoduleinstaller_x64_d57fd83f3066ad603201e3d42630cbd00bc28e67.cab") {
    Write-Verbose "SMA Update Rollup 2 located"
    }
    ELSE {
        Write-Verbose "Downloading SMA components"
        $source = "http://download.windowsupdate.com/d/msdownload/update/software/uprl/2014/04/kb2904689_powershellmoduleinstaller_x64_d57fd83f3066ad603201e3d42630cbd00bc28e67.cab"
        $destination = "$DestinationFolder\SMA\kb2904689_powershellmoduleinstaller_x64_d57fd83f3066ad603201e3d42630cbd00bc28e67.cab"
        Invoke-WebRequest -Uri $source -OutFile $destination
        Write-Verbose "Downloaded $destination"
    } #else

# SPF
IF (Test-Path "$DestinationFolder\SPF\kb2932939_microsoft.systemcenter.foundation.setup_x64_0a38ef61d7850cfb903492670e3fa3cf6c8471f3.cab") {
    Write-Verbose "SPF Update Rollup 2 located"
    }
    ELSE {
        Write-Verbose "Downloading SPF components"
        $source = "http://download.windowsupdate.com/d/msdownload/update/software/uprl/2014/04/kb2932939_microsoft.systemcenter.foundation.setup_x64_0a38ef61d7850cfb903492670e3fa3cf6c8471f3.cab"
        $destination = "$DestinationFolder\SPF\kb2932939_microsoft.systemcenter.foundation.setup_x64_0a38ef61d7850cfb903492670e3fa3cf6c8471f3.cab"
        Invoke-WebRequest -Uri $source -OutFile $destination
        Write-Verbose "Downloaded $destination"
    } #else

# VMM
#adminconsole x64
IF (Test-Path "$DestinationFolder\VMM\kb2932942_adminconsole_amd64_5dd291de44899042205ec70eecb8555f1c2c10d0.cab") {
    Write-Verbose "VMM Update Rollup 2 located"
    }
    ELSE {
        Write-Verbose "Downloading VMM components"
        $source = "http://download.windowsupdate.com/c/msdownload/update/software/uprl/2014/04/kb2932942_adminconsole_amd64_5dd291de44899042205ec70eecb8555f1c2c10d0.cab"
        $destination = "$DestinationFolder\VMM\kb2932942_adminconsole_amd64_5dd291de44899042205ec70eecb8555f1c2c10d0.cab"
        Invoke-WebRequest -Uri $source -OutFile $destination
        Write-Verbose "Downloaded $destination"
    } #else

#VMM server
IF (Test-Path "$DestinationFolder\VMM\kb2932926_vmmserver_amd64_ebd2c3f90127efa11f750f1464cb44bd1b0108bc.cab") {
    Write-Verbose "VMM Update Rollup 2 located"
    }
    ELSE {
        Write-Verbose "Downloading VMM components"
        $source = "http://download.windowsupdate.com/c/msdownload/update/software/uprl/2014/04/kb2932926_vmmserver_amd64_ebd2c3f90127efa11f750f1464cb44bd1b0108bc.cab"
        $destination = "$DestinationFolder\VMM\kb2932926_vmmserver_amd64_ebd2c3f90127efa11f750f1464cb44bd1b0108bc.cab"
        Invoke-WebRequest -Uri $source -OutFile $destination
        Write-Verbose "Downloaded $destination"
    } #else

# SCO
#webservice
IF (Test-Path "$DestinationFolder\SCO\kb2904689_webserviceinstaller_x64_fa0016be99b73e5738d9a30068ca93566d26a622.cab") {
    Write-Verbose "SCO Update Rollup 2 located"
    }
    ELSE {
        Write-Verbose "Downloading SCO components"
        $source = "http://download.windowsupdate.com/d/msdownload/update/software/uprl/2014/04/kb2904689_webserviceinstaller_x64_fa0016be99b73e5738d9a30068ca93566d26a622.cab"
        $destination = "$DestinationFolder\SCO\kb2904689_webserviceinstaller_x64_fa0016be99b73e5738d9a30068ca93566d26a622.cab"
        Invoke-WebRequest -Uri $source -OutFile $destination
        Write-Verbose "Downloaded $destination"
    } #else

#runbook server
IF (Test-Path "$DestinationFolder\SCO\kb2904689_runbookserver_x86_4cfc6f108fc6432d251ab861401ceeb6c93acd8a.cab") {
    Write-Verbose "SCO Update Rollup 2 located"
    }
    ELSE {
        Write-Verbose "Downloading SCO components"
        $source = "http://download.windowsupdate.com/d/msdownload/update/software/uprl/2014/04/kb2904689_runbookserver_x86_4cfc6f108fc6432d251ab861401ceeb6c93acd8a.cab"
        $destination = "$DestinationFolder\SCO\kb2904689_runbookserver_x86_4cfc6f108fc6432d251ab861401ceeb6c93acd8a.cab"
        Invoke-WebRequest -Uri $source -OutFile $destination
        Write-Verbose "Downloaded $destination"
    } #else

#runbook designer
IF (Test-Path "$DestinationFolder\SCO\kb2904689_runbookdesigner_x86_55fa0a511b6def5b80e72f7edb162277b32b9ae9.cab") {
    Write-Verbose "SCO Update Rollup 2 located"
    }
    ELSE {
        Write-Verbose "Downloading SCO components"
        $source = "http://download.windowsupdate.com/d/msdownload/update/software/uprl/2014/04/kb2904689_runbookdesigner_x86_55fa0a511b6def5b80e72f7edb162277b32b9ae9.cab"
        $destination = "$DestinationFolder\SCO\kb2904689_runbookdesigner_x86_55fa0a511b6def5b80e72f7edb162277b32b9ae9.cab"
        Invoke-WebRequest -Uri $source -OutFile $destination
        Write-Verbose "Downloaded $destination"
    } #else

# DPM
#central console server
IF (Test-Path "$DestinationFolder\DPM\dpmcentralconsoleserver-kb2963543_ce185cdaad05fb7f5df55a6b14883eede2c031b2.exe") {
    Write-Verbose "DPM Update Rollup 2 located"
    }
    ELSE {
        Write-Verbose "Downloading DPM components"
        $source = "http://download.windowsupdate.com/d/msdownload/update/software/uprl/2014/05/dpmcentralconsoleserver-kb2963543_ce185cdaad05fb7f5df55a6b14883eede2c031b2.exe"
        $destination = "$DestinationFolder\DPM\dpmcentralconsoleserver-kb2963543_ce185cdaad05fb7f5df55a6b14883eede2c031b2.exe"
        Invoke-WebRequest -Uri $source -OutFile $destination
        Write-Verbose "Downloaded $destination"
    } #else   

#dpm
IF (Test-Path "$DestinationFolder\DPM\dataprotectionmanager2012r2-kb2963543_a975a99c79b2c1267f3087dc34af68398994849d.exe") {
    Write-Verbose "DPM Update Rollup 2 located"
    }
    ELSE {
        Write-Verbose "Downloading DPM components"
        $source = "http://download.windowsupdate.com/d/msdownload/update/software/uprl/2014/05/dataprotectionmanager2012r2-kb2963543_a975a99c79b2c1267f3087dc34af68398994849d.exe"
        $destination = "$DestinationFolder\DPM\dataprotectionmanager2012r2-kb2963543_a975a99c79b2c1267f3087dc34af68398994849d.exe"
        Invoke-WebRequest -Uri $source -OutFile $destination
        Write-Verbose "Downloaded $destination"
    } #else   

#management shell 1
IF (Test-Path "$DestinationFolder\DPM\dpmmanagementshell-kb2963543_015ac9652a3cbb3fef17496fdaf90a0b64feeb95.exe") {
    Write-Verbose "DPM Update Rollup 2 located"
    }
    ELSE {
        Write-Verbose "Downloading DPM components"
        $source = "http://download.windowsupdate.com/d/msdownload/update/software/uprl/2014/05/dpmmanagementshell-kb2963543_015ac9652a3cbb3fef17496fdaf90a0b64feeb95.exe"
        $destination = "$DestinationFolder\DPM\dpmmanagementshell-kb2963543_015ac9652a3cbb3fef17496fdaf90a0b64feeb95.exe"
        Invoke-WebRequest -Uri $source -OutFile $destination
        Write-Verbose "Downloaded $destination"
    } #else   

#management shell 2
IF (Test-Path "$DestinationFolder\DPM\dpmmanagementshell-kb2963543_7e533fb1e095022cb8a4298af77c139ae0c34bd7.exe") {
    Write-Verbose "DPM Update Rollup 2 located"
    }
    ELSE {
        Write-Verbose "Downloading DPM components"
        $source = "http://download.windowsupdate.com/d/msdownload/update/software/uprl/2014/05/dpmmanagementshell-kb2963543_7e533fb1e095022cb8a4298af77c139ae0c34bd7.exe"
        $destination = "$DestinationFolder\DPM\dpmmanagementshell-kb2963543_7e533fb1e095022cb8a4298af77c139ae0c34bd7.exe"
        Invoke-WebRequest -Uri $source -OutFile $destination
        Write-Verbose "Downloaded $destination"
    } #else   

# unzip cab files
$Cabs = Get-ChildItem -Path $DestinationFolder -Recurse -Filter *.cab

    foreach ($cab in $cabs) {
        #$FriendlyName =
        # $() is required to expand a property inside a double-quoted string
        Write-Verbose "Expanding $($cab.BaseName)"
        Expand-ZIPFile -File $cab.FullName -Destination $cab.DirectoryName
        Write-Verbose "done..."
    } #foreach

# cleanup
IF ($CleanUp -eq $true) {
    foreach ($cab in $cabs) {
        #$FriendlyName =
        Write-Verbose "Deleting $($cab.BaseName)"
        Remove-Item $Cab.FullName -Force
        Write-Verbose "done..."
    } #foreach
} #IF
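
The script above fetches every payload over plain HTTP and, with errors silenced, never checks what actually landed on disk. The following added example (not part of the original script) checks each downloaded file before it is expanded or installed; `Test-UR2Download` is a hypothetical helper name, and it assumes the 40-hex-digit suffix in the Windows Update file names is the SHA-1 of the file.

```powershell
# Added example, not part of the original script.
# Assumption: the 40-hex-digit suffix in a Windows Update file name
# (name_<40 hex>.cab) is the SHA-1 of the file. Test-UR2Download is a
# hypothetical helper name. Requires PowerShell 4.0+ for Get-FileHash.
function Test-UR2Download {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [Alias('FullName')]
        [string]$Path
    )
    process {
        $file = Get-Item -LiteralPath $Path -ErrorAction Stop

        # 1. Compare the SHA-1 embedded in the file name with the real digest.
        #    This catches truncated or swapped downloads; SHA-1 alone is not
        #    a strong guarantee, so it is only one of the two checks.
        $hashCheck = 'NoHashInName'
        if ($file.BaseName -match '_([0-9a-f]{40})$') {
            $actual = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA1).Hash
            $hashCheck = if ($actual -eq $Matches[1]) { 'Match' } else { 'Mismatch' }
        }

        # 2. Check the Authenticode signature and who signed the file.
        $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        $signedByMicrosoft = ($sig.Status -eq 'Valid') -and
                             ($signer -match '(^|,\s*)O=Microsoft Corporation(,|$)')

        [pscustomobject]@{
            File      = $file.Name
            HashCheck = $hashCheck
            Signature = $sig.Status
            Signer    = $signer
            # Trusted only if the signature chains and verifies AND the
            # name-embedded hash, when present, does not contradict it.
            Trusted   = $signedByMicrosoft -and ($hashCheck -ne 'Mismatch')
        }
    }
}

# Run after the downloads and before the "unzip cab files" step.
# The path is the script's default -DestinationFolder.
$bad = Get-ChildItem -Path 'C:\SysCen2012R2UR2' -Recurse -Include *.cab, *.exe |
    Test-UR2Download |
    Where-Object { -not $_.Trusted }

if ($bad) {
    $bad | Format-Table File, HashCheck, Signature -AutoSize
    throw 'One or more downloads failed verification; do not expand or install them.'
}
```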

Collection of Virtual Machines

select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from  SMS_R_System where SMS_R_System.ResourceId not in (select SMS_R_SYSTEM.ResourceID from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceId = SMS_R_System.ResourceId where SMS_G_System_COMPUTER_SYSTEM.Model like "%Virtual%")

Offline Servicing a WIM without SCCM

Recently, I came across a problem while setting up OSD at one of my clients: I was unable to install Windows 7 on a variety of their systems using the drivers from the manufacturer.  Specifically, with the Lenovo T440s, it would fail when booting up the first time, after successfully applying the driver pack.

The error read: Windows could not configure one or more system components.  To install Windows, restart the computer and then restart the installation.

This problem is caused by the drivers some of these newer systems are using, and their reliance on an updated version of the Kernel Mode Driver Framework.  The best approach, in my opinion, is to add the latest hotfix to the WIM so that Windows is ready when the drivers come down.  Normally this could be accomplished through the ConfigMan console with offline servicing.  However, my current client isn’t using SCCM for patching, so our site doesn’t have a SUP.  Furthermore, all I’m doing here is an OSD build out, so I’m not going to go setting one up.  Instead, I’m going to inject the hotfix the same way SCCM does, just manually.  This is also useful if you’ve ever just wondered what goes on under the hood.

To start, we’ll need the latest KMDF from Microsoft: http://www.microsoft.com/en-us/download/details.aspx?id=38423

Once you’ve downloaded it to your SCCM server, you’ll need to extract it using a tool such as 7zip:

.\7za.exe x kmdf-1.11-Win-6.1-x64.msu


Also, we’ll need to find our WIM.  If you don’t know which image index you’re after, you can retrieve it using dism /get-wiminfo /wimfile:F:\source$\OSD\WIMs\MYWIM.wim like I did here.


Mount it using DISM:

dism /mount-wim /wimfile:F:\source$\OSD\WIMs\MYWIM.wim /mountdir:E:\Scratch /index:1


Inject the hotfix you extracted earlier:

dism /image:E:\Scratch /add-package /Packagepath:F:\source$\Hotfix\KMDF1.11


Since I still had the .MSU file in my directory, I got an error, but the hotfix (KB2685811) did install properly.  I can verify this with DISM:

dism /get-packages /image:E:\Scratch


Now all that’s left to do is unmount and commit:

dism /unmount-wim /mountdir:E:\Scratch /commit


That’s it!  Once it unmounts, just update your distribution points and we’re ready to support newer drivers for newer models.

-easy
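
The same mount, inject, verify and commit sequence as one script, added here as an example that is not part of the original post. It points DISM at the extracted .cab only, so the leftover .msu does not raise the error mentioned above, and it discards the mount instead of committing if anything fails. `Add-HotfixToWim` is a hypothetical name; the example assumes the DISM PowerShell module is available and that the extracted .cab has the KB number in its file name.

```powershell
# Added example, not from the original post.
# Assumptions: the DISM PowerShell module (Mount-WindowsImage etc.) is present,
# the session is elevated, and the extracted hotfix .cab contains the KB
# number in its file name. Add-HotfixToWim is a hypothetical function name.
# Default paths, index and KB number are the ones used in the post.
function Add-HotfixToWim {
    [CmdletBinding()]
    param(
        [string]$WimFile    = 'F:\source$\OSD\WIMs\MYWIM.wim',
        [string]$MountDir   = 'E:\Scratch',
        [string]$PackageDir = 'F:\source$\Hotfix\KMDF1.11',
        [int]$Index         = 1,
        [string]$KB         = 'KB2685811'
    )
    $ErrorActionPreference = 'Stop'

    # Select only the hotfix .cab so that other files in the extraction
    # folder (such as the original .msu) are never handed to DISM.
    $cab = @(Get-ChildItem -LiteralPath $PackageDir -Filter "*$KB*.cab")
    if ($cab.Count -ne 1) {
        throw "Expected exactly one $KB .cab in $PackageDir, found $($cab.Count)."
    }

    # Refuse to service with a package that is not validly signed.
    $sig = Get-AuthenticodeSignature -LiteralPath $cab[0].FullName
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed for $($cab[0].Name): $($sig.Status)"
    }

    Mount-WindowsImage -ImagePath $WimFile -Index $Index -Path $MountDir | Out-Null
    $commit = $false
    try {
        Add-WindowsPackage -Path $MountDir -PackagePath $cab[0].FullName | Out-Null

        # Equivalent of "dism /get-packages": confirm the KB is now listed.
        $pkg = Get-WindowsPackage -Path $MountDir |
            Where-Object { $_.PackageName -like "*$KB*" }
        if (-not $pkg) {
            throw "$KB is not listed in the image after Add-WindowsPackage."
        }
        $commit = $true
        $pkg | Select-Object PackageName, PackageState
    }
    finally {
        # Commit only a verified image; otherwise throw the changes away so a
        # half-serviced WIM never reaches the distribution points.
        if ($commit) {
            Dismount-WindowsImage -Path $MountDir -Save | Out-Null
        }
        else {
            Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
        }
    }
}

Add-HotfixToWim -Verbose
```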

Configuring SCCM 2012 for PKI and SSL: Managing Apple Computers

Now that our site is running in HTTPS, we’re ready to set up and enroll our first Mac clients.  This requires some additional infrastructure, as well as another cert, which we’ll walk through here.

Enrollment Point Role

Managing Macs requires the Enrollment point and Enrollment proxy point roles.  That’s pretty easy, just install them the same as other roles.  There really aren’t any special configurations that need to be done, so just follow through the wizard.



Configuring SCCM 2012 for PKI and SSL: Setting up HTTPS communication

Recently, I’ve begun a rather large and complex SCCM implementation for a customer here in Seattle.  One of the requirements that they have is managing their rather extensive fleet of Apple laptops.  As you know, SP1 introduced OS X support, and that has expanded with R2.  However, I have never implemented this, and I was worried doing so might be a bit tricky.

This is my attempt at a soup-to-nuts guide at setting it up. As you know, PKI is a requirement for managing Macs, but you should be using SCCM in SSL-mode anyway. But why? I often hear people state that they don’t need encryption on a bunch of info about Windows patches etc. While this is true, it misses the point, and encryption is only a by-product of what we’re really after: authentication. SCCM is a very powerful tool, used to manage the configuration of your entire environment. Authenticating the servers that are doing the managing to the systems that are being managed is important.

Enough on that. For starters, I’ll assume the following:

  • A Windows domain
  • SCCM 2012 R2 installed and basic configurations completed
  • Active Directory Certificate Services is installed and configured

If you’ve not set up a domain or installed ADCS before, good luck with that.  I’ll try to look around for a good guide and post, but that is beyond the scope of this guide.  You can review the basics of ADCS here: http://technet.microsoft.com/en-us/library/hh831740.aspx

If you’ve not installed SCCM before, I highly recommend you check out MVP Niall Brady’s guides here: http://www.windows-noob.com/forums/index.php?/topic/4045-system-center-2012-configuration-manager-guides/

Clear?  Great!  Let’s get started.  We’ll need a few certs to put our site into HTTPS mode, so we’ll start by creating those here:

Workstation Client Certificate


Configuring Server 2008 x86 for use as a Distribution Point

So, I’m running into an interesting problem:

I have about 20 servers that are running 2008 SP2 x86 that are in remote offices that will be used as DPs in my customer’s 2012 site.  Installation is going well, and everything is working perfectly, except for these recurring errors in SMS_SITE_COMPONENT_MANAGER:

Severity,Type,Site code,Date / Time,System,Component,Message ID,Description
Error,Detail,PRI,8/1/2013 11:03:23 AM,PRIMARYSITESERVER.DOMAIN.local,SMS_SITE_COMPONENT_MANAGER,1039,Site Component Manager detected that the site server does not contain the binary files for the platform (processor architecture) of site system “\\REMOTEDP.DOMAIN.LOCAL”. Possible cause: When installing this site, you did not specify that the binary files for this site system’s platform should be installed on the site server. Solution: Use Configuration Manager Setup to modify the configuration of this site. When asked to select the server platforms for this site, select this site system’s platform. Possible cause: You accidently configured the site to use the wrong computer as a site system. Solution: Remove this site system from the list of site systems for this site, and add the correct site system to the list. The list appears in the Site Systems node of the Configuration Manager Console. Possible cause: The site system is turned off, not connected to the network, or not functioning properly. Solution: Verify that the site system is turned on, connected to the network, and functioning properly. Possible cause: Site Component Manager does not have sufficient access rights to remotely administer the site system. Solution: Verify that the Site System Installation accounts are properly configured to allow the site to remotely administer the site system. Possible cause: Network problems are preventing Site Component Manager from properly accessing to the site system. Solution: Investigate and correct any problems on your network.

 

I’m getting one every hour for each of the 2008 x86 servers.

WQL query to create a collection of newly installed systems

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_OPERATING_SYSTEM on SMS_G_System_OPERATING_SYSTEM.ResourceId = SMS_R_System.ResourceId where (DateDiff(day, SMS_G_System_OPERATING_SYSTEM.InstallDate, GetDate()) < 30)

-easy

Uninstall Internet Explorer 9 from Systems

Recently, I had to uninstall IE9 from a bunch of production machines for a client whose site I am working at. Because of other mitigating circumstances, this had to be done during the day, with notification to the user and without forcing a reboot. After a little bit of digging, I stumbled upon MS article 2579295, and after a little tweaking I was able to create a program with this command:

FORFILES /P %WINDIR%\servicing\Packages /M Microsoft-Windows-InternetExplorer-*9.*.mum /c "cmd /c echo Uninstalling package @fname && start /w pkgmgr /up:@fname /quiet /norestart"

Worked well when executed both in a task sequence and as a program. Cheers.

Use PowerShell to connect to multiple domains

To administer a second or third domain in AD via PowerShell, you’ll need to connect to the other domain thusly:

Import-Module ActiveDirectory
New-PSDrive -Name ADDriveName -PSProvider ActiveDirectory -Server 'mydomain.com' -root '//RootDSE/'

This cmdlet will allow you to create the connection as another drive in PowerShell, the same way that the AD: connection is created when you import the AD module.  Now, just type Set-Location ADDriveName: and you’re off.

McAfee Access Protection Prevents creation of boot disk in SCCM 2012 SP1

This has been driving me crazy the past couple of days:

https://kc.mcafee.com/corporate/index?page=content&id=KB76867&actp=search&viewlocale=en_US&searchid=1357907921573

Last week I started on an install for SCCM 2012 SP1 for a customer who has McAfee as the main security solution in their environment.  I have some previous experience with McAfee, and I hadn’t previously experienced any issues with it.  All of the previous clients I had that used McAfee were on 2012 RTM, and this was the first one I had done with SP1.  SP1 uses the ADK, instead of the AIK, of course, and all has not gone smoothly.

The first problem I encountered was with the site installation itself: the site seemed to install fine, but no boot images were created.  This seemed a bit odd, so I checked the ConfigMgrSetup.log file located on the root of C:\


The boot images were not created properly during setup.  The boot image files were both at their default location (\\server\SMS_sitecode\osd\boot) but they weren’t in the console.  I decided to try and import them manually:


A bit of an odd error message; however, the DISM log file showed that SCCM was unable to insert the OSD binaries into the WIM.  Now we’re getting somewhere.  I figured I’d try creating one from scratch with MDT.  That was also unsuccessful.


Searching around the web was not very helpful, as most people seemed to be reporting problems related to permissions.  Given the access denied error that others reported, and the fact that my permissions were fine, I believed the culprit would be McAfee.  Since the logs didn’t show McAfee blocking or deleting anything, I didn’t have much to go on.  I talked to the security team and got them to allow me to temporarily disable McAfee, and like clockwork, I was able to create a boot image.  My first thought was to exclude C:\Windows\Temp\BootImages from McAfee, but the customer’s security team wanted specific justification before adding any exclusions.  We tried it as a troubleshooting step, but once Access Protection was reactivated, the problem returned.

Earlier today I came across the article above from McAfee. Hopefully they’ll come to a more permanent solution, but for the time being, we need to turn off Access Protection whenever we update or edit any boot image, or perform offline servicing on a WIM.  I’ve been in other environments with SCCM 2012 SP1 and other AV solutions, such as Symantec Endpoint Protection, Kaspersky, and of course SCEP, but haven’t experienced this issue yet.

AV White-list Considerations

This issue has prompted me to review some of the community resources concerning AV policy on an SCCM site server.  My personal feeling is to exclude these locations from any AV client:

  • %programfiles%\Microsoft Configuration Manager\Inboxes\*
  • %programfiles(x86)%\Microsoft Configuration Manager\Inboxes\*
  • <C:>\ConfigMgr_OfflineImageServicing – defaults to the same drive the site is installed on
  • C:\Windows\TEMP\BootImages

You may want to review the following links for more information:

http://blogs.technet.com/b/systemcenterpfe/archive/2013/01/11/updated-system-center-2012-configuration-manager-antivirus-exclusions-with-more-details.aspx

http://www.systemcenterblog.nl/2012/05/09/anti-virus-scan-exclusions-for-configuration-manager-2012/

SCCM 2007:  http://blogs.technet.com/b/configurationmgr/archive/2010/11/30/configmgr-2007-antivirus-scan-and-exclusion-recommendations.aspx

-easy