Channel: configmgr – All about Microsoft Endpoint Manager

Using SCCM how to check if the user mailbox is migrated to exchange online (cloud) from on-prem exchange


Introduction:

We are in the process of migrating user mailboxes from on-prem Exchange to Office 365 (cloud). As part of this project, one of the requirements is to deploy the Office 365 ProPlus (Click-to-Run) application to all users, replacing the old version of Microsoft Office. We use the PowerShell App Deployment Toolkit, which simplifies the complex scripting challenges of deploying applications in the enterprise, provides a consistent deployment experience and improves installation success rates.

Once users have Office 365 ProPlus and the other Office 365 components (Microsoft Teams, Yammer, OneDrive and so on), the final task is to migrate the user's mailbox to the cloud. The mailbox migration can happen first, in the middle or last; there is no fixed sequence, because it is an independent task.

Deployment of Office ProPlus and the other components is done by SCCM, so we can create dashboards and reports to monitor the progress of the deployments, but we are missing the mailbox migration status, because that migration happens from the on-prem Exchange server to Exchange Online (EOL) outside SCCM.

How do we get the status of the mailbox migration from on-prem to Exchange Online using SCCM?

I am not an Exchange guy, hence I may not be able to provide much information about the theory behind this. If you have any questions around Exchange Online or mailbox migration, you can reach out to the TechNet forums or contact Microsoft support.

When a mailbox is moved (synced and cut over) from on-prem to Exchange Online, a couple of attributes are set in Active Directory. Some of them are listed below.

msExchVersion
msExchRecipientDisplayType
msExchRecipientTypeDetails
msExchRemoteRecipientType
targetAddress

By default, while the user mailbox is on-prem, the targetAddress attribute is empty (it does not contain any value). Once the user mailbox is moved to the cloud, this attribute is set to username@yourtenantname.mail.onmicrosoft.com.

For example, the user's email address is Demo1@eskor.com, and after the migration targetAddress is set to Demo1@koneti.mail.onmicrosoft.com (where koneti is my tenant name).

Once this attribute is stamped with the cloud address, we can use SCCM to discover it with Active Directory User Discovery and put that information into an SSRS report.

A quick way to view an object's Active Directory targetAddress attribute is through Active Directory Users and Computers. In AD Users and Computers, ensure that Advanced Features has been enabled under the View menu.


Go to the OU, locate the object you are looking for, right-click the user, choose Properties, open the Attribute Editor tab and locate targetAddress.


How do we discover this attribute in SCCM?

In the SCCM console, go to Administration, Hierarchy Configuration, Discovery Methods and choose Active Directory User Discovery.

From the available attributes, choose targetAddress, click Add, then click OK.


Once this is done, wait for the user discovery to run (delta discovery), or force a discovery cycle by right-clicking the discovery method.


After the discovery runs, you will have a targetAddress0 column in the v_R_User SQL view on which to build SSRS reports.

A couple of SQL views that I used to create an SSRS report with Office 365 ProPlus installation status, user mail, user name, cloud (mailbox) information and user group are listed below.

v_r_user

v_GS_OFFICE365PROPLUSCONFIGURATIONS

v_RA_User_UserGroupName

v_R_System
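As an added example (not code from the original post), the following PowerShell script joins the views listed above to produce the rows behind such a report and classifies each user's mailbox from targetAddress0. It assumes the SqlServer module (Invoke-Sqlcmd) is installed, that the server and database names are placeholders, and that users are matched to their devices through v_R_System.User_Name0 (the last logged-on user).

```powershell
# Added example: mailbox location per user from the ConfigMgr site database.
# targetAddress0 exists in v_R_User only after targetAddress was added to AD User Discovery.

function Get-MailboxLocation {
    # Classifies a targetAddress value as the post describes: empty while the mailbox is
    # still on-prem, user@tenant.mail.onmicrosoft.com after migration. The 'SMTP:' prefix
    # that AD often stores in front of the address is tolerated.
    param([string] $TargetAddress)
    if ([string]::IsNullOrEmpty($TargetAddress) -or $TargetAddress.Trim() -eq '') { return 'On-prem' }
    $address = $TargetAddress -replace '^smtp:', ''
    if ($address -like '*.mail.onmicrosoft.com') { return 'Exchange Online' }
    return 'Other'   # a forwarding address that is not the Exchange Online routing domain
}

# One row per user, device and group; a user in several groups appears once per group.
# Matching user to device via the last logged-on user is an assumption, not the only option.
$Query = @'
SELECT u.User_Name0       AS UserName,
       u.Full_User_Name0  AS FullName,
       u.Mail0            AS Mail,
       u.targetAddress0   AS TargetAddress,
       s.Name0            AS Device,
       o.VersionToReport0 AS ProPlusVersion,
       g.User_Group_Name0 AS UserGroup
FROM   v_R_User u
LEFT JOIN v_R_System s
       ON s.User_Name0 = u.Unique_User_Name0
LEFT JOIN v_GS_OFFICE365PROPLUSCONFIGURATIONS o
       ON o.ResourceID = s.ResourceID
LEFT JOIN v_RA_User_UserGroupName g
       ON g.ResourceID = u.ResourceID
'@

function Get-MailboxMigrationReport {
    param(
        [string] $ServerInstance = 'SQLSERVER01\INSTANCE',   # placeholder: site database server
        [string] $Database       = 'CM_XXX'                  # placeholder: site database name
    )
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $Query |
        ForEach-Object {
            $_ | Add-Member -MemberType NoteProperty -Name MailboxLocation `
                            -Value (Get-MailboxLocation $_.TargetAddress) -PassThru
        }
}

# Quick summary of how far the migration has progressed
Get-MailboxMigrationReport | Group-Object MailboxLocation | Select-Object Name, Count
```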

And finally the SSRS report:


Hope it helps!


New version of System Center Updates Publisher (SCUP) is available to support windows 10 and server 2016


Microsoft released an updated version of System Center Updates Publisher (SCUP), version 6.0.278.0, which is now available and can be downloaded here.

System Center Updates Publisher (Updates Publisher) is a stand-alone tool that enables independent software vendors or line-of-business application developers to manage custom updates.

Using Updates Publisher, you can:

  • Import updates from external catalogs (non-Microsoft update catalogs).
  • Modify update definitions including applicability, and deployment metadata.
  • Export updates to external catalogs.
  • Publish updates to an update server.

This release of SCUP adds support for Windows 10 and Windows Server 2016 and includes the following improvements:

  • Indexing for quicker imports of previously imported catalogs – Catalog producers can now index their catalogs. This allows users to import large catalogs that contain few new updates more quickly.
  • Inclusion of signing certificates within update catalogs – Catalog producers can now include signing certificates with their update catalogs. This enables users to add the certificates to the Trusted Publishers list during import so that approval prompts will not block publish operations (review the certificate before accepting it, since anything signed with it is then trusted for publishing).

If you have installed SCUP Preview 1 or SCUP Preview 2, you must manually upgrade the installation to this version.

How to upgrade SCUP from the old version to the new version?

I have the following SCUP version in my lab (6.0.219.0), which I will migrate to the new version (6.0.278.0).

Current version:


How to migrate to new version:

Since SCUP is a stand-alone tool, it doesn't require any database backup; however, I would like to take a backup of the database file (scupdb.sdf) in case of any issues after the migration. For more information about this database file, refer to this article.


Close any existing SCUP console (it doesn't allow more than one connection to be open on the same machine for multiple users, as I noticed).

If you did not close the open SCUP console and proceed to install, you will see the screen below, which gives you the option to close it and continue the installation.


After the installation completes, you will see the following screen.


Now go to the Start menu, search for Updates Publisher and accept the license agreement.


It will take a few minutes to check the database availability and load the console for you.


Now you should see all the data and settings that existed in the previous version.

Go to About to check the SCUP version.


All these settings, like the SCUP database and the other settings under Options, are retained from the old version to the new version.

If you don't see the configuration settings and catalogs, you can load the database file that we backed up in the first step.

Hope this helps you upgrade SCUP from the old version to the new one, and happy patching.

References:

http://eskonr.com/2017/08/sccm-configmgr-how-to-make-scup-console-settings-available-for-all-users-and-make-the-database-as-shared/

https://cloudblogs.microsoft.com/enterprisemobility/2018/03/21/system-center-updates-publisher-adds-support-for-new-oses/

https://docs.microsoft.com/en-us/sccm/sum/tools/updates-publisher

SCCM Configmgr Current Branch 1802 is now available new features and product enhancements!


Microsoft released Configuration Manager Current Branch version 1802 as an in-console update. You can apply this update on sites that run version 1702, 1706 or 1710.

This build is also available as a baseline version, which means you can use this media to install new ConfigMgr sites.

With this version, there are almost 37 new capabilities and changes, which are listed below.

Reassign distribution point

Configure Windows Delivery Optimization to use Configuration Manager boundary groups

Support for Windows 10 ARM64 devices

Improved support for CNG certificates

Boundary group fallback for management points

Cloud distribution point site affinity

Management insights

Cloud management gateway support for Azure Resource Manager

Improvements to cloud management gateway

Configure hardware inventory to collect strings larger than 255 characters

Deprecation announcement for Linux and Unix client support

Surface device dashboard

Change in the Configuration Manager client install

Transition Endpoint Protection workload to Intune using co-management

Co-management dashboard in System Center Configuration Manager

Microsoft Edge browser policies

Allow user interaction when installing an application

Do not automatically upgrade superseded applications

Approve application requests for users per device

Run scripts improvements

Windows 10 in-place upgrade task sequence via cloud management gateway

Improvements to Windows 10 in-place upgrade task sequence

Improvements to operating system deployment

Deployment templates for task sequences

Phased deployments for task sequences

Install multiple applications in Software Center

Use Software Center to browse and install user-available applications on Azure AD-joined devices

Hide installed applications in Software Center

Hide unapproved applications in Software Center

Software Center shows user additional compliance information

Schedule automatic deployment rule evaluation to be offset from a base day.

Report for default browser counts

Report on Windows AutoPilot device information

Report on Windows 10 Servicing details for a specific collection

Improvements to Configuration Manager Policies for Windows Defender Exploit Guard

New host interaction settings for Windows Defender Application Guard

Improvements to the Configuration Manager console

How to get this update into your console to install?

Currently this update is available only via the fast ring, which means you need to run a PowerShell script to make this update available in your ConfigMgr console.

Download the PowerShell script from the TechNet gallery and run it: https://gallery.technet.microsoft.com/ConfigMgr-1802-Enable-4c8c0003

Once you have run the script, open the console, click on Updates and Servicing and wait for the update to show up.

If you do not see the update in the console, restart the SMS_Executive service and refresh the node.

Alternatively, you can follow the log dmpdownloader.log.


You can also use a SQL query to check the list of available updates in the Updates and Servicing node:

select * from vSMS_CM_UpdatePackages


The update will be downloaded to the EasySetupPayload folder, into a subfolder named with the GUID of the update.


The status in the console for update 1802 will change to Downloading.


After some time, the state will change to Ready to install.


Choose the update and click Install Update Pack, or (recommended) run the prerequisite check before installing the update pack.


Click Next to continue. Choose the new features that you are interested in. You can also enable these features after the update is installed.


Click Next, Next to reach the last page.


Once it is done, you can monitor the status.


I had a failure because of low disk space on the ConfigMgr drive (<15 GB), so once I extended it, I re-initiated the job.


It will take 30+ minutes to finish the job; once it is done, you will be prompted to install the new console.


Site version/console version:


How to install Azure Information Protection (AIP) Client using ConfigMgr


The Azure Information Protection (AIP) client for Windows helps you keep important documents and emails safe from people who shouldn't see them, even if your email is forwarded or your document is saved to another location. You can also use the client to open documents that other people have protected using the Rights Management protection technology from Azure Information Protection. Read more about the requirements for AIP at https://docs.microsoft.com/en-us/azure/information-protection/get-started/requirements

All you need is a computer that runs at least Windows 7 with Service Pack 1; then download and install the free AIP client from Microsoft.

Before you install the AIP client, there are a few prerequisite components that need to be installed on the computer before AIP can process policies for you.

In this blog post, we will see what prerequisites are required to deploy the AIP client, and their detection methods, on computers running Windows 7 SP1 and above.

Since the AIP client has 4 prerequisites, we will use a task sequence to deploy the AIP client instead of an application deployment with dependencies.

Prerequisites:

1. Microsoft .NET Framework 4.6.2: The AIP client requires a minimum of Microsoft .NET Framework 4.6.2; if this is missing, the installer tries to download and install this prerequisite. When this prerequisite is installed as part of the client installation, the computer must be restarted.

2. Windows PowerShell version 4.0: The PowerShell module for the client requires Windows PowerShell version 4.0, which might need to be installed on older operating systems. For more information, see How to Install Windows PowerShell 4.0. The installer does not check or install this prerequisite for you. To confirm the version of Windows PowerShell that you are running, type $PSVersionTable in a PowerShell session.

3. Visual C++ Redistributable for Visual Studio 2015 (32-bit version): For computers running Windows 7 Service Pack 1, install vc_redist.x86.exe from the following download page: Visual C++ Redistributable for Visual Studio 2015.

4.If you have Windows 7 SP1, the Azure Information Protection client requires a specific update, KB2533623. If your PC needs this update but it is not installed, installation completes but with a message that the Azure Information Protection client requires this update. Until this update is installed, you won't be able to use all features of the Azure Information Protection client.

In this post, I will not go step by step through the creation of all the prerequisite applications; instead, I will cover the important information such as the installation program, detection method and requirements.

Note: All these prerequisites require a reboot, including .NET and PowerShell. Without the reboot, no further components will install, so I leave the reboot to ConfigMgr based on the exit codes (3010 soft reboot, 1641 hard reboot).

1. Microsoft .NET Framework 4.6.2 or above:

Since a newer version, .NET Framework 4.7.1, is available, I will go with that version instead of 4.6.2 (the minimum version), but in the detection method I will look for .NET 4.6.2 and above. If 4.6.2 already exists, I will skip the installation of 4.7.1.

Installation program : "NDP471-KB4033342-x86-x64-AllOS-ENU" /q

Detection rule: Setting type: Registry, Hive: HKEY_LOCAL_MACHINE, Key: Software\Microsoft\NET Framework Setup\NDP\v4\Full, Value: Release, Data type: Integer, Operator: greater than or equal to 461310 (this is .NET 4.6.1 and above).

User experience: Install for system, whether or not a user is logged in, and determine the behaviour based on return codes.

Requirements: Free disk space: 5 GB; OS: Windows 7 and any other OS you have.

2. Windows PowerShell version 4.0: I am going to create both PowerShell 4.0 and PowerShell 5.0 applications, as some of the Windows 7 machines that have version 2.0 cannot be upgraded to 5 directly (at least I have seen some failures).

Installation Program: wusa.exe Windows6.1-KB2819745-x64-MultiPkg.msu /quiet

Detection method: PowerShell

# ConfigMgr treats any text on STDOUT with exit code 0 as "installed" and no output as "not installed".
# Windows PowerShell 4.0 reports Major = 4, so the comparison must be -ge, not -gt (which would never detect 4.0).
if ($PSVersionTable.PSVersion.Major -ge 4)
{
    Write-Host "Installed"
}
else
{
    # no output: the application is reported as not installed
}

Requirement: Windows 7 (Windows 10 ships with PowerShell 5.0, so there is no need to install it there).

Windows PowerShell version 5.1:

Installation Program: wusa.exe Win7AndW2K8R2-KB3191566-x64.msu /quiet

Detection method: PowerShell

# WMF 5.1 reports PSVersion 5.1; compare the full version so that 5.0 is not mistaken for 5.1.
# As with the 4.0 rule, -gt would never match the version being installed.
if ($PSVersionTable.PSVersion -ge [version]'5.1')
{
    Write-Host "Installed"
}
else
{
    # no output: the application is reported as not installed
}

Requirement: Windows 7 (Windows 10 ships with PowerShell 5.0, so there is no need to install it there).

3. Visual C++ Redistributable for Visual Studio 2015 (32-bit version):

Installation program: "vc_redist.x86.exe" /q

Requirement rule: Windows 7 and Windows 10.

Detection method: PowerShell. If the client already has VC++ 2015, the installation is skipped.

function Get-InstalledApps
{
    # Read the Uninstall keys; on 64-bit Windows the Wow6432Node view holds the 32-bit entries
    if ([IntPtr]::Size -eq 4) {
        $regpath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
    }
    else {
        $regpath = @(
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
            'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        )
    }
    Get-ItemProperty $regpath |
        Where-Object { $_.DisplayName -and $_.UninstallString } |
        Select-Object DisplayName, Publisher, InstallDate, DisplayVersion, UninstallString |
        Sort-Object DisplayName
}

# The installation program is the 32-bit package, so match the (x86) entry only;
# a bare "Redistributable*" pattern would also accept a machine that has only the x64 package.
if (Get-InstalledApps | Where-Object { $_.DisplayName -like "Microsoft Visual C++ 2015 Redistributable (x86)*" })
{
    Write-Host "Installed"
}
else
{
    # no output: the application is reported as not installed
}

4. Azure Information Protection client: Download the AIP client (AzInfoProtection.exe) from https://portal.azurerms.com/#/download (this link has both the viewer and the client).

Also download the KB update mentioned in the prerequisite document.

Installation program: Create a batch script with the following code. (After the update installation is done, it proceeds to install the AIP client, and no reboot is required.)

REM Install the KB update from the application's content folder; /norestart leaves any reboot to ConfigMgr
wusa.exe "%~dp0Windows6.1-KB2533623-x64.msu" /quiet /norestart

REM "sleep" is not a cmd.exe command; timeout is the built-in equivalent
timeout /t 10 /nobreak >nul

REM Install the Azure Information Protection client from the same content folder
"%~dp0AzInfoProtection.exe" AllowTelemetry=0 /quiet /norestart

Detection Method: Windows installer: {30F836D2-A60B-4899-A369-B0FCA2884EAF}

Requirements: Windows 7 and Windows 10.

If you are installing the AIP client on computers that run Office 2010 and your users are not local administrators on their computers, or you do not want them to be prompted, then you must supply ServiceLocation.

If the client was not installed with the ServiceLocation parameter, when you first open one of the Office applications that use the Azure Information Protection bar (for example, Word), you must confirm any prompts to update the registry for this first-time use. Service discovery is used to populate the registry keys.

Example: AzInfoProtection.exe /quiet /norestart ServiceLocation=https://a44b2fd2-6a02-4d36-86b4-0017a1cede50.rms.eu.aadrm.com

For how to get the service location, please refer to the document here.

With this, we have created 5 applications, and now we can use a task sequence to deploy these applications in the sequence given below.

1. Microsoft .NET Framework 4.6.2/4.7.1
2. Microsoft PowerShell 4.0
3. Microsoft PowerShell 5.1
4. Microsoft VC++ 2015
5. Microsoft AIP client
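The checks behind the detection methods above, collected into one read-only pre-flight script you can run on a test machine before deploying the task sequence (an added example, not from the post). It uses the post's own criteria: the .NET Release value threshold of 461310, PowerShell major version 4 or higher, the 32-bit VC++ 2015 package, and KB2533623 on Windows 7 only.

```powershell
# Added example: pre-flight check of the AIP client prerequisites listed in the post.
# Read-only: it changes nothing, it only reports what the ConfigMgr detection rules will see.

function Test-AipPrerequisite {
    # .NET: the Release value under NDP\v4\Full, compared with the post's threshold
    $netRelease = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
                                    -Name Release -ErrorAction SilentlyContinue).Release

    # VC++ 2015 (x86): Uninstall keys of both registry views; on a 32-bit OS the Wow6432Node
    # path does not exist and is silently skipped
    $uninstallKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                       'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*')
    $vcRedist = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
                Where-Object { $_.DisplayName -like 'Microsoft Visual C++ 2015 Redistributable (x86)*' }

    # KB2533623 is only a requirement on Windows 7 SP1 (NT 6.1)
    $os     = Get-WmiObject -Class Win32_OperatingSystem
    $isWin7 = $os.Version -like '6.1.*'
    $hotfix = $null
    if ($isWin7) { $hotfix = Get-HotFix -Id KB2533623 -ErrorAction SilentlyContinue }

    # New-Object rather than [pscustomobject] so the script also runs on PowerShell 2.0 clients
    New-Object PSObject -Property @{
        ComputerName      = $env:COMPUTERNAME
        OSVersion         = $os.Version
        DotNetRelease     = $netRelease
        DotNetOk          = ([int]$netRelease -ge 461310)
        PowerShellVersion = $PSVersionTable.PSVersion.ToString()
        PowerShellOk      = ($PSVersionTable.PSVersion.Major -ge 4)
        VcRedist2015x86Ok = ($null -ne $vcRedist)
        KB2533623Ok       = ((-not $isWin7) -or ($null -ne $hotfix))
    }
}

$result = Test-AipPrerequisite
$result | Format-List
if ($result.DotNetOk -and $result.PowerShellOk -and $result.VcRedist2015x86Ok -and $result.KB2533623Ok) {
    Write-Output 'All AIP client prerequisites are present'
}
else {
    Write-Output 'One or more prerequisites are missing; the task sequence will install them'
}
```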

Troubleshooting:

Deploy the task sequence to a collection (machine-based) and follow the logs smsts.log and AppEnforce.log.


References:

https://docs.microsoft.com/en-us/information-protection/rms-client/client-user-guide

https://docs.microsoft.com/en-us/information-protection/rms-client/install-client-app

https://docs.microsoft.com/en-us/azure/information-protection/rms-client/client-admin-guide-install

https://github.com/MicrosoftDocs/Azure-RMSDocs/blob/master/Azure-RMSDocs/rms-client/client-admin-guide-install.md

Configmgr troubleshooting clients with update scan issues for office 365 client updates


Introduction:

Office 365 ProPlus is one of the subscription service plans in the new Office. It is productivity software (including Word, PowerPoint, Excel, Outlook, OneNote, Publisher, Access, Skype for Business) that is installed on your desktop or laptop computer. Office 365 ProPlus is a user-based service that allows people to access Office experiences on up to 5 PCs or Macs and on their mobile devices. Traditional Office installations were tied to the computers they were installed on.

A few months ago, we started rolling out Office 365 ProPlus (cloud version) using ConfigMgr Current Branch. I created the application using the PowerShell App Deployment Toolkit in combination with the OffScrub scripts from Microsoft. Using these 2 scripts, you can fully automate the installation of Office 365 ProPlus by removing the old versions of Office (2007, 2010, 2013 and 2016 MSI-based) and installing the cloud version. I will write a blog post on how to use these 2 scripts to create an application that installs ProPlus, and what GPO settings you need to consider for ProPlus regarding performance issues, the patching mechanism and so on.

Problem:

Coming to this blog post: we have a mixed environment which includes laptops, desktops and VDI (virtual desktop infrastructure) machines. ProPlus was installed on all these machines using SCCM. Installation went smoothly and users started using Office for their day-to-day work.

All looks good from the user's point of view, but when it comes to managing this Office ProPlus with updates, you need to understand how it works and what settings are applied on the PC for ProPlus.

After ProPlus was installed on many computers, we started looking at the Office 365 updates section in SCCM (Software Library, Office 365 Client Management, Office 365 Updates) for patching, and found that some of the clients are reporting update status but the majority are reporting Unknown, as shown below.

By the way, we are going with the Semi-Annual Channel, as we do not want to update ProPlus every month; hence we look at Semi-Annual Channel updates only for deployment.


Solution:

After looking at the Unknown status with its large count, I started looking at the clients' chassis type, because we used the same package for ProPlus, one GPO with the ProPlus settings and one client agent setting for all of them, yet some work fine and the majority do not.

When I am using one configuration for all, why is there a difference in update scan status for Office 365 client updates?

Use the default report Home > ConfigMgr_Sitecode > Software Updates - A Compliance > Compliance 6 - Specific software update states (secondary) to identify the Unknown clients.

After reviewing the Unknown clients, I found that the majority of them are VDI, so there is something specific to the VDI machines.

I got one VDI assigned to my name so I could troubleshoot and find the root cause.

The following is the checklist performed on the VDI that has the issue:

1. Check if the SCCM client is working and healthy. How do you say it is healthy? Check in the SCCM console for its policy requests and its inventory.

2. Is the client receiving policies, and what is the software update status on this PC? Look at its last software update scan and also the last patching status. If this is working fine, then for sure something is wrong with how the Office 365 ProPlus application was installed or with the configuration applied on the VDIs.

3. Verified in SCCM that the client agent settings are configured correctly with 'Enable management of the Office 365 client agent' set to 'Yes' in the Software Updates section. This setting can also be enabled through GPO. This is one of the requirements, as the SCCM client checks that the Office COM interface is enabled; it acts as the communication channel between Office and ConfigMgr, so this functionality must be turned on. You can check the registry value officemgmtcom on the client PC (HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Office\16.0\common\officeupdate).

After all the above checks, I could not find anything wrong. Everything seemed to be good.

While troubleshooting this, I found a Microsoft article on troubleshooting Office 365 ProPlus patching: https://blogs.technet.microsoft.com/askpfeplat/2017/03/23/troubleshooting-office-365-proplus-patching-through-system-center-configuration-manager/

After reading the article, I found there is one setting I needed to verify that I mentioned in checklist item 3 above: verify whether the COM interface is registered or not. As we have enabled this through GPO and also through the SCCM client agent settings, the COM interface should be registered (officemgmtcom). So how do we verify whether the COM interface is registered?

You can do this by verifying the existence of the following registry key on the client. This registry key is the same for ProPlus on every PC.

[HKEY_CLASSES_ROOT\CLSID\{B7F1785F-D69B-46F1-92FC-D2DE9C994F13}\InProcServer32]

@="C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeC2RCom.dll"

On the problem client, I could not find this registry key ({B7F1785F-D69B-46F1-92FC-D2DE9C994F13}).


As per the TechNet blog, I suspected the AV (antivirus) on the client was blocking the COM interface, hence I involved the AV team, but nothing came out of that troubleshooting. I also tried disabling the AV on the client and then starting and stopping the Microsoft Office Click-to-Run Service.

The issue was not resolved even with AV disabled. What could be wrong?

We talked a few times about the COM interface needing to be registered for this process, hence I started looking at Component Services, which is where COM objects are registered as well.

From the Run command, type dcomcnfg to open the MMC. Browse to Component Services, Computers, My Computer.

This is what I saw, with a red down arrow, which means Component Services are disabled, hence the COM interface is unable to register. Why is this disabled? Is this through GPO? If so, why is it not disabled for laptops and desktops but only for VDI? This is an offline topic to be discussed internally with the respective teams who disabled it.


There is a service that is responsible for it, which is 'COM+ System Application'. Start the service (this must be done with admin rights).


After you start the service, close the Component Services MMC and reopen it.

Browse to COM+ Applications and see if there is any entry related to OfficeC2R.


How do we get the OfficeC2R COM object here?

As a simple fix, I restarted the Microsoft Office Click-to-Run Service (ClickToRunSvc) so that the COM object would be created, and with it the registry key, but that did not work.

So what I did is the following fix, which worked; I also created a simple batch script and applied it to all computers that did not have the registry key.

How to get the OfficeC2RCom object?

  1. Open Regedit and change the officemgmtcom value under HKLM\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate from 1 to 0


  2. Restart the Microsoft Office Click-to-Run Service


  3. Open Regedit and change the officemgmtcom value under HKLM\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate from 0 to 1

  4. Restart the Microsoft Office Click-to-Run Service again.

  5. Open dcomcnfg to check for the OfficeC2RCom object, then open Regedit and check the registry key [HKEY_CLASSES_ROOT\CLSID\{B7F1785F-D69B-46F1-92FC-D2DE9C994F13}\InProcServer32]

Registry check

COM object verification (OfficeC2RCom)

I did not find any reference (or I missed it) that says the COM+ System Application service must be running for ProPlus.

Conclusion to Restore OfficeC2RCom:

  1. Start the COM+ System Application service
  2. Open Regedit and change the officemgmtcom value under HKLM\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate from 1 to 0
  3. Restart the Microsoft Office Click-to-Run Service.
  4. Open Regedit and change the officemgmtcom value under HKLM\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate from 0 to 1
  5. Restart the Microsoft Office Click-to-Run Service again.
  6. Open dcomcnfg to check for OfficeC2RCom, then open Regedit and check the registry key [HKEY_CLASSES_ROOT\CLSID\{B7F1785F-D69B-46F1-92FC-D2DE9C994F13}\InProcServer32]
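The checks and the six-step fix above as one PowerShell script (an added example; the author's own batch script is not shown in the post). It assumes the service names COMSysApp (COM+ System Application) and ClickToRunSvc, the OfficeMgmtCOM value under the policy key from the post, and a 15-second pause after each Click-to-Run restart.

```powershell
# Added example: verify and restore the OfficeC2RCom registration following the post's steps.
# Run elevated: service changes and HKLM writes need admin rights.

$ClsidKey  = 'Registry::HKEY_CLASSES_ROOT\CLSID\{B7F1785F-D69B-46F1-92FC-D2DE9C994F13}\InProcServer32'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Office\16.0\Common\OfficeUpdate'

function Test-OfficeC2RCom {
    # Reports the three things the post ended up checking: the COM+ System Application
    # service, the OfficeMgmtCOM policy value and the OfficeC2RCom CLSID registration.
    $svc    = Get-WmiObject -Class Win32_Service -Filter "Name='COMSysApp'"
    $policy = Get-ItemProperty -Path $PolicyKey -Name OfficeMgmtCOM -ErrorAction SilentlyContinue
    $state = 'NotFound'; $startMode = 'NotFound'
    if ($svc) { $state = $svc.State; $startMode = $svc.StartMode }
    $mgmtCom = 'NotSet'
    if ($policy) { $mgmtCom = $policy.OfficeMgmtCOM }
    New-Object PSObject -Property @{
        ComPlusServiceState     = $state
        ComPlusServiceStartMode = $startMode       # 'Disabled' was the VDI finding in the post
        OfficeMgmtCOM           = $mgmtCom
        OfficeC2RComRegistered  = (Test-Path -Path $ClsidKey)
    }
}

function Repair-OfficeC2RCom {
    if (Test-Path -Path $ClsidKey) { return 'Already registered' }

    # Step 1: the COM+ System Application service was disabled on the VDIs. Manual is the
    # Windows default start type. If a GPO disables it, the policy itself must be fixed
    # (as the post says), otherwise the next policy refresh disables it again.
    Set-Service -Name COMSysApp -StartupType Manual
    Start-Service -Name COMSysApp

    # Steps 2-5: toggle OfficeMgmtCOM 1 -> 0 -> 1, restarting Click-to-Run after each change
    # so the service re-registers the COM object on the way back to 1.
    # The policy key is expected to exist already (it is written by GPO / client settings).
    foreach ($value in 0, 1) {
        Set-ItemProperty -Path $PolicyKey -Name OfficeMgmtCOM -Value $value -Type DWord
        Restart-Service -Name ClickToRunSvc -Force
        Start-Sleep -Seconds 15   # assumption: enough time for Click-to-Run to initialise
    }

    # Step 6: verify that the CLSID key is back
    if (Test-Path -Path $ClsidKey) { return 'Registered' }
    return 'Still missing'
}

Test-OfficeC2RCom
Repair-OfficeC2RCom
Test-OfficeC2RCom
```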

Though the root cause was simple (the service was disabled), getting the COM interface back took a lot of troubleshooting.

Hope it helps!

Configmgr SSRS failed to upload RDL with error code :definition of this report is not valid or supported by this version of reporting services


When you try to upload an RDL (Report Definition Language) file into your SSRS reports, you may hit the following error: "The definition of this report is not valid or supported by this version of Reporting Services. The report definition may have been created with a later version of Reporting Services, or contain content that is not well-formed or not valid based on Reporting Services schemas. Details: The report definition has an invalid target namespace 'http://schemas.microsoft.com/sqlserver/reporting/2016/01/reportdefinition' which cannot be upgraded. (rsInvalidReportDefinition) Get Online Help"

Why does this error occur?

If the RDL file was created with a version X of the reporting tool (in this case 2016) that is higher than the SQL Reporting Services version you have installed (<2016), then you will have this issue.

In my case, I am running SQL Server 2014 with Reporting Services installed on my SCCM server and trying to upload an SCCM report that was created on version 2016.


How do we make this report work on an older version of Reporting Services? You need to make 2 changes to the RDL file to get it working.

1. Open the RDL file using Notepad or another editor; you will find something like the below at the beginning of the file.


Change the version in the report definition namespace from 2016 to 2010.

2. Search for "ReportParametersLayout" in the file and remove the whole block (this element is generated by the 2016 version of the report designer).

As shown below, remove the whole block and save the report.


Now try to upload the RDL file into Reporting Services, change the data source and run the report.

Conclusion:

Change the schema version in the RDL file and remove the ReportParametersLayout block to get the report working.
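The same two edits done programmatically, as an added example (not from the post), which is handy when several 2016 reports have to be downgraded. The input and output paths are placeholders; the 2010 namespace value is the one the post's "2016 to 2010" change produces.

```powershell
# Added example: apply the post's two edits to an RDL file with the XML API instead of Notepad.

function Convert-RdlTo2010 {
    param(
        [Parameter(Mandatory=$true)] [string] $Path,
        [Parameter(Mandatory=$true)] [string] $Destination
    )
    $ns2016 = 'http://schemas.microsoft.com/sqlserver/reporting/2016/01/reportdefinition'
    $ns2010 = 'http://schemas.microsoft.com/sqlserver/reporting/2010/01/reportdefinition'

    # Edit 1: swap the target namespace. Only the quoted, exact namespace is replaced, so any
    # longer 2016 extension namespace (a different xmlns declaration) is left untouched.
    $text = [System.IO.File]::ReadAllText($Path)
    if (-not $text.Contains('"' + $ns2016 + '"')) {
        throw "'$Path' does not declare the 2016 report definition namespace; nothing to convert"
    }
    $text = $text.Replace('"' + $ns2016 + '"', '"' + $ns2010 + '"')

    # Edit 2: remove the ReportParametersLayout block, which the 2010 schema does not define.
    # After edit 1 the element lives in the 2010 namespace, so that is the prefix we query with.
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.LoadXml($text)
    $nsm = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $nsm.AddNamespace('r', $ns2010)
    $removed = 0
    foreach ($node in @($xml.SelectNodes('//r:ReportParametersLayout', $nsm))) {
        [void] $node.ParentNode.RemoveChild($node)
        $removed++
    }
    $xml.Save($Destination)

    New-Object PSObject -Property @{
        Destination     = $Destination
        TargetNamespace = $xml.DocumentElement.NamespaceURI   # should now be the 2010 namespace
        LayoutsRemoved  = $removed
    }
}

# Placeholder paths: point them at a 2016 RDL and the file to upload to the 2014 report server
Convert-RdlTo2010 -Path 'C:\Reports\Report2016.rdl' -Destination 'C:\Reports\Report2010.rdl'
```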

Microsoft MVP Award for 2018-2019 (2nd Time)


I am super excited and honoured to receive an email from Microsoft about my MVP award renewal for the year 2018-2019 in Enterprise Mobility. I received the following email from Microsoft on 1st July 2018.

This is my 2nd MVP award (the first was in 2017), and I am glad that I am still part of the great MVP community.

Dear Eswar Koneti,

We’re once again pleased to present you with the 2018-2019 Microsoft Most Valuable Professional (MVP) award in recognition of your exceptional technical community leadership. We appreciate your outstanding contributions in the following technical communities during the past year:

Enterprise Mobility
We are continuing to maintain MVP Award taxonomy to align with changes in technology. Following your award recognition, you may receive a notification regarding an update to your award category. Details will be shared with you very soon.


With this award, there is a lot more responsibility on me to keep it up and contribute more to the community in the Enterprise Mobility (#intune #SCCM #Configmgr) area.


I would like to thank my wife and my family for giving me the time for blogging and for being on forums sharing technical information.

Thanks to my followers on LinkedIn, Twitter and Facebook, and to my blog readers who keep asking new things and allow me to find solutions for them.

SCCM Configmgr Current Branch 1806 is now available


Microsoft just released SCCM ConfigMgr Current Branch 1806 as an in-console update for first-wave customers (opt-in), which means you can run a PowerShell script to get this update in your console.

This build can be applied to your ConfigMgr sites running 1706, 1710 and 1802.
This build is not available as standalone media (baseline), so for a new installation you download the latest baseline media, which is 1802, and then apply 1806 as an in-console update.

With build 1806 there are some exciting features and improvements. If you are already using SCCM ConfigMgr Technical Preview builds in your lab, you won't be surprised by the 1806 features, as most of them are already in the preview builds, plus there are some improvements over the previous Current Branch builds.

Of all the new and improved features, some quick interesting ones are:

1. cmtrace is now installed with the client: %windir%\ccm\cmtrace.exe
2. Configuration Manager tools are included in the smssetup\tools folder of the installation media (cd.latest)
3. Phased deployments of applications
4. Uninstall application on approval revocation
5. Maintenance windows in Software Center (you can now see the next maintenance window in Software Center)
6. Third-party software updates – you can now subscribe to partner catalogs in the SCCM console and publish to WSUS
7. Deploy software updates without content being downloaded
8. WSUS cleanup wizard declines updates that are expired as per the supersedence rules
9. New software update compliance report
10. Hardware inventory limit increased to 18,446,744,073,709,551,616 (2^64)
11. Hardware inventory default unit conversion is now back to MB, so change your custom reports if you have any for inventory data
12. Copy asset details from monitoring views
13. View the currently signed-on user for a device

For the complete list of features and improvements, read the Microsoft Docs article https://docs.microsoft.com/en-us/sccm/core/plan-design/changes/whats-new-in-version-1806

Installation :

If you are on 1706, 1710 or 1802 you will not see this update yet, because it is released only to first-wave customers: those who want to try it run the opt-in PowerShell script to make it appear in the console.

As the update is rolled out globally over the coming weeks it will be downloaded automatically, and you will be notified when it is ready to install from the Updates and Servicing node in the Configuration Manager console.

If you cannot wait to try the new features, the PowerShell script enrols you in the first wave of customers getting the update. After running it, the update shows up in your console right away.

Download the script and extract it. Open PowerShell as an administrator and run the script; it prompts for the SCCM site server name, so enter it.

Once the script has run successfully, go to Administration, Overview, Updates and Servicing, click Check for updates and refresh the node.

At this point, check dmpdownloader.log; you will see progress on the new update.

Back in the console, build 1806 now shows with the state Available to download.

Click the green download arrow, or right-click the update and choose Download.

A prompt appears about the download and tells you which log to check to verify the content download.

When I looked at the log for the status, it said: WARNING: Failed to download easy setup payload with exception: The remote name could not be resolved: 'download.microsoft.com'

I browsed to the URL that had failed and it opened fine, so I had to download the content again.

I went back to the console to retry the download, but the download option was greyed out.

So it looked like an intermittent internet connectivity issue. How do you get the download option back?

Open Configuration Manager Service Manager and restart the SMS_DMP_DOWNLOADER component (stop it, then start it).

Now go back to the log and monitor the status.

If you get an error such as WARNING: The F:\ConfigMgr\EasySetupPayload\5b823327-92d9-4908-a24c-8d8c6625f407.cab signature could not be verified, download the cab file manually and place it in the EasySetupPayload folder. A signature failure can also mean the file was corrupted or altered in transit (a proxy or inspection device handing back an error page is a common cause), so before using a manually downloaded cab check it with Get-AuthenticodeSignature and confirm that the signer is Microsoft; do not extract a cab whose signature still fails to validate.

Then extract the cab with 7-Zip or a similar tool into F:\ConfigMgr\EasySetupPayload\5b823327-92d9-4908-a24c-8d8c6625f407 (the folder is named after the cab's GUID) and restart the SMS_DMP_DOWNLOADER component.

Once the download is done, the console state changes to Ready to install.

Right-click the update and click Install Update Pack.

Click Next through the wizard (unless you need to select specific features included in the pack; you can also enable them later) and choose a pre-production collection for the client upgrade.

Monitor the installation from the Monitoring node or from cmupdate.log.

After a while, when you refresh the console, you are told there is a new console version to upgrade to. Click OK to upgrade the console.

Open the console and check the site and client versions:

Site version: 5.0.8692.1000

client version:5.0.8692.1003

In the next blog post I will cover some of the new features released in this build.

See you in the next blog post!


SCCM Collection for active inactive computers using Last Logon timestamp and troubleshooting


Introduction:

In this blog post I discuss some of the troubleshooting methods I used to identify the active and inactive computers on the network (where active is not based on the SCCM agent).

Last week I was working on an Office 365 ProPlus deployment and training for a customer in Vietnam. As part of this, one activity was to find the actual number of computers that have talked to a domain controller in the last X days.

Looking at SCCM, there were hundreds of computers without the SCCM agent. Before starting the deployment and the reports I needed the real number of computers on the network, because there were many stale objects in Active Directory and also in SCCM.

The issue discussed here may not apply to everyone; it can be reduced or avoided with good practices such as regular AD clean-up and by implementing a startup script or other methods for client installation.

Coming back to the issue: I was trying to identify the list of computers that were active or inactive on the network in the last 45 days, and to use that collection as the base for client health status, deployments and so on.

How do I identify the computers that are active or inactive on the network for the last 45 days, whether or not they have the SCCM agent? For this I use LastLogonTimeStamp.

If you have enabled Active Directory System Discovery, you already get the LastLogonTimeStamp of computers from Active Directory (the attribute is selected by default). Keep in mind that lastLogonTimestamp is replicated but is only updated when the existing value is older than msDS-LogonTimeSyncInterval (14 days by default), so it tells you whether a computer has logged on within roughly the last two weeks, not the exact last logon. To know more about LastLogonTimestamp, read the TechNet article.

So I created a collection using LastLogonTimeStamp. The following simple collection query identifies the computers that have not logged on to the domain in the last 45 days:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System
where DATEDIFF(dd,SMS_R_System.LastLogonTimestamp,GetDate()) > 45

This gives the list of all computers that have not authenticated to AD in the last 45 days. Before taking any action, I needed to validate whether these numbers were correct.

Looking at the computers in the collection, I found that some of them actually had the agent installed, with a last policy request date of today.

What went wrong with this collection? Why did it pick up computers that have the agent installed and are active?

The LastLogonTimeStamp for those computers in SCCM showed a very old date, so I went back to Active Directory to compare. The date shown in SCCM and the date shown in Active Directory did not match.

In AD, LastLogonTimeStamp was a few days ago, but SCCM showed a date several months old. Why?

As you know, to successfully create a DDR for a computer with attributes such as computer name, OS, IP address and AD site, Active Directory System Discovery must be able to identify the computer account and then successfully resolve the computer name to an IP address (DNS name resolution). If resolution fails, no DDR is created and the existing record in SCCM keeps its stale attribute values.

So I opened a command prompt and ran ping and nslookup against one of the computers in the collection that had the SCCM agent installed and active.

The computer could not be pinged and nslookup returned nothing.

From this I concluded that there is a name resolution problem, and fixing that must be the first action before trying anything else.

Use the following SQL query to get a count, per discovery method, of the resources that have not been discovered for more than 30 days.

Agent discovery information is stored in the SQL view v_AgentDiscoveries.

select distinct ad.AgentName [Discovery Method],
count(*) [Discovered Clients]
from v_R_System sys
inner join v_AgentDiscoveries AD on AD.ResourceId=sys.resourceid
and DATEDIFF(dd,AD.AgentTime,GetDate()) >30
group by ad.AgentName
order by ad.AgentName

Except for MP_ClientRegistration, the counts shown for the other discovery methods are the ones to look at for troubleshooting.

With SQL you can drill down further to identify the individual computers.

After all this troubleshooting, the Active Directory and DNS teams still have to resolve the name resolution issues.
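The validation above (compare what SCCM holds with what AD holds, then test name resolution) scripted for a whole collection, as an added example that is not part of the original post. It assumes the site server name, site code and collection ID shown at the top, a workstation with the ActiveDirectory (RSAT) and DnsClient modules, and rights to read the site's WMI namespace.

```powershell
# Added example (not from the original post): for each member of a collection,
# compare the LastLogonTimestamp that SCCM holds with the value in AD and test
# DNS name resolution, which AD System Discovery needs to refresh the DDR.
# Assumptions to adjust: site server, site code, collection ID.
$SiteServer   = 'cm01.eskonr.com'
$SiteCode     = 'P01'
$CollectionId = 'P0100123'
$Namespace    = "root\SMS\site_$SiteCode"

$members = Get-WmiObject -ComputerName $SiteServer -Namespace $Namespace `
    -Query "SELECT ResourceID, Name FROM SMS_FullCollectionMembership WHERE CollectionID='$CollectionId'"

$report = foreach ($m in $members) {
    $res = Get-WmiObject -ComputerName $SiteServer -Namespace $Namespace `
        -Query "SELECT Name, Client, LastLogonTimestamp FROM SMS_R_System WHERE ResourceID=$($m.ResourceID)"
    if (-not $res) { continue }

    # SMS_R_System stores a CIM datetime string; AD stores a FILETIME integer.
    $sccmLogon = if ($res.LastLogonTimestamp) {
        [System.Management.ManagementDateTimeConverter]::ToDateTime($res.LastLogonTimestamp)
    }
    $ad = Get-ADComputer -Identity $res.Name -Properties lastLogonTimestamp -ErrorAction SilentlyContinue
    $adLogon = if ($ad -and $ad.lastLogonTimestamp) { [DateTime]::FromFileTime($ad.lastLogonTimestamp) }

    $dns = Resolve-DnsName -Name $res.Name -Type A -ErrorAction SilentlyContinue

    # A record whose AD timestamp is more than a week ahead of SCCM's while the name
    # does not resolve is exactly the stale-DDR case described in this post.
    $stale = [bool]($adLogon -and $sccmLogon -and
                    (($adLogon - $sccmLogon).TotalDays -gt 7) -and (-not $dns))

    [pscustomobject]@{
        Name      = $res.Name
        HasClient = [bool]$res.Client
        SccmLogon = $sccmLogon
        AdLogon   = $adLogon
        Resolves  = [bool]$dns
        StaleDdr  = $stale
    }
}

$report | Sort-Object StaleDdr -Descending | Format-Table -AutoSize
$report | Where-Object StaleDdr | Export-Csv .\stale-ddr.csv -NoTypeInformation
```

The CSV of StaleDdr rows is the list to hand to the AD and DNS teams; the HasClient column separates computers that are genuinely gone from healthy clients that are only misreported because their DDR cannot be refreshed.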

I have seen customers who do not enable AD System Discovery at all and let client installation happen through GPO, startup script, software update point or OSD; this keeps the client information accurate rather than pumping all the stale objects from AD into SCCM.

Hope this guide helps with cleaning up computer accounts in SCCM based on LastLogonTimeStamp.

How to use Configmgr Baseline to check server role or feature installed


Problem:

If you use Qualys, Nessus or another tool to detect vulnerabilities on Windows machines, this post might help.

Recently our security team reported that a lot of servers were vulnerable because they were running an old version of Adobe Flash Player.

When I looked at one of the servers, I could not find Adobe Flash Player installed. If no application is installed, SCCM has no way to detect that Flash Player components are running an old version (we do third-party patching as well), and you cannot patch or update Flash manually, through patching or through software distribution.

So I asked the security team for the detection criteria being used to flag the Flash Player vulnerability.

The detection rule said that the file version of flash.ocx in C:\windows\System32\Macromed\Flash was too low.

So I looked at C:\windows\System32\Macromed\Flash and tried to delete the files, since there was no Flash Player installed (verified in Programs and Features). I could not delete the files directly from the folder to make the Qualys results match.

What I also found was a Flash Player applet in Control Panel, which seemed odd.

I tried downloading and installing the latest Adobe Flash version, but the installation did not go through (it says Server 2012 R2 does not need Flash Player).

Nothing worked so far, so I dug deeper to find what created this folder structure and the Control Panel applet. After some time I found that it comes from the Desktop Experience feature, which had been installed with the OS build image.

So I removed the Desktop Experience feature manually from Roles and Features and rebooted the server (a reboot is mandatory for this feature removal).

After the feature was removed, the Flash Player applet and the files in the Flash folder were gone.

Now, how do I get the list of servers that have the Desktop Experience feature installed, and how do I remove it through automation?

Solution:

I use an SCCM compliance baseline to identify the servers that have the Desktop Experience feature installed. Once the role is found, you can either remove it in a remediation script, or take the list of non-compliant servers and deploy a package that removes the role and reboots during the maintenance window.

In ConfigMgr the configuration item runs a simple script that checks for the Desktop Experience feature: if the feature is installed the result is Non-compliant (server is vulnerable); if it is not installed, Compliant (server is not vulnerable).

All you need is a script to check for the Desktop Experience feature; if you are looking for other roles and features, modify it to suit.

To see the available names, open PowerShell, import the ServerManager module and run the following cmdlet to list the Windows roles and features on the server:

Get-WindowsFeature

The output lists the server roles and features with their install state. If you are looking for a specific one, pick its value from the Name column (not the Display Name column) to check its installed status.

In this blog post I am not using a remediation script. With remediation, if the specific role or feature is found, a second script runs to fix it, for example by removing the role from the server.

How to create the configuration item and compliance baseline?

Follow my blog post on creating a configuration item, http://eskonr.com/2016/08/sccm-configmgr-how-to-clean-ccmcache-content-older-than-x-days-using-compliance-settings/ , but replace the discovery script with the PowerShell script below (no remediation script is needed):

Import-Module ServerManager
# Installed is a boolean, so test it directly; comparing it to the string
# "Installed" never matches and would report every server as compliant.
$DE = (Get-WindowsFeature -Name Desktop-Experience).Installed
If (-not $DE)
{
    Write-Output "True"    # feature absent: compliant
}
else
{
    Write-Output "False"   # feature present: non-compliant
}

Compliance Rule:

Set the rule so that the value returned by the script must equal True for the item to be compliant.

Create a configuration baseline and deploy it to the collection in which you want to find the servers with the Desktop Experience feature installed.

This only discovers the servers with the feature installed. Once you have the list of non-compliant servers, create a collection from them and a simple package with the following command line, then deploy it to that collection.

Removing the feature does not reboot the server immediately; the removal completes at the next restart, which happens anyway with the scheduled maintenance window reboot.

Powershell.exe -ExecutionPolicy Bypass -command Remove-WindowsFeature -Name Desktop-Experience
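A discovery script that goes a little beyond the one above, as an added example that is not part of the original post: it checks a list of feature names rather than one, and records the flash.ocx version that the scanner keyed on next to the result, so a non-compliant report carries its own evidence. The feature name and the Flash path come from this post; the log file location is an assumption.

```powershell
# Added example (not from the original post): multi-feature discovery script for
# a ConfigMgr configuration item. Output to stdout must be exactly True or False;
# everything else goes to a local log (path assumed).
Import-Module ServerManager

$UnwantedFeatures = @('Desktop-Experience')   # extend with other Name values from Get-WindowsFeature
$EvidenceFile     = "$env:windir\System32\Macromed\Flash\Flash.ocx"
$LogFile          = "$env:windir\Temp\UnwantedFeatures-CI.log"

function Get-UnwantedFeatureState {
    param([string[]]$Names)
    foreach ($name in $Names) {
        # An unknown name (for example on a client OS) returns nothing and counts as not installed.
        $f = Get-WindowsFeature -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name      = $name
            Installed = [bool]($f -and $f.Installed)
            State     = if ($f) { [string]$f.InstallState } else { 'NotFound' }
        }
    }
}

$states    = @(Get-UnwantedFeatureState -Names $UnwantedFeatures)
$installed = @($states | Where-Object Installed)

# Record what a vulnerability scanner keys on, so the CI result carries its own evidence.
$evidence = if (Test-Path $EvidenceFile) {
    'flash.ocx ' + (Get-Item $EvidenceFile).VersionInfo.FileVersion
} else { 'flash.ocx absent' }
"$(Get-Date -Format s) installed=[$($installed.Name -join ',')] $evidence" | Add-Content $LogFile

# Compliance settings evaluates only what the script writes to stdout.
if ($installed.Count -gt 0) { Write-Output 'False' } else { Write-Output 'True' }
```

The compliance rule stays the same (value equals True). When a server is reported non-compliant, the log line tells you which feature triggered it and whether the flash.ocx file the scanner complained about is still present after remediation.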

Hope it helps!

How to deploy SCCM Remote Control Bits (standalone) to clients without ConfigMgr Console being installed


Introduction/Problem:

We are in the process of completing an Office 365 project for all users, which brings Teams and other products as part of Office 365. We used Lync/Skype for Business as the collaboration tool before the Office 365 project, but everyone has since moved to Teams, so we can decommission the Lync servers and disable Lync for users.

Before sunsetting Lync/Skype for Business we need to look at the feature comparison. Although Teams cannot be compared with Skype on every feature, the one thing that is clearly not as good as Lync is desktop sharing. For support staff (desktop support, helpdesk), desktop sharing in Lync was the main way to troubleshoot remotely.

In Teams, to share your desktop or give control to a support person you need to be on an audio or video call and then give control, which is inconvenient for users. Until Microsoft improves this, we depend on SCCM remote control (if you have ConfigMgr in the infrastructure).

Many organisations use SCCM remote control primarily from the helpdesk or desktop team, but we decided to make the SCCM remote control tool available to every desktop support technician and other IT staff as a standalone tool, without the SCCM console.

 

Solution:

There are many blog posts on running SCCM remote control without installing the SCCM console, for example Jörgen Nilsson's post https://ccmexec.com/2012/05/running-configuration-manager-2012-remote-control-standalone/ and many others.

We take the files from the ConfigMgr installation folder (D:\Configmgr\AdminConsole\bin\i386: RdpCoreSccm.dll, CmRcViewer.exe and CmRcViewerRes.dll), copy them to C:\Program Files (x86) with a simple batch script, and put a shortcut in the Start Menu for all users.

Download the source files from here.

These files were taken from SCCM build 1802, but the viewer works whether or not the client version matches the remote control version. Give it a try; if you have issues, take the files from the SCCM server installed in your own infrastructure. Prefer your own site server's copy over binaries downloaded from a blog in any case, and verify the Authenticode signature of the three files before packaging them: you are about to deploy them to every support technician's machine.

Also note that distributing the viewer does not grant anyone access. Who can connect is controlled by the Permitted Viewers list in the client settings of the target device, and sessions are logged by the client (CmRcService.log) and reported to the site as status messages, which feed the built-in Remote Control reports.

Unzip the files and copy the folder to your SCCM source location folder.

The remote control folder contains the three binaries and the Start Menu shortcut.

Here is the simple batch script that copies the remote control files and creates the shortcut in the All Users Start Menu folder.

 

REM Copy the SCCM Remote Control bits to the local drive (%~dp0 is the folder this script runs from)
XCOPY "%~dp0SCCM Remote Control" "C:\Program Files (x86)\SCCM Remote Control" /s /i /y

REM Copy the SCCM Remote Control shortcut to the All Users Start Menu
XCOPY "%~dp0SCCM Remote Control\Remote Control.lnk" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs" /Y

You can now create an application with the following detection rule (a file version check also works):

Type: File

Path: %ProgramFiles(x86)%\SCCM Remote Control

File or folder name: CmRcViewer.exe
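A PowerShell version of the install and detection steps, as an added example that is not part of the original post. It keeps the file names and target folder from this post, refuses to install binaries that are not validly signed by Microsoft, builds the shortcut itself instead of shipping a .lnk, and exposes a detection function you can paste into the application's detection script. The signer check string is an assumption about the certificate subject.

```powershell
# Added example (not from the original post): signed-binary install of the
# standalone remote control viewer plus a matching detection function.
$Source    = Join-Path $PSScriptRoot 'SCCM Remote Control'
$Target    = "${env:ProgramFiles(x86)}\SCCM Remote Control"
$StartMenu = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs"
$Binaries  = 'CmRcViewer.exe', 'CmRcViewerRes.dll', 'RdpCoreSccm.dll'

function Test-ViewerSignature {
    param([string]$Folder)
    foreach ($name in $Binaries) {
        $path = Join-Path $Folder $name
        if (-not (Test-Path $path)) { return $false }
        $sig = Get-AuthenticodeSignature -FilePath $path
        # Valid chain and the expected signer; a re-signed or patched DLL fails either test.
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'CN=Microsoft Corporation') {
            Write-Verbose "$name : status $($sig.Status), signer $($sig.SignerCertificate.Subject)"
            return $false
        }
    }
    return $true
}

function Install-RemoteControlViewer {
    if (-not (Test-ViewerSignature -Folder $Source)) { throw 'Refusing to install unverified viewer binaries' }
    New-Item -ItemType Directory -Path $Target -Force | Out-Null
    foreach ($name in $Binaries) { Copy-Item (Join-Path $Source $name) -Destination $Target -Force }

    # Build the shortcut here so it always points at $Target on this machine.
    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut((Join-Path $StartMenu 'Remote Control.lnk'))
    $lnk.TargetPath       = Join-Path $Target 'CmRcViewer.exe'
    $lnk.WorkingDirectory = $Target
    $lnk.Save()
}

# Detection script body: ConfigMgr treats any stdout (with exit code 0) as "installed"
# and no output as "not installed", so only write something when the check passes.
function Test-RemoteControlViewer {
    if (Test-ViewerSignature -Folder $Target) { 'Installed' }
}

Install-RemoteControlViewer
Test-RemoteControlViewer
```

Using Test-ViewerSignature in detection as well as in install means a viewer that has been replaced or tampered with on the technician's machine shows up as not installed and gets redeployed, which a plain file-exists rule would never notice.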

User Experience: the script writes to Program Files (x86) and ProgramData, so the deployment type must run as system (Install for system) rather than as the user.

For the rest of the configuration go with the defaults, unless you have custom requirements such as an OS requirement.

Once the application is created, distribute it to your distribution points and deploy it to a device collection, then check the client results in Software Center and in the deployment status under Monitoring.

With this, every support technician can use SCCM remote control to troubleshoot issues. For remote control to work, the client must be healthy and active, the required firewall port (TCP 2701) must be open from the viewer to the client, and the technician must be in the client's Permitted Viewers list.

You can deploy this tool to Windows 7, Windows 10 and server OS, wherever users want to run remote control from.

Hope it helps !

Troubleshooting Client that has NO SCCM Agent in Console BUT still receive deployments


 

Introduction/Problem:

A colleague asked me why he was getting applications and updates on his computer that he had not requested. I checked SCCM for the computer name he gave me and found that the PC had no SCCM agent according to the console.

If the PC has no SCCM agent there is no way to receive deployments, so I asked him to check whether these deployments came through SCCM/ConfigMgr or some other method. He confirmed they came from SCCM: his PC had the SCCM agent, and the apps showed up in Software Center.

The console showed the PC with no SCCM agent installed.

Once it was confirmed that the PC had the agent and was receiving deployments, I decided to take this up and help troubleshoot.

Solution:

When the PC has a healthy SCCM agent, where should we look to fix this? Can we simply uninstall the client and reinstall it? Would that work?

I started troubleshooting on the client side by looking at the client logs.

1. Review ClientIDManagerStartup.log: it records the creation and maintenance of client GUIDs and the registration status of the client computer. This helps troubleshoot scenarios where the client changes its GUID after a hardware change or after Windows activation.

From this log I get the GUID of the computer and can check in SCCM which computer that GUID is assigned to.

You can also get the GUID from smscfg.ini in the C:\Windows folder.

Copy the GUID and go to SQL Server Management Studio to find out which computer holds it:

select name0,SMS_Unique_Identifier0
From v_R_System
where SMS_Unique_Identifier0='GUID:F43BD203-2466-4284-BF28-3A62860C958A'

Run the above query, replacing the GUID with the one from the log or from smscfg.ini.

The query showed this GUID assigned to a different computer.

All the deployments targeted at that other PC were actually landing on the problem computer. This is how a duplicate GUID or GUID mismatch leads to wrong deployments; the usual cause is an image captured with the client's SMSCFG.ini and certificates still in place, so every machine built from it starts with the same identity. You should always have operational collections that identify duplicate GUIDs, or a GUID assigned to multiple computers, to catch this early.

How do we fix it without reinstalling the client?

Here is a simple batch script that stops the SMS Agent Host service, deletes SMSCFG.INI and the client certificates, and starts the service again so that the client generates a new client GUID (the SMS unique identifier, not the computer's AD GUID):

@echo Off
net stop CcmExec
timeout /t 5 /nobreak >nul
Reg Delete HKLM\software\Microsoft\Systemcertificates\SMS\Certificates /f
DEL c:\Windows\SMSCFG.ini
timeout /t 5 /nobreak >nul
net start CcmExec

sleep is not a built-in cmd command, so timeout is used for the pauses. Open a command prompt as administrator and run the script or the command lines above.

After running it, monitor ClientIDManagerStartup.log.

After a while, the client shows up in the console with the SCCM client installed, and the false deployments disappear from Software Center at the next machine policy cycle and collection membership update.
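The diagnosis and the fix together in one script that can be run on the suspect client, as an added example that is not part of the original post: it reads the GUID from WMI and from SMSCFG.ini, asks the site server which resource currently owns that GUID, and only resets the client identity (the same steps as the batch file) when the name on record is a different computer and -Fix is given. The site server name and site code are assumptions.

```powershell
# Added example (not from the original post): detect a client whose GUID is
# owned by another resource at the site, and optionally reset its identity.
param(
    [string]$SiteServer = 'cm01.eskonr.com',   # assumed
    [string]$SiteCode   = 'P01',               # assumed
    [switch]$Fix
)

function Get-LocalClientId {
    # root\ccm:CCM_Client holds the live GUID; SMSCFG.ini is the on-disk copy the batch file deletes.
    $wmiId = (Get-WmiObject -Namespace root\ccm -Class CCM_Client).ClientId
    $iniId = Get-Content "$env:windir\SMSCFG.ini" -ErrorAction SilentlyContinue |
             ForEach-Object { if ($_ -match '^SMS Unique Identifier=(.+)$') { $Matches[1].Trim() } }
    [pscustomobject]@{ Wmi = $wmiId; Ini = $iniId }
}

function Get-SiteOwnerOfGuid {
    param([string]$Guid)
    Get-WmiObject -ComputerName $SiteServer -Namespace "root\SMS\site_$SiteCode" `
        -Query "SELECT Name, ResourceID, Client FROM SMS_R_System WHERE SMSUniqueIdentifier='$Guid'" |
        Select-Object Name, ResourceID, Client
}

function Reset-ClientIdentity {
    # Same steps as the batch file in this post.
    Stop-Service CcmExec -Force
    Remove-Item 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\SMS\Certificates' -Recurse -Force -ErrorAction SilentlyContinue
    Remove-Item "$env:windir\SMSCFG.ini" -Force -ErrorAction SilentlyContinue
    Start-Service CcmExec
}

$local = Get-LocalClientId
if ($local.Wmi -ne $local.Ini) { Write-Warning "WMI ($($local.Wmi)) and SMSCFG.ini ($($local.Ini)) disagree" }

$owner = Get-SiteOwnerOfGuid -Guid $local.Wmi
"Local GUID : $($local.Wmi)"
"Site record: $($owner.Name) (ResourceID $($owner.ResourceID))"

if ($owner -and $owner.Name -ne $env:COMPUTERNAME) {
    Write-Warning "GUID belongs to $($owner.Name); deployments for that device will land here"
    if ($Fix) { Reset-ClientIdentity; 'Identity reset; watch ClientIDManagerStartup.log for the new GUID' }
    else      { 'Re-run with -Fix to reset the client identity' }
} else {
    'GUID matches this computer; no action needed'
}
```

Run it first without -Fix to confirm the mismatch; the comparison against the site record is what keeps you from wiping the identity of a client that was fine all along.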


Until next time!

How to uninstall teams client using SCCM Configmgr


We had a request to uninstall Teams because it had been deployed to users who were not supposed to get it on their Windows devices. Microsoft Teams brings together the breadth and depth of Office 365 to provide a chat-based hub for teamwork, built on existing Microsoft technologies and woven together by Office 365 Groups.

In this post we will see how to uninstall the Teams client using ConfigMgr by creating an application or package and deploying it to users or computers.

We download the Teams client 32-bit or 64-bit MSI and deploy it to users or computers. When you deploy the Teams MSI, the client itself is installed into each user's AppData folder at logon.

We have two options to uninstall Teams: 1) a simple uninstall command line, 2) a PowerShell script.

Using the command line, we can create a package, or edit the Teams application's deployment type and add the uninstall program.

Uninstall program for Teams: "%LocalAppData%\Microsoft\Teams\Update.exe" --uninstall -s

This command line simply uninstalls the Teams client but does not clean up the folder.

The second method uninstalls the Teams client with a PowerShell script.

<#
.SYNOPSIS
This script allows you to uninstall the Microsoft Teams app and remove the Teams directory for a user.
.DESCRIPTION
Use this script to clear the installed Microsoft Teams application. Run this PowerShell script for each user profile in which the Teams app was installed on a machine. After the script has run for all user profiles, Teams can be redeployed.
#>

$TeamsPath = [System.IO.Path]::Combine($env:LOCALAPPDATA, 'Microsoft', 'Teams')
$TeamsUpdateExePath = [System.IO.Path]::Combine($env:LOCALAPPDATA, 'Microsoft', 'Teams', 'Update.exe')

try
{
    if (Test-Path -Path $TeamsUpdateExePath) {
        Write-Host "Uninstalling Teams process"

        # Uninstall the app and wait for the uninstaller to finish before touching the folder
        $proc = Start-Process -FilePath $TeamsUpdateExePath -ArgumentList "-uninstall -s" -PassThru
        $proc.WaitForExit()
    }
    if (Test-Path -Path $TeamsPath) {
        Write-Host "Deleting Teams directory"
        Remove-Item -Path $TeamsPath -Recurse -Force
    }
}
catch
{
    Write-Error -ErrorRecord $_
    # "exit /b 1" is cmd.exe syntax; in PowerShell a non-zero exit code is simply "exit 1"
    exit 1
}

Create a package or application with this PowerShell script and deploy it to a collection. Make sure the program runs with the user's rights and only when a user is logged on: since the Teams client lives in the user's AppData folder, the uninstall must run in the user's context.

Also be aware that the Teams MSI leaves the Teams Machine-Wide Installer in place, which installs Teams again for each user at the next logon, so uninstalling it, or setting the PreventInstallationFromMsi value documented in the MSI deployment guide below for the user, is needed to keep it from coming back.
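A per-user removal script that goes one step further than the one above, as an added example that is not part of the original post: it stops a running client before calling the uninstaller, removes the folder, and sets the PreventInstallationFromMsi value so the machine-wide installer does not put Teams back at the next logon. It is meant to run in the user's context from a package; the log file path and the exit-code convention are assumptions.

```powershell
# Added example (not from the original post): per-user Teams removal that also
# blocks reinstallation by the Teams Machine-Wide Installer. Run as the user.
$TeamsRoot  = Join-Path $env:LOCALAPPDATA 'Microsoft\Teams'
$Updater    = Join-Path $TeamsRoot 'Update.exe'
$PreventKey = 'HKCU:\Software\Microsoft\Office\Teams'
$Log        = Join-Path $env:TEMP 'teams-uninstall.log'   # assumed location

function Write-Log([string]$msg) { "$(Get-Date -Format s) $msg" | Tee-Object -FilePath $Log -Append }

function Uninstall-TeamsForUser {
    $result = [ordered]@{ Uninstalled = $false; FolderRemoved = $false; ReinstallBlocked = $false }

    # Stop a running client first; the uninstaller can stall while Teams.exe holds files open.
    Get-Process -Name Teams -ErrorAction SilentlyContinue | Stop-Process -Force
    Start-Sleep -Seconds 2

    if (Test-Path $Updater) {
        $p = Start-Process -FilePath $Updater -ArgumentList '--uninstall', '-s' -PassThru -Wait
        Write-Log "Update.exe --uninstall exit code $($p.ExitCode)"
        $result.Uninstalled = ($p.ExitCode -eq 0)
    } else {
        Write-Log 'Update.exe not found; nothing to uninstall'
    }

    if (Test-Path $TeamsRoot) {
        Remove-Item $TeamsRoot -Recurse -Force -ErrorAction SilentlyContinue
        $result.FolderRemoved = -not (Test-Path $TeamsRoot)
        Write-Log "Teams folder removed: $($result.FolderRemoved)"
    } else {
        $result.FolderRemoved = $true
    }

    # Without this the machine-wide installer reinstalls Teams for the user at the next logon.
    New-Item -Path $PreventKey -Force | Out-Null
    Set-ItemProperty -Path $PreventKey -Name PreventInstallationFromMsi -Value 1 -Type DWord
    $result.ReinstallBlocked = ((Get-ItemProperty $PreventKey).PreventInstallationFromMsi -eq 1)

    [pscustomobject]$result
}

$r = Uninstall-TeamsForUser
Write-Log ($r | Out-String).Trim()
# A non-zero exit code tells ConfigMgr the program failed, so it is retried per the deployment settings.
if ($r.FolderRemoved -and $r.ReinstallBlocked) { exit 0 } else { exit 1 }
```

Because the registry value lives under HKCU, the script has to run as each affected user; deploy it to a user collection, or to the device with "run with user's rights" and "only when a user is logged on", exactly as described above.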

Reference: https://docs.microsoft.com/en-us/microsoftteams/msi-deployment

https://docs.microsoft.com/en-us/microsoftteams/scripts/powershell-script-teams-deployment-clean-up

How to get office 365 proplus activation status and excluded apps etc using SCCM Configmgr


 

Introduction:

We are in the midst of completing an Office 365 project. One of its primary activities is migrating Microsoft Office to Office 365 ProPlus. For the ProPlus deployment we use the PowerShell App Deployment Toolkit, which provides a GUI, lets us customise what to remove, and has other benefits over the standard ProPlus package you get from ConfigMgr or the configuration tool.

As you know, Office 365 ProPlus is not activated the usual way (KMS); it uses an Office 365 licence, and the user must activate the product with the licence assigned to them.

After ProPlus is installed, devices activate automatically if the UPN used in Azure AD (for example eswar.koneti@eskonr.com) and the on-prem domain logon (for example eswar.koneti@apac.eskonr.com) are the same. In my case they are not, so auto activation does not work.

If your cloud UPN and on-prem UPN are the same, add <Property Name="AUTOACTIVATE" Value="1" /> to the XML file for the ProPlus installation.

I have been travelling across Asia for Office 365 training and deployments. We have deployed ProPlus to thousands of users across Asia and all is going fine.

Problem:

As part of this project we want to monitor the deployments along with the activation status of ProPlus, and make sure that all devices that got ProPlus installed are activated successfully. If ProPlus is not activated, the Office apps (Excel, Word, Outlook) run with reduced functionality.

With KMS activation the client connects to the KMS server on known ports, but Office 365 ProPlus activation does not work like that.

How do we use ConfigMgr to get the activation status of Office 365 ProPlus?

In this blog post we will see where the activation result is stored on the Windows PC and how to collect that information into SCCM for reporting.

You can also use the Office 365 portal to see the activation status of the users you assigned a licence to, but the portal does not give you device information directly unless you use the Graph API to pull it.

Log in to https://admin.microsoft.com/AdminPortal/Home#/reportsUsage and look at Office activations.

To use SCCM, we first need to find where ProPlus activation is stored in the registry.

On a Windows device with ProPlus installed, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration; for 32-bit ProPlus you see values such as O365ProPlusRetail.EmailAddress and O365ProPlusRetail.ExcludedApps.

In current branch, Office ProPlus information is part of the default hardware inventory: the ProPlus version, channel and other details available in the registry and WMI are already collected into the SCCM database, but the activation details are not.

Inventory information about the ProPlus configuration is stored in v_GS_OFFICE365PROPLUSCONFIGURATIONS. Use this SQL view to query ProPlus versions, channel and more.

Since the default inventory does not carry the activation details, we will extend configuration.mof and import a MOF into the client settings to pull the activation status from the registry into the SCCM database. Note that this collects the activating user's e-mail address for every device, so treat the resulting class like other user-identifying inventory data and restrict the reports with role-based administration.

Since we know where the activation information lives in the registry, we use the RegKeyToMOF tool to generate the MOF content.

Download RegKeyToMOFv33a.exe from TechNet.

Double-click the exe and browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration.

De-select 64-bit unless you installed 64-bit ProPlus.

Click Save MOF; it prompts for a location to save the MOF files.

The MOF files are now stored in the location you specified.

What next? We need to edit the MOF files and delete the unnecessary content, as most of the information is already collected by hardware inventory and available in v_GS_OFFICE365PROPLUSCONFIGURATIONS.

In this blog post I only keep the e-mail address. If you want other values, keep them too.

I deleted all files in the folder except CM12Config.mof and CM12Import.mof.

After removing everything except O365ProPlusRetail.EmailAddress, my MOF files look like this.

configuration.mof:

Save the MOF file.

Now compile the MOF file to make sure it is valid before copying the code into configuration.mof on the SCCM server, located at <SCCM install location folder: >\inboxes\clifiles.src\hinv.

To compile a MOF file, open a command prompt and run mofcomp.exe filename.mof

The MOF content could not be processed, because of a special character in it:

CM12Config.mof (11): error SYNTAX 0X80044002: Expected semicolon or '='

Look carefully at line 11, String O365ProPlusRetail.EmailAddress; it uses a period inside a property name, and a period is not allowed in a MOF identifier, so parsing fails there.

We fix the MOF by removing the special character from the property name.

Change the property name from O365ProPlusRetail.EmailAddress to EmailAddress, ActivationAddress or anything else you like; the PropertyContext string that points at the registry value keeps the original name.

I made the change in two places: the property declaration in the class and the property in the instance. Both must be the same. Thanks to Garth Jones, who helped me get rid of this syntax error.

Modified content:

// RegKeyToMOF by Mark Cochrane (with help from Skissinger, SteveRac, Jonas Hettich, Kent Agerlund & Barker)
// this section tells the inventory agent what to collect
// 16/10/2018 3:05:03 PM

#pragma namespace ("\\\\.\\root\\cimv2")
#pragma deleteclass("Configuration", NOFAIL)
[DYNPROPS]
Class Configuration
{
[key] string KeyName;
String EmailAddress;
};

[DYNPROPS]
Instance of Configuration
{
KeyName="RegKeyToMOF";
[PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Office\\ClickToRun\\Configuration|O365ProPlusRetail.EmailAddress"),Dynamic,Provider("RegPropProv")] EmailAddress;
};

Now run mofcomp on the file again.

The MOF file is processed successfully (ignore the access-denied message). Now copy the modified content into configuration.mof, located in <SCCM install location folder: >\inboxes\clifiles.src\hinv.

Go to the end of the file and paste the code in. The class name in the class definition and in the instance must be the same string.

Save the MOF file. The site starts processing it; to monitor, read dataldr.log.

We have another MOF file to import into the client settings, under hardware inventory, to collect the inventory from clients.

Keeping only the required information and deleting the rest, the import MOF looks like this.

We make the following changes to this file so that the import works:

#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
#pragma deleteclass("Configuration", NOFAIL)
[SMS_Report(TRUE),SMS_Group_Name("o365 - Configuration"),SMS_Class_ID("o365Config")]
Class Configuration: SMS_Class_Template
{
[SMS_Report(TRUE),key] string KeyName;
[SMS_Report(TRUE)] String EmailAddress;
};

The class name (Configuration) must match the class in configuration.mof, and the SMS_Class_ID (o365Config) determines the name of the SQL view you will query in the database: v_GS_O365Config0.

Run mofcomp.exe to check that the MOF file parses successfully.

We now import this MOF into the inventory settings.

In the console go to Administration, Client Settings, Default Client Settings (you cannot import a MOF directly into custom client device settings), Hardware Inventory, Set Classes, Import, and choose the import file.

After the import, uncheck both new properties, as we do not want them enabled in the default client settings; instead we will create custom client settings, or edit the custom ones you already have for inventory collection.

Monitor dataldr.log to see that the changes are processed and the view is created.

Now create custom client settings and enable the classes.

With this we have created the MOF files and applied them to collect the Office 365 ProPlus activation status.

Download the MOF files for Office ProPlus activation from here.

Wait for clients to download the policy and run hardware inventory.
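Rather than waiting for the next inventory cycle to find out whether the extension works, you can check a client directly. The script below is an added example that is not part of the original post: it reads the activation values straight from the registry, reads the same data back through the new Configuration class (which is what the inventory agent will report), compares the two, and triggers a hardware inventory run when they agree. The class and property names are the ones defined in this post; the hardware inventory schedule ID is the standard client trigger.

```powershell
# Added example (not from the original post): confirm the configuration.mof
# extension returns the activation address on a client, then force inventory.
$RegPath   = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
$ClassName = 'Configuration'                              # class added to configuration.mof
$HinvId    = '{00000000-0000-0000-0000-000000000001}'    # hardware inventory cycle

function Get-ProPlusActivation {
    # What the registry says (ground truth) ...
    $reg = Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue
    # ... and what the registry property provider returns through the new class.
    $inv = Get-WmiObject -Namespace root\cimv2 -Class $ClassName -ErrorAction SilentlyContinue
    $regEmail = $reg.'O365ProPlusRetail.EmailAddress'
    [pscustomobject]@{
        RegistryEmail  = $regEmail
        ExcludedApps   = $reg.'O365ProPlusRetail.ExcludedApps'
        CdnBaseUrl     = $reg.CDNBaseUrl
        InventoryEmail = $inv.EmailAddress
        Activated      = [bool]$regEmail
        ClassWorks     = ($null -ne $inv) -and ($inv.EmailAddress -eq $regEmail)
    }
}

$state = Get-ProPlusActivation
$state | Format-List

if (-not $state.ClassWorks) {
    Write-Warning "Class $ClassName is missing or out of sync: policy not applied yet, or configuration.mof failed to compile (check dataldr.log on the site)"
} else {
    # Kick off hardware inventory so the value reaches the site without waiting for the schedule.
    Invoke-WmiMethod -Namespace root\ccm -Class SMS_Client -Name TriggerSchedule -ArgumentList $HinvId | Out-Null
    'Hardware inventory triggered; watch InventoryAgent.log on the client'
}
```

An Activated value of False with ClassWorks True is the case the reports are meant to catch: the extension works, and the device simply has not been activated yet.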

Here are several SQL queries to check the activation results for ProPlus. Make changes where required.

--select the first 10 rows from the office activations view
select top 10 * from v_gs_o365config0

--count activated and not activated ProPlus installations
select count(case when o.emailaddress0 is not NULL then 1 end) 'Total Activations',
count(case when o.emailaddress0 is NULL then 1 end) 'Not Activated'
from v_gs_o365config0 O
inner join v_Add_Remove_Programs arp on o.ResourceID=arp.ResourceID
where arp.DisplayName0 ='Microsoft Office 365 ProPlus - en-us'

--list devices with user names that have ProPlus installed but are not activated
select sys.name0,sys.User_Name0,u.Mail0,u.Full_User_Name0
from v_gs_o365config0 O
inner join v_Add_Remove_Programs arp on o.ResourceID=arp.ResourceID
inner join v_r_system sys on sys.ResourceID=o.ResourceID
left join v_r_user u on u.User_Name0=sys.User_Name0
where arp.DisplayName0 ='Microsoft Office 365 ProPlus - en-us'
and o.EmailAddress0 is NULL

Hope it helps!

How to install Data warehouse service point in SCCM Configmgr and get the historical data


Introduction:

The customer is running SCCM Configmgr current branch 1806 with site maintenance tasks configured to delete aged data older than X days. When you configure such a task, data older than X days is deleted from the site database, which is expected.

The customer asked whether there is a way to know which clients were deleted, whether by the site maintenance task, manually or by other means. Basically, whatever gets deleted from the site database (devices, inventory and so on), the customer wanted a record of it at a later stage.

In Configmgr builds prior to 1702 there was no straightforward way to do this unless you built your own solution, for example bringing AD computer objects into SCCM and querying against them; that tells you which computers were deleted but does not give you their inventory.

With 1702, a pre-release feature called the Data warehouse service point was introduced. Beginning with version 1706, it is no longer a pre-release feature.

The Data warehouse service point is used to store and report on long-term historical data for your SCCM Configmgr deployment.

The Data warehouse service point is not enabled by default when you upgrade to 1706 or later and must be configured manually.

Data warehouse data flow (captured from the TechNet article)

image

For more information about Data warehouse service point ,please read TechNet document https://docs.microsoft.com/en-us/sccm/core/servers/manage/data-warehouse 

In this blog post we will see how to install the Data warehouse service point and how to query data that has been deleted from the CAS/primary site database but still exists in the data warehouse, for reporting and tracking purposes.

Prerequisites for the data warehouse server (CM01-DW):

1. Build a Windows Server 2012 R2 or later server and fully patch it (CM01-DW).
2. Join CM01-DW to the domain.
3. Add the computer account of the primary site server (CM01), or of the CAS if you have one, from which you are installing the data warehouse role, to the local Administrators group on CM01-DW.

Note: The data warehouse site system role is supported only at the top-tier site of your hierarchy. (A central administration site or stand-alone primary site)

4. The computer where you install the data warehouse site system role requires .NET Framework 4.5.2 or later. Windows Server 2012 R2 ships with .NET Framework 4.5.1 and 4.5.2 is delivered through Windows Update, so a fully patched server meets this requirement without a separate install.

5. The data warehouse database requires SQL Server 2012 or later; the edition can be Standard, Enterprise or Datacenter. I installed SQL Server 2014 SP1 on CM01-DW with default options. The SQL collation must be SQL_Latin1_General_CP1_CI_AS (the default for an en-US installation).

While installing SQL Server, choose Database Engine, Reporting Services and Management Tools (for Management Studio) in the feature list, and use the default instance.

During SQL Server setup you may hit an error about the .NET Framework 3.5 feature; enable it from Server Manager > Add Roles and Features. This requires the server OS media's sources\sxs folder as the alternate source path.

SQL server installation summary:

image

The following SQL Server configurations are supported to host the warehouse database:

  • A default instance
  • Named instance
  • SQL Server Always On availability group
  • SQL Server failover cluster

6. The computer account of the computer where you install the site system role (CM01-DW) is used to synchronize data with the data warehouse database. This account requires the following permissions:

  • Administrator on the computer that hosts the data warehouse database.
  • DB_Creator permission on the data warehouse SQL instance (the dbcreator server role).
  • Either DB_owner, or DB_reader with execute permissions, on the top-tier site's site database.

As part of this prerequisite, I pre-created the DW database CM_PS1_DW on my remote SQL instance and granted the permissions listed in point 6.

image

7. The data warehouse synchronization service connects to the data warehouse database over the SQL Server port, which is 1433 by default; make sure it is open between the site server and CM01-DW.
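The permissions in steps 3 and 6 can be granted from PowerShell instead of clicking through Computer Management and Management Studio, which also makes them repeatable and auditable. The script below is an added example, not part of the original post. It assumes the domain is APAC, the primary site server is CM01 hosting the site database CM_PS1 on its default instance (the site database name is inferred from CM_PS1_DW), and CM01-DW hosts CM_PS1_DW on its default instance; it needs the SqlServer module (Invoke-Sqlcmd) and an account that is sysadmin on both instances. It uses the least-privilege option from step 6 (db_datareader plus EXECUTE) on the site database rather than db_owner.

```powershell
#Requires -Modules SqlServer
# Added example: grant the data warehouse prerequisites (steps 3 and 6) with T-SQL via PowerShell.
# Assumed names: domain APAC, site server CM01 / site DB CM_PS1, DW server CM01-DW / DW DB CM_PS1_DW.
$domain      = 'APAC'
$siteServer  = 'CM01'
$dwServer    = 'CM01-DW'
$siteDb      = 'CM_PS1'      # assumed site database name
$dwDb        = 'CM_PS1_DW'   # data warehouse database name used in the post
$siteAccount = "$domain\$siteServer$"   # CM01$    installs the site system role on CM01-DW
$dwAccount   = "$domain\$dwServer$"     # CM01-DW$ runs the warehouse sync service

# Step 3: the site server's computer account must be a local administrator on the DW server.
Invoke-Command -ComputerName $dwServer -ArgumentList $siteAccount -ScriptBlock {
    param($acct)
    if (-not (net localgroup Administrators | Select-String -SimpleMatch $acct)) {
        net localgroup Administrators $acct /add | Out-Null
    }
}

# Step 6a: on the DW instance the DW computer account needs dbcreator; create the database if it is missing
# and, because it is pre-created here rather than by the role, make the account its owner.
Invoke-Sqlcmd -ServerInstance $dwServer -Database master -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$dwAccount')
    CREATE LOGIN [$dwAccount] FROM WINDOWS;
ALTER SERVER ROLE dbcreator ADD MEMBER [$dwAccount];
IF DB_ID(N'$dwDb') IS NULL
    CREATE DATABASE [$dwDb] COLLATE SQL_Latin1_General_CP1_CI_AS;
"@
Invoke-Sqlcmd -ServerInstance $dwServer -Database $dwDb -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$dwAccount')
    CREATE USER [$dwAccount] FOR LOGIN [$dwAccount];
ALTER ROLE db_owner ADD MEMBER [$dwAccount];
"@

# Step 6b: on the top-tier site database the same account needs read access plus EXECUTE.
Invoke-Sqlcmd -ServerInstance $siteServer -Database master -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$dwAccount')
    CREATE LOGIN [$dwAccount] FROM WINDOWS;
"@
Invoke-Sqlcmd -ServerInstance $siteServer -Database $siteDb -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$dwAccount')
    CREATE USER [$dwAccount] FOR LOGIN [$dwAccount];
ALTER ROLE db_datareader ADD MEMBER [$dwAccount];
GRANT EXECUTE TO [$dwAccount];
"@

# Verification: role memberships the DW account now holds on the site database.
Invoke-Sqlcmd -ServerInstance $siteServer -Database $siteDb -Query @"
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'$dwAccount';
"@
```

ALTER SERVER ROLE and ALTER ROLE ... ADD MEMBER require SQL Server 2012 or later, which matches prerequisite 5. If the role installer later reports database connectivity errors, re-run the verification query on both instances before touching the site system.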

How to Install the data warehouse service point from CAS or Primary Site:

From the CAS server or primary site (in my case I don't have a CAS), go to Servers and Site System Roles and choose Create Site System Server.

image

Enter the remote server name to host the data warehouse database.

Also make sure the primary site server computer account (CM01) is in the local Administrators group on the remote server (CM01-DW), because the site server's computer account is used to install the site system.

image

Click Next with the default options, since this role does not need to connect to the internet for syncing.

image

Choose Data warehouse service point ,click Next

image

Fill in the fields as shown below.

SQL Server: the remote server where we installed SQL Server 2014: CM01-DW.apac.eskonr.com

SQL Server instance: I installed SQL Server on CM01-DW as the default instance, so I leave this blank.

Database name: leave the default: CM_PS1_DW

Data warehouse service point account: this account is used to connect to the data warehouse database and must have read access to CM_PS1_DW.

This account is used to run the reports against the data warehouse database and is configured in the data source properties, which you can verify later.

image

Accept the default sync schedule, or customize it as you need. This schedule controls when data is synced from the primary site database to the data warehouse database.

image

Review the summary page:

image

Log in to the remote server (CM01-DW) to check the logs.

image

  • DWSSMSI.log and DWSSSetup.log: use these logs to investigate errors when installing the data warehouse service point.
  • Microsoft.ConfigMgrDataWarehouse.log: use this log to investigate data synchronization from the site database to the data warehouse database.

image

With this, we have completed the installation of the data warehouse service point on the remote computer.

If you hit any issues with database connectivity, make sure the computer accounts have the right permissions on the CM_PS1_DW database (and on the site database).

Now we will check whether data from the primary site (CM01) has been synced to the data warehouse (CM01-DW) database.

Open SQL Server Management Studio, connect to the CM_PS1_DW database and run select * from system_disc (in production, use select top 10 * from system_disc instead).

image

As you can see above, the system_disc table has a column, OperationType_DW, that records whether the system has been deleted from the primary site.

OperationType_DW contains one of the following values:

I: New record

U: Updated record

D: Deleted record

Once you know this, you can easily create SQL reports filtered on OperationType_DW = 'D' and let the customer decide what they want to do with them.
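Before handing a list of "deleted" devices to the customer it is worth confirming that a row flagged D really is gone from the site database; a stale warehouse sync would otherwise produce a misleading report. The script below is an added example and not part of the original post. It assumes the warehouse table System_DISC keeps the site-database columns ItemKey and Name0 alongside OperationType_DW (only OperationType_DW is shown on the page), that the DW instance is CM01-DW.apac.eskonr.com with database CM_PS1_DW, and that the site database is CM_PS1 on the primary site server CM01.apac.eskonr.com; it needs the SqlServer module and read access to both databases.

```powershell
#Requires -Modules SqlServer
# Added example: list devices the warehouse has marked as deleted and cross-check them
# against the live site database. Table/column names beyond OperationType_DW are assumed.

function Get-DwOperationSummary {
    # Row counts per I/U/D so you can sanity-check a sync before trusting a report.
    param([string]$DwServer = 'CM01-DW.apac.eskonr.com', [string]$DwDatabase = 'CM_PS1_DW')
    Invoke-Sqlcmd -ServerInstance $DwServer -Database $DwDatabase -Query @"
SELECT OperationType_DW, COUNT(*) AS Total
FROM dbo.System_DISC
GROUP BY OperationType_DW
ORDER BY OperationType_DW;
"@
}

function Get-DwDeletedSystems {
    param(
        [string]$DwServer     = 'CM01-DW.apac.eskonr.com',
        [string]$DwDatabase   = 'CM_PS1_DW',
        [string]$SiteServer   = 'CM01.apac.eskonr.com',   # assumed: site DB on the primary's default instance
        [string]$SiteDatabase = 'CM_PS1'                  # assumed site database name
    )
    $deleted = @(Invoke-Sqlcmd -ServerInstance $DwServer -Database $DwDatabase -Query @"
SELECT ItemKey AS ResourceID, Name0 AS ComputerName
FROM dbo.System_DISC
WHERE OperationType_DW = 'D'
ORDER BY Name0;
"@)
    if ($deleted.Count -eq 0) { return @() }

    # Cross-check: a ResourceID flagged 'D' should no longer exist in v_R_System on the site.
    $ids = ($deleted | ForEach-Object { [int]$_.ResourceID }) -join ','
    $stillPresent = @(Invoke-Sqlcmd -ServerInstance $SiteServer -Database $SiteDatabase `
        -Query "SELECT ResourceID FROM v_R_System WHERE ResourceID IN ($ids);")
    $presentIds = @($stillPresent | ForEach-Object { [int]$_.ResourceID })

    foreach ($row in $deleted) {
        [pscustomobject]@{
            ResourceID   = [int]$row.ResourceID
            ComputerName = $row.ComputerName
            GoneFromSite = ([int]$row.ResourceID -notin $presentIds)   # $false means the warehouse is stale
        }
    }
}

# Usage
Get-DwOperationSummary | Format-Table -AutoSize
Get-DwDeletedSystems | Export-Csv -NoTypeInformation "$PSScriptRoot\deleted-systems.csv"
```

Any row with GoneFromSite set to false means the device still exists in the site database; check Microsoft.ConfigMgrDataWarehouse.log for the last successful sync before reporting it as deleted.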

The data warehouse also ships a set of default reports. They are available in the primary site, but they run against the data warehouse database: their data source points to the CM01-DW SQL instance.

Data warehouse reports can be found in the SCCM console Reporting node or through the SSRS web URL of the primary site.

There are 7 main reports and 7 linked reports.

The data warehouse site system role includes the following reports, which have a Category of Data Warehouse:

  • Application Deployment - Historical: View details for application deployment for a specific application and machine.
  • Endpoint Protection and Software Update Compliance - Historical: View computers that are missing software updates.
  • General Hardware Inventory - Historical: View all hardware inventory for a specific machine.
  • General Software Inventory - Historical: View all software inventory for a specific machine.
  • Infrastructure Health Overview - Historical: Displays an overview of the health of your Configuration Manager infrastructure
  • List of Malware Detected - Historical: View malware that has been detected in the organization.
  • Software Distribution Summary - Historical: A summary of software distribution for a specific advertisement and machine.

image

Using the SSRS report URL of the primary site:

image

A default data source named {39B693BB-524B-47DF-9FDB-9000C3118E82} is created with the connection string below, and it is configured to run the reports as the account CM_SR.

CM_SR is the data warehouse service point account specified while installing the role.

Connection string: Persist Security Info=False;Initial Catalog=CM_PS1_DW;Data Source=CM01-DW.apac.eskonr.com;Encrypt=true;TrustServerCertificate=false
image

When I tried to run one of the data warehouse reports I got the following error, which is a known issue:

A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.)

image

The cause is visible in the connection string above: Encrypt=true together with TrustServerCertificate=false means the reporting server will only talk to the data warehouse SQL instance if the certificate SQL Server presents chains to an authority it trusts, so the SQL instance on CM01-DW needs a server certificate that the SSRS server trusts. To fix this error, follow the guide at https://www.ronnipedersen.com/2018/01/15/sccm-unable-to-run-data-warehouse-reports-from-remote-sql/ and the certificate section of https://docs.microsoft.com/en-us/sccm/core/servers/manage/data-warehouse

Hope this guide helps you install the role and create custom reports.

In the next blog post, we will see what are the objects/information that get stored in data warehouse.


What historical information stored in SCCM Configmgr Data Warehouse for custom reports


In my previous blog post, we saw how to install the Data Warehouse role in Configuration Manager build 1806 and looked at how client data deleted from the primary site is kept for reporting purposes, along with some SQL view information.

In this blog post, we will see what information is stored in the data warehouse before we start working on custom reports for users/customers to review historical data.

The central/primary site database contains a huge amount of data about clients, applications, inventory, execution data and much more. For the list of SQL views in SCCM Configmgr, please visit

With the data warehouse installed, does the entire central/primary database replicate to the data warehouse database? No; only a subset of the data is replicated, for reporting purposes.

When you install a primary site, the default SQL database size is around 5 GB. Once clients start reporting to the site, the database grows further.

When you install the data warehouse role, only a subset of the SQL data is replicated; the initial size of the database in my lab (20 devices with inventory) is about 170 MB.

Data warehouse size:

image

Data warehouse log:

image

For comparison, the primary site database has 1600+ SQL views, while the data warehouse has 220.

I have uploaded the SQL views information that are available in data warehouse to TechNet gallery  https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b

Have a look at it before you start creating your custom reports .

See you next blog!

SCCM Configmgr monitoring Collection Evaluations and change update membership schedule using powershell


It has been a long time since I posted on Configmgr, as I am spending more time on Office 365 projects, but this week I got something on SCCM that I would like to share. I have many other posts on my to-do list, especially on custom reporting, and will release them when I find time.

Recently I was looking into automating Azure servers through SCCM. For newly built Azure servers, we use SCCM to install applications, configurations, software updates and more through a task sequence as part of operational readiness.

When a new server is built in Azure (using Terraform and other tools), on-prem SCCM picks up the server, adds it to the OR (operational readiness) collection, runs the task sequence, emails the respective team on success or failure for further checks, and removes the device from the collection (on success only).

What we noticed is that when a new Azure server joins the domain and appears in the SCCM default collection (All Systems), it usually takes quite a long time before the task sequence runs. So I had to dig into this and see whether we could speed up adding the server to the collection that has the TS deployed.

To make things faster (adding the device to the collection and running the TS as soon as it is added), there are two things to look at.

1. Check 'Use incremental updates for this collection': select this option to periodically scan for and update only new or changed resources since the previous collection evaluation, independently of a full collection evaluation. Incremental updates occur at 5-minute intervals by default.

image

2. Create device client settings with a shorter client policy polling interval. The default is 60 minutes, which is too long; change it to 15 minutes and deploy it to the OR collection. When the TS succeeds, the device is removed from the OR collection, so the collection should be empty by default unless a TS fails, in which case the respective team troubleshoots further.

image

On this occasion, I decided to look further at the 'use incremental updates for this collection' option.

Microsoft's recommendation is: do not use incremental updates for a large number of collections. This configuration might cause evaluation delays when you enable it for many collections. The threshold is about 200 collections in your hierarchy. For more info refer here

image

Based on this recommendation, how do you keep the number of collections with 'use incremental updates for this collection' below 200? If you exceed 200 it still works, but it adds delay to collection evaluation and hurts server performance, so you should enable it ONLY for HIGH PRIORITY collections.

Since SCCM is used by many people in the organisation who can create collections, they might, knowingly or unknowingly, enable incremental updates on every collection, which is not required unless something must be deployed to them urgently.

To keep the number of incremental collections limited, I gathered the list of all HIGH PRIORITY collections that must update frequently; the remaining collections created by users/admins should not use incremental updates and should follow the full update schedule instead.

I use PowerShell to check for collections set to either Incremental Update (Only) or Incremental and Full Update Scheduled and change them as per the recommendation.

If a collection has 'use incremental updates for this collection' enabled, it does not also need a full scheduled update.

The PowerShell below queries SCCM for all collections enabled with Incremental Update (Only) or Incremental and Full Update Scheduled, excluding the HIGH PRIORITY collections collected earlier.

Any collection that is not high priority will have incremental updates disabled, unless you add it to the HIGH PRIORITY list.

How to use this script?

Create a folder and put the script in it. Create a text file called ExclusionIDs.txt and add all your HIGH PRIORITY collection IDs to it, one per line.

Change the refresh type values to suit your needs. For example, I want to change collections set to Incremental and Full Update Scheduled to Full Scheduled Update only.

download the script from here

<#
Title: Update collection membership schedule
Following are the collection membership values for RefreshType
1:No Scheduled Update
2:Full Scheduled Update
4:Incremental Update (Only)
6:Incremental and Full Update Scheduled
Author: Eswar Koneti
Blog:www.eskonr.com
Date:31-12-2018
#>

$scriptPath = $script:MyInvocation.MyCommand.Path # Full path of this script
$CD = Split-Path $scriptPath                      # Folder the script lives in; ExclusionIDs.txt and the CSV output live here
$RefreshTypefrom = 6  # Find collections with Incremental and Full Update Scheduled
$RefreshTypeto   = 2  # Convert them to Full Scheduled Update
$date = (Get-Date -Format dd-MM-yyyy-hhmmss)
$exclusions = "$CD\ExclusionIDs.txt" # HIGH PRIORITY collections: one collection ID per line (device and user collections)
$collectionsfound = "$CD\collections with inc and full-" + $date + ".csv" # Collections found with Incremental and Full Update Scheduled, kept for reference

# Load the SCCM module and map the site drive. -ErrorAction Stop makes a missing console/module reach the Catch block
# (with $ErrorActionPreference set to SilentlyContinue the Catch would never fire).
Try
{
  Import-Module (Join-Path $(Split-Path $env:SMS_ADMIN_UI_PATH) ConfigurationManager.psd1) -ErrorAction Stop
  Set-Location ((Get-PSDrive -PSProvider CMSite | Select-Object -First 1).Name + ':')
}
Catch
{
  Write-Host "[ERROR]`t SCCM Module couldn't be loaded. Script will stop!"
  Exit 1
}

# Read the HIGH PRIORITY collection IDs to leave untouched; a missing or empty file means nothing is excluded.
$exc = @()
if (Test-Path $exclusions) { $exc = @(Get-Content $exclusions | ForEach-Object { $_.Trim() } | Where-Object { $_ }) }

# Get all collections (device and user) with both incremental and full update schedules, skip the exclusions, and record them.
Get-CMCollection | Where-Object { $_.RefreshType -eq $RefreshTypefrom -and $_.CollectionID -notin $exc } |
  Select-Object CollectionID, Name | Export-Csv -NoTypeInformation $collectionsfound -Append

# Import the collections we just recorded and change their membership schedule (removal of incremental updates).
if (Test-Path $collectionsfound) {
  $CollectionIDs = Import-Csv $collectionsfound | Select-Object -ExpandProperty CollectionID
  Foreach ($CollID in $CollectionIDs) {
    $Collection = Get-CMCollection -CollectionId $CollID
    $Collection.RefreshType = $RefreshTypeto
    $Collection.Put()
  }
}

Script folder looks like this before execution:

image

After execution:

image

A new CSV file lists all collections that were found with 'Incremental and Full Update Scheduled'; these are the collections the script acts on.

image

You can run this script from Task Scheduler daily or weekly.

Following is the SQL to identify the collection membership types and validate the results.

select
case Flags
when 1 then 'No Scheduled Update'
when 2 then 'Full Scheduled Update'
when 4 then 'Incremental Update (Only)'
when 6 then 'Incremental and Full Update Scheduled'
when 4100 then 'default collection'
else 'total'
End as  ScheduleType,
count(*) as Total
from v_Collections_G
where siteid not like 'SMS%'
group by flags,flags with rollup

Output:

image

If you want the list of all collections with a given membership type, use the following SQL; replace the Flags values as per your needs. (The original version joined v_FullCollectionMembership, which silently drops collections that currently have no members; querying v_Collections_G directly lists every collection.)

select coll.SiteID,coll.CollectionName
from v_Collections_G coll
where coll.Flags in (4,6)
order by coll.CollectionName

You can also use CEViewer.exe (Collection Evaluation Viewer), which is now part of the CMCB 1810 server tools, to see the total run time of full and incremental evaluation. It is always recommended to run this tool to check what is going on with collection evaluation times.

The following shows the results of incremental evaluation: 57 seconds for 67 collections, with the run time for each collection. The same can be viewed for full evaluation.

image

In the next post, I will talk about how to get collections with direct membership rules ONLY (no query rules) that have a membership schedule enabled, and how to remove the schedule using PowerShell.

Collections with only direct rules do not need to be updated on a schedule.

References:

https://blogs.technet.microsoft.com/leesteve/2017/08/22/sccm-for-those-nasty-incremental-collections/

https://byteben.com/bb/identifying-and-updating-sccm-collection-evaluations/

SCCM Configmgr Remove Collection membership for Direct rule Collections using Powershell


This blog post is a continuation of my previous post 'Monitor collection evaluations and remove incremental membership schedule for non-priority collections'. More information can be found at http://eskonr.com/2019/01/sccm-configmgr-monitoring-collection-evaluations-and-change-update-membership-schedule-using-powershell/ .

In this post, we will see how to improve collection evaluation performance further by identifying collections built from direct rules that have a membership schedule (incremental and/or full update) enabled, and using PowerShell to remove the schedule.

You can use different rules to configure the members of a collection in SCCM: direct rule, query rule, include and exclude. For more information on collection rules, please refer to https://docs.microsoft.com/en-us/sccm/core/clients/manage/collections/create-collections

Direct Rule: a static membership that only changes when an administrator adds or removes a member manually, or when the resource is removed from SCCM.

Query Rule: a dynamic membership that SCCM updates based on a query it runs on a schedule.

image

As you can see in the snapshot above, the rule type shows Direct for direct (static) rules; for query-based collections you will see Query instead of Direct.

Direct-rule collections do not need a membership schedule because they are static and never change unless someone makes a manual change.

If you add resources to direct-rule collections using scripts, make sure the script also triggers a collection membership update. This is required for direct-rule collections when neither the incremental nor the full scheduled update is enabled.

Why is a membership update required when you add resources to a direct-rule collection via a script (with no schedule enabled)?

When you add resources manually through the console, the collection is refreshed automatically and the resources appear in it. Through scripting, the direct rule is added (you can see it in the GUI as shown above), but if you open the collection it is empty until the next membership update (this is what I observed in my testing with scripts).
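The following is an added example (not the author's script) of what such a script has to do: add the direct rule, request a membership update, and then actually wait for the member to appear rather than assuming it did. It assumes the ConfigMgr console and its PowerShell module are installed on the machine running it, and the collection ID PS100123 and device name AZ-SRV-001 are placeholders for an existing direct-rule device collection with no schedule and a device already discovered by the site.

```powershell
# Added example: add a device to a direct-rule collection from a script and force the
# membership update the console would otherwise have done for you.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) ConfigurationManager.psd1) -ErrorAction Stop
Set-Location ((Get-PSDrive -PSProvider CMSite | Select-Object -First 1).Name + ':')

function Add-DeviceToDirectCollection {
    param(
        [Parameter(Mandatory)][string]$CollectionId,
        [Parameter(Mandatory)][string]$DeviceName,
        [int]$TimeoutSeconds = 120
    )
    $device = Get-CMDevice -Name $DeviceName -Fast
    if (-not $device) { throw "Device '$DeviceName' not found in the site." }

    # This only writes the rule; with no schedule the collection will not re-evaluate by itself.
    Add-CMDeviceCollectionDirectMembershipRule -CollectionId $CollectionId -ResourceId $device.ResourceID

    # Ask the collection evaluator to run now, then poll until the member shows up or we give up.
    Invoke-CMCollectionUpdate -CollectionId $CollectionId
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 5
        $member = Get-CMCollectionMember -CollectionId $CollectionId |
                  Where-Object { $_.ResourceID -eq $device.ResourceID }
    } until ($member -or (Get-Date) -gt $deadline)

    if (-not $member) {
        throw "Rule added but '$DeviceName' is still not a member of $CollectionId after $TimeoutSeconds s; check colleval.log on the site server."
    }
    return $member
}

# Placeholder IDs; replace with your OR collection and the freshly built server.
Add-DeviceToDirectCollection -CollectionId 'PS100123' -DeviceName 'AZ-SRV-001' | Select-Object Name, ResourceID
```

Without the Invoke-CMCollectionUpdate call (and a schedule on the collection), the device would sit in the rule list but never receive the task sequence deployment, which is exactly the delay described above.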

With this in mind, we need to identify the direct-rule collections that have a membership schedule (incremental and/or full update) enabled and remove it using a PowerShell script.

Microsoft recommendation is Do not use incremental updates for a large number of collections. This configuration might cause evaluation delays when you enable it for many collections. The threshold is about 200 collections in your hierarchy. For more info refer here

Following is a simple PowerShell script to query direct-rule collections with a membership schedule enabled.

We use the built-in cmdlet Get-CMCollection to get all collections (user and device) that have a membership schedule enabled and whose rules are all direct rules (SMS_CollectionRuleDirect).

The script saves the list of direct-rule collections with a schedule enabled to a CSV file for reference at a later stage. If you have direct-rule collections you want to exclude, you can use the exclusion-file approach from the script in my previous blog post.

Depending on your infrastructure and the number of collections, it might take some time. For me, it took 4 minutes to get 700+ collections that fell within the criteria.

Note: Before you run the script in production, make sure you understand the requirement; comment out the $Collection.Put() line so you can verify the list of collections in your infrastructure first, then rerun the script with the line un-commented.

<#
Title: Update membership schedule for collections with direct rules. Direct rule based collections do not need a membership schedule.
Following are the collection membership values for RefreshType
1:No Scheduled Update
2:Full Scheduled Update
4:Incremental Update (Only)
6:Incremental and Full Update Scheduled
Author: Eswar Koneti
Blog:www.eskonr.com
Date:31-12-2018
#>

$scriptPath = $script:MyInvocation.MyCommand.Path
$CD = Split-Path $scriptPath # Folder the script lives in; the CSV output goes here
$RefreshTypeto = 1 # 1 removes the membership schedule
$date = (Get-Date -Format dd-MM-yyyy-hhmmss) # Date and time of this run, used in the output file name
$collectionsfound = "$CD\collections with direct rules-" + $date + ".csv"
# Output file listing all direct-rule collections found, for reference later.

# Load the SCCM module and map the site drive. Requires the SCCM console on the machine running the script.
# -ErrorAction Stop is what makes a failed import reach the Catch block.
Try
{
  Import-Module (Join-Path $(Split-Path $env:SMS_ADMIN_UI_PATH) ConfigurationManager.psd1) -ErrorAction Stop
  Set-Location ((Get-PSDrive -PSProvider CMSite | Select-Object -First 1).Name + ':')
}
Catch
{
  Write-Host "[ERROR]`t SCCM Module couldn't be loaded. Script will stop!"
  Exit 1
}

# Get all collections (device and user) that have a membership schedule enabled and whose rules are ALL direct rules.
# A collection that mixes direct and query rules is left alone, since the query rule still needs evaluating.
Get-CMCollection | Where-Object {
    $rules = @($_.CollectionRules)
    $_.RefreshType -in (2,4,6) -and
    $rules.Count -gt 0 -and
    @($rules | Where-Object { $_.SmsProviderObjectPath -ne 'SMS_CollectionRuleDirect' }).Count -eq 0
  } | Select-Object CollectionID, Name | Export-Csv -NoTypeInformation $collectionsfound -Append

# Loop through each collection found and remove its membership schedule.
# Comment out the $Collection.Put() line for a dry run that only produces the CSV.
if (Test-Path $collectionsfound) {
  foreach ($Coll in Import-Csv $collectionsfound)
  {
    $Collection = Get-CMCollection -CollectionId $Coll.CollectionID
    #Write-Host $Coll.CollectionID $Coll.Name
    $Collection.RefreshType = $RefreshTypeto
    $Collection.Put()
  }
}
Write-Host "Execution of script completed:" -ForegroundColor Yellow

you can also download the script from here

Following is the SQL to pre-check and post-check the collections with a membership schedule enabled that have no query rule (this also picks up collections with no rules at all, which the script skips).

select coll.SiteID,coll.CollectionName,
case when coll.CollectionType='1' then 'User' else 'Device' end as 'Collection Type'
from v_Collections_G coll
where coll.SiteID not in (select CRQ.collectionid from v_CollectionRuleQuery CRQ)
and coll.Flags in ('2','4','6')
group by coll.SiteID,coll.CollectionName,coll.CollectionType

 

Hope you enjoyed reading this article. See you in next post!

SCCM ConfigMgr Compliance status of client for multiple software update groups


After a long time, I am back with a quick SCCM Configmgr software update compliance report. A friend asked me this morning how to check the compliance of a specific computer (for example a VIP's) against one or more software update groups they have created and deployed.

How do you check the compliance status of a computer for specific software update groups ONLY, and not for all updates available in SCCM?

There are several built-in software update compliance reports for software update groups and for computers, but none that checks whether a particular computer is compliant for a given software update group. The only option is to run the compliance report for a specific collection, which gives you the overall compliance status, and drill down from there, or run other compliance reports, which is tedious. Repeating this for different update groups is not easy. The only real solution is a custom report.

I searched online but found nothing except this unanswered thread: https://social.technet.microsoft.com/Forums/en-US/6cb95ee0-808e-4c8f-a39c-11bc35282357/limit-specific-computer-report-to-a-software-update-group?forum=configmanagergeneral

I also checked my blog in case I had posted something similar, but nothing matched the requirement.

So I wrote the SQL, converted it into an SSRS report, and it is now available for you to download and play with.

I added most of the computer information: software update group, computer name, user name, OS, last hardware scan, last software update scan, last logon time, IP address and patch compliance status, to help with further troubleshooting.

You can download the SQL views documentation from https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b

How does this report work? When you run it, it prompts you to choose the software update groups you are interested in and to enter the computer name (required; there is no drop-down; enter just the computer name, not the FQDN).

Output of the report shown below.

image

Download the report from the TechNet Gallery, upload it to your SSRS server, change the data source, and you are ready to run it.

Some of the software update compliance reports from my blog are listed below.

SCCM Configmgr 2012 Updated Patch Compliance reports for software update group and collection with patch progression

Configmgr SQL query to get the list of clients that require a specific software update patch

SCCM Configmgr Software Update Compliance Report for Specific Collection within Specific Time Frame

SCCM Configmgr SQL query to find Top X missing updates for specific collection for specific update group

SCCM Configmgr Get the Update Compliance Status for multiple Update groups against Multiple collections using SQL query without reporting

SCCM Configmgr Software update Compliance Report for multiple Software Update groups per collection

SCCM Configmgr SQL Query to check software update is superseded by what software updates

Configmgr How to list all Default and Custom reports with created by, modified by,data source , Path and Description

SCCM Configmgr How to generate patch compliance report that shows all updates for specific collection ?

SCCM Configmgr SSRS Report Get list of missing updates for PC from specific Software update group

sccm  SQL Query Get software updates that are downloaded but not in any software update group

SCCM Configmgr 2012 Software update compliant non-compliant results for list of computers from collection for specific month

SCCM Check Patch is member of what software update package

SCCM Configmgr  SSRS Patch Compliance Report Per Collection Per Update Group

SCCM Configmgr SSRS Report Overall Compliance Per Update Group Per Collection will help to troubleshoot the clients

SCCM Configmgr Patch Report – OU based Compliance status per Update Group

SCCM Configmgr Report Get the Status of Software Update Scan results

SCCM Configmgr Software update compliance states

SCCM report applications installed on computers without Updates

SCCM Configmgr Report for Software Update Compliance

SCCM Report Get list of devices with pending reboot in a collection with different states


Beginning with SCCM ConfigMgr build 1710, you can use the console to identify client devices that require a restart, and then use a client notification action to restart them. Clients must also be upgraded to version 1710 or later for this capability to function.

This makes it much easier for SCCM engineers to restart a device with a single click.

To identify devices pending a restart, go to the Assets and Compliance workspace, select the Devices node, right-click a column header in the details pane and add the new column named Pending Restart.

image

Once you add this column, you can sort by Pending Restart to see the list of all devices with their client state.

image

Each device has one or more of the following values:

  • No: there is no pending restart
  • Configuration Manager: this value comes from the client reboot coordinator component (RebootCoordinator.log)
  • File rename: this value comes from Windows reporting a pending file rename operation (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, PendingFileRenameOperations)
  • Windows Update: this value comes from the Windows Update Agent reporting a pending restart is required for one or more updates (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired)
  • Add or remove feature: this value comes from the Windows component-based servicing reporting the addition or removal of a Windows feature requires a restart (HKLM\Software\Microsoft\Windows\CurrentVersion\Component Based Servicing\Reboot Pending)

To restart the device, simply right-click the device, select Client Notification, and then select Restart. An information window opens about the restart. Click OK to confirm the restart request.

image

When the notification is received by a client, a Software Center notification window opens to inform the user about the restart. By default, the restart occurs after 90 minutes. You can modify the restart time by configuring client settings.

Settings for the restart behaviour are found on the Computer restart tab of the default settings.

If you want to know the list of pending-reboot devices, it is not always convenient to follow the steps above. It also does not give the number of devices pending a reboot; you need to add the column and sort to find out how many.

In this blog post we will see how to create a dynamic collection that lists all devices with a pending reboot. This collection should always be on your checklist for troubleshooting.

Also, I will give you SSRS reports that show the count of pending-reboot devices in a collection by operating system, with a drilldown report to see the list of all clients with their client inventory.

Before we create the collection, we need to know where this information is stored in WMI. Collections use WQL, hence you need the class and property name.

Restart information is stored in the SMS_CombinedDeviceResources class, in the ClientState property.

Anything that is not 0 (ClientState != 0) is treated as a pending reboot.

The value is a bitmask of the four restart reasons (1, 2, 4 and 8), so the applicable states for a client with a pending reboot are:

1 – Configuration Manager
2 – File Rename
3 – Configuration Manager, File Rename
4 – Windows Update
5 – Configuration Manager, Windows Update
6 – File Rename, Windows Update
7 – Configuration Manager, File Rename, Windows Update
8 – Add or Remove Feature
9 – Configuration Manager, Add or Remove Feature
10 – File Rename, Add or Remove Feature
11 – Configuration Manager, File Rename, Add or Remove Feature
12 – Windows Update, Add or Remove Feature
13 – Configuration Manager, Windows Update, Add or Remove Feature
14 – File Rename, Windows Update, Add or Remove Feature
15 – Configuration Manager, File Rename, Windows Update, Add or Remove Feature

Create a device collection, choose query based, and paste the following WQL code into it.

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System join sms_combineddeviceresources on
sms_combineddeviceresources.resourceid = sms_r_system.resourceid
where sms_combineddeviceresources.clientstate != 0

image

We have just created a collection that lists the devices with a pending reboot. You can now decide whether to reboot them using client notification.

image

How do you reboot all devices at once? You cannot do it by right-clicking the collection; you must go into the collection, select all devices, right-click and use client notification. The collection level does not have a restart option.

Now we will look at the SSRS report.

With the information available in SCCM we could build a variety of reports; however, I am going with the following customisations.

A report with a custom collection and device restart type (Configuration Manager, Add or Remove Feature etc., multi-select). It shows the count of pending-restart devices by operating system.

The count has a drilldown report showing the list of clients with inventory information such as last hardware inventory, IP address, last MP, and software update scan.
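The state bitmask listed above and the parent/child report logic, as an added T-SQL example (this is not the blog's RDL code; the view and column names are assumed from the standard SCCM reporting views, and the collection name and OS value are constructed sample parameters):

```sql
-- Added example, not from the blog's RDL files.
-- Assumes the standard SCCM reporting views v_CombinedDeviceResources,
-- v_FullCollectionMembership and v_Collection (column names assumed from the
-- SCCM schema; verify against your site database).
DECLARE @CollectionName NVARCHAR(255) = N'All Desktop and Server Clients'; -- constructed sample

IF OBJECT_ID('tempdb..#PendingRestart') IS NOT NULL DROP TABLE #PendingRestart;

-- Collect every member of the collection whose ClientState is not 0 and
-- decode the bitmask: 1 = Configuration Manager, 2 = File Rename,
-- 4 = Windows Update, 8 = Add or Remove Feature.
SELECT
    cdr.Name,
    cdr.DeviceOS,
    cdr.ClientState,
    STUFF(
          CASE WHEN (cdr.ClientState & 1) = 1 THEN N', Configuration Manager' ELSE N'' END
        + CASE WHEN (cdr.ClientState & 2) = 2 THEN N', File Rename'           ELSE N'' END
        + CASE WHEN (cdr.ClientState & 4) = 4 THEN N', Windows Update'        ELSE N'' END
        + CASE WHEN (cdr.ClientState & 8) = 8 THEN N', Add or Remove Feature' ELSE N'' END,
        1, 2, N'') AS RestartReason,            -- strip the leading ', '
    cdr.LastHardwareScan,
    cdr.LastMPServerName,
    cdr.IsActive                                -- inactive clients keep a stale ClientState
INTO #PendingRestart
FROM v_CombinedDeviceResources cdr
JOIN v_FullCollectionMembership fcm ON fcm.ResourceID = cdr.MachineID
JOIN v_Collection col               ON col.CollectionID = fcm.CollectionID
WHERE col.Name = @CollectionName
  AND cdr.ClientState <> 0;                     -- anything other than 0 is a pending restart

-- Parent report: pending-restart count per operating system.
SELECT DeviceOS, COUNT(*) AS PendingRestartCount
FROM #PendingRestart
GROUP BY DeviceOS
ORDER BY PendingRestartCount DESC;

-- Child (drilldown) report: the devices behind one OS count, with inventory detail.
-- The OS value would be passed from the parent report; constructed sample here.
SELECT Name, RestartReason, ClientState, LastHardwareScan, LastMPServerName, IsActive
FROM #PendingRestart
WHERE DeviceOS = N'Microsoft Windows NT Workstation 10.0'
ORDER BY Name;
```

Use the IsActive column to separate genuinely pending restarts from inactive clients that simply never reported back after their last pending-restart status.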

Parent Report:

image

Click the Pending Restart count (shown in blue) to see the list of all clients with that particular OS.

Child Report (Drilldown Report):

The child report has 3 parameters: collection name, restart state name and OS. All these parameters are passed to the child report from the parent report.

image

You might see a pending reboot for clients that are inactive; this is because the client never reported back to SCCM after its pending-restart status message, and the state will remain the same until the device comes online and reports its status.

You must run the parent report to get to the child report. If you try to run the child report directly, you will run into issues, which is expected and is because of the hidden parameters in the child report.

How to get the reports ?

Download the RDL files from the TechNet Gallery, extract them, upload the files to your SSRS reports (make sure both reports are in the same folder), change the data source and run the reports.

Reference:

https://blogs.technet.microsoft.com/meamcs/2019/01/10/understanding-and-using-the-pending-restart-feature-in-sccm-current-branch/
