Jump to content


Lagamorph

Established Members
  • Posts

    48
  • Joined

  • Last visited

Posts posted by Lagamorph

  1. Unfortunately the reason I'm using standalone media is that the servers are more often than not connected to networks where DHCP is disabled at the switch level for security, so the task sequence can't contact any external server at all. And we have so many different internal network ranges that putting a script into the task sequence to configure a temporary manual IP isn't possible.

  2. Hi all,

    So I'm possibly looking to do the impossible here but thought I would ask the question.
    At the moment my standalone media prompts with a UDI wizard to complete details such as hostname, OU and security policies, but I'm currently working on a Powershell script to automate Offline/Standalone SCCM builds of physical servers which aren't able to connect back to the SCCM infrastructure, but where the iLO can be reached remotely. This script will prompt a user to input details such as a hostname and some other custom variables that are in the UDI wizard at the moment, then using HPEiLOCmdlets it will connect to the iLO, mount an ISO and boot from it.

    Now I realise that the script won't be able to pass variables into the task sequence directly once the iLO boots from the ISO, but I'm wondering if there's any kind of alternative methods I can use to do this.

    One thought I had was, is it possible for these variables to be stored in a file on the ISO itself somewhere that the task sequence can then reference? My thinking is that the script will take a temporary copy of the 'Master' ISO, mount it, create and inject a file with the details input into the script to the ISO, then mount that onto the iLO. Once the build is complete the temporary copy of the ISO is deleted. Is anything like that possible? Or is there another possible way of doing what I'm trying to do?
    For most things I could even have separate ISOs for things like which security packages to apply and such, the main thing that I'd need to be able to control from the script is the hostname the server is built with, rather than it being built with a generic hostname that needs to be changed later.

  3. Bit of a long shot and I suspect this isn't something that can't be done (at least not easily) but is there any way to find out what collections a machine in SCCM used to be a member of but is no longer? I've got a server that appears to have been part of a patching collection with a maintenance window, but isn't any longer, and I'm wanting to confirm it was indeed a part of that collection. Even more I'd like to see when the server was removed from the collection and by who if it were at all possible.

    Is there any record, either within SCCM itself or in the logs on the actual server, of collections that the server used to be a member of?

  4. Looking at the ClientLocation.log I think I see that it's a certificate issue, there are errors for,
     

    Failed in WinHttpReceiveResponse API, ErrorCode = 0x2f0c
    [CCMHTTP] ERROR: URL=https://<MPFQDN>/SMS_MP/.sms_aut?SITESIGNCERT, Port=443, Options=31, Code=12044, Text=ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED


    Looks like I'll need to speak to some people who aren't back in the office until Friday :)

  5. Hi all,

    I've created a Task Sequence to deploy a non-domain joined Windows Server 2016 build however it fails whenever trying to install an Application with the following error,
    "Failed to run the action: Install Nagios Opsview. 
    Required management point not found (Error: 87D00269; Source: CCM)"

    I've found this thread on the issue, https://www.windows-noob.com/forums/topic/10746-error-0x87d00269-when-installing-application/ , and I've put a step into the task sequence before the Install Application step to set SMSTSMPListRequestTimeout to 20 minutes (So the value was set to 12000000 as it's in milliseconds) but the error still persists. I'd also seen another mention that when a machine is not domain joined it's not enough to set an SCCM Boundary based on AD sites so I've created an IP Address range boundary for the /23 subnet that the server is connected to, but again this hasn't made any difference.

    Packages will deploy/install absolutely fine, it's just when trying to install an Application that it's failing. The Install Application step doesn't take place immediately after a reboot, it's occurring after the step to set the Timeout variable, which occurs after an Install Package step. (There is a Reboot step just before that package install though)

    The installation properties I'm using to install the SCCM client during deployment is,
    SMSMP=<MPFQDN> SMSCACHESIZE=10240 FSP=<FSPFQDN>
    I've also seen a mention of needing to set the SMSSITECODE but if I put that into the Installation properties I get an error that the variable cannot be included in the Task Sequence Editor.

    I've attached a screenshot of the log file showing the failure (Though have blanked out the MP name)

    Application Failure.JPG

  6. On 2017-6-27 at 10:07 PM, GarthMJ said:

    Did you ask the original query write ,why you are having problems? AKA why post it here, instead of ask the original person? Why didn't you post a link to the other post?

