To manage software updates using SCCM/Configmgr, software update scan (with help of windows update agent) is mandatory without which ,client cannot download the update catalog (metadata) from WSUS and perform the scan for letting the server know what is required and what is not required using the state messages.

When i was looking at the software update scan reports few days ago ,identified some of the clients (Windows servers) could not able perform software update scan. So i decided to take look at the one of the client logs and troubleshoot further.

After logging into the server ,looked at wuahandler.log ,scanagent.log and windowsupdate.log as these logs will help you help to troubleshoot software update scan issues at the initial stage.

Below is windows update log.

WARNING:     IsSessionRemote: WinStationQueryInformationW(WTSIsRemoteSession) failed for session 2, GetLastError=2250

COMAPI    FATAL: Unable to connect to the service (hr=80080005)

COMAPI    WARNING: Unable to establish connection to the service. (hr=80080005)

After seeing this error ,i tried to stop windows update service but windows update service stuck at “stopping” status (hung) and never finish . So i have to kill the service to stop using taskkill command.

Open cmd as an administrator

1. Run:  taskkill /f /fi “services eq wuauserv”

After the windows update service start, tried initiating the software update scan to see if that makes any any difference but again issue repeat (same error code in windows update log ,software update scan never move forward using wuahandler.log )

I even tried installing the updates manually to see if that goes through but that also failed.

After doing the basic troubleshooting as said above ,the issue is not with SCCM client or windows update agent rather it is more of windows issue likely to be caused due to a missing/corrupt class in root\microsoft\windows\servermanager

How do you know the issue is related to missing/corrupt wmi class ?

For this ,you need to create dump to analyse what is going on and here is what found in the dump log.

0 0000003ebe29d4c8 00007ffd372713ed ntdll!ZwWaitForMultipleObjects+0xa

1 0000003ebe29d4d0 00007ffd39a1f9e4 KERNELBASE!WaitForMultipleObjectsEx+0xe1

…

4 0000003ebe29d850 00007ffd2f31a1c7 wbemcore!CCoreQueue::QueueWaitForSingleObject+0x5c   Waiting for thread running wbemcore!CCoreQueue::Execute

5 0000003ebe29d8a0 00007ffd2f328f5a wbemcore!CWmiFinalizer::GetOperationResult+0x67

6 0000003ebe29d8e0 00007ffd2a999afd wbemcore!CWbemNamespace::ExecQuery+0x2ae

7 0000003ebe29d9b0 00007ffd2aaad24a wuaueng!CSystemExprEvaluator::EvaluateWmiQuery+0x1e1

…

10 0000003ebe29df70 00007ffd2aaa7275 wuaueng!CAgentUpdateManager::EvaluateSingleApplicabilityRule+0x1a6

11 0000003ebe29e0a0 00007ffd2aaa6a76 wuaueng!CAgentUpdateManager::EvaluateUpdateApplicabilityRules+0x51a

12 0000003ebe29e8f0 00007ffd2a9857e9 wuaueng!CAgentUpdateManager::DetectForUpdate+0x3e7

13 0000003ebe29ead0 00007ffd2a997bdf wuaueng!CAgentUpdateManager::EvaluateUpdateSet+0x129

From the dump log ,We can see the hang is due to waiting for WBEM. WBEM is Web-Based Enterprise Management, and its Microsoft implementation is Windows Management Instrumentation (WMI).

When Windows Update is in “scanning for updates” state, the WMI provider in use is ServerManager.DeploymentProvider.

Below command is to compile servermanager.deploymentprovider.mof . If the ServerManager.DeploymentProvider is bad, this command will fix it. If the ServerManager.DeploymentProvider is good, below command will not cause any damage to the machine. Thus running this command is the troubleshooting action I chose.

Open cmd as an administrator

1. Run:  taskkill /f /fi “services eq wuauserv”
2. Run the following command to recompile the MOF file:  mofcomp c:\windows\system32\wbem\servermanager.deploymentprovider.mof
3. Restart the machine.

After the server reboot, software update scan went through successfully.

I could not able to find a way to check  whether ServerManager.DeploymentProvider is good or bad but compiling the MOF do not harm the server and that also fix the issue.

Hope it helps!

OverJoyed …..I got an email yesterday from the Microsoft MVP Award team saying that ,I have been awarded with Microsoft MVP award in Enterprise Mobility for 2017. I am extremely proud and honored to receive this award.

I started blogging (www.eskonr.com) in year 2009 to to share my technical views,tips and tricks that I have seen in my daily work on SMS 2003 /SCCM/Configmgr In 2012 and to keep this as my reference .I have no idea what the award means when I started blogging in the early stages of my career .It was purely on the basis of sharing the knowledge and helping the community. This blog has now over 2.5 million views since then with over 400+ subscribers ,500+ posts and 2000+ comments .

Here is what email says:

We are extremely pleased to present you with the 2017-2018 Microsoft Most Valuable Professional (MVP) Award! This award is given to exceptional technical community leaders who share their remarkable passion, real-world knowledge, and technical expertise with others through demonstration of exemplary commitment.

Thank you Microsoft for recognizing my contributions towards community.

Thanks to all  those who supported and encouraged me over the last few years (Janaka ,Niall Brady, Garth Jones)  and especially to my wife who let me spend time on blogging,being active in social communities .

If you want to know who executed (number of times ) the Configuration manager reports (or any other SSSRS reports) or if anyone compliant that some of the Configmgr reports are running slow or timed out ,how do you find the such reports and take action ?

I receive requests from remote users saying that they have issue while running some of the custom reports but when i run ,they works fine but not for remote users. There could be so many reasons why the report loads slow (network or SQL code issues etc) which am not going to discuss here.

Recently i was checking on this to see what are the reports ran by users most of the times and ,how many times they have run ,what are the top most reports and how long these report take time to execute .

When you run the SSRS reports ,it will log lot of information back into the report executionlog .

