Setting up Configuration Manager current branch (1702) lab for testing. While running the Configmgr reports using IE browser ,http://servername/Reports/Pages/Folder.aspx ,it failed with error code HTTP 500 Internal Server Error. SQL server installed locally on Configmgr box .

I have seen this error couple of time but i don't remember what was the solution to get it fix. So ,in this blog post, we will try to troubleshoot the issue by going through the log files and solve it.

Following the error snippet while while browsing Configmgr reports :

When you get this error, the first place to look at is ,reporting point role installation logs which are located in your Configmgr installation logs folder.

srsrpsetup.log Records results of the reporting point installation process

srsrp.log Records information about the activity and status of reporting services point

From srsrpsetp.log ,reporting services role successfully installed . Next log to look at is srsrp.log to check the health

srsrp.log :

System.Web.Services.Protocols.SoapException: The operation you are attempting requires a secure connection (HTTPS). ---> Microsoft.ReportingServices.Diagnostics.Utilities.SecureConnectionRequiredException: The operation you are attempting requires a secure connection (HTTPS).~   at Microsoft.ReportingServices.WebServer.RsSoapExtension.EnsureHttpsLevel(SoapMessage message)~   at Microsoft.ReportingServices.WebServer.RsSoapExtension.ProcessMessage(SoapMessage message)~   at System.Web.Services.Protocols.SoapMessage.RunExtensions(SoapExtension[] extensions, Boolean throwOnException)~   at System.Web.Services.Protocols.SoapServerProtocol.ReadParameters()~   at System.Web.Services.Protocols.WebServiceHandler.CoreProcessRequest()

Failures reported during periodic health check by the SRS Server servername.domainname

SSRS Role was installed successfully but health check did not run successfully.

Next is to check Reporting services Configuration Manager wizard if anything configured faulty or reporting services running correctly or not (this can be check from services.msc)

At this stage ,all checks passed but still issue persists.

Till now ,we have done the troubleshooting in in Configmgr point of view , but from now onwards ,we will go little further to check from SQL point of view.

Next is to look at SQL reporting services log which is located in your SQL installation folder .Since am using SQL server 2014 on my SCCM server (SQL installed locally) ,reporting services logs can be found at

C:\Program Files\Microsoft SQL Server\MSRS12.MSSQLSERVER\Reporting Services\LogFiles

Look at recently modified date (ReportServerService__07_14_2017_00_05_14)  ,open the log using cmtrace.exe

System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

Did a internet search using ‘This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms’ ,found this  https://blogs.msdn.microsoft.com/dataaccesstechnologies/2015/07/16/report-manager-system-invalidoperationexception-this-implementation-is-not-part-of-the-windows-platform-fips-validated-cryptographic-algorithms/

Follow the instructions given in the above link and apply the solution.

For me, after applying the changes said above (i did web.config) ,i got the following error which leads me to change SecureConnectionLevel to 0 in rsreportserver.config file located in C:\Program Files\Microsoft SQL Server\MSRS12.MSSQLSERVER\Reporting Services\ReportServer ,referrence TechNet article here

Error: The underlying connection was closed: An unexpected error occurred on a send

Solution:

Go back to your reports URL (http://servername/Reports/Pages/Folder.aspx) ,run the reports again to see if it works or not ?

Hope it helps!

Quick post on how to get count of list of updates or count of updates in your Configuration Manager with severity categorised as Critical,Important,Moderate and Low.

In order to get this information count of updates with severity, you first need to identify what the SQL views that store this information about software updates.

Get the SQL views documentation for all Configmgr versions starting from SCCM 2012 to Current Branch 1702 from https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b

Severity of the software updates is stored in v_UpdateInfo .This SQL view stores lot of other information like title,article ID,bulletin ID,date posted and lot more. Most of the metadata about software update information is stored in this SQL view v_UpdateInfo.

We will try to use this SQL view to get count of software updates with its severity.

Listed below are severity and its description:

Severity=2 –> Low

Severity=6—>Moderate

Severity=8—>Important

Severity=10—>Critical

Am Listing 2 SQL Queries here for you . 1) without any filters and this will get you what is available in your CM database 2) With custom filters and more of modified version (Thanks to Sherry on myitforum)

1.

select CASE(ui.Severity)
When 2 Then 'Low' When 6 Then 'Moderate' When 8 Then 'Important' When 10 Then 'Critical' Else 'NA' End as 'Severity',
ui.Severity ,count(ui.ci_id) [Total Updates]
from v_updateinfo ui
group by ui.severity
order by 3 desc

2.

;with cte as (   select
   CI_ID,
           BulletinID,
           ArticleID,
           Title,
           DatePosted,
                   DateRevised,
                   isExpired,
                   isSuperseded,
           CI_UniqueID,
         case
        when (ui.severity=0 and ui.CustomSeverity=0) or ui.severity is null then '0 None'
        when ui.CustomSeverity=6 then '6 Moderate'
        when ui.CustomSeverity=8 then '8 Important'
    when ui.CustomSeverity=10 then '10 Critical'
    when ui.CustomSeverity=2 then '2 Low'
    when ui.Severity=2 and ui.CustomSeverity=0 then '2 Low'
        when ui.Severity=6 and ui.CustomSeverity=0  then '6 Moderate'
        when ui.Severity=8 and ui.CustomSeverity=0  then '8 Important'
        when ui.Severity=10 and ui.CustomSeverity=0  then '10 Critical'
        end as 'Severity'
    from v_UpdateInfo ui
Where
   ui.title not like '%Itanium%'
)
select severity, count(*) [Count]
from cte
group by Severity
order by Severity

You can add  more filters to 2nd query like superseded!=0 and expired=1 etc.

In this post, i will discuss about the requirement that i have got recently. Local team /manager wants to run the software update compliance report for their LBU machines (collections) to see if all the clients in collection are compliant or not for all the patches with released date between X date to Y date.

No matter whether all the patches that are requested/available in SCCM are deployed or not but it should appear in SCCM report if the clients are in good shape or not for specific period.

