A customer of mine asked me to create a new Windows 8.1 Enterprise SOE (golden image, standard image, whatever) and also customize the Start Menu and Start Screen layout.
This customer is pretty easy as most of their applications are web apps. Therefor I only have to deploy all the shortcuts to their web applications. Job done. Easy.
I asked the customer to give me all their shortcuts so that I can then copy them to the default user’s profile during deployment (in this case MDT 2013 stand alone, but that doesn’t matter).
The special thing here is that this customer also likes to have custom icons for each of their shortcuts, just so that users easily recognize the app they need. For demo’s sake I created a shortcut to Google.com.au in my environment, it would’ve also worked with Bing.com or any other search engine of your choice.
The Google shortcut in the file system also shows the custom icon.
I now needed to pin all these custom shortcuts to the Start Screen and then export the Start Screen layout.
Export and Import custom Start Screen with PowerShell
I don’t want to repeat everything other intelligent community members wrote on this topic, so I will just give you the PowerShell cmdlet I used to export the Start Layout:
Export-StartLayout -As BIN -Path $Servername\CustomStartLayout.bin
Export-StartLayout -As XML -Path $Servername\CustomStartLayout.xml
I started pinning the custom shortcuts to Start and when I navigated back to the Start Screen I found this:
Where is my custom icon? It’s there when I look at the shortcut via “All Apps”, but it’s gone as soon as I pin the app to the Start Screen. Strange.
It took me a while to find the issue, although I can only speculate on the why.
Shortcuts and Internet Shortcuts
The reason why the shortcuts behaved strange was because they were configured to launch an application, they were actually launching iexplore.exe and that is probably why the live tile thinks it should show the ugly Internet Explorer icon.
There is another type of shortcuts, called Internet Shortcuts, which you can deploy just the same as a regular shortcut by copying the LNK file or via GPP.
After I created an Internet shortcut, assigned the custom icon and pinned it to the Start Screen it now looks as expected – nearly.
The icon works and I can now deploy the custom Start Layout.
How to change the background color of tiles?
Last issue that remains, and I still haven’t found a solution for it, is the background color of the tiles. For whatever reason they all take that ugly grey-ish background. If there’s anybody reading this that knows how to change it, that would be very appreciated.
Using PowerShell to manage Windows Updates on computers follows along the old "even if you could, should you?" adage. From a techie’s perspective that answer is always a resounding "Yes!" In the movies, though, repercussions are always unexpected, usually dreadful, and most times hilarious.
There are an overabundance of ways for managing updates on Windows computers. Microsoft System Center Configuration Manager, WSUS, GPO, and 3rd party vendors round out a pretty full stable of options. But, for PowerShell geeks these methods are boring.
Michael Gajda, Microsoft MVP, has developed a Windows Update PowerShell Module that can be used to manage the Windows Update service running on client and server computers. Using the module, you can check, download, install, or remove updates.
The module is up to version 1.5.1 and contains the following PowerShell functions:
System Center 2012 Configuration Manager Support Center helps you to gather information about System Center 2012 Configuration Manager clients, so that you can more easily address issues with those clients when working with product support specialists. Configuration Manager Support Center includes a tool that gathers a bundle of log files, and also a tool that is used by product support specialists to examine log files and other client data for in-depth analysis of issues with Configuration Manager clients.
During a PXE boot, when the boot image file is being loaded in the client, it should not take any longer than a few minutes time depending on the size of the boot.wim and your network. If it seems that your PXE boot times are extremely slow, you may be able to speed up the process by increasing the TFTP block size. This article will show you how to speed up PXE boot in WDS and SCCM.
Trivial File Transfer Protocol (TFTP) is the network protocol used for downloading all files during network boots. TFTP is an inherently slow protocol because it requires one ACK (acknowledgment) packet for each block of data that is sent. The server will not send the next block in the sequence until the ACK packet for the previous block is received. As a result, on a slow network, the round-trip time can be very long.
