Channel: SCCM – All about Microsoft Endpoint Manager
How to find who initiated restart of SCCM Configmgr Client


A colleague of mine received a request to check why an SCCM client (server OS) rebooted during office hours, with more details about the reboot (who initiated it, etc.). I started looking at this request to find out whether the client was rebooted because of Windows patching or an application pushed by SCCM.

During my troubleshooting I went through several client logs, the event viewer, SQL queries, PowerShell scripts etc.

In this blog post, I will list the steps I went through to identify who rebooted the SCCM client (server OS).

1. The first thing anyone would look at is the event viewer, to find out who rebooted the server (whether it was the SCCM client or a user).

Go to Event Viewer -> Windows Logs -> System, right click and select Filter Current Log, then enter 1074 (Event ID 1074 is logged for a reboot) as shown below.

Event ID 1074: this event is written when an application causes the system to restart, or when the user initiates a restart or shutdown by clicking Start or pressing CTRL+ALT+DELETE and then clicking Shut Down. This event is written to the system log only when the Shutdown Event Tracker group policy setting is enabled or not configured.

You will see a lot of entries with event ID 1074, of which we only look at the most recent one.

From the above screen, the most recent restart was initiated by the SMS Agent Host (ccmexec) on 10/31/2016 05:45:10 PM to complete an application or software update installation. This doesn't tell you the user name, since the restart was initiated by the system account (NT AUTHORITY\SYSTEM):

The process C:\Windows\CCM\CcmExec.exe (ComputerName) has initiated the restart of computer  ComputerName on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found
Reason Code: 0x80020001
Shutdown Type: restart
Comment: Your computer will restart at 10/31/2016 05:45:10 PM to complete the installation of applications and software updates.

Now we need to find out what was installed on the server during or before the reboot, and whether the client had a maintenance window that allowed the reboot.

2. Let's check the maintenance windows available for the server; that helps to analyze whether an installation with a pending reboot had a maintenance window in which a reboot was allowed.

I use the following SQL query to check the available maintenance windows for a specific client.

-- Comma-separated list of client names to look up
DECLARE @file varchar(5000);
SET @file = 'Server Name';

SELECT MW.[Collection Name], MW.[MW Name], MW.Description,
       CONVERT(nvarchar(26), MW.StartTime, 100) AS [StartTime], MW.Duration
FROM
(
    SELECT fcm.CollectionID, coll.Name AS [Collection Name], s.Name AS [MW Name],
           s.Description, s.StartTime, s.Duration
    FROM dbo.v_R_System sys
    RIGHT JOIN dbo.fn_SplitString(@file, ',') AS fss ON sys.Name0 = fss.substring
    JOIN dbo.v_FullCollectionMembership fcm ON sys.ResourceID = fcm.ResourceID
    JOIN dbo.v_Collection coll ON coll.CollectionID = fcm.CollectionID
    LEFT JOIN v_ServiceWindow s ON s.CollectionID = fcm.CollectionID
) MW
WHERE MW.[MW Name] NOT LIKE ''

@file is basically used to pipe in a large number of clients to query. If you want to list the MWs for more than one client, set @file to a comma-separated list, for example SET @file = 'server1,server2,server3,server4'.

With the above SQL query, I do not see any maintenance window available for the server to reboot at that time (the time the server rebooted).

3. Now we go back to the problem server and log in to see what was installed by SCCM during or before the reboot.

We look at AppEnforce.log (for applications), execmgr.log (for packages), the Windows update logs (WUAHandler.log, UpdatesHandler.log) and any other logs you suspect.

AppEnforce.log:

From AppEnforce.log, there was an application that installed silently without any reboot (Matched exit code 3010 to a PendingSoftReboot entry in exit codes table).

So the application doesn't have a forced reboot option, and something else must have caused the reboot.

4. Now take a look at RebootCoordinator.log and MaintenanceCoordinator.log to see whether they reveal some information about the reboot behavior.

RebootCoordinator.log

From the above log, I see a couple of entries related to the server reboot that help identify the root cause:

User S-1-5-21-1009845188-1641970364-1010270793-4361695 is getting pending reboot information

ServiceWindowsManager has not allowed us to Reboot

MTC allowed us to reboot

Notified UI grace period start with 900 grace seconds and 300 final seconds.

System reboot request succeeded.

As you see from the log, a user SID is getting pending reboot information, which means someone was logged into the server during the reboot.

How to find who that user is? You can find it using the event viewer security log or a PowerShell script that converts the SID to a user name.

I used the PowerShell script below to convert the SID value to a user name:

# Build a SecurityIdentifier from the SID string found in RebootCoordinator.log
$objSID = New-Object System.Security.Principal.SecurityIdentifier ("S-1-5-21-1009845188-1641970364-1010270793-4361695")
# Translate it to DOMAIN\username; this throws if the SID no longer resolves (e.g. a deleted account)
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount])
$objUser.Value

Copy the script, change the SID value and run it on the problem server to find the user name.

Now I have the name of the user who was logged into the server during the reboot, but I cannot take this for granted and confirm that this user initiated the reboot.

RebootCoordinator.log doesn't confirm whether the logged-on user restarted the server. So what next?

In SCCM Configmgr 2012 and above, there are logs for users as well. These logs record the activity of notifying the specified user about software.

These user notification logs are named SCNotify_<domain>@<username>_1.log.

Open the log for the user who was logged into the server during the reboot (SCNotify_<domain>@<Username>_2.log) to see whether he/she initiated it.

This log contains a lot of useful information, among which I found the entries below that confirm the user was allowed to restart the system:

RestartCountdownDialog: IsRestartSystemAllowed - user is allowed to restart system      (Microsoft.SoftwareCenter.Client.Pages.RestartCountdownDialog at .ctor)

Notification is for a logoff/restart required or logoff/restart countdown.      (Microsoft.SoftwareCenter.Client.Notification.NotifyObjectBase at ShowBalloonTip)

Number of total seconds in countdown is 900; starting value is 2; seconds til restart is 898, system will restart at 5:45:09 PM (utc end time = 9:45:10 AM)      (Microsoft.SoftwareCenter.Client.Pages.RestartCountdownDialog at .ctor)

This confirms that the user who was logged into the server initiated the reboot, and not the SCCM client acting on its own.
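As an added example (not code from the original post), the three checks above as reusable PowerShell functions: the Event ID 1074 query, the SID lookup over RebootCoordinator.log, and the SCNotify confirmation. The function names are chosen here, C:\Windows\CCM\Logs is assumed as the client log folder, and the sample log lines are constructed.

```powershell
# Added example; function names are chosen here, not taken from the original post.

# Step 1: the most recent Event ID 1074 entries, with process, action and account parsed from the message.
function Get-RestartEvents {
    param([int]$MaxEvents = 5)
    $pattern = 'The process (?<proc>.+?) \(.+?\) has initiated the (?<action>restart|shutdown|power off) of computer\s+(?<pc>\S+) on behalf of user (?<user>.+?) for the following reason: (?<reason>.*)'
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $m = [regex]::Match($_.Message, $pattern)
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Process = $m.Groups['proc'].Value     # e.g. C:\Windows\CCM\CcmExec.exe
                Action  = $m.Groups['action'].Value   # restart / shutdown / power off
                Account = $m.Groups['user'].Value     # NT AUTHORITY\SYSTEM when the client triggered it
                Reason  = $m.Groups['reason'].Value
            }
        }
}

# Step 2: the SIDs that RebootCoordinator.log shows requesting pending-reboot information, translated
# to account names. A SID that no longer resolves (e.g. a deleted account) is reported as the SID itself.
function Get-RebootCoordinatorUsers {
    param([Parameter(Mandatory)][string[]]$LogLines)
    $seen = @{}
    foreach ($line in $LogLines) {
        if ($line -match 'User (?<sid>S-1-\d+(-\d+)+) is getting pending reboot information') {
            $sid = $Matches['sid']
            if ($seen.ContainsKey($sid)) { continue }
            $seen[$sid] = $true
            try {
                $id = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $sid
                $account = $id.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $account = $sid
            }
            [pscustomobject]@{ Sid = $sid; Account = $account }
        }
    }
}

# Step 3: does the user's SCNotify log carry the two lines the post uses as confirmation?
function Test-UserRestartFromSoftwareCenter {
    param([Parameter(Mandatory)][string[]]$LogLines)
    [pscustomobject]@{
        UserAllowedToRestart  = [bool]($LogLines -match 'IsRestartSystemAllowed - user is allowed to restart system')
        RestartCountdownShown = [bool]($LogLines -match 'seconds til restart is \d+, system will restart at')
    }
}

# Constructed sample in ConfigMgr log format (not from a real server). S-1-5-18 is the well-known
# SYSTEM SID, so the translation works on any Windows machine without a domain.
$sampleRebootLog = @(
    '<![LOG[User S-1-5-18 is getting pending reboot information]LOG]!><time="17:30:01.000+000" date="10-31-2016" component="RebootCoordinator" context="" type="1" thread="100" file="rebootcoordinator.cpp:1">',
    '<![LOG[ServiceWindowsManager has not allowed us to Reboot]LOG]!><time="17:30:02.000+000" date="10-31-2016" component="RebootCoordinator" context="" type="1" thread="100" file="rebootcoordinator.cpp:2">',
    '<![LOG[System reboot request succeeded.]LOG]!><time="17:45:10.000+000" date="10-31-2016" component="RebootCoordinator" context="" type="1" thread="100" file="rebootcoordinator.cpp:3">'
)
Get-RebootCoordinatorUsers -LogLines $sampleRebootLog | Format-Table -AutoSize

# On the problem server, run the same functions over the real sources (default client log folder assumed):
# Get-RestartEvents | Format-List
# Get-RebootCoordinatorUsers -LogLines (Get-Content 'C:\Windows\CCM\Logs\RebootCoordinator.log')
# Test-UserRestartFromSoftwareCenter -LogLines (Get-Content 'C:\Windows\CCM\Logs\SCNotify_<domain>@<username>_1.log')
```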

If you have any other possible methods to identify who initiated the reboot, post them in the comments section.

Until next!


SCCM Configmgr check if allow clients to use fallback source location for content is selected or not


I have seen a couple of questions on the SCCM Configmgr forums asking how to get the applications/deployment types for which 'allow clients to use fallback source location for content' is checked or not.

Allow fallback source location for content: this feature is designed to allow a client to gain access (fall back) to content that is not available on a distribution point (DP) located in its boundary group.

If this feature is not implemented correctly, it can lead to unexpected results and high network utilization over remote WAN links.

For more information about fallback source locations and distribution points, read the TechNet article https://technet.microsoft.com/en-us/library/gg712321.aspx?f=255&MSPPError=-2147217396#BKMK_PreferredDistributionPoint .

When this question was asked, I thought I would look at it when I got time; it later went onto my to-do list due to time constraints and I had not looked at it recently.

Recently, I had a similar requirement: identify the list of applications with their deployment type properties, to find out how many of them do not have the option 'allow clients to use fallback source location for content' checked, and what their download options are (for a slow or unreliable network boundary).


If you want to know which applications have this option checked or not, there is no default report and no easy way to check in the console either.

Either you have to create a custom report or a PowerShell (PoSH) script.

When you create an application using the application wizard, there are a couple of options that are not shown in the GUI (unless you use scripting to create apps), such as allow clients to use a fallback source location and the deployment options.

If you have a small number of applications in SCCM, it is easy to check manually by right-clicking the deployment type and looking for this option, but what if you have a large number of applications with multiple deployment types and you want them displayed in a report?

Before we create a report for this, we need to identify which table/view this information is stored in; once we have identified the right view, we can write the SQL query.

Application and deployment type property information in SCCM 2012 and above is not stored directly in a database view; instead it is stored as XML in the function fn_ListDeploymentTypeCIs(1033), in the column SDMPackageDigest.

Once we know where the deployment type property information is stored, we need to know how to extract the required information from this XML.

This XML contains a lot of information, of which we only look at a couple of important fields: application name, deployment type name, type, UserInteractionMode, ExecutionContext, RequiresLogOn, FallbackToUnprotectedDP and OnSlowNetwork. If you want to retrieve other information from the XML, customize the report yourself.

To learn more about the XML and how to extract information from it with a SQL query, read here.

The 'allow clients to use fallback source location for content' setting is stored in the XML as FallbackToUnprotectedDP, with the value true or NULL.

The Deployment options shown in the diagram (either do not download content, or download content from distribution point and run locally) are stored in the column 'OnSlowNetwork', with the value Download, DoNothing or NULL.

I have created an SSRS report for you. All you need to do is download the report from TechNet, upload it to your SSRS reports, change the data source and run it.

Note: If you have a large number of applications and are only looking for deployment type names that do NOT have the 'allow clients to use fallback source location for content' option checked, you may have to edit the report and add a filter to list only those applications instead of listing all the applications in your SCCM.
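An added example (not the post's SSRS report): reading the same two settings out of the deployment type digest XML with PowerShell instead of SQL. It assumes FallbackToUnprotectedDP and OnSlowNetwork appear as XML attributes on an element under each DeploymentType (absent when not set, matching the NULL the post describes); Get-DtContentOptions is a name chosen here, and the sample digest is constructed, not exported from a site.

```powershell
# Added example; the attribute placement is an assumption, the function name is chosen here.
function Get-DtContentOptions {
    param(
        [Parameter(Mandatory)][string]$ApplicationName,
        [Parameter(Mandatory)][string]$SdmPackageXml   # the SDMPackageDigest / SDMPackageXML text of one application
    )
    $doc = [xml]$SdmPackageXml
    # local-name() sidesteps the digest's default namespace, so no namespace manager is needed.
    foreach ($dt in $doc.SelectNodes("//*[local-name()='DeploymentType']")) {
        $titleNode = $dt.SelectSingleNode(".//*[local-name()='Title']")
        # Whichever element under this deployment type carries the two attributes (assumed layout).
        $node = $dt.SelectSingleNode(".//*[@FallbackToUnprotectedDP or @OnSlowNetwork]")
        $fallback = if ($node -and $node.HasAttribute('FallbackToUnprotectedDP')) { $node.GetAttribute('FallbackToUnprotectedDP') } else { $null }
        $slow     = if ($node -and $node.HasAttribute('OnSlowNetwork'))           { $node.GetAttribute('OnSlowNetwork') }           else { $null }
        [pscustomobject]@{
            Application             = $ApplicationName
            DeploymentType          = if ($titleNode) { $titleNode.InnerText } else { $dt.GetAttribute('LogicalName') }
            FallbackToUnprotectedDP = $fallback                 # 'true' or $null, as in the post's column
            OnSlowNetwork           = $slow                     # 'Download', 'DoNothing' or $null
            FallbackUnchecked       = ($fallback -ne 'true')    # the deployment types the post's note wants listed
        }
    }
}

# Constructed sample digest with two deployment types: one with fallback allowed, one without.
$sampleDigest = @'
<AppMgmtDigest xmlns="http://schemas.microsoft.com/SystemCenterConfigurationManager/2009/AppMgmtDigest">
  <DeploymentType LogicalName="DeploymentType_Sample1" Version="1">
    <Title>Sample App - MSI</Title>
    <Installer Technology="MSI">
      <Contents>
        <Content ContentId="Content_Sample1" Version="1" FallbackToUnprotectedDP="true" OnSlowNetwork="Download" />
      </Contents>
    </Installer>
  </DeploymentType>
  <DeploymentType LogicalName="DeploymentType_Sample2" Version="1">
    <Title>Sample App - Script</Title>
    <Installer Technology="Script">
      <Contents>
        <Content ContentId="Content_Sample2" Version="1" OnSlowNetwork="DoNothing" />
      </Contents>
    </Installer>
  </DeploymentType>
</AppMgmtDigest>
'@
Get-DtContentOptions -ApplicationName 'Sample App' -SdmPackageXml $sampleDigest | Format-Table -AutoSize

# Against a real site, from a console PowerShell session with the site drive as current location;
# Get-CMApplication exposes the same digest as its SDMPackageXML property:
# Get-CMApplication | ForEach-Object { Get-DtContentOptions -ApplicationName $_.LocalizedDisplayName -SdmPackageXml $_.SDMPackageXML } |
#     Where-Object FallbackUnchecked | Export-Csv "$env:TEMP\dt-fallback-unchecked.csv" -NoTypeInformation
```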

How does the report look like ?


Hope you enjoyed reading this article.

See you in the next post!

SCCM Configmgr the source directory doesn’t exist or the SMS service cannot access it, Win32 last error = 5


I was setting up a new SCCM Configmgr Current Branch 1606 site in a production environment. As part of it, I created a source folder (the repository for the content store) and placed a couple of packages/applications there for testing. While trying to distribute the packages, all of them failed with the same error:

The source directory \\servername\sources$\Applications\Microsoft\SCUPCert doesn't exist or the SMS service cannot access it, Win32 last error = 5

Win32 last error = 5 translates to access denied. I made sure the SCCM site server account and the user account/group had full access to the source folder location, but I had missed adding the SYSTEM account.

To see whether the SYSTEM account has enough read permission on the above share, simply use the Sysinternals PsExec tool to open a command prompt as SYSTEM and try to access the share:

PSEXEC -i -s -d CMD

In my case it says access denied, but I am able to access the share using my user account.

To fix this, you need to grant permissions to the SYSTEM account as well, in both the Sharing and Security tabs (share and NTFS permissions).
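An added check, not from the post: on the server hosting the source share, verify that the SYSTEM account is granted access at both levels the post names, the share permissions and the NTFS permissions. Test-SystemSourceAccess is a name chosen here, and sources$ / D:\Sources are placeholders for your share and its folder.

```powershell
# Added example; function name chosen here, share and path are placeholders.
function Test-SystemSourceAccess {
    param(
        [Parameter(Mandatory)][string]$ShareName,   # the share the site server opens, e.g. 'sources$'
        [Parameter(Mandatory)][string]$LocalPath    # the folder behind that share, e.g. 'D:\Sources'
    )
    # Note: when the share lives on a different server than the site server, the site server shows up
    # there as its computer account (DOMAIN\SITESERVER$), not as SYSTEM; this check covers the local case.
    $system = 'NT AUTHORITY\SYSTEM'

    # Share-level ACL (Get-SmbShareAccess is from the SmbShare module, Windows 8 / Server 2012 and later).
    $shareOk = [bool](Get-SmbShareAccess -Name $ShareName |
        Where-Object { $_.AccountName -eq $system -and $_.AccessControlType -eq 'Allow' })

    # NTFS ACL: an Allow entry for SYSTEM that includes at least the read-data right (FullControl includes it).
    # A Deny entry for SYSTEM or one of its groups would still block access; only the Allow side is checked here.
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    $ntfsOk = [bool]((Get-Acl -Path $LocalPath).Access |
        Where-Object { $_.IdentityReference.Value -eq $system -and
                       $_.AccessControlType -eq 'Allow' -and
                       (($_.FileSystemRights -band $readData) -eq $readData) })

    [pscustomobject]@{
        Share           = $ShareName
        SharePermission = $shareOk
        NtfsPermission  = $ntfsOk
        Verdict         = if ($shareOk -and $ntfsOk) { 'SYSTEM can read the source' } else { 'SYSTEM blocked: expect Win32 last error = 5 on distribution' }
    }
}
Test-SystemSourceAccess -ShareName 'sources$' -LocalPath 'D:\Sources'
```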


Hope it helps!

Microsoft Deployment toolkit (MDT) build version 8443 is now available


The Microsoft Deployment Toolkit (MDT) is a free tool for automating Windows and Windows Server operating system deployment, leveraging the Windows Assessment and Deployment Kit (ADK) for Windows 10. Microsoft has released new build version 8443 of the Microsoft Deployment Toolkit with some quality updates. This build requires the Windows Assessment and Deployment Kit (ADK) for Windows 10, version 1607, which you can download from the Microsoft Hardware Dev Center (adksetup.exe file version 10.1.14393.0).

You can download MDT build version 8443 from Microsoft Download Center.

Summary of the significant changes in this build of MDT:

  • Supported configuration updates
  • Support for the Windows ADK for Windows 10, version 1607.
  • Support for Windows 10, version 1607, and Windows Server 2016.
  • Support for Configuration Manager, version 1606.

Quality updates:

  • Deployment Wizard scaling on high DPI devices
  • Johan’s “uber bug” for computer replace scenario
  • Multiple fixes for the Windows 10 in-place upgrade scenario
  • Several fixes to Configure ADDS step
  • Removed imagex/ocsetup dependencies, rely solely on DISM
  • Includes the latest Configuration Manager task sequence binaries (version 1606)


Reference: https://blogs.technet.microsoft.com/msdeployment/2016/11/14/microsoft-deployment-toolkit-8443-now-available/

SCCM Configmgr Current Branch update 1610 available


Microsoft has released Update 1610 for SCCM Configmgr Current Branch (CB). It is available as an in-console update for previously installed sites that run version 1511, 1602 or 1606, and includes some great new features and product enhancements.

This update (1610) includes lots of new features and enhancements in Windows 10 and Office 365 management, application management, end user experience and client management, and also includes new functionality for customers using Configuration Manager in hybrid mode with Microsoft Intune.

The changes and new capabilities introduced in version 1610 of Configuration Manager current branch are:

  • In-console monitoring of update installation status
  • Exclude clients from automatic upgrade
  • Improvements for boundary groups
  • Peer Cache for content distribution to clients
  • Migrate multiple shared distribution points at the same time
  • Cloud management gateway for managing Internet-based clients
  • Improvements to the Windows 10 Edition Upgrade Policy
  • Manage hardware identifiers
  • Enhancements to Windows Store for Business integration with Configuration Manager
  • Policy sync for Intune-enrolled devices
  • Use compliance settings to configure Windows Defender settings
  • General improvements to Software Center
  • Customizable Branding for Software Center Dialogs
  • Enforcement grace period for required application and software update deployments
  • Improved functionality for required software dialogs
  • Software updates dashboard
  • Improvements to the application request process
  • Filter by content size in automatic deployment rules
  • Office 365 Client Management dashboard
  • Task sequence steps to manage BIOS to UEFI conversion
  • New compliance settings for configuration items
  • Improvements to the Prepare ConfigMgr Client for Capture task sequence step

For more information, see What's new in Configmgr Current Branch 1610 at https://docs.microsoft.com/en-us/sccm/core/plan-design/changes/whats-new-in-version-1610

How do you get this update in your Configmgr Current Branch?

As the update is rolled out globally in the coming weeks, it will be downloaded automatically and you will be notified when it is ready to install from the "Updates and Servicing" node in your Configuration Manager console. If you can't wait to try these new features, a PowerShell script can be used to ensure that you are in the first wave of customers getting the update. By running this script on your central administration site or standalone primary site, you will see the update available in your console right away.

Launch the console, Administration node -> Updates and Servicing -> click Check for updates.

Make sure the security scope of the account you use to run this is set to All; for more information, read http://eskonr.com/2016/04/why-dont-i-see-sccm-configmgr-1602-updates-in-my-console/


If you are not able to see the update, run the PowerShell script.

Download the script, launch a PowerShell prompt as administrator and run it using the syntax:

EnableFastUpdateRing1610.ps1 <SiteServer_Name | SiteServer_IP> where SiteServer refers to the CAS or standalone primary site server


Monitor dmpdownloader.log to check the status of the update download.

If the update installation is suspended at “Downloading” state for extended period of time, restart the SMS_EXECUTIVE (smsexec) service on the standalone primary or central administration site server (CAS).


After a while you will see the update in the console.

Once the download is complete, the state changes to Available and the update is ready for installation.

Right-click the update and choose Install Update Pack, then go through the wizard choosing the options you need.

For installation status, monitor CMUpdate.log.

The 1610 update has the following versions:

Console Version: 5.0.8458.1500

Site Version: 5.0.8458.1000

Client Version: 5.00.8458.1005


Powershell script to delete computer records from SCCM


Recently I had a requirement to create a PowerShell script that reads a text file/CSV with a list of clients (mainly servers), checks whether they appear in SCCM and, if so, deletes them, tracking the information in a log file for reference.

There could be various reasons why you want to delete a computer record from SCCM, and you can either delete the record directly from the console or use a script to do it for you.

One of the reasons for me to create this script was to help the team delete server records from SCCM immediately after they are decommissioned, using Task Scheduler. Why immediately? Can't I wait for the default maintenance tasks to remove the computer object after it becomes inactive or aged? Well, that does happen: once the computer account is disabled in AD or the client has not been online for X days, it becomes inactive, and once it has been inactive for the number of days configured in the site maintenance tasks it is removed from the SCCM database. But when I leave these decommissioned clients for the site maintenance tasks to delete, they keep appearing in the compliance reports and client health reports in SCCM, and because of this the client health dashboard doesn't show a good status.

So this script lets you pipe the computer records into a text file (as input) and run the script, or schedule it to run once a week or so. The script reads the text file and checks whether the computer record exists in the database: if not, it writes that to the log; if it exists, it deletes the entry and writes the result to the log, and this loop continues until the last line of the text file has been read.

Removing a device client manually deletes the client record from the Configuration Manager database. Typically, you should not use this action unless it is for troubleshooting scenarios. If you delete the client record and the Configuration Manager client is still installed and communicating with Configuration Manager, Heartbeat Discovery recreates the client record in the Configuration Manager database, although the client history and any previous associations are lost.

To delete the computer record from SCCM if it exists, I used the built-in SCCM PowerShell cmdlet Remove-CMDevice -Name $comp -Force.

You can download the PowerShell script to delete computer records from SCCM via TechNet.

You can run this script as a scheduled task on a weekly basis. All you need to do is pipe the computer records into the text file and let the script run for you automatically.
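An added example (not the TechNet script the post links to): reads computer names from a text file, removes the records that exist in the site and logs each outcome. It also applies the caveat quoted above: a record whose client is still active would be recreated by Heartbeat Discovery, so such records are skipped unless -IncludeActive is given. It assumes the ConfigMgr console module is loaded with the site drive as the current location; Remove-StaleDeviceRecords is a name chosen here.

```powershell
# Added example; function name chosen here, input file path is a placeholder.
function Remove-StaleDeviceRecords {
    param(
        [Parameter(Mandatory)][string]$InputFile,                      # one computer name per line
        [string]$LogFile = "$env:TEMP\Remove-CMDevice.log",
        [switch]$IncludeActive,                                        # also delete records whose client is still active
        [switch]$Preview                                               # log what would happen, delete nothing
    )
    function Write-Log([string]$Message) {
        "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')  $Message" | Add-Content -Path $LogFile
    }
    Get-Content -Path $InputFile | ForEach-Object { $_.Trim() } | Where-Object { $_ } | ForEach-Object {
        $name = $_
        $devices = @(Get-CMDevice -Name $name)
        if ($devices.Count -eq 0) {
            Write-Log "$name : not found in SCCM, nothing to delete"
            return                      # next name in the pipeline
        }
        if ($devices.Count -gt 1) { Write-Log "$name : $($devices.Count) records share this name, handling each" }
        foreach ($device in $devices) {
            $label = "$name (ResourceID $($device.ResourceID))"
            if ($device.IsActive -and -not $IncludeActive) {
                # Heartbeat Discovery would just recreate the record (see the note above), so skip it.
                Write-Log "$label : client still active, last active $($device.LastActiveTime), skipped"
                continue
            }
            if ($Preview) { Write-Log "$label : would be deleted"; continue }
            try {
                Remove-CMDevice -InputObject $device -Force
                Write-Log "$label : deleted"
            } catch {
                Write-Log "$label : delete failed - $($_.Exception.Message)"
            }
        }
    }
}
# Remove-StaleDeviceRecords -InputFile 'C:\Temp\decom-servers.txt' -Preview
```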


SCCM Configmgr Powershell script to install software updates on remote clients


Problem:

A few weeks ago, a colleague of mine was performing patch management on a large number of clients (servers) as part of monthly patching. As part of it, he made sure the maintenance window was in place and the deployment was set up correctly for the software updates.

The maintenance window started, patches started installing, and after a while he logged in (browsed the reports) to check the status of the deployed patches (software update groups). He found that 30-40% were compliant and the rest were non-compliant (the majority) or unknown (very few).

By the time he found something was wrong, he had only 1 hour left to finish the patching activity because of the maintenance window; once the maintenance window has passed, the servers cannot be rebooted, and you need to confirm the patching status with the application teams so that they can perform their application testing.

What to do now, and how to get these non-compliant servers fixed within 1 hour before the maintenance window elapses? Since there was not enough time to troubleshoot the clients and look for other methods, he preferred the manual method.

I got to know about this the next morning while chatting with him. I tried to look into the logs to find out what the problem could have been, but the logs had been overwritten and nothing was found for the previous day's issue.

The only status I could get from him was that all updates available in Software Center were showing 'Past due – will be installed'.

Solution:

If you ever get into such an issue, I would suggest picking one problem client for troubleshooting and going through the logs to check whether the client is waiting for a long enough maintenance window, or the updates are waiting for something to complete before they can start, etc.

There could be various reasons why the software updates failed or did not even start on the client, and to troubleshoot you must check the logs. I have written a couple of articles on software update troubleshooting and reference guides:

http://eskonr.com/2015/04/sccm-2012-troubleshoot-client-software-update-issues/

http://eskonr.com/2016/10/sccm-configmgr-troubleshooting-guides-for-reference/

Coming to the problem: how do I force the installation of the updates that are available in Software Center if I don't have enough time to troubleshoot the issue, or how do I install the updates that have been made available on the client?

Well, we can use a PowerShell script to select all the updates available in Software Center and install them, following the settings configured in the software update deployment, like reboot or suppress reboot etc.

This script is also useful when some updates have failed for some reason (from reporting you can get the list of clients with their status) and you want to install them without logging in to the client.

Part of the script is taken from the book Microsoft System Center Software Update Management Field Experience (PDF); I modified it to log the output and read a text file of clients.

# Updates targeted at the client that are not yet installed (ComplianceState 0 = missing)
$MissingUpdates = Get-WMIObject -Namespace root\CCM\ClientSDK -Class CCM_SoftwareUpdate -Filter ComplianceState=0
# Re-fetch each update as a live WMI object; InstallUpdates expects an array of CCM_SoftwareUpdate instances
$MissingUpdatesReformatted = @($MissingUpdates | ForEach-Object { if ($_.ComplianceState -eq 0) { [WMI]$_.__PATH } })
# Trigger the install; the unary comma passes the whole array as a single method argument
$InstallReturn = Invoke-WMIMethod -Namespace root\CCM\ClientSDK -Class CCM_SoftwareUpdatesManager -Name InstallUpdates -ArgumentList (,$MissingUpdatesReformatted)

Download the complete PowerShell script from the TechNet Gallery here.


To run the script on remote computers, make sure you have enough permissions to connect to WMI on the remote computer and that the RPC (dynamic) ports are open.

The script checks whether the account you are running it with has enough permissions on the remote computer; if yes, it goes into the loop, otherwise it moves on to the next client to perform the check, and repeats.

The script writes the information into a log file with the client name, targeted patches (approved patches), pending patches (including failed, waiting for MW etc.), reboot pending, and finally Compliant if there is nothing in Software Center to install.

If a client has already installed all patches and is waiting for a reboot, I consider it compliant in the script, as it will be rebooted either manually or automatically based on the settings you configured in the deployment.
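An added example, not the TechNet script the post links to: the per-client logic described above (permission check, targeted/pending/reboot-pending counts, compliant when only a reboot is left, optional InstallUpdates trigger, one log line per client) over the root\CCM\ClientSDK namespace. It assumes WMI and RPC reachability as the post notes; Get-ClientUpdateState and Invoke-ClientUpdateRun are names chosen here.

```powershell
# Added example; function names chosen here, client list path is a placeholder.

# CCM_SoftwareUpdate.EvaluationState values that mean the update is installed and only waits for a reboot.
$RebootPendingStates = 8, 9, 10    # PendingSoftReboot, PendingHardReboot, WaitReboot

function Get-ClientUpdateState {
    param([Parameter(Mandatory)][string]$ComputerName, [switch]$Install)
    $state = [ordered]@{ Client = $ComputerName; Targeted = 0; Pending = 0; RebootPending = 0; Status = 'Unknown'; InstallReturn = $null }
    try {
        # Permission/connectivity probe: a cheap class in the client namespace.
        $null = Get-WmiObject -ComputerName $ComputerName -Namespace root\CCM -Class SMS_Client -ErrorAction Stop
    } catch {
        $state.Status = "Unreachable or access denied: $($_.Exception.Message)"
        return [pscustomobject]$state
    }
    # Everything deployed to the client, installed or not.
    $updates = @(Get-WmiObject -ComputerName $ComputerName -Namespace root\CCM\ClientSDK -Class CCM_SoftwareUpdate -ErrorAction Stop)
    $state.Targeted = $updates.Count
    $missing    = @($updates | Where-Object { $_.ComplianceState -eq 0 })
    $rebootOnly = @($missing | Where-Object { $RebootPendingStates -contains $_.EvaluationState })
    $pending    = @($missing | Where-Object { $RebootPendingStates -notcontains $_.EvaluationState })   # failed, waiting for MW, downloading, ...
    $state.RebootPending = $rebootOnly.Count
    $state.Pending       = $pending.Count
    # As in the post: nothing left to install (even if a reboot is still outstanding) counts as compliant.
    $state.Status = if ($pending.Count -eq 0) { 'Compliant' } else { 'Pending' }

    if ($Install -and $pending.Count -gt 0) {
        # InstallUpdates wants an array of CCM_SoftwareUpdate instances, passed as one argument (hence the unary comma).
        $instances = @($pending | ForEach-Object { [wmi]$_.__PATH })
        $r = Invoke-WmiMethod -ComputerName $ComputerName -Namespace root\CCM\ClientSDK -Class CCM_SoftwareUpdatesManager -Name InstallUpdates -ArgumentList (,$instances)
        $state.InstallReturn = $r.ReturnValue    # 0 = request accepted; the deployment settings still govern reboot behaviour
    }
    [pscustomobject]$state
}

function Invoke-ClientUpdateRun {
    param(
        [Parameter(Mandatory)][string]$ClientListPath,              # one computer name per line
        [string]$LogPath = "$env:TEMP\SoftwareUpdateRun.log",
        [switch]$Install
    )
    Get-Content -Path $ClientListPath | ForEach-Object { $_.Trim() } | Where-Object { $_ } | ForEach-Object {
        $s = Get-ClientUpdateState -ComputerName $_ -Install:$Install
        "$(Get-Date -Format s) $($s.Client) targeted=$($s.Targeted) pending=$($s.Pending) rebootPending=$($s.RebootPending) status=$($s.Status)" | Add-Content -Path $LogPath
        $s
    }
}
# Invoke-ClientUpdateRun -ClientListPath 'C:\Temp\servers.txt' -Install | Format-Table -AutoSize
```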


Post your feedback in the comments section.

SCCM Configmgr Technical Preview update 1611 Available


A week after the release of SCCM Configmgr current branch 1610, Microsoft released another update, this time for Configmgr Technical Preview with build version 1611, as part of its ongoing commitment to quality and innovation.

These technical preview updates let you test in a lab environment and report feedback to Microsoft before the features make it into Current Branch (the production version). To see these preview updates in your Configmgr console, you must have the base version of SCCM Configmgr Technical Preview 1610 (this is not applicable to current branch). These Technical Preview updates are intended for use in a lab environment. For more information about technical preview and updates, refer to https://technet.microsoft.com/library/mt595861.aspx?

At the time of writing this blog, Microsoft hasn't published any documentation on the new features released in this update (1611), but I will update this post after seeing what's new.

If you do not have a lab to play around with Configmgr technical preview features, download the baseline version of technical preview 1610 from https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection-technical-preview .

To download and install preview update 1611, launch the console, go to the Administration node, Cloud Services, Updates and Servicing, and click Check for updates.

Monitor dmpdownloader.log for the content download.


After a while, the content is downloaded to G:\Configmgr\EasySetupPayload\ca846c5b-64bf-4805-b95b-3ccf7589acc5


The state changes to Available in the console for preview update 1611.


Select the update and click Install Update Pack, then go through the options the wizard takes you through.


For installation status, monitor CMUpdate.log or use the Updates and Servicing status under the Monitoring node in the console.


Close the SCCM console and reopen it to install the new console version.

Technical preview update 1611 has the following versions:

Console Version: 5.0.8465.1000

Site Version: 5.0.8465.1000

Client Version: 5.00.8465.1000

For Technical Preview documentation, read https://docs.microsoft.com/en-us/sccm/core/get-started/technical-preview

Configuration Manager Resources:

Documentation for System Center Configuration Manager Technical Previews

Documentation for System Center Configuration Manager

System Center Configuration Manager Forums

System Center Configuration Manager Support

Download the Configuration Manager Support Center


SCCM Configmgr how to find applications with no deployments as part of maintenance tasks


Introduction:

One of my blog readers asked a question: 'There is a report in your blog to find out packages that have no advertisements created, but is there a similar report to find applications with no deployments created?'

I found this question valid; such a report is needed if you want to perform maintenance tasks like cleaning up packages, applications, collections etc. Performing regular maintenance is important to ensure correct site operations.

There are several default site maintenance tasks that maintain the health of your site database, but when it comes to cleaning up unused collections, packages, applications etc., you have to find your own way to do it.

There are instances where someone creates an application without any deployment, or a deployment was created and deleted later, leaving the application in the console for a long time, and many other cases.

If you maintain a maintenance log to document the dates maintenance was conducted, by whom, and any maintenance-related comments about the task conducted, I would add the following tasks to the maintenance document, as they also need to be done every 6 months or once a year:

1. Clean up unused collections

2. Clean up unused packages

3. Clean up unused applications etc.

This blog post covers task 3: identifying applications without any deployments that are also not used in any task sequence.

How to create a SQL query or SSRS report to identify applications with no deployments?

To create such a report, you first need to identify the SQL views that store the information about applications and their dependencies. For that, you can refer to the Configmgr SQL view documentation available here.

There are 3 main SQL views/functions that store information about applications, their deployments, dependent applications and task sequence app references; they are listed below:

dbo.fn_ListApplicationCIs(1033)

vSMS_AppRelation_Flat

v_TaskSequenceAppReferencesInfo

I will be using the above views to create a nice SSRS report. This report mainly outputs applications that have zero deployments and are not referenced in any task sequence.

This report contains fields like application name, created by, date last modified, application age since created (days), IsEnabled, IsDeployed, number of DTs (deployment types), number of dependencies, number of devices with the app, and number of devices with failures.

After you run the report, take a look at the column dependentdeployments, as this field indicates that the application is used as a dependent application in another application (supersedence).

Example: application A appears in this report with dependentdeployments > 1, which means application A is used as a supersedence application in the other applications listed in dependentdeployments.
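An added example (not the post's SSRS report): the same list built from the console PowerShell module instead of SQL. Get-CMApplication exposes the counters the report uses (IsDeployed, NumberOfDeployments, NumberOfDependentTS, NumberOfDependentDTs, NumberOfDevicesWithApp, NumberOfDevicesWithFailure); Get-UnusedApplication is a name chosen here, and it assumes a console PowerShell session with the site drive as the current location.

```powershell
# Added example; function name chosen here.
function Get-UnusedApplication {
    param([int]$MinimumAgeDays = 0)    # e.g. 180 to leave recently created applications out of the cleanup list
    $now = Get-Date
    Get-CMApplication | ForEach-Object {
        [pscustomobject]@{
            Application        = $_.LocalizedDisplayName
            CreatedBy          = $_.CreatedBy
            DateLastModified   = $_.DateLastModified
            AgeDays            = [int]($now - [datetime]$_.DateCreated).TotalDays
            IsEnabled          = $_.IsEnabled
            IsDeployed         = $_.IsDeployed
            Deployments        = $_.NumberOfDeployments
            DeploymentTypes    = $_.NumberOfDeploymentTypes
            TaskSequenceRefs   = $_.NumberOfDependentTS     # what v_TaskSequenceAppReferencesInfo reports
            DependentDTs       = $_.NumberOfDependentDTs    # referenced by another deployment type (dependency/supersedence)
            DevicesWithApp     = $_.NumberOfDevicesWithApp
            DevicesWithFailure = $_.NumberOfDevicesWithFailure
        }
    } | Where-Object {
        # The report's rule: no deployment at all and not referenced by any task sequence.
        $_.Deployments -eq 0 -and $_.TaskSequenceRefs -eq 0 -and $_.AgeDays -ge $MinimumAgeDays
    } | Sort-Object AgeDays -Descending
}
# Review DependentDTs before deleting anything: a non-zero value is the 'dependentdeployments' case described above.
# Get-UnusedApplication -MinimumAgeDays 180 | Export-Csv -Path "$env:TEMP\unused-applications.csv" -NoTypeInformation
```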

How does the report look:


Download the RDL file from the TechNet Gallery here, upload it to your SSRS reports, change the data source and run it.

SCCM Configmgr How to get list of deployments set to OverrideServiceWindows and RebootOutsideOfServiceWindows


Introduction:

A few months ago, we had an issue with a deployment (software updates) that was deployed to a collection with override service window, because an emergency patch had to be installed on the clients.

The deployment went fine and the results were positive. All good, but after a few days some clients were added to the above deployed collection, and you know what: as soon as the clients were added to the collection they received the new policy and performed a scan against the deployed software updates to check whether they were already installed; if not, they installed them right away because of the setting 'Override Service Window'. What happens after the installation? If the patch you deployed to the collection requires a reboot, the client checks whether any MW is available for the reboot: if there is no maintenance window, it reboots, otherwise it waits for the maintenance window.

Unfortunately, some of the newly added clients had a maintenance window on a different collection in the next few days, which no one noticed, and the clients REBOOTED.

If any such unplanned reboot occurs, you must be in a position to explain the root cause and how you are going to prevent such issues in the future with an RCA (root cause analysis).

So a request came in to identify/create a report that helps us find how many such deployments (application, package or software update) exist with the OverrideServiceWindows and RebootOutsideOfServiceWindows options selected.

I got some time to allocate to this request, so I am posting it here in case you need to identify such deployments (applications, packages, software updates, baselines).

The screen below shows the deployment settings under the User Experience tab, with the user notifications, deadline behavior and device restart behavior settings.


How to get list of deployments with OverrideServiceWindows and RebootOutsideOfServiceWindows selected ?

To get OverrideServiceWindows and RebootOutsideOfServiceWindows information for deployments, you first need to identify the right SQL views in SCCM.

CI-based deployments (applications, software updates, configuration baselines) are stored in the view v_CIAssignment, which exposes both options as columns of the same name. Package/program and task sequence deployments are advertisements and live in v_Advertisement, where the same two options are bit flags in the AdvertFlags column (0x100000 for override service windows, 0x200000 for reboot outside of service windows).

I used v_CIAssignment to retrieve the information and put it in a nice SSRS report with options to choose OverrideServiceWindows and RebootOutsideOfServiceWindows, Yes or No.

How do you identify whether a deployment is for a package, an application or a software update?

Use the numbers below to identify the deployment or package type. They are the FeatureType values exposed by v_DeploymentSummary (v_Package uses the same numbering in its PackageType column):

When 0 Then 'Package'
When 2 Then 'Application'
When 3 Then 'Driver'
When 4 Then 'Task Sequence'
When 5 Then 'Software Update'
When 7 Then 'Virtual'
When 257 Then 'Image'
When 258 Then 'Boot Image'
When 259 Then 'OS Package'
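The query such a report can be built on, as an added example (this is not the author's RDL; I wrote it for this page). It runs the T-SQL through Invoke-Sqlcmd from the SQL Server PowerShell module, the server and database names are assumptions, and it covers both the CI-based deployments in v_CIAssignment and the package/task sequence advertisements in v_Advertisement, which the report text above does not show:

```powershell
# Added example: list deployments that ignore maintenance windows for the
# install and/or the restart. Assumes the SQL Server PowerShell module
# (Invoke-Sqlcmd) is installed and the caller has read access to the site DB.
function Get-CMMaintenanceWindowOverride {
    param(
        [string]$SqlServer = 'CMSQL01.intranet.asia',   # assumed site DB server
        [string]$Database  = 'CM_P01',                  # assumed site DB name
        [switch]$OverrideServiceWindows,                # filter: install outside MW
        [switch]$RebootOutsideOfServiceWindows          # filter: restart outside MW
    )

    # Part 1: applications, software updates and baselines (v_CIAssignment).
    # Part 2: packages/programs and task sequences (v_Advertisement), where the
    # same two options are bits in AdvertFlags:
    #   0x100000 (1048576) = OVERRIDE_SERVICE_WINDOWS
    #   0x200000 (2097152) = REBOOT_OUTSIDE_OF_SERVICE_WINDOWS
    # The type numbers are the FeatureType / PackageType values listed above.
    $query = @"
SELECT  CASE ds.FeatureType
            WHEN 2 THEN 'Application' WHEN 5 THEN 'Software Update'
            WHEN 7 THEN 'Virtual'     ELSE 'Baseline/Other' END AS DeploymentType,
        ca.AssignmentName      AS DeploymentName,
        ca.CollectionName,
        ca.OverrideServiceWindows,
        ca.RebootOutsideOfServiceWindows,
        ca.EnforcementDeadline AS Deadline
FROM    v_CIAssignment ca
LEFT JOIN v_DeploymentSummary ds ON ds.AssignmentID = ca.AssignmentID
UNION ALL
SELECT  CASE p.PackageType
            WHEN 0 THEN 'Package' WHEN 3 THEN 'Driver' WHEN 4 THEN 'Task Sequence'
            WHEN 257 THEN 'Image' WHEN 258 THEN 'Boot Image'
            WHEN 259 THEN 'OS Package' ELSE 'Other' END,
        adv.AdvertisementName,
        col.Name,
        CASE WHEN adv.AdvertFlags & 1048576 <> 0 THEN 1 ELSE 0 END,
        CASE WHEN adv.AdvertFlags & 2097152 <> 0 THEN 1 ELSE 0 END,
        NULL
FROM    v_Advertisement adv
JOIN    v_Collection col ON col.CollectionID = adv.CollectionID
JOIN    v_Package    p   ON p.PackageID      = adv.PackageID
"@

    $rows = Invoke-Sqlcmd -ServerInstance $SqlServer -Database $Database -Query $query

    # Apply the report's Yes/No style filters; with no switch given, anything
    # that has either option enabled is returned.
    if ($OverrideServiceWindows)        { $rows = $rows | Where-Object { $_.OverrideServiceWindows -eq 1 } }
    if ($RebootOutsideOfServiceWindows) { $rows = $rows | Where-Object { $_.RebootOutsideOfServiceWindows -eq 1 } }
    if (-not $OverrideServiceWindows -and -not $RebootOutsideOfServiceWindows) {
        $rows = $rows | Where-Object { $_.OverrideServiceWindows -eq 1 -or $_.RebootOutsideOfServiceWindows -eq 1 }
    }
    $rows | Sort-Object DeploymentType, CollectionName
}

# Deployments that may restart a client outside any maintenance window
Get-CMMaintenanceWindowOverride -RebootOutsideOfServiceWindows | Format-Table -AutoSize
```

The here-string can be pasted as-is into the SSRS dataset; the two switches map to the report's Yes/No prompts.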

Below is how the report looks. Choose the options you want and, based on the selection, the report lists the matching deployments.

 

image

 

As usual, I have posted the report to the TechNet Gallery. Download it from Here, upload it to your SSRS reports folder, change the data source and run it.

My blog has reached 2 Million views since it was created


Introduction:

I started blogging in 2009 on www.eskonr.wordpress.com, a free WordPress site, but in 2010 I moved it to my own domain, www.eskonr.com. Since then the number of views on my blog has doubled or tripled every year compared to the previous one, along with the number of interesting posts on SCCM/Configmgr and its connected objects.

As we enter the new year 2017, I was looking at the statistics of my blog for previous years and the overall views until today. I noticed that the total count of views on my blog has reached (~) 2 million since it was created.

image

I should thank all my blog readers who followed and supported me in writing useful blog posts. I hope this year will be another exciting one, with more focus on the hybrid environment (SCCM+Intune), MBAM and SQL.

Crunchy numbers:

2016 had its best ever views with 656,175 (650K), which means views increased 1.5 times compared to the previous year (2015).

The busiest day of the year was August 24th with 3,549 views. The total number of posts published in 2016 was 41.

image

Attractions in 2016:

These are the posts that got most views in 2016.

image

How did they find you?

The top referring sites in 2016 are:

image

Where did they come from (Top 5 countries )?

Most visitors came from The United States. India & U.K. were not far behind.

image

Once again, thank you all, and I hope you enjoy reading the posts on my blog. Have a great year ahead.

SCCM Configmgr Technical Preview update 1701 available


Microsoft has released update 1701, the first Technical Preview branch update of 2017 for SCCM Configmgr, with some new features and improvements to existing features that were requested through UserVoice.

These Technical Preview updates let you test in a lab environment and report feedback to Microsoft before the features make it into the Current Branch (production version). You can install this version to update and add new capabilities to your Configuration Manager Technical Preview site.

To see these preview updates in your Configmgr console you must have the baseline version, SCCM Configmgr Technical Preview 1610 (they do not apply to Current Branch). Technical Preview updates are intended for use in a lab environment only. For more information about the Technical Preview and its updates, refer to https://docs.microsoft.com/en-us/sccm/core/get-started/technical-preview

New features you can try out with this version:

Boundary groups improvements for software update points

Hardware inventory collects UEFI information

Improvements to operating system deployment

Host software updates on cloud-based distribution points

Validate device health attestation data via management points

Use the OMS connector for Microsoft Azure Government cloud

For more information about these features, read the documentation at https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1701

If you do not have a lab to play with Configmgr Technical Preview features, download the baseline version, Technical Preview 1610, from https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection-technical-preview .

To download and install preview update 1701, launch the console, go to Administration -> Cloud Services -> Updates and Servicing and click Check for updates.

image

image

Monitor dmpdownloader.log for the content download.

image

Refresh the Updates and Servicing node in the console to see the update.

image

Look in the EasySetupPayload folder for the downloaded files.

image

image

Select the update, click Install Update Pack and go through the options the wizard takes you through.

image

image

image

image

For installation status, monitor CMUpdate.log or use Updates and Servicing Status under the Monitoring node in the console.

image

image

Close the SCCM console and reopen it to install the new console version.

Technical Preview update 1701 has the following versions:

image

Console Version:5.0.8471.1000

Site Version:5.0.8471.1000

Client Version:5.00.8471.1000

For Technical preview documentation read https://docs.microsoft.com/en-us/sccm/core/get-started/technical-preview

Configuration Manager Resources:

Documentation for System Center Configuration Manager Technical Previews

Documentation for System Center Configuration Manager

System Center Configuration Manager Forums

System Center Configuration Manager Support

Download the Configuration Manager Support Center

SCCM Configmgr How to get clients maintenance window with custom dates (Past and Future )


Introduction:

Maintenance windows in Configmgr help ensure that client configuration changes occur during periods that do not affect the productivity of the organization.

The following operations can be performed during a maintenance window:

  • Software update deployments
  • Compliance settings deployment and evaluation
  • Operating system deployments
  • Task sequence deployments

More about maintenance windows: https://technet.microsoft.com/en-us/library/hh508762.aspx?f=255&MSPPError=-2147217396

Problem:

So if you want to know which clients have a maintenance window in the next few days (say 20 days ahead, or one that occurred in the last 20 days), there is no built-in report; you need a custom report to find the clients that are undergoing the changes deployed by your SCCM team.

I had a requirement to create a report that lists client maintenance windows, with prompts to choose past (already occurred) and future (going to happen) days, or to simply enter a client name to list its available maintenance windows.

Solution:

This blog post will help you identify the clients that have a maintenance window set up in the next few days, or that recently had one, using custom date ranges.

What you get with this report: a list of clients with their collection name, maintenance window name, description (effective date) and days ahead (a negative value means the date is in the past, a positive one that it is in the future).

When you run the report it prompts you for Past (e.g. -10) and Future (e.g. 10) days. Both are counted from the current date.

For example: today is 24-Jan-2017, client PC001 is in collection ABC with a maintenance window set for 21-Jan-2017, and PC002 is in collection CDE with a maintenance window set for 28-Jan-2017. If I choose Past as 3 days and Future as 10 days, I get the clients from both ABC and CDE, because PC001's window falls within the past 3 days and PC002's within the next 10.

If I choose Past as 1 day and Future as 3 days, the report returns nothing, because no client has a maintenance window within that range of the current date.

The logic used in the SQL is: the maintenance window date must be earlier than (current date + future days) and later than (current date - past days), as shown in the snippet below.

clip_image001
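The same past/future logic as a runnable query, as an added example (not the author's RDL). It talks to the site database through .NET SqlClient with real query parameters, because the client name prompt is user input and must not be concatenated into the SQL text. Server and database names are assumptions; the column names are those of v_ServiceWindow and v_FullCollectionMembership, and the comparison is done on whole days so a window at 02:00 three days ago is still counted as "past 3 days":

```powershell
# Added example: maintenance windows within a past/future day range,
# the logic the report uses, run as a parameterized query. Needs only .NET.
function Get-CMClientMaintenanceWindow {
    param(
        [string]$SqlServer = 'CMSQL01.intranet.asia',   # assumed site DB server
        [string]$Database  = 'CM_P01',                  # assumed site DB name
        [int]$PastDays     = 10,                        # windows that started up to N days ago
        [int]$FutureDays   = 10,                        # windows that start within N days
        [string]$ClientName                             # optional: one client only
    )

    # v_ServiceWindow.StartTime is the window's first occurrence. Later runs of
    # a recurring window are only encoded in the Schedules token, so this query
    # (like the report) is exact for one-time windows (RecurrenceType 1) and
    # reports only the first run of recurring ones.
    $sql = @"
SELECT  fcm.Name                               AS ClientName,
        col.Name                               AS CollectionName,
        sw.Name                                AS MaintenanceWindow,
        sw.Description,
        sw.StartTime,
        sw.Duration                            AS DurationMinutes,
        sw.RecurrenceType,
        DATEDIFF(day, GETDATE(), sw.StartTime) AS DaysAhead
FROM    v_ServiceWindow sw
JOIN    v_Collection col               ON col.CollectionID = sw.CollectionID
JOIN    v_FullCollectionMembership fcm ON fcm.CollectionID = sw.CollectionID
WHERE   DATEDIFF(day, GETDATE(), sw.StartTime) BETWEEN -@PastDays AND @FutureDays
  AND   (@ClientName IS NULL OR fcm.Name = @ClientName)
ORDER BY sw.StartTime, fcm.Name
"@

    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$SqlServer;Database=$Database;Integrated Security=True"
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $sql
    # Parameters, not string concatenation: this is also the shape an SSRS
    # dataset parameter produces, so the RDL should bind them the same way.
    $clientValue = if ($ClientName) { $ClientName } else { [DBNull]::Value }
    $null = $cmd.Parameters.AddWithValue('@PastDays',   $PastDays)
    $null = $cmd.Parameters.AddWithValue('@FutureDays', $FutureDays)
    $null = $cmd.Parameters.AddWithValue('@ClientName', $clientValue)

    $table = New-Object System.Data.DataTable
    try {
        $conn.Open()
        $table.Load($cmd.ExecuteReader())
    }
    finally {
        $conn.Close()
    }
    $table
}

# Windows that started in the last 3 days or start within the next 10
Get-CMClientMaintenanceWindow -PastDays 3 -FutureDays 10 | Format-Table -AutoSize
```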

How does the report look like ?

image

 

As usual, download the RDL file from the TechNet Gallery here, upload it to your SSRS folder, change the data source and run the report.

Configmgr PowerShell script to create deployments for multiple software update groups to multiple collections


Introduction:

Software update groups give you an effective way to organize software updates in your environment. A software update group consists of multiple software updates (metadata only). You can add software updates to a group manually or automatically by using an ADR.

One major advantage of software update groups is that it is easier to track compliance status, through reports or the console, for the many updates you have deployed, and to delegate software update administration (you can set a security scope on each software update group).

Problem:

If you have multiple software update groups to deploy to multiple collections as part of monthly patching, doing it through the console is tedious. Why? The user interface takes a long time (depending on the number of updates in each group) to process the updates in each software update group, validate them and deploy them to a collection with settings such as available date, deadline date/time, restart settings and download settings. If you are still doing this from the console, you really should look at other methods, such as tools or a PowerShell script, to save your time.

Solution:

There are many third-party tools and scripts that deploy software update groups to collections, but in this blog post I will share a simple PowerShell script I created that deploys multiple software update groups to multiple collections, reading the input from a CSV file and writing to a log file whether each deployment was created or not.

The CSV file is the script's input; from it the script reads variables such as software update group name, collection name, deployment name, deployment type, available date, deadline date and time, and whether to restart servers or workstations. I chose these variables because they are the most common settings we use.

If you want to customize other settings, such as download settings, add them as columns in the CSV file and modify the script to read those custom variables.

The script uses the basic Configmgr PowerShell cmdlets plus some custom PowerShell to read the input variables from the CSV file, check whether the deployment name already exists and then create the deployments.

Note: like the console, the script checks whether the deployment name already exists before creating a new one. In the console you cannot reuse a deployment name that already exists, but with PowerShell you can create any number of deployments with the same name; I did not allow that in my script.

If you want to create the deployments without that check, delete the 'Get the deployments' and 'check if the deployment exists' parts of the script.

What information do you need to put into the CSV file?

You need to provide the software update group name, collection name, deployment name, type, available date and time, deadline, restart workstation and restart server, as shown in the snippet below.

Always use 'software update group + collection name' as the deployment name, so that the name is unique and easy to identify when running reports.

SUName: software update group

CollName: collection name

DeploymentName: deployment name

DeployType: deployment type (Required or Available)

RestartWorkstation = true means suppress the restart on workstations after the patches are installed; false means restart the workstation after the patches are installed. RestartServer works the same way for servers.

image

You do not need Excel on the machine where you run the script; the script reads the CSV file as plain text, so Notepad is enough to edit it.

Download the script from the TechNet Gallery, extract the zip file and open the CSV file in Excel on a machine that has it installed. When the CSV file is ready, run the script to create the deployments.
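An added example of the same approach, written for this page rather than taken from the author's TechNet Gallery script. It assumes the Configmgr console (and its PowerShell module) is installed on the machine, a site code of P01, and a CSV with the columns described above plus AvailableDate/AvailableTime/DeadlineDate/DeadlineTime in ISO form (yyyy-MM-dd and HH:mm). The cmdlet names and parameters are those of the New-CMSoftwareUpdateDeployment cmdlet in the Current Branch module:

```powershell
# Added example, not the author's script. Creates one software update
# deployment per CSV row, skips rows whose deployment name already exists
# and logs the outcome of every row.
param(
    [string]$SiteCode = 'P01',                    # assumed
    [string]$CsvPath  = '.\SUGDeployments.csv',   # assumed
    [string]$LogPath  = '.\SUGDeployments.log'    # assumed
)

function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $Message" | Tee-Object -FilePath $LogPath -Append
}

# Dates in the CSV are 'yyyy-MM-dd HH:mm', parsed with a fixed culture so the
# deadline does not depend on the regional settings of whoever runs the script.
function ConvertTo-DeploymentTime {
    param([string]$Date, [string]$Time)
    [datetime]::ParseExact("$Date $Time", 'yyyy-MM-dd HH:mm', [Globalization.CultureInfo]::InvariantCulture)
}

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1" -ErrorAction Stop
Push-Location "$($SiteCode):"      # the CM cmdlets only work from the site drive
try {
    foreach ($row in Import-Csv -Path $CsvPath) {
        $name = $row.DeploymentName
        try {
            # Validate every reference before creating anything, so a typo in
            # the CSV produces a log line instead of a deployment to the wrong
            # collection, the most expensive mistake in patch automation.
            if (-not (Get-CMSoftwareUpdateGroup -Name $row.SUName)) {
                Write-Log "SKIP  $name : software update group '$($row.SUName)' not found"; continue
            }
            if (-not (Get-CMCollection -Name $row.CollName)) {
                Write-Log "SKIP  $name : collection '$($row.CollName)' not found"; continue
            }
            if (Get-CMSoftwareUpdateDeployment -Name $name) {
                Write-Log "SKIP  $name : deployment already exists"; continue
            }
            if ($row.DeployType -notin 'Required', 'Available') {
                Write-Log "SKIP  $name : DeployType must be Required or Available"; continue
            }

            $params = @{
                SoftwareUpdateGroupName = $row.SUName
                CollectionName          = $row.CollName
                DeploymentName          = $name
                DeploymentType          = $row.DeployType
                AvailableDateTime       = ConvertTo-DeploymentTime $row.AvailableDate $row.AvailableTime
                DeadlineDateTime        = ConvertTo-DeploymentTime $row.DeadlineDate  $row.DeadlineTime
                # As the post describes for these two values: true suppresses
                # the restart on that device type, false allows it.
                RestartServer           = [bool]::Parse($row.RestartServer)
                RestartWorkstation      = [bool]::Parse($row.RestartWorkstation)
                UserNotification        = 'DisplaySoftwareCenterOnly'
            }
            $null = New-CMSoftwareUpdateDeployment @params
            Write-Log "OK    $name : deployed '$($row.SUName)' to '$($row.CollName)' ($($row.DeployType))"
        }
        catch {
            Write-Log "ERROR $name : $($_.Exception.Message)"
        }
    }
}
finally {
    Pop-Location
}
```

Run it from a PowerShell session that has not already changed to the site drive; the log ends up next to the CSV with one OK, SKIP or ERROR line per row, which is what you want to attach to the change record for the patch cycle.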

How to find and update DNS server search order using SCCM Configmgr


 

If you use SCCM Configmgr in your environment, you can accomplish a lot of manual administrative tasks with it, either through a deployment or through compliance settings.

Recently I was working on a task to update the DNS records (the primary DNS server IP) on a large number of servers. The servers use static IP configuration, so the change had to be made on every server that still pointed at the old address.

Because of a change in the network segment of the DNS server, the DNS server IP changed from a class B to a class A address.

How do I replace the old DNS server entry with the new one on all the servers? Before you use any method (scripting or Configmgr), you need the list of servers that are still using the OLD DNS entry, validate it and then perform the change.

image

Since our infrastructure uses Configmgr to manage workstations and servers, I can use Configmgr to pull a report of the servers using the OLD DNS server entry, create a collection for them, deploy a script that updates the DNS server entry and then monitor the report to see whether the change went through.

Before you build the report, you need to find out which SQL view stores the DNS server details. Network adapter configuration is stored in the view v_GS_NETWORK_ADAPTER_CONFIGUR.

The information we need is the DNSServerSearchOrder0 column, which is not enabled by default in the hardware inventory class.

You need to enable it in Client Settings -> Hardware Inventory -> Set Classes: search for 'network', open Network Adapter Configuration and select DNS Server Search Order.

image

After you enable it, the clients targeted by that client settings policy download the new policy and send the updated inventory during the next scheduled hardware inventory cycle.

Once the inventory is in, you can generate the report of the servers that use the OLD DNS entry.

Here is the SQL query to check the DNS server search order:

select sys.name0,os.Caption0,DNSServerSearchOrder0 from v_R_System sys

join v_GS_NETWORK_ADAPTER_CONFIGUR NAC on NAc.ResourceID=sys.ResourceID

join v_GS_OPERATING_SYSTEM os on os.ResourceID=sys.ResourceID

where OS.Caption0 like '%server%'

and nac.IPEnabled0='1'

and nac.DNSServerSearchOrder0 like '%OLD DNS SERVER IP%'

The above query gives you the servers with their primary and secondary DNS server entries. Create a new collection and add these machines to it.

Now we have the list of servers to update with the new DNS server entry, but we do not yet have a package to deploy to the collection.

To update the DNS server entries you can use either PowerShell or VBScript. If you still run any Windows Server 2003, PowerShell is not a good option there, so you may have to use VBScript.

I am posting both the VBScript and the PowerShell version so you can pick what fits your environment.

In my case I need to update the primary DNS entry (new IP) and keep the secondary DNS server entry as it is, so both scripts set the complete search order explicitly: the new primary first, the existing secondary second.

VBscript:

on error resume next

strComputer = "."

Const FullDNSRegistrationEnabled = True

Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

Set colNetCards = objWMIService.ExecQuery ("Select * From Win32_NetworkAdapterConfiguration Where IPEnabled = True")

FOR EACH objNetCard in colNetCards

arrDNSServers = Array("DNS server IP1","DNS Server IP2")

errEnable = objNetCard.SetDNSServerSearchOrder(arrDNSServers)

objNetCard.SetDynamicDNSRegistration FullDNSRegistrationEnabled

next

If you have primary and secondary DNS ,replace the IP address accordingly in the above script.

Powershell:

# Apply the new DNS server search order to every IP-enabled adapter
$NICs = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -eq $true }

foreach ($NIC in $NICs) {

    # Replace with your new primary and existing secondary DNS server IPs
    $DNSServers = "DNS server IP1", "DNS server IP2"

    $NIC.SetDNSServerSearchOrder($DNSServers)

    # Re-register this host's records with the new DNS servers
    $NIC.SetDynamicDNSRegistration($true)

}

When you deploy the PowerShell script, pay attention to the command line you use. If you have set the PowerShell execution policy to Bypass in the client settings, you can simply use scriptname.ps1 as the command line; otherwise you must bypass the execution policy on the command line itself:

PowerShell.exe -ExecutionPolicy Bypass -File "scriptname.ps1"

Create a package with the above script, deploy it to the collection and monitor the results.

For the results, wait for the next hardware inventory cycle, re-run the query and fix the servers where the change did not go through.
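An added example (not from the original post) of a version that does what the text above asks for more precisely: it swaps only the old entry for the new one on each adapter and leaves every other entry, and their order, untouched, so servers whose secondary differs from the rest of the estate keep it. It also returns a non-zero exit code when an adapter could not be updated, so the deployment status in the console is truthful, and it has a detection-only mode usable as a compliance-setting discovery script. The IP addresses are assumptions; it uses Get-WmiObject, as the scripts above do, and needs PowerShell 3.0 or later:

```powershell
# Added example, not from the original post. Replaces one DNS server entry
# with another in the search order of every IP-enabled adapter, preserving
# all other entries and their order. Addresses are assumed for illustration.
param(
    [string]$OldDns = '172.16.10.5',   # assumed OLD primary DNS server
    [string]$NewDns = '10.0.0.5',      # assumed NEW primary DNS server
    [switch]$Detect                    # detection-only mode (CI discovery script / dry run)
)

function Get-DnsSearchOrderChange {
    # Returns one object per adapter that still lists $OldDns, with the
    # current and the desired search order. Nothing is changed here.
    param([string]$OldDns, [string]$NewDns)
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { $_.DNSServerSearchOrder -contains $OldDns } |
        ForEach-Object {
            $nic     = $_
            $desired = @($nic.DNSServerSearchOrder |
                         ForEach-Object { if ($_ -eq $OldDns) { $NewDns } else { $_ } } |
                         Select-Object -Unique)     # keeps first-occurrence order
            [pscustomobject]@{
                Adapter = $nic.Description
                Current = $nic.DNSServerSearchOrder
                Desired = $desired
                Config  = $nic
            }
        }
}

function Set-DnsSearchOrderChange {
    # Applies the desired order and returns the number of adapters that
    # failed, so the caller can turn it into an exit code ConfigMgr reports on.
    param([string]$OldDns, [string]$NewDns)
    $failed = 0
    foreach ($change in Get-DnsSearchOrderChange -OldDns $OldDns -NewDns $NewDns) {
        $result = $change.Config.SetDNSServerSearchOrder([string[]]$change.Desired)
        # Win32_NetworkAdapterConfiguration methods return 0 on success
        if ($result.ReturnValue -ne 0) {
            Write-Warning "$($change.Adapter): SetDNSServerSearchOrder returned $($result.ReturnValue)"
            $failed++
            continue
        }
        # Re-register this host's records with the new server, as the scripts above do
        $null = $change.Config.SetDynamicDNSRegistration($true)
        Write-Host "$($change.Adapter): $($change.Current -join ',') -> $($change.Desired -join ',')"
    }
    return $failed
}

if ($Detect) {
    # Compliance-setting style detection: report state, always exit 0
    $pending = @(Get-DnsSearchOrderChange -OldDns $OldDns -NewDns $NewDns)
    if ($pending.Count -eq 0) { 'Compliant' } else { 'NonCompliant' }
    exit 0
}

# Package/program mode: a non-zero exit code makes the deployment show as
# failed instead of "succeeding" on a server that kept the old entry
$failedCount = Set-DnsSearchOrderChange -OldDns $OldDns -NewDns $NewDns
exit $failedCount
```

Deploy it with the same -ExecutionPolicy Bypass command line shown above; for a configuration item, use the -Detect switch as the discovery script and compare the output against the string Compliant.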


SCCM Configmgr how to manage clients in untrusted forest


A few weeks ago I was assigned the task of managing clients in an untrusted forest using Configuration Manager 2012 R2 SP1. Yes, we are still on Configmgr 2012, but we will be on Configmgr Current Branch soon (in the next few weeks).

The scenario: I have a forest (intranet.asia) where SCCM 2012 R2 SP1 is installed and used to manage the clients in that forest. Now I have a requirement to manage clients in an untrusted forest (life.net), which is completely isolated from the existing forest with no trust between the two.

So the task is: how to manage the clients in the untrusted forest (life.net), for software distribution, patching and so on, using the SCCM server that resides in the intranet.asia forest.

My setup is like this:

Green colour: current working site

Brown colour: untrusted forest

Red colour: firewall between the two forests

Blue colour: clients in the untrusted forest must talk to the SCCM site in the intranet.asia forest, and SCCM must publish site information to AD, perform AD system discovery, automatic client push installation and so on in the untrusted forest.

image

 

The LIFE.NET forest is completely isolated and has no trust with the INTRANET.ASIA forest where SCCM is installed. The aim is to manage the clients in life.net (very few for now, fewer than 50) using the existing SCCM site.

The high-level steps to manage clients in an untrusted forest with SCCM are listed below.

1. First and foremost, firewall ports: clients in the untrusted forest must be able to reach the SCCM site system roles (all the ports a client needs to talk to the MP, DP and SUP, as outlined here), and the SCCM server must be able to reach the remote forest (DNS port 53, LDAP port 389) to publish site information and discover objects.

2. Configure DNS with a conditional forwarder or stub zone in the local forest (so SCCM can resolve remote host names such as dc02.life.net and the remote clients for system discovery) and in the untrusted forest (so the clients can resolve the MP, DP, SUP and so on).

3. Create an account in the untrusted forest that is used to publish the SCCM site information into the System Management container, which will be created later in the LIFE.NET forest.

4. Extend the schema in the untrusted forest (LIFE.NET) using the schema files from the Configmgr media, with sufficient permissions (the user must be a schema admin). This is optional; read on to decide whether you really need to extend the schema.

5. Create the System Management container in the untrusted forest and grant full control on it to the account you created above, so it can publish the SCCM site information.

6. On the SCCM server (INTRANET.ASIA), add the untrusted forest and configure the account you created above; monitor hman.log for errors.

7. Check in the untrusted forest whether the site information has been published into the System Management container.

8. If you want to discover clients in the untrusted forest automatically, configure AD System Discovery. If you have not configured the DNS conditional forwarder, system discovery will fail on name resolution (monitor adsysdis.log for errors).

9. If you want to perform client push installation, get an account from the untrusted forest and configure it on the SCCM server.

10. Configure boundaries in SCCM (INTRANET.ASIA) for the untrusted forest so its clients can be managed.

11. If clients in the untrusted forest cannot resolve the SCCM roles (MP, DP, SUP) for client installation, site assignment and policy download, add the required entries (IP address and FQDN of each role) to the hosts file on every client. Again, you must make sure the ports (HTTP 80, SUP 8530) are open from the untrusted forest to the SCCM servers; otherwise basic functions such as software distribution and software updates will not work.

The steps above are the general approach, but in reality some of them may not be allowed in your environment, such as configuring DNS conditional forwarders. In that case, what other methods do I have to get the task done?

Please note that in this untrusted forest I have fewer than 50 clients to manage, so I can skip the DNS configuration and go with hosts file entries (manual feeding). If you have a large number of clients to manage, you need to look at a proper solution such as DNS configuration for name resolution.

The following site system roles, installed at a primary site, support connections from clients in untrusted locations such as the Internet or an untrusted forest (secondary sites do not support client connections from untrusted locations):

  • Application Catalog website point

  • Configuration Manager Policy Module

  • Distribution point (HTTPS is required by cloud-based distribution points)

  • Enrollment proxy point

  • Fallback status point

  • Management point

  • Software update point

The steps I followed to manage these few clients in the LIFE.NET forest for software distribution and software updates from the existing forest:

On the local forest (intranet.asia)

1. Due to the restrictions I have, I cannot configure conditional forwarders in DNS, so I have to add the untrusted forest entries to the hosts file on the SCCM server.

Go to C:\windows\system32\drivers\etc, open the hosts file and add the untrusted forest entries, which include life.net and dc01.life.net with their IP addresses, for name resolution.

image

Make sure you can ping the remote forest and resolve its host names.

If there are any firewall restrictions, work with your network team to get them resolved.
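A pre-check for exactly these two conditions, as an added example that is not part of the original post. It resolves each name the way Windows does (hosts file first, then DNS, so it reflects the manual hosts entries above) and attempts a TCP connection on the ports the post lists, with a timeout so a silently filtered port is reported as closed rather than hanging. Host names are assumptions; run the first set on the site server and the second on a client in the untrusted forest:

```powershell
# Added example, not part of the original post. Verifies name resolution and
# TCP reachability for the cross-forest ports before the forest is added in
# the console. Host names below are assumed for illustration.
function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 3000)
    # TcpClient works on every Windows version SCCM 2012 supports, unlike
    # Test-NetConnection (Windows 8.1 / Server 2012 R2 and later only)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }  # filtered / timed out
        $client.EndConnect($async)      # throws if the port is closed (RST)
        return $true
    }
    catch {
        return $false
    }
    finally {
        $client.Close()
    }
}

function Test-CrossForestPath {
    param([hashtable[]]$Checks, [int]$TimeoutMs = 3000)
    foreach ($check in $Checks) {
        # Dns.GetHostAddresses honours the hosts file as well as DNS, which is
        # exactly what matters when conditional forwarders are not allowed
        $addresses = $null
        try   { $addresses = [System.Net.Dns]::GetHostAddresses($check.Host) | ForEach-Object { $_.IPAddressToString } }
        catch { $addresses = $null }

        $resolvedText = 'FAILED'
        $open = $false
        if ($addresses) {
            $resolvedText = $addresses -join ','
            $open = Test-TcpPort -Target $check.Host -Port $check.Port -TimeoutMs $TimeoutMs
        }

        [pscustomobject]@{
            Host     = $check.Host
            Port     = $check.Port
            Purpose  = $check.Purpose
            Resolved = $resolvedText
            PortOpen = $open
        }
    }
}

# Site server (intranet.asia) -> untrusted forest: publishing, discovery, client push
$fromSiteServer = @(
    @{ Host = 'dc01.life.net'; Port = 389; Purpose = 'LDAP: publish site data, AD system discovery' },
    @{ Host = 'pc01.life.net'; Port = 445; Purpose = 'SMB admin$: client push to this client' }
)
# Client in life.net -> site system roles (HTTP ports as in the post; 443/8531 if the roles are HTTPS)
$fromClient = @(
    @{ Host = 'cm01.intranet.asia'; Port = 80;   Purpose = 'Management point / distribution point' },
    @{ Host = 'cm01.intranet.asia'; Port = 8530; Purpose = 'Software update point (WSUS)' }
)

Test-CrossForestPath -Checks $fromSiteServer | Format-Table -AutoSize
# On a client in the untrusted forest run instead:
# Test-CrossForestPath -Checks $fromClient | Format-Table -AutoSize
```

A row with Resolved = FAILED is a hosts file or DNS problem; a row that resolves but shows PortOpen = False is the firewall, which is the evidence to hand to the network team.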

2. For the local SCCM server to talk to the remote forest (publish site information into AD, discover objects, client push installation and so on) we need a few accounts. Let's create them. In my case I will create one account and use it for publishing the site information.

To discover AD objects in the remote forest you only need a normal user account with read permissions; the client push account must be a member of the local Administrators group on the remote clients on which you install the SCCM client.

In the untrusted forest, create an account called CM_Publish (a normal user is enough).

3. In the remote forest, log on to a domain controller, or use an account that has full permissions to make the following changes.

Open adsiedit.msc, create the System Management container and give CM_Publish full control on it.

4. While in the remote forest, extend the AD schema. To do so, copy extadsch.exe from your SCCM media or from the SCCM installation folder \bin\X64. The account performing this must be a member of Schema Admins. Verify the status in extadsch.log, which is created in the root of the system drive.

5. Back on the local SCCM server, go to Hierarchy Configuration -> Active Directory Forests and click Add Forest.

6. In Domain suffix, enter the domain suffix (in my case: life.net).

Use the account we created above (CM_Publish) to publish the site information into the AD System Management container.

image

Choose Use specific account -> New account and type in the credentials.

Click Verify. Be careful to type the correct LDAP path: do not go with the auto-filled default, because it is wrong and will never verify. The default path after you enter the credentials will be LDAP://DC=sglife,DC=net.

Replace it with the correct LDAP path: LDAP://life.net/DC=life,DC=net

This LDAP path is what is used to verify that the connection is successful.

image

On the Publishing tab, select the site whose information you want to publish.

image

Monitor hman.log to see whether the attributes are published in the remote forest's System Management container, and for any errors. You must extend the schema before the attributes can be published. If you do not extend the schema, clients in that forest cannot locate the site through AD, and you have to hand them the site code and management point at install time (for example with the SMSSITECODE and SMSMP client installation properties).

image

 

'SMS-Site-SITECODE could not be created, error code = 8202'. If you have not extended the AD schema, you will see errors like this in hman.log. After the schema extension you will see something like the below:

image

 

After a while the publishing status for the newly added forest turns to Succeeded.

image

Go to your untrusted forest's domain controller, open Active Directory Users and Computers and look in the System Management container: you should see the objects published for the site code, boundaries and so on.

With this we have successfully added the untrusted forest to our SCCM site, and we are ready to discover objects and perform client push installation before we start distributing applications and deploying software updates.

 

Before we proceed to configuring the discovery methods and the client push installation account, we need to make sure we can resolve and ping the remote forest's domain controller name. Why? Discovery works on name resolution, so if names do not resolve, discovery of the objects will fail.

As I said initially, if you need to discover the remote forest's computer resources, you must configure DNS with a conditional forwarder or stub zone in the local forest (INTRANET.ASIA); otherwise forget about discovering the objects and just install the SCCM client on the remote forest clients manually.

After you configure the conditional forwarder in DNS, open the Configuration Manager console, go to Hierarchy Configuration -> Discovery Methods, open Active Directory System Discovery, click the starburst icon and add the location path.

image

Follow the same steps as when adding the forest: specify the account, LDAP path and so on. Use the same LDAP path (LDAP://life.net/DC=life,DC=net) you used above to verify the connection.

If name resolution is not working, you will see errors in the system discovery log adsysdis.log like the below:

image

Wait for the discovery to run and monitor adsysdis.log for any errors.

Next, configure the client push installation account, which is straightforward. Get an account that is a local admin on all the untrusted forest clients and add it as a client push installation account.

If you have multiple client push installation accounts configured, the site tries each account in turn to install the SCCM client until one succeeds. Monitor ccm.log on your site server for any errors.

If you do not use client push but install the SCCM client manually, you must approve the clients manually in the SCCM console. This is because the default client approval setting in Hierarchy Settings only automatically approves computers in trusted domains.

image

 

Once you have installed the client in the untrusted forest, approve the clients manually in the SCCM console.

You can also create a collection of unapproved clients with the query below, select all of them and approve them together. This can also be automated with PowerShell.

select distinct system.* from SMS_R_System as system join SMS_FullCollectionMembership as collection on system.ResourceID = collection.ResourceID where collection.IsApproved=0

I hope this guide helps you manage clients in an untrusted forest.

Reference:   https://blogs.technet.microsoft.com/neilp/2012/08/20/cross-forest-support-in-configmgr-2012-part-1-simple-management/

SCCM Configmgr Technical Preview update 1702 available


Microsoft has released the February update, 1702, for the SCCM Configmgr Technical Preview branch, with some new features and improvements to existing features that were requested through UserVoice.

These Technical Preview updates let you test in a lab environment and report feedback to Microsoft before the features make it into the Current Branch (production version). You can install this version to update and add new capabilities to your Configuration Manager Technical Preview site.

To see these preview updates in your Configmgr console you must have the baseline version, SCCM Configmgr Technical Preview 1610 (they do not apply to Current Branch). Technical Preview updates are intended for use in a lab environment only. For more information about the Technical Preview and its updates, refer to https://docs.microsoft.com/en-us/sccm/core/get-started/technical-preview

New features you can try out with this version are:

  • Send feedback from the Configuration Manager console
  • Changes for Updates and Servicing
  • Peer Cache improvements
  • Use Azure Active Directory Domain Services to manage devices, users, and groups
  • Conditional access device compliance policy improvements
  • Antimalware client version alert
  • Compliance assessment for Windows Update for Business updates
  • Improvements to Software Center settings and notification messages for high-impact task sequences
  • Check for running executable files before installing an application
  • Create PFX certificates with S/MIME support
  • New compliance settings for iOS devices
  • Android for Work support

 

For more information about these features, read the documentation at https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1702

If you do not have a lab environment to play with Configmgr Technical Preview features, download the baseline version, Technical Preview 1610, from https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection-technical-preview .

To download and install preview update 1702, launch the console, go to Administration -> Overview -> Updates and Servicing and click Check for updates.

image

Monitor dmpdownloader.log for the content download.

If for some reason the state is stuck at Downloading for a long time, restart the SMS Executive service on the SCCM server, wait a while and check the log and the console for the status.

Verify the download folder location and its content under <SCCM installation directory>\EasySetupPayload\0aff9384-6a8d-4dc5-a8bf-4e9afd2d51f1. The total size of this update is 1.3GB.

image

Right-click the new update (1702) and click Install Update Pack.

image

This version includes site server updates, console updates, fixes for known issues and new features.

image

Click Next (select the features you are interested in), Next (update without validating), Next (accept the license terms) and Next for the summary.

image

The state now changes from Available to Installing in Updates and Servicing.

image

Monitor the installation status of the update in cmupdate.log in your Configmgr logs folder, or under Monitoring -> Updates and Servicing Status.

image

After a while check the status, then close the SCCM console and reopen it to install the new console version.

image

Update 1702 has a new feature that downloads only the latest ConfigMgr update: if two or more ConfigMgr updates apply, only the latest one is downloaded. For example, if your current ConfigMgr version is two or more versions older than the current version, only the most recent version is downloaded. A new clean-up function deletes unneeded downloads from the EasySetupPayload folder. A new warning appears when you try to install an update that has been replaced by a newer one; the warning does not block other updates and you can override it.

After the update is installed, the evaluation period resets to 90 days.

image

Technical Preview update 1702 has the following versions:

image

Console Version: 5.0.8496.1000

Site Version: 5.0.8496.1000

Client Version:5.00.8496.1000

SCCM Configmgr Current Branch updates stuck at downloading for longer time WARNING Failed to extract the payload cab of package


 

Today I finished an in-place upgrade of one of my SCCM Configmgr 2012 R2 SP1 sites to Configmgr Current Branch 1606, and the upgrade was very smooth without any issues.

After the in-place upgrade completed successfully, I launched the console and checked for updates under the Updates and Servicing node for 1610. For some reason, update 1610 was stuck at Downloading for a long time.

To troubleshoot this, open dmpdownloader.log and check the download status. As you can see below, it tries to extract autorun.inf from the cab file that was downloaded (update 1610), but the extraction fails.

Why does the extraction fail? The server is running McAfee Antivirus, which blocks the .inf file.

How do you check that McAfee is blocking the .inf file extraction?

By default, McAfee logs are stored in C:\ProgramData\McAfee\DesktopProtection. Checking AccessProtectionLog.txt on the server, I found the following message.

1/3/2017    1:48:55 PM    Blocked by Access Protection rule     NT AUTHORITY\SYSTEM    System:Remote    D:\Program Files\Microsoft Configuration Manager\EasySetupPayload\af633310-e419-44b3-9e0e-ab93d57087cf\autorun.inf    Anti-virus Standard Protection:Prevent remote creation of autorun files    Action blocked : Create

To fix this, have your security team add the folder “D:\Program Files\Microsoft Configuration Manager\EasySetupPayload” to the McAfee exclusion list, or disable the McAfee AV temporarily until the download finishes.

Hope it helps!

SCCM Configmgr powershell to enable the option software update deployment re-evaluation behaviour upon restart


With Configuration Manager 1606, a new feature called ‘Run software updates compliance scan immediately after a client installs software updates and restarts’ was added to the software updates section. It runs a software update compliance scan immediately after a client installs software updates and restarts, which lets the client check for additional software updates that become applicable after the restart and install them (and become compliant) during the same maintenance window.

To set this up for a deployment, on the User Experience page of the Deploy Software Updates Wizard, select ‘If any update in this deployment requires a system restart, run updates deployment evaluation cycle after restart’.

For newly created deployments, you set this option in the wizard, but what if you have migrated your environment from SCCM Configmgr 2012 R2 to SCCM Configmgr 1606 or Current Branch 1610?

For existing deployments, after you migrate from CM12 to 1606 or above, right-click the software update deployment and go to the User Experience tab; at the bottom you will see “Software update deployment re-evaluation behaviour upon restart”, as shown below.

If you have few deployments, you can set this option manually, but with a large number of deployments setting it by hand is not a good option; for that, we will use a PowerShell script.

To enable this option using PowerShell for all software update deployments, we first need to identify the property in WMI. Using WMI Explorer, connect to the SCCM site namespace ROOT\SMS\site_Sitecode, filter on SMS_UpdateGroupAssignment, select any update group assignment, and on the right side of WMI Explorer you will find the list of properties associated with each deployment.

To select this option for a large number of deployments, we will use a PowerShell script to set RequirePostRebootFullScan to TRUE. RequirePostRebootFullScan accepts only a Boolean, either False or True.

This property is not yet included in the Configmgr PowerShell cmdlets, but according to Configmgr UserVoice it will be available in the 1701 Technical Preview, which means we can expect it in the next Current Branch update.

Until it is available in the Configmgr PowerShell cmdlets, we will set RequirePostRebootFullScan to True using PowerShell for all deployments that do not have this option enabled.

The PowerShell script goes through the list of all software update deployments, checks whether RequirePostRebootFullScan is set to False, changes it to True, and pipes the deployment information to a log file.

Download the PowerShell script from the TechNet Gallery here.
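As an added example, not the author's TechNet Gallery script, the following PowerShell does the same job against the SMS Provider: the site server name, site code and log path are placeholders to replace, and the -ReportOnly switch is an assumption added so you can audit the deployments before changing anything.

```powershell
# Added example: enable RequirePostRebootFullScan on every software update
# deployment through the SMS Provider WMI class SMS_UpdateGroupAssignment.
# Assumed placeholders (not from the original post): site server, site code,
# log file path. Run with Full Administrator rights on the site.
param(
    [string]$SiteServer = 'CM01',                                  # assumed SMS Provider host
    [string]$SiteCode   = 'P01',                                   # assumed site code
    [string]$LogFile    = 'C:\Temp\RequirePostRebootFullScan.log', # assumed log path
    [switch]$ReportOnly                                            # audit only, change nothing
)

$namespace = "root\SMS\site_$SiteCode"
$stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'

# Every software update deployment is one SMS_UpdateGroupAssignment instance.
$assignments = Get-WmiObject -ComputerName $SiteServer -Namespace $namespace `
    -Class SMS_UpdateGroupAssignment

foreach ($a in $assignments) {
    if ($a.RequirePostRebootFullScan -eq $true) {
        "$stamp`tALREADY ENABLED`t$($a.AssignmentName)`t$($a.CollectionID)" |
            Out-File -FilePath $LogFile -Append
        continue
    }

    if ($ReportOnly) {
        "$stamp`tNEEDS CHANGE`t$($a.AssignmentName)`t$($a.CollectionID)" |
            Out-File -FilePath $LogFile -Append
        continue
    }

    # Enumeration does not populate lazy properties; re-read the instance by
    # path before writing it back so no lazy property is overwritten with null.
    $full = [wmi]$a.__PATH
    $full.RequirePostRebootFullScan = $true
    $null = $full.Put()

    "$stamp`tENABLED`t$($a.AssignmentName)`t$($a.CollectionID)" |
        Out-File -FilePath $LogFile -Append
}
```

Run it once with -ReportOnly and review the log, then run it again without the switch to apply the change.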

SCCM Configmgr report for local admins and local group members


I had a requirement to generate a report listing the members (users/groups) of the local Administrators group on servers for auditing purposes. Finding the users/groups that are members of the local Administrators group on every server, manually or by scripting, is a tedious task. If you are managing the devices with Configuration Manager, you can leverage Configmgr to get this done easily.

By default, Configmgr does not have an inbuilt solution or report to get the members of the local Administrators group, but we can achieve this with a custom solution. The only solution I have tried earlier, and seen people using, is the one provided and blogged by Sherry Kissinger.

Sherry's solution was to create a configuration item/configuration baseline with a VBScript, deploy it to a collection, import a MOF file into client agent settings to pull the custom WMI data created by the script, and run a report to get the required information.

If you search online for this subject, you will mostly hit TechNet forum posts/blogs that refer to the following links.

http://myitforum.com/cs2/blogs/skissinger/archive/2010/04/25/report-on-all-members-of-all-local-groups.aspx

https://mnscug.org/blogs/sherry-kissinger/244-all-members-of-all-local-groups-configmgr-2012

http://mnscug.org/images/Sherry/WMIFrameworkForLocalGroupswithLogging.zip

I tried this solution long ago for some of my customers and it worked fantastically, but I did not blog about it as there were already posts available online.

I started to follow the above blogs a few days ago for my task, but for some reason these URLs are no longer active. During my online search, I found a few other blogs that talk about this solution.

I tried importing the cab file from Sherry's blog into a configuration baseline, but for some unknown reason the import did not succeed on either Configmgr 2012 or Configmgr Current Branch 1610. Both environments gave the following error.

I am not the only one facing this issue while importing the cab file; many people have posted about it on TechNet looking for a solution.

So I started creating the configuration items and configuration baseline, making the changes to client agent settings (MOF file), and generating the report myself.

I am attaching the configuration baseline cab file here for you to download, extract and import into your Configmgr 2012 or Configmgr Current Branch 1610; simply deploy it to the required collection and import the MOF file into client agent settings for hardware inventory.

If you see any issues while importing the cab file into a configuration baseline, follow the steps illustrated below to implement this solution step by step.

In this blog post, I will show how to create the configuration item and configuration baseline with the script Sherry provided, make the MOF changes in client settings, wait for hardware inventory, and create SQL queries to run the report.

There are two VBScripts available online: 1) get members of the local Administrators group only (WIN32_localadmins); 2) get members of all local groups on the machine (cm_localgroupmembers).

Script 1 gives you the users/members of the Administrators group only, and script 2 gives you the members of all local groups.

I have attached both scripts in the download section for your reference, in case you do not want information on all groups.

Note: This task can be achieved in two ways, either by deploying the script as a package or by deploying it using the baseline method, but the prerequisite is a recurring deployment, or a recurring DCM baseline/CI.

Steps in brief:

1. Import the MOF file into the default client agent settings, but do not select the changes in the default client agent settings. You can select these changes in custom client agent settings to deploy to a collection.

2. Create a configuration item and configuration baseline and deploy it to a collection on a recurring basis.

3. Run the SQL query/report to get members of the local Administrators group.

Note: Should I go with a configuration item or a package? I would strongly suggest going with a configuration item and making it recurring instead of scheduling it once. Why make it recurring?

The script used in the configuration item creates the WMI instance “cm_localgroupmembers” and queries the local groups and their members once per script run. If you run the configuration item once, it queries the local groups and members and writes the information into cm_localgroupmembers, but any changes made after that run will not appear in cm_localgroupmembers. To pick up additions or deletions of users/groups in local groups, you must schedule it on a recurring basis.

In this post, I will go with the configuration baseline method.

Before starting the steps, download the files required to create the baseline, MOF file, reports etc. from here.

Step 1: Copy the MOF file from the download section to your SCCM server and import it into Default Client Agent Settings > Hardware Inventory on your SCCM server (CAS if you have one, otherwise the primary site), then de-select the localgroupmembers settings in the default client agent settings.

Go to your custom client agent settings and select localgroupmembers to collect local group member information.

If you do not have any custom client agent settings in your environment, you can enable these settings in the default client agent settings.

Monitor dataldr.log for the changes.

With this change, a SQL view named v_gs_localgroupmembers0 is created and can be used for reporting. The information stored in SQL views that start with v_GS comes from hardware inventory.

Step 2: In the Configuration Manager console, go to Assets and Compliance > Compliance Settings, right-click Configuration Items, select Create Configuration Item, and enter a name and description.

Click Next (leave the default OS settings), then Next; on the Settings page, click New and enter the following information.

Name: WMI Framework for cm_localgroupmembers

Setting Type: Script

Data Type: String

Edit the script, select VBScript and paste the content of the SCCMLocalGroupMembers.vbs file. This is script 2 referred to above. If you want only the members of the local Administrators group, use localadmins.vbs instead.

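An added PowerShell alternative to the VBScript (example code, not Sherry Kissinger's script or the post's download): it enumerates every local group and its members and writes them into a cm_localgroupmembers class in root\cimv2, with property names assumed to match the v_gs_localgroupmembers0 columns used in the queries later in the post. It returns no output, so it satisfies the existential ‘script does not return any values’ compliance rule described below.

```powershell
# Added example, not the original post's VBScript: enumerate every local group and
# its members and store them in a custom WMI class that the MOF-extended
# hardware inventory can collect. Property names are an assumption chosen to
# match the v_gs_localgroupmembers0 columns queried later in the post.
$namespace = 'root\cimv2'
$className = 'cm_localgroupmembers'

# Recreate the class on every run so members removed since the last run do not linger.
$existing = Get-WmiObject -Namespace $namespace -List | Where-Object { $_.Name -eq $className }
if ($existing) { $existing.Delete() }

$class = New-Object System.Management.ManagementClass($namespace, [string]::Empty, $null)
$class['__CLASS'] = $className
$class.Qualifiers.Add('Static', $true)
foreach ($p in 'Key', 'Name', 'Account', 'Domain', 'Category', 'Type') {
    $class.Properties.Add($p, [System.Management.CimType]::String, $false)
}
$class.Properties['Key'].Qualifiers.Add('Key', $true)   # assumed composite key: group\domain\account
$null = $class.Put()

# The WinNT ADSI provider works on older server builds that lack Get-LocalGroupMember.
$computer = [ADSI]"WinNT://$env:COMPUTERNAME"
$groups = $computer.Children | Where-Object { $_.SchemaClassName -eq 'group' }
foreach ($g in $groups) {
    $groupName = [string]$g.Name
    foreach ($m in $g.Invoke('Members')) {
        $account  = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
        $adsPath  = $m.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $m, $null)
        $category = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)  # User or Group
        # AdsPath is WinNT://DOMAIN/account for domain members and
        # WinNT://DOMAIN/HOST/account for local ones.
        $parts  = ($adsPath -replace '^WinNT://', '') -split '/'
        $type   = if ($parts.Count -gt 2) { 'Local' } else { 'Domain' }
        $domain = if ($type -eq 'Local') { $parts[1] } else { $parts[0] }
        # Output is discarded so the existential compliance rule
        # (script returns no values) evaluates as compliant.
        $null = Set-WmiInstance -Namespace $namespace -Class $className -Arguments @{
            Key      = "$groupName\$domain\$account"
            Name     = $groupName
            Account  = $account
            Domain   = $domain
            Category = $category
            Type     = $type
        }
    }
}
```

The script runs as SYSTEM inside the configuration item, and the MOF-imported hardware inventory class must use the same class name and property names for the data to reach v_gs_localgroupmembers0.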

Click OK, then Next; on the Compliance Rules page, click New and enter the following information:

Name: cm_localgroupmembers

Selected setting: select the setting that you created above

Rule type: Existential

Compliance rule: The specified script does not return any values

Click OK, then Next, Next to see the summary page.

Create a new baseline, select the configuration item created above, and deploy it to a collection.

Wait for the client to receive the new client device settings and for the configuration baseline to create the WMI instance, followed by client hardware inventory.

On the client machine, after policy evaluation, the assigned configuration baseline shows as compliant.

Logging information from the script:

The script writes its output to SCCMLocalGroupMembers.log in the C:\Windows\Temp folder:

SQL Queries:

Now we have sufficient information about the local users and the members of all local groups, stored in the SQL view ‘v_gs_localgroupmembers0’.

We can create a variety of SQL queries depending on the requirement.

Query 1: List all clients with members of the local Administrators group:

select sys1.netbios_name0
    , lgm.name0    as [Name of the local Group]
    , lgm.account0 as [Account Contained within the Group]
    , lgm.domain0  as [Domain for Account]
    , lgm.type0    as [Type of Account]
from v_gs_localgroupmembers0 lgm
join v_gs_workstation_status ws on ws.resourceid = lgm.resourceid  -- keeps only clients with an inventory record
join v_r_system sys1 on sys1.resourceid = lgm.resourceid
where lgm.name0 = 'Administrators'
order by sys1.netbios_name0, lgm.name0, lgm.account0

Query 2: List members of the local Administrators group on a specific client:

select sys1.netbios_name0
    , lgm.name0     as [Name of the local Group]
    , lgm.account0  as [Account Contained within the Group]
    , lgm.category0 as [Account Type]
    , lgm.domain0   as [Domain for Account]
    , lgm.type0     as [Type of Account]
from v_gs_localgroupmembers0 lgm
join v_gs_workstation_status ws on ws.resourceid = lgm.resourceid
join v_r_system sys1 on sys1.resourceid = lgm.resourceid
where lgm.name0 = 'Administrators'
    and sys1.Name0 = 'clientname'  -- replace with the client name
order by sys1.netbios_name0, lgm.name0, lgm.account0

Query 3: List all clients with members of the local Administrators group, excluding certain users or groups:

This is helpful when you have applied policies through GPO that make certain accounts members of the local Administrators group on all clients, for example Domain Admins or other AD security groups. The query below excludes 'Domain Admins', 'wintelMonitoring', 'WintelAdmins' and 'eskonr'.

declare @PC nvarchar(255); set @PC = 'computername'  -- used only if the commented filter below is enabled
select sys1.netbios_name0
    , lgm.name0    as [Name of the local Group]
    , lgm.account0 as [Account Contained within the Group]
    , lgm.domain0  as [Domain for Account]
    , lgm.type0    as [Type of Account]
from v_gs_localgroupmembers0 lgm
join v_gs_workstation_status ws on ws.resourceid = lgm.resourceid
join v_r_system sys1 on sys1.resourceid = lgm.resourceid
where lgm.name0 = 'Administrators' -- and sys1.name0 = @PC
    and lgm.account0 not in ('Domain Admins', 'wintelMonitoring', 'WintelAdmins', 'eskonr')
order by sys1.netbios_name0, lgm.name0, lgm.account0

 

Hope it helps!