By default in SCCM, there are couple of reports available for software update compliance but if you want to know the compliance status for specific collection for all updates that exist in SCCM (no software update group here) between specific period let say Jan 1,2015 to Dec 31 2015 or X range to Y range.

How to generate software update compliance report for specific collection for all the updates available in SCCM within specific date ?

To create a report for this requirement, we need set of SQL views that have information about software updates ,collection,inventory of client etc.

Below are the SQL views that i used in this report:

v_GS_COMPUTER_SYSTEM

v_CICategories_All

v_CategoryInfo

v_gs_workstation_status

v_fullcollectionmembership

v_UpdateInfo

v_UpdateComplianceStatus

Download SSRS Report from Technet Gallery,Upload to your SSRS Folder ,change data source and run the report.

When you run the report ,it prompt for collection ,Start Date and End Date shown below.

The result what see in the report is excluded by superseded and expired updates (IsExpired=0 and IsSuperseded=0) .

The original report is taken from Garth post http://smsug.ca/blogs/garth_jones/archive/2009/02/25/patch-compliance-progression-report.aspx and modified to include the date prompt ,superseded,expired ,added inventory information like OS,update scan,IP address,Last reboot into the report.

Linked report to see list of updates for each client will be in the next post.

I have seen this questions often in social communities and online forums on this topic and how they work during content download. So i will try to explain what they mean and how they work when it comes to content download.

when you create any deployment (applications,software updates,task sequence etc) ,you will see two options for ‘Type of Deployment’ (for software updates) ,Purpose (for applications) with Required and Available. In this blog post, we will see what they mean and how they work .

Available:  Available deployments will not have any deadline and they meant for optional. When you choose the type of deployment as Available ,user can see the deployments in Software Center and it will never be installed automatically unless user select and install it.

When user choose to install the available deployments in Software Center ,it will start downloading the content and install it ,no matter if the client has maintenance window or not as it is initiated by User and it will proceed to install the deployment after the download but if the deployment require reboot ,it will check for MW (maintenance window) and only reboot.

In this type of deployment ,deployments will not be downloaded automatically unless user initiate the deployment.

Required: Required deployment have  available time and deadline time. When you create deployment ,you will have to set available time (For clients to download the policies and download the content ) and deadline time (for installation).

When machine policy runs on the client , client will download the policies that are new or updated ,evaluate the policies and inject into wmi.

If you have any deployments with future deadline date but not as soon possible (which means the current time when you do the deployment) ,client will not perform the evaluation of the deployment for content download ,instead it will wait for the deadline date for content download and install (if enough maintenance window available).

In Required deployment ,content download happens only when the deployment reaches/passes the deadline date .Once the download is finished, it will check for enough maintenance window ,if there is ,it will install right after the content download. If there is future maintenance window available ,it must wait for the MW and install it .

If you have set deadline to ‘As soon as possible which means the current time on the site server, client receive the policy ,process it and download the content immediately due to deadline behaviour but for install ,it will check if MW ,if yes,wait for the MW else install the deployment.

My Observation in software updates deployments:

Take an example that ,I have deployed few software update groups to a collection with future deadline date but available time is current date . After 60 min (default ) ,client will receive the new/updated policies ,they process it and inject into wmi --but the content will not be downloaded until it reach the deadline time.

In this case ,all my deployments are set to future deadline date ,so they will never be evaluated by software update deployment evaluation cycle unless the deadline reaches and you will not see the updates in software center. When the deadline time triggers ,patches will be downloaded and install if enough MW available.

you will only see the list of patches available in software center if it is evaluated by software update deployment evaluation cycle and this happens automatically when the deadline reaches or you can initiate the

What happens if the client downloaded the policies but you initiated the deployment evaluation ?

Once the deadline time reached, deployment evaluation starts ,it will pick the policies that are available in client WMI and start processing each update with its compliance check (require,not require or already install) and start download the updates into ccmcache.

In this scenario, the download happens when the deadline reaches but not because of the maintenance window available. Maintenance window is only for the installation of updates but not for download of updates.

For more information about how the maintenance window is calculated, take a look at https://blogs.technet.microsoft.com/charlesa_us/2015/04/21/system-center-configuration-manager-2012-maintenance-windows-getting-to-know-you/

My Observation in Application Deployment:

Like i said how the content download happens for software updates ,it is not same for application Deployment .

For application deployment ,after the deployment to collection with available time as current time and deadline time as future time ,it took random time of 3-4 hours for the application to display in software center and also download happen automatically (Disable deadline randomisation is set to Yes but still it happens after sometime).

Hope You will find this article useful.

To manage software updates using SCCM/Configmgr, software update scan (with help of windows update agent) is mandatory without which ,client cannot download the update catalog (metadata) from WSUS and perform the scan for letting the server know what is required and what is not required using the state messages.

When i was looking at the software update scan reports few days ago ,identified some of the clients (Windows servers) could not able perform software update scan. So i decided to take look at the one of the client logs and troubleshoot further.

After logging into the server ,looked at wuahandler.log ,scanagent.log and windowsupdate.log as these logs will help you help to troubleshoot software update scan issues at the initial stage.

Below is windows update log.

WARNING:     IsSessionRemote: WinStationQueryInformationW(WTSIsRemoteSession) failed for session 2, GetLastError=2250

COMAPI    FATAL: Unable to connect to the service (hr=80080005)

COMAPI    WARNING: Unable to establish connection to the service. (hr=80080005)

After seeing this error ,i tried to stop windows update service but windows update service stuck at “stopping” status (hung) and never finish . So i have to kill the service to stop using taskkill command.

Open cmd as an administrator

1. Run:  taskkill /f /fi “services eq wuauserv”

After the windows update service start, tried initiating the software update scan to see if that makes any any difference but again issue repeat (same error code in windows update log ,software update scan never move forward using wuahandler.log )

I even tried installing the updates manually to see if that goes through but that also failed.

After doing the basic troubleshooting as said above ,the issue is not with SCCM client or windows update agent rather it is more of windows issue likely to be caused due to a missing/corrupt class in root\microsoft\windows\servermanager

How do you know the issue is related to missing/corrupt wmi class ?

