Channel: CM2012 – All about Microsoft Endpoint Manager

SCCM Configmgr SUP sync error: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel


I was contacted by a colleague saying that Configmgr was not showing the updates that had been published a day earlier by SCUP. So I started by checking the SCUP configuration (proxy) and the status of the updates (published or not, using the published date), and I also verified the SCUP logs.

From the SCUP perspective, all looked good. Next I looked at Configmgr: I checked the SUP properties to confirm that the published products are selected, and checked the proxy details in the site system role properties.

Next, look at the proxy details configured in IE for the system account; you can use the PsExec tool to verify this.

How do you open IE using the system account, or check the proxy details from a cmd prompt, using PsExec? Open cmd as administrator and run psexec -i -s cmd.exe

Type netsh winhttp show proxy; it will give you the proxy details if any are configured. Run the following command to open IE using the system account:

PsExec.exe -i -s "C:\Program Files\Internet Explorer\iexplore.exe"

Set the proxy in IE. Once this is done, come back to the cmd prompt (system account) and run netsh winhttp import proxy source=ie to import the IE settings.

This also looks good to me. What else could go wrong for the updates not to show up in the SCCM console?

Now I move on to the SUP logs. WCM.log and WSUSCtrl.log both look good, and the final log is the sync log, wsyncmgr.log, which has some errors in it.

Sync failed: UssCommunicationError: WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.~~at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request). Source: Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WsusSyncAction.WSyncAction.SyncWSUS


We know that there were no changes to IIS or to any SSL-related configuration in the last few months. I tried the sync by providing a user name in the site system role properties (use credentials to connect to the proxy server), but it failed with the same error.

Searching Google for the above error found a few blogs that refer to https://technet.microsoft.com/en-us/library/dn265983.aspx (configure trusted roots), but they did not apply to me:

https://the-d-spot.org/2011/05/17/sccm-sup-sync-failed-6703/

http://www.mssccmfaq.de/2012/06/02/sup-synchronisation-schlagt-fehl-could-not-establish-trust-relationship-for-the-ssltls-secure-channel/

https://www.windows-noob.com/forums/topic/7559-sup-sync-issue/

After some time, I got to know from another colleague that changes had been made to the proxy server by the NOC team which now require SSL authentication. What this means is that the software update sync happens using the system account instead of a user account, and the proxy now requires SSL authentication for it. In this case, we need to get approval from the security team to allow the SCCM site server computer account to bypass the proxy or to be added to the exception list.

References and troubleshooting:

https://support.microsoft.com/en-us/help/10329/configuring-software-update-synchronization-in-system-center-configura

https://technet.microsoft.com/en-sg/library/bb892795.aspx
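The following diagnostic is an added example, not part of the original post. Run it from a SYSTEM prompt (psexec -i -s powershell.exe) so that the proxy and the certificate view match what the software update point's sync sees; $UpstreamUrl is an assumed placeholder for your upstream WSUS or Microsoft Update endpoint. If the Issuer reported is the proxy's own CA rather than the expected public CA, the proxy is terminating TLS, and RemoteCertificateChainErrors means that CA is not trusted in the SYSTEM account's store.

```powershell
# Added example (not from the original post). Run as SYSTEM: psexec -i -s powershell.exe
# $UpstreamUrl is an assumed placeholder; use the endpoint your SUP synchronises from.
param(
    [string]$UpstreamUrl = 'https://PLACEHOLDER-upstream.example/'
)

# 1. The proxy the WinHTTP stack (which the SUP sync uses) will pick up in this context.
Write-Host '--- WinHTTP proxy as seen by this account ---'
netsh winhttp show proxy

# 2. One HTTPS request; record the chain the server (or an intercepting proxy) presents
#    and the validation errors, without changing the accept/reject decision.
$script:chainReport = $null
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {
    param($sender, $cert, $chain, $errors)
    $cert2 = [System.Security.Cryptography.X509Certificates.X509Certificate2]$cert
    $elements = @()
    $status   = @()
    if ($chain) {
        $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        $status   = @($chain.ChainStatus   | ForEach-Object { $_.StatusInformation.Trim() })
    }
    $script:chainReport = [pscustomobject]@{
        Subject     = $cert2.Subject
        Issuer      = $cert2.Issuer
        NotAfter    = $cert2.NotAfter
        Errors      = $errors          # e.g. RemoteCertificateChainErrors, RemoteCertificateNameMismatch
        Chain       = $elements
        ChainStatus = $status
    }
    # Same decision as the default validator: only a clean chain is accepted. Log, do not bypass.
    return ($errors -eq [System.Net.Security.SslPolicyErrors]::None)
}

try {
    $req = [System.Net.HttpWebRequest]::Create($UpstreamUrl)
    $req.Method  = 'GET'
    $req.Timeout = 15000
    # Proxy configured for this account; after "netsh winhttp import proxy source=ie"
    # the IE and WinHTTP settings of the SYSTEM account are the same.
    $req.Proxy = [System.Net.WebRequest]::GetSystemWebProxy()
    $resp = $req.GetResponse()
    Write-Host ("Connected: HTTP {0}" -f [int]$resp.StatusCode)
    $resp.Close()
}
catch {
    # A trust failure here is the same class of error wsyncmgr.log reports as
    # "Could not establish trust relationship for the SSL/TLS secure channel".
    # An HTTP status error (e.g. 405) after a populated chain report means TLS itself succeeded.
    Write-Host ("Request failed: {0}" -f $_.Exception.Message)
}
finally {
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null
}

Write-Host '--- Certificate presented to this context ---'
if ($script:chainReport) {
    $script:chainReport | Format-List
} else {
    Write-Host 'No TLS handshake took place (proxy refused the connection or the name did not resolve).'
}
```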


System Center Updates Publisher (SCUP) September 2017 Preview 2 is available


Microsoft has released the SCUP 2017 Preview 2 update with an enhanced update catalog to provide a better experience for users consuming large catalog updates. While old catalog formats are still supported, catalog providers will need to add information to their existing catalogs to take advantage of the improvements in this Preview 2 update. Preview 2 contains the following improvements:

  • Indexing for quicker imports of previously imported catalogs – Catalog producers can now index their catalogs. This allows users to import large catalogs containing few new updates more quickly.
  • Inclusion of signing certificates within update catalogs – Catalog producers can now include signing certificates in their update catalogs. This enables users to add the certificates to the Trusted Publishers list during import, so that approval prompts will not block publish operations.
  • Signature timestamp – Updates published to a WSUS server will by default have their signature time-stamped. Note that this functionality requires internet access. If you have upgraded from Preview 1, this will not be enabled automatically. To enable or disable the signature timestamp, or to configure the timestamp server that is used, see the Advanced page under Options.

In this post, we will see how to:

1. Download the SCUP Preview here.

2. Run UpdatesPublisher.msi on a computer that meets the prerequisites.

3. Configure the options for SCUP.

4. Start using the features of SCUP.

5. For more information about SCUP, refer to https://docs.microsoft.com/en-us/sccm/sum/tools/updates-publisher

Download the SCUP Preview from https://www.microsoft.com/en-us/download/details.aspx?id=55543; the installer size is around 5MB.

Run the downloaded file on a supported OS. In this case, I will run the installer on the SCCM server in my lab, which does not have SCUP installed. Since this is still a preview, do not install it in a production environment.

Before you run the SCUP tool, make sure you meet the prerequisites listed below.

The following are required on the computer that runs Updates Publisher.

  • 64-bit operating system: The computer where you install Updates Publisher must run a 64-bit operating system.
  • WSUS 4.0 or later
  • Permissions:
    • Installation: local admin
    • Most operations: local user
    • Publishing, or operations that involve WSUS: member of the WSUS Administrators group on the WSUS server.


Installation is straightforward.


Click Next, Next, Finish.

On the device where you installed the preview, search for Updates Publisher (Preview).


Accept the license terms and let it do some pre-checks before the console is made available to you.


The version of this SCUP 2017 Preview 2 is 6.0.219.0.


If you are using SCUP 2011, you now have 2 new features added in the preview release: updates and logging.


Logging:


In the Advanced tab, you can now change the database file location instead of leaving it in the user profile, and the Signature Timestamp URL is enabled by default.

Timestamp: When enabled, a timestamp is added to the updates you sign that identifies when they were signed. An update that was signed while a certificate was valid can still be used after that signing certificate expires. By default, software updates cannot be deployed after their signing certificate expires.


In the preview release, all the nodes are arranged as workspaces: Updates workspace, Publications workspace, Rules workspace and Catalogs workspace.


From the default catalog I can see only Acrobat and Reader but no Flash Player, along with Dell, HP and Fujitsu. For Adobe Flash Player, you need to add the SCUP catalog manually: http://fpdownload.adobe.com/get/flashplayer/distribution/win/AdobeFlashPlayerCatalog_SCUP.cab


The SCUP log that tracks information about importing catalogs and publishing and downloading updates has changed from SCUP.log to updatepublisher.log, which is still stored in the user profile (%appdata%).


When you try to import a downloaded catalog file (cab), it will prompt you with a few options: Approve, Always Approve and Decline.


Once the catalog is approved (always), you will not see any prompts during the publishing of updates (content download). This is really helpful if you are trying to publish a lot of updates: you can have a coffee while it downloads the content and publishes the information to the WSUS server.

In the older version, when you try to publish the updates, it prompts you to approve the content, which is troublesome if you have multiple updates published at one go.

More to test on this; stay tuned for further updates.

ConfigMgr: How to use Compliance Settings to check the Windows Update policy settings like WUServer, UseWUServer and NoAutoUpdate on clients


When you install the Configuration Manager client to manage a Windows device, it will try to configure local group policy to set the WSUS server settings (this only works when no domain GPO is configured to set these settings). If you do have a GPO that configures the WSUS information, the local GPO created by the Configmgr client will fail, which is logged in wuahandler.log and windowsupdate.log.

If you look at wuahandler.log, you will see an error like the one below: “Group policy settings were overwritten by a higher authority (domain controller) to server and policy not configured”.


So before you install the SCCM client, it is always recommended to disable the GPO settings for Windows Update to avoid the conflict with the local GPO created by the Configmgr client. More information about software update troubleshooting: http://eskonr.com/2015/04/sccm-2012-troubleshoot-client-software-update-issues/

If you want to know more about the relation between Configmgr software update management and group policy, please read Jason Sandys' explanation: https://home.configmgrftw.com/software-update-management-and-group-policy-for-configmgr-what-else/

https://home.configmgrftw.com/software-updates-management-and-group-policy-for-configmgr-cont/

In this blog post, we are going to see how to check that the 4 primarily used Windows Update policy settings (the WSUS settings UseWUServer, WUServer and NoAutoUpdate, plus AcceptTrustedPublisherCerts for 3rd-party patching) are correctly configured before clients perform a software update scan:

1. WUServer

2. UseWUServer

3. NoAutoUpdate

4. AcceptTrustedPublisherCerts

Although you can run a SQL query to get the clients that have a GPO conflict issue, it is always good to check these registry keys to make sure the clients are good.

AcceptTrustedPublisherCerts -> for trusting the 3rd-party updates if you are using SCUP to publish Adobe, Flash, Java and other updates that are deployed via SCCM.

The location that stores the above policy settings in the client registry is HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (for both 32-bit and 64-bit OS).


NoAutoUpdate -> disables automatic Windows Update.


The following SQL query gets client info for clients that have issues with the GPO conflict:

select distinct sys.name0 [Computer Name],os.caption0 [OS],convert(nvarchar(26),ws.lasthwscan,100) as [LastHWScan],convert(nvarchar(26),sys.Last_Logon_Timestamp0,100) [Last Loggedon time Stamp],
sys.user_name0 [Last User Name] ,uss.lasterrorcode,uss.lastscanpackagelocation from v_r_system sys
left join v_gs_operating_system os on os.resourceid=sys.resourceid
left join v_GS_WORKSTATION_STATUS ws on ws.resourceid=sys.resourceid
left join v_updatescanstatus uss on uss.ResourceId=sys.ResourceID
inner join v_FullCollectionMembership fcm on fcm.ResourceID=sys.ResourceID
where uss.lasterrorcode!='0'
--and fcm.CollectionID in('PS100140')
and sys.client0 is not NULL
and uss.LastErrorCode='-2016409966'
order by sys.name0


Now let's focus on the configuration item/configuration baseline to create this task and deploy it to a collection:

I have a couple of blogs on how to create a configuration item with settings, hence I am not going to show you step by step. I will go through the settings that are really important for this task.

At the end, I also attach the exported version of the configuration baseline; however, you might have to edit it after import due to the WSUS server information.

In the new setting, provide the following information.

Name: WUServer (anything you like), Setting Type: Registry value, Data type: String, Hive Name: HKEY_LOCAL_MACHINE, Key Name: SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

Click on Browse to select the registry key.


Registry key: choose the following settings.

Click OK.


Click on Compliance Rules; you will see 2 conditions.

If you have multiple WSUS servers, click on the WUServer rule, click Edit Rule,

paste all the WSUS server locations into the "one of" field and click OK.


How do you get the list of all WSUS server locations?

Run the following SQL query against your CM database:

select LastScanPackageLocation from v_UpdateScanStatus
where LastScanPackageLocation not like ''
group by LastScanPackageLocation


We have now created one setting for WUServer; in the same way we need to create 3 more entries.

For UseWUServer, click on New and follow the options listed below.


While you are on this page, click on Browse and follow the path below to select the registry key.


Click on OK.

Under compliance rules, select Report noncompliance if this setting instance is not found.


We will create the remaining 2 conditions in the same way as for UseWUServer. All you need is to point the registry key to the respective value.

3. NoAutoUpdate -> SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU


Under compliance rules, select Report noncompliance if this setting instance is not found.

4. AcceptTrustedPublisherCerts -> SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate


Under compliance rules, select Report noncompliance if this setting instance is not found.


Click OK.

We have now set the 4 conditions required to check the Windows Update policy settings.


Click Next to verify all compliance rules.


Click Next to complete the configuration item wizard.

We can now create a configuration baseline and deploy it to a collection.

If any of the above settings is not found on the client computer, it will report as non-compliant, which will help you to troubleshoot and fix software update scan issues.

Download the CB (configuration baseline for Windows Update policy settings) here.

To import, go to Compliance Settings, Configuration Baselines, right-click and import the cab file.

After you import the cab file, don't forget to edit the configuration item and modify your WSUS server settings.
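The same four checks as a script you can run on a single client, as an added example that is not part of the original post: it reports each value and whether it would pass the configuration item's rules (value must exist; WUServer must be one of the known WSUS locations). $AllowedWsusServers is an assumed placeholder list; fill it from the v_UpdateScanStatus query above.

```powershell
# Added example (not from the original post): local check of the four policy values
# the configuration item evaluates. $AllowedWsusServers holds placeholder values.
$AllowedWsusServers = @(
    'http://wsus01.example.local:8530',    # placeholders, not real servers
    'https://wsus02.example.local:8531'
)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = "$PolicyKey\AU"   # UseWUServer and NoAutoUpdate live under the AU subkey

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist, instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-WuPolicy {
    param([string[]]$Allowed = $AllowedWsusServers)
    $checks = @(
        @{ Setting = 'WUServer';                    Path = $PolicyKey }
        @{ Setting = 'UseWUServer';                 Path = $AuKey }
        @{ Setting = 'NoAutoUpdate';                Path = $AuKey }
        @{ Setting = 'AcceptTrustedPublisherCerts'; Path = $PolicyKey }
    )
    foreach ($c in $checks) {
        $value = Get-PolicyValue -Path $c.Path -Name $c.Setting
        # CI rule 1: "Report noncompliance if this setting instance is not found"
        $ok = ($null -ne $value)
        # CI rule 2 (WUServer only): the value must be "one of" the known WSUS locations.
        # -contains compares case-insensitively; a trailing slash is ignored.
        if ($ok -and $c.Setting -eq 'WUServer') {
            $ok = $Allowed -contains ([string]$value).TrimEnd('/')
        }
        [pscustomobject]@{
            Setting   = $c.Setting
            Value     = $value
            Compliant = $ok
        }
    }
}

$results = Test-WuPolicy
$results | Format-Table -AutoSize
if (@($results | Where-Object { -not $_.Compliant }).Count -gt 0) {
    Write-Host 'Non-compliant: check wuahandler.log for the "overwritten by a higher authority" message.'
}
```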

Hope this guide helps!

Configmgr report for count of MS Office versions with architecture type 32-bit and 64-bit


This blog post is version 3 on the same topic (a report for MS Office versions) but with different requirements. My previous posts on the SSRS report for the count of MS Office versions, and the drill-down report to see client names etc., have a limitation: they do not give you the bit type (architecture), 32-bit or 64-bit, of the Office installed on the client. They simply get the count of the MS Office editions installed and then drill down further to get you the list of client computers with Office edition, version, OS and hardware scan date info.

Both versions of the SSRS report can be found at https://gallery.technet.microsoft.com/office/SCCM-Configmgr-Report-for-2c36f1b9 and https://gallery.technet.microsoft.com/office/SCCM-Configmgr-2012-SSRS-c482cca2

The Microsoft article describing Office product code GUIDs is https://support.microsoft.com/en-us/help/928516/description-of-product-code-guids-in-2007-office-suites-and-programs

After posting these 2 reports, blog viewers, TechNet gallery users and forum members asked for the bit type (32-bit or 64-bit) of the Office product installed on the client.

I have a lot of requests/posts in my to-do list to blog about, but due to time limitations, I cannot get to all of them.

So for this requirement to get the 32-bit/64-bit type of MS Office, I found a Microsoft article describing how to identify whether MS Office is 32-bit or 64-bit: https://support.microsoft.com/en-us/help/928516/description-of-product-code-guids-in-2007-office-suites-and-programs. It is based on the product code.

This is the product code that we use to uninstall any software with msiexec /x {productID}.

Below is the screenshot from the support article.


From the product code, the 21st character from the left (substring(productID,21,1)) tells you whether it is 32-bit or 64-bit:

0 for x86

1 for x64

If you read the support article, there is a lot of other information, like release version (RTM, SP1, SP2 etc.) and release type (volume, retail, trial).

This product ID is stored in different SQL views in the CM database, of which we are going to use v_Add_Remove_Programs. For more information about SQL views in SCCM, please refer to https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b

The following Office editions are included in the report. If you have any other Office editions which are not in the list below, please edit the report and append them.
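The client-side counterpart of the report, as an added example that is not part of the original post: it reads the Uninstall registry keys (the source of v_Add_Remove_Programs), keeps the Office entries and derives the bitness from the 21st character of the product code, exactly what substring(productID,21,1) does in the SQL. The two product codes in the sample run are constructed values in the braced GUID layout; Click-to-Run entries have no MSI product code and are reported as unknown.

```powershell
# Added example (not from the original post): derive Office bitness from the
# MSI product code, the same rule the SSRS report applies in SQL.
function Get-OfficeBitnessFromProductCode {
    param([Parameter(Mandatory)][string]$ProductCode)
    # Expect a braced MSI product code such as {90140000-0011-0000-0000-0000000FF1CE}.
    # Click-to-Run entries (e.g. "O365ProPlusRetail - en-us") are not product codes.
    if ($ProductCode -notmatch '^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$') {
        return 'Unknown (not an MSI product code)'
    }
    # 0-based index 20 is the 21st character: the first digit of the 4th group.
    switch ($ProductCode.Substring(20, 1)) {
        '0'     { '32bit' }
        '1'     { '64bit' }
        default { 'Unknown' }
    }
}

function Get-InstalledOfficeBitness {
    # Both registry views, like the hardware inventory that feeds v_Add_Remove_Programs.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft Office *' } |
        ForEach-Object {
            [pscustomobject]@{
                DisplayName = $_.DisplayName      # the report filters on the edition names listed below
                Version     = $_.DisplayVersion
                ProductCode = $_.PSChildName      # key name, the same value as ProdID0 in the view
                Bitness     = Get-OfficeBitnessFromProductCode $_.PSChildName
            }
        }
}

# Sample run on constructed product codes with 0 and 1 in the 21st position
'{90140000-0011-0000-0000-0000000FF1CE}', '{90140000-0011-0000-1000-0000000FF1CE}' |
    ForEach-Object { '{0} -> {1}' -f $_, (Get-OfficeBitnessFromProductCode $_) }

# Live inventory of this machine
Get-InstalledOfficeBitness | Format-Table -AutoSize
```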

'Microsoft Office Personal 2007'
'Microsoft Office Professional 2007'
'Microsoft Office Professional 2007 Trial'
'Microsoft Office Professional Hybrid 2007'
'Microsoft Office Professional Plus 2007'
'Microsoft Office Professional Plus 2007 (Beta)'
'Microsoft Office Standard 2007'
'Microsoft Office Standard 2007 Trial'
'Microsoft Office Ultimate 2007'
'Microsoft Office Enterprise 2007'
'Microsoft Office 2010'
'Microsoft Office Professional Plus 2010'
'Microsoft Office Standard 2010'
'Microsoft Office Professional 2010'
'Microsoft Office Home and Student 2010'
'Microsoft Office Home and Business 2010'
'Microsoft Office Professional Plus 2010 (Beta)'
'Microsoft Office Starter 2010 - English'
'Microsoft Office 2013'
'Microsoft Office Professional Plus 2013'
'Microsoft Office Standard 2013'
'Microsoft Office Professional 2013'
'Microsoft Office Home and Student 2013'
'Microsoft Office Home and Business 2013'
'Microsoft Office Professional Plus 2013 (Beta)'
'Microsoft Office Starter 2013 - English'
'Microsoft Office 2016'
'Microsoft Office Professional Plus 2016'
'Microsoft Office Standard 2016'
'Microsoft Office Professional 2016'
'Microsoft Office Home and Student 2016'
'Microsoft Office Home and Business 2016'
'Microsoft Office Professional Plus 2016 (Beta)'
'Microsoft Office Starter 2016 - English'

As usual, download the SSRS report (rdl) files from the TechNet gallery here, upload them to your reporting folder in SCCM reports, change the data source and run the report.

Output:


Linked report:


This report supports RBA (role based administration) functionality.

Note that the 2nd report (drill-down report) cannot be run individually; to run it, you must run the 1st report (count of Office versions) and drill through to the 2nd report.

SQL code and parameter values for the dataset (RBA): the following information is for reference only; no input is required from you to run this report.

DataSetAdminID: select dbo.fn_rbac_GetAdminIDsfromUserSIDs(@UserTokenSIDs) as UserSIDs

Parameter for UserTokenSIDs: General—>Parameter visibility—>Internal, default values—>specify values—>=SrsResources.UserIdentity.GetUserSIDs(User!UserID)
Parameter for UserSIDs:General—>Parameter visibility—>Internal, default values—>Get values from a query and choose DatasetAdminID

You can always edit the RDL files and customize them.

Happy reporting!

How to change Power Management settings using Configmgr Compliance settings


I had a request to disable the setting ‘Allow the computer to turn off this device to save power’ in the power management settings of the network adapter.


From the screenshot above, there are 3 settings that help with Wake on LAN. All of this settings information is stored in client WMI. We want to uncheck the first option (‘Allow the computer to turn off this device to save power’) while leaving the other 2 controls as they are.

In this blog post, we will see how to change the power management settings on a client using Configuration Manager compliance settings.

Before I go into compliance settings, I will give you the WMI namespace, class and property that store the information about each power management setting, so we can make use of them in compliance settings:

1. Allow the computer to turn off this device to save power: namespace root\wmi, class MSPower_DeviceEnable, property Enable
2. Allow this device to wake the computer: namespace root\wmi, class MSPower_DeviceWakeEnable, property Enable
3. Only allow a magic packet to wake the computer: namespace root\wmi, class MSNdis_DeviceWakeOnMagicPacketOnly, property Enable

Once you have the WMI information, it is easy to create the configuration item and configuration baseline.

Create a configuration item with the name Disable ‘Allow the computer to turn off this device to save power’, leave the default settings, click Next, and choose the operating systems to which you want to deploy this setting.

Under Settings, create a new setting with the following information:

Name: MSPower_DeviceEnable, Setting Type: WQL Query, Data Type: Boolean, Namespace: root\wmi, Class: MSPower_DeviceEnable, Property: Enable, WQL Query: InstanceName like 'PCI%'


For the other 2 settings, all you need is to change the class using the information given above in points 2 and 3.

Click on Compliance Rules, click New, and follow the settings below.

For the other 2 settings (points 2 and 3), you can set the value to True or False as per your needs.


Click OK.

We have now created the configuration item and are ready to create the configuration baseline and deploy it to a device collection.

When you deploy the configuration baseline, make sure you choose the following setting to remediate (Allow remediation outside the maintenance window is up to you: you can either wait for the maintenance window or ignore the window and remediate the setting).
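The same discovery and remediation done directly against the root\wmi classes listed above, as an added example that is not part of the original post, useful for checking one client before the baseline is deployed. It assumes (not stated in the post) that MSPower_DeviceEnable.InstanceName is the adapter's PNPDeviceID with a trailing "_0", which is how the friendly adapter name is resolved; run it in an elevated PowerShell.

```powershell
# Added example (not from the original post). Assumption: InstanceName = PNPDeviceID + "_0".
function Get-NicPowerSettings {
    param([string]$InstanceFilter = "InstanceName like 'PCI%'")   # same WQL filter as the CI
    $adapters = Get-CimInstance -ClassName Win32_NetworkAdapter -Filter 'PhysicalAdapter = TRUE'
    # Fetch the two wake classes once and match by InstanceName in PowerShell; this avoids
    # having to escape the backslashes of the instance name inside a WQL filter.
    $wakeAll  = Get-CimInstance -Namespace root\wmi -ClassName MSPower_DeviceWakeEnable -ErrorAction SilentlyContinue
    $magicAll = Get-CimInstance -Namespace root\wmi -ClassName MSNdis_DeviceWakeOnMagicPacketOnly -ErrorAction SilentlyContinue

    foreach ($dev in Get-CimInstance -Namespace root\wmi -ClassName MSPower_DeviceEnable -Filter $InstanceFilter) {
        $pnpId = $dev.InstanceName -replace '_0$', ''
        $nic   = $adapters | Where-Object { $_.PNPDeviceID -eq $pnpId } | Select-Object -First 1
        $wake  = $wakeAll  | Where-Object { $_.InstanceName -eq $dev.InstanceName } | Select-Object -First 1
        $magic = $magicAll | Where-Object { $_.InstanceName -eq $dev.InstanceName } | Select-Object -First 1
        $name  = if ($nic) { $nic.Name } else { $dev.InstanceName }
        $wakeOn  = if ($wake)  { [bool]$wake.Enable }  else { $null }
        $magicOn = if ($magic) { [bool]$magic.Enable } else { $null }
        [pscustomobject]@{
            Adapter                 = $name
            AllowTurnOffToSavePower = [bool]$dev.Enable   # setting 1: the one the CI wants False
            AllowWakeComputer       = $wakeOn             # setting 2
            MagicPacketOnly         = $magicOn            # setting 3
            InstanceName            = $dev.InstanceName
        }
    }
}

function Disable-NicPowerOff {
    # Remediation equivalent of the CI's compliance rule: Enable = False on
    # MSPower_DeviceEnable for the PCI adapters, leaving settings 2 and 3 untouched.
    param([string]$InstanceFilter = "InstanceName like 'PCI%'")
    foreach ($dev in Get-CimInstance -Namespace root\wmi -ClassName MSPower_DeviceEnable -Filter $InstanceFilter) {
        if ($dev.Enable) {
            Set-CimInstance -InputObject $dev -Property @{ Enable = $false }
            Write-Host "Unchecked 'Allow the computer to turn off this device to save power' on $($dev.InstanceName)"
        }
    }
}

Get-NicPowerSettings | Format-Table -AutoSize   # discovery: what the CI evaluates
# Disable-NicPowerOff                            # remediation: uncomment to apply
```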


End user results:


Hope it helps!

How to deploy OneDrive for Business using Configmgr


Deploying OneDrive for Business is straightforward. The command-line switches are very simple: "OneDriveSetup.exe" /silent. But when you create the application in Configmgr, there are a couple of things that you need to focus on, like the detection method and install behaviour.

If you search online for how to deploy OneDrive for Business using Configmgr, you will get various posts; however, the following method is what I have been using and it works fine. I would like to share the solution in simple steps.

Create the application as you normally do, but use the following information for the detection method, user experience and install command line.

Install command line: "OneDriveSetup.exe" /silent

Detection method: The version that I deployed to users (user-based collection) is 17.3.7076.1026, hence my detection method will look for 17.3.7076.1026. (There is already a later version available, yet to be deployed.)

OneDrive for Business stores the installation files in the user profile (C:\Users\eswar.koneti\AppData\Local\Microsoft\OneDrive).


Registry key from the user profile for uninstall:


Setting Type: Registry

Hive: HKCU

Key: Software\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe

Value: DisplayVersion

Data Type: String


User Experience:


Requirements:

Choose the OS on which you want to install the application. Since this is a user-based deployment, I would recommend limiting this to workstation OS (Windows 7, Windows 8 and Windows 10), not to server operating systems unless there is a need to use OneDrive on a server OS.

On Windows 7 there is no OneDrive by default, hence you need to install it, but on Windows 10 OneDrive comes with the OS. However, you need to check whether the installed OneDrive is the latest version or not; if not, you can use the above method to install the latest version.

Installing the latest version (using the above method) will remove the old version from the user profile and install the new version.

Before you use this solution for mass deployment, deploy it to a few pilot users and see how it works.

Deploy the application to the user collection and you are good.

If you have any issues with this, post in the comments section.

Configmgr report: list empty collections with no query rules defined (collection clean-up)


I was looking at the console the other day and found that there were many collections created in the root folder (Device Collections) with a member count of 0. When I looked at the collection properties, I found them empty (no direct or query-based rule).

So I decided to write a SQL query to identify the list of collections that have empty results with no query rules (direct or query-based) defined in them.

For this query, I have used 2 SQL views (v_Collection and v_CollectionRuleQuery).

For the full list of SQL views that exist in SCCM Configmgr, please refer to https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b

Following is the SQL code to identify empty collections with no query rule defined. You can delete these collections to simplify the list of collections displayed when deploying objects, as part of maintenance tasks, unless there is a reason for them to be in the console.

You can use the following code to create an SSRS report as well.

select coll.CollectionID,coll.Name,
case when coll.CollectionType='1' then 'User' else 'Device' end as 'Collection Type'
from v_Collection coll
where coll.collectionid not in (select CRQ.collectionid from v_CollectionRuleQuery CRQ)
and coll.MemberCount=0
group by coll.CollectionID,coll.Name,coll.CollectionType

Configuration Manager Technical Preview 1708 has the ability to identify applications without deployments and empty collections as part of Management Insights. For more information, please read https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1708#management-insights

Hope it helps!


How to Deploy Microsoft Yammer Client using SCCM Configmgr


Yammer is an enterprise social networking service used for private communication within organizations. Access to a Yammer network is determined by a user's Internet domain, so that only individuals with approved email addresses may join their respective networks.

Yammer can be used to discuss ideas, share updates, and crowdsource answers from co-workers around the globe. Yammer gives you a faster, smarter way to connect and collaborate across your company.

If your organisation has moved to O365, you will hit the requirement to deploy O365 applications like Microsoft Teams, OneDrive, Yammer, AIP etc. All of these applications (except AIP) are user specific and are installed in the user profile (%AppData%) instead of %ProgramFiles%.

Deploying applications to computers is straightforward, but for applications that are user specific and install into %AppData%, there are some challenges with the application detection method.

Application detection is one of the main criteria to identify whether the application is installed correctly or not; it also helps to reinstall the app if the app is removed from the user machine (this happens with the application deployment evaluation cycle).

As I mentioned in my previous blog on deploying Microsoft OneDrive using Configmgr, we will use a similar method with the detection rule for Yammer as well.

Before we start with this, download the Yammer client (MSI) file from https://support.office.com/en-us/article/yammer-for-windows-and-mac-50920c05-cbfc-4f11-8503-e20fb2e623a5

Once the MSI file is downloaded, extract the file using 7-Zip or WinRAR to get the actual installer used to deploy to users. You will see something like below.


Copy the file to your SCCM source files and start creating the application as you do for other EXE applications.

For Deployment Type, choose Script Installer.

Installation Program: "yammerdesktop.exe" /s

Uninstallation Program: "%LocalAppData%\yammerdesktop\Update.exe" --uninstall -s


Detection Rule:

Key: Software\Microsoft\Windows\CurrentVersion\Uninstall\yammerdesktop

Value: DisplayVersion

Change the version value (1.3.1) as per the application version you are installing.


User Experience:


Requirements: Windows 7, Windows 10 (based on where you need this to be installed).

Deploy the application to a user collection. When the user receives policy (user policy evaluation cycle), the application will be installed and a shortcut icon will be created on the user's desktop.


Following is the registry location where the application gets installed:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\yammerdesktop
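A script detection method for both of the user-profile applications covered here (OneDrive for Business in the previous post and Yammer in this one), as an added example that is not part of the original posts. It checks the HKCU uninstall key's DisplayVersion against a minimum version instead of an exact match, so a newer build already present counts as installed; the deployment type must be "Install for user" so the script runs as the logged-on user. The version numbers are the ones quoted in the posts. ConfigMgr's detection-script convention is used: output to STDOUT plus exit code 0 means installed, no output plus exit code 0 means not installed.

```powershell
# Added example (not from the original posts): detection script for apps installed
# into the user profile, keyed on the HKCU Uninstall entry named in each post.
$Apps = @(
    @{ Name = 'OneDrive for Business'; Key = 'OneDriveSetup.exe'; MinVersion = '17.3.7076.1026' },
    @{ Name = 'Yammer';                Key = 'yammerdesktop';     MinVersion = '1.3.1' }
)

function Get-UserAppVersion {
    param([Parameter(Mandatory)][string]$UninstallKeyName)
    # HKCU because these apps register under the user's hive, not HKLM.
    $path = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\$UninstallKeyName"
    $raw  = (Get-ItemProperty -Path $path -Name DisplayVersion -ErrorAction SilentlyContinue).DisplayVersion
    if ([string]::IsNullOrWhiteSpace($raw)) { return $null }
    # [version] compares numerically (1.10 > 1.9); a non-version string yields $null.
    try { [version]$raw } catch { $null }
}

function Test-UserAppInstalled {
    # $true when DisplayVersion exists and is at least the minimum. Using >= rather than
    # the exact match of a registry detection rule means a newer build already present
    # is treated as installed and is not reinstalled by the deployment evaluation cycle.
    param([Parameter(Mandatory)][string]$UninstallKeyName, [Parameter(Mandatory)][string]$MinVersion)
    $installed = Get-UserAppVersion -UninstallKeyName $UninstallKeyName
    return ($null -ne $installed) -and ($installed -ge [version]$MinVersion)
}

# Detection entry point: one script per deployment type, so pick the matching entry.
$app = $Apps[1]   # Yammer; use $Apps[0] for the OneDrive for Business deployment type
if (Test-UserAppInstalled -UninstallKeyName $app.Key -MinVersion $app.MinVersion) {
    Write-Output "$($app.Name) $(Get-UserAppVersion -UninstallKeyName $app.Key) detected"
}
exit 0
```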


Hope it helps!


Using SCCM, how to check if a user mailbox has been migrated to Exchange Online (cloud) from on-prem Exchange


Introduction:

We are in the process of migrating users (mailboxes) from on-prem to Office 365 (cloud). As part of this project, one of the requirements is to deploy the Office 365 ProPlus (C2R) application to all users, replacing the old version of Microsoft Office. We use the PowerShell App Deployment Toolkit, which simplifies the complex scripting challenges of deploying applications in the enterprise, provides a consistent deployment experience and improves installation success rates.

Once users have Office 365 ProPlus and the other Office 365 components like Microsoft Teams, Yammer, OneDrive etc., there is the final task of migrating the user mailbox to the cloud. Mailbox migration can be first, in the middle or last; there is no fixed sequence, as it is an independent task.

Deployment of Office ProPlus and the other components is done by SCCM, hence we can create some nice dashboards/reports to monitor the progress of the deployments, but we are missing the mailbox migration status, which happens from the on-prem Exchange server to Exchange Online (EOL).

How do we get the status of mailbox migration from on-prem to Exchange Online using SCCM?

I am not an Exchange guy, hence I may not be able to provide much information about the theory behind this; if you have any questions around Exchange Online or mailbox migration, you can reach out to the TechNet forums or contact Microsoft support.

When the mailbox is moved (sync and cutover) from on-prem to Exchange Online, there are a couple of attributes that are set in Active Directory. Some of them are listed below:

msExchVersion
msExchRecipientDisplayType
msExchRecipientTypeDetails
msExchRemoteRecipientType
targetAddress

By default, when the user mailbox is on-prem, the targetAddress attribute is empty (it does not contain any value). Once the user mailbox is moved to the cloud, this attribute is set to username@yourtenantname.mail.onmicrosoft.com.

For example, the user email address is Demo1@eskor.com, and after the migration targetAddress is set to Demo1@koneti.mail.onmicrosoft.com (where koneti is my tenant name).

Once this attribute is stamped with the cloud email, we can use SCCM to discover this attribute using AD User Discovery and put that info in an SSRS report.

A quick way to view an object's Active Directory targetAddress attribute is through the Active Directory Users and Computers console. In AD Users and Computers, ensure that Advanced Features has been enabled under the View menu.


Go to the OU, locate the object you are looking for, right-click, open the user properties, choose Attribute Editor and locate targetAddress.


How do we discover this attribute into SCCM?

Go to your SCCM console, Administration, Hierarchy Configuration, Discovery Methods and choose Active Directory User Discovery.

From the available attributes, choose targetAddress, click on Add, then click OK.


Once this is done, you will need to wait for the user discovery to happen (delta discovery), or you can force the discovery cycle by right-clicking on the discovery method.


After the discovery runs, you will have targetaddress0 in the v_r_user SQL view to create nice SSRS reports.

A couple of SQL views that I used to create the SSRS report with Office 365 ProPlus installation, user mail, user name, cloud information and user group are listed below:

v_r_user

v_GS_OFFICE365PROPLUSCONFIGURATIONS

v_RA_User_UserGroupName

v_R_System

And finally the SSRS report:


Hope it helps!

SQL query to get client count with status active, obsolete and missing for collections in a tabular column


Quick blog post on how to get the client count with active, obsolete and missing status for collections in a nice tabular layout.

I used 3 SQL views in this query, v_R_System, v_FullCollectionMembership_Valid and v_Collection, with SUM and CASE statements.

You can use this SQL code in report creation with a collection prompt, and also create linked reports.

-- One row per collection: total members plus active / obsolete / no-client counts
select coll.Name [Collection Name], fcm.CollectionID, count(sys.Name0) [Total clients],
SUM(CASE WHEN sys.Active0 = 1 THEN 1 ELSE 0 END) AS 'Active Clients',
SUM(CASE WHEN sys.Obsolete0 = 1 THEN 1 ELSE 0 END) AS 'Obsolete Clients',
SUM(CASE WHEN sys.Client0 IS NULL THEN 1 ELSE 0 END) AS 'Client Missing'   -- no ConfigMgr client recorded
from v_R_System sys
inner join v_FullCollectionMembership_Valid fcm on fcm.ResourceID = sys.ResourceID
inner join v_Collection coll on coll.CollectionID = fcm.CollectionID
where fcm.CollectionID in ('PS1000DE','PS1000DF')   -- replace with your collection IDs or a report prompt
group by fcm.CollectionID, coll.Name

SQL output:

For more information about SCCM client health dashboard ,refer https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-SSRS-2863c240

New version of System Center Updates Publisher (SCUP) is available to support windows 10 and server 2016

Microsoft has released an updated version of System Center Updates Publisher (SCUP), version 6.0.278.0, which can be downloaded here.

System Center Updates Publisher (Updates Publisher) is a stand-alone tool that enables independent software vendors or line-of-business application developers to manage custom updates.

Using Updates Publisher, you can:

  • Import updates from external catalogs (non-Microsoft update catalogs).
  • Modify update definitions including applicability, and deployment metadata.
  • Export updates to external catalogs.
  • Publish updates to an update server.

This release of SCUP adds support for Windows 10 and Windows Server 2016 and includes the following improvements:

  • Indexing for quicker imports of previously imported catalogs –  Catalog producers can now index their catalogs. This will allow users to more quickly import large catalogs containing few new updates.
  • Inclusion of signing certificates within updates catalogs – Catalog producers can now include signing certificates with their updates catalogs.  This enables users to add the certificates to the trusted publishers list during import so that approval prompts will not block publish operations.

If you have installed SCUP Preview 1 or SCUP Preview 2, you must manually upgrade the installation to this version.

How to upgrade SCUP from the old version to the new version?

I have the following SCUP version in my lab (6.0.219.0), which I will be migrating to the new version (6.0.278.0).

Current version:

How to migrate to new version:

Since SCUP is a stand-alone tool, it does not require a database backup; however, I would like to take a backup of the database file (scupdb.sdf) in case of any issues after the migration. For more information about this database file, refer to this article.

Close any open SCUP console (I noticed that it does not allow more than one connection open on the same machine for multiple users).

If you do not close the open SCUP console before installing, you will see the screen below, which gives you the option to close it and continue the installation.

After the installation completes, you will see the following screen.

Now go to the Start menu, search for Updates Publisher and accept the license agreement.

It will take a few minutes to check the database availability and load the console.

Now you should see all the data and settings that existed in the previous version.

Go to About to check the SCUP version.

Settings such as the SCUP database and the other options are retained from the old version in the new version.

If you do not see the configuration settings and catalogs, you can load the database file that we backed up in the first step.

Hope this helps to upgrade SCUP from the old version to the new one. Happy patching.

References:

http://eskonr.com/2017/08/sccm-configmgr-how-to-make-scup-console-settings-available-for-all-users-and-make-the-database-as-shared/

https://cloudblogs.microsoft.com/enterprisemobility/2018/03/21/system-center-updates-publisher-adds-support-for-new-oses/

https://docs.microsoft.com/en-us/sccm/sum/tools/updates-publisher

How to install Azure Information Protection (AIP) Client using ConfigMgr

The Azure Information Protection client (AIP) for Windows helps you keep important documents and emails safe from people who shouldn't see them, even if your email is forwarded or your document is saved to another location. You can also use this client (AIP) to open documents that other people have protected by using the Rights Management protection technology from Azure Information Protection.  Read more information about requirements for AIP https://docs.microsoft.com/en-us/azure/information-protection/get-started/requirements

All you need is a computer that runs at least Windows 7 with Service Pack 1; then download and install the free AIP client from Microsoft.

Before you try to install the AIP client, there are a few prerequisite components that need to be installed on the computer before AIP can process policies for you.

In this blog post, we will see what prerequisites are required to deploy the AIP client, along with their detection methods, on computers running Windows 7 SP1 and above.

Since the AIP client has 4 prerequisites, we will use a task sequence to deploy it instead of an application deployment with dependencies. If you already have these prerequisites installed on all your client PCs, you can simply create the AIP application and deploy it without a task sequence.

Before you proceed further, I would recommend reading through these articles:

Azure Information Protection client administrator guide https://docs.microsoft.com/en-us/azure/information-protection/rms-client/client-admin-guide

Custom configurations for the Azure Information Protection client https://docs.microsoft.com/en-us/azure/information-protection/rms-client/client-admin-guide-customizations

Prerequisites:

1. Microsoft .NET Framework 4.6.2: The AIP client requires a minimum version of Microsoft .NET Framework 4.6.2, and if this is missing, the installer tries to download and install this prerequisite. When this prerequisite is installed as part of the client installation, your computer must be restarted.

2. Windows PowerShell version 4.0: The PowerShell module for the client requires Windows PowerShell version 4.0, which might need to be installed on older operating systems. For more information, see How to Install Windows PowerShell 4.0. The installer does not check or install this prerequisite for you. To confirm the version of Windows PowerShell that you are running, type $PSVersionTable in a PowerShell session.

3. Visual C++ Redistributable for Visual Studio 2015 (32-bit version): For computers running Windows 7 Service Pack 1, install vc_redist.x86.exe from the following download page: Visual C++ Redistributable for Visual Studio 2015.

4. If you have Windows 7 SP1, the Azure Information Protection client requires a specific update, KB2533623. If your PC needs this update but it is not installed, installation completes but with a message that the Azure Information Protection client requires this update. Until this update is installed, you won't be able to use all features of the Azure Information Protection client.

5. Configure the GPO with settings like the 'congratulations' prompt for users when they launch Office apps, and other settings as described in the TechNet document https://docs.microsoft.com/en-us/azure/information-protection/rms-client/client-admin-guide-customizations

In this post, I will not go step by step through the creation of all the prerequisites; instead, I will cover the important information such as the installation program, detection method and requirements.

Note: All these prerequisites require a reboot, including .NET and PowerShell. Without a reboot, no further components will install, so I leave the reboot to ConfigMgr based on the exit codes (3010 soft reboot, 1641 hard reboot).

1. Microsoft .NET Framework 4.6.2 or above:

Since a newer version, .NET Framework 4.7.1, is available, I will install that instead of 4.6.2 (the minimum version), but the detection method will look for .NET 4.6.2 and above. If 4.6.2 already exists, the 4.7.1 installation is skipped.

Installation program: "NDP471-KB4033342-x86-x64-AllOS-ENU" /q

Detection rule: Setting type: Registry, Hive: HKEY_LOCAL_MACHINE, Key: Software\Microsoft\NET Framework Setup\NDP\v4\Full, Value: Release, Data type: Integer, Operator: greater than or equal to 461310 (this is .net 4.6.1 and above)

User experience: Install for system, whether or not a user is logged on, and determine the behaviour based on return codes.

Requirements: Free disk space: 5GB; OS: Windows 7 and any other OS you have.

2. Windows PowerShell version 4.0: I am going to create applications for both PowerShell 4.0 and PowerShell 5.0, as some Windows 7 machines that have version 2.0 cannot be upgraded to 5 directly (at least I have seen some failures).

Installation Program: wusa.exe Windows6.1-KB2819745-x64-MultiPkg.msu /quiet

Detection Method: Powershell

# ConfigMgr treats any output as "installed" and no output as "not installed".
# Use -ge so that PowerShell 4.0 itself counts as installed: with -gt 4 a machine
# already on 4.0 would be reported as missing and the install would loop.
if ($PSVersionTable.PSVersion.Major -ge 4)
{
Write-Host "Installed"
}
else
{
}

Requirement: Windows 7 (Windows 10 ships with PowerShell 5.0, so there is no need to install it there).

Windows PowerShell version 5.1:

Installation Program: wusa.exe Win7AndW2K8R2-KB3191566-x64.msu /quiet

Detection Method: Powershell

# Compare the full version so that 5.0 is not mistaken for 5.1 (-gt 5 on the
# major number alone would never match 5.1 and the install would loop)
if ($PSVersionTable.PSVersion -ge [version]'5.1')
{
Write-Host "Installed"
}
else
{
}

Requirement: Windows 7 (Windows 10 ships with PowerShell 5.0, so there is no need to install it there).

3. Visual C++ Redistributable for Visual Studio 2015 (32-bit version):

Installation program: "vc_redist.x86.exe" /q

Requirement rule: Windows 7 and Windows 10.

Detection method: PowerShell. If the client already has VC++ 2015, the installation is skipped.

function Get-InstalledApps
{
    # On 32-bit Windows there is only one Uninstall hive; on 64-bit also read the
    # WOW6432Node view, which is where 32-bit packages such as the x86 VC++
    # redistributable register themselves.
    if ([IntPtr]::Size -eq 4) {
        $regpath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
    }
    else {
        $regpath = @(
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
            'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        )
    }
    # Keep only real entries (those with both a display name and an uninstall string)
    Get-ItemProperty $regpath |
        Where-Object { $_.DisplayName -and $_.UninstallString } |
        Select-Object DisplayName, Publisher, InstallDate, DisplayVersion, UninstallString |
        Sort-Object DisplayName
}

# ConfigMgr treats any output as "installed" and no output as "not installed"
if (Get-InstalledApps | Where-Object { $_.DisplayName -like "Microsoft Visual C++ 2015 Redistributable*" })
{
Write-Host "Installed"
}
else
{
}

4. Azure Information Protection client: Download the AIP client (AzInfoProtection.exe) from https://portal.azurerms.com/#/download (this link has both the viewer and the client).

Also download the update mentioned in the prerequisites above (KB2533623).

Installation program: Create a batch script with the following code. (After the update installation is done, it proceeds to install the AIP client; no reboot is required.)

REM Install the KB2533623 update (prerequisite on Windows 7 SP1)
wusa.exe "%~dp0Windows6.1-KB2533623-x64.msu" /quiet /norestart

REM cmd has no built-in "sleep"; wait 10 seconds with timeout instead
timeout /t 10 /nobreak >nul
REM Install the Azure Information Protection client from the same package folder
"%~dp0AzInfoProtection.exe" AllowTelemetry=0 /quiet /norestart

Detection Method: Windows installer: {30F836D2-A60B-4899-A369-B0FCA2884EAF}

Requirements : Windows 7 and windows 10.

If you are installing the AIP client on computers that run Office 2010, and your users are not local administrators on their computers or you do not want them to be prompted, then you must supply ServiceLocation.

If the client was not installed with the ServiceLocation parameter, then when you first open one of the Office applications that use the Azure Information Protection bar (for example, Word), you must confirm any prompts to update the registry for this first-time use. Service discovery is used to populate the registry keys.

Ex: AzInfoProtection.exe /quiet /norestart ServiceLocation=https://a44b2fd2-6a02-4d36-86b4-0017a1cede50.rms.eu.aadrm.com

To find the service location, please refer to the document here.

Uninstall string for AIP: "C:\ProgramData\Package Cache\{153d0dfd-99e1-483f-9d3f-d2b5b88e016c}\AzInfoProtection.exe" /uninstall /quiet

Change the product ID of the AIP client as per the installer.

With this, we have created 5 applications, and now we can use a task sequence to deploy them in the sequence given below.

1. Microsoft .NET Framework 4.6.2/4.7.1

2. Microsoft PowerShell 4.0

3. Microsoft PowerShell 5.1

4. Microsoft VC++ 2015

5. Microsoft AIP client
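Before deploying the task sequence, it helps to have one read-only pre-flight check that evaluates every prerequisite above on a machine and reports what is missing. The following is an added example, not code from the original post: it combines the individual detection methods into one script that returns a result object per check and a non-zero exit code when anything is missing. Assumptions (not from the post): the .NET Release thresholds used here, 394802 for 4.6.2 and 461308 for 4.7.1 (the lowest build of each), come from Microsoft's published Release table rather than the 461310 value the post's detection rule uses; the AIP product code and registry paths are the ones quoted above; the script avoids PowerShell 3.0+ syntax so it also runs on a Windows 7 SP1 machine still on PowerShell 2.0.

```powershell
# Added example, not from the original post: read-only pre-flight check of the
# AIP client prerequisites. Assumptions: Release numbers from Microsoft's table,
# product code and paths as quoted in the post, PowerShell 2.0 or later.
function New-CheckResult {
    param([string]$Check, $Found, [bool]$Ok)
    New-Object -TypeName PSObject -Property @{ Check = $Check; Found = $Found; Ok = $Ok } |
        Select-Object Check, Found, Ok
}

function Test-DotNetRelease {
    param([int]$MinimumRelease = 394802)   # .NET Framework 4.6.2 or later (assumed threshold)
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue).Release
    New-CheckResult -Check '.NET Framework Release' -Found $release -Ok ([int]$release -ge $MinimumRelease)
}

function Test-PowerShellVersion {
    param([version]$Minimum = '4.0')
    $v = $PSVersionTable.PSVersion
    New-CheckResult -Check 'PowerShell' -Found "$v" -Ok ($v -ge $Minimum)
}

function Test-VcRedist2015 {
    # Same uninstall-key scan as the post's detection method (both registry views on x64)
    $paths = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*')
    if ([IntPtr]::Size -eq 8) {
        $paths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    }
    $hit = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft Visual C++ 2015 Redistributable*' } |
        Select-Object -First 1
    New-CheckResult -Check 'VC++ 2015 Redistributable' -Found $hit.DisplayVersion -Ok ([bool]$hit)
}

function Test-Hotfix2533623 {
    # KB2533623 is only required on Windows 7 SP1 (NT 6.1); elsewhere the check passes
    $osVersion = (Get-WmiObject -Class Win32_OperatingSystem).Version
    $needed = $osVersion -like '6.1.*'
    $present = [bool](Get-HotFix -Id 'KB2533623' -ErrorAction SilentlyContinue)
    New-CheckResult -Check 'KB2533623 (Win7 SP1 only)' -Found $present -Ok ((-not $needed) -or $present)
}

function Test-AipClient {
    # Product code from the post's Windows Installer detection method
    $code = '{30F836D2-A60B-4899-A369-B0FCA2884EAF}'
    $keys = @("HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$code",
              "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\$code")
    $present = [bool]($keys | Where-Object { Test-Path $_ })
    New-CheckResult -Check 'AIP client' -Found $present -Ok $present
}

function Get-AipPrerequisiteReport {
    @(
        Test-DotNetRelease
        Test-PowerShellVersion
        Test-VcRedist2015
        Test-Hotfix2533623
        Test-AipClient
    )
}

$report = Get-AipPrerequisiteReport
$report | Format-Table -AutoSize
# Non-zero exit when anything is missing, so the script can gate a task sequence step
if ($report | Where-Object { -not $_.Ok }) { exit 1 } else { exit 0 }
```

Run it on a pilot machine before and after the task sequence: the "Ok" column should be all True afterwards, and any row still False tells you which application's detection or requirement rule to revisit in the logs.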

Troubleshooting:

Deploy the task sequence to a device collection and follow the logs smsts.log and AppEnforce.log.

References:

https://docs.microsoft.com/en-us/information-protection/rms-client/client-user-guide

https://docs.microsoft.com/en-us/information-protection/rms-client/install-client-app

https://docs.microsoft.com/en-us/azure/information-protection/rms-client/client-admin-guide-install

https://github.com/MicrosoftDocs/Azure-RMSDocs/blob/master/Azure-RMSDocs/rms-client/client-admin-guide-install.md

Configmgr troubleshooting clients with update scan issues for office 365 client updates

Introduction:

Office 365 ProPlus is one of the subscription service plans in the new Office. It is productivity software (including Word, PowerPoint, Excel, Outlook, OneNote, Publisher, Access, Skype for Business) that is installed on your desktop or laptop computer. Office 365 ProPlus is a user-based service that allows people to access Office experiences on up to 5 PCs or Macs and on their mobile devices. Traditional Office installations were tied to the computers they were installed on.

A few months ago, we started rolling out Office 365 ProPlus (the cloud version) using ConfigMgr Current Branch. I created the application using the PowerShell App Deployment Toolkit in combination with the OffScrub scripts from Microsoft. Using these 2 scripts, you can fully automate the installation of Office 365 ProPlus by removing the old versions of Office (2007, 2010, 2013 and MSI-based 2016) and installing the cloud version. I will write a blog post on how to use these 2 scripts to create the application, and on the GPO settings you need to consider for ProPlus (performance issues, patching mechanism etc.).

Problem:

Coming to this blog post: we have a mixed environment which includes laptops, desktops and VDI (virtual desktop infrastructure) machines. ProPlus was installed on all of these machines using SCCM. The installation went smoothly and users started using Office for their day-to-day work.

All looks good from the user's point of view, but when it comes to managing ProPlus updates, you need to understand how it works and what settings are applied on the PC for ProPlus.

After ProPlus was installed on many computers, we started looking at the Office 365 updates section in SCCM (Software Library > Office 365 Client Management > Office 365 Updates) for patching and found that some clients report an update status but the majority report Unknown, as shown below.

By the way, we are going with the Semi-Annual Channel, as we do not want to update ProPlus every month; hence we only look at Semi-Annual Channel updates for deployment.

Solution:

After looking at the large Unknown count, I started looking at the clients' chassis type, since some of them work fine but the majority do not. We used the same package for ProPlus, one GPO with the ProPlus settings and one client agent setting for all of them.

If I am using one configuration for all, why is there a difference in the update scan status for Office 365 client updates?

Use the default report Home > ConfigMgr_Sitecode > Software Updates - A Compliance > Compliance 6 - Specific software update states (secondary) to identify the Unknown clients.

After reviewing the Unknown clients, I found that the majority are VDI machines, so there is something specific to the VDI machines.

I got a VDI machine assigned to me so I could troubleshoot and find the root cause.

The following checklist was performed on the VDI machine that has the issue:

1. Check whether the SCCM client is working and healthy. How do you say it is healthy? Check its policy request and inventory in the SCCM console.

2. Is the client receiving policies, and what is the software updates status on this PC? Look at its last software update scan and last patching status. If these are working fine, then something is wrong with how the Office 365 ProPlus application was installed or with the configuration applied on the VDI machines.

3. Verified in SCCM that the client agent settings are configured correctly, with 'Enable management of the Office 365 client agent' set to 'Yes' in the Software Updates section. This setting can also be enabled through GPO. This is one of the requirements, as the SCCM client checks that the Office COM interface is enabled; it acts as the communication channel between Office and ConfigMgr. This functionality must be turned on. You can check the officemgmtcom registry value on the client PC (HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Office\16.0\common\officeupdate).

After going through the checklist above, I could not find anything wrong. Everything seemed to be good.

While troubleshooting this, I found a Microsoft article on troubleshooting Office 365 ProPlus patching: https://blogs.technet.microsoft.com/askpfeplat/2017/03/23/troubleshooting-office-365-proplus-patching-through-system-center-configuration-manager/

After reading the article, I found there is one setting I still needed to verify, which I mentioned in checklist item 3 above: whether the COM interface is registered. As we enabled this through GPO and also via the SCCM client agent settings, the COM interface should be registered (officemgmtcom). So how do we verify whether the COM interface is registered?

You can verify this by checking for the existence of the following registry key on the client. This registry key is the same for ProPlus on every PC.

[HKEY_CLASSES_ROOT\CLSID\{B7F1785F-D69B-46F1-92FC-D2DE9C994F13}\InProcServer32]
@="C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeC2RCom.dll"

On the problem client, I could not find this registry key ({B7F1785F-D69B-46F1-92FC-D2DE9C994F13}).

As per the TechNet blog, I suspected the AV (antivirus) on the client was blocking the COM interface, so I involved the AV team, but they found nothing after troubleshooting. I also tried disabling the AV on the client and then stopping and starting the Microsoft Office Click-to-Run Service.

The issue was not resolved even with AV disabled. What could be wrong?

We have talked a few times about the COM interface needing to be registered for this process, so I started looking at Component Services, which is where COM objects are registered as well.

From the Run command, type dcomcnfg to open the MMC. Browse to Component Services > Computers > My Computer.

This is what I see: a red down arrow, which means Component Services are disabled, hence the COM interface is unable to register. Why is this disabled? Is it through GPO? If so, why is it not disabled for laptops and desktops but only for VDI? That is an offline topic to be discussed internally with the teams who disabled it.

There is a service responsible for this, 'COM+ System Application'. Start the service (this must be done with admin rights).

After you start the service, close the Component Services MMC and reopen it.

Browse to COM+ Applications and see whether there is any entry related to OfficeC2R.

How do we get the OfficeC2R COM object here?

As a simple fix, I restarted the Microsoft Office Click-to-Run Service (ClickToRunSvc) so that the COM object, and hence the registry key, would be created, but that did not work.

So what I did is the following fix, which worked; I also created a simple batch script and applied it to all computers where the registry key was not found.

How to get the OfficeC2RCom object?

  1. Open Regedit and change the officemgmtcom value under HKLM\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate from 1 to 0

  2. Restart the Microsoft Office Click-to-Run Service

  3. Open Regedit and change the officemgmtcom value under HKLM\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate from 0 to 1

  4. Restart the Microsoft Office Click-to-Run Service again.

  5. Open dcomcnfg to check for the OfficeC2RCom object, and open Regedit to check the registry key [HKEY_CLASSES_ROOT\CLSID\{B7F1785F-D69B-46F1-92FC-D2DE9C994F13}\InProcServer32]

Registry check (screenshot)

COM object verification (OfficeC2RCom) (screenshot)

I did not find any reference (or I missed it) saying that the COM+ System Application service must be started for ProPlus.

Conclusion to Restore OfficeC2RCom:

  1. Start the COM+ System Application service
  2. Open Regedit and change the officemgmtcom value under HKLM\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate from 1 to 0
  3. Restart the Microsoft Office Click-to-Run Service.
  4. Open Regedit and change the officemgmtcom value under HKLM\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate from 0 to 1
  5. Restart the Microsoft Office Click-to-Run Service again.
  6. Open dcomcnfg to check for OfficeC2RCom, and open Regedit to check the registry key [HKEY_CLASSES_ROOT\CLSID\{B7F1785F-D69B-46F1-92FC-D2DE9C994F13}\InProcServer32]

I have created a script that performs the above actions, so you can create an application/package and deploy it to clients that do not have the Office COM+ application.
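The following is an added example, not the script from the original post: it implements the six-step restore procedure above in PowerShell, checking the CLSID key first so that the same script can serve as a configuration item discovery script (outputs Compliant or Non-Compliant) and, when run with -Remediate, as the fix. Assumptions not stated in the post: the service name behind "COM+ System Application" is COMSysApp, officemgmtcom is a DWORD value under the policy key quoted above, and the script runs elevated.

```powershell
# Added example, not the script from the original post. Assumptions: COMSysApp is
# the "COM+ System Application" service name; officemgmtcom is a DWORD under the
# policy key quoted in the post; the script runs with admin rights.
param([switch]$Remediate)

$ClsidKey  = 'Registry::HKEY_CLASSES_ROOT\CLSID\{B7F1785F-D69B-46F1-92FC-D2DE9C994F13}\InProcServer32'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Office\16.0\Common\OfficeUpdate'

function Test-OfficeC2RCom {
    # Registered when the InProcServer32 default value points at OfficeC2RCom.dll
    if (-not (Test-Path -Path $ClsidKey)) { return $false }
    $default = (Get-ItemProperty -Path $ClsidKey).'(default)'
    return ($default -like '*OfficeC2RCom.dll')
}

function Restart-ClickToRun {
    Restart-Service -Name ClickToRunSvc -Force -ErrorAction Stop
    Start-Sleep -Seconds 15   # give Click-to-Run time to (re)register its COM objects
}

function Restore-OfficeC2RCom {
    # Step 1: COM+ System Application must be running, otherwise nothing registers
    $comsys = Get-Service -Name COMSysApp -ErrorAction Stop
    if ($comsys.Status -ne 'Running') {
        Set-Service -Name COMSysApp -StartupType Manual
        Start-Service -Name COMSysApp
    }

    # Steps 2-5: toggle officemgmtcom 1 -> 0 -> 1, restarting Click-to-Run after each change
    if (-not (Test-Path -Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name officemgmtcom -Value 0 -Type DWord
    Restart-ClickToRun
    Set-ItemProperty -Path $PolicyKey -Name officemgmtcom -Value 1 -Type DWord
    Restart-ClickToRun

    # Step 6: verify that the CLSID key is back
    return (Test-OfficeC2RCom)
}

# Emit a single string for the configuration item's compliance rule
if (Test-OfficeC2RCom) {
    'Compliant'
}
elseif ($Remediate) {
    if (Restore-OfficeC2RCom) { 'Compliant' } else { 'Non-Compliant' }
}
else {
    'Non-Compliant'
}
```

Used as a discovery script without -Remediate it only reads the registry, so it is safe to deploy broadly to find affected machines first; the remediation restarts the Click-to-Run service twice, which briefly interrupts open Office applications, so schedule it in a maintenance window. If COMSysApp is disabled by policy, Set-Service will be overridden at the next GPO refresh, which is the question the post leaves for the team that disabled it.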

Though the root cause was simple (the service was disabled), getting the COM interface back took a lot of troubleshooting.

Hope it helps!

Configmgr SSRS failed to upload RDL with error code :definition of this report is not valid or supported by this version of reporting services

When you try to upload an RDL (Report Definition Language) file into SSRS, you may hit the following error: “The definition of this report is not valid or supported by this version of Reporting Services. The report definition may have been created with a later version of Reporting Services, or contain content that is not well-formed or not valid based on Reporting Services schemas. Details: The report definition has an invalid target namespace 'http://schemas.microsoft.com/sqlserver/reporting/2016/01/reportdefinition' which cannot be upgraded. (rsInvalidReportDefinition) Get Online Help”

Why does this error occur?

If the RDL file was created using a version of the reporting tool (in this case 2016) that is higher than the SQL Reporting Services version installed (<2016), you will have this issue.

In my case, I am running SQL Server 2014 with Reporting Services installed on my SCCM server and trying to upload an SCCM report that was created with version 2016.

How do we make this report work on an older version of Reporting Services? You need to make 2 changes to the RDL file to get it working.

1. Open the RDL file using Notepad or another editor; you will find something like the following at the beginning of the file.

Change the version from 2016 to 2010.

2. Search for "ReportParametersLayout" in the file and remove the whole block (this element is created by the 2016 version of Visual Studio).

As shown below, remove the whole block and save the report.

Now try to upload the RDL file into Reporting Services, change the data source and run the report.

Conclusion:

Change the SQL version in the RDL file and remove the ReportParametersLayout block to get the report working.
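When you have more than one report to fix, the two edits above are easy to script. The following is an added example, not code from the original post: it swaps the 2016 namespace for the 2010 one as text (the same change you make in Notepad) and then removes every ReportParametersLayout element on the parsed XML so the block boundaries are exact. Assumptions not stated in the post: the target namespace is http://schemas.microsoft.com/sqlserver/reporting/2010/01/reportdefinition (the report definition schema used by SQL Server 2012 and 2014 Reporting Services), the file path is a placeholder, and PowerShell 3.0 or later is used (for Get-Content -Raw).

```powershell
# Added example, not from the original post. Assumptions: 2010/01 is the target
# namespace for SQL 2012/2014 SSRS; the path below is a placeholder; PowerShell 3.0+.
function Convert-RdlTo2010 {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$OutPath = ($Path -replace '\.rdl$', '.2010.rdl')
    )
    $ns2016 = 'http://schemas.microsoft.com/sqlserver/reporting/2016/01/reportdefinition'
    $ns2010 = 'http://schemas.microsoft.com/sqlserver/reporting/2010/01/reportdefinition'

    # Edit 1: change the version by replacing the namespace URI, as in the editor
    $text = Get-Content -Path $Path -Raw
    if ($text -notlike "*$ns2016*") { throw "Not a 2016 report definition: $Path" }
    $text = $text.Replace($ns2016, $ns2010)

    # Edit 2: remove the whole <ReportParametersLayout> block; done on the parsed
    # XML so that nothing outside the element is touched
    [xml]$doc = $text
    $nsm = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $nsm.AddNamespace('r', $ns2010)
    $removed = 0
    foreach ($node in @($doc.SelectNodes('//r:ReportParametersLayout', $nsm))) {
        [void]$node.ParentNode.RemoveChild($node)
        $removed++
    }
    $doc.Save($OutPath)

    New-Object -TypeName PSObject -Property @{ Output = $OutPath; LayoutBlocksRemoved = $removed } |
        Select-Object Output, LayoutBlocksRemoved
}

# Usage (placeholder path); the original file is left untouched and a .2010.rdl copy is written
# Convert-RdlTo2010 -Path 'C:\Reports\MyReport.rdl'
```

Use full paths, because $doc.Save() resolves relative paths against the process working directory rather than the PowerShell location. The function throws if the file is not a 2016 definition, so it will not silently rewrite a report that already targets an older schema.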

SCCM Collection for active inactive computers using Last Logon timestamp and troubleshooting

Introduction:

In this blog post, I will discuss some of the troubleshooting methods I used to identify active/inactive computers on the network (active here is not based on the SCCM agent).

Last week, I was working on an Office 365 ProPlus deployment and training for a customer in Vietnam. As part of this, one activity was to identify the actual number of computers that have talked to a domain controller in the last X days.

When I look at SCCM, there are hundreds of computers without the SCCM agent. So, before starting with the deployment/reports, I need to know the actual number of computers on the network, as there are lots of stale objects in Active Directory and also in SCCM.

The issue I am talking about in this blog post may not be applicable to everyone, and it can be improved or avoided by following best practices, with the help of an AD clean-up and by implementing a startup script or other methods for client installation.

Coming back to the issue, I was trying to identify the list of computers that are active/inactive on the network in the last 45 days and take that collection as the base for client health status, deployments etc.

How do I identify the computers that are active/inactive on the network for the last 45 days, irrespective of whether they have the SCCM agent or not? For this, I will use LastLogonTimeStamp.

If you have enabled AD System Discovery, you can get the LastLogonTimeStamp of computers from Active Directory (it is selected by default). To know more about LastLogonTimeStamp, please read the TechNet article.

So I started creating a collection using LastLogonTimeStamp. The following is a simple collection to identify the computers that have been inactive on the network for the last 45 days.

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System
where DATEDIFF(dd,SMS_R_System.LastLogonTimestamp,GetDate()) > 45

With this, I get the list of all computers that have not connected to AD in the last 45 days. Before I take any action, I need to validate whether these numbers are correct.

So I looked at the computers in the collection and found that some of them actually have the agent installed, with a last policy request date of the current date (see the screenshot below).

What went wrong with this collection? Why did it pick up computers that have the agent installed and are active?

When I looked at the computer's LastLogonTimeStamp, it showed a very old date, so I went back to Active Directory to tally this date. I can see that the date shown in SCCM and the date shown in Active Directory do not match.

AD shows a LastLogonTimeStamp of a few days ago, but SCCM shows a date almost a few months ago. Why is that?

As you know, to successfully create a DDR for a computer with attributes like computer name, OS, IP address, AD site etc., Active Directory System Discovery must be able to identify the computer account and then successfully resolve the computer name to an IP address (DNS name resolution).

So I opened cmd and did a ping and an nslookup for the computer that was discovered into the collection with the SCCM agent installed and active.

I could not ping the computer, and nslookup returned nothing.

With this, I conclude that there is an issue with name resolution, and that must be the first thing to fix before trying anything else.
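The ping/nslookup check above can be run for every computer AD considers active, which gives you the list of machines that discovery will silently skip. The following is an added example, not code from the original post: it reads lastLogonTimestamp from Active Directory, applies the same 45-day window as the collection, and tests whether each active computer's DNS host name resolves, since that resolution is what AD System Discovery needs before it creates a DDR. Assumptions not stated in the post: the ActiveDirectory module is available; name resolution is tested with the .NET DNS resolver so the script also runs on Windows 7 where Resolve-DnsName is absent. One caveat the post does not mention: lastLogonTimestamp is replicated lazily (by default only when it is more than 14 days stale), so it is suitable for a 45-day window but not for day-level accuracy.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module;
# uses System.Net.Dns so it works without the DnsClient module.
function Get-AdDiscoveryCheck {
    param(
        [int]$Days = 45,                    # same window as the collection in the post
        [string]$SearchBase = $null         # optional OU to limit the query
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $cutoff = (Get-Date).AddDays(-$Days)
    $params = @{
        Filter     = 'Enabled -eq $true'
        Properties = 'lastLogonTimestamp', 'dNSHostName'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    Get-ADComputer @params | ForEach-Object {
        # lastLogonTimestamp is a FILETIME; accounts that never logged on have no value
        $lastLogon = if ($_.lastLogonTimestamp) { [datetime]::FromFileTime($_.lastLogonTimestamp) } else { $null }
        $active = ($lastLogon -ne $null) -and ($lastLogon -ge $cutoff)

        # Discovery only creates a DDR when the name resolves, so test exactly that
        $resolves = $false
        if ($active -and $_.dNSHostName) {
            try { $resolves = [bool]([System.Net.Dns]::GetHostAddresses($_.dNSHostName)) }
            catch { $resolves = $false }
        }

        New-Object -TypeName PSObject -Property @{
            Name         = $_.Name
            LastLogon    = $lastLogon
            ActiveInAD   = $active
            DnsResolves  = $resolves
            WillDiscover = ($active -and $resolves)
        } | Select-Object Name, LastLogon, ActiveInAD, DnsResolves, WillDiscover
    }
}

# Computers AD says are active but that AD System Discovery will miss because of DNS:
# Get-AdDiscoveryCheck -Days 45 | Where-Object { $_.ActiveInAD -and -not $_.DnsResolves }
```

The WillDiscover column is the set you can expect to see with a fresh LastLogonTimeStamp in SCCM; everything with ActiveInAD true and DnsResolves false is what ends up in the "inactive" collection by mistake, and that list is what to hand to the AD/DNS team.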

Use the following SQL query to identify the count of objects that have not been discovered for more than 30 days.

Agent discovery information is stored in the SQL view v_AgentDiscoveries.

-- Count, per discovery method, the records whose last discovery is older than 30 days
select ad.AgentName [Discovery Method],
count(*) [Discovered Clients]
from v_R_System sys
inner join v_AgentDiscoveries ad on ad.ResourceId = sys.ResourceId
and DATEDIFF(dd, ad.AgentTime, GetDate()) > 30
group by ad.AgentName
order by ad.AgentName

Except for MP_ClientRegistration, the counts shown for the other discovery methods are something to be considered for troubleshooting.

With the help of SQL, you can drill down further to identify the list of computers.

After all this troubleshooting, it is necessary to work with the Active Directory/DNS team to resolve the name resolution issues.

I have seen customers who do not even enable AD System Discovery and let client installation happen through GPO/startup script/SUP/OSD, which helps to maintain accurate client information rather than pumping all the junk from AD into SCCM.

I know that DNS name resolution issues exist everywhere. So, what are the other possible solutions to consider in this case?

1. You can query computer information into the SCCM database without depending on AD System Discovery and then compare the client information between AD and SCCM. For more information, please follow this blog post on discovering computers from AD into SCCM.

2. Use a startup script as the client installation method as described in this article. This will help to get the client installed on every domain-joined computer (if there are any issues, it writes a log to a shared drive for troubleshooting). Along with the startup script, you also need to enable the following option in the AD System Discovery method:

Only discover computers that have logged on to a domain in a given period of time. This is based on the lastLogonTimestamp available in AD. So if there is an issue with DNS name resolution, the computer will not be discovered into SCCM; however, if you use the client startup script, the client will send a DDR via the heartbeat discovery method. This method helps to clean out the computers that are inactive.

Hope this guide helps with cleaning up computer accounts in SCCM based on LastLogonTimeStamp.


How to use Configmgr Baseline to check server role or feature installed

Problem:

If you are using Qualys, Nessus or another tool to detect vulnerabilities on Windows machines, this post might be helpful to you.

Recently, our security team reported that a lot of servers are vulnerable because of Adobe Flash Player, claiming that these servers are running a lower version of Flash Player.

When I looked at one of the servers, I could not find Adobe Flash Player installed. If no application is installed, there is no way for SCCM to detect that the Flash Player components are a lower version (we do 3rd-party patching as well), and you cannot patch/update Flash either, whether manually, through patching or through software distribution.

So I asked the security team to provide more information about the detection criteria used to detect the Flash Player vulnerabilities.

They came back with the detection rule: the file flash.ocx in C:\windows\System32\Macromed\Flash is a low version.

So i look at C:\windows\System32\Macromed\Flash and tried to delete the files because there is no flash player installed ( verified from programs and features). I could not delete the files directly from the folder to match with qualys results.

But what i found is ,an applet in control panel with flash player created as well which is weird to me.image

I tried downloading the latest adobe flash version and tried installing but could not go through it (installation did not happen as it says ,server 2012 R2 don't need flash player).

Nothing worked for me until here ,so i dig deeper to identify the reason for creating this folder structure and also applet in control panel.After some time ,found that ,it is coming from desktop experience feature that got installed with OS build image.

So ,i tried to remove the desktop experience feature manually from roles and features ,reboot the server (Reboot is mandate for this feature removal).

After the removal of the feature ,Flash player and the files in flash folder are disappear.

Now ,how do i know the list of servers that has desktop experience feature installed on server and how to remove it through automation ?

Solution:

I use SCCM compliance baseline to identify the list of servers that had desktop experience feature installed .If the role is installed ,you can remove the role as part of remediation script or get list of servers and then create a batch file to remove the role and reboot during the maintenance window.

Using configmgr, we can use compliance item by passing simple script that will check for the desktop experience roles ,if feature installed then output results as Non-compliant (server is vulnerable) and if not installed, output as COMPLIANT (server non vulnerable)

All you need is a script that checks for the Desktop Experience feature; if you are looking for other roles and features, modify it as needed.

To see which roles and features exist, open a PowerShell prompt, import the ServerManager module and run the following cmdlet to list the Windows roles and features on the server:

Get-WindowsFeature

image

The list above shows the server roles and features and their install state. If you want a specific one, take its value from the Name column (not the Display Name) to check its installed status.

In this blog post I am not using a remediation script. A remediation script would run when the discovery script reports Non-Compliant, for example to remove the feature from the server.

How to create a configuration item/compliance baseline?

Follow my blog post http://eskonr.com/2016/08/sccm-configmgr-how-to-clean-ccmcache-content-older-than-x-days-using-compliance-settings/ to create the configuration item, but replace the discovery script with the PowerShell script below (no remediation script is needed).

Import-Module ServerManager
# .Installed is a Boolean ($true/$false), not the string "Installed",
# so compare it as a Boolean; the original string comparison always returned "True"
$DE = (Get-WindowsFeature -Name Desktop-Experience).Installed
If (-not $DE)
{
    # Feature absent: server is compliant
    Write-Output "True"
}
else
{
    # Feature present: server is non-compliant
    Write-Output "False"
}
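As an added example (not the post's own script), the discovery script below checks both the Desktop Experience feature and the flash.ocx file that the scanner actually flags, so the compliance result tracks the vulnerable artifact rather than only the feature that drops it. It keeps the post's convention of printing "True" for compliant and "False" for non-compliant. The file path is the one from the Qualys finding above; the function name and parameter names are my own.

```powershell
# Added example (not the post's script): discovery script for a ConfigMgr
# configuration item that checks both the Desktop Experience feature and the
# flash.ocx file the scanner flags. Prints "True" when neither is present
# (compliant) and "False" otherwise, matching the post's compliance rule.
# Function name and parameter names are this example's own.

function Test-FlashExposure {
    [CmdletBinding()]
    param(
        [string]$FeatureName = 'Desktop-Experience',
        # Path taken from the scanner finding quoted in the post
        [string]$FlashOcx = (Join-Path $env:SystemRoot 'System32\Macromed\Flash\flash.ocx')
    )

    # Get-WindowsFeature only exists on Windows Server. On a client OS the
    # feature check is skipped instead of throwing and breaking discovery.
    $featureInstalled = $false
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        Import-Module ServerManager -ErrorAction SilentlyContinue
        $feature = Get-WindowsFeature -Name $FeatureName -ErrorAction SilentlyContinue
        if ($feature) { $featureInstalled = [bool]$feature.Installed }
    }

    # Check the artifact itself, so the result stays correct even if the
    # files were left behind by something other than the feature.
    $ocxPresent = Test-Path -LiteralPath $FlashOcx
    $ocxVersion = $null
    if ($ocxPresent) {
        $ocxVersion = (Get-Item -LiteralPath $FlashOcx).VersionInfo.FileVersion
    }

    [pscustomobject]@{
        FeatureInstalled = $featureInstalled
        FlashOcxPresent  = $ocxPresent
        FlashOcxVersion  = $ocxVersion
    }
}

$state = Test-FlashExposure
# The configuration item needs a single value: "True" = compliant, "False" = vulnerable
if ($state.FeatureInstalled -or $state.FlashOcxPresent) {
    Write-Output 'False'
} else {
    Write-Output 'True'
}
```

Run it once interactively on a known-bad server and inspect `Test-FlashExposure` directly to see the file version the scanner is comparing against before you wire the script into the configuration item.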

Compliance Rule:

image

Create a configuration baseline and deploy it to the collection of servers you want to check for the Desktop Experience feature.

This only discovers the servers with the feature installed. Once you have the list of non-compliant servers, create a collection from them and a simple package with the following command line, and deploy it to that collection.

Remove-WindowsFeature without -Restart does not reboot the server; the removal completes at the next reboot, which in our case is the scheduled reboot in the maintenance window.

Powershell.exe -ExecutionPolicy Bypass -Command "Remove-WindowsFeature -Name Desktop-Experience"

Hope it helps!

How to deploy SCCM Remote Control Bits (standalone) to clients without ConfigMgr Console being installed


Introduction/Problem:

We are in the process of completing an Office 365 project for all users, which brings Teams and other products as part of Office 365. Before the project we were using Lync/Skype for Business as the collaboration tool, but now that everyone is on Teams we can decommission the Lync servers and disable Lync for users.

Before we sunset Lync/Skype for Business, we need to compare features. Teams has a broader feature set than Skype, but one thing it does not do as well as Lync is desktop sharing. For support staff (desktop support, helpdesk), desktop sharing in Lync is the main tool for remote troubleshooting.

In Teams, to share the desktop or give control to a support person you first have to start an audio/video call, which is inconvenient for users. So until Microsoft improves this, we rely on the SCCM remote control functionality (if you have ConfigMgr in the infrastructure).

Many organisations already use SCCM remote control, mainly from the helpdesk and desktop support, but we decided to make the SCCM Remote Control tool available on the desktop of every support technician and IT staff member as a standalone tool, without the SCCM console.

 

Solution:

There are many blog posts on how to run SCCM remote control without installing the SCCM console; see Jörgen Nilsson's post https://ccmexec.com/2012/05/running-configuration-manager-2012-remote-control-standalone/ among others.

We will use the files from the ConfigMgr console installation folder (D:\Configmgr\AdminConsole\bin\i386: RdpCoreSccm.dll, CmRcViewer.exe and CmRcViewerRes.dll) and a simple batch script that copies them to C:\Program Files (x86) and puts a shortcut in the Start Menu for all users.

Download the source files from here.

These files were taken from SCCM build 1802 or lower, but they work regardless of whether the client version matches this remote control version. Give it a try; if you have any issues, take the files from the SCCM server installed in your own infrastructure.

Unzip the files and copy the folder to your SCCM source location.

image

You will see the following content inside the remote control folder.

image

Here is the simple batch script that copies the remote control files and creates a shortcut in the Start Menu folder for all users.

 

REM %~dp0 is the folder the script runs from (the ConfigMgr content cache),
REM so the copy does not depend on the current working directory
REM Copying SCCM Remote Control bits to Local Drive

XCOPY "%~dp0SCCM Remote Control" "C:\Program Files (x86)\SCCM Remote Control" /s /i /y

REM Copy SCCM Remote Control shortcut to All Users Start Menu

XCOPY "%~dp0SCCM Remote Control\Remote Control.lnk" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs" /Y

You can now create an application with the following detection rule (a file version check also works).

image

Type: File

Path: %ProgramFiles(x86)%\SCCM Remote Control

File or Folder name: CmRcViewer.exe

User Experience:

image

Leave the rest of the configuration at the defaults, or add custom requirements such as an OS limit.

Once the application is created, distribute it to the distribution points and deploy it to a device collection.

image

Client results:

image

With this, every support technician can use SCCM remote control to troubleshoot issues. For remote control to work, make sure the client is healthy and active and the required firewall ports are open from the technician's machine to the client. Note that shipping the viewer does not grant anyone access: the client only accepts sessions from the accounts and groups listed under Permitted viewers in the Remote Tools client settings, so keep that list limited to the support groups.

You can deploy this tool to Windows 7, Windows 10 and server OS, whichever the technician wants to remote control from.

Hope it helps !

Troubleshooting Client that has NO SCCM Agent in Console BUT still receive deployments


 

Introduction/Problem:

A colleague asked me why he was getting applications and updates on his computer that he had not requested. I checked SCCM for the computer name he provided and found that the record showed no SCCM agent.

If the PC has no SCCM agent, it cannot receive deployments, so I asked him to check whether these deployments were coming through SCCM or some other method. He confirmed they were coming from SCCM: his PC has the SCCM agent and the apps show up in Software Center.

Screenshot of the PC record showing no SCCM agent installed:

image

Once it was confirmed that the PC has the SCCM agent and is receiving deployments, I took this up to troubleshoot.

Solution:

When the PC has a healthy SCCM agent, where should we look to fix the issue? Can we simply uninstall and reinstall the client, and does that work?

I started troubleshooting on the client side by looking at client logs.

1. Review ClientIDManagerStartup.log: it records the creation and maintenance of the client GUID and the registration status of the client computer. It helps troubleshoot scenarios where the client changes its GUID after a hardware change or after Windows activation.

From this log I can get the GUID of the computer and check in SCCM which record this GUID is assigned to.

image

You can also get the GUID from SMSCFG.ini in the C:\Windows folder.

image

Copy the GUID and go to SQL Server Management Studio to find out which computer record has it.

select name0,SMS_Unique_Identifier0
From v_R_System
where SMS_Unique_Identifier0='GUID:F43BD203-2466-4284-BF28-3A62860C958A'

Run the query above, replacing the GUID with the one from the log or SMSCFG.ini.

This GUID is assigned to a different computer, as the query result shows:

image

All the deployments targeted at that other record are actually landing on the problem computer. This is how a duplicate GUID leads to wrong deployments: the client identifies itself to the site by its GUID, not by its name, so it receives whatever is targeted at the record holding that GUID. The usual cause is a reference image captured with the ConfigMgr client's SMSCFG.ini and SMS certificates still in place, so every machine built from it starts with the same GUID. You should always have operational collections or reports that identify GUIDs assigned to multiple computers, to catch this early.
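The check described above, as an added example that is not part of the original post: one function reads the GUID the local client holds in SMSCFG.ini, one groups device records by GUID and reports any GUID held by more than one record, and one pulls the records from the SMS Provider. The function names are my own; SMS_R_System and its Name, SMSUniqueIdentifier, ResourceId and Client properties are the standard SMS Provider class, and the SMSCFG.ini line format is an assumption noted in the code. The sample records are constructed.

```powershell
# Added example (not the post's code): find device records that share one
# ConfigMgr client GUID. Function names are this example's own.

function Get-LocalClientGuid {
    # Reads the GUID the local client holds in %SystemRoot%\SMSCFG.ini.
    # Assumes the INI line format "SMS Unique Identifier=GUID:<guid>".
    param([string]$IniPath = (Join-Path $env:SystemRoot 'SMSCFG.ini'))
    if (-not (Test-Path -LiteralPath $IniPath)) { return $null }
    foreach ($line in Get-Content -LiteralPath $IniPath) {
        if ($line -match '^\s*SMS Unique Identifier\s*=\s*(GUID:[0-9A-Fa-f-]{36})\s*$') {
            return $Matches[1]
        }
    }
    return $null
}

function Find-DuplicateClientGuid {
    # $Records: objects with Name and SMSUniqueIdentifier properties, e.g. from
    # Get-DeviceRecordsFromProvider below. Returns one row per GUID that is
    # held by two or more records.
    param([Parameter(Mandatory)][object[]]$Records)
    $Records |
        Where-Object { $_.SMSUniqueIdentifier } |
        Group-Object -Property SMSUniqueIdentifier |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                SMSUniqueIdentifier = $_.Name
                RecordCount         = $_.Count
                Devices             = (($_.Group | ForEach-Object Name | Sort-Object -Unique) -join ', ')
            }
        }
}

function Get-DeviceRecordsFromProvider {
    # Live query against the SMS Provider (needs read rights on the site and
    # WinRM access to the provider machine).
    param([Parameter(Mandatory)][string]$SiteServer,
          [Parameter(Mandatory)][string]$SiteCode)
    Get-CimInstance -ComputerName $SiteServer -Namespace "root\SMS\site_$SiteCode" `
                    -ClassName SMS_R_System |
        Select-Object Name, SMSUniqueIdentifier, ResourceId, Client
}

# Constructed sample data (not from a real site): PC-A and PC-B share one GUID,
# which is the situation described in the post.
$sample = @(
    [pscustomobject]@{ Name = 'PC-A'; SMSUniqueIdentifier = 'GUID:AAAAAAAA-0000-0000-0000-000000000001'; Client = 1 }
    [pscustomobject]@{ Name = 'PC-B'; SMSUniqueIdentifier = 'GUID:AAAAAAAA-0000-0000-0000-000000000001'; Client = $null }
    [pscustomobject]@{ Name = 'PC-C'; SMSUniqueIdentifier = 'GUID:AAAAAAAA-0000-0000-0000-000000000002'; Client = 1 }
)
Find-DuplicateClientGuid -Records $sample | Format-Table -AutoSize

# Against a real site (hypothetical server and site code):
# Find-DuplicateClientGuid -Records (Get-DeviceRecordsFromProvider -SiteServer 'cm01' -SiteCode 'P01')
```

Run the provider query from a scheduled task or report and alert on any output; a record whose Client is empty while it shares a GUID with an active client is exactly the pattern from the screenshot above.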

How do we fix it without reinstalling the client?

Here is a simple batch script that stops the SMS Agent Host service, deletes SMSCFG.ini and the SMS certificates, and starts the service again so that the client generates a new GUID (this is the ConfigMgr client GUID, not the computer's machine GUID).

@echo off
REM Stop the ConfigMgr client before touching its identity
net stop CcmExec
REM "sleep" is not a built-in Windows command; timeout is
timeout /t 5 /nobreak >nul
REM Remove the self-signed SMS client certificates; the client recreates them
reg delete HKLM\SOFTWARE\Microsoft\SystemCertificates\SMS\Certificates /f
REM Remove the stored client GUID so a new one is generated on startup
del /f /q %SystemRoot%\SMSCFG.ini
timeout /t 5 /nobreak >nul
net start CcmExec

Open a command prompt as administrator and run the script (or the individual commands).

After running the script, monitor ClientIDManagerStartup.log.

After a while the console record shows the SCCM client as installed, and the wrong deployments disappear from Software Center at the next machine policy cycle and collection membership update.

image

Until next time!

How to uninstall teams client using SCCM Configmgr


I had a request to uninstall Teams because it had been deployed to users who were not supposed to get it on their Windows devices. Microsoft Teams brings together the full breadth and depth of Office 365 to provide a chat-based hub for teamwork, giving customers the opportunity to create a more open, fluid and digital environment. Microsoft Teams is built on existing Microsoft technologies woven together by Office 365 Groups.

In this post we will see how to uninstall the Teams client using ConfigMgr, by creating an application or package and deploying it to users or computers.

The Teams client is available as a 32-bit or 64-bit MSI that can be deployed to users or computers. The MSI installs the Teams Machine-Wide Installer, which installs Teams into each user's AppData folder when the user signs in.

We have two options to uninstall Teams: 1) a simple uninstall command line, 2) a PowerShell script.

For the command line, create a package, or edit the Teams application's deployment type and add the uninstall program.

image

Uninstall program for Teams: "%LocalAppData%\Microsoft\Teams\Update.exe" --uninstall -s

This command line uninstalls the Teams client but does not clean up the folder. Also note, as the MSI deployment article referenced below explains, that the Teams Machine-Wide Installer reinstalls Teams at the user's next sign-in unless it is uninstalled as well or the PreventInstallationFromMsi value is set under HKCU\SOFTWARE\Microsoft\Office\Teams for that user.

The second method is a PowerShell script; this one is from the Microsoft Teams deployment clean-up article referenced below, with its batch-style exit line corrected.

<#
.SYNOPSIS
This script allows you to uninstall the Microsoft Teams app and remove the Teams directory for a user.
.DESCRIPTION
Use this script to clear the installed Microsoft Teams application. Run this PowerShell script for each user profile for which the Teams app was installed on a machine. After the script has run for all user profiles, Teams can be redeployed.
#>

# Teams is a per-user install under %LOCALAPPDATA%, so this must run in the user's session
$TeamsPath = [System.IO.Path]::Combine($env:LOCALAPPDATA, 'Microsoft', 'Teams')
$TeamsUpdateExePath = [System.IO.Path]::Combine($TeamsPath, 'Update.exe')

try
{
    if (Test-Path -Path $TeamsUpdateExePath) {
        Write-Host "Uninstalling Teams process"

        # Uninstall app silently and wait for the uninstaller to finish
        $proc = Start-Process -FilePath $TeamsUpdateExePath -ArgumentList "-uninstall -s" -PassThru
        $proc.WaitForExit()
    }
    if (Test-Path -Path $TeamsPath) {
        Write-Host "Deleting Teams directory"
        # -Force also removes hidden and read-only items the uninstaller leaves behind
        Remove-Item -Path $TeamsPath -Recurse -Force
    }
}
catch
{
    Write-Error -ErrorRecord $_
    # "exit /b 1" is batch syntax; PowerShell needs a plain exit code for ConfigMgr to record the failure
    exit 1
}

Create a package or application with this PowerShell script and deploy it to the collection. Make sure the program runs in the user's context and only when a user is logged on.

Since the Teams client lives in the user's AppData folder, the uninstall must run in that user's session.

Reference: https://docs.microsoft.com/en-us/microsoftteams/msi-deployment

https://docs.microsoft.com/en-us/microsoftteams/scripts/powershell-script-teams-deployment-clean-up

How to get office 365 proplus activation status and excluded apps etc using SCCM Configmgr


 

Introduction:

We are in the midst of completing an Office 365 project. One of the primary activities is migrating Microsoft Office to Office 365 ProPlus. For the ProPlus deployment we are using the PowerShell App Deployment Toolkit, which provides a GUI, lets us customize what to remove, and has other benefits over the standard ProPlus package that you download with ConfigMgr or the Office configuration tool.

As you know, Office 365 ProPlus is not activated the usual way (KMS); it uses the Office 365 license, and the user must activate the product by signing in with the account that holds the license.

After ProPlus is installed, the device activates automatically if the UPN used in Azure AD (eswar.koneti@eskonr.com) and the on-prem domain login (eswar.koneti@apac.eskonr.com) are the same. In my case they are not, so auto-activation does not work.

If your cloud UPN and on-prem UPN are the same, add <Property Name="AUTOACTIVATE" Value="1" /> to the configuration XML for the ProPlus installation.

I have been travelling across Asia for Office 365 project training and deployments. We have deployed ProPlus to thousands of users across Asia and all is going fine.

Problem:

As part of this project we want to monitor the deployments along with the activation status of ProPlus, and make sure every device that received ProPlus is activated. If ProPlus is not activated, the Office apps (Excel, Word, Outlook) run with reduced functionality.

With KMS activation the client connects to the KMS server on known ports, but that is not the case for Office 365 ProPlus.

How do we use ConfigMgr to get the activation status of Office 365 ProPlus?

In this blog post we will see where the activation result is stored on the Windows PC, and how to collect that information into SCCM for reporting.

The Office 365 portal also shows the activation status of licensed users, but it does not give you the device information directly unless you use the Graph API to pull it.

Sign in to https://admin.microsoft.com/AdminPortal/Home#/reportsUsage and look at Office activations.

To use SCCM, we must first locate where ProPlus stores its activation state in the registry.

On a Windows device with ProPlus installed, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration (for 32-bit ProPlus). You will see values such as O365ProPlusRetail.EmailAddress and O365ProPlusRetail.ExcludedApps, as shown below.

image

In Configuration Manager current branch, Office ProPlus information is part of the default hardware inventory: the version, channel and other details available in this registry key/WMI are already collected into the SCCM database, except for the activation details.

The inventoried ProPlus configuration is stored in the v_GS_OFFICE365PROPLUSCONFIGURATIONS view, which you can query for ProPlus versions, channel and more.
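As an added example (not the post's code), here is a local check of the same registry values the MOF in this post collects, generalized to every product release ID on the device rather than O365ProPlusRetail only; it is useful for verifying on one machine what inventory will later report. The registry path and the <Product>.EmailAddress and <Product>.ExcludedApps value names are from the post; ProductReleaseIds and Platform are other values in the same key; the function name is my own, and activation is judged the way the post does it (no EmailAddress value means not activated). The sample hashtable is constructed.

```powershell
# Added example (not the post's code): read the Click-to-Run configuration
# values behind the activation inventory, for every installed product.
# Function name is this example's own.

function Get-C2RActivationInfo {
    param(
        [string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration',
        # For offline use, pass a hashtable of value name -> value instead of
        # reading the registry.
        [hashtable]$Values
    )
    if (-not $Values) {
        if (-not (Test-Path -Path $KeyPath)) { return @() }   # no Click-to-Run Office
        $Values = @{}
        $item = Get-ItemProperty -Path $KeyPath
        foreach ($p in $item.PSObject.Properties) {
            # Skip the PSPath/PSProvider bookkeeping properties
            if ($p.Name -notmatch '^PS') { $Values[$p.Name] = $p.Value }
        }
    }

    # ProductReleaseIds is a comma-separated list, e.g. "O365ProPlusRetail,VisioProRetail"
    $products = @()
    if ($Values['ProductReleaseIds']) {
        $products = $Values['ProductReleaseIds'] -split ',' | ForEach-Object { $_.Trim() }
    }
    foreach ($prod in $products) {
        # Per-product values are prefixed with the product release ID and a dot,
        # which is why the MOF property had to be renamed later in the post
        $email = $Values["${prod}.EmailAddress"]
        [pscustomobject]@{
            Product      = $prod
            Platform     = $Values['Platform']
            EmailAddress = $email
            Activated    = [bool]$email      # the post's criterion: no email address = not activated
            ExcludedApps = $Values["${prod}.ExcludedApps"]
        }
    }
}

# Constructed sample (not captured from a real device): ProPlus activated,
# Visio installed but never signed in.
$sample = @{
    'ProductReleaseIds'              = 'O365ProPlusRetail,VisioProRetail'
    'Platform'                       = 'x86'
    'O365ProPlusRetail.EmailAddress' = 'user@example.com'
    'O365ProPlusRetail.ExcludedApps' = 'groove,lync'
}
Get-C2RActivationInfo -Values $sample | Format-Table -AutoSize

# On a real device, simply run: Get-C2RActivationInfo
```

The MOF later in the post hardcodes O365ProPlusRetail.EmailAddress; if you also deploy Visio or Project, add their <Product>.EmailAddress values to the MOF the same way, since each product carries its own.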

Since the default inventory does not give us activation details, we will extend configuration.mof and import a reporting MOF into the client settings to pull the activation status from the registry into the SCCM database.

Since we know where the activation information is stored in the registry, we use the RegKeyToMOF tool to generate the MOF content.

Download RegKeyToMOFv33a.exe from TechNet

image

Double-click the exe and browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration.

image

Deselect the 64-bit option unless you installed 64-bit ProPlus.

Click Save MOF; it prompts for a location to save the MOF files.

image

The MOF files are now stored in the location you specified.

image

Next, we edit the MOF files and delete the unnecessary content, since most of the information is already collected by hardware inventory and available in v_GS_OFFICE365PROPLUSCONFIGURATIONS.

In this blog post I keep only the email address; if you want other values, keep them as well.

I have deleted all files in the folder except CM12Config.mof and CM12Import.mof.

After deleting everything except O365ProPlusRetail.EmailAddress, my MOF files look like this.

configuration.mof:

image

Save the MOF file .

Now we compile the MOF file to make sure it is valid before we copy the code into configuration.mof on the SCCM server, under <SCCM install location folder>\inboxes\clifiles.src\hinv.

To compile a MOF file, open cmd and run mofcomp.exe filename.mof.

image

As you can see above, the MOF content fails to compile, because of a special character in the content:

CM12Config.mof (11): error SYNTAX 0X80044002: Expected semicolon or '='

Looking carefully, the property name on line 11, String O365ProPlusRetail.EmailAddress;, contains a dot, which is not valid in a MOF property name, so the parser stops there.

We fix this by renaming the property so that it contains no dot.

Change the property name from O365ProPlusRetail.EmailAddress to EmailAddress, ActivationAddress or whatever name you prefer. The registry value name inside the PropertyContext stays O365ProPlusRetail.EmailAddress, because that is the actual value being read; only the MOF property name changes.

I made the change in two places (highlighted in red): the property declaration in the class and the property name at the end of the instance line. Both must be the same. Thanks to Garth Jones, who helped me get rid of this syntax error.

Modified content:

// RegKeyToMOF by Mark Cochrane (with help from Skissinger, SteveRac, Jonas Hettich, Kent Agerlund & Barker)
// this section tells the inventory agent what to collect
// 16/10/2018 3:05:03 PM

#pragma namespace ("\\\\.\\root\\cimv2")
#pragma deleteclass("Configuration", NOFAIL)
[DYNPROPS]
Class Configuration
{
[key] string KeyName;
String EmailAddress;
};

[DYNPROPS]
Instance of Configuration
{
KeyName="RegKeyToMOF";
[PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Office\\ClickToRun\\Configuration|O365ProPlusRetail.EmailAddress"),Dynamic,Provider("RegPropProv")] EmailAddress;
};

Now run mofcomp on the file again.

image

The MOF file now parses successfully (the access denied message when mofcomp tries to store the class in the local repository can be ignored; what matters here is that the file parsed). We now copy the modified content into configuration.mof in <SCCM install location folder>\inboxes\clifiles.src\hinv.

Go to the end of the file and paste the code there.

image

Both marked values must be the same string.

Save the MOF file. The site will now process it; monitor dataldr.log.

image

We have another MOF file to import into the client settings hardware inventory, so that clients report the new class.

Keeping only the required information, the MOF file looks like this.

image

We now make the same property rename in this file. Here is the result:

#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
#pragma deleteclass("Configuration", NOFAIL)
[SMS_Report(TRUE),SMS_Group_Name("o365 - Configuration"),SMS_Class_ID("o365Config")]
Class Configuration: SMS_Class_Template
{
[SMS_Report(TRUE),key] string KeyName;
[SMS_Report(TRUE)] String EmailAddress;
};

The string in red (EmailAddress) must match the configuration.mof content, and the string in brown (the SMS_Class_ID, o365Config) can be anything you like; it determines the name of the SQL view created in the database (v_GS_O365Config0).

image

Run mofcomp.exe to check that the MOF file parses successfully.

image

We now import this MOF into the hardware inventory settings.

In the SCCM console go to Administration, Client Settings, Default Client Settings (a MOF file can only be imported into the default client settings, not into custom client device settings), Hardware Inventory, Set Classes, Import, and choose the import file.

After the import, uncheck both boxes, since we do not want this enabled in the default client settings; instead we enable it in custom client settings, either new ones or the existing ones used for inventory collection.

image

Monitor dataldr.log to see whether the changes are processed and the view is created.

image

You can now create custom client agent settings and enable the classes .

With this, we have created and applied the MOF files to collect the Office 365 ProPlus activation status.

Download the MOF files for office proplus activation from here

Wait for clients to download the policy and run the hardware inventory .

Here are some SQL queries to check the activation results for ProPlus. Adjust them as required.

--select top 10 rows from the office activations view
select top 10 * from v_gs_o365config0

--count of activated and not-activated devices among proplus installations
--(counts distinct devices; the original counted distinct email addresses plus a '0' placeholder)

select count(distinct case when o.EmailAddress0 is not null then o.ResourceID end) as 'Total Activations',
       count(distinct case when o.EmailAddress0 is null then o.ResourceID end) as 'Not Activated'
from v_gs_o365config0 o
inner join v_Add_Remove_Programs arp on o.ResourceID = arp.ResourceID
where arp.DisplayName0 = 'Microsoft Office 365 ProPlus - en-us'

--list of devices with user names that have proplus installed but are not activated
--(left join to the user view so devices without a matched last logon user still appear)

select sys.Name0, sys.User_Name0, u.Mail0, u.Full_User_Name0
from v_gs_o365config0 o
inner join v_Add_Remove_Programs arp on o.ResourceID = arp.ResourceID
inner join v_R_System sys on sys.ResourceID = o.ResourceID
left join v_R_User u on u.User_Name0 = sys.User_Name0
where arp.DisplayName0 = 'Microsoft Office 365 ProPlus - en-us'
  and o.EmailAddress0 is null

Hope it helps!
