
Posts posted by Sanchez

  1. Perfect; thanks!

    1. Install an old version of 7-Zip (as an example), on a test workstation.
    2. Launch 7-Zip File Manager
    3. Create an application in SCCM, with the newest MSI version of 7-Zip (standard MSIExec switches).
    4. In the Install Behavior tab of the deployment type, add 7zFM.exe as an executable that must be closed.
    5. Deploy the application as required, to the test workstation, and make sure to leave "Automatically close any running executables you specified..." un-checked.
    6. Run the machine policy and application deployment evaluation cycles, to hurry things along.
    7. The first time you do this, the content will be downloaded, and the installation will fail (as it should).
    8. Do the same again, and this time, the installation will proceed, and 7-Zip File Manager will be terminated.

    At least that's what's happening here (just tried all of that myself).

    If you trigger it manually, by clicking "Install" in Software Center, it behaves as it should - the installation fails, and the application stays open.

    Is that enough detail, or do you need a step by step?

     

    Thanks.

     

  2. Hi.

    It seems that Install Behavior isn't working properly in the latest versions of Configuration Manager, as it is automatically closing applications, when it's not supposed to.

    I'm deploying an application, and have specified an executable that must be closed for the application installation to succeed, in the "Install Behavior" tab of the deployment type.

    I've created a required deployment for the application, but the "Automatically close any running executables..." option is un-checked. Despite that, when the deployment deadline is reached, the executable gets terminated. I would expect the installation to fail, without terminating the executable, which is what I want (and what it always used to do).

    I've tried this with a couple of different application deployments, and they both do the same thing.

    I had employed that method successfully a number of times in the past, to deploy applications as required, without having to worry about interrupting people's work. I first noticed the problem a couple of weeks ago, with Configuration Manager version 2103. I upgraded to version 2107, hoping that would resolve the issue, but it hasn't.

    The "Show notifications for new deployments" option in client settings is set to "No", as I don't want users being nagged when I deploy new applications, but that's never been a problem before.

    Is anyone else seeing this behaviour?


    Thanks.

  3. Thank you.

    Personally, I can't see anything of note in those logs. The only relevant clue is in Windows application logs, which record the installer's executable crashing:

    [image attachment]

    Exception code 0xc0000005 is a memory violation, and the exit code in AppEnforce (3221225477) seems to mean the same thing. I'll speak to the developers, but it's just strange how this only happens when triggered automatically.

    All these logs are from a VM with Windows 10 1909, and no software installed. The only antivirus is Windows Defender, which I disabled by local Group Policy.

    AppLogs.zip

  4. Thanks for your reply.

    There's nothing documented, to say that the application requires a user to be logged-on, but I thought SCCM always used the system account, anyway. In both scenarios, the installer's temporary files and logs appear in C:\Windows\Temp, as opposed to the user's %Temp% folder, which is the behaviour of the system account. Either way, I always test my deployments using PSExec to run the installer in the system context, and that always works, with this application.

    Also, the installation fails whether a user is logged-on or not, I'm afraid. So I don't know where that leaves us.

     

    Thanks.

  5. Hi.

    I have an application which has a "required" deployment. If I leave it to install by itself, it always fails. But if I log-on to one of the target computers, open Software Center, go into the deployment and click "Install", it always works.

    So what I'm wondering is: when SCCM automatically triggers the deployment, how is that different to triggering it from Software Center? Why would one work, but not the other?

    I suspect the problem is to do with the executable itself, but understanding the mechanics of how the two scenarios differ, could help me test and troubleshoot the issue.

    I hope someone can shed some light!

    Thanks.

  6. Yes, thanks Garth; I've read all that, and am taking it into account.

    As mentioned, I also followed your guide here: https://www.enhansoft.com/updated-how-to-create-a-sql-server-computer-account-login/, and it was already configured like that:

    [image attachment]

    I ran the test as you described, and it was successful (the below test was performed on the site server):

    [image attachment]

    As far as I understand, it's not the site server's account that's having a problem. NT AUTHORITY\SYSTEM is the local system account on the (separate) SQL server, isn't it? If it were the site server, the errors would show as <computer name>$, wouldn't they?

     

     

  7. Well, I wanted to double-check my previous experiment, so again, I mapped "NT AUTHORITY\SYSTEM" to the SCCM database, and gave it db_owner role membership. The permissions on the reports now look fine, and users can access them as expected.

    But I don't see this as a solution, as doing this isn't mentioned in any documentation or guides, so there must be an underlying problem. And I've also read that it's not a good idea, from a security standpoint.

    As for SW inv, I've traced it through all the logs I know of, and it seems to be going through the steps it's supposed to, without errors. But the reports are still empty, including the "All inventoried files..." ones.

     

    Thanks.

     

  8. Thanks for that, Garth. I was aware of the issues around software inventory, but I think your posts have finally persuaded me to turn it off. However, before I do that, I want to figure out why these tables aren't being populated, and why the permissions seem screwy.

    I agree that inventorying .exe is rather excessive, but I was trying to mirror the settings on the old server (set up long before my time), which was working perfectly well.

    Oh and sorry for the misunderstanding; I didn't mean I'd configured it just now. I meant "simply". It's been like that since about October last year.

    Anyway I'm thinking more and more that this is a fault, and not that I've mis-configured something, so I'm going to try re-installing the reporting point, to see if that fixes it. After that, it's a call to Microsoft.

    Thanks for your help!

  9. Yup, I just configured it to inventory .exe on all client hard disks, including subfolders, excluding "Windows,Compressed".

    And I think it's unhealthy because on our old 2012 R2 site (which is still active, but has no clients), those same reports produce hundreds of records. As far as I can tell, they're both (the 1810 site and 2012 R2 site) configured the same, as far as SW inventory goes, but the new one produces just one record. And in addition, as I alluded to previously, when I gave NT AUTHORITY\SYSTEM the sysadmin role on the (1810) site database, that report suddenly started showing lots of records. So I think that somewhere, the permissions are wrong.

    Besides that, there's the fact that users aren't getting access to reports, as I believe they should.


    Thanks.

  10. Indeed. As far as I know, I've configured everything required for those reports to work. I suppose I could stick to ARP reports, as you say. I just don't like to leave anything in less than 100% health.

    Thanks a lot for your advice, Garth.

    I tried giving NT AUTHORITY\SYSTEM the sysadmin role on the SCCM database, and that seemed to get everything working. But I haven't seen that in any of the documentation or guides I've read, which makes me think that something's just not right. And I've also seen it suggested that it's not good from a security standpoint, so I don't want to leave it like that. There's definitely something wrong with my setup, so it would be good to get to the bottom of it.
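
    An audit query for the grants described in posts 7, 9 and 10 above, added here as an example and not part of the original posts: it lists the server and database roles held by NT AUTHORITY\SYSTEM on the SQL instance, so a temporary sysadmin or db_owner grant can be confirmed and then backed out. The database name CM_MA1 is taken from the srsrp.log line on this page; that the database user carries the same name as the login is an assumption.

    ```sql
    -- Added example: run in SSMS against the instance hosting the site database.
    USE CM_MA1;  -- database name as shown in the srsrp.log error on this page

    DECLARE @login sysname = N'NT AUTHORITY\SYSTEM';

    -- 1. Server-level roles held by the login (sysadmin is the one that matters).
    --    A row with server_role = NULL means the login exists but holds no server role.
    SELECT sp.name            AS login_name,
           r.name             AS server_role,
           IS_SRVROLEMEMBER('sysadmin', @login) AS is_sysadmin
    FROM sys.server_principals AS sp
    LEFT JOIN sys.server_role_members AS rm
           ON rm.member_principal_id = sp.principal_id
    LEFT JOIN sys.server_principals AS r
           ON r.principal_id = rm.role_principal_id
    WHERE sp.name = @login;

    -- 2. Mapping of that login into the site database, and its database roles.
    --    No rows means the login is not mapped to a user in this database.
    SELECT dp.name AS db_user,
           r.name  AS db_role
    FROM sys.database_principals AS dp
    JOIN sys.server_principals AS sp
           ON sp.sid = dp.sid
    LEFT JOIN sys.database_role_members AS rm
           ON rm.member_principal_id = dp.principal_id
    LEFT JOIN sys.database_principals AS r
           ON r.principal_id = rm.role_principal_id
    WHERE sp.name = @login;

    -- 3. Backing out the experimental grants once the real cause is found.
    --    Left commented out on purpose; review the output of 1 and 2 first.
    --    Assumes the database user is named the same as the login.
    -- ALTER SERVER ROLE sysadmin DROP MEMBER [NT AUTHORITY\SYSTEM];
    -- ALTER ROLE db_owner DROP MEMBER [NT AUTHORITY\SYSTEM];
    ```

    Saving the output of the first two queries before and after the experiment gives a record of exactly which grant made the reports start working.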

  11. Thank you very much!

    Sorry for the delay; I'd been having trouble logging in!

    I tend to use "Computers with a specific product" and "Computers with a specific product name and version" quite a lot. I suppose I could just use "Computers with specific software registered in Add Remove Programs", but it's useful to be able to narrow it down by version, and at the end of the day, having issues on a new environment makes me wonder what else might be wrong with it, so I'd rather fix any problems I come across. And it used to work on the old (2012 R2) site, so it should work on the new one.

    As for the SQL stuff, the site server is actually already a sysadmin on the instance (as explained in your link). It doesn't show up in the "Users" folder for the ReportServer database, but that's how the old (2012 R2) one was, and that one works just fine.

    I've run SSMS as suggested in your post (from the site server, running as "NT AUTHORITY\SYSTEM", using PsExec), and that all seems fine. I can successfully query both the SCCM and ReportServer databases.

    So I'm not sure what's going on. Any other suggestions?

  12. Hi.

    I recently set up a new Configuration Manager 1806 environment (now upgraded to 1810). Its SQL database is on a named instance, on a failover cluster, and Reporting Services is installed on one of its nodes (I know that SSRS is not cluster-aware).

    The site appears to be mostly fine, but reporting has always seemed a little off. Firstly, while most of the reports work as expected, some of the reports in the "Software - Companies and Products" folder, either produce no results, or only one result. I've read on lots of forums that you shouldn't use reports generated from software inventory, and should stick with hardware inventory, but some of those reports are very useful, and it's a new setup, so I want it to work properly.

    Secondly, when I go to the reports web site and look at the folders' permissions, it just says "BUILTIN\Administrators", and people who should have access to view those reports, don't seem to. They just get an error saying "You are not allowed to view this folder. Contact your administrator to obtain the necessary permissions.". These are people I've added to the "Read-only Analyst" security role, for example.

    srsrp.log keeps saying this, and I don't know if it's related:

    (!) Error retrieving folders - [Cannot open database "CM_MA1" requested by the login. The login failed.~~Login failed for user 'NT AUTHORITY\SYSTEM'.].

    The SQL instance is using Windows authentication only.

    Any help would be greatly appreciated.


    Thanks.

  13. Hi.

    I am the sole SCCM administrator for a small company. The current site is running Config Manager 2012 R2, on a Windows Server 2008 R2 VM. It's a simple hierarchy, consisting of one primary site, all managed from a single server, and 3 distribution points. SQL is hosted on a separate cluster. This was all set up long before I joined the company.

    Now that I'm wishing to upgrade to current branch, I've also decided to put it on a new Windows Server 2016 VM. I could do a side-by-side migration, but am quite tempted to start again from scratch, with a clean slate.

    My plan is to leave the current site up and running, while I set up the new one, giving me ample time to configure it all, create the deployments, distribute content, etc. Once it's ready, I can push-deploy the new client, and eventually take down the old site.

    I've already chosen a new site code and name, and new names for all the servers, so there should be no conflicts there. The only thing I'm a little uncertain about at present, is what's going to happen in the System Management container, when I set up the new site. Will its site code and name be added alongside the current one, or will it over-write? In either case, will the clients get confused (if not current ones, then new builds)? Should I maybe not give the new site server permissions on the container, and instead get it to publish to ADDS when everything's ready?

    As a bonus question, I thought I might as well set up the new SQL Server 2016 database for it, on the same cluster as the current one (since we have a cluster already in place, I prefer to use it). I thought I could just install SQL 2016 on the cluster, set up a new instance, and point the new site at that, but are there any potential pitfalls I'm overlooking / anything else I need to consider?

    Any guidance would be much appreciated.

    Thank you.