Follow the steps below to increase the TFTP block size in both a WDS and SCCM 2007 environment.
If you are using WDS without SCCM 2007
On the WDS server find the file default.bcd in the \REMOTEINSTALL\Boot\x86 folder (This was the folder you setup when you configured WDS)
Copy default.bcd from the \REMOTEINSTALL\Boot\x86 folder to the local C:\ drive
Then from a command line type: Bcdedit -store c:\default.bcd -set {68d9e51c-a129-4ee1-9725-2ab00a957daf} ramdisktftpblocksize 16384
Make a copy of the original \REMOTEINSTALL\Boot\x86\default.bcd file by changing the extension to default.bcd.backup
Copy the c:\default.bcd back to it’s original location at \REMOTEINSTALL\Boot\x86
Now repeat steps 1 thru 5 for the \REMOTEINSTALL\Boot\amd64\default.bcd
Then on the WDSServer from a command prompt type: Sc control wdsserver 129
If you are using SCCM 2007 without SP2
If you do not have SP2 for SCCM 2007 installed, you need to download and install the hotfix located here on the PXE site server
Once you have the hotfix installed, you need to add the registry key:
Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\PXE (for a 32 bit OS) or HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\SMS\PXE (for a 64 bit OS)
Name: RamDiskTFTPBlockSize
TYPE: REG_DWORD
Value: 16384
If you are using SCCM 2007 with SP2 or higher
When using SCCM 2007 with SP2 you just have to add the registry key to the site server with PXE as the hotfix is already included:
Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\PXE (for a 32 bit OS) or HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\SMS\PXE (for a 64 bit OS)
Name: RamDiskTFTPBlockSize
TYPE: REG_DWORD
Value: 16384 (change radio button to decimal)
If you are using SCCM 2012
When using SCCM 2012 you just have to add the registry key to the site server and restart the WDS service:
Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\DP
Name: RamDiskTFTPBlockSize
TYPE: REG_DWORD
Value: 16384 (change radio button to decimal)
NOTE: It is highly recommend that you increase this setting in multiples of 4096, 8192, 16384, and so forth, but do not exceed a value higher than 16384 or this could cause corruption.
If having issues with sluggishness, try; If you used 16384 as the block size, but this may not be a fit for all environments. You basically have to do some trial and error until you find the right match. Try using 4096 or 8192 and see if the issue persists.
This post which might help someone with the same problem, I had this annoying error which was PXE E99 when PXE booting using UEFI network boot on my gen 2 HyperV vm’s. These Gen 2 vm’s were on one of my 6 virtual switches in HyperV which I have created using a simple naming scheme to easily identify the network, eg: #1_CM12, #2_CM12 and so on.
Problem
While attempting UEFI network boot I was getting PXE E-99 on my Gen 2 vm’s (the Gen 1 vm’s cannot UEFI boot as they only have a legacy bios). The error translates to “PXE-E99: Unexpected network error.” No matter what I did server side (I tried installing new distribution points on Server 2012 R2, new X64 boot wims, etc, nothing helped,. even DHCP server options) all to no avail.
Network cable unplugged in Windows ?
Finally I got another problem (unrelated or so I thought) where my Gen 2 network adapters failed to get any ip address in Windows, and the cause according to Windows was that the network cable was unplugged, that was odd because they were definetly connected to my #1_CM12 HyperV Private Virtual Switch.
No amount of fiddling with the Gen 2 VM’s fixed that problem, I even deleted the nic on one of the Gen 2 VM’s and added a new one, that didn’t help either.
Finally I tried changing the HyperV Switch to the next in line #2_CM12, and the Gen 2 vm’s got connected immediately. The Network cable unplugged message went away and they got an ip from my other switch.
I set them back to #1_CM12 and again, network cable unplugged even though all my Gen 1 vm’s were working fine on the same switch, so in desperation I deleted that switch and recreated it, added my vm’s back to the ‘new’ #1_CM12 and lo and behold the ‘network cable unplugged’ issue was fixed.