This report execution log is stored in the Reportserver database that by default is named ReportServer .if you have custom database name ,then you must that database to run the query.

As you can see in the following reportserver ,there are 3 SQL views that contain the information about execution log

Below is the take from Microsoft article about these executionlog sql views.

Now ,lets try SQL query to pull the information about the SSRS reports with its execution time, users ,time start etc.

Use  ReportServer
select * from ExecutionLog3
order by TimeStart desc

Results using above SQL Query:

Below query help you to find number of times that each user run the report.

Use ReportServer
select ItemPath,UserName,count(*) [No of times executed] from ExecutionLog3
group by ItemPath,UserName
order by 3 desc

One of the ways to reduce the disks space/cpu I/O is to enable cache use cache option in reports ,further reading ,please have a look at https://www.enhansoft.com/blog/how-to-setup-report-caching-for-a-ssrs-report

More information about the columns and its description can be found from http://www.sqlchick.com/entries/2011/2/6/querying-the-report-server-execution-log.html

Hope it helps!

I had setup standalone intune (MDM authority to Intune)  to manage mobile devices long-time ago ,but after doing some testing on android,windows and iOS devices ,i decided to change MDM authority from Intune to Configuration Manager console (hybrid) . To change the MDM authority from intune to hybrid ,Login login to SCCM console  ,go to administration –>cloud services –>Microsoft intune subscription –>Add Microsoft Intune Subscription

This process will prompt you to login using Microsoft intune subscription ,configure company contact information,logo etc.

After doing all the initial setup , verified logs and confirm that the MDM authority is set to Hybrid using URL https://admin.manage.microsoft.com/MicrosoftIntune/App.aspx

Admin page—>Mobile device management ,Mobile device management authority set to Configuration Manager

After this is done ,you can enable windows and android platform directly but for iOS devices ,you need to create APN certificate request ,download the APN certificate which is used to establish a trust relationship between the Apple Push Notification server and Intune’s mobile device management authority.

Once you are done with the enable iOS enrolment and uploaded the Apple Push Notification service certificate ,you can start enrolling the iOS devices.

Note:Do not upload the Apple Push Notification service (APNS) certificate until you enable iOS enrolment in the Configuration Manager console.

Once am done with the configuration setup ,i have enrolled windows and Android devices and these devices appear in SCCM console but not iOS devices.

Have tried enrolling few iOS devices ,but they never appear in SCCM console.I can see the applications ,company logo etc that i published to my users in the company portal in iOS device but the compliance just stuck for longer time without any joy.

This lead me to look at the logs .For this ,open the company portal and shake the device to get option to send logs.

Here is snippet from log .

After going through lot of troubleshooting steps which includes verifying the APN certificate expiry date in SQL database ,settings etc ,finally reach out to microsoft to check what is happening behind the scenes. There is nothing for us to troubleshoot on the intune part .

After spending few hours time with Microsoft support engineer ,they have told me that ,APN certificate that was uploaded corrupted and it requires to reset the MDM authority to fix the issue.

To reset MDM authority ,i need to perform the following actions

1. remove the users from the Intune User Group. Point the Intune Subscription to an empty user collection, or, remove all users from the targeted collection  and confirm in the CloudUserSync.log that users are removed.

2. Uncheck the iOS platform to purge the APNs certificate

3.  Delete any and all published applications that are for MDM Devices

4. Delete any and all polices that are for MDM Devices

5. Remove the Windows Intune Connector from within the Configuration Manager Console.

6. Remove the Intune subscription by right-clicking the subscription and selecting Delete

• Restart the SMS Executive Service

Once you are done with these steps ,Microsoft Engineer will proceed to reset MDM authority and able to successfully enroll iOS devices.

After you change the MDM authority from intune to sccm ,devices are already enrolled to intune will switch to SCCM and for this ,it can upto 8 hours to re-appear these devices into your SCCM console.

What you need to consider (best practise)  while switching your MDM authority from Intune to Configuration Manager is that ,you should use the same APN certificate that was used in standalone in SCCM but with renewed  certificate means ,renew the APN certificate that was used intune ,download it from apple store and uploaded into SCCM to avoid corruption of APN certificates.

Reference https://docs.microsoft.com/en-us/sccm/mdm/deploy-use/change-mdm-authority

Maintenance windows in SCCM Configmgr enable you to define a time when SCCM operations can be carried out on members of a device collection. These maintenance windows are helpful to ensure that client configuration changes occur during periods that do not affect the productivity of the organization. More information about  Maintenance windows refer https://docs.microsoft.com/en-us/sccm/core/clients/manage/collections/use-maintenance-windows

I had requirement to remove all Maintenance windows that are set on list of collections .Removing the Maintenance windows for each collection would be tedious task. Right click on collection ,select maintenance window and delete the Maintenance window.

Note:Removing the Maintenance windows allow to install deployments that are pushed to collections.

In this blog post, we will see how powershell can do this task in seconds for any number of collections that you pipe into txt file.

All you need is ,get the list of Collection IDs and supply it to text file ,run the script.

This script will not output any results to log file saying what is the existing Maintenance window and what is deleted. If you want ,you can customize the script to log the output.

This script uses 2 basic powershell cmdlets available in configuration manager module which are

Get-CMMaintenanceWindow Gets the maintenance windows for a collection

Remove-CMMaintenanceWindow Removes a maintenance window associated with a collection

Download the powershell script from Technet Gallary ,supply the list of collection IDs ,run the script.

Microsoft Azure portal for Intune provide you the information about user sign-in activities (includes usage of managed applications) and Audit Logs (information about users ,group management ,your managed applications and directory activities) through reporting.

The information which is tracked ,will help you to determine sign-in status for applications,with MFA(Multi factor authentication),MFA results etc

To see the activity of Sign-ins and Audit logs, login to https://portal.azure.com ,click on Intune ,right side you will see Users

Click on Users to see activity with Sign-ins and Audit logs ,Click on Sign-Ins

On the right side ,you will see list of all users with their sign-in status for applications.

