Channel: SCCM – All about Microsoft Endpoint Manager

SCCM Configmgr SQL query to find Top X missing updates for specific collection for specific update group


For the past few days, I have been working on a customized software update compliance dashboard report with pie charts, so management can see how patch compliance is progressing for each business unit (by business unit I mean each country).

Management is interested in seeing the overall patch compliance summary for each country (focused on servers) in a pie chart that can be published to them either via email (using SSRS subscriptions) or on bigger screens, especially for server compliance status.

This dashboard uses many pre-existing reports that are already published on my blog, but there is one report (though its SQL query is only a few lines of code) that made me spend a lot of time making changes and checking in the console whether the results tally. That report is:

Top 5 or 10 missing patches for specific collection and specific update group.

The hard part of getting this report to work is identifying the correct views to join the software update group and the compliance status. I strongly recommend using the SQL views documentation when creating any custom SCCM report.

After going through the SQL view documentation, I found the views below, which help to join the software update group (CI_ID) and software updates (CI_ID):

v_BundledConfigurationItems – contains information about each update CI_ID and software update group ID.

v_AuthListInfo – contains the software update group name and update ID (CI_ID).

For reporting (ONLY), we normally have 1 software update group that contains all updates (as required by the IT Security team, since they decide which security patches to deploy) that have been deployed to clients, from long ago up to 2 months before the current month. Technically speaking, you cannot have more than 1000 updates in a software update group that you deploy to a collection, but since this one is used only for reporting, I can have more than 1000 updates in 1 software update group and always make sure this SUG is at a good compliance rate for each BU.

As the months move on, add the previous month's patches to this software update group and rerun the report to reflect the status of the newly added updates against each country collection.

In this blog post, I will share a couple of SQL queries that are used in my dashboard report and that can help you create your own dashboards.

P.S.: I am not posting the dashboard I created because it has a lot of customizations (mostly collection IDs and software update groups) on a per-country basis, and these are unique to each organization, but I can share what the output of the dashboard looks like.

Each pie chart has a linked report listing clients by status, such as missing or unknown, for troubleshooting purposes.

image

Below are a couple of SQL queries that I wanted to share with you.

1. How to get the list of top 5 or 10 missing patches against a particular collection for a specific software update group?

In the SCCM console, if you go to the Software Updates node, you can see a lot of information for each update (Bulletin ID, Title ID, Required, Installed, etc.), but there is no way to filter against a particular collection, and there is no way in the console to see the list of clients that need a given patch.

You either have to use the default reports (if any such report exists) or create a custom report.

Use the query below in SSRS or SQL Server Management Studio to get the list of all updates from a particular software update group against a collection, with the missing count.

Declare @CollID nvarchar (255),@SUG nvarchar(255);
Set @CollID='PS100254';set @SUG='SUM_2016_July_All';
--CollID=Collection ID and SUG=Software update group Name

Select CAST(DATEPART(yyyy,ui.DatePosted) AS varchar(255)) + '-' + RIGHT('0' + CAST(DATEPART(mm, ui.DatePosted) AS VARCHAR(255)), 2) AS MonthPosted,
ui.Title, ui.ArticleID, ui.BulletinID, ui.DateRevised,
case when ui.IsDeployed='1' then 'Yes' else 'No' end as 'Deployed',
SUM (CASE WHEN ucs.status=3 or ucs.status=1 then 1 ELSE 0 END ) as 'Installed/Not Required',
sum( case When ucs.status=2 Then 1 ELSE 0 END ) as 'Required'
From v_UpdateInfo ui
JOIN v_Update_ComplianceStatus ucs on ucs.CI_ID = ui.CI_ID --AND ui.IsExpired = 0 AND ui.IsSuperseded = 0
--The filter on the line above is commented out, so expired and superseded patches are included. To exclude them, remove the -- before AND on that line.
JOIN v_BundledConfigurationItems bci on ui.CI_ID = bci.BundledCI_ID
JOIN v_FullCollectionMembership fcm on ucs.ResourceID = fcm.ResourceID
join v_R_System sys on sys.ResourceID=ucs.ResourceID
where bci.CI_ID = (SELECT CI_ID FROM v_AuthListInfo where title=@SUG)
and fcm.CollectionID =@CollID
group by CAST(DATEPART(yyyy,ui.DatePosted) AS varchar(255)) + '-' + RIGHT('0' + CAST(DATEPART(mm, ui.DatePosted) AS VARCHAR(255)), 2),
ui.Title, ui.ArticleID, ui.BulletinID, ui.DateRevised, ui.IsDeployed
order by sum( case When ucs.status=2 Then 1 ELSE 0 END ) desc

If you compare the results of the above SQL query, the required client count will differ from what you see in the Software Updates node of the SCCM console. This is because the console does not limit software updates to any collection (they apply to all clients), whereas here we limit the software updates to a particular collection.

You can use this SQL query in multiple ways as you need. For example, if someone wants to see the list of updates still needed by a specific collection (BU), you can simply comment out the software update group filter and filter only on the collection; you can also do it the other way around.

To get the top 5 or 10 missing updates, simply use TOP 5 or TOP 10. The full SQL query is below:

Declare @CollID nvarchar (255),@SUG nvarchar(255);
Set @CollID='PS100254';set @SUG='SUM_2016_July_All';
--CollID=Collection ID and SUG=Software update group Name

Select top 5 CAST(DATEPART(yyyy,ui.DatePosted) AS varchar(255)) + '-' + RIGHT('0' + CAST(DATEPART(mm, ui.DatePosted) AS VARCHAR(255)), 2) AS MonthPosted,
ui.Title, ui.ArticleID, ui.BulletinID, ui.DateRevised,
case when ui.IsDeployed='1' then 'Yes' else 'No' end as 'Deployed',
--SUM (CASE WHEN ucs.status=3 or ucs.status=1 then 1 ELSE 0 END ) as 'Installed/Not Required',
sum( case When ucs.status=2 Then 1 ELSE 0 END ) as 'Required'
From v_UpdateInfo ui
JOIN v_Update_ComplianceStatus ucs on ucs.CI_ID = ui.CI_ID --AND ui.IsExpired = 0 AND ui.IsSuperseded = 0
--The filter on the line above is commented out, so expired and superseded patches are included. To exclude them, remove the -- before AND on that line.
JOIN v_BundledConfigurationItems bci on ui.CI_ID = bci.BundledCI_ID
JOIN v_FullCollectionMembership fcm on ucs.ResourceID = fcm.ResourceID
join v_R_System sys on sys.ResourceID=ucs.ResourceID
where bci.CI_ID = (SELECT CI_ID FROM v_AuthListInfo where title=@SUG)
and fcm.CollectionID =@CollID
group by CAST(DATEPART(yyyy,ui.DatePosted) AS varchar(255)) + '-' + RIGHT('0' + CAST(DATEPART(mm, ui.DatePosted) AS VARCHAR(255)), 2),
ui.Title, ui.ArticleID, ui.BulletinID, ui.DateRevised, ui.IsDeployed
order by sum( case When ucs.status=2 Then 1 ELSE 0 END ) desc

Now we have the count of all updates for a specific update group and a specific collection, with the required client count. But how do we get the list of clients that need a specific update?

This is mainly needed if you want to create a linked SSRS report listing the clients for a specific update for troubleshooting purposes.

SQL query to list the clients that require a specific software update:

 

Declare @CollID nvarchar (255),@SUG nvarchar(255),@title nvarchar(255);
Set @CollID='PS100254';set @SUG='SUM_2016_July_All';
set @title='Security Update for Windows Server 2008 R2 x64 Edition (KB2992611)'
--CollID=Collection ID , SUG=Software update group Name and Title= Name of Software update title

Select sys.Name0,sys.User_Name0,os.Caption0 [OS],ws.LastHWScan,uss.LastScanTime [Last SUScan],os.LastBootUpTime0
From v_UpdateInfo ui
JOIN v_Update_ComplianceStatus ucs on ucs.CI_ID = ui.CI_ID
JOIN v_BundledConfigurationItems bci on ui.CI_ID = bci.BundledCI_ID
JOIN v_FullCollectionMembership fcm on ucs.ResourceID = fcm.ResourceID
join v_R_System sys on sys.ResourceID=ucs.ResourceID
join v_GS_OPERATING_SYSTEM OS on os.ResourceID=ucs.ResourceID
join v_GS_WORKSTATION_STATUS WS on ws.ResourceID=ucs.ResourceID
right join v_UpdateScanStatus uss on uss.ResourceID=ucs.ResourceID
where bci.CI_ID = (SELECT CI_ID FROM v_AuthListInfo where title=@SUG)
and fcm.CollectionID =@CollID
AND UCS.Status='2'
and ui.Title=@title
group by
sys.Name0,sys.User_Name0,os.Caption0,ws.LastHWScan,os.LastBootUpTime0,uss.LastScanTime
order by 1

 

SQL query used in the pie chart to get the patch compliance status for a specific collection and a specific update group:

select CASE WHEN ucs.status=3 or ucs.status=1  then 'success'
When ucs.status=2 Then 'Missing'
When ucs.status=0 Then 'Unknown' end as 'Status',ucs.status [Status ID],coll.CollectionID
From v_Update_ComplianceStatusAll UCS
    left join v_r_system sys on ucs.resourceid=sys.resourceid
    left join v_FullCollectionMembership fcm on ucs.resourceid=fcm.resourceid
    left join v_collection coll on coll.CollectionID=fcm.CollectionID
    left join v_GS_OPERATING_SYSTEM os on ucs.resourceid=os.resourceid
    left join v_gs_workstation_status ws on ucs.resourceid=ws.resourceid
    left join v_updatescanstatus uss on ucs.ResourceId=uss.ResourceID
    left join v_AuthListInfo LI on li.ci_id=ucs.ci_id
where li.title='Software update group name' and coll.CollectionID='CollectionID'
and os.Caption0 not like '%2003%'
order by 1

Hope these SQL queries are helpful to you.


SCCM Configmgr software update scan failed OnSearchComplete – Failed to end search job Error 0x80072ee2


The other day, I was looking at the client health dashboard that I published long ago: https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-SSRS-2863c240 . From the dashboard report, I noticed that a couple of clients were having software update scan issues.

If a client fails to perform a successful software update scan, it is out of the patching window and will never send or receive any software updates that you deploy from SCCM. You always need to make sure your clients perform successful software update scans on the schedule you configure in the SCCM client agent settings. Software update troubleshooting guide: http://eskonr.com/2015/04/sccm-2012-troubleshoot-client-software-update-issues/

The report showed a couple of clients with software update scan failures with lasterrorcode -2147012894, which led me to look at one client (XXXXXXX) and see what was happening on it.

If you want to see how your clients are performing software update scans (without the dashboard), run the SQL query below in Management Studio.

This query lists the clients that have issues with the software update scan (scan not successful).

--SQL code list clients with software update scan failures

select distinct sys.name0 [Computer Name],os.caption0 [OS],convert(nvarchar(26),ws.lasthwscan,100) as [LastHWScan],convert(nvarchar(26),sys.Last_Logon_Timestamp0,100) [Last Loggedon time Stamp],
sys.user_name0 [Last User Name] ,uss.lasterrorcode,uss.lastscanpackagelocation from v_r_system sys
inner join v_gs_operating_system os on os.resourceid=sys.resourceid
inner join v_GS_WORKSTATION_STATUS ws on ws.resourceid=sys.resourceid
inner join v_updatescanstatus uss on uss.ResourceId=sys.ResourceID
where uss.lasterrorcode!='0'
order by uss.lasterrorcode

image

Log in to the problem client (it can be a workstation or a server), open WUAHandler.log located in C:\Windows\CCM\Logs, and notice the error below.

image

OnSearchComplete - Failed to end search job. Error = 0x80072ee2.

Scan failed with error = 0x80072ee2.

0x80072ee2 -> The operation timed out

The above log error does not give much information, so this led me to look at windowsupdate.log, located in the C:\Windows folder.

image

This log has several entries related to proxy requests, failed send requests, failed file downloads, etc.

2016-09-01    12:45:14:216     820    ce0    Misc    WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <10.133.48.48:8080> Bypass List used : <(null)> Auth Schemes used : <>

2016-09-01    12:45:14:216     820    ce0    Misc    FATAL: SOAP/WinHttp - SendRequest: SendRequestUsingProxy failed. error 0x80072ee2

2016-09-01    12:45:14:216     820    ce0    PT      + Last proxy send request failed with hr = 0x80072EE2, HTTP status code = 0

image

The problematic client is healthy and able to send inventory and receive other deployments such as applications, but the software update scan fails every time.

If you look at the above log snippet, it is failing to download the cab files from the WSUS server. It looks like the client has some issue downloading the content, so how do I check what is causing the content download problem?

From the windowsupdate.log snippet, the client is trying to access the URL http://SCCMServerName.domain:8530/ClientWebService/WusServerVersion.xml, which fails due to proxy settings.
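The triage described above can be scripted. The following is an added example, not part of the original post: it converts the signed lasterrorcode value from the SQL report into the hex code seen in the logs and groups the failing windowsupdate.log lines by error code and proxy. The function names are hypothetical, and the last sample line is constructed.

```python
import re

# Meanings exactly as given in the article; other codes are reported as unknown.
KNOWN_HRESULTS = {
    "0x80072EE2": "The operation timed out",
    "0x80244010": "The number of round trips to the server exceeded the maximum limit",
}

# The first three lines are the windowsupdate.log entries quoted in the article.
# The last line is constructed, to show that lines without an error are skipped.
SAMPLE_LOG = """\
2016-09-01    12:45:14:216     820    ce0    Misc    WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <10.133.48.48:8080> Bypass List used : <(null)> Auth Schemes used : <>
2016-09-01    12:45:14:216     820    ce0    Misc    FATAL: SOAP/WinHttp - SendRequest: SendRequestUsingProxy failed. error 0x80072ee2
2016-09-01    12:45:14:216     820    ce0    PT      + Last proxy send request failed with hr = 0x80072EE2, HTTP status code = 0
2016-09-01    12:45:20:001     820    ce0    Misc    Constructed informational line
"""

# date, time, process id, thread id, component, message
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2}:\d{2}:\d{3})\s+\w+\s+\w+\s+(\S+)\s+(.*)$"
)
# Matches "hr = 80072ee2", "hr = 0x80072EE2" and "error 0x80072ee2".
HR_RE = re.compile(r"(?:hr = |error )(?:0x)?([0-9A-Fa-f]{8})\b")
PROXY_RE = re.compile(r"Proxy List used: <([^>]*)>")


def to_hresult(last_error_code):
    """Convert the signed decimal lasterrorcode from the SQL report to 0x hex."""
    return "0x%08X" % (int(last_error_code) & 0xFFFFFFFF)


def summarize_failures(log_text):
    """Group failing log lines by error code, with the proxies they mention."""
    summary = {}
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue
        component, message = line.group(3), line.group(4)
        hr = HR_RE.search(message)
        if not hr:
            continue
        code = "0x" + hr.group(1).upper()
        entry = summary.setdefault(code, {
            "count": 0,
            "meaning": KNOWN_HRESULTS.get(code, "unknown"),
            "components": [],
            "proxies": [],
        })
        entry["count"] += 1
        if component not in entry["components"]:
            entry["components"].append(component)
        proxy = PROXY_RE.search(message)
        if proxy and proxy.group(1) not in entry["proxies"]:
            entry["proxies"].append(proxy.group(1))
    return summary


if __name__ == "__main__":
    print(to_hresult(-2147012894))
    for code, info in summarize_failures(SAMPLE_LOG).items():
        print(code, info)
```

A code that appears together with a proxy address on a client that should reach the WSUS server directly points at the proxy settings as the first thing to check.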

image

On another, working client, I found that the URL below succeeded, but not on the problem client, so I opened the URL below on the non-working client, and it clearly has issues with the proxy.

http://SCCMServerName.domain:8530/ClientWebService/WusServerVersion.xml

image

I ran the same URL on a working client and got the results below:

image

How do I fix the proxy issues on the problem client and get rid of the software update scan issues?

There is a registry key on the client machine that you will have to change to get it working. Which registry key?

Log in to a working client that reports to the same SCCM site (WSUS), open the registry, and export the registry key below:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

image

Save it on the desktop, copy it to the problematic client, and run it (double-click it).

Once the registry key is imported, open services.msc from the Run command and restart the Windows Update service.

image

Follow windowsupdate.log and WUAHandler.log.

After a few minutes, I noticed that the scan still failed with an error code, but this time a different one: OnSearchComplete - Failed to end search job. Error = 0x80244010.

0x80244010 -> The number of round trips to the server exceeded the maximum limit.

image

After a while, it will try to sync again (you don't have to do anything), and the sync will complete successfully.

If the sync is not running, initiate the software update scan cycle and monitor WUAHandler.log.

image

Now go back to your site server and run the SQL query; you will see that the problematic client no longer appears.

Summary:

For software update scan issues with error code 0x80072ee2:

Log in to the working client, export the registry key, import it into the problem client, restart the Windows Update service, wait for a while, and monitor the logs.

References :

http://eskonr.com/2015/04/sccm-2012-troubleshoot-client-software-update-issues/

http://s9org.blogspot.sg/2015/03/software-updates-are-not-getting.html

https://blogs.technet.microsoft.com/sus/2008/09/18/wsus-clients-fail-with-warning-syncserverupdatesinternal-failed-0x80244010/

SCCM Configmgr 2012 R2 SP1 download content from Microsoft updates causing client stuck at downloading policies


For the past few days, I have been working on a case with Microsoft on a client issue in which some clients get stuck downloading policies/jobs, remain in the Queued state without any reason, and never get deployments.

When you deploy a software update group to a collection, you have to pay special attention to this option in the download settings: “If software updates are not available on preferred distribution point or remote distribution point, download content from Microsoft updates”

This is a new feature in Configuration Manager 2012 SP1 that allows clients to fall back and use Windows Update to download the content. The client will only download content for the updates you have approved and deployed to the client.

image

This is a good option to select when the content is not available on the distribution point, or the client has some issue (possibly network) downloading the content from the distribution point: the client is directed to Microsoft Update, downloads the content, and installs it.

But what happens when the client does not have access to the internet (Microsoft Update) and the content is not available on the DP? This is where the problem arises.

If you check the option “if updates not available on DP, download from Microsoft Updates” and the local/remote DP content location is not available, clients fall back to downloading from Microsoft Update. However, if the download from MU also fails because of an internet connection issue, the DTS (DataTransferService) job keeps retrying the content download and increments the active job count on each failure until it reaches the active job limit of 50, and the count never gets decremented.

DataTransferService.log shows:

image

Downloading from http://wsus.ds.download.windowsupdate.com:80/c/msdownload/update/software/secu/2016/07 without proxy encountered error: BITS error: 'The operation timed out

Context: 'The error occurred while the remote file was being processed.

QUEUE: Active job count incremented, value = 50

image

DTSJob {97A264D2-B234-4ED7-B1D9-257F80920063} in state 'Queued'.

If the client exhausts the active job limit, it gets stuck and never receives any policy unless you reset the active job limit.

This happens even though we have successfully distributed the content to the DPs (as seen in the console and reports) and hundreds of clients in the same subnet/region have downloaded and installed it successfully, but not all clients.

So the only possible fix is to restart the SMS Agent Host on the problematic clients. This resets the active job limit, and the client starts downloading policies and content without any further changes on the site server. Make sure to deselect the setting if your clients do not have access to the internet.
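To find clients in this state before users report missing deployments, DataTransferService.log can be checked for the pattern described above. This is an added example, not from the original post or from Microsoft: the function name is hypothetical, and the sample lines are constructed from the messages quoted in this article (the counter values 48 and 49 are invented for the sample).

```python
import re
from collections import Counter
from urllib.parse import urlsplit

ACTIVE_JOB_LIMIT = 50  # active job limit stated in the article

# Constructed sample built from the log messages quoted in the article.
# Patterns are searched anywhere in a line, so any surrounding log
# metadata (timestamps, component names) does not affect the result.
SAMPLE_DTS_LOG = [
    "QUEUE: Active job count incremented, value = 48",
    "QUEUE: Active job count incremented, value = 49",
    "Downloading from http://wsus.ds.download.windowsupdate.com:80/c/msdownload/"
    "update/software/secu/2016/07 without proxy encountered error: "
    "BITS error: 'The operation timed out",
    "QUEUE: Active job count incremented, value = 50",
    "DTSJob {97A264D2-B234-4ED7-B1D9-257F80920063} in state 'Queued'.",
]

COUNT_RE = re.compile(r"Active job count incremented, value = (\d+)")
JOB_RE = re.compile(r"DTSJob (\{[0-9A-Fa-f-]{36}\}) in state '(\w+)'")
DOWNLOAD_ERR_RE = re.compile(r"Downloading from (\S+) .*encountered error")


def analyse_dts_log(lines, limit=ACTIVE_JOB_LIMIT):
    """Report the active job counter, queued jobs and failing download hosts."""
    active_jobs = 0
    job_states = {}          # job id -> last state seen in the log
    failed_hosts = Counter()
    for line in lines:
        match = COUNT_RE.search(line)
        if match:
            # The article notes the counter is never decremented,
            # so the last value seen is the current value.
            active_jobs = int(match.group(1))
        match = JOB_RE.search(line)
        if match:
            job_states[match.group(1)] = match.group(2)
        match = DOWNLOAD_ERR_RE.search(line)
        if match:
            failed_hosts[urlsplit(match.group(1)).hostname] += 1
    return {
        "active_jobs": active_jobs,
        "limit_reached": active_jobs >= limit,
        "queued_jobs": [j for j, s in job_states.items() if s == "Queued"],
        "failed_hosts": dict(failed_hosts),
    }


if __name__ == "__main__":
    report = analyse_dts_log(SAMPLE_DTS_LOG)
    print(report)
    if report["limit_reached"]:
        print("Active job limit reached: restart the SMS Agent Host on this client")
```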

I am not sure whether, with the setting above selected (download content from Microsoft Update), this issue also appears in Configuration Manager current branch or only in Configmgr 2012.

This issue is filed as a bug on Microsoft Connect and its status is Active: https://connect.microsoft.com/ConfigurationManagervnext/feedback/details/956321/css-configmgr-2012-r2-dts-does-not-decrement-active-bits-job-counter-when-it-fails-to-download-content-from-the-mu-location

There is no updated information yet on this issue from the product team, but can we see this issue fixed in the next cumulative update for Configmgr 2012?

SCCM Configmgr Report for Count of MS Office Versions updated with list of clients


I wrote a blog post a year ago on how to get the count of MS Office editions, with versions, installed across my environment using SCCM Configmgr. That report consists of 2 reports. The 1st report gets the count of Microsoft Office editions, for example how many are Office 2003, 2007, 2010 and 2013, and the 2nd is a drill-down report linked to the 1st that lists all MS Office editions (the editions of Office 2003, 2007, 2010 and 2013) with their client counts.

Many of my blog readers have requested, through comments and some via social networking sites, a drill-down from the 2nd report to see the list of clients with each Office edition and version.

Having a drill-down report listing the clients will certainly help to investigate and upgrade them to the latest version of Microsoft Office.

You can always create a collection for Office editions, but having a report like this helps to export them to Excel and other SSRS-supported formats.

This request has been pending for a very long time; it was lying in my to-do list and is finally going out through this blog post.

So what do you need to get this report (count of MS Office editions) implemented in your SCCM site?

Download the 3 reports from the TechNet Gallery, upload them into your SSRS folder (make sure they are all in the same folder), change the data source for each report, and you are good to run.

Note: This report lists only Microsoft Office 2003, 2007, 2010 and 2013, not Office 365. If you need Office 365, you may have to wait for the next update; otherwise you can edit the RDL file and customize it.

What does the report look like?

1. Count of MS Office editions

image

2. List MS Office editions for selected version (ex: 2003)

image

3. List of Clients by specific MS Office edition and version

image

 

Hope it helps.

SCCM Configmgr Technical preview 1609 Available


Microsoft releases technical preview updates for SCCM Configmgr every month as part of its ongoing commitment to quality and innovation. These technical preview updates let you test in a lab environment and report feedback to Microsoft before the features are made generally available (current branch). To see these preview updates in your Configmgr console, you must have the base version of SCCM Configmgr Technical Preview 5 (not applicable to current branch). These Technical Preview updates are intended for use in a lab environment. For more information about the technical preview and updates, please refer to https://technet.microsoft.com/library/mt595861.aspx?

Today, 28th September 2016, Microsoft released the latest technical preview update, 1609 (YYMM), with some exciting features. (Note: this is only for the base version Technical Preview 5, not for the current branch v1606 production version.)

To use the technical preview you must first install a baseline version of the technical preview build. After installing a baseline version, you then use in-console updates to bring your installation up to date with the most recent preview version. Typically, new versions of the Technical Preview are available each month. Only the version included with System Center Technical Preview 5 can be used for a baseline install.

Features/updates included in this update are:

        • Windows 10 Upgrade Analytics – Assess and analyze device readiness and compatibility with Windows 10 to allow smoother upgrades.  This is done through integration with Windows Upgrade Analytics.
        • Office 365 Client Management Dashboard – Use the Office 365 client management dashboard to track Office 365 updates and deployments.
        • Deploy Office 365 apps to clients – We have added a new Office 365 Servicing node in the Software Library where you can deploy Office 365 apps to clients.
        • Improvements for BIOS to UEFI conversion – An OS deployment task sequence can now be customized with a new variable, TSUEFIDrive, so that the Restart Computer step will prepare the drive for transition to UEFI. See the documentation for additional details on the necessary customizations.
        • Improvement to Endpoint Protection antimalware policy settings – You can now specify the level at which the Endpoint Protection Cloud Protection Service will block suspicious files.
        • Boundary Group Improvements – Improvements have been made to boundary groups to allow more granular control of fallback behavior, and greater clarity of what distribution points are used.

For more information, read the documentation Technical Preview for System Center Configuration Manager https://technet.microsoft.com/library/mt595861.aspx?

Happy exploring new features..

 

SCCM Configmgr How to implement Jason Sandys Client Startup Script to achieve good client success rate


Recently, I worked on an SCCM project, and as an initial step it was mandatory to bring all the desktops and servers (wherever it was missing) into SCCM with the client installed.

Though there are different methods available to install the SCCM client, one of the most widely used is a client startup script deployed via group policy.

Jason Sandys (MVP) created a nice client startup script (group policy) that installs the Configmgr client agent during the system's initial boot-up.

If you want to achieve a good client success rate, I strongly recommend looking into the script and getting it implemented.

You can download the script from his blog post http://blog.configmgrftw.com/configmgr-client-startup-script/ . It includes a PDF document with all the instructions on how to edit the XML file to make the necessary changes.

image

In this blog post, I will show you how to implement Jason Sandys' client startup script in your environment, starting from the creation of the SCCM client folder, through creating and deploying the group policy, to tracking the results in case of any failures. Hope this blog post can help you get started.

1. Log in to your SCCM server and create a folder called SCCMClient on the D: drive (or any other).

image

2. Copy the SCCM client installation source files from your SCCM installation directory to the folder created above (SCCMClient).

image

Copy the client installation files to the SCCMClient folder.

image

3. Create a folder called hotfix in the SCCMClient folder to hold the hotfixes, if any. (If you do not have any hotfixes to install, you can simply skip this step.) This step is needed to install the hotfixes along with the SCCM client. If you are running Configmgr R2 SP1 CU3, you need to copy the CU3 hotfix files into it.

image

4. Since I am running SCCM 2012 R2 SP1 CU3 (KB3135680), go to your hotfix folder (D:\Program Files\Microsoft Configuration Manager\hotfix\KB3135680\Client), identify the correct KB (latest cumulative update) client folder, and copy the folder into the hotfix folder.

image

Copy the above 2 folders into the hotfix folder.

image

5. Now we need to share this folder so that it can be accessed during the client install at system boot-up.

Right-click the folder, open Properties, go to the Sharing tab, and click Advanced Sharing.

image

Click on Permissions and give Full Control to Everyone.

image

Click Ok ,Ok ,Ok

Note the shared folder path, which you will need to enter in the control file (XML) later.

image

6. Now we will create another folder inside SCCMClient to store the error logs for clients that fail for some reason, so we can investigate them later.

Create a folder called Errorlogs.

image

7. With this, we have finished creating the folders and copying all the necessary files. Now let's edit the startup script file and move on to group policy creation.

Go to the downloaded script folder, edit ConfigMgrStartup.xml using Notepad, and make the necessary changes as described in the PDF document.

This XML file supplies the input parameters that the VBScript needs during the client installation.

You are required to make a couple of changes, as listed below (mandatory).

Parameters to edit are:

AgentVersion: a client with a version lower than this will initiate the SCCM client install.

ClientLocation: the client installation folder we created above; ccmsetup is initiated from the specified location.

ErrorLocation: where the error logs (computername.log) are stored in case of any SCCM client failure.

AutoHotfix: if you have any hotfix to install, it will be added to the ccmsetup.exe command line; otherwise you can ignore this.

SMSMP: Management Point.

For all the location paths, I recommend using the FQDN instead of the hostname.

My xml file looks like this:

<?xml version="1.0"?>
<Startup>
<Option Name="LocalAdmin" >eskonr/localadmin</Option>
<Option Name="SiteCode" >P01</Option>
<Option Name="CacheSize">10120</Option>
<Option Name="AgentVersion">5.00.8239.1403</Option>
<Option Name="MinimumInterval">0</Option>
<Option Name="ClientLocation">\\SGCM01.apac.eskonr.com\SCCMClient</Option>
<Option Name="MaxLogFile">2048</Option>
<Option Name="ErrorLocation">\\SGCM01.apac.eskonr.com\SCCMClient\Errorlogs</Option>
<Option Name="AutoHotfix">\\SGCM01.apac.eskonr.com\SCCMClient\Hotfix</Option>
<Option Name="Delay" >5</Option>
<InstallProperty Name="FSP">SGCM01.apac.eskonr.com</InstallProperty>
<InstallProperty Name="SMSMP">SGCM01.apac.eskonr.com</InstallProperty>
<CCMSetupParameter Name="BITSPriority">HIGH</CCMSetupParameter>
<CCMSetupParameter Name="noservice" />
<ServiceCheck Name="BITS" State="Running" StartMode="Auto" Enforce="True" />
<ServiceCheck Name="winmgmt" State="Running" StartMode="Auto" Enforce="True" />
<ServiceCheck Name="wuauserv" State="Running" StartMode="Auto" Enforce="True" />
<ServiceCheck Name="lanmanserver" State="Running" StartMode="Auto" Enforce="True" />
<ServiceCheck Name="RpcSs" State="Running" StartMode="Auto" Enforce="True" />
<RegistryValueCheck Key="HKLM\SOFTWARE\Microsoft\Ole" Value="EnableDCOM" Expected="Y" Enforce="True" Type="REG_SZ"/>
<RegistryValueCheck Key="HKLM\SOFTWARE\Microsoft\Ole" Value="EnableRemoteConnect" Expected="Y" Enforce="False" Type="REG_SZ"/>
<RegistryValueCheck Key="HKLM\SOFTWARE\Microsoft\Ole" Value="LegacyAuthenticationLevel" Expected="2" Enforce="False" Type="REG_DWORD"/>
<RegistryValueCheck Key="HKLM\SOFTWARE\Microsoft\Ole" Value="LegacyImpersonationLevel" Expected="2" Enforce="False" Type="REG_DWORD"/>
</Startup>

Save the XML file.
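Before the file goes into the GPO, the edits listed above can be checked automatically. This is an added example, not part of Jason Sandys' script or its documentation: the function names and the finding texts are hypothetical, the first sample is a subset of the XML shown above, and the second sample is constructed to contain mistakes. It checks that the parameters this post marks as mandatory are present and that locations use an FQDN, as recommended above.

```python
import re
import xml.etree.ElementTree as ET

# Options this post lists as mandatory edits; AutoHotfix is optional.
REQUIRED_OPTIONS = ("AgentVersion", "ClientLocation", "ErrorLocation")
UNC_OPTIONS = ("ClientLocation", "ErrorLocation", "AutoHotfix")

VERSION_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+$")   # e.g. 5.00.8239.1403
UNC_RE = re.compile(r"^\\\\([^\\]+)\\[^\\]+")      # \\host\share[\...]

# Subset of the configuration shown in the post.
GOOD_CONFIG = r"""
<?xml version="1.0"?>
<Startup>
<Option Name="AgentVersion">5.00.8239.1403</Option>
<Option Name="ClientLocation">\\SGCM01.apac.eskonr.com\SCCMClient</Option>
<Option Name="ErrorLocation">\\SGCM01.apac.eskonr.com\SCCMClient\Errorlogs</Option>
<Option Name="AutoHotfix">\\SGCM01.apac.eskonr.com\SCCMClient\Hotfix</Option>
<InstallProperty Name="SMSMP">SGCM01.apac.eskonr.com</InstallProperty>
</Startup>
"""

# Constructed sample: AgentVersion missing, short host names used.
BAD_CONFIG = r"""
<?xml version="1.0"?>
<Startup>
<Option Name="ClientLocation">\\SGCM01\SCCMClient</Option>
<Option Name="ErrorLocation">\\SGCM01.apac.eskonr.com\SCCMClient\Errorlogs</Option>
<InstallProperty Name="SMSMP">SGCM01</InstallProperty>
</Startup>
"""


def is_fqdn(host):
    """True for dotted host names; bare host names and IPv4 addresses fail."""
    labels = host.split(".")
    return (len(labels) >= 2 and all(labels)
            and not all(label.isdigit() for label in labels))


def named_values(root, tag):
    """Map the Name attribute of each <tag> element to its text content."""
    return {e.get("Name"): (e.text or "").strip() for e in root.iter(tag)}


def validate_startup_config(xml_text):
    """Return a list of (parameter, problem) tuples; empty means no findings."""
    root = ET.fromstring(xml_text.strip())
    options = named_values(root, "Option")
    properties = named_values(root, "InstallProperty")
    findings = []

    for name in REQUIRED_OPTIONS:
        if not options.get(name):
            findings.append((name, "missing"))

    version = options.get("AgentVersion")
    if version and not VERSION_RE.match(version):
        findings.append(("AgentVersion", "not a dotted version number"))

    for name in UNC_OPTIONS:
        value = options.get(name)
        if not value:
            continue
        match = UNC_RE.match(value)
        if not match:
            findings.append((name, "not a UNC path"))
        elif not is_fqdn(match.group(1)):
            findings.append((name, "host is not an FQDN"))

    management_point = properties.get("SMSMP")
    if not management_point:
        findings.append(("SMSMP", "missing"))
    elif not is_fqdn(management_point):
        findings.append(("SMSMP", "host is not an FQDN"))
    return findings


if __name__ == "__main__":
    print(validate_startup_config(GOOD_CONFIG))
    print(validate_startup_config(BAD_CONFIG))
```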

We are now ready to implement the client startup script using group policy.

If you are not authorized to create group policy (permission issues), hand the scripts below over to your Active Directory administrator to create the startup script for you.

image

8. Log in to the domain controller, go to the Group Policy Management console, create a new group policy, and call it ‘Install Configmgr Client 2012’.

image

image

Right-click the GPO you created above and click Edit.

image

Drill down to Policies – Windows Settings – Scripts (Startup/Shutdown) and double-click Startup.

image

Click on Show Files.

image

Now we need to place the VBScript and the XML file in the startup folder.

image

image

If you get access denied when trying to place the files, you may have to open the actual folder (C:\windows etc) on your domain controller to place the files.

Go back to the startup script properties, click Add, and browse to select the VBScript.

image

Select ConfigMgrStartup1.75.vbs

image

image

In the script parameters, type /Config:ConfigMgrStartup.xml

image

Click OK.

image

Click OK and close the Group Policy Management Editor.

We are now ready to link the GPO to any OU whose computers should receive the Configmgr client during system boot-up.

For troubleshooting, the script creates a log file named Scriptfilename.log (ConfigMgrStartup1.75.vbs.log) in the C:\windows\temp folder, and if for some reason the client did not install, it copies the log file to the error log location with the computer name as the log file name.

Hope it helps.

List of SCCM Configmgr Windows 10 Intune MBAM sessions from Microsoft Ignite 2016


Recently I was going through some of the Microsoft Ignite 2016 sessions uploaded to YouTube that are related to Windows 10, Intune, MBAM, UE-V, Power BI, Server 2016 and Configuration Manager. While browsing, I found a lot of videos on these technologies.

So, in this blog post, I will share the sessions related to Configuration Manager, Windows 10, Intune, MBAM, UE-V and Power BI, so you can go through them and take notes for future reference.

Hope you will find them useful too.

Join Windows 10 in Azure AD in five easy steps

https://www.youtube.com/watch?v=-CorjRbc7ME

Troubleshoot Windows 10 deployment: top 10 tips and tricks

https://www.youtube.com/watch?v=PZOtTzQjeeM

Dig deeply into BranchCache: learning from the experts

https://www.youtube.com/watch?v=ak25IoIli8s

Get an independent insiders view of desktop virtualization and session remoting:

https://www.youtube.com/watch?v=Nt9U9T7dSrU

Join your Windows 10 devices to Azure AD for anywhere, anytime productivity

https://www.youtube.com/watch?v=MkPG4JhzvII

Discover how App-V and UE-V align with an Evergreen Windows 10

https://www.youtube.com/watch?v=v-QthxIGAlQ

Get your LOB application data into Microsoft Power BI

https://www.youtube.com/watch?v=pbdw6xBl0Vc

Delight users and IT with modern identity experiences on Windows 10

https://www.youtube.com/watch?v=cnpauXwB0DE

Ask us almost anything about Windows 10

https://www.youtube.com/watch?v=2HE6JYsUGN4

Learn the top 10 reasons why you'll like Windows Server 2016

https://www.youtube.com/watch?v=r2-wl1RFM3U

Upgrade, upgrade, upgrade! Say goodbye to clean installs of Windows 10

https://www.youtube.com/watch?v=wZUi_YPsvos

Implement Windows as a Service: how Microsoft IT does it

https://www.youtube.com/watch?v=fRB9_qvauQM

Discover Windows 10 Internals

https://www.youtube.com/watch?v=Qz2bRdwS4O4

Simplify OS deployments with Windows Provisioning

https://www.youtube.com/watch?v=R8IMxWJ65bs

Conduct a successful pilot deployment of Microsoft Intune

https://www.youtube.com/watch?v=ZfHhXYLGYe0

Deploy and manage BitLocker using MBAM

https://www.youtube.com/watch?v=huSiZdLcyKk

Meetup: Learn how to start a user group

https://www.youtube.com/watch?v=N_DPby9P5ZM

Deploy Microsoft Office 365 Client using Configuration Manager

https://www.youtube.com/watch?v=GzZ2haV15nY

See what's new in mobile application management with Microsoft Intune

https://www.youtube.com/watch?v=5T3F8BELCtE

Windows 10 Under the Hood updates with Michael Niehaus

https://www.youtube.com/watch?v=rPVlW7_gnps

Understand and troubleshoot power management and modern standby in Surface and Windows 10

https://www.youtube.com/watch?v=au64NQGZS-4

Case of the unexplained: Windows troubleshooting with Mark Russinovich

https://www.youtube.com/watch?v=sAUeC2LiF5s

Secure Android devices and apps with Microsoft Intune

https://www.youtube.com/watch?v=CxpZTg33grM

Manage and secure iOS and Mac devices in your organization with Microsoft Intune

https://www.youtube.com/watch?v=-kx7ZRXQlxY

Understand settings roaming solutions in Windows

https://www.youtube.com/watch?v=OG58JBMliH8

Explore Windows 10 in education: innovations for using and deploying in schools

https://www.youtube.com/watch?v=fs46MzF3VDc

Enhance Windows 10 security and management with ConfigMgr, Intune, and new cloud services

https://www.youtube.com/watch?v=UDYm-5jb_kg

Ask the experts - Windows10 deployment, servicing, and provisioning

https://www.youtube.com/watch?v=pRNkNd3VU8Q

Upgrade to Windows 10: in depth

https://www.youtube.com/watch?v=eMV7OMMJ8kM

Cert Exam Prep: Exam 70-698: Installing and Configuring Windows 10

https://www.youtube.com/watch?v=KRp69ZkNARI

Prepare for Windows 10 and UEFI

https://www.youtube.com/watch?v=XOeCi9nQW5o

Customize the start menu in Windows 10

https://www.youtube.com/watch?v=T8cHQ5jZuuY

Learn what's new with OSD in System Center Configuration Manager and Microsoft Deployment Toolkit

https://www.youtube.com/watch?v=oYz9BGb2ysM

Use simplified provisioning tools to get Windows 10 up and running in schools

https://www.youtube.com/watch?v=qbEbBodR7Uc

Master Windows 10 Deployments – Expert Level

https://www.youtube.com/watch?v=jULZkDUG6Rs

Deploy and manage Office in complex scenarios with Configuration Manager

https://www.youtube.com/watch?v=59nxWjFFeWg

Secure access to Office 365, SaaS, and on-premises apps and files with Azure AD and Intune

https://www.youtube.com/watch?v=s_t0Sy7O6KM

Manage your mobile devices and apps with System Center Configuration Manager and Microsoft Intune

https://www.youtube.com/watch?v=_OpbL8zPZDA

Meet Windows Server 2016 and System Center 2016!

https://www.youtube.com/watch?v=0LviCzsudGY

Enhance Windows 10 deployment: what's new with Windows 10 deployment?

https://www.youtube.com/watch?v=tCMijTbWNEI

Until next time!

SCCM Configmgr How to Create collections based on OU that contains DEV UAT PROD etc


I have been fine-tuning collections that pick up clients (DEV, UAT, PROD, etc.) from Active Directory based on OU, for reporting purposes. The reporting can cover application deployment, software update compliance, or anything else you want. In my case, all the OUs in Active Directory are created per BU (Business Unit), and the business unit OU most likely carries the country name.

Let's take the example of an OU structure in my Active Directory like the paths shown below.

With this OU structure, I want to create a collection that lists all computers from the PROD/DR OU for each Business Unit (Hong Kong, Singapore, India, etc.). The parent OU can be DBS, CT, CX or anything else under each Business Unit.

So, to get all computers from the PROD/DR OU for the Hong Kong Business Unit, we will use the wildcard character (%) with the like operator in a WQL query.

ESKONR.INTRANET.ASIA/HK/LI/INFRASERVERS/%PROD%

The above value lists all PROD clients from the OU 'HK/LI/INFRASERVERS'.

If you want to list all PROD computers from the HK OU irrespective of which child OU they are in, as long as they are in a PROD OU, use the following condition.

ESKONR.INTRANET.ASIA/HK/%PROD%

If you want to combine PROD and DR clients into 1 collection, you can use an OR condition by creating 2 criteria like below.

ESKONR.INTRANET.ASIA/HK/%PROD%

OR

ESKONR.INTRANET.ASIA/HK/%DR%

So, how do we achieve this using a collection?

Create a new Device Collection, name the collection, limit the collection to All Systems, add a rule and select Query rule, enter the name again, and select Edit Query Statement.

Click on Criteria, select the starburst icon, and click Select.

Select Attribute class as System Resource and Attribute as

Click OK, select the Operator as like and set the Value to your domain name/HK/LI/%PROD%

Click OK, OK, OK and accept the defaults on the remaining screens.

Below is the sample collection criteria used in my lab:

List all servers from the PROD and DR OUs, excluding the Server 2003 operating system, as my lab is running 1 Server 2003 OS.

You can still customize this query as per your needs; all you need to know is how to use the wildcard operator.
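The OU criteria above, written out as a WQL query and checked against sample OU values (an added example, not part of the original post). It assumes the attribute chosen in the wizard is System OU Name (SMS_R_System.SystemOUName); the function names, the collection name, the sample OU values and the '%Server 5.2%' filter for Server 2003 are illustrative assumptions, and Publish-OuCollection needs the ConfigurationManager module with the site drive as the current location.

```powershell
# Added example, not from the original post. Assumption: the criteria attribute
# is "System OU Name" (SMS_R_System.SystemOUName), which holds one entry per OU
# level above the computer (.../HK, .../HK/LI, .../HK/LI/INFRASERVERS/PROD).

function ConvertTo-WqlLiteral {
    # Escape \ and " so a pattern cannot break out of the quoted WQL string.
    # % (any string) and _ (any single character) stay LIKE wildcards on purpose.
    param([Parameter(Mandatory = $true)][string]$Value)
    $Value.Replace('\', '\\').Replace('"', '\"')
}

function New-OuCollectionQuery {
    param(
        [Parameter(Mandatory = $true)][string[]]$OuPattern,   # OR-ed together
        [string[]]$ExcludeOsPattern = @()                     # each one AND-ed as "not like"
    )
    $ouClauses = foreach ($p in $OuPattern) {
        'SMS_R_System.SystemOUName like "{0}"' -f (ConvertTo-WqlLiteral -Value $p)
    }
    $where = '(' + ($ouClauses -join ' or ') + ')'
    foreach ($os in $ExcludeOsPattern) {
        $where += ' and SMS_R_System.OperatingSystemNameandVersion not like "{0}"' -f (ConvertTo-WqlLiteral -Value $os)
    }
    'select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, ' +
    'SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, ' +
    'SMS_R_System.Client from SMS_R_System where ' + $where
}

function Test-WqlLike {
    # Offline approximation of WQL LIKE (case-insensitive, % and _ only), so the
    # patterns can be tried against sample OU values without a site server.
    param([string]$Value, [string]$Pattern)
    $regex = '^' + ([regex]::Escape($Pattern) -replace '%', '.*' -replace '_', '.') + '$'
    $Value -match $regex
}

function Publish-OuCollection {
    # Creates the collection and attaches the query rule (not called automatically).
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string]$Query,
        [string]$LimitingCollectionName = 'All Systems'
    )
    New-CMDeviceCollection -Name $Name -LimitingCollectionName $LimitingCollectionName | Out-Null
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $Name -RuleName $Name -QueryExpression $Query
}

# Constructed sample OU values (not real inventory data).
$sampleOus = @(
    'ESKONR.INTRANET.ASIA/HK/LI/INFRASERVERS/PROD',
    'ESKONR.INTRANET.ASIA/HK/CT/APPSERVERS/NONPROD',
    'ESKONR.INTRANET.ASIA/HK/DBS/DBSERVERS/DR',
    'ESKONR.INTRANET.ASIA/HK/CX/DRIVERS-TEST'
)

# %PROD% and %DR% are substring matches, so they also pick up NONPROD and
# DRIVERS-TEST. %/PROD and %/DR match only an OU whose last element is exactly
# PROD or DR, with at least one OU level between HK and it.
$patterns = 'ESKONR.INTRANET.ASIA/HK/%PROD%', 'ESKONR.INTRANET.ASIA/HK/%/PROD',
            'ESKONR.INTRANET.ASIA/HK/%DR%',   'ESKONR.INTRANET.ASIA/HK/%/DR'
foreach ($pattern in $patterns) {
    $hits = $sampleOus | Where-Object { Test-WqlLike -Value $_ -Pattern $pattern }
    [pscustomobject]@{ Pattern = $pattern; MatchedOUs = ($hits -join '; ') }
}

# The post's PROD + DR criteria, with Server 2003 excluded (assumed OS string).
$query = New-OuCollectionQuery `
    -OuPattern 'ESKONR.INTRANET.ASIA/HK/%PROD%', 'ESKONR.INTRANET.ASIA/HK/%DR%' `
    -ExcludeOsPattern '%Server 5.2%'
$query

# Publish-OuCollection -Name 'HK PROD and DR servers' -Query $query
```

Review the matcher output before publishing: if the wider patterns pull in OUs you did not intend, switch the query to the tighter ones.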

Hope it helps!


Install MBAM 2.5 SP1 on remote SQL and integrate with SCCM Configmgr 1606 Notes and Scripts


Long ago, I wrote a step-by-step guide series on how to install MBAM 2.5 SP1 and integrate it with SCCM Configmgr 2012/Current Branch. In that guide, I used an MBAM server that had SQL Server and the MBAM components installed locally, and integrated MBAM with the Configmgr 2012 server.

A few days ago, I was trying to install MBAM 2.5 SP1 and integrate it with SCCM Configmgr Current Branch 1606 in my lab. In this setup, my requirement was different: I did not want to install SQL Server on the MBAM server (local), but instead use an existing SQL instance (remote) for the MBAM databases and reports.

Since I already have SQL Server installed locally on my Configmgr server, I decided to use this SQL instance for my MBAM setup.

Before starting the setup in my lab, I followed the steps in my blog post, but I encountered some issues during the installation of the web components and reports.

In this blog post, I will share the steps (no screenshots), tips and PowerShell scripts that I used to set up MBAM in my lab.

If you are looking for the step-by-step guide series on how to install MBAM 2.5 SP1, please go through http://eskonr.com/2015/09/how-to-install-mbam-2-5-sp1-and-integrate-with-sccm-configmgr-2012-r2-sp1/

In my lab, I already have SCCM CB 1606 installed with SQL (local), and I will use this SQL instance to install my MBAM databases and reports (remote).

Below is my lab setup:

1 Domain Controller (DC01, apac.eskonr.com)

1 SCCM server running Current Branch (CMCB01) with local SQL

1 MBAM server (MBM01, a plain domain-joined server)

Here, in short, are the steps I followed.

1. Create the required MBAM accounts.

2. Register the SPN for the MBAM server.

3. Log in to the MBAM server (MBAM01) and install the prerequisites such as the IIS components (no SQL Server is needed, as we will be using remote SQL) and ASP.NET MVC 4.

4. Log in to the SCCM server (CMCB01), make the changes to the MOF and hardware inventory, and run the MBAM server setup to perform the System Center Configuration Manager integration. You must run this setup only on your SCCM server.

5. Log in to the MBAM server (MBAM01), insert/copy the media of a supported version of SQL Server and install SSRS (Reporting Services, native). SSRS must be installed and running during the MBAM server installation.

Configure SSRS in "native" mode and not in unconfigured or "SharePoint" mode. You cannot use a remotely installed SSRS for the MBAM server.

6. On the MBAM server, open Reporting Services Configuration Manager, click Connect, go to Web Service URL and create the virtual directory. Move on to the Database tab and create the report server database, placing it on the remote server of your choice (in this case, my SCCM server). To create the report server DB (I named it MBAMReportServer) on the SCCM SQL instance, make sure you have full permissions on the SCCM SQL database. Follow the steps that Reporting Services Configuration Manager takes you through.

7. Make sure the Reporting Services service running on your MBAM server (MBAM01) uses a domain account (it cannot be the system account or an NT account) to connect to the remotely configured report server database. Open services.msc, open the properties of SQL Server Reporting Services, and choose an account that has permissions to connect to the report server DB (MBAMReportServer) on the SCCM server.

8. Restart the SQL Server Reporting Services service.

9. Now it's time to start the installation of the MBAM components on the MBAM server (MBAM01).

10. Launch the MBAM server setup, go with the default installation and open MBAM Server Configuration, click Add New Features, and select the databases (Compliance and Audit, Recovery Database) and Reports.

11. When the databases are created, launch the MBAM server setup again and this time select the leftover component, Web Applications (Administration and Monitoring, and Self-Service Portal).

At this step, I had some issues with the application pool account, which failed to connect to the MBAM Recovery and Hardware database installed on my Configmgr SQL server. I had to look at the logs to troubleshoot the issue, and resolved it by giving the MBAM_HD_AppPool account enough permissions on the MBAM Recovery and Hardware database on my SCCM server.

Error:

Cannot connect to the database using specified connection string 'Data Source=CMCB01.apac.eskonr.com;Initial Catalog="MBAM Recovery and Hardware";Integrated Security=True'

Error: System.Data.SqlClient.SqlException (0x80131904): Login failed for user 'APAC\MBAM_HD_AppPool'.

12. If you see any errors during the installation of any of the MBAM components, check the event viewer, which will give you more information about the issue. Where to look in the event viewer?

Open Event Viewer, Applications and Services Logs, Microsoft, Windows, MBAM-Setup. Here you have 2 sections: 1) Admin 2) Operational.

All these steps can be performed through PowerShell scripts, right from the creation of the MBAM user accounts/groups to the installation of the MBAM components.

Tanner Slayton, Sr Consultant Cyber Security from Microsoft, has posted MBAM scripts on GitHub, which can be downloaded from https://github.com/tslayton.

13. Configure the GPO settings as per your requirements. For more information on this, you can read part 5 of my step-by-step guide series.

14. If you want to add support for the BitLocker XTS-AES encryption type, install the September 2016 servicing release hotfix from https://support.microsoft.com/en-us/kb/3168628

Below are the scripts/command lines that I used while installing the MBAM components in my lab.

Adding IIS Features:

Write-Host 'Adding IIS and the components required for MBAM Installation of the Helpdesk and SelfService Portals'
$Features = 'Web-Server', 'Web-WebServer', 'Web-Common-Http', 'Web-Default-Doc', 'Web-Static-Content', 'Web-Security', 'Web-Filtering', 'Web-Windows-Auth', 'Web-App-Dev', 'Web-Net-Ext45',
'Web-Asp-Net45', 'Web-ISAPI-Ext', 'Web-ISAPI-Filter', 'Web-Mgmt-Tools', 'Web-Mgmt-Console', 'NET-WCF-Services45', 'NET-WCF-HTTP-Activation45', 'NET-WCF-TCP-Activation45',
'WAS', 'WAS-Process-Model', 'WAS-NET-Environment', 'WAS-Config-APIs'
Add-WindowsFeature -Name $Features

Install MBAM components:

Import-Module 'C:\Program Files\Microsoft BitLocker Administration and Monitoring\WindowsPowerShell\Modules\Microsoft.MBAM\Microsoft.MBAM.psd1'

# Enable compliance and audit database
Enable-MbamDatabase -AccessAccount 'APAC\MBAM_DB_RW' -ComplianceAndAudit -ConnectionString 'Data Source=CMCB01.apac.eskonr.com;Integrated Security=True' -DatabaseName 'MBAM Compliance Status' -ReportAccount 'APAC\MBAM_DB_RO'

# Enable recovery database
Enable-MbamDatabase -AccessAccount 'APAC\MBAM_DB_RO' -ConnectionString 'Data Source=CMCB01.apac.eskonr.com;Integrated Security=True' -DatabaseName 'MBAM Recovery and Hardware' -Recovery

# Enable self service web portal feature
Enable-MbamWebApplication -CompanyName 'Eskonr' -ComplianceAndAuditDBConnectionString 'Data Source=CMCB01.apac.eskonr.com;Initial Catalog="MBAM Compliance Status";Integrated Security=True' -HelpdeskUrlText 'Contact Helpdesk or IT department.' -HostName 'MBM01.apac.eskonr.com' -InstallationPath 'C:\inetpub' -Port 80 -RecoveryDBConnectionString 'Data Source=CMCB01.apac.eskonr.com;Initial Catalog="MBAM Recovery and Hardware";Integrated Security=True' -SelfServicePortal -VirtualDirectory 'SelfService' -WebServiceApplicationPoolCredential (Get-Credential -UserName "APAC\MBAM_HD_AppPool" -Message WebServiceApplicationPoolCredential)

# Enable report feature
Enable-MbamReport -ComplianceAndAuditDBConnectionString 'Data Source=CMCB01.apac.eskonr.com;Initial Catalog="MBAM Compliance Status";Integrated Security=True' -ComplianceAndAuditDBCredential (Get-Credential -UserName "APAC\MBAM_DB_RO" -Message ComplianceAndAuditDBCredential) -ReportsReadOnlyAccessGroup 'APAC\MBAM_HD_Reports'

# Enable agent service feature
Enable-MbamWebApplication -AgentService -ComplianceAndAuditDBConnectionString 'Data Source=CMCB01.apac.eskonr.com;Initial Catalog="MBAM Compliance Status";Integrated Security=True' -DataMigrationAccessGroup 'APAC\MBAM_HD_DataMig' -HostName 'MBM01.apac.eskonr.com' -InstallationPath 'C:\inetpub' -Port 80 -RecoveryDBConnectionString 'Data Source=CMCB01.apac.eskonr.com;Initial Catalog="MBAM Recovery and Hardware";Integrated Security=True' -WebServiceApplicationPoolCredential (Get-Credential -UserName "APAC\MBAM_HD_AppPool" -Message WebServiceApplicationPoolCredential)

# Enable administration web portal feature
Enable-MbamWebApplication -AdministrationPortal -AdvancedHelpdeskAccessGroup 'APAC\MBAM_HD_Adv_Users' -ComplianceAndAuditDBConnectionString 'Data Source=CMCB01.apac.eskonr.com;Initial Catalog="MBAM Compliance Status";Integrated Security=True' -HelpdeskAccessGroup 'APAC\MBAM_HD_Users' -HostName 'MBM01.apac.eskonr.com' -InstallationPath 'C:\inetpub' -Port 80 -RecoveryDBConnectionString 'Data Source=CMCB01.apac.eskonr.com;Initial Catalog="MBAM Recovery and Hardware";Integrated Security=True' -ReportsReadOnlyAccessGroup 'APAC\MBAM_HD_Reports' -ReportUrl 'http://mbm01.apac.eskonr.com/ReportServer' -VirtualDirectory 'HelpDesk' -WebServiceApplicationPoolCredential (Get-Credential -UserName "APAC\MBAM_HD_AppPool" -Message WebServiceApplicationPoolCredential)

# Enable self service web portal feature
Enable-MbamWebApplication -CompanyName 'Eskonr' -ComplianceAndAuditDBConnectionString 'Data Source=CMCB01.apac.eskonr.com;Initial Catalog="MBAM Compliance Status";Integrated Security=True' -HelpdeskUrlText 'Contact Helpdesk or IT department.' -HostName 'MBM01.apac.eskonr.com' -InstallationPath 'C:\inetpub' -Port 80 -RecoveryDBConnectionString 'Data Source=CMCB01.apac.eskonr.com;Initial Catalog="MBAM Recovery and Hardware";Integrated Security=True' -SelfServicePortal -VirtualDirectory 'SelfService' -WebServiceApplicationPoolCredential (Get-Credential -UserName "APAC\MBAM_HD_AppPool" -Message WebServiceApplicationPoolCredential)

Hope it helps!

SCCM Configmgr Failed to download prerequisite files due to Internet Settings not allow to download file


I was setting up a new hierarchy for SCCM Configmgr Current Branch 1606. As part of the installation process, setup asks for a prerequisite downloads folder, and I can choose either Download required files (it downloads from the internet) or Use previously downloaded files (download the files on any machine that has internet access and copy them to your SCCM server). I chose to download the required files from the internet, as my server has internet access through a proxy IP.

After a while, the download of the prerequisites failed, which led me to look at ConfigMgrSetup.log for the error details.

The log (ConfigMgrSetup.log) snippet is below:

ERROR: WinHttpReceiveResponse failed 80072ee2

ERROR: Download() failed with 0x80072EE2

ERROR: Failed to download language pack manifest (0x80072EE2)

I opened IE on my Windows Server 2012 R2 box and tried to browse the URL displayed in the log, http://go.microsoft.com/fwlink/?LinkId=746984, to see whether it works.

When I browse the URL, the download does not go through, and this is due to the default Internet Explorer settings: downloading any file is disabled (the default setting) on Server 2012 R2.

To fix this, we have to make some custom changes to the Internet Explorer settings to enable file download.

So I opened Internet Options, went to the Security tab, and selected Internet and Custom Level to enable the File download option, but the Custom Level option is disabled with the message: Some settings are managed by your system administrator (GPO policy)

This is due to Group Policy. My Group Policy does not allow any changes to the default IE settings.

What to do next to download the files and allow my SCCM server to download files going forward? Should I talk to the AD team who control the Group Policy to allow custom level settings? Nah, you don't need to.

There is a registry setting that controls the Custom Level setting above. If you change that setting, the Custom Level option in IE is enabled, and from there you can enable file download.

Open the registry on your server (you need to be an administrator or run CMD as administrator).

Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

Change the Security_HKLM_only value from 1 to 0.

Now open the IE settings: Security tab, Internet, Custom Level.

Under Downloads –> File download, select Enable.

Click OK.

Now try to browse the URL; you can download the files.

After a while, the GPO will refresh and the registry setting may change back to 1, but the enabled file download option in the Custom Level security settings will not be changed.
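Because the File download setting stays enabled after Group Policy puts Security_HKLM_only back, it is worth recording the state before and after the prerequisite download and closing it again afterwards. The script below is an added example, not part of the original post; the Zones\3 key and the 1803 value are the standard registry locations for the Internet zone's File download setting (not named in the post), the function names are illustrative, and the restore step needs an elevated session.

```powershell
# Added example (not from the original post): report, and optionally put back,
# the two settings this procedure touches.

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$ZoneSubKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'  # zone 3 = Internet
$FileDownloadAction = '1803'   # URL action "File download": 0 = Enable, 3 = Disable

function Get-RegValue {
    # Returns the value, or $null when the key or value does not exist.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Get-IEDownloadLockdownState {
    $labels = @{ 0 = 'Enabled'; 3 = 'Disabled' }
    $rows = @([pscustomobject]@{
        Setting = 'Security_HKLM_only'
        Hive    = 'HKLM: (policy)'
        Value   = Get-RegValue -Path $PolicyKey -Name 'Security_HKLM_only'
        Meaning = 'per the post: 1 = Custom Level locked, 0 = unlocked'
    })
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $value = Get-RegValue -Path ('{0}\{1}' -f $hive, $ZoneSubKey) -Name $FileDownloadAction
        if ($null -eq $value) {
            $meaning = 'not set'
        } elseif ($labels.ContainsKey([int]$value)) {
            $meaning = $labels[[int]$value]
        } else {
            $meaning = "other ($value)"
        }
        $rows += [pscustomobject]@{
            Setting = 'File download (1803)'
            Hive    = $hive
            Value   = $value
            Meaning = $meaning
        }
    }
    $rows
}

function Restore-IEDownloadLockdown {
    # Puts the policy value back to 1 and disables File download again in
    # whichever hive currently has it enabled. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($PolicyKey, 'Set Security_HKLM_only = 1')) {
        Set-ItemProperty -Path $PolicyKey -Name 'Security_HKLM_only' -Value 1 -Type DWord
    }
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $path = '{0}\{1}' -f $hive, $ZoneSubKey
        if ((Get-RegValue -Path $path -Name $FileDownloadAction) -eq 0) {
            if ($PSCmdlet.ShouldProcess($path, 'Set 1803 (File download) = 3 (Disable)')) {
                Set-ItemProperty -Path $path -Name $FileDownloadAction -Value 3 -Type DWord
            }
        }
    }
}

# Record the state now; run Restore-IEDownloadLockdown -WhatIf to preview the
# rollback once the prerequisite files have been downloaded.
Get-IEDownloadLockdownState | Format-Table -AutoSize
```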

Thanks to my friend (Alpesh) for providing the quick fix.

SCCM Configmgr How to deploy VMware tools (32bit and 64bit ) using Application deployment method


The other day, I got a request to install/update VMware Tools (32-bit and 64-bit) to the latest version (as per the vSphere server version or what the requester needs) on servers running on the VMware platform.

VMware Tools is a suite of utilities that enhances the performance of the virtual machine's guest operating system and improves management of the virtual machine. Without VMware Tools installed in your guest operating system, guest performance lacks important functionality.

To deploy VMware Tools, you can use either the legacy method, called a package, or the Application deployment method. If you go with a package, you lose control over deploying VMware Tools only on computers with the model VMware Virtual Platform (unless you create collections separately), checking whether the required tools are already installed, and many other things.

The Application method is always preferable for any deployment (unless there is a specific reason otherwise), as it provides much more control than packages when deploying applications.

In this blog post, we will see how to create a VMware Tools application for 32-bit and 64-bit, with detection logic and requirements to install only on computers with the model 'VMware Virtual Platform'.

I will divide this guide into 4 steps as listed below.

1. Copy VMware source files.

2. Create Global Condition for Computer model

3. Create Application which consists of 2 deployment types (32-bit & 64-bit) with detection logic and requirement rules.

4. Distribute the Application

5. Deploy the application to collection

6. Check the application status on Client

7. Deployment Results

1. Copy VMware source files.

Get the source files from the requester and copy them to the SCCM content source folder location.

It contains the source files for both 32-bit (setup.exe) and 64-bit (setup64.exe) operating systems.

2. Create Global Condition for Computer model:

Before we create the application for VMware Tools, we want to check whether the computer model is VMware. If the OS is not running on the VMware platform, we do not want to install VMware Tools.

To check the computer model, we need to create a global condition, which can be used later in the Requirements tab.

Right-click Global Conditions –> select Create Global Condition

Fill in the information as listed below.

Name: Computer Model

Device Type: Windows

Condition Type: Setting

Setting Type: WQL Query

Data Type: String

Namespace: root\cimv2

Class: Win32_ComputerSystem

Property: Model

Click OK.

Now, on the Global Conditions node, you will see the newly created condition with Type – Custom (not default; created by a user), Read Only – No (it can be edited) and In Use – No (not yet used).

3. Create Application

Go to Application Management – Applications node.

Right-click the folder in which you would like to create the application and select Create Application.

Since the file is an exe, select Manually specify the application information.

Enter the application name and other information as needed.

Accept the defaults (unless you have something to specify).

We will now create 2 deployment types, one for 32-bit and the other for 64-bit, and I call them x86 and x64.

Click Add.

Since we are using an exe for the deployment and it doesn't come with an MSI, select the type Script and select manual this time as well.

Name it Install x86.

Specify the content location folder to which you copied the source files.

Installation Program: setup.exe /S /v" /qn REBOOT=R"

It will install silently without a reboot. If you want to reboot upon completion of the installation, remove REBOOT=R.

We will now add a detection method. It lets the deployment skip the install if the version being deployed, or a greater one, already exists; if not, it installs the tools.

Click Add Clause.

Fill in the content as listed below.

Setting Type: File System

Type: File

Path: C:\Program Files (x86)\VMware\VMware Tools\

File or Folder Name: vmtools.dll

Value: 10.0.9.55972

How to get the version?

In your source folder, right-click the setup.exe file; you will find the VMware Tools version on the Details tab.

Click Next.

Configure the settings on the User Experience tab.

Requirements tab:

We will now create 2 requirement rules, one for the OS and the other for the model.

Click Add.

Since this is the 32-bit VMware Tools, we want to install it only on an OS running x86 with the VMware model.

Select Category: Device

Condition: Operating System

One of the operating systems: 32-bit of Server 2008, and others if you need.

Click OK.

We need to add one more rule for the model, so click Add again.

Select Category: Custom

Condition: Computer Model

Operator: Equals

Value: VMware Virtual Platform

These requirement rules use the AND operator, so the server OS must be running x86 and the model must be VMware Virtual Platform.

Click Next and accept the default settings.

Verify the Summary page.

Click Next.

Close.

We have now created the deployment type for the 32-bit VMware Tools. We need to do the same for the 64-bit VMware Tools as well.

Click Add and follow the same procedure as above, except for a few things that need to change, listed below:

Installation Program: setup64.exe /S /v" /qn REBOOT=R"

Detection method:

Path: C:\Program Files\VMware\VMware Tools\

Requirement rules: the OS will be 64-bit only (can be Server 2008, Server 2012 and others)

When you are done, you will see 2 deployment types.

Verify the Summary page:

Click Close to close the application wizard.

We have now created the application with 2 deployment types (32-bit and 64-bit).
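The requirement rules and detection method configured above can be evaluated on a test client before the deployment goes out. This script is an added example, not part of the original post; it reuses the post's model string, paths, file name and version, assumes the detection clause compares with "greater than or equal to", and its function names and sample inputs are illustrative.

```powershell
# Added example (not from the original post): evaluate the post's requirement
# rules and detection method locally. Function names are illustrative.

$RequiredModel   = 'VMware Virtual Platform'      # requirement rule value from the post
$RequiredVersion = [version]'10.0.9.55972'        # detection value from the post
$DetectionFile   = 'vmtools.dll'
# Paths exactly as configured in the post. 32-bit Windows has no
# 'Program Files (x86)' folder, so verify the x86 path on a 32-bit client.
$DetectionPath = @{
    x86 = 'C:\Program Files (x86)\VMware\VMware Tools\'
    x64 = 'C:\Program Files\VMware\VMware Tools\'
}

function Get-VMwareToolsDecision {
    # Pure decision logic: which deployment type applies and what it would do.
    param(
        [string]$Model,
        [bool]$Is64BitOS,
        [version]$InstalledVersion      # $null when vmtools.dll is absent
    )
    if ($Is64BitOS) { $type = 'x64' } else { $type = 'x86' }

    if ($Model -ne $RequiredModel) {
        $action = 'NotApplicable'       # model requirement rule fails
    } elseif ($null -ne $InstalledVersion -and $InstalledVersion -ge $RequiredVersion) {
        $action = 'AlreadyInstalled'    # detection method succeeds, install is skipped
    } else {
        $action = 'Install'
    }
    [pscustomobject]@{
        Model            = $Model
        DeploymentType   = $type
        InstalledVersion = $InstalledVersion
        Action           = $action
    }
}

function Get-LocalVMwareToolsDecision {
    # Reads the same inputs ConfigMgr uses: Win32_ComputerSystem.Model and the
    # file version of vmtools.dll in the deployment type's detection path.
    $is64 = [Environment]::Is64BitOperatingSystem
    if ($is64) { $type = 'x64' } else { $type = 'x86' }
    $file = Join-Path $DetectionPath[$type] $DetectionFile
    $installed = $null
    if (Test-Path -LiteralPath $file) {
        $vi = (Get-Item -LiteralPath $file).VersionInfo
        $installed = New-Object -TypeName version -ArgumentList `
            $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    }
    $model = (Get-CimInstance -Namespace root\cimv2 -ClassName Win32_ComputerSystem).Model
    Get-VMwareToolsDecision -Model $model -Is64BitOS $is64 -InstalledVersion $installed
}

# Constructed sample inputs (not real inventory data).
$samples = @(
    @{ Model = 'VMware Virtual Platform'; Is64BitOS = $true;  InstalledVersion = $null },
    @{ Model = 'VMware Virtual Platform'; Is64BitOS = $true;  InstalledVersion = [version]'9.4.0.25793' },
    @{ Model = 'VMware Virtual Platform'; Is64BitOS = $false; InstalledVersion = [version]'10.0.9.55972' },
    @{ Model = 'ProLiant DL380 Gen9';     Is64BitOS = $true;  InstalledVersion = $null }
)
foreach ($s in $samples) { Get-VMwareToolsDecision @s }

# On a test client: Get-LocalVMwareToolsDecision
```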

By default, when you create an application, the settings Allow clients to use a fallback source location for content and the deployment options are not enabled.

If you need the above settings enabled, do it for both deployment types; otherwise ignore it.

Now we will distribute the application to the distribution points. Right-click the application and select Distribute Content.

Go through the steps as you do for other applications.

When you are done with the application distribution, it's time to deploy the application to a collection.

5. Deploy the application to collection

Create a collection of the machines that should receive the new VMware Tools. (Installing the new version of VMware Tools automatically upgrades the existing (old) version to the new one. Only the new version will exist.)

If you simply add all systems, this application will not install on all computers, as we have a requirement rule to install it only on computers running on the VMware platform with either 32-bit or 64-bit.

So create the collection as per your needs and deploy the application to the collection.

6. Check the application status on Client

Log in to the client PC and run the Machine Policy Retrieval and Evaluation Cycle.

Open Software Center; you will now see VMware Tools appear on the Available Software tab. (This is for CM12; if you are on CMCB with the new Software Center, you know where it will be.)

Click Install. The client will download the source files into ccmcache and start the installation.

Monitor the application deployment logs (AppDiscovery.log, AppEnforce, DcmWmiProvider). For more about the logs, please refer to https://technet.microsoft.com/en-us/library/hh427342.aspx

After a while, you will see the application installed. If it fails, check the logs and troubleshoot why it failed.

7. Deployment results:

You can run the default report to check the status of the application, or see it from the deployment monitoring tab or from the console itself.

Hope you found this post useful!

SCCM Configmgr client issue SCClient.exe Entry Point Not Found WININET.dll could not be located in the dynamic link library


A few days back, I was helping a friend of mine who had some issues with the SCCM client and was unable to launch Software Center. When he tried to open the Software Center application, it immediately popped up the error shown below.

SCNotification has stopped working.

The procedure entry point HttpsisHostHstsEnabled could not be located in the dynamic link library WININET.dll

I tried launching Event Viewer, MMC, etc., but was unable to open any of them, and all gave the same error: No storage available to perform this operation.

I tried uninstalling the SCCM client, removing the SMS certificates, deleting smscfg.ini, restarting the client and installing the client, but still got the same error.

How do I fix this issue if reinstalling the client did not help?

If you look at the error message, it says: The procedure entry point HttpsisHostHstsEnabled could not be located in the dynamic link library WININET.dll.

This led me to replace the existing WININET.dll file with the one from a working client, in both the System32 and SysWOW64 folders.

Note: To perform the following steps, you need local administrative rights on the client.

By default, this file is owned by TrustedInstaller, and if you simply try to delete/rename it and copy wininet.dll from a working client, Windows doesn't allow you to replace the file.

How to delete/replace the file then? Well, we will take ownership of this file and then perform the operation on it.

Go to the C:\windows\system32 folder on the problem client, right-click wininet.dll, select Properties, go to Security, and click Advanced.

Click the Owner tab and select Edit.

On the Owner tab, change the owner from TrustedInstaller to Administrators or a user listed under Change owner.

A Windows Security pop-up appears; proceed to apply these changes.

Now we have taken ownership of the WININET.dll file.

We will rename the file to something else, like WININET_old.dll, and then copy the file from a working client to here.

Log in to, or access the admin$ share on, any other working client, copy the WININET.dll file from the C:\windows\system32 folder, and paste it into the C:\windows\system32 folder on the non-working client.

We need to perform the same procedure for the SysWOW64 folder as well (in case of an x64 OS).

Go to C:\windows\syswow64 and take ownership of the WININET.dll file from TrustedInstaller as Administrators or another user who has local administrative rights.

Rename the file to WININET_old.dll.

Log in to, or access the admin$ share on, any other working client, copy the WININET.dll file from the C:\windows\syswow64 folder, and paste it into the C:\windows\syswow64 folder on the non-working client.

Now reboot the client and launch System Center application; it works as usual without any errors.
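Before copying a system DLL from one machine to another, compare the two copies so you know what you are replacing and with what. The script below is an added example, not part of the original post; the function names and the WORKINGPC computer name are placeholders, and it reads the working client through the admin$ share the post already uses.

```powershell
# Added example (not from the original post): compare wininet.dll on the
# problem client with the copy on the working client before replacing it.
# Run from a 64-bit PowerShell session on an x64 OS, otherwise the local
# System32 path is redirected to SysWOW64.

function Get-WininetInfo {
    param([Parameter(Mandatory = $true)][string]$WindowsRoot)   # C:\Windows or \\PC\admin$
    foreach ($folder in 'System32', 'SysWOW64') {
        $path = Join-Path (Join-Path $WindowsRoot $folder) 'wininet.dll'
        if (-not (Test-Path -LiteralPath $path)) { continue }   # no SysWOW64 on an x86 OS
        $vi = (Get-Item -LiteralPath $path).VersionInfo
        [pscustomobject]@{
            Folder  = $folder
            Version = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                           $vi.FileBuildPart, $vi.FilePrivatePart
            SHA256  = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            Path    = $path
        }
    }
}

function Compare-Wininet {
    param(
        [string]$ProblemRoot = $env:SystemRoot,
        [Parameter(Mandatory = $true)][string]$WorkingRoot
    )
    # Index the working client's files by folder name.
    $working = @{}
    Get-WininetInfo -WindowsRoot $WorkingRoot | ForEach-Object { $working[$_.Folder] = $_ }

    foreach ($local in Get-WininetInfo -WindowsRoot $ProblemRoot) {
        $ref = $working[$local.Folder]
        [pscustomobject]@{
            Folder         = $local.Folder
            ProblemVersion = $local.Version
            WorkingVersion = if ($ref) { $ref.Version } else { $null }
            SameFile       = [bool]($ref -and $ref.SHA256 -eq $local.SHA256)
        }
    }
}

# WORKINGPC is a placeholder for the working client's name.
# Compare-Wininet -WorkingRoot '\\WORKINGPC\admin$' | Format-Table -AutoSize
```

SameFile = True means the copy would change nothing for that folder; differing versions show that the two machines carry different builds of the file, which is worth knowing before the swap. Keep the renamed WININET_old.dll from the steps above so the change can be undone.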

I have no idea what causes this issue and have not spent much time to find the root cause.

If you have any better solution that worked, please post it in the comments and I will update the blog post for others.

Hope it helps!

SCCM Configmgr troubleshooting guides for reference


For the past few months, Microsoft has been publishing some great deep-dive guides on understanding and troubleshooting SCCM Configmgr, with tips and tricks that help Configmgr administrators solve issues.

It is really hard to find these useful links through search engines when you need them for reference or want to send them to the team internally.

I have tracked all the useful links in my OneNote and decided to make them public for reference.

This blog post will be updated now and then, when new content is available.

1. Understanding and Troubleshooting Content Distribution in Microsoft Configuration Manager: This guide helps administrators understand the content distribution process and serves to build a foundation for diagnosing and resolving general content distribution related problems.

2. Software Updates in Configuration Manager Current Branch Deep Dive – Client Operations

3. Troubleshooting the Database Replication Service in Microsoft Configuration Manager: This guide helps determine the type of DRS problem you are experiencing, explains how the processes work and offers troubleshooting suggestions for some of the most common problems.

4. Troubleshoot the Install Application task sequence in Microsoft Configuration Manager: This guide helps you understand the Install Application task sequence process and troubleshoot common problems that may occur. The Install Application task sequence step is used to install applications as part of the overall task sequence.

5. Troubleshooting PXE boot issues in Configuration Manager 2012: Helps administrators diagnose and resolve PXE boot failures in System Center 2012 Configuration Manager (ConfigMgr 2012 or ConfigMgr 2012 R2).

6. Software Update Management Troubleshooting in Configuration Manager: This guide helps you troubleshoot the software update management process in Microsoft System Center Configuration Manager, including client software update scanning, synchronization issues and detection problems with specific updates.

7. Configuring Software Update synchronization in System Center Configuration Manager: This guide explains the System Center Configuration Manager software update synchronization process from start to finish. Each step in the process is explained, including the various settings that control how update retrieval and synchronization are performed, common problems seen with each step in the process, as well as general troubleshooting tips.

8. Complete guide to Microsoft WSUS and Configuration Manager SUP maintenance

9. Flowchart - Update replication for System Center Configuration Manager: These data flows display the process by which an in-console update you select to install replicates to additional sites. These flows also display the process of extracting the update to run prerequisite checks and to install updates at a central administration site and at primary sites.

See you all in the next post!

SCCM Configmgr Technical Preview update 1610 Available


Microsoft released SCCM Configmgr Technical Preview branch update 1610 (YYMM) for October 2016 with some new client features.

This Technical Preview 1610 is available both as an in-console update for the Configuration Manager Technical Preview and as a new baseline version from the TechNet Evaluation Center website. If you are planning to build a new lab, you can now use this preview update as a new installation and carry out your testing.

This month's preview update contains the following new features:

  • Improvements to the notification experience for high-impact task sequence and required application deployments – Task sequence deployments that have a high-impact to the end user, such as operating system deployments for example, now display more intrusive notifications. However, end users can dismiss (snooze) these notifications, and control when they reappear. Any relevant client settings for notification frequency are still honored.
  • Deny previously approved application requests – As an administrator, you can deny a previously approved application request. This prevents new installations of the application. To install this application later, users must resubmit a request. If the application was previously installed, it will not be uninstalled.
  • Filter by content size in automatic deployment rules – Use the content size filter in automatic deployment rules to prevent large software updates from automatically downloading to better support simplified Windows down-level servicing when network bandwidth is limited.
  • Exclude clients from automatic upgrade – When you configure settings to control how clients automatically upgrade, you can now specify a collection to exclude specific clients from the upgrade. This applies to automatic upgrade as well as other methods such as software update-based upgrade. This can be used for a collection of computers that need greater care when upgrading the client.

Download SCCM Configmgr technical preview 1610 from TechNet Evaluation Center

For more information about this preview update, read https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1610

For Technical Preview documentation, read https://docs.microsoft.com/en-us/sccm/core/get-started/technical-preview

Configuration Manager Resources:

Documentation for System Center Configuration Manager Technical Previews

Documentation for System Center Configuration Manager

System Center Configuration Manager Forums

System Center Configuration Manager Support

Download the Configuration Manager Support Center

System Center Configuration Manager and Endpoint Protection (technical preview branch – version 1610)

How to find who initiated restart of SCCM Configmgr Client


 

A colleague of mine received a request to check why an SCCM client (server OS) rebooted during office hours, along with more details about the reboot (who initiated it, etc.). I started looking at this request to find out whether the client was rebooted due to Windows patching or any applications pushed by SCCM.

During my troubleshooting, I went through several client logs, Event Viewer, a SQL query, a PowerShell script, etc.

In this blog post, I will list the steps I went through to identify who rebooted the SCCM client (server OS).

1. The first place anyone would look is Event Viewer, to find out who rebooted the server (whether it was the SCCM client or a user).

Go to Event Viewer -> Windows Logs -> System, right-click and select Filter Current Log, then enter 1074 (Event ID 1074 for reboot).

Event ID 1074 -> This event is written when an application causes the system to restart, or when the user initiates a restart or shutdown by clicking Start or pressing CTRL+ALT+DELETE, and then clicking Shut Down. This event is written to the system log only when the Shutdown Event Tracker group policy setting is enabled or not configured.

You will see a lot of entries with event ID 1074, of which we only look at the most recent one.

In the most recent entry, the restart was initiated by SMS Agent Host (ccmexec) on 10/31/2016 05:45:10 PM due to applications or software update installation. This doesn't tell you the username, as the restart was initiated by the system account (NT AUTHORITY\SYSTEM).

The process C:\Windows\CCM\CcmExec.exe (ComputerName) has initiated the restart of computer  ComputerName on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found
Reason Code: 0x80020001
Shutdown Type: restart
Comment: Your computer will restart at 10/31/2016 05:45:10 PM to complete the installation of applications and software updates.

Now we need to find out what was installed on the server at or before the reboot time, and whether the client has a maintenance window that allows a reboot.

2. Let's check which maintenance windows are available for the server. That helps to analyze whether an installation with a pending reboot had a maintenance window that allowed the reboot.

I use the following SQL query to check the available maintenance windows for a specific client.

-- Comma-separated list of client names to check
DECLARE @file varchar(5000);
SET @file = 'Server Name';

SELECT MW.[Collection Name], MW.[MW Name], MW.Description,
       CONVERT(nvarchar(26), MW.StartTime, 100) AS [StartTime], MW.Duration
FROM
(
    -- Every collection each client belongs to, with any maintenance window defined on it
    SELECT fcm.CollectionID, coll.Name AS [Collection Name], s.Name AS [MW Name],
           s.Description, s.StartTime, s.Duration
    FROM dbo.v_R_System sys
    RIGHT JOIN dbo.fn_SplitString(@file, ',') AS fss ON sys.Name0 = fss.substring
    JOIN dbo.v_FullCollectionMembership fcm ON sys.ResourceID = fcm.ResourceID
    JOIN dbo.v_Collection coll ON coll.CollectionID = fcm.CollectionID
    LEFT JOIN v_ServiceWindow s ON s.CollectionID = fcm.CollectionID
) MW
-- Keep only the collections that actually have a maintenance window
WHERE MW.[MW Name] NOT LIKE ''

I use @file so that I can pass in a large number of clients to query. If you want to list the maintenance windows for more than one client, set it like this: @file='server1,server2,server3,server4'

With the above SQL query, I do not see any maintenance window available for the server to reboot at that time (the time the server rebooted).

3. Now we go back to the problem server and log in to see what was installed by SCCM at or before the reboot time.

We will look at AppEnforce.log (for applications), execmgr.log (for packages), the Windows update logs (WUAHandler.log, UpdatesHandler.log) and any other logs that you suspect.

AppEnforce.log:

From AppEnforce.log, there was an application that installed silently without any reboot (Matched exit code 3010 to a PendingSoftReboot entry in exit codes table.)

So the application doesn't have a forced reboot option, and something else must have caused the reboot.

4. Now take a look at RebootCoordinator.log and MaintenanceCoordinator.log to see whether they reveal some information about the reboot behavior.

RebootCoordinator.log

In this log, I see a couple of entries related to the server reboot which help me identify the root cause.

User S-1-5-21-1009845188-1641970364-1010270793-4361695 is getting pending reboot information

ServiceWindowsManager has not allowed us to Reboot

MTC allowed us to reboot

Notified UI grace period start with 900 grace seconds and 300 final seconds.

System reboot request succeeded.

As you can see from the log, a user SID is getting pending reboot information, which means someone was logged in to the server at the time of the reboot.

How do you find out who that user is? You can find it using the Event Viewer security logs or a PowerShell script that converts the SID to a user name.

I used the PowerShell script below, which converts a SID value to a user name.

$objSID = New-Object System.Security.Principal.SecurityIdentifier ("S-1-5-21-1009845188-1641970364-1010270793-4361695")
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount])
$objUser.Value

Copy the script, change the SID value and run the PowerShell script on the problem server to find the user name.

Now I have the name of the user who was logged in to the server during the reboot, but I cannot take this information for granted and conclude that this user initiated the reboot.

RebootCoordinator.log doesn't confirm whether the logged-in user restarted the server. So what next?

In SCCM Configmgr 2012 and above, there are logs for users as well. These logs record the activity for notifying users about software for the specified user.

These user notify logs are named SCNotify_<domain>@<username>_1.log

Open the log (_SCNotify_<domain>@<Username>_2.log) for the user who was logged in to the server during the reboot to see whether he/she initiated it.

This log contains a lot of useful information, including the entries below, which confirm that the user was allowed to restart the system.

RestartCountdownDialog: IsRestartSystemAllowed - user is allowed to restart system      (Microsoft.SoftwareCenter.Client.Pages.RestartCountdownDialog at .ctor)

Notification is for a logoff/restart required or logoff/restart countdown.      (Microsoft.SoftwareCenter.Client.Notification.NotifyObjectBase at ShowBalloonTip)

Number of total seconds in countdown is 900; starting value is 2; seconds til restart is 898, system will restart at 5:45:09 PM (utc end time = 9:45:10 AM)      (Microsoft.SoftwareCenter.Client.Pages.RestartCountdownDialog at .ctor)

This confirms that the user who logged in to the server initiated the reboot, and not the SCCM client.
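The checks from the steps above can be collected in one pass on the problem server. The following PowerShell is an added example, not the author's script: it assumes the default client log folder %windir%\CCM\Logs, the function names are hypothetical, and the embedded sample log lines are constructed and used only when no client logs are found.

```powershell
# Added example: gathers the restart evidence used in the steps above.
$LogDir = "$env:windir\CCM\Logs"   # assumption: default ConfigMgr client log folder

# Constructed sample lines (CMTrace format), used only when no client logs are found.
$SampleLog = @(
    '<![LOG[User S-1-5-21-1111111111-2222222222-3333333333-1001 is getting pending reboot information]LOG]!><time="17:30:08.101+480" date="10-31-2016" component="RebootCoordinator" context="" type="1" thread="4120" file="sample">'
    '<![LOG[System reboot request succeeded.]LOG]!><time="17:45:10.220+480" date="10-31-2016" component="RebootCoordinator" context="" type="1" thread="4120" file="sample">'
    '<![LOG[RestartCountdownDialog: IsRestartSystemAllowed - user is allowed to restart system]LOG]!><time="17:30:11.5512345" date="10-31-2016" component="SCNotify" context="" type="1" thread="1" file="sample">'
)

function Get-RestartEvent {
    # Step 1: most recent Event ID 1074 records, split into their event data fields.
    param([int]$MaxEvents = 5)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = $_.Properties   # order: process, computer, reason, code, type, comment, user
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Process    = $p[0].Value
                OnBehalfOf = $p[6].Value
                Type       = $p[4].Value
                ReasonCode = $p[3].Value
                Comment    = $p[5].Value
            }
        }
}

function ConvertFrom-CMTraceLine {
    # Parses one single-line CMTrace entry; returns nothing for lines that do not match.
    param([string]$Line)
    $rx = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>\d{1,2}:\d{2}:\d{2})[^"]*" date="(?<date>[\d-]+)" component="(?<comp>[^"]*)"'
    if ($Line -notmatch $rx) { return }
    [pscustomobject]@{
        When      = [datetime]::ParseExact("$($Matches.date) $($Matches.time)", 'M-d-yyyy H:mm:ss', [cultureinfo]::InvariantCulture)
        Component = $Matches.comp
        Message   = $Matches.msg
        User      = $null
    }
}

function Resolve-Sid {
    # Same SID-to-account translation as the script in the post, with a fallback value.
    param([string]$Sid)
    try {
        $obj = New-Object System.Security.Principal.SecurityIdentifier ($Sid)
        $obj.Translate([System.Security.Principal.NTAccount]).Value
    } catch { '<unresolved>' }
}

function Get-RebootEvidence {
    # Steps 4 onward: keep only the messages the post relies on and resolve any SID found.
    param([string[]]$Lines)
    $markers = 'is getting pending reboot information',
               'ServiceWindowsManager has not allowed us to Reboot',
               'MTC allowed us to reboot',
               'Notified UI grace period',
               'System reboot request succeeded',
               'IsRestartSystemAllowed'
    foreach ($line in $Lines) {
        $entry = ConvertFrom-CMTraceLine -Line $line
        if (-not $entry) { continue }
        $msg = $entry.Message
        if (-not ($markers | Where-Object { $msg.Contains($_) })) { continue }
        if ($msg -match 'User (S-1-5-[\d-]+) is getting pending reboot') {
            $entry.User = Resolve-Sid -Sid $Matches[1]
        }
        $entry
    }
}

$files = @()
if (Test-Path $LogDir) {
    $files = Get-ChildItem -Path $LogDir -File |
        Where-Object { $_.Name -like 'RebootCoordinator*.log' -or $_.Name -like '*SCNotify*.log' }
}
$lines = if ($files) { $files | Get-Content } else { $SampleLog }

Get-RestartEvent | Format-List
Get-RebootEvidence -Lines $lines | Sort-Object When | Format-Table When, Component, User, Message -AutoSize
```

Sorting the RebootCoordinator and SCNotify entries on one timeline shows whether the restart countdown for a logged-in user preceded the 1074 event.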

If you have any other methods to identify who initiated the reboot, post them via the comments section.

Until next!


SCCM Configmgr check if allow clients to use fallback source location for content is selected or not


 

I have seen a couple of questions on SCCM Configmgr forums asking how to find out whether applications/deployment types have 'allow clients to use fallback source location for content' checked or not.

Allow fallback source location for content: This feature is designed to allow a client to gain access (fall back) to content that is not available on a Distribution Point (DP) located in its Boundary Group.

If this feature is not implemented correctly, it can lead to unexpected results and high network utilization over remote WAN links.

For more information about fallback source location and distribution points, please read the TechNet article https://technet.microsoft.com/en-us/library/gg712321.aspx?f=255&MSPPError=-2147217396#BKMK_PreferredDistributionPoint.

When this question was asked, I thought I would look at it when I got time; later it went onto my to-do list due to time constraints and I never looked at it.

Recently, I had a similar requirement to identify the list of applications with their deployment type properties, to find out how many of them do not have the option 'allow clients to use fallback source location for content' checked, along with their download options (slow or unreliable network boundary).

If you want to know which applications have this option checked or not, there is no default report and no easy way to check in the console either.

You have to create either a custom report or a PowerShell (PoSH) script.

When you create an application using the application wizard, there are a couple of options that the GUI doesn't show you (unless you use scripting to create apps), such as allow clients to use a fallback source location and the deployment options.

If you have only a few applications in SCCM, it is easy to check manually by right-clicking the deployment type and looking for this option, but what if you have a large number of applications with multiple deployment types and you want them displayed in a report?

Before we try to create a report for this, we need to identify which table/view this information is stored in. Once we have identified the right view, we can write the SQL query.

In SCCM 2012 and above, application and deployment type property information is not stored directly in a database view. Instead, it is stored as XML in the SDMPackageDigest column of the function fn_ListDeploymentTypeCIs(1033).

Once we know where the application deployment property information is stored, we need to know how to extract the required information from this XML.

This XML contains a lot of information, out of which we only look at a couple of important fields: application name, deployment name, type, UserInteractionMode, ExecutionContext, RequiresLogOn, FallbackToUnprotectedDP and OnSlowNetwork. If you want to retrieve other information from the XML, customize the report yourself.

To know more about the XML and how to extract information from it using a SQL query, read here.

The setting for allow clients to use fallback source location for content is stored in the XML in the column FallbackToUnprotectedDP, with the values true or NULL.

If you have selected one of the Deployment options, either do not download content or download content from distribution point and run locally, it is stored in the column 'OnSlowNetwork' with the values Download, DoNothing or NULL.

I have created an SSRS report for you. All you need to do is download the report from TechNet, upload it to your SSRS reports, change the data source and run the report.

Note: If you have a large number of applications and you are looking ONLY for deployment type names that do not have the 'allow clients to use fallback source location for content' option checked, you may have to edit the report and add a filter so that it lists only those applications instead of everything in your SCCM.


Hope you enjoyed reading this article.

See you in the next post!

SCCM Configmgr the source directory doesn’t exist or the SMS service cannot access it, Win32 last error = 5


I was setting up a new SCCM Configmgr Current Branch 1606 in a production environment. As part of it, I created the source folder (repository for the content store) and placed a couple of packages/applications in it for testing. While trying to distribute the packages, all of them failed with the same error code.

The source directory \\servername\sources$\Applications\Microsoft\SCUPCert doesn't exist or the SMS service cannot access it, Win32 last error = 5

Win32 last error = 5 translates to access denied. I made sure the SCCM site server account and the user account/group had full access to the source folder location, but missed adding the SYSTEM account.

To see whether the SYSTEM account has enough read permission on the above share, simply use the Sysinternals tools to open a command prompt as SYSTEM and check whether you can access the share.

PSEXEC -i -s -d CMD

In my case, it says access denied, but I am able to access the share using my user account.

To fix this, you need to grant permissions to the SYSTEM account as well, on both the Sharing and Security (NTFS) tabs.

Hope it helps!

Microsoft Deployment toolkit (MDT) build version 8443 is now available


The Microsoft Deployment Toolkit (MDT) is a free tool for automating Windows and Windows Server operating system deployment, leveraging the Windows Assessment and Deployment Kit (ADK) for Windows 10. Microsoft released new build version 8443 of the Microsoft Deployment Toolkit with some quality updates. This build requires the Windows Assessment and Deployment Kit (ADK) for Windows 10, version 1607, which you can download from the Microsoft Hardware Dev Center (adksetup.exe file version 10.1.14393.0).

You can download MDT build version 8443 from Microsoft Download Center.

Summary of the significant changes in this build of MDT:

  • Supported configuration updates
  • Support for the Windows ADK for Windows 10, version 1607.
  • Support for Windows 10, version 1607, and Windows Server 2016.
  • Support for Configuration Manager, version 1606.

Quality updates:

  • Deployment Wizard scaling on high DPI devices
  • Johan’s “uber bug” for computer replace scenario
  • Multiple fixes for the Windows 10 in-place upgrade scenario
  • Several fixes to Configure ADDS step
  • Removed imagex/ocsetup dependencies, rely solely on DISM
  • Includes the latest Configuration Manager task sequence binaries (version 1606)

 

Reference:  https://blogs.technet.microsoft.com/msdeployment/2016/11/14/microsoft-deployment-toolkit-8443-now-available/

Powershell script to delete computer records from SCCM


Recently I had a requirement to create a PowerShell script that reads a text file/CSV with a list of clients (mainly servers), checks whether they appear in SCCM, deletes them if so, and tracks the information in a log file for reference.

There could be various reasons why you want to delete a computer record from SCCM. You can either delete the record directly from the console or use scripting to do it for you.

One of the reasons for me to create this script is to help the team delete server records from SCCM immediately after they are decommissioned, using Task Scheduler. Why immediately? Can't I wait for the default maintenance tasks to remove the computer object after it becomes inactive or aged? Well, they do. Once the computer record is disabled in AD or not online for X days, it becomes inactive. Once the client is inactive and falls into the range of X days that matches the site maintenance tasks, it is removed from the SCCM database. When I leave these decommissioned clients for deletion by the site maintenance tasks, they still appear in compliance reports and client health reports in SCCM, and because of this the client health dashboard doesn't show a good status.

So this script lets you put the computer records into a text file (as input) and run the script, or schedule it to run once a week or so. The script reads the text file and checks whether each computer record exists in the database. If it does not exist, that is written to the log; if it exists, the entry is deleted and the result is written to the log. This loop continues until the last line of the text file has been read.

Removing a device client manually deletes the client record from the Configuration Manager database. Typically, you should not use this action unless it is for troubleshooting scenarios. If you delete the client record and the Configuration Manager client is still installed and communicating with Configuration Manager, Heartbeat Discovery recreates the client record in the Configuration Manager database, although the client history and any previous associations are lost.

To delete the computer record from SCCM if it exists, I used the built-in SCCM PowerShell cmdlet Remove-CMDevice -name $comp -force.

You can download the PowerShell script to delete computer records from SCCM via TechNet.

You can run this script as a scheduled task on a weekly basis. All you need to do is put the computer records into the text file and let the script run for you automatically.
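A sketch of the read, check, delete and log loop described above, with input validation and a dry-run switch. This is an added example, not the author's TechNet script: it assumes the ConfigurationManager module is imported and the current location is the site drive, and the function name and file paths are hypothetical.

```powershell
# Added example. Assumes the ConfigurationManager module is already imported and the
# current location is the site drive (for example ABC:, where ABC is a placeholder site code).
function Remove-DecomDevice {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$InputFile,   # one computer name per line
        [Parameter(Mandatory)][string]$LogFile      # tab-separated result log
    )

    function Write-Log([string]$Name, [string]$Result) {
        $row = "{0}`t{1}`t{2}" -f (Get-Date -Format s), $Name, $Result
        # -WhatIf:$false keeps the log written even during a dry run.
        Add-Content -Path $LogFile -Value $row -WhatIf:$false -Confirm:$false
    }

    $seen = @{}   # hashtable keys are case-insensitive, so SRV01 and srv01 count once
    foreach ($raw in Get-Content -Path $InputFile) {
        $name = $raw.Trim()
        if (-not $name -or $seen.ContainsKey($name)) { continue }
        $seen[$name] = $true

        # Accept only plain computer names so a stray wildcard, path or
        # CSV fragment in the input file never reaches the delete cmdlet.
        if ($name -notmatch '^[A-Za-z0-9][A-Za-z0-9-]{0,14}$') {
            Write-Log $name 'Skipped: not a plain computer name'
            continue
        }

        $devices = @(Get-CMDevice -Name $name)
        if ($devices.Count -eq 0) {
            Write-Log $name 'Not found in SCCM'
            continue
        }

        if ($PSCmdlet.ShouldProcess($name, 'Remove-CMDevice')) {
            try {
                Remove-CMDevice -Name $name -Force -ErrorAction Stop
                Write-Log $name "Deleted ($($devices.Count) record(s))"
            } catch {
                Write-Log $name "Failed: $($_.Exception.Message)"
            }
        } else {
            Write-Log $name "Not deleted (WhatIf or declined), $($devices.Count) record(s) matched"
        }
    }
}

# Dry run first (hypothetical paths), then repeat without -WhatIf:
# Remove-DecomDevice -InputFile C:\Temp\decom.txt -LogFile C:\Temp\decom.log -WhatIf
```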


SCCM Configmgr Powershell script to install software updates on remote clients


Problem:

A few weeks ago, a colleague of mine was performing patch management on a large number of clients (servers) as part of monthly patching. He made sure the maintenance window was in place and the software updates deployment was set up correctly.

The maintenance window started, patches started installing, and after a while he browsed the reports to check the status of the deployed patches (software update groups). He found that 30-40% were compliant and the rest were non-compliant (the majority) or unknown (very few).

By the time he found something was wrong, he had only 1 hour left to finish the patching activity because of the maintenance window. After the maintenance window has passed, you cannot reboot the servers, and you need to confirm the patching status with the application teams so that they can perform the application testing.

What to do now, and how to get these non-compliant servers fixed in 1 hour before the maintenance window elapses? Since there was not enough time to troubleshoot the clients and look for other methods to fix them, he preferred the manual method.

I got to know about this the next morning while I was chatting with him. I tried to look into the logs to see what the problem could be, but the logs had been overwritten and nothing was found for the previous day's issue.

The only status I got from him was that all updates available in Software Center were showing 'Past due – will be installed'.

Solution:

If you ever get into such issues, I would suggest picking one problem client for troubleshooting and going through the logs to check whether the client is waiting for a sufficient maintenance window, or whether the updates are waiting for something to complete before they can start, etc.

There could be various reasons why the software updates failed or did not even start on the client, and to troubleshoot you must check the logs. I have written a couple of articles on software updates troubleshooting and reference guides.

http://eskonr.com/2015/04/sccm-2012-troubleshoot-client-software-update-issues/

http://eskonr.com/2016/10/sccm-configmgr-troubleshooting-guides-for-reference/

Coming to the problem: how do I force the installation of the updates that are available in Software Center if I don't have enough time to troubleshoot the issue, or how do I install the updates that are made available on the client?

We can use a PowerShell script to select all the updates available in Software Center and install them, following the settings configured in the software update deployment, such as reboot or suppress reboot.

This script is also useful when updates have failed for some reason (from reporting you can get the list of clients with their status) and you want to install them without logging in to the client.

Part of the script is taken from the book Microsoft System Center Software Update Management Field Experience.pdf. I modified it to log the output and to read the clients from a text file.

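# Updates the client SDK reports with ComplianceState 0 (missing)
$MissingUpdates = Get-WMIObject -Namespace root\CCM\ClientSDK -Class CCM_SoftwareUpdate -Filter "ComplianceState=0"
# Re-fetch each instance by its WMI path so that InstallUpdates receives full objects
$MissingUpdatesReformatted = @($MissingUpdates | Foreach-Object {if($_.ComplianceState -eq 0){[WMI]$_.__PATH}})
# The leading comma passes the whole array as a single argument
$InstallReturn = Invoke-WMIMethod -Namespace root\CCM\ClientSDK -Class CCM_SoftwareUpdatesManager -Name InstallUpdates -ArgumentList (,$MissingUpdatesReformatted)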

Download the complete PowerShell script from TechNet Gallery here.

To run the script against remote computers, make sure you have enough permissions to connect to WMI on the remote computer and that the RPC (dynamic) ports are open.

The script checks whether the account you are running it with has enough permissions on the remote computer. If yes, it goes into the loop; otherwise it moves on to the next client to perform the check, and so on.

The script writes the information to a log file with the client name, targeted patches (approved patches), pending patches (including failed, waiting for MW, etc.), reboot pending, and finally Compliant if the client has nothing in Software Center to install.

If a client has already installed all patches and is waiting for a reboot, I consider it compliant in the script, as it will be rebooted either manually or automatically based on the settings you configured in the deployment.

Post your feedback via comments section.
