Script to Set Cache Size on SCCM Clients

Here’s a quick and easy way to set or change the cache size on SCCM clients.  If your organization is anything like mine, the 5 GB default is never enough, especially using Nomad.

I also set this in my OSD task sequence for new PC builds.

Just create a package and run the following VBScript. An example command line for the program is: %systemroot%\system32\Wscript.exe SCCMCache.vbs

Option Explicit
Dim ClientResource, CacheInfo

' Connect to the ConfigMgr client's UI resource manager and read its cache settings
Set ClientResource = CreateObject("UIResource.UIResourceMgr")
Set CacheInfo = ClientResource.GetCacheInfo

CacheInfo.TotalSize = 27680 ' Change this to your new cache size in MB
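The same change in PowerShell, as an added example that is not part of the original post: it uses the same UIResource.UIResourceMgr COM object, but reads the current size first, skips the change when the cache is already at the target, and re-reads the value afterwards so a task sequence step fails visibly if the change did not take. The 27680 MB default mirrors the VBScript above and is an assumption.

```powershell
# Added example (not from the original post): set the ConfigMgr client cache size
# through UIResource.UIResourceMgr, the COM object the VBScript above uses, but
# only when it differs from the target, and verify the result by re-reading it.
param(
    [ValidateRange(1, 1048576)]
    [int]$TargetSizeMB = 27680    # assumed target; matches the VBScript above
)

$ui    = New-Object -ComObject 'UIResource.UIResourceMgr'
$cache = $ui.GetCacheInfo()

$before = $cache.TotalSize
Write-Output ("Current cache: {0} MB at {1}" -f $before, $cache.Location)

if ($before -eq $TargetSizeMB) {
    Write-Output 'Cache size already at target; nothing to do.'
    return
}

$cache.TotalSize = $TargetSizeMB

# Re-read from the client rather than trusting the assignment
$after = $ui.GetCacheInfo().TotalSize
if ($after -ne $TargetSizeMB) {
    throw "Cache size change did not take effect (still $after MB); run elevated on a machine with the ConfigMgr client installed."
}
Write-Output ("Cache size changed: {0} MB -> {1} MB" -f $before, $after)
```

Run it elevated; the COM object only exists where the ConfigMgr client is installed, so the `New-Object` call is itself a useful check that the step is running in the right place.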

Posted in Application Packaging, SCCM 2007, SCCM 2012, Scripts

ConfigMgr 2012 Update Scan Fails and Shows Incorrect Compliance

I ran into this a few months ago; however, I am still seeing a few issues even after sending a script out to resolve it.  I figured I’d write a quick blog to show everyone what I did to resolve the issue.  It’s also important to note that the SCCM 2012 R2 SP1 update is also supposed to help with this.

Symptom:

After deploying a new software update group, I immediately noticed that about 1500 workstations showed as “compliant”.  How can this be, since I hadn’t even deployed any patches?  At first I thought maybe Windows Update had been turned on somehow by mistake.  Nope.

After troubleshooting I found this in the WindowsUpdate.log file, which is located in the Windows directory.

WARNING: ISusInternal::GetUpdateMetadata2 failed, hr=8007000E

It seemed that the clients were failing to scan against the WSUS patch repository.
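To find the affected machines before the fix goes out, the following added example (not part of the original post) scans a WindowsUpdate.log for the exact warning above and reports how often and when it was last seen. It assumes the Windows 7 plain-text log at %windir%\WindowsUpdate.log; the sample lines embedded in the script are constructed in that log’s format so it can be tried without a real log.

```powershell
# Added example (not from the original post): scan WindowsUpdate.log for the
# GetUpdateMetadata2 failure with hr=8007000E (E_OUTOFMEMORY) and report how
# many times it occurred and when it was last seen. Assumes the Windows 7 era
# plain-text log at %windir%\WindowsUpdate.log.
param(
    [string]$LogPath = "$env:windir\WindowsUpdate.log"
)

function Find-UpdateScanFailure {
    param([string[]]$Lines)
    # Windows 7 log lines start with "YYYY-MM-DD HH:MM:SS:mmm  PID  TID  Component  message"
    $pattern = 'GetUpdateMetadata2 failed, hr=8007000E'
    $hits = @()
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            $stamp = $null
            if ($line -match '^(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2}:\d{2})') {
                $stamp = [datetime]::ParseExact("$($Matches[1]) $($Matches[2])", 'yyyy-MM-dd HH:mm:ss', $null)
            }
            $hits += [pscustomobject]@{ Time = $stamp; Line = $line.Trim() }
        }
    }
    [pscustomobject]@{
        Count    = $hits.Count
        LastSeen = ($hits | Sort-Object Time | Select-Object -Last 1).Time
        Affected = ($hits.Count -gt 0)
    }
}

# Constructed sample lines in the Windows 7 log format, standing in for a real log
$sample = @(
    '2015-03-02 08:14:55:120  880  9f4  Agent   ** START **  Agent: Finding updates [CallerId = CcmExec]',
    '2015-03-02 08:15:02:301  880  9f4  Agent   WARNING: ISusInternal::GetUpdateMetadata2 failed, hr=8007000E',
    '2015-03-02 08:15:02:302  880  9f4  Agent   WARNING: Failed to synchronize, error = 0x8007000E'
)

$lines  = if (Test-Path $LogPath) { Get-Content $LogPath } else { $sample }
$result = Find-UpdateScanFailure -Lines $lines
$result
if ($result.Affected) {
    Write-Warning "Windows Update scan is failing with 8007000E ($($result.Count) occurrences, last seen $($result.LastSeen)); apply the KB2728379 fix."
}
```

Pointed at a real log it returns a single object with Count, LastSeen and Affected, which is enough to drive a compliance rule or a collection of machines that still need the fix.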


The Fix:

It’s important to note that the bug only seemed to affect x86 Windows 7 clients.  It appears this bug was a memory leak in the Windows Update service.

I wrote the following script and sent it out to all x86 Windows 7 workstations.

@echo off

rem Stop the Windows Update service so its data store can be renamed
net stop wuauserv
rem Run wuauserv in its own svchost process, isolating it from the other services
sc config wuauserv type= own

rem Reset the Windows Update data store; the service rebuilds it on next start.
rem Clear any leftover copy from a previous run so the rename cannot fail.
cd /d %SystemRoot%
if exist SoftwareDistribution.old rd /s /q SoftwareDistribution.old
ren SoftwareDistribution SoftwareDistribution.old
net start wuauserv

rem Install the Windows Update Agent fix for x86 (KB2728379) without rebooting
start /wait wusa.exe Windows6.1-KB2728379-x86.msu /quiet /norestart

exit

KB2728379 can be downloaded from here:  https://support.microsoft.com/en-us/kb/2728379

You also may want to go through your WSUS console and decline any superseded updates, and unselect any outdated operating systems like XP, Office 2003, Server 2003, etc.  This makes the WSUS payload to clients smaller, as it doesn’t need to worry about these old, outdated OSes.  It’s also worth noting that I saw this behavior in both SCCM 2007 and 2012.  This makes sense, since it’s technically a Windows Update service/WSUS bug, which SCCM piggybacks off.

Posted in SCCM 2007, SCCM 2012, WSUS

MP has rejected a policy request from GUID xx-xx-xx-xxxx because it was not approved

Quick little tip on SCCM 2007 – if you see the following messages in your SMS_MP_CONTROL_MANAGER component of the SCCM server, here’s the fix.

MP has rejected a policy request from GUID:XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX because it was not approved. The operating system reported error 2147942405: Access is denied.


SOLUTION:  Open SQL Management Studio and run the following query on your SMS database:

select SMS_Unique_Identifier0, Name0 from V_R_System where SMS_Unique_Identifier0 = 'GUID:XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX'

This will show you your problem client.  You can then follow the standard process for approving a client – most easily, search for it in the collections, right click, and approve.  Sometimes this doesn’t work and a re-install of the SCCM client may be necessary.  Hope this helps.

Posted in SCCM 2007

Finding Workstations or Servers Without SCCM Client Installed

A quick query that creates a collection of workstations or servers missing the SCCM client.  This is especially useful for environments without the SCCM client push enabled.

Step 1

Create a collection that you will use as a limiting collection – for example “All Windows 8 Devices”, “All Windows Servers”, etc.  In this example, we’ll use all Windows Servers.  Limit this to All Systems to catch both cliented and un-cliented machines.

An example query looks like this.

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
where (SMS_R_System.OperatingSystemNameandVersion like "Microsoft Windows NT Server 5%"
    or SMS_R_System.OperatingSystemNameandVersion like "Microsoft Windows NT Advanced Server%"
    or SMS_R_System.OperatingSystemNameandVersion like "Microsoft Windows NT Server 6%")

Step 2

Create another collection called something like “All Servers Without SCCM Client”.  You’ll limit this collection to the one created above.

The query for this collection is:

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
where (SMS_R_System.Client is null or SMS_R_System.Client = 0) and SMS_R_System.Name != "Unknown"


This should give you a collection of servers that do not have the client installed.  You can use a ping test to see which ones are active and push the client.
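The ping test can be scripted against the same criteria instead of working from the console. The following added example (not part of the original post) queries SMS_R_System on the SMS Provider with the two conditions combined, pings each server once, and prints which unclient-ed servers are actually reachable. The site server name and site code are placeholders; the caller needs read rights on the site’s WMI namespace.

```powershell
# Added example (not from the original post): list servers that have no ConfigMgr
# client, using the same SMS_R_System criteria as the two collection queries
# above, then ping each one so you know which are live and worth a client push.
# SiteServer and SiteCode are placeholders; replace them with your own values.
param(
    [string]$SiteServer = 'SITESERVER01',   # placeholder, assumed
    [string]$SiteCode   = 'P01'             # placeholder, assumed
)

$namespace = "root\SMS\site_$SiteCode"

# Same criteria as the post's queries: server OS, no client record, name known
$query = @"
SELECT Name, ResourceID, OperatingSystemNameandVersion
FROM SMS_R_System
WHERE (OperatingSystemNameandVersion LIKE 'Microsoft Windows NT Server 5%'
    OR OperatingSystemNameandVersion LIKE 'Microsoft Windows NT Advanced Server%'
    OR OperatingSystemNameandVersion LIKE 'Microsoft Windows NT Server 6%')
  AND (Client IS NULL OR Client = 0)
  AND Name != 'Unknown'
"@

$servers = @(Get-WmiObject -ComputerName $SiteServer -Namespace $namespace -Query $query)

# One ping per server; -Quiet returns $true/$false instead of reply objects
$report = foreach ($s in $servers) {
    [pscustomobject]@{
        Name       = $s.Name
        ResourceID = $s.ResourceID
        OS         = $s.OperatingSystemNameandVersion
        Online     = Test-Connection -ComputerName $s.Name -Count 1 -Quiet -ErrorAction SilentlyContinue
    }
}

$report | Sort-Object Online -Descending | Format-Table -AutoSize
"$(@($report | Where-Object Online).Count) of $($servers.Count) servers without a client responded to ping"
```

Servers that show Online but no client are the ones to push to; the ones that do not respond are usually stale discovery records, which is its own clean-up task.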

Posted in SCCM 2007, SCCM 2012

How to Stop a System Center Configuration Manager (SCCM) Client Push

If you ever do a big oops and hit the “install client” action on a full collection instead of a single machine, there’s an easy way to fix this before you bring your network down to a crawl.

[Screenshot: Software Push 1]

First, stop the SMS Executive service and browse to your <SCCM install dir>\inboxes\ccr.box folder.  You should see tons of records in this folder.  Select all the files (but not the top 2 folders) and delete them.  You should then have an empty folder like this – then you can restart the SMS Executive service and be good to go!

[Screenshot: CCR Box]
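The same recovery as a script, added here as an example that is not part of the original post: it stops SMS_EXECUTIVE, moves the queued CCR files out of ccr.box into a timestamped backup folder (leaving the sub-folders alone) rather than deleting them, and restarts the service in a finally block so the site comes back up even if the move fails half way. The install directory is a placeholder.

```powershell
# Added example (not from the original post): cancel a runaway client push by
# clearing the queued CCR files from ccr.box. Files are moved to a backup
# folder rather than deleted so the action can be undone; sub-folders stay.
# $SccmInstallDir is a placeholder for your own install path.
param(
    [string]$SccmInstallDir = 'D:\Program Files\Microsoft Configuration Manager'  # placeholder, assumed
)

$ccrBox = Join-Path $SccmInstallDir 'inboxes\ccr.box'
$backup = Join-Path $env:TEMP ("ccr.box-backup-{0:yyyyMMdd-HHmmss}" -f (Get-Date))

if (-not (Test-Path $ccrBox)) { throw "ccr.box not found at $ccrBox" }

# Only files: the two sub-folders in ccr.box must be left in place
$files = @(Get-ChildItem -Path $ccrBox -File)
if ($files.Count -eq 0) { Write-Output 'No queued CCRs found; nothing to do.'; return }

Write-Output "Stopping SMS_EXECUTIVE and moving $($files.Count) queued CCR file(s) to $backup"
Stop-Service -Name 'SMS_EXECUTIVE' -Force
try {
    New-Item -ItemType Directory -Path $backup | Out-Null
    $files | Move-Item -Destination $backup
    $remaining = @(Get-ChildItem -Path $ccrBox -File).Count
    if ($remaining -ne 0) { Write-Warning "$remaining file(s) still in ccr.box (new CCRs may still be arriving)" }
}
finally {
    # Always bring the site back up, even if the move failed part-way
    Start-Service -Name 'SMS_EXECUTIVE'
}
Write-Output 'Done. Remove the backup folder once you are sure the push has been cancelled.'
```

Run it on the site server as an administrator; if the warning about remaining files fires, the push is still generating CCRs and the script can simply be run again.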

Posted in SCCM 2007, SCCM 2012

Using WMIC to Find Computer Model for SCCM or MDT

A quick tip that I use quite a bit.  If you like to query WMI to get the computer model for drivers in MDT or SCCM, one little nagging challenge is getting the exact name of the model in WMI.

Here’s a quick command line that you could also script if needed.

From an elevated command prompt, type:

wmic csproduct get name

The result should give you the exact name returned by WMI in your task sequence query.

[Screenshot: wmic output]

Then, just plug the model you are targeting into an SCCM task sequence condition.  For example:

SELECT * FROM Win32_ComputerSystem WHERE Model LIKE "%HP Compaq Elite 8300 SFF%"
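One check worth doing before relying on the condition: `wmic csproduct get name` reads Win32_ComputerSystemProduct.Name, while the task sequence condition above queries Win32_ComputerSystem.Model. On most hardware the two strings are identical, but the added example below (not part of the original post) reads both, reports whether they agree, and builds the WQL condition from the Model value with quotes and backslashes escaped, so the condition is taken from the class it will actually be evaluated against.

```powershell
# Added example (not from the original post): read the model string the way the
# task sequence condition will see it, and emit the WQL condition with the value
# escaped. Reads Win32_ComputerSystem.Model (what the page's condition queries)
# and Win32_ComputerSystemProduct.Name (what "wmic csproduct get name" returns)
# so you can confirm they match on your hardware.
function Get-ModelCondition {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $cs  = Get-WmiObject -Class Win32_ComputerSystem        -ComputerName $ComputerName
    $csp = Get-WmiObject -Class Win32_ComputerSystemProduct -ComputerName $ComputerName

    # Vendors sometimes pad the model with trailing spaces; LIKE %...% tolerates that,
    # but trimming keeps the condition readable
    $model   = $cs.Model.Trim()
    $product = $csp.Name.Trim()

    # Backslash and double quote are the characters special inside a WQL string literal
    $escaped = ($model -replace '\\', '\\') -replace '"', '\"'

    [pscustomobject]@{
        Model             = $model
        ProductName       = $product
        NamesAgree        = ($model -eq $product)
        TaskSequenceQuery = "SELECT * FROM Win32_ComputerSystem WHERE Model LIKE `"%$escaped%`""
    }
}

$info = Get-ModelCondition
$info | Format-List
if (-not $info.NamesAgree) {
    Write-Warning 'csproduct Name and ComputerSystem Model differ; use the Model value shown above in a Win32_ComputerSystem condition.'
}
```

The TaskSequenceQuery value can be pasted straight into the WMI query condition of the driver package step.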


Posted in MDT, MDT 2010, SCCM 2007, SCCM 2012 | 1 Comment

Intel Wireless Driver Deployment With SCCM

A large part of any desktop engineer’s job is to keep drivers in the environment current.  Whether driver updates need to be pushed at all is debatable – but in my mind updates are released for a reason.  It usually doesn’t hurt to keep drivers current.  Usually the biggest constraint is the time to package, test, and deploy.

My current client has had intermittent problems with the wireless connection on HP laptops.  We’ve had complaints of connections randomly dropping both in the office and at home (red flag!).  The list of variables that could cause this issue is endless: old routers, too many wireless devices connected at home, signal strength, BIOS, drivers, etc.  Since this issue got some high-level visibility we were asked to take at least one variable out of the equation – the wireless drivers.  Again, I was a little skeptical, but then again the drivers on the image were 2-3 years old.

Step one almost took the longest.  When I went to HP’s site the packaged drivers were not current.  Navigating Intel’s site can be cumbersome.  I finally found the link for the wireless drivers (not the full PROSet software).  You can find that here:  Intel Wireless Driver Download for IT Administrators

Intel provides an executable that can be run silently and is fairly quick and painless.  When you download, try running this exe.

iprodifx.exe /silent

I usually write a VBScript wrapper for all distributions for logging, prerequisites, etc.  Here’s the command for VBScript (just declare intInstallIntel, objShell and strCurrentDir with Dim first):

intInstallIntel = objShell.Run(Chr(34) & strCurrentDir & "\iprodifx.exe" & Chr(34) & " /silent", 1, True)

I am doing most of my targeting via SCCM collection queries rather than in the VBScript, just because it’s a bit different for each model.

Posted in Application Packaging, SCCM 2007, SCCM 2012

Enterprise hotfix rollup is available for Windows 7 SP1 and Server 2008 R2 SP1

Some good news in the OSD world – Microsoft has released a 90-patch Windows 7 SP1 rollup update.  This should save some time in deployments if added to your image process.  Some of the things updated are listed below, from http://support.microsoft.com/kb/2775511

This hotfix rollup includes the following improvements:

  • Improves the Windows Client Remote File System components. These components include the following:
    • Web-based Distributed Authoring and Versioning (WebDAV)
    • DFSN client
    • Folder Redirection
    • Offline Files and Folders (CSC)
    • SMB client
    • Redirected Drive Buffering Subsystem (RDB)
    • Multiple UNC Provider (MUP)

Also found a good article on rolling this out with SCCM 2012.  http://blogs.technet.com/b/michaelgriswold/archive/2013/03/13/kb2775511-deployment-for-the-sccm-admin.aspx


Not sure if this is available for SCCM 2007 yet – looking into it.

Posted in Patch Management, SCCM 2007, SCCM 2012, Windows OS

Java 1.7 Auto-Update Deployment with SCCM/MDT

10/18/2013 Update – From a comment below.  I haven’t tested this as I’ve given up on Java completely. 

I just wanted to leave a note with how I got this working (there was lots of info in this thread but it was hard to find a clear step by step with success).

– Run the Java exe on a test machine, dig out the MSI + files from the %userprofile%\Appdata\…. area
– Create an MST using ORCA, set the update settings to not update etc.
– Create a blank “deployment.properties” file and have the “deployment.expiration.check.enabled=false” inside it.
– Install the MSI + MST
– Copy the deployment.properties to C:\Windows\Sun\Java\deployment
– Launch IE, browse to http://javatester.org
– Test the version with the button on the site
– Accept the security prompt (in our org. we are leaving this security level HIGH)
– Wait for any pop-up about an out of date version?
– Open up REGEDIT
– Browse to HKCU\Software\AppDataLow\Software\JavaSoft\DeploymentProperties
– You should see “deployment.expiration.check.enabled” REG_SZ false
– Retest by re-loading the Javatester.org website
– Retest by closing / reopening browser and hitting Javatester.org again
– Log off and on as a new user, repeat test to make sure the HKCU is being populated under the new user.
– Package up
– Have a beer

**Update 7/25/2013**  Sorry all, I haven’t been as active with this as I’d like.  Unfortunately we had to bite the bullet and get everyone upgraded to the latest and greatest.  It does seem that Oracle FINALLY sees this is a massive issue and has released some patched versions for this.  Check all of the comments for the download link.  I personally haven’t even looked at the patches yet, so use at your own risk.  Please also look thru all the comments.  There are many different ways to look at resolving this, at least temporarily.

**Update 6/19/2013**  JAVA 7 UPDATE 25 RELEASED.   It appears a patch was released for update 21, nothing that I can see for 25 yet.  From the comments:

**Update 5/16/2013**  PLEASE read all comments before implementing this.  Java has yet again changed the game and made the expiration date unavoidable.  There’s a lot of good info for temporary workarounds in the comments.  Key word … TEMPORARY.


Unfortunately, you need a login on My Oracle Support (MSO). As I don’t have a login I cannot provide you a deep link to this particular patch.

If you have a login, you can sign-in on http://support.oracle.com, click “Patches and Updates”, then search for patch ID 16758419.

BTW: I have applied this interim patch on my PC today and changed the system date to August 10 (which is beyond the expiration date for the official public JRE 1.7.0_21). The infamous update popup did not occur, so the patch seems to work.

Oracle released an interim patch, 16758419, for JRE and JDK 1.7.0_21 (32bit only) with Auto-update Off and Insecure Java Version Message suppressed:

README for 16758419

Patch Details

Bug Number: 16758419

Product Name: Oracle JDK and JRE 1.7.0_21-fcs-b14
with Auto-update Off and Insecure Java Version Message suppressed
– Interim Patch

Platform: Windows-i586

Some notes from Joe in the comments …

Got some bad news. If you start messing with your system date and set it to 5/16/13, even if you use the suggestions here of baseline.versions folder instead of files, you’ll get prompted. This all appears to be due to the JRE_EXPIRATION_DATE value that is hard coded to that date in 7.17. I tested it with 7.21 which has the variable set to 7/18/13 and it starts prompting you on 7/18 as expected (I misspoke in my post above, 7/18 is correct). So I don’t know of any way to beat this.

I’m using this to push anyone with a JRE related app to demand from the vendor to move away from it. What a joke. 3 billion devices and counting … we’ll see about that Oracle.

Java, I do not like you!


Well, I am sure almost everyone is aware of the (in)famous Java updating mechanism within Java 1.7. 

Here’s the scenario if you haven’t already witnessed the madness with Java 1.7.x.  At the time of this writing, Java 1.7 update 15 was the latest version.  We package it up just like any other version, disabling auto-updates, and everything looks fine.  Then, we fast forward a few months and update 17 comes out.  No big deal, right?  Our package was set to turn Java auto-update off.  I wish it were so.  Once a user hits a webpage that uses Java, they will most likely see the following prompt.  The scary part – you’d never even know this was a problem until it’s too late.  If you deployed the latest version you wouldn’t see any error messages at all.  It’s only when a new version of Java is released that the messages start arriving. 

Your Java version is insecure.  Click Update to install the recommended secure version.  Click Block to stop Java content in your browser or Later to continue and be reminded again later.

[Screenshot: error1 – the “Your Java version is insecure” prompt]

Unreal.  So let’s go thru the options here. 

Update:  Since 90% of corporate users are not local admins – that won’t work.  Result:  Service Desk Call

Block:  Block the app from running?  That’s why they are at this webpage to start with.  Result:  Service Desk Call

Later:  Well, this one kind of works.  This will at least get rid of the warning but only bring you to another!  Result:  Service Desk Call

Let’s assume a user clicks “Later”.  They will then see this additional popup message.

Do you want to run this application?  Your version of Java is insecure and an application from the location below is requesting permission to run. 

This particular site is just a Java tester site.

[Screenshot: error2 – the “Do you want to run this application?” prompt]

So here are our new options.

Run:  This will actually run the Java app.  Result:  No Service Desk Call (hopefully)

Update:  Another attempt to update Java to the latest version (remember, Java auto-update is turned off, right??)  Again, no local admin on most corporate machines.  Result:  Service Desk Call

Cancel:  Stops the app from running.  Result:  Service Desk Call


As you can see, sending this to an enterprise-wide distribution is not an option.  This would generate enormous amounts of Service Desk calls and very unhappy users.  This completely blows my mind.  I thought Adobe Flash was bad but now Oracle has topped the list.  I could go on for hours on why Oracle should disable this “feature”.  Until they do, we need a workaround.  Here’s my solution.  Not perfect by any means.  It seems to get rid of *most* of the popups.

You may have to tweak some things depending on your corporate policy/application requirements/etc. 

Remove all older versions of Java (at least the 1.7 versions).  My testing with 1.6.x versions has been a little strange, but I realize application requirements may prevent this from happening.

  • Verify the C:\WINDOWS\sun\java\deployment directory is empty.  If not, have your install script delete this full directory.
  • You now need to create 2 text files, deployment.config and deployment.properties.  These files basically replace the command line switches in the Java install.  Here are the contents of deployment.config:

deployment.system.config=file\:C\:/WINDOWS/Sun/Java/Deployment/deployment.properties
deployment.system.config.mandatory=true

The top line basically tells the system where your deployment.properties file is located.  For simplicity I just stuck it in the default location but could also reside on the network.  The second line tells the system if this is mandatory.  I don’t know much more about this setting.  Just set it to “true”.

Here are the contents to put into deployment.properties

deployment.expiration.decision=NEVER
deployment.expiration.decision.suppression=TRUE
deployment.version=7.0
deployment.security.level=MEDIUM
deployment.security.mixcode=DISABLE
deployment.insecure.jres=ALWAYS
deployment.javaws.autodownload=NEVER

The key settings above are: 

deployment.expiration.decision=NEVER 

deployment.expiration.decision.suppression=TRUE

These settings suppress the “Later” button so you are never prompted.

deployment.security.level=MEDIUM

This is a big one also.  Still not 100% on this one yet.  The default in the Java install is “HIGH” so I hate to set this lower.  The MEDIUM setting seems to get rid of most of the popups.  The only setting I could find that completely suppresses all warning popup is “LOW” but I can’t imagine security departments allowing this.  May as well stick with the older versions of Java.

deployment.insecure.jres=ALWAYS

This setting suppresses the second popup that warns about running the Java application.  Set it to ALWAYS.

These 2 files need to be copied to the C:\WINDOWS\sun\java\deployment directory.  Have your script create the directory after you delete it. 

Update 3/8/2013 – NEW STEP

  • Create the folder C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\security before installing Java
  • Create 2 files – baseline.timestamp and baseline.versions

Contents of baseline.timestamp is just a period ( . )

Contents of baseline.versions show up like this.  I believe this is telling Java what the current version is for each release (1.8, 1.7, 1.6, etc).  I figured out that when you are prompted it creates this file and the registry entries shown below.  It defaults to 1.7.0_17.  I changed that setting to 1.7.0_13 to trick it into thinking it’s current.   Another option to get this file is to break it intentionally and go edit this file.  Crossing my fingers…. seems to work!

[Screenshot: baseline.versions contents]

It also shows up in the registry like this.

[Screenshot: registry changes]

To automate this, you’ll need to create a script to walk the directory tree and add this to each users profile.   You can also use group policy which may be a bit easier. 

**Make sure these 2 files are present before installing Java.**

  • Install Java 1.7 with only a /qb or /qn switch.  No need to add any other switches since your files are now in the correct place. 
  • TEST TEST TEST!  Again, this is a far from perfect solution and differences will apply between corporations.  I am not a Java expert by any means – so let’s discuss any other options or repercussions! 

Also, a tip on locking the Java settings after deployment, from Rafal in the comments below:

Just a comment about config and properties file
if you want to prevent users from changing Java control properties you will need to place .locked on property you are changing in the properties mark
therefore
deployment.security.level=MEDIUM
deployment.security.level.locked
will effectively lockout/greyout the setting for the user

Hope this helps!
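The two system files from the steps above, plus Rafal’s `.locked` tip, as one script. This is an added example and not part of the original post: it clears the deployment directory (the post’s first step), derives the `file\:` URL in deployment.config from the directory path so the two files always agree, writes deployment.properties with exactly the values shown earlier, and appends `deployment.security.level.locked` when `-LockSecurityLevel` is passed. The directory default is the post’s location; the property values are the post’s own, so review deployment.security.level against your own policy.

```powershell
# Added example (not from the original post): writes deployment.config and
# deployment.properties with the contents the post shows, after clearing the
# system deployment directory as the post's first step requires. Pass
# -LockSecurityLevel to append the ".locked" key from Rafal's tip so users
# cannot change the security level in the Java Control Panel.
param(
    [string]$DeployDir = (Join-Path $env:windir 'Sun\Java\Deployment'),  # post's default location
    [switch]$LockSecurityLevel
)

$propsPath = Join-Path $DeployDir 'deployment.properties'

# Java properties syntax: backslashes become forward slashes and ":" is escaped as "\:"
$propsUrl = 'file\:' + (($propsPath -replace '\\', '/') -replace ':', '\:')

$config = @(
    "deployment.system.config=$propsUrl"
    'deployment.system.config.mandatory=true'
)

# Values exactly as listed in the post
$properties = @(
    'deployment.expiration.decision=NEVER'
    'deployment.expiration.decision.suppression=TRUE'
    'deployment.version=7.0'
    'deployment.security.level=MEDIUM'
    'deployment.security.mixcode=DISABLE'
    'deployment.insecure.jres=ALWAYS'
    'deployment.javaws.autodownload=NEVER'
)
if ($LockSecurityLevel) {
    # A bare "<key>.locked" line greys the setting out in the Java Control Panel
    $properties += 'deployment.security.level.locked'
}

# Start from an empty directory so no stale files from an older Java remain
if (Test-Path $DeployDir) { Remove-Item -Path $DeployDir -Recurse -Force }
New-Item -ItemType Directory -Path $DeployDir | Out-Null

Set-Content -Path (Join-Path $DeployDir 'deployment.config') -Value $config -Encoding Ascii
Set-Content -Path $propsPath -Value $properties -Encoding Ascii

# Echo what was written so the install log captures it
Get-ChildItem -Path $DeployDir | ForEach-Object {
    "--- $($_.Name) ---"
    Get-Content -Path $_.FullName
}
```

Run it as the pre-install step of the package, before the MSI with its /qb or /qn switch; the per-user baseline files from the 3/8/2013 update are a separate step because their contents come from the screenshot and must be captured from your own environment.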

**Update 4/24**

Well, I managed to blow up my environment when Update 21 was released.  My group policy workaround for the files was set to update, not replace.  So if the files were already there and Java overwrote them, group policy didn’t care and saw it as compliant.  TONS of calls.  Ugh Java.

Read thru all the comments below as there are some other ideas that may work.  I think I may have thrown the white flag up and may just do some extensive end user training.  Just don’t hit the “update” button!!!

This is obviously a HUGE issue.  The blog has seen 25K hits just on this page since it was written.  Hopefully we can still figure it out eventually.

Possible workaround – from Morgan in comments.  Worth trying.  Update 5/17

I created the following until Oracle gets their act together. It’s an AutoIT script that looks for the update window and then selects the ideal combination for the user. You can deploy it in the startup folder for users and there is very little CPU impact. Feel free to use and modify as you like.

http://www.autoitscript.com/site/autoit/

Code: javafix.txt

Posted in Application Packaging, MDT, Patch Management, SCCM 2007, SCCM 2012 | 220 Comments

The Pros and Cons of Intel VPro Technology – Part 1

This is the first of a multi-post journey thru the pros and cons of Intel AMT vPro technology.  I’ve recently been thru a 3-4 month Intel vPro implementation (to be fair, it’s not complete yet) with Newton Cunningham of Cireson.

Since the whole implementation is most likely going to be a novel and still ongoing, I’ll have to write this in pieces.  Hopefully some of you can avoid some frustration when doing your implementations.

VPro and AMT (Active Management Technology) are sometimes used interchangeably in the industry.  You may hear either term being used when referring to VPro technology.  Vpro is basically a marketing term for a basket of features for manageability and security.  For example, the biggest driver for our client was the remote KVM capability of the AMT device.  This was very important because the client had many remote sites with no IT staff onsite.  How many times does your IT staff get a call about a hung machine or blue screen and try to walk a regular person thru troubleshooting?  Yeah, good luck with that.  Most of the time, it’s either a long drive for a deskside technician or a replacement PC overnighted in the mail.  Either way, it’s an expensive and time consuming effort.

The best feature in my mind is the KVM functionality of the AMT vPro chips.  The AMT device doesn’t care about the OS.  It doesn’t care if the machine is powered on or off.  You connect to the AMT device directly to view the blue screen, the OS, the BIOS, the dark screen (because it’s turned off), etc.  So instead of having to walk a user thru troubleshooting a blue screen over the phone, just use vPro and get it fixed remotely.  We used VNC Viewer Plus, which seemed to work just fine.  No client is required on the target machine, only the Viewer piece on your technician’s PC.  I know there are a few other vendors that also have vPro support.

The next question I get is – how in the world do you fix a blue screen remotely?  Do you have every employee in the company carrying around an XP or Windows 7 install disk to repair it?  Here’s my second favorite feature – IDE-R, or IDE Redirection.  This allows you to boot a remote computer from an ISO on the network.  Examples would include your company’s WinPE disc, an XP disc, Windows 7, a utility boot disk, etc.  You create a share for your technicians to use and boot remote computers that need repair over the network.  Granted, a 400 MB WinPE image over a small WAN link is still going to take some time, but it is still much faster than an 8 hour roundtrip or an overnight UPS package.

Next up – Part 2 – Details and examples of KVM and IDE-R

Posted in Intel Vpro, Remote Control, SCCM 2007, SCCM 2012