For this ,you need to create dump to analyse what is going on and here is what found in the dump log.

0 0000003ebe29d4c8 00007ffd372713ed ntdll!ZwWaitForMultipleObjects+0xa

1 0000003ebe29d4d0 00007ffd39a1f9e4 KERNELBASE!WaitForMultipleObjectsEx+0xe1

…

4 0000003ebe29d850 00007ffd2f31a1c7 wbemcore!CCoreQueue::QueueWaitForSingleObject+0x5c   Waiting for thread running wbemcore!CCoreQueue::Execute

5 0000003ebe29d8a0 00007ffd2f328f5a wbemcore!CWmiFinalizer::GetOperationResult+0x67

6 0000003ebe29d8e0 00007ffd2a999afd wbemcore!CWbemNamespace::ExecQuery+0x2ae

7 0000003ebe29d9b0 00007ffd2aaad24a wuaueng!CSystemExprEvaluator::EvaluateWmiQuery+0x1e1

…

10 0000003ebe29df70 00007ffd2aaa7275 wuaueng!CAgentUpdateManager::EvaluateSingleApplicabilityRule+0x1a6

11 0000003ebe29e0a0 00007ffd2aaa6a76 wuaueng!CAgentUpdateManager::EvaluateUpdateApplicabilityRules+0x51a

12 0000003ebe29e8f0 00007ffd2a9857e9 wuaueng!CAgentUpdateManager::DetectForUpdate+0x3e7

13 0000003ebe29ead0 00007ffd2a997bdf wuaueng!CAgentUpdateManager::EvaluateUpdateSet+0x129

From the dump log ,We can see the hang is due to waiting for WBEM. WBEM is Web-Based Enterprise Management, and its Microsoft implementation is Windows Management Instrumentation (WMI).

When Windows Update is in “scanning for updates” state, the WMI provider in use is ServerManager.DeploymentProvider.

Below command is to compile servermanager.deploymentprovider.mof . If the ServerManager.DeploymentProvider is bad, this command will fix it. If the ServerManager.DeploymentProvider is good, below command will not cause any damage to the machine. Thus running this command is the troubleshooting action I chose.

Open cmd as an administrator

1. Run:  taskkill /f /fi “services eq wuauserv”
2. Run the following command to recompile the MOF file:  mofcomp c:\windows\system32\wbem\servermanager.deploymentprovider.mof
3. Restart the machine.

After the server reboot, software update scan went through successfully.

I could not able to find a way to check  whether ServerManager.DeploymentProvider is good or bad but compiling the MOF do not harm the server and that also fix the issue.

Hope it helps!

OverJoyed …..I got an email yesterday from the Microsoft MVP Award team saying that ,I have been awarded with Microsoft MVP award in Enterprise Mobility for 2017. I am extremely proud and honored to receive this award.

I started blogging (www.eskonr.com) in year 2009 to to share my technical views,tips and tricks that I have seen in my daily work on SMS 2003 /SCCM/Configmgr In 2012 and to keep this as my reference .I have no idea what the award means when I started blogging in the early stages of my career .It was purely on the basis of sharing the knowledge and helping the community. This blog has now over 2.5 million views since then with over 400+ subscribers ,500+ posts and 2000+ comments .

Here is what email says:

We are extremely pleased to present you with the 2017-2018 Microsoft Most Valuable Professional (MVP) Award! This award is given to exceptional technical community leaders who share their remarkable passion, real-world knowledge, and technical expertise with others through demonstration of exemplary commitment.

Thank you Microsoft for recognizing my contributions towards community.

Thanks to all  those who supported and encouraged me over the last few years (Janaka ,Niall Brady, Garth Jones)  and especially to my wife who let me spend time on blogging,being active in social communities .

Maintenance windows in SCCM Configmgr enable you to define a time when SCCM operations can be carried out on members of a device collection. These maintenance windows are helpful to ensure that client configuration changes occur during periods that do not affect the productivity of the organization. More information about  Maintenance windows refer https://docs.microsoft.com/en-us/sccm/core/clients/manage/collections/use-maintenance-windows

I had requirement to remove all Maintenance windows that are set on list of collections .Removing the Maintenance windows for each collection would be tedious task. Right click on collection ,select maintenance window and delete the Maintenance window.

Note:Removing the Maintenance windows allow to install deployments that are pushed to collections.

In this blog post, we will see how powershell can do this task in seconds for any number of collections that you pipe into txt file.

All you need is ,get the list of Collection IDs and supply it to text file ,run the script.

This script will not output any results to log file saying what is the existing Maintenance window and what is deleted. If you want ,you can customize the script to log the output.

This script uses 2 basic powershell cmdlets available in configuration manager module which are

Get-CMMaintenanceWindow Gets the maintenance windows for a collection

Remove-CMMaintenanceWindow Removes a maintenance window associated with a collection

Download the powershell script from Technet Gallary ,supply the list of collection IDs ,run the script.

Beginning with Configmgr Version 1702, clients use boundary groups to find a new software update point. You can add individual software update points to different boundary groups to control which servers a client can find.

More information about boundary groups and its relation with  software update point changes in 1702 and 1706 ,please refer TechNet link  https://docs.microsoft.com/en-us/sccm/core/servers/deploy/configure/boundary-groups ,it has lot of information than i explain.

Few weeks ago ,i was looking at the boundaries and boundary groups that are configured for my environment with its fallback information (distribution point and software update point).

I find it hard to locate the boundaries that are configured with fallback distribution points and fallback software update point.Incase you want to know the list of boundaries/boundary groups that are configured with fallback options,there is no default report.

I have created SSRS report that will help to pull information from SQL database into nice reporting .

References:

Relationships:

How does the report work ?

Download the report from Technet Gallary , upload the report into Configmgr SSRS reports folder,change the data source and run the report.

When you run the report, it prompt for Site Code since all the boundary groups that you created must have assigned to specific Site Code for site assignment. If you have not assigned the boundary groups to any specific site code, they will not be listed here .

