Everything posted by blaf

  1. Hello, I would suggest signing up for the upcoming virtual training with the Deployment Research team; it's next Thursday and I think it's well worth the money. You can send them questions before the training starts. I did training with them 6 months ago and it was useful; now they have notes from the field, which are definitely useful for all of us who have Windows 10 to upgrade in the enterprise. http://www.eventbrite.com/e/windows-10-setup-and-deployment-internals-notes-from-the-field-tickets-25723298077 Other than that, I suggest watching this free Microsoft Virtual Training https://mva.microsoft.com/en-US/training-courses/deploying-windows-10-using-system-center-configuration-manager-16311?l=MqgTvxQPC_5406573942 Blaf
  2. 1. I am preparing Windows update deployments with SCCM in a medium-sized company - around 500 computers. In my test environment I deployed Windows updates for the last 6 months; more than 200 definitions got updated but a couple failed temporarily on some machines. By temporarily I mean that they are installed after a retry in Software Center. The challenge is the notification in the status bar which shows that an update failed: even though more than 200 updates got installed, the notification points to a couple of failing updates. I can hide all notifications when I configure settings for the deployment and keep the end user notified only for computer restart. This will probably bypass the failing updates notification but will NOT install those required updates. If I keep these notifications enabled then end users will generate numerous tickets for the Help Desk, assuming updates are not installing properly. I can't send an introductory email to 500 people with something like: "If you notice you have a couple of updates which failed please hit retry in software center and they will get installed" What are the best practices in the industry? 2. The second thing would be restart policy with SCCM. We can configure in Administration/Client Settings/Default Client Settings (or create custom client settings) /Computer Restart the option to reboot the computer max 24 hours after updates are installed. (Display a temporary notification to the user that indicates the interval before the user is logged off or the computer restarts(minutes)) - max 1440 min = 24h. This will make sure that updates are being installed and the computer is compliant. But it's not as simple as it seems. VIP people don't want to be forced to reboot their computers after 24 hours if they are in the middle of a presentation or in a meeting. It's really hard to plan and reboot a computer prior to important events but there is no option to postpone. If we don't make reboot mandatory (in group policy on the domain controller) then computers will be vulnerable.
There are other tools on the market, like shutdown tool from coretech group, not sure if this tool could reboot computers which are not even patched by mistake after 7 days. I need to test this tool in my lab. Any advice, the best solutions out there? Thanks, Blaf
  3. Actually it is solved, I have used the same script recently (offscrub.vbs) and it runs perfectly. Solution was simple and just behind the corner, this tool was amazing. Uninstalls Office 2010 without leaving any traces. Thank you for following up. Best regards Blaf
  4. Hello, I need advice on how I should proceed to configure the following environment: There is an existing WSUS-1 server which is pushing updates to around 500 computers. It's completely controlled by group policy and running without any issues. We have SCCM 2012 SP1 configured with a Software Update Point. There is a second WSUS-2 installed on the SCCM site server which was used only to test deployments to the Test OU; this Organizational Unit was not controlled by Group Policy on the Domain Controller, the same Group Policy which is pushing updates on WSUS-1. Lately I tried to include more machines in the Test OU to continue testing this demo environment; eventually the idea is to completely switch from the old WSUS-1 (independent) to running deployments with SCCM and a Software Update Point configured with WSUS-2. Somehow machines added to the Test OU are not reporting anymore to WSUS-2. I've tried every possible setting: Specify Microsoft Intranet Location - Local Group Policy on SCCM to point to WSUS-2; registry settings to point to WSUS-2; run manual client authorization detection in command prompt (on client); even disable (unprovision) WSUS-1; deploy update group with SCCM. Still we are seeing in log files a Group Policy conflict coming from WSUS-1; actually Group Policy on the Domain Controller precedes Local Group Policy. Which settings should I look for... this was working at some point on 2 computers in the Test OU which was not controlled by GP on the Domain Controller. The Sys Admin who installed WSUS-1 and linked the Group Policies didn't make any changes. I am aware that having 2 WSUS servers in this kind of environment is not recommended by Microsoft. We are talking about 500 computers, not cross-forest domains with thousands or tens of thousands of machines, in which case primary and secondary WSUS would make sense. But I don't want to uninstall WSUS-1 yet until WSUS-2 starts syncing clients and SCCM is pushing updates successfully.
