AdminStudio is a product from Flexera Software that can be a complete, end-to-end application management system. It includes products for application modification and deployment. It comes with Repackager, Tuner, and InstallShield, as well as a host of other products. This article will focus exclusively on Repackager.

I will start with all of the information you need to know about Repackager, then go through a simple example where I repackage Mozilla Firefox into an MSI.

Background

Repackager is a product for converting legacy EXE installers into deployable MSI installers. It captures all changes made to a system during installation and creates an MSI from these changes. This product is very useful for administrators who must deploy software using Group Policy. GPO’s can only deploy MSI installers, so this a required product for an organization that does not have a system like System Center Configuration Manager.

Repackager can also be used to detect system changes that occur from configuring a product after installation. I use it all the time to see what changed on a system whenever I open a program and check a box in the program’s settings. This is especially useful if you must deploy an application with a certain set of settings. Repackager can tell you almost instantly what changed, and you can either deploy the MSI that is created from Repackager, or grab the file or registry key that changed.

Limitations

Repackager does have some limitations. It absolutely cannot capture drivers. Flexera is very open and forward about this. If an application installs a driver as part of its installation, Repackager is not a solution for deployment. In these instances, software installation is almost always a manual process and cannot be automated.

Another limitation is that Repackager can pick up erroneous data. If you do the snapshot method (more on that later), it will pick up EVERY change made to the system. That means if your virus scanner updates its definitions that will be picked up. If Windows Update runs a sync it will be picked up. The newest version of Repackager (v11.5) mitigates this somewhat with Installation Monitoring. I will go into more detail about this later in the article.

Lab Setup

To minimize capturing erroneous data with Repackager, I recommend creating a “clean” computer to do your capturing on. I also recommend that this be a virtual machine that can easily be snapshotted back to a clean state. Products such as Hyper-V, VirtualBox, and VMware Workstation can satisfy these requirements. I further recommend that you do not install virus protection and that you disable Windows Update and Windows Firewall. This will greatly reduce the amount of erroneous data captured with Repackager. I also do not join my Repackager machine to my domain or have it in my CM 2012 environment.

The AdminStudio suite can be installed on your primary machine. Version 9 debuted the Remote Repackager. This is a shared directory that gets mounted inside your VM. Repackager then runs from the clean machine, while the suite is installed on a different machine. Flexera has a very good guide for setting this up here: http://kb.flexerasoftware.com/doc/Helpnet/adminstudio901/Content/ashelplibrary/ISR_Optimal_Remote.htm. These directions are for version 9, but they work with the newest version (11.5).

One further recommendation is to repackage the application on the operating system that it will be deployed on. For example, if I’m deploying to Windows 7, I will repackage on Windows 7. The system is supposed to work crossing operating system versions, but I have had better experiences when keeping the operating system version the same. Also, I have noticed that architecture (32 vs. 64-bit) does not make a difference. If I am deploying to both, I still try to package the application in 32-bit.

Installation Monitoring vs. Snapshot

This is basically the only option your given (besides package name) when setting up a repackage. This is the method that Repackager will use when analyzing the application installation.

For simple applications, installation monitoring works really well. It watches the installation and captures the changes. This most suited for applications that need no extra configuration after install. You can adjust shortcuts after install, but that is it. If you need to make any configuration changes, snapshot is the method that you need to use.

Snapshot takes a “picture” of the operating system before and after install. It then analyzes the before and after and captures the changes. This is most suited for applications where post-install configuration is needed. This post-install configuration can be activating the software, clicking through the EULA, or just changing an application setting. Always make sure that your license agreement supports activating the software for all users or accepting the EULA on behalf of your users. If you launch the application before analyzing the changes, any change you make will be preserved in the captured MSI.

Overall, I use the snapshot method almost exclusively. Over time, I have seen better results with this method. There is more data that you have to exclude on every capture (more on exclusions later), but it seems to work better.