On the top, you will see several filters like Date (Range from 1 month,7 days,24 hours and custom) ,User (user name or UPN name),Application (application name),client and Sign-in status (success,failure or all).

I want to see the activities performed by specific users (eswar) ,to see that, simply type the user name or UPN in User filter tab and click on Apply to see the results

You also have an option to download the results into CSV format.

To see the audit logs ,while you are on users and groups- sign-ins ,click on Audit logs to see information about users ,group management.

Audit logs also filter option to list the activities performed by specific user instead of seeing long results.

As you can see from above snippet,there are several activities for user eswar koneti like change user license ,add owner to group,member to group,update user initiated by (actor) .

This also gives you option to download the results into CSV file.

I will need to see if this information can get from Power BI without going through Azure portal. Power BI for Microsoft Intune ,please refer http://eskonr.com/2017/09/power-bi-for-microsoft-intune/ .

Beginning with Configmgr Version 1702, clients use boundary groups to find a new software update point. You can add individual software update points to different boundary groups to control which servers a client can find.

More information about boundary groups and its relation with  software update point changes in 1702 and 1706 ,please refer TechNet link  https://docs.microsoft.com/en-us/sccm/core/servers/deploy/configure/boundary-groups ,it has lot of information than i explain.

Few weeks ago ,i was looking at the boundaries and boundary groups that are configured for my environment with its fallback information (distribution point and software update point).

I find it hard to locate the boundaries that are configured with fallback distribution points and fallback software update point.Incase you want to know the list of boundaries/boundary groups that are configured with fallback options,there is no default report.

I have created SSRS report that will help to pull information from SQL database into nice reporting .

References:

Relationships:

How does the report work ?

Download the report from Technet Gallary , upload the report into Configmgr SSRS reports folder,change the data source and run the report.

When you run the report, it prompt for Site Code since all the boundary groups that you created must have assigned to specific Site Code for site assignment. If you have not assigned the boundary groups to any specific site code, they will not be listed here .

So choose the Site Code (Primary or Secondary) or select All

Boundary groups that are assigned with specific Site Code will be listed with following information.

Boundary Group Name ,Site system Role,Site Code,Fallback Boundary Group,Fallback Site System,Fallback DP,Fallback SUP.

This is quick blog post to address the issue of blank site in the installation options while installing SCCM Client software using client push installation method.

In SCCM 2012 and above ,you have RBAC (Role based administration access) to secure the access that is needed to administer Configuration Manager. You also secure access to the objects that you manage, like collections, deployments, and sites. For more information about RBAC ,please read https://docs.microsoft.com/en-us/sccm/core/understand/fundamentals-of-role-based-administration  and https://blogs.technet.microsoft.com/hhoy/2012/03/06/role-based-administration-in-system-center-2012-configuration-manager/

Coming to the subject line ,We have created security scopes and security roles for different LBU’s with required permissions limiting to their country collections (Note: we have removed the default security scope from user/group permissions ).

when the LBU (local business unit) team try to perform the client installation using client push ,they do not see option to choose the site to install the client software . Allowing this will install the client software from specified site server.

This happens because user do not have access to view/read the site (it could be primary or secondary site).

To fix this ,you need to add the security scope that you assigned to user/group in primary/secondary site .

Go to administration—site configuration sites ,right click on Primary or secondary site that you want users to select ,click on set security scopes

choose from the available security scopes

Click ok ,now users should be able to choose the site to install client software from.

Hope it helps!

Microsoft has released SCUP 2017 preview 2 update with enhanced update catalog to provide better experience for users in consuming large catalog updates. While old catalog formats are still supported, catalog providers will need to add information to their existing catalogues to take advantage of these improvements that exist in this preview 2 update. This preview 2 update contains the following improvements:

• Indexing for quicker imports of previously imported catalogs – Catalog producers can now index their catalogs. This will allow users to import large catalogs containing few new updates more quickly.
• Inclusion of signing certificates within updates catalogs – Catalog producers can now include signing certificates with their updates catalogs. This enables users to add the certificates to the trusted publishers list during import so that approval prompts will not block publish operations.
• Signature Timestamp – Updates published to a WSUS server will by default have the signature time-stamped. Note, this functionality requires internet access. If you have upgraded from preview 1 this will not be automatically enabled.  To enable or disable the signature timestamp or configure the timestamp server that is used see the Advanced page under Options.

In this post ,we will see how to

1. Download the SCUP Preview here.

2. Run UpdatesPublisher.msi on a computer that meets the prerequisites.

3. Configure the options for SCUP.

4. Start using the features of SCUP.

Download the SCUP Preview from https://www.microsoft.com/en-us/download/details.aspx?id=55543 ,installer size is around 5MB

Run the downloaded file on supported platform OS ,in this case, i will run the installer on my SCCM server in my lab.My lab server do not have any SCUP .since this is still in preview,do not install in production environment.

System requirements to install SCUP 2017 Preview 2:

Installation is straight forward.

Click next,next,finish

On the device that you installed preview, search for Update publisher (Preview)

.

Accept the license terms ,let it do some pre checks before the console made available to you.

Version of this SCUP 2017 Preview 2 is : 6.0.219.0

If you are using SCUP 2011 ,you now have 2 new features added in preview release with updates and logging.

Logging:

In advance tab ,you can now change the database file instead of leaving it in user profile and Signature Timestamp URL is enabled by default.

In preview release, all the nodes are added with workspace like updates workspace,publications workspace,rules workspace and catalos workspace.

From the default catalog i can see only acrobat and reader but no flash player along with dell,HP,Fujitsu . For Adobe flash player ,you need to add the scup catalog manually. http://fpdownload.adobe.com/get/flashplayer/distribution/win/AdobeFlashPlayerCatalog_SCUP.cab

SCUP log that track the information about importing catalogs, publish and download of updates is changed from SCUP.log to updatepublisher.log which still store in user profile (%appdata%)

when you try to import download catalog file(cab) ,it will prompt you with few options like approve,always approve and decline.

