System Center Configuration Manager R3 Released!

Today Microsoft released SCCM 2007 R3! Instead of going into a long blog post about all the exciting new features R3 has, I’d like to refer to an EXCELLENT run down of all the features by a co-worker of mine, Steve Rachui. If you run SCCM, R3 is definitely a worthwhile update that’s painless to implement into your existing environment.

Check out Steve’s post here.

Download the evaluation copy here.

Read the official announcement here.

Posted in sccm | Leave a comment

SCCM: Collection Query to Find Machines Discovered via AD System Discovery in the last day without latest SCCM Client

In the final days I have with my current employer, I’ve been doing some client cleanup. As you may know, Active Directory System Discovery can make a mess out of your SCCM environment if AD isn’t kept clean. We have a lot of records in our DB that just don’t have the SCCM Client for a variety of reasons (not enough disk space, WMI is broken, etc).

The good thing about AD System Discovery though is that for each record it finds in AD, it’ll look to DNS to see if there’s a corresponding DNS record. If there is, it’ll create a DDR for that machine. So if you have a lot of junk in AD, and DNS scavenging is set to a reasonable amount of time, you should be seeing machines in your SCCM hierarchy that are actually on your corporate network.

So what I set out to do was look for all the machines that have reported back an AD System Discovery record within the last day (technically, the query below is referencing 23 hours) that doesn’t have the latest version of the SCCM client (or the client version is null). Here’s the query.

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where ((DATEDIFF(hh, SMS_R_SYSTEM.AgentTime, getdate()) < 23) and AgentName = “SMS_AD_SYSTEM_DISCOVERY_AGENT”) and (SMS_R_System.ClientVersion < “4.00.6487.2000” or SMS_R_System.ClientVersion is null)

This gives me all the machines that I need to look into to fix. These are machines I wasn’t able to hit using Client Push installations, or at least I never got a successful client installation for them.

Posted in sccm | Tagged , , | 11 Comments

SCCM SCUP: How to Install Adobe Flash Player

With the new release of Flash Player 10.1 I’ve noticed in our environment that we were unable to install the Active X component for IE systems using the provided MSI file with SCUP. I’ve read in a few places that it’s best to utilize the .exe instead of the .msi that is provided by Adobe. So this evening I decided to do so.

Adobe has changed its command lines for flash 10.1 this go round. Originally I was using /s for a silent install but I noticed in Taskmgr that the .exe was sitting under the SYSTEM context doing nothing.

Appdeploy has an entry for Adobe Flash 10.1 that recommends to use -install for a silent install with the .exe form of installation. Once I added the -install switch, things worked just fine.

Now to figure out whether the mms.cfg file works still.

Posted in sccm | Tagged , | Leave a comment

MS10-041 KB979909 .NET Framework 3.5 Service Pack 1 and for the .NET Framework 2.0 Service Pack 2 for Windows 2000, for Windows Server 2003, and for Windows XP Fails to Install

Sorry for the long title.

This past Tuesday Microsoft released a slew of new security patches. I won’t go into detail about all of them, but suffice it to say we’re seeing KB979909 become a pretty hairy thorn in our side.

We deploy all of our updates via SCCM. In my pilot testing I’ve noticed quite a few machines that come up with an error code of -2147023293 with a HexErrorCode of 80070643. This error basically means a fatal error during installation.

Microsoft’s recommendation on how to fix this is referenced here: however what I’m seeing in my environment is nearly a 10% failure rate on my pilot users. There’s no real easy way to fix this remotely, and my help desk will be busy for a couple of days fixing this issue for the amount of calls they’ll be receiving.

Other people are seeing the same problems. For the time being, we’re pulling the update until we see a better solution than uninstall all versions of .NET as the fix.

Below are links to other people experiencing the same problem with this update. Some are also seeing problems with KB982168, and KB979906.

If you’re having the same problem, post a comment below.

Posted in sccm | Tagged , , , , , | 5 Comments

SCCM Fix: Error 0x80070643 or 0x8024200b when installing Office 2003 Updates by using WSUS or SCCM

In our SCCM test environment we were installing this months Microsoft Security Updates and noticed on one test machine that all the Office 2003 Updates were failing. I hadn’t seen this before, so I started to do a little digging.

Knowing that SCCM really doesn’t do much but call the Windows Update Agent components, I first checked out the c:\windows\windowsupdate.log to see if there were any specific error messages relating to why these updates weren’t installing. What I noticed was the following:

Handler : MSI transaction completed. MSI: 0x80070643, Handler: 0x8024200b, Source: No, Reboot: 0

We basically have two exit codes here. The handler tells me that WUA passed this on to MSI and MSI returned exit code 0x80070643. Windows Update (which is the Handler in this case) is saying its exit code is 0x8024200b. Based on both of these exit codes, we have a failure. The actual code we care about is the first one because that’s what was returned to MSI. The second code is basically just a generic failure code.