Anyhow after fixing that issue I got back to what I was originally testing (UEFI network boot) and I PXE booted my Gen 2 v and voila, the PXE E99 error was gone and all worked fine after that point.
Summary
If you are getting strange things happening (network wise) on your Gen 2 vm’s and if nothing you do helps the situation then try what I did, delete the HyperV private virtual switch and recreate it, it worked for me !
Note: a web clip is a custom icon that is displayed on a user’s home screen. Users tap the icon to reach your web content in one easy step.
Problem
Due to the Apple App Store submission guidelines, line-of-business apps deployed through Windows Intune cannot be viewed from the Windows Intune Company Portal app for iOS. When these types of apps are deployed as an optional install, they are only visible from the Mobile Web Portal (MWP) on an iOS device.
Information workers need a way to discover additional apps through the Mobile Web Portal (MWP) easily.
Solution
Create and deploy a web clip to end users that links to the Mobile Web Portal which contains any optional line-of-business apps available for the user.
Scenario
You decide to start supporting in-house apps for iOS.
You want to provide a shortcut into the Mobile Web Portal for use on an iOS device.
Download a file containing the web clip properties.
Download and import an “App Package” that contains all of the localized strings for the web clip.
Instruction
Use these instructions to create and deploy a web clip for iOS devices that opens the MWP.
System Center Configuration Manager Deployment
Open the Configuration Manager Console
In the Software Library workspace, click Applications, then click Create Application
In the Type drop-down list, select Web Application
For location, enter . Click Next >
After reviewing the imported information on the next screen, click Next > again
In the Name: box, enter a name, such as Get Apps. Fill out the remaining fields accordingly
Click Next, review the results And then click Next again
Click Close to exit the wizard
Select the application and then click Deploy (right-click or in ribbon)
Windows Intune Deployment
Open the Windows Intune administrator console
Publish a web app with the URL, , through the Windows Intune Software Publishing Application
Providing users with easy access to the MWP ensures that everyone has access to the apps they need. Creating and deploying a web clip for iOS devices is a simple and effective way to accomplish this goal.
When you create a reference Image it will in most cases it will be updated with patches and some more patches and then some… That will make the image bigger and therefore the deployment of that image will take longer and consume more network resources. That can be corrected by getting rid of superseded patches, junk, temp files and much more. MDT does take care of much using the wimscript.ini during the capture process, but not all, not the old updates among other things.
The Solution
Since MDT is the preferred method to create reference images you can download the script, import it as an application and then run the application just before the Sysprep and Capture step. The Script works for the following versions of Windows:
The script will use clenmgr.exe in all client versions of Windows. In Windows Server 2008 R2 it also uses clenmgr.exe, but it is never installed, instead it is copied from the SXS folder, that way we don’t need to install Desktop Experience. On Windows 8 and Server 2012 the script also runs the dism /online /clenup-image /startcomponentclenup and on 8.1 and server 2012 R2 the script adds the /Resetbase to make it impossible to remove patches.
Open the Deployment Workbench and browse to the Application node and import the folder you downloaded, giver it a name and as command line you type:
cscript.exe Action-CleanupBeforeSysprep.wsf
Modify the Task Sequence
Open your task sequence and before the Sysprep and capture step, something like this works fine.
Add the HotFix (only for Windows 7 SP1 and Windows Server 2008 R2)
You need to add the patches in the deployment workbench. If you would like the deployment of the reference image to a bit faster, create three folders put the correct patch in each folder and then create corresponding Selection Profiles and modify the Task Sequence to use them. You download the update here http://support.microsoft.com/kb/2852386
Here you can see the patches imported in the Deployment Workbench.
The patches you need.
Here you can see the Selection Profiles and the selection in one of them.
The Selection Profiles.
Here you can see how the modification in the Task Sequence.