Once the catalog is approved (always) ,you will not see any prompts during the publish of updates (content download) .This is really helpful if you are trying to publish lot of updates and have a coffee while it download the content and publish the info .

In the older version,when you try to publish the updates ,it prompt to approve the content which is troublesome if you have multiple updates published at one go.

More to test on this ,Stay tuned until further updates.

When you install configuration manager client to manage any windows device ,it will try to configure local group policy to set WSUS server settings (unless you have no GPO configured to set these settings) .If at all ,you have any GPO to configure the WSUS information ,local GPO that created by configmgr client will fail which will be logged in wuahandler.log,windowsupdate.log.

If you look at wuahandler.log, you will see error something like below. “Group policy settings were overwritten by a higher authority (domain controller) to server and policy not configured” .

So before you try to install SCCM client,it is always recommended  to disable GPO settings for windows update to avoid the conflict with local GPO created by Configmgr client .More information about software update troubleshooting http://eskonr.com/2015/04/sccm-2012-troubleshoot-client-software-update-issues/ 

If you want to know more about Configmgr software update management and group policy relation ,please read Jason Sandy's explanation https://home.configmgrftw.com/software-update-management-and-group-policy-for-configmgr-what-else/ 

https://home.configmgrftw.com/software-updates-management-and-group-policy-for-configmgr-cont/

In this blog post, we are going to see ,how to check 4 primarily used windows update policy settings the WSUS settings like USEWUServer,WUServer,NoAutoupdate and accept trusted publisher certs (for 3rd party patching) that are correctly configured or not before clients perform software update scan.

1.WUServer

2.UseWUServer

3.NoAutoUpdate

4.AcceptTrustedPublisherCerts

Although you can do SQL query to get the clients that are having issue with GPO conflict ,but it is always good to check the these registry keys to make sure clients are good .

AcceptTrustedPublisherCerts—> for trusting the 3rd party updates if you are using SCUP to trust adobe,flash ,java and other updates that are deployed via SCCM.

Location that store above policy settings in the client registry is HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (for both 32bit and 64bit OS)

NoAutoupdate –>is to disable auto windows update

Following is SQL query to get clients info that have issues with GPO conflict:

select distinct sys.name0 [Computer Name],os.caption0 [OS],convert(nvarchar(26),ws.lasthwscan,100) as [LastHWScan],convert(nvarchar(26),sys.Last_Logon_Timestamp0,100) [Last Loggedon time Stamp],
sys.user_name0 [Last User Name] ,uss.lasterrorcode,uss.lastscanpackagelocation from v_r_system sys
left join v_gs_operating_system os on os.resourceid=sys.resourceid
left join v_GS_WORKSTATION_STATUS ws on ws.resourceid=sys.resourceid
left join v_updatescanstatus uss on uss.ResourceId=sys.ResourceID
inner join v_FullCollectionMembership fcm on fcm.ResourceID=sys.ResourceID
where uss.lasterrorcode!='0'
--and fcm.CollectionID in('PS100140')
and sys.client0 is not NULL
and uss.LastErrorCode='-2016409966'
order by sys.name0

Now lets focus on the Configuration item/configuration baseline to create task and deploy to collection:

I have couple of blogs how to create configuration item with settings hence i am not going to show you step by step . I will go through the settings that are really important for this task.

At the end ,i also attach the exported version of configuration baseline however you might have to edit it after import due WSUS server information.

In new setting, provide the following information.

Name: WUServer (anything you like) , Setting Type Registry value .Data type: String , Hive Name:HKEY_Local_Machine ,Key Name:SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

Click on browse to select the registry key

Registry key:  Choose the following settings.

Click Ok

Click on compliance Rules , you will see 2 conditions .

f you have multiple WSUS servers ,click on the wuserver one of ,click Edit rule,

Paste all the WSUS server locations into the one of field setting and click ok

How do you get list of all WSUS server locations ?

Run the following SQL query against your CM database.

select LastScanPackageLocation from v_UpdateScanStatus
where LastScanPackageLocation not like ''
group by LastScanPackageLocation

we now have created one setting for WUserver ,like this we need to create for 3 more entries .

For UseWUServer ,click on New ,follow the options listed below.

While you are at this page ,click on browse ,follow the path below to select the registry key

Click on Ok .

Under compliance rules ,select Report noncompliance if this setting instance is not found .

we will create the rest 2 conditions in similar way that we created for UseWUServer . All you need is point the registry key to respective value.

3.NoAutoUpdate –> SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

Under compliance rules ,select Report noncompliance if this setting instance is not found

4.AcceptTrustedPublisherCerts—>SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

Under compliance rules ,select Report noncompliance if this setting instance is not found

Click ok

we now set 4 conditions that required to check windows update policy settings

Click next to verify all compliance rules

Click next for the completion of configuration item wizard.

We can now create configuration baseline and deploy it to collection .

If any of the above setting is not found on the client computer, it will report as non-compliant which will help you to troubleshoot and fix software update scan issues.

Download the CB – Configuration baseline for Windows update policy settings here .

To import ,go to compliance settings – configuration baseline ,right click and import the cab file.

After you import the cab file ,don't forget to edit the configuration item and modify your WSUS server settings.

Hope this guide helps!

This blog post is going to be version 3 on the same topic (report for MS office versions) but with different requirements.My previous posts on ssrs report for count of MS office versions and drilled report to see client names etc will have some limitations like they will not give you bit type(architecture) like 32bit or 64bit of office installed on the client. They simply get the count of the MS office edition installed and then drill down further to get you the list of client computers with office edition,version,its OS and hardware scan date info.

