rrasco

I had a package I created once for 3 months, I had not noticed I can select for last 1 year. Maybe I missed that or they expanded the options in R2? I used to manually patch the machines via WU, but I prefer when I can just join a machine to the domain and it pushes out the client, SCEP, and all previous updates. Just let the machine run for a day or so and it will get all the software deployments taken care of.

I am curious, how does everyone handle patching new machines? When I join a new machine to the domain and move it to the correct OU, SCCM pushes out the client, intalls SCEP, and patches the machines with all previously deployed Update Groups through the use of ADRs. My question is, what about the patches that you didn't have an Update Group for? Such as updates that were published prior to using ADRs? If you only have the product date set to last 1 day and run on Patch Tuesday, wouldn't that effectively miss all previous updates? What do you guys do to get new machines up to date prior to letting SCCM patch what it knows about?

It basically says it doesn't have a valid connection to the database from the Data Source screen in SSRS and when I try to run an audit report.

Yep, that's exactly how mine is configured. That's how I came across the test button, was following that step in your guide.

After completing this part none of my audit reports work, I get an error basically saying the database connection is failing. I see the Audit and Audit5 reports in the audit reports from the SCOM console. I get this too from the report server URL, under audit reports when I test the connection.

Thanks for this. My upgrade is currently running, hopefully all goes well. I have a few notes about my process: KB2734608 would not install for me. It acted like I didn't have the right version of WSUS; "the upgrade product is missing". I have SP2, but maybe there was a superseeded update already installed on my server. Just a guess though. The prerequisite check put out a warning saying I needed both KB2720211 and KB2734608 but allowed me to begin the install. Fingers crossed it succeeds. I had to add the User State Migration Tool (USMT) during the ADK installer. I had to go back and add this since I left only the defaults checked.

Probably not. I think I just needed to wait, just a few seconds ago clients started reporting "Application no longer available" and my new package is now available via Software Center. I was afraid I borked it up by not following the proper procedure to remove a package. The new package is failing to install, but that's another issue. EDIT: The new package wasn't downloading, had to increase cache through config manager in control panel.

I setup an Application for Office 2013 w/SP1. Long story short, SP1 has issues. I deleted the deployments and application and re-packaged non-SP1 Office 2013, but I still see the original 2013 application in the Software Center on client machines. Hindsight is 20/20 and I see it's recommended to retire applications, but it's too late for that. How can I get rid of this application in Software Center?

Not that I am aware of. Where is that setting at? I see 'delete quarantined files after (days)' option in my custom antimalware policy on the 'advanced' tab, but there is no option to disable the client user interface. I have not installed SP1 yet.

I have a client machine that I thought didn't have the SCEP client. According to the logs the SCEP client is already installed and protected, but it is not in the system tray. I want to run a full on-demand scan, but I can't do it because there is no interface to run. I uninstalled the SC client and re-pushed it to the client to see if it would re-install SCEP, but the EndpointProtectionAgent.log on the client says: Any ideas why the SCEP client is not visible?

Follow up: I was able to get mine working. There were a few more things I tried to get it going. Referencing this post I enabled the Protected Storage Service. That did no resolve the issue. Moved onto find this post where I located the MachineKeys directory on Windows 7 (C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys) and removed the key that started with 19c5cf and the cert was able to be created. Repaired CCM on the client and it was reporting in no time. I believe it was an old cert on that machine from before I had SCCM configured correctly, thus it had to be cleared to function correctly.

Which system did you have to enable the service for? Client or server? Mine is enabled on both and I am receiving this error from a new client I am trying to get into SCCM.

This has been configured for a few months for me. Checking in the \\sccm\sources\WindowsUpdates\EndpointProtection\ directory, it's full of definition updates, dating back to November. Over 1900 items and 2GB of data. Is SCCM supposed to delete expired definitions or do I need to do something else to manage that?

Does the ADR remove old updates along the way?

Just a suggestion, but couldn't we manually create the Deployment Package instead of creating an entire ADR just to create it? Is there any benefit to having an ADR create it instead?

The first Patch Tuesday since I setup SUP and ADRs to push out client updates is today, which is working amazingly, I love the user interaction through Software Center. Anyways, I have not setup ADRs for my servers yet. Most of my servers can be patched automatically, but I have others such as a SharePoint server I need to verify the patches before deploying them. What is the recommend method for doing this? I was hoping I could somehow push the patches to the server via an ADR, but not have a deadline so I could review and manually apply these updates or not. It seems the only options for a deadline are, to set one, or have it install as soon as possible. I thought about targeting my old WSUS server for these systems, but I'm sure SCCM has a way to handle this, as well as the WSUS settings on the server has to point to SCCM or my ADR for SCEP definition updates fail. In part 10 of the SCCM guide, the script creates the software update collections and I see an 'automatic', 'maintenance window', and 'manual' collection inside each folder for each OS....how do I use the manual option? I don't see any difference between the automatic and manual collections, so it's obviously another setting elsewhere.

I was trying to do it that way to begin with, but I couldn't figure out the details or find documentation for it. Thanks for the details instructions!

That worked. Thank you sir!

I am trying to have my device collections automatically update based on the OU each device is a member of. I found some example for doing this with user collections, but no clear cut way to do it with devices. I found an article on Technet and am trying to use this query to add devices from the 'Desktops' OU to my device collection. It doesn't seem to be working, or it is working slowly. I wasn't sure what log would contain the activity for collection membership updates. Is this the only way to do this? Is there anyway to be more granular with specifying the OU, would if there are two 'Desktop' OUs? Unless I'm supposed to be putting the full path...? select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemOUName = "Desktops" http://technet.microsoft.com/en-us/library/gg712323.aspx

It's super simple: If I am going to just execute the batch file, I would prefer to add a conditional to only run the command if the registry key exists, there are a few different product codes I need to target.

I deployed SCEP to my client machines, but they still have Symantec Endpoint installed (since SCCM will remove every version of SEP except 12). I have a command line that will silently uninstall SEP 12, but I am having trouble determining the best way to deploy it. I tried to create a manual scripted application and used a .bat file I created. It seems to be targeting my test machines, but doesn't seem to run. Any recommendations for how I could uninstall SEP 12 from the client machines, or a method to deploy the .bat?

Devices do have a site code in the console. Does this mean my boundaries are setup correct? I am only testing this on a few machines. I had one machine push out correctly, including EndPoint; automatically. I have two other machines I cannot get to auto-install the client. It is worth noting, I had to push-install the client on these machines. It did not install the client on discovery. I will work on those suggestions. Takes me forever to reboot my machine so I'll get to that shortly.

Never mind about the certificate. They are not expired, expiration is 2112 not 2012. Oops. Client still won't register though. Anyone know what log I can look at on SCCM to help pinpoint the issue?

The certs on the SCCM server also have the 10/26/12 expiration date. Is that normal?

I re-ran the client installation. Looks like it added new certs, but those are still expired. Original ones I deleted had a expiration of 10/26/12. The ones that were just issued expire on 11/11/12. Why would it issue an old cert?