Peter33

Hi guys, be aware of a bug in the SCEP 2012 Client 4.10.205. A race condition during the update my result in broken SCEP Client, which will not load any signature updates or report back to Config Manager after that. 10% of our Clients and Servers are affected by this. The Workaround is to block the 4.10. update in the ADR/Update Group and to install SCEP 4.9 (use a regular package with the SCEPinstall /forceclean Switch). There will be a new 4.10. update. Unfortunately MS Support was not able to tell when. btw. Reports are useless to identify affected clients. Rather use a collection view in the console and opt in 'Endpoint Protection Last Update Time'.

Congratulations and keep up the good work. Just checking in for my flight back home from ATL. It has been a fun week here :-) Ciao Peter

Here is a SQL query you can run from the Management Studio, Power BI, Excel ... etc. Just cut the last line if you want a complete list or use it for filtering. SELECT v_UpdateInfo.Title, v_ContentInfo.ContentSource FROM v_UpdateInfo INNER JOIN v_UpdateContents ON v_UpdateInfo.CI_ID = v_UpdateContents.CI_ID INNER JOIN v_ContentInfo ON v_UpdateContents.Content_ID = v_ContentInfo.Content_ID WHERE (v_UpdateContents.ContentProvisioned = 1) AND v_UpdateInfo.Title LIKE '%KB2900986%'

That should do it ... select * from SMS_R_System inner join SMS_G_System_EndpointProtectionStatus on SMS_G_System_EndpointProtectionStatus.ResourceId = SMS_R_System.ResourceId where SMS_G_System_EndpointProtectionStatus.AtRisk = 1

Your MDT Database returns this ... So the sequence is working fine. Time to check your customsettings.ini and database entries.

Uninstalling a client involves no status messages between server and client. Therefore the Client Status in your console won't change. The status will change according to your client status settings and site maintanance settings. Changing the status manually would involve editing your CM Database, which is of course not supported.

Here is a neat little console extension, that will take care of your problem. https://gallery.technet.microsoft.com/Clean-Software-Update-5ae68ba2

Well, you should check the smsts.log to see how long the update step, or any other step takes to finish. Only way to find out what consumes the most time in your TS. Also, it doesn't matter how many updates are already installed in your Image. The Client has to process the policies for all assigned updates, which may take some time for Windws 7 and Office together.

Do you deploy updates in your task sequence? This would explain the duration. Updating Windows 7 is no fun at all. I'm curious to see how the plans for cumulative updates will play out, which were just announced by MS. At the moment i am creating monthly new images with MDT including all updates. Also, office and SAP are part of the image already, which helps a lot. The Windows 7 image weighs almost 13GB but deploys in an hour. You can speed it up a little by activating the option to apply the operating system image directly from the distribution point share, which will cost you additional space on the servers

You can still upgrade your 1511 Clients to 1607 in your current environment, when you are using a upgrade task sequence.

Try this. The script will simply split the DistinguishedName of your computer object and compare all the OU partial strings to all existing AD site names and return the valid one. $SysInfo = New-Object -ComObject "ADSystemInfo" $Computer = [ADSI]("LDAP://{0}" -f $SysInfo.GetType().InvokeMember("ComputerName", [System.Reflection.BindingFlags]::GetProperty, $null, $SysInfo, $null)) $sitesDN="LDAP://CN=Sites," + $([adsi] "LDAP://RootDSE").Get("ConfigurationNamingContext") ($Computer.distinguishedName).split(',') | % { $OU = ($_).split('=') if($OU[0] -eq 'OU'){ foreach ($site in $([adsi] $sitesDN).psbase.children){ if($site.objectClass -eq "site"){ $siteName=([string]$site.cn).toUpper() if($OU[1] -eq $siteName){ write-host "found valid site name $siteName in CN" break outer } } } } }

I think it's worth a try to check if the certificate is still valid. Ckeck the PXE server properties of your Distribution Point for the cert date.

No Problem. Open your SCCM Console and go to “Asset and Compliance“. Expand the Comliance Settings Folder and right click the Configuration Iems. Select “Create Configuration Item”, chose a proper name and click two times “Next”. Then click the “New” button and chose a name for the setting. As Setting Type chose “Script” and as data type “Boolean”. Under Discovery Script hit the “Add Script” button and paste in the powershell script script. Switsh to the Compliance Rules tab in the settings dialog and and click the new button. Select a proper name again and confirm two times with the OK Buttons. Then hit 3 times the next buttons in the dialog window. Switch to the Configuration Baseline Folder, right click it and chose “New Configuration Baseline”. Select a name and select your new configuration item by hitting the add button. Confirm with OK. Now you can deploy the Configuration Baseline to a collection of your choice, which is similar to deploying an application. By right clicking the newly created deployment you can create your compliant/nonCompliant Collections.