     

    It was posted to a website back in 2010,
    http://www.madanmohan.com/2010/11/how-to-find-clients-with-no-maintenance.html
    And the writer hasn't updated since 2013.

     

    The problem I'm having is if I paste that query into the Query language of the SCCM query rules, it just comes back with Syntax errors. As I say I've virtually no experience with writing queries and don't know where to begin with debugging it, or how to build a similar query using the query builder as I've no idea which options I'd need to be selecting.

     

    EDIT - Found where I was going wrong. The queries I've been finding are SQL queries so are made for an SCCM report rather than a Collection Membership Rule query. It doesn't look like what I want to do is possible to do directly with a collection, but I've got a Report that gives me the output I need and can then use to do what we need to do.

  7. Hi all,

    I've been tasked with creating a collection in SCCM that will run a query and add any servers with no maintenance window configured to the collection. This will allow us to then target those machines to get them added to the maintenance windows we want. Unfortunately building SCCM queries is completely new to me so I'm not really sure where to begin. The query builder is somewhat overwhelming with how many options there are available when presented with the Select Attribute screen.

    I have been direct to this query that was posted on another website,

    SELECT sys.Name0 'Name', v_R_System.Operating_System_Name_and0 'Operating System'
    FROM v_ServiceWindow AS sw
    INNER JOIN v_FullCollectionMembership AS fcm ON sw.CollectionID = fcm.CollectionID
    RIGHT JOIN v_R_System AS sys ON fcm.ResourceID = sys.ResourceID
    WHERE sw.Name is NULL AND sys.Client0 = 1
    ORDER BY sys.Name0


    But putting that into the Query Language returns a syntax error and from looking at the date I believe it may have been written for Config Manager 2007 and isn't compatible with 2012.
     
    Can anyone offer some advice on where to even start with creating a query to do what I need?
  8. Wasn't sure whether to post this here or in the SCCM 2012 forum in all honesty, but I'll try here first :)

     

    Ok, so in our 2008 and 2012 deployments via SCCM we have GPO Packs that were created before my time at the company for MDT deployments, so I was able to just implement these easily enough into the SCCM task sequence. We're currently running SCCM 2012 R2 SP1 with the Windows 10 ADK and MDT 2013 Integration.

     

    Now though, I need to create a new 2016 GPO Pack that we can apply during the SCCM Deployment task sequence (We don't use actual AD GPO, just local policies applied via GPO Pack. Not my decision but that's how it is) so I'm looking to create the GPO Pack via the Microsoft Security Compliance Manager, which has now been updated with 2016 baselines. However I'm having some issues that I'm trying to wrap my head around.

     

    I've done some preliminary customisation work on the Microsoft Baseline to customise it for our systems but when I export it I'm getting some weird results when I re-import it to check it out.

    If I export it as a GPO Backup (Folder) which would allow me to use it in SCCM, when I re-import it many of the settings are missing and some new settings even seen to have been added that aren't present in the original baseline I exported.

    If I export it as a .cab file though then when I re-import it everything is exactly as it should be.

     

    At first I thought it was just that the "GPO Backup (Folder)" option simply didn't include things in a "Not Configured" state as that's what most of the entries seemed to be, but when I run the comparison tool I could see that ones explicitly set to Enabled/Disabled were also missing from the import of the Backup Folder export.

     

     

    Obviously my worry here is that when I come to put the GPO Backup export into SCCM then many of the settings I've configured have been lost and so will not be applied.

     

     

    Has anyone got any advice to offer? Or possibly a better way I can put together a local security policy for Server 2016 that I can then deploy via SCCM? Deployment will only be to OS Deployment task sequences, not existing servers.

  9. Sorry for the delayed response on this.

     

    There is no pid.txt file that I could see unfortunately, though after doing more digging I think I may have found the cause. Apparently with the last few versions of Windows, the installation on a non Volume Licensed copy of Windows cannot automatically bypass the Product Key entry with no product key specified in the Unattend.xml, even when deploying via SCCM, this functionality is only available on Volume License versions. As I'm just using the Windows Server 2016 trial ISO at the moment, which won't be a Volume License version, it may not yet possess the ability to do this automatically.