Should I disregard WSUS-2 and point to WSUS-1 from SCCM, as Group Policy is completely controlling this server (WSUS-1)? Or should I uninstall WSUS-1 and point to WSUS-2 on the SCCM site server? But there would still probably be hidden Group Policy settings preventing WSUS-2, configured with the Software Update Point on SCCM to deploy updates, from starting to sync with clients. What would be the best practices? Which GP settings should I check? What's mostly causing conflicts between local and domain group policy in this kind of setup? WSUS 3.0 SP2 is running on both servers. Thank you Blaf
  5. That's OK. Thank you for your reply. I will try to create script on my own. Regards
  6. Hi there, I am not sure if this post will be active again but this is actually very interesting for me as I am in the middle of the upgrade process from Office 2010 to Office 2013 with SCCM. Your post already provided answers to many questions which I have had during the testing phase of the Office 2010 upgrade. I am using the Office Customization Tool to remove all Office 2010 apps and find myself confused by having SharePoint Workspace and Office 2010 Suite apps disabled but not uninstalled in Control Panel / Programs and Features. The uninstall XML file is configured and stored in the source location. Uninstall command during upgrade process (deploying Office 2013 app): \\server\share\Office15\setup.exe /uninstall ProPlus /config \\server\share\Office15\ProPlus.WW\SilentUninstallConfig.xml I understand SharePoint Workspace is not present in 2013 and can't be removed during the upgrade process. Additionally I don't want to leave traces of Office 2010 on computers after the upgrade, as users can start manually enabling some features in Office 2010 and create a nightmare. Even though I selected the option "remove all" in OCT (Office Customization Tool) it keeps Office 2010 only disabled but not completely uninstalled. Is it possible to have pictures presented to make sure I am following the right steps? Thanks
  7. Hello community, I've experienced strange problem, in corporate environment application My Eclipse is not recognized/visible in any SCCM report. Vendor name - Genuitec - is not presented either. For some reason data about this application is obviously missing from database even though app is present in environment for long time. I installed app on my computer to test it, no change. Searched online, strange enough not custom issue that people are writing about. Link to vendor https://www.genuitec.com/products/myeclipse/download/ Application is windows .exe file. Thank you. Blaf
  8. Pause task sequence is an excellent feature, I will test it in the other task sequence - for OSD. The task sequence for uninstalling the hotfix has failed. The TS was running too long without any confirmation. Please find in the attachment the smts log snapshot. Any thoughts....
  9. Pause task sequence is an excellent feature, I will use it for Task Sequence OS deployments which are failing. Even though I included the command as suggested for hotfix deployment, cmd.exe /c "C:\Windows\System32\WUSA.exe /uninstall /kb:2531912 /quiet", it didn't uninstall the hotfix. The task sequence was running too long, I closed it and the uninstallation was not performed properly. Not sure how to proceed. Please find below the smts log file snapshot.
  10. Thanks Niall, I'll try this right away, hopefully it will work. Your forum makes the learning curve with SCCM much easier. I definitely missed the backslash after the C: drive in the command line. Best regards, Blaf
  11. Hello, I am testing uninstallation of Microsoft Hotfix. It's pushed to a couple of machines successfully with SCCM 2012 as package. Now before deploying this mandatory hotfix ( KB 2531912 ) I need to test uninstall. I created task sequence with only this command: C:Windows\System32\WUSA.exe /uninstall /kb:2531912 /quiet /promptrestart On client I am getting error: Command line execution failed (80070002) Failed to run the last action: Run Command Line. Execution of task sequence failed. The system cannot find the file specified. (Error: 80070002; Source: Windows) Install Software failed to run command line, hr=0x80070002 Smts.log file at C:Windows\CCM\Logs\smts.log Any thoughts....? Thanks Blaf