Sounds like the perfect excuse to use the compliance settings once again, which will give you compliant and non compliant collections on the fly. $result = $true if ((Get-Service -Name TrustedInstaller ).Status -eq "Stopped"){ Start-Service -Name TrustedInstaller -ErrorAction SilentlyContinue -WarningAction SilentlyContinue if ((Get-Service -Name TrustedInstaller ).Status -ne "Running"){ $result = $false } else { Stop-Service -Name TrustedInstaller -ErrorAction SilentlyContinue -WarningAction SilentlyContinue } } return $result

It makes no sense to use it for the detection rule, because the status will alter once the service gets started again and your application will start to install once again. You will create a endless loop. Just create an installation wrapper script that shuts down the service before starting the setup and restart the service when the installer is finished. Anyways, the answer to your question is a simple single line. if ((Get-Service -Name PcaSvc ).Status -eq "Stopped"){Return $true} Any output in a scripted detection counts as success.

This will not work, unless you have the RSAT Tools installed on all of your Clients and activated the AD tools. Anyways, it's completely unnecessary. You already have the Information in your SCCM Database, if AD and AD Group Discovery is activated.

Sounds pretty doable to me. If you run at least Windows 8 you wouldn't even need a task sequence. Just create a new BDE Partition with the BdeHdCfg command, then create a new Protector on your OS Drive with manage-bde and the "usedspaceonly" parameter and finally start the encryprion also with manage-bde. All this assuming that you are not in UEFI mode since you got no BDE partiton already. For Windows 7 you would still need a task sequence with Windows 8 PE boot image (at least) to create the Protector with usedspaceonly.

It's a know issue for Task sequences and regular package programs. After the creation of the deployment, reopen the deployment and date back the the schedule for ".. will become available ..." by 1 day. Problem solved.

[cmdletbinding()] Param( [Parameter(Mandatory)] [String] [ValidateNotNullOrEmpty()] $ComputerName ) cls $SiteCode = "XXX" Import-Module -Name "$(split-path $Env:SMS_ADMIN_UI_PATH)\ConfigurationManager.psd1" cd $SiteCode":" Remove-CMDevice -DeviceName $ComputerName -Confirm:$false -Verbose -Force This should do the trick. The SCCM Console has to be installed on the computer. Also make sure you replace the site code in the script with your own.

No need for UNC path syntax. %~dp0 will take care of it. if not exist "C:\Program Files\SIMS\SIMS.Net\connect.ini" copy /y "%~dpSims Connect ini" "C:\Program Files\SIMS\SIMS.Net"

Is there a specific reason not to put the files into your package sources?