The Task Sequence modification to inject the the correct patch to the correct OS.
Posted on: Friday, May 30, 2014 3:06 PM Author: micham Subject: Sideloading Store Apps to Windows 8.1 DevicesView article…The term sideloading refers to the installation of Store Apps by an IT Administrator on a Windows device. Typically, the App in question is a line of business (LOB)application that is internal to the company. Therefore, the company (maybe your customer if you are and ISV) will want to make it available only to its employees rather than making it publically accessible Windows Store. This is not to say that there are no LOB Store Apps published in the Windows Store. Have a look at the SAP client Apps, for example.There a three aspects that you may have to deal with when considering LOB sideloading: licensing requirements, technical requirements and management of sideloaded apps. You will want to understand all of them to understand if there is additional cost, how plan for the best way to enable your devices for sideloading or what are your options for handling new App version updates. Let´s have a look then.
1. Sideloading Licensing Requirements
Sideloading functionality is available “out of the box” for Windows 8.1 Professional and Windows 8.1 Enterprise but only if they are domain-joined. The addition of the Professional edition is new and has been announced as recently as April 2014:
“Easier Deployment – Delivering Windows 8.1 Update via Windows Update allows businesses to deploy updates with increased predictability. And, to help businesses develop and deploy modern apps for their workforce, we are enabling sideloading for any domain-joined Windows Pro PC or tablet”
The Windows 8.1 Professional, Windows 8.1 Enterprise that are not domain-joined and the Windows 8.1 RT edition (that cannot be domain-joined) still can be enabled for sideloading but will require a sideloading key that has to be installed and activated on the device. It is a multiple activation key (MAK) and you can obtain it from the reseller.
page 12 and further has a full detail in section “Windows 8.1 Enterprise Sideloading”.
Typically, the sideloading activation key will have to be acquired by to owner of the operating system license. So how much it is going to cost? Well, the thing to check is if you have existing volume licensing Enterprise Agreement with Microsoft. The licensing guide mentioned above lists all of the programs that include them free of charge as of 1 May. If you are in a qualifying licensing program, just contact your reseller who will make the keys available to you.
If you do not have a qualifying volume licensing program then you can purchase from a reseller unlimited number of sideloading activation keys for approx. $100 through the Open contract as also mentioned by [1]. The best thing is to contact the reseller that you normally work with to check out all these options for your particular case.
PartNumber
PartDesc
4UN-00005
WinSideloadingRights SNGL OLP NL Qlfd
So in summary, if you are dealing with devices that will not be in domain and you want to install LOB Store App you will need the sideloading activation key. Before you attempt the installation, however, the devices will have to be prepared by your IT pro, so read on.
2. Technical Requirements for Sideloading
There are three technical requirements that have to be met by the device before you attempt to install Store App on it regardless if you are doing it manually, via Powershell scripts or via Mobile Device Management system such as Windows Intune. You will find them explained in
but here they are summarized and I illustrate them with screenshots taken on Windows 8.1 Professional with Update 1 that is not domain joined and therefore requires all the steps.
1. Enable the Windows Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Appx\AllowAllTrustedApps = 1.
If you are dealing with domain joined device you get this key set via group policy Allow all trusted applications to install. If you are preparing a device that will not domain joined you will most likely find out that the Appx in not present in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows. In that case: a) create a New Key named Appx b) right click the Appx node you just created and select New-> DWORD (32-Bit) Value, assign it a Name AllowAllTrustedApps c)right click the DWORD you just created and select Modify and type 1 in the Value Data. You should have an entry as per figure below:
.
