Posts Tagged ‘SCCM’

Sigh. Turns out this is one of those “obvious” facepalm issues. Posting the issue anyway in the event other people come across it.

Windows clients on Configuration Manager 2012 R2 are not applying power policies at all. Standard Windows power settings still applied and available.

  •  Client policy enabled for applying power settings
  • Collection has a power policy configured (either pre-existing or custom)
  • No Group Policies configured to apply any sort of power settings
  • Client in collection
  • PolicyEvaluator.log and PolicyAgent.log both indicate the policy has been applied by the client
    • Policy appears with the CollectionID as a reference
  • No power configuration change occur on the target workstation
  • Lots of activity in pwrmgmt.log, but nothing seem specific to the policy I have configured, and no errors
  • PwrProvider.log just repeats message: “Failed to read ValueUnitsSpecifier” and nothing else
  • No Windows Event Viewer messages stand-out as related to this issue

(more…)

Another “reminder where stuff is” post. This time for the Endpoint Protection logs. These should be the same for pretty much any version as far as I know, but I’m looking specifically at System Centre Endpoint Protection (SCEP) included as part of Config Manager 2012.

Log locations:

  • %allusersprofile%\Microsoft\Microsoft Antimalware\Support—Log files specific for the antimalware service
  • %allusersprofile%\Microsoft\Microsoft Security Client\Support—Log files specific for the SCEP client software
  • %windir%\WindowsUpdate.log—Windows Update log files, which include information about definition updates
  • %windir%\CCM\Logs\EndpointProtectionagent.log – Shows Endpoint version and policies applied
  • %windir%\temp\MpCmdRun.log – Activity when performing scans and signature updates
  • %windir%\temp\MpSigStub.log – Update progress for signature and Engine updates

References:

http://technet.microsoft.com/en-us/library/gg477022.aspx

The Automatic Deployment Rule (ADR) feature in ConfigMgr2012 is quite handy, especially for people moving from WSUS that aren’t too worried about updates being automatically deployed.

Many larger organisations however tend to have a more controlling approach to which updates are approved for deployment and will approve/decline each update as required.

One thing I liked in WSUS was the ability to have updates automatically approved, but being able to set the client policy to say “Notify Only”. On my servers I could have them scan and determine applicable updates, but then I would manually approve them and reboot as required, or I could exclude some updates if they were causing problems on a per-server basis (e.g. .NET). Sure you could do all that through WSUS itself if you wanted to setup lots of different computer groups, but for small environments with half a dozen servers it’s easier this way.

In ConfigMgr2012, there is no way to “auto create” and update group unless you use an ADR. However the ADR configuration makes all deployments Mandatory with a deadline and does not give a “Required” notify only type option.

(more…)

Last update: 6/2/2014 Link to Microsoft TechNet article response

When runnning a Windows 7 or Windows 8 OSD install task sequence on ConfigMgr 2012 SP1 (CU2 and CU3), I’ve noticed that it seems to get stuck and appears to hang for a while when it gets to the “Install Software Updates” step. Typically it will sit there for 5- 10 minutes or so with no apparent activity before it starts applying the updates as required. The updates do eventually apply and the build completes as normal.

(more…)

A light hearted post that I will update over time as I find new examples of typos and error in ConfigMgr log files.

(note: changed to be typos in ConfigMgr in general now)

(more…)

If you work in a site that uses WSUS and just has auto-approve rules setup, then read no further. Just go and create Auto Deployment Rules in ConfigMgr that will continue to do exactly the same thing.

If you work in an organisation that reviews and approves each Microsoft update to be released, and over the years you have a fairly unfriendly looking list of approved and not-approved updates, then the thought of going through that list, manually selecting each update to add to an Update Group, and then repeating for each computer group, probably isn’t very appealing.

Finding myself in that situation I did what any rational lazy admin would do before scripting my own solution:

TO THE INTERNET

Luckily, I managed to stumble across this site which seems to do exactly that is required. I haven’t tested it out yet, but it’s published on a Technet Blog, so what could possibly go wrong?

UPDATE: Yes, it all works as required. One thing to watch for is ConfigMgr doesn’t let you approve/deploy superseded and expired updates, so you will probably notice your update groups have fewer approved updates than you have been deploying. The scripts also don’t do anything about approving the newer versions of those older updates so you’ll need to then check what updates are required. Not such a drama really as most of the heavy lifting has already been done by the scripts.

http://blogs.technet.com/b/manageabilityguys/archive/2012/08/25/migrating-from-wsus-to-configuration-manager.aspx

Installing Configuration Manager 2012 clients on all my servers was fairly easy and straight forward. With one exception – My TMG2010 server running Server 2008R2.
For some reason, the client would install, but would never assign itself to my site, or download policies. The firewall rules allowed it to talk to the ConfigMgr server, and monitoring the traffic showed nothing was being blocked at all.
Much digging in TechNet etc and I found various mentions relating to certificates. This put me on the right track and got me 80% of the way there, but not quite.

There was not a lot of indication of what was going wrong. Most of the logs just weren’t reporting anything, let alone an error. The one log that was showing something is the “ClientIDManagerStartuplog” with repeating entries of

RegTask: Failed to get certificate. Error: 0x80004005

This was the only place I could find an indication of what was wrong.

Various articles say to delete all the files in the MachineKeys certificates folder. That is VERY BAD, DO NOT DO THAT!

While they are misguided, they do point to the correct resolution. Some suggest deleting one specific file which is the SMS certificate. At first, permissions blocked me doing this, but even after deleting it, the problem would repeat.

(more…)

This is considered a pedantic point by many people I work with, but it’s something I still work to change.

When Microsoft released System Centre Configuration Manager, the natural abbreviation/acronym that myself and pretty much everyone else used for it was “SCCM”. Makes sense.

At some time I recall that Microsoft started to make a point of telling people *not* to call it SCCM. I can’t seem to find any official Microsoft reference to this though. (If you know where an official Microsoft statement is, please let me know)

The reason is that Microsoft do not have any rights to “SCCM”, and also to prevent any possible confusion with another organisation that is already known as SCCM.

At this point I’ll hand over to the following links to explain:

http://myitforum.com/myitforumwp/2012/10/25/what-is-the-official-acronym-of-system-center-2012-configuration-manager/

http://blogs.technet.com/b/configmgr/archive/2008/06/01/sccm-is-not-the-official-acronym-for-configuration-manager.aspx

Unfortunately, SCCM is deeply ingrained into the vocabulary of the people that work with it, so it’s going to take a while (if ever) to change. I’m doing my part where I can. I will still tend to tag things with “SCCM” to help other people who are using it as a search term, but when referencing it in any documents I will use “ConfigMgr” or “CM[version]” (e.g. CM07, CM12) instead.

If you happen to notice me slipping in an “SCCM”, feel free to berate me over it.