  10. Hi all.

     

    I know Server 2016 is still in Technical Preview, but we're beginning to do some work on testing deployment via SCCM. Whilst on the whole it's been successful, whenever we do the deployment it hangs at a screen prompting to enter a Product Key. We can manually select the option to Do it later and the deployment continues as normal, but obviously this is hardly a long term workable solution.

    Does anyone have any ideas on how we can automatically skip this?

     

    Below is my customsettings.ini,

    [Settings]
    Priority=Default
    Properties=MyCustomProperty
     
    [Default]
    OSInstall=Y
    SkipCapture=YES
    SkipAdminPassword=YES
    AdminPassword=<REMOVED>
    SkipProductKey=YES
    SkipLocaleSelection=YES
    KeyboardLocale=0809:00000809
    UserLocale=en-GB
    UILanguage=en-GB
    Systemlocale=en-GB
    SkipTimeZone=YES
    TimeZoneName=GMT Standard Time
    So we're already telling it to skip the product key there, though the Product Key field is blank in the Apply Windows Settings stage. This has never been a problem for our 2008R2 and 2012R2 deployments. We were simply able to deploy the OS then activate via KMS later.
  11. Hi all,

     

    So this is kind of following on from a previous thread where I was having trouble with installing an MSI during a deployment task sequence, where the installation would just hang endlessly. Oddly this only occurred on physical servers, deploying to VMs worked fine and the installation script worked fine outside of SCCM with no boxes popping up.

    I decided to try a different approach to resolve the issue and instead of a package I thought I'd make use of the new SCCM Applications to try and install the MSI, but I'm experiencing a new issue with this. Whenever I try to install the application I'm receiving an error,

    Permissions on the requested may be configured incorrectly. Access is denied. (Error: 80070005; Source: Windows)

    The smsts.log file shows the following,

    <![LOG[Policy evaluation initiated]LOG]!><time="16:00:47.371-60" date="05-25-2016" component="InstallApplication" context="" type="1" thread="4032" file="utils.cpp:4437">
    <![LOG[Waiting for policy to be compiled in 'root\ccm\policy\machine' namespace ]LOG]!><time="16:00:47.371-60" date="05-25-2016" component="InstallApplication" context="" type="1" thread="4032" file="installapplication.cpp:544">
    <![LOG[Query path = 'CCM_ApplicationCIAssignment.AssignmentID="DEP-ZER201AA-ScopeId_121E90BF-ADD6-4509-816E-76D3C5CF0367/Application_368f474b-9ba3-4984-977a-08770d9a8746"']LOG]!><time="16:00:47.371-60" date="05-25-2016" component="InstallApplication" context="" type="1" thread="4032" file="installapplication.cpp:571">
    <![LOG[Verified policy is compiled in 'root\ccm\policy\machine' namespace]LOG]!><time="16:00:47.371-60" date="05-25-2016" component="InstallApplication" context="" type="1" thread="4032" file="installapplication.cpp:596">
    <![LOG[Invoking App Management SDK to evaluate app polices]LOG]!><time="16:00:47.402-60" date="05-25-2016" component="InstallApplication" context="" type="0" thread="4032" file="installapplication.cpp:384">
    <![LOG[Process completed with exit code 2147942405]LOG]!><time="16:00:47.558-60" date="05-25-2016" component="TSManager" context="" type="1" thread="2408" file="commandline.cpp:1124">
    <![LOG[!--------------------------------------------------------------------------------------------!]LOG]!><time="16:00:47.558-60" date="05-25-2016" component="TSManager" context="" type="1" thread="2408" file="instruction.cxx:805">
    <![LOG[Failed to run the action: Install Splunk (x64). Permissions on the requested may be configured incorrectly.
    Access is denied. (Error: 80070005; Source: Windows)]LOG]!><time="16:00:47.558-60" date="05-25-2016" component="TSManager" context="" type="3" thread="2408" file="instruction.cxx:911">

    To me this makes it appear that the Detection Method of the Application is failing.

    Originally I left the detection method at the automatically created MSI method, but this failed. So I changed the Detection rule to simply detect the presence of a folder on the C:\ drive, however this is still failing.

