ConfigMgr (SCCM) – All about Microsoft Endpoint Manager

Recently ,I worked on on a SCCM project and as initial step ,it was mandatory to bring all the desktops and servers (where ever it was missing) into SCCM with Client installed.

Though ,there are different client installation methods available to install SCCM Client , one of the most widely used client installation method is Client startup script deployed via group policy.

Jason Sandys (MVP) created nice Client Startup Script (group policy) that install configmgr client agent during the system initial boot up.

If you want to achieve good client success rate ,would strongly recommend to look into script and get it implemented .

You can download the script from his blog post http://blog.configmgrftw.com/configmgr-client-startup-script/ .It has pdf document with all the instructions ,how to edit the xml file to make necessary changes.

In this blog post, I will show you, how to implement Jason Sandys client start script in your environment starting from creation of SCCM client folder ,creation of group policy ,deploying the group policy and tracking the results incase of any failures. Hope this blog can help to start with.

1. Login to your SCCM server ,create a folder called SCCMClient in D:drive( any other)

2. Copy the SCCM Client installation source files from your SCCM installed directory to above created folder (SCCMClient).

Copy the client installation files to SCCMClient folder

3.Create folder called hotfix in SCCMClient folder to place the hotfixes if at all any. (If you do not have any hotfixes to install ,you can simply ignore this step) .This step is needed to install the hotfixes along with SCCM client . If you are running on configmgr R2 SP1 CU3, then you need copy CU3 hotfix files into it.

4. Since am running on SCCM 2012 R2 SP1 CU3 (KB3135680) ,go to your hotfix folder (D:\Program Files\Microsoft Configuration Manager\hotfix\KB3135680\Client) ,identify the correct KB (latest cumulative update) ,client folder, copy the folder into hotfix folder.

Copy above 2 folders into hotfix folder

5. Now we need to share this folder so that ,it can be accessed during the client install at system boot up time.

Right click on the folder properties ,Go to sharing tab ,advance sharing

Client on Permissions ,give full control to every one

Click Ok ,Ok ,Ok

Note the share folder path which is need to input into the control file (xml) later.

6. Now ,we will create another folder inside the SCCMClient to store the error logs for the client that fail for some reason so we can investigate at later times.

Create a folder called Errorlogs

7. With this ,we have finished with folder creation and copied all necessary files . Now lets edit the start up script file and move onto group policy creation.

Go to the downloaded script folder ,edit ConfigMgrStartup.xml using notepad and make necessary changes as said in the PDF document .

This xml file is used supply the input parameters need for vbscript during the client installation.

You are required to make couple of changes as listed below (mandatory).

Parameters to edit are:

AgentVersion—Client with less than this version will initiate SCCM client install

ClientLocation—Client installation folder what we created above initiate ccmsetup from specified.

ErrorLocation –to store the error logs (computername.log) incase of any SCCM client failure

AutoHotfix –if you have any hotfix to install ,will added to the ccmsetup.exe command line else ,you can ignore this .

SMSMP---Management Point

For all the location paths, I would recommend to use FQDN instead of hostname.

My xml file looks like this:

<?xml version="1.0"?>
<Startup>
<Option Name="LocalAdmin" >eskonr/localadmin</Option>
<Option Name="SiteCode" >P01</Option>
<Option Name="CacheSize">10120</Option>
<Option Name="AgentVersion">5.00.8239.1403</Option>
<Option Name="MinimumInterval">0</Option>
<Option Name="ClientLocation">\\SGCM01.apac.eskonr.com\SCCMClient</Option>
<Option Name="MaxLogFile">2048</Option>
<Option Name="ErrorLocation">\\SGCM01.apac.eskonr.com\SCCMClient\Errorlogs</Option>
<Option Name="AutoHotfix">\\SGCM01.apac.eskonr.com\SCCMClient\Hotfix</Option>
<Option Name="Delay" >5</Option>
<InstallProperty Name="FSP">SGCM01.apac.eskonr.com</InstallProperty>
<InstallProperty Name="SMSMP">SGCM01.apac.eskonr.com</InstallProperty>
<CCMSetupParameter Name="BITSPriority">HIGH</CCMSetupParameter>
<CCMSetupParameter Name="noservice" />
<ServiceCheck Name="BITS" State="Running" StartMode="Auto" Enforce="True" />
<ServiceCheck Name="winmgmt" State="Running" StartMode="Auto" Enforce="True" />
<ServiceCheck Name="wuauserv" State="Running" StartMode="Auto" Enforce="True" />
<ServiceCheck Name="lanmanserver" State="Running" StartMode="Auto" Enforce="True" />
<ServiceCheck Name="RpcSs" State="Running" StartMode="Auto" Enforce="True" />
<RegistryValueCheck Key="HKLM\SOFTWARE\Microsoft\Ole" Value="EnableDCOM" Expected="Y" Enforce="True" Type="REG_SZ"/>
<RegistryValueCheck Key="HKLM\SOFTWARE\Microsoft\Ole" Value="EnableRemoteConnect" Expected="Y" Enforce="False" Type="REG_SZ"/>
<RegistryValueCheck Key="HKLM\SOFTWARE\Microsoft\Ole" Value="LegacyAuthenticationLevel" Expected="2" Enforce="False" Type="REG_DWORD"/>
<RegistryValueCheck Key="HKLM\SOFTWARE\Microsoft\Ole" Value="LegacyImpersonationLevel" Expected="2" Enforce="False" Type="REG_DWORD"/>
</Startup>

save the xml file .

we are now ready to implement the client start up script using Group policy.

if you are not authorized/permission issues to create group policy ,take the below scripts and handover to Active Directory guy to create start up script for you.

8.Login to the domain controller ,Go to Group Policy Management console ,create new Group policy and called it ‘Install Configmgr Client 2012’

Right on the GPO you created above and click on edit

Drill down to Policies –windows settings –scripts (startup/ Shutdown) ,double click on startup

Click on Show files

Now we need to place the vbscript and xml file in the startup folder

If you have issues with access denied when trying to place the files, you may have to open the actual folder (C:\windows etc) on your domain controller to place the files.

Go back to the startup script properties and click add and browse to select vb script

select ConfigMgrStartup1.75.vbs

In the script parameters ,type in /Config:ConfigMgrStartup.xml

Click ok

Click ok and close the Group Policy Management Editor .

we are now ready to link the GPO to any OU that you want the computers receive Configmgr client during the system boot up.

For troubleshooting ,script will create log file with name Scriptfilename.log (ConfigMgrStartup1.75.vbs.log) in C:\windows\temp folder and for some reason ,the client did not install ,it will copy the log file to errorlog location with computer name as log file.

Hope it helps.

For those of you who didn’t make it to Microsoft Ignite 2016 (September 26–30, 2016, Atlanta, GA ) this year or who attended and they want to recall it ,Microsoft have uploaded some of the sessions (for now ) to YouTube channel and they upload most of them for offline watching.

All the previous years ,Microsoft used to upload the videos on channel 9 but for this year ,they have made it available on YouTube channel.

These sessions are created as playlist based its content type security ,mobility ,deployment,developer etc.

Watch videos on YouTube: https://www.youtube.com/channel/UCrhJmfAGQ5K81XQ8_od1iTg/playlists

Get the session catalog from https://myignite.microsoft.com/sessions

Go through the videos and for sure ,you will take lot of interesting stuff from it .

Recently I was going through some of the Microsoft Ignite 2016 sessions that are related to windows 10,Intune ,MBAM ,UE-V ,Power BI ,Server 2016 and configuration manager which are uploaded to YouTube. During my surfing ,I found lot of videos on these technologies .

So ,in this blog post, I will share the sessions that are related to Configuration Manager ,Windows 10, Intune, MBAM ,UE-V and Power BI which will help you to go through and take notes for future reference.

Hope you will find them useful too.