  12. Thanks Peter. Device is already member of limited collection, but I am still experiencing intermittent problems when I am importing unknown computers in SCCM. I am using only MAC address. Will work on this. Thank you for reply. Blaf
  13. Hello, I am deploying OSD to test computers, importing devices as unknown computers, including MAC address and GUID. However, I am randomly experiencing problems with collection membership not being updated. For example, I am able to import an unknown computer and deploy OSD through a Task Sequence. Then I change Task Sequence steps (include additional drivers, change the AD OU where to add the computer name, etc.), delete this device and device collection and try to import the same unknown computer. When I manually run "update membership" it doesn't populate with any device – count 0. The reason why I was deleting this collection is that I could not push the changed Task Sequence again, even though the previous deployment is scheduled to expire and deleted. Therefore I proceeded to recreate the same collection. As mentioned above, the collection and device were deleted. It seems to me it still has a record in the SQL database in SCCM. On the other hand, I tried to add a completely new unknown computer (not included before in devices and collections); this is an out-of-the-box machine. It's not populating when I create the device collection: I imported the unknown computer in devices, created the collection and selected update membership – zero count. In colleval.log there are no errors or activities, if I am reading it properly. Incremental updates and membership rules are turned off for single unknown computers. I did change it and turn it on; nothing updated. Probably after some time I will be able to update that membership successfully, but I am not sure which cycle runs in the background. Some reference online: • Determine from the Colleval.log file whether the Collection Evaluator was able to run a query against the SMS site database to obtain the latest information about a specific collection. This log file contains a record of SQL Server connectivity problems. The log file also records SQL Server environment issues related to running the query, such as the Tempdb database's running out of space or SQL Server's running out of memory.
To determine or adjust SQL Server settings, use the SQL Enterprise Manager. • Verify that changes to update schedules in the SMS Administrator console are written to the SMS site database through the SMS Provider by checking the SMS Provider status messages or enabling and examining the SMSprov.log file. All Systems and All Unknown Computer membership rules are configured through Query, for single unknown computer which I imported membership rules are configured as - direct… SCCM Incremental updates are activated for All Systems and All Unknown Computer. Please let me know if you have any thoughts. I hope I am explaining this clearly. Thank you Blaf
  14. Hello, I am running an OS deployment task sequence on HP EliteBook 8570/8560p. I am using HP BiosConfig (BCU) to customize BitLocker encryption. BCU scripts are in bat files and the last step enables BitLocker when the OS is customized. However, once the OS is installed I've noticed that BitLocker is suspended; when I try to enable it I get the following message: "Wizard initialization has failed. One or more BitLocker key protectors are required. You cannot delete last key on this drive" When I try to Manage BitLocker in Control Panel, I get the following message: "Manage BitLocker cannot open because there is no keys to manage" The network driver is installed but the computer is not joined to the domain. In the task sequence it's configured to join the domain with a specific OU. I've included the required config file with BiosConfig - tpm.rset - to enable BitLocker and activate TPM. There is a tutorial on this website on how to customize the task sequence with a Dell computer; on the HP website there is no real guidance besides forums. Properties of the tpm.rset file change based on the HP computer model where the task sequence is deployed. What am I missing? Do I have to select a different OU.... Thanks Blaf All steps: Install OS; Restarts in Windows PE; Partition Disk 0 - BIOS; Partition Disk 0 - UEFI; Bitlocker configuration; Prepare HP BIOS TPM package; Set BIOS password; Restart computer; Prepare HP BIOS TPM package; Enable TPM in BIOS; Restart Computer; Prepare HP BIOS TPM package; Restart computer; Activate TPM in BIOS; Restart computer; Prepare HP BIOS TPM package; Take ownership of TPM; Prepare HP BIOS TPM package; Remove Temp BIOS password; Preprovision BitLocker; Apply OS; Apply Windows settings; Apply Network settings; Apply Device drivers; Setup OS; Setup Windows and Configuration Manager; Install updates; Install applications; Restart computer; Take TPM ownership; Enable Bitlocker
  15. blaf

