Category Archives: Configuration Manager 2007

ConfigMgr WMI Query ‘Not’ Statement

I had a scenario on a client site where I needed to ensure the ‘Disable Bitlocker’ action did not run for virtual machines. I did not have the MDT Toolkit running ‘In OS’, so I could not pull in the ‘IsVM’ variable; instead I wanted to exclude based on attributes retrievable from WMI.

Instead of the normal ‘like’ statements I used the below which you could adapt:

SELECT * FROM Win32_ComputerSystem WHERE NOT Model LIKE "%VMware Virtual Platform%"

SELECT * FROM Win32_ComputerSystem WHERE NOT Model LIKE "%Virtual Machine%"

For me this covered both VMware and Hyper-V virtual machines.

Pause a Task Sequence in ConfigMgr

There are many ways to achieve the above, but the scenario where I find this fits in most is with ConfigMgr 2012’s new Application model, which, while it has its pros, certainly has a long way to go in order to completely replace packages.

The main issue I have seen on client sites has been around their use in a Task Sequence after a reboot. After the restart the machine comes online again and the agent re-establishes a connection. Particularly on machines with an SSD drive, everything happens very quickly and sometimes the build ends up failing with a (405) error, which is simply the Task Sequence trying to run before it can walk, so to speak.

To allow it time to get up to speed, a pause works great. The disadvantage of using a script is that it’s yet another package, and if the problem is a package not communicating, another package will likely hit the same issue.

This is a simple command line step utilizing PING which is right out of the box 🙂

Simply create and amend as you wish, but 1 minute is usually more than enough.

[Image: Pause]

Web Reporting not working in ConfigMgr 2007

This morning I was working on an item for a client when I had to amend the IIS Request Filtering options to allow an application to deploy. After amending the config file, instead of simply restarting the site in IIS, autopilot took over and I performed it from the PowerShell cmdlet (IISRESET).

Anyway, fast forward 1hr and when trying to view a web report I was getting an authentication screen popup, which strangely was working fine on the server using the same account accessing the same link.

Anyway after a bit of digging it turns out the following items had reset themselves and needed to be changed to allow the access denied box to go away:

Within IIS\[Your Web Site]\Reporting Site

Authentication

Ensure that under Windows Authentication > Advanced > Enable Kernel-mode authentication is set

[Image: IIS-1]

Also under Providers (just to the right on the context menu)

Ensure the Providers are configured as shown:

[Image: IIS-2]

I’ll make sure I use the website restart next time 🙂

Update Image offline with multiple Software Updates

With the ease at which ConfigMgr 2012 slipstreams updates into an image, which is both faster and negates the need for a technician VM, it is hard going back to 2007 when updates need to be layered on top of a core WIM.

Since Microsoft did not release SP2 of Windows 7, anyone who has tried to keep a pure gold vanilla build (essentially a Win 7 CD) and layer updates on top would have hit the max 87 updates threshold for the step in the Task Sequence a long time ago so you need to be creative with how you reach your end goal.

One option I have used when on a client site with a GOLD WIM full of apps etc., no build and capture in sight, and miles out of compliance with updates is the method below:

1) Create a Software Update Package with all the updates you would like to inject into the WIM.

2) Once the updates have been downloaded copy the entire contents of the package down onto a technician PC. The updates will look something like the below:

[Image: updates]

3) With these on your reference machine, note that inside each of these folders are the .cab files for the updates. I extracted these into 2 folders, x86 & x64, and then removed the other folders.
Example below:
[Image: patchlist]

I then proceeded to create a folder structure including the WIM I wanted to mount and inject along with the update directories as shown below (as you can see, the client has created a VERY LARGE core WIM!):

[Image: wim]

With all this in place you can then use the below PowerShell script to add in all of your updates.

*Note – Save the file as a .ps1 with your other items for cleanliness!
**Note – Items highlighted will depend on your environment so ensure you adjust as necessary

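***CODE START***
# Paths below depend on your environment; adjust as necessary
$UpdatesPath = "C:\WIM\Patches\x86\*"
$MountPath = "C:\WIM\Mount"
$WimFile = "C:\WIM\Win7office2010 BaseBuild.wim"
# Mount image index 2 of the WIM into the mount directory
DISM /Mount-Wim /WimFile:$WimFile /index:2 /Mountdir:$MountPath
# Collect every extracted update in the patch folder
$UpdateArray = Get-Item $UpdatesPath
ForEach ($Updates in $UpdateArray)
{
    # Inject one update at a time, passing its full path to DISM
    DISM /image:$MountPath /Add-Package /Packagepath:$($Updates.FullName)
    Start-Sleep -s 10
}
Write-Host "Updates Applied to WIM"
# Commit the changes, unmount the image and clean up stale mount resources
DISM /Unmount-Wim /Mountdir:$MountPath /commit
DISM /Cleanup-Wim
***CODE END***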

Run this from an elevated PowerShell window and you should see it cycle through the updates:

[Image: dism]

The progress can also be monitored from the DISM Log – C:\Windows\Logs\DISM\Dism.log
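
Because everything in the patch folder ends up inside the image, it is worth checking the packages before the injection script runs. The following is an added example, not part of the original post: it verifies the Authenticode signature of every .cab in the update folder and stops if any package is unsigned, tampered with or not signed by Microsoft. The function name, the manifest path and the signer match are assumptions made for illustration, and it assumes PowerShell 4.0 or later.

```powershell
# Added example: verify update packages before they are injected into the WIM.
# Paths follow the folder layout used in the post; adjust for your environment.
$UpdatesPath  = "C:\WIM\Patches\x86"
# Assumption: the manifest is written outside the patch folder so the
# injection script's wildcard does not pick it up as a package.
$ManifestPath = "C:\WIM\verified-packages-x86.csv"

function Test-UpdatePackage {
    param([Parameter(Mandatory = $true)][string]$Path)

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status
        Signer  = $signer
        Sha256  = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        # 'Valid' means the hash matches and the chain ends in a trusted root.
        # Assumption: every package in this folder should be Microsoft-signed.
        Trusted = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')
    }
}

$results = @(Get-ChildItem -Path $UpdatesPath -Filter *.cab -File |
    ForEach-Object { Test-UpdatePackage -Path $_.FullName })

if ($results.Count -eq 0) {
    throw "No .cab files found in $UpdatesPath; nothing to verify."
}

$rejected = @($results | Where-Object { -not $_.Trusted })
if ($rejected.Count -gt 0) {
    $rejected | Format-Table Path, Status, Signer -AutoSize
    throw "$($rejected.Count) package(s) failed signature verification; do not inject."
}

# Keep a record of exactly which files (and hashes) went into the image.
$results | Export-Csv -Path $ManifestPath -NoTypeInformation
Write-Host "$($results.Count) package(s) verified; manifest written to $ManifestPath"
```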

Failed to Add Update Source for WUAgent

Ever seen this before?????

[Image: SUP2]

Fairly common issue when you have an unsuspecting GPO in your environment taking some precedence over ConfigMgr. Well, what if you don’t have one????

Working on a piece of work for a client who had around 3% of their clients reporting as ‘Compliance Unknown’ and this error was reported in WUAHandler.log

After ruling out anything to do with ConfigMgr and a Group Policy applying it turned out that there was a ‘jammed’ GPO policy on the end client which was resolved by deleting the following file:

C:\Windows\System32\GroupPolicy\Machine\Registry.pol

As this was a machine setting, after this was cleared and the machine restarted to force a policy update from a DC, the next time a Software Update Scan was initiated the Software Update cycle began, and on the Software Evaluation cycle the updates began to install!
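
Before removing the file it helps to record its state and keep a copy, since it holds the machine's local policy settings. The following is an added example, not part of the original post: it checks that Registry.pol starts with the expected header (the ASCII signature PReg followed by a 32-bit version of 1) and moves the file aside rather than deleting it. The function name, the $ForceReset switch and the backup naming are assumptions made for illustration; run it elevated on PowerShell 3.0 or later.

```powershell
# Added example: inspect the local machine policy file and move it aside with a backup.
$PolPath    = 'C:\Windows\System32\GroupPolicy\Machine\Registry.pol'
# Assumption: set to $true to reset a file whose header is fine but which is
# still suspected of being stuck, as in the case described in the post.
$ForceReset = $false

function Test-RegistryPol {
    param([Parameter(Mandatory = $true)][string]$Path)

    $file   = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    $header = New-Object byte[] 8
    $stream = [System.IO.File]::OpenRead($file.FullName)
    try     { $read = $stream.Read($header, 0, 8) }
    finally { $stream.Dispose() }

    # Well-formed file: bytes 0-3 are 'PReg', bytes 4-7 are the version (1).
    $headerValid = ($read -eq 8) -and
        ([System.Text.Encoding]::ASCII.GetString($header, 0, 4) -ceq 'PReg') -and
        ([System.BitConverter]::ToUInt32($header, 4) -eq 1)

    [pscustomobject]@{
        Path          = $file.FullName
        Length        = $file.Length
        LastWriteTime = $file.LastWriteTime
        HeaderValid   = $headerValid
    }
}

$state = Test-RegistryPol -Path $PolPath
$state | Format-List

if (-not $state.HeaderValid -or $ForceReset) {
    # Keep the old file as evidence instead of deleting it outright.
    $backup = '{0}.{1:yyyyMMddHHmmss}.bak' -f $PolPath, (Get-Date)
    Move-Item -LiteralPath $PolPath -Destination $backup
    Write-Host "Moved policy file to $backup; restart the machine to refresh policy."
}
else {
    Write-Host "Registry.pol header is valid; file left in place."
}
```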

Trigger Configuration Manager Actions via WMIC

Quite often when working on Software Updating projects I am aiming to bring compliance up quite quickly inside a change window and need to leverage the ability to quicken the agent’s poll for certain actions. Most of the common tasks can be placed in a program and deployed out to machines rather than initiating these steps manually.

An example of initiating a Software Update scan is below:

WMIC /namespace:\\root\ccm path sms_client CALL TriggerSchedule "{00000000-0000-0000-0000-000000000113}" /NOINTERACTIVE

There are a number of additional triggers which can be interchanged into the above command.

{00000000-0000-0000-0000-000000000001} Hardware Inventory
{00000000-0000-0000-0000-000000000002} Software Inventory
{00000000-0000-0000-0000-000000000003} Discovery Inventory
{00000000-0000-0000-0000-000000000010} File Collection
{00000000-0000-0000-0000-000000000011} IDMIF Collection
{00000000-0000-0000-0000-000000000012} Client Machine Authentication
{00000000-0000-0000-0000-000000000021} Request Machine Assignments
{00000000-0000-0000-0000-000000000022} Evaluate Machine Policies
{00000000-0000-0000-0000-000000000023} Refresh Default MP Task
{00000000-0000-0000-0000-000000000024} LS (Location Service) Refresh Locations Task
{00000000-0000-0000-0000-000000000025} LS (Location Service) Timeout Refresh Task
{00000000-0000-0000-0000-000000000026} Policy Agent Request Assignment (User)
{00000000-0000-0000-0000-000000000027} Policy Agent Evaluate Assignment (User)
{00000000-0000-0000-0000-000000000031} Software Metering Generating Usage Report
{00000000-0000-0000-0000-000000000032} Source Update Message
{00000000-0000-0000-0000-000000000037} Clearing proxy settings cache
{00000000-0000-0000-0000-000000000040} Machine Policy Agent Cleanup
{00000000-0000-0000-0000-000000000041} User Policy Agent Cleanup
{00000000-0000-0000-0000-000000000042} Policy Agent Validate Machine Policy / Assignment
{00000000-0000-0000-0000-000000000043} Policy Agent Validate User Policy / Assignment
{00000000-0000-0000-0000-000000000051} Retrying/Refreshing certificates in AD on MP
{00000000-0000-0000-0000-000000000061} Peer DP Status reporting
{00000000-0000-0000-0000-000000000062} Peer DP Pending package check schedule
{00000000-0000-0000-0000-000000000063} SUM Updates install schedule
{00000000-0000-0000-0000-000000000071} NAP action
{00000000-0000-0000-0000-000000000101} Hardware Inventory Collection Cycle
{00000000-0000-0000-0000-000000000102} Software Inventory Collection Cycle
{00000000-0000-0000-0000-000000000103} Discovery Data Collection Cycle
{00000000-0000-0000-0000-000000000104} File Collection Cycle
{00000000-0000-0000-0000-000000000105} IDMIF Collection Cycle
{00000000-0000-0000-0000-000000000106} Software Metering Usage Report Cycle
{00000000-0000-0000-0000-000000000107} Windows Installer Source List Update Cycle
{00000000-0000-0000-0000-000000000108} Software Updates Assignments Evaluation Cycle
{00000000-0000-0000-0000-000000000109} Branch Distribution Point Maintenance Task
{00000000-0000-0000-0000-000000000110} DCM policy
{00000000-0000-0000-0000-000000000111} Send Unsent State Message
{00000000-0000-0000-0000-000000000112} State System policy cache cleanout
{00000000-0000-0000-0000-000000000113} Scan by Update Source
{00000000-0000-0000-0000-000000000114} Update Store Policy
{00000000-0000-0000-0000-000000000115} State system policy bulk send high
{00000000-0000-0000-0000-000000000116} State system policy bulk send low
{00000000-0000-0000-0000-000000000120} AMT Status Check Policy
{00000000-0000-0000-0000-000000000121} Application manager policy action
{00000000-0000-0000-0000-000000000122} Application manager user policy action
{00000000-0000-0000-0000-000000000123} Application manager global evaluation action
{00000000-0000-0000-0000-000000000131} Power management start summarizer
{00000000-0000-0000-0000-000000000221} Endpoint deployment reevaluate
{00000000-0000-0000-0000-000000000222} Endpoint AM policy reevaluate
{00000000-0000-0000-0000-000000000223} External event detection

These can be placed in a program and deployed to your clients.

WSUS Log Files

When interviewing or working with colleagues I often hear the question:

‘What is the best log file to look in if Updates are not deploying via ConfigMgr to clients????’

Well the answer is there is not just one. A number of log files work together to reflect the process of updates deploying and a few key ones I use are below:

Wsyncmgr.log
WUAHandler.log
Wsusctrl.log
WCM.log

Along with

Datatransfer.log
CAS.log

Often the issue will lie somewhere within these logs if the issue is specific to update deployment.

There is still the standard windowsupdate.log, but I find the above are more granular about where the issue lies if a problem was to occur!