Join Windows 10 in Azure AD in five easy steps

https://www.youtube.com/watch?v=-CorjRbc7ME

Troubleshoot Windows 10 deployment: top 10 tips and tricks

https://www.youtube.com/watch?v=PZOtTzQjeeM

Dig deeply into BranchCache: learning from the experts

https://www.youtube.com/watch?v=ak25IoIli8s

Get an independent insiders view of desktop virtualization and session remoting:

https://www.youtube.com/watch?v=Nt9U9T7dSrU

Join your Windows 10 devices to Azure AD for anywhere, anytime productivity

https://www.youtube.com/watch?v=MkPG4JhzvII

Discover how App-V and UE-V align with an Evergreen Windows 10

https://www.youtube.com/watch?v=v-QthxIGAlQ

Get your LOB application data into Microsoft Power BI

https://www.youtube.com/watch?v=pbdw6xBl0Vc

Delight users and IT with modern identity experiences on Windows 10

https://www.youtube.com/watch?v=cnpauXwB0DE

Ask us almost anything about Windows 10

https://www.youtube.com/watch?v=2HE6JYsUGN4

Learn the top 10 reasons why you'll like Windows Server 2016

https://www.youtube.com/watch?v=r2-wl1RFM3U

Upgrade, upgrade, upgrade! Say goodbye to clean installs of Windows 10

https://www.youtube.com/watch?v=wZUi_YPsvos

Implement Windows as a Service: how Microsoft IT does it

https://www.youtube.com/watch?v=fRB9_qvauQM

Discover Windows 10 Internals

https://www.youtube.com/watch?v=Qz2bRdwS4O4

Simplify OS deployments with Windows Provisioning

https://www.youtube.com/watch?v=R8IMxWJ65bs

Conduct a successful pilot deployment of Microsoft Intune

https://www.youtube.com/watch?v=ZfHhXYLGYe0

Implement Windows as a Service: how Microsoft IT does it

https://www.youtube.com/watch?v=fRB9_qvauQM

Deploy and manage BitLocker using MBAM

https://www.youtube.com/watch?v=huSiZdLcyKk

Meetup: Learn how to start a user group

https://www.youtube.com/watch?v=N_DPby9P5ZM

Deploy Microsoft Office 365 Client using Configuration Manager

https://www.youtube.com/watch?v=GzZ2haV15nY

See what's new in mobile application management with Microsoft Intune

https://www.youtube.com/watch?v=5T3F8BELCtE

Windows 10 Under the Hood updates with Michael Niehaus

https://www.youtube.com/watch?v=rPVlW7_gnps

Understand and troubleshoot power management and modern standby in Surface and Windows 10

https://www.youtube.com/watch?v=au64NQGZS-4

Case of the unexplained: Windows troubleshooting with Mark Russinovich

https://www.youtube.com/watch?v=sAUeC2LiF5s

Secure Android devices and apps with Microsoft Intune

https://www.youtube.com/watch?v=CxpZTg33grM

Manage and secure iOS and Mac devices in your organization with Microsoft Intune

https://www.youtube.com/watch?v=-kx7ZRXQlxY

Understand settings roaming solutions in Windows

https://www.youtube.com/watch?v=OG58JBMliH8

Explore Windows 10 in education: innovations for using and deploying in schools

https://www.youtube.com/watch?v=fs46MzF3VDc

Enhance Windows 10 security and management with ConfigMgr, Intune, and new cloud services

https://www.youtube.com/watch?v=UDYm-5jb_kg

Ask the experts - Windows10 deployment, servicing, and provisioning

https://www.youtube.com/watch?v=pRNkNd3VU8Q

Upgrade to Windows 10: in depth

https://www.youtube.com/watch?v=eMV7OMMJ8kM

Cert Exam Prep: Exam 70-698: Installing and Configuring Windows 10

https://www.youtube.com/watch?v=KRp69ZkNARI

Prepare for Windows 10 and UEFI

https://www.youtube.com/watch?v=XOeCi9nQW5o

Customize the start menu in Windows 10

https://www.youtube.com/watch?v=T8cHQ5jZuuY

Learn what's new with OSD in System Center Configuration Manager and Microsoft Deployment Toolkit

https://www.youtube.com/watch?v=oYz9BGb2ysM

Use simplified provisioning tools to get Windows 10 up and running in schools

https://www.youtube.com/watch?v=qbEbBodR7Uc

Master Windows 10 Deployments – Expert Level

https://www.youtube.com/watch?v=jULZkDUG6Rs

Deploy and manage Office in complex scenarios with Configuration Manager

https://www.youtube.com/watch?v=59nxWjFFeWg

Secure access to Office 365, SaaS, and on-premises apps and files with Azure AD and Intune

https://www.youtube.com/watch?v=s_t0Sy7O6KM

Manage your mobile devices and apps with System Center Configuration Manager and Microsoft Intune

https://www.youtube.com/watch?v=_OpbL8zPZDA

Meet Windows Server 2016 and System Center 2016!

https://www.youtube.com/watch?v=0LviCzsudGY

Enhance Windows 10 deployment: what's new with Windows 10 deployment?

https://www.youtube.com/watch?v=tCMijTbWNEI

Until next !

Working on fine tuning collections to get the clients (DEV,UAT,PROD etc) from Active Directory based on OU for reporting purpose .Reporting can be either application deployment or software update compliance or anything that you want .In my case, all the OU’s in Active Directory are created based on BU( Business Unit) and business unit most likely with country name in OU.

Lets take example of OU structure like below in my Active Directory.

With the above OU structure ,I want to create collection that list all computers from PROD/DR OU for each Business Unit (Hong kong,Singapore,India etc) . Parent OU can be DBS,CT,CX or anything under each Business Unit.

So to get all computers from PROD/DR OU for Hong Kong Business Unit ,we will use wildcard character (%) with like operator in WQL Query .

ESKONR.INTRANET.ASIA/HK/LI/INFRASERVERS/%PROD%

The above Query will list all PROD clients from OU ‘HK/LI/infraservers’

If you want to list all PROD computers from HK OU irrespective of what Child OU they are in, but should be in PROD OU ,use the following condition.

ESKONR.INTRANET.ASIA/HK/%PROD%

If you want to combine PROD and DR Clients into 1 collection ,you can use OR condition by creating 2 criteria's like below.

ESKONR.INTRANET.ASIA/HK/%PROD%

ESKONR.INTRANET.ASIA/HK/%DR%

So ,How to achieve this using collection ?

Create new Device Collection ,Name the collection ,limit the collection to All Systems ,Add rule and select Query rule ,name the collection again ,select Edit Query statement

Click on Criteria ,select start Burst icon ,click Select

select Attribute class as System Resource and Attribute as

Click Ok ,select Operator as like and Value is your domain name/HK/LI/%PROD%

Click Ok ,Ok ,Ok and accept the default steps you see the screen.

Below is sample collection criteria used in my lab:

List all servers from PROD and DR OU excluding server 2003 operating system as my lab is running 1 server 2003 OS.

You can still it customize this query as per your needs but all you need is ,how to wild card operator .

Hope it helps!

Great news for all us who are in SCCM Configmgr world. Microsoft just released 3 baseline builds for SCCM configmgr 1606 in October 2016 i.e Current branch ,LTSB and Tech review which means, you no longer need to use old baseline build V1511 to upgrade /Install your SCCM hierarchy from SCCM 2012 and install the Current branch updates using updates and servicing method.

In previous days ,If you want to migrate /Install new version of SCCM Configmgr current branch (V1606 for now) ,you must use the baseline build V1511 with supported ADK version of V1507 or V1511 and then install the current branch (1606) updates using updates and servicing method and then update the ADK version to V1607 to support windows 10 new builds.

But from now onwards,you can now upgrade Configuration Manager 2012/R2 directly to version 1606 of the current branch and start taking advantage of new management features, faster and easier updates, support for new Windows releases, and more.

This baseline can be used only to install New sites but not to upgrade from sites like V1511 and for that, you must use In console updates.

Below are 3 different branches of SCCM configmgr with build 1606 released .

1. Current Branch of SCCM

2. LTSB of SCCM

3.Tech Preview of SCCM

Each version has its own limitations and to know more about these limitations and which branch version you should use, please read https://docs.microsoft.com/en-us/sccm/core/understand/which-branch-should-i-use

How to download SCCM configmgr Current branch build version (1606) ?

This build version (1606) can be downloaded from Volume Licensing Service Center (search for “System Center Config”), from Microsoft Evaluation Center and MSDN ,evolution of System Center 2016 (SCCM Version 1606 is now is now included with System Center 2016 for download.)