  12. Check this

     

    Sadly adding this script didn't make any difference. The deployment still hangs when I attempt to deploy that package. As before it doesn't appear to ever start installing, just hangs endlessly with "Waiting for Job Notification"

     

    I'm hoping to get the SCCM environment upgraded to R2 soon, so I'll do that and rebuild the Standalone ISO and try again. Hopefully this is just an SCCM bug that's fixed somewhere after SP2, it doesn't strike me as being the package itself since it never even starts to run the installer and it's not doing anything special, just using msiexec.

  13. It's because the task sequence is essentially a "unified" sequence for different environments, so different applications (or versions of applications) will be installed as part of the deployment depending on which variables are selected using the UDI wizard at the start of the task sequence. As I said the install.wim has been updated with Windows Updates using the built-in SCCM tools, so it's not quite a 'from scratch' deployment.

     

    I did experiment with using a Captured image initially, but no matter what I did the Task sequence would always immediately exit after reaching the SCCM client installation, and would never actually move on to the Application installation point. The quickest way around this was to just forego the whole Build & Capture process and do a complete deployment.

  14. Check this

    I've had a read through that but I'm not sure it's quite the same issue I'm having.

    That article references deploying a captured image, which this isn't. The task sequence is deploying an OS from a .wim file pulled directly from an Installation ISO (Though it has had windows updates included via SCCM) and the Package I'm installing isn't the first one, it's the very last one after multiple other packages have installed successfully.

    The package has been hanging for longer than 12 hours as well, it begun hanging at around 5:40pm yesterday evening and was still waiting at 8:30am this morning.

     

    I'll give the recommended fix a try though, and put the powershell script in just before the Package that's hanging. Given how long the standalone builds take it'll probably be tomorrow before I can report back any success.

     

     

    I did try running the powershell command from F8 on one of the hung machines. Running just the Get-WMIObject did show some entries, then I ran the delete command, after that running just the Get-WMI-Object returns nothing, though the task sequence is still hung. It's possible though that the command has to be run before the package attempts to start.

  15. Hi all, me once again!

     

    I'm currently experiencing issues with a package installation. On my Virtual Machine builds I've noticed that it hangs sometimes, but the majority of the time it installs fine and the task sequence completes normally. However I've used the same task sequence on 9 Physical machines yesterday and every single one of them has hung at the same stage, installing the same package. Fortunately it's one of the very final steps in the task sequence, but I can't for the life of me figure out why it's failing.

    For reference the build is coming from a Standalone ISO and is an offline build, so there's no dependency on network connections.

     

    The application in question is Splunk Universal Forwarder, I'm installing the MSI as a package using a .cmd script, which contains the following,

    @echo off
     
    Echo Installing Splunk Universal Forwarder
     
    msiexec /i "splunkforwarder-6.3.0-aa7d4b1ccb80-x64-release.msi" /l*v "C:\Windows\LOGS\Splunk.log" AGREETOLICENSE=Yes INSTALLDIR="C:\Program Files\Splunk Universal Forwarder" DEPLOYMENT_SERVER="<myserver>.<mydomain>:<myport>" WINEVENTLOG_APP_ENABLE=1 WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 WINEVENTLOG_FWD_ENABLE=1 WINEVENTLOG_SET_ENABLE=1 LAUNCHSPLUNK=0 SERVICESTARTTYPE=auto /qn
    
    (I've changed the Deployment server details just to keep things generic)
    The log file never gets created, so it seems that the installation is never actually starting. The LOGS folder is there, as other packages put logs there fine when they install, but no log for this one. If I press F8 and open task manager at the stage of the task sequence where it's hung then I don't see any msiexec processes running.
    Strangely though, when I've deployed the package using the same script to an already built machine, so install it via Software Center, then it installs fine, I only seem to have issues when deploying the package as part of a deployment task sequence.
    I've restarted one of the hung machines in order to get the smsts.log file, though there are multiple ones, in the Windows\CCM\Logs\SMSTSLog folder and more in the _SMSTaskSequence\Logs folder. I've checked the SMSTS.log and the ones with the date/time in the filename from both locations and in the C:\Windows\CCM\Logs\SMStslog\smsts.log file I just found multiple entries for
    Waiting for job status notification
    Right up until the point where I forced a reboot, where I then get a bunch of
    Failed to create instance if Software Execution Request Managerr. 0x80070005
    Though I assume this part is down to the forced/unexpected reboot of the machine during the task sequence.
    I've attached the relevant part of the log in a file to this post.
    Can anyone see why this might be failing and just endlessly hanging on the waiting for job status notification stage? There is a Reboot computer part of the task sequence directly before this package installation so there should be nothing else outstanding that was waiting on a reboot.
    For reference, I'm running SCCM 2012 SP2 (Non-R2)

    Splunk.log

  16. Sadly still getting issues, sometimes with updates that have previously worked. It seems as if there are just too many updates and it's overwhelming the builds.

