Everything posted by Nunzi0

  1. I just tried this and it seems to work OK, but if anyone has a better idea please let me know: Create collection based on operating system -like "%Windows Server%" Exclude Collections: Server Updates 2nd Tuesday, Server Updates 2nd Wednesday, etc.
  2. Hi All, I am trying to build a catch-all collection where any new server that someone might forget to add to an AD patching group shows up. We currently have collections built to look for specific AD security groups that patch servers on specific days. However, I am trying to find a way to build a collection that looks for any servers NOT in one of these groups. Ex: ADGroup: 'Server Updates 2nd Tuesday', 'Server Updates 2nd Wednesday', etc. I built a collection that somewhat performs this by using 'System Resource.System Group Name is NULL'. However, this will only show devices that are not in ANY group and not just the groups I specify. If I use 'SystemGroupName not like "Server Updates%"' it does not quite work correctly. Using the list view only shows the AD groups that currently have members in them. Therefore the results are skewed and do not show devices that are not a member of ANY of the groups. Does anyone have a quick way to find devices that are NOT a member of specific groups?
  3. So I cannot have an FSP designated for one site, and another FSP designated for a different site? Yes, I will be using HTTPS wherever possible. As for the reporting on primary servers, this is for a site by site basis. I only want some select users to have access to reporting for all locations, and other users to have reporting capabilities for single locations. I suppose I could accomplish this with RBAC and site permissions on the CAS as well. For SQL, with our current licensing model we would need to run SQL servers that are solely for the purposes of System Center and nothing else in order to be included in the agreement. So, I want to run 2 SQL servers at one datacenter, and 2 at another datacenter in a Windows cluster. That cluster will hold the CM instance, and if possible the CAS instance. I do not manage the databases so you'll have to forgive my lack of knowledge there. This was the design given to me by the DBAs. I'll be using CM16. Secondary sites are for the more remote locations scattered across the globe. I guess I could just deploy a site server and MP/DP at those sites instead, that may be the better option since it will want a local copy of SQL.
  4. I was not aware of the CAS being down causing issues with SU. Thank you for that. If I install software update points at other primary sites, would I still be able to deploy them? To give you a better picture, here's what I was thinking as far as layout:

     Datacenter A (Headquarters) with CAS and primary site. Roles on primary: System health validator, MP, DP, Reporting, State migration, Software Update, FSP, Asset Intelligence, Software catalog/web
     Datacenter B (HQ DR) with Primary Site. Roles: System health validator, MP, DP, Reporting, State migration, Software Update, FSP, Asset Intelligence, Software catalog/web
     Datacenter C. Primary site. Roles: System health validator, MP, DP, Reporting, State migration, Software Update, FSP, Asset Intelligence, Software catalog/web
     Datacenters D-K Child Sites. Same roles.

     SQL will be Windows Clustered servers in multiple datacenters running only the system center instances. All servers are virtual, and will be using SCCM/SCOM 2016 and SQL 2016. I don't expect any of the datacenters to be down for any extended period of time, but I would like to be able to say that if one goes completely dark from either power or connectivity that we can still deploy to other sites.
  5. In our current DR strategy, we will typically shut down entire datacenters at a time for maintenance, patching, upgrades, etc. This is why I would need more than one primary site to be active in order to keep things up and running. If you still think that I could get by without a CAS for a scenario like this, I would definitely look into it.
  6. It's not about the sheer number of machines we have, as we probably only have around 20k. It's more for a central reporting/asset source of truth for all locations. We're going to have 3 primary sites, and several child sites, and would like to have one point where several groups can administer the entire environment as a whole for consistency at every location.
  7. I'm in the process of designing an entirely new System Center environment for my company and just have a couple of questions regarding the SQL setup for it. I know that I need a CAS hierarchy in this new setup, as it will be global. Unfortunately I have not built a CAS environment before and I'm a bit unfamiliar with the database that it runs on. My plan is to install the database instances on a clustered SQL environment, however I am just unsure if the CAS database needs to run locally on the CAS itself or not. Also, what type of data is on the CAS database itself? Is it the client data for the entire environment, or just used as a vehicle to replicate primary site data between sites? Just trying to size out the storage requirements for the databases. Any insight is appreciated. Thanks
  8. I've been tasked with building out a new instance of Configuration Manager in a brand new forest that things will eventually collapse into. I currently have one location available that I can start building in, however this is not the end goal for the primary site location. Can I build a primary site now, and then demote this to a child primary site once the final location is ready to be configured? For example, I'll be building a primary site in BOS now, and this will eventually become a child primary site for the final primary site location in TX, with additional child primary sites in LA.
  9. I've recently created a report to find Anti-Virus software that is missing from computers on the network. The workflow is as follows:

     Main Report: (Attached Image 1) Lists 3 collections and their member count - All Devices, Devices WITH anti-virus installed, Devices missing anti-virus
     Sub-Reports:
       All Devices with anti-virus installed - which includes net bios name, installed product name, and product version
       Devices missing anti-virus - Shows the host name of the devices in the collection (Attached Image 2)

     I was able to link the Collection Name results from the main report to the 'devices missing a/v' report. However, all 3 results from the main report are linked to that one report. Is there a way for me to specify each result to a different report? I would like the devices WITH a/v to go to the other sub report that shows all devices with a/v, and the devices without a/v to go to the devices without a/v report.
  10. My problem ended up being that I was using a .wim file that I got from the build and capture process. I started using the install.wim from the Windows 7 CD and it worked fine afterwards. I suspect something went awry during the capture.
  11. I've been building the OSD procedures for our company here and have had decent success getting it to work. I've gotten the ConfigMgr Client to install on several device models, but I've run into a problem with a particular one. I'm not sure why the same client install package, and the same installation account used on multiple machines would not work on this device. Has anyone seen this before? I couldn't find much on the net. Here are the ccmsetup.log errors I am seeing.

        MSI: Action 11:10:38: CreateFolders. Creating folders ccmsetup 3/25/2016 11:10:38 AM 2332 (0x091C)
        MSI: Action 11:10:38: CcmDetectFilesInUseRollback. Rolls back files moved by CcmDetectFilesInUse. ccmsetup 3/25/2016 11:10:38 AM 2332 (0x091C)
        MSI: Action 11:10:38: CcmDetectFilesInUseCommit. Commits action of CcmDetectFileInUse. After this we cannot rollback. ccmsetup 3/25/2016 11:10:38 AM 2332 (0x091C)
        MSI: Action 11:10:38: InstallFiles. Copying new files ccmsetup 3/25/2016 11:10:38 AM 2332 (0x091C)
        MSI: Action 11:10:40: RegisterExtensionInfo. Registering extension servers ccmsetup 3/25/2016 11:10:40 AM 2332 (0x091C)
        MSI: Action 11:10:40: WriteRegistryValues. Writing system registry values ccmsetup 3/25/2016 11:10:40 AM 2332 (0x091C)
        MSI: Could not write value LastMsgSerialNum to key \SOFTWARE\Microsoft\CCM\StateSystem. Verify that you have sufficient access to that key, or contact your support personnel. ccmsetup 3/25/2016 11:10:40 AM 2332 (0x091C)
        MSI: Action 11:10:40: Rollback. Rolling back action: ccmsetup 3/25/2016 11:10:40 AM 2332 (0x091C)
        File C:\WINDOWS\ccmsetup\{181D79D7-1115-4D96-8E9B-5833DF92FBB4}\client.msi installation failed. Error text: ExitCode: 1603 Action: WriteRegistryValues. ErrorMessages: Could not write value LastMsgSerialNum to key \SOFTWARE\Microsoft\CCM\StateSystem. Verify that you have sufficient access to that key, or contact your support personnel. ccmsetup 3/25/2016 11:10:43 AM 2332 (0x091C)
        Client installation has failed too many times. Ccmsetup will now abort. ccmsetup 3/25/2016 11:10:43 AM 2332 (0x091C)
        A Fallback Status Point has not been specified. Message with STATEID='313' will not be sent. ccmsetup 3/25/2016 11:10:43 AM 2332 (0x091C)
        InstallFromManifest failed 0x80070643 ccmsetup 3/25/2016 11:10:43 AM 2332 (0x091C)
        Deleted file C:\WINDOWS\ccmsetup\ccmsetup.cab.download ccmsetup 3/25/2016 11:10:43 AM 2332 (0x091C)
        Deleted file C:\WINDOWS\ccmsetup\ccmsetup.xml ccmsetup 3/25/2016 11:10:43 AM 2332 (0x091C)
        CcmSetup failed with error code 0x80070643 ccmsetup 3/25/2016 11:10:43 AM 2332 (0x091C)
  12. My company is going through an exercise to retire all of the SHA-1 certificates in the environment due to its upcoming EOL date by MSFT. One of the larger pools of devices using a SHA-1 cert are the end user devices, which use a self-signed SHA-1 certificate when using RDP. Most of the info I've found online so far only discusses how to force this cert to use SHA-1 with registry edits, but nothing about SHA-2. Has anyone gone through this exercise yet? If not you may need to soon. Looking for some technical pointers on how to accomplish this. Also, we currently use the self-signed cert that each device generates when connecting. If I force a new certificate from a domain CA, wouldn't I lose the ability to RDP from non-domain computers?
  13. I currently have all classifications selected to sync. What confuses me about the updates being possibly superseded is that the new updates that replaced them should fix the issue/patch the vulnerability. However, I cannot find any of the updates that replaced the original either. Very strange.
  14. I am trying to figure out why my ConfigMgr is not syncing certain Microsoft updates when in reality, they should be. My setup is a standalone primary site with all roles installed on a single server. I've checked WSUS on the server and verified that at least one of the updates I am looking for is in fact downloaded. However, when I check in the SCCM console, it never shows up. I've tried the manual import process using the Microsoft Update Catalog, but am never able to publish to the console. I checked to see if the update required manual input. From what I read on another post regarding a similar issue, updates would download into WSUS but not sync with ConfigMgr if that particular update required user input. This is not the case here. I've also checked for the updates that replaced this one, and found none of them. I made sure I am downloading all of the Office updates I may need in my environment. In this case, this update is for Excel 2010. And here it is in WSUS. Not sure where to go from here. How do I get this update into ConfigMgr?
  15. This Service Pack tool is exactly what the doctor ordered. Worked perfectly to do what I needed. Thanks!
  16. We have Office 2010 installed already. It's the SP2 update that I'm trying to remove. So yes.
  17. I recently deployed an update for Office 2010 through an auto-deployment rule. This particular update caused some errors in the Outlook calendar when trying to invite users to meetings who are not members of our domain, but rather users of another domain in a trust. The issue is that it caused Outlook to crash completely every time this was attempted. I was able to manually remove the update via the 'View Installed Updates' link in the Programs and Features menu. However, anything I try to get this uninstalled in any other method has not worked. Here's what I tried: Following these instructions: https://weikingteh.wordpress.com/2013/05/13/how-to-rollback-remove-a-patch-using-sccm-configmgr/ I created a Task Sequence that runs this command line:

        C:\Windows\System32\wusa.exe /uninstall /kb:2687455 /quiet /norestart

      The end result was 100% failure. The errors shown in the ConfigMgr console under deployments show message ID 11170, and error: The task sequence manager could not successfully complete execution of the task sequence. Running this command locally on any device (with the /quiet variable taken out) results in an error also. Next I tried using DISM using help from this post. I used the command:

        dism /online /get-packages /format:table

      The problem is that the package is not listed. It appears that this only lists packages for the operating system and not installed applications. Is there something I am missing here? How are you all doing this?
  18. I'm looking for a place where I can download Microsoft's best practices for compliance on their systems. Like something for Server 2012, or Exchange, Windows domain controllers, etc. Does anyone know of any?
  19. Do you have several maintenance windows set up? Computers that are a part of multiple collections that all have their own maintenance windows will overlap. Meaning, if computer A is in collection 1 and maintenance window is set from 4pm-8pm and computer A is also a member of collection B where the maintenance window is set from 7pm-12pm, then your window becomes 7pm-8pm.
  20. I've noticed this as well when deploying Applications rather than Packages. If I update an application and try to redeploy it to the same collection, the statuses will not change. It will essentially skip over the ones it touched already, or at least give the illusion that it did. Updating the application should also update any deployments you have set also.
  21. I ended up getting this to work by changing the program environment variables. It was originally trying to uninstall from SYSTEM and was not finding anything. I changed this option to only run when a user was logged in, and run with the user's rights and it worked perfectly. This particular program installs on a per user basis, something I was not aware of at the start.
  22. Great method. I've been using the ADRs and excluding the title of the updates, but this is much easier to maintain in the long run.
  23. I ended up resolving my issue. I set the program to run "Only when a user is logged on" and it worked perfectly. This particular program must be on a per user basis, uninstalling from SYSTEM was not working properly. I kept getting No Instances available, or 1605 errors when trying to uninstall from system, even with msiexec /x {product code}.
  24. I'm getting an error trying to run this.

        UnauthorizedAccessException
        gwmi : At line:2 char:1
        + gwmi -Namespace root\cimv2\SMS -Class SMS_InstalledSoftware -Filter "ProductName ...
        + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : NotSpecified: ( [Get-WmiObject], UnauthorizedAccessException
        + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
  25. I did end up trying this from a post on another forum. I used psexec -s -i cmd.exe and did a whoami to verify I was logged in as nt authority/system. The script ran fine when used that way. However, I added logging to the original .cmd file like this:

      New Script:

        taskkill /F /IM remote-viewer.exe /T
        echo start >"C:\temp\virtviewer.log"
        wmic product where "name like 'VirtViewer%%'" call uninstall /nointeractive >>"C:\temp\virtviewer.log"
        echo done >>"C:\temp\virtviewer.log"
        exit /B %EXIT_CODE%

      When deploying the script through ConfigMgr I get this from the log file:

        start
        No Instance(s) Available.
        done

      When running the exact same script locally I get:

        start
        Executing (\\VM-WIN7-MIKE\ROOT\CIMV2:Win32_Product.IdentifyingNumber="{235D4E1F-1C6F-4F75-BE85-A3B652AD3315}",Name="VirtViewer 0.5.6-25.el6_5.3.4.1 (64-bit)",Version="0.5.1561")->Uninstall()
        Method execution successful.
        Out Parameters:
        instance of __PARAMETERS
        {
        ReturnValue = 0;
        };
        done