Both the versions with ssrs report can be found on https://gallery.technet.microsoft.com/office/SCCM-Configmgr-Report-for-2c36f1b9 https://gallery.technet.microsoft.com/office/SCCM-Configmgr-2012-SSRS-c482cca2 and

https://support.microsoft.com/en-us/help/928516/description-of-product-code-guids-in-2007-office-suites-and-programs

After posting these 2 reports, blog viewers ,TechNet gallery and in forums have asked to get bit type (32bit or 64bit) information for the office product that is installed on the client.

I have lot of requests /posts in my To-DO list to blog about ,but due to time limitations ,i cannot bring all them.

So for this requirement to get 32bit and 64bit for MS office ,i found microsoft article to identify if the MS office is 32bit or 64bit. https://support.microsoft.com/en-us/help/928516/description-of-product-code-guids-in-2007-office-suites-and-programs and it is based on the product code.

This product is that we use to uninstall any software using msiexec /x {productID} /x

Below is the screenshot from the support article .

From the product code ,21st character from left (substring(productID,21,1) ) will tell you if it is 32bit or 64bit .

0 for x86

1 for x64

If you read support article ,there are lot of other information like release version (RTM,SP1,SP2 etc) ,release type (Volume,retail,trail) ,

This product ID is stored in different SQL views in CM database ,of which  we are going to utilize v_Add_Remove_Programs. For more information about SQL views in SCCM, please refer https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b

Following are the office editions are added into the report . If you have any other office editions which are not in below list ,please edit the report and append it.

'Microsoft Office Personal 2007'
'Microsoft Office Professional 2007'
'Microsoft Office Professional 2007 Trial'
'Microsoft Office Professional Hybrid 2007'
'Microsoft Office Professional Plus 2007'
'Microsoft Office Professional Plus 2007 (Beta)'
'Microsoft Office Standard 2007'
'Microsoft Office Standard 2007 Trial'
'Microsoft Office Ultimate 2007'
'Microsoft Office Enterprise 2007'
'Microsoft Office Ultimate 2007'
'Microsoft Office Ultimate 2007'
'Microsoft Office 2010'
'Microsoft Office Professional Plus 2010'
'Microsoft Office Standard 2010'
'Microsoft Office Professional 2010'
'Microsoft Office Home and Student 2010'
'Microsoft Office Home and Business 2010'
'Microsoft Office Professional Plus 2010 (Beta)'
'Microsoft Office Starter 2010 - English'
'Microsoft Office 2013'
'Microsoft Office Professional Plus 2013'
'Microsoft Office Standard 2013'
'Microsoft Office Professional 2013'
'Microsoft Office Home and Student 2013'
'Microsoft Office Home and Business 2013'
'Microsoft Office Professional Plus 2013 (Beta)'
'Microsoft Office Starter 2013 - English'
'Microsoft Office 2016'
'Microsoft Office Professional Plus 2016'
'Microsoft Office Standard 2016'
'Microsoft Office Professional 2016'
'Microsoft Office Home and Student 2016'
'Microsoft Office Home and Business 2016'
'Microsoft Office Professional Plus 2016 (Beta)'
'Microsoft Office Starter 2016 - English'

As usual ,download the SSRS reports (rdl) files from Technet gallery here ,upload to your reporting folder in SCCM reports,change the data source and run the report.

Output:

Linked report:

This report supports RBA (role based administration) functionality.

Note that, 2nd report (drilled report) cannot be run individually and to run that, you must run the 1st report which is count of office versions and drill to 2nd report.

SQL code and parameter values for dataset (RBA): The following information is for your information only and no input required from you to run this report.

DataSetAdminID:select dbo.fn_rbac_GetAdminIDsfromUserSIDs(@UserTokenSIDs) as UserSIDs

Parameter for UserTokenSIDs: General—>Parameter visibility—>Internal, default values—>specify values—>=SrsResources.UserIdentity.GetUserSIDs(User!UserID)
Parameter for UserSIDs:General—>Parameter visibility—>Internal, default values—>Get values from a query and choose DatasetAdminID

you can always edit the RDL files ,customize it.

Happy reporting!

Using compliance settings in Configmgr, you can do many tasks as part of compliance. In the last couple of blogs, we have utilized compliance settings to identify WU settings,automatic update,trusted publisher settings etc. http://eskonr.com/2017/10/configmgr-how-to-use-compliance-settings-to-check-the-windows-update-policy-settings-like-wuserver-usewuservernoautoupdate-on-clients/

In this blog post ,we will see how to use compliance settings to check for Windows update agent version if it is older or latest one as per https://support.microsoft.com/en-us/help/949104/how-to-update-the-windows-update-agent-to-the-latest-version.

The Windows Update Agent runs on each client computer and checks for availability of updates. If you are using configmgr ,when the software update scan cycle runs ,a scan request is passed to the Windows Update Agent (WUA). This WUA then connects to the WSUS server location that is listed in the local policy (this policy will be created at the time of configmgr client installation), retrieves the software updates metadata (update catalog) that has been synchronized on the WSUS server, and scans the client computer for the updates. To read further on software updates https://docs.microsoft.com/en-us/sccm/sum/understand/software-updates-introduction

Daniel (PotentEngineer) has document all the versions of windows update agent on http://www.potentengineer.com/windows-update-agent-build-numbers-for-windows-7/

There are lot  cases on windows update issue which happened due to old version of windows update hence you need focus on brining the windows update agent to latest supported version.

I will not go in-detail (step by step) about how to create configuration Item and Configuration baseline instead ,i will guide you through the settings that you need configure for Windows update agent.

Though the configurations used in the settings/creation of rule in compliance setting is very simple ,i would like to get it in this blog post along with SQL Query and WQL collection to identify how many clients in your organisation are running older .

1.Define Compliance setting for the applicable OS (Windows update agent varies from OS to OS)  .This blog post focus on windows 7.

Once you deploy the configuration baseline to collection ,clients will perform the CI evaluation and send the results to Configmgr which will help you to create collection from the baseline results and deploy latest windows update agent.

