Channel: ConfigMgr (SCCM) – All about Microsoft Endpoint Manager

SCCM Configmgr Clean Old Client logs that contain SCNotify and SCClient using Compliance Settings

A few months ago, I wrote a blog post about how to use Compliance Settings to clean content in the ccmcache folder. For more information, please refer to http://eskonr.com/2016/08/sccm-configmgr-how-to-clean-ccmcache-content-older-than-x-days-using-compliance-settings/

This blog post is about deletion of client log files that contain SCNotify and SCClient.

What information do these logs capture?

SCNotify_<domain>@<username>_1.log : Records the activity for notifying users about software for the specified user.

SCNotify_<domain>@<username>_1-<date_time>.log: Records the historical information for notifying users about software for the specified user.

SCClient_<domain>@<username>_1.log: Records the activity in Software Center for the specified user on the client computer.

SCClient_<domain>@<username>_2.log: Records the historical activity in Software Center for the specified user on the client computer.

In these logs, you will see a lot of WMI classes and information about application notifications to the user with their availability, and also the user activities performed in Software Center.

We will use Compliance Settings to detect whether there are any of these log files older than 7 days and, if the count is more than 0, perform the cleanup.

I am not going to show step by step how to create the compliance settings; instead, I will provide the discovery script and remediation script along with the CAB file that I exported from my lab.

If you want to create your own from scratch, just use the scripts below for discovery and remediation and you are good, OR you can import the CAB file into your Configmgr and make changes as you like, for example changing the number of days from 7 to 15 or whatever you like, and the logs folder location (C:\windows\ccm\logs).

Import the CAB file and deploy the configuration baseline to your clients on a schedule.

Download the Configuration Baseline file from TechNet Gallery.

Discovery Script:

# Discovery: return the number of SCNotify/SCClient logs older than $MinDays days
$MinDays = 7
(Get-ChildItem C:\windows\ccm\logs | Where-Object { ($_.Name -like 'SCNotify*' -or $_.Name -like 'SCClient*' -or $_.Name -like '_SCNotify*' -or $_.Name -like '_SCClient*') -and ($_.LastWriteTime -lt (Get-Date).AddDays(-$MinDays)) } | Measure-Object).Count

Remediation Script:

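# Remediation: delete the SCNotify/SCClient logs older than $MinDays days
$MinDays = 7
$logs = Get-ChildItem C:\windows\ccm\logs | Where-Object { ($_.Name -like 'SCNotify*' -or $_.Name -like 'SCClient*' -or $_.Name -like '_SCNotify*' -or $_.Name -like '_SCClient*') -and ($_.LastWriteTime -lt (Get-Date).AddDays(-$MinDays)) }
ForEach ($log in $logs)
{
    # -LiteralPath so that special characters in a log file name are not treated as wildcards
    Remove-Item -LiteralPath $log.FullName
}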

Here is a client that I noticed: it has 1436 logs with a total size of 530MB, of which 450MB+ are SCNotify and SCClient logs that are older than 7 days.

Before I ran the script, there were 1436 files with a size of about 550MB.

After the script, the file count was reduced to 189 with a size of 20MB.

Hope this helps!


SCCM Configmgr How to make SCUP console settings available for all users and make the database as shared

If you are using the SCUP (System Center Updates Publisher) tool to manage 3rd-party updates integrated with Configuration Manager, there are 2 things you need to look at.

1) The settings configured in the SCUP console are user-specific and stored in the user profile (user.config in C:\Users\%UserName%\AppData\Local\Microsoft\Scup2011.exe_StrongName_XXXXXXXXXX).

2) The database file that stores all your 3rd-party catalogues, publications etc. is also stored in the user profile (C:\Users\%username%\AppData\Local\Microsoft\System Center Updates Publisher 2011\) at the time SCUP is configured.

If other users who have permissions try to open the SCUP console, they will see everything blank because of the points above: SCUP settings, configurations and database are user-specific when installed and configured.

It is always difficult for new users to go through the configuration, settings, importing the catalogues etc. before they publish updates.

In this blog post, we will see how to make the SCUP console settings and database available (shared) to all users who want to manage 3rd-party updates.

1. How to make SCUP settings such as publishing to an update server, Configmgr integration, Trusted Publishers (all your catalogues) and proxy settings (except the password) available to all users.

To copy user-specific settings to all users, make the following changes.

Go to the user profile (C:\Users\%Username%\AppData\Local\Microsoft) of the user who configured the SCUP settings, imported the catalogues and published updates to Configmgr.

In this folder, you will see a folder called Scup2011.exe_StrongName_<random number>; go into the folder to find the user.config file.

C:\Users\%username%\AppData\Local\Microsoft\Scup2011.exe_StrongName_2wzdfznimh1kefuisr0pqsefwkw5k4tp\5.0.1727.0

This user.config file has all the settings of your SCUP console.

We will copy these settings to a config file (kind of shared) that will be used for all users (except the proxy password, if you have used one in the SCUP console).

Open the user.config file in Notepad and keep it aside. We will soon copy the settings from this file to the commonly used config file.

Go to your SCUP installation folder and open the Scup2011.exe.config file with Notepad.

By default, the settings in this file are not configured with any values, and these settings are used to create a new user config file when a user launches the SCUP console.

Now we have 2 config files (user.config and Scup2011.exe.config).

If you have a proxy server configured with a password, copying the setting will not help. You will have to re-enter the password for the proxy.

Note: Take a backup of these 2 files before editing (in case something goes wrong while editing the files).

Copy the settings that are common from user.config to Scup2011.exe.config.

Once you have copied all the settings, save Scup2011.exe.config.

Now we have completed task 1, which will help new users get the certificate, SCCM integration and other settings.

Wait, we are yet to complete task 2, which is the database that contains information about catalogues, publications etc.

Go to the user profile (C:\Users\%UserName%\AppData\Local\Microsoft\System Center Updates Publisher 2011\5.00.1727.0000) and copy the database file scupdb.sdf.

We are going to paste the database file into the SCUP installation folder, which is C:\Program Files (x86)\System Center Updates Publisher 2011.

Now we will edit the config file (Scup2011.exe.config) so that all users use this database as shared.

Edit Scup2011.exe.config located at C:\Program Files (x86)\System Center Updates Publisher 2011.

By default, the data file value is empty; we will now change the value to point to the data file.

Add the following database file path as the value, save the file and close Notepad.

<value>C:\Program Files (x86)\System Center Updates Publisher 2011\scupdb.sdf</value>

From now onwards, when an existing user (who is using the console to manage SCUP updates) or a new user launches the SCUP console, it will point to the database file C:\Program Files (x86)\System Center Updates Publisher 2011\scupdb.sdf and the settings are loaded automatically, which can be verified in the SCUP console under Options > Advanced > Current connection details.

With this, we have completed copying the settings for new users and also made the SCUP database shared.

Hope this helps!

SCCM Configmgr software update scan stuck with error code 80080005

To manage software updates using SCCM/Configmgr, the software update scan (with the help of the Windows Update Agent) is mandatory; without it, the client cannot download the update catalog (metadata) from WSUS and perform the scan that lets the server know, through state messages, what is required and what is not.

When I was looking at the software update scan reports a few days ago, I identified some clients (Windows servers) that were not able to perform the software update scan. So I decided to take a look at the logs on one of the clients and troubleshoot further.

After logging into the server, I looked at wuahandler.log, scanagent.log and windowsupdate.log, as these logs help you troubleshoot software update scan issues at the initial stage.

Below is the Windows Update log.

WARNING:     IsSessionRemote: WinStationQueryInformationW(WTSIsRemoteSession) failed for session 2, GetLastError=2250

COMAPI    FATAL: Unable to connect to the service (hr=80080005)

COMAPI    WARNING: Unable to establish connection to the service. (hr=80080005)

After seeing this error, I tried to stop the Windows Update service, but the service got stuck in the "stopping" status (hung) and never finished. So I had to kill the service using the taskkill command.

Open cmd as an administrator

  1. Run:  taskkill /f /fi "services eq wuauserv"

After the Windows Update service started, I tried initiating the software update scan to see if that made any difference, but the issue repeated (same error code in the Windows Update log, and the software update scan never moved forward according to wuahandler.log).

I even tried installing the updates manually to see if that would go through, but that also failed.

After doing the basic troubleshooting described above, the issue is not with the SCCM client or the Windows Update Agent; rather, it is a Windows issue, likely caused by a missing/corrupt class in root\microsoft\windows\servermanager.

How do you know the issue is related to a missing/corrupt WMI class?

For this, you need to create a dump to analyse what is going on, and here is what was found in the dump.

0 0000003ebe29d4c8 00007ffd372713ed ntdll!ZwWaitForMultipleObjects+0xa

1 0000003ebe29d4d0 00007ffd39a1f9e4 KERNELBASE!WaitForMultipleObjectsEx+0xe1

4 0000003ebe29d850 00007ffd2f31a1c7 wbemcore!CCoreQueue::QueueWaitForSingleObject+0x5c   Waiting for thread running wbemcore!CCoreQueue::Execute

5 0000003ebe29d8a0 00007ffd2f328f5a wbemcore!CWmiFinalizer::GetOperationResult+0x67

6 0000003ebe29d8e0 00007ffd2a999afd wbemcore!CWbemNamespace::ExecQuery+0x2ae

7 0000003ebe29d9b0 00007ffd2aaad24a wuaueng!CSystemExprEvaluator::EvaluateWmiQuery+0x1e1

10 0000003ebe29df70 00007ffd2aaa7275 wuaueng!CAgentUpdateManager::EvaluateSingleApplicabilityRule+0x1a6

11 0000003ebe29e0a0 00007ffd2aaa6a76 wuaueng!CAgentUpdateManager::EvaluateUpdateApplicabilityRules+0x51a

12 0000003ebe29e8f0 00007ffd2a9857e9 wuaueng!CAgentUpdateManager::DetectForUpdate+0x3e7

13 0000003ebe29ead0 00007ffd2a997bdf wuaueng!CAgentUpdateManager::EvaluateUpdateSet+0x129

From the dump, we can see the hang is due to waiting for WBEM. WBEM is Web-Based Enterprise Management, and its Microsoft implementation is Windows Management Instrumentation (WMI).

When Windows Update is in the "scanning for updates" state, the WMI provider in use is ServerManager.DeploymentProvider.

The command below compiles servermanager.deploymentprovider.mof. If the ServerManager.DeploymentProvider is bad, this command will fix it. If the ServerManager.DeploymentProvider is good, the command will not cause any damage to the machine. Thus running this command is the troubleshooting action I chose.

Open cmd as an administrator

  1. Run:  taskkill /f /fi "services eq wuauserv"
  2. Run the following command to recompile the MOF file:  mofcomp c:\windows\system32\wbem\servermanager.deploymentprovider.mof
  3. Restart the machine.

After the server reboot, the software update scan went through successfully.

I was not able to find a way to check whether ServerManager.DeploymentProvider is good or bad, but compiling the MOF does not harm the server and it also fixed the issue.
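
An added example, not part of the original post: a PowerShell check that looks for the COMAPI hr=80080005 lines shown above and for a Windows Update service stuck in StopPending, so affected servers can be identified before the taskkill/mofcomp steps are applied. The function names and the log path are assumptions made for this illustration; the sample lines are the ones quoted in the post.

```powershell
# Added example (not from the original post). Function names are hypothetical.

function Find-WuaServiceConnectFailure {
    param(
        [Parameter(Mandatory)] [AllowEmptyString()] [string[]] $LogLine,
        [string] $HResult = '80080005'
    )
    # COMAPI lines end with the result code as "(hr=XXXXXXXX)"
    $pattern = 'COMAPI\s+(?<level>FATAL|WARNING):\s+(?<msg>.*?)\s*\(hr=(?<hr>[0-9A-Fa-f]{8})\)'
    foreach ($line in $LogLine) {
        $m = [regex]::Match($line, $pattern)
        if ($m.Success -and $m.Groups['hr'].Value -eq $HResult) {
            [pscustomobject]@{
                Level   = $m.Groups['level'].Value
                HResult = $m.Groups['hr'].Value
                Message = $m.Groups['msg'].Value
            }
        }
    }
}

function Get-WuaHangIndicator {
    param(
        [Parameter(Mandatory)] [AllowEmptyString()] [string[]] $LogLine,
        $ServiceStatus   # status of wuauserv, e.g. (Get-Service wuauserv).Status
    )
    $hits = @(Find-WuaServiceConnectFailure -LogLine $LogLine)
    [pscustomobject]@{
        ConnectFailures = $hits.Count
        FatalSeen       = [bool]($hits | Where-Object Level -eq 'FATAL')
        ServiceStatus   = $ServiceStatus
        # Same combination the post describes: 80080005 in the log and a service that never stops
        MatchesPost     = ($hits.Count -gt 0 -and $ServiceStatus -eq 'StopPending')
    }
}

# Sample input: the three log lines quoted in the post
$sample = @(
    'WARNING:     IsSessionRemote: WinStationQueryInformationW(WTSIsRemoteSession) failed for session 2, GetLastError=2250'
    'COMAPI    FATAL: Unable to connect to the service (hr=80080005)'
    'COMAPI    WARNING: Unable to establish connection to the service. (hr=80080005)'
)
Find-WuaServiceConnectFailure -LogLine $sample | Format-Table -AutoSize
Get-WuaHangIndicator -LogLine $sample -ServiceStatus 'StopPending'

# On a live server. Assumption: a text WindowsUpdate.log exists under %windir%;
# on newer Windows builds generate one with Get-WindowsUpdateLog first.
$logPath = Join-Path $env:windir 'WindowsUpdate.log'
if (Test-Path -LiteralPath $logPath) {
    $svc = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    Get-WuaHangIndicator -LogLine (Get-Content -LiteralPath $logPath) -ServiceStatus $svc.Status
}
```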

Hope it helps!

Microsoft Most Valuable Professional Award [MVP]

Overjoyed... I got an email yesterday from the Microsoft MVP Award team saying that I have been awarded the Microsoft MVP award in Enterprise Mobility for 2017. I am extremely proud and honored to receive this award.

I started blogging (www.eskonr.com) in 2009 to share my technical views, tips and tricks that I have seen in my daily work on SMS 2003/SCCM/Configmgr 2012 and to keep this as my reference. I had no idea what the award meant when I started blogging in the early stages of my career. It was purely on the basis of sharing knowledge and helping the community. This blog now has over 2.5 million views since then, with over 400+ subscribers, 500+ posts and 2000+ comments.

Here is what the email says:

We are extremely pleased to present you with the 2017-2018 Microsoft Most Valuable Professional (MVP) Award! This award is given to exceptional technical community leaders who share their remarkable passion, real-world knowledge, and technical expertise with others through demonstration of exemplary commitment.

Thank you, Microsoft, for recognizing my contributions to the community.

Thanks to all those who supported and encouraged me over the last few years (Janaka, Niall Brady, Garth Jones) and especially to my wife, who let me spend time on blogging and being active in social communities.

How to check who executed SCCM Configmgr reports for auditing or troubleshooting purpose

If you want to know who executed the Configuration Manager reports (or any other SSRS reports) and how many times, or if anyone complains that some of the Configmgr reports are running slow or timing out, how do you find such reports and take action?

I receive requests from remote users saying that they have issues while running some of the custom reports, but when I run them, they work fine, just not for remote users. There could be many reasons why a report loads slowly (network or SQL code issues etc.), which I am not going to discuss here.

Recently I was checking on this to see which reports users run most of the time, how many times they have run them, what the top reports are and how long these reports take to execute.

When you run SSRS reports, a lot of information is logged to the report execution log.

This report execution log is stored in the report server database, which by default is named ReportServer. If you have a custom database name, then you must use that database to run the query.

In the ReportServer database, there are 3 SQL views that contain the information about the execution log.

The Microsoft article describes these execution log SQL views.

Now, let's try a SQL query to pull the information about the SSRS reports with execution time, users, start time etc.

Use  ReportServer
select * from ExecutionLog3
order by TimeStart desc

The query below helps you find the number of times each user ran each report.

Use ReportServer
select ItemPath,UserName,count(*) [No of times executed] from ExecutionLog3
group by ItemPath,UserName
order by 3 desc

One of the ways to reduce the disk space/CPU I/O is to enable the cache option in reports; for further reading, please have a look at https://www.enhansoft.com/blog/how-to-setup-report-caching-for-a-ssrs-report

More information about the columns and their descriptions can be found at http://www.sqlchick.com/entries/2011/2/6/querying-the-report-server-execution-log.html
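
An added example, not part of the original post: a PowerShell summary that takes rows from ExecutionLog3 and reports, per report and user, how often it ran, how many runs failed and how many were slow, which is the auditing question raised at the top of this post. The function name, the 30-second threshold, the server name and the sample rows are assumptions constructed for the illustration; the column names are those of the ExecutionLog3 view.

```powershell
# Added example (not from the original post). Get-ReportExecutionSummary is a hypothetical name.

function Get-ReportExecutionSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Row,
        [int] $SlowThresholdMs = 30000      # assumption: 30 s total counts as "slow"
    )
    $Row | Group-Object -Property ItemPath, UserName | ForEach-Object {
        $g = $_.Group
        # Total time per execution = data retrieval + processing + rendering (all in ms)
        $totals = @($g | ForEach-Object { $_.TimeDataRetrieval + $_.TimeProcessing + $_.TimeRendering })
        [pscustomobject]@{
            ItemPath   = $g[0].ItemPath
            UserName   = $g[0].UserName
            Executions = $g.Count
            Failed     = @($g | Where-Object { $_.Status -ne 'rsSuccess' }).Count
            Slow       = @($totals | Where-Object { $_ -gt $SlowThresholdMs }).Count
            MaxTotalMs = ($totals | Measure-Object -Maximum).Maximum
            LastRun    = ($g | Sort-Object TimeStart -Descending | Select-Object -First 1).TimeStart
        }
    } | Sort-Object -Property Failed, Slow, Executions -Descending
}

# Constructed sample rows (not real data) shaped like ExecutionLog3 output
$rows = @(
    [pscustomobject]@{ ItemPath = '/ConfigMgr_P01/Custom/Patch Compliance'; UserName = 'CONTOSO\alice'
                       TimeStart = [datetime]'2017-09-01 09:00'; TimeDataRetrieval = 41000
                       TimeProcessing = 900; TimeRendering = 300; Status = 'rsSuccess' }
    [pscustomobject]@{ ItemPath = '/ConfigMgr_P01/Custom/Patch Compliance'; UserName = 'CONTOSO\alice'
                       TimeStart = [datetime]'2017-09-02 09:05'; TimeDataRetrieval = 60000
                       TimeProcessing = 0; TimeRendering = 0; Status = 'rsProcessingAborted' }
    [pscustomobject]@{ ItemPath = '/ConfigMgr_P01/Custom/Patch Compliance'; UserName = 'CONTOSO\bob'
                       TimeStart = [datetime]'2017-09-02 10:00'; TimeDataRetrieval = 2500
                       TimeProcessing = 400; TimeRendering = 200; Status = 'rsSuccess' }
    [pscustomobject]@{ ItemPath = '/ConfigMgr_P01/Hardware/Computer Details'; UserName = 'CONTOSO\bob'
                       TimeStart = [datetime]'2017-09-03 08:30'; TimeDataRetrieval = 800
                       TimeProcessing = 150; TimeRendering = 90; Status = 'rsSuccess' }
)

Get-ReportExecutionSummary -Row $rows | Format-Table -AutoSize

# Against a live report server (assumptions: SqlServer module installed, 'SQL01' is a
# placeholder instance name, database uses the default name ReportServer):
# $rows = Invoke-Sqlcmd -ServerInstance 'SQL01' -Database 'ReportServer' -Query @'
# SELECT ItemPath, UserName, TimeStart, TimeDataRetrieval, TimeProcessing, TimeRendering, Status
# FROM ExecutionLog3
# WHERE TimeStart >= DATEADD(day, -30, GETDATE())
# '@
# Get-ReportExecutionSummary -Row $rows | Export-Csv .\ReportAudit.csv -NoTypeInformation
```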

Hope it helps!

 

Could not enroll iOS devices to SCCM Configmgr Hybrid environment

I had set up standalone Intune (MDM authority set to Intune) to manage mobile devices a long time ago, but after doing some testing on Android, Windows and iOS devices, I decided to change the MDM authority from Intune to Configuration Manager (hybrid). To change the MDM authority from Intune to hybrid, log in to the SCCM console and go to Administration -> Cloud Services -> Microsoft Intune Subscription -> Add Microsoft Intune Subscription.

This process will prompt you to log in using the Microsoft Intune subscription and configure company contact information, logo etc.

After doing all the initial setup, I verified the logs and confirmed that the MDM authority is set to hybrid using the URL https://admin.manage.microsoft.com/MicrosoftIntune/App.aspx

Admin page -> Mobile device management: Mobile device management authority set to Configuration Manager.

After this is done, you can enable the Windows and Android platforms directly, but for iOS devices you need to create an APN certificate request and download the APN certificate, which is used to establish a trust relationship between the Apple Push Notification server and Intune's mobile device management authority.

Once you have enabled iOS enrolment and uploaded the Apple Push Notification service certificate, you can start enrolling iOS devices.

Note: Do not upload the Apple Push Notification service (APNS) certificate until you enable iOS enrolment in the Configuration Manager console.

Once I was done with the configuration setup, I enrolled Windows and Android devices, and these devices appeared in the SCCM console, but iOS devices did not.

I tried enrolling a few iOS devices, but they never appeared in the SCCM console. I could see the applications, company logo etc. that I published to my users in the Company Portal on the iOS device, but the compliance check just stayed stuck for a long time without any joy.

This led me to look at the logs. For this, open the Company Portal and shake the device to get the option to send logs.

Here is a snippet from the log.

2017-08-16 05:20:22.812 ERRO  com.microsoft.ssp.aad 0 TID=1   AADTokenFactory.swift: 55 (init()) ADAL 2.4.1 iOS 10.3.3 [2017-08-16 05:20:22 - 47F99BAC-ED26-4C45-980F-47C45A4E5F23] Error raised: (Domain: "ADAuthenticationErrorDomain" Code: AD_ERROR_UI_USER_CANCEL ProtocolCode: "(null)" Details: "The user has cancelled the authorization."

correlationId = "47F99BAC-ED26-4C45-980F-47C45A4E5F23";

error = "Error with code: AD_ERROR_UI_USER_CANCEL Domain: ADAuthenticationErrorDomain ProtocolCode:(null) Details:The user has cancelled the authorization.. Inner error details: Error domain: ADAuthenticationErrorDomain\nCode: 403\nDescription: The operation couldn\U2019t be completed. (ADAuthenticationErrorDomain error 403.)\nUser info: {\n}";

After going through a lot of troubleshooting steps, which included verifying the APN certificate expiry date in the SQL database, settings etc., I finally reached out to Microsoft to check what was happening behind the scenes. There is nothing for us to troubleshoot on the Intune side.

After spending a few hours with the Microsoft support engineer, they told me that the APN certificate that was uploaded was corrupted and that resetting the MDM authority was required to fix the issue.

To reset the MDM authority, I needed to perform the following actions:

1. Remove the users from the Intune User Group. Point the Intune Subscription to an empty user collection, or remove all users from the targeted collection, and confirm in the CloudUserSync.log that users are removed.

2. Uncheck the iOS platform to purge the APNs certificate.

3. Delete any and all published applications that are for MDM devices.

4. Delete any and all policies that are for MDM devices.

5. Remove the Windows Intune Connector from within the Configuration Manager console.

6. Remove the Intune subscription by right-clicking the subscription and selecting Delete.

• Restart the SMS Executive Service.

Once you are done with these steps, the Microsoft engineer will proceed to reset the MDM authority, and you will then be able to enroll iOS devices successfully.

After you change the MDM authority from Intune to SCCM, devices that are already enrolled in Intune will switch to SCCM, and it can take up to 8 hours for these devices to re-appear in your SCCM console.

What you need to consider (best practice) while switching your MDM authority from Intune to Configuration Manager is that you should use the same APN certificate that was used in standalone Intune, but renewed: renew the APN certificate that was used in Intune, download it from the Apple store and upload it into SCCM to avoid corruption of APN certificates.

Reference: https://docs.microsoft.com/en-us/sccm/mdm/deploy-use/change-mdm-authority

SCCM Configmgr Powershell script to remove the Maintenance Window on list of collections

Maintenance windows in SCCM Configmgr enable you to define a time when SCCM operations can be carried out on members of a device collection. These maintenance windows help ensure that client configuration changes occur during periods that do not affect the productivity of the organization. For more information about maintenance windows, refer to https://docs.microsoft.com/en-us/sccm/core/clients/manage/collections/use-maintenance-windows

I had a requirement to remove all maintenance windows that are set on a list of collections. Removing the maintenance windows for each collection by hand would be a tedious task: right-click the collection, select the maintenance window and delete it.

Note: Removing the maintenance windows allows deployments that are pushed to the collections to install.

In this blog post, we will see how PowerShell can do this task in seconds for any number of collections that you list in a txt file.

All you need to do is get the list of collection IDs, put it in a text file and run the script.

This script will not output any results to a log file saying what the existing maintenance window was and what was deleted. If you want, you can customize the script to log the output.

This script uses 2 basic PowerShell cmdlets available in the Configuration Manager module:

Get-CMMaintenanceWindow: Gets the maintenance windows for a collection

Remove-CMMaintenanceWindow: Removes a maintenance window associated with a collection

Download the PowerShell script from TechNet Gallery, supply the list of collection IDs and run the script.
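
An added example, not the author's TechNet Gallery script: one way to use the two cmdlets named above while also writing the audit record the post says its script lacks, so there is a trail of which maintenance windows were removed, from which collections and by whom. The file paths and parameter names are assumptions; it expects to be saved as a .ps1 and run from a session where the ConfigurationManager module is loaded and the current location is the site drive.

```powershell
# Added example (not the author's script). Paths and parameter names are placeholders.
param(
    [string] $CollectionListPath = 'C:\Temp\CollectionIDs.txt',            # one collection ID per line
    [string] $AuditCsvPath       = 'C:\Temp\RemovedMaintenanceWindows.csv',
    [switch] $ReportOnly                                                     # record what exists, remove nothing
)

# Read the IDs, ignoring blank lines and stray whitespace
$collectionIds = Get-Content -Path $CollectionListPath |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ }

$audit = foreach ($id in $collectionIds) {
    $windows = @(Get-CMMaintenanceWindow -CollectionId $id)

    if ($windows.Count -eq 0) {
        [pscustomobject]@{
            Time = Get-Date; RunBy = $env:USERNAME; CollectionId = $id
            WindowName = $null; StartTime = $null; DurationMinutes = $null
            Schedule = $null; Result = 'NoWindowFound'
        }
        continue
    }

    foreach ($mw in $windows) {
        $result = 'ReportOnly'
        if (-not $ReportOnly) {
            try {
                # -Force suppresses the confirmation prompt; -ErrorAction Stop lets us record failures
                Remove-CMMaintenanceWindow -CollectionId $id -MaintenanceWindowName $mw.Name -Force -ErrorAction Stop
                $result = 'Removed'
            }
            catch {
                $result = "Failed: $($_.Exception.Message)"
            }
        }
        # Name, StartTime, Duration and Description are properties of the returned
        # maintenance window (SMS_ServiceWindow) object; Description holds the schedule text.
        [pscustomobject]@{
            Time = Get-Date; RunBy = $env:USERNAME; CollectionId = $id
            WindowName = $mw.Name; StartTime = $mw.StartTime; DurationMinutes = $mw.Duration
            Schedule = $mw.Description; Result = $result
        }
    }
}

# Keep the record: append to the CSV and show it on screen
$audit | Export-Csv -Path $AuditCsvPath -NoTypeInformation -Append
$audit | Format-Table CollectionId, WindowName, Schedule, Result -AutoSize
```

Running it first with -ReportOnly captures the existing windows in the CSV, which is also what you would need to recreate them later.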

SCCM Configmgr Report for Boundary group relationships with Fallback Sites

Beginning with Configmgr version 1702, clients use boundary groups to find a new software update point. You can add individual software update points to different boundary groups to control which servers a client can find.

For more information about boundary groups and their relation to the software update point changes in 1702 and 1706, please refer to the TechNet link https://docs.microsoft.com/en-us/sccm/core/servers/deploy/configure/boundary-groups ; it has a lot more information than I explain here.

A few weeks ago, I was looking at the boundaries and boundary groups that are configured in my environment with their fallback information (distribution point and software update point).

I found it hard to locate the boundaries that are configured with fallback distribution points and a fallback software update point. In case you want to know the list of boundaries/boundary groups that are configured with fallback options, there is no default report.

I have created an SSRS report that pulls this information from the SQL database into a nice report.

How does the report work?

Download the report from TechNet Gallery, upload it into the Configmgr SSRS reports folder, change the data source and run the report.

When you run the report, it prompts for a Site Code, since all the boundary groups that you created must be assigned to a specific site code for site assignment. If you have not assigned the boundary groups to a specific site code, they will not be listed here.

So choose the Site Code (Primary or Secondary) or select All.

Boundary groups that are assigned a specific site code will be listed with the following information:

Boundary Group Name, Site System Role, Site Code, Fallback Boundary Group, Fallback Site System, Fallback DP, Fallback SUP.


SCCM Configmgr SUP sync error The underlying connection was closed Could not establish trust relationship for the SSL/TLS secure channel

I was contacted by a colleague saying that Configmgr was not showing the updates that had been published a day earlier by SCUP. So I started checking the SCUP configuration (proxy) and whether the updates were published or not using the date published, and also verified the SCUP logs.

From the SCUP perspective, all looked good. Next I looked at Configmgr: I checked the SUP properties to see whether the published products were selected, and checked the proxy details in the site system role properties.

Next I looked at the proxy details that are configured in IE for the system account, which you can verify using the psexec tool.

How do you open IE using the system account or check the proxy details in cmd using psexec? Run cmd as administrator, then run psexec -i -s cmd.exe

Type netsh winhttp show proxy; it must give you the proxy details if any are configured. Run the following command to open IE using the system account:

PsExec.exe -i -s "C:\Program Files\Internet Explorer\iexplore.exe"

Set the proxy in IE; once this is done, come back to the cmd prompt (system account) and run netsh winhttp import proxy source=ie to import the IE settings.

This also looked good to me. What else could go wrong for the updates not to show up in the SCCM console?

Now I moved on to the SUP logs. WCM.log and WSUSCtrl.log both looked good, and the final log, the sync log wsyncmgr.log, had some errors in it.

Sync failed: UssCommunicationError: WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.~~at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request). Source: Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WsusSyncAction.WSyncAction.SyncWSUS

We know that there were no changes to IIS or any configurations in the last few months with respect to SSL. I tried the sync after providing a user name in the site system role properties to use credentials to connect to the proxy server, but it failed with the same error.

After searching Google for the above error, I found a few blogs that refer to https://technet.microsoft.com/en-us/library/dn265983.aspx (configure trusted roots), but they did not apply to me.

https://the-d-spot.org/2011/05/17/sccm-sup-sync-failed-6703/

http://www.mssccmfaq.de/2012/06/02/sup-synchronisation-schlagt-fehl-could-not-establish-trust-relationship-for-the-ssltls-secure-channel/

https://www.windows-noob.com/forums/topic/7559-sup-sync-issue/

After some time, I got to know from another colleague that some changes had been made to the proxy server by the NOC team, which now requires SSL authentication. What this means is that the software update sync happens using the system account instead of a user account, and the proxy requires SSL authentication; in this case, we need to get approval from the security team to allow the SCCM site server computer account to bypass it or be added to the exception list.

References and troubleshooting: https://support.microsoft.com/en-us/help/10329/configuring-software-update-synchronization-in-system-center-configura

https://technet.microsoft.com/en-sg/library/bb892795.aspx

Configmgr Client push installation install the client software from specified site is blank

This is a quick blog post to address the issue of a blank site in the installation options while installing the SCCM client software using the client push installation method.

In SCCM 2012 and above, you have RBAC (role-based administration access) to secure the access that is needed to administer Configuration Manager. You also secure access to the objects that you manage, like collections, deployments, and sites. For more information about RBAC, please read https://docs.microsoft.com/en-us/sccm/core/understand/fundamentals-of-role-based-administration and https://blogs.technet.microsoft.com/hhoy/2012/03/06/role-based-administration-in-system-center-2012-configuration-manager/

Coming to the subject line: we have created security scopes and security roles for different LBUs with the required permissions, limited to their country collections (Note: we have removed the default security scope from the user/group permissions).

When the LBU (local business unit) team tries to perform the client installation using client push, they do not see the option to choose the site to install the client software from. Selecting this option installs the client software from the specified site server.

This happens because the user does not have access to view/read the site (it could be a primary or secondary site).

To fix this, you need to add the security scope that you assigned to the user/group to the primary/secondary site.

Go to Administration -> Site Configuration -> Sites, right-click the primary or secondary site that you want users to be able to select, and click Set Security Scopes.

Choose from the available security scopes.

Click OK; now users should be able to choose the site to install the client software from.

Hope it helps!

System Center Updates Publisher (SCUP) September 2017 Preview 2 is available

Microsoft has released SCUP 2017 preview 2 update with enhanced update catalog to provide better experience for users in consuming large catalog updates. While old catalog formats are still supported, catalog providers will need to add information to their existing catalogues to take advantage of these improvements that exist in this preview 2 update. This preview 2 update contains the following improvements:

  • Indexing for quicker imports of previously imported catalogs – Catalog producers can now index their catalogs. This will allow users to import large catalogs containing few new updates more quickly.
  • Inclusion of signing certificates within updates catalogs – Catalog producers can now include signing certificates with their updates catalogs. This enables users to add the certificates to the trusted publishers list during import so that approval prompts will not block publish operations.
  • Signature Timestamp – Updates published to a WSUS server will by default have the signature time-stamped. Note, this functionality requires internet access. If you have upgraded from preview 1 this will not be automatically enabled.  To enable or disable the signature timestamp or configure the timestamp server that is used see the Advanced page under Options.

In this post, we will see how to:

1. Download the SCUP Preview here.

2. Run UpdatesPublisher.msi on a computer that meets the prerequisites.

3. Configure the options for SCUP.

4. Start using the features of SCUP.

Download the SCUP Preview from https://www.microsoft.com/en-us/download/details.aspx?id=55543 ; the installer size is around 5MB.

Run the downloaded file on a supported OS platform; in this case, I will run the installer on the SCCM server in my lab. My lab server does not have any SCUP installed. Since this is still in preview, do not install it in a production environment.

The installation is straightforward: click Next, Next, Finish.

On the device where you installed the preview, search for Update Publisher (Preview).

Accept the license terms and let it do some pre-checks before the console is made available to you.

The version of this SCUP 2017 Preview 2 is 6.0.219.0.

If you are using SCUP 2011, you now have 2 new features added in the preview release, Updates and Logging.

In the Advanced tab, you can now change the database file instead of leaving it in the user profile, and the Signature Timestamp URL is enabled by default.

In the preview release, all the nodes are organized as workspaces: Updates workspace, Publications workspace, Rules workspace and Catalogs workspace.

In the default catalog list I can see only Acrobat and Reader, but no Flash Player, along with Dell, HP and Fujitsu. For Adobe Flash Player, you need to add the SCUP catalog manually: http://fpdownload.adobe.com/get/flashplayer/distribution/win/AdobeFlashPlayerCatalog_SCUP.cab

The SCUP log that tracks information about importing catalogs and publishing and downloading updates has changed from SCUP.log to updatepublisher.log, which is still stored in the user profile (%appdata%).

When you try to import a downloaded catalog file (cab), it will prompt you with a few options: Approve, Always approve and Decline.

Once the catalog is approved (always), you will not see any prompts while publishing updates (content download). This is really helpful if you are trying to publish a lot of updates: you can have a coffee while it downloads the content and publishes the info.

In the older version, when you try to publish updates, it prompts you to approve the content, which is troublesome if you have multiple updates to publish in one go.

More to test on this; stay tuned for further updates.

Configmgr SQL query to get the list of clients that require a specific software update patch


This is a quick blog post about getting the list of clients that require a specific software update (it can be based on title, article ID (KB) or bulletin ID).

You can get the client list using the default software update compliance reports, but they don't give you inventory information about the client, like IP address, hardware scan, software update scan, OS etc. Creating custom SQL also allows you to filter on a lot more, like collection ID, hostname contains, OS not like etc.

Adobe has released a security update (APSB17-32) for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. This update addresses a critical type confusion vulnerability that could lead to code execution.

The security team has requested that this update be installed on all machines that require it. In order to proceed, you first need to identify the list of clients, notify the application team (mainly for servers), follow the change request process etc.

Below is the SQL query to get the list of clients that require bulletin ID APSB17-32. I have also added a couple of filter options, like excluding server OS 2003 and including only server OS.

I have also added title, article ID, collection ID and hostname filters, which are commented out in the query. If you want to filter the results using these, simply uncomment them (remove the dashes --).

You can use this SQL query to create an SSRS report and run it directly from the URL, without running it from SQL Server Management Studio.

select vrs.Name0 [Host],os.Caption0 [OS],
IP.IPAddress AS [IP Address],
CONVERT(VARCHAR(26), ws.lasthwscan, 100) as [LastHWScan],
CONVERT(VARCHAR(26), uss.lastscantime, 100) AS 'LastSUScanTime',
CONVERT(nvarchar(26), OS.LastBootUpTime0, 100) AS [Last Reboot],
ui.InfoURL as InformationURL,ui.Title,ui.dateposted [Date Posted]
from V_UpdateComplianceStatus  css
join v_UpdateInfo ui on ui.CI_ID=css.CI_ID
inner join v_FullCollectionMembership fcm on fcm.ResourceID=css.ResourceID
JOIN dbo.v_R_System AS vrs ON vrs.ResourceID = css.ResourceID
join v_GS_OPERATING_SYSTEM OS on os.ResourceID=css.ResourceID
join v_GS_WORKSTATION_STATUS WS on ws.ResourceID=css.ResourceID
join v_UpdateScanStatus USS on uss.ResourceID=css.ResourceID
JOIN (SELECT     IP1.resourceid AS rsid2, IPAddress = substring
((SELECT     (IP_Addresses0 + ', ')
FROM    v_RA_System_IPAddresses IP2
WHERE     IP2.IP_Addresses0 NOT LIKE '169%' AND IP2.IP_Addresses0 NOT LIKE '0.%' AND IP2.IP_Addresses0 NOT LIKE '%::%' AND
IP_Addresses0 NOT LIKE '192.%' AND IP1.resourceid = IP2.resourceid
ORDER BY resourceid FOR xml path('')), 1, 50000)
FROM    v_RA_System_IPAddresses IP1
GROUP BY resourceid) IP ON IP.rsid2 = fcm.resourceid
WHERE css.Status=2 --for required
and ui.BulletinID='APSB17-32'
--AND ui.Title='2017-08 Security Monthly Quality Rollup for Windows Server 2008 R2 for x64-based Systems (KB4034664)'
--and ui.ArticleID='4034664'
and vrs.operatingSystem0 not like '%2003%'
--and fcm.CollectionID='PS100118'
--and (fcm.name like '%WP%')
and vrs.operatingSystem0 like '%server%'
group by vrs.Name0,vrs.operatingSystem0 ,ui.InfoURL,ui.Title,ui.dateposted,
os.caption0,
ws.lasthwscan,
uss.lastscantime,
IP.IPAddress,
OS.LastBootUpTime0
ORDER BY 1

 


Hope  it helps!

ConfigMgr How to use Compliance Settings to check the windows update policy settings like WUServer, UseWUServer,NoAutoUpdate on clients


 

When you install the Configuration Manager client to manage a Windows device, it tries to configure local group policy with the WSUS server settings (provided no GPO is configured to set these settings). If you do have a GPO that configures the WSUS information, the local GPO created by the ConfigMgr client will fail to apply, and this is logged in wuahandler.log and windowsupdate.log.

If you look at wuahandler.log, you will see an error something like the one below: “Group policy settings were overwritten by a higher authority (domain controller) to server and policy not configured”.

So before you install the SCCM client, it is always recommended to disable GPO settings for Windows Update to avoid the conflict with the local GPO created by the ConfigMgr client. More information about software update troubleshooting: http://eskonr.com/2015/04/sccm-2012-troubleshoot-client-software-update-issues/

If you want to know more about the relationship between ConfigMgr software update management and group policy, please read Jason Sandys' explanation: https://home.configmgrftw.com/software-update-management-and-group-policy-for-configmgr-what-else/

https://home.configmgrftw.com/software-updates-management-and-group-policy-for-configmgr-cont/

In this blog post, we are going to see how to check whether the 4 primarily used Windows Update policy settings, the WSUS settings UseWUServer, WUServer and NoAutoUpdate plus AcceptTrustedPublisherCerts (for 3rd party patching), are correctly configured before clients perform a software update scan.

1.WUServer

2.UseWUServer

3.NoAutoUpdate

4.AcceptTrustedPublisherCerts

Although you can run a SQL query to get the clients that have issues with a GPO conflict, it is always good to check these registry keys to make sure clients are good.

AcceptTrustedPublisherCerts: used for trusting 3rd party updates, if you are using SCUP to trust Adobe, Flash, Java and other updates that are deployed via SCCM.

The above policy settings are stored in the client registry under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (for both 32-bit and 64-bit OS).

NoAutoUpdate: used to disable automatic Windows Update.

The following SQL query gets info on clients that have issues with a GPO conflict:

select distinct sys.name0 [Computer Name],os.caption0 [OS],convert(nvarchar(26),ws.lasthwscan,100) as [LastHWScan],convert(nvarchar(26),sys.Last_Logon_Timestamp0,100) [Last Loggedon time Stamp],
sys.user_name0 [Last User Name] ,uss.lasterrorcode,uss.lastscanpackagelocation from v_r_system sys
left join v_gs_operating_system os on os.resourceid=sys.resourceid
left join v_GS_WORKSTATION_STATUS ws on ws.resourceid=sys.resourceid
left join v_updatescanstatus uss on uss.ResourceId=sys.ResourceID
inner join v_FullCollectionMembership fcm on fcm.ResourceID=sys.ResourceID
where uss.lasterrorcode!='0'
--and fcm.CollectionID in('PS100140')
and sys.client0 is not NULL
and uss.LastErrorCode='-2016409966'
order by sys.name0

Now let's focus on creating the configuration item/configuration baseline and deploying it to a collection:

I have a couple of blog posts on how to create a configuration item with settings, hence I am not going to show you step by step. I will go through the settings that are really important for this task.

At the end, I also attach the exported version of the configuration baseline; however, you might have to edit it after import because of the WSUS server information.

In the new setting, provide the following information.

Name: WUServer (anything you like), Setting Type: Registry value, Data type: String, Hive Name: HKEY_LOCAL_MACHINE, Key Name: SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

Click Browse to select the registry key.

Registry key: choose the following settings.

Click OK.

Click on Compliance Rules; you will see 2 conditions.

If you have multiple WSUS servers, click on the WUServer 'one of' rule and click Edit rule.

Paste all the WSUS server locations into the 'one of' field and click OK.

How do you get the list of all WSUS server locations?

Run the following SQL query against your CM database.

select LastScanPackageLocation from v_UpdateScanStatus
where LastScanPackageLocation not like ''
group by LastScanPackageLocation

We have now created one setting for WUServer; in the same way, we need to create 3 more entries.

For UseWUServer, click New and follow the options listed below.

While you are on this page, click Browse and follow the path below to select the registry key.

Click OK.

Under Compliance Rules, select 'Report noncompliance if this setting instance is not found'.

We will create the remaining 2 conditions in the same way that we created UseWUServer. All you need to do is point the registry key to the respective value.

3. NoAutoUpdate: SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

Under Compliance Rules, select 'Report noncompliance if this setting instance is not found'.

4. AcceptTrustedPublisherCerts: SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

Under Compliance Rules, select 'Report noncompliance if this setting instance is not found'.

Click OK.

We have now set the 4 conditions that are required to check the Windows Update policy settings.

Click Next to verify all compliance rules.

Click Next to complete the configuration item wizard.

We can now create the configuration baseline and deploy it to a collection.

If any of the above settings is not found on the client computer, it will report as non-compliant, which will help you to troubleshoot and fix software update scan issues.
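To spot-check a single client before or after deploying the baseline, the same four rules can be evaluated locally. This is an added example, not part of the exported baseline or the original post; the WSUS URL is a placeholder, and the location of UseWUServer under the AU subkey is an assumption, since the post shows that path only in a screenshot.

```powershell
# Added example (not from the original post): evaluate the four Windows Update
# policy values locally, mirroring the rules of the configuration item.

# Assumption: placeholder WSUS URL(s). Replace with the locations returned by
# the v_UpdateScanStatus query for your site.
$AllowedWsusServers = @('http://wsus.example.local:8530')

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$checks = @(
    @{ Name = 'WUServer';                    Key = $wuKey;      MustBeOneOf = $AllowedWsusServers }
    @{ Name = 'AcceptTrustedPublisherCerts'; Key = $wuKey;      MustBeOneOf = $null }
    @{ Name = 'UseWUServer';                 Key = "$wuKey\AU"; MustBeOneOf = $null }  # assumed path
    @{ Name = 'NoAutoUpdate';                Key = "$wuKey\AU"; MustBeOneOf = $null }
)

function Get-WUPolicyState {
    param([Parameter(Mandatory)][hashtable[]]$Checks)

    foreach ($check in $Checks) {
        # Get-ItemProperty returns nothing when the key or the value is absent.
        $item  = Get-ItemProperty -Path $check.Key -Name $check.Name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.($check.Name) } else { $null }

        $state = 'OK'
        if ($null -eq $item) {
            # Same outcome as "Report noncompliance if this setting instance is not found".
            $state = 'Missing'
        }
        elseif ($check.MustBeOneOf) {
            # WUServer must match one of the known WSUS locations (trailing slash ignored).
            $normalized = ([string]$value).TrimEnd('/')
            $allowed    = $check.MustBeOneOf | ForEach-Object { $_.TrimEnd('/') }
            if ($allowed -notcontains $normalized) { $state = 'UnexpectedValue' }
        }

        [pscustomobject]@{
            Setting = $check.Name
            Key     = $check.Key
            Value   = $value
            State   = $state
        }
    }
}

$results = @(Get-WUPolicyState -Checks $checks)
$results | Format-Table -AutoSize

# Overall verdict in the style of a compliance discovery script.
if (@($results | Where-Object { $_.State -ne 'OK' }).Count -eq 0) { 'Compliant' } else { 'Non-Compliant' }
```

A WUServer value reported as UnexpectedValue means the client is scanning against a server that is not in your list, which is worth investigating before treating it as a simple GPO conflict.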

Download the CB (configuration baseline) for Windows Update policy settings here.

To import, go to Compliance Settings, Configuration Baselines, right-click and import the cab file.

After you import the cab file, don't forget to edit the configuration item and modify your WSUS server settings.

Hope this guide helps!

Configmgr report for count of MS office versions with architecture type 32bit and 64bit


This blog post is version 3 on the same topic (report for MS Office versions) but with different requirements. My previous posts on the SSRS report for count of MS Office versions, and the drill-down report to see client names etc., have some limitations: they do not give you the bit type (architecture), 32-bit or 64-bit, of the Office installed on the client. They simply get the count of the MS Office editions installed and then drill down further to give you the list of client computers with Office edition, version, OS and hardware scan date info.

Both versions of the SSRS report can be found at https://gallery.technet.microsoft.com/office/SCCM-Configmgr-Report-for-2c36f1b9 and https://gallery.technet.microsoft.com/office/SCCM-Configmgr-2012-SSRS-c482cca2

After I posted these 2 reports, blog viewers and users on the TechNet gallery and in forums asked for bit type (32-bit or 64-bit) information for the Office product that is installed on the client.

I have a lot of requests/posts in my to-do list to blog about, but due to time limitations, I cannot get to all of them.

So for this requirement to get 32-bit and 64-bit for MS Office, I found a Microsoft article on identifying whether MS Office is 32-bit or 64-bit, and it is based on the product code: https://support.microsoft.com/en-us/help/928516/description-of-product-code-guids-in-2007-office-suites-and-programs

This product code is the one we use to uninstall software using msiexec /x {productID}.

Below is the screenshot from the support article.

In the product code, the 21st character from the left (substring(productID,21,1)) tells you whether it is 32-bit or 64-bit:

0 for x86

1 for x64

If you read the support article, there is a lot of other information like release version (RTM, SP1, SP2 etc.) and release type (volume, retail, trial).

This product ID is stored in different SQL views in the CM database, of which we are going to use v_Add_Remove_Programs. For more information about SQL views in SCCM, please refer to https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b
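The 21st-character rule can be tried out before editing the report. The following is an added example, not the report's own SQL: it applies the rule to constructed sample rows shaped like v_Add_Remove_Programs output (DisplayName0, ProdID0) and counts installs per edition and architecture. The 0FF1CE suffix check is an assumption based on the GUID layout in the support article, used here to avoid classifying non-Office product codes.

```powershell
# Added example (not from the original post or report): classify Office product
# codes as 32-bit or 64-bit from the 21st character and count per edition.

# Constructed sample rows, shaped like v_Add_Remove_Programs (DisplayName0, ProdID0).
$rows = @(
    [pscustomobject]@{ DisplayName0 = 'Microsoft Office Professional Plus 2010'; ProdID0 = '{90140000-0011-0000-0000-0000000FF1CE}' }
    [pscustomobject]@{ DisplayName0 = 'Microsoft Office Professional Plus 2010'; ProdID0 = '{90140000-0011-0000-1000-0000000FF1CE}' }
    [pscustomobject]@{ DisplayName0 = 'Microsoft Office Professional Plus 2010'; ProdID0 = '{90140000-0011-0000-1000-0000000FF1CE}' }
    [pscustomobject]@{ DisplayName0 = 'Microsoft Office Standard 2016';          ProdID0 = '{90160000-0012-0000-0000-0000000FF1CE}' }
    [pscustomobject]@{ DisplayName0 = 'Microsoft Office Professional Plus 2013'; ProdID0 = 'Office15.PROPLUS' }  # not a GUID
)

function Get-OfficeArchitecture {
    param([string]$ProductCode)

    # Decode only brace-wrapped GUIDs that end in the Office family suffix;
    # key names and other vendors' GUIDs are reported as Unknown.
    if ($ProductCode -notmatch '^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{6}0FF1CE\}$') {
        return 'Unknown'
    }

    # Zero-based index 20 is the 21st character, counting the opening brace.
    switch ($ProductCode.Substring(20, 1)) {
        '0'     { '32-bit' }
        '1'     { '64-bit' }
        default { 'Unknown' }
    }
}

# Count installs per edition and architecture, like the first (count) report.
$report = $rows |
    Select-Object DisplayName0, @{ Name = 'Architecture'; Expression = { Get-OfficeArchitecture $_.ProdID0 } } |
    Group-Object DisplayName0, Architecture |
    ForEach-Object {
        [pscustomobject]@{
            Product      = $_.Group[0].DisplayName0
            Architecture = $_.Group[0].Architecture
            Total        = $_.Count
        }
    }

$report | Sort-Object Product, Architecture | Format-Table -AutoSize
```

Rows that come back as Unknown are the ones to review by hand, since their ProdID0 value does not follow the documented GUID layout.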

The following Office editions are included in the report. If you have any other Office editions which are not in the list below, please edit the report and append them.

'Microsoft Office Personal 2007'
'Microsoft Office Professional 2007'
'Microsoft Office Professional 2007 Trial'
'Microsoft Office Professional Hybrid 2007'
'Microsoft Office Professional Plus 2007'
'Microsoft Office Professional Plus 2007 (Beta)'
'Microsoft Office Standard 2007'
'Microsoft Office Standard 2007 Trial'
'Microsoft Office Ultimate 2007'
'Microsoft Office Enterprise 2007'
'Microsoft Office Ultimate 2007'
'Microsoft Office Ultimate 2007'
'Microsoft Office 2010'
'Microsoft Office Professional Plus 2010'
'Microsoft Office Standard 2010'
'Microsoft Office Professional 2010'
'Microsoft Office Home and Student 2010'
'Microsoft Office Home and Business 2010'
'Microsoft Office Professional Plus 2010 (Beta)'
'Microsoft Office Starter 2010 - English'
'Microsoft Office 2013'
'Microsoft Office Professional Plus 2013'
'Microsoft Office Standard 2013'
'Microsoft Office Professional 2013'
'Microsoft Office Home and Student 2013'
'Microsoft Office Home and Business 2013'
'Microsoft Office Professional Plus 2013 (Beta)'
'Microsoft Office Starter 2013 - English'
'Microsoft Office 2016'
'Microsoft Office Professional Plus 2016'
'Microsoft Office Standard 2016'
'Microsoft Office Professional 2016'
'Microsoft Office Home and Student 2016'
'Microsoft Office Home and Business 2016'
'Microsoft Office Professional Plus 2016 (Beta)'
'Microsoft Office Starter 2016 - English'

As usual, download the SSRS report (rdl) files from the TechNet gallery here, upload them to your reporting folder in SCCM reports, change the data source and run the report.

Output:

Linked report:

This report supports RBA (role-based administration) functionality.

Note that the 2nd report (drill-down report) cannot be run individually; to run it, you must run the 1st report, which is the count of Office versions, and drill down to the 2nd report.

SQL code and parameter values for dataset (RBA): the following is for your information only, and no input is required from you to run this report.

DataSetAdminID: select dbo.fn_rbac_GetAdminIDsfromUserSIDs(@UserTokenSIDs) as UserSIDs

Parameter for UserTokenSIDs: General -> Parameter visibility -> Internal, default values -> specify values -> =SrsResources.UserIdentity.GetUserSIDs(User!UserID)
Parameter for UserSIDs: General -> Parameter visibility -> Internal, default values -> Get values from a query and choose DatasetAdminID

You can always edit the RDL files and customize them.

Happy reporting!

Configmgr How use compliance settings to check windows update agent version (WUA) is older ,Collection and SQL query


Using compliance settings in ConfigMgr, you can do many tasks as part of compliance. In the last couple of blog posts, we used compliance settings to identify WU settings, automatic update, trusted publisher settings etc.: http://eskonr.com/2017/10/configmgr-how-to-use-compliance-settings-to-check-the-windows-update-policy-settings-like-wuserver-usewuservernoautoupdate-on-clients/

In this blog post, we will see how to use compliance settings to check whether the Windows Update Agent version is older or the latest one as per https://support.microsoft.com/en-us/help/949104/how-to-update-the-windows-update-agent-to-the-latest-version.

The Windows Update Agent runs on each client computer and checks for availability of updates. If you are using ConfigMgr, when the software update scan cycle runs, a scan request is passed to the Windows Update Agent (WUA). The WUA then connects to the WSUS server location that is listed in the local policy (this policy is created at the time of ConfigMgr client installation), retrieves the software updates metadata (update catalog) that has been synchronized on the WSUS server, and scans the client computer for the updates. To read further on software updates, see https://docs.microsoft.com/en-us/sccm/sum/understand/software-updates-introduction

Daniel (PotentEngineer) has documented all the versions of the Windows Update Agent at http://www.potentengineer.com/windows-update-agent-build-numbers-for-windows-7/

There are a lot of Windows Update issues that happen because of an old version of the Windows Update Agent, hence you need to focus on bringing the Windows Update Agent to the latest supported version.

I will not go into detail (step by step) about how to create the configuration item and configuration baseline; instead, I will guide you through the settings that you need to configure for the Windows Update Agent.

Though the configuration used in the settings and rule creation in compliance settings is very simple, I would like to include it in this blog post along with a SQL query and a WQL collection to identify how many clients in your organisation are running older versions.

1. Define the compliance setting for the applicable OS (the Windows Update Agent varies from OS to OS). This blog post focuses on Windows 7.

Once you deploy the configuration baseline to a collection, clients will perform the CI evaluation and send the results to ConfigMgr, which will help you to create a collection from the baseline results and deploy the latest Windows Update Agent.

Compliance Item:

New setting:

New rule: replace the version with the Windows Update Agent version that you are looking for.

Note: The above WUA agent version is only for Windows 7, hence you need to configure the OS while creating the CI, or deploy this only to a Windows 7 collection.

If you want to create the rule for multiple OSes to check the WUA version, you can try something like below (it is untested at the time of writing the blog post).

Make sure you add the latest version of the Windows Update Agent into the 'one of' list.

2. WQL query for collection:

Ronni has a nice post on this; please follow it: https://www.ronnipedersen.com/2015/06/04/updating-the-windows-update-agent-on-windows-7-clients/

3. SQL query:

The Windows Update Agent version is stored in the v_GS_WINDOWSUPDATEAGENTVERSION SQL view.

We will use this SQL view to find the count of versions.

select a.version0 as 'WUA Version', count(*) as 'Total'
from v_GS_WINDOWSUPDATEAGENTVERSION as a
group by a.version0
order by 2 desc

More information: http://eskonr.com/2010/02/sccm-collection-for-windows-update-agent/

Using this, you can create a nice SSRS report. You can also create a drill-down report to find which machines are running lower versions, with computer name, user name etc.

The list of SCCM ConfigMgr SQL views documentation is available on TechNet: https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b


How to change Power Management settings using Configmgr Compliance settings


I had a request to disable the setting ‘Allow the computer to turn off this device to save power’ in the power management settings of the network adapter.

There are 3 settings here that help with Wake on LAN. All of this settings information is stored in client WMI. We want to uncheck the first option (‘Allow the computer to turn off this device to save power’) while leaving the other 2 controls as they are.

In this blog post, we will see how to change the power management settings on a client using Configuration Manager compliance settings.

Before I go into compliance settings, I will give you the WMI namespace and class that store the information about the power management settings, so we can make use of them in compliance settings.

1. Allow the computer to turn off this device to save power: WMI namespace: root\wmi, class: MSPower_DeviceEnable, property: Enable
2. Allow this device to wake the computer: WMI namespace: root\wmi, class: MSPower_DeviceWakeEnable, property: Enable
3. Only allow a magic packet to wake the computer: WMI namespace: root\wmi, class: MSNdis_DeviceWakeOnMagicPacketOnly, property: Enable

Once you have the WMI information, it is easy to create the configuration item and configuration baseline.

Create a configuration item with the name: Disable ‘Allow the computer to turn off this device to save power’. Leave the default settings, click Next, and choose the operating system that you want to deploy this setting to.

Under Settings, create a new setting with the following information:

Name: MSPower_DeviceEnable, Setting Type: WQL Query, Data Type: Boolean, WMI namespace: root\wmi, class: MSPower_DeviceEnable, property: Enable, WQL Query: InstanceName like 'PCI%'

For the other 2 settings, all you need to do is change the class using the information given above in points 2 and 3.

Click on Compliance Rule, click New and follow the settings below.

For the other 2 settings (points 2 and 3), you can set either True or False as per your needs.

Click OK.

We have now created the configuration item and are ready to create the configuration baseline and deploy it to a device collection.

When you deploy the configuration baseline, make sure you choose the following setting to remediate. (Allowing remediation outside the maintenance window is up to you: you can either wait for the maintenance window or ignore the window and remediate the setting.)

End user results:

Hope it helps!

ConfigMgr console update failed to download with ‘Error in verifying the trust of file’ WARNING: Failed to call IsFileTrusted


Microsoft released the December ConfigMgr Technical Preview version (1712). It has been a while since I looked at my SCCM Tech Preview lab, so I took the chance to look at the new features released with this preview version and play around with it in my lab.

Following are the new features released with this preview version (this is for lab purposes only, not a production release).

Do not automatically upgrade superseded applications

Install multiple applications in Software Center

Client-based PXE responder service

Change in the Configuration Manager client install

Change to the Surface device dashboard

Improvements to Office 365 Client Management dashboard

Improvements to the Configuration Manager console

Improvements to operating system deployment

Windows 10 Feedback Hub app integration

For more information about these features and documentation, please refer to https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1712

As usual, I opened the console, went to the Administration node and, from Updates and Servicing, clicked Check for updates. After a while (make sure you have an internet connection for this to work), I saw Configuration Manager Technical Preview 1712, but the state was stuck at Downloading for a long period. I checked the internet connection for any outage, and it looked good. Since my ConfigMgr lab is running in a virtual environment, there is no AV (antivirus) product running. I went ahead and looked at dmpdownloader.log, the log file that tracks information about the download of updates. As you can see in the snippet below, it throws different error codes.

Error in verifying the trust of file 'F:\ConfigMgr\EasySetupPayload\51d629d3-c355-4b80-ad6f-ba44b27f84ed.cab'.

A few lines later, I can see the following error.

Error in verifying the trust of file 'F:\ConfigMgr\EasySetupPayload\51d629d3-c355-4b80-ad6f-ba44b27f84ed.cab'.

WARNING: Failed to call IsFileTrusted

I tried the solution given in the TechNet article for when the update is stuck in a state of Downloading in the Updates and Servicing node (https://docs.microsoft.com/en-us/sccm/core/servers/deploy/install/release-notes), but it didn't help me (I changed the registry key value, then stopped and started the SMS_DMP_DOWNLOADER component).

If you look at the folder F:\ConfigMgr\EasySetupPayload as per the log, you will see a cab file with hash ID 51d629d3-c355-4b80-ad6f-ba44b27f84ed, and its size is 0 bytes.

Usually this cab file should be around 600MB+ in size, as it is the set of installation files that will be used to update ConfigMgr to the new version.

So I searched the log file using hash ID 51d629d3-c355-4b80-ad6f-ba44b27f84ed and got the URL http://download.microsoft.com/download/6/6/B/66B981F8-5740-4072-9B74-767541EA9915/51D629D3-C355-4B80-AD6F-BA44B27F84ED.cab

I downloaded the file manually and put it in the folder F:\ConfigMgr\EasySetupPayload. Once you are done with that, open Configuration Manager Service Manager, stop SMS_DMP_DOWNLOADER and start the component again.

Monitor the log file dmpdownloader.log; you will see the extraction of the cab file happening, and after a while the cab file will disappear from the F:\ConfigMgr\EasySetupPayload folder.

If you did not notice any errors in the log file, you are good to install the update from the console. Go back to your console and install the update, and monitor the status using cmupdate.log and ConfigMgrSetup.log.
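Because the cab in the workaround above is fetched by hand over plain HTTP, it is worth checking its size and Authenticode signature before copying it into EasySetupPayload. This is an added example, not part of the original post or of ConfigMgr; the download path and the expectation that the signer is Microsoft Corporation are assumptions.

```powershell
# Added example (not from the original post): sanity-check a manually downloaded
# update cab before copying it into the EasySetupPayload folder.

# Assumption: where the manual download was saved; adjust to your path.
$cabPath = 'C:\Temp\51D629D3-C355-4B80-AD6F-BA44B27F84ED.cab'

function Test-UpdateCab {
    param([Parameter(Mandatory)][string]$Path)

    $file     = Get-Item -LiteralPath $Path -ErrorAction Stop
    $problems = New-Object System.Collections.Generic.List[string]

    # The failed automatic download in the post left a 0-byte cab behind.
    if ($file.Length -eq 0) {
        $problems.Add('File is 0 bytes (download did not complete).')
    }

    # The signature must chain to a trusted root and cover the file content.
    $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
    if ($sig.Status -ne 'Valid') {
        $problems.Add("Signature status is $($sig.Status): $($sig.StatusMessage)")
    }
    elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        # Assumption: the payload is expected to be signed by Microsoft.
        $problems.Add("Unexpected signer: $($sig.SignerCertificate.Subject)")
    }

    [pscustomobject]@{
        Path            = $file.FullName
        SizeMB          = [math]::Round($file.Length / 1MB, 1)
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SHA256          = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        Problems        = $problems -join ' '
        SafeToCopy      = ($problems.Count -eq 0)
    }
}

$result = Test-UpdateCab -Path $cabPath
$result | Format-List

if (-not $result.SafeToCopy) {
    Write-Warning 'Do not copy this cab into EasySetupPayload until the problems above are resolved.'
}
```

The SHA256 value is printed so the file that was checked can be matched later against the copy placed on the site server.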

At the end, you will see a screen prompting you to upgrade the existing console to the new version.

Hope it helps.

How to deploy Onedrive for Business using Configmgr


 

Deploying OneDrive for Business is straightforward. The command line is very simple: "OneDriveSetup.exe" /silent. But when you create the application in ConfigMgr, there are a couple of things that you need to focus on, like the detection method and install behaviour.

If you search online for how to deploy OneDrive for Business using ConfigMgr, you will find various posts; however, the following method is what I have been using, and it works fine. I would like to share the solution in simple steps.

Create the application as you normally do, but use the following information to fill in the detection method, user experience and install command line.

Install command line: "OneDriveSetup.exe" /silent

Detection method: The version that I deployed to users (user-based collection) is 17.3.7076.1026, hence my detection method looks for 17.3.7076.1026. (A later version is already available, which I have yet to deploy.)

OneDrive for Business stores its installation files in the user profile (C:\Users\eswar.koneti\AppData\Local\Microsoft\OneDrive).

Registry key from the user profile for uninstall:

Setting Type: Registry

Hive: HKCU

Key: Software\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe

Value: DisplayVersion

Data Type: String

User Experience:

Deploy the application to a user collection and you are good.

If you have any issues with this, post via the comment section.

Configmgr Report list empty collections with no query rules defined (collection clean-up)


 

I was looking at the console the other day and found that there were many collections created in the root folder (device collections) with a count of 0. So I looked at the collection properties and found them empty (no direct or query-based rule).

So I decided to write a SQL query to identify the list of collections that have empty results with no query rules (direct or query-based) defined in them.

For this query, I have used 2 SQL views (v_Collection and v_CollectionRuleQuery).

For the full list of SQL views that exist in SCCM ConfigMgr, please refer to https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b .

Following is the SQL code to identify empty collections with no query rule defined. As part of maintenance tasks, you can delete these collections to simplify the list of collections displayed when deploying objects, unless there is a reason for them to be in the console.

You can use the following code to create an SSRS report as well.

select coll.CollectionID,coll.Name,
case when coll.CollectionType='1' then 'User' else 'Device' end as 'Collection Type'
from v_Collection coll
where coll.collectionid not in (select CRQ.collectionid from v_CollectionRuleQuery CRQ)
and coll.MemberCount=0
group by coll.CollectionID,coll.Name,coll.CollectionType

Configuration Manager Technical Preview 1708 has the ability to identify applications without deployments and empty collections as part of Management Insights. For more information, please read https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1708#management-insights

Hope it helps!

 

SCCM Report for Missing Boundaries and Troubleshooting


 

Introduction:

Boundaries for SCCM define network locations on your intranet that can contain devices that you want to manage. Boundary groups are logical groups of boundaries that you configure. For more information click here

A few days ago, Jason Sandys blogged about boundary group caching and missing boundaries. For more details, read through https://home.configmgrftw.com/boundary-group-caching-and-missing-boundaries-in-configmgr .

This is one of the highly needed solutions that everyone should implement in their environment to evaluate the accuracy of the boundaries/boundary groups defined. Boundaries play a major role in site assignment and content download. If you do not define the boundaries correctly, the client will not function as expected, and it takes up a lot of your time to troubleshoot and identify that the cause is missing boundaries, and it is a recurring issue.

Jason has covered most of the ground on missing boundaries, boundary group caching, the WMI location and a basic SQL query. In this blog post, I am going to show you how to get the list of client devices that are missing from the boundaries/boundary groups using an SSRS report, and how to troubleshoot these devices. Sometimes you may see something like ‘waiting for content download forever’ in Software Center, and this is because boundaries/boundary groups are missing.

This blog post will help you to identify such client devices along with their basic inventory information, like OS, hardware inventory, software update scan, IP address, last reboot etc.

You can also use other methods to achieve this, such as a compliance item/baseline, but the HINV method gives you more information and better reporting.

How to create report/upload report?

Before you download the report, please make the necessary changes as per the guidelines in Jason Sandys' post.

Following are quick points to implement the changes:

1. Open the SCCM console, go to Client Settings, edit the default client settings, go to Hardware Inventory, Set Classes, Add, choose the WMI namespace and add the class. Once the boundary group cache class is added, uncheck it in the default settings and click OK. For more information on how to add custom inventory, you can refer to the guide here

2. Go to your custom client agent settings (if you have them; otherwise you can make these changes in the default client settings), Hardware Inventory, Set Classes, and choose the class name that we added in the default client agent settings.

3. Monitor dataldr.log to see whether these changes are processed and the view is created in the SQL database (v_GS_BOUNDARYGROUPCACHE).

Once you are done with the above steps, download the SSRS report from the TechNet Gallery, upload it to your SCCM reports, change the data source and run it.

The report will display the following information. This report is created with the filter Client0='1', as I do not want to display information for devices that do not have the SCCM client.

Note: As of CB 1610, all clients that do not fall within the scope of a defined boundary group will be associated with the Default Boundary Group. This is not reflected in the BoundaryGroupCache class. Essentially, if the instance of the BoundaryGroupCache class contains no BoundaryGroupIDs, then the client is considered within the scope of the Default Boundary Group.

 

How to troubleshoot the missing boundaries that are displayed in the report:

1. From the report, we see that it has one device with its IP address. So we can go back to the SCCM console and check under Boundaries whether this IP address is part of the specified boundaries or not (it is ALWAYS recommended to go with IP address ranges when defining boundaries, unless you have a specific reason not to use them).

2. Make sure the client device has sent the inventory report successfully after you have made the changes in HINV and they are deployed to the collection.

3. If the IP address is defined in the boundaries, check for the boundary group; if it is not in one, add it to a boundary group with a site system role.

4. If the IP address is part of the boundaries and a boundary group, what else can cause the client device to appear in this report?

5. If boundaries and boundary groups are added correctly, the MP must have returned the list of distribution points that are configured in the boundary groups for the client to pick for content download.

6. If all of the above points look OK, I would suggest taking a look at the client device logs (clientlocation.log, locationservices.log and ContentTransferManager.log), which will help you to identify the DP details.

 

Happy troubleshooting!
