SCCM (English)

Update rollup for System Center Configuration Manager current branch, version 1702, is now available

The Official Configuration Manager Support Team Blog -

An update rollup for System Center Configuration Manager current branch, version 1702, is now available. This update is available for installation in the Updates and Servicing node of the Configuration Manager console. Please note that if the Service Connection Point is in offline mode, you must re-import the update so that it is listed in the Configuration Manager console. Refer to Updates for System Center Configuration Manager for details.

For complete details regarding the update rollup for ConfigMgr current branch v1702, including the list of issues that are fixed, please see the following:

4019926 – Update rollup for System Center Configuration Manager current branch, version 1702 (https://support.microsoft.com/help/4019926)

Update 1705 for Configuration Manager Technical Preview Branch released

The Official Configuration Manager Support Team Blog -

We are happy to let you know that update 1705 for the Technical Preview Branch of System Center Configuration Manager has been released. Technical Preview Branch releases give you an opportunity to try out new Configuration Manager features in a test environment before they are made generally available. For information on this month’s new preview features, please see the following:

Update 1705 for Configuration Manager Technical Preview Branch – Available Now!

Configuration Manager SQL queries to help IT Pros report on KBs related to WannaCrypt

The Official Configuration Manager Support Team Blog -

The following is shared by CSS Support Escalation Engineer Vinay Pamnani, to help give the IT Pro some sample queries that may assist them in their security update compliance reporting as it relates to WannaCrypt. It is provided as a sample and NOT to be taken as a definitive compliance posture information source. As with all Software Update compliance information, the queries below rely on current and accurate scan result information in the ConfigMgr database. The sample queries below have had limited testing against ConfigMgr version 1702 and SQL Server 2016.

Official Customer Guidance for WannaCrypt attacks: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

General information on ransomware: https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx

Microsoft Malware Protection Center blog: https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/

MS17-010 Security Update: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

The simplest and most generally recommended approach is to deploy the latest CU to Windows 10 or Server 2016 systems, and to deploy the latest Monthly Rollup to pre-Windows 10 machines, and use the built-in ConfigMgr Compliance reports to determine overall compliance.

However, the following queries can also enable admins to report on MS17-010 compliance.

What do these queries do?

Pre-Windows 10 machines:

Windows 8.1 and Server 2012 R2 machines that do not report KB2919355 as installed will be returned by the query. This is because KB2919355 is required for the later KBs to be reported as applicable. So, these systems can be considered at risk and require further investigation.

For the Windows Vista, Windows 7, Windows 8.1, Windows Server 2008 R2 SP1, Windows Server 2008 SP2, Windows Server 2012, and Windows Server 2012 R2 query below, the systems returned are those that do not have any of the March, April, or May monthly rollups installed -AND- are reporting the following specific ‘Security Only’ updates as ‘Required’:

Windows Vista and Server 2008 SP2: KB4012598
Windows 7 and Server 2008 R2 SP1: KB4012212
Windows Server 2012: KB4012214
Windows Server 2012 R2 and Windows 8.1: KB4012213

    -- For Windows 7, Server 2008 R2 SP1, Windows Server 2012, Server 2012 R2 and Windows 8.1, Windows Vista and Server 2008 SP2
    -- This query lists machines that are reporting any of the 'Security Only' updates as 'Required'.
    -- If any machine has either March, April or May Monthly Rollup installed, then they wouldn't report March 'Security Only' update as 'Required', but look for the Monthly updates anyway.
    -- Also include any Windows 8.1 and Server 2012 R2 machines which do not report 'KB2919355' as Installed.
    DECLARE @MarchSecurityOnly TABLE (ArticleID NVARCHAR(20))
    INSERT INTO @MarchSecurityOnly VALUES ('4012212')
    INSERT INTO @MarchSecurityOnly VALUES ('4012213')
    INSERT INTO @MarchSecurityOnly VALUES ('4012214')
    INSERT INTO @MarchSecurityOnly VALUES ('4012598')

    DECLARE @MarchMonthly TABLE (ArticleID NVARCHAR(20))
    INSERT INTO @MarchMonthly VALUES ('4012215')
    INSERT INTO @MarchMonthly VALUES ('4015549')
    INSERT INTO @MarchMonthly VALUES ('4019264')
    INSERT INTO @MarchMonthly VALUES ('4012216')
    INSERT INTO @MarchMonthly VALUES ('4015550')
    INSERT INTO @MarchMonthly VALUES ('4019215')
    INSERT INTO @MarchMonthly VALUES ('4012217')
    INSERT INTO @MarchMonthly VALUES ('4015551')
    INSERT INTO @MarchMonthly VALUES ('4019216')

    DECLARE @KB2919355 NVARCHAR(10) = '2919355' -- Pre-req

    SELECT
           RS.Name0,
           UI.ArticleID as ArticleID,
           UI.BulletinID as BulletinID,
           UI.Title as Title,
           SN.StateDescription AS State,
           UCS.LastStatusCheckTime AS LastStateReceived,
           UCS.LastStatusChangeTime AS LastStateChanged,
           UI.CI_UniqueID AS UniqueUpdateID
    FROM v_Update_ComplianceStatusReported UCS
    JOIN v_UpdateInfo UI ON UCS.CI_ID = UI.CI_ID
    JOIN v_R_System RS ON RS.ResourceType=5 AND RS.ResourceID = UCS.ResourceID
    JOIN v_StateNames SN ON SN.TopicType=500 AND SN.StateID=2 AND SN.StateID = UCS.Status
    WHERE UI.ArticleID IN (SELECT ArticleID FROM @MarchSecurityOnly)
    AND RS.Name0 NOT IN (
           -- Monthly is installed
           SELECT distinct RS.Name0
           FROM v_Update_ComplianceStatusReported UCS
           JOIN v_UpdateInfo UI ON UCS.CI_ID = UI.CI_ID
           JOIN v_R_System RS ON RS.ResourceType=5 AND RS.ResourceID = UCS.ResourceID
           JOIN v_StateNames SN ON SN.TopicType=500 AND SN.StateID=3 AND SN.StateID = UCS.Status
           WHERE UI.ArticleID IN (SELECT ArticleID FROM @MarchMonthly)
    )
    UNION
    -- Windows 8.1 and Server 2012 R2 machines that do not report KB2919355 as Installed.
    SELECT
           distinct RS.Name0,
           UI.ArticleID as ArticleID,
           UI.BulletinID as BulletinID,
           'KB2919355' as Title,
           'Update is not Installed' AS State,
           NULL AS LastStateReceived,
           NULL AS LastStateChanged,
           'KB2919355' AS UniqueUpdateID
    FROM v_Update_ComplianceStatusReported UCS
    JOIN v_UpdateInfo UI ON UCS.CI_ID = UI.CI_ID
    JOIN v_R_System RS ON RS.ResourceType=5 AND RS.ResourceID = UCS.ResourceID
    JOIN v_StateNames SN ON SN.TopicType=500 AND SN.StateID = UCS.Status AND SN.StateID <> 3
    JOIN v_GS_OPERATING_SYSTEM OS ON RS.ResourceID = OS.ResourceID AND OS.BuildNumber0 = '9600' -- Windows 8.1 and Server 2012 R2
    WHERE UI.ArticleID = @KB2919355

Windows 10 and Server 2016

For the Windows 10 and Server 2016 queries, there are 2 scenarios that may apply depending on an environment’s configuration on the expiry of superseded updates in ConfigMgr. For more information on this, see the Supersedence rules section on TechNet and this.

Scenario 1: Customers with Supersedence rule NOT set to ‘Immediately expire’:

If the superseded updates are not expired and therefore still available in ConfigMgr, you can use the following query to help identify Windows 10 and Windows Server 2016 systems that do not have the March CU or a subsequent CU installed. Please note that for the March CU data to be evaluated, the ‘months to wait before an update is expired’ value in ConfigMgr must be set high enough that the March update has not expired. The same consideration applies to the subsequent updates. If this does not apply to your environment, try the approach in Scenario 2: Customers with Supersedence rule set to ‘Immediately expire’ (or not long enough).

For the following Windows 10 and Server 2016 versions, the query below returns systems that do not have any of the listed monthly CUs, released in March or later (through the date of this post), installed:

Win10  RTM: KB4012606, KB4019474, KB4015221, KB4016637
Win10 1511: KB4013198, KB4015219, KB4016636, KB4019473
Win10 1607/Server 2016: KB4013429, KB4015217, KB4015438, KB4016635, KB4019472

    -- Windows 10 machines that do not have the March (or any of the superseding updates) installed, and could be 'at risk'.
    -- These queries are OS dependent, since we are querying individual KB's, and need to compare those KB's against proper builds to prevent getting inaccurate results.

    -- Windows 10 RTM
    DECLARE @BuildNumberRTM INT = '10240'
    DECLARE @MarchWin10 TABLE (ArticleID NVARCHAR(20))
    INSERT INTO @MarchWin10 VALUES ('4012606') -- March Cumulative
    INSERT INTO @MarchWin10 VALUES ('4019474')
    INSERT INTO @MarchWin10 VALUES ('4015221')
    INSERT INTO @MarchWin10 VALUES ('4016637')

    SELECT RS.Name0, OS.BuildNumber0
    FROM v_R_System RS
    JOIN v_GS_OPERATING_SYSTEM OS ON RS.ResourceID = OS.ResourceID AND OS.BuildNumber0 = @BuildNumberRTM
    WHERE RS.Name0 NOT IN (
           SELECT RS.Name0
           FROM v_Update_ComplianceStatusReported UCS
           JOIN v_UpdateInfo UI ON UCS.CI_ID = UI.CI_ID
           JOIN v_R_System RS ON RS.ResourceType=5 AND RS.ResourceID = UCS.ResourceID
           JOIN v_StateNames SN ON SN.TopicType=500 AND SN.StateID=3 AND SN.StateID = UCS.Status
           JOIN v_GS_OPERATING_SYSTEM OS ON OS.ResourceID = RS.ResourceID AND OS.BuildNumber0 = @BuildNumberRTM
           WHERE UI.ArticleID IN (SELECT ArticleID FROM @MarchWin10)
    )

    -- Windows 10 1511
    DECLARE @BuildNumber1511 INT = '10586'
    DECLARE @MarchWin101511 TABLE (ArticleID NVARCHAR(20))
    INSERT INTO @MarchWin101511 VALUES ('4013198') -- March Cumulative
    INSERT INTO @MarchWin101511 VALUES ('4015219')
    INSERT INTO @MarchWin101511 VALUES ('4016636')
    INSERT INTO @MarchWin101511 VALUES ('4019473')

    SELECT RS.Name0, OS.BuildNumber0
    FROM v_R_System RS
    JOIN v_GS_OPERATING_SYSTEM OS ON RS.ResourceID = OS.ResourceID AND OS.BuildNumber0 = @BuildNumber1511
    WHERE RS.Name0 NOT IN (
           SELECT RS.Name0
           FROM v_Update_ComplianceStatusReported UCS
           JOIN v_UpdateInfo UI ON UCS.CI_ID = UI.CI_ID
           JOIN v_R_System RS ON RS.ResourceType=5 AND RS.ResourceID = UCS.ResourceID
           JOIN v_StateNames SN ON SN.TopicType=500 AND SN.StateID=3 AND SN.StateID = UCS.Status
           JOIN v_GS_OPERATING_SYSTEM OS ON OS.ResourceID = RS.ResourceID AND OS.BuildNumber0 = @BuildNumber1511
           WHERE UI.ArticleID IN (SELECT ArticleID FROM @MarchWin101511)
    )

    -- Windows 10 1607
    DECLARE @BuildNumber1607 INT = '14393'
    DECLARE @MarchWin101607 TABLE (ArticleID NVARCHAR(20))
    INSERT INTO @MarchWin101607 VALUES ('4013429') -- March Cumulative
    INSERT INTO @MarchWin101607 VALUES ('4015217')
    INSERT INTO @MarchWin101607 VALUES ('4015438')
    INSERT INTO @MarchWin101607 VALUES ('4016635')
    INSERT INTO @MarchWin101607 VALUES ('4019472')

    SELECT RS.Name0, OS.BuildNumber0
    FROM v_R_System RS
    JOIN v_GS_OPERATING_SYSTEM OS ON RS.ResourceID = OS.ResourceID AND OS.BuildNumber0 = @BuildNumber1607
    WHERE RS.Name0 NOT IN (
           SELECT RS.Name0
           FROM v_Update_ComplianceStatusReported UCS
           JOIN v_UpdateInfo UI ON UCS.CI_ID = UI.CI_ID
           JOIN v_R_System RS ON RS.ResourceType=5 AND RS.ResourceID = UCS.ResourceID
           JOIN v_StateNames SN ON SN.TopicType=500 AND SN.StateID=3 AND SN.StateID = UCS.Status
           JOIN v_GS_OPERATING_SYSTEM OS ON OS.ResourceID = RS.ResourceID AND OS.BuildNumber0 = @BuildNumber1607
           WHERE UI.ArticleID IN (SELECT ArticleID FROM @MarchWin101607)
    )

Scenario 2: Customers with Supersedence rule set to ‘Immediately expire’ (or not long enough):

Since CUs are superseded each month, and expired due to the ConfigMgr Supersedence Rules option being set to ‘Immediately Expire’, compliance data is not available on the expired update – in this scenario, you will, however, have compliance data on the newest CU available, so the simplest path forward would be to deploy the latest CU and report against it.

Alternate Options (for Windows 10 and Server 2016):

Alternative options to the above, that may help determine ‘at risk’ machines, by reporting on the expired CU, are as follows:

A. Extend Hardware Inventory to include Win32_QuickFixEngineering, and use this data to identify ‘at risk’ machines. If a machine has none of the March, April or May CUs installed, it is ‘at risk’. NOTE that if you do not have this already enabled and enable it now, you would need to wait for all the clients to report Hardware Inventory.

    -- Customers with Win32_QuickFixEngineering class enabled for HINV can use these queries.
    -- Windows 10 machines that do not have the March (or any of the superseding updates) installed and could be 'at risk'.
    -- These queries are OS dependent, since we are querying individual KB's, and need to compare those KB's against proper builds to prevent getting inaccurate results.
    -- Query limits results for machines that have at least one row in v_GS_Quick_Fix_Engineering class to ensure there is some HINV data for the machine for this class.

    -- Windows 10 RTM
    DECLARE @BuildNumberRTM INT = '10240'
    DECLARE @MarchWin10 TABLE (ArticleID NVARCHAR(20))
    INSERT INTO @MarchWin10 VALUES ('4012606') -- March Cumulative
    INSERT INTO @MarchWin10 VALUES ('4019474')
    INSERT INTO @MarchWin10 VALUES ('4015221')
    INSERT INTO @MarchWin10 VALUES ('4016637')

    SELECT RS.Name0, OS.BuildNumber0, QFE.HotFixID0, COUNT(QFEALL.HotFixID0) AS TotalHotfixes
    FROM v_R_System RS
    JOIN v_GS_OPERATING_SYSTEM OS ON OS.ResourceID = RS.ResourceID AND OS.BuildNumber0 = @BuildNumberRTM
    JOIN v_GS_QUICK_FIX_ENGINEERING QFEALL ON QFEALL.ResourceID = RS.ResourceID
    LEFT JOIN v_GS_QUICK_FIX_ENGINEERING QFE ON QFE.ResourceID = RS.ResourceID AND QFE.HotFixID0 IN (SELECT 'KB' + ArticleID FROM @MarchWin10)
    WHERE QFE.HotFixID0 IS NULL
    GROUP BY RS.Name0, OS.BuildNumber0, QFE.HotFixID0
    HAVING COUNT(QFEALL.HotFixID0) > 0

    -- Windows 10 1511
    DECLARE @BuildNumber1511 INT = '10586'
    DECLARE @MarchWin101511 TABLE (ArticleID NVARCHAR(20))
    INSERT INTO @MarchWin101511 VALUES ('4013198') -- March Cumulative
    INSERT INTO @MarchWin101511 VALUES ('4015219')
    INSERT INTO @MarchWin101511 VALUES ('4016636')
    INSERT INTO @MarchWin101511 VALUES ('4019473')

    SELECT RS.Name0, OS.BuildNumber0, QFE.HotFixID0, COUNT(QFEALL.HotFixID0) AS TotalHotfixes
    FROM v_R_System RS
    JOIN v_GS_OPERATING_SYSTEM OS ON OS.ResourceID = RS.ResourceID AND OS.BuildNumber0 = @BuildNumber1511
    JOIN v_GS_QUICK_FIX_ENGINEERING QFEALL ON QFEALL.ResourceID = RS.ResourceID
    LEFT JOIN v_GS_QUICK_FIX_ENGINEERING QFE ON QFE.ResourceID = RS.ResourceID AND QFE.HotFixID0 IN (SELECT 'KB' + ArticleID FROM @MarchWin101511)
    WHERE QFE.HotFixID0 IS NULL
    GROUP BY RS.Name0, OS.BuildNumber0, QFE.HotFixID0
    HAVING COUNT(QFEALL.HotFixID0) > 0

    -- Windows 10 1607
    DECLARE @BuildNumber1607 INT = '14393'
    DECLARE @MarchWin101607 TABLE (ArticleID NVARCHAR(20))
    INSERT INTO @MarchWin101607 VALUES ('4013429') -- March Cumulative
    INSERT INTO @MarchWin101607 VALUES ('4015217')
    INSERT INTO @MarchWin101607 VALUES ('4015438')
    INSERT INTO @MarchWin101607 VALUES ('4016635')
    INSERT INTO @MarchWin101607 VALUES ('4019472')

    SELECT RS.Name0, OS.BuildNumber0, QFE.HotFixID0, COUNT(QFEALL.HotFixID0) AS TotalHotfixes
    FROM v_R_System RS
    JOIN v_GS_OPERATING_SYSTEM OS ON OS.ResourceID = RS.ResourceID AND OS.BuildNumber0 = @BuildNumber1607
    JOIN v_GS_QUICK_FIX_ENGINEERING QFEALL ON QFEALL.ResourceID = RS.ResourceID
    LEFT JOIN v_GS_QUICK_FIX_ENGINEERING QFE ON QFE.ResourceID = RS.ResourceID AND QFE.HotFixID0 IN (SELECT 'KB' + ArticleID FROM @MarchWin101607)
    WHERE QFE.HotFixID0 IS NULL
    GROUP BY RS.Name0, OS.BuildNumber0, QFE.HotFixID0
    HAVING COUNT(QFEALL.HotFixID0) > 0

B. Create a Configuration Item and Baseline which queries the March, April and May CU’s from Win32_QuickFixEngineering and reports Compliance. Here’s a sample PowerShell script written by Umair Khan that can be used in a DCM Baseline:

    # Collect the installed hotfix IDs as one string so each KB can be matched against it.
    $InstalledKBList = Get-WmiObject -Class Win32_QuickFixEngineering -Namespace "root\cimv2" | Select-Object -Property HotFixID | Out-String
    [array]$WannaCryList = "KB4012598", "KB4012212", "KB4012215", "KB4012213", "KB4012216", "KB4012214", "KB4012217", "KB4012606", "KB4013198", "KB4013429", "KB4015219", "KB4015221", "KB4016636", "KB4015438", "KB4015550", "KB4015551", "KB4016637", "KB4019473", "KB4016635", "KB4018466", "KB4015552", "KB4019215", "KB4019216", "KB4019474", "KB4019472", "KB4019264"
    $Compliant = 0
    # The machine is reported compliant (1) as soon as any KB in the list is found.
    foreach ($elem in $WannaCryList)
    {
        if ($InstalledKBList -match $elem)
        {
            #Write-Output "$elem Found"
            $Compliant = 1
            break
        }
    }
    # Value returned to the DCM baseline
    $Compliant
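A build-aware variant of the Win32_QuickFixEngineering check in options A and B, as an added example (not Umair Khan's script and not Microsoft's code): it only accepts the KBs this page lists for the machine's own OS build and separates "no inventory" and the KB2919355 prerequisite from "at risk". The KB numbers are the ones in the queries above; the build numbers 6002, 7601 and 9200, the grouping of the monthly rollups per OS, the function names, the result strings and the sample inventories are assumptions added here.

```powershell
# Added example (not the page's script): build-aware MS17-010 check.
# KB numbers come from the lists on this page. Assumptions added here: the build
# numbers 6002, 7601 and 9200, and which monthly rollups belong to which OS.
$Ms17010ByBuild = @{
    '6002'  = @('KB4012598')                                        # Vista / Server 2008 SP2
    '7601'  = @('KB4012212', 'KB4012215', 'KB4015549', 'KB4019264') # 7 / Server 2008 R2 SP1
    '9200'  = @('KB4012214', 'KB4012217', 'KB4015551', 'KB4019216') # Server 2012
    '9600'  = @('KB4012213', 'KB4012216', 'KB4015550', 'KB4019215') # 8.1 / Server 2012 R2
    '10240' = @('KB4012606', 'KB4019474', 'KB4015221', 'KB4016637') # Windows 10 RTM
    '10586' = @('KB4013198', 'KB4015219', 'KB4016636', 'KB4019473') # Windows 10 1511
    '14393' = @('KB4013429', 'KB4015217', 'KB4015438', 'KB4016635', 'KB4019472') # 1607 / Server 2016
}

function Get-Ms17010State {
    param(
        [Parameter(Mandatory = $true)][string]$BuildNumber,
        [string[]]$InstalledHotFixIds = @()
    )
    # Builds outside the table are not covered by the KB lists on this page.
    if (-not $Ms17010ByBuild.ContainsKey($BuildNumber)) { return 'NotEvaluated' }

    # Drop null/empty entries. No hotfix rows at all means missing inventory,
    # not a missing patch (the QFE queries apply the same rule with HAVING COUNT(...) > 0).
    $ids = @($InstalledHotFixIds | Where-Object { $_ })
    if ($ids.Count -eq 0) { return 'NoInventory' }

    # Any March, April or May update listed for this build counts as patched.
    $applicable = $Ms17010ByBuild[$BuildNumber]
    $matched = @($ids | Where-Object { $applicable -contains $_ })
    if ($matched.Count -gt 0) { return 'Compliant' }

    # Windows 8.1 / Server 2012 R2 without KB2919355 needs investigation first.
    if ($BuildNumber -eq '9600' -and $ids -notcontains 'KB2919355') {
        return 'PrerequisiteMissing'
    }
    return 'AtRisk'
}

function Get-LocalMs17010State {
    # What a configuration item would run on the client (Windows only).
    $build = (Get-WmiObject -Class Win32_OperatingSystem).BuildNumber
    $ids = @(Get-WmiObject -Class Win32_QuickFixEngineering | ForEach-Object { $_.HotFixID })
    Get-Ms17010State -BuildNumber $build -InstalledHotFixIds $ids
}

# Constructed sample inventories (not real machines), one per outcome.
$samples = @(
    @{ Name = 'W7-ROLLUP';    Build = '7601';  HotFixes = @('KB2999226', 'KB4019264') },
    @{ Name = 'W81-NOFIX';    Build = '9600';  HotFixes = @('KB2919355', 'KB3000850') },
    @{ Name = 'W81-NOPREREQ'; Build = '9600';  HotFixes = @('KB2883200') },
    @{ Name = 'W10-1607';     Build = '14393'; HotFixes = @('KB3199986') },
    @{ Name = 'W10-NOHINV';   Build = '10240'; HotFixes = @() },
    @{ Name = 'W10-1703';     Build = '15063'; HotFixes = @('KB4016871') }
)
foreach ($s in $samples) {
    $state = Get-Ms17010State -BuildNumber $s.Build -InstalledHotFixIds $s.HotFixes
    '{0,-13} {1,-6} {2}' -f $s.Name, $s.Build, $state
}
```

In a configuration item, call Get-LocalMs17010State instead of the sample loop and set the compliance rule to expect the string Compliant.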

Summary of changes in System Center Configuration Manager current branch, version 1702

The Official Configuration Manager Support Team Blog -

Update 1702 for System Center Configuration Manager current branch (ConfigMgr 1702) contains many changes that are intended to prevent issues and improve features. A list of these changes and fixes is available in the KB article below. Keep in mind that this list is not comprehensive; however, it does include the items that the product development team believes are the most relevant to most customers. Many of these changes are in response to customer feedback about product issues and ideas for product improvement. For information about what has been fixed and/or updated, please see the following article:

4022075 – Summary of changes in System Center Configuration Manager current branch, version 1702 (https://support.microsoft.com/help/4022075)

ConfigMgr 1702 is available both as an in-console update to be installed at the top-most site in a hierarchy and as baseline media for new site installations. For more information about installing ConfigMgr 1702, see Checklist for installing update 1702 for System Center Configuration Manager.

Configuring Email Notification for Configuration Manager Reports

The Official Configuration Manager Support Team Blog -

This blog is a step-by-step example of configuring email notification for Configuration Manager Reports, as well as deleting the email subscriptions. We will also cover some of the background changes (such as in the database and the SSRS config file) that happen when things are implemented.

Introduction

“Email notification of Reports,” as the name suggests, is used to create a notification for any report we need to get at a specific time or at repeated intervals. You can get a report link by email, or you can get the report itself mailed to you. You can use a local SMTP service or a remote SMTP server or forwarder to support e-mail delivery. If you have access to an existing remote SMTP server, you should consider using it.

Steps to create email subscription

Browse to Monitoring\Overview\Reporting\Reports in the SCCM console. Select any report for which you want to create an email subscription and click Create Subscription at the top of the console, as shown below:

When the Create Subscription Wizard opens, Report delivered by will have only one option, Windows File Share. You will not see any option for creating an email notification.

To get Email option, we need to configure SSRS (SQL Server Reporting Services) first. Open Reporting Services Configuration Manager console and go to E-mail Settings.

Configure the Sender Address and SMTP Server details and click Apply; it will be configured as shown below:

When the E-mail Settings are applied, this information is written to the rsreportserver.config file, which you can find at the following location:

<Installation Drive>:\Program Files\Microsoft SQL Server\MSRS12.MSSQLSERVER\Reporting Services\ReportServer

The value MSRS12.MSSQLSERVER varies with the version of SQL Server, for example MSRS11.MSSQLSERVER. If we open rsreportserver.config and search for the name of our SMTP server, we will find the updated information there, as shown below:

NOTE: Please do not open this file, because if you make an accidental change in it, you will end up breaking your SSRS (SQL Server Reporting Services). The only reason for including the screenshot is to share the information for troubleshooting scenarios; for example, you configured the e-mail settings in SSRS but the change is not reflected or fails to apply.
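For the troubleshooting case in the note above, a read-only check of the e-mail delivery section, as an added example that is not part of the original post: it parses the XML in memory and compares it with the values entered in E-mail Settings, without writing to the file. The function names, the trimmed sample XML and its host and address values are constructed for illustration; run it against a copy of the real file.

```powershell
# Added example: read-only check of the e-mail delivery settings in rsreportserver.config.
# $sampleConfig is a constructed, trimmed stand-in for the real file; values are placeholders.
$sampleConfig = [xml]@'
<Configuration>
  <Extensions>
    <Delivery>
      <Extension Name="Report Server FileShare" />
      <Extension Name="Report Server Email">
        <Configuration>
          <RSEmailDPConfiguration>
            <SMTPServer>smtp.contoso.local</SMTPServer>
            <SMTPServerPort>25</SMTPServerPort>
            <SMTPUseSSL>False</SMTPUseSSL>
            <SendUsing>2</SendUsing>
            <SMTPAuthenticate>0</SMTPAuthenticate>
            <From>sccm-reports@contoso.local</From>
          </RSEmailDPConfiguration>
        </Configuration>
      </Extension>
    </Delivery>
  </Extensions>
</Configuration>
'@

function Get-RsEmailSettings {
    param([Parameter(Mandatory = $true)][xml]$Config)
    $xpath = "//Extension[@Name='Report Server Email']/Configuration/RSEmailDPConfiguration"
    $node = $Config.SelectSingleNode($xpath)
    if ($null -eq $node) { return $null }   # e-mail delivery section not present
    $settings = @{}
    foreach ($name in 'SMTPServer', 'SMTPServerPort', 'SendUsing', 'SMTPUseSSL', 'SMTPAuthenticate', 'From') {
        $value = ''
        $child = $node.SelectSingleNode($name)
        if ($null -ne $child) { $value = $child.InnerText.Trim() }
        $settings[$name] = $value
    }
    return $settings
}

function Test-RsEmailSettings {
    param(
        [Parameter(Mandatory = $true)][xml]$Config,
        [Parameter(Mandatory = $true)][string]$ExpectedSmtpServer,
        [Parameter(Mandatory = $true)][string]$ExpectedFrom
    )
    $s = Get-RsEmailSettings -Config $Config
    if ($null -eq $s) { return @('Report Server Email section is missing from the config file') }
    $findings = @()
    if ($s.SMTPServer -eq '') {
        $findings += 'SMTPServer is empty: the E-mail Settings were not applied'
    } elseif ($s.SMTPServer -ne $ExpectedSmtpServer) {
        $findings += "SMTPServer is '$($s.SMTPServer)', expected '$ExpectedSmtpServer'"
    }
    if ($s.From -ne $ExpectedFrom) {
        $findings += "From is '$($s.From)', expected '$ExpectedFrom'"
    }
    # Worth knowing when reports carry inventory or security data.
    if (@('True', '1') -notcontains $s.SMTPUseSSL) {
        $findings += 'SMTPUseSSL is not enabled: report mail goes to the SMTP server without SSL/TLS'
    }
    return $findings
}

# Against the constructed sample. For a real server, load a copy instead:
#   $config = [xml](Get-Content -LiteralPath '<path to a copy of rsreportserver.config>')
Test-RsEmailSettings -Config $sampleConfig -ExpectedSmtpServer 'smtp.contoso.local' -ExpectedFrom 'sccm-reports@contoso.local'
```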

Go back to SCCM console and try to create the Subscription again.

Now you will get an option for creating email subscription:

Select Email and it will appear like below:

Now configure the required fields as shown below. Also select whether you need just the report link, the report itself, or both, as well as the Report Format:

Click Next and specify the schedule as required.

Select the parameter value for which you need the Report.

Check the Summary and proceed further.

Complete the Setup and it's done.

If you enable verbose logging for the SCCM console, you see the information below in the logs. I have copied only a few lines and highlighted the important ones. You can see the following highlighted information:

  1. Report Name
  2. Available delivery extension
  3. Parameters you selected for Report
  4. DoWork and RunWorkerComplete steps.

SMSAdminUI.log

XML loaded from C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\\XmlStorage\Forms\createreportsubscriptionwizard.xml

[PRI1.contoso.local] : Retrieving report parameters for [/ConfigMgr_PRI/Administrative Security/Administration activity log].

[PRI1.contoso.local] : Found delivery extension [Report Server FileShare].

[PRI1.contoso.local] : Found delivery extension [Report Server Email].

[ParameterPresenter] Retreiving parameters for report [Administration activity log].

[ParameterPresenter] Loading parameters for report [/ConfigMgr_PRI/Administrative Security/Administration activity log].

[PRI1.contoso.local] : Retrieving report parameters for [/ConfigMgr_PRI/Administrative Security/Administration activity log].

[ParameterControl] [admin]: Initializing default values.

[ParameterControl] [admin]: Adding parameter value [<All values>] to the list of values.

[ParameterControl] [type]: Initializing default values.

[ParameterControl] [type]: Adding parameter value [0] to the list of values.

[ParameterControl] [DateRange]: Initializing default values.

backgroundWorkerPostApply_DoWork

backgroundWorkerPostApply_RunWorkerCompleted

This new subscription info will be inserted in the Report Server database with a unique SubscriptionID. You can verify this by running the query Select * from Subscriptions in the Report Server database, as shown below:

Browse to Monitoring\Overview\Reporting\Subscriptions to check the Subscription you created.

You can also make any changes to the subscription you created by going into the properties of the same.

Now you can receive Configuration Manager Reports on emails as scheduled automatically.

Steps to remove email subscription

The purpose of including this step is simply to save you from a console crash issue. Deleting the subscriptions appears very simple, and it is, but it must be done in the correct order as specified below.

  1. Delete the subscriptions from SCCM Console
  2. Delete the Email Settings from SSRS

Reason: If you delete the Email Settings from SSRS first, then every time you click on Subscription in the Configuration Manager console, it will crash.

Then you must either reconfigure the Email Settings in SSRS or manually delete all the existing subscriptions from the Report Server database to resolve the Configuration Manager console crash issue. So, it's better to follow the correct steps. Hope this is helpful to you. Happy Learning!

Additional Information

Configure a Report Server for E-Mail Delivery (SSRS Configuration Manager) https://msdn.microsoft.com/en-us/library/ms159155(v=sql.120).aspx

 

Rafid Ali, Support Engineer, Microsoft Enterprise Cloud Group

KB: Configuration Manager clients reinstall every five hours because of a recurring retry task and may cause an inadvertent client upgrade

The Official Configuration Manager Support Team Blog -

A Microsoft System Center 2012 or System Center 2012 R2 client installation (CCMSetup) initially fails and causes a client retry task to be registered in Windows Task Scheduler. After the client installation succeeds, the retry task is not deleted as expected. Therefore, the clients continue to reinstall every five hours.

In this situation, if you upgrade the System Center 2012 Configuration Manager infrastructure to System Center Configuration Manager Current Branch or Long-Term Servicing Branch, and if you do not upgrade the System Center 2012 Configuration Manager clients, the scheduled retry task continues to force a client reinstallation every five hours.

The next time that CCMSetup runs, the clients find an updated management point or distribution point, and they reinstall the client software. This upgrades the clients to System Center Configuration Manager.

These continual upgrades occur outside the normal upgrade process that is configured by the administrator. This includes the client piloting feature.

We have a new KB that describes this issue and gives options to resolve it and prevent an unwanted client upgrade. For more information, please see the following:

4018655 – Configuration Manager clients reinstall every five hours because of a recurring retry task and may cause an inadvertent client upgrade (https://support.microsoft.com/en-us/help/4018655)

Update 1704 for the Tech Preview Branch of System Center Configuration Manager released

The Official Configuration Manager Support Team Blog -

We are happy to let you know that update 1704 for the Technical Preview Branch of System Center Configuration Manager has been released. Technical Preview Branch releases give you an opportunity to try out new Configuration Manager features in a test environment before they are made generally available. For information on this month’s new preview features, please see the following:

Update 1704 for Configuration Manager Technical Preview Branch – Available Now!

Update for System Center Configuration Manager version 1702, first wave is now available

The Official Configuration Manager Support Team Blog -

Administrators who opted in to the first (early) wave deployment for System Center Configuration Manager current branch, version 1702, have an update available in the Updates and Servicing node of the Configuration Manager console. This update, made available on April 13, 2017, addresses important late-breaking issues that were discovered during the final release process for version 1702. This update does not apply to sites that update or install a copy of version 1702 that was downloaded after April 5, 2017.

For more information, including the issues fixed, please see the following:

4018732 – Update for System Center Configuration Manager version 1702, first wave (https://support.microsoft.com/kb/4018732)

Known Issue with the Windows ADK for Windows 10, version 1703

The Official Configuration Manager Support Team Blog -

Author: Aaron Czechowski, Senior Program Manager, System Center Configuration Manager (@AaronCzechowski)

*** This post serves as a notification of this issue while we continue to investigate root cause and determine the proper fix. We will update this post when we have more information. ***

We are investigating an issue with the recently released Windows Assessment and Deployment Kit (ADK) for Windows 10, version 1703. When installing this version of the Windows ADK on a system with SecureBoot enabled, the Windows Program Compatibility Assistant will display the following warning:

Several files included with the Deployment Tools feature of the Windows ADK, including wimount.sys, are digitally signed with an older certificate which is considered “unsigned” by newer operating systems, and thus blocked when SecureBoot is enabled. The wimount.sys driver is used by DISM for mount operations which is used on the Configuration Manager site server to create and service boot images, as well as perform offline servicing operations on OS Image and OS Upgrade Packages.

For customers using Configuration Manager current branch version 1702 and deploying Windows 10, version 1703, the following workarounds are currently available:

  1. Use the prior version of the Windows ADK, version 1607, for working with Windows 10, version 1703 boot and OS images. This forward compatibility is supported for basic imaging operations (capture/apply). This is our primary recommendation to unblock customers that need to deploy Windows 10, version 1703, via traditional OS deployment methods (imaging). (NOTE: Windows 10 in-place upgrade and Windows 10 servicing do not use any Windows ADK components, thus those scenarios are unaffected by this issue.)
  2. Disable SecureBoot. While technically an option, it is not recommended in production environments as this increases the potential risk to the server.

We will update this post as more information is available.

Finding site systems on unsupported OSes

The Official Configuration Manager Support Team Blog -

As previously announced, Windows Server 2008 and 2008 R2 are not supported operating systems for a site server or most site system roles in Configuration Manager current branch version 1702.  You will not be able to upgrade to this version of Configuration Manager if there are site system roles running on Windows Server 2008 in your hierarchy.

To assist you with lifecycle and upgrade planning we have provided a sample SQL script that will help identify the site systems associated with the current site that are running on an unsupported operating system.  We suggest running the script for the following scenarios:

  • Prior to starting the upgrade to Configuration Manager current branch version 1702 to identify machines which may potentially block setup. The script should be run individually on the CAS and all the primary site servers.
  • During the upgrade process after running the pre-req checker if you have received the unsupported OS warning or failure. You can run the script on the SQL Server of the site that received the warning or failure to help identify specific machines that are causing the pre-req check notifications.

e2e: Configuring a simple HTTP Reporting Services Point in Configuration Manager

The Official Configuration Manager Support Team Blog -

Previously I posted a blog on configuring a Reporting Services point for “HTTPS” in ConfigMgr, but I have seen people sometimes get confused by the certificate and URL configuration when they try to configure a simple HTTP Reporting Services point. The goal of this blog is to provide a step-by-step guide for configuring a Reporting Services Point in System Center Configuration Manager (on HTTP).

A brief introduction

Reporting in System Center 2012 Configuration Manager provides a set of tools and resources that help you use the advanced reporting capabilities of SQL Server Reporting Services (SSRS) and the rich authoring experience that Reporting Services Report Builder provides. Reporting helps you gather, organize, and present information about users, hardware and software inventory, software updates, applications, site status, and other Configuration Manager operations in your organization. Reporting provides you with a number of predefined reports that you can use without changes, or that you can modify to meet your requirements, and you can create custom reports.

SQL Server Reporting Services

SQL Server Reporting Services provides a full range of ready-to-use tools and services to help you create, deploy, and manage reports for your organization and programming features that enable you to extend and customize your reporting functionality. Reporting Services is a server-based reporting platform that provides comprehensive reporting functionality for a variety of data sources. Configuration Manager uses SQL Server Reporting Services as its reporting solution. Integration with Reporting Services provides the following advantages:

  • Uses an industry standard reporting system to query the Configuration Manager database.
  • Displays reports by using the Configuration Manager Report Viewer or by using Report Manager, which is a web-based connection to the report.
  • Provides high performance, availability, and scalability.
  • Provides subscriptions to reports that users can subscribe to; for example, a manager could subscribe to automatically receive an emailed report each day that details the status of a software update rollout.
  • Exports reports that users can select in a variety of popular formats.

In this example, we will use a scenario where my Report Server, SSRS (SQL Server Reporting Services) is locally hosted and the ConfigMgr Site Database is also located locally. However, you can have your Report Server at a Remote Site Server as well.

Verify that the Report Server version and the SCCM database version are the same, to make sure that we don’t have any SQL compatibility issues.

Open the Reporting Services Configuration Manager Console and check the version of the SQL Report Server.

Configuration of Report Server Database

Go to the “Database” tab in the ‘Reporting Services Configuration Manager Console’.

NOTE If the database was already created and configured when the SQL Reporting Services feature was installed, skip this part (Database Configuration); otherwise proceed with configuring the Report Server database.

In my case the Database named “ReportServer_new” is already created and configured but I am proceeding with configuration of a New Database just so that you can see how this is done.

Click on ‘Change Database’

Select “Create a new report server database” and click ‘Next’

Provide the server name where the SCCM Database instance is hosted and click on ‘Next’

Provide the name of Report Server Database you want to create. Here I have provided the name “ReportServer.”

Provide the credentials as per your environment configuration. I suggest “Local System” as a good one to use.

Click ‘Next’ to complete the configuration.

Click ‘Finish’ to complete

Once the Report Database is created you can verify the same by opening the SQL Management Console on the Site Database Server:

Configuration of URLs

Go to “Web Service URL”. You will find that the URL is already created on Port:80 but is not active. To make it active click on “Apply”.

Once you click on ‘Apply’, it will be Active and will appear like below:

Go to “Report Manager URL” and do the same.

Both URLs are Active now. Browse the ‘Web Service URL’ to make sure it is working.

Installation of the Reporting Services Point role

Go ahead and add the ‘Reporting Service Point’ Role on the Server hosting SQL Reporting Services. In my case it’s the Primary Site Server.


IMPORTANT While adding the role make sure that you specify the following:

  • “SCCM Site Database Server Name” at ‘Site Database Server Name’ (Example: PRI1.contoso.local)
  • “SCCM Site Database Name” at ‘Database Name’ (Example: CM_PRI)
  • “Reporting Service Instance Name” at ‘Reporting Services Server Instance’ (Example: MSSQLSERVER)
  • Set the “User Name” (Example: Contoso\Administrator)

Below is the screen shot for the same:

Once the role is added you can verify the initiation of role installation and start of the Bootstrap Service in Sitecomp.log

Sitecomp.log

Starting bootstrap operations… SMS_SITE_COMPONENT_MANAGER 27-03-2017 17:27:33 38092 (0x94CC)

Installed service SMS_SERVER_BOOTSTRAP_PRI1. SMS_SITE_COMPONENT_MANAGER 27-03-2017 17:27:33 38092 (0x94CC)

Starting service SMS_SERVER_BOOTSTRAP_PRI1 with command-line arguments “PRI C:\Program Files\Microsoft Configuration Manager /install C:\Program Files\Microsoft Configuration Manager\bin\x64\rolesetup.exe SMSSRSRP “… SMS_SITE_COMPONENT_MANAGER 27-03-2017 17:27:33 38092 (0x94CC)

“C:\Program Files\Microsoft Configuration Manager\bin\x64\rolesetup.exe /install /siteserver:PRI1.CONTOSO.LOCAL” executed successfully on server PRI1.CONTOSO.LOCAL. SMS_SITE_COMPONENT_MANAGER 27-03-2017 17:28:09 38092 (0x94CC)

Bootstrap operation successful. SMS_SITE_COMPONENT_MANAGER 27-03-2017 17:28:09 38092 (0x94CC)

Deinstalled service SMS_SERVER_BOOTSTRAP_PRI1. SMS_SITE_COMPONENT_MANAGER 27-03-2017 17:28:09 38092 (0x94CC)

Bootstrap operations completed. SMS_SITE_COMPONENT_MANAGER 27-03-2017 17:28:09 38092 (0x94CC)

Verify that the role was added successfully by looking in SRSRPsetup.log

SRSRPSetup.log

<03/27/17 17:27:55> No versions of SMSSRSRP are installed.  Installing new SMSSRSRP.

<03/27/17 17:27:55> Enabling MSI logging.  srsrp.msi will log to C:\Program Files\Microsoft Configuration Manager\logs\srsrpMSI.log

<03/27/17 17:27:55> Installing C:\Program Files\Microsoft Configuration Manager\bin\x64\srsrp.msi SRSRPINSTALLDIR=”C:\Program Files\SMS_SRSRP” SRSRPLANGPACKFLAGS=0

<03/27/17 17:28:08> srsrp.msi exited with return code: 0

<03/27/17 17:28:08> Installation was successful.

<03/27/17 17:28:08> Installation was successful.

Once the role installation is successful, look in the SRSRP.log and verify the HTTP URL you created. Also verify the SSRS Instance Version as well as the creation of the Source Folder and Data Source:

Once all of the above things are verified and configured, it will start creating respective Folders of those reports and deploying Reports:

Once all the reports are deployed it will check the SRS Web Service health and keep checking at regular intervals:

Now you can go ahead and Run the Reports from ConfigMgr Console as well as from the URL directly.

Additional Information

Introduction to reporting in System Center Configuration Manager

How to: Start Reporting Services Configuration Manager

Configuring Reporting in Configuration Manager

 

 

Rafid Ali, Support Engineer

Microsoft Enterprise Cloud Group

Reminder: Latest Improvements to the Simplified Servicing for Windows 7 and Windows 8.1

The Official Configuration Manager Support Team Blog -

Applies to: System Center Configuration Manager (all supported versions)

As previously announced, the Windows team has made some modifications to the servicing model for Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 to further simplify update deployment. Beginning with March 2017, the Security Only Quality Update will no longer include updates for Internet Explorer. The cumulative Internet Explorer update will again be available as a separate update.

With this separation, the Security Only Quality Update package size will be significantly reduced, but you will need to deploy and install the Cumulative Security Update for Internet Explorer to remain secure for the latest supported version of the browser if you elect not to deploy the Security Monthly Quality Rollup for Windows. The Monthly Rollup will continue to include updates for Internet Explorer, as a single additive update that provides all security and reliability fixes since the beginning of the new servicing model in October 2016.

If you’re currently deploying the Security Only Quality Updates with Configuration Manager, please make the necessary deployment process changes to also deploy the Cumulative Security Update for Internet Explorer to remain secure.

Please see the Reducing the package size of the Security Only update section for full details.

Anti-malware Platform Support

The Official Configuration Manager Support Team Blog -

Applies to: System Center Endpoint Protection (All Versions), Forefront Endpoint Protection 2010

Microsoft plans to release anti-malware platform updates once or twice per year through Microsoft Update (MU) to down-level operating systems (e.g. Windows 8.1 and below) running SCEP or FEP. Customers must stay current with the latest anti-malware platform update to be fully supported. Our support structure is now dynamic, evolving into two phases depending on the availability of the latest platform version.

  • Security and Critical Updates servicing phase – When running the latest anti-malware version, you will be eligible to receive both Security and Critical updates to the anti-malware platform.
  • Technical Support (Only) phase – After a new platform version is released, support for older versions (N-2) will reduce to technical support only. Platform versions older than N-2 will no longer be supported.*

*Technical support will continue to be provided for upgrades from the baseline version to the latest platform version.

NOTE: The platform updates for SCEP and FEP are published as follows: Category: Critical Updates, Product: Forefront Endpoint Protection 2010. Version 4.7 is the current baseline version for SCEP and FEP. Special MU detection logic and applicability rules are used to upgrade the baseline version directly to the latest platform version.

During the technical support (only) phase, commercially reasonable support incidents will be provided through Microsoft Customer Service & Support and Microsoft’s managed support offerings (such as Premier Support). If a support incident requires escalation to development for further guidance, requires a non-security update, or requires a security update, customers will be asked to upgrade to the latest platform version.

The version history table below will be updated as new platform updates are released.

(Platform versions older than N-2 are no longer supported.)

| Version | Availability Date | Support Phase |
|---|---|---|
| 4.7 (baseline) | February, 2015 | Technical Support (Only) for upgrades to the latest platform version |
| 4.8 | May, 2015 | Technical Support (Only) |
| 4.9 | April, 2016 | Technical Support (Only) |
| 4.10 | October, 2016 | Security and Critical Updates |

Configuration Manager 2007 and Windows Enforcement of SHA1 Certs

The Official Configuration Manager Support Team Blog -

Effective February 14, 2017, Windows no longer trusts certain certificates signed with SHA-1. System Center Configuration Manager 2007 supports SHA-1 but does not support SHA-2 certificates. If you use SHA-2 certificates with Configuration Manager 2007, Configuration Manager continues to operate as expected using SHA-1 fallback.

For more information, see Windows Enforcement of SHA1 certificates.

For later versions of Configuration Manager see,

ConfigMgr (current branch): Support Removal Reminder

The Official Configuration Manager Support Team Blog -

Applies to: System Center Configuration Manager (current branch)

We announced back on July 10th, 2015 that support for Windows Server 2008 R2 as a site server or most site system roles as well as SQL Server 2008 R2 for the site server database role would be removed in the first update version for ConfigMgr (current branch) released in 2017. Please see Deprecated operating systems and Deprecated support for SQL Server versions as a site database for more information.

As we approach the release of this update version, we wanted to publish this reminder. Please plan accordingly, as updating to future update versions may be blocked.

Additional Resources:

Device fails to join domain during a ConfigMgr OSD Task Sequence due to DC time synchronization issues

The Official Configuration Manager Support Team Blog -

We have all dealt with mysterious task sequence failures while imaging. Owing to the number and types of issues we run into, I decided to put together a series of posts that discuss the unexpected and undocumented task sequence failures that are triggered by environmental issues and configurations. This is Post 1 of the series, and it concerns an interesting issue I worked recently. This will help in troubleshooting domain join scenarios during operating system deployment.

The core issue is that a task sequence fails to join the machine to the domain during the Windows imaging process via Configuration Manager.

Assessment:

===========

We looked at the task sequence, made sure that the user name and password were typed correctly, and then we looked at the log files:

netsetup.log (c:\windows\debug)

12/20/2016 17:51:07:055 NetpValidateName: name ‘Polyone.com’ is valid for type 3

12/20/2016 17:51:07:086 NetUseAdd to \\machine1.contoso.com\IPC$ returned 2457

12/20/2016 17:51:07:086 NetpJoinDomain: status of connecting to dc ‘\\ DC1.contoso.com: 0x999

12/20/2016 17:51:07:086 NetpJoinDomainOnDs: Function exits with status of: 0x999

 

Setuperr.log

This server’s clock is not synchronized with the primary domain controller’s clock.

Setupact.log

2017-01-06 10:18:51, Error                        [DJOIN.EXE] Unattended Join: NetJoinDomain failed error code is [2457]

2017-01-06 10:18:51, Error                        [DJOIN.EXE] Unattended Join: Unable to join; gdwError = 0x999

 

Error 2457 translates to:

NERR_TimeDiffAtDC /* This server’s clock is not synchronized with the primary domain controller’s clock. */

Error 0x999 (2457 in hexadecimal) also translates to:

NERR_TimeDiffAtDC /* This server’s clock is not synchronized with the primary domain controller’s clock. */

We tried a manual domain join with the logged-on user, and it was successfully joined to the domain. That tells us that the issue is specific to the domain join process during OS deployment only.

We checked the domain controllers and found that the domain time was in sync. However, when we joined the machine using the same service account that was used in the task sequence, we saw the same error:

We tried another account and it went just as expected, so now it was clear that the issue was with the service account being used in the task sequence. We then took an ldifde dump of working users (successful domain joined accounts) and non-working users (failing accounts):

Non-Working user

ldifde -f test.ldf -d "CN=svc_SCCM,OU=Service,OU=Restricted Accounts,DC=Contoso,DC=com" -p subtree -s "DC1.Contoso.com"

Working user

ldifde -f test2.ldf -d "CN=Admin, ,OU=Users,DC=Contoso,DC=com" -p subtree -s "DC1.Contoso.com"

Upon comparison of these dumps, we determined that the UserAccountControl value for the bad account was 4260352, and for the good account it was set to 66048. We changed the UserAccountControl value of the failing account to 66048 and could now join the machine successfully through the task sequence.
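Added example (not part of the original post): the Python sketch below reads two ldifde-style exports, extracts userAccountControl and decodes its bit flags, showing that the two values reported above differ only in bit 0x400000 (DONT_REQ_PREAUTH, Kerberos pre-authentication not required). The LDIF text is constructed and the working account's DN is a placeholder; only the svc_SCCM DN and the two numeric values come from the post.

```python
import re

# userAccountControl bit flags as documented by Microsoft for Active Directory.
UAC_FLAGS = {
    0x0001: "SCRIPT", 0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED", 0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD", 0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED", 0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT", 0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD", 0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION", 0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY", 0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED", 0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

def decode_uac(value):
    """Return the names of all known flags set in a userAccountControl value."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}

def uac_from_ldif(text):
    """Map each entry's dn to its userAccountControl in an ldifde export."""
    text = re.sub(r"\r?\n ", "", text)  # unfold LDIF continuation lines
    result, dn = {}, None
    for line in text.splitlines():
        if line.lower().startswith("dn: "):
            dn = line[4:].strip()
        elif line.lower().startswith("useraccountcontrol: ") and dn:
            result[dn] = int(line.split(":", 1)[1])
    return result

# Constructed exports: the working DN is a placeholder, not taken from the post.
FAILING = ("dn: CN=svc_SCCM,OU=Service,OU=Restricted Accounts,\n DC=Contoso,DC=com\n"
           "changetype: add\nuserAccountControl: 4260352\n")
WORKING = ("dn: CN=working_user,OU=Users,DC=Contoso,DC=com\n"
           "changetype: add\nuserAccountControl: 66048\n")

def extra_flags(bad_ldif, good_ldif):
    """Flags set on the failing account(s) but not on the working one(s)."""
    bad = set().union(*(decode_uac(v) for v in uac_from_ldif(bad_ldif).values()))
    good = set().union(*(decode_uac(v) for v in uac_from_ldif(good_ldif).values()))
    return bad - good

if __name__ == "__main__":
    print(sorted(extra_flags(FAILING, WORKING)))
```

Decoding the flags rather than comparing raw integers also makes it easy to audit other service accounts for the same setting before they are used in a task sequence.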

Hope this helps! Do keep working and sharing! More on task sequence failures coming soon!

Anil Sood

Technical Advisor | Microsoft System Center Configuration Manager 

Disclaimer: This posting is provided “AS IS” with no warranties and confers no rights.

 