By doing a search, I found that 0x80070643 relates to an issue with the Office Source Engine being disabled. Sure enough, on the machine we saw this issue happening on, it had the service disabled. Once we set it to manual, everything worked as normal. See for more information.

So then I got to thinking, “How many machines in my environment have this service disabled? Our help desk could get flooded with calls.” But then I realized that if this really were a wide spread issue with this service disabled, we’d have a lot more issues in previous months with Office 2003 updates. But nonetheless, I was curious, so I made a query in SCCM to look for all machines with the Office Source Engine disabled. The query syntax is as follows:

select distinct SMS_R_System.NetbiosName from  SMS_R_System inner join SMS_G_System_SERVICE on SMS_G_System_SERVICE.ResourceID = SMS_R_System.ResourceId where SMS_G_System_SERVICE.Name = “ose” and SMS_G_System_SERVICE.StartMode = “Disabled”

How many machines came back with this service disabled? 4 (out of over 2000).

I think we’re OK :)

Posted in sccm | Tagged , , , , , | Leave a comment

SCCM: Administrator Console Locked up, Frozen, Hosed, or Hung solution

Today I received an email from a tech who complained that the Configuration Manager administrator console we have installed on a Windows 2003 terminal server was hosed up. I’ve seen this happen in a few instances. I’m not entirely sure why the console just sits hung, but the solution that I’ve seen work most often is to delete the MMC related files in the user’s profile that get created after the console has been used. You want to delete the sms and/or adminconsole files (I think the sms file comes from the old SMS 2003 console).

You can find the files at the following path:

Windows 2003: C:\Documents and settings\userid\Application Data\Microsoft\MMC

Windows 2008: C:\users\userid\appData\Roaming\Microsoft\MMC

Once the files have been deleted, logoff and log back on and run the console. This should fix the issue.

Posted in sccm | Tagged , | Leave a comment

System Center Configuration Manager Beta 1 has been released!

It’s been a long time coming, and I’m very excited for the release of Configuration Manager v.Next. Listed below are just some of the bullet points in this release. You can see the full announcement here.

Today we are very excited to announce the release of Beta 1 for System Center Configuration Manager v.Next.

System Center Configuration Manager v.Next is uniquely positioned to provide for powerful and flexible user-centric client management, allowing users to be able to seamlessly access their data from virtually anywhere, across multiple device types while providing IT with unified management tools and centralized control.

This next release of Configuration Manager is focused on 3 main pillars:

User centric application management  – Empowering Administrators to define intent, and end users flexible access to the right application at the right time

  • Allow the administrator to think users first
  • Application management model to capture admin intent
  • End user self-service software portal

Infrastructure simplification – Simplify management infrastructure, processes and administrative overhead

  • Unified management across PCs and devices
  • New role based administration and end-user experiences
  • Automated content distribution and troubleshooting
  • Redesigned core infrastructure and improved scalability

Simplify Client Management – Daily tasks, model based configuration management and improvements over existing capabilities

  • Automated compliance remediation
  • Client health and auto remediation
  • Remote control enhancements
  • Offline servicing of OS images
  • Posted in ConfigMgr 2012 | Tagged , | Leave a comment

    SCCM: Software Distribution Fails with Error Code 1603 in Execmgr.log

    Error code 1603 by definition is just a generic windows installer (MSIexec) fatal error code. Yesterday I was seeing this for a software package deployment. The interesting part of this was this was an application that was packaged for us by a third party vendor (a vendor that will remain nameless, but has created some poor packages for us in the past that allows me to write up blog posts like this explaining the solution to their packaging issues), and the application was actually installing on some machines but not all. In total, about 50% had successfully installed the application and the other 50% had failed. So it was a very peculiar push that piqued my interest.

    After looking at the advertisement report, I noticed that most of the successful installs were from Windows 7 machines. The failures were coming from Windows XP. So that pointed me to setup a test XP machine and test the push on that platform.

    Next I looked at the package and how it was created in SCCM (I personally didn’t set this up or work with the vendor on packaging it, so this was all new to me). I noticed that the install program was using a transform that the vendor had created as well as a requiring ISScript8 be run first before installing.

    After doing some research, I came across a forum post that made reference to DCOM InstallShield InstallDriver Identity properties being set incorrectly. In my case, we were running this application with administrative rights and silently via SCCM. When a local administrator was logged on during runtime, the application would install fine. It would also install fine if no one was logged on. However if a user was logged on without admin rights, we’d get the 1603 error.

    So I took a look at the InstallShield InstallDriver Properties from DCOMCNFG. To do this, follow the following steps:

    From a command line (or start – run) type in dcomcnfg
    Select Component Services
    Expand Computers
    Expand My Computer
    Expand DCOM Config
    Right click on InstallShield InstallDriver (in my case I had two of these)
    Select Properties
    Select the Identity tab

    What SHOULD be selected here is The launching User. What I had selected was The interactive user. So by changing both InstallShield InstallDriver identities to The Launching User I was able to run the application successfully as the user which was a low rights account.

