Channel: configmgr – All about Microsoft Endpoint Manager

SCCM Technical preview version 1901 – Management insight rules for collections


 

Microsoft released the first Technical Preview for Configuration Manager of 2019, with some exciting features: client health dashboard, management insight rules for collections, DP maintenance mode, searching devices by MAC address, and many others.

If you want to install this preview in your lab, get the baseline version of Technical Preview 1810.2 from the TechNet Evaluation Center. For more information about Technical Previews, please read here

Once you install the baseline version, you will see 1901 in the console. Installing Technical Previews from the console is simple and very straightforward.

The features added in preview version 1901 are:

  1. Client health dashboard
  2. Specify priority for feature updates in Windows 10 servicing
  3. Dedicated monitoring for phased deployments
  4. Run CMPivot from the central administration site
  5. Improvements to Run PowerShell Script task sequence step
  6. Office products on lifecycle dashboard
  7. Management insight rules for collections
  8. Search device views using MAC address
  9. Distribution point maintenance mode
  10. Optimized image servicing
  11. Import a single index of an OS image
  12. Use Azure Resource Manager for cloud services
  13. Confirmation of console feedback
  14. Create a Configuration Manager technical preview lab in Azure
  15. Specify a custom port for peer wakeup
  16. View recently connected consoles
  17. Stop cloud service when it exceeds threshold
  18. Client provisioning mode timeout
  19. Improvements to OS deployment

Some of the features that I am interested in are the client health dashboard, management insight rules for collections, searching devices by MAC address, DP maintenance mode, viewing recently connected consoles, monitoring phased deployments, and creating a preview lab in Azure.

I recently wrote blog posts on how to identify collections with different criteria and how to correct the collections where needed: http://eskonr.com/2019/01/sccm-configmgr-remove-collection-membership-for-direct-rule-collections-using-powershell/

http://eskonr.com/2019/01/sccm-configmgr-monitoring-collection-evaluations-and-change-update-membership-schedule-using-powershell/

Microsoft has now added a way to identify collections matching the criteria listed below and take the necessary action.

You can use these insights to simplify management and improve performance.

The following rules are in the Collections group:

  • Collections with no query rules and no direct members: To simplify the list of collections in your hierarchy, delete these collections.
  • Collections with the same re-evaluation start time: These collections have the same re-evaluation time as other collections. Modify the re-evaluation time so they don't conflict.
  • Collections with query time over two seconds: Review the query rules for this collection. Consider modifying or deleting the collection.
  • The following rules include configurations that potentially cause unnecessary load on the site. Review these collections, then either delete them, or disable rule evaluation:
    • Collections with no query rules and incremental updates enabled
    • Collections with no query rules and enabled for scheduled or incremental evaluation
    • Collections with no query rules and schedule full evaluation selected

image

Double-click on the Collections group and you will see the list of rules with their progress status. The progress status tells you whether action is needed or not.

For each rule that it evaluates, it tells you whether any action is needed by the admin.

image

As shown above, some rules say action is needed. To see which collections are affected, just double-click the rule.

I double-clicked Empty Collections to see which collections they are.

image

I have a collection that has no members. I can take action on this.

Once you are done, you can re-evaluate the rule by right-clicking it and selecting Re-evaluate.

Like these, there are many other features added in preview version 1901.

Happy testing!


SCCM ConfigMgr Current Branch 1902 is now available as in-console and baseline version


Microsoft has released Configuration Manager current branch 1902 as an in-console update and a baseline version. You can apply this update on sites running 1710, 1802, 1806, or 1810. If you want to install a new site, you can download 1902 as a baseline and install the update.

This build includes a bunch of features, listed below:

Site infrastructure:

  Client health dashboard
  New management insight rules
  Improvement to enhanced HTTP
  Improvement to setup prerequisites

Cloud-attached management:

  Stop cloud service when it exceeds threshold
  Use Azure Resource Manager for cloud services
  Add cloud management gateway to boundary groups

Real-time management:

  Run CMPivot from the central administration site
  Edit or copy PowerShell scripts

Content management:

  Distribution point maintenance mode

Client management:

  Client provisioning mode timeout
  View first screen only during remote control
  Specify a custom port for peer wakeup

Application management:

  Improvements to application approvals via email
  Improvements to Package Conversion Manager

OS deployment:

  Progress status during in-place upgrade task sequence
  Improvements to task sequence media creation
  Specify temporary storage
  Add a label to the media
  Import a single index of an OS image
  Optimized image servicing
  Improvements to Run PowerShell Script task sequence step
  Other improvements to OS deployment

Software Center:

  Replace toast notifications with dialog window
  Software changes are required
  Restart required
  Configure user device affinity in Software Center
  Configure default views in Software Center

Software updates:

  Specify priority for feature updates in Windows 10 servicing

Office management:

  Redirect Windows known folders to OneDrive
  Integration with analytics for Office 365 ProPlus readiness
  Additional languages for Office 365 updates
  Office products on lifecycle dashboard

Phased deployments:

  Dedicated monitoring for phased deployments
  Improvement to phased deployment success criteria

Configuration Manager console:

  Improvements to Configuration Manager console
  Configuration Manager console notifications
  Confirmation of console feedback
  View recently connected consoles
  In-console documentation dashboard
  Search device views using MAC address
  Use .NET 4.7 for improved console accessibility

Read the full set of features with descriptions: https://docs.microsoft.com/en-us/sccm/core/plan-design/changes/whats-new-in-version-1902

List of PowerShell cmdlet changes: https://docs.microsoft.com/en-us/powershell/sccm/1902-release-notes?view=sccm-ps

List of known issues: https://docs.microsoft.com/en-us/sccm/core/servers/deploy/install/release-notes

To download the baseline version of 1902, you can log in to the Volume Licensing Service Center or get it from the Evaluation Center.

For now, Microsoft has released this update via the fast ring. What does fast ring mean? To get the update in the console at this point in time, you need to run the script manually to see 1902 in the console.

If you are not in a rush and are OK to wait for the slow ring, you can simply ignore this script and continue reading the blog post.

Installing this update in-console is similar to previous build versions, but always review the latest checklist for installing this update. For more information, see Checklist for installing update 1902. After you update a site, also review the Post-update checklist.

For the fast ring, download the PowerShell script from TechNet https://gallery.technet.microsoft.com/ConfigMgr-1902-Enable-87eef616?redir=0 and copy it to your SCCM site server.

Extract it and run the script from a PowerShell prompt.

  1. Launch an elevated command prompt.
  2. Run PowerShell.
  3. Run the EnableFastUpdateRing1902.ps1 script (bundled in the exe in the link above):
    • EnableFastUpdateRing1902.ps1 <SiteServer_Name | SiteServer_IP> where SiteServer refers to the CAS or standalone primary site server
  4. Force a check for the update:
    • Go to \Administration\Overview\Cloud Services\Updates and Servicing and click "Check for Updates".

Once you have run the script, close any SCCM console connections and restart the SMS Executive service.

Now launch the SCCM console. Alongside it, open dmpdownloader.log. This log tracks all information related to the download of the update.

On the Updates and Servicing node, click Check for Updates.

image

After a while, you will see the 1902 update appear in the console.

You can monitor dmpdownloader.log for any errors.

Once you see the 1902 update in the console, run the prerequisite check to see if your site is ready for the upgrade.

image

After a while, the status will be updated.

Run the prerequisite checker to see if your site is ready to update to 1902.

image

Once the prerequisite check has passed, you are good to install the update pack.

image

Choose the features that you want to enable. If you are not sure what to enable, you can do it later, after the update is installed, via Features.

image

Have a pre-production collection and select the collection to install the 1902 client.

image

Accept the license terms and click Next.

image

Check the summary page and click Next.

image

You will see the completion page of the wizard.

image

Now monitor the status of update 1902 from the Updates and Servicing node or using the log file cmupdate.log.

Once the installation has completed, you will see a prompt asking you to install the new console version. Click OK to install the new console.

image

Configuration manager version:

image

SCCM Site version: 5.00.8790.1000

SCCM console version: 5.1902.1085.1500

SCCM Client version: 5.00.8790.1005

Happy exploring!

Additional resources:

What’s new in SCCM ConfigMgr 1902 Reporting


Microsoft has released SCCM ConfigMgr Current Branch build version 1902, and it is available as an in-console update and a baseline version. You can apply this update on sites that run 1710, 1802, 1806 and 1810.

If you want to install a new site, you can download 1902 as a baseline. Download the baseline version of 1902 from volume licensing or

Once you update your existing version to 1902, you need to upgrade your secondary sites manually by right-clicking each secondary site and selecting Upgrade.

You also need to update your ConfigMgr clients to the latest version to use the newly supported client features.

With 1902, a bunch of new features were added, which means a number of SQL tables/views were also added that will help us create custom reports.

The following are the newly added SQL views for custom reporting.

v_CH_ClientHealth
v_ClientActionResultOfTaskSummary
v_ClientActionResultSummary
v_ConsoleAdminsData
v_GS_OFFICE_ADDIN
v_GS_OFFICE_DOCUMENTMETRIC
v_GS_OFFICE_VBASUMMARY
v_GS_PHYSICALDISK
v_GS_SYSTEMBOOTDATA
v_GS_SYSTEMBOOTSUMMARY
v_Office_AdoptionStatus
v_Office_EntityLookup
v_Office_ValueLookup
v_OfficeProplusReadinessStrings
v_PhasedDeploymentOperationalDataCI
v_PhasedDeploymentOperationalDataPkgProgram
vSMS_CMPivotResult
vSMS_OfficeProplusReadiness

We can make use of these SQL views to create a variety of dashboards.

Looking at some of the Office SQL views like v_GS_OFFICE_ADDIN, v_GS_OFFICE_VBASUMMARY, v_GS_OFFICE_DOCUMENTMETRIC etc., it is now easier to decide whether to move to 64-bit ProPlus from 32-bit.

SCCM ConfigMgr build 1902 comes with the following Office 365 client management dashboard report, and this dashboard is built from these SQL tables/views.

NewOffice365MgmgDashbord.png

Microsoft recommends installing 64-bit ProPlus for many reasons. If you look at this article, Microsoft's default option for installing ProPlus from Office 365 is 64-bit. https://support.office.com/en-us/article/Choose-between-the-64-bit-or-32-bit-version-of-Office-2dee7807-8f95-4d0c-b5fe-6c6f49b8d261#32or64Bit=Newer_Versions

If you still want to go with 32-bit, read the reasons to choose the 32-bit version. The decision to choose 32-bit depends on the data that you get from the Office SQL views above.

We can now create some nice dashboards to monitor the system boot time for different models and take action on those causing trouble with long boot times.

When creating client health reports, we can now use v_CH_ClientHealth, as it contains almost all information about client health, such as last policy request, last DDR, last online time, last offline time, OS, collection membership etc.

We can now monitor the CMPivot queries executed by users and how much time each query takes to run. All this information is stored in vSMS_CMPivotResult. Note that it is not a SQL view, so access to it is not available to all RBAC users with SCCM console access; you need to be an SCCM admin or be given SQL admin access.

Download the SCCM ConfigMgr SQL views documentation for 1902 from TechNet: https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b

Happy reporting!

SCCM Management Insights and dashboard in Current Branch 1902


Management insights were introduced in SCCM build 1802 to provide information about the current state of your environment. Build 1802 added only a very limited set of insights. These insights are based on analysis of data from the site database. They help you better understand your environment and take action based on pre-defined rules.

With the release of SCCM current branch 1902, more insights have been added to the console, which help you understand your environment better and take the necessary action based on the recommendations.

To locate the management insights in the console, go to \Administration\Overview\Management Insights.

I am going to list all the management insights (MI) that are available in CMCB 1902.

There are a total of 27 management insights available in CMCB 1902.

These insights are grouped into 9 categories based on their function, such as collections, packages, applications, boot images, software updates/ADR etc.

Management insight group names:

  1. Security
  2. Software Center
  3. Software updates
  4. Applications
  5. Mac OS and Unix
  6. Simplified management
  7. Collections
  8. Cloud Services
  9. Proactive Maintenance

The following is the list of management insights that exist in the SCCM ConfigMgr CMCB 1902 build, each with its rule description. I hope this information helps you understand what each rule does.

  • Unused boot images: These boot images aren't enabled for PXE boot or reference by any task sequence. Delete these potentially old, unused boot images.
  • Boundary groups with no assigned site systems: Without assigned site systems, boundary groups can only be used for site assignment and not content lookup. Review whether these boundary groups are appropriate for content lookup.
  • Upgrade peer cache sources to the latest version of the Configuration Manager client: When you update the site from a Configuration Manager version lower than 1806, this rule verifies that you also update all peer cache sources to the latest client version. The management point doesn't include these peer cache sources in the list of content locations until they are updated to the least version.
  • Boundary groups with no members: Boundary groups with no members will not be applicable for site assignment or content lookup. Review and delete any boundary groups that have no members.
  • Distribution points not serving content to clients: The following distribution points haven't served content to clients in the past 30 days. This metric is based on the download history reported by clients. Review the boundary groups to which these distribution points are assigned. If these distribution points aren't needed, consider removing these site system roles.
  • Unused configuration items: The following configuration items aren't part of a configuration baseline, and are older than 30 days. Review these potentially unused configuration items.
  • Enable WSUS Cleanup: Verifies that the option to run WSUS cleanup on the Supersedence Rules tab of the software update point component properties is enabled. This option cleans up expired and superseded updates, improving WSUS performance.
  • Unsupported antimalware client versions: More than 10% of devices are running versions of System Center Endpoint Protection that are no longer supported.
  • SCEP for Mac and Linux end of support: Lists the Mac and Linux clients in your environment. These clients may or may not have SCEP installed. Support for SCEP for Mac and Linux ends on December 31, 2018.
  • Changes to behavior for sending service and diagnostic data to Microsoft from Office: The behavior for sending service and diagnostic data to Microsoft from Office has changed.
  • Applications without deployments: Lists the applications in your environment that do not have active deployments. This helps you to find and delete unused applications to simplify the list of applications displayed in the console.
  • Move from hybrid MDM to Microsoft Intune in the Azure Portal: Hybrid MDM is being deprecated on September 1, 2019. It is recommended to migrate from hybrid MDM to Microsoft Intune on the Azure Portal.
  • Update clients to the latest Windows 10 version: Update Windows 10 devices to the latest version to improve and modernize the computing experience for users. This rule detects if there are any Windows 10 version 1709 or later devices in your environment. If the rule detects any such devices, it turns green.
  • Assess co-management readiness: Co-management is a solution that provides a bridge from traditional to modern management. Co-management gives you a path to make the transition using a phased approach. This rule helps you understand what steps are necessary to enable co-management.
  • Enable devices to be hybrid Azure Active Directory joined: Modernize identity on your devices by extending your domain-joined devices to Azure Active Directory (Azure AD). Hybrid Azure AD-joined devices allow users to sign in with their domain credentials while ensuring devices meet the organization's security and compliance standards. This rule helps identify if there are any hybrid Azure AD-joined devices in your environment. If the rule detects any such devices, it turns green.
  • Client settings aren't configured to allow clients to download delta content: Some software updates synchronized in your environment include delta content. Enable the client setting, 'Allow clients to download delta content when available.' If you don't enable this setting, when you deploy these updates, clients will unnecessarily download more content than they require.
  • Collections with no query rules and no direct members: Lists the collections in your environment that have no members or query rules. You can delete these collections to simplify the list of collections in your hierarchy.
  • Empty Collections: Lists the collections in your environment that have no members. You can delete these collections to simplify the list of collections displayed when deploying objects, for example.
  • Collections with query time over 5 minutes: Lists the collections in your environment that have a query with an execution time of over 5 minutes. Review the query rules associated with the collection and consider modifying or deleting the collection.
  • Collections with no query rules and schedule full evaluation selected: This configuration causes potentially unnecessary load on the site and should be reviewed and either deleted or disabled for evaluation.
  • Collections with no query rules and enabled for any schedule: This configuration causes potentially unnecessary load on the site and should be reviewed and either deleted or disabled for evaluation.
  • Collections with the same re-evaluation start time: Lists the collections in your environment that have the same re-evaluation time as other collections. You can modify the re-evaluation time so they do not conflict with each other.
  • Collections with no query rules and incremental updates enabled: Lists the collections in your environment that have no query rules and have incremental updates enabled. This configuration causes potentially unnecessary load on the site and should be reviewed and either deleted or disabled for incremental evaluation.
  • Non-CB Client Versions: This lists all clients running client versions from ConfigMgr builds before Current Branch.
  • Update clients to a supported Windows 10 version: Some clients in your environment are running a Windows 10 version that is no longer supported, or will reach end of service within the next three months.
  • Direct your users to Software Center instead of Application Catalog: This rule checks if any users installed or requested applications from the Application Catalog in the last 14 days. The primary functionality of the Application Catalog is now included in Software Center. Support for the Application Catalog web site ends with the first update released after June 1, 2018. Update any end-user documentation and shortcuts to use Software Center.
  • Use the new version of Software Center: Software Center has a new, modern look. The previous version of Software Center is no longer supported. Set up clients to use the new Software Center by enabling the client setting, Computer Agent > Use new Software Center.

If you want to know the status of each rule, you can either check from the SCCM admin console by clicking the insight group and going through each rule, or use an SCCM report. To take action, however, you must use the SCCM console; it cannot be done from reporting.

These rules are evaluated on a schedule, and the console displays whether each one is completed, failed or in progress. If any rule has failed or needs action, you need to review the rule and take the necessary action.

The management insight rules reevaluate their applicability on a weekly schedule. To reevaluate a rule on-demand, right-click the rule and select Re-evaluate.

The log file for management insight rules is SMS_DataEngine.log on the site server.

For example, take Collections with query time over 5 minutes. This rule checks all your CM collections and finds the collections that take more than 5 minutes to evaluate.

If you want to know how many of these rules need your action, you need to click on each group and check the status, which is a time-consuming process.

Starting in version 1810, the Management Insights node includes a graphical dashboard. This dashboard displays an overview of the rule states, which makes it easier for you to show your progress.

The management insights newly added in 1902 are also included in the dashboard.

Please note that this dashboard is available only via the console. If you want to view the MI stats using a reporting URL, you need to build a custom report.

This dashboard is based on the SQL tables vSMS_ManagementInsights and ManagementInsightRulesLocalizedData. These are not SQL views, hence users who are not SCCM administrators (users who are given an RBAC role) cannot access these SQL tables.

The following SQL code lets you create a custom SSRS report.

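-- Management insight rules with a readable status, ordered by insight group.
-- Status mapping: 1 = Completed, -1 = Action Needed, any other value = Progress.
SELECT
    MI.Id,
    MI.GroupID,
    loc.RuleName AS Name,
    CASE WHEN MI.Status = '1' THEN 'Completed'
         WHEN MI.Status = '-1' THEN 'Action Needed'
         ELSE 'Progress' END AS 'Status',
    MI.Results,
    MI.LastRunTime,
    MI.LastSuccessfulRunTime,
    MI.Duration,
    MI.Error,
    MI.MoreInfoLink,
    MI.ActionType
FROM vSMS_ManagementInsights MI
-- Rule names live in the localized data table, joined on the rule Id
LEFT JOIN ManagementInsightRulesLocalizedData loc ON MI.Id = loc.Id
ORDER BY MI.GroupID

Reference: https://docs.microsoft.com/en-us/sccm/core/servers/manage/management-insights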

SCCM Configmgr Technical preview build 1903 released


Microsoft released SCCM ConfigMgr Technical Preview build 1903 for this month (March 2019). Technical previews are intended for lab use only and cannot be used in a production environment.

The technical preview introduces new functionality that Microsoft is working on. It introduces new features that aren't yet included in the current branch of Configuration Manager. These features might eventually be included in an update to the current branch. Before we finalize the features, we want you to try them out and give us feedback.

If you already have a technical preview lab running build 1808 or above, you can get this update in the console. If you want to build a new lab, you can download 1902.2 as a baseline, install it and then use the in-console update to install build 1903.

The Configuration Manager technical preview version 1902.2 is available as both an in-console update and as a new baseline version. Download baseline versions from the TechNet Evaluation Center.

Please read about the supported hardware and products for the technical preview: https://docs.microsoft.com/en-us/sccm/core/get-started/technical-preview

Features that are introduced in technical preview version 1903:

Cloud services cost estimator: This release introduces a new cost estimator tool in the Configuration Manager console.

Screenshot of cloud services usage estimation tool

Use your distribution point as a local cache server for Delivery Optimization: You can now install Delivery Optimization In-Network Cache server on your distribution points. By caching this content on-premises, your clients can benefit from the Delivery Optimization feature, but you can help to protect WAN links.

Reclaim lock for editing task sequences: If the SCCM console stops responding, you can be locked out of making further changes until the lock expires after 30 minutes. This lock is part of the Configuration Manager SEDO (Serialized Editing of Distributed Objects) system.

Drill through required updates: You can now drill through compliance statistics to see which devices require a specific software update. To view the device list, you need permission to view updates and the collections the devices belong to.

Improvement to task sequence media creation: When you create task sequence media, Configuration Manager doesn't add an autorun.inf file. This file is commonly blocked by antimalware products.

To install this update in-console, go to Administration > Updates and Servicing in the console and check for updates to see 1903.

image

Once the download finishes and the status changes to Ready to install, right-click the update and choose Install Update Pack.

If the binaries are not downloading, you can review dmpdownloader.log, located in the logs folder of the SCCM installation directory. If it is stuck at downloading, you can try restarting SMS Executive and clicking Check for Updates to see the download progress.

image

Go with the default options that the wizard takes you through.

image

Monitor the installation using the log (cmupdate.log, located in your SCCM install directory) and also from the console (Monitoring, Updates and Servicing Status).

image

After a while, the installation will complete, and when you launch the console it will display a notification bar at the top prompting you to install the new console.

image

Click on install new console.

image

Console version: 5.1906.1021.1000

Site version: 5.0.8800.1000

Happy exploring of technical preview!

SCCM Configmgr collection SQL identify duplicate computer records with different GUID


I was working on an SCCM report for a client health dashboard. While creating this report, I found that a device appeared twice, with a different GUID and resource ID but with the same hostname.

So I started looking at this issue to see how to identify the records with duplicate hostnames.

SCCM clients are uniquely identified by a GUID. A GUID is a combination of the client's media access control (MAC) address and the time when the GUID is assigned.

This combination produces a number that is virtually always unique. The GUID assignment occurs during the client discovery and installation processes.

The GUID is stored in the client's registry and in a binary file on the client's hard disk, the smscfg.ini file (C:\Windows\SMSCFG.INI).

As you can see in the snapshots below, the computer record appears twice with the information that was gathered through inventory/BGB/discovery.

Take a look at the following screenshots with 3 different problems.

Device with different resource ID and Client=Yes

image

With this information, I started looking at SQL to write code and convert it to a collection, so it would be easy to clean up the records in an automated way.

Device with different resource ID and client =No

image

Device with different resource ID and client=No

image

So I went to the site hierarchy settings to check the conflicting records setting, but the settings were applied correctly:

image

Why does this happen? This is an old article but it is still valid: https://support.microsoft.com/en-us/help/837374/how-to-locate-and-clean-advanced-client-duplicate-guids-in-sms-2003

If you have the maintenance task enabled, these obsolete or inactive stale records are taken care of by it, but do you want to wait until the default maintenance task runs?

Here is the SQL code to list the devices that appear more than once in the SCCM console, with their counts.

select name0 [Device Name],count(*) Total from v_r_system
group by name0
having (count(name0))>1
order by Name0

image

If you want to see the devices that appear the most times at the top, use the following query:

select name0 [Device Name],count(*) Total from v_r_system
group by name0
having (count(name0))>1
order by 2 desc

If you want to see the list of all these devices with their resource IDs, use the following query:

select sys.name0,sys.ResourceID from v_r_system as sys
full join v_r_system as sys1 on sys1.ResourceId = sys.ResourceId
full join v_r_system as sys2 on sys2.Name0 = sys1.Name0
where sys1.Name0 = sys2.Name0 and sys1.ResourceId != sys2.ResourceId
group by sys.Name0,sys.ResourceID
order by 1

Create a WQL collection with the following syntax:

I am making use of SMS_R_System with a full join.

select sys.ResourceID,sys.ResourceType,sys.Name,sys.SMSUniqueIdentifier,
sys.ResourceDomainORWorkgroup,sys.Client from SMS_R_System as sys
full join SMS_R_System as sys1 on sys1.ResourceId = sys.ResourceId
full join SMS_R_System as sys2 on sys2.Name = sys1.Name
where sys1.Name = sys2.Name and sys1.ResourceId != sys2.ResourceId

image

P.S.: The above queries only find the computer names that appear twice or more with a different resource ID, GUID etc.

Also note that this collection includes the active/live entry along with the inactive entry. I could not find any way/logic to skip the active computers.

You can delete all these records manually or create a scheduled PowerShell script to empty the collection. This way, you lose the inventory of the active computers, but they send it back in the next inventory cycle.
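The queries above return every record that shares a hostname, live and stale alike. The following is an added example, not part of the original post: it ranks the records for each duplicated name so that the most recently active one can be told apart from the rest before anything is deleted. It assumes the v_CH_ClientSummary view and its LastActiveTime column are populated by client status in your site.

```sql
-- Added example: rank records that share a hostname by how recently they were active.
-- Assumption: v_CH_ClientSummary.LastActiveTime is populated for devices with a working client.
WITH dup AS (
    SELECT
        sys.Name0,
        sys.ResourceID,
        sys.SMS_Unique_Identifier0,
        sys.Client0,
        sys.Obsolete0,
        sys.Creation_Date0,
        chs.LastActiveTime,
        -- How many records carry this hostname
        COUNT(*) OVER (PARTITION BY sys.Name0) AS RecordsForName,
        -- Rank 1 = record with a client, most recent activity, newest creation date.
        -- NULL values sort last when ordering DESC in SQL Server.
        ROW_NUMBER() OVER (
            PARTITION BY sys.Name0
            ORDER BY ISNULL(sys.Client0, 0) DESC,
                     chs.LastActiveTime DESC,
                     sys.Creation_Date0 DESC
        ) AS RecencyRank
    FROM v_R_System AS sys
    LEFT JOIN v_CH_ClientSummary AS chs
        ON chs.ResourceID = sys.ResourceID
    WHERE sys.Name0 IS NOT NULL
)
SELECT
    Name0                  AS [Device Name],
    ResourceID,
    SMS_Unique_Identifier0 AS [GUID],
    Client0                AS [Client],
    Obsolete0              AS [Obsolete],
    LastActiveTime,
    CASE WHEN RecencyRank = 1 THEN 'Most recent record'
         ELSE 'Review as stale' END AS Suggestion
FROM dup
WHERE RecordsForName > 1
ORDER BY Name0, RecencyRank;
```

Treat the Suggestion column as a review aid: confirm the rank 1 record against the device's current GUID in SMSCFG.INI before removing the others.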

Hope it helps!

Clean up your WSUS database for better performance and SCCM software update compliance



Introduction:

With the recent Current Branch updates starting from 1806, Microsoft is making good improvements to software update maintenance, but there is a lot more to come in the near future. Read about the software update maintenance tasks available in SCCM: https://docs.microsoft.com/en-us/sccm/sum/deploy-use/software-updates-maintenance

Many SCCM admins think that installing WSUS, doing the initial configuration and configuring the SUP role is enough for software update patching, but that's not true. When you finish the initial WSUS configuration, you go to the SUP properties and start selecting classifications and products. Based on these selection criteria, updates get synced from Microsoft. These synced updates include Itanium and many other junk updates. Once the updates are synced successfully, you will see them in the SCCM console under the software updates section. With this, you can start patching your clients, but over a period of time, if you don't maintain your metadata/update catalog with the help of a maintenance job (custom scripts/tools), you will run into a lot of issues. These issues include high CPU usage (IIS worker process), the WSUS application pool in IIS stopping automatically, client software update scan performance issues and many more.

The top reason for site performance issues, slow client update scans, WSUS application pool problems, etc. is a large number of updates in your WSUS database, which includes superseded, Itanium and other unneeded updates. If you decline all unused, Itanium, superseded updates, etc. at regular intervals, your site server will perform better and your clients will complete update scans quickly, which helps to achieve a better compliance rate.

There are any number of questions asked in various forums around WSUS and software update scan issues, and there are several posts available with maintenance solutions.

After going through a lot of forums, blog posts and suggestions from Microsoft, I have come up with a standard document that I have used every time, in every SCCM infra that I set up, as part of SUP maintenance.

This solution consists of PowerShell scripts and SQL reports to clean up/decline the junk updates, which helps to improve the site server performance and client update scanning.

How is it different from the built-in SUP maintenance tasks? When I am running Current Branch 1806 and above, do I still need this solution?

Yes. The built-in software update maintenance does very basic things like expiring the superseded updates, cleaning up the unused updates, etc., but what I am going to describe in this blog post is more advanced: declining the unneeded updates, configuring WSUS in IIS as per best practices, and more.

If you have CAS, primary and secondary sites, then you should perform these steps from bottom to top (secondary, primary and CAS).

Steps at glance:

A) Check the status of the WSUS database with the count of updates. This count of updates decides the catalog size.

B) Decline Itanium and other junk updates that you don't use in your infra.

C) Decline superseded updates.

D) Perform SQL indexing.

E) Invoke WSUS configuration (best practice).

F) Troubleshooting.

A) Check the status of WSUS database with count of updates:

We will first use some SQL queries to fetch the current status of WSUS with the count of updates before we decline them.

1. Use the appropriate method to back up the WSUS database (SUSDB). For related information, please see Create a Full Database Backup (SQL Server).

2. Once the database is backed up, run the following SQL code against your WSUS database to see the count of updates (superseded, declined, total updates, live updates, etc.). It is always good to validate the results before and after the cleanup task.

3. I assume your WSUS DB is running on SQL Server and not on Windows Internal Database. If your WSUS database is running on Windows Internal Database (WID), then follow this guide and run the following SQL command.

4. Open SQL Server Management Studio, connect to your secondary site database (in case you have one, else primary, then CAS) and run the following SQL code:

--get the count of total updates, superseded ,declined updates.

use SUSDB;
select
(Select count (*) 'Total Updates' from vwMinimalUpdate ) 'Total Updates',
(Select count (*) 'Live updates'  from vwMinimalUpdate where declined=0) as 'Live Updates',
(Select count (*) 'Superseded'  from vwMinimalUpdate where IsSuperseded =1) as 'Superseded',
(Select count (*) 'Superseded But NoDeclined'  from vwMinimalUpdate where IsSuperseded =1 and declined=0) as 'Superseded but not declined',
(Select count (*) 'Declined'  from vwMinimalUpdate where declined=1) as 'Declined',
(Select count (*) 'Superseded & Declined' from vwMinimalUpdate where IsSuperseded =1 and declined=1) 'Superseded & Declined'

Total Updates: Count of all updates, including superseded and declined. This basically includes all updates in your WSUS DB.

Live updates: Count of updates that are not declined. This includes all updates, superseded or not, that are not declined. These updates are considered when generating the update catalog file.

Superseded: Count of all superseded updates.

Superseded but not declined: Count of all superseded updates that are not declined yet.

Declined: Count of updates that are declined. Declined updates never go into the update catalog file.

Superseded & declined: Count of updates that are superseded and declined.

As you see above, the total live updates that are considered to generate the update catalog is 18000+. This usually results in a larger update catalog file, and such a huge number of updates also impacts the CPU and memory on your WSUS server, because clients always talk to WSUS to download the update catalog.

B) Decline itanium and other junk updates that you don't need in your infra.

Now, download and extract the PowerShell scripts and SQL files that are available here.

The following are the 2 PowerShell scripts (customized) from the download that I am going to use to decline the unused/superseded/Itanium updates.

b.1) Decline-OtherUpdates.ps1

b.2) Decline-supersededUpdates.ps1 / Decline-SupersededUpdatesWithExclusionPeriod.ps1

The Decline-OtherUpdates script declines updates with the following titles, because I don't use them in my infra.

Itanium
ia64
ARM64-based Systems
Windows 10 (consumer editions)
Windows 10 Education
Windows 10 Team
Windows 10 Insider Preview

Please review the titles and make changes as you need.

Run the PowerShell script with the command line: .\Decline-OtherUpdates.ps1 -UpdateServer YourWSUSServerName -Port 8530 -DeclineItanium

In my run, 2402 updates were declined. This includes all the titles listed above.

C) Decline superseded updates.

Now we will run the decline superseded updates script.

There are 2 scripts here for you: Decline-supersededUpdates.ps1 and Decline-SupersededUpdatesWithExclusionPeriod.ps1. The only difference between these 2 scripts is that the second one adds an exclusion period, to match your SUP settings.

Log in to your secondary site (if you have any), launch PowerShell as admin and change directory to where you placed the script.

To decline superseded updates, we can use ExclusionPeriod as a criterion, which helps to decline updates in line with our software update component properties.

In your Configuration Manager SUP properties, if you have set the supersedence behavior to expire immediately, then you don't need to use the ExclusionPeriod in PowerShell. However, if you have configured the supersedence behavior with X months, then I would recommend using the same period in the script.

The following command lines show different ways in which the PS scripts can be run (if the script is run on a WSUS server, you can use LOCALHOST instead of the actual SERVERNAME).

Based on your SUP settings, if you want to decline all superseded updates, run the following command:
Decline-supersededUpdates.ps1 -UpdateServer SERVERNAME -Port 8530
If you want to decline the superseded updates with an exclusion period, use the following command:
Decline-SupersededUpdatesWithExclusionPeriod.ps1 -UpdateServer SERVERNAME -Port 8530 -ExclusionPeriod 60

With -ExclusionPeriod 60, the script gathers information about the updates on the WSUS server, counting from the date you run the script, and checks the number of updates that can be declined.

P.S.: Don't compare the SQL query count (18182) with the PowerShell count (18175), as they were not the same servers when I executed the code :)

Once the updates are declined, go back to SQL and run the query against your WSUS DB to see the status.

This time, you should see different counts compared to the last run.

After you decline the updates in WSUS, the declined updates still appear in SCCM until you run a software update sync.

Once the software update sync happens on the SCCM server, the changes you made in WSUS will appear in the SCCM console.

After the SUP sync, all updates declined in WSUS will disappear from the SCCM console.
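The before/after validation described in sections A and C can be scripted. The following PowerShell is an added example, not part of the downloaded scripts: the function names, the CSV file name and the sample numbers are assumptions made for illustration, and it runs the same vwMinimalUpdate counts as the status query above.

```powershell
# Added example (not from the original post): record SUSDB update counts before
# and after a decline run, then show what changed.

function Get-SusdbUpdateCount {
    [CmdletBinding()]
    param(
        # SQL instance hosting SUSDB. For Windows Internal Database use:
        #   np:\\.\pipe\MICROSOFT##WID\tsql\query
        [string]$SqlInstance = 'localhost',
        # Free-text tag stored with the snapshot, e.g. 'before' or 'after'.
        [string]$Label = 'snapshot'
    )

    # Same counters as the SQL status query, with column names that are safe for CSV.
    $query = @'
SELECT
 (SELECT COUNT(*) FROM vwMinimalUpdate) AS TotalUpdates,
 (SELECT COUNT(*) FROM vwMinimalUpdate WHERE Declined = 0) AS LiveUpdates,
 (SELECT COUNT(*) FROM vwMinimalUpdate WHERE IsSuperseded = 1) AS Superseded,
 (SELECT COUNT(*) FROM vwMinimalUpdate WHERE IsSuperseded = 1 AND Declined = 0) AS SupersededNotDeclined,
 (SELECT COUNT(*) FROM vwMinimalUpdate WHERE Declined = 1) AS Declined
'@

    $connectionString = "Server=$SqlInstance;Database=SUSDB;Integrated Security=True;Connect Timeout=30"
    $connection = New-Object System.Data.SqlClient.SqlConnection $connectionString
    $table = New-Object System.Data.DataTable
    try {
        $connection.Open()
        $command = $connection.CreateCommand()
        $command.CommandText = $query
        $command.CommandTimeout = 600   # counting a large catalog can take minutes
        $table.Load($command.ExecuteReader())
    }
    finally {
        $connection.Dispose()
    }

    $row = $table.Rows[0]
    [pscustomobject]@{
        Label                 = $Label
        TakenAt               = (Get-Date).ToString('s')
        TotalUpdates          = [int]$row.TotalUpdates
        LiveUpdates           = [int]$row.LiveUpdates
        Superseded            = [int]$row.Superseded
        SupersededNotDeclined = [int]$row.SupersededNotDeclined
        Declined              = [int]$row.Declined
    }
}

function Compare-SusdbUpdateCount {
    param(
        [Parameter(Mandatory)] $Before,
        [Parameter(Mandatory)] $After
    )
    # Values are cast to int because snapshots read back with Import-Csv are strings.
    foreach ($name in 'TotalUpdates', 'LiveUpdates', 'Superseded', 'SupersededNotDeclined', 'Declined') {
        [pscustomobject]@{
            Counter = $name
            Before  = [int]$Before.$name
            After   = [int]$After.$name
            Delta   = [int]$After.$name - [int]$Before.$name
        }
    }
}

# Real use, on the WSUS/SQL server:
#   Get-SusdbUpdateCount -Label before | Export-Csv .\susdb-counts.csv -NoTypeInformation
#   ... run the decline scripts ...
#   Get-SusdbUpdateCount -Label after | Export-Csv .\susdb-counts.csv -NoTypeInformation -Append
#   $s = Import-Csv .\susdb-counts.csv
#   Compare-SusdbUpdateCount -Before $s[-2] -After $s[-1]

# Constructed sample values (not measurements from the post), so the report can be
# seen without a SQL connection.
$before = [pscustomobject]@{ TotalUpdates = 20000; LiveUpdates = 18000; Superseded = 9000; SupersededNotDeclined = 7500; Declined = 2000 }
$after  = [pscustomobject]@{ TotalUpdates = 20000; LiveUpdates = 10500; Superseded = 9000; SupersededNotDeclined = 0; Declined = 9500 }
Compare-SusdbUpdateCount -Before $before -After $after | Format-Table -AutoSize
```

Declining only flags an update, so TotalUpdates is expected to stay the same while LiveUpdates drops by the number of updates declined.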

D) Perform SQL indexing

After you decline the updates, SUSDB needs to be re-indexed for optimal performance. See the section on Re-Indexing the WSUS Database above for related information.

Please wait until the execution of the script has completed.

E) WSUS configuration (Best practice)

You will find the script Invoke-WSUSConfiguration.ps1, which I got from Johan and which I always use in all SCCM infra as per best practice.

Take a look at the script to see what it does before you execute it in your infra.

F) Troubleshooting.

In some cases, if your WSUS database was never cleaned up before and this is the first time you are doing it on some secondary/primary sites, execution of the scripts may fail with the following error because there are too many updates.

In my case, I had 23k plus total updates in the WSUS database, hence the script was always failing to fetch the data.

Connecting to WSUS server localhost on Port 8530... Connected.
Getting a list of all updates... Failed to get updates.
Error: The operation has timed out
If this operation timed out, please decline the superseded updates from the WSUS Console manually.

I tried running the script a few times, but I could not get through even though I restarted the IIS service and the WSUS service.

If you are unable to decline the updates using the script, what other possibilities do we have? Open the WSUS console and do it manually, which takes a lot of time.

A Microsoft support engineer posted SQL code to decline the updates in SUSDB.

  1. If you have not backed up your SUSDB database, back it up before continuing.
  2. Connect to SUSDB using SQL Management Studio.
  3. Execute the following query. The number 60 in the line containing "DECLARE @thresholdDays INT = 60" is the number of days and should match the number of months configured in the supersedence rule. If the supersedence rule is set to expire immediately, set the SQL query value @thresholdDays to zero.

Note: the SQL code that was posted in the support article needs some syntax corrections to get it to work. The reason could be that the support article is in Japanese, so the syntax got changed during translation.

    --Decline superseded updates in SUSDB; alternative to Decline-SupersededUpdatesWithExclusionPeriod.ps1
    DECLARE @thresholdDays INT = 60 --Number of days before today: superseded updates released within this period are not declined (with 60, only updates older than 60 days are declined). This should match the configuration of supersedence rules in SUP component properties, if ConfigMgr is being used with WSUS.
    DECLARE @testRun BIT = 0 --Set this to 1 to test without declining anything.
    --There shouldn't be any need to modify anything after this line.

    DECLARE @uid UNIQUEIDENTIFIER
    DECLARE @title NVARCHAR(500)
    DECLARE @date DATETIME
    DECLARE @userName NVARCHAR(100) = SYSTEM_USER

    DECLARE @count INT = 0

    --Superseded, not yet declined, latest revision, older than the threshold
    DECLARE DU CURSOR FOR
         SELECT MU.UpdateID, U.DefaultTitle, U.CreationDate FROM vwMinimalUpdate MU
         JOIN PUBLIC_VIEWS.vUpdate U ON MU.UpdateID = U.UpdateId
    WHERE MU.IsSuperseded = 1 AND MU.Declined = 0 AND MU.IsLatestRevision = 1
         AND MU.CreationDate < DATEADD(dd, -@thresholdDays, GETDATE())
    ORDER BY MU.CreationDate

    PRINT 'Declining superseded updates older than ' + CONVERT(NVARCHAR(5), @thresholdDays) + ' days.' + CHAR(10)

    OPEN DU
    FETCH NEXT FROM DU INTO @uid, @title, @date
    WHILE (@@FETCH_STATUS > -1)
    BEGIN
         SET @count = @count + 1
         PRINT 'Declining update ' + CONVERT(NVARCHAR(50), @uid) + ' (Creation Date ' + CONVERT(NVARCHAR(50), @date) + ') - ' + @title + ' ...'
         --In a test run the update is only listed, not declined
         IF @testRun = 0
             EXEC spDeclineUpdate @updateID = @uid, @adminName = @userName, @failIfReplica = 1
         FETCH NEXT FROM DU INTO @uid, @title, @date
    END
    CLOSE DU
    DEALLOCATE DU

    PRINT CHAR(10) + 'Attempted to decline ' + CONVERT(NVARCHAR(10), @count) + ' updates.'

To check progress, monitor the Messages tab in the Results pane.

Depending on the number of updates, it may take a long time. In my case, it took ~15 min to decline around 10K updates.

Once the superseded updates are declined using SQL, we can go back to PowerShell and run the other script (decline other updates).

Hope you find this post useful.

The following references will help you go through the WSUS maintenance solution.

https://support.microsoft.com/en-sg/help/4490644/complete-guide-to-microsoft-wsus-and-configuration-manager-sup-maint

https://deploymentresearch.com/Research/Post/665/Fixing-WSUS-When-the-Best-Defense-is-a-Good-Offense

https://mnscug.org/blogs/sherry-kissinger/512-wsus-administration-wsuspool-web-config-settings-enforcement-via-configuration-items

https://home.configmgrftw.com/wsus-cleanup-for-configmgr/

https://damgoodadmin.com/2017/11/30/software-update-maintenance-its-a-thing-that-you-should-do/

Microsoft MVP Award for 2019-2020 (3rd Time)


I am super excited and honored to receive an email from Microsoft about my MVP award renewal for the year 2019-2020 in Enterprise Mobility. I received the following email on 1st July 2019.

This is my 3rd consecutive year with the MVP award (first year 2017), and I am glad that I am still part of the great MVP community.

Dear Eswar Koneti,

We’re once again pleased to present you with the 2019-2020 Microsoft Most Valuable Professional (MVP) award in recognition of your exceptional technical community leadership. We appreciate your outstanding contributions in the following technical communities during the past year:

With this award, there is a lot more responsibility on me to keep it up and contribute more to the community in the Enterprise Mobility (#intune #SCCM #Configmgr #EMS) area.

Thanks to my followers on LinkedIn, Twitter and Facebook, and to my blog readers, who keep asking new things and allow me to find solutions for them.


How to find custom hardware inventory classes imported (MOF) into ConfigMgr database


The Configuration Manager site database contains a large collection of information about the network, computers, users, user groups, and many other components of the computing environment. As an SCCM admin, you need to understand the different categories of SQL views, what information is stored in each view, and how the SQL views can be joined to one another to create reports that return the required information. For more information about SQL views, please refer to https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b

Hardware inventory views contain information about the computer hardware. Many hardware inventory views are created in ConfigMgr by default, and many can be enabled or created using the hardware inventory classes dialog box, accessible from client settings. Because of this, different ConfigMgr sites are likely to collect different hardware inventory, resulting in different hardware inventory views.

If you want to know more about how to extend hardware inventory in ConfigMgr, please refer to https://docs.microsoft.com/en-us/sccm/core/clients/manage/inventory/extend-hardware-inventory

The question in the title was asked by one of my customers, as they have a lot of custom hardware inventory classes imported and they wanted a way to list all such custom hardware inventory classes.

Why is it important to know the list of custom hardware inventory classes that are imported (MOF changes)?

One reason I can think of is to assess whether these custom changes are still needed by the organization. If you have too many custom MOF changes, they enlarge the database and also cause clients to send huge inventory files back to the site server for processing.

The simple way to check the custom MOF configuration is to look at the configuration.mof file located in <SCCM installation dir>:\inboxes\clifiles.src\hinv, but I started looking around the database for a list rather than taking notes from the configuration.mof file.

This blog post will help you to get the list of custom MOF classes imported into client device settings (Note: if you enable any of the existing classes in the inventory settings without a MOF import, it is not covered in this post).

After going through the SQL views documentation, I found that there is a view called v_InventoryClass that stores all inventory classes enabled in the hardware inventory client settings.

v_InventoryClass: Lists the WMI classes that are collected by ConfigMgr hardware inventory by class ID. The view also shows the WMI namespace, the class name and the name of the class as it will be displayed in Resource Explorer.

So I started querying this SQL view for the inventory classes.

select count(*) Total from v_InventoryClass

There are a total of 161 inventory classes enabled in client device settings.

Out of these 161, how do we tell which are the custom inventory classes (MOF import)?

Looking at the above 161 classes, I first thought of using 'isDeletable', assuming that the default classes that come with the ConfigMgr installation would not give you the option to delete them, but that is not true.

The WMI classes that are enabled by default at the time of ConfigMgr installation, or that are available for you to enable, can also be deleted from the inventory settings.

So my next key observation was the SMSClassID column.

For all default classes that are enabled at the time of ConfigMgr installation, SMSClassID starts with Microsoft|.

Custom inventory classes do not have Microsoft as the starting word.

With this information, I started creating a SQL query with a count.

select tmp.[Inventory Type] ,count(*) Total  from
(
select case when IC.SMSClassID like 'Microsoft|%' then 'Default' else 'Custom'  end as 'Inventory Type'
from v_InventoryClass IC
) tmp
group by tmp.[Inventory Type]

To see the list of custom MOF changes, use the following SQL query:

select * from v_InventoryClass IC
where ic.SMSClassID not like 'Microsoft|%'


Hope this helps!

SCCM ConfigMgr Current Branch 1906 is available as in-console update


Microsoft has just released update 1906 for Configuration Manager current branch, available as an in-console update. You can apply this update from the console on sites that run version 1806, 1810, or 1902. If you want to install a new site, you can download 1902 as the baseline build and then install the update.

Before we start upgrading the site to the latest build, let's review the features that are newly added and deprecated:

Features added/updated:

Site infrastructure:

Site server maintenance task improvements

Configuration Manager update database upgrade monitoring

Management insights rule for NTLM fallback

Add a SQL AlwaysOn node

Cloud-attached management:

Azure Active Directory user group discovery

Synchronize collection membership results to Azure Active Directory groups

Real-time management:

CMPivot standalone

Improvements to CMPivot

Content management:

Delivery Optimization download data in client data sources dashboard

Use your distribution point as an in-network cache server for Delivery Optimization

Client management:

Support for Windows Virtual Desktop

OneTrace (Preview)

Configure client cache minimum retention period

Co-management:

Improvements to co-management auto-enrollment

Multiple pilot groups for co-management workloads

Application management:

Filter applications deployed to devices

Application groups

Retry the install of pre-approved applications

Install an application for a device

Improvements to app approvals

OS deployment:

Task sequence debugger

Reclaim SEDO lock for task sequences

Pre-cache driver packages and OS images

Improvements to OS deployment

Software Center:

Improvements to Software Center tab customizations

Software Center infrastructure improvements

Redesigned notification for newly available software

More frequent countdown notifications for restarts

Direct link to custom tabs in Software Center

Software updates:

Additional options for WSUS maintenance

Configure the default maximum run time for software updates

Configure dynamic update during feature updates

Drill through required updates

Office 365 ProPlus upgrade readiness dashboard

Configuration Manager console:

Add SMBIOS GUID column to device and device collection nodes

Administration service support for security nodes

Deprecated features:

Classic service deployment to Azure for cloud management gateway and cloud distribution point.

You can read the full set of features with descriptions at https://docs.microsoft.com/en-us/sccm/core/plan-design/changes/whats-new-in-version-1906

List of PowerShell cmdlet changes: https://docs.microsoft.com/en-us/powershell/sccm/1906-release-notes?view=sccm-ps

List of known issues: https://docs.microsoft.com/en-us/sccm/core/servers/deploy/install/release-notes

To install this update in-console, you must be running 1806, 1810 or 1902.

For now, Microsoft has released this update via the fast ring. What does fast ring mean? To get the update in the console at this point in time, you need to run a script manually to request the update, and then you will see 1906 in the console.

If you are not in a rush and are OK to wait for the slow ring, you can simply ignore this script and continue reading the blog post.

Installation of this update in-console is similar to previous build versions, but always review the latest checklist for installing this update. For more information, see Checklist for installing update 1906. After you update a site, also review the Post-update checklist.

For the fast ring, download the PowerShell script from TechNet http://download.microsoft.com/download/4/9/3/493BC9DE-ACAC-4D11-8B7E-5AFCECC626C2/EnableEarlyUpdateRing1906.exe and copy it to your SCCM site server.

Extract it and run the script from PowerShell.

1. Launch an elevated command prompt.

2. Run PowerShell.

3. Run the Fastring1906.ps1 script (bundled in the exe in the link above):

   Fastring1906.ps1 <SiteServer_Name | SiteServer_IP> where SiteServer refers to the CAS or standalone primary site server

4. The script will not force a check for the update.

   Go to \Administration\Overview\Cloud Services\Updates and Servicing and click "Check for Updates".

You will see 'Configuration Manager 1906' in the console in the downloading state. If it shows as available to download, you can select the update and click Download.

To see the status of the download, open dmpdownloader.log from the SCCM logs folder.

You can also check the download location at <Configmgr Install dir:\>easysetuppayload\

Wait for the download to complete, and you will see the update in the console with the state 'ready to install'.

If the download is stuck at downloading for some reason, look at dmpdownloader.log, and to start the download again, restart SMS_Executive or the dmpdownloader component.

Run the prerequisite check to ensure the site server meets all the requirements before the installation starts.

We will now monitor the status of the installation using logs and also from the console.

For monitoring the installation status, refer to ConfigMgrSetup.log, which is available at the root of the Windows drive, and cmupdate.log, available in the ConfigMgr logs folder.

You can also monitor the installation status from the console. Go to the Monitoring tab and click on the Updates and Servicing Status node.

After a while, you should see a bar at the top of the console notifying you to install.

Click on install new console version.

If the above step fails to upgrade the console and you try to launch the console, you will see a prompt.

Click OK and it will upgrade the console for you.

Now, update the client package, which is located under Packages, to all distribution points.

As per the client upgrade schedule that you configured in the site hierarchy settings, the client upgrade will take place within X days. You can monitor the client installation from the Monitoring tab.

If you have used the client startup script via GPO http://eskonr.com/2016/09/sccm-configmgr-how-to-implement-jason-sandys-client-startup-script-to-achieve-good-client-success-rate/ , please update your XML file with the 1906 client version, else your client will reinstall on every restart.

Finally, check the version of the site.

Site version: 5.0.8853.1000

Client version: 5.0.8853.1006

In the next blog post, I will talk about the new features released in this update along with SSRS reporting.

Happy exploring new features.

Additional resources:

How to install volume licensed versions of Project 2016 and Visio 2016 on computer that has office 365 proplus (Click-to-Run)


I have worked on a couple of Office 365 ProPlus rollout projects. In all projects, one of the critical tasks is to manage MSI-based deployments of Visio/Project 2016 on computers that run Office 365 ProPlus (Click-to-Run).

Click-to-Run is the technology used to install the subscription-based Office 365 ProPlus. Windows Installer technology (MSI) was used to install the volume license editions of Office 2016 and older, such as Microsoft Office Professional Plus, Microsoft Office Standard, Visio and Project.

Until now (if you are not on Office 365), we usually deployed volume licensed versions of Project 2016 and Visio 2016 by using the Windows Installer (MSI) installation technology. But that won't work if you're trying to install volume licensed versions of Project 2016 and Visio 2016 on the same computer that has Office 365 ProPlus. That's because Office 365 ProPlus uses Click-to-Run as its installation technology, and in this case, having MSI and Click-to-Run installations on the same computer isn't supported.

The two main things that determine whether Office, Project, and Visio can be installed together on the same computer are the version of the product and the installation technology used to install the product.

The following rules govern whether an installation scenario is supported or not. They also apply to standalone applications like Access, Visio, Project, Skype for Business, or OneDrive for Business.

  • You can't install two products together that have the same version but use different installation technologies. Ex: Office 365, Office 2019 and Office 2016 share the same version (16.0) but use different technologies.
  • You can't install two products of different versions together if both products use Click-to-Run as the installation technology and those products have overlapping Office applications.

Example: If a computer has Office 365 ProPlus, you cannot install any MSI version of 2016 on the same computer, but you can install the MSI version of 2013 and lower versions of Visio/Project, Office, etc., because they have different versions.

How do I know which installation technology was used for Office on my computer?

Open an Office application (Word, Excel, Outlook, etc.) and click File > Office Account. Under the Product Information section, if you see an Update Options choice, Office was installed by using Click-to-Run. If you don't see an Update Options choice, and you don't see any mention of Microsoft Store, then Office was installed by using Windows Installer (MSI).

If you try to install the same version of MSI on a computer that already has the C2R version, you hit the following error (though this one was for C2R with version 15):

Error when trying to install Click-to-Run over MSI install

With the introduction of C2R, MSI and their versions, how do you deploy Visio/Project 2016 on a computer that has Office 365 ProPlus (C2R) installed and also get it activated using a KMS/MAK volume license?

If you want to deploy volume licensed versions of Project 2016 and Visio 2016 on the same computer as Office 365 ProPlus, you can use the Office Deployment Tool.

The Office Deployment Tool uses Click-to-Run to do the installation, instead of using Windows Installer (MSI). But Project and Visio are still activated by volume activation methods, such as Key Management Service (KMS) or Multiple Activation Key (MAK).

We will use the Office Deployment Tool (ODT) to download the binaries for Visio/Project 2016, the same way we do for Office 365 ProPlus.

1. Download the most current version of the Office Deployment Tool from the Microsoft Download Center.

2. Once the file is downloaded, run the exe to extract the files.

Copy the extracted files to C:\temp\ODT or any other folder.

In the extraction folder, you will see a few configuration files. You can edit the Product element in the configuration.xml file, using the appropriate ID from the following table.

To use a Generic Volume License Key (GVLK) for volume activation with KMS, use the appropriate value in the table for the PIDKEY attribute.

The generic key given above works only with KMS. If you do not have KMS, you can log in to the volume licensing portal/vendor portal that you get license keys from and get the MAK key for the product. Then, when you install Visio/Project, it gets auto-activated for your users (device activation).

How to get the PIDKEY from the volume licensing portal or the vendor that you partnered with?

Log in to the MVLS website https://www.microsoft.com/Licensing/servicecenter/default.aspx

Search for Visio Standard 2016 (your required product). Under keys, you will see Visio Standard 2016 C2R-P for use with the Office Deployment Tool. Copy the key, which will be used to activate the license.

Only a key marked C2R-P works with the ODT; a volume license key for the MSI-based product will not work.

Since the default configuration files don't have much information, I have uploaded real-world configuration files to make it easy for you.

Download the XML files from here for the different products and copy them to the ODT folder.

Edit the XML file and modify it based on your needs.

Sample XML file:

<Configuration>
<Add OfficeClientEdition="32" Channel="Broad" OfficeMgmtCOM="True">
     <Product ID="ProjectstdXVolume" PIDKEY="D8NRQ-JTYM3-7J2DX-646CT-6836M">
       <Language ID="en-us"/>
     </Product>
   </Add>
     <Display Level="Standard" AcceptEULA="TRUE"/>
     <Property Name="AUTOACTIVATE" Value="1" />
     <Logging Level="Standard" Path="C:\windows\o365proplus"/>
</Configuration>

Read this article about the settings and their descriptions: https://docs.microsoft.com/en-us/DeployOffice/configuration-options-for-the-office-2016-deployment-tool

Once we have the configuration file ready, we can download the binaries for Visio and Project.

Open CMD and change the directory to the ODT folder that has all the configuration files.

Run setup.exe with the configuration file to download the binaries:

setup.exe /download Configuration_ProjectPro-x86.xml

Once the binaries are downloaded, you can create the application with the command line setup.exe /Configure Configuration_ProjectPro-x86.xml

Since we already keyed in the MAK key for Visio/Project, it will auto-activate upon installation.

Some facts about using the ODT for Visio/Project deployment that affect your Office 365 ProPlus:

  • The binaries that are used for Office 365 ProPlus, Visio and Project are the same.
  • If you have installed Office 365 ProPlus version 1808 on a computer and you install a newer or older version of Visio/Project, your ProPlus version also gets updated along with Visio/Project. So when you install Visio/Project, make sure you are on the latest version, else your ProPlus version will roll back to the older version and you will need to patch it to bring it back to the latest version.
  • You cannot install Visio/Project C2R with the monthly channel on a computer that is running Office 365 ProPlus on the semi-annual channel. Both C2R products must use the same channel.
  • When you patch Office 365 ProPlus, it also updates the support files for Visio/Project to the latest version.
  • All installed products must be either the 32-bit version or the 64-bit version. For example, you can't install a 32-bit version of Visio on the same computer with a 64-bit version of Office.
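The bitness and channel rules in the list above can be checked before setup.exe /Configure is run. The following PowerShell is an added example, not part of the Office Deployment Tool or of the downloadable XML files: the function name is hypothetical, and the Click-to-Run registry key and the channel-to-CDN-ID mapping come from general Click-to-Run knowledge rather than from this post.

```powershell
# Added example (not from the original post): compare an ODT configuration file
# with the Click-to-Run Office already installed on this computer.

function Test-OdtConfigAgainstInstalledC2R {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$ConfigurationXml,
        # Installed C2R details; read from the registry when not supplied.
        # Keys: Platform ('x86' or 'x64'), CDNBaseUrl, Version.
        [hashtable]$Installed
    )

    # ODT "Channel" attribute value -> channel ID found at the end of CDNBaseUrl.
    $channelIds = @{
        'Monthly'  = '492350f6-3a01-4f97-b9c0-c7c6ddf67d60'
        'Insiders' = '64256afe-f5d9-4f86-8936-8840a6a4f5be'
        'Broad'    = '7ffbc6bf-bc32-4f92-8982-f9dd17fd3114'
        'Targeted' = 'b8f9b850-328d-4355-9145-c59439a0c4cf'
    }

    if (-not $Installed) {
        $key = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
        if (-not (Test-Path -Path $key)) {
            return [pscustomobject]@{ Compatible = $true; Problems = @(); Note = 'No Click-to-Run Office found' }
        }
        $reg = Get-ItemProperty -Path $key
        $Installed = @{ Platform = $reg.Platform; CDNBaseUrl = $reg.CDNBaseUrl; Version = $reg.VersionToReport }
    }

    [xml]$config = Get-Content -LiteralPath $ConfigurationXml -Raw
    $add = $config.Configuration.Add
    $problems = New-Object System.Collections.Generic.List[string]

    # Rule: all installed products must have the same bitness.
    if ($add.OfficeClientEdition -and $Installed.Platform) {
        $wanted = if ($add.OfficeClientEdition -eq '64') { 'x64' } else { 'x86' }
        if ($wanted -ne $Installed.Platform) {
            $problems.Add("Bitness mismatch: XML asks for $wanted, installed Office is $($Installed.Platform)")
        }
    }

    # Rule: both C2R products must use the same channel.
    # Channel names not in the table above are skipped rather than guessed.
    if ($add.Channel -and $channelIds.ContainsKey($add.Channel) -and
        $Installed.CDNBaseUrl -match '[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}') {
        $installedId = $Matches[0].ToLower()
        if ($installedId -ne $channelIds[$add.Channel]) {
            $problems.Add("Channel mismatch: XML asks for '$($add.Channel)', installed Office uses channel ID $installedId")
        }
    }

    [pscustomobject]@{
        Compatible = ($problems.Count -eq 0)
        Problems   = $problems.ToArray()
        Note       = "Installed C2R version: $($Installed.Version)"
    }
}

# Constructed demo: the post's sample attributes (32-bit, Broad) checked against a
# made-up machine that has 64-bit Office on the Monthly channel.
$sample = Join-Path $env:TEMP 'odt-sample.xml'
'<Configuration><Add OfficeClientEdition="32" Channel="Broad"><Product ID="ProjectstdXVolume"><Language ID="en-us"/></Product></Add></Configuration>' |
    Set-Content -LiteralPath $sample
$fake = @{ Platform = 'x64'; CDNBaseUrl = 'http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60'; Version = '16.0.0.0' }
(Test-OdtConfigAgainstInstalledC2R -ConfigurationXml $sample -Installed $fake).Problems
```

Run without -Installed on a target computer, the function reads the local Click-to-Run configuration instead of the constructed values.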

Read through the Supported scenarios for installing different versions of Office, Project, and Visio on the same computer https://docs.microsoft.com/en-us/DeployOffice/install-different-office-visio-and-project-versions-on-the-same-computer

Hope it helps!

Additional resources:

Use the Office Deployment Tool to install volume licensed versions of Project 2016 and Visio 2016 https://docs.microsoft.com/en-us/DeployOffice/use-the-office-deployment-tool-to-install-volume-licensed-editions-of-visio-2016

Supported scenarios for installing different versions of Office, Project, and Visio on the same computer https://docs.microsoft.com/en-us/DeployOffice/install-different-office-visio-and-project-versions-on-the-same-computer 

Deployment guide for Project https://docs.microsoft.com/en-us/DeployOffice/deployment-guide-for-project

Deployment guide for Visio https://docs.microsoft.com/en-us/DeployOffice/deployment-guide-for-visio

Check Microsoft office activation status using SCCM Compliance Settings


I did a detailed blog post on 'how to get Office 365 ProPlus activation status' with the help of an extended MOF file and inventory changes. With this method, you get activation details such as user email address, shared computer activation etc. For more information, please refer to http://eskonr.com/2018/10/how-to-get-office-365-proplus-activation-status-and-excluded-apps-etc-using-sccm-configmgr/ .

This method requires extending the MOF files and making changes to hardware inventory, which then creates new SQL views. If you don't want to go through all of this and are just looking for the Office activation status (Yes or No), then this blog post will help you achieve it.

In this blog post, we will see how to detect Office activation status (for Office 2010, 2013, 2016, Office 365 ProPlus or Office 2019) using a ConfigMgr compliance baseline.

Before we look into SCCM, we need a way to check Microsoft Office activation via a script or other means, which the ConfigMgr baseline can then make use of.

From Office 2007 until Office 365 ProPlus/Office 2019, there is a VBScript called OSPP.vbs, the Office Software Protection Platform script, which enables you to configure volume licensed versions of Office products. For more information, please refer to https://docs.microsoft.com/en-us/deployoffice/vlactivation/tools-to-manage-volume-activation-of-office

To check the status of any Microsoft Office product, we will use this script with the parameter /dstatus (displays license information for installed product keys).

For Office 2016 and Office 365 ProPlus, the install location is C:\Program Files (x86)\Microsoft Office\Office16 (for x86).

I ran the command line cscript "C:\Program Files (x86)\Microsoft Office\Office16\OSPP.VBS" /dstatus to see the activation status.

Any product that is licensed will display the status in LICENSE STATUS.

With this information, we can create a simple PowerShell script to check the license status and get the results.

How to create Configuration baseline and deploy:

In the SCCM console, under Assets and Compliance, click Compliance Settings, then Configuration Items, and create a new configuration item.

Name it Office activation, choose Windows Desktops and Servers, and click Next.

Choose the list of client operating systems to assess for compliance. I chose all platforms.

In Settings, click New and type the name: Detect Office activation

Setting: Script

Data type: String

Add script:

I have added all versions of Office products to the script with their default locations. If you have changed the default installation location of Office to something else, you need to replace the path.

Add the following script as the discovery script.

# Discovery script: writes "True" when OSPP.VBS reports a licensed Office product, otherwise "False".
# $status stays $null when no OSPP.VBS is found, which also yields "False".
$status = $null

# Office12 = 2007, Office14 = 2010, Office15 = 2013, Office16 = 2016 / Office 365 ProPlus / 2019
foreach ($version in 'Office12', 'Office14', 'Office15', 'Office16') {
    # Default 32-bit and 64-bit install locations; replace these if Office is installed elsewhere
    foreach ($root in 'C:\Program Files (x86)\Microsoft Office', 'C:\Program Files\Microsoft Office') {
        $ospp = Join-Path -Path $root -ChildPath "$version\OSPP.VBS"
        if (Test-Path -Path $ospp) {
            # As in the original order of checks, the last OSPP.VBS found supplies the status
            $status = cscript $ospp /dstatus
        }
    }
}

# Any product reporting ---LICENSED--- makes the setting compliant
if ($null -ne ($status | Select-String -Pattern '---LICENSED---')) {
    Write-Output "True"
}
else {
    Write-Output "False"
}

Click on Compliance Rules, click New, and set the value that our script must return to comply: True.

Validate the setting.

Click Next, Next until you see the summary page.

With this, we have created the configuration item. We will now create a configuration baseline and deploy it to a collection.

Create a new configuration baseline and name it CB – Office Activation.

Under Configuration Data, choose Configuration Items and select the CI that we just created.

You can choose co-managed clients if you have co-management enabled.

We are now ready to deploy this baseline to a device collection to get the Office activation status.

Before deploying it to any device collection, it is good practice to create a collection of devices with a Microsoft Office product installed, instead of deploying to a collection whose devices may or may not have Office installed.

Once you create the collection, deploy the configuration baseline to it.

I scheduled it to run one time instead of on a recurring schedule.

End results:

Wait for the client to pick up the policy and run through the compliance evaluation. Or you can run the machine policy cycle from the collection (right-click tools) to speed up the process.

On an activated device (Office 365 ProPlus), it is compliant.

On a non-activated device (Office 365 ProPlus), it is non-compliant.

We can also monitor the compliance status using the console or SCCM reports.

From the console:

I have also uploaded the exported version of the configuration baseline for you. You can download it from here, extract the zip file and import the cab file into your baseline settings.
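The discovery script in this post answers True as soon as any product reports ---LICENSED---, so a device with licensed Office but unlicensed Visio or Project still evaluates as compliant. The following is an added example, not part of the original post: it parses /dstatus output per product and requires every product to be licensed. The function names are hypothetical, the sample output is constructed, and the parser assumes each product block has a LICENSE NAME line before its LICENSE STATUS line.

```powershell
# Added example (not from the original post): per-product parsing of OSPP.VBS /dstatus output.

function ConvertFrom-OsppStatus {          # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]               # cscript output contains blank lines
        [string[]]$Line
    )

    $products = [System.Collections.Generic.List[object]]::new()
    $current  = $null

    foreach ($text in $Line) {
        if ($text -match '^\s*LICENSE NAME:\s*(?<name>.+?)\s*$') {
            # Assumption: a LICENSE NAME line opens each product block
            $current = [pscustomobject]@{ Name = $Matches.name; Status = 'UNKNOWN' }
            $products.Add($current)
        }
        elseif ($current -and $text -match '^\s*LICENSE STATUS:\s*-{3}(?<status>[A-Z_ ]+?)-{3}') {
            # Status token sits between the dashes, e.g. ---LICENSED---
            $current.Status = $Matches.status
        }
    }
    return $products
}

function Test-OfficeFullyLicensed {        # hypothetical helper name
    param([object[]]$Product)

    # No product reported at all is treated as non-compliant
    if (-not $Product) { return $false }

    # Compliant only when no product has a status other than LICENSED
    return -not ($Product | Where-Object { $_.Status -ne 'LICENSED' })
}

# Constructed sample: Office is licensed, Visio is still in its grace period.
# IDs and key suffixes are placeholders.
$sample = @'
---Processing--------------------------
---------------------------------------
PRODUCT ID: 00000-00000-00000-AA000
SKU ID: 00000000-0000-0000-0000-000000000000
LICENSE NAME: Office 16, Office16ProPlusVL_MAK edition
LICENSE STATUS:  ---LICENSED---
Last 5 characters of installed product key: XXXXX
---------------------------------------
PRODUCT ID: 00000-00000-00000-AA000
SKU ID: 00000000-0000-0000-0000-000000000000
LICENSE NAME: Office 16, Office16VisioProVL_MAK edition
LICENSE STATUS:  ---OOB_GRACE---
Last 5 characters of installed product key: XXXXX
---------------------------------------
---Exiting-----------------------------
'@ -split "`r?`n"

$products = @(ConvertFrom-OsppStatus -Line $sample)
$products | Format-Table -Property Name, Status -AutoSize

# The check used by the post's script: one LICENSED line anywhere is enough
$anyLicensed = [bool]($sample | Select-String -Pattern '---LICENSED---')

# The stricter check: every reported product must be LICENSED
$allLicensed = Test-OfficeFullyLicensed -Product $products

Write-Output "Any product licensed : $anyLicensed"
Write-Output "All products licensed: $allLicensed"
```

To use it as a discovery script, feed it the cscript /dstatus output instead of the sample and write only the final True or False string, since the configuration item compares the script output as a single string.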

SCCM Collection–how to identify devices that have old AD system discovery timestamp ?


SCCM has multiple discovery methods that help you discover devices on your network, devices and users from Active Directory, or users from Azure Active Directory (Azure AD). Read more about the discovery methods in SCCM: https://docs.microsoft.com/en-us/sccm/core/servers/deploy/configure/about-discovery-methods

AD system discovery helps to discover computer resources that can be used to create collections and queries. You can also install the SCCM client on a discovered device by using client push installation.

To successfully discover a computer in the domain (by creating the DDR record), AD system discovery must be able to identify the computer account and then successfully resolve the computer name to an IP address (DNS name resolution).

You can check the Active Directory System Discovery activity, which is recorded in the log file adsysdis.log in the <InstallationPath>\LOGS folder on the site server.

In this blog post, we will see how to create an SCCM device collection to identify devices that have an old AD system discovery timestamp (older than 14 days). This helps us find devices that have issues being discovered through AD system discovery (SMS_AD_SYSTEM_DISCOVERY_AGENT), such as devices that are deleted from Active Directory but still in SCCM, or devices having DNS name resolution issues.

Create a new collection, edit the query, paste the following and click.

Collection (WQL Query):

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where ((DATEDIFF(dd, SMS_R_SYSTEM.AgentTime, getdate()) > 14) and AgentName ="SMS_AD_SYSTEM_DISCOVERY_AGENT")

Devices that appear in this collection may have the SCCM agent installed and healthy, but AD system discovery has failed to discover them, so their last discovery date is old.

If devices are deleted in AD but still in SCCM with no active client, they are yet to be cleaned up by the site maintenance tasks.

If you want to find devices that have not been reported by a specific agent, based on an old timestamp, simply replace the AgentName in the above collection query.

There are different discovery agents available in SCCM, listed below.

SQL query for the list of discovery agents:

select AgentName from v_AgentDiscoveries group by AgentName

AgentName

ConfigMgr

Heartbeat Discovery

MP_ClientRegistration

SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT

SMS_AD_SYSTEM_DISCOVERY_AGENT

SMS_AD_USER_DISCOVERY_AGENT

SMS_AZUREAD_USER_DISCOVERY_AGENT

SMS_NETWORK_DISCOVERY

SMS_WINNT_SERVER_DISCOVERY_AGENT
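
The collection query above can be generated for any of the listed agents and for any age. As an added example (not from the original post), this PowerShell builds the same WQL for a chosen agent and, when the ConfigurationManager cmdlets are available in the session, creates the collection. The function name, the collection naming scheme and the 'All Systems' limiting collection are assumptions.

```powershell
# Added example, not from the original post. Builds the post's WQL for any
# discovery agent and creates the collection when the ConfigMgr cmdlets exist.

# Agent names as listed on this page (output of the v_AgentDiscoveries query)
$KnownAgents = @(
    'ConfigMgr'
    'Heartbeat Discovery'
    'MP_ClientRegistration'
    'SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT'
    'SMS_AD_SYSTEM_DISCOVERY_AGENT'
    'SMS_AD_USER_DISCOVERY_AGENT'
    'SMS_AZUREAD_USER_DISCOVERY_AGENT'
    'SMS_NETWORK_DISCOVERY'
    'SMS_WINNT_SERVER_DISCOVERY_AGENT'
)

function New-StaleDiscoveryQuery {         # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$AgentName,
        [ValidateRange(1, 3650)][int]$Days = 14
    )

    # Accept only names from the known list so nothing unexpected is spliced into the WQL text
    if ($KnownAgents -notcontains $AgentName) {
        throw "Unknown discovery agent '$AgentName'. Expected one of: $($KnownAgents -join ', ')"
    }

    # Same column list as the collection query in the post
    $columns = 'ResourceID', 'ResourceType', 'Name', 'SMSUniqueIdentifier',
               'ResourceDomainORWorkgroup', 'Client' |
        ForEach-Object { "SMS_R_SYSTEM.$_" }

    'select {0} from SMS_R_System where ((DATEDIFF(dd, SMS_R_SYSTEM.AgentTime, getdate()) > {1}) and AgentName = "{2}")' -f
        ($columns -join ','), $Days, $AgentName
}

$agent = 'Heartbeat Discovery'
$days  = 14
$query = New-StaleDiscoveryQuery -AgentName $agent -Days $days
$name  = "Stale discovery - $agent - older than $days days"   # assumed naming scheme

if (Get-Command -Name New-CMDeviceCollection -ErrorAction SilentlyContinue) {
    # Requires the ConfigurationManager module with the site drive as the current location
    New-CMDeviceCollection -Name $name -LimitingCollectionName 'All Systems' | Out-Null
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $name -RuleName $name -QueryExpression $query
}
else {
    # No ConfigMgr cmdlets in this session: print the query so it can be pasted into the console
    Write-Output $query
}
```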

If you want an SCCM collection for active/inactive computers using the Last Logon timestamp, along with troubleshooting, you can refer to this post: http://eskonr.com/2018/08/sccm-collection-for-active-inactive-computers-using-last-logon-timestamp-and-troubleshooting/

Hope it helps!

How to uninstall SCCM client using Intune Win32 app management


About a year ago (Sep 2018), Microsoft announced support for Win32 app management capabilities using Intune. Intune-only customers can now leverage management capabilities for their Win32 line-of-business (LOB) apps.

For more information about Intune Standalone - Win32 app management, read here.

Use the Microsoft Win32 Content Prep Tool to pre-process Windows Classic apps. The packaging tool converts application installation files into the .intunewin format. The packaging tool also detects the parameters required by Intune to determine the application installation state. After you use this tool on your apps, you will be able to upload and assign the apps in the Microsoft Intune console. For more information about the Win32 Content Prep Tool, please refer here.

The customer had SCCM + CMG, co-management and Autopilot set up. During Autopilot, one of the tasks is installing the SCCM client on these Azure AD joined devices through Intune, so that patching and app deployments can be managed through SCCM. This simply extends SCCM operations from on-prem to cloud-connected devices.

One thing that was noticed later was that all these Azure AD joined devices had turned into co-managed devices, because they have the SCCM agent and are Intune enrolled. When devices are co-managed, compliance policies are by default handed over to ConfigMgr unless you move the 'compliance policies' workload to Intune.

Device status for co-managed devices:

Co-management workloads:

At this point, compliance is always taken care of by SCCM and not by Intune device compliance policies, because of the workload setting.

If you have any conditional access policies whose grant control is set to require a compliant or hybrid Azure AD joined device, these devices will always be compliant unless you have compliance policies created in SCCM.

In order to fix this gap, we have two options:

1) Move the workload for compliance policies to Intune

2) Create device compliance policies in ConfigMgr.

I tried the 2nd option, creating a device compliance policy in SCCM; however, I cannot find all the compliance settings that are available in Intune. The most preferred method is to move the compliance policies to Intune.

Should we move the slider to Intune? Not at the moment for this customer, as co-management is still in the evaluation phase. Hence the only option for us to move forward is to uninstall the ConfigMgr client on all Azure AD joined devices using Intune.

After the SCCM agent is removed from these AAD joined devices, Intune will manage them for all device management capabilities such as app deployment, compliance, device configuration, patching etc.

How to uninstall the SCCM agent on these Azure AD joined devices (ONLY) using Intune?

We all know that the SCCM client can be uninstalled with ccmsetup.exe /uninstall, and we will use the Win32 Content Prep Tool to prepare the package and deploy it using Intune.

1. Download IntuneWinAppUtil.exe from https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool

2. Copy ccmsetup.exe from your SCCM site or from any Windows client that has the SCCM client installed to your local drive (C:\temp\sccmclient). On a client device, ccmsetup.exe is located in the C:\windows\ccmsetup folder.

3. Open cmd and run the following command:

IntuneWinAppUtil -c "C:\Temp\SCCMclient" -s ccmsetup.exe -o "C:\Temp\Intune Packages\Win32_apps"

Once this is done, you will see the .intunewin app created in the destination directory "C:\Temp\Intune Packages\Win32_apps".

We will now use this file to create a Win32 app in Intune and deploy it to Azure AD joined devices only.

Log in to the Azure portal or Device Management and click on Apps: https://portal.azure.com/#blade/Microsoft_Intune_Apps/MainMenu/1/selectedMenuItem/Overview

Choose Windows app (Win32).

Upload the .intunewin file that we generated.

Program:

Install command: ccmsetup.exe

Uninstall command: ccmsetup.exe /uninstall (we will use this to remove the agent)

Requirements: choose what is applicable to you.

Detection Rule:

I usually go with a registry key as it is easier to identify the agent installation status than going with MSI or file/folder. You can also choose a script to detect whether the SMS Agent Host service is running or not.

Uninstall command will run only on devices that have the following registry key.

Rule type: Registry

Key Path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Mobile Client

Value Name: ProductVersion

Detection method: Value exists
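
The script-based alternative mentioned above, as an added example that is not part of the original post. Intune treats a script detection rule as "detected" only when the script exits with code 0 and writes something to STDOUT. The script reads the same ProductVersion value as the registry rule, but from the 64-bit registry view explicitly, because a detection script hosted in a 32-bit process would otherwise be redirected to WOW6432Node. It assumes the SMS Agent Host service name CcmExec and treats a leftover service without the registry value as "client present" so that the uninstall still runs.

```powershell
# Added example (not from the original post): custom detection script for the
# ccmsetup Win32 app. Exit 0 + output = detected; exit 0 + no output = not detected.

$keyPath   = 'SOFTWARE\Microsoft\SMS\Mobile Client'   # key used by the registry rule in the post
$valueName = 'ProductVersion'

function Get-CcmClientVersion {
    # Pick the native registry view so a 32-bit host does not read WOW6432Node
    $view = if ([Environment]::Is64BitOperatingSystem) {
        [Microsoft.Win32.RegistryView]::Registry64
    }
    else {
        [Microsoft.Win32.RegistryView]::Registry32
    }

    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $view)
    try {
        $key = $base.OpenSubKey($keyPath)
        if ($null -eq $key) { return $null }          # key missing: client not registered
        try { return $key.GetValue($valueName) }      # $null when the value does not exist
        finally { $key.Dispose() }
    }
    finally {
        $base.Dispose()
    }
}

$version = Get-CcmClientVersion

# SMS Agent Host service; $null when the service is not registered on the device
$service = Get-Service -Name 'CcmExec' -ErrorAction SilentlyContinue

if ($version -or $service) {
    # Any STDOUT text together with exit code 0 marks the app as detected
    $state = if ($service) { $service.Status } else { 'service not present' }
    Write-Output "ConfigMgr client present (ProductVersion: $version; CcmExec: $state)"
    exit 0
}

# Nothing written to STDOUT: Intune reports the app as not installed
exit 0
```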

Save and click Add to create the app. It takes a few minutes to upload the content before the app is ready to assign to groups.

Once the app is created, you need to create an Azure AD group that contains Azure AD joined devices only and no other devices, as per the request. Refer to this post to create the AAD group using PowerShell: http://eskonr.com/2019/10/use-powershell-to-create-azure-ad-dynamic-security-group-for-azure-ad-joined-aadj-devices-only/

Once the group is ready, we can target the SCCM uninstall app to this group.

Assignment type: Uninstall

Once the assignment is done, it takes a few hours, depending on the sync policy, before ccmsetup.exe starts uninstalling the client agent on the device.

End user experience/status:

On the next MDM policy sync, the device will receive this policy and uninstall the client. Read this article on how to force an MDM policy sync on Windows 10: https://oofhours.com/2019/09/28/forcing-an-mdm-sync-from-a-windows-10-client/

Troubleshooting Intune Win32 app installation issues: https://docs.microsoft.com/en-us/intune/apps/troubleshoot-app-install

On the device, ccmsetup.log, located at C:\windows\ccmsetup\logs, has the following information about the client uninstallation.

When the SCCM agent is removed from the device, you will see the device names with the status Not installed, which means the SCCM agent has been removed or these devices do not currently have the SCCM agent.

Below snapshot shows the uninstall status (29 uninstalled).

Hope you find this useful!

SCCM ConfigMgr Technical preview 1910 – Client diagnostic actions


Microsoft released the technical preview for Configuration Manager, version 1910. This technical preview introduces new functionality that Microsoft is working on, with new features that aren't yet included in the current branch.

You can install this version to update and add new features to your technical preview site, but it is not available as a baseline for new installations.

If you want to install the technical preview in a lab, you need to download the baseline version, technical preview 1907, and then do the in-console update. Download baseline versions from the TechNet Evaluation Center.

Technical preview version 1910 has the following features/improvements:

With this preview version, there are new device actions for Client Diagnostics in the console. This release includes the following actions:

  • Enable verbose logging: Change the global log level for the CCM component to verbose, and enable debug logging.
  • Disable verbose logging: Change the global log level to default, and disable debug logging.

Prerequisites

  • Update the target client to the latest version.

  • Your Configuration Manager administrative user needs the Notify resource permission. For more information, see Client notification

To enable or disable verbose logging, launch the SCCM console, right-click the device, choose Client Diagnostics and choose enable or disable.

You will be prompted to continue.

On the client, you will find a log called diagnostics.log to track the status.

Open the log to see the status:

Verify in registry:

You can disable verbose logging and monitor the log.

This is a great feature for seeing additional information about client communication and troubleshooting issues.

Happy exploring Technical preview.

References: https://docs.microsoft.com/en-us/sccm/core/get-started/2019/technical-preview-1910


How to scale your SCCM infrastructure for third-party patching, remote client operations, and application management via a single plug-in ?


Microsoft's System Center Configuration Manager (SCCM) delivers an "umbrella" approach for patch and application management, but when it comes to third-party application management and system management operations, the process is still tiresome. SCCM current branch allows you to subscribe to third-party catalogs, publish updates to your software update point (SUP), and then deploy them to clients; however, it has limitations when patching third-party components running on a network.

With a huge number of security vulnerabilities attributed to non-Microsoft applications, it is mandatory to patch these applications to shield your enterprise from data breaches. To be more precise, Adobe and Mozilla applications pose the biggest security threats, but a comprehensive patching strategy can minimize security issues in your network.

Make the most out of your SCCM ?

ManageEngine Patch Connect Plus is the non-Microsoft tool that efficiently automates both system management operations and third-party software deployments, and extends SCCM's patching capabilities to more than 380 third-party applications. It provides end-to-end automated patching support via the SCCM console, scans the network, fetches the latest updates from vendor sites, publishes the patches to Windows Server Update Services (WSUS), initiates the WSUS-SCCM sync, and performs patch deployment and reporting. Additionally, it enables you to customize your process using templates, and create pre- and post-deployment scripts.

The Catalog Subscription feature in Patch Connect Plus provides you with a smart way to automatically import and manage 300+ third-party updates to the SCCM server software catalog. Plus, with the Auto-catalog Scheduler, you can automate the publishing process, and eliminate the need to wait for the Microsoft-prescribed seven days to synchronize the updated catalogs.

Third-Party software deployment ?

The Patch Connect Plus Application Management module facilitates the deployment of 300+ applications authored by third-party vendors such as Apple, Adobe, Java, Mozilla, and Google. As part of the software deployment, vendor download sites are contacted automatically, ensuring a streamlined and efficient process. The application template feature enables you to select all the options you need for your deployment.
Also, once a package has been created, Patch Connect Plus auto-updates the new versions that are released consecutively for that particular application.

For enterprises that often must address various contingencies, Patch Connect Plus application management capabilities enable you to run custom pre- and post-deployment scripts to help you efficiently streamline the process.

Administrator Tools for system management operations ?

Patch Connect Plus' Admin Tools help you perform system management operations, troubleshooting, and other on-demand client operations remotely. This encompasses actions like registry, BitLocker status, client group update policy, PowerShell, Command Prompt, control panel, and opening running processes. Additionally, troubleshooting operations such as client restart, accessing network folders, and other important client actions like collecting data from the evaluation cycle, software metering usage reports, and scan cycle can be performed. Once you configure Admin Tools, you can accomplish client management operations on each client machine.

Now that you have an idea about how you can achieve the best results from your SCCM infrastructure, take a deeper look at Patch Connect Plus. Learn more and sign up for a free, 30-day trial .

SCCM ConfigMgr technical preview version 1911 is available (in-console and baseline version) – Microsoft Endpoint Configuration Manager



It's Microsoft Ignite this week (Sun, 3 Nov 2019 – Thu, 7 Nov 2019) with tons of announcements. One of the key announcements in the ConfigMgr/Intune area is Microsoft Endpoint Manager (MEM) and licensing for Intune.

Microsoft Endpoint Manager (MEM) is an integrated solution for managing all of your devices. Microsoft brings together Configuration Manager and Intune, without a complex migration, and with simplified licensing. Continue to leverage your existing Configuration Manager investments, while taking advantage of the power of the Microsoft cloud at your own pace.

The following Microsoft management solutions are all now part of the Microsoft Endpoint Manager brand:

For more information about Microsoft Endpoint Manager , please refer https://www.microsoft.com/en-us/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/ 

If you own ConfigMgr, you now automatically have Intune licenses for co-managing Windows devices. Does this cover the Azure AD Premium license? No, you still need to purchase it separately.

Configuration Manager technical preview version 1911 was released early this month and is available as both an in-console update and a new baseline version.

If you want to see this update in the SCCM console under Updates and Servicing, you must be running at least 1908 or above (three successive versions are available).

If you want to set up a new lab, you can download a baseline version from the TechNet Evaluation Center.

There are not many new features in this preview version but, as discussed above, MEM (MEMCM) is the biggest news: the product is now part of MEM and not System Center (SC).

The only new feature added in this preview release is: Microsoft Connected Cache support for Intune Win32 apps

When you enable Microsoft Connected Cache on your Configuration Manager distribution points, they can now serve Microsoft Intune Win32 apps to co-managed clients.

Before you start updating or installing a new SCCM preview lab, please go through https://docs.microsoft.com/en-us/configmgr/core/get-started/technical-preview

To update to 1911 using in-console updates, go to Administration, Updates and Servicing, and click Check for Updates.

Logs to check for the backend process: Hman.log, dmpdownloader.log

Once the updates are synced, you will see the update in the console, ready to install.

Now right-click the update and select Install Update Pack.

Logs to check: ConfigMgrSetup.log (root of the Windows drive) & CMUpdate.log

Now monitor the status using the logs and also from the console:

Console:\Monitoring\Overview\Updates and Servicing Status

Once the installation is completed, you will be prompted to install the new version of the admin console.

Microsoft Endpoint Configuration Manager 1911 Tech Preview installation completed.

Before the preview update:

After the preview update:

And in Programs and Features, the display name for the ConfigMgr console appears as ‘Microsoft Endpoint Configuration Manager Console’.

Once these changes (MEM) go into production, you should update any collections that identify devices with the SCCM console installed so that they use the above name, because the old name in Programs and Features is not the same as the MEMCM one.

SCCM console version: 5.1910.1060.1000

SCCM client version: 5.00.8909.1000

How to enable Cache support for Intune Win32 apps:

Happy learning!

Download SCCM ConfigMgr and Intune slide decks and videos from Ignite 2019


Microsoft Ignite is an event to learn innovative ways to build solutions and migrate and manage your infrastructure. You connect with over 25,000 individuals focused on software development, security, architecture, and IT. Explore new hands-on experiences that will help you innovate in areas such as security, cloud, and hybrid infrastructure and development.

For those of you who would like to watch the Ignite videos offline and download slide decks, they are available at https://myignite.techcommunity.microsoft.com/sessions? but it is difficult to search for them one by one and watch them when needed.

There are a few PowerShell scripts available online to download Ignite videos; however, I have used the Microsoft script, modified it a little, and input only the session codes that are related to ConfigMgr and Intune for download.

By default, the script available at the Microsoft link downloads videos into folders named after the session code, so I have modified the script to name the folder after the title to make it more readable.

If you want to download all Ignite videos and slide decks, download the PowerShell script https://myignite.techcommunity.microsoft.com/Download-Resources.zip and run it.

In this blog post, I will walk through the steps to download slide decks and videos of all ConfigMgr and Intune sessions.

The following is the list of sessions related to ConfigMgr/Intune from Ignite 2019.

SCCM/Configmgr/Intune:

Title | Sessioncode | DurationInMinutes | Level
Managing a virtual workplace using Windows Virtual Desktop and Microsoft 365 | BRK3149 | 45 | Advanced (300)
Using Desktop Analytics and Configuration Manager to reduce Windows TCO through data-driven insights for management, servicing, and support | BRK3085 | 45 | Advanced (300)
Brad Anderson presents unifying device management and taking it to the next level | THR2265 | 20 | Intermediate (200)
The future of desktop deployment: Windows, Office, and Windows Virtual Desktop | PRE25 | 480 |
One browser for modern and legacy web apps: Deploying Microsoft Edge and Internet Explorer mode | BRK2230 | 45 | Intermediate (200)
Run your own Windows Insider Program with WSUS and Configuration Manager | THR3046 | 20 | Advanced (300)
How to manage Windows 7 Extended Security Updates (ESUs) for on-premises and cloud environments | BRK3079 | 45 | Advanced (300)
Android device management with Microsoft Intune | BRK3082 | 45 | Advanced (300)
Protected, productive mobile browsing with Microsoft Edge mobile and Microsoft Intune | BRK3253 | 45 | Advanced (300)
How Microsoft uses Intune internally to manage Windows devices | THR2333 | 20 | Intermediate (200)
Transforming update management with cloud controls | BRK3258 | 45 | Advanced (300)
Connecting the dots with M365: Automate onboarding, protection, detection and response for endpoints | BRK3286 | 45 | Advanced (300)
Technical deep-dive: Deliver Windows 10 and cross-platform mobile management solutions with Microsoft Unified Endpoint Management | PRE23 | 480 |
Deploying, managing, and servicing Windows, Office and all your devices | | 0 | Foundational (100)
Why Microsoft 365 device management is essential to your zero-trust strategy | DEP50 | 45 | Advanced (300)
Microsoft Surface modern manageability (Repeat) | WRK3036R | 75 | Advanced (300)
Microsoft cybersecurity reference architecture: A-Z explained with live demos (REPEAT) | BRK2272R | 45 | Intermediate (200)
Reaching for the cloud: Group Policy transformation to MDM with Microsoft Intune | THR3027 | 20 | Advanced (300)
Insights-driven device management: Use the power of analytics to optimize the user experience and enhance productivity | BRK3086 | 45 | Advanced (300)
Getting started with co-management workloads REPEAT | WRK3008R | 75 | Advanced (300)
Connecting the dots with M365: Automate onboarding, protection, detection and response for endpoints (REPEAT) | BRK3286R | 45 | Advanced (300)
Extend mobile threat protection to bring-your-own-device (BYOD) users | THR3134 | 20 | Advanced (300)
Microsoft Surface modern manageability | WRK3036 | 75 | Advanced (300)
Microsoft Graph 101 for developers and IT professionals | MLS1035 | 15 | Foundational (100)
Managing Surface UEFI BIOS settings with Microsoft Intune | BRK2362 | 45 | Intermediate (200)
Endpoint security management with Microsoft Defender ATP and Microsoft Endpoint Manager | BRK3083 | 45 | Advanced (300)
Deployment and management of Microsoft 365 workloads and devices: Roundtable topics (Repeat) | BRK3306R | 75 | Advanced (300)
The Windows 10 tips you wish you knew last week: Mobile worker edition | THR2037 | 20 | Intermediate (200)
macOS device management with Microsoft Intune | THR3028 | 20 | Advanced (300)
Ask the experts: Modern deployment and device management | BRK3076 | 75 | Advanced (300)
iOS and iPadOS device management with Microsoft Intune | BRK3219 | 45 | Advanced (300)
Getting started with co-management workloads | WRK3008 | 75 | Advanced (300)
Use the cloud to configure group policy on Windows 10 devices with ADMX templates and Microsoft Intune (Repeat) | WRK3024R | 75 | Advanced (300)
Deep dive: Group Policy transformation to MDM with Microsoft Intune | BRK3331 | 45 | Advanced (300)
Run your own Windows Insider Program with Group Policy and Intune | THR3045 | 20 | Advanced (300)
Surface Autopilot: The easiest deployment for today's mobile workforce | THR1061 | 20 | Foundational (100)
Moving to Windows 10 and Office 365 ProPlus? FastTrack is here to help! | BRK2177 | 45 | Intermediate (200)
Migrating from Device Admin to Android Enterprise with Microsoft Intune | THR3081 | 20 | Advanced (300)
Keep it simple: the unified administrative experience in Microsoft Endpoint Manager | THR3026 | 20 | Advanced (300)
Deploying and Managing Windows and Office in a Modern World | WRK3019 | 75 | Advanced (300)
Deploying and Managing Windows and Office in a Modern World (Repeat) | WRK3019R | 75 | Advanced (300)
Career skills: IT pro to cloud pro - strap on your jetpack! | THR2009 | 20 | Intermediate (200)
Supercharge PC and mobile device management: Attach Configuration Manager to Microsoft Intune and the Microsoft 365 cloud | DEP40 | 45 | Advanced (300)
Use the cloud to configure group policy on Windows 10 devices with ADMX templates and Microsoft Intune | WRK3024 | 75 | Advanced (300)
End user experiences on managed Microsoft 365 devices | BRK3084 | 45 | Advanced (300)
Deployment and management of Microsoft 365 workloads and devices: Roundtable topics | BRK3306 | 75 | Advanced (300)
Microsoft cybersecurity reference architecture: A-Z explained with live demos | BRK2272 | 45 | Intermediate (200)
Streamlined deployment of specialized devices | THR3152 | 20 | Advanced (300)
Getting started with co-management workloads REPEAT | WRK3008R2 | 75 | Advanced (300)

How to run the script to download videos and slide decks for the above sessions?

Download the custom script from here, open a PowerShell prompt and run it with the following syntax:

.\Download-Resources.ps1 -directory . -sessionCodes "BRK3149,THR2265,BRK2230,BRK3082,BRK3253,THR2333,BRK3258,BRK3286,PRE23,DEP50,WRK3036R,BRK2272R,THR3027,BRK3086,WRK3008R,BRK3286R,THR3134,WRK3036,MLS1035,BRK2362,BRK3083,BRK3306R,THR2037,THR3028,BRK3076,BRK3219,WRK3008,WRK3024R,BRK3331,THR3045,THR1061,THR3081,THR3026,WRK3019,WRK3019R,THR2009,DEP40,WRK3024,BRK3084,BRK3306,BRK2272,THR3152,WRK3008R2,BRK3149,BRK3085,THR2265,PRE25,BRK2230,THR3046,BRK3079,BRK3258,PRE23,THR3027,BRK3086,WRK3008R,BRK3083,BRK3306R,BRK3076,WRK3008,BRK2177,THR3026,DEP40,BRK3306,WRK3008R2"

Videos will be downloaded into the script folder, with the session title as the folder name:

Thanks for reading the post!

Authorization error when attempting to download Windows Store for Business application inventory – ConfigMgr

The Microsoft Store for Business (wsfb) is where you find and acquire Windows apps for your organization. When you connect the store to Configuration Manager, you then synchronize the list of apps you've acquired. View these apps in the Configuration Manager console, and deploy them like you deploy any other app.

For more information about Microsoft Store for Business, please read here

Our users were trying to install some apps from the Microsoft Store. When users tried to install the apps from the store, the installation failed because of proxy issues. The Microsoft Store sign-in page on Windows 10 goes through login.live and is blocked for security reasons.

So we had to look for an alternative way to deploy store apps to our users, and we decided to integrate MSFB with Configuration Manager and make full use of the features that MSFB provides.

Follow the guide here to integrate Microsoft Store for Business with Configuration Manager.

How to integrate Windows Store for Business with System Center Configuration Manager?

Log in to the console and browse to \Administration\Overview\Cloud Services\Azure Services

Click Configure Azure Services and follow the steps given in the screenshots below.

After configuring Azure services for wsfb, the sync failed to download the Windows Store for Business application inventory.

The error from the log WsfbSyncWorker.log, located in your Configuration Manager setup folder:

Exception: [Microsoft.ConfigurationManager.CloudBase.CMHttpRequestException: Unsuccessful response when content result expected for request.

Error occurred making HTTP request calling 'GET' method on 'https://bspmts.mp.microsoft.com/V1/Inventory?maxResults=100&modifiedSince=0001-01-01T00:00:00.0000000&includeRemoved=true': (Unauthorized) 'Unauthorized'.

at Microsoft.ConfigurationManager.CloudBase.SmsHttpClient.<GetStringFromHttpResponseMessageAsync>d__35.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

This means that the Azure web application you created during the wsfb wizard does not have access to download the wsfb inventory.

To fix this, we need to configure a management tool to synchronize your Microsoft Store for Business inventory.

Log in to https://businessstore.microsoft.com/ with an admin account.

Click Settings, then Distribute: https://businessstore.microsoft.com/en-us/manage/settings/distribute

Click Add management tool.

In the search box, type the name of the Azure web app that you created during the integration of wsfb in Configuration Manager.

Click Add.

Now we have given the Azure web app permission to download the inventory.

When you add the tool, its status is inactive. Click Activate.

The status now changes to active, and the action changes to Deactivate.

We will now go back to the Configuration Manager console and perform a sync from Microsoft Store for Business.

Monitor the log WsfbSyncWorker.log for sync status.

Soon after the sync succeeds, you will see the apps appear in the software library: \Software Library\Overview\Application Management\License Information for Store Apps
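One way to check WsfbSyncWorker.log for the authorization error described in this post, as an added example that is not part of the original post. The function name Get-WsfbHttpFailure and the sample lines are constructed here, and the regular expression assumes the message wording quoted above.

```powershell
# Added example: summarize HTTP failures recorded in WsfbSyncWorker.log.
# The pattern follows the error text quoted in this post; the function name
# and the sample lines are constructed for illustration.
function Get-WsfbHttpFailure {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string[]]$Line
    )
    begin {
        # Captures the HTTP method, the request URL and the status in parentheses.
        $pattern = "calling '(?<Method>[A-Z]+)' method on '(?<Url>[^']+)': \((?<Status>\w+)\)"
    }
    process {
        foreach ($l in $Line) {
            $m = [regex]::Match($l, $pattern)
            if ($m.Success) {
                $uri = [uri]$m.Groups['Url'].Value
                [pscustomobject]@{
                    Method = $m.Groups['Method'].Value
                    Host   = $uri.Host
                    Path   = $uri.AbsolutePath   # query string dropped for grouping
                    Status = $m.Groups['Status'].Value
                }
            }
        }
    }
}

# Constructed sample input, modelled on the exception shown in this post.
$sample = @(
    "Exception: [Microsoft.ConfigurationManager.CloudBase.CMHttpRequestException: Unsuccessful response when content result expected for request."
    "Error occurred making HTTP request calling 'GET' method on 'https://bspmts.mp.microsoft.com/V1/Inventory?maxResults=100&modifiedSince=0001-01-01T00:00:00.0000000&includeRemoved=true': (Unauthorized) 'Unauthorized'."
    "Sync cycle finished."   # constructed line that must not match
)

$failures = $sample | Get-WsfbHttpFailure
$failures | Group-Object Status, Host, Path | Select-Object Count, Name

if ($failures | Where-Object Status -eq 'Unauthorized') {
    'Unauthorized responses found: confirm the Azure web app is added and activated as a management tool in Microsoft Store for Business.'
}

# Against the real log (placeholder path, depends on your installation):
# Get-Content '<ConfigMgr setup folder>\Logs\WsfbSyncWorker.log' | Get-WsfbHttpFailure
```

After activating the management tool and re-running the sync, no new Unauthorized entries for the Inventory request should appear in the log.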

Reference:

Troubleshoot the Microsoft Store for Business integration with Configuration Manager

Configure mdm provider microsoft store for business

What is new in Configuration Manager 1910 reporting

Microsoft has released update 1910 for SCCM, which is now called Microsoft Endpoint Configuration Manager (#MEMCM), and it is available as an in-console update ONLY. You can apply this update on sites that run 1810 and later. For more information, please read

If you want to install a new Configuration Manager site, you can download 1902 as a baseline from the volume licensing portal.

For more information about how to perform the in-console update for Configuration Manager update 1910, please refer here

After the in-console update, you need to manually upgrade any secondary sites by right-clicking the site and choosing Upgrade.

You also need to update your Configuration Manager clients to the latest version (1910) to use the newly supported client features.

With update 1910, a bunch of new features have been added. This means that a number of SQL tables/views have also been added, which will help us create some great custom reports.

The following are the newly added SQL views/SMS tables for custom reporting.

v_AppGroupDisplayProperties

v_AppGroupTargetingDeploymentInfo

v_BLM_AvailableCollections

v_BLM_CI_ID_AND_COLL_ID

v_BLM_CI_IDs

v_BLM_ComplianceStatus

v_GS_BITLOCKER_DETAILS

v_GS_MBAM_POLICY

v_GS_OFFICE_CLIENTMETRIC

v_GS_OFFICE_DEVICESUMMARY

v_GS_OFFICE_DOCUMENTSOLUTION

v_GS_OFFICE_MACROERROR

v_GS_OPERATING_SYSTEM_EXT

v_R_ProvisioningSystem

vCMGS_DeviceExtInfo

vDeviceActionsHistory

vSMS_OfficeActualHealthSummary

vSMS_OfficeAddinHealthDetail

vSMS_OfficeDevicesReadyToDeploy

vSMS_OfficeMacroHealthDetail

vSMS_OfficeMacroHealthSummary

vSMS_OfficePilot

vSMS_OfficePilotAddInsHealth

vSMS_OfficePilotDevicesHealth

vSMS_OfficePilotDevicesReadyToDeploy

vSMS_OfficePilotMacrosHealth

vSMS_OrchestrationGroup

vSMS_OrchestrationGroupMembers

vStateMsgErrorStats

We can make use of these SQL views to create a variety of dashboards.

Some of the interesting views that will be useful are:

v_GS_BITLOCKER_DETAILS

vDeviceActionsHistory

vSMS_Office*

Download the Microsoft Endpoint Configuration Manager (#MEMCM) SQL views documentation for 1910 from TechNet: https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b

For more information about Configuration Manager 1910, please read http://eskonr.com/2019/11/configuration-manager-update-1910-is-now-available-as-microsoft-endpoint-configuration-manager-current-branch/

Happy reporting!