So choose the Site Code (Primary or Secondary) or select All

Boundary groups that are assigned with specific Site Code will be listed with following information.

Boundary Group Name ,Site system Role,Site Code,Fallback Boundary Group,Fallback Site System,Fallback DP,Fallback SUP.

I was contacted by colleague that Configmgr is not showing the updates that were published day ago by SCUP . So i started checking the SCUP configuration (proxy) and the updates status if they are published or not using the date published and also verified SCUP logs.

From SCUP perspective,all looks good. Next to look at Configmgr ,in this ,i checked the SUP properties if the published products are selected or not , check the proxy details in site system role properties.

Next to look at proxy details that are configured in IE for system account for which ,you can use psexec tool to verify it.

How to open IE using system account or check the proxy details in cmd using pxecec ? run the cmd using administrator ,run psexec –i –s cmd.exe

Type netsh winhttp show proxy it must give you the proxy details if at all configured .Run the following command to open IE using system account

PsExec.exe -i -s "C:\Program Files\Internet Explorer\iexplore.exe"

set the proxy in IE ,once this is done ,come back to cmd prompt (system account) and run netsh winhttp import proxy source =ie to import the IE settings .

This also looks good to me .What else could go wrong for the updates not shown up in SCCM console ?

Now ,i move onto the SUP logs WCM.log and WSUSCtrl.log both looks good and the final log is sync log wsyncmgr.log which has some errors init.

Sync failed: UssCommunicationError: WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.~~at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request). Source: Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WsusSyncAction.WSyncAction.SyncWSUS

we know that ,there are no changes to IIS or any configurations in the last few months with respect to SSL. I have tried the sync by providing the user name in site system role properties to use credentials to connect to proxy server but it failed with same error.

After searching in Google with above error ,found few blogs that refers to https://technet.microsoft.com/en-us/library/dn265983.aspx (configure trusted roots) but they do not apply to me .

 https://the-d-spot.org/2011/05/17/sccm-sup-sync-failed-6703/

http://www.mssccmfaq.de/2012/06/02/sup-synchronisation-schlagt-fehl-could-not-establish-trust-relationship-for-the-ssltls-secure-channel/

https://www.windows-noob.com/forums/topic/7559-sup-sync-issue/

After sometime ,got to know from another colleague that ,there were some changes made to the proxy server by NOC team which requires SSL authentication. What it means is ,software update sync happens using system account instead of user account which require SSL authentication and in this case, we need to get approval from security team to allow the SCCM site server computer account to bypass or added to exception list.

References and troubleshooting https://support.microsoft.com/en-us/help/10329/configuring-software-update-synchronization-in-system-center-configura 

https://technet.microsoft.com/en-sg/library/bb892795.aspx

This blog post is going to be version 3 on the same topic (report for MS office versions) but with different requirements.My previous posts on ssrs report for count of MS office versions and drilled report to see client names etc will have some limitations like they will not give you bit type(architecture) like 32bit or 64bit of office installed on the client. They simply get the count of the MS office edition installed and then drill down further to get you the list of client computers with office edition,version,its OS and hardware scan date info.

Both the versions with ssrs report can be found on https://gallery.technet.microsoft.com/office/SCCM-Configmgr-Report-for-2c36f1b9 https://gallery.technet.microsoft.com/office/SCCM-Configmgr-2012-SSRS-c482cca2 and

https://support.microsoft.com/en-us/help/928516/description-of-product-code-guids-in-2007-office-suites-and-programs

After posting these 2 reports, blog viewers ,TechNet gallery and in forums have asked to get bit type (32bit or 64bit) information for the office product that is installed on the client.

I have lot of requests /posts in my To-DO list to blog about ,but due to time limitations ,i cannot bring all them.

So for this requirement to get 32bit and 64bit for MS office ,i found microsoft article to identify if the MS office is 32bit or 64bit. https://support.microsoft.com/en-us/help/928516/description-of-product-code-guids-in-2007-office-suites-and-programs and it is based on the product code.

This product is that we use to uninstall any software using msiexec /x {productID} /x

Below is the screenshot from the support article .

From the product code ,21st character from left (substring(productID,21,1) ) will tell you if it is 32bit or 64bit .

0 for x86

1 for x64

If you read support article ,there are lot of other information like release version (RTM,SP1,SP2 etc) ,release type (Volume,retail,trail) ,

This product ID is stored in different SQL views in CM database ,of which  we are going to utilize v_Add_Remove_Programs. For more information about SQL views in SCCM, please refer https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b

Following are the office editions are added into the report . If you have any other office editions which are not in below list ,please edit the report and append it.

'Microsoft Office Personal 2007'
'Microsoft Office Professional 2007'
'Microsoft Office Professional 2007 Trial'
'Microsoft Office Professional Hybrid 2007'
'Microsoft Office Professional Plus 2007'
'Microsoft Office Professional Plus 2007 (Beta)'
'Microsoft Office Standard 2007'
'Microsoft Office Standard 2007 Trial'
'Microsoft Office Ultimate 2007'
'Microsoft Office Enterprise 2007'
'Microsoft Office Ultimate 2007'
'Microsoft Office Ultimate 2007'
'Microsoft Office 2010'
'Microsoft Office Professional Plus 2010'
'Microsoft Office Standard 2010'
'Microsoft Office Professional 2010'
'Microsoft Office Home and Student 2010'
'Microsoft Office Home and Business 2010'
'Microsoft Office Professional Plus 2010 (Beta)'
'Microsoft Office Starter 2010 - English'
'Microsoft Office 2013'
'Microsoft Office Professional Plus 2013'
'Microsoft Office Standard 2013'
'Microsoft Office Professional 2013'
'Microsoft Office Home and Student 2013'
'Microsoft Office Home and Business 2013'
'Microsoft Office Professional Plus 2013 (Beta)'
'Microsoft Office Starter 2013 - English'
'Microsoft Office 2016'
'Microsoft Office Professional Plus 2016'
'Microsoft Office Standard 2016'
'Microsoft Office Professional 2016'
'Microsoft Office Home and Student 2016'
'Microsoft Office Home and Business 2016'
'Microsoft Office Professional Plus 2016 (Beta)'
'Microsoft Office Starter 2016 - English'

As usual ,download the SSRS reports (rdl) files from Technet gallery here ,upload to your reporting folder in SCCM reports,change the data source and run the report.

