jorlando

Established Members
  • Posts: 63
Everything posted by jorlando

  1. Going a step further. On some machines (rare) I will see the task is scheduled under Microsoft > Microsoft > Configuration Manager. During install the client will not see this scheduled task because it expects it to be in Microsoft > Configuration Manager. No idea why this happens, but the fix is to kill the tasks in Microsoft > Microsoft > Configuration Manager.
  2. Sounds like the client either has not evaluated the applicability of the update or it determined the update does not apply. Check c:\windows\ccm\logs\updatestore.log to see what updates are missing/installed. I would also double check your applicability rules in SCUP. I am also assuming you have properly set up SCUP with signing cert, deployed cert to servers, allow 3rd party signed updates GPO... etc.
  3. Is something like this what you were looking for: https://powersheller.wordpress.com/2012/05/24/sccm-2012-execute-task-sequence-with-powershell/
  4. The client installer created the task. Ideally, upon successful installation of the client the scheduled task will be deleted. This method survives a reboot if you have a system that needs to retry a client installation. For some rare reason I have seen the client successfully installed, but the task not deleted. The result is the client gets reinstalled every 5 hours until I delete the scheduled task. James
  5. Anytime I see this error in the ccmsetup.log it's because the BITS service is either "Stopping", not running, or disabled (damn users w/ admin rights). I know you were seeing this issue during the TS, but if anyone else sees this I would look at services first.
  6. Well... I removed the SUP Role off Server 2 and Server 10 and then added the role back. Logs still show Server 2 as a place the client can get content, but the client did finally pull down content from Server 10.
  7. I am having an issue with my internet facing clients pulling SCUP content from the internet facing distribution point.

     My setup:

       Server 1: Primary Site Server
       Server 2: SUP (Intranet)
       Server 3: DB
       Server 4: DP (intranet)
       Server 5: DP (intranet)
       Server 6: DP (intranet)
       Server 7: DP (intranet)
       Server 8: MP (intranet)
       Server 9: MP (intranet)
       Server 10: MP/SUP/DP (internet)

     CAS.log on my internet facing client shows:

       Location update from CTM for content 51b851db-685e-447d-bd33-ced84d586e01.1 and request {F6FE3382-2C32-4226-97F4-F7B22A1B29CE}
       Download location found 0 - net:http://<Server 2>:8530/Content/8A/9B5AE8758C171CD7CA67FAA4E9351BAC8CD8EB8A.cab
       Download location found 1 - http://<Server 10>/SMS_DP_SMSPKG$/51b851db-685e-447d-bd33-ced84d586e01

     contenttransfermanager.log:

       Persisted locations for CTM job {6D281906-466B-4B5E-94BA-CCCC483F8A4F}:
       (LOCAL) net:http://<Server 2>8530/Content/45/7BB1CA64A8B5F86CF6EF47B1BE781D6DC7737D45.cab
       (LOCAL) http://<Server 10>/SMS_DP_SMSPKG$/c855ec5d-2b38-422c-9f52-0adc7bde7273

     datatransferservice.log:

       CDTSJob::HandleErrors: DTS Job '{B6F78D35-9106-4734-B443-8C328EB1CEB6}' BITS Job '{7EE97231-4093-4CDA-A8B0-109C9F83BE02}' under user 'S-1-5-18' OldErrorCount 213 NewErrorCount 214 ErrorCode 0x801901F7
       CDTSJob::HandleErrors: DTS Job ID='{B6F78D35-9106-4734-B443-8C328EB1CEB6}' URL='http://<Server 2>:80/Content/8A' ProtType=1

     More info: These clients are configured to be always internet.

     locationservices.log:

       LSGetManagementPointsForSite: Client is configured to be always in Internet - INF MP will be used to get other INF MPs.