Compliance Item :

New setting:

New Rule:  Replace the windows update agent that you are looking for.

Note: The above WUA agent is only for windows 7 hence you need to configure the OS while creation of CI or deploy this to only windows 7 collection.

If you want to create the rule for multiple OS to check WUA version ,you can try something like below (it is untested at the time of writing the blog post).

Make sure you add the latest version of windows update agent into the one of list.

2.WQL Query for collection:

Ronni has nice post on this ,please follow it https://www.ronnipedersen.com/2015/06/04/updating-the-windows-update-agent-on-windows-7-clients/

3.SQL Query:

Windows update agent version stored in v_GS_WINDOWSUPDATEAGENTVERSION  SQL view.

We will use this SQL view to find count of versions.

select a.version0 as 'WUA Version', count(*) as 'Total'
from v_GS_WINDOWSUPDATEAGENTVERSION as a
group by a.version0
order by 2 desc

More information http://eskonr.com/2010/02/sccm-collection-for-windows-update-agent/ 

Using this ,you can create nice SSRS report .you can also create drilldown report to find what are the machines that are running lower versions with computer name ,user name etc.

List of SCCM Configmgr SQL views documentation is available on TechNet https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b

I had request to disable the setting ‘Allow the computer to turn off this device to save power’ in power management settings on network adaptor.

From the screenshot above,there are 3 settings that will help for wake on Lan .All these settings information stored in client WMI. we want to uncheck the first option (Allow the computer to turn off this device to save power’ ) by leaving the rest of the 2 controls as it is.

In this blog post ,we will see how to change the power management settings on client using configuration manager compliance settings.

Before i go into compliance settings, i will provide you the WMI class and instance that store the information about power management settings ,so we can make use of these options in compliance settings

1. Allow the computer to turn off this device to save power , wmi class: root\wmi , instance:MSPower_DeviceEnable , property:Enable
2. Allow this device to wake the computer ,wmi class:root\wmi  , instance: MSPower_DeviceWakeEnable , property:Enable
3.Only allow a magic packet to wake the computer ,wmi class:root\wmi  , instance: MSNdis_DeviceWakeOnMagicPacketOnly, property:Enable

After you have the information about wmi ,it is easy to create configuration item and configuration baseline.

Create configuration item with name: Disable ‘Allow the computer to turn off this device to save power’ ,leave the default settings ,click next,choose the operating system that you want to deploy this setting

Under settings, create new with following information:

Name:MSPower_DeviceEnable ,Setting Tpe: WQL Query ,Data Type: Boolean , wmi class: root\wmi , instance:MSPower_DeviceEnable , property:Enable ,WQL Query: InstanceName like 'PCI%'

For other 2 settings ,all you  need is ,change the class with information given above in point 2 and 3.

Click on Compliance Rule ,click New ,follow the below settings.

For other 2 settings point 2 and 3 ,you can either set to True or False as per your needs.

Click ok

We now created configuration item and ready to create configuration baseline and deploy to Device Collection.

When you deploy the configuration baseline, make sure you choose the following setting to remediate (Allow remediation outside maintenance window is upto you ,you can either for maintenance window or ignore the window and remediate the setting)

End user results:

Hope it helps!

Microsoft released December month ConfigMgr Technical Preview version (1712). It has been while since I look at my SCCM Tech preview lab. So I had chance to look at the new features that are released with this preview version and play around it in my lab.

Following are the new features released with this preview version (This is only for lab purpose,not for production release).

Do not automatically upgrade superseded applications

Install multiple applications in Software Center

Client-based PXE responder service

Change in the Configuration Manager client install

Change to the Surface device dashboard

Improvements to Office 365 Client Management dashboard

Improvements to the Configuration Manager console

Improvements to operating system deployment

Windows 10 Feedback Hub app integration

More information about these features and documentation,please refer https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1712 

As usual ,I open the console ,go to administration node, from updates and servicing ,click on check for updates .After a while (make sure you have internet connection for this to work) ,I saw Configuration manager technical preview 1712 but the state stuck at downloading for longer period . I looked at the internet connection if there is any outage ,internet connection looks good.Since my configmgr lab is running on virtual environment ,there is no AV (antivirus product running ). I went ahead to look at the log file that track the information about download of updates dmpdownloader.log . As you can see in the below snippet ,it throw different error codes.

Error in verifying the trust of file 'F:\ConfigMgr\EasySetupPayload\51d629d3-c355-4b80-ad6f-ba44b27f84ed.cab'.

after few lines later ,I can see the following error code.

Error in verifying the trust of file 'F:\ConfigMgr\EasySetupPayload\51d629d3-c355-4b80-ad6f-ba44b27f84ed.cab'.

WARNING: Failed to call IsFileTrusted

I tried the solution given in the TechNet article when  the update stuck with a state of Downloading in the Updates and Servicing node https://docs.microsoft.com/en-us/sccm/core/servers/deploy/install/release-notes but it doesn’t help for me ( I changed the registry key value ,stop the SMS_DMP_downloader component and start).

If you look at the folder F:\ConfigMgr\EasySetupPayload as per the log ,you will see cab file with hash ID:51d629d3-c355-4b80-ad6f-ba44b27f84ed and size is 0 bytes.

Usually this cab file should be of size around 600MB+ as this is set of installation files that will be used to update the configmgr to new version.

So I search in the log file using hash ID:51d629d3-c355-4b80-ad6f-ba44b27f84ed  ,I got URL http://download.microsoft.com/download/6/6/B/66B981F8-5740-4072-9B74-767541EA9915/51D629D3-C355-4B80-AD6F-BA44B27F84ED.cab

After I download the file manually ,put it in folder F:\ConfigMgr\EasySetupPayload  . Once you are done with it , open the configuration manager service manager ,stop SMS_DMP_DOWNLOADER ,start the component.

Monitor the log file dmpdownloader.log ,you will see the extraction of the cab file will be happening and after a while ,the cab file will disappear from F:\ConfigMgr\EasySetupPayload  folder.

