In telemetry we trust?

More than patches

Telemetry is one of those things that tends to divide a room. On one hand it’s productive and accurate feedback for your product of choice and on the other hand it’s big brother spying on what you’re doing in that product. I wanted to share a recent experience with you based on my recent upgrade of Microsoft System Center Configuration Manager (SCCM) to the recent 1710 release as it may make you change your mind.

The long awaited 1710 release was made available last week a little before midnight in the UK on 20/11/17 (or 11/20 in the US). The next morning I fired up my lab which runs the current branch version of SCCM, ran the early update ring PowerShell script and proceeded to whizz through the wizard in a speedy not hastily fashion. This was lab after all so on with the day job and I’ll check…


ConfigMgr : Hardware Inventory flow

Being Configuration Manager Administrator

SCCM ..(Hardware Inventory)

Hardware Inventory

Hardware inventory is a feature in itself and functions independent to the other features of SCCM, but it closely depends on a successful deployment.

SCCM Setup has to complete successfully. The Hardware inventory feature on the server side solely depends on setup and successful SQL install. All the tables from the default sms_def.mof should get correctly created in SQL with the right credentials.

Similarly, for the hardware inventory agent to function as per requirements on the advanced client the client setup should have completed successfully and the client should have access to the MP for the advanced client. On the Advanced client the Inventory agent’s functionality is dependent on the running of the SMS Agent Host service (ccmexec).

The entire hardware inventory feature is dependent on the sms_def.mof file present in the clifiles.src\hinv folder on the SiteServer. If that file is deleted or made corrupt…

Power BI : Active Directory v/s SCCM Boundaries : [FREE PBIX]

Purpose :

Active Directory Sites and System Center Configuration Manager Boundaries are hard to keep in sync – especially in an environment where there are regular changes and several teams managing each technology separately.

This Power BI dashboard solution will help analyze and reduce the gaps in SCCM. The dashboard will help SCCM administrators / architects to resolve issues where clients are not covered – this helps in Client Health / Reporting and Compliance.

The dashboard is based off the Powershell script posted on Technet by Scott Breen and can be downloaded from here : https://gallery.technet.microsoft.com/Validate-Boundary-Group-d85ed496

How to use this :

A. The script can be configured to run on schedule via Scheduled Tasks on a server or via System Center Orchestrator.

B. The output CSV can be placed on a network share or local folder.

C. Power BI will read this csv and perform the necessary DAX operations.

D. Power BI can further be used to publish on o365 on the Power BI portal. Power BI gateway can be configured so that the content is autoupdated on a schedule. Embedded Power BI options can be used to inject the dashboard into Sharepoint or any site.

Backend engine :

The output of the script needs some further work before it is presentable.

The last column is the most important in this csv output – a result of ‘False’ indicates the machine is not covered by any SCCM Boundary. The other columns provide plenty of information – but it’s not really presentable or understandable from the get-go.

The conversion of the csv data from crude data to human readable format is performed by Power BI and via DAX. The csv file before conversion is available here – BoundaryCheck-csv

The PowerBI dashboard is configured to pull information from C:\PowerBI\adsite-vs-boundaries\Boundarycheck.csv

Get it now !

 

Download the PBIX.

ConfigMgr : Query to find SCCM client versions (ConfigMgr 2012)

download : SQLQuery-find-agentsversions


select sys.Client_Version0, "CM Name"=
case sys.Client_Version0
when '4.00.6487.2000' then 'CM07 SP2 (4.00.6487.2000)'
when '4.00.6487.2188' then 'CM07 R3 (4.00.6487.2188)'
when '4.00.6487.2187' then 'CM07 R3 (4.00.6487.2187)'
when '4.00.6487.2157' then 'CM07 R3 (4.00.6487.2157)'
when '5.00.0000.0000' then 'CM12 RTM (5.00.0000.0000)'
when '5.00.7804.1000' then 'CM12 SP1 (5.00.7804.1000)'
when '5.00.7804.1202' then 'CM12 SP1 CU1 (5.00.7804.1202)'
when '5.00.7804.1300' then 'CM12 SP1 CU2 (5.00.7804.1300)'
when '5.00.7804.1400' then 'CM12 SP1 CU3 (5.00.7804.1400)'
when '5.00.7958.1000' then 'CM12 R2 (5.00.7958.1000)'
when '5.00.7958.1101' then 'CM12 R2 KB 2905002(5.00.7958.1101)'
when '5.00.7958.1203' then 'CM12 R2 CU1 (5.00.7958.1203)'
when '5.00.7958.1303' then 'CM12 R2 CU2 (5.00.7958.1303)'
when '5.00.7958.1401' then 'CM12 R2 CU3 (5.00.7958.1401)'
else 'Others(non-Clients)'
End,count(*) [Total]
from v_R_System sys
where sys.Name0 not like 'unknown' and
sys.Client_Version0 not like '' and sys.Client_Version0 not like '0.0%'
group by sys.Client_Version0
order by Client_Version0

 

ConfigMgr : OSD : How To Create a Bootable USB Windows 7 Build Disk

Prerequisites

The following are required to build the Windows 7 USB Media:

  • Windows 7 Machine
  • USB Removable Drive

 

Step by Step: How to prepare the USB

The USB device must be prepared before generating the stand-alone media.

  1. On a Windows 7 PC, Insert the USB device and launch the command line in administrator mode
  2. Enter: “Diskpart” from a command line
  3. In disk part, Enter: “List Disk” – to view the disk number
  4. Select the device with the command “Select Disk 1” and substitute the number 1 with the correct device ID on your system. Make sure you select the correct device as the next step WILL DESTROY ALL DATA on the device selected.
  5. Enter: “clean” in the diskpart command line and hit “enter”
  6. Enter “create partition primary” in the diskpart command line and hit “enter”
  7. Enter “select partition 1” in the diskpart command line and hit “enter”
  8. Enter “format quick fs=ntfs” in the diskpart command line and hit “enter”
  9. Enter “active” in the diskpart command line and hit “enter”
  10. Enter “assign” in the diskpart command line and hit “enter”
  11. Enter “exit” in the diskpart command line and hit “enter”

 

For easy reference please check the below screen shot

dos.png

Now copy the content of the ISO.

ConfigMgr : SQL Query to find Application and version by location

Download :  SQLQuery-Findmachines-withoutlook-locationspecific


SELECT distinct
b.Netbios_Name0,
b.User_Name0,
b.ad_site_name0,
a.FileName,
a.FileVersion,
a.FilePath
FROM
v_GS_SoftwareFile a
JOIN v_R_System b ON a.ResourceID = b.ResourceID
JOIN v_RA_System_SystemOUName c ON a.ResourceID = c.ResourceID
WHERE FileName = 'outlook.exe' and AD_Site_Name0 like '%perth%'
ORDER BY
b.Netbios_Name0


			

ConfigMgr : Creating queries, collections and reports for Window Server 2008 Core in System Center Configuration Manager 2007

System Center Configuration Manager 2007 SP2 allows client installation on Windows Server 2008 Core systems* but it does not differentiate between Windows Server 2008 and Windows Server 2008 Core machines in either queries, collections or reports.

* Configuration Manager 2007 SP2 Supported Configurations: http://technet.microsoft.com/en-us/library/ee344146.aspx

To determine which SKU a particular machine is running, you can use the following command:

wmic OS get OperatingSystemSKU

SKUs for Windows Server 2008:

  • 12 = Windows Server 2008 Datacenter Edition (core)
  • 13 = Windows Server 2008 Standard Edition (core)
  • 14 = Windows Server 2008 Enterprise Edition (core)
  • 40 = Windows Server 2008 Standard Edition without Hyper-V (core)

Reference: http://msdn.microsoft.com/en-us/library/aa394239(VS.85).aspx

This field is only present on Windows Vista / Server 2008 upwards.  Running the command above on a Windows XP or Windows Server 2003 computer will result in the following error:

Node – Machine1
ERROR:
Code = 0x80041017
Description = Invalid query
Facility = WMI

NOTE The table and field in SQL are:

Table – v_HS_OPERATING_SYSTEM
Column – OperatingSystemSKU0

In WMI it is:

Class – SMS_G_System_OPERATING_SYSTEM

And

Property – OperatingSystemSKU

The first step is to modify the sms_def.mof by adding a section in Hardware Inventory to collect the version information from the clients within their WMI repository.  Modify the mof file at \<SCCM Server Install Folder>\inboxes\clifiles.src\hinv\sms_def.mof to include the following:

[ SMS_Report     (TRUE),
SMS_Group_Name ("Operating System"),
SMS_Class_ID   ("MICROSOFT|OPERATING_SYSTEM|1.0") ]
add >
[SMS_Report (TRUE)     ]
uint32     OperatingSystemSKU;

Once complete, you can do the following to speed up the process of the client reporting this information back to Configuration Manager.

– On the ConfigMgr console: Modify the hardware inventory agent to run at quicker interval.

– On the client: Trigger a ‘hardware inventory cycle’ on the client via the Configuration Manager applet in Control Panel

To verify that the collection took place, open the ConfigMgr admin console and navigate to Computer Management > Collections and right click on the client machine.  Click Start and then Resource Explorer > Hardware and click on Operating System.  A new column named  ‘OperatingSystemSKU’ should appear.

Creating a WQL Query

Once the OS information is being collected, you can use the query below to search for all Windows Server 2008 Core or Windows Server 2008 R2 Core systems only. To query for just Windows Server 2008 you can change %Server 6.% to %Server 6.0% or for Windows Server 2008 R2 you can change it to %Server 6.1%.

select SMS_R_System.Name, SMS_R_System.SMSAssignedSites, SMS_R_System.IPAddresses, SMS_R_System.IPSubnets, SMS_R_System.OperatingSystemNameandVersion, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.LastLogonUserDomain, SMS_R_System.LastLogonUserName, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceId, SMS_R_System.NetbiosName
from SMS_R_System
join SMS_G_System_OPERATING_SYSTEM on SMS_R_System.ResourceID = SMS_G_System_OPERATING_SYSTEM.ResourceID
where SMS_R_System.OperatingSystemNameandVersion like "%Server 6.%"
and SMS_G_System_OPERATING_SYSTEM.OperatingSystemSKU IN (12,13,14,40)

 

Creating a Collection

A new Collection can be created by importing the WQL Query Statement we used above.

 

Creating a Report

The SQL statement below will search for all unique Windows Server 2008 or Windows Server 2008 R2 machines:

select distinct
v_R_System.Name0 as 'Machine Name',
v_HS_OPERATING_SYSTEM.caption0 as 'OS Type',
CSDVersion0 as 'Service Pack Level',
case v_HS_OPERATING_SYSTEM.OperatingSystemSKU0
when 12 then 'Yes'
when 13 then 'Yes'
when 14 then 'Yes'
when 40 then 'Yes'
else 'No'
end as 'Windows Core'
from v_R_System
join v_HS_OPERATING_SYSTEM on v_R_System.resourceID = v_HS_OPERATING_SYSTEM.resourceID
where v_HS_OPERATING_SYSTEM.OperatingSystemSKU0 is not null

The SQL statement above  will exclude all machines that have NULL in the SKU field and display a column indicating if the machine is Core or not.

 

source ( my own post ) :

https://blogs.technet.microsoft.com/configurationmgr/2012/03/26/creating-queries-collections-and-reports-for-window-server-2008-core-in-system-center-configuration-manager-2007/

ConfigMgr : OSD : Build failure Troubleshooting and Logs gathering

During the Build process if you encounter any issues you can perform further investigation with the below mandatory information

  • Machine model
  • Error code with snapshot
  • Error stage with snapshot (may be hiding behind the Task Sequence error window)
  • Single system failure OR multiple systems failures
  • Build Failure Logs (as described below)
  • Mention if any HW component has been replaced on the machine

Troubleshooting Steps

  1. Do not restart the system when the build failure occurs and shows the Task Sequence error
  2. Please note the error code with snapshot
  3. Note the error stage – the stage at which the build failed (may be behind the Task Sequence error window)
  4. Press F8 key for Command Prompt
  5. Refer to the table below, OSD Logs Path, for the log location based on the failure stage
  6. Copy all the log files to the USB drive connected to System
  7. Attach the gathered logs with incident / email to us for investigation

OSD Logs Path

Smsts.log is found in different locations depending on the stage of failure:

Build Failure Stage | Log file location
WindowsPE, before HDD format | x:\windows\temp\smstslog\smsts.log
WindowsPE, after HDD format | x:\smstslog\smsts.log
Windows, SCCM agent not installed | c:\_SMSTaskSequence\Logs\Smstslog\smsts.log
Windows x64, SCCM agent installed | c:\windows\sysWOW64\ccm\logs\Smstslog\smsts.log
Task Sequence completed x64 | c:\windows\sysWOW64\ccm\logs\smsts.log

Network Setup and Domain Join

For issues related to Build failure at domain joining step please gather the below logs

%SystemRoot%\debug\netsetup.log

ConfigMgr : Machine added to a ConfigMgr group is not captured during the Delta Discovery Process (ConfigMgr 2007)

When adding machines to a Security group you usually want them to appear in the collection quickly although there can be a delay while waiting on full discovery.  If increasing the Full Discovery Polling schedule is not an option, we wondered if there might be another way to speed up this process by getting the machine’s updated memberof information captured via the Delta Discovery process.

To test this we added machine A to Security Group – Computers-TEST.  We also created a collection based on the security group Computers-TEST:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemGroupName = "SMS\\Computers-TEST"

We then enabled delta discovery [default 5 minutes] on the following:

Active Directory System Discovery
Active Directory System Group Discovery
Active Directory Security Group Discovery

Unfortunately when the delta discovery process ran there was no DDR created for the machine A.  We checked the LDAP search filters that were applied [for the LDAP path specified in the discovery method] and found the following in the Active Directory Security Group Discovery log:

search filter = ‘(&(uSNChanged>=149673)(&(objectCategory=group)(groupType:1.2.840.113556.1.4.804:=2147483648)))’
The above LDAP filter checks for any Security Group with a uSNChanged value greater than or equal to 149672.
information available here >
1.2.840.113556.1.4.804 = LDAP_MATCHING_RULE_BIT_OR

A match is found if any bits from the attribute match the value. This rule is equivalent to a bitwise OR operator (http://msdn.microsoft.com/en-us/library/windows/desktop/aa746475(v=vs.85).aspx).

2147483648 = ADS_GROUP_TYPE_SECURITY_ENABLED (http://msdn.microsoft.com/en-us/library/windows/desktop/ms677935(v=vs.85).aspx)

We checked the Active Directory System Discovery log and found this:

search filter = ‘(&(uSNChanged>=149673)(&(objectClass=user)(objectCategory=computer)))’

The same was found in the Active Directory System Group Discovery log:

search filter = ‘(&(uSNChanged>=149673)(&(objectClass=user)(objectCategory=computer)))’

Both of the above LDAP filters check for objects of class user and category computer whose uSNChanged value is greater than or equal to the value given.

NOTE The default logging does not indicate what Active Directory Attributes are to be viewed. These are listed on the Active Directory System Discovery > Properties > Active Directory Attribute tab.

We then manually ran the LDAP search filters via LDP and found that when adding a computer to a security group, the security group’s uSNChanged value increases and the computer’s uSNChanged value remains the same.

The ‘member’ attribute changes on the security group which triggers the uSNChanged bump.  The USN value for the machine does not increase as it is a “back link” attribute that is not populated like normal attributes (source : http://technet.microsoft.com/en-us/library/cc961761.aspx).

So the uSNChanged value of the machine has to increase for System Group Discovery Process to create a DDR for that machine, and only then will the attribute be fetched. Delta Discovery does not capture this occurrence of change in the machine due to this “back link” factor, hence the full discovery process is required for the machine to appear.

A workaround would be to change a field like the ‘Description’ field which then bumps up the uSNChanged value.  This  gets captured via the System Group Discovery Process and a DDR is created.
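The behaviour described above can be reproduced offline with a small model. This is an added example, not code from the original post or from ConfigMgr: the Directory class, the starting USN, the group DN and the function names are constructed for illustration, and groupType is treated as an unsigned value.

```python
# Toy model (constructed data, not AD or ConfigMgr code) of uSNChanged
# behaviour for linked attributes and the two delta discovery filters.
ADS_GROUP_TYPE_SECURITY_ENABLED = 0x80000000  # 2147483648


class Directory:
    def __init__(self, start_usn=149672):  # constructed starting USN
        self.highest_usn = start_usn
        self.objects = {}

    def _bump(self, dn):
        # Any write to an object stamps it with the next USN.
        self.highest_usn += 1
        self.objects[dn]["uSNChanged"] = self.highest_usn

    def add(self, dn, category, classes, group_type=0):
        self.objects[dn] = {"objectCategory": category, "objectClass": classes,
                            "groupType": group_type, "member": [],
                            "description": ""}
        self._bump(dn)

    def add_member(self, group_dn, member_dn):
        # 'member' is the forward link and is written on the group only.
        self.objects[group_dn]["member"].append(member_dn)
        self._bump(group_dn)

    def member_of(self, dn):
        # Back link: derived from the groups' 'member' values, never stored
        # on the computer, so the computer's uSNChanged does not move.
        return [g for g, o in self.objects.items() if dn in o["member"]]

    def set_description(self, dn, text):
        self.objects[dn]["description"] = text
        self._bump(dn)


def delta_computers(d, usn):
    # (&(uSNChanged>=usn)(&(objectClass=user)(objectCategory=computer)))
    return sorted(dn for dn, o in d.objects.items()
                  if o["uSNChanged"] >= usn and "user" in o["objectClass"]
                  and o["objectCategory"] == "computer")


def delta_security_groups(d, usn):
    # groupType:1.2.840.113556.1.4.804:=2147483648 -> match if any mask bit is set
    return sorted(dn for dn, o in d.objects.items()
                  if o["uSNChanged"] >= usn and o["objectCategory"] == "group"
                  and (o["groupType"] & ADS_GROUP_TYPE_SECURITY_ENABLED) != 0)


def run_scenario():
    d = Directory()
    pc = "CN=Machine-A,OU=Computers,DC=contoso,DC=com"
    grp = "CN=Computers-TEST,OU=Groups,DC=contoso,DC=com"  # constructed DN
    d.add(pc, "computer", ["top", "person", "organizationalPerson", "user", "computer"])
    d.add(grp, "group", ["top", "group"], ADS_GROUP_TYPE_SECURITY_ENABLED | 0x2)
    watermark = d.highest_usn + 1          # where the next delta cycle starts
    d.add_member(grp, pc)
    after_add = (delta_computers(d, watermark), delta_security_groups(d, watermark))
    d.set_description(pc, "touched")       # the workaround from the text
    return after_add, delta_computers(d, watermark), d.member_of(pc)
```

After the membership change only the group passes its delta filter; the computer appears in the computer filter only once its own attribute has been written.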

Here’s how to run the LDAP filters manually.  The example below shows a list of computers with an uSNChanged value above 149673:

launch ‘ldp.exe’ >
connection > connect ‘leave the name field blank’ – default port 389
connection > bind > default is ‘bind as currently logged on user’ > ok
Browse > Search >
Base DN : DC=contoso,DC=com
Filter : search filter = ‘(&(uSNChanged>=149673)(&(objectClass=user)(objectCategory=computer)))’
Scope – select ‘Subtree’
Attributes – add uSNChanged – so it would look like
objectclass;name;description;canonicalName;usnchanged
now Hit – Run

The output will look something like this:

ldap_search_s(ld, “DC=contoso,DC=com”, 2, “(&(uSNChanged>=149673)(&(objectClass=user)(objectCategory=computer)))”, attrList, 0, &msg)
Getting 1 entries:
Dn: CN=Machine-A,OU=Computers,DC=contoso,DC=com
canonicalName: contos.com/computers/machine-A;
description: its time for change !;
name: Computer-A;
objectClass (2): top; person; organizationlPerson; user; computer;
uSNChanged: 149689;

The above ldap output indicates that 1 entry returned the computer “Machine-A” whose uSNChanged value was 149689 (higher than the search filter).

Reference article:

How to poll for object attribute changes in Active Directory on Windows 2000 and Windows Server 2003: http://support.microsoft.com/kb/891995

 

source : (my own post) https://blogs.technet.microsoft.com/configurationmgr/2012/03/27/machine-added-to-a-configmgr-group-is-not-captured-during-the-delta-discovery-process/

ConfigMgr : Discovery Methods in System Center Configuration Manager 1706 CB

In today’s tutorial, we learn about the discovery methods in System Center Configuration Manager.

We have the below discovery methods in System Center Configuration Manager.
– Active Directory Forest Discovery
– Active Directory Group Discovery
– Active Directory System Discovery
– Active Directory User Discovery
– Heartbeat Discovery
– Network Discovery

Active Directory Forest Discovery

By enabling Active Directory Forest Discovery, we can find resources from AD forests. When you configure the forests to discover AD sites and subnets, configuration manager can automatically create boundaries from this information.

Active Directory Group Discovery
By enabling Active Directory Group Discovery, we can discover the resources using AD group membership of computers and users.

Active Directory System Discovery
By enabling Active Directory System Discovery, we can find the computers in Active Directory Domain Services.

Active Directory User Discovery
By enabling Active Directory User Discovery, we can find the user accounts in AD domain Services.

Heartbeat Discovery
By configuring these settings, we can configure interval for configuration manager clients to periodically send a discovery data record to the site.

Network Discovery
By configuring these settings, we can configure settings and polling intervals to discover resources on the network like subnets, SNMP-enabled.

We can enable all these discovery methods by following below steps.
Log in to the Configuration Manager console, go to Administration, expand Hierarchy Configuration and click on Discovery Methods; the results pane lists all the discovery methods. To enable one, go to the properties of each discovery method.
Thank you for reading ☺
Keep Learning ☺