Seems like you are hard to please. Well you can give this a try. This is my script for the 32Bit Runtime. It uninstalls every 32Bit Version of JRE 7 & 8 (not 6 for a specific reason in our case). It also creates a unique named hardlink for the Insallation directory under program files (request by our developers). It installs our internal certificates (Active Directory, etc), cleans up the user java cache directories (some applications will act up otherwise) and finally sets some global deployment properties for all users. It also skips the whole Installation i any Java process is open (we have some critical applications which might suffer a data loss otherwise). $VersionString = "jre1.8.0_65" $ExitCode = 0 $myPath = Split-Path $script:MyInvocation.MyCommand.Path Set-Location $myPath $Process = (Get-Process 'java','javaw','javaws','javacpl' -ErrorAction SilentlyContinue -FileVersionInfo) if ($Process){ $ExitCode = 222 } else { gwmi -Namespace root\cimv2\SMS -Class SMS_installedSoftware -Filter "ProductName Like '%Java 7 Update%' And Not ProductName Like '%Kit%' And Not ProductName Like '%64-bit%' " -Property SoftwareCode,ProductName | ForEach-Object { $myArgs = "/X" + $_.SoftwareCode + " /norestart /q" $ExitCode = (Start-Process -FilePath "msiexec.exe" -ArgumentList $myArgs -ErrorAction SilentlyContinue -NoNewWindow -Wait -PassThru).ExitCode } gwmi -Namespace root\cimv2\SMS -Class SMS_installedSoftware -Filter "ProductName Like '%Java 8 Update%' And Not ProductName Like '%Kit%' And Not ProductName Like '%64-bit%' " -Property SoftwareCode,ProductName | ForEach-Object { $myArgs = "/X" + $_.SoftwareCode + " /norestart /q" $ExitCode = (Start-Process -FilePath "msiexec.exe" -ArgumentList $myArgs -ErrorAction SilentlyContinue -NoNewWindow -Wait -PassThru).ExitCode } if(Test-Path 'C:\Program Files (x86)'){ c:\windows\system32\cmd.exe /C rd 'C:\Program Files (x86)\Java\jre8' /Q } else { c:\windows\system32\cmd.exe /C rd 'C:\Program Files\Java\jre8' /Q } Start-Sleep 30 $myArgs = "/i """ + $myPath + "\$VersionString.msi"" AUTOUPDATECHECK=0 JAVAUPDATE=0 JU=0 SYSTRAY=1 /norestart /q" $ExitCode = (Start-Process -FilePath "msiexec.exe" -ArgumentList $myArgs -ErrorAction SilentlyContinue -NoNewWindow -Wait -PassThru).ExitCode $Users = Get-ChildItem -Path "c:\Users" $str1 = "-importcert -trustcacerts -keystore " $str3 = "\Java\jre8\lib\security\cacerts"" -file cert1.cer -alias cert1 -storepass changeit -noprompt" $str4 = "\Java\jre8\lib\security\cacerts"" -file cert2.cer -alias cert2 -storepass changeit -noprompt" $str5 = "\Java\jre8\lib\security\cacerts"" -file cert3.cer -alias cert3 -storepass changeit -noprompt" If ( Test-Path 'C:\Program Files (x86)'){ $str2 = "C:\Program Files (x86)" cmd.exe /C "mklink /J ""C:\Program Files (x86)\Java\jre8"" ""C:\Program Files (x86)\Java\$VersionString""" } else { $str2 = "C:\Program Files" cmd.exe /C "mklink /J ""C:\Program Files\Java\jre8"" ""C:\Program Files\Java\$VersionString""" } $argString = $str1 + """" + $str2 + $str3 $argString1 = $str1 + """" + $str2 + $str4 $argString2 = $str1 + """" + $str2 + $str5 $comString = $str2 + "\Java\jre8\bin\keytool.exe" if(Test-Path "$comString"){ Start-Process -FilePath "$comString" -ArgumentList $argString -Wait -Passthru -NoNewWindow Start-Process -FilePath "$comString" -ArgumentList $argString1 -Wait -Passthru -NoNewWindow Start-Process -FilePath "$comString" -ArgumentList $argString2 -Wait -Passthru -NoNewWindow } foreach ($User in $Users){ $myPath = Join-Path -Path "C:\Users" -ChildPath $User $Path1 = Join-Path -Path $myPath -ChildPath "AppData\LocalLow\Sun\Java\Deployment\cache" If ( Test-Path $Path1 ) { Remove-Item -Path $Path1 -Recurse -Force -ErrorAction SilentlyContinue } } Remove-Item -Force -Path "$env:ALLUSERSPROFILE\microsoft\windows\start menu\programs\java" -recurse -ErrorAction SilentlyContinue New-Item -force -Path "$env:windir\Sun\Java\Deployment\deployment.properties" -ItemType file -ErrorAction SilentlyContinue New-Item -force -Path "$env:windir\Sun\Java\Deployment\deployment.config" -ItemType file -ErrorAction SilentlyContinue Add-Content -path "$env:windir\Sun\Java\Deployment\deployment.config" -value "deployment.system.config.mandatory=true" -ErrorAction SilentlyContinue Add-Content -path "$env:windir\Sun\Java\Deployment\deployment.config" -value "deployment.system.config=file:///$env:SystemDrive/Windows/Sun/Java/Deployment/deployment.properties" -ErrorAction SilentlyContinue Add-Content -path "$env:windir\Sun\Java\Deployment\deployment.properties" -value "deployment.expiration.check.enabled=false" -ErrorAction SilentlyContinue Add-Content -path "$env:windir\Sun\Java\Deployment\deployment.properties" -value "deployment.security.mixcode=HIDE_RUN" -ErrorAction SilentlyContinue Add-Content -path "$env:windir\Sun\Java\Deployment\deployment.properties" -value "deployment.security.level=HIGH" -ErrorAction SilentlyContinue Add-Content -path "$env:windir\Sun\Java\Deployment\deployment.properties" -value "deployment.security.level.unlocked" -ErrorAction SilentlyContinue Add-Content -path "$env:windir\Sun\Java\Deployment\deployment.properties" -value "deployment.insecure.jres=NEVER" -ErrorAction SilentlyContinue Add-Content -path "$env:windir\Sun\Java\Deployment\deployment.properties" -value "deployment.javaws.shortcut=NEVER" -ErrorAction SilentlyContinue } [Environment]::Exit($ExitCode)

Thanks for the info. That would be indeed a nice feature to have. I'm still a little bit worried about the traffic overhead and the performance impact while browsing several collections in a short time span.

Have a look at the App Deplyoment Tolkit. http://psappdeploytoolkit.codeplex.com/

Actually i'm not sure if like this idea. "Such feature instantly allows admins to see which computers are available/online/offline, without having to run a report or ping the Computer" <---- It just shows you a snapshot depending on the state Messaging Report cycle, which is no real time Status. The Information would be not reliable. It would give you a hint, OK ... but still ....