I had a scenario on a client site where I needed to ensure the ‘Disable BitLocker’ action did not run for virtual machines. I did not have the MDT Toolkit running ‘In OS’, so I could not pull in the ‘IsVM’ variable; I therefore wanted to exclude based on attributes retrievable from WMI.
Instead of the normal ‘like’ statements I used the below which you could adapt:
SELECT * FROM Win32_ComputerSystem WHERE NOT Model LIKE "%VMware Virtual Platform%"
SELECT * FROM Win32_ComputerSystem WHERE NOT Model LIKE "%Virtual Machine%"
For me this covered both VMware and Hyper-V virtual machines.
There are many ways to achieve the above, but the scenario where I find this fits in most is with ConfigMgr 2012’s new Application model, which, while it has its pros, certainly has a long way to go in order to completely replace the packages.
The main issue I have seen on client sites has been around their use in a Task Sequence after a reboot. After the restart the machine comes online again and the agent re-establishes a connection. Particularly on machines with an SSD drive, everything happens very quickly and sometimes the build ends up failing with a (405) error, which is simply the Task Sequence trying to run before it can walk, so to speak.
To allow it time to get up to speed, a pause works great. The disadvantage of using a script is that it’s yet another package; if it has an issue with not communicating, another package will likely hit the same issue.
This is a simple command line step utilizing PING which is right out of the box 🙂
Simply create and amend as you wish, but 1 minute is usually more than enough.
This morning I was working on an item for a client when I had to amend the IIS Request Filtering options to allow an application to deploy. After amending the config file, instead of simply restarting the site in IIS, autopilot took over and I performed it from the PowerShell cmdlet (IISRESET).
Anyway, fast forward 1hr and when trying to view a Web report I was getting an authentication screen popup, which strangely was working fine on the server using the same account accessing the same link.
After a bit of digging it turns out the following items had reset themselves and needed to be changed to make the access denied box go away:
Within IIS\[Your Web Site]\Reporting Site
Authentication
Ensure that under Windows Authentication > Advanced > Enable Kernel-mode authentication is set
Also under Providers (just to the right on the context menu)
Ensure the Providers are configured as shown:
I’ll make sure I use the website restart next time 🙂
With the ease with which ConfigMgr 2012 makes slipstreaming updates into an image, which is both faster and negates the need for a technician VM, it is hard going back to 2007 when updates are required to layer on top of a core WIM.
Since Microsoft did not release SP2 of Windows 7, anyone who has tried to keep a pure gold vanilla build (essentially a Win 7 CD) and layer updates on top would have hit the max 87 updates threshold for the step in the Task Sequence a long time ago, so you need to be creative with how you reach your end goal.
One option I have used when on a client site with a GOLD WIM full of apps etc., no build and capture in sight, and miles out of compliance with updates is the method below:
1) Create a Software Update Package with all the updates you would like to inject into the WIM.
2) Once the updates have been downloaded copy the entire contents of the package down onto a technician PC. The updates will look something like the below:
3) With these on your reference machine, inside each of these folders are .cab files for the updates. I extracted these into 2 folders x86 & x64 and then removed the other folders.
Example below:
I then proceeded to create a folder structure including the WIM I wanted to mount and inject along with the update directories as shown below (as you can see, the client has created a VERY LARGE core WIM!):
With all this in place you can then use the below PowerShell script to add in all of your updates.
*Note – Save the file as a .ps1 with your other items for cleanliness!
**Note – Items highlighted will depend on your environment so ensure you adjust as necessary
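The script itself did not survive on this page. As an added example (not the original script), the following uses the DISM PowerShell cmdlets to mount the WIM, add every .cab from one architecture folder, and commit the image. All paths, the image index and the file names are assumptions; run it elevated on a machine with the DISM module (Windows 8 / Server 2012 or later).

```powershell
# Added example: inject extracted .cab updates into an offline WIM.
# Paths, file names and the image index are assumptions for illustration.
param(
    [string]$WimPath   = 'D:\WIMUpdate\core.wim',
    [int]   $Index     = 1,
    [string]$MountDir  = 'D:\WIMUpdate\Mount',
    [string]$UpdateDir = 'D:\WIMUpdate\x64'   # point at the x86 folder for a 32-bit image
)
$ErrorActionPreference = 'Stop'

# Keep an untouched copy so a bad servicing run can be rolled back.
Copy-Item -Path $WimPath -Destination "$WimPath.bak" -Force

New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $WimPath -Index $Index -Path $MountDir | Out-Null

$failed = @()
try {
    $cabs = @(Get-ChildItem -Path $UpdateDir -Filter *.cab -Recurse | Sort-Object Name)
    foreach ($cab in $cabs) {
        try {
            Add-WindowsPackage -Path $MountDir -PackagePath $cab.FullName | Out-Null
            Write-Host "Added  $($cab.Name)"
        }
        catch {
            # A package DISM rejects (for example one that is not applicable
            # to this image) is recorded and the run continues.
            $failed += $cab.Name
            Write-Warning "Failed $($cab.Name): $($_.Exception.Message)"
        }
    }
    # Commit the serviced image back into the WIM.
    Dismount-WindowsImage -Path $MountDir -Save | Out-Null
}
catch {
    # Anything unexpected: unmount without committing changes.
    Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
    throw
}

Write-Host "$($cabs.Count - $failed.Count) of $($cabs.Count) packages added."
if ($failed) {
    # Leave a record of what still needs deploying after imaging.
    $failed | Set-Content -Path (Join-Path (Split-Path $WimPath) 'failed-updates.txt')
}
```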
This is a fairly common issue when you have an unsuspecting GPO in your environment taking some precedence over ConfigMgr. Well, what if you don’t have one?
I was working on a piece of work for a client who had around 3% of their clients reporting as ‘Compliance Unknown’, and this error was reported in WUAHandler.log
After ruling out anything to do with ConfigMgr and a Group Policy applying, it turned out that there was a ‘jammed’ GPO policy on the end client, which was resolved by deleting the following file:
As this was a machine setting, after this was cleared and the machine restarted to force a policy update from a DC, the next time a Software Update Scan was initiated the Software Update cycle began, and on the Software Evaluation cycle the updates began to install!
Quite often when working on Software Updating projects I am aiming to bring compliance up quite quickly inside a change window and need to leverage the ability to quicken the agent’s poll for certain actions. Most of the common tasks can be placed in a program and deployed out to machines rather than initiating these steps manually.
An example of initiating a Software Update scan is below:
When interviewing or working with colleagues I often hear the question:
‘What is the best log file to look in if Updates are not deploying via ConfigMgr to clients?’
Well the answer is there is not just one. A number of log files work together to reflect the process of updates deploying and a few key ones I use are below:
Wsyncmgr.log
WUAHandler.log
Wsusctrl.log
WCM.log
Along with
Datatransfer.log
CAS.log
Often the issue will lie somewhere within these logs if the issue is specific to update deployment.
There is still the standard windowsupdate.log, but I find the above are more granular about where the issue lies if a problem were to occur!