If you are trying to figure out a change outside of an installation, snapshot must be used. This is where you are trying to figure out what changes when you change an application setting, or anything post-install.

Exclusions

After capture, the repackaging wizard comes up. This is where you can exclude erroneous information. There is no set of items that you can automatically exclude after every capture. You must look at it the files and registry keys and decide if what Repackager captured really belongs with this installation. After doing a few these, you will get the hang of what can be excluded. If you find that you excluded something that should’ve been included, you can always change it back and rebuild the MSI.

A few general things to look for are files stored in Windows, system32/SysWOW64, and off the root of your system drive. Most applications do not write to these locations anymore. Again, you cannot just blanket exclude changes in these directories, but they are a good place to start.

On the registry side, things that write to HKLM\SOFTWARE\Microsoft or HKLM\Software\Classes can be excluded. In the Classes key, be sure not to exclude items that have to do with your product. Sometimes, file associations can be written to these registry keys. Also, anything written to HKLM\SYSTEM can normally be excluded.

The main thing to remember when excluding things is to just pay attention to what you are doing. If something seems like it’s needed, then keep it. Also, remember that if you exclude something and the install does not work, you can always go back and include it.

Example

Here is an example of the Repackager process. I am going to use Firefox as an example. This is a simple demo, but it will illustrate all of the features of the program. I will use the snapshot method to capture the installation. After install, I will set a bookmark that will persist into the MSI. After capture, I will compile it into an MSI, reset my VM to a snapshot, and install the MSI.

When you first open Repackager, you are presented with this screen. We want to capture an installation, so we select “Capture an Installation Using Repackaging Wizard”.

Next, you are presented with this screen. This is where you tell it if you want to use Installation Monitoring or Snapshot. Since I want to set a bookmark in my Firefox install, I am going to select snapshot.

On the next screen, I select multiple steps. The single step process is pretty much the same thing as installation monitoring, so we will not be able to customize Firefox. Once we analyze the system status, the second option, “Analyze system status changes”, will be selectable.

When we click “Next”, the system analysis will begin. This process can take some time, depending on your system. After the analysis is complete, you get this screen:

When you click Finish, the wizard goes away. This is where we install our application. I am not going to go through the Firefox install process, but I did use all of the defaults.

I am now going to open Firefox and set a bookmark.

While doing this, it also took care of initializing and authorizing any plugins. It also performed the import of IE settings.

Now that I have my configured application, I am going to launch the Repackager again. I select the “Capture an Installation Using Repackaging Wizard” option again. Select “Snapshot” again for the capture type, and you’re presented with this screen:

As you can see, the analyze system option is now selected. Just click “Next” on this screen.

Next is the product information page. Fill in these values and click “Next”. Note that the “Product Name” and “Company Name” options are required. These fields define their corresponding MSI property fields.

Keep the default package location on the next screen and click “Start”. Repackager now analyzes your system. Again, this process can take a few minutes. When it is done, click the “Finish” button. Repackager now launches the project.

This set of screens is where we can go through and exclude files, registry keys, and INI file settings. With this particular example, there were no files/folders that need to be excluded. Here is a screenshot of what I am excluding from the registry section:

As you can see, even with a simple installation, there were a lot of erroneous registry keys that the system captured.

Once you have gone through everything and excluded the bad data, we need to compile this into an MSI. You can do that by clicking the “Build” icon in the toolbar:

This constructs the MSI and saves it to “C:\Packages\MSI_Package”. You are looking for the file called “Firefox.msi” in this directory. Once you have the MSI, you can import it into SCCM, Group Policy, or whatever deployment system you choose.

After I built the MSI, I reverted my VM back to the snapshot and installed my MSI. Before reverting your VM, be sure that you copy the ENTIRE Packages directory off of the VM. You will need the entire directory (not just the MSI) to make any further changes.