    How to change the Installshield Installdriver Identity via VBScript

    So I had the problem solved, but I needed a way to do this programatically. I basically needed to run ISScript first, then run a VBScript to change the Identity value, then run the application. The good news is that these options are all stored in the registry! The problem though is that they’re stored in GUID/AppID format, and with different versions of ISScript out there, there isn’t a consistent method to fix this. What this means for you is that you need to get the GUID/AppID yourself, luckily for you, you can get the GUID/AppID from within DCOMCNFG.

    How to find the GUID/AppID from DCOMCNFG

    To find the Application ID, repeat the steps I listed above to get to the Installshield InstallDriver Properties pane.

    From a command line (or start – run) type in dcomcnfg
    Select Component Services
    Expand Computers
    Expand My Computer
    Expand DCOM Config
    Right click on InstallShield InstallDriver (in my case I had two of these)
    Select Properties
    Under the General tab select the Application ID

    Once you have the application ID, you can use the following VBScript to change the Identity of the Installshield InstallDriver. Note that if you only have one InstallDriver, you can remove the second path and the second deletevalue command.

    const HKEY_CLASSES_ROOT = &H80000000
    strComputer = “.”

    Set oReg=GetObject(“winmgmts:{impersonationLevel=impersonate}!\\” &_
    strComputer & “\root\default:StdRegProv”)

    strStringValueName = “RunAs”

    oReg.DeleteValue HKEY_CLASSES_ROOT,strKeyPath1,strStringValueName
    oReg.DeleteValue HKEY_CLASSES_ROOT,strKeyPath2,strStringValueName

    Once you’ve made the file, put it in the packagesource folder and make a new SCCM program using cscript nameofscript.vbs.

    Posted in sccm | Tagged , , | 3 Comments

    SCCM: How to Restore the All Systems Collection in SCCM/SMS

    When I got into the office this morning an email came in from one of our technicians. The issue was that he couldn’t see the All Systems collection anymore and wanted me to put it back. Since I know I didn’t do this, I took a look at Status Message Queries to see what happened. I specifically looked at “Collections Created, Modified, or Deleted” to see who the culprit was and when the deletion happened. Once I figured out that yes, All Systems was in fact deleted, I ran the following VBScript (copy this text to a text file and save it as all_systems.vbs and run it on your site server):

    strSMSServer = “.”
    strParentCollID = “COLLROOT”
    ‘This example creates the collection in the collection root.
    ‘Replace COLLROOT with the CollectionID of an existing collection to make the new collection a child.

    strCollectionName = “All Systems”
    strCollectionComment = “This is the All Systems Collection.”
    Set objLoc = CreateObject(“WbemScripting.SWbemLocator”)
    Set objSMS = objloc.ConnectServer(strSMSServer, “root\sms”)
    Set Results = objSMS.ExecQuery (“SELECT * From SMS_ProviderLocation WHERE ProviderForLocalSite = true”)

    For each Loc in Results
    If Loc.ProviderForLocalSite = True Then
    Set objSMS = objLoc.ConnectServer(Loc.Machine, “root\sms\site_” & Loc.SiteCode)
    End if

    Set newCollection = objSMS.Get(“SMS_Collection”).SpawnInstance_()

    ‘Create new “All Systems” collection
    newCollection.Name = “All Systems”
    newCollection.OwnedByThisSite = True
    newCollection.Comment = strCollectionComment
    newCollection.CollectionID = “SMS00001”
    path = newCollection.Put_

    ‘Set the Relationship
    Set newCollectionRelation = objSMS.Get(“SMS_CollectToSubCollect”).SpawnInstance_()
    newCollectionRelation.parentCollectionID = strParentCollID
    newCollectionRelation.subCollectionID = (“SMS00001”)

    ‘Add the Query Rule
    Set objQueryRule = objSMS.Get(“SMS_CollectionRuleQuery”).SpawnInstance_
    objQueryRule.QueryExpression = Query
    objQueryRule.RuleName = “AllSystems”
    newCollection.AddMembershipRule objQueryRule

    The collection was remade and all the objects are there like they should be. Now I need to lock all collections down so our techs don’t delete them anymore.

    Posted in sccm | 3 Comments

    SCCM: Collection Query to get all machines who haven’t rebooted in X amount of Days

    Here’s a query that I use to see all machines who haven’t rebooted in 7 days. You can change the 7 to however many days you want.

    select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_OPERATING_SYSTEM on SMS_G_System_OPERATING_SYSTEM.ResourceID = SMS_R_System.ResourceId where DATEDIFF(DD, SMS_G_System_OPERATING_SYSTEM.LastBootUpTime, GETDATE()) > 7

    Posted in sccm | Tagged , , | 2 Comments