The setup process of Configuration Manager (version 1606) allows you to choose to install either the current branch or LTSB.

Volume licensing:

Microsoft Evaluation Center (SC_Configmgr_SCEP_1606.exe):

System Center 2016 :

References:

· https://blogs.technet.microsoft.com/enterprisemobility/2016/10/12/configuration-manager-a-progress-update-on-the-current-branch-and-a-new-servicing-branch/

· Introduction to the Long-Term Servicing Branch of System Center Configuration Manager

· Licensing and branches for System Center Configuration Manager

· Which branch of Configuration Manager should I use?

· Supported Configurations for the Long-Term Servicing Branch of System Center Configuration Manager

· Install and Upgrade for the Long-Term Servicing Branch

· Upgrade the Long-Term Servicing Branch to the Current Branch

Long ago ,I did step by step guide series on how to Install MBAM 2.5 SP1 integration with SCCM Configmgr 2012/Current Branch . In that guide,I have used MBAM server which has SQL server and MBAM components installed on local server and integrate MBAM with Configmgr 2012 server.

Few days ago ,I was trying to install MBAM 2.5 SP1 and integrate with SCCM Configmgr Current Branch 1606 in my lab. In this setup ,my requirement was different .I do not want to install SQL Server on MBAM server (local) instead ,use existing SQL instance (remote) to install MBAM Databases and reports.

Since I already have SQL Server installed locally on my Configmgr server ,have decided to use this SQL instance for my MBAM setup.

Before I start the setup in my lab ,I followed the steps on my blog post but I encountered some issues during the installation of web components and reports.

In this blog post, I will share the steps (no screen shots),tips and PowerShell scripts that I have used to setup MBAM in my lab.

If you are looking for step by step guide series on how to install MBAM 2.5 SP1,please go through http://eskonr.com/2015/09/how-to-install-mbam-2-5-sp1-and-integrate-with-sccm-configmgr-2012-r2-sp1/

In my lab ,I already have SCCM CB 1606 installed with SQL (local) and I will use this SQL to install my MBAM databases and reports (remote).

Below is my lab setup:

1 Domain Controller (DC01 ,apac.eskonr.com)

1 SCCM server running on Current Branch (CMCB01) with SQL local

1 MBAM Server (MBM01 , Plane server with domain join)

Here are the steps what I followed in short .

1.Create required MABM Accounts.

2.Register SPN for MBAM Server

3.Login to MBAM Server (MBAM01) and install the prerequisites like IIS components (No SQL server is needed ,we will be using remote SQL) and ASP.net MVC 4

4.Login to SCCM server(CMCB01) ,perform the changes to MOF,Hardware inventory ,run the MBAM server setup to perform system center configuration manager integration. you must run this setup only in your SCCM Server .

5.Login to MBAM Server (MBAM01) ,Insert/Copy Supported Version of SQL server media and install SSRS Reporting services (native) . SSRS must be installed and running during the MBAM Server installation.

Configure SSRS in "native" mode and not in unconfigured or "SharePoint" mode. You cannot use remote installed SSRS for MBAM Server.

6. On MBAM Server ,open Reporting services configuration manager ,click on connect ,go to web service URL ,create Virtual Directory ,move on to database tab ,create reportserver database (place the database on remote server that you wish to have ,in this case it will be on my SCCM Server) and to create the reportserver DB (I name it MBAMReportServer) on SCCM SQL , make sure you have full permissions on SCCM SQL database. Follow the steps reporting services configuration manager take you through.

7. Make sure the reporting services account that is running on your MBAM Server (MBAM01) must use domain account (cannot be system account and NT account) to connect to remotely configured Reportserver database . so open services.msc ,properties of SQL Service Reporting services ,choose account that permissions to connect to reportserver DB(MBAMReportServer) on SCCM Server.

8.Restart SQL Service reporting services.

9. Now its time to start the installation of MBAM components on MBAM Server (MBAM01).

10. Launch MBAM server setup ,go with default installation and open MBAM server Configuration ,click on add new features ,select databases (Compliance and Audit, Recovery Database) ,Reports .

11. when the databases are created ,launch MBAM Server setup,again and this time select the leftover component Web Applications (Administration and monitoring and self-service portal).

At this step ,I had some issues with Application pool account that failed to connect to MBAM recovery and hardware database which was installed on my Configmgr SQL server. so I had to look at the logs to troubleshoot the issue by providing the enough permissions to MBAM Recovery and hardware database on my SCCM server for MBAM_HD_AppPool account

Error:

Cannot connect to the database using specified connection string 'Data Source=CMCB01.apac.eskonr.com;Initial Catalog="MBAM Recovery and Hardware";Integrated Security=True'

Error: System.Data.SqlClient.SqlException (0x80131904): Login failed for user 'APAC\MBAM_HD_AppPool'.

12. If you see any errors during the installation of any of the MBAM components, check the event viewer which will give you more information about the issue . Where to look at event viewer ?

Open event viewer ,Applications and service logs ,Microsoft ,windows ,MBAM-Setup ,in this ,you have 2 sections 1) Admin 2) Operational .

All these steps can be performed through PowerShell scripts right from creation of MBAM User accounts/Groups to installation of MBAM components.

Tanner Slayton Sr Consultant Cyber Security from Microsoft has posted MBAM scripts on Github ,can be downloaded from https://github.com/tslayton.

13. Configure GPO settings as per the requirement ,for more information on this ,you can read part 5 of my step by step guide series

14. If you want add support for the BitLocker XTS-AES encryption type ,then install September 2016 servicing release hotfix from https://support.microsoft.com/en-us/kb/3168628

Below are scripts /command lines that I have used while installing the MBAM components in my lab.

Adding IIS Features:

Write-Host 'Adding IIS and the components required for MBAM Installation of the Helpdesk and SelfService Portals'
$Features = 'Web-Server', 'Web-WebServer', 'Web-Common-Http', 'Web-Default-Doc', 'Web-Static-Content', 'Web-Security', 'Web-Filtering', 'Web-Windows-Auth', 'Web-App-Dev', 'Web-Net-Ext45',
'Web-Asp-Net45', 'Web-ISAPI-Ext', 'Web-ISAPI-Filter', 'Web-Mgmt-Tools', 'Web-Mgmt-Console', 'NET-WCF-Services45', 'NET-WCF-HTTP-Activation45', 'NET-WCF-TCP-Activation45',
'WAS', 'WAS-Process-Model', 'WAS-NET-Environment', 'WAS-Config-APIs'
Add-WindowsFeature -Name $Features

Install MBAM componets:

Import-Module 'C:\Program Files\Microsoft BitLocker Administration and Monitoring\WindowsPowerShell\Modules\Microsoft.MBAM\Microsoft.MBAM.psd1'

# Enable compliance and audit database
Enable-MbamDatabase -AccessAccount 'APAC\MBAM_DB_RW' -ComplianceAndAudit -ConnectionString 'Data Source=CMCB01.apac.eskonr.com;Integrated Security=True' -DatabaseName 'MBAM Compliance Status' -ReportAccount 'APAC\MBAM_DB_RO'

# Enable recovery database
Enable-MbamDatabase -AccessAccount 'APAC\MBAM_DB_RO' -ConnectionString 'Data Source=CMCB01.apac.eskonr.com;Integrated Security=True' -DatabaseName 'MBAM Recovery and Hardware' -Recovery

# Enable self service web portal feature
Enable-MbamWebApplication -CompanyName 'Eskonr' -ComplianceAndAuditDBConnectionString 'Data Source=CMCB01.apac.eskonr.com;Initial Catalog="MBAM Compliance Status";Integrated Security=True' -HelpdeskUrlText 'Contact Helpdesk or IT department.' -HostName 'MBM01.apac.eskonr.com' -InstallationPath 'C:\inetpub' -Port 80 -RecoveryDBConnectionString 'Data Source=CMCB01.apac.eskonr.com;Initial Catalog="MBAM Recovery and Hardware";Integrated Security=True' -SelfServicePortal -VirtualDirectory 'SelfService' -WebServiceApplicationPoolCredential (Get-Credential -UserName "APAC\MBAM_HD_AppPool" -Message WebServiceApplicationPoolCredential)

