Jump to content


Established Members
  • Content Count

  • Joined

  • Last visited

Community Reputation

0 Neutral

About Sanchez

  • Rank

Recent Profile Visitors

The recent visitors block is disabled and is not being shown to other users.

  1. Thanks, radish. I am pretty sure that both methods (automatically-triggered and via Software Center) use the system account, but if anybody knows different, I'd like to hear it. Understanding the exact difference between the two will help troubleshoot and explain it to the developer. Thanks.
  2. Thank you. Personally, I can't see anything of note in those logs. The only relevant clue is in Windows application logs, which record the installer's executable crashing: Exception code 0xc0000005 is a memory violation, and the exit code in AppEnforce (3221225477) seems to mean the same thing. I'll speak to the developers, but it's just strange how this only happens when triggered automatically. All these logs are from a VM with Windows 10 1909, and no software installed. The only antivirus is Windows Defender, which I disabled by local Group Policy. AppLogs.zip
  3. Hi. What does your Format and Partition Disk task sequence step look like?
  4. Thanks for your reply. There's nothing documented, to say that the application requires a user to be logged-on, but I thought SCCM always used the system account, anyway. In both scenarios, the installer's temporary files and logs appear in C:\Windows\Temp, as opposed to the user's %Temp% folder, which is the bahaviour of the system account. Either way, I always test my deployments using PSExec to run the installer in the system context, and that always works, with this application. Also, the installation fails whether a user is logged-on or not, I'm afraid. So I don't know where that leaves us. Thanks.
  5. Hi. I have an application which has a "required" deployment. If I leave it to install by itself, it always fails. But if I log-on to one of the target computers, open Software Center, go into the deployment and click "Install", it always works. So what I'm wondering is: when SCCM automatically triggers the deployment, how is that different to triggering it from Software Center? Why would one work, but not the other? I suspect the problem is to do with the executable itslelf, but understanding the mechanics of how the two scenarios differ, could help me test and troubleshoot the issue. I hope someone can shed some light! Thanks.
  6. Thanks for your help. Microsoft looked as well, and couldn't figure it out, but they disabled software inventory. I didn't get time to look at it for about 6 months, but when I re-enabled it, everything was working again. I guess some corrupted data got stuck in there somewhere, and leaving it disabled for 6 months flushed it out.
  7. As for SW inventory: Anything else I'd need to configure, to get it inventorying correctly?
  8. Yes, thanks Garth; I've read all that, and am taking it into account. As mentioned, I also followed your guide here: https://www.enhansoft.com/updated-how-to-create-a-sql-server-computer-account-login/, and it was already configured like that: I ran the test as you described, and it was successful (the below test was performed on the site server): As far as I understand, it's not the site server's account that's having a problem. NT AUTHORITY\SYSTEM is the local system account on the (separate) SQL server, isn't it? If it were the site server, the errors would show as <computer name>$, wouldn't they?
  9. Well, I wanted to double-check my previous experiment, so again, I mapped "NT AUTHORITY\SYSTEM" to the SCCM database, and gave it db_owner role membership. The permissions on the reports now look fine, and users can access them as expected. But I don't see this as a solution, as doing this isn't mentioned in any documentation or guides, so there must be an underlying problem. And I've also read that it's not a good idea, from a security standpoint. As for SW inv, I've traced it through all the logs I know of, and it seems to be going through the steps it's supposed to, without errors. But the reports are still empty, including the "All inventoried files..." ones. Thanks.
  10. Thanks for that, Garth. I was aware of the issues around software inventory, but I think your posts have finally persuaded me to turn it off. However, before I do that, I want to figure out why these tables aren't being populated, and why the permissions seem screwy. I agree that inventorying .exe is rather excessive, but I was trying to mirror the settings on the old server (set up long before my time), which was working perfectly well. Oh and sorry for the misunderstanding; I didn't mean I'd configured it just now. I meant "simply". It's been like that since about October last year. Anyway I'm thinking more and more that this is a fault, and not that I've mis-configured something, so I'm going to try re-installing the reporting point, to see if that fixes it. After that, it's a call to Microsoft. Thanks for your help!
  11. Yup, I just configured it to inventory .exe on all client hard disks, including subfolders, excluding "Windows,Compressed". And I think it's unhealthy because on our old 2012 R2 site (which is still active, but has no clients), those same reports produce hundreds of records. As far as I can tell, they're both (the 1810 site and 2012 R2 site) configured the same, as far as SW inventory goes, but the new one produces just one record. And in addition, as I alluded to previously, when I gave NT AUTHORITY\SYSTEM the sysadmin role on the (1810) site database, that report suddenly starting showing lots of records. So I think that somewhere, the permissions are wrong. Besides that, there's the fact that users aren't getting access to reports, as I believe they should. Thanks.
  12. Indeed. As far as I know, I've configured everything required for those reports to work. I suppose I could stick to ARP reports, as you say. I just don't like to leave anything in less than 100% health. Thanks a lot for your advice, Garth. I tried giving NT AUTHORITY/SYSTEM the sysadmin role on the SCCM database, and that seemed to get everything working. But I haven't seen that in any of the documentation or guides I've read, which makes me think that something's just not right. And I've also seen it suggested that it's not good from a security standpoint, so I don't want to leave it like that. There's definitely something wrong with my setup, so it would be good to get to the bottom of it.
  13. Thank you very much! Sorry for the delay; I'd been having trouble logging in! I tend to use "Computers with a specific product" and "Computers with a specific product name and version" quite a lot. I suppose I could just use "Computers with specific software registered in Add Remove Programs", but it's useful to be able to narrow it down by version, and at the end of the day, having issues on a new environment makes me wonder what else might be wrong with it, so I'd rather fix any problems I come across. And it used to work on the old (2012 R2) site, so it should work on the new one. As for the SQL stuff, the site server is actually already a sysadmin on the instance (as explained in your link). It doesn't show up in the "Users" folder for the ReportServer database, but that's how the old (2012 R2) one was, and that one works just fine. I've run SSMS as suggested in your post (from the site server, running as "NT AUTHORITY\SYSTEM", using PsExec), and that all seems fine. I can successfully query both the SCCM and ReportServer databases. So I'm not sure what's going on. Any other suggestions?
  14. Hi. I recently set up a new Configuration Manager 1806 environment (now upgraded to 1810). Its SQL database is on a named instance, on a failover cluster, and Reporting Services is installed on one of its nodes (I know that SSRS is not cluster-aware). The site appears to be mostly fine, but reporting has always seemed a little off. Firstly, while most of the reports work as expected, some of the reports in the "Software - Companies and Products" folder, either produce no results, or only one result. I've read on lots of forums that you shouldn't use reports generated from software inventory, and should stick with hardware inventory, but some of those reports are very useful, and it's a new setup, so I want it to work properly. Secondly, when I go to the reports web site and look at the folders' permissions, it just says "BUILTIN\Administrators", and people who should have access to view those reports, don't seem to. They just get an error saying "You are not allowed to view this folder. Contact your administrator to obtain the necessary permissions.". These are people I've added to the "Read-only Analyst" security role, for example. srsrp.log keeps saying this, and I don't know if it's related: (!) Error retrieving folders - [Cannot open database "CM_MA1" requested by the login. The login failed.~~Login failed for user 'NT AUTHORITY\SYSTEM'.]. The SQL instance is using Windows authentication only. Any help would be greatly appreciated. Thanks.
  • Create New...