Figure 1. AllowAllTrustedApps Windows Registry Key2. Ensure that the
2. Ensure that the code signing certificate has been issued by a trusted certification authority.
All Store App packages are signed with a code signing certificate. If the developer uses an Authenticode code signing certificate that has been purchased from common certificate authority (e.g.: Symantec, VeriSign) then you do not need to take an action because the root certificates for these authorities are already present in the Local Machine\Trusted Root Certification Authority certificate store. However, if the application package has been signed with the certificate emitted by customers own Certification Authority or the developer used the self-signed certificate generated by Visual Studio then you will have to make sure the root certificate is present in the Trusted Root Certification Authority store.
You can locate the code signing certificate in Visual Studio solution by looking up the application manifest as shown in the figure below
Figure 2. Application Manifest with code signing certificate
Configure Certificate button allows developer to pick existing code signing certificate from the certificate store a file or get Visual Studio to generate a self signed certificate. If you click the View Full Certificate button you can get the full certification path, copy the certificate to a file, etc. When the Store App is packaged (using the Store->Create App Packages option) the code signing certificate will also be available in the AppPackages solution subfolder. So if you are using self-signed certificate you could just pick it up together with the .appxbundle that contains the application package and take both to your target machine.
On the device that you want to configure simply double click the self signed certificate (.cer) file, select Install Certificate and then in the Certificate import Wizard select Local Machine as the Store Location instead of Current User that will be selected. In the next step select Place all certificates in the following store and browse for the Trusted Root Certification Authorities store to get it installed.
Should you install incorrectly then on Windows 8.1 with Update 1 you will get explicit error message (on Windows 8 you may get more cryptic error HRESULT: 0x80073CFF) as per figure below:
Figure 3. Lack of root certificate error
If all is well the command will complete silently and you should be able to locate the application installed. For domain joined machines you would be able to run the app at this stage, however, for cases that require sideloading key you will see the message App can´t open as in the figure below
Figure 4. App can´t open message
This is because we are missing the step 3 described below.
3. Install and Activate the sideloading key on the devices that require it (as described it in previous section).
There are two commands that we have to execute exactly as described in the “To activate a sideloading product key” section of the sideloading requirements: one to install the key and the second to activate it. You need Administrator privilege to execute these commands as per figures below:
Figure 5. Installation of the sideloading key
Note that the key you type here is the sideloading key that you have purchased from your reseller.
Figure 6. Activation of the key.
In this second step the string supplied (ec67814b….) is always the same because it is a guid that identifies the sideloading feature that we are enabling. If you are unsure if the device has already the sideloading key activated you can check it with command slmgr / dlv that will display the license information. Then scan it for the section with Name: APPXLOB-Client add-on and ensure that the line License Status is showing Licensed.
With all these steps concluded you can install and launch the Store Application successfully.
I should mention for completeness that in development environment you do not require sideloading key. The store apps can run thanks to the Developer License. This license is temporal and periodically will expire. If you are putting in production the machine that was perhaps previously a test machine you can check if it has developer license installed (Get-WindowsDeveloperLicense) and remove it (Unregister-WindowsDeveloperLicense) before configuring production sideloading key using the powershell commands documented in
The licensing requirements and the technical requirements mentioned in the two previous sections have to always be met regardless of the actual method you choose for installing the applications. You have already seen that you can install the application using the Add-AppxPackage command. The command will take an application package (.appx) or the newer application bundle (.appxbundle) as an argument. You can use the Remove-AppxPackage to remove the application.
However, most customers will require more sophisticated solution to manage the application. They will want to assign specific LOB Apps to users in certain groups (Finance, HR) and will want to have a mechanism to install the new versions of the applications even for users with no access to domain.
Windows Intune offers a complete Mobile Device Management solution. It can help not only manage the applications but also (in case of Windows RT) activate the sideloading keys and install root certificates on devices that user enroll for management. Also Windows Intune integrates with System Center Configuration Manager that many customers already have deployed.
The end user has access to the Company Portal application that lists the applications that the Administrator made available in Windows Intune. The Company Portal is essentially a Store App that communicates with the Windows Intune tenant.
