About cpuprofessional

  1. I think this is similar to what I am seeing. I apply patches, then push the patches to a machine to see if any are missing, and all the same patches reapply and the machine reboots. If it is listed in the GUI that it is patched, why does the WIM seem like it is not patched? I am also looking for a solution to this. My other alternative is to patch the WIM using the DISM command line: https://www.windows-noob.com/forums/topic/13545-wim-patching-and-patch-deployments-detection/
  2. I ran into the same problem with patching desktops; some recent critical patches needed a pre-req to be detected. What I did was schedule my patches with a start time defined for each group. Also make sure you specify a deadline instead of the default so that you have full control of when patches go out. This will change based on how many patches you include. Look at the service window log or the wuaupdate log to make sure that you have enough for SCCM to install the patches. If the window is too short it will say something like "not enough time in service window" or something like that.

     Then a few hours later, in the middle of my patch window, I deploy a PowerShell script that runs a policy retrieval and software update scan. The package looks like this:

         powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -File ".\PolicyForce_Machine_UpdateDeploy_UpdateScan.ps1"

     In the source folder I have a ps1 with this inside it:

         $computer = "."
         $SCCMClient = [wmiclass] "\\$computer\root\ccm:SMS_Client"
         #Machine Policy Retrieval and Evaluation Cycle
         $SCCMClient.TriggerSchedule("{00000000-0000-0000-0000-000000000021}")
         #Software Updates Deployment Evaluation Cycle
         $SCCMClient.TriggerSchedule("{00000000-0000-0000-0000-000000000108}")
         #Software Updates Scan Cycle
         $SCCMClient.TriggerSchedule("{00000000-0000-0000-0000-000000000113}")

     You can do this a few ways with VB or other scripts. This shows you the actions you can do: http://blogs.technet.com/b/charlesa_us/archive/2015/03/07/triggering-configmgr-client-actions-with-wmic-without-pesky-right-click-tools.aspx

     Here are a few different ways to get this accomplished, like VB and other methods:

     http://tompaps.blogspot.com/2012/12/machine-policy-retrieval-sccm.html
     https://blogs.technet.microsoft.com/configmgrdogs/2014/09/03/wmi-powershell-and-the-configuration-manager-client/
     https://gallery.technet.microsoft.com/scriptcenter/ConfigMgr-Client-Action-16a364a5

     Hope this helps.
  3. Config Mgr 2012 SP1

     All, just trying to figure out if anyone else runs into this problem. My company deploys patches quarterly. I read all the KBs, verify which patches I need, and also which patches need to be deployed by themselves. I set up deployments that run overnight. I break up the deployments based on prereq’s and if a KB says it has to be installed solo, or if a reboot is necessary, etc.

     Offices are on a 12am to 6am maintenance window. Patches are deployed during this time. Option to install outside maintenance window is unchecked. Deadlines are set to 15 ~ 30 minutes after available time. 90 restart time if user is logged in. Each deployment is given a lot of thought: deployment + install + reboot timer (if logged in).

     Brief overview of a recent patch deployment:

         12:00 am  critical updates first round
         12:30 am  critical updates second round (patch restart if necessary)
         2:30 am   PowerShell script to force policy retrieval, software update scan, software update deployment
         3:00 am   Security Updates

     Once the patches reach 90~100% compliance for my offices, I start to patch my WIM a few days later. This time I patched the WIM using the SCCM GUI on a copy of the current patch. I carefully selected only the patches I have pushed out in the recent update. I did the GUI patching in the same method I did the deployment, so start with the critical updates first round, let it patch the WIM, then once successful I start the process again with the next set. End result: WIM grows in size. Imagex is used to update the WIM description and version #. The WIM was not distributed to my test DPs until all of this is completed.

     I made a copy of my existing task sequence, then updated the install operating system step with the newly updated WIM. Install updates step is disabled in task sequence (should be in the WIM). The imaged test machine is placed into a collection that sets the maintenance window to 24 hours. I keep an eye on the wuahandler.log and updates deployment log to see if patches are triggered. Sadly, all of the patches I updated in the GUI redeploy to the test workstation.

     My question is, why are the patches not detected as installed and skipped? I compared the logs with the installed updates from the server and see the same KB numbers in both. Not sure why it is patching an already “patched” WIM. My other option is to copy the WIM, extract the patches to a folder and use the dism /add-package switch to install the patches (I did this on the last version of the WIM). I really didn’t want to do this since not all patches are cab files that can be installed this way (like .NET updates). Any information would be greatly appreciated.
  4. I am working on helpdesk remediation strategies for virus notifications. I have set up alerts and find that most viruses get cleaned, so the machine does not show up in the at risk collection. I want to set up a collection where a machine is infected so my helpdesk can deploy a cleaning package if the machine cannot be replaced right away. I have set up a device collection with the following criteria; however, I wanted to make sure this is correct.

