Channel: ConfigMgr (SCCM) – All about Microsoft Endpoint Manager

Configmgr 2012 Deployment How to change security permissions to specific folder using icacls with Application Detection rules

Problem Description:

Users from a specific project in the organization (AD security group: eskonr\Domain Users) do not have admin privileges on their computers (don't ask why). I have an application (Matrix) that is installed using Configuration Manager 2012, and users have been using it for their daily routine activities without admin rights and without any issues so far.

Recently, due to a project requirement, they need full permissions on specific folders (C:\Program Files\matrix\3D or whatever) to modify some files and settings to get the application working.

To grant full permissions, or just the required permissions, on specific folders to domain users or project users, you can use the built-in Windows command-line tool Icacls.exe (displays or modifies discretionary access control lists).

I use icacls to set permissions on the specific folder, but I need to check whether the OS architecture is x86 or x64, because the installation directory for this application varies.

To learn more about the available syntax for Icacls.exe, run Icacls.exe /? from cmd.exe.

Below is the batch script that checks whether the architecture is 32-bit or 64-bit and then grants the required permissions on the specific folder.

@Echo off
REM Provide Full security permissions to domain users to 3D and Client Folder

If exist "C:\Program Files (x86)\matrix"  (GOTO 64BIT) ELSE (GOTO 32BIT)
:32BIT
icacls "c:\Program Files\matrix\3D" /grant:r "eskonr\Domain Users":(OI)(CI)F
icacls "c:\Program Files\matrix\Client" /grant:r "eskonr\Domain Users":(OI)(CI)F
GOTO END   

:64BIT
icacls "c:\Program Files (x86)\matrix\3D" /grant:r "eskonr\Domain Users":(OI)(CI)F
icacls "c:\Program Files (x86)\matrix\Client" /grant:r "eskonr\Domain Users":(OI)(CI)F
GOTO END   

:END

Where eskonr is the domain and Domain Users is the AD security group.

Note: You can also do this job using a Configuration Item, but I like this way.

So now I can take this script and deploy it using Configuration Manager, either as an application deployment or as a package (legacy method).

Using the legacy method it is easy and straightforward, but if I want to deploy this as an application, I need to create a detection rule before this script runs.

Note: If you set something that never detects in the detection rule, the detection rule always reports unknown and the script will run (even though the folder already has the required permissions set), which will not harm the already granted permissions.

For detecting the application/security rights, I need to create a custom script or something similar, since the default detection rules (file, registry and MSI) do not work in this case.

Below is the PowerShell script to detect whether the security permissions are already set.

PowerShell script to detect the security permissions:

# 32-bit OS: the application lives under "Program Files"
If (Test-Path -Path "c:\Program Files\matrix")
{
    $file = "c:\Program Files\matrix\3D"
    $user = "eskonr\Domain Users"

    # Output on STDOUT tells ConfigMgr that the permissions are already in place
    if (((Get-Acl $file).Access | ?{$_.IdentityReference -eq "$user"}).FileSystemRights -match 'FullControl')
    {
        Write-Host "Permissions set"
    }
}
# 64-bit OS: the application lives under "Program Files (x86)"
if (Test-Path -Path "c:\Program Files (x86)\matrix")
{
    $file = "c:\Program Files (x86)\matrix\3D"
    $user = "eskonr\Domain Users"

    if (((Get-Acl $file).Access | ?{$_.IdentityReference -eq "$user"}).FileSystemRights -match 'FullControl')
    {
        Write-Host "Permissions set"
    }
}

You can shorten the above PowerShell script if you are good at it.
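A shortened version of the detection script, as an added example that is not from the original post. It checks both folders the batch file touches and only reports success when the group has an explicit Allow entry matching what (OI)(CI)F produces. It relies on ConfigMgr treating exit code 0 with text on STDOUT as "detected" and exit code 0 with no output as "not detected"; the function name Test-FullControlGrant is made up for this example.

```powershell
# Added example: detection script for the icacls grant above.
$identity = 'eskonr\Domain Users'     # domain\group used in the article
$folders  = '3D', 'Client'            # both folders the batch file modifies
$full     = [System.Security.AccessControl.FileSystemRights]::FullControl
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

# Same architecture test as the batch file: use the x86 path when it exists.
$root = 'C:\Program Files (x86)\matrix'
if (-not (Test-Path -LiteralPath $root)) { $root = 'C:\Program Files\matrix' }

function Test-FullControlGrant {
    param([string]$Path, [string]$Identity)

    # A missing folder must not write to STDERR, or detection is reported as failed.
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }

    # Explicit (not inherited) Allow ACE with FullControl that flows down to
    # subfolders (CI) and files (OI).
    $ace = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        -not $_.IsInherited -and
        ($_.FileSystemRights -band $full) -eq $full -and
        ($_.InheritanceFlags -band $inherit) -eq $inherit
    }
    return [bool]$ace
}

# Collect every folder where the grant is missing.
$missing = $folders | Where-Object {
    -not (Test-FullControlGrant -Path (Join-Path $root $_) -Identity $identity)
}

# Print only when all folders are compliant; stay silent otherwise.
if (-not $missing) { Write-Output 'Permissions set' }
exit 0
```

Because the script matches the exact ACE, narrowing the grant later (for example to (OI)(CI)M for a project-specific group instead of F for all Domain Users) means changing $full and $identity here at the same time.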


How to get Report for Internet Explorer Startup Page using Configuration Manager 2012

Last week I was having a discussion with my manager about getting a report on the users' IE home page/start page, to see how many users are set to the company intranet page. I then asked him which method the company currently follows to set the IE home page. He replied: GPO? My response was that, if it is GPO, then the IE home page should be set to the required one for all domain users (wherever the GPO is applied), and that using GPO gives more control to restrict users from changing the default IE home page (Disable changing home page settings) with less troubleshooting required.

I checked my computer: the default IE home page is set to the correct one, but I do have the flexibility to change it to a custom one. So my boss asked me to see if there is a way to get a compliance report on the user IE home page, so that OUs where the GPO may not be applied can be identified.

Since the IE home page information is stored in HKCU, we cannot use regkeytomof (it works only with HKLM), a MOF extension, or DCM (not easy).

The possible solution for this involves: 1) creating a custom WMI location, 2) copying the user IE home page info into this location, 3) editing the MOF to retrieve this WMI information into the SCCM database.

The above solution would work, but how would you grant full permissions on the WMI location to publish the user registry info if users do not have admin rights on their computers?

Long ago, there was a discussion on the SCCM forum list about this issue of getting user IE home pages using Configuration Manager. Our MOF master Sherry Kissinger has a workaround for this issue, which I am going through shortly.

This procedure requires creating a package with 2 programs (legacy is preferred and easy): 1) machine, 2) user, with a dependency on machine.

Create a folder with a standard naming convention, as required, on your network share and place these files into it. The files can be downloaded from http://eskonr.com/?wpdmdl=5651

1. wmiNameSpaceandSecurity.vbs: This script creates the custom WMI namespace location (root\CustomCMClasses -> CM_IEStartPages) using a file called WmiSecurity.exe.

2. UserIEStartPage.vbs: This script publishes the information from HKCU to the custom WMI location created by the script above.

Before we start creating the package, edit the script wmiNameSpaceandSecurity.vbs, replace the domain name with your domain name and save the script.

Create a package with 2 programs:

1. Create a package with a program using the command line cscript.exe wminamespaceandsecurity.vbs, running under the system context.

2. Right-click the package created above and select Create Program (no need to create a new package) with the command line cscript.exe UserIEStartPage.vbs, running under the user context, and select 'Run another program first'.

We have now created a package with 2 programs.

Distribute the package to the DP group or DPs.

Now create a deployment of UserIEStartPage to the required collection.

Time to test the results:

Log in to a PC that has this deployment, run the machine policy, and monitor execmgr.log for the progress of this deployment.

From the log, the program executed successfully.

Let's check out the WMI classes and the inventory information captured from HKCU.

Open cmd, type wbemtest.exe and connect to "root\CustomCMClasses".

Let's check the home page values from the WMI class using a simple WQL query before we start working with the MOF file.

While you are connected to "root\CustomCMClasses", click Query and run this query: SELECT * FROM CM_IEStartPages

From the result, we see that the user has set 2 tabs to open when IE starts. Double-click either one and click Show MOF to see the URL of the page.

So far, all good. Now let's make some changes to the MOF to collect this information via inventory on a scheduled basis (if required, create a custom inventory for a specific collection instead of doing it in the default settings).

Go to your CM12 primary site Administration pane (if you have a CAS, you should make these changes there) > Client Settings > Default Settings. (You must import the custom attributes here before you create custom client settings.)

We have now imported the custom WMI info into CM12, but we have not yet enabled this setting to be collected from Configmgr clients.

In the background, Configmgr will create a new table/view (CM_IESTARTPAGES_DATA/v_GS_CM_IESTARTPAGES) to store the information that comes from clients, which can be monitored in dataldr.log in your site server logs.

Now create a custom client agent setting that can be applied to a test collection before applying it to a big collection.

Deploy this setting to the test collection and wait for the results (the client should pick up the new settings and send the inventory info to the site server). After a while, you will see the information in the CM12 database.

Here is the simple SQL query:

SELECT  vrsv.Netbios_Name0 [machine name],isp.username0,isp.startpage0,isp.tab0,isp.datescriptran0
FROM v_GS_CM_IESTARTPAGES IsP,dbo.v_R_System_Valid AS vrsv
WHERE vrsv.ResourceID=isp.resourceid

How to Install MBAM 2.5 SP1 and integrate with SCCM Configmgr 2012 R2 SP1 – Part 4

In part 3 of this MBAM 2.5 SP1 multi-part guide, we installed the MBAM prerequisites for Configuration Manager 2012 and made the MOF file changes, inventory changes, MBAM collection etc.

In this part 4, we will look at the main components of MBAM 2.5 SP1: the databases, reports and web applications.

Log in to the MBAM01 server with the CM_SRV (MBAM_admin) account, mount the MDOP 2015 ISO and browse to the MBAM 2.5 SP1 folder.

Run MBAMserversetup with the default options: Next, Next, Next until the last screen.

Click Add New Features.

We will first install the databases and reports, and later install the web applications.

Enter the SQL Server name (whether it is installed locally or on a remote server).

I have used the default instance (MSSQLSERVER), so I leave it blank; if you have a named instance, please provide it.

Use the account you created in AD for database read and write access.

Recovery database:

Enter the reporting role domain group name (MBAM_HD_Reports) and the compliance audit domain account name (MBAM_DB_RO).

Check the summary page to confirm that everything is set correctly.

If you have other servers where you want to install these components again and you don't want to follow all these steps, you can export the PowerShell script, change the components (certificate, account etc.) and run the script on the other server to make things easy.

With this, we have installed the compliance database and the recovery database.

Check whether these databases were created by opening SQL Server Management Studio.

The account that was specified during the installation is also added automatically with the required permissions.

Next, we will install the web applications.

On the server, search for mbam from the Start menu and open MBAM Server Configuration to add the web applications.

Click Add New Features.

As I am not using any SSL now, I will check 'Do not use a certificate'.

Enter the hostname, IIS path and port number (if you have enabled the firewall, you must allow this port for website communication).

Fill in the details as shown below.

Enable TPM Lockout Auto Reset is a new feature in MBAM 2.5 SP1. On computers running TPM 1.2, you can now configure MBAM to automatically unlock the TPM in case of a lockout. If the TPM lockout auto reset feature is enabled, MBAM can detect that a user is locked out and then get the OwnerAuth password from the MBAM database to automatically unlock the TPM for the user.

This feature must be enabled on both the server side (enable as shown above) and in Group Policy on the client side (we will configure this later).

SQL Server Reporting Services URL: http://MBAM01.corp.eskonr.com/ReportServer. If you are using SSL, use https.

Let's check on the IIS server whether these websites were created.

From the Run command, type inetmgr.

Right-click HelpDesk, choose Manage Application > Browse, and you will see the helpdesk web page.

If you don't see reports, then you are not a member of the group 'MBAM_HD_Reports'. Only the user MBAM_report1 is a member and can view reports.

To see the two options below, Drive Recovery and Manage TPM, the user must be a member of the MBAM_HD_ADv group. To see only reports, the user must be a member of MBAM_HD_Reports.

If the user is a member of only MBAM_HD_Reports, then they can see only reports.

Do the same for the self-service portal.

If you want to configure the self-service portal to change the company name, display text etc., go to the IIS server, click SelfService and open Application Settings.

With this, we have successfully installed the databases, reports and web applications on our MBAM server.

In the next part 5 of this series, we will see how to configure the prerequisites (GPOs etc.) for clients before we start BitLocker encryption of computers.

How to Install MBAM 2.5 SP1 and integrate with SCCM Configmgr 2012 R2 SP1 – Part 6

In part 5, we downloaded the MDOP 2015 templates, extracted them, copied the MBAM 2.5 SP1 .admx and .adml templates to our domain controller, created a GPO for the workstation OU and deployed it. In this part 6 of the MBAM 2.5 SP1 guide, we will create a collection and an application for the MBAM 2.5 SP1 agent, deploy it to our clients and do the BitLocker encryption.

Earlier versions of MBAM shipped with an MSI that could be imported directly into SCCM/GPO, whereas in MBAM 2.5 SP1 a separate MSI is no longer included with the MBAM product. However, you can extract the MSI from the executable file (.exe) that is included with the product.

If you look at the MBAM installer files in MDOP 2015, you will find only 2 .exe files as shown below for x64; the same applies to x86 (client setup) as well.

We will extract MbamClientSetup.exe to get the .msi and then import it into SCCM using the application deployment method.

The command line to extract the .msi from the .exe file is: MBAMClientSetup.exe /extract "D:\MBAMClient\MbamClientSetup" /acceptEula=Yes

MBAMClientSetup.exe: the file being extracted

D:\MBAMClient\MbamClientSetup: path to extract the MSI to

If you don't want to go with the MSI file, you can still use the .exe file to deploy the MBAM agent with the command line: MBAMClientSetup.exe /acceptEula=Yes

Command-line installation for the MSI: msiexec /i "MSI file name" /qn REBOOT=ReallySuppress

We will now copy the MSI file to our source folder on the SCCM server.

Create a collection called MBAM_client_2.5SP1 and add a few test computers (Windows 8 and Windows 10) to it. In my lab, I used the following query-based rule to add all workstations with Client Agent = Yes:

select *  from  SMS_R_System where SMS_R_System.OperatingSystemNameandVersion like "%Workstation%" and SMS_R_System.Client = "1"

Let's create an application using this MSI file and deploy it to our MBAM_client_2.5SP1 collection. Create the application as you do for other MSIs.

Edit the deployment type to change the name of the DT (like MBAM Client 2.5 SP1 X64; if deploying 32-bit, then X86), use the Requirements tab to limit it to workstations (Win8, Win10 etc.), and change other properties if needed.

Distribute the application to the distribution point group/distribution points and deploy it to the collection.

Log in to a test PC (Windows 8.1/Windows 10) and check whether MBAM Agent 2.5 SP1 is deployed.

Demo: Windows 8.1

On physical machines, to do BitLocker encryption you must have the TPM chipset enabled and activated. The TPM chipset is hardware that sits on the motherboard and performs specific functions. For more information about TPM and BitLocker, read https://msdn.microsoft.com/en-us/library/windows/hardware/dn653315(v=vs.85).aspx

Note: While performing BitLocker drive encryption on Hyper-V VMs, I always keep getting the error (shown later in this guide) "BitLocker Drive Encryption only supports Used Space Only encryption on thin provisioned storage.", so I assume this is a known issue, as VMs aren't supported as per this TechNet article, but it should work on physical machines without any issue. So in the lab, we will do BitLocker using the manual method instead of doing it via the MBAM agent, and the rest will be managed by MBAM. I will update this post when I find a solution.

So in the lab, instead of encrypting the drive using the MBAM agent, we use the manual method from Control Panel. This is the only step we are bypassing; the rest of the process is managed by MBAM.

If you are trying this on a physical machine, it should work for you without any issues (at least you will not see the above error).

Log in to the Windows 8.1 PC and check whether the MBAM agent is deployed successfully. You can check this either from Software Center or from C:\Program Files\Microsoft\MDOP MBAM.

After the agent is installed, the next step is to check whether the GPO settings that we created in part 5 (MBAM 2.5 SP1 client settings) are loaded correctly. How do we check whether the GPO settings are applied correctly?

Open the registry on the Windows 8.1 client (type regedit from the Run command) and browse to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE

From the snippet below, you can see that the 'Configure pre-boot recovery message and URL' settings configured via GPO are applied, which is new in MBAM 2.5 SP1.

And from HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement:

You can copy the URL from the registry key and check whether you can browse to it, to confirm that the client is able to talk to the MBAM server.

We can also use Event Viewer to check whether the client is able to download the MBAM policies from the MBAM server.

Location to check BitLocker encryption and operation issues: Event Viewer – Applications and Services Logs – Microsoft – Windows – MBAM (Admin and Operational)

After these settings are applied correctly to our Windows 8.1 client, you will soon receive a prompt like the one below.

If you don't see the prompt, troubleshooting is required, but you can launch the MBAM wizard by running MBAMCLIENTUI.exe from C:\Program Files\Microsoft\MDOP MBAM (this folder may vary depending on the OS architecture).

In the GPO settings, we have set 0, without any grace period to postpone the BitLocker drive encryption. With this setting, the user cannot close this dialog and must do the encryption (in production this setting may vary).

Enter a password between 8 and 255 characters and click Create Password.

Here is my next screen for the BitLocker status:

For some reason, it failed to encrypt the disk. What next? We don't have any logs like we do for SCCM, but as I discussed above, we can check the reasons for this failure using Event Viewer.

Go to Event Viewer – Applications and Services Logs – Microsoft – Windows – MBAM (Admin and Operational)

Check the Operational log to see whether the client is able to download the policies correctly.

From the above screen, the client is able to download the policies; next, look at the Admin section.

So, as I discussed earlier in the note, let's do BitLocker manually. For this, open Control Panel\All Control Panel Items\BitLocker Drive Encryption

Turn on BitLocker.

It will verify the prerequisites and prompt for a password:

Enter a password between 8 and 255 characters.

For now, we will save the file to a remote PC (this file contains the BitLocker recovery key, which helps you unlock your computer in case you forget the above password).

Accept the default option and click Continue.

Restart now.

After you restart, it asks for the password to continue. If you press ESC, the BitLocker encryption process will be cancelled and you must do the procedure again.

After you log in to the PC, a small window appears on the taskbar showing that encryption is in progress.

After a while, encryption completes and you should see the BitLocker information about this client in your MBAM server reports.

With this, we have completed BitLocker encryption on the client side using the manual method instead of doing it via the MBAM agent.

How to use the MBAM 2.5 SP1 self-service portal to retrieve the BitLocker recovery key?

Next, we will look at the MBAM compliance reports using SCCM and also recover the BitLocker recovery key in case the user forgets the password to unlock the computer during the boot process.

Restart the client PC (8.1 VM); it prompts for the password.

In case you forget the password and want to retrieve the BitLocker recovery key, press ESC; it takes you to the screen below to enter the recovery key for this drive.

Note: This recovery key changes every time you press ESC. When you press ESC, a new recovery key is created in the MBAM Recovery and Hardware database.

To retrieve the BitLocker recovery key, we need the first 8 digits of the recovery key ID (364ACBC6) shown in the screen below, and then retrieve the recovery key using the self-service portal as discussed in part 4.

So launch the self-service portal on any computer, as a user who has sufficient security permissions to use it, with the URL: http://mbam01.corp.eskonr.com/SelfService

As shown below, enter the first 8 digits of the recovery key ID and select the reason (all these requests are stored in the database for auditing purposes, in case you want to check how many times this was performed).

238689-104929-336666-292017-263890-562496-482768-388982

Again, this BitLocker recovery key is for one-time use and cannot be used again and again. Every time you request a recovery key, it creates a new one.

You can also run a SQL query to get the recovery key instead of going via the portal. This recovery key information is stored in the database (MBAM Recovery and Hardware), table RecoveryAndHardwareCore.Keys.

Enter the recovery key that we obtained above and press Enter.

It should allow you to log in.

With this, we have completed the demo on how to get the BitLocker recovery key using the self-service portal.

Next, we will see the compliance results using SCCM Configmgr reports.

Before that, you must confirm that the hardware and Configuration.mof changes were processed successfully on the server, and that inventory is enabled for TPM, BitLocker, MBAMPolicy etc., as discussed in part 3.

Once you have confirmed this, let's run the hardware inventory cycle on the client (if you can't wait for the default schedule to run) and monitor inventoryagent.log on the client PC.

From the log, we are mainly interested in the changes, i.e. MBAM policy and BitLocker, as the MBAM reports mainly depend on these tables/views.

Wait a few minutes for the site server to process this information and update the database.

Open the Configuration Manager reports URL http://cm01/Reports/ (my SCCM report server is CM01).

I am interested in the BitLocker Enterprise Compliance Summary report.

By default, the report selects MBAM Supported Computers, but you can select the collection from the drop-down list.

We have 1 computer that is 100% compliant, but this report is missing a linked report to show which computer that is.

If you get the error "Error: the 'MBAM Policy' view does not exist" while running the reports, make sure at least one client has reported inventory for MBAMPolicy; otherwise the report has nothing to present.

With this, we have completed extracting the MBAM 2.5 SP1 client agent MSI from the EXE, creating an application using the MSI in SCCM 2012 R2 SP1, deploying it to a collection, doing BitLocker manually due to the VM support issue, retrieving the BitLocker key using the self-service portal and finally running the compliance reports using SCCM.

In the next part 7, we will see the new features added to support Windows 10, like Customize pre-boot recovery message and URL.

SCCM Configmgr 2012 Create device collection using the User Department attribute

Recently, I got a request from a business unit manager about computer reboots due to patch management (applicable to applications as well). The custom client device setting 'Display temporary notification to the user' (shown below) is set to 480 minutes across the enterprise workstations, but a specific department (e.g. Engineering) is not happy with this setting due to the nature of their business. So we agreed to have custom reboot settings.

Creating custom device settings and applying them to a collection is not that difficult; the catch here is creating a device collection based on the user's department.

Once we have this collection, we can create device client settings and make sure they have higher priority than the other client device settings that apply a similar setting to all workstations. The setting with the higher priority is the one applied to clients (a lower number is applied ahead of a higher number). You can also use the resultant set of policies to check the client device settings for a particular client from the SCCM device collection.

How to create a device collection using the Department attribute:

Before creating the collection, make sure you have the department attribute added to the Active Directory User Discovery properties.

Device Collection:

Create a new collection, select the limiting collection, edit the query and paste the following query (change the department name). When you click OK, you may get errors, but just ignore them. The collection works fine.

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System JOIN SMS_UserMachineRelationship ON SMS_R_System.Name=SMS_UserMachineRelationship.ResourceName
JOIN SMS_R_User ON SMS_UserMachineRelationship.UniqueUserName = SMS_R_User.UniqueUserName
WHERE   SMS_UserMachineRelationship.Types=1 AND SMS_R_User.department0 like "Engineering"

How to Install MBAM 2.5 SP1 and integrate with SCCM Configmgr 2012 R2 SP1 – Part 7

In part 6, we created the MBAM collection and the application for the MBAM 2.5 SP1 agent, deployed it to our clients and did the BitLocker drive encryption for the Windows 8.1 client. We also retrieved the BitLocker recovery key using the self-service portal and reviewed the BitLocker compliance reports.

In this part 7 of the MBAM 2.5 SP1 guide, we will do the BitLocker drive encryption for Windows 10 and also see the new features (Configure pre-boot recovery message and URL) included for Windows 10. To know more about what's new in MBAM 2.5 SP1, refer to the TechNet document.

I created a Windows 10 RTM 10240 virtual machine, installed the SCCM 2012 R2 SP1 client and waited a few minutes to let the MBAM 2.5 SP1 agent deploy automatically. (The MBAM collection was created to include all workstations, and the MBAM agent was deployed to this collection; for more info, refer to part 6.)

Log in to the Windows 10 client and verify that the MBAM agent is installed, either from C:\Program Files\Microsoft\MDOP MBAM, from Software Center, or from the SCCM 2012 monitoring console/reports.

Let's check whether the GPO policies are applied. For this, open the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE.

From the snippet below, you can see that the 'Configure pre-boot recovery message and URL' settings configured via GPO are applied, which is new in MBAM 2.5 SP1.

You can either wait for the GPO to start the MBAM agent or manually launch MBAMclientUI.exe from C:\Program Files\Microsoft\MDOP MBAM

As I discussed in my previous post, you cannot BitLocker the drive using the MBAM agent on virtual machines. To check, go to Event Viewer, Microsoft-Windows-MBAM/Admin, and check the error code.

An error occurred while applying MBAM policies.
Volume ID:\\?\Volume{3968637d-842e-45c4-abb5-5f3a6421ec72}\

Error code:
-2144272219

Details:
BitLocker Drive Encryption only supports Used Space Only encryption on thin provisioned storage.
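The client-side checks walked through in part 6 and again here (policy registry keys, reachability of the MBAM URLs, MBAM event logs) collected into one script. This is an added example, not part of the original guide; the function names are made up for it, and it assumes an elevated PowerShell session on a Windows 8.1 or Windows 10 client. It lists whatever values exist under the two keys rather than assuming any value names.

```powershell
# Added example: verify MBAM policy, endpoints and recent errors on a client.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\FVE',
    'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'
)

function Get-PolicyValue {
    # Return every value stored directly under one registry key.
    param([string]$Key)
    if (-not (Test-Path -LiteralPath $Key)) { return }
    $item = Get-Item -LiteralPath $Key
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{ Key = $Key; Name = $name; Value = $item.GetValue($name) }
    }
}

function Convert-ToHResultHex {
    # The event text shows the code as a signed decimal; hex is easier to search for.
    param([long]$Code)
    '0x{0:X8}' -f ($Code -band 4294967295)
}

# 1. Did the GPO land on this client?
$values = @($policyKeys | ForEach-Object { Get-PolicyValue -Key $_ })
if ($values.Count -eq 0) {
    Write-Warning 'No values under the FVE policy keys: the MBAM GPO has not applied.'
}
$values | Format-Table Name, Value -AutoSize -Wrap

# 2. Can the client reach every http(s) URL the policy points at?
$values |
    Where-Object { $_.Value -is [string] -and $_.Value -match '^https?://' } |
    ForEach-Object {
        $uri = [uri]$_.Value
        [pscustomobject]@{
            Policy    = $_.Name
            Url       = $uri.AbsoluteUri
            Encrypted = ($uri.Scheme -eq 'https')   # plain http means cleartext traffic
            Reachable = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port `
                            -InformationLevel Quiet -WarningAction SilentlyContinue
        }
    } | Format-Table -AutoSize

# 3. Recent critical, error and warning events from both MBAM logs.
$events = foreach ($log in 'Microsoft-Windows-MBAM/Admin', 'Microsoft-Windows-MBAM/Operational') {
    Get-WinEvent -LogName $log -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.Level -in 1, 2, 3 } |
        ForEach-Object {
            $hex = if ($_.Message -match 'Error code:\s*(-?\d+)') {
                Convert-ToHResultHex -Code ([long]$Matches[1])
            }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Log     = $log
                Id      = $_.Id
                Level   = $_.LevelDisplayName
                HResult = $hex
                Summary = ($_.Message -split "`r?`n")[0]
            }
        }
}
$events | Format-Table -AutoSize -Wrap
```

For the event shown above, the HResult column reads 0x803100A5, the hexadecimal form of -2144272219.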

On physical machines it should work (at least you will not see this error). So I go and do BitLocker manually. Go to Control Panel, open BitLocker Drive Encryption and turn on BitLocker.

PowerShell commands to enable BitLocker: https://technet.microsoft.com/en-us/library/jj649837(v=wps.630).aspx

Restart the computer.

Enter the BitLocker password that you set earlier, then log in to the client using your domain password.

After you log in, wait a while until the drive encryption is done.

After the encryption completes, reboot the client. This time, we don't enter the password to log in; instead, we use the recovery key and see the

As you can see from the snippet below, the pre-boot recovery message and URL, which are customized in our Group Policy, can help recover the BitLocker key from another client by entering the first 8-digit number into the self-service portal.

With this, we have completed the BitLocker drive encryption for Windows 10 using MBAM 2.5 SP1.

In the next post, part 8, we will see the troubleshooting steps: how and where to start for any BitLocker encryption issues related to MBAM.

SCCM Configmgr 2012 SSRS Report client policy request or Days Since Last Communication older for specific collection

As an SCCM Configmgr administrator, your primary task is to maintain the health of your SCCM clients for application deployment, software updates, inventory etc. Questions often come up in forums and email lists asking for a list of computers that have not contacted the server for X days (e.g. 25), or how to find the clients whose policy request is old or whose days since last communication is more than X.

From the Configmgr console, we can see client activity such as policy request, heartbeat DDR, hardware scan, management point etc., as shown in the picture below.

How do I present this information in an SSRS report for further troubleshooting? Creating a report, exporting the results and troubleshooting the clients whose communication is older than X days would be easier.

The client activity information is stored in a view called vWorkstationStatus in the SQL DB. So I join this view with the collection views to get the desired results.

I have a SQL query to retrieve this information, but not in an SSRS report. I usually run the SQL query in SQL Management Studio, but I thought of creating an SSRS report to get this information for a specific collection.

Below is the SQL query, if you want to create a PowerShell grid view. (This query is filtered to return clients in the given collection whose LastPolicyRequest is more than 25 days old.)

SELECT ws.Name, ws.UserName,ws.LastMPServerName,
CONVERT ( varchar (26) , ws.CreationDate , 100) CreationDate,
CONVERT ( varchar (26) , ws.LastDDR , 100) LastDDR,
CONVERT ( varchar (26) , ws.LastPolicyRequest,100) LastPolicyRequest,
CONVERT ( varchar (26) , ws.LastHardwareScan,100) LastHardwareScan,
ws.SystemRole,
DATEDIFF ( DAY , ws.LastPolicyRequest , getdate() ) 'Days Since Last Communication'
FROM  vWorkstationStatus ws
JOIN dbo.v_FullCollectionMembership vfcm ON vfcm.ResourceID = ws.ResourceID
JOIN dbo.v_Collection vc ON vc.CollectionID = vfcm.CollectionID
WHERE vc.Name='Your collection Name'
GROUP BY ws.Name, ws.UserName,ws.CreationDate,ws.LastMPServerName,ws.LastDDR,
ws.LastPolicyRequest,ws.LastHardwareScan,ws.SystemRole
HAVING (datediff(dd,max(ws.LastPolicyRequest),getdate()-25) >0)

In the SSRS report, I have made 2 parameters as prompts: 1) Collection Name and 2) Number of days.
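The PowerShell grid view mentioned above, with the same two prompts passed as SQL parameters instead of being typed into the query text. This is an added example, not the author's script or the RDL; the server name, database name (CM_XXX) and defaults are placeholders, it assumes Windows PowerShell with read access to the site database, and it uses SELECT DISTINCT in place of the GROUP BY/HAVING form.

```powershell
# Added example: parameterized version of the query above, shown in Out-GridView.
param(
    [string]$SqlServer      = 'CM01',                  # placeholder: your site database server
    [string]$Database       = 'CM_XXX',                # placeholder: CM_<site code>
    [string]$CollectionName = 'Your collection Name',
    [int]   $Days           = 25
)

$query = @'
SELECT DISTINCT ws.Name, ws.UserName, ws.LastMPServerName,
       ws.CreationDate, ws.LastDDR, ws.LastPolicyRequest, ws.LastHardwareScan,
       ws.SystemRole,
       DATEDIFF(DAY, ws.LastPolicyRequest, GETDATE()) AS DaysSinceLastCommunication
FROM   vWorkstationStatus ws
JOIN   dbo.v_FullCollectionMembership vfcm ON vfcm.ResourceID = ws.ResourceID
JOIN   dbo.v_Collection vc ON vc.CollectionID = vfcm.CollectionID
WHERE  vc.Name = @CollectionName
  AND  DATEDIFF(DAY, ws.LastPolicyRequest, GETDATE()) > @Days
ORDER BY DaysSinceLastCommunication DESC
'@

$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$SqlServer;Database=$Database;Integrated Security=SSPI")
$cmd = $conn.CreateCommand()
$cmd.CommandText = $query

# Values are bound as typed parameters, so a collection name containing quotes
# cannot change the statement.
[void]$cmd.Parameters.Add('@CollectionName', [System.Data.SqlDbType]::NVarChar, 255)
$cmd.Parameters['@CollectionName'].Value = $CollectionName
[void]$cmd.Parameters.Add('@Days', [System.Data.SqlDbType]::Int)
$cmd.Parameters['@Days'].Value = $Days

$table = New-Object System.Data.DataTable
try {
    $conn.Open()
    $table.Load($cmd.ExecuteReader())
}
finally {
    $conn.Dispose()
}

# Show only the query columns, not the DataRow bookkeeping properties.
$table.Rows |
    Select-Object -Property $table.Columns.ColumnName |
    Out-GridView -Title "Clients in '$CollectionName' silent for more than $Days days"
```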

Here is what the SSRS report looks like:

Download the RDL file from TechNet, upload the report to your SSRS Reports folder, change the data source and run the report.

Questions appeared on https://social.technet.microsoft.com/Forums/en-US/b9940352-7382-462d-8ef9-8c7a1483a29f/sccm-client-last-communication-report?forum=configmanagerdeployment

https://social.technet.microsoft.com/Forums/office/en-US/5b21299a-d91a-43bd-bae7-dc02c09a8694/how-to-create-a-collection-based-on-days-since-last-communications?forum=configmanagerapps

https://www.reddit.com/r/SCCM/comments/3l67e8/help_with_custom_report/

Configmgr Vnext Technical Preview 3 released (Version 1510) with some exciting features

Microsoft is bringing exciting features to the Configuration Manager product and making it easier in all aspects to manage the infrastructure. Last month (September 2015), Microsoft introduced new features in Configuration Manager (I expect it will be called 2016) Technical Preview 3 (version 1509): 'Updates and servicing' (this replaces the need to install separate service packs, cumulative updates, or Extensions for Microsoft Intune) and a new look/update for Software Center (apps that are published to users will be available in Software Center as well).

On October 14th 2015, Microsoft released another update for Configuration Manager Technical Preview 3, version 1510 (YYMM, easy to remember unlike previous versions), with new capabilities:

  • Windows 10 servicing
  • Wipe and retire for on-premises mobile device management

You can install this update (1510) on Technical preview 3 with Version 1509 or earlier versions also. You do not need to install 1509 before installing 1510.

Windows 10 servicing:

In this release, you can view the state of Windows as a service in your environment, create servicing plans to form deployment rings and ensure that Windows 10 current branch systems are kept up to date when new builds are released, and view alerts when Windows 10 clients are near end of support for their build of Current Branch or Current Branch for Business.

Wipe and Retire for on-premises mobile device management:

System Center Configuration Manager Version 1510 adds support for remotely wiping and retiring devices for on-premises mobile device management (MDM).

I have already updated my Configmgr TP3 to version 1509, released in September, using the Updates and Servicing feature.

image

Before you update to the latest version (if you are on 1509 or an earlier version), make sure you have an internet connection, as the entire content is downloaded before your site starts updating to version 1510.

If you are installing Configuration Manager Technical Preview 3 from scratch, you must download the TP3 version from here and install it like other Configuration Manager 2012/TP3 versions with all the prerequisites. Once you are done with that, continue to update to the latest version using the steps below.

Open the console and go to Administration\Cloud services\Updates and Servicing

image

The updated version 1510 for TP3 is not yet shown in the console, which could be because my SCCM server is having issues with internet access. Check the log DMPDownloader.log (as this is for Cloud services) in your Configmgr logs directory.

By default, it is scheduled to sync every 7 days to get the latest updates.

image

Now we will force a sync by restarting SMS_Executive or simply restarting the SMS DMP Download manager component from Monitoring node\site hierarchy\component status. I will simply restart the component instead of restarting the SMS Executive service.

Start monitoring DMPDownloader.log. You can see that the download has been initiated and the content is stored under the folder E:\SCCM\EasySetupPayload\.

image

All the updates are saved to the EasySetupPayload folder. The size of this downloaded content (TP3 version 1510) is around 1.6GB.

image

The status for this update in the console should now have changed from downloading to available. Run the prerequisite check (if you want, you can skip this and go directly to the install update pack step).

image

To see the status of the prerequisite check, go to Monitoring and look at the site servicing status.

image

After a while, you will see something like this:

image

Now start the update pack installation:

image          image        image         image

You can monitor the update status from monitor\update servicing status

 

image      image

After a while, you will see that it is installed successfully.

image

The console was still open in my lab, so I went to check the console version and it immediately prompted me to upgrade to the new version. Click Yes; it will close the console and upgrade it to the new version.

image

After the console was upgraded, the evaluation period was reset to 60 days from the previous leftover days. You also see a new feature called Feedback (I didn't notice if it was part of the previous version), which takes you to the Microsoft User Voice portal where you can give feedback and new ideas to incorporate into this product: http://configurationmanager.uservoice.com/forums/300492-ideas

image

Console Version: 5.0.8315.1000

image

With this update (1510), a new feature called Windows 10 servicing is introduced in the Software Library node. More testing is to be done on this feature.

Clients that are part of the preproduction collection will receive the policy for the new SCCM client, and it will be installed automatically.

Log in to a client PC that is part of the pilot collection; it should have the new version 5.0.8315.1000.

image

That's it for now; more about the features introduced with this TP3 update in the next blog.


SCCM Configmgr SQL Query How to get list of patches required by specific Computer


There are instances where you need the list of patches required by a specific computer or computers (for example, to get the list of patches required by a server so that you can download and install them in a DMZ that has no internet access, or to check patch compliance for a specific computer, and many more). Generally, we look at the default reports to see if any of them gives the required information.

If you look at the default reports, there is no report that gives you exactly the list of patches required by a specific computer, with targeted and required status, release date and other information.

You can run the SQL query below from SQL Server Management Studio or use it in your SSRS reports with a parameter for the computer name.

This query has been customized to present the month posted, the title of the patch, whether it is targeted to the client, whether it is required, the KB URL, the date posted and the deadline, if there is one.

Note: This query is filtered on Severity (Security and critical) from the view v_UpdateInfo.

SQL Code:

select CAST(DATEPART(yyyy,ui.DatePosted) AS varchar(255)) + '-' + RIGHT('0' + CAST(DATEPART(mm, ui.DatePosted) AS VARCHAR(255)), 2) AS MonthPosted,
ui.bulletinid [BulletinID],ui.articleid [ArticleID], ui.Title,
    Targeted=(case when ctm.ResourceID is not null then '*' else '' end),
    IsRequired=(case when css.Status=2 then '*' else '' end),
    ui.InfoURL as InformationURL,
    ui.dateposted [Date Posted] ,
    Deadline=cdl.Deadline
    from V_UpdateComplianceStatus  css
    join v_UpdateInfo ui on ui.CI_ID=css.CI_ID
    left join v_CITargetedMachines  ctm on ctm.CI_ID=css.CI_ID and ctm.ResourceID = css.ResourceID
    INNER join v_CICategories_All catall2 on catall2.CI_ID=css.CI_ID
    INNER  join v_CategoryInfo catinfo2 on catall2.CategoryInstance_UniqueID = catinfo2.CategoryInstance_UniqueID
    and catinfo2.CategoryTypeName='UpdateClassification'
    JOIN dbo.v_R_System AS vrs ON vrs.ResourceID = css.ResourceID
       outer apply (
       select Deadline=min(a.EnforcementDeadline)
       from v_CIAssignment  a
       join v_CIAssignmentToCI atc on atc.AssignmentID=a.AssignmentID and atc.CI_ID=css.CI_ID
       ) cdl
   WHERE vrs.Name0='Win7X64-001' and
   ui.Severity IN (8, 10) --this is for security and critical updates
  AND css.Status=2  --for required
ORDER BY 1

I posted the same query on the TechNet forums; more info: https://social.technet.microsoft.com/Forums/en-US/8fe96532-d9ef-48f2-a356-6e1195d9273e/report-of-what-updates-are-needed-by-server?forum=configmanagergeneral#7185a84e-afab-47d2-82bd-7418e02dd75f

SCCM Configmgr SSRS SQL Expression Examples Frequently Used


While creating SSRS reports for Configuration Manager, I use a lot of expressions throughout the report definition. These expressions (formula fields) are used frequently in reports to control content and report appearance. Expressions are written in Microsoft Visual Basic, and can use built-in functions, custom code, report and group variables, and user-defined variables. Expressions begin with an equal sign (=).

These expressions can be used in reports to present data, for example to calculate values for parameters, queries, filters, report item properties, group and sort definitions, text box properties, bookmarks, document maps, dynamic page header and footer content etc.

SQL expressions optimize report performance and are used to speed up the report compared with complicated selections. You cannot use an expression to connect more than one dataset in your report.

In this blog post, I would like to show you some examples of the expressions (syntax) that I use in most of my Configmgr reports.

You can use these simple expressions directly on the design surface, in a dialog box, or in the Properties pane, or you can edit them in the Expression dialog box, just as you would with any expression.

Print date: how to print the report execution date
="Printed on " & Globals!ExecutionTime

Total report runtime (sec): calculate the total execution time of the report
="Total Run time (in Sec): " & CInt(System.DateTime.Now.Subtract(Globals!ExecutionTime).TotalSeconds)

Report executed by: print the UserID of the user who executed the report
="Report Run by: " & User!UserID

Alternating row colors (BackgroundColor property on Text Box): change the background color for alternate lines instead of having a single color across all rows
=IIF(Rownumber(nothing) mod 2, "Transparent", "Silver")

How to show parameters (prompts) in the report: bring the parameter value into the report, for example the collection name to be printed on the report
=Parameters!CollID.Label

Show values in uppercase: print all the values in uppercase
=UCASE(Fields!FieldName.Value)

Convert text to proper case: print the first letter of each word in uppercase
=StrConv(Fields!FieldName.Value, VbStrConv.ProperCase)

Replace NULL with another value:
=IIF(IsNothing(Fields!FieldName.Value), "No Value", Fields!FieldName.Value)

How to set colors in a pie chart based on the output instead of random colors (the example is patch compliance, Color property on Text Box):
=SWITCH(Fields!Patch_Status.Value = "Compliant", "Green",Fields!Patch_Status.Value= "Non-compliant", "Yellow",Fields!Patch_Status.Value = "Compliance state unknown", "Red")

You can also use an IIF condition (values greater than or equal to 10 display with a green background, between 1 and 9 with a yellow background, and less than 1 with a red background):
=IIF(Fields!status.Value >= 10, "Green", IIF(Fields!status.Value >= 1, "Yellow", "Red"))

Combining more than one field using concatenation (& vbCrLf &):
=Fields!CollectionID.Value & vbCrLf & Fields!CollectionName.Value

The Right, Len, and InStr functions are useful for returning a substring, for example, trimming DOMAIN\username to just the user name. The following expression returns the part of the string to the right of a backslash (\) character from a parameter named User:
=Right(Parameters!User.Value, Len(Parameters!User.Value) - InStr(Parameters!User.Value, "\"))

How to display text before the selected values (for example, collection ID or name):
="Collection Name: " & Parameters!CollID.Label

How to use an IIF condition to return a value on a match (for example, return True or False depending on whether the client is installed):
=IIF(Fields!Client.Value =1, True, False)

If the date value is more than a week old, display red, else green (this is needed when checking the hardware inventory date of a client):
=IIF(DateDiff("d",Fields!LastHWScan.Value, Now())>7,"Red","Green")

How to display the page number and total pages in the report footer:
=Globals.PageNumber & " of " & Globals.TotalPages

How to display the name of the report in the footer or body on each page:
=Globals.ReportName & ", dated " & Format(Globals.ExecutionTime, "d")

Page breaks: place a page break at the end of a specified number of rows instead of, or in addition to, on groups or report items:
=Ceiling(RowNumber(Nothing)/25)

Recommended Reading

 https://msdn.microsoft.com/en-us/library/ms345237.aspx

https://msdn.microsoft.com/en-us/library/ms157328.aspx?f=255&MSPPError=-2147217396

Download and Install SCCM Configmgr Vnext Technical Preview 4


Microsoft released Technical Preview 4 (TP4) for Configmgr Vnext (System Center Configuration Manager and Endpoint Protection). The previous technical preview was Technical Preview 3 with updated version 1510 (YYMM). Microsoft has not yet updated the TechNet documentation with the capabilities available in this release (TP4), but it will soon be updated at https://technet.microsoft.com/library/dn965439.aspx.

This technical preview must be installed as a new installation on a server with all the prerequisites met. Upgrading to SCCM Configmgr Vnext TP4 from a previous version of SCCM Configmgr Vnext TP3 is not supported. Upgrading from TP4 to a later version of SCCM Configmgr Vnext is also not supported. For this Technical Preview 4, up to 10 clients can be managed. Only a standalone primary site is supported; secondary sites are not supported.

image

The Technical Preview is intended for use only in a lab environment due to its limited build which expires after 60 days and cannot be used in a production environment.

The Build version with TP4 released is: 5.0.8325.1000

Client Version: 5.0.8325.1000

image

Hoping to see some exciting features that were raised through Configuration Manager User Voice.

Download SCCM Configmgr Vnext Technical Preview 4 from https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection-technical-preview?i=1

A direct link to download Technical Preview 4 is available here.

I will cover the installation and the features in the next post.

Download and Install SCCM Configmgr V1511 RTM available


The latest version of Configuration Manager from Microsoft, V1511 (YY/MM) RTM for December 2015, is now available for download and ready to install in a production environment.

We call this version System Center Configuration Manager current branch (CB), and Microsoft updated the TechNet documentation for this version on December 8 (yesterday). The documentation applies to System Center Configuration Manager (current branch): https://technet.microsoft.com/en-us/library/mt346023.aspx
As you all know by now, going forward Microsoft does not use a year or product identifier like the previous versions 2003, 2007 and 2012. The product supports incremental updates (no more service packs or cumulative update versions to track), called update versions and named YY/MM, whenever a new update is published (servicing model).

Download the evaluation version of System Center Configuration Manager V1511 from https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection

To know what's new in Configuration Manager V1511, read https://technet.microsoft.com/en-us/library/mt622084.aspx

A couple of important links that I would like to share for reference are below:

Get ready for System Center Configuration Manager https://technet.microsoft.com/en-US/library/mt608540.aspx
Design a hierarchy of sites for System Center Configuration Manager https://technet.microsoft.com/en-US/library/mt622312.aspx
Supported operating systems for sites and clients for System Center Configuration Manager https://technet.microsoft.com/en-US/library/mt589738.aspx
Support for SQL Server versions for System Center Configuration Manager https://technet.microsoft.com/en-US/library/mt589592.aspx
Prepare your network environment for System Center Configuration Manager  https://technet.microsoft.com/en-US/library/mt346021.aspx

Download SCCM Configmgr V1511 SQL Views documentation


After the release of Configmgr V1511, I have been really busy setting up the new lab, upgrading from Configmgr 2012 R2 SP1 to SCCM Configmgr V1511 (in place) and working with it.

This post is about the SQL views in SCCM Configmgr V1511 that help you write custom SSRS/SQL queries.

As you know, there are many changes and updates in the newly released Configmgr V1511 compared with its previous version, i.e. Configmgr 2012 R2 SP1. Along with them, there are also newly added SQL views that help you generate reports for the newly added features. We need to have that information at hand when writing custom reports, otherwise you will get stuck and spend a lot of time getting what you need.

I use this SQL views documentation spreadsheet a lot when writing custom SSRS reports and always keep it as a reference for them. It helps a lot, without searching here and there, to find for example where information is stored about IP addresses, task sequence packages or software update scan results.

Download the SCCM Configmgr V1511 SQL views documentation from TechNet Gallery here.

For your information, I have marked in bold black the SQL views that are newly added in Configmgr V1511 compared with Configmgr 2012 R2.

Happy SSRS/SQL Reporting.

SCCM Configmgr SSRS Report Get list of missing updates for PC from specific Software update group


A few months ago, I posted a blog on how to get the list of missing/required software updates for a specific computer. It helps to identify whether a PC is 100% compliant for the list of available patches (metadata) from SCCM, but that report gives you the overall missing patches from the SCCM DB irrespective of whether they are part of any software update group.

Since the previous report cannot be limited to a specific software update group, a lot of people commented on the blog post asking for a filter on software update group, so that they can check a PC against a specific software update group to know its compliance level.

This report does exactly that: it gets the list of missing/required software updates for a particular PC from a specific software update group.

image

Report looks like this:

image

Download the RDL report from TechNet Gallery here, upload it to your Configmgr SSRS Reports, change the data source and run it.

Note: I have tested this report in both Configmgr 2012 R2 SP1 and Configmgr V1511, and it works fine.

SCCM Configmgr How to generate patch compliance report that shows all updates for specific collection ?


There are a couple of posts on the TechNet blog and other forums asking 'Is there any report that lists all updates with compliance status for a specific collection?' Read it once again: a software update compliance report that lists all updates, whether targeted, installed or missing, for a specific collection. A collection may contain X number of clients, and each client will produce Y number of patches with compliance status from your Configmgr environment. So when you generate a report with this requirement, do you know how many rows you get? X (number of clients) * Y (number of patches).

Assume X = 200 clients and Y = 100 patches (till date): the report consists of 200 * 100 = 20,000 rows.

So if you are going to generate a report with this requirement to show management the compliance status (this is not really the compliance status management requires), are they going to read it? How does it matter to them if a particular computer is missing XX number of patches? Management wants to know whether the PC is compliant or not.

You should not encourage such unrealistic requests; if they ask for one, tell them what they are going to get. Garth has blogged about a similar kind of requirement, how to perform a basic software audit; read it here: http://www.enhansoft.com/blog/how-to-perform-a-basic-software-audit

So, how do you perform a basic software update compliance audit? There are a variety of reports available by default in Configmgr in the category Software Updates - A Compliance.

If your management asks for a patch compliance report, get them the overall compliance status of each machine from a specific collection for a specific update (this will get overall compliance from a specific software update group only) or the compliance status for each machine from a specific collection (this will generate a report with all updates in your Configmgr).

There are a lot of patch compliance reports on my blog for different requirements, so have a look at them: download the RDL file, edit it using your favorite tool (Report Builder, BI, Visual Studio etc.), copy the code into SQL Server Management Studio, make the adjustments you need and put the query back into the SSRS report.

The recommended procedure/best practice is to use the existing default reports, or the reports posted on my blog, for compliance status per collection or per OU etc. Start by looking at the computers that are non-compliant (if at least one patch is required by a client, it reports as non-compliant) and troubleshoot those PCs rather than generating unnecessary data.

If you still want to generate such a report, here is the SQL query for you. All you need to do is change the collection ID and run it from SQL Server Management Studio.

select
vsv.Netbios_Name0 [PC Name],
CAST(DATEPART(yyyy,ui.DatePosted) AS varchar(255)) + '-' + RIGHT('0' + CAST(DATEPART(mm, ui.DatePosted) AS VARCHAR(255)), 2) AS MonthPosted,
ui.BulletinID,
ui.ArticleID,
ui.Title,
UpdateClassification=cls.CategoryInstanceName,
Targeted=(case when ctm.ResourceID is not null then '*' else '' end),
Installed=(case when css.Status=3 then '*' else '' end),
IsRequired=(case when css.Status=2 then '*' else '' end),
Deadline=CONVERT ( varchar (26) , cdl.Deadline , 100),
ui.dateposted [Date Posted],
ui.InfoURL as InformationURL
from V_UpdateComplianceStatus  css
join V_UpdateInfo ui on ui.CI_ID=css.CI_ID
join V_CICategoryInfo_All vnd on vnd.CI_ID=ui.CI_ID and vnd.CategoryTypeName='Company'
join V_CICategoryInfo_All cls on cls.CI_ID=ui.CI_ID and cls.CategoryTypeName='UpdateClassification'
join v_ClientCollectionMembers ccm on ccm.ResourceID=css.ResourceID
JOIN dbo.v_R_System_valid vsv ON vsv.ResourceID = css.ResourceID
left join V_CITargetedMachines   ctm on ctm.CI_ID=css.CI_ID and ctm.ResourceID = css.ResourceID
outer apply (
select Deadline=min(a.EnforcementDeadline)
from V_CIAssignment  a
join V_CIAssignmentToCI atc on atc.AssignmentID=a.AssignmentID and atc.CI_ID=css.CI_ID
) cdl
where ccm.CollectionID='PS100018'
order by ui.Title

Output of the SQL Query:

image


Configmgr SSRS SQL Query How to check Client is member of what collections and its Maintenance Window


This is a quick post on how to check which collections a client is a member of and display their maintenance windows.

Maintenance window information for collections is stored in the view v_ServiceWindow. Here is the Excel spreadsheet that I always keep as a reference for custom queries; it always helps to find the right view: http://eskonr.com/2013/10/download-sccm-configmgr-2012-r2-sql-views/

You can run the SQL query below from SQL Server Management Studio or use it in SSRS reports.

Change the PC name in the WHERE clause (WIN10X64-003 below) to your own.

select fcm.CollectionId, coll.Name [Collection Name],s.Name [MW Name],s.Description,s.StartTime,s.Duration
from dbo.v_R_System sys
join dbo.v_FullCollectionMembership FCM on sys.ResourceID = fcm.ResourceID
join dbo.v_Collection coll on Coll.CollectionID = fcm.CollectionID
left join v_ServiceWindow S on s.CollectionID=fcm.CollectionID
Where sys.Name0 ='WIN10X64-003'

Full details: https://social.technet.microsoft.com/Forums/en-US/3a171c53-9ca4-4ecb-9ce6-5dfca19cdadc/query-to-get-server-name-which-collection-it-is-a-member-of-and-the-associated-maintenance-window?forum=configmanagergeneral

image

SCCM Configmgr SSRS Report How do I quickly tell if Clients are compliant or not for all the approved patches?


Here is another interesting report on software update compliance that will really help a lot of people in their daily job. Did you ever receive a request to report compliance status (as a one-line report) for a bunch of clients, for example a specific collection? Management or security people do not really care which software updates a computer is missing; they always look for the final result, i.e. Compliant or Non-Compliant. Only these two statuses matter to them to ensure the computers are fully patched.

Generally, how do you check when such requests come in? Do you look at the default compliance reports (Software Updates - A Compliance--Compliance 5 - Specific computer) or other compliance reports?

There are two ways to tell whether a client is compliant using the default reports.

1) You can run the report based on a software update group for a specific collection: Compliance 1 - Overall Compliance

2) Compliance for a specific computer: Compliance 5 - Specific computer

Report 1) gives you only the status for a specific software update group for a specific collection, not for all software updates deployed to a specific PC. A PC might have 100 software updates deployed, coming through multiple software update groups. It is really challenging to find out whether a PC is compliant for all the deployed patches unless you have only one software update group.

Report 2) gives you a list of all updates with targeted (approved), missing and installed status, but telling whether the PC is compliant for all the patches you see in the report takes time, because you have to filter the missing/required column and compare it with the targeted patches. (Note: you only care about the deployed patches, not all the updates required by the PC; more about this soon.)

Note: This post strictly covers software update compliance, not Endpoint Protection updates.

If you want to run report 2) for a bunch of PCs, you need to create a custom report, and it is not easy to say in one line that a PC is compliant for all the deployed patches.

So, how do I quickly check whether a PC is compliant for all the targeted patches? That is, if I enter the collection name into the report, it should give me the PC name, how many patches are targeted, how many are missing, and whether it is compliant or not. For this report, I have also included other computer information such as last logged-on user name, last hardware scan, last update scan and the update scan result, to identify the PC health.

So, how do I come to the conclusion that a PC is compliant or not based on the targeted and missing patch counts? Here is the logic I have used in the report, if you want to know it before editing the report.

If Count of Missing Patches =0 and Count of Target Patches=0 Then PC is Compliant

If Count of Missing Patches!=0 and Count of Target Patches!=0 then PC is Non-Compliant

If Count of Missing Patches!=0 and Count of Target Patches=0 then PC is Compliant

Before you proceed to download the report, you need to understand a few things about how this SQL query is written and which filters are used in the report to achieve the task.

A client becomes non-compliant only when there are updates needed by the PC; otherwise, we can say the PC is compliant. So my primary filter (WHERE condition) checks for status=2, which means Required/Missing, in V_UpdateComplianceStatus. Based on this criterion, I calculate the total number of patches deployed to the PC and how many are still needed by the PC.

You may wonder about the 3rd rule: how can the count of missing patches be >0 while the count of target patches is 0? You really need to check with the admin who manages the SUP deployment why these updates are not deployed even though they are critical and security updates (this condition is used in the query). So we assume that the client has verified the status of all the deployed patches and that the missing patches do not count because you never deployed them, so the PC is COMPLIANT.
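The three rules above can be written as one query. This is an added example, not the query inside the RDL report from this post; it uses only views and columns that appear in the other queries on this page, and it assumes that "targeted" means a row exists in v_CITargetedMachines for the update and the client. The collection name is a placeholder.

```sql
-- Added example: one row per PC in a collection with its compliance verdict.
-- Not the author's RDL query; the collection name below is a placeholder.
DECLARE @CollectionName nvarchar(255) = N'Your collection Name';

WITH MissingUpdates AS (
    -- One row per update a client still requires (Status = 2), limited to
    -- the severities the page's queries filter on (8, 10).
    SELECT css.ResourceID,
           css.CI_ID,
           -- Assumption: an update counts as targeted (deployed) when the
           -- client has a row for it in v_CITargetedMachines.
           IsTargeted = CASE WHEN EXISTS (
                                 SELECT 1
                                 FROM v_CITargetedMachines ctm
                                 WHERE ctm.CI_ID = css.CI_ID
                                   AND ctm.ResourceID = css.ResourceID)
                             THEN 1 ELSE 0 END
    FROM V_UpdateComplianceStatus css
    JOIN v_UpdateInfo ui ON ui.CI_ID = css.CI_ID
    WHERE css.Status = 2
      AND ui.Severity IN (8, 10)
)
SELECT
    vrs.Name0                        AS [PC Name],
    COUNT(mu.CI_ID)                  AS [Missing Patches],
    ISNULL(SUM(mu.IsTargeted), 0)    AS [Targeted Missing Patches],
    CASE
        -- Rule 2: missing and targeted are both non-zero
        WHEN ISNULL(SUM(mu.IsTargeted), 0) > 0 THEN 'Non-Compliant'
        -- Rules 1 and 3: nothing missing, or missing but never deployed
        ELSE 'Compliant'
    END                              AS [Compliance Status]
FROM dbo.v_R_System vrs
JOIN dbo.v_FullCollectionMembership fcm ON fcm.ResourceID = vrs.ResourceID
JOIN dbo.v_Collection vc ON vc.CollectionID = fcm.CollectionID
-- LEFT JOIN keeps PCs with no missing updates in the result (rule 1)
LEFT JOIN MissingUpdates mu ON mu.ResourceID = vrs.ResourceID
WHERE vc.Name = @CollectionName
GROUP BY vrs.ResourceID, vrs.Name0
ORDER BY [Compliance Status] DESC, [Missing Patches] DESC;
```

A PC that shows as Compliant with a non-zero [Missing Patches] count is the third rule in action: those updates are required by the client but were never deployed to it, which is the case to raise with whoever manages the deployments.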

All clear now? If you still have questions, please post them in the comments section.

Download the RDL file from TechNet Gallery here, upload the report to your Configmgr SSRS Reports, change the data source and run the report.

Try running the report, pick one PC that is compliant and at the same time use your favorite default/custom reports to check whether the PC is compliant for all the deployed patches.

How does the report look?

image

Configmgr How to list all Default and Custom reports with created by, modified by,datasource , Path and Description


By default, when you install the Configmgr Reporting services point role, it creates a lot of reports under the NT AUTHORITY\SYSTEM account, and this can be seen in the log 'srsrp.log' on your site system server. srsrp.log tracks a lot of information, including the list of reports it created, their paths (web paths) etc. If you want to find the RDL files for these reports (default reports only), browse <Configmgr Installation Drive>:\SMS_SRSRP\Reports. The reports reside in their respective category folders, but they do not have proper names. For example, in the category 'Software_Updates_-_A_Compliance' the reports are named 'report290, report291' etc., which is unclear, so always go with Web Reporting. If you want to make modifications to the default reports, I would suggest downloading the RDL file using your web browser and editing it with your favorite reporting tool.

image

Coming to the subject line: how do I list all the Configmgr default reports (created under System) and the custom reports created by domain users, along with additional information like created by, modified by, data source, path and report description? At times it is useful to check who created the reports and who modified them, whether they are default reports or created by someone (custom).

SQL Code:

SELECT c.Name,CreatedBy = UC.UserName,
CreationDate = C.CreationDate,
ModifiedBy = UM.UserName,ModifiedDate,
DS.Name AS DatasourceName,
C.Description,c.path
FROM Reportserver.dbo.Catalog C
JOIN Reportserver.dbo.Users UC ON C.CreatedByID = UC.UserID
JOIN Reportserver.dbo.Users UM ON c.ModifiedByID = UM.UserID
LEFT OUTER JOIN ReportServer.dbo.SecData AS SD ON C.PolicyID = SD.PolicyID
AND SD.AuthType = 1
INNER JOIN ReportServer.dbo.DataSource AS DS ON C.ItemID = DS.ItemID
order by 1

As usual, I have created an SSRS report for this, which is uploaded to TechNet Gallery here. Download the report, upload it to your Configmgr report server, change the data source and run the report.

Once you have the report, you can sort it by either Created By or Modified By to find the custom reports, or reports created by one person and modified by another.

This report also helps you identify how many reports use a specific data source, if you sort it by Datasource Name.

Full details: https://social.technet.microsoft.com/Forums/en-US/53bb8f5c-0193-47a8-bd33-73c58802fbd5/is-there-any-way-to-find-out-all-custom-reports-in-sccm-2012?forum=configmanagergeneral

How does the report look?

image

SCCM Configmgr 1602 Available for Technical Preview 4


Microsoft is doing a fabulous job on the System Center Configuration Manager product by enhancing it, adding new features and updating existing features in the form of technical previews before bringing them to the production version, and they listen to the ideas and suggestions reported through Configuration Manager User Voice: https://configurationmanager.uservoice.com/forums/300492-ideas

A day ago (18th Feb 2016), Microsoft released Configmgr 1602 (YYMM) for Technical Preview 4, which is the latest version (note: this is only for the Technical Preview, not for Current Branch V1511, the production version), with some exciting features and updates to the existing features that were in 1601.

One of the most exciting features is that you can now upgrade the operating system of a Configmgr 1602 site server from Windows Server 2008 R2 to Windows Server 2012 R2, which means you must first upgrade your Configmgr to version 1602 and then do the in-place operating system upgrade.

What's new in Configmgr 1602 Technical Preview 4?

  • Windows 10 Team configuration settings
  • Automatic creation of Microsoft Office mobile apps for iOS and Android - Microsoft Office mobile apps for iOS and Android are pre-created for customers using ConfigMgr integrated with Microsoft Intune
  • Sync Policy button – The new Sync Policy button lets you run the Machine Policy Retrieval & Evaluation Cycle and User Policy Retrieval & Evaluation Cycle with a click of a button. Find it in the Software Center options tab under Computer Maintenance
  • In-place upgrade of ConfigMgr Site Server’s operating system – Support for ConfigMgr Site Server’s in-place upgrade of operating system from Windows Server 2008 R2 to Windows Server 2012 R2
  • iOS Activation Lock management – Capabilities including enabling, querying for the status, retrieving bypass codes, and performing an Activation Lock bypass on corporate-owned iOS devices

Updates to the existing features:

  • Improvements to mobile device management
  • Improvements to Software Center
  • Improvements to Windows 10 Servicing

For more information about Technical Preview updates, installation notes etc., please read https://technet.microsoft.com/library/mt595861.aspx

For step-by-step guides, go through https://www.niallbrady.com/2016/02/18/system-center-configuration-manager-technical-preview-1602-is-now-available/

If you have any ideas, suggestions or improvements that you want to see in Configuration Manager, raise them through https://configurationmanager.uservoice.com/forums/300492-ideas and get them implemented.

SCCM Configmgr SQL Query to check software update is superseded by what software updates

There was a question on the myITforum list asking 'is there a way to get superseded patch list' for all Windows 7, so I thought of writing this blog post to help others with similar needs.

If you want to know which software updates supersede a particular patch (e.g. Cumulative Update for Windows 10 Version 1511 (KB3124200)) in SCCM/Configmgr, you can simply browse to the Software Library / Software Updates node, search for the title, right-click the software update and open Properties, then go to Supersedence Information. There you can see the updates that this software update is superseded by (to replace it), and also whether this software update supersedes any other update.

This method is easy if you want to check a specific software update, but what if you want a list of software updates together with the updates that supersede them?

In Configmgr, software update information is scattered across multiple tables/views, and depending on your requirement you must choose the right table to query.

For writing SQL queries / SSRS reports, always have these 2 as reference: 1) Configmgr SQL views and 2) SSRS expressions.

For our requirement, we will retrieve the software update information from v_UpdateInfo and the supersedence information from v_CIRelation_all.

Based on the above 2 SQL views, the query below retrieves the superseded software updates along with the updates that supersede them.

SQL Code:

-- UI1 = the superseded update, UI2 = the update that supersedes it
select UI1.Title, UI1.IsSuperseded, UI1.BulletinID, UI1.InfoURL,
UI2.Title [S Title], UI2.IsSuperseded [S IsSuperseded], UI2.BulletinID [S BulletinID], UI2.InfoURL [S InfoURL]
from v_CIRelation_all CA
left join v_UpdateInfo UI1 on CA.ReferencedCI_ID = UI1.CI_ID
left join v_UpdateInfo UI2 on CA.CI_ID = UI2.CI_ID
where CA.RelationType = 6 -- supersedence relations only
and UI1.Title like '%Windows 10%'

If you want to list only Windows 7 updates, replace 10 with 7. If you want to list all software updates irrespective of OS, simply comment out the title filter using --

You can use this SQL code in SSRS reports with your own customizations.
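
As an added example (not part of the original post), the script below goes one step beyond the query above: it follows RelationType = 6 rows to resolve each superseded update to its current, non-superseded replacement. It runs against SQLite tables constructed to stand in for v_UpdateInfo and v_CIRelation_all; the sample rows and the helper name latest_replacements are assumptions.

```python
import sqlite3

# Constructed stand-ins for the two ConfigMgr views, reduced to the columns
# used here. IDs and titles are made up for illustration.
SCHEMA = """
CREATE TABLE v_UpdateInfo (CI_ID INTEGER PRIMARY KEY, Title TEXT, IsSuperseded INTEGER);
CREATE TABLE v_CIRelation_all (CI_ID INTEGER, ReferencedCI_ID INTEGER, RelationType INTEGER);
"""
UPDATES = [
    (1, "Update A for Windows 10", 1),
    (2, "Update B for Windows 10", 1),
    (3, "Update C for Windows 10", 0),
    (4, "Update D for Windows 7", 0),
]
# (CI_ID, ReferencedCI_ID, RelationType): B supersedes A, C supersedes B.
# The RelationType 1 row is not a supersedence relation and must be ignored.
RELATIONS = [(2, 1, 6), (3, 2, 6), (4, 3, 1)]
# Follow RelationType = 6 rows from each superseded update until reaching an
# update that is not itself superseded; the hop limit guards against loops.
LATEST_SQL = """
WITH RECURSIVE chain(start_id, current_id, hops) AS (
    SELECT ReferencedCI_ID, CI_ID, 1 FROM v_CIRelation_all WHERE RelationType = 6
    UNION
    SELECT c.start_id, r.CI_ID, c.hops + 1
    FROM chain c
    JOIN v_CIRelation_all r ON r.ReferencedCI_ID = c.current_id AND r.RelationType = 6
    WHERE c.hops < 50
)
SELECT old_u.Title, new_u.Title, MIN(c.hops)
FROM chain c
JOIN v_UpdateInfo old_u ON old_u.CI_ID = c.start_id
JOIN v_UpdateInfo new_u ON new_u.CI_ID = c.current_id
WHERE new_u.IsSuperseded = 0 AND old_u.Title LIKE ?
GROUP BY old_u.Title, new_u.Title
ORDER BY old_u.Title
"""

def latest_replacements(title_filter="%Windows 10%"):
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO v_UpdateInfo VALUES (?, ?, ?)", UPDATES)
    db.executemany("INSERT INTO v_CIRelation_all VALUES (?, ?, ?)", RELATIONS)
    rows = db.execute(LATEST_SQL, (title_filter,)).fetchall()
    db.close()
    return rows

if __name__ == "__main__":
    for old, new, hops in latest_replacements():
        print(f"{old} -> {new} ({hops} hop(s))")
```

T-SQL writes recursive CTEs without the RECURSIVE keyword and requires UNION ALL, so the statement needs adapting before it runs against the ConfigMgr database.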