You can view two videos that show Windows Intune capabilities with respect to App sideloading:
The alternative to Windows Intune is to build this capability yourself. This could be as basic as the network share containing the scripts or a more complex application equivalent to the Company Store communicating with your package repository of choice (Azure Storage / SharePoint, etc.) but you would need to decide if the development effort would be worth it.
Of course, security is always best implemented as defense in-depth, which simply means setting up multiple layers of security to protect your information. One of the first things you want to do is prevent unauthorized access by implementing strong password (PIN) compliance settings.
System Center 2012 R2 Configuration Manager supports several password compliance settings to help protect devices:
Requiring passwords
Minimum password length
Password history
Idle time before the device is locked (and requires password to unlock)
Number of failed logons before the device is wiped.
Another area in a comprehensive defense in-depth security approach is protecting the data already on the device. This level of protection is centered on encryption of either individual files or the entire device. Some devices (such as Windows and Windows Phone devices) support encryption of internal storage, while others encrypt individual files only.
Another possible source of leaked information is the secure digital (SD) card that some devices support. One approach is to disable the SD card slot entirely, but this isn’t practical for personally owned devices in Bring Your Own Device scenarios. Some devices (such as Windows Phone) create an encryption partition for any apps or data stored on the SD card. User data is still stored on an unencrypted partition on the SD card.
Again, you can configure these settings by using System Center 2012 R2 Configuration Manager configuration items (CIs) and baselines (see part three of this series: how-to configure mobile device settings).
Finally, some devices (such as Windows and Windows Phone devices) support Information Rights Management (IRM), which allows users to protect access to information used in apps. For example, you can use IRM to protect email conversations, prevent unauthorized users from opening a document, or prevent forwarding of email messages. Just as with other settings, you can configure IRM by using System Center 2012 R2 Configuration Manager CIs and baselines.
Communication protection
Another aspect of security that is often overlooked is protecting communication between the device and the information on your intranet. This protection can be broken down into strong authentication protocols and encrypting communication.
Many new device operating systems support Trusted Platform Module chips and virtual smart cards. You can use these technologies to provide stronger authentication and protection of certificates and PINs.
Also, ensure that all virtual private network (VPN) connections to your intranet use strong authentication protocols and require encryption. You can push VPN connection profiles to devices based on your organization’s security standards.
Again, you can configure all of these things by using System Center 2012 R2 Configuration Manager CIs and baselines (see my previous blog post, “Configuring mobile device settings”).
Remotely remove business apps and data
So, what happens if the device is lost or stolen? Or, what if a user is dismissed while they still have a mobile device with your information? Not to fear! System Center 2012 R2 Configuration Manager and Windows Intune allow you to remotely:
Wipe the entire device. Restore the device to factory settings and remove all apps and data (that your organization and the user installed). Built-in apps and data are restored to factory defaults, as well.
Remove only your organization’s apps, data, and configuration settings. Remove only the apps, data, and configuration settings deployed through your MDM system from the device. Any user-owned data and apps are retained.
Of course, most device vendors allows users to locate and remotely wipe their own devices by using a device-specific web app (such as Find My iPhone for Apple iOS devices or Find My Phone for Windows Phone devices). And if the user has physical access to the device, they can do a hardware reset, which restores the device to factory settings and removes all data. The ability to remotely remove business apps and data is essential for any comprehensive MDM system!
Summary
Protecting business apps and data is critical for mobile devices that are “out in the wild.” But you can sleep easier by using the protection that System Center 2012 R2 Configuration Manager and Windows Intune provide. Regardless of the device platform, you can set security baselines that can be applied across them all to help prevent information theft or disclosure.
This wraps up my series of blogs on MDM by using System Center 2012 R2 Configuration Manager and Windows Intune. I bet you can’t wait to try them both, so I have good news for you. You can download an evaluation version of System Center 2012 R2 Configuration Manager and a trial subscription of Windows Intune to experience what I’ve been talking about for yourself. Thank you for reading this series. Until next time!