If you did not notice any errors in the log file, you are good to install the update from console .Go back to your console and install the update ,monitor the status using cmupdate.log and ConfigMgrSetup.log.

At the end ,you will see the following screen to upgrade the existing console to new version.

Hope it helps!

Deploying Onedrive for Business is straight forward .The command line switches are very simple :"OneDriveSetup.exe" /silent ,but when you create application in Configmgr, there are couple of things that you need to focus on like detection method and install behaviour.

If you search online ,how to deploy onedrive for business using Configmgr, you will get various post however the following method is what i have been using and it works fine . I would like to share the solution in simple steps.

Create application that you do normally but use use the following information to fill detection method ,User experience and install command line .

Install command line:"OneDriveSetup.exe" /silent

Detection method : The version that i deployed to users (user based collection) is 17.3.7076.1026 hence my detection method will look for 17.3.7076.1026. (There is already latest version available yet to deploy )

Onedrive for Business will store the installation files in user profile (C:\Users\eswar.koneti\AppData\Local\Microsoft\OneDrive)

Registry key from user profile for uninstall:

Setting Type: Registry

Hive: HKCU

Key:Software\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe

Value:DisplayVersion

Date Type: String

User Experience:

Requirements:

Choose the OS that you want to install the application . Since this is user based deployment ,would recommended to limit this to workstation OS (windows 7,windows 8 and windows 10 but not to server operating system unless there is need to use onedrive on server OS)

On windows 7, there is no onedrive by default hence you need to install but on windows 10 ,there is onedrive comes with OS however you need to check if the installed onedrive is latest version or not ,if not ,then you can above method to install the latest version.

By installing the latest version (using above method) will remove the old version from user profile and install new version.

Before you use this solution on mass deployment ,deploy this to pilot users (few) and see how this works.

Deploy the application to user collection and you are good.

If you have any issues with this ,post via comment section.

I was looking at the console other day and found that, there were many collections created in the root folder (device collection) with 0 count. So i looked at the collection properties ,i found empty there  (No direct or query based rule).

So i decided to write SQL query to identify the list of collections that have empty results with no query rules (Direct or query based) defined in it.

For this query ,i have used 2 SQL views (v_Collection and v_CollectionRuleQuery ) .

For full list of SQL views that exist in SCCM Configmgr ,please refer https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b .

Following is the SQL Code to identify empty collections with no query rule defined ,You can delete these collections to simplify the list of collections displayed when deploying objects as part of maintenance tasks ,unless there is a reason to be in the console.

You can use the following code to create SSRS report as well.

select coll.CollectionID,coll.Name,
case when coll.CollectionType='1' then 'User' else 'Device' end as 'Collection Type'
from v_Collection coll
where coll.collectionid not in (select CRQ.collectionid from v_CollectionRuleQuery CRQ)
and coll.MemberCount=0
group by coll.CollectionID,coll.Name,coll.CollectionType

Configuration manager Technical preview 1708 has ability to identify Applications without deployments and Empty collections as part of Management insights.  More information ,please read https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1708#management-insights

Hope it helps!

Introduction:

Boundaries for SCCM define network locations on your intranet that can contain devices that you want to manage. Boundary groups are logical groups of boundaries that you configure. For more information click here

Few days ago ,Jason Sandy’s has blogged about boundary group caching and missing boundaries ,more details ,read through https://home.configmgrftw.com/boundary-group-caching-and-missing-boundaries-in-configmgr .

This is one of the highly needed solution that everyone must implement in their environment to evaluate what is their accuracy of the boundaries /boundary groups defined. Boundaries play major role for site assignment and content download. If you do not define the boundaries correctly,client will not function as expected hence it take up lot of your time to troubleshoot and identify it is because of missing boundaries and it is recurring issue.

Jason has covered most of the part about missing boundaries,Boundary group caching ,wmi location and basic SQL query . In this blog post, i am going to show you how to get list of the clients devices that are missing in the boundaries/boundary groups using SSRS Report and troubleshoot these devices. Sometimes You may see something like ‘waiting for content download forever’ in software center and this is because of boundaries/boundary group are missing .

This blog post will help you to identify such client devices with its basic  inventory information like OS,hardware inventory ,software update scan,IP address, last reboot etc.

You can also use other methods to achieve this solution using Compliance Item/baseline but HINV method will give you more information and better reporting .

How to create report/upload report ?

Before you download the report ,please make the necessary changes as per the guideline from Jason Sandy's post.

Following are quick points to implement the changes:

1.Open SCCM console ,go to client settings, edit default client settings ,hardware inventory ,set classes,add,choose the wmi namespace and add ,once the boundary group cache added ,uncheck it from default settings and click ok. For more information ,how to add custom inventory ,you can refer guide here

2.Go to your custom client agent settings (if you have ,else you can make these changes in default client settings)

,hardware inventory ,set classes ,choose the class name that we added in default client agent settings.

3.Monitor dataldr.log to see if these changes are processing and view are created in SQL database (v_GS_BOUNDARYGROUPCACHE).

Once you are done with above steps ,download the SSRS report from Technet Gallary ,upload to your SCCM reports ,change the data source and run it.

Report will display the following information. This report is created with filter Client0='1' .I do not want to display the client information that do not have SCCM client .

Note: As of CB 1610, all clients that do not fall within the scope of a defined boundary group will be associated with the Default Boundary Group. This is not reflected in the BoundaryGroupCache class. Essentially, if the instance of the BoundaryGroupCache class contains no BoundaryGroupIDs, then the client is considered within the scope of the Default Boundary Group.

How to troubleshoot these missing boundaries that are displayed in report:

1. From the report, we see that ,it has one device with its IP address . So we can go back to SCCM console ,look at under boundaries if the this IP address is part of the specified boundaries or not (it is ALWAYS recommended go with IP address range while defining the boundaries unless you have any specific reason not to use it) .