Output:

Linked report:

This report supports RBA (role based administration) functionality.

Note that, 2nd report (drilled report) cannot be run individually and to run that, you must run the 1st report which is count of office versions and drill to 2nd report.

SQL code and parameter values for dataset (RBA): The following information is for your information only and no input required from you to run this report.

DataSetAdminID:select dbo.fn_rbac_GetAdminIDsfromUserSIDs(@UserTokenSIDs) as UserSIDs

Parameter for UserTokenSIDs: General—>Parameter visibility—>Internal, default values—>specify values—>=SrsResources.UserIdentity.GetUserSIDs(User!UserID)
Parameter for UserSIDs:General—>Parameter visibility—>Internal, default values—>Get values from a query and choose DatasetAdminID

you can always edit the RDL files ,customize it.

Happy reporting!

Using compliance settings in Configmgr, you can do many tasks as part of compliance. In the last couple of blogs, we have utilized compliance settings to identify WU settings,automatic update,trusted publisher settings etc. http://eskonr.com/2017/10/configmgr-how-to-use-compliance-settings-to-check-the-windows-update-policy-settings-like-wuserver-usewuservernoautoupdate-on-clients/

In this blog post ,we will see how to use compliance settings to check for Windows update agent version if it is older or latest one as per https://support.microsoft.com/en-us/help/949104/how-to-update-the-windows-update-agent-to-the-latest-version.

The Windows Update Agent runs on each client computer and checks for availability of updates. If you are using configmgr ,when the software update scan cycle runs ,a scan request is passed to the Windows Update Agent (WUA). This WUA then connects to the WSUS server location that is listed in the local policy (this policy will be created at the time of configmgr client installation), retrieves the software updates metadata (update catalog) that has been synchronized on the WSUS server, and scans the client computer for the updates. To read further on software updates https://docs.microsoft.com/en-us/sccm/sum/understand/software-updates-introduction

Daniel (PotentEngineer) has document all the versions of windows update agent on http://www.potentengineer.com/windows-update-agent-build-numbers-for-windows-7/

There are lot  cases on windows update issue which happened due to old version of windows update hence you need focus on brining the windows update agent to latest supported version.

I will not go in-detail (step by step) about how to create configuration Item and Configuration baseline instead ,i will guide you through the settings that you need configure for Windows update agent.

Though the configurations used in the settings/creation of rule in compliance setting is very simple ,i would like to get it in this blog post along with SQL Query and WQL collection to identify how many clients in your organisation are running older .

1.Define Compliance setting for the applicable OS (Windows update agent varies from OS to OS)  .This blog post focus on windows 7.

Once you deploy the configuration baseline to collection ,clients will perform the CI evaluation and send the results to Configmgr which will help you to create collection from the baseline results and deploy latest windows update agent.

Compliance Item :

New setting:

New Rule:  Replace the windows update agent that you are looking for.

Note: The above WUA agent is only for windows 7 hence you need to configure the OS while creation of CI or deploy this to only windows 7 collection.

If you want to create the rule for multiple OS to check WUA version ,you can try something like below (it is untested at the time of writing the blog post).

Make sure you add the latest version of windows update agent into the one of list.

2.WQL Query for collection:

Ronni has nice post on this ,please follow it https://www.ronnipedersen.com/2015/06/04/updating-the-windows-update-agent-on-windows-7-clients/

3.SQL Query:

Windows update agent version stored in v_GS_WINDOWSUPDATEAGENTVERSION  SQL view.

We will use this SQL view to find count of versions.

select a.version0 as 'WUA Version', count(*) as 'Total'
from v_GS_WINDOWSUPDATEAGENTVERSION as a
group by a.version0
order by 2 desc

More information http://eskonr.com/2010/02/sccm-collection-for-windows-update-agent/ 

Using this ,you can create nice SSRS report .you can also create drilldown report to find what are the machines that are running lower versions with computer name ,user name etc.

List of SCCM Configmgr SQL views documentation is available on TechNet https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b

I had request to disable the setting ‘Allow the computer to turn off this device to save power’ in power management settings on network adaptor.

From the screenshot above,there are 3 settings that will help for wake on Lan .All these settings information stored in client WMI. we want to uncheck the first option (Allow the computer to turn off this device to save power’ ) by leaving the rest of the 2 controls as it is.

In this blog post ,we will see how to change the power management settings on client using configuration manager compliance settings.

Before i go into compliance settings, i will provide you the WMI class and instance that store the information about power management settings ,so we can make use of these options in compliance settings

1. Allow the computer to turn off this device to save power , wmi class: root\wmi , instance:MSPower_DeviceEnable , property:Enable
2. Allow this device to wake the computer ,wmi class:root\wmi  , instance: MSPower_DeviceWakeEnable , property:Enable
3.Only allow a magic packet to wake the computer ,wmi class:root\wmi  , instance: MSNdis_DeviceWakeOnMagicPacketOnly, property:Enable

After you have the information about wmi ,it is easy to create configuration item and configuration baseline.

Create configuration item with name: Disable ‘Allow the computer to turn off this device to save power’ ,leave the default settings ,click next,choose the operating system that you want to deploy this setting

Under settings, create new with following information:

Name:MSPower_DeviceEnable ,Setting Tpe: WQL Query ,Data Type: Boolean , wmi class: root\wmi , instance:MSPower_DeviceEnable , property:Enable ,WQL Query: InstanceName like 'PCI%'

For other 2 settings ,all you  need is ,change the class with information given above in point 2 and 3.

Click on Compliance Rule ,click New ,follow the below settings.

For other 2 settings point 2 and 3 ,you can either set to True or False as per your needs.

Click ok

We now created configuration item and ready to create configuration baseline and deploy to Device Collection.