The blog does a really good job exposing how the Index optimizer decides to rebuild indexes. That is a good thing!
Let’s walk through some of the key points:
This query is what ConfigMgr executes when running the Rebuild Index site maintenance task
SELECT DISTINCT sch.name + ‘.’ + Object_name(stat.object_id),
ind.name, CONVERT(INT, stat.avg_fragmentation_in_percent)
FROM sys.Dm_db_index_physical_stats(Db_id(), NULL, NULL, NULL, ‘LIMITED’) stat
JOIN sys.indexes ind
ON stat.object_id = ind.object_id
AND stat.index_id = ind.index_id
JOIN sys.objects obj
ON obj.object_id = stat.object_id
JOIN sys.schemas sch
ON obj.schema_id = sch.schema_id
WHERE ind.name IS NOT NULL
AND stat.avg_fragmentation_in_percent > 10.0
AND ind.type > 0
ORDER BY CONVERT(INT, stat.avg_fragmentation_in_percent) DESC
[ST] Identify any table index with more than 10% fragmentation.
[ST] The DBCC DBREINDEX rebuilds an index for a table or all indexes defined for a table.
Using the sp_MSforeachtable will run this statement for each table, allowing an 80% fill factor for each index. (20% index free space will reserved for additional index growth). Assumption is made here that the re-indexing will occur for each table located within the previous query.
The remainder of the article shows as an alternative to the (broken) maintenance plan how to create an SQL Server Maintenance Plan Wizard to rebuild indexes and update statistics.
Then summarizes with how to validate the degree of index fragmentation, both before and after.
Now to the comment…
…that basically involves creating a maintenance database and then running Ola Hallengren’s SQL script against it to create the necessary objects and then run the index optimizer script against the ConfigMgr 2012 database on a weekly basis. There seems to be some, dare I say disagreement, amongst some SCCM MVPs regarding the best way to go about doing this. Some of the MVPs believe that the Rebuild Indexes Site Maintenance Task in ConfigMgr 2012 still has some issues. Therefore, some of them are stating that the best method is to keep the Rebuild Indexes disabled and then use the Steve Thompson method. I just want a consensus and use a method that is going to work, but one that is not going to create additional overhead for me.
Summary
Consensus is always a good thing, however, it is always not that simple or easy. Also, I do not believe there is really any disagreement within the MVP community about this information. In light of that, I’d like to share what I know.
I first discovered Ola’s excellent index and statistics optimization task after looking for a solution to the Configuration Manager Index Maintenance task not always running. We’ve seen this failure on SCCM 2007 and ConfigMgr 2012. This has been reported by other MVPs, and observed first hand by this MVP on multiple occasions, on multiple sites. This led to a presentation at MMS 2013:
Ironically, at the MMS 2013 conference, we learned that Microsoft IT that is responsible for running their ConfigMgr 2012 site runs Ola’s Index Maintenance script as well.
What makes Ola’s script unique, it does not take a blunt force approach to rebuilding every index for every table, rather only rebuild indexes that need to be reorganized or rebuilt if necessary. And, this is based on thresholds you can configure.
Other advantages:
Further, it will only update the Statistics that need to be updated.
If indexes are only lightly fragmented a reorganization might be the most efficient method. However, if heavily fragmented (>30%), then it might be faster to rebuild (essentially drop and create an index).
It is possible to set the number of pages the index occupies before running any tuning… if the index falls on less than 1,500 pages, SQL will likely read the entire index into memory. No real need to optimize that index scenario.
Furthermore, the more frequently this task is run, the less time it takes to complete, because there is less work to do!
Conclusions
Will the other method optimize your indexes and statistics? Yes it will.
Is it better than a non-functional site maintenance task? Yes it is.
Is it the most efficient way to optimize a ConfigMgr database? Not in my opinion. Further, this approach does not scale well to very large sites and/or databases.
My recommendation, do your own benchmark testing and then decide.