    How to stop deployment

    Hi Nial, Thank you so much for this information. I will test this on couple of devices, create document and keep it in file. I guess as you mention on this webpage this can happen to all of us in SCCM sooner or later. The way how we are gonna react and stop it makes difference. Best regards, Blaf
  16. Hello, It would be great to have guide how to enable TPM chip and proceed with BitLocker steps inside Task Sequence on HP computers. Requirement is to use HP BiosConfig utility, there are some instructions online but it would be great to have tutorial on windows-noob like on this page for Dell computers. Reference: https://anothermike2.wordpress.com/2010/10/18/enable-tpm-via-task-sequence-on-hp-boxes/ http://myitforum.com/myitforumwp/2012/01/26/enable-bitlocker-on-hp-laptops-via-osd/ https://gallery.technet.microsoft.com/scriptcenter/SCCM-2012-Automatically-a505f1a7 Thanks, Blaf
  17. Hello, What would be the best method to stop deployment, whether it's patch, application, client or OS... This step would be in emergency if deployment is started and needs to be prevented immediately. Example would be if wrong collection was selected, and start deploying application to All Systems instead of smaller collection of devices. I believe restarting some services would stop deployment, I am not sure if it's SMS_Site_Component_Manager or other service ( not SMS_Executive ). Thanks, Blaf
  18. blaf

    Hardware age report

    Hi TH0MA5, Just to confirm that I was able to finish report presenting computer age. I used query which you provided and pulled the BIOS dates for all computers in our domain, which is sufficient to use as reference for future deployments. Thank you so much for posting this SQL code, it was extremely helpful. Best regards, Blaf
  19. blaf

    Hardware age report

    Hi GarthMJ, I am sure that Enhansoft is an excellent tool to pull this report; I will try to run the query posted by Thoma5 and see if there is a need now for Enhansoft. It's interesting to know the difference between warranty date and BIOS, I might even contact HP to try to get more information on how they calculate warranty and use that as a reference. A demo would be interesting as well; if both solutions are working it would be interesting to compare results. Thanks for posting this extensive report, Blaf
  20. blaf

    Hardware age report

    Hi Thoma5, I have to apologize for not replying on your letter before. I will test this query right away and let you know if it was successful. This is actually what we want, to determine how many computers we need to replace this year moving forward. Anyway, this is much appreciated, can't wait to test it. Thanks for your time. Blaf
  21. blaf

    Hardware age report

    Hello, I have to create report presenting age of computers in our company. We have hardware refresh cycle of 3 years and I need computer age report to calculate how many deployments to schedule per month/year. I was trying to create custom query, use SQL Report Builder inside of SCCM but without much experience and success. Kent Agerlund posted interesting link in one of the forums, for this tool: http://www.enhansoft.com/pages/warranty-information-reporting.aspx Before trying 3rd party tools it would be great if this report could be created directly in SCCM. Thanks, Blaf
  22. Hi, Jorgen. I will follow these instructions. Thanks for the quick reply. Much appreciated. Blaf
  23. Hi there, I am trying to deploy a smart card driver (Gemalto.MiniDriver.IDPrime) by using SCCM 2012. The idea is to predeploy the driver before the smart card is used to finish the rest of the configuration (when the smart card is plugged into the PC the driver should be already installed, and the card will be recognized to proceed with configuration of smart card login on that PC). I've created a driver package, used 1 PC as a test collection and included the following command inside the driver package: RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 \\<networkpath> \Gemalto.MiniDriver.IDPrime.inf This command was tested in command prompt successfully, but when I try to deploy this package nothing happens. I used this command as per instructions from the Microsoft website: InstallHinfSection is an entry-point function exported by Setupapi.dll that you can use to execute a section of an .inf file. InstallHinfSection can be invoked by calling the Rundll32.exe utility as described in the Remarks section. The prototype for the InstallHinfSection function follows the form of all entry-point functions used with Rundll32.exe. Default path: RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 path-to-inf\infname.inf I am still new to SCCM, and I was hoping that I can find an answer at this forum. Sorry if I am missing something obvious. Thanks, Blaf