When you deploy the configuration baseline, make sure you choose the following setting to remediate (Allow remediation outside maintenance window is upto you ,you can either for maintenance window or ignore the window and remediate the setting)

End user results:

Hope it helps!

Microsoft released December month ConfigMgr Technical Preview version (1712). It has been while since I look at my SCCM Tech preview lab. So I had chance to look at the new features that are released with this preview version and play around it in my lab.

Following are the new features released with this preview version (This is only for lab purpose,not for production release).

Do not automatically upgrade superseded applications

Install multiple applications in Software Center

Client-based PXE responder service

Change in the Configuration Manager client install

Change to the Surface device dashboard

Improvements to Office 365 Client Management dashboard

Improvements to the Configuration Manager console

Improvements to operating system deployment

Windows 10 Feedback Hub app integration

More information about these features and documentation,please refer https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1712 

As usual ,I open the console ,go to administration node, from updates and servicing ,click on check for updates .After a while (make sure you have internet connection for this to work) ,I saw Configuration manager technical preview 1712 but the state stuck at downloading for longer period . I looked at the internet connection if there is any outage ,internet connection looks good.Since my configmgr lab is running on virtual environment ,there is no AV (antivirus product running ). I went ahead to look at the log file that track the information about download of updates dmpdownloader.log . As you can see in the below snippet ,it throw different error codes.

Error in verifying the trust of file 'F:\ConfigMgr\EasySetupPayload\51d629d3-c355-4b80-ad6f-ba44b27f84ed.cab'.

after few lines later ,I can see the following error code.

Error in verifying the trust of file 'F:\ConfigMgr\EasySetupPayload\51d629d3-c355-4b80-ad6f-ba44b27f84ed.cab'.

WARNING: Failed to call IsFileTrusted

I tried the solution given in the TechNet article when  the update stuck with a state of Downloading in the Updates and Servicing node https://docs.microsoft.com/en-us/sccm/core/servers/deploy/install/release-notes but it doesn’t help for me ( I changed the registry key value ,stop the SMS_DMP_downloader component and start).

If you look at the folder F:\ConfigMgr\EasySetupPayload as per the log ,you will see cab file with hash ID:51d629d3-c355-4b80-ad6f-ba44b27f84ed and size is 0 bytes.

Usually this cab file should be of size around 600MB+ as this is set of installation files that will be used to update the configmgr to new version.

So I search in the log file using hash ID:51d629d3-c355-4b80-ad6f-ba44b27f84ed  ,I got URL http://download.microsoft.com/download/6/6/B/66B981F8-5740-4072-9B74-767541EA9915/51D629D3-C355-4B80-AD6F-BA44B27F84ED.cab

After I download the file manually ,put it in folder F:\ConfigMgr\EasySetupPayload  . Once you are done with it , open the configuration manager service manager ,stop SMS_DMP_DOWNLOADER ,start the component.

Monitor the log file dmpdownloader.log ,you will see the extraction of the cab file will be happening and after a while ,the cab file will disappear from F:\ConfigMgr\EasySetupPayload  folder.

If you did not notice any errors in the log file, you are good to install the update from console .Go back to your console and install the update ,monitor the status using cmupdate.log and ConfigMgrSetup.log.

At the end ,you will see the following screen to upgrade the existing console to new version.

Hope it helps!

Deploying Onedrive for Business is straight forward .The command line switches are very simple :"OneDriveSetup.exe" /silent ,but when you create application in Configmgr, there are couple of things that you need to focus on like detection method and install behaviour.

If you search online ,how to deploy onedrive for business using Configmgr, you will get various post however the following method is what i have been using and it works fine . I would like to share the solution in simple steps.

Create application that you do normally but use use the following information to fill detection method ,User experience and install command line .

Install command line:"OneDriveSetup.exe" /silent

Detection method : The version that i deployed to users (user based collection) is 17.3.7076.1026 hence my detection method will look for 17.3.7076.1026. (There is already latest version available yet to deploy )

Onedrive for Business will store the installation files in user profile (C:\Users\eswar.koneti\AppData\Local\Microsoft\OneDrive)

Registry key from user profile for uninstall:

Setting Type: Registry

Hive: HKCU

Key:Software\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe

Value:DisplayVersion

Date Type: String

User Experience:

Requirements:

Choose the OS that you want to install the application . Since this is user based deployment ,would recommended to limit this to workstation OS (windows 7,windows 8 and windows 10 but not to server operating system unless there is need to use onedrive on server OS)

On windows 7, there is no onedrive by default hence you need to install but on windows 10 ,there is onedrive comes with OS however you need to check if the installed onedrive is latest version or not ,if not ,then you can above method to install the latest version.

By installing the latest version (using above method) will remove the old version from user profile and install new version.

Before you use this solution on mass deployment ,deploy this to pilot users (few) and see how this works.

Deploy the application to user collection and you are good.

If you have any issues with this ,post via comment section.

If you are using Microsoft intune as MDM solution to manage mobile devices ,you will certainly hit the requirement of managing Internet access using Managed Browser policies with Microsoft Intune to allow or block,bookmark and set home page with certain URL’s.

Intune Managed Browser is a web browsing application that you can download from public app stores (apple store or Google play store) for use in your organization. Since this app has integration with the Intune SDK, you can also apply app protection policies like controlling cut ,copy,paste that comes with intune app protection policies.

If you are allowing end users to use managed browser for corporate use ,you must apply app protection policies and restrict managed apps to open the URL’s in intune browser .

If you are controlling the data on the managed apps using application protection policies ,you have the option of opening the URL within the managed apps using intune browser hence it is good advice to configure URL’s what is allowed and what is blocked for security reasons.

In this blog post ,we will see how to bookmark ,set homepage ,allow and block certain URLs for the Managed Browser .