Here is a screenshot of the Firefox windows, complete with my custom bookmark:

Summary

That was a quick and simple example of the power of Repackager. I have used it to repackage applications much more complicated, as well as capture settings such as the bookmark. I could have used Repackager to only capture the bookmark if I wanted too, or to simply find where the file is that controls Firefox bookmarks. More information and pricing for the entire AdminStudio suite can found here: http://www.flexerasoftware.com/.

CM 2012 does not provide a built-in method for alerting administrators when a remediation action fails for Endpoint Protection. When remediation fails, the device is still considered infected. Even more of a concern is if the infection changes Endpoint Protection settings.

This is the first of a two part series that will go over how to create an alert so that administrators can be notified when remediation fails. This part goes through the first half of creating the run-book, and next week will be the second half, and the other run-book that is required.

Background

In the Monitoring node on the CM 2012 console is a section for Endpoint Protection. If you expand this node, and select “System Center 2012 Endpoint Protection Status”, you can see a chart like this:

This chart shows you what is happening in almost real time. As you can see, I have four devices where remediation failed (ie the device is still infected) and one device where the malware modified the client settings. These are the machines we are focusing on.

By default, this chart updates every 20 minutes when Endpoint Protection summarization runs. You can set that value lower or higher by using the CM 2012 PowerShell cmdlets. Simply connect to CM 2012 using PowerShell (in the file menu of the console) and type:

Set-CMEndpointProtectionSummarizationSchedule -Interval <value> -UnitType <minutes, hours, or days>

To complete this runbook, your Orchestrator service account will need at least “Read-Only Analyst” in the CM 2012 console. This allows the service to execute WMI queries again CM 2012. If you want to do the query database step to grab the path of the infection, the Orchestrator service account will need “db_datareader” access to your CM 2012 database. You will also need to open port 1433 (TCP and UDP) from your Orchestrator runbook server to the server running the CM 2012 database. If you do not use the default SQL port, replace 1433 with the port number you use.

Preparing the System

For my process, I create a marker file that is the name of the device. I create this file in a share on the runbook server. You need to create this share before building the runbook. Creating the share is outside the scope of this article, but I do recommend hiding it (simply put a dollar sign ($) after the share name). Your Orchestrator service account will need Full Control rights for the share, and Read / Write / Modify NTFS rights to the folder containing the files.

When the runbook executes, it creates this file after sending the alert email. When the runbook executes again, it checks this directory for those files, and does not send another email if a file with the infected computer name exists. This is to prevent you from getting multiple emails for a single computer. I then have another runbook that runs that deletes these files once the computer is cleaned (more on that later).

Creating the Alert Runbook

Here is a picture of what your runbook will look like:

It looks complicated, but it’s actually quite simple. The items on the top line are the “essential” processes. These are what gathers the data and does the processing. The bottom line can be left out if you want. I will go through each one individually.

Find Computers with Remediation Errors

To get started, expand the “System” integration pack and drag a “Run .Net Script” activity into your workspace. Open it, click the “General” node, and give this step a name. I named mine “Find Computers with Remediation Errors”. Next, go back to the “Details” node, and set the language type to PowerShell. In the box, paste this code:

This step creates an array of all devices where the EPInfectionStatus property is set to “4”. When a device infection status is set to four, it means that remediation has failed or the client settings have been modified by the infection.

Next, click on the “Published Data” node. Click the “Add” button, and fill the box in like this:

This publishes the list of devices to the next step. The variable name field is the value you assigned to the variable, and the name field is a common name for the variable.

Check to see if Computer has Alerted Already

Drag another “Run .Net Script” activity into your workspace. Open it, give it a name, and return to the Details node. Change the language type to PowerShell, and paste the following code into the script box:

$comps = “{Computer Name from “Find Computers with Remediation Errors”}”

$alerted = “No”

ForEach ($comp in $comps) {
If ((test-path \\<FDQN of server running marker share>\<share name>\EP\$comp) -eq $true) {
$alerted = “Yes” }
}

Delete the “{Computer Name from “Find Computers with Remediation Errors”}” part (leaving the outside quotes). In its place, right-click, go to “Subscribe”, and select “Published Data”. Select “Computer Name” from the box, and click ok. This inserts the variable. Remember this, as we will be doing this a lot through the rest of the article.

