Channel: CM2012 – All about Microsoft Endpoint Manager

Configmgr PowerShell script to create deployments for multiple software update groups to multiple collections


Introduction:

Software update groups provide an effective way to organize software updates in your environment. A software update group consists of multiple software updates (metadata only). You can add software updates to a software update group manually, or automatically by using an automatic deployment rule (ADR).

One of the major advantages of using software update groups is that it is easier to track compliance status, via reports or the console, for the many updates you have deployed, and to delegate software update administration (you can set a security scope for each software update group).

Problem:

If you have multiple software update groups to deploy to multiple collections as part of monthly patching, it is difficult to do via the console. Why? The user interface takes a long time (depending on the number of updates in each update group) to process the updates in each software update group, validate them and deploy them to a collection with settings such as available date, deadline date/time, reboot settings and download settings. If you are still doing this from the console, you really need to look at other methods, such as tools or a PowerShell script, to save time.

Solution:

There are many third-party tools and scripts available to deploy software update groups to collections, but in this blog post I will share a simple PowerShell script I created to deploy multiple software update groups to multiple collections, reading the input from a CSV file and writing to a log file whether or not each deployment was created.

The CSV file is the input for the script; it holds variables such as software update group name, collection name, deployment name, deployment type, available date, deadline date and time, and whether to restart servers or workstations. I chose these variables for my script because they are the settings most commonly used.

If you want to customize other variables, such as download settings, add that information to the CSV file and modify the script to read these custom variables.

This PowerShell script uses the basic Configmgr PowerShell cmdlets with some custom PowerShell commands to read the input variables from the CSV file, check whether the deployment name already exists, and then create the deployments.

Note: Like the user interface, this script checks whether the deployment name already exists before it creates a new one. In the console you cannot reuse a deployment name that already exists, but with PowerShell you can create any number of deployments with the same name; I did not allow that in my script.

If you want to create the deployments without this prior check, delete the "Get the deployments" and "check if the deployment exists" sections from the script.

What information do you need to put into the CSV file?

You need to supply the software update group name, collection name, deployment name, deployment type, available date and time, restart workstation and restart server settings, as listed below.

Always use "software update group + collection name" as the deployment name, so that the name is unique and easy to identify when running reports.

SUName: Software update group

CollName: Collection name

DeploymentName: Deployment name

DeployType: Deployment type (Required or Available)

RestartWorkstation=True means suppress the reboot on workstations after the patches are installed; False means reboot the workstation after the patches are installed.

You do not need to install any Excel components on the machine you run the script from; the script reads the CSV file as plain text (you could edit it with Notepad).

Download the script from the TechNet Gallery, extract the zip file, open the CSV file in Excel on a machine that has Excel installed, and when the CSV file is ready, run the script to create the deployments.
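The following is an added example of the approach described above, not the author's downloadable script. It reads a CSV with the columns listed above, skips any row whose deployment name already exists, and logs the outcome. It assumes the Configmgr console (ConfigurationManager module) is installed on the machine, and the site code P01, the CSV path and the log path are placeholders.

```powershell
# Added example (not the author's script): create software update deployments from
# a CSV, skipping rows whose DeploymentName already exists, and log each outcome.
# Assumptions: ConfigurationManager module available via the console install,
# site code 'P01' (placeholder), CSV and log paths below are placeholders.
param(
    [string]$SiteCode = 'P01',
    [string]$CsvPath  = 'C:\Temp\SUGDeployments.csv',
    [string]$LogPath  = 'C:\Temp\SUGDeployments.log'
)

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss}  {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

# Load the module from the console install and switch to the site drive.
Import-Module (Join-Path $env:SMS_ADMIN_UI_PATH '..\ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

# Expected CSV header and one constructed sample row:
# SUName,CollName,DeploymentName,DeployType,AvailableDate,DeadlineDate,RestartWorkstation,RestartServer
# 2018-01 Server Updates,Patch Wave 1,2018-01 Server Updates - Patch Wave 1,Required,2018-01-15 18:00,2018-01-20 22:00,True,True
$rows = Import-Csv -Path $CsvPath

# Cache existing deployment names once; AssignmentName is the deployment's display name.
$existing = @{}
Get-CMSoftwareUpdateDeployment | ForEach-Object { $existing[$_.AssignmentName] = $true }

foreach ($row in $rows) {
    if ($existing.ContainsKey($row.DeploymentName)) {
        Write-Log "SKIP   '$($row.DeploymentName)' already exists"
        continue
    }
    if ($row.DeployType -notin 'Required', 'Available') {
        Write-Log "ERROR  '$($row.DeploymentName)' has invalid DeployType '$($row.DeployType)'"
        continue
    }
    # CSV values are strings; convert flags and dates explicitly before calling the cmdlet.
    $restartWks = [System.Convert]::ToBoolean($row.RestartWorkstation)
    $restartSrv = [System.Convert]::ToBoolean($row.RestartServer)
    $available  = [datetime]$row.AvailableDate
    $deadline   = [datetime]$row.DeadlineDate
    if ($deadline -lt $available) {
        Write-Log "ERROR  '$($row.DeploymentName)' deadline is earlier than the available time"
        continue
    }
    try {
        New-CMSoftwareUpdateDeployment -SoftwareUpdateGroupName $row.SUName `
            -CollectionName $row.CollName `
            -DeploymentName $row.DeploymentName `
            -DeploymentType $row.DeployType `
            -TimeBasedOn LocalTime `
            -AvailableDateTime $available `
            -DeadlineDateTime $deadline `
            -RestartWorkstation $restartWks `
            -RestartServer $restartSrv | Out-Null
        # Remember the name so a duplicate row later in the same CSV is also skipped.
        $existing[$row.DeploymentName] = $true
        Write-Log "OK     '$($row.DeploymentName)' created for collection '$($row.CollName)'"
    } catch {
        Write-Log "FAILED '$($row.DeploymentName)': $($_.Exception.Message)"
    }
}
```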


How to find and update DNS server search order using SCCM Configmgr


If you are using SCCM Configmgr in your environment, you can accomplish many manual/administrative tasks with the deployment or compliance method.

Recently I was working on a task to update the DNS record (primary DNS server IP) on a large number of servers. The servers use static IPs, so the change had to be made on every server where needed.

Because the DNS server moved to a different network segment, its IP address changed from a Class B to a Class A address.

How do I replace the old DNS server record with the new one on all the servers? Before you use any method (scripting or Configmgr), you need the list of servers that are using the OLD DNS record, validate it, and then perform the change.


Since our infrastructure uses Configmgr to manage workstations and servers, I can use Configmgr to pull a report of servers using the OLD DNS server record, create a collection for these servers, deploy a script to update the DNS server record, and monitor the report to confirm whether the change was executed successfully.

Before you generate the report, you need to find out which SQL view stores the DNS server details. Network adapter information is stored in the v_GS_NETWORK_ADAPTER_CONFIGUR view.

The column we are looking for is DNSServerSearchOrder0, which is not enabled by default in the hardware inventory class.

Enable it under Client Settings -> Hardware Inventory -> Set Classes, search for "network", open Network Adapter Configuration and select DNS Server Search Order.


After you enable this, clients targeted with this client agent setting will download the policy and send the updated inventory during the next scheduled inventory cycle.

Once that is done, you can generate the report to see which servers are using the OLD DNS record.

Here is the SQL query to check the DNS server search order:

select sys.Name0, os.Caption0, nac.DNSServerSearchOrder0
from v_R_System sys
join v_GS_NETWORK_ADAPTER_CONFIGUR nac on nac.ResourceID = sys.ResourceID
join v_GS_OPERATING_SYSTEM os on os.ResourceID = sys.ResourceID
where os.Caption0 like '%server%'
and nac.IPEnabled0 = '1'
and nac.DNSServerSearchOrder0 like '%OLD DNS SERVER IP%'

The above query returns the servers with their primary and secondary DNS server records. Create a new collection and add these machines to it.

Now we have the list of servers to update with the new DNS server record, but we do not yet have a package to deploy to the collection.

To update the DNS server records, you can use either PowerShell or VBScript. If you are still running Server 2003, PowerShell is not a good option, so you may have to use VBScript.

I am posting both the VBScript and the PowerShell version for your convenience.

In my case, I need to update the primary DNS record (new IP) and keep the secondary DNS server record unchanged.

VBScript:

On Error Resume Next
strComputer = "."
Const FullDNSRegistrationEnabled = True
' Replace the placeholders with the new primary and the existing secondary DNS server IPs
arrDNSServers = Array("DNS server IP1", "DNS Server IP2")

Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' Only adapters with IP enabled carry a DNS search order
Set colNetCards = objWMIService.ExecQuery("Select * From Win32_NetworkAdapterConfiguration Where IPEnabled = True")

For Each objNetCard In colNetCards
    ' Set the full search order (primary, secondary) and keep dynamic DNS registration on
    errEnable = objNetCard.SetDNSServerSearchOrder(arrDNSServers)
    objNetCard.SetDynamicDNSRegistration FullDNSRegistrationEnabled
Next

If you have primary and secondary DNS servers, replace the IP addresses accordingly in the above script.

PowerShell:

# Only adapters with IP enabled carry a DNS search order
$NICs = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -eq $true }

foreach ($NIC in $NICs) {
    # Replace the placeholders with the new primary and the existing secondary DNS server IPs
    $DNSServers = "DNS server IP1", "DNS server IP2"
    $NIC.SetDNSServerSearchOrder($DNSServers)
    $NIC.SetDynamicDNSRegistration($true)
}

When you deploy the PowerShell script, pay attention to the command line you use. If you have set the PowerShell execution policy to Bypass in client agent settings, you can simply use scriptname.ps1 as the command line; otherwise you need a command line that bypasses the execution policy:

PowerShell.exe -ExecutionPolicy Bypass -File "scriptname.ps1"

Create a package with the above script, deploy it to the collection and monitor the results.

For results, wait for the next hardware inventory cycle and fix any servers where the change did not go through.
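The PowerShell script above overwrites the whole search order with two hard-coded IPs. The following is an added example, not the author's script, for the case described in this post where only the primary record changes and the secondary must be kept: it swaps the OLD IP for the NEW one on each IP-enabled adapter, keeps every other entry in place, and leaves adapters that never referenced the old server untouched. The two IP addresses are placeholders.

```powershell
# Added example (not the author's script): replace only the OLD primary DNS server
# with the NEW one on every IP-enabled adapter, preserving any other entries (such
# as the secondary DNS server) and their order. IPs are placeholders.
param(
    [string]$OldDns = '10.0.0.10',    # placeholder: old primary DNS server IP
    [string]$NewDns = '192.168.5.10'  # placeholder: new primary DNS server IP
)

function Get-UpdatedDnsOrder {
    # Pure replacement logic, kept separate from WMI so it can be checked on its own.
    # Returns $null when the adapter does not reference the old server (nothing to do),
    # otherwise the new search order with duplicates removed.
    param([string[]]$Current, [string]$Old, [string]$New)
    if (-not $Current -or $Current -notcontains $Old) { return $null }
    $updated = foreach ($ip in $Current) { if ($ip -eq $Old) { $New } else { $ip } }
    # If the new IP was already listed (e.g. as secondary), keep a single copy.
    return @($updated | Select-Object -Unique)
}

$nics = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -eq $true }
foreach ($nic in $nics) {
    $order = Get-UpdatedDnsOrder -Current $nic.DNSServerSearchOrder -Old $OldDns -New $NewDns
    if (-not $order) {
        Write-Output "$($nic.Description): old DNS $OldDns not present, skipping"
        continue
    }
    # Win32_NetworkAdapterConfiguration methods return 0 on success; anything else is an error code.
    $result = $nic.SetDNSServerSearchOrder($order)
    if ($result.ReturnValue -eq 0) {
        Write-Output "$($nic.Description): DNS order now $($order -join ', ')"
    } else {
        Write-Output "$($nic.Description): SetDNSServerSearchOrder failed with code $($result.ReturnValue)"
    }
}
```

Because the script writes one line per adapter, the package's command output can be captured to a log for the "monitor the results" step described above.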

SCCM Configmgr how to manage clients in untrusted forest


A few weeks ago, I was assigned the task of managing clients in an untrusted forest using Configuration Manager 2012 R2 SP1. Yes, we are still running Configmgr 2012, but we will move to Configmgr Current Branch soon (in the next few weeks).

The scenario: I have a forest (intranet.asia) where SCCM 2012 R2 SP1 is installed and used to manage clients in that forest. Now I have a requirement to manage clients in an untrusted forest (life.net), which is completely isolated from the existing forest, with no trust between the two.

So the task is how to manage the clients in the untrusted forest (life.net), for software distribution, patching and so on, using the SCCM server that resides in the intranet.asia forest.

My setup is as follows:

Green colour: current working site

Brown colour: untrusted forest

Red colour: firewall between these two forests

Blue colour: clients in the untrusted forest must talk to the SCCM site in the intranet.asia forest, and SCCM must publish site information to AD, perform AD system discovery, automatic client push installation etc. in the untrusted forest.

The LIFE.NET forest is completely isolated and has no trust with the INTRANET.ASIA forest where SCCM is installed. The aim is to manage the clients (very few, <50 for now) in the life.net forest using the existing SCCM site.

To manage clients in an untrusted forest using SCCM, the high-level steps are listed below.

1. First and foremost, open the firewall ports for clients in the untrusted forest to talk to the SCCM roles (all the ports a client needs to talk to the MP, DP and SUP, as outlined here) and for the SCCM server to talk to the remote forest (DNS port 53, LDAP port 389) to publish information and discover objects.

2. Configure DNS with a conditional forwarder or stub zones in the local forest (so SCCM can resolve remote host names such as dc02.life.net and the remote clients for system discovery) and in the untrusted forest (so clients can resolve the host names of the MP, DP, SUP etc.).

3. Create an account in the untrusted forest that will be used to publish SCCM site information into the System Management container, which will be created later in the LIFE.NET forest.

4. Extend the schema in the untrusted forest (LIFE.NET) with sufficient permissions (the user must be a schema admin). You can get the schema files from the Configmgr media. This is optional; read more to decide whether you really need to extend the schema.

5. Create the System Management container in the untrusted forest and give the account you created above full permissions on it, so it can publish the SCCM site information.

6. On the SCCM server (INTRANET.ASIA), add the untrusted forest, configure the account you created above, and monitor hman.log for any errors.

7. Check in the untrusted forest whether the site information has been published into the System Management container.

8. If you want to discover clients from the untrusted forest automatically, configure AD System Discovery. If you have not configured the DNS conditional forwarder, system discovery will fail because of name resolution (monitor adsysdis.log for any errors).

9. If you want to perform client push installation, get an account from the untrusted forest and configure it on the SCCM server.

10. Configure boundaries in SCCM (INTRANET.ASIA) for the untrusted forest so its clients can be managed.

11. If clients in the untrusted forest cannot resolve the SCCM roles (MP, DP, SUP etc.) for client installation, site assignment and policy download, add the required entries (IP address and FQDN of the MP, DP and SUP) to the hosts file on each client. Again, make sure the ports (HTTP 80, SUP 8530) are open from the untrusted forest to the SCCM servers; otherwise basic functions such as software distribution and software updates will not work.

The steps above are the general approach, but in reality some of them, such as DNS conditional forwarders, may not be allowed in your environment. In that case, what other methods do I have to get this done?

Note that in this untrusted forest I have <50 clients to manage, so I can skip the DNS configuration and go with hosts file entries (manual feeding). If you have a large number of clients to manage, you need another solution, such as DNS configuration, to provide name resolution.

The following site system roles can be installed at primary sites to support connections from clients in untrusted locations, such as the Internet or an untrusted forest (secondary sites do not support client connections from untrusted locations):

  • Application Catalog website point

  • Configuration Manager Policy Module

  • Distribution point (HTTPS is required by cloud-based distribution points)

  • Enrollment proxy point

  • Fallback status point

  • Management point

  • Software update point

Here are the steps I followed to manage these few clients in the LIFE.NET forest for software distribution and software updates from the existing forest.

On the local forest (intranet.asia)

1. Due to the restrictions I have, I cannot configure conditional forwarders in DNS, so I have to add the untrusted forest entries to the hosts file on the SCCM server.

Go to C:\windows\system32\drivers\etc, open the hosts file and add entries for the untrusted forest, including life.net and dc01.life.net with their IP addresses, for name resolution.


Make sure you can ping the remote forest and resolve the hostname.

If there are any firewall restrictions, work with your network team to get them resolved.

2. For the local SCCM server to talk to the remote forest to publish site information into AD, discover objects, perform client push installation etc., we need a few accounts. Let's create them. In my case, I will create one account and use it for publishing the site information.

To discover AD objects in the remote forest you only need a normal user account with read permissions; the client push account, however, must be a member of the local Administrators group on the remote clients where you install the SCCM client.

In the untrusted forest, create an account called CM_Publish (a normal user is enough).

3. In the remote forest, log in to a domain controller or use an account that has full permissions to perform the following changes.

Open adsiedit.msc, create the System Management container and give CM_Publish full permissions on it.

4. While in the remote forest, extend the AD schema. To extend it, copy extadsch.exe from your SCCM media or from the SCCM installation folder \bin\X64. The account must be a member of Schema Admins. Verify the status in extadsch.log, which is created in the root of the system drive.

5. Now come back to the local SCCM server. From Hierarchy Configuration -> Active Directory Forests, click Add Forest.

6. In Domain suffix, enter the domain suffix (in my case: life.net).

Use the account we created above (CM_Publish) to publish site information into the AD System Management container.


Select Use specific account -> New account and type in the credentials.

Click Verify. Be careful to type the correct LDAP path: do not go with the default LDAP path, because the auto-filled path is wrong and will never succeed. The default path after you enter the credentials will be LDAP://DC=sglife,DC=net.

You need to replace it with the correct LDAP path: LDAP://life.net/DC=life,DC=net

This LDAP path is needed to verify that the connection is successful.


Under the Publishing tab, select the site whose information you want to publish.


Monitor hman.log to see whether the attributes are published into the remote forest's System Management container, and for any errors. You must extend the schema before you publish the attributes; if you do not extend the schema, clients will not be able to leverage the schema extensions.


If you have not extended the AD schema, you will see errors such as "SMS-Site-SITECODE could not be created, error code = 8202" in hman.log. After the schema extension, hman.log no longer reports this error.


After a while, the publishing status for the newly added forest will change to Succeeded.


Go to your untrusted forest domain controller, open Active Directory Users and Computers, and in the System Management container you should see the published objects related to the site code, boundaries etc.

With this, we have successfully added the untrusted forest to our SCCM, and we are ready to discover objects, perform client push installation etc. before we start distributing applications and deploying software updates.

Before we proceed further with configuring discovery methods and the client push installation account, we need to make sure we can ping the remote forest domain controller by name. Why? The discovery method relies on name resolution, so if name resolution fails, the discovery of objects will fail.

As I said initially, if you need to discover computer resources in the remote forest, you need to configure DNS with a conditional forwarder or stub zones in the local forest (INTRANET.ASIA); otherwise forget about discovering the objects and just install the SCCM client on the remote forest clients manually.

After you configure the conditional forwarder in DNS, open the Configuration Manager console, go to Hierarchy Configuration -> Discovery Methods, open Active Directory System Discovery, click the burst (sun) icon and add the path location.


Follow the same steps you did when adding the new forest: specify the account, the LDAP path etc. Use the same LDAP path (LDAP://life.net/DC=life,DC=net) as above to verify the connection.

If name resolution is not working, you will see errors in the system discovery log, adsysdis.log.


Wait for the discovery to run and monitor adsysdis.log for any errors.

Next, configure the client push installation account, which is straightforward. Get an account that is a local admin on all the untrusted forest clients and add it as a client push installation account.

If you have multiple client push installation accounts added in the client push properties, SCCM tries each account in turn to install the client until one succeeds. Monitor ccm.log on your site server for any errors.

If you do not use client push but install the SCCM client manually, you need to approve the clients manually in the SCCM console. This is due to the client approval setting in the site hierarchy.


Once you install the client in the untrusted forest, approve the clients manually in the SCCM console.

You can also create a collection of unapproved clients and select all of them to approve them in one go. You can also automate this process via PowerShell. The collection query is:

select distinct system.* from SMS_R_System as system
join SMS_FullCollectionMembership as collection on system.ResourceID = collection.ResourceID
where collection.IsApproved = 0

I hope this guide helps you to manage clients in an untrusted forest.

Reference: https://blogs.technet.microsoft.com/neilp/2012/08/20/cross-forest-support-in-configmgr-2012-part-1-simple-management/

SCCM Configmgr report for local admins and local group members


I had a requirement to generate a report listing the members (users/groups) of the local Administrators group on servers for auditing purposes. Finding the users/groups that are members of the local Administrators group manually or by scripting is a tedious task across all servers. If you manage the devices with Configuration Manager, you can leverage it to get this task done easily.

By default, Configmgr has no built-in solution or report for listing the members of the local Administrators group, but we can achieve this with a custom solution. The only solution I have tried before, and seen people using, is the one provided/blogged by Sherry Kissinger.

Sherry's solution was to create a configuration item/configuration baseline with a VBScript, deploy it to a collection, import a MOF file into client agent settings to collect the custom WMI class populated by the script, and run a report to get the required information.

If you search online for this subject, you will mostly find TechNet forum posts/blogs that refer to the following links.

http://myitforum.com/cs2/blogs/skissinger/archive/2010/04/25/report-on-all-members-of-all-local-groups.aspx

https://mnscug.org/blogs/sherry-kissinger/244-all-members-of-all-local-groups-configmgr-2012

http://mnscug.org/images/Sherry/WMIFrameworkForLocalGroupswithLogging.zip

I tried this solution long ago for some of my customers and it worked fantastically, but I did not blog about it as there were already posts available online.

I started to follow the above blogs a few days ago for my task, but for some reason these URLs are no longer active. During my online search I found a few other blogs that talk about this solution.

I tried importing the cab file from Sherry's blog into a configuration baseline, but for some unknown reason the import failed on both Configmgr 2012 and Configmgr Current Branch 1610. Both environments gave the same error.

I am not the only one facing issues importing the cab file; many others have posted about it on TechNet looking for a solution.

So I started creating the configuration items and configuration baseline myself, making the changes to the client agent settings (MOF file) and generating the report.

I am attaching the configuration baseline cab file here for you to download, extract, import into your Configmgr 2012 or Configmgr Current Branch 1610 and deploy to your required collection; then import the MOF file into client agent settings for hardware inventory.

If you see any issues importing the cab file into a configuration baseline, follow the steps illustrated below to implement this solution step by step.

In this blog post, I will show how to create the configuration item and configuration baseline with the script Sherry provided, make the MOF changes in client settings, wait for hardware inventory and create the SQL query to run the report.

There are two VBScripts available online: 1) get members of the local Administrators group ONLY (WIN32_localadmins); 2) get members of all local groups on the machine (cm_localgroupmembers).

Script 1 gets you information about the users/groups that are members of the Administrators group ONLY, and script 2 gets you the members of all local groups.

I have attached both scripts in the download section for reference, in case you do not want the information for all groups.


Note: This task can be achieved in two ways, either by deploying the script as a package or by deploying it via a baseline, but the prerequisite is a recurring deployment or a recurring DCM baseline/CI.

Steps in brief:

1. Import the MOF file into the default client agent settings, but do not select the new class in the default client agent settings. Select it in the custom client agent settings that you deploy to the collection.

2. Create the configuration item and configuration baseline and deploy it to the collection on a recurring basis.

3. Run the SQL query/report to get the members of the local Administrators group.

Note: Should I go with a configuration item or a package? I strongly suggest you go with a configuration item and make it recurring instead of scheduling it once. Why recurring?

The script used in the configuration item creates the WMI instance cm_localgroupmembers and queries the local groups with their members once per script run. That means if you run the configuration item once, it queries the local groups and members and writes the information into cm_localgroupmembers, but any changes made after the compliance item runs will not appear in cm_localgroupmembers. To capture additions or deletions of users/groups in local groups, you must schedule it on a recurring basis.

In this post, I will go with the configuration baseline method.

Before we start the steps, download the files required to create the baseline, the MOF file, reports etc. from here.

Step 1: Copy the MOF file from the download section to your SCCM server and import it into Default Client Settings -> Hardware Inventory on your SCCM server (CAS if you have one, otherwise the primary site), then de-select the localgroupmembers settings in the default client settings.

Go to your custom client agent settings and select localgroupmembers to collect the local group member information.

If you do not have any custom client agent settings in your environment, you can enable this setting in the default client agent settings.


Monitor dataldr.log for the changes.

With this change, a SQL view named v_gs_localgroupmembers0 is created and can be used for reporting. The information stored in SQL views starting with v_GS comes from hardware inventory.


Step 2: In the Configuration Manager console, go to Assets and Compliance -> Compliance Settings, right-click Configuration Items, choose Create Configuration Item, and type a name and description.


Click Next (leave the default OS settings), then Next; on the Settings page, add a new setting with the following information:

Name: WMI Framework for cm_localgroupmembers

Setting Type: Script

Data type: String

Edit the script, select VBScript and paste the content of the SCCMLocalGroupMembers.vbs file. This is script 2 referred to above. If you want only the members of the local Administrators group, use localadmins.vbs instead.


Click OK, then Next; on the Compliance Rules page, click New with the following information:

Name: cm_localgroupmembers

Selected setting: select the setting you created above

Rule type: Existential

Compliance rule: The specified script does not return any values


Click OK, then Next, Next to see the summary page.

Create a new baseline, select the configuration item we created above and deploy it to the collection.

Wait for the client to receive the new client device settings and the configuration baseline, create the WMI instance, and then run client inventory.

On the client machine, after the policy is applied, the assigned configuration baseline shows as compliant.


The script writes its log output to SCCMLocalGroupMembers.log in the C:\windows\temp folder.

SQL queries:

Now we have sufficient information about the local users and the members of all local groups, stored in the SQL view v_gs_localgroupmembers0.

We can create a variety of SQL queries depending on the requirement.

Query 1: List all clients with members of the local Administrators group:

select sys1.netbios_name0
,lgm.name0 [Name of the local Group]
,lgm.account0 as [Account Contained within the Group]
,lgm.domain0 [Domain for Account]
, lgm.type0 [Type of Account]
from v_gs_localgroupmembers0 lgm
join v_gs_workstation_status ws on ws.resourceid=lgm.resourceid
join v_r_system sys1 on sys1.resourceid=lgm.resourceid
where lgm.name0='Administrators'
order by sys1.netbios_name0, lgm.name0, lgm.account0

Query 2: List members of the local Administrators group on specific client:

select sys1.netbios_name0
,lgm.name0 [Name of the local Group]
,lgm.account0 as [Account Contained within the Group]
, lgm.category0 [Account Type]
, lgm.domain0 [Domain for Account]
, lgm.type0 [Type of Account]
from v_gs_localgroupmembers0 lgm
join v_gs_workstation_status ws on ws.resourceid=lgm.resourceid
join v_r_system sys1 on sys1.resourceid=lgm.resourceid
where lgm.name0='Administrators'
and sys1.Name0='clientname'
order by sys1.netbios_name0, lgm.name0, lgm.account0

Query 3: List all clients with members of the local Administrators group, excluding certain users or groups:

This is helpful if you have applied policies through GPO that add accounts which should be members of the local Administrators group on all clients, for example Domain Admins or other AD security groups. In the query below the excluded accounts are 'Domain Admins','wintelMonitoring','WintelAdmins','eskonr'.

declare @PC nvarchar (255);set @PC='computername'
select sys1.netbios_name0
,lgm.name0 [Name of the local Group]
,lgm.account0 as [Account Contained within the Group]
,lgm.domain0 [Domain for Account]
, lgm.type0 [Type of Account]
from v_gs_localgroupmembers0 lgm
join v_gs_workstation_status ws on ws.resourceid=lgm.resourceid
join v_r_system sys1 on sys1.resourceid=lgm.resourceid
where lgm.name0='Administrators' -- and sys1.name0=@pc
and lgm.account0 not in ('Domain Admins','wintelMonitoring','WintelAdmins','eskonr')
order by sys1.netbios_name0, lgm.name0, lgm.account0

Hope it helps!

SCCM Configmgr SQL WQL query compare 2 or more collections to get the difference


This is a quick post to show you how to compare two or more collections to find clients that are not members of the other collections. The reason I wrote this post is that for server patching we have been using direct membership rules (I know AD security groups are a good way to automate this, but let's leave that for now) because multiple business units have different maintenance windows.

There could be many scenarios where you compare one collection with another, for application deployment, OSD etc.

So I want to check whether the list of servers in Active Directory are members of the patching collections or not. I am writing another blog post on how to manage software updates for workstations and servers effectively, to achieve a good compliance rate with some nice dashboard reports.

This way I can find out whether servers in AD that are supposed to be patched monthly are missing from the patching collection. You can also achieve this using a SQL query, which is also listed in this post.

So I created a collection based on an Active Directory OU with collection ID PS100318. Creating a collection with an OU filter is straightforward.

I have another parent collection used for patching, PS100315. This collection includes many individual collections, each with its own maintenance window set for patching.

Now I need to compare the OU-based collection (PS100318) against the patching collection (PS100315) to find any server that is not in the patching collection.

Collection query (sub-selected query):

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
where SMS_R_System.ResourceId in (select ResourceID from SMS_FullCollectionMembership where CollectionID = 'PS100318')
and SMS_R_System.ResourceId not in (select ResourceID from SMS_FullCollectionMembership where CollectionID in ('PS100315'))

If you have more than one collection to compare, simply add all your collections to the IN condition, i.e. WHERE CollectionID IN ('PS100315','PS100316','PS100317')

You can also use the include/exclude collection mechanism to do the same. Thanks to Nash for pointing this out.

SQL query:

select fcm.Name
from v_FullCollectionMembership fcm
where fcm.CollectionID = 'PS100318'
and fcm.Name not in (select fcm1.Name from v_FullCollectionMembership fcm1 where fcm1.CollectionID = 'PS100315')

You can extend the SQL query further to include the OS, hardware inventory, client installed status etc.

Hope it helps!

SCCM Configmgr CI to check server role or feature installed


In this blog post, we will see how to use a compliance item in Configuration Manager to check whether a specific server role or feature is installed on a server. This request came up because one of the engineers enabled the Desktop Experience feature on some servers, which installs/enables Flash Player components in the C:\windows\System32\Macromed\Flash folder. Qualys is a provider of cloud security and compliance services that scans your network, servers, desktops or web apps for security vulnerabilities; more at https://www.qualys.com/

If you install desktop experience feature on server, it will try to install adobe flash components and create some files/folders in macromed

Folder structure:

image

Adobe flash in control panel:

image

So ,Qualys scan based on the .dll file that are available on the server. If the version of .dll that is present on the server do not match with latest version of the product ,server will be flagged as vulnerable.

During the last couple of weeks it came to my notice that some servers were being detected as vulnerable for Flash Player, but when I looked at the server there were no Flash related applications installed (looking at Programs and Features).

If there are no applications installed, there is no way for SCCM to detect that the Flash Player components are installed, and you cannot patch/update Flash either, whether by the manual method, patching or software distribution.

So there is a need to identify how many servers have the Desktop Experience feature installed and remove this component if it is not needed.

Using ConfigMgr, we can use a compliance item with a simple script that checks for the Desktop Experience feature: if installed, output False (non-compliant); if not installed, output True (compliant).

All you need is a script to check for the Desktop Experience feature; if you are looking for other roles and features, feel free to modify it to your needs.

If you are looking for other roles and features, open a PowerShell prompt, import the ServerManager module and run the following cmdlet to list the Windows roles/features on the server:

Get-WindowsFeature

The output lists the installed server roles and features. If you are looking for a specific one, pick it from the Name column to check its installed status.

In this blog post I am not going with a remediation script. That would mean, if the specific role/feature you are looking for is found, run a remediation script, such as removing the role from the server, to fix it.

How to create the configuration item/compliance baseline?

Follow my blog post on creating a configuration item, http://eskonr.com/2016/08/sccm-configmgr-how-to-clean-ccmcache-content-older-than-x-days-using-compliance-settings/, but replace the discovery script with the PowerShell script below (no remediation script is needed).

Import-Module ServerManager
# .Installed is a boolean ($true/$false), not the string "Installed",
# so it is tested directly rather than compared with -notlike
$DE = (Get-WindowsFeature -Name Desktop-Experience).Installed
If (-not $DE)
{
    # feature absent: compliant
    Write-Output "True"
}
else
{
    # feature present: non-compliant
    Write-Output "False"
}
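The script above checks a single feature. The following is an added example, not the post's script, that generalizes the same discovery logic to a list of features so one configuration item can flag several unwanted roles at once. It assumes the ServerManager module is available (Windows Server 2008 R2 and later); the feature names other than Desktop-Experience are constructed examples taken from the Get-WindowsFeature Name column, not a recommendation from the post.

```powershell
# Added example (not the blog's own script): CI discovery script that reports
# non-compliant when any feature in $ForbiddenFeatures is installed.
# Assumption: ServerManager module present; names come from Get-WindowsFeature.
Import-Module ServerManager -ErrorAction Stop

# 'Desktop-Experience' is the feature discussed in the post; the other two are
# constructed examples of features an organisation may not want on a server.
$ForbiddenFeatures = @('Desktop-Experience', 'Web-Ftp-Server', 'Telnet-Client')

$installed = foreach ($name in $ForbiddenFeatures) {
    # A name that does not exist on this OS version is silently skipped.
    $feature = Get-WindowsFeature -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $feature -and $feature.Installed) { $feature.Name }
}

# The CI rule compares the script output with the string "True", so the script
# must emit exactly one value. Details of what was found go to the verbose
# stream, which the compliance evaluator does not use as the result.
if ($installed) {
    Write-Verbose ("Forbidden features installed: " + ($installed -join ', '))
    Write-Output 'False'   # non-compliant
} else {
    Write-Output 'True'    # compliant
}
```

If you later decide to add remediation for a feature on this list, the matching cmdlet from the same module is Uninstall-WindowsFeature (Remove-WindowsFeature on 2008 R2), which is why the discovery script keeps the same Name values the uninstall cmdlet expects.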

Compliance Rule: the rule checks that the script output equals True; anything else (the False returned when the feature is present) is reported as non-compliant.

Create a configuration baseline and deploy it to the collection in which you want to find out whether the Desktop Experience feature is installed.

Hope it helps!

SCCM Current Branch Remote Console connectivity issues Insufficient privilege to connect, error Access is denied


For a few days I have been working on SCCM console connectivity issues from a remote box. This is a completely new setup replacing the existing CAS with primaries and going with a flat design (one primary site; a blog post on the SCCM design considerations and notes from the field is coming soon).

As part of setting up SCCM current branch I was creating RBAC for the team, and for testing I installed the current branch console (1702) on Citrix and on remote boxes (server/workstation) to try different user accounts.

When I tried to launch the console, it failed with a generic error message listing some default possible solutions to check.

Next is to look at the admin UI log, SmsAdminUI.log, in the console installation folder (C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\AdminUILog) for further troubleshooting:

Insufficient privilege to connect, error: 'Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))'\r\nSystem.UnauthorizedAccessException\r\nAccess is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))\r\n   at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)

As you can see above, the log doesn't say much about the issue except: Insufficient privilege to connect, error: 'Access is denied'.

The account I am trying to connect with is a Full Administrator and works on the local SCCM server, but not from any other remote box.

Since console access was not working for anyone from any remote box, I suspected the issue was on the SCCM server side, with DCOM permissions.

I checked the DCOM permissions, the WMI security permissions (wmimgmt.msc) and wbemtest locally on the server; all looked good. I could not find anything wrong with the security permissions for the SMS Admins group. I also compared the DCOM permissions from a working SCCM site (another domain) with this newly set up current branch 1702 site, but could not find any permission issues.

Then I looked at the event viewer for any information pertaining to DCOM permissions; all looked clean there too.

What else could go wrong here except security permissions on DCOM/WMI? Well, after spending some time on troubleshooting, a colleague of mine helped look at the MSDTC service, and we decided to uninstall MSDTC (Distributed Transaction Coordinator service), reinstall it and reboot the SCCM server, which fixed the remote console connectivity issue.

What made my colleague look at the MSDTC component? As he explained, any remote connection goes through DCOM/WMI/RPC. In this case, I could not connect to the remote SCCM server using WMI (wbemtest) and the console just failed, so there seemed to be a major issue with the DCOM connection. For this, we checked the permissions on DCOM (dcomcnfg); all looked good. Then we went to the registry to check that DCOM is enabled; that also looked good. The next troubleshooting step for DCOM is to reinstall the MSDTC component.

How do you uninstall the MSDTC component?

Open a command prompt as administrator and stop the service:

net stop MSDTC

Uninstall MSDTC:

msdtc -uninstall

Review the event log: a message in the Application event log confirms that MSDTC was successfully uninstalled.

Reinstall MSDTC:

msdtc -install

Review the event log: a message in the Application event log confirms that MSDTC was successfully installed.

Start the MSDTC service:

net start MSDTC

Reboot the SCCM server and launch the console; you should see the nodes now.

If reinstalling MSDTC doesn't work, then we may have to go a little deeper into DCOM to troubleshoot.
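The procedure above is typed by hand. The script below is an added example, not part of the post, that wraps the same four steps and adds the check that was actually failing here: a remote WMI connection to the SMS Provider namespace, which is the first thing the console does when it connects. It assumes an elevated PowerShell session, that msdtc.exe accepts -uninstall and -install as used above, and that the SMS Provider runs on the site server so that SMS_ProviderLocation is found in its root\sms namespace.

```powershell
# Added example (not from the post): reinstall MSDTC and test remote SMS Provider
# connectivity. Assumptions: elevated session; provider on the site server.
param(
    [string]$SiteServer = $env:COMPUTERNAME,
    [switch]$Reinstall          # reinstall only when explicitly requested
)

function Test-SmsProvider {
    param([Parameter(Mandatory)][string]$ComputerName)
    try {
        # Remote WMI to root\sms is the console's first step on connect; if this
        # fails with 0x80070005 the console fails the same way (see SmsAdminUI.log).
        $locations = Get-WmiObject -Namespace 'root\sms' -Class SMS_ProviderLocation `
                                   -ComputerName $ComputerName -ErrorAction Stop
        foreach ($loc in $locations) {
            Write-Host ("Site {0}: provider on {1} (provider for local site: {2})" -f `
                        $loc.SiteCode, $loc.Machine, $loc.ProviderForLocalSite)
        }
        return $true
    } catch {
        Write-Warning ("root\sms on {0} not reachable: {1}" -f $ComputerName, $_.Exception.Message)
        return $false
    }
}

if ($Reinstall) {
    # Same steps as the manual procedure, stopping/starting via the service controller.
    Stop-Service -Name MSDTC -Force -ErrorAction Stop
    & msdtc.exe -uninstall
    Start-Sleep -Seconds 5
    & msdtc.exe -install
    Start-Service -Name MSDTC
    # Show the latest MSDTC entries from the Application log to confirm the
    # uninstall/install messages were written, as the post checks by hand.
    Get-WinEvent -LogName Application -MaxEvents 300 |
        Where-Object { $_.ProviderName -like '*MSDTC*' } |
        Select-Object -First 5 TimeCreated, Id, Message
}

Test-SmsProvider -ComputerName $SiteServer
```

After the reboot the post calls for, run Test-SmsProvider from the remote console box against the site server; a $true result there means the DCOM/WMI path the console depends on is open again, without having to launch the console to find out.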

See you in the next post!

SCCM SSRS The report parameter has a default value or valid value that depends on the report parameter UserSIDs.Forward dependencies are not valid


 

The other day I was trying to create my first SCCM ConfigMgr SSRS report with RBA (role based administration). What that means is that data for all reports included with Configuration Manager is filtered based on the permissions of the administrative user who runs the report. Administrative users with specific roles can only view information defined for their roles.

The report I was trying to create: get the status of BitLocker for all physical devices (laptops and desktops) in a specific collection. The main difference between normal SQL code and the SQL code you use for RBA reports is that you simply replace v_ with fn_rbac_ and append (@UserSIDs) to the end of the SQL view name. The SQL code I used in this report with RBA is given at the end of the post.

Since the report has a collection prompt, I created a dataset for the collection that also uses fn_rbac and tried to run the report. For some reason it failed with the following error:

Error: "The report parameter 'A' has a default value or valid value that depends on the report parameter 'A'. Forward dependencies are not valid".

The error clearly says that the COLLID prompt depends on the report parameter UserSIDs, which is another parameter, hence "forward dependencies are not valid". In SSRS, parameters are always executed in the specific order in which you define them; all parameters cannot run at the same time.

If you look at my SSRS parameters, they are in the order 1) CollID 2) UserTokenSIDs and 3) UserSIDs.

CollID uses the UserSIDs parameter, which cannot be a forward dependency.

I need to change the order in which the parameters execute. So in your reporting tool (I use Visual Studio 2012), click on Parameters, select the parameter, and use the arrows to change the order of the parameters, then run the report.

I had to move the COLLID parameter down to last to fix my issue here.

SQL code to get the status of BitLocker for all physical devices in a specific collection:

SELECT distinct SYS.Netbios_Name0 [Name],sys.User_Name0,
OS.Caption0 [OS],MEM.TotalPhysicalMemory0/1024 [Memory (MB)],
CS.Model0,
ev.driveletter0,
case when ev.protectionstatus0=1 then 'Yes' else 'No' end as 'IsDrive Bitlocker',
CONVERT(nvarchar(26), ws.LastHWScan , 100) [Last inventory],
CONVERT(nvarchar(26), sys.Last_Logon_Timestamp0 , 100) [Last Logontimestamp]
FROM fn_rbac_R_System(@UserSIDs) SYS
LEFT JOIN  fn_rbac_GS_X86_PC_MEMORY(@UserSIDs) MEM on SYS.ResourceID = MEM.ResourceID
LEFT JOIN  fn_rbac_GS_COMPUTER_SYSTEM(@UserSIDs) CS on SYS.ResourceID = CS.ResourceID
LEFT JOIN fn_rbac_GS_OPERATING_SYSTEM(@UserSIDs) OS on SYS.ResourceID=OS.ResourceID
--LEFT OUTER JOIN fn_rbac_R_User(@UserSIDs) vUSER ON vUSER.[User_Name0] = SYS.User_Name0
left join fn_rbac_GS_ENCRYPTABLE_VOLUME(@UserSIDs) EV on ev.resourceid=sys.resourceid
left join fn_rbac_GS_WORKSTATION_STATUS(@UserSIDs) ws on sys.ResourceID=ws.ResourceID
left join fn_rbac_FullCollectionMembership(@UserSIDs) fcm on sys.ResourceID=fcm.ResourceID
WHERE
fcm.CollectionID=@COLLID
and cs.Model0 not like '%virtual%'
ORDER BY SYS.Netbios_Name0

If you want to run the above SQL code in SQL Server Management Studio, simply replace @COLLID with a collection ID and add DECLARE @UserSIDs AS varchar(max) = 'Disabled' at the beginning of the query.

Collection Prompt:

select CollectionID, Name from fn_rbac_Collection(@UserSIDs)
order by Name
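The v_ to fn_rbac_ substitution described above is mechanical, and when you convert many existing reports it is easy to miss a view. The following is an added example, not code from the post, that performs that rewrite with a regular expression and can prepend the DECLARE line mentioned above for testing in SSMS. The sample query is constructed for the example; the function assumes that every ConfigMgr view reference starts with v_ at a word boundary, which is what keeps table aliases such as ev or vUSER untouched.

```powershell
# Added example (not the blog's own code): rewrite v_<view> references to the
# RBA form fn_rbac_<view>(@UserSIDs). Assumption: view names begin with v_ at a
# word boundary; aliases like "ev" or "vUSER" are therefore left alone.
function ConvertTo-RbacQuery {
    param(
        [Parameter(Mandatory)] [string]$Query,
        # Prepend the DECLARE line so the result also runs in SSMS, where the
        # @UserSIDs report parameter does not exist (as described in the post).
        [switch]$ForSsms
    )
    # (?i) makes the match case-insensitive, so V_ and v_ are both handled.
    # In a single-quoted replacement string $1 is the .NET regex group, not a
    # PowerShell variable.
    $converted = [regex]::Replace($Query, '(?i)\bv_([A-Za-z0-9_]+)', 'fn_rbac_$1(@UserSIDs)')
    if ($ForSsms) {
        $converted = "DECLARE @UserSIDs AS varchar(max) = 'Disabled'`r`n" + $converted
    }
    return $converted
}

# Constructed sample query: a cut-down version of the BitLocker report above.
$sample = @"
SELECT sys.Netbios_Name0, os.Caption0, ev.ProtectionStatus0
FROM v_R_System sys
LEFT JOIN v_GS_OPERATING_SYSTEM os ON sys.ResourceID = os.ResourceID
LEFT JOIN v_GS_ENCRYPTABLE_VOLUME ev ON ev.ResourceID = sys.ResourceID
JOIN v_FullCollectionMembership fcm ON sys.ResourceID = fcm.ResourceID
WHERE fcm.CollectionID = @COLLID
"@

ConvertTo-RbacQuery -Query $sample -ForSsms
```

Every dataset in the report, including the collection prompt above, has to go through the same conversion; a single remaining v_ view in any dataset bypasses the RBA filter for that dataset, which is exactly the data exposure RBA reports are meant to prevent.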


SCCM Configmgr Failed to initiate install of WSUS updates, error = 0x80246002


While I was checking the software update compliance reports for Microsoft and non-Microsoft (third-party, SCUP integrated) updates, I saw that the compliance report looked good for Microsoft but not for the third-party updates.

SCCM version: ConfigMgr current branch 1702 with SCUP integrated for third-party updates.

During the investigation on one client, I found that only the Adobe and Java updates were failing to install; the rest of the third-party updates (Chrome, FileZilla, Firefox, etc.) installed successfully.

Initially, when I ran the software update report, the compliance % was not in good shape, so my thinking was that it could be a certificate issue. But after logging on to the client I found a few third-party updates installed, just not Java and Adobe.

So as part of troubleshooting I verified that the SCUP certificate was imported successfully (double checked, although the other third-party updates had installed) and that AcceptTrustedPublisherCerts=1 is set correctly in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate.
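The two checks just mentioned, the publishing certificate and the AcceptTrustedPublisherCerts policy, are the ones to rule out first on any client that fails third-party updates. The script below is an added example, not from the post, that performs both checks on a client and counts how many times the 0x80246002 digest error appears in wuahandler.log. It assumes the SCUP signing certificate carries the default subject "WSUS Publishers Self-signed" (pass -CertSubject for a PKI-issued certificate) and the standard client log location under %windir%\CCM\Logs.

```powershell
# Added example (not the blog's own code): client-side prerequisites check for
# SCUP-published updates. Assumptions: default SCUP cert subject; default log path.
function Test-ScupClientPrereqs {
    param([string]$CertSubject = 'WSUS Publishers Self-signed')

    $result = [ordered]@{}

    # Policy that allows the Windows Update Agent to install locally published
    # (non-Microsoft signed) updates; the post checks this value by hand.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $value = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts
    $result.AcceptTrustedPublisherCerts = ($value -eq 1)

    # The signing cert must be in Trusted Publishers (to accept the signature)
    # and, because it is self-signed, also in Trusted Root Certification Authorities.
    foreach ($store in 'TrustedPublisher', 'Root') {
        $match = Get-ChildItem "Cert:\LocalMachine\$store" |
                 Where-Object { $_.Subject -like "*$CertSubject*" }
        $result["CertIn$store"] = [bool]$match
        $result["CertIn${store}Expired"] = [bool]($match | Where-Object { $_.NotAfter -lt (Get-Date) })
    }

    # Put the symptom next to the checks: count digest errors in wuahandler.log.
    $log = Join-Path $env:windir 'CCM\Logs\WUAHandler.log'
    $result.DigestErrorsInWuaHandler = if (Test-Path $log) {
        @(Select-String -Path $log -Pattern '0x80246002' -SimpleMatch).Count
    } else { 'log not found' }

    [pscustomobject]$result
}

Test-ScupClientPrereqs
```

When the certificate and policy checks pass but the digest error count keeps growing, the problem is on the content side rather than the trust side, which is what pointed the post towards re-publishing and re-downloading the affected updates.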

Next is to look at the client logs for software updates. The first log to look at is wuahandler.log:

Failed to download updates to the WUAgent datastore. Error = 0x80246002.

0x80246002 means: A download manager operation could not be completed because the file digest was not recognized.

After seeing the above error I went to ccmcache to verify whether the content download was successful. The content had been downloaded to ccmcache and I could extract the file (cab) and see the installation file for Java.

So the next step is to look at UpdatesHandler.log for any other information:

Failed to initiate install of WSUS updates, error = 0x80246002

Failed to start batch install through WSUS Install handler , error = 0x80246002

Next, windowsupdate.log; even that has the same error as above.

All the logs have the same error code, "file digest was not recognized". This could be a hash mismatch issue, which led me to re-publish Java and Adobe (the two with issues) from SCUP to SCCM, resync the software updates, redownload the content, delete the existing deployments and create new deployments, which solved the issue.

The steps I followed to fix it are long, but you can first give it a try by simply redistributing the content to the DP, deleting the existing deployment and re-creating the deployment for the Adobe and Java updates, to see if that works for you.

How did I solve the issue?

1. Open the SCUP console, go to Publications and look at the folder that has the Java and Adobe updates. Select the folder and click the Publish icon at the top.

2. In the publish options, select Sign All, click Next, Next and Close. Monitor SCUP.log for any errors.

3. Go back to the SCCM console, perform a software update sync and monitor wsyncmgr.log.

4. After the sync succeeds, re-download the Java and Adobe updates to the package.

5. Delete the existing deployments, because the client must re-download the new package you download now; otherwise the client will keep using the old content stored in ccmcache and will keep failing.

6. After you delete and re-create the deployments, initiate machine policy using client notification so the clients download the new policy.

7. Log in to one of the problematic clients and open Software Center. If there is no maintenance window to install the updates, install them manually and monitor the logs (wuahandler.log, updatesdeployment.log, updateshandler.log and windowsupdate.log).

Hope it helps.

SCCM Configmgr powershell to install Distribution Point role on multiple computers


Installing the distribution point role on a workstation or server is straightforward from the console. All you need is an account that has local admin rights on the remote computer to install the IIS components and the DP role.

To install the distribution point role on a remote computer, open the Configuration Manager console, go to the Administration node, expand Site Configuration, right click Servers and Site System Roles, choose Create Site System Server, and from there it is all self-explanatory.

Installing the DP role on one or two computers can be done using the console GUI, but what if you have more than 10, 50 or 100 computers on which to install the DP? Can you do that manually from the console, or use scripting to get it done in a few minutes?

I recently installed the DP role on 100+ workstations across the Asia region, and these 100+ distribution points are tagged under different secondary sites.

In this post, we will walk through a PowerShell script to install the DP role on N computers and pipe the results into a log file for reference.

The script does the following:

1. It reads the CSV file for the computer name, description and the site code under which the DP needs to be tagged.

2. It checks whether the supplied computer name exists in Active Directory; if not, it writes that to the log.

3. If the computer exists in AD, it checks whether the DP role is already installed; if so, it writes that to the log.

4. If the DP role is not installed, it initiates the DP role installation and writes the result to the log.

Note: the script does not check whether the remote computer is online or offline, or whether there are issues with firewall ports, as these are basic requirements before you run the script. The script also does not create any boundary groups and configures no proxy. It installs the DP role using the site server computer account (make sure your SCCM server account is a member of the local Administrators group on all remote computers).

To install the DP role I used two basic cmdlets, New-CMSiteSystemServer and Add-CMDistributionPoint. To know more about these cmdlets and examples, refer to https://docs.microsoft.com/en-us/powershell/sccm/configurationmanager/vlatest/configurationmanager, or from a PowerShell prompt run Get-Help New-CMSiteSystemServer.

If you want to install the DP role using a service account instead of the site server account, you can do so by editing the script.
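The following is an added example of the four steps listed above, written for this post; it is not the script from the TechNet Gallery download. It assumes the ConfigurationManager module that ships with the console (located via $env:SMS_ADMIN_UI_PATH), the ActiveDirectory module, a CSV with the columns Name, Description and Tsitecode, that the site server computer account is a local administrator on each target, and the Add-CMDistributionPoint parameters as documented for the module (a self-signed DP certificate is used, so -CertificateExpirationTimeUtc is required). The CSV and log paths are placeholders.

```powershell
# Added example (not the post's downloadable script): install the DP role on
# every computer in a CSV, logging what was skipped and what was started.
# Assumptions: ConfigurationManager and ActiveDirectory modules; site server
# account is local admin on targets; self-signed DP certificate is acceptable.
param(
    [string]$CsvPath = 'C:\Scripts\dpcomputers.csv',   # placeholder path
    [string]$LogPath = 'C:\Scripts\DPInstall.log'      # placeholder path
)

Import-Module ActiveDirectory -ErrorAction Stop
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1') -ErrorAction Stop

function Write-Log([string]$Message) {
    "{0:yyyy-MM-dd HH:mm:ss}  {1}" -f (Get-Date), $Message | Tee-Object -FilePath $LogPath -Append
}

foreach ($row in Import-Csv -Path $CsvPath) {
    $fqdn = $row.Name.Trim()
    $site = $row.Tsitecode.Trim()

    # Step 2: the computer must exist in AD (matched on its DNS host name).
    $ad = Get-ADComputer -Filter "DNSHostName -eq '$fqdn'" -ErrorAction SilentlyContinue
    if (-not $ad) { Write-Log "$fqdn : not found in Active Directory, skipped"; continue }

    # The CM cmdlets need the site drive (named after the site code) as location.
    Push-Location "$($site):"
    try {
        # Step 3: skip computers that already hold the DP role in this site.
        if (Get-CMDistributionPoint -SiteSystemServerName $fqdn -SiteCode $site -ErrorAction SilentlyContinue) {
            Write-Log "$fqdn : DP role already installed in site $site, skipped"
            continue
        }
        # Step 4: create the site system server if needed, then add the DP role.
        if (-not (Get-CMSiteSystemServer -SiteSystemServerName $fqdn -SiteCode $site -ErrorAction SilentlyContinue)) {
            New-CMSiteSystemServer -SiteSystemServerName $fqdn -SiteCode $site | Out-Null
        }
        Add-CMDistributionPoint -SiteSystemServerName $fqdn -SiteCode $site `
            -CertificateExpirationTimeUtc (Get-Date).AddYears(5) `
            -InstallInternetServer -ClientConnectionType Intranet `
            -MinimumFreeSpaceMB 5000 | Out-Null
        Write-Log "$fqdn : DP role installation initiated in site $site ($($row.Description))"
    } catch {
        Write-Log "$fqdn : failed - $($_.Exception.Message)"
    } finally {
        Pop-Location
    }
}
```

The `continue` inside the try block still runs the `finally`, so the location is restored for every row; and because a computer that is offline or blocked by a firewall only fails at the Add-CMDistributionPoint call, the failure line in the log is the place to look for the reachability problems the note above says the script does not pre-check.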

Download the script from the TechNet Gallery, extract the content to a folder and edit dpcomputers.csv to supply the computer name, description and Tsitecode (target site code) under which you want to tag the DP.

CSV file format: one row per computer with the columns computer name, description and Tsitecode.

Output: the log file records, for each computer, whether it was not found in AD, already had the DP role, or had the DP role installation initiated.

Hope it helps.

SCCM Configmgr Unable to run SSRS reports due to HTTP 500 Internal Server Error


I was setting up a Configuration Manager current branch (1702) lab for testing. While running the ConfigMgr reports in the IE browser, http://servername/Reports/Pages/Folder.aspx, it failed with HTTP 500 Internal Server Error. SQL Server is installed locally on the ConfigMgr box.

I have seen this error a couple of times but did not remember the solution. So in this blog post we will troubleshoot the issue by going through the log files and solve it.

The error shown while browsing the ConfigMgr reports was HTTP 500 Internal Server Error.

When you get this error, the first place to look is the reporting point role installation logs, which are located in your ConfigMgr installation logs folder.

srsrpsetup.log: records the results of the reporting point installation process.

srsrp.log: records information about the activity and status of the reporting services point.

From srsrpsetup.log, the reporting services role installed successfully. The next log to look at is srsrp.log to check the health.

srsrp.log :

System.Web.Services.Protocols.SoapException: The operation you are attempting requires a secure connection (HTTPS). ---> Microsoft.ReportingServices.Diagnostics.Utilities.SecureConnectionRequiredException: The operation you are attempting requires a secure connection (HTTPS).~   at Microsoft.ReportingServices.WebServer.RsSoapExtension.EnsureHttpsLevel(SoapMessage message)~   at Microsoft.ReportingServices.WebServer.RsSoapExtension.ProcessMessage(SoapMessage message)~   at System.Web.Services.Protocols.SoapMessage.RunExtensions(SoapExtension[] extensions, Boolean throwOnException)~   at System.Web.Services.Protocols.SoapServerProtocol.ReadParameters()~   at System.Web.Services.Protocols.WebServiceHandler.CoreProcessRequest()

Failures reported during periodic health check by the SRS Server servername.domainname

The SSRS role was installed successfully, but the health check did not run successfully.

Next is to check in the Reporting Services Configuration Manager wizard whether anything is configured incorrectly, and whether the reporting services service is running (this can be checked from services.msc).

At this stage, all checks passed but the issue persisted.

Until now we have done the troubleshooting from the ConfigMgr point of view; from now on we go a little further and check from the SQL point of view.

Next is to look at the SQL Reporting Services log, which is located in your SQL installation folder. Since I am using SQL Server 2014 on my SCCM server (SQL installed locally), the reporting services logs can be found at

C:\Program Files\Microsoft SQL Server\MSRS12.MSSQLSERVER\Reporting Services\LogFiles

Look at the most recently modified log (ReportServerService__07_14_2017_00_05_14) and open it using cmtrace.exe:

System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

An internet search for 'This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms' found https://blogs.msdn.microsoft.com/dataaccesstechnologies/2015/07/16/report-manager-system-invalidoperationexception-this-implementation-is-not-part-of-the-windows-platform-fips-validated-cryptographic-algorithms/

Follow the instructions given in the above link and apply the solution.

For me, after applying the changes described above (I edited web.config), I got the following error, which led me to change SecureConnectionLevel to 0 in the rsreportserver.config file located in C:\Program Files\Microsoft SQL Server\MSRS12.MSSQLSERVER\Reporting Services\ReportServer (reference: TechNet article).

Error: The underlying connection was closed: An unexpected error occurred on a send

Solution: set SecureConnectionLevel to 0 in rsreportserver.config as described above.

Go back to your reports URL (http://servername/Reports/Pages/Folder.aspx) and run the reports again to see whether it works.
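Both settings touched in this post are worth reading before and after the change, so the fix can be reviewed later. The function below is an added example, not from the post, that reports the machine-wide FIPS policy flag and the SecureConnectionLevel value from rsreportserver.config. It assumes the SQL Server 2014 default-instance path used above and that SecureConnectionLevel appears as a single element somewhere in rsreportserver.config (it is located by XPath rather than by a fixed parent path for that reason).

```powershell
# Added example (not the blog's own code): read the FIPS policy flag and the
# SSRS SecureConnectionLevel so both settings can be recorded before a change.
# Assumptions: SQL 2014 default instance path; one SecureConnectionLevel element.
function Get-SsrsSecuritySettings {
    param(
        [string]$ReportServerPath = 'C:\Program Files\Microsoft SQL Server\MSRS12.MSSQLSERVER\Reporting Services\ReportServer'
    )
    # Machine-wide policy behind "not part of the Windows Platform FIPS validated
    # cryptographic algorithms": 1 = only FIPS-validated algorithms allowed.
    $fips = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
                             -Name Enabled -ErrorAction SilentlyContinue

    $configFile = Join-Path $ReportServerPath 'rsreportserver.config'
    [xml]$config = Get-Content -LiteralPath $configFile -ErrorAction Stop
    $node = $config.SelectSingleNode('//SecureConnectionLevel')
    $level = if ($node) { [int]$node.InnerText } else { $null }

    [pscustomobject]@{
        FipsPolicyEnabled     = ($fips.Enabled -eq 1)
        SecureConnectionLevel = $level
        # 0 accepts HTTP for every SSRS call; any higher value demands TLS for at
        # least some calls, which is what the srsrp.log exception above reported.
        HttpsRequired         = ($level -gt 0)
        ConfigFile            = $configFile
    }
}

Get-SsrsSecuritySettings
```

Setting SecureConnectionLevel to 0 means report requests, and with them the Windows credentials SSRS negotiates, are accepted over plain HTTP unless a TLS binding is configured on the reporting URL; if the reports are reached from anywhere other than the site server itself, add an HTTPS URL in Reporting Services Configuration Manager rather than relying on the level-0 setting alone.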


Hope it helps!

SCCM Configmgr Get count of software updates with its severity (Critical,Important,Moderate and Low)


A quick post on how to get the list or count of updates in your Configuration Manager with the severity categorised as Critical, Important, Moderate and Low.

To get the count of updates by severity, you first need to identify which SQL views store this information about software updates.

Get the SQL views documentation for all ConfigMgr versions starting from SCCM 2012 to current branch 1702 from https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b

The severity of the software updates is stored in v_UpdateInfo. This SQL view stores a lot of other information such as title, article ID, bulletin ID, date posted and more; most of the metadata about software updates is stored in v_UpdateInfo.

We will use this SQL view to get the count of software updates by severity.

Listed below are the severity values and their descriptions:

Severity=2 -> Low

Severity=6 -> Moderate

Severity=8 -> Important

Severity=10 -> Critical

I am listing two SQL queries here: 1) without any filters, which gets you what is available in your CM database; 2) with custom filters, a more modified version (thanks to Sherry on myitforum).

1.

select CASE(ui.Severity)
When 2 Then 'Low' When 6 Then 'Moderate' When 8 Then 'Important' When 10 Then 'Critical' Else 'NA' End as 'Severity',
ui.Severity ,count(ui.ci_id) [Total Updates]
from v_updateinfo ui
group by ui.severity
order by 3 desc

 


2.

;with cte as (
    select
        CI_ID,
        BulletinID,
        ArticleID,
        Title,
        DatePosted,
        DateRevised,
        isExpired,
        isSuperseded,
        CI_UniqueID,
        case
            when (ui.severity=0 and ui.CustomSeverity=0) or ui.severity is null then '0 None'
            when ui.CustomSeverity=6 then '6 Moderate'
            when ui.CustomSeverity=8 then '8 Important'
            when ui.CustomSeverity=10 then '10 Critical'
            when ui.CustomSeverity=2 then '2 Low'
            when ui.Severity=2 and ui.CustomSeverity=0 then '2 Low'
            when ui.Severity=6 and ui.CustomSeverity=0 then '6 Moderate'
            when ui.Severity=8 and ui.CustomSeverity=0 then '8 Important'
            when ui.Severity=10 and ui.CustomSeverity=0 then '10 Critical'
        end as 'Severity'
    from v_UpdateInfo ui
    where ui.title not like '%Itanium%'
)
select Severity, count(*) [Count]
from cte
group by Severity
order by Severity

You can add more filters to the second query, for example on the isSuperseded and isExpired columns.

SCCM Configmgr Software Update Compliance Report for Specific Collection within Specific Time Frame


In this post I will discuss a requirement I got recently. A local team/manager wants to run a software update compliance report for their LBU machines (collections) to see whether all the clients in the collection are compliant for all the patches released between date X and date Y.

It does not matter whether all the patches requested/available in SCCM are deployed or not; the SCCM report should show whether the clients are in good shape for the specific period.

By default in SCCM there are a couple of reports available for software update compliance, but they do not cover the compliance status of a specific collection for all updates that exist in SCCM (no software update group here) within a specific period, say Jan 1, 2015 to Dec 31, 2015, or any range X to Y.

How do you generate a software update compliance report for a specific collection for all the updates available in SCCM within a specific date range?

To create a report for this requirement, we need the set of SQL views that hold information about software updates, collections, client inventory, etc.

Below are the SQL views I used in this report:

v_GS_COMPUTER_SYSTEM

v_CICategories_All

v_CategoryInfo

v_gs_workstation_status

v_fullcollectionmembership

v_UpdateInfo

v_UpdateComplianceStatus

Download the SSRS report from the TechNet Gallery, upload it to your SSRS folder, change the data source and run the report.

When you run the report, it prompts for the collection, start date and end date.

The results in the report exclude superseded and expired updates (IsExpired=0 and IsSuperseded=0).

The original report is taken from Garth's post, http://smsug.ca/blogs/garth_jones/archive/2009/02/25/patch-compliance-progression-report.aspx, and modified to include the date prompt, the superseded/expired filter, and added inventory information such as OS, update scan, IP address and last reboot.

A linked report to see the list of updates for each client will be in the next post.

SCCM ConfigMgr Available and Required Deployment options for content download


I have often seen questions in social communities and online forums on this topic and how these options work during content download, so I will try to explain what they mean and how they work when it comes to content download.

When you create any deployment (applications, software updates, task sequences, etc.), you will see two options, called Type of Deployment (for software updates) or Purpose (for applications): Required and Available. In this blog post we will see what they mean and how they work.

Available: available deployments do not have a deadline; they are optional. When you choose Available as the type of deployment, the user can see the deployment in Software Center and it will never be installed automatically unless the user selects and installs it.

When the user chooses to install an available deployment in Software Center, it starts downloading the content and installs it regardless of whether the client has a maintenance window, since it was initiated by the user; it proceeds to install right after the download. But if the deployment requires a reboot, it checks for an MW (maintenance window) and only reboots within it.

In this type of deployment, content is not downloaded automatically unless the user initiates the deployment.

Required: required deployments have an available time and a deadline time. When you create the deployment, you set the available time (for clients to download the policies and download the content) and the deadline time (for installation).

When machine policy runs on the client, the client downloads the policies that are new or updated, evaluates them and injects them into WMI.

If you have deployments with a future deadline date rather than As soon as possible (which means the current time when you create the deployment), the client will not evaluate the deployment for content download; instead it waits for the deadline date to download the content and install (if enough maintenance window is available).

In a required deployment, content download happens only when the deployment reaches/passes the deadline date. Once the download finishes, the client checks for enough maintenance window; if there is, it installs right after the content download. If only a future maintenance window is available, it must wait for that MW and install then.

If you set the deadline to As soon as possible (the current time on the site server), the client receives the policy, processes it and downloads the content immediately because of the deadline; for the install it checks for an MW and, if there is one, waits for it, otherwise installs the deployment.

My observation for software update deployments:

Take as an example that I have deployed a few software update groups to a collection with a future deadline date but the available time set to the current date. After 60 minutes (the default), the client receives the new/updated policies, processes them and injects them into WMI, but the content will not be downloaded until it reaches the deadline time.

In this case, all my deployments are set to a future deadline date, so they will never be evaluated by the software update deployment evaluation cycle until the deadline is reached, and you will not see the updates in Software Center. When the deadline triggers, the patches are downloaded and installed if enough MW is available.

you will only see the list of patches available in software center if it is evaluated by software update deployment evaluation cycle and this happens automatically when the deadline reaches or you can initiate the

What happens if the client has downloaded the policies and you initiate the deployment evaluation?

Once the deadline time is reached, deployment evaluation starts: it picks the policies available in the client WMI, processes each update with its compliance check (required, not required or already installed) and starts downloading the updates into ccmcache.

In this scenario, the download happens when the deadline is reached, not because a maintenance window is available. The maintenance window applies only to the installation of updates, not to their download.

For more information about how the maintenance window is calculated, take a look at https://blogs.technet.microsoft.com/charlesa_us/2015/04/21/system-center-configuration-manager-2012-maintenance-windows-getting-to-know-you/
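The behaviour described above (policy in WMI but nothing evaluated or downloaded until the deadline, and a maintenance window gating only the install) can be observed directly on a client. The following is an added example, not from the post, that lists the updates the client has evaluated together with their current state, and offers a function that starts the Software Updates Deployment Evaluation Cycle on demand. It assumes it runs locally on a client, that CCM_SoftwareUpdate in root\ccm\ClientSDK exposes the ArticleID, Name, Deadline, EvaluationState and PercentComplete properties, and that the schedule ID of the deployment evaluation cycle is {00000000-0000-0000-0000-000000000108}.

```powershell
# Added example (not the blog's own code): show evaluated updates and their
# state on a ConfigMgr client, and trigger deployment evaluation on demand.
# Assumptions: run locally; schedule ID ...108 = Software Updates Deployment Evaluation.
function Get-ClientUpdateState {
    # EvaluationState values of CCM_SoftwareUpdate. 14 (WaitServiceWindow) is the
    # state described above: content already downloaded, install waiting for a MW.
    $states = @{
        0 = 'None'; 1 = 'Available'; 2 = 'Submitted'; 3 = 'Detecting'; 4 = 'PreDownload'
        5 = 'Downloading'; 6 = 'WaitInstall'; 7 = 'Installing'; 8 = 'PendingSoftReboot'
        9 = 'PendingHardReboot'; 10 = 'WaitReboot'; 11 = 'Verifying'; 12 = 'InstallComplete'
        13 = 'Error'; 14 = 'WaitServiceWindow'
    }
    Get-WmiObject -Namespace 'root\ccm\ClientSDK' -Class CCM_SoftwareUpdate |
        ForEach-Object {
            $s = [int]$_.EvaluationState
            [pscustomobject]@{
                ArticleID   = $_.ArticleID
                Name        = $_.Name
                # Deadline is a CIM datetime string; convert only when present.
                Deadline    = if ($_.Deadline) { [System.Management.ManagementDateTimeConverter]::ToDateTime($_.Deadline) } else { $null }
                State       = if ($states.ContainsKey($s)) { $states[$s] } else { "State$s" }
                PercentDone = $_.PercentComplete
            }
        }
}

function Start-UpdateDeploymentEvaluation {
    # Same action as "Software Updates Deployment Evaluation Cycle" in the
    # Configuration Manager control panel applet; it makes the client process the
    # update policies already in WMI without waiting for the deadline.
    Invoke-WmiMethod -Namespace 'root\ccm' -Class SMS_Client -Name TriggerSchedule `
        -ArgumentList '{00000000-0000-0000-0000-000000000108}' | Out-Null
}

Get-ClientUpdateState | Sort-Object Deadline | Format-Table -AutoSize
```

On a client that has received a required deployment with a future deadline, Get-ClientUpdateState returns nothing for those updates until the deadline passes or Start-UpdateDeploymentEvaluation is run; once they appear, an update sitting in WaitServiceWindow with PercentDone at 100 is the download-before-window behaviour the post describes.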

 

My Observation in Application Deployment:

Like i said how the content download happens for software updates ,it is not same for application Deployment .

For application deployment ,after the deployment to collection with available time as current time and deadline time as future time ,it took random time of 3-4 hours for the application to display in software center and also download happen automatically (Disable deadline randomisation is set to Yes but still it happens after sometime).

Hope You will find this article useful.

SCCM Configmgr Clean Old Client logs that contain SCNotify and SCClient using Compliance Settings


A few months ago I wrote a blog post about how to use compliance settings to clean content in the ccmcache folder. For more information, please refer to http://eskonr.com/2016/08/sccm-configmgr-how-to-clean-ccmcache-content-older-than-x-days-using-compliance-settings/

This blog post is about deleting the client log files whose names contain SCNotify and SCClient.

What information do these logs capture?

SCNotify_<domain>@<username>_1.log: records the activity for notifying users about software for the specified user.

SCNotify_<domain>@<username>_1-<date_time>.log: records the historical information for notifying users about software for the specified user.

SCClient_<domain>@<username>_1.log: records the activity in Software Center for the specified user on the client computer.

SCClient_<domain>@<username>_2.log: records the historical activity in Software Center for the specified user on the client computer.

In these logs you will see a lot of WMI classes and information about application notifications to the user with their availability, and also user activities performed in Software Center.

We will use compliance settings to detect whether there are any of these log files older than 7 days, and if the count is more than 0, perform the cleanup.

I am not going into step-by-step detail on how to create compliance settings; instead I provide the discovery script and remediation script along with a CAB file that I exported from my lab.

So if you want to create your own from scratch, just use the scripts below for discovery and remediation and you are good, OR

import the CAB file into your ConfigMgr and change it as you like, for example the number of days from 7 to 15 or whatever you like, and the logs folder location (C:\windows\ccm\logs).

Import the CAB file and deploy the configuration baseline to your clients on a schedule.

Download the configuration baseline file from the TechNet Gallery.

Discovery Script:

#discover
# Count the SCNotify*/SCClient* logs (and their _SCNotify*/_SCClient* variants) last written more than $MinDays ago; the CI rule compares this number with 0.
$MinDays = 7
(Get-ChildItem -Path C:\windows\ccm\logs | Where-Object { ($_.Name -like 'SCNotify*' -or $_.Name -like 'SCClient*' -or $_.Name -like '_SCNotify*' -or $_.Name -like '_SCClient*') -and ($_.LastWriteTime -lt (Get-Date).AddDays(-$MinDays)) } | Measure-Object).Count

Remediation Script:

#Remediate
# Same selection as the discovery script, then delete each matching file.
$MinDays = 7
$logs = Get-ChildItem -Path C:\windows\ccm\logs | Where-Object { ($_.Name -like 'SCNotify*' -or $_.Name -like 'SCClient*' -or $_.Name -like '_SCNotify*' -or $_.Name -like '_SCClient*') -and ($_.LastWriteTime -lt (Get-Date).AddDays(-$MinDays)) }
ForEach ($log in $logs)
{
    # Remove-Item instead of the del alias; -Force also removes read-only files.
    Remove-Item -Path $log.FullName -Force
}
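As an added example (not the script from the post), here is the same selection as a single function that also reports the size involved and only deletes with -Remove, honouring -WhatIf. The path, day threshold and name patterns are parameters that default to the values used above.

```powershell
# Added example; not the script from the post. Same selection as the discovery
# script above, but as a function that also reports size and can delete safely.
function Get-StaleSoftwareCenterLog {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$LogPath = 'C:\windows\ccm\logs',
        [int]$MinDays = 7,
        # Same wildcard patterns the post's scripts use.
        [string[]]$Pattern = @('SCNotify*', 'SCClient*', '_SCNotify*', '_SCClient*'),
        [switch]$Remove
    )

    $cutoff = (Get-Date).AddDays(-$MinDays)

    # Keep files whose name matches any pattern and whose last write is before
    # the cutoff; -File skips sub-folders in the log directory.
    $stale = @(Get-ChildItem -Path $LogPath -File -ErrorAction Stop | Where-Object {
        $name = $_.Name
        ($Pattern | Where-Object { $name -like $_ }) -and ($_.LastWriteTime -lt $cutoff)
    })

    $freed = 0
    if ($Remove) {
        foreach ($file in $stale) {
            # ShouldProcess makes -WhatIf / -Confirm work for the delete.
            if ($PSCmdlet.ShouldProcess($file.FullName, 'Remove stale log')) {
                Remove-Item -LiteralPath $file.FullName -Force
                $freed += $file.Length
            }
        }
    }

    # One summary object: a CI discovery script can return .Count, and the
    # remediation script can log .SizeMB / .FreedMB.
    $total = ($stale | Measure-Object -Property Length -Sum).Sum
    [pscustomobject]@{
        Count   = $stale.Count
        SizeMB  = [math]::Round(([double]$total / 1MB), 1)
        FreedMB = [math]::Round(($freed / 1MB), 1)
        Files   = $stale
    }
}

# Discovery-style use (report only), then remediation-style with a dry run first.
(Get-StaleSoftwareCenterLog).Count
Get-StaleSoftwareCenterLog -Remove -WhatIf
```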

Here is a client that I noticed: it has 1436 logs with a total size of 530MB, of which 450MB+ are SCNotify and SCClient logs older than 7 days.

Before I ran the script, there were 1436 files with a size of about 550MB.

After the script:

After the script, the file count was reduced to 189 with a size of 20MB.

Hope this helps !


SCCM Configmgr How to make SCUP console settings available for all users and make the database as shared


If you are using the SCUP (System Center Updates Publisher) tool to manage 3rd party updates integrated with Configuration Manager, there are 2 things you need to look at.

1) The settings configured in the SCUP console are per user and stored in the user profile (user.config in C:\Users\%UserName%\AppData\Local\Microsoft\Scup2011.exe_StrongName_XXXXXXXXXX).

2) The database file that stores all your 3rd party catalogues, publications etc. is also stored in the user profile (C:\Users\%username%\AppData\Local\Microsoft\System Center Updates Publisher 2011\) at the time SCUP is configured.

If other users who have permissions try to open the SCUP console, they will see everything blank, because of the two points above: SCUP settings, configuration and database are user specific when installed and configured.

It is always difficult for new users to go through the configuration, settings, importing the catalogues etc. before they can publish updates.

In this blog post, we will see how to make the SCUP console settings and database available (shared) to all users who want to manage 3rd party updates.

1. How to make SCUP settings like publish to an update server, Configmgr integration, trusted publishers (all your catalogues) and proxy settings (except the password) available to all users.

To copy the user specific settings to all users, perform the following changes.

Go to the user profile (C:\Users\%Username%\AppData\Local\Microsoft) of the user who configured the SCUP settings, imported the catalogues and published updates to Configmgr.

In this folder you will see a folder called Scup2011.exe_StrongName_<random number>; go into it to find the user.config file, for example:

C:\Users\%username%\AppData\Local\Microsoft\Scup2011.exe_StrongName_2wzdfznimh1kefuisr0pqsefwkw5k4tp\5.0.1727.0


This user.config file has all the settings of your SCUP console.

We will copy these settings to a config file that is shared by all users (except the proxy password, if you have set one in the SCUP console).

Open the user.config file in Notepad and keep it aside; we will soon copy the settings from this file to the commonly used config file.

Go to your SCUP installation folder and open the Scup2011.exe.config file in Notepad.

By default, the settings in this file have no values, and these settings are used to create a new user.config when a user launches the SCUP console for the first time.

Now we have 2 config files (user.config and Scup2011.exe.config).

If you have a proxy server name with a password, copying the setting will not help; you will have to re-enter the proxy password.


Note: Take a backup of these 2 files before editing, in case something goes wrong while editing them.

Copy the settings that are common from user.config to Scup2011.exe.config.

Once you have copied all the settings, save Scup2011.exe.config.

Now we have completed task 1, which gives new users the certificate, SCCM integration and other settings.

Wait, we are yet to complete task 2, which is the database that contains information about catalogues, publications etc.

Go to the user profile (C:\Users\%UserName%\AppData\Local\Microsoft\System Center Updates Publisher 2011\5.00.1727.0000) and copy the database file scupdb.sdf.


We are going to paste the database file into the SCUP installation folder, which is C:\Program Files (x86)\System Center Updates Publisher 2011.


Now we will edit the config file (Scup2011.exe.config) so that all users use this database as shared.

Edit Scup2011.exe.config located at C:\Program Files (x86)\System Center Updates Publisher 2011.

As you can see below, the data file is set to empty; we will now change the value to point to the data file.


Add the following database file as the value, as shown below, then save and close the file.

<value>C:\Program Files (x86)\System Center Updates Publisher 2011\scupdb.sdf</value>


From now on, when an existing user (who is using the console to manage SCUP updates) or a new user launches the SCUP console, it will point to the database file C:\Program Files (x86)\System Center Updates Publisher 2011\scupdb.sdf and the settings are loaded automatically, which can be verified in the SCUP console under Options, Advanced, Current connection details.
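The two manual edits above (copying the common settings from user.config into Scup2011.exe.config, then setting the data-file value) as one script, added here as an example and not part of the post. It assumes the standard .NET application-settings layout in both files; the names of the settings to skip (the proxy password) and of the data-file setting are not shown in the post, so they are parameters, and the scupdb.sdf copy is still done by hand as described above.

```powershell
# Added example; not from the post. Merges a configured user's SCUP settings
# into the shared Scup2011.exe.config and points it at a shared scupdb.sdf.
# Assumes the .NET application-settings layout in both files:
#   <setting name="..." serializeAs="String"><value>...</value></setting>
# The names of settings to skip (the proxy password) and of the data-file
# setting are not shown in the post, so they are parameters here.
function Merge-ScupUserConfig {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$UserConfig,    # user.config of the configured user
        [Parameter(Mandatory)][string]$SharedConfig,  # Scup2011.exe.config in the install folder
        [string[]]$SkipSetting = @(),                 # e.g. the proxy password setting name
        [string]$DatabaseSettingName,                 # name of the data-file setting, if known
        [string]$DatabasePath = 'C:\Program Files (x86)\System Center Updates Publisher 2011\scupdb.sdf'
    )

    [xml]$user   = Get-Content -LiteralPath $UserConfig -Raw
    [xml]$shared = Get-Content -LiteralPath $SharedConfig -Raw

    $copied = @()
    foreach ($src in $user.SelectNodes('//setting[@name]')) {
        $name = $src.GetAttribute('name')
        if ($SkipSetting -contains $name) { continue }
        $srcValue = $src.SelectSingleNode('value')
        # Only settings the shared file already declares are updated.
        $dst = $shared.SelectSingleNode("//setting[@name='$name']/value")
        if ($null -eq $srcValue -or $null -eq $dst) { continue }
        $dst.InnerText = $srcValue.InnerText
        $copied += $name
    }

    if ($DatabaseSettingName) {
        $db = $shared.SelectSingleNode("//setting[@name='$DatabaseSettingName']/value")
        if ($null -eq $db) { throw "Setting '$DatabaseSettingName' not found in $SharedConfig" }
        $db.InnerText = $DatabasePath
    }

    if ($PSCmdlet.ShouldProcess($SharedConfig, "Write $($copied.Count) merged settings")) {
        # Back up the shared file first, as the post recommends.
        $backup = "$SharedConfig.$(Get-Date -Format yyyyMMddHHmmss).bak"
        Copy-Item -LiteralPath $SharedConfig -Destination $backup
        $shared.Save($SharedConfig)
    }
    [pscustomobject]@{ CopiedSettings = $copied; Database = $DatabasePath }
}

# Dry run; <random> stands for the StrongName folder suffix on your machine.
Merge-ScupUserConfig -WhatIf `
    -UserConfig   "$env:LOCALAPPDATA\Microsoft\Scup2011.exe_StrongName_<random>\5.0.1727.0\user.config" `
    -SharedConfig 'C:\Program Files (x86)\System Center Updates Publisher 2011\Scup2011.exe.config'
```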


With this, we have completed copying the settings for new users and also made the SCUP database shared.

Hope this helps!

SCCM Configmgr software update scan stuck with error code 80080005


To manage software updates using SCCM/Configmgr, the software update scan (with the help of the Windows Update Agent) is mandatory; without it, the client cannot download the update catalog (metadata) from WSUS and perform the scan that tells the server, via state messages, what is required and what is not.

When I was looking at the software update scan reports a few days ago, I identified some clients (Windows servers) that could not perform the software update scan. So I decided to take a look at one of the client's logs and troubleshoot further.

After logging into the server, I looked at wuahandler.log, scanagent.log and windowsupdate.log, as these logs help you troubleshoot software update scan issues at the initial stage.

Below is the Windows Update log.


WARNING:     IsSessionRemote: WinStationQueryInformationW(WTSIsRemoteSession) failed for session 2, GetLastError=2250

COMAPI    FATAL: Unable to connect to the service (hr=80080005)

COMAPI    WARNING: Unable to establish connection to the service. (hr=80080005)

After seeing this error, I tried to stop the Windows Update service, but it was stuck at “stopping” status (hung) and never finished. So I had to kill the service using the taskkill command.

Open cmd as an administrator

  1. Run:  taskkill /f /fi "services eq wuauserv"

After the Windows Update service started, I tried initiating the software update scan to see if that made any difference, but the issue repeated (same error code in the Windows Update log, and the software update scan never moved forward in wuahandler.log).

I even tried installing the updates manually to see if that goes through but that also failed.


After doing the basic troubleshooting described above, the issue is not with the SCCM client or the Windows Update Agent; rather it is a Windows issue, likely caused by a missing/corrupt class in root\microsoft\windows\servermanager.

How do you know the issue is related to a missing/corrupt WMI class?

For this, you need to create a dump to analyse what is going on; here is what was found in the dump log.

0 0000003ebe29d4c8 00007ffd372713ed ntdll!ZwWaitForMultipleObjects+0xa

1 0000003ebe29d4d0 00007ffd39a1f9e4 KERNELBASE!WaitForMultipleObjectsEx+0xe1

4 0000003ebe29d850 00007ffd2f31a1c7 wbemcore!CCoreQueue::QueueWaitForSingleObject+0x5c   Waiting for thread running wbemcore!CCoreQueue::Execute

5 0000003ebe29d8a0 00007ffd2f328f5a wbemcore!CWmiFinalizer::GetOperationResult+0x67

6 0000003ebe29d8e0 00007ffd2a999afd wbemcore!CWbemNamespace::ExecQuery+0x2ae

7 0000003ebe29d9b0 00007ffd2aaad24a wuaueng!CSystemExprEvaluator::EvaluateWmiQuery+0x1e1

10 0000003ebe29df70 00007ffd2aaa7275 wuaueng!CAgentUpdateManager::EvaluateSingleApplicabilityRule+0x1a6

11 0000003ebe29e0a0 00007ffd2aaa6a76 wuaueng!CAgentUpdateManager::EvaluateUpdateApplicabilityRules+0x51a

12 0000003ebe29e8f0 00007ffd2a9857e9 wuaueng!CAgentUpdateManager::DetectForUpdate+0x3e7

13 0000003ebe29ead0 00007ffd2a997bdf wuaueng!CAgentUpdateManager::EvaluateUpdateSet+0x129

From the dump log, we can see the hang is due to waiting for WBEM. WBEM is Web-Based Enterprise Management, and its Microsoft implementation is Windows Management Instrumentation (WMI).

When Windows Update is in the “scanning for updates” state, the WMI provider in use is ServerManager.DeploymentProvider.

The command below compiles servermanager.deploymentprovider.mof. If ServerManager.DeploymentProvider is bad, this command will fix it. If ServerManager.DeploymentProvider is good, the command will not cause any damage to the machine. Thus running this command is the troubleshooting action I chose.

Open cmd as an administrator

  1. Run:  taskkill /f /fi "services eq wuauserv"
  2. Run the following command to recompile the MOF file:  mofcomp c:\windows\system32\wbem\servermanager.deploymentprovider.mof
  3. Restart the machine.

After the server reboot, software update scan went through successfully.

I could not find a way to check whether ServerManager.DeploymentProvider is good or bad, but compiling the MOF does not harm the server and also fixes the issue.
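One way to at least check that the provider is registered before recompiling, plus the repair steps above wrapped so they can be dry-run, added here as an example that is not from the post. It assumes the MOF registers a __Win32Provider instance named ServerManager.DeploymentProvider in the root\Microsoft\Windows\ServerManager namespace; a provider that is registered can still misbehave, in which case the mofcomp step is the harmless next action the post describes.

```powershell
# Added example; not from the post. Checks whether the ServerManager deployment
# provider is registered in WMI and, if not, runs the post's repair steps.
# Assumption: servermanager.deploymentprovider.mof registers a __Win32Provider
# instance named 'ServerManager.DeploymentProvider' in the namespace below.
function Test-ServerManagerProvider {
    param(
        [string]$Namespace    = 'root\Microsoft\Windows\ServerManager',
        [string]$ProviderName = 'ServerManager.DeploymentProvider'
    )
    try {
        # __Win32Provider lists every provider registered in the namespace.
        $providers = Get-CimInstance -Namespace $Namespace -ClassName '__Win32Provider' -ErrorAction Stop
        $found = @($providers | Where-Object { $_.Name -eq $ProviderName })
        [pscustomobject]@{ NamespaceOk = $true;  ProviderRegistered = ($found.Count -gt 0); Error = $null }
    } catch {
        # A missing namespace or a failing enumeration points at the same corruption.
        [pscustomobject]@{ NamespaceOk = $false; ProviderRegistered = $false; Error = $_.Exception.Message }
    }
}

function Repair-ServerManagerProvider {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$MofPath = "$env:SystemRoot\System32\wbem\servermanager.deploymentprovider.mof",
        [switch]$Restart
    )
    if (-not (Test-Path -LiteralPath $MofPath)) { throw "MOF not found: $MofPath" }

    if ($PSCmdlet.ShouldProcess('wuauserv', 'Force-stop hung Windows Update service')) {
        # Same approach as the post: a hung service will not stop via Stop-Service.
        taskkill.exe /f /fi "services eq wuauserv" | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($MofPath, 'mofcomp')) {
        $output = & mofcomp.exe $MofPath 2>&1
        if ($LASTEXITCODE -ne 0) { throw "mofcomp failed ($LASTEXITCODE): $output" }
    }
    if ($Restart -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Restart computer')) {
        Restart-Computer -Force
    }
}

# Check first; repair only when the provider is missing (dry run shown).
$state = Test-ServerManagerProvider
$state
if (-not $state.ProviderRegistered) {
    Repair-ServerManagerProvider -WhatIf   # remove -WhatIf and add -Restart to repair for real
}
```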

Hope it helps!

How to check who executed SCCM Configmgr reports for auditing or troubleshooting purpose


If you want to know who executed the Configuration Manager reports (or any other SSRS reports) and how many times, or if anyone complains that some of the Configmgr reports are running slow or timing out, how do you find such reports and take action?

I receive requests from remote users saying that they have issues while running some of the custom reports, but when I run them, they work fine, just not for remote users. There could be many reasons why a report loads slowly (network or SQL code issues etc.) which I am not going to discuss here.

Recently I was checking on this to see which reports are run by users most often, how many times they have been run, which are the top reports and how long these reports take to execute.

When you run SSRS reports, a lot of information is logged into the report execution log.

This report execution log is stored in the report server database, which by default is named ReportServer. If you have a custom database name, then you must use that database to run the query.

As you can see in the following ReportServer database, there are 3 SQL views that contain the execution log information.


Below is an excerpt from the Microsoft article about these ExecutionLog SQL views.


Now, let's try a SQL query to pull information about the SSRS reports with their execution time, users, start time etc.

Use  ReportServer
select * from ExecutionLog3
order by TimeStart desc

Results using the above SQL query:

The query below helps you find the number of times each user ran each report.

Use ReportServer
select ItemPath,UserName,count(*) [No of times executed] from ExecutionLog3
group by ItemPath,UserName
order by 3 desc
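To answer the "slow or timed out" question from the start of the post directly, here is an added example (not from the post) that runs one aggregated query over ExecutionLog3 from PowerShell and returns the report/user combinations whose average run time is above a threshold, using the TimeDataRetrieval, TimeProcessing and TimeRendering columns of the view. It assumes the SqlServer module (Invoke-Sqlcmd) is installed, the instance name 'SQL01\CM' is a placeholder, and the database name is changed if yours is custom.

```powershell
# Added example; not from the post. One aggregated query over ExecutionLog3 that
# returns the slowest report/user combinations, so slow or timed-out reports can
# be found directly. Assumptions: the SqlServer module (Invoke-Sqlcmd) is
# available and the caller can read the ReportServer database.
function Get-SsrsSlowReport {
    param(
        [Parameter(Mandatory)][string]$ServerInstance,   # e.g. 'SQL01\CM' (placeholder)
        [string]$Database = 'ReportServer',              # your custom name if renamed
        [int]$Days = 30,                                 # look-back window
        [int]$MinAvgSeconds = 30,                        # threshold for "slow"
        [int]$Top = 20
    )
    # ExecutionLog3 stores the three phases of a run in milliseconds.
    $query = @"
SELECT TOP ($Top)
       ItemPath,
       UserName,
       COUNT(*) AS Executions,
       AVG(CAST(TimeDataRetrieval + TimeProcessing + TimeRendering AS float)) / 1000 AS AvgSeconds,
       MAX(TimeDataRetrieval + TimeProcessing + TimeRendering) / 1000.0           AS MaxSeconds,
       SUM(CASE WHEN Status <> 'rsSuccess' THEN 1 ELSE 0 END)                     AS Failures,
       MAX(TimeStart) AS LastRun
FROM   ExecutionLog3
WHERE  TimeStart >= DATEADD(day, -$Days, GETDATE())
GROUP BY ItemPath, UserName
HAVING AVG(CAST(TimeDataRetrieval + TimeProcessing + TimeRendering AS float)) >= $MinAvgSeconds * 1000
ORDER BY AvgSeconds DESC;
"@
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $query
}

Get-SsrsSlowReport -ServerInstance 'SQL01\CM' -MinAvgSeconds 30 | Format-Table -AutoSize
```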


One way to reduce disk space/CPU I/O is to enable the cache option in reports; for further reading, have a look at https://www.enhansoft.com/blog/how-to-setup-report-caching-for-a-ssrs-report

More information about the columns and their descriptions can be found at http://www.sqlchick.com/entries/2011/2/6/querying-the-report-server-execution-log.html

Hope it helps!

SCCM Configmgr Powershell script to remove the Maintenance Window on list of collections


Maintenance windows in SCCM Configmgr enable you to define a time when SCCM operations can be carried out on members of a device collection. These maintenance windows help ensure that client configuration changes occur during periods that do not affect the productivity of the organization. For more information about maintenance windows, refer to https://docs.microsoft.com/en-us/sccm/core/clients/manage/collections/use-maintenance-windows

I had a requirement to remove all maintenance windows that are set on a list of collections. Removing the maintenance windows for each collection would be a tedious task: right click the collection, select the maintenance window and delete it.

Note: Removing the maintenance windows allows deployments that are pushed to those collections to install.

In this blog post, we will see how PowerShell can do this task in seconds for any number of collections that you put into a txt file.

All you need is to get the list of collection IDs, put them in a text file and run the script.

This script does not output any results to a log file saying what the existing maintenance windows were and what was deleted. If you want, you can customize the script to log the output.

This script uses 2 basic PowerShell cmdlets available in the Configuration Manager module:

Get-CMMaintenanceWindow: gets the maintenance windows for a collection.

Remove-CMMaintenanceWindow: removes a maintenance window associated with a collection.


Download the PowerShell script from the TechNet Gallery, supply the list of collection IDs and run the script.
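An added example (not the script from the post) of the same task built on the two cmdlets named above, with the logging the post leaves out: every window found is written to a CSV before it is removed, and -WhatIf previews the run. It assumes the ConfigurationManager module is imported and the current location is the site drive; the collection ID file path is a placeholder.

```powershell
# Added example; not the script from the post. Reads collection IDs from a text
# file, records every maintenance window it finds to a CSV log, then removes the
# windows. Assumes the ConfigurationManager module is imported and the current
# location is the site drive (e.g. 'P01:'; placeholder site code).
function Remove-CMCollectionMaintenanceWindows {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$CollectionIdFile,   # one collection ID per line
        [string]$LogPath = "$env:TEMP\MaintenanceWindowRemoval.csv"
    )
    # Trim whitespace and skip empty lines in the input file.
    $ids = Get-Content -LiteralPath $CollectionIdFile | ForEach-Object { $_.Trim() } | Where-Object { $_ }

    $log = foreach ($id in $ids) {
        $windows = @(Get-CMMaintenanceWindow -CollectionId $id -ErrorAction SilentlyContinue)
        if ($windows.Count -eq 0) {
            # Record collections that had nothing to remove (or an unknown ID).
            [pscustomobject]@{ CollectionId = $id; Window = ''; StartTime = ''; Duration = ''; Action = 'NoWindow' }
            continue
        }
        foreach ($w in $windows) {
            $action = 'Skipped'
            if ($PSCmdlet.ShouldProcess("$id / $($w.Name)", 'Remove maintenance window')) {
                Remove-CMMaintenanceWindow -CollectionId $id -Name $w.Name -Force
                $action = 'Removed'
            }
            # What existed before, so the change can be reviewed or reversed.
            [pscustomobject]@{
                CollectionId = $id
                Window       = $w.Name
                StartTime    = $w.StartTime
                Duration     = $w.Duration      # minutes
                Action       = $action
            }
        }
    }

    $log | Export-Csv -LiteralPath $LogPath -NoTypeInformation
    $log
}

# Preview first; drop -WhatIf to remove the windows.
Remove-CMCollectionMaintenanceWindows -CollectionIdFile 'C:\Temp\CollectionIDs.txt' -WhatIf
```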

SCCM Configmgr Report for Boundary group relationships with Fallback Sites


Beginning with Configmgr version 1702, clients use boundary groups to find a new software update point. You can add individual software update points to different boundary groups to control which servers a client can find.

For more information about boundary groups and their relation to the software update point changes in 1702 and 1706, please refer to the TechNet link https://docs.microsoft.com/en-us/sccm/core/servers/deploy/configure/boundary-groups; it has far more information than I can explain here.

A few weeks ago, I was looking at the boundaries and boundary groups configured for my environment with their fallback information (distribution point and software update point).

I find it hard to locate the boundaries that are configured with fallback distribution points and fallback software update points. In case you want to know the list of boundaries/boundary groups that are configured with fallback options, there is no default report.

I have created an SSRS report that pulls this information from the SQL database into a nice report.

References:


Relationships:


How does the report work ?

Download the report from the TechNet Gallery, upload it into the Configmgr SSRS reports folder, change the data source and run the report.

When you run the report, it prompts for a Site Code, since all the boundary groups you created must be assigned to a specific site code for site assignment. If you have not assigned the boundary groups to any specific site code, they will not be listed here.

So choose the Site Code (primary or secondary) or select All.


Boundary groups that are assigned to a specific site code will be listed with the following information:

Boundary Group Name, Site System Role, Site Code, Fallback Boundary Group, Fallback Site System, Fallback DP, Fallback SUP.