     Using the GUI it is set to: Criteria Antimalware Infection Status.ComputerStatus is equal to 2

     SQL view looks like this:

         select SMS_R_SYSTEM.ResourceID,
                SMS_R_SYSTEM.ResourceType,
                SMS_R_SYSTEM.Name,
                SMS_R_SYSTEM.SMSUniqueIdentifier,
                SMS_R_SYSTEM.ResourceDomainORWorkgroup,
                SMS_R_SYSTEM.Client
         from SMS_R_System
         inner join SMS_G_System_AntimalwareInfectionStatus
             on SMS_G_System_AntimalwareInfectionStatus.ResourceId = SMS_R_System.ResourceId
         where SMS_G_System_AntimalwareInfectionStatus.ComputerStatus = 2

     Just want to confirm if this looks correct. Running the query shows 1 machine I know to be cleaned but recently infected; however, it does not list a second machine listed in the infected computers report. However, the report is looking at a week's worth of data.
  5. I have a weird issue that I cannot track down. In our environment we keep getting complaints from helpdesk and users that their fonts change after they are remote controlled. Sometimes this happens after the helpdesk disconnects and others when they initially connect to the user via SCCM remote control. Most clients are on dual Dell 24 inch or single 19in monitors, mostly with Nvidia NVS300 video cards, but this has also happened with new Lenovo desktops using dual built-in display ports via onboard ports.

     What happens after or during a remote control session is that the user states that the fonts look "thin" or distorted. Something that is visibly noticeable when someone is connected. Our environment is a Citrix XenApp 6 farm for all applications, so the desktop is essentially a terminal. We have seen this issue across several types of hardware and are still looking for the reason. The issue does not happen on every machine, just sporadically. I used Process Explorer and see the memory usage on the Nvidia video memory is a little high, however I have not completely used and that varies from machine to machine. There is no notification to the IT person who is remote controlling the machine, since they see the fonts normally.

     I think this has something to do with the scale to fit option that is turned on by default on SCCM remote control; however, I am not sure if that has something to do with this. Just wondering if anyone has seen this issue before.
  6. Had the same issue, had to open a support case due to deadline. I worked with a Microsoft engineer on the case. The issue is now resolved. The problem was due to the server not being part of a local security group that caused it to not install a function. We reviewed several logs to isolate the problem. The Microsoft engineer approached this from a "what is the expected outcome" rather than just the specified error code. Before this was fixed all of my EU desktops were showing up inactive and with no inventory, and no historical data. Now everything works properly. Details below.

     Had Microsoft review my settings on support call:

         Confirmed boundaries were correct.
         Discovery groups and settings are correct.
         Secondary site settings and roles are correct.
         Overall health of SCCM is correct.
         Site hierarchy is correct.
         Server installation procedure is correct.
         Server SCCM patch installation is correct.
         Site to site functions are correct, however we have to double check logs to make sure all components are correct.

     Since imaging and remote controlling are functioning, there might be a component error as initially suspected. We isolated a machine in one office, and reviewed log files (inventoryagent.log and others), confirmed that the machine is sending its log files to the management point. We then took a look at log files on the servers to further isolate the issue.

     <PROBLEM SECONDARY SITE SERVER>

         U_ex***.log – IIS server logs
         Compmon.log – component information including installation
         Perfsetup.log – performance counter information
         Mpfdm.log – moves client files to the corresponding SMS\INBOXES folder
         Mp_Hinv.log – to confirm that the MP is receiving and processing inventory
         dataldr.log – logs .mif file processing for inventory on primary site

     <PRIMARY SCCM SERVER>

         dataldr.log – logs .mif file processing for inventory on primary site
         dataldr.lo_ – logs .mif file processing for inventory on primary site

     We noticed that the associated .mif file for the desktop machine was not present on <PRIMARY SCCM SERVER> (search on ConfigMgr\inboxes\auth\dataldr.box). We reviewed additional logs and found errors in the compmon.log files. We concluded that there is a communication error between <PROBLEM SECONDARY SITE SERVER> and <PRIMARY SCCM SERVER>, since the inventory logs were present and processing on <PROBLEM SECONDARY SITE SERVER>.

     Deeper analysis of the logs pointed us to the root communication issue between <PROBLEM SECONDARY SITE SERVER>

     Local administrators group was correct with <PRIMARY SCCM SERVER> and <PROBLEM SECONDARY SITE SERVER> added. The sitecomp & compmon logs were reviewed further and we found some additional issue with components not installing fully. Per one of the logs we see a failed installation and a removal of the server from a local group. <PROBLEM SECONDARY SITE SERVER> was being removed from a local group – SMS_SiteToSiteConnection_[SITECODE]

     We added the server back to the group and restarted the SMS_SITE_COMPONENT_MANAGER service. Once this was restarted we reviewed the logs again. <PROBLEM SECONDARY SITE SERVER> started processing and completing any installation of missing components. Exit codes 0 for completed installations. Sender.log started showing progress in transmitting the inventory and collected data from the workstations.

     Results

         BGB installed correctly.
         <PROBLEM SECONDARY SITE SERVER> – shows green status in component settings in SCCM Console.
         Refreshed the SCCM Console on <PRIMARY SCCM SERVER>.
         <SECONDARY SITE> machines were now listed with the correct management point – <PROBLEM SECONDARY SITE SERVER> and are now showing as active.
         Software deployment status has been updated for EU offices.
  7. Does anyone have a solution to this issue? I have the same issue and each way I try to modify the files it still gives the error. Now all of my clients for the secondary site are showing up as inactive. Not sure if this is related or not.