    I've noticed in some cases that when I reboot the VM during the hung update process the C: disk shows as only have 1GB of free space (on a 50GB disk), but on successful builds this free space is closer to 30GB. I wonder if something is happening to cause the C: drive to simply be getting too full due to the amount of updates that are needing to be downloaded and installed.

  17. Hi guys,

     

    I've recently updated the 2008R2 update group I'm using to deploy some servers, but since adding in non-security updates (so just "Update for Windows Server 2008R2 x64 Edition) I'm having a problem where some updates just seem to hang forever. I've left servers for over 24 hours and they'll never progress. Below is a screenshot of a server having the issue,

     

    dEOx1Mf.jpg

     

    Now my first thought is to just remove the problem update from the group, then just have it push out during a regular maintenance window after the server is built, but the problem is finding out exactly which update is causing the problem. As you can see it doesn't display the full KB number. I have checked through some logs, but I can't find a log file which references exactly which update is currently installing. Does anyone know which log file I should be checking and where it's located? C:\_SMSTaskSequence or C:\Windows\CCM\Logs ? Or somewhere else?

     

    I have tried to reduce the number of updates that are pushed out during the SCCM deployment by using SCCM to pre-install updates into my .wim file, but even after doing this there are a lot of updates that are pushed out via SCCM deployment as you can see.

     

     

    I was having a similar issue with my 2012R2 deployments, but using SCCM to pre-install the updates into the .wim did solve it there.

  18. Thanks! That's given me a good starting point!

    Have found some ways to get some custom task sequence variables configured from the wizard using a custom page, so just running some tests in my virtual dev environment. This could potentially solve a lot of potential issues we were going to face with our build...

  19. Hi all,

     

    I'm looking to put some steps into my task sequences where, at the start of the sequence, the user is prompted for some information. The information I'd like to prompt for is,

     

    Computer name - This would be a text entry box

    Site - This would be a drop down box and would assign the selected value to a Task Sequence variable

    Domain - Like above, a drop down box and would assign the selected value to a Task Sequence variable

     

    All in a user friendly GUI that will pop up more or less at the start of the task sequence (After disk formatting and downloading the toolkit files)

     

    Looking around on Google, it appears that the UDI may be the best way to do this, but I'm a little confused when I try to dig deeper. When I've tried to create an MDT sequence using the wizard, the only option available to me is for a UDI Replace sequence, but I don't want to do a replace, I'm wanting to use this for Bare Metal builds on totally blank machines, so there will be no user information to capture. The task sequence will be started from a Boot image and/or PXE boot, not an existing OS installation in the SCCM client. I understand that this was a change in MDT2012 to combine UDI and ZTI task sequences, but it's left me a little confused on how to implement UDI in a bare metal build.

     

    Are there any good guides available for how to use the UDI in a bare metal build this way? And potentially how to customise the wizard in what information it prompts for and what variable names it assigns this to in the case of custom variables we may use in condition queries during the task sequence?

  20. So much Googling and not once did I ever see a mention of this. Then again it seems that having multiple SUP servers doesn't seem to be a very common configuration.

    Honestly we wouldn't normally have it, but we've got some servers in an isolated environment that need patching via their own server. Firewalls, bane of my existence.

     

    Anyway, I have checked the wsyncmgr.log this morning and have seen the new SUP has been picked up and has lots of "Replica WSUS synchronizing updates" entries which have completed successfully, so looks like we're all good.

     

    Thanks very much for all the help guys!

    • Like 1
  21. From Peter's post I got the impression that I wouldn't need to configure a separate WSUS server outside of the SCCM environment. I read his post as saying that my new SUP would just sync from the first deployed SUP automatically. WSUS is just a required role installation on a SUP server isn't it? The role is installed, but WSUS is not configured on it (ie the WSUS Configuration Wizard has never been run)

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.