Now we need to publish some more data. Open the “Published Data” node again, select “Add”, and fill the box out like this:

This publishes the “alerted” variable to the next step, which tells the system there has already been an alert generated for this device.

Process Computer Data

Next, create another “Run .Net Script” activity. Open it, give it a name, and go to the “Details” node. Change the type to PowerShell. This the main activity in the runbook. It is what gathers all of the data needed to generate the alert email. Paste this code into the script box:

$comp = Get-WmiObject -ComputerName <FQDN of CM 2012 server> -namespace “root\sms\site_ <CM 2012 site code>” -class SMS_CombinedDeviceResources | Where-Object -FilterScript {$_.Name -
eq “{Computer Name from “Find Computers with Remediation Errors”}”}

ForEach ($infection in $comp) {

$compname = $infection.Name
$resourceid = $infection.ResourceID
$infectionname = $infection.EPLastThreatName
$sigversion = $infection.EPAntivirusSignatureLastVersion
If (($infection.EPAntispywareSignatureLastUpdateDateTime) -gt “1″) {$virdefupdate =
$infection.ConvertToDateTime($infection.EPAntispywareSignatureLastUpdateDateTime)}

If (($infection.EPLastFullScanDateTimeEnd) -gt “1″) {$fullscan =
$infection.ConvertToDateTime($infection.EPLastFullScanDateTimeEnd)}

If (($infection.EPLastInfectionTime) -gt “1″) {$lastinf =
$infection.ConvertToDateTime($infection.EPLastInfectionTime)}
}

$usra = (Get-WmiObject -ComputerName  <FQDN of CM 2012 server> -namespace “root\sms\site_<CM2012 site code>” -class SMS_UserMachineRelationship | Where-Object -FilterScript {$_.ResourceName -
eq “{Computer Name from “Find Computers with Remediation Errors”}“}).UniqueUserName
ForEach ($usr in $usra) {

If ($usr -like “*”) {
$ = $usr
$usrname = $.replace(“\”,”") }
}

$ipa = (Get-WmiObject -ComputerName <FQDN of CM 2012 server> -namespace “root\sms\site_ <CM2012 site code>” -class SMS_R_System | Where-Object -FilterScript {$_.Name -eq “{Computer Name
from “Find Computers with Remediation Errors”}”}).IPAddresses
ForEach ($ip in $ipa) {

If ($ip -like “.*”) {
$ippub += $ip }
}

In this step, we are running three WMI queries against the CM 2012 server. The first pulls all relevant information from the SMS_CombinedDeviceResourses class. It is pulling the computer name, the resource ID of the infected client, the name of the infection, the anti-virus definition file version, the date and time of the last definition update, the date and time of the last full scan, and the date and time that the device was infected. All of this data, except for the resource ID, will be used in the email. We will need the resource ID for the query database step. All of the date and time variables are channeled through IF statements because the “ConvertToDateTime” action will error the PowerShell statement if the field is blank. I am not sure at this point why the field would be blank, but I have noticed it in some cases.

The second WMI query is pulling the primary user of the machine. It is also tunneled through an IF statement, because that value can also be a local user. This step pulls local users out, and only sends through the domain user. This is important in the “Get User” step that is coming up. Replace <domain name> with your domain name.

Finally, the third WMI query is pulling the IP address(es). This is piped through an IF statement also to strip off non-company IP addresses that get stored in CM 2012. Replace <first two octets of IP range> with the first two sets of numbers from your organization’s IP range. Make sure you keep the “.*” as is. It would appear that this section would form an array if a computer has a wired and wireless card. Because we do not have $ippub = @(), the array is never actually formed. If you actually type this into PowerShell and view the output, it will look similar to “192.168.2.3192.168.2.4”. This is the purpose of the next item. We will split these into two sections. It is important that this step is not an array, because Orchestrator recognizes an array and splits it into separate jobs, which would create two emails for one computer. This process (not adding $ippub = @()), essentially “flattens” the array.