# Enable report feature
Enable-MbamReport -ComplianceAndAuditDBConnectionString 'Data Source=CMCB01.apac.eskonr.com;Initial Catalog="MBAM Compliance Status";Integrated Security=True' -ComplianceAndAuditDBCredential (Get-Credential -UserName "APAC\MBAM_DB_RO" -Message ComplianceAndAuditDBCredential) -ReportsReadOnlyAccessGroup 'APAC\MBAM_HD_Reports'

# Enable agent service feature
Enable-MbamWebApplication -AgentService -ComplianceAndAuditDBConnectionString 'Data Source=CMCB01.apac.eskonr.com;Initial Catalog="MBAM Compliance Status";Integrated Security=True' -DataMigrationAccessGroup 'APAC\MBAM_HD_DataMig' -HostName 'MBM01.apac.eskonr.com' -InstallationPath 'C:\inetpub' -Port 80 -RecoveryDBConnectionString 'Data Source=CMCB01.apac.eskonr.com;Initial Catalog="MBAM Recovery and Hardware";Integrated Security=True' -WebServiceApplicationPoolCredential (Get-Credential -UserName "APAC\MBAM_HD_AppPool" -Message WebServiceApplicationPoolCredential)

# Enable administration web portal feature
Enable-MbamWebApplication -AdministrationPortal -AdvancedHelpdeskAccessGroup 'APAC\MBAM_HD_Adv_Users' -ComplianceAndAuditDBConnectionString 'Data Source=CMCB01.apac.eskonr.com;Initial Catalog="MBAM Compliance Status";Integrated Security=True' -HelpdeskAccessGroup 'APAC\MBAM_HD_Users' -HostName 'MBM01.apac.eskonr.com' -InstallationPath 'C:\inetpub' -Port 80 -RecoveryDBConnectionString 'Data Source=CMCB01.apac.eskonr.com;Initial Catalog="MBAM Recovery and Hardware";Integrated Security=True' -ReportsReadOnlyAccessGroup 'APAC\MBAM_HD_Reports' -ReportUrl 'http://mbm01.apac.eskonr.com/ReportServer' -VirtualDirectory 'HelpDesk' -WebServiceApplicationPoolCredential (Get-Credential -UserName "APAC\MBAM_HD_AppPool" -Message WebServiceApplicationPoolCredential)

Hope it helps!

Working on setting up the new hierarchy for SCCM Configmgr Current Branch 1606. As part of installation process ,it ask for prerequisite downloads folder and for it ,I can either choose Download Required files (it will download from internet )or Use previously downloaded files (download the files on any machine that has internet access and copy the files to your SCCM server). I choose download required files from internet as my server is has internet access through proxy IP.

After a while ,download of prereq’s failed ,which lead me to look at ConfigMgrSetup.log for the error details.

Log (ConfigMgrSetup.log) snippet is below:

ERROR: WinHttpReceiveResponse failed 80072ee2

ERROR: Download() failed with 0x80072EE2

ERROR: Failed to download language pack manifest (0x80072EE2)

I open IE on my windows server 2012 R2 Box and try to browse the URL that is displayed in log http://go.microsoft.com/fwlink/?LinkId=746984 to see if it works or not.

Below is what I see when I browse the URL and this is due to default Internet explorer settings .Download of any file is disabled (Default setting) on server 2012 R2.

In order to fix this ,we have to do some custom changes to Internet explorer settings to enable download file.

So I opened Internet Explorer options ,go to Security tab ,select Internet and Custom Level to enable the download File option but I see Custom Option is disabled with message : Some settings are managed by your system administrator (GPO policy)

This is due to the Group policy .My Group policy does not allow to perform any changes to the default IE settings.

What to do next next to download the files and allow my SCCM Server download files going forward ? Should I talk to AD team who control the group policy to allow custom level settings ? Nah .you don’t need to.

There is registry setting that control the above Custom Level Setting .If you make changes to that setting ,your IE setting Custom Level option is enabled and from there ,you can enable Download file.

Open the Registry on your server (you need to be administrator or run CMD as administrator)

Browse through HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

change Security_HKLM_only value to 0 from 1.

Now open IE Settings ,Security Tab, Internet ,Go to Custom Level

Downloads –>file Download ,select enable.

Click Ok.

Now try to browse the URL ,you are good to download the files.

After a while ,GPO policy will refresh and the registry setting may change back to 1 but Enable download option in the security setting custom Level will not be changed .

Thanks to my Friend (Alpesh) for providing the quick Fix .

Other day ,I have got a request to install/update VMware tools (32bit and 64bit) on servers that are running on VMware platform to latest version (as per the vsphere server version or what requester needs).

VMware Tools is a suite of utilities that enhances the performance of the virtual machines guest operating system and improves management of the virtual machine. Without VMware Tools installed in your guest operating system, guest performance lacks important functionalities.

To deploy VMware tools ,you can either use Legacy method called package or Application deployment method .If you go with package ,you will loose the control of deploying the vmware tools only on computers with model vmware virtual platform (unless you create collections separately) and check if the required tools already installed and many other things.

Application method always preferable for any deployments (unless specific reason) as it provides much control over packages to deploy applications.

In this blog post, we will see ,how to create VMware tools application for 32bit ,64bit with detection logic and requirements to install only on computers with model ‘VMware Virtual Platform‘.

I will divide this guide into 4 steps as listed below.

1. Copy VMware source files.

2.Create Global Condition for Computer model

3. Create Application which consists of 2 deployment types (32bit & 64bit ) with detection logic ,requirement rules.

4.Distribute the Application

5.Deploy the application to collection

6.Check the application status on Client

7.Deployment Results

1. Copy VMware source files.

Get the source files from the requestor and copy it to SCCM content source folder location.

It contain source files for both 32bit (setup.exe)and 64bit (setup64.exe) Operating system.

2.Create Global Condition for Computer model:

Before we create application for VMware tools ,we want to check if the computer model is vmware or not, if OS is not running on vmware platform ,we do not want to install vmware tools.

To check the application mode, we need to create global condition which can be used later in Requirements tab.

Right click on Global Conditions –>select create Global Condition

Fill the information as listed below.

Name: Computer Model

Device Type:Windows

Condition Type: Setting

Setting Type: WQL Query

Data Type: String

Name Space: root\cimv2

Class: Win32_computerSystem

Property: Model

Click on Ok

Now ,on the Global Condition node, you will see newly created Condition with Type -Custom (not default and created by User) ,read only –No (can edit it) and In Use –No (not yet used).

3.Create Application

Go to Application Management –Applications Node

Right click on folder that you would like to create the application and select Create Application

Since the file is exe ,select Manually specify the application information

Enter the application name and other information as needed

Accept the default (unless you don’t have anything to specify)

We will now create 2 deployment types 1 for 32bit and other for 64bit and I call them as x86 ,x64.

Click on Add

Since we are using exe for the deployment and it doesn’t come with msi ,select type as script and select manual this time as well.

Name it as Install x86 .

Specify the content location folder that you have copied the source files.

Installation Program: setup.exe /S /v" /qn REBOOT=R"

It will install silently without reboot .If you to reboot upon the completion of installation ,remove reboot=R ,more information here

We will now add detection method .It will help us to skip if the deploying version or greater already exist ,if not,install the tools.

Click On add Clause

Fill the content as per below screenshot.

Setting Type: File System

Type: File

Patch:C:\Program Files(x86)\VMware\VMware Tools\

File or Folder Name: vmtools.dll

Value: 10.0.9.55972

How to get version ?

On your source folder ,right click on setup.exe file ,you will find the vmware tools version in details tab.

Click Next

As per settings shown below for User Experience tab

Requirements tab:

We will now create 2 requirement rules 1 for OS and other for Model .

Click on Add

Since this is 32bit vmware tools and we want to install only on OS running x86 with vmware model.

select category: Device

Condition: Operating System

One of the Operating system: 32bit of server 2008 and others if you need.

Click Ok

we need to add one more rule for model ,so click on Add again

Select Category :Custom

Condition : Computer Model

Operator: Equals

Value:VMware Virtual Platform

These requirement rules use AND operator .So Server OS must be running on x86 and model: VMware Virtual Platform

Click Next ,accept default settings

Verify Summary Page

Click Next

We have now created deployment type for 32bit VMware tools .We need to do the same for 64bit vmware tools as well.

