Channel: SCCM – All about Microsoft Endpoint Manager

SCCM Configmgr Technical Preview 1802 available


On this Valentine's Day (Feb 14, 2018), Microsoft released the February 2018 Technical Preview version 1802 for Configuration Manager, with a larger number of features (21) than any release before. These monthly Technical Previews are generally released on Fridays, but this time it shipped a few days earlier.

You can install this version to update and add new capabilities to your SCCM Technical Preview site. To use the Technical Preview version, you must first install a baseline version of the Technical Preview build, i.e. Technical Preview 1711. After installing a baseline version, you then use in-console updates to bring your installation up to date with the most recent preview version. Typically, new versions of the Technical Preview are available each month.

If you plan to build a new lab, the preview baseline version 1711 is available for download from the TechNet Evaluation Center.

The following are new features you can try out with this Tech Preview 1802 version (21 features/updates):

  1. Transition Endpoint Protection workload to Intune using co-management
  2. Configure Windows Delivery Optimization to use Configuration Manager boundary groups
  3. Windows 10 in-place upgrade task sequence via cloud management gateway
  4. Improvements to Windows 10 in-place upgrade task sequence
  5. Improvements to PXE-enabled distribution points
  6. Deployment templates for task sequences
  7. Product lifecycle dashboard
  8. Improvements to reporting
  9. Improvements to Software Center
  10. Improvements to Run Scripts
  11. Boundary group fallback for management points
  12. Improved support for CNG certificates
  13. Cloud management gateway support for Azure Resource Manager
  14. Approve application requests for users per device
  15. Use Software Center to browse and install user-available applications on Azure AD-joined devices
  16. Report on Windows AutoPilot device information
  17. Improvements to Configuration Manager Policies for Windows Device Exploit Guard
  18. Microsoft Edge browser policies
  19. Report for default browser counts
  20. Support for Windows 10 ARM64 devices
  21. Changes to Phased Deployments

To know more about these features, please read through https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1802

To install this Technical Preview, log in to your console, go to Administration > Updates and Servicing, click Check for updates (make sure you have an internet connection) and wait a while for the entry to appear in the console.


Right-click the update and choose Download.


Downloading of the update can be monitored using the log file dmpdownloader.log


Right-click the downloaded update and click Install.


Click next next next


Once the installation is done, go to the Monitoring section to check the installation status. You can also monitor cmupdate.log and ConfigMgrSetup.log.


Features are explored below

Boundary group fallback for management points:


Hide Installed Applications in Software Center:


Report for default browser counts:


Happy exploring !


Using SCCM how to check if the user mailbox is migrated to exchange online (cloud) from on-prem exchange


Introduction:

We are in the process of migrating user mailboxes from on-prem Exchange to Office 365 (cloud). As part of this project, one of the requirements is to deploy the Office 365 ProPlus (Click-to-Run) application to all users, replacing the old version of Microsoft Office. We use the PowerShell App Deployment Toolkit, which simplifies the complex scripting challenges of deploying applications in the enterprise, provides a consistent deployment experience and improves installation success rates.

Once users have Office 365 ProPlus and the other Office 365 components such as Microsoft Teams, Yammer, OneDrive etc., the final task is to migrate the user mailbox to the cloud. The mailbox migration can happen first, in the middle or last; there is no fixed sequence, as it is an independent task.

Deployment of Office ProPlus and the other components is done by SCCM, so we can create nice dashboards/reports to monitor the progress of the deployments, but we are missing the mailbox migration status, which happens from the on-prem Exchange server to Exchange Online (EOL).

How do we get the status of mailbox migration from on-prem to exchange online using SCCM ?

I am not an Exchange guy, hence I may not be able to provide much information about the theory behind this; if you have any questions around Exchange Online or mailbox migration, you can reach out to the TechNet forums or contact Microsoft support.

When the mailbox is moved (sync and cutover) from on-prem to Exchange Online, a couple of attributes are set in Active Directory. Some of them are listed below.

msExchVersion
msExchRecipientDisplayType
msExchRecipientTypeDetails
msExchRemoteRecipientType
targetAddress

By default, when the user mailbox is on-prem, the targetAddress attribute is empty (it does not contain any value). Once the user mailbox is moved to the cloud, this attribute is set to username@yourtenantname.mail.onmicrosoft.com.

For example, the user's email address is Demo1@eskor.com and after the migration, targetAddress is set to Demo1@koneti.mail.onmicrosoft.com (where koneti is my tenant name).

Once this attribute is stamped with the cloud address, we can use SCCM to discover it using Active Directory User Discovery and put that information into an SSRS report.

A quick way to view an object's Active Directory targetAddress attribute is through the Active Directory Users and Computers console. In AD Users and Computers, ensure that Advanced Features is enabled under the View menu.


Go to the OU, locate the object you are looking for, right-click it, choose Properties, open the Attribute Editor tab and locate targetAddress.
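The same check done from PowerShell, as an added example that is not part of the original post: a function that classifies users as migrated or on-prem from targetAddress, using the post's tenant name koneti and constructed sample users in place of Get-ADUser output.

```powershell
# Added example (not from the original post): classify users as migrated to
# Exchange Online or still on-prem from the targetAddress attribute, the same
# check the post makes in the Attribute Editor. The tenant name 'koneti' comes
# from the post; the sample users below are constructed for demonstration.
function Get-MailboxLocation {
    [CmdletBinding()]
    param(
        # Objects with UserPrincipalName, mail and targetAddress properties,
        # e.g. the output of Get-ADUser -Properties mail,targetAddress
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [Parameter(Mandatory)] [string] $TenantName
    )
    process {
        $cloudSuffix = "@$TenantName.mail.onmicrosoft.com"
        # targetAddress is normally stored with an address-type prefix, e.g. SMTP:user@...
        $target  = [string]$User.targetAddress
        $address = $target -replace '^smtp:', ''

        $location = if ([string]::IsNullOrEmpty($target)) {
            'OnPrem'          # empty targetAddress: mailbox still on-prem, as the post describes
        } elseif ($address.EndsWith($cloudSuffix, [System.StringComparison]::OrdinalIgnoreCase)) {
            'ExchangeOnline'  # stamped with this tenant's remote routing address
        } else {
            'Unknown'         # set, but not pointing at this tenant; review manually
        }

        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            Mail              = $User.mail
            TargetAddress     = $target
            MailboxLocation   = $location
        }
    }
}

# Constructed sample input standing in for Get-ADUser output.
$sampleUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'Demo1@eskor.com'; mail = 'Demo1@eskor.com'
                       targetAddress = 'SMTP:Demo1@koneti.mail.onmicrosoft.com' }
    [pscustomobject]@{ UserPrincipalName = 'Demo2@eskor.com'; mail = 'Demo2@eskor.com'
                       targetAddress = $null }
    [pscustomobject]@{ UserPrincipalName = 'Demo3@eskor.com'; mail = 'Demo3@eskor.com'
                       targetAddress = 'SMTP:Demo3@othertenant.mail.onmicrosoft.com' }
)

$sampleUsers | Get-MailboxLocation -TenantName 'koneti' | Format-Table -AutoSize

# Against a real domain (requires the ActiveDirectory module), the same function
# gives the migration status before SCCM user discovery has picked the attribute up:
# Get-ADUser -Filter 'mail -like "*"' -Properties mail,targetAddress |
#     Get-MailboxLocation -TenantName 'koneti' |
#     Group-Object MailboxLocation | Select-Object Name, Count
```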


How do we discover this attribute into SCCM ?

Go to your SCCM console, Administration > Hierarchy Configuration > Discovery Methods, and choose Active Directory User Discovery.

From the available attributes, choose targetAddress, click Add, then click OK.


Once this is done, you will need to wait for the user discovery to happen (delta discovery), or you can force the discovery cycle by right-clicking the discovery method.


After the discovery runs, you will have targetaddress0 in the v_R_User SQL view to create SSRS reports.

A couple of the SQL views that I used to create the SSRS report with Office 365 ProPlus installation, user mail, user name, cloud information and user group are listed below.

v_r_user

v_GS_OFFICE365PROPLUSCONFIGURATIONS

v_RA_User_UserGroupName

v_R_System

and finally SSRS report:


Hope it helps!

SCCM Configmgr Current Branch 1802 is now available new features and product enhancements!


Microsoft released Configuration Manager Current Branch version 1802 as an in-console update. You can apply this update on sites that run version 1702, 1706, or 1710.

This build is also available as a baseline version, which means you can use this media to install new ConfigMgr sites.

You can download the baseline media from the MVLS (VLSC) site. For example, on the VLSC you can search for System Center Config Mgr (current branch and LTSB), and both the 1802 and 1702 baseline media are returned and available for download.

Before you start installing this update, as a standalone install or an upgrade, you must go through the checklist: the build version must be 1702 or above, the ADK version should be 1709, etc. More info: https://docs.microsoft.com/en-us/sccm/core/servers/manage/checklist-for-installing-update-1802

With this version there are almost 37 new capabilities and changes, which are listed below.

Reassign distribution point

Configure Windows Delivery Optimization to use Configuration Manager boundary groups

Support for Windows 10 ARM64 devices

Improved support for CNG certificates

Boundary group fallback for management points

Cloud distribution point site affinity

Management insights

Cloud management gateway support for Azure Resource Manager

Improvements to cloud management gateway

Configure hardware inventory to collect strings larger than 255 characters

Deprecation announcement for Linux and Unix client support

Surface device dashboard

Change in the Configuration Manager client install

Transition Endpoint Protection workload to Intune using co-management

Co-management dashboard in System Center Configuration Manager

Microsoft Edge browser policies

Allow user interaction when installing an application

Do not automatically upgrade superseded applications

Approve application requests for users per device

Run scripts improvements

Windows 10 in-place upgrade task sequence via cloud management gateway

Improvements to Windows 10 in-place upgrade task sequence

Improvements to operating system deployment

Deployment templates for task sequences

Phased deployments for task sequences

Install multiple applications in Software Center

Use Software Center to browse and install user-available applications on Azure AD-joined devices

Hide installed applications in Software Center

Hide unapproved applications in Software Center

Software Center shows user additional compliance information

Schedule automatic deployment rule evaluation to be offset from a base day.

Report for default browser counts

Report on Windows AutoPilot device information

Report on Windows 10 Servicing details for a specific collection

Improvements to Configuration Manager Policies for Windows Defender Exploit Guard

New host interaction settings for Windows Defender Application Guard

Improvements to the Configuration Manager console

How do you get this update in your console to install?

Currently this update is available only via the fast ring, which means you need to run a PowerShell script to make this update available in your ConfigMgr console.

Download the PowerShell script from the TechNet gallery and run it: https://gallery.technet.microsoft.com/ConfigMgr-1802-Enable-4c8c0003

Once you run the script, open the console, click on Updates and Servicing and wait for the update to show up.

If you do not see the update in the console, restart the SMS_Executive service and refresh the node.

Alternatively, you can follow the log dmpdownloader.log.


You can also use SQL query to check the list of available updates in updates and servicing node:

select * from vSMS_CM_UpdatePackages


The update will be downloaded to the EasySetupPayload folder, into a subfolder named with the GUID of the update.


The status of update 1802 in the console will change to Downloading.


After some time, the state will change to Ready to install.


Choose the update and click Install Update Pack, or, as recommended, run the prerequisite check before installing the update pack.


Click Next to continue. Choose the new features that you are interested in. You can also enable these features after the update is installed.


Click Next, Next to see the last page.


Once it is done, you can monitor the status.


I had a failure because of low disk space on the ConfigMgr drive (<15 GB), so once I extended it, I re-initiated the job.


It will take 30+ minutes to finish the job; once it is done, you will be prompted to install the new console.


Site version/console version:


Additional resources:

Configmgr troubleshooting clients with update scan issues for office 365 client updates


Introduction:

Office 365 ProPlus is one of the subscription service plans in the new Office. It is productivity software (including Word, PowerPoint, Excel, Outlook, OneNote, Publisher, Access, Skype for Business) that is installed on your desktop or laptop computer. Office 365 ProPlus is a user-based service that allows people to access Office experiences on up to 5 PCs or Macs and on their mobile devices. Traditional Office installations were tied to the computers they were installed on.

A few months ago, we started rolling out Office 365 ProPlus (the cloud version) using ConfigMgr Current Branch. I created an application using the PowerShell App Deployment Toolkit in combination with the OffScrub scripts from Microsoft. Using these two scripts, you can fully automate the installation of Office 365 ProPlus by removing the old versions of Office (2007, 2010, 2013 and 2016 MSI-based) and installing the cloud version. I will write a blog post on how to use these two scripts to create an application that installs ProPlus, and on the GPO settings you need to consider for ProPlus (performance issues, patching mechanism etc.).

Problem:

Coming to this blog post: we have a mixed environment that includes laptops, desktops and VDI (virtual desktop infrastructure) machines. ProPlus was installed on all these machines using SCCM. The installation went smoothly and users started using Office for their day-to-day work.

All looks good from the user's point of view, but when it comes to managing ProPlus updates, you need to understand how it works and what settings are applied on the PC for ProPlus.

After ProPlus was installed on many computers, we started looking at the Office 365 updates section in SCCM (Software Library > Office 365 Client Management > Office 365 Updates) for patching and found that some of the clients were reporting update status but the majority were reporting Unknown, as shown below.

By the way, we are going with the Semi-Annual Channel as we do not want to update ProPlus every month, hence we look at Semi-Annual Channel updates only for deployment.


Solution:

After looking at the large count of Unknown status, I started looking at the clients' chassis type, as some of them were working fine but the majority were not. We had used the same package for ProPlus, one GPO with the ProPlus settings and one set of client agent settings for all of them.

When I am using one configuration for all, why is there a difference in update scan status for Office 365 client updates?

Use the default report Home > ConfigMgr_Sitecode > Software Updates - A Compliance > Compliance 6 - Specific software update states (secondary) to identify the Unknown clients.

After reviewing the Unknown clients, I found that the majority of them were VDI machines, hence there was something specific to the VDI machines.

I got one VDI assigned to my name so I could troubleshoot and find the root cause.

Following is the checklist performed on the VDI that had the issue:

1. Check whether the SCCM client is working well and healthy. How do you say it is healthy? Check in the SCCM console for its policy request and its inventory.

2. Is the client receiving policies, and what is the software updates status on this PC? Look at its last software update scan and also its last patching status. If this is working fine, then for sure something is wrong with how the Office 365 ProPlus application was installed or with the configurations applied on the VDIs.

3. Verified in SCCM that the client agent settings are configured correctly, with 'Enable management of the Office 365 client agent' set to 'Yes' in the Software Updates section. This setting can also be enabled through GPO. This is one of the requirements, as the SCCM client needs the Office COM interface to be enabled; it acts as the communication channel between Office and ConfigMgr. This functionality must be turned on. You can check the officemgmtcom registry value on the client PC under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Office\16.0\common\officeupdate.

After going through the above checklist, I could not find anything wrong. Everything seemed to be good.

While troubleshooting this, I found a Microsoft article on troubleshooting Office 365 ProPlus patching through Configuration Manager: https://blogs.technet.microsoft.com/askpfeplat/2017/03/23/troubleshooting-office-365-proplus-patching-through-system-center-configuration-manager/

After reading the article, I found that there is one setting I needed to verify, which I mentioned in checklist item 3 above: verify whether the COM interface is registered or not. As we enabled this through GPO and also via the SCCM client agent settings, the COM interface should be registered (officemgmtcom). So how do we verify whether the COM interface is registered?

You can do this by verifying the existence of the following registry key on the client. This registry key is the same for ProPlus on each PC.

[HKEY_CLASSES_ROOT\CLSID\{B7F1785F-D69B-46F1-92FC-D2DE9C994F13}\InProcServer32]

@="C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeC2RCom.dll"

On the problem client, I could not find this registry key ({B7F1785F-D69B-46F1-92FC-D2DE9C994F13}).


As per the TechNet blog, I suspected the AV (antivirus) on the client was blocking the COM interface, hence I involved the AV team, but troubleshooting turned up nothing; I also tried disabling the AV on the client and then stopping and starting the Microsoft Office Click-to-Run Service.

The issue was not resolved even after disabling the AV. What could be wrong?

We talked a few times about the COM interface having to be registered for this process, hence I started looking at Component Services, which is where COM objects are registered as well.

From the Run command, type dcomcnfg to open the MMC. Browse to Component Services > Computers > My Computer.

This is what I saw, with a red downward arrow, which means Component Services is disabled, hence the COM interface is unable to register. Why is this disabled? Is this through GPO? If so, why is it not disabled for laptops and desktops but only for VDI? This is an offline topic to be discussed internally with the respective teams who disabled it.


There is a service that is responsible for it, which is 'COM+ System Application'. Start the service (this must be done with admin rights).


After you start the service, close the Component Services MMC and reopen it.

Browse to COM+ Applications and see if there is any entry related to OfficeC2R.


How do we get the OfficeC2R COM object here?

As a simple fix, I restarted the Microsoft Office Click-to-Run Service (ClickToRunSvc) so the COM object would get created and hence the registry key too, but that did not work.

So what I did is the following fix, which worked; I also created a simple batch script that was applied to all computers that did not have the registry key.

How to get OfficeC2RCom Object ?

  1. Open Regedit and change the officemgmtcom value under HKLM\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate from 1 to 0

  2. Restart the Microsoft Office Click-to-Run Service

  3. Open Regedit and change the officemgmtcom value under HKLM\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate from 0 to 1

  4. Restart the Microsoft Office Click-to-Run Service again.

  5. Open dcomcnfg to check for the OfficeC2RCom object, and go to Regedit and check the registry key [HKEY_CLASSES_ROOT\CLSID\{B7F1785F-D69B-46F1-92FC-D2DE9C994F13}\InProcServer32]

    Registry check

    COM object verification (OfficeC2RCom)

I did not find any reference (or I missed it) that says the COM+ System Application service must be started for ProPlus.

Conclusion to Restore OfficeC2RCom:

  1. Start the COM+ System Application service
  2. Open Regedit and change the officemgmtcom value under HKLM\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate from 1 to 0
  3. Restart the Microsoft Office Click-to-Run Service.
  4. Open Regedit and change the officemgmtcom value under HKLM\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate from 0 to 1
  5. Restart the Microsoft Office Click-to-Run Service again.
  6. Open dcomcnfg to check for OfficeC2RCom, and go to Regedit and check the registry key [HKEY_CLASSES_ROOT\CLSID\{B7F1785F-D69B-46F1-92FC-D2DE9C994F13}\InProcServer32]

I have created a script that does the above actions, so you can create an application/package and deploy it to clients that do not have the above Office COM+ application.
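An added example of what such a check-and-repair script can look like (my code, not the author's batch script): it reports the three things the post inspects and applies the conclusion's sequence only when the OfficeC2RCom key is missing. The service name COMSysApp for "COM+ System Application" is an assumption from general Windows knowledge, not from the post; everything else (ClickToRunSvc, officemgmtcom, the CLSID) is taken from the text.

```powershell
# Added example (not the author's script): check the three things the post
# troubleshoots and, if needed, apply the same repair sequence. Names from the
# post: ClickToRunSvc, the officemgmtcom value and the OfficeC2RCom CLSID.
# 'COMSysApp' is the service name of 'COM+ System Application'. Run elevated.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Office\16.0\Common\OfficeUpdate'
$ClsidKey  = 'Registry::HKEY_CLASSES_ROOT\CLSID\{B7F1785F-D69B-46F1-92FC-D2DE9C994F13}\InProcServer32'

function Get-OfficeC2RComState {
    # Read-only: reports the state of everything the post checks.
    $comSysApp = Get-CimInstance -ClassName Win32_Service -Filter "Name='COMSysApp'"
    $policy    = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComPlusServiceState     = $comSysApp.State       # Running / Stopped
        ComPlusServiceStartMode = $comSysApp.StartMode   # Auto / Manual / Disabled
        OfficeMgmtCom           = $policy.officemgmtcom  # 1 = Office updates managed by ConfigMgr
        OfficeC2RComRegistered  = Test-Path -Path $ClsidKey
    }
}

function Restore-OfficeC2RCom {
    # The fix sequence from the post's conclusion.
    if (-not (Test-Path -Path $PolicyKey)) {
        throw "Policy key $PolicyKey not found; the client is not configured for ConfigMgr-managed Office updates."
    }
    $comSysApp = Get-CimInstance -ClassName Win32_Service -Filter "Name='COMSysApp'"
    if ($comSysApp.StartMode -eq 'Disabled') {
        Set-Service -Name COMSysApp -StartupType Manual   # a disabled service cannot be started
    }
    Start-Service -Name COMSysApp

    # Toggle officemgmtcom 1 -> 0, restart Click-to-Run, then 0 -> 1 and restart again.
    Set-ItemProperty -Path $PolicyKey -Name officemgmtcom -Value 0 -Type DWord
    Restart-Service -Name ClickToRunSvc -Force
    Set-ItemProperty -Path $PolicyKey -Name officemgmtcom -Value 1 -Type DWord
    Restart-Service -Name ClickToRunSvc -Force

    Get-OfficeC2RComState
}

$before = Get-OfficeC2RComState
$before | Format-List

if (-not $before.OfficeC2RComRegistered) {
    Write-Host 'OfficeC2RCom is not registered; applying the repair sequence.'
    $after = Restore-OfficeC2RCom
    if ($after.OfficeC2RComRegistered) {
        Write-Host 'OfficeC2RCom is registered; the next software update scan should report Office 365 update status.'
    } else {
        Write-Warning 'Still not registered. Check the COM+ Applications node in dcomcnfg for OfficeC2RCom.'
    }
}
```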

Though the root cause was simple (the service was disabled), getting the COM interface back took a lot of troubleshooting.

Hope it helps!

Configmgr SSRS failed to upload RDL with error code :definition of this report is not valid or supported by this version of reporting services


When you try to upload an RDL (Report Definition Language) file into your SSRS reports, you may hit the following error: “The definition of this report is not valid or supported by this version of Reporting Services. The report definition may have been created with a later version of Reporting Services, or contain content that is not well-formed or not valid based on Reporting Services schemas. Details: The report definition has an invalid target namespace 'http://schemas.microsoft.com/sqlserver/reporting/2016/01/reportdefinition' which cannot be upgraded. (rsInvalidReportDefinition) Get Online Help”

Why does this error occur ?

If the RDL file was created using a version of the reporting tool (in this case 2016) that is higher than the SQL Server Reporting Services version you have installed (<2016), you will have this issue.

In my case, I am running SQL Server 2014 with Reporting Services installed on my SCCM server and am trying to upload an SCCM report that was created on version 2016.


How do we make this report work on an older version of Reporting Services? You need to make two changes to the RDL file to get it working.

1. Open the RDL file using Notepad or another editor; you will find something like the below at the beginning of the file.


Change the version from 2016 to 2010.

2. Search for "ReportParametersLayout" in the file and remove the whole block (this element is created by the 2016 version of Visual Studio).

As shown below, remove the whole block and save the report.


Now try to upload the RDL file into Reporting Services, change the data source and run the report.

Conclusion:

Change the SQL version in the RDL file and remove the ReportParametersLayout block to get the report working.
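The two edits above applied from PowerShell instead of Notepad, as an added example that is not part of the original post. The 2016/01 namespace is the one from the error message and the 2010/01 namespace is the one SSRS 2014 accepts; the sample RDL text is constructed and trimmed to the parts the post touches.

```powershell
# Added example (not from the original post): apply the post's two edits to an
# RDL file from PowerShell. The sample RDL below is constructed for demonstration.
function Convert-RdlTo2010 {
    param([Parameter(Mandatory)][string] $RdlText)

    $ns2016 = 'http://schemas.microsoft.com/sqlserver/reporting/2016/01/reportdefinition'
    $ns2010 = 'http://schemas.microsoft.com/sqlserver/reporting/2010/01/reportdefinition'

    # Change 1: downgrade the target namespace on the <Report> element.
    $text = $RdlText.Replace($ns2016, $ns2010)

    # Change 2: remove the whole <ReportParametersLayout> block, which the 2010 schema does not define.
    $text = [regex]::Replace($text, '(?s)\s*<ReportParametersLayout>.*?</ReportParametersLayout>', '')

    # Sanity check: the result must still be well-formed XML before it goes to SSRS.
    [void]([xml]$text)
    return $text
}

$sampleRdl = @'
<?xml version="1.0" encoding="utf-8"?>
<Report xmlns="http://schemas.microsoft.com/sqlserver/reporting/2016/01/reportdefinition" xmlns:rd="http://schemas.microsoft.com/SQLServer/reporting/reportdesigner">
  <ReportParametersLayout>
    <GridLayoutDefinition>
      <NumberOfColumns>4</NumberOfColumns>
      <NumberOfRows>2</NumberOfRows>
    </GridLayoutDefinition>
  </ReportParametersLayout>
  <ReportSections>
    <ReportSection>
      <Body><Height>2in</Height></Body>
      <Width>6in</Width>
      <Page />
    </ReportSection>
  </ReportSections>
</Report>
'@

$converted = Convert-RdlTo2010 -RdlText $sampleRdl
$converted   # namespace now ends in /2010/01/reportdefinition and the layout block is gone

# For a real file: read, convert, and write a copy to upload (placeholder path).
# $rdlPath = 'C:\Reports\MyReport.rdl'
# Convert-RdlTo2010 -RdlText (Get-Content -Path $rdlPath -Raw) |
#     Set-Content -Path ($rdlPath -replace '\.rdl$', '-2010.rdl') -Encoding UTF8
```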

SCCM Configmgr Current Branch 1806 is now available


Microsoft just released SCCM ConfigMgr Current Branch 1806 as an in-console update for first-wave customers (opt-in), which means you can run a PowerShell script to get this update in your console.

This build can be applied to your ConfigMgr sites running 1706, 1710 and 1802.
This build version is not available as standalone media (baseline), so for a new installation you download the latest baseline media, which is 1802, and then apply 1806 as an in-console update.

With build 1806 there are some exciting features and improvements. If you are already using SCCM ConfigMgr Technical Preview builds in your lab, you won't be surprised by the 1806 features, as most of them are already in the preview builds, plus some improvements over the previous Current Branch builds.

Of all the new and improved features, some quick interesting ones are:

1. cmtrace is now installed with the client: %windir%\ccm\cmtrace.exe

2. Configuration Manager tools are included in the smssetup\tools folder of the installation media (cd.latest)

3. Phased deployments of applications

4. Uninstall application on approval revocation

5. Maintenance windows in Software Center (you can now see the next maintenance window in Software Center)

6. Third-party software updates: you can now subscribe to partner catalogs in the SCCM console and publish to WSUS.

7. Deploy software updates without content being downloaded

8. WSUS cleanup wizard declines updates that are expired as per the supersedence rules.

9. New software update compliance report

10. Hardware inventory limit increased to

11. Hardware inventory default unit conversion is now back to MB, so change your custom reports if you have any for inventory data.

12. Copy asset details from monitoring views

13. View currently signed-on user for a device

For the complete list of features and improvements, please read the TechNet article https://docs.microsoft.com/en-us/sccm/core/plan-design/changes/whats-new-in-version-1806

Installation :

If you are on build 1706, 1710 or 1802, you will not see this update for now, as it is released only for first-wave customers; customers who want to try it can run the PowerShell script (opt-in) to see it in the console.

As the update is rolled out globally in the coming weeks, it will be automatically downloaded, and you will be notified when it is ready to install from the “Updates and Servicing” node in your Configuration Manager console.

If you can’t wait to try these new features, this PowerShell script can be used to ensure that you are in the first wave of customers getting the update. By running this script, you will see the update available in your console right away.

Download the script and extract it. Open a PowerShell prompt as admin and run the script. It will ask for the SCCM site server; give the name.


Once the script has run successfully, go to Administration > Overview > Updates and Servicing, click Check for updates and refresh the node.

At this point, check dmpdownloader.log; you will see some progress about the new update.


Now go back to the console to see build version 1806 with state: Available to download.


Now click on the download arrow (green) or right-click the update and choose Download.

A prompt appears about the download and the log to verify the download of the content.


When I looked at the log for the status, it said WARNING: Failed to download easy setup payload with exception: The remote name could not be resolved: 'download.microsoft.com'


I browsed the URL that failed to connect and it works fine, so I have to re-download the content.

I went to the console again to see if I could retry the download, but the download option is grayed out.


So it looks like there were internet connectivity issues. How do we get the download option back? Open Configuration Manager Service Manager; from there you can simply restart the SMS DMP downloader component (stop and start).


Now go back to your log and monitor the status.


If you get any errors like WARNING: The F:\ConfigMgr\EasySetupPayload\5b823327-92d9-4908-a24c-8d8c6625f407.cab signature could not be verified, then download the cab file manually and place it in the EasySetupPayload folder.

Now extract the cab file using 7-Zip or another unzip tool, place the content into the F:\ConfigMgr\EasySetupPayload\5b823327-92d9-4908-a24c-8d8c6625f407 folder and restart the DMP downloader component.

Once the download is done, you will see the console state change to Ready to install.


Right-click the update and click Install Update Pack.


Click Next, Next, Next (unless you need to select the features included in the pack; you can also choose to enable these features later) and choose the pre-production collection for the client upgrade.


Now monitor the installation status either from the Monitoring node or from cmupdate.log.


After a while, if you refresh the console, you will see that there is a new version of the console to upgrade to.


Click ok to get the console upgraded.

Open the console and check the site and client version:

Site version: 5.0.8692.1000

Client version: 5.0.8692.1003

In the next blog post, I will cover some of the existing features released in this build.

See you in the next blog post!

SCCM Collection for active inactive computers using Last Logon timestamp and troubleshooting


Introduction:

In this blog post, I will discuss some of the troubleshooting methods that I have used to identify the active/inactive computers on the network (active here is not based on the SCCM agent).

Last week, I was working on an Office 365 ProPlus deployment and training for a customer in Vietnam. As part of this, one of the activities was to identify the actual number of computers that have talked to a domain controller in the last X days.

When I looked at SCCM, there were hundreds of computers without the SCCM agent. So for me to start with the deployment/reports, I needed to know the actual number of computers on the network, as there are a lot of stale objects in Active Directory and also in SCCM.

The issue I am talking about in this blog post may not be applicable to everyone, and it can be improved or avoided by following best practices, with the help of AD clean-up and also by implementing a startup script or other methods for client installation.

Coming back to the issue, I was trying to identify the list of computers that are active/inactive on the network in the last 45 days and take this collection as the base for client health status and deployments etc.

How do I identify the computers that are active/inactive on the network for the last 45 days, irrespective of whether they have the SCCM agent or not? For this, I will use LastLogonTimeStamp.

If you have enabled AD System Discovery then you can actually get the LastLogonTimeStamp of computers from Active Directory (the attribute is selected by default). To know more about LastLogonTimeStamp, please read the TechNet article.

So I started creating a collection using LastLogonTimeStamp. Following is a simple collection query to identify the computers that have been inactive on the network for the last 45 days.

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System
where DATEDIFF(dd,SMS_R_System.LastLogonTimestamp,GetDate()) > 45

With this, I can get the list of all computers that have connected to AD in the last 45 days. Before I take any action, I need to validate whether these numbers are correct or not.

So I looked at the computers in the collection and found that some of them actually have the agent installed and a last policy request date of the current date (see the screenshot below).


What went wrong with this collection? Why did it discover computers that have the agent installed and are active?

When I looked at the computer's LastLogonTimeStamp, it showed a very old date. So I went back to Active Directory to tally this date. I could see that the date shown in SCCM and the date shown in Active Directory do not match.

From AD, LastLogonTimeStamp shows a few days ago, but SCCM shows a few months ago. Why is that?

As you know, to successfully create a DDR for a computer with attributes like computer name, OS, IP address, AD site etc., Active Directory System Discovery must be able to identify the computer account and then successfully resolve the computer name to an IP address (DNS name resolution).

So I opened cmd and did a ping and also an nslookup for the computer that was discovered into the collection with the SCCM agent installed and active.

I could not ping the computer, and nslookup did not resolve it either.


With this, I concluded that there is an issue with name resolution, and that must be the first thing to fix before trying anything else.
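The manual validation above (compare the AD LastLogonTimeStamp against the 45-day rule, then check name resolution) for a whole list of computers, as an added example that is not part of the original post. The 45-day threshold is the post's; the sample computers and the stub DNS resolver are constructed so the block runs offline, and the commented Get-ADComputer line shows the real-domain use.

```powershell
# Added example (not from the original post): the post's by-hand check for many
# computers. LastLogonTimeStamp in AD is a FILETIME (Int64) that replicates only
# when more than 14 days old, so it is an approximate 'last seen' value.
function Test-ComputerActivity {
    [CmdletBinding()]
    param(
        # Objects with Name and lastLogonTimestamp (Int64 FILETIME), e.g. from
        # Get-ADComputer -Filter * -Properties lastLogonTimestamp
        [Parameter(Mandatory, ValueFromPipeline)] $Computer,
        [int] $InactiveDays = 45,
        # DNS lookup standing in for the post's nslookup; replaceable for offline runs.
        [scriptblock] $Resolver = { param($name) [System.Net.Dns]::GetHostAddresses($name) }
    )
    process {
        $lastLogon = if ($Computer.lastLogonTimestamp) {
            [datetime]::FromFileTime([int64]$Computer.lastLogonTimestamp)
        } else { $null }

        $daysSince = if ($lastLogon) { [int]((Get-Date) - $lastLogon).TotalDays } else { $null }

        # Mirror the collection rule from the post: DATEDIFF(dd, LastLogonTimestamp, GetDate()) > 45
        $adStatus = if ($null -eq $daysSince) { 'NeverLoggedOn' }
                    elseif ($daysSince -gt $InactiveDays) { 'Inactive' }
                    else { 'Active' }

        $resolves = $true
        try { [void](& $Resolver $Computer.Name) } catch { $resolves = $false }

        [pscustomobject]@{
            Name        = $Computer.Name
            LastLogon   = $lastLogon
            DaysSince   = $daysSince
            ADStatus    = $adStatus
            DnsResolves = $resolves
            # Active in AD but unresolvable is exactly the case the post found: System
            # Discovery cannot build the DDR, so SCCM keeps a stale LastLogonTimestamp.
            NeedsDnsFix = (-not $resolves) -and ($adStatus -eq 'Active')
        }
    }
}

# Constructed sample input standing in for Get-ADComputer output.
$now = Get-Date
$sampleComputers = @(
    [pscustomobject]@{ Name = 'PC-RECENT'; lastLogonTimestamp = $now.AddDays(-3).ToFileTime() }
    [pscustomobject]@{ Name = 'PC-STALE';  lastLogonTimestamp = $now.AddDays(-120).ToFileTime() }
    [pscustomobject]@{ Name = 'PC-NEVER';  lastLogonTimestamp = $null }
)

# Stub resolver so the sample runs offline: only PC-STALE has a DNS record here.
$stubResolver = { param($name) if ($name -ne 'PC-STALE') { throw "no such host: $name" } }

$sampleComputers | Test-ComputerActivity -Resolver $stubResolver | Format-Table -AutoSize
# PC-RECENT comes out Active in AD with NeedsDnsFix = True: the case to hand to the AD/DNS team.

# Against a real domain (ActiveDirectory module), using real DNS:
# Get-ADComputer -Filter * -Properties lastLogonTimestamp |
#     Test-ComputerActivity | Where-Object NeedsDnsFix
```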

Use the following SQL query to identify the count of objects that have not been discovered for more than 30 days.

Agent discovery information is stored in the SQL view v_AgentDiscoveries.

select distinct ad.AgentName [Discovery Method],
count(*) [Discovered Clients]
from v_R_System sys
inner join v_AgentDiscoveries AD on AD.ResourceId=sys.resourceid
and DATEDIFF(dd,AD.AgentTime,GetDate()) >30
group by ad.AgentName
order by ad.AgentName

Except for MP_ClientRegistration, the rest of the counts shown per discovery method are something to be considered for troubleshooting.


With the help of SQL, you can further drill down to identify the list of computers.

After all this troubleshooting, it is required to work with the Active Directory/DNS team to resolve the name resolution issues.

I have seen customers who don't even enable AD System Discovery and let client installation happen through GPO/startup script/SUP/OSD, which helps maintain accurate client information rather than pumping all the junk from AD into SCCM.

Hope this guide helps in cleaning up computer accounts in SCCM based on LastLogonTimeStamp.

How to use Configmgr Baseline to check server role or feature installed


Problem:

If you are using Qualys, Nessus or another tool to detect vulnerabilities on Windows machines, this post might be helpful to you.

Recently, our security team reported that a lot of servers are vulnerable because of Adobe Flash Player, claiming that these servers are running a lower version of Flash Player.

When I looked at one of the servers, I could not find Adobe Flash Player installed. If no application is installed, there is no way for SCCM to detect that the Flash Player components are running a lower version (we do third-party patching as well), and you cannot patch/update Flash either, whether manually, through patching or through software distribution.

So I asked the security team to provide more information about the detection criteria being used to detect the Flash Player vulnerabilities.

They came back with the detection rule: the file flash.ocx in C:\windows\System32\Macromed\Flash is running a low version.

image

So I looked at C:\windows\System32\Macromed\Flash and tried to delete the files, because there is no Flash Player installed (verified from Programs and Features). I could not delete the files directly from the folder to match the Qualys results.

But what I found is that an applet for Flash Player had been created in Control Panel as well, which was weird to me.image

I tried downloading the latest Adobe Flash version and installing it, but the installation did not go through (it says Server 2012 R2 doesn't need Flash Player).

Nothing worked for me until here, so I dug deeper to identify the reason for this folder structure and the applet in Control Panel. After some time, I found that it comes from the Desktop Experience feature that was installed with the OS build image.

So I tried removing the Desktop Experience feature manually from Roles and Features and rebooted the server (a reboot is mandatory for this feature removal).

After the removal of the feature, Flash Player and the files in the Flash folder disappeared.

Now, how do I know the list of servers that have the Desktop Experience feature installed, and how do I remove it through automation?

Solution:

I use an SCCM compliance baseline to identify the list of servers that have the Desktop Experience feature installed. If the role is installed, you can remove it as part of a remediation script, or get the list of servers and then create a batch file to remove the role and reboot during the maintenance window.

Using ConfigMgr, we can create a compliance item with a simple script that checks for the Desktop Experience feature: if the feature is installed, the result is Non-Compliant (server is vulnerable); if it is not installed, the result is Compliant (server is not vulnerable).

All you need is a script to check for the Desktop Experience feature; if you are looking for other roles and features, feel free to modify it as per your needs.

To see the other roles and features, open a PowerShell prompt, import the ServerManager module and run the following cmdlet to list the Windows roles/features on the server:

Get-WindowsFeature

image

The list above shows the installed server roles and features. If you are looking for a specific feature, pick its name from the Name column to check its installed status.

In this blog post, I am not going with a remediation script. What that means is: if the specific role/feature you are looking for is found, you would run a remediation script, such as removing the role from the server, to fix it.

How to create configuration item/compliance baseline ?

Follow my blog post to create a Configuration item http://eskonr.com/2016/08/sccm-configmgr-how-to-clean-ccmcache-content-older-than-x-days-using-compliance-settings/ , but replace the discovery script with the PowerShell script below (no remediation script is needed).

Import-Module ServerManager
# .Installed is a boolean ($true/$false), so test it directly; comparing it with the string "Installed" never matches
$DE = (Get-WindowsFeature -Name Desktop-Experience).Installed
If (-not $DE)
{
    Write-Output "True"    # feature not installed: Compliant
}
else
{
    Write-Output "False"   # feature installed: Non-Compliant
}

Compliance Rule:

image

Create a configuration baseline and deploy it to the collection in which you want to find out whether the Desktop Experience feature is installed or not.

This only discovers the list of servers with this feature installed. Once you get the list of servers that are non-compliant, create a collection and a simple package with the following command line, and deploy it to the collection.

Once the package runs on the server, it won't reboot the server immediately; rather, it waits for the maintenance window for the reboot, which will happen anyway with the scheduled reboot.

Powershell.exe -ExecutionPolicy Bypass -command Remove-WindowsFeature -Name Desktop-Experience
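As an added example (my own code, not the post's script), here is the discovery script generalized to a list of feature names while keeping the same True/False contract for the compliance rule; the feature list, the Test-UnwantedFeature helper and the log path are assumptions.

```powershell
# Added example, not the post's own script. Assumes Windows Server with the ServerManager module.
# It generalizes the discovery script to a list of feature names and keeps the same contract:
# output "True" (compliant) when none of the listed features is installed, "False" otherwise.

# Constructed list of features that should not be present; Desktop-Experience is the one from the post.
# Names come from the Name column of Get-WindowsFeature.
$UnwantedFeatures = @('Desktop-Experience')
# Hypothetical log path so the CI leaves a record of what it found (stdout is reserved for the result)
$LogFile = Join-Path $env:windir 'Temp\UnwantedFeatures.log'

function Test-UnwantedFeature {
    param([string[]]$Names)

    Import-Module ServerManager -ErrorAction Stop

    # @(...) keeps this an array even when the loop outputs nothing
    $found = @(foreach ($name in $Names) {
        # An unknown name (for example a feature that does not exist on this OS version) returns nothing;
        # treat it as "not applicable", not as a finding
        $feature = Get-WindowsFeature -Name $name -ErrorAction SilentlyContinue
        # .Installed is a [bool]; comparing it with the string "Installed" would never match
        if ($null -ne $feature -and $feature.Installed) {
            $feature.Name
        }
    })
    # Installed offenders (empty when the server is clean)
    return $found
}

$installed = @(Test-UnwantedFeature -Names $UnwantedFeatures)
$stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'

if ($installed.Count -eq 0) {
    Add-Content -Path $LogFile -Value "$stamp compliant: none of [$($UnwantedFeatures -join ', ')] installed"
    Write-Output "True"     # compliant: matches the rule value used in the post
}
else {
    Add-Content -Path $LogFile -Value "$stamp non-compliant: $($installed -join ', ')"
    Write-Output "False"    # non-compliant: the server still needs the feature removed
}
```

The compliance rule stays the same as in the post (the script output must equal "True"); the log file tells you which listed feature caused a non-compliant result.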

Hope it helps!


How to deploy SCCM Remote Control Bits (standalone) to clients without ConfigMgr Console being installed


Introduction/Problem:

We are in the process of completing an Office 365 project for all users, which brings Teams and other products as part of Office 365. We were using Lync/Skype for Business as the collaboration tool prior to the Office 365 project, but once the project started, everyone is on Teams, hence we can decommission the Lync servers and also disable Lync for users.

Before we proceed to sunset Lync/Skype for Business, we need to look at the feature comparison. Although Teams cannot be compared with Skype in terms of the features it carries, there is one major thing that is not as good as Lync: desktop sharing. For support people (like desktop support and helpdesk), desktop sharing is the major function of Lync, used to perform troubleshooting remotely.

In Teams, if you want to share your desktop or give control to a support person, you need to make an audio/video call and then hand over control, which is a bit inconvenient for users. So until Microsoft brings something for this feature, we depend on the SCCM remote control functionality (if you have ConfigMgr in the infrastructure).

I know many organisations out there use Microsoft SCCM remote control, primarily in helpdesk/desktop support, but we decided to make the SCCM remote control tool available to each desktop support technician and IT person as a standalone tool, without the SCCM console.

 

Solution:

There are many blog posts on the internet on how to run SCCM remote control without installing the SCCM console. See Jörgen Nilsson's post https://ccmexec.com/2012/05/running-configuration-manager-2012-remote-control-standalone/ and many others.

We will use the set of files located in your ConfigMgr installation folder (D:\Configmgr\AdminConsole\bin\i386: the files RdpCoreSccm.dll, CmRcViewer.exe and CmRcViewerRes.dll), create a simple batch script to copy these files to C:\Program Files (x86), and make the shortcut available in the Start Menu for all users.

Download the source files from here.

These files were copied from SCCM build 1802 or lower, but the viewer works fine irrespective of whether the client version matches this remote control version or not. Give it a try; if you have any issues, get the right files from the SCCM server installed in your infrastructure.

Unzip the files and copy the folder to your SCCM source location folder.

image

You will see the following content inside the remote control folder.

image

Here is the simple batch script that copies the remote control files and creates a shortcut in the Start Menu folder for all users.

 

REM Copy the SCCM Remote Control bits to the local drive (%~dp0 is the folder this script runs from)

XCOPY "%~dp0SCCM Remote Control" "C:\Program Files (x86)\SCCM Remote Control" /s /i /y

REM Copy the SCCM Remote Control shortcut to the All Users Start Menu

xcopy "%~dp0SCCM Remote Control\Remote Control.lnk" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs" /Y

You can now create an application with the detection rule shown below. You can also go with a file version check.

image

Type: File

Path: %ProgramFiles(x86)%\SCCM Remote Control

File or Folder name: CmRcViewer.exe

User Experience:

image

For the rest of the configuration, go with the defaults, or add any custom requirement like an OS limit etc.

Once the application is created, distribute it to distribution points and deploy it to a device collection.

image

Client results:

image

With this, every support technician can use SCCM remote control to troubleshoot issues. (For successful remote control, make sure the client is healthy and active and that the required firewall ports are open from the console to the client.)

You can deploy this tool to Windows 7, Windows 10 and server OS if users wish to remote control from there.

Hope it helps !

Troubleshooting a client that has NO SCCM agent in the console BUT still receives deployments


 

Introduction/Problem:

A colleague of mine asked me why he was getting applications/updates on his computer that he hadn't requested. When I heard this, I verified in SCCM, based on the computer name provided, and found that the PC has no SCCM agent.

If the PC has no SCCM agent, there is no way for it to receive deployments. So I asked him to check whether these deployments were coming through SCCM/ConfigMgr or some other method. He confirmed that they are coming from SCCM, that his PC has the SCCM agent, and that the apps are in Software Center.

Screenshot showing the PC with no SCCM agent installed:

image

When it was confirmed that the PC has the SCCM agent and is receiving the deployments, I decided to take this up further and help troubleshoot.

Solution:

When the PC has the SCCM agent and is healthy, where should we look to fix the issue? Can we simply uninstall the client and install it back? Does that work?

I started troubleshooting on the client side by looking at the client logs.

1. Review ClientIDManagerStartup.log --> Records the creation and maintenance of client GUIDs and also the registration status of the client computer. This can help troubleshoot scenarios where the client changes its GUID after a hardware change or after Windows activation.

So from this log, I can get the GUID of the computer and check in SCCM which computer this GUID is assigned to.

image

You can also get the GUID from smscfg.ini, located in the C:\windows folder.

image

Copy the GUID and go back to SQL Server Management Studio to find out which computer has this GUID.

select name0,SMS_Unique_Identifier0
From v_R_System
where SMS_Unique_Identifier0='GUID:F43BD203-2466-4284-BF28-3A62860C958A'

Run the above query, replacing the GUID with the one you got from the log or the smscfg.ini file.

This GUID is assigned to a different computer, as you can see from the query result below:

image

All the deployments targeted at that other PC are actually hitting the problem computer. This is where a duplicate or mismatched GUID leads to wrong deployments. You should always have operational collections to identify duplicate GUIDs, or a GUID assigned to multiple computers, to avoid these kinds of issues.

How do we fix it without reinstalling the client?

Here is a simple batch script to stop the SMS Agent Host service, delete SMSCFG.INI and the SMS certificates, and start the SMS Agent Host service again so that it creates a new client GUID (this is not the computer's GUID).

@echo Off
REM Stop the SMS Agent Host service before touching its identity files
net stop CcmExec
REM "sleep" is not a built-in Windows command; timeout is
timeout /t 5 /nobreak >nul
REM Remove the client's SMS certificates and the file that stores the client GUID
Reg Delete HKLM\software\Microsoft\Systemcertificates\SMS\Certificates /f
DEL c:\Windows\SMSCFG.ini
timeout /t 5 /nobreak >nul
REM Starting the service again generates a new client GUID and re-registers with the MP
net start CcmExec

Open a command prompt as administrator and run the above script or command lines.

After you run this script, monitor ClientIDManagerStartup.log.

After a while, you will see that the client now shows in SCCM with the client installed, and whatever false deployments were on this PC will disappear from Software Center in the next machine policy cycle, together with a collection membership update.

image

Until next time!

How to uninstall teams client using SCCM Configmgr


I had a request to uninstall Teams, as it had been deployed to users who were not supposed to get it on their Windows devices. Microsoft Teams brings together the full breadth and depth of Office 365, to provide a true chat-based hub for teamwork and give customers the opportunity to create a more open, fluid, and digital environment. Microsoft Teams is built on existing Microsoft technologies woven together by Office 365 Groups.

In this post, we will see how to uninstall the Teams client using ConfigMgr by creating an application or package and deploying it to either users or computers.

We can download the Teams client 32-bit or 64-bit MSI and deploy it to users or computers. When you deploy the Teams application, it is installed in that user's AppData folder.

We have two options to uninstall Teams: 1) a simple uninstall command line, 2) a PowerShell script.

Using the command line, we can create a package, or edit the Teams application's deployment type and add the uninstall program.

image

Uninstall program for Teams: "%LocalAppData%\Microsoft\Teams\Update.exe" --uninstall -s

This command line simply uninstalls the Teams client, but it won't clean up the folder.

There is a second method that we can use to uninstall the Teams client, using a PowerShell script.

<#
.SYNOPSIS
This script allows you to uninstall the Microsoft Teams app and remove the Teams directory for a user.
.DESCRIPTION
Use this script to clear the installed Microsoft Teams application. Run this PowerShell script for each user profile for which the Teams App was installed on a machine. After the PowerShell has executed on all user profiles, Teams can be redeployed.
#>

# Teams installs per user, so both paths live under the current user's LocalAppData
$TeamsPath = [System.IO.Path]::Combine($env:LOCALAPPDATA, 'Microsoft', 'Teams')
$TeamsUpdateExePath = [System.IO.Path]::Combine($env:LOCALAPPDATA, 'Microsoft', 'Teams', 'Update.exe')

try
{
    if (Test-Path -Path $TeamsUpdateExePath) {
        Write-Host "Uninstalling Teams process"

        # Uninstall app silently and wait for the uninstaller to finish
        $proc = Start-Process -FilePath $TeamsUpdateExePath -ArgumentList "-uninstall -s" -PassThru
        $proc.WaitForExit()
    }
    if (Test-Path -Path $TeamsPath) {
        Write-Host "Deleting Teams directory"
        # Update.exe -uninstall leaves the folder behind, so remove it explicitly
        Remove-Item -Path $TeamsPath -Recurse -Force
    }
}
catch
{
    Write-Error -ErrorRecord $_
    exit 1    # "exit /b 1" is cmd syntax; PowerShell takes a plain exit code
}

Create a PowerShell script in ConfigMgr and deploy it to a collection. When you deploy the script, make sure it runs with the user's account and only when a user is logged in.

Since the Teams client is installed in the AppData folder, the uninstall must run only when the user is logged in.

Reference: https://docs.microsoft.com/en-us/microsoftteams/msi-deployment

https://docs.microsoft.com/en-us/microsoftteams/scripts/powershell-script-teams-deployment-clean-up

How to install Data warehouse service point in SCCM Configmgr and get the historical data


 

Introduction:

The customer is running SCCM ConfigMgr current branch 1806, configured with site maintenance tasks to delete aged data older than X days. When you configure the site maintenance task, data older than X days gets deleted from the site database, which is expected.

So the customer asked whether there is a way to know which clients were deleted by the site maintenance task, manually or in other ways. Basically, whatever gets deleted from the site database, including devices, inventory etc., the customer wanted to have a record of at a later stage.

In ConfigMgr builds prior to 1702, there is no straightforward way to do it, unless you configure out-of-box solutions such as bringing the AD computer objects into SCCM and querying them; but that doesn't give you the inventory info of the deleted devices, only which computers got deleted.

With 1702, a pre-release feature called the Data warehouse service point was introduced. Beginning with version 1706, this feature is no longer a pre-release feature.

The Data warehouse service point is used to store and report on long-term historical data for your SCCM ConfigMgr deployment.

The Data warehouse service point is not enabled by default when you upgrade your ConfigMgr build to 1706 or later; it must be manually configured.

Data warehouse dataflow (captured from Technet article)

image

For more information about Data warehouse service point ,please read TechNet document https://docs.microsoft.com/en-us/sccm/core/servers/manage/data-warehouse 

In this blog post, we will see how to install the Data warehouse service point and query data that has been deleted from the CAS/primary site database but still exists in the data warehouse, for reporting and tracking purposes.

So in this post, I will show you how to use the data warehouse to pull information that has been deleted from the primary database.

Prerequisites for the data warehouse server (CM01-DW):

1. Create a Windows Server 2012 R2 or higher server, fully patched (CM01-DW).
2. Join CM01-DW to the domain.
3. Add the computer account of the primary site server (CM01), or the CAS if you have one, from which you are installing the data warehouse role, as a local admin on the server (CM01-DW).

Note: The data warehouse site system role is supported only at the top-tier site of your hierarchy (a central administration site or stand-alone primary site).

4. The computer where you install the data warehouse site system role requires .NET Framework 4.5.2 or later. Since I am running Server 2012 R2, I don't need to install this; it is built in and enabled.

5. The data warehouse database requires SQL Server 2012 or later. The edition can be Standard, Enterprise, or Datacenter. I installed SQL Server 2014 SP1 on the CM01-DW server with default options. The SQL collation must be SQL_Latin1_General_CP1_CI_AS (the default as part of the installation).

While installing SQL Server, choose Database Engine, Reporting Services and Management Tools (for SQL Management Studio) in Features. Choose the default instance.

As part of the SQL components installation, you might hit an error with the .NET Framework 3.5 feature, which you can enable from Server Manager, Add Roles and Features. This requires mapping the server OS sxs files.

SQL server installation summary:

image

The following SQL Server configurations are supported to host the warehouse database:

  • A default instance
  • Named instance
  • SQL Server Always On availability group
  • SQL Server failover cluster

6. The computer account of the computer where you install the site system role (CM01-DW) is used to synchronize data with the data warehouse database. This account requires the following permissions:

  • Administrator on the computer that hosts the data warehouse database. 
  • DB_Creator permission on the data warehouse database. 
  • Either DB_owner or DB_reader with execute permissions to the top-tier site's site database.

As part of this prerequisite, I pre-created the DW database CM_PS1_DW on my remote SQL Server and granted the permissions mentioned in point 6.

image

7. SQL Server port 1433 is used by the data warehouse synchronization service to connect to the data warehouse database. By default, SQL Server port 1433 is used for communication.

How to install the data warehouse service point from the CAS or primary site:

Each hierarchy supports a single instance of this role, on any site system of the top-tier site. The SQL Server that hosts the database for the warehouse (CM01-DW) can be local to the site system role, or remote.

The data warehouse works with the reporting services point installed at the same site (CM01-DW). You do not need to install the two site system roles on the same server.

From the CAS server or primary site (in my case, I don't have a CAS), click on Servers and Site System Roles to install a new role. Choose Create Site System Server.

image

Enter the remote server name to host the data warehouse database.

Also make sure the primary site server computer account (CM01) is added to the local Administrators group on the remote server (CM01-DW), as we use the site server's computer account to install the site system.

image

Click Next with the default options, since this role doesn't require an internet connection for syncing.

image

Choose Data warehouse service point and click Next.

image

Key in the fields as shown below.

SQL Server: the remote server where we installed SQL Server 2014: CM01-DW.apac.eskonr.com

SQL Server instance: I installed SQL Server on CM01-DW with the default instance, hence I leave it blank

Database name: leave the default name: CM_PS1_DW

Data warehouse service point account: this account is used to connect to the data warehouse database and must have read access to the database CM_PS1_DW.

This account is used to run the reports against the data warehouse database and is configured in the data source properties, which you can verify later.

image

Accept the default sync schedule, or customize it as per your needs. This schedule controls how the data is synced from the primary site to the data warehouse database.

image

Review the summary page:

image

Log in to the remote server (CM01-DW) to check the logs

image

  • DWSSMSI.log and DWSSSetup.log - Use these logs to investigate errors when installing the data warehouse service point.
  • Microsoft.ConfigMgrDataWarehouse.log – Use this log to investigate data synchronization between the site database to the data warehouse database.

image

With this, we have completed the installation of the Data warehouse service point on the remote computer.

If you hit any issues with database connectivity, make sure the computer accounts are added with the right permissions on the CM_PS1_DW database.

Now we will check whether the data from the primary site (CM01) has synced to the data warehouse (CM01-DW) database or not.

Open SQL Server Management Studio and run select * from system_disc (if you are doing it in prod, then try select top 10 * from system_disc).

image

As you can see above, in the system_disc table there is one attribute (OperationType_DW) that indicates whether the system was deleted from the primary site or not.

Operationtype_DW basically contains information as listed below:

I: New Record

U:Updated record

D: Deleted Record

So once you know this, you can easily create SQL reports using the above attribute with OperationType_DW = 'D' and let the customer decide what they want to do with the result.
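As an added example (my own code, not from the post), here is a PowerShell script that pulls the deleted-device records straight from the warehouse database; the server and database names come from the post, while Windows authentication, the Get-DeletedDevice helper and the Name0/SMS_Unique_Identifier0 column names (assumed to mirror the site database's System_DISC) are assumptions.

```powershell
# Added example, not from the original post. Assumes the data warehouse database CM_PS1_DW on
# CM01-DW.apac.eskonr.com (both from the post), Windows authentication, and that the warehouse copy
# of System_DISC keeps the site database's Name0 and SMS_Unique_Identifier0 columns (assumed).
$Server   = 'CM01-DW.apac.eskonr.com'
$Database = 'CM_PS1_DW'

function Get-DeletedDevice {
    param([string]$Server, [string]$Database)

    # Integrated Security: the account running this needs read access on the DW database, like the
    # data warehouse service point account in the post. Encrypt/TrustServerCertificate mirror the
    # post's data source; an untrusted SQL certificate gives the same pre-login handshake error.
    $connStr = "Server=$Server;Database=$Database;Integrated Security=True;Encrypt=True;TrustServerCertificate=False"

    # OperationType_DW values: I = new record, U = updated record, D = deleted record (from the post)
    $query = @"
SELECT Name0, SMS_Unique_Identifier0, OperationType_DW
FROM   dbo.System_DISC
WHERE  OperationType_DW = @OpType
"@
    $conn = New-Object System.Data.SqlClient.SqlConnection $connStr
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        # Parameterised so the filter value is never concatenated into the SQL text
        [void]$cmd.Parameters.AddWithValue('@OpType', 'D')

        $table   = New-Object System.Data.DataTable
        $adapter = New-Object System.Data.SqlClient.SqlDataAdapter $cmd
        [void]$adapter.Fill($table)
        return ,$table     # keep the DataTable intact instead of unrolling its rows
    }
    finally {
        $conn.Dispose()
    }
}

$deleted = Get-DeletedDevice -Server $Server -Database $Database
# Devices the site database no longer knows about but the warehouse still records
$deleted | Select-Object Name0, SMS_Unique_Identifier0 | Format-Table -AutoSize
```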

With the data warehouse, we also get some default reports, and they are available in the primary site. But these reports run against the data warehouse database; their data source points to the CM01-DW SQL Server.

Data warehouse reports can be found in the SCCM console Reporting node or through the SSRS web URL of the primary site.

There are about 7 main reports and 7 linked reports (prefixed with _).

The data warehouse site system role includes the following reports, which have a Category of Data Warehouse:

  • Application Deployment - Historical: View details for application deployment for a specific application and machine.
  • Endpoint Protection and Software Update Compliance - Historical: View computers that are missing software updates.
  • General Hardware Inventory - Historical: View all hardware inventory for a specific machine.
  • General Software Inventory - Historical: View all software inventory for a specific machine.
  • Infrastructure Health Overview - Historical: Displays an overview of the health of your Configuration Manager infrastructure
  • List of Malware Detected - Historical: View malware that has been detected in the organization.
  • Software Distribution Summary - Historical: A summary of software distribution for a specific advertisement and machine.

image

Using the SSRS report URL of the primary site:

image

There will be a default data source created with the name {39B693BB-524B-47DF-9FDB-9000C3118E82}, with the connection string below; it is configured with the account CM_SR to run the reports against the warehouse.

This CM_SR account is the one used while installing the role.

Connection string: Persist Security Info=False;Initial Catalog=CM_PS1_DW;Data Source=CM01-DW.apac.eskonr.com;Encrypt=true;TrustServerCertificate=false

image

I tried to run one of the data warehouse reports, but I get the following error, which is a known issue:

A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.)

image

To fix this error, please follow the guide https://www.ronnipedersen.com/2018/01/15/sccm-unable-to-run-data-warehouse-reports-from-remote-sql/ and https://docs.microsoft.com/en-us/sccm/core/servers/manage/data-warehouse

Hope this guide helps you install the role and create custom reports.

In the next blog post, we will see which objects/information get stored in the data warehouse.

SCCM Configmgr Remove Collection membership for Direct rule Collections using Powershell


 

This blog post is a continuation of my previous post 'Monitor collection evaluations and remove the incremental membership schedule for non-priority collections'. More information can be found at http://eskonr.com/2019/01/sccm-configmgr-monitoring-collection-evaluations-and-change-update-membership-schedule-using-powershell/ .

In this post, we will see how to improve collection evaluation performance further by identifying collections with direct rules that have a membership schedule (incremental and/or full update) enabled, and then using PowerShell to remove that schedule.

You can use different rules to configure the members of a collection in SCCM, such as Direct rule, Query rule, Include and Exclude. For more information on collection types, please refer to https://docs.microsoft.com/en-us/sccm/core/clients/manage/collections/create-collections

Direct Rule: This is a static collection (manual changes are required every time), which means the membership does not change unless you remove a resource from SCCM.

Query Rule: This is a dynamic collection; it updates the membership of the collection dynamically based on a query that SCCM runs on a schedule.

image

As you can see in the snapshot above, the type of rule is Direct for direct (static) collections; for query-based collections you will see Query in place of Direct.

Direct rule collections do not need a membership schedule, because these collections are static and never update again unless a user makes manual changes.

If you are adding resources to direct-rule collections using scripts, make sure you also update the collection membership right there in the script. This is required for direct-rule collections if you did not enable the incremental or full scheduled update.

Why is it required to update the collection membership if you use a script to add resources to a direct-rule collection (with no membership schedule enabled)?

If you add resources manually to the collection using the GUI, it refreshes the collection automatically and brings the resources into the collection for you. Through scripting, the resources are only added to the collection rules (as shown in the GUI above), but if you open the collection it will be empty (this is what I noticed in my testing with scripting).

With this, we now need to identify the direct-rule collections that have a membership schedule enabled (incremental and/or full update) and remove the schedule using a PowerShell script.

Microsoft's recommendation is: do not use incremental updates for a large number of collections. This configuration might cause evaluation delays when you enable it for many collections. The threshold is about 200 collections in your hierarchy. For more info refer here

Following is a simple PowerShell script to query direct-rule collections with a membership schedule enabled.

We are using the built-in SCCM PowerShell cmdlet Get-CMCollection to get all collections (user and device) that have a membership schedule enabled and a direct rule (SMS_CollectionRuleDirect).

This script saves the list of direct-rule collections with a schedule enabled to a CSV file for reference at a later stage. If you have any direct-rule collections to exclude from this, you can use the script that I posted in the previous blog.

Depending on your infrastructure and the number of collections you have, it might take some time. For me, it took 4 minutes to get the 700+ collections that fell within the criteria.

Note: Before you run the script in production, make sure you understand the requirement, and comment out the $Collection.Put() line so you can verify the list of collections in your infrastructure; then rerun the script after un-commenting the line.

<#
Title: Update membership schedule for collections with direct based rule. Direct rule based collections do not need membership enabled.
Following are the collection membership values for refreshtype
1:No Scheduled Update
2:Full Scheduled Update
4:Incremental Update (Only)
6:Incremental and Full Update Scheduled
Author: Eswar Koneti
Blog:www.eskonr.com
Date:31-12-2018
#>

$scriptPath = $script:MyInvocation.MyCommand.Path
$CD = Split-Path $scriptpath #Get the current directory of the script that is located
$RefreshTypeto='1' #This is to convert the membership schedule ,1 is to remove the schedule.
$date = (get-date -f dd-MM-yyyy-hhmmss) #Get the current date and time when script runs
$collectionsfound="$CD\collections with direct rules-"+$date+".csv"
#This is our output file to pipe all collections with direct based rules for our reference later.

$ErrorActionPreference= 'silentlycontinue'

#Load SCCM module and map the powershell drive
Try
{
  import-module (Join-Path $(Split-Path $env:SMS_ADMIN_UI_PATH) ConfigurationManager.psd1)  #Import the powershell module . Make sure you have SCCM console installed on the PC that you run the script .
  $SiteCode=Get-PSDrive -PSProvider CMSITE #Get the sitecode
  cd ((Get-PSDrive -PSProvider CMSite).Name + ':')
}
Catch
{
  Write-Host "[ERROR]`t SCCM Module couldn't be loaded. Script will stop!"
  Exit 1
}
#Get all collections with membership enabled and direct membership rule only and export the collection details to CSV file for reference
get-CMcollection | where-object {$_.RefreshType -in ('2','4','6') -and ($_.Properties.CollectionRules.SmsProviderObjectPath -eq "SMS_CollectionRuleDirect")} `
|  select collectionID,Name | Export-CSV -NoTypeInformation $collectionsfound -append

foreach ($Coll in Import-Csv $collectionsfound ) #start the for loop for each each collection that found in SCCM and remove the collection membership schedule
{
$Collection = Get-CMCollection -CollectionId $Coll.collectionID
#write-host $Coll.collectionID $Coll.Name
  $Collection.RefreshType = $RefreshTypeto
  $Collection.Put()
}
write-host "Execution of script completed:" -foregroundcolor Yellow

You can also download the script from here.

Following is the SQL code to pre-check and post-check the collections with a membership schedule enabled.

select coll.SiteID,coll.CollectionName,
case when coll.CollectionType='1' then 'User' else 'Device' end as 'Collection Type'
from v_Collections_G coll
where coll.SiteID not in (select CRQ.collectionid from v_CollectionRuleQuery CRQ)
and coll.Flags in ('2','4','6')
group by coll.SiteID,coll.CollectionName,coll.CollectionType

 

Hope you enjoyed reading this article. See you in the next post!

SCCM ConfigMgr Compliance status of client for multiple software update groups


 

After long-time ,i am back with quick SCCM Configmgr software update compliance report .A friend of mine asked me today morning that ,he wants to check the compliance report for specific computer (could be VIP ) against one or multiple software update groups that they have created/deployed.

How do you check the compliance status of computer for specific software update groups ONLY and not for all updates that are available in SCCM ?

You have several software update compliance reports for software update groups and for computers but there is none to check if the particular computer is compliant or not for given software update group. The only possible way is to run the compliance report for specific collection and that will give you the overall compliance status and drill down further or run other compliance report which is tedious process. And if you want to repeat this multiple times for different updates groups ? Not easy. The only solution is custom report .

So i started off looking at this request and search online but could not find any thing except this link https://social.technet.microsoft.com/Forums/en-US/6cb95ee0-808e-4c8f-a39c-11bc35282357/limit-specific-computer-report-to-a-software-update-group?forum=configmanagergeneral and is unanswered.

I have also looked through my blog to see if I had posted something similar, but nothing matches the requirement.

So I started writing the SQL code and converted it into a nice SSRS report, which is now available for you to download and play with.

I have added most of the computer information, like software update group, computer name, user name, OS, last hardware scan, last software update scan, last logon time, IP address and patch compliance status, to help troubleshoot further.

You can download the SQL views documentation from https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b

How does this report work? When you run this report, it prompts you to choose the list of software update groups that you are interested in and to enter the computer name (mandatory, no drop-down, just the computer name, no need to enter the FQDN).
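As an added example (not the downloadable report's own SQL), the following T-SQL shows how such a per-computer lookup can be built from the standard ConfigMgr views; it assumes v_R_System, v_AuthListInfo, v_CIRelation, v_UpdateInfo and v_Update_ComplianceStatusAll are present, and the computer name and update group titles are constructed sample values.

```sql
-- Added example (not the downloadable report's SQL): compliance of one computer
-- against the software update groups you choose.
-- Assumes the standard views v_R_System, v_AuthListInfo, v_CIRelation,
-- v_UpdateInfo and v_Update_ComplianceStatusAll.
DECLARE @ComputerName nvarchar(256) = N'PC001';          -- constructed sample (no FQDN)
DECLARE @UpdateGroups TABLE (Title nvarchar(512));
INSERT INTO @UpdateGroups (Title)
VALUES (N'SUG-2019-03'), (N'SUG-2019-04');               -- constructed sample group names

IF OBJECT_ID('tempdb..#SugCompliance') IS NOT NULL DROP TABLE #SugCompliance;

-- One row per (update group, update) for the computer. RelationType = 1 links an
-- update group (FromCIID) to the updates it contains (ToCIID). A missing row in
-- v_Update_ComplianceStatusAll means the client has not reported on that update,
-- so it is treated as status 0 (Unknown) rather than being dropped.
SELECT  ali.Title                 AS UpdateGroup,
        sys.Name0                 AS ComputerName,
        ui.ArticleID,
        ui.Title                  AS UpdateTitle,
        ISNULL(ucs.Status, 0)     AS StatusCode,
        ucs.LastStatusCheckTime
INTO    #SugCompliance
FROM    v_AuthListInfo ali
JOIN    v_CIRelation rel   ON rel.FromCIID = ali.CI_ID AND rel.RelationType = 1
JOIN    v_UpdateInfo ui    ON ui.CI_ID = rel.ToCIID
CROSS JOIN v_R_System sys
LEFT JOIN v_Update_ComplianceStatusAll ucs
        ON ucs.CI_ID = ui.CI_ID AND ucs.ResourceID = sys.ResourceID
WHERE   sys.Name0 = @ComputerName                       -- obsolete duplicates would also match
  AND   ali.Title IN (SELECT ug.Title FROM @UpdateGroups ug)
  AND   ISNULL(ui.IsExpired, 0) = 0;                    -- ignore expired updates

-- Detail: every update in the chosen groups with its state for this computer.
SELECT  UpdateGroup, ComputerName, ArticleID, UpdateTitle,
        CASE StatusCode
            WHEN 1 THEN 'Not required'
            WHEN 2 THEN 'Required'
            WHEN 3 THEN 'Installed'
            ELSE        'Unknown'
        END AS ComplianceState,
        LastStatusCheckTime
FROM    #SugCompliance
ORDER BY UpdateGroup, StatusCode DESC, ArticleID;

-- Roll-up per update group: compliant only when nothing is Required or Unknown.
SELECT  UpdateGroup, ComputerName,
        SUM(CASE WHEN StatusCode = 2 THEN 1 ELSE 0 END) AS RequiredCount,
        SUM(CASE WHEN StatusCode = 0 THEN 1 ELSE 0 END) AS UnknownCount,
        CASE WHEN SUM(CASE WHEN StatusCode IN (0, 2) THEN 1 ELSE 0 END) = 0
             THEN 'Compliant' ELSE 'Non-compliant' END AS GroupCompliance
FROM    #SugCompliance
GROUP BY UpdateGroup, ComputerName
ORDER BY UpdateGroup;

DROP TABLE #SugCompliance;
```

In an SSRS report the two variables become the @ComputerName and multi-value update group parameters.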

The output of the report is shown below.

Download the report from the TechNet Gallery, upload it to your SSRS reports, change the data source and you are ready to run.

Some of the software update compliance reports from my blog are listed below.

SCCM Configmgr 2012 Updated Patch Compliance reports for software update group and collection with patch progression

Configmgr SQL query to get the list of clients that require a specific software update patch

SCCM Configmgr Software Update Compliance Report for Specific Collection within Specific Time Frame

SCCM Configmgr SQL query to find Top X missing updates for specific collection for specific update group

SCCM Configmgr Get the Update Compliance Status for multiple Update groups against Multiple collections using SQL query without reporting

SCCM Configmgr Software update Compliance Report for multiple Software Update groups per collection

SCCM Configmgr SQL Query to check software update is superseded by what software updates

Configmgr How to list all Default and Custom reports with created by, modified by,data source , Path and Description

SCCM Configmgr How to generate patch compliance report that shows all updates for specific collection ?

SCCM Configmgr SSRS Report Get list of missing updates for PC from specific Software update group

SCCM SQL Query Get software updates that are downloaded but not in any software update group

SCCM Configmgr 2012 Software update compliant non-compliant results for list of computers from collection for specific month

SCCM Check Patch is member of what software update package

SCCM Configmgr SSRS Patch Compliance Report Per Collection Per Update Group

SCCM Configmgr SSRS Report Overall Compliance Per Update Group Per Collection will help to troubleshoot the clients

SCCM Configmgr Patch Report – OU based Compliance status per Update Group

SCCM Configmgr Report Get the Status of Software Update Scan results

SCCM Configmgr Software update compliance states

SCCM report applications installed on computers without Updates

SCCM Configmgr Report for Software Update Compliance

SCCM Report Get list of devices with pending reboot in a collection with different states


Beginning with SCCM ConfigMgr build 1710, you can use the SCCM console to identify client devices that require a restart, and then use a client notification action to restart them. To enable this feature on the client side, you must also upgrade the clients to version 1710 or later.

This makes it much easier for SCCM engineers to restart a device with just one click.

To identify devices that are pending a restart, go to the Assets and Compliance workspace, select the Devices node, then right-click the column headers in the details pane and add the new column named Pending Restart.

Once you add this column, you can sort by Pending Restart to see the list of all devices with their client state.

Each device has one or more of the following values:

  • No: there is no pending restart
  • Configuration Manager: this value comes from the client reboot coordinator component (RebootCoordinator.log)
  • File rename: this value comes from Windows reporting a pending file rename operation (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, PendingFileRenameOperations)
  • Windows Update: this value comes from the Windows Update Agent reporting a pending restart is required for one or more updates (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired)
  • Add or remove feature: this value comes from the Windows component-based servicing reporting the addition or removal of a Windows feature requires a restart (HKLM\Software\Microsoft\Windows\CurrentVersion\Component Based Servicing\Reboot Pending)

To restart the device, right-click it, select Client Notification, and then select Restart. An information window opens about the restart. Click OK to confirm the restart request.

When the notification is received by a client, a Software Center notification window opens to inform the user about the restart. By default, the restart occurs after 90 minutes. You can modify the restart time by configuring client settings.

Settings for the restart behaviour are found on the Computer restart tab of the default settings.

If you want the list of devices pending a reboot, it is not always convenient to follow the steps above. They do not give you the number of devices pending a reboot either; you need to add the column and sort to find out how many.

In this blog post, we will see how to create a dynamic collection that lists all devices with a pending reboot. This collection should always be on your checklist for troubleshooting.

I will also give you SSRS reports that show the count of pending reboot devices for a collection by operating system, with a drill-down report to see the list of all clients along with their client inventory.

Before we start creating the pending reboot collection, we need to know where this information is stored in WMI. Collections use WQL, hence you need the class and property names.

Restart information is stored in the sms_combineddeviceresources class, in the clientstate property.

Anything that is not 0 (clientstate != 0) is treated as a pending reboot.

The following are the clientstate values you get for a client with a pending reboot (each value is a combination of the individual states):

1 – Configuration Manager
2 – File Rename
3 – Configuration Manager, File Rename
4 – Windows Update
5 – Configuration Manager, Windows Update
6 – File Rename, Windows Update
7 – Configuration Manager, File Rename, Windows Update
8 – Add or Remove Feature
9 – Configuration Manager, Add or Remove Feature
10 – File Rename, Add or Remove Feature
11 – Configuration Manager, File Rename, Add or Remove Feature
12 – Windows Update, Add or Remove Feature
13 – Configuration Manager, Windows Update, Add or Remove Feature
14 – File Rename, Windows Update, Add or Remove Feature
15 – Configuration Manager, File Rename, Windows Update, Add or Remove Feature

Create a device collection, choose query-based membership and paste the following WQL code into it.

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System join sms_combineddeviceresources on
sms_combineddeviceresources.resourceid = sms_r_system.resourceid
where sms_combineddeviceresources.clientstate != 0

We have just created a collection that gives the list of devices with a pending reboot. You can now decide whether to reboot them using client notification or not.

How do you reboot all devices at once? You cannot do it by right-clicking the collection; you must go into the collection, select all devices, right-click and use client notification. The collection level does not have a reboot option.

Now we will look at SSRS report.

With the information that is available in SCCM, we could build a variety of reports; however, I am going with the following customisations.

A report with parameters for the collection and the device restart type (Configuration Manager, Add or Remove Feature, etc.; multiple values allowed). It shows the count of pending restart devices by operating system.

The count has a drill-down report that shows the list of clients with inventory information like last hardware inventory, IP address, last MP, software update scan, etc.
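As an added example (not the SQL inside the downloadable RDL files), the following T-SQL decodes the clientstate bitmask from the list above and produces both the per-OS count of the parent report and the per-device list of the child report; it assumes the standard views v_CombinedDeviceResources (MachineID, Name, DeviceOS, ClientState), v_FullCollectionMembership and v_Collection, and the collection name is a constructed sample value.

```sql
-- Added example (not the downloadable report's SQL): pending restart count per OS
-- with the ClientState bitmask decoded, plus the drill-down device list.
-- Assumes the standard views v_CombinedDeviceResources (MachineID, Name, DeviceOS,
-- ClientState), v_FullCollectionMembership and v_Collection.
DECLARE @CollectionName nvarchar(255) = N'All Workstations';  -- constructed sample value

IF OBJECT_ID('tempdb..#Pending') IS NOT NULL DROP TABLE #Pending;

-- Decode the four flag bits that make up ClientState (1, 2, 4 and 8, as in the
-- list of states above); a value such as 5 is Configuration Manager + Windows Update.
SELECT  cdr.MachineID,
        cdr.Name,
        cdr.DeviceOS,
        cdr.ClientState,
        CASE WHEN cdr.ClientState & 1 = 1 THEN 1 ELSE 0 END AS ConfigMgr,
        CASE WHEN cdr.ClientState & 2 = 2 THEN 1 ELSE 0 END AS FileRename,
        CASE WHEN cdr.ClientState & 4 = 4 THEN 1 ELSE 0 END AS WindowsUpdate,
        CASE WHEN cdr.ClientState & 8 = 8 THEN 1 ELSE 0 END AS AddRemoveFeature
INTO    #Pending
FROM    v_CombinedDeviceResources cdr
JOIN    v_FullCollectionMembership fcm ON fcm.ResourceID = cdr.MachineID
JOIN    v_Collection col ON col.CollectionID = fcm.CollectionID
WHERE   col.Name = @CollectionName
  AND   cdr.ClientState <> 0;          -- anything other than 0 is a pending restart

-- Parent report: count of pending restart devices per operating system, by reason.
SELECT  DeviceOS,
        COUNT(*)              AS PendingRestart,
        SUM(ConfigMgr)        AS ConfigurationManager,
        SUM(FileRename)       AS FileRename,
        SUM(WindowsUpdate)    AS WindowsUpdate,
        SUM(AddRemoveFeature) AS AddOrRemoveFeature
FROM    #Pending
GROUP BY DeviceOS
ORDER BY PendingRestart DESC;

-- Child report: one row per device with the reasons spelled out the way the
-- console shows them (e.g. "Configuration Manager, Windows Update").
SELECT  Name,
        DeviceOS,
        ClientState,
        LEFT(Reasons, LEN(Reasons) - 1) AS RestartReasons   -- drop the trailing comma
FROM (
    SELECT  Name, DeviceOS, ClientState,
            CASE WHEN ConfigMgr        = 1 THEN 'Configuration Manager, ' ELSE '' END +
            CASE WHEN FileRename       = 1 THEN 'File Rename, '           ELSE '' END +
            CASE WHEN WindowsUpdate    = 1 THEN 'Windows Update, '        ELSE '' END +
            CASE WHEN AddRemoveFeature = 1 THEN 'Add or Remove Feature, ' ELSE '' END AS Reasons
    FROM    #Pending
) d
ORDER BY DeviceOS, Name;

DROP TABLE #Pending;
```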

Parent Report:

Click on the Pending Restart count (shown in blue) to see the list of all clients for that particular OS.

Child Report (Drilldown Report):

The child report has 3 parameters: collection name, restart state name and OS. All these parameters are passed to the child report from the parent report.

You might see a pending reboot for clients that are inactive. This is because the client never reported back to SCCM after the pending restart status message, and the state remains the same until the device comes online and reports its status.

You must run the parent report to get to the child report. If you try to run the child report directly, you will run into issues, which is expected because of the hidden parameters in the child report.

How to get the reports ?

Download the RDL files from the TechNet Gallery, extract them, upload the files to your SSRS reports (make sure both reports are in the same folder), change the data source and run the reports.

Reference:

https://blogs.technet.microsoft.com/meamcs/2019/01/10/understanding-and-using-the-pending-restart-feature-in-sccm-current-branch/


How to control Office proplus channel and which office apps are available to download from office portal


When you assign an Office 365 ProPlus license to users in your Microsoft 365 tenant, users have the option to download the ProPlus setup manually by visiting https://office.com or https://portal.office.com/ and clicking Install Office.

Even though you manage these ProPlus updates using SCCM and the channel using GPO, there will be users in the organisation who go to the Office portal and download the setup files manually to install.

When they download the setup file (it can be 32-bit or 64-bit), by default they get the Monthly channel, which is not what most organisations want to give their users. In order to provide a consistent experience to all users in the org, you need to make sure everyone gets the same channel updates as through the deployment tool (it can be Monthly, Semi-Annual, etc.).

So, how do we control the channel when a user downloads from the Office portal? Or how do we disable the Install Office option completely and let all ProPlus installations go through a specific deployment tool (SCCM/Intune)?

In this blog post, we will see how to control the ProPlus channel for manual downloads from the Office portal by end users.

It is not good practice to disable this option completely. If you do so, then for manual installations you will need to create an offline installer with an XML configuration file to install ProPlus, which is a tedious process.

If you simply leave the ProPlus option enabled for users with the right channel, then in urgent situations they can download the 32-bit or 64-bit installer right from the portal and get it installed.

How to control it ?

1. Log in to https://admin.microsoft.com/AdminPortal/Home#/homepage. You may need Global Administrator (GA) permissions to modify these settings.

2. On the left-hand side you will see Settings > Services & add-ins.

3. Scroll all the way down; you will see Office software download settings. This is where we control the channel and which Office apps are available to download.

4. All the settings you can control for user downloads are shown below.

Choose which software your users can install directly from Office 365. If you don't want your users installing software themselves, set the toggle to Off to disable this option on both desktop and mobile devices.

I always prefer the every-6-months option (Semi-Annual Channel) for many reasons. Check out the documentation for more information on the Semi-Annual Channel: https://docs.microsoft.com/en-us/deployoffice/overview-of-update-channels-for-office-365-proplus

Click on save.

Now when users download ProPlus from the Office portal, they always get the latest version of the Semi-Annual Channel.

The drawback is that this does not give you an option to control the version, only the channel (the build stays the same, but the actual ProPlus version 16.0.xxxx keeps changing when Microsoft releases updates).

Hope you find this blog post useful!

What’s new in SCCM ConfigMgr 1902 Reporting


Microsoft has released SCCM ConfigMgr Current Branch version 1902, available as an in-console update and as a baseline version. You can apply this update to sites running 1710, 1802, 1806 or 1810.

If you want to install a new site, you can download 1902 as a baseline. Download the baseline version of 1902 from volume licensing or

Once you update your existing site to 1902, you need to upgrade your secondary sites manually by right-clicking the secondary site and choosing Upgrade.

You also need to update your ConfigMgr clients to the latest version to use the newly supported client features.

With 1902, a bunch of new features were added, which means there are also a number of SQL tables/views added that will help us create custom reports.

Following are the newly added SQL views for custom reporting.

v_CH_ClientHealth
v_ClientActionResultOfTaskSummary
v_ClientActionResultSummary
v_ConsoleAdminsData
v_GS_OFFICE_ADDIN
v_GS_OFFICE_DOCUMENTMETRIC
v_GS_OFFICE_VBASUMMARY
v_GS_PHYSICALDISK
v_GS_SYSTEMBOOTDATA
v_GS_SYSTEMBOOTSUMMARY
v_Office_AdoptionStatus
v_Office_EntityLookup
v_Office_ValueLookup
v_OfficeProplusReadinessStrings
v_PhasedDeploymentOperationalDataCI
v_PhasedDeploymentOperationalDataPkgProgram
vSMS_CMPivotResult
vSMS_OfficeProplusReadiness

We can make use of these SQL views and create a variety of dashboards.

Looking at some of the Office SQL views like v_GS_OFFICE_ADDIN, v_GS_OFFICE_VBASUMMARY, v_GS_OFFICE_DOCUMENTMETRIC, etc., it is now easier to make the decision to move from 32-bit to 64-bit ProPlus.

SCCM ConfigMgr 1902 comes with the following Office 365 client management dashboard, which is built from these SQL tables/views.

Screenshot: the new Office 365 management dashboard.

Microsoft recommends installing 64-bit ProPlus for many reasons. If you look at this article, the default option to install ProPlus from Office 365 is 64-bit: https://support.office.com/en-us/article/Choose-between-the-64-bit-or-32-bit-version-of-Office-2dee7807-8f95-4d0c-b5fe-6c6f49b8d261#32or64Bit=Newer_Versions

If you still want to go with 32-bit, read the reasons for choosing the 32-bit version. The decision for 32-bit depends on the data you get from the Office SQL views above.

We can now create some nice dashboards to monitor system boot time for different models and take action on those causing trouble with long boot times.

When creating client health reports, we can now use v_CH_ClientHealth, as it contains almost all client health information like last policy request, last DDR, last online time, last offline time, OS, collection membership, etc.

We can now also monitor the CMPivot queries executed by users and how long each query takes to run. All this info is stored in vSMS_CMPivotResult. Since it is not a SQL view, access to this table is not granted to RBAC users with console access unless you have SCCM admin or SQL admin access.

Download SCCM Configmgr SQL views documentation for 1902 from TechNet  https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b

Happy reporting!

SCCM Management Insights and dashboard in Current Branch 1902


Management insights were introduced in SCCM build 1802 to provide information about the current state of your environment. With build 1802, very few insights were added. These insights are based on analysis of data from the site database. They help you understand your environment better and take action based on pre-defined rules.

With the release of SCCM current branch 1902, more insights were added to the console, which help you understand your environment better and take the necessary action based on the recommendations.

To locate management insights in the console, go to \Administration\Overview\Management Insights.

Below is the list of all management insights (MI) available in CMCB 1902.

There are a total of 27 management insights in CMCB 1902.

These insights are grouped into 9 categories based on their function, like collections, packages, applications, boot images, software updates/ADR, etc.

Management insight group names:

  1. Security
  2. Software Center
  3. Software updates
  4. Applications
  5. Mac OS and Unix
  6. Simplified management
  7. Collections
  8. Cloud Services
  9. Proactive Maintenance

Following is the list of the actual management insights that exist in SCCM ConfigMgr CMCB 1902, along with each rule's description. Hope the following information helps you understand what each rule does.

  1. Unused boot images: These boot images aren't enabled for PXE boot or referenced by any task sequence. Delete these potentially old, unused boot images.
  2. Boundary groups with no assigned site systems: Without assigned site systems, boundary groups can only be used for site assignment and not content lookup. Review whether these boundary groups are appropriate for content lookup.
  3. Upgrade peer cache sources to the latest version of the Configuration Manager client: When you update the site from a Configuration Manager version lower than 1806, this rule verifies that you also update all peer cache sources to the latest client version. The management point doesn't include these peer cache sources in the list of content locations until they are updated to the latest version.
  4. Boundary groups with no members: Boundary groups with no members will not be applicable for site assignment or content lookup. Review and delete any boundary groups that have no members.
  5. Distribution points not serving content to clients: The following distribution points haven't served content to clients in the past 30 days. This metric is based on the download history reported by clients. Review the boundary groups to which these distribution points are assigned. If these distribution points aren't needed, consider removing these site system roles.
  6. Unused configuration items: The following configuration items aren't part of a configuration baseline, and are older than 30 days. Review these potentially unused configuration items.
  7. Enable WSUS Cleanup: Verifies that the option to run WSUS cleanup on the Supersedence Rules tab of the software update point component properties is enabled. This option cleans up expired and superseded updates, improving WSUS performance.
  8. Unsupported antimalware client versions: More than 10% of devices are running versions of System Center Endpoint Protection that are no longer supported.
  9. SCEP for Mac and Linux end of support: Lists the Mac and Linux clients in your environment. These clients may or may not have SCEP installed. Support for SCEP for Mac and Linux ends on December 31, 2018.
  10. Changes to behavior for sending service and diagnostic data to Microsoft from Office: The behavior for sending service and diagnostic data to Microsoft from Office has changed.
  11. Applications without deployments: Lists the applications in your environment that do not have active deployments. This helps you to find and delete unused applications to simplify the list of applications displayed in the console.
  12. Move from hybrid MDM to Microsoft Intune in the Azure Portal: Hybrid MDM is being deprecated on September 1, 2019. It is recommended to migrate from hybrid MDM to Microsoft Intune on the Azure Portal.
  13. Update clients to the latest Windows 10 version: Update Windows 10 devices to the latest version to improve and modernize the computing experience for users. This rule detects if there are any Windows 10 version 1709 or later devices in your environment. If the rule detects any such devices, it turns green.
  14. Assess co-management readiness: Co-management is a solution that provides a bridge from traditional to modern management. Co-management gives you a path to make the transition using a phased approach. This rule helps you understand what steps are necessary to enable co-management.
  15. Enable devices to be hybrid Azure Active Directory joined: Modernize identity on your devices by extending your domain-joined devices to Azure Active Directory (Azure AD). Hybrid Azure AD-joined devices allow users to sign in with their domain credentials while ensuring devices meet the organization's security and compliance standards. This rule helps identify if there are any hybrid Azure AD-joined devices in your environment. If the rule detects any such devices, it turns green.
  16. Client settings aren't configured to allow clients to download delta content: Some software updates synchronized in your environment include delta content. Enable the client setting, 'Allow clients to download delta content when available.' If you don't enable this setting, when you deploy these updates, clients will unnecessarily download more content than they require.
  17. Collections with no query rules and no direct members: Lists the collections in your environment that have no members or query rules. You can delete these collections to simplify the list of collections in your hierarchy.
  18. Empty Collections: Lists the collections in your environment that have no members. You can delete these collections to simplify the list of collections displayed when deploying objects, for example.
  19. Collections with query time over 5 minutes: Lists the collections in your environment that have a query with an execution time of over 5 minutes. Review the query rules associated with the collection and consider modifying or deleting the collection.
  20. Collections with no query rules and schedule full evaluation selected: This configuration causes potentially unnecessary load on the site and should be reviewed and either deleted or disabled for evaluation.
  21. Collections with no query rules and enabled for any schedule: This configuration causes potentially unnecessary load on the site and should be reviewed and either deleted or disabled for evaluation.
  22. Collections with the same re-evaluation start time: Lists the collections in your environment that have the same re-evaluation time as other collections. You can modify the re-evaluation time so they do not conflict with each other.
  23. Collections with no query rules and incremental updates enabled: Lists the collections in your environment that have no query rules and have incremental updates enabled. This configuration causes potentially unnecessary load on the site and should be reviewed and either deleted or disabled for incremental evaluation.
  24. Non-CB Client Versions: This lists all clients running client versions from ConfigMgr builds before Current Branch.
  25. Update clients to a supported Windows 10 version: Some clients in your environment are running a Windows 10 version that is no longer supported, or will reach end of service within the next three months.
  26. Direct your users to Software Center instead of Application Catalog: This rule checks if any users installed or requested applications from the Application Catalog in the last 14 days. The primary functionality of the Application Catalog is now included in Software Center. Support for the Application Catalog web site ends with the first update released after June 1, 2018. Update any end-user documentation and shortcuts to use Software Center.
  27. Use the new version of Software Center: Software Center has a new, modern look. The previous version of Software Center is no longer supported. Set up clients to use the new Software Center by enabling the client setting, Computer Agent > Use new Software Center.

If you want to know the status of each rule, you can either check from the SCCM admin console by clicking the insight group and going through each rule, or use an SCCM report; but to take action, you can only do so using the SCCM console, not reporting.

On a scheduled basis these rules are evaluated and their status is displayed in the console: completed, failed or in progress. If any rule fails or needs action, you need to review the rule and take the necessary action.

The management insight rules reevaluate their applicability on a weekly schedule. To reevaluate a rule on-demand, right-click the rule and select Re-evaluate.

The log file for management insight rules is SMS_DataEngine.log on the site server.

For example, Collections with query time over 5 minutes: this rule checks all your CM collections and finds collections that take more than 5 minutes to evaluate.

If you want to know how many of these rules need your action, you need to click on each group and check the status, which is a time-consuming process.

Starting in version 1810, the Management Insights node includes a graphical dashboard. This dashboard displays an overview of the rule states, which makes it easier for you to show your progress.

The MI rules newly added in 1902 are also included in the dashboard.

Please note that this dashboard is available only in the console. If you want to view the MI stats via the reporting URL, you need to build a custom report.

This dashboard is based on the SQL tables vSMS_ManagementInsights and ManagementInsightRulesLocalizedData. These are not SQL views, hence non-SCCM administrators (users given an RBAC role) cannot access these SQL tables.

Following is the SQL code for you to create a custom SSRS report.

SELECT
MI.Id,
MI.GroupID,
loc.RuleName As Name,
case when MI.Status='1' then 'Completed' when MI.status='-1' then 'Action Needed' else 'Progress' end as 'Status',
MI.Results,
MI.LastRunTime,
MI.LastSuccessfulRunTime,
MI.Duration,
MI.Error,
MI.MoreInfoLink,
MI.ActionType
FROM vSMS_ManagementInsights MI
LEFT JOIN ManagementInsightRulesLocalizedData loc ON MI.Id = loc.Id
order by 2

Reference https://docs.microsoft.com/en-us/sccm/core/servers/manage/management-insights

SCCM Configmgr Technical preview build 1903 released


Microsoft released SCCM ConfigMgr Technical Preview build 1903 for this month (March 2019). Technical previews are intended for lab use only and cannot be used in a production environment.

The technical preview introduces new functionality that Microsoft is working on. It introduces new features that aren't yet included in the current branch of Configuration Manager. These features might eventually be included in an update to the current branch. Before we finalize the features, we want you to try them out and give us feedback.

If you already have a technical preview lab running build 1808 or above, you can get this update in the console; if you want to build a new lab, download 1902.2 as the baseline, install it and then use the in-console update to install build 1903.

The Configuration Manager technical preview version 1902.2 is available as both an in-console update and as a new baseline version. Download baseline versions from the TechNet Evaluation Center.

Please read the technical preview supported hardware and products https://docs.microsoft.com/en-us/sccm/core/get-started/technical-preview

Features that are introduced in technical preview version 1903:

Cloud services cost estimator: This release introduces a new cost estimator tool in the Configuration Manager console.

Screenshot of cloud services usage estimation tool

Use your distribution point as a local cache server for Delivery Optimization: You can now install the Delivery Optimization In-Network Cache server on your distribution points. By caching this content on-premises, your clients can benefit from the Delivery Optimization feature while you help protect WAN links.

Reclaim lock for editing task sequences: If the SCCM console stops responding, you can be locked out of making further changes until the lock expires after 30 minutes. This lock is part of the Configuration Manager SEDO (Serialized Editing of Distributed Objects) system.

Drill through required updates: You can now drill through compliance statistics to see which devices require a specific software update. To view the device list, you need permission to view updates and the collections the devices belong to.

Improvement to task sequence media creation: When you create task sequence media, Configuration Manager no longer adds an autorun.inf file. This file is commonly blocked by antimalware products.

To install this update from the console, go to Administration > Updates and Servicing and check for updates to see 1903.

Once the download completes and the status changes to Ready to install, right-click it and choose Install Update Pack.

If the binaries are not downloading, review dmpdownloader.log located in the logs folder of the SCCM installation directory. If it is stuck at downloading, try restarting the SMS Executive service and click Check for updates to see the download progress.

Go with the default options it takes you through.

Monitor the installation using the log (cmupdate.log, located in your SCCM install directory) and also from the console (Monitoring > Updates and Servicing Status).

After a while, the installation completes and when you launch the console, it displays a notification bar at the top to install the new console.

Click Install new console.

Console version: 5.1906.1021.1000

Site version:5.0.8800.1000

Happy exploring of technical preview!

SCCM Secondary site upgrade Failed to create process of SetupWpf.exe. return value 1


Issue Description:

A few months ago, I migrated a primary SCCM site along with its secondary sites to SCCM build 1806. The update of the primary site and the secondary site upgrades went fine, except for 1 secondary site.

The failed secondary site threw the following error in the log.

On the secondary site, in the root of the system drive (C:\), you will find a log called Configmgrsetup.log.

Server components are experiencing fatal errors.

Failed to create process of SetupWpf.exe. return value 1

Error code 1 means Incorrect function.

While reading the log file, I found: Registered OCX: D:\Configmgr\bin\x64\smsprov.dll with regsvr32.exe

It looked to me like it was failing to register smsprov.dll, and it just hung there for a long period (almost an hour).

I checked the AV (antivirus) to see if something was holding the process for a long time, but there was nothing. I even tried disabling the AV, but no luck.

Without waiting further, I rebooted the server and initiated the secondary site upgrade using the SCCM console.

This time it failed again with the same error code. I could not troubleshoot much further, so I raised a support case to identify the root cause and fix it.

The support engineer collected a dump file and procmon logs to find the root cause.

We noticed that the TMP folder is created and all files exist. However, the log stopped at "INFO: Registered OCX: D:\Configmgr\bin\x64\smsprov.dll with regsvr32.exe~" with no further log entries after 30 minutes. Then bootstrap deletes the TMP folder.

  1. Going through the previous log, we noticed that it took several hours for the registration to work. This is not correct behaviour.

10-06-2018 12:44:05.261    Configuration Manager Setup    5196 (0x144c)    INFO: Registered OCX: D:\Configmgr\bin\x64\smsprov.dll with regsvr32.exe~

10-06-2018 18:27:37.251    Configuration Manager Setup    5196 (0x144c)    INFO: Registered OCX: D:\Configmgr\bin\x64\extnprov.dll with regsvr32.exe~

  2. Manually ran regsvr32.exe extnprov.dll. It did not finish. Checking Process Monitor, we see the process is there but does not proceed.
  3. We checked Analyze Wait Chain; it shows the blocking process is lsass.
  4. We restarted the secondary site; it still did not work.
  5. Collected dump files of both lsass and regsvr32. The dump shows that regsvr32 calls lsass, and lsass sends a request to the DC, but no information comes back. Below are details from the dump. "SMS Admins" is a default name; it will not display the exact account name.

The regsvr32.exe process is stuck on the following call stack, which invokes the RPC call LsaLookuprTranslateNames3 for the account "SMS Admins" to the LSASS.EXE process.

We tried possible solutions to fix the issue, but none of them worked. The support engineer discussed internally and came back with the following workaround, which is really simple.

Solution:

On secondary site (SS2) , open Local Users and Groups.

  1. Click More Actions  > New Group…
  2. Set group name as SMS Admins.

After you create the SMS Admins group, re-initiate the secondary site upgrade, and that will fix the issue.

A few weeks ago, at a different customer, I ran into the same issue for 2 of the secondary sites while upgrading to SCCM build 1810. After creating the SMS Admins group locally, the secondary site installation went fine.

I hope this solution solves the mystery of installing secondary sites.