Now we need to set up our published data. If you go to the “Published Data”, set it up like this using the same method from above:

To finish this action, we need to modify the connection between “Check to see if computer has already alerted” and “Process Computer Data”. If you double-click on the arrow connecting the two, you get a box like this:

If you click on “Check to see if computer has alerted already”, you select “alerted”. Once you do that, the statement changes so that it will only proceed if “alerted” equals some value. You specify this value by clicking on “value”. Put a value of No in this box. Once complete, it should look like this:

This concludes this part of the series. Next week we will talk about the second half of this runbook, and the runbook that removes the markers when created.

This is the second part in a series about migrating from SCCM 2007 to CM 2012. For a high-level overview of the migration process, please click here: http://www.windowsmanagementexperts.com/migrating-from-sccm-2007-to-system-center-2012-configuration-manager/migrating-from-sccm-2007-to-system-center-2012-configuration-manager.htm.

There are several key points that are worth mentioning again from the first article. The first is the planning your migration is vital. You must determine what data needs to be migrated, and what data needs to be rebuilt or redesigned. Second, collections are now either user or device based, not both. If you rely on collections with both users and devices, those collections will have to be redesigned. Third, not everything can be migrated. For a full list of what can and cannot be migrated, see this TechNet article: http://technet.microsoft.com/en-us/library/gg712991.aspx.

Setting up your migration

When setting up your migration, you need an Active Directory account that has full administrator rights in CM 2012. Microsoft recommends making this account the computer account for the 2012 primary server. This same account needs read access to all objects in your SCCM 2007 site. It also needs db_datareader and smsschm_users access to the SCCM 2007 database. You also must add this account to the “Distributed COM Users” group on your SCCM 2007 site server. By granting this account essentially read access to your SCCM 2007 environment, CM 2012 can make no modifications to it, so there is no risk of one system messing up the other system.

You must also open ports 445, 135, and 1433 (all TCP) from your CM 2012 server to your SCCM 2007 server. Port 1433 is for access to the SQL server, so adjust that accordingly if your SQL server runs on a different port.

Once your migration account and ports are configured, open your CM 2012 console and click on the “Administration” node. Expand the “Migration” tab, and right-click on “Source Hierarchy”. Select the “Specify Source Hierarchy” option. This is where you tie your SCCM 2007 system to your CM 2012 system. You should get a windows like this:

From this window, you specify all of the settings required for migration. In this window, the “Top-level Configuration Manager site server” is the FQDN of your SCCM 2007 server. Also, “source hierarchy” means your SCCM 2007 environment, and “destination hierarchy” means you CM 2012 environment. I recommend using the same account for the SMS Provider access and the SQL Server access. Once all of the information is provided, click OK, and CM 2012 begins to scan your SCCM 2007 environment.

Migrating objects

Once CM 2012 is done scanning the environment, you can set up migration jobs. From the CM 2012 console, select the “Administration” node, then the Migration tab, right-click on Migration Jobs, and select “Create Migration Job”. Give your job a name, then select the “Job type” drop-down box. You are presented with three options – Collection migration, Object migration, and Objects modified after migration.

Object migration is packages, task sequences, driver packages, images, etc. This makes a direct copy of the object, so if your source directory changes, you will have to change it on the package once it is imported into CM 2012. Migrate your objects in this order:

1. Software Distribution Packages

2. Operating System Deployment Images

3. Operating System Deployment Drivers

4. Operating System Deployment Driver Packages

5. Recreate your Boot Images (not migrate)

6. Task Sequences

Following this order will ensure that your task sequences are migrated successfully. Migrating your boot images is possible, but CM 2012 will want to recreate them with the newest version of WinPE, so recreating them is usually a better method then migration.