Click on Add and follow the same procedure as we did above except few things need change and they are listed below:

Installation Program:setup64.exe /S /v" /qn REBOOT=R"

Detection method:

Path :C:\Program Files\VMware\VMware Tools\

Requirement rules: OS will be only 64bit (can be server 2008 ,server 2012 and others)

when you are done, you will see 2 deployment types

Verify summary Page:

Click close to close the application wizard

we now created application with 2 deployment types (32bit and 64bit) .

By default ,when you create application ,settings Allow clients to use a fallback source location for content and deployment options for deployment are not enabled.

If you need above settings to be enabled ,do it for both the deployment types else ignore it.

Now ,we will distribute the application to distribution points . Right click on application and select distribute content

Go through the steps as you do for other applications.

when you are done with application distribution ,its time to deploy application to collection.

5.Deploy the application to collection

Create a collection that wanted to receive the new vmware tools (Installing the new version of vmware tools will automatically upgrade the existing version (old) to new .Only new version will exist )

If you simply add all systems ,this application will not install on all computers as we have a requirement rule to install it only on computer running on vmware platform with either 32bit or 64 bit.

So create collection as your needs and deploy the application to the collection.

6.Check the application status on Client

Open Software Center ,you will now see vmware tools appear on available software tab (This is for CM12 ,if you are on CMCB with new software center,you know where it will be)

Click on Install ,Client will download the source files into ccmcache and start the installation

Monitor the application deployment logs ( AppDiscovery.log,AppEnforce,DcmWmiProvider) more about logs ,please refer https://technet.microsoft.com/en-us/library/hh427342.aspx

After a while ,you will see application installed . If it fails,check the logs and troubleshoot why did it failed

7. Deployment results:

you can run the default report to check the status of application or can also see from deployment monitoring tab or from the console itself as shown below

Hope you found this post useful!

Few days back ,I was helping friend of mine ,who had some issues with SCCM Client and he was unable to launch Software Center .When he try to open Software Center application,it immediately pop-up with error code as shown below .

SCNotification has stopped working .

The procedure entry point HttpsisHostHstsEnabled could not be located in the dynamic link library WININET.dll

I tried launching event viewer ,MMC etc but unable to open any of them and all giving same error code as No storage available to perform this operation.

I tried uninstalling SCCM Client, remove SMS certificates ,delete smscfg.ini ,restart the client and install the client but still get same error.

How do I fix this issue if reinstalling the client did not help ?

If you look at the error message ,it says ,The procedure entry point HttpsisHostHstsEnabled could not be located in the dynamic link library WININET.dll.

This lead me to replace the existing WININET.dll file from working client in both System 32 and Syswow64 folder .

Note: In order to perform the following steps,you need to have local administrative rights on the client .

By default ,this file is owned by trusted installer and if you simply delete /rename this file and copy wininet.dll from working client ,it doesn’t allow you replace the file.

How to delete\replace the file then ? Well ,we will try to take the ownership of this file and then perform the operation on it.

Go to C:\windows\system32 folder on problem client ,right click on wininet.dll, Properties ,go to security ,click on Advanced

click on Owner Tab and select Edit

On the owner tab ,select administrators or user listed in the Change Owner from Trustedinstaller.

Windows security pop-up appear and proceed to perform these changes.

Now ,we have taken the ownership of WININET.dll file .

We will try to rename the file to something else like WININET_old.dll and then we will copy the file from working client to here.

Login or access admin$ share on any other working client ,copy WININET.dll file from C:\windows\system32 folder ,paste it on non-working client folder C:\windows\system32

We need to perform the same procedure as we did above for Syswow64 folder (incase if x64 OS) as well .

Go to C:\windows\syswow64 and take the ownership of file WININET.dll from trustedinstaller to administrators or other user who has local administrative rights.

Rename the file to WININET_old.dll .

Login or access admin$ share on any other working client ,copy WININET.dll file from C:\windows\syswow64 folder ,paste it on non-working client folder C:\windows\syswow64

Now reboot the client and launch System Center application ,it works as usual without any errors.

I have no idea what causes this issue and have not spent much time to find the root cause.

If you have any other better solution which worked, please post it via comments ,I will update the blog post for others.

Hope it helps!

Since few months ,Microsoft publishing some great guides (deep dive) on SCCM Configmgr understanding and troubleshooting process ,tips and tricks that will help Configmgr administrators in solving issues.

It is really hard to find these useful links through search engines when needed for reference and to send it internally for the team to go through .

I have tracked all the useful links in my OneNote and I have decided to let it go out for public incase for reference.

This blog post will be updating now and then ,when there is new content available.

1. Understanding and Troubleshooting Content Distribution in Microsoft Configuration Manager: This guide helps administrators understand the content distribution process and serves to build a foundation for diagnosing and resolving general content distribution related problems

2.Software Updates in Configuration Manager Current Branch Deep Dive – Client Operations

3.Troubleshooting the Database Replication Service in Microsoft Configuration Manager: This guide helps determine the type of DRS problem you are experiencing, explains how the processes work and offers troubleshooting suggestions for some of the most common problems.

4.Troubleshoot the Install Application task sequence in Microsoft Configuration Manager: This guide helps you understand the Install Application task sequence process and troubleshoot common problems that may occur. The Install Application task sequence step issued to install applications as part of the overall task sequence.

5.Troubleshooting PXE boot issues in Configuration Manager 2012:Helps administrators diagnose and resolve PXE boot failures in System Center 2012 Configuration Manager(ConfigMgr 2012 or ConfigMgr 2012 R2).

6.Software Update Management Troubleshooting in Configuration Manager: This guide helps you troubleshoot the software update management process in Microsoft System Center Configuration Manager, including client software update scanning, synchronization issues and detection problems with specific updates.

7.Configuring Software Update synchronization in System Center Configuration Manager: This guide explains the System Center Configuration Manager software update synchronization process from start to finish. Each step in the process is explained, including the various settings that control how update retrieval and synchronization are performed, common problems seen with each step in the process, as well as general troubleshooting tips.

8.complete guide to Microsoft WSUS and Configuration Manager SUP maintenance

9.Flowchart - Update replication for System Center Configuration Manager :These data flows display the process by which an in-console update you select to install replicates to additional sites. These flows also display the process of extracting the update to run prerequisite checks and to install updates at a central administration site and at primary sites.

10.Software Update Management Troubleshooting in Configuration Manager:This guide helps you troubleshoot the software update management process in Microsoft System Center Configuration Manager, including client software update scanning, synchronization issues and detection problems with specific updates.

See you all in the next post!

Microsoft released SCCM Configmgr Technical Preview branch update 1610 (YYMM) for October 2016 with some new client features.

This Technical Preview 1610 is available as both an in-console update for the Configuration Manager Technical Preview, and as a new baseline version that is available from the TechNet Evaluation Center website. If you are planning to build new lab ,you can now use this preview update as new installation and carry your testing.

This month previous update contains the following new features:

Improvements to the notification experience for high-impact task sequence and required application deployments – Task sequence deployments that have a high-impact to the end user, such as operating system deployments for example, now display more intrusive notifications. However, end users can dismiss (snooze) these notifications, and control when they reappear. Any relevant client settings for notification frequency are still honored.
Deny previously approved application requests – As an administrator, you can deny a previously approved application request. This prevents new installations of the application To install this application later, users must resubmit a request. If the application was previously installed, it will not be uninstalled.
Filter by content size in automatic deployment rules – Use the content size filter in automatic deployment rules to prevent large software updates from automatically downloading to better support simplified Windows down-level servicing when network bandwidth is limited.
Exclude clients from automatic upgrade – When you configure settings to control how clients automatically upgrade, you can now specify a collection to exclude specific clients from the upgrade. This applies to automatic upgrade as well as other methods such as software update-based upgrade. This can be used for a collection of computers that need greater care when upgrading the client.

