Thursday, November 26, 2015

ConfigMgr Toolkit 2012 R2



https://www.microsoft.com/en-us/download/details.aspx?id=50012


Time again for a toolkit refresh. 


Server Based Tools
  • * DP Job Manager - A tool that helps troubleshoot and manage ongoing content distribution jobs to Configuration Manager distribution points.
  • * Collection Evaluation Viewer - A tool that assists in troubleshooting collection evaluation related issues by viewing collection evaluation details.
  • * Content Library Explorer - A tool that assists in troubleshooting issues with and viewing the contents of the content library.
  • Security Configuration Wizard Template for Microsoft System Center 2012 R2 Configuration Manager - The Security Configuration Wizard (SCW) is an attack-surface reduction tool for the Microsoft Windows Server 2008 R2 operating system. Security Configuration Wizard determines the minimum functionality required for a server's role or roles, and disables functionality that is not required.
  • Content Library Transfer – A tool that transfers content from one disk drive to another.
  • Content Ownership Tool – A tool that changes ownership of orphaned packages (packages without an owner site server).
  • Role-based Administration Modeling and Auditing Tool – This tool helps administrators to model and audit RBA configurations.
  • Run Metering Summarization Tool - The purpose of this tool is to run the metering summarization task to analyze raw metering data.

Client Based Tools
  • Client Spy - A tool that helps you troubleshoot issues related to software distribution, inventory, and software metering on System Center 2012 Configuration Manager clients.
  • Configuration Manager Trace Log Viewer – A tool used to view log files created by Configuration Manager components and agents.
  • Deployment Monitoring Tool - The Deployment Monitoring Tool is a graphical user interface designed to help troubleshoot Applications, Updates, and Baseline deployments on System Center 2012 Configuration Manager clients.
  • Policy Spy - A policy viewer that helps you review and troubleshoot the policy system on System Center 2012 Configuration Manager clients.
  • Power Viewer Tool – A tool to view the status of power management feature on System Center 2012 Configuration Manager clients.
  • Send Schedule Tool - A tool used to trigger a schedule on a client or trigger the evaluation of a specified DCM Baseline. You can trigger a schedule either locally or remotely.
  • Wakeup Spy – A tool that provides a view of the power state of Configuration Manager client computers and which operate as managers or manages.


Note: Items with an * are new in the R2 Toolkit and require Microsoft System Center 2012 R2 Configuration Manager for full functionality

Monday, November 23, 2015

Configuration Manager (next Version) and TP4

In case you missed it, the new ConfigMgr will no longer have a year marker on it. It will simply be called Configuration Manager. This aligns the product with the Windows 10 release, in which there will simply be a build code difference as the application slowly evolves. And as the change is set to evolve, MS should still be on target to release the newest version/changes by the end of the year.


Just a few days ago another Technical Preview was released with some fixes and new features.


Most notable are some MDM changes and more Windows 10 changes:


New features in this technical preview include:
  • Mobile Device management (MDM): enhanced feature parity with Intune standalone – With this technical preview, many of the MDM features that are supported via Intune standalone (cloud only) are also enabled for Configuration Manager integrated with Intune (hybrid). We will publish additional information later this year about the specific capabilities which will be supported with a hybrid deployment. 
  • Integration with Windows Update for Business – With Technical Preview 4, you have the ability to view the list of devices that are controlled by Windows Update for Business.  
  • Certificate provisioning for Windows 10 devices managed via on-premises mobile device management


More information can be found here:
http://blogs.technet.com/b/configmgrteam/archive/2015/11/19/now-available-system-center-configuration-manager-technical-preview-4.aspx


With all the changes that are due to come quickly, it is recommended that the enterprise users upgrade their environment as soon as the update is released so they can properly manage Windows 10 environments.


Today Gartner released a statement, "Windows 10 is poised to become the most widely installed version of Windows ever, following on the path of Windows XP and Windows 7 before it, according to Gartner, Inc. Gartner predicts that 50 percent of enterprises will have started Windows 10 deployments by January 2017"


http://www.gartner.com/newsroom/id/3170917


I think with this latest TP we see the end of the preview in sight and the realm of Windows 10 deployments set to happen. Hopefully, many companies have been testing with the 90-day Trial Version with simple OSD deployments or using MDT. Either way, I expect to see a slow uptake in the next 6 months of Windows 10 deployments as more users are used to seeing the technology at home and then later in the office.


Start your application compatibility testing now as to not lose ground when the CIO asks when it can be deployed.

Tuesday, October 20, 2015

Now Available: October Update for System Center Configuration Manager Technical Preview 3

Many people are asking, "Why so many updates and Previews for the next ConfigMgr release?"
Well you have to understand the speed at which Microsoft is now moving. Look at the updates made to Intune and the new Windows Servicing Model. 


In line with that change, we have more Windows 10 management coming in the next update: Windows 10 Services.






More information can be found here:


http://blogs.technet.com/b/configmgrteam/archive/2015/10/14/now-available-october-update-for-system-center-configuration-manager-tp3-.aspx




Windows 10 Servicing works off of what are referred to as "branches". These branches determine how fast the update is applied to your machine. Branches are NOT security or stability updates; those come to all machines. The branches are the features or a major jump in the OS, like a 10.1 to 10.2.










This will allow you to see what branch is running and the progress. 


I think a good article about the branches and servicing can be found here: http://www.thewindowsclub.com/windows-10-servicing-branches


A link to the TechNet article can be found in the Team blog mentioned above.


Why do we need to be concerned with Servicing with ConfigMgr?
Well put simply, you need to know what you have in your environment so you can properly prepare the machines and keep them moving forward.


Do you have an MRI machine running from a Windows 10 device? These devices are typically kept in a steady state and don't want much change, per the manufacturer of the external devices. For this reason you would use the LTSB (Long Term Servicing Branch), because you don't want the OS to change every few months. This changes over years. No exact length is known because Microsoft is only now releasing 10. But this allows these special machines to be maintained without much change.


What is cool about this update is that it uses the "Updates and Servicing" node in the Preview.


Please remember to add your "voice" to the changes and features via the User Voice feedback page:
http://configurationmanager.uservoice.com/forums/300492-ideas















Tuesday, September 29, 2015

Windows Intune and Windows 10

Look what's coming to Intune this month!!!
https://technet.microsoft.com/en-us/library/dn292747.aspx?f=255&MSPPError=-2147217396


iOS 9 and Win 10 management upgrades.


As Win 10 slowly ramps up across the world look for new updates.


Don't forget the major update to the on-prem solution that is expected in Q4 of this year.


http://blogs.technet.com/b/configmgrteam/archive/2015/08/19/now-available-system-center-configuration-manager-technical-preview-3.aspx


Remember as a community member you have a voice in changes or issues that you think should be addressed in the products.


ConfigMgr
http://configurationmanager.uservoice.com/forums/300492-ideas


Intune:
https://microsoftintune.uservoice.com/


The product team looks at these and the community drives it. Don't like something? Let's change it or improve it!!

Wednesday, August 19, 2015

SCCM .vnext Preview 3

Preview 3 for the upcoming major update to SCCM has been released.
Technical documentation can be seen here: https://technet.microsoft.com/library/dn965439.aspx

This release adds the following additional capabilities:
  • Diagnostics and Usage Data
  • Service a server cluster
  • Support for SQL Server AlwaysOn for highly available databases
  • Deploy Windows Business Store applications
  • App deployment to Windows 10 devices with on-premises MDM
  • Compliance settings for Windows 10
  • Improved workflow for creating mobile device configuration items
  • Updates for Windows 10 in-place upgrade
  • Updates for bulk enrollment of Windows 10 devices with on-premises MDM

-----Microsoft Notification follows------
Greetings!
 

We are pleased to announce that the System Center Configuration Manager Technical Preview 3 has been published to the Microsoft Download Center!


 

Please see the recent blog post http://blogs.technet.com/b/configmgrteam/archive/2015/08/19/now-available-system-center-configuration-manager-technical-preview-3.aspx for additional details on the new features that are available and supporting documentation.

 


 

If you have a feature request, please be sure to use the new Configuration Manager UserVoice http://configurationmanager.uservoice.com/ site.

 

Thank you!

Tuesday, August 4, 2015

CU1 for SCCM R2SP1 or SCCM SP2

Microsoft has just announced a CU for the latest release of SCCM.
https://support.microsoft.com/en-us/kb/3074857#/en-us/kb/3074857


One of the most sought-after features is the auto update of the clients after a CU or update has been installed to the infrastructure.

Key points (see the KB above for more):

  • Update version of the Endpoint Protection client
  • Task sequence packages are downloaded two times when the "Install software packages according to dynamic variable list" option is selected, and the variable SMSTSPersistContent is set to "False." The package is downloaded one time, deleted, and then downloaded again before the actual installation.
  • Fixing of Windows 10 driver import
  • Debian 8 is added to the list of supported platforms for software distribution.
  • An attempt to create a Microsoft Intune subscription fails when Configuration Manager is installed to the default path or to any path that includes a space in the directory name. Additionally, errors that resemble the following are logged in the SMSDmpDownloader.log

Two Microsoft articles about the CU are now here

http://blogs.technet.com/b/configmgrteam/archive/2015/08/03/now-available_3a00_-cu1-for-configmgr-2012-r2-sp1-configmgr-2012-sp2.aspx

http://blogs.technet.com/b/configmgrteam/archive/2015/08/03/automatically-updating-the-configuration-manager-client.aspx

Tuesday, July 14, 2015

Patches for July 2015

https://support.microsoft.com/en-us/kb/894199


Be aware MS has re-released a patch from Jan, but the KB makes no mention of it. I did find it in the SCCM console and the WSUS update release above:


MS15-006: Security Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 (KB3004365)

Locale: All
Deployment: Important/Automatic Updates, WSUS, and Catalog
Classification: Security Updates
Security severity rating: Important
Supersedes: MS15-006 (KB3004365) on Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2
Target platforms: Windows 8.1, Windows RT* 8.1, and Windows Server 2012 R2
Approximate file sizes:
  • Windows 8.1 update: ~ 1830KB
  • Windows 8.1/Windows Server 2012 R2 x64 update: ~ 2904KB
  • Windows RT 8.1 update: ~ 1765KB
Description:
A security issue has been identified in a Microsoft software product that could affect your system. You can help protect your system by installing this update from Microsoft. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article. After you install this update, you may have to restart your system.

Thursday, July 9, 2015

Getting ramped on Windows 10 with Preview 2 on SCCM 2012

So you want more Windows 10 features. You will notice in Preview 2 that MS has once again extended their Branch Cache support.

This release is expected to hit the market in Q4 of this year. Given how smooth Windows 10 testing has gone thus far, hopefully we can see it in the November time frame, but a Christmas present would be good as well. Granted, this is all dependent on the Windows 10 Enterprise rollout that is expected some time after the Home users receive their updates.



  • Universal Windows apps support for Windows 10 – You can now side-load internally developed Universal Windows apps to Windows 10 devices.
  • Peer cache support for Windows PE – Peer cache support now includes OS deployment scenarios for Windows PE, extending our existing Configuration Manager peer cache content management.
  • Ability to manage Windows 10 PCs and mobile devices via MDM with on-premises Configuration Manager infrastructure – Support now includes Windows 10 PCs in addition to existing support for mobile devices which was added in the first Technical Preview. With this new option, you can manage Windows 10 devices using Configuration Manager integrated with Microsoft Intune (hybrid) without the need to store your data in the cloud. This is especially helpful for managing devices that are unable to connect to the Internet such as Windows IoT/Embedded devices. Note: An Intune subscription is required.



Full Article
http://blogs.technet.com/b/configmgrteam/archive/2015/07/09/whats-new-in-configmgr-tp2.aspx



Magic Quadrant for MDM, 2015

When you think of Gartner, you think of the "Magic Quadrant". This is the top right corner where the big leaders are sitting. Many won't buy a product unless they see you in the square.
Microsoft recently submitted their entry to the MDM Review.


Main report here:
http://www.gartner.com/technology/reprints.do?id=1-2HIRGAD&ct=150609&st=sb


Microsoft is not in the top right but they have some strong advances.
One weakness described is the lag behind of the on-prem SCCM link to Intune. Microsoft is working on this and we should see it in the next rounds of updates Microsoft is releasing. If you have been watching, Microsoft has started using a quicker cadence in updates/fixes/upgrades for SCCM as well as Intune. I would expect that Microsoft will be in the magic quadrant in the next round of reviews.



Microsoft

Microsoft's EMM product is the Enterprise Mobility Suite (EMS), which includes Microsoft Intune, Azure Active Directory Premium and Azure Rights Management. Microsoft Intune provides the core EMM capabilities of MDM and MAM. Intune's strengths are its support of Office 365 and integration of System Center Configuration Manager (ConfigMgr). Microsoft also recently developed a secure PIM capability based on the Outlook mobile app for iOS and Android. This will rival secure PIM offerings available from other EMM vendors. While the end-user functionality of the Outlook mobile app looks compelling, it was not generally available at the time of this report. The EMS represents a comprehensive mobility security and management vision, and it positions Microsoft well for the future in this market. Currently, Intune adoption is low, and the product is still maturing. Organizations that should consider Intune are those that want to extend the Office 365 services to mobile devices and ConfigMgr customers that value client management and EMM integration over best-of-breed EMM functionality.
Strengths
  • Intune has unique technical capabilities to manage the Office Mobile apps on iOS and Android devices, including "conditional access," app-level authentication and copy/paste control.
  • The Intune license includes entitlement to ConfigMgr, allowing organizations to manage PCs and mobile devices through the same license and console.
  • The combination of Azure Active Directory Premium, Azure Rights Management and Intune addresses some useful mobile scenarios, for example, changing an Active Directory password from a mobile device.
Cautions
  • Intune has two modes: "standalone" and "hybrid" with ConfigMgr. The "hybrid" mode creates dependencies between Intune and ConfigMgr. Advanced administrative functionality requires Intune to be connected to ConfigMgr. However, new Intune functionality is not immediately available when Intune is connected to SCCM, and changes to ConfigMgr can affect its ability to work with Intune. The next major version of ConfigMgr plans to address this issue.
  • Intune supports most of the generic Android MDM APIs, as well as some Samsung Knox capabilities. It does not support MDM APIs of Android for Work or other handset manufacturers (such as LG and HTC).
  • Intune's MAM has limited compatibility with third-party mobile application development tools, and it is behind most competitive products on containerization and analytics features.

Wednesday, July 8, 2015

Schlumberger Intersect Cloud offering

Schlumberger recently announced their first commercial SaaS (Software as a Service) for the Azure cloud, named INTERSECT.

http://azure.microsoft.com/blog/2015/07/01/big-compute-for-large-engineering-simulations/

I am reminded of the old TV show Chuck and how he was the human Intersect: a computer system that could detect and recall information about various criminals and terrorists.

From their own words:

The INTERSECT high-resolution reservoir simulator goes beyond the capabilities of current-generation simulators to improve the accuracy and efficiency of field development planning and risk mitigation—even for the most complex fields.
Accurately and quickly model
  • Complex geological structures
  • Highly heterogeneous formations
  • Challenging wells and completion configurations
  • Advanced production controls in terms of reservoir coupling and flexible field management
 
The INTERSECT simulator is available in the cloud for leveraging its power without having to build your own high-performance computing infrastructure. The subscription-based model scales with your business to give you models and data that are secure, access-controlled, and always available.
 
Schlumberger is the largest oilfield services company in the world. I should mention that I work for Schlumberger, but this article is completely independent of that relationship.
 
I recommend reading the article even if you're not interested in what the oil field does in the way of simulation or reservoir models. It shows what a company can do with Azure and the cloud in general.
 

Friday, July 3, 2015

Cloud Tax

Chicago now has about a 9% tax on streaming services. This covers streaming media as well as remote database or computing platforms. The effects will be far reaching, like the phone taxes. I think I saw a report estimate of 12 million dollars a year in revenue.

http://www.theverge.com/2015/7/1/8876817/chicago-cloud-tax-online-streaming-sales-netflix-spotify

How will this affect services and cities? Well, if you are a poor city, just tax the digital services.
This could create issues not only for the large services but also for the small services that are trying to grow.

The question is what the actual line says in the bill. What if you have devices that are managed via the Intune cloud, or a cloud DP? How will this affect the company using or managing these services?


Only time will tell.

Tuesday, June 30, 2015

Intune - Remote Lock and Passcode Reset


 
I was asked recently why you would need Remote Lock as seen below in Intune:
 
 
 
 
I sent the Remote Lock to my device, and the result is seen below:
 
 Before I go any further, not all commands are available on all devices. 
 
 
Problem: I left my device at the Restaurant, I am going to get it but it won't lock automatically.
Solution: Remote lock so that no one can access the device
 
Problem: User is set to be fired from the company.
Solution: When the user is brought into HR, the Passcode can be reset and then the device can be locked.  Later the Remote wipe (Full or Selective ) can be performed.
 
Problem: Board meeting (or Corporate Examination) is about to begin, devices are collected or placed on the conference room table. 
Solution: To prevent members from watching their phones a remote lock can be performed as the icon is visible and can easily be seen if a user unlocks their device. 
 
Problem: User forgets their PassCode
Solution: Reset the code for the user.
 
  
 
 
| Platform | Remote Lock |
| --- | --- |
| iOS | Supported |
| Android | Supported |
| Windows Phone 8 and Windows Phone 8.1 | Supported |
| Windows RT 8.1 and Windows RT | Supported if the current user of the device is the same user who enrolled the device. |
| Windows 8.1 | Supported if the current user of the device is the same user who enrolled the device. |
 
 
 
 

| Platform | Passcode Reset |
| --- | --- |
| iOS | Supported for clearing the passcode from a device. Does not create a new temporary passcode. |
| Android | Supported and a temporary passcode is created. |
| Windows Phone 8 and Windows Phone 8.1 | Supported |
| Windows RT 8.1 and Windows RT | Not Supported |
| Windows 8.1 | Not Supported |



More information on Remote Lock and Passcode Reset can be seen here:
https://technet.microsoft.com/en-us/library/jj676679.aspx

Tuesday, June 23, 2015

Intune updates for June 2015

Intune 2015 updates:

https://technet.microsoft.com/en-us/library/dn292747.aspx?f=255&MSPPError=-2147217396

Windows 10 is about to arrive for everyone and this includes the Enterprise. This will now give you the ability to manage that.

Speaking of which, did you know you can download the Windows 10 Preview for certain phones?

Join the insider program:
http://windows.microsoft.com/en-us/windows/preview-download-phone

We are slowly seeing an upswing in iOS and Android capabilities, much like in May. This is expected as Microsoft slowly takes over the competitors in the market. Look for greater abilities to come. Every month Microsoft is pushing out small improvements based on the market and community requests.

GeoFencing:
http://download.microsoft.com/download/7/8/2/7820BD07-28E3-4B06-8E11-FB55AC07CB83/4-WindowsPhone81.pptx

This is a brilliant concept that is gaining market ground in many devices. In this previous PPT we see the use of GeoFencing with triggers. When a device enters an area, an application executes something.
This can also be used to inhibit applications or features. Say you have a corporate building that doesn't allow cameras; then when you enter the building perimeter the phone, which is corporate owned, will lock down the camera.

Or maybe you want to disable certain programs when someone travels outside the US. The possibilities are endless, and with Intune we slowly see many of these abilities come to life.


Thursday, June 18, 2015

Blank Distribution Point Usage Summary Report

Problem:
  • The DP Usage Summary Report is not showing data.
  • You are running a custom website and possibly a custom port
Investigate your DP or Secondary to determine if the logs are pulled correctly

Review the server side log: Smsdpusage.log




Check the log.  Notice the folder the system is pulling: 
 Gathering statistics from C:\inetpub\logs\LogFiles\W3SVC1\ex150612.log
 This indicates a Site ID of 1 for the IIS Site

 W3SVC + [Site ID]

At first glance it appears everything is working correctly until you check the Site ID for your custom Website

 To access your Site ID, Select the Website and Open the Advanced Settings for the site






Default Website
Custom Website




























The default behavior is to create a new website ID for the custom Website. 

Problems existed with the Custom websites and Custom ports but were resolved in SP1 Cu1 and Cu2. This new report was created and installed with R2. It doesn't appear the process understood a custom website was on the DP when it was upgraded.

Solution:
To fix this you will need to change the IIS Site ID to 1 which is used by the process to pull the IIS data.

Because no two sites can share the same ID you will need to use a third number in order to flip the IDs. 

Working Default Site on Site #2
Working Custom Website on Site 1



When you change the IDs IIS will stop automatically.  You can stop the Sites before you make the change if you wish.  Post change:










You will need to start each site manually.
When this happens the logs will now start to be saved to the Site ID 1 folder
C:\inetpub\logs\LogFiles\W3SVC1




Once this is done, I would recommend that you move the old IIS logs to the new, correct folder: C:\inetpub\logs\LogFiles\W3SVC1
Next we check the report and now see data:

I have noticed on 2 of my DPs the Bytes Sent is 0, which is wrong. I haven't determined why this is, but it is my next task.

It is possible that we have this fix in place but it needed to have been done before the R2 install. I find it odd that it pulls in the log, the connections and requests but doesn't read the bytes sent.
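
The check and the ID swap described in this post, scripted as an added example (not part of the original post or of any Microsoft tooling). It assumes the WebAdministration module is available on the DP, that the script runs elevated, and that the custom website is named SMSWEB; the site name is a parameter and an assumption, so change it to match your server.

```powershell
# Added example: report which IIS site logs to W3SVC1 and, with -Swap,
# move the DP website onto Site ID 1 using a temporary third ID.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumption: IIS name of the custom website that serves DP content.
    [string]$DpSiteName = 'SMSWEB',
    # Without -Swap the script only reports and changes nothing.
    [switch]$Swap
)

Import-Module WebAdministration

function Get-SiteLogInfo {
    # One row per IIS site: its ID, state and the W3SVC<ID> folder it logs to.
    foreach ($site in Get-Website) {
        $root   = [Environment]::ExpandEnvironmentVariables($site.logFile.directory)
        $folder = Join-Path $root ('W3SVC{0}' -f $site.id)
        $newest = $null
        if (Test-Path $folder) {
            $newest = Get-ChildItem $folder -Filter *.log |
                Sort-Object LastWriteTime -Descending | Select-Object -First 1
        }
        [pscustomobject]@{
            Name      = $site.name
            Id        = [int]$site.id
            State     = $site.state
            LogFolder = $folder
            NewestLog = if ($newest) { $newest.LastWriteTime } else { $null }
        }
    }
}

$sites = @(Get-SiteLogInfo)
$sites | Format-Table -AutoSize

$dp = $sites | Where-Object { $_.Name -eq $DpSiteName }
if (-not $dp) { throw "No IIS site named '$DpSiteName' on this server." }

if ($dp.Id -eq 1) {
    Write-Output "'$DpSiteName' already has Site ID 1; its logs are in $($dp.LogFolder)."
    return
}

Write-Warning ("'{0}' has Site ID {1}, so its traffic is logged to {2}, not W3SVC1." -f `
    $DpSiteName, $dp.Id, $dp.LogFolder)
if (-not $Swap) { return }

# No two sites can share an ID, so park the current holder of ID 1 on an unused ID first.
$holder = $sites | Where-Object { $_.Id -eq 1 }
$tempId = ($sites.Id | Measure-Object -Maximum).Maximum + 1

if ($PSCmdlet.ShouldProcess("IIS site '$DpSiteName'", "change Site ID $($dp.Id) -> 1")) {
    if ($holder) {
        Set-ItemProperty "IIS:\Sites\$($holder.Name)" -Name id -Value $tempId
    }
    Set-ItemProperty "IIS:\Sites\$DpSiteName" -Name id -Value 1
    if ($holder) {
        # Give the previous holder the ID the DP site used to have.
        Set-ItemProperty "IIS:\Sites\$($holder.Name)" -Name id -Value $dp.Id
    }

    # The sites stop when their ID changes, so start each one again.
    $toStart = @($DpSiteName)
    if ($holder) { $toStart += $holder.Name }
    foreach ($name in $toStart) { Start-Website -Name $name }

    Get-SiteLogInfo | Format-Table -AutoSize
}
```

Run it without parameters first to see the current IDs and log folders; add `-Swap -WhatIf` to preview the change before making it.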
 

Monday, June 15, 2015

Make your voice heard

Microsoft has several ways to pull in feedback, MVPs, forums, Microsoft Connect.  Here is another method to interact with Microsoft without having to fill out the complex Design Change Request.

Ask Microsoft what you would like to see or vote (up to 10x) on a topic.  If that topic is already in production or complete then your vote should be turned back to you to use again. 
Remove and change your votes as new ideas are submitted:


Here’s how it will work:

For ideas/DCRs only (no bugs) for Configuration Manager:


 

For Intune standalone, and ConfigMgr+Intune hybrid MDM (Bugs and DCRs):

Friday, June 5, 2015

ConfigMgr 2012 Site Boundary Group Assignment

If you have a 2007 and 2012 SCCM site you can't use site assignment because the 2012 machines might try to assign themselves to the 2007 site. It can be confusing enough to have both infrastructures. Or maybe you didn't set it before for some reason. If you have too many to do by hand, then here is a script you can modify to use in your environment.

Recall that you cannot assign a boundary group to a Secondary Site code, it must be assigned to the Primary.  Yes, I realize it is in the drop down list because it is a site but you should always assign the site to the Primary just like the client would see in the Site settings.

We have our Boundary Groups labeled as such:


Location - SiteCode
London1 - SC2
London2 - SC2
Scotland - SC3
Texas - SC1
Washington - SC4

The reason for this is to quickly determine where a boundary group is connected in terms of the secondary controlling it. For this reason we need to look at the Secondary site code and associate it with the Primary.


## PowerShell: set the primary site code on each boundary group.
$SiteServer = "foo.com"
$SiteCode = "PR1"
$WMIConnection = [WMICLASS]"\\$SiteServer\Root\SMS\Site_$($SiteCode):SMS_BoundaryGroup"
$BoundaryList = $WMIConnection.psbase.GetInstances()
foreach ($Boundary in $BoundaryList)
{
    # The group name ends in the secondary site code, e.g. "London1 - SC2"
    $SecondarySiteCode = $Boundary.Name.Substring($Boundary.Name.Length-3,3)
    $Primary = "CHECK"
    # Map each secondary site code to its primary
    Switch ($SecondarySiteCode)
    {
        SC1 { $Primary="PR1" }
        SC2 { $Primary="PR2" }
        SC3 { $Primary="PR2" }
        SC4 { $Primary="PR1" }
        SC5 { $Primary="PR1" }
        SC5 { $Primary="PR3" }   # SC5 is listed twice; with no break both clauses run and this one wins
    }

    if ($Primary -eq "CHECK")
    {
        # No mapping for this group: print its name for manual review
        echo $Boundary.Name
    }
    else
    {
        ## boundary group is correct, set it
        $Boundary.DefaultSiteCode = $Primary
        $Boundary.Put()
    }
}
################################################

Note that if you want to uncheck the box you can simply blank the DefaultSiteCode
$Boundary.DefaultSiteCode = ""





Tuesday, May 19, 2015

Making a 1E Nomad client exempt from pulls

History:
For those not familiar with Nomad from 1E: it is a peer-to-peer technology that helps eliminate Distribution Points with SCCM. The client will ask if any machine in the local Subnet has the files. If not, it will then ask the ActiveEfficiency Server, assuming Single Site Download is set up, for files. 1E utilizes a Reverse QoS process along with many other cool features.

My environment has many types of machines that we want to consume data utilizing Nomad but not allow other machines to pull from them. For this 1E has a registry key. We have several instances where you don't want to interrupt a machine. Maybe it is a machine cluster crunching data, a video editing machine, a special server, or maybe you have some political reasons to exclude a machine.

The end result will be a machine with a Nomad Key
P2PElectionWeight set to 0
You must restart the Service for the machine to notice the change.



For this we create a Compliance check.  There are several ways to create this:



Application


Find the MSI of the application you are detecting
 
At settings, click next

 At Compliance Rules, click Next


Select the appropriate Platform



This is a quick Detection method; you can use any one that works for you.

Here is a method I used to detect if a machine has SQL installed and running:
(Note this example doesn't include excluding SCCM Secondary servers)


First I wanted to find the machines that had SQL. This could also include SQL Express, and some machines with BitLocker may be seen as having SQL, which I found odd.


Let's set the rule to "Must Exist" if we are really seeing SQL on the box
 
 
Now that we have a machine that has SQL detected we need to check to see if it is Running, 


 
With both of these rules and more versions you can create detections if a machine has software installed. Remember, if you have applications with the App Model then you have some work already done for you.
 


Now create your Baseline:
Software names have been removed from this list.  Notice the purpose of these is "Prohibited" the reason is because we don't want these applications running.



The deployment is only run once a month before the patches as this is a heavy load on the environment. And we don't expect it to change much.  This

To make this work we need a collection that has all the non-compliant machines

Create a package and push this batch file to the machine to make it exempt from pulls


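:: PROCESSOR_ARCHITEW6432 is only set for a 32-bit process on 64-bit Windows
IF '%PROCESSOR_ARCHITEW6432%'=='' goto x86
:: Write the value to the 64-bit registry view
reg.exe add HKLM\Software\1E\NomadBranch /v P2PElectionWeight /t REG_DWORD /d 0 /f /reg:64

:x86
:: Write the value to the default registry view of the running process
reg.exe add HKLM\Software\1E\NomadBranch /v P2PElectionWeight /t REG_DWORD /d 0 /f

:: Restart the NomadBranch Service
NET STOP NomadBranch && NET START NomadBranch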
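
To confirm that the package did its job, the value can be read back from both registry views. The following is an added example, not part of the original post and not a 1E tool; the function name and the "Exempt"/"NotExempt" result strings are made up here so the output can be used as a script-based compliance setting.

```powershell
# Added example: verify P2PElectionWeight = 0 in every registry view
# where the NomadBranch key exists, and report the service state.
function Get-NomadElectionWeight {
    $views = [Microsoft.Win32.RegistryView]::Registry64,
             [Microsoft.Win32.RegistryView]::Registry32
    foreach ($view in $views) {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
                    [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        try {
            $key = $base.OpenSubKey('SOFTWARE\1E\NomadBranch')
            $weight = $null
            if ($key) {
                # $null is returned when the value has not been created
                $weight = $key.GetValue('P2PElectionWeight', $null)
                $key.Dispose()
            }
            [pscustomobject]@{
                View              = $view
                KeyPresent        = [bool]$key
                P2PElectionWeight = $weight
            }
        }
        finally {
            $base.Dispose()
        }
    }
}

$results = @(Get-NomadElectionWeight)
$present = @($results | Where-Object { $_.KeyPresent })

# Exempt only if the key exists somewhere and every copy of it carries weight 0.
$exempt = ($present.Count -gt 0) -and
          (@($present | Where-Object { $_.P2PElectionWeight -ne 0 }).Count -eq 0)

# The service has to be restarted to notice the change, so show its state too.
$service = Get-Service -Name NomadBranch -ErrorAction SilentlyContinue

$results | Format-Table -AutoSize | Out-String | Write-Verbose
if ($service) { Write-Verbose "NomadBranch service: $($service.Status)" }

# Single string result for a configuration item rule (hypothetical values).
if ($exempt) { 'Exempt' } else { 'NotExempt' }
```

On a 32-bit operating system both views resolve to the same key, so the two rows will match.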

Saturday, May 16, 2015

Extend Reboot of SCCM temporarily

To followup on this post: http://sms-hints-tricks.blogspot.com/2015/05/override-sccm-reboot-time.html

Say you just wanted to simply extend the reboot of a machine by a few hours and not permanently?

Simply edit the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Mobile Client\Reboot Management\RebootData\ InitiatedTimeStamp

Add the number of seconds you wish to have then kill the ScNotification.exe process and restart the SMS Agent Host.

When this happens the SCNotification application should kick back in after a few seconds. It will read the changed registry value and use the new time for the reboot.

Wednesday, May 13, 2015

Skype for Business, forced install

Be aware that this month, May 2015, any machines that are running Lync 2013 and didn't upgrade last month to Skype for Business will now be forced to Skype.


In the SCCM console you will see this update:


Security Update for Skype for Business 2015 (KB3039779)


Bulletin ID: MS15-044
Article ID: 3039779
Date revised: Tuesday, May 12, 2015
Maximum severity rating: Critical
Description:
A security vulnerability exists in Skype for Business 2015 64-Bit Edition that could allow arbitrary code to run when a maliciously modified file is opened. This update resolves that vulnerability.
Applicable languages:

Affected products:
Office 2013




This security update is a part of MS15-044:


Vulnerabilities in Microsoft Font Drivers Could Allow Remote Code Execution (3057110)
This security update resolves vulnerabilities in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Microsoft Lync, and Microsoft Silverlight. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded TrueType fonts.








From there you can drill down to the Lync / Skype Security update


Microsoft Lync Basic 2013 Service Pack 1 (32-bit)
(Skype for Business Basic)
(3039779)

Not applicable
Critical
Remote Code Execution

Once you open this update you will find this:
------------------------------------------------


MS15-044: Description of the security update for Lync 2013 (Skype for Business): May 12, 2015
This security update resolves a vulnerability in Microsoft Lync that could allow information disclosure if a user opens a specially crafted Lync meeting request.

This security update for Microsoft Lync 2013 includes the new Skype for Business client.

Notes
  • The download page will still display this update as being for Lync 2013.
  • After you apply this May 12, 2015, security update, Lync 2013 will be upgraded to Skype for Business. Get the general information about the new experience in Skype for Business.
  • You can still use the Lync client user interface after you apply this update for Lync 2013 (Skype for Business). Get the general information about how to switch between the Skype for Business and the Lync client user interfaces for Office 365 users and Lync Server 2013 users.

Tuesday, May 5, 2015

Override SCCM Reboot Time

The SCCM reboot counter is controlled via the SCNotification application and policy.  Below is a basic policy as seen from WbemTest and Policy Spy.

 


To modify this we create a local policy.  Local Policy will override the machine

WMIC /namespace:\\root\ccm\policy\machine\requestedconfig path CCM_RebootSettings Create PolicySource="local",PolicyVersion="1.0" ,SiteSettingsKey="1", RebootCountdown=259200, RebootCountDownFinalWindow=4400 /NOINTERACTIVE

When you run this command the policy looks like the one below



When the restart happens...
 
You have something like this above.


Once the machine is set to reboot the registry will change here
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Mobile Client\Reboot Management\RebootData


OverrideRebootWindowTime is the Epoch time at which the forced box that cannot be closed appears.
Rebootby is the Epoch time at which the machine will restart.

I am still experimenting to see if the time can be modified so as to cheat the reboot time and keep extending it, or to force it to be shorter.  I will detail those findings later.

I did find the Epoch time had to be adjusted.  I found I had to subtract 5 hours to adjust for my timezone.  While it says it is in UTC, I think it is UTC but offset from my timezone.  Odd.  I might find the real solution once I delve deeper into this.
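To read those two deadlines without doing the arithmetic by hand, the following added example (not part of the original post) prints each value as UTC and as local time together with the local UTC offset. It assumes the values are Unix epoch seconds, as the post describes them, and uses the value names as they are written above.

```powershell
# Added example: show the RebootData deadlines as UTC and as local time.
# Assumption: the values are Unix epoch seconds (the post calls them Epoch time).
$path  = 'HKLM:\SOFTWARE\Microsoft\SMS\Mobile Client\Reboot Management\RebootData'
$epoch = New-Object DateTime 1970, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)

if (Test-Path $path) {
    $data = Get-ItemProperty -Path $path

    foreach ($name in 'OverrideRebootWindowTime', 'Rebootby') {
        $seconds = $data.$name
        if ($null -eq $seconds) { continue }   # value not present on this machine

        $utc = $epoch.AddSeconds([double]$seconds)

        [pscustomobject]@{
            Value     = $name
            Epoch     = $seconds
            Utc       = $utc.ToString('u')
            Local     = $utc.ToLocalTime().ToString('yyyy-MM-dd HH:mm:ss')
            # Offset of the local time zone at that instant, DST included.
            UtcOffset = [TimeZoneInfo]::Local.GetUtcOffset($utc).ToString()
        }
    }
}
else {
    Write-Output "RebootData key not found at $path"
}
```

Run it from a 64-bit PowerShell host; a 32-bit host is redirected to the Wow6432Node view of HKLM\SOFTWARE.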


Wednesday, April 15, 2015

System Center 2012 Configuration Manager Cmdlet Library has been released to Download Center

Do you want the PowerShell cmdlets but don't have the time to install the CU for them?  Well, they are now a separate bundle that you can install. CUs will no longer have PowerShell updates packaged with them.


If you have R2, no matter what CU you have installed (or not installed) you can download this and update your environment.  RTM SP1 is NOT supported via this update.  You must be running the R2 platform to benefit from this change.




The download can be found here:


https://www.microsoft.com/en-us/download/details.aspx?id=46681


Information on installing the cmdlet library is here: https://technet.microsoft.com/en-us/library/dn958404


Admins have been asking how to update their environment in separate steps, and this is the answer from Microsoft: it allows quicker adoption of PowerShell and gives the customer the ability to control the CUs.



Tuesday, April 7, 2015

Manual force of WSUS via automation





Have you ever wanted to have an odd schedule, or found that your site will no longer sync on the schedule but a full sync will work?


Well here is some code to kick off a Full sync on your site.  All you have to do is create a scheduled task on the Central or primary site.
The code modifies the control file.  Because of some timing issues I did add a few seconds on to the request. 


XXX - SITE CODE
SERVER - SERVERNAME
*******************************************


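' WMI scripting constants. VBScript does not define these on its own, and
' undeclared names silently evaluate to 0.
Const wbemFlagReturnImmediately = 16
Const wbemFlagForwardOnly = 32
Const wbemChangeFlagUpdateOnly = 1

Set swbemLocator = CreateObject("WbemScripting.SWbemLocator")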
swbemLocator.Security_.AuthenticationLevel = 6 'Packet Privacy
Set swbemServices= swbemLocator.ConnectServer("SERVER", "root\sms\site_XXX")

Set context = CreateObject("WbemScripting.SWbemNamedValueSet")
'context.Add "LocaleID", "MS\1033"
'context.Add "MachineName", "SERVER"
Context.Add "SessionHandle", swbemServices.ExecMethod("SMS_SiteControlFile", "GetSessionHandle").SessionHandle
                                        

SynchronizeSoftwareUpdatePoint swbemServices,context,"XXX"

Sub SynchronizeSoftwareUpdatePoint(swbemServices,swbemContext,siteCode)
    ' Load site control file and get the SMS_WSUS_SYNC_MANAGER component section.
    swbemServices.ExecMethod "SMS_SiteControlFile.Filetype=1,Sitecode=""" & siteCode & """", "Refresh", , , swbemContext
       
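    ' Calculate the current timestamp (number of seconds from 1/1/1970 to current time UTC).
    ' now() returns local time; the 8-hour offset is hardcoded for UTC-8, so adjust it for your time zone.
    calculatedUTCOffsetinSeconds = (8 * 60 * 60)
    currentTimestamp = datediff("s", "1/1/1970 12:00:00 AM", now()) + calculatedUTCOffsetinSeconds
    ' Timing adjustment for the lag mentioned in the text.
    currentTimestamp=currentTimestamp-7198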
   
    Query = "SELECT * FROM SMS_SCI_Component " & _
            "WHERE ComponentName = 'SMS_WSUS_SYNC_MANAGER' " & _
            "AND SiteCode = '" & siteCode & "'"
   
    Set SCIComponentSet = swbemServices.ExecQuery(Query, ,wbemFlagForwardOnly Or wbemFlagReturnImmediately, swbemContext)
                      
    ' Only one instance is returned from the query.
    For Each SCIComponent In SCIComponentSet
        ' Loop through the array of embedded SMS_EmbeddedProperty instances.
        For Each vProperty In SCIComponent.Props        
                           
            ' Setting: Sync Now
            If vProperty.PropertyName = "Sync Now" Then
               
                ' Modify the value.
                vProperty.Value = currentTimestamp
               ' wscript.echo "New value " & currentTimestamp
               
                ' Output success message.
               ' wscript.echo " "
               ' wscript.echo "Reset 'Sync Now' property with current timestamp. "              
            End If
              
        Next  
             ' Update the component in your copy of the site control file. Get the path
             ' to the updated object, which could be used later to retrieve the instance.
             Set SCICompPath = SCIComponent.Put_(wbemChangeFlagUpdateOnly, swbemContext)
    Next
                         
    ' Commit the change to the actual site control file.
    Set InParams = swbemServices.Get("SMS_SiteControlFile").Methods_("CommitSCF").InParameters.SpawnInstance_
    InParams.SiteCode = siteCode
    swbemServices.ExecMethod "SMS_SiteControlFile", "CommitSCF", InParams, , swbemContext
     
    ' Release copy of the site control file.
    swbemServices.Get("SMS_SiteControlFile").ReleaseSessionHandle swbemContext.Item("SessionHandle").Value
End Sub

*******************************************






I know this works on SCCM 2007. I am sure it will work on SCCM 2012, but I never tried it.

Tuesday, March 24, 2015

0x87d00244 The object or subsystem has not been initialized

So you have a client that is running several days behind on SCEP updates.  It can see the updates and the machine is working but when you run the Software Updates Deployment Evaluation Cycle you see this:





 

 
 
The error you find is (0x87d00244) "Updates will not be made available".  This points to a subsystem that is not ready.  Could it be that the Windows Update agent is broken?  First check the state of the machine: running Windows Update, we see the machine is in a pending reboot state:
 



The machine would really like to run the SCEP update, but other updates are pending a process. Restart the box and see if it will install the updates.
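The same pending-reboot check can be done from a prompt instead of the Windows Update dialog. This is an added example, not part of the original post; the registry locations are the standard Windows restart markers, and the WMI call assumes the ConfigMgr client is installed so that the root\ccm\ClientSDK namespace exists.

```powershell
# Added example: check the usual pending-restart markers on a client.
$cbs = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
$wua = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'

# PendingFileRenameOperations is also set by non-update installers, so treat
# it as a hint rather than proof that an update is waiting.
$sm  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
           -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
$pfr = [bool]($sm -and $sm.PendingFileRenameOperations)

# Ask the ConfigMgr client itself. Stays $null if the client is not installed.
$ccm = $null
try {
    $r = Invoke-WmiMethod -Namespace 'root\ccm\ClientSDK' -Class CCM_ClientUtilities `
             -Name DetermineIfRebootPending -ErrorAction Stop
    $ccm = [bool]($r.RebootPending -or $r.IsHardRebootPending)
}
catch {
    Write-Verbose "ConfigMgr client query failed: $($_.Exception.Message)"
}

[pscustomobject]@{
    ComputerName            = $env:COMPUTERNAME
    ComponentBasedServicing = $cbs
    WindowsUpdateAgent      = $wua
    PendingFileRename       = $pfr
    ConfigMgrClient         = $ccm
    RestartLikelyNeeded     = [bool]($cbs -or $wua -or $ccm)
}
```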





Wednesday, March 18, 2015

Intune Fun

Playing with several settings with my Win 8.1 phone and Intune.  First I install the

Project My Screen App for Windows Phone
https://www.microsoft.com/en-us/download/details.aspx?id=42536

This is a great application to show your Windows 8.1 device on the desktop or even project it.

Now to the fun I had.

One feature that is nice is the ability to change the security


I did notice that after Setting the policy for Advanced Password setting, it will set your numeric keyboard login to a normal keyboard (seen above)
 
Unfortunately, keyboard setting "Password" is locked out.  Even after changing the policy back and forth, retiring the device and performing the unenroll.  The device was not able to be changed from the keyboard back to the number pad.
 
I used the Intune Wipe feature and selected the feature to remove corporate data.  I was very impressed that in less than 3 seconds the device shutdown and started the wipe process.
 
I wasn't looking forward to the restore process.  With the backup feature enabled, my device restored to the original settings in about 20 mins.  There are a few personal settings that were not set back.
 
In the future, I will run some more tests and record the screen shots using the Windows Project My screen Application.
 
I was playing more than concentrating on writing a good article. More to come...
 
 

Wednesday, March 4, 2015

Intune update for March coming this week!

Today Microsoft announced the next update to the Microsoft Intune cloud service for mobile devices:
http://blogs.technet.com/b/microsoftintune/archive/2015/03/04/march-updates-coming-this-week-to-microsoft-intune.aspx

Updates include:
  • Ability to streamline the enrollment of iOS devices purchased directly from Apple or an authorized reseller with the Device Enrollment Program (DEP)
  • Ability to restrict access to SharePoint Online and OneDrive for Business based upon device enrollment and compliance policies
  • Management of OneDrive apps for iOS and Android devices
  • Ability to deploy .appx files to Windows Phone 8.1 devices
  • Ability to restrict the number of devices a user can enroll in Intune

These updates are for the cloud-only service.  If you are using the Hybrid or "Unified" approach, which has Intune integrated into your SCCM console, then you will see the following changes:

  • Create custom WiFi profiles with pre-shared keys (PSK) for Android devices

    Microsoft, as you have seen over the last year, has increased the cadence of software distribution. Nowhere is this so apparent as in the Intune updates.  If we simply look at Intune from where it started several years ago to today, it has greatly improved and is now in the running with other Mobile Device vendors.

    One item that I would like to see in Intune is the ability to run it on server-class machines, so that small companies can fully utilize the cloud-based solution.  I can see Intune Partners or Vendors managing a large number of small companies completely from Intune.  Then when a new version of Java is deployed, all the small companies can pilot it and then opt in and receive it.

    The one problem is that Intune is individual-tenant based, and we need to look at an "Intune console", similar to what you have in SCCM to manage different site codes and collections of systems, in order to manage all the companies effectively as many branches of a single company, depending on the deployment.

    While each "branch" might have a different need, this can be handled by the branch admins or even by the Intune Partner. 

    Just some thoughts......

    Thursday, February 12, 2015

    Wsus Fails to sync, WSUSPool stopped

    So yet again here is another problem with WSUS.  These are all running on Server 2012.

    Problem:
    In the console, monitoring showed a Sync Failure.  The error code was that the WSUS service was unavailable on the box.  This affected not only the top SUP but several of the lower Secondary Servers with SUP installed, but not all.  Yet all stopped at a certain Content Version.

    Troubleshooting process:
    Check the WSUS service on the box: Running
    Open the WSUS console (yes don't change/set anything): Unable to contact WSUS Server
    Sync logs shows it can't contact the server.
    Database running and working
    Memory on the box was at 96.4% used
    Found that in IIS the WSUS application Pool was stopped.  Restart the Pool.
    After 20 mins the Pool would stop again.

    wsyncmgr log on primary:

    Sync failed: WSUS server not configured. Please refer to WCM.log for configuration error details.. Source: CWSyncMgr::DoSync
    STATMSG: ID=6703 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=Primary.foo.com SITE=PE0 PID=1744 TID=4156 GMTDATE=Thu Feb 12 17:25:48.682 2015 ISTR0="CWSyncMgr::DoSync" ISTR1="WSUS server not configured. Please refer to WCM.log for configuration error details." ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0
    Sync failed. Will retry in 60 minutes
    WSUSCtrl.log on SUP:
    Attempting connection to local WSUS server
    System.Net.WebException: The request failed with HTTP status 503: Service Unavailable.~~   at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)~~   at Microsoft.UpdateServices.Administration.AdminProxy.GetUpdateServer()~~   at Microsoft.SystemsManagementServer.WSUS.WSUSServer.ConnectToWSUSServer(String ServerName, Boolean UseSSL, Int32 PortNumber)
    System.Net.WebException: The request failed with HTTP status 503: Service Unavailable.~~   at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)~~   at Microsoft.UpdateServices.Administration.AdminProxy.GetUpdateServer()~~   at Microsoft.SystemsManagementServer.WSUS.WSUSServer.ConnectToWSUSServer(String ServerName, Boolean UseSSL, Int32 PortNumber)
    Failed to set WSUS Local Configuration. Will retry configuration in 1 minutes

    Solution:

    The 1st solution was to add a bit more RAM on the VM.  This didn't solve the issue.
    So I did more digging and found the Recycle Setting for IIS and the max RAM it can use:

    Recycling Setting in IIS
    I changed the default setting for the WSUS pool from 1843200 (KB) and added 1 GB of RAM to it.  The box now seems to be happy and is syncing again.  There is not a heavy load on the box, but I am watching to see what happens.  It is odd that the twin in a different data center isn't showing the same signs.
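The same change can be made from PowerShell on the WSUS server. This is an added example, not part of the original post; it assumes the application pool is named WsusPool, that the WebAdministration module is available, and that the increase is the 1 GB mentioned above.

```powershell
# Added example: inspect the WSUS application pool, raise its private memory
# recycling limit and start the pool again if it has stopped.
# Assumptions: pool name WsusPool; increase of 1 GB as described in the post.
Import-Module WebAdministration

$poolName = 'WsusPool'
$poolPath = "IIS:\AppPools\$poolName"
$setting  = 'recycling.periodicRestart.privateMemory'   # limit is stored in KB
$addKB    = 1024 * 1024                                  # 1 GB expressed in KB

if (-not (Test-Path $poolPath)) { throw "Application pool $poolName not found" }

$state   = (Get-WebAppPoolState -Name $poolName).Value
$current = [int64](Get-ItemProperty -Path $poolPath -Name $setting).Value
Write-Output "$poolName state: $state, private memory limit: $current KB"

# A limit of 0 means "no limit" in IIS, so only raise a limit that is set.
if ($current -gt 0) {
    $target = $current + $addKB
    Set-ItemProperty -Path $poolPath -Name $setting -Value $target
    Write-Output "Private memory limit raised to $target KB"
}

# The pool in the post was found stopped; start it again if that is the case.
if ($state -ne 'Started') {
    Start-WebAppPool -Name $poolName
    Write-Output "$poolName started"
}
```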



    Monday, January 12, 2015

    WSUS for SCCM won't sync

    Sometimes the most basic fix can get you over a hurdle, so you can spend time fixing it instead of fighting a constant fire:

    Symptoms:

    Manual Sync of WSUS from the "Update Repository" node works, but the automated sync fails like this:

    Wsyncmgr.log:
    Sync failed: The operation has timed out. Source: Microsoft.UpdateServices.Internal.ApiRemoting.ExecuteSPSearchUpdates
    Sync failed. Will retry in 60 minutes

    Quick Resolution:
    You could manually sync the server on the schedule but that doesn't solve the problem

    But why doesn't it work for the automated approach?  You may see in the console that it starts to download but never finishes.  This could be a problem with the SQL RAM or the server RAM available.  Does it sync for the first few times after you restart your machine?  It could be that the load on your site server has changed recently.

    I pulled part of the script from Microsoft Technet and other parts from my internal script base.  I then used the server Scheduled Task to kick this off for me until I could find a solid solution.


    Another way would be to somehow force a script to run the manual sync for you:

    Change the following names:
    SITE_SERVER_NAME -> servername
    SITE_CODE -> ABC


    -----------------------WSYSNC.VBS-------------------------
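    ' WMI scripting constants. VBScript does not define these on its own, and
    ' undeclared names silently evaluate to 0.
    Const wbemFlagReturnImmediately = 16
    Const wbemFlagForwardOnly = 32
    Const wbemChangeFlagUpdateOnly = 1

    Set swbemLocator = CreateObject("WbemScripting.SWbemLocator")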
    swbemLocator.Security_.AuthenticationLevel = 6 'Packet Privacy
    Set swbemServices= swbemLocator.ConnectServer("SITE_SERVER_NAME", "root\sms\site_SITE_CODE")

    Set context = CreateObject("WbemScripting.SWbemNamedValueSet")
    'context.Add "LocaleID", "MS\1033"
    'context.Add "MachineName", "SITE_SERVER_NAME "
    Context.Add "SessionHandle", swbemServices.ExecMethod("SMS_SiteControlFile", "GetSessionHandle").SessionHandle
                                            

    SynchronizeSoftwareUpdatePoint swbemServices,context,"SITE_CODE"

    Sub SynchronizeSoftwareUpdatePoint(swbemServices,swbemContext,siteCode)
        ' Load site control file and get the SMS_WSUS_SYNC_MANAGER component section.
        swbemServices.ExecMethod "SMS_SiteControlFile.Filetype=1,Sitecode=""" & siteCode & """", "Refresh", , , swbemContext
           
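        ' Calculate the current timestamp (number of seconds from 1/1/1970 to current time UTC).
        ' now() returns local time; the 8-hour offset is hardcoded for UTC-8, so adjust it for your time zone.
        calculatedUTCOffsetinSeconds = (8 * 60 * 60)
        currentTimestamp = datediff("s", "1/1/1970 12:00:00 AM", now()) + calculatedUTCOffsetinSeconds
        ' Timing adjustment explained after the script.
        currentTimestamp=currentTimestamp-7198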
       
        Query = "SELECT * FROM SMS_SCI_Component " & _
                "WHERE ComponentName = 'SMS_WSUS_SYNC_MANAGER' " & _
                "AND SiteCode = '" & siteCode & "'"
       
        Set SCIComponentSet = swbemServices.ExecQuery(Query, ,wbemFlagForwardOnly Or wbemFlagReturnImmediately, swbemContext)
                          
        ' Only one instance is returned from the query.
        For Each SCIComponent In SCIComponentSet
            ' Loop through the array of embedded SMS_EmbeddedProperty instances.
            For Each vProperty In SCIComponent.Props        
                               
                ' Setting: Sync Now
                If vProperty.PropertyName = "Sync Now" Then
                   
                    ' Modify the value.
                    vProperty.Value = currentTimestamp
          
                End If
                  
            Next  
                 ' Update the component in your copy of the site control file. Get the path
                 ' to the updated object, which could be used later to retrieve the instance.
                 Set SCICompPath = SCIComponent.Put_(wbemChangeFlagUpdateOnly, swbemContext)
        Next
                             
        ' Commit the change to the actual site control file.
        Set InParams = swbemServices.Get("SMS_SiteControlFile").Methods_("CommitSCF").InParameters.SpawnInstance_
        InParams.SiteCode = siteCode
        swbemServices.ExecMethod "SMS_SiteControlFile", "CommitSCF", InParams, , swbemContext
         
        ' Release copy of the site control file.
        swbemServices.Get("SMS_SiteControlFile").ReleaseSessionHandle swbemContext.Item("SessionHandle").Value
    End Sub
    ----------------------
    Why did I subtract time?
    currentTimestamp=currentTimestamp-7198

    The time is instant but I found sometimes there was a lag before it could read, so by subtracting time it makes it a future event.