Thursday, January 31, 2008

"Run Advertised Programs" with a limited account

If you have SCCM installed and you have an advertisement that has no mandatory time, the user will see it in Run Advertised Programs (or Add/Remove Programs, depending on their settings). An issue has occurred that if you are running in a locked-down environment you might have a problem when sending advertisements down. We have our systems locked down so only a very few systems have admin rights. Even the IT department runs with limited rights. We only use our admin account when necessary. The problem arises if you have this situation:

User only mode
No Mandatory time on Advertisement
No Network Access Account

BITS 2.5 will fail at 99% or just not even start. Even though the Network Access Account is not used, its absence prevents the download from occurring. When the same settings are used with an admin account the problem is not seen. The solution is to configure a user account for use as the Network Access Account, and downloads will work. Hopefully this will be fixed in SP1, which should be out in the first quarter of 2008.

Wednesday, January 23, 2008

SCCM upgrade II

Well, it seems I have it up and running; now I just need to configure everything. It seems that I needed the Enterprise AD admins to grant some permissions on the certificates for us little people. I was seeing that my certificate was not a valid cert and that SSL Client Authentication was not on the cert. As soon as that was solved I was able to add 2 computers to the SCCM computer collection. Of course it was well after work, and I was very happy after fighting it for 3 days.

Monday, January 21, 2008

SCCM upgrade problems

Well, I ran into some problems today while working on my SCCM upgrade. It seems I have an MP problem. It looks like my certificate might not have all the necessary options, such as Client Authentication. I am waiting for the Enterprise guys to check the certificate. It is all installed correctly and working, but alas the clients can't talk to the server. There are multiple certificate problems. Well, I will let you know exactly what was wrong and how I fixed it.

Thursday, January 3, 2008

Patch Management, the restart method

I have been asked, and have responded, many times on various forums about how I do my patch management. Granted, every organization is different, so take it with a grain of salt. In an organization that runs 8am to 5pm, with some people working late or early, and where IT has been given the power to control the machines on Patch Tuesday from 8pm to 6am, here is what I do.

1. My patches are set to pre-authorize and not have any user interaction.
2. Patches are approved and set up to install by 4pm on Patch Tuesday.
3. A system scan is done at 4:30pm, when I can be assured the computers are on.
4. A Wake-on-LAN (WOL) packet is sent all over the state to all machines by 6pm; we have in-house software for this.
5. A system scan is done at 7:30pm, when I can be assured the computers are on.
6. At 8pm patching starts on all logged-out machines, and they are restarted when complete.
7. At 11pm all logged-on machines are patched and restarted when complete.
8. At 1am all machines are restarted, scanned, and patched again.
9. This is repeated every 3 hours until 5am, when the jobs are all set to stop. This ensures that if a computer failed to install a patch it will retry, and will get a restart if something happened.
10. At 9:30am a system scan is done for the morning report.
11. At 10am the patch install is set to install on logged-in and logged-out machines, but pops up a message to the user for a restart.
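Step 4 relies on in-house software to wake the machines before the evening scans. The post does not show that tool, so here is an added example (not the post's code) of what a Wake-on-LAN sender does: it builds the standard magic packet (six 0xFF bytes followed by the target MAC repeated 16 times) and sends it as a UDP datagram to a subnet's directed-broadcast address. The inventory, MAC addresses and broadcast addresses are constructed placeholders; the `parse_magic_packet` helper is included so the same format can be recognised on the receiving or monitoring side.

```python
"""Wake-on-LAN magic packet builder/sender.

Added example; not the post's in-house WOL tool. MACs and subnets below are placeholders.
"""
import socket
from typing import Dict, Iterable, Optional, Tuple

SYNC = b"\xff" * 6   # every magic packet starts with six 0xFF bytes
MAC_REPEATS = 16     # followed by the target MAC repeated 16 times
WOL_PORT = 9         # discard port; 7 is also commonly used


def normalize_mac(mac: str) -> bytes:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455 and return 6 raw bytes."""
    clean = mac.strip().replace(":", "").replace("-", "").replace(".", "")
    if len(clean) != 12:
        raise ValueError(f"MAC must be 12 hex digits: {mac!r}")
    return bytes.fromhex(clean)  # raises ValueError on non-hex input


def build_magic_packet(mac: str) -> bytes:
    """Return the 102-byte magic packet for the given MAC."""
    return SYNC + normalize_mac(mac) * MAC_REPEATS


def parse_magic_packet(payload: bytes) -> Optional[str]:
    """Return the target MAC (colon form) if payload carries a well-formed magic packet, else None.

    Useful on a monitoring box to log which hosts were woken, or to validate what a sender emits.
    """
    idx = payload.find(SYNC)
    if idx < 0:
        return None
    body = payload[idx + len(SYNC): idx + len(SYNC) + 6 * MAC_REPEATS]
    if len(body) != 6 * MAC_REPEATS:
        return None
    mac = body[:6]
    if body != mac * MAC_REPEATS:  # all 16 copies must match
        return None
    return ":".join(f"{b:02x}" for b in mac)


def send_wol(mac: str, broadcast: str = "255.255.255.255", port: int = WOL_PORT) -> int:
    """Send one magic packet to a broadcast address; returns the number of bytes sent."""
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (broadcast, port))


def wake_hosts(hosts: Iterable[Tuple[str, str]], port: int = WOL_PORT) -> Dict[str, str]:
    """Wake each (mac, subnet_broadcast) pair; returns mac -> 'sent' or 'error: ...'.

    A bad MAC in the inventory is reported rather than aborting the whole run.
    """
    results: Dict[str, str] = {}
    for mac, bcast in hosts:
        try:
            send_wol(mac, bcast, port)
            results[mac] = "sent"
        except (ValueError, OSError) as exc:
            results[mac] = f"error: {exc}"
    return results


if __name__ == "__main__":
    # Constructed sample inventory: placeholder MACs with each host's subnet broadcast address.
    INVENTORY = [
        ("00:11:22:33:44:55", "10.1.1.255"),
        ("aa-bb-cc-dd-ee-ff", "10.2.1.255"),
    ]
    for mac, status in wake_hosts(INVENTORY).items():
        print(mac, status)
```

Reaching machines "all over the state" from one sender only works if the routers between the sender and each site forward directed broadcasts (or a relay on each subnet rebroadcasts locally); many networks block directed broadcasts deliberately, so a per-site relay is the usual arrangement. Keeping the MAC-to-subnet inventory accurate is what makes the 6pm wake-up reliable enough for the 7:30pm scan.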


Outside of this we have a collection for each MS07-0XX patch and a collection that has the previous scan package version. This is so we can target HTA popup messages. On unscanned machines (scan package version is current minus 1) we push a message box as soon as the machine comes online, so the user understands a scan is about to start and then a patch will begin. On Thursday we send down a popup to the MS07-0XX patch subcollections telling the user they are missing a patch and to be aware it will attempt to install. If they receive it more than 3 times they are to notify us. This means a patch is having an issue and IT needs to check it out.

This requires many complex collections and advertisements, but we can have more than 80% patched the night of Patch Tuesday and then catch the rest later. These could be laptops, computers in closets, or messed-up machines.