2.Make sure the client device has sent the inventory report successfully after you have made changes in the HINV and they are deployed to collection.

3.If the IP address is defined in boundaries ,check for boundary group ,if it is not ,add to boundary group with site system role .

4.If the IP address is part of boundaries and boundary group .what else can cause the client device appear in this report ?

5. If boundaries and boundary groups are added correctly ,MP must have returned the list of the distribution points that are configured in boundary groups for client to pick for content download.

6.If all above points looks ok ,would suggest to take a look at the client device logs (clientlocation.log ,locationservices.log and ContentTransferManager.log that will help you to identify the DP details.

Happy troubleshooting!

After the release of Configmgr Current branch version 1710 ,one of the primary issue was that ‘clients are not upgraded on systems that are running Windows Server 2008 SP2’ ,installation terminates with error code

‘Faulting application ccmsetup.exe, version 5.0.8577.1000, time stamp 0x5a03cc4c, faulting module KERNEL32.dll!K32EnumProcessModules’

So Microsoft released hotfix rollup update for Configmgr 1710 that resolves above issue along with many other issues listed in the support document https://support.microsoft.com/help/4057517.

This update is available for installation in the Updates and Servicing node of the Configuration Manager console. It also applies to customers that are running Configuration Manager version 1710, first wave.

To install ,right click on the update and choose install update pack,next ,choose  pre-production collection to validate the client package (on collection) before updating the production client package ,accept the terms and conditions

Click next

Go to monitoring node ,updates and servicing status ,click on hotfix rollup ,click show status

you can also monitor the status using the log file ConfigMgrSetup.log located in the root of windows drive (C:\)

Once the installation is finished, you will be promoted to install new console version

Site Version:5.0.8577.1000

Console Version:5.0.8577.1108

Client Version:5.0.8577.1108

Once the installation is done on the primary site, you must manually update the secondary sites (if you have any). To update a secondary site, click Administration, click Site Configuration, click Sites, click Recover Secondary Site, and then select the secondary site. The primary site then reinstalls that secondary site by using the updated files. Configurations and settings for the secondary site are not affected by this reinstallation.

To know if all the secondary sites are in sync with primary site update ,you can run the following SQL code on primary site .

select dbo.fnGetSecondarySiteCMUpdateStatus ('SS1')

SS1: Site of secondary site.

• If a value of 1 is returned, the site is up-to-date and has all the hotfixes applied to its parent primary site.
• If a value of 0 is returned, the site has not installed all the fixes that were applied to the primary site, and you should use the Recover Secondary Site option to update the secondary site.

References:

https://support.microsoft.com/en-us/help/4057517/update-rollup-for-system-center-configuration-manager-current-branch-v

Microsoft released first ConfigMgr Technical preview version for this year 2018 with some exciting features.

To use the technical preview, you must first install a baseline version of the technical preview build i.e Technical Preview 1711. After installing a baseline version, you then use in-console updates to bring your installation up-to-date with the most recent preview version. Typically, new versions of the Technical Preview are available each month.

If you plan to build new lab ,download the preview baseline version 1711 is available from the TechNet Evaluation Center.

The following are new features you can try out with this version:

1.Phased deployments
2.Co-management reporting
3.Improvements to automatic deployment rule evaluation schedule
4.Reassign distribution point
5.Improvements to hardware inventory
6.Improvements to client settings for Software Center
7.New settings for Windows Defender Application Guard
8.Improvements to Run Scripts

To know more about these features ,Please read through https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1801

To see the updates ,open the console ,click check for updates ,follow the log dmpdownloader.log

You can monitor the configmgrsetup.log and also from monitor status.

With this new features ,there are couple of new SQL tables/Views created that help us to some nice SSRS reports .

vSMS_PhasedDeployment

SMS_ScriptsExecutionSummary

Happy exploring new features.

Yammer  is enterprise social networking service used for private communication within organizations. Access to a Yammer network is determined by a user's Internet domain so that only individuals with approved email addresses may join their respective networks.

Yammer can be used to discuss ideas, share updates, and crowd source answers from co-workers around the globe. Yammer gives you a faster, smarter way to connect and collaborate across your company.

If your organisation moved to O365 ,you will hit requirement to deploy O365 applications like Microsoft Teams,Onedrive,Yammer ,AIP etc. All of these applications (except AIP) are user specific and they will be installed in user profile (%AppData%) instead of %programfiles%

Deploying applications to computers would be straight forward but for applications that are user specific and installation does in %appdata% ,there will be little challenges for application detection method .

Application detection is one of the main criteria to identify if the application is installed correctly or not ,also it helps to reinstall the app if the app is removed on user machine (this happens with application deployment evaluation cycle ).

As i mentioned in my previous blog deploying Microsoft Onedrive using Configmgr , we will be similar method with detection rule for Yammer also.

Before we start of with this ,Download Yammer client (MSI) file from https://support.office.com/en-us/article/yammer-for-windows-and-mac-50920c05-cbfc-4f11-8503-e20fb2e623a5 .

Once the MSI file downloaded ,extract the file using 7zip or WinRAR to get the actual installer used to deploy to users. You will see something like below.

Copy the file to your SCCM source files ,start creating Application as you do for other EXE applications.

For Deployment Type ,choose script Installer

Installation Program:"yammerdesktop.exe" /s

Uninstallation Program:"%LocalAppData%\yammerdesktop\Update.exe" --uninstall -s

Detection Rule:

Key: Software\Microsoft\Windows\CurrentVersion\Uninstall\yammerdesktop

Value:DisplayVersion

change the version value (1.3.1) name as per the application you are installing.

User Experience:

Requirements: Windows 7,windows 10 (based on where you need this to be installed).

Deploy the application to user collection .So when the user receive policy (user policy evaluation cycle) ,application will get install and shortcut icon will be created on users desktop.

Following is the registry location that application get installed.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\yammerdesktop

Hope it helps!