When migrating any objects, simply select the type, then the object (or group of objects), and then click Next.

You are then asked to confirm the sites. You should be able to keep the defaults. The next screen asks you to assign security scopes. Security scopes are outside of the scope of this article, but they basically are the new way to assign security rights in CM 2012 and work a lot like groups. Select the appropriate scopes, and click next. Read over the job information, then click next. The schedule window allows you to either run the job now, or schedule it. If you are migrating a lot of objects at once, scheduling the job may be beneficial, because the import process can be resource intensive on both the SCCM 2007 and CM 2012 servers. You can also specify what to do if there is a conflict. This runs based on the object ID and not the name, so be mindful of that. You can either set it to not overwrite current objects, or overwrite objects. Finally, you can have the system keep the same folder structure in the console.

After completing this window, click Next and view the Summary. If everything is correct, click Next and the migration job will execute.

Collection migration is exactly what it says – it migrates collections and their settings. This is also where you can migrate advertisements and turn them into deployments. The system reads the fact that there are advertisements related to the collection, and asks you if want to migrate those as well. If you plan to migrate advertisements, I would recommend doing collections last, because the packages and task sequences must be in place before the deployments can be created.

To migrate a collection, right-click on “Migration Jobs” and select “Create Migration Job”. Give the job a name, and leave “Job type” as “Collection”. Keep in mind that you cannot migrate collections that have both users and devices. These collections will not even show up in this list. You can click the “View Collections that Cannot Migrate” to see a list of these collections.

If you want to migrate advertisements, keep the “Migrate objects that are associated with the specified collections” option checked.

Check the collections that you want to migrate, and click Next.

The screen will list the deployments and packages associated with the collections that you selected. You can uncheck any of these options if you do not want to migrate something. Keep “Software Distribution Packages” checked, even though you have already migrated them. Click Next when you are ready to move on to the next screen.

Click Next through the site ownership screen. The next screen is the Security Scope screen. Apply security scopes as needed. Click Next through the next two screens (Collection Limiting and Site Code Replacement). Review the information on the next screen, and click Next. Configure schedule, conflict options, and organizational folder options on the Settings screen. These are the same settings we saw when migrating objects. The only new addition is the “Enable programs for deployment in the destination hierarchy after an advertisement is migrated from a source hierarchy”. This option does exactly what is says – activates a deployment after it is migrated. Click Next after all of the settings are configured. Review the summary, and click Next to run the job.

The final migration “Job type” is “Objects modified after migration”. This allows you to update an object if it is already been migrated. It will overwrite the object in the CM 2012 environment, so be careful when using this. It runs off the object ID, so just changing the object name will not keep it from being overwritten.

Summary

The most important thing with migrating from SCCM 2007 to CM 2012 is planning. It is critical to the success of your migration. When done correctly, migration can be very easy and really cut down on the time that you must maintain two systems. Lay out what you want to migrate and a timetable to get it done, and let the system do the rest.

Please be sure to come back for the third part in the series about how to migrate clients.

This is an article in a continuing series on the new Application model in SCCM 2012. You can find a high level overview of applications and how they differ from packages here: http://www.windowsmanagementexperts.com/sccm-2012-applications-vs-packages/sccm-2012-applications-vs-packages.htm.

Detection methods allow the administrator to check software installs to ensure that the application is not already installed. It can also prevent an install of an application if it conflicts with another application that is already installed. Also, during the normal “Application Deployment Evaluation Cycle”, the SCCM client can detect whether an application is installed using these methods, even if the user did not use Software Center or the Application Catalog to install it.

Default Detection Types

There are three default ways that SCCM can detect an application. Any of these methods work great, especially given the granularity at which the administrator can define the method.

File System

The first method is file system. This method detects whether a file or folder is present on the system. If the file system object is not present, the application is marked as not installed. The administrator can mark it as just being present, or apply logic to say that the file or folder had to have been modified after a certain date or equal a particular file version (just to name a few). You can use the “Browse” button to find the file on your computer. This will pull in all relevant information, such as the file version or modified date. You can also use the “Computer name” box to connect to a remote computer (Windows Remote Management must enabled in your environment for this to work).