1. Login to www.portal.azure.com

2.Click on Intune node ,browse through Mobile apps ,App Configuration Policies (https://portal.azure.com/#blade/Microsoft_Intune_Apps/MainMenu/14/selectedMenuItem/Overview)

Or you can also click on Intune app Protection node (soon this node will be removed and you are required to use above option) ,under App management ,click on App Configuration (https://portal.azure.com/#blade/Microsoft_Intune/SummaryBlade/2)

3. Click on Add Config ,supply name and description

4. Under select required app ,choose Managed Browser (ManBro) for both iOS and Andriod,click Ok

5.Under Configuration ,first identify the URL’s that you want to allow .If you have requirement to block certain URL’s ,follow the steps above ,change the name to block.

You need to supply 2 values in the configuration 1.Name and 2.Value

Key Name to Allow URL’s:

Key Name to block URL’s:

I want to allow couple of URL’s that intune users access via browser are separated by (|)

http://eskonr.com/*|https://*.microsoft.com/*|https://expenses.contoso.com|http://www.eskonr.com:8080

http://eskonr.com/* –>Match all URL’s that begin with eskonr.com

https://*.microsoft.com/* –>Match all subdomains under

http://www.eskonr.com:8080 –>match single webpage that contains port number

To allow authentication, and access to Intune documentation, *.microsoft.com is exempt from the allow or block list settings. It is always allowed.

If you want to block any specific URL’s,add the above values in block list key value.

How to bookmarks specific URL’s ?

Key Name to bookmark:

microsoft.intune.mam.managedbrowser.homepage

Values:

Cyberark|https://cybr.intranet.asia/PasswordVault/default.aspx||Eswar Koneti Blog|http://www.eskonr.com

Each bookmark consists of the bookmark title, and the bookmark URL. Separate the title, and URL with the | character.

To configure multiple bookmarks, separate each pair with the double character, ||

6.Click Save,go to assignments and add group who should receive these settings.

End User Experience:

After you create the configuration and assign to group (list of users), on mobile device that was enrolled or MAM-WE(without enrolled) ,open intune browser ,you will see the changes that we configured in homepage ,bookmarks.

If you try to access any URL in the browser which is not allowed ,you will see message saying the URL is blocked. Unless you go back to the setting and allow ,user cannot open the URL using intune browser.

References:

https://docs.microsoft.com/en-us/intune/app-configuration-managed-browser

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-application-proxy-get-started#how-to-get-started

I was looking at the console other day and found that, there were many collections created in the root folder (device collection) with 0 count. So i looked at the collection properties ,i found empty there  (No direct or query based rule).

So i decided to write SQL query to identify the list of collections that have empty results with no query rules (Direct or query based) defined in it.

For this query ,i have used 2 SQL views (v_Collection and v_CollectionRuleQuery ) .

For full list of SQL views that exist in SCCM Configmgr ,please refer https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b .

Following is the SQL Code to identify empty collections with no query rule defined ,You can delete these collections to simplify the list of collections displayed when deploying objects as part of maintenance tasks ,unless there is a reason to be in the console.

You can use the following code to create SSRS report as well.

select coll.CollectionID,coll.Name,
case when coll.CollectionType='1' then 'User' else 'Device' end as 'Collection Type'
from v_Collection coll
where coll.collectionid not in (select CRQ.collectionid from v_CollectionRuleQuery CRQ)
and coll.MemberCount=0
group by coll.CollectionID,coll.Name,coll.CollectionType

Configuration manager Technical preview 1708 has ability to identify Applications without deployments and Empty collections as part of Management insights.  More information ,please read https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1708#management-insights

Hope it helps!

Introduction:

Boundaries for SCCM define network locations on your intranet that can contain devices that you want to manage. Boundary groups are logical groups of boundaries that you configure. For more information click here

Few days ago ,Jason Sandy’s has blogged about boundary group caching and missing boundaries ,more details ,read through https://home.configmgrftw.com/boundary-group-caching-and-missing-boundaries-in-configmgr .

This is one of the highly needed solution that everyone must implement in their environment to evaluate what is their accuracy of the boundaries /boundary groups defined. Boundaries play major role for site assignment and content download. If you do not define the boundaries correctly,client will not function as expected hence it take up lot of your time to troubleshoot and identify it is because of missing boundaries and it is recurring issue.

Jason has covered most of the part about missing boundaries,Boundary group caching ,wmi location and basic SQL query . In this blog post, i am going to show you how to get list of the clients devices that are missing in the boundaries/boundary groups using SSRS Report and troubleshoot these devices. Sometimes You may see something like ‘waiting for content download forever’ in software center and this is because of boundaries/boundary group are missing .

This blog post will help you to identify such client devices with its basic  inventory information like OS,hardware inventory ,software update scan,IP address, last reboot etc.

You can also use other methods to achieve this solution using Compliance Item/baseline but HINV method will give you more information and better reporting .

How to create report/upload report ?

Before you download the report ,please make the necessary changes as per the guideline from Jason Sandy's post.

Following are quick points to implement the changes:

1.Open SCCM console ,go to client settings, edit default client settings ,hardware inventory ,set classes,add,choose the wmi namespace and add ,once the boundary group cache added ,uncheck it from default settings and click ok. For more information ,how to add custom inventory ,you can refer guide here

2.Go to your custom client agent settings (if you have ,else you can make these changes in default client settings)

,hardware inventory ,set classes ,choose the class name that we added in default client agent settings.

3.Monitor dataldr.log to see if these changes are processing and view are created in SQL database (v_GS_BOUNDARYGROUPCACHE).

Once you are done with above steps ,download the SSRS report from Technet Gallary ,upload to your SCCM reports ,change the data source and run it.

Report will display the following information. This report is created with filter Client0='1' .I do not want to display the client information that do not have SCCM client .

Note: As of CB 1610, all clients that do not fall within the scope of a defined boundary group will be associated with the Default Boundary Group. This is not reflected in the BoundaryGroupCache class. Essentially, if the instance of the BoundaryGroupCache class contains no BoundaryGroupIDs, then the client is considered within the scope of the Default Boundary Group.

How to troubleshoot these missing boundaries that are displayed in report:

1. From the report, we see that ,it has one device with its IP address . So we can go back to SCCM console ,look at under boundaries if the this IP address is part of the specified boundaries or not (it is ALWAYS recommended go with IP address range while defining the boundaries unless you have any specific reason not to use it) .

