Channel: CM2012 – All about Microsoft Endpoint Manager

How to Uninstall Microsoft Office Security Updates using Configuration manager 2012


There are various posts online about how to uninstall Windows updates when something goes wrong with deployed patches, but I did not find anything about Office security updates.

In this post I will discuss how to remove Microsoft Office updates using Configmgr / Configuration Manager 2012.

Background: With the release of the December 2014 patches, a bulletin (MS14-082, KB2726958) for Microsoft Office 2013 caused macros in Excel 2010 spreadsheets to stop working.

More information about this issue is in this TechNet forum thread: https://social.technet.microsoft.com/Forums/en-US/17254fab-9ecd-49e7-bab7-f76906167d4a/office-2013-update-kb-2726958-problem?forum=officeitpro

When a user opens an Excel workbook that contains macros/VBA, it fails with ‘Run Time Error 438: Object doesn’t support this property or method’.


Uninstalling “Security Update for Microsoft Office 2013 (KB2726958) 32-Bit Edition” from Add and Remove Programs returns Excel to normal and everything works again.


Microsoft also released a fix for this problem (it can be found here); it basically removes files with the extension ".exd" from %temp% and other folders, but for some reason this fix did not work for all users.

I decided to remove this patch from every computer where it was installed, to avoid further tickets to the service desk.

Since these are MS Office security updates, you cannot use wusa.exe to uninstall them; wusa.exe is for Windows security updates.

What other method will remove a specific patch from Windows computers?

Here is the command line to uninstall a Microsoft Office security update:

msiexec /package {ProductID} /uninstall {PatchID} /qn /quiet /norestart

ProductID: the product code of the Office component the update applies to, for example Microsoft Office, Microsoft Visio, Microsoft Lync, etc.

PatchID: the patch code of the update itself.

How do I find the Product ID and Patch ID before I run the command line, using Configuration Manager or other methods?

If you are running Configuration Manager 2012, go to Devices, find the computer and open Resource Explorer for that computer.


Right-click the row for the Lync update and copy the Product ID information:

Update for Microsoft Office 2013 (KB2817626) 32-Bit Edition    {90150000-012C-0000-0000-0000000FF1CE}_Office15.LYNC_{BC369230-B0E0-4BB0-82D6-E93196060BFA}        Microsoft

From the above you have both the Product ID and the Patch ID for the Lync update (KB2817626): the first GUID is the product code and the second is the patch code.

To uninstall this update, substitute the Product ID and Patch ID into the command line:

Uninstallation command line syntax:

msiexec /package {90150000-012C-0000-0000-0000000FF1CE} /uninstall {BC369230-B0E0-4BB0-82D6-E93196060BFA} /qn /quiet /norestart

If you have multiple patches causing trouble, create a batch file with one command line per row.

Create a standard package using the batch file and deploy it to all workstations (regardless of whether the update is installed or not). If the update is not installed on a computer, the command simply does nothing there.

Monitor the client log execmgr.log to see whether the command executed successfully or not.

 


 

How to find the Product ID and Patch ID without using Configuration Manager 2012 (if the patch inventory was not reported to the CM site successfully)?

You can get these values from the registry on a computer that has the patches installed.

Open the registry and drill down to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ (if 64-bit) or HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

and use Find to search for the patch’s display name, Security Update for Microsoft Office 2013 (KB2726958) 32-Bit Edition (as you see it in Add and Remove Programs or in the SCCM console).


Look at the UninstallString value; it contains both the Product ID and the Patch ID.

You may wonder why you can’t just use the uninstall string from the registry. You can, but that command line varies with the OS architecture. I prefer the msiexec method because it works on all platforms.
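The registry lookup described above can be scripted so the same package works regardless of which Uninstall hive the patch lives in. The following PowerShell is an added example, not code from the original post: it searches both Uninstall keys for a display name containing the KB number, takes the two GUIDs out of the UninstallString (assumption: the first is the product code and the second the patch code, matching the Resource Explorer row shown above), and builds the msiexec command line from the post. By default it only prints the command; pass -Execute to actually run it.

```powershell
# Added example: locate an Office patch by KB number and build the msiexec removal command.
param(
    [Parameter(Mandatory = $true)][string]$KB,   # e.g. 'KB2726958'
    [switch]$Execute                              # without it, dry run only
)

# Both hives are checked: 32-bit Office on 64-bit Windows registers under Wow6432Node.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
$guidPattern = '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'

function Get-OfficePatchUninstallInfo {
    param([string]$KBNumber)
    foreach ($key in $uninstallKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem $key) {
            $entry = Get-ItemProperty $sub.PSPath
            if (-not $entry.DisplayName -or $entry.DisplayName -notlike "*($KBNumber)*") { continue }
            # Assumption (from the Resource Explorer row): GUID 1 = product code, GUID 2 = patch code.
            $guids = @([regex]::Matches([string]$entry.UninstallString, $guidPattern) | ForEach-Object { $_.Value })
            if ($guids.Count -ge 2) {
                [pscustomobject]@{
                    DisplayName = $entry.DisplayName
                    ProductId   = $guids[0]
                    PatchId     = $guids[1]
                    RegistryKey = $sub.Name
                }
            }
        }
    }
}

$patches = @(Get-OfficePatchUninstallInfo -KBNumber $KB)
if ($patches.Count -eq 0) {
    Write-Output "No installed Office patch matches $KB on this computer; nothing to do."
    exit 0
}

foreach ($p in $patches) {
    # Same switches as the post's command line (/qn already implies quiet).
    $arguments = "/package $($p.ProductId) /uninstall $($p.PatchId) /qn /norestart"
    Write-Output "Found: $($p.DisplayName)  [$($p.RegistryKey)]"
    Write-Output "msiexec.exe $arguments"
    if ($Execute) {
        $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $arguments -Wait -PassThru
        # 0 = success, 3010 = success but a reboot is pending (standard msiexec return codes)
        Write-Output "msiexec exit code: $($proc.ExitCode)"
    }
}
```

Run it once without -Execute on a computer that shows the symptom and compare the printed GUIDs with the Resource Explorer row before deploying it as a package; the exit code it prints is also what appears in execmgr.log.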

Hope it helps!


SCCM Configmgr 2012 SSRS Report Count MS Office Versions


 

Recently I worked on a project to upgrade MS Office to 2013, and before taking any action I needed to identify and count all MS Office versions installed on the computers managed by Configuration Manager 2012.

There is no default Configmgr report that provides this information, so you must create a custom SSRS report. While working on one to count Office versions, I found a TechNet blog post that gives the count of MS Office versions only, but not the specific edition within each version (Standard, Professional).

In this blog post I will show how to get a summary report of MS Office versions together with the editions within each version and their counts. This needs two reports: 1) the summary count and 2) a sub-report that lists the editions for each version.

If you run the SQL query/SSRS report from the TechNet blog, you get results like this:

 


 

The report above shows MS Office 20xx installed on X clients, but it doesn’t tell you which editions are installed. To see that, you need to create a second report and link it to the summary report.

The second report (the sub-section that lists the editions for each version) looks like this when you click on the blue numbers:


The two reports are linked to each other. If you rename either file, you must also edit the link in the SSRS design, or the reports will fail to run.

Note: Server OS is excluded from this report. The counts above are only for workstations with Client = Yes.

You can edit these RDL Files to customize the SQL Query.

Download the RDL files from the TechNet Gallery.

Upload the RDL files into the same folder in your SSRS reports, change the data source, and run the reports.

Configmgr 2012 Deployment: How to change security permissions on a specific folder using icacls with application detection rules


 

Problem Description:

Users (AD security group eskonr\Domain Users) from a specific project in the organization do not have admin privileges on their computers (don’t ask why). I have an application (Matrix) that is installed using Configuration Manager 2012, and users have been using it for their daily routine work without any issues so far (without admin rights).

Recently, due to a project requirement, they need full permissions on specific folders (C:\Program Files\matrix\3D or whatever) to modify some files and settings to get the application working.

To grant full (or the required) permissions on specific folders to domain users or project users, you can use the built-in Windows command line tool icacls.exe (displays or modifies discretionary access control lists).

I use icacls to set permissions on the folder, but I first need to check whether the OS architecture is x86 or x64, because the installation directory for this application varies.

For more about the available syntax for icacls.exe, run icacls.exe /? from cmd.exe.

Below is the batch script that checks whether the architecture is 32- or 64-bit and then grants the required permissions on the specific folders.

@Echo off
REM Grant Domain Users full control of the Matrix 3D and Client folders.
REM On 64-bit Windows the application lives under "Program Files (x86)",
REM so the presence of that folder selects the 64-bit branch.

If exist "C:\Program Files (x86)\matrix" (GOTO 64BIT) ELSE (GOTO 32BIT)

:32BIT
REM /grant:r replaces any existing explicit ACE for the group;
REM (OI)(CI)F = full control, inherited by files (OI) and subfolders (CI).
icacls "c:\Program Files\matrix\3D" /grant:r "eskonr\Domain Users":(OI)(CI)F
icacls "c:\Program Files\matrix\Client" /grant:r "eskonr\Domain Users":(OI)(CI)F
GOTO END

:64BIT
icacls "c:\Program Files (x86)\matrix\3D" /grant:r "eskonr\Domain Users":(OI)(CI)F
icacls "c:\Program Files (x86)\matrix\Client" /grant:r "eskonr\Domain Users":(OI)(CI)F
GOTO END

:END

Where eskonr is the domain and Domain Users is the AD security group.

Note: You can also do this job using a Configuration Item, but I like this way.

Now I can take this script and deploy it using Configuration Manager, either with an application deployment or with a package (legacy method).

The legacy method is easy and straightforward, but if I want to deploy this as an application, I need to create a detection rule that runs before the script.

Note: If you put something in the detection rule that never detects, detection always reports unknown and the script runs every time (even though the folder already has the required permissions). That does no harm to permissions already granted.

To detect the security rights, I need a custom script, since the default detection rules (file, registry and MSI) do not work in this case.

Below is the PowerShell script that detects whether the security permissions are already set.

PowerShell script to detect the security permissions:

# Detection script: print "Permissions set" only when the group already has FullControl
# on the 3D folder. No output means ConfigMgr treats the application as not installed.
$user = "eskonr\Domain Users"

If (Test-Path -Path "c:\Program Files\matrix")
{
    $file = "c:\Program Files\matrix\3D"
    if (((Get-Acl $file).Access | ?{ $_.IdentityReference -eq $user }).FileSystemRights -match 'FullControl')
    {
        Write-Host "Permissions set"
    }
}
if (Test-Path -Path "c:\Program Files (x86)\matrix")
{
    $file = "c:\Program Files (x86)\matrix\3D"
    if (((Get-Acl $file).Access | ?{ $_.IdentityReference -eq $user }).FileSystemRights -match 'FullControl')
    {
        Write-Host "Permissions set"
    }
}

You can shorten the above PowerShell script if you are good at it.
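A stricter version of the detection, added here as an example and not the post’s own script: it checks both Matrix folders the batch file touches, requires an Allow ACE that carries the full FullControl flag set (a substring match on FileSystemRights would also accept, for example, a Deny entry) and the (OI)(CI) inheritance the batch file grants, and only then emits the detection output. Paths and group name are the post’s.

```powershell
# Added example: ConfigMgr detection script for the icacls deployment above.
$group   = 'eskonr\Domain Users'
$folders = @('3D', 'Client')

# Same architecture test as the batch file.
$root = if (Test-Path 'C:\Program Files (x86)\matrix') {
    'C:\Program Files (x86)\matrix'
} else {
    'C:\Program Files\matrix'
}

function Test-FullControlAce {
    param([string]$Path, [string]$Identity)

    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -ne $Identity) { continue }
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        # FileSystemRights is a flags enum: require every FullControl bit, not a text match.
        $full    = [System.Security.AccessControl.FileSystemRights]::FullControl
        $hasFull = ($ace.FileSystemRights -band $full) -eq $full
        # (OI)(CI) = ObjectInherit + ContainerInherit, so files and subfolders inherit it.
        $wanted  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
        $hasInh  = ($ace.InheritanceFlags -band $wanted) -eq $wanted
        if ($hasFull -and $hasInh) { return $true }
    }
    return $false
}

$allSet = $true
foreach ($name in $folders) {
    if (-not (Test-FullControlAce -Path (Join-Path $root $name) -Identity $group)) {
        $allSet = $false
    }
}

# ConfigMgr rule: output on STDOUT with exit code 0 = installed;
# no output with exit code 0 = not installed, so the batch file is run.
if ($allSet) { Write-Output 'Permissions set' }
exit 0
```

Because the check is specific to the exact ACE the batch file creates, a later change that narrows the rights (say, a GPO that strips inheritance) makes the application show as not installed again, and the next evaluation cycle reapplies the permissions.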

How to get Report for Internet Explorer Startup Page using Configuration Manager 2012


Last week I had a discussion with my manager about users’ IE home/start pages: he wanted a report on how many users have it set to the company intranet page. I asked what method the company currently uses to set the IE home page, and he replied, GPO? My response was that if it is set by GPO, the IE home page should already be the required one for all domain users (wherever the GPO applies), and with GPO you have more control, since you can stop users changing the default home page (Disable changing home page settings), with less troubleshooting required.

I checked my computer: the default IE home page was set correctly, but I still had the flexibility to change it. So my boss asked me to find a way to get a compliance report on users’ IE home pages, so that any OUs where the GPO is not applied can be identified.

Since the IE home page information is stored in HKCU, we cannot use regkeytomof (it works only with HKLM), a MOF extension, or DCM (not easy).

The possible solution involves: 1) create a custom WMI location, 2) copy the user’s IE home page info into this location, 3) edit the MOF to retrieve this WMI information into the SCCM database.

The above solution works, but how do you give users permission to write their registry info into the WMI location when they do not have admin rights on their computers?

Long ago there was a discussion on the SCCM forum list about this issue of collecting user IE home pages with Configuration Manager. Our MOF master Sherry Kissinger has a workaround for it, which I am going to show shortly.

This procedure requires creating a package with 2 programs (a legacy package is preferred and easy): 1) machine, 2) user, with a dependency on the machine program.

Create a folder on your network share following your naming convention and place these files in it. The files can be downloaded from http://eskonr.com/?wpdmdl=5651


1. wmiNameSpaceandSecurity.vbs: this script creates the custom WMI location (root\CustomCMClasses → CM_IEStartPages) using a file called WmiSecurity.exe.

2. UserIEStartPage.vbs: this script publishes the information from HKCU to the custom WMI location created by the script above.

Before we start creating the package, edit wmiNameSpaceandSecurity.vbs, replace the domain name with your own domain name, and save the script.


Create Package with 2 programs:

1. Create a package with a program whose command line is cscript.exe wminamespaceandsecurity.vbs, running in the system context.


2. Right-click the package created above and select Create Program (no need to create a new package) with the command line cscript.exe UserIEStartPage.vbs, running in the user context, and select ‘Run another program profile first’.


We have now created the package with 2 programs:


Distribute the package to a DP group or DPs.

Now create a deployment of the UserIEStartPage program to the required collection.

Time to test the results:

Log in to a PC that has this deployment, run the machine policy, and monitor execmgr.log for the progress of the deployment.


From the log above, the program executed successfully.

Let’s check the WMI classes and the inventory information captured from HKCU.

Open cmd, type wbemtest.exe and connect to “root\CustomCMClasses”.


Let’s check the home page values in the WMI class with a simple WQL query before we start working with the MOF file.

While connected to “root\CustomCMClasses”, click Query and run: SELECT * FROM CM_IEStartPages


From the above, we see that the user has 2 tabs set to open when IE starts. Double-click either one and click Show MOF to see the URL.


So far, all good. Now let’s make some changes to the MOF to collect this information via inventory on a schedule (if required, create a custom inventory for a specific collection instead of changing the default).

Go to your CM12 primary site, Administration pane (if you have a CAS, make these changes there) → Client Settings → Default Settings. (You must import the custom attributes here before you create custom client settings.)


We have now imported the custom WMI info into CM12, but we have not yet enabled this setting to be collected from Configmgr clients.

In the background, Configmgr creates a new table/view (CM_IESTARTPAGES_DATA / v_GS_CM_IESTARTPAGES) to store the information that comes from clients; this can be monitored in dataldr.log on your site server.

Now create a custom client agent setting that can be applied to a test collection before rolling it out to the big collection.


Deploy this setting to the test collection and wait for the results (the client should pick up the new settings and send the inventory info to the site server). After a while you will see the information in the CM12 database.

Here is a simple SQL query:


SELECT vrsv.Netbios_Name0 AS [machine name], isp.username0, isp.startpage0, isp.tab0, isp.datescriptran0
FROM v_GS_CM_IESTARTPAGES AS isp
JOIN dbo.v_R_System_Valid AS vrsv ON vrsv.ResourceID = isp.resourceid
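To make the two-program design concrete, here is an added PowerShell example (not the post’s VBScripts, which are downloads) that does the equivalent of both: in Machine mode (system context) it creates the root\CustomCMClasses namespace and the CM_IEStartPages class; in User mode (user context) it reads the start page(s) from HKCU and writes one instance per tab. The property names UserName, StartPage, Tab and DateScriptRan are assumed from the column names in the SQL query above. What it does not do is the namespace security step that WmiSecurity.exe performs in the post: unless users are granted write access to root\CustomCMClasses, the User mode run fails for non-admin users, which is exactly the permission problem the post raises.

```powershell
# Added example: custom WMI namespace/class (machine) and HKCU start-page publishing (user).
param([ValidateSet('Machine', 'User')][string]$Mode = 'Machine')

$namespace = 'root\CustomCMClasses'
$className = 'CM_IEStartPages'

function New-CustomNamespaceAndClass {
    # Create the namespace only if it is not there yet.
    if (-not (Get-WmiObject -Namespace 'root' -Class '__NAMESPACE' -Filter "Name='CustomCMClasses'")) {
        $ns = ([wmiclass]'root:__NAMESPACE').CreateInstance()
        $ns.Name = 'CustomCMClasses'
        [void]$ns.Put()
    }
    # Create the class once; UserName + Tab form the key so a user can have several tabs.
    if (Get-WmiObject -Namespace $namespace -List | Where-Object { $_.Name -eq $className }) { return }
    $class = New-Object System.Management.ManagementClass($namespace, [string]::Empty, $null)
    $class['__CLASS'] = $className
    $class.Qualifiers.Add('Static', $true)
    foreach ($prop in 'UserName', 'StartPage', 'DateScriptRan') {
        $class.Properties.Add($prop, [System.Management.CimType]::String, $false)
    }
    $class.Properties.Add('Tab', [System.Management.CimType]::UInt32, $false)
    $class.Properties['UserName'].Qualifiers.Add('Key', $true)
    $class.Properties['Tab'].Qualifiers.Add('Key', $true)
    [void]$class.Put()
}

function Publish-UserStartPages {
    $main = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    # 'Start Page' is the first tab; 'Secondary Start Pages' (REG_MULTI_SZ) holds extra tabs.
    $pages = @($main.'Start Page') + @($main.'Secondary Start Pages') | Where-Object { $_ }
    $user  = "$env:USERDOMAIN\$env:USERNAME"
    $when  = (Get-Date).ToString('s')

    # Replace this user's earlier rows so inventory reflects the current setting
    # (backslashes must be doubled inside a WQL string literal).
    $wqlUser = $user.Replace('\', '\\')
    Get-WmiObject -Namespace $namespace -Class $className -Filter "UserName='$wqlUser'" |
        ForEach-Object { $_.Delete() }

    $tab = 1
    foreach ($url in $pages) {
        $inst = ([wmiclass]"${namespace}:$className").CreateInstance()
        $inst.UserName      = $user
        $inst.Tab           = $tab
        $inst.StartPage     = $url
        $inst.DateScriptRan = $when
        [void]$inst.Put()
        $tab++
    }
    return $tab - 1   # number of tabs published
}

if ($Mode -eq 'Machine') { New-CustomNamespaceAndClass } else { Publish-UserStartPages }
```

Deployed as two programs (Machine mode under the system account, User mode under the user account with a dependency on the first), the wbemtest query SELECT * FROM CM_IEStartPages returns the same rows the post shows, and the MOF import and client setting then carry them into v_GS_CM_IESTARTPAGES.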

How to Install MBAM 2.5 SP1 and integrate with SCCM Configmgr 2012 R2 SP1 – Part 4


 

In part 3 of this MBAM 2.5 SP1 multi-part guide, we installed the MBAM prerequisites for Configuration Manager 2012 and made the MOF file changes, inventory changes, MBAM collection, etc.

In this part 4 we will see the main components of MBAM 2.5 SP1: the databases, reports and web applications.

Log in to the MBAM01 server with the CM_SRV (MBAM_admin) account, mount the MDOP 2015 ISO, and browse to the MBAM 2.5 SP1 folder.


Run MBAMserversetup with the default options, Next, Next, Next until the last screen.


Click Add New Features.


We will first install the databases and reports, and install the web applications later.


Enter the SQL Server name (local or remote server).

I used the default instance (MSSQLSERVER), so I leave the instance blank; if you have a named instance, provide it.

Use the account you created in AD for database read and write.


Recovery database:


Enter the reporting role domain group name (MBAM_HD_Reports) and the compliance audit domain account name (MBAM_DB_RO).


Check the summary page to verify that everything is set correctly.


If you have other servers where you want to install these components again and don’t want to follow all these steps, you can export the PowerShell script, change the components (certificate, account, etc.) and run the script on the other server.


With this we have installed the compliance database and the recovery database.

Check that these databases were created by opening SQL Server Management Studio.


The accounts specified during the installation are automatically added with the required permissions.


Next, we will install the web applications.

On the server, search for mbam from the Start menu and open MBAM Server Configuration to add the web applications.


Click Add New Features.


As I am not using SSL for now, I will check “Do not use a certificate”.

Enter the host name, IIS path and port number (if the firewall is enabled, you must allow this port for website communication).


Fill in the details as shown below.


Enable TPM Lockout Auto-reset is a new feature in MBAM 2.5 SP1. On computers running TPM 1.2, you can now configure MBAM to automatically unlock the TPM in case of a lockout. If the TPM lockout auto-reset feature is enabled, MBAM can detect that a user is locked out and then get the OwnerAuth password from the MBAM database to automatically unlock the TPM for the user.

This feature must be enabled on both the server side (as shown above) and in Group Policy on the client side (we will configure this later).


SQL Server Reporting Services URL: http://MBAM01.corp.eskonr.com/ReportServer (if you are using SSL, use https).


Let’s check in IIS whether these websites were created.

From Run, type inetmgr.


Right-click HelpDesk, choose Manage Application → Browse, and you will see the HelpDesk web page.

If you don’t see reports, you are not a member of the group ‘MBAM_HD_Reports’. Only the user MBAM_report1, who is a member, can view reports.

To see the two options below, Drive Recovery and Manage TPM, the user must be a member of the MBAM_HD_ADv group. To see only reports, the user must be a member of MBAM_HD_Reports.


If the user is a member of only MBAM_HD_Reports, they can see only reports.


Do the same for the self-service portal.


If you want to configure the self-service portal to change the company name, display text, etc., go to the IIS server, click SelfService and open Application Settings.


With this, we have successfully installed the databases, reports and web applications on our MBAM server.
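The IIS checks above can be repeated from any admin workstation with the following PowerShell, an added example that is not part of the original post. It requests each MBAM endpoint this guide uses (HelpDesk, SelfService, the recovery/hardware service and the Reporting Services URL) and classifies the answer: a 401 or 403 still proves the application exists and points at missing MBAM_HD_Reports or MBAM_HD_ADv membership, a 404 means the web application was not installed, and no response at all points at DNS, the port or the firewall rule mentioned above. The host name and the http scheme are this lab’s “Do not use a certificate” choice; because recovery keys travel through these endpoints, a production deployment should bind a certificate and pass -Scheme https.

```powershell
# Added example: post-install smoke test for the MBAM web applications.
param(
    [string]$Server = 'MBAM01.corp.eskonr.com',
    [string]$Scheme = 'http'   # lab only; use https with a certificate in production
)

# Endpoints referenced in this guide, relative to the site root.
$endpoints = @{
    'HelpDesk portal'           = 'HelpDesk/'
    'Self-service portal'       = 'SelfService/'
    'Recovery/hardware service' = 'MBAMRecoveryAndHardwareService/CoreService.svc'
    'Reporting Services'        = 'ReportServer'
}

function Test-MbamEndpoint {
    param([string]$Name, [string]$Url)
    $code = 0
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseDefaultCredentials -UseBasicParsing -TimeoutSec 15
        $code = [int]$resp.StatusCode
    } catch {
        # Non-2xx answers surface as exceptions; keep the status code if the server replied.
        if ($_.Exception.Response) { $code = [int]$_.Exception.Response.StatusCode }
    }
    $state = switch ($code) {
        200     { 'OK' }
        401     { 'Present (authentication required)' }
        403     { 'Present (access denied: check MBAM_HD_Reports / MBAM_HD_ADv membership)' }
        404     { 'Missing: web application not installed' }
        0       { 'Unreachable: check DNS, port and firewall' }
        default { "HTTP $code" }
    }
    [pscustomobject]@{ Endpoint = $Name; Url = $Url; HttpStatus = $code; Result = $state }
}

$results = foreach ($e in $endpoints.GetEnumerator()) {
    Test-MbamEndpoint -Name $e.Key -Url "${Scheme}://$Server/$($e.Value)"
}
$results | Format-Table -AutoSize

# Non-zero exit when anything is missing or unreachable, so the script can gate further steps.
if ($results | Where-Object { $_.HttpStatus -in 0, 404 }) { exit 1 } else { exit 0 }
```

Run it once as a member of MBAM_HD_ADv and once as a user in neither group: the first run should return 200 everywhere, the second should turn HelpDesk into a 403, which confirms the group restrictions described above are actually enforced.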

In part 5 of this series, we will see how to configure the prerequisites (GPOs, etc.) for clients before we start BitLocker encryption on computers.

How to Install MBAM 2.5 SP1 and integrate with SCCM Configmgr 2012 R2 SP1 – Part 5


 

In part 4 we installed the MBAM components on our MBAM server (MBAM01). In this part 5 of the MBAM 2.5 SP1 series, we will configure the prerequisites required for Windows clients using Group Policy objects before we deploy the MBAM agent and drive encryption.

Before we configure and deploy the MBAM 2.5 SP1 agent settings to our client computers using Group Policy, let’s look at which types of BitLocker protectors MBAM supports.

Types of BitLocker protectors that MBAM supports:


In MBAM 2.5 SP1, if you enable Used Space Only encryption via BitLocker Group Policy, the MBAM client honors it. It also has a new feature for Windows 10, Configure pre-boot recovery message and URL (more on that in the demos).

Next, we download the latest MBAM 2.5 SP1 Group Policy templates from here to our workstation and copy them to our domain controller. If you create the Group Policy objects from your workstation instead (meaning you have GPMC installed), copy the templates to the workstation folder (the location is given below).


After downloading the cab file, extract it; I used the free tool 7-Zip. The cab contains templates for all MDOP components and versions (App-V, UE-V, MBAM), so we copy only the MBAM 2.5 SP1 templates to our domain controller.


Copy the two .admx files (BitLockerManagement.admx and BitLockerUserManagement.admx) and the two .adml files (BitLockerManagement.adml and BitLockerUserManagement.adml) from the en-us folder to the locations below.

Local files. To configure Group Policy settings from the local device, copy template files to the following locations:

Group Policy template (.admx) : %systemroot%\policyDefinitions
Group Policy language file (.adml) : %systemroot%\policyDefinitions\[MUIculture]

Domain central store. To enable Group Policy settings configuration by a Group Policy administrator from any computer on the domain, copy files to the following locations on the domain controller:

Group Policy template (.admx) : %systemroot%\sysvol\domain\policies\PolicyDefinitions
Group Policy language file (.adml) : %systemroot%\sysvol\domain\policies\PolicyDefinitions\[MUIculture]

For example, the U.S. English ADML language-specific file will be stored in %systemroot%\sysvol\domain\policies\PolicyDefinitions\en-us.

Log in to our domain controller (DC01) with an account that has enough permissions to create Group Policy, and copy the .admx and .adml files to %systemroot%\policyDefinitions and %systemroot%\policyDefinitions\en-US respectively.

(Screenshots: the .admx templates in PolicyDefinitions and the .adml templates in PolicyDefinitions\en-US.)

Next, we create a Group Policy object with the MBAM 2.5 SP1 BitLocker settings and deploy it to the workstation OU.

I already have an OU called ‘Workstations’ in my domain. If you don’t, create one (MBAM or similar) and move the workstations into it for MBAM testing.


Note: Do not change the Group Policy settings in the BitLocker Drive Encryption node, or MBAM will not work correctly. When you configure the Group Policy settings in the MDOP MBAM (BitLocker Management) node, MBAM automatically configures the BitLocker Drive Encryption settings for you.

On your domain controller, search for Group Policy and open Group Policy Management, go to Control Panel → Administrative Tools → Group Policy Management, or from Run type GPMC.msc.


Under your forest → domain → Group Policy Objects, create a new GPO, name it ‘MBAM 2.5 SP1 Client Settings’ and click OK.


Edit the Group Policy by right-clicking the object and selecting ‘Edit’. This is our GPO with all the MBAM 2.5 SP1 BitLocker settings; it will be linked to our Workstations OU later.


Navigate to Computer configuration > Policies > Administrative Templates > Windows Components > MDOP MBAM (BitLocker Management).


We will configure these policy groups for our BitLocker drive encryption:

Client Management : Configure MBAM Services

Operating System Drive: Operating system drive encryption settings

Removable Drive : Control use of BitLocker on removable drives

Fixed Drive :Control use of BitLocker on fixed drives

A complete description of these policy groups and what each Group Policy setting does is in the TechNet guide https://technet.microsoft.com/en-us/library/dn645338.aspx.

As we are running our client operating system in a VM, we will configure the settings that support BitLocker encryption in a VM. In production, your settings may differ with your requirements.

Let’s start with the Client Management group to configure the MBAM services.

MBAM Recovery and Hardware service endpoint : http(s)://<MBAM Administration and Monitoring Server Name>:<the port the web service is bound to>/MBAMRecoveryAndHardwareService/CoreService.svc.

For our Lab,the setting looks like: http://MBAM01.corp.eskonr.com/MBAMRecoveryAndHardwareService/CoreService.svc

MBAMRecoveryAndHardwareService is the IIS application name on our MBAM01 server.


Select BitLocker recovery information to store : 90 (default)

MBAM Status reporting service endpoint: Disabled, as we have integrated MBAM with Configuration Manager 2012. If you are running standalone, you must configure this setting to enable MBAM client BitLocker encryption management.

For Standalone ,setting would be : http(s)://<MBAM Administration and Monitoring Server Name>:<the port the web service is bound to>/MBAMComplianceStatusService/StatusReportingService.svc


In production you may need to configure other policy settings, but for now in my virtual lab I leave the other settings as they are.

MBAM 2.5 SP1 adds a new setting called ‘Configure Automatically resetting TPM Lockouts’: This policy setting lets MBAM automatically reset TPM lockouts. During normal policy enactment cycles, MBAM checks the TPM to determine whether it is in a lockout mode. MBAM contacts the MBAM services to retrieve the TPM password hash that is associated with the client machine. MBAM attempts to reset the TPM lockout counter only if the BitLocker recovery key for the OS volume has been disclosed by the MBAM services. MBAM checks whether any TPM protectors, such as TPM or TPM and PIN, are enabled before resetting the TPM lockout counter.

If you enable this policy setting, MBAM will attempt to automatically reset the TPM lockout counter on client machines if the TPM is in a lockout mode.

If you disable or do not configure this policy setting, MBAM will not attempt to automatically reset the TPM lockout counter.

Note: This policy setting has no effect on computers with TPM version 2.0 and above.

The next policy group we look at is the Fixed Drive group:

Encryption Policy Enforcement Settings: Use this policy setting to configure the number of days that fixed data drives can remain noncompliant until they are forced to comply with MBAM policies. Users cannot postpone the required action or request an exemption from it after the grace period. The grace period starts when the fixed data drive is determined to be noncompliant. However, the fixed data drive policy is not enforced until the operating system drive is compliant.

Specifying a grace period of 0 will enforce the policy immediately after the operating system drive becomes compliant.


The next policy group we look at is the Operating System Drive group:

Operating system drive encryption settings: This policy setting lets you manage whether the operating system drive must be encrypted.

As I am running Windows 8 (and later) and do not have a TPM chip (the client is a VM), I will select the Allow BitLocker without a compatible TPM check box. In this mode, a password is required for startup. If you forget the password, you have to use one of the BitLocker recovery options to access the drive.

On a computer with a compatible TPM (production Environment), two types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require the entry of a personal identification number (PIN).


Configure use of passwords for operating system drives: By default the domain controller has ‘Password must meet complexity requirements’ enabled, so we can enable this setting to unlock BitLocker-protected operating system drives with ‘Allow password complexity’.

Password must meet complexity requirements :


The setting I chose is ‘do not enable password complexity’, as I am running a lab and want a simple password for testing. In production you may need to require password complexity.


Encryption Policy Enforcement Settings: Use this policy setting to configure the number of days that users can postpone complying with MBAM policies for their operating system drive. The grace period begins when the operating system is first detected as noncompliant. After this grace period expires, users cannot postpone the required action or request an exemption from it.

Specifying a grace period of 0 will enforce the policy immediately on the operating system drive.


Enforce drive encryption type on operating system drives (new in MBAM 2.5 SP1):This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on.


 

Configure pre-boot recovery message and URL: This is a new feature in MBAM 2.5 SP1. Enable this policy setting to configure a custom recovery message or to specify a URL that is then displayed on the pre-boot BitLocker recovery screen when the OS drive is locked. This setting is only available on client computers running Windows 10 (we will see it in the demo on a Windows 10 client).


Use custom recovery message: Use this link to recover the Key

Use custom recovery URL: http://mbam01.corp.eskonr.com/SelfService/Recovery/Index

This URL is selfservice URL from my MBAM01 server to recover the Key.

The remaining settings are up to you and depend on your organization’s requirements. Go through them and enable them if required.

Summary of the Group Policy settings we configured for MBAM 2.5 SP1 BitLocker encryption in our lab:

Client Management:

Configure MBAM Services

Fixed Drive:

Encryption Policy Enforcement Settings

Operating System Drive:

Operating system drive encryption settings

Configure use of passwords for operating system drives

Encryption Policy Enforcement Settings

Enforce drive encryption type on operating system drives

Configure pre-boot recovery message and URL.

Now let’s link this Group Policy to our Workstations OU.

Close the Group Policy editor window and go back to the Group Policy Management console.

Forest → domain → OU called eskonr → Workstations OU: right-click it and select Link an Existing GPO.


Select the newly created GPO ‘MBAM 2.5 SP1 Client Settings’ and click OK.


You will see the GPO linked to our Workstations OU.


With this, we have completed the Group Policy settings required to enable BitLocker drive encryption on our clients and linked them to the Workstations OU.
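The template copy and the GPO create-and-link steps in this part can be scripted so they are repeatable across lab rebuilds. The PowerShell below is an added example, not part of the original post: it copies the four MBAM template files to either the local PolicyDefinitions folder or the SYSVOL central store (the two locations listed above), verifies each file landed, then creates the GPO and links it to the OU using the GroupPolicy module (RSAT), skipping each step if it was already done. The extracted template folder and the OU distinguished name are assumptions; the GPO name and the Workstations OU are the post’s. Setting the individual MDOP MBAM policies is left to the editor walk-through above.

```powershell
# Added example: copy MBAM ADMX/ADML templates and create + link the MBAM GPO.
param(
    [string]$TemplateSource = 'C:\Temp\MDOP2015\MBAM 2.5 SP1',   # assumed: where the cab was extracted
    [string]$Culture        = 'en-US',
    [string]$GpoName        = 'MBAM 2.5 SP1 Client Settings',
    [string]$TargetOU       = 'OU=Workstations,OU=eskonr,DC=corp,DC=eskonr,DC=com',  # assumed DN
    [switch]$CentralStore                                         # copy to SYSVOL instead of local
)
Import-Module GroupPolicy -ErrorAction Stop

$admxFiles = 'BitLockerManagement.admx', 'BitLockerUserManagement.admx'
$admlFiles = 'BitLockerManagement.adml', 'BitLockerUserManagement.adml'

# Destination as described in the post: local device or domain central store.
$policyRoot = if ($CentralStore) {
    "$env:SystemRoot\SYSVOL\domain\Policies\PolicyDefinitions"
} else {
    "$env:SystemRoot\PolicyDefinitions"
}
$languageDir = Join-Path $policyRoot $Culture

function Copy-MbamTemplates {
    foreach ($dir in $policyRoot, $languageDir) {
        if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    }
    foreach ($f in $admxFiles) { Copy-Item (Join-Path $TemplateSource $f) $policyRoot -Force }
    foreach ($f in $admlFiles) { Copy-Item (Join-Path $TemplateSource "$Culture\$f") $languageDir -Force }

    # A missing .adml leaves the MDOP MBAM settings unnamed in the editor, so verify all four.
    $missing = @($admxFiles | Where-Object { -not (Test-Path (Join-Path $policyRoot $_)) }) +
               @($admlFiles | Where-Object { -not (Test-Path (Join-Path $languageDir $_)) })
    if ($missing) { throw "Template files not copied: $($missing -join ', ')" }
}

function New-MbamGpoLink {
    # Idempotent: reuse an existing GPO and skip the link if it is already present.
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'MBAM 2.5 SP1 BitLocker settings' }

    $linked = (Get-GPInheritance -Target $TargetOU).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
    if (-not $linked) { New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null }
    return $gpo.Id
}

Copy-MbamTemplates
$id = New-MbamGpoLink
Write-Output "GPO '$GpoName' ($id) is linked to $TargetOU; open it in GPMC and set the MDOP MBAM policies listed above."
```

Running with -CentralStore on the domain controller is the option to prefer when more than one administrator edits GPOs, since every GPMC then sees the same template set; without it, only the machine the script ran on can display the MBAM settings by name.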

In the next part (part 6), we will deploy the MBAM 2.5 SP1 agent using System Center Configuration Manager 2012 R2 SP1 with the application deployment method.

How to Install MBAM 2.5 SP1 and integrate with SCCM Configmgr 2012 R2 SP1 – Part 6


 

In part 5 we downloaded the MDOP 2015 templates, extracted them, copied the MBAM 2.5 SP1 .admx and .adml templates to our domain controller, created a GPO for the Workstations OU and deployed it. In this part 6 of the MBAM 2.5 SP1 multi-part guide, we will create a collection and an application for the MBAM 2.5 SP1 agent, deploy it to our clients and do the BitLocker encryption.

Earlier versions of MBAM shipped with an MSI that could be imported directly into SCCM or a GPO, whereas in MBAM 2.5 SP1 a separate MSI is no longer included with the product. However, you can extract the MSI from the executable (.exe) that is included.

If you look at the MBAM installer files in MDOP 2015, you will find only 2 .exe files, as shown below for x64; the same applies to x86 (clientsetup).


We will extract MbamClientSetup.exe to get the .msi and then import it into SCCM with the application deployment method.

The command line to extract the .MSI from the .exe is: MBAMClientSetup.exe /extract "D:\MBAMClient\MbamClientSetup" /acceptEula=Yes

MBAMClientSetup.exe: the file to extract from.

D:\MBAMClient\MbamClientSetup: the path where the MSI is extracted.

If you don’t want to use the MSI, you can still deploy the MBAM agent from the .exe with the command line: MBAMClientSetup.exe /acceptEula=Yes

Command line installation for MSI: msiexec /i "MSI file name" /qn REBOOT=ReallySuppress

we will now copy the MSI file to our Source folder in SCCM server.

image

Create a collection called MBAM_client_2.5SP1 and add a few test computers (Windows 8 and Windows 10) to it. In my lab, I used the following query-based rule to add all workstations with Client = Yes:

select *  from  SMS_R_System where SMS_R_System.OperatingSystemNameandVersion like "%Workstation%" and SMS_R_System.Client = "1"

Let's create an application using this MSI file and deploy it to our MBAM_client_2.5SP1 collection. Create the application as you do for other MSIs.

Edit the deployment type to change the name of the DT (for example MBAM Client 2.5 SP1 X64, or X86 if deploying the 32-bit agent), use the Requirements tab to limit it to workstations (Win8, Win10 etc.) and adjust other properties if needed.

Distribute the application content to a distribution point group / distribution point and deploy it to the collection.

Log in to a test PC (Windows 8.1 / Windows 10) and check whether the MBAM agent 2.5 SP1 has been deployed.

Demo: Windows 8.1

On physical machines, to do BitLocker encryption you must have the TPM chip enabled and activated. The TPM is a hardware component on the motherboard that performs specific cryptographic functions. For more information about TPM and BitLocker, read https://msdn.microsoft.com/en-us/library/windows/hardware/dn653315(v=vs.85).aspx

Note: while performing BitLocker drive encryption on Hyper-V VMs, I always get the error (shown later in this guide) "BitLocker Drive Encryption only supports Used Space Only encryption on thin provisioned storage." I assume this is a known issue, as VMs aren't supported as per this TechNet article, but it should work on physical machines without any issue. So in the lab we will enable BitLocker using the manual method instead of doing it via the MBAM agent, and the rest will be managed by MBAM. I will update this post when I find a solution.

So in the lab, instead of encrypting the drive using the MBAM agent, we use the manual method from Control Panel. This is the only step we are bypassing; the rest of the process is managed by MBAM.

If you are trying this on a physical machine, it should work for you without any issues (at least you will not see the above error).

Log in to the Windows 8.1 PC and check whether the MBAM agent has been deployed successfully. You can check this either from Software Center or from C:\Program Files\Microsoft\MDOP MBAM.

After the agent is installed, the next step is to check whether the GPO settings we created in part 5 (MBAM 2.5 SP1 Client Settings) have been applied correctly. How do we check this?

Open the registry on the Windows 8.1 client (type regedit from the Run command) and browse to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE

From the snippet below, you can see that the "Configure pre-boot recovery message and URL" settings configured via GPO have been applied; this is new in MBAM 2.5 SP1.

image

and from HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement

image

You can copy the URL from the registry key and check whether you can browse to it, to confirm that the client is able to talk to the MBAM server.

We can also check whether the client is able to download the MBAM policies from the MBAM server using Event Viewer.

Location to check BitLocker encryption and operational issues: Event Viewer - Applications and Services Logs - Microsoft - Windows - MBAM (Admin and Operational)

After these settings are applied correctly to our Windows 8.1 client, you will soon receive a prompt like the one below.

If you don't see the prompt, troubleshooting is required, but you can launch the MBAM wizard by running MBAMClientUI.exe from C:\Program Files\Microsoft\MDOP MBAM (this folder may vary depending on the OS architecture).

In the GPO settings, we set 0 for the grace period, so there is no option to postpone BitLocker drive encryption. With this setting the user cannot close this prompt and must do the encryption (in production this setting may vary).

image

Enter a password between 8 and 255 characters and click Create Password.

Here is my next screen for bitlocker status:

image

For some reason, it failed to encrypt the disk. What next? We don't have logs like we do for SCCM, but as discussed above we can check the reason for this failure using Event Viewer.

Go to Event Viewer - Applications and Services Logs - Microsoft - Windows - MBAM (Admin and Operational)

Check the Operational log to see whether the client is able to download the policies correctly.

image

From the screen above, the client is able to download the policies, so next look at the Admin log.

image
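The checks above (agent folder, the two FVE registry keys, the service URL, and the MBAM Admin log) can be scripted. The following is an added example, not code from the original post; it assumes the agent service is named MBAMAgent and that the MBAM service URLs are stored under MDOPBitLockerManagement in values whose names contain "EndPoint" (both assumptions), and it only reads state, it changes nothing.

```powershell
# Added example (not from the original post): read-only health check for an MBAM 2.5 SP1
# client. Assumptions: the agent service is named 'MBAMAgent', and the MBAM service URLs
# live under MDOPBitLockerManagement in values whose names contain 'EndPoint'.
# Run in an elevated PowerShell session on the client.
#Requires -RunAsAdministrator

function Test-MbamClientHealth {
    [CmdletBinding()]
    param(
        # Install folder as shown in the post; differs on x86 vs x64 hosts.
        [string]$InstallDir = "$env:ProgramFiles\Microsoft\MDOP MBAM"
    )

    $fveKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $mbamKey = "$fveKey\MDOPBitLockerManagement"

    # 1. Agent binaries and service (service name is an assumption).
    $uiPresent = Test-Path (Join-Path $InstallDir 'MBAMClientUI.exe')
    $svc       = Get-Service -Name 'MBAMAgent' -ErrorAction SilentlyContinue

    # 2. GPO-delivered settings: the post checks these two keys with regedit.
    $fveSettings  = if (Test-Path $fveKey)  { Get-ItemProperty -Path $fveKey }  else { $null }
    $mbamSettings = if (Test-Path $mbamKey) { Get-ItemProperty -Path $mbamKey } else { $null }

    # 3. Client-to-server reachability: test every registry value that looks like an
    #    MBAM service endpoint URL (the post suggests pasting the URL into a browser).
    $endpoints = @()
    if ($mbamSettings) {
        $mbamSettings.PSObject.Properties |
            Where-Object { $_.Name -like '*EndPoint*' -and "$($_.Value)" -match '^https?://' } |
            ForEach-Object {
                $uri = [Uri]($_.Value)   # [Uri].Port already yields 80/443 for default ports
                $ok  = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -InformationLevel Quiet -WarningAction SilentlyContinue
                $endpoints += [pscustomobject]@{ Name = $_.Name; Url = $_.Value; Reachable = $ok }
            }
    }

    # 4. Recent errors (Level 2) from the MBAM Admin log used for troubleshooting in the post.
    #    Get-WinEvent throws when nothing matches, hence SilentlyContinue.
    $adminErrors = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-MBAM/Admin'; Level = 2 } -MaxEvents 5 -ErrorAction SilentlyContinue |
                   Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }

    # 5. Encryption state per volume, for correlation with the MBAM compliance report.
    $volumes = Get-BitLockerVolume -ErrorAction SilentlyContinue |
               Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
                             @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType -join ',') } }

    [pscustomobject]@{
        AgentInstalled    = $uiPresent
        AgentService      = if ($svc) { $svc.Status } else { 'NotFound' }
        PolicyKeyPresent  = [bool]$fveSettings
        MbamPolicyPresent = [bool]$mbamSettings
        Endpoints         = $endpoints
        RecentAdminErrors = @($adminErrors)
        Volumes           = @($volumes)
    }
}

# Usage: summary first, then the nested lists.
$health = Test-MbamClientHealth
$health | Format-List AgentInstalled, AgentService, PolicyKeyPresent, MbamPolicyPresent
$health.Endpoints         | Format-Table -AutoSize
$health.RecentAdminErrors | Format-Table -AutoSize
$health.Volumes           | Format-Table -AutoSize
```

An empty Endpoints list with MbamPolicyPresent = True means the GPO reached the client but the service URL values were not found under the assumed names, so inspect the key by hand.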

So as discussed earlier in the note, let's enable BitLocker manually. For this, open Control Panel\All Control Panel Items\BitLocker Drive Encryption

image

Turn on Bitlocker

image

It verifies the prerequisites and prompts you to enter a password:

image

Enter a password between 8 and 255 characters

image

For now, we will save the recovery key file to a remote PC (this file contains the BitLocker recovery key, which lets you unlock your computer in case you forget the above password).

image

Accept the default option and click Continue

image

Restart now

image

After the restart, it asks for the password to continue. If you press ESC, the BitLocker encryption process is cancelled and you must do the procedure again.

image

After you log in to the PC, a small window appears on the taskbar showing that encryption is in progress.

image

After a while, encryption completes and you should see the BitLocker information for this client in your MBAM server reports.

image

With this, we have completed BitLocker encryption on the client side using the manual method instead of doing it via the MBAM agent.

How to use the MBAM 2.5 SP1 self-service portal to retrieve the BitLocker recovery key?

Next, we will look at the MBAM compliance reports using SCCM and also try to recover the BitLocker recovery key in case the user forgets the password to unlock the computer during the boot process.

Restart the client PC (8.1 VM); it prompts you to enter the password.

image

In case you forget the password and want to retrieve the BitLocker recovery key, press ESC; it takes you to the screen below to enter the recovery key for this drive.

Note: this recovery key changes every time you press ESC. Each time you press ESC, a new recovery key is created in the MBAM Recovery and Hardware database.

To retrieve the BitLocker recovery key, we need the first 8 characters of the Recovery Key ID (364ACBC6) shown in the screen below, and then retrieve the recovery key using the self-service portal as discussed in part 4.

image

So launch the self-service portal from any computer, as a user with sufficient permissions to use the self-service portal, using the URL: http://mbam01.corp.eskonr.com/SelfService

As shown below, enter the first 8 characters of the recovery key ID and select the reason you are requesting it (all these requests are stored in the database for auditing purposes, in case you want to check how many times this has been performed).

image

238689-104929-336666-292017-263890-562496-482768-388982

Again, this recovery key is for one-time use and is not used again. Every time you request a recovery key, a new one is created.

You can also run a SQL query to get the recovery key instead of going via the portal. This recovery key information is stored in the MBAM Recovery and Hardware database, table RecoveryAndHardwareCore.Keys.

Enter the recovery key obtained above and press Enter.

image

It should allow you to log in.

image

With this, we have completed the demo of how to get the BitLocker recovery key using the self-service portal.

Next, we will see the compliance results using SCCM Configmgr reports.

Before that, you must confirm that the hardware inventory and Configuration.mof changes were processed successfully on the server, and that inventory for TPM, BitLocker, MBAMPolicy etc. has been enabled as discussed in part 3 here.

Once you have confirmed this, run the hardware inventory cycle on the client (if you can't wait for the default schedule to run) and monitor InventoryAgent.log on the client PC.

From the log, we are mainly interested in the changes, i.e. MBAM policy and BitLocker, as the MBAM reports mainly depend on these tables/views.

image

Wait a few minutes for the site server to process this information and update the database.

Run the Configuration Manager reports URL http://cm01/Reports/ (my SCCM report server is CM01).

image

I am interested in the BitLocker Enterprise Compliance Summary report.

By default, the report selects MBAM supported computers, but you can select a collection from the drop-down list.

image

We have one computer that is 100% compliant, but this report is missing a linked report to show which computer that is.

If you get the error "Error: the 'MBAM Policy' view does not exist" while running the reports, make sure at least one client has reported inventory for MBAMPolicy; otherwise the report has nothing to present.

With this, we have covered how to extract the MBAM 2.5 SP1 client agent MSI from the EXE, created an application using the MSI in SCCM 2012 R2 SP1, deployed it to a collection, enabled BitLocker manually due to the VM support issue, retrieved the BitLocker key using the self-service portal and finally run the compliance reports using SCCM.

In the next part (part 7), we will see the new features added to support Windows 10, such as the customizable pre-boot recovery message and URL.

SCCM Configmgr 2012 Create device collection using the User Department attribute


Recently, I got a request from a business unit manager about the reboot of computers due to patch management (applicable to applications as well). The custom client device setting 'Display temporary notification to the user' (shown below) is set to 480 minutes across the enterprise workstations, but a specific department (e.g. Engineering) is not happy with this setting due to the nature of their business. So we agreed to have custom reboot settings.

image

Creating custom device settings and applying them to a collection is not difficult; the challenge here is creating a device collection based on the user's department.

Once we have this collection, we can create device client settings and make sure they have a higher priority than the other client device settings applied to all workstations (a lower priority number means higher priority, and the higher-priority setting wins on the client). You can also use Resultant Client Settings from the SCCM device collection to check the client device settings for a particular client.

How to create a device collection using the Department attribute:

Before creating the collection, make sure you have the department attribute added to the Active Directory User Discovery properties.

image

Device Collection:

Create a new collection, select the limiting collection, edit the query and paste the following query (change the department name). When you click OK you may get errors, but just ignore them; the collection works fine.

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System JOIN SMS_UserMachineRelationship ON SMS_R_System.Name=SMS_UserMachineRelationship.ResourceName
JOIN SMS_R_User ON SMS_UserMachineRelationship.UniqueUserName = SMS_R_User.UniqueUserName
WHERE   SMS_UserMachineRelationship.Types=1 AND SMS_R_User.department0 like "Engineering"


How to Install MBAM 2.5 SP1 and integrate with SCCM Configmgr 2012 R2 SP1 – Part 7

In part 6 here, we created the MBAM collection and the application for the MBAM 2.5 SP1 agent, deployed it to our clients and did BitLocker drive encryption for a Windows 8.1 client. We also retrieved the BitLocker recovery key using the self-service portal and reviewed the BitLocker compliance reports.

In this part 7 of the MBAM 2.5 SP1 multi-part guide, we will do BitLocker drive encryption for Windows 10 and also see the new features (Configure pre-boot recovery message and URL) included for Windows 10. To know more about what's new in MBAM 2.5 SP1, refer to the TechNet document here.

I created a Windows 10 RTM 10240 virtual machine, installed the SCCM 2012 R2 SP1 client and waited a few minutes for the MBAM 2.5 SP1 agent to deploy automatically (the MBAM collection was created to get all workstations and the MBAM agent was deployed to this collection; for more info, refer to part 6).

Log in to the Windows 10 client and verify whether the MBAM agent is installed, either from C:\Program Files\Microsoft\MDOP MBAM, from Software Center, or from the SCCM 2012 monitoring console/reports.

image

image

Let's check whether the GPO policies have been applied. For this, open the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE.

From the snippet below, you can see that the "Configure pre-boot recovery message and URL" settings configured via GPO have been applied; this is new in MBAM 2.5 SP1.

image

 

image

You can either wait for the GPO to start the MBAM agent or manually trigger MBAMClientUI.exe from C:\Program Files\Microsoft\MDOP MBAM

image

As discussed in my previous post here, you cannot BitLocker the drive using the MBAM agent on virtual machines. To check, go to Event Viewer, Microsoft-Windows-MBAM/Admin, and check the error code.

An error occurred while applying MBAM policies.
Volume ID:\\?\Volume{3968637d-842e-45c4-abb5-5f3a6421ec72}\

Error code:
-2144272219

Details:
BitLocker Drive Encryption only supports Used Space Only encryption on thin provisioned storage.

image

But on physical machines it should work (at least you will not see this error). So I go and enable BitLocker manually: go to Control Panel, open BitLocker Drive Encryption and click Turn on BitLocker.

PowerShell commands to enable BitLocker: https://technet.microsoft.com/en-us/library/jj649837(v=wps.630).aspx

image    image       image      image

Restart the Computer

image

Enter the BitLocker password that you set earlier, then log in to the client using your domain password.

image

After you log in, wait a while until the drive encryption is done.

image

After the completion of encryption, reboot the client. This time, we don't enter the password to log in; instead, we use the recovery key and see the

image

As you can see from the snippet below, the pre-boot recovery message and URL customized in our Group Policy help the user recover the BitLocker key from another client by entering the first 8-digit number into the self-service portal.

image

With this, we have completed BitLocker drive encryption for Windows 10 using MBAM 2.5 SP1.

In the next post (part 8), we will see the troubleshooting steps: how and where to start for any BitLocker encryption issues related to MBAM.

SCCM Configmgr 2012 SSRS Report client policy request or Days Since Last Communication older for specific collection


As an SCCM Configmgr administrator, your primary concern is maintaining the health of your SCCM clients for application deployment, software updates, inventory etc. Questions often come up in forums and email lists asking for a list of computers that have not contacted the server for X days (25), or how to find clients whose policy request is old or whose days since last communication is more than X days.

From the Configmgr console, we can see client activity like policy request, heartbeat DDR, hardware scan, management point etc., as shown in the picture below.

image

How do I present this information in an SSRS report for further troubleshooting? Creating a report, exporting the results and working on / troubleshooting the clients whose communication is older than X days would be easier.

The client activity information is stored in the view vWorkstationStatus in the SQL database, so I use this view joined with the collection views to get the desired results.

I had a SQL query to retrieve this information, but not an SSRS report. I usually run the SQL query in SQL Server Management Studio, but I thought of creating an SSRS report to get this information against a specific collection.

Below is the SQL query, if you want to create a PowerShell grid view (this query is filtered to get clients whose LastPolicyRequest is more than 25 days old, within a collection).

SELECT ws.Name, ws.UserName,ws.LastMPServerName,
CONVERT ( varchar (26) , ws.CreationDate , 100) CreationDate,
CONVERT ( varchar (26) , ws.LastDDR , 100) LastDDR,
CONVERT ( varchar (26) , ws.LastPolicyRequest,100) LastPolicyRequest,
CONVERT ( varchar (26) , ws.LastHardwareScan,100) LastHardwareScan,
ws.SystemRole,
DATEDIFF ( DAY , ws.LastPolicyRequest , getdate() ) 'Days Since Last Communication'
FROM  vWorkstationStatus ws
JOIN dbo.v_FullCollectionMembership vfcm ON vfcm.ResourceID = ws.ResourceID
JOIN dbo.v_Collection vc ON vc.CollectionID = vfcm.CollectionID
WHERE vc.Name='Your collection Name'  -- plain single quotes; a curly quote here is a syntax error
GROUP BY ws.Name, ws.UserName,ws.CreationDate,ws.LastMPServerName,ws.LastDDR,
ws.LastPolicyRequest,ws.LastHardwareScan,ws.SystemRole
HAVING (datediff(dd,max(ws.LastPolicyRequest),getdate()-25) >0)  -- LastPolicyRequest older than 25 days
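The post mentions a PowerShell grid view as an alternative to the SSRS report. The following is an added example, not code from the original post: the same query, rewritten with a plain WHERE filter instead of GROUP BY/HAVING, run through System.Data.SqlClient so that the collection name and day count are bound as SQL parameters rather than spliced into the query text. Server and database names are placeholders.

```powershell
# Added example (not from the original post): stale-client query run from PowerShell with
# parameter binding. Assumptions: Windows authentication to the site database and read
# access to the views used; 'CM01' and 'CM_ABC' below are placeholders.

function Get-CmStaleClient {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$ServerInstance,   # placeholder, e.g. 'CM01'
        [Parameter(Mandatory)] [string]$Database,         # placeholder, e.g. 'CM_ABC'
        [Parameter(Mandatory)] [string]$CollectionName,
        [ValidateRange(1, 3650)] [int]$Days = 25
    )

    # Same views and columns as the post's query; @CollName / @Days are SQL parameters,
    # so a collection name containing quotes cannot alter the statement.
    $query = @'
SELECT ws.Name, ws.UserName, ws.LastMPServerName,
       CONVERT(varchar(26), ws.CreationDate, 100)      AS CreationDate,
       CONVERT(varchar(26), ws.LastDDR, 100)           AS LastDDR,
       CONVERT(varchar(26), ws.LastPolicyRequest, 100) AS LastPolicyRequest,
       CONVERT(varchar(26), ws.LastHardwareScan, 100)  AS LastHardwareScan,
       ws.SystemRole,
       DATEDIFF(DAY, ws.LastPolicyRequest, GETDATE())  AS [Days Since Last Communication]
FROM   vWorkstationStatus ws
JOIN   dbo.v_FullCollectionMembership vfcm ON vfcm.ResourceID = ws.ResourceID
JOIN   dbo.v_Collection vc ON vc.CollectionID = vfcm.CollectionID
WHERE  vc.Name = @CollName
  AND  DATEDIFF(DAY, ws.LastPolicyRequest, GETDATE()) > @Days
ORDER  BY ws.LastPolicyRequest
'@

    $conn = New-Object System.Data.SqlClient.SqlConnection ("Server=$ServerInstance;Database=$Database;Integrated Security=True")
    $cmd  = $conn.CreateCommand()
    $cmd.CommandText = $query
    [void]$cmd.Parameters.AddWithValue('@CollName', $CollectionName)
    [void]$cmd.Parameters.AddWithValue('@Days', $Days)

    $table = New-Object System.Data.DataTable
    try {
        $conn.Open()
        $adapter = New-Object System.Data.SqlClient.SqlDataAdapter $cmd
        [void]$adapter.Fill($table)
    } finally {
        $conn.Dispose()
    }

    # Emit plain objects (one per row) so the result pipes cleanly to Out-GridView / Export-Csv.
    $table.Rows | Select-Object -Property $table.Columns.ColumnName
}

# Usage: grid view as the post suggests, plus a CSV for the follow-up ticket.
$stale = Get-CmStaleClient -ServerInstance 'CM01' -Database 'CM_ABC' -CollectionName 'All Workstations' -Days 25
$stale | Out-GridView -Title 'Clients with no policy request in 25+ days'
$stale | Export-Csv -Path "$env:TEMP\stale-clients.csv" -NoTypeInformation
```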

In the SSRS report, I made two parameters as prompts: 1) Collection Name and 2) Number of days.

Below is how the SSRS report looks:

image

Download the RDL file from TechNet here, upload the report to your SSRS reports folder, change the data source and run the report.

Questions appeared on https://social.technet.microsoft.com/Forums/en-US/b9940352-7382-462d-8ef9-8c7a1483a29f/sccm-client-last-communication-report?forum=configmanagerdeployment

https://social.technet.microsoft.com/Forums/office/en-US/5b21299a-d91a-43bd-bae7-dc02c09a8694/how-to-create-a-collection-based-on-days-since-last-communications?forum=configmanagerapps

https://www.reddit.com/r/SCCM/comments/3l67e8/help_with_custom_report/

SCCM Configmgr SQL Query How to get list of patches required by specific Computer


There are instances where you might be looking for the list of patches required by a specific computer or computers (for example, to get the list of required patches for a server so you can download and install them in a DMZ that has no internet access, or to check patch compliance for a specific computer), and generally we look at the default reports to see whether any of them give the required information.

If you look at the default reports, there is no report that gives you exactly the list of patches required by a specific computer with targeted, required, release date and other information.

You can use the SQL query below from SQL Server Management Studio, or use it in your SSRS reports with a parameter for the computer name.

This query has been customized to present the month posted, the title of the patch, whether it is targeted to the client, whether it is required, the KB URL, the date posted and the deadline if there is one.

Note: this query is filtered by severity (Security and Critical) from the view v_UpdateInfo.

SQL Code:

select CAST(DATEPART(yyyy,ui.DatePosted) AS varchar(255)) + '-' + RIGHT('0' + CAST(DATEPART(mm, ui.DatePosted) AS VARCHAR(255)), 2) AS MonthPosted,
    ui.bulletinid [BulletinID], ui.articleid [ArticleID], ui.Title,
    Targeted=(case when ctm.ResourceID is not null then '*' else '' end),
    IsRequired=(case when css.Status=2 then '*' else '' end),
    ui.InfoURL as InformationURL,
    ui.dateposted [Date Posted],
    Deadline=cdl.Deadline
from V_UpdateComplianceStatus css
join v_UpdateInfo ui on ui.CI_ID=css.CI_ID
left join v_CITargetedMachines ctm on ctm.CI_ID=css.CI_ID and ctm.ResourceID = css.ResourceID
inner join v_CICategories_All catall2 on catall2.CI_ID=css.CI_ID
inner join v_CategoryInfo catinfo2 on catall2.CategoryInstance_UniqueID = catinfo2.CategoryInstance_UniqueID
    and catinfo2.CategoryTypeName='UpdateClassification'
join dbo.v_R_System AS vrs ON vrs.ResourceID = css.ResourceID
outer apply (
    select Deadline=min(a.EnforcementDeadline)
    from v_CIAssignment a
    join v_CIAssignmentToCI atc on atc.AssignmentID=a.AssignmentID and atc.CI_ID=css.CI_ID
) cdl
where vrs.Name0='Win7X64-001'
    and ui.Severity IN (8, 10)  -- security and critical updates
    and css.Status=2            -- required
order by 1

I posted the same query on TechNet forums ,more info https://social.technet.microsoft.com/Forums/en-US/8fe96532-d9ef-48f2-a356-6e1195d9273e/report-of-what-updates-are-needed-by-server?forum=configmanagergeneral#7185a84e-afab-47d2-82bd-7418e02dd75f

SCCM Configmgr SSRS SQL Expression Examples Frequently Used


While creating SSRS reports for Configuration Manager, I use a lot of expressions throughout the report definition. These expressions (formula fields) are used frequently in reports to control content and report appearance. Expressions are written in Microsoft Visual Basic and can use built-in functions, custom code, report and group variables, and user-defined variables. An expression begins with an equal sign (=).

These expressions can be used in reports to calculate values for parameters, queries, filters, report item properties, group and sort definitions, text box properties, bookmarks, document maps, dynamic page header and footer content etc.

Expressions can also improve report performance by replacing complicated selections, but an expression cannot combine data from more than one dataset in a report.

In this blog post, I would like to show you some of the expression (syntax) examples which I use in most of my Configmgr reports.

You can use these simple expressions directly on the design surface, in a dialog box, or in the Properties pane, or you can edit them in the Expression dialog box, just as you would with any expression.

Print Date—>How do you print the report execution date

="Printed on " & Globals!ExecutionTime

Total Report Runtime (Sec)—>Calculate the total execution time of report
="Total Run time (in Sec): "& System.DateTime.Now.Subtract(Globals!ExecutionTime).Seconds

Report Executed by—Print the UserID who executed the report
="Report Run by: "& User!UserID

Alternating row colors (BackgroundColor property on the text box)—>Change the background color of alternate rows instead of having a single color across all rows
=IIF(Rownumber(nothing) mod 2, "Transparent", "Silver")

How to show parameters (prompts) in report—> You wanted to bring the parameter value into the report for Ex: collection Name to be printed on the report
=Parameters!CollID.Label

To show the values in UPPERCASE—> To print all the values in UpperCase
=UCASE(Fields!FieldName.Value)

Convert text to Proper case—> To print the first letter of the word to be in UpperCase
=StrConv(Fields!FieldName.Value, VbStrConv.ProperCase)

If you want to replace NULL with another value—>replace NULL with a default value
=IIF(Fields!FieldName.Value = Nothing, "No Value", Fields!FieldName.Value)

How to set colors in Pie Chart instead of Random Colors based on the output (Example taken is patch compliance , Color property on Text Box  ):
=SWITCH(Fields!Patch_Status.Value = "Compliant", "Green",Fields!Patch_Status.Value= "Non-compliant", "Yellow",Fields!Patch_Status.Value = "Compliance state unknown", "Red")

you can also use IIF condition (Values greater than or equal to 10 display with a green background, between 1 and 9 display with a Yellow background, and less than 1 display with a red background.):
=IIF(Fields!status.Value >= 10, "Green", IIF(Fields!status.Value >= 1, "Yellow", "Red"))

Combining more than one field using concatenation (& vbCrLf &):
=Fields!CollectionID.Value & vbCrLf & Fields!CollectionName.Value

The Right, Len, and InStr functions are useful for returning a substring, for example, trimming DOMAIN\username to just the user name. The following expression returns the part of the string to the right of a backslash (\) character from a parameter named User:
=Right(Parameters!User.Value, Len(Parameters!User.Value) - InStr(Parameters!User.Value, "\"))

How to display text prior to the selected values (Ex:Collection ID or Name):
="Collection Name: "& Parameters!CollID.Label

How to use If condition to return the value if that matches (example to check if client is installed or not return True or False):
=IIF(Fields!Client.Value =1, True, False)

If the date value is more than week ,display red color ,else Green (This is needed when checking the hardware inventory date of client):
=IIF(DateDiff("d",Fields!LastHWScan.Value, Now())>7,"Red","Green")

How to display the page number and total pages in the report footer (built-in collections are referenced with ! rather than .):
=Globals!PageNumber & " of " & Globals!TotalPages

How to display the name of the report in the footer or body on each page:
=Globals!ReportName & ", dated " & Format(Globals!ExecutionTime, "d")

Page breaks—>place a page break at the end of a specified number of rows instead of, or in addition to, on groups or report items.:

=Ceiling(RowNumber(Nothing)/25)

Recommended Reading

 https://msdn.microsoft.com/en-us/library/ms345237.aspx

https://msdn.microsoft.com/en-us/library/ms157328.aspx?f=255&MSPPError=-2147217396

Download and Install SCCM Configmgr Vnext Technical Preview 4


Microsoft released Technical Preview 4 (TP4) for Configmgr vNext (System Center Configuration Manager and Endpoint Protection). The previous technical preview was Technical Preview 3, with version 1510 (YYMM). Microsoft hasn't yet updated the TechNet documentation with the capabilities available in this release (TP4), but it will soon be updated here: https://technet.microsoft.com/library/dn965439.aspx.

This technical preview must be installed as a new installation on a server with all prerequisites met. Upgrading to SCCM Configmgr vNext TP4 from the previous SCCM Configmgr vNext TP3 is not supported. Upgrading from TP4 to a later version of SCCM Configmgr vNext is also not supported. With Technical Preview 4, up to 10 clients can be managed. Only a standalone primary site is supported; secondary sites are not supported.

image

The Technical Preview is intended for use only in a lab environment: it is a limited build which expires after 60 days and cannot be used in a production environment.

The Build version with TP4 released is: 5.0.8325.1000

Client Version: 5.0.8325.1000

image

Hoping to see some exciting features that were raised through the Configuration Manager UserVoice site.

Download SCCM Configmgr Vnext Technical Preview 4 From https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection-technical-preview?i=1

A direct link to download Technical Preview 4 is available here

I will update the installation document and features soon in the next post.

SCCM Configmgr SQL Query to check software update is superseded by what software updates


There was a question raised by someone on the myITforum list, asking 'is there a way to get the superseded patch list for all Windows 7'. When I read the question, I thought we could get this using the default reports, but when I checked the default reports there is no report that matches this requirement.

So I sat for some time in the lab, started writing a SQL query and found something. So I thought of writing this blog post to help others with similar needs.

If you want to know which software updates supersede a particular patch (e.g. Cumulative Update for Windows 10 Version 1511 (KB3124200)) in SCCM/Configmgr, you can simply browse to the Software Library / Software Updates node, search for this title, right-click the software update, open Properties and go to Supersedence Information. You can see which software update supersedes this update (To replace), and also whether this software update supersedes any other update.

image

This method is easy if you want to check a specific software update, but what if you want a list of software updates along with the updates that supersede them?

In Configmgr, software update information is scattered across multiple tables/views, and depending on your requirement you must choose the right table to query the information.

When writing SQL queries / SSRS reports, always have these two as reference: 1) Configmgr SQL views and 2) SSRS expressions.

For our requirement, we will retrieve the software update information from v_UpdateInfo and the supersedence information from v_CIRelation_all.

Based on the above two SQL views, I retrieve the software updates that are superseded together with the updates that supersede them.

SQL Code:

select UI1.Title,UI1.IsSuperseded,ui1.BulletinID,UI1.InfoURL,
UI2.Title [S Title],ui2.IsSuperseded,UI2.BulletinID [S BulletinID],UI2.InfoURL [S InfoURL]
from v_CIRelation_all CA
left join v_UpdateInfo UI1 on CA.ReferencedCI_ID=UI1.CI_ID
left join v_UpdateInfo UI2 on ca.CI_ID=ui2.CI_ID
where RelationType=6
and UI1.title like '%Windows 10%'

If you want to list only Windows 7 updates, replace 10 with 7. If you want to list all software updates irrespective of OS, simply comment out the last line using --.

You can use this SQL code in SSRS reports with your own customizations.

SCCM Configmgr WQL Query to get Clients from Multiple collections Coll Name Starts with ABC ?


One of my blog readers posted a comment asking 'How to create a collection to pull in clients from multiple collections whose names start with ABC%'? ABC is what the collection names start with.

If you want to create a collection to see all clients from different collections whose names start with ABC, how do you get this done?

For this requirement, you cannot use Include Collections, as that is not dynamic. If you choose to go with Include Collections (which is static), you will not get the clients from collections that are created in the future.

To get this done, we will use a sub-select query with the IN condition.

Create a new collection, limit the collection to All Systems, add a query rule, edit the query statement and paste the following WQL into it.

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,
SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ResourceId in (
SELECT ResourceID from SMS_COLLECTION CO inner join SMS_FullCollectionMembership FCM
on FCM.COLLECTIONID=CO.COLLECTIONID and CO.Name like 'ABC%')

Where ABC is the prefix the collection names start with, e.g. SU, Microsoft or Adobe.

image
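Both this query-rule collection and the department-based collection from the earlier post can be created without the console wizard. The following is an added example, not code from either post; it uses the ConfigurationManager PowerShell module that ships with the console, assumes the site code is ABC and that SMS_ADMIN_UI_PATH is set by the console install (both assumptions), and reproduces the two WQL statements from the posts as written.

```powershell
# Added example (not from the original posts): create query-based device collections with the
# ConfigurationManager module. Assumptions: site code 'ABC' (placeholder) and the console's
# SMS_ADMIN_UI_PATH environment variable; WQL statements are the ones from the two posts.

# Load the module that ships with the console and switch to the site drive.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Set-Location 'ABC:'

function New-CmQueryCollection {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$Name,
        [Parameter(Mandatory)] [string]$Wql,
        [string]$LimitingCollectionName = 'All Systems',
        [string]$RuleName = "$Name rule"
    )
    # Idempotent: reuse the collection if it already exists, otherwise create it with a
    # periodic refresh so clients from collections created later are picked up.
    $coll = Get-CMDeviceCollection -Name $Name
    if (-not $coll) {
        $coll = New-CMDeviceCollection -Name $Name -LimitingCollectionName $LimitingCollectionName -RefreshType Periodic
    }
    if ($PSCmdlet.ShouldProcess($Name, "add query rule '$RuleName'")) {
        # The provider validates the WQL here; a rejected rule surfaces as a terminating error.
        Add-CMDeviceCollectionQueryMembershipRule -CollectionName $Name -RuleName $RuleName -QueryExpression $Wql
    }
    Get-CMDeviceCollection -Name $Name
}

# 1. Clients of every collection whose name starts with 'ABC' (sub-select with IN, as in this post).
$byCollectionPrefix = @'
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,
SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ResourceId in (
SELECT ResourceID from SMS_COLLECTION CO inner join SMS_FullCollectionMembership FCM
on FCM.COLLECTIONID=CO.COLLECTIONID and CO.Name like 'ABC%')
'@

# 2. Devices whose primary user (Types=1) is in the Engineering department (from the
#    'User Department' post, reproduced as written there).
$byUserDepartment = @'
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System JOIN SMS_UserMachineRelationship ON SMS_R_System.Name=SMS_UserMachineRelationship.ResourceName
JOIN SMS_R_User ON SMS_UserMachineRelationship.UniqueUserName = SMS_R_User.UniqueUserName
WHERE   SMS_UserMachineRelationship.Types=1 AND SMS_R_User.department0 like "Engineering"
'@

New-CmQueryCollection -Name 'Members of ABC collections' -Wql $byCollectionPrefix |
    Select-Object Name, CollectionID, MemberCount
New-CmQueryCollection -Name 'Engineering workstations' -Wql $byUserDepartment |
    Select-Object Name, CollectionID, MemberCount
```

MemberCount is 0 until the first evaluation runs; use Invoke-CMCollectionUpdate on the new collection if you do not want to wait for the periodic schedule.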


SCCM Configmgr Upgrade Assessment Tool Available


Microsoft released the SCCM Configmgr Upgrade Assessment Tool, which provides administrative users with information they can use to determine whether the computers managed by System Center Configuration Manager can run Windows 7, Windows 8 or Windows 10.

image

The Upgrade Assessment Tool provides the following functionality:

    • Retrieves device driver compatibility information for installed peripheral devices and creates reports that you can use to determine which device drivers need to be upgraded to support the Windows operating system.
    • Allows you to see which computers meet the recommended system requirements for Windows operating systems and to customize these requirements for your environments.
    • Creates summary reports that you can use to see an enterprise wide view of operating system upgrade readiness.
    • Allows you to create dynamic collections for an operating system deployment. The collection query rules can be based on system requirements, application compatibility status, and device driver status.

Before you install this tool, you must have the following in place.

  • The site server must be running one of the following Configmgr versions:

Configmgr 2012 SP2 with CU 3
Configmgr 2012 R2 SP1 with CU3
Configmgr (current branch) Version 1602 or Higher

  • Configuration Manager clients can run one of the following:

Configmgr 2012 SP1 or higher
Configmgr 2012 R2 or higher
Configmgr (current branch) version 1511 or higher

  • You must have a reporting services point to view the compatibility information from clients.
  • You must have one or more distribution points to deploy the ACT inventory collection package to clients.
  • Clients must run hardware inventory.
  • Application Compatibility Toolkit (ACT) 6.1
  • Microsoft .NET Framework 4.5.2.

More information and the download are available at https://www.microsoft.com/en-us/download/details.aspx?id=37145

SCCM Configmgr: identify the count of direct membership rules and collection schedule refresh types


Collections in Configmgr play a crucial role. If you want to do anything against clients in Configmgr (software deployment, OSD, client agent settings, software updates, compliance etc.), you need a collection.

As a Configmgr administrator, it is always important to keep an eye on collection performance: whether collections are scheduled sensibly, and maintenance such as identifying collections that take a long time to update (Collection Evaluation Viewer tool from the Configmgr 2012 toolkit) or collections that update more frequently than needed.

This blog post will help you identify collections by their count of direct membership rules and type of schedule, along with other useful collection queries that can be presented in a nice SSRS report.

The SQL code below lists collections with the count of direct membership rules and the type of collection schedule configured.

Usually, collections with only direct membership rules do not need any schedule at all: the membership is created once and does not require any update.

So you can simply run this SQL code to find collections with a large count of direct membership rules that also have a schedule configured, and get rid of the schedule.

Direct membership rule information is stored in the v_CollectionRuleDirect view. For more information about SQL views in Configmgr, refer to this Excel spreadsheet.

The schedule can be any of the following:

Scheduled
Incremental
Scheduled and Incremental

SQL Code:

select coll.CollectionName,crd.CollectionID,COUNT(crd.RuleName) [Direct rules],
Case when coll.RefreshType = 1 then 'Manual'
when coll.RefreshType = 2 then 'Scheduled'
when coll.RefreshType = 4 then 'Incremental'
when coll.RefreshType = 6 then 'Scheduled and Incremental'
else 'Unknown' end as RefreshType
from v_CollectionRuleDirect  CRD
inner join v_Collections Coll on CRD.collectionID=coll.SiteID
Group by crd.CollectionID,coll.RefreshType,coll.CollectionName
order by crd.CollectionID

SQL Code for All Collections with its Refresh Type:

Select (Case when RefreshType = 1 then 'Manual'
when RefreshType = 2 then 'Scheduled'
when RefreshType = 4 then 'Incremental'
when RefreshType = 6 then 'Scheduled and Incremental'
else 'Unknown' end) as RefreshType, count(SiteID) as Collections
from v_Collections
group by RefreshType

Configmgr: how to create collections for Java based on its architecture (32-bit and 64-bit)


If you are upgrading Java using SCCM Configmgr, you have to be cautious to apply the correct version of Java to each existing client (desktop or server) so that the dependent applications keep working. For this, you need to identify the clients that have Java installed (32-bit or 64-bit) and deploy the Java application to the respective collection.

Inventory from the client's Add and Remove Programs is stored in two WMI classes, SMS_G_System_ADD_REMOVE_PROGRAMS and SMS_G_System_ADD_REMOVE_PROGRAMS_64. You will have to query one of these depending on your needs.

If you are using SCUP or third-party patching, you can simply create a software update group and deploy it to a collection (without any Java filter); the client goes through the software update scan and installs the required updates.

In this blog post I have posted two collection queries that list all SCCM-managed clients in your infrastructure with a Java version lower than Java 8 Update 92 (the latest version at the time of writing), using sub-selected queries. The sub-select gets the list of all clients with any Java version and excludes the clients that already have Java 8 Update 92.

Create a new collection, set the limiting collection, select query-based membership, click Edit and paste the following queries for the 32-bit and 64-bit Java versions.


SCCM Collection for Java < JRE 1.8 Update 92_X86:

Both collection queries exclude Windows Server 2003 (if you still have any), to be on the safe side given the end of life of Server 2003.

If you want to target a different version, change the version string in the sub-select ("Java 8 Update 92") in the query below.

select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client
from SMS_R_System
inner join SMS_G_System_OPERATING_SYSTEM on SMS_G_System_OPERATING_SYSTEM.ResourceID = SMS_R_System.ResourceId
inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName like "Java%"
and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName not like "Java %SE Development%"
and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName not like "Java(TM) %SE Development%"
and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName not like "Java %SDK%"
and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName not like "Java%Updater%"
and SMS_G_System_OPERATING_SYSTEM.Caption not like "%2003%"
and SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID not in (
    select resourceID from SMS_R_System
    inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceId = SMS_R_System.ResourceId
    where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "Java 8 Update 92")


SCCM Collection for Java < JRE 1.8 Update 92_X64:

select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client
from SMS_R_System
inner join SMS_G_System_ADD_REMOVE_PROGRAMS_64 on SMS_G_System_ADD_REMOVE_PROGRAMS_64.ResourceID = SMS_R_System.ResourceId
inner join SMS_G_System_OPERATING_SYSTEM on SMS_G_System_OPERATING_SYSTEM.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName like "Java%"
and SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName not like "Java %SE Development%"
and SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName not like "Java(TM) %SE Development%"
and SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName not like "Java %SDK%"
and SMS_G_System_OPERATING_SYSTEM.Caption not like "%2003%"
and SMS_G_System_ADD_REMOVE_PROGRAMS_64.ResourceID not in (
    select resourceid from SMS_R_System
    inner join SMS_G_System_ADD_REMOVE_PROGRAMS_64 on SMS_G_System_ADD_REMOVE_PROGRAMS_64.ResourceId = SMS_R_System.ResourceId
    where SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName = "Java 8 Update 92 (64-bit)")
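The same two collections (x86 and x64) created from the ConfigMgr PowerShell module instead of the console, as an added example that is not part of the original post. It assumes the console module is installed on the machine, uses 'PS1' as a placeholder site code and "All Systems" as the limiting collection, applies the 32-bit filter set (including the "%Updater%" exclusion) to both architectures, and the helper name Get-JavaBelowVersionQuery is made up for this example.

```powershell
# Added example, not from the original post: build both Java collections with
# the ConfigMgr cmdlets, generating the WQL above for either ARP view.
# Assumptions: console module installed, 'PS1' is a placeholder site code,
# limiting collection "All Systems".
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
$SiteCode = 'PS1'   # placeholder, replace with your site code
Set-Location "$($SiteCode):"

$LimitingCollection = 'All Systems'
$TargetVersion      = 'Java 8 Update 92'   # latest release at the time of the post

# Returns the WQL for one ARP view (32-bit or 64-bit) and one version to exclude.
# In the here-string PowerShell expands only $ArpView and $Version; the trailing
# ".DisplayName" / ".ResourceID" stay literal, which is what WQL needs.
function Get-JavaBelowVersionQuery {
    param(
        [ValidateSet('SMS_G_System_ADD_REMOVE_PROGRAMS', 'SMS_G_System_ADD_REMOVE_PROGRAMS_64')]
        [string]$ArpView,
        [string]$Version
    )
    @"
select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name,
 SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client
 from SMS_R_System
 inner join SMS_G_System_OPERATING_SYSTEM on SMS_G_System_OPERATING_SYSTEM.ResourceID = SMS_R_System.ResourceId
 inner join $ArpView on $ArpView.ResourceID = SMS_R_System.ResourceId
 where $ArpView.DisplayName like "Java%"
 and $ArpView.DisplayName not like "Java %SE Development%"
 and $ArpView.DisplayName not like "Java(TM) %SE Development%"
 and $ArpView.DisplayName not like "Java %SDK%"
 and $ArpView.DisplayName not like "Java%Updater%"
 and SMS_G_System_OPERATING_SYSTEM.Caption not like "%2003%"
 and $ArpView.ResourceID not in (select SMS_R_System.ResourceId from SMS_R_System
   inner join $ArpView on $ArpView.ResourceId = SMS_R_System.ResourceId
   where $ArpView.DisplayName = "$Version")
"@
}

$Collections = @(
    @{ Name = 'Java < JRE 1.8 Update 92_X86'; View = 'SMS_G_System_ADD_REMOVE_PROGRAMS';    Version = $TargetVersion },
    @{ Name = 'Java < JRE 1.8 Update 92_X64'; View = 'SMS_G_System_ADD_REMOVE_PROGRAMS_64'; Version = "$TargetVersion (64-bit)" }
)

foreach ($c in $Collections) {
    if (-not (Get-CMDeviceCollection -Name $c.Name)) {
        # Scheduled refresh only: queries with a sub-select are not supported for incremental updates
        New-CMDeviceCollection -Name $c.Name -LimitingCollectionName $LimitingCollection -RefreshType Periodic | Out-Null
    }
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $c.Name -RuleName "$($c.Name) rule" `
        -QueryExpression (Get-JavaBelowVersionQuery -ArpView $c.View -Version $c.Version)
}
```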

SCCM Configmgr: get the update compliance status for multiple update groups against multiple collections using a SQL query, without reporting


Recently we had an issue with the SCCM Configmgr Reporting Services role (the remote SQL server sitting on a VM crashed; blog post coming soon) and we were unable to generate reports, mainly the software update compliance status that we produce every month. This post is about how to check the software update compliance status for the deployed software update group(s) per collection(s) without using Configmgr reports. Fixing the Reporting Services role took longer than expected, and in the meantime we needed to check the patch compliance status and troubleshoot the non-compliant machines (servers) within the maintenance window.

I thought the SQL code I used to generate the compliance status would be handy for others who do not want to use Configmgr reports and prefer SQL code for quick results.

If you cannot generate the compliance status using SSRS reports, the only other option is the Monitoring node, Deployments: look for the software update deployment for the particular collection and check the non-compliant machines for troubleshooting. That is not an easy method if you have a large number of deployments and collections.

To overcome this, you can use SQL Management Studio and run the query posted below to generate the list of non-compliant clients with extra information such as the hardware inventory date, software update scan date, operating system, IP address, user name and whether the client is installed.

This SQL query should help you quickly generate the compliance status for multiple software update groups and multiple collections.

I recently posted a blog about how to generate software update compliance status for multiple update groups per collection; this SQL query generates the update compliance status for multiple update groups against multiple collections.

You can use this SQL query to create a nice SSRS report for multiple update groups and multiple collections in one click.

The SQL code below lists clients with Required/Missing status. If you want clients with Unknown status, change the @Status value to 0. The update compliance status values are listed below:

Update compliance Status:

0—Detection Status Unknown

1—Not Applicable

2—Required/Missing

3—Already Installed /Compliant


--SQL Code to Generate Update compliance Status for multiple update groups against multiple collections

Declare @Status nvarchar(255);set @Status='2';
--Status 0 for Unknown, 1 for Not Applicable,2 for Required ,3 for installed
select sys.name0 [Computer Name],sys.User_Name0 [User Name], os.caption0 [OS],
CONVERT(VARCHAR(26), ws.lasthwscan, 100) as [LastHWScan],
CONVERT(VARCHAR(26), uss.lastscantime, 100) AS 'LastSUScanTime',
CONVERT(VARCHAR(26), sys.last_logon_timestamp0, 100) AS 'Last Logon Time',
case when sys.client0='1' then 'Yes' else 'No'
end as 'Client (Yes/No)', c.IPAddress AS [IP Address]
From v_Update_ComplianceStatusAll UCS
left join v_r_system sys on ucs.resourceid=sys.resourceid
left join v_FullCollectionMembership fcm on sys.resourceid=fcm.resourceid
left join v_collection coll on coll.collectionid=fcm.collectionid
left join v_GS_OPERATING_SYSTEM os on ucs.resourceid=os.resourceid
left join v_gs_workstation_status ws on ucs.resourceid=ws.resourceid
left join v_updatescanstatus uss on ucs.ResourceId=uss.ResourceID
left join v_AuthListInfo LI on ucs.ci_id=li.ci_id
INNER JOIN (SELECT     IP1.resourceid AS rsid2, IPAddress = substring
((SELECT     (IP_Addresses0 + ', ')
FROM    v_RA_System_IPAddresses IP2
WHERE     IP2.IP_Addresses0 NOT LIKE '169%' AND IP2.IP_Addresses0 NOT LIKE '0.%' AND IP2.IP_Addresses0 NOT LIKE '%::%' AND
IP_Addresses0 NOT LIKE '192.%' AND IP1.resourceid = IP2.resourceid
ORDER BY resourceid FOR xml path('')), 1, 50000)
FROM    v_RA_System_IPAddresses IP1
GROUP BY resourceid) c ON c.rsid2 = ucs.resourceid
-- replace the update group titles and collection IDs with your own
where li.title IN ('SUG1','SUG2','SUG3') and coll.collectionID in ('PS10029A','PS10000D') and ucs.status=@Status
group by sys.name0,sys.User_Name0,os.Caption0,ws.LastHWScan ,uss.LastScanTime,sys.Last_Logon_Timestamp0,sys.client0,c.IPAddress
order by 1

Hope it helps !

SCCM Configmgr: how to clean ccmcache content older than x days using compliance settings


A friend of mine (you know who you are) asked for help with cleaning up the content inside the ccmcache folder in a better way than deploying a script as an application, package or task sequence.

I would recommend using compliance settings (configuration item / configuration baseline) to deploy the script to clients on a schedule (once a month, or however often you want).

One advantage of using compliance settings is that you do not need source files to implement this solution, and it is easier to discover and remediate any content older than x days.

In this blog post we will see how to use a simple PowerShell script (available from many sources on the internet) to create a configuration item and a configuration baseline and deploy it to clients.

If you do not want to follow all the steps outlined here, jump to the end of the post to see how you can achieve this task in just two or three steps.

How to create Configuration Item:

Launch the SCCM console, go to Assets and Compliance, right-click Configuration Items and choose Create Configuration Item.

Give it a meaningful name, something like "Clean ccmcache content".

Leave the default settings and click Next.

Create a new compliance rule.

Follow the settings as outlined below.

You need two PowerShell scripts: 1) a discovery script that counts the folders older than x days that are due for deletion, and 2) a remediation script that deletes those folders if any exist.

For the discovery script, click Edit Script and use the following PowerShell script.

This script returns the count of folders inside ccmcache older than x days, which is what drives the cleanup.

Change the number of days to suit how old content must be before it is deleted.

# discovery script: return the number of cache elements not referenced for $MinDays days
$MinDays = 14
$UIResourceMgr = New-Object -ComObject UIResource.UIResourceMgr
$Cache = $UIResourceMgr.GetCacheInfo()
($Cache.GetCacheElements() |
    Where-Object { [datetime]$_.LastReferenceTime -lt (Get-Date).AddDays(-$MinDays) } |
    Measure-Object).Count

For the remediation script, use the following PowerShell script to clean the content older than 14 days.

This script deletes the cache elements (folders) that have not been referenced for 14 days.

# remediation script: delete every cache element not referenced for $MinDays days
$MinDays = 14
$UIResourceMgr = New-Object -ComObject UIResource.UIResourceMgr
$Cache = $UIResourceMgr.GetCacheInfo()
$Cache.GetCacheElements() |
    Where-Object { [datetime]$_.LastReferenceTime -lt (Get-Date).AddDays(-$MinDays) } |
    ForEach-Object {
        $Cache.DeleteCacheElement($_.CacheElementID)
    }
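Before letting the remediation script loose on a fleet, it is worth seeing what it would delete. The following dry run is an added example, not part of the original post: it uses the same UIResource.UIResourceMgr COM object as the scripts above and lists the stale elements with their size, without deleting anything. The helper name Get-StaleCcmCacheElement is made up for this example, and the ContentSize unit (KB) is an assumption.

```powershell
# Added example, not from the original post: dry run of the remediation above.
# Lists the cache elements the remediation script would delete and the space
# that would be freed, without touching the cache.
function Get-StaleCcmCacheElement {
    param([int]$MinDays = 14)   # same cut-off as the discovery/remediation scripts
    $cutoff = (Get-Date).AddDays(-$MinDays)
    $cache  = (New-Object -ComObject UIResource.UIResourceMgr).GetCacheInfo()
    $cache.GetCacheElements() |
        Where-Object { [datetime]$_.LastReferenceTime -lt $cutoff } |
        ForEach-Object {
            [pscustomobject]@{
                CacheElementId    = $_.CacheElementId
                ContentId         = $_.ContentId
                Location          = $_.Location
                LastReferenceTime = [datetime]$_.LastReferenceTime
                # assumption: ContentSize is reported in KB
                SizeMB            = [math]::Round($_.ContentSize / 1KB, 1)
            }
        }
}

$stale = @(Get-StaleCcmCacheElement -MinDays 14)
$stale | Sort-Object LastReferenceTime | Format-Table -AutoSize
"{0} element(s), {1:N1} MB would be removed" -f $stale.Count, ($stale | Measure-Object SizeMB -Sum).Sum
```

Run it on a client from the target collection; if the count matches what the discovery script returns, the rule is set up as intended.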

Click Compliance Rules and click New.

Enter the name you wish to use for the rule and set the value returned by the discovery script to 0.

The rule type is "the setting must comply": if the discovery script returns 0 there is no content to clean up; if it returns any count other than 0, the content cleanup is performed using the remediation script.

Click OK, OK and Next.

Verify that the settings are configured correctly, as below.

Click Next, Next, Next to see the summary page:

With this we have completed creating the configuration item, including the discovery and remediation settings.

How to create Configuration Baseline:

Right-click Configuration Baselines and select Create Configuration Baseline.

Give it a name and description, then click Add and choose Configuration Item.

Select the configuration item we created above, click Add and then OK.

We have now created the configuration baseline and are ready to deploy it, on a schedule, to the collection you are interested in.

How to deploy Configuration Baseline to Collection:

Right-click the configuration baseline we created earlier and click Deploy.

Adjust the settings below, such as the collection and schedule, according to your environment.

Under the Deployments tab you will see the configuration baseline deployed to the collection and its compliance percentage.

Wait for the clients to receive the policy (trigger a machine policy retrieval if you want to speed up the process) and let remediation happen.

Go to any SCCM client, open the Configuration Manager applet and look at the Configurations tab: the ccmcache cleanup baseline is not there yet.

As soon as you refresh the machine policy, the client polls for and receives the newly created policy, which then appears in the Configurations tab. Click Evaluate.

Evaluate takes a few seconds to run the discovery script, and if it finds a count other than 0 it runs the remediation script we configured.

Click View Report to see a nice HTML report with the compliance status.

After a while the client evaluates the baseline and reports the status to SCCM, which you can see in the console under Configuration Baselines.

With this we have completed the task of cleaning up content in ccmcache older than 14 days.

How to skip these steps and create everything in 3 steps?

To make this task easier for you, I have exported the configuration baseline to a cab file. All you need to do is download the cab file from here, go to Configuration Baselines, import the cab file and adjust the PowerShell settings as described in the steps above.

Below are the client logs (C:\windows\ccm\logs) that will help you check and troubleshoot compliance settings issues:

CIDownloader.log –>Records details about configuration item definition downloads.

DcmWmiProvider.log—>Records information about reading configuration item synclets from Windows Management Instrumentation (WMI).

DCMReporting.log—>Records information about reporting policy platform results into state messages for configuration items.

CIAgent.log—>Records details about the process of remediation and compliance for compliance settings, software updates, and application management.