One important thing to watch is the “This file or folder is associated with a 32-bit application on 64-bit systems” check box. By default, if you are on a 64-bit system, SCCM will only verify against “C:\Program Files” or “C:\Windows\system32” for files or folders and not “Program Files (x86)” or “SysWOW64”. If the application installs to “C:\ProgramFiles (x86)” or puts something in “C:\Windows\SysWOW64” and you queue off of that file, SCCM will not find it. When the user attempts to run the application, it will install again, possibly corrupting it or making it unusable.

Registry

The second method is registry. The first thing to select here is the hive. You can select any registry hive you want. You can use the “Browse” button in the same way that you can for file system. You simply put the Key path in the “Key” box, and the value in the “Value” box. In the “Data Type” box, select the type of the data the value holds. If you must test for the data in a key, select the “This registry setting must satisfy the following rule to indicate the presence of this application” and fill in the data in the “Value” box.

I would caution against using a key in HKEY_CURRENT_USER. This hive is loaded per user, and every user’s CURRENT_USER hive is different. Using this hive will work if the application can only be installed per user, instead for all users on a machine.

As with the file system method, pay attention to the “This registry key is associated with a 32-bit application on 64-bit systems” check box. This checkbox needs to be checked if you are targeting a key on a 64-bit system that gets put into “HKEY_LOCAL_MACHINE\SOFTWARE\Wow64Node” or “HKEY_CURRENT_USER\SOFTWARE\Wow64Node”.

Windows Installer

The third method is Windows Installer. This method is automatically filled in when using an MSI install type. This method detects whether the MSI product code exists on the system. This method should only be used when dealing with an MSI. If you do not use the MSI install type, you can use the “Browse” button and find the MSI installer to automatically pull the product code.

For products that update, but keep the same product code, you can use the “This MSI product code must exist on the target system and the following condition must be met to indicate the presence of this application” options to specify the version of the MSI. A product keeps the same product code if it updates via an .MSP file. It is best to test these before deploying them.

Custom Detection

If you cannot adequately detect your application using one of the default methods, you can use a custom script. SCCM determines that the application is installed if the script returns successful. To use a custom script, select “Use a custom script to detect the presence of this deployment type”. Click the “Edit” button to bring up the script window.

From the edit window, there are three script types. You can select PowerShell, VBScript, or JScript, depending on your preference. If you already have the script typed up, you can hit the browse button to find it, and SCCM will import it for you.

Again, pay attention to the “Run script as 32-bit process on 64-bit clients” check box. SCCM must execute the script properly for it to detect the application.

Logs

It can be difficult to get these methods working if they are complex. There are two logs that you can reference to see what SCCM is doing. They are “Appenforce.log” and “Appdiscovery.log”. These will give you detailed information on what exactly SCCM sees when it runs the detection methods, and the subsequent result. Appenforce.log shows the actual install of the program, while the Appdiscovery.log shows the discovery engine testing the machine for the deployment method. These logs can be found in “C:\Windows\CCM\logs” and are viewable using the CMTrace.exe tool.

Summary

While complex, these new detection methods allow administrators to finely tune their installers to ensure that they only get to the devices that need them. Setting these detection methods up correctly will also give you a better count of machines that have something installed. Even if the user does not install the application from Software Center or the Application Catalog, their devices will still register as having the program. This is a huge step forward in software management. This final screenshot illustrates this fact. The application shown here was only converted from a package to an application a week before this article’s writing. All of the machines in this count installed this software before it was converted. These statistics are viewable just be clicking on the application in the SCCM console.

With the introduction of SCCM 2012, Microsoft debuted a new way of managing software. This method is Applications. The new application model closed a lot of the gaps left by packages in SCCM 2007. This article will go through the similarities and differences between the two, and will also tell you when one may be better then the other.