2.Make sure the client device has sent the inventory report successfully after you have made changes in the HINV and they are deployed to collection.

3.If the IP address is defined in boundaries ,check for boundary group ,if it is not ,add to boundary group with site system role .

4.If the IP address is part of boundaries and boundary group .what else can cause the client device appear in this report ?

5. If boundaries and boundary groups are added correctly ,MP must have returned the list of the distribution points that are configured in boundary groups for client to pick for content download.

6.If all above points looks ok ,would suggest to take a look at the client device logs (clientlocation.log ,locationservices.log and ContentTransferManager.log that will help you to identify the DP details.

Happy troubleshooting!

After the release of Configmgr Current branch version 1710 ,one of the primary issue was that ‘clients are not upgraded on systems that are running Windows Server 2008 SP2’ ,installation terminates with error code

‘Faulting application ccmsetup.exe, version 5.0.8577.1000, time stamp 0x5a03cc4c, faulting module KERNEL32.dll!K32EnumProcessModules’

So Microsoft released hotfix rollup update for Configmgr 1710 that resolves above issue along with many other issues listed in the support document https://support.microsoft.com/help/4057517.

This update is available for installation in the Updates and Servicing node of the Configuration Manager console. It also applies to customers that are running Configuration Manager version 1710, first wave.

To install ,right click on the update and choose install update pack,next ,choose  pre-production collection to validate the client package (on collection) before updating the production client package ,accept the terms and conditions

Click next

Go to monitoring node ,updates and servicing status ,click on hotfix rollup ,click show status

you can also monitor the status using the log file ConfigMgrSetup.log located in the root of windows drive (C:\)

Once the installation is finished, you will be promoted to install new console version

Site Version:5.0.8577.1000

Console Version:5.0.8577.1108

Client Version:5.0.8577.1108

Once the installation is done on the primary site, you must manually update the secondary sites (if you have any). To update a secondary site, click Administration, click Site Configuration, click Sites, click Recover Secondary Site, and then select the secondary site. The primary site then reinstalls that secondary site by using the updated files. Configurations and settings for the secondary site are not affected by this reinstallation.

To know if all the secondary sites are in sync with primary site update ,you can run the following SQL code on primary site .

select dbo.fnGetSecondarySiteCMUpdateStatus ('SS1')

SS1: Site of secondary site.

• If a value of 1 is returned, the site is up-to-date and has all the hotfixes applied to its parent primary site.
• If a value of 0 is returned, the site has not installed all the fixes that were applied to the primary site, and you should use the Recover Secondary Site option to update the secondary site.

References:

https://support.microsoft.com/en-us/help/4057517/update-rollup-for-system-center-configuration-manager-current-branch-v

Microsoft released first ConfigMgr Technical preview version for this year 2018 with some exciting features.

To use the technical preview, you must first install a baseline version of the technical preview build i.e Technical Preview 1711. After installing a baseline version, you then use in-console updates to bring your installation up-to-date with the most recent preview version. Typically, new versions of the Technical Preview are available each month.

If you plan to build new lab ,download the preview baseline version 1711 is available from the TechNet Evaluation Center.

The following are new features you can try out with this version:

1.Phased deployments
2.Co-management reporting
3.Improvements to automatic deployment rule evaluation schedule
4.Reassign distribution point
5.Improvements to hardware inventory
6.Improvements to client settings for Software Center
7.New settings for Windows Defender Application Guard
8.Improvements to Run Scripts

To know more about these features ,Please read through https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1801

To see the updates ,open the console ,click check for updates ,follow the log dmpdownloader.log

You can monitor the configmgrsetup.log and also from monitor status.

With this new features ,there are couple of new SQL tables/Views created that help us to some nice SSRS reports .

vSMS_PhasedDeployment

SMS_ScriptsExecutionSummary

Happy exploring new features.

Yammer  is enterprise social networking service used for private communication within organizations. Access to a Yammer network is determined by a user's Internet domain so that only individuals with approved email addresses may join their respective networks.

Yammer can be used to discuss ideas, share updates, and crowd source answers from co-workers around the globe. Yammer gives you a faster, smarter way to connect and collaborate across your company.

If your organisation moved to O365 ,you will hit requirement to deploy O365 applications like Microsoft Teams,Onedrive,Yammer ,AIP etc. All of these applications (except AIP) are user specific and they will be installed in user profile (%AppData%) instead of %programfiles%

Deploying applications to computers would be straight forward but for applications that are user specific and installation does in %appdata% ,there will be little challenges for application detection method .

Application detection is one of the main criteria to identify if the application is installed correctly or not ,also it helps to reinstall the app if the app is removed on user machine (this happens with application deployment evaluation cycle ).

As i mentioned in my previous blog deploying Microsoft Onedrive using Configmgr , we will be similar method with detection rule for Yammer also.

Before we start of with this ,Download Yammer client (MSI) file from https://support.office.com/en-us/article/yammer-for-windows-and-mac-50920c05-cbfc-4f11-8503-e20fb2e623a5 .

Once the MSI file downloaded ,extract the file using 7zip or WinRAR to get the actual installer used to deploy to users. You will see something like below.

Copy the file to your SCCM source files ,start creating Application as you do for other EXE applications.

For Deployment Type ,choose script Installer

Installation Program:"yammerdesktop.exe" /s

Uninstallation Program:"%LocalAppData%\yammerdesktop\Update.exe" --uninstall -s

Detection Rule:

Key: Software\Microsoft\Windows\CurrentVersion\Uninstall\yammerdesktop

Value:DisplayVersion

change the version value (1.3.1) name as per the application you are installing.

User Experience:

Requirements: Windows 7,windows 10 (based on where you need this to be installed).

Deploy the application to user collection .So when the user receive policy (user policy evaluation cycle) ,application will get install and shortcut icon will be created on users desktop.

Following is the registry location that application get installed.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\yammerdesktop

Hope it helps!