Download SCCM Configmgr technical preview 1610 from TechNet Evaluation Center

For more information about this preview update ,read https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1610

For Technical preview documentation read https://docs.microsoft.com/en-us/sccm/core/get-started/technical-preview

Configuration Manager Resources:

Documentation for System Center Configuration Manager Technical Previews

Documentation for System Center Configuration Manager

System Center Configuration Manager Forums

System Center Configuration Manager Support

Download the Configuration Manager Support Center

System Center Configuration Manager and Endpoint Protection (technical preview branch – version 1610

Colleague of mine has received request to check why did the SCCM client (server OS) rebooted during office hours and more details about the reboot (who initiated etc.). I started looking at this request to find out whether the client was rebooted due to windows patching or any applications pushed by SCCM.

During my troubleshooting ,I went through several client logs ,event viewer,SQL Query,PowerShell script etc .

In this blog post, I will try to list down the steps that went through to identify who rebooted the SCCM Client (server OS).

1. First and foremost that anyone would look at is ,event viewer to find out who rebooted the server (whether it was SCCM Client or any user).

Go to event viewer –> Windows logs –-> system ,right click and select filter current log ,enter 1074 (Event ID:1074 for reboot) as shown below.

Event ID:1074 –>This event is written when an application causes the system to restart, or when the user initiates a restart or shutdown by clicking Start or pressing CTRL+ALT+DELETE, and then clicking Shut Down. This event is written to the system log only when the Shutdown Event Tracker group policy setting is enabled or not configured.

You will see lot of entries with 1074 event ID ,of which ,we only look at the recent one .

From the above screen, the recent restart was initiated by SMS agent host (ccmexec) on 10/31/2016 05:45:10 PM due to applications or software update installation. This doesn’t tell you the username as the restarted was initiated by system account (NT AUTHORITY\SYSTEM)

The process C:\Windows\CCM\CcmExec.exe (ComputerName) has initiated the restart of computer ComputerName on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found
Reason Code: 0x80020001
Shutdown Type: restart
Comment: Your computer will restart at 10/31/2016 05:45:10 PM to complete the installation of applications and software updates.

Now ,we need to find out ,what was installed on the server during the reboot time/before and does client have enough maintenance window to reboot .

2. Lets check what is the available maintenance window for the server ,that might help to analyze any installation that has pending reboot with enough maintenance window allowed reboot or not.

I use the following SQL query to check the available maintenance window for specific client.

DECLARE @file varchar(5000);
SET @file='Server Name'

select MW.[Collection Name],MW.[MW Name],MW.Description,convert(nvarchar(26),MW.StartTime,100)[StartTime],MW.Duration
from
(
select fcm.CollectionId, coll.Name [Collection Name],s.Name [MW Name],s.Description,s.StartTime,s.Duration
from dbo.v_R_System sys
Right JOIN dbo.fn_SplitString(@file,',' ) AS fss ON sys.Name0 = fss.substring
join dbo.v_FullCollectionMembership FCM on sys.ResourceID = fcm.ResourceID
join dbo.v_Collection coll on Coll.CollectionID = fcm.CollectionID
left join v_ServiceWindow S on s.CollectionID=fcm.CollectionID
) MW
where MW.[MW Name] not like ''

I have used @file is basically to pipe large number of clients that I wanted to query for. If you want to list the MW for more than 1 client ,your @file should be @file=’server1,server2,server3,server4’

With above SQL query ,I do not see any maintenance window available for server to reboot that time (server rebooted time ).

3. Now ,we will go back to problem server ,login to see what was Installed by SCCM during the reboot time or before the reboot.

we will try to look at AppEnforce.log (for applications),execmgr.log (for packages) and windows update logs (WUAHandler.log,UpdatesHandler.log) and other logs that you suspect.

AppEnforce.log :

From appenforce.log, there was an application that installed silently without any reboot (Matched exit code 3010 to a PendingSoftReboot entry in exit codes table.)

So the application doesn’t have any force reboot option and for sure,something else is caused the reboot .

4. Now ,take a look at the RebootCoordinator.log and MaintenanceCoordinator.log if that helps to reveal some information about reboot behavior.

RebootCoordinator.log

From above log,I see couple of entries related to server reboot which help my job to identify the root cause.

User S-1-5-21-1009845188-1641970364-1010270793-4361695 is getting pending reboot information

ServiceWindowsManager has not allowed us to Reboot

MTC allowed us to reboot

Notified UI grace period start with 900 grace seconds and 300 final seconds.

System reboot request succeeded.

As you see from the log, user SID is getting pending reboot information which means, someone logged into the server during the reboot of the server.

How to find who is that user ? Well ,you can find it using event viewer security logs or PowerShell script that converts SID to User name.

I have used below PowerShell script that convert SID Value to User Name

$objSID = New-Object System.Security.Principal.SecurityIdentifier ("S-1-5-21-1009845188-1641970364-1010270793-4361695")
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount])
$objUser.Value

copy the script ,change the SID Value and run the PowerShell script on the problem server to find the user name.

Now I got the user name ,who logged into the server during the reboot, but I cannot take this information as granted and confirm that this user initiated the reboot.

Well, RebootCoordinator.log doesn’t confirm if logged user restarted the server .So what next ?

In SCCM Configmgr 2012 and above, there are logs for users as well.These logs records the activity for notifying users about software for the specified user.

These user notify logs named with SCNotify_<domain>@<username>_1.log

open the log for the user (_SCNotify_<domain>@<Username>_2.log) who logged into the server during the server reboot if he/she initiated .

From this log,found lot of useful information of which ,found below entry that confirm user allowed to restart system.

RestartCountdownDialog: IsRestartSystemAllowed - user is allowed to restart system (Microsoft.SoftwareCenter.Client.Pages.RestartCountdownDialog at .ctor)

Notification is for a logoff/restart required or logoff/restart countdown. (Microsoft.SoftwareCenter.Client.Notification.NotifyObjectBase at ShowBalloonTip)

Number of total seconds in countdown is 900; starting value is 2; seconds til restart is 898, system will restart at 5:45:09 PM (utc end time = 9:45:10 AM) (Microsoft.SoftwareCenter.Client.Pages.RestartCountdownDialog at .ctor)

This confirm that, user who logged into the server has initiated the reboot and nothing from SCCM client.

If you have any other possible methods to identify who initiated the reboot, post it via comments section.

Until next!

Have seen couple of times on SCCM Configmgr forums asking for ‘How to get applications /deployment types that has allow clients to use fallback source location for content ’ is checked or not.

Allow fallback source location for content: This feature is designed to allow client to gain access (fallback) to content that is not available on a Distribution Point (DP) that is located in their Boundary Group.

If this feature is not implemented correctly, it can lead to unexpected results and high network utilization over remote WAN links.

For more information about fallback source location and distribution point, please read TechNet article https://technet.microsoft.com/en-us/library/gg712321.aspx?f=255&MSPPError=-2147217396#BKMK_PreferredDistributionPoint .

When this question was asked ,I thought ,I would look at it when I get time and later it went to my To-Do item list due to time constraints and never looked at it in the recent days.

Recently ,I had similar requirement to identify the list of applications with its deployment type properties to find out how many of them are not checked this option ‘allow clients to use fallback source location for content ‘ and download options (slow or unreliable network boundary)

If you want to know the list of applications that has this option checked or not ,there is no default report and no easy way to check in console as well.

Either you have to create custom report or PowerShell (PoSH) script.

when you create an application using application wizard ,there are couple of options that doesn’t show you in GUI (unless you use scripting to create apps) and these are like allow clients to use a fallback and deployment options etc.

If you have few number of applications in SCCM ,it is easy to do manual check by right click on deployment type and look for this option ,but what if you have large number of applications with multiple deployment types and you want them to be displayed in report ?

Before we try to create report for this ,we need to identify ,what table/view this information is stored in and after we identify the right view,we can write SQL query.

Application and its deployment type property information in SCCM 2012 and above, is not stored directly in database view instead, it is stored in xml file in function fn_ListDeploymentTypeCIs(1033) with column name SDMPackageDigest.

Once we know where the application deployment property information is stored, we need to know how to extract the required information from this xml file.

This xml file contains lot of information out of which ,we now only look at couple of important fields like application name,deployment name,type,UserInteractionMode,ExecutionContext ,RequiresLogOn,FallbackToUnprotectedDP,OnSlowNetwork. If you want retrieve other information from the xml ,do customize the report yourself.

To know more information about the xml file and how to extract the information from xml file using SQL query ,read here .