The application model, combined with the application catalog, is where Microsoft is going. The day will most likely come where there is no Software Center and everything is done via the website that hosts the application catalog. Learning how to create and manage applications now, as well as beginning to slowly migrate your legacy packages to applications, will benefit you in the long run.

Differences

I will start with a quick run-through of the differences between applications and packages. First, applications are primarily designed for user deployments, while packages are primarily designed for device deployments. You can still use packages for user deployments and applications for device deployments – the settings in each type are just more geared for one versus the other. Either of these types can also be installed using required deployments, either for user or device.

Second, applications can utilize the new approval request feature. This is the feature that allows the administrator to deploy applications to a wider user base, while still maintaining license control. You can find an entire article on approval requests here: http://www.windowsmanagementexperts.com/sccm-2012-%E2%80%93-application-requests-and-orchestrator-alert-2/sccm-2012-%E2%80%93-application-requests-and-orchestrator-alert-2.htm.

Third, applications provide a much greater level of detail when looking at the application’s deployment status. It pulls up error codes, and also has more categories of statuses.

Fourth, the application feature can deploy apps to devices that are in the Apple App Store (for iOS devices), Google Play store (Android devices) or the Windows Store (for Windows Phone or Windows 8). This allows administrators to provide these apps in a managed format.

Applications

Applications give you more options to target particular devices. You can set detection method clauses to determine if a particular file, folder, registry key, or Windows installer code exists. If the condition is met, then the application either runs or it doesn’t, depending on what the administrator specifies. With packages, the administrator would have to specify certain files or file types in the Software Inventory section of the SCCM client. SCCM must have a pervious inventory record of these files or file types to create collections based on them. The application model makes this whole process much simpler, because it can look at any criteria on the fly. An article on these methods is forthcoming.

Applications can also be superseded. This means that if you update your version of Flash player, and you supersede the old version, the application will re-run, and install the new version of Flash without having to redeploy it. Applications provide an entire process of developing an application, deploying it, and then eventually retiring it.

For certain installer types, applications are very easy. If you have a MSI, SCCM will automatically set the name, manufacturer, version, and uninstall string (you change these if you want) for you. It will also set the detection clause for you based on the Windows installer code. This doesn’t only apply to MSI’s. It also applies to apps for the Windows Store that comes with Windows 8. Applications that come in a Scriptable installs format (i.e. EXE’s) will still work with the application method, but the administrator must add all of this information manually.

Finally, applications utilize single-instance storage (now called the content library), meaning that they only need to store the content once on your distribution points. For packages, content must be saved to the distribution point and to the package share to deploy software from the network (i.e. not have to download the content then run it). Applications do not have this restriction. They get saved one time, and run either from the network or by downloading the content first.

Packages

Packages are far easier and less time consuming to set up than applications. For an application, the administrator must figure out the correct detection clause, and fill out a lot more information. Packages are created the same way they are created in SCCM 2007, and the administrator only has about five screens to go through.

Also, management of the deployment of specific programs is separated with packages. With applications, you are deploying all of the deployment types that you set up. You cannot pick only one to deploy. The biggest issue this gives is if you need different user experience settings for an install from Software Center versus an install from a task sequence. Say you have one deployment type that is set to run only when a user is logged in or allow the user to interact with the program. Applications or Packages cannot be added to a task sequence with either of these settings. For applications, you would have to have two separate applications to do this.

One glaring disadvantage to packages is reporting. Applications have much more detailed reporting then packages. With packages you only get whether the install was success or failed.

Example of Application Deployment Status

Example of Package Deployment Status

Summary

Because Microsoft is moving towards the application model, enterprises running SCCM 2012 should begin migrating their legacy packages to applications. A tool to help you convert your packages to applications is available at: http://www.microsoft.com/en-us/download/details.aspx?id=34605. I hope this article helped explain a little bit of the differences between the two.