     Boundaries are a pretty simple setup, by IP range. Boundaries are not the problem because MS updates and packages deploy no problem. It's ONLY SCUP updates. I cannot figure out why the clients are trying to download the content from Server 2. Server 2 is on the intranet boundary, configured for intranet clients only and is a SUP not a DP. Clients are being scanned successfully for updates by Server 10. Server 10 is absolutely configured for internet clients only. Thoughts? Thanks. James
  8. I am seeing this exact issue as well. 90% of my machines are applying the update without any issues. On 10% I am seeing this problem. Anyone resolve?
  9. I disable the inventory throttle. I have a business need for a pretty extensive software inventory, and it still runs in < 5 minutes. It's worth noting that the performance impact on the machine during the inventory is not noticeable. Here is a link for more information: http://myitforum.com/myitforumwp/2013/11/06/local-policy-override-to-disable-inventory-throttling/ James
  10. Garth, I greatly appreciate your help, but I am not following what you are saying. I am not using subnets for my boundaries. I am using AD Sites. My AD Site has 16k clients. Should I get more granular with the boundary? Change it to subnet mask so there is never more than a few thousand clients in a boundary? Thanks. James
  11. I never really liked how SCCM calculates compliance. Here is how it works. If an update is needed on 10 machines, installed on 10 machines, and not required on 80 machines (total of 100 machines) it would calculate compliance as 90%. 10% for the installs and another 80% for machines that do not require the update at all. In my world compliance would actually be 50% since 10 out of 20 machines need the update. In your screenshot I can see 61 machines need the highlighted update, 0 have it installed, 471 do not need the update, and 208 are unknown (Total 740 under the pie). So, SCCM calculates that out of the 532 machines that have been evaluated (61+471) 471 have it or don't need it. So 471/740 = 63.64%. If I do the math you are 0% saturated. 61 machines need it and 0 have it!
  12. Boundaries are set up based on AD Sites. However, one of the AD sites has 16,000 clients.
  13. Stop the SMS Agent Host service. Run CMD as admin and run "c:\windows\ccmsetup\ccmsetup.exe resetkeyinformation=true"
  14. I had a similar problem a couple months ago. My fix was to re-download the updates into a new deployment package, distribute the new deployment package and delete the old deployment package. This resolved my issue.
  15. I recently discovered (the hard way) that SCCM does not do any load balancing or randomizing of the distribution points. If a client is looking for content and it is provided 4 distribution points the client just starts at the top of the list. Essentially, it seems as though having more than 1 distribution point in a boundary is only for redundancy instead of load balancing. I have two sites. On my primary site I have 4 distribution points for about 15,000 clients. Recently I released patches to the clients and at the same time there were a lot of OSD builds going on. Long story short, one of my DPs was brought to its knees trying to give content to clients while the other 3 DPs were being underutilized. From a client perspective downloading content took hours and it was overnight before the backlog was cleared. I am curious what others are doing when one of their sites is large with multiple DPs? My guess is if each DP can handle about 4,000 clients I probably should not have a boundary group that covers more than 4,000 clients? Thoughts and input are greatly appreciated. James
  16. Here is what I ended up doing: http://myitforum.com/myitforumwp/2013/11/06/local-policy-override-to-disable-inventory-throttling/ Works as advertised and it was easy.
  17. I would like to build a query based on an object variable. I have found the table MEP_MachineVariables, but the value is cryptic. I want to build a collection based on the value of the variable. For example if a machine has Project Standard, and Visio as a variable I want to be able to query for it and throw the object into two collections that will make those packages available to those machines. Thanks! James
  18. Just use this link to determine what ports you will need configured through your DMZ/Domain firewall: http://technet.microsoft.com/en-us/library/bb632618.aspx You will have to configure a service account (Administration > Security > Accounts) for the Primary Site to use. But other than that once the firewall rules are in place just treat the DMZ MP the same as any other site server. Just start adding the roles. When adding the MP roles you will have to select HTTPS and allow internet only connections. One more thing... you will need to configure the firewall to allow the MP to communicate with the site database. (You will have to tell it to use the domain account for this)
  19. Microsoft recommends a CAS only if you are going to have more than 100,000 clients. I am going to venture a guess and say this is probably not the case for you. Using the DMZ setup you are going to just want to set up a Site System Server in the SCCM Console. You will need to add the Distribution Point Role, Management Point Role, and Software Update Point. If you are just getting into SCCM this could end up being a pretty challenging setup. You have a lot to consider... If these sales laptops are not part of the domain you will need to get them certificates for HTTPS communication, plus how are you going to install the SCCM client? Additionally, the DMZ firewall will need some ports open to communicate with your primary site. Properly setting up the HTTPS on IIS on the DMZ server is not too painful but you do need to know some PKI and IIS. Hopefully these remote machines are part of the domain and you can automate some of this stuff. Use policy to generate certificates and client install. Good Luck! Sounds like you are just getting started on this project!
  20. I am assuming these remote machines are 100% internet based and not just on a separate remote network. If they are on a remote network I would just set up a secondary site for those machines and then you can just secure communications between the primary and secondary sites. For our Internet Management we put a MP in the DMZ for them to communicate with. This way you only have to poke holes in the firewall between the Primary site and DMZ MP. The clients are then configured using HTTPS to communicate with the management point located at sccmexternal.<company>.com

     If it helps, here are the install parameters for our intranet machines:

       ccmsetup.exe /UsePKICert /NOCRLCheck smssitecode=lab ccmhostname=sccmexternal.<company>.com

     If the intranet machines go offsite they automatically start looking for the external web address. For our 100% remote machines here are the install parameters:

       ccmsetup.exe /UsePKICert /NOCRLCheck smssitecode=lab ccmhostname=sccmexternal.<company>.com ccmalwaysinf=1

     Notice ccmalwaysinf=1 means the client will always be internet based. Hope this helps.
  21. If you look under the General Tab for Configuration Manager in the Control Panel there is a Client Certificate value. What does that say? I know you have tried to set up with HTTP or HTTPS, but I am wondering if the client is configured for PKI. When you set the MP to HTTP the client may still be trying to use PKI. And if you set the MP to HTTPS maybe the PKI infrastructure is not properly set up. Would start with HTTP and make sure the Client is configured for that.
  22. Look at the LocationServices.log and ClientLocation.log. Any errors? Also put this in a URL: Replace MP with the name of your management point.
  23. Have you double checked you launched the console with an account that has the proper permissions? That is the only time I have seen something greyed out...
  24. We actually do have a need for the Software Inventory. Some other applications (3rd Party) we use need to know file information on executables, DLLs or if we are looking for something specific (like Outlook add-ons, or rarely we need to "tag" a machine with a file). Some encryption software, for example, we need to look at the file version to determine if it's fully patched. So we use some products that are purposely not listed in the Installed Applications (such as encryption for the disk or email tools). Would you call the errors in the InventoryProvider.log normal? Do you know what function InventoryProvider.log is tracking?