The information that is stored in xml file for allow clients to use fallback source location for content is in column FallbackToUnprotectedDP with values true or NULL

If you have selected option called Deployment options as shown in the diagram ,either with do not download content or download content from distribution point and run locally ,is in column ‘OnSlowNetwork’ with values Download or DoNothing or NULL

I have created SSRS Report for you .So all you need is ,download the report from Technet, upload to your SSRS reports, change the data source and run the report.

Note:If you have large number of applications and you are looking for deployment type names that has not checked ‘allow clients to use fallback source location for content ’ option ONLY ,then may have to edit the report and do custom changes to list only those applications with filtering instead listing all in your SCCM.

How does the report look like ?

Hope you enjoyed reading this article.

See you in the next post!

Setting up new SCCM Configmgr Current Branch 1606 in production environment .As part of it ,have created source folder (repository for content store) and placed couple of packages/applications for testing . while trying to distribute the packages, all failed with same error code.

The source directory \\servername\sources$\Applications\Microsoft\SCUPCert doesn't exist or the SMS service cannot access it, Win32 last error = 5

Win32 last error = 5 translates to access denied .I made sure ,SCCM site Server account, user account /group had full access to the source folder location but missed to add System account.

To see if the system account have enough read permission to the above share ,simply use sysinternal tools and access the share if that works or not.

PSEXEC -i -s -d CMD

In my case ,it says access denied but am able to access using user account.

To fix this ,you need to provide permissions to SYSTEM account as well both in sharing and security tabs (NTFS Sharing).

Hope it helps!

The Microsoft Deployment Toolkit (MDT) is a free tool for automating Windows and Windows Server operating system deployment, leveraging the Windows Assessment and Deployment Kit (ADK) for Windows 10. Microsoft released new build version 8443 for Microsoft Deployment Toolkit with some quality updates. This build update requires Windows Assessment and Deployment Kit (ADK) for Windows 10, version 1607, which you can download from Microsoft Hardware Dev Center(adksetup.exe file version 10.1.14393.0).

You can download MDT build version 8443 from Microsoft Download Center.

Summary of the significant changes in this build of MDT:

Supported configuration updates
Support for the Windows ADK for Windows 10, version 1607.
Support for Windows 10, version 1607, and Windows Server 2016.
Support for Configuration Manager, version 1606.

Quality updates :

Deployment Wizard scaling on high DPI devices
Johan’s “uber bug” for computer replace scenario
Multiple fixes for the Windows 10 in-place upgrade scenario
Several fixes to Configure ADDS step
Removed imagex/ocsetup dependencies, rely solely on DISM
Includes the latest Configuration Manager task sequence binaries (version 1606)

Reference: https://blogs.technet.microsoft.com/msdeployment/2016/11/14/microsoft-deployment-toolkit-8443-now-available/

Microsoft released Update 1610 for SCCM Configmgr current branch (CB) that is available as an in-console update for previously installed sites that run version 1511, 1602, or 1606 which includes some great new features and product enhancements.

This update (1610) includes lots of new features and enhancements in Windows 10 and Office 365 management, application management, end user experience, client management and also includes new functionality for customers using Configuration Manager in hybrid mode with Microsoft Intune.

changes and new capabilities introduced in version 1610 of Configuration Manager current branch are:

In-console monitoring of update installation status
Exclude clients from automatic upgrade
Improvements for boundary groups
Peer Cache for content distribution to clients
Migrate multiple shared distribution points at the same time
Cloud management gateway for managing Internet-based clients
Improvements to the Windows 10 Edition Upgrade Policy
Manage hardware identifiers
Enhancements to Windows Store for Business integration with Configuration Manager
Policy sync for Intune-enrolled devices
Use compliance settings to configure Windows Defender settings
General improvements to Software Center
Customizable Branding for Software Center Dialogs
Enforcement grace period for required application and software update deployments
Improved functionality for required software dialogs
Software updates dashboard
Improvements to the application request process
Filter by content size in automatic deployment rules
Office 365 Client Management dashboard
Task sequence steps to manage BIOS to UEFI conversion
New compliance settings for configuration items
Improvements to the Prepare ConfigMgr Client for Capture task sequence step

For more information ,Whats new in Configmgr Current branch 1610 on https://docs.microsoft.com/en-us/sccm/core/plan-design/changes/whats-new-in-version-1610

How to get this update available in your Configmgr Current branch ?

As the update is rolled out globally in the coming weeks, it will be automatically downloaded and you will be notified when it is ready to install from the “Updates and Servicing” node in your Configuration Manager console. If you can’t wait to try these new features, this PowerShell script can be used to ensure that you are in the first wave of customers getting the update. By running this script on your central administration site or standalone primary site, you will see the update available in your console right away.

Launch the console ,administration node—>updates and servicing—>Click check for updates.

Account that you use to run this ,make sure the security scope is set to All ,for more information ,read http://eskonr.com/2016/04/why-dont-i-see-sccm-configmgr-1602-updates-in-my-console/

If you are not able to see the updates ,run the powershell script.

Download the script and launch powershell cmd using administrator ,run it using the syntax:

EnableFastUpdateRing1610.ps1 <SiteServer_Name | SiteServer_IP> where SiteServer refers to the CAS or standalone primary site server

Monitor dmpdownloader.log to know the status of update downloading.

If the update installation is suspended at “Downloading” state for extended period of time, restart the SMS_EXECUTIVE (smsexec) service on the standalone primary or central administration site server (CAS).

After a while you will see updates in the console.

Once the download is ready ,state will be changed to available and ready for installation.

Right click on the update and choose Install Update Pack ,choose next next next depends on the options you need.

For installation status ,monitor CMUpdate.log .

1610 update has following version for:

Console Version:5.0.8458.1500

Site Version:5.0.8458.1000

Client Version:5.00.8458.1005

Recently I had a requirement to create a PowerShell script to read text file/CSV for list of clients (servers mainly) and check if they appear in SCCM if so delete them ,track the information into log file for reference.

There could be various reasons why do you want to delete computer record from SCCM and for that, you can either delete the record directly from the console or use scripting to do it for you.

One of of the reason for me to create this script is ,to help the team to delete the server records from SCCM after they decom immediately using task scheduler. Why immediate ? can't I wait for default maintenance tasks to remove the computer object after it becomes inactive or aged ? well ,it does . Once the computer record is disabled in AD or not online for X days ,It becomes inactive . Once the client is inactive and fall into the range X days to match site maintenance tasks then it will be removed from SCCM database . When I leave these decom clients for deletion using site maintenance tasks ,these decom servers do appear in compliance reports and client health reports in SCCM and because of this ,the client health dashboard doesn’t appear in good status.

So ,this script will help guys to pipe the computer records into text file (as input ) and run the script or can schedule the script to run weekly once or so. The script will read the text file ,check if the computer record exist in database or not ,if not ,out-put to log ,if exist ,delete the entry ,out-put results to log and this loop continue until the last line read in text file.

Removing a device client manually deletes the client record from the Configuration Manager database. Typically, you should not use this action unless it is for troubleshooting scenarios. If you delete the client record and the Configuration Manager client is still installed and communicating with Configuration Manager, Heartbeat Discovery recreates the client record the Configuration Manager database, although the client history and any previous associations are lost.

To delete computer record from SCCM if exist ,I used inbuilt SCCM powershell cmdlet called Remove-CMDevice -name $comp –force .

You can download Powershell script to delete computer records from SCCM via TechNet .

You can use this script as schedule task to run on weekly basis .All you need is ,pipe the computer records into the notepad and let the script run for you automatically.

Problem:

Few weeks ago ,colleague of mine was trying to perform patch management on bulk number of clients (servers) as monthly patching ,as part of it he made sure the maintenance window was in place,deployment was set rightly for software updates deployment.

Maintenance window started ,patches started installing and after a while ,he logged in ( browse the reports ) to check the status for deployed patches (software update groups) using reports. He found that, 30-40% was compliant and rest of them non-compliant (majority) /unknown (very few) .

By the time ,he found something wrong ,he has only 1 hr left to finish the patching activity due to the maintenance window and after the maintenance window passed ,cannot reboot the servers and you need confirm the patching status with the application teams so that they can perform the application testing.

What do do now and how to get these non-compliant servers get fix in 1hr before the maintenance window elapse ? Since there was not enough time to troubleshoot the clients and look for other methods to fix ,had preferred manual method Winking smile .

I got to know about this on the next day morning while I was chatting with him . I tried to sneak into the logs to help what could be the problem but the logs are overwritten and nothing found for previous day issue.

The only status I got to know from him was that ,all updates available in software center showing ‘Past due – will be installed’.

Solution:

If you ever get into such issues ,I would suggest to start picking one problem client for troubleshooting ,go through the logs to check if the client is waiting for enough maintenance window or updates are waiting to complete something before they could start etc.

There could be various reasons why the software updates failed or not even started on client and to troubleshoot ,you must check the logs. I written couple of articles on software updates troubleshooting and reference guides .

http://eskonr.com/2015/04/sccm-2012-troubleshoot-client-software-update-issues/

http://eskonr.com/2016/10/sccm-configmgr-troubleshooting-guides-for-reference/

coming to the problem ,how do I force to install the updates that are available in software center if I don’t have enough time to troubleshoot the issue or how do I install the updates that are made available on the client ?

Well ,we can use PowerShell script to select all the updates available in software center and install followed by settings configured in software update deployment like reboot or suppress reboot etc.

This script also useful to check if any updates are failed (from reporting you can get list of clients with status) for some reason and you want to install them without login to the client .

Part of the script taken from book Microsoft System Center Software Update Management Field Experience.pdf ,modified it to log the output,read notepad file for clients.

$MissingUpdates = Get-WMIObject -Namespace root\CCM\ClientSDK -Class CCM_SoftwareUpdate -Filter ComplianceState=0
$MissingUpdatesReformatted = @(MissingUpdates | Foreach-Object {if($_.ComplianceState -eq 0){[WMI]$_.__PATH}})
$InstallReturn = Invoke-WMIMethod -Namespace root\CCM\ClientSDK –Class CCM_SoftwareUpdatesManager -Name InstallUpdates –ArgumentList (,$MissingUpdatesReformatted)

Download the complete PowerShell script from TechNet Gallery Here.

To run the script on remote computers ,make sure you have enough permissions to connect wmi on remote computer and RPC (dynamic ) ports opened.

This script will check if the account you trying to run has enough permissions on remote computer ,if yes go into loop else move onto next client to perform the check and it repeat.

Script pipe the information into log file with client name, Targeted patches (approved patches) ,pending patches (include failed,waiting for MW etc) ,reboot pending and finally Compliant if it has nothing in software center to install.

If a client already installed all patches and waiting for reboot ,I considered it as compliant in the script as it will be rebooted either manually or auto reboot based on the settings you configured in deployment.

Post your feedback via comments section.

A week after the release of SCCM Configmgr current branch 1610 ,Microsoft released another update but that is for Configmgr technical preview with build version 1611 as part as part of ongoing commitment to quality and innovation.

These technical preview updates will help to test in lab environment and report feedback to Microsoft before they made into current Branch (production version).To see these preview updates in your Configmgr console,you must have the base version of SCCM Configmgr Technical preview 1610 (not applicable to current branch).These Technical Preview updates are intended for use in a lab environment. For more information about technical preview and updates, please refer https://technet.microsoft.com/library/mt595861.aspx?

At the time of writing this blog ,Microsoft hasn’t published any document on the new features released in this update (1611) but will update this post after seeing what's new.

If you do not have lab to play around with Configmgr technical preview features ,download the baseline version of technical preview 1610 from https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection-technical-preview .

To download and install preview update 1611 ,launch the console ,go to administration node,cloud services ,updates and serving ,click on check for updates

Monitor dmpdownloader.log for downloading the content.

After a while ,content will be downloaded to G:\Configmgr\EasySetupPayload\ca846c5b-64bf-4805-b95b-3ccf7589acc5

State status will be changed to available in the console for preview update 1611.

select the update and click install update pack ,go with the options that it take you through.

For installation status ,monitor CMUpdate.log or use updates and servicing status in the console—>monitoring node.

Close the SCCM console and open it to install new console version.

Technical preview update 1611 has following version for:

Console Version:5.0.8465.1000

Site Version:5.0.8465.1000

Client Version:5.00.8465.1000

For Technical preview documentation read https://docs.microsoft.com/en-us/sccm/core/get-started/technical-preview

Configuration Manager Resources:

Documentation for System Center Configuration Manager Technical Previews

Documentation for System Center Configuration Manager

System Center Configuration Manager Forums

System Center Configuration Manager Support

Download the Configuration Manager Support Center

Introduction:

One of my blog reader asked question about ‘There is report in your blog to find out packages that has no advertisements created,but is there similar report to find applications with no deployments created’.

I found this question is valid and is needed if you want to perform maintenance tasks like cleanup packages,applications,collections etc .Performing regular maintenance is important to ensure correct site operations.

There are several default site maintenance tasks available that maintain the health of your site database but when it comes to clean up unused collections,packages,applications etc,you have to find way to do it.

There are instances where someone create application without any deployment or deployment was created and deleted it later leaving the application in the console for longer time ,many other instances .

If you are Maintaining a maintenance log to document dates that maintenance was conducted, by whom, and any maintenance-related comments about the task conducted, I would add the following tasks to the maintenance document as they also required to cleanup every 6 months or yearly once.

1.Clean up unused collections

2.clean up unused packages

3.clean up unused applications etc.

This blog post covers task 3 to identify applications without any deployments and not used in any other task sequence.

How to create SQL query or SSRS report to identify applications with no deployments?

To create such report ,first you need to identify the SQL views that store the information about applications and its dependencies. For that, you can refer Configmgr SQL view documentation available here

There are 3 main sql views/functions that store the information about applications ,its deployment info,dependent application info and task sequence app references etc and they are listed below:

dbo.fn_ListApplicationCIs(1033)

vSMS_AppRelation_Flat

v_TaskSequenceAppReferencesInfo

I will be using above views to create nice SSRS report.This report mainly output applications that has zero deployments and these applications are not referenced in any task sequence.

This report contains fields like application name,Created by,Datelastmodified,Application age since created (days),Isenabled,is deployed,number of DT(deployment types),no of dependencies,number of devices with app,number of devices with failure.

After you run the report, take a look at column dependentdeployments as this filed refers this application is used as dependent application in another application (supersedence ).

ex: Application A appear in this report with dependentdeployments >1 which means ,application A is used as supersedence application in other applications listed in the dependentdeployments .

How does the report look:

Download the RDL file from Technet Gallery Here ,upload to your SSRS reports ,change the datasource and run it.

SCCM Configmgr How to implement Jason Sandys Client Startup Script to achieve good client success rate

Microsoft Ignite 2016 sessions are available on YouTube channel

List of SCCM Configmgr Windows 10 Intune MBAM sessions from Microsoft Ignite 2016

SCCM Configmgr How to Create collections based on OU that contains DEV UAT PROD etc

SCCM Configmgr comes with 3 branches of 1606 (Current Branch, LTSB and Tech Preview) from October 2016 that helps to upgrade from SCCM 2012 to CB 1606 directly

Install MBAM 2.5 SP1 on remote SQL and integrate with SCCM Configmgr 1606 Notes and Scripts

SCCM Configmgr Failed to download prerequisite files due to Internet Settings not allow to download file

SCCM Configmgr How to deploy VMware tools (32bit and 64bit ) using Application deployment method

SCCM Configmgr client issue SCClient.exe Entry Point Not Found WININET.dll could not be located in the dynamic link library

SCCM Configmgr troubleshooting guides for reference

SCCM Configmgr Technical Preview update 1610 Available

How to find who initiated restart of SCCM Configmgr Client

SCCM Configmgr check if allow clients to use fallback source location for content is selected or not

SCCM Configmgr the source directory doesn’t exist or the SMS service cannot access it, Win32 last error = 5

Microsoft Deployment toolkit (MDT) build version 8443 is now available

SCCM Configmgr Current Branch update 1610 available

Powershell script to delete computer records from SCCM

SCCM Configmgr Powershell script to install software updates on remote clients

SCCM Configmgr Technical Preview update 1611 Available

SCCM Configmgr how to find